VULNERABILITIES \ FIXES - January 24, 2008

by Marianna Schmudlach / January 24, 2008 12:17 AM PST

Red Hat update for kernel

Secunia Advisory: SA28643
Release Date: 2008-01-24


Critical:
Less critical
Impact: Security Bypass
Manipulation of data
Exposure of sensitive information
DoS
System access

Where: From local network

Solution Status: Vendor Patch


OS: Red Hat Enterprise Linux (v. 5 server)
Red Hat Enterprise Linux Desktop (v. 5 client)

Description:
Red Hat has issued an update for the kernel. This fixes some vulnerabilities, which can be exploited by malicious, local users to cause a Denial of Service (DoS), disclose potentially sensitive information, bypass certain security restrictions, and corrupt a file system, and by malicious people to cause a DoS (Denial of Service) or potentially compromise a vulnerable system.

Solution:
Updated packages are available via Red Hat Network.
http://rhn.redhat.com

Original Advisory:
https://rhn.redhat.com/errata/RHSA-2008-0089.html

Other References:
SA25771:
http://secunia.com/advisories/25771/

SA27666:
http://secunia.com/advisories/27666/

SA27908:
http://secunia.com/advisories/27908/

SA28146:
http://secunia.com/advisories/28146/

SA28485:
http://secunia.com/advisories/28485/

SDL_image Two Buffer Overflow Vulnerabilities
by Marianna Schmudlach / January 24, 2008 12:18 AM PST

Secunia Advisory: SA28640
Release Date: 2008-01-24


Critical:
Moderately critical
Impact: DoS
System access

Where: From remote

Solution Status: Vendor Workaround


Software: SDL_image 1.x



Description:
Two vulnerabilities have been reported in SDL_image, which can be exploited by malicious people to cause a DoS (Denial of Service) or potentially compromise an application using the library.

1) A boundary error within the "LWZReadByte()" function in IMG_gif.c can be exploited to trigger the overflow of a static buffer via a specially crafted GIF file.

2) A boundary error within the "IMG_LoadLBM_RW()" function in IMG_lbm.c can be exploited to cause a heap-based buffer overflow via a specially crafted IFF ILBM file.

The vulnerabilities are reported in version 1.2.6. Prior versions may also be affected.

Solution:
Fixed in SVN repository.
http://www.libsdl.org/cgi/viewvc.cgi/...L_image/IMG_gif.c?r1=2970&r2=3462
http://www.libsdl.org/cgi/viewvc.cgi/...L_image/IMG_lbm.c?r1=3341&r2=3521

Provided and/or discovered by:
1) The vendor credits Michael Skladnikiewicz. Also reported by Gynvael Coldwind, Team Vexillium.
2) The vendor credits David Raulo.

Original Advisory:
1) http://www.libsdl.org/cgi/viewvc.cgi/...HANGES?revision=3462&view=markup
http://vexillium.org/?sec-sdlgif
2) http://www.libsdl.org/cgi/viewvc.cgi/...L_image/IMG_lbm.c?r1=3341&r2=3521

Web Wiz Rich Text Editor "sub" Directory Traversal Vulnerability
by Marianna Schmudlach / January 24, 2008 12:19 AM PST

Secunia Advisory: SA28639
Release Date: 2008-01-24


Critical:
Less critical
Impact: Exposure of system information
Exposure of sensitive information

Where: From remote

Solution Status: Vendor Patch


Software: Web Wiz Rich Text Editor 4.x

Description:
AmnPardaz Security Research Team has reported a vulnerability in Web Wiz Rich Text Editor, which can be exploited by malicious people to disclose sensitive information.

Input passed to the "sub" parameter in RTE_file_browser.asp is not properly sanitised before being used to generate directory listings. This can be exploited to display arbitrary directory listings via directory traversal attacks.

The vulnerability is reported in version 4.0. Prior versions may also be affected.

Solution:
Update to version 4.01.
http://www.webwizguide.com/webwizrichtexteditor/downloads.asp

Provided and/or discovered by:
AmnPardaz Security Research Team

Original Advisory:
Web Wiz:
http://www.webwizguide.com/webwizrichtexteditor/kb/release_notes.asp

AmnPardaz Security Research Team:
http://www.bugreport.ir/?/31

Drupal Workflow Module Workflow Message Script Insertion
by Marianna Schmudlach / January 24, 2008 12:21 AM PST

Secunia Advisory: SA28633
Release Date: 2008-01-24


Critical:
Less critical
Impact: Cross Site Scripting

Where: From remote

Solution Status: Vendor Patch


Software: Drupal Workflow Module 4.x
Drupal Workflow Module 5.x

Description:
A vulnerability has been reported in the Workflow module for Drupal, which can be exploited by malicious users to conduct script insertion attacks.

Input passed to the workflow messages shown on the workflow tab is not properly sanitised before being stored. This can be exploited to insert arbitrary HTML and script code, which is executed in a user's browser session in context of an affected site when the malicious data is viewed.

Successful exploitation requires valid user credentials.

The vulnerability is reported in all 4.7.x versions before 4.7.x-1.2 and all 5.x versions before 5.x-1.2.

Solution:
Update to version 4.7.x-1.2 or 5.x-1.2.

Provided and/or discovered by:
The vendor credits Greg Knaddison a.k.a. greggles.

Original Advisory:
DRUPAL-SA-2008-009:
http://drupal.org/node/213473

Drupal Archive Module Unspecified Cross-Site Scripting
by Marianna Schmudlach / January 24, 2008 12:23 AM PST

Secunia Advisory: SA28632
Release Date: 2008-01-24


Critical:
Less critical
Impact: Cross Site Scripting

Where: From remote

Solution Status: Vendor Patch


Software: Drupal Archive Module 5.x

Description:
Some vulnerabilities have been reported in the Archive module for Drupal, which can be exploited by malicious people to conduct cross-site scripting attacks.

Input passed to unspecified parameters is not properly sanitised before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user's browser session in context of an affected site.

Successful exploitation requires that the target user has access content permissions.

The vulnerabilities are reported in all 5.x versions before 5.x-1.8.

Solution:
Update to version 5.x-1.8.

Provided and/or discovered by:
The vendor credits G

HTTP File Server Multiple Vulnerabilities
by Marianna Schmudlach / January 24, 2008 12:30 AM PST

Secunia Advisory: SA28631
Release Date: 2008-01-24


Critical:
Moderately critical
Impact: Cross Site Scripting
Spoofing
Manipulation of data
Exposure of system information
DoS
System access

Where: From remote

Solution Status: Partial Fix


Software: HTTP File Server 2.x

Description:
Felipe Aragon and Alec Storm have reported some vulnerabilities and security issues in HTTP File Server, which can be exploited by malicious people to disclose system information, conduct spoofing and cross-site scripting attacks, bypass certain security restrictions, manipulate data, and potentially compromise a vulnerable system.

1) The application does not correctly log certain input. This can be exploited to e.g. spoof the username or inject arbitrary content into the logfile when logging in.

2) Certain input is not properly sanitised before being returned to a user. This can be exploited to execute arbitrary HTML and script code in a user's browser session in context of an affected server.

3) It is possible to disclose certain information (e.g. number of connections, transfer speed, traffic statistics, or uptime) by sending a specially crafted request containing template symbols.

4) The application does not correctly handle the username before using it to create the file name of the logfile. This can be exploited to create directories, append data to files, or to cause a buffer overflow by sending specially crafted requests to a vulnerable server.

Successful exploitation allows the execution of arbitrary code, but requires that the "%user%" template symbol is used to define the name of the logfile.

Solution:
Some of the vulnerabilities are fixed in version 2.2c.
http://www.rejetto.com/hfs/?f=dl

Provided and/or discovered by:
Felipe Aragon and Alec Storm, Syhunt Security Research Team

Original Advisory:
http://archives.neohapsis.com/archives/vulnwatch/2008-q1/0008.html
http://archives.neohapsis.com/archives/vulnwatch/2008-q1/0009.html
http://archives.neohapsis.com/archives/vulnwatch/2008-q1/0010.html
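Item 1 above is a log-injection weakness: a username that is written into a line-oriented log without neutralisation can carry a line break and so forge or corrupt records. The following is an added example and not HFS code (HFS is a Delphi program); it is a Python model of the two defensive halves: escaping every untrusted field before it is written so one field can never span two lines, and a reader-side check that flags lines in an already-written log which do not parse as a record. The record format, the field names and the sample log lines are constructed for the example.

```python
"""Neutralising log injection at write time and spotting it in old logs.

Added example (not HFS code). The record format used here is made up for
the demonstration: '<iso-time> <ip> "<user>" LOGIN_OK|LOGIN_FAIL'.
"""
import re
from datetime import datetime, timezone

# Characters that can break a line-oriented log: the quote that delimits
# the field, the backslash used for escaping, and the line/tab controls.
_ESCAPES = {"\\": "\\\\", '"': '\\"', "\r": "\\r", "\n": "\\n", "\t": "\\t"}


def sanitize_field(value):
    """Return `value` with every control character and delimiter escaped.

    The encoding is reversible, so nothing is lost, but a single logical
    field can no longer span two lines or close its own quotes.
    """
    out = []
    for ch in value:
        if ch in _ESCAPES:
            out.append(_ESCAPES[ch])
        elif ord(ch) < 0x20 or ch == "\x7f":
            out.append("\\x%02x" % ord(ch))
        else:
            out.append(ch)
    return "".join(out)


def format_login_record(ip, user, ok, when=None):
    """Build one log line; the username is the only untrusted field."""
    when = when or datetime.now(timezone.utc)
    status = "LOGIN_OK" if ok else "LOGIN_FAIL"
    return '%s %s "%s" %s' % (
        when.strftime("%Y-%m-%dT%H:%M:%SZ"), ip, sanitize_field(user), status)


# A well-formed record is exactly one line; inside the quotes only escaped
# quotes and backslashes are allowed.
_RECORD = re.compile(
    r'^\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}Z '
    r'\d{1,3}(?:\.\d{1,3}){3} '
    r'"(?:[^"\\]|\\.)*" '
    r'(?:LOGIN_OK|LOGIN_FAIL)$')


def find_suspicious_lines(log_text):
    """Return (line_number, line) for every line that is not a valid record.

    In a log written without escaping, a username containing "\\n" leaves
    an extra line that is a fragment or a forged record. A forged record
    that parses perfectly is not detectable this way, which is why the
    writer-side escape above is the primary control and this is a check.
    """
    bad = []
    for num, line in enumerate(log_text.splitlines(), start=1):
        if not _RECORD.match(line):
            bad.append((num, line))
    return bad


# Constructed sample of what an unescaped logger writes when the username
# 'guest\n2008-01-24T00:00:02Z 10.0.0.1 admin LOGIN_OK' is logged.
UNESCAPED_LOG = (
    '2008-01-24T00:00:01Z 192.0.2.10 "alice" LOGIN_OK\n'
    '2008-01-24T00:00:02Z 192.0.2.11 "guest\n'
    '2008-01-24T00:00:02Z 10.0.0.1 admin LOGIN_OK" LOGIN_FAIL\n'
    '2008-01-24T00:00:03Z 192.0.2.12 "bob" LOGIN_FAIL\n'
)


def demo():
    """The same hostile username escaped at write time vs. written raw."""
    hostile = 'guest\n2008-01-24T00:00:02Z 10.0.0.1 admin LOGIN_OK'
    when = datetime(2008, 1, 24, 0, 0, 2, tzinfo=timezone.utc)
    escaped = format_login_record("192.0.2.11", hostile, False, when)
    return {
        "escaped_line": escaped,
        "escaped_is_one_record": "\n" not in escaped and _RECORD.match(escaped) is not None,
        "suspicious_in_unescaped_log": [num for num, _ in find_suspicious_lines(UNESCAPED_LOG)],
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, "=", value)
```

The escape table is deliberately reversible rather than lossy: a reviewer reading the log still sees the exact username that was presented, just on one line. The reader-side check only catches injection that breaks the line grammar, so it belongs in a log-review job as a detector, not in place of escaping.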

MediaWiki Cross-Site Scripting Vulnerability
by Marianna Schmudlach / January 24, 2008 12:31 AM PST

Secunia Advisory: SA28629
Release Date: 2008-01-24


Critical:
Less critical
Impact: Cross Site Scripting

Where: From remote

Solution Status: Vendor Patch


Software: MediaWiki 1.x

Description:
A vulnerability has been reported in MediaWiki, which can be exploited by malicious people to conduct cross-site scripting attacks.

Input passed via unspecified parameters to api.php is not properly sanitised before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user's browser session in context of an affected site. The vulnerability affects users of Microsoft Internet Explorer only.

Successful exploitation requires that the API interface is enabled.

The vulnerability is reported in the following versions:
* 1.11 <= 1.11.0rc1
* 1.10 <= 1.10.2
* 1.9 <= 1.9.4
* 1.8 any version (if $wgEnableAPI has been switched on)

NOTE: MediaWiki 1.7 is reportedly not affected, but the BotQuery extension is similarly vulnerable unless updated to the latest SVN version.

Solution:
Update to version 1.11.1, 1.10.3, or 1.9.5.

1.11.1:
http://download.wikimedia.org/mediawiki/1.11/mediawiki-1.11.1.tar.gz
http://download.wikimedia.org/mediawiki/1.11/mediawiki-1.11.1.patch

1.10.3:
http://download.wikimedia.org/mediawiki/1.10/mediawiki-1.10.3.tar.gz
http://download.wikimedia.org/mediawiki/1.10/mediawiki-1.10.3.patch

1.9.5:
http://download.wikimedia.org/mediawiki/1.9/mediawiki-1.9.5.tar.gz
http://download.wikimedia.org/mediawiki/1.9/mediawiki-1.9.5.patch

Provided and/or discovered by:
Reported by the vendor.

Original Advisory:
http://lists.wikimedia.org/pipermail/mediawiki-announce/2008-January/000068.html

Cisco PIX and ASA Time-To-Live Denial of Service Vulnerability
by Marianna Schmudlach / January 24, 2008 12:32 AM PST

Secunia Advisory: SA28625
Release Date: 2008-01-24


Critical:
Moderately critical
Impact: DoS

Where: From remote

Solution Status: Vendor Patch


OS: Cisco Adaptive Security Appliance (ASA) 7.x
Cisco Adaptive Security Appliance (ASA) 8.x
Cisco PIX 7.x
Cisco PIX 8.x

Description:
Cisco has acknowledged a vulnerability in Cisco PIX and ASA appliances, which can be exploited by malicious people to cause a DoS (Denial of Service).

The vulnerability is caused due to an unspecified error in the processing of IP packets. This can be exploited to reload an affected device via specially crafted IP packets.

Successful exploitation requires that the Time-To-Live (TTL) decrement feature is enabled (disabled by default).

The vulnerability affects software versions 7.2(2) and later, prior to 7.2(3)006 or 8.0(3).

Solution:
Update to version 7.2(3)6, 8.0(3) or later (please see the vendor's advisory for details).

Provided and/or discovered by:
Reported by the vendor.

Original Advisory:
http://www.cisco.com/warp/public/707/cisco-sa-20080123-asa.shtml

Mozilla Firefox "chrome:" Directory Traversal Security Issue
by Marianna Schmudlach / January 24, 2008 12:33 AM PST

Secunia Advisory: SA28622
Release Date: 2008-01-24


Critical:
Less critical
Impact: Security Bypass

Where: From remote

Solution Status: Unpatched


Software: Mozilla Firefox 2.0.x


Description:
Gerry Eisenhaur has discovered a security issue in Mozilla Firefox, which can be exploited by malicious people to bypass certain security restrictions.

The security issue is caused due to an error within the handling of "chrome:" URIs. This can be exploited to include arbitrary scripts from local resources via directory traversal attacks.

Successful exploitation requires that an extension which doesn't store its contents inside a .jar file is installed.

The security issue is confirmed in version 2.0.0.11 for Windows. Other versions may also be affected.

Solution:
Do not open untrusted web pages.

Provided and/or discovered by:
Gerry Eisenhaur

Original Advisory:
http://www.hiredhacker.com/2008/01/19...ome-url-handling-directory-traversal/

Liquid-Silver CMS "update" Local File Inclusion
by Marianna Schmudlach / January 24, 2008 12:34 AM PST

Secunia Advisory: SA28619
Release Date: 2008-01-24


Critical:
Moderately critical
Impact: Exposure of system information
Exposure of sensitive information

Where: From remote

Solution Status: Unpatched


Software: Liquid-Silver CMS 0.x

Description:
Stack-Terrorist has discovered a vulnerability in Liquid-Silver CMS, which can be exploited by malicious people to disclose sensitive information.

Input passed to the "update" parameter in update/index.php is not properly verified before being used to include files. This can be exploited to include arbitrary files from local resources.

Successful exploitation with arbitrary file extensions requires that "magic_quotes_gpc" is disabled.

The vulnerability is confirmed in version 0.35. Other versions may also be affected.

Solution:
Edit the source code to ensure that input is properly verified.

Provided and/or discovered by:
Stack-Terrorist

Original Advisory:
http://milw0rm.com/exploits/4976

aconon Mail "template" Information Disclosure
by Marianna Schmudlach / January 24, 2008 12:36 AM PST

Secunia Advisory: SA28617
Release Date: 2008-01-24


Critical:
Moderately critical
Impact: Exposure of system information
Exposure of sensitive information

Where: From remote

Solution Status: Unpatched


Software: aconon Mail

Description:
Arno T

Mandriva update for x11-server-xgl
by Marianna Schmudlach / January 24, 2008 12:37 AM PST

Secunia Advisory: SA28616
Release Date: 2008-01-24


Critical:
Less critical
Impact: Exposure of sensitive information
Privilege escalation
DoS

Where: Local system

Solution Status: Vendor Patch


OS: Mandriva Linux 2007

Description:
Mandriva has issued an update for x11-server-xgl. This fixes some vulnerabilities, which can be exploited by malicious, local users to cause a DoS (Denial of Service), disclose potentially sensitive information, or to gain escalated privileges.

Solution:
Apply updated packages.


Original Advisory:
http://www.mandriva.com/en/security/advisories?name=MDVSA-2008:025

Other References:
SA28532:
http://secunia.com/advisories/28532/

HP-UX ARPA Transport Unspecified Denial of Service Vulnerability
by Marianna Schmudlach / January 24, 2008 12:38 AM PST

Secunia Advisory: SA28612
Release Date: 2008-01-24


Critical:
Moderately critical
Impact: DoS

Where: From remote

Solution Status: Vendor Patch


OS: HP-UX 11.x

Description:
A vulnerability has been reported in HP-UX, which can be exploited by malicious people to cause a DoS (Denial of Service).

The vulnerability is caused due to an unspecified error when running ARPA Transport. No further information is currently available.

The vulnerability is reported in HP-UX B.11.31.

Solution:
Apply patch.

HP-UX B.11.31:
Install UNOF_37676.depot.

Provided and/or discovered by:
Reported by the vendor.

Original Advisory:
HPSBUX02306 SSRT071463:
http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c01328657

Debian update for exiv2
by Marianna Schmudlach / January 24, 2008 12:40 AM PST

Secunia Advisory: SA28610
Release Date: 2008-01-24


Critical:
Moderately critical
Impact: DoS
System access

Where: From remote

Solution Status: Vendor Patch


OS: Debian GNU/Linux 4.0

Description:
Debian has issued an update for exiv2. This fixes a vulnerability, which can be exploited by malicious people to cause a DoS (Denial of Service) or potentially compromise an application using the library.

Solution:
Apply updated packages.

Original Advisory:
http://lists.debian.org/debian-securi...-security-announce-2008/msg00036.html

Other References:
SA28132:
http://secunia.com/advisories/28132/

IBM AIX Multiple Vulnerabilities
by Marianna Schmudlach / January 24, 2008 12:41 AM PST

Secunia Advisory: SA28609
Release Date: 2008-01-24


Critical:
Less critical
Impact: Manipulation of data
Exposure of sensitive information
Privilege escalation

Where: Local system

Solution Status: Vendor Patch


OS: AIX 5.x
AIX 6.x

Description:
Some vulnerabilities have been reported in IBM AIX, which can be exploited by malicious, local users to disclose potentially sensitive information, manipulate certain files, or gain escalated privileges.

1) A boundary error in the pioout command can be exploited to cause a buffer overflow and execute arbitrary code with root privileges.

2) An unspecified error in the ps command allows users to access potentially sensitive information from an arbitrary process.

The vulnerabilities are reported in versions 5.2.0, 5.3.0, 5.3.7, and 6.1.0.

3) Boundary errors in the uspchrp and utape commands can be exploited by users in the 'system' group to cause a buffer overflow and execute arbitrary code with root privileges.

The vulnerabilities are reported in versions 5.2.0, 5.3.0, and 5.3.7.

4) Boundary errors in the lchangevg, ldeletepv, putlvodm, lvaryoffvg, lvgenminor, swap, swapoff, and swapon commands can be exploited by users in the 'system' group to cause a buffer overflow and execute arbitrary code with root privileges.

5) The problem is that some of the WebSM Remote Client files are installed with world-writable permissions, which can be exploited to e.g. write to the installed files.

The vulnerabilities are reported in version 5.2 and 5.3.

Solution:
Apply interim fixes or APARs as soon as they become available:
ftp://aix.software.ibm.com/aix/efixes/security/pioout_ifix.tar
ftp://aix.software.ibm.com/aix/efixes/security/ps_ifix.tar
ftp://aix.software.ibm.com/aix/efixes/security/uspchrp_fix.tar
ftp://aix.software.ibm.com/aix/efixes/security/utape_fix.tar
ftp://aix.software.ibm.com/aix/efixes/security/lvm_ifix.tar
ftp://aix.software.ibm.com/aix/efixes/security/websm_linux_fix.tar
ftp://aix.software.ibm.com/aix/efixes/security/swap_fix.tar

Provided and/or discovered by:
The vendor credits:
1) iDefense Labs
2) Andrea "bunker" Purificato

3-5) Reported by the vendor.

Original Advisory:
IBM:
http://www14.software.ibm.com/webapp/...criptions/pqvcmjd?mode=18&ID=4078
http://www14.software.ibm.com/webapp/...criptions/pqvcmjd?mode=18&ID=4075
http://www14.software.ibm.com/webapp/...criptions/pqvcmjd?mode=18&ID=4072
http://www14.software.ibm.com/webapp/...criptions/pqvcmjd?mode=18&ID=4070
http://www14.software.ibm.com/webapp/...criptions/pqvcmjd?mode=18&ID=4068
http://www14.software.ibm.com/webapp/...criptions/pqvcmjd?mode=18&ID=4066
http://www14.software.ibm.com/webapp/...criptions/pqvcmjd?mode=18&ID=4064

Gentoo update for tikiwiki
by Marianna Schmudlach / January 24, 2008 12:43 AM PST

Secunia Advisory: SA28602
Release Date: 2008-01-24


Critical:
Moderately critical
Impact: Unknown
Cross Site Scripting

Where: From remote

Solution Status: Vendor Patch


OS: Gentoo Linux 1.x

Description:
Gentoo has issued an update for tikiwiki. This fixes some vulnerabilities, where some have unknown impacts and others can be exploited by malicious people to conduct cross-site scripting attacks.

Solution:
Update to "www-apps/tikiwiki-1.9.9" or later.

Original Advisory:
http://www.gentoo.org/security/en/glsa/glsa-200801-10.xml

Other References:
SA28225:
http://secunia.com/advisories/28225/

Web Wiz Forums Directory Traversal Vulnerabilities
by Marianna Schmudlach / January 24, 2008 12:44 AM PST

Secunia Advisory: SA28601
Release Date: 2008-01-24


Critical:
Less critical
Impact: Exposure of system information
Exposure of sensitive information

Where: From remote

Solution Status: Vendor Patch


Software: Web Wiz Forums 9.x

Description:
AmnPardaz Security Research Team has reported some vulnerabilities in Web Wiz Forums, which can be exploited by malicious users and malicious people to disclose potentially sensitive information.

1) Input passed via the "sub" parameter to RTE_file_browser.asp is not properly sanitised before being used to list files. This can be exploited to list the content of arbitrary directories via directory traversal attacks.

2) Input passed via the "sub" parameter to file_browser.asp is not properly sanitised before being used to list files. This can be exploited to list the content of arbitrary directories via directory traversal attacks.

Successful exploitation of the vulnerability requires valid user credentials.

The vulnerabilities are reported in version 9.07. Prior versions may also be affected.

Solution:
Update to version 9.08.

Provided and/or discovered by:
AmnPardaz Security Research Team

Original Advisory:
http://www.webwizguide.com/webwizforums/kb/release_notes.asp
http://www.bugreport.ir/?/29

WordPress Permalinks Migration Plugin Cross-Site Request Forgery
by Marianna Schmudlach / January 24, 2008 12:45 AM PST

Secunia Advisory: SA28593
Release Date: 2008-01-24


Critical:
Less critical
Impact: Cross Site Scripting

Where: From remote

Solution Status: Unpatched


Software: Permalinks Migration 1.x (plugin for WordPress)

Description:
g30rg3_x has discovered a vulnerability in the Permalinks Migration plugin for WordPress, which can be exploited by malicious people to conduct cross-site request forgery attacks.

The vulnerability is caused due to the application allowing users to perform certain actions via HTTP requests without performing any validity checks to verify the request. This can be exploited to e.g. conduct script insertion attacks against the PermalinksMigration page.

The vulnerability is confirmed in version 1.0. Other versions may also be affected.

Solution:
Do not browse untrusted websites while logged on to WordPress.

Provided and/or discovered by:
g30rg3_x

Original Advisory:
http://packetstorm.linuxsecurity.com/0801-advisories/deans-xsrf.txt
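The advisory above describes the defining condition of CSRF: a state-changing request is accepted on the strength of the browser's cookie alone, with no check that the user actually submitted the form. The following is an added example, not the Permalinks Migration plugin's code (the plugin is PHP): a small Python model of the missing validity check, a synchroniser token bound to the session and to the action, issued with the form and required on the POST. The `Session` class, the `update_permalinks` action name and the setting names are assumptions made for the example.

```python
"""Synchroniser-token CSRF check for a state-changing settings request.

Added example (not the plugin's code). A token derived from a per-session
secret is placed in the form as a hidden field; the POST handler refuses
to change anything unless the same token comes back.
"""
import hashlib
import hmac
import secrets


class CsrfError(PermissionError):
    """Raised when a state-changing request carries no valid token."""


class Session:
    """Server-side session; `settings` stands in for the plugin's options (assumed)."""

    def __init__(self, user):
        self.user = user
        self.id = secrets.token_hex(16)
        self.csrf_secret = secrets.token_bytes(32)   # never sent to the browser
        self.settings = {"old_structure": "/%year%/%postname%/"}


def issue_token(session, action):
    """Token = HMAC-SHA256(session secret, action); binding to the action means
    a token leaked from one form cannot authorise a different operation."""
    return hmac.new(session.csrf_secret, action.encode(), hashlib.sha256).hexdigest()


def verify_token(session, action, presented):
    """Constant-time comparison so a wrong guess leaks nothing about the right token."""
    if not presented:
        return False
    return hmac.compare_digest(issue_token(session, action), presented)


def handle_update(session, form):
    """POST handler for the settings page.

    `form` is the parsed request body. "Is the user logged in?" is exactly
    the check a forged cross-site request passes, because the browser
    attaches the cookie; the token is what tells the user's own submission
    apart from one triggered by another site.
    """
    if not verify_token(session, "update_permalinks", form.get("_token")):
        raise CsrfError("missing or invalid CSRF token")
    session.settings["old_structure"] = form["old_structure"]
    return session.settings


def _attempt(session, form):
    """Return 'changed' or 'refused' for one request against `session`."""
    try:
        handle_update(session, form)
        return "changed"
    except CsrfError:
        return "refused"


def demo():
    """Three requests: the admin's own form, a forged one, and one with another session's token."""
    victim = Session("admin")
    outcomes = {}

    # 1) The admin's own form submission carries the token issued with that form.
    own = {"old_structure": "/%postname%/",
           "_token": issue_token(victim, "update_permalinks")}
    outcomes["own_form"] = _attempt(victim, own)

    # 2) A cross-site POST rides on the admin's cookie but has no token.
    forged = {"old_structure": "/attacker-chosen/"}
    outcomes["cross_site"] = _attempt(victim, forged)

    # 3) A token minted in the attacker's own session does not validate for the victim.
    attacker = Session("mallory")
    outcomes["other_session_token"] = _attempt(
        victim, dict(forged, _token=issue_token(attacker, "update_permalinks")))

    outcomes["final_setting"] = victim.settings["old_structure"]
    return outcomes


if __name__ == "__main__":
    print(demo())
```

The token is bound to the session secret rather than stored per request, so it needs no server-side token table and rotates whenever the session does. Checking the `Origin` or `Referer` header is a useful second layer for browsers that send them, but the token is the control that works regardless of client behaviour.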

Mandriva update for libxfont
by Marianna Schmudlach / January 24, 2008 12:47 AM PST

Secunia Advisory: SA28571
Release Date: 2008-01-24


Critical:
Less critical
Impact: Privilege escalation

Where: Local system

Solution Status: Vendor Patch


OS: Mandriva Linux 2007

Description:
Mandriva has issued an update for libxfont. This fixes a vulnerability, which can be exploited by malicious, local users to gain escalated privileges.

Solution:
Apply updated packages.

Original Advisory:
http://www.mandriva.com/en/security/advisories?name=MDVSA-2008:024

Other References:
SA28532:
http://secunia.com/advisories/28532/

Web Wiz NewsPad "sub" Directory Traversal Vulnerability
by Marianna Schmudlach / January 24, 2008 12:48 AM PST

Secunia Advisory: SA28416
Release Date: 2008-01-24


Critical:
Less critical
Impact: Exposure of system information
Exposure of sensitive information

Where: From remote

Solution Status: Vendor Patch


Software: Web Wiz NewsPad 1.x

Description:
AmnPardaz Security Research Team has reported a vulnerability in Web Wiz NewsPad, which can be exploited by malicious people to disclose potentially sensitive information.

Input passed via the "sub" parameter to RTE_file_browser.asp is not properly sanitised before being used to list files. This can be exploited to list the content of arbitrary directories via directory traversal attacks.

The vulnerability is reported in version 1.02. Prior versions may also be affected.

Solution:
Update to version 1.03.

Provided and/or discovered by:
AmnPardaz Security Research Team

Original Advisory:
http://www.webwizguide.com/webwiznewspad/kb/release_notes.asp
http://www.bugreport.ir/?/30
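Three advisories on this page (SA28639, SA28601 and this one, SA28416) describe the same defect: a `sub` parameter naming a sub-directory is used to build a listing without checking that the resulting path stays under the directory the browser is meant to show. The following is an added example, not Web Wiz code (the product is classic ASP): a Python model of the confinement check, which resolves the requested path and refuses anything that escapes the configured root. The same check is what the Liquid-Silver CMS `update` include parameter lacks, although for includes an allowlist of permitted names is the better fix. The root directory layout and the sample parameter values are constructed for the example.

```python
"""Confining a user-supplied sub-directory parameter to a fixed root.

Added example (not Web Wiz code). `root` is the directory the file browser
may show; `sub` is the untrusted query parameter. The check is done on the
fully resolved path, so '..' segments, symlinks and absolute paths are all
judged by where they actually land.
"""
import os
import tempfile
from pathlib import Path


class TraversalError(ValueError):
    """Raised when a requested path escapes the configured root."""


def resolve_sub(root, sub):
    """Return the real directory for `sub` under `root`, or raise TraversalError."""
    root_real = Path(root).resolve()
    # An absolute `sub` would make Path(root) / sub discard the root entirely,
    # and NUL bytes have no place in a path name.
    if os.path.isabs(sub) or "\x00" in sub:
        raise TraversalError(sub)
    target = (root_real / sub).resolve()
    # Compare resolved paths: the target must be the root or lie below it.
    # (Path.is_relative_to exists from Python 3.9; `parents` works on 3.6+.)
    if target != root_real and root_real not in target.parents:
        raise TraversalError(sub)
    return target


def list_sub(root, sub):
    """The listing endpoint: sorted entry names of the confined directory."""
    target = resolve_sub(root, sub)
    if not target.is_dir():
        raise FileNotFoundError(sub)
    return sorted(p.name for p in target.iterdir())


def demo():
    """Constructed fixture: an upload root with one sub-directory and a file
    outside the root that must never appear in any listing."""
    base = Path(tempfile.mkdtemp())
    (base / "uploads" / "images").mkdir(parents=True)
    (base / "uploads" / "images" / "logo.gif").write_bytes(b"GIF89a")
    (base / "secret.txt").write_text("not for listing")
    root = base / "uploads"

    results = {}
    # A web framework has already URL-decoded the parameter by this point,
    # so the check sees the literal path the attacker intended.
    for sub in ["images", "images/../images", "../", "../../etc", "/etc"]:
        try:
            results[sub] = list_sub(root, sub)
        except (TraversalError, FileNotFoundError) as exc:
            results[sub] = type(exc).__name__
    return results


if __name__ == "__main__":
    for sub, outcome in demo().items():
        print("%-18s -> %s" % (sub, outcome))
```

Note that `images/../images` is accepted: the check is about where the path ends up, not about the presence of `..`, which is why it must run on the resolved path rather than on the raw string. Rejecting on the string alone misses encodings and symlinks; resolving first makes both irrelevant.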

ManageEngine Applications Manager Multiple Vulnerabilities
by Marianna Schmudlach / January 24, 2008 12:50 AM PST

Secunia Advisory: SA28332
Release Date: 2008-01-24


Critical:
Less critical
Impact: Security Bypass
Cross Site Scripting
Exposure of sensitive information

Where: From remote

Solution Status: Vendor Patch


Software: ManageEngine Applications Manager 8.x



Description:
Hector Manuel Escalona Mendoza has discovered some vulnerabilities, a security issue, and a weakness in ManageEngine Applications Manager, which can be exploited by malicious people to disclose sensitive information, bypass certain security restrictions, or conduct cross-site scripting attacks.

1) Input passed to "showlink" parameter in /jsp/DiscoveryProfiles.jsp, "attributeIDs", "attributeToSelect", "redirectto", and "resourceid" parameters in /jsp/ThresholdActionConfiguration.jsp, "page" and "redirect" parameters in jsp/UpdateGlobalSettings.jsp, and "haid" and "returnpath" parameters in showTile.do is not properly sanitised before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user's browser session in context of an affected site.

2) Missing authentication checks in certain pages (e.g. monitorType.do) can be exploited to disclose potentially sensitive information or modify certain application settings.

3) It is possible to e.g. view the "Home->Summary" information via a URL with an invalid target location (e.g. "http://[host]/-")

The vulnerabilities, security issue, and weakness are confirmed in version 8.1 (build 8100). Other versions may also be affected.

Solution:
Reportedly, a fix is already available from the vendor and will also be included in the next service pack available approximately by the end of the month.

Provided and/or discovered by:
Hector Manuel Escalona Mendoza

PHP cURL Safe_mode Bypass
by Marianna Schmudlach / January 24, 2008 12:51 AM PST

Summary
PHP is "an HTML-embedded scripting language. Much of its syntax is borrowed from C, Java and Perl with a couple of unique PHP-specific features thrown in. The goal of the language is to allow web developers to write dynamically generated pages quickly".

PHP supports libcurl, a library created by Daniel Stenberg, that allows you to connect and communicate to many different types of servers with many different types of protocols. libcurl currently supports the http, https, ftp, gopher, telnet, dict, file, and ldap protocols. libcurl also supports HTTPS certificates, HTTP POST, HTTP PUT, FTP uploading (this can also be done with PHP's ftp extension), HTTP form based upload, proxies, cookies, and user+password authentication.

A vulnerability in PHP's cURL mechanism allows bypassing of the safe_mode mechanism.

Credit:
The information has been provided by Maksymilian Arciemowicz.
The original article can be found at: http://securityreason.com/achievement_securityalert/51


http://www.securiteam.com/unixfocus/5YP0N15N5U.html

Cisco PIX and ASA Time-to-Live Vulnerability
by Marianna Schmudlach / January 24, 2008 12:52 AM PST

Summary
A crafted IP packet vulnerability exists in the Cisco PIX 500 Series Security Appliance (PIX) and the Cisco 5500 Series Adaptive Security Appliance (ASA) that may result in a reload of the device. This vulnerability is triggered during processing of a crafted IP packet when the Time-to-Live (TTL) decrement feature is enabled.

Common Vulnerabilities and Exposures (CVE) identifier CVE-2008-0028 has been assigned to this vulnerability.

Credit:
The information has been provided by Cisco Systems Product Security Incident Response Team.
The original article can be found at: http://www.cisco.com/warp/public/707/cisco-sa-20080123-asa.shtml


http://www.securiteam.com/securitynews/5WP0L15N5S.html

Default Passwords in the Cisco Application Velocity System
by Marianna Schmudlach / January 24, 2008 12:53 AM PST

Summary
Versions of the Cisco Application Velocity System (AVS) prior to software version AVS 5.1.0 do not prompt users to modify system account passwords during the initial configuration process. Because there is no requirement to change these credentials during the initial configuration process, an attacker may be able to leverage the accounts that have default credentials, some of which have root privileges, to take full administrative control of the AVS system.

After upgrading to software version AVS 5.1.0, users will be prompted to modify these credentials.

Cisco will make free upgrade software available to address this vulnerability for affected customers. The software upgrade will be applicable only for the AVS 3120, 3180, and 3180A systems. The workaround identified in this document describes how to change the passwords in current releases of software for the AVS 3110.

Common Vulnerabilities and Exposures (CVE) identifier CVE-2008-0029 has been assigned to this vulnerability.

Credit:
The information has been provided by Cisco Systems Product Security Incident Response Team.
The original article can be found at: http://www.cisco.com/warp/public/707/cisco-sa-20080123-avs.shtml# at ID


http://www.securiteam.com/securitynews/5XP0M15N5M.html

IBM fixes flaws in Tivoli and WebSphere
by Marianna Schmudlach / January 24, 2008 12:56 AM PST

IBM has released updates that eliminate vulnerabilities in several different products. IBM Tivoli Business Service Manager stores passwords in clear text; a vulnerability in IBM Tivoli Provisioning Manager for OS Deployment can be exploited to crash the integrated web server; a hole in IBM WebSphere Business Modeler allows unauthorised users to delete content from the repositories, and there is an update to IBM WebSphere Application Server to eliminate a vulnerability of which no details are given.

http://www.heise-security.co.uk/news/102371

Drive-by Pharming and attacks against network infrastructure
by Marianna Schmudlach / January 24, 2008 1:00 AM PST

Published: 2008-01-24,

Symantec posted a blog entry about attackers using vulnerabilities in web browsers (CSRF and XSS from our interpretation of the article) to reconfigure home routers/firewalls to change their DNS servers to enable MITM attacks. They report having seen a number of delivery methods for the attacks including email, and compromised or malicious websites.

The full article is here: http://www.symantec.com/enterprise/security_response/weblog/2008/01/driveby_pharming_in_the_wild.html

Heise.de also has an article about the issue (links to the Symantec post) for those of you who prefer reading German: http://www.heise.de/newsticker/meldung/102281

There are a number of moderately effective mitigations that you can use to prevent this (per Symantec)-

http://isc.sans.org/

Sun Java update creaks under weight of bug fixes
by Marianna Schmudlach / January 24, 2008 1:59 AM PST

Phew what a whopper
By John Leyden

Published Thursday 24th January 2008

Sun has pushed out a major update to its Java software package that features scores of bug fixes, including a number of security updates.

Java 6 Update 4 includes a hefty 370 bug fixes (as explained here). Most of these are minor tweaks to improve performance or application glitches, but some are more notable as they address security flaws. The latest Java SE (Standard Edition) Runtime Environment 6 Update 4 package weighs in at 13.05MB, or 15MB for an offline installation, and is available here.

More: http://www.theregister.co.uk/2008/01/24/sun_java_update/

Sun Releases Java Update
by Marianna Schmudlach / January 24, 2008 5:23 AM PST

added January 24, 2008 at 04:00 pm

US-CERT is aware that Sun has released an update to Java SE 6 containing fixes for 375 bugs. Users are encouraged to install the appropriate updates and should be aware that installing this new version of Java SE may not remove previous versions of the software.

For more information please see the following:


http://java.sun.com/javase/6/webnotes/ReleaseNotes.html#160_04

http://java.sun.com/javase/downloads/index.jsp

http://www.us-cert.gov/current/current_activity.html#sun_releases_java_update

MS08-001 updated
by Marianna Schmudlach / January 24, 2008 5:16 AM PST
Microsoft Security Bulletin Re-Releases and Revisions
by Marianna Schmudlach / January 24, 2008 5:20 AM PST
In reply to: MS08-001 updated

added January 24, 2008 at 02:07 pm

Microsoft has re-released the following Security Bulletins:


MS08-001, Vulnerabilities in Windows TCP/IP Could Allow Remote Code Execution, has been updated to include Windows Small Business Server 2003 Service Pack 2 as an affected product.
MS07-064, Vulnerabilities in DirectX Could Allow Remote Code Execution, has been updated to reflect that DirectX 9.0 and 9.0b are included in the update.
and has revised the following Security Bulletins:

MS07-068, Vulnerability in Windows Media File Format Could Allow Remote Code Execution, has been updated to include information about installing the updates for Windows Media Format Runtime 9.5 on Windows XP Professional x64 Edition.
MS07-057, Cumulative Security Update for Internet Explorer, has been updated to include information about address rendering issues.
US-CERT strongly encourages users to review these bulletins and apply any listed updates or workarounds.


http://www.us-cert.gov/current/current_activity.html#microsoft_security_bulletin_re_releases

GE Fanuc Product Vulnerabilities
by Marianna Schmudlach / January 24, 2008 5:21 AM PST

added January 24, 2008 at 02:17 pm

Vulnerabilities in GE Fanuc CIMPLICITY and Proficy Real-Time Information Portal could allow an attacker to execute arbitrary code, obtain user credentials, upload and execute arbitrary files, or cause a denial-of-service condition.

US-CERT encourages users to review the following GE Fanuc Knowledgebase Articles for further information:


GE Fanuc Proficy Real-Time Information Portal allows arbitrary file upload and execution (KB12460)
GE Fanuc Proficy Real-Time Information Portal transmits authentication credentials in plain text (KB12459)
Buffer Overflow Allows Remote Code Execution (KB12458)

US-CERT will provide more information as it becomes available.


http://www.us-cert.gov/current/current_activity.html#ge_fanuc_product_vulnerabilities
