Ad: Manage updates with the Download App
ie8 fix

Spyware, viruses, & security forum: VULNERABILITIES / FIXES - February 21, 2013

by: Carol~ February 21, 2013 7:17 AM PST

Like this

0 people like this thread

Staff pick

VULNERABILITIES / FIXES - February 21, 2013

by Carol~ Moderator - 2/21/13 7:17 AM

Drupal Image Derivatives Generation Denial of Service Vulnerability

Release Date : 2013-02-21

Criticality level : Less critical
Impact : DoS
Where : From remote
Solution Status : Vendor Patch

Software: Drupal 7.x

Description:
A vulnerability has been reported in Drupal, which can be exploited by malicious people to cause a DoS (Denial of Service).

The vulnerability is caused due to an error related to on-demand generation of image derivatives and can be exploited to exhaust resources.

The vulnerability is reported in versions prior to 7.20.

Solution:
Update to version 7.20.

Provided and/or discovered by:
The vendor credits Ber Kessels, aBrookland, and Chad Fennell.

Original Advisory:
http://drupal.org/SA-CORE-2013-002
http://drupal.org/drupal-7.20-release-notes

http://secunia.com/advisories/52302/


Reply
Report offensive post
Email to friend

Drupal Menu Reference Module Menu Link Title Script

by Carol~ Moderator - 2/21/13 7:22 AM

In Reply to: VULNERABILITIES / FIXES - February 21, 2013 by Carol~ Moderator

Drupal Menu Reference Module Menu Link Title Script Insertion Vulnerability

Release Date : 2013-02-21

Criticality level : Less critical
Impact : Cross Site Scripting
Where : From remote
Solution Status : Vendor Patch

Software: Drupal Menu Reference Module 7.x

Description:
A vulnerability has been reported in the Menu Reference module for Drupal, which can be exploited by malicious users to conduct script insertion attacks.

Input passed via the menu link title is not properly sanitised before being used. This can be exploited to insert arbitrary HTML and script code, which will be executed in a user's browser session in context of an affected site when the malicious data is being viewed.

Successful exploitation requires the "Administer menus and menu items" permission.

The vulnerability is reported in 7.x-1.x versions prior to 7.x-1.0.

Solution:
Update to version 7.x-1.1.

Provided and/or discovered by:
The vendor credits Tamas Demeter-Haludka

Original Advisory:
SA-CONTRIB-2013-022:
http://drupal.org/node/1922446

http://secunia.com/advisories/52296/


Was this reply helpful? (0)   (0)

Staff pick

Reply
Report offensive post
Email to friend

Drupal Varnish HTTP Accelerator Integration Module Script

by Carol~ Moderator - 2/21/13 7:22 AM

In Reply to: VULNERABILITIES / FIXES - February 21, 2013 by Carol~ Moderator

Drupal Varnish HTTP Accelerator Integration Module Script Insertion Vulnerabilities

Release Date : 2013-02-21

Criticality level : Less critical
Impact : Cross Site Scripting
Where : From remote
Solution Status : Vendor Patch

Software: Drupal Varnish HTTP Accelerator Integration Module 6.x

Description:
Some vulnerabilities have been reported in the Varnish HTTP Accelerator Integration module for Drupal, which can be exploited by malicious users to conduct script insertion attacks.

Certain input related to configuration settings is not properly sanitised before being used. This can be exploited to insert arbitrary HTML and script code, which will be executed in a user's browser session in context of an affected site when the malicious data is being viewed.

Successful exploitation requires the "Administer Varnish" permission.

The vulnerabilities are reported in 6.x-1.x versions prior to 6.x-1.2.

Solution:
Update to version 6.x-1.2.

Provided and/or discovered by:
The vendor credits Ivo Van Geertruyen, Drupal Security Team.

Original Advisory:
SA-CONTRIB-2013-023:
http://drupal.org/node/1922756

http://secunia.com/advisories/52295/


Was this reply helpful? (0)   (0)

Staff pick

Reply
Report offensive post
Email to friend

Drupal Taxonomy Manager Module Cross-Site Request

by Carol~ Moderator - 2/21/13 7:23 AM

In Reply to: VULNERABILITIES / FIXES - February 21, 2013 by Carol~ Moderator

Drupal Taxonomy Manager Module Cross-Site Request Forgery Vulnerability

Release Date : 2013-02-21

Criticality level : Less critical
Impact : Cross Site Scripting
Where : From remote
Solution Status : Vendor Patch

Software: Drupal Taxonomy Manager Module 6.x

Description:
A vulnerability has been reported in the Taxonomy Manager module for Drupal, which can be exploited by malicious people to conduct cross-site request forgery attacks.

The application allows users to perform certain actions via HTTP requests without performing any validity checks to verify the requests. This can be exploited to perform certain unspecified requests if a logged-in administrative user visits a malicious web site.

