Spyware, Viruses, & Security forum

General discussion

VULNERABILITIES \ FIXES - August 30, 2007

Yahoo! Messenger Get Version Info ActiveX Remote Code Execution Vulnerability

Advisory ID : FrSIRT/ADV-2007-3011
CVE ID : GENERIC-MAP-NOMATCH
Rated as : Critical
Remotely Exploitable : Yes
Locally Exploitable : Yes
Release Date : 2007-08-30

Technical Description

A vulnerability has been identified in Yahoo! Messenger, which could be exploited by remote attackers to cause a denial of service or take complete control of an affected system. This issue is caused by a buffer overflow error in the Get Version Info (YVerInfo.dll) ActiveX control when processing malformed data, which could be exploited by remote attackers to execute arbitrary code by tricking a user into visiting a specially crafted web page.

Affected Products

Yahoo! Messenger versions 8.x

Solution

Upgrade to the latest version :
http://messenger.yahoo.com/download.php

References

http://www.frsirt.com/english/advisories/2007/3011
http://messenger.yahoo.com/security_update.php?id=082907

Credits

Vulnerability reported by iDefense Labs.

Cisco CallManager Multiple Cross Site Scripting and SQL Inje

In reply to: VULNERABILITIES \ FIXES - August 30, 2007

Cisco CallManager Multiple Cross Site Scripting and SQL Injection Vulnerabilities

Advisory ID : FrSIRT/ADV-2007-3010
CVE ID : GENERIC-MAP-NOMATCH
Rated as : Moderate Risk
Remotely Exploitable : Yes
Locally Exploitable : Yes
Release Date : 2007-08-30

Technical Description

Multiple vulnerabilities have been identified in Cisco CallManager and Unified Communications Manager, which could be exploited by remote attackers to execute arbitrary SQL queries or scripting code. These issues are caused by unspecified input validation errors in various scripts when processing user-supplied data, which could be exploited by malicious people to conduct SQL injection or cross site scripting attacks.

Affected Products

Cisco CallManager versions prior to 3.3(5)sr2b
Cisco CallManager versions prior to 4.1(3)sr5
Cisco CallManager versions prior to 4.2(3)sr2
Cisco CallManager versions prior to 4.3(1)sr1
Cisco Unified Communications Manager versions prior to 3.3(5)sr2b
Cisco Unified Communications Manager versions prior to 4.1(3)sr5
Cisco Unified Communications Manager versions prior to 4.2(3)sr2
Cisco Unified Communications Manager versions prior to 4.3(1)sr1

Solution

Upgrade to version 3.3(5)sr2b, 4.1(3)sr5, 4.2(3)sr2 or 4.3(1)sr1 :
http://www.cisco.com/pcgi-bin/tablebuild.pl/callmgr-33?psrtdcat20e2
http://www.cisco.com/pcgi-bin/tablebuild.pl/callmgr-41?psrtdcat20e2
http://www.cisco.com/pcgi-bin/tablebuild.pl/callmgr-42?psrtdcat20e2
http://www.cisco.com/pcgi-bin/tablebuild.pl/callmgr-43?psrtdcat20e2

References

http://www.frsirt.com/english/advisories/2007/3010
http://www.cisco.com/warp/public/707/cisco-sa-20070829-ccm.shtml

Credits

Vulnerabilities reported by Gama SEC and Elliot Kendall (Brandeis University).

Debian Security Update Fixes Postfix-policyd Code Execution

In reply to: VULNERABILITIES \ FIXES - August 30, 2007

Debian Security Update Fixes Postfix-policyd Code Execution Vulnerability

Advisory ID : FrSIRT/ADV-2007-3012
CVE ID : CVE-2007-3791
Rated as : Critical
Remotely Exploitable : Yes
Locally Exploitable : Yes
Release Date : 2007-08-30

Technical Description

A vulnerability has been identified in Debian, which could be exploited by remote attackers to cause a denial of service or execute arbitrary code. This issue is caused by a buffer overflow error in the "w_read()" [sockets.c] function within Postfix-policyd when processing overly long data, which could be exploited by remote attackers to crash an affected application or compromise a vulnerable system.

