Executive Summary



This Alert is flagged as TOP 25 Common Weakness Enumeration from CWE/SANS. For more information, you can read this.
Summary
Title HP-UX Running Netscape / Red Hat Directory Server, Remote Cross Site Scripting (XSS) or Remote Denial of Service (DoS)
Informations
Name HPSBUX02354 SSRT080113 First vendor Publication 2008-09-01
Vendor HP Last vendor Modification 2008-09-01
Severity (Vendor) N/A Revision 1

Security-Database Scoring CVSS v3

Cvss vector : N/A
Overall CVSS Score NA
Base Score NA Environmental Score NA
impact SubScore NA Temporal Score NA
Exploitabality Sub Score NA
 
Calculate full CVSS 3.0 Vectors scores

Security-Database Scoring CVSS v2

Cvss vector : (AV:N/AC:L/Au:N/C:C/I:C/A:C)
Cvss Base Score 10 Attack Range Network
Cvss Impact Score 10 Attack Complexity Low
Cvss Expoit Score 10 Authentication None Required
Calculate full CVSS 2.0 Vectors scores

Detail

Potential security vulnerabilities have been identified in HP-UX running Netscape / Red Hat Directory Server. These vulnerabilities could be exploited remotely to allow Cross Site Scripting (XSS) or to create a Denial of Service (DoS).

Original Source

Url : http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c01532861

CWE : Common Weakness Enumeration

% Id Name
50 % CWE-399 Resource Management Errors
25 % CWE-119 Failure to Constrain Operations within the Bounds of a Memory Buffer
25 % CWE-79 Failure to Preserve Web Page Structure ('Cross-site Scripting') (CWE/SANS Top 25)

OVAL Definitions

Definition Id: oval:org.mitre.oval:def:5865
 
Oval ID: oval:org.mitre.oval:def:5865
Title: HP-UX Running Netscape / Red Hat Directory Server, Remote Cross Site Scripting (XSS) or Remote Denial of Service (DoS)
Description: Multiple buffer overflows in the adminutil library in CGI applications in Red Hat Directory Server 7.1 before SP7 allow remote attackers to cause a denial of service (daemon crash) or possibly execute arbitrary code via a crafted Accept-Language HTTP header.
Family: unix Class: vulnerability
Reference(s): CVE-2008-2928
Version: 9
Platform(s): HP-UX 11
Product(s):
Definition Synopsis:
Definition Id: oval:org.mitre.oval:def:5877
 
Oval ID: oval:org.mitre.oval:def:5877
Title: HP-UX Running Netscape / Red Hat Directory Server, Remote Cross Site Scripting (XSS) or Remote Denial of Service (DoS)
Description: Multiple cross-site scripting (XSS) vulnerabilities in the adminutil library in the Directory Server Administration Express and Directory Server Gateway (DSGW) web interface in Red Hat Directory Server 7.1 before SP7 and 8 EL4 and EL5, and Fedora Directory Server, allow remote attackers to inject arbitrary web script or HTML via input values that use % (percent) escaping.
Family: unix Class: vulnerability
Reference(s): CVE-2008-2929
Version: 9
Platform(s): HP-UX 11
Product(s):
Definition Synopsis:
Definition Id: oval:org.mitre.oval:def:6078
 
Oval ID: oval:org.mitre.oval:def:6078
Title: HP-UX Running Netscape / Red Hat Directory Server, Remote Cross Site Scripting (XSS) or Remote Denial of Service (DoS)
Description: Red Hat Directory Server 7.1 before SP7, Red Hat Directory Server 8, and Fedora Directory Server 1.1.1 allow remote attackers to cause a denial of service (CPU consumption and search outage) via crafted LDAP search requests with patterns, related to a single-threaded regular-expression subsystem.
Family: unix Class: vulnerability
Reference(s): CVE-2008-2930
Version: 9
Platform(s): HP-UX 11
Product(s):
Definition Synopsis:
Definition Id: oval:org.mitre.oval:def:6118
 
Oval ID: oval:org.mitre.oval:def:6118
Title: HP-UX Running Netscape / Red Hat Directory Server, Remote Cross Site Scripting (XSS) or Remote Denial of Service (DoS)
Description: Multiple memory leaks in Red Hat Directory Server 7.1 before SP7, Red Hat Directory Server 8, and Fedora Directory Server 1.1.1 and earlier allow remote attackers to cause a denial of service (memory consumption) via vectors involving (1) the authentication / bind phase and (2) anonymous LDAP search requests.
Family: unix Class: vulnerability
Reference(s): CVE-2008-3283
Version: 9
Platform(s): HP-UX 11
Product(s):
Definition Synopsis:

CPE : Common Platform Enumeration

TypeDescriptionCount
Application 2
Application 9

OpenVAS Exploits

Date Description
2009-05-05 Name : HP-UX Update for Netscape / Red Hat Directory Server HPSBUX02354
File : nvt/gb_hp_ux_HPSBUX02354.nasl
2009-02-17 Name : Fedora Update for adminutil FEDORA-2008-7339
File : nvt/gb_fedora_2008_7339_adminutil_fc9.nasl
2009-02-17 Name : Fedora Update for adminutil FEDORA-2008-7642
File : nvt/gb_fedora_2008_7642_adminutil_fc8.nasl
2009-02-17 Name : Fedora Update for fedora-ds-base FEDORA-2008-7813
File : nvt/gb_fedora_2008_7813_fedora-ds-base_fc9.nasl
2009-02-17 Name : Fedora Update for fedora-ds-base FEDORA-2008-7891
File : nvt/gb_fedora_2008_7891_fedora-ds-base_fc8.nasl

Open Source Vulnerability Database (OSVDB)

Id Description
48176 Red Hat Directory Server adminutil Library Accept-Language HTTP Header Handli...

48175 Red Hat Directory Server Directory Server Gateway (DSGW) Interface adminutil ...

48174 Red Hat Directory Server Directory Server Administration Express Interface ad...

48173 Red Hat Directory Server Crafted Pattern LDAP Search Request DoS

48172 Red Hat Directory Server Anonymous LDAP Search Request Unspecified Remote DoS

48171 Red Hat Directory Server Authentication / Bind Phase Unspecified Remote DoS

Information Assurance Vulnerability Management (IAVM)

Date Description
2008-09-18 IAVM : 2008-T-0049 - Multiple Vulnerabilities in RedHat Fedora Directory Server
Severity : Category I - VMSKEY : V0017350

Snort® IPS/IDS

Date Description
2014-01-10 Red Hat Directory Server Accept-Language HTTP header parsing buffer overflow ...
RuleID : 16213 - Revision : 11 - Type : SERVER-OTHER

Nessus® Vulnerability Scanner

Date Description
2008-09-12 Name : The remote Fedora host is missing a security update.
File : fedora_2008-7813.nasl - Type : ACT_GATHER_INFO
2008-09-12 Name : The remote Fedora host is missing a security update.
File : fedora_2008-7891.nasl - Type : ACT_GATHER_INFO
2008-09-10 Name : The remote Fedora host is missing a security update.
File : fedora_2008-7339.nasl - Type : ACT_GATHER_INFO
2008-09-10 Name : The remote Fedora host is missing a security update.
File : fedora_2008-7642.nasl - Type : ACT_GATHER_INFO