The vulnerability is reported in 6.x-2.x versions prior to 6.x-2.2.

Solution:
Update to version 6.x-2.3.

Provided and/or discovered by:
Reported by the vendor.

Original Advisory:
SA-CONTRIB-2013-018:
http://drupal.org/node/1922410

http://secunia.com/advisories/52300/


Was this reply helpful? (0)   (0)

Staff pick

Reply
Report offensive post
Email to friend

Ubuntu update for keystone

by Carol~ Moderator - 2/21/13 7:23 AM

In Reply to: VULNERABILITIES / FIXES - February 21, 2013 by Carol~ Moderator

Release Date : 2013-02-21

Criticality level : Less critical
Impact : Security Bypass
Exposure of sensitive information
DoS
Where : From remote
Solution Status : Vendor Patch

Operating System: Ubuntu Linux 12.04

Description:
Ubuntu has issued an update for keystone. This fixes multiple vulnerabilities, which can be exploited by malicious users to bypass certain security restrictions and disclose certain sensitive information and by malicious people to cause a DoS (Denial of Service).

Solution:
Apply updated packages.

Original Advisory:
USN-1730-1:
http://www.ubuntu.com/usn/usn-1730-1/

http://secunia.com/advisories/52288/


Was this reply helpful? (0)   (0)

Staff pick

Reply
Report offensive post
Email to friend

Red Hat update for java-1.6.0-sun

by Carol~ Moderator - 2/21/13 7:23 AM

In Reply to: VULNERABILITIES / FIXES - February 21, 2013 by Carol~ Moderator

Release Date : 2013-02-21

Criticality level : Highly critical
Impact : Exposure of sensitive information
System access
Where: From remote
Solution Status : Vendor Patch

Software:
Red Hat Enterprise Linux Desktop Supplementary (v. 6)
Red Hat Enterprise Linux HPC Node Supplementary (v. 6)
Red Hat Enterprise Linux Server Supplementary (v. 6)
Red Hat Enterprise Linux Workstation Supplementary (v. 6)
RHEL Desktop Supplementary (v. 5 client)
RHEL Supplementary (v. 5 server)

Description:
Red Hat has issued an update for java-1.6.0-sun. This fixes multiple vulnerabilities, which can be exploited by malicious people to disclose certain sensitive information and compromise a user's system.

Solution:
Updated packages are available via Red Hat Network.

Original Advisory:
RHSA-2013:0531-01:
https://rhn.redhat.com/errata/RHSA-2013-0531.html

http://secunia.com/advisories/52307/


Was this reply helpful? (0)   (0)

Staff pick

Reply
Report offensive post
Email to friend

Red Hat update for java-1.7.0-oracle

by Carol~ Moderator - 2/21/13 7:24 AM

In Reply to: VULNERABILITIES / FIXES - February 21, 2013 by Carol~ Moderator

Release Date : 2013-02-21

Criticality level : Highly critical
Impact : Exposure of sensitive information
Manipulation of data
System access
Where: From remote
Solution Status : Vendor Patch

Software:
Red Hat Enterprise Linux Desktop Supplementary (v. 6)
Red Hat Enterprise Linux HPC Node Supplementary (v. 6)
Red Hat Enterprise Linux Server Supplementary (v. 6)
Red Hat Enterprise Linux Workstation Supplementary (v. 6)
RHEL Desktop Supplementary (v. 5 client)
RHEL Supplementary (v. 5 server)

Description:
Red Hat has issued an update for java-1.7.0-oracle. This fixes multiple vulnerabilities, which can be exploited by malicious people to disclose certain sensitive information, manipulate certain data, and compromise a user's system.

Solution:
Updated packages are available via Red Hat Network.

Original Advisory:
RHSA-2013:0532-01:
https://rhn.redhat.com/errata/RHSA-2013-0532.html

http://secunia.com/advisories/52121/


Was this reply helpful? (0)   (0)

Staff pick

Reply
Report offensive post
Email to friend

Drupal Display Suite Module Script Insertion Vulnerability

by Carol~ Moderator - 2/21/13 7:28 AM

In Reply to: VULNERABILITIES / FIXES - February 21, 2013 by Carol~ Moderator

Release Date : 2013-02-21

Criticality level : Less critical
Impact : Cross Site Scripting
Where : From remote
Solution Status : Vendor Patch

Software: Drupal Display Suite Plugin 7.x

Description:
A vulnerability has been reported in the Display Suite module for Drupal, which can be exploited by malicious users to conduct script insertion attacks.

Certain input is not properly sanitised before being used. This can be exploited to insert arbitrary HTML and script code, which will be executed in a user's browser session in context of an affected site when the malicious data is being viewed.

Successful exploitation requires a contributed module being installed that alter usernames e.g. the realname module and the author field must be displayed as plain text "author".