Affected Products

Debian GNU/Linux etch
Debian GNU/Linux sid

Solution

Debian GNU/Linux etch - Upgrade to postfix-policyd version 1.80-2.1etch1
Debian GNU/Linux sid - Upgrade to postfix-policyd version 1.80-2.2

References

http://www.frsirt.com/english/advisories/2007/3012
http://lists.debian.org/debian-security-announce/debian-security-announce-2007/msg00123.html
http://svn.linuxrulz.org/WebSVN/diff.php?repname=Policyd&path=%2Ftrunk%2Fsockets.c&rev=4&sc=0

Credits

Vulnerability reported by Raphael Marichez.

Debian Security Update Fixes Lighttpd Denial of Service and

In reply to: VULNERABILITIES \ FIXES - August 30, 2007

Debian Security Update Fixes Lighttpd Denial of Service and Security Bypass

Advisory ID : FrSIRT/ADV-2007-3013
CVE ID : CVE-2007-3946 - CVE-2007-3947 - CVE-2007-3949 - CVE-2007-3950
Rated as : Moderate Risk
Remotely Exploitable : Yes
Locally Exploitable : Yes
Release Date : 2007-08-30

Technical Description

Multiple vulnerabilities have been identified in Debian, which could be exploited by attackers to cause a denial of service or bypass security restrictions. These issues are caused by errors in Lighttpd. For additional information, see : FrSIRT/ADV-2007-2585

Affected Products

Debian GNU/Linux etch
Debian GNU/Linux sid

Solution

Debian GNU/Linux etch - Upgrade to lighttpd version 1.4.13-4etch3
Debian GNU/Linux sid - Upgrade to lighttpd version 1.4.16-1

References

http://www.frsirt.com/english/advisories/2007/3013
http://lists.debian.org/debian-security-announce/debian-security-announce-2007/msg00124.html

Vista Patches?

In reply to: VULNERABILITIES \ FIXES - August 30, 2007

Published: 2007-08-30,
Last Updated: 2007-08-30 05:20:04 UTC
by Mark Hofman (Version: 1)
Some of you will have noticed some Vista patches coming through today.

It looks like there are 5 patches, 2 important, 2 recommended and one optional.

http://isc.sans.org/

Apache mod_proxy "date" Denial of Service Vulnerability

In reply to: VULNERABILITIES \ FIXES - August 30, 2007

Secunia Advisory: SA26636
Release Date: 2007-08-30


Critical: Less critical
Impact: DoS

Where: From remote

Solution Status: Vendor Workaround


Software: Apache 2.0.x
Apache 2.2.x

Description:
A vulnerability has been reported in the Apache mod_proxy module, which can be exploited by malicious people to cause a DoS (Denial of Service).

The vulnerability is caused due to the improper handling of date headers within the "ap_proxy_date_canon()" function in proxy_util.c. This can be exploited to cause a DoS by sending specially crafted requests to the affected server.

Successful exploitation results in a crash if a threaded Multi-Processing Module is used on servers where a reverse or forward proxy is configured.

The vulnerability is reported in Apache 2.0.x versions 2.0.59 and prior, and Apache 2.2.x versions 2.2.4 and prior.

Solution:
The vulnerability is fixed in Apache 2.0.61-dev and Apache 2.2.6-dev.

Provided and/or discovered by:
Reported by the vendor.

Original Advisory:
http://httpd.apache.org/security/vulnerabilities_20.html
http://httpd.apache.org/security/vulnerabilities_22.html

SUSE update for opera

In reply to: VULNERABILITIES \ FIXES - August 30, 2007

Secunia Advisory: SA26635
Release Date: 2007-08-30


Critical: Highly critical
Impact: System access

Where: From remote

Solution Status: Vendor Patch


OS: openSUSE 10.2
SUSE Linux 10
SUSE Linux 10.1

Description:
SUSE has issued an update for opera. This fixes a vulnerability, which can potentially be exploited by malicious people to compromise a vulnerable system.

