
VULNERABILITIES \ FIXES - October 31, 2008

Oct 31, 2008 12:50AM PDT

PHP-Nuke BookCatalog Module "catid" SQL Injection Vulnerability

Release Date: 2008-10-31

Critical: Moderately critical
Impact: Manipulation of data, Exposure of sensitive information
Where: From remote
Solution Status: Unpatched
Software: BookCatalog 1.x (module for PHP-Nuke)

Description:
Ehsan_Hp200 has reported a vulnerability in the BookCatalog module for PHP-Nuke, which can be exploited by malicious people to conduct SQL injection attacks.

Input passed to the "catid" parameter via modules.php (when "name" is set to "BookCatalog" and "op" is set to "category") is not properly sanitised before being used in SQL queries. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code.

Solution:
Edit the source code to ensure that input is properly sanitised.

Provided and/or discovered by:
Ehsan_Hp200

Original Advisory:
http://packetstorm.linuxsecurity.com/0810-exploits/phpnukebook-sql.txt

Gentoo update for libspf2
Oct 31, 2008 12:51AM PDT

Release Date: 2008-10-31

Critical: Moderately critical
Impact: DoS, System access
Where: From remote
Solution Status: Vendor Patch
OS: Gentoo Linux 1.x

Description:
Gentoo has issued an update for libspf2. This fixes a vulnerability, which can be exploited by malicious people to potentially compromise an application using the library.

Solution:
Update to "mail-filter/libspf2-1.2.8" or later.

Original Advisory:
GLSA-200810-03:
http://www.gentoo.org/security/en/glsa/glsa-200810-03.xml

Other References:
SA32396:
http://secunia.com/advisories/32396/

Fedora update for openoffice.org
Oct 31, 2008 12:52AM PDT

Release Date: 2008-10-31

Critical: Highly critical
Impact: System access
Where: From remote
Solution Status: Vendor Patch
OS: Fedora 8, Fedora 9

Description:
Fedora has issued an update for openoffice.org. This fixes some vulnerabilities, which potentially can be exploited by malicious people to compromise a user's system.

Solution:
Apply updated packages via the yum utility ("yum update openoffice.org").

Original Advisory:
FEDORA-2008-9313:
https://www.redhat.com/archives/fedor...e-announce/2008-October/msg00905.html

FEDORA-2008-9333:
https://www.redhat.com/archives/fedor...e-announce/2008-October/msg00923.html

Other References:
SA32419:
http://secunia.com/advisories/32419/

VMware ESX Server update for libxml2
Oct 31, 2008 12:54AM PDT

Release Date: 2008-10-31

Critical: Moderately critical
Impact: DoS
Where: From remote
Solution Status: Partial Fix
OS: VMware ESX Server 3.x

Description:
VMware has issued an update for VMware ESX Server. This fixes a vulnerability, which can be exploited by malicious people to cause a DoS (Denial of Service).

Solution:
Apply patches (see vendor advisory for more information).

Original Advisory:
VMSA-2008-0017:
http://lists.vmware.com/pipermail/security-announce/2008/000039.html

Other References:
SA31558:
http://secunia.com/advisories/31558/

CrossFire Map Pack combine.pl Insecure Temporary Files
Oct 31, 2008 12:55AM PDT

Release Date: 2008-10-31

Critical: Not critical
Impact: Privilege escalation
Where: Local system
Solution Status: Unpatched
Software: CrossFire 1.x

Description:
A security issue has been reported in CrossFire, which can be exploited by malicious, local users to perform certain actions with escalated privileges.

The security issue is caused due to the "maps/Info/combine.pl" script of the map pack using temporary files in an insecure manner. This can be exploited to e.g. overwrite arbitrary files via symlink attacks.

The security issue is reported in version 1.11.0 of the map pack (Big World).

Solution:
Restrict local access to trusted users only.

Provided and/or discovered by:
Reported by Dmitry E. Oboukhov in a Debian bug report.

Original Advisory:
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=496358

Fedora update for phpMyAdmin
Oct 31, 2008 12:56AM PDT

Release Date: 2008-10-31

Critical: Less critical
Impact: Cross Site Scripting
Where: From remote
Solution Status: Vendor Patch
OS: Fedora 8, Fedora 9

CVE reference: CVE-2008-4775

Description:
Fedora has issued an update for phpMyAdmin. This fixes a vulnerability, which can be exploited by malicious people to conduct cross-site scripting attacks.


Solution:
Apply updated packages via the yum utility ("yum update phpMyAdmin").

Original Advisory:
FEDORA-2008-9316:
https://www.redhat.com/archives/fedor...e-announce/2008-October/msg00908.html

FEDORA-2008-9336:
https://www.redhat.com/archives/fedor...e-announce/2008-October/msg00925.html

Other References:
SA32449:
http://secunia.com/advisories/32449/

e107 Lyrics Plugin "l_id" SQL Injection Vulnerability
Oct 31, 2008 12:57AM PDT

Release Date: 2008-10-31

Critical: Moderately critical
Impact: Manipulation of data, Exposure of sensitive information
Where: From remote
Solution Status: Unpatched
Software: Lyrics 0.x (plugin for e107)

Description:
ZoRLu has discovered a vulnerability in the Lyrics plugin for e107, which can be exploited by malicious people to conduct SQL injection attacks.

Input passed to the "l_id" parameter in lyrics_song.php is not properly sanitised before being used in SQL queries. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code.

Successful exploitation allows e.g. retrieval of administrator usernames and password hashes, but requires knowledge of the database table prefix.

The vulnerability is confirmed in version 0.42. Other versions may also be affected.

Solution:
Edit the source code to ensure that input is properly sanitised.

Provided and/or discovered by:
ZoRLu

Original Advisory:
http://milw0rm.com/exploits/6885

Absolute Podcast .NET "xlaAPCuser" Security Bypass
Oct 31, 2008 12:58AM PDT

Release Date: 2008-10-31

Critical: Moderately critical
Impact: Security Bypass
Where: From remote
Solution Status: Unpatched
Software: Absolute Podcast .NET 1.x

Description:
Hakxer has reported a vulnerability in Absolute Podcast .NET, which can be exploited by malicious people to bypass certain security restrictions.

The vulnerability is caused due to the application allowing access to the admin interface by checking if a certain cookie exists. This can be exploited to gain administrative access to the application by creating the cookie "xlaAPCuser" and assigning it the value "userid=1&lvl=1&s=".

The vulnerability is reported in version 1.0. Other versions may also be affected.

Solution:
Ensure that proper access restrictions are implemented.

Provided and/or discovered by:
Hakxer

Original Advisory:
http://milw0rm.com/exploits/6882
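The advisory above describes an admin check that only tests whether a cookie with the expected name exists. The following is an added example (not code from Absolute Podcast .NET or the advisory) that contrasts that presence-only check with a server-issued, HMAC-signed cookie carrying an expiry; the secret, the cookie layout and the assumption that "lvl=1" denotes admin are constructed for the illustration.

```python
import hashlib
import hmac
import time
from urllib.parse import parse_qs

# Constructed server-side secret for this example; a real deployment generates
# one per installation and keeps it out of the code base.
SERVER_SECRET = b"constructed-example-secret-do-not-reuse"
COOKIE_NAME = "xlaAPCuser"


def is_admin_vulnerable(cookies):
    """Mirrors the flaw in the advisory: the admin interface is unlocked as
    soon as a cookie with the expected name exists. Nothing ties the value to
    a login the server actually performed, so any client can fabricate it."""
    return COOKIE_NAME in cookies


def issue_admin_cookie(user_id, level, ttl_seconds=3600, now=None):
    """Hardened variant: the server issues the cookie only after a real login
    and signs user id, level and expiry. The 's=' field carries the HMAC."""
    now = int(time.time()) if now is None else now
    payload = f"userid={user_id}&lvl={level}&exp={now + ttl_seconds}"
    sig = hmac.new(SERVER_SECRET, payload.encode(), hashlib.sha256).hexdigest()
    return f"{payload}&s={sig}"


def is_admin_hardened(cookies, now=None):
    """Grant admin only if the signature verifies (constant-time compare),
    the cookie has not expired, and the signed level is the admin level
    (assumed here to be 1). A client-fabricated or edited value fails."""
    raw = cookies.get(COOKIE_NAME)
    if raw is None:
        return False
    payload, sep, sig = raw.rpartition("&s=")
    if not sep:
        return False
    expected = hmac.new(SERVER_SECRET, payload.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, sig):
        return False
    fields = parse_qs(payload)
    try:
        exp = int(fields["exp"][0])
        level = int(fields["lvl"][0])
    except (KeyError, ValueError):
        return False
    now = int(time.time()) if now is None else now
    return now < exp and level == 1
```

Logging every rejected signature in `is_admin_hardened` gives a detection signal for the kind of fabricated cookie the advisory describes.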

CompactCMS Cross-Site Scripting and Cross-Site Request Forge
Oct 31, 2008 12:59AM PDT

Release Date: 2008-10-31

Critical: Less critical
Impact: Cross Site Scripting
Where: From remote
Solution Status: Partial Fix
Software: CompactCMS 1.x

Description:
Russ McRee has reported some vulnerabilities in CompactCMS, which can be exploited by malicious people to conduct cross-site scripting and cross-site request forgery attacks.

Solution:
Update to version 1.2, which fixes some of the vulnerabilities.

Provided and/or discovered by:
Russ McRee

Original Advisory:
Russ McRee:
http://holisticinfosec.org/content/view/90/45/

SPBOARD "file" Command Injection Vulnerability
Oct 31, 2008 1:00AM PDT

Release Date: 2008-10-31

Critical: Highly critical
Impact: System access
Where: From remote
Solution Status: Unpatched
Software: SPBOARD 4.x

Description:
GoLd_M has reported a vulnerability in SPBOARD, which can be exploited by malicious people to compromise a vulnerable system.

Input passed to the "file" parameter in board.cgi (e.g. if "action" is set to "down_file") is not properly sanitised before being used. This can be exploited to inject and execute arbitrary shell commands.

The vulnerability is reported in version 4.5. Other versions may also be affected.

Solution:
Use another product.

Provided and/or discovered by:
GoLd_M.

Original Advisory:
http://milw0rm.com/exploits/6864

eXPert PDF ViewerX ActiveX Control "savePageAsBitmap()" Inse
Oct 31, 2008 1:01AM PDT

Release Date: 2008-10-31

Critical: Less critical
Impact: Manipulation of data
Where: From remote
Solution Status: Unpatched
Software: eXPert PDF ViewerX ActiveX Control 3.x

Description:
Marco Torti has discovered a vulnerability in eXPert PDF ViewerX ActiveX Control, which can be exploited by malicious people to overwrite arbitrary files.

The vulnerability is caused due to the VSPDFViewerX.VSPDFViewer (VSPDFViewerX.ocx) ActiveX control providing the insecure "savePageAsBitmap()" method. This can be exploited to overwrite arbitrary files on the local system via arguments passed to the affected method.

This vulnerability is confirmed in version 3.0.990. Other versions may also be affected.

Solution:
Set the kill-bit for the affected ActiveX control.

Provided and/or discovered by:
Marco Torti

Original Advisory:
http://milw0rm.com/exploits/6875

MW6 Technologies ActiveX Controls Insecure Methods
Oct 31, 2008 1:02AM PDT

Release Date: 2008-10-31

Critical: Less critical
Impact: Manipulation of data
Where: From remote
Solution Status: Unpatched
Software:
* MW6 Technologies 1D Barcode ActiveX Control 3.x
* MW6 Technologies Aztec ActiveX Control 3.x
* MW6 Technologies DataMatrix ActiveX Control 3.x
* MW6 Technologies PDF417 ActiveX Control 3.x

Description:
DeltahackingTEAM has discovered some vulnerabilities in various MW6 Technologies ActiveX controls, which can be exploited by malicious people to overwrite arbitrary files.

The vulnerabilities are caused due to the following ActiveX controls including the insecure "SaveAsBMP()" and "SaveAsWMF()" methods:
* MW6PDF417Lib.PDF417 (MW6PDF417.dll)
* DATAMATRIXLib.MW6DataMatrix (DataMatrix.dll)
* BARCODELib.MW6Barcode (Barcode.dll)
* AZTECLib.MW6Aztec (Aztec.dll)

These can be exploited to overwrite and corrupt arbitrary files on the system, in the context of the currently logged-on user.

The vulnerabilities are confirmed in the following versions:
* MW6PDF417Lib.PDF417 3.0.0.1
* DATAMATRIXLib.MW6DataMatrix 3.0.0.1
* BARCODELib.MW6Barcode 3.0.0.1
* AZTECLib.MW6Aztec 3.0.0.1

Other versions may also be affected.

Solution:
Set the kill-bit for the affected ActiveX controls.

Provided and/or discovered by:
DeltahackingTEAM

Original Advisory:
http://milw0rm.com/exploits/6870
http://milw0rm.com/exploits/6871
http://milw0rm.com/exploits/6872
http://milw0rm.com/exploits/6873

A-LINK WL54AP3 / WL54AP2 Cross-Site Scripting and Cross-Site
Oct 31, 2008 1:03AM PDT

Release Date: 2008-10-31

Critical: Less critical
Impact: Cross Site Scripting
Where: From remote
Solution Status: Vendor Patch
OS: A-LINK WL54AP2 1.x, A-LINK WL54AP3 1.x

Description:
Some vulnerabilities have been reported in A-LINK WL54AP3 and WL54AP2, which can be exploited by malicious people to conduct cross-site scripting or cross-site request forgery attacks.

Solution:
Update to version 1.4.2.
ftp://ftp.a-link.com/wl54ap3/v142-eng1.zip

Provided and/or discovered by:
Jussi Vuokko and Henri Lindberg, Louhi Networks Information Security Research

Original Advisory:
A-LINK:
http://www.a-link.com/WL54AP3.html

Louhi Networks:
http://www.louhinetworks.fi/advisory/alink_081028.txt

New beta version of Google's Chrome browser
Oct 31, 2008 1:05AM PDT

31 October 2008,

Google has completed a new beta release of its browser. Users of previous versions should automatically receive Chrome 0.3.154.9 via the update feature found in the "About Google Chrome" menu item. It is worthwhile updating to the new version as it closes a URL spoofing hole that could be exploited for phishing attacks.

Google introduced its own web browser early in September and the public reception on it was that it was a further attack on Microsoft. Google has been moving into Microsoft productivity applications homeground for some time, with products such as Google Docs and Mail, but had been lacking its own web browser. Chrome uses elements of Apple's Webkit and of Mozilla's Firefox. Its JavaScript engine, V8, was developed from scratch for performance reasons. Some security experts criticised the release of a beta browser by Google, pointing out that the browser is the most likely route for attacks to be made.

More: http://www.heise-online.co.uk/security/New-beta-version-of-Google-s-Chrome-browser--/news/111843

VMWare ESX security patches
Oct 31, 2008 1:32AM PDT

Published: 2008-10-31,
Last Updated: 2008-10-31 07:55:40 UTC
by Stephen Hall (Version: 1)

VMware has released a new security advisory and has updated two previously announced advisories.

Details are available via the VMWare web site:

- VMSA-2008-0017 (new advisory)
http://lists.vmware.com/pipermail/security-announce/2008/000039.html

Summary : A denial of service flaw was found in the way libxml2 processes certain content. If an application that is linked against libxml2 processes malformed XML content, the XML content might cause the application to stop responding.

More: http://isc.sans.org/

Adobe Releases Security Advisory for PageMaker 7
Oct 31, 2008 1:35AM PDT

added October 31, 2008 at 09:31 am

Adobe has released a Security Advisory to address vulnerabilities in PageMaker 7.0.1 and 7.0.2. These vulnerabilities may allow an attacker to execute arbitrary code.

US-CERT encourages users and administrators to review Adobe's Security Advisory ASPA08-10 and apply any necessary updates to help mitigate the risks. Note that the Adobe Security Advisory indicates that an additional vulnerability remains unaddressed by the update.


http://www.us-cert.gov/current/current_activity.html#adobe_releases_security_advisory_for1

VMware Releases Security Advisory VMSA-2008-0017
Oct 31, 2008 1:36AM PDT

added October 31, 2008 at 09:00 am

VMware has released a Security Advisory indicating it has updated the ESX packages to address vulnerabilities in libxml2, ucd-snmp, and libtiff. Exploitation of these vulnerabilities may allow an attacker to execute arbitrary code, spoof authenticated SNMPv3 packets, or cause a denial-of-service condition.

US-CERT encourages users and administrators to review VMware Security Advisory VMSA-2008-0017 and apply any necessary updates to help mitigate the risks.


http://www.us-cert.gov/current/current_activity.html#vmware_releases_security_advisory_vmsa1

OpenOffice users urged to apply security fixes
Oct 31, 2008 1:38AM PDT

Patches address a pair of critical flaws

Written by Shaun Nichols in San Francisco

vnunet.com, 31 Oct 2008


A pair of security fixes have been posted for OpenOffice.

Users are being urged to install both updates, which address flaws in the open-source productivity suite that could be used by an attacker to remotely execute code on targeted systems.

Both vulnerabilities affect all versions of OpenOffice prior to the 2.4.2 release. The recently-unveiled OpenOffice 3.0 release is not believed to be at risk from either vulnerability.

More: http://www.vnunet.com/vnunet/news/2229501/open-office-gets-security-fixes

Ubuntu Linux updates released
Oct 31, 2008 1:40AM PDT

New client and server versions include enhanced connectivity, security and virtualisation tools

Written by Shaun Nichols in San Francisco

vnunet.com, 31 Oct 2008

The latest edition of the Ubuntu Linux operating system has been released.

Canonical, which distributes the open-source operating system, said the new versions of both the desktop and server clients would add major features.

For desktop users, the 8.10 update will feature support for 3G hardware connections as well as the ability to write and start up a system from an external USB drive. The update also adds support for guest sessions as well as free BBC content available in bundled multimedia applications.

More: http://www.vnunet.com/vnunet/news/2229503/ubuntu-gets-update

SUSE update for Multiple Packages
Oct 31, 2008 2:35AM PDT

Release Date: 2008-10-31

Critical: Highly critical
Impact: Cross Site Scripting, DoS, System access
Where: From remote
Solution Status: Vendor Patch
OS: openSUSE 10.2, openSUSE 10.3, openSUSE 11.0

Description:
SuSE has issued an update for multiple packages. This fixes some vulnerabilities, which can be exploited by malicious people to cause a DoS (Denial of Service), conduct cross-site scripting attacks or potentially, to compromise a user's system.

Solution:
Apply updated packages via YaST Online Update or the SUSE FTP server.

Original Advisory:
SUSE-SR:2008:023:
http://lists.opensuse.org/opensuse-security-announce/2008-10/msg00012.html

Other References:
SA30519:
http://secunia.com/advisories/30519/

SA32186:
http://secunia.com/advisories/32186/

SA32452:
http://secunia.com/advisories/32452/

SonicWALL Products Content Filtering Service Cross-Site Scri
Oct 31, 2008 2:37AM PDT

Release Date: 2008-10-31

Critical: Moderately critical
Impact: Cross Site Scripting
Where: From remote
Solution Status: Vendor Patch
OS: SonicWALL Pro Series, SonicWALL TZ Series

Description:
A vulnerability has been reported in various SonicWALL products, which can be exploited by malicious people to conduct cross-site scripting attacks.

Input passed via a URL is not properly sanitised before being returned in a Content Filtering Service message that a site is blocked. This can be exploited to execute arbitrary HTML and script code in a user's browser session in context of a requested site.

The vulnerability is reported in SonicWALL products running SonicOS versions prior to 4.0.1.1.

Solution:
Update to SonicOS version 4.0.1.1 or later.

Provided and/or discovered by:
Adrian Pastor, reported via ZDI

Original Advisory:
ZDI:
http://www.zerodayinitiative.com/advisories/ZDI-08-070/

SonicWALL:
http://www.sonicwall.com/downloads/SonicOS_Enhanced_4.0.1.1_Release_Notes.pdf

Interact Cross-Site Request Forgery Vulnerability
Oct 31, 2008 2:38AM PDT

Release Date: 2008-10-31

Critical: Less critical
Impact: Cross Site Scripting
Where: From remote
Solution Status: Unpatched
Software: Interact 2.x

Description:
Secunia Research has discovered a vulnerability in Interact, which can be exploited by malicious people to conduct cross-site request forgery attacks.

The application allows users to perform certain actions via HTTP requests without performing any validity checks to verify the request. This can be exploited to e.g. add new super administrator users by enticing a logged-in super administrator to visit a malicious web page.

The vulnerability is confirmed in version 2.4.1. Other versions may also be affected.

Solution:
Do not browse untrusted websites while logged on to the application.

Provided and/or discovered by:
Secunia Research

Original Advisory:
Secunia Research:
http://secunia.com/secunia_research/2008-44/