Spyware, viruses, & security forum: VULNERABILITIES / FIXES - April 19, 2012

Release Date : 2012-04-19

Criticality level : Moderately critical
Impact : System access
Where : From remote
Solution Status : Unpatched

Operating System: Gentoo Linux

Description:
Gentoo has acknowledged two vulnerabilities in the swftools package, which can be exploited by malicious people to compromise a user's system.

Solution:
The vendor recommends to unmerge swftools.

Original Advisory:
GLSA 201204-05:
http://security.gentoo.org/glsa/glsa-201204-05.xml

http://secunia.com/advisories/48821/

Drupal Gigya - Social optimization Module Cross-Site-Scripting Vulnerability

Release Date : 2012-04-19

Criticality level : Less critical
Impact : Cross Site Scripting
Where : From remote
Solution Status : Vendor Patch

Software: Drupal Gigya - Social optimization Module 6.x

Description:
A vulnerability has been reported in the Gigya - Social optimization module for Drupal, which can be exploited by malicious people to conduct cross-site scripting attacks.

Certain unspecified input is not properly sanitised before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user's browser session in context of an affected site.

The vulnerability is reported in versions prior to 6.x-3.2.

Solution:
Update to version 6.x-3.2.

Provided and/or discovered by:
The vendor credits Marek Lyczba.

Original Advisory:
SA-CONTRIB-2012-061:
http://drupal.org/node/1538704

http://secunia.com/advisories/48832/

Release Date : 2012-04-19

Criticality level : Less critical
Impact : Cross Site Scripting
Spoofing
Where : From remote
Solution Status : Unpatched

Software: ownCloud 3.x

Description:
Tobias Glemser has discovered a weakness and some vulnerabilities in ownCloud, which can be exploited by malicious people to conduct spoofing, cross-site scripting, and cross-site request forgery attacks.

1) Input passed via the "redirect_url" parameter to index.php is not properly verified before being used to redirect users. This can be exploited to redirect a user to an arbitrary website e.g. when a user clicks a specially crafted link to the affected script hosted on a trusted domain.

2) Input passed via the "redirect_url" parameter to index.php and the "files" parameter to files/ajax/download.php is not properly sanitised before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user's browser session in context of an affected site.

3) The application allows users to perform certain actions via HTTP requests without performing proper validity checks to verify the requests. This can be exploited to e.g. conduct script insertion attacks via editing contacts when a logged-in user visits a specially crafted web page.

The weakness and the vulnerabilities are confirmed in version 3.0.2. Other versions may also be affected.

Solution:
Edit the source code to ensure that input is properly sanitised and verified. Do not browse untrusted sites or follow untrusted links while being logged-in to the application.

Provided and/or discovered by:
Tobias Glemser, Tele-Consulting.

Original Advisory:
Tele-Consulting:
http://www.tele-consulting.com/advisories/TC-SA-2012-01.txt

http://secunia.com/advisories/48850/

OpenSSL "asn1_d2i_read_bio()" DER Format Data Processing Vulnerability

Release Date : 2012-04-19

Criticality level : Highly critical
Impact : System access
DoS
Where : From remote
Solution Status : Vendor Patch

Software: OpenSSL 0.x
OpenSSL 1.x

Description:
Tavis Ormandy has reported a vulnerability in OpenSSL, which can be exploited by malicious people to potentially compromise an application using the library.

The vulnerability is caused due to a type casting error in the "asn1_d2i_read_bio()" function when processing DER format data and can be exploited to cause a heap-based buffer overflow.

Successful exploitation may allow execution of arbitrary code, but may require a target to be running on a 64-bit system.

NOTE: Applications that use PEM only routines are not affected.

The vulnerability is reported in versions prior to 0.9.8v, 1.0.1a, and 1.0.0i.

Solution:
Update to version 0.9.8v, 1.0.1a, and 1.0.0i.

Provided and/or discovered by:
Tavis Ormandy, Google Security Team

Original Advisory:
OpenSSL:
http://www.openssl.org/news/secadv_20120419.txt

Tavis Ormandy:
http://seclists.org/fulldisclosure/2012/Apr/210

http://secunia.com/advisories/48847/

Release Date : 2012-04-19

Criticality level : Less critical
Impact : DoS
Where : From remote
Solution Status : Vendor Patch

Operating System: Red Hat Enterprise Linux Desktop 5
Red Hat Enterprise Linux Server 5

Description:
Red Hat has issued an update for the kernel. This fixes a vulnerability, which can be exploited by malicious people to cause a DoS (Denial of Service).

The vulnerability is caused due to an error within the "xfrm6_tunnel_rcv()" function (net/ipv6/xfrm6_tunnel.c) when handling IPv6 packets and can be exploited to trigger e.g. a use-after-free error and cause a crash.

Successful exploitation requires the xfrm6_tunnel kernel module is loaded.

Solution:
Updated packages are available via Red Hat Network.

Provided and/or discovered by:
Eric Sesterhenn in a GIT commit.

Original Advisory:
RHSA-2012:0480-01:
https://rhn.redhat.com/errata/RHSA-2012-0480.html

Kernel.org:
http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commit;h=d0772b70

http://secunia.com/advisories/48881/

Release Date: 2010-07-27
Last Update: 2012-04-19

Criticality level : Less critical
Impact : Cross Site Scripting
Exposure of system information
Exposure of sensitive information
Where : From remote
Solution Status : Unpatched

Software: SyndeoCMS 2.x

Description:
Multiple vulnerabilities have been discovered in SyndeoCMS, which can be exploited by malicious users to conduct script insertion attacks and disclose sensitive information and by malicious people to conduct cross-site request forgery attacks.

1) Input passed via the "header" parameter to starnet/index.php when using the "Template editor" module is not properly sanitised before being displayed to the user. This can be exploited to insert arbitrary HTML and script code, which will be executed in a user's browser session in context of an affected site when the malicious data is being viewed

Successful exploitation of this vulnerability requires "Module manager" permissions.

2) Input passed via the "name" and "email" parameters to starnet/index.php when editing alerts is not properly sanitised before being displayed to the user. This can be exploited to insert arbitrary HTML and script code, which will be executed in a user's browser session in context of an affected site when the malicious data is being viewed.

Successful exploitation requires "Alerts" access rights.

3) The application allows users to perform certain actions via HTTP requests without performing any validity checks to verify the requests. This can be exploited to e.g. change the administrative password or edit the module values by tricking a logged in administrative user into visiting a malicious web site.

4) Input passed via the "theme" parameter to starnet/index.php is not properly verified before being used to include files from local resources. This can be exploited to include arbitrary files from local resources via directory traversal sequences and URL-encoded NULL bytes.

Successful exploitation of this vulnerability requires "SyndeoCMS Options" access rights and that "magic_quotes_gpc" is disabled.

The vulnerabilities are confirmed in version 2.9.0. Other versions may also be affected.

Solution:
Edit the source code to ensure that input is properly sanitised. Do not browse untrusted websites or follow untrusted links while logged in to the application. Upgrade to version 3.0.01, which fixes vulnerability #1 and partially fixes vulnerability #2.

Provided and/or discovered by:
1, 3) High-Tech Bridge SA
2, 4) abysssec

Original Advisory:
High-Tech Bridge SA:
http://www.htbridge.ch/advisory/xss_vulnerability_in_syndeocms.html
http://www.htbridge.ch/advisory/xss_vulnerability_in_syndeocms_1.html
http://www.htbridge.ch/advisory/xss_vulnerability_in_syndeocms_2.html

abysssec:
http://www.exploit-db.com/exploits/14887/

http://secunia.com/advisories/40769