VULNERABILITIES \ FIXES - November 3, 2008

Release Date: 2008-11-03

Critical:
Moderately critical
Impact: System access

Where: From remote
Solution Status: Vendor Patch


Software: GeSHi 1.x

Description:
A vulnerability has been reported in GeSHI, which can potentially be exploited by malicious people to compromise a vulnerable system.

The vulnerability is caused due to an unspecified error, which may allow execution of arbitrary code on an affected system.

The vulnerability is reported in versions prior to 1.0.8.1.

Solution:
Update to version 1.0.8.1.

Provided and/or discovered by:
Reported by the vendor.

Original Advisory:
http://sourceforge.net/project/shownotes.php?release_id=637321

Release Date: 2008-11-03

Critical:
Moderately critical
Impact: Manipulation of data
Exposure of sensitive information

Where: From remote
Solution Status: Unpatched


Software: SFS EZ Adult Directory
SFS EZ Affiliate
SFS EZ Gaming Directory
SFS EZ Home Business Directory
SFS EZ Hosting Directory
SFS EZ Links Directory

Description:
A vulnerability has been reported in multiple SFS products, which can be exploited by malicious people to conduct SQL injection attacks.

Input passed to the "cat_id" parameter in directory.php (when "ax" is set to "list") is not properly sanitised before being used in SQL queries. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code.

This vulnerability is reported in the following SFS products:
- SFS EZ Links Directory
- SFS EZ Adult Directory
- SFS EZ Hosting Directory
- SFS EZ Home Business Directory
- SFS EZ Gaming Directory
- SFS EZ Affiliate

Solution:
Edit the source code to ensure that input is properly sanitised.

Provided and/or discovered by:
BeyazKurt and Darckc0de

Original Advisory:
http://milw0rm.com/exploits/6911
http://milw0rm.com/exploits/6908
http://milw0rm.com/exploits/6907
http://milw0rm.com/exploits/6906
http://milw0rm.com/exploits/6905
http://milw0rm.com/exploits/6895

Release Date: 2008-11-03

Critical:
Moderately critical
Impact: Manipulation of data
Exposure of sensitive information

Where: From remote
Solution Status: Unpatched


Software: SFS EZ BIZ PRO

Description:
d3b4g has reported a vulnerability in SFS EZ BIZ PRO, which can be exploited by malicious people to conduct SQL injection attacks.

Input passed to the "id" parameter in directory.php is not properly sanitised before being used in SQL queries. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code.

Solution:
Edit the source code to ensure that input is properly sanitised.

Provided and/or discovered by:
d3b4g

Original Advisory:
http://milw0rm.com/exploits/6910

Release Date: 2008-11-03

Critical:
Moderately critical
Impact: Manipulation of data
Exposure of sensitive information

Where: From remote
Solution Status: Unpatched


Software: SFS EZ Webring

Description:
d3b4g has reported a vulnerability in SFS EZ Webring, which can be exploited by malicious people to conduct SQL injection attacks.

Input passed to the "cat" parameter in category.php is not properly sanitised before being used in SQL queries. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code.

Solution:
Edit the source code to ensure that input is properly sanitised.

Provided and/or discovered by:
d3b4g

Original Advisory:
http://milw0rm.com/exploits/6913

Release Date: 2008-11-03

Critical:
Moderately critical
Impact: Cross Site Scripting
Exposure of system information
Exposure of sensitive information

Where: From remote
Solution Status: Unpatched


Software: Tribiq CMS 5.x

Description:
Some vulnerabilities have been discovered in Tribiq CMS, which can be exploited by malicious people to conduct cross-site scripting attacks or to disclose sensitive information.

Solution:
Edit the source code to ensure that input is properly verified and sanitised.

Provided and/or discovered by:
1) GoLd_M
2) an anonymous researcher

Original Advisory:
http://milw0rm.com/exploits/6888

Release Date: 2008-11-03

Critical:
Moderately critical
Impact: Cross Site Scripting
Manipulation of data

Where: From remote
Solution Status: Unpatched


Software: Logz CMS 1.x

Description:
Some vulnerabilities have been discovered in Logz CMS, which can be exploited by malicious people to conduct cross-site scripting and SQL injection attacks.

