VULNERABILITIES \ FIXES - October 29, 2008

Oct 29, 2008 2:23AM PDT

Kmita Catalogue "q" Cross-Site Scripting Vulnerability

Release Date: 2008-10-29

Critical: Less critical
Impact: Cross Site Scripting

Where: From remote
Solution Status: Unpatched

Software: Kmita Catalogue 2.x

Description:
cize0f has reported a vulnerability in Kmita Catalogue, which can be exploited by malicious people to conduct cross-site scripting attacks.

Input passed to the "q" parameter in search.php is not properly sanitised before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user's browser session in context of an affected site.

Solution:
Edit the source code to ensure that input is properly sanitised.

Provided and/or discovered by:
cize0f

Red Hat update for flash-plugin
Oct 29, 2008 2:24AM PDT

Release Date: 2008-10-29

Critical: Moderately critical
Impact: Security Bypass, Manipulation of data, Exposure of sensitive information

Where: From remote
Solution Status: Vendor Patch

Software: RHEL Desktop Supplementary (v. 5 client), RHEL Supplementary (v. 5 server)

Description:
Red Hat has issued an update for flash-plugin. This fixes some vulnerabilities, which can be exploited by malicious people to bypass certain security restrictions, disclose potentially sensitive information, and manipulate certain data.

Solution:
Updated packages are available via Red Hat Network.
http://rhn.redhat.com

Original Advisory:
RHSA-2008-0945:
https://rhn.redhat.com/errata/RHSA-2008-0945.html

Other References:
SA32163:
http://secunia.com/advisories/32163/

SA32270:
http://secunia.com/advisories/32270/

KTorrent 2 Web Interface Torrent Upload and PHP Code Inject
Oct 29, 2008 2:25AM PDT

Release Date: 2008-10-29

Critical: Moderately critical
Impact: Security Bypass, System access

Where: From remote
Solution Status: Unpatched

Software: KTorrent 2.x

Description:
Some vulnerabilities have been reported in KTorrent, which can be exploited by malicious users to compromise a vulnerable system and malicious people to bypass certain security restrictions.

The vulnerability is reported in version 2.2.7. Other versions may also be affected.

Solution:
Restrict network access to the web interface.

The vulnerabilities are fixed in 3.1.4.

Original Advisory:
https://bugs.gentoo.org/show_bug.cgi?id=244741

Kmita Gallery "begin" and "searchtext" Cross-Site Scripting
Oct 29, 2008 2:30AM PDT

Release Date: 2008-10-29

Critical: Less critical
Impact: Cross Site Scripting

Where: From remote
Solution Status: Unpatched

Software: Kmita Gallery

Description:
cize0f has reported some vulnerabilities in Kmita Gallery, which can be exploited by malicious people to conduct cross-site scripting attacks.

1) Input passed to the "begin" parameter in index.php is not properly sanitised before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user's browser session in context of an affected site.

2) Input passed to the "searchtext" parameter in search.php is not properly sanitised before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user's browser session in context of an affected site.

Solution:
Edit the source code to ensure that input is properly sanitised.

Provided and/or discovered by:
cize0f

SUSE update for kernel
Oct 29, 2008 2:31AM PDT

Release Date: 2008-10-29

Critical: Moderately critical
Impact: Privilege escalation, DoS

Where: From remote
Solution Status: Vendor Patch

OS: openSUSE 11.0

Description:
SUSE has issued an update for the kernel. This fixes some vulnerabilities, which can be exploited by malicious, local users to cause a DoS (Denial of Service) and potentially gain escalated privileges, and by malicious people to cause a DoS.

Solution:
Apply updated packages.
Original Advisory:
SUSE-SA:2008:053:
http://lists.opensuse.org/opensuse-security-announce/2008-10/msg00010.html

Other References:
SA32124:
http://secunia.com/advisories/32124/

H2O-CMS Cookie Security Bypass and Code Execution Vulnerabil
Oct 29, 2008 2:33AM PDT

Release Date: 2008-10-29

Critical: Highly critical
Impact: Security Bypass, System access

Where: From remote
Solution Status: Unpatched

Software: H2O-CMS 3.x

Description:
Some vulnerabilities have been discovered in H2O-CMS, which can be exploited by malicious people to bypass certain security restrictions or by malicious users to compromise a vulnerable system.

Solution:
Ensure that proper access restrictions are implemented and that input is properly sanitised.

Provided and/or discovered by:
StAkeR

Original Advisory:
http://milw0rm.com/exploits/6861

H&H WebSoccer "id" SQL Injection Vulnerability
Oct 29, 2008 2:34AM PDT

Release Date: 2008-10-29

Critical: Moderately critical
Impact: Manipulation of data, Exposure of sensitive information

Where: From remote
Solution Status: Unpatched

Software: H&H WebSoccer 2.x

Description:
d3v1l has reported a vulnerability in H&H WebSoccer, which can be exploited by malicious people to conduct SQL injection attacks.

Input passed to the "id" parameter in liga.php is not properly sanitised before being used in SQL queries. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code.

This vulnerability is reported in version 2.80. Other versions may also be affected.

Solution:
Edit the source code to ensure that input is properly sanitised.

Provided and/or discovered by:
d3v1l

Original Advisory:
http://packetstorm.linuxsecurity.com/0810-exploits/hhwebsoccer-sql.txt

OpenOffice WMF and EMF Processing Buffer Overflows
Oct 29, 2008 2:35AM PDT

Release Date: 2008-10-29

Critical: Highly critical
Impact: System access

Where: From remote
Solution Status: Vendor Patch

Software: OpenOffice.org 2.x

Description:
Some vulnerabilities have been reported in OpenOffice, which potentially can be exploited by malicious people to compromise a user's system.

Solution:
Update to version 2.4.2.

Provided and/or discovered by:
The vendor credits:
1) an anonymous researcher working with the SureRun Security Team
2) an anonymous researcher working with iDefense

Original Advisory:
http://www.openoffice.org/security/cves/CVE-2008-2237.html
http://www.openoffice.org/security/cves/CVE-2008-2238.html

Persia BME E-Catalogue "q" SQL Injection
Oct 29, 2008 2:36AM PDT

Release Date: 2008-10-29

Critical: Moderately critical
Impact: Manipulation of data, Exposure of sensitive information

Where: From remote
Solution Status: Unpatched

Software: Persia BME E-Catalogue

Description:
AmnPardaz Security Research Team have reported a vulnerability in Persia BME E-Catalogue, which can be exploited by malicious people to conduct SQL injection attacks.

Input passed to the "q" parameter in search.asp (when "action" is set to "search") is not properly sanitised before being used in SQL queries. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code.

Successful exploitation allows e.g. retrieval of usernames and passwords.

Solution:
Edit the source code to ensure that input is properly sanitised.

Provided and/or discovered by:
AmnPardaz Security Research Team

Original Advisory:
http://www.bugreport.ir/index_56.htm

Aj Square RSS Reader "url" SQL Injection Vulnerability
Oct 29, 2008 2:38AM PDT

Release Date: 2008-10-29

Critical: Moderately critical
Impact: Manipulation of data

Where: From remote
Solution Status: Unpatched

Software: Aj Square RSS Reader

Description:
yassine_enp has reported a vulnerability in Aj Square RSS Reader, which can be exploited by malicious people to conduct SQL injection attacks.

Input passed to the "url" parameter in EditUrl.php is not properly sanitised before being used in SQL queries. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code.

Solution:
Edit the source code to ensure that input is properly sanitised.

Provided and/or discovered by:
yassine_enp

Original Advisory:
http://milw0rm.com/exploits/6829

PHP-Daily File Disclosure and SQL Injection Vulnerabilities
Oct 29, 2008 2:39AM PDT

Release Date: 2008-10-29

Critical: Moderately critical
Impact: Manipulation of data, Exposure of system information, Exposure of sensitive information

Where: From remote
Solution Status: Unpatched

Software: PHP-Daily 1.x

Description:
0xFFFFFF has discovered some vulnerabilities in PHP-Daily, which can be exploited by malicious people to disclose sensitive information and conduct SQL injection attacks.

The vulnerabilities are confirmed in version 1.1. Other versions may also be affected.

Solution:
Edit the source code to ensure that input is properly sanitised.

Provided and/or discovered by:
0xFFFFFF

Original Advisory:
http://milw0rm.com/exploits/6833

SiteEngine SQL Injection and Information Disclosure Vulnerab
Oct 29, 2008 2:40AM PDT

Release Date: 2008-10-29

Critical: Moderately critical
Impact: Manipulation of data, Exposure of system information

Where: From remote
Solution Status: Unpatched

Software: SiteEngine 5.x

Description:
Some vulnerabilities have been reported in SiteEngine, which can be exploited by malicious people to disclose system information and conduct SQL injection attacks.

Solution:
Edit the source code to ensure that input is properly sanitised.

Provided and/or discovered by:
xuanmumu

Atlassian JIRA Multiple Vulnerabilities
Oct 29, 2008 2:41AM PDT

Release Date: 2008-10-29

Critical: Moderately critical
Impact: Cross Site Scripting

Where: From remote
Solution Status: Partial Fix

Software: Atlassian JIRA Enterprise Edition 3.x

Description:
Thomas Pollet has discovered some vulnerabilities in Atlassian JIRA, which can be exploited by malicious people to conduct cross-site scripting and cross-site request forgery attacks, and by malicious users to conduct script insertion attacks.

The vulnerabilities are confirmed in Atlassian JIRA Enterprise Edition version 3.13. Other versions may also be affected.

Solution:
Update to version 3.13.1, which fixes vulnerabilities #1 and #2.

Do not browse untrusted sites or follow untrusted links while logged on to the application.

Provided and/or discovered by:
Thomas Pollet

Original Advisory:
Atlassian:
http://confluence.atlassian.com/display/JIRA/JIRA+Security+Advisory+2008-10-29

Adobe PageMaker PMD File Processing Buffer Overflows
Oct 29, 2008 2:43AM PDT

Release Date: 2008-10-29

Critical: Highly critical
Impact: System access

Where: From remote
Solution Status: Unpatched

Software: Adobe Pagemaker 7.x

Description:
Secunia Research has discovered two vulnerabilities in Adobe PageMaker, which can be exploited by malicious people to compromise a user's system.

The vulnerabilities are caused due to boundary errors when processing certain structures in a .PMD file. These can be exploited to cause stack-based and heap-based buffer overflows via e.g. a .PMD file containing a specially crafted font structure.

Successful exploitation allows execution of arbitrary code.

The vulnerabilities are confirmed in version 7.0.1. Other versions may also be affected.

Solution:
Do not open untrusted .PMD files.

The vendor will be releasing a fix for one of the vulnerabilities shortly.

Provided and/or discovered by:
JJ Reyes, Secunia Research.

Original Advisory:
Secunia Research:
http://secunia.com/secunia_research/2007-80/

Trend Micro OfficeScan CGI Parsing Buffer Overflows
Oct 29, 2008 2:44AM PDT

29 Oct. 2008

Summary
"Protect your desktops, laptops, and file servers with OfficeScan, comprehensive security against today's complex, blended threats and Web-based attacks." Secunia Research has discovered a vulnerability in Trend Micro OfficeScan Server, which can be exploited by malicious people to compromise a vulnerable system.

Credit:
The information has been provided by Secunia Research.
The original article can be found at: http://secunia.com/secunia_research/2008-40/
http://www.securiteam.com/windowsntfocus/6X00P2KMUC.html

Eaton MGE OPS Network Shutdown Module Authentication Bypass
Oct 29, 2008 2:45AM PDT

Eaton MGE OPS Network Shutdown Module Authentication Bypass Vulnerability and Code Execution

29 Oct. 2008

Summary
EATON MGE Office Protection Systems designs and manufactures secured power products and solutions for enterprises, small businesses and homes. The Network Shutdown Module continuously waits for information from the Management Proxy or Management Card connected to the EATON UPS and warns administrators and users if AC power fails and proceeds with graceful system shutdown before the end of battery backup power is reached.

Remote exploitation of an authentication bypass vulnerability in Eaton MGE OPS Network Shutdown Module could allow an attacker to execute arbitrary code.

In detail, the following flaw was determined:
- Custom actions can be added to the MGE frontend without authentication required (pane_actionbutton.php)
- Actions can be executed (tested) without authentication required (exec_action.php)

Credit:
The information has been provided by n.runs AG.

http://www.securiteam.com/securitynews/6W00O2KMUK.html

Patches for NetBSD
Oct 29, 2008 2:47AM PDT

29 October 2008

The developers of NetBSD have released information about two vulnerabilities that have been fixed in the networking. The patches incorporated into current versions solve a problem with the implementation of the Neighbor Discovery Protocol (NDP) for IPv6 allowing attackers to redirect the network traffic for Man-in-the-Middle attacks or to overload router links.

More: http://www.heise-online.co.uk/security/Patches-for-NetBSD--/news/111818

OpenOffice 2.4.2 fixes critical vulnerabilities
Oct 29, 2008 2:48AM PDT

29 October 2008

The OpenOffice development team has announced the release of version 2.4.2, which fixes two critical security vulnerabilities. According to the security advisories, the vulnerabilities are heap overflows when processing EMF and WMF files, which can be exploited using crafted documents to inject and execute malicious code. All versions prior to 2.4.2 are affected. According to the OpenOffice developers, the bugs are not present in version 3.0. OpenOffice 2.4.2 is now available to download from the OpenOffice site.

More: http://www.heise-online.co.uk/security/OpenOffice-2-4-2-fixes-critical-vulnerabilities--/news/111821

OpenOffice.org Releases Two Security Bulletins
Oct 29, 2008 2:51AM PDT

added October 29, 2008 at 11:38 am

OpenOffice.org has released bulletins to address two vulnerabilities. These bulletins address heap-based buffer overflow vulnerabilities in the processing of WMF and EMF files. Exploitation of these vulnerabilities may allow an attacker to execute arbitrary code.

US-CERT encourages users and administrators to review the following OpenOffice.org security bulletins and apply the resolutions provided by the vendor:

- Manipulated WMF files can lead to heap overflows and arbitrary code execution.
- Manipulated EMF files can lead to heap overflows and arbitrary code execution.

http://www.us-cert.gov/current/current_activity.html#openoffice_releases_two_security_bulletins

Javascript to be next core malware language
Oct 29, 2008 2:53AM PDT

Web 2.0 driving browser vulnerabilities, warns Radware

Written by Ian Williams

vnunet.com, 29 Oct 2008
The demand that the development of web 2.0 has placed on browsers to become more interactive and act as a portal rather than just a viewing platform is opening up new vulnerabilities to unsuspecting users, Itzik Kotler, team leader of the Security Operation Center at IT security firm Radware, has warned.

As well as developing new signatures and analytics tools for Radware scanning software, Kotler also works on finding new classes of vulnerabilities before they appear in the wild.

More: http://www.vnunet.com/vnunet/news/2229325/javascript-core-malware

PacketTrap TFTPD DoS
Oct 29, 2008 3:58AM PDT

29 Oct. 2008

Summary
A vulnerability in PacketTrap's TFTPD allows remote attackers to cause the TFTP server to fail by sending it a pipe (|) character as the filename that is being uploaded.

Credit:
The information has been provided by Jeremy Brown.

http://www.securiteam.com/exploits/6T00L2KMUI.html
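A defender-side illustration of the PacketTrap TFTPD report above, added here and not part of the original post or of any vendor's code: a TFTP read/write request parser (RFC 1350 layout) that validates the filename before it is used, so a "|" or similar character in the name is answered with a TFTP error instead of bringing the server down. The forbidden-character set, the path checks and the triage helper are assumptions about what a hardened server should do.

```python
import struct

# TFTP opcodes from RFC 1350; only read and write requests carry a filename.
OP_NAMES = {1: "RRQ", 2: "WRQ"}
ALLOWED_MODES = {"netascii", "octet", "mail"}
# Characters refused in a filename before it can reach the filesystem or a
# shell. The reported crash involved '|'; the wider set is an assumption.
FORBIDDEN_CHARS = set('|&;<>`$"\'\\*?')

class TftpRequestError(ValueError):
    """Malformed or disallowed request: answer with a TFTP ERROR, keep serving."""

def build_request(opcode: int, filename: str, mode: str) -> bytes:
    """Constructed RRQ/WRQ packet: opcode(2) | filename | NUL | mode | NUL."""
    return (struct.pack("!H", opcode) + filename.encode("latin-1") + b"\x00"
            + mode.encode("ascii") + b"\x00")

def validate_filename(name: str) -> str:
    """Reject empty/non-ASCII names, metacharacters, absolute paths and '..'."""
    if not name or not name.isascii():
        raise TftpRequestError("empty or non-ASCII filename")
    bad = sorted(set(name) & FORBIDDEN_CHARS)
    if bad:
        raise TftpRequestError(f"forbidden characters in filename: {bad}")
    if name[0] in "/\\" or ".." in name.replace("\\", "/").split("/"):
        raise TftpRequestError("path escapes the TFTP root")
    return name

def parse_request(packet: bytes) -> tuple:
    """Parse and validate an RRQ/WRQ without RFC 2347 options."""
    opcode = struct.unpack("!H", packet[:2])[0] if len(packet) >= 4 else None
    if opcode not in OP_NAMES:
        raise TftpRequestError(f"bad length or opcode ({opcode})")
    fields = packet[2:].split(b"\x00")  # well-formed: [filename, mode, b""]
    if len(fields) != 3 or fields[2] != b"":
        raise TftpRequestError("filename and mode must each be NUL-terminated")
    filename = fields[0].decode("latin-1")
    mode = fields[1].decode("latin-1").lower()
    if mode not in ALLOWED_MODES:
        raise TftpRequestError(f"unknown transfer mode {mode!r}")
    return OP_NAMES[opcode], validate_filename(filename), mode

def triage(packet: bytes) -> str:
    """Server-loop wrapper: 'ok' or the reason the request was refused."""
    try:
        parse_request(packet)
        return "ok"
    except TftpRequestError as exc:
        return f"refused: {exc}"
```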