VULNERABILITIES - May 21, 2007

by Marianna Schmudlach / May 21, 2007 12:58 AM PDT

Sun Solaris "snmpd" TCP Packets Handling Remote Denial of Service Vulnerability

Advisory ID : FrSIRT/ADV-2007-1883
CVE ID : CVE-2005-2177
Rated as : Low Risk
Remotely Exploitable : Yes
Locally Exploitable : Yes
Release Date : 2007-05-21
Technical Description

A vulnerability has been identified in Sun Solaris, which could be exploited by remote attackers to cause a denial of service. This issue is caused by an error in the "snmpd" daemon when processing specially crafted TCP packets, which could be exploited by attackers to disable the SNMP service, creating a denial of service condition.

Affected Products

Solaris 10

Solution

Solaris 10 (SPARC) - Apply patch 120272-08 or later

References

http://www.frsirt.com/english/advisories/2007/1883
http://sunsolve.sun.com/search/document.do?assetkey=1-26-102725-1

Credits

Vulnerability reported by the vendor

OSK Advance-Flow Unspecified Parameter Handling Cross Site Scripting Vulnerability
by Marianna Schmudlach / May 21, 2007 1:00 AM PDT

OSK Advance-Flow Unspecified Parameter Handling Cross Site Scripting Vulnerability

Advisory ID : FrSIRT/ADV-2007-1884
CVE ID : GENERIC-MAP-NOMATCH
Rated as : Low Risk
Remotely Exploitable : Yes
Locally Exploitable : Yes
Release Date : 2007-05-21
Technical Description

A vulnerability has been identified in OSK Advance-Flow, which could be exploited by attackers to execute arbitrary scripting code. This issue is caused by unspecified input validation errors when processing user-supplied parameters, which could be exploited by attackers to cause arbitrary scripting code to be executed by the user's browser in the security context of an affected Web site.

Affected Products

OSK Advance-Flow version 4.41 and prior

Solution

Upgrade to OSK Advance-Flow version 4.42 :
http://www.evalue.jp/pro/af/

References

http://www.frsirt.com/english/advisories/2007/1884
http://jvn.jp/jp/JVN%2392832583/index.html
http://www.evalue.jp/support/security/IPA_92832583.asp

Credits

Vulnerability reported by JVN

HLstats "hlstats.php" URL Processing Client-Side Cross Site Scripting Vulnerability
by Marianna Schmudlach / May 21, 2007 1:01 AM PDT

HLstats "hlstats.php" URL Processing Client-Side Cross Site Scripting Vulnerability

Advisory ID : FrSIRT/ADV-2007-1882
CVE ID : GENERIC-MAP-NOMATCH
Rated as : Low Risk
Remotely Exploitable : Yes
Locally Exploitable : Yes
Release Date : 2007-05-21
Technical Description

A vulnerability has been identified in HLstats, which could be exploited by attackers to execute arbitrary scripting code. This issue is caused by an input validation error in the "hlstats.php" script when processing user-supplied URLs, which could be exploited by attackers to cause arbitrary scripting code to be executed by the user's browser in the security context of an affected Web site.

Affected Products

HLstats version 1.35 and prior

Solution

The FrSIRT is not aware of any officially supplied patch for this issue.

References

http://www.frsirt.com/english/advisories/2007/1882

Credits

Vulnerability reported by John Martinelli

SunLight CMS "root" Parameter Handling Remote PHP File Inclusion Vulnerability
by Marianna Schmudlach / May 21, 2007 1:02 AM PDT

SunLight CMS "root" Parameter Handling Remote PHP File Inclusion Vulnerability

Advisory ID : FrSIRT/ADV-2007-1885
CVE ID : GENERIC-MAP-NOMATCH
Rated as : High Risk
Remotely Exploitable : Yes
Locally Exploitable : Yes
Release Date : 2007-05-21
Technical Description

A vulnerability has been identified in SunLight CMS, which could be exploited by remote attackers to compromise a vulnerable web server. This issue is caused by input validation errors in the "_connect.php" and "modules/startup.php" scripts when processing the "root" parameter, which could be exploited by remote attackers to include malicious PHP scripts and execute arbitrary commands with the privileges of the web server.

Affected Products

SunLight CMS version 5.3 and prior

Solution

Upgrade to SunLight CMS version 5.3.3 :
http://sunlight.profitux.cz/sekce-na-stazeni-10.html

References

http://www.frsirt.com/english/advisories/2007/1885

Credits

Vulnerability reported by Cyber-Security

Libstats "rInfo[content]" Parameter Handling Remote PHP File Inclusion Vulnerability
by Marianna Schmudlach / May 21, 2007 1:03 AM PDT

Libstats "rInfo[content]" Parameter Handling Remote PHP File Inclusion Vulnerability

Advisory ID : FrSIRT/ADV-2007-1880
CVE ID : GENERIC-MAP-NOMATCH
Rated as : High Risk
Remotely Exploitable : Yes
Locally Exploitable : Yes
Release Date : 2007-05-21
Technical Description

A vulnerability has been identified in Libstats, which could be exploited by remote attackers to compromise a vulnerable web server. This issue is caused by an input validation error in the "template_csv.php" script when processing the "rInfo[content]" parameter, which could be exploited by remote attackers to include malicious PHP scripts and execute arbitrary commands with the privileges of the web server.

Affected Products

Libstats version 1.0.3 and prior

Solution

The FrSIRT is not aware of any officially supplied patch for this issue.

References

http://www.frsirt.com/english/advisories/2007/1880

Credits

Vulnerability reported by Cyber-Security

Debian Security Update Fixes XFree86 Code Execution and Privilege Escalation Issues
by Marianna Schmudlach / May 21, 2007 1:05 AM PDT

Debian Security Update Fixes XFree86 Code Execution and Privilege Escalation Issues

Advisory ID : FrSIRT/ADV-2007-1871
CVE ID : CVE-2007-1003 - CVE-2007-1351 - CVE-2007-1352 - CVE-2007-1667
Rated as : Moderate Risk
Remotely Exploitable : Yes
Locally Exploitable : Yes
Release Date : 2007-05-21
Technical Description

Multiple vulnerabilities have been identified in Debian, which could be exploited by attackers to execute arbitrary code. These issues are caused by errors in XFree86. For additional information, see : FrSIRT/ADV-2007-1217

Affected Products

Debian GNU/Linux sarge

Solution

Upgrade to xfree86 version 4.3.0.dfsg.1-14sarge4.

References

http://www.frsirt.com/english/advisories/2007/1871
http://lists.debian.org/debian-security-announce/debian-security-announce-2007/msg00051.html

Mandriva Security Update Fixes Squirrelmail Multiple Cross Site Scripting Vulnerabilities
by Marianna Schmudlach / May 21, 2007 1:06 AM PDT

Mandriva Security Update Fixes Squirrelmail Multiple Cross Site Scripting Vulnerabilities

Advisory ID : FrSIRT/ADV-2007-1869
CVE ID : CVE-2007-1262 - CVE-2007-2589
Rated as : Moderate Risk
Remotely Exploitable : Yes
Locally Exploitable : Yes
Release Date : 2007-05-21
Technical Description

Multiple vulnerabilities have been identified in Mandriva, which could be exploited by attackers to execute arbitrary scripting code. These issues are caused by errors in Squirrelmail. For additional information, see : FrSIRT/ADV-2007-1748

Affected Products

Mandriva Corporate 3.0
Mandriva Corporate 4.0

Solution

Upgrade the affected packages

References

http://www.frsirt.com/english/advisories/2007/1869
http://archives.mandrivalinux.com/security-announce/2007-05/msg00021.php

Mandriva Security Update Fixes Evolution Information Disclosure Security Weakness
by Marianna Schmudlach / May 21, 2007 1:08 AM PDT

Mandriva Security Update Fixes Evolution Information Disclosure Security Weakness

Advisory ID : FrSIRT/ADV-2007-1870
CVE ID : CVE-2007-1558
Rated as : Low Risk
Remotely Exploitable : Yes
Locally Exploitable : Yes
Release Date : 2007-05-21
Technical Description

A weakness has been identified in Mandriva, which could be exploited by remote attackers to gain knowledge of sensitive information. This issue is caused by an error in Evolution. For additional information, see : FrSIRT/ADV-2007-1467

Affected Products

Mandriva Linux 2007.0
Mandriva Linux 2007.1
Mandriva Corporate 3.0

Solution

Upgrade the affected package

References

http://www.frsirt.com/english/advisories/2007/1870
http://archives.mandrivalinux.com/security-announce/2007-05/msg00022.php

Debian Security Update Fixes PHP5 Buffer Overflow and Security Bypass Vulnerabilities
by Marianna Schmudlach / May 21, 2007 1:10 AM PDT

Debian Security Update Fixes PHP5 Buffer Overflow and Security Bypass Vulnerabilities

Advisory ID : FrSIRT/ADV-2007-1872
CVE ID : CVE-2007-2509 - CVE-2007-2510
Rated as : High Risk
Remotely Exploitable : Yes
Locally Exploitable : Yes
Release Date : 2007-05-21
Technical Description

Multiple vulnerabilities have been identified in Debian, which could be exploited by attackers to bypass security checks and execute arbitrary code. These issues are caused by errors in PHP. For additional information, see : FrSIRT/ADV-2007-1657

Affected Products

Debian GNU/Linux etch
Debian GNU/Linux sid

Solution

Debian GNU/Linux etch - Upgrade to php5 version 5.2.0-8+etch4
Debian GNU/Linux sid - Upgrade to php5 version 5.2.2-1

References

http://www.frsirt.com/english/advisories/2007/1872
http://lists.debian.org/debian-security-announce/debian-security-announce-2007/msg00052.html

Slackware Security Update Fixes Libpng tRNS Chunk Processing Denial of Service
by Marianna Schmudlach / May 21, 2007 1:11 AM PDT

Slackware Security Update Fixes Libpng tRNS Chunk Processing Denial of Service

Advisory ID : FrSIRT/ADV-2007-1873
CVE ID : CVE-2007-2445
Rated as : Low Risk
Remotely Exploitable : Yes
Locally Exploitable : Yes
Release Date : 2007-05-21
Technical Description

A vulnerability has been identified in Slackware, which could be exploited by attackers to cause a denial of service. This issue is caused by an error in Libpng. For additional information, see : FrSIRT/ADV-2007-1838

Affected Products

Slackware 8.1
Slackware 9.0
Slackware 9.1
Slackware 10.0
Slackware 10.1
Slackware 10.2
Slackware 11.0

Solution

Updated package for Slackware 8.1:
ftp://ftp.slackware.com/pub/slackware/slackware-8.1/patches/packages/libpng-1.2.18-i386-1_slack8.1.tgz

Updated package for Slackware 9.0:
ftp://ftp.slackware.com/pub/slackware/slackware-9.0/patches/packages/libpng-1.2.18-i386-1_slack9.0.tgz

Updated package for Slackware 9.1:
ftp://ftp.slackware.com/pub/slackware/slackware-9.1/patches/packages/libpng-1.2.18-i486-1_slack9.1.tgz

Updated package for Slackware 10.0:
ftp://ftp.slackware.com/pub/slackware/slackware-10.0/patches/packages/libpng-1.2.18-i486-1_slack10.0.tgz

Updated package for Slackware 10.1:
ftp://ftp.slackware.com/pub/slackware/slackware-10.1/patches/packages/libpng-1.2.18-i486-1_slack10.1.tgz

Updated package for Slackware 10.2:
ftp://ftp.slackware.com/pub/slackware/slackware-10.2/patches/packages/libpng-1.2.18-i486-1_slack10.2.tgz

Updated package for Slackware 11.0:
ftp://ftp.slackware.com/pub/slackware/slackware-11.0/patches/packages/libpng-1.2.18-i486-1_slack11.0.tgz

Updated package for Slackware -current:
ftp://ftp.slackware.com/pub/slackware/slackware-current/slackware/l/libpng-1.2.18-i486-1.tgz

References

http://www.frsirt.com/english/advisories/2007/1873
http://slackware.com/security/viewer.php?l=slackware-security&y=2007&m=slackware-security.492650

Turbolinux Security Update Fixes PHP Code Execution and Security Bypass Vulnerabilities
by Marianna Schmudlach / May 21, 2007 1:12 AM PDT

Turbolinux Security Update Fixes PHP Code Execution and Security Bypass Vulnerabilities

Advisory ID : FrSIRT/ADV-2007-1874
CVE ID : CVE-2007-1001 - CVE-2007-1285 - CVE-2007-1286 - CVE-2007-1583 - CVE-2007-1711 - CVE-2007-1718
Rated as : Moderate Risk
Remotely Exploitable : Yes
Locally Exploitable : Yes
Release Date : 2007-05-21
Technical Description

Multiple vulnerabilities have been identified in Turbolinux, which could be exploited by attackers to bypass security restrictions, cause a denial of service or execute arbitrary code. These issues are caused by errors in PHP. For additional information, see : FrSIRT/ADV-2007-1269 - FrSIRT/ADV-2007-0791

Affected Products

Turbolinux Appliance Server 2.0
Turbolinux 10 Server x64 Edition
Turbolinux Appliance Server 1.0 Hosting Edition
Turbolinux Appliance Server 1.0 Workgroup Edition
Turbolinux 10 Server
Turbolinux Home
Turbolinux 10 F...
Turbolinux 10 Desktop
Turbolinux Multimedia
Turbolinux Personal
Turbolinux 8 Server

Solution

Upgrade the affected packages :
ftp://ftp.turbolinux.co.jp/pub/TurboLinux/TurboLinux/

References

http://www.frsirt.com/english/advisories/2007/1874
http://www.turbolinux.com/security/2007/TLSA-2007-29.txt

rPath Security Update Fixes Libpng tRNS Chunk Processing Denial of Service Issue
by Marianna Schmudlach / May 21, 2007 1:14 AM PDT

rPath Security Update Fixes Libpng tRNS Chunk Processing Denial of Service Issue

Advisory ID : FrSIRT/ADV-2007-1875
CVE ID : CVE-2007-2445
Rated as : Low Risk
Remotely Exploitable : Yes
Locally Exploitable : Yes
Release Date : 2007-05-21
Technical Description

A vulnerability has been identified in rPath, which could be exploited by attackers to cause a denial of service. This issue is caused by an error in Libpng. For additional information, see : FrSIRT/ADV-2007-1838

Affected Products

rPath Linux 1

Solution

Upgrade the affected package to :
libpng=/conary.rpath.com@rpl:devel//1/1.2.18-1-0.1

References

http://www.frsirt.com/english/advisories/2007/1875
http://lists.rpath.com/pipermail/security-announce/2007-May/000188.html

rPath Security Update Fixes Python "PyLocale_strxfrm()" Memory Disclosure Issue
by Marianna Schmudlach / May 21, 2007 1:15 AM PDT

rPath Security Update Fixes Python "PyLocale_strxfrm()" Memory Disclosure Issue

Advisory ID : FrSIRT/ADV-2007-1876
CVE ID : CVE-2007-2052
Rated as : Low Risk
Remotely Exploitable : Yes
Locally Exploitable : Yes
Release Date : 2007-05-21
Technical Description

A vulnerability has been identified in rPath, which could be exploited by attackers to gain knowledge of potentially sensitive information. This issue is caused by an error in Python. For additional information, see : FrSIRT/ADV-2007-1465

Affected Products

rPath Linux 1

Solution

Upgrade the affected packages :
python=/conary.rpath.com@rpl:devel//1/2.4.1-20.9-1
idle=/conary.rpath.com@rpl:devel//1/2.4.1-20.9-1

References

http://www.frsirt.com/english/advisories/2007/1876
http://lists.rpath.com/pipermail/security-announce/2007-May/000189.html

Gentoo Security Update Fixes PhpWiki Arbitrary File Upload Code Execution Issues
by Marianna Schmudlach / May 21, 2007 1:16 AM PDT

Gentoo Security Update Fixes PhpWiki Arbitrary File Upload Code Execution Issues

Advisory ID : FrSIRT/ADV-2007-1877
CVE ID : CVE-2007-2024 - CVE-2007-2025
Rated as : High Risk
Remotely Exploitable : Yes
Locally Exploitable : Yes
Release Date : 2007-05-21
Technical Description

Multiple vulnerabilities have been identified in Gentoo, which could be exploited by attackers to execute arbitrary code. These issues are caused by errors in PhpWiki. For additional information, see : FrSIRT/ADV-2007-1400

Affected Products

www-apps/phpwiki versions prior to 1.3.10-r3

Solution

Upgrade the affected package :
# emerge --sync
# emerge --ask --oneshot --verbose ">=www-apps/phpwiki-1.3.10-r3"

References

http://www.frsirt.com/english/advisories/2007/1877
http://www.gentoo.org/security/en/glsa/glsa-200705-16.xml

Gentoo Security Update Fixes pptpd "decaps_gre()" Denial of Service Vulnerability
by Marianna Schmudlach / May 21, 2007 1:17 AM PDT

Gentoo Security Update Fixes pptpd "decaps_gre()" Denial of Service Vulnerability

Advisory ID : FrSIRT/ADV-2007-1878
CVE ID : CVE-2007-0244
Rated as : Moderate Risk
Remotely Exploitable : Yes
Locally Exploitable : Yes
Release Date : 2007-05-21
Technical Description

A vulnerability has been identified in Gentoo, which could be exploited by remote attackers to cause a denial of service. This issue is caused by errors in pptpd. For additional information, see : FrSIRT/ADV-2007-1743

Affected Products

net-dialup/pptpd versions prior to 1.3.4

Solution

Upgrade the affected package :
# emerge --sync
# emerge --ask --oneshot --verbose ">=net-dialup/pptpd-1.3.4"

References

http://www.frsirt.com/english/advisories/2007/1878
http://www.gentoo.org/security/en/glsa/glsa-200705-18.xml

Gentoo Security Update Fixes Apache mod_security Security Bypass Vulnerability
by Marianna Schmudlach / May 21, 2007 1:18 AM PDT

Gentoo Security Update Fixes Apache mod_security Security Bypass Vulnerability

Advisory ID : FrSIRT/ADV-2007-1879
CVE ID : CVE-2007-1359
Rated as : Low Risk
Remotely Exploitable : Yes
Locally Exploitable : Yes
Release Date : 2007-05-21
Technical Description

A vulnerability has been identified in Gentoo, which could be exploited by remote attackers to bypass security checks. This issue is caused by an error in Apache mod_security. For additional information, see : FrSIRT/ADV-2007-0868

Affected Products

net-www/mod_security versions prior to 2.1.1

Solution

Upgrade the affected package :
# emerge --sync
# emerge --ask --oneshot --verbose ">=net-www/mod_security-2.1.1"

References

http://www.frsirt.com/english/advisories/2007/1879
http://www.gentoo.org/security/en/glsa/glsa-200705-17.xml

Red Hat update for gimp
by Marianna Schmudlach / May 21, 2007 1:51 AM PDT

TITLE:
Red Hat update for gimp

SECUNIA ADVISORY ID:
SA25346

VERIFY ADVISORY:
http://secunia.com/advisories/25346/

CRITICAL:
Moderately critical

IMPACT:
System access

WHERE:
From remote

OPERATING SYSTEM:
RedHat Enterprise Linux AS 2.1
http://secunia.com/product/48/
RedHat Enterprise Linux AS 3
http://secunia.com/product/2534/
RedHat Enterprise Linux AS 4
http://secunia.com/product/4669/
RedHat Enterprise Linux ES 2.1
http://secunia.com/product/1306/
RedHat Enterprise Linux ES 3
http://secunia.com/product/2535/
RedHat Enterprise Linux ES 4
http://secunia.com/product/4668/
RedHat Enterprise Linux WS 2.1
http://secunia.com/product/1044/
RedHat Enterprise Linux WS 3
http://secunia.com/product/2536/
RedHat Enterprise Linux WS 4
http://secunia.com/product/4670/
RedHat Linux Advanced Workstation 2.1 for Itanium
http://secunia.com/product/1326/
Red Hat Enterprise Linux Desktop Workstation (v. 5 client)
http://secunia.com/product/13651/
Red Hat Enterprise Linux (v. 5 server)
http://secunia.com/product/13652/
Red Hat Enterprise Linux Desktop (v. 5 client)
http://secunia.com/product/13653/

DESCRIPTION:
Red Hat has issued an update for gimp. This fixes a vulnerability,
which can be exploited by malicious people to compromise a user's
system.

For more information:
SA25012

SOLUTION:
Updated packages are available from Red Hat Network.
http://rhn.redhat.com

ORIGINAL ADVISORY:
https://rhn.redhat.com/errata/RHSA-2007-0343.html

OTHER REFERENCES:
SA25012:
http://secunia.com/advisories/25012/

Packeteer PacketShaper TCP ISN Generation Weakness
by Marianna Schmudlach / May 21, 2007 1:52 AM PDT

TITLE:
Packeteer PacketShaper TCP ISN Generation Weakness

SECUNIA ADVISORY ID:
SA25344

VERIFY ADVISORY:
http://secunia.com/advisories/25344/

CRITICAL:
Not critical

IMPACT:
Spoofing

WHERE:
From local network

OPERATING SYSTEM:
PacketWise 7.x
http://secunia.com/product/7652/

DESCRIPTION:
nnposter has reported a weakness in Packeteer PacketShaper, which can
be exploited by malicious people to spoof TCP connections.

The problem is that TCP ISNs (Initial Sequence Numbers) are generated
in a predictable way and can be exploited to spoof TCP connections.

The weakness is reported in versions 7.3.0g2 and 7.5.0g1. Other
versions may also be affected.

SOLUTION:
Restrict network access to the device management interfaces.

PROVIDED AND/OR DISCOVERED BY:
nnposter

Opera Torrent File Handling Buffer Overflow Vulnerability
by Marianna Schmudlach / May 21, 2007 3:09 AM PDT

TITLE:
Opera Torrent File Handling Buffer Overflow Vulnerability

SECUNIA ADVISORY ID:
SA25278

VERIFY ADVISORY:
http://secunia.com/advisories/25278/

CRITICAL:
Highly critical

IMPACT:
System access

WHERE:
From remote

SOFTWARE:
Opera 9.x
http://secunia.com/product/10615/

DESCRIPTION:
A vulnerability has been reported in Opera, which can be exploited by
malicious people to compromise a user's system.

The vulnerability is caused due to an error in the handling of
torrent files and can be exploited to cause a buffer overflow when a
user right-clicks a malicious torrent entry in the transfer manager.

Successful exploitation allows execution of arbitrary code.

The vulnerability is reported in versions prior to 9.21 for Windows.

SOLUTION:
Update to version 9.21.
http://www.opera.com/download/

PROVIDED AND/OR DISCOVERED BY:
The vendor credits iDefense Labs.

WordPress "admin-ajax.php" SQL Injection
by Marianna Schmudlach / May 21, 2007 3:10 AM PDT

TITLE:
WordPress "admin-ajax.php" SQL Injection

SECUNIA ADVISORY ID:
SA25345

VERIFY ADVISORY:
http://secunia.com/advisories/25345/

CRITICAL:
Moderately critical

IMPACT:
Manipulation of data, Exposure of sensitive information

WHERE:
From remote

SOFTWARE:
WordPress 2.x
http://secunia.com/product/6745/

DESCRIPTION:
Janek Vind has discovered a vulnerability in WordPress, which can be
exploited by malicious people to conduct SQL injection attacks.

Input passed to the "cookie" parameter in wp-admin/admin-ajax.php is
not properly sanitised before being used in SQL queries. This can be
exploited to manipulate SQL queries by injecting arbitrary SQL code.

Successful exploitation allows e.g. retrieving administrator password
hashes, but requires knowledge of the database table prefix.

The vulnerability is confirmed in version 2.1.3. Prior versions may
also be affected.

SOLUTION:
Update to version 2.2.

PROVIDED AND/OR DISCOVERED BY:
Janek Vind a.k.a. waraxe

ORIGINAL ADVISORY:
http://www.waraxe.us/advisory-50.html

LEADTOOLS LEAD Thumbnail Browser Control ActiveX Control Buffer Overflow
by Marianna Schmudlach / May 21, 2007 6:40 AM PDT

TITLE:
LEADTOOLS LEAD Thumbnail Browser Control ActiveX Control Buffer
Overflow

SECUNIA ADVISORY ID:
SA25376

VERIFY ADVISORY:
http://secunia.com/advisories/25376/

CRITICAL:
Highly critical

IMPACT:
System access

WHERE:
From remote

SOFTWARE:
LEADTOOLS LEAD Thumbnail Browser Control 14.x
http://secunia.com/product/14277/

DESCRIPTION:
shinnai has discovered a vulnerability in LEADTOOLS LEAD Thumbnail
Browser Control ActiveX control, which can be exploited by malicious
people to compromise a user's system.

The vulnerability is caused due to a boundary error in the LEAD
Thumbnail Browser Control (lttmb14E.ocx) ActiveX control when
handling the "BrowseDir()" method. This can be exploited to cause a
stack-based buffer overflow via an overly long argument passed to the
affected method.

Successful exploitation allows execution of arbitrary code when a
user visits a malicious web site.

The vulnerability is confirmed in version 14.5.0.44. Other versions
may also be affected.

SOLUTION:
Set the kill-bit for the affected ActiveX control.

PROVIDED AND/OR DISCOVERED BY:
shinnai

ORIGINAL ADVISORY:
http://moaxb.blogspot.com/2007/05/moaxb-19-leadtools-thumbnail-browser.html

LEADTOOLS LEAD Raster Thumbnail Object Library ActiveX Control Buffer Overflow
by Marianna Schmudlach / May 21, 2007 6:42 AM PDT

TITLE:
LEADTOOLS LEAD Raster Thumbnail Object Library ActiveX Control Buffer
Overflow

SECUNIA ADVISORY ID:
SA25331

VERIFY ADVISORY:
http://secunia.com/advisories/25331/

CRITICAL:
Highly critical

IMPACT:
System access

WHERE:
From remote

SOFTWARE:
LEADTOOLS LEAD Raster Thumbnail Object Library 14.x
http://secunia.com/product/14278/

DESCRIPTION:
shinnai has discovered a vulnerability in LEADTOOLS LEAD Raster
Thumbnail Object Library ActiveX control, which can be exploited by
malicious people to compromise a user's system.

The vulnerability is caused due to a boundary error in the LEAD
Raster Thumbnail Object Library (LTRTM14e.DLL) ActiveX control when
handling the "BrowseDir()" method. This can be exploited to cause a
stack-based buffer overflow via an overly long argument passed to the
affected method.

Successful exploitation allows execution of arbitrary code when a
user visits a malicious web site.

The vulnerability is confirmed in version 14.5.0.44. Other versions
may also be affected.

SOLUTION:
Set the kill-bit for the affected ActiveX control.

PROVIDED AND/OR DISCOVERED BY:
shinnai

ORIGINAL ADVISORY:
http://moaxb.blogspot.com/2007/05/moaxb-20-leadtools-raster-thumbnail.html
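
Both LEADTOOLS advisories above give "Set the kill-bit for the affected ActiveX control" as the workaround without saying how. The following is an added example, not part of either Secunia advisory or of LEADTOOLS' own software: it looks up the CLSIDs registered for the two control files named in the advisories (lttmb14E.ocx and LTRTM14e.DLL) and writes the kill-bit (Compatibility Flags = 0x400) under Internet Explorer's ActiveX Compatibility key, which is the mechanism Microsoft documents for blocking a control. It assumes the controls are registered on the machine and that the script runs from an elevated session.

```powershell
# Added example (not from the advisories): set the IE kill-bit for the LEADTOOLS
# controls named in SA25376 and SA25331. Run as Administrator.
$targetFiles = @('lttmb14E.ocx', 'LTRTM14e.DLL')   # file names taken from the advisories

# Expose HKEY_CLASSES_ROOT as a drive so we can walk HKCR:\CLSID.
if (-not (Get-PSDrive -Name HKCR -ErrorAction SilentlyContinue)) {
    New-PSDrive -Name HKCR -PSProvider Registry -Root HKEY_CLASSES_ROOT | Out-Null
}

# Collect every CLSID whose InprocServer32 default value points at one of the target files.
$clsids = foreach ($key in Get-ChildItem 'HKCR:\CLSID' -ErrorAction SilentlyContinue) {
    $server = (Get-ItemProperty -Path "$($key.PSPath)\InprocServer32" -ErrorAction SilentlyContinue).'(default)'
    if ($server) {
        $file = Split-Path -Leaf ([string]$server).Trim('"')
        if ($targetFiles -contains $file) { $key.PSChildName }   # e.g. {xxxxxxxx-...}
    }
}

if (-not $clsids) {
    Write-Warning "No CLSID registered for $($targetFiles -join ', '); nothing to kill-bit."
    return
}

# Kill-bit location(s). 32-bit IE on 64-bit Windows reads the Wow6432Node copy.
$compatPaths = @('HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility')
if ([Environment]::Is64BitOperatingSystem) {
    $compatPaths += 'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility'
}

foreach ($clsid in $clsids) {
    foreach ($base in $compatPaths) {
        $keyPath = Join-Path $base $clsid
        if (-not (Test-Path $keyPath)) { New-Item -Path $keyPath -Force | Out-Null }
        # 0x400 is the kill-bit: IE refuses to instantiate the control in any zone.
        Set-ItemProperty -Path $keyPath -Name 'Compatibility Flags' -Value 0x400 -Type DWord
        # Read it back so the change is verified rather than assumed.
        $flags = (Get-ItemProperty -Path $keyPath -Name 'Compatibility Flags').'Compatibility Flags'
        if ($flags -band 0x400) { Write-Output "Kill-bit set: $keyPath" }
        else { Write-Warning "Kill-bit NOT set: $keyPath" }
    }
}
```

The script keys on file names rather than hard-coded CLSIDs because the advisories list only the files; if you already know the CLSIDs from the vendor, replace the registry search with a fixed list. The kill-bit is a blocking measure for Internet Explorer only and does not patch the boundary error itself, so the control remains exploitable by any other host application that loads it until a fixed version is installed.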

RM EasyMail Plus "d" Cross-Site Scripting
by Marianna Schmudlach / May 21, 2007 8:09 AM PDT

TITLE:
RM EasyMail Plus "d" Cross-Site Scripting

SECUNIA ADVISORY ID:
SA25326

VERIFY ADVISORY:
http://secunia.com/advisories/25326/

CRITICAL:
Less critical

IMPACT:
Cross Site Scripting

WHERE:
From remote

SOFTWARE:
RM EasyMail Plus
http://secunia.com/product/14267/

DESCRIPTION:
John Martinelli has reported a vulnerability in RM EasyMail Plus,
which can be exploited by malicious people to conduct cross-site
scripting attacks.

Input passed to the "d" parameter in cp/ps/Main/login/Login is not
properly sanitised before it is returned to the user. This can be
exploited to execute arbitrary HTML and script code in a user's
browser session in context of an affected site.

SOLUTION:
Filter malicious requests in a proxy or firewall.

PROVIDED AND/OR DISCOVERED BY:
John Martinelli

ORIGINAL ADVISORY:
http://redlevel.org/wp-content/uploads/2007/05/rmeasymail.txt

GaliX Multiple Cross-Site Scripting Vulnerabilities
by Marianna Schmudlach / May 21, 2007 8:10 AM PDT

TITLE:
GaliX Multiple Cross-Site Scripting Vulnerabilities

SECUNIA ADVISORY ID:
SA25324

VERIFY ADVISORY:
http://secunia.com/advisories/25324/

CRITICAL:
Less critical

IMPACT:
Cross Site Scripting

WHERE:
From remote

SOFTWARE:
GaliX 2.x
http://secunia.com/product/14268/

DESCRIPTION:
John Martinelli has discovered some vulnerabilities in GaliX, which
can be exploited by malicious people to conduct cross-site scripting
attacks.

Input passed to the "galix_cat_detail", "galix_gal_detail", and
"galix_cat_detail_sort" parameters in index.php is not properly
sanitised before it is returned to the user. This can be exploited to
execute arbitrary HTML and script code in a user's browser session in
context of an affected site.

The vulnerabilities are confirmed in version 2.0. Other versions may
also be affected.

SOLUTION:
Edit the source code to ensure that input is properly sanitised.

PROVIDED AND/OR DISCOVERED BY:
John Martinelli

ORIGINAL ADVISORY:
http://redlevel.org/wp-content/uploads/2007/05/galix.txt