The vulnerability is reported in 7.x-1.x versions prior to 7.x-1.7 and 7.x-2.x versions prior to 7.x-2.1.

Solution:
Update the a fixed version.

Provided and/or discovered by:
The vendor credits Stephane Corlosquet, Drupal Security Team.

Original Advisory:
SA-CONTRIB-2013-021:
http://drupal.org/node/1922438

http://secunia.com/advisories/52297/


Was this reply helpful? (0)   (0)

Staff pick

Reply
Report offensive post
Email to friend

Red Hat update for dovecot

by Carol~ Moderator - 2/21/13 7:28 AM

In Reply to: VULNERABILITIES / FIXES - February 21, 2013 by Carol~ Moderator

Release Date : 2013-02-21

Criticality level : Less critical
Impact : Spoofing
Where : From remote
Solution Status : Vendor Patch

Operating System:
Red Hat Enterprise Linux Server 6
Red Hat Enterprise Linux Workstation 6

Description:
Red Hat has issued an update for dovecot. This fixes a security issue, which can be exploited by malicious people to conduct spoofing attacks.

Solution:
Updated packages are available via Red Hat Network.

Original Advisory:
RHSA-2013:0520-2:
https://rhn.redhat.com/errata/RHSA-2013-0520.html

http://secunia.com/advisories/52311/


Was this reply helpful? (0)   (0)

Staff pick

Reply
Report offensive post
Email to friend

Red Hat update for sssd

by Carol~ Moderator - 2/21/13 7:28 AM

In Reply to: VULNERABILITIES / FIXES - February 21, 2013 by Carol~ Moderator

Release Date : 2013-02-21

Criticality level : Less critical
Impact : DoS
Where : From local network
Solution Status : Vendor Patch

Operating System:
Red Hat Enterprise Linux Desktop 6
Red Hat Enterprise Linux HPC Node 6
Red Hat Enterprise Linux Server 6
Red Hat Enterprise Linux Workstation 6

Description:
Red Hat has issued an update for sssd. This fixes multiple vulnerabilities, which can be exploited by malicious people to cause a DoS (Denial of Service).

Solution:
Updated packages are available via Red Hat Network.

Original Advisory:
RHSA-2013:0508-02:
https://rhn.redhat.com/errata/RHSA-2013-0508.html

http://secunia.com/advisories/52315/


Was this reply helpful? (0)   (0)

Staff pick

Reply
Report offensive post
Email to friend

NEC Universal RAID Utility Unrestricted Access Permissions

by Carol~ Moderator - 2/21/13 7:28 AM

In Reply to: VULNERABILITIES / FIXES - February 21, 2013 by Carol~ Moderator

NEC Universal RAID Utility Unrestricted Access Permissions Security Issue

Release Date : 2013-02-21

Criticality level : Less critical
Impact : Security Bypass
Where : From local network
Solution Status : Vendor Patch

Software:
NEC Universal RAID Utility 1.x
NEC Universal RAID Utility 2.x

Description:
A security issue has been reported in NEC Universal RAID Utility, which can be exploited by malicious people to bypass certain security restrictions.

The security issue is caused due to the application improperly restricting access permissions, which can be exploited to conduct arbitrary operations on a hard disk being managed by the application via TCP port 52805.

The security issue is reported in versions 1.40 Rev 680 and prior running on Windows and versions 2.31 Rev 1492 and prior and versions 2.5 Rev 2244 and prior running on Windows, Linux and VMware ESX.

Solution:
Update to a fixed version.

Provided and/or discovered by:
The vendor credits Development Department, SAKURA Internet Inc.

Original Advisory:
NEC (Japanese):
http://jpn.nec.com/security-info/secinfo/nv13-004.html

JVN (English):
http://jvn.jp/en/jp/JVN75585394/index.html
http://jvndb.jvn.jp/en/contents/2013/JVNDB-2013-000012.html

JVN (Japanese):
http://jvn.jp/jp/JVN75585394/index.html

http://secunia.com/advisories/52241/


Was this reply helpful? (0)   (0)

Staff pick

Reply
Report offensive post
Email to friend

Piwigo Cross-Site Request Forgery Vulnerability

by Carol~ Moderator - 2/21/13 7:28 AM

In Reply to: VULNERABILITIES / FIXES - February 21, 2013 by Carol~ Moderator

Release Date : 2013-02-21

Criticality level : Less critical
Impact : Cross Site Scripting
Where : From remote
Solution Status : Vendor Patch

Software: Piwigo 2.x

Description:
A vulnerability has been reported in Piwigo, which can be exploited by malicious people to conduct cross-site request forgery attacks.

The application allows users to perform certain actions via HTTP requests without performing proper validity checks to verify the requests. This can be exploited to perform certain actions related to LocalFiles Editor when a logged-in user visits a specially crafted web page.

The vulnerability is reported in versions prior to 2.4.7.

Solution:
Update to version 2.4.7.

