Spyware, Viruses, & Security forum


VULNERABILITIES \ FIXES - December 3, 2007

by Marianna Schmudlach / December 3, 2007 12:59 AM PST

Apache HTTP Method Request Entity Too Large Cross-Site Scripting

Secunia Advisory: SA27906
Release Date: 2007-12-03
Critical: Less critical
Impact: Cross Site Scripting
Where: From remote
Solution Status: Unpatched
Software: Apache 2.0.x, Apache 2.2.x

Description:
Adrian Pastor and Amir Azam have discovered a vulnerability in Apache, which can be exploited by malicious people to conduct cross-site scripting attacks.

Input passed via the HTTP method is not properly sanitised before being returned to the user when displaying a "413 Request Entity Too Large" error page. This can be exploited to execute arbitrary HTML and script code in a user's browser session in context of an affected site.

The vulnerability is confirmed in version 2.2.4 and reported in versions 2.0.46, 2.0.51, 2.0.55, 2.0.59, and 2.2.3. Other versions may also be affected.

NOTE: Exploiting the vulnerability might be dependent on the Flash player version installed on the target machine.

For more information:
SA21172

Solution:
Do not browse untrusted websites or follow untrusted links.

Provided and/or discovered by:
Adrian Pastor and Amir Azam, ProCheckUp

Original Advisory:
http://procheckup.com/Vulnerability_PR07-37.php

Other References:
SA21172:
http://secunia.com/advisories/21172/
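The defect described above is a reflected value (the request method) reaching an HTML error page unescaped. The following is an added illustration in Python, not Apache's code and not from the advisory: it shows the unescaped rendering beside the escaped one, plus a token check on the method itself. The page text and the sample method value are constructed for the example.

```python
import html
import re

# Constructed sample value for the HTTP method field; not taken from the advisory.
CONSTRUCTED_METHOD = "<script>alert(1)</script>"

# RFC 7230 "tchar": the only characters a syntactically valid HTTP method may
# contain. Note that '<', '>', '"' and '/' are all excluded.
TOKEN_RE = re.compile(r"^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$")


def is_valid_method_token(method: str) -> bool:
    """Reject anything that is not a valid HTTP method token."""
    return bool(TOKEN_RE.match(method))


def render_413_unescaped(method: str) -> str:
    """Vulnerable pattern: the request method is interpolated into the error
    page as-is, so any markup the client sent is interpreted by the browser."""
    return (
        "<h1>Request Entity Too Large</h1>\n"
        f"<p>The requested resource does not allow request data with {method} "
        "requests, or the amount of data provided exceeds the capacity limit.</p>"
    )


def render_413_escaped(method: str) -> str:
    """Hardened pattern: the value is HTML-escaped at the point of output, so
    it can only ever be displayed, never interpreted as markup."""
    safe = html.escape(method, quote=True)
    return (
        "<h1>Request Entity Too Large</h1>\n"
        f"<p>The requested resource does not allow request data with {safe} "
        "requests, or the amount of data provided exceeds the capacity limit.</p>"
    )


def contains_active_markup(page: str) -> bool:
    """Crude comparison check: does the rendered page still carry a raw
    <script> tag?"""
    return "<script" in page.lower()


def render_413(method: str) -> str:
    """Defence in depth: validate the token first, then escape on output."""
    if not is_valid_method_token(method):
        method = "(invalid method)"
    return render_413_escaped(method)
```

Escaping at output is the fix that actually closes the hole; the token check is an extra layer, since a server that never echoes a non-token method has nothing to escape in the first place.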

Typespeed Division By Zero Denial of Service
by Marianna Schmudlach / December 3, 2007 1:01 AM PST

Secunia Advisory: SA27905
Release Date: 2007-12-03
Critical: Moderately critical
Impact: DoS
Where: From remote
Solution Status: Vendor Patch
Software: Typespeed 0.x


Description:
A vulnerability has been reported in Typespeed, which can be exploited by malicious people to cause a DoS (Denial of Service).

The vulnerability is caused due to an error when handling certain packets, which can be exploited to cause a division by zero via a specially crafted packet.

The vulnerability is reported in versions prior to 0.6.4.

Solution:
Update to version 0.6.4.
http://tobias.eyedacor.org/typespeed/

Provided and/or discovered by:
Reported by the vendor.

Original Advisory:
http://tobias.eyedacor.org/typespeed/#News
http://tobias.eyedacor.org/typespeed/ChangeLog
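The advisory gives no protocol details, so the following added Python example uses a hypothetical two-field packet format of its own (not Typespeed's real protocol) to show the general pattern: a divisor that arrives off the wire is checked before any arithmetic, and a bad packet is dropped rather than allowed to crash the process. The sample packets are constructed.

```python
import struct
from typing import Optional, Tuple

# Hypothetical wire format for this example only: two unsigned 32-bit
# big-endian fields, characters typed and elapsed time in tenths of a second.
PACKET_FMT = "!II"
PACKET_LEN = struct.calcsize(PACKET_FMT)


class MalformedPacket(ValueError):
    """Raised for any packet that must be dropped rather than processed."""


def parse_speed_packet(payload: bytes) -> Tuple[int, int]:
    """Length and range checks happen here, before the values are used."""
    if len(payload) != PACKET_LEN:
        raise MalformedPacket(f"expected {PACKET_LEN} bytes, got {len(payload)}")
    chars, tenths = struct.unpack(PACKET_FMT, payload)
    # The divisor comes straight off the wire: reject zero before dividing.
    if tenths == 0:
        raise MalformedPacket("elapsed time is zero")
    return chars, tenths


def chars_per_second(payload: bytes) -> float:
    chars, tenths = parse_speed_packet(payload)
    return chars * 10 / tenths


def handle_packet(payload: bytes) -> Optional[float]:
    """Server-side handler: a malformed packet is logged and dropped, and the
    process keeps serving other peers instead of dying on a division error."""
    try:
        return chars_per_second(payload)
    except MalformedPacket as exc:
        print(f"dropping packet: {exc}")
        return None


# Constructed sample packets.
GOOD_PACKET = struct.pack(PACKET_FMT, 300, 600)   # 300 chars in 60.0 s -> 5.0 cps
ZERO_PACKET = struct.pack(PACKET_FMT, 300, 0)     # divisor of zero
SHORT_PACKET = b"\x00\x01"                        # truncated
```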

F5 FirePass 4100 SSL VPN Cross-Site Scripting Vulnerabilities
by Marianna Schmudlach / December 3, 2007 1:02 AM PST

Secunia Advisory: SA27904
Release Date: 2007-12-03
Critical: Less critical
Impact: Cross Site Scripting
Where: From remote
Solution Status: Partial Fix
OS: FirePass 5.x, FirePass 6.x

Description:
Some vulnerabilities have been reported in F5 FirePass 4100 SSL VPN, which can be exploited by malicious people to conduct cross-site scripting attacks.

Input passed via the URL to my.activation.php3 and my.logon.php3 is not properly sanitised before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user's browser session in context of an affected site.

The vulnerabilities are reported in FirePass versions 5.4.1 to 5.5.2 and FirePass versions 6.0 to 6.0.1.

Solution:
The vendor has issued cumulative hotfix HF-601-6 for version 6.0.1:
https://support.f5.com/kb/en-us/solutions/public/7000/900/SOL7923.html

Filter malicious characters and character sequences in a web proxy.

Provided and/or discovered by:
Adrian Pastor, Jan Fry, and Richard Brain of ProCheckUp Ltd.

Original Advisory:
F5:
https://support.f5.com/kb/en-us/solutions/public/7000/900/SOL7923.html

Procheckup Ltd:
http://www.procheckup.com/Vulnerability_PR07-14.php
http://www.procheckup.com/Vulnerability_PR07-15.php

Zabbix "UserParameter" Privilege Escalation Weakness
by Marianna Schmudlach / December 3, 2007 1:03 AM PST

Secunia Advisory: SA27903
Release Date: 2007-12-03
Critical: Not critical
Impact: Privilege escalation
Where: From local network
Solution Status: Unpatched
Software: ZABBIX 1.x

Description:
A weakness has been reported in Zabbix, which can be exploited by malicious users to perform certain actions with escalated privileges.

The weakness is caused due to the "daemon_start()" function in src/libs/zbxnix/daemon.c not correctly dropping the privileges. This can be exploited to e.g. execute "UserParameter" scripts as group "root".

This affects the agent for UNIX-like operating systems only.

The weakness is reported in version 1.4.2. Other versions may also be affected.

Solution:
Reportedly, this will be fixed in version 1.4.3.

Provided and/or discovered by:
Bas van Schaik

Original Advisory:
http://www.zabbix.com/forum/showthread.php?t=8400
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=452682
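The weakness above is a daemon that changes its user but keeps the group it started with. The following added Python example (not Zabbix's code, which is C) shows the order that actually drops everything, supplementary groups first, then the primary group, then the user, and a check afterwards that root cannot be regained. The RecordingSyscalls class is a simplified dry-run model of the kernel's rules so the order can be exercised without running as root; the uid/gid 65534 values are constructed.

```python
import os


class RecordingSyscalls:
    """Dry-run stand-in for the os module. It models the one rule that
    matters here: once the process has a non-zero uid it can no longer
    change its group or return to uid 0."""

    def __init__(self):
        self.calls = []
        self.uid = 0
        self.gid = 0
        self.groups = [0]

    def _require_root(self, name):
        if self.uid != 0:
            raise PermissionError(f"{name}: operation not permitted")

    def setgroups(self, groups):
        self._require_root("setgroups")
        self.calls.append(("setgroups", list(groups)))
        self.groups = list(groups)

    def setgid(self, gid):
        self._require_root("setgid")
        self.calls.append(("setgid", gid))
        self.gid = gid

    def setuid(self, uid):
        if self.uid != 0 and uid != self.uid:
            raise PermissionError("setuid: operation not permitted")
        self.calls.append(("setuid", uid))
        self.uid = uid

    def getuid(self):
        return self.uid

    def getgid(self):
        return self.gid

    def getgroups(self):
        return list(self.groups)


def verify_dropped(uid: int, gid: int, syscalls=os) -> bool:
    """Confirm the new identity and that root cannot be regained."""
    if syscalls.getuid() != uid or syscalls.getgid() != gid:
        raise RuntimeError("uid/gid not set as requested")
    if 0 in syscalls.getgroups():
        raise RuntimeError("group root still among supplementary groups")
    try:
        syscalls.setuid(0)
    except PermissionError:
        return True
    raise RuntimeError("privileges were not dropped: setuid(0) succeeded")


def drop_privileges(uid: int, gid: int, syscalls=os) -> bool:
    """Drop root to uid/gid in the only order that works: supplementary
    groups, then primary group, then user, and verify afterwards."""
    if syscalls.getuid() != 0:
        raise RuntimeError("not running as root, nothing to drop")
    syscalls.setgroups([gid])  # otherwise root's supplementary groups survive
    syscalls.setgid(gid)       # must happen BEFORE setuid()
    syscalls.setuid(uid)
    return verify_dropped(uid, gid, syscalls)


def wrong_order(uid: int, gid: int, syscalls) -> str:
    """The bug class in the advisory: the user is changed first, so the
    later group change is refused and the process keeps group root."""
    syscalls.setuid(uid)
    try:
        syscalls.setgid(gid)
    except PermissionError as exc:
        return f"group NOT dropped: {exc}"
    return "group dropped"
```

Passing the real os module (the default) performs the drop for real; the verification step is what a unit test or a startup self-check should run, since a daemon that silently keeps group root is exactly the condition the advisory describes.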

IBM Tivoli Netcool Security Manager Unspecified Cross-Site Scripting
by Marianna Schmudlach / December 3, 2007 1:04 AM PST

Secunia Advisory: SA27900
Release Date: 2007-12-03
Critical: Less critical
Impact: Cross Site Scripting
Where: From remote
Solution Status: Vendor Workaround
Software: IBM Tivoli Netcool Security Manager 1.x



Description:
A vulnerability has been reported in IBM Tivoli Netcool Security Manager, which can be exploited by malicious people to conduct cross-site scripting attacks.

Certain unspecified input is not properly sanitised before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user's browser session in context of an affected site.

The vulnerability reportedly affects version 1.3.0.

Solution:
Apply Interim Fix 2 (see vendor advisories for details).

Provided and/or discovered by:
Reported by the vendor.

Original Advisory:
IBM (IY95615):
http://www-1.ibm.com/support/docview.wss?uid=swg24017385
http://www-1.ibm.com/support/docview.wss?uid=swg24017633

Zsh difflog.pl Insecure Temporary Files
by Marianna Schmudlach / December 3, 2007 1:05 AM PST

Secunia Advisory: SA27899
Release Date: 2007-12-03
Critical: Less critical
Impact: Privilege escalation
Where: Local system
Solution Status: Unpatched
Software: Zsh 4.x



Description:
A security issue has been reported in Zsh, which can be exploited by malicious, local users to perform certain actions with escalated privileges.

The security issue is caused due to the Util/difflog.pl script using temporary files in an insecure manner. This can be exploited to overwrite or delete arbitrary files via symlink attacks.

The security issue is reported in version 4.3.4. Other versions may also be affected.

Solution:
Restrict local access to trusted users only.

Provided and/or discovered by:
Gentoo credits Elias Pipping.

Original Advisory:
https://bugs.gentoo.org/show_bug.cgi?id=201022

Claws Mail sylprint.pl Insecure Temporary Files
by Marianna Schmudlach / December 3, 2007 1:07 AM PST

Secunia Advisory: SA27897
Release Date: 2007-12-03
Critical: Less critical
Impact: Privilege escalation
Where: Local system
Solution Status: Unpatched
Software: Claws Mail 3.x



Description:
A security issue has been reported in Claws Mail, which can be exploited by malicious, local users to perform certain actions with escalated privileges.

The security issue is caused due to the sylprint.pl script using temporary files in an insecure manner. This can be exploited to overwrite or delete arbitrary files via symlink attacks.

The security issue is reported in version 3.1.0. Other versions may also be affected.

Solution:
Restrict local access to trusted users only.

Provided and/or discovered by:
Nico Golde, Debian

Original Advisory:
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=454089
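The Zsh difflog.pl and Claws Mail sylprint.pl issues above are the same bug class: a temporary file at a predictable name, opened in a way that follows a symlink placed there beforehand. The following added Python example (not from either project, whose scripts are Perl) shows the predictable-name pattern beside the two fixes, an exclusive open with O_EXCL/O_NOFOLLOW and tempfile.mkstemp, and checks in a scratch directory that a pre-placed symlink is refused and its target left untouched. The file names and contents are constructed.

```python
import errno
import os
import tempfile
from typing import Optional


def predictable_tmp_path(tag: str) -> str:
    """The risky pattern: a name any local user can predict. If it is later
    opened with a plain open(), a symlink placed there first redirects the write."""
    return os.path.join(tempfile.gettempdir(), f"{tag}.{os.getpid()}")


def open_exclusive(path: str) -> int:
    """Open for writing only if we create the file ourselves. O_EXCL makes
    open() fail when anything already exists at the path, a symlink included;
    O_NOFOLLOW additionally refuses to traverse a symlink at the final component."""
    flags = os.O_WRONLY | os.O_CREAT | os.O_EXCL
    flags |= getattr(os, "O_NOFOLLOW", 0)  # not available on every platform
    return os.open(path, flags, 0o600)


def write_scratch(data: bytes, directory: Optional[str] = None) -> str:
    """The simplest fix: let the library pick an unpredictable name and
    create it exclusively in one step, then write through the descriptor."""
    fd, path = tempfile.mkstemp(prefix="difflog.", dir=directory)
    with os.fdopen(fd, "wb") as fh:
        fh.write(data)
    return path


def symlink_attack_blocked(workdir: str) -> bool:
    """Constructed scenario: a symlink already sits at the scratch name and
    points at a file the victim owns. Returns True if the exclusive open
    refuses it and the target file is unchanged."""
    victim = os.path.join(workdir, "victim.txt")
    with open(victim, "wb") as fh:
        fh.write(b"original")
    link = os.path.join(workdir, "scratch.tmp")
    os.symlink(victim, link)  # what an attacker would have pre-placed

    try:
        fd = open_exclusive(link)
    except OSError as exc:
        # EEXIST from O_EXCL (or ELOOP from O_NOFOLLOW): the open was refused.
        if exc.errno not in (errno.EEXIST, errno.ELOOP):
            raise
    else:
        os.close(fd)
        return False  # the write would have gone through the symlink

    with open(victim, "rb") as fh:
        return fh.read() == b"original"


def run_demo() -> bool:
    """Exercise both defences inside a throwaway directory."""
    with tempfile.TemporaryDirectory() as workdir:
        blocked = symlink_attack_blocked(workdir)
        path = write_scratch(b"report", directory=workdir)
        return blocked and os.path.isfile(path) and not os.path.islink(path)
```

The exclusive open is the property that matters: whether the name is predictable or not, the program only ever writes to a file it created itself in that same call.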

Slackware update for rsync
by Marianna Schmudlach / December 3, 2007 1:08 AM PST

Secunia Advisory: SA27896
Release Date: 2007-12-03
Critical: Moderately critical
Impact: Security Bypass, DoS, System access
Where: From remote
Solution Status: Vendor Patch
OS: Slackware Linux 10.0, Slackware Linux 11.0, Slackware Linux 8.x, Slackware Linux 9.0, Slackware Linux 9.1



Description:
Slackware has issued an update for rsync. This fixes some vulnerabilities, which can be exploited by malicious people to bypass certain security restrictions or potentially compromise a vulnerable system.

For more information:
SA26493
SA27863

Solution:
Apply updated packages.

Original Advisory:
http://slackware.com/security/viewer....=2007&m=slackware-security.481089

Other References:
SA26493:
http://secunia.com/advisories/26493/

SA27863:
http://secunia.com/advisories/27863/

tellmatic "tm_includepath" File Inclusion Vulnerabilities
by Marianna Schmudlach / December 3, 2007 1:09 AM PST

Secunia Advisory: SA27895
Release Date: 2007-12-03
Critical: Highly critical
Impact: System access
Where: From remote
Solution Status: Unpatched
Software: tellmatic 1.x

Description:
ShAy6oOoN has discovered some vulnerabilities in tellmatic, which can be exploited by malicious people to compromise a vulnerable system.

Input passed to the parameter "tm_includepath" in include/Classes.inc.php, include/statistic.inc.php, include/status.inc.php, include/status_top_x.inc.php, and include/libchart-1.1/libcharinclude/libchart-1.1/libchart.phpt.php is not properly verified before being used to include files. This can be exploited to include arbitrary files from local or remote resources.

Successful exploitation requires that "register_globals" is enabled.

The vulnerabilities are reported in version 1.0.7 and confirmed in 1.0.7.1. Other versions may also be affected.

Solution:
Edit the source code to ensure that input is properly verified.

Provided and/or discovered by:
ShAy6oOoN

Original Advisory:
http://milw0rm.com/exploits/4684

Debian update for asterisk
by Marianna Schmudlach / December 3, 2007 1:11 AM PST

Secunia Advisory: SA27892
Release Date: 2007-12-03
Critical: Less critical
Impact: Manipulation of data
Where: From remote
Solution Status: Vendor Patch
OS: Debian GNU/Linux 3.1, Debian GNU/Linux 4.0

Description:
Debian has issued an update for asterisk. This fixes a vulnerability, which can be exploited by malicious users to conduct SQL injection attacks.

For more information:
SA27827

Solution:
Apply updated packages.

Note: Updated packages for Debian GNU/Linux 4.0 alias etch for the ia64 architecture will reportedly be available later.


Original Advisory:
http://lists.debian.org/debian-securi...-security-announce-2007/msg00199.html

Other References:
SA27827:
http://secunia.com/advisories/27827/

Debian update for cacti
by Marianna Schmudlach / December 3, 2007 1:12 AM PST

Secunia Advisory: SA27891
Release Date: 2007-12-03
Critical: Moderately critical
Impact: Manipulation of data
Where: From remote
Solution Status: Vendor Patch
OS: Debian GNU/Linux 3.1, Debian GNU/Linux 4.0, Debian GNU/Linux unstable alias sid

Description:
Debian has issued an update for cacti. This fixes a vulnerability, which can be exploited by malicious people to conduct SQL injection attacks.

For more information:
SA27719

Solution:
Apply updated packages.

Original Advisory:
http://lists.debian.org/debian-securi...-security-announce-2007/msg00198.html

Other References:
SA27719:
http://secunia.com/advisories/27719/

VLC Media Player ActiveX Plugin and FLAC Vulnerabilities
by Marianna Schmudlach / December 3, 2007 1:13 AM PST

Secunia Advisory: SA27878
Release Date: 2007-12-03
Critical: Highly critical
Impact: DoS, System access
Where: From remote
Solution Status: Vendor Patch
Software: VLC media player 0.x

Description:
Some vulnerabilities have been reported in VLC Media Player, which potentially can be exploited by malicious people to compromise a user's system.

1) An error within the ActiveX plugin of VLC Media Player can be exploited to overwrite certain memory zones and execute arbitrary code when a user e.g. visits a malicious website.

Note: This affects the Windows versions only.

2) Some vulnerabilities are caused due to the use of a vulnerable version of the FLAC library, which contains multiple integer overflows.

For more information:
SA27210

Note: This may affect the Windows and Mac OS X binaries only.

Solution:
Update to version 0.8.6d.
http://www.videolan.org/vlc/

Provided and/or discovered by:
1) The vendor credits Ricardo Narvaja (Ricnar), Core Security Technologies.
2) Originally reported in FLAC by Sean de Regge via iDefense Labs and Greg Linares, eEye Digital Security.

Original Advisory:
http://www.videolan.org/sa0703.html
http://www.videolan.org/developers/vlc/NEWS

Other References:
SA27210:
http://secunia.com/advisories/27210/

Solaris 10 Linux Branded Zones Denial of Service
by Marianna Schmudlach / December 3, 2007 1:14 AM PST

Secunia Advisory: SA27877
Release Date: 2007-12-03
Critical: Not critical
Impact: DoS
Where: Local system
Solution Status: Vendor Patch
OS: Sun Solaris 10


Description:
A vulnerability has been reported in Solaris 10, which can be exploited by malicious, local users to cause a DoS (Denial of Service).

The vulnerability is caused due to an unspecified error when using Linux branded zones and can be exploited to cause a system panic.

The vulnerability is reported on Solaris 10 x86 systems running in 64bit mode.

Solution:
Solaris 10:
Apply patch 127112-04 or later.

Provided and/or discovered by:
Reported by the vendor.

Original Advisory:
http://sunsolve.sun.com/search/document.do?assetkey=1-26-103153-1

p.mapper "_SESSION[PM_INCPHP]" File Inclusion
by Marianna Schmudlach / December 3, 2007 1:16 AM PST

Secunia Advisory: SA27876
Release Date: 2007-12-03
Critical: Highly critical
Impact: Exposure of system information, Exposure of sensitive information, System access
Where: From remote
Solution Status: Unpatched
Software: p.mapper 3.x

Description:
ShAy6oOoN has reported a vulnerability in p.mapper, which can be exploited by malicious people to disclose sensitive information or to compromise a vulnerable system.

Input passed to the "_SESSION[PM_INCPHP]" parameter in incphp/globals.php is not properly verified before being used to include files. This can be exploited to include arbitrary files from local or external resources.

Successful exploitation requires that "register_globals" is enabled.

The vulnerability is reported in version 3.1.1. Other versions may also be affected.

Solution:
Edit the source code to ensure that input is properly verified.

Provided and/or discovered by:
ShAy6oOoN

Original Advisory:
http://packetstormsecurity.org/0711-exploits/pmapper-rfi.txt
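The tellmatic "tm_includepath" and p.mapper "_SESSION[PM_INCPHP]" issues above share one root cause: a variable that should be set by the application is instead taken from the request (via register_globals) and then passed straight to an include. The following added Python example (not from either project, which are PHP) shows the two-layer fix both advisories' "ensure that input is properly verified" amounts to: the request may only choose a key from an allow-list, and the resolved path is then checked to lie inside the include directory. The map entries, directory name and the deliberately bad "broken_entry" are constructed for the example.

```python
import os
from typing import Dict

# Allow-list mapping a request-supplied *key* to a file under the include
# directory. The key is the only thing the client influences; the path itself
# never comes from the request, so register_globals has nothing to inject.
INCLUDE_MAP: Dict[str, str] = {
    "statistic": "statistic.inc.php",
    "status": "status.inc.php",
    "status_top_x": "status_top_x.inc.php",
    # Deliberately wrong entry, present only to show the containment check
    # below catching a mistake in the map itself.
    "broken_entry": "../../etc/passwd",
}


class IncludeRejected(ValueError):
    """Raised for any include request that must not be honoured."""


def resolve_include(include_dir: str, key: str) -> str:
    """Layer 1: the key must be in the allow-list. Layer 2: the resolved
    path must still be under include_dir after symlinks and '..' are
    collapsed, which guards against a bad map entry or a stray symlink."""
    try:
        rel = INCLUDE_MAP[key]
    except KeyError:
        raise IncludeRejected(f"unknown include key {key!r}") from None
    base = os.path.realpath(include_dir)
    candidate = os.path.realpath(os.path.join(base, rel))
    if os.path.commonpath([base, candidate]) != base:
        raise IncludeRejected(f"{key!r} resolves outside the include directory")
    return candidate


def include_allowed(include_dir: str, key: str) -> bool:
    """Boolean wrapper around resolve_include for callers that only need a verdict."""
    try:
        resolve_include(include_dir, key)
        return True
    except IncludeRejected:
        return False


def is_safe_include_value(value: str) -> bool:
    """Screen for a raw path of the kind the vulnerable code accepted from the
    request: no URL/stream wrappers, no absolute path, no '..' segments.
    This is a secondary check; the allow-list above is the real control."""
    if "://" in value or value.startswith(("/", "\\")):
        return False
    parts = value.replace("\\", "/").split("/")
    return ".." not in parts and all(parts)
```

The wrapper check rejects both remote includes (anything with a scheme, including php:// stream wrappers) and local traversal, but on its own it is still a deny-list; the allow-list keyed lookup is what makes the include path independent of request data.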

CRM-CTT "CheckCustomerAccess()" Security Bypass
by Marianna Schmudlach / December 3, 2007 1:17 AM PST

Secunia Advisory: SA27874
Release Date: 2007-12-03
Critical: Less critical
Impact: Security Bypass
Where: From remote
Solution Status: Vendor Patch
Software: CRM-CTT 4.x

Description:
A security issue has been reported in CRM-CTT, which can be exploited by malicious users to bypass certain security restrictions.

The security issue is caused due to the "CheckCustomerAccess()" function in functions.php improperly checking if a user has full rights to edit another user. This can be exploited by malicious "LIMITTOCUSTOMERS" users to edit the settings of any non-active user.

The security issue is reported in CRM-CTT versions prior to CRM-CTT Interleave 4.2.0.

Solution:
Update to CRM-CTT Interleave 4.2.0.
http://sourceforge.net/project/showfi...ackage_id=57399&release_id=558602

Provided and/or discovered by:
Reported by the vendor.

Original Advisory:
http://sourceforge.net/project/showfi...ackage_id=57399&release_id=558602

rPath update for nss_ldap
by Marianna Schmudlach / December 3, 2007 1:18 AM PST

Secunia Advisory: SA27839
Release Date: 2007-12-03
Critical: Less critical
Impact: Manipulation of data
Where: From remote
Solution Status: Vendor Patch
OS: rPath Linux 1.x

Description:
rPath has issued an update for nss_ldap. This fixes a security issue, which can be exploited by malicious people to manipulate certain data.

For more information:
SA27670

Solution:
Update to:
nss_ldap=conary.rpath.com@rpl:1/239-9.2-1

Original Advisory:
http://wiki.rpath.com/wiki/Advisories:rPSA-2007-0255

Other References:
SA27670:
http://secunia.com/advisories/27670/

Ascential DataStage Multiple Security Issues
by Marianna Schmudlach / December 3, 2007 1:19 AM PST

Secunia Advisory: SA26801
Release Date: 2007-12-03
Critical: Less critical
Impact: Manipulation of data, Exposure of system information, Exposure of sensitive information
Where: From remote
Solution Status: Partial Fix
Software: Ascential DataStage

Description:
Ryan NA has reported some security issues in Ascential DataStage, which can be exploited by malicious, local users to disclose sensitive information and to manipulate certain data, and by malicious users to disclose sensitive information.

1) The dsjob parameters are specified on the command line, which can be exploited e.g. to disclose passwords.

2) Insecure file permissions under the installation directory and the project directory can be exploited to manipulate certain files.

3) Additional logging output options include passwords within the log files.

The security issues are reported in version 7.5. Other versions may also be affected.

Solution:
Patches that fix security issue #3 are reportedly available from the vendor.

Grant only trusted users access to affected systems.

Provided and/or discovered by:
Ryan NA

Citrix NetScaler Web Management Cookie Weakness
by Marianna Schmudlach / December 3, 2007 1:21 AM PST

Summary
For most web application logins a user fills out an HTTP form, which sets up the user with a session cookie. The cookie content is merely a session ID, which allows the server-side application to match incoming requests to a specific user and session. If the cookie gets compromised, such as using XSS, the attacker might be able to impersonate the user for the duration of the session but it typically does not allow the attacker to obtain the user's login credentials.

A weakness in Citrix's NetScaler allows attacks that can gain access to the cookie used for authentication against the product to retrieve the plaintext information stored by it by using a chosen plaintext attack.

Credit:
The information has been provided by nnposter.

http://www.securiteam.com/windowsntfocus/6K0070KKKS.html

27Mhz Wireless Keyboard Analysis Report aka "We Know What You Typed Last Summer"
by Marianna Schmudlach / December 3, 2007 1:22 AM PST

Summary
Using just a simple radio receiver, a soundcard and suitable software, the remote-exploit.org members Max Moser & Philipp Schroedel have managed to tap and decode the radio frequencies transmitted between the keyboard and PC/notebook computer.

Credit:
The information has been provided by Max Moser.
The original article can be found at: http://www.remote-exploit.org/Press_Release_Dreamlab_Technologies_Wireless_Keyboard.pdf

http://www.securiteam.com/securityreviews/6G0030KKKI.html

Web pages infect PCs via Apple QuickTime vulnerability
by Marianna Schmudlach / December 3, 2007 1:24 AM PST

Report of 03.12.2007

The vulnerability in Apple's QuickTime media player reported last week is apparently already actively being exploited by the first web pages to infect visitors' Windows PCs with malware. Attackers can cause a buffer overflow and inject malicious code into vulnerable systems by sending crafted content type headers in RTSP datastreams. Users of Apple's iTunes multimedia software are also affected, as a current version of QuickTime is installed as part of the iTunes installation.

More: http://www.heise-security.co.uk/news/99918

Vulnerability in FIPS OpenSSL module
by Marianna Schmudlach / December 3, 2007 1:25 AM PST

The developers of OpenSSL have published a security advisory pointing out a coding error in FIPS Object Module v1.1.1. Due to this error in the FIPS self-test there is no auto-seeding. This could, for example, result in the seed of the last self-test being used for creating subsequent pseudorandom numbers, making the generated random numbers more predictable than they should be.

More: http://www.heise-security.co.uk/news/99915

Microsoft says Internet Explorer more secure than Firefox
by Marianna Schmudlach / December 3, 2007 1:26 AM PST

Jeff Jones, Security Strategy Director at Microsoft's Trustworthy Computing Group, is fond of comparing his company's products with others. Following his recent report putting Windows Vista ahead of Linux and Mac OS X for security, he has now placed Internet Explorer ahead of the open source Firefox browser in a long-term comparative study. Here too the result is no great surprise - according to his analysis, fewer security vulnerabilities needed fixing in Internet Explorer than in the competition.

More: http://www.heise-security.co.uk/news/99955

Xunlei X-ploit X-amined
by Marianna Schmudlach / December 3, 2007 1:29 AM PST

December 3rd, 2007 by Justine Paredes
There have been reports of a vulnerability in XunleiThunder PPlayer's ActiveX control, a component of the Chinese software Xunlei Thunder 5.7.4 40.

TrendLabs Researcher Jonell Baltazar reveals that the talked-about vulnerability in Xunlei Thunder is in the file pplayer.dll (version 1.2.3.49) included in the Thunder 5.x software package, specifically in the "FlvPlayerUrl" method, where passing a specially crafted string can cause an overflow within the program and can lead to code execution.

This vulnerability is also being actively exploited. It is included in one of the malicious Web pages as a result of the iFrames found while visiting gameige.com. The related blog entry can be found here.

More: http://blog.trendmicro.com/
