VULNERABILITIES \ FIXES - October 3, 2008

Oct 3, 2008 1:07AM PDT

Red Hat update for pam_krb5

Release Date: 2008-10-03

Critical:
Less critical
Impact: Security Bypass

Where: Local system
Solution Status: Vendor Patch


OS: Red Hat Enterprise Linux (v. 5 server)
Red Hat Enterprise Linux Desktop (v. 5 client)

Description:
Red Hat has issued an update for pam_krb5. This fixes a security issue, which can be exploited by malicious, local users to bypass certain security restrictions.

Solution:
Updated packages are available via Red Hat Network.
http://rhn.redhat.com

Original Advisory:
RHSA-2008-0907:
https://rhn.redhat.com/errata/RHSA-2008-0907.html

Other References:
SA32119:
http://secunia.com/advisories/32119/

XAMPP adodb.php Cross-Site Scripting Vulnerabilities
Oct 3, 2008 1:09AM PDT

Release Date: 2008-10-03

Critical:
Less critical
Impact: Cross Site Scripting

Where: From remote
Solution Status: Unpatched


Software: XAMPP 1.x

Description:
Jaykishan Nirmal has discovered some vulnerabilities in XAMPP, which can be exploited by malicious people to conduct cross-site scripting attacks.

Input passed to the "dbserver", "host", "user", "password", "database", and "table" parameters in xampp/adodb.php is not properly sanitised before being returned to a user. This can be exploited to execute arbitrary HTML and script code in a user's browser session in context of an affected site.

The vulnerabilities are confirmed in version 1.6.8 (Windows Installer). Other versions may also be affected.

Solution:
Edit the source code to ensure that input is properly sanitised.

Provided and/or discovered by:
Jaykishan Nirmal, Aujas Networks

OpenBSD IPv6 Neighbor Discovery Protocol Neighbor Solicitation Vulnerability
Oct 3, 2008 1:11AM PDT

Release Date: 2008-10-03

Critical:
Less critical
Impact: Spoofing
Exposure of sensitive information
DoS

Where: From local network
Solution Status: Vendor Patch


OS: OpenBSD 4.2
OpenBSD 4.3
OpenBSD 4.4

Description:
A vulnerability has been reported in OpenBSD, which can be exploited by malicious people to conduct spoofing attacks, disclose potentially sensitive information, or to cause a DoS (Denial of Service).

Solution:
Fixed in the CVS repository.

Provided and/or discovered by:
FreeBSD credits David Miles.

Original Advisory:
OpenBSD:
http://openbsd.org/errata43.html#006_ndp

Other References:
SA32112:
http://secunia.com/advisories/32112/

MediaWiki "useskin" Cross-Site Scripting Vulnerability
Oct 3, 2008 1:12AM PDT

Release Date: 2008-10-03

Critical:
Less critical
Impact: Cross Site Scripting

Where: From remote
Solution Status: Vendor Patch


Software: MediaWiki 1.x

Description:
A vulnerability has been reported in MediaWiki, which can be exploited by malicious people to conduct cross-site scripting attacks.

Input passed to the "useskin" parameter is not properly sanitised before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user's browser session in context of an affected site.

Successful exploitation requires that $wgUseSiteCss is enabled, which is the default.

The vulnerability is reported in version 1.12.0 and all 1.13.x versions prior to 1.13.2.

Solution:
Update to version 1.12.1 or 1.13.2.

Provided and/or discovered by:
Reported by the vendor.

Original Advisory:
http://lists.wikimedia.org/pipermail/mediawiki-announce/2008-October/000078.html
http://svn.wikimedia.org/svnroot/mediawiki/tags/REL1_12_1/phase3/RELEASE-NOTES
http://svn.wikimedia.org/svnroot/mediawiki/tags/REL1_13_2/phase3/RELEASE-NOTES

Libxml2 Predefined Entities Denial of Service Vulnerability
Oct 3, 2008 1:13AM PDT

Release Date: 2008-10-03

Critical:
Moderately critical
Impact: DoS

Where: From remote
Solution Status: Vendor Patch


Software: Libxml2 2.x

Description:
A vulnerability has been reported in Libxml2, which can be exploited by malicious people to cause a DoS (Denial of Service).

The vulnerability is caused due to an error in the processing of XML files and can be exploited to exhaust all available memory via a specially crafted XML file containing a predefined entity inside an entity definition.

The vulnerability is reported in versions 2.7.0 and 2.7.1.

