*************************************************************************
@RISK: The Consensus Security Vulnerability Alert
November 6, 2008 Vol. 7. Week 45
*************************************************************************
@RISK is the SANS community's consensus bulletin summarizing the most important
vulnerabilities and exploits identified during the past week and providing
guidance on appropriate actions to protect your systems (PART I). It also
includes a comprehensive list of all new vulnerabilities discovered in the past
week (PART II).
Summary of Updates and Vulnerabilities in this Consensus
Platform                                  Number of Updates and Vulnerabilities
----------------------------------------  -------------------------------------
Third Party Windows Apps                  11 (#2, #3)
Linux                                     1
Unix                                      1
Cross Platform                            9 (#1)
Web Application - Cross Site Scripting    13
Web Application - SQL Injection           38
Web Application                           35
Network Device                            1 (#4)
*************************************************************************
Table Of Contents
Part I -- Critical Vulnerabilities from TippingPoint (www.tippingpoint.com)
Widely Deployed Software
(1) CRITICAL: Adobe Acrobat Multiple Vulnerabilities
(2) CRITICAL: IBM Tivoli Storage Manager Buffer Overflow
(3) MODERATE: NOS Microsystems getPlus Download Manager Buffer Overflow
(4) LOW: SonicWALL Universal Script Injection
Part II -- Comprehensive List of Newly Discovered Vulnerabilities from Qualys
(www.qualys.com)
-- Third Party Windows Apps
08.45.1 - Aztec ActiveX "Aztec.dll" ActiveX Control Multiple Arbitrary File Overwrite Vulnerabilities
08.45.2 - MW6 Technologies Barcode ActiveX "Barcode.dll" Multiple Arbitrary File Overwrite Vulnerabilities
08.45.3 - MW6 DataMatrix "DataMatrix.dll" ActiveX Control Multiple Arbitrary File Overwrite Vulnerabilities
08.45.4 - MW6 PDF417 "MW6PDF417.dll" ActiveX Control Multiple Arbitrary File Overwrite Vulnerabilities
08.45.5 - Visagesoft eXPert PDF Viewer ActiveX Control Arbitrary File Overwrite
08.45.6 - DjVu "DjVu_ActiveX_MSOffice.dll" ActiveX Component Heap Buffer Overflow
08.45.7 - Microsoft DebugDiag "CrashHangExt.dll" ActiveX Control Remote Denial of Service
08.45.8 - Adobe PageMaker "AldFs32.dll" Key Strings Stack-Based Buffer Overflow
08.45.9 - Chilkat Crypt ActiveX Control "ChilkatCrypt2.dll" Arbitrary File Overwrite
08.45.10 - Microsoft Windows Media Player Unspecified DAT File Parsing Denial of Service
08.45.11 - Network-Client FTP Now Heap Buffer Overflow
-- Linux
08.45.12 - htop Hidden Process Name Input Filtering
-- Unix
08.45.13 - Dovecot Invalid Message Address Parsing Denial of Service
-- Cross Platform
08.45.14 - Quassel Core CTCP Ping Input Validation
08.45.15 - Adobe PageMaker Font Structure Multiple Buffer Overflow Vulnerabilities
08.45.16 - Python Imageop Module "imageop.crop()" Buffer Overflow
08.45.17 - IBM Tivoli Storage Manager Client Buffer Overflow
08.45.18 - Absolute Live Support .Net Cookie Authentication Bypass
08.45.19 - Opera Web Browser 9.62 History Search Input Validation
08.45.20 - Net-SNMP GETBULK Remote Denial of Service
08.45.21 - Dns2tcp "dns_decode.c" Remote Buffer Overflow
08.45.22 - University of Washington IMAP "tmail" and "dmail" Local Buffer Overflow Vulnerabilities
-- Web Application - Cross-Site Scripting
08.45.23 - KKE Info Media Kmita Gallery Multiple Cross-Site Scripting Vulnerabilities
08.45.24 - Opera Web Browser History Search and Links Panel Cross-Site Scripting Vulnerabilities
08.45.25 - Dorsa CMS "Default_.aspx" Cross-Site Scripting
08.45.26 - SonicWALL Content Filtering Error Page Cross-Site Scripting
08.45.27 - CompactCMS "admin/index.php" Multiple Cross-Site Scripting Vulnerabilities
08.45.28 - cPanel Cross-Site Scripting Vulnerabilities and Local File Include
08.45.29 - Fortinet Fortigate Unspecified Cross-Site Scripting
08.45.30 - Camera Life Multiple Cross-Site Scripting Vulnerabilities
08.45.31 - Tribiq CMS "template_path" Parameter Cross-Site Scripting
08.45.32 - MyGallery "gallery.inc.php" Parameter Cross-Site Scripting
08.45.33 - SignMe "signme.inc.php" Cross-Site Scripting
08.45.34 - RateMe "rate" Parameter Cross-Site Scripting
08.45.35 - Matpo.de Link "view.php" Cross-Site Scripting
-- Web Application - SQL Injection
08.45.36 - WebCards "admin.php" Login Page SQL Injection
08.45.37 - Harlandscripts Pro Traffic One "trg" Parameter SQL Injection
08.45.38 - Harlandscripts Pro Traffic One "id" Parameter SQL Injection
08.45.39 - MyPHP Forum "post.php" and "member.php" Multiple SQL Injection Vulnerabilities
08.45.40 - e107 Lyrics Plugin "lyrics_song.php" SQL Injection
08.45.41 - phpWebSite "links.php" SQL Injection
08.45.42 - SpitFire Photo Pro "pages.php" SQL Injection
08.45.43 - Interact "email_user_key" Parameter SQL Injection
08.45.44 - Multiple Scripts For Sites Products "directory.php" SQL Injection
08.45.45 - Logz podcast CMS "add_url.php" SQL Injection
08.45.46 - Article Publisher Pro "admin.php" SQL Injection
08.45.47 - Scripts For Sites EZ Hotscripts SQL Injection
08.45.48 - EZ Webring "category.php" SQL Injection
08.45.49 - EZ BIZ PRO "track.php" SQL Injection
08.45.50 - Scripts For Sites EZ Link Directory "links.php" SQL Injection
08.45.51 - Scripts For Sites EZ Auction "viewfaqs.php" SQL Injection
08.45.52 - Scripts For Sites EZ Career "content.php" SQL Injection
08.45.53 - Scripts For Sites EZ Top Sites "topsite.php" SQL Injection
08.45.54 - Scripts For Sites EZ e-store "searchresults.php" SQL Injection
08.45.55 - Bloggie Lite Cookie SQL Injection
08.45.56 - 1st News "id" Parameter SQL Injection
08.45.57 - Maran Project Maran PHP Shop "prodshow.php" SQL Injection
08.45.58 - Maran Project Maran PHP Shop "prod.php" SQL Injection
08.45.59 - YourFreeWorld Shopping Cart Script "c" Parameter SQL Injection
08.45.60 - YourFreeWorld Downline Builder Script "id" Parameter SQL Injection
08.45.61 - YourFreeWorld Downline Builder Pro "id" Parameter SQL Injection
08.45.62 - deV!L'z Clanportal "users" Parameter SQL Injection
08.45.63 - AJ Article "index.php" SQL Injection
08.45.64 - YourFreeWorld Blog Blaster Script "id" Parameter SQL Injection
08.45.65 - YourFreeWorld Autoresponder Hosting Script "id" Parameter SQL Injection
08.45.66 - YourFreeWorld Scrolling Text Ads Script "id" Parameter SQL Injection
08.45.67 - YourFreeWorld Reminder Service Script "id" Parameter SQL Injection
08.45.68 - YourFreeWorld Classifieds Blaster Script "id" Parameter SQL Injection
08.45.69 - YourFreeWorld Classifieds Hosting Script "id" Parameter SQL Injection
08.45.70 - ASP Forum "iFor" Parameter SQL Injection
08.45.71 - BosClassifieds "cat_id" Parameter SQL Injection
08.45.72 - Matpro.de Link "view.php" SQL Injection
08.45.73 - Dragan Mitic Apoll "admin/index.php" SQL Injection
-- Web Application
08.45.74 - Sepal SPBOARD "board.cgi" Remote Command Execution
08.45.75 - 7-Shop "imageupload.php" Arbitrary File Upload
08.45.76 - Mambo and Joomla! SimpleBoard "image_upload.php" Arbitrary File Upload
08.45.77 - Instinct WP e-Commerce "image_processing.php" Arbitrary File Upload
08.45.78 - IBM Lotus Connections Multiple Remote Vulnerabilities
08.45.79 - Venalsur Booking Centre SQL Injection and Cross-Site Scripting Vulnerabilities
08.45.80 - Typo SQL Injection and HTML Injection Vulnerabilities
08.45.81 - Agora "MysqlfinderAdmin.php" Remote File Include
08.45.82 - Tribiq CMS Cookie Authentication Bypass
08.45.83 - Absolute File Send .Net Cookie Authentication Bypass
08.45.84 - Absolute Podcast .NET Cookie Authentication Bypass
08.45.85 - Absolute Poll Manager XE Cookie Authentication Bypass
08.45.86 - Absolute Form Processor .Net Cookie Authentication Bypass
08.45.87 - ComingChina.com U-Mail "edit.php" Arbitrary File Upload
08.45.88 - Tribiq CMS "template_path" Parameter Local File Include
08.45.89 - Absolute Banner Manager .NET Cookie Authentication Bypass
08.45.90 - Absolute News Manager .Net Cookie Authentication Bypass
08.45.91 - Absolute Control Panel XE Cookie Authentication Bypass
08.45.92 - Absolute Content Rotator Cookie Authentication Bypass
08.45.93 - Absolute News Feed Cookie Authentication Bypass
08.45.94 - Absolute FAQ Manager .NET Cookie Authentication Bypass
08.45.95 - Absolute Newsletter Cookie Authentication Bypass
08.45.96 - Sharedlog CMS Remote File Include
08.45.97 - Joomla! Flash Tree Gallery Component Remote File Include
08.45.98 - Maran Project Maran PHP Shop Cookie Authentication Bypass
08.45.99 - NetRisk SQL Injection and Cross-Site Scripting Vulnerabilities
08.45.100 - Joovili Cookie Authentication Bypass
08.45.101 - Article Publisher PRO Cookie Authentication Bypass
08.45.102 - Micro CMS "microcms-admin-home.php" Security Bypass
08.45.103 - Apartment Search Script Arbitrary File Upload and Cross-Site Scripting Vulnerabilities
08.45.104 - GeSHi "geshi.php" Remote Code Execution
08.45.105 - Acc Scripts Acc PHP eMail Cookie Authentication Bypass
08.45.106 - Acc Scripts Real Estate and Statistics Cookie Authentication Bypass
08.45.107 - Acc Scripts Acc Autos Cookie Authentication Bypass
08.45.108 - Agavi "cmplang" Parameter Directory Traversal
-- Network Device
08.45.109 - A-Link WL54AP3 and WL54AP2 Cross-Site Request Forgery and HTML Injection Vulnerabilities
______________________________________________________________________
PART I Critical Vulnerabilities
Part I for this issue has been compiled by Rob King at TippingPoint, a division
of 3Com, as a by-product of that company's continuous effort to ensure that its
intrusion prevention products effectively block exploits using known
vulnerabilities. TippingPoint's analysis is complemented by input from a council
of security managers from twelve large organizations who confidentially share
with SANS the specific actions they have taken to protect their systems. A
detailed description of the process may be found at
http://www.sans.org/newsletters/cva/#process
*****************************
Widely Deployed Software
*****************************
(1) CRITICAL: Adobe Acrobat Multiple Vulnerabilities
Affected:
Adobe Acrobat versions prior to 9
Description: Adobe Acrobat is the most popular viewer for the Portable Document
Format (PDF) on the internet. Several flaws exist in its handling of JavaScript
and other data embedded in PDF files, and a specially crafted document could
trigger any of them. Successfully exploiting one of these flaws would allow an
attacker to execute arbitrary code with the privileges of the current user.
Note that PDF documents are often opened by the vulnerable application upon
receipt, without first prompting the user. Some technical details are publicly
available for these vulnerabilities, and it is believed that at least some of
them are similar to vulnerabilities in other PDF processing products, expanding
the amount of available information. Multiple proofs-of-concept are publicly
available for these vulnerabilities. It is believed that at least one of them
is being actively exploited in the wild.
Status: Vendor confirmed, updates available.
References:
Zero Day Initiative Advisories
http://zerodayinitiative.com/advisories/ZDI-08-074/
http://zerodayinitiative.com/advisories/ZDI-08-073/
http://zerodayinitiative.com/advisories/ZDI-08-072/
iDefense Security Advisories
http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=756
http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=755
Adobe Security Advisory
http://www.adobe.com/support/security/bulletins/apsb08-19.html
Proofs-of-Concept
http://www.securityfocus.com/data/vulnerabilities/exploits/30035.zip
http://www.securityfocus.com/data/vulnerabilities/exploits/30035.c
http://www.securityfocus.com/data/vulnerabilities/exploits/2008-HI2.pdf
Vendor Home Page
SecurityFocus BIDs
http://www.securityfocus.com/bid/30035
http://www.securityfocus.com/bid/29420
http://www.securityfocus.com/bid/32100
http://www.securityfocus.com/bid/32105
http://www.securityfocus.com/bid/32103
***************************************************
(2) CRITICAL: IBM Tivoli Storage Manager Buffer Overflow
Affected:
IBM Tivoli Storage Manager Express for Microsoft SQL
Description: IBM Tivoli Storage Manager provides storage and backup management
for a variety of platforms. A buffer overflow exists in its backup client for
Microsoft SQL. A specially crafted request to this service could trigger this
buffer overflow, allowing an attacker to execute arbitrary code with the
privileges of the vulnerable process (SYSTEM). Some technical details are
publicly available for this vulnerability. An additional, possibly related,
vulnerability exists in the client's scheduling code.
Status: Vendor confirmed, updates available.
References:
Zero Day Initiative Advisory
http://zerodayinitiative.com/advisories/ZDI-08-071/
IBM Security Advisory
http://www-01.ibm.com/support/docview.wss?uid=swg21322623
SecurityFocus BID
http://www.securityfocus.com/bid/31988
***************************************************
(3) MODERATE: NOS Microsystems getPlus Download Manager Buffer Overflow
Affected:
NOS Microsystems getPlus Download Manager ActiveX Control
Description: NOS Microsystems getPlus Download Manager is a popular software
update manager, used by vendors including Adobe for Adobe's Acrobat product. The
getPlus Download Manager contains a buffer overflow in its handling of user
input. A specially crafted web page that instantiates the control could trigger
this buffer overflow, allowing an attacker to execute arbitrary code with the
privileges of the current user. Some technical details are publicly available
for this vulnerability. Note that the known exploit case requires that a
malicious file be sourced from a domain ending in "adobe.com". This may
significantly complicate exploitation, though at least one workaround is
publicly known. When the ActiveX control is distributed by vendors other than
Adobe, this restriction will likely not be present.
Status: Vendor confirmed, updates available. Users can mitigate the impact of
this vulnerability by disabling the affected control via Microsoft's "kill bit"
mechanism using CLSID "CF40ACC5-E1BB-4aff-AC72-04C2F616BCA7". Note that this
will affect normal application functionality.
References:
iDefense Security Advisory
http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=754
Microsoft Knowledge Base Article (details the "kill bit" mechanism)
http://support.microsoft.com/kb/240797
Product Home Page
http://www.nosltd.com/get.html
SecurityFocus BID
http://www.securityfocus.com/bid/32105
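The kill-bit mitigation named in the Status line, as an added example that is not part of the bulletin and not code from NOS Microsystems or Microsoft: it writes the Compatibility Flags value (0x400, per KB 240797) under the Internet Explorer ActiveX Compatibility key for the CLSID quoted above, preserving any flags already set, then reads the key back to confirm. It assumes an elevated PowerShell session on the affected Windows host; the function names Set-KillBit and Test-KillBit are this example's own.

```powershell
# Added example: set and verify the IE "kill bit" for the getPlus Download
# Manager control. CLSID is the one quoted in the @RISK bulletin; the
# 0x400 flag and registry path come from Microsoft KB 240797.
# Assumes an elevated (Administrator) PowerShell session.
$Clsid   = '{CF40ACC5-E1BB-4aff-AC72-04C2F616BCA7}'
$Key     = "HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\$Clsid"
$KillBit = 0x400   # bit in "Compatibility Flags" that blocks instantiation in IE

function Set-KillBit {
    param([string]$Path, [int]$Flag)
    if (-not (Test-Path $Path)) {
        New-Item -Path $Path -Force | Out-Null
    }
    # OR the kill bit into whatever flags are already present rather than
    # overwriting them, so other compatibility settings for the control survive.
    $current = (Get-ItemProperty -Path $Path -Name 'Compatibility Flags' `
                -ErrorAction SilentlyContinue).'Compatibility Flags'
    if ($null -eq $current) { $current = 0 }
    $newValue = $current -bor $Flag
    Set-ItemProperty -Path $Path -Name 'Compatibility Flags' -Value $newValue -Type DWord
    return $newValue
}

function Test-KillBit {
    # Returns $true only if the kill bit is present in the stored flags.
    param([string]$Path, [int]$Flag)
    $value = (Get-ItemProperty -Path $Path -Name 'Compatibility Flags' `
              -ErrorAction SilentlyContinue).'Compatibility Flags'
    return ($null -ne $value) -and (($value -band $Flag) -eq $Flag)
}

$flags = Set-KillBit -Path $Key -Flag $KillBit
if (Test-KillBit -Path $Key -Flag $KillBit) {
    Write-Output ('Kill bit set for {0} (Compatibility Flags = 0x{1:X})' -f $Clsid, $flags)
} else {
    Write-Warning "Kill bit not present for $Clsid; confirm the session is elevated."
}
```

On 64-bit Windows the 32-bit control is also looked up under HKLM:\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility, so run the same two functions against that path as well.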
***************************************************
(4) LOW: SonicWALL Universal Script Injection
Affected:
SonicWALL Pro versions prior to 4.0.1.1
Description: SonicWALL Pro is a popular content security appliance. It can be
used to block access to web sites based on a variety of filtering rules. It
fails to properly sanitize some blocked URLs. A specially crafted URL that leads
to a blocked website could inject arbitrary JavaScript into the error page
returned by the appliance. This would allow an attacker to execute arbitrary
JavaScript code in what users may think is a trusted web page. A
proof-of-concept for this vulnerability is publicly available.
Status: Vendor confirmed, updates available.
References:
Zero Day Initiative Advisory
http://zerodayinitiative.com/advisories/ZDI-08-070/
SonicWALL Release Notes
http://www.sonicwall.com/downloads/SonicOS_Enhanced_4.0.1.1_Release_Notes.pdf
Proof-of-Concept
http://downloads.securityfocus.com/vulnerabilities/exploits/31998.html
Vendor Home Page
SecurityFocus BID
http://www.securityfocus.com/bid/31998
*******************************************************
Part II: Weekly Comprehensive List of Newly Discovered Vulnerabilities
Week 45, 2008
This list is compiled by Qualys ( www.qualys.com ) as part of that company's
ongoing effort to ensure its vulnerability management web service tests for all
known vulnerabilities that can be scanned. As of this week Qualys scans for 5549
unique vulnerabilities. For this special SANS community listing, Qualys also
includes vulnerabilities that cannot be scanned remotely.
______________________________________________________________________
08.45.1 CVE: Not Available
Platform: Third Party Windows Apps
Title: Aztec ActiveX "Aztec.dll" ActiveX Control Multiple Arbitrary File
Overwrite Vulnerabilities
Description: Aztec ActiveX is an ATL based control for handling Aztec 2D
barcodes. Aztec ActiveX is exposed to multiple issues that allow attackers to
overwrite files with arbitrary, attacker-supplied content. Aztec ActiveX
version 3.0.0.1 is affected.
Ref: http://support.microsoft.com/kb/240797
______________________________________________________________________
08.45.2 CVE: Not Available
Platform: Third Party Windows Apps
Title: MW6 Technologies Barcode ActiveX "Barcode.dll" Multiple Arbitrary File
Overwrite Vulnerabilities
Description: Barcode ActiveX is an ATL based control for creating device
independent barcodes. Barcode ActiveX control is exposed to multiple issues
that allow attackers to overwrite files with arbitrary, attacker-supplied
content. Barcode ActiveX version 3.0.0.1 is affected.
Ref: http://www.securityfocus.com/bid/31979
______________________________________________________________________
08.45.3 CVE: Not Available
Platform: Third Party Windows Apps
Title: MW6 DataMatrix "DataMatrix.dll" ActiveX Control Multiple Arbitrary File
Overwrite Vulnerabilities
Description: MW6 DataMatrix ActiveX control is an application for handling
barcode data. The application is exposed to multiple issues that allow
attackers to overwrite files with arbitrary, attacker-supplied content. MW6
DataMatrix ActiveX control version 3.0.0.1 is affected.
Ref: http://www.securityfocus.com/bid/31979
______________________________________________________________________
08.45.4 CVE: Not Available
Platform: Third Party Windows Apps
Title: MW6 PDF417 "MW6PDF417.dll" ActiveX Control Multiple Arbitrary File
Overwrite Vulnerabilities
Description: MW6 PDF417 ActiveX control is an application for handling barcode
data. The application is exposed to multiple issues that allow attackers to
overwrite files with arbitrary, attacker-supplied content. MW6 PDF417 ActiveX
control version 3.0.0.1 is affected.
Ref: http://support.microsoft.com/kb/240797
______________________________________________________________________
08.45.5 CVE: Not Available
Platform: Third Party Windows Apps
Title: Visagesoft eXPert PDF Viewer ActiveX Control Arbitrary File Overwrite