
VULNERABILITIES \ FIXES - November 12, 2008

Nov 12, 2008 12:39AM PST

ActiveCampaign TrioLive "department_id" SQL Injection

Release Date: 2008-11-12

Critical:
Moderately critical
Impact: Cross Site Scripting
Manipulation of data

Where: From remote
Solution Status: Vendor Patch


Software: ActiveCampaign TrioLive 1.x

Description:
Russ McRee has reported a vulnerability in ActiveCampaign TrioLive, which can be exploited by malicious people to conduct SQL injection attacks.

Input passed to the "department_id" parameter in index.php is not properly sanitised before being used in an SQL query. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code.

NOTE: This can further be exploited to execute arbitrary HTML and script code in a user's browser session in context of an affected site via SQL error messages.

The vulnerability is reported in versions prior to 1.58.7.

Solution:
Update to version 1.58.7 or apply the vendor patch.
http://activecampaign.com/support/forum/showthread.php?t=4554

Provided and/or discovered by:
Russ McRee, HolisticInfoSec

Original Advisory:
ActiveCampaign:
http://activecampaign.com/support/forum/showthread.php?t=4554

HolisticInfoSec:
http://holisticinfosec.org/content/view/93/45/

Fedora update for blender
Nov 12, 2008 12:40AM PST

Release Date: 2008-11-12

Critical:
Less critical
Impact: Privilege escalation

Where: Local system
Solution Status: Vendor Patch


OS: Fedora 8
Fedora 9



Description:
Fedora has issued an update for blender. This fixes a vulnerability, which can be exploited by malicious, local users to gain escalated privileges.

Solution:
Apply updated packages via the yum utility ("yum update blender").

Original Advisory:
FEDORA-2008-9411:
https://www.redhat.com/archives/fedor...-announce/2008-November/msg00303.html

FEDORA-2008-9447:
https://www.redhat.com/archives/fedor...-announce/2008-November/msg00243.html

Other References:
SA32680:
http://secunia.com/advisories/32680/

ooVoo URI Handler Buffer Overflow Vulnerability
Nov 12, 2008 12:41AM PST

Release Date: 2008-11-12

Critical:
Highly critical
Impact: System access

Where: From remote
Solution Status: Unpatched


Software: ooVoo 1.x

Description:
bruiser has discovered a vulnerability in ooVoo, which potentially can be exploited by malicious people to compromise a user's system.

The vulnerability is caused due to a boundary error within the handling of command line arguments. This can be exploited to cause a stack-based buffer overflow by e.g. tricking a user into visiting a malicious web site, which passes an overly long string to the "ooVoo:" URI handler.

Successful exploitation may allow execution of arbitrary code.

The vulnerability is confirmed in versions 1.7.1.35 and 1.7.1.57. Other versions may also be affected.

Solution:
Do not follow untrusted links or browse untrusted websites.

Provided and/or discovered by:
bruiser, Nine Situations Group

Original Advisory:
http://milw0rm.com/exploits/7090

Ubuntu update for gnome-screensaver
Nov 12, 2008 12:43AM PST

Release Date: 2008-11-12

Critical:
Not critical
Impact: Security Bypass
Exposure of sensitive information

Where: Local system
Solution Status: Vendor Patch


OS: Ubuntu Linux 6.06
Ubuntu Linux 7.10

Description:
Ubuntu has issued an update for gnome-screensaver. This fixes a weakness and a security issue, which can be exploited by malicious people with physical access to disclose potentially sensitive information or bypass certain security restrictions.

Solution:
Apply updated packages.

Original Advisory:
USN-669-1:
https://lists.ubuntu.com/archives/ubu...ty-announce/2008-November/000776.html

Other References:
SA29595:
http://secunia.com/advisories/29595/

Apple iLife / Aperture Image Processing Vulnerabilities
Nov 12, 2008 12:44AM PST

Release Date: 2008-11-12

Critical:
Highly critical
Impact: DoS
System access

Where: From remote
Solution Status: Vendor Patch


Software: Apple Aperture 2.x
Apple iLife 8.x

Description:
Apple has acknowledged some vulnerabilities in Apple iLife and Aperture, which can potentially be exploited by malicious people to compromise a user's system.