Solution:
Update to version 2.7.2.
ftp://xmlsoft.org/libxml2/

Provided and/or discovered by:
Reported by Christian Weiske in a Libxml2 bug report.

Original Advisory:
http://bugzilla.gnome.org/show_bug.cgi?id=554660

Avaya CMS Solaris ACL for UFS File Systems Local Denial of S
Oct 3, 2008 1:14AM PDT

Release Date: 2008-10-03

Critical:
Not critical
Impact: DoS

Where: Local system
Solution Status: Unpatched


OS: Avaya Call Management System (CMS)

Description:
Avaya has acknowledged a vulnerability in Avaya CMS, which can be exploited by malicious, local users to cause a DoS (Denial of Service).

The vulnerability affects Avaya CMS R12, R13/R13.1, and R14/R14.1.

Solution:
The vendor recommends that local and network access to the affected systems be restricted until an update is available.

Original Advisory:
http://support.avaya.com/elmodocs2/security/ASA-2008-383.htm

Other References:
SA31919:
http://secunia.com/advisories/31919/

Linux Kernel "vmi_write_ldt_entry()" Privilege Escalation
Oct 3, 2008 1:15AM PDT

Release Date: 2008-10-03

Critical:
Less critical
Impact: Privilege escalation
DoS

Where: Local system
Solution Status: Vendor Workaround


OS: Linux Kernel 2.6.x

Description:
Eugene Teo has reported a vulnerability in the Linux Kernel, which can be exploited by malicious, local users in a VMI guest to cause a DoS (Denial of Service) and potentially gain escalated privileges.

The vulnerability is caused due to an error within the "vmi_write_ldt_entry()" function in arch/x86/kernel/vmi_32.c. This can be exploited to write values into the IDT by e.g. calling "sys_modify_ldt()".

Successful exploitation requires that the kernel is running as VMI guest on a x86 system.

Solution:
Fixed in the GIT repository.
http://git.kernel.org/?p=linux/kernel...9985e3a623d4d5d6207f1777398ca0606ab1c

Provided and/or discovered by:
Eugene Teo, Red Hat

Original Advisory:
http://git.kernel.org/?p=linux/kernel...9985e3a623d4d5d6207f1777398ca0606ab1c

Blue Coat SGOS ICAP Patience Page Cross-Site Scripting Vulne
Oct 3, 2008 1:16AM PDT

Release Date: 2008-10-03

Critical:
Less critical
Impact: Cross Site Scripting

Where: From remote
Solution Status: Unpatched


OS: Blue Coat Security Gateway OS (SGOS) 4.x
Blue Coat Security Gateway OS (SGOS) 5.x

Description:
Juan Pablo Lopez Yacubian has reported a vulnerability in Blue Coat Security Gateway OS (SGOS), which can be exploited by malicious people to conduct cross-site scripting attacks.

Input passed via the URL is not properly sanitised by the ICAP Patience Page before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user's browser session in context of an affected site.

The vulnerability affects SGOS versions 4.2, 5.2, and 5.3.

Solution:
The vendor recommends customizing the settings of the ICAP Patience Page in order to avoid printing the URL. Please see the vendor's advisory for more information.

Provided and/or discovered by:
Juan Pablo Lopez Yacubian

Original Advisory:
Blue Coat:
http://www.bluecoat.com/support/securityadvisories/icap_patience

Apple TV Multiple Vulnerabilities
Oct 3, 2008 1:17AM PDT

Release Date: 2008-10-03

Critical:
Highly critical
Impact: System access

Where: From remote
Solution Status: Vendor Patch


OS: Apple TV 1.x
Apple TV 2.x

Description:
Some vulnerabilities have been reported in Apple TV, which can be exploited by malicious people to compromise a vulnerable system.

Solution:
Update to version 2.2.

Provided and/or discovered by:
The vendor credits:
1) Cody Pierce, TippingPoint DVLabs
2) Reported by an anonymous person via ZDI.

Original Advisory:
APPLE-SA-2008-10-02:
http://lists.apple.com/archives/security-announce/2008/Oct/msg00000.html

Other References:
SA27523:
http://secunia.com/advisories/27523/

SA31821:
http://secunia.com/advisories/31821/

Red Hat update for tomcat
Oct 3, 2008 1:19AM PDT

Release Date: 2008-10-03

Critical:
Moderately critical
Impact: Security Bypass
Cross Site Scripting
Exposure of system information
Exposure of sensitive information

Where: From remote
Solution Status: Vendor Patch


Software: Red Hat Application Server v2 EL4

Description:
Red Hat has issued an update for tomcat. This fixes some vulnerabilities, which can be exploited by malicious, local users to bypass certain security restrictions, malicious users to disclose potentially sensitive information, and by malicious people to conduct cross-site scripting attacks, bypass certain security restrictions, or disclose sensitive information.

