SecurityFocus Newsletter #131
-----------------------------

This newsletter is sponsored by Tripwire (http://www.tripwire.com)

ASSURE INTEGRITY WITH TRIPWIRE. GET A FREE POSTER

Has your data been compromised? Know for certain with Tripwire on duty.
Tripwire data integrity assurance solutions tell you if, when, and how data
on your system has been changed. Learn more and get a FREE copy of our
popular Common Security Exploit and Vulnerability Matrix Poster. Click here
to gain confidence in your data.
http://www.tripwire.com/literature/poster/index.cfm?djinn=363

-------------------------------------------------------------------------------

I. FRONT AND CENTER
     1. SecurityFocus is Hiring!
     2. **SecurityFocus Promotion: Two Week Trial of SIA**
     3. The Devil You Know: Responding to Interface-based Insider Attacks
     4. Heuristic Techniques in AV Solutions: An Overview
     5. Solving the Problem of HTML Mail
II. BUGTRAQ SUMMARY
     1. kicq 2.0.0b1 Invalid ICQ Packet Denial of Service Vulnerability
     2. Lotus Domino Remote Authentication Bypass Vulnerability
     3. MRTG Configuration Generator Path Disclosure Vulnerability
     4. Lotus Domino Webserver DOS Device Extension Denial of Service...
     5. Lotus Domino MS-Dos Device Name Denial Of Service Vulnerability
     6. Faq-O-Matic Cross-Site Scripting Vulnerability
     7. Netgear RT314/RT311 Gateway Router Cross-Site Scripting...
     8. Internet Security Systems BlackICE and RealSecure DoS...
     9. PHP MySQL Safe_Mode Filesystem Circumvention Vulnerability
     10. Microsoft MSN ActiveX Object Information Disclosure...
     11. MIRC Nick Buffer Overflow Vulnerability
     12. eshare Expressions Directory Traversal Vulnerability
     13. Castelle Faxpress Plaintext Password Disclosure Vulnerability
     14. ICQ For MacOS X Client Denial Of Service Vulnerability
     15. NetScreen ScreenOS Port Scan DoS Vulnerability
     16. MRTG CGI Arbitrary File Display Vulnerability
III. SECURITYFOCUS NEWS ARTICLES
     1. Network Associates is Sued Over Review Ban
     2. U.S. Funds Open Source Security Hub
     3. NASA Hacker Gets 21 Months
     4. Microsoft's New Security Chief Was Hacker Hunter
IV. SECURITYFOCUS TOP 6 TOOLS
     1. p0f v1.8.2
     2. ifmonitor v0.13
     3. PinePGP v0.17.3
     4. Yet Another Advanced Log Analyzer v0.4.1
     5. NGSecureWeb v1.00
     6. Wnmap v1.2
V. SECURITYJOBS LIST SUMMARY
     1. HIPAA Security (Thread)
     2. No Contact (Thread)
     3. Two UK Based Forensic Computing Positions (Thread)
     4. Architect / Sr. Architect - Infosec / Java / Internet...
     5. Channel Sales Director - Location Open (Thread)
     6. Director/Lead Sales Engineer - Austin, TX (Thread)
     7. Sr. Security Product Architect - Austin, TX (Thread)
     8. Vice President of Product Marketing - Austin, TX (Thread)
     9. Director/Lead Sales Engineer - Location Open (Thread)
     10. Federal Sales Director - Washington, DC (Thread)
     11. Make a Difference - Unix Sys. Admin/Eng (Thread)
     12. Job Opporunity (Thread)
     13. Seeking: Information Security/Penetration Testing Position...
     14. Needed: HIPAA Compliance Coordinator - Greythorn (Thread)
     15. Student looking for summer job/internship (Thread)
     16. Mgmnt. Resume (Thread)
     17. Resume ! (Thread)
VI. INCIDENTS LIST SUMMARY
     1. new SNMP vuln? (Thread)
     2. Why would my machine do this? (Thread)
     3. Scan that doesn't make sense (Thread)
     4. HTTP 408 errors (Thread)
     5. We Are Past Your Firewall...Thanks for the responses (Thread)
     6. nimda like probes (Thread)
     7. We Are Past Your Firewall... (Thread)
     8. New Nimda scanning pattern ? (Thread)
     9. BS Generator Worm/defacements?? (Thread)
     10. gibberish defacement? (Thread)
     11. Help please (Thread)
VII. VULN-DEV RESEARCH LIST SUMMARY
     1. HTTP 1.1 TRACE Command (Thread)
     2. directory traversal (Thread)
     3. Web Browsers vulnerable to the Extended HTML Form Attack (IE...
     4. HELP ! : Trojanised HTML: Internet Exporer 5 and 6 [technical...
     5. Reported Kazaa and Morpheus vulnerabilities (Thread)
     6. Comcast man-in-the-middle attack (Thread)
     7. chaging your @home IP address... could you take a bunch...
     8. vim error? (Thread)
     9. ssh (Thread)
     10. Encryption Algorithm Footprint (Thread)
     11. Pgp.com was exposing ... information. (Thread)
     12. Morpheus Request share files Deny of Service (Thread)
     13. Holes in Actinic E-commerce services. (Thread)
     14. Request share files Deny of Service (Thread)
     15. chaging your @home IP address... could you take a bunch...
     16. chaging your @home IP address... could you take a bunch...
     17. Problem with FreeBSD's version of SED (Thread)
     18. chaging your @home IP address... could you take a bunch of...
     19. texis(CGI) Path Disclosure Vulnerability (Thread)
     20. Problems with the scripts by Solution Scripts (Thread)
     21. chaging your @home IP address... could you take a bunch of...
     22. MSN Messenger reveals your name to websites (and can reveal...
     23. Security Hole in WWWeBBB forum (Thread)
     24. Blue Boar - Reported Kazaa and Morpheus vulnerabilities...
     25. Re[2]: directory traversal (Thread)
     26. mIRC Buffer Overflow (Thread)
     27. Badtrans on the list (Thread)
     28. Hacker's Digest - Issue 3 Winter 2002 (Thread)
     29. Sardonix Security Auditing Portal (Thread)
     30. Lotus Domino password bypass (Thread)
     31. Correction - Oracle Apache+WebDB info leakege (Thread)
     32. [Fwd: Reported Kazaa and Morpheus vulnerabilities] (Thread)
     33. switch jamming (Thread)
     34. Antwort: Lotus Domino url bypass (Thread)
     35. CSS, CSS & let me give you some more CSS (Thread)
     36. Lotus Domino url bypass (Thread)
     37. X2 SSHD Vuln Update (Thread)
VIII. MICROSOFT FOCUS LIST SUMMARY
     1. Where would the changes be saved? (Thread)
     2. Question regarding attack (Thread)
     3. SYSTEM grabbing ports? (Thread)
     4. Allowing users to change their password via the web (Thread)
     5. Secure Transactions over HTTPS???? (Thread)
     6. Possible hack - Portable profile found in a Windows 2K Pro SP1...
     7. Local security policy Settings (Thread)
     8. IM encryption (Thread)
     9. TCP/IP Filtering problem on W2KAS (Thread)
     10. Possible hack - Portable profile found in a Windows 2K Pro SP...
     11. Windows 2000/.Net Group Policy Locker (Thread)
     12. TCP/IP Filtering problem on (Thread)
     13. SecurityFocus Microsoft Newsletter #72 (Thread)
IX. SUN FOCUS LIST SUMMARY
     1. nfssrv:nfs_portmon (Thread)
     2. Trouble changing BSM/audit options without reboot (Thread)
X. LINUX FOCUS LIST SUMMARY
     1. iptables + strings: tutorial + script (Thread)
     2. apache and nimda (now iptables) (Thread)
     3. nimda and string match [Re: apache and nimbda] (Thread)
XI. SPONSOR INFORMATION

I. FRONT AND CENTER
-------------------

1. SecurityFocus is Hiring!

SecurityFocus is currently looking for a programmer/debugger for its Threat
Analysis teams. This position requires the skill set outlined below. These
positions require the staff members to be located in Calgary, Alberta,
Canada. Relocation assistance is possible from within Canada. Skills will
require verification by way of an actual practical test before an in-person
interview is secured.

Skills required:
- Expertise with SoftICE & IDA Pro (or similar tools).
- Expertise with x86 assembly language.
- Programming ability in C & C++, targeting both the Unix and Windows
  platforms.
- Strong report writing skills and ability to interface with customers.

Additional skills preferred:
- Working knowledge of computer virus, worm, and trojan propagation
  techniques.
- Working knowledge of honeypots.

Personal skills required:
Any applicant must be able to work in a team environment and deal with very
tight deliverables. An outgoing, pleasant personality is an absolute
requirement. No rockstars, no prima donnas.

About SecurityFocus
SecurityFocus is the leading provider of security intelligence products and
services for business. They include SIA (Security Intelligence Alert), which
alerts subscribers to security vulnerabilities, and ARIS (Attack Registry &
Intelligence Service), which predicts cyber assaults on customer networks,
based on global attack data.
SecurityFocus also licenses the world's largest and most comprehensive
vulnerability information database, hosts the most popular security
community mailing list on the Internet, Bugtraq, and publishes original
security content on its Web site.

Please send resumes if interested to Alfred Huger, ah@securityfocus.com.

2. **SecurityFocus Promotion: Two Week Trial of SIA**

SecurityFocus(tm), a leading provider of enterprise security threat
management systems, announces new pricing for SIA(tm), our Security
Intelligence Alert Service. We are also offering a FREE two-week trial of
SIA between January 21st and March 15th, 2002.

SIA provides the most comprehensive and customizable vulnerability and
malicious code alerts available. SIA delivers complete, up-to-the-minute,
specific, actionable information that allows enterprises to prevent attacks
before they occur.

SIA allows you to:

**Fully protect your systems with comprehensive alerts that are specific to
your infrastructure. SIA allows you to specify down to the version level
those products for which you wish to receive alerts.

**Reduce the threat of network downtime from attacks. SIA provides
everything you need to know: thorough technical description of the attack,
workarounds or available patches, signatures for updating IDSs,
mitigation/disinfection strategies, etc.

**Save hours a day by not having to look through hundreds of emails or
dozens of websites. SIA allows you to prioritize your current
vulnerabilities and eliminate the highest risks first.

To take advantage of our FREE two-week trial offer and receive real-time
configuration-specific vulnerability and malicious code alerts, please call
toll-free 1-866-577-6300 in the United States and Canada, or
+1-650-655-6300 outside North America. You may also contact us at
sales@securityfocus.com, or click here
http://www.securityfocus.com/feedback to have a sales representative
contact you.

3. The Devil You Know: Responding to Interface-based Insider Attacks
by Ronald L. Mendell

It is estimated that up to eighty-five percent of intrusions are
perpetrated by insiders. This article will examine how response teams can
detect and investigate interface-based insider attacks. It is also hoped
that the article will provide the basis of incident response policies for
responding to and investigating insider attacks that exploit
interface-based vulnerabilities.
http://www.securityfocus.com/infocus/1543

4. Heuristic Techniques in AV Solutions: An Overview
by Markus Schmall

Heuristic technologies can be found in nearly all current anti-virus
(herein referred to as AV) solutions and also in other security-related
areas like intrusion detection systems and attack analysis systems with
correlating components. This article will offer a brief overview of generic
heuristic approaches within AV solutions with a particular emphasis on
heuristics for Visual Basic for Applications-based malware.
http://www.securityfocus.com/infocus/1542

5. Solving the Problem of HTML Mail
by Shane Coursen

Now there are options for screening potentially dangerous messages, or even
eliminating HTML email from your life.
http://www.securityfocus.com/columnists/58

II. BUGTRAQ SUMMARY
-------------------

1. kicq 2.0.0b1 Invalid ICQ Packet Denial of Service Vulnerability
BugTraq ID: 4018
Remote: Yes
Date Published: Feb 02 2002 12:00A
Relevant URL: http://www.securityfocus.com/bid/4018
Summary:
kicq 2.0.0b1 is an ICQ client for the K Desktop Environment (KDE).

kicq can be crashed remotely by initiating a telnet connection to a port it
is listening on and sending "random" characters. kicq expects to receive
valid ICQ protocol packets on this port, and it fails to properly respond
to unexpected data or shut down gracefully. This does not affect other
components of the system, only the ICQ client.

2. Lotus Domino Remote Authentication Bypass Vulnerability
BugTraq ID: 4022
Remote: Yes
Date Published: Feb 04 2002 12:00A
Relevant URL: http://www.securityfocus.com/bid/4022
Summary:
Lotus Domino Server is an application framework for web-based collaborative
software. It runs on multiple platforms including Windows and Unix.

A vulnerability exists in some versions of Domino. Notes database files may
be protected such that a password is required in order to access them.
However, a maliciously constructed URL of a specific length bypasses this
protection, allowing any remote user to view the sensitive file.

It has been reported that a constructed filename of the form file.ntf+++nsf,
with a length of between 219 and 257 characters in total, will exploit this
vulnerability. A remote user requesting this file will be given file.nsf
without the need to authenticate.

There have been multiple reports that this is a known issue, and that it
only allows the remote user to access template (.ntf) files. There have
been reports that this issue is fixed in Domino 5.0.9.

3. MRTG Configuration Generator Path Disclosure Vulnerability
BugTraq ID: 4021
Remote: Yes
Date Published: Feb 04 2002 12:00A
Relevant URL: http://www.securityfocus.com/bid/4021
Summary:
MRTG Configuration Generator is a configuration file generator for devices
being monitored on a network.

A vulnerability has been reported in mrtg.cgi that could allow a malicious
user to view the full path to the web root. Reportedly, if a user submits
an HTTP request to a host containing unusual characters, the server will
return an error page containing the path to the web root. This information
could be used to launch further attacks against the host.

* Please note that the person who discovered this issue reported it in
Multi Router Traffic Grapher (MRTG). However, mrtg.cgi is not part of MRTG;
it is a completely independent utility.

4. Lotus Domino Webserver DOS Device Extension Denial of Service
Vulnerability
BugTraq ID: 4020
Remote: Yes
Date Published: Feb 04 2002 12:00A
Relevant URL: http://www.securityfocus.com/bid/4020
Summary:
Lotus Domino Server is an application framework for web-based collaborative
software. It runs on multiple platforms including Windows and Unix.

It has been reported that all versions of Lotus Domino Webserver prior to
5.0.9a running on Windows 2000 may be vulnerable to a denial of service
condition. If a request for a DOS device from CGI-BIN has an extension of
220 characters, the server will spawn a cmd.exe session to run nul.pif. The
server will also pop up a window asking for a program association to run
nul.pif with. If this is done approximately 400 times, the server will
reportedly run out of working threads.

This vulnerability may not have anything to do with the inclusion of MS-DOS
device names in requests, but this is unconfirmed.

5. Lotus Domino MS-Dos Device Name Denial Of Service Vulnerability
BugTraq ID: 4019
Remote: Yes
Date Published: Feb 04 2002 12:00A
Relevant URL: http://www.securityfocus.com/bid/4019
Summary:
Lotus Domino Server is an application framework for web-based collaborative
software. It runs on multiple platforms including Windows and Unix.

It is possible to cause a denial of service to legitimate users of the web
server. MS-DOS device names (such as CON, AUX, PRN, etc.) are not
sufficiently filtered out from web requests. Requests for MS-DOS devices
are passed to the CGI handler (nhttpcgi.exe). Once a device is invoked, it
is not released by the server. With multiple requests, it is possible to
starve the available resources to create a denial of service condition. A
manual restart of the service is required to regain normal functionality.

6. Faq-O-Matic Cross-Site Scripting Vulnerability
BugTraq ID: 4023
Remote: Yes
Date Published: Feb 04 2002 12:00A
Relevant URL: http://www.securityfocus.com/bid/4023
Summary:
FAQ-O-Matic is a freely available, open-source FAQ (Frequently Asked
Questions) manager. It is intended to run on Linux and Unix variants.

FAQ-O-Matic does not sufficiently filter HTML tags, including script code,
from URL parameters. It is possible to create a malicious link containing
arbitrary script code. When a legitimate user browses the malicious link,
the script code will be executed in the user's browser in the context of
the website running Faq-O-Matic.

As a result, it may be possible for a remote attacker to steal cookie-based
authentication credentials from a legitimate user of the site. The attacker
may then hijack the session of the legitimate user.

7. Netgear RT314/RT311 Gateway Router Cross-Site Scripting Vulnerability
BugTraq ID: 4024
Remote: Yes
Date Published: Feb 03 2002 12:00A
Relevant URL: http://www.securityfocus.com/bid/4024
Summary:
The Netgear RT314/RT311 Gateway Router models allow Cable/DSL users to share
a connection. These products provide a web-based administrative interface.
The affected products run a ZyXel-RomPager web server to provide easy
web-based configuration.

HTML tags are not sufficiently filtered from URL parameters. As a result,
the web interface for the router is prone to cross-site scripting attacks.
This may be exploited by an attacker who knows the internal IP address of
the router. Arbitrary script code may be included in a malicious link,
which is executed in the browser of the victim, in the context of the
router.

It is possible that an attacker may capitalize on this opportunity to gain
unauthorized administrative access to the router. This may occur if the
attacker can successfully steal cookie-based authentication credentials
from a user who has access to the administrative interface.
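Both cross-site scripting items above (Faq-O-Matic, BID 4023, and the Netgear RT314/RT311 web interface, BID 4024) come down to a URL parameter being written back into a page without escaping. The following is an added example, not code from either product or from SecurityFocus: the unfiltered reflection beside its escaped form, with a small check a site can run against its own parameters. The fom.cgi path, the q parameter name and the sample URL are constructed for illustration.

```python
"""Reflected cross-site scripting: a URL parameter echoed into HTML unescaped,
beside the escaped form.  Added example; not FAQ-O-Matic or ZyXEL-RomPager
code.  The script path, parameter name and sample URL are constructed."""
import html
from urllib.parse import parse_qs, quote, urlsplit

# Constructed sample request: the kind of link the advisories describe, with
# script code carried in a query-string parameter.
SAMPLE_URL = "http://faq.example.invalid/fom.cgi?q=%3Cscript%3Ealert(1)%3C/script%3E"


def query_param(url: str, name: str) -> str:
    """Return the (percent-decoded) first value of a query parameter, or ""."""
    params = parse_qs(urlsplit(url).query, keep_blank_values=True)
    return params.get(name, [""])[0]


def render_unsafe(term: str) -> str:
    """The vulnerable pattern: the raw parameter is concatenated into the page,
    so any markup or script in it is interpreted by the victim's browser."""
    return "<p>Results for " + term + '</p><a href="?q=' + term + '">again</a>'


def render_escaped(term: str) -> str:
    """Hardened form.  Text content is HTML-escaped (quote=True also turns
    quotes into entities, so the value cannot close an attribute), and the
    value placed back into a URL is percent-encoded instead."""
    text = html.escape(term, quote=True)
    url_value = quote(term, safe="")
    return "<p>Results for " + text + '</p><a href="?q=' + url_value + '">again</a>'


def reflects_markup(rendered: str, term: str) -> bool:
    """True if a parameter carrying markup characters appears verbatim in the
    output, which is what makes a reflected parameter exploitable.  Usable as
    a regression check over a site's own parameters."""
    return ("<" in term or '"' in term) and term in rendered


if __name__ == "__main__":
    term = query_param(SAMPLE_URL, "q")
    print("unsafe  :", render_unsafe(term))
    print("escaped :", render_escaped(term))
```

The point of separating the two contexts is that HTML entity escaping is the right tool for element content and quoted attributes, while a value going back into a URL needs percent-encoding; using one for the other is the usual source of "we escape it, but it still executes".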
It should be noted that there is a distinct possibility that any other
router products running the ZyXel-RomPager web server (versions 3.02 or
earlier) may also be prone to this issue.

This issue reportedly does not affect the Netgear RP114 Cable/DSL Web Safe
Router.

8. Internet Security Systems BlackICE and RealSecure DoS Vulnerability
BugTraq ID: 4025
Remote: Yes
Date Published: Feb 04 2002 12:00A
Relevant URL: http://www.securityfocus.com/bid/4025
Summary:
Internet Security Systems' BlackICE Defender, BlackICE Agent and RealSecure
Server Sensor are network intrusion detection systems which run in
Microsoft Windows environments.

A denial of service condition has been reported in these products which can
be exploited by a remote user. Exploitation is achievable via a ping flood
attack. Sending a continuous series of 10,000-byte ICMP Echo Request (ping)
packets to a target host could cause the host to reboot. However, dial-up
users are not subject to this issue.

A continuous combination of such requests and replies could cause the
system's functionality to diminish or crash. Results of this issue may vary
slightly from system to system. If an attacker is exploiting this issue on
a host with the paranoid setting enabled, BlackICE could disable itself. In
such a case, where the BlackICE or RealSecure service becomes unresponsive,
the host may become susceptible to attackers launching more "intelligent"
attacks.

Reports indicate that this is a kernel-mode issue and the ability to execute
arbitrary code is not possible. In addition, BlackICE will not log this
attack. Reportedly, only Windows 2000 and XP hosts are susceptible to this
issue.

9. PHP MySQL Safe_Mode Filesystem Circumvention Vulnerability
BugTraq ID: 4026
Remote: Yes
Date Published: Feb 03 2002 12:00A
Relevant URL: http://www.securityfocus.com/bid/4026
Summary:
PHP is a server-side scripting language, designed to be embedded within HTML
files. It is available for Windows, Linux, and many Unix-based operating
systems. It is commonly used for web development, and is very widely
deployed.

A vulnerability has been discovered that may allow an attacker to gain
access to sensitive information located in areas of a filesystem that were
restricted when PHP safe_mode was enabled.

The safe_mode feature in PHP may be used to restrict access to certain areas
of a filesystem by PHP scripts. However, a problem has been discovered that
may allow an attacker to bypass these restrictions to gain unauthorized
access to areas of the filesystem that have been restricted when PHP
safe_mode was enabled. In particular, the MySQL client library that ships
with PHP does not properly honor safe_mode. As a result, it is possible to
use a LOAD DATA statement to read files that exist in restricted areas of
the filesystem (as determined by PHP safe_mode).

An attacker with access to the MySQL database may exploit this issue to view
any files which are readable by the database process.

10. Microsoft MSN ActiveX Object Information Disclosure Vulnerability
BugTraq ID: 4028
Remote: Yes
Date Published: Feb 02 2002 12:00A
Relevant URL: http://www.securityfocus.com/bid/4028
Summary:
Microsoft's MSN Messenger is a popular instant messenger application for the
Windows family of operating systems. It is based on the Passport system, and
users are uniquely identified by an email address.

By default, some versions of MSN expose information through an ActiveX
object. This object may be accessed through JavaScript or VBScript.
Information available through this object includes the current user's
display name, and the display names of all users on their contact list. In
the event that any party does not have a display name defined, their email
address is available instead.
This may result in the disclosure of sensitive information, if the user has
a meaningful display name and is under the impression that they are
anonymously visiting a web page. This information may also be of some value
in tracking usage across multiple domains, as a sort of "super cookie".

Additional information is available to a select group of Microsoft hosted
sites, and to any trusted domain suffix listed in the registry. Malicious
local software such as spyware or adware may modify this registry key, and
expand the range of information available to a domain. It is possible to
include a top level domain such as .com. The relevant key is:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MessengerService\Policies\Suffixes

11. MIRC Nick Buffer Overflow Vulnerability
BugTraq ID: 4027
Remote: Yes
Date Published: Feb 03 2002 12:00A
Relevant URL: http://www.securityfocus.com/bid/4027
Summary:
mIRC is a popular Internet Relay Chat client which runs on Microsoft Windows
9x/ME/NT/2000/XP operating systems.

A remotely exploitable buffer overflow condition has been discovered in
mIRC. This issue is due to improper bounds checking of nicknames sent by the
server in the 001 numeric.

Upon connection to an IRC server, most servers send a 001 numeric in
response to a client connection to welcome the client. The 001 numeric looks
like "Welcome to the Internet Relay Network $nickname" where $nickname
represents the nickname of the user. If the server sends an excessively
long nickname to the client (200+ characters), it is possible to overwrite
stack variables (including the return address). As a result, the malicious
server can cause attacker-supplied instructions to be executed on the client
host.

This issue is also exploitable via a webpage that can instruct the client
to launch and to make a connection to the malicious server.

This may lead to a full compromise of the host running the client software
on some Windows systems.

12. eshare Expressions Directory Traversal Vulnerability
BugTraq ID: 4029
Remote: Yes
Date Published: Feb 05 2002 12:00A
Relevant URL: http://www.securityfocus.com/bid/4029
Summary:
eshare communications eshare Expressions is a server application that
enables users to conduct online chat sessions, discussion forums, virtual
meetings, training, conferencing, etc. eshare Expressions runs on Windows
systems.

A directory traversal vulnerability has been discovered in eshare
Expressions, which may potentially disclose known files to remote attackers.
This is due to insufficient validation of strings passed in web requests.

An attacker who submits a specially crafted web request containing
double-dot-slash (../) character sequences may be able to browse known files
residing on a vulnerable host.

This vulnerability may also allow attackers to gain access to known
directories; however, this has not been confirmed.

13. Castelle Faxpress Plaintext Password Disclosure Vulnerability
BugTraq ID: 4030
Remote: Yes
Date Published: Feb 05 2002 12:00A
Relevant URL: http://www.securityfocus.com/bid/4030
Summary:
Castelle FaxPress is an integrated solution for a network fax environment.
FaxPress is a hardware and software server providing fax functionality, and
is designed to integrate with Microsoft Windows, Novell NetWare, and
Linux-based systems. FaxPress includes support for printing, either directly
or through a network printer queue.

If a print job is submitted to the network queue with an incorrect password,
an error message is reported to the client through the FaxPress notice
system. This error message includes the submitted username and password in
plain text.

Under some circumstances, this may result in the disclosure of sensitive
information. For example, in a corporate environment, the FaxPress client
may be configured by a central department, and the individual users unaware
of the password used.

14. ICQ For MacOS X Client Denial Of Service Vulnerability
BugTraq ID: 4031
Remote: Yes
Date Published: Feb 05 2002 12:00A
Relevant URL: http://www.securityfocus.com/bid/4031
Summary:
ICQ For MacOS X is a port of the popular Mirabilis ICQ client to the Apple
MacOS X platform. It is freely available.

It is possible to cause MacOS X ICQ clients to crash by sending an
excessively long request (19000+ characters). If such a request is sent to
a port the client is bound to, the client will crash and must be restarted
to regain normal functionality. MacOS X ICQ clients normally bind to ports
49152 and 49159.

This is likely due to an unchecked buffer of some sort, so the possibility
of exploiting this condition to execute arbitrary attacker-supplied
instructions does exist, though this possibility has not been confirmed.

This issue has been reported for ICQ For MacOS X version 2.6X Beta. Other
versions may also be prone to this issue.

15. NetScreen ScreenOS Port Scan DoS Vulnerability
BugTraq ID: 4015
Remote: No
Date Published: Feb 01 2002 12:00A
Relevant URL: http://www.securityfocus.com/bid/4015
Summary:
NetScreen is a line of internet security appliances integrating firewall,
VPN and traffic management features. ScreenOS is the software used to manage
and configure the firewall. NetScreen supports Microsoft Windows 95, 98, ME,
NT and 2000 clients.

An issue has been reported in NetScreen ScreenOS which could cause the
system to stop responding. If a user within the trusted network attempts to
do a port scan on an external system, ScreenOS could fail, requiring a
restart. This is due to the number of concurrent sessions allowed per user.
It is possible to exploit this issue with a port scanner that does not
properly release sessions.

A restart of the service may be required in order to regain normal
functionality.
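The eshare Expressions item (12, BID 4029) above and the MRTG CGI item that follows (BID 4017) are the same class of bug: a file name taken from the request is joined to a directory without checking that the result still lies inside it. The following is an added example, not code from either project or from SecurityFocus, of a check that does that lexically, including the double-encoded ("..%252f") and absolute-path variants a validator has to expect. The cfg parameter name and the example URL are the ones quoted in the MRTG entry; the /var/www/mrtg root, the function names and the other sample requests are assumptions.

```python
"""Keeping a user-supplied file name inside a fixed directory.  Added example
for the eshare Expressions and MRTG CGI traversal entries; it is not code from
either project.  The cfg= parameter and the first example URL come from the
MRTG entry; CONFIG_ROOT and the other sample requests are constructed."""
import posixpath
from typing import Optional
from urllib.parse import parse_qs, unquote, urlsplit

CONFIG_ROOT = "/var/www/mrtg"   # assumed directory the CGI may read from


def safe_join(root: str, requested: str) -> Optional[str]:
    """Return root/requested when the normalised path stays inside root,
    otherwise None.  Purely lexical: it never touches the filesystem, so the
    caller should still go through os.path.realpath() before opening if
    symlinks under root are a concern."""
    # Decode again so double-encoded sequences such as ..%252f are seen as
    # the same bytes the eventual file open would see.
    decoded = unquote(unquote(requested))
    if "\x00" in decoded:                              # NUL truncation tricks
        return None
    if decoded.startswith("/") or "\\" in decoded:     # absolute or backslash
        return None
    root_norm = posixpath.normpath(root)
    candidate = posixpath.normpath(posixpath.join(root_norm, decoded))
    # normpath has already collapsed "." and ".."; anything that did not stay
    # strictly below root has escaped it (or names root itself).
    if not candidate.startswith(root_norm + "/"):
        return None
    return candidate


def cfg_path_from_url(url: str) -> Optional[str]:
    """Validate the cfg= parameter of an MRTG-style CGI request."""
    params = parse_qs(urlsplit(url).query, keep_blank_values=True)
    values = params.get("cfg")
    if not values:
        return None
    return safe_join(CONFIG_ROOT, values[0])


# The URL quoted in the MRTG entry, followed by constructed variants.
REQUESTS = [
    "http://somehost/mrtg.cgi?cfg=../../../../../../../../etc/passwd",
    "http://somehost/mrtg.cgi?cfg=..%252f..%252fetc%252fpasswd",
    "http://somehost/mrtg.cgi?cfg=/etc/passwd",
    "http://somehost/mrtg.cgi?cfg=router1.cfg",
    "http://somehost/mrtg.cgi?cfg=site/../router1.cfg",
]

if __name__ == "__main__":
    for req in REQUESTS:
        print(f"{req:68} -> {cfg_path_from_url(req)}")
```

The check compares normalised paths rather than looking for the literal string "../", which is why the encoded and the "site/../router1.cfg" cases come out right: the first escapes the root and is refused, the second stays inside it and is allowed.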
16. MRTG CGI Arbitrary File Display Vulnerability
BugTraq ID: 4017
Remote: Yes
Date Published: Feb 02 2002 12:00A
Relevant URL: http://www.securityfocus.com/bid/4017
Summary:
Multi Router Traffic Grapher (MRTG) CGI scripts allow display of arbitrary
files from the host machine. This can be accomplished by specifying a
relative path and file name in a query string passed to the scripts via a
properly constructed URL. The scripts reported to be vulnerable include
mrtg.cgi, traffic.cgi, 14all-1.1.cgi, and 14all.cgi. An example URL is:

http://somehost/mrtg.cgi?cfg=../../../../../../../../etc/passwd

All affected scripts are reportedly exploited with the same query string
(i.e., the "cfg=" variable). This is simply a failure to parse input and
ensure that the requested file isn't outside of the web root environment.
Files that are not accessible to CGI cannot be disclosed; i.e., permissions
are not superseded.

III. SECURITYFOCUS NEWS AND COMMENTARY
------------------------------------------

1. Network Associates is Sued Over Review Ban
By Dick Kelsey, Newsbytes

The state of New York takes the security software company to court over a
license clause prohibiting unauthorized reviews of its anti-virus and
firewall products.
http://www.securityfocus.com/news/323

2. U.S. Funds Open Source Security Hub
By Kevin Poulsen

A new approach to open source security auditing, funded by the U.S. Defense
Department, offers recognition to geeks who examine code.
http://www.securityfocus.com/news/322

3. NASA Hacker Gets 21 Months
By Dick Kelsey, Newsbytes

A California man who admitted hacking into computers at NASA, Oregon State
University and an Internet service provider has been sentenced to 21 months
in federal prison and ordered to pay nearly $88,000 in restitution.
http://www.securityfocus.com/news/321

4. Microsoft's New Security Chief Was Hacker Hunter
By Steven Bonisteel, Newsbytes

Microsoft's new security czar may not be an expert in patching holes in
software, but he has experience in hunting down and prosecuting hackers who
like to exploit such vulnerabilities.
http://www.securityfocus.com/news/320

IV. SECURITYFOCUS TOP 6 TOOLS
-----------------------------

1. p0f v1.8.2
by William Stearns
Relevant URL: http://www.stearns.org/p0f/
Platforms: FreeBSD, Linux, NetBSD, OpenBSD, POSIX, Solaris, SunOS
Summary:
p0f performs passive OS detection based on SYN packets. Unlike nmap, p0f
does recognition without sending any data. Additionally, it is able to
determine the distance to a remote host, and can be used to determine the
structure of a foreign or local network. When running on the gateway of a
network it is able to gather huge amounts of data and provide useful
statistics. On a user-end computer it could be used as a powerful IDS
add-on. p0f supports full tcpdump-style filtering expressions, and has an
extensible and detailed fingerprinting database. It runs on Linux 2.0/2.2,
FreeBSD, OpenBSD, NetBSD, SunOS, and Solaris.

2. ifmonitor v0.13
by Edson Medina
Relevant URL: http://ifmonitor.preteritoimperfeito.com/
Platforms: Linux
Summary:
ifmonitor is a network interface traffic logger and grapher for Linux. It
does not depend on SNMP, and it is written in Perl/PHP. It uses MySQL to
store its logs.

3. PinePGP v0.17.3
by Hany
Relevant URL: http://www.megaloman.com/~hany/software/pinepgp/stable.html
Platforms: Linux
Summary:
PinePGP provides PGP and GnuPG filters for pine. PGP versions 2.6.x, 5.x,
and 6.5.x are supported.

4. Yet Another Advanced Log Analyzer v0.4.1
by Florian Forster
Relevant URL: http://13hackerz.de/yaala/
Platforms: Perl (any system supporting perl)
Summary:
"yaala" parses logfiles and generates very detailed statistics in HTML
format.
It features two different output types with different amount of information: one for webmasters/sysadmins that would like to get some very interesting (but not necessarily useful) information about their audience, and one that is more likely to be presented on a website. It currently works with Apache's access-log format and the NCSA format (e.g. Apache's combined log) as well as Squid's access logfile format. 5. NGSecureWeb v1.00 by NGSEC Research Team labs@ngsec.com Relevant URL: http://www.ngsec.com/download.html Platforms: UNIX, Windows 2000, Windows 95/98, Windows NT, Windows XP Summary: NGSecureWeb is a security module for Web Servers. It acts as an application IDS/firewall, preventing security bugs from being exploited. It has the ability to check for shellcodes (even polymorphic ones), buffer overflows, forbidden words, long URLs, long GET arguments, long POST arguments, long HEADERS, etc., in the HTTP request. If the IDS engine detects a possible attack, the firewall engine stops the request. The Apache and Netscape Enterprise Web servers are supported. 6. Wnmap v1.2 by Efrain 'ET' Torres et@cyberspace.org Relevant URL: http://pwp.007mundo.com/etorres1/ Platforms: Linux Summary: When you use a WEB scanner it justs earches for the existence of cgis or files in common directories. Thats the fact. But it should not be that way. Because many companies just use their own locations to put their cgis. So you are just searching in a default web server path, leaving behind a huge space without testing, with bigger holes that you didnt found. WMAP search recursively, grabing all the info contained in html tags like HREF, FORM and FRAME, capturing the new directories , dividing and including them in the tests. V. SECURITY JOBS SUMMARY ------------------------ 1. HIPAA Security (Thread) Relevant URL: http://www.securityfocus.com/cgi-bin/archive.pl?id=77&mid=000501c1af3f$519404a0$0b00a8c0@wai021&threads=1 2. 
No Contact (Thread)
Relevant URL: http://www.securityfocus.com/cgi-bin/archive.pl?id=77&mid=OE61LWkdkTQUM6H2Htl00003e5d@hotmail.com&threads=1

3. Two UK Based Forensic Computing Positions (Thread)
Relevant URL: http://www.securityfocus.com/cgi-bin/archive.pl?id=77&mid=3C610614.40209@Lee-And-Allen.Com&threads=1

4. Architect / Sr. Architect - Infosec / Java / Internet technologies / HIPAA (Thread)
Relevant URL: http://www.securityfocus.com/cgi-bin/archive.pl?id=77&mid=20020206005536.16880.qmail@mail.securityfocus.com&threads=1

5. Channel Sales Director - Location Open (Thread)
Relevant URL: http://www.securityfocus.com/cgi-bin/archive.pl?id=77&mid=20020205223018.31835.qmail@mail.securityfocus.com&threads=1

6. Director/Lead Sales Engineer - Austin, TX (Thread)
Relevant URL: http://www.securityfocus.com/cgi-bin/archive.pl?id=77&mid=20020205222914.31556.qmail@mail.securityfocus.com&threads=1

7. Sr. Security Product Architect - Austin, TX (Thread)
Relevant URL: http://www.securityfocus.com/cgi-bin/archive.pl?id=77&mid=20020205222107.30452.qmail@mail.securityfocus.com&threads=1

8. Vice President of Product Marketing - Austin, TX (Thread)
Relevant URL: http://www.securityfocus.com/cgi-bin/archive.pl?id=77&mid=20020205222038.15211.qmail@mail.securityfocus.com&threads=1

9. Director/Lead Sales Engineer - Location Open (Thread)
Relevant URL: http://www.securityfocus.com/cgi-bin/archive.pl?id=77&mid=20020205221753.15193.qmail@mail.securityfocus.com&threads=1

10. Federal Sales Director - Washington, DC (Thread)
Relevant URL: http://www.securityfocus.com/cgi-bin/archive.pl?id=77&mid=20020205221648.14849.qmail@mail.securityfocus.com&threads=1

11. Make a Difference - Unix Sys. Admin/Eng (Thread)
Relevant URL: http://www.securityfocus.com/cgi-bin/archive.pl?id=77&mid=20020205212233.7647.qmail@mail.securityfocus.com&threads=1

12. Job Opporunity (Thread)
Relevant URL: http://www.securityfocus.com/cgi-bin/archive.pl?id=77&mid=200202051516.KAA01123@hank.bcentralhost.com&threads=1

13.
Seeking: Information Security/Penetration Testing Position (Thread)
Relevant URL: http://www.securityfocus.com/cgi-bin/archive.pl?id=77&mid=20020204233311.30910.qmail@mail.securityfocus.com&threads=1

14. Needed: HIPAA Compliance Coordinator - Greythorn (Thread)
Relevant URL: http://www.securityfocus.com/cgi-bin/archive.pl?id=77&mid=5544986F9407D611A5900008C7096406076EE9@EXCHANGE&threads=1

15. Student looking for summer job/internship (Thread)
Relevant URL: http://www.securityfocus.com/cgi-bin/archive.pl?id=77&mid=200202042059.g14KxgT13397@SMTP2.cgocable.net&threads=1

16. Mgmnt. Resume (Thread)
Relevant URL: http://www.securityfocus.com/cgi-bin/archive.pl?id=77&mid=3C5E8974.33E6E7F@herald.infi.net&threads=1

17. Resume ! (Thread)
Relevant URL: http://www.securityfocus.com/cgi-bin/archive.pl?id=77&mid=20020204013919.11771.qmail@mail.securityfocus.com&threads=1

VI. INCIDENTS LIST SUMMARY
-------------------------
1. new SNMP vuln? (Thread)
Relevant URL: http://www.securityfocus.com/cgi-bin/archive.pl?id=75&mid=003601c1b01a$98c57440$6bcbc2d1@cybermesa.com&threads=1

2. Why would my machine do this? (Thread)
Relevant URL: http://www.securityfocus.com/cgi-bin/archive.pl?id=75&mid=001301c1b01c$141a8620$48bb42cf@mis1.wrv.com&threads=1

3. Scan that doesn't make sense (Thread)
Relevant URL: http://www.securityfocus.com/cgi-bin/archive.pl?id=75&mid=20020206190358.I16776@adm.gu.se&threads=1

4. HTTP 408 errors (Thread)
Relevant URL: http://www.securityfocus.com/cgi-bin/archive.pl?id=75&mid=20020206153249.V24596@Space.Net&threads=1

5. We Are Past Your Firewall...Thanks for the responses (Thread)
Relevant URL: http://www.securityfocus.com/cgi-bin/archive.pl?id=75&mid=20020206145519.23084.qmail@web14608.mail.yahoo.com&threads=1

6. nimda like probes (Thread)
Relevant URL: http://www.securityfocus.com/cgi-bin/archive.pl?id=75&mid=1012878893.15312.88.camel@eccles.itss.auckland.ac.nz&threads=1

7. We Are Past Your Firewall...
(Thread)
Relevant URL: http://www.securityfocus.com/cgi-bin/archive.pl?id=75&mid=BB7FD4FF9E440648A731452E5D341FB00FB0BB@hitsexchange01.advance-med.com&threads=1

8. New Nimda scanning pattern ? (Thread)
Relevant URL: http://www.securityfocus.com/cgi-bin/archive.pl?id=75&mid=1012854650.15313.29.camel@eccles.itss.auckland.ac.nz&threads=1

9. BS Generator Worm/defacements?? (Thread)
Relevant URL: http://www.securityfocus.com/cgi-bin/archive.pl?id=75&mid=20020204170914.2650.qmail@email.com&threads=1

10. gibberish defacement? (Thread)
Relevant URL: http://www.securityfocus.com/cgi-bin/archive.pl?id=75&mid=20020204142944.5774.qmail@email.com&threads=1

11. Help please (Thread)
Relevant URL: http://www.securityfocus.com/cgi-bin/archive.pl?id=75&mid=1012851206.3c5ee206d71c3@webmail.lee.k12.nc.us&threads=1

VII. VULN-DEV RESEARCH LIST SUMMARY
----------------------------------
1. HTTP 1.1 TRACE Command (Thread)
Relevant URL: http://www.securityfocus.com/cgi-bin/archive.pl?id=82&mid=3C6375AB.A8E7DEF0@iinet.net.au&threads=1

2. directory traversal (Thread)
Relevant URL: http://www.securityfocus.com/cgi-bin/archive.pl?id=82&mid=007901c1b052$565bfb00$1001a8c0@TBSS&threads=1

3. Web Browsers vulnerable to the Extended HTML Form Attack (IE and OPERA) (Thread)
Relevant URL: http://www.securityfocus.com/cgi-bin/archive.pl?id=82&mid=35530000.1013150639@localhost&threads=1

4. HELP ! : Trojanised HTML: Internet Exporer 5 and 6 [technical exercise] (Thread)
Relevant URL: http://www.securityfocus.com/cgi-bin/archive.pl?id=82&mid=200202080029.g180TMUg006465@mail11.megamailservers.com&threads=1

5. Reported Kazaa and Morpheus vulnerabilities (Thread)
Relevant URL: http://www.securityfocus.com/cgi-bin/archive.pl?id=82&mid=000c01c1b050$bddcc900$9b00a8c0@burlingtonvt.net&threads=1

6. Comcast man-in-the-middle attack (Thread)
Relevant URL: http://www.securityfocus.com/cgi-bin/archive.pl?id=82&mid=Pine.BSF.4.30.0202071941380.783-100000@totally.righteous.net&threads=1

7.
chaging your @home IP address... could you take a bunch of them....probably. (Thread)
Relevant URL: http://www.securityfocus.com/cgi-bin/archive.pl?id=82&mid=Pine.LNX.4.33.0202071634050.27731-100000@terra.pissah.com&threads=1

8. vim error? (Thread)
Relevant URL: http://www.securityfocus.com/cgi-bin/archive.pl?id=82&mid=MDEJLHLKBGKBJBHHJMIBIENDCCAA.ryany@pantek.com&threads=1

9. ssh (Thread)
Relevant URL: http://www.securityfocus.com/cgi-bin/archive.pl?id=82&mid=Pine.LNX.4.42.0202071542530.747-100000@nimue.bos.bindview.com&threads=1

10. Encryption Algorithm Footprint (Thread)
Relevant URL: http://www.securityfocus.com/cgi-bin/archive.pl?id=82&mid=000f01c1af7d$25d2cf70$32c86cca@liugx&threads=1

11. Pgp.com was exposing ... information. (Thread)
Relevant URL: http://www.securityfocus.com/cgi-bin/archive.pl?id=82&mid=20020207162550.2362.qmail@web20408.mail.yahoo.com&threads=1

12. Morpheus Request share files Deny of Service (Thread)
Relevant URL: http://www.securityfocus.com/cgi-bin/archive.pl?id=82&mid=3C61C9CD.29AA219C@ciudad.com.ar&threads=1

13. Holes in Actinic E-commerce services. (Thread)
Relevant URL: http://www.securityfocus.com/cgi-bin/archive.pl?id=82&mid=F5455ZK6oOr65JP59qu000120d1@hotmail.com&threads=1

14. Request share files Deny of Service (Thread)
Relevant URL: http://www.securityfocus.com/cgi-bin/archive.pl?id=82&mid=3C617D07.E33A33C@ciudad.com.ar&threads=1

15. chaging your @home IP address... could you take a bunch ofthe m....probably... could you get something from it...maybe (Thread)
Relevant URL: http://www.securityfocus.com/cgi-bin/archive.pl?id=82&mid=106FA1B70E24D511946D00B0D077F3861A3313@chqsrvr4.paulo.com&threads=1

16. chaging your @home IP address... could you take a bunch ofthem....probably... could you get something from it...maybe (Thread)
Relevant URL: http://www.securityfocus.com/cgi-bin/archive.pl?id=82&mid=4.3.2.7.2.20020206124516.14c72f08@shit.intranet.shitcum.com&threads=1

17.
Problem with FreeBSD's version of SED (Thread)
Relevant URL: http://www.securityfocus.com/cgi-bin/archive.pl?id=82&mid=Pine.LNX.4.30.0202061221470.7588-100000@biocserver.BIOC.CWRU.Edu&threads=1

18. chaging your @home IP address... could you take a bunch of them....probably... could you get something from it...maybe (Thread)
Relevant URL: http://www.securityfocus.com/cgi-bin/archive.pl?id=82&mid=1012993222.5866.4487.camel@puma.trustix.com&threads=1

19. texis(CGI) Path Disclosure Vulnerability (Thread)
Relevant URL: http://www.securityfocus.com/cgi-bin/archive.pl?id=82&mid=200202061434.g16EYIP46377@cgisecurity.net&threads=1

20. Problems with the scripts by Solution Scripts (Thread)
Relevant URL: http://www.securityfocus.com/cgi-bin/archive.pl?id=82&mid=111001c1aec2$44f0ba40$0502a8c0@guinness&threads=1

21. chaging your @home IP address... could you take a bunch of (Thread)
Relevant URL: http://www.securityfocus.com/cgi-bin/archive.pl?id=82&mid=45950.24.247.24.39.1012980022.squirrel@webmail.gotclue.org&threads=1

22. MSN Messenger reveals your name to websites (and can reveal email addresses too) (Thread)
Relevant URL: http://www.securityfocus.com/cgi-bin/archive.pl?id=82&mid=NEEPLCMFPIEOEDGJJJIGCEHDCAAA.bryan_allerdice@yahoo.com&threads=1

23. Security Hole in WWWeBBB forum (Thread)
Relevant URL: http://www.securityfocus.com/cgi-bin/archive.pl?id=82&mid=F174hMLqoSiOejvJnw40001af01@hotmail.com&threads=1

24. Blue Boar - Reported Kazaa and Morpheus vulnerabilities (Thread)
Relevant URL: http://www.securityfocus.com/cgi-bin/archive.pl?id=82&mid=F51GI5fV1Bn9wmaOJOF0001f1aa@hotmail.com&threads=1

25. Re[2]: directory traversal (Thread)
Relevant URL: http://www.securityfocus.com/cgi-bin/archive.pl?id=82&mid=6322152763.20020205190029@labs.secureance.com&threads=1

26. mIRC Buffer Overflow (Thread)
Relevant URL: http://www.securityfocus.com/cgi-bin/archive.pl?id=82&mid=005c01c1ae70$c054aef0$0400000a@deviate.cx&threads=1

27.
Badtrans on the list (Thread)
Relevant URL: http://www.securityfocus.com/cgi-bin/archive.pl?id=82&mid=3C5FD877.2000600@pakcert.org&threads=1

28. Hacker's Digest - Issue 3 Winter 2002 (Thread)
Relevant URL: http://www.securityfocus.com/cgi-bin/archive.pl?id=82&mid=012201c1ae89$078083e0$71c4edd1@y5i6g4&threads=1

29. Sardonix Security Auditing Portal (Thread)
Relevant URL: http://www.securityfocus.com/cgi-bin/archive.pl?id=82&mid=3C6033A8.8070004@wirex.com&threads=1

30. Lotus Domino password bypass (Thread)
Relevant URL: http://www.securityfocus.com/cgi-bin/archive.pl?id=82&mid=00ba01c1ada2$0336ba30$71e693c3@XU5UDGJMHXJ300&threads=1

31. Correction - Oracle Apache+WebDB info leakege (Thread)
Relevant URL: http://www.securityfocus.com/cgi-bin/archive.pl?id=82&mid=683171DCB09AD511A6A00008C7918F12BACFC8@itmilexc02.it.kworld.kpmg.com&threads=1

32. [Fwd: Reported Kazaa and Morpheus vulnerabilities] (Thread)
Relevant URL: http://www.securityfocus.com/cgi-bin/archive.pl?id=82&mid=3C5F1329.207166EB@thievco.com&threads=1

33. switch jamming (Thread)
Relevant URL: http://www.securityfocus.com/cgi-bin/archive.pl?id=82&mid=MWMail.dhrefhtn@host.none&threads=1

34. Antwort: Lotus Domino url bypass (Thread)
Relevant URL: http://www.securityfocus.com/cgi-bin/archive.pl?id=82&mid=018601c1ada5$082a6610$bbc7fea9@STEALTH&threads=1

35. CSS, CSS & let me give you some more CSS (Thread)
Relevant URL: http://www.securityfocus.com/cgi-bin/archive.pl?id=82&mid=3C5E5D39.40E986B@ubizen.com&threads=1

36. Lotus Domino url bypass (Thread)
Relevant URL: http://www.securityfocus.com/cgi-bin/archive.pl?id=82&mid=93B6SQ2XIFB8UTVUPL651WGC04EADWQ.3c5e57ac@NICOLAS&threads=1

37. X2 SSHD Vuln Update (Thread)
Relevant URL: http://www.securityfocus.com/cgi-bin/archive.pl?id=82&mid=006c01c1ad87$bd1143a0$5b802ed8@mur.odyssey.on.ca&threads=1

VIII. MICROSOFT FOCUS LIST SUMMARY
---------------------------------
1. Where would the changes be saved?
(Thread)
Relevant URL: http://www.securityfocus.com/cgi-bin/archive.pl?id=88&mid=AAEJJLOGDIINFKOLIPEMIEGOCOAA.ken.hoover@yale.edu&threads=1

2. Question regarding attack (Thread)
Relevant URL: http://www.securityfocus.com/cgi-bin/archive.pl?id=88&mid=012201c1b014$2a1f1880$0302a8c0@WorkGroup&threads=1

3. SYSTEM grabbing ports? (Thread)
Relevant URL: http://www.securityfocus.com/cgi-bin/archive.pl?id=88&mid=013101c1afd7$950cd480$652ca8c0@FUSION.CO.UK&threads=1

4. Allowing users to change their password via the web (Thread)
Relevant URL: http://www.securityfocus.com/cgi-bin/archive.pl?id=88&mid=NEEPLCMFPIEOEDGJJJIGGEIKCAAA.bryan_allerdice@yahoo.com&threads=1

5. Secure Transactions over HTTPS???? (Thread)
Relevant URL: http://www.securityfocus.com/cgi-bin/archive.pl?id=88&mid=019001c1af44$ffb25a00$0a971681@cwru.edu&threads=1

6. Possible hack - Portable profile found in a Windows 2K Pro SP1 station.. (Thread)
Relevant URL: http://www.securityfocus.com/cgi-bin/archive.pl?id=88&mid=F114g5wlSe9F6EBSotw00003374@hotmail.com&threads=1

7. Local security policy Settings (Thread)
Relevant URL: http://www.securityfocus.com/cgi-bin/archive.pl?id=88&mid=NEEPLCMFPIEOEDGJJJIGMEHJCAAA.bryan_allerdice@yahoo.com&threads=1

8. IM encryption (Thread)
Relevant URL: http://www.securityfocus.com/cgi-bin/archive.pl?id=88&mid=HMEIJMEKLHGNJPCDCEBOCEHMCLAA.jrodriguez@intellinet-tech.com&threads=1

9. TCP/IP Filtering problem on W2KAS (Thread)
Relevant URL: http://www.securityfocus.com/cgi-bin/archive.pl?id=88&mid=20020205164653.A14288@garbarek.hsc.fr&threads=1

10. Possible hack - Portable profile found in a Windows 2K Pro SP 1 station.. (Thread)
Relevant URL: http://www.securityfocus.com/cgi-bin/archive.pl?id=88&mid=4FAAAF78EB0ED411A45200D0B73C4DE12127A1@ThisAddressDoesNotExist&threads=1

11. Windows 2000/.Net Group Policy Locker (Thread)
Relevant URL: http://www.securityfocus.com/cgi-bin/archive.pl?id=88&mid=20020204173152.28883.qmail@web10907.mail.yahoo.com&threads=1

12.
TCP/IP Filtering problem on (Thread)
Relevant URL: http://www.securityfocus.com/cgi-bin/archive.pl?id=88&mid=180349117824.20020204172944@rubikon.pl&threads=1

13. SecurityFocus Microsoft Newsletter #72 (Thread)
Relevant URL: http://www.securityfocus.com/cgi-bin/archive.pl?id=88&mid=Pine.LNX.4.43.0202041517560.7331-100000@mail.securityfocus.com&threads=1

IX. SUN FOCUS LIST SUMMARY
----------------------------
1. nfssrv:nfs_portmon (Thread)
Relevant URL: http://www.securityfocus.com/cgi-bin/archive.pl?id=92&mid=20020206213449.B8477@chopin.gmi.com&threads=1

2. Trouble changing BSM/audit options without reboot (Thread)
Relevant URL: http://www.securityfocus.com/cgi-bin/archive.pl?id=92&mid=200202070023.g170NqGC277703@jurassic.eng.sun.com&threads=1

X. LINUX FOCUS LIST SUMMARY
---------------------------
1. iptables + strings: tutorial + script (Thread)
Relevant URL: http://www.securityfocus.com/cgi-bin/archive.pl?id=91&mid=32802.192.168.0.1.1013045938.squirrel@fire-eyes.yi.org&threads=1

2. apache and nimda (now iptables) (Thread)
Relevant URL: http://www.securityfocus.com/cgi-bin/archive.pl?id=91&mid=002501c1ae9f$48d0ef90$d041793e@PC&threads=1

3. nimda and string match [Re: apache and nimbda] (Thread)
Relevant URL: http://www.securityfocus.com/cgi-bin/archive.pl?id=91&mid=20020205182437.GB4588@haverlant.homeip.net&threads=1

XI. SPONSOR INFORMATION
-----------------------
This newsletter is sponsored by Tripwire (http://www.tripwire.com). The sponsor's notice appears in full at the top of this issue.
http://www.tripwire.com/literature/poster/index.cfm?djinn=363
-------------------------------------------------------------------------------
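The p0f entry in section IV describes passive OS detection from the TTL, DF bit, window size and TCP option layout of an observed SYN, plus an estimate of the distance to the sender. The block below is an added example written for this newsletter, not p0f's own code or database: a minimal fingerprinter in Python (chosen over C so it runs stand-alone without a capture library) that parses a raw IPv4/TCP SYN, builds the signature tuple, matches it against a small constructed table and derives the hop count from the nearest common initial TTL. The signature table, the sample packets built by make_syn, and all function names are assumptions made here; the two signatures are illustrative only.

```python
import struct

# Constructed, illustrative signature table for this example; it is NOT
# p0f's real fingerprint database.  Key: (window, initial TTL, DF bit, MSS,
# option layout); value: label.
SIGNATURES = {
    (5840, 64, 1, 1460, "M,S,T,N,W"): "Linux 2.4-like (example signature)",
    (16384, 128, 1, 1460, "M,N,N,S"): "Windows 2000-like (example signature)",
}

# Common initial TTLs: the smallest one >= the observed TTL is taken as the
# sender's starting value, and the difference is the hop count (distance).
INITIAL_TTLS = (32, 64, 128, 255)


def parse_ipv4(pkt):
    """Return (header_len, ttl, df, protocol) from a raw IPv4 header."""
    ihl = (pkt[0] & 0x0F) * 4
    flags_frag = struct.unpack("!H", pkt[6:8])[0]
    df = (flags_frag >> 14) & 1
    return ihl, pkt[8], df, pkt[9]


def parse_tcp(seg):
    """Return (is_pure_syn, window, mss, option_layout) for a TCP segment."""
    _src, _dst, _seq, _ack, off_flags, win = struct.unpack("!HHIIHH", seg[:16])
    data_off = (off_flags >> 12) * 4
    flags = off_flags & 0x1FF
    is_syn = bool(flags & 0x02) and not (flags & 0x10)   # SYN set, ACK clear
    opts = seg[20:data_off]
    layout, mss, i = [], 0, 0
    while i < len(opts):
        kind = opts[i]
        if kind == 0:                      # End of option list
            layout.append("E")
            break
        if kind == 1:                      # NOP
            layout.append("N")
            i += 1
            continue
        if i + 1 >= len(opts):
            break                          # truncated option: stop, don't trust it
        length = opts[i + 1]
        if length < 2 or i + length > len(opts):
            break                          # malformed length: stop parsing
        body = opts[i + 2:i + length]
        if kind == 2 and length == 4:      # Maximum Segment Size
            mss = struct.unpack("!H", body)[0]
            layout.append("M")
        elif kind == 3:                    # Window scale
            layout.append("W")
        elif kind == 4:                    # SACK permitted
            layout.append("S")
        elif kind == 8:                    # Timestamps
            layout.append("T")
        else:
            layout.append("?%d" % kind)
        i += length
    return is_syn, win, mss, ",".join(layout)


def fingerprint(pkt):
    """Passively classify one IPv4/TCP SYN; returns None for non-SYN traffic."""
    ihl, ttl, df, proto = parse_ipv4(pkt)
    if proto != 6:
        return None
    is_syn, win, mss, layout = parse_tcp(pkt[ihl:])
    if not is_syn:
        return None
    initial_ttl = next((t for t in INITIAL_TTLS if t >= ttl), 255)
    key = (win, initial_ttl, df, mss, layout)
    return {"os": SIGNATURES.get(key, "UNKNOWN"),
            "distance": initial_ttl - ttl, "signature": key}


def make_syn(ttl, df, window, options):
    """Build a raw IPv4+TCP SYN for testing (checksums left zero; the
    fingerprinter never verifies them)."""
    options += b"\x00" * (-len(options) % 4)        # pad to 32-bit boundary
    tcp = struct.pack("!HHIIHH", 40000, 80, 1, 0,
                      (((20 + len(options)) // 4) << 12) | 0x02, window)
    tcp += b"\x00\x00\x00\x00" + options             # checksum, urgent ptr
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1,
                     0x4000 if df else 0, ttl, 6, 0,
                     bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    return ip + tcp


# Constructed sample packets for this example (not captured traffic).
LINUX_LIKE_SYN = make_syn(51, 1, 5840,
    b"\x02\x04\x05\xb4" + b"\x04\x02" + b"\x08\x0a" + b"\x00" * 8 +
    b"\x01" + b"\x03\x03\x00")
WINDOWS_LIKE_SYN = make_syn(116, 1, 16384,
    b"\x02\x04\x05\xb4" + b"\x01\x01" + b"\x04\x02")

if __name__ == "__main__":
    for p in (LINUX_LIKE_SYN, WINDOWS_LIKE_SYN):
        print(fingerprint(p))
```

On live traffic the frames come from a pcap file or raw socket and the link-layer header has to be stripped before parse_ipv4 sees the packet. The option walker stops at the first option whose length runs past the buffer instead of trusting the length byte; that is the check that matters when the SYN comes from a host you do not control, since the fingerprinter is parsing attacker-supplied bytes.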
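The NGSecureWeb summary in section IV lists the checks an application-level request filter makes before the web server sees a request: long URLs, long GET and POST arguments, long headers, forbidden words, and shellcode such as a NOP sled. The block below is an added example of that kind of filter, written here in Python; it is not NGSecureWeb's code, and the limits, forbidden-word list and sample requests are all constructed for illustration. It decodes %xx escapes before matching, so that URL encoding cannot hide a pattern from the word and shellcode checks, which is the mistake a naive filter makes.

```python
from urllib.parse import unquote_to_bytes

# Illustrative limits and word list (constructed for this example, not
# NGSecureWeb's defaults).
LIMITS = {"url": 512, "arg": 128, "header": 512, "body": 4096}
FORBIDDEN = (b"/etc/passwd", b"cmd.exe", b"xp_cmdshell")


def parse_request(raw):
    """Split a raw HTTP/1.x request into (method, target, headers, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    parts = lines[0].split(b" ")
    method = parts[0]
    target = parts[1] if len(parts) > 1 else b""
    headers = [ln for ln in lines[1:] if ln]
    return method, target, headers, body


def looks_like_shellcode(data, min_sled=16, min_len=48):
    """Heuristic: a run of x86 NOPs, or a long, mostly non-printable blob."""
    if b"\x90" * min_sled in data:
        return True
    if len(data) >= min_len:
        nonprint = sum(1 for b in data if b < 0x20 or b > 0x7E)
        return nonprint / len(data) > 0.3
    return False


def inspect(raw):
    """Return the list of rule names the request trips (empty list = clean)."""
    findings = []
    method, target, headers, body = parse_request(raw)
    if len(target) > LIMITS["url"]:
        findings.append("url-too-long")
    path, _, query = target.partition(b"?")
    for arg in (query.split(b"&") if query else []):
        if len(arg) > LIMITS["arg"]:
            findings.append("get-arg-too-long")
            break
    if any(len(h) > LIMITS["header"] for h in headers):
        findings.append("header-too-long")
    if len(body) > LIMITS["body"]:
        findings.append("body-too-long")
    # Decode %xx escapes first so encoding cannot hide a pattern from us.
    decoded = [unquote_to_bytes(target), unquote_to_bytes(body)] + \
        [unquote_to_bytes(h) for h in headers]
    if any(w in field.lower() for field in decoded for w in FORBIDDEN):
        findings.append("forbidden-word")
    if any(looks_like_shellcode(field) for field in decoded):
        findings.append("possible-shellcode")
    return findings


def firewall_decision(raw):
    """Block on any finding; returns (allowed, findings)."""
    findings = inspect(raw)
    return (not findings), findings


# Constructed sample requests (not real traffic).
BENIGN = b"GET /index.html HTTP/1.0\r\nHost: www.example.test\r\n\r\n"
LONG_URL = (b"GET /" + b"A" * 600
            + b" HTTP/1.0\r\nHost: www.example.test\r\n\r\n")
SLED = (b"GET /cgi-bin/form.cgi?name=" + b"%90" * 32 + b"%cc%cc"
        + b" HTTP/1.0\r\nHost: www.example.test\r\n\r\n")
TRAVERSAL = b"GET /cgi-bin/view.cgi?f=..%2F..%2Fetc%2Fpasswd HTTP/1.0\r\n\r\n"

if __name__ == "__main__":
    for name, req in (("benign", BENIGN), ("long-url", LONG_URL),
                      ("nop-sled", SLED), ("traversal", TRAVERSAL)):
        print(name, firewall_decision(req))
```

Length limits and word lists are cheap and catch the bulk of scanner noise, but they are also the part an attacker tunes against: the shellcode heuristic here only recognises the classic 0x90 sled and byte-density, so polymorphic payloads the NGSecureWeb summary mentions would need a more specific decoder than this example shows.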
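The Wnmap summary in section IV describes recursive discovery of directories from the HREF, FORM and FRAME tags of a site, so that a CGI scanner tests the locations the site actually uses rather than only default paths. The following is an added example of the same idea in Python, not Wnmap's code: an offline crawler that takes a fetch function (here a dict of constructed pages standing in for a real host), stays on one host, records every directory prefix of every path it sees, and combines those directories with a name list to build the candidate URLs a default-path scan would miss. It goes slightly beyond the three tags named in the summary by also following iframe, script, img, link and area attributes. The tag table, sample site and function names are assumptions for this example.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Tags and the attribute on each that carries a path worth following.
# The HREF/FORM/FRAME idea from the Wnmap description, extended a little.
LINK_ATTRS = {"a": "href", "link": "href", "area": "href", "form": "action",
              "frame": "src", "iframe": "src", "script": "src", "img": "src"}


class LinkExtractor(HTMLParser):
    """Collect raw link targets from one HTML document."""

    def __init__(self):
        super().__init__()
        self.links = []

    def handle_starttag(self, tag, attrs):
        want = LINK_ATTRS.get(tag)
        for name, value in attrs:
            if name == want and value:
                self.links.append(value)


def directories_of(path):
    """'/app/cgi/foo.cgi' -> {'/', '/app/', '/app/cgi/'}"""
    parts = path.split("/")
    return {"/".join(parts[:i]) + "/" for i in range(1, len(parts))}


def crawl(start, fetch, max_pages=200):
    """Breadth-first crawl of one host; returns (directories, visited_urls).

    fetch(url) must return the page body as str, or None when the URL yields
    no HTML.  Passing a dict's .get keeps the whole run offline."""
    host = urlsplit(start).netloc
    queue, visited, dirs = [start], set(), set()
    while queue and len(visited) < max_pages:
        url = queue.pop(0)
        if url in visited:
            continue
        visited.add(url)
        html = fetch(url)
        if html is None:
            continue
        parser = LinkExtractor()
        parser.feed(html)
        for raw in parser.links:
            target = urlsplit(urljoin(url, raw))
            if target.netloc != host:
                continue                      # stay in scope: one host only
            dirs |= directories_of(target.path or "/")
            clean = target._replace(query="", fragment="").geturl()
            if clean not in visited:
                queue.append(clean)
    return dirs, visited


def candidate_urls(base, dirs, names):
    """Every discovered directory combined with a short list of file names."""
    return sorted(urljoin(base, d + n) for d in dirs for n in names)


# Constructed sample site for this example (not a real host).
SITE = {
    "http://www.example.test/": (
        '<html><a href="/cgi-custom/login.cgi">login</a>'
        '<frame src="/admin/frame.html">'
        '<form action="/app/bin/search.pl" method="get"></form>'
        '<a href="http://other.test/x">external</a></html>'),
    "http://www.example.test/admin/frame.html":
        '<a href="scripts/menu.cgi">menu</a>',
    "http://www.example.test/cgi-custom/login.cgi": "<p>login form</p>",
}

if __name__ == "__main__":
    found, seen = crawl("http://www.example.test/", SITE.get)
    for d in sorted(found):
        print(d)
    for u in candidate_urls("http://www.example.test/", found, ["test.cgi"]):
        print(u)
```

With a real target, fetch would be a function that issues the HTTP request and returns the body only when the Content-Type is HTML; the in-scope check on the host name is what keeps a crawler from wandering onto third-party sites, which matters on an authorised test.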