Spyware, viruses, & security forum: VULNERABILITIES / FIXES - July 26, 2012

Release Date : 2012-07-26

Criticality level : Highly critical
Impact : Security Bypass
Cross Site Scripting
Spoofing
Exposure of sensitive information
System access
Where : From remote
Solution Status : Unpatched

Software: Apple Safari 5.x

Description:
Multiple vulnerabilities have been reported in Apple Safari for Mac OS X, which can be exploited by malicious people to conduct cross-site scripting and spoofing attacks, disclose sensitive information, bypass certain security restrictions, and compromise a user's system.

1) An error when handling "feed:" URLs can be exploited to conduct cross-site scripting attacks.

2) An access control error within the handling of the "feed:" URLs can be exploited to upload arbitrary files to a server by tricking the user to visiting a malicious site.

3) An error within the autocomplete feature can be exploited to bypass the attribute and autocomplete passwords.

4) An error when handling the HTTP "Content-Disposition" header can be exploited to open an attachment without showing the "Open" dialog prompt and conduct cross-site scripting attacks.

5) Multiple errors exist due to a bundled vulnerable version of WebKit.

8) A cross-origin error in the WebKit component when handling drag and drop events can be exploited to bypass the same-origin policy and disclose certain files by tricking the user into visiting a malicious website.

9) A cross-origin error in the WebKit component when handling CSS property values can be exploited to bypass the same-origin policy and disclose certain information by tricking the user into visiting a malicious website.

10) An error exists within the cross-origin policy when parenting pop-up windows.

11) A cross-origin error can be exploited to disclose the iFrame fragment ID.

12) An error within the International Domain Name (IDN) support feature can be exploited to spoof a URL containing look-alike characters and trick a user into visiting a malicious website.

13) An error within the WebKit component when handling drag and drop events can be exploited to disclose filesystem path of certain files.

14) A canonicalization error within the handling of URLs can be exploited to conduct cross-site scripting attacks via a specially crafted "location.href" property.

15) An error when handling WebSockets can be exploited to conduct HTTP request splitting attacks.

16) An error within the history handling can be exploited to spoof the URL bar.

17) An error exists within the WebProcess and can be exploited to bypass the sandbox restrictions.

18) An error when handling SVG images can be exploited to disclose the contents of arbitrary memory locations.

The vulnerabilities are reported in versions prior to 6.0 on OS X Lion version 10.7.4 and OS X Lion Server version 10.7.4.

Solution:
Upgrade to Safari version 6.0 via Apple Software Update.

Provided and/or discovered by:
9, 18) Reported by the vendor.

The vendor credits:
1) Masato Kinugawa
2, 17) Aaron Sigel, vtty.com
3) Dan Poltawski, Moodle
4) Mickey Shkatov of laplinker.com, Kyle Osborn, and Hidetake Jo of Microsoft Vulnerability Research (MSVR)
7, 8) David Bloom, Cue
13) Daniel Cheng, Google and Aaron Sigel, vtty.com
14) Masato Kinugawa
15) David Belcher, BlackBerry Security Incident Response Team

The vendor also credits Dave Mandelin of Mozilla, Martin Barbella of Google, Jose A. Vazquez of spa-s3c.blogspot.com via iDefense, Dave Mandelin of Mozilla, miaubiz, Skylined of Google, Abhishek Arya of Google, David Levin of Chromium development community, Cris Neckar of Google, Stephen Chenney of the Chromium development community, Slawomir Blazek, Julien Chaffraix of the Chromium development community, Thomas Sepez of the Chromium development community, Trevor Squires of propaneapp.com, Arthur Gerkis, Chris Leary of Mozilla, Adam Barth of Google, wushi of team509 via iDefense, Robin Cao of Torch Mobile (Beijing)

Original Advisory:
APPLE-SA-2012-07-25-1:
http://support.apple.com/kb/HT5400

http://secunia.com/advisories/50058/

Release Date : 2012-07-26

Criticality level : Moderately critical
Impact : DoS
Where : From remote
Solution Status : Vendor Patch

Operating System: NetBSD 4.0

Description:
NetBSD has issued an update for bind. This fixes a vulnerability, which can be exploited by malicious people to cause a DoS (Denial of Service).

Solution:
Fixed in the CVS repository (please see the vendor advisory for details).

Original Advisory:
NetBSD-SA2012-004:
http://ftp.netbsd.org/pub/NetBSD/security/advisories/NetBSD-SA2012-004.txt.asc

http://secunia.com/advisories/50054/

Drupal Gallery Formatter Module Unspecified Script Insertion Vulnerability

Release Date : 2012-07-26

Criticality level : Less critical
Impact : Cross Site Scripting
Where : From remote
Solution Status : Vendor Patch

Software: Drupal Gallery formatter Module 7.x

Description:
A vulnerability has been reported in the Gallery formatter module for Drupal, which can be exploited by malicious users to conduct script insertion attacks.

