
VULNERABILITIES \ FIXES - November 11, 2008

Nov 11, 2008 12:37AM PST

SAP GUI MDrmSap ActiveX Control Code Execution Vulnerability

Release Date: 2008-11-11

Critical: Highly critical
Impact: System access
Where: From remote
Solution Status: Vendor Patch

Software: SAP GUI 6.x, SAP GUI 7.x

Description:
A vulnerability has been reported in SAPgui, which can be exploited by malicious people to compromise a user's system.

The vulnerability is caused due to an unspecified error in the bundled MDrmSap ActiveX control (mdrmsap.dll). This can be exploited to compromise a user's system by e.g. tricking the user into visiting a malicious website.

Solution:
The vendor has reportedly issued a patch via SAP Note 1142431.
http://service.sap.com/sap/support/notes/1142431

Provided and/or discovered by:
Will Dormann, CERT/CC.

Original Advisory:
US-CERT VU#277313:
http://www.kb.cert.org/vuls/id/277313

Dizi Film Portal "film" SQL Injection Vulnerability
Nov 11, 2008 12:38AM PST

Release Date: 2008-11-11

Critical: Moderately critical
Impact: Manipulation of data, Exposure of sensitive information
Where: From remote
Solution Status: Unpatched

Software: Dizi Film Portal

Description:
Kaan KAMIS has discovered a vulnerability in Dizi Film Portal, which can be exploited by malicious people to conduct SQL injection attacks.

Input passed to the "film" parameter in film.asp is not properly sanitised before being used in SQL queries. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code.

Solution:
Edit the source code to ensure that input is properly sanitised.

Provided and/or discovered by:
Kaan KAMIS

http://secunia.com/advisories/32675/

WIMS "account.sh" Insecure Temporary Files
Nov 11, 2008 12:39AM PST

Release Date: 2008-11-11

Critical: Not critical
Impact: Privilege escalation
Where: Local system
Solution Status: Unpatched

Software: WIMS 3.x

Description:
A security issue has been reported in WIMS, which can be exploited by malicious, local users to perform certain actions with escalated privileges.

The security issue is caused due to the "bin/account.sh" script using temporary files in an insecure manner. This can be exploited to erase the content of arbitrary files via symlink attacks.

The security issue affects version 3.64. Other versions may also be affected.

Solution:
Restrict local access to trusted users only.

Provided and/or discovered by:
Reported by Dmitry E. Oboukhov in a Debian bug report.

Original Advisory:
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=496387

Linux Kernel Denial of Service Vulnerabilities
Nov 11, 2008 12:41AM PST

WOW Raid Manager "auth_phpbb3.php" Authentication Bypass
Nov 11, 2008 12:42AM PST

Release Date: 2008-11-11

Critical: Moderately critical
Impact: Security Bypass
Where: From remote
Solution Status: Vendor Patch

Software: WOW Raid Manager 3.x

Description:
A vulnerability has been reported in WOW Raid Manager, which can be exploited by malicious people to bypass certain security restrictions.

The vulnerability is caused due to the "auth/auth_phpbb3.php" script improperly interpreting the return value of the "CheckPassword()" function. This can be exploited to gain access to the application by logging in with an arbitrary password.

The vulnerability is reported in versions prior to 3.6.0.

Solution:
Update to version 3.6.0.

Provided and/or discovered by:
Reported by the vendor.

Original Advisory:
http://github.com/Illydth/wowraidmana...6367ae85003dd5d715431b6ab695f2c2f200a
http://www.wowraidmanager.net/e107_plugins/forum/forum_viewtopic.php?2153

OptiPNG BMP Reader Buffer Overflow Vulnerability
Nov 11, 2008 12:43AM PST

Release Date: 2008-11-11

Critical: Highly critical
Impact: DoS, System access
Where: From remote
Solution Status: Vendor Patch

Software: OptiPNG 0.x

Description:
A vulnerability has been reported in OptiPNG, which potentially can be exploited by malicious people to compromise a user's system.

The vulnerability is caused due to a boundary error in the BMP reader and can be exploited to cause a buffer overflow by tricking a user into processing a specially crafted file.

Successful exploitation may allow execution of arbitrary code.

The vulnerability is reported in versions prior to 0.6.2.

Solution:
Update to version 0.6.2.

Provided and/or discovered by:
Reported by the vendor.

Original Advisory:
http://sourceforge.net/project/showno...release_id=639631&group_id=151404

Sanusart Simple PHP Guestbook Script PHP Code Execution
Nov 11, 2008 12:44AM PST

Release Date: 2008-11-11

Critical: Highly critical
Impact: System access
Where: From remote
Solution Status: Vendor Patch

Software: Sanusart Simple PHP Guestbook Script

Description:
GoLd_M has reported a vulnerability in Sanusart Simple PHP Guestbook Script, which can be exploited by malicious people to compromise a vulnerable system.

Input passed to the "message" parameter in act.php is not properly sanitised before it is written to the "messages.txt" file. This can be exploited to execute PHP by including PHP code in the message body.

Solution:
Update to the latest version.
http://www.sanusart.com/php/FREEsimplePHPguestbook.zip

Provided and/or discovered by:
GoLd_M

Original Advisory:
http://milw0rm.com/exploits/7079

op5 Monitor Cross-Site Request Forgery
Nov 11, 2008 12:45AM PST

Release Date: 2008-11-11

Critical: Less critical
Impact: Cross Site Scripting
Where: From remote
Solution Status: Vendor Patch

Software: op5 Monitor 4.x

Description:
A vulnerability has been reported in op5 Monitor, which can be exploited by malicious people to conduct cross-site request forgery attacks.

The application allows users to perform certain actions via HTTP requests without performing any validity checks to verify the request. This can be exploited to execute certain commands (e.g. to disable notifications) when a logged-in administrator visits a malicious web site.

Solution:
Update to version 4.0.1.

Original Advisory:
http://www.op5.com/support/news/389-i...ecurity-fix-available-for-op5-monitor

Other References:
SA32610:
http://secunia.com/advisories/32610/

Sweex RO002 Router Undocumented Account Security Issue
Nov 11, 2008 12:46AM PST

Release Date: 2008-11-11

Critical: Less critical
Impact: Security Bypass
Where: From local network
Solution Status: Unpatched

OS: Sweex RO002 Router

Description:
Rob Stout has reported a security issue in the Sweex RO002 Router, which can be exploited by malicious people to bypass certain security restrictions.

The security issue is caused due to the device including an undocumented account for the web configuration interface with a default password ("rdc123" / "rdc123"). This can be exploited to gain access to the LAN web interface and e.g. modify the configuration.

The security issue is reported in firmware version Ts03-072. Other versions may also be affected.

Solution:
Restrict network access to the web configuration interface.

Reportedly, the vendor is working on a fix.

Provided and/or discovered by:
Rob Stout

Joomla! Script Insertion Vulnerabilities
Nov 11, 2008 12:47AM PST

Release Date: 2008-11-11

Critical: Moderately critical
Impact: Cross Site Scripting
Where: From remote
Solution Status: Vendor Patch

Software: Joomla! 1.x

Description:
Some vulnerabilities have been reported in Joomla!, which can be exploited by malicious users and potentially malicious people to conduct script insertion attacks.

The vulnerabilities are reported in version 1.5.7 and prior.

Solution:
Update to version 1.5.8.

Provided and/or discovered by:
The vendor credits:
1) Johan Janssens
2) Gergo Erdosi

Original Advisory:
http://developer.joomla.org/security/...ore-comcontent-xss-vulnerability.html
http://developer.joomla.org/security/...re-comweblinks-xss-vulnerability.html

Zeeways Shaadi Clone Authentication Bypass Vulnerability
Nov 11, 2008 12:48AM PST

Release Date: 2008-11-11

Critical: Moderately critical
Impact: Security Bypass
Where: From remote
Solution Status: Unpatched

Software: Zeeways Shaadi Clone

Description:
G4N0K has reported a vulnerability in Zeeways Shaadi Clone, which can be exploited by malicious people to bypass certain security restrictions.

The vulnerability is caused due to "admin/home.php" not being properly restricted to administrators. This can be exploited to e.g. perform administrative actions by accessing the affected file directly.

Solution:
Ensure that administrative scripts are properly restricted (e.g. via ".htaccess").

Provided and/or discovered by:
G4N0K

Original Advisory:
http://milw0rm.com/exploits/7066

Apertium Insecure Temporary Files
Nov 11, 2008 12:49AM PST

Release Date: 2008-11-11

Critical: Less critical
Impact: Privilege escalation
Where: Local system
Solution Status: Unpatched

Software: Apertium 3.x

Description:
Some security issues have been reported in Apertium, which can be exploited by malicious, local users to perform certain actions with escalated privileges.

The security issues are caused due to the "apertium-gen-deformat", "apertium-gen-reformat", and "apertium" scripts using temporary files in an insecure manner. This can be exploited to delete or overwrite arbitrary files via symlink attacks.

The security issues are reported in version 3.0.7. Other versions may also be affected.

Solution:
Restrict local access to trusted users only.

Provided and/or discovered by:
Reported by Dmitry E. Oboukhov in a Debian bug report.

Original Advisory:
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=496395
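An added example, not taken from either advisory, showing the temporary-file pattern behind both the WIMS "account.sh" and the Apertium reports above, and the mktemp-based fix; the function names, the "demo.<pid>" file name and the sandbox paths are constructed for illustration.

```shell
#!/bin/sh
# Constructed illustration of the insecure temporary file pattern reported
# for WIMS "bin/account.sh" and the Apertium wrapper scripts.  The names
# "demo.<pid>", "victim" and the functions below are made up for this example.

# Unsafe pattern: a predictable name in a shared directory, opened with a
# plain ">" redirection.  ">" follows an existing symlink, so if another
# local user has pre-created "<dir>/demo.<pid>" as a symlink to a file the
# script's owner can write, the redirection truncates that file instead of
# creating a fresh temp file (the "erase the content of arbitrary files" case).
unsafe_tmp_write() {
    dir="${1:-/tmp}"
    f="$dir/demo.$$"
    printf '%s\n' "$2" > "$f"
    printf '%s' "$f"
}

# Fixed pattern: mktemp(1) creates an unpredictable name atomically with
# O_CREAT|O_EXCL, so a pre-planted symlink is never followed, and the new
# file is mode 0600, owned by the caller.
safe_tmp_write() {
    dir="${1:-${TMPDIR:-/tmp}}"
    f=$(mktemp "$dir/demo.XXXXXX") || return 1
    printf '%s\n' "$2" > "$f"
    printf '%s' "$f"
}

# Review helper: given the path a legacy script is about to write, report
# whether it is safe to use.  Returns 1 (unsafe) if anything already exists
# at that path, including a dangling symlink, since a correct temporary
# file must be newly created by the script itself.
tmp_path_is_safe() {
    p="$1"
    if [ -L "$p" ] || [ -e "$p" ]; then
        return 1
    fi
    return 0
}
```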

Zeeways PhotoVideoTube Authentication Bypass Vulnerability
Nov 11, 2008 12:50AM PST

Release Date: 2008-11-11

Critical: Moderately critical
Impact: Manipulation of data
Where: From remote
Solution Status: Unpatched

Software: Zeeways PhotoVideoTube

Description:
Mountassif Moad has reported a vulnerability in Zeeways PhotoVideoTube, which can be exploited by malicious people to bypass certain security restrictions.

The vulnerability is caused due to "admin/home.php" not being properly restricted to administrators. This can be exploited to e.g. perform administrative actions by accessing the affected file directly.

Solution:
Ensure that administrative scripts are properly restricted (e.g. via ".htaccess").

Provided and/or discovered by:
Mountassif Moad

Original Advisory:
http://milw0rm.com/exploits/7070

NeoOffice Multiple Vulnerabilities
Nov 11, 2008 12:52AM PST

PHP Shop "admin_username" SQL Injection Vulnerability
Nov 11, 2008 12:53AM PST

Release Date: 2008-11-11

Critical: Moderately critical
Impact: Manipulation of data, Exposure of sensitive information
Where: From remote
Solution Status: Unpatched

Software: PHP Shop 1.x

Description:
ZoRLu has reported a vulnerability in PHP Shop, which can be exploited by malicious people to conduct SQL injection attacks.

Input passed to the "admin_username" parameter in login.php is not properly sanitised before being used in SQL queries. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code.

This vulnerability is reported in version 1.0. Other versions may also be affected.

Solution:
Edit the source code to ensure that input is properly sanitised.

Provided and/or discovered by:
ZoRLu

Original Advisory:
http://milw0rm.com/exploits/7025

sISAPILocation HTTP Header Rewrite Security Bypass
Nov 11, 2008 12:54AM PST

Release Date: 2008-11-11

Critical: Less critical
Impact: Security Bypass
Where: From remote
Solution Status: Vendor Patch

Software: sISAPILocation 1.x

Description:
A vulnerability has been reported in sISAPILocation, which can be exploited by malicious people to bypass certain security restrictions.

The vulnerability is caused due to an error when rewriting HTTP headers and can be exploited to bypass character encoding and cookie settings.

The vulnerability is reported in versions prior to 1.0.2.2.

Solution:
Update to version 1.0.2.2.

Provided and/or discovered by:
Reported via JVN.

Original Advisory:
JVN:
http://jvn.jp/jp/JVN67060882/index.html
http://jvndb.jvn.jp/en/contents/2008/JVNDB-2008-000076.html

Yosemite Backup "DtbClsLogin()" Buffer Overflow Vulnerability
Nov 11, 2008 12:55AM PST

Release Date: 2008-11-11

Critical: Moderately critical
Impact: DoS, System access
Where: From local network
Solution Status: Unpatched

Software: Yosemite Backup 8.x

Description:
Abdul-Aziz Hariri has discovered a vulnerability in Yosemite Backup, which can be exploited by malicious people to cause a DoS (Denial of Service) and compromise a vulnerable system.

The vulnerability is caused due to a boundary error within the "DtbClsLogin()" function in ytwindtb.dll (Windows) or libytlindtb.so (Linux), which can be exploited to cause a stack-based buffer overflow by sending specially crafted requests to the application.

Successful exploitation allows crashing the application on a Windows system and executing arbitrary code on a Linux system.

The vulnerability is confirmed in Yosemite Backup 8.70 (41769) Trial version.

Solution:
Restrict network access to the application.

Provided and/or discovered by:
Abdul-Aziz Hariri

ClamAV get_unicode_name() Off-By-One Buffer Overflow
Nov 11, 2008 12:56AM PST

11 Nov. 2008

Summary
"Clam AntiVirus is an open source (GPL) anti-virus toolkit for UNIX, designed especially for e-mail scanning on mail gateways. It provides a number of utilities including a flexible and scalable multi-threaded daemon, a command line scanner and advanced tool for automatic database updates. The core of the package is an anti-virus engine available in a form of shared library."

ClamAV contains an off-by-one heap overflow vulnerability in the code responsible for parsing VBA project files. Successful exploitation could allow an attacker to execute arbitrary code with the privileges of the `clamd' process by sending an email with a prepared attachment.

Credit:
The information has been provided by Moritz Jodeit.

http://www.securiteam.com/securitynews/6S00B0AN5E.html

Vulnerability closed in ClamAV 0.94.1
Nov 11, 2008 2:10AM PST

11 November 2008

In version 0.94.1 of the open source ClamAV virus scanner, which was released at the end of October, the developers closed a vulnerability that allowed denial of service attacks on the scanner. According to Moritz Jodeit, the problem is caused by an off-by-one heap overflow in the get_unicode_name function in libclamav/vba_extract.c. It is usually not possible to directly inject and execute arbitrary code using an off-by-one buffer overflow, as typically only one single byte is overwritten in the process. This may be used to offset a function pointer, so that attackers can still potentially exploit the hole for executing their own code.

More: http://www.heise-online.co.uk/security/Vulnerability-closed-in-ClamAV-0-94-1--/news/111932

Openfire Jabber-Server Multiple Vulnerabilities
Nov 11, 2008 12:57AM PST

11 Nov. 2008

Summary
The jabber server Openfire contains several serious vulnerabilities. Depending on the particular runtime environment, these issues can potentially even be used by an attacker to execute code at operating-system level.

Credit:
The information has been provided by Andreas Kurtz.
The original article can be found at: http://www.andreas-kurtz.de/advisories/AKADV2008-001-v1.0.txt

VMware Emulation Flaw x64 Guest Privilege Escalation (IRET)
Nov 11, 2008 12:58AM PST

11 Nov. 2008

Summary
By exploiting either of the VMware flaws described in this document, user-mode code executing in a virtual machine may gain kernel privileges within the virtual machine, dependent upon the guest operating system. The flaws have been proven exploitable on x64 versions of Windows, and they have produced potentially exploitable crashes on x64 versions of *BSD. The Linux kernel does not allow exploitation of these flaws on x64 versions of Linux.

Credit:
The information has been provided by Derek Soeder.

http://www.securiteam.com/securitynews/6U00D0AN5G.html

Acrobat continued activity in the wild
Nov 11, 2008 1:00AM PST

Published: 2008-11-11,
Last Updated: 2008-11-11 16:10:02 UTC
by Swa Frantzen (Version: 1)

It seems those responsible for the prior reported attacks, and followed up only yesterday, are still busy and most probably successful at it.

Holger reported a site that, via obfuscation and redirection, pointed back to the same site where Bojan initially found his malicious pdfs.

Interestingly, the pdfs are new files.

Checking the new pdf again (both file names have the same content, MD5: e51f24ec2e3d2cf71aa1ba74a7210841) on virustotal to get an up-to-date idea of the coverage, we get this:

More: http://isc.sans.org/

Apple patches critical holes in iLife
Nov 11, 2008 2:11AM PST

11 November 2008,

Apple has released iLife Support 8.3.1, a security update for iLife that closes three critical security holes. All three holes make it possible for attackers to inject their own code onto a computer and execute it using specially crafted TIFF and JPEG images. For the attack to work, the victim has to open the images. The vulnerabilities are caused by a number of memory errors that occur when ImageIO processes images.

More: http://www.heise-online.co.uk/security/Apple-patches-critical-holes-in-iLife--/news/111929

Microsoft Windows SMB Authentication Credential Replay Vulnerability
Nov 11, 2008 4:00AM PST

Release Date: 2008-11-11

Critical: Moderately critical
Impact: Security Bypass, Spoofing
Where: From local network
Solution Status: Vendor Patch

OS: Microsoft Windows 2000 Advanced Server
Microsoft Windows 2000 Datacenter Server
Microsoft Windows 2000 Professional
Microsoft Windows 2000 Server
Microsoft Windows Server 2003 Datacenter Edition
Microsoft Windows Server 2003 Enterprise Edition
Microsoft Windows Server 2003 Standard Edition
Microsoft Windows Server 2003 Web Edition
Microsoft Windows Server 2008
Microsoft Windows Storage Server 2003
Microsoft Windows Vista
Microsoft Windows XP Home Edition
Microsoft Windows XP Professional

Description:
A vulnerability has been reported in Microsoft Windows, which can be exploited by malicious people to bypass certain security features.

The vulnerability is caused due to an authentication error within SMB when handling NTLM credentials. This can be exploited via replay attacks to gain access with the privileges of the user whose credentials are being resent.

Solution:
Apply patches.

Provided and/or discovered by:
Reported by the vendor.

Original Advisory:
MS08-068 (KB957097):
http://www.microsoft.com/technet/security/Bulletin/MS08-068.mspx

Microsoft Releases November Security Bulletin
Nov 11, 2008 8:00AM PST

added November 11, 2008 at 01:45 pm

Microsoft has released updates to address vulnerabilities in Microsoft Windows as part of the Microsoft Security Bulletin Summary for November 2008. These vulnerabilities could allow an attacker to execute arbitrary code.

US-CERT encourages users and administrators to review the bulletins and follow best-practice security policies to determine which updates should be applied.


http://www.us-cert.gov/current/current_activity.html#microsoft_releases_november_security_bulletin