Spyware, viruses, & security forum: VULNERABILITIES / FIXES - June 14, 2012

Release Date : 2012-06-14

Criticality level : Moderately critical
Impact : System access
Security Bypass
Where : From local network
Solution Status : Vendor Patch

Operating System: HP-UX 11.x

Description:
HP has issued an update for CIFS Server in HP-UX. This fixes two vulnerabilities, which can be exploited by malicious users to bypass certain security restrictions and by malicious people to compromise a vulnerable system.

The vulnerabilities are reported in versions HP-UX B.11.23 and B.11.31 running HP-UX CIFS-Server (Samba) A.03.01.04 or prior.

Solution:
Update to version A.03.01.05.

Original Advisory:
HPSBUX02789 SSRT100824:
h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c03365218

http://secunia.com/advisories/49566/

Release Date : 2012-06-14

Criticality level : Moderately critical
Impact : DoS
Where : From remote
Solution Status : Vendor Patch

Operating System: Red Hat Enterprise Linux Desktop 5
Red Hat Enterprise Linux Desktop 6
Red Hat Enterprise Linux HPC Node 6
Red Hat Enterprise Linux Server 5
Red Hat Enterprise Linux Server 6
Red Hat Enterprise Linux Workstation 6
RHEL Desktop Workstation 5

Description:
Red Hat has issued an update for expat. This fixes a vulnerability, which can be exploited by malicious people to cause a DoS (Denial of Service).

Solution:
Updated packages are available via Red Hat Network.

Original Advisory:
RHSA-2012:0731-1:
https://rhn.redhat.com/errata/RHSA-2012-0731.html

http://secunia.com/advisories/49504/

Release Date : 2012-06-14

Criticality level : Highly critical
Impact : Cross Site Scripting
Manipulation of data
Exposure of sensitive information
DoS
System access
Where : From remote
Solution Status : Vendor Patch

Software: Red Hat Enterprise Linux Desktop Supplementary (v. 6)
Red Hat Enterprise Linux HPC Node Supplementary (v. 6)
Red Hat Enterprise Linux Server Supplementary (v. 6)
Red Hat Enterprise Linux Workstation Supplementary (v. 6)
RHEL Desktop Supplementary (v. 5 client)
RHEL Supplementary (v. 5 server)

Description:
Red Hat has issued an update for java-1.6.0-sun. This fixes multiple vulnerabilities, which can be exploited by malicious people to conduct cross-site scripting attacks, disclose potentially sensitive information, manipulate certain data, cause a DoS (Denial of Service), and compromise a vulnerable system.

Solution:
Updated packages are available via Red Hat Network.

Original Advisory:
RHSA-2012:0734-01:
https://rhn.redhat.com/errata/RHSA-2012-0734.html

http://secunia.com/advisories/49565/

Joomla! Easy Flash Uploader Module Arbitrary File Upload Vulnerability

Release Date : 2012-06-14

Criticality level : Highly critical
Impact : System access
Where : From remote
Solution Status : Vendor Patch

Software: Easy Flash Uploader 2.x (module for Joomla!)

Description:
Sammy Forgit has reported a vulnerability in the Easy Flash Uploader module for Joomla!, which can be exploited by malicious people to compromise a vulnerable system.

The vulnerability is caused due to the plugins/content/efup_files/helper.php script allowing the upload of files with arbitrary extensions to a folder inside the webroot. This can be exploited to execute arbitrary PHP code by uploading a malicious PHP script.

The vulnerability is reported in version 2.0. Prior versions may also be affected.

Solution:
Update to version 2.1.

Provided and/or discovered by:
Sammy Forgit, OpenSysCom

Original Advisory:
Easy Flash Uploader:
https://www.valorapps.com/12-notices/27-easy-flash-uploader-version-2-1-is-released.html

OpenSysCom:
http://www.opensyscom.fr/Actualites/joomla-plugins-easy-flash-uploader-arbitrary-file-upload-vulnerability.html

http://secunia.com/advisories/49535/

Release Date : 2012-06-14

Criticality level : Highly critical
Impact : System access
Where : From remote
Solution Status : Vendor Patch

Operating System: Slackware Linux 10.0
Slackware Linux 11.0
Slackware Linux 9.0
Slackware Linux 9.1

Description:
Slackware has issued an update for libtiff. This fixes two vulnerabilities, which can be exploited by malicious people to compromise an application using the library.

