Spyware, viruses, & security forum: VULNERABILITIES / FIXES - February 19, 2013

dbus-glib D-Bus GLib Bindings "NameOwnerChanged" Signal Handling Vulnerability

Release Date : 2013-02-19

Criticality level: Less critical
Impact : Privilege escalation
Where: Local system
Solution Status : Vendor Patch

Software: dbus-glib D-Bus GLib Bindings 0.x

Description:
A vulnerability has been reported in dbus-glib D-Bus GLib Bindings, which can be exploited by malicious, local users to perform certain actions with escalated privileges.

The vulnerability is caused due to the "dbus_g_proxy_manager_filter()" function (dbus/dbus-gproxy.c) not properly verifying the sender of "NameOwnerChanged" signals, which can be exploited to spoof a privileged signal.

The vulnerability is reported in versions prior to 0.100.1.

Solution:
Update to version 0.100.1.

Provided and/or discovered by:
The vendor credits Sebastian Krahmer.

Original Advisory:
https://bugs.freedesktop.org/show_bug.cgi?id=60916
http://www.openwall.com/lists/oss-security/2013/02/15/10

http://secunia.com/advisories/52225/

WordPress Car Demon Plugin Multiple Script Insertion Vulnerabilities

Release Date : 2013-02-19

Criticality level : Less critical
Impact : Cross Site Scripting
Where : From remote
Solution Status : Unpatched

Software: WordPress Car Demon Plugin 1.x

Description:
Zhao Liang has discovered multiple vulnerabilities in the Car Demon plugin for WordPress, which can be exploited by malicious users to conduct script insertion attacks.

1) Input passed via the "_msrp_value", "_rebates_value", "_discount_value", "_price_value", " _exterior_color_value", "_interior_color_value", "_mileage_value", "_stock_value", "_images_value", " _cylinders_value", "_doors_value", and "_fuel_type_value" parameters to /wp-admin/post.php (when "post_type" is set to "cars_for_sale") is not properly sanitised before being displayed to the user. This can be exploited to insert arbitrary HTML and script code, which will be executed in a user's browser session in content of an affected site when the malicious data is being viewed.

2) Input passed via the "default_service_name", "default_parts_name", and "default_finance_name" parameters to /wp-admin/edit.php (when "post_type" is set to "cars_for_sale" and "page" is set to "car_demon_plugin_options") is not properly sanitised before being displayed to the user. This can be exploited to insert arbitrary HTML and script code, which will be executed in a user's browser session in content of an affected site when the malicious data is being viewed.

Successful exploitation of the vulnerabilities requires "Editor" permissions.

The vulnerabilities are confirmed in version 1.0.1. Other versions may also be affected.

Solution:
No official solution is currently available.

Provided and/or discovered by:
Zhao Liang, Beijing Leadsec Technology via Secunia.

http://secunia.com/advisories/51088/

nss-pam-ldapd File Descriptor Handling Buffer Overflow Vulnerability

Release Date : 2013-02-19

Criticality level : Less critical
Impact : System access
Where : From local network
Solution Status : Vendor Patch

Software: nss-pam-ldapd 0.x

Description:
A vulnerability has been reported in nss-pam-ldapd, which can be exploited by malicious people to compromise a vulnerable system.

The vulnerability is caused due to an array indexing error when handling FD_SETSIZE and performing NSS lookups, which can be exploited to cause a stack-based buffer overflow.

Successful exploitation may allow execution of arbitrary code but requires an application that performs NSS lookups.

The vulnerability is reported in versions prior to 0.7.18 and 0.8.11.

Solution:
Update to version 0.7.18 or 0.8.11.

Provided and/or discovered by:
The vendor credits Garth Mollett.

Original Advisory:
http://arthurdejong.org/nss-pam-ldapd/CVE-2013-0288
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=690319

http://secunia.com/advisories/52212/

Release Date : 2013-02-19

Criticality level : Highly critical
Impact : Manipulation of data
Exposure of sensitive information
DoS
System access
Where : From remote
Solution Status : Vendor Patch

Operating System : openSUSE 12.1

Description:
SUSE has issued an update for java-1_6_0-openjdk. This fixes multiple vulnerabilities, which can be exploited by malicious people to disclose certain sensitive information, manipulate certain data, cause a DoS (Denial of Service), and compromise a vulnerable system.

Solution:
Apply updated packages via the zypper package manager.

Original Advisory:
openSUSE-SU-2013:0308-1:
http://lists.opensuse.org/opensuse-security-announce/2013-02/msg00013.html

http://secunia.com/advisories/52220/

Release Date : 2013-02-19

Criticality level : Moderately critical
Impact : Manipulation of data
Where : From remote
Solution Status : Vendor Patch

Software: PHP-Fusion 7.x

Description:
Two vulnerabilities have been discovered in PHP-Fusion, which can be exploited by malicious users and malicious people to conduct SQL injection attacks.

Input passed via the "user" and "admin" cookies to e.g. news.php is not properly sanitised in includes/classes/Authenticate.class.php before being used in a SQL query. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code.

The vulnerabilities are confirmed in version 7.02.05. Other versions may also be affected.

Solution:
Update to version 7.02.06.

Provided and/or discovered by:
Krzysztof Katowicz-Kowalewski

Original Advisory:
Krzysztof Katowicz-Kowalewski:
http://packetstormsecurity.com/files/120368/PHP-Fusion-CMS-7.02.05-SQL-Injection.html

http://secunia.com/advisories/52226/

Release Date : 2013-02-19

Criticality level : Less critical
Impact : Security Bypass
Where : From remote
Solution Status : Vendor Patch

Software: Sonar 3.x

Description:
A security issue has been reported in Sonar, which can be exploited by malicious users to bypass certain security restrictions.

The security issue is caused due to an error when handling project analysis, which leads to a reset of project roles to default values.

The security issue is reported in version 3.4. Prior versions may also be affected.

Solution:
Update to version 3.4.1 (please see the vendor's advisory for details).

Provided and/or discovered by:
Reported by the vendor.

Original Advisory:
http://docs.codehaus.org/display/SONAR/Release+3.4.1+Upgrade+Notes
https://jira.codehaus.org/browse/SONAR-4050

http://secunia.com/advisories/52069/

Release Date : 2013-02-19

Criticality level : Less critical
Impact : Cross Site Scripting
Exposure of system information
Where : From remote

Software: CometChat 4.x

Description:
Two vulnerabilities have been reported in CometChat, which can be exploited by malicious users to disclose certain system information and by malicious people to conduct cross-site scripting attacks.

1) Input passed via the "id" GET parameter to plugins/handwrite/index.php (when "basedata" is set to "null" and "embed" is set to "web") is not properly sanitised before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user's browser session in the context of an affected site.

2) Input passed via the "action" GET parameter to modules/chatrooms/chatrooms.php is not properly sanitised before being passed to the "call_user_func()" function. This can be exploited to e.g. disclose certain system information by invoking the "phpinfo()" method.

The vulnerabilities are reported in version 4.6. Other versions may also be affected.

Solution:
No official solution is currently available.

Provided and/or discovered by:
B127Y

Original Advisory:
B127Y:
http://www.janissaries.org/exploits/1

http://secunia.com/advisories/52182/