
VULNERABILITIES \ FIXES - January 2, 2009

Jan 1, 2009 11:48PM PST

FlexPHPic SQL Injection Vulnerabilities

Release Date: 2009-01-02

Critical:
Moderately critical
Impact: Security Bypass
Manipulation of data

Where: From remote
Solution Status: Unpatched


Software: FlexPHPic 0.x

Description:
S.W.A.T. has discovered some vulnerabilities in FlexPHPic, which can be exploited by malicious people to conduct SQL injection attacks.

Input passed to the "checkuser" and "checkpass" parameters in admin/index.php is not properly sanitised before being used in SQL queries. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code.

Successful exploitation allows bypassing the authentication mechanism, but requires that "magic_quotes_gpc" is disabled.

The vulnerabilities are confirmed in FlexPHPic 0.0.4 (English version) and FlexPHPic Pro 0.0.3 (English version). Other versions may also be affected.

Solution:
Edit the source code to ensure that input is properly sanitised.

Provided and/or discovered by:
S.W.A.T.

Original Advisory:
http://www.milw0rm.com/exploits/7624

CMScout Multiple Vulnerabilities
Jan 1, 2009 11:49PM PST

Release Date: 2009-01-02

Critical:
Highly critical
Impact: Manipulation of data
System access

Where: From remote
Solution Status: Vendor Patch


Software: CMScout 2.x

Description:
SirGod has discovered some vulnerabilities in CMScout, which can be exploited by malicious people and malicious users to conduct SQL injection attacks, and by malicious people to compromise a vulnerable system.

Solution:
Update to version 2.07.

Provided and/or discovered by:
SirGod

Original Advisory:
http://www.milw0rm.com/exploits/7625

Vacation Script "editid1" SQL Injection Vulnerability
Jan 1, 2009 11:50PM PST

Release Date: 2009-01-02

Critical:
Moderately critical
Impact: Manipulation of data

Where: From remote
Solution Status: Unpatched


Software: Vacation Script

Description:
x0r has reported a vulnerability in Vacation Script, which can be exploited by malicious people to conduct SQL injection attacks.

Input passed to the "editid1" parameter in properties_view.php is not properly sanitised before being used in an SQL query. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code.

Solution:
Edit the source code to ensure that input is properly sanitised.

Provided and/or discovered by:
x0r

Original Advisory:
http://www.milw0rm.com/exploits/7626

Pixel8 Web Photo Album "AlbumID" SQL Injection Vulnerability
Jan 1, 2009 11:53PM PST

Release Date: 2009-01-02

Critical:
Moderately critical
Impact: Manipulation of data

Where: From remote
Solution Status: Unpatched


Software: Pixel8 Web Photo Album 3.x

Description:
AlpHaNiX has reported a vulnerability in Pixel8 Web Photo Album, which can be exploited by malicious people to conduct SQL injection attacks.

Input passed to the "AlbumID" parameter in Photo.asp is not properly sanitised before being used in SQL queries. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code.

This vulnerability is reported in version 3.0. Other versions may also be affected.

Solution:
Edit the source code to ensure that input is properly sanitised.

Provided and/or discovered by:
AlpHaNiX

Original Advisory:
http://www.milw0rm.com/exploits/7627

2Capsule's Sticker Extreme Edition "id" SQL Injection Vulnerability
Jan 1, 2009 11:54PM PST

Release Date: 2009-01-02

Critical:
Moderately critical
Impact: Manipulation of data

Where: From remote
Solution Status: Unpatched


Software: 2Capsule's Sticker Extreme Edition 4.x

Description:
A vulnerability has been discovered in 2Capsule's Sticker Extreme Edition, which can be exploited by malicious people to conduct SQL injection attacks.

Input passed to the "id" parameter in sticker.php is not properly sanitised before being used in SQL queries. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code.

Successful exploitation may require that "magic_quotes_gpc" is disabled.

Solution:
Edit the source code to ensure that input is properly sanitised.

Provided and/or discovered by:
Zenith

Original Advisory:
http://www.milw0rm.com/exploits/7631

Memberkit Arbitrary File Upload Vulnerability
Jan 1, 2009 11:55PM PST

Release Date: 2009-01-02

Critical:
Moderately critical
Impact: System access

Where: From remote
Solution Status: Unpatched


Software: Memberkit 1.x

Description:
Lo$er has reported a vulnerability in Memberkit, which can be exploited by malicious users to compromise a vulnerable system.

The vulnerability is caused due to the application allowing the upload of files with arbitrary extensions to a folder inside the webroot. This can be exploited to execute arbitrary PHP code by uploading a PHP file through the "My Picture Album" section.

The vulnerability is reported in version 1.0. Other versions may also be affected.

Solution:
Restrict access to trusted users only.

Provided and/or discovered by:
Lo$er

Original Advisory:
http://www.milw0rm.com/exploits/7638
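A server-side admission check for the upload defect described above, as an added example that is not Memberkit code: a file is accepted only if its extension is on an image allowlist and its leading bytes match that type, and it is stored under a server-chosen name. The size limit, the type table and the album-picture setting are assumptions.

```python
import os
import secrets

# Allowlisted picture types: extension -> bytes a genuine file starts with.
ALLOWED = {
    "jpg": b"\xff\xd8\xff",
    "jpeg": b"\xff\xd8\xff",
    "png": b"\x89PNG\r\n\x1a\n",
    "gif": b"GIF8",
}
MAX_BYTES = 2 * 1024 * 1024  # assumed size limit for an album picture


class UploadRejected(ValueError):
    pass


def validate_upload(client_name: str, data: bytes) -> str:
    """Return a server-chosen filename for the upload, or raise UploadRejected.

    The client's name is consulted only for its extension; path parts, extra
    dots and case are discarded. Store the result in a directory the web
    server does not execute scripts from, and serve it back through the app."""
    if len(data) > MAX_BYTES:
        raise UploadRejected("too large")
    base = os.path.basename(client_name.replace("\\", "/"))
    ext = base.rsplit(".", 1)[-1].lower() if "." in base else ""
    if ext not in ALLOWED:
        raise UploadRejected(f"extension not allowed: {ext!r}")
    # The extension alone is not trusted: the bytes must match the claimed
    # type, so a script saved under an image name is refused as well.
    if not data.startswith(ALLOWED[ext]):
        raise UploadRejected("content does not match extension")
    # Random name with exactly one extension: the client has no influence on
    # the stored path, and 'name.php.jpg'-style double extensions (which some
    # web server handler configurations would still execute) cannot occur.
    return f"{secrets.token_hex(16)}.{ext}"


def check_upload(client_name: str, data: bytes) -> tuple:
    """Convenience wrapper: (accepted, stored name or rejection reason)."""
    try:
        return True, validate_upload(client_name, data)
    except UploadRejected as exc:
        return False, str(exc)
```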

PHPFootball SQL Injection and Cross-Site Scripting Vulnerabilities
Jan 1, 2009 11:56PM PST

Release Date: 2009-01-02

Critical:
Moderately critical
Impact: Security Bypass
Cross Site Scripting
Manipulation of data
Exposure of sensitive information

Where: From remote
Solution Status: Unpatched


Software: PHPFootball 1.x

Description:
Some vulnerabilities have been discovered in PHPFootball, which can be exploited by malicious people to conduct SQL injection and cross-site scripting attacks.

Solution:
Edit the source code to ensure that input is properly sanitised.

Provided and/or discovered by:
1) KinG-LioN
2-4) Reported by an anonymous person

Original Advisory:
http://www.milw0rm.com/exploits/7636

eggBlog Cross-Site Request Forgery Vulnerability
Jan 1, 2009 11:57PM PST

Release Date: 2009-01-02

Critical:
Less critical
Impact: Cross Site Scripting

Where: From remote
Solution Status: Unpatched


Software: eggblog 3.x
eggBlog 4.x

Description:
x0r has discovered a vulnerability in eggBlog, which can be exploited by malicious people to conduct cross-site request forgery attacks.

The application allows users to perform certain actions via HTTP requests without performing any validity checks to verify the requests. This can be exploited to e.g. change the administrator's password by tricking the user into visiting a malicious web site.

The vulnerability is confirmed in version 4.1.0 and reported in version 3.1.10. Other versions may also be affected.

Solution:
Do not visit untrusted websites or follow untrusted links while logged on to the application.

Provided and/or discovered by:
x0r

Original Advisory:
http://www.milw0rm.com/exploits/7633
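The request validity check the advisory says eggBlog lacks, as an added example that is not eggBlog code: an unguessable per-session token embedded in the application's own forms and required back on every state-changing POST such as a password change. The session layout, field names and handler shape are assumptions.

```python
import hmac
import secrets

TOKEN_FIELD = "csrf_token"   # assumed hidden form field name


def new_session() -> dict:
    """Constructed stand-in for a server-side session: the token is created
    once per session and is unguessable."""
    return {"user": "admin", "password": "old",
            TOKEN_FIELD: secrets.token_urlsafe(32)}


def render_password_form(session: dict) -> str:
    """The application's own page carries the token as a hidden field. A page
    on another site cannot read it (same-origin policy), so a forged request
    cannot supply it."""
    return (f'<form method="post" action="/admin/password">'
            f'<input type="hidden" name="{TOKEN_FIELD}" '
            f'value="{session[TOKEN_FIELD]}">'
            f'<input type="password" name="new_password"></form>')


def change_password(session: dict, method: str, form: dict) -> bool:
    """State-changing handler: only POST, and only with this session's token.
    Returns True when the change was applied."""
    if method != "POST":
        return False  # a link the user is tricked into following is a GET
    supplied = form.get(TOKEN_FIELD, "")
    # Constant-time comparison so the token cannot be recovered by timing.
    if not hmac.compare_digest(supplied.encode(), session[TOKEN_FIELD].encode()):
        return False
    new = form.get("new_password", "")
    if not new:
        return False
    session["password"] = new
    return True
```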

w3blabor CMS "benutzername" SQL Injection Vulnerability
Jan 1, 2009 11:58PM PST

Release Date: 2009-01-02

Critical:
Moderately critical
Impact: Manipulation of data

Where: From remote
Solution Status: Vendor Patch


Software: w3blabor CMS 3.x

Description:
DNX has discovered a vulnerability in w3blabor CMS, which can be exploited by malicious people to conduct SQL injection attacks.

Input passed to the "benutzername" parameter in admin/index.php (when "action" is set to "login") is not properly sanitised before being used in SQL queries. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code.

Successful exploitation of this vulnerability requires that "magic_quotes_gpc" is disabled.

This vulnerability affects versions prior to 3.4.0.

Solution:
Update to version 3.4.0.

Provided and/or discovered by:
DNX

Original Advisory:
DNX:
http://www.milw0rm.com/exploits/7640

w3blaborCMS:
http://forum.w3blaborcms.de/viewtopic.php?f=5&t=235

PowerNews "newsid" SQL Injection Vulnerability
Jan 1, 2009 11:59PM PST

Release Date: 2009-01-02

Critical:
Moderately critical
Impact: Manipulation of data

Where: From remote
Solution Status: Unpatched


Software: PowerNews 2.x

Description:
Virangar Security has discovered a vulnerability in PowerNews, which can be exploited by malicious people to conduct SQL injection attacks.

Input passed via the "newsid" parameter in news.php is not properly sanitised before being used in SQL queries. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code.

Successful exploitation of this vulnerability requires that "magic_quotes_gpc" is disabled.

This vulnerability is confirmed in version 2.5.4. Other versions may also be affected.

Solution:
Edit the source code to ensure that input is properly sanitised.

Provided and/or discovered by:
Virangar Security

Original Advisory:
http://www.milw0rm.com/exploits/7641

PowerClan "loginemail" SQL Injection Vulnerability
Jan 2, 2009 12:00AM PST

Release Date: 2009-01-02

Critical:
Moderately critical
Impact: Security Bypass
Manipulation of data

Where: From remote
Solution Status: Unpatched


Software: PowerClan 1.x

Description:
Virangar Security has discovered a vulnerability in PowerClan, which can be exploited by malicious people to conduct SQL injection attacks.

Input passed to the "loginemail" parameter in admin/index.php (when "login" is set to "YES") is not properly sanitised before being used in SQL queries. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code.

This vulnerability is confirmed in version 1.14a. Other versions may also be affected.

Solution:
Edit the source code to ensure that input is properly sanitised.

Provided and/or discovered by:
Virangar Security

Original Advisory:
http://www.milw0rm.com/exploits/7642
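Why "magic_quotes_gpc" keeps appearing as a precondition in the SQL injection advisories above (FlexPHPic, w3blabor, PowerNews, PowerClan), as an added example that is not code from any of those projects: quote-escaping of that kind only acts on values that land inside a quoted string literal, so a numeric parameter such as PowerNews' "newsid" stays injectable, and parameterised queries are the fix for both cases. SQLite stands in for MySQL, so the emulated escaping doubles quotes instead of backslashing them; tables and rows are constructed.

```python
import sqlite3

def escape_literal(value: str) -> str:
    """Quote-escaping in the spirit of PHP's magic_quotes_gpc (SQLite form:
    double the quote). It only acts where the value lands inside '...'."""
    return value.replace("'", "''")

def make_db() -> sqlite3.Connection:
    """Constructed stand-in for the affected applications' tables."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE users(name TEXT, pass TEXT);
        INSERT INTO users VALUES ('admin', 's3cret');
        CREATE TABLE news(newsid INTEGER, title TEXT);
        INSERT INTO news VALUES (1, 'public post');
        INSERT INTO news VALUES (2, 'unpublished draft');
    """)
    return conn

def login_concat(conn, user: str, password: str, escape: bool = False) -> bool:
    """The advisories' pattern: request values pasted into the query text.
    escape=True models a server with magic_quotes_gpc enabled."""
    if escape:
        user, password = escape_literal(user), escape_literal(password)
    sql = f"SELECT name FROM users WHERE name='{user}' AND pass='{password}'"
    return conn.execute(sql).fetchone() is not None

def news_concat(conn, newsid: str, escape: bool = False) -> list:
    """Same defect on a numeric parameter: the query has no quotes around the
    value, so quote-escaping is a no-op and the injection works either way."""
    if escape:
        newsid = escape_literal(newsid)
    sql = f"SELECT title FROM news WHERE newsid={newsid} ORDER BY newsid"
    return [row[0] for row in conn.execute(sql)]

def login_safe(conn, user: str, password: str) -> bool:
    """Fix: bind values as parameters, so they never reach the SQL parser as
    syntax. (Password hashing omitted; the query shape is the point here.)"""
    row = conn.execute("SELECT name FROM users WHERE name=? AND pass=?",
                       (user, password)).fetchone()
    return row is not None

def news_safe(conn, newsid: str) -> list:
    """Fix for the numeric case: validate the type first, then bind."""
    try:
        nid = int(newsid)
    except ValueError:
        return []  # not a number: refuse rather than guess
    return [row[0] for row in conn.execute(
        "SELECT title FROM news WHERE newsid=? ORDER BY newsid", (nid,))]
```

magic_quotes_gpc was deprecated in PHP 5.3 and removed in PHP 5.4, so even where it once masked the string case it is not a mitigation to rely on.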

Audacity "String_parse::get_nonspace_quoted()" Buffer Overflow
Jan 2, 2009 12:01AM PST

Release Date: 2009-01-02

Critical:
Moderately critical
Impact: System access

Where: From remote
Solution Status: Unpatched


Software: Audacity 1.x

Description:
A vulnerability has been discovered in Audacity, which can be exploited by malicious people to compromise a user's system.

The vulnerability is caused due to a boundary error within the "String_parse::get_nonspace_quoted()" function in lib-src/allegro/strparse.cpp. This can be exploited to cause a stack-based buffer overflow by e.g. tricking a user into importing a specially crafted *.gro file.

The vulnerability is confirmed in version 1.2.6. Other versions may also be affected.

Solution:
Do not import untrusted *.gro files.

Provided and/or discovered by:
Houssamix

Original Advisory:
http://www.milw0rm.com/exploits/7634

Elecard MPEG Player M3U Buffer Overflow Vulnerability
Jan 2, 2009 12:02AM PST

Release Date: 2009-01-02

Critical:
Moderately critical
Impact: System access

Where: From remote
Solution Status: Unpatched


Software: Elecard MPEG Player 5.x

Description:
aBo MoHaMeD has discovered a vulnerability in Elecard MPEG Player, which can be exploited by malicious people to compromise a user's system.

The vulnerability is caused due to a boundary error when processing M3U files and can be exploited to cause a stack-based buffer overflow via an overly long M3U entry.

Successful exploitation allows execution of arbitrary code, but requires that the user is tricked into loading a malicious M3U file.

The vulnerability is confirmed in version 5.5 build 15884.081218. Other versions may also be affected.

Solution:
Do not load untrusted M3U files in Elecard MPEG Player.

Provided and/or discovered by:
aBo MoHaMeD

Original Advisory:
http://www.milw0rm.com/exploits/7637

Megacubo URI Handling PHP Code Injection Vulnerability
Jan 2, 2009 12:03AM PST

Release Date: 2009-01-02

Critical:
Highly critical
Impact: System access

Where: From remote
Solution Status: Unpatched


Software: Megacubo 5.x

Description:
pyrokinesis has discovered a vulnerability in Megacubo, which can be exploited by malicious people to compromise a user's system.

The vulnerability is caused due to the application improperly sanitising parameters received via e.g. "mega://" URIs. This can be exploited to inject and execute arbitrary PHP code via a specially crafted URI.

The vulnerability is confirmed in version 5.0.7. Other versions may also be affected.

Solution:
Do not browse untrusted websites or follow untrusted links.

Provided and/or discovered by:
pyrokinesis, Nine Situations Group

Original Advisory:
http://www.milw0rm.com/exploits/7623

Audio File Library "ms_adpcm_decode_block()" Buffer Overflow
Jan 2, 2009 12:04AM PST

Release Date: 2009-01-02

Critical:
Moderately critical
Impact: DoS
System access

Where: From remote
Solution Status: Unpatched


Software: Audio File Library 0.x

Description:
A vulnerability has been reported in Audio File Library, which potentially can be exploited by malicious people to compromise an application using the library.

The vulnerability is caused due to a boundary error within the "ms_adpcm_decode_block()" function in libaudiofile/modules/msadpcm.c. This can be exploited to cause a heap-based buffer overflow via a specially crafted WAV file.

Successful exploitation may allow execution of arbitrary code.

The vulnerability is reported in version 0.2.6. Other versions may also be affected.

Solution:
Do not process untrusted files using the library.

Provided and/or discovered by:
Reported in a Debian bug report by Max Kellermann.

Original Advisory:
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=510205

GForge "GroupJoinRequest.class" SQL Injection Vulnerability
Jan 2, 2009 12:05AM PST

Release Date: 2009-01-02

Critical:
Less critical
Impact: Manipulation of data

Where: From remote
Solution Status: Vendor Workaround


Software: GForge 4.x

Description:
A vulnerability has been reported in GForge, which can be exploited by malicious users to conduct SQL injection attacks.

Input passed to the "create()" function in common/include/GroupJoinRequest.class is not properly sanitised before being used in SQL queries. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code.

This vulnerability is reported in versions 4.5 and 4.6. Other versions may also be affected.

Solution:
Fixed in the SVN repository.

Edit the source code to ensure that input is properly sanitised.

Provided and/or discovered by:
Reported in Debian's security tracker.

Original Advisory:
Debian:
http://security-tracker.debian.net/tracker/CVE-2008-2381

GForge:
http://gforge.org/scm/viewvc.php/bran...equest.class?root=gforge&view=log

Nokia 'Curse of Silence' SMS exploit uncovered
Jan 2, 2009 12:08AM PST

Old bug, new tricks

By Bill Ray
2nd January 2009

Mobile phone security vendors were rejoicing last night when it emerged that an obscure bug in an old version of the Symbian OS could allow an attacker to crash a target's mobile phone with a specially-formatted text message.

The attack has been rather dramatically branded the "Curse of Silence", and is a genuine bug that prevents incoming SMS messages being received once a specially-formatted text has been sent to the target, as demonstrated by Tobias Engel. Phones running Nokia's S60 interface, versions 2.6 to 3.1, can be attacked in this way, and some models need a hard reset to recover.

The bug comes courtesy of the way that SMS was designed to integrate with internet email services: no one really understood what the relationship between email and SMS would eventually be, and in the early days there were many email-to-SMS gateway services. Short messaging was seen as the ideal way of delivering email alerts, but the combination of price and increasing spam levels put paid to most of them, especially as spam filtering was unknown at the time.

More: http://www.theregister.co.uk/2009/01/02/nokia_security/

Security update for RealNetworks Helix Server
Jan 2, 2009 12:09AM PST

2 January 2009

RealNetworks has released an update to its Helix streaming media server, fixing four security vulnerabilities. According to the update notes, a heap overflow when processing RTSP DESCRIBE commands allows attackers to execute arbitrary code on the server. Similar issues occur with the Helix Server DataConvertBuffer and NTLM authentication with particular Base64 encoded data. The server is also vulnerable to a denial of service attack, using just three crafted packets.

More: http://www.heise-online.co.uk/security/Security-update-for-RealNetworks-Helix-Server--/news/112338

What's Your 2009 Threat Prediction for the New Year?
Jan 2, 2009 1:45AM PST

Published: 2009-01-01,
Last Updated: 2009-01-02 16:23:39 UTC
by Lorna Hutcheson (Version: 2)

It's hard to believe that 2009 is already here. It hardly seems possible. I have, as I'm sure most of you have as well, been doing a lot of thinking about what the New Year will bring. What will be the new threat for the security professional in the upcoming year? The SSL MD5 issue is one that will surely make the new year interesting. I know that you're supposed to bring the New Year in with a bang, but that is certainly one we could have all done without.

SANS Technology Institute has posted a nice compilation of what challenges the security community will face. I would like to focus this compilation on what you think the threat will be. Coming from a military background, I hold to the belief that you have to know your enemy and the tactics they will use. You cannot defend against what you don't know and you can't afford to sit idle till something happens.

More: http://isc.sans.org/