Spyware, viruses, & security forum: VULNERABILITIES / FIXES - April 17, 2012

Joomla! Phoca Favicon Component Insecure Directory Permissions Weakness

Release Date : 2012-04-17

Criticality level : Not critical
Impact : Security Bypass
Manipulation of data
Privilege escalation
Where : Local system
Solution Status : Unpatched

Software: Phoca Favicon 2.x (Joomla! component)

Description:
A weakness has been reported in the Phoca Favicon component for Joomla!, which can be exploited by malicious, local users to manipulate certain data and potentially gain escalated privileges.

The weakness is caused due to the component setting insecure permissions (777) for the "images/phocafavicon" folder. This can be exploited to e.g. modify, create, or delete files contained in the folder.

The weakness is reported in version 2.0.2. Other versions may also be affected.

Solution:
Modify the directory permissions to restrict access.

Provided and/or discovered by:
Reported by the Joomla! VEL team.

Original Advisory:
Joomla:
http://docs.joomla.org/Vulnerable_Extensions_List#Phoca_Fav_Icon

http://secunia.com/advisories/48806/

Release Date : 2012-04-17

Criticality level : Moderately critical
Impact : System access
Where : From local network
Solution Status : Vendor Patch

Operating System: openSUSE 12.1

Description:
SUSE has issued an update for samba. This fixes two vulnerabilities, which can be exploited by malicious people to compromise a vulnerable system.

Solution:
Apply updated packages via the zypper package manager.

Original Advisory:
openSUSE-SU-2012:0507-1:
http://lists.opensuse.org/opensuse-security-announce/2012-04/msg00011.html

http://secunia.com/advisories/48844/

Ushahidi Cross-Site Request Forgery and Script Insertion Vulnerabilities

Release Date : 2012-04-17

Criticality level : Moderately critical
Impact : Cross Site Scripting
Where : From remote
Solution Status : Unpatched

Software: Ushahidi 2.x

Description:
Two vulnerabilities have been discovered in Ushahidi, which can be exploited by malicious people to conduct cross-site request forgery and script insertion attacks.

1) The application allows users to perform certain actions via HTTP requests without performing any validity checks to verify the requests. This can be exploited to e.g. create an arbitrary user with administrative privileges if a logged-in administrative user visits a malicious web site.

2) Input passed via the "name" parameter to index.php/login (when parameter "action" is set to "new") when creating an user account is not properly sanitised before being used. This can be exploited to insert arbitrary HTML and script code, which will be executed in a user's browser session in context of an affected site when the malicious data is being viewed.

The vulnerabilities are confirmed in version 2.2. Other versions may also be affected.

Solution:
Edit the source code to ensure that input is properly sanitised. Do not browse untrusted sites or follow untrusted links while being logged-in to the application.

Provided and/or discovered by:
shpendk

Original Advisory:
http://www.exploit-db.com/exploits/18737/

http://secunia.com/advisories/48845/

Release Date : 2012-04-17

Criticality level : Highly critical
Impact : Unknown
Security Bypass
Exposure of system information
Exposure of sensitive information
DoS
System access
Where : From remote
Solution Status : Vendor Patch

Software: HP Secure Web Server for OpenVMS 2.x

Description:
HP has issued an update for Secure Web Server in OpenVMS. This fixes multiple vulnerabilities, where one has unknown impacts and others can be exploited by malicious people to disclose system and potentially sensitive information, bypass certain security restrictions, cause a DoS (Denial of Service), and compromise a vulnerable system.

The vulnerabilities are reported in HP Secure Web Server (SWS) version 2.2 and earlier, running PHP.

Solution:
Apply updates.

Provided and/or discovered by:
Reported by the vendor.

Original Advisory:
HPSBOV02763 SSRT100826:
http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c03281867

http://secunia.com/advisories/48802/

Release Date : 2012-04-17

Criticality level : Not critical
Impact : Manipulation of data
Where : Local system
Solution Status : Unpatched

Software: Munin 1.4.x

Description:
A security issue has been reported in Munin, which can be exploited by malicious, local users to manipulate certain data.

The security issue is caused due to the qmailscan plugin creating temporary files in an insecure manner, which can be exploited to e.g. overwrite arbitrary files via symlink attacks.

The security issue is reported in version 1.4.7. Other versions may also be affected.

Solution:
Restrict access to trusted users only.

Provided and/or discovered by:
Helmut Grohne in a Debian bug report.

Original Advisory:
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=668778

http://secunia.com/advisories/48859/

IBM Tivoli Directory Server Paged Searches Denial of Service Vulnerability

Release Date : 2012-04-17

Criticality level : Less critical
Impact : DoS
Where : From local network
Solution Status : Vendor Workaround

Software: IBM Tivoli Directory Server 6.x

Description:
A vulnerability has been reported in IBM Tivoli Directory Server, which can be exploited by malicious people to cause a DoS (Denial of Service).

The vulnerability is caused due to an error when handling malformed paged search requests and can be exploited to cause a crash.

The vulnerability is reported in versions 6.1 prior to 6.1.0.47, 6.2 prior to 6.2.0.22, and 6.3 prior to 6.3.0.11.

Note: A weakness also exists due to support of NULL ciphers.

Solution:
Apply interim fixes.

Provided and/or discovered by:
Reported by the vendor.

