Security
Thanks for reading
This is my last week as LWN.net's Security Page Editor. I've opted to pass the Security Page duties on to an excellent editor so I can focus my time for LWN.net on administrivia and infrastructure issues. "Thank You" to everyone who has read the security page this year. I'll miss the pleasure of providing you with our weekly security summary.
Safe Travels,
Dennis Tenney, LWN.net Dude
Brief items
OpenSSL worm in the news
The OpenSSL worm has been referred to in various reports as the Apache/mod_ssl worm, linux.slapper.worm, bugtraq.c worm and Modap worm. Please check out last week's security page for more information. This week CNET continued their coverage with a report that the worm "has reached a plateau after infecting about 7,000 servers and turning the hosts into a peer-to-peer network that could be used to attack other computers."
Personal Computer World covers the recent Slapper C variant "which has infected 1,500 servers already and is spreading, although a source point has not been identified at this time."
Open-source group gets Sun security gift (CNET News.com)
CNET covers the recent donation by Sun of their "elliptic curve" cryptography technology to the open source community. "Elliptic curve cryptography will enable secure communications with devices that don't have as much calculating power as most desktop computers, said Whitfield Diffie, Sun's chief security officer and a pioneer of the Diffie-Hellman "public key" cryptography method used today in SSL and other encryption systems."
London man charged with making virus (Reuters)
Reuters News Agency reports the arrest of the suspected author of "the malicious "T0rn" virus that attacked Linux computer systems". The suspect was arrested at his home in Surbiton, southwest of London, England.
Security reports
Xoops RC3 script injection vulnerability
David Suzanne reports a script injection vulnerability in Xoops RC3, the current version.
phpWebSite 0.8.3 fixes PHP source injection vulnerability
Tim Vandermeersch reports a PHP source injection vulnerability in phpWebSite which is fixed in version 0.8.3. Upgrading is recommended; the vulnerability allows remote execution of arbitrary PHP code by an attacker.
JAWmail cross-site scripting vulnerabilities
Ulf Harnhammar reports cross-site scripting vulnerabilities in JAWmail 1.0-rc1. Versions 2.0-rc1 and later are not vulnerable.
SquirrelMail 1.2.8 fixes cross-site scripting vulnerabilities
SquirrelMail 1.2.8 fixes all of the cross site scripting vulnerabilities described in this post.
New vulnerabilities
Multiple vulnerabilities in Zope 2.5.1
| Package(s): | zope | CVE #(s): | CAN-2002-0170 CAN-2002-0687 CAN-2002-0688 |
|---|---|---|---|
| Created: | September 25, 2002 | Updated: | September 26, 2002 |
| Description: | Three security hotfixes are available to fix vulnerabilities in Zope 2.5.1. | | |
| Alerts: | | | |
Tomcat 4.x JSP source code exposure vulnerability
| Package(s): | tomcat | CVE #(s): | |
|---|---|---|---|
| Created: | September 25, 2002 | Updated: | January 29, 2003 |
| Description: | Rossen Raykov reports that Tomcat 4.0.5 and 4.1.12 fix a JSP source code exposure vulnerability in "Tomcat 4.0.4 and 4.1.10 (probably all other earlier versions also)". The current version of Tomcat is available here. Tomcat is the servlet container that is used in the official Reference Implementation for the Java Servlet and JavaServer Pages technologies. The Java Servlet and JavaServer Pages specifications are developed by Sun under the Java Community Process. | | |
| Alerts: | | | |
Resources
OWASP Guide to Building Secure Web Applications v1.1
The Open Web Application Security Project announces the release of an updated version of the Open Web Application Security Project Guide to Building Secure Web Applications. The guide is available from here in PDF and HTML format.
Linux Security Week and Advisory Watch
The September 23rd Linux Security Week and September 20th Linux Advisory Watch newsletters from LinuxSecurity.com are available.
RATS 2.0 released
The RATS Team announces the release of RATS 2.0.
The Art of Unspoofing
Sean Trifero and Brian Knox have published The Art of Unspoofing, an article on various ways to detect who might be behind a DoS attack. A post of the article garnered this response by Sean Trifero to some pointed comments.
Events
CanSecWest/core03 call for papers
The CanSecWest/core03 computer security training conference will be held April 16-18, 2003 in Vancouver, British Columbia, Canada.
ToorCon 2002 Conference in San Diego this weekend
The ToorCon 2002 folks sent out a reminder that the conference is this weekend! ToorCon 2002 will be held September 27-29 in San Diego, CA, USA.
A Gathering of Big Crypto Brains (Wired)
Wired reports on the annual COSAC conference held recently in Naas, Ireland.
Upcoming Security Events
| Date | Event | Location |
|---|---|---|
| September 26, 2002 | New Security Paradigms Workshop 2002 | The Chamberlain Hotel, Hampton, Virginia, USA |
| September 27 - 29, 2002 | ToorCon 2002 | San Diego Concourse, San Diego, CA, USA |
| October 16 - 18, 2002 | Recent Advances in Intrusion Detection 2002 (RAID 2002) | Zurich, Switzerland |
| October 17, 2002 | ShadowCon 2002 | NSWC Dahlgren, VA, USA |
| November 26 - 27, 2002 | HiverCon 2002 | Burlington Hotel, Dublin, Ireland |
For additional security-related events, including training courses (which we don't list above) and events further in the future, check out Security Focus' calendar, one of the primary resources we use for building the above list. To submit an event directly to us, please send a plain-text message to lwn@lwn.net.
Page editor: Dennis Tenney