Solution:
Apply iLife Support 8.3.1.
http://www.apple.com/support/downloads/ilifesupport831.html

Original Advisory:
Apple:
http://support.apple.com/kb/HT3276

Other References:
SA31610:
http://secunia.com/advisories/31610/

SA31882:
http://secunia.com/advisories/31882/

Red Hat update for gnutls
Nov 12, 2008 12:45AM PST

Release Date: 2008-11-12

Critical:
Moderately critical
Impact: Security Bypass
Spoofing

Where: From remote
Solution Status: Vendor Patch


OS: Red Hat Enterprise Linux (v. 5 server)
Red Hat Enterprise Linux Desktop (v. 5 client)
Red Hat Enterprise Linux Desktop Workstation (v. 5 client)

Description:
Red Hat has issued an update for gnutls. This fixes a vulnerability, which can be exploited by malicious people to bypass certain security restrictions.

Solution:
Updated packages are available via Red Hat Network.
http://rhn.redhat.com

Original Advisory:
https://rhn.redhat.com/errata/RHSA-2008-0982.html

Other References:
SA32619:
http://secunia.com/advisories/32619/

Red Hat update for httpd
Nov 12, 2008 12:46AM PST

Release Date: 2008-11-12

Critical:
Less critical
Impact: Cross Site Scripting
DoS

Where: From remote
Solution Status: Vendor Patch


OS: Red Hat Enterprise Linux (v. 5 server)
Red Hat Enterprise Linux Desktop (v. 5 client)
Red Hat Enterprise Linux Desktop Workstation (v. 5 client)
RedHat Enterprise Linux AS 3
RedHat Enterprise Linux AS 4
RedHat Enterprise Linux ES 3
RedHat Enterprise Linux ES 4
RedHat Enterprise Linux WS 3
RedHat Enterprise Linux WS 4

Description:
Red Hat has issued an update for httpd. This fixes some vulnerabilities, which can be exploited by malicious people to conduct cross-site scripting attacks or potentially cause a DoS (Denial of Service).

Solution:
Updated packages are available via Red Hat Network.
http://rhn.redhat.com

Original Advisory:
http://rhn.redhat.com/errata/RHSA-2008-0967.html

Other References:
SA30621:
http://secunia.com/advisories/30621/

SA31384:
http://secunia.com/advisories/31384/

Fedora update for gnutls
Nov 12, 2008 12:47AM PST

Release Date: 2008-11-12

Critical:
Moderately critical
Impact: Security Bypass
Spoofing

Where: From remote
Solution Status: Vendor Patch


OS: Fedora 8
Fedora 9

Description:
Fedora has issued an update for gnutls. This fixes a vulnerability, which can be exploited by malicious people to bypass certain security restrictions.

Solution:
Apply updated packages via the yum utility ("yum update gnutls").

Original Advisory:
FEDORA-2008-9600:
https://www.redhat.com/archives/fedor...-announce/2008-November/msg00293.html

FEDORA-2008-9530:
https://www.redhat.com/archives/fedor...-announce/2008-November/msg00222.html

Other References:
SA32619:
http://secunia.com/advisories/32619/

Blender Insecure Python Module Search Path Vulnerability
Nov 12, 2008 12:48AM PST

Release Date: 2008-11-12

Critical:
Less critical
Impact: Privilege escalation

Where: Local system
Solution Status: Unpatched


Software: Blender 2.x

Description:
A vulnerability has been reported in Blender, which can be exploited by malicious, local users to gain escalated privileges.

The vulnerability is caused due to Blender using the current working directory as part of the module search path, which can be exploited to e.g. execute arbitrary Python code with the privileges of another user by tricking the user into executing Blender in a directory containing a Python file named like one of the modules Blender uses.

The vulnerability is reported in version 2.48. Other versions may also be affected.

Solution:
Do not execute Blender in untrusted directories.

Provided and/or discovered by:
James Vega

Original Advisory:
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=503632

smcFanControl "main()" Privilege Escalation Vulnerability
Nov 12, 2008 12:50AM PST

Release Date: 2008-11-12

Critical:
Less critical
Impact: Privilege escalation

Where: Local system
Solution Status: Vendor Patch


Software: smcFanControl 2.x

Description:
KaiJern Lau has reported a vulnerability in smcFanControl, which can be exploited by malicious, local users to gain escalated privileges.

