

Alerts Archive - Dec 2009

Last Update: 31 Dec 2009

AproxEngine Multiple Vulnerabilities
updated: 2-Jan-10
Some vulnerabilities were reported in AproxEngine 5.3.04 and AproxEngine 6.0, which can be exploited by malicious users to manipulate certain data, conduct spoofing, SQL injection, and script insertion attacks and by malicious people to conduct SQL injection and script insertion attacks.

Ensure that "magic_quotes_gpc" is enabled and grant only trusted users administrative access to the application.

Reference
http://secunia.com/secunia_research/2009-2/
SQL-Ledger Multiple Vulnerabilities
updated: 2-Jan-10
Multiple vulnerabilities were found in SQL-Ledger 2.8.24, namely Cross-Site-Request-Forgery (XSRF), persistent cross site scripting, SQL injection, local file inclusion, and secure cookie flag not set. Successful exploitation allows attacks on the confidentiality and availability of business-critical data stored within SQL-Ledger.

Ruby on Rails Multiple Vulnerabilities
updated: 2-Jan-10
Multiple vulnerabilities have been discovered in Rails < 2.2.2, the worst of which leads to the execution of arbitrary SQL statements.

A remote attacker could send specially crafted requests to a vulnerable application, possibly leading to the execution of arbitrary SQL statements or a circumvention of access control. A remote attacker could also conduct session fixation attacks to hijack a user's session or bypass the CSRF protection mechanism, or furthermore conduct Cross-Site Scripting attacks or forge a digest via multiple attempts.

Upgrade to the latest version.

Reference
http://security.gentoo.org/glsa/glsa-200912-02.xml
Hewlett-Packard OpenView Data Protector Backup Client Service Buffer Overflow
updated: 2-Jan-10
Hewlett-Packard OpenView Data Protector contains a flaw within the backup client service daemon (OmniInet.exe), which binds to TCP port 5555. During the processing of long arguments to the 'MSG_PROTOCOL' command, a stack based buffer overflow occurs and can result in code execution under the context of the daemon.

This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Hewlett-Packard Storage Data Protector. Authentication is not required to exploit this vulnerability.

Install the update from HP.

Reference
http://www.zerodayinitiative.com/advisories/ZDI-09-099
http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c01124817
HP OpenView Data Protector Cell Manager Heap Overflow
updated: 2-Jan-10
Hewlett-Packard OpenView contains a flaw within the Cell Manager Database Service, rds.exe, which binds to TCP port 1530. The service receives socket data via _ncp32._NtrpTCPReceiveMsg().

This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Hewlett-Packard OpenView Data Protector. Authentication is not required to exploit this vulnerability.

Reference
http://dvlabs.tippingpoint.com/advisory/TPTI-09-15
Multiple Cisco WebEx WRF Player Vulnerabilities
updated: 2-Jan-10
Multiple buffer overflow vulnerabilities exist in the Cisco WebEx Recording Format (WRF) Player. In some cases, exploitation of the vulnerabilities could allow a remote attacker to execute arbitrary code on the system of a targeted user.

Install the software updates from Cisco.

Reference
http://www.cisco.com/warp/public/707/cisco-sa-20091216-webex.shtml
HP OpenView Storage Data Protector, Remote Arbitrary Code Execution
updated: 2-Jan-10
Potential security vulnerabilities have been identified with HP OpenView Storage Data Protector running on HP-UX, Windows, Linux and Solaris. These vulnerabilities could be exploited remotely to execute arbitrary code.

HP OpenView Data Protector Application Recovery Manager v5.50 and v6.0 are affected. Install the fix from HP.

Winamp Impulse Tracker Instrument Parsing Buffer Overflows
updated: 2-Jan-10
Three vulnerabilities were found in Winamp 5.56, which can be exploited by malicious people to compromise a user's system.

The vulnerabilities are caused by boundary errors in the Module Decoder Plug-in (IN_MOD.DLL) when parsing instrument definitions and can be exploited to cause heap-based buffer overflows via a specially crafted Impulse Tracker file.

Successful exploitation may allow execution of arbitrary code. Update to version 5.57.

Reference
http://secunia.com/secunia_research/2009-52/
Winamp Ultratracker File Parsing Buffer Overflow
updated: 2-Jan-10
Winamp 5.56 Media Player contains an error in the Module Decoder Plug-in (IN_MOD.DLL) when parsing Ultratracker files and can be exploited to cause a heap-based buffer overflow.

Successful exploitation may allow execution of arbitrary code. Update to version 5.57.

Reference
http://secunia.com/secunia_research/2009-56/
Authentication Bypass and File Manipulation in Sitecore Staging Module
updated: 2-Jan-10
The Staging Webservice (normally found in "/sitecore modules/staging/service/api.asmx") used for transmitting files between the Sitecore Master and Slave Server is vulnerable to authentication bypass.

An attacker is able to upload a shell, modify or delete sensitive data or gain the whole source code of the application. Furthermore it is possible to retrieve directory listings of directories of the whole server and the webroot. All these actions are performed with the rights of the webserver user. One tested server allowed us to compromise the whole server by uploading a shell into the webroot.

Sitecore Staging Module <= v5.4.0 rev.080625 is affected. Upgrade to the latest version.

Reference
https://www.sec-consult.com/advisories_e.html#a63
Winamp Impulse Tracker Sample Parsing Buffer Overflow
updated: 2-Jan-10
Winamp 5.56 Media Player contains a boundary error in the Module Decoder Plug-in (IN_MOD.DLL) when parsing samples and can be exploited to cause a heap-based buffer overflow via a specially crafted Impulse Tracker file.

Successful exploitation may allow execution of arbitrary code. Update to version 5.57.

Reference
http://secunia.com/secunia_research/2009-53/
Cisco ASA <= 8.x VPN SSL module Clientless URL-list Control Bypass
updated: 2-Jan-10
Cisco VPN SSL Clientless lets administrators define rules for specific targets within the private network that WebVPN users are allowed to access. These targets are published as links on the VPN SSL home page. The links (URLs) are protected (obfuscated) only by applying a ROT13 substitution and converting the ASCII characters to hexadecimal.

A user with a valid account but without the "URL entry" privilege can access any internal or external resource simply by taking a URL, encoding it with ROT13, converting the ASCII characters to hexadecimal, and appending the resulting string to the Cisco VPN SSL URL.

Always configure a "webtype" ACL and apply it with "filter" to restrict access in WebVPN SSL (this is not enabled by default). The advisory is now published on Cisco's site.

Reference
http://tools.cisco.com/security/center/viewAlert.x?alertId=19609
Winamp Oktalyzer Parsing Integer Overflow Vulnerability
updated: 2-Jan-10
Winamp 5.56 Media Player contains an integer overflow error in the Module Decoder Plug-in (IN_MOD.DLL) when parsing Oktalyzer files. Successful exploitation may allow execution of arbitrary code.

Update to version 5.57.

Reference
http://secunia.com/secunia_research/2009-57/
PasswordManager Pro 6.1 Script Injection Vulnerability
updated: 2-Jan-10
An input validation error was reported in PasswordManager Pro 6.1, which enables an attacker to perform various web-based attacks.

The processing method for the search function fails to perform proper input validation on the data that is being submitted via HTTP GET. The parameter "searchtext" lacks validation and is therefore vulnerable to script injection. While there is a basic input filtering method in place, it fails to detect more advanced (e.g. encoded) payloads. Other parts of the application might be affected too.

Upgrade to a safer version.

Reference
http://forums.manageengine.com/#Topic/49000003740390
VMware vCenter, ESX Patch and vCenter Lab Manager Releases Address Cross-Site Scripting
updated: 2-Jan-10
VMware vCenter and ESX update releases address cross-site scripting issues in the Help functionality of WebAccess. A vCenter Lab Manager release addresses the same issues which are present in the online Help functionality of Lab Manager and Stage Manager.

Reference
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3731
Kaspersky Lab Multiple Products Local Privilege Escalation Vulnerability
updated: 2-Jan-10
Insecure permissions have been detected in multiple Kaspersky Lab antivirus products. The "Everyone" group has "Full Control" rights to the BASES folder. The folder contains antivirus databases, configuration files and executable modules. A local attacker (unprivileged user) can replace some files (for example, executable modules) with malicious ones and execute arbitrary code with SYSTEM privileges. This is a local privilege escalation vulnerability.

Install the fix from vendor.

APC Switched Rack PDU XSS Vulnerability
updated: 2-Jan-10
The APC Switched Rack PDU web administration login page is prone to a cross-site scripting vulnerability because the application fails to sufficiently sanitize user-supplied input.

The script "login1" located in the Forms directory fails to properly sanitize user input data in the login_username field.

E-Store SQL Injection Vulnerability
updated: 2-Jan-10
E-Store is affected by a SQL Injection bug. The GET "where" parameter passed to SearchResults.php is not properly sanitised. Because of the form of the affected query, the injection is possible even when the Magic Quotes GPC flag (php.ini) is on.

phpCollegeExchange Multiple SQL Injection
updated: 2-Jan-10
PhpCollegeExchange 0.1.5C is affected by many SQL Injection flaws.

Using a SQL Injection in the login process, a guest can bypass the authentication. In order to exploit it, the Magic Quotes GPC flag must be Off.

Besides, searchend.php is affected by multiple SQL injection issues that allow a guest to view reserved information stored into the database.

Another SQL injection may be seen in forgotpass.php. It can be manipulated to send the password of a registered user to an arbitrary email address, provided the AES key is known.

Reference
http://poc.salvatorefresta.net/PoC-phpCollegeExchange.txt
Certain HP Color LaserJet Printers, Remote Unauthorized Access to Data, Denial of Service
updated: 2-Jan-10
A potential security vulnerability has been identified with certain HP Color LaserJet printers. The vulnerability could be exploited remotely to gain unauthorized access to data or to create a Denial of Service (DoS).

HP Color LaserJet M3530 Multifunction Printer with firmware 53.021.2 (earlier versions are not vulnerable) HP Color LaserJet CP3525 Printer with firmware 05.058.4 (earlier versions are not vulnerable) are affected.

Install the firmware updates from HP.

HP OpenView Network Node Manager Remote Execution of Arbitrary Code
updated: 2-Jan-10
Potential security vulnerabilities have been identified with HP OpenView Network Node Manager (OV NNM). These vulnerabilities could be exploited remotely to execute arbitrary code.

HP OpenView Network Node Manager (OV NNM) v7.01, v7.51, v7.53 running on HP-UX, Linux, Solaris, and Windows are affected. Install the patch from HP.

Reference
http://support.openview.hp.com/selfsolve/patches
Camino 1.6.10 Remote Array Overrun
updated: 2-Jan-10
A remote array overrun vulnerability was reported in Camino 1.6.10. The main problem exists in the dtoa implementation. Camino uses the same dtoa as Firefox, SeaMonkey, Chrome, Opera etc.

Upgrade to Camino 2.0.

Reference
http://securityreason.com/achievement_securityalert/76
Symantec Multiple Products VRTSweb.exe Remote Code Execution
updated: 2-Jan-10
A remote code execution vulnerability was reported within the VRTSweb.exe Web Server component of Symantec products, which listens by default on TCP ports 8181, 8443, and 14300. The process fails to properly validate an authentication request made to port 14300.

By providing a specific request an attacker can bypass the authentication and instruct the process to unpack and execute data within an arbitrary WAR file. This can be leveraged to execute arbitrary code under the context of the SYSTEM user.

Symantec Symantec Backup Exec Continuous Protection Server, Symantec Veritas CommandCentral Storage, Symantec Veritas Cluster Server, Symantec Veritas Traffic Director, Symantec Veritas NetBackup and Symantec Veritas Storage Foundation are affected.

Install the update from Symantec.

Reference
http://www.zerodayinitiative.com/advisories/ZDI-09-098
http://www.symantec.com/business/security_response/securityupdates/detail.jsp?fid=security_advisory&pvid=security_advisory&year=2009&suid=20091209_00
Multiple XSS and Injection Vulnerabilities in TestLink Test Management and Execution System
updated: 2-Jan-10
XSS and SQL injection vulnerabilities have been discovered in Testlink 1.8.4 or prior. One of the XSS vulnerabilities, discovered in its login screen, can be exploited without an authenticated session.

Upgrade to a non-vulnerable version, such as 1.8.5.

Reference
http://www.coresecurity.com/content/testlink-multiple-injection-vulnerabilities
Novell iPrint Client Date/Time Parsing Buffer Overflow
updated: 2-Jan-10
Novell iPrint Client 4.38 and 5.30 contain a vulnerability caused by a boundary error in the parsing of certain time information, which can be exploited to cause a stack-based buffer overflow via overly long strings passed to certain parameters and methods.

Successful exploitation allows execution of arbitrary code when a user e.g. views a malicious web page.

Update to version 5.32.

Reference
http://secunia.com/secunia_research/2009-44/
Adobe Flash Player ActionScript Exception Handler Integer Overflow Vulnerability
updated: 2-Jan-10
An integer overflow vulnerability exists in the generation of ActionScript exception handlers of Adobe Flash Player. In Verifier::parseExceptionHandlers(), a large value for exception_count will result in an integer overflow condition leading to a memory corruption which can be leveraged to execute arbitrary code under the context of the currently logged in user.

Install the update from Adobe.

Reference
http://www.zerodayinitiative.com/advisories/ZDI-09-093
http://www.adobe.com/support/security/bulletins/apsb09-19.html
Adobe Flash Player JPEG Parsing Heap Overflow Vulnerability
updated: 2-Jan-10
Adobe Flash Player contains a flaw when parsing JPEG dimensions contained within an SWF file. Due to the lack of sanity checking when calculating the frame size of an image, it is possible to overflow a heap-based buffer. Successful exploitation of this issue can lead to remote system compromise under the credentials of the currently logged in user.

Install the update from Adobe.

Reference
http://www.zerodayinitiative.com/advisories/ZDI-09-092
http://www.adobe.com/support/security/bulletins/apsb09-19.html
PHPIDS Unserialize() Vulnerability
updated: 2-Jan-10
PHPIDS <= 0.6.2 calls unserialize() on user input, which allows an attacker to send a carefully crafted cookie that, when unserialized, can make use of existing classes. In Zend Framework applications this can, for example, lead to the upload of arbitrary files or execution of arbitrary PHP code.

Upgrade to the latest version of PHPIDS.

Reference
http://www.suspekt.org/downloads/RSS09-WebApplicationFirewallBypassesAndPHPExploits.pdf
Security Notice for CA Service Desk
updated: 2-Jan-10
A cross-site scripting vulnerability exists in CA Service Desk 12.1 that can allow a remote attacker to potentially gain sensitive information. CA has issued patches to address the vulnerability.

Reference
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-4149
MS09-073 - Vulnerability in WordPad and Office Text Converters Could Allow Remote Code Execution
updated: 2-Jan-10
A vulnerability was reported in Microsoft WordPad and Microsoft Office text converters. The vulnerability could allow remote code execution if a specially crafted Word 97 file is opened in WordPad or Microsoft Office Word. An attacker who successfully exploited this vulnerability could gain the same privileges as the user. Users whose accounts are configured to have fewer privileges on the system could be less impacted than users who operate with administrative privileges.

Office 2003 SP3, Office XP SP3, Works 8.5 Gold, Office Converter Pack, Word 2002 SP3, and Word 2003 SP3 are affected. Install the update from Microsoft.

Reference
http://www.microsoft.com/technet/security/Bulletin/MS09-073.mspx
MS09-070 - Vulnerabilities in Active Directory Federation Services Could Allow Remote Code Execution
updated: 2-Jan-10
Two vulnerabilities were reported in Microsoft Windows 2003 and 2008. The more severe of these vulnerabilities could allow remote code execution if an attacker sent a specially crafted HTTP request to an ADFS-enabled Web server. An attacker would need to be an authenticated user in order to exploit either of these vulnerabilities.

Install the update from Microsoft.

Reference
http://www.microsoft.com/technet/security/Bulletin/MS09-070.mspx
MS09-069 - Vulnerability in Local Security Authority Subsystem Service Could Allow Denial of Service
updated: 2-Jan-10
A vulnerability was reported in Microsoft Windows 2000, 2003 and XP. The vulnerability could allow a denial of service if a remote, authenticated attacker, while communicating through Internet Protocol security (IPsec), sends a specially crafted ISAKMP message to the Local Security Authority Subsystem Service (LSASS) on an affected system.

Install the update from Microsoft.

Reference
http://www.microsoft.com/technet/security/Bulletin/MS09-069.mspx
MS09-072 - Cumulative Security Update for Internet Explorer
updated: 2-Jan-10
Five vulnerabilities were reported in Internet Explorer. The vulnerabilities could allow remote code execution if a user views a specially crafted Web page using Internet Explorer. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.

An ActiveX control built with Microsoft Active Template Library (ATL) headers could also allow remote code execution; this vulnerability has been described in Microsoft Security Advisory 973882 and Microsoft Security Bulletin MS09-035.

Install the update from Microsoft.

Reference
http://www.microsoft.com/technet/security/Bulletin/MS09-072.mspx
MS09-074 - Vulnerability in Microsoft Office Project Could Allow Remote Code Execution
updated: 2-Jan-10
A vulnerability was reported in Microsoft Office Project, which could allow remote code execution if a user opens a specially crafted Project file. An attacker who successfully exploited this vulnerability could take complete control of an affected system.

Project 2003, Project 2002, and Project 2000 are affected. Install the update from Microsoft.

Reference
http://www.microsoft.com/technet/security/Bulletin/MS09-074.mspx
MS09-071 - Vulnerabilities in Internet Authentication Service Could Allow Remote Code Execution
updated: 2-Jan-10
Two vulnerabilities were reported in Microsoft Windows. The more severe of these vulnerabilities could allow remote code execution if messages received by the Internet Authentication Service server are copied incorrectly into memory when handling PEAP authentication attempts. On Windows Server 2008, the Internet Authentication Service is replaced by Network Policy Server (NPS).

An attacker who successfully exploited either of these vulnerabilities could take complete control of an affected system. Servers using Internet Authentication Service or Network Policy Server are only affected when using PEAP with MS-CHAP v2 authentication.

Install the update from Microsoft.

Reference
http://www.microsoft.com/technet/security/Bulletin/MS09-071.mspx
Novell iPrint Client "target-frame" Parameter Buffer Overflow
updated: 2-Jan-10
Novell iPrint Client 5.30 has a vulnerability, which can be exploited by malicious people to compromise a user's system.

The vulnerability is caused by a boundary error in ienipp.ocx when parsing the "target-frame" parameter and can be exploited to cause a stack-based buffer overflow via an overly long parameter value. Successful exploitation allows execution of arbitrary code when a user e.g. views a malicious web page.

Update to version 5.32.

Reference
http://secunia.com/secunia_research/2009-40/
Roxio Creator Image Rendering Integer Overflow
updated: 2-Jan-10
Roxio Easy Media Creator 9.0.136 and Roxio Creator 2010 contain a vulnerability, which can be exploited by malicious people to potentially compromise a user's system.

The vulnerability is caused by an integer overflow error when allocating memory for an image based on its dimensions and can be exploited to corrupt memory via a specially crafted image. Successful exploitation may allow execution of arbitrary code.

Apply Creator 2010 SP1.

Reference
http://secunia.com/secunia_research/2009-38/
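The Adobe Flash Player exception-handler issue above (a large exception_count driving an allocation) and this Roxio issue (width and height driving an allocation) are the same bug class: an attacker-controlled count or dimension is multiplied into a buffer size without checking that the product fits, so the allocation is far smaller than the data later written into it. The following C program is an added example written for this archive, not code from Adobe, Roxio, ZDI or Secunia; the field names, the sane upper bounds and the entry sizes are assumptions for illustration. It shows the unchecked computation wrapping to a tiny size, and the checked form a parser should use instead, which rejects the file rather than clamping the value.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Assumed upper bounds: any file claiming more than this is rejected.
 * Real formats would use limits derived from their specification. */
#define MAX_EXCEPTION_HANDLERS 65535u
#define MAX_IMAGE_DIM          16384u

/* Multiply two sizes and report overflow instead of silently wrapping.
 * Returns 1 and stores a*b in *out on success, 0 if the product would not
 * fit in a size_t. */
static int mul_size_checked(size_t a, size_t b, size_t *out)
{
    if (a != 0 && b > SIZE_MAX / a)
        return 0;
    *out = a * b;
    return 1;
}

/* The vulnerable pattern: a 32-bit count from the file times the entry size,
 * computed in 32-bit arithmetic. Unsigned wrap-around is well defined in C,
 * so a huge count yields a small (even zero) allocation size. */
uint32_t unchecked_table_bytes(uint32_t count, uint32_t entry_size)
{
    return count * entry_size;
}

/* The fixed pattern: bound the count, then multiply with overflow detection.
 * Returns the byte size to allocate, or 0 meaning "reject this file". */
size_t checked_table_bytes(uint32_t count, size_t entry_size)
{
    size_t bytes;
    if (count == 0 || count > MAX_EXCEPTION_HANDLERS)
        return 0;
    if (!mul_size_checked(count, entry_size, &bytes))
        return 0;
    return bytes;
}

/* Same discipline for an image frame: width * height * bytes-per-pixel,
 * the shape of the Roxio and Flash JPEG dimension issues. */
uint32_t unchecked_image_bytes(uint32_t width, uint32_t height, uint32_t bpp)
{
    return width * height * bpp;   /* wraps for large dimensions */
}

size_t checked_image_bytes(uint32_t width, uint32_t height, uint32_t bpp)
{
    size_t bytes;
    if (width == 0 || height == 0 ||
        width > MAX_IMAGE_DIM || height > MAX_IMAGE_DIM)
        return 0;
    if (bpp == 0 || bpp > 4)             /* assumed: 1..4 bytes per pixel */
        return 0;
    if (!mul_size_checked(width, height, &bytes))
        return 0;
    if (!mul_size_checked(bytes, bpp, &bytes))
        return 0;
    return bytes;
}

int main(void)
{
    /* Constructed hostile header values: count 0x40000000 with 8-byte
     * entries wraps 2^33 to 0; a 65536x65536 1-bpp image wraps 2^32 to 0. */
    uint32_t hostile_count = 0x40000000u;
    printf("unchecked table bytes: %u\n", unchecked_table_bytes(hostile_count, 8));
    printf("checked table bytes:   %zu (0 = reject)\n", checked_table_bytes(hostile_count, 8));
    printf("unchecked image bytes: %u\n", unchecked_image_bytes(65536u, 65536u, 1));
    printf("checked image bytes:   %zu (0 = reject)\n", checked_image_bytes(65536u, 65536u, 1));
    printf("sane 640x480x4 image:  %zu\n", checked_image_bytes(640u, 480u, 4));
    return 0;
}
```

The two checks matter independently: the upper bound alone stops the wrap in 32-bit builds, and the overflow-aware multiply catches products that exceed the platform's size_t even when each factor is within bounds. Returning 0 and failing the parse is deliberate; clamping a hostile dimension to the maximum would keep the file "valid" while the later copy loop still uses the original, larger count.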
OpenSSL Multiple Vulnerabilities
updated: 2-Jan-10
Multiple vulnerabilities were reported in OpenSSL < 0.9.8l-r2, which might allow remote attackers to conduct multiple attacks, including the injection of arbitrary data into encrypted byte streams.

A remote unauthenticated attacker, acting as a Man in the Middle, could inject arbitrary plain text into a TLS session, possibly leading to the ability to send requests as if authenticated as the victim. A remote attacker could furthermore send specially crafted DTLS packets to a service using OpenSSL for DTLS support, possibly resulting in a Denial of Service. Also, a remote attacker might be able to create rogue certificates, facilitated by an MD2 collision. NOTE: The amount of computation needed for this attack is still very large.

Upgrade to the latest version.

Reference
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1377
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1378
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1379
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1387
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2409
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3555
PHP Multiple Issues
updated: 2-Jan-10
PHP, an open source scripting language, suffers from several bugs that may pose a security risk.

Issues have been discovered in several API functions; they include buffer overflows, near-null reads/writes, arbitrary memory reads and an off-by-one issue. Some of the issues have been previously reported in older versions of PHP, but they either have not been fixed or were re-introduced at a later time. The issues have been discovered in both core and, in some cases, PECL functions/classes/methods.

Upgrade to PHP >= 5.3.1.

Reference
http://www.ocert.org/advisories/ocert-2009-017.html