VULNERABILITIES \ FIXES - October 23, 2008

Oct 23, 2008 1:09AM PDT

Cisco ASA Crypto Accelerator Memory Leak

Release Date: 2008-10-23

Critical:
Moderately critical
Impact: DoS

Where: From remote
Solution Status: Vendor Patch


OS: Cisco Adaptive Security Appliance (ASA) 8.x

Description:
A vulnerability has been reported in Cisco ASA appliances, which can be exploited by malicious people to cause a DoS (Denial of Service).

The vulnerability is caused due to a memory leak in the Crypto Accelerator. This can be exploited to cause a DoS by sending specially crafted packets to an affected device.

Solution:
Cisco ASA 8.0:
Update to version 8.0(4).

Cisco ASA 8.1:
Update to version 8.1(2).

Provided and/or discovered by:
Reported by the vendor.

Original Advisory:
Cisco:
http://www.cisco.com/warp/public/707/cisco-sa-20081022-asa.shtml

Cisco ASA and PIX IPv6 Denial of Service
Oct 23, 2008 1:12AM PDT

Release Date: 2008-10-23

Critical:
Moderately critical
Impact: DoS

Where: From remote
Solution Status: Vendor Patch


OS: Cisco Adaptive Security Appliance (ASA) 7.x
Cisco PIX 7.x

Description:
A vulnerability has been reported in Cisco ASA and PIX appliances, which can be exploited by malicious people to cause a DoS (Denial of Service).

The vulnerability is caused due to an unspecified error in the processing of IPv6 packets and can be exploited to reload an affected device by sending specially crafted IPv6 packets to an IPv6 interface of the device.

Successful exploitation requires that the device is configured for IPv6.

The vulnerability is reported in versions 7.2(4)9 and 7.2(4)10.

NOTE: 7.0, 7.1, 8.0, and 8.1 releases are reportedly not affected.

Solution:
Update to version 7.2(4)11.

Provided and/or discovered by:
Reported by the vendor.

Original Advisory:
Cisco:
http://www.cisco.com/warp/public/707/cisco-sa-20081022-asa.shtml

Drupal Virtual Hosts Local File Inclusion
Oct 23, 2008 1:14AM PDT

Release Date: 2008-10-23

Critical:
Less critical
Impact: Privilege escalation

Where: Local system
Solution Status: Vendor Patch


Software: Drupal 5.x
Drupal 6.x

Description:
A vulnerability has been reported in Drupal, which can potentially be exploited by malicious, local users to gain escalated privileges.

Input passed to unspecified parameters is not properly verified before being used to include files. This can be exploited to include specially named files from local resources and potentially escalate privileges.

Successful exploitation requires that the web server is configured to use virtual hosts.

The vulnerability is reported in all 5.x versions prior to 5.12 and all 6.x versions prior to 6.6.

Solution:
Update to version 5.12 or 6.6.

Apply the vendor's official patches to versions 5.11 or 6.5:

Drupal 5.11:
http://drupal.org/files/sa-2008-067/SA-2008-067-5.11.patch

Drupal 6.5:
http://drupal.org/files/sa-2008-067/SA-2008-067-6.5.patch

Provided and/or discovered by:
The vendor credits Anthony Ferrara.

Original Advisory:
DRUPAL-SA-2008-067:
http://drupal.org/node/324824

Drupal Localization client Module Cross-Site Request Forgery
Oct 23, 2008 1:15AM PDT

Release Date: 2008-10-23

Critical:
Less critical
Impact: Cross Site Scripting
Manipulation of data

Where: From remote
Solution Status: Vendor Patch


Software: Localization client 5.x (module for Drupal)
Localization client 6.x (module for Drupal)

Description:
A vulnerability has been reported in the Localization client module for Drupal, which can be exploited by malicious people to conduct cross-site request forgery attacks.

The vulnerability is caused due to the application allowing users to perform certain actions via HTTP requests without performing any validity checks to verify the request. This can be exploited to manipulate translation data by enticing a user to visit a malicious web page.

The vulnerability is reported in all 5.x versions prior to 5.x-1.1 and all 6.x versions prior to 6.x-1.6.

Solution:
Update to version 5.x-1.1 or 6.x-1.6.

Provided and/or discovered by:
The vendor credits G

Debian update for dbus
Oct 23, 2008 1:16AM PDT

EMC NetWorker Products "nsrexecd.exe" Denial of Service
Oct 23, 2008 1:17AM PDT

Release Date: 2008-10-23

Critical:
Less critical
Impact: DoS

Where: From local network
Solution Status: Vendor Patch


Software: EMC NetWorker (formerly Legato NetWorker) 7.x
EMC NetWorker Module for Meditech 2.x
EMC NetWorker Module for Microsoft Applications 2.x
EMC NetWorker Module for Microsoft Exchange Server 5.x
EMC NetWorker PowerSnap Module 2.x



Description:
A vulnerability has been reported in several EMC NetWorker Products, which can be exploited by malicious people to cause a DoS (Denial of Service).

The vulnerability is caused due to an error in the "nsrexecd.exe" process when allocating memory. This can be exploited to exhaust all available memory via specially crafted RPC requests.

The vulnerability affects the following products and versions:
* NetWorker Server, Storage Node and Client 7.3.x, 7.4, 7.4.1, and 7.4.2
* NetWorker Client and Storage Node for Open VMS 7.3.2 ECO6 and earlier
* NetWorker Module for Microsoft Exchange 5.1 and earlier
* NetWorker Module for Microsoft Applications 2.0 and earlier
* NetWorker Module for Meditech 2.0 and earlier
* NetWorker PowerSnap 2.4 SP1 and earlier

Solution:
Update to a fixed version.

NetWorker Server, Storage Node and Client 7.3.x:
Update to version 7.3 SP4 build 565.

NetWorker Server, Storage Node and Client 7.4.x:
Update to version 7.4 SP3.

NetWorker Client and Storage Node for Open VMS:
Update to version 7.3.2 ECO7.

NetWorker Module for Microsoft Exchange:
Update to version 5.1 SP1.

NetWorker Module for Microsoft Applications:
Update to version 2.1.

NetWorker Module for Meditech:
Update to version 2.0 SP1.

NetWorker PowerSnap:
Update to version 2.4 SP2.

Provided and/or discovered by:
Zhenhua Liu, Xiaopeng Zhang and Junfeng Jia of Fortinet's FortiGuard Global Security Research Team

Original Advisory:
Fortinet:
http://www.fortiguardcenter.com/advisory/FGA-2008-23.html

Iamma Simple Gallery File Upload Vulnerability
Oct 23, 2008 1:19AM PDT

Release Date: 2008-10-23

Critical:
Highly critical
Impact: System access

Where: From remote
Solution Status: Unpatched


Software: Iamma Simple Gallery 2.x



Description:
X0r has discovered a vulnerability in Iamma Simple Gallery, which can be exploited by malicious people to compromise a vulnerable system.

The vulnerability is caused due to the "upload.php" script not properly verifying uploaded files. This can be exploited to execute arbitrary PHP code by uploading a malicious PHP script to the "uploads" directory in the webroot.

This vulnerability is confirmed in version 2.0. Other versions may also be affected.

Solution:
Grant access to trusted users only.

Provided and/or discovered by:
X0r

Original Advisory:
http://milw0rm.com/exploits/6803

phpcrs "importFunction" Local File Inclusion Vulnerability
Oct 23, 2008 1:20AM PDT

Release Date: 2008-10-23

Critical:
Moderately critical
Impact: Exposure of system information
Exposure of sensitive information

Where: From remote
Solution Status: Unpatched


Software: phpcrs 2.x

Description:
Pepelux has discovered a vulnerability in phpcrs, which can be exploited by malicious people to disclose sensitive information.

Input passed to the "importFunction" parameter in frame.php (when "btnStartImport" is set to a non-NULL value) is not properly verified before being used to include files. This can be exploited to include arbitrary files from local resources via directory traversal attacks.

Successful exploitation requires that "magic_quotes_gpc" is disabled.

This vulnerability is confirmed in version 2.06. Other versions may also be affected.

Solution:
Edit the source code to ensure that input is properly verified.

Provided and/or discovered by:
Pepelux

Original Advisory:
http://milw0rm.com/exploits/6806

LoudBlog "colpick" SQL Injection Vulnerability
Oct 23, 2008 1:21AM PDT

Release Date: 2008-10-23

Critical:
Moderately critical
Impact: Manipulation of data
Exposure of sensitive information

Where: From remote
Solution Status: Unpatched


Software: LoudBlog 0.x

Description:
Xianur0 has discovered a vulnerability in LoudBlog, which can be exploited by malicious people to conduct SQL injection attacks.

Input passed to the "colpick" parameter in loudblog/ajax.php (when "action" is set to "singleread" and the "lbauth" cookie is set) is not properly sanitised before being used in SQL queries. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code.

Successful exploitation allows e.g. retrieval of administrator usernames and password hashes.

The vulnerability is confirmed in version 0.8.0a. Other versions may also be affected.

Solution:
Edit the source code to ensure that input is properly sanitised.

Provided and/or discovered by:
Xianur0

Original Advisory:
http://milw0rm.com/exploits/6808

Joomla ionFiles Component "file" Information Disclo
Oct 23, 2008 1:22AM PDT

Release Date: 2008-10-23

Critical:
Moderately critical
Impact: Exposure of system information
Exposure of sensitive information

Where: From remote
Solution Status: Unpatched


Software: ionFiles 4.x (component for Joomla)

Description:
Vrs-hCk has discovered a vulnerability in the ionFiles component for Joomla!, which can be exploited by malicious people to disclose sensitive information.

Input passed to the "file" parameter in download.php (when "download" is set to "1") is not properly sanitised before being used. This can be exploited to download arbitrary files via directory traversal attacks.

The vulnerability is confirmed in version 4.4.2. Other versions may also be affected.

Solution:
Edit the source code to ensure that input is properly sanitised.

Provided and/or discovered by:
Vrs-hCk

Original Advisory:
http://milw0rm.com/exploits/6809

GoodTech SSH Server SFTP Processing Buffer Overflow Vulnerab
Oct 23, 2008 1:23AM PDT

Release Date: 2008-10-23

Critical:
Moderately critical
Impact: DoS
System access

Where: From remote
Solution Status: Unpatched


Software: GoodTech SSH Server 6.x

Description:
r0ut3r has discovered a vulnerability in GoodTech SSH Server, which can be exploited by malicious users to compromise a vulnerable system.

The vulnerability is caused due to a boundary error when processing overly long strings passed as arguments to e.g. the SFTP "open", "opendir", and "unlink" commands, and can be exploited to cause a stack-based buffer overflow.

Successful exploitation allows execution of arbitrary code.

The vulnerability is confirmed in version 6.4. Other versions may also be affected.

Solution:
Restrict access to trusted users only.

Provided and/or discovered by:
r0ut3r

Original Advisory:
http://milw0rm.com/exploits/6804

freeSSHd Two Denial of Service Vulnerabilities
Oct 23, 2008 1:29AM PDT

Release Date: 2008-10-23

Critical:
Less critical
Impact: DoS

Where: From remote
Solution Status: Unpatched


Software: freeSSHd 1.x

Description:
Jeremy Brown has discovered two vulnerabilities in freeSSHd, which can be exploited by malicious users to cause a DoS (Denial of Service).

The vulnerabilities are caused due to NULL-pointer dereference errors in the processing of the SFTP "rename" and "realpath" commands. These can be exploited to crash a freeSSHd server via an overly long string passed as an argument to the affected commands.

The vulnerabilities are confirmed in version 1.2.1.14. Other versions may also be affected.

Solution:
Restrict access to trusted users only.

Provided and/or discovered by:
Jeremy Brown

Original Advisory:
http://milw0rm.com/exploits/6800
http://milw0rm.com/exploits/6812

Dorsa CMS "PageIDF" SQL Injection Vulnerability
Oct 23, 2008 1:30AM PDT

Release Date: 2008-10-23

Critical:
Moderately critical
Impact: Manipulation of data
Exposure of sensitive information

Where: From remote
Solution Status: Unpatched


Software: Dorsa CMS

Description:
syst3m_f4ult has reported a vulnerability in Dorsa CMS, which can be exploited by malicious people to conduct SQL injection attacks.

Input passed to the "PageIDF" parameter in ShowPage.aspx (when "page_" is set to "news") is not properly sanitised before being used in SQL queries. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code.

Solution:
Edit the source code to ensure that input is properly sanitised.

Provided and/or discovered by:
syst3m_f4ult

Original Advisory:
http://www.milw0rm.com/exploits/6810

Snoopy "_httpsrequest()" Shell Command Execution Vulnerabili
Oct 23, 2008 1:31AM PDT

Release Date: 2008-10-23

Critical:
Highly critical
Impact: System access

Where: From remote
Solution Status: Vendor Patch


Software: Snoopy 1.x

Description:
A vulnerability has been discovered in Snoopy, which can be exploited by malicious people to compromise a vulnerable system.

Input passed to the "_httpsrequest()" function isn't properly sanitised before being used in an "exec()" call. This can be exploited to inject arbitrary shell commands via a script calling the "fetch()" or "submit()" function with a URL controlled by the attacker.

This is related to:
SA17330

This vulnerability is confirmed in version 1.2.3. Prior versions may also be affected.

Solution:
Update to version 1.2.4.
http://sourceforge.net/project/showfiles.php?group_id=2091

Provided and/or discovered by:
Reported by vendor.

Original Advisory:
http://sourceforge.net/project/shownotes.php?release_id=635111

Other References:
SA17330:
http://secunia.com/advisories/17330/

Cisco ASA and PIX VPN Authentication Bypass
Oct 23, 2008 1:32AM PDT

Release Date: 2008-10-23

Critical:
Moderately critical
Impact: Security Bypass

Where: From remote
Solution Status: Vendor Patch


OS: Cisco Adaptive Security Appliance (ASA) 7.x
Cisco Adaptive Security Appliance (ASA) 8.x
Cisco PIX 7.x
Cisco PIX 8.x

Description:
A vulnerability has been reported in Cisco ASA and PIX appliances, which can be exploited by malicious people to bypass certain security restrictions.

The vulnerability is caused due to an unspecified error, which can be exploited to bypass the VPN authentication in Cisco ASA or Cisco PIX security appliances.

Successful exploitation requires that the device is configured for IPSec or SSL-based remote access VPN using Microsoft Windows NT Domain authentication.

Solution:
Update to fixed versions (please see the vendor's advisory for details).

Provided and/or discovered by:
Reported by the vendor.

Original Advisory:
Cisco:
http://www.cisco.com/warp/public/707/cisco-sa-20081022-asa.shtml

imlib2 Multiple Unspecified Vulnerabilities
Oct 23, 2008 1:33AM PDT

Release Date: 2008-10-23

Critical:
Moderately critical
Impact: Unknown

Where: From remote
Solution Status: Vendor Patch


Software: imlib2 1.x

Description:
Some vulnerabilities with unknown impact have been reported in imlib2.

The vulnerabilities are caused due to unspecified errors. No further information is currently available.

The vulnerabilities are reported in versions prior to 1.4.2.

Solution:
Update to version 1.4.2.

Provided and/or discovered by:
Reported by the vendor.

Original Advisory:
http://sourceforge.net/project/shownotes.php?release_id=634778

WebSVN File Overwrite and Cross-Site Scripting
Oct 23, 2008 1:34AM PDT

Release Date: 2008-10-23

Critical:
Moderately critical
Impact: Cross Site Scripting
Manipulation of data

Where: From remote
Solution Status: Unpatched


Software: WebSVN 2.x

Description:
James Bercegay has reported two vulnerabilities in WebSVN, which can be exploited by malicious people to conduct cross-site scripting attacks and manipulate data.

1) Input passed in the URL to index.php is not properly sanitised before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user's browser session in context of an affected site.

2) Input passed to the "rev" parameter in rss.php is not properly sanitised before being used. This can be exploited to overwrite arbitrary files via directory traversal attacks.

Successful exploitation of this vulnerability requires that "magic_quotes_gpc" is disabled.

The vulnerabilities are reported in version 2.0. Other versions may also be affected.

Solution:
Edit the source code to ensure that input is properly sanitised.

Provided and/or discovered by:
James Bercegay, GulfTech Security Research Team

Original Advisory:
GulfTech Security Research Team:
http://www.gulftech.org/?node=research&article_id=00132-10202008
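
Added example, not part of the forum posts and not code from the phpcrs, ionFiles or WebSVN projects: a small log-side detector for the directory-traversal and local-file-inclusion requests described in the phpcrs "importFunction", ionFiles "file" and WebSVN "rev" advisories above. The script and parameter names come from those advisories; the log lines, addresses and paths are constructed samples, and the null-byte check reflects the "magic_quotes_gpc must be disabled" condition the advisories state.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# (script, parameter) pairs named in the advisories above.
WATCHED_PARAMS = {
    "frame.php": {"importFunction"},   # phpcrs
    "download.php": {"file"},          # Joomla ionFiles component
    "rss.php": {"rev"},                # WebSVN
}

# Common Log Format; only the fields the detector needs are captured.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

def fully_decode(value, rounds=3):
    """Undo up to `rounds` layers of percent-encoding (catches double encoding)."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def traversal_indicators(value):
    """Return the reasons a parameter value looks like traversal / LFI."""
    decoded = fully_decode(value).replace("\\", "/")
    reasons = []
    if "../" in decoded:
        reasons.append("path traversal")
    elif decoded.startswith("/"):
        reasons.append("absolute path")
    if "\x00" in decoded:
        # Null-byte truncation only works when magic_quotes_gpc is off,
        # which is exactly the condition the advisories list.
        reasons.append("null byte (magic_quotes_gpc off required)")
    return reasons

def inspect_request(target):
    """Check one request target; return a list of (script, param, reasons)."""
    parts = urlsplit(target)
    script = parts.path.rsplit("/", 1)[-1]
    params = WATCHED_PARAMS.get(script)
    if not params:
        return []
    hits = []
    # parse_qs decodes one layer itself; fully_decode handles the rest.
    for name, values in parse_qs(parts.query, keep_blank_values=True).items():
        if name in params:
            for v in values:
                reasons = traversal_indicators(v)
                if reasons:
                    hits.append((script, name, reasons))
    return hits

def scan_log(lines):
    """Return one finding dict per suspicious request in the given log lines."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        for script, param, reasons in inspect_request(m["target"]):
            findings.append({"ip": m["ip"], "script": script, "param": param,
                             "reasons": reasons, "status": int(m["status"])})
    return findings

# Constructed sample log lines (documentation-range IPs, hypothetical paths).
SAMPLE_LOG = [
    '192.0.2.10 - - [23/Oct/2008:10:15:02 +0000] "GET /phpcrs/frame.php?btnStartImport=1&importFunction=..%2F..%2F..%2Fetc%2Fpasswd%00 HTTP/1.1" 200 2413',
    '192.0.2.11 - - [23/Oct/2008:10:15:07 +0000] "GET /components/com_ionfiles/download.php?download=1&file=%252e%252e%252fconfiguration.php HTTP/1.1" 200 913',
    '198.51.100.5 - - [23/Oct/2008:10:16:00 +0000] "GET /websvn/rss.php?rev=12 HTTP/1.1" 200 5120',
    '198.51.100.6 - - [23/Oct/2008:10:16:30 +0000] "GET /websvn/index.php?repname=trunk HTTP/1.1" 200 4400',
]

if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG):
        print(finding)
```

The two crafted lines are flagged and the two benign ones are not; a 200 status on a flagged request is the case worth pulling the server-side file for, since it suggests the include or download actually succeeded.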

Drupal Book Page Title Script Insertion
Oct 23, 2008 1:35AM PDT

Release Date: 2008-10-23

Critical:
Less critical
Impact: Cross Site Scripting

Where: From remote
Solution Status: Vendor Patch


Software: Drupal 6.x

Description:
A vulnerability has been reported in Drupal, which can be exploited by malicious users to conduct script insertion attacks.

Input passed as book page titles is not properly sanitised before being stored. This can be exploited to insert arbitrary HTML and script code, which is executed in a user's browser session in context of an affected site when the malicious data is viewed.

Successful exploitation requires valid user credentials with the "create book content" permission or the permission to edit book nodes.

The vulnerability is reported in all 6.x versions prior to 6.6.

Solution:
Update to version 6.6.

Apply the vendor's official patch to version 6.5:
http://drupal.org/files/sa-2008-067/SA-2008-067-6.5.patch

Provided and/or discovered by:
The vendor credits Maarten van Grootel.

Original Advisory:
DRUPAL-SA-2008-067:
http://drupal.org/node/324824

HP OpenView Products Shared Trace Service Denial of Service
Oct 23, 2008 1:36AM PDT

EMC NetWorker Denial of Service Vulnerability
Oct 23, 2008 1:38AM PDT

Veritas Storage Foundation Arbitrary File Read Vulnerability
Oct 23, 2008 1:38AM PDT

23 Oct. 2008

Summary
Veritas Storage Foundation 5.0 from Symantec provides "a complete solution for heterogeneous online storage management. Based on the industry-leading Veritas Volume Manager and Veritas File System, it provides a standard set of integrated tools to centrally manage explosive data growth, maximize storage hardware investments, provide data protection and adapt to changing business requirements". VxFS is an extent based, journaling filesystem. It implements a "Quick I/O for Databases" feature; qioadmin which comes part of the Veritas Storage Foundation product is the setuid root administration utility for this functionality. When given an arbitrary filename, it will write the file's contents to the standard error stream.

Credit:
The information has been provided by Security Objectives Corporation.
The original article can be found at: http://www.security-objectives.com/advisories/SECOBJSADV-2008-05.txt

http://www.securiteam.com/unixfocus/6D00N0UMUK.html

Achieving Persistent HTML Injection via SNMP on Embedded Dev
Oct 23, 2008 1:39AM PDT

Multiple Vulnerabilities in Cisco PIX and Cisco ASA
Oct 23, 2008 1:40AM PDT

23 Oct. 2008

Summary
Multiple vulnerabilities exist in the Cisco ASA 5500 Series Adaptive Security Appliances and Cisco PIX Security Appliances. This security advisory outlines details of these vulnerabilities:
* Windows NT Domain Authentication Bypass Vulnerability
* IPv6 Denial of Service Vulnerability
* Crypto Accelerator Memory Leak Vulnerability

Credit:
The information has been provided by Cisco Systems Product Security Incident Response Team.
The original article can be found at: http://www.cisco.com/warp/public/707/cisco-sa-20081022-asa.shtml


http://www.securiteam.com/securitynews/6E00O0UMUU.html

Microsoft rushes out emergency Windows update
Oct 23, 2008 2:16AM PDT

Critical flaw clocked

By John Oates

23rd October 2008

Microsoft is about to issue an emergency security update to plug a vulnerability which could allow an internet worm to be spread via a computer without the user doing anything.

The update is rated as critical for users of Windows 2000, XP and Server 2003 and the less severe rating of "important" for users of Windows Server 2008 and Windows Vista. The patch is scheduled for 10.00am Pacific Time (6pm BST).

There will be a webcast at 1.00pm Pacific Time (9pm BST) explaining the issue in more detail.

The exploit potentially allows remote code to be executed.

More: http://www.theregister.co.uk/2008/10/23/windows_emergency_update/

Another cross-site hole in Opera
Oct 23, 2008 2:25AM PDT

23 October 2008

Opera had hardly released security update 9.61 for its browser, and already the Full Disclosure security mailing list is discussing another critical security hole. Discussions were started by a report about a Stored Cross Site Scripting vulnerability in Opera which allows attackers to execute JavaScript code in the context of another page due to a flaw in the browser history search function. This gave rise to the question whether the search function accessible through opera:historysearch can be exploited for other malicious activities in the local database and whether the flaw gives potential attackers access to other files or data.

More: http://www.heise-online.co.uk/security/Another-cross-site-hole-in-Opera--/news/111777

Cisco Releases Advisory for Cisco PIX and ASA
Oct 23, 2008 2:33AM PDT

added October 23, 2008 at 07:59 am

Cisco Security Advisory cisco-sa-20081022-asa was released to address multiple vulnerabilities in Cisco ASA and PIX. These vulnerabilities may allow an attacker to bypass authentication mechanisms or cause a denial-of-service condition.

US-CERT encourages users and administrators to review Cisco Security Advisory cisco-sa-20081022-asa and apply any necessary updates or workarounds to help mitigate the risks.


http://www.us-cert.gov/current/current_activity.html#cisco_releases_advisory_for_cisco1

Office 2007 SP2 due in spring
Oct 23, 2008 2:35AM PDT

Microsoft confirms release date for major update

Written by Iain Thomson in San Francisco

vnunet.com, 23 Oct 2008


Microsoft has confirmed that the next service pack for Office 2007 will be released February-April next year.

"Historically, we have waited to communicate details about service packs until their release (or very shortly before)," said the Microsoft Office Sustained Engineering Team in a blog posting.

"As we communicated with SP3 for Office 2003 and SP1 for the 2007 Office System, we will be taking steps to increase transparency and visibility into the Office servicing model at the request of our customers."

The team went into some detail on new features that will be included in the software update.

More: http://www.vnunet.com/vnunet/news/2228866/office-2007-sp2-due-spring

Microsoft Windows Server Service Vulnerability
Oct 23, 2008 6:36AM PDT

Release Date: 2008-10-23

Critical:
Highly critical
Impact: System access

Where: From local network
Solution Status: Vendor Patch


OS: Microsoft Windows 2000 Advanced Server
Microsoft Windows 2000 Datacenter Server
Microsoft Windows 2000 Professional
Microsoft Windows 2000 Server
Microsoft Windows Server 2003 Datacenter Edition
Microsoft Windows Server 2003 Enterprise Edition
Microsoft Windows Server 2003 Standard Edition
Microsoft Windows Server 2003 Web Edition
Microsoft Windows Server 2008
Microsoft Windows Storage Server 2003
Microsoft Windows Vista
Microsoft Windows XP Home Edition
Microsoft Windows XP Professional

Description:
A vulnerability has been reported in Microsoft Windows, which can be exploited by malicious people to compromise a vulnerable system.

The vulnerability is caused due to an error in the Server Service component when processing RPC requests and can be exploited via specially crafted RPC requests.

Successful exploitation allows execution of arbitrary code, but requires authenticated access on Windows Vista and Windows Server 2008.

NOTE: According to Microsoft, the vulnerability is currently being actively exploited.

Solution:
Apply patches.

Provided and/or discovered by:
Reported as a 0-day.

Original Advisory:
MS08-067 (KB958644):
http://www.microsoft.com/technet/security/Bulletin/MS08-067.mspx