Solution:
Apply updated packages

Original Advisory:
SSA:2012-098-01:
http://slackware.com/security/viewer.php?l=slackware-security&y=2012&m=slackware-security.120407

http://secunia.com/advisories/49511/

WordPress Zingiri Web Shop Plugin Arbitrary File Upload Vulnerability

Release Date : 2012-06-14

Criticality level : Highly critical
Impact : System access
Where : From remote
Solution Status : Unpatched

Software: WordPress Zingiri Web Shop Plugin 2.x

Description:
Sammy Forgit has discovered a vulnerability in the Zingiri Web Shop plugin for WordPress, which can be exploited by malicious people to compromise a vulnerable system.

The vulnerability is caused due to the wp-content/plugins/zingiri-web-shop/fwkfor/ajax/uploadfilexd.php script allowing to upload files to a folder inside the webroot. This can be exploited to e.g. execute arbitrary PHP code by uploading a malicious PHP script.

The vulnerability is confirmed in version 2.4.3. Other versions may also be affected.

Solution:
Restrict access to the wp-content/plugins/zingiri-web-shop/fwkfor/ajax/APHPS_TEMP_DIR folder (e.g. via .htaccess).

Provided and/or discovered by:
Sammy Forgit, OpenSysCom

Original Advisory:
http://www.opensyscom.fr/Actualites/wordpress-plugins-zingiri-web-shop-arbitrary-file-upload-vulnerability.html

http://secunia.com/advisories/49553/

Release Date : 2012-06-14

Criticality level : Moderately critical
Impact : Manipulation of data
Where : From remote
Solution Status : Unpatched

Software: Cells Blog CMS 1.x

Description:
Some vulnerabilities have been discovered in Cells Blog CMS, which can be exploited by malicious people to conduct SQL injection attacks.

Input passed via various parameters to multiple scripts is not properly sanitised before being used in SQL queries. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code.

Examples:
http://[host]/cells/fourm.php?bgid=[sql]
http://[host]/cells/fourm.php?bgid=1&fmid=[sql]
http://[host]/cells/pub_readpost.php?bgid=1&ptid=[sql]
http://[host]/cells/pub_readpost.php?bgid=[sql]
http://[host]/cells/pub_nmsg.php?report=pst&bgid=1&fmid=8&ptid=[sql]
http://[host]/cells/pub_openpic.php?fnid=10&bgid=1&fmid=[sql]
http://[host]/cells/my_newpost.php?fmid=[sql]

The vulnerabilities are confirmed in version 1.21. Other versions may also be affected.

Solution:
Edit the source code to ensure that input is properly sanitised.

Provided and/or discovered by:
snup, Vulnerability Research Laboratory

Original Advisory:
http://www.exploit-db.com/exploits/19133/

http://secunia.com/advisories/49527/

Release Date : 2012-06-14

Criticality level : Highly critical
Impact : System access
Where : From remote
Solution Status : Unpatched

Software: WordPress Evarisk Plugin 5.x

Description:
Sammy Forgit has discovered a vulnerability in the Evarisk plugin for WordPress, which can be exploited by malicious people to compromise a vulnerable system.

The vulnerability is caused due to the wp-content/plugins/evarisk/include/lib/actionsCorrectives/activite/uploadPhotoApres.php script allowing to upload files to a folder inside the webroot. This can be exploited to e.g. execute arbitrary PHP code by uploading a malicious PHP script.

The vulnerability is confirmed in version 5.1.5.4. Other versions may also be affected.

Solution:
Restrict access to the wp-content/plugins/evarisk/include/lib/actionsCorrectives/activite folder (e.g. via .htaccess).

Provided and/or discovered by:
Sammy Forgit, OpenSysCom

Original Advisory:
http://www.opensyscom.fr/Actualites/wordpress-plugins-evarisk-arbitrary-file-upload-vulnerability.html

http://secunia.com/advisories/49521/

Release Date : 2012-06-14

Criticality level : Not critical
Impact : Spoofing
Where : From remote
Solution Status : Vendor Patch

Software: Drupal Janrain Capture Module 6.x
Drupal Janrain Capture Module 7.x

Description:
A weakness has been reported in the Janrain Capture module for Drupal, which can be exploited by malicious people to conduct spoofing attacks.

Certain input when synchronising user data is not properly verified before being used to redirect users. This can be exploited to redirect a user to an arbitrary website e.g. when a user clicks a specially crafted link to the affected script hosted on a trusted domain.

The weakness is reported in versions 6.x-1.0 and 7.x-1.0.

Solution:
Update to a patched version.

Provided and/or discovered by:
The vendor credits Peter Wolanin, Drupal Security Team.

Original Advisory:
SA-CONTRIB-2012-098:
http://drupal.org/node/1632734

http://secunia.com/advisories/49480/

Release Date : 2012-06-14

Criticality level : Moderately critical
Impact : Security Bypass
Where : From remote
Solution Status : Vendor Patch

Software: Drupal Protected Node Module 6.x

Description:
A security issue has been reported in the Protected Node module for Drupal, which can be exploited by malicious people to bypass certain security restrictions.

