
VULNERABILITIES \ FIXES - November 6, 2008

Nov 5, 2008 11:51PM PST

Five Dollar Scripts Drinks Script "recid" SQL Injection Vulnerability

Release Date: 2008-11-06

Critical: Moderately critical
Impact: Manipulation of data, Exposure of sensitive information
Where: From remote
Solution Status: Unpatched
Software: Five Dollar Scripts Drinks Script

Description:
Ex Tacy has reported a vulnerability in Five Dollar Scripts Drinks script, which can be exploited by malicious people to conduct SQL injection attacks.

Input passed to the "recid" parameter in index.php (when "cmd" is set to "6") is not properly sanitised before being used in SQL queries. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code.

Solution:
Edit the source code to ensure that input is properly sanitised.

Provided and/or discovered by:
Ex Tacy

Original Advisory:
http://milw0rm.com/exploits/7007

Debian update for mysql-dfsg-5.0
Nov 5, 2008 11:53PM PST

Release Date: 2008-11-06

Critical: Less critical
Impact: Security Bypass
Where: Local system
Solution Status: Vendor Patch
OS: Debian GNU/Linux 4.0

Description:
Debian has issued an update for mysql-dfsg-5.0. This fixes a security issue, which can be exploited by malicious, local users to bypass certain security restrictions.


Solution:
Apply updated packages.

Original Advisory:
DSA-1662-1:
http://lists.debian.org/debian-security-announce/2008/msg00254.html

Other References:
SA30134:
http://secunia.com/advisories/30134/

Cisco IOS / CatOS VLAN Trunking Protocol Vulnerability
Nov 5, 2008 11:54PM PST

Release Date: 2008-11-06

Critical: Less critical
Impact: DoS
Where: From local network
Solution Status: Unpatched
OS: Cisco Catalyst 6500 Series 12.x
Cisco CATOS 5.x
Cisco CATOS 6.x
Cisco CATOS 7.x
Cisco CATOS 8.x
Cisco IOS 10.x
Cisco IOS 11.x
Cisco IOS 12.x
Cisco IOS R11.x
Cisco IOS R12.x
Cisco IOS XR 3.x

Description:
A vulnerability has been reported in Cisco IOS/CatOS, which can be exploited by malicious people to cause a DoS (Denial of Service).

The vulnerability is caused due to an unspecified error in the handling of VLAN Trunking Protocol (VTP) packets. This can be exploited to crash an affected device by sending a specially crafted packet to a switch interface configured to operate as a trunk port.

Successful exploitation requires that "VTP Operating Mode" is set to "server" or "client".

The vulnerability is reported in Cisco IOS, CatOS, and Cisco IOS with Ethernet Switch Modules for Cisco 1800/2600/2800/3600/3700/3800 Series Routers.

Solution:
Apply configuration best practices to limit exposure to exploitation (please see the vendor advisory for details).

Provided and/or discovered by:
The vendor credits showrun.lee.

Original Advisory:
Cisco:
http://www.cisco.com/warp/public/707/cisco-sr-20081105-vtp.shtml

Drupal Content Construction Kit Script Insertion Vulnerability
Nov 5, 2008 11:55PM PST

Release Date: 2008-11-06

Critical: Less critical
Impact: Cross Site Scripting
Where: From remote
Solution Status: Vendor Patch
Software: Drupal Content Construction Kit 5.x
Drupal Content Construction Kit 6.x

Description:
Some vulnerabilities have been reported in the Drupal Content Construction Kit (CCK), which can be exploited by malicious users to conduct script insertion attacks.

Input passed to unspecified field labels and "content-type" names is not properly sanitised before being stored. This can be exploited to insert arbitrary HTML and script code, which is executed in a user's browser session in context of an affected site when the malicious data is viewed.

Successful exploitation requires "administer content" privileges.

The vulnerabilities are reported in the following versions:
* CCK for Drupal 5.x prior to 5.x-1.10
* CCK for Drupal 6.x prior to 6.x-2.0

Solution:
Drupal 5.x:
Update to CCK version 5.x-1.10.
http://drupal.org/node/330570

Drupal 6.x:
Update to CCK version 6.x-2.0.
http://drupal.org/node/330573

Provided and/or discovered by:
Reported by the vendor.

Original Advisory:
http://drupal.org/node/330546

VLC Media Player CUE and RealText Processing Buffer Overflow
Nov 5, 2008 11:56PM PST

Release Date: 2008-11-06

Critical: Highly critical
Impact: System access
Where: From remote
Solution Status: Vendor Patch
Software: VLC media player 0.x

Description:
Two vulnerabilities have been reported in VLC Media Player, which potentially can be exploited by malicious people to compromise a user's system.

Solution:
Update to version 0.9.6.

Provided and/or discovered by:
The vendor credits Tobias Klein.

Original Advisory:
VideoLAN:
http://www.videolan.org/security/sa0810.html

Tobias Klein:
http://www.trapkit.de/advisories/TKADV2008-011.txt
http://www.trapkit.de/advisories/TKADV2008-012.txt

New critical vulnerabilities in VLC media player
Nov 6, 2008 12:46AM PST
Adobe ColdFusion Sandbox Security Bypass Vulnerability
Nov 5, 2008 11:57PM PST

Release Date: 2008-11-06

Critical: Less critical
Impact: Security Bypass
Where: Local system
Solution Status: Vendor Patch
Software: Adobe ColdFusion 8.x
Adobe ColdFusion MX 7.x

Description:
A vulnerability has been reported in Adobe ColdFusion, which can be exploited by malicious, local users to bypass certain security restrictions.

The vulnerability is caused due to an unspecified error. This can be exploited to bypass sandbox security and e.g. gain access to restricted files.

The vulnerability affects ColdFusion 8, ColdFusion 8.0.1, and ColdFusion MX 7.0.2.

Solution:
Apply patches. Please see the vendor's advisory for more information.

ColdFusion 8.0.1:
http://www.adobe.com/support/security/bulletins/downloads/hf801-73122.jar

ColdFusion 8.0.0:
http://www.adobe.com/support/security/bulletins/downloads/hf800-73122.jar

ColdFusion 7.0.2:
http://www.adobe.com/support/security/bulletins/downloads/hf702-73122.jar

Provided and/or discovered by:
The vendor credits Jochem van Dieten.

Original Advisory:
Adobe:
http://www.adobe.com/support/security/bulletins/apsb08-21.html

Ubuntu update for system-tools-backends
Nov 5, 2008 11:58PM PST

Release Date: 2008-11-06

Critical: Not critical
Impact: Brute force
Where: From remote
Solution Status: Vendor Patch
OS: Ubuntu Linux 8.10

Description:
Ubuntu has issued an update for system-tools-backend. This fixes a weakness, which can be exploited by malicious people to conduct brute force attacks.

The weakness is caused due to the "Users and Groups" tool using 3DES instead of MD5 when setting passwords for users. This may weaken the security as passwords are limited to 8 characters.

Solution:
Apply updated packages.

Provided and/or discovered by:
Reported in a bug by Ivan Zorin.

Original Advisory:
USN-663-1:
https://lists.ubuntu.com/archives/ubu...ty-announce/2008-November/000771.html

PHPX "news_id" SQL Injection Vulnerability
Nov 5, 2008 11:59PM PST

Release Date: 2008-11-06

Critical: Moderately critical
Impact: Manipulation of data, Exposure of sensitive information
Where: From remote
Solution Status: Unpatched
Software: PHPX 3.x

Description:
StAkeR has discovered a vulnerability in PHPX, which can be exploited by malicious people to conduct SQL injection attacks.

Input passed via the "news_id" parameter to includes/news.inc.php is not properly sanitised before being used in SQL queries. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code.

Successful exploitation requires that "magic_quotes_gpc" is disabled.

This vulnerability is confirmed in version 3.5.16. Other versions may also be affected.

Solution:
Edit the source code to ensure that input is properly sanitised.

Provided and/or discovered by:
StAkeR

Original Advisory:
http://milw0rm.com/exploits/6996

Pre Podcast Portal "id" SQL Injection Vulnerability
Nov 6, 2008 12:00AM PST

Release Date: 2008-11-06

Critical: Moderately critical
Impact: Manipulation of data, Exposure of sensitive information
Where: From remote
Solution Status: Unpatched
Software: Pre Podcast Portal

Description:
G4N0K has reported a vulnerability in Pre Podcast Portal, which can be exploited by malicious people to conduct SQL injection attacks.

Input passed to the "id" parameter in tour.php is not properly sanitised before being used in SQL queries. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code.

Solution:
Edit the source code to ensure that input is properly sanitised.

Provided and/or discovered by:
G4N0K

Original Advisory:
http://www.milw0rm.com/exploits/6997

PreProjects Products Cookie Security Bypass Vulnerability
Nov 6, 2008 12:01AM PST

Release Date: 2008-11-06

Critical: Moderately critical
Impact: Security Bypass
Where: From remote
Solution Status: Unpatched
Software: Pre Classified Listings PHP
Pre Shopping Mall

Description:
G4N0K has reported a vulnerability in multiple PreProjects products, which can be exploited by malicious people to bypass certain security restrictions.

The vulnerability is caused due to the applications allowing access to the admin interface by checking if certain cookies exist. This can be exploited to gain administrative access to the applications by creating the cookies "adminname" with the value "admin" and "adminid" with the value "admin".

This vulnerability is reported in the following products:
- Pre Classified Listings PHP
- Pre Shopping Mall

Solution:
Ensure that proper access restrictions are implemented.

Provided and/or discovered by:
G4N0K

Original Advisory:
http://www.milw0rm.com/exploits/6998
http://www.milw0rm.com/exploits/7000
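As an added illustration (not code from the advisory or from the PreProjects products, whose source is not shown here), the following Python sketch models the cookie-presence check the advisory describes next to a server-side session check of the kind "proper access restrictions" calls for. SERVER_SECRET, SESSION_STORE and all function names are assumptions made for the example.

```python
import hashlib
import hmac
import secrets

# Hypothetical server-side signing key (assumption, not from the advisory).
SERVER_SECRET = secrets.token_bytes(32)

# Constructed stand-in for a server-side session store: session id -> username.
SESSION_STORE: dict[str, str] = {}


def is_admin_vulnerable(cookies: dict[str, str]) -> bool:
    """The weak check described in the advisory: the admin interface is
    unlocked merely because the "adminname" and "adminid" cookies exist.
    Cookies are entirely client-controlled, so this proves nothing."""
    return "adminname" in cookies and "adminid" in cookies


def issue_session(username: str) -> str:
    """Server-side login step: mint a random session id, bind it to the
    authenticated user in the store, and return an HMAC-signed cookie value."""
    session_id = secrets.token_hex(16)
    SESSION_STORE[session_id] = username
    tag = hmac.new(SERVER_SECRET, session_id.encode(), hashlib.sha256).hexdigest()
    return f"{session_id}.{tag}"


def is_admin_hardened(cookies: dict[str, str], admins: set[str]) -> bool:
    """Hardened check: the "session" cookie must carry a server-issued id with
    a valid HMAC, that id must still exist server-side, and the user bound to
    it must be an administrator. A client cannot forge any of these."""
    cookie = cookies.get("session", "")
    session_id, sep, tag = cookie.partition(".")
    if not sep:
        return False
    expected = hmac.new(SERVER_SECRET, session_id.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, tag):  # constant-time comparison
        return False
    user = SESSION_STORE.get(session_id)
    return user is not None and user in admins
```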

PTK Command Execution Vulnerability
Nov 6, 2008 12:02AM PST

Release Date: 2008-11-06

Critical: Less critical
Impact: System access
Where: From remote
Solution Status: Vendor Patch
Software: PTK 1.x

Description:
A vulnerability has been reported in PTK, which can be exploited by malicious people to compromise a vulnerable system.

The vulnerability is caused due to an input validation error when handling file names within e.g. binary images. This can be exploited to manipulate parameters passed to the "get_file_type()" function in file_content.php, and inject and execute arbitrary commands with the privileges of the web server.

Successful exploitation requires that a user opens a malicious image and examines a file with a specially crafted file name.

The vulnerability is reported in version 1.0.

Solution:
Update to version 1.0.1.

Provided and/or discovered by:
Luca "ikki" Carettoni

Original Advisory:
PTK:
http://ptk.dflabs.com/faq.html#security

Luca "ikki" Carettoni:
http://www.ikkisoft.com/stuff/LC-2008-07.txt

Joomla Dada Mail Manager Component "mosConfig_absolute_path"
Nov 6, 2008 12:03AM PST

Release Date: 2008-11-06

Critical: Highly critical
Impact: System access
Where: From remote
Solution Status: Unpatched
Software: Dada Mail Manager 2.x (component for Joomla)

Description:
NoGe has discovered a vulnerability in the Dada Mail Manager component for Joomla, which can be exploited by malicious people to compromise a vulnerable system.

Input passed to the "mosConfig_absolute_path" parameter in administrator/components/com_dadamail/config.dadamail.php is not properly verified before being used to include files. This can be exploited to include arbitrary files from local or external resources.

This vulnerability is confirmed in Dada Mail Manager version 2.6. Other versions may also be affected.

Solution:
Edit the source code to ensure that input is properly verified.

Provided and/or discovered by:
NoGe

Original Advisory:
http://milw0rm.com/exploits/7002

PHP Auto Listings "itemno" SQL Injection Vulnerability
Nov 6, 2008 12:04AM PST

Release Date: 2008-11-06

Critical: Moderately critical
Impact: Manipulation of data
Where: From remote
Solution Status: Unpatched
Software: PHP Auto Listings

Description:
G4N0K has reported a vulnerability in PHP Auto Listings, which can be exploited by malicious people to conduct SQL injection attacks.

Input passed to the "itemno" parameter in moreinfo.php is not properly sanitised before being used in SQL queries. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code.

Successful exploitation requires that "magic_quotes_gpc" is disabled.

Solution:
Edit the source code to ensure that input is properly sanitised.

Provided and/or discovered by:
G4N0K

Original Advisory:
http://milw0rm.com/exploits/7003

Fedora update for net-snmp
Nov 6, 2008 12:05AM PST

Release Date: 2008-11-06

Critical: Less critical
Impact: DoS
Where: From local network
Solution Status: Vendor Patch
OS: Fedora 8
Fedora 9

Description:
Fedora has issued an update for net-snmp. This fixes some vulnerabilities, which can be exploited by malicious people to cause a DoS (Denial of Service).

Solution:
Apply updated packages via the yum utility ("yum update net-snmp").

Original Advisory:
FEDORA-2008-9362:
https://www.redhat.com/archives/fedor...-announce/2008-November/msg00021.html

FEDORA-2008-9367:
https://www.redhat.com/archives/fedor...-announce/2008-November/msg00033.html

Other References:
SA32560:
http://secunia.com/advisories/32560/

Fedora update for enscript
Nov 6, 2008 12:06AM PST

Release Date: 2008-11-06

Critical: Moderately critical
Impact: System access
Where: From remote
Solution Status: Vendor Patch
OS: Fedora 8
Fedora 9

Description:
Fedora has issued an update for enscript. This fixes some vulnerabilities, which can be exploited by malicious people to compromise a vulnerable system.

Solution:
Apply updated packages via the yum utility ("yum update package").

Original Advisory:
FEDORA-2008-9351:
https://www.redhat.com/archives/fedor...-announce/2008-November/msg00014.html

FEDORA-2008-9372:
https://www.redhat.com/archives/fedor...-announce/2008-November/msg00040.html

Other References:
SA32137:
http://secunia.com/advisories/32137/

Fedora update for ktorrent
Nov 6, 2008 12:08AM PST

Release Date: 2008-11-06

Critical: Moderately critical
Impact: Security Bypass, System access
Where: From remote
Solution Status: Vendor Patch
OS: Fedora 8
Fedora 9

Description:
Fedora has issued an update for ktorrent. This fixes some vulnerabilities, which can be exploited by malicious users to compromise a vulnerable system and by malicious people to bypass certain security restrictions.

Solution:
Apply updated packages using the yum utility ("yum update ktorrent").

Original Advisory:
FEDORA-2008-9167:
https://www.redhat.com/archives/fedor...e-announce/2008-October/msg00781.html

FEDORA-2008-9267:
https://www.redhat.com/archives/fedor...-announce/2008-November/msg00054.html

Other References:
SA32442:
http://secunia.com/advisories/32442/

Fedora update for uw-imap
Nov 6, 2008 12:09AM PST

Release Date: 2008-11-06

Critical: Moderately critical
Impact: Privilege escalation, System access
Where: From remote
Solution Status: Vendor Patch
OS: Fedora 8
Fedora 9

Description:
Fedora has issued an update for uw-imap. This fixes some vulnerabilities, which can be exploited by malicious, local users to potentially gain escalated privileges, and by malicious people to potentially compromise a vulnerable system.

Solution:
Apply updated packages via the yum utility ("yum update uw-imap").

Original Advisory:
FEDORA-2008-9383:
https://www.redhat.com/archives/fedor...-announce/2008-November/msg00058.html

FEDORA-2008-9396:
https://www.redhat.com/archives/fedor...-announce/2008-November/msg00082.html

Other References:
SA32483:
http://secunia.com/advisories/32483/

Security hole in ndiswrapper for Linux
Nov 6, 2008 12:42AM PST

6 November 2008

A flaw in ndiswrapper's Windows Wi-Fi driver support compromises the security of Linux systems. It is caused by a buffer overflow, triggered when an extremely long Extended Service Set IDentifier (ESSID) is processed. According to the security notice it is sufficient for an attacker to be within range of a vulnerable client and send specially crafted packets. A security report from Ubuntu says this allows code to be injected into a system and executed at kernel privilege level.

More: http://www.heise-online.co.uk/security/Security-hole-in-ndiswrapper-for-Linux--/news/111895

Nagios update closes "Cross Site Request Forgery" hole
Nov 6, 2008 12:43AM PST
Patch for Apache Struts closes two holes
Nov 6, 2008 12:45AM PST

6 November 2008

Apache Struts, an open source framework for Java-based web applications, has been found to contain two vulnerabilities. A directory traversal vulnerability in the "FilterDispatcher" and "DefaultStaticContentLoader" classes allows attackers to traverse the server path and download files without permission. Another vulnerability allows server side objects to be manipulated using specially crafted OGNL (Object-Graph Navigation Language) commands. This problem is rated as critical by the developers.

More: http://www.heise-online.co.uk/security/Patch-for-Apache-Struts-closes-two-holes--/news/111898

Root rights on Google's Android
Nov 6, 2008 12:47AM PST

6 November 2008

The PTerminal program available from the Android Market can be used to allow a user to log in remotely to HTC's G1 Android smartphone and explore the underlying Linux system with root rights. The terminal program allows the user to run telnetd, the Telnet daemon, on the smartphone. With this running, the user can then use a telnet client to log into the phone. Upon logging in, the user will find that they have root rights and can manipulate any file on the system. Interestingly, the telnetd program does not appear to be set to run setuid-root, posing questions on how Android's security model works.

More: http://www.heise-online.co.uk/security/Root-rights-on-Google-s-Android--/news/111901

Adobe releases Flash Player 9.0.151.0 after all
Nov 6, 2008 12:49AM PST

6 November 2008

Adobe has released version 9.0.151.0 of Flash Player to avoid letting down those users who for certain reasons can't update to the current version 10. This includes the users of Microsoft Windows 98, Windows ME, Mac OS X 10.1 to 10.3 and Red Hat Enterprise Linux 3 and 4. According to Adobe, version 10 does not work on these systems. Adobe had initially planned to discontinue its support of the series 9 versions.

More: http://www.heise-online.co.uk/security/Adobe-releases-Flash-Player-9-0-151-0-after-all--/news/111902

Adobe issues 'critical' security update
Nov 6, 2008 12:54AM PST

Patch fixes eight flaws in Reader and Acrobat

Written by Shaun Nichols in San Francisco

vnunet.com, 06 Nov 2008

Adobe has issued a new patch for certain versions of its Reader and Acrobat applications.

The company is recommending that users and administrators install the patches for systems running Acrobat and Reader 8.

The security update includes fixes for the 8.1.2 and earlier releases of Adobe Reader and Acrobat Standard, Professional and 3D.

More: http://www.vnunet.com/vnunet/news/2229882/adobe-issues-security-update