Main
Old News
Links
About
FAQ
RFC'S
Search
Books
Reviews
Downloads
Library
Common
Patch Section

Archive
Articles
Advisories
Contrib
Papers

Found a bug or have some feedback?
Email us
www.cgisecurity.com

5/28/03 Cumulative Patch for Internet Information Service

SPI Labs and NSFocus have discovered multiple holes in IIS. Two denial of service conditions exist that can allow an attacker to cause IIS to stop responding. One Cross site scripting issue exists in the 302 redirection pages, and one buffer overflow that allows command execution as the webserver user. The buffer overflow requires the user to have upload ability, and Server Side Include permissions.

SPILabs Advisory
Microsoft advisory

Fix:
To apply this patch run windows update and install patch "Q811114:"

5/28/03 Apache Pre 2.0.46 Denial of Service

Below is a snippet from the apache advisory.

Apache 2.0.46 Major changes

Security vulnerabilities closed since Apache 2.0.45

*) SECURITY [CAN-2003-0245]: Fixed a bug that could be triggered
remotely through mod_dav and possibly other mechanisms, causing
an Apache child process to crash. The crash was first reported
by David Endler and was researched and
fixed by Joe Orton . Details will be released
on 30 May 2003.

*) SECURITY [CAN-2003-0189]: Fixed a denial-of-service vulnerability
affecting basic authentication on Unix platforms related to
thread-safety in apr_password_validate(). The problem was reported
by John Hughes

Full advisory

5/27/03 Sun One Application Server Multiple vulnerabilities

SPILabs Has identified four issues in the popular Sun One application server. They range from Source code theft, Log evasion, Cross site scripting, and plaintext administrative password storage.

Sun One Multiple Issues

5/27/03 Multiple holes in Vignette
s21sec has discovered eight vulnerabilities in Vignette Application server.

Vignette User enumeration
Vignette TCL Command execution
Vignette internal information leak
Vignette Server side include injection
Vignette Cross site scripting issues
Vignette License access modification
Vignette SQL Injection
Vignette AIX memory leak

5/17/03 IIS Security and Programming Countermeasures e-book released
Jason Coombs has released this 440 page e-book on IIS security, and secure programming. Worth a read if you run IIS on a production system.

5/17/03 Windows update isn't always updating...
According to this email from NTBugtraq Windows Update is falsely reporting when your system is patched. It also goes into further detail of how to make sure your system is properly patched with windows update. Definitely worth a read.

4/12/03 Website updates
I've recently made a few additions to the site that I would like to point out.

1. I've added the .NET security page which contains links to .NET related documentation.
2. I added relevant newsgroups to the "Quick Links" pages towards the bottom right hand corner.
3. Added more documents to the library section of this website.

Future Additions
I will be adding Websphere, Weblogic, Oracle, Mysql, and IIS sections to this website. They will have documents on security, tutorials, and downloads relevant to each product.

If there is anything on this website that you feel should be here please Tell me.


Old News

Site Updates
• Novell HTTPSTK DOS
• IIS Denial of Service
• Apache Pre 2.0.46 Denial of service
• SunOne Multiple issues
• Vignette Multiple XSS

Last Update
Sat Jun 7 15:01:14
more...

Search the archive

Bugtraq
Securityfocus updating please wait

Updated every 15 minutes

Webappsec
List
• Re: View and edit hidden HTML form fields (fwd)
• Re: View and edit hidden HTML form fields (fwd)
• Re: IIS Virtual Directory Security
• RE: View and edit hidden HTML form fields (fwd)
• Re: View and edit hidden HTML form fields (fwd)

Updated every 15 minutes

Quick Links
• Cross site scripting (XSS)

• .NET security resouces

• Websphere security resources

• Java security

• Database and SQL Injection

• XML security resources

Copyright www.cgisecurity.com ©2003
. . . . . . .