The vulnerability is caused due to a boundary error in the "main()" function of the "smc" setuid root binary. This can be exploited to cause a stack-based buffer overflow via an overly long "-k" option.

Successful exploitation allows the execution of arbitrary code with escalated privileges.

The vulnerability is reported in version 2.1.2. Prior versions may also be affected.

Solution:
Update to version 2.1.3.1.
http://www.macupdate.com/info.php/id/23049

Provided and/or discovered by:
KaiJern Lau, vnsecurity

Original Advisory:
smcFanControl:
http://www.macupdate.com/info.php/id/23049

KaiJern Lau:
http://blog.xwings.net/?p=127

buymyscripts.net Lyrics Script "k" Cross-Site Scripting Vuln
Nov 12, 2008 12:51AM PST

Release Date: 2008-11-12

Critical:
Less critical
Impact: Cross Site Scripting

Where: From remote
Solution Status: Unpatched


Software: buymyscripts.net Lyrics Script


Description:
A vulnerability has been reported in buymyscripts.net Lyrics Script, which can be exploited by malicious people to conduct cross-site scripting attacks.

Input passed to the "k" parameter in search_results.php is not properly sanitised before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user's browser session in the context of an affected site.

Solution:
Edit the source code to ensure that input is properly sanitised.

Provided and/or discovered by:
Ghost Hacker

buymyscripts.net Clickbank Portal "keyword" Cross-Site Scrip
Nov 12, 2008 12:52AM PST

Release Date: 2008-11-12

Critical:
Less critical
Impact: Cross Site Scripting

Where: From remote
Solution Status: Unpatched


Software: buymyscripts.net Clickbank Portal

Description:
A vulnerability has been reported in buymyscripts.net Clickbank Portal, which can be exploited by malicious people to conduct cross-site scripting attacks.

Input passed to the "keyword" parameter in search.php is not properly sanitised before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user's browser session in the context of an affected site.

Solution:
Edit the source code to ensure that input is properly sanitised.

Provided and/or discovered by:
Ghost Hacker

buymyscripts.net Recipe Website Script "keyword" Cross-Site
Nov 12, 2008 12:53AM PST

Release Date: 2008-11-12

Critical:
Less critical
Impact: Cross Site Scripting

Where: From remote
Solution Status: Unpatched


Software: buymyscripts.net Recipe Website Script

Description:
A vulnerability has been reported in buymyscripts.net Recipe Website Script, which can be exploited by malicious people to conduct cross-site scripting attacks.

Input passed to the "keyword" parameter in search.php is not properly sanitised before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user's browser session in the context of an affected site.

Solution:
Edit the source code to ensure that input is properly sanitised.

Provided and/or discovered by:
Ghost Hacker

PozScripts Business Directory Script "cid" SQL Injection Vul
Nov 12, 2008 12:54AM PST

Release Date: 2008-11-12

Critical:
Moderately critical
Impact: Manipulation of data

Where: From remote
Solution Status: Unpatched


Software: PozScripts Business Directory Script

Description:
Hussin X has reported a vulnerability in PozScripts Business Directory Script, which can be exploited by malicious people to conduct SQL injection attacks.

Input passed to the "cid" parameter in showcategory.php is not properly sanitised before being used in SQL queries. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code.

Solution:
Edit the source code to ensure that input is properly sanitised.

Provided and/or discovered by:
Hussin X

Original Advisory:
http://milw0rm.com/exploits/7098

Siemens SpeedStream 5200 "Host" Header Authentication Bypass
Nov 12, 2008 12:55AM PST

Release Date: 2008-11-12

Critical:
Less critical
Impact: Security Bypass

Where: From local network
Solution Status: Unpatched


OS: Siemens SpeedStream 5200

Description:
hkm has reported a vulnerability in Siemens SpeedStream 5200, which can be exploited by malicious people to bypass certain security restrictions.

The vulnerability is caused due to an error in the authentication process when processing HTTP "Host" headers. This can be exploited to bypass authentication and e.g. download the router configuration via an HTTP request containing a wrong "Host" header.

