Spyware, viruses, & security forum: VULNERABILITIES / FIXES - June 21, 2012

IBM System Storage Products Storage Manager Cross-Site Scripting and SQL Injection Vulnerabilities

Release Date : 2012-06-21

Criticality level : Less critical
Impact : Cross Site Scripting
Manipulation of data
Where : From remote
Solution Status : Vendor Patch

Operating System: IBM System Storage DCS3700
IBM System Storage DS3200
IBM System Storage DS3300
IBM System Storage DS3400
IBM System Storage DS3512
IBM System Storage DS3950
IBM System Storage DS4200
IBM System Storage DS4300
IBM System Storage DS4500
IBM System Storage DS4800
IBM System Storage DS5020
IBM System Storage DS5100
IBM System Storage DS5300
IBM TotalStorage DS4100 (formerly FAStT100)
IBM TotalStorage DS4400 Midrange Disk System

Software: IBM DS4700 0.x

Description:
Two vulnerabilities have been reported in IBM System Storage products, which can be exploited by malicious people to conduct cross-site scripting and SQL injection attacks.

1) Input passed via the "updateRegn" parameter to SoftwareRegistration.do is not properly sanitised before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user's browser session in context of an affected site.

2) Input passed via the "selectedModuleOnly" parameter to ModuleServlet.do is not properly sanitised before being used in SQL queries. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code.

The vulnerabilities are reported in IBM System Storage DS Storage Manager versions prior to 10.83.xx.18.

Solution:
Update IBM System Storage DS Storage Manager to version 10.83.xx.18 or later.

Provided and/or discovered by:
Gjoko Krstic aka LiquidWorm, Zero Science Lab.

Original Advisory:
IBM:
https://www.ibm.com/connections/blogs/PSIRT/entry/secbulletin_stg-storage_cve-2012-2171_cve-2012-2172?lang=en_gb
http://www.ibm.com/support/entry/portal/docdisplay?lndocid=MIGR-5090850&brandind=5000028

Zero Science Lab:
http://www.zeroscience.mk/en/vulnerabilities/ZSL-2012-5094.php

http://secunia.com/advisories/49582/

Release Date : 2012-06-21

Criticality level : Moderately critical
Impact : Security Bypass
DoS
System access
Where : From remote
Solution Status : Vendor Patch

Description:
Gentoo has issued an update for asterisk. This fixes multiple vulnerabilities, which can be exploited by malicious users to cause a DoS (Denial of Service), bypass certain security restrictions, and compromise a vulnerable system and by malicious people to cause a DoS (Denial of Service).

Solution:
Update to "net-misc/asterisk-1.8.12.1" or later.

Original Advisory:
GLSA 201206-05:
http://www.gentoo.org/security/en/glsa/glsa-201206-05.xml

http://secunia.com/advisories/49536/

Release Date : 2012-06-21

Criticality level : Moderately critical
Impact : Security Bypass
Where : From remote
Solution Status : Vendor Patch

Software: JBoss Enterprise Application Platform 5.x
JBoss Enterprise Web Platform 5.x
Red Hat JBoss Enterprise Application Platform 5.x

Description:
Red Hat has issued an update for multiple JBoss products. This fixes a security issue and a vulnerability, which can be exploited by malicious users and malicious people to bypass certain security restrictions.

Solution:
Updated packages are available via Red Hat Network.

Original Advisory:
RHSA-2012:1026-1:
https://rhn.redhat.com/errata/RHSA-2012-1026.html

RHSA-2012:1027-1:
https://rhn.redhat.com/errata/RHSA-2012-1027.html

http://secunia.com/advisories/49658/

Commentics Cross-Site Scripting and Request Forgery Vulnerabilities

Release Date : 2012-06-21

Criticality level : Less critical
Impact : Cross Site Scripting
Where : From remote
Solution Status : Unpatched

Software: Commentics 2.x

Description:
Jean Pascal Pereira has discovered two vulnerabilities in Commentics, which can be exploited by malicious people to conduct cross-site scripting and request forgery attacks.

1) Input passed via the "id" parameter to admin/index.php (when "page" is set to "edit_page") is not properly sanitised before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user's browser session in context of an affected site.

2) The application allows users to perform certain actions via HTTP requests without performing any validity checks to verify the requests. This can be exploited to e.g. change the administrator's password by tricking a logged-in administrator into visiting a malicious web site.

The vulnerabilities are confirmed in version 2.0. Other versions may also be affected.

Solution:
Edit the source code to ensure that input is properly sanitised. Do not browse untrusted websites or follow untrusted links while logged in to the application.

