[Pluto-security] Fwd: Guardent Client Advisory: Multiple wordtrans-web Vulnerabilities

Dido dido@sicurweb.com
Mon, 09 Sep 2002 18:54:24 +0200


>Guardent Client Advisory
>Multiple wordtrans-web Vulnerabilities
>
>September 6th, 2002
>
>Summary:
>
>Guardent has discovered vulnerabilities in the wordtrans-web package.  The
>vulnerabilities allow for remote execution of arbitrary code under the
>privileges of the user running the webserver and a cross-site scripting
>vulnerability.
>
>
>Scope:
>
>Guardent has verified that all versions prior to and including the current
>development version of wordtrans-1.1pre9 are vulnerable.
>
>The current distribution of Red Hat Linux 7.3 is vulnerable.
>Earlier versions of Red Hat Linux do not contain the vulnerable package.
>
>The Debian wordtrans-web package version 1.0beta-2-2.4 in unstable is
>vulnerable.  Note that this package is not present in the stable release,
>Debian 3.0 (woody).
>
>
>Description:
>
>The wordtrans-web package provides an interface to query multilingual
>dictionaries via a web browser.  Improper input validation allows for the
>execution of arbitrary code or injection of cross-site scripting code by
>passing in unexpected parameters to the wordtrans.php script.  The
>wordtrans.php script in turn executes the "wordtrans" binary unsafely with
>the unexpected parameters.
>
>The Common Vulnerabilities and Exposures project (cve.mitre.org) has
>assigned the name CAN-2002-0837 to this issue.
>
>
>Detection:
>
>Red Hat Linux administrators are encouraged to verify the presence and
>version of their wordtrans-web package using the
>command:
>      rpm -qi wordtrans-web
>
>Guardent has provided the following snort signature to assist users in
>detecting accesses of the vulnerable wordtrans-web component.
>
>alert tcp $EXTERNAL_NET any -> $WEB_SERVERS 80 (msg:"WEB-MISC wordtrans-web
>access"; flags:A+; uricontent:"/wordtrans.php"; nocase;
>classtype:attempted-recon; sid:1082322; rev:1;)
>
>Clients of Guardent's Security Defense Appliance for Managed Intrusion
>Detection Security Services are already being monitored for abuses of this
>vulnerability.
>
>
>Recommendations:
>
>Users of the Red Hat Network can update their systems using the 'up2date'
>tool.
>
>Users of Debian can download the fixed wordtrans-web package version
>1.0beta2-2.5 from http://packages.debian.org/wordtrans-web
>
>Guardent has provided the following workarounds for popular versions of the
>wordtrans-web package.  These workarounds are not meant to be a substitute
>for recommended vendor packages.
>
>The following patch is for version wordtrans-1.1pre8.php:
>
>*** wordtrans-1.1pre8.php.old
>- --- wordtrans-1.1pre8.php
>***************
>*** 15,20 ****
>- --- 15,21 ----
>   <head>
>   <title>
>   <?
>+ $dict=ereg_replace("[^[:alnum:]-]","",$dict);
>   if ($word == "") {
>         if ($lang == "es")
>                 echo "Interfaz Web de Wordtrans";
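Review bot: only `$dict` is filtered by the inserted line, while `$word` and `$lang`, visible in the same hunk, are still used without any check; if either of them also reaches the `wordtrans` command line or is echoed back into the page, the same allowlist should be applied to them, and the place where the binary is invoked should wrap every argument in `escapeshellarg()` so that this one regex is not the only barrier. Note also that `ereg_replace("[^[:alnum:]-]","",$dict)` silently strips offending characters instead of rejecting the request; returning an error for a value that does not match the allowlist gives a clearer failure and a log entry worth alerting on.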
>
>The following patch is for version wordtrans-1.1pre9.php:
>
>*** wordtrans-1.1pre9.php.old
>- --- wordtrans-1.1pre9.php
>***************
>*** 20,25 ****
>- --- 20,26 ----
>   <head>
>   <title>
>   <?
>+ $dict=ereg_replace("[^[:alnum:]-]","",$dict);
>   if ($word == "") {
>         if ($lang == "es")
>                 echo "Interfaz Web de Wordtrans";
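Review bot: this is the same one-line insertion as the pre8 patch, so the comments above apply unchanged; two further points specific to the expression itself. `[:alnum:]` is locale dependent, so under a non-C locale it admits accented letters and other non-ASCII characters; if the intent is to keep dictionary names to plain ASCII, spell the class out as `A-Za-z0-9`. And `ereg_replace` belongs to the POSIX regex family that later PHP releases deprecate and remove, so anyone carrying this workaround forward should use the PCRE equivalent `preg_replace('/[^A-Za-z0-9-]/', '', $dict)`.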
>
>References:
>
>Guardent Client Advisory - Multiple wordtrans-web Vulnerabilities
>      http://www.guardent.com/comp_news_advisories.html
>
>Red Hat Errata RHSA-2002-188
>      http://rhn.redhat.com/errata/RHSA-2002-188.html
>
>Debian wordtrans-web package
>      http://packages.debian.org/wordtrans-web
>
>The Common Vulnerabilities and Exposures project - CAN-2002-0837
>      http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0837
>
>
>Credits:
>
>This vulnerability was discovered and researched by Allen Wilson of
>Guardent, Inc.  Guardent would like to thank Mark J. Cox and the entire Red
>Hat Security Response Team as well as Matt Zimmerman of Debian GNU/Linux for
>their response and handling of this vulnerability.
>
>About Guardent:
>
>Guardent provides security and privacy programs for Global 2000
>organizations.  Integrating consulting and managed services, Guardent helps
>financial services, life sciences, manufacturing, government and technology
>clients achieve their business objectives through the use of appropriate
>security and privacy measures.  Guardent can assist your organization with
>Vulnerability Assessment Services, Managed Intrusion Detection and Firewall
>Services.  Guardent can also provide assistance in developing an Incident
>Response Plan.
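The Snort rule in the advisory fires on every access to wordtrans.php, which includes legitimate dictionary lookups. The following script, added here and not part of the Guardent advisory or the wordtrans project, triages web-server access log lines the same way a reviewer would: it matches the path case-insensitively like the `nocase` uricontent rule, then applies the patch's allowlist (`[^[:alnum:]-]`, approximated here as ASCII `A-Za-z0-9-`, an assumption) to the `dict` parameter and separates hits that carry out-of-allowlist characters from plain accesses. The log lines are constructed samples, not real traffic.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Allowlist taken from the advisory's patch: ereg_replace("[^[:alnum:]-]","",$dict).
# ASCII approximation of [:alnum:] is an assumption; the PHP class is locale dependent.
SAFE_VALUE = re.compile(r"^[A-Za-z0-9-]*$")
# Only the parameter the patch sanitises is checked; extending this set is up to the reader.
CHECKED_PARAMS = {"dict"}

# Constructed sample lines in Apache common log format (not captured traffic).
SAMPLE_LOG = """\
192.0.2.10 - - [09/Sep/2002:18:54:24 +0200] "GET /wordtrans.php?word=hello&dict=en-es HTTP/1.0" 200 512
192.0.2.11 - - [09/Sep/2002:18:55:01 +0200] "GET /WordTrans.PHP?word=hello&dict=en-es%3Bid HTTP/1.0" 200 512
192.0.2.12 - - [09/Sep/2002:18:55:30 +0200] "GET /index.html HTTP/1.0" 200 1024
"""

LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<uri>\S+) [^"]*" (?P<status>\d{3})'
)


def classify(line):
    """Return None for lines that do not touch wordtrans.php, otherwise a dict with the
    source address and the names of checked parameters whose value fails the allowlist."""
    m = LOG_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m.group("uri"))
    # Mirror the Snort rule: case-insensitive match on the decoded path.
    if "/wordtrans.php" not in unquote(parts.path).lower():
        return None
    bad = set()
    # parse_qs percent-decodes values, so "en-es%3Bid" is checked as "en-es;id".
    for name, values in parse_qs(parts.query, keep_blank_values=True).items():
        if name in CHECKED_PARAMS and any(not SAFE_VALUE.match(v) for v in values):
            bad.add(name)
    return {"src": m.group("src"), "suspicious_params": sorted(bad)}


def triage(log_text):
    """Split wordtrans.php hits into (suspicious, plain) lists for analyst review."""
    hits = [h for h in (classify(l) for l in log_text.splitlines()) if h]
    suspicious = [h for h in hits if h["suspicious_params"]]
    plain = [h for h in hits if not h["suspicious_params"]]
    return suspicious, plain


if __name__ == "__main__":
    for h in triage(SAMPLE_LOG)[0]:
        print("review:", h["src"], "params outside allowlist:", h["suspicious_params"])
```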