FYI.
RSA just sent this announcement to registered RSA SecurCare Online customers.
_Vin
----------------------------------
From: RSA Security <securcare_note@...>
Date: Thu, 5 May 2005 14:14:12 -0400
Subject: Potential Security Vulnerability Found and Fixed in RSA Authentication Agents 5.3 for Web
Dear RSA SecurCare Online Customer:
RSA Security has recently discovered and fixed 2 potential security
vulnerabilities in the following RSA Authentication Agents for Web software:
- RSA Authentication Agent 5.3 for Web for IIS
- RSA Authentication Agent 5.3 for Web for Apache
- RSA Authentication Agent 5.3 for Web for Sun Java System
The issues have been addressed and thoroughly qualified by RSA Security.
RSA Security is not aware of any security breaches resulting from these
vulnerabilities.
Description:
- The RSA Authentication Agents for Web 5.3 for Apache, IIS, and Sun Java
System can be exploited to conduct cross-site scripting attacks
- The RSA Authentication Agent for Web 5.3 for IIS can be exploited with a
heap overflow condition
Implication:
- Input passed to the "postdata" parameter in "/WebID/IISWebAgentIF.dll" is
not properly sanitized before it is returned to users. This can be
exploited to execute arbitrary HTML and script code in a user's browser
session in context of a vulnerable site.
- A heap overflow condition causes IIS to crash on Windows 2000
Action Taken by RSA Security:
RSA has created security patches to eliminate these vulnerabilities to be
applied to the following:
- RSA Authentication Agent 5.3 for Web for IIS
- RSA Authentication Agent 5.3 for Web for Apache
- RSA Authentication Agent 5.3 for Web for Sun Java System
IMPORTANT: Customers using RSA Authentication Agent 5.2 for Web with any
web server other than Apache 1.3 must upgrade to the corresponding 5.3
version and apply the security patches.
Recommendation:
RSA Security recommends that all customers currently using RSA
Authentication Agents 5.3 for Web software apply the security patches
available now on the RSA SecurCare Online site. Doing so eliminates these
vulnerabilities.
Getting Security Fixes:
To get this new patch and documentation, log on to RSA SecurCare Online at
https://knowledge.rsasecurity.com and click "Downloads" in the left
navigation menu. Then, click "Fixes by Product", click "RSA SecurID", and
"Authentication Agent 5.x", and select the downloads and documentation that
pertain to your environment.
Getting Support and Service:
For customers with current maintenance contracts, please contact your local
RSA Security Customer Support department with any additional questions
regarding this RSA SecurCare Alert. Contact phone numbers can be found on
RSA Security's Web site at http://www.rsasecurity.com/node.asp?id=1068.
General Customer Support Information:
http://www.rsasecurity.com/node.asp?id=1067
RSA SecurCare Online:
https://knowledge.rsasecurity.com
About RSA SecurCare Notes & Alerts Subscription:
RSA SecurCare Notes & Alerts are targeted email messages RSA Security sends
you based on the RSA Security product family you currently use. If you'd
like to stop receiving RSA SecurCare Notes & Alerts, or if you'd like to
change which RSA Security product family's Notes & Alerts you currently
receive, log on to RSA SecurCare Online at
https://knowledge.rsasecurity.com and click "Notes & Alerts" and
"Subscription" in the left navigation menu. Following the instructions on
the page, remove the check mark next to the RSA Security product family
whose Notes & Alerts you no longer wish to receive. Then click the "Submit"
button to save your selection.
Sincerely,
RSA Security Customer Support
(** Please do not reply to this email. To change or cancel your
subscription to RSA SecurCare Notes & Alerts, please log on to RSA
SecurCare Online at https://knowledge.rsasecurity.com, click "Notes &
Alerts" and "Subscription" in the left navigation menu, and follow the
instructions on the page to unsubscribe from this service.)
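As an added example, not part of the forwarded RSA alert: a small IIS W3C log check for the reflected-input issue the advisory describes, flagging requests to "/WebID/IISWebAgentIF.dll" whose "postdata" value contains HTML or script markers after URL decoding (including double-encoded values). The log lines are constructed, and the example assumes the parameter is visible in cs-uri-query, which the alert does not state.

```python
import re
from urllib.parse import parse_qs, unquote_plus

# Path and parameter named in the RSA alert
AGENT_PATH = "/WebID/IISWebAgentIF.dll"
PARAM = "postdata"

# Markers suggesting HTML/script content in a value the agent reflects back
SCRIPT_MARKERS = re.compile(r"<|>|javascript:|\bon\w+\s*=", re.IGNORECASE)

# Constructed IIS W3C extended log excerpt (not real traffic)
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 5.0
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2005-05-05 14:10:01 192.0.2.10 GET /WebID/IISWebAgentIF.dll postdata=%2Fprotected%2Findex.html 200
2005-05-05 14:10:07 192.0.2.11 GET /WebID/IISWebAgentIF.dll postdata=%3Cscript%3Ealert(1)%3C%2Fscript%3E 200
2005-05-05 14:10:09 192.0.2.12 GET /index.html - 200
2005-05-05 14:10:15 192.0.2.13 GET /WebID/IISWebAgentIF.dll postdata=%253Cscript%253E 200
"""


def parse_w3c(log_text):
    """Parse W3C extended log text into dicts keyed by the #Fields header."""
    fields, rows = None, []
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            rows.append(dict(zip(fields, line.split())))
    return rows


def suspicious_postdata(rows):
    """Return (client ip, decoded value) for agent requests whose postdata
    parameter still contains script markers once URL encoding is removed."""
    hits = []
    for r in rows:
        if r.get("cs-uri-stem", "").lower() != AGENT_PATH.lower():
            continue
        query = r.get("cs-uri-query", "-")
        if query == "-":
            continue
        for value in parse_qs(query).get(PARAM, []):
            # parse_qs decodes once; a second decode exposes double-encoded input
            decoded = unquote_plus(value)
            if SCRIPT_MARKERS.search(decoded):
                hits.append((r["c-ip"], decoded))
    return hits


if __name__ == "__main__":
    for ip, value in suspicious_postdata(parse_w3c(SAMPLE_LOG)):
        print(f"{ip}: {value!r}")
```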