Security Update - Have your site tested

27 Nov 2001

Have you had your site tested in the last 3 months? If not, we would suggest that you contact us for a full security audit of your site. Costs are between £650.00 and £1,500.00; please contact us with your site address for a quote.

Title: Redhat Stronghold File System Disclosure
Category: CGI abuses
Summary: Redhat Stronghold File System Disclosure
Description: Redhat Stronghold Secure Server File System Disclosure Vulnerability
The problem:
In Redhat Stronghold versions 2.3 up to 3.0, a flaw allows a remote attacker to disclose sensitive system files, including the httpd.conf file, if restricted access to the server status report is not enabled when using those features. This may assist an attacker in performing further attacks.

Please note that this attack can be performed after a default installation. The vulnerability seems to affect all previous versions of Stronghold.
Vendor status: Patch was released (November 19, 2001)
Risk factor: Medium

Title: rwhois format string attack (2)
Category: Gain a shell remotely
Summary: Determines if rwhois is vulnerable to a format string attack
The remote rwhois daemon is vulnerable to a format string attack when supplied with malformed arguments in a request, such as %p%p%p.

An attacker may use this flaw to gain a shell on this host.
Risk factor: High
Solution: Disable this service or upgrade to version or newer

Title: ActivePerl perlIS.dll Buffer Overflow
Category: CGI abuses
Summary: Determines if arbitrary commands can be executed thanks to ActivePerl's perlIS.dll
An attacker can run arbitrary code on the remote IIS server if it is running a version of ActivePerl prior to and has the 'Check that file exists' option disabled for perlIS.dll.
Either upgrade to a version of ActivePerl more recent than or enable the 'Check that file exists' option. To enable this option, open the IIS MMC, right-click a (virtual) directory in your web server, choose Properties, click the Configuration... button, highlight the .plx item, click Edit, and then check 'Check that file exists'.
Risk factor: High

Title: Informix traversal
Category: Remote file access
Summary: /ifx/?LO=../../../file
The Web DataBlade modules for Informix SQL allow an attacker to read arbitrary files on the remote system by sending a specially crafted request, like:

GET /ifx/?LO=../../../../file
Solution: Disable this module
Risk factor: High
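Until the module can be disabled, the traversal requests described above can be spotted in web server logs. The following is an added detection example written for this bulletin, not code from the bulletin or from Informix; it assumes combined-format access logs and uses constructed sample lines, and it also catches percent-encoded and double-encoded forms of "..", which the bulletin's single example does not show.

```python
import re
from urllib.parse import unquote, urlsplit, parse_qsl

# Constructed sample log lines (combined log format); not real traffic.
SAMPLE_LOG = """\
10.0.0.5 - - [27/Nov/2001:10:00:01 +0000] "GET /ifx/?LO=../../../../file HTTP/1.0" 200 1234
10.0.0.6 - - [27/Nov/2001:10:00:02 +0000] "GET /ifx/?LO=%2e%2e%2f%2e%2e%2ffile HTTP/1.0" 200 1234
10.0.0.7 - - [27/Nov/2001:10:00:03 +0000] "GET /ifx/?LO=reports/q3.html HTTP/1.0" 200 512
10.0.0.8 - - [27/Nov/2001:10:00:04 +0000] "GET /index.html HTTP/1.0" 200 2048
"""

# client, timestamp, method, request target, status code
REQUEST_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})')


def has_traversal(value: str) -> bool:
    """True if value, after repeated percent-decoding, contains a '..' path segment."""
    decoded = value
    for _ in range(3):  # undo double-encoding such as %252e
        nxt = unquote(decoded)
        if nxt == decoded:
            break
        decoded = nxt
    # Split on both slash styles so "..\\" is treated like "../"
    segments = re.split(r"[\\/]", decoded)
    return ".." in segments


def find_traversal_attempts(log_text: str):
    """Return one dict per log line whose path or query value contains a '..' segment."""
    hits = []
    for line in log_text.splitlines():
        m = REQUEST_RE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        client, ts, method, target, status = m.groups()
        parts = urlsplit(target)
        # parse_qsl percent-decodes once; has_traversal decodes any remaining layers
        suspects = [v for _, v in parse_qsl(parts.query, keep_blank_values=True)
                    if has_traversal(v)]
        if has_traversal(parts.path):
            suspects.append(parts.path)
        if suspects:
            hits.append({"client": client, "time": ts, "method": method,
                         "target": target, "status": status, "values": suspects})
    return hits


if __name__ == "__main__":
    for hit in find_traversal_attempts(SAMPLE_LOG):
        print(hit["client"], hit["target"], hit["values"])
```

A 200 status on a flagged request is the case to escalate, since it means the module served the file rather than rejecting the path.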

Title: DoSable Oracle WebCache server
Category: Denial of Service
There is a bug in the remote version of Oracle WebCache which allows any attacker to disable this service remotely.

An attacker may use this flaw to prevent outsiders from accessing your website.
Solution: None yet.
Risk factor: Medium

Title: Jakarta Tomcat Path Disclosure
Category: CGI abuses
Tomcat will reveal the physical path of the webroot when asked for a .jsp file using a specially crafted request.

An attacker may use this flaw to gain further knowledge about the remote filesystem layout.
Solution: None at this time.
Risk factor: Low

Title: PHP-Nuke Gallery Add-on File View
Category: CGI abuses
The remote PHP-Nuke service has a bugged version of the 'Gallery' add-on which allows attackers to read arbitrary files on the host.
Every file that the webserver has access to can be read by anyone.
Solution: Disable this add-on
Risk factor: High

Title: RPC Endpoint Mapper can Cause RPC Service to Fail
Category: Windows
Because the endpoint mapper runs within the RPC service itself, exploiting this vulnerability would cause the RPC service itself to fail, with the attendant loss of any RPC-based services the server offers, as well as potential loss of some COM functions. Normal service could be restored by rebooting the server.
Risk factor: Serious