Spyware, viruses, & security forum: VULNERABILITIES / FIXES - September 19, 2012

Release Date : 2012-09-19

Criticality level : Highly critical
Impact: System access
Where : From remote
Solution Status : Vendor Patch

Software: SumatraPDF 2.x

Description:
Microsoft has reported two vulnerabilities in SumatraPDF, which can be exploited by malicious people to compromise a user's system.

The vulnerabilities are caused due to unspecified errors when processing PDF files and can be exploited to corrupt memory.

Successful exploitation may allow execution of arbitrary code, but requires tricking a user into opening a malicious file.

The vulnerabilities are reported in version 2.0.1 and prior.

Solution:
Update to version 2.1.

Provided and/or discovered by:
John Leitch, Microsoft

Original Advisory:
Microsoft (MSVR12-014):
http://technet.microsoft.com/en-us/security/msvr/msvr12-014

http://secunia.com/advisories/50656/

Release Date : 2012-09-19

Criticality level : Less critical
Impact: Dos
Where : From local network
Solution Status : Vendor Patch

Operating System : Ubuntu Linux 10.04

Description:
Ubuntu has issued an update for the kernel. This fixes two vulnerabilities, which can be exploited by malicious, local users and malicious people to cause a DoS (Denial of Service).

Solution:
Apply updated packages.

Original Advisory:
USN-1572-1:
http://www.ubuntu.com/usn/usn-1572-1

USN-1573-1:
http://www.ubuntu.com/usn/usn-1573-1

http://secunia.com/advisories/50677/

Release Date : 2012-09-19

Criticality level : Moderately critical
Impact: Security Bypass
Exposure of sensitive information
System access
Where : From remote
Solution Status : Unpatched

Software: TorrentTrader 2.x

Description:
Janek Vind has discovered a weakness and two vulnerabilities in TorrentTrader, which can be exploited by malicious users to compromise a vulnerable system and by malicious people to enumerate user names and bypass certain security restrictions.

1) The application sends different responses when using a valid or an invalid user name via the account-login.php script and can be exploited to enumerate user names.

2) The application improperly restricts access to the account-ce.php script and can be exploited to change the email address of an arbitrary user and subsequently request a password reset.

3) Input passed via the "id" parameter to nfo-edit.php is not properly sanitised before being used to create a .nfo file. This can be exploited to execute arbitrary PHP code by creating a PHP file with appended ".nfo" extension in an arbitrary location via directory traversal sequences.

Successful exploitation requires access rights to edit .nfo files and that Apache is not configured to handle the mime-type for a ".nfo" extension (not configured to handle by default).

The weakness and the vulnerabilities are confirmed in version 2.0.8. Other versions may also be affected.

Solution:
No official solution is currently available.

Provided and/or discovered by:
Janek Vind "waraxe"

Original Advisory:
http://www.waraxe.us/advisory-89.html

http://secunia.com/advisories/50657/

Release Date : 2012-09-19

Criticality level : Moderately critical
Impact: Security Bypass
DoS
System access
Where : From remote
Solution Status : Vendor Patch

Operating System : Debian GNU/Linux 6.0

Description:
Debian has issued an update for asterisk. This fixes multiple vulnerabilities, which can be exploited by malicious users to bypass certain security restrictions, cause a DoS (Denial of Service), and compromise a vulnerable system.

Solution:
Apply updated packages via the apt-get package manager.

Original Advisory:
DSA-2550-1:
http://www.debian.org/security/2012/dsa-2550

http://secunia.com/advisories/50687/

Release Date : 2012-09-19

Criticality level : Highly critical
Impact: DoS
System access
Where : From remote
Solution Status : Vendor Patch

Operating System : Red Hat Enterprise Linux Desktop 5
Red Hat Enterprise Linux Desktop 6
Red Hat Enterprise Linux HPC Node 6
Red Hat Enterprise Linux Server 5
Red Hat Enterprise Linux Server 6
Red Hat Enterprise Linux Workstation 6
RHEL Desktop Workstation 5

Description:
Red Hat has issued an update for libxml2. This fixes multiple vulnerabilities, which can be exploited by malicious people to cause a DoS (Denial of Service) and compromise an application using the library.

Solution:
Updated packages are available via Red Hat Network.

Original Advisory:
RHSA-2012:1288-1:
https://rhn.redhat.com/errata/RHSA-2012-1288.html

http://secunia.com/advisories/50658/

Release Date : 2012-09-19

Criticality level : Highly critical
Impact: Unknown
Cross Site Scripting
System access
Where : From remote
Solution Status : Vendor Patch

Operating System : openSUSE 12.1

Description:
SUSE has issued an update for chromium. This fixes multiple vulnerabilities, where some have an unknown impact and others can be exploited by malicious people to conduct cross-site scripting attacks and compromise a user's system.

Solution:
Apply updated packages via the zypper package manager.

Original Advisory:
openSUSE-SU-2012:1215-1:
http://lists.opensuse.org/opensuse-updates/2012-09/msg00080.html

http://secunia.com/advisories/50667/

Release Date : 2012-09-19

Criticality level : Less critical
Impact: DoS
Where : From local network
Solution Status : Vendor Patch

Operating System : Ubuntu Linux 10.04
Ubuntu Linux 11.04
Ubuntu Linux 11.10
Ubuntu Linux 12.04

Description:
Ubuntu has issued an update for isc-dhcp and dhcp3. This fixes a security issue, which can be exploited by malicious people to cause a DoS (Denial of Service).

