Specifications

SAFER – Vol. 3, Issue 6, p. 19, © 2000 The Relay Group
NTMail Server 5.x Proxy Access Vulnerability
Released May 12, 2000
Affects NTMailserver.com NTMail 5.0
Reference http://www.securityfocus.com/bid/1196
Problem
- NTMail can be configured to act as a proxy server as well as a web configuration server. By
default each function is assigned its own port: the configuration function listens on port 8000 and
the proxy function on port 8080.
- If a separate proxy server with security restrictions in place is being used, it is possible to
disable the proxy function of NTMail, thus forcing users to go through the restricted proxy
server. However, the web configuration service on port 8000 also honours proxy requests, so a
user can point their browser's proxy settings at NTMail on port 8000 and reach the Internet with
no restrictions.
SAFER
- Disable the NTMail web configuration service (port 8000) until a patch is released.
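A way to verify the fix, added here as an example (not code from the advisory or from NTMail): send a proxy-style request, i.e. one whose request line carries an absolute URI for a foreign host, to each NTMail port and see whether the server relays it. The host name, ports and probe URL are assumptions.

```python
"""Check whether a host:port still relays HTTP proxy requests.

Added example, not part of the SAFER advisory or of NTMail. Host names,
ports and the probe URL are assumptions chosen for illustration.
"""
import re
import socket


def build_proxy_probe(target_url):
    """Build a forward-proxy request: absolute URI in the request line.

    A forward proxy fetches the foreign URL on the client's behalf; a server
    that is not proxying has no business answering it with content.
    """
    m = re.match(r"https?://([^/]+)(/.*)?$", target_url)
    if not m:
        raise ValueError("probe URL must be absolute, e.g. http://example.org/")
    host = m.group(1)
    return (
        f"GET {target_url} HTTP/1.0\r\n"
        f"Host: {host}\r\n"
        "Connection: close\r\n\r\n"
    ).encode("ascii")


def classify_response(raw):
    """Classify a raw HTTP response as 'relayed', 'refused' or 'unknown'."""
    m = re.match(rb"HTTP/\d\.\d (\d{3})", raw)
    if not m:
        return "unknown"
    status = int(m.group(1))
    if 200 <= status < 400:
        return "relayed"
    return "refused"


def probe(host, port, target_url="http://example.org/", timeout=5.0):
    """Connect to host:port, send the proxy-style request and classify the answer."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(build_proxy_probe(target_url))
        chunks = []
        try:
            while True:
                data = s.recv(4096)
                if not data:
                    break
                chunks.append(data)
                if sum(len(c) for c in chunks) > 65536:
                    break
        except socket.timeout:
            pass
    return classify_response(b"".join(chunks))


if __name__ == "__main__":
    # Assumed host name. After the proxy function is disabled, port 8080 should
    # refuse; if port 8000 still reports "relayed", it is acting as an open proxy.
    for port in (8080, 8000):
        try:
            print(port, probe("ntmail.example.internal", port))
        except OSError as e:
            print(port, "connection failed:", e)
```

A 2xx answer is not proof on its own: some servers ignore the host part of an absolute URI and serve their own default page, so compare the body with what the probe URL really returns before concluding that the port relays traffic.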
Microsoft IIS 4.0/5.0 Malformed Filename Request Vulnerability
Released May 11, 2000
Affects Microsoft IIS 4.0, 5.0
Reference http://www.securityfocus.com/bid/1193
Problem
- Requesting a known file from Microsoft IIS 4.0/5.0 with its extension replaced by .htr, where the
.htr is preceded by approximately 230 "%20" sequences (the URL-encoded form of a space), causes the
server to return the contents of the file. The .htr extension is mapped to the ISM.DLL ISAPI
extension, so the request is handed to ISM.DLL. ISM.DLL strips the extraneous "%20" sequences and
replaces .htr with the file's real extension, then returns the source of the file (e.g. the
server-side script of an .asp page) instead of processing it.
- This only works the first time ISM.DLL is loaded into memory, i.e. if no .htr request has been
made since the web service started. Once an .htr request has been handled, the web server must be
restarted before the attack can be repeated.
SAFER
- Microsoft has released patches that rectify this issue.
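For the operations side, an added example (not from the advisory or from Microsoft): build the request shape the advisory describes, to confirm a patched server no longer returns source, and flag such requests in IIS W3C extended logs. The log lines and their field order are constructed for illustration, and the field order is an assumption.

```python
"""Spot .htr source-disclosure requests in IIS logs.

Added example, not part of the SAFER advisory or of Microsoft's patch.
The log lines below are constructed; the W3C extended field order is an
assumption and must match the server's #Fields header in practice.
"""
import re

# Well below the ~230 encoded spaces the bug needs: no legitimate request
# carries dozens of encoded spaces (or "+") immediately before .htr.
HTR_PADDING = re.compile(r"(?:%20|\+){20,}\.htr(?:$|\?)", re.IGNORECASE)

# Constructed sample log, not real traffic.
SAMPLE_LOG = "\n".join([
    "#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status",
    "2000-05-12 10:01:03 10.0.0.5 GET /default.asp - 200",
    "2000-05-12 10:01:09 10.0.0.5 GET /iisadmpwd/achg.htr - 200",
    "2000-05-12 10:02:41 10.0.0.7 GET /global" + "%20" * 230 + ".htr - 200",
])


def build_htr_request(path, padding=230):
    """Request line in the shape the advisory describes: the file's own
    extension replaced by ~230 "%20" followed by .htr."""
    base = path.rsplit(".", 1)[0]
    return f"GET {base}{'%20' * padding}.htr HTTP/1.0\r\n\r\n"


def is_htr_probe(uri_part):
    """True if a URI stem or query carries a long encoded-space run before .htr."""
    return HTR_PADDING.search(uri_part) is not None


def scan_log(lines):
    """Return (client_ip, uri_stem, status) for each suspicious log line."""
    hits = []
    for line in lines:
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if len(fields) < 7:
            continue
        # assumed order: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
        _date, _time, c_ip, _method, uri_stem, query, status = fields[:7]
        if is_htr_probe(uri_stem) or is_htr_probe(query):
            hits.append((c_ip, uri_stem, status))
    return hits


if __name__ == "__main__":
    for ip, stem, status in scan_log(SAMPLE_LOG.splitlines()):
        print(f"{ip} requested {stem[:40]}... status {status}")
```

A hit with status 200 from an unpatched server is the disclosure itself; after patching, the same request should no longer yield source, but the log rule is still worth keeping since it shows who is scanning for the bug. If the logger stores the decoded URI, the encoded spaces become literal spaces and the field split above has to be adjusted.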
Bugzilla 2.8 Unchecked Existing Bug Report Vulnerability
Released May 11, 2000
Affects Mozilla Bugzilla 2.8
Reference http://www.securityfocus.com/bid/1199
Problem
- The machine running Bugzilla is vulnerable to exploitation due to an input validation error. When
accepting a bug report, the script "process_bug.cgi" calls "./processmail" via system() with a number
of arguments whose values originate from user input submitted through a web form.
- The script performs no check for shell metacharacters on these values before inserting them
into the system() call. Consequently, commands can be appended to the end of a form value, e.g.
"value;id", and are executed by /bin/sh with the privileges of the web server. The form value that is
passed to system() for all bug reports is "who", shown here in this section of code from
"process_bug.cgi":
SAFER
- An updated version of Bugzilla has been released.
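The pattern behind this bug and its two standard fixes, shown as an added example rather than Bugzilla's own code (process_bug.cgi is Perl; the same pattern is demonstrated here in Python). "echo" stands in for ./processmail so the example runs anywhere, and the form values are constructed.

```python
"""Shell metacharacter injection through system(), and two fixes.

Added example, not Bugzilla's own code. "echo" stands in for
./processmail; bug_id and who are constructed form values.
"""
import shlex
import subprocess

# Characters that let a form value alter the command line /bin/sh parses.
SHELL_META = set(";&|`$<>(){}[]*?~\\\"'\n\r ")


def has_shell_metachars(value):
    """Reject a form value if any shell metacharacter is present."""
    return any(c in SHELL_META for c in value)


def run_vulnerable(bug_id, who):
    """Mirrors system("./processmail $id $who"): the raw form value is pasted
    into a command string that /bin/sh then parses, so ";" ends the command."""
    cmd = f"echo {bug_id} {who}"
    out = subprocess.run(cmd, shell=True, capture_output=True, text=True)
    return out.stdout.splitlines()


def run_safe(bug_id, who):
    """Fix 1: no shell at all. Each value is one argv entry, so ";" is just a byte."""
    out = subprocess.run(["echo", bug_id, who], capture_output=True, text=True)
    return out.stdout.splitlines()


def run_validated(bug_id, who):
    """Fix 2: when a shell is unavoidable, validate and quote before interpolating.
    Quoting alone is sufficient; the validation is defence in depth."""
    if has_shell_metachars(who) or not bug_id.isdigit():
        raise ValueError("rejected form value")
    cmd = f"echo {shlex.quote(bug_id)} {shlex.quote(who)}"
    out = subprocess.run(cmd, shell=True, capture_output=True, text=True)
    return out.stdout.splitlines()


if __name__ == "__main__":
    who = "alice@example.org;echo INJECTED"
    print("vulnerable:", run_vulnerable("1234", who))  # second command runs
    print("safe:      ", run_safe("1234", who))        # value passed literally
```

In Perl the equivalent of run_safe is the list form, system('./processmail', $id, $who), which bypasses /bin/sh entirely; the fix in later Bugzilla releases is along these lines, but the exact change is not reproduced here.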