The security issue is caused due to the application not properly restricting access when nodes are accessed outside of the standard node view and can be exploited to access otherwise restricted nodes.

The security issue is reported in versions 6.x-1.x prior to 6.x-1.6.

Solution:
Update to version 6.x-1.6.

Provided and/or discovered by:
The vendor credits Martin Barbella.

Original Advisory:
SA-CONTRIB-2012-101:
http://drupal.org/node/1632918

http://secunia.com/advisories/49509/

Release Date : 2012-06-14

Criticality level : Moderately critical
Impact : Manipulation of data
Where : From local network
Solution Status : Vendor Patch

Software: Contao 2.x

Description:
Fabian Mihailowitsch has reported a vulnerability in Contao, which can be exploited by malicious users to conduct SQL injection attacks.

Input passed via the "field" parameter to system/modules/backend/Ajax.php is not properly sanitised before being used in a SQL query. This can be exploited to manipulate SQL queries and overwrite certain fields in the database.

The vulnerability is reported in version 2.11.3. Prior versions may also be affected.

Solution:
Update to version 2.11.4.

Provided and/or discovered by:
Reported by Fabian Mihailowitsch in a bug ticket.

Original Advisory:
Contao:
http://www.contao.org/en/changelog/auto_item/changelog/versions/2.11.html
https://github.com/contao/core/issues/4427

http://secunia.com/advisories/49564/

Release Date : 2012-06-13

Criticality level : Moderately critical
Impact : Cross Site Scripting
System access
Where : From remote
Solution Status : Vendor Patch

Software: Gallery 3.x

Description:
Some vulnerabilities have been reported in Gallery, which can be exploited by malicious users to conduct script insertion attacks and compromise a vulnerable system and by malicious people to conduct cross-site scripting attacks.

1) Certain unspecified input is not properly sanitised before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user's browser session in context of an affected site.

2) Certain unspecified input is not properly sanitised before being used. This can be exploited to insert arbitrary HTML and script code, which will be executed in a user's browser session in context of an affected site when the malicious data is being viewed.

3) Some unspecified errors can be exploited to upload and execute arbitrary PHP files.

The vulnerabilities are reported in versions prior to 3.0.4.

Solution:
Update to version 3.0.4.

Provided and/or discovered by:
The vendor credits Chalk, Mateusz Goik, James 'albino' Kettle, Emanuel Bronshtein, and Sergey Markov.

Original Advisory:
http://gallery.menalto.com/gallery_3_0_4

http://secunia.com/advisories/49473/

Release Date : 2012-06-14

Criticality level : Highly critical
Impact : Hijacking
Cross Site Scripting
Spoofing
Manipulation of data
Exposure of sensitive information
DoS
System access
Where : From remote
Solution Status : Vendor Patch

Software: IBM Rational AppScan 8.x

Description:
IBM has acknowledged a weakness and multiple vulnerabilities in IBM Rational AppScan, which can be exploited by malicious users to disclose certain information and by malicious people to conduct spoofing and cross-site scripting attacks, disclose potentially sensitive information, hijack a user's session, conduct DNS cache poisoning attacks, manipulate certain data, cause a DoS (Denial of Service), and compromise a vulnerable system.

1) An error can be exploited to conduct spoofing and Man-in-the-Middle (MitM) attacks.

2) Two errors can be exploited to conduct spoofing and cross-site scripting attacks.

3) Multiple vulnerabilities are caused due to a bundled vulnerable version of IBM Java.

The vulnerabilities are reported in versions 8.0, 8.0.0.1, 8.0.0.2, 8.5, and 8.5.0.1.

Solution:
Update to version 8.6.

Original Advisory:
IBM:
http://www.ibm.com/support/docview.wss?uid=swg21598423

http://secunia.com/advisories/49552/

NetBSD 64-bit Mode Sanity Check Privilege Escalation Vulnerability

Release Date : 2012-06-14

Criticality level : Less critical
Impact : Privilege escalation
Where : Local system
Solution Status : Vendor Workaround

Operating System: NetBSD 4.0

Description:
A vulnerability has been reported in NetBSD, which can be exploited by malicious, local users to gain escalated privileges.

Solution:
Fixed in the CVS repository (please see the vendor advisory for details).

Provided and/or discovered by:
The vendor credits Rafal Wojtczuk.

Original Advisory:
http://ftp.netbsd.org/pub/NetBSD/security/advisories/NetBSD-SA2012-003.txt.asc

http://secunia.com/advisories/49516/