VULNERABILITIES \ FIXES - November 10, 2008

Nov 10, 2008 12:21AM PST

MoinMoin Full Path Disclosure Weakness

Release Date: 2008-11-10

Critical:
Not critical
Impact: Exposure of system information

Where: From remote
Solution Status: Unpatched


Software: MoinMoin 1.x

Description:
Xia Shing Zee has discovered a weakness in MoinMoin, which can be exploited by malicious people to disclose system information.

The weakness is caused due to the application displaying the full installation path in an error report, when an HTTP request for an overly long URL is received.

The weakness is confirmed in version 1.8.0 (standalone server mode). Other versions may also be affected.

Solution:
Filter HTTP requests for overly long URLs in a proxy.

Provided and/or discovered by:
Xia Shing Zee

Ubuntu update for dovecot
Nov 10, 2008 12:23AM PST

MyioSoft Products "rsargs" SQL Injection Vulnerability
Nov 10, 2008 12:24AM PST

Release Date: 2008-11-10

Critical:
Moderately critical
Impact: Manipulation of data
Exposure of sensitive information

Where: From remote
Solution Status: Unpatched


Software: AjaxPortal 3.x
EasyCalendar 4.x
MyioSoft EasyBookMarker 4.x


Description:
ZoRLu has discovered a vulnerability in multiple MyioSoft products, which can be exploited by malicious people to conduct SQL injection attacks.

Input passed in the "rsargs" parameter to the "loginADP()" function in ajaxp.php (via the username value) is not properly sanitised before being used in SQL queries. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code.

This vulnerability is confirmed in the following products:
- AjaxPortal 3.0
- EasyBookMarker 4.0
- EasyCalendar 4.0

Solution:
Edit the source code to ensure that input is properly sanitised.

Provided and/or discovered by:
ZoRLu

Original Advisory:
http://milw0rm.com/exploits/7044
http://milw0rm.com/exploits/7045
http://milw0rm.com/exploits/7046

Anti-Trojan Elite Atepmon.sys IOCTL Handling Vulnerability
Nov 10, 2008 12:25AM PST

Release Date: 2008-11-10

Critical:
Less critical
Impact: Privilege escalation
DoS

Where: Local system
Solution Status: Unpatched


Software: Anti-Trojan Elite 4.x

Description:
alex has discovered a vulnerability in Anti-Trojan Elite, which can be exploited by malicious, local users to cause a DoS (Denial of Service) or potentially gain escalated privileges.

The vulnerability is caused due to the Atepmon.sys driver improperly validating parameters received via IOCTL code 0x00222494. This can be exploited to cause a system crash or potentially execute arbitrary code in kernel space.

Successful exploitation requires that the Anti-Trojan Elite GUI is not running.

The vulnerability is confirmed in version 4.2.2. Other versions may also be affected.

Solution:
Restrict local access to trusted users only.

Provided and/or discovered by:
alex, NT Internals

Original Advisory:
http://www.ntinternals.org/ntiadv0802/ntiadv0802.html

Sun Solaris DHCP Request Handling Vulnerabilities
Nov 10, 2008 12:26AM PST

Release Date: 2008-11-10

Critical:
Moderately critical
Impact: DoS
System access

Where: From local network
Solution Status: Vendor Patch


OS: Sun Solaris 10
Sun Solaris 8
Sun Solaris 9

Description:
Some vulnerabilities have been reported in Sun Solaris, which can be exploited by malicious people to cause a DoS (Denial of Service) or potentially compromise a vulnerable system.

Solution:
Apply patches.

Provided and/or discovered by:
Reported by the vendor.

Original Advisory:
http://sunsolve.sun.com/search/document.do?assetkey=1-66-243806-1

Sun Solstice X.25 Local Denial of Service
Nov 10, 2008 12:27AM PST

Release Date: 2008-11-10

Critical:
Not critical
Impact: DoS

Where: Local system
Solution Status: Vendor Patch


Software: Solstice X.25 9.x

Description:
A vulnerability has been reported in Solstice X.25, which can be exploited by malicious, local users to cause a DoS (Denial of Service).

The vulnerability is caused due to an error allowing users with read permissions for "/dev/xty" (all users by default) to cause a panic on systems with multiple CPUs.

Solution:
Apply patches.

X.25 9.2 (for Solaris 8, 9 and 10 on SPARC):
http://sunsolve.sun.com/search/docume...setkey=urn:cds:docid:1-21-108669-21-1

X.25 9.2 (for Solaris 8, 9 and 10 on x86):
http://sunsolve.sun.com/search/docume...setkey=urn:cds:docid:1-21-108670-21-1

Provided and/or discovered by:
Reported by the vendor.

Original Advisory:
http://sunsolve.sun.com/search/document.do?assetkey=1-66-243106-1

Debian update for net-snmp
Nov 10, 2008 12:29AM PST

Release Date: 2008-11-10

Critical:
Less critical
Impact: Spoofing
DoS
System access

Where: From local network
Solution Status: Vendor Patch


OS: Debian GNU/Linux 4.0
Debian GNU/Linux unstable alias sid

Description:
Debian has issued an update for net-snmp. This fixes some vulnerabilities, which can be exploited by malicious people to spoof authenticated SNMPv3 packets, cause a DoS (Denial of Service), and compromise a vulnerable system.

Solution:
Apply updated packages.

Original Advisory:
DSA-1663-1:
http://lists.debian.org/debian-security-announce/2008/msg00255.html

Other References:
SA30187:
http://secunia.com/advisories/30187/

SA30574:
http://secunia.com/advisories/30574/

SA32560:
http://secunia.com/advisories/32560/

ClamAV "get_unicode_name()" Off-By-One Vulnerability
Nov 10, 2008 12:30AM PST

Release Date: 2008-11-10

Critical:
Moderately critical
Impact: DoS
System access

Where: From remote
Solution Status: Vendor Patch


Software: Clam AntiVirus (clamav) 0.x

Description:
Moritz Jodeit has reported a vulnerability in ClamAV, which can be exploited by malicious people to cause a DoS (Denial of Service) or potentially compromise a vulnerable system.

The vulnerability is caused due to an off-by-one error within the "get_unicode_name()" function in libclamav/vba_extract.c. This can be exploited to cause a heap-based buffer overflow with a zero byte via a specially crafted VBA project.

Successful exploitation may allow execution of arbitrary code.

Solution:
Update to version 0.94.1.

Provided and/or discovered by:
Moritz Jodeit

Original Advisory:
ClamAV:
http://sourceforge.net/project/showno...?release_id=637952&group_id=86638

Moritz Jodeit:
http://lists.grok.org.uk/pipermail/full-disclosure/2008-November/065530.html

Gentoo update for gallery
Nov 10, 2008 12:31AM PST

Release Date: 2008-11-10

Critical:
Less critical
Impact: Exposure of system information
Exposure of sensitive information
Cross Site Scripting

Where: From remote
Solution Status: Vendor Patch


OS: Gentoo Linux 1.x

Description:
Gentoo has issued an update for gallery. This fixes some vulnerabilities, which can be exploited by malicious users to conduct script insertion attacks and disclose potentially sensitive information.

Solution:
Gallery 1 users:
Update to "www-apps/gallery-1.5.9" or later.

Gallery 2 users:
Update to "www-apps/gallery-2.2.6" or later.

Original Advisory:
GLSA-200811-02:
http://www.gentoo.org/security/en/glsa/glsa-200811-02.xml

Other References:
SA31367:
http://secunia.com/advisories/31367/

SA31858:
http://secunia.com/advisories/31858/

SA31912:
http://secunia.com/advisories/31912/

Gentoo update for faad2
Nov 10, 2008 12:32AM PST

Release Date: 2008-11-10

Critical:
Moderately critical
Impact: DoS
System access

Where: From remote
Solution Status: Vendor Patch


OS: Gentoo Linux 1.x

Description:
Gentoo has issued an update for faad2. This fixes a vulnerability, which potentially can be exploited by malicious people to compromise a user's system.

Solution:
Update to "media-libs/faad2-2.6.1-r2" or later.

Original Advisory:
GLSA-200811-03:
http://www.gentoo.org/security/en/glsa/glsa-200811-03.xml

Other References:
SA32006:
http://secunia.com/advisories/32006/

Gentoo update for graphviz
Nov 10, 2008 12:34AM PST

Release Date: 2008-11-10

Critical:
Moderately critical
Impact: System access

Where: From remote
Solution Status: Vendor Patch


OS: Gentoo Linux 1.x

Description:
Gentoo has issued an update for graphviz. This fixes a vulnerability, which can be exploited by malicious people to compromise a user's system.

Solution:
Update to "media-gfx/graphviz-2.20.3" or later.

Original Advisory:
GLSA-200811-04:
http://www.gentoo.org/security/en/glsa/glsa-200811-04.xml

Other References:
SA32186:
http://secunia.com/advisories/32186/

TYPO3 phpMyAdmin Extension "db" Cross-Site Scripting Vulnera
Nov 10, 2008 12:35AM PST

Release Date: 2008-11-10

Critical:
Less critical
Impact: Cross Site Scripting

Where: From remote
Solution Status: Vendor Patch


Software: phpMyAdmin (phpmyadmin) Extension for TYPO3 4.x


Description:
A vulnerability has been reported in the phpMyAdmin extension for TYPO3, which can be exploited by malicious people to conduct cross-site scripting attacks.

Solution:
Update to version 4.1.1:
http://typo3.org/extensions/repository/view/phpmyadmin/4.1.1/

Original Advisory:
http://typo3.org/teams/security/security-bulletins/typo3-20081110-1/

Other References:
SA32449:
http://secunia.com/advisories/32449/

Trac Multiple Vulnerabilities
Nov 10, 2008 12:36AM PST

Release Date: 2008-11-10

Critical:
Moderately critical
Impact: Spoofing
DoS

Where: From remote
Solution Status: Vendor Patch


Software: Trac 0.x

Description:
Some vulnerabilities have been reported in Trac, which can be exploited by malicious people to cause a DoS (Denial of Service) or to conduct phishing attacks.

1) An unspecified error in the HTML sanitiser filter can be exploited to conduct phishing attacks.

2) An unspecified error when processing wiki markup can be exploited to cause a DoS.

The vulnerabilities are reported in versions prior to 0.11.2.

Solution:
Update to version 0.11.2.

Provided and/or discovered by:
The vendor credits:
1) Simon Willison
2) Matt Murphy

Original Advisory:
http://trac.edgewall.org/wiki/ChangeLog

Mole Group Rental Script "username" SQL Injection Vulnerabil
Nov 10, 2008 12:37AM PST

Release Date: 2008-11-10

Critical:
Moderately critical
Impact: Manipulation of data

Where: From remote
Solution Status: Unpatched


Software: Mole Group Rental Script

Description:
Cyber-Zone has reported a vulnerability in Mole Group Rental Script, which can be exploited by malicious people to conduct SQL injection attacks.

Input passed to the "username" parameter in admin/index.php is not properly sanitised before being used in SQL queries. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code.

Solution:
Filter malicious characters and character sequences in a web proxy.

Provided and/or discovered by:
Cyber-Zone

Original Advisory:
http://milw0rm.com/exploits/7043

E-topbiz Online Store 1 "user" and "cat_id" SQL Injection V
Nov 10, 2008 12:38AM PST

E-topbiz Online Store 1 "user" and "cat_id" SQL Injection Vulnerabilities


Release Date: 2008-11-10

Critical:
Moderately critical
Impact: Manipulation of data
Exposure of sensitive information

Where: From remote
Solution Status: Unpatched


Software: E-topbiz Online Store 1

Description:
Some vulnerabilities have been reported in E-topbiz Online Store 1, which can be exploited by malicious people to conduct SQL injection attacks.

Solution:
Edit the source code to ensure that input is properly sanitised.

Provided and/or discovered by:
1) ZoRLu
2) Stack

Original Advisory:
1) http://milw0rm.com/exploits/7041
2) http://milw0rm.com/exploits/7048

Mini Web Calendar Cross-Site Scripting and Local File Disclo
Nov 10, 2008 12:39AM PST

Mini Web Calendar Cross-Site Scripting and Local File Disclosure

Release Date: 2008-11-10

Critical:
Moderately critical
Impact: Cross Site Scripting
Exposure of system information
Exposure of sensitive information

Where: From remote
Solution Status: Unpatched


Software: Mini Web Calendar 1.x

Description:
ahmadbady has discovered two vulnerabilities in Mini Web Calendar, which can be exploited by malicious people to conduct cross-site scripting attacks or to disclose sensitive information.

Solution:
Edit the source code to ensure that input is properly sanitised and verified.

Use another product.

Provided and/or discovered by:
ahmadbady

Original Advisory:
http://milw0rm.com/exploits/7049

E-topbiz Number Links 1 "id" SQL Injection Vulnerability
Nov 10, 2008 12:40AM PST

Release Date: 2008-11-10

Critical:
Moderately critical
Impact: Manipulation of data
Exposure of sensitive information

Where: From remote
Solution Status: Unpatched


Software: E-topbiz Number Links 1

Description:
Hussin X has reported a vulnerability in E-topbiz Number Links 1, which can be exploited by malicious people to conduct SQL injection attacks.

Input passed to the "id" parameter in admin/admin_catalog.php (when "action" is set to "edit") is not properly sanitised before being used in SQL queries. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code.

Solution:
Edit the source code to ensure that input is properly sanitised.

Provided and/or discovered by:
Hussin X

Original Advisory:
http://milw0rm.com/exploits/7050

TYPO3 eluna_pagecomments Extension Cross-Site Scripting and
Nov 10, 2008 12:42AM PST

TYPO3 eluna_pagecomments Extension Cross-Site Scripting and SQL Injection

Release Date: 2008-11-10

Critical:
Moderately critical
Impact: Cross Site Scripting
Manipulation of data

Where: From remote
Solution Status: Unpatched


Software: eLuna Page Comments (eluna_pagecomments) Extension for TYPO3 1.x

Description:
Some vulnerabilities have been reported in the eluna_pagecomments extension for TYPO3, which can be exploited by malicious people to conduct cross-site scripting and SQL injection attacks.

The vulnerabilities are reported in version 1.1.2. Other versions may also be affected.

Solution:
Filter malicious characters and character sequences in a proxy.

Provided and/or discovered by:
The vendor credits Rove Monteux.

Original Advisory:
http://typo3.org/teams/security/security-bulletins/typo3-20081110-2/

Domain Seller Pro "id" SQL Injection Vulnerability
Nov 10, 2008 12:43AM PST

Release Date: 2008-11-10

Critical:
Moderately critical
Impact: Manipulation of data

Where: From remote
Solution Status: Unpatched


Software: Domain Seller Pro 1.x

Description:
TR-ShaRk has reported a vulnerability in Domain Seller Pro, which can be exploited by malicious people to conduct SQL injection attacks.

Input passed to the "id" parameter in index.php is not properly sanitised before being used in SQL queries. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code.

The vulnerability is reported in version 1.5. Other versions may also be affected.

Solution:
Edit the source code to ensure that input is properly sanitised.

Provided and/or discovered by:
TR-ShaRk

Original Advisory:
http://milw0rm.com/exploits/7052

MyioSoft EasyBookMarker "Parent" SQL Injection Vulnerability
Nov 10, 2008 12:44AM PST

Release Date: 2008-11-10

Critical:
Moderately critical
Impact: Manipulation of data
Exposure of sensitive information

Where: From remote
Solution Status: Unpatched


Software: MyioSoft EasyBookMarker 4.x

Description:
G4N0K has discovered a vulnerability in MyioSoft EasyBookMarker, which can be exploited by malicious people to conduct SQL injection attacks.

Input passed to the "Parent" parameter in plugins/bookmarker/bookmarker_backend.php is not properly sanitised before being used in SQL queries. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code.

This vulnerability is confirmed in version 4.0. Other versions may also be affected.

Solution:
Edit the source code to ensure that input is properly sanitised.

Provided and/or discovered by:
G4N0K

Original Advisory:
http://milw0rm.com/exploits/7053

Anti-Keylogger Elite "AKEProtect.sys" IOCTL Handling Vulnera
Nov 10, 2008 12:45AM PST

Release Date: 2008-11-10

Critical:
Less critical
Impact: Privilege escalation
DoS

Where: Local system
Solution Status: Unpatched


Software: Anti-Keylogger Elite 3.x

Description:
alex has discovered some vulnerabilities in Anti-Keylogger Elite, which can be exploited by malicious, local users to cause a DoS (Denial of Service) or to potentially gain escalated privileges.

The vulnerabilities are caused due to the "AKEProtect.sys" driver improperly validating parameters received via IOCTL codes 0x002224A4, 0x002224C0, and 0x002224CC. This can be exploited to cause a system crash or potentially execute arbitrary code in kernel space.

Successful exploitation requires that the Anti-Keylogger Elite GUI is not running.

The vulnerabilities are confirmed in version 3.3.3. Other versions may also be affected.

Solution:
Restrict local access to trusted users only.

Provided and/or discovered by:
alex, NT Internals

Original Advisory:
http://www.ntinternals.org/ntiadv0802/ntiadv0802.html

Enthusiast "path" File Inclusion Vulnerability
Nov 10, 2008 12:47AM PST

Release Date: 2008-11-10

Critical:
Highly critical
Impact: System access

Where: From remote
Solution Status: Unpatched


Software: Enthusiast 3.x



Description:
AmnPardaz Security Research Team has discovered a vulnerability in Enthusiast, which can be exploited by malicious people to compromise a vulnerable system.

Input passed to the "path" parameter in show_joined.php is not properly verified before being used to include files. This can be exploited to include arbitrary files from local or external resources.

Successful exploitation requires that "register_globals" is enabled.

The vulnerability is confirmed in version 3.1.4. Other versions may also be affected.

Solution:
Edit the source code to ensure that input is properly verified.

Provided and/or discovered by:
AmnPardaz Security Research Team

Original Advisory:
http://www.bugreport.ir/index_57.htm

GnuTLS X.509 Certificate Chain Validation Vulnerability
Nov 10, 2008 12:48AM PST

Release Date: 2008-11-10

Critical:
Moderately critical
Impact: Security Bypass
Spoofing

Where: From remote
Solution Status: Vendor Patch


Software: GnuTLS 2.x

Description:
A vulnerability has been reported in GnuTLS, which can be exploited by malicious people to bypass certain security restrictions.

The vulnerability is caused due to an error when validating the X.509 certificate chain and can be exploited to spoof arbitrary names e.g. during a Man-in-the-Middle (MitM) attack.

The vulnerability is reported in versions prior to 2.6.1.

Solution:
Update to version 2.6.1.

Provided and/or discovered by:
The vendor credits Martin von Gagern.

Original Advisory:
http://article.gmane.org/gmane.comp.encryption.gpg.gnutls.devel/3215

V3 Chat Products "admin" Cookie Security Bypass Vulnerabilit
Nov 10, 2008 12:49AM PST

Release Date: 2008-11-10

Critical:
Moderately critical
Impact: Security Bypass

Where: From remote
Solution Status: Unpatched


Software: V3 Chat Live Support 3.x
V3 Chat Profiles/Dating 3.x

Description:
Cyber-Zone has reported a vulnerability in multiple V3 Chat products, which can be exploited by malicious people to bypass certain security restrictions.

The vulnerability is caused due to the applications allowing access to the admin interface by checking if a certain cookie exists. This can be exploited to gain administrative access to the applications by creating the cookie "admin" and assigning it the value "1".

This vulnerability is reported in the following products:
- Profiles/Dating version 3.0.2
- Live Support version 3.0.4

Solution:
Ensure that proper access restrictions are implemented.

Provided and/or discovered by:
Cyber-Zone

Original Advisory:
http://milw0rm.com/exploits/7063
http://milw0rm.com/exploits/7069
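
The flaw described in the V3 Chat advisory above, modelled next to a hardened check; this is an added example, not code from the advisory or from the V3 Chat products. The `session` cookie name, the token layout and the function names are assumptions made for the illustration, and session expiry is left out to keep the focus on the role check.

```python
import hashlib
import hmac
import secrets

# Constructed for the example; a real deployment loads this from protected configuration.
SERVER_KEY = secrets.token_bytes(32)


def is_admin_weak(cookies):
    """The pattern the advisory describes: the client states its own privilege."""
    return cookies.get("admin") == "1"


def _mac(user, role, key):
    return hmac.new(key, f"{user}|{role}".encode(), hashlib.sha256).hexdigest()


def issue_session(user, role, key=SERVER_KEY):
    """Called only after a successful login; binds user and role to a server-made MAC."""
    if "|" in user or "|" in role:
        raise ValueError("separator not allowed in user or role")
    return f"{user}|{role}|{_mac(user, role, key)}"


def is_admin_hardened(cookies, key=SERVER_KEY):
    """Grant admin only when the role is covered by a MAC the server produced."""
    parts = cookies.get("session", "").split("|")
    if len(parts) != 3:
        return False
    user, role, tag = parts
    expected = _mac(user, role, key)
    # Constant-time comparison on bytes, so odd client input cannot raise.
    if not hmac.compare_digest(tag.encode(), expected.encode()):
        return False
    return role == "admin"
```
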

Orb Networks Orb Directory Traversal Vulnerability
Nov 10, 2008 12:50AM PST

Release Date: 2008-11-10

Critical:
Less critical
Impact: Exposure of system information
Exposure of sensitive information

Where: From local network
Solution Status: Vendor Patch


Software: Orb 2.x

Description:
A vulnerability has been reported in Orb, which can be exploited by malicious people to disclose sensitive information.

The vulnerability is caused due to an input validation error when processing HTTP GET requests. This can be exploited to read arbitrary files from the affected system via directory traversal attacks.

The vulnerability is reported in versions prior to 2.01.0022.

Solution:
Update to version 2.01.0022.

Provided and/or discovered by:
Digital Defense

Original Advisory:
DDIVRT-2008-17:
http://lists.grok.org.uk/pipermail/full-disclosure/2008-November/065491.html

Arab Portal "file" File Disclosure Vulnerability
Nov 10, 2008 12:51AM PST

Release Date: 2008-11-10

Critical:
Moderately critical
Impact: Exposure of sensitive information

Where: From remote
Solution Status: Unpatched


Software: Arab Portal 2.x

Description:
IRCRASH has reported a vulnerability in Arab Portal, which can be exploited by malicious people to disclose sensitive information.

Input passed via the "file" parameter in mod.php (when "mod" is set to "html" and "modfile" is set to "show") is not properly verified before being used to display files. This can be exploited to display arbitrary files from local resources via directory traversal attacks.

Successful exploitation may require that the script runs on a Windows System.

This vulnerability is reported in version 2.1. Other versions may also be affected.

Solution:
Edit the source code to ensure that input is properly verified.

Provided and/or discovered by:
IRCRASH

Original Advisory:
http://www.milw0rm.com/exploits/7019

Mole Group Airline Ticket Sale Script "flight" SQL Injection
Nov 10, 2008 1:04AM PST

Release Date: 2008-11-10

Critical:
Moderately critical
Impact: Manipulation of data

Where: From remote
Solution Status: Unpatched


Software: Mole Group Airline Ticket Sale Script

Description:
Cyb3r-1sT has reported a vulnerability in Mole Group Airline Ticket Sale Script, which can be exploited by malicious people to conduct SQL injection attacks.

Input passed to the "flight" parameter in info.php is not properly sanitised before being used in an SQL query. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code.

Solution:
Filter malicious characters and character sequences in a web proxy.

Provided and/or discovered by:
Cyb3r-1sT

Original Advisory:
http://milw0rm.com/exploits/7009

Mole Group Taxi Google Api Script "login.php" SQL Injection
Nov 10, 2008 1:05AM PST

Release Date: 2008-11-10

Critical:
Moderately critical
Impact: Manipulation of data

Where: From remote
Solution Status: Unpatched


Software: Mole Group Taxi Google Api Script

Description:
Cyb3r-1sT has reported a vulnerability in Mole Group Taxi Google Api Script, which can be exploited by malicious people to conduct SQL injection attacks.

Input passed via the user name to login.php is not properly sanitised before being used in an SQL query. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code.

Solution:
Filter malicious characters and character sequences in a web proxy.

Provided and/or discovered by:
Cyb3r-1sT

Original Advisory:
http://milw0rm.com/exploits/7010

IBM Lotus Quickr Cross-Site Scripting Vulnerabilities
Nov 10, 2008 1:06AM PST

Release Date: 2008-11-10

Critical:
Less critical
Impact: Cross Site Scripting

Where: From remote
Solution Status: Vendor Patch


Software: IBM Lotus Quickr 8.x

Description:
Some vulnerabilities have been reported in IBM Lotus Quickr, which can be exploited by malicious people to conduct cross-site scripting attacks.

Unspecified input is not properly sanitised before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user's browser session in context of an affected site.

Solution:
Update to version 8.1.0.2.

Provided and/or discovered by:
Reported by the vendor.

Original Advisory:
IBM (THES7F9NVR, CWIR7KMPVP):
http://www-01.ibm.com/support/docview.wss?uid=swg27013341

x10 Automatic MP3 Script "url" File Disclosure Vulnerability
Nov 10, 2008 1:07AM PST

Release Date: 2008-11-10

Critical:
Moderately critical
Impact: Exposure of sensitive information

Where: From remote
Solution Status: Unpatched


Software: x10 Automatic MP3 Script 1.x

Description:
THUNDER has reported a vulnerability in x10 Automatic MP3 Script, which can be exploited by malicious people to disclose potentially sensitive information.

Input passed to the "url" parameter in download.php is not properly verified before being used. This can be exploited to e.g. download arbitrary local files.

The vulnerability is reported in version 1.6. Other versions may also be affected.

Solution:
Edit the source code to ensure that input is properly verified.

Provided and/or discovered by:
THUNDER

Original Advisory:
http://milw0rm.com/exploits/7074

Openfire "AuthCheck" Filter Security Bypass Vulnerability
Nov 10, 2008 1:08AM PST

Release Date: 2008-11-10

Critical:
Moderately critical
Impact: Security Bypass

Where: From remote
Solution Status: Unpatched


Software: Openfire 3.6.x

Description:
Andreas Kurtz has discovered a vulnerability in Openfire, which can be exploited by malicious people to bypass certain security restrictions.

The vulnerability is caused due to an error in the "AuthCheck" filter when imposing access restrictions. This can be exploited to access administrative resources without authentication by using a specially crafted URL containing the "setup/setup-" string followed by directory traversal sequences.

NOTE: An SQL injection in the SIP plugin has also been reported.

The vulnerability is confirmed in version 3.6.0a. Other versions may also be affected.

Solution:
Restrict access to the administrative interface.

Provided and/or discovered by:
Andreas Kurtz

Original Advisory:
http://www.andreas-kurtz.de/advisories/AKADV2008-001-v1.0.txt
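
A Python model of the exclusion logic described in the Openfire advisory above, with a canonicalising replacement and a log check a proxy or reviewer could run; this is an added example, not Openfire's own code. The page names (`setup-step1.jsp`, `admin-page.jsp`), the log layout and all function names are hypothetical.

```python
import posixpath
from urllib.parse import unquote

EXCLUDE_MARKER = "setup/setup-"      # string named in the advisory
EXCLUDE_PREFIX = "/setup/setup-"     # what the exemption is meant to cover


def skips_auth_weak(url):
    """Model of the flaw: substring match on the raw, un-normalised URL."""
    return EXCLUDE_MARKER in url


def canonical_path(url):
    """Return the decoded, collapsed path, or None if it is not trustworthy."""
    path = url.split("?", 1)[0].split("#", 1)[0]
    for _ in range(3):               # bounded decoding handles double encoding
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    if unquote(path) != path:        # still encoded after three rounds
        return None
    path = path.replace("\\", "/")
    if not path.startswith("/") or ".." in path.split("/"):
        return None
    return "/" + posixpath.normpath(path).lstrip("/")


def skips_auth_hardened(url):
    """Exempt a request only if its canonical path sits under the setup prefix."""
    path = canonical_path(url)
    return path is not None and path.startswith(EXCLUDE_PREFIX)


def decide(url, authenticated):
    """Filter decision: 'reject' traversal, 'allow' setup or authenticated, else 'login'."""
    if canonical_path(url) is None:
        return "reject"
    if skips_auth_hardened(url) or authenticated:
        return "allow"
    return "login"


# Constructed access-log lines: client, method, request target, status.
SAMPLE_LOG = [
    "192.0.2.10 GET /setup/setup-step1.jsp 200",
    "192.0.2.44 GET /setup/setup-/../../admin-page.jsp 200",
    "192.0.2.44 GET /setup/setup-/%2e%2e/%2e%2e/admin-page.jsp 200",
    "192.0.2.10 GET /admin-page.jsp 302",
]


def flag_suspicious(lines):
    """Return log lines that carry the exemption marker together with traversal."""
    hits = []
    for line in lines:
        url = line.split()[2]
        if EXCLUDE_MARKER in url and canonical_path(url) is None:
            hits.append(line)
    return hits
```
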