Thank you for being a valued part of the CNET community. As of December 1, 2020, the forums are in read-only format. In early 2021, CNET Forums will no longer be available. We are grateful for the participation and advice you have provided to one another over the years.

Thanks,

CNET Support

General discussion

VULNERABILITIES \ FIXES - October 6, 2008

Oct 6, 2008 1:31AM PDT

VMware ESX Server Sun Java JDK / JRE Multiple Vulnerabilities

Release Date: 2008-10-06

Critical: Highly critical
Impact: Security Bypass, Exposure of system information, Exposure of sensitive information, DoS, System access

Where: From remote
Solution Status: Unpatched

OS: VMware ESX Server 3.x

Description:
VMware has acknowledged some vulnerabilities in VMware ESX Server, which can be exploited by malicious people to bypass certain security restrictions, disclose system information or potentially sensitive information, cause a DoS (Denial of Service), or compromise a vulnerable system.

The vulnerabilities affect versions 3.0.1, 3.0.2, 3.0.3, and 3.5.

Solution:
Patches are reportedly pending release.

Do not follow untrusted links or browse untrusted websites.

Original Advisory:
http://www.vmware.com/security/advisories/VMSA-2008-0016.html

Other References:
SA31010:
http://secunia.com/advisories/31010/

VMware VirtualCenter Multiple Vulnerabilities
Oct 6, 2008 1:32AM PDT

Release Date: 2008-10-06

Critical: Highly critical
Impact: Security Bypass, Exposure of system information, Exposure of sensitive information, DoS, System access

Where: From remote
Solution Status: Partial Fix

Software: VMware VirtualCenter 2.x

Description:
VMware has acknowledged a weakness and some vulnerabilities in VMware VirtualCenter, which can be exploited by malicious, local users to disclose sensitive information, and by malicious people to bypass certain security restrictions, disclose system information or potentially sensitive information, cause a DoS (Denial of Service), or compromise a vulnerable system.

Solution:
VirtualCenter 2.5:
Update to version 2.5 update 3 build 119838.
www.vmware.com/download/download.do

VirtualCenter 2.0.2:
Reportedly, an updated version is pending release.

Provided and/or discovered by:
1) The vendor credits Mark Woollatt.

Original Advisory:
http://www.vmware.com/security/advisories/VMSA-2008-0016.html

Other References:
SA31010:
http://secunia.com/advisories/31010/

Website Directory "keyword" Cross-Site Scripting Vulnerability
Oct 6, 2008 1:33AM PDT

Release Date: 2008-10-06

Critical: Less critical
Impact: Cross Site Scripting

Where: From remote
Solution Status: Unpatched

Software: Website Directory

Description:
Ghost Hacker has reported a vulnerability in Website Directory, which can be exploited by malicious people to conduct cross-site scripting attacks.

Input passed to the "keyword" parameter in index.php (when "action" is set to "search") is not properly sanitised before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user's browser session in context of an affected site.

Solution:
Edit the source code to ensure that input is properly sanitised.

Provided and/or discovered by:
Ghost Hacker

Fedora update for libxml2
Oct 6, 2008 1:34AM PDT

Release Date: 2008-10-06

Critical: Moderately critical
Impact: DoS

Where: From remote
Solution Status: Vendor Patch

OS: Fedora 8, Fedora 9

Description:
Fedora has issued an update for libxml2. This fixes a vulnerability, which can be exploited by malicious people to cause a DoS (Denial of Service).

Solution:
Apply updated packages using the yum utility ("yum update libxml2").

Original Advisory:
FEDORA-2008-8582:
https://www.redhat.com/archives/fedor...e-announce/2008-October/msg00130.html

FEDORA-2008-8575:
https://www.redhat.com/archives/fedor...e-announce/2008-October/msg00125.html

Other References:
SA32130:
http://secunia.com/advisories/32130/

Fedora update for pam_krb5
Oct 6, 2008 1:36AM PDT

Release Date: 2008-10-06

Critical: Less critical
Impact: Security Bypass

Where: Local system
Solution Status: Vendor Patch

OS: Fedora 8, Fedora 9

Description:
Fedora has issued an update for pam_krb5. This fixes a security issue, which can be exploited by malicious, local users to bypass certain security restrictions.

Solution:
Apply updated packages via the yum utility ("yum update pam_krb5").

Original Advisory:
FEDORA-2008-8605:
https://www.redhat.com/archives/fedor...e-announce/2008-October/msg00150.html

FEDORA-2008-8618:
https://www.redhat.com/archives/fedor...e-announce/2008-October/msg00166.html

Other References:
SA32119:
http://secunia.com/advisories/32119/

AdaptCMS "user_name" SQL Injection Vulnerability
Oct 6, 2008 1:37AM PDT

Release Date: 2008-10-06

Critical: Moderately critical
Impact: Manipulation of data

Where: From remote
Solution Status: Vendor Patch

Software: AdaptCMS Lite 1.x, AdaptCMS Pro 1.x

Description:
A vulnerability has been reported in AdaptCMS, which can be exploited by malicious people to conduct SQL injection attacks.

Input passed to the "user_name" parameter in includes/check_user.php is not properly sanitised before being used in SQL queries. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code.

The vulnerability is reported in AdaptCMS Lite and AdaptCMS Pro version 1.3. Other versions may also be affected.

Solution:
Apply the fix.
http://downloads.sourceforge.net/adaptcms/AdaptCMS_1.3_Fix.zip

Provided and/or discovered by:
StAkeR

Original Advisory:
http://www.adaptcms.com/article/51/Ne...NT-AdaptCMS-13-Security-Fix-Released/

http://milw0rm.com/exploits/6662

AmpJuke "special" SQL Injection Vulnerability
Oct 6, 2008 1:38AM PDT

Release Date: 2008-10-06

Critical: Less critical
Impact: Manipulation of data

Where: From remote
Solution Status: Unpatched

Software: AmpJuke 0.x

Description:
S_DLA_S has discovered a vulnerability in AmpJuke, which can be exploited by malicious users to conduct SQL injection attacks.

Input passed to the "special" parameter in index.php (if "what" is set to "performerid") is not properly sanitised before being used in SQL queries. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code.

The vulnerability is confirmed in version 0.7.5. Other versions may also be affected.

Solution:
Edit the source code to ensure that input is properly sanitised. Restrict access to trusted people only.

Provided and/or discovered by:
S_DLA_S

Original Advisory:
http://packetstorm.linuxsecurity.com/0810-exploits/ampjuke-sql.txt

Dovecot ACL Plugin Security Bypass Security Issues
Oct 6, 2008 1:39AM PDT

Release Date: 2008-10-06

Critical: Less critical
Impact: Security Bypass

Where: From remote
Solution Status: Vendor Patch

Software: Dovecot 1.x

Description:
Two security issues have been reported in Dovecot, which can be exploited by malicious users to bypass certain security restrictions.

Solution:
Update to version 1.1.4.

Provided and/or discovered by:
Reported by the vendor.

Original Advisory:
http://www.dovecot.org/list/dovecot-news/2008-October/000085.html

VMware ESX / ESXi "JMP" Privilege Escalation Vulnerability
Oct 6, 2008 1:40AM PDT

Release Date: 2008-10-06

Critical: Less critical
Impact: Privilege escalation

Where: Local system
Solution Status: Vendor Patch

OS: VMware ESX Server 3.x, VMware ESXi 3.x

Description:
A vulnerability has been reported in VMware ESX / ESXi, which can be exploited by malicious, local users to gain escalated privileges.

The vulnerability is caused due to an error in the emulation of "JMP" instructions to "non-canonical" 64-bit addresses. This can be exploited to run arbitrary code with escalated privileges inside a VMware guest.

Solution:
Apply vendor patches.

Provided and/or discovered by:
The vendor credits Derek Soeder.

Original Advisory:
VMware:
http://www.vmware.com/security/advisories/VMSA-2008-0016.html

Derek Soeder:
http://lists.grok.org.uk/pipermail/full-disclosure/2008-October/064860.html

Kontiki Delivery Management System "action" Cross-Site Scripting Vulnerability
Oct 6, 2008 1:41AM PDT

Release Date: 2008-10-06

Critical: Less critical
Impact: Cross Site Scripting

Where: From remote
Solution Status: Vendor Patch

Software: Kontiki Delivery Management System 5.x

Description:
A vulnerability has been reported in Kontiki Delivery Management System, which can be exploited by malicious people to conduct cross-site scripting attacks.

Input passed to the "action" parameter to zodiac/servlet/zodiac is not properly sanitised before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user's browser session in context of an affected site.

The vulnerability is reported in version 5.0. Other versions may also be affected.

Solution:
Apply vendor patch (login required).
https://customersupport.kontiki.com/software/patch-20102

Provided and/or discovered by:
Mazin Faour, Information Risk Management

Original Advisory:
Information Risk Management:
http://www.irmplc.com/researchlab/advisories/170

Debian update for feta
Oct 6, 2008 1:42AM PDT

Release Date: 2008-10-06

Critical: Less critical
Impact: Privilege escalation

Where: Local system
Solution Status: Vendor Patch

OS: Debian GNU/Linux 4.0, Debian GNU/Linux unstable alias sid

Description:
Debian has issued an update for feta. This fixes a security issue, which can be exploited by malicious, local users to perform certain actions with escalated privileges.

The security issue is caused due to the "to-upgrade" plugin creating temporary files in an insecure manner. This can be exploited to e.g. overwrite and delete arbitrary files via symlink attacks.

Solution:
Apply updated packages.

Provided and/or discovered by:
Dmitry E. Oboukhov

Original Advisory:
DSA-1643-1:
http://lists.debian.org/debian-security-announce/2008/msg00234.html
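
The failure mode named in the feta entry above, insecure temporary-file creation defeated by a pre-planted symlink, and the two safe creation patterns, shown as an added Python example; this is not the feta plugin's code or anything from the Debian advisory. File names are constructed for the demo, and the whole scenario runs inside a private directory created by tempfile, so nothing outside it is touched.

```python
"""Added example, not the feta plugin's code: a temporary file at a
predictable path can be redirected by a symlink planted there by another
local user (the symlink attack the Debian entry describes), and O_EXCL or
tempfile.mkstemp closes the hole.  Names below are constructed."""
import os
import tempfile


def insecure_write(path, data):
    # Defect: open(..., "w") follows whatever already exists at `path`.
    # If a symlink was planted there, the link target is truncated and
    # overwritten with `data` under the caller's privileges.
    with open(path, "w") as f:
        f.write(data)


def secure_write(path, data):
    # Fix: O_CREAT|O_EXCL makes the open fail if anything (file or symlink)
    # already sits at `path` instead of following it, and mode 0o600 keeps
    # the new file private to the creating user.
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "w") as f:
        f.write(data)


def preferred_write(directory, data):
    # Idiomatic form: tempfile.mkstemp picks an unpredictable name and does
    # the O_EXCL / 0o600 creation itself; the caller gets an open fd back.
    fd, path = tempfile.mkstemp(prefix="upgrade-", dir=directory)
    with os.fdopen(fd, "w") as f:
        f.write(data)
    return path


def demo():
    """Run both variants against a planted symlink inside a private dir.
    Returns (secure_refused, victim_after_secure, victim_after_insecure,
    mkstemp_mode)."""
    with tempfile.TemporaryDirectory() as d:
        victim = os.path.join(d, "victim.txt")  # constructed stand-in target
        with open(victim, "w") as f:
            f.write("original")
        predictable = os.path.join(d, "feta-to-upgrade.tmp")  # constructed name
        os.symlink(victim, predictable)  # the pre-planted link

        refused = False
        try:
            secure_write(predictable, "clobbered")
        except FileExistsError:
            refused = True  # O_EXCL refused to follow the link
        with open(victim) as f:
            after_secure = f.read()

        insecure_write(predictable, "clobbered")
        with open(victim) as f:
            after_insecure = f.read()

        mode = os.stat(preferred_write(d, "data")).st_mode & 0o777
        return refused, after_secure, after_insecure, mode


if __name__ == "__main__":
    print(demo())
```

The check a reviewer applies to code like the plugin's is simple: a temporary file is safe only if the name is unpredictable or the creation uses an exclusive-create open, and ideally both, which is exactly what mkstemp provides.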

Debian update for mplayer
Oct 6, 2008 1:44AM PDT

Release Date: 2008-10-06

Critical: Highly critical
Impact: DoS, System access

Where: From remote
Solution Status: Vendor Patch

OS: Debian GNU/Linux 4.0, Debian GNU/Linux unstable alias sid

Description:
Debian has issued an update for mplayer. This fixes some vulnerabilities, which potentially can be exploited by malicious people to compromise a user's system.

Solution:
Apply updated packages.

Original Advisory:
DSA-1644-1:
http://lists.debian.org/debian-security-announce/2008/msg00235.html

Other References:
SA32045:
http://secunia.com/advisories/32045/

JMweb MP3 Script "src" File Inclusion Vulnerabilities
Oct 6, 2008 1:45AM PDT

Release Date: 2008-10-06

Critical: Moderately critical
Impact: Exposure of sensitive information

Where: From remote
Solution Status: Unpatched

Software: JMweb MP3 Music Audio Search and Download Script

Description:
SirGod has discovered some vulnerabilities in JMweb MP3 Music Audio Search and Download Script, which can be exploited by malicious people to disclose sensitive information.

Input passed to the "src" parameter in listen.php and download.php is not properly verified before being used to include files. This can be exploited to include arbitrary files from local resources.

Solution:
Edit the source code to ensure that input is properly verified.

Provided and/or discovered by:
SirGod

Original Advisory:
http://milw0rm.com/exploits/6669

Fastpublish CMS Multiple Vulnerabilities
Oct 6, 2008 1:47AM PDT

Release Date: 2008-10-06

Critical: Moderately critical
Impact: Manipulation of data, Exposure of sensitive information

Where: From remote
Solution Status: Unpatched

Software: Fastpublish CMS 1.x

Description:
Multiple vulnerabilities have been discovered in Fastpublish CMS, which can be exploited by malicious people to conduct SQL injection attacks and gain knowledge of sensitive information.

Solution:
Edit the source code to ensure that input is properly sanitised.

Provided and/or discovered by:
~!Dok_tOR!~

Original Advisory:
http://milw0rm.com/exploits/6678

Nucleus EUC-JP Cross-Site Scripting Vulnerability
Oct 6, 2008 1:48AM PDT

Release Date: 2008-10-06

Critical: Less critical
Impact: Cross Site Scripting

Where: From remote
Solution Status: Vendor Patch

Software: Nucleus 3.x

Description:
A vulnerability has been reported in Nucleus EUC-JP, which can be exploited by malicious people to conduct cross-site scripting attacks.

Input passed to certain unspecified parameters is not properly sanitised before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user's browser session in context of an affected site.

Successful exploitation may require that the victim uses the Internet Explorer browser.

The vulnerability is reported in Nucleus EUC-JP version 3.31 SP1 and prior.

Note: Reportedly, this affects the Japanese version only.

Solution:
Update to version 3.31 SP2.
http://japan.nucleuscms.org/bb/viewtopic.php?t=4131

Provided and/or discovered by:
JVN credits Gaku Mochizuki of Mitsui Bussan Secure Directions, Ltd.

Original Advisory:
JVN:
http://jvn.jp/en/jp/JVN92651529/index.html

Nucleus:
http://japan.nucleuscms.org/bb/viewtopic.php?t=4131
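
The defect shared by the Website Directory, Kontiki and Nucleus entries above, a request parameter "returned to the user" without sanitising, and its fix, as an added Python example; it is not code from any of those products. Python stands in for the PHP and servlet code those advisories concern, the parameter name "keyword" is taken from the Website Directory entry, and the page template is constructed for the demo.

```python
"""Added example, not code from Website Directory, Kontiki or Nucleus:
a minimal search-results renderer with the reflected-XSS defect beside
the escaped form.  The template and sample query strings are constructed."""
import html
from urllib.parse import parse_qs


def _keyword(query_string):
    """Extract the decoded 'keyword' parameter from a raw query string."""
    return parse_qs(query_string).get("keyword", [""])[0]


def render_vulnerable(query_string):
    # Defect: the decoded parameter is spliced straight into the HTML body,
    # so any markup in it is interpreted by the browser.
    return "<p>Results for: %s</p>" % _keyword(query_string)


def render_fixed(query_string):
    # Fix: encode the value for the context it lands in.  html.escape
    # replaces & < > and, with quote=True, also " and ', so the same value
    # is safe both in element text and inside a quoted attribute.
    kw = html.escape(_keyword(query_string), quote=True)
    return ('<p>Results for: %s</p>'
            '<input type="text" name="keyword" value="%s">' % (kw, kw))


def reflects_markup(rendered, markup="<b>"):
    """Check a tester can run against a response: did the raw tag survive?"""
    return markup in rendered


if __name__ == "__main__":
    qs = "action=search&keyword=%3Cb%3Ehi%3C%2Fb%3E"  # constructed request
    print(render_vulnerable(qs))
    print(render_fixed(qs))
```

Two details matter in practice. Escaping is applied to the decoded value, after URL decoding, so a double-encoded payload cannot slip past it; and the response should declare its character set (the Nucleus entry concerns the EUC-JP edition and Internet Explorer), because a browser left to guess the encoding may interpret bytes differently from the code that escaped them.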

Microsoft Windows Vista Page Fault Handling Denial of Service
Oct 6, 2008 1:49AM PDT

Release Date: 2008-10-06

Critical: Not critical
Impact: DoS

Where: Local system
Solution Status: Unpatched

OS: Microsoft Windows Vista

Description:
Defsanguje has discovered a vulnerability in Microsoft Windows Vista, which can be exploited by malicious, local users to cause a DoS (Denial of Service).

The vulnerability is caused due to an error in the handling of page faults caused by repeated attempts to access a virtual address from a "PAGE_NOACCESS" memory page and can be exploited to cause a system crash.

The vulnerability is confirmed on a fully patched Microsoft Windows Vista system.

Solution:
Restrict local access to trusted users only.

Provided and/or discovered by:
Defsanguje

Original Advisory:
http://milw0rm.com/exploits/6671

RPortal CMS "file_op" File Inclusion Vulnerability
Oct 6, 2008 1:50AM PDT

Release Date: 2008-10-06

Critical: Highly critical
Impact: System access

Where: From remote
Solution Status: Vendor Patch

Software: RPortal CMS 1.x

Description:
Kad has discovered a vulnerability in RPortal, which can be exploited by malicious people to compromise a vulnerable system.

Input passed to the "file_op" parameter in index.php is not properly verified before being used to include files. This can be exploited to include arbitrary files from local or external resources.

The vulnerability has been confirmed in version 1.1. Prior versions may also be affected.

Solution:
Update to version 1.1.1.

Provided and/or discovered by:
Kad

Original Advisory:
http://milw0rm.com/exploits/6648
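
The file-inclusion defect behind the JMweb ("src") and RPortal ("file_op") entries above, an include parameter "not properly verified before being used to include files", with two ways of closing it, as an added Python example standing in for the PHP scripts; it is not code from either project. The allowlist entries, base directory and sample parameter values are constructed for the demo.

```python
"""Added example, not code from JMweb or RPortal: an include parameter
used as a path lets a request pull in files outside the intended
directory.  Fix 1 maps the parameter through a fixed allowlist; fix 2
confines the resolved path to the base directory.  Names are constructed."""
import os

# Constructed: the only pages this script is ever meant to include.
ALLOWED_PAGES = {
    "listen": "pages/listen.php",
    "download": "pages/download.php",
}


def resolve_vulnerable(base_dir, file_op):
    # Defect: the request parameter is used as a path.  os.path.join drops
    # base_dir entirely when the parameter is absolute, and "../" walks out
    # of it; a remote-include-capable runtime would also fetch URL values.
    return os.path.normpath(os.path.join(base_dir, file_op))


def resolve_allowlisted(base_dir, file_op):
    # Fix 1: the parameter is a key, never a path.  Unknown keys are refused.
    rel = ALLOWED_PAGES.get(file_op)
    return None if rel is None else os.path.join(base_dir, rel)


def resolve_confined(base_dir, file_op):
    # Fix 2 (when an allowlist is impractical): refuse URL-like values,
    # resolve symlinks and "..", then require the result to stay under
    # base_dir.  Returns None for anything that escapes.
    if "://" in file_op:
        return None
    base = os.path.realpath(base_dir)
    target = os.path.realpath(os.path.join(base, file_op))
    if os.path.commonpath([base, target]) != base:
        return None
    return target


if __name__ == "__main__":
    for value in ("listen", "../../private/config.txt", "/private/config.txt",
                  "http://example.invalid/page.txt"):  # constructed inputs
        print(value, "->", resolve_vulnerable("/srv/app", value),
              resolve_allowlisted("/srv/app", value),
              resolve_confined("/srv/app", value))
```

The allowlist is the stronger fix because it never treats attacker-controlled text as a path at all; the containment check is the fallback for scripts whose include set is genuinely dynamic, and it must run on the fully resolved path, not on the raw string, or a symlink inside the base directory defeats it.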

PHP-Fusion Recepies Module "kat_id" SQL Injection
Oct 6, 2008 1:51AM PDT

Release Date: 2008-10-06

Critical: Moderately critical
Impact: Manipulation of data, Exposure of sensitive information

Where: From remote
Solution Status: Unpatched

Software: Recepies 1.x (module for PHP-Fusion)

Description:
boom3rang has discovered a vulnerability in the Recepies (Recept) module for PHP-Fusion, which can be exploited by malicious people to conduct SQL injection attacks.

Input passed to the "kat_id" parameter in recept.php is not properly sanitised before being used in SQL queries. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code.

Successful exploitation allows e.g. retrieval of administrator usernames, password hashes, and e-mail addresses, but requires knowledge of the database table prefix and that "magic_quotes_gpc" is disabled.

The vulnerability is confirmed in version 1.1. Other versions may also be affected.

Solution:
Edit the source code to ensure that input is properly sanitised.

Provided and/or discovered by:
boom3rang

Original Advisory:
http://milw0rm.com/exploits/6683
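
The defect the AdaptCMS, AmpJuke and PHP-Fusion Recepies entries above share, a request parameter "not properly sanitised before being used in SQL queries", beside the parameterised fix, as an added Python example against an in-memory SQLite database; it is not code from any of those projects. The parameter name "user_name" is taken from the AdaptCMS entry; the table, columns and sample rows are constructed for the demo.

```python
"""Added example, not code from AdaptCMS, AmpJuke or the Recepies module:
string-built SQL beside a bound-parameter query, run against constructed
sample data so the difference in behaviour is visible."""
import sqlite3

# Constructed sample rows standing in for a CMS user table.
SAMPLE_USERS = [
    ("admin", "hash-of-admin-pw", "admin@example.invalid"),
    ("alice", "hash-of-alice-pw", "alice@example.invalid"),
]


def make_db():
    """Create the in-memory table the two lookups run against."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (user_name TEXT, pw_hash TEXT, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", SAMPLE_USERS)
    return conn


def check_user_vulnerable(conn, user_name):
    # Defect: the request parameter is spliced into the SQL text, so a quote
    # in the input ends the literal and the rest is parsed as SQL.
    sql = "SELECT user_name, email FROM users WHERE user_name = '%s'" % user_name
    return conn.execute(sql).fetchall()


def check_user_fixed(conn, user_name):
    # Fix: the SQL text is constant and the input travels as a bound value,
    # so it is compared as data and can never change the query's structure.
    sql = "SELECT user_name, email FROM users WHERE user_name = ?"
    return conn.execute(sql, (user_name,)).fetchall()


if __name__ == "__main__":
    db = make_db()
    probe = "x' OR '1'='1"  # constructed input carrying a quote
    print(check_user_vulnerable(db, probe))  # every row comes back
    print(check_user_fixed(db, probe))       # no user has that literal name
```

The PHP-Fusion entry notes that exploitation needs "magic_quotes_gpc" disabled; that setting only backslash-escapes quotes on the way in and is not a substitute for parameter binding, which works regardless of what the input contains.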

Novell Releases eDirectory Version 8.7.3 SP10 FTF1
Oct 6, 2008 2:14AM PDT

added October 6, 2008 at 07:58 am

Novell has released eDirectory 8.7.3 SP10 FTF1 to address multiple vulnerabilities. These vulnerabilities may allow an attacker to execute arbitrary code or cause a denial-of-service condition on the affected system.

US-CERT encourages users to review Novell document 3477912 and apply any necessary patches to help mitigate the risks.

http://www.us-cert.gov/current/current_activity.html#novell_releases_edirectory_version_8

VMware Security Advisory VMSA-2008-0016
Oct 6, 2008 2:15AM PDT

added October 6, 2008 at 09:14 am

VMware has released Security Advisory VMSA-2008-0016 to address multiple vulnerabilities. These vulnerabilities affect VMware hosted products, VirtualCenter, ESX, and ESXi. Exploitation of these vulnerabilities may allow an attacker to operate with escalated privileges in a guest operating system, obtain sensitive information, bypass security restrictions, or cause a denial-of-service condition.

More: http://www.us-cert.gov/current/current_activity.html#vmware_security_advisory_vmsa_2008

Update for Apple TV closes critical holes
Oct 6, 2008 6:50AM PDT

6 October 2008

Apple has released an Apple TV 2.2 update, which also fixes three vulnerabilities in the Apple TV living room iTunes client and streaming media box. Two critical holes can be exploited to inject and execute code on the box. They are based on incorrect processing of STSZ and other atoms in manipulated films. In this context, the term "atom" refers to a container that can contain descriptions or data.

More: http://www.heise-online.co.uk/security/Update-for-Apple-TV-closes-critical-holes--/news/111670

Novell eDirectory advisory
Oct 6, 2008 2:48PM PDT

Published: 2008-10-06
Last Updated: 2008-10-07 00:08:02 UTC
by Jim Clausing (Version: 1)

Novell released an update to eDirectory last week and this morning US-CERT recommends updating as soon as possible. To quote the advisory, "US-CERT encourages users to review Novell document 3477912 and apply any necessary patches to help mitigate the risks." Thanks, Roseman, for alerting us to this one.

References:

http://www.us-cert.gov/current/current_activity.html#novell_releases_edirectory_version_8

More: http://isc.sans.org/