VULNERABILITIES \ FIXES - November 5, 2008

Nov 5, 2008 12:39AM PST

nicLOR Sito Includefile "page_file" Local File Inclusion

Release Date: 2008-11-05

Critical: Moderately critical
Impact: Exposure of system information, Exposure of sensitive information
Where: From remote
Solution Status: Unpatched
Software: nicLOR Sito Includefile

Description:
StAkeR has discovered a vulnerability in nicLOR Sito Includefile, which can be exploited by malicious people to disclose sensitive information.

Input passed to the "page_file" parameter in includefile.php is not properly verified before being used to include files. This can be exploited to include arbitrary files from local resources via directory traversal attacks.

Successful exploitation requires that "register_globals" is enabled or that "magic_quotes_gpc" is disabled.

Solution:
Edit the source code to ensure that input is properly verified.

Provided and/or discovered by:
StAkeR

Original Advisory:
http://milw0rm.com/exploits/6990

DHCart "order.php" Two Cross-Site Scripting Vulnerabilities
Nov 5, 2008 12:41AM PST

Release Date: 2008-11-05

Critical: Less critical
Impact: Cross Site Scripting
Where: From remote
Solution Status: Unpatched
Software: DHCart

Description:
Lostmon has reported two vulnerabilities in DHCart, which can be exploited by malicious people to conduct cross-site scripting attacks.

Input passed to the "domain" and "d1" parameters in order.php is not properly sanitised before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user's browser session in context of an affected site.

Solution:
Filter malicious characters and character sequences in a web proxy.

Provided and/or discovered by:
Lostmon

Original Advisory:
http://lostmon.blogspot.com/2008/11/dhcart-multiple-variable-xss-and-stored.html

Novell Access Manager Identity Server X509 Session Improper Termination
Nov 5, 2008 12:42AM PST

Release Date: 2008-11-05

Critical: Less critical
Impact: Security Bypass
Where: Local system
Solution Status: Vendor Workaround
Software: Novell Access Manager 3.x

Description:
A security issue has been reported in Novell Access Manager Identity Server, which can be exploited by malicious, local users to bypass certain security restrictions.

The security issue is caused due to the server improperly terminating a session established by using an X509 certificate. This can be exploited to gain access to the session via the same browser instance.

Successful exploitation requires that X509 authentication is enabled and that the attacker has access to the victim's browser instance.

The security issue is reported in Novell Access Manager version 3 Support Pack 4. Other versions may also be affected.

Solution:
Close the browser after logging out. Please see the vendor's advisory for additional workaround information.

Provided and/or discovered by:
Reported by the vendor.

Original Advisory:
http://www.novell.com/support/viewContent.do?externalId=7001788

firmCHANNEL Digital Signage "action" Cross-Site Scripting Vulnerability
Nov 5, 2008 12:43AM PST

Release Date: 2008-11-05

Critical: Less critical
Impact: Cross Site Scripting
Where: From remote
Solution Status: Vendor Patch
OS: firmCHANNEL Digital Signage 3.x

Description:
Brad Antoniewicz has reported a vulnerability in firmCHANNEL Digital Signage, which can be exploited by malicious people to conduct cross-site scripting attacks.

Input passed to the "action" parameter in index.php (when "module" is set to "account") is not properly sanitised before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user's browser session in context of an affected site.

The vulnerability is reported in firmware version 3.24. Other versions may also be affected.

Solution:
Update to the latest firmware version. Please contact the vendor for more information.

Provided and/or discovered by:
Brad Antoniewicz

Original Advisory:
http://packetstormsecurity.org/0811-exploits/firmchannel-xss.txt
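
Both the DHCart and firmCHANNEL advisories above describe the same defect: a request parameter is written back into the page without being encoded for HTML. The following is an added example, not code from either product; the parameter names "domain" and "action" are taken from the advisories, while the page text, the set of allowed actions and the helper names are assumptions made for the demonstration.

```php
<?php
// Added example: not DHCart's or firmCHANNEL's code. The parameter names
// "domain" and "action" are taken from the advisories above; the page text,
// the allowed action names and the helper names are assumptions.

// Vulnerable pattern: a request value is echoed into the page untouched, so
// a tag or an event-handler attribute in it runs in the victim's browser.
function render_unsafe(array $get): string
{
    $domain = $get['domain'] ?? '';
    return "<p>Order for domain: {$domain}</p>";
}

// Hardened pattern: encode at output time for the HTML context the value
// lands in. ENT_QUOTES also escapes single quotes (needed inside attributes);
// ENT_SUBSTITUTE stops malformed UTF-8 from silently producing "".
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

function render_safe(array $get): string
{
    $domain = $get['domain'] ?? '';
    return '<p>Order for domain: ' . h($domain) . '</p>';
}

// For a value such as "action" that only ever takes a few known values,
// validate against an allowlist as well: encoding covers the reflection,
// the allowlist stops unknown values reaching the rest of the code.
function normalize_action(string $action): string
{
    static $allowed = ['view', 'edit', 'logout'];   // assumed set of actions
    return in_array($action, $allowed, true) ? $action : 'view';
}

// Constructed probe of the kind used to confirm reflected XSS.
$probe = ['domain' => '"><script>alert(document.cookie)</script>'];

echo render_unsafe($probe), PHP_EOL;   // <script> survives and would execute
echo render_safe($probe), PHP_EOL;     // &quot;&gt;&lt;script&gt;... renders as text
echo normalize_action('"><img src=x onerror=alert(1)>'), PHP_EOL;   // view
```

Encoding has to happen at the point of output and match the context (HTML body, attribute, JavaScript, URL); filtering "malicious characters" on the way in, as the DHCart solution text suggests, is unreliable because the set of dangerous characters depends on where the value is finally written.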

NOS Microsystems getPlus ActiveX Control Buffer Overflow
Nov 5, 2008 12:44AM PST

Release Date: 2008-11-05

Critical: Highly critical
Impact: System access
Where: From remote
Solution Status: Unpatched
Software: NOS Microsystems getPlus 1.x

Description:
A vulnerability has been reported in the NOS Microsystems getPlus ActiveX control, which can be exploited by malicious people to compromise a user's system.

The vulnerability is caused due to an unspecified error within gp.ocx when processing installation files. This can be exploited to cause a stack-based buffer overflow by e.g. tricking a user into visiting a malicious website.

Successful exploitation allows the execution of arbitrary code, but may require that the attacker can place files on the domain or subdomain of a product using the download manager.

The vulnerability is reported in gp.ocx version 1.2.2.50. Other versions may also be affected.

Solution:
Set the kill-bit for the affected ActiveX control.

Provided and/or discovered by:
Peter Vreugdenhil, reported via iDefense.

Original Advisory:
iDefense Labs:
http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=754

Nagios Cross-Site Request Forgery Vulnerability
Nov 5, 2008 12:45AM PST

Release Date: 2008-11-05

Critical: Less critical
Impact: Cross Site Scripting
Where: From remote
Solution Status: Vendor Patch
Software: Nagios 3.x

Description:
A vulnerability has been reported in Nagios, which can be exploited by malicious people to conduct cross-site request forgery attacks.

The application allows users to perform certain actions via HTTP requests without performing any validity checks to verify the request. This can be exploited to perform unspecified actions e.g. when a logged-in user visits a malicious web site.

The vulnerability is reported in versions prior to 3.0.5.

Solution:
Update to version 3.0.5.

Provided and/or discovered by:
The vendor credits Tim Starling.

Original Advisory:
http://www.nagios.org/development/history/nagios-3x.php

U-Mail "edit.php" Arbitrary File Creation Vulnerability
Nov 5, 2008 12:46AM PST

Release Date: 2008-11-05

Critical: Moderately critical
Impact: Security Bypass, System access
Where: From remote
Solution Status: Unpatched
Software: U-Mail 4.x

Description:
Shennan Wang has reported a vulnerability in U-Mail, which can be exploited by malicious users to bypass certain security restrictions and potentially compromise a vulnerable system.

The vulnerability is caused due to an error within the "edit.php" file while processing HTTP POST parameters. This can be exploited to write arbitrary data to arbitrary files placed under the webroot via specially crafted parameters.

Successful exploitation may allow execution of arbitrary code by e.g. writing arbitrary PHP code to a file having a ".php" extension.

The vulnerability is reported in version 4.91. Other versions may also be affected.

Solution:
Restrict access to trusted users only.

Provided and/or discovered by:
Shennan Wang

Original Advisory:
http://milw0rm.com/exploits/6898

Joomla VirtueMart Google Base Component "mosConfig_absolute_path" File Inclusion
Nov 5, 2008 12:48AM PST

Release Date: 2008-11-05

Critical: Highly critical
Impact: System access
Where: From remote
Solution Status: Unpatched
Software: VirtueMart Google Base 1.x (component for Joomla)

Description:
NoGe has discovered a vulnerability in the VirtueMart Google Base component for Joomla, which can be exploited by malicious people to compromise a vulnerable system.

Input passed to the "mosConfig_absolute_path" parameter in administrator/components/com_googlebase/admin.googlebase.php is not properly verified before being used to include files. This can be exploited to include arbitrary files from local or external resources.

This vulnerability is confirmed in VirtueMart Google Base version 1.3. Other versions may also be affected.

Solution:
Edit the source code to ensure that input is properly verified.

Provided and/or discovered by:
NoGe

Original Advisory:
http://milw0rm.com/exploits/6975

Joomla Pro Desk Component "include_file" Local File Inclusion Vulnerability
Nov 5, 2008 12:49AM PST

Release Date: 2008-11-05

Critical: Moderately critical
Impact: Exposure of system information, Exposure of sensitive information
Where: From remote
Solution Status: Unpatched
Software: Pro Desk 1.x (component for Joomla)

Description:
d3v1l has reported a vulnerability in the Pro Desk component for Joomla, which can be exploited by malicious people to disclose sensitive information.

Input passed to the "include_file" parameter in index.php (when "option" is set to "com_pro_desk") is not properly verified before being used to include files. This can be exploited to include arbitrary files from local resources via directory traversal attacks.

This vulnerability is reported in versions 1.0 and 1.2. Other versions may also be affected.

Solution:
Edit the source code to ensure that input is properly verified.

Provided and/or discovered by:
d3v1l

Original Advisory:
http://milw0rm.com/exploits/6980
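
Four of the advisories in this thread come down to a request value being turned into a filesystem path: the nicLOR "page_file" and Pro Desk "include_file" local file inclusions, the VirtueMart Google Base "mosConfig_absolute_path" inclusion (which depends on register_globals populating a variable the script expected its host application to set), and the U-Mail "edit.php" arbitrary file write. The block below is an added example, not code from any of those products: it shows the vulnerable include-path and write-path patterns and a hardened form of each. The parameter names come from the advisories; the directory layout, page names and the helper functions are assumptions.

```php
<?php
// Added example: not the code of nicLOR Sito Includefile, VirtueMart Google
// Base, Pro Desk or U-Mail. It shows the include-path and write-path patterns
// behind those four advisories and a hardened form of each. The parameter
// names come from the advisories; the directory layout, page names and
// helper names are assumptions.

// --- Vulnerable patterns ----------------------------------------------

// Local file inclusion: the "page_file" / "include_file" value becomes the
// include path. "../" sequences walk out of the pages directory; with
// magic_quotes_gpc off, a NUL byte in the value could also cut off a suffix
// appended by the script, which is why the nicLOR advisory lists that
// setting as a precondition.
function include_path_unsafe(string $page_file): string
{
    return __DIR__ . '/pages/' . $page_file . '.php';   // what include() would get
}

// Remote file inclusion via register_globals: the script expects the host
// application to have set $mosConfig_absolute_path, but with
// register_globals=On a request parameter of that name pre-populates it,
// so the prefix of every include becomes attacker-controlled.
function include_base_unsafe(array $globals): string
{
    $base = $globals['mosConfig_absolute_path'] ?? '';
    return $base . '/administrator/components/com_googlebase/helper.php';
}

// --- Hardened patterns ------------------------------------------------

// 1. Map request values onto a fixed allowlist; never derive an include
//    path from user input, and never read configuration from globals that
//    a request can populate.
function include_path_safe(string $page_file): ?string
{
    static $pages = ['home' => 'home.php', 'contact' => 'contact.php'];
    return isset($pages[$page_file]) ? __DIR__ . '/pages/' . $pages[$page_file] : null;
}

// 2. Where a user-supplied name must become a filesystem path (for example
//    a file to write), reject separators and NUL up front and confirm the
//    resolved parent is the intended directory. Assumed helper.
function confine_to_dir(string $base_dir, string $name): ?string
{
    $base = realpath($base_dir);
    if ($base === false || $name === '' || $name === '.' || $name === '..') {
        return null;
    }
    if (strpbrk($name, "/\\\0") !== false) {
        return null;
    }
    $candidate = $base . DIRECTORY_SEPARATOR . $name;
    // realpath() on a file that does not exist yet returns false, so check
    // the parent directory instead (also catches a symlinked base).
    return realpath(dirname($candidate)) === $base ? $candidate : null;
}

// 3. Never let user-controlled content land where the server will execute
//    it: fix the extension and keep the directory outside the document root.
function save_note(string $store_dir, string $name, string $body): bool
{
    $path = confine_to_dir($store_dir, $name);
    if ($path === null || !preg_match('/^[A-Za-z0-9_-]{1,64}\.txt$/', $name)) {
        return false;
    }
    return file_put_contents($path, $body, LOCK_EX) !== false;
}

// --- Constructed inputs -----------------------------------------------
$store = sys_get_temp_dir() . '/advisory-demo';
@mkdir($store, 0700);

echo include_path_unsafe('../../../../etc/passwd'), PHP_EOL;   // leaves pages/
echo include_base_unsafe(['mosConfig_absolute_path' => 'http://attacker.example']), PHP_EOL;
var_dump(include_path_safe('../../../../etc/passwd'));         // NULL
var_dump(include_path_safe('contact'));                        // .../pages/contact.php
var_dump(confine_to_dir($store, '../../etc/passwd'));          // NULL
var_dump(save_note($store, 'shell.php', '<?php system($_GET["c"]); ?>'));   // false
var_dump(save_note($store, 'note.txt', 'hello'));              // true
```

Two configuration checks belong with these code fixes: register_globals should be off (it is what lets a request parameter masquerade as $mosConfig_absolute_path in the first place), and allow_url_include (allow_url_fopen on PHP releases before 5.2) should be off so that even an unvalidated include cannot pull a remote file. Neither setting substitutes for the allowlist; both only shrink what a remaining bug can reach.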

Simple Machines Forum Cross-Site Request Forgery Vulnerability
Nov 5, 2008 12:50AM PST

Release Date: 2008-11-05

Critical: Moderately critical
Impact: Cross Site Scripting, System access
Where: From remote
Solution Status: Unpatched
Software: Simple Machines Forum 1.x

Description:
A vulnerability has been discovered in Simple Machines Forum, which can be exploited by malicious people to conduct cross-site request forgery attacks and by malicious users to compromise a vulnerable system.

The application allows users to perform certain actions via HTTP requests without performing any validity checks to verify the request. This can be exploited to e.g. perform certain administrative actions when a logged-in user visits a malicious site.

Successful exploitation allows e.g. to install arbitrary packages and execute arbitrary PHP code, but requires a valid user account to upload a package file as an attachment.

The vulnerability is confirmed in version 1.1.6. Other versions may also be affected.

Solution:
Disable the usage of attachments. Grant only trusted users access to the application.

Provided and/or discovered by:
Charles FOL

Original Advisory:
http://milw0rm.com/exploits/6993
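
The Nagios and Simple Machines Forum advisories above describe the same gap: state-changing requests are accepted without anything that proves the logged-in user intended them. The block below is an added example, not code from Nagios or SMF, showing the synchronizer-token check that closes it. The action name, the field name "csrf_token" and the $session array (standing in for $_SESSION) are assumptions.

```php
<?php
// Added example: not Nagios's or SMF's code. It shows the synchronizer-token
// check both applications lacked at the time. The action name, the field
// name "csrf_token" and the $session array (standing in for $_SESSION) are
// assumptions.

// One unpredictable token per session, from the CSPRNG, created on first use.
function csrf_token(array &$session): string
{
    if (empty($session['csrf_token'])) {
        $session['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $session['csrf_token'];
}

// Emit the token as a hidden field in every form that changes state.
function csrf_field(array &$session): string
{
    return '<input type="hidden" name="csrf_token" value="'
        . htmlspecialchars(csrf_token($session), ENT_QUOTES, 'UTF-8') . '">';
}

// A request passes only if it is a POST carrying the token bound to this
// session. A page on another origin can make the victim's browser send the
// cookies, but it cannot read the token to put it in the body, so the forged
// request fails here. hash_equals() keeps the comparison constant-time.
function csrf_check(array &$session, string $method, array $post): bool
{
    if ($method !== 'POST') {
        return false;                       // GET must never change state
    }
    $sent = $post['csrf_token'] ?? '';
    return is_string($sent) && $sent !== '' && hash_equals(csrf_token($session), $sent);
}

// Vulnerable pattern: any request naming the action is acted on.
function install_package_unsafe(array $request): string
{
    return 'installed ' . ($request['package'] ?? '');
}

// Hardened pattern: verify the token before doing anything.
function install_package_safe(array &$session, string $method, array $post): string
{
    if (!csrf_check($session, $method, $post)) {
        return 'refused: missing or invalid CSRF token';
    }
    return 'installed ' . ($post['package'] ?? '');
}

// Constructed requests: one forged from another site, one from the real form.
$session = [];                                   // the admin's server-side session
$forged  = ['package' => 'evil.tar.gz'];         // attacker cannot supply a token
$genuine = ['package' => 'theme.tar.gz', 'csrf_token' => csrf_token($session)];

echo install_package_unsafe($forged), PHP_EOL;                    // installed evil.tar.gz
echo install_package_safe($session, 'POST', $forged), PHP_EOL;    // refused: ...
echo install_package_safe($session, 'GET', $genuine), PHP_EOL;    // refused: ...
echo install_package_safe($session, 'POST', $genuine), PHP_EOL;   // installed theme.tar.gz
```

In the SMF chain the attacker first uploads the package as an attachment with an ordinary account and then needs an administrator's browser to submit the install request; the token check defeats the second step, while the advisory's workaround of disabling attachments removes the first. The token must be tied to the session and sent in the request body, never in a URL where a referrer or log would leak it.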

Way Of The Warrior "plancia" File Inclusion Vulnerabilities
Nov 5, 2008 12:51AM PST

Release Date: 2008-11-05

Critical: Highly critical
Impact: Exposure of sensitive information, System access
Where: From remote
Solution Status: Unpatched
Software: Way Of The Warrior (WOTW) 5.x

Description:
Some vulnerabilities have been discovered in Way Of The Warrior (WOTW), which can be exploited by malicious people to disclose sensitive information or compromise a vulnerable system.

Solution:
Edit the source code to ensure that input is properly verified.

Provided and/or discovered by:
dun

Original Advisory:
http://milw0rm.com/exploits/6992

Ubuntu update for kernel
Nov 5, 2008 12:52AM PST

Release Date: 2008-11-05

Critical: Moderately critical
Impact: DoS, System access
Where: From remote
Solution Status: Vendor Patch
OS: Ubuntu Linux 8.10

Description:
Ubuntu has issued an update for the kernel. This fixes a vulnerability, which can be exploited by malicious people to cause a DoS (Denial of Service) or to potentially compromise a vulnerable system.

The vulnerability is caused due to a boundary error in the ndiswrapper kernel driver when processing wireless network packets. This can be exploited to cause a buffer overflow via an overly long ESSID (Extended Service Set Identifier).

Successful exploitation may allow execution of arbitrary code.

Solution:
Apply updated packages.

Provided and/or discovered by:
Ubuntu credits Anders Kaseorg.

Original Advisory:
http://www.ubuntu.com/usn/usn-662-1

ToursManager "cityid" SQL Injection Vulnerability
Nov 5, 2008 12:54AM PST

Release Date: 2008-11-05

Critical: Moderately critical
Impact: Manipulation of data
Where: From remote
Solution Status: Unpatched
Software: ToursManager 1.x

Description:
G4N0K has reported a vulnerability in ToursManager, which can be exploited by malicious people to conduct SQL injection attacks.

Input passed to the "cityid" parameter in cityview.php is not properly sanitised before being used in an SQL query. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code.

Solution:
Edit the source code to ensure that input is properly sanitised.

Provided and/or discovered by:
G4N0K

Original Advisory:
http://milw0rm.com/exploits/6988
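
As an added example, not code from ToursManager: the "cityid" value is an integer key, which is the easiest kind of parameter to inject into because no quote has to be broken out of. The block shows the concatenated query beside a prepared statement with a typed, validated parameter. The parameter name and script come from the advisory; the table and column names and the in-memory SQLite database are constructed for the demonstration.

```php
<?php
// Added example: not ToursManager's code. The parameter name "cityid" and
// the script cityview.php come from the advisory; the table names, columns
// and the in-memory SQLite database are constructed for the demonstration.

// Vulnerable pattern: the request value is spliced into the SQL text. An
// unquoted integer parameter needs no quote to break out of, so a UNION
// can be appended directly.
function city_sql_unsafe(string $cityid): string
{
    return 'SELECT name, country FROM cities WHERE id = ' . $cityid;
}

// Hardened pattern: validate the shape, then bind a typed parameter in a
// prepared statement. The value is sent as data, never parsed as SQL.
function city_lookup_safe(PDO $db, string $cityid): ?array
{
    if (!preg_match('/^[0-9]{1,9}$/', $cityid)) {
        return null;                            // not an id: reject before the DB
    }
    $stmt = $db->prepare('SELECT name, country FROM cities WHERE id = :id');
    $stmt->bindValue(':id', (int) $cityid, PDO::PARAM_INT);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Constructed database so the example runs offline.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE cities (id INTEGER PRIMARY KEY, name TEXT, country TEXT)');
$db->exec('CREATE TABLE users  (id INTEGER PRIMARY KEY, login TEXT, pwhash TEXT)');
$db->exec("INSERT INTO cities VALUES (1, 'Rome', 'IT')");
$db->exec("INSERT INTO users  VALUES (1, 'admin', 'constructed-hash-value')");

// Probe of the kind used against an unquoted integer parameter.
$probe = '1 UNION SELECT login, pwhash FROM users';

// The concatenated query returns the users table under the cities columns:
// one row for Rome/IT and one row carrying admin/constructed-hash-value.
print_r($db->query(city_sql_unsafe($probe))->fetchAll(PDO::FETCH_ASSOC));

var_dump(city_lookup_safe($db, $probe));   // NULL: rejected before any SQL runs
var_dump(city_lookup_safe($db, '1'));      // ['name' => 'Rome', 'country' => 'IT']
```

The prepared statement is the fix; the regular expression is defence in depth that also gives a clean error path for malformed ids. Casting alone (`(int) $cityid`) would stop this particular injection, but binding keeps every parameter out of the query text by construction, so the protection does not depend on remembering the cast at each call site.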

Mahara Multiple Command Execution Vulnerabilities
Nov 5, 2008 12:55AM PST

Release Date: 2008-11-05

Critical: Highly critical
Impact: System access
Where: From remote
Solution Status: Vendor Patch
Software: Mahara 1.x

Description:
Some vulnerabilities have been reported in Mahara, which can be exploited by malicious people to compromise a vulnerable system.

These vulnerabilities are caused due to the use of vulnerable versions of PHPMailer and Snoopy.

Solution:
Update to version 1.0.6:
https://eduforge.org/frs/?group_id=176

Provided and/or discovered by:
Reported by vendor.

Original Advisory:
http://freshmeat.net/projects/mahara/?branch_id=70828&release_id=287733

Other References:
SA25626:
http://secunia.com/advisories/25626/

SA32361:
http://secunia.com/advisories/32361/

Red Hat update for openoffice.org
Nov 5, 2008 12:56AM PST

Release Date: 2008-11-05

Critical: Highly critical
Impact: DoS, System access
Where: From remote
Solution Status: Vendor Patch
OS: Red Hat Enterprise Linux Desktop (v. 5 client)
    Red Hat Enterprise Linux Desktop Workstation (v. 5 client)
    RedHat Enterprise Linux AS 3
    RedHat Enterprise Linux AS 4
    RedHat Enterprise Linux ES 3
    RedHat Enterprise Linux ES 4
    RedHat Enterprise Linux WS 3
    RedHat Enterprise Linux WS 4
Software: RHEL Optional Productivity Applications (v. 5 server)

Description:
Red Hat has issued an update for openoffice.org. This fixes some vulnerabilities, which potentially can be exploited by malicious people to compromise a user's system.

Solution:
Updated packages are available via Red Hat Network.
http://rhn.redhat.com

Original Advisory:
http://rhn.redhat.com/errata/RHSA-2008-0939.html

Other References:
SA32419:
http://secunia.com/advisories/32419/

Opera update plugs bug brace
Nov 5, 2008 1:22AM PST

History search vuln exorcised

By John Leyden

Opera has updated its browser to plug a pair of critical security holes.

Version 9.62 of the browser fixes a vulnerability in the History Search function which creates a possible mechanism for hackers to inject code. The flaw, discovered by researcher Aviv Raff, left Opera users at risk of attack simply by visiting booby-trapped webpages.

The update also fixes a bug involving the handling of javascript URLs in the Links panel. The flaw left surfers at risk from cross-site scripting attacks when visiting web pages containing frames.

More: http://www.theregister.co.uk/2008/11/05/opera_update/

Several critical holes closed in Adobe Reader 8 and Acrobat
Nov 5, 2008 1:25AM PST

5 November 2008

Adobe has released version 8.1.3 of Adobe Acrobat and the free Acrobat Reader to close eight security holes. Some of the holes allow attackers to inject code into a system and execute it via specially crafted PDF documents. The current versions 9.x of Acrobat and Reader for Windows and Mac are not affected. Therefore, Mac and Windows users can either switch to version 9 or update to 8.1.3.

More: http://www.heise-online.co.uk/security/Several-critical-holes-closed-in-Adobe-Reader-8-and-Acrobat-8--/news/111878

Even more RPC worms for Windows hole
Nov 5, 2008 1:26AM PST

5 November 2008

According to several antivirus vendors, real worms are now exploiting the recently discovered Windows hole in the server service to inject PCs with code via specially crafted RPC packets and infect them this way. Gimmiv.A, the first malware sample discovered in this connection, was not a real worm as it didn't continue to spread itself from infected PCs.

More: http://www.heise-online.co.uk/security/Even-more-RPC-worms-for-Windows-hole--/news/111883

Worm emerges for latest Microsoft flaw
Nov 5, 2008 8:04AM PST

Attacks reported on recently-patched Windows hole

Written by Shaun Nichols in San Francisco

vnunet.com, 05 Nov 2008

A number of security research groups are reporting the emergence of a worm targeting a flaw in the Windows Server Service.

The vulnerability was disclosed and patched last week by Microsoft in an emergency 'out of cycle' update.

The flaw is especially dangerous for Windows 2000, XP and Server 2003 because it can be exploited without user interaction.

More: http://www.vnunet.com/vnunet/news/2229751/worm-emerges-latest-microsoft