Original Advisory:
IBM:
http://www-01.ibm.com/support/docview.wss?uid=swg21591267
http://www-01.ibm.com/support/docview.wss?uid=swg21591272

http://secunia.com/advisories/48872/

Release Date: 2011-11-17
Last Update: 2012-04-17

Criticality level : Highly critical
Impact : Cross Site Scripting
Manipulation of data
System access
Where : From remote
Solution Status : Unpatched

Software: V-CMS 1.x

Description:
AutoSec Tools has discovered multiple vulnerabilities in V-CMS, which can be exploited by malicious people to conduct cross-site scripting attacks, SQL injection attacks, and compromise a vulnerable system.

1) Input passed via the "p" parameter to redirect.php is not properly sanitised before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user's browser session in context of an affected site.

2) Input passed via the "box" parameter to includes/TrueColorPicker/index.php is not properly sanitised in includes/TrueColorPicker/class.TrueColorPicker.php before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user's browser session in context of an affected site.

3) Input passed via the "user" parameter to process.php is not properly sanitised in session.php before being used in SQL queries. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code.

Successful exploitation of this vulnerability requires that "magic_quotes_gpc" is disabled.

4) The includes/inline_image_upload.php script allows the upload of files with arbitrary extensions to a folder inside the webroot. This can be exploited to execute arbitrary PHP code by uploading a malicious PHP script with e.g. an appended ".gif" file extension.

Successful exploitation requires that Apache is not configured to handle the mime-type for media files with e.g. a ".jpg" or ".gif" extension.

The vulnerabilities are confirmed in version 1.1. Other versions may also be affected.

Solution:
Edit the source code to ensure that input is properly sanitised. Restrict access to the includes/inline_image_upload.php script (e.g. via .htaccess).

Provided and/or discovered by:
AutoSec Tools

http://secunia.com/advisories/46861

Release Date: 2012-03-07
Last Update: 2012-04-17

Criticality level : Moderately critical
Impact : Security Bypass
Manipulation of data
Privilege escalation
DoS
System access
Where : From local network
Solution Status : Vendor Patch

Software: IBM DB2 9.x

Description:
Multiple vulnerabilities have been reported in IBM DB2, which can be exploited by malicious, local users to manipulate certain data and gain escalated privileges, by malicious users to bypass certain security restrictions and gain escalated privileges and by malicious people to cause a DoS (Denial of Service) or compromise the application.

1) A security issue exists within the Common Code Infrastructure due to the nodes.reg file having insecure world-writable permissions.

This vulnerability is reported in versions prior to 9.5 Fix Pack 9.

2) An error within the Server component can be exploited to cause a crash by sending a specially crafted Distributed Relational Database Architecture (DRDA) request.

This vulnerability is reported in versions prior to 9.1 Fix Pack 11, prior to 9.5 Fix Pack 9, prior to 9.7 Fix Pack 5, and prior to 9.8 Fix Pack 4.

3) An error within the Install component may allow local users to escalate their privileges.

This vulnerability is reported in versions prior to 9.5 Fix Pack 9.

4) A signedness error in the "UidKey::getHashCode()" function within the DAS component can be exploited to dereference arbitrary heap memory as a function pointer via a specially crafted login request.

Note: This vulnerability does not affect DAS components running on Windows platforms.

This vulnerability is reported in versions 9.1, prior to 9.5 Fix Pack 9, and 9.7.

5) An unspecified error within the XML feature can be exploited to cause a DoS.

Successful exploitation of this vulnerability requires CONNECT privileges.

6) An unspecified error within some authorization checks can be exploited to gain access to certain tables.

Successful exploitation of this vulnerability requires CONNECT and CREATEIN privileges.

The vulnerabilities #5 and #6 are reported in versions prior to 9.5 Fix Pack 9, 9.7, and 9.8.

Solution:
Update to version 9.1 FP11, 9.5 FP9, 9.7 FP5, and 9.8 FP4.

Provided and/or discovered by:
1-3) Reported by the vendor.
4) An anonymous person via iDefense VCP.
5) The vendor credits an anonymous person via iDefense.
6) The vendor credits Martin Rakhmanov, Application Security Inc.

Original Advisory:
IBM (IC76781, IC76899, IC76901, IC76902, IC79970, IC80728, IC81379, IC81387):
http://www.ibm.com/support/docview.wss?uid=swg21586193
http://www.ibm.com/support/docview.wss?uid=swg21588090
http://www.ibm.com/support/docview.wss?uid=swg21588093
http://www.ibm.com/support/docview.wss?uid=swg21588098
http://www.ibm.com/support/docview.wss?uid=swg21588100
http://www.ibm.com/support/docview.wss?uid=swg1IC76781
http://www.ibm.com/support/docview.wss?uid=swg1IC76899
http://www.ibm.com/support/docview.wss?uid=swg1IC76901
http://www.ibm.com/support/docview.wss?uid=swg1IC76902
http://www.ibm.com/support/docview.wss?uid=swg1IC79970
http://www.ibm.com/support/docview.wss?uid=swg1IC80728
http://www.ibm.com/support/docview.wss?uid=swg1IC81379
http://www.ibm.com/support/docview.wss?uid=swg1IC81387

iDefense:
http://www.verisigninc.com/en_US/products-and-services/network-intelligence-availability/idefense/public-vulnerability-reports/articles/index.xhtml?id=972

http://secunia.com/advisories/48279