Spyware, Viruses, & Security forum

VULNERABILITIES \ FIXES - November 11, 2008

by Marianna Schmudlach / November 11, 2008 12:37 AM PST

SAP GUI MDrmSap ActiveX Control Code Execution Vulnerability

Release Date: 2008-11-11

Critical:
Highly critical
Impact: System access

Where: From remote
Solution Status: Vendor Patch


Software: SAP GUI 6.x
SAP GUI 7.x

Description:
A vulnerability has been reported in SAPgui, which can be exploited by malicious people to compromise a user's system.

The vulnerability is caused due to an unspecified error in the bundled MDrmSap ActiveX control (mdrmsap.dll). This can be exploited to compromise a user's system by e.g. tricking the user into visiting a malicious website.

Solution:
The vendor has reportedly issued a patch via SAP Note 1142431.
http://service.sap.com/sap/support/notes/1142431

Provided and/or discovered by:
Will Dormann, CERT/CC.

Original Advisory:
US-CERT VU#277313:
http://www.kb.cert.org/vuls/id/277313

Dizi Film Portal "film" SQL Injection Vulnerability
by Marianna Schmudlach / November 11, 2008 12:38 AM PST

Release Date: 2008-11-11

Critical:
Moderately critical
Impact: Manipulation of data
Exposure of sensitive information

Where: From remote
Solution Status: Unpatched


Software: Dizi Film Portal

Description:
Kaan KAMIS has discovered a vulnerability in Dizi Film Portal, which can be exploited by malicious people to conduct SQL injection attacks.

Input passed to the "film" parameter in film.asp is not properly sanitised before being used in SQL queries. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code.

Solution:
Edit the source code to ensure that input is properly sanitised.

Provided and/or discovered by:
Kaan KAMIS

http://secunia.com/advisories/32675/

WIMS "account.sh" Insecure Temporary Files
by Marianna Schmudlach / November 11, 2008 12:39 AM PST

Release Date: 2008-11-11

Critical:
Not critical
Impact: Privilege escalation

Where: Local system
Solution Status: Unpatched


Software: WIMS 3.x

Description:
A security issue has been reported in WIMS, which can be exploited by malicious, local users to perform certain actions with escalated privileges.

The security issue is caused due to the "bin/account.sh" script using temporary files in an insecure manner. This can be exploited to erase the content of arbitrary files via symlink attacks.

The security issue affects version 3.64. Other versions may also be affected.

Solution:
Restrict local access to trusted users only.

Provided and/or discovered by:
Reported by Dmitry E. Oboukhov in a Debian bug report.

Original Advisory:
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=496387

Linux Kernel Denial of Service Vulnerabilities
by Marianna Schmudlach / November 11, 2008 12:41 AM PST
WOW Raid Manager "auth_phpbb3.php" Authentication Bypass
by Marianna Schmudlach / November 11, 2008 12:42 AM PST

Release Date: 2008-11-11

Critical:
Moderately critical
Impact: Security Bypass

Where: From remote
Solution Status: Vendor Patch


Software: WOW Raid Manager 3.x

Description:
A vulnerability has been reported in WOW Raid Manager, which can be exploited by malicious people to bypass certain security restrictions.

The vulnerability is caused due to the "auth/auth_phpbb3.php" script improperly interpreting the return value of the "CheckPassword()" function. This can be exploited to gain access to the application by logging in with an arbitrary password.

The vulnerability is reported in versions prior to 3.6.0.

Solution:
Update to version 3.6.0.

Provided and/or discovered by:
Reported by the vendor.

Original Advisory:
http://github.com/Illydth/wowraidmana...6367ae85003dd5d715431b6ab695f2c2f200a
http://www.wowraidmanager.net/e107_plugins/forum/forum_viewtopic.php?2153
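The post above says the login code misread what CheckPassword() returned and so let anyone in with an arbitrary password. The following Python program is an added illustration of that class of defect, not code from WOW Raid Manager or phpBB3, and the page does not say which comparison the vulnerable script actually used; the hashing scheme, the user store and the "is not None" test in the vulnerable caller are assumptions chosen to show how a boolean result gets mistaken for "the check ran" rather than "the check passed".

```python
import hashlib
import hmac
import os

ITERATIONS = 50_000

def hash_password(password, salt=None):
    """Salted PBKDF2 hash stored as salt$digest (constructed scheme, not phpBB3's)."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt.hex() + "$" + digest.hex()

def check_password(password, stored):
    """Stands in for CheckPassword(): returns True on a match, False otherwise."""
    salt_hex, digest_hex = stored.split("$", 1)
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                    bytes.fromhex(salt_hex), ITERATIONS)
    return hmac.compare_digest(candidate.hex(), digest_hex)

def login_vulnerable(users, username, password):
    """Treats 'the check returned a value' as 'the check passed'. False is a value
    too, so every password is accepted for every known user (assumed pattern)."""
    stored = users.get(username)
    if stored is None:
        return False
    result = check_password(password, stored)
    if result is not None:
        return True
    return False

def login_fixed(users, username, password):
    """Success only on an explicit True; anything else denies."""
    stored = users.get(username)
    if stored is None:
        return False
    return check_password(password, stored) is True

# Constructed user store.
USERS = {"raidleader": hash_password("correct horse battery staple")}

def demo():
    """Returns (vulnerable: wrong password accepted?, fixed: wrong password accepted?,
                fixed: right password accepted?, fixed: unknown user accepted?)."""
    return (login_vulnerable(USERS, "raidleader", "anything"),
            login_fixed(USERS, "raidleader", "anything"),
            login_fixed(USERS, "raidleader", "correct horse battery staple"),
            login_fixed(USERS, "nobody", "anything"))

if __name__ == "__main__":
    print(demo())
```

The defensive habit this shows is deny-by-default: a login path should succeed only on the one value that means success, and every other value, including error codes, empty strings and exceptions, should fall through to a refusal.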

OptiPNG BMP Reader Buffer Overflow Vulnerability
by Marianna Schmudlach / November 11, 2008 12:43 AM PST

Release Date: 2008-11-11

Critical:
Highly critical
Impact: DoS
System access

Where: From remote
Solution Status: Vendor Patch


Software: OptiPNG 0.x

Description:
A vulnerability has been reported in OptiPNG, which potentially can be exploited by malicious people to compromise a user's system.

The vulnerability is caused due to a boundary error in the BMP reader and can be exploited to cause a buffer overflow by tricking a user into processing a specially crafted file.

Successful exploitation may allow execution of arbitrary code.

The vulnerability is reported in versions prior to 0.6.2.

Solution:
Update to version 0.6.2.

Provided and/or discovered by:
Reported by the vendor.

Original Advisory:
http://sourceforge.net/project/showno...release_id=639631&group_id=151404

Sanusart Simple PHP Guestbook Script PHP Code Execution
by Marianna Schmudlach / November 11, 2008 12:44 AM PST

Release Date: 2008-11-11

Critical:
Highly critical
Impact: System access

Where: From remote
Solution Status: Vendor Patch


Software: Sanusart Simple PHP Guestbook Script

Description:
GoLd_M has reported a vulnerability in Sanusart Simple PHP Guestbook Script, which can be exploited by malicious people to compromise a vulnerable system.

Input passed to the "message" parameter in act.php is not properly sanitised before it is written to the "messages.txt" file. This can be exploited to execute PHP by including PHP code in the message body.

Solution:
Update to latest version.
http://www.sanusart.com/php/FREEsimplePHPguestbook.zip

Provided and/or discovered by:
GoLd_M

Original Advisory:
http://milw0rm.com/exploits/7079

op5 Monitor Cross-Site Request Forgery
by Marianna Schmudlach / November 11, 2008 12:45 AM PST

Release Date: 2008-11-11

Critical:
Less critical
Impact: Cross Site Scripting

Where: From remote
Solution Status: Vendor Patch


Software: op5 Monitor 4.x

Description:
A vulnerability has been reported in op5 Monitor, which can be exploited by malicious people to conduct cross-site request forgery attacks.

The application allows users to perform certain actions via HTTP requests without performing any validity checks to verify the request. This can be exploited to execute certain commands (e.g. to disable notifications) when a logged-in administrator visits a malicious web site.

Solution:
Update to version 4.0.1.

Original Advisory:
http://www.op5.com/support/news/389-i...ecurity-fix-available-for-op5-monitor

Other References:
SA32610:
http://secunia.com/advisories/32610/
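The op5 Monitor post describes the shape of a cross-site request forgery: a state-changing request is honoured on the strength of the session cookie alone, which the browser attaches even when the request was triggered from another site. The following Python program is an added illustration and is not op5 code; the endpoint, the command name and the session handling are assumptions. It models the vulnerable handler next to one that requires POST and a per-session token, and runs a forged request against both.

```python
import hmac
import secrets

# Assumed endpoint and command name; op5 Monitor's real URLs and command set are not on the page.
DISABLE_NOTIFICATIONS = "DISABLE_NOTIFICATIONS"

class Monitor:
    def __init__(self):
        self.notifications_enabled = True
        self.sessions = {}            # session cookie -> per-session CSRF token

    def login(self):
        """Administrator logs in; returns the cookie the browser will store and resend."""
        cookie = secrets.token_hex(16)
        self.sessions[cookie] = secrets.token_hex(16)
        return cookie

    def csrf_token_for(self, cookie):
        """Rendered into the site's own forms; a hostile origin cannot read it."""
        return self.sessions[cookie]

    def handle_vulnerable(self, method, path, cookie, params):
        """Obeys any request that carries a valid cookie. Browsers attach cookies to
        cross-site requests as well, so <img src="http://monitor/cmd?cmd=..."> on an
        attacker's page fires this with the administrator's session."""
        if cookie not in self.sessions:
            return 403
        if path == "/cmd" and params.get("cmd") == DISABLE_NOTIFICATIONS:
            self.notifications_enabled = False
            return 200
        return 404

    def handle_fixed(self, method, path, cookie, params):
        """State changes require POST plus the session's token, compared in constant time."""
        expected = self.sessions.get(cookie)
        if expected is None:
            return 403
        if method != "POST":
            return 405
        if not hmac.compare_digest(params.get("csrf_token", ""), expected):
            return 403
        if path == "/cmd" and params.get("cmd") == DISABLE_NOTIFICATIONS:
            self.notifications_enabled = False
            return 200
        return 404

def forged_request(cookie):
    """What the browser sends on the attacker's behalf: the admin's cookie, no token."""
    return ("GET", "/cmd", cookie, {"cmd": DISABLE_NOTIFICATIONS})

def demo():
    """Returns (vulnerable status, notifications disabled after the attack?,
                fixed status for the forged GET, fixed status for a forged POST,
                fixed status for the legitimate POST, notifications disabled after it?)."""
    m = Monitor()
    cookie = m.login()                              # administrator is logged in
    s1 = m.handle_vulnerable(*forged_request(cookie))
    off_after_attack = not m.notifications_enabled

    m = Monitor()
    cookie = m.login()
    s2 = m.handle_fixed(*forged_request(cookie))
    s3 = m.handle_fixed("POST", "/cmd", cookie, {"cmd": DISABLE_NOTIFICATIONS})
    s4 = m.handle_fixed("POST", "/cmd", cookie,
                        {"cmd": DISABLE_NOTIFICATIONS,
                         "csrf_token": m.csrf_token_for(cookie)})
    return s1, off_after_attack, s2, s3, s4, not m.notifications_enabled

if __name__ == "__main__":
    print(demo())
```

The token must be tied to the session and compared with a constant-time function; a fixed site-wide token, or a token checked only on some endpoints, leaves the forgery possible.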

Sweex RO002 Router Undocumented Account Security Issue
by Marianna Schmudlach / November 11, 2008 12:46 AM PST

Release Date: 2008-11-11

Critical:
Less critical
Impact: Security Bypass

Where: From local network
Solution Status: Unpatched


OS: Sweex RO002 Router

Description:
Rob Stout has reported a security issue in the Sweex RO002 Router, which can be exploited by malicious people to bypass certain security restrictions.

The security issue is caused due to the device including an undocumented account for the web configuration interface with a default password ("rdc123" / "rdc123"). This can be exploited to gain access to the LAN web interface and e.g. modify the configuration.

The security issue is reported in firmware version Ts03-072. Other versions may also be affected.

Solution:
Restrict network access to the web configuration interface.

Reportedly, the vendor is working on a fix.

Provided and/or discovered by:
Rob Stout

Joomla! Script Insertion Vulnerabilities
by Marianna Schmudlach / November 11, 2008 12:47 AM PST

Release Date: 2008-11-11

Critical:
Moderately critical
Impact: Cross Site Scripting

Where: From remote
Solution Status: Vendor Patch


Software: Joomla! 1.x



Description:
Some vulnerabilities have been reported in Joomla!, which can be exploited by malicious users and potentially malicious people to conduct script insertion attacks.

The vulnerabilities are reported in version 1.5.7 and prior.

Solution:
Update to version 1.5.8.

Provided and/or discovered by:
The vendor credits:
1) Johan Janssens
2) Gergo Erdosi

Original Advisory:
http://developer.joomla.org/security/...ore-comcontent-xss-vulnerability.html
http://developer.joomla.org/security/...re-comweblinks-xss-vulnerability.html

Zeeways Shaadi Clone Authentication Bypass Vulnerability
by Marianna Schmudlach / November 11, 2008 12:48 AM PST

Release Date: 2008-11-11

Critical:
Moderately critical
Impact: Security Bypass

Where: From remote
Solution Status: Unpatched


Software: Zeeways Shaadi Clone

Description:
G4N0K has reported a vulnerability in Zeeways Shaadi Clone, which can be exploited by malicious people to bypass certain security restrictions.

The vulnerability is caused due to "admin/home.php" not being properly restricted to administrators. This can be exploited to e.g. perform administrative actions by accessing the affected file directly.

Solution:
Ensure that administrative scripts are properly restricted (e.g. via ".htaccess").

Provided and/or discovered by:
G4N0K

Original Advisory:
http://milw0rm.com/exploits/7066

Apertium Insecure Temporary Files
by Marianna Schmudlach / November 11, 2008 12:49 AM PST

Release Date: 2008-11-11

Critical:
Less critical
Impact: Privilege escalation

Where: Local system
Solution Status: Unpatched


Software: Apertium 3.x

Description:
Some security issues have been reported in Apertium, which can be exploited by malicious, local users to perform certain actions with escalated privileges.

The security issues are caused due to the "apertium-gen-deformat", "apertium-gen-reformat", and "apertium" scripts using temporary files in an insecure manner. This can be exploited to delete or overwrite arbitrary files via symlink attacks.

The security issues are reported in version 3.0.7. Other versions may also be affected.

Solution:
Restrict local access to trusted users only.

Provided and/or discovered by:
Reported by Dmitry E. Oboukhov in a Debian bug report.

Original Advisory:
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=496395
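The WIMS and Apertium posts above report the same local issue: scripts that write to a predictable temporary file name, which a local user can pre-create as a symbolic link so that the privileged script truncates or overwrites the link's target. The shell scripts named in the advisories are not on the page; the Python program below is an added illustration of the pattern and of two safe replacements, not code from either project. It assumes a POSIX filesystem (symlinks, O_EXCL, O_NOFOLLOW) and stages the attack inside a private directory so it can be run safely.

```python
import os
import tempfile

def vulnerable_writer(tmp_path, data):
    """The pattern the advisories describe: a fixed, predictable temp path opened for
    writing. open(path, "w") follows a symlink and truncates whatever the link points at."""
    with open(tmp_path, "w") as fh:
        fh.write(data)

def safe_writer(tmp_dir, data):
    """Unpredictable name created atomically with O_EXCL (mkstemp), so a link planted
    in advance is never followed. Returns the path actually used."""
    fd, path = tempfile.mkstemp(dir=tmp_dir)
    with os.fdopen(fd, "w") as fh:
        fh.write(data)
    return path

def safe_open_fixed_name(tmp_path, data):
    """When the name must stay fixed: create-only (O_EXCL) and never follow links
    (O_NOFOLLOW). Raises OSError instead of writing through an attacker's link."""
    flags = os.O_WRONLY | os.O_CREAT | os.O_EXCL | getattr(os, "O_NOFOLLOW", 0)
    fd = os.open(tmp_path, flags, 0o600)
    with os.fdopen(fd, "w") as fh:
        fh.write(data)

def _read(path):
    with open(path) as fh:
        return fh.read()

def _reset(path):
    with open(path, "w") as fh:
        fh.write("keep me\n")

def simulate_symlink_attack():
    """Stages the attack in a private directory and returns
    (victim content after the vulnerable write, after the mkstemp write,
     whether the fixed-name safe open refused, victim content after that refusal)."""
    with tempfile.TemporaryDirectory() as box:
        victim = os.path.join(box, "important.conf")     # stands in for an arbitrary file
        _reset(victim)
        predictable = os.path.join(box, "account.tmp")   # the guessable temp name
        os.symlink(victim, predictable)                  # attacker plants the link first

        vulnerable_writer(predictable, "")               # truncates the victim via the link
        after_vulnerable = _read(victim)

        _reset(victim)
        safe_writer(box, "")                             # random name; victim untouched
        after_safe = _read(victim)

        try:
            safe_open_fixed_name(predictable, "")
            refused = False
        except OSError:                                  # EEXIST: something already sits there
            refused = True
        after_refusal = _read(victim)
    return after_vulnerable, after_safe, refused, after_refusal

if __name__ == "__main__":
    print(simulate_symlink_attack())
```

In a shell script the equivalent of mkstemp is `mktemp`; a script that hard-codes a name under /tmp has the problem regardless of how carefully it cleans up afterwards, because the attacker acts before the script runs. On Linux the `fs.protected_symlinks` sysctl blocks following symlinks owned by other users in world-writable sticky directories, which blunts this class in /tmp but does not fix the script.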

Zeeways PhotoVideoTube Authentication Bypass Vulnerability
by Marianna Schmudlach / November 11, 2008 12:50 AM PST

Release Date: 2008-11-11

Critical:
Moderately critical
Impact: Manipulation of data

Where: From remote
Solution Status: Unpatched


Software: Zeeways PhotoVideoTube

Description:
Mountassif Moad has reported a vulnerability in Zeeways PhotoVideoTube, which can be exploited by malicious people to bypass certain security restrictions.

The vulnerability is caused due to "admin/home.php" not being properly restricted to administrators. This can be exploited to e.g. perform administrative actions by accessing the affected file directly.

Solution:
Ensure that administrative scripts are properly restricted (e.g. via ".htaccess").

Provided and/or discovered by:
Mountassif Moad

Original Advisory:
http://milw0rm.com/exploits/7070

NeoOffice Multiple Vulnerabilities
by Marianna Schmudlach / November 11, 2008 12:52 AM PST
PHP Shop "admin_username" SQL Injection Vulnerability
by Marianna Schmudlach / November 11, 2008 12:53 AM PST

Release Date: 2008-11-11

Critical:
Moderately critical
Impact: Manipulation of data
Exposure of sensitive information

Where: From remote
Solution Status: Unpatched


Software: PHP Shop 1.x

Description:
ZoRLu has reported a vulnerability in PHP Shop, which can be exploited by malicious people to conduct SQL injection attacks.

Input passed to the "admin_username" parameter in login.php is not properly sanitised before being used in SQL queries. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code.

This vulnerability is reported in version 1.0. Other versions may also be affected.

Solution:
Edit the source code to ensure that input is properly sanitised.

Provided and/or discovered by:
ZoRLu

Original Advisory:
http://milw0rm.com/exploits/7025
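The two SQL injection posts in this thread (the "film" parameter in Dizi Film Portal's film.asp and "admin_username" in PHP Shop's login.php) describe the same defect: request input is pasted into SQL text. The Python/sqlite3 program below is an added illustration, not code from either product or from the advisories; the table and column names are assumptions and the rows are constructed. It shows the two consequences the advisories list, exposure of data through a UNION and an authentication bypass through a comment marker, against the vulnerable pattern, and the same inputs against parameterised queries.

```python
import sqlite3

# Constructed sample data; the real schemas of Dizi Film Portal and PHP Shop are not
# on the page, so table and column names here are assumptions.
SAMPLE_FILMS = [(1, "Public film one"), (2, "Public film two")]
SAMPLE_ADMINS = [("admin", "s3cret-admin-pw")]

def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE films (id INTEGER, title TEXT)")
    conn.execute("CREATE TABLE admins (admin_username TEXT, admin_password TEXT)")
    conn.executemany("INSERT INTO films VALUES (?, ?)", SAMPLE_FILMS)
    conn.executemany("INSERT INTO admins VALUES (?, ?)", SAMPLE_ADMINS)
    return conn

# film.asp pattern: the "film" value is spliced into the statement text.
def film_vulnerable(conn, film):
    sql = "SELECT id, title FROM films WHERE id = %s" % film
    return conn.execute(sql).fetchall()

# Fix: validate the type and bind the value; the SQL text never contains user input.
def film_fixed(conn, film):
    film_id = int(film)                       # ValueError on anything but an integer
    return conn.execute("SELECT id, title FROM films WHERE id = ?",
                        (film_id,)).fetchall()

# login.php pattern: "admin_username" and the password are spliced into the statement.
def login_vulnerable(conn, admin_username, admin_password):
    sql = ("SELECT admin_username FROM admins WHERE admin_username = '%s' "
           "AND admin_password = '%s'" % (admin_username, admin_password))
    row = conn.execute(sql).fetchone()
    return row[0] if row else None

# Fix: bound parameters; quotes and comment markers in the input stay data.
def login_fixed(conn, admin_username, admin_password):
    row = conn.execute(
        "SELECT admin_username FROM admins WHERE admin_username = ? AND admin_password = ?",
        (admin_username, admin_password)).fetchone()
    return row[0] if row else None

UNION_PAYLOAD = "0 UNION SELECT admin_username, admin_password FROM admins"
COMMENT_PAYLOAD = "admin' --"   # closes the quoted username, comments out the password check

def demo():
    """Runs both payloads against both versions; returns what each call produced."""
    conn = make_db()
    leaked = film_vulnerable(conn, UNION_PAYLOAD)              # admin credentials via the film page
    bypass = login_vulnerable(conn, COMMENT_PAYLOAD, "wrong")  # logged in as admin
    try:
        film_fixed(conn, UNION_PAYLOAD)
        union_rejected = False
    except ValueError:
        union_rejected = True
    still_denied = login_fixed(conn, COMMENT_PAYLOAD, "wrong")
    return leaked, bypass, union_rejected, still_denied

if __name__ == "__main__":
    print(demo())
```

The advisories' advice to "ensure that input is properly sanitised" is best read as "stop building SQL from strings": escaping helps only while every call site remembers to do it, whereas bound parameters make the separation of code and data the database driver's job.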

sISAPILocation HTTP Header Rewrite Security Bypass
by Marianna Schmudlach / November 11, 2008 12:54 AM PST

Release Date: 2008-11-11

Critical:
Less critical
Impact: Security Bypass

Where: From remote
Solution Status: Vendor Patch


Software: sISAPILocation 1.x

Description:
A vulnerability has been reported in sISAPILocation, which can be exploited by malicious people to bypass certain security restrictions.

The vulnerability is caused due to an error when rewriting HTTP headers and can be exploited to bypass character encoding and cookie settings.

The vulnerability is reported in versions prior to 1.0.2.2.

Solution:
Update to version 1.0.2.2.

Provided and/or discovered by:
Reported via JVN.

Original Advisory:
JVN:
http://jvn.jp/jp/JVN67060882/index.html
http://jvndb.jvn.jp/en/contents/2008/JVNDB-2008-000076.html

Yosemite Backup "DtbClsLogin()" Buffer Overflow Vulnerability
by Marianna Schmudlach / November 11, 2008 12:55 AM PST

Release Date: 2008-11-11

Critical:
Moderately critical
Impact: DoS
System access

Where: From local network
Solution Status: Unpatched


Software: Yosemite Backup 8.x

Description:
Abdul-Aziz Hariri has discovered a vulnerability in Yosemite Backup, which can be exploited by malicious people to cause a DoS (Denial of Service) and compromise a vulnerable system.

The vulnerability is caused due to a boundary error within the "DtbClsLogin()" function in ytwindtb.dll (Windows) or libytlindtb.so (Linux), which can be exploited to cause a stack-based buffer overflow by sending specially crafted requests to the application.

Successful exploitation allows crashing the application on a Windows system and executing arbitrary code on a Linux system.

The vulnerability is confirmed in Yosemite Backup 8.70 (41769) Trial version.

Solution:
Restrict network access to the application.

Provided and/or discovered by:
Abdul-Aziz Hariri

ClamAV get_unicode_name() Off-By-One Buffer Overflow
by Marianna Schmudlach / November 11, 2008 12:56 AM PST

11 Nov. 2008

Summary
"Clam AntiVirus is an open source (GPL) anti-virus toolkit for UNIX, designed especially for e-mail scanning on mail gateways. It provides a number of utilities including a flexible and scalable multi-threaded daemon, a command line scanner and advanced tool for automatic database updates. The core of the package is an anti-virus engine available in a form of shared library."

ClamAV contains an off-by-one heap overflow vulnerability in the code responsible for parsing VBA project files. Successful exploitation could allow an attacker to execute arbitrary code with the privileges of the "clamd" process by sending an email with a prepared attachment.

Credit:
The information has been provided by Moritz Jodeit.

http://www.securiteam.com/securitynews/6S00B0AN5E.html

Vulnerability closed in ClamAV 0.94.1
by Marianna Schmudlach / November 11, 2008 2:10 AM PST

11 November 2008

In version 0.94.1 of the open source ClamAV virus scanner, which was released at the end of October, the developers closed a vulnerability that allowed denial of service attacks on the scanner. According to Moritz Jodeit, the problem is caused by an off-by-one heap overflow in the get_unicode_name function in libclamav/vba_extract.c. It is usually not possible to directly inject and execute arbitrary code using an off-by-one buffer overflow, as typically only one single byte is overwritten in the process. This may be used to offset a function pointer, so that attackers can still potentially exploit the hole for executing their own code.

More: http://www.heise-online.co.uk/security/Vulnerability-closed-in-ClamAV-0-94-1--/news/111932

Openfire Jabber-Server Multiple Vulnerabilities
by Marianna Schmudlach / November 11, 2008 12:57 AM PST

11 Nov. 2008

Summary
The jabber server Openfire contains several serious vulnerabilities. Depending on the particular runtime environment these issues can potentially even be used by an attacker to execute code on operating system level.

Credit:
The information has been provided by Andreas Kurtz.
The original article can be found at: http://www.andreas-kurtz.de/advisories/AKADV2008-001-v1.0.txt

VMware Emulation Flaw x64 Guest Privilege Escalation (IRET)
by Marianna Schmudlach / November 11, 2008 12:58 AM PST

11 Nov. 2008

Summary
By exploiting either of the VMware flaws described in this document, user-mode code executing in a virtual machine may gain kernel privileges within the virtual machine, dependent upon the guest operating system. The flaws have been proven exploitable on x64 versions of Windows, and they have produced potentially exploitable crashes on x64 versions of *BSD. The Linux kernel does not allow exploitation of these flaws on x64 versions of Linux.

Credit:
The information has been provided by Derek Soeder.

http://www.securiteam.com/securitynews/6U00D0AN5G.html

Acrobat continued activity in the wild
by Marianna Schmudlach / November 11, 2008 1:00 AM PST

Published: 2008-11-11,
Last Updated: 2008-11-11 16:10:02 UTC
by Swa Frantzen (Version: 1)

It seems those responsible for the previously reported attacks, followed up on only yesterday, are still busy and most probably successful at it.

Holger reported a site that, via obfuscation and redirection, pointed back to the same site where Bojan initially found his malicious PDFs.

Interestingly, the PDFs are new files.

Checking the new PDF again on VirusTotal (both file names have the same content, MD5: e51f24ec2e3d2cf71aa1ba74a7210841) to get an up-to-date idea of the coverage, we get this:

More: http://isc.sans.org/

Apple patches critical holes in iLife
by Marianna Schmudlach / November 11, 2008 2:11 AM PST

11 November 2008,

Apple has released iLife Support 8.3.1, a security update for iLife that closes three critical security holes. All three holes make it possible for attackers to inject their own code onto a computer and execute it using specially crafted TIFF and JPEG images. For the attack to work, the victim has to open the images. The vulnerabilities are caused by a number of memory errors that occur when ImageIO processes images.

More: http://www.heise-online.co.uk/security/Apple-patches-critical-holes-in-iLife--/news/111929

Microsoft Windows SMB Authentication Credential Replay Vulnerability
by Marianna Schmudlach / November 11, 2008 4:00 AM PST

Release Date: 2008-11-11

Critical:
Moderately critical
Impact: Security Bypass
Spoofing
Where: From local network
Solution Status: Vendor Patch

OS: Microsoft Windows 2000 Advanced Server
Microsoft Windows 2000 Datacenter Server
Microsoft Windows 2000 Professional
Microsoft Windows 2000 Server
Microsoft Windows Server 2003 Datacenter Edition
Microsoft Windows Server 2003 Enterprise Edition
Microsoft Windows Server 2003 Standard Edition
Microsoft Windows Server 2003 Web Edition
Microsoft Windows Server 2008
Microsoft Windows Storage Server 2003
Microsoft Windows Vista
Microsoft Windows XP Home Edition
Microsoft Windows XP Professional

Description:
A vulnerability has been reported in Microsoft Windows, which can be exploited by malicious people to bypass certain security features.

The vulnerability is caused due to an authentication error within SMB when handling NTLM credentials. This can be exploited via replay attacks to gain access with the privileges of the user whose credentials are being resent.

Solution:
Apply patches.

Provided and/or discovered by:
Reported by the vendor.

Original Advisory:
MS08-068 (KB957097):
http://www.microsoft.com/technet/security/Bulletin/MS08-068.mspx
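The MS08-068 post says the flaw lets NTLM credentials be replayed back at the machine that issued them. The Python program below is an added, simplified model of that exchange and of a host-side check that refuses it; it is not Microsoft's code, not the SMB or NTLM wire format, and the hash and response functions are stand-ins (SHA-256 and HMAC instead of the NT hash and NTLM response). It shows each message of a reflection against an unpatched host, the same run against a host whose client refuses challenges its own server issued, and a normal login between two hosts that the check must not break.

```python
import hashlib
import hmac
import os

def nt_hash(password):
    """Stands in for the NT password hash; NTLMv1/v2 message formats are not modelled."""
    return hashlib.sha256(password.encode("utf-16-le")).digest()

def challenge_response(pw_hash, challenge):
    """Client proof: keyed hash of the server challenge under the password hash."""
    return hmac.new(pw_hash, challenge, hashlib.sha256).digest()

class Host:
    """One machine that runs both an SMB server and an SMB client for user `user`."""
    def __init__(self, user, password, patched):
        self.user = user
        self.pw_hash = nt_hash(password)
        self.patched = patched
        self.outstanding = set()     # challenges this host's server issued, not yet answered

    # --- server side -----------------------------------------------------
    def issue_challenge(self):
        challenge = os.urandom(8)
        self.outstanding.add(challenge)
        return challenge

    def verify(self, challenge, user, response):
        if challenge not in self.outstanding:
            return False
        self.outstanding.discard(challenge)          # one answer per challenge
        if user != self.user:
            return False
        return hmac.compare_digest(response, challenge_response(self.pw_hash, challenge))

    # --- client side -----------------------------------------------------
    def answer(self, challenge):
        """Patched clients refuse a challenge their own server currently has outstanding:
        that is exactly the reflection case (simplified model of the fix)."""
        if self.patched and challenge in self.outstanding:
            raise PermissionError("challenge issued by this host's own server; refused")
        return challenge_response(self.pw_hash, challenge)

def reflection_attack(victim):
    """The attacker runs a rogue server that the victim's client is lured into contacting
    (for example via an embedded UNC link). Each step is one message in the exchange."""
    challenge = victim.issue_challenge()      # 1. attacker -> victim server: connect, get challenge
    try:
        response = victim.answer(challenge)   # 2. rogue server -> victim client: the same challenge
    except PermissionError:
        return False
    return victim.verify(challenge, victim.user, response)   # 3. attacker -> victim server: victim's answer

def legitimate_login(client, server):
    """Normal flow between two different hosts sharing an account must still work."""
    challenge = server.issue_challenge()
    return server.verify(challenge, client.user, client.answer(challenge))

def demo():
    """Returns (reflection succeeds on unpatched host, on patched host, normal login still works)."""
    unpatched = Host("alice", "Passw0rd!", patched=False)
    patched = Host("alice", "Passw0rd!", patched=True)
    other = Host("alice", "Passw0rd!", patched=True)
    return (reflection_attack(unpatched), reflection_attack(patched),
            legitimate_login(other, patched))

if __name__ == "__main__":
    print(demo())
```

The check modelled here only stops a response from being reflected to the host that produced the challenge. Relaying the victim's response to a different server is a separate problem, addressed by SMB signing and by disabling NTLM where Kerberos is available, not by this bulletin.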

Microsoft Releases November Security Bulletin
by Marianna Schmudlach / November 11, 2008 8:00 AM PST

added November 11, 2008 at 01:45 pm

Microsoft has released updates to address vulnerabilities in Microsoft Windows as part of the Microsoft Security Bulletin Summary for November 2008. These vulnerabilities could allow an attacker to execute arbitrary code.

US-CERT encourages users and administrators to review the bulletins and follow best-practice security policies to determine which updates should be applied.


http://www.us-cert.gov/current/current_activity.html#microsoft_releases_november_security_bulletin