Solution:
Restrict access to the affected device.

Provided and/or discovered by:
hkm

Original Advisory:
http://milw0rm.com/exploits/7055

MemHT Portal "title" SQL Injection Vulnerability
Nov 12, 2008 12:56AM PST

Release Date: 2008-11-12

Critical:
Moderately critical
Impact: Manipulation of data
Exposure of sensitive information

Where: From remote
Solution Status: Vendor Patch


Software: MemHT Portal 4.x

Description:
Ams has discovered a vulnerability in MemHT Portal, which can be exploited by malicious people to conduct SQL injection attacks.

Input passed to the "title" parameter in files/pages/articles/path.php (when "page" is set to "articles" and "op" is set to "readArticle") is not properly sanitised before being used in SQL queries. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code.

This vulnerability is confirmed in version 4.0.0. Other versions may also be affected.

Solution:
Update to version 4.0.1.

Provided and/or discovered by:
Ams

Original Advisory:
http://milw0rm.com/exploits/7057

2Wire Routers Denial of Service Vulnerability
Nov 12, 2008 12:57AM PST

Release Date: 2008-11-12

Critical:
Less critical
Impact: DoS

Where: From remote
Solution Status: Unpatched


OS: 2Wire HomePortal Series
2Wire OfficePortal Series

Description:
hkm has reported a vulnerability in various 2Wire Routers, which can be exploited by malicious people to cause a DoS (Denial of Service).

The vulnerability is caused due to an error when processing parameters passed to the "xslt" script. This can be exploited to disrupt network connectivity via a "page" parameter containing a specially crafted value.

Successful exploitation requires that a user e.g. visits a specially crafted web page.

The vulnerability is reported in router models 1701HG, 1800HW, 2071HG, and 2700HG.

Solution:
Do not visit untrusted websites or follow untrusted links.

Provided and/or discovered by:
hkm

Original Advisory:
http://milw0rm.com/exploits/7060

PHPStore Multiple Products File Upload Vulnerability
Nov 12, 2008 12:58AM PST

Release Date: 2008-11-12

Critical:
Highly critical
Impact: System access

Where: From remote
Solution Status: Unpatched


Software: PHPStore Car Dealers
PHPStore Complete Classifieds Script
PHPStore PHP Job Search
PHPStore Real Estate

Description:
ZoRLu has reported a vulnerability in multiple PHPStore products, which can be exploited by malicious users to compromise a vulnerable system.

The vulnerability is caused due to the application not properly verifying the file type of uploaded logos. This can be exploited to upload files with arbitrary extensions and potentially execute arbitrary PHP code.

This vulnerability is reported in the following products:
* PHPStore Car Dealers
* PHPStore Real Estate
* PHPStore Complete Classifieds Script
* PHPStore PHP Job Search

Solution:
Use another product.

Provided and/or discovered by:
ZoRLu

Original Advisory:
http://www.milw0rm.com/exploits/7082
http://www.milw0rm.com/exploits/7083
http://www.milw0rm.com/exploits/7084
http://www.milw0rm.com/exploits/7085

Sun Solaris IP Filter DNS Cache Poisoning
Nov 12, 2008 1:00AM PST

Release Date: 2008-11-12

Critical:
Moderately critical
Impact: Spoofing

Where: From remote
Solution Status: Vendor Patch


OS: Sun Solaris 10



Description:
A vulnerability has been reported in Sun Solaris, which can be exploited by malicious people to poison the DNS cache.

The vulnerability is caused due to an error in the handling of DNS traffic and can be exploited to poison the DNS cache.

Successful exploitation requires that IP Filter (ipfilter(5)) is configured to provide Network Address Translation (NAT) on DNS servers.

Solution:
Apply patches.

Provided and/or discovered by:
The vendor credits CERT/CC.

Original Advisory:
http://sunsolve.sun.com/search/document.do?assetkey=1-66-245206-1

Other References:
SA31014:
http://secunia.com/advisories/31014/

Trend Micro ServerProtect Multiple Vulnerabilities
Nov 12, 2008 1:01AM PST

Release Date: 2008-11-12

Critical:
Moderately critical
Impact: DoS
System access

Where: From local network
Solution Status: Unpatched


Software: Trend Micro ServerProtect for EMC Celerra 5.x
Trend Micro ServerProtect for Network Appliance Filer 5.x
Trend Micro ServerProtect for Windows/NetWare 5.x



Description:
Some vulnerabilities have been reported in Trend Micro ServerProtect, which potentially can be exploited by malicious people to compromise a vulnerable system.