Solution:
Updated packages are available via Red Hat Network.
http://rhn.redhat.com

Original Advisory:
RHSA-2008-0862:
https://rhn.redhat.com/errata/RHSA-2008-0862.html

Other References:
SA27398:
http://secunia.com/advisories/27398/

SA28274:
http://secunia.com/advisories/28274/

SA30500:
http://secunia.com/advisories/30500/

SA31379:
http://secunia.com/advisories/31379/

pam_krb5 Credential Cache "existing_ticket" Security Bypas
Oct 3, 2008 1:20AM PDT

Release Date: 2008-10-03

Critical:
Less critical
Impact: Security Bypass

Where: Local system
Solution Status: Vendor Patch


Software: pam_krb5 2.x

Description:
A security issue has been reported in pam_krb5, which can be exploited by malicious, local users to bypass certain security restrictions.

The security issue is caused due to pam_krb5 not correctly restricting users from reusing the existing credentials of another user. This can be exploited to e.g. switch into another user's account by setting the "KRB5CCNAME" variable to point to the credentials cache of the target user.

Successful exploitation requires that the "existing_ticket" option is enabled.

The security issue is reported in versions 2.2.0 to 2.2.25, 2.3.0, and 2.3.1. Other versions may also be affected.

Solution:
Update to version 2.3.2-1.

Provided and/or discovered by:
St

OpenX "bannerid" SQL Injection Vulnerability
Oct 3, 2008 1:21AM PDT

Release Date: 2008-10-03

Critical:
Moderately critical
Impact: Manipulation of data
Exposure of sensitive information

Where: From remote
Solution Status: Unpatched


Software: OpenX 2.x

Description:
d00m3r4ng has discovered a vulnerability in OpenX, which can be exploited by malicious people to conduct SQL injection attacks.

Input passed to the "bannerid" parameter in www/delivery/ac.php is not properly sanitised before being used in SQL queries. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code.

This vulnerability is confirmed in version 2.6.1. Other versions may also be affected.

Solution:
Edit the source code to ensure that input is properly sanitised.

Provided and/or discovered by:
d00m3r4ng

Original Advisory:
http://milw0rm.com/exploits/6655

Novell eDirectory Multiple Vulnerabilities
Oct 3, 2008 1:22AM PDT

Release Date: 2008-10-03

Critical:
Moderately critical
Impact: DoS
System access

Where: From local network
Solution Status: Vendor Patch


Software: Novell eDirectory 8.x

Description:
Some vulnerabilities have been reported in Novell eDirectory, which can be exploited by malicious people to cause a DoS (Denial of Service) and potentially compromise a vulnerable system.

Solution:
Apply 8.7.3 SP10 FTF1.

Provided and/or discovered by:
The vendor credits ZDI.

Original Advisory:
http://www.novell.com/support/viewContent.do?externalId=3477912

mIRC "PRIVMSG" Processing Buffer Overflow Vulnerability
Oct 3, 2008 1:23AM PDT

Release Date: 2008-10-03

Critical:
Moderately critical
Impact: System access

Where: From remote
Solution Status: Unpatched


Software: mIRC 6.x

Description:
securfrog has discovered a vulnerability in mIRC, which can be exploited by malicious people to compromise a user's system.

The vulnerability is caused due to a boundary error in the processing of "PRIVMSG" IRC messages. This can be exploited to cause a stack-based buffer overflow by tricking a user into connecting to a malicious IRC server.

Successful exploitation allows execution of arbitrary code.

The vulnerability is confirmed in version 6.34. Other versions may also be affected.

Solution:
Do not connect to untrusted IRC servers.

Do not follow untrusted links or browse untrusted websites.

Provided and/or discovered by:
securfrog

Original Advisory:
http://milw0rm.com/exploits/6654

phpScheduleIt PHP "eval()" Injection Vulnerability
Oct 3, 2008 1:24AM PDT

Release Date: 2008-10-03

Critical:
Highly critical
Impact: System access

Where: From remote
Solution Status: Unpatched


Software: phpScheduleIt 1.x

Description:
EgiX has discovered a vulnerability in phpScheduleIt, which can be exploited by malicious people to compromise a vulnerable system.