Solution:
Edit the source code to ensure that input is properly sanitised.

Provided and/or discovered by:
1) ZoRLu
2) an anonymous researcher

Original Advisory:
http://milw0rm.com/exploits/6896

Release Date: 2008-11-03

Critical:
Moderately critical
Impact: Manipulation of data
Exposure of sensitive information

Where: From remote
Solution Status: Unpatched


Software: SFS EZ Hotscripts-like Site

Description:
Some vulnerabilities have been reported in SFS EZ Hotscripts-like Site, which can be exploited by malicious people to conduct SQL injection attacks.

Solution:
Edit the source code to ensure that input is properly sanitised.

Provided and/or discovered by:
1) TR-ShaRk
2) x0r

Original Advisory:
1) http://milw0rm.com/exploits/6903
2) http://milw0rm.com/exploits/6915

Release Date: 2008-11-03

Critical:
Moderately critical
Impact: Manipulation of data
Exposure of sensitive information

Where: From remote
Solution Status: Unpatched


Software: SFS EZ Hot ot Not

Description:
d3b4g has reported a vulnerability in SFS EZ Hot ot Not, which can be exploited by malicious people to conduct SQL injection attacks.

Input passed to the "phid" parameter in viewcomments.php is not properly sanitised before being used in SQL queries. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code.

Solution:
Edit the source code to ensure that input is properly sanitised.

Provided and/or discovered by:
d3b4g

Original Advisory:
http://milw0rm.com/exploits/6914

Release Date: 2008-11-03

Critical:
Moderately critical
Impact: Exposure of sensitive information
Manipulation of data

Where: From remote
Solution Status: Unpatched


Software: SFS EZ Auction

Description:
Mountassif Moad has reported a vulnerability in SFS EZ Auction, which can be exploited by malicious people to conduct SQL Injection attacks.

Input passed to the "cat" parameter in viewfaqs.php is not properly sanitised before being used in SQL queries. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code.

Solution:
Edit the source code to ensure input is properly sanitised.

Provided and/or discovered by:
Mountassif Moad

Original Advisory:
http://milw0rm.com/exploits/6918

Release Date: 2008-11-03

Critical:
Moderately critical
Impact: Manipulation of data
Exposure of sensitive information

Where: From remote
Solution Status: Unpatched


Software: SFS EZ Career

Description:
Mountassif Moad has reported a vulnerability in SFS EZ Career, which can be exploited by malicious people to conduct SQL injection attacks.

Input passed to the "topic" parameter in content.php is not properly sanitised before being used in SQL queries. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code.

Solution:
Edit the source code to ensure that input is properly sanitised.

Provided and/or discovered by:
Mountassif Moad

Original Advisory:
http://milw0rm.com/exploits/6919

Release Date: 2008-11-03

Critical:
Moderately critical
Impact: Manipulation of data
Exposure of sensitive information

Where: From remote
Solution Status: Unpatched


Software: SFS EZ Top Sites

Description:
Mountassif Moad has reported a vulnerability in SFS EZ Top Sites, which can be exploited by malicious people to conduct SQL injection attacks.

Input passed to the "ts" parameter in topsite.php is not properly sanitised before being used in SQL queries. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code.

Solution:
Edit the source code to ensure that input is properly sanitised.

Provided and/or discovered by:
Mountassif Moad

Original Advisory:
http://milw0rm.com/exploits/6920

Release Date: 2008-11-03

Critical:
Moderately critical
Impact: Manipulation of data
Exposure of sensitive information

Where: From remote
Solution Status: Unpatched


Software: SFS EZ e-store

Description:
ZoRLu has reported a vulnerability in SFS EZ e-store, which can be exploited by malicious people to conduct SQL injection attacks.

Input passed to the "where" parameter in SearchResults.php (when "ord1" is set to a valid field name) is not properly sanitised before being used in SQL queries. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code.

Solution:
Edit the source code to ensure that input is properly sanitised.