Solution:
Restrict network access to the product.

Provided and/or discovered by:
1) David Dewey of ISS X-Force
2) David Dewey and Chris Valasek of ISS X-Force

Original Advisory:
ISS X-Force:
http://www.iss.net/threats/307.html
http://www.iss.net/threats/308.html
http://www.iss.net/threats/309.html
http://www.iss.net/threats/310.html

Sun Java System Identity Manager Multiple Vulnerabilities
Nov 12, 2008 1:02AM PST

Release Date: 2008-11-12

Critical:
Moderately critical
Impact: Security Bypass
Cross Site Scripting

Where: From remote
Solution Status: Vendor Patch


Software: Sun Java System Identity Manager 6.x
Sun Java System Identity Manager 7.x

Description:
Some vulnerabilities have been reported in Sun Java System Identity Manager, which can be exploited by malicious people to conduct cross-site scripting attacks and to bypass certain security restrictions.

The vulnerabilities are reported in Sun Java System Identity Manager 6.0 (including SP1, SP2, SP3, and SP4), 7.0, and 7.1.

Solution:
Apply patches.

Provided and/or discovered by:
The vendor credits Richard Brain, Adrian Pastor and Jan Fry of ProCheckup Ltd.

Original Advisory:
http://sunsolve.sun.com/search/document.do?assetkey=1-66-243386-1

Other References:
SA28356:
http://secunia.com/advisories/28356/

AJSquare Free Polling Script Authentication Bypass Vulnerabi
Nov 12, 2008 1:03AM PST

Release Date: 2008-11-12

Critical:
Moderately critical
Impact: Security Bypass

Where: From remote
Solution Status: Unpatched


Software: AJ Square Free Polling Script



Description:
G4N0K has discovered a vulnerability in AJ Square Free Polling Script, which can be exploited by malicious people to bypass certain security restrictions.

The vulnerability is caused due to various scripts in the "admin" folder (e.g. "include/newpoll.php" and "resetvote.php") not being properly restricted to administrators. This can be exploited to e.g. perform administrative actions by accessing the affected file directly.

Solution:
Ensure that administrative scripts are properly restricted (e.g. via ".htaccess").

Provided and/or discovered by:
G4N0K

Original Advisory:
http://milw0rm.com/exploits/7086

Hacking SOHO Routers
Nov 12, 2008 1:05AM PST

12 Nov. 2008

Summary
The purpose of this paper is to outline the security measures being taken by vendors to prevent such attacks in their home routing products, what those security measures accomplish, and where they fall short. We will use existing network tools to examine common vulnerabilities in a range of popular devices and demonstrate weaknesses in the security of those devices; additionally, we will examine common trends in security measures that have been duplicated across vendors, and examine how those trends help and hinder the security of their devices. In particular, we will examine the following home routers, which are some of the latest offerings from their respective vendors at the time of this writing:
* Linksys WRT160N
* D-Link DIR-615
* Belkin F5D8233-4v3
* ActionTec MI424-WR

Credit:
The information has been provided by SourceSec DevTeam.
The original article can be found at: http://www.sourcesec.com/Lab/soho_router_report.pdf

http://www.securiteam.com/securityreviews/6D00C0KN5S.html

Vulnerability in SMB Allows Code Execution (MS08-068)
Nov 12, 2008 1:06AM PST

12 Nov. 2008

Summary
This security update resolves a publicly disclosed vulnerability in Microsoft Server Message Block (SMB) Protocol. The vulnerability could allow remote code execution on affected systems. An attacker who successfully exploited this vulnerability could install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.

This security update is rated Important for all supported editions of Microsoft Windows 2000, Windows XP, and Windows Server 2003, and Moderate for all supported editions of Windows Vista and Windows Server 2008. For more information, see the subsection, Affected and Non-Affected Software, in this section.