Input passed to the "start_date" parameter in reserve.php is not properly sanitised before being used in "eval()" calls. This can be exploited to execute arbitrary PHP code.

Successful exploitation of this vulnerability requires that "magic_quotes_gpc" is disabled.

This vulnerability has been confirmed in version 1.2.10. Other versions may also be affected.

Solution:
Edit the source code to ensure that input is properly sanitised.

Provided and/or discovered by:
EgiX

Original Advisory:
http://milw0rm.com/exploits/6646

Microsoft Windows Mobile Bluetooth Device Name Denial of Ser
Oct 3, 2008 1:25AM PDT

Release Date: 2008-10-03

Critical:
Less critical
Impact: DoS

Where: From remote
Solution Status: Unpatched


OS: Microsoft Windows Mobile 6.x

Description:
Julien Bedard has reported a vulnerability in Microsoft Windows Mobile, which can be exploited by malicious people to cause a DoS (Denial of Service).

The vulnerability is caused due to an error in the handling of advertised Bluetooth device names. This can be exploited to trigger a device reboot by setting up a Bluetooth device with an overly long name, in the range of the vulnerable device.

Solution:
Disable Bluetooth support.

Provided and/or discovered by:
Julien Bedard

Original Advisory:
http://milw0rm.com/exploits/6582

WebBiscuits Multiple Products header_setup.php File Inclusio
Oct 3, 2008 1:26AM PDT

Release Date: 2008-10-03

Critical:
Highly critical
Impact: System access

Where: From remote
Solution Status: Unpatched


Software: WebBiscuits Blog 1.x
WebBiscuits Contact Form 1.x
WebBiscuits Customer Helpdesk 1.x
WebBiscuits eCommerce 1.x
WebBiscuits Events Calendar 1.x
WebBiscuits Excel Importer/Exporter 1.x
WebBiscuits FAQ Support 1.x
WebBiscuits Form Designer 1.x
WebBiscuits Forum 1.x
WebBiscuits Guestbook 1.x
WebBiscuits Links Directory 1.x
WebBiscuits Misc Tools 1.x
WebBiscuits News Publisher 1.x
WebBiscuits Newsletter 1.x
WebBiscuits Photo Galleries 1.x
WebBiscuits Vote Caster 1.x

Description:
A vulnerability has been reported in various WebBiscuits products, which can be exploited by malicious people to compromise a vulnerable system.

Input passed to the "path[docroot]" and "component" parameters in common/theme/default/header_setup.php is not properly verified before being used to include files. This can be exploited to include arbitrary files from local and remote resources.

Successful exploitation may require that "register_globals" is enabled.

Solution:
Edit the source code to ensure that input is properly verified.

Provided and/or discovered by:
"kevin mitnick"

Original Advisory:
http://packetstorm.linuxsecurity.com/0809-exploits/eventscal-rfi.txt

Ubuntu update for cpio
Oct 3, 2008 1:27AM PDT

Release Date: 2008-10-03

Critical:
Not critical
Impact: DoS

Where: From remote
Solution Status: Vendor Patch


OS: Ubuntu Linux 6.06
Ubuntu Linux 7.04
Ubuntu Linux 7.10



Description:
Ubuntu has issued an update for cpio. This fixes a vulnerability, which can be exploited by malicious people to cause a DoS (Denial of Service).

The vulnerability is caused due to an error when processing specially crafted tar archives and can be exploited to cause a stack-based buffer overflow and crash the vulnerable application.

Solution:
Apply updated packages.

Original Advisory:
USN-650-1:
http://www.ubuntu.com/usn/usn-650-1

AutoNessus "remark" Cross-Site Scripting Vulnerability
Oct 3, 2008 1:28AM PDT

Release Date: 2008-10-03

Critical:
Less critical
Impact: Cross Site Scripting

Where: From remote
Solution Status: Vendor Patch


Software: AutoNessus 1.x

Description:
Frank Breedijk has reported a vulnerability in AutoNessus, which can be exploited by malicious people to conduct cross-site scripting attacks.

Input passed to the "remark" parameter in bulk_update.pl is not properly sanitised before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user's browser session in the context of an affected website.

Solution:
Update to version 1.2.2.