Provided and/or discovered by:
The vendor credits High-Tech Bridge SA.

Original Advisory:
http://piwigo.org/forum/viewtopic.php?id=21470
http://freecode.com/projects/piwigo/releases/352431
http://piwigo.org/bugs/view.php?id=0002844

http://secunia.com/advisories/52228/


Was this reply helpful? (0)   (0)

Staff pick

Reply
Report offensive post
Email to friend

Red Hat update for openchange

by Carol~ Moderator - 2/21/13 7:33 AM

In Reply to: VULNERABILITIES / FIXES - February 21, 2013 by Carol~ Moderator

Release Date : 2013-02-21

Criticality level : Moderately critical
Impact : System access
Where : From local network
Solution Status : Vendor Patch

Operating System :
Red Hat Enterprise Linux Desktop 6
Red Hat Enterprise Linux Server 6
Red Hat Enterprise Linux Workstation 6

Description:
Red Hat has issued an update for openchange. This fixes a vulnerability, which can be exploited by malicious people to compromise a vulnerable system.

Solution:
Updated packages are available via Red Hat Network.

Original Advisory:
RHSA-2013:0515-2:
https://rhn.redhat.com/errata/RHSA-2013-0515.html

http://secunia.com/advisories/52317/


Was this reply helpful? (0)   (0)

Staff pick

Reply
Report offensive post
Email to friend

Red Hat update for httpd

by Carol~ Moderator - 2/21/13 7:33 AM

In Reply to: VULNERABILITIES / FIXES - February 21, 2013 by Carol~ Moderator

Release Date : 2013-02-21

Criticality level : Less critical
Impact : Cross Site Scripting
Where : From remote
Solution Status : Vendor Patch

Operating System:
Red Hat Enterprise Linux Desktop 6
Red Hat Enterprise Linux HPC Node 6
Red Hat Enterprise Linux Server 6
Red Hat Enterprise Linux Workstation 6

Description:
Red Hat has issued an update for httpd. This fixes a vulnerability, which can be exploited by malicious people to conduct cross-site scripting attacks.

Solution:
Updated packages are available via Red Hat Network.

Original Advisory:
RHSA-2013:0512-2:
https://rhn.redhat.com/errata/RHSA-2013-0512.html

http://secunia.com/advisories/52319/


Was this reply helpful? (0)   (0)

Staff pick

Reply
Report offensive post
Email to friend

Debian update for postgresql

by Carol~ Moderator - 2/21/13 7:33 AM

In Reply to: VULNERABILITIES / FIXES - February 21, 2013 by Carol~ Moderator

Release Date : 2013-02-21

Criticality level : Less critical
Impact : DoS
Where : From local network
Solution Status : Vendor Patch

Operating System: Debian GNU/Linux 6.0

Description:
Debian has issued an update for postgresql. This fixes a vulnerability, which can be exploited by malicious users to cause a DoS (Denial of Service).

Solution:
Apply updated packages via the apt-get package manager.

Original Advisory:
DSA-2630-1:
http://www.debian.org/security/2013/dsa-2630

http://secunia.com/advisories/52287/


Was this reply helpful? (0)   (0)

Staff pick

Reply
Report offensive post
Email to friend

Red Hat update for pam

by Carol~ Moderator - 2/21/13 7:33 AM

In Reply to: VULNERABILITIES / FIXES - February 21, 2013 by Carol~ Moderator

Release Date : 2013-02-21

Criticality level : Less critical
Impact : Privilege escalation
DoS
Where : Local system
Solution Status : Vendor Patch

Operating System:
Red Hat Enterprise Linux Desktop 6
Red Hat Enterprise Linux HPC Node 6
Red Hat Enterprise Linux Server 6
Red Hat Enterprise Linux Workstation 6

Description:
Red Hat has issued an update for pam. This fixes two vulnerabilities, which can be exploited by malicious, local users to cause a DoS (Denial of Service) and potentially gain escalated privileges.

Solution:
Updated packages are available via Red Hat Network.

Original Advisory:
RHSA-2013:0521-2:
https://rhn.redhat.com/errata/RHSA-2013-0521.html

http://secunia.com/advisories/52291/


Was this reply helpful? (0)   (0)

Staff pick

Reply
Report offensive post
Email to friend

Red Hat update for squid

by Carol~ Moderator - 2/21/13 7:33 AM

In Reply to: VULNERABILITIES / FIXES - February 21, 2013 by Carol~ Moderator

Release Date : 2013-02-21

Criticality level : Less critical
Impact : DoS
Where : From remote
Solution Status : Vendor Patch

Operating System :
Red Hat Enterprise Linux Server 6
Red Hat Enterprise Linux Workstation 6

Description:
Red Hat has issued an update for squid. This fixes a vulnerability, which can be exploited by malicious users to cause a DoS (Denial of Service).