Provided and/or discovered by:
ZoRLu

Original Advisory:
http://milw0rm.com/exploits/6922

Release Date: 2008-11-03

Critical:
Moderately critical
Impact: Manipulation of data
Exposure of sensitive information

Where: From remote
Solution Status: Unpatched


Software: SFS EZ Pub Site

Description:
Hakxer has reported a vulnerability in SFS EZ Pub Site, which can be exploited by malicious people to conduct SQL injection attacks.

Input passed to the "cat" parameter in directory.php is not properly sanitised before being used in SQL queries. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code.

Solution:
Edit the source code to ensure that input is properly sanitised.

Provided and/or discovered by:
Hakxer

Original Advisory:
http://milw0rm.com/exploits/6923

Release Date: 2008-11-03
Popularity: 116 views


Critical:
Moderately critical
Impact: Manipulation of data
Exposure of sensitive information

Where: From remote
Solution Status: Unpatched


Software: SFS EZ Gaming Cheats

Description:
ZoRLu has reported a vulnerability in SFS EZ Gaming Cheats, which can be exploited by malicious people to conduct SQL injection attacks.

Input passed to the "id" parameter in view_reviews.php is not properly sanitised before being used in SQL queries. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code.

Solution:
Edit the source code to ensure that input is properly sanitised

Provided and/or discovered by:
ZoRLu

Original Advisory:
http://milw0rm.com/exploits/6924

Release Date: 2008-11-03

Critical:
Highly critical
Impact: System access

Where: From remote
Solution Status: Unpatched


Software: Flash Tree Gallery 1.x (component for Joomla!)

Description:
NoGe has reported a vulnerability in the Flash Tree Gallery component for Joomla!, which can be exploited by malicious people to compromise a vulnerable system.

Input passed to the "mosConfig_live_site" parameter in administrator/components/com_treeg/admin.treeg.php is not properly verified before being used to include files. This can be exploited to include arbitrary files from local or external resources.

Successful exploitation requires that "register_globals" is enabled.

The vulnerability is reported in version 1.0. Other versions may also be affected.

Solution:
Edit the source code to ensure that input is properly verified.

Provided and/or discovered by:
NoGe

Original Advisory:
http://milw0rm.com/exploits/6928

Release Date: 2008-11-03

Critical:
Moderately critical
Impact: Security Bypass
Manipulation of data

Where: From remote
Solution Status: Unpatched


Software: Article Publisher Pro 1.x

Description:
Some vulnerabilities have been reported in Article Publisher Pro, which can be exploited by malicious people to conduct SQL injection attacks.

Solution:
Edit the source code to ensure that input is properly sanitised.

Provided and/or discovered by:
1) Mountassif Moad
2) Hakxer

Original Advisory:
1) http://milw0rm.com/exploits/6917
2) http://milw0rm.com/exploits/6912

Release Date: 2008-11-03

Critical:
Highly critical
Impact: DoS
System access

Where: From remote
Solution Status: Vendor Patch


Software: Dns2tcp 0.x

Description:
A vulnerability has been reported in Dns2tcp, which can be exploited by malicious people to cause a DoS (Denial of Service) and potentially compromise a vulnerable system.

The vulnerability is caused due to a boundary error within the "dns_decode()" function in server/dns_decode.c. This can be exploited to cause a buffer overflow via specially crafted encoded DNS data.

Successful exploitation may allow execution of arbitrary code.

The vulnerability is reported in versions prior to 0.4.2.

Solution:
Update to version 0.4.2.

Provided and/or discovered by:
The vendor credits John Lampe.

Release Date: 2008-11-03

Critical:
Less critical
Impact: Cross Site Scripting

Where: From remote
Solution Status: Unpatched


Software: RateMe 1.x



Description:
Russ McRee has reported some vulnerabilities in RateMe, which can be exploited by malicious people to conduct cross-site request forgery and cross-site scripting attacks.

Solution:
Edit the source code to ensure that input is properly sanitised. Do not browse untrusted sites while being logged-in to the application.

