
VULNERABILITIES \ FIXES - October 17, 2008

Oct 17, 2008 1:01AM PDT

Hummingbird Xweb ActiveX Control "PlainTextPassword" Property Buffer Overflow

Release Date: 2008-10-17

Critical:
Highly critical
Impact: DoS
System access

Where: From remote
Solution Status: Unpatched


Software: Exceed 10.x
Exceed 2006 11.x
Exceed 2007
Exceed 9.x
Exceed PowerSuite 10.x
Hummingbird Xweb ActiveX Control

Description:
Thomas Pollet has reported a vulnerability in Hummingbird Xweb ActiveX Control, which potentially can be exploited by malicious people to compromise a user's system.

The vulnerability is caused due to a boundary error within the Hummingbird.XWebHostCtrl.1 ActiveX control (hclxweb.dll) when handling the "PlainTextPassword" property. This can be exploited to cause a stack-based buffer overflow by assigning an overly long string to the affected property.

Successful exploitation may allow execution of arbitrary code.

The vulnerability is reported in versions prior to 13.0.

Solution:
Set the kill-bit for the affected ActiveX control.

Provided and/or discovered by:
Thomas Pollet

Original Advisory:
http://milw0rm.com/exploits/6761

Mantis "sort" PHP Code Execution Vulnerability
Oct 17, 2008 1:02AM PDT

Release Date: 2008-10-17

Critical:
Moderately critical
Impact: System access

Where: From remote
Solution Status: Unpatched


Software: Mantis 1.x

Description:
EgiX has discovered a vulnerability in Mantis, which can be exploited by malicious users to compromise a vulnerable system.

Input passed to the "sort" parameter in manage_proj_page.php is not properly sanitised before being used in a "create_function()" call. This can be exploited to execute arbitrary PHP code.

Successful exploitation requires valid user credentials.

The vulnerability is confirmed in version 1.1.2 and reported in version 1.1.3. Other versions may also be affected.

Solution:
Restrict access to manage_proj_page.php (e.g. with ".htaccess").

Provided and/or discovered by:
EgiX

Original Advisory:
http://milw0rm.com/exploits/6768

Avaya Products bzip2 Denial of Service
Oct 17, 2008 1:04AM PDT

Release Date: 2008-10-17

Critical:
Less critical
Impact: DoS

Where: From remote
Solution Status: Unpatched


OS: Avaya Message Networking 2.x
Avaya Modular Messaging 2.x
Avaya Modular Messaging 3.x
Avaya SIP Enablement Services (SES) 3.x



Software: Avaya Application Enablement Services 3.x
Avaya Application Enablement Services 4.x
Avaya Communication Manager 3.x
Avaya Communication Manager 4.x
Avaya Communication Manager 5.x
Avaya Modular Messaging 4.x

Description:
Avaya has acknowledged a vulnerability in various Avaya products, which can be exploited by malicious people to cause a DoS (Denial of Service).

Solution:
The vendor recommends that local and network access to the affected systems be restricted until an update is available.

Original Advisory:
http://support.avaya.com/elmodocs2/security/ASA-2008-404.htm

Other References:
SA29410:
http://secunia.com/advisories/29410/

PokerMax Pro Poker League "ValidUserAdmin" Cookie Security Bypass
Oct 17, 2008 1:05AM PDT

Release Date: 2008-10-17

Critical:
Moderately critical
Impact: Security Bypass

Where: From remote
Solution Status: Unpatched


Software: PokerMax Pro Poker League 0.x

Description:
DaRkLiFe has discovered a vulnerability in PokerMax Pro Poker League, which can be exploited by malicious people to bypass certain security restrictions.

The problem is that the application allows access to the admin interface by checking if a certain cookie exists. This can be exploited to gain administrative access to the application by creating the cookie "ValidUserAdmin" and assigning it the user name of a valid administrator.

This vulnerability is confirmed in version 0.13. Other versions may also be affected.

Solution:
Ensure that proper access restrictions are implemented.

Provided and/or discovered by:
DaRkLiFe

Original Advisory:
http://milw0rm.com/exploits/6766
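
The cookie check described in the PokerMax advisory above, next to a server-side session replacement, as an added example that is not part of the original post or of PokerMax's own code. It is written in Python for illustration; the account names, `SERVER_KEY`, the `session` cookie name and all function names are assumptions.

```python
import hashlib
import hmac
import secrets

# Constructed data: hypothetical admin accounts and a per-deployment secret.
ADMINS = {"alice"}
SERVER_KEY = secrets.token_bytes(32)


def is_admin_vulnerable(cookies):
    """Flawed pattern from the advisory: a client-supplied cookie holding a
    valid admin user name is treated as proof of authentication."""
    return cookies.get("ValidUserAdmin") in ADMINS


def _tag(sid):
    """HMAC over the session id, so unissued ids are rejected before lookup."""
    return hmac.new(SERVER_KEY, sid.encode(), hashlib.sha256).hexdigest()


def issue_session(username, sessions):
    """Call only after the password check succeeds. The cookie carries a
    random session id and its tag; the identity stays on the server."""
    sid = secrets.token_urlsafe(32)  # URL-safe alphabet, never contains "."
    sessions[sid] = username
    return {"session": f"{sid}.{_tag(sid)}"}


def is_admin_hardened(cookies, sessions):
    """Accept only a cookie this server issued and still has on record."""
    sid, _, tag = cookies.get("session", "").partition(".")
    # Constant-time comparison on bytes (also tolerates non-ASCII input).
    if not hmac.compare_digest(tag.encode(), _tag(sid).encode()):
        return False
    # The role is decided from server-side state, never from the cookie value.
    return sessions.get(sid) in ADMINS


if __name__ == "__main__":
    store = {}
    handmade = {"ValidUserAdmin": "alice"}  # cookie created by the client
    print("vulnerable check accepts handmade cookie:",
          is_admin_vulnerable(handmade))
    print("hardened check accepts handmade cookie:",
          is_admin_hardened(handmade, store))
    print("hardened check accepts issued session:",
          is_admin_hardened(issue_session("alice", store), store))
```

Deleting the entry from `sessions` on logout or timeout revokes the cookie, which a check based on the cookie's mere presence cannot do.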

Habari "habari_username" Cross-Site Scripting Vulnerability
Oct 17, 2008 1:06AM PDT

Release Date: 2008-10-17

Critical:
Less critical
Impact: Cross Site Scripting

Where: From remote
Solution Status: Unpatched


Software: Habari 0.x

Description:
swappie has discovered a vulnerability in Habari, which can be exploited by malicious people to conduct cross-site scripting attacks.

Input passed via the "habari_username" parameter when logging in is not properly sanitised before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user's browser session in context of an affected site.

The vulnerability is confirmed in version 0.5.1. Other versions may also be affected.

Solution:
Filter malicious characters and character sequences in a proxy.

Provided and/or discovered by:
swappie aka faithlove

Original Advisory:
http://packetstorm.linuxsecurity.com/0810-exploits/habaricms-xss.txt

CafeEngine "id" Two SQL Injection Vulnerabilities
Oct 17, 2008 1:07AM PDT

Release Date: 2008-10-17

Critical:
Moderately critical
Impact: Manipulation of data

Where: From remote
Solution Status: Unpatched


Software: CafeEngine

Description:
0xFFFFFF has reported two vulnerabilities in CafeEngine, which can be exploited by malicious people to conduct SQL injection attacks.

Input passed to the "id" parameter in dish.php and menu.php is not properly sanitised before being used in SQL queries. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code.

Solution:
Edit the source code to ensure that input is properly sanitised.

Provided and/or discovered by:
0xFFFFFF

Original Advisory:
http://milw0rm.com/exploits/6762

EasyCafeEngine "itemid" SQL Injection Vulnerability
Oct 17, 2008 1:08AM PDT

Release Date: 2008-10-17

Critical:
Moderately critical
Impact: Manipulation of data

Where: From remote
Solution Status: Unpatched


Software: EasyCafeEngine 1.x

Description:
0xFFFFFF has reported a vulnerability in EasyCafeEngine (Easy Cafe Engine), which can be exploited by malicious people to conduct SQL injection attacks.

Input passed to the "itemid" parameter in index.php is not properly sanitised before being used in SQL queries. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code.

The vulnerability is reported in version 1.1. Other versions may also be affected.

Solution:
Edit the source code to ensure that input is properly sanitised.

Provided and/or discovered by:
0xFFFFFF

Original Advisory:
http://milw0rm.com/exploits/6762

Avaya Products libxml2 Denial of Service
Oct 17, 2008 1:10AM PDT

Release Date: 2008-10-17

Critical:
Moderately critical
Impact: DoS

Where: From remote
Solution Status: Unpatched


OS: Avaya Message Networking 2.x
Avaya Modular Messaging 2.x
Avaya Modular Messaging 3.x
Avaya SIP Enablement Services (SES) 3.x



Software: Avaya Application Enablement Services 3.x
Avaya Application Enablement Services 4.x
Avaya Communication Manager 3.x
Avaya Communication Manager 5.x
Avaya Modular Messaging 4.x
Avaya SIP Enablement Services (SES) 4.x

Description:
Avaya has acknowledged a vulnerability in various Avaya products, which can be exploited by malicious people to cause a DoS (Denial of Service).

Solution:
The vendor recommends that local and network access to the affected systems be restricted until an update is available.

Original Advisory:
http://support.avaya.com/elmodocs2/security/ASA-2008-402.htm

Other References:
SA31566:
http://secunia.com/advisories/31566/

XOOPS hisa_cart Module Information Disclosure
Oct 17, 2008 1:11AM PDT

Release Date: 2008-10-17

Critical:
Moderately critical
Impact: Exposure of sensitive information

Where: From remote
Solution Status: Vendor Patch


Software: XOOPS hisa_cart Module 1.x



Description:
Some vulnerabilities have been reported in the hisa_cart module for XOOPS, which can be exploited by malicious people to disclose potentially sensitive information.

The vulnerabilities are caused due to unspecified errors. No more information is currently available.

The vulnerabilities are reported in versions prior to 1.29.

Solution:
Update to version 1.29.

Provided and/or discovered by:
JVN

Original Advisory:
http://jvn.jp/jp/JVN67334580/index.html

WebGUI Security Bypass and Cross-Site Scripting
Oct 17, 2008 1:12AM PDT

Release Date: 2008-10-17

Critical:
Moderately critical
Impact: Security Bypass
Cross Site Scripting
Manipulation of data

Where: From remote
Solution Status: Vendor Patch


Software: WebGUI 7.x

Description:
Two vulnerabilities have been reported in WebGUI, which can be exploited by malicious people to conduct cross-site scripting attacks and bypass certain security restrictions.

1) Input passed to unspecified parameters in operation pages is not properly sanitised before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user's browser session in context of an affected site.

2) A vulnerability is caused due to improper access restriction in the email based password recovery. This can be exploited to reset any user's password by supplying the victim's username and an e-mail address belonging to the attacker and not to the victim.

The vulnerabilities are reported in version 7.5.25. Prior versions may also be affected.

Solution:
Update to version 7.5.26.

Provided and/or discovered by:
1) Reported by the vendor.
2) Graham

Original Advisory:
http://www.webgui.org/getwebgui/advisories/webgui-7.5.26-stable-released

2) http://www.webgui.org/bugs/tracker/8790

Avaya Products ipsec-tools Denial of Service
Oct 17, 2008 1:13AM PDT

Release Date: 2008-10-17

Critical:
Moderately critical
Impact: DoS

Where: From remote
Solution Status: Unpatched


OS: Avaya Message Networking 2.x
Avaya Modular Messaging 2.x
Avaya Modular Messaging 3.x
Avaya SIP Enablement Services (SES) 3.x



Software: Avaya Application Enablement Services 3.x
Avaya Communication Manager 3.x
Avaya Communication Manager 4.x
Avaya Communication Manager 5.x
Avaya Modular Messaging 4.x

Description:
Avaya has acknowledged some vulnerabilities in various Avaya products, which can be exploited by malicious users and malicious people to cause a DoS (Denial of Service).

Solution:
The vendor recommends that local and network access to the affected systems be restricted until an update is available.

Avaya Voice Portal:
Upgrade to version 4.1 or later.

Original Advisory:
http://support.avaya.com/elmodocs2/security/ASA-2008-403.htm

Other References:
SA31450:
http://secunia.com/advisories/31450/

SA31478:
http://secunia.com/advisories/31478/

rPath update for postfix
Oct 17, 2008 1:14AM PDT

Release Date: 2008-10-17

Critical:
Less critical
Impact: Exposure of sensitive information
Privilege escalation

Where: Local system
Solution Status: Vendor Patch


OS: rPath Linux 1.x

Description:
rPath has issued an update for postfix. This fixes some security issues, which can be exploited by malicious, local users to disclose potentially sensitive information and perform certain actions with escalated privileges.

Solution:
Update to:
postfix=conary.rpath.com@rpl:1/2.2.7-2.2-1

Original Advisory:
rPSA-2008-0294:
http://wiki.rpath.com/wiki/Advisories:rPSA-2008-0294

Other References:
SA31485:
http://secunia.com/advisories/31485/

rPath update for rails
Oct 17, 2008 1:15AM PDT

Release Date: 2008-10-17

Critical:
Moderately critical
Impact: Manipulation of data

Where: From remote
Solution Status: Vendor Patch


OS: rPath Linux 1.x

Description:
rPath has issued an update for rails. This fixes some vulnerabilities, which can be exploited by malicious people to conduct SQL injection attacks.

Solution:
Update to "rails=conary.rpath.com@rpl:1/1.2.5-2.3-1".

Original Advisory:
http://wiki.rpath.com/wiki/Advisories:rPSA-2008-0295

Other References:
SA31875:
http://secunia.com/advisories/31875/

Slaytanic Scripts Content Plus Unspecified Vulnerabilities
Oct 17, 2008 1:17AM PDT

Release Date: 2008-10-17

Critical:
Moderately critical
Impact: Unknown

Where: From remote
Solution Status: Vendor Patch


Software: Slaytanic Scripts Content Plus 2.x

Description:
Some vulnerabilities with an unknown impact have been reported in Slaytanic Scripts Content Plus.

The vulnerabilities are caused due to an unspecified error. No further information is currently available.

The vulnerabilities are reported in version 2.1.1. Other versions may also be affected.

Solution:
Update to version 2.2.0.

Provided and/or discovered by:
Reported by vendor.

Original Advisory:
http://sourceforge.net/project/shownotes.php?release_id=632842

WEB//NEWS "catid" SQL Injection Vulnerability
Oct 17, 2008 1:18AM PDT

Release Date: 2008-10-17

Critical:
Moderately critical
Impact: Manipulation of data

Where: From remote
Solution Status: Unpatched


Software: WEB//NEWS 1.x

Description:
David Vieira-Kurz has discovered a vulnerability in WEB//NEWS, which can be exploited by malicious people to conduct SQL injection attacks.

Input passed to the "catid" parameter when performing a search is not properly sanitised before being used in an SQL query in parse/module_search.php. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code.

The vulnerability is confirmed in version 1.4. Other versions may also be affected.

Solution:
Edit the source code to ensure that input is properly sanitised.

Provided and/or discovered by:
David Vieira-Kurz, HACKATTACK

PhpWebGallery PHP Code Execution and SQL Injection
Oct 17, 2008 1:19AM PDT

Release Date: 2008-10-17

Critical:
Highly critical
Impact: Manipulation of data
Exposure of sensitive information
System access

Where: From remote
Solution Status: Vendor Patch


Software: PhpWebGallery 1.x

Description:
EgiX has reported two vulnerabilities in PhpWebGallery, which can be exploited by malicious users to compromise a vulnerable system and by malicious people to conduct SQL injection attacks.

Solution:
Update to version 1.7.3.

Provided and/or discovered by:
EgiX

Original Advisory:
http://milw0rm.com/exploits/6755

Internet Explorer 6 ComponentFromPoint() Memory Disclosure and Code Execution
Oct 17, 2008 1:20AM PDT

17 Oct. 2008

Summary
There is a bug in Internet Explorer 6 JavaScript implementation enabling remote memory disclosure and remote code execution. The vulnerability is caused by improper implementation of componentFromPoint() method of XML object.

Credit:
The information has been provided by Ivan Fratric.
The original article can be found at: http://ifsec.blogspot.com/2008/10/internet-explorer-6-componentfrompoint.html


http://www.securiteam.com/windowsntfocus/6I00B20MUQ.html

Adobe's Serious Magic site SQL Injected by Asprox botnet
Oct 17, 2008 1:41AM PDT

Posted by Dancho Danchev

According to SophosLabs, Adobe's owned seriousmagic.com has been automatically SQL injected by the Asprox botnet, becoming the very latest high profile legitimate web sites injected with links to exploits and malware serving sites:

"The infection, which resides at hxxp://www.seriousmagic.com/help/tuts/tutorials.cfm?p=1, instructs users' browsers to silently install a malicious file from a series of domains known to host attack sites. Adobe announced its acquisition of Serious Magic two years ago and whois records indicate the company is the owner of the seriousmagic.com domain."

More: http://blogs.zdnet.com/security/?p=2039

Critical security holes in Adobe Flash Player 9
Oct 17, 2008 1:44AM PDT

VLC update fixes critical hole
Oct 17, 2008 1:45AM PDT

Fresh Facebook malware attack spotted
Oct 17, 2008 1:50AM PDT

New attacks spread via networking site

Written by Shaun Nichols in San Francisco

vnunet.com, 17 Oct 2008


Security experts are warning users and administrators of a new crop of Facebook malware.

F-Secure said in a recent blog posting that the company has tracked down a number of pages on the social networking site which attempt to infect users by promising free videos.

The new attacks propagate by way of a malicious worm which hijacks Facebook information. The user is sent a message from an infected friend which promises a link to a YouTube video.

More: http://www.vnunet.com/vnunet/news/2228485/fresh-facebook-malware-attack

Expert warns of new Mac malware
Oct 17, 2008 1:52AM PDT

Fake security app may be on the way

Written by Shaun Nichols in San Francisco

vnunet.com, 17 Oct 2008

A new rogue security application for the Mac could be on the way, according to one industry executive.

Sunbelt Software chief executive Alex Eckelberry revealed that researchers at his company had uncovered a web site advertising a product known as 'MacGuard'.

The product claims to offer spyware and antivirus protection, as well as the ability to remove adware and block phishing attacks on OS X systems.

No downloadable software has been found on the site, but Eckelberry is urging users to remain vigilant.

More: http://www.vnunet.com/vnunet/news/2228488/early-alarms-mac-malware

Gmail outage irks IT administrators
Oct 17, 2008 1:53AM PDT

Further blow to business credibility

Written by Iain Thomson in San Francisco

vnunet.com, 17 Oct 2008


IT administrators are being hassled by disgruntled staff who have found themselves cut off from Gmail with little explanation.

Google reported yesterday evening that a "small number of customers" were having problems and that the situation would be resolved shortly. However, some IT administrators have reported outages of nearly 24 hours.

More: http://www.vnunet.com/vnunet/news/2228479/gmail-outage-irks