Spyware, viruses, & security forum: VULNERABILITIES / FIXES - September 20, 2011

MetaServer RT Packet Processing Denial of Service Vulnerability

Release Date : 2011-09-20

Criticality level : Less critical
Impact : DoS
Where : From local network
Solution Status : Unpatched

Software: MetaServer RT 3.x

Description:
Luigi Auriemma has discovered a vulnerability in MetaServer RT, which can be exploited by malicious people to cause a DoS (Denial of Service).

The vulnerability is caused due to an error when processing certain packets and can be exploited to cause a crash via a specially crafted packet sent to TCP port 2194.

The vulnerability is confirmed in version 3.2.1.450. Other versions may also be affected.

Solution:
Restrict access to trusted hosts only.

Provided and/or discovered by:
Luigi Auriemma

Original Advisory:
http://aluigi.altervista.org/adv/metaserver_1-adv.txt

http://secunia.com/advisories/46059/

Release Date : 2011-09-20

Criticality level : Less critical
Impact : Cross Site Scripting
Where : From remote
Solution Status : Unpatched

Software: Gerry GuestBook 1.x

Description:
A vulnerability has been discovered in Gerry GuestBook, which can be exploited by malicious people to conduct cross-site scripting attacks.

Input passed via the "gbText" parameter to guestbook.php (when "sign" is set to "2") is not properly sanitised before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user's browser session in context of an affected site.

The vulnerability is confirmed in version 1.21. Other versions may also be affected.

Solution:
Edit the source code to ensure that input is properly sanitised.

Provided and/or discovered by:
Pr@fesOr X

http://secunia.com/advisories/46082/

Release Date : 2011-09-20

Criticality level : Highly critical
Impact : System access
DoS
Where : From remote
Solution Status : Vendor Patch

Operating System: Fedora 14

Description:
Fedora has issued an update for openttd. This fixes multiple vulnerabilities, which can be exploited by malicious people to cause a DoS (Denial of Service) and compromise a vulnerable system.

Solution:
Apply updated packages via the yum utility ("yum update openttd").

Original Advisory:
FEDORA-2011-12975:
http://lists.fedoraproject.org/pipermail/package-announce/2011-September/066128.html

http://secunia.com/advisories/46075/

Release Date : 2011-09-20

Criticality level : Moderately critical
Impact : System access
Where : From remote
Solution Status : Unpatched

Software: EViews 7.x

Description:
Luigi Auriemma has discovered a vulnerability in EViews, which can be exploited by malicious people to compromise a user's system.

The vulnerability is caused due to a boundary error when handling "subroutine" declarations within program files. This can be exploited to cause a heap-based buffer overflow via a specially crafted ".prg" file.

Successful exploitation may allow execution of arbitrary code, but requires tricking a user into opening a malicious file.

The vulnerability is confirmed in version 7.0.0.1. Other versions may also be affected.

Solution:
Do not open files from untrusted sources.

Provided and/or discovered by:
Luigi Auriemma

Original Advisory:
http://aluigi.altervista.org/adv/eviews_1-adv.txt

http://secunia.com/advisories/46094/

Red Hat Multiple JBoss Products Web Services Native Denial of Service Vulnerability

Release Date : 2011-09-20

Criticality level : Less critical
Impact : Dos
Where : From remote
Solution Status : Vendor Patch

Software: JBoss Communications Platform 1.x
JBoss Communications Platform 5.x
JBoss Enterprise Application Platform 5.x
JBoss Enterprise BRMS Platform 5.x
JBoss Enterprise Portal Platform 4.x
JBoss Enterprise Portal Platform 5.x
JBoss Enterprise SOA Platform 4.x
JBoss Enterprise SOA Platform 5.x
JBoss Enterprise Web Platform 5.x
Red Hat JBoss Enterprise Application Platform 4.2.x
Red Hat JBoss Enterprise Application Platform 4.3.x

Description:
Red Hat has acknowledged a vulnerability in multiple JBoss products, which can be exploited by malicious people to cause a DoS (Denial of Service).

The vulnerability is caused due to an error within JBoss Web Services Native when handling recursive entity resolution with embedded DTDs (Document Type Definitions), which can be exploited to cause CPU resource exhaustion by using a specially crafted POST HTTP request.

