[ GLSA 200811-02 ] Gallery: Multiple vulnerabilities

2008-11-10 Thread Tobias Heinlein
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory   GLSA 200811-02
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

  Severity: Normal
     Title: Gallery: Multiple vulnerabilities
      Date: November 09, 2008
      Bugs: #234137, #238113
        ID: 200811-02

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========
Multiple vulnerabilities in Gallery may lead to execution of arbitrary
code, disclosure of local files or theft of user's credentials.

Background
==========

Gallery is an open source web based photo album organizer.

Affected packages
=================

    -------------------------------------------------------------------
     Package              /  Vulnerable  /                  Unaffected
    -------------------------------------------------------------------
  1  www-apps/gallery          < 2.2.6                       >= 2.2.6
                                                            *>= 1.5.9

Description
===========

Multiple vulnerabilities have been discovered in Gallery 1 and 2:

* Digital Security Research Group reported a directory traversal
  vulnerability in contrib/phpBB2/modules.php in Gallery 1, when
  register_globals is enabled (CVE-2008-3600).

* Hanno Boeck reported that Gallery 1 and 2 did not set the secure
  flag for the session cookie in an HTTPS session (CVE-2008-3662).

* Alex Ustinov reported that Gallery 1 and 2 do not properly handle
  ZIP archives containing symbolic links (CVE-2008-4129).

* The vendor reported a Cross-Site Scripting vulnerability in Gallery
  2 (CVE-2008-4130).

Impact
======

Remote attackers could send specially crafted requests to a server
running Gallery, allowing for the execution of arbitrary code when
register_globals is enabled, or read arbitrary files via directory
traversals otherwise. Attackers could also entice users to visit
crafted links allowing for theft of login credentials.

Workaround
==========

There is no known workaround at this time.

Resolution
==========

All Gallery 2 users should upgrade to the latest version:

# emerge --sync
# emerge --ask --oneshot --verbose =www-apps/gallery-2.2.6

All Gallery 1 users should upgrade to the latest version:

# emerge --sync
# emerge --ask --oneshot --verbose =www-apps/gallery-1.5.9

References
==========

  [ 1 ] CVE-2008-3600
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3600
  [ 2 ] CVE-2008-3662
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3662
  [ 3 ] CVE-2008-4129
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-4129
  [ 4 ] CVE-2008-4130
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-4130

Availability
============
This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

  http://security.gentoo.org/glsa/glsa-200811-02.xml

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
[EMAIL PROTECTED] or alternatively, you may file a bug at
http://bugs.gentoo.org.

License
=======

Copyright 2008 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

http://creativecommons.org/licenses/by-sa/2.5
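CVE-2008-4129 above concerns ZIP archives that contain symbolic links, and the same importer code path is where path-traversal member names are handled. As an added example (not Gallery's or Gentoo's code), here is a Python audit an upload handler can run over an archive before extracting anything: it refuses members whose Unix mode bits mark them as symlinks and members whose names would land outside the extraction directory. The sample archive is constructed inside the block; the function and member names are this example's own.

```python
"""Added example (not Gallery's code): refuse symlink and path-escaping
members of a ZIP archive before extraction. The sample archive below is
constructed here for demonstration."""
import io
import stat
import zipfile
from pathlib import PurePosixPath


def entry_is_symlink(info: zipfile.ZipInfo) -> bool:
    """Unix mode bits of a member live in the top 16 bits of external_attr."""
    mode = (info.external_attr >> 16) & 0xFFFF
    return stat.S_ISLNK(mode)


def entry_escapes(name: str) -> bool:
    """True if extracting `name` could land outside the target directory."""
    normalized = name.replace("\\", "/")
    path = PurePosixPath(normalized)
    has_drive = len(normalized) > 1 and normalized[1] == ":"
    return path.is_absolute() or has_drive or ".." in path.parts


def audit_zip(data: bytes) -> dict:
    """Map every member that must not be extracted to the reason it is refused."""
    rejected = {}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if entry_is_symlink(info):
                rejected[info.filename] = "symlink"
            elif entry_escapes(info.filename):
                rejected[info.filename] = "path traversal"
    return rejected


def safe_extract(data: bytes, dest: str) -> list:
    """Extract only the members audit_zip() accepted; return their names."""
    rejected = audit_zip(data)
    kept = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.filename in rejected:
                continue
            zf.extract(info, dest)
            kept.append(info.filename)
    return kept


def build_sample_zip() -> bytes:
    """Constructed sample: one ordinary photo, one symlink member that points
    outside the album, and one member whose name climbs out of the tree."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("album/photo.jpg", b"\xff\xd8\xff constructed jpeg bytes")
        link = zipfile.ZipInfo("album/config.php")
        link.external_attr = (stat.S_IFLNK | 0o777) << 16  # mark as symlink
        zf.writestr(link, "../../config.php")  # a symlink member stores its target
        zf.writestr("../../../var/www/dropped.txt", b"constructed payload")
    return buf.getvalue()


if __name__ == "__main__":
    for member, reason in audit_zip(build_sample_zip()).items():
        print(f"refuse {member!r}: {reason}")
```

The audit looks only at archive metadata, so it runs before any bytes reach disk; zipfile's own extract() rewrites traversal names but does not refuse symlink members, which is why both checks are made explicitly here.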





Collabtive 0.4.8 Multiple Vulnerabilities

2008-11-10 Thread ascii
Collabtive 0.4.8 Multiple Vulnerabilities

 Name              Multiple Vulnerabilities in Collabtive
 Systems Affected  Collabtive 0.4.8 and possibly earlier versions
 Severity          High
 Impact (CVSSv2)   High 8/10, vector: (AV:N/AC:L/Au:S/C:P/I:C/A:P)
 Vendor            http://collabtive.o-dyn.de/
 Advisory          http://www.ush.it/team/ush/hack-collabtive048/adv.txt
 Authors           Antonio "s4tan" Parata (s4tan AT ush DOT it)
                   Francesco "ascii" Ongaro (ascii AT ush DOT it)
                   Giovanni "evilaliv3" Pellerano (evilaliv3 AT
                   digitalbullets DOT org)
 Date              20080925

I. BACKGROUND

From the Collabtive web site: "Collabtive is collaborative software to
get your projects done!".

II. DESCRIPTION

Multiple vulnerabilities exist in Collabtive software.

III. ANALYSIS

Summary:

 A) Stored Cross Site Scripting
 B) Forceful browsing authentication bypass
 C) Arbitrary file upload

A) Stored Cross Site Scripting

A stored XSS vulnerability exists in the /admin.php?action=projects
section.

Once the attacker specifies an XSS attack vector, like
<script>alert(0);</script>, as the Name property of a project, an
XSS vulnerability occurs because the project Name fields are stored
and printed without any filtering.

While the cited section poses limits on the Name field when
reflecting the XSS payload, clicking on the edit link
/manageproject.php?action=editform&id=projectId results in a page
without limitations on the characters shown, thus allowing complete
exploitation.

This vulnerability requires administrator authentication.

CSRF+XSS and timing (JS) can be used to successfully exploit this
vulnerability in an automated manner.

B) Forceful browsing authentication bypass

An authentication bypass vulnerability exists in
/admin.php?action=users&mode=added. Directly pointing to that URL
shows an error; however, at the bottom of the page there is a web
form that permits creating new users with full privileges.

With this vulnerability an attacker without any valid credentials can
create a new valid administrator.

Since this vulnerability was discovered, the exploitation
prerequisites have changed, as detailed below:

- A bug fix in the latest version, 0.4.8, now requires globals on in
order to exploit this vulnerability.

- In version 0.4.6, instead, the vulnerability is exploitable regardless
of the globals settings.

C) Arbitrary file upload

It's possible to upload arbitrary files with arbitrary extensions.
An attacker who has not already gained Administration privileges using
the previously exposed vulnerabilities must be assigned to at least one
project.

To upload a file go to /managefile.php?action=show&projectid=projectId
and add a new file.

If a file with a .php extension is uploaded, the mimetype will be
php/plain and the program will change the extension to .txt in order
to prevent exploitation.

This security control can be bypassed by changing the mimetype to
text/plain; in this way the application will believe that a normal .txt
file was uploaded and the extension will not be changed.

The uploaded file resides in /files/projectId/filename_$seed.php.

An authenticated attacker will simply see the seed (and the complete
filename) using the web interface and can directly execute it.

In the case of unauthenticated attackers the filename must be guessed.
Luckily the make_seed() routine lacks real random properties and is
only based on the time. $seed can be easily bruteforced using values
that are likely to match the return value derived from the microtime()
of the upload.

private function make_seed()
{
    // microtime() returns "usec sec" (fractional seconds, then epoch seconds)
    list($usec, $sec) = explode(' ', microtime());
    // The "seed" is just the upload time: epoch seconds plus ten times the
    // fractional part, so it is fully determined by when the request arrived.
    $value = (float) $sec + ((float) $usec * 10);
    return $value;
}

As is easily understandable, $seed can be guessed in very few tries. The
same vulnerability exists when attaching a file in the Messages
section.

This vulnerability can also be exploited via CSRF.

IV. DETECTION

Collabtive 0.4.8 and possibly earlier versions are vulnerable.

V. WORKAROUND

Proper input validation will fix the vulnerabilities.

VI. VENDOR RESPONSE

No fix available.

VII. CVE INFORMATION

No CVE at this time.

VIII. DISCLOSURE TIMELINE

20080926 Initial vendor contact (No Response)
20081003 Second vendor contact (No Response)
20081010 Third vendor contact
20081010 Vendor response (Fix promised for the end of October)
20081010 Vendor contact to sync disclosure time (No response)
20081110 Advisory released (Fix not available)

IX. CREDIT

Antonio "s4tan" Parata, Francesco "ascii" Ongaro and
Giovanni "evilaliv3" Pellerano are credited with the discovery of this
vulnerability.

Antonio "s4tan" Parata
web site: http://www.ictsc.it/
mail: s4tan AT ictsc DOT it, s4tan AT ush DOT it

Francesco "ascii" Ongaro
web site: http://www.ush.it/
mail: ascii AT ush DOT it

Giovanni "evilaliv3" Pellerano
mail: evilaliv3 AT digitalbullets DOT org

X. LEGAL NOTICES

Copyright (c) 2008 Francesco ascii Ongaro

Permission is granted for the redistribution
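Section C of the advisory above turns on two design mistakes: the upload check trusts the mimetype the client declares, and the stored filename's "seed" is derived from microtime(). The following Python is an added example, not Collabtive's code or a fix from its vendor; it shows how an upload-naming routine can avoid both. It transcribes make_seed() only to put a number on its unpredictability, then names the file from an extension allowlist, the file's leading bytes, and a CSPRNG suffix. The extension allowlist, the magic-byte table and all function names are this example's own assumptions.

```python
"""Added example (not Collabtive's code): name an uploaded file without
trusting the client-declared mimetype or a time-derived seed. Allowlist,
magic-byte table and function names are this example's assumptions."""
import math
import os
import re
import secrets

# Extensions this hypothetical application agrees to store. Anything else,
# .php included, is refused outright rather than renamed to .txt.
ALLOWED_EXTENSIONS = {"txt", "pdf", "png", "jpg", "jpeg", "gif", "zip"}

# Leading bytes each binary type must start with (well-known signatures).
MAGIC = {
    "png": (b"\x89PNG\r\n\x1a\n",),
    "jpg": (b"\xff\xd8\xff",),
    "jpeg": (b"\xff\xd8\xff",),
    "gif": (b"GIF87a", b"GIF89a"),
    "pdf": (b"%PDF-",),
    "zip": (b"PK\x03\x04",),
}
TEXT_EXTENSIONS = {"txt"}

# Only letters, digits, '_' and '-' survive in the stored stem. Dots are
# replaced as well, so "shell.php.txt" cannot be stored as "shell.php_<x>.txt".
UNSAFE_CHARS = re.compile(r"[^A-Za-z0-9_-]")


def weak_seed(sec: int, usec: float) -> float:
    """Python transcription of the advisory's make_seed(): sec + usec * 10."""
    return float(sec) + float(usec) * 10


def weak_seed_bits(window_seconds: float, resolution: int = 1_000_000) -> float:
    """Upper bound, in bits, on how unpredictable make_seed() is when the
    upload time is known to within window_seconds. microtime() has
    microsecond resolution, so at most window_seconds * 1e6 distinct values
    exist (fewer in practice, since sec + usec * 10 overlaps across seconds)."""
    return math.log2(window_seconds * resolution)


def random_suffix_bits() -> int:
    """secrets.token_hex(16) draws 16 bytes from the OS CSPRNG."""
    return 16 * 8


def safe_stored_name(client_filename: str, client_mimetype: str, head: bytes) -> str:
    """Return the name an upload may be stored under, or raise ValueError.

    client_mimetype is accepted only to make the point that it is never
    consulted: the client sends it, and forging it was the advisory's bypass.
    """
    del client_mimetype  # attacker-controlled; deliberately unused

    base = os.path.basename(client_filename.replace("\\", "/"))
    stem, dot, ext = base.rpartition(".")
    if not dot or not stem:
        raise ValueError("filename needs both a name and an extension")
    ext = ext.lower()
    if ext not in ALLOWED_EXTENSIONS:
        raise ValueError(f"extension .{ext} is not allowed")

    # Decide the type from the bytes, never from the declared type.
    if ext in MAGIC and not any(head.startswith(m) for m in MAGIC[ext]):
        raise ValueError(f"content does not look like a .{ext} file")
    if ext in TEXT_EXTENSIONS and (b"<?" in head or b"<script" in head.lower()):
        raise ValueError("text upload contains script markup")

    safe_stem = UNSAFE_CHARS.sub("_", stem)[:64]
    # 128 bits from the OS CSPRNG instead of a value derived from microtime().
    return f"{safe_stem}_{secrets.token_hex(16)}.{ext}"


if __name__ == "__main__":
    print(f"make_seed() within a 1 s window: <= {weak_seed_bits(1):.1f} bits")
    print(f"secrets.token_hex(16):            {random_suffix_bits()} bits")
    print(safe_stored_name("holiday.png", "text/plain", b"\x89PNG\r\n\x1a\n..."))
```

The stored name still carries the user's stem for readability, but the part that must be unguessable comes from secrets, and the decision to store at all never depends on anything the client asserts about the file; the same routine serves the project-file and message-attachment paths the advisory says share the weakness.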

Re: Default key algorithm in Thomson and BT Home Hub routers

2008-11-10 Thread securityfocus
I've created an online lookup (no brute force) tool that lets you retrieve the 
WPA keys for speedtouch modems: 
http://www.nickkusters.com/articles/79/Online_SpeedTouch_WPA_Key_Lookup.aspx


[ GLSA 200811-03 ] FAAD2: User-assisted execution of arbitrary code

2008-11-10 Thread Tobias Heinlein
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory   GLSA 200811-03
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

  Severity: Normal
     Title: FAAD2: User-assisted execution of arbitrary code
      Date: November 09, 2008
      Bugs: #238445
        ID: 200811-03

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========
A buffer overflow in FAAD2 might lead to user-assisted execution of
arbitrary code via an MP4 file.

Background
==========

FAAD2 is an open source MPEG-4 and MPEG-2 AAC decoder.

Affected packages
=================

    -------------------------------------------------------------------
     Package              /  Vulnerable  /                  Unaffected
    -------------------------------------------------------------------
  1  media-libs/faad2         < 2.6.1-r2                   >= 2.6.1-r2

Description
===========

The ICST-ERCIS (Peking University) reported a heap-based buffer
overflow in the decodeMP4file() function in frontend/main.c.

Impact
======

A remote attacker could entice a user to open a specially crafted
MPEG-4 (MP4) file in an application using FAAD2, possibly leading to
the execution of arbitrary code.

Workaround
==========

There is no known workaround at this time.

Resolution
==========

All FAAD2 users should upgrade to the latest version:

# emerge --sync
# emerge --ask --oneshot --verbose =media-libs/faad2-2.6.1-r2

References
==========

  [ 1 ] CVE-2008-4201
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-4201

Availability
============
This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

  http://security.gentoo.org/glsa/glsa-200811-03.xml

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
[EMAIL PROTECTED] or alternatively, you may file a bug at
http://bugs.gentoo.org.

License
=======

Copyright 2008 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

http://creativecommons.org/licenses/by-sa/2.5


