SECURITYVULNS:DOC:3472
Sep 10, 2002

Guardent Client Advisory: Multiple wordtrans-web Vulnerabilities


Guardent Client Advisory
Multiple wordtrans-web Vulnerabilities

September 6th, 2002

Summary:

Guardent has discovered vulnerabilities in the wordtrans-web package. The
vulnerabilities allow remote execution of arbitrary code with the
privileges of the user running the web server, as well as cross-site
scripting.

Scope:

Guardent has verified that all versions prior to and including the current
development version of wordtrans-1.1pre9 are vulnerable.

The current distribution of Red Hat Linux 7.3 is vulnerable.
Earlier versions of Red Hat Linux do not contain the vulnerable package.

The Debian wordtrans-web package version 1.0beta-2-2.4 in unstable is
vulnerable. Note that this package is not present in the stable release,
Debian 3.0 (woody).

Description:

The wordtrans-web package provides an interface to query multilingual
dictionaries via a web browser. Improper input validation allows for the
execution of arbitrary code or injection of cross-site scripting code by
passing in unexpected parameters to the wordtrans.php script. The
wordtrans.php script in turn executes the "wordtrans" binary unsafely with
the unexpected parameters.

The Common Vulnerabilities and Exposures project (cve.mitre.org) has
assigned the name CAN-2002-0837 to this issue.

Detection:

Red Hat Linux administrators are encouraged to verify the presence and
version of their wordtrans-web package using the command:

    rpm -qi wordtrans-web

Guardent has provided the following snort signature to assist users in
detecting accesses of the vulnerable wordtrans-web component.

alert tcp $EXTERNAL_NET any -> $WEB_SERVERS 80 (msg:"WEB-MISC wordtrans-web access"; flags:A+; uricontent:"/wordtrans.php"; nocase; classtype:attempted-recon; sid:1082322; rev:1;)
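
The signature above fires on any access to the script. As an added example (not part of the Guardent advisory), the following Python code applies the same case-insensitive URI match to web server access logs and reports only requests whose dict value contains characters that the workaround below would strip. It assumes Common Log Format and that the request parameter is named dict like the script's $dict variable; the sample log lines and paths are constructed.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Same allowlist as the advisory's workaround: alphanumerics and "-".
# ASCII-only here, which is stricter than a locale-aware [:alnum:].
ALLOWED = re.compile(r"[A-Za-z0-9-]*")
# Request line inside a Common Log Format entry (log format is an assumption).
REQUEST = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')

def suspicious_dict_values(log_line):
    """Return the decoded dict values that the workaround would have altered."""
    m = REQUEST.search(log_line)
    if not m:
        return []
    url = urlsplit(m.group(1))
    # Mirror the rule's uricontent:"/wordtrans.php"; nocase;
    if "/wordtrans.php" not in url.path.lower():
        return []
    # Parameter name "dict" is assumed from the script's $dict variable.
    return [v for k, v in parse_qsl(url.query, keep_blank_values=True)
            if k == "dict" and not ALLOWED.fullmatch(v)]

def scan(lines):
    """Map 1-based line number -> offending values for every flagged line."""
    hits = {}
    for n, line in enumerate(lines, 1):
        bad = suspicious_dict_values(line)
        if bad:
            hits[n] = bad
    return hits

# Constructed sample entries (documentation addresses, no real traffic).
SAMPLE = [
    '192.0.2.10 - - [10/Sep/2002:09:14:02 +0000] "GET /wordtrans/wordtrans.php?word=casa&dict=es-en HTTP/1.0" 200 2310',
    '192.0.2.44 - - [10/Sep/2002:09:15:40 +0000] "GET /wordtrans/WordTrans.PHP?word=casa&dict=es%3Bx HTTP/1.0" 200 512',
    '192.0.2.44 - - [10/Sep/2002:09:15:58 +0000] "GET /wordtrans/wordtrans.php?dict=%3Ci%3Een&word=a HTTP/1.0" 200 498',
    '192.0.2.71 - - [10/Sep/2002:09:20:11 +0000] "GET /index.php?dict=a%3Bb HTTP/1.0" 200 1044',
]

if __name__ == "__main__":
    for lineno, values in scan(SAMPLE).items():
        print(lineno, values)
```

Parameters sent in a POST body do not appear in access logs, so this check covers query-string requests only.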

Clients of Guardent's Security Defense Appliance for Managed Intrusion
Detection Security Services are already being monitored for abuses of this
vulnerability.

Recommendations:

Users of the Red Hat Network can update their systems using the 'up2date'
tool.

Users of Debian can download the fixed wordtrans-web package version
1.0beta2-2.5 from http://packages.debian.org/wordtrans-web

Guardent has provided the following workarounds for popular versions of the
wordtrans-web package. These workarounds are not meant to be a substitute
for recommended vendor packages.

The following patch is for version wordtrans-1.1pre8.php:

*** wordtrans-1.1pre8.php.old

  • — wordtrans-1.1pre8.php

*** 15,20****

  • — 15,21 ----
    <head>
    <title>
    <?
  • $dict=ereg_replace("[^[:alnum:]-]","",$dict);
    if ($word == "") {
    if ($lang == "es")
    echo "Interfaz Web de Wordtrans";
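
Review bot: The added ereg_replace line filters only $dict, while the context lines directly below it branch on $word and $lang, which appear to be request-supplied as well and are left untouched. Since the advisory attributes both the command execution and the cross-site scripting to unexpected parameters reaching wordtrans.php, apply equivalent validation to every request parameter, and additionally quote values with escapeshellarg() where the wordtrans binary is invoked and htmlspecialchars() where they are echoed; neither call site is visible in this hunk.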

The following patch is for version wordtrans-1.1pre9.php:

*** wordtrans-1.1pre9.php.old

  • — wordtrans-1.1pre9.php

*** 20,25****

  • — 20,26 ----
    <head>
    <title>
    <?
  • $dict=ereg_replace("[^[:alnum:]-]","",$dict);
    if ($word == "") {
    if ($lang == "es")
    echo "Interfaz Web de Wordtrans";
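
Review bot: The character class [^[:alnum:]-] in the added line keeps '-', so a $dict value that begins with a hyphen survives the filter and could be read as a command-line option if it is passed to the wordtrans binary as an argument; consider rejecting values with a leading '-' or matching $dict against the list of installed dictionary names instead. Also note that ereg_replace() was removed in PHP 7, so on a current interpreter the equivalent is preg_replace('/[^[:alnum:]-]/', '', $dict).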

References:

Guardent Client Advisory - Multiple wordtrans-web Vulnerabilities
http://www.guardent.com/comp_news_advisories.html

Red Hat Errata RHSA-2002-188
http://rhn.redhat.com/errata/RHSA-2002-188.html

Debian wordtrans-web package
http://packages.debian.org/wordtrans-web

The Common Vulnerability and Exposures project - CAN-2002-0837
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0837

Credits:

This vulnerability was discovered and researched by Allen Wilson of
Guardent, Inc. Guardent would like to thank Mark J. Cox and the entire Red
Hat Security Response Team as well as Matt Zimmerman of Debian GNU/Linux for
their response and handling of this vulnerability.

About Guardent:

Guardent provides security and privacy programs for Global 2000
organizations. Integrating consulting and managed services, Guardent helps
financial services, life sciences, manufacturing, government and technology
clients achieve their business objectives through the use of appropriate
security and privacy measures. Guardent can assist your organization with
Vulnerability Assessment Services, Managed Intrusion Detection and Firewall
Services. Guardent can also provide assistance in developing an Incident
Response Plan.

For clients requiring support for these issues, please contact the Guardent
Operations Center at (888) 456-3210 ext. 4 or by e-mailing
[email protected].

All media inquiries should be directed to:

Dan McCall
(617) 577-6500
[email protected]

(C) Copyright 2002 Guardent, Inc.

Permission is hereby granted for the electronic redistribution of this
document. It is not to be edited or altered in any way without the express
written consent of Guardent, Inc.

Disclaimer: The information within this document may change without notice.
Guardent will keep an updated version of this advisory on its web site at
www.guardent.com for a limited period of time. Use of this information
constitutes acceptance for use in an AS IS condition. There are NO
warranties, implied or otherwise, with regard to this information or its
use. ANY USE OF THIS INFORMATION IS AT THE USER'S RISK. In no event shall
Guardent be liable for any damages whatsoever arising out of or in
connection with the use or spread of this information.
