Spyware, Viruses, & Security forum

VULNERABILITIES \ FIXES - September 24, 2007

by Marianna Schmudlach / September 24, 2007 1:14 AM PDT

ImageMagick Multiple Vulnerabilities

Secunia Advisory: SA26926
Release Date: 2007-09-24

Critical: Highly critical
Impact: DoS, System access
Where: From remote
Solution Status: Vendor Patch
Software: ImageMagick 5.x, ImageMagick 6.x

Description:
Some vulnerabilities have been reported in ImageMagick, which can be exploited by malicious people to conduct DoS (Denial of Service) attacks or compromise a user's system.

1) Some integer overflow errors exist within the "AllocateImageColormap()", "ReadDCMImage()", "ReadDIBImage()", and "ReadXBMImage()" functions when processing image files. These can be exploited to cause heap-based buffer overflows via specially crafted image files.

2) An off-by-one error exists within the "ReadBlobString()" function in magick/blob.c when processing image files. This can be exploited to cause a one-byte buffer overflow via a specially crafted image file.

3) A sign extension error exists within the "ReadDIBImage()" function when processing image files. This can be exploited to cause a heap-based buffer overflow when processing specially crafted DIB files.

Successful exploitation of the vulnerabilities allows execution of arbitrary code.

4) Some errors within the "ReadDCMImage()" and "ReadXCFImage()" functions can be exploited to cause the execution of infinite loops via specially crafted DCM or XCF files.

The vulnerabilities are reported in versions prior to 6.3.5-9.

Solution:
Update to version 6.3.5-9.
http://www.imagemagick.org/script/download.php

Provided and/or discovered by:
Discovered by regenrecht and reported via iDefense.

Original Advisory:
ImageMagick:
http://studio.imagemagick.org/piperma...k-announce/2007-September/000037.html
http://www.imagemagick.org/script/changelog.php

iDefense:
1) http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=594
2) http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=595
3) http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=597
4) http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=596
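Items 1 and 2 of the ImageMagick advisory above describe two classic decoder bug classes: an allocation size that wraps when a header-supplied count is multiplied by the entry size, and a string reader that writes its terminator one byte past the buffer. The C code below is an added illustration of the defensive checks that close both; it is not ImageMagick's code, and the Entry struct, the Blob type, the sanity limit and the sample data are constructed for this example.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical 16-byte colormap entry standing in for a decoder's pixel
   record; the struct and limits here are constructed for this example. */
typedef struct { uint16_t red, green, blue, opacity; uint64_t pad; } Entry;

/* Item 1: check an untrusted colormap size before multiplying by the entry
   size; if colors * sizeof(Entry) wraps, malloc returns a tiny buffer. */
int colormap_request_ok(size_t colors, size_t max_colors) {
    if (colors == 0 || colors > max_colors)
        return 0;                             /* sanity limit */
    if (colors > SIZE_MAX / sizeof(Entry))
        return 0;                             /* multiply would wrap */
    return 1;
}

Entry *allocate_colormap(size_t colors, size_t max_colors) {
    if (!colormap_request_ok(colors, max_colors))
        return NULL;
    return (Entry *)calloc(colors, sizeof(Entry));
}

/* Item 2: bounded line read from an in-memory blob. The loop stops at
   bufsize - 1 so the terminating NUL never lands one byte past the buffer. */
typedef struct { const unsigned char *data; size_t len, pos; } Blob;

size_t read_blob_string(Blob *b, char *buf, size_t bufsize) {
    size_t n = 0;
    if (bufsize == 0) return 0;
    while (n + 1 < bufsize && b->pos < b->len) { /* keep one slot for '\0' */
        unsigned char c = b->data[b->pos++];
        if (c == '\n') break;
        buf[n++] = (char)c;
    }
    buf[n] = '\0';
    return n;
}

/* Reads from a constructed blob into a 4-byte window; returns 1 when the line
   is truncated to 3 bytes and the guard byte past the window is untouched. */
int read_string_check(void) {
    static const unsigned char sample[] = "abcdefghij\nsecond"; /* constructed */
    Blob b = { sample, sizeof(sample) - 1, 0 };
    char buf[5];
    memset(buf, 'G', sizeof(buf));            /* buf[4] is the guard byte */
    size_t n = read_blob_string(&b, buf, 4);
    return n == 3 && strcmp(buf, "abc") == 0 && buf[4] == 'G';
}

int main(void) {
    Entry *map = allocate_colormap(256, 4096);
    printf("256 entries: %s\n", map ? "allocated" : "rejected");
    printf("huge request: %s\n", colormap_request_ok(SIZE_MAX / 8, SIZE_MAX) ? "accepted" : "rejected");
    printf("bounded read: %s\n", read_string_check() ? "ok" : "FAILED");
    free(map);
    return 0;
}
```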

NetSupport Manager Client Authentication Bypass Vulnerability
by Marianna Schmudlach / September 24, 2007 1:16 AM PDT

Secunia Advisory: SA26927
Release Date: 2007-09-24

Critical: Moderately critical
Impact: Security Bypass
Where: From local network
Solution Status: Vendor Patch
Software: NetSupport Manager 5.x, 6.x, 7.x, 8.x, 9.x, 10.x

Description:
A vulnerability has been reported in NetSupport Manager, which can be exploited by malicious people to bypass certain security restrictions.

The problem is that the NetSupport Manager client does not properly handle authentication sessions. This can be exploited to e.g. execute arbitrary commands on the target system.

The vulnerability affects NSM 5.00, NSM 5.01, NSM 5.02, NSM 5.02f1, NSM 5.03, NSM 5.05, NSM 5.30, NSM 5.31, NSM 6.00, NSM 6.10, NSM 6.11, NSM 7.01, NSM 7.10, NSM 8.00, NSM 8.10, NSM 9.00, NSM 8.50, NSM 8.60, NSM 9.10, NSM 9.50, NSM 9.60, NSM 10.00, and NSM 10.20 on Windows systems.

Solution:
Upgrade or update to version 10.20.0004.
https://download.netsupportsoftware.c...distdownload.asp?site=PCS&lang=UK

Provided and/or discovered by:
Digital Defense

Original Advisory:
NetSupport:
http://www.netsupportsoftware.com/support/td.asp?td=543

iziContents Multiple File Inclusion Vulnerabilities
by Marianna Schmudlach / September 24, 2007 1:17 AM PDT

Secunia Advisory: SA26931
Release Date: 2007-09-24

Critical: Highly critical
Impact: Exposure of sensitive information, System access
Where: From remote
Solution Status: Unpatched
Software: iziContents 1.x

Description:
irk4 has discovered some vulnerabilities in iziContents, which can be exploited by malicious people to disclose sensitive information or to compromise a vulnerable system.

1) Input passed to the "gsLanguage" parameter in modules/search/search.php, modules/poll/inlinepoll.php, modules/poll/showpoll.php, modules/links/showlinks.php, and modules/links/submit_links.php (when "language_home" is set to an empty string and "rootdp" is set to an arbitrary value) is not properly verified before being used to include files. This can be exploited to include arbitrary files from local and external resources.

Successful exploitation requires that "register_globals" is enabled.

2) Input passed to the "admin_home" parameter in modules/poll/poll_summary.php (when "rootdp" is set to an arbitrary value) and to the "rootdp" parameter in include/db.php is not properly verified before being used to include files. This can be exploited to include arbitrary files from local resources.

Successful exploitation requires that "register_globals" is enabled and "magic_quotes_gpc" is disabled.

The vulnerabilities are confirmed in version 1RC6. Other versions may also be affected.

Solution:
Edit the source code to ensure that input is properly verified.

Provided and/or discovered by:
irk4

Original Advisory:
http://milw0rm.com/exploits/4441

Gentoo update for jrockit-jdk-bin
by Marianna Schmudlach / September 24, 2007 1:19 AM PDT

Secunia Advisory: SA26933
Release Date: 2007-09-24

Critical: Highly critical
Impact: Security Bypass, Cross Site Scripting, DoS, System access
Where: From remote
Solution Status: Vendor Patch
OS: Gentoo Linux 1.x

Description:
Gentoo has issued an update for jrockit-jdk-bin. This fixes some vulnerabilities, which can be exploited by malicious people to bypass certain security restrictions, conduct cross-site scripting attacks, to cause a DoS (Denial of Service), or to compromise a vulnerable system.

For more information:
SA26631

Solution:
Update to "dev-java/jrockit-jdk-bin-1.5.0.11_p1" or later.

Original Advisory:
http://www.gentoo.org/security/en/glsa/glsa-200709-15.xml

Other References:
SA26631:
http://secunia.com/advisories/26631/

Linux Kernel ptrace Local Privilege Escalation Vulnerability
by Marianna Schmudlach / September 24, 2007 1:24 AM PDT
Barracuda Spam Firewall "Monitor Web Syslog" Script Insertion
by Marianna Schmudlach / September 24, 2007 1:31 AM PDT

Secunia Advisory: SA26937
Release Date: 2007-09-24

Critical: Less critical
Impact: Cross Site Scripting
Where: From remote
Solution Status: Vendor Patch
OS: Barracuda Spam Firewall

Description:
Federico Kirschbaum has reported a vulnerability in Barracuda Spam Firewall, which can be exploited by malicious people to conduct script insertion attacks.

Input passed via the username when logging in to the Web Administration Console is not properly sanitised before being displayed in the Monitor Web Syslog screen. This can be exploited to execute arbitrary HTML and script code in an administrative user's browser session in the context of the web administration interface.

Successful exploitation requires that the target user has opened the Monitor Web Syslog screen.

The vulnerability is reported in Barracuda Spam Firewall firmware 3.4.10.102. Other versions may also be affected.

Solution:
Update to firmware version 3.5.10.10.016.

Provided and/or discovered by:
Federico Kirschbaum

Original Advisory:
Barracuda Networks:
http://www.barracudanetworks.com/ns/support/tech_alert.php

Infobyte:
http://www.infobyte.com.ar/adv/ISR-15.html

Xcms "cpass.php" Authentication Bypass Vulnerability
by Marianna Schmudlach / September 24, 2007 1:33 AM PDT

Secunia Advisory: SA26941
Release Date: 2007-09-24

Critical: Moderately critical
Impact: Security Bypass
Where: From remote
Solution Status: Unpatched
Software: Xcms 1.x

Description:
x0kster has reported a vulnerability in Xcms, which can be exploited by malicious people to bypass certain security restrictions.

The vulnerability is caused due to improper authentication in admin/cpass.php and can be exploited to change the administrative password by sending a specially crafted POST request.

The vulnerability is reported in version 1.71. Other versions may also be affected.

Solution:
Edit the source code to disable the "update password" functionality in cpass.php.

Use another product.

Provided and/or discovered by:
x0kster

ChironFS File Creation Incorrect Ownership Vulnerability
by Marianna Schmudlach / September 24, 2007 1:34 AM PDT

Secunia Advisory: SA26943
Release Date: 2007-09-24

Critical: Less critical
Impact: Privilege escalation
Where: Local system
Solution Status: Vendor Patch
Software: ChironFS 1.x

Description:
A vulnerability has been reported in ChironFS, which can be exploited by malicious, local users to gain escalated privileges.

The vulnerability is caused due to ChironFS not correctly setting the file ownership if a user created files on a ChironFS file system that was mounted by another user, which can be exploited to e.g. gain escalated privileges by creating malicious files.

The vulnerability is reported in versions prior to 1.0 RC7.

Solution:
Update to version 1.0 RC7.

Provided and/or discovered by:
Neal Becker

Original Advisory:
http://code.google.com/p/chironfs/issues/detail?id=6
http://furquim.org/chironfs/Changelog.html

Balsa "ir_fetch_seq()" Buffer Overflow Vulnerability
by Marianna Schmudlach / September 24, 2007 1:35 AM PDT

Secunia Advisory: SA26947
Release Date: 2007-09-24

Critical: Less critical
Impact: DoS, System access
Where: From remote
Solution Status: Vendor Patch
Software: Balsa 2.x

Description:
A vulnerability has been reported in Balsa, which potentially can be exploited by malicious people to compromise a user's system.

The vulnerability is caused due to a boundary error within the "ir_fetch_seq()" function in libbalsa/imap/imap-handle.c when handling an overly long reply to the "FETCH" command. This can be exploited to cause a stack-based buffer overflow by tricking a user into connecting to a malicious IMAP server.

The vulnerability is reported in versions prior to 2.3.20.

Solution:
Update to version 2.3.20.

Provided and/or discovered by:
"Evil Ninja Squirrel"

Original Advisory:
http://bugzilla.gnome.org/show_bug.cgi?id=474366

Kaspersky AntiVirus klif.sys Hooked Functions Denial of Service
by Marianna Schmudlach / September 24, 2007 1:37 AM PDT

Secunia Advisory: SA26887
Release Date: 2007-09-24

Critical: Not critical
Impact: DoS
Where: Local system
Solution Status: Unpatched
Software: Kaspersky Anti-Virus 6.x, Kaspersky Anti-Virus 7.x, Kaspersky Internet Security 6.x, Kaspersky Internet Security 7.x

Description:
EP_X0FF has reported some vulnerabilities in Kaspersky AntiVirus, which can be exploited by malicious, local users to cause a DoS (Denial of Service).

The vulnerabilities are caused due to errors within klif.sys when handling the parameters of certain hooked functions. These can be exploited to cause a DoS by e.g. calling "NtCreateSection()", "NtUserSendInput()", "LoadLibraryA()", or other unknown SSDT entries with specially crafted parameters.

The vulnerabilities are reported in version 7.0 build 125. Other versions may also be affected.

Solution:
The vendor is reportedly working on an update to be released November 2007.

Provided and/or discovered by:
EP_X0FF

Original Advisory:
Kaspersky:
http://www.kaspersky.com/technews?id=203038706

rootkit.com:
http://www.rootkit.com/newsread.php?newsid=778

Mandriva update for php
by Marianna Schmudlach / September 24, 2007 1:38 AM PDT

Secunia Advisory: SA26895
Release Date: 2007-09-24

Critical: Moderately critical
Impact: Unknown, Security Bypass, Brute force, Exposure of sensitive information, Privilege escalation, DoS
Where: From remote
Solution Status: Vendor Patch
OS: Mandriva Linux 2007

Description:
Mandriva has issued an update for php. This fixes some vulnerabilities, where some have unknown impacts and others can be exploited by malicious, local users to bypass certain security restrictions, malicious users to bypass certain security restrictions, gain escalated privileges, disclose potentially sensitive information, or cause a DoS (Denial of Service), and by malicious people to bypass certain security restrictions and cause a DoS.

For more information:
SA24089
SA25123
SA25306
SA25378
SA25456
SA26642

Solution:
Apply updated packages.

Original Advisory:
http://www.mandriva.com/security/advisories?name=MDKSA-2007:187

Other References:
SA24089:
http://secunia.com/advisories/24089/

SA25123:
http://secunia.com/advisories/25123/

SA25306:
http://secunia.com/advisories/25306/

SA25378:
http://secunia.com/advisories/25378/

SA25456:
http://secunia.com/advisories/25456/

SA26642:
http://secunia.com/advisories/26642/

Wordsmith "_path" File Inclusion Vulnerability
by Marianna Schmudlach / September 24, 2007 1:40 AM PDT

Secunia Advisory: SA26924
Release Date: 2007-09-24

Critical: Highly critical
Impact: Exposure of system information, Exposure of sensitive information, System access
Where: From remote
Solution Status: Unpatched
Software: Wordsmith 1.x

Description:
ShockShadow has reported a vulnerability in Wordsmith, which can be exploited by malicious people to disclose sensitive information or to compromise a vulnerable system.

Input passed to the "_path" parameter in config.inc.php is not properly verified before being used to include files. This can be exploited to include arbitrary files from local or external resources.

Successful exploitation requires that "register_globals" is enabled.

The vulnerability is reported in version 1.0. Other versions may also be affected.

Solution:
Edit the source code to ensure that input is properly verified.

Provided and/or discovered by:
ShockShadow

Original Advisory:
http://milw0rm.com/exploits/4446

HP TCP/IP Services for OpenVMS BIND Vulnerability
by Marianna Schmudlach / September 24, 2007 1:41 AM PDT

Secunia Advisory: SA26925
Release Date: 2007-09-24

Critical: Moderately critical
Impact: Spoofing
Where: From remote
Solution Status: Vendor Patch
Software: HP TCP/IP Services for OpenVMS 5.x

Description:
HP has acknowledged a vulnerability in HP OpenVMS, which can be exploited by malicious people to poison the DNS cache.

For more information:
SA26152

The vulnerability affects the following software versions when running BIND 9.2.1 or BIND 9.3.1:
* HP TCP/IP Services for OpenVMS Alpha 5.4
* HP TCP/IP Services for OpenVMS Alpha 5.5
* HP TCP/IP Services for OpenVMS Alpha 5.6
* HP TCP/IP Services for OpenVMS I64 5.5
* HP TCP/IP Services for OpenVMS I64 5.6

Solution:
The vendor recommends obtaining and installing the patches via the standard HP support channels through the HP Customer Support Center until updates are available in the mainstream product release.

* TCPIP for OpenVMS V5.4 ECO7: (planned for release in HP-Q1FY08)
* TCPIP for OpenVMS V5.5 ECO3: (not yet scheduled for release)
* TCPIP for OpenVMS V5.6 ECO3: (not yet scheduled for release)

Original Advisory:
https://www4.itrc.hp.com/service/cki/docDisplay.do?docId=c01174368

Other References:
SA26152:
http://secunia.com/advisories/26152/

Helplink "file" File Inclusion Vulnerability
by Marianna Schmudlach / September 24, 2007 9:14 AM PDT

TITLE:
Helplink "file" File Inclusion Vulnerability

SECUNIA ADVISORY ID:
SA26910

VERIFY ADVISORY:
http://secunia.com/advisories/26910/

CRITICAL:
Highly critical

IMPACT:
Exposure of system information, Exposure of sensitive information,
System access

WHERE:
From remote

SOFTWARE:
Helplink 0.x
http://secunia.com/product/15804/

DESCRIPTION:
Mahmood_ali has discovered a vulnerability in Helplink, which can be
exploited by malicious people to disclose sensitive information or to
compromise a vulnerable system.

Input passed to the "file" parameter in show.php is not properly
verified before being used to include files. This can be exploited to
include arbitrary files from local or external resources.

The vulnerability is confirmed in version 0.1.0. Other versions may
also be affected.

SOLUTION:
Edit the source code to ensure that input is properly verified.

PROVIDED AND/OR DISCOVERED BY:
Mahmood_ali

ORIGINAL ADVISORY:
http://milw0rm.com/exploits/4448

Webmin Unspecified Command Execution Vulnerability
by Marianna Schmudlach / September 24, 2007 9:15 AM PDT

TITLE:
Webmin Unspecified Command Execution Vulnerability

SECUNIA ADVISORY ID:
SA26885

VERIFY ADVISORY:
http://secunia.com/advisories/26885/

CRITICAL:
Less critical

IMPACT:
Privilege escalation

WHERE:
From remote

SOFTWARE:
Webmin 1.x
http://secunia.com/product/1115/

DESCRIPTION:
A vulnerability has been reported in Webmin, which can be exploited
by malicious users to gain escalated privileges.

The vulnerability is caused due to an unspecified error and can be
exploited to execute arbitrary commands by requesting a specially
crafted URL.

Successful exploitation requires valid user credentials and that
Webmin is running on a Windows system.

The vulnerability is reported in versions prior to 1.370.

SOLUTION:
Update to version 1.370.

PROVIDED AND/OR DISCOVERED BY:
Reported by the vendor.

ORIGINAL ADVISORY:
http://www.webmin.com/security.html