Solution:
Apply updated packages.

Original Advisory:
USN-1571-1:
http://www.ubuntu.com/usn/usn-1571-1/

http://secunia.com/advisories/49084/

Release Date : 2012-09-19

Criticality level : Less critical
Impact: Cross Site Scripting
Where : From remote
Solution Status : Vendor Patch

Operating System : Cisco Identity Services Engine (ISE) 1.x

Description:
A vulnerability has been reported in Cisco Identity Services Engine, which can be exploited by malicious people to conduct cross-site request forgery attacks.

The device allows users to perform certain actions via HTTP requests without performing proper validity checks to verify the requests. This can be exploited to perform certain unspecified actions against the Administrator user interface when a logged-in user visits a specially crafted web page.

Solution:
Update to version 1.1.0.665 Cumulative Patch 1 or later.

Provided and/or discovered by:
Reported by the vendor.

Original Advisory:
CSCty46684:
http://www.cisco.com/en/US/docs/security/ise/1.1/release_notes/ise1.1_rn.html

http://secunia.com/advisories/50680/

Release Date : 2012-08-28
Last Update : 2012-09-19

Criticality level : Moderately critical
Impact : Security Bypass
Cross Site Scripting
Exposure of sensitive information
Where : From remote
Solution Status : Unpatched

Software: Symantec Messaging Gateway 9.x

Description:
A weakness and multiple vulnerabilities have been reported in Symantec Messaging Gateway, which can be exploited by malicious users to bypass certain security restrictions and by malicious people to disclose certain sensitive information and conduct cross-site scripting, request forgery, and script insertion attacks.

1) Certain input passed via web content is not properly sanitised before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user's browser session.

2) The application allows users to perform certain actions via HTTP requests without performing proper validity checks to verify the requests. This can be exploited to e.g. add an administrative user when a logged-in administrative user visits a specially crafted web page.

3) An error within the management interface can be exploited to perform otherwise restricted actions and e.g. modify the underlying web application.

4) The weakness is caused due to the application disclosing detailed component version information.

5) Certain input passed via email content is not properly sanitised before being used. This can be exploited to insert arbitrary HTML and script code, which will be executed in a user's browser session in context of an affected site if malicious data is viewed.

The vulnerabilities are reported in versions 9.5.x and prior.

Solution:
Upgrade to version 10.

Provided and/or discovered by:
Ben Williams, NCC Group.

Original Advisory:
SYM12-013:
http://www.symantec.com/security_response/securityupdates/detail.jsp?fid=security_advisory&pvid=security_advisory&suid=20120827_00

NCC Group (NGS00263, NGS00265, NGS00268):
http://archives.neohapsis.com/archives/bugtraq/current/0086.html
http://archives.neohapsis.com/archives/bugtraq/current/0087.html
http://archives.neohapsis.com/archives/bugtraq/current/0085.html

http://secunia.com/advisories/50435

WordPress Answer My Question Plugin "user_name" and "subject" Script Insertion Vulnerabilities

Release Date : 2012-09-19

Criticality level : Moderately critical
Impact: Cross Site Scripting
Where : From remote
Solution Status : Vendor Patch

Software: WordPress Answer My Question Plugin 1.x

Description:
Two vulnerabilities have been reported in the Answer My Question plugin for WordPress, which can be exploited by malicious people to conduct script insertion attacks.

Input passed via the "user_name" and "subject" parameters is not properly sanitised in record_question.php before being used. This can be exploited to insert arbitrary HTML and script code, which will be executed in a user's browser session in context of an affected site if malicious data is viewed.

The vulnerabilities are reported in versions prior to 1.2.

Solution:
Update to version 1.2.

Provided and/or discovered by:
Reported by the vendor.

Original Advisory:
http://wordpress.org/extend/plugins/answer-my-question/changelog/
http://plugins.trac.wordpress.org/changeset/600481/answer-my-question

http://secunia.com/advisories/50655/

osCommerce Website Payments Standard Module Merchant Email Address Security Bypass

Release Date : 2012-09-19

Criticality level : Less critical
Impact: Security Bypass
Where : From remote
Solution Status : Unpatched

Software: osCommerce 2.x

Description:
A vulnerability has been reported in osCommerce, which can be exploited by malicious users to bypass certain security restrictions.

Input passed via the merchant's PayPal email address is not properly verified before being used to initiate a PayPal transaction and can be exploited to modify a merchant's email address and subsequently the payee of a PayPal transaction.

Successful exploitation requires the PayPal Website Payments Standard module to be enabled, a PayPal transaction utilising the module, and the "Encrypted Web Payments" module configuration to be disabled (disabled by default).

The vulnerability is reported in osCommerce version 2.3.1 running with PayPal Website Payments Standard module version 1.0.

Solution:
No official solution is currently available. Reportedly, an updated version 2.3.4 with PayPal Website Payments Standard module version 1.1 will address this vulnerability.

Provided and/or discovered by:
US-CERT credits Giancarlo Pellegrino, SAP Research.

Original Advisory:
US-CERT VU#459446:
http://www.kb.cert.org/vuls/id/459446

http://secunia.com/advisories/50640/