Provided and/or discovered by:
Jean Pascal Pereira

Original Advisory:
http://archives.neohapsis.com/archives/bugtraq/2012-06/0126.html

http://secunia.com/advisories/49659/

Release Date: 2012-06-21

Criticality level : Not critical
Impact : DoS
Where : Local system
Solution Status : Vendor Patch

Software: InfoSphere Guardium 8.x

Description:
A vulnerability has been reported in InfoSphere Guardium, which can be exploited by malicious, local users to cause a DoS (Denial of Service).

The vulnerability is caused due to an error in the "aix_ktap" S-TAP module when monitoring multiple database connections, which use shared memory. This can be exploited to cause a system crash via a specially crafted multi-threaded application.

The vulnerability is reported in version 8.x running on AIX only.

Solution:
Update to revision r39471 or later.

Provided and/or discovered by:
Reported by the vendor.

Original Advisory:
IBM:
http://www.ibm.com/support/docview.wss?uid=swg21599077

http://secunia.com/advisories/49638/

Release Date : 2012-06-21

Criticality level : Moderately critical
Impact : System access
Where : From remote
Solution Status : Vendor Patch

Software: XnView 1.x

Description:
Francis Provencher has discovered multiple vulnerabilities in XnView, which can be exploited by malicious people to compromise a user's system.

1) Insufficient validation when decompressing SGI32LogLum compressed TIFF images can be exploited to cause a heap-based buffer overflow.

2) Insufficient validation when decompressing SGI32LogLum compressed TIFF images where the PhotometricInterpretation encoding is set to LogL can be exploited to cause a heap-based buffer overflow.

3) Insufficient validation when decompressing PCT images can be exploited to cause a heap-based buffer overflow.

4) An indexing error when processing the ImageDescriptor structure of GIF images can be exploited to corrupt memory via a specially crafted "ImageLeftPosition" value.

Successful exploitation of the vulnerabilities may allow execution of arbitrary code by tricking a user into viewing a malicious image.

The vulnerabilities are confirmed in version 1.98.8. Other versions may also be affected.

Solution:
Update to version 1.99.

Provided and/or discovered by:
Francis Provencher via Secunia

http://secunia.com/advisories/48666/

Release Date : 2012-06-21

Criticality level : Less critical
Impact : Cross Site Scripting
DoS
Where : From remote
Solution Status : Vendor Patch

Operating System : Debian GNU/Linux 6.0

Description:
Debian has issued an update for quagga. This fixes a vulnerability, which can be exploited by malicious people to cause a DoS (Denial of Service).

Solution:
Apply updated packages via the apt-get package manager.

Original Advisory:
DSA-2497-1:
http://www.debian.org/security/2012/dsa-2497

http://secunia.com/advisories/48969/

Release Date : 2012-06-21

Criticality level : Moderately critical
Impact : Manipulation of data
Where : From remote
Solution Status :Unpatched

Software: PD Cars Gallery
PD Companies Website
PD E-Store

Description:
Two vulnerabilities have been reported in PD E-Store, PD Companies Website, and PD Cars Gallery, which can be exploited by malicious people to conduct SQL injection attacks.

Input passed via the "id" and "p_id" parameters to page.php is not properly sanitised before being used in SQL queries. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code.

Solution:
Edit the source code to ensure that input is properly sanitised.

Provided and/or discovered by:
Taurus Omar

Original Advisory:
http://packetstormsecurity.org/files/113985/PD-Professional-Designer-SQL-Injection.html

http://secunia.com/advisories/49623/

Release Date : 2012-06-21

Criticality level : Moderately critical
Impact : System access
Where : From remote
Solution Status : Vendor Patch

Operating System: Gentoo Linux

Description:
Gentoo has issued an update for nginx. This fixes a vulnerability, which can be exploited by malicious people to compromise a vulnerable system.

Solution:
Update to "www-servers/nginx-1.0.15" or later.

Original Advisory:
GLSA 201206-07:
http://security.gentoo.org/glsa/glsa-201206-07.xml

http://secunia.com/advisories/49655/

Release Date : 2012-06-21

Criticality level : Highly critical
Impact : System access
DoS
Where : From remote
Solution Status : Vendor Patch

Operating System: F5 TMOS 11.x

Description:
F5 has acknowledged multiple vulnerabilities in multiple F5 products, which can be exploited by malicious people to cause a DoS (Denial of Service) and potentially compromise a vulnerable system.

1) The vulnerability is caused due to a bundled vulnerable version of BIND.

2) The vulnerability is caused due to a bundled vulnerable version of ImageMagick.