Solution:
Updated packages are available via Red Hat Network.

Original Advisory:
RHSA-2013:0505-2:
https://rhn.redhat.com/errata/RHSA-2013-0505.html

http://secunia.com/advisories/52324/


Was this reply helpful? (0)   (0)

Staff pick

Reply
Report offensive post
Email to friend

Red Hat update for pcsc-lite

by Carol~ Moderator - 2/21/13 7:34 AM

In Reply to: VULNERABILITIES / FIXES - February 21, 2013 by Carol~ Moderator

Release Date : 2013-02-21

Criticality level : Less critical
Impact : System access
DoS
Where : From remote
Solution Status : Vendor Patch

Operating System:
Red Hat Enterprise Linux Desktop 6
Red Hat Enterprise Linux HPC Node 6
Red Hat Enterprise Linux Server 6
Red Hat Enterprise Linux Workstation 6

Description:
Red Hat has issued an update for pcsc-lite. This fixes a vulnerability, which can be exploited by malicious people to cause a DoS (Denial of Service) and potentially compromise a vulnerable system.

Solution:
Updated packages are available via Red Hat Network.

Original Advisory:
RHSA-2013:0525-2:
https://rhn.redhat.com/errata/RHSA-2013-0525.html

http://secunia.com/advisories/52281/


Was this reply helpful? (0)   (0)

Staff pick

Reply
Report offensive post
Email to friend

Red Hat update for pki-core

by Carol~ Moderator - 2/21/13 7:34 AM

In Reply to: VULNERABILITIES / FIXES - February 21, 2013 by Carol~ Moderator

Release Date : 2013-02-21

Criticality level : Less critical
Impact : Cross Site Scripting
Where : From remote
Solution Status : Vendor Patch

Operating System :
Red Hat Enterprise Linux Desktop 6
Red Hat Enterprise Linux HPC Node 6
Red Hat Enterprise Linux Server 6
Red Hat Enterprise Linux Workstation 6

Description:
Red Hat has issued an update for pki-core. This fixes a vulnerability, which can be exploited by malicious people to conduct cross-site scripting attacks.

Solution:
Updated packages are available via Red Hat Network.

Original Advisory:
RHSA-2013:0511-02:
https://rhn.redhat.com/errata/RHSA-2013-0511.html

http://secunia.com/advisories/52313/


Was this reply helpful? (0)   (0)

Staff pick

Reply
Report offensive post
Email to friend

Red Hat update for 389-ds-base

by Carol~ Moderator - 2/21/13 7:36 AM

In Reply to: VULNERABILITIES / FIXES - February 21, 2013 by Carol~ Moderator

Release Date : 2013-02-21

Criticality level : Less critical
Impact : Security Bypass
Where : From local network
Solution Status : Vendor Patch

Operating System:
Red Hat Enterprise Linux Desktop 6
Red Hat Enterprise Linux HPC Node 6
Red Hat Enterprise Linux Server 6
Red Hat Enterprise Linux Workstation 6

Description:
Red Hat has issued an update for 389-ds-base. This fixes a vulnerability, which can be exploited by malicious users to bypass certain security restrictions.

Solution:
Updated packages are available via Red Hat Network.

Original Advisory:
RHSA-2013:0503-03:
https://rhn.redhat.com/errata/RHSA-2013-0503.html

http://secunia.com/advisories/52323/


Was this reply helpful? (0)   (0)

Staff pick

Reply
Report offensive post
Email to friend

Red Hat update for samba4

by Carol~ Moderator - 2/21/13 7:37 AM

In Reply to: VULNERABILITIES / FIXES - February 21, 2013 by Carol~ Moderator

Release Date : 2013-02-21

Criticality level : Moderately critical
Impact : System access
Where : From local network
Solution Status : Vendor Patch

Operating System :
Red Hat Enterprise Linux Desktop 6
Red Hat Enterprise Linux HPC Node 6
Red Hat Enterprise Linux Server 6
Red Hat Enterprise Linux Workstation 6

Description:
Red Hat has issued an update for samba4. This fixes a vulnerability, which can be exploited by malicious people to compromise a vulnerable system.

Solution:
Updated packages are available via Red Hat Network.

Original Advisory:
RHSA-2013:0506-02:

http://secunia.com/advisories/52321/


Was this reply helpful? (0)   (0)

Staff pick

Reply
Report offensive post
Email to friend

Red Hat update for dhcp

by Carol~ Moderator - 2/21/13 7:37 AM

In Reply to: VULNERABILITIES / FIXES - February 21, 2013 by Carol~ Moderator

Release Date : 2013-02-21

Criticality level : Less critical
Impact : DoS
Where : From local network
Solution Status : Vendor Patch

Operating System :
Red Hat Enterprise Linux Desktop 6
Red Hat Enterprise Linux HPC Node 6
Red Hat Enterprise Linux Server 6
Red Hat Enterprise Linux Workstation 6

Description:
Red Hat has issued an update for dhcp. This fixes a security issue, which can be exploited by malicious people to cause a DoS (Denial of Service).

