VULNERABILITIES \ FIXES - October 28, 2008

Oct 28, 2008 1:13AM PDT

Eaton MGE Network Shutdown Module Arbitrary Command Execution Vulnerability

Release Date: 2008-10-28

Critical: Moderately critical
Impact: System access
Where: From local network
Solution Status: Vendor Patch
Software: Eaton MGE Network Shutdown Module 3.x

Description:
n.runs AG has reported a vulnerability in Eaton MGE Network Shutdown Module, which can be exploited by malicious people to compromise a vulnerable system.

The vulnerability is caused due to the application allowing unrestricted access to the "pane_actionbutton.php" and "exec_action.php" scripts. This can be exploited to add and execute custom actions containing arbitrary commands.

Successful exploitation may allow execution of arbitrary code.

The vulnerability is reported in versions prior to 3.20.

Solution:
Update to version 3.20.
http://download.mgeops.com/explore/eng/network/net_sol.htm

Provided and/or discovered by:
Jan Rossmann and Jan Wagner, n.runs AG

Original Advisory:
Eaton MGE Office Protection Systems:
http://download.mgeops.com/install/win32/nsm/release_note_nsm_320.txt

n.runs AG:
http://packetstormsecurity.org/0810-advisories/n.runs-SA-2008.009.txt

Blaze Media Pro NMSDVDX ActiveX Control Insecure Methods
Oct 28, 2008 1:14AM PDT

Release Date: 2008-10-28

Critical: Highly critical
Impact: DoS, System access
Where: From remote
Solution Status: Unpatched
Software: Blaze Media Pro 8.x

Description:
A vulnerability has been reported in Blaze Media Pro, which can be exploited by malicious people to potentially compromise a user's system.

For more information:
SA31936

The vulnerability is reported in Blaze Media Pro 8.02 Special Edition (8.2.0.9, trial version). Other versions may also be affected.

Solution:
Set the kill-bit for the affected ActiveX control.

Provided and/or discovered by:
Originally reported by bruiser, Nine Situations Group. Reported in Blaze Media Pro SE by ipsdix.

Other References:
SA31936:
http://secunia.com/advisories/31936/

rPath update for pcre
Oct 28, 2008 1:16AM PDT

Release Date: 2008-10-28

Critical: Moderately critical
Impact: DoS, System access
Where: From remote
Solution Status: Vendor Patch
OS: rPath Linux 1.x

Description:
rPath has issued an update for pcre. This fixes a vulnerability, which can be exploited by malicious people to cause a DoS (Denial of Service) and potentially compromise an application using the library.

For more information:
SA30916

Solution:
Update to "pcre=conary.rpath.com@rpl:1/7.6-0.2-1".

Original Advisory:
http://wiki.rpath.com/wiki/Advisories:rPSA-2008-0305

Other References:
SA30916:
http://secunia.com/advisories/30916/

rPath update for libxslt
Oct 28, 2008 1:17AM PDT

Release Date: 2008-10-28

Critical: Moderately critical
Impact: DoS, System access
Where: From remote
Solution Status: Vendor Patch
OS: rPath Linux 1.x

Description:
rPath has issued an update for libxslt. This fixes some vulnerabilities, which can be exploited by malicious people to cause a DoS (Denial of Service) and potentially compromise an application using the library.

For more information:
SA31230

Solution:
Update to "libxslt=conary.rpath.com@rpl:1/1.1.15-1.3-1".

Original Advisory:
http://wiki.rpath.com/wiki/Advisories:rPSA-2008-0306

Other References:
SA31230:
http://secunia.com/advisories/31230/

phpMyAdmin "db" Cross-Site Scripting Vulnerability
Oct 28, 2008 1:44AM PDT

Release Date: 2008-10-28

Critical: Less critical
Impact: Cross Site Scripting
Where: From remote
Solution Status: Unpatched
Software: phpMyAdmin 2.x, phpMyAdmin 3.x

Description:
Hadi Kiamarsi has discovered a vulnerability in phpMyAdmin, which can be exploited by malicious people to conduct cross-site scripting attacks.

Input passed to the "db" parameter in pmd_pdf.php is not properly sanitised before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user's browser session in context of an affected site.

Successful exploitation may require that the victim has valid user credentials.

The vulnerability is confirmed in version 2.11.9.2 and 3.0.1 and reported in version 3.0.0. Other versions may also be affected.

Solution:
Edit the source code to ensure that input is properly sanitised.

Provided and/or discovered by:
Hadi Kiamarsi

Original Advisory:
http://seclists.org/bugtraq/2008/Oct/0199.html

Citrix Web Interface Improper Session Termination Security
Oct 28, 2008 1:47AM PDT

Release Date: 2008-10-28

Critical: Less critical
Impact: Security Bypass
Where: Local system
Solution Status: Vendor Patch
Software: Citrix Web Interface 5.x

Description:
A security issue has been reported in Citrix Web Interface, which can be exploited by malicious, local users to bypass certain security restrictions.

The security issue is caused due to the application improperly terminating a user session and can be exploited to gain access to the session via the same browser instance.

Successful exploitation requires valid Citrix Web Interface credentials and access to the victim's browser instance.

The security issue affects versions 5.0 and 5.0.1 when deployed with a Java application server.

Solution:
Update to version 5.0.2.
https://www.citrix.com/site/SS/downloads/

Provided and/or discovered by:
Reported by the vendor.

Original Advisory:
http://support.citrix.com/article/CTX118768

phplist "connector.php" File Extension Validation Vulnerability
Oct 28, 2008 1:48AM PDT

Release Date: 2008-10-28

Critical: Moderately critical
Impact: System access
Where: From remote
Solution Status: Vendor Patch
Software: phplist 2.x

Description:
A vulnerability has been reported in phplist, which potentially can be exploited by malicious users to compromise a vulnerable system.

The vulnerability is caused due to the "admin/FCKeditor/editor/filemanager/browser/default/connectors/phplist/connector.php" script improperly validating the extensions of uploaded files. This can potentially be exploited to upload files containing malicious file extensions and e.g. execute arbitrary PHP code.

Successful exploitation requires valid administrator credentials.

The vulnerability is reported in versions prior to 2.10.7.

Solution:
Update to version 2.10.7.

Provided and/or discovered by:
Reported by the vendor.

Original Advisory:
http://sourceforge.net/project/shownotes.php?release_id=636287

WebGUI "loadModule()" Arbitrary Perl Code Execution Vulnerability
Oct 28, 2008 1:49AM PDT

Release Date: 2008-10-28

Critical: Moderately critical
Impact: System access
Where: From remote
Solution Status: Vendor Patch
Software: WebGUI 7.x

Description:
A vulnerability has been reported in WebGUI, which can be exploited by malicious users to compromise a vulnerable system.

The vulnerability is caused due to an error within the "loadModule()" function in lib/WebGUI/Asset.pm while loading Perl modules. This can be exploited to execute arbitrary code contained within an uploaded Perl module by requesting a specially crafted URL.

Successful exploitation allows execution of arbitrary code, but requires upload permissions.

The vulnerability is reported in versions prior to 7.5.30.

Solution:
Update to version 7.5.30.

Provided and/or discovered by:
Reported by the vendor.

Original Advisory:
http://www.webgui.org/getwebgui/advisories/webgui-7.5.30-stable-released

http://www.webgui.org/bugs/tracker/8980

MyKtools "langage" Local File Inclusion
Oct 28, 2008 1:50AM PDT

Release Date: 2008-10-28

Critical: Less critical
Impact: Exposure of system information, Exposure of sensitive information
Where: From remote
Solution Status: Unpatched
Software: MyKtools 3.x

Description:
A vulnerability has been discovered in MyKtools, which can be exploited by malicious users to disclose sensitive information.

Input passed to the "langage" parameter in configuration_script.php is not properly verified before being used to include files. This can be exploited to include files from local resources via directory traversal attacks and URL-encoded NULL bytes.

Successful exploitation requires valid administrator credentials and that "magic_quotes_gpc" is disabled.

The vulnerability is confirmed in version 3.0. Other versions may also be affected.

Solution:
Restrict access to the application (e.g. with ".htaccess").

Provided and/or discovered by:
x0r and an anonymous person

Original Advisory:
http://milw0rm.com/exploits/6850

All In One Control Panel (AIOCP) "poll_id" SQL Injection
Oct 28, 2008 1:51AM PDT

Release Date: 2008-10-28

Critical: Moderately critical
Impact: Manipulation of data
Where: From remote
Solution Status: Unpatched
Software: All In One Control Panel 1.x

Description:
ExSploiters has discovered a vulnerability in All In One Control Panel (AIOCP), which can be exploited by malicious people to conduct SQL injection attacks.

Input passed to the "poll_id" parameter in public/code/cp_polls_results.php is not properly sanitised before being used in SQL queries. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code.

The vulnerability is confirmed in version 1.4.001 and reported in version 1.4.000. Other versions may also be affected.

Solution:
Edit the source code to ensure that input is properly sanitised.

Provided and/or discovered by:
ExSploiters

Original Advisory:
http://milw0rm.com/exploits/6854
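The AIOCP entry above describes the general class: a request parameter spliced into SQL text. The following is an added example (not code from AIOCP, from Secunia or from the advisory) that puts that pattern beside its parameterised replacement using Python's built-in sqlite3. The poll_results table, its rows and the poll_id inputs are constructed for illustration; nothing is taken from the affected product.

```python
"""Parameterised queries beside the string-built pattern the advisory describes.

Added example, not code from All In One Control Panel or from the advisory
above. The table, its rows and the poll_id inputs are constructed for
illustration (hypothetical); nothing is taken from the affected product.
"""
import sqlite3


def make_db() -> sqlite3.Connection:
    """In-memory database with a constructed poll_results table."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE poll_results (poll_id INTEGER, choice TEXT, votes INTEGER)"
    )
    conn.executemany(
        "INSERT INTO poll_results VALUES (?, ?, ?)",
        [(1, "yes", 10), (1, "no", 4), (2, "red", 7), (2, "blue", 9)],
    )
    conn.commit()
    return conn


def results_unsafe(conn: sqlite3.Connection, poll_id: str) -> list:
    """Request input spliced into the SQL text: the flaw class in the advisory.
    Whatever the client sends becomes part of the statement itself."""
    sql = f"SELECT choice, votes FROM poll_results WHERE poll_id = {poll_id}"
    return conn.execute(sql).fetchall()


def results_safe(conn: sqlite3.Connection, poll_id: str) -> list:
    """Hardened form: the value is validated as an integer and bound as a
    parameter, so the statement text never changes with user input."""
    try:
        pid = int(poll_id)
    except ValueError as exc:
        raise ValueError("poll_id must be an integer") from exc
    return conn.execute(
        "SELECT choice, votes FROM poll_results WHERE poll_id = ?", (pid,)
    ).fetchall()


if __name__ == "__main__":
    db = make_db()
    print("rows for poll 1 via bound parameter:", results_safe(db, "1"))
    # A tautology appended to the id widens the unsafe query to every row.
    print("rows returned by the unsafe query for a tautology:",
          len(results_unsafe(db, "1 OR 1=1")))
    try:
        results_safe(db, "1 OR 1=1")
    except ValueError as err:
        print("safe query rejected the input:", err)
```

The integer check is not the fix on its own; binding the value is. Validation only narrows what the application accepts, and the placeholder guarantees that whatever is accepted is treated as data rather than as SQL.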

tlAds "tlAds_login" Cookie Security Bypass
Oct 28, 2008 1:52AM PDT

Release Date: 2008-10-28

Critical: Moderately critical
Impact: Security Bypass
Where: From remote
Solution Status: Unpatched
Software: tlAds 1.x

Description:
X0r has discovered a vulnerability in tlAds, which can be exploited by malicious people to bypass certain security restrictions.

The vulnerability is caused due to the application allowing access to the admin interface by checking if a certain cookie exists. This can be exploited to gain administrative access to the application by creating the cookie "tlAds_login" and assigning it the value "admin".

This vulnerability is confirmed in version 1.0. Other versions may also be affected.

Solution:
Ensure that proper access restrictions are implemented.

Provided and/or discovered by:
X0r

Original Advisory:
http://milw0rm.com/exploits/6848
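Two of the entries in this digest are session-handling flaws of opposite kinds: tlAds (above) trusts the mere presence and text of a client-set cookie, and Citrix Web Interface (earlier in the thread) fails to terminate a session on the server so the same browser instance can resume it. The following is an added example (not code from tlAds, Citrix or either advisory) showing the weak check beside a server-side session store that addresses both. The cookie name tlAds_login and the value admin are those quoted in the tlAds advisory; the SessionStore class, the "session" cookie name and the user names are hypothetical constructions.

```python
"""Cookie-existence "authentication" beside a server-side session check.

Added example, not code from tlAds, Citrix Web Interface or either advisory.
The cookie name tlAds_login and the value admin are the ones quoted in the
tlAds advisory; the SessionStore class, the "session" cookie name and the
users below are hypothetical constructions for illustration.
"""
import secrets
import time


def is_admin_weak(cookies: dict) -> bool:
    """The flaw the advisory describes: a client-controlled cookie decides
    whether the request is administrative. Any client can set this cookie."""
    return cookies.get("tlAds_login") == "admin"


class SessionStore:
    """Server-side sessions. The cookie carries only an unguessable random
    token; user and role live on the server, and logout deletes the record so
    the same browser instance cannot resume the session afterwards."""

    def __init__(self, ttl_seconds: int = 900):
        self._sessions = {}  # token -> (user, role, expires_at)
        self._ttl = ttl_seconds

    def login(self, user: str, role: str, now=None) -> str:
        """Issue a fresh token; credentials are assumed to be verified elsewhere."""
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
        self._sessions[token] = (user, role, now + self._ttl)
        return token

    def lookup(self, token, now=None):
        """Return (user, role) for a live token, else None; expired tokens are purged."""
        now = time.time() if now is None else now
        if not token:
            return None
        rec = self._sessions.get(token)
        if rec is None:
            return None
        user, role, expires_at = rec
        if now >= expires_at:
            self._sessions.pop(token, None)
            return None
        return user, role

    def logout(self, token: str) -> None:
        """Proper termination: forget the session on the server, not only in the browser."""
        self._sessions.pop(token, None)


def is_admin_strong(store: SessionStore, cookies: dict, now=None) -> bool:
    """Authorisation is derived from the server-side record, never from cookie text."""
    rec = store.lookup(cookies.get("session"), now)
    return rec is not None and rec[1] == "admin"


if __name__ == "__main__":
    store = SessionStore(ttl_seconds=60)
    forged = {"tlAds_login": "admin"}
    print("weak check accepts a forged cookie:", is_admin_weak(forged))
    print("strong check accepts the same forgery:", is_admin_strong(store, forged))
    token = store.login("alice", "admin")
    print("strong check accepts an issued admin token:",
          is_admin_strong(store, {"session": token}))
    store.logout(token)
    print("after logout the same cookie still works:",
          is_admin_strong(store, {"session": token}))
```

The two properties worth noting: the role is never read from the cookie, so there is nothing for a client to forge, and logout removes the server record, so a shared or reused browser instance cannot continue the session after the user has ended it. In a real deployment the token would also be sent with the Secure and HttpOnly flags and rotated after authentication.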

Red Hat update for lynx
Oct 28, 2008 1:53AM PDT

Release Date: 2008-10-28

Critical: Not critical
Impact: Privilege escalation
Where: Local system
Solution Status: Vendor Patch
OS: Red Hat Enterprise Linux (v. 5 server)
Red Hat Enterprise Linux Desktop (v. 5 client)
RedHat Enterprise Linux AS 2.1
RedHat Enterprise Linux AS 3
RedHat Enterprise Linux AS 4
RedHat Enterprise Linux ES 2.1
RedHat Enterprise Linux ES 3
RedHat Enterprise Linux ES 4
RedHat Enterprise Linux WS 2.1
RedHat Enterprise Linux WS 3
RedHat Enterprise Linux WS 4
RedHat Linux Advanced Workstation 2.1 for Itanium

Description:
Red Hat has issued an update for lynx. This fixes a weakness, which can be exploited by malicious, local users to gain escalated privileges.

For more information:
SA32407

Solution:
Updated packages are available via Red Hat Network.
http://rhn.redhat.com

Original Advisory:
RHSA-2008-0965:
http://rhn.redhat.com/errata/RHSA-2008-0965.html

Other References:
SA32407:
http://secunia.com/advisories/32407/

TUGzip .zip File Buffer Overflow Vulnerability
Oct 28, 2008 1:54AM PDT

Release Date: 2008-10-28

Critical: Highly critical
Impact: System access
Where: From remote
Solution Status: Unpatched
Software: TUGZip 3.x

Description:
Stefan Marin has discovered a vulnerability in TUGzip, which can be exploited by malicious people to compromise a vulnerable system.

The buffer overflow is caused due to a boundary error when processing .zip files. This can be exploited to cause a stack-based buffer overflow via a specially crafted .zip file containing an overly long file name.

This vulnerability is confirmed in version 3.5.0.0. Other versions may also be affected.

Solution:
Do not open files from untrusted sources.

Provided and/or discovered by:
Stefan Marin

Original Advisory:
http://milw0rm.com/exploits/6831

Ocean12 Products .mdb Database Disclosure Security Issues
Oct 28, 2008 1:55AM PDT

Release Date: 2008-10-28

Critical: Moderately critical
Impact: Exposure of sensitive information
Where: From remote
Solution Status: Unpatched
Software: Ocean12 Calendar Manager Gold 2.x
Ocean12 Contact Manager Pro 1.x
Ocean12 Poll Manager Pro 1.x

Description:
Pouya_Server has reported some security issues in multiple Ocean12 products, which can be exploited by malicious people to disclose potentially sensitive information.

The security issue is caused due to databases "o12con.mdb", "o12poll.mdb", and "o12cal.mdb" being stored with insecure permissions inside the web root. This can be exploited to gain knowledge of potentially sensitive information by downloading the file.

Solution:
Restrict access to the database files.

Provided and/or discovered by:
Pouya_Server

Original Advisory:
http://packetstorm.linuxsecurity.com/0810-exploits/ocean12-database.txt

Lynx Insecure ".mailcap" and ".mime.types" Search Path Weakness
Oct 28, 2008 1:57AM PDT

Release Date: 2008-10-28

Critical: Not critical
Impact: Privilege escalation
Where: Local system
Solution Status: Vendor Patch
Software: Lynx 2.x

Description:
A weakness has been reported in Lynx, which can be exploited by malicious, local users to potentially gain escalated privileges.

The weakness is caused due to Lynx processing the ".mailcap" and ".mime.types" files in the current working directory. This can be exploited to e.g. execute arbitrary commands by tricking a user into running Lynx in a specially set up directory.

The weakness is reported in versions prior to 2.8.4rel.1e, 2.8.5rel.6, and 2.8.6rel.4.

Solution:
Update to version 2.8.4rel.1e, 2.8.5rel.6, or 2.8.6rel.4.
http://lynx.isc.org/lynx2.8.6/patches/index.html

Provided and/or discovered by:
Reported in Debian Bug #396949 by Piotr Engelking.

Original Advisory:
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=396949

NetBSD IPv6 Neighbor Discovery Protocol Neighbor Solicitatio
Oct 28, 2008 1:58AM PDT

Release Date: 2008-10-28

Critical: Less critical
Impact: Spoofing, Exposure of sensitive information, DoS
Where: From local network
Solution Status: Vendor Patch
OS: NetBSD 3.1, NetBSD 4.0

Description:
A vulnerability has been reported in NetBSD, which can be exploited by malicious people to conduct spoofing attacks, disclose potentially sensitive information, or to cause a DoS (Denial of Service).

For more information:
SA32112

Solution:
Fixed in the CVS repository. See vendor advisory for details.

Original Advisory:
NetBSD-SA2008-013:
ftp://ftp.netbsd.org/pub/NetBSD/security/advisories/NetBSD-SA2008-013.txt.asc

Other References:
SA32112:
http://secunia.com/advisories/32112/

libtirpc "__rpc_taddr2uaddr_af()" Denial of Service Vulnerability
Oct 28, 2008 1:59AM PDT

Release Date: 2008-10-28

Critical: Less critical
Impact: DoS
Where: From local network
Solution Status: Unpatched
Software: libtirpc 0.x

Description:
A vulnerability has been reported in libtirpc, which can be exploited by malicious people to cause a DoS (Denial of Service).

The vulnerability is caused due to an error within the "__rpc_taddr2uaddr_af()" function in src/rpc_generic.c and can be exploited to crash an application using the library via a specially crafted RPC request.

This may be related to:
SA23700

The vulnerability is reported in version 0.1.9. Other versions may also be affected.

Solution:
Do not process untrusted RPC requests using the library.

Provided and/or discovered by:
Reported by Tomas Hoger in a Red Hat bug report.

Original Advisory:
https://bugzilla.redhat.com/show_bug.cgi?id=468014

Other References:
SA23700:
http://secunia.com/advisories/23700/

Ads Pro "page" Command Execution Vulnerability
Oct 28, 2008 2:00AM PDT

Release Date: 2008-10-28

Critical: Highly critical
Impact: System access
Where: From remote
Solution Status: Unpatched
Software: Ads Pro 1.x

Description:
S0l1D has reported a vulnerability in Ads Pro, which can be exploited by malicious people to compromise a vulnerable system.

Input passed to the "page" parameter in dhtml.pl is not properly sanitised before being used. This can be exploited to inject arbitrary shell commands by appending a command using the pipe character ("|").

Solution:
Edit the source code to ensure that input is properly sanitised.

Provided and/or discovered by:
S0l1D

Original Advisory:
http://milw0rm.com/exploits/6845
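The Ads Pro entry above and the MyKtools entry earlier in the thread share one root cause: a request parameter ("page", "langage") is used to select a file without being validated, so traversal sequences, URL-encoded NUL bytes or a shell pipe character reach the filesystem or a command interpreter. The following is an added example (not code from Ads Pro, MyKtools or their advisories) of the validation a maintainer would put in front of such a parameter. Python is used here as the demonstration language even though the affected scripts are Perl and PHP; the base directory, the allow-list, the page files and every sample input are constructed for the example.

```python
"""Validating a request parameter that selects a file.

Added example, not code from MyKtools, Ads Pro or their advisories. The
parameter names langage and page are those quoted above; the base directory,
the allow-list, the page files and the sample inputs are constructed.
"""
import re
import tempfile
from pathlib import Path

# A plain name only: letters, digits, underscore, hyphen. No dots, slashes,
# pipes, semicolons or other shell metacharacters, and no NUL bytes.
_NAME_RE = re.compile(r"[A-Za-z0-9_-]{1,64}")


class BadParameter(ValueError):
    """Raised for any value that must not reach the filesystem or a shell."""


def resolve_page(base_dir: Path, value: str, allowed: frozenset,
                 suffix: str = ".html") -> Path:
    """Map a client-supplied name onto a file under base_dir, or raise."""
    # NUL bytes truncate C strings inside the runtime, which is how a fixed
    # suffix gets stripped off; reject them before anything else sees the value.
    if "\x00" in value:
        raise BadParameter("NUL byte in parameter")
    # Traversal ("../"), absolute paths and command separators all fail this.
    if not _NAME_RE.fullmatch(value):
        raise BadParameter("parameter is not a plain name")
    # The allow-list is the real control; the regex only narrows what it sees.
    if value not in allowed:
        raise BadParameter("unknown page")
    # Defence in depth: the resolved path must still sit under base_dir.
    base = base_dir.resolve()
    target = (base / (value + suffix)).resolve()
    if base not in target.parents:
        raise BadParameter("path escapes base directory")
    return target


def render_page(base_dir: Path, value: str, allowed: frozenset) -> str:
    """Read the selected page directly: no shell, no include() of a user string."""
    return resolve_page(base_dir, value, allowed).read_text()


def reject_reason(base_dir: Path, value: str, allowed: frozenset):
    """Return the rejection reason for value, or None if it is acceptable."""
    try:
        resolve_page(base_dir, value, allowed)
    except BadParameter as err:
        return str(err)
    return None


def make_demo_dir() -> Path:
    """Constructed fixture: a temporary directory holding two pages."""
    d = Path(tempfile.mkdtemp(prefix="pages-"))
    for name in ("home", "about"):
        (d / f"{name}.html").write_text(f"<h1>{name}</h1>")
    return d


if __name__ == "__main__":
    pages = make_demo_dir()
    allowed = frozenset({"home", "about"})
    print(render_page(pages, "home", allowed))
    # Constructed inputs covering traversal, NUL truncation, shell
    # metacharacters, a client-supplied extension and an unknown name.
    for value in ("../../secret", "home\x00", "page|cmd", "home;cmd",
                  "home.html", "nope"):
        print(f"{value!r}: {reject_reason(pages, value, allowed)}")
```

The order of the checks matters less than their combination: the regex removes every character a path or a shell would interpret, the allow-list removes everything the application did not intend to serve, and the final parents check catches a future refactoring that loosens either of the first two. Reading the file with a plain open rather than handing the name to a shell or an include() removes the command-injection path entirely.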

NetBSD ICMPv6 "Packet Too Big" MTU Denial of Service Vulnerability
Oct 28, 2008 2:01AM PDT

Release Date: 2008-10-28

Critical: Moderately critical
Impact: DoS
Where: From remote
Solution Status: Vendor Patch
OS: NetBSD 3.1, NetBSD 4.0

Description:
NetBSD has acknowledged a vulnerability, which can be exploited by malicious people to cause a DoS (Denial of Service).

For more information:
SA31745

Note: The vulnerability only affects systems with IPv6 support.

Solution:
Fixed in the CVS repository. See vendor advisory for details.

Original Advisory:
NetBSD-SA2008-015:
ftp://ftp.netbsd.org/pub/NetBSD/security/advisories/NetBSD-SA2008-015.txt.asc

Other References:
SA31745:
http://secunia.com/advisories/31745/

Ubuntu update for linux
Oct 28, 2008 2:03AM PDT

Release Date: 2008-10-28

Critical: Less critical
Impact: Security Bypass, Privilege escalation, DoS
Where: Local system
Solution Status: Vendor Patch
OS: Ubuntu Linux 6.06
Ubuntu Linux 7.10
Ubuntu Linux 8.04

Description:
Ubuntu has issued an update for linux, linux-source-2.6.15, and linux-source-2.6.22. This fixes some vulnerabilities, which can be exploited by malicious, local users to cause a DoS (Denial of Service), bypass certain security restrictions, and potentially gain escalated privileges.

Solution:
Apply updated packages.

Note: The updated kernel packages for Ubuntu 8.04 LTS contain an ABI change. See the vendor's advisory for more information.

Original Advisory:
USN-659-1:
https://lists.ubuntu.com/archives/ubu...ity-announce/2008-October/000767.html

Other References:
SA31509:
http://secunia.com/advisories/31509/

SA31366:
http://secunia.com/advisories/31366/

SA32320:
http://secunia.com/advisories/32320/

Address Bar Spoofing Attacks Against Microsoft Internet Explorer 6
Oct 28, 2008 2:04AM PDT

Address Bar Spoofing Attacks Against Microsoft Internet Explorer 6

28 Oct. 2008

Summary
IE6 is the second most popular web browser (after IE7), with a market share of around 25% (according to recent surveys, e.g. http://marketshare.hitslink.com/report.aspx?qprid=2).

This write-up presents two new phishing attack techniques, abusing an address bar issue (security vulnerability) in IE6 in combination with non-standard DNS domain names. The net result is that a phishing site may present itself via a link that, when clicked in IE6, displays a URL almost indistinguishable from the one used by the genuine site. The technique is new, i.e. it is different from the ASCII similar-character and IDN homograph attacks.

There are two techniques: the first presents an address bar which is very similar (visually) to the address bar expected for the genuine domain, by abusing the NBSP character. The second presents an address bar visually identical to the one expected for the genuine domain, using the fact that non-DNSish characters are not displayed in the address bar in some cases. This technique requires registration of a non-standard domain, hence it is probably theoretical only (although "site down" imitation is still possible).

The attacks were verified with Windows XP SP2 and Windows XP SP3.

Credit:
The information has been provided by Amit Klein.

http://www.securiteam.com/windowsntfocus/6J00L2AMUK.html

Safecode initiative fails to attract open source players
Oct 28, 2008 2:39AM PDT

28 October 2008

Industry group Safecode hasn't managed to encourage any open source players to join in its mission to improve the inherent security of software despite being around for nearly a year. Speaking at the RSA Security Conference Europe, in London, the organisation's executive director Paul Kurtz admitted that although the foundation of the organisation was announced at last year's show, the group hasn't managed to add any open source players to its ranks so far.

More: http://www.heise-online.co.uk/security/Safecode-initiative-fails-to-attract-open-source-players--/news/111804

New KTorrent version plugs security vulnerabilities
Oct 28, 2008 2:41AM PDT

28 October 2008

KTorrent version 3.1.4 is the new version of the free BitTorrent client for the KDE and Gnome Linux desktops. The new release of KTorrent fixes some stability problems and plugs a number of security vulnerabilities in the web interface. Secunia, the security services provider, says the latter included the possibility of PHP code being injected into the system and run by the use of crafted parameters, while access restrictions on uploads could be circumvented by specially crafted HTTP POST requests, allowing any Torrent files to be uploaded.

More: http://www.heise-online.co.uk/security/New-KTorrent-version-plugs-security-vulnerabilities--/news/111806

First Google Android flaws surface
Oct 28, 2008 2:47AM PDT

Outdated components leave handset vulnerable

Written by Shaun Nichols in San Francisco

vnunet.com, 28 Oct 2008


A trio of researchers has disclosed the first security flaw for the Google Android platform and pointed out a fundamental security problem in the open source process.

The vulnerability was discovered by researchers Charlie Miller, Mark Daniel and Jake Honoroff from security testing and analysis firm Independent Security Evaluators.

While the three have elected not to disclose details about the flaw until a fix can be issued, they said that a successful exploit could allow an attacker to retrieve all stored information in the victim's browser.

More: http://www.vnunet.com/vnunet/news/2229190/first-android-flaws-surface