Credit:
The information has been provided by Microsoft Product Security.
The original article can be found at: http://www.microsoft.com/technet/security/bulletin/ms08-068.mspx

http://www.securiteam.com/windowsntfocus/6C00B0KN5K.html

Vulnerabilities in Microsoft XML Core Services Allow Code Ex
Nov 12, 2008 1:07AM PST

Vulnerabilities in Microsoft XML Core Services Allow Code Execution (MS08-069)

12 Nov. 2008

Summary
This security update resolves several vulnerabilities in Microsoft XML Core Services. The most severe vulnerability could allow remote code execution if a user viewed a specially crafted Web page using Internet Explorer. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.

This security update is rated Critical for Microsoft XML Core Services 3.0 and Important for Microsoft XML Core Services 4.0, Microsoft XML Core Services 5.0, and Microsoft XML Core Services 6.0. For more information, see the subsection, Affected and Non-Affected Software, in this section.

Credit:
The information has been provided by Microsoft Product Security.
The original article can be found at: http://www.microsoft.com/technet/security/bulletin/ms08-069.mspx


http://www.securiteam.com/windowsntfocus/6E00D0KN5W.html

Is downloading XML Services Updates an absolute necessity?
Nov 15, 2008 6:41AM PST

I'm sorry, I just don't comprehend this 100%. If I don't use Internet Explorer (which I rarely rarely do), or I do use Internet Explorer but I don't visit "specially crafted websites" (which are, e.g.,?), does this mean I really don't need these updates? (I have SP3, if it helps).
(And somewhere, XML Core Services were associated with Adobe Acrobat; I don't understand that either). Thanks.

Recommendation. Microsoft recommends ........
Nov 15, 2008 8:16AM PST
- Collapse -
Microsoft closes critical hole in Windows
Nov 12, 2008 1:33AM PST

12 November 2008

Microsoft has released two security updates for Windows 2000, XP, Server 2003, Vista, Server 2008 and Office 2003 and later. The patch described in Bulletin MS08-069 closes three holes in Microsoft's XML Core Services 3.0, 4.0, 5.0 and 6.0. Microsoft rates one of the errors as critical, since a visit to a specially crafted website is all it takes to become the victim of an attack. According to the report, the cause of the vulnerability is a memory error that occurs when XML code is being parsed that allows code to be injected and executed. This rating only applies to MSXML version 3.0, but in the other versions the company still rates the threat as high.

More: http://www.heise-online.co.uk/security/Microsoft-closes-critical-hole-in-Windows--/news/111941

Joomla update eliminates vulnerabilities
Nov 12, 2008 1:36AM PST

12 November 2008

The developers of the open source content management system Joomla have released version 1.5.8, which eliminates two vulnerabilities. Joomla's security announcements say an error in the defaults on com_content article submission allows the entry of dangerous HTML tags and JavaScripts. When an article is opened, the code is executed in the victim's browser. Only users with access level Author or higher are reported to be affected.

More: http://www.heise-online.co.uk/security/Joomla-update-eliminates-vulnerabilities--/news/111947

UPDATE - Acrobat continued activity in the wild
Nov 12, 2008 1:38AM PST

Last Updated: 2008-11-12

It seems those responsible for the prior reported attacks, and followed up only yesterday, are still busy and most probably successful at it.

Interestingly, the pdfs are new files.

Checking the new pdf again (both file names have the same content, MD5: e51f24ec2e3d2cf71aa1ba74a7210841) on virustotal to get an up-to-date idea of the coverage, we get this:

More: http://isc.sans.org/

Attackers gun for Adobe flaw
Nov 12, 2008 1:45AM PST

Worms still targeting Reader vulnerabilities

Written by Shaun Nichols in San Francisco

vnunet.com, 12 Nov 2008

Users are being advised to update their systems after the emergence of a new rash of attacks targeting a previously-patched flaw in Adobe Acrobat.

The attacks use specially-crafted PDF files to exploit a vulnerability in the Java component of Adobe Acrobat Reader to perform malware installations on targeted systems.

Users can protect against the attacks by updating Adobe Acrobat and Reader to the latest versions. Users running version 9 of either product are not vulnerable to the attack.

More: http://www.vnunet.com/vnunet/news/2230272/attackers-gun-adobe-flaw