VULNERABILITIES \ FIXES - October 8, 2008

Oct 8, 2008 12:50AM PDT

Red Hat update for condor

Release Date: 2008-10-08

Critical:
Moderately critical
Impact: Security Bypass
DoS
System access

Where: From remote
Solution Status: Vendor Patch


Software: Red Hat Enterprise MRG v1 for Enterprise Linux AS (version 4)
Red Hat Enterprise MRG v1 for Enterprise Linux ES (version 4)
Red Hat Enterprise MRG v1 for Red Hat Enterprise Linux (version 5)


Description:
Red Hat has issued an update for condor. This fixes some vulnerabilities, which can be exploited by malicious users to bypass certain security restrictions, cause a DoS (Denial of Service), and potentially compromise a vulnerable system, and by malicious people to bypass certain security restrictions.

Solution:
Updated packages are available via Red Hat Network.
http://rhn.redhat.com

Original Advisory:
RHSA-2008-0924:
https://rhn.redhat.com/errata/RHSA-2008-0924.html

RHSA-2008-0911:
https://rhn.redhat.com/errata/RHSA-2008-0911.html

Other References:
SA32189
http://secunia.com/advisories/32189/

Red Hat update for kernel
Oct 8, 2008 12:51AM PDT

Release Date: 2008-10-08

Critical:
Moderately critical
Impact: Exposure of sensitive information
DoS

Where: From remote
Solution Status: Vendor Patch


Software: Red Hat Enterprise MRG v1 for Red Hat Enterprise Linux (version 5)

Description:
Red Hat has issued an update for the kernel. This fixes some vulnerabilities, which can be exploited by malicious, local users to disclose potentially sensitive information and cause a DoS (Denial of Service) and malicious people to cause a DoS.

Solution:
Updated packages are available via Red Hat Network.

Original Advisory:
RHSA-2008-0857:
https://rhn.redhat.com/errata/RHSA-2008-0857.html

Other References:
SA31366:
http://secunia.com/advisories/31366/

SA31509:
http://secunia.com/advisories/31509/

Condor Multiple Vulnerabilities
Oct 8, 2008 12:53AM PDT

Release Date: 2008-10-08

Critical:
Moderately critical
Impact: Security Bypass
DoS
System access

Where: From remote
Solution Status: Vendor Patch


Software: Condor 7.x

Description:
Some vulnerabilities have been reported in Condor, which can be exploited by malicious users to bypass certain security restrictions, cause a DoS (Denial of Service), and potentially compromise a vulnerable system, and by malicious people to bypass certain security restrictions.

Solution:
Update to version 7.0.5.

Provided and/or discovered by:
Reported by the vendor.

Original Advisory:
Condor 7.0.5 Release Notes:
http://www.cs.wisc.edu/condor/manual/...ease.html#SECTION00931000000000000000

Gentoo update for wordnet
Oct 8, 2008 12:54AM PDT

Release Date: 2008-10-08

Critical:
Moderately critical
Impact: Privilege escalation
DoS
System access

Where: From remote
Solution Status: Vendor Patch


OS: Gentoo Linux 1.x

Description:
Gentoo has issued an update for wordnet. This fixes some vulnerabilities, which can potentially be exploited by malicious, local users to gain escalated privileges, and by malicious people to compromise a vulnerable system.

Solution:
Update to "app-dicts/wordnet-3.0-r2" or later.

Original Advisory:
GLSA-200810-01:
http://www.gentoo.org/security/en/glsa/glsa-200810-01.xml

Other References:
SA30242:
http://secunia.com/advisories/30242/

Opera Multiple Vulnerabilities
Oct 8, 2008 12:56AM PDT

Release Date: 2008-10-08

Critical:
Highly critical
Impact: Security Bypass
Exposure of system information
Exposure of sensitive information
DoS
System access

Where: From remote
Solution Status: Vendor Patch


Software: Opera 5.x
Opera 6.x
Opera 7.x
Opera 8.x
Opera 9.x

Description:
Some vulnerabilities have been reported in Opera, which can be exploited by malicious people to bypass certain security restrictions, disclose potentially sensitive information, or potentially compromise a user's system.

Solution:
Update to version 9.6.
http://www.opera.com/download/

Provided and/or discovered by:
The vendor credits:
1) Chris of Matasano Security
2) Nate McFeters

Original Advisory:
http://www.opera.com/support/search/view/901/
http://www.opera.com/support/search/view/902/

FreeRADIUS "dialup_admin" Insecure Temporary Files
Oct 8, 2008 12:57AM PDT

Release Date: 2008-10-08

Critical:
Less critical
Impact: Privilege escalation

Where: Local system
Solution Status: Unpatched


Software: FreeRADIUS 1.x
FreeRADIUS 2.x

Description:
Some vulnerabilities have been reported in FreeRADIUS, which can be exploited by malicious, local users to perform certain actions with escalated privileges.

The vulnerabilities are caused due to the "dialup_admin/bin/backup_radacct", "dialup_admin/bin/clean_radacct", "dialup_admin/bin/monthly_tot_stats", "dialup_admin/bin/tot_stats", and "dialup_admin/bin/truncate_radacct" scripts handling temporary files in an insecure manner. These can be exploited via symlink attacks to e.g. overwrite arbitrary files with escalated privileges.

The vulnerabilities are reported in version 2.0.4. Other versions may also be affected.

Solution:
Restrict local access to trusted users only.

Provided and/or discovered by:
Reported by Dmitry E. Oboukhov in a Debian bug report.

Original Advisory:
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=496389
http://uvw.ru/report.lenny.txt
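
The class of bug described above, as an added example that is not part of the original post and is not FreeRADIUS code: a constructed script that writes to a guessable temporary file name, beside the `mktemp` form that avoids the problem. The file name `radacct.tmp` and all function names are assumptions made for illustration.

```shell
#!/bin/sh
# Added illustration. These functions are hypothetical and are not taken
# from the dialup_admin scripts named in the advisory.

# Weak pattern: a fixed, guessable name in a directory other users can
# write to. The ">" redirection follows whatever already exists at that
# path, including a symbolic link planted by another local user.
write_unsafe() {
    dir=$1; data=$2
    printf '%s\n' "$data" > "$dir/radacct.tmp"
}

# Hardened pattern: mktemp creates a new file with an unpredictable name,
# exclusively (it fails instead of reusing an existing path) and with
# mode 0600, so a pre-planted link is never opened.
write_safe() {
    dir=$1; data=$2
    tmp=$(mktemp "$dir/radacct.XXXXXXXXXX") || return 1
    printf '%s\n' "$data" > "$tmp"
    printf '%s\n' "$tmp"      # caller gets the path and removes it later
}

# Constructed demo inside a private sandbox directory. "protected" stands
# in for a file that only the privileged script should be able to change.
# Prints the content of "protected" after the chosen writer has run.
demo() {
    mode=$1
    box=$(mktemp -d) || return 1
    printf 'original\n' > "$box/protected"
    mkdir "$box/shared"
    ln -s "$box/protected" "$box/shared/radacct.tmp"
    if [ "$mode" = unsafe ]; then
        write_unsafe "$box/shared" "accounting dump"
    else
        write_safe "$box/shared" "accounting dump" > /dev/null
    fi
    result=$(cat "$box/protected")
    rm -rf "$box"
    printf '%s\n' "$result"
}
```

When auditing scripts that run with elevated privileges, a search for redirections into fixed paths under shared directories such as `/tmp` finds this pattern quickly.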

Adobe Flash Player "Clickjacking" Security Bypass Vulnerabi
Oct 8, 2008 12:58AM PDT

Release Date: 2008-10-08

Critical:
Less critical
Impact: Security Bypass
Exposure of sensitive information

Where: From remote
Solution Status: Vendor Workaround


Software: Adobe Flash Player 9.x

Description:
A vulnerability has been reported in Adobe Flash Player, which can be exploited by malicious people to bypass certain security restrictions and disclose potentially sensitive information.

The vulnerability is caused due to a design error and can be exploited to e.g. gain access to the system's camera and microphone by tricking the user into clicking Flash Player access control dialogs disguised as normal graphical elements.

The vulnerability is reported in version 9.0.124.0. Other versions may also be affected.

Solution:
The vendor recommends disabling Flash Player camera and microphone interactions. Please see the vendor's advisory for more information.

Provided and/or discovered by:
The vendor credits Robert Hansen of SecTheory, Jeremiah Grossman of WhiteHat Security, Eduardo Vela, Matthew Mastracci of DotSpots, and Liu Die Yu.

Original Advisory:
http://www.adobe.com/support/security/advisories/apsa08-08.html
http://blogs.adobe.com/psirt/2008/10/clickjacking_security_advisory.html

PHP Realtor "v_cat" SQL Injection Vulnerability
Oct 8, 2008 1:00AM PDT

Release Date: 2008-10-08

Critical:
Moderately critical
Impact: Manipulation of data
Exposure of sensitive information

Where: From remote
Solution Status: Unpatched


Software: PHP Realtor 1.x



Description:
Mr.SQL has discovered a vulnerability in PHP Realtor, which can be exploited by malicious people to conduct SQL injection attacks.

Input passed to the "v_cat" parameter in view_cat.php is not properly sanitised before being used in SQL queries. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code.

Successful exploitation allows e.g. retrieval of administrator usernames and password hashes.

The vulnerability is confirmed in version 1.5.0 ionCube PHP5 trial edition. Other versions may also be affected.

Solution:
Filter malicious characters and character sequences in a web proxy.

Provided and/or discovered by:
Mr.SQL

Original Advisory:
http://milw0rm.com/exploits/6694

PHP Auto Dealer "v_cat" SQL Injection Vulnerability
Oct 8, 2008 1:01AM PDT

Release Date: 2008-10-08

Critical:
Moderately critical
Impact: Manipulation of data
Exposure of sensitive information

Where: From remote
Solution Status: Unpatched


Software: PHP Auto Dealer 2.x

Description:
Mr.SQL has reported a vulnerability in PHP Auto Dealer, which can be exploited by malicious people to conduct SQL injection attacks.

Input passed to the "v_cat" parameter in view_cat.php is not properly sanitised before being used in SQL queries. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code.

This vulnerability is reported in version 2.7. Other versions may also be affected.

Solution:
Edit the source code to ensure that input is properly sanitised.

Provided and/or discovered by:
Mr.SQL

Other References:
http://milw0rm.com/exploits/6695

PHP Autos "catid" SQL Injection Vulnerability
Oct 8, 2008 1:02AM PDT

Release Date: 2008-10-08

Critical:
Moderately critical
Impact: Manipulation of data
Exposure of sensitive information

Where: From remote
Solution Status: Unpatched


Software: PHP Autos 2.x

Description:
Mr.SQL has reported a vulnerability in PHP Autos, which can be exploited by malicious people to conduct SQL injection attacks.

Input passed to the "catid" parameter in searchresults.php is not properly sanitised before being used in SQL queries. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code.

This vulnerability is reported in version 2.9.1. Other versions may also be affected.

Solution:
Edit the source code to ensure that input is properly sanitised.

Provided and/or discovered by:
Mr.SQL

Other References:
http://milw0rm.com/exploits/6696

TorrentTrader Classic "completed-advance.php" SQL Injection
Oct 8, 2008 1:04AM PDT

Release Date: 2008-10-08

Critical:
Less critical
Impact: Manipulation of data

Where: From remote
Solution Status: Unpatched


Software: TorrentTrader 1.x

Description:
BazOka-HaCkEr has discovered a vulnerability in TorrentTrader Classic, which can be exploited by malicious users to conduct SQL injection attacks.

Input passed to the "id" parameter in completed-advance.php is not properly sanitised before being used in SQL queries. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code.

Successful exploitation requires valid user credentials.

The vulnerability is confirmed in version 1.08 and reported in version 1.04. Other versions may also be affected.

Solution:
Edit the source code to ensure that input is properly sanitised.

Provided and/or discovered by:
BazOka-HaCkEr

Original Advisory:
http://milw0rm.com/exploits/6698

Yerba SACphp Multiple Vulnerabilities
Oct 8, 2008 1:05AM PDT

Release Date: 2008-10-08

Critical:
Moderately critical
Impact: Security Bypass
Exposure of sensitive information

Where: From remote
Solution Status: Unpatched


Software: Yerba SACphp 6.x

Description:
Some vulnerabilities have been discovered in Yerba SACphp, which can be exploited by malicious people to disclose sensitive information or bypass certain security restrictions.

These vulnerabilities are confirmed in version 6.3. Other versions may also be affected.

Solution:
Edit the source code to ensure that input is properly verified and implement proper access restrictions.

Provided and/or discovered by:
1) Pepelux
2, 3) StAkeR

Original Advisory:
http://milw0rm.com/exploits/6687
http://milw0rm.com/exploits/6691

Hero DVD Player M3U Processing Buffer Overflow Vulnerability
Oct 8, 2008 1:07AM PDT

Release Date: 2008-10-08

Critical:
Moderately critical
Impact: System access

Where: From remote
Solution Status: Unpatched


Software: Hero DVD player 3.x

Description:
Parvez Anwar has discovered a vulnerability in Hero DVD Player, which can be exploited by malicious people to compromise a user's system.

The vulnerability is caused due to a boundary error within the included Mplayer.exe binary when processing M3U files. This can be exploited to cause a heap-based buffer overflow via an M3U file containing an overly long entry.

Successful exploitation allows execution of arbitrary code, but requires that the user is tricked into loading a malicious M3U file.

The vulnerability is confirmed in version 3.0.8. Other versions may also be affected.

Solution:
Do not open untrusted M3U files using the application.

Provided and/or discovered by:
Parvez Anwar

Opera 9.6 is out
Oct 8, 2008 1:51AM PDT

8 October 2008

Better email and smoother surfing with Opera 9.6
Two weeks after the beta version, Norwegian browser developer Opera has released version 9.6 of its eponymous free web browser.

The most notable improvements are in the M2 email client. This now has better threading and a special low-bandwidth mode for those on narrowband connections. In IMAP mode, M2 only retrieves email headers; the body text is only fetched upon request. For POP3 accounts, it only fetches the first 100 lines of a message automatically.

More: http://www.heise-online.co.uk/security/Better-email-and-smoother-surfing-with-Opera-9-6--/news/111684

Opera Software Releases Opera Version 9.60
Oct 8, 2008 1:58AM PDT

added October 8, 2008 at 11:10 am

Opera Software has released Opera version 9.60 to address two vulnerabilities. The first vulnerability is due to improper validation of URLs. Exploitation of this vulnerability may allow an attacker to execute arbitrary code or cause a denial-of-service condition. The second vulnerability is due to unsafe storage of cached Java applets. Exploitation of this vulnerability may allow an attacker to obtain sensitive information or escape other normal restrictions.

More: http://www.us-cert.gov/current/current_activity.html#opera_releases_version_9_6

Domaincontrol (GoDaddy) Nameservers DNS Poisoning
Oct 8, 2008 1:53AM PDT

Published: 2008-10-08
Last Updated: 2008-10-08 15:49:32 UTC
by Johannes Ullrich (Version: 1)

Some name servers hosted by Godaddy deliver somewhat odd results, similar to what you would expect to see as a result of a DNS hijacking attack. Any query to ns51.domaincontrol.com and ns52.domaincontrol.com returns the same IP address (68.178.232.99) and additional information making these two domain servers authoritative for .com or .org respectively.

More: http://isc.sans.org/

Multiple Web Browsers Affected by Clickjacking
Oct 8, 2008 1:57AM PDT

updated October 8, 2008 at 09:27 am

US-CERT is aware of public reports of a new cross-browser exploit technique called "clickjacking." According to one of the reports, clickjacking gives an attacker the ability to trick a user into clicking on something only barely or momentarily noticeable. Therefore, if a user clicks on a web page, they may actually be clicking on content from another page. A separate report indicates that this flaw affects most web browsers and that no fix is available, but that disabling browser scripting and plug-ins may help mitigate some of the risks.

More: http://www.us-cert.gov/current/current_activity.html#multiple_web_browsers_affected_by

OT - Symantec snaps up MessageLabs
Oct 8, 2008 2:00AM PDT

Security giant extends online services

Written by Ian Williams

vnunet.com, 08 Oct 2008

Anti-virus firm Symantec has announced plans to acquire messaging and web security company MessageLabs for nearly $700m (

Cisco Releases Advisory for Cisco Unity
Oct 8, 2008 7:42AM PDT

added October 8, 2008 at 02:37 pm

Cisco Security Advisory cisco-sa-20081008-unity was released to address a vulnerability in Cisco Unity, a voice and unified messaging platform. This vulnerability may allow an attacker to view and alter configuration parameters of the Cisco Unity server.

US-CERT encourages users to do the following:


Review Cisco Security Advisory cisco-sa-20081008-unity
Apply software updates and workaround provided by Cisco

http://www.us-cert.gov/current/current_activity.html#cisco_releases_advisory_for_cisco