The vulnerability is reported in the following products (please see vendor's advisories for details):
* JBoss Communications Platform 1.2.11
* JBoss Communications Platform 5.1.1
* JBoss Enterprise Application Platform 4.2.0.CP09
* JBoss Enterprise Application Platform 4.3.0
* JBoss Enterprise Application Platform 5.1.1
* JBoss Enterprise BRMS Platform 5.1.0
* JBoss Enterprise Portal Platform 4.3.CP06
* JBoss Enterprise Portal Platform 5.1.1
* JBoss Enterprise SOA Platform 4.2.CP05 and 4.3.CP05
* JBoss Enterprise SOA Platform 5.1.0
* JBoss Enterprise Web Platform 5.1.1

Solution:
Updated packages are available via Red Hat Network.

Original Advisory:
Red Hat Bug#692584:
https://bugzilla.redhat.com/show_bug.cgi?id=692584

RHSA-2011:1301-01:
https://rhn.redhat.com/errata/RHSA-2011-1301.html

RHSA-2011:1302-01:
https://rhn.redhat.com/errata/RHSA-2011-1302.html

RHSA-2011:1303-01:
https://rhn.redhat.com/errata/RHSA-2011-1303.html

RHSA-2011:1304-01:
https://rhn.redhat.com/errata/RHSA-2011-1304.html

RHSA-2011:1305-01:
https://rhn.redhat.com/errata/RHSA-2011-1305.html

RHSA-2011:1306-01:
https://rhn.redhat.com/errata/RHSA-2011-1306.html

RHSA-2011:1307-01:
https://rhn.redhat.com/errata/RHSA-2011-1307.html

RHSA-2011:1308-01:
https://rhn.redhat.com/errata/RHSA-2011-1308.html

RHSA-2011:1309-01:
https://rhn.redhat.com/errata/RHSA-2011-1309.html

RHSA-2011:1310-01:
https://rhn.redhat.com/errata/RHSA-2011-1310.html

RHSA-2011:1311-01:
https://rhn.redhat.com/errata/RHSA-2011-1311.html

RHSA-2011:1312-01:
https://rhn.redhat.com/errata/RHSA-2011-1312.html

RHSA-2011:1313-01:
https://rhn.redhat.com/errata/RHSA-2011-1313.html

http://secunia.com/advisories/46048/

WordPress AllWebMenus Plugin "abspath" File Inclusion Vulnerability

Release Date : 2011-09-20

Criticality level : Highly critical
Impact : System access
Where : From remote
Solution Status : Vendor Patch

Software: WordPress AllWebMenus Plugin 1.x

Description:
Ben Schmidt has discovered a vulnerability in the AllWebMenus plugin for WordPress, which can be exploited by malicious people to compromise a vulnerable system.

Input passed via the "abspath" parameter to wp-content/plugins/allwebmenus-wordpress-menu-plugin/actions.php is not properly verified before being used to include files. This can be exploited to include arbitrary files from local or external resources.

The vulnerability is confirmed in version 1.1.3. Prior versions may also be affected.

Solution:
Update to version 1.1.4.

Provided and/or discovered by:
Ben Schmidt

Original Advisory:
AllWebMenus:
http://plugins.trac.wordpress.org/changeset/438959/allwebmenus-wordpress-menu-plugin/trunk/actions.php?old=408304&old_path=allwebmenus-wordpress-menu-plugin%2Ftrunk%2Factions.php

Ben Schmidt:
http://spareclockcycles.org/2011/09/18/exploitring-the-wordpress-extension-repos/

http://secunia.com/advisories/46068/

WordPress Mailing List Plugin "wpabspath" File Inclusion Vulnerability

Release Date : 2011-09-20

Criticality level : Highly critical
Impact : System access
Where : From remote
Solution Status : Vendor Patch

Software: WordPress Mailing List Plugin 1.x

Description:
Ben Schmidt has discovered a vulnerability in the Mailing List plugin for WordPress, which can be exploited by malicious people to compromise a vulnerable system.

Input passed via the "wpabspath" parameter to e.g. wp-content/plugins/mailz/lists/lt.php or wp-content/plugins/mailz/lists/index.php is not properly verified in wp-content/plugins/mailz/lists/config/config.php before being used to include files. This can be exploited to include arbitrary files from local or external resources.

The vulnerability is confirmed in version 1.3.3. Prior versions may also be affected.

Solution:
Update to version 1.3.4 or later.