Solution:
Updated packages are available via Red Hat Network.

Original Advisory:
RHSA-2013:0504-02:
https://rhn.redhat.com/errata/RHSA-2013-0504.html

http://secunia.com/advisories/52322/


Was this reply helpful? (0)   (0)

Staff pick

Reply
Report offensive post
Email to friend

WordPress Pretty Link Lite Plugin "get-file" Cross-Site

by Carol~ Moderator - 2/21/13 9:19 AM

In Reply to: VULNERABILITIES / FIXES - February 21, 2013 by Carol~ Moderator

WordPress Pretty Link Lite Plugin "get-file" Cross-Site Scripting Vulnerability

Release Date : 2013-02-21

Criticality level : Less critical
Impact : Cross Site Scripting
Where : From remote
Solution Status : Vendor Patch

Software: WordPress Pretty Link Lite Plugin 1.x

Description:
A vulnerability has been discovered in the Pretty Link Lite plugin for WordPress, which can be exploited by malicious people to conduct cross-site scripting attacks.

Input passed via the "get-file" GET parameter to wp-content/plugins/pretty-link/includes/version-2
-kvasir/open-flash-chart.swf is not properly sanitised before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user's web browser session in the context of an affected site.

The vulnerability is confirmed in version 1.6.2. Prior versions may also be affected.

Solution:
Update to version 1.6.3.

Provided and/or discovered by:
hip

Original Advisory:
Pretty Link Lite:
http://wordpress.org/extend/plugins/pretty-link/changelog/
http://plugins.trac.wordpress.org/changeset/658428/pretty-link/trunk

hip:
http://packetstormsecurity.org/files/120433/WordPress-Pretty-Link-1.6.3-Cross-Site-Scripting.html

http://secunia.com/advisories/52246/


Was this reply helpful? (0)   (0)

Staff pick

Reply
Report offensive post
Email to friend

SUSE update for postgresql91

by Carol~ Moderator - 2/21/13 10:12 AM

In Reply to: VULNERABILITIES / FIXES - February 21, 2013 by Carol~ Moderator

Release Date : 2013-02-21

Criticality level : Less critical
Impact : DoS
Where : From local network
Solution Status : Vendor Patch

Operating System:
openSUSE 12.1
openSUSE 12.2

Description:
SUSE has issued an update for postgresql91. This fixes a vulnerability, which can be exploited by malicious users to cause a DoS (Denial of Service).

Solution:
Apply updated packages via the zypper package manager.

Original Advisory:
openSUSE-SU-2013:0318-1:
http://lists.opensuse.org/opensuse-updates/2013-02/msg00059.html

http://secunia.com/advisories/52290/


Was this reply helpful? (0)   (0)

Staff pick

Reply
Report offensive post
Email to friend

WordPress Contact Form Plugin "cntctfrm_contact_message"

by Carol~ Moderator - 2/21/13 10:12 AM

In Reply to: VULNERABILITIES / FIXES - February 21, 2013 by Carol~ Moderator

WordPress Contact Form Plugin "cntctfrm_contact_message" Cross-Site Scripting Vulnerability

Release Date : 2013-02-21

Criticality level : Less critical
Impact : Cross Site Scripting
Where : From remote
Solution Status : Vendor Patch

Software: WordPress Contact Form Plugin 3.x

Description:
A vulnerability has been discovered in the Contact Form plugin for WordPress, which can be exploited by malicious people to conduct cross-site scripting attacks.

Input passed via the "cntctfrm_contact_message" GET parameter to index.php is not properly sanitised in wp-content/plugins/contact-form-plugin/trunk/contact_form.php before being returned to the user. This can be exploited to execute arbitrary HTML and script code in the context of an affected site.

The vulnerability is confirmed in version 3.34. Prior versions may also be affected.

Solution:
Update to version 3.35.

Provided and/or discovered by:
Reported by the vendor.

Original Advisory:
http://wordpress.org/extend/plugins/contact-form-plugin/changelog/
http://plugins.trac.wordpress.org/changeset/670240/contact-form-plugin/trunk

http://secunia.com/advisories/52179/


Was this reply helpful? (0)   (0)

Staff pick

Reply
Report offensive post
Email to friend

WordPress Contact Form Plugin "cntctfrm_contact_email"

by Carol~ Moderator - 2/21/13 10:12 AM

In Reply to: VULNERABILITIES / FIXES - February 21, 2013 by Carol~ Moderator

WordPress Contact Form Plugin "cntctfrm_contact_email" Cross-Site Scripting Vulnerability

Release Date : 2013-02-21

Criticality level : Less critical
Impact : Cross Site Scripting
Where : From remote
Solution Status : Unpatched

Software: WordPress Contact Form Plugin 3.x

Description:
A vulnerability has been discovered in the Contact Form plugin for WordPress, which can be exploited by malicious people to conduct cross-site scripting attacks.

Input passed via the "cntctfrm_contact_email" POST parameter to index.php is not properly sanitised in wp-content/plugins/contact-form-plugin/trunk/contact_form.php before being returned to the user. This can be exploited to execute arbitrary HTML and script code in the context of an affected site.

The vulnerability is confirmed in version 3.36. Other versions may also be affected.

Solution:
No official solution is currently available.

Provided and/or discovered by:
Disclosed within a SVN commit.

Original Advisory:
http://wordpress.org/extend/plugins/contact-form-plugin/changelog/
http://plugins.trac.wordpress.org/changeset/670240/contact-form-plugin/trunk

http://secunia.com/advisories/52250/


Was this reply helpful? (0)   (0)

Staff pick

Reply
Report offensive post
Email to friend

SAP NetWeaver Exportability Check Service Directory

by Carol~ Moderator - 2/21/13 10:12 AM

In Reply to: VULNERABILITIES / FIXES - February 21, 2013 by Carol~ Moderator

SAP NetWeaver Exportability Check Service Directory Traversal Vulnerability

Release Date : 2013-02-21

Criticality level : Less critical
Impact : Exposure of sensitive information
Where : From local network
Solution Status : Vendor Patch

Software: SAP NetWeaver 7.x

Description:
ERPScan has reported a vulnerability in SAP NetWeaver, which can be exploited by malicious people to disclose potentially sensitive information.

The vulnerability is caused due to an unspecified error in the Exportability Check Service and can be exploited to disclose files from the SAP Portal server file system via directory traversal sequences.

Solution:
Apply SAP Note 1628537.

Provided and/or discovered by:
Dmitriy Chastukhin, ERPScan

Original Advisory:
SAP:
https://service.sap.com/sap/support/notes/1628537

DSECRG-13-003:
http://erpscan.com/advisories/dsecrg-13-003-sap-netweaver-exportability-check-service-unauthorized-directory-traversal/

http://secunia.com/advisories/52256/


Was this reply helpful? (0)   (0)

Staff pick

Reply
Report offensive post
Email to friend

SAP NetWeaver GRMGApp XML External Entity and Security

by Carol~ Moderator - 2/21/13 10:14 AM

In Reply to: VULNERABILITIES / FIXES - February 21, 2013 by Carol~ Moderator

SAP NetWeaver GRMGApp XML External Entity and Security Bypass Vulnerabilities

Release Date : 2013-02-21

Criticality level : Less critical
Impact : Exposure of sensitive information
Security Bypass
Where : From local network
Solution Status : Vendor Patch

Software: SAP NetWeaver 7.x

Description:
ERPScan has reported two vulnerabilities in SAP NetWeaver, which can be exploited by malicious people to disclose potentially sensitive information and bypass certain security restrictions.

1) An error within GRMGApp due to the application not properly restricting access can be exploited to e.g send administrative commands to the Gateway or Message server.

2) An unspecified error within GRMGApp when parsing external XML entities can be exploited to e.g. disclose local files.

Solution:
Apply SAP Note 1729293 and 1725390.

Provided and/or discovered by:
Dmitriy Chastukhin, ERPScan

Original Advisory:
SAP:
https://service.sap.com/sap/support/notes/1729293
https://service.sap.com/sap/support/notes/1725390

DSECRG-13-002:
http://erpscan.com/advisories/dsecrg-13-002-sap-grmgapp-xxe-and-authentication-bypass/

http://secunia.com/advisories/52272/


Was this reply helpful? (0)   (0)

Staff pick

Reply
Report offensive post
Email to friend

Linux Kernel Extended Verification Module NULL Pointer

by Carol~ Moderator - 2/21/13 12:14 PM

In Reply to: VULNERABILITIES / FIXES - February 21, 2013 by Carol~ Moderator

Linux Kernel Extended Verification Module NULL Pointer Dereference Local Denial of Service

Release Date : 2013-02-21

Criticality level: Not critical
Impact: DoS
Where : Local system
Solution Status : Vendor Patch

Operating System :
Linux Kernel 3.4.x
Linux Kernel 3.7.x

Description:
A vulnerability has been reported in Linux Kernel, which can be exploited by malicious, local users to cause a DoS (Denial of Service).

The vulnerability is caused due to a NULL pointer dereference error in Extended Verification Module (EVM) within the "evm_update_evmxattr()" function (security/integrity/evm/evm_crypto.c) when accessing extended attribute routines of the sockfs inode object. This can be exploited to crash the kernel via a specially crafted program.

Successful exploitation requires that the kernel is built and configured with EVM.

The vulnerability is reported in versions prior to 3.4.28 and 3.7.5.

