VULNERABILITIES \ FIXES - July 22, 2008

EasyPublish SQL Injection and Cross-Site Scripting

Secunia Advisory: SA31193
Release Date: 2008-07-22


Critical: Moderately critical
Impact: Cross Site Scripting, Manipulation of data, Exposure of sensitive information

Where: From remote

Solution Status: Unpatched


Software: EasyPublish 3.x

Description:
Khashayar Fereidani has discovered two vulnerabilities in EasyPublish, which can be exploited by malicious people to conduct cross-site scripting and SQL injection attacks.

1) Input passed to the "read" parameter in staticpages/easypublish/index.php is not properly sanitised before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user's browser session in context of an affected site.

2) Input passed to the "read" parameter in staticpages/easypublish/index.php is not properly sanitised before being used in SQL queries. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code.

Successful exploitation of this vulnerability allows e.g. retrieval of administrator usernames and passwords.

The vulnerabilities are confirmed in version 3.0 trial edition. Other versions may also be affected.

Solution:
Edit the source code to ensure that input is properly sanitised.

Provided and/or discovered by:
Khashayar Fereidani a.k.a. Dr.Crash

Original Advisory:
http://seclists.org/bugtraq/2008/Jul/0166.html

EasyE-Cards SQL Injection and Cross-Site Scripting

Secunia Advisory: SA31192
Release Date: 2008-07-22


Critical: Moderately critical
Impact: Cross Site Scripting, Manipulation of data

Where: From remote

Solution Status: Unpatched


Software: EasyE-Cards 3.x

Description:
Khashayar Fereidani has discovered some vulnerabilities in EasyE-Cards, which can be exploited by malicious people to conduct cross-site scripting and SQL injection attacks.

Solution:
Edit the source code to ensure that input is properly sanitised.

Provided and/or discovered by:
Khashayar Fereidani a.k.a. Dr.Crash

Original Advisory:
http://seclists.org/bugtraq/2008/Jul/0168.html

EasyBookMarker "rs" Cross-Site Scripting

Secunia Advisory: SA31191
Release Date: 2008-07-22


Critical: Less critical
Impact: Cross Site Scripting

Where: From remote

Solution Status: Unpatched


Software: EasyBookMarker 4.x

Description:
Khashayar Fereidani has discovered a vulnerability in EasyBookMarker, which can be exploited by malicious people to conduct cross-site scripting attacks.

Input passed to the "rs" parameter in ajaxp_backend.php is not properly sanitised before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user's browser session in context of an affected site.

The vulnerability is confirmed in version 4.0 trial edition. Other versions may also be affected.

Solution:
Edit the source code to ensure that input is properly sanitised.

Provided and/or discovered by:
Khashayar Fereidani a.k.a. Dr.Crash

Original Advisory:
http://seclists.org/bugtraq/2008/Jul/0163.html

MyReview Disclosure of Sensitive Information

Secunia Advisory: SA31190
Release Date: 2008-07-22


Critical: Moderately critical
Impact: Exposure of sensitive information

Where: From remote

Solution Status: Unpatched


Software: MyReview 1.x

Description:
Julien Thomas has reported a security issue in MyReview, which can be exploited by malicious people to disclose potentially sensitive information.

The security issue is caused due to the application storing potentially sensitive files with a predictable filename in a public directory, which can be exploited to guess and download the files.

The vulnerability is reported in version 1.9.9. Other versions may also be affected.

Solution:
Restrict access to the upload directory (e.g. via ".htaccess").

Provided and/or discovered by:
Julien Thomas

Original Advisory:
http://aispirit.over-blog.com/article-21322827.html

EasyDynamicPages SQL Injection and Cross-Site Scripting

Secunia Advisory: SA31189
Release Date: 2008-07-22


Critical: Moderately critical
Impact: Cross Site Scripting, Manipulation of data

Where: From remote

Solution Status: Unpatched


Software: EasyDynamicPages 3.x

Description:
Khashayar Fereidani has discovered two vulnerabilities in EasyDynamicPages, which can be exploited by malicious people to conduct cross-site scripting and SQL injection attacks.

Solution:
Edit the source code to ensure that input is properly sanitised.

Provided and/or discovered by:
Khashayar Fereidani a.k.a. Dr.Crash

Original Advisory:
http://seclists.org/bugtraq/2008/Jul/0174.html

EMC Retrospect Multiple Vulnerabilities

Secunia Advisory: SA31186
Release Date: 2008-07-22


Critical: Less critical
Impact: Brute force, Exposure of sensitive information, DoS

Where: From local network

Solution Status: Vendor Patch


Software: EMC Retrospect 7.x
EMC Retrospect Client for Windows 7.x

Description:
Some vulnerabilities and a security issue have been reported in EMC Retrospect, which can be exploited by malicious people to disclose sensitive information or cause a DoS (Denial of Service).

Solution:
Update to the latest versions.
http://www.emcinsignia.com/updates

Provided and/or discovered by:
Zhenhua Liu, Fortinet's FortiGuard Global Security Research Team

Original Advisory:
Fortinet:
http://www.fortiguardcenter.com/advisory/FGA-2008-16.html
http://lists.grok.org.uk/pipermail/full-disclosure/2008-July/063354.html
http://lists.grok.org.uk/pipermail/full-disclosure/2008-July/063353.html
http://lists.grok.org.uk/pipermail/full-disclosure/2008-July/063351.html

ZDaemon Denial of Service Vulnerability

Secunia Advisory: SA31185
Release Date: 2008-07-22


Critical: Moderately critical
Impact: DoS

Where: From remote

Solution Status: Unpatched


Software: ZDaemon 1.x

Description:
Luigi Auriemma has reported a vulnerability in ZDaemon, which can be exploited by malicious people to cause a DoS (Denial of Service).

The vulnerability is caused due to a NULL pointer dereference error and can be exploited to cause the ZDaemon server to crash via a type 6 command.

The vulnerability is reported in version 1.08.07. Other versions may also be affected.

Solution:
Restrict access to game servers to trusted people only.

Provided and/or discovered by:
Luigi Auriemma

Original Advisory:
http://aluigi.altervista.org/adv/zdaemonull-adv.txt

Gentoo Bacula MySQL Director Password Disclosure Weakness

Secunia Advisory: SA31184
Release Date: 2008-07-22


Critical: Not critical
Impact: Exposure of sensitive information

Where: Local system

Solution Status: Unpatched


OS: Gentoo Linux 1.x

Description:
Gentoo has acknowledged a weakness in bacula, which can be exploited by malicious, local users to disclose potentially sensitive information.

For more information:
SA27243

Solution:
The vendor recommends not to use the make_catalog_backup script.

Original Advisory:
http://www.gentoo.org/security/en/glsa/glsa-200807-10.xml

Other References:
SA27243:
http://secunia.com/advisories/27243/

Gentoo update for peercast

Secunia Advisory: SA31182
Release Date: 2008-07-22


Critical: Highly critical
Impact: DoS, System access

Where: From remote

Solution Status: Vendor Patch


OS: Gentoo Linux 1.x

Description:
Gentoo has issued an update for peercast. This fixes a vulnerability, which can be exploited by malicious people to cause a DoS (Denial of Service) and potentially compromise a vulnerable system.

Solution:
Update to "media-sound/peercast-0.1218-r1" or later.

Original Advisory:
http://www.gentoo.org/security/en/glsa/glsa-200807-11.xml

Other References:
SA29962:
http://secunia.com/advisories/29962/

Debian update for ruby1.8

Secunia Advisory: SA31181
Release Date: 2008-07-22


Critical: Highly critical
Impact: DoS, System access

Where: From remote

Solution Status: Vendor Patch


OS: Debian GNU/Linux 4.0
Debian GNU/Linux unstable alias sid

Description:
Debian has issued an update for ruby1.8. This fixes some vulnerabilities, which can be exploited by malicious people to cause a DoS (Denial of Service) and potentially compromise a vulnerable system.

Solution:
Apply updated packages.

Original Advisory:
http://www.us.debian.org/security/2008/dsa-1612

Other References:
SA29794:
http://secunia.com/advisories/29794/

SA30924:
http://secunia.com/advisories/30924/

Gentoo BitchX Multiple Vulnerabilities

Secunia Advisory: SA31180
Release Date: 2008-07-22


Critical: Highly critical
Impact: Privilege escalation, System access

Where: From remote

Solution Status: Unpatched


OS: Gentoo Linux 1.x

Description:
Gentoo has acknowledged a security issue and a vulnerability in bitchx, which can be exploited by malicious, local users to perform certain actions with escalated privileges and by malicious people to potentially compromise a user's system.

Solution:
The vendor recommends unmerging bitchx and using another IRC client.

Original Advisory:
http://www.gentoo.org/security/en/glsa/glsa-200807-12.xml

Other References:
SA26578:
http://secunia.com/advisories/26578/

SA27463:
http://secunia.com/advisories/27463/

OpenSSH "X11UseLocalhost" X11 Forwarding Security Issue

Secunia Advisory: SA31179
Release Date: 2008-07-22


Critical: Not critical
Impact: Exposure of sensitive information

Where: Local system

Solution Status: Vendor Patch


Software: OpenSSH 4.x
OpenSSH 5.x

Description:
A security issue has been reported in OpenSSH, which can be exploited by malicious, local users to disclose sensitive information.

The security issue is caused due to the sshd server setting the SO_REUSEADDR option for the listening socket used by the X11 forwarding server. This can be exploited to intercept an X11 forwarding session by binding a socket to the X11 forwarding port.

Successful exploitation requires that "X11UseLocalhost" is disabled (it is enabled by default) and that the underlying operating system allows the re-binding of a port without checking the effective user id or the overlapping of addresses (e.g. HP/UX).

The security issue is reported in versions prior to 5.1.

Solution:
Update to version 5.1 or 5.1p1.

Provided and/or discovered by:
The vendor credits sway2004009.

Original Advisory:
http://www.openssh.com/txt/release-5.1

http://openssh.com/security.html
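
Whether the rebind condition the advisory describes actually holds on a given host is something you can probe rather than guess. The script below is an added example (my own code, not part of the advisory or of OpenSSH): it opens a listener with SO_REUSEADDR the way pre-5.1 sshd did for its X11 forwarding port, then tries from a second socket to bind 127.0.0.1 on the same port. The "0.0.0.0" case models X11UseLocalhost=no, the "127.0.0.1" case the default. The outcome is OS-dependent by design, which is exactly the advisory's point.

```python
import socket


def probe_rebind(listen_addr="0.0.0.0"):
    """Open a TCP listener the way pre-5.1 sshd opened its X11 forwarding
    port (SO_REUSEADDR set; wildcard address when X11UseLocalhost=no, which
    listen_addr="0.0.0.0" models), then try, from a second socket, to bind
    127.0.0.1 on the same port with SO_REUSEADDR. If that bind is allowed,
    a different local user could do the same and receive the forwarded X11
    connections. Port 0 asks the kernel for a free port so the probe never
    collides with a real listener."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    listener.bind((listen_addr, 0))
    listener.listen(1)
    port = listener.getsockname()[1]

    hijacker = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    hijacker.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    try:
        hijacker.bind(("127.0.0.1", port))
        rebind_allowed, error = True, None
    except OSError as exc:
        rebind_allowed, error = False, exc.strerror
    finally:
        hijacker.close()
        listener.close()
    return {"listen_addr": listen_addr, "port": port,
            "rebind_allowed": rebind_allowed, "error": error}


def report():
    """Run the probe for both X11UseLocalhost settings."""
    return {"X11UseLocalhost=no": probe_rebind("0.0.0.0"),
            "X11UseLocalhost=yes": probe_rebind("127.0.0.1")}


if __name__ == "__main__":
    for setting, result in report().items():
        verdict = "REBIND ALLOWED (hijack possible)" if result["rebind_allowed"] \
            else f"rebind refused ({result['error']})"
        print(f"{setting}: port {result['port']} on {result['listen_addr']}: {verdict}")
```

On Linux the second bind is refused while the first socket is listening, so you will see "rebind refused"; on the systems the advisory has in mind (HP/UX, and also Windows) the wildcard-versus-specific bind can succeed. A "rebind allowed" result on a multi-user box running sshd older than 5.1 with X11UseLocalhost=no is the condition to fix.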

Century Systems Routers Cross-Site Request Forgery

Secunia Advisory: SA31173
Release Date: 2008-07-22


Critical: Less critical
Impact: Cross Site Scripting

Where: From remote

Solution Status: Partial Fix


OS: Century Systems XR Routers

Description:
A vulnerability has been reported in various Century Systems routers, which can be exploited by malicious people to conduct cross-site request forgery attacks.

The vulnerability is caused due to the device allowing users to perform certain actions via HTTP requests without performing any validity checks to verify the request. This can be exploited to e.g. change the administrator password by enticing a logged-in administrator to visit a malicious site.

The vulnerability reportedly affects the following router and firmware versions:
* XR-410 version 1.6.8 and prior
* XR-440 version 1.7.7 and prior
* XR-510 version 3.5.0 and prior
* XR-540 version 3.5.2 and prior
* XR-640 version 1.6.7 and prior
* XR-730 version 3.5.0 and prior
* XR-1100 version 1.6. and prior
* XR-410-L2 version 1.6.1 and prior
* XR-640-L2 version 1.6.1 and prior

Solution:
Update to the fixed firmware versions.

XR-410 version 1.6.9:
http://www.centurysys.co.jp/support/XR410TX2/XR410TX2_dl.html

XR-510 version 3.5.3:
http://www.centurysys.co.jp/support/xr510c/xr510c_dl.html

The vendor is reportedly working on a fix for the other router firmware versions.

Provided and/or discovered by:
Reported via JVN.

Original Advisory:
JVN#67573833:
http://jvn.jp/jp/JVN67573833/index.html
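
The advisory describes the classic CSRF shape: the device trusts any request that arrives with the admin's session cookie, and the browser attaches that cookie to a form an attacker's page submits. The following is an added example (my own code, not the vendor's firmware or the JVN write-up) that models a "change admin password" handler both ways. The device address, request shapes and field names are assumptions for the illustration.

```python
import hmac
import secrets
from urllib.parse import urlparse

# Assumed address of the router's web UI (example value).
DEVICE_ORIGIN = "http://192.168.0.1"


class Session:
    """Server-side state for one logged-in admin browser."""
    def __init__(self):
        # Per-session secret that the settings page embeds in its forms.
        self.csrf_token = secrets.token_urlsafe(32)


def vulnerable_change_password(request, session, device):
    """Checks only that a session exists. The browser attaches the session
    cookie to any form post aimed at the device, including one that a
    malicious page auto-submits, which is the weakness the advisory names."""
    if session is None:
        return "not logged in"
    device["admin_password"] = request["form"]["new_password"]
    return "password changed"


def _origin_of(url):
    p = urlparse(url)
    return f"{p.scheme}://{p.netloc}" if p.scheme and p.netloc else None


def hardened_change_password(request, session, device):
    """Same action with the checks the device lacked: state changes only via
    POST; the per-session token must round-trip in the form body (a page on
    another origin cannot read it); and an Origin/Referer header, when the
    browser sends one, must name the device itself."""
    if session is None:
        return "not logged in"
    if request["method"] != "POST":
        return "rejected: state change must be a POST"
    headers = request["headers"]
    source = headers.get("Origin") or headers.get("Referer")
    if source is not None and _origin_of(source) != DEVICE_ORIGIN:
        return "rejected: cross-site request"
    supplied = request["form"].get("csrf_token", "")
    if not hmac.compare_digest(supplied.encode(), session.csrf_token.encode()):
        return "rejected: missing or wrong CSRF token"
    device["admin_password"] = request["form"]["new_password"]
    return "password changed"


def demo():
    session = Session()
    # Constructed forged POST: auto-submitted by a page on an attacker's
    # site while the admin is logged in. The browser adds the cookie; the
    # attacker cannot read the token, so it is absent.
    forged = {
        "method": "POST",
        "headers": {"Origin": "http://attacker.example"},
        "form": {"new_password": "pwned"},
    }
    # Constructed legitimate POST from the device's own settings page.
    legit = {
        "method": "POST",
        "headers": {"Referer": "http://192.168.0.1/admin/password.cgi"},
        "form": {"new_password": "n3w-pass", "csrf_token": session.csrf_token},
    }
    weak = {"admin_password": "original"}
    strong = {"admin_password": "original"}
    return {
        "weak_forged": vulnerable_change_password(forged, session, weak),
        "weak_password": weak["admin_password"],
        "hard_forged": hardened_change_password(forged, session, strong),
        "hard_legit": hardened_change_password(legit, session, strong),
        "hard_password": strong["admin_password"],
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The token is the primary control; the Origin/Referer comparison is defence in depth because some browsers and privacy proxies strip those headers, which is why the hardened handler only enforces it when a header is present. Until the fixed firmware is installed, the practical mitigation is to log out of the router's admin UI before browsing elsewhere, since the attack needs a live session.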

HRS Multi "key" SQL Injection Vulnerability

Secunia Advisory: SA31170
Release Date: 2008-07-22


Critical: Moderately critical
Impact: Manipulation of data

Where: From remote

Solution Status: Unpatched


Software: HRS Multi

Description:
Mr.SQL has reported a vulnerability in HRS Multi, which can be exploited by malicious people to conduct SQL injection attacks.

Input passed to the "key" parameter in picture_pic_bv.asp is not properly sanitised before being used in SQL queries. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code.

Solution:
Edit the source code to ensure that input is properly sanitised.

Provided and/or discovered by:
Mr.SQL

Original Advisory:
http://milw0rm.com/exploits/6105

Debian update for libgd2

Secunia Advisory: SA31168
Release Date: 2008-07-22


Critical: Moderately critical
Impact: DoS, System access

Where: From remote

Solution Status: Vendor Patch


OS: Debian GNU/Linux 4.0
Debian GNU/Linux unstable alias sid

Description:
Debian has issued an update for libgd2. This fixes some vulnerabilities, which can be exploited by malicious people to cause a DoS (Denial of Service) or potentially compromise an application using the library.

Solution:
Apply updated packages.

Original Advisory:
http://www.us.debian.org/security/2008/dsa-1613

Other References:
SA25292:
http://secunia.com/advisories/25292/

SA25855:
http://secunia.com/advisories/25855/

SA26642:
http://secunia.com/advisories/26642/

MojoClassifieds "cat_a" SQL Injection Vulnerability

Secunia Advisory: SA31166
Release Date: 2008-07-22


Critical: Moderately critical
Impact: Manipulation of data

Where: From remote

Solution Status: Unpatched


Software: MojoClassifieds 2.x

Description:
Mr.SQL has reported a vulnerability in MojoClassifieds, which can be exploited by malicious people to conduct SQL injection attacks.

Input passed to the "cat_a" parameter in mojoClassified.cgi is not properly sanitised before being used in an SQL query. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code.

The vulnerability is reported in version 2.0. Other versions may also be affected.

Solution:
Filter malicious characters and character sequences with a web proxy.

Provided and/or discovered by:
Mr.SQL

Original Advisory:
http://milw0rm.com/exploits/6108

MojoPersonals "cat" SQL Injection Vulnerability

Secunia Advisory: SA31165
Release Date: 2008-07-22


Critical: Moderately critical
Impact: Manipulation of data

Where: From remote

Solution Status: Unpatched


Software: MojoPersonals 4.x

Description:
Mr.SQL has reported a vulnerability in MojoPersonals, which can be exploited by malicious people to conduct SQL injection attacks.

Input passed to the "cat" parameter in mojoClassified.cgi is not properly sanitised before being used in an SQL query. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code.

Solution:
Filter malicious characters and character sequences with a web proxy.

Provided and/or discovered by:
Mr.SQL

Original Advisory:
http://www.milw0rm.com/exploits/6109

MojoJobs "cat_a" SQL Injection Vulnerability

Secunia Advisory: SA31164
Release Date: 2008-07-22


Critical: Moderately critical
Impact: Manipulation of data

Where: From remote

Solution Status: Unpatched


Software: MojoJobs 2.x

Description:
Mr.SQL has reported a vulnerability in MojoJobs, which can be exploited by malicious people to conduct SQL injection attacks.

Input passed to the "cat_a" parameter in mojoJobs.cgi is not properly sanitised before being used in SQL queries. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code.

Solution:
Filter malicious characters and character sequences in a proxy.

Provided and/or discovered by:
Mr.SQL

Original Advisory:
http://milw0rm.com/exploits/6110

MojoAuto "cat_a" SQL Injection Vulnerability

Secunia Advisory: SA31162
Release Date: 2008-07-22


Critical: Moderately critical
Impact: Manipulation of data

Where: From remote

Solution Status: Unpatched


Software: MojoAuto 2.x

Description:
Mr.SQL has reported a vulnerability in MojoAuto, which can be exploited by malicious people to conduct SQL injection attacks.

Input passed to the "cat_a" parameter in mojoAuto.cgi is not properly sanitised before being used in SQL queries. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code.

Solution:
Filter malicious characters and character sequences in a proxy.

Provided and/or discovered by:
Mr.SQL

Original Advisory:
http://milw0rm.com/exploits/6111

ShopCartDx "pid" SQL Injection Vulnerability

Secunia Advisory: SA31156
Release Date: 2008-07-22


Critical: Moderately critical
Impact: Manipulation of data

Where: From remote

Solution Status: Unpatched


Software: ShopCartDx 4.x



Description:
Cr@zy_King has reported a vulnerability in ShopCartDx, which can be exploited by malicious people to conduct SQL injection attacks.

Input passed to the "pid" parameter in product_detail.php is not properly sanitised before being used in SQL queries. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code.

Solution:
Filter malicious characters and character sequences using a proxy.

Provided and/or discovered by:
Cr@zy_King

Original Advisory:
http://milw0rm.com/exploits/6114
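
The EasyPublish, HRS Multi, MojoClassifieds/MojoPersonals/MojoJobs/MojoAuto and ShopCartDx entries above all describe the same defect: a request parameter ("read", "key", "cat_a", "cat", "pid") spliced into SQL text, and in EasyPublish's case also echoed back into the page. What "ensure that input is properly sanitised" means in practice is a bound parameter for the query and output encoding for the page. The block below is an added example (my own code, not from any of the affected products or the advisories) with a constructed in-memory table; the schema, rows and the admin credential are made up for the illustration, and the "pid" lookup stands in for all of the listed parameters.

```python
import html
import sqlite3

# Constructed sample data: a product table and a users table standing in
# for whatever the affected applications keep. All values are assumptions.
PRODUCTS = [(1, "Widget", 9.99), (2, "Gadget", 19.99), (3, "Gizmo", 4.5)]


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE products (pid INTEGER, name TEXT, price REAL)")
    conn.executemany("INSERT INTO products VALUES (?, ?, ?)", PRODUCTS)
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('admin', 's3cret')")
    return conn


def vulnerable_lookup(conn, pid):
    """The pattern behind the advisories: the request parameter is pasted
    into the SQL text, so whoever builds the URL controls the query."""
    sql = "SELECT name, price FROM products WHERE pid = " + pid
    return conn.execute(sql).fetchall()


def hardened_lookup(conn, pid):
    """Allow-list the value's shape, then pass it as a bound parameter so
    it can never become SQL syntax whatever it contains."""
    if not pid.isdigit():
        return []
    return conn.execute(
        "SELECT name, price FROM products WHERE pid = ?", (int(pid),)
    ).fetchall()


def vulnerable_render(read):
    """Reflected XSS: the parameter is echoed into the page as-is."""
    return "<p>You requested: " + read + "</p>"


def hardened_render(read):
    """Encode for the HTML body context before reflecting the value."""
    return "<p>You requested: " + html.escape(read, quote=True) + "</p>"


def demo():
    conn = make_db()
    # Constructed payloads of the kind the advisories allude to: a UNION
    # that pulls the admin credential (what "retrieval of administrator
    # usernames and passwords" looks like), a tautology, and a script tag.
    union = "1 UNION SELECT username, password FROM users"
    tautology = "1 OR 1=1"
    xss = "<script>alert(document.cookie)</script>"
    results = {
        "vuln_union": vulnerable_lookup(conn, union),
        "vuln_tautology": vulnerable_lookup(conn, tautology),
        "hard_union": hardened_lookup(conn, union),
        "hard_tautology": hardened_lookup(conn, tautology),
        "hard_normal": hardened_lookup(conn, "2"),
        "vuln_xss": vulnerable_render(xss),
        "hard_xss": hardened_render(xss),
    }
    conn.close()
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The "filter malicious characters with a web proxy" workaround several of the advisories suggest is a stopgap: it blocks known payload shapes in front of unchanged code, and encodings or comment tricks that the filter does not anticipate still reach the query. Parameterised statements remove the problem class instead of matching on it.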

Interact "file" Local File Inclusion

Secunia Advisory: SA31150
Release Date: 2008-07-22


Critical: Moderately critical
Impact: Exposure of system information, Exposure of sensitive information

Where: From remote

Solution Status: Vendor Workaround


Software: Interact 2.x

Description:
Digital Security Research Group has discovered a vulnerability in Interact, which can be exploited by malicious people to disclose sensitive information.

Input passed to the "file" parameter in help/help.php is not properly verified before being used to include files. This can be exploited to include arbitrary files from local resources.

The vulnerability is confirmed in version 2.4.1. Other versions may also be affected.

Solution:
The vendor recommends deleting the help/help.php script, as it is no longer needed:
http://sourceforge.net/forum/forum.php?thread_id=2104908&forum_id=237160

Provided and/or discovered by:
Digital Security Research Group

Original Advisory:
http://milw0rm.com/exploits/6107
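
The vendor's answer here is to delete the script, which is the right call for dead code. Where an include-by-name parameter has to stay, "properly verified" means two separate checks: the resolved path must stay inside the intended directory, and the name must match what a help page is allowed to look like. The function below is an added example (my own code, not Interact's), done lexically so it runs anywhere; the help directory path and the allowed extensions are assumptions.

```python
import posixpath
import re

# Assumed location of the help pages; the real path depends on the install.
HELP_DIR = "/var/www/interact/help"
# Allow-list for a help page name: a bare file name with one of the
# extensions the help system is assumed to serve. No slashes, no dots
# other than the one before the extension.
HELP_NAME = re.compile(r"^[A-Za-z0-9_-]+\.(html|txt)$")


def lexically_contained(name, base=HELP_DIR):
    """Join `name` onto `base`, normalise away "." and "..", and report
    whether the result still lies under `base`. Returns (ok, target).
    posixpath.join replaces `base` entirely when `name` is absolute, which
    is why the containment check is needed and not just normpath."""
    target = posixpath.normpath(posixpath.join(base, name))
    return posixpath.commonpath([base, target]) == base, target


def resolve_include(name, base=HELP_DIR):
    """Return (path, "ok") for a name that is safe to include, otherwise
    (None, reason). The NUL check comes first because C-level file APIs
    would silently truncate the name at the NUL byte."""
    if "\x00" in name:
        return None, "NUL byte"
    contained, target = lexically_contained(name, base)
    if not contained:
        return None, "escapes base directory"
    if not HELP_NAME.match(name):
        return None, "not an allowed help page name"
    return target, "ok"


if __name__ == "__main__":
    # Constructed inputs: one legitimate name and the usual LFI probes.
    for candidate in ("intro.html", "../../../../etc/passwd", "/etc/passwd",
                      "intro.html\x00.jpg", "..%2F..%2Fetc%2Fpasswd",
                      "sub/intro.html"):
        print(repr(candidate), "->", resolve_include(candidate))
```

The containment check is purely lexical: it does not follow symlinks, so on a live system you would resolve the final path with os.path.realpath before the comparison. The "..%2F" case is kept on purpose: if the web server has not decoded it, it is just an odd file name and passes containment, and it is the allow-list that refuses it.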

Red Hat update for acroread

Secunia Advisory: SA31136
Release Date: 2008-07-22


Critical: Highly critical
Impact: Privilege escalation, DoS, System access

Where: From remote

Solution Status: Vendor Patch


Software: Red Hat Enterprise Linux Extras v. 3
Red Hat Enterprise Linux Extras v. 4
RHEL Desktop Supplementary (v. 5 client)
RHEL Supplementary (v. 5 server)

Description:
Red Hat has issued an update for acroread. This fixes a security issue and a vulnerability, which can be exploited by malicious, local users to gain escalated privileges and by malicious people to compromise a user's system.

Solution:
Updated packages are available via Red Hat Network.
http://rhn.redhat.com

Original Advisory:
https://rhn.redhat.com/errata/RHSA-2008-0641.html

Other References:
SA29229:
http://secunia.com/advisories/29229/

SA30832:
http://secunia.com/advisories/30832/

DNS security problem details released

22 July 2008

The cat is out of the bag. Illuminating details about the DNS security problem have been publicised more or less by accident, before Dan Kaminsky has had the opportunity to reveal them at the upcoming Black Hat Conference. The secret of how to launch the simplified cache poisoning attack is apparently "in bailiwick records". Bailiwick checking ensures that a caching nameserver does not accept any unrequested additional resource records if they do not come from the queried domain, i.e. out of bailiwick. This is how the server prevents being slipped an entry for www.noexample.com when it is querying www.example.com.

More: http://www.heise-online.co.uk/security/DNS-security-problem-details-released--/news/111145

DNS Implementations Vulnerable to Cache Poisoning

updated July 22, 2008 at 07:50 am

US-CERT is aware of deficiencies in the DNS protocol. Implementations of this protocol may leave the affected system vulnerable to DNS cache poisoning attacks. If an attacker can successfully conduct a cache poisoning attack, they may be able to cause a nameserver's clients to contact the incorrect, and possibly malicious, hosts for particular services. This may allow an attacker to obtain sensitive information or mislead users into believing they are visiting a legitimate website.

UPDATE: Technical details regarding this vulnerability have been posted to public websites. Attackers could use these details to construct exploit code. Users are encouraged to patch vulnerable systems immediately.

US-CERT encourages users to review "VU#800113 - Multiple DNS implementations vulnerable to cache poisoning" and apply any necessary solutions listed in that document to help mitigate the risks.

US-CERT will provide additional information as it becomes available.

http://www.us-cert.gov/current/current_activity.html#dns_implementations_vulnerable_to_cache
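
To make the bailiwick point in the heise item and the US-CERT note concrete, here is an added example (my own code, not from either article, BIND, or any resolver): a minimal bailiwick filter run over two constructed forged replies. The first is the www.noexample.com case the heise text describes and is dropped. The second goes beyond the text to the shape of the attack that was being discussed at the time: the resolver is made to ask for a random, uncached name under the target zone, and the forged reply carries an NS record for the whole zone plus glue for that nameserver. Every record is in bailiwick, so the filter keeps it all, which is why bailiwick checking alone is not the fix and VU#800113's source-port randomisation matters. Records are plain tuples; wire-format parsing is left out, and the IPs are from the 203.0.113.0/24 documentation range.

```python
def in_bailiwick(owner, zone):
    """True if `owner` is `zone` itself or a name below it."""
    owner, zone = owner.rstrip(".").lower(), zone.rstrip(".").lower()
    return owner == zone or owner.endswith("." + zone)


def filter_response(zone, response):
    """Keep only records whose owner lies at or under `zone`, the zone the
    resolver is currently asking about (its bailiwick). Returns (kept,
    dropped). Records are (owner, type, rdata) tuples."""
    kept, dropped = [], []
    for section in ("answer", "authority", "additional"):
        for rr in response.get(section, []):
            (kept if in_bailiwick(rr[0], zone) else dropped).append(rr)
    return kept, dropped


def reply_accepted(query, reply):
    """Before bailiwick filtering even applies, a reply is only considered
    when it matches the outstanding query's transaction id, the port the
    query went out from, and the question. With a fixed source port the
    attacker only has to guess the 16-bit id; randomising the port is what
    VU#800113 adds to the search space."""
    return (reply["txid"] == query["txid"]
            and reply["dport"] == query["sport"]
            and reply["qname"].lower() == query["qname"].lower())


# Constructed forged replies (not captured traffic).
# 1) Classic out-of-bailiwick poisoning: an answer for www.example.com that
#    smuggles an A record for an unrelated name in the additional section.
FORGED_CLASSIC = {
    "answer": [("www.example.com", "A", "203.0.113.10")],
    "additional": [("www.noexample.com", "A", "203.0.113.66")],
}
# 2) Random-subdomain variant: no answer for the uncached name, but an
#    authority record re-delegating example.com to a nameserver whose glue
#    points at the attacker. All owners are inside example.com.
FORGED_KAMINSKY = {
    "answer": [],
    "authority": [("example.com", "NS", "ns.example.com")],
    "additional": [("ns.example.com", "A", "203.0.113.66")],
}


def demo():
    return {
        "classic": filter_response("example.com", FORGED_CLASSIC),
        "random_subdomain": filter_response("example.com", FORGED_KAMINSKY),
    }


if __name__ == "__main__":
    for label, (kept, dropped) in demo().items():
        print(f"{label}: kept={kept} dropped={dropped}")
```

Note that the second reply is "correct" as far as the bailiwick rule is concerned: a real delegation response from the parent looks exactly like this. The resolver cannot tell forged from genuine by content, only by whether the reply matches a query it actually sent, which is why the defence is in the id and port entropy rather than in stricter record filtering.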
