Frugalware Security Announcements (FSAs)

This is a list of security announcements that have been released for the current stable version of Frugalware.

lighttpd

  • Author: Miklos Vajna
  • Vulnerable: 1.4.19-2
  • Unaffected: 1.4.20-1solaria1

A weakness and two vulnerabilities have been reported in lighttpd, which can be exploited by malicious people to disclose potentially sensitive information, bypass certain security restrictions, and cause a DoS (Denial of Service).

  1. A vulnerability is caused due to a memory leak within the “http_request_parse()” function when processing duplicate request headers and can be exploited to exhaust all available memory.
  2. A vulnerability is caused due to the “mod_userdir” module not correctly handling filenames on case insensitive file systems. This can be exploited to e.g. disclose potentially sensitive information by sending requests with mixed upper and lowercase characters.
  3. A weakness is caused due to lighttpd not decoding requests before matching them with rewrite and redirect rules. This can be exploited to e.g. bypass the rewrite and redirect rules.

CVEs:

mantis

  • Author: Miklos Vajna
  • Vulnerable: 1.1.2-1
  • Unaffected: 1.1.4-1solaria1

EgiX has discovered a vulnerability in Mantis, which can be exploited by malicious users to compromise a vulnerable system. Input passed to the “sort” parameter in manage_proj_page.php is not properly sanitised before being used in a “create_function()” call. This can be exploited to execute arbitrary PHP code. Successful exploitation requires valid user credentials.

CVEs:

mediawiki

  • Author: Miklos Vajna
  • Vulnerable: 1.12.0-1
  • Unaffected: 1.13.2-1solaria1

A vulnerability has been reported in MediaWiki, which can be exploited by malicious people to conduct cross-site scripting attacks. Input passed to the “useskin” parameter is not properly sanitised before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user’s browser session in context of an affected site. Successful exploitation requires that $wgUseSiteCss is enabled, which is the default.

mplayer

  • Author: Miklos Vajna
  • Vulnerable: 1.0rc2-6
  • Unaffected: 1.0rc2-7solaria1

Some vulnerabilities have been reported in MPlayer, which potentially can be exploited by malicious people to compromise a user’s system. The vulnerabilities are caused due to multiple boundary errors within the “demux_real_fill_buffer()” function in libmpdemux/demux_real.c. These can be exploited to cause heap-based buffer overflows via specially crafted Real Media files. Successful exploitation may allow execution of arbitrary code.

CVEs:

wordpress

  • Author: Miklos Vajna
  • Vulnerable: 2.6.1-1
  • Unaffected: 2.6.2-1solaria1

Stefan Esser has reported a vulnerability in WordPress, which can be exploited by malicious people to guess automatically generated passwords. The vulnerability is caused due to WordPress using a weak pseudo-random number generator to generate passwords while leaking its state information to an attacker. In combination with other attacks this can e.g. be exploited to recover the administrator’s automatically generated password.

CVEs:

drupal

  • Author: Miklos Vajna
  • Vulnerable: 5.10-1
  • Unaffected: 5.11-1solaria1

Two vulnerabilities have been reported in Drupal, which can be exploited by malicious people and users to bypass certain security restrictions.

  1. A vulnerability is caused due to improper access restriction in the core upload module. This can be exploited to retrieve files attached to content, without valid credentials for accessing the content itself. Successful exploitation of this vulnerability requires valid user credentials and that the core upload module is enabled.
  2. A vulnerability is caused due to improper access restriction in the node module API. This can be exploited to bypass node validation under some unspecified circumstances. No further information is currently available.

CVEs:

drupal6

  • Author: Miklos Vajna
  • Vulnerable: 6.4-1
  • Unaffected: 6.5-1solaria1

A vulnerability has been reported in Drupal, which can be exploited by malicious people to bypass certain security restrictions. The vulnerability is caused due to improper access restriction in the core upload module. This can be exploited to attach arbitrary files to content, without valid credentials. Successful exploitation requires that the core upload module is enabled.

CVEs:

wireshark

  • Author: Miklos Vajna
  • Vulnerable: 1.0.2-2
  • Unaffected: 1.0.3-1solaria1

Some vulnerabilities have been reported in Wireshark, which can be exploited by malicious people to cause a DoS (Denial of Service).

  1. Various errors within epan/dissectors/packet-ncp2222.inc can be exploited to cause e.g. a crash or an infinite loop via specially crafted NCP packets.
  2. An error while uncompressing zlib-compressed packet data can be exploited to cause a crash via specially crafted packets.

CVEs:

drupal-simplenews

  • Author: Miklos Vajna
  • Vulnerable: 5.x_1.4-1
  • Unaffected: 5.x_1.5-1solaria1

A vulnerability has been reported in the Simplenews module for Drupal, which can be exploited by malicious users to conduct script insertion attacks. Input passed as Newsletter categories is not properly sanitised before being stored. This can be exploited to insert arbitrary HTML and script code, which is executed in a user’s browser session in context of an affected site when the malicious data is viewed. Successful exploitation requires valid user credentials with the “administer taxonomy” permission.

phpmyadmin

  • Author: Miklos Vajna
  • Vulnerable: 2.11.9.1-1solaria1
  • Unaffected: 2.11.9.2-1solaria1

A vulnerability has been reported in phpMyAdmin, which can be exploited by malicious people to conduct cross-site scripting attacks. An error exists in the “PMA_escapeJsString()” function in libraries/js_escape.lib.php, which can be exploited to bypass certain filters and execute arbitrary HTML and script code in a user’s browser session in context of an affected site when e.g. Microsoft Internet Explorer is used.

CVEs: