SAFER – Vol. 3, Issue 6 9 © 2000 The Relay Group
Omnis Studio 2.4 Weak Database Field Encryption Vulnerability
Released May 25, 2000
Affects Omnis Studio 2.4
Reference http://www.securityfocus.com/bid/1255
Problem
- The encryption scheme used in Omnis Studio is weak and easily broken with any scientific
calculator or even pen and paper, if the attacker has a good knowledge of hex and ASCII. Each
unencrypted byte is simply replaced with a value dependent on that byte's original value and the
remainder of its position in the string divided by 4.
- Note that this vulnerability does not affect the security of Omnis Studio directly, but will be present
in all applications designed using Omnis Studio.
SAFER
- No responses from the vendor yet.
Network Associates WebShield SMTP 4.5.44 Configuration Modification Vulnerability
Released May 25, 2000
Affects Network Associates WebShield SMTP 4.5.44
Reference http://www.securityfocus.com/bid/1253
Problem
- By default, Network Associates WebShield SMTP runs the management agent on port 9999. A
remote user may gain access to this agent and modify the configuration of WebShield SMTP
simply by connecting to this particular port. Issuing the command "GET_CONFIG<CR>" will return
the current configuration.
- The management agent grants access based on a list of authorized hostnames, but will grant
access to any IP address which cannot be resolved to a hostname even if 'MailCfg' is set to only
allow configuration from localhost.
SAFER
- This vulnerability is not present in Network Associates WebShield SMTP 4.5.74.0 or later. It is
recommended to upgrade to version 4.5.74.0 or later.
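
The fail-open decision described in this entry, modelled beside a fail-closed check, as an added example that is not from the advisory or from Network Associates. The function names, the DNS tables and every address are constructed, and the forward-confirmation step goes beyond what the advisory describes.

```python
import ipaddress

# Constructed DNS data standing in for a real resolver (documentation addresses).
PTR = {
    "127.0.0.1": "localhost",
    "192.0.2.10": "admin.example.com",
    "198.51.100.7": "admin.example.com",  # PTR claim the forward zone does not confirm
}
A = {"localhost": {"127.0.0.1"}, "admin.example.com": {"192.0.2.10"}}

def reverse_lookup(ip):
    """Return the PTR name for ip, or None when the address does not resolve."""
    return PTR.get(ip)

def forward_lookup(name):
    """Return the set of addresses the name resolves to (empty if none)."""
    return A.get(name, set())

def authorize_fail_open(ip, allowed_hosts):
    """Model of the flawed behaviour: a peer with no hostname is let in."""
    name = reverse_lookup(ip)
    if name is None:
        return True  # flaw: a failed lookup skips the hostname list entirely
    return name in allowed_hosts

def authorize_fail_closed(ip, allowed_hosts, allowed_nets=()):
    """Hardened check: decide on the address where possible, deny on any doubt."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False  # malformed peer address
    if any(addr in ipaddress.ip_network(net) for net in allowed_nets):
        return True  # address allowlist, no DNS involved
    name = reverse_lookup(ip)
    if name is None or name not in allowed_hosts:
        return False  # unresolvable or unlisted peer is denied
    return ip in forward_lookup(name)  # the name must resolve back to the peer

def compare(peers, allowed_hosts, allowed_nets=()):
    """Map each peer to (fail_open_result, fail_closed_result)."""
    return {p: (authorize_fail_open(p, allowed_hosts),
                authorize_fail_closed(p, allowed_hosts, allowed_nets))
            for p in peers}
```

With a localhost-only policy, the constructed peer `203.0.113.50` has no PTR record: the first function admits it, the second denies it.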
HP Web JetAdmin Directory Traversal Vulnerability
Released May 24, 2000
Affects HP JetAdmin 5.6, HP JetAdmin 5.5.177
Reference http://www.securityfocus.com/bid/1243
Problem
- By default, the JetAdmin Web Interface Server listens on port 8000. By requesting a specially formed
URL which includes "../", a remote user can gain read access to any file outside of
the web-published directory.
SAFER
- Upgrade to Version 6.0.
Qualcomm Qpopper 'EUIDL' Format String Input Vulnerability
Released May 24, 2000
Affects Qualcomm qpopper 2.53, 2.52
Reference http://www.securityfocus.com/bid/1242
Problem
- By placing machine executable code in the X-UIDL header field, supplying formatting strings in the
"From:" field in a mail header, and then issuing, as the user the mail was sent to, a 'euidl'
command, it is possible to execute arbitrary code.
- This code will execute as the user executing the euidl command, but with group 'mail' permissions
on hosts running qpopper in that group. This is often done due to mail spool permissions.
- This vulnerability does not exist in versions after 2.53. It also requires an account on the machine.
SAFER
- The vendor recommends upgrading to versions 3.0.2 or later of qpopper.