Provided and/or discovered by:
Frank Breedijk

Original Advisory:
http://sourceforge.net/tracker/index....&group_id=216367&atid=1037394

PowerPortal "path" Information Disclosure
Oct 3, 2008 1:29AM PDT

Release Date: 2008-10-03

Critical:
Less critical
Impact: Exposure of system information
Exposure of sensitive information

Where: From remote
Solution Status: Unpatched


Software: PowerPortal 2.x

Description:
r45c4l has discovered a vulnerability in PowerPortal, which can be exploited by malicious people to disclose sensitive information.

Input passed to the "path" parameter in index/Gallery is not properly sanitised before being used. This can be exploited to list the contents of arbitrary directories and to display images from arbitrary directories via directory traversal attacks.

The vulnerability is confirmed in version 2.0.13. Other versions may also be affected.

Solution:
Edit the source code to ensure that input is properly sanitised.

Provided and/or discovered by:
r45c4l

Original Advisory:
http://milw0rm.com/exploits/6604

PHP infoBoard SQL Injection and Script Insertion
Oct 3, 2008 1:31AM PDT

Release Date: 2008-10-03

Critical:
Moderately critical
Impact: Cross Site Scripting
Manipulation of data
Exposure of sensitive information

Where: From remote
Solution Status: Unpatched


Software: PHP infoBoard 7.x

Description:
CWH Underground has reported two vulnerabilities in PHP infoBoard, which can be exploited by malicious people to conduct script insertion and SQL injection attacks.

The vulnerabilities are reported in version 7 Plus. Other versions may also be affected.

Solution:
Edit the source code to ensure that input is properly sanitised.

Provided and/or discovered by:
CWH Underground

Original Advisory:
http://milw0rm.com/exploits/6566

Avaya CMS Solaris Editors Tag File Handling Privilege Escala
Oct 3, 2008 1:32AM PDT

Release Date: 2008-10-03

Critical:
Less critical
Impact: Privilege escalation

Where: Local system
Solution Status: Unpatched


OS: Avaya Call Management System (CMS)

Description:
Avaya has acknowledged a vulnerability in Avaya CMS, which can be exploited by malicious, local users to gain escalated privileges.

The vulnerability affects Avaya CMS R12, R13/R13.1, and R14/R14.1.

Solution:
The vendor recommends that local and network access to the affected systems be restricted until an update is available.

Original Advisory:
http://support.avaya.com/elmodocs2/security/ASA-2008-387.htm

Other References:
SA31895:
http://secunia.com/advisories/31895/

Juniper Netscreen Firewall Cross-Site-Scripting (XSS) Event Log Injection
Oct 3, 2008 1:33AM PDT

Summary
A Cross-Site Scripting (XSS) Injection vulnerability was discovered within the Juniper Netscreen firewall NetOS version 5.4.0r9.0. The vulnerability is caused by failure to validate input from the web interface login and telnet session login. This makes it possible for an attacker to inject JavaScript as part of the user name during login. The JavaScript is then stored in the device event logs. When the event logs are viewed within the Netscreen web console, the JavaScript is executed. A successful attack would allow an attacker to run JavaScript on the computer system connecting to the Netscreen web management console, which could lead to system compromise.

Credit:
The information has been provided by Deral Heiland.

http://www.securiteam.com/securitynews/6A0010UMUI.html

vxFtpSrv CWD Command Overflow
Oct 3, 2008 1:34AM PDT
Google's Picasa for Linux catches up to Windows
Oct 3, 2008 2:04AM PDT

October 3, 2008

Posted by Stephen Shankland

Google has brought to Linux the beta version of its new Picasa 3 software for image editing, cataloging, and uploading.

The new release catches the open-source operating system up with Windows, which got the Picasa 3 beta one month earlier. There's still no word about a Mac OS X version, although Mike Horowitz, Google's Picasa product manager, told me earlier that "Macs are important to us...We're always looking for new ways of making sure our users are happy, so it's something we're looking at."

More: http://news.cnet.com/8301-13580_3-10057452-39.html

WinZip blasts hole in Windows 2000 security
Oct 3, 2008 7:40AM PDT

3 October 2008

WinZip has admitted to a security problem relating to Windows 2000 and its WinZip file compression program. WinZip versions 11.0, 11.1 and 11.2 apparently contain a vulnerable version of Microsoft's gdiplus.dll graphics library. The bug can result in infection when users view crafted images. When installing the affected versions, WinZip places the gdiplus.dll file in the WinZip program folder.

More: http://www.heise-online.co.uk/security/WinZip-blasts-hole-in-Windows-2000-security--/news/111655