The vulnerabilities are reported in version 11.1.0 of the following products:
* BIG-IP LTM
* BIG-IP GTM
* BIG-IP ASM
* BIG-IP Link Controller
* BIG-IP WebAccelerator
* BIG-IP PSM
* BIG-IP WOM
* BIG-IP APM
* BIG-IP Edge Gateway

Solution:
Update to version 11.2.0. Additionally, a hotfix is available for vulnerability #1.

Original Advisory:
http://support.f5.com/kb/en-us/products/big-ip_ltm/releasenotes/product/relnote-ltm-11-2-0.html
http://support.f5.com/kb/en-us/solutions/public/13000/300/sol13343.html

http://secunia.com/advisories/49478/

Globus Toolkit GridFTP Server Invalid User Authentication Security Bypass

Release Date : 2012-06-21

Criticality level : Less critical
Impact : Security Bypass
Where : From remote
Solution Status : Vendor Patch

Software: Globus Toolkit 5.x

Description:
A security issue has been reported in Globus Toolkit, which can be exploited by malicious users to bypass certain security restrictions.

The security issue is caused due to an error in the GridFTP server during the authentication phase and can be exploited to login as the last user in the "/etc/passwd" file.

Successful exploitation requires a gridmap file to be improperly configured with a valid user DN mapped to an invalid user account.

The security issue is reported in the following versions:
* Globus Toolkit releases 5.2.0 and 5.2.1.
* Globus Toolkit pre-5.2.0 for *threaded* flavor servers only.

Solution:
Install updated GridFTP package (please see the vendor's advisory for details).

Provided and/or discovered by:
The vendor credits Doug Strain and Neha Sharma.

Original Advisory:
http://lists.globus.org/pipermail/security-announce/2012-May/000019.html

http://secunia.com/advisories/49661/

Release Date : 2012-06-21

Criticality level : Highly critical
Impact : System access
Where : From remote
Solution Status : Vendor Patch

Software: Winamp 5.x

Description:
Multiple vulnerabilities have been reported in Winamp, which can be exploited by malicious people to compromise a user's system.

1) An error in bmp.w5s when allocating memory using values from the "strf" chunk to process BI_RGB video data within AVI files can be exploited to cause a heap-based buffer overflow.

2) An error in bmp.w5s when allocating memory using values from the "strf" chunk to process UYVY video data within AVI files can be exploited to cause a heap-based buffer overflow.

3) An error in bmp.w5s when processing decompressed TechSmith Screen Capture Codec (TSCC) data within AVI files can be exploited to cause a heap-based buffer overflow.

4) Some unspecified errors in the in_mod.dll module when processing Impulse Tracker (IT) files can be exploited to corrupt memory.

Successful exploitation of the vulnerabilities allows execution of arbitrary code.

The vulnerabilities #1 through #3 are confirmed in version 5.622. Other versions may also be affected.

Solution:
Update to version 5.63 Build 3234.

Provided and/or discovered by:
1 - 3) Hossein Lotfi via Secunia.
4) The vendor credits Jeremy Brown via MSVR.

Original Advisory:
Winamp:
http://forums.winamp.com/showthread.php?t=345684

http://secunia.com/advisories/46624/

Cisco Adaptive Security Appliances Denial of Service Vulnerability

Release Date : 2012-06-21

Criticality level : Moderately critical
Impact : DoS
Where : From remote
Solution Status : Vendor Patch

Operating System: Cisco Adaptive Security Appliance (ASA) 8.x
Cisco ASA 5500 Series Adaptive Security Appliances

Description:
A vulnerability has been reported in Cisco Adaptive Security Appliances (ASA), which can be exploited by malicious people to cause a DoS (Denial of Service).

The vulnerability is caused due to an unspecified error when handling IPv6 transit traffic and can be exploited to cause a reload of the affected device.

Successful exploitation requires the device to be configured in transparent firewall mode with system logging enabled for message ID 110003.

Please see the vendor's advisory for a list of affected versions.

Solution:
Update to a fixed version (please see the vendor's advisory for details).

Provided and/or discovered by:
Reported by the vendor.

Original Advisory:
Cisco:
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20120620-asaipv6

http://secunia.com/advisories/49647/

Release Date : 2012-06-21

Criticality level : Less critical
Impact : Security Bypass
Where : From local network
Solution Status : Unpatched

Operating System: Huawei HG866

Description:
A vulnerability has been reported in Huawei HG866, which can be exploited by malicious people to bypass certain security restrictions.

The vulnerability is caused due to the device allowing unrestricted access to the "password.html" script. This can be exploited to e.g. change the administrator password via a specially crafted HTTP request and gain administrative access to the device.

Solution:
Restrict access to trusted hosts only.

Provided and/or discovered by:
hkm

http://secunia.com/advisories/49575/