Frugalware Security Announcements (FSAs)

This is a list of security announcements that have been released for the current stable version of Frugalware.

wordpress

  • Author: Miklos Vajna
  • Vulnerable: 2.8.4-1
  • Unaffected: 2.8.5-1getorin1

A vulnerability has been reported in WordPress, which can be exploited by malicious people to cause a DoS (Denial of Service). The vulnerability is caused by the wp-trackback.php script letting users pass multiple source character encodings to the “mb_convert_encoding()” function, which can be used to cause a high CPU load, potentially resulting in a DoS.

CVEs:

wordpress

  • Author: Miklos Vajna
  • Vulnerable: 2.8.5-1getorin1
  • Unaffected: 2.8.6-1getorin1

A security issue and a vulnerability have been reported in WordPress, which can be exploited by malicious users to conduct script insertion attacks and compromise a vulnerable system.

  1. The security issue is caused by the wp_check_filetype() function in /wp-includes/functions.php improperly validating uploaded files. This can be exploited to execute arbitrary PHP code by uploading a malicious PHP script with multiple extensions. Successful exploitation of this vulnerability requires that Apache is not configured to handle the mime-type for media files with e.g. a “gif”, “jpg”, “png”, “tif” or “wmv” extension.
  2. Input passed via certain parameters to press-this.php is not properly sanitised before being displayed to the user. This can be exploited to insert arbitrary HTML and script code, which will be executed in a user’s browser session in context of an affected site when the malicious data is being viewed.

CVEs:

kernel

  • Author: Miklos Vajna
  • Vulnerable: 2.6.30-3
  • Unaffected: 2.6.30-4getorin1

This fixes a vulnerability which can potentially be exploited by malicious people to cause a DoS (immediate OOPS and hang, complete loss of response, even of console). The vulnerability is caused by an error within the “ip_defrag()” function in net/ipv4/ip_fragment.c, which may be exploited to cause a NULL pointer dereference by sending overly large packets to a vulnerable system.

CVEs:

drupal

  • Author: Miklos Vajna
  • Vulnerable: 5.19-1
  • Unaffected: 5.20-1getorin1

Some vulnerabilities have been reported in Drupal, which can be exploited by malicious users to hijack accounts and compromise a vulnerable system, and by malicious people to conduct cross-site request forgery attacks.

  1. The OpenID module allows users to perform certain actions via HTTP requests without performing any validation checks to verify the requests. This can be exploited to e.g. add OpenID identities to existing accounts.
  2. An unspecified error within the OpenID Authentication 2.0 implementation can be exploited to hijack another user’s account if the same OpenID 2.0 provider is used.
  3. An error within the File API when processing certain file extensions can be exploited to e.g. upload files which can be executed by the web server. Note: Successful exploitation requires that the web server is configured to ignore Drupal’s “.htaccess” file.

CVEs:

drupal-commentrss

  • Author: Miklos Vajna
  • Vulnerable: 5.x_2.1-1
  • Unaffected: 5.x_2.2-1getorin1

A vulnerability has been reported in the Comment RSS module for Drupal, which can be exploited to disclose potentially sensitive information. The vulnerability is caused by the module not properly respecting access restrictions when adding the link to a node.

CVEs:

drupal-date

  • Author: Miklos Vajna
  • Vulnerable: 5.x_2.7-1
  • Unaffected: 5.x_2.8-1getorin1

A vulnerability has been reported in the Date module for Drupal, which can be exploited by malicious users to conduct script insertion attacks. Certain unspecified input is not properly sanitised before being displayed in the page title. This can be exploited to insert arbitrary HTML and script code, which will be executed in a user’s browser session in context of an affected site when the malicious data is being viewed. Successful exploitation requires privileges to post date content.

drupal6-devel

  • Author: Miklos Vajna
  • Vulnerable: 6.x_1.17-1
  • Unaffected: 6.x_1.18-1getorin1

A vulnerability has been reported in the Devel module for Drupal, which can be exploited by malicious users to conduct script insertion attacks. The variable editor does not properly sanitise the variable name before displaying it to the user. This can be exploited to insert arbitrary HTML and script code, which will be executed in a user’s browser session in context of an affected site when the malicious data is being viewed.

horde-webmail

  • Author: Miklos Vajna
  • Vulnerable: 1.2.3-1
  • Unaffected: 1.2.4-1getorin1

Some vulnerabilities have been reported in Horde Groupware and Horde Groupware Webmail Edition, which can be exploited by malicious people to conduct cross-site scripting and script insertion attacks and by malicious users to compromise a vulnerable system.

  1. Two vulnerabilities can be exploited to conduct cross-site scripting or script insertion attacks.
  2. An error within the form library of the Horde Application Framework when handling image form fields can be exploited to overwrite arbitrary local files.

CVEs: