VULNERABILITIES - March 5, 2007

webSPELL PHP Code Execution (Exploit)

"webSPELL is a free Content Management System (CMS) for clans and gaming communities, providing all needed features like forums, gallery, clanwar system and co."

There is a PHP code execution vulnerability in webSPELL.

Vulnerable Systems:
* webSPELL versions 4.01.02 and prior.


Credit:
The information has been provided by milw0rm.
The original article can be found at:
http://www.milw0rm.com/exploits/3402

Comments
- Collapse -
TurboFTP Multiple DoS (Exploit)

TurboFTP is "a secure FTP client program (supports FTP over SSL/TLS and SFTP over SSH2) for Windows 9x/ME/NT4/2000/XP/2003". Multiple vulnerabilities in TurboFTP allow remote attackers to cause the FTP client to crash.

Credit:
The information has been provided by Marsu.
The original article can be found at: http://www.milw0rm.com/exploits/3341

- Collapse -
FTP Voyager CWD Stack Overflow (Exploit)

FTP Voyager is "the most powerful FTP client for Windows on the market". A vulnerability in the way FTP Voyager handles CWD responses allows attackers to overflow the product's internal buffer allowing an attacker to cause it to execute arbitrary code.

Credit:
The information has been provided by Marsu.
The original article can be found at: http://www.milw0rm.com/exploits/3343

- Collapse -
Lenovo Intel PRO/1000 LAN Adapter Software Unspecified Vuln.

Lenovo Intel PRO/1000 LAN Adapter Software Unspecified Vulnerability
Software: Lenovo Intel PRO/1000 LAN Adapter Software 4.x
Description:
A vulnerability with unknown impact has been reported in Lenovo's Intel PRO/1000 LAN adapter software for Windows.

The vulnerability is caused due to an unspecified error in the Intel PRO/1000 LAN adapter software.

Solution: Update to build 135400.

Provided and/or discovered by: Reported by the vendor.

Original Advisory:
Lenovo: http://www-307.ibm.com/pc/support/site.wss/document.do?sitestyle=lenovo&lndocid=MIGR-62922
http://secunia.com/advisories/24349/

- Collapse -
Simple Invoices PDF Print Preview Security Bypass

TITLE:
Simple Invoices PDF Print Preview Security Bypass

SECUNIA ADVISORY ID:
SA24402

VERIFY ADVISORY:
http://secunia.com/advisories/24402/

CRITICAL:
Moderately critical

IMPACT:
Security Bypass

WHERE:
From remote

SOFTWARE:
Simple Invoices
http://secunia.com/product/13415/

DESCRIPTION:
justin has reported a vulnerability in Simple Invoices, which can be
exploited by malicious people to bypass certain security
restrictions.

The vulnerability is caused due to the print preview pages not
properly supporting the login authentication mechanism. This can be
exploited to preview invoices without proper authentication.

The vulnerability is reported in versions prior to 2007 03 05.

SOLUTION:
Update to version 2007 03 05.

PROVIDED AND/OR DISCOVERED BY:
justin

ORIGINAL ADVISORY:
http://code.google.com/p/simpleinvoices/issues/detail?id=35

- Collapse -
rpath update for tcpdump

TITLE:
rpath update for tcpdump

SECUNIA ADVISORY ID:
SA24354

VERIFY ADVISORY:
http://secunia.com/advisories/24354/

CRITICAL:
Less critical

IMPACT:
DoS

WHERE:
From remote

OPERATING SYSTEM:
rPath Linux 1.x
http://secunia.com/product/10614/

DESCRIPTION:
rpath has issued an update for tcpdump. This fixes a vulnerability,
which can be exploited by malicious people to cause a DoS (Denial of
Service).

For more information:
SA24318

SOLUTION:
Update to tcpdump=/conary.rpath.com@rpl:devel//1/3.9.5-0.1-1.

ORIGINAL ADVISORY:
http://lists.rpath.com/pipermail/security-announce/2007-March/000155.html

OTHER REFERENCES:
SA24318:
http://secunia.com/advisories/24318

- Collapse -
MailEnable IMAP Service "APPEND" Buffer Overflow

TITLE:
MailEnable IMAP Service "APPEND" Buffer Overflow

SECUNIA ADVISORY ID:
SA24361

VERIFY ADVISORY:
http://secunia.com/advisories/24361/

CRITICAL:
Moderately critical

IMPACT:
DoS, System access

WHERE:
From remote

SOFTWARE:
MailEnable Professional 2.x
http://secunia.com/product/10625/
MailEnable Enterprise Edition 2.x
http://secunia.com/product/10427/

DESCRIPTION:
mu-b has discovered a vulnerability in MailEnable, which can be
exploited by malicious users to cause a DoS (Denial of Service) or
potentially compromise a vulnerable system.

The vulnerability is caused due to a boundary error in the IMAP
service when processing arguments passed to the "APPEND" command.
This can be exploited to cause a stack-based buffer overflow via an
overly long (greater than 128 bytes), specially crafted string as
argument to the affected command.

Successful exploitation may allow execution of arbitrary code.

The vulnerability is confirmed in version MailEnable Professional
2.37. Other versions may also be affected.

SOLUTION:
Grant access to trusted users only.

PROVIDED AND/OR DISCOVERED BY:
mu-b

- Collapse -
WordPress Command Execution and PHP "eval()" Injection

TITLE:
WordPress Command Execution and PHP "eval()" Injection

SECUNIA ADVISORY ID:
SA24374

VERIFY ADVISORY:
http://secunia.com/advisories/24374/

CRITICAL:
Highly critical

IMPACT:
System access

WHERE:
From remote

SOFTWARE:
WordPress 2.x
http://secunia.com/product/6745/

DESCRIPTION:
Ivan Fratric has reported two vulnerabilities in WordPress, which can
be exploited by malicious people to compromise vulnerable systems.

1) Input passed to the "ix" parameter in wp-includes/feed.php is not
properly sanitised before being used in "eval()" calls. This can be
exploited to execute arbitrary PHP code.

2) Input passed to the "iz" parameter in wp-includes/theme.php is not
properly sanitised before being used to execute commands. This can be
exploited to execute arbitrary shell commands.

NOTE: The vulnerabilities were reportedly added by someone breaking
into WordPress's servers.

The vulnerabilities are reported in version 2.1.1 downloaded on
2007-02-25 or later.

SOLUTION:
Update to version 2.1.2.

PROVIDED AND/OR DISCOVERED BY:
Ivan Fratric

ORIGINAL ADVISORY:
Ivan Fratric:
http://ifsec.blogspot.com/2007/03/wordpress-code-compromised-to-enable.html

WordPress:
http://wordpress.org/development/2007/03/upgrade-212/

- Collapse -
Apache Tomcat JK Web Server Connector Long URL Buffer Overflow

TITLE:
Apache Tomcat JK Web Server Connector Long URL Buffer Overflow

SECUNIA ADVISORY ID:
SA24398

VERIFY ADVISORY:
http://secunia.com/advisories/24398/

CRITICAL:
Highly critical

IMPACT:
System access

WHERE:
From remote

SOFTWARE:
Apache Tomcat 5.x
http://secunia.com/product/3571/
Apache Tomcat 4.x
http://secunia.com/product/328/
Apache Tomcat JK Web Server Connector 1.x
http://secunia.com/product/13598/

DESCRIPTION:
A vulnerability has been reported in Apache Tomcat JK Web Server
Connector, which can be exploited by malicious people to compromise a
vulnerable system.

The vulnerability is caused due to a boundary error within the
"map_uri_to_worker()" function in the mod_jk.so library. This can be
exploited to cause a stack-based buffer overflow via an overly long
(more than 4,095 bytes) URL request.

Successful exploitation allows execution of arbitrary code.

The vulnerability reportedly only affects versions 1.2.19 and 1.2.20.
Tomcat versions 5.5.20 and 4.1.34 are reportedly also affected as they
contain the vulnerable connector version in their source packages.

SOLUTION:
Update to version 1.2.21.

PROVIDED AND/OR DISCOVERED BY:
Discovered by an anonymous researcher and reported via ZDI.

ORIGINAL ADVISORY:
Apache Tomcat:
http://tomcat.apache.org/connectors-doc/miscellaneous/changelog.html
http://tomcat.apache.org/security-jk.html

ZDI:
http://www.zerodayinitiative.com/advisories/ZDI-07-008.html

- Collapse -
Lenovo Intel PRO/1000 LAN Adapter Software Unspecified Vulnerability

TITLE:
Lenovo Intel PRO/1000 LAN Adapter Software Unspecified Vulnerability

SECUNIA ADVISORY ID:
SA24349

VERIFY ADVISORY:
http://secunia.com/advisories/24349/

CRITICAL:
Moderately critical

IMPACT:
Unknown

WHERE:
From remote

SOFTWARE:
Lenovo Intel PRO/1000 LAN Adapter Software 4.x
http://secunia.com/product/13599/

DESCRIPTION:
A vulnerability with unknown impact has been reported in Lenovo's
Intel PRO/1000 LAN adapter software for Windows.

The vulnerability is caused due to an unspecified error in the Intel
PRO/1000 LAN adapter software.

SOLUTION:
Update to build 135400.
http://www-307.ibm.com/pc/support/site.wss/license.do?filename=mobiles/7ira09ww.exe

PROVIDED AND/OR DISCOVERED BY:
Reported by the vendor.

ORIGINAL ADVISORY:
Lenovo:
http://www-307.ibm.com/pc/support/site.wss/document.do?sitestyle=lenovo&lndocid=MIGR-62922

- Collapse -
Kaspersky Anti-Virus Engine UPX Processing Denial of Service

TITLE:
Kaspersky Anti-Virus Engine UPX Processing Denial of Service

SECUNIA ADVISORY ID:
SA24391

VERIFY ADVISORY:
http://secunia.com/advisories/24391/

CRITICAL:
Moderately critical

IMPACT:
DoS

WHERE:
From remote

SOFTWARE:
Kaspersky Anti-Virus 4.x
http://secunia.com/product/916/
Kaspersky Anti-Virus 5.x
http://secunia.com/product/2781/
Kaspersky Anti-Virus 6.x
http://secunia.com/product/10470/
Kaspersky Internet Security 6.x
http://secunia.com/product/10471/
Kaspersky Online Scanner 5.x
http://secunia.com/product/12705/
Kaspersky Personal Security Suite 1.x
http://secunia.com/product/5804/
Kaspersky SMTP Gateway 5.x
http://secunia.com/product/4100/

DESCRIPTION:
A vulnerability has been reported in Kaspersky's Anti-Virus engine,
which can be exploited by malicious people to cause a DoS (Denial of
Service).

The vulnerability is caused due to an error within the handling of
UPX-compressed executables that contain negative data offsets. This
can be exploited to cause the application to consume large amounts of
CPU resources, which can e.g. render a client-system unusable or
degrade the performance of a server.

The vulnerability is reported in version 6.0.1.411 for Windows and
5.5-10 for Linux. Other versions may also be affected.

SOLUTION:
The fix is reportedly available via automatic updates since February
7, 2007.

PROVIDED AND/OR DISCOVERED BY:
Discovered by an anonymous researcher and reported via iDefense Labs.

ORIGINAL ADVISORY:
iDefense Labs:
http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=485

- Collapse -
Red Hat update for thunderbird

TITLE:
Red Hat update for thunderbird

SECUNIA ADVISORY ID:
SA24395

VERIFY ADVISORY:
http://secunia.com/advisories/24395/

CRITICAL:
Highly critical

IMPACT:
System access

WHERE:
From remote

OPERATING SYSTEM:
RedHat Enterprise Linux AS 4
http://secunia.com/product/4669/
RedHat Enterprise Linux ES 4
http://secunia.com/product/4668/
RedHat Enterprise Linux WS 4
http://secunia.com/product/4670/

DESCRIPTION:
Red Hat has issued an update for thunderbird. This fixes some
vulnerabilities, which potentially can be exploited by malicious
people to compromise a user's system.

For more information:
SA24252

SOLUTION:
Updated packages are available via Red Hat Network.
http://rhn.redhat.com

ORIGINAL ADVISORY:
http://rhn.redhat.com/errata/RHSA-2007-0078.html

OTHER REFERENCES:
SA24252:
http://secunia.com/advisories/24252/

- Collapse -
Fedora update for kernel

TITLE:
Fedora update for kernel

SECUNIA ADVISORY ID:
SA24400

VERIFY ADVISORY:
http://secunia.com/advisories/24400/

CRITICAL:
Less critical

IMPACT:
Privilege escalation, DoS

WHERE:
From local network

OPERATING SYSTEM:
Fedora Core 6
http://secunia.com/product/12487/
Fedora Core 5
http://secunia.com/product/8808/

DESCRIPTION:
Fedora has issued an update for the kernel. This fixes some
vulnerabilities, which can be exploited by malicious, local users to
cause a DoS (Denial of Service) and potentially gain escalated
privileges, and by malicious people to cause a DoS.

For more information:
SA23955
SA24215

SOLUTION:
Apply updated packages.

ORIGINAL ADVISORY:
http://fedoranews.org/cms/node/2739
http://fedoranews.org/cms/node/2740

OTHER REFERENCES:
SA23955:
http://secunia.com/advisories/23955/

SA24215:
http://secunia.com/advisories/24215/

- Collapse -
Gentoo update for emul-linux-x86-qtlibs

TITLE:
Gentoo update for emul-linux-x86-qtlibs

SECUNIA ADVISORY ID:
SA24347

VERIFY ADVISORY:
http://secunia.com/advisories/24347/

CRITICAL:
Moderately critical

IMPACT:
DoS, System access

WHERE:
From remote

OPERATING SYSTEM:
Gentoo Linux 1.x
http://secunia.com/product/339/

DESCRIPTION:
Gentoo has issued an update for emul-linux-x86-qtlibs. This fixes a
vulnerability, which can be exploited by malicious people to cause a
DoS (Denial of Service) and potentially compromise an application
using the library.

For more information:
SA22380

SOLUTION:
Update to "app-emulation/emul-linux-x86-qtlibs-10.0" or later.

ORIGINAL ADVISORY:
http://www.gentoo.org/security/en/glsa/glsa-200703-06.xml

OTHER REFERENCES:
SA22380:
http://secunia.com/advisories/22380/

- Collapse -
Debian update for gnomemeeting and ekiga

TITLE:
Debian update for gnomemeeting and ekiga

SECUNIA ADVISORY ID:
SA24379

VERIFY ADVISORY:
http://secunia.com/advisories/24379/

CRITICAL:
Moderately critical

IMPACT:
DoS, System access

WHERE:
From remote

OPERATING SYSTEM:
Debian GNU/Linux 3.1
http://secunia.com/product/5307/
Debian GNU/Linux unstable alias sid
http://secunia.com/product/530/

DESCRIPTION:
Debian has issued an update for gnomemeeting and ekiga. This fixes a
vulnerability, which potentially can be exploited by malicious people
to compromise a user's system.

For more information:
SA24194

SOLUTION:
Apply updated packages.

ORIGINAL ADVISORY:
http://lists.debian.org/debian-security-announce/debian-security-announce-2007/msg00017.html

OTHER REFERENCES:
SA24194:
http://secunia.com/advisories/24194/

- Collapse -
Gentoo Multiple Vulnerabilities in mozilla and mozilla-bin

TITLE:
Gentoo Multiple Vulnerabilities in mozilla and mozilla-bin

SECUNIA ADVISORY ID:
SA24352

VERIFY ADVISORY:
http://secunia.com/advisories/24352/

CRITICAL:
Highly critical

IMPACT:
Cross Site Scripting, Exposure of sensitive information, System
access

WHERE:
From remote

OPERATING SYSTEM:
Gentoo Linux 1.x
http://secunia.com/product/339/

DESCRIPTION:
Gentoo has acknowledged several vulnerabilities in mozilla and
mozilla-bin, which can be exploited by malicious people to gain
knowledge of potentially sensitive information, conduct cross-site
scripting attacks, and potentially compromise a user's system.

SOLUTION:
The vendor recommends removing the affected "www-client/mozilla" and
"www-client/mozilla-bin" packages.

ORIGINAL ADVISORY:
http://www.gentoo.org/security/en/glsa/glsa-200703-05.xml

- Collapse -
Gentoo update for mozilla-firefox and mozilla-firefox-bin

TITLE:
Gentoo update for mozilla-firefox and mozilla-firefox-bin

SECUNIA ADVISORY ID:
SA24393

VERIFY ADVISORY:
http://secunia.com/advisories/24393/

CRITICAL:
Highly critical

IMPACT:
Security Bypass, Cross Site Scripting, Spoofing, Exposure of
sensitive information, System access

WHERE:
From remote

OPERATING SYSTEM:
Gentoo Linux 1.x
http://secunia.com/product/339/

DESCRIPTION:
Gentoo has issued an update for mozilla-firefox and
mozilla-firefox-bin. This fixes some vulnerabilities, which can be
exploited by malicious people to bypass certain security
restrictions, conduct cross-site scripting and spoofing attacks,
gain knowledge of sensitive information, and potentially compromise a
user's system.

For more information:
SA24205

SOLUTION:
All Mozilla Firefox 1.5 users should update to:
"www-client/mozilla-firefox-1.5.0.10" or later.

All Mozilla Firefox 1.5 binary users should update to:
"www-client/mozilla-firefox-bin-1.5.0.10" or later.

All Mozilla Firefox 2 users should update to:
"www-client/mozilla-firefox-2.0.0.2" or later.

All Mozilla Firefox 2 binary users should update to:
"www-client/mozilla-firefox-bin-2.0.0.2" or later.

ORIGINAL ADVISORY:
http://www.gentoo.org/security/en/glsa/glsa-200703-04.xml

OTHER REFERENCES:
SA24205:
http://secunia.com/advisories/24205/

- Collapse -
Konqueror DoS via JavaScript Read of FTP iframe

Konqueror crashes if JavaScript code tries to read the source of a child iframe which is set to an ftp:// URL. It is possible for malicious websites to crash Konqueror and possibly other applications which rely on KJS.

Credit:
The information has been provided by Mark.
The original article can be found at:
http://bindshell.net/advisories/konq355


Vulnerable Systems:
* Gentoo and Debian running KDE 3.5.5.

- Collapse -
PHP4 phpinfo() XSS Vulnerability (Reintroduced)

The phpinfo() function "gives detailed information about the current environment of PHP. This includes a dump of the request variables that were sent".

With PHP 4.4.3 a previously fixed bug that was disclosed at the end of October 2005 by the Hardened-PHP Project was reintroduced. Again, phpinfo() does not escape the content of user-supplied arrays in GET, POST or COOKIE variables when it displays them, which leads to an XSS vulnerability.

Credit:
The information has been provided by Hardened-PHP Project.
The original article can be found at:
http://www.php-security.org/MOPB/MOPB-08-2007.html

Vulnerable Systems:
* PHP versions 4.4.3 to 4.4.6
* CVS version of PHP 6.0.

- Collapse -
update - bugs in Oracle's database software

It was previously thought that an attacker needed high-level privileges on the database to exploit so-called PL/SQL injection vulnerabilities. With a new attack technique, that's no longer true, David Litchfield, a database security expert with NGS Software, said on Thursday at the Black Hat DC event here.

"It is a trick that can be used by attackers with minimal privileges to gain complete control of the database server," Litchfield said in an interview. "You can use the trick through a large number of vulnerabilities that were previously thought not to be that significant."

Litchfield, who has had Oracle in his crosshairs for some time, detailed his technique, dubbed "cursor injection," in a paper that was originally published last weekend (PDF) and discussed at the event. Examples of attack code that takes advantage of the tricks have already appeared, Litchfield said.

http://news.zdnet.com/2100-1009_22-6163545.html?tag=nl.e550

- Collapse -
Apple QuickTime Multiple File Format Handling Remote Command Execution Vulnerabilities

Multiple vulnerabilities have been identified in Apple QuickTime, which could be exploited by remote attackers to take complete control of an affected system.

The first issue is due to an integer overflow error when handling malformed 3GP video files, which could be exploited by attackers to execute arbitrary commands via a malicious web page.

The second flaw is due to a heap overflow error when handling a specially crafted MIDI file, which could be exploited by attackers to execute arbitrary commands by tricking a user into visiting a malicious web site.

The third vulnerability is due to a buffer overflow error when processing malformed QuickTime movies, which could be exploited by attackers to execute arbitrary commands via a malicious web page.

The fourth issue is due to an integer overflow error when handling malformed UDTA atoms in movie files, which could be exploited by attackers to execute arbitrary commands by convincing a user to visit a malicious web site.

The fifth issue is due to a heap overflow error when processing malformed PICT files, which could be exploited by attackers to execute arbitrary commands via a malicious web site.

The sixth vulnerability is due to a stack overflow error when handling a specially crafted QTIF file, which could be exploited by attackers to execute arbitrary commands by tricking a user into visiting a malicious web site.

The seventh issue is due to an integer overflow error when processing a malformed QTIF file, which could be exploited by attackers to execute arbitrary commands via a malicious web site.

The eighth vulnerability is due to a heap overflow error when handling a specially crafted QTIF file, which could be exploited by attackers to execute arbitrary commands by convincing a user to visit a malicious web site.

Affected Products

Apple QuickTime version 7.1.4 and prior

Solution

Upgrade to QuickTime version 7.1.5 :
http://www.apple.com/quicktime/download/

References

http://www.frsirt.com/english/advisories/2007/0825
http://docs.info.apple.com/article.html?artnum=305149

Credits

Vulnerabilities reported by JJ Reyes, Mike Price (McAfee AVERT Labs), Piotr Bania, Artur Ogloza, Sowhat (Nevis Labs), Zero Day Initiative, Ruben Santamarta and iDefense Labs.

ChangeLog

2007-03-05 : Initial release

- Collapse -
Apple QuickTime Color Table ID Heap Corruption Vulnerability

DESCRIPTION

Remote exploitation of a heap corruption vulnerability in Apple Computer Inc.'s QuickTime media player could allow an attacker to execute arbitrary commands in the context of the current user.

The vulnerability specifically exists in the QuickTime player's handling of Video media atoms. When the 'Color table ID' field in the Video Sample Description is 0, QuickTime expects a color table to be present immediately after the description. A byte swap process is then performed on the memory following the description, regardless of whether a table is present. Heap corruption will occur when the memory following the description is not part of the heap chunk being processed.

ANALYSIS

Exploitation allows an attacker to execute arbitrary code in the context of the current user.

In order to exploit this vulnerability, an attacker must persuade a victim into opening a specially crafted media file. This could be accomplished by either a direct link or referenced from a website under the attacker's control. No further interaction is required in the default configuration.

DETECTION

iDefense Labs confirmed this vulnerability exists in version 7.1.3 of QuickTime on Windows. Previous versions are suspected to be vulnerable.

WORKAROUND

iDefense is currently unaware of any effective workarounds for this vulnerability.

VENDOR RESPONSE


Apple has addressed this vulnerability by releasing version 7.1.5 of Quicktime. More information can be found in Apple Advisory APPLE-SA-2007-03-05 at the following URL.
http://docs.info.apple.com/article.html?artnum=305149

DISCLOSURE TIMELINE

12/06/2006 Initial vendor notification
12/11/2007 Initial vendor response
02/01/2007 Second vendor notification
03/05/2007 Coordinated public disclosure

http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=486
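As an added illustration (not code from iDefense, Apple or the post above), the bounds check the description implies, in C: a parser that byte-swaps a color table only after confirming the whole table lies inside the atom it was handed, instead of swapping whatever memory follows the description. The 86-byte ImageDescription layout, the ColorTable header shape and the sample inputs are assumptions constructed for the example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed model of the QuickTime Video Sample Description (ImageDescription).
 * Assumption: the classic 86-byte layout with the 16-bit 'Color table ID' at
 * offset 84, followed (when the ID is 0) by a classic ColorTable:
 * ctSeed(4) ctFlags(2) ctSize(2), then (ctSize + 1) entries of 8 bytes each. */
#define VIDEO_DESC_LEN  86
#define CTAB_ID_OFFSET  84
#define CTAB_HDR_LEN    8
#define CTAB_ENTRY_LEN  8
#define SAMPLE_BUF_LEN  (VIDEO_DESC_LEN + CTAB_HDR_LEN + 4 * CTAB_ENTRY_LEN)
enum ctab_status { CTAB_OK = 0, CTAB_NONE = 1, CTAB_TRUNCATED = -1, CTAB_BAD_DESC = -2 };

static uint16_t be16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }

/* In-place swap of 16-bit big-endian fields to host order; 'len' is already bounded. */
static void swap16_region(uint8_t *p, size_t len) {
    for (size_t i = 0; i + 1 < len; i += 2) { uint8_t t = p[i]; p[i] = p[i + 1]; p[i + 1] = t; }
}

/* Checked form of the step the advisory describes: the flawed code swapped the
 * bytes after the description whenever the color table ID was 0 without
 * confirming the table lay inside the atom. Here every access is bounded by
 * atom_len, and a description that promises a table it does not carry is rejected. */
int process_video_desc(uint8_t *atom, size_t atom_len, size_t *table_bytes) {
    *table_bytes = 0;
    if (atom == NULL || atom_len < VIDEO_DESC_LEN) return CTAB_BAD_DESC;
    if (be16(atom + CTAB_ID_OFFSET) != 0) return CTAB_NONE;    /* e.g. 0xFFFF: no table */
    size_t remaining = atom_len - VIDEO_DESC_LEN;
    if (remaining < CTAB_HDR_LEN) return CTAB_TRUNCATED;      /* header would be out of bounds */
    uint8_t *ctab = atom + VIDEO_DESC_LEN;
    size_t entries = (size_t)be16(ctab + 6) + 1;                /* ctSize stores count - 1 */
    size_t need = CTAB_HDR_LEN + entries * CTAB_ENTRY_LEN;
    if (need > remaining) return CTAB_TRUNCATED;                /* entries would be out of bounds */
    swap16_region(ctab, need);
    *table_bytes = need;
    return CTAB_OK;
}

/* Builds a constructed sample (not a real QuickTime file) into buf; returns its length. */
static size_t build_sample(uint8_t *buf, uint16_t ctab_id, uint16_t ct_size, size_t table_bytes) {
    memset(buf, 0, SAMPLE_BUF_LEN);
    buf[CTAB_ID_OFFSET] = (uint8_t)(ctab_id >> 8);
    buf[CTAB_ID_OFFSET + 1] = (uint8_t)(ctab_id & 0xFF);
    if (table_bytes >= CTAB_HDR_LEN) {
        buf[VIDEO_DESC_LEN + 6] = (uint8_t)(ct_size >> 8);
        buf[VIDEO_DESC_LEN + 7] = (uint8_t)(ct_size & 0xFF);
    }
    return VIDEO_DESC_LEN + table_bytes;
}

/* Four constructed cases; returns the parser's verdict for each. */
int demo_case(int which) {
    uint8_t buf[SAMPLE_BUF_LEN];
    size_t len, table_bytes;
    switch (which) {
    case 0:  len = build_sample(buf, 0, 1, CTAB_HDR_LEN + 2 * CTAB_ENTRY_LEN); break; /* 2 entries, all present */
    case 1:  len = build_sample(buf, 0, 0, 0); break;                                /* ID 0, nothing follows */
    case 2:  len = build_sample(buf, 0, 3, CTAB_HDR_LEN + 2 * CTAB_ENTRY_LEN); break; /* claims 4, carries 2 */
    default: len = build_sample(buf, 0xFFFF, 0, 0); break;                           /* ID -1: no table */
    }
    return process_video_desc(buf, len, &table_bytes);
}

int main(void) {
    for (int i = 0; i < 4; i++) printf("case %d -> %d\n", i, demo_case(i));
    return 0;
}
```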