For more information:
SA26477

Solution:
Apply updated packages.

Original Advisory:
http://lists.opensuse.org/opensuse-security-announce/2007-08/msg00006.html

Other References:
SA26477:
http://secunia.com/advisories/26477/

eScan Multiple Products Insecure File Permissions

In reply to: VULNERABILITIES \ FIXES - August 30, 2007

Secunia Advisory: SA26581
Release Date: 2007-08-30


Critical: Less critical
Impact: Privilege escalation

Where: Local system

Solution Status: Unpatched


Software: eScan for Vista 9.x

Description:
Edi Strosar has discovered a security issue in multiple eScan products, which can be exploited by malicious, local users to gain escalated privileges.

The problem is caused due to insecure default file permissions being set on the installation directory. This can be exploited to gain escalated privileges by placing malicious files or replacing e.g. certain DLL files in the directory.

The security issue is confirmed in eScan Internet Security version 9.0.722.1, eScan Virus Control version 9.0.722.1, and eScan Anti-Virus 9.0.722.1. Other versions may also be affected.

Solution:
Grant only trusted users access to the affected system.

Provided and/or discovered by:
Edi Strosar, Team Intell

InterWorx-CP Multiple Cross-Site Scripting

In reply to: VULNERABILITIES \ FIXES - August 30, 2007

Secunia Advisory: SA26586
Release Date: 2007-08-30


Critical: Less critical
Impact: Cross Site Scripting

Where: From remote

Solution Status: Vendor Patch


Software: InterWorx-CP 3.x

Description:
Doz has reported some vulnerabilities in InterWorx-CP, which can be exploited by malicious people to conduct cross-site scripting attacks.

Input passed via the URL to multiple scripts, e.g. nodeworx/index.php and siteworx/index.php, is not properly sanitised before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user's browser session in context of an affected site.

NOTE: Reportedly, other scripts are also affected.

The vulnerabilities are reported in version 3.0.2. Prior versions may also be affected.

Solution:
Update to version 3.0.3.

Provided and/or discovered by:
Doz, Hackers Center Security Group.

Original Advisory:
InterWorx:
http://interworx.com/forums/showthread.php?t=2501

http://www.hackerscenter.com/archive/view.asp?id=27884

Doomsday Multiple Vulnerabilities

In reply to: VULNERABILITIES \ FIXES - August 30, 2007

Firebird Multiple Vulnerabilities

In reply to: VULNERABILITIES \ FIXES - August 30, 2007

TITLE:
Firebird Multiple Vulnerabilities

SECUNIA ADVISORY ID:
SA26615

VERIFY ADVISORY:
http://secunia.com/advisories/26615/

CRITICAL:
Less critical

IMPACT:
Unknown, DoS

WHERE:
From local network

SOFTWARE:
Firebird 1.x
http://secunia.com/product/1449/
Firebird 2.x
http://secunia.com/product/11516/

DESCRIPTION:
Some vulnerabilities have been reported in Firebird, where some have
unknown impact and others can be exploited by malicious users to
cause a DoS (Denial of Service).

1) An error exists in the processing of event registration requests.
This can potentially be exploited by a client application connected
via XNET to crash the Firebird server by registering several events
in parallel.

2) An error exists in the processing of network packets. This can
potentially be exploited to increase the CPU load to a high value and
consume large amounts of memory by sending large network packets
containing garbage data.

3) An unspecified error exists in the processing of Service API
calls. This can be exploited to cause a DoS on the affected Firebird
server.

4) An unspecified vulnerability with unknown impact exists in the
processing of "attach database" and "create database" commands when
the passed filename is larger than "MAX_PATH_LEN".

The vulnerabilities are reported in versions prior to 2.0.2.

SOLUTION:
Update to version 2.0.2.
http://www.firebirdsql.org/index.php?op=files&id=engine_202

PROVIDED AND/OR DISCOVERED BY:
Reported by the vendor.

