
VULNERABILITIES \ FIXES - October 24, 2008

Oct 24, 2008 2:10AM PDT

Ubuntu update for moodle

Release Date: 2008-10-24

Critical: Highly critical
Impact: Security Bypass, System access
Where: From remote
Solution Status: Vendor Patch

OS: Ubuntu Linux 7.10, Ubuntu Linux 8.04

Description:
Ubuntu has issued an update for moodle. This fixes a vulnerability, which can be exploited by malicious people to bypass certain security restrictions.

Solution:
Apply updated packages.

Original Advisory:
USN-658-1:
http://www.ubuntu.com/usn/usn-658-1

Other References:
SA30986:
http://secunia.com/advisories/30986/

ClipShare "title" Cross-Site Scripting Vulnerability
Oct 24, 2008 2:11AM PDT

Release Date: 2008-10-24

Critical: Less critical
Impact: Cross Site Scripting
Where: From remote
Solution Status: Unpatched

Software: ClipShare 4.x

Description:
ShockShadow has reported a vulnerability in ClipShare, which can be exploited by malicious people to conduct cross-site scripting attacks.

Input passed to the "title" parameter in fullscreen.php is not properly sanitised before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user's browser session, in the context of an affected site.

This vulnerability is reported in version 4.0. Other versions may also be affected.

Solution:
Edit the source code to ensure that input is properly sanitised.

Provided and/or discovered by:
ShockShadow

Debian update for libspf2
Oct 24, 2008 2:12AM PDT

Release Date: 2008-10-24

Critical: Moderately critical
Impact: DoS, System access
Where: From remote
Solution Status: Vendor Patch

OS: Debian GNU/Linux 4.0, Debian GNU/Linux unstable alias sid

Description:
Debian has issued an update for libspf2. This fixes a vulnerability, which can be exploited by malicious people to potentially compromise an application using the library.

The vulnerability is caused due to a boundary error within the "SPF_dns_resolv_lookup()" function in Spf_dns_resolv.c when processing DNS responses. This can be exploited to cause a heap-based buffer overflow via a specially crafted DNS TXT record.

Successful exploitation may allow execution of arbitrary code.

Solution:
Apply updated packages.

Provided and/or discovered by:
Dan Kaminsky

Original Advisory:
DSA-1659-1:
http://lists.debian.org/debian-security-announce/2008/msg00251.html

Dan Kaminsky:
http://www.doxpara.com/?page_id=1256
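
The libspf2 entry above turns on a length check when TXT records are parsed. The following is an added example, not libspf2's own code or the poster's: a strict parser for TXT RDATA (RFC 1035 character-strings) that rejects any length byte running past the data it was sent with. It assumes the reported boundary error is of that shape, and the two sample records are constructed.

```python
# Added example, not libspf2 code: strict parsing of DNS TXT RDATA, which is a
# sequence of RFC 1035 <character-string>s (one length byte, then that many bytes).
from typing import List, Optional


def parse_txt_rdata(rdata: bytes) -> List[bytes]:
    """Split TXT RDATA into its character-strings, refusing to read past it.

    The length byte comes straight from the DNS response, so it is attacker
    data; it must be checked against the bytes that actually remain before
    anything is copied. Copying on the strength of that byte alone is the
    assumed shape of the boundary error the advisory describes.
    """
    strings: List[bytes] = []
    pos = 0
    while pos < len(rdata):
        length = rdata[pos]
        start, end = pos + 1, pos + 1 + length
        if end > len(rdata):
            raise ValueError(
                f"character-string at offset {pos} claims {length} bytes, "
                f"only {len(rdata) - start} remain"
            )
        strings.append(rdata[start:end])
        pos = end
    return strings


def txt_to_spf_record(rdata: bytes) -> Optional[str]:
    """Join the character-strings as SPF consumers do (RFC 4408 section 3.1.3)
    and return the text only for a well-formed, ASCII, v=spf1 record."""
    try:
        joined = b"".join(parse_txt_rdata(rdata))
    except ValueError:
        return None
    if not joined.isascii():
        return None
    text = joined.decode("ascii")
    return text if text.startswith("v=spf1") else None


def encode_txt(*strings: bytes) -> bytes:
    """Build well-formed TXT RDATA from character-strings (used for samples)."""
    out = bytearray()
    for s in strings:
        if len(s) > 255:
            raise ValueError("character-string longer than 255 bytes")
        out.append(len(s))
        out += s
    return bytes(out)


# Constructed samples: an SPF record split over two character-strings, and a
# record whose length byte claims 200 bytes when only 5 follow it.
GOOD_RDATA = encode_txt(b"v=spf1 ip4:192.0.2.0/24 ", b"-all")
CRAFTED_RDATA = bytes([200]) + b"v=spf"
```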

SUSE Update for Multiple Packages
Oct 24, 2008 2:13AM PDT

Release Date: 2008-10-24

Critical: Highly critical
Impact: Security Bypass, Cross Site Scripting, Exposure of system information, Exposure of sensitive information, DoS, System access
Where: From remote
Solution Status: Vendor Patch

OS: openSUSE 10.2, openSUSE 10.3, openSUSE 11.0, SUSE Linux Enterprise Server 10, SUSE Linux Enterprise Server 9
Software: Novell Open Enterprise Server 1.x

Description:
SUSE has issued an update for multiple packages. This fixes some vulnerabilities, which can be exploited by malicious people to conduct script insertion attacks, bypass certain security restrictions, disclose system and potentially sensitive information, or potentially to compromise a vulnerable system.

Solution:
Updated packages are available via YaST Online Update or the SUSE FTP server.

Original Advisory:
SUSE-SR:2008:022:
http://lists.opensuse.org/opensuse-security-announce/2008-10/msg00009.html

Other References:
SA31010:
http://secunia.com/advisories/31010/

SA32177:
http://secunia.com/advisories/32177/

Fedora update for gfs2-utils and rgmanager
Oct 24, 2008 2:14AM PDT

Release Date: 2008-10-24

Critical: Not critical
Impact: Privilege escalation
Where: Local system
Solution Status: Vendor Patch

OS: Fedora 9

Description:
Fedora has issued an update for gfs2-utils and rgmanager. This fixes a security issue, which can be exploited by malicious, local users to perform certain actions with escalated privileges.

Solution:
Apply updated packages via the yum utility ("yum update gfs2-utils rgmanager").

Original Advisory:
FEDORA-2008-9042:
https://www.redhat.com/archives/fedor...e-announce/2008-October/msg00664.html
https://www.redhat.com/archives/fedor...e-announce/2008-October/msg00665.html

Other References:
SA31887:
http://secunia.com/advisories/31887/

Fedora update for cman
Oct 24, 2008 2:15AM PDT

Release Date: 2008-10-24

Critical: Not critical
Impact: Privilege escalation
Where: Local system
Solution Status: Vendor Patch

OS: Fedora 9

Description:
Fedora has issued an update for cman. This fixes a vulnerability, which can be exploited by malicious, local users to perform certain actions with escalated privileges.

Solution:
Apply updated packages via the yum utility ("yum update cman").

Original Advisory:
FEDORA-2008-9042:
https://www.redhat.com/archives/fedor...e-announce/2008-October/msg00666.html

Other References:
SA31887:
http://secunia.com/advisories/31887/

Fedora update for kernel
Oct 24, 2008 2:17AM PDT

Release Date: 2008-10-24

Critical: Less critical
Impact: Security Bypass, Privilege escalation, DoS
Where: Local system
Solution Status: Vendor Patch

OS: Fedora 8, Fedora 9

Description:
Fedora has issued an update for the kernel. This fixes some vulnerabilities, which can be exploited by malicious, local users to bypass certain security restrictions, cause a DoS (Denial of Service), and gain escalated privileges.

Solution:
Apply updated packages via the yum utility ("yum update kernel").

Original Advisory:
FEDORA-2008-8980:
https://www.redhat.com/archives/fedor...e-announce/2008-October/msg00689.html

FEDORA-2008-8929:
https://www.redhat.com/archives/fedor...e-announce/2008-October/msg00693.html

Other References:
SA32124:
http://secunia.com/advisories/32124/

SA32320:
http://secunia.com/advisories/32320/

Fedora update for git
Oct 24, 2008 2:18AM PDT

Release Date: 2008-10-24

Critical: Moderately critical
Impact: DoS, System access
Where: From remote
Solution Status: Vendor Patch

OS: Fedora 9

Description:
Fedora has issued an update for git. This fixes some vulnerabilities, which can potentially be exploited by malicious people to compromise a user's system.

Solution:
Apply updated packages via the yum utility ("yum update git").

Original Advisory:
FEDORA-2008-9080:
https://www.redhat.com/archives/fedor...e-announce/2008-October/msg00729.html

Other References:
SA31347:
http://secunia.com/advisories/31347/

eCryptfs Utils "ecryptfs-setup-private" Password Disclosure
Oct 24, 2008 2:19AM PDT

Release Date: 2008-10-24

Critical: Less critical
Impact: Exposure of sensitive information
Where: Local system
Solution Status: Vendor Workaround

Software: eCryptfs Utils

Description:
Jamie Strandboge has reported a security issue in eCryptfs Utils, which can be exploited by malicious, local users to disclose sensitive information.

The security issue is caused due to the "ecryptfs-setup-private" program passing the login and mount passwords via the command line to the "ecryptfs-wrap-passphrase" and "ecryptfs-add-passphrase" programs. This can be exploited to disclose the passwords via the process list.

Solution:
Fixed in the GIT repository.
http://git.kernel.org/?p=linux/kernel...e99afd53f03fe07eda0ad9d61ac6d5d4d9f53
http://git.kernel.org/?p=linux/kernel...27a5d514dc4bbc077f07cf33a5d5b362a9193

Provided and/or discovered by:
Jamie Strandboge

Original Advisory:
http://www.openwall.com/lists/oss-security/2008/10/23/3
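
The eCryptfs entry above is a design lesson: whatever a program places in a child's argv is readable by every local user through the process list. The block below is an added example, not eCryptfs code or the poster's: it spawns a stand-in child two ways, reads the child's command line the way ps(1) would, and shows that only the stdin route keeps the passphrase out of it. The child program, the "go" line and the passphrase are constructed stand-ins.

```python
# Added example, not eCryptfs code: contrast handing a secret to a child in
# argv (visible in the process list) with writing it to the child's stdin.
import subprocess
import sys
from typing import List, Tuple

# Stand-in for ecryptfs-wrap-passphrase: takes the passphrase from argv[1], or
# from its first stdin line when argv[1] is "-". It then waits for a "go" line
# so the parent can inspect its command line while it is still running.
CHILD_PROGRAM = (
    "import sys\n"
    "pp = sys.stdin.readline().rstrip('\\n') if sys.argv[1] == '-' else sys.argv[1]\n"
    "sys.stdin.readline()\n"
    "print(pp)\n"
)


def visible_cmdline(pid: int) -> List[str]:
    """The argv any local user can read for a process (what ps -o args= shows)."""
    try:
        with open(f"/proc/{pid}/cmdline", "rb") as f:
            return [a.decode("utf-8", "replace") for a in f.read().split(b"\0") if a]
    except OSError:  # no /proc (e.g. macOS): ask ps(1) instead
        ps = subprocess.run(["ps", "-o", "args=", "-p", str(pid)],
                            capture_output=True, text=True, check=False)
        return ps.stdout.split()


def hand_over_passphrase(passphrase: str, via_stdin: bool) -> Tuple[str, bool]:
    """Spawn the child; return (passphrase it received, was it in its argv?)."""
    argv = [sys.executable, "-c", CHILD_PROGRAM, "-" if via_stdin else passphrase]
    child = subprocess.Popen(argv, stdin=subprocess.PIPE, stdout=subprocess.PIPE, text=True)
    leaked = passphrase in visible_cmdline(child.pid)   # snapshot while it runs
    feed = (passphrase + "\n" if via_stdin else "") + "go\n"
    received, _ = child.communicate(feed)
    return received.rstrip("\n"), leaked


def insecure_wrap(passphrase: str) -> Tuple[str, bool]:
    """Reported shape: the secret travels on the command line."""
    return hand_over_passphrase(passphrase, via_stdin=False)


def secure_wrap(passphrase: str) -> Tuple[str, bool]:
    """Fixed shape: the secret is written to the child's stdin only."""
    return hand_over_passphrase(passphrase, via_stdin=True)


if __name__ == "__main__":
    for name, fn in (("argv", insecure_wrap), ("stdin", secure_wrap)):
        got, leaked = fn("constructed-passphrase")
        print(f"{name}: child received {got!r}; visible in process list: {leaked}")
```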

Joomla Component Archaic Binary "gallery" Directory Travers
Oct 24, 2008 2:20AM PDT

Release Date: 2008-10-24

Critical: Less critical
Impact: Exposure of system information
Where: From remote
Solution Status: Unpatched

Software: Archaic Binary 1.x (component for Joomla)

Description:
H!tm@N has discovered a vulnerability in the Archaic Binary component for Joomla, which can be exploited by malicious people to disclose system information.

Input passed to the "gallery" parameter in index.php (when "option" is set to "com_ab_gallery") is not properly sanitised before being used. This can be exploited to display the contents of directories via directory traversal attacks.

This vulnerability is confirmed in version 1.0. Other versions may also be affected.

Solution:
Edit the source code to ensure that input is properly sanitised.

Provided and/or discovered by:
H!tm@N

Original Advisory:
http://milw0rm.com/exploits/6826

CSPartner "pseudo" and "passe" SQL Injection Vulnerabilities
Oct 24, 2008 2:21AM PDT

Release Date: 2008-10-24

Critical: Moderately critical
Impact: Manipulation of data, Exposure of sensitive information
Where: From remote
Solution Status: Unpatched

Software: CSPartner 0.x

Description:
StAkeR has discovered some vulnerabilities in CSPartner, which can be exploited by malicious people to conduct SQL injection attacks.

Input passed to the "pseudo" and "passe" parameters in gestion.php is not properly sanitised before being used in SQL queries. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code.

Successful exploitation requires that "magic_quotes_gpc" is disabled.

These vulnerabilities are confirmed in version 0.1. Other versions may also be affected.

Solution:
Edit the source code to ensure that input is properly sanitised.

Provided and/or discovered by:
StAkeR

Original Advisory:
http://milw0rm.com/exploits/6814

SilverSHielD "opendir" Denial of Service Vulnerability
Oct 24, 2008 2:22AM PDT

Release Date: 2008-10-24

Critical: Less critical
Impact: DoS
Where: From remote
Solution Status: Unpatched

Software: SilverSHielD 1.x

Description:
Jeremy Brown has discovered a vulnerability in SilverSHielD, which can be exploited by malicious users to cause a DoS (Denial of Service).

The vulnerability is caused due to an error when processing the SFTP "opendir" command. This can be exploited to crash the service by passing a specially crafted argument to the affected command.

The vulnerability is confirmed in version 1.0.2.34. Other versions may also be affected.

Solution:
Restrict access to trusted users only.

Provided and/or discovered by:
Jeremy Brown

Original Advisory:
http://milw0rm.com/exploits/6815

Joomla RWCards Component "img" File Disclosure
Oct 24, 2008 2:23AM PDT

Release Date: 2008-10-24

Critical: Moderately critical
Impact: Exposure of system information, Exposure of sensitive information
Where: From remote
Solution Status: Unpatched

Software: RWCards 3.x (component for Joomla)

Description:
Vrs-hCk has discovered a vulnerability in the RWCards component for Joomla!, which can be exploited by malicious people to disclose sensitive information.

Input passed to the "img" parameter in captcha/captcha_image.php is not properly sanitised before being used. This can be exploited to display arbitrary files via directory traversal attacks and URL-encoded NULL bytes.

Successful exploitation requires that "magic_quotes_gpc" is disabled.

The vulnerability is confirmed in version 3.0.11. Other versions may also be affected.

Solution:
Edit the source code to ensure that input is properly sanitised.

Provided and/or discovered by:
Vrs-hCk

Original Advisory:
http://milw0rm.com/exploits/6817

Joomla KBase Component "id" SQL Injection
Oct 24, 2008 2:25AM PDT

Release Date: 2008-10-24

Critical: Moderately critical
Impact: Manipulation of data
Where: From remote
Solution Status: Unpatched

Software: KBase 1.x (component for Joomla)

Description:
H!tm@N has discovered a vulnerability in the KBase component for Joomla!, which can be exploited by malicious people to conduct SQL injection attacks.

Input passed to the "id" parameter in the Joomla! installation's index.php script (when "option" is set to "com_kbase" and "view" to "article") is not properly sanitised before being used in SQL queries. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code.

The vulnerability is confirmed in version 1.2. Other versions may also be affected.

Solution:
Edit the source code to ensure that input is properly sanitised.

Provided and/or discovered by:
H!tm@N

Original Advisory:
http://milw0rm.com/exploits/6827

MindDezign Photo Gallery "id" and "username" SQL Injection V
Oct 24, 2008 2:26AM PDT

Release Date: 2008-10-24

Critical: Moderately critical
Impact: Manipulation of data, Exposure of sensitive information
Where: From remote
Solution Status: Unpatched

Software: MindDezign Photo Gallery 2.x

Description:
CWH Underground has discovered a vulnerability in MindDezign Photo Gallery, which can be exploited by malicious people to conduct SQL injection attacks.

Input passed to the "id" parameter in index.php (when "module" is set to "gallery" and "action" to "info") and to the "username" parameter in index.php (when "module" is set to "admin" and "action" to "login") is not properly sanitised before being used in SQL queries. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code.

This vulnerability is confirmed in version 2.2. Other versions may also be affected.

Solution:
Edit the source code to ensure that input is properly sanitised.

Provided and/or discovered by:
CWH Underground

Original Advisory:
http://milw0rm.com/exploits/6819
http://milw0rm.com/exploits/6820

ShopMaker "id" SQL Injection Vulnerability
Oct 24, 2008 2:27AM PDT

Release Date: 2008-10-24

Critical: Moderately critical
Impact: Manipulation of data, Exposure of sensitive information
Where: From remote
Solution Status: Unpatched

Software: ShopMaker 1.x

Description:
Hussin X has reported a vulnerability in ShopMaker, which can be exploited by malicious people to conduct SQL injection attacks.

Input passed to the "id" parameter in product.php is not properly sanitised before being used in SQL queries. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code.

Successful exploitation allows e.g. retrieval of administrator passwords and e-mail addresses.

The vulnerability is reported in version 1.0. Other versions may also be affected.

Solution:
Edit the source code to ensure that input is properly sanitised.

Provided and/or discovered by:
Hussin X

Original Advisory:
http://milw0rm.com/exploits/6799

Sun Java System LDAP JDK Information Disclosure Vulnerabilit
Oct 24, 2008 2:28AM PDT

Release Date: 2008-10-24

Critical: Less critical
Impact: Exposure of sensitive information
Where: Local system
Solution Status: Vendor Patch

Software: Sun Java System Access Manager 6.x, Sun Java System Access Manager 7.x, Sun Java System LDAP Java Development Kit 4.x

Description:
A vulnerability has been reported in Sun Java System LDAP JDK, which can be exploited by malicious, local users to disclose potentially sensitive information.

The vulnerability is caused due to an unspecified error in the search feature of the Sun Java System LDAP JDK and can be exploited to disclose information from applications that use the LDAP JDK library.

The vulnerability is reported in Sun Java System LDAP JDK prior to version 4.20, as included in Sun Java System Access Manager.

Solution:
Apply patches (see vendor advisory for further information).

Provided and/or discovered by:
Reported by the vendor.

Original Advisory:
http://sunsolve.sun.com/search/document.do?assetkey=1-66-242246-1

KDE KHTML "HTMLTokenizer::scriptHandler()" Recursive Documen
Oct 24, 2008 2:29AM PDT

Release Date: 2008-10-24

Critical: Not critical
Impact: DoS
Where: From remote
Solution Status: Unpatched

Software: KDE 3.x

Description:
Jeremy Brown has discovered a weakness in KDE, which can be exploited by malicious people to cause a DoS (Denial of Service).

The weakness is caused due to KHTML improperly handling JavaScript "document.load()" calls targeting the current document. This can be exploited to trigger the use of a deleted object within the "HTMLTokenizer::scriptHandler()" method and cause a crash.

The weakness is confirmed with Konqueror using KHTML from KDE versions 3.5.9 and 3.5.10. Other versions may also be affected.

NOTE: Secunia normally does not classify a browser crash as a vulnerability nor issue an advisory about it. However, the potential impact of this issue may be more severe than currently believed.

Solution:
Do not open untrusted HTML documents with applications using KHTML (e.g. Konqueror).

Provided and/or discovered by:
Jeremy Brown

Original Advisory:
http://milw0rm.com/exploits/6718

Holes in Drupal CMS closed
Oct 24, 2008 2:58AM PDT

24 October 2008

Drupal's developers have released versions 6.6 and 5.12 of the Drupal CMS which address a number of vulnerabilities. Among them is a hole which allows attackers to inject and execute scripts and elevate their system access rights this way. The hole can only be exploited on web servers that incorporate a number of virtual host presences.

More: http://www.heise-online.co.uk/security/Holes-in-Drupal-CMS-closed--/news/111779

Cisco removes vulnerabilities in ASA and PIX
Oct 24, 2008 2:59AM PDT

Microsoft patches critical hole in its RPC service
Oct 24, 2008 3:00AM PDT

24 October 2008

Microsoft has issued a non-routine security update to close a critical hole. This hole is an error in the RPC service which, according to the security advisory, can be exploited to insert code remotely into a system and run it. Crafted RPC requests are all that's needed to carry out such an attack. Under Windows 2000, XP and Server 2003, an attacker doesn't even have to authenticate himself on the target system in order to process the requests.

More: http://www.heise-online.co.uk/security/Microsoft-patches-critical-hole-in-its-RPC-service--/news/111782

Major security firms caught napping
Oct 24, 2008 3:04AM PDT

F-Secure and Trend Micro forced to patch flaws in their own software

Written by Shaun Nichols in San Francisco

vnunet.com, 24 Oct 2008


Two major security software vendors have released patches for flaws in their own offerings.

F-Secure and Trend Micro have posted updates to address vulnerabilities which could leave customers vulnerable to attack.

Trend Micro issued a fix for its OfficeScan product in which an attacker could use a malformed HTTP request to cause a buffer overflow in the software's server CGI model.

A successful exploit could allow an attacker to remotely execute code on the targeted system.

More: http://www.vnunet.com/vnunet/news/2228990/security-firms-look-within

Oracle upgrades Adaptive Access Manager
Oct 24, 2008 3:06AM PDT

Latest version lets firms configure their own security settings

Written by Rosalie Marshall

vnunet.com, 24 Oct 2008


Oracle has upgraded its Adaptive Access Manager product to deliver functionality for user access control, single sign-on authentication and fraud detection across heterogeneous application environments.

The updated features will allow Oracle customers to define their own security rules rather than use pre-defined configurations, according to the company.

More: http://www.vnunet.com/vnunet/news/2229017/oracle-updates-adaptive-access