Provided and/or discovered by:
Ben Schmidt

Original Advisory:
WordPress Mailing List Plugin:
http://wordpress.org/extend/plugins/mailz/changelog

Ben Schmidt:
http://spareclockcycles.org/2011/09/18/exploitring-the-wordpress-extension-repos/

http://secunia.com/advisories/46040/

WordPress Annonces Plugin "abspath" and "mainPluginFile" File Inclusion Vulnerabilities

Release Date : 2011-09-20

Criticality level : Highly critical
Impact : System access
Where : From remote
Solution Status : Unpatched

Software: WordPress Annonces Plugin 1.x

Description:
Two vulnerabilities have been discovered in the Annonces plugin for WordPress, which can be exploited by malicious people to compromise a vulnerable system.

1) Input passed via the "abspath" parameter to wp-content/plugins/annonces/includes/lib/photo/uploadPhoto.php is not properly verified before being used to include files. This can be exploited to include arbitrary files from local or external resources.

2) Input passed via the "mainPluginFile" parameter to wp-content/plugins/annonces/includes/lib/photo/uploadPhoto.php (when "abspath" is set to e.g. "../../../../../../") is not properly verified before being used to include files. This can be exploited to include arbitrary files from local or external resources.

The vulnerabilities are confirmed in version 1.2.0.0. Other versions may also be affected.

Solution:
Edit the source code to ensure that input is properly verified.

Provided and/or discovered by:
1, 2) Ben Schmidt. Additional information provided by Secunia Research.

Original Advisory:
Ben Schmidt:
http://spareclockcycles.org/2011/09/18/exploitring-the-wordpress-extension-repos/

http://secunia.com/advisories/46070/

Release Date : 2011-09-20

Criticality level : Moderately critical
Impact : System access
DoS
Where : From remote
Solution Status : Vendor Patch

Operating System: Ubuntu Linux 10.04
Ubuntu Linux 10.10

Description:
Ubuntu has issued an update for ffmpeg. This fixes multiple vulnerabilities, which can be exploited by malicious people to cause a DoS (Denial of Service) and potentially compromise an application using the library.

Solution:
Apply updated packages.

Original Advisory:
USN-1209-1:
https://lists.ubuntu.com/archives/ubuntu-security-announce/2011-September/001419.html

http://secunia.com/advisories/46062/

Release Date : 2011-09-20

Criticality level : Less critical
Impact : Cross Site Scripting
Where : From remote
Solution Status : Vendor Patch

Software: Pligg CMS 1.x

Description:
Multiple vulnerabilities have been discovered in Pligg CMS, which can be exploited by malicious people to conduct cross-site scripting attacks.

1) Input passed to the "date" parameter in search.php (when "advancedsearch" is set to any value) is not properly sanitised before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user's browser session in context of an affected site.

This vulnerability is confirmed in version 1.1.4. Other versions may also be affected.

2) Input passed to the "return" parameter in login.php, "q" and "search" parameters in search.php, and "page" parameter in index.php is not properly sanitised before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user's browser session in context of an affected site.

3) Input passed to the "keyword" parameter in user.php (when "view" is set to "search") is not properly sanitised before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user's browser session in context of an affected site.

These vulnerabilities are confirmed in version 1.1.5. Prior versions may also be affected.

Solution:
Update to version 1.2.0.

Provided and/or discovered by:
1) Sow Ching Shiong, via Secunia.

Additional information about vulnerabilities #2 and #3 provided by Secunia Research.

Original Advisory:
http://forums.pligg.com/current-version/24251-pligg-content-management-system-1-2-0-download.html

http://secunia.com/advisories/44352/

Release Date : 2011-09-20

Criticality level : Less critical
Impact : Cross Site Scripting
Where : From remote
Solution Status : Unpatched

Software: JasperServer 3.x

Description:
A vulnerability has been reported in JasperServer, which can be exploited by malicious people to conduct cross-site request forgery attacks.

The vulnerability is caused due to the application allowing users to perform certain actions via HTTP requests without performing proper validity checks to verify the requests. This can be exploited to e.g. add new users when a logged-in administrator visits a specially crafted web page.

The vulnerability is reported in JasperServer version 3.7.0 CE and 3.7.1 CE. Other versions may also be affected.

Solution:
Do not browse untrusted websites while being logged in to the application.

Provided and/or discovered by:
Jose Vila Montaner, S2Grupo CSIRT-cv.

Original Advisory:
http://www.csirtcv.gva.es/sites/all/files/images/content/%5BCSIRT-cv%5D%20JasperServer%203.7.0%20CE%20CSRF%20Advisory.pdf

http://secunia.com/advisories/46023/