
VULNERABILITIES \ FIXES - October 13, 2008

Oct 13, 2008 1:25AM PDT

chm2pdf Insecure Temporary Directories

Release Date: 2008-10-13

Critical: Not critical
Impact: Privilege escalation, DoS
Where: Local system
Solution Status: Unpatched

Software: chm2pdf 0.x

Description:
A security issue has been reported in chm2pdf, which can be exploited by malicious, local users to perform certain actions with escalated privileges or to cause a DoS (Denial of Service).

The security issue is caused due to the "chm2pdf" script using temporary directories in an insecure manner. This can be exploited to stop local users from using the application or to remove arbitrary files via symlink attacks.

The security issue is reported in version 0.9.1. Other versions may also be affected.

Solution:
Restrict local access to trusted users only.

Provided and/or discovered by:
Reported by Karol Lewandowski in a Debian bug report.

Original Advisory:
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=501959


Debian update for ruby1.8
Oct 13, 2008 1:27AM PDT

Release Date: 2008-10-13

Critical: Moderately critical
Impact: Security Bypass, DoS
Where: From remote
Solution Status: Vendor Patch

OS: Debian GNU/Linux 4.0, Debian GNU/Linux unstable alias sid

Description:
Debian has issued an update for ruby1.8. This fixes some vulnerabilities, which can be exploited by malicious people to bypass certain security restrictions or cause a DoS (Denial of Service).

Solution:
Apply updated packages.

Original Advisory:
DSA-1651-1:
http://www.us.debian.org/security/2008/dsa-1651

Other References:
SA31430:
http://secunia.com/advisories/31430/

SA31602:
http://secunia.com/advisories/31602/

Debian update for ruby1.9
Oct 13, 2008 1:28AM PDT

Release Date: 2008-10-13

Critical: Moderately critical
Impact: Security Bypass, DoS
Where: From remote
Solution Status: Vendor Patch

OS: Debian GNU/Linux 4.0, Debian GNU/Linux unstable alias sid

Description:
Debian has issued an update for ruby1.9. This fixes some vulnerabilities, which can be exploited by malicious people to bypass certain security restrictions or cause a DoS (Denial of Service).

Solution:
Apply updated packages.

Original Advisory:
DSA-1652-1:
http://www.us.debian.org/security/2008/dsa-1652

Other References:
SA31430:
http://secunia.com/advisories/31430/

SA31602:
http://secunia.com/advisories/31602/

Debian update for openldap
Oct 13, 2008 1:30AM PDT

Release Date: 2008-10-13

Critical: Less critical
Impact: DoS
Where: From local network
Solution Status: Vendor Patch

OS: Debian GNU/Linux 4.0, Debian GNU/Linux unstable alias sid

Description:
Debian has issued an update for openldap. This fixes a vulnerability, which can be exploited by malicious people to cause a DoS (Denial of Service).

Solution:
Apply updated packages.

Original Advisory:
http://www.us.debian.org/security/2008/dsa-1650

Other References:
SA30853:
http://secunia.com/advisories/30853/

Ayco Okul "linkid" SQL Injection Vulnerability
Oct 13, 2008 1:31AM PDT

Release Date: 2008-10-13

Critical: Moderately critical
Impact: Manipulation of data, Exposure of sensitive information
Where: From remote
Solution Status: Unpatched

Software: Ayco Okul

Description:
Crackers_Child has reported a vulnerability in Ayco Okul, which can be exploited by malicious people to conduct SQL injection attacks.

Input passed to the "linkid" parameter in default.asp (when "tip" is set to "sollinkicerik") is not properly sanitised before being used in SQL queries. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code.

Solution:
Edit the source code to ensure that input is properly sanitised.

Provided and/or discovered by:
Crackers_Child

Original Advisory:
http://milw0rm.com/exploits/6720

Joomla Ignite Gallery Component "gallery" SQL Injection
Oct 13, 2008 1:32AM PDT

Release Date: 2008-10-13

Critical: Moderately critical
Impact: Manipulation of data, Exposure of sensitive information
Where: From remote
Solution Status: Vendor Patch

Software: Ignite Gallery 0.x (component for Joomla)

Description:
H!tm@N has reported a vulnerability in the Ignite Gallery component for Joomla!, which can be exploited by malicious people to conduct SQL injection attacks.

Input passed to the "gallery" parameter in the Joomla! installation's index.php script (when "option" is set to "com_ignitegallery" and "task" to "view") is not properly sanitised before being used in SQL queries. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code.

Successful exploitation allows e.g. retrieval of administrator usernames and password hashes, but requires knowledge of the database table prefix.

The vulnerability is reported in versions from 0.8.0 up to and including 0.8.3.

Solution:
Update to version 0.8.3.1.

Provided and/or discovered by:
H!tm@N

Original Advisory:
Ignite Gallery:
http://www.ignitejoomlaextensions.com/

H!tm@N:
http://milw0rm.com/exploits/6723

Joomla Mad4Joomla Mailforms Component "jid" SQL Injection
Oct 13, 2008 1:33AM PDT

Release Date: 2008-10-13

Critical: Moderately critical
Impact: Manipulation of data, Exposure of sensitive information
Where: From remote
Solution Status: Vendor Patch

Software: Mad4Joomla Mailforms 1.x (component for Joomla)

Description:
H!tm@N has reported a vulnerability in the Mad4Joomla Mailforms component for Joomla!, which can be exploited by malicious people to conduct SQL injection attacks.

Input passed to the "jid" parameter in the Joomla! installation's index.php script (when "option" is set to "com_mad4joomla") is not properly sanitised before being used in SQL queries. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code.

Successful exploitation allows e.g. retrieval of administrator usernames and password hashes, but requires knowledge of the database table prefix.

The vulnerability is reported in all versions prior to 1.1.8.2.

Solution:
Update to version 1.1.8.2.

Provided and/or discovered by:
H!tm@N

Original Advisory:
Mad4Joomla Mailforms:
http://www.mad4media.de/mad4joomla-mailforms.html

H!tm@N:
http://milw0rm.com/exploits/6724

MunzurSoft Wep Portal W3 "kat" SQL Injection Vulnerability
Oct 13, 2008 1:34AM PDT

Release Date: 2008-10-13

Critical: Moderately critical
Impact: Manipulation of data, Exposure of sensitive information
Where: From remote
Solution Status: Unpatched

Software: MunzurSoft Wep Portal W3

Description:
LUPUS has reported a vulnerability in MunzurSoft Wep Portal W3, which can be exploited by malicious people to conduct SQL injection attacks.

Input passed to the "kat" parameter in kategori.asp is not properly sanitised before being used in SQL queries. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code.

Solution:
Edit the source code to ensure that input is properly sanitised.

Provided and/or discovered by:
LUPUS

Original Advisory:
http://milw0rm.com/exploits/6725

Joomla OwnBiblio Component "catid" SQL Injection
Oct 13, 2008 1:36AM PDT

Release Date: 2008-10-13

Critical: Moderately critical
Impact: Manipulation of data, Exposure of sensitive information
Where: From remote
Solution Status: Unpatched

Software: OwnBiblio 1.x (component for Joomla)

Description:
H!tm@N has discovered a vulnerability in the OwnBiblio component for Joomla!, which can be exploited by malicious people to conduct SQL injection attacks.

Input passed to the "catid" parameter in the Joomla! installation's index.php script (when "option" is set to "com_ownbiblio" and "view" to "catalogue") is not properly sanitised before being used in SQL queries. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code.

Successful exploitation allows e.g. retrieval of administrator usernames and password hashes, but requires knowledge of the database table prefix.

The vulnerability is confirmed in version 1.5.3 (1.5_fixed). Other versions may also be affected.

Solution:
Edit the source code to ensure that input is properly sanitised.

Provided and/or discovered by:
H!tm@N

Original Advisory:
http://milw0rm.com/exploits/6730

Real Estates Classifieds "cat" SQL Injection Vulnerability
Oct 13, 2008 1:37AM PDT

Release Date: 2008-10-13

Critical: Moderately critical
Impact: Manipulation of data, Exposure of sensitive information
Where: From remote
Solution Status: Unpatched

Software: Real Estates Classifieds

Description:
Hakxer has reported a vulnerability in Real Estates Classifieds, which can be exploited by malicious people to conduct SQL injection attacks.

Input passed to the "cat" parameter in index.php is not properly sanitised before being used in SQL queries. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code.

Solution:
Edit the source code to ensure that input is properly sanitised.

Provided and/or discovered by:
Hakxer

Original Advisory:
http://milw0rm.com/exploits/6736

GuildFTPd "LIST" Processing Buffer Overflow Vulnerability
Oct 13, 2008 1:38AM PDT

Release Date: 2008-10-13

Critical: Moderately critical
Impact: DoS, System access
Where: From remote
Solution Status: Unpatched

Software: GuildFTPd 0.x

Description:
dmnt has discovered a vulnerability in GuildFTPd, which can be exploited by malicious users to compromise a vulnerable system.

The vulnerability is caused due to a boundary error when handling FTP "LIST" requests. This can be exploited to cause a heap-based buffer overflow via a combination of specially crafted "CWD" and "LIST" commands.

Successful exploitation allows execution of arbitrary code.

The vulnerability is confirmed in version 0.999.14. Other versions may also be affected.

Solution:
Restrict access to trusted users only.

Provided and/or discovered by:
dmnt

Original Advisory:
http://milw0rm.com/exploits/6738

GForge Multiple SQL Injection Vulnerabilities
Oct 13, 2008 1:40AM PDT

Release Date: 2008-10-13

Critical: Moderately critical
Impact: Manipulation of data, Exposure of sensitive information
Where: From remote
Solution Status: Vendor Workaround

Software: GForge 4.x

Description:
Some vulnerabilities have been reported in Gforge, which can be exploited by malicious people and users to conduct SQL injection attacks.

Solution:
Fixed in the SVN repository.

Provided and/or discovered by:
beford and Fernando Mu

My PHP Indexer "d" File Disclosure Vulnerability
Oct 13, 2008 1:41AM PDT

Release Date: 2008-10-13

Critical: Moderately critical
Impact: Exposure of system information, Exposure of sensitive information
Where: From remote
Solution Status: Unpatched

Software: My PHP Indexer 1.x

Description:
JosS has discovered a vulnerability in My PHP Indexer, which can be exploited by malicious people to disclose sensitive information.

Input passed to the "d" parameter in index.php is not properly sanitised before being used. This can be exploited to download arbitrary files via directory traversal attacks.

The vulnerability is confirmed in version 1.0. Other versions may also be affected.

Solution:
Edit the source code to ensure that input is properly sanitised.

Provided and/or discovered by:
JosS

Original Advisory:
http://milw0rm.com/exploits/6740

NewLife Blogger "nlb3" SQL Injection Vulnerability
Oct 13, 2008 1:42AM PDT

Release Date: 2008-10-13

Critical: Moderately critical
Impact: Manipulation of data
Where: From remote
Solution Status: Unpatched

Software: NewLife Blogger 3.x

Description:
Pepelux has reported a vulnerability in NewLife Blogger, which can be exploited by malicious people to conduct SQL injection attacks.

Input passed in the "nlb3" cookie through index.php to system/nlb_user.class.php is not properly sanitised before being used in SQL queries. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code.

The vulnerability is reported in versions 3.0.0 and 3.3.1. Other versions may also be affected.

Solution:
Edit the source code to ensure that input is properly sanitised.

Provided and/or discovered by:
Pepelux

Original Advisory:
http://milw0rm.com/exploits/6739

Apache Tomcat "RemoteFilterValve" Security Bypass Security Issue
Oct 13, 2008 1:43AM PDT

Release Date: 2008-10-13

Critical: Not critical
Impact: Security Bypass
Where: From remote
Solution Status: Vendor Patch

Software: Apache Tomcat 4.x, Apache Tomcat 5.x

Description:
A security issue has been reported in Apache Tomcat, which potentially can be exploited by malicious people to bypass certain security restrictions.

The security issue is caused due to a synchronisation problem when checking IP addresses and can be exploited to bypass a filter valve that extends "RemoteFilterValve" and potentially gain access to protected contexts.

The security issue affects version 5.5.0 and versions 4.1.0 through 4.1.31.

Solution:
Apache Tomcat 4.x:
Update to version 4.1.32 or later.

Apache Tomcat 5.x:
Update to version 5.5.1 or later.

Provided and/or discovered by:
The vendor credits Kenichi Tsukamoto of Fujitsu Limited.

Original Advisory:
Apache:
http://tomcat.apache.org/security-4.html
http://tomcat.apache.org/security-5.html
https://issues.apache.org/bugzilla/show_bug.cgi?id=25835

JVN:
http://jvn.jp/en/jp/JVN30732239/index.html

ScriptsEz Mini Hosting Panel "dir" File Disclosure
Oct 13, 2008 1:44AM PDT

Release Date: 2008-10-13

Critical: Less critical
Impact: Exposure of system information, Exposure of sensitive information
Where: From remote
Solution Status: Unpatched

Software: ScriptsEz Mini Hosting Panel 1.x

Description:
JosS has reported a vulnerability in ScriptsEz Mini Hosting Panel, which can be exploited by malicious users to disclose sensitive information.

Input passed to the "dir" parameter in members.php (when "act" is set to "view") is not properly sanitised before being used. This can be exploited to display arbitrary files via directory traversal attacks.

Successful exploitation requires valid user credentials.

The vulnerability is reported in version 1.0. Other versions may also be affected.

Solution:
Edit the source code to ensure that input is properly sanitised.

Provided and/or discovered by:
JosS

Original Advisory:
http://milw0rm.com/exploits/6713

WinFTP "PASV" Denial of Service Vulnerability
Oct 13, 2008 1:45AM PDT

Release Date: 2008-10-13

Critical: Not critical
Impact: DoS
Where: From remote
Solution Status: Unpatched

Software: WinFTP Server 2.x

Description:
A vulnerability has been discovered in WinFTP, which can be exploited by malicious users to cause a DoS (Denial of Service).

The vulnerability is caused due to an error when handling the PASV command. This can potentially be exploited to crash the service by sending multiple login requests ending with the "PASV" command.

The vulnerability is confirmed in version 2.3.0. Other versions may also be affected.

Solution:
Grant access to trusted users only.

Provided and/or discovered by:
dmnt

Original Advisory:
http://milw0rm.com/exploits/6717

NoticeWare Email Server POP3 Connections Denial of Service
Oct 13, 2008 1:46AM PDT

Release Date: 2008-10-13

Critical: Moderately critical
Impact: DoS
Where: From remote
Solution Status: Unpatched

Software: NoticeWare Email Server 5.x

Description:
Paul Hand has discovered a vulnerability in NoticeWare Email Server, which can be exploited by malicious people to cause a DoS (Denial of Service).

The vulnerability is caused due to an error when handling multiple POP3 connections. This can be exploited to cause a crash via e.g. a large number of POP3 connections issuing login requests.

The vulnerability is confirmed in version 5.1.2.2. Other versions may also be affected.

Solution:
Restrict network access to the POP3 service.

Provided and/or discovered by:
Paul Hand (rAWjAW)

Original Advisory:
http://milw0rm.com/exploits/6719

Debian update for mon
Oct 13, 2008 1:48AM PDT

Release Date: 2008-10-13

Critical: Not critical
Impact: Manipulation of data, Privilege escalation
Where: Local system
Solution Status: Vendor Patch

OS: Debian GNU/Linux 4.0, Debian GNU/Linux unstable alias sid

Description:
Debian has issued an update for mon. This fixes a vulnerability, which can be exploited by malicious, local users to perform certain actions with escalated privileges.

The vulnerability is caused due to the "test.alert" script creating temporary files in an insecure manner. This can be exploited to e.g. corrupt files via symlink attacks.

Solution:
Apply updated packages.

Provided and/or discovered by:
Reported by Dmitry E. Oboukhov in a Debian bug report.

Original Advisory:
DSA-1648-1:
http://www.us.debian.org/security/2008/dsa-1648

Debian:
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=496398
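
Both the chm2pdf entry and this mon entry describe scripts that create temporary directories or files at predictable paths, which a local user can pre-empt with a symlink. The following Python is an added illustration of that bug class beside its hardened form (tempfile.mkdtemp plus a symlink-aware cleanup); it is not code from chm2pdf, mon or Debian, and every path name in it is constructed for the demo.

```python
import os
import shutil
import stat
import tempfile


def predictable_tmpdir(base, name):
    """Weak pattern: a fixed, guessable path that is reused if it already exists.

    os.makedirs(..., exist_ok=True) accepts a pre-existing *symlink* to a
    directory, so whoever created that link first decides where the script
    really works (and what a later cleanup deletes).
    """
    path = os.path.join(base, name)
    os.makedirs(path, exist_ok=True)
    return path


def safe_tmpdir(base, prefix):
    """Hardened pattern: unpredictable name, mode 0700, created atomically."""
    path = tempfile.mkdtemp(prefix=prefix, dir=base)
    st = os.lstat(path)  # lstat inspects the entry itself and never follows a link
    if stat.S_ISLNK(st.st_mode) or not stat.S_ISDIR(st.st_mode) or st.st_uid != os.getuid():
        raise RuntimeError("temporary directory is not a fresh directory we own")
    return path


def guarded_cleanup(path):
    """Remove only a real directory; refuse (return False) if the path is a symlink."""
    if os.path.islink(path) or not os.path.isdir(path):
        return False
    shutil.rmtree(path)
    return True


def demo():
    """Constructed scenario inside a private scratch area (the real /tmp is not touched):
    a link is planted at the predictable path, then both patterns are exercised."""
    scratch = tempfile.mkdtemp(prefix="tmpdir-demo-")
    victim = os.path.join(scratch, "victim")          # stands in for another user's files
    os.mkdir(victim)
    open(os.path.join(victim, "important.txt"), "w").close()
    planted = os.path.join(scratch, "work")           # constructed name, not chm2pdf's or mon's
    os.symlink(victim, planted)

    weak = predictable_tmpdir(scratch, "work")
    result = {
        # the weak pattern "creates" a directory that is really the planted link
        "weak_follows_link": os.path.islink(weak) and os.path.samefile(weak, victim),
        # a cleanup that checks for symlinks refuses to rmtree through it
        "guarded_cleanup_refused": not guarded_cleanup(weak),
    }
    result["victim_intact"] = os.path.exists(os.path.join(victim, "important.txt"))
    safe = safe_tmpdir(scratch, "work-")
    result["safe_is_private"] = (os.lstat(safe).st_mode & 0o777) == 0o700
    shutil.rmtree(scratch)
    return result
```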

Token Kidnapping Windows 2003 (Exploit)
Oct 13, 2008 1:49AM PDT
GuildFTPd CWD and LIST Heap Corruption PoC/DoS (Exploit)
Oct 13, 2008 1:50AM PDT

13 Oct. 2008

Summary
A vulnerability in GuildFTPd allows remote attackers to cause the server to overflow its allocated heap, corrupting the registers during the release of the memory allocated in the heap. The following exploit code can be used to test your system for the vulnerability.

Credit:
The information has been provided by dmnt.
The original article can be found at: http://www.milw0rm.com/exploits/6738

http://www.securiteam.com/exploits/6R00B0UMUS.html

Asus offers replacement Eee Boxes after Japanese virus strike
Oct 13, 2008 3:00AM PDT

By Tony Smith
13th October 2008

Asus today claimed it had "resolved" the unfortunate appearance of a virus on Eee Box mini desktop PCs sold in Japan.

The company said the problem affected punters who bought one of the machines on 2 or 3 October this year, and it asked anyone who bought an Eee Box in Japan on those days to contact it for a replacement machine.

http://www.reghardware.co.uk/2008/10/13/asus_japan_virus_response/

Microsoft readies first attack forecast
Oct 13, 2008 5:49AM PDT

Slates 'Exploitability Index' predictions for tomorrow's bugs
By Gregg Keizer

October 13, 2008 (Computerworld) Microsoft Corp. will debut vulnerability predictions tomorrow when it issues 11 security updates for Windows, Office and Internet Explorer.

Announced more than two months ago, the "Exploitability Index" will be added to the bulletins that accompany each update. Microsoft's security experts will rate each vulnerability using a three-step ranking, in descending order of severity:

Consistent exploit code likely
Inconsistent exploit code likely
Functioning exploit code unlikely

Microsoft expects that users and corporate IT administrators will combine the index rating with the company's current threat rankings, which estimate the potential impact as "critical" through "low," to prioritize patches.

More: http://www.computerworld.com/action/article.do?command=viewArticleBasic&taxonomyName=spam,_malware_and_vulnerabilities&articleId=9117018&taxonomyId=85&intsrc=kc_top