The Vigil@nce team watches public vulnerabilities impacting your computers, and then offers security solutions, a database and tools to fix them.

Computer vulnerabilities of Debian Woody

vulnerability bulletin CVE-2007-2524

OTRS: Cross Site Scripting of Subaction

Synthesis of the vulnerability

An attacker can exploit a Cross Site Scripting attack using the Subaction parameter of OTRS.
Impacted products: Debian, openSUSE, OTRS Help Desk, Unix (platform) ~ not comprehensive.
Severity: 1/4.
Consequences: client access/rights.
Provenance: document.
Creation date: 28/05/2007.
Identifiers: BID-23862, CVE-2007-2524, DSA-1298-1, SUSE-SR:2007:013, VIGILANCE-VUL-6843.

Description of the vulnerability

The OTRS tool (Open Ticket Request System) is used to handle support tickets.

The Kernel/Modules/AgentTicketMailbox.pm script does not filter the Subaction parameter before displaying it in an HTML page.

An attacker can therefore exploit a Cross Site Scripting attack on OTRS.
Full Vigil@nce bulletin... (Free trial)

computer vulnerability alert CVE-2006-3747

Apache httpd: overflow of mod_rewrite

Synthesis of the vulnerability

An attacker can trigger an off-by-one overflow in mod_rewrite, leading to a denial of service or possibly to code execution.
Impacted products: Apache httpd, Debian, Fedora, HPE NMC, OpenView, OpenView NNM, HP-UX, WebSphere AS Traditional, Mandriva Linux, Mandriva NF, OpenBSD, openSUSE, Solaris, Trusted Solaris, Slackware, SLES, TurboLinux.
Severity: 3/4.
Consequences: user access/rights.
Provenance: internet client.
Creation date: 28/07/2006.
Revisions dates: 31/07/2006, 22/08/2006, 10/04/2007, 28/05/2007.
Identifiers: 102662, 102663, 20060702-02-P, 6423037, 6452767, 6452773, BID-19204, c00760969, c00794047, c00797078, c01428449, CVE-2006-3747, DSA-1131-1, DSA-1132-1, FEDORA-2006-862, FEDORA-2006-863, HPSBMA02328, HPSBUX02145, HPSBUX02164, HPSBUX02172, MDKSA-2006:133, SGI BUG 954872, SSA:2006-209-01, SSRT061202, SSRT061265, SSRT061269, SSRT071293, SUSE-SA:2006:043, TLSA-2006-20, VIGILANCE-VUL-6046, VU#395412.

Description of the vulnerability

The mod_rewrite module rewrites URIs on the fly. For example:
  RewriteRule old_uri new_uri [flags]
  RewriteRule /dir/(.*) /script?arg=$1 [R]
In this case:
  http://server/dir/f
is redirected to:
  http://server/script?arg=f

However, when:
 - the attacker controls the initial part of the new URI (for example, if it starts with $1), and
 - the flags do not contain Forbidden (F), Gone (G), or NoEscape (NE),
an off-by-one overflow occurs in mod_rewrite.

This error occurs when an LDAP URI is parsed. Such a URI normally has the form "ldap://hostport/dn?attributes?scope?filter?extensions" (four parameters separated by '?' characters). However, mod_rewrite searches for and writes five parameters.

The impact of this overflow depends on the content of the overwritten byte:
 - no impact
 - denial of service
 - code execution
Full Vigil@nce bulletin... (Free trial)

computer vulnerability announce CVE-2007-0246

GForge: command execution via CVS plugin

Synthesis of the vulnerability

An attacker can use a specially crafted URL in order to inject shell commands into the CVS plugin of GForge.
Impacted products: Debian, Unix (platform) ~ not comprehensive.
Severity: 1/4.
Consequences: user access/rights.
Provenance: intranet client.
Creation date: 24/05/2007.
Identifiers: CVE-2007-0246, DSA-1297-1, VIGILANCE-VUL-6837.

Description of the vulnerability

The GForge development environment supports CVS and Subversion.

The cvsweb.php script uses the passthru() function to run the cvsweb program, passing environment variables (simplified code):
  passthru('VAR="value" /bin/cvsweb');

The PATH_INFO environment variable is set from the URL. However, no filtering is done. An attacker can thus, for example, use:
  http://server/cvsweb.php?`/bin/ls`
to execute:
  passthru('PATH_INFO="`/bin/ls`" /bin/cvsweb');

This vulnerability therefore permits an attacker to execute shell commands.
Full Vigil@nce bulletin... (Free trial)

computer vulnerability alert CVE-2007-1864 CVE-2007-2509 CVE-2007-2510

PHP: several vulnerabilities

Synthesis of the vulnerability

An attacker can use several vulnerabilities of PHP in order to conduct a denial of service or to execute code.
Impacted products: Debian, Fedora, Mandriva Linux, Mandriva NF, NLD, OES, openSUSE, PHP, RHEL, Slackware, SLES.
Severity: 3/4.
Consequences: user access/rights, denial of service on service.
Provenance: internet client.
Number of vulnerabilities in this bulletin: 7.
Creation date: 04/05/2007.
Revision date: 22/05/2007.
Identifiers: BID-23813, BID-23984, BID-24012, CVE-2007-1864, CVE-2007-2509, CVE-2007-2510, CVE-2007-2511, CVE-2007-2727, CVE-2007-2748, DSA-1295-1, DSA-1296-1, DSA-1330-1, DSA-1331-1, FEDORA-2007-503, FEDORA-2007-526, MDKSA-2007:102, MDKSA-2007:103, MDKSA-2007:187, RHSA-2007:0348-01, RHSA-2007:0349-01, RHSA-2007:0355-01, RHSA-2007:0888-01, RHSA-2007:0889-01, SSA:2007-127-01, SUSE-SA:2007:044, SUSE-SR:2007:015, VIGILANCE-VUL-6786.

Description of the vulnerability

Several vulnerabilities were announced in PHP.

An attacker can inject a line feed in order to add FTP commands in ftp_putcmd(). [severity:3/4; CVE-2007-2509]

An attacker can overwrite super-global variables with import_request_variables(). [severity:3/4]

A remote buffer overflow can occur in libxmlrpc. [severity:3/4; CVE-2007-1864]

A remote buffer overflow can occur in make_http_soap_request() in the PHP 5 branch. [severity:3/4; CVE-2007-2510]

An attacker can create a buffer overflow in user_filter_factory_create() in the PHP 5 branch. [severity:3/4; CVE-2007-2511]

An attacker can read