Brief items
Here is
an advisory from the KDE project
regarding a flaw in Konqueror's digital certificate handling. It seems
that Konqueror (along with certain other, proprietary web browsers) doesn't
look hard enough at how a site's certificate was signed, meaning that
anybody can fake a certificate for anybody else's site. Thus, with a
little additional trickery, it would be possible to set up "man in the
middle" attacks and steal credit card numbers.
The Register described this
vulnerability as "a colossal stuff-up." Certainly the error is worth
fixing, but anybody who is greatly concerned about this vulnerability would
be well advised to look at the end of the "Certificates and Credentials"
chapter in Bruce Schneier's Secrets & Lies:
I visited www.palm.com to purchase something for my PalmPilot.
When I went to the online checkout, I was redirected to
https://palmorder.modusmedia.com/asp/store.asp. The SSL
certificate was registered to Modus Media International; clearly a
flagrant attempt to defraud web customers, which I deftly uncovered
because I carefully checked the SSL certificate. Not.
All that SSL does in almost every use is to verify that the remote site has
a certificate issued by a trusted authority. There is no verification that
said certificate has anything to do with the site that the user expects to
be interacting with. Man in the middle attacks are easily done even when
the web browser properly checks how digital certificates were signed; the
Konqueror vulnerability has not really opened up any new holes.
The real issue, which nobody is all that concerned about, is that the
digital certificate system is not doing much for its users. Quoting
Schneier again: "Digital certificates provide no actual security for
electronic commerce; it's a complete sham." Konqueror users should
go ahead and apply the patch (see the LWN
vulnerability entry for distributor updates as they arrive), but it's
not going to make them all that much more secure against man in the middle
attacks.
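To make concrete what checking "how a certificate was signed" involves, here is an added example (not from the page, from KDE or from OpenSSL) that builds a throwaway PKI with the openssl command line, assumed to be installed: a certificate for one host is signed with another host's perfectly valid server key, and a correct verifier rejects it because that signer is not a CA, while also rejecting the legitimate certificate when it is presented for a name it does not cover. The host names and the temporary directory are constructed for the demo.

```shell
#!/bin/sh
# Added example (not from the page, KDE or OpenSSL). Builds a tiny PKI with the
# openssl CLI (assumed installed) and shows the per-link check a verifier must
# make: the signer of each certificate must itself be a CA (basicConstraints
# CA:TRUE), not merely a certificate whose own signature happens to verify.
set -e
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# Minimal config so the demo does not depend on the system openssl.cnf.
cat > req.cnf <<'EOF'
[req]
distinguished_name = dn
x509_extensions = ca_ext
[dn]
[ca_ext]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
EOF

# Root CA: self-signed and explicitly marked as a CA.
openssl req -x509 -config req.cnf -newkey rsa:2048 -nodes -days 1 \
    -subj "/CN=Test Root CA" -keyout ca.key -out ca.crt 2>/dev/null

# issue NAME HOST ISSUER: an end-entity certificate carrying no CA flag.
issue() {
    openssl req -new -config req.cnf -newkey rsa:2048 -nodes \
        -subj "/CN=$2" -keyout "$1.key" -out "$1.csr" 2>/dev/null
    openssl x509 -req -days 1 -in "$1.csr" -CA "$3.crt" -CAkey "$3.key" \
        -CAcreateserial -out "$1.crt" 2>/dev/null
}
issue shop shop.example.test ca     # legitimate server certificate
issue fake bank.example.test shop   # signed with shop's key, which is not a CA

# verdict NAME HOST [UNTRUSTED-FILE]: what a correct verifier says about
# NAME.crt presented for HOST (optional intermediate file) under ca.crt.
verdict() {
    if openssl verify -CAfile ca.crt -verify_hostname "$2" \
            ${3:+-untrusted $3} "$1.crt" >/dev/null 2>&1; then
        echo accepted
    else
        echo rejected
    fi
}

echo "shop.crt for shop.example.test: $(verdict shop shop.example.test)"
echo "shop.crt for bank.example.test: $(verdict shop bank.example.test)"
echo "fake.crt (via shop.crt) for bank.example.test: $(verdict fake bank.example.test shop.crt)"
```

The third case is the one a chain verifier that only checks signatures would wrongly accept: every signature in fake.crt -> shop.crt -> ca.crt is valid, but shop.crt is not authorised to sign anything.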
Comments (1 posted)
Bruce Schneier's CRYPTO-GRAM newsletter for August is out; it includes a
look at Palladium, the proposed law allowing attacks against online
copyright violators, and the idea of arming airline pilots. "To me,
it's another example of the insane lengths the entertainment companies are
willing to go to preserve their business models. They're willing to
destroy your privacy, have general-purpose computers declared illegal, and
exercise special vigilante police powers that no one else has...just to
make sure that no one watches 'The Little Mermaid' without paying for it.
They're trying to invent a new crime: interference with a business
model."
Full Story (comments: none)
Security reports
FUDforum is a web-based forum
system. Ulf Harnhammar has reported two vulnerabilities in this package;
one can provide access to files outside of the FUDforum directory, and the
other can lead to SQL injection issues. The problems have been fixed in
version 2.2.0.
Full Story (comments: none)
A new cross-site scripting vulnerability has been reported in PHP-Nuke
v5.6; properly exploited, this hole can be used to obtain access to the
site's administrative accounts. No fix is available as of this writing.
(Additional note: this vulnerability was actually first reported in March.
PostNuke also, apparently, has this problem.)
Full Story (comments: none)
php-affiliate - a script for running web site affiliate programs - places a
little too much trust in the hidden fields it puts into forms, with the
result that users can modify information belonging to other users.
Full Story (comments: none)
The Web Shop Manager e-commerce system has a trivial remote command
execution vulnerability. This problem exists in version 1.1; no updates are
yet visible on the project web site.
Full Story (comments: none)
New vulnerabilities
Numerous vulnerabilities in bugzilla
Comments (1 posted)
Filename disclosure vulnerability in fam
Package(s): fam
CVE #(s): CAN-2002-0875
Created: August 19, 2002
Updated: January 5, 2005
Description: "fam" (file alteration monitor) watches files and directories
for changes and lets interested applications know when something happens.
This package has a flaw in its group handling that blocks some legitimate
operations while, at the same time, exposing the names of files that should
otherwise be invisible.
Alerts:
Comments (none posted)
Buffer overflow in libpng
Package(s): libpng
CVE #(s): CAN-2002-0728, CAN-2002-0660
Created: August 20, 2002
Updated: August 20, 2002
Description: Versions of libpng prior to 1.0.14 contain a buffer overflow in
the progressive reader when the PNG datastream contains more IDAT data than
indicated by the IHDR chunk. Such deliberately malformed datastreams would
crash applications that are linked to libpng and that use the progressive
reading feature. (From the Red Hat alert.)
Alerts:
Comments (none posted)
Inadequate digital certificate verification in Konqueror
Package(s): Konqueror
CVE #(s):
Created: August 19, 2002
Updated: August 21, 2002
Description: The Konqueror web browser, versions 3.0.2 and prior, does not
properly check how digital certificates were signed; the result is that
anybody can create fake certificates and use them for "man in the middle"
attacks. The problem was fixed in Konqueror 3.0.3.
See also:
Alerts:
Comments (none posted)
Multiple vulnerabilities in mantis
Package(s): mantis
CVE #(s):
Created: August 20, 2002
Updated: September 4, 2002
Description: The Mantis project has reported a number of bugs in the Mantis
bug tracking system, including:
Needless to say, upgrading to a version later than 0.17.3 is recommended.
Alerts:
Comments (none posted)
Safemode vulnerability in PHP
Package(s): PHP
CVE #(s): CAN-2001-1246
Created: August 20, 2002
Updated: October 9, 2002
Description: PHP versions 4.0.5 through 4.1.0 fail to properly cleanse a
parameter to the mail() function, allowing arbitrary command execution by
local and (possibly) remote attackers.
Alerts:
Comments (none posted)
XDR vulnerability in krb5
Package(s): krb5
CVE #(s): CAN-2002-0391
Created: August 19, 2002
Updated: August 20, 2002
Description: The Kerberos 5 implementation suffers from the same SunRPC XDR
buffer overflow problem as many other packages (see the CERT advisory).
Alerts:
Comments (none posted)
Resources
The folks at SecurityFocus have set up two new mailing lists for security
discussions - one aimed at BSD systems, and the "unix-other" list for
proprietary Unix systems.
Full Story (comments: none)
The LinuxSecurity.com weekly newsletter for August 19 is available.
Full Story (comments: none)
Events
Date | Event | Location
August 28 - 30, 2002 | Workshop on Information Security Applications (WISA 2002) | Jeju Island, Korea
September 19 - 20, 2002 | SEcurity of Communications on the Internet 2002 (SECI'02) | Tunis, Tunisia
September 23 - 26, 2002 | New Security Paradigms Workshop 2002 | The Chamberlain Hotel, Hampton, Virginia, USA
September 23 - 25, 2002 | University of Idaho Workshop on Computer Forensics | University of Idaho, Moscow, Idaho, USA
September 26 - 27, 2002 | HiverCon 2002 | Hilton Hotel, Dublin, Ireland
September 27 - 29, 2002 | ToorCon 2002 | San Diego Concourse, San Diego, CA, USA
October 16 - 18, 2002 | Recent Advances in Intrusion Detection 2002 (RAID 2002) | Zurich, Switzerland
Comments (none posted)
Page editor: Jonathan Corbet