ORIGINAL ADVISORY:
http://sourceforge.net/project/shownotes.php?release_id=535898
1) http://tracker.firebirdsql.org/browse/CORE-1403
2) http://tracker.firebirdsql.org/browse/CORE-1397

Ubuntu update for tcp-wrappers

In reply to: VULNERABILITIES \ FIXES - August 30, 2007

TITLE:
Ubuntu update for tcp-wrappers

SECUNIA ADVISORY ID:
SA26567

VERIFY ADVISORY:
http://secunia.com/advisories/26567/

CRITICAL:
Moderately critical

IMPACT:
Security Bypass

WHERE:
From remote

OPERATING SYSTEM:
Ubuntu Linux 7.04
http://secunia.com/product/14068/

DESCRIPTION:
Ubuntu has acknowledged a vulnerability in tcp-wrappers, which can be
exploited by malicious people to bypass certain security
restrictions.

The vulnerability is caused due to an error within the
"daemon_or_port_match()" function in host_access.c when handling
connections to services that have no server socket details specified
in the hosts.deny file. This can be exploited to connect to services
from locations which were intended to be blocked.

SOLUTION:
Apply updated packages.

ORIGINAL ADVISORY:
http://www.ubuntu.com/usn/usn-507-1

OTHER REFERENCES:
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=405342

Python tarfile Module Directory Traversal and Symlink Vulner

In reply to: VULNERABILITIES \ FIXES - August 30, 2007

TITLE:
Python tarfile Module Directory Traversal and Symlink Vulnerability

SECUNIA ADVISORY ID:
SA26623

VERIFY ADVISORY:
http://secunia.com/advisories/26623/

CRITICAL:
Less critical

IMPACT:
System access

WHERE:
From remote

SOFTWARE:
Python 2.5.x
http://secunia.com/product/14172/

DESCRIPTION:
Some vulnerabilities have been reported in the Python tarfile module,
which can be exploited by malicious people to compromise a vulnerable
system.

The vulnerabilities are caused due to input validation errors when
extracting tar archives. This can be exploited to extract files to
arbitrary locations outside the specified directory with the
permissions of the application using the tarfile module by using the
"../" directory traversal sequence or malicious symlinks in a
specially crafted tar archive.

The vulnerabilities are reported in Python 2.5. Other versions may
also be affected.

SOLUTION:
Do not extract untrusted tar archives.

PROVIDED AND/OR DISCOVERED BY:
Jan Matejek

ORIGINAL ADVISORY:
http://mail.python.org/pipermail/python-dev/2007-August/074290.html
http://bugs.python.org/issue1044

Pakupaku CMS File Upload and Local File Inclusion

In reply to: VULNERABILITIES \ FIXES - August 30, 2007

Secunia Advisory: SA26598
Release Date: 2007-08-30


Critical: Highly critical
Impact: Exposure of system information
Exposure of sensitive information
System access

Where: From remote

Solution Status: Unpatched


Software: Pakupaku CMS 0.x

Description:
GoLd_M has discovered two vulnerabilities in Pakupaku CMS, which can be exploited by malicious people to disclose sensitive information or to compromise a vulnerable system.

1) The index.php script fails to validate the extension of an uploaded file. This can be exploited to upload files with arbitrary extensions (e.g. ".php") and execute arbitrary PHP code on the server.

2) Input passed to the "page" parameter in index.php is not properly verified before being used to include files. This can be exploited to include arbitrary files from local resources.

Successful exploitation of this vulnerability with arbitrary file extensions requires that "magic_quotes_gpc" is disabled.

The vulnerabilities are confirmed in version 0.4. Other versions may also be affected.

Solution:
Edit the source code to ensure that input is properly verified. Implement whitelisting functionality that only lets people upload files with certain extensions.

Use another product.

Provided and/or discovered by:
GoLd_M a.k.a. Mahmood_ali

Original Advisory:
http://milw0rm.com/exploits/4341