Provided and/or discovered by:
Russ McRee, HolisticInfoSec

Original Advisory:
http://holisticinfosec.org/content/view/85/45/

Release Date: 2008-11-03

Critical:
Less critical
Impact: Cross Site Scripting

Where: From remote
Solution Status: Unpatched


Software: SignMe 1.x

Description:
Russ McRee has discovered a vulnerability in SignMe, which can be exploited by malicious people to conduct cross-site scripting attacks.

Input passed via the "hash" parameter to signme.inc.php is not properly sanitised before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user's browser session in context of an affected site.

The vulnerability is reported in 1.5 and confirmed in 1.55. Other versions may also be affected.

Solution:
Edit the source code to ensure that input is properly sanitised.

Provided and/or discovered by:
Russ McRee, HolisticInfoSec

Original Advisory:
http://holisticinfosec.org/content/view/88/45/

Release Date: 2008-11-03

Critical:
Less critical
Impact: Cross Site Scripting

Where: From remote
Solution Status: Unpatched


Software: MyGallery 1.x

Description:
Russ McRee has discovered a vulnerability in MyGallery, which can be exploited by malicious people to conduct cross-site scripting attacks.

Input passed to the "mghash" parameter in gallery.inc.php is not properly sanitised before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user's browser session in context of an affected site.

The vulnerability is reported in version 1.7.2 and confirmed in version 1.8.1. Other versions may also be affected.

Solution:
Edit the source code to ensure that input is properly sanitised.

Provided and/or discovered by:
Russ McRee, HolisticInfoSec

Original Advisory:
http://holisticinfosec.org/content/view/86/45/

Release Date: 2008-11-03

Critical:
Moderately critical
Impact: Manipulation of data

Where: From remote
Solution Status: Unpatched


Software: YourFreeWorld Autoresponder Hosting Script
YourFreeWorld Blog Blaster Script
YourFreeWorld Reminder Service Script

Description:
Hussin X has reported a vulnerability in various YourFreeWorld products, which can be exploited by malicious people to conduct SQL injection attacks.

Input passed to the "id" parameter in tr.php is not properly sanitised before being used in an SQL query. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code.

The vulnerability is reported in the following products:
* Reminder Service Script
* Blog Blaster Script
* Autoresponder Hosting Script

Solution:
Edit the source code to ensure that input is properly sanitised.

Provided and/or discovered by:
Hussin X

Original Advisory:
http://milw0rm.com/exploits/6938
http://milw0rm.com/exploits/6943
http://milw0rm.com/exploits/6944

Release Date: 2008-11-03

Critical:
Moderately critical
Impact: Manipulation of data

Where: From remote
Solution Status: Unpatched


Software: YourFreeWorld Shopping Cart Script with Affiliate Program



Description:
Hussin X has reported a vulnerability in YourFreeWorld Shopping Cart Script with Affiliate Program, which can be exploited by malicious people to conduct SQL injection attacks.

Input passed to the "c" parameter in index.php is not properly sanitised before being used in an SQL query. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code.

Solution:
Edit the source code to ensure that input is properly sanitised.

Provided and/or discovered by:
Hussin X

Original Advisory:
http://milw0rm.com/exploits/6952

Release Date: 2008-11-03

Critical:
Moderately critical
Impact: Security Bypass

Where: From remote
Solution Status: Unpatched


Software: Joovili 3.x

Description:
ZoRLu has reported a vulnerability in Joovili, which can be exploited by malicious people to bypass certain security restrictions.

The vulnerability is caused due to the application allowing access to the admin interface by checking if certain cookies exist. This can be exploited to gain administrative access to the application by creating the cookies "session_admin_id" with the value "1", "session_admin_username" with the value "admin", and "session_admin" with the value "true".

This vulnerability is reported in version 3.1.4. Other versions may also be affected.

Solution:
Ensure that proper access restrictions are implemented.

