Server Bugs
LAST UPDATED:
Thursday, 14 February 2008 20:45:11 -0600
BEA WEBLOGIC SERVER BUFFER OVERFLOW VULNERABILITY
BEA Systems WebLogic Server is a wireless application server.
Unchecked buffers exist in a particular handler for URL requests that
begin with two dots. Depending on the data entered into the buffer,
WebLogic Server could be forced to crash or arbitrary code could be
executed on the system in the security context of the Web server. In
the event that random data was sent in order to crash the server,
restarting the application would be required in order to regain normal
functionality. BEA Systems has released WebLogic Server 5.1 SP 7 to
fix this problem. To download, browse to
SQL 7.0 BUG: ACCESS VIOLATION UNDER HIGH CURSOR STRESS
Microsoft has confirmed that under high-stress conditions on SQL
7.0, certain cursor operations may infrequently cause an access
violation. The server may become unstable or hang, causing other
unrelated access violations. Asynchronous cursor population is one
scenario where this could occur.
A supported fix that corrects this problem is now available from
Microsoft, but it has not been fully regression tested and should be
applied only to systems experiencing this specific problem. If this
specific problem does not severely affect you, Microsoft recommends
that you wait for the next SQL Server service pack, which will contain
this fix.
To resolve this problem immediately, contact Microsoft Product Support
Services to obtain the fix. For a list of Microsoft Product Support
Services phone numbers and information on support costs, please go to
Microsoft recently reported that SQL Server 7.0 may occasionally be
slower than SQL Server 6.5 when you run certain rare types of left
outer joins that involve large result sets. A supported fix that
corrects this problem is now available from Microsoft, but it has not
been fully regression tested and should be applied only to systems
experiencing this specific problem. If this problem does not severely
affect you, Microsoft recommends that you wait for the next SQL Server
Service Pack containing this fix.
To resolve this problem immediately, contact Microsoft Product Support
Services to obtain the fix. For a complete list of Microsoft Product
Support Services phone numbers and information on support costs,
please go to
Microsoft has discovered a bug in its Microsoft SQL Server OLAP
Services version 7.0 that may cause you problems. When a cube or
dimension is processed using the DTS Addin, and the processing fails
for some reason, the error message that displays is incorrect. An
operating system error message displays instead of the Decision
Support Object (DSO) error message. For example, if the program fails
with the 206 error "Process operation failed," the following operating
system 206 error displays instead: "The filename or extension is too
long." Similarly, the 207 "Internal error" displays as "The ring 2
stack is in use."
Microsoft has confirmed this problem in SQL Server OLAP Services
version 7.0 and is working on a fix.
MICROSOFT SQL SERVER VERSION 7.0 FIX
Microsoft has identified a potential problem you may experience
with SQL version 7.0. Under rare conditions a malformed Tabular Data
Stream (TDS) packet, which is submitted using Remote Procedure Call
(RPC) protocol, can cause various Access Violations (AVs). The AV may
result in a server shutdown if it occurs within the Open Data Services
(ODS) layer. If occurring outside ODS, the AV may cause instability
that results in a server hang.
The cause of the malformed packet is usually a network-layer factor
such as the Network Interface Card (NIC), NIC device driver, or
network router. Much less frequently a bug in the ODBC, OLE-DB, or
DB-Library client libraries may cause the problem.
This hot fix improves the server-side robustness for handling these
malformed packets. In some situations (but not all), it will avoid the
AV. Instead you may see error 17805: "Invalid buffer received from
client."
A supported fix that corrects this problem is now available from
Microsoft, but it has not been fully regression tested and should be
applied only to systems experiencing this specific problem. If this
specific problem does not severely affect you, Microsoft recommends
that you wait for the next SQL Server Service Pack containing this
fix.
To resolve this problem immediately, contact Microsoft Product Support
Services to obtain the fix. For a complete list of Microsoft Product
Support Services phone numbers and information on support costs, go to
the following Web address:
If you receive the error message "Error 7102 with Keyset-Driven
Cursors on Table with Text Column" on your SQL 7.0 system, you're
experiencing a known, fixable bug. The problem occurs when a
keyset-driven cursor on a SELECT statement that uses the NOLOCK option
on a table with a text column returns error 7102--if while fetching
the data, one of the records of the cursor's result set is deleted
from another connection.
Error message 7102 is: "Server: Msg 7102, Level 20, State 99,
Procedure sp_cursorfetch, Line 24 SQL Server Internal Error. Text
manager cannot continue with current statement."
Microsoft recommends the following workarounds for this problem:
- Remove the NOLOCK option from the SELECT statement.
- Change the cursor to any other type (for example, static, dynamic,
or fast_forward).
YET ANOTHER SQL 7.0 BUG
When using per-server licensing, if a certain mixture of clients
connect that require the server to grow the overflow chain used to
track and maintain licensing, heap memory corruption and/or an access
violation (AV) may occur.
Use per-seat licensing instead. Microsoft has confirmed this problem
in SQL Server version 7.0.
MCIS VULNERABILITY SOLVED
A patch is available from Microsoft to eliminate a potential
security problem with the Microsoft Commercial Internet System (MCIS).
Presently, a malicious user could crash a server by causing buffer
overruns via the Internet Mail Access Protocol (IMAP). IMAP responds
to a variety of requests. A malicious user can submit a request
containing arguments that will overflow the IMAP buffer, resulting in
failure of most Internet-related services on the machine. Microsoft
has acknowledged the problem and released a patch for MCIS 2.0 and
2.5. It is available for download at
Users of Microsoft Internet Information Server 4.0, Microsoft Site
Server 3.0, and Microsoft Site Server Commerce Edition 3 should be
sure to download two patches that eliminate two possible
vulnerabilities in the Escape Character Parsing and Virtual Directory
Naming features. The patches are available at the following URLs,
respectively:
An incompatibility has arisen between Microsoft's widespread
Internet Information Server 4 (note: NOT MS Internet Explorer, the Web
browser) and certain international versions of Netscape Communicator
4.7. The bug involves miscommunication between browser and server when
Communicator attempts to accept 56-bit digital certificates. IIS 4
does not support 56-bit certificates, and when Communicator tries to
step up to 128-bit certificates, it causes an invalid page fault in
netscape.exe. Industry sources say that MS IIS 4 is in use on almost
25 percent of all Web servers and that the affected versions of
Netscape total nearly half of all versions in circulation.
Unfortunately, neither of the two software companies appears willing
to accept full responsibility for the bug. The only upside is for
users of the domestic (U.S.) 128-bit version of Communicator, which
Netscape claims is immune to the bug. Users of international versions
can work around the problem by disabling 56-bit encryption. Follow
these steps:
- From the Communicator pull-down menu, select Tools, and then click
Security Info.
- On the resulting Web page, click the Navigator link in the left
column, then select Configure SSL v3 from the right pane.
- In the subsequent pop-up menu, remove the check marks from the
following two options: "RC4 encryption with a 56-bit key and a SHA-1
MAC" and "DES encryption in CBC mode with a 56-bit key and a SHA-1
MAC". Then click OK to close this window. From the Security Info Web
page, click OK to finish.
Microsoft is still working on the problem with IIS 4 itself.
MICROSOFT SITE SERVER PATCHED AGAIN
Microsoft Site Server 3.0 Commerce Edition contains a newly
discovered vulnerability. The problem affects those who use wizards to
generate Web site applications or those who utilize the sample files
provided with the program. Applications generated by the wizards do
not require validation for user inputs. A malicious user could supply
SQL commands in place of a user input; the command would execute and
the intruder could read, alter, add, or delete data in the database.
The vulnerability is only associated with wizard-generated code that's
included in the sample files. Volcano Coffee Sample Site and
Custom-Site (created by the Site-Builder Wizard) are the only Web
applications affected. A patch is available to fix the problem. You
can read more about the patch and download it from
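The Site Server wizard problem above is the textbook case of user input spliced into a SQL statement. The Python below is an added example, not Site Server code: it builds a constructed sqlite3 table standing in for a sample-site catalogue, then contrasts a lookup that pastes the user's value into SQL text with the parameterized form that binds it. With a value such as x' OR '1'='1, the first returns every row and the second returns none.

```python
import sqlite3

# Constructed sample rows standing in for a wizard-generated site's catalogue.
SAMPLE_ROWS = [
    ("coffee-001", "Volcano Blend", 9.95),
    ("coffee-002", "Dark Roast", 11.50),
    ("coffee-003", "Decaf", 8.25),
]


def make_db():
    """Create an in-memory database holding the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE products (sku TEXT PRIMARY KEY, name TEXT, price REAL)")
    conn.executemany("INSERT INTO products VALUES (?, ?, ?)", SAMPLE_ROWS)
    return conn


def lookup_vulnerable(conn, sku):
    """The pattern the page describes: the input becomes part of the SQL text."""
    sql = "SELECT sku, name, price FROM products WHERE sku = '%s'" % sku
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn, sku):
    """Hardened form: the driver binds the value, so it is never parsed as SQL."""
    sql = "SELECT sku, name, price FROM products WHERE sku = ?"
    return conn.execute(sql, (sku,)).fetchall()


def compare_lookups(sku):
    """Return (rows from vulnerable lookup, rows from parameterized lookup)."""
    conn = make_db()
    return len(lookup_vulnerable(conn, sku)), len(lookup_parameterized(conn, sku))


if __name__ == "__main__":
    print("legitimate SKU:", compare_lookups("coffee-001"))
    print("tautology in place of a SKU:", compare_lookups("x' OR '1'='1"))
```

The fix is the same in ASP-era ADO code as in any other stack: pass user values as command parameters rather than concatenating them, so the database never sees them as syntax.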
Microsoft IIS 3.0 will return the source code of various
server-side script files (such as ASP files) if the file name in the
URL request contains a %2e character string, which is the hex value
for quote-period-quote ("."). Source code disclosure could yield
sensitive information such as user names and passwords. As of the
writing of this tip, there are no fixes or workarounds available for
this bug. (Microsoft's Knowledge Base currently supports versions 4.0
and later.) Concerned users are urged to consider upgrading, or
contact Microsoft for more information.
The Phone Book Service in Microsoft Internet Information Server
provides dial-in services to corporations and ISPs. When users dial
in, their client software can be configured to download phone book
updates from a Web server. The application that serves the update is
pbserver.dll. This DLL contains a buffer overrun vulnerability that
can allow the execution of arbitrary code or crash IIS. Microsoft has
patched the issue. For more information or to download the patch,
browse to:
ASP files that contain scripts with the LANGUAGE parameter
containing a specifically large buffer and have the RUNAT value set as
Server may crash Microsoft Internet Information Server 4.0. Depending
on the data entered into the buffer, a denial of service (DoS) attack
could launch or arbitrary code could execute under the SYSTEM
privilege level. Note: IIS 5.0 does not contain this bug. Several
updates and patches for IIS 4.0 from Microsoft include fixes for this
bug. To fix this specific problem in IIS 4.0, download and apply the
following patch:
Your system is no longer vulnerable if you have downloaded any of the
following patches (note each patch's corresponding MS advisory number;
type it into a search on Microsoft's home page for more information):
When attempting to upload a large file to Microsoft Internet
Information Server (IIS) 4.0 from a browser using the ASP
Request.BinaryRead method, the CPU utilization on the IIS machine may
go to 100 percent, causing system hang. According to Microsoft, the
ASP engine doesn't handle this process properly. To work around this
problem, apply the latest service pack for Windows NT Server or
Workstation 4.0. To download a service pack, browse to
Under certain circumstances, Microsoft Internet Information Server
will transmit in plain text the contents of Session ID Cookies that
should be marked as secure.
When a user initiates a Web session secured via SSL, Session ID
Cookies should be marked as secure from then on. This is not the case
if the user visits an ASP page hosted on IIS 4.0 or 5.0. In the event
that a user views an ASP document during a secure Web session, the
Session ID Cookie would then be marked as nonsecure. Once the user
visits a nonsecure portion of the Web site, a malicious user would be
able to read the contents of the cookie in plain text. The attacker
would then be able to use the credentials from the Session ID Cookie
to hijack the session successfully and take any actions he or she
wished under the guise of the original user. Microsoft has
successfully patched this issue. For more information or to download
the patch, read the Microsoft security bulletin:
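The condition described above is easy to test for from the outside: a session cookie set in a response to an HTTPS request must carry the Secure attribute, or the browser will also send it over plain HTTP. The Python below is an added example, not Microsoft's code. It parses Set-Cookie headers from a constructed list of (request scheme, header value) pairs and reports session cookies issued over HTTPS without Secure; the cookie names and values are made up, and the session-name prefixes are an assumption you would extend for your own applications.

```python
# Constructed sample: (scheme of the request, value of the Set-Cookie header the
# server returned). Names and values are invented; the ASPSESSIONID prefix
# follows the naming IIS uses for ASP session cookies.
SAMPLE_RESPONSES = [
    ("https", "ASPSESSIONIDQGGQAAAA=KLMNOPQRSTUVWXYZ; path=/; Secure"),
    ("https", "ASPSESSIONIDQGGQBBBB=ABCDEFGHIJKLMNOP; path=/"),
    ("https", "theme=dark; path=/; Max-Age=86400"),
    ("http", "ASPSESSIONIDQGGQCCCC=QRSTUVWXYZABCDEF; path=/"),
]

# Name prefixes treated as session identifiers (assumption; extend for your apps).
SESSION_COOKIE_PREFIXES = ("ASPSESSIONID", "JSESSIONID", "PHPSESSID")


def parse_set_cookie(header):
    """Split a Set-Cookie header into (name, value, {attribute: value_or_True})."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        # Flag attributes such as Secure and HttpOnly carry no value.
        attrs[key.strip().lower()] = val.strip() if val else True
    return name.strip(), value.strip(), attrs


def is_session_cookie(name):
    """True if the cookie name looks like a server session identifier."""
    return name.upper().startswith(SESSION_COOKIE_PREFIXES)


def find_insecure_session_cookies(responses):
    """Return names of session cookies issued over HTTPS without the Secure attribute."""
    findings = []
    for scheme, header in responses:
        name, _, attrs = parse_set_cookie(header)
        if scheme != "https" or not is_session_cookie(name):
            continue
        if "secure" not in attrs:
            findings.append(name)
    return findings


if __name__ == "__main__":
    for name in find_insecure_session_cookies(SAMPLE_RESPONSES):
        print("session cookie issued over HTTPS without Secure:", name)
```

Only the HTTPS responses are judged: a cookie set over plain HTTP cannot meaningfully carry Secure, and the mixed-content site the page describes is exactly where a missing flag turns into a readable session token.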
Microsoft has versions of Network Monitor that ship with Windows NT
4 and 2000 and Systems Management Server. Unfortunately, it has been
discovered that NetMon contains several unchecked buffers that a
malicious user could exploit to gain access to the system or server.
Microsoft has made patches available for nearly all versions of
Windows NT 4, Windows 2000, and Systems Management Server 1.2 and 2.0.
(It should be noted that Windows NT 4 Workstation and Windows 2000
Professional do not include NetMon; systems running those operating
systems have nothing to fear unless you have installed Systems
Management Server.)
For more information or to download the patches, browse to
A bug in Microsoft Exchange Server 5.5 makes the program unable to
process e-mail messages that have a blank MIME charset field. If it
encounters such a message, Exchange Server will cease operation,
requiring a restart. Then, the offending e-mail message must be
located and deleted. A simple task, since the message will be at the
front of the queue after restart. Exchange 2000 is not affected by
this bug. Microsoft has patched this and other problems for 5.5 and
will also include the fixes in the forthcoming Exchange Server Service
Pack 4. Until the Service Pack's release, download this patch from
Microsoft NetMon is a tool that allows administrators of Windows
NT/2000 systems to capture network traffic for analysis by the
sysadmin. Several DLL files used by NetMon contain unchecked buffers
that could be exploited to gain control of NetMon, and thereby execute
arbitrary code on the victim's network. Microsoft has patched this
issue. For more information or to download the patch, read the
Security Bulletin at:
This vulnerability affects Microsoft Exchange Server 4.0 and 5.0
for NT and Outlook 97. On many systems, if you leave both the BCC and
Reply-To fields or the Return-Path and From fields blank, Outlook will
crash upon the delivery of these particular e-mail messages. Exchange
will produce an error stating that the message is not deliverable and
asking the user to check for sufficient memory or disk space. At the
time this tip was written, no fixes or patches were available for this
bug. Furthermore, not all users have experienced problems. Users who
have found themselves susceptible should contact Microsoft for more
information.
SQL SERVER DTS PASSWORD DISCLOSURE
In Microsoft SQL Server 7.0 and 6.5, it is possible for a user to
reveal the database passwords of other users by viewing the properties
of DTS packages they have created. In the properties of a connection
object within the data transformation services, a dialog box will
appear that displays the user name and asterisks in the password
field. Although it is not displayed, the password is present and can
be retrieved with the proper utilities.
There is a workaround: Specify user rights to allow other users only
load and execute privileges. The properties tab will only be available
to the package creator and the administrator. Microsoft has released a
patch to rectify the issue completely. Download the patches for Intel-
and Alpha-based systems, respectively, from
SQL SERVER SUBJECT TO DOS AND OTHER VULNERABILITIES
In Microsoft SQL Server 7.0 and 2000, there are several buffer
overflow vulnerabilities that could result in execution of arbitrary
code or a denial of service. These bugs can be exploited by sending
long strings to certain extended stored procedures. Microsoft is aware
of the error and has patched the issue. For more information or to
download the patch, read the Frequently Asked Questions file at
Microsoft's Web site:
WINDOWS 2000 DIRECTORY SERVICES RESTORE MODE PASSWORD BUG
Windows 2000 Server and Advanced Server are vulnerable to a bug
that could allow a malicious user with physical access to a domain
controller to install malicious software on it. The bug lies in the
Directory Service Restore Mode feature. If the Configure Your Server
tool is used to initially set a computer as a domain controller, the
password field for Restore Mode would come up blank, allowing a user
full access to the system. Microsoft has patched this issue. For more
information or to download the patch, read the Microsoft Security
Bulletin:
DNS services provided by Windows 2000 Server and Advanced Server
contain a "memory leak" bug that can cause the system to slowly
consume memory. The rate of consumption depends on the number of DNS
queries the server receives. A malicious user could flood the server
with queries and thereby cause a Denial of Service (DoS) attack. The
server would require a restart to regain normal functionality.
Microsoft patched this issue with Windows 2000 Service Pack 1. Users
who have not already applied Service Pack 1 (issued in July 2000) are
urged to do so. For more information on this bug and how to obtain
Service Pack 1, browse to:
In Windows 2000 Server, adding several thousand DNS zones may cause
the Registry System Hive to become too big. When restarting the
server, users may receive the following error message:
"\winnt\system32\config\system file is missing or corrupt." Users who
have already experienced the error should use the Last Known Good
Registry option to get restarted. As of the writing of this tip, a fix
is being tested and will be in a future Windows 2000 service pack.
Watch for news on the fix at Microsoft's Web site:
Some time ago, it was discovered that Microsoft Internet
Information Server (IIS) allows unauthenticated users access to any
known file in the context of the IUSR_machinename account. By default,
this account is a member of the Everyone and Users groups. This means
a user could access, delete, modify, or execute any file located on
the same logical drive as any Web-accessible file these groups can
access. A malicious user possessing no credentials whatsoever could
exploit this bug to gain the same privileges as a remote user. A patch
released by Microsoft recently fixed this and other IIS bugs. The
Microsoft Security Bulletin below provides links to the patches and
explains the problem in more detail:
Microsoft has identified a problem you may experience on your IIS
3.0 Web server. The problem affects the performance of Active Server
Pages, and a memory leak in asp.dll causes the problem. You can use
Performance Monitor to verify the memory leak. To resolve this
problem, Microsoft has produced a hot fix. You can get it at the
following FTP site:
Microsoft recently identified a problem you may experience on
Internet Information Servers 2.0 and 3.0. When Internet Information
Server receives a CGI request from a browser containing 4KB to 8KB of
data, the IIS service stops. Microsoft has confirmed this problem and
has produced a hot fix to correct it. The iis-fixi file is for x86
platforms, and the iis-fixa file is for Alpha platforms. You can get
the hot fix at the following FTP address:
WINDOWS MEDIA SERVICES SERVER CONNECTION VULNERABILITY
If a connection to a server running the Windows Media Unicast
Service was started, then severed in a particular way, the service
would leak some of the resources that were allocated during the
connection. Repeated enough times, this could degrade the server's
performance to the point where it would no longer be able to provide
useful service. The Windows Media Unicast Service does not release all
of the resources allocated to the connection. By repeatedly making and
then severing connections in this manner, a malicious user could
exhaust the resources on a server, in a manner known as a DoS (Denial
of Service) attack.
Windows Media Services 4.1 ships as part of Windows 2000, and the
patch for Windows Media Services 4.1 can be applied over Windows 2000
Gold or SP1. Windows Media Services 4.0 does not ship as part of any
other product. The patch for Windows Media Services 4.0 can be applied
to any machine already running the program.
You can read details about the problem and download the fix from
Microsoft's Web site:
Users of Microsoft Windows NT Workstation 4.0, Windows NT Server
4.0, and Windows NT Server 4.0 Enterprise Edition should be aware of a
security issue regarding the Recycle Bin. Under certain conditions, a
malicious user can create, delete, or modify files in the Recycle Bin
of another user. There are limitations, of course, such as the
inability to affect Recycle Bins across multiple computers or even on
different partitions of the same disk. However, the security risk is
real. You can download the patch for Intel or Alpha systems, and read
more about the problem in the Microsoft Security Bulletin at
Service Pack 6 (SP6) provides the latest updates to Microsoft
Windows NT Workstation 4.0, Windows NT Server 4.0, and Windows NT
Server 4.0, Enterprise Edition. SP6 contains known Year 2000 updates
for Windows NT 4.0. These updates are also available as separate Web
downloads that customers may apply to a Service Pack 4 or 5 system.
Providing these options gives organizations the flexibility to choose
which path is easier for them in addressing Y2K issues. SP6 is not a
required upgrade for Y2K; Microsoft recommends that each customer
consult the SP6 documentation and then determine whether to deploy it.
You can download this service pack at the following URL:
Microsoft Internet Information Server ships with Front Page Server
Extensions (FPSE). These extensions provide additional
services to remote and local administrators. By
supplying malformed data to one of the FPSE functions, a malicious
user could cause IIS to stop responding. A restart would be required
in order to regain normal functionality. A user need only have FPSE
installed to be vulnerable to this bug. Microsoft is aware of the
problem and has released a patch. For more information, read the
Microsoft Security Bulletin:
If you're running Microsoft's Internet Information Server (IIS)
version 3.0 or 4.0 on a computer that has the default language set to
Chinese (Simplified or Traditional), Korean, or Japanese, you need to
be aware of a known problem identified by Microsoft. This problem
occurs on some localized versions of IIS, including Simplified
Chinese, Traditional Chinese, Japanese, and Korean IIS 4.0. The
problem can occur on any language version of IIS 3.0 and 4.0
(including the English version) if a double-byte code page or
double-byte character set (such as Japanese, Korean, Simplified
Chinese, or Traditional Chinese) language pack is installed on the
computer and is configured as the default locale in the Regional
Settings of Control Panel.
Microsoft recently released a patch that eliminates this problem. You
can download the patch file from
Auction Weaver is an auction creation and maintenance
program that allows a site to host auctions created by the Web master
or Web site visitors. Much of the program operates on simple CGI
scripts and user input through form fields.
However, because of improper checking within certain fields, it is
possible for a malicious user to delete arbitrary files and
directories through the use of the double period (..) character. A
malicious user can exploit this to affect files within and outside the
Web root. This bug affects versions 1.0 through 1.04. Auction Weaver's
developers, CGI Script Center, have fixed the problem in the latest
version, 1.05. Download it from
BlackIce Defender by Network Ice provides personal
firewall protection and intrusion detection for systems with a network
or dial-up connection.
A vulnerability was recently discovered in the way BlackIce Defender
protects many of the higher-level UDP ports. Defender and its sister
program, BlackIce Agent, do not block incoming UDP port connections
above 1021 regardless of the security settings in the program's user
preferences. Unfortunately, one of the most popular intrusion
programs, Back Orifice, uses ports above 1021 by default. A small time
gap exists between the issue of the first Back Orifice command and the
time when BlackIce blocks the offending IP address. In some cases, the
time gap can be large enough so that a malicious user can slip several
commands past BlackIce via a script.
This bug affects all versions of BlackIce Agent up to 2.0.23 and
BlackIce Defender up to 2.1. At this time there are no known fixes for
the bug, but a possible workaround involves configuring BlackIce to
the Paranoid setting, which blocks all incoming UDP and TCP
connections.
Patrol is an enterprise management software suite
offered by BMC Software. One of the Patrol components listens on a UDP
port and accepts connections from any host or port by default. As a
result, it is possible for an attacker to cause a "ping-pong" attack
by spoofing packets so they appear to be from a host's service. UDP
datagrams would then bounce back and forth until the victim's
resources are exhausted; in other words, it's the dreaded denial of
service (DoS) attack. A workaround is to configure IP filtering at the
network gateway to block untrusted UDP traffic.
BROKER FTP MULTIPLE SECURITY BUGS
Transoft's Broker FTP is an FTP server package for
Windows NT/2000 and Windows 9x. Multiple vulnerabilities exist in
Broker FTP Server that could allow a remote attacker to browse root
directories and possibly retrieve account names and passwords.
Transoft has released upgrades that fix both of the above
vulnerabilities. For more information, contact Transoft via the site
it has created for Broker FTP:
All versions of Real Networks' RealServer after 6.0x
include a bug that will cause the program to crash if it receives a
request for a specific file with an unspecified variable value. Real
Networks has released a patch for this bug. For information on
possible workarounds or to download the patch, browse to
When attempting to access the administrative proxy
server in Winroute 3.04, the user gets a prompt for a user name and
password. Canceling this dialog box will give the user full access to
the administrative controls used to configure the proxy server. A user
can access the administration program if he or she has the IP address
of the machine running WinRoute. By default, WinRoute listens on port
44333. There are no known fixes for this bug. Users are urged to
contact Tiny Software at
BYTES INTERACTIVE WEB SHOPPER BACK-OUT VULNERABILITY
Bytes Interactive Web Shopper is an XML-based shopping
cart for e-commerce sites. Unfortunately, in versions 1.0 and 2.0, the
newpage variable does not properly check for insecure relative paths.
This means a user can back out of the program's path and conceivably
access any known file. Bytes Interactive has not patched the problem
as of the writing of this tip. However, the discoverer of the bug has
offered the following workaround:
Use your favorite text editor to uncomment the #$debug=1 variable so
the script will check for insecure relative paths and disallow viewing
of an arbitrary file.
McMurtrey/Whitaker Associates Cart32 is a simple
application for adding and maintaining a virtual shopping cart on an
e-commerce site. It has been discovered that by appending a request
for the cart32.exe executable with the EXPDATE string, an attacker can
access an error message followed by a debugging page containing the
server variables, the Cart32 administration directory, and possibly
the contents of the cgi-bin. A simple workaround would be to replace
the string "expdate" in the binary with some other string. However,
users are urged to contact McMurtrey/Whitaker for its official
position on the matter.
An implementation issue exists in Firewall-1 that can
allow an attacker to determine a valid user name by the response given
to authentication requests from a remote client. Firewall-1 responds
with a different message if a user name is invalid, or if it is valid
but the password is invalid. By first determining valid user names, a
malicious user can then use a brute-force attack (as discussed in our
previous tip) to find out the passwords associated with those user
names. However, Firewall-1 user Patrik Sternudd asserts that
administrators can create a generic* account in the user database that
will remedy this problem. This account will produce the same message
for all invalid user names, much like a default message.
FTP SERV-U DIRECTORY TRAVERSAL
FTP Serv-U is an internet FTP server from CatSoft.
Authenticated users can gain access to the ftproot of the drive where
Serv-U FTP has been installed. Users that have read, write, execute,
and list access in the home directory will have the same permissions
for any file that resides on the same partition as the ftproot. Once a
user is in the home directory, he or she can successfully transfer any
files using specially crafted GET requests. Furthermore, all hidden
files will be revealed even if the Hide Hidden Files feature is on.
Successful exploitation could enable a malicious user to gain access
to systems files, password files, and so forth, and could lead to a
complete compromise of the host. This vulnerability affects versions
2.4 and 2.5. Users are urged to upgrade to the newest version, 2.5i,
for the fix. Browse to:
Inktomi Search Software 3.x (formerly Ultraseek
Server), a search engine for intranet or Web site environments, is
subject to a denial of service (DoS). A malformed URL request on port
8765 will cause the service to stop responding, requiring a restart.
This vulnerability has been patched in version 4.0 on Sun Solaris,
Windows NT, Linux, and HP-UX platforms. Download the patch that
corresponds to your system:
IPSwitch IMail is an e-mail server that serves clients
their mail via a Web interface. IMail supports most common e-mail
protocols such as SMTP, POP3, IMAP4, LDAP and so on. Specifying a
base64 encoded SMTP AUTH password containing an abnormally large
number of bytes will cause the server to stop responding and refuse any new
connections.
IPSwitch has patched the issue. To download the patch, browse to:
Ipswitch's IMail is an e-mail server that allows
clients to view their e-mail via a Web interface on port 8383. Using
this interface, users may read and send mail, as well as access file
attachments.
Certain versions of IMail do not perform proper access validation.
This results in users having the ability to attach files to which they
should not have access. This bug affects IMail versions 6.0 to 6.4.
Ipswitch has provided a patch to fix this and other problems. Download
it from
Sending a specifically large number of RNTO commands
to GoodTech's FTP Server can cause it to stop responding, requiring a
restart. This affects GoodTech FTP Server 3.0 for Windows 95, 98, NT,
and 2000, and FTP Server 3.0.1 for Windows 95 and 98. There are
currently no known fixes or workarounds for this issue. Concerned
users are urged to contact GoodTech Systems for more information.
Halflife Dedicated Linux Server is a software package
used to host Halflife games for network gaming. Two vulnerabilities in
the rcon command could allow a user to gain access remotely to the
host running the software. Valve Software has upgraded Halflife server
versions 3.1.0.1 and 3.1.0.2. Download the upgrade (version 1.1.0.4)
from
Valve Software's Half-Life server is a game server
written to act as a centralized server for players of Sierra's popular
Half-Life multiplayer online video game. Versions 3.1 and earlier of
the server ship with a remotely exploitable buffer overflow in the
changelevel rcon command. Valve Software has released a fix. Users
should upgrade to version 3.0.1.4 by browsing to
By sending illegally fragmented packets directly to or
routed through CheckPoint FireWall-1, it is possible to force the
firewall to use 100 percent of available processor time logging these
packets. The FireWall-1 rule base cannot prevent this attack, and it
will not be logged. This bug affects versions 4.0 and 4.1. CheckPoint
has developed Service Pack 2 for FireWall-1 4.1 to address this issue.
Users with a software subscription can download it from
COMPUTALYNX CMAIL CPU UTILIZATION DOS VULNERABILITY
ComputaLynx CMail Server is a mail server application
for Internet and LANs. Its Web interface resides on port 8002 by
default and is vulnerable to a temporary CPU utilization Denial of
Service (DoS). This could in turn become more serious with repeated
attacks.
After connecting to the service, it is possible to enter a user name
of roughly 200K characters, causing CPU use to jump to about 95 percent. The
process releases the CPU after an unpredictable length of time. Since
this issue only affects version 2.4.7, users should upgrade to 2.4.8
to rectify the situation. ComputaLynx is aware of the vulnerability
and has been very up front about fixing it in this latest version. For
more information, browse to
AnalogX SimpleServer WWW 1.05 contains a bug that
could result in a Denial of Service (DoS). If a long URL is sent to
port 80, the service may stop responding, requiring a restart to
regain normal functionality. AnalogX has released an upgrade that
fixes this problem. Download it from
Master Index is a professional search engine, much
like those used by Yahoo and AltaVista. Synergy Labs has recently
discovered a flaw that allows a remote user to traverse the file
system by "backing out" of the Web root directory. They can then view
or download any file for which the Master Index user has read
permissions. Armada Design (creator of Master Index) has been notified
of the bug and is supposedly developing a fix. For more information on
Master Index or Armada Design, browse to
Users who have mail systems running Atrium Software's
Mercur Mail Server version 3.2 should be aware that remote users can
read any e-mail message in a known mailbox of a known user through
directory traversal. They can accomplish this by logging onto the
server and executing IMAP commands accompanied by paths such as
/../../directory. Currently, there are no patches or workarounds for
this bug. Users are urged to contact Atrium Software for more
information. You can reach the company via its Web site at
NetWin's DMail is a mail server for Unix and Windows
NT. Sending more than 260 characters as the argument to the ETRN
command corrupts the stack and crashes the mail server. This could
allow remote attackers to execute arbitrary commands as root or cause
a Denial of Service (DoS).
The following versions have been found vulnerable: 2.7, 2.7q, 2.8e,
2.8f, 2.8g, and 2.8h. Linux and Solaris users should upgrade to DMail
2.7r or 2.8k (currently in beta), available for download from
NetWin has stated that it is currently building new versions for all
platforms, and urges users who can't find the correct version to
contact it via e-mail:
mailto:support-dmail@netwinsite.com
NETWORK ASSOCIATES PGP BUG
PGP stands for Pretty Good Privacy. It is Network
Associates' contribution to online security. PGP Certificate Server
provides certificate management services that ensure the user
connecting to a Web site is, in fact, the legitimate registered user.
Unfortunately, it is susceptible to a simple Denial of Service attack.
A malicious user can log in using the management port (port 4000 by
default) with reverse DNS disabled. This effectively hides his or her
IP and will cause the server to crash, which in turn prevents users
from logging onto the Web site. There's a bright side--this is a DoS
attack in the strictest sense of the term. It doesn't destroy or
compromise any data; it merely disables the server until a reboot.
Network Associates urges users of versions before 2.5.1 to upgrade
before applying the patch it has developed for this bug. Those who
have not already been contacted by Network Associates regarding this
bug are advised to call the company at 800/722-3709.
For more information on PGP Certificate Server, browse to
Network Associates' PGP Certificate Server 2.5.1 and
2.5 for Windows NT and Solaris 2.5.1 contain a bug that can cause them
to crash. By default, the program listens on port 4000 for remote
server management and port 5000 for PGP replication. If Certificate
Server cannot resolve the IP address of a machine connecting to either
of these ports, it will crash. An error message will warn the user
that the system could not read memory at address 0x00000000. It is not
likely that a malicious user could easily exploit this bug.
Regardless, Network Associates has released a patch to fix the bug.
Download it from
Like our last tip, today's tip is about the
possibility of "backing out" to the root directory of a Web server
running a particular program. Synergy Labs has revealed that PHPix, a
popular Web picture-gallery creator, is susceptible to double-period
and slash (../) character sequences, which the user can supply in an
HTTP variable that is used to reference a file on the Web server's
file system. As a result, an attacker can construct a path relative
to the Web server's current working directory using the double period
(..) followed by the target file name or path, and read any file on
the system. This bug affects versions 1.0, 1.0.1, and 1.0.2. The
vendor has been informed of the bug, and users are strongly urged to
wait for a patch to become available before deploying PHPix. For
more information, browse to
Quake1 Server is designed to host multiple Quake
players for network play. A vulnerability exists that can allow a
malicious user to crash the server remotely. If Quake1 Server is sent
specially crafted UDP packets, it will crash, resulting in a denial of
service (DoS) and requiring a server restart. The server application
has been updated to fix this and other bugs and to provide many
enhancements over the original program. For more information or to
download, browse to:
Several unchecked buffer vulnerabilities exist in
Robotex Viking Server 1.0.6 (build 355 and below) for Windows 95 and
NT 4. These vulnerabilities could be exploited to cause system crashes
or execute arbitrary code. Users of build 370 and later are not
vulnerable.
RSA Security ACE/Server versions after 3.1 are
vulnerable to a DoS (Denial of Service) attack brought on by sending
UDP datagrams at an unusually high speed. This will cause the server
to crash, requiring a reboot to regain functionality. When the problem
was reported to the vendor, it performed its own tests and couldn't
replicate the crash. However, users are still reporting problems. If
you're using ACE/Server 3.3 or 3.3.1, RSA Support recommends that you
download and install patch 16 (3.3.16), which includes the fix for
this problem. This patch is available at
If you are unable to install the 3.3.16 patch, or you
are using ACE/Server 4.0 or 4.1, RSA Support recommends that you
install the hot fix for this problem, which you can obtain at
The minimum recommended patch level for this hot fix
is patch 15 (3.3.15).
SHAMBALA SERVER PLAIN-TEXT PASSWORD PROBLEM
Shambala is a multiserver (FTP, Web, chat) by
Evolvable Corporation, designed for the small office or home office
user. Unfortunately, it stores user passwords in plain text, so a
malicious user can easily retrieve them and use them to gain full
control over Shambala Server and possibly other services.
Evolvable Corporation is aware of this problem and says an upcoming
release of Shambala Server will address it. For more information on
Shambala Server or Evolvable Corporation, browse to
Intel's Shiva Access Manager 5.0 for Solaris is
vulnerable to a default configuration problem. It leaves the LDAP
password and distinguished name in a text file that is owned by root
and set world-readable by default. This file also contains information
such as the LDAP server's host name and server port. A workaround is
to change the permissions for the following file:
Intel has reportedly been notified, but at press time
there was no word on a fix.
SMALL HTTP SERVER BUG
A buffer overflow is present in certain versions of
the Small HTTP Server. A malformed HTTP GET request several thousand
characters long can trigger the overflow in question. There are
currently no known fixes or workarounds for this bug. Concerned users
are urged to contact the program's author via the following Web site:
Each time you add an account to Mindstorm Networks
SmartFTP Daemon, it creates a unique user file that contains the
password, user rights, and other pertinent details. A user with an
existing account and write access on SmartFTP Daemon (including
anonymous) can gain full access to the host by modifying this
particular user file and uploading it anywhere on the file system.
Mindstorm Networks has been made aware of the issue and is working on
a fix. However, Moritz Jodeit (the discoverer of the bug) has created
the following unofficial hot fix:
SonicWall provides Internet security solutions in the
form of hardware. A bug exists in its SOHO model which could lead to a
Denial of Service (DoS). When an unusually long user name is specified
on the authentication page, SonicWall SOHO will stop responding and
refuse any new connections. A restart of the service may be required
to regain normal functionality. Furthermore, it has been verified that
this vulnerability is exploitable via malformed HTTP requests as well.
SonicWall has released a firmware upgrade to patch this issue. To
receive the patch, contact SonicWall tech support at:
Today's tip is about a design flaw rather than a true
bug (although some people equate the two). StalkerLab's Mailers
contains the program CGImail.exe, which uses a template file to
convert an HTML form to e-mail. It is possible for a user to save the
Web page to disk and modify different variables, such as the To,
Attach, and File variables. This could cause the program to send any
file saved on the Web server to the user.
Sverre H. Huseby, the discoverer of this vulnerability, has provided
the following workaround: "There is no fail-safe manner in which to
mitigate the risk posed by this vulnerability. Until the vendor
provides a solution, you may wish to disable this software. It should
be noted that to achieve this, you will need to either rename the
binaries, change the execution permissions, or remove the package
entirely, as an intruder may still exploit this problem if the package
is resident in the server, even if it is not in active use."
Stalkerlab's Web site may provide more information in the future:
Michal Trojnara's Stunnel SSL wrapper does not offer
adequate encryption in certain versions on certain platforms. Versions
3.8 and earlier on Windows and Sun Solaris systems lack the
pseudo-random number generator provided by the /dev/urandom device.
This weakness could allow an attacker to more readily read protected
information, which in turn could lead to further compromises of system
security. Users are urged to upgrade to version 3.9 or better. Browse
to:
By default, Subscribe Me Lite by CGI Script Center
creates a database file called addresses.txt, which can be remotely
modified. This allows a malicious user to add to or delete e-mail
addresses from the database. To avoid the need for an administrative
password to view the file, the file is placed in a world-readable
directory by default. A simple workaround for this rather minor
vulnerability would be to place the file in a directory that is not
world readable.
VolanoChatPro is a Java-based Internet chat server
that runs on Windows and Unix-like platforms. It stores most of its
configuration information in a file called properties.txt. This file
is set as world readable by default and contains the server and admin
passwords. Since the passwords are not encrypted or protected in any
way, they are retrievable by anyone with access to the VolanoChatPro
directory. A quick workaround would be to change the permissions of
the properties.txt file to mode 600. According to Volano support,
"This will set it so only the userid under which you installed and
start the VolanoChat server can read the file."
User name and password information for the Wavelink
2458 Family Command Module is transmitted on the network as clear
text, permitting anyone with a packet sniffer to compromise the unit's
security. Furthermore, there is no default restriction on the
number of log-in attempts. This effectively allows for what is known
as a brute-force attack, wherein a malicious user sets up a program to
bombard the service with log-in requests until that program determines
the correct user name and password.
Michael Grant, the discoverer of the bug, has offered the following
potential solutions:
- In the config, limit the IP addresses allowed to connect to the
unit.
- Limit the user name and password combinations allowed per IP.
- Employ some form of encryption of either the user name or the
password, or both.
For more information on the WaveLink products, browse to
WebShield SMTP is an e-mail virus scanner from Network
Associates, designed for Internet gateways. A specially crafted e-mail
message containing specific text characters received by WebShield will
crash the program, requiring a restart. Network Associates has
released a hot fix (HF8). Users are urged to contact their Network
Associates representative for the fix. For more information, browse
to:
Texas Imperial Software's Winsock FTPd is a popular
FTP daemon for Windows. Unfortunately, it contains bugs that could
allow a user to access the root directory of the drive containing the
software. To its credit, FTPd allows the administrator to restrict
users' access to only the home directory and below. However, a
specially malformed cd command will allow a user to effectively "back
out" of the home directory and gain access to any other file on the
drive. This bug affects versions 3.0pro, 2.41RC14, and 2.41RC14pro.
Texas Imperial Software has developed upgrades for all affected
versions. Users can download them respectively from the following
URLs:
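The "backing out" bugs described for PHPix, Master Index, Mercur Mail Server and Winsock FTPd above all come down to one missing check. The following is an added example, not code from any of those products: it contrasts the unchecked join with a resolver that refuses any client path (an HTTP parameter or an FTP cd argument) that would leave the served directory. The function names (naive_resolve, safe_resolve, escapes, PathEscape) and all directory and file names are constructed for the illustration.

```python
import posixpath

# Added example, not code from PHPix, Master Index, Mercur or Winsock FTPd:
# the containment check a file-serving program needs so that "../" sequences
# in a client-supplied path cannot reach files outside the directory it
# intends to expose. All paths below are constructed sample values.


class PathEscape(ValueError):
    """Raised when a client path would resolve outside the served root."""


def naive_resolve(root: str, user_path: str) -> str:
    # The pattern the advisories describe: the client string is glued onto
    # the root and handed to the OS, so ".." components walk straight out.
    return posixpath.normpath(root.rstrip("/") + "/" + user_path)


def safe_resolve(root: str, cwd: str, user_path: str) -> str:
    """Map a client path to a real path, refusing anything outside root.

    root      real directory being exposed (web root or FTP home)
    cwd       client's current directory inside the virtual tree ("/" at top)
    user_path absolute (virtual) or relative to cwd, e.g. an FTP "cd" argument
              or an HTTP parameter that has already been URL-decoded
    """
    if "\0" in user_path:
        raise PathEscape("NUL byte in path")
    # Windows servers treat "\" as a separator too; fold it before normalising
    # so "..\\..\\" cannot slip past a check that only looks for "../".
    user_path = user_path.replace("\\", "/")
    virtual = user_path if user_path.startswith("/") else posixpath.join(cwd, user_path)
    # Normalise relative to the virtual root: an escape is left behind as a
    # leading ".." component instead of being silently clamped away.
    rel = posixpath.normpath(virtual.lstrip("/"))
    if rel == ".":
        rel = ""
    if rel == ".." or rel.startswith("../"):
        raise PathEscape(f"path escapes served root: {user_path!r}")
    root = posixpath.normpath(root)
    return posixpath.join(root, rel) if rel else root


def escapes(root: str, cwd: str, user_path: str) -> bool:
    """True when safe_resolve() rejects the path (handy for tests and logging)."""
    try:
        safe_resolve(root, cwd, user_path)
    except PathEscape:
        return True
    return False


if __name__ == "__main__":
    # A gallery request that unchecked code turns into /var/etc/passwd.
    print(naive_resolve("/var/www/gallery", "../../etc/passwd"))
    # The same request through the checked resolver is rejected.
    print(escapes("/var/www/gallery", "/", "../../etc/passwd"))  # True
    # An FTP "cd ../docs" from /pub stays inside the user's home directory.
    print(safe_resolve("/home/ftp/alice", "/pub", "../docs"))
```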
Bardon Data Systems WinU is a user interface
replacement for Windows 95/98/NT featuring added security
capabilities. The Emergency Password feature in versions 5.1 and
earlier, which allows an administrator to gain full access to
configuration settings, accepts a number of publicly available master
passwords hard-coded within the program by Bardon
Data Systems. These passwords effectively create a back door, easily
exploitable by a malicious user to gain full administrative control
over the WinU interface. Users are strongly urged to upgrade to
version 5.2. Browse to
XS4ALL Simple SunFTP Server contains a couple of bugs.
Like most FTP servers, it uses new-line (or carriage-return)
characters to delimit incoming data. If a user connects,
enters data, and then disconnects before the new-line character
is sent, the program will crash--resulting in the dreaded Denial of
Service (DoS). Furthermore, sending a
large number of characters (unspecified for security reasons) to the
server will overwrite critical data in the application's memory,
also known as a buffer overrun error.
It has not yet been determined if either of these DoS vulnerabilities
would allow a malicious user to execute arbitrary code on the victim's
computer. There are currently no fixes or workarounds for these bugs,
and the entire SunFTP project has been put on hold by XS4ALL, severely
limiting the likelihood of a fix in the near future.
ARCSERVEIT 6.61 PATCH
Computer Associates recently released a patch for its
ArcserveIt product that adds support for new devices under Windows
NT. This patch requires you to download two files--cazipxp.exe and
lo51595.caz. You'll find both files and complete installation
instructions on the Computer Associates Web site at the following
addresses:
TINY WINROUTE PRO MEMORY PROTECTION DISABLING VULNERABILITY
Tiny WinRoute Pro is a firewall and Internet router that enables
networked machines to access the Internet through a single connection.
By default, during the installation of WinRoute Pro 4.1 the installer
disables the Kernel Mode Write Protection within a Windows 2000
environment. Disabling this feature will allow intended interference
with various system operations and permit unsolicited write
operations. The Write Protection feature is enabled by default in
Windows 2000, but WinRoute will not function if Memory Write Protection
is enabled. Tiny Software has reportedly addressed this issue in
WinRoute 5.0, due out soon. Users should keep an eye on Tiny
Software's WinRoute homepage for more information: