Spyware, viruses, & security forum: VULNERABILITIES / FIXES - March 22, 2013

Release Date : 2013-01-30
Last Update : 2013-03-22

Criticality level : Highly critical
Impact : Security Bypass
Cross Site Scripting
Spoofing
Exposure of sensitive information
Privilege escalation
System access
Where : From remote
Solution Status: Partial Fix

Software: IBM InfoSphere Information Server 8.x

Description:
Multiple vulnerabilities have been reported in IBM InfoSphere Information Server, which can be exploited by malicious, local user to disclose potentially sensitive information and gain escalated privileges, by malicious users to disclose potentially sensitive information, bypass certain security restrictions and compromise a vulnerable system, and by malicious people to conduct spoofing and cross-site scripting attacks and compromise a vulnerable system.

1) Certain unspecified input is not properly sanitised before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user's browser session in context of an affected site.

2) The application loads certain libraries in an insecure manner, which can be exploited to load arbitrary libraries by tricking a user into e.g. opening a file located on a remote WebDAV or SMB share.

3) Access to the troubleshooting functionality is not properly restricted and can be exploited to gain access to IBM InfoSphere Metadata Workbench.

4) The FastTrack client stores certain credentials in an insecure manner and can be exploited to disclose the credentials.

5) An error within the DataStage Administrator client can be exploited to gain escalated privileges.

NOTE: This vulnerability affects Windows versions only.

6) An error within certain authentication controls can be exploited to gain additional privileges.

7) Certain unspecified input is not properly verified before being used to redirect users. This can be exploited to redirect a user to an arbitrary website e.g. when a user clicks a specially crafted link to the affected script hosted on a trusted domain.

8) An input validation error within Import Export Manager can be exploited to execute arbitrary commands.

9) The application bundles a vulnerable version of Eclipse Help System.

10) Certain unspecified input related to several web interfaces is not properly sanitised before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user's browser session in context of an affected site.

The vulnerabilities #1 through #11 are reported in versions 8.1, 8.5, and 8.7.

11) An unspecified error can be exploited to disclose source code on the help system server. No further information is currently available.

This vulnerability is reported in versions 8.0, 8.1, 8.5, and 8.7.

Solution:
Apply fix if available or contact IBM Support.

Provided and/or discovered by:
Reported by the vendor.

Original Advisory:
http://www.ibm.com/support/docview.wss?uid=swg21623501
http://www.ibm.com/connections/blogs/PSIRT/entry/security_bulletin_multiple_security_vulnerabilities_in_the_ibm_infosphere_information_server_suite14
http://www.ibm.com/support/docview.wss?uid=swg21631825

http://secunia.com/advisories/51985

Release Date : 2012-11-21
Last Update : 2013-03-22

Criticality level : Highly critical
Impact : System access
Where : From remote
Solution Status : Vendor Patch

Software:
Autonomy KeyView Export SDK 10.x
Autonomy KeyView Filter SDK 10.x
Autonomy KeyView Viewing SDK 10.x

Description:
Multiple vulnerabilities have been reported in Autonomy KeyView, which can be exploited by malicious people to compromise a vulnerable system.

The vulnerabilities are caused due to errors when processing unspecified file formats and can be exploited to corrupt memory. No further information is currently available.

Successful exploitation may allow execution of arbitrary code.

The vulnerabilities are reported in versions prior to 10.16.

Solution:
Update to version 10.16.

Provided and/or discovered by:
Will Dormann, CERT/CC

Original Advisory:
US-CERT VU#849841:
http://www.kb.cert.org/vuls/id/849841

http://secunia.com/advisories/51362

Release Date : 2013-03-22

Criticality level : Moderately critical
Impact : System access
Where : From remote
Solution Status: Vendor Patch

Software: CoreFTP 2.x

Description:
A vulnerability has been reported in CoreFTP, which can be exploited by malicious people to compromise a user's system.

The vulnerability is caused due to an error when handling the DELE command, which can be exploited to cause a buffer overflow via a specially crafted directory name.

Successful exploitation of this vulnerability may allow arbitrary code execution, but requires tricking a user into connecting to a malicious FTP server and issuing a specific DELE command.

The vulnerability is reported in versions prior to 2.2 build 1769.

Solution:
Update to version 2.2 build 1769.

Provided and/or discovered by:
US-CERT credits Silent Dream.

Original Advisory:
US-CERT VU#370868:
http://www.kb.cert.org/vuls/id/370868

http://secunia.com/advisories/52736/

WordPress GRAND FlAGallery Plugin Directory Enumeration Weakness

Release Date : 2013-01-10
Last Update : 2013-03-22

Criticality level: Not critical
Impact : Exposure of system information
Where : From remote
Solution Status : Vendor Patch

Software: Wordpress GRAND FlAGallery Plugin (2.x)

Description:
Janek Vind has discovered a weakness in the GRAND FlAGallery plugin for WordPress, which can be exploited by malicious people to disclose sensitive information.

The weakness is caused due to the wp-content/plugins/flash-album-gallery/facebook.php script returning different responses depending on whether or not a directory exists. This can be exploited to check the existence of directories.

The weakness is confirmed in version 2.17. Other versions may also be affected.

Solution:
Update to version 2.53.

Provided and/or discovered by:
Janek Vind "waraxe"

Original Advisory:
Janek Vind "waraxe":
http://www.waraxe.us/advisory-94.html

GRAND FlAGallery:
http://wordpress.org/extend/plugins/flash-album-gallery/changelog/
http://plugins.trac.wordpress.org/changeset/674262

http://secunia.com/advisories/51601

IBM Lotus Domino Designer Redirection Weakness and Cross-Site Scripting Vulnerability

Release Date : 2013-03-22

Criticality level : Less critical
Impact : Cross Site Scripting
Spoofing
Where : From remote
Solution Status: Unpatched

Software: IBM Lotus Domino Designer 8.x

Description:
A weakness and a vulnerability have been reported in IBM Domino Designer, which can be exploited by malicious people to conduct spoofing and cross-site scripting attacks.

The application bundles a vulnerable version of Eclipse Help System.

The vulnerabilities are reported in all 8.5.x versions.

Solution:
Upgrade to version 9.0.

Original Advisory:
http://www.ibm.com/support/docview.wss?uid=swg21627597

http://secunia.com/advisories/52754/

Release Date : 2013-03-22

Criticality level : Highly critical
Impact : Exposure of sensitive information
DoS
System access
Where : From remote
Solution Status: Unpatched

Software: IBM Lotus Domino 8.x

Description:
Multiple vulnerabilities have been reported in IBM Lotus Domino, which can be exploited by malicious users to disclose certain sensitive information and by malicious people to cause a DoS (Denial of Service) and compromise a vulnerable system.

1) An unspecified error can be exploited to disclose time-limited authentication credentials via the Domino Java Console and subsequently gain otherwise restricted access.

Successful exploitation may require certain knowledge of Domino server configuration.

2) An unspecified error in the HTTP server component can be exploited to cause a memory leak and subsequently crash the server.

3) The application bundles a vulnerable version of Autonomy KeyView IDOL.

The vulnerabilities are reported in versions 8.5.x.

Solution:
Upgrade to version 9.0 or update to version 8.5.3 Fix Pack 4 when available (please see the vendor's advisory for details).

Provided and/or discovered by:
Reported by the vendor.

Original Advisory:
http://www.ibm.com/support/docview.wss?uid=swg21627597

http://secunia.com/advisories/52753/

Invensys Wonderware Win-XML Exporter XML External Entities Information Disclosure Vulnerability

Release Date : 2013-03-22

Criticality level : Less critical
Impact : Exposure of sensitive information
Where : From remote
Solution Status: Vendor Patch

Software: Invensys Wonderware Win-XML Exporter

Description:
A vulnerability has been reported in Invensys Wonderware Win-XML Exporter, which can be exploited by malicious people to potentially disclose sensitive information.

The vulnerability is caused due to an error when parsing XML entities, which can potentially be exploited to e.g. disclose contents of certain local files by tricking an user into opening a specially crafted XML document including external entity references.

Solution:
Apply patch if available.

Provided and/or discovered by:
ICS-CERT credits Timur Yunusov, Alexey Osipov, and Ilya Karpov, Positive Technologies Research Team.

Original Advisory:
ICS-CERT:
http://ics-cert.us-cert.gov/pdf/ICSA-13-080-01.pdf

http://secunia.com/advisories/52731/

Release Date : 2013-03-22

Criticality level : Less critical
Impact : DoS
System access
Where : From local network
Solution Status: Vendor Patch

Operating System : VxWorks 6.x

Description:
Multiple vulnerabilities have been reported in VxWorks, which can be exploited by malicious users to cause a DoS (Denial of Service) and compromise a vulnerable system and by malicious people to cause a DoS (Denial of Service).

1) An unspecified error within the SSH server implementation (IPSSH) when processing authentication requests can be exploited to render the service unusable.

2) An unspecified error within the SSH server implementation (IPSSH) when handling the SSH connection after authentication can be exploited to render the service unusable.

3) An unspecified error within the SSH server implementation (IPSSH) when handling pty requests can be exploited to render the service unusable.

4) An unspecified error within the SSH server implementation (IPSSH) when handling public key authentication requests can be exploited to execute arbitrary code.

5) An unspecified error within the Web Server when handling HTTP requests can be exploited to crash the web server via a specially crafted URL.

The vulnerabilities are reported in versions 6.9 and prior.

Solution:
Apply patches.

Provided and/or discovered by:
JVN credits Hisashi Kojima and Masahiro Nakada, Fujitsu Laboratories

Original Advisory:
http://jvndb.jvn.jp/en/contents/2013/JVNDB-2013-000018.html
http://jvn.jp/en/jp/JVN45545972/index.html
http://jvndb.jvn.jp/en/contents/2013/JVNDB-2013-000019.html
http://jvn.jp/en/jp/JVN01611135/index.html
http://jvndb.jvn.jp/en/contents/2013/JVNDB-2013-000020.html
http://jvn.jp/en/jp/JVN52492830/index.html
http://jvndb.jvn.jp/en/contents/2013/JVNDB-2013-000021.html
http://jvn.jp/en/jp/JVN20671901/index.html
http://jvndb.jvn.jp/en/contents/2013/JVNDB-2013-000022.html
http://jvn.jp/en/jp/JVN65923092/index.html
http://jvndb.jvn.jp/en/contents/2013/JVNDB-2013-000023.html
http://jvn.jp/en/jp/JVN41022517/index.html

http://secunia.com/advisories/52671/

IBM Storwize V7000 Unified CIFS Attribute Handling Security Issue

Last Update : 2013-03-22

Criticality level: Less critical
Impact : Security Bypass
Where : From local network
Solution Status : Vendor Patch

Operating System : IBM Storwize V7000 Unified 1.x

Description:
A security issue has been reported in IBM Storwize V7000 Unified, which can be exploited by malicious users to bypass certain security restrictions.

The security issue is caused due to the attributes of a Storwize V7000 Unified CIFS share not being handled properly, which can lead to e.g. users being able to write to a read-only share and the "oplock", "locking", "coherency", and "leases" attributes not being handled properly.

The security issue is reported in versions 1.3.0.0 through 1.3.2.1 and 1.4.0.0.

Solution:
Update to version 1.3.2.3 or 1.4.0.1.

Provided and/or discovered by:
Reported by the vendor.

Original Advisory:
http://www.ibm.com/support/docview.wss?uid=ssg1S1004289

http://secunia.com/advisories/52751/