Certain unspecified input is not properly sanitised before being used. This can be exploited to insert arbitrary HTML and script code, which will be executed in a user's browser session in context of an affected site when the malicious data is being viewed.

Successful exploitation requires permission to create the nodes or entities using the formatter.

The vulnerabilities are reported in 7.x-1.x. versions prior to 7.x-1.2.http://secunia.com/advisories/50065/

Solution:
Update to version 7.x-1.2.

Provided and/or discovered by:
The vendor credits Sudipta Bandyopadhyay.

Original Advisory:
SA-CONTRIB-2012-115:
http://drupal.org/node/1700578

http://secunia.com/advisories/50065/

Release Date : 2012-07-26

Criticality level : Less critical
Impact : Manipulation of data
Where : From local network
Solution Status : Vendor Patch

Software: Dell SonicWALL Scrutinizer 9.x

Description:
muts has reported a vulnerability in Dell SonicWALL Scrutinizer, which can be exploited by malicious people to conduct SQL injection attacks.

Input passed via the "q" parameter to d4d/statusFilter.php is not properly sanitised before being used in SQL queries. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code.

The vulnerability is reported in versions 9.0.0, 9.0.1, and 9.5.0.

Solution:
Update to version 9.5.2.

Provided and/or discovered by:
muts, Offensive Security.

Original Advisory:
muts:
http://www.exploit-db.com/exploits/20033/

US-CERT (VU#404051)
http://www.kb.cert.org/vuls/id/404051

Dell:
http://www.sonicwall.com/shared/download/Dell_SonicWALL_Scrutinizer_Service_Bulletin_for_SQL_injection_vulnerability_CVE.pdf

http://secunia.com/advisories/50052/

RT Authen::ExternalAuth Extension Security Bypass Vulnerability

Release Date : 2012-07-26

Criticality level : Moderately critical
Impact : Security Bypass
Where : From remote
Solution Status : Vendor Patch

Software: RT Authen::ExternalAuth Extension 0.x

Description:
A vulnerability has been reported in the Authen::ExternalAuth extension for RT, which can be exploited by malicious people to bypass certain security restrictions.

The vulnerability is caused due to an error when handling the URLs of RSS feeds and can be exploited to gain a logged-in session of a user hosting a RSS feed.

The vulnerability is reported in versions 0.10 and prior.

Solution:
Apply update or patch.

Provided and/or discovered by:
Reported by the vendor.

http://secunia.com/advisories/50060/

Release Date : 2012-07-26

Criticality level : Moderately critical
Impact : Unknown
Where : From remote
Solution Status : Vendor Patch

Software: SAP Sybase IQ 15.x
Sybase Adaptive Server Enterprise 15.x
Sybase EAServer 6.x
Sybase Open Server 15.x
Sybase OpenServer/SDK 15.x
Sybase RAP 4.x
Sybase Replication Server 15.x

Description:
A vulnerability with an unknown impact has been reported in multiple Sybase products.

The vulnerability is caused due to an unspecified error related to TDS login protocol. No further information is currently available.

Please see the vendor's advisory for a list of affected products.

Solution:
Apply the latest EBFs (please see the vendor's advisory for details).

Provided and/or discovered by:
The vendor credits Martin Rakhmanov, Application Security Inc.

Original Advisory:
http://www.sybase.com/detail?id=1098869

http://secunia.com/advisories/50037/

RT Authen::ExternalAuth Extension Security Bypass Vulnerability

Release Date : 2012-07-26

Criticality level : Moderately critical
Impact : Security Bypass
Where : From remote
Solution Status : Vendor Patch

Software: RT Authen::ExternalAuth Extension 0.x

Description:
A vulnerability has been reported in the Authen::ExternalAuth extension for RT, which can be exploited by malicious people to bypass certain security restrictions.

The vulnerability is caused due to an error when handling the URLs of RSS feeds and can be exploited to gain a logged-in session of a user hosting a RSS feed.

The vulnerability is reported in versions 0.10 and prior.

Solution:
Apply update or patch.

Provided and/or discovered by:
Reported by the vendor.

http://secunia.com/advisories/50060/

Release Date : 2012-07-26

Criticality level : Not critical
Impact : Spoofing
Where : From remote
Solution Status : Vendor Patch

Software: Drupal Secure Login Module 7.x

Description:
A weakness has been reported in the Secure Login module for Drupal, which can be exploited by malicious people to conduct spoofing attacks.

Certain unspecified input is not properly verified before being used to redirect users. This can be exploited to redirect a user to an arbitrary website e.g. when a user clicks a specially crafted link to the affected script hosted on a trusted domain.

The weakness is reported in 7.x-1.x versions prior to 7.x-1.3.

Solution:
Update to version 7.x-1.3.

Provided and/or discovered by:
The vendor credits Albert Martin.

Original Advisory:
SA-CONTRIB-2012-118:
http://drupal.org/node/1700594

http://secunia.com/advisories/50067/