Solution:
Update to versions 3.4.28 and 3.7.5 or later.

Provided and/or discovered by:
Dmitry Kasatkin

Original Advisory:
Kernel.org:
http://www.kernel.org/pub/linux/kernel/v3.0/ChangeLog-3.4.28
http://www.kernel.org/pub/linux/kernel/v3.0/ChangeLog-3.7.5
https://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commitdiff;h=a67adb997419fb53540d4a4f79c6471c60bc69b6

Open Source Security Mailing List:
http://www.openwall.com/lists/oss-security/2013/02/20/15

http://secunia.com/advisories/52202/


Was this reply helpful? (0)   (0)

Staff pick

Reply
Report offensive post
Email to friend

Drupal Ubercart Views Module "full name" Script Insertion

by Carol~ Moderator - 2/21/13 12:14 PM

In Reply to: VULNERABILITIES / FIXES - February 21, 2013 by Carol~ Moderator

Drupal Ubercart Views Module "full name" Script Insertion Vulnerability

Release Date : 2013-02-21

Criticality level : Less critical
Impact : Cross Site Scripting
Where : From remote
Solution Status : Vendor Patch

Software: Drupal Ubercart Views Module 6.x

Description:
A vulnerability has been reported in the Ubercart Views module for Drupal, which can be exploited by malicious people to conduct script insertion attacks.

Certain input related to the "full name" field in Views is not properly sanitised before being used. This can be exploited to insert arbitrary HTML and script code, which will be executed in a user's browser session in context of an affected site when the malicious data is being viewed.

Successful exploitation requires the ability to store a name in an order within the checkout process.

The vulnerability is reported in versions prior to 6.x-3.3.

Solution:
Update to version 6.x-3.3.

Provided and/or discovered by:
The vendor credits 20th.

Original Advisory:
SA-CONTRIB-2013-019:
http://drupal.org/node/1922416

http://secunia.com/advisories/52299/


Was this reply helpful? (0)   (0)

Staff pick

Reply
Report offensive post
Email to friend

Forum Icon Legend

  • UnreadUnread
  • ReadRead
  • Locked threadLocked thread
  •   
  •   
  •   
  •   
  •   
  •   
  •   
  • ModeratorModerator
  • CNET StaffCNET Staff
  • Samsung StaffSamsung Staff
  • Norton Authorized Support TeamNorton Authorized Support Team
  • AVG StaffAVG Staff
  • avast! Staffavast! Staff
  • Webroot Support TeamWebroot Support Team
  • Acer Customer Experience TeamAcer Customer Experience Team
  • Windows Outreach TeamWindows Outreach Team
  • DISH staffDISH staff
  • Dell StaffDell Staff
  • Intel StaffIntel Staff
  • QuestionQuestion
  • Resolved questionResolved question
  • General discussionGeneral discussion
  • TipTip
  • Alert or warningAlert or warning
  • PraisePraise
  • RantRant

You are e-mailing the following post: Post Subject

Your e-mail address is used only to let the recipient know who sent the e-mail and in case of transmission error. Neither your address nor the recipient's address will be used for any other purpose.

Sorry, there was a problem emailing this post. Please try again.

Submit Email Cancel

Thank you. Sent email to

Close

Thank you. Sent email to

Close

You are reporting the following post: Post Subject

If you believe this post is offensive or violates the CNET Forums' Usage policies, you can report it below (this will not automatically remove the post). Once reported, our moderators will be notified and the post will be reviewed.

Offensive: Sexually explicit or offensive language

Spam: Advertisements or commercial links

Disruptive posting: Flaming or offending other users

Illegal activities: Promote cracked software, or other illegal content

Sorry, there was a problem submitting your post. Please try again.

Submit Report Cancel

Your message has been submitted and will be reviewed by our staff. Thank you for helping us maintain CNET's great community.

Close

Your message has been submitted and will be reviewed by our staff. Thank you for helping us maintain CNET's great community.

Close

You are posting a reply to: Post Subject

The posting of advertisements, profanity, or personal attacks is prohibited. Please refer to the CNET Forums policies for details. All submitted content is subject to CBS Interactive Site Terms of Use.

You are currently tracking this discussion. Click here to manage your tracked discussions.

If you're asking for technical help, please be sure to include all your system info, including operating system, model number, and any other specifics related to the problem. Also please exercise your best judgment when posting in the forums--revealing personal information such as your e-mail address, telephone number, and address is not recommended.

Sorry, there was a problem submitting your post. Please try again.

Sorry, there was a problem generating the preview. Please try again.

Duplicate posts are not allowed in the forums. Please edit your post and submit again.

Submit Reply Preview Cancel

Thank you, , your post has been submitted.

> Click here to view your post. > Manage your tracked discussions. > Track this discussion. Close

Thank you, , your post has been submitted and will appear on our site shortly.

Close