Specifications

SAFER – Vol. 3, Issue 6 22 © 2000 The Relay Group
NetStructure 7110 Undocumented Password Vulnerability
Released May 08, 2000
Affects Intel Corporation NetStructure 7110.0
Reference http://www.securityfocus.com/bid/1182
Problem
- This internet equipment is designed for businesses with multiple Web site locations, routing traffic
to the best available site from a single URL. Certain revisions of this package have an
undocumented supervisor password. This password, which grants access to the 'wizard' mode of
the device, is derived from the MAC address of the primary NIC. This MAC address is displayed in
the login banner.
- This password can be utilized from the admin console locally (via a serial interface) or remotely if
the machine has been deployed with a modem for remote access. With this password an intruder
gains shell access to the underlying UNIX system and may sniff traffic, among other things.
SAFER
- Intel has created a patch for this issue.
AOL Instant Messenger Path Disclosure Vulnerability
Released May 08, 2000
Affects AOL Instant Messenger 4.0
Reference http://www.securityfocus.com/bid/1180
Problem
- If a user transmits a file through AOL Instant Messenger, the full local path of the file is displayed
to the remote recipient. This information could possibly be used in order to discover the Operating
System platform and other sensitive details which may assist in a future attack.
SAFER
- No details about the fix have been released. We expect that AOL will indeed fix the problem in
the next release of AIM.
Microsoft IIS shtml.exe Path Disclosure Vulnerability
Released May 06, 2000
Affects Microsoft FrontPage Server Extensions Module for Apache 3.0.43, IIS 4.0 and 5.0
Reference http://www.securityfocus.com/bid/1174
Problem
- The local path of an HTML, HTM, ASP, or SHTML file can be disclosed in Microsoft IIS 4.0/5.0.
Passing a path to a non-existent file to the shtml.exe program will display an error message stating
that the file cannot be found accompanied by the full local path to the web root.
SAFER
- Microsoft is aware of the issue and stated on May 8, 2000 that a patch is forthcoming.
Netwin DNews News Server Buffer Overflow Vulnerability
Released May 05, 2000
Affects NetWin DNews 5.3
Reference http://www.securityfocus.com/bid/1172
Problem
- DNews News Server provides a CGI application that gives access to the user's NNTP server over the
web. There are many unchecked buffers in the program, some of which can be exploited directly
from any browser.
- Supplying an overly long value for the "group", "cmd" and "utag" variables, and possibly others, will
overwrite their respective buffers. In this manner, arbitrary code can be executed on the remote
target.
SAFER
- Netwin has released patches which rectify this issue.
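
The kind of length check whose absence the DNews advisory describes, as an added example (not NetWin's code and not part of the original newsletter): it parses a CGI query string and rejects an oversized "group", "cmd" or "utag" value instead of copying it into a fixed buffer. The 64-byte limit, the function names and the sample queries are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>

#define PARAM_MAX 64  /* assumed limit; DNews's real buffer sizes are not given */
enum { PARAM_OK = 0, PARAM_MISSING = -1, PARAM_TOO_LONG = -2 };

/* Copy the value of `name` from a CGI query string into out[outlen].
 * The value is measured first and rejected if it does not fit, instead of
 * being copied unchecked into a fixed buffer. Percent-decoding is omitted;
 * decoding never lengthens a value, so the same bound holds afterwards. */
int get_param(const char *query, const char *name, char *out, size_t outlen)
{
    size_t nlen = strlen(name);
    const char *p = query;
    while (p && *p) {
        const char *end = strchr(p, '&');
        size_t seglen = end ? (size_t)(end - p) : strlen(p);
        if (seglen > nlen && strncmp(p, name, nlen) == 0 && p[nlen] == '=') {
            size_t vlen = seglen - nlen - 1;
            if (vlen >= outlen)          /* no room for value plus NUL */
                return PARAM_TOO_LONG;
            memcpy(out, p + nlen + 1, vlen);
            out[vlen] = '\0';
            return PARAM_OK;
        }
        p = end ? end + 1 : NULL;        /* advance to the next name=value pair */
    }
    return PARAM_MISSING;
}

/* Returns 0 only if none of the variables named in the advisory is oversized. */
int check_request(const char *query)
{
    static const char *names[] = { "group", "cmd", "utag" };
    char value[PARAM_MAX];
    for (size_t i = 0; i < sizeof names / sizeof names[0]; i++)
        if (get_param(query, names[i], value, sizeof value) == PARAM_TOO_LONG)
            return -1;
    return 0;
}

int main(void)
{
    char big[256] = "cmd=xover&utag=";          /* constructed sample input */
    memset(big + strlen(big), 'A', 100);        /* 100-byte utag value */
    printf("%d\n", check_request("group=comp.security&cmd=xover"));
    printf("%d\n", check_request(big));
    return 0;
}
```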