Provided and/or discovered by:
ZoRLu

Original Advisory:
http://milw0rm.com/exploits/6955

Release Date: 2008-11-03

Critical:
Moderately critical
Impact: Cross Site Scripting
Manipulation of data

Where: From remote
Solution Status: Unpatched


Software: NetRisk 2.x

Description:
StAkeR has discovered some vulnerabilities in NetRisk, which can be exploited by malicious people to conduct cross-site scripting and SQL injection attacks.

The vulnerabilities are confirmed in version 2.0. Other versions may also be affected.

Solution:
Edit the source code to ensure that input is properly sanitised.

Provided and/or discovered by:
StAkeR

Original Advisory:
http://milw0rm.com/exploits/6957

Release Date: 2008-11-03

Critical:
Moderately critical
Impact: Security Bypass

Where: From remote
Solution Status: Unpatched


Software: Chipmunk CMS 1.x

Description:
JosS has discovered a vulnerability in Chipmunk CMS, which can be exploited by malicious people to bypass certain security restrictions.

The vulnerability is caused due to the "board/admin/reguser.php" script not being properly restricted to administrators. This can be exploited to e.g. add new administrative users by sending certain POST requests to the affected script.

The vulnerability is confirmed in version 1.3. Other versions may also be affected.

Solution:
Restrict access to the admin area (e.g. via ".htaccess").

Provided and/or discovered by:
JosS

Original Advisory:
http://milw0rm.com/exploits/6959

Release Date: 2008-11-03

Critical:
Less critical
Impact: Manipulation of data

Where: From remote
Solution Status: Unpatched


Software: deV!L'z Clanportal 1.x

Description:
h0yt3r has discovered a vulnerability in deV!L'z Clanportal, which can be exploited by malicious users to conduct SQL injection attacks.

Input passed to the "users" parameter in index.php (if "action" is set to "buddys" and "do" is set to "addbuddy") is not properly sanitised before being used in SQL queries. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code.

The vulnerability is confirmed in version 1.4.9.6. Other versions may also be affected.

Solution:
Edit the source code to ensure that input is properly sanitised.

Provided and/or discovered by:
h0yt3r

Original Advisory:
http://milw0rm.com/exploits/6961

3 November 2008

According to reports in the US media, Google has started to deploy the first security update for its Android mobile operating system. The users of T-Mobile's G1 are offered the update for automatic installation. According to a system message, no emergency calls can be made while the update is being installed. A reboot is required after installation.

More: http://www.heise-online.co.uk/security/Google-closes-critical-security-hole-in-Android--/news/111857

November 3, 2008 5:00 AM PST
Microsoft: Trojans are huge and China is tops in browser exploits

Posted by Elinor Mills

China gets more browser-based exploits than any other country, according to the Microsoft Security Intelligence Report for the first half of 2008.

(Credit: Microsoft)

Three things you might not know: Vulnerabilities are decreasing but becoming easier to exploit. Trojans are the biggest threat. And Chinese computers are infected with more browser-based exploits than anywhere else.

Those are findings in the Microsoft Security Intelligence Report, due to be released on Monday. Covering the first half of this year, the report provides statistics compiled from Microsoft's Malware Protection Center that reveal trends about threats, breaches, and infection rates.

More: http://news.cnet.com/8301-1009_3-10080428-83.html

Release Date: 2008-11-03

Critical:
Moderately critical
Impact: Privilege escalation
System access
Where: From remote
Solution Status: Vendor Patch

Software: UW-imapd

Description:
Two vulnerabilities have been reported in UW-imapd, which can be exploited by malicious, local users to potentially gain escalated privileges, and by malicious people to potentially compromise a vulnerable system.

Successful exploitation of the vulnerabilities may allow execution of arbitrary code, but requires that the utilities are configured as a delivery backend for a mail transfer agent allowing overly long destination mailbox names.

The vulnerabilities are reported in versions prior to 2007d.

Solution:
Update to version 2007d.
ftp://ftp.cac.washington.edu/imap

Provided and/or discovered by:
Reported by the vendor.

Original Advisory:
http://mailman2.u.washington.edu/pipermail/imap-uw/2008-October/002267.html
http://mailman2.u.washington.edu/pipermail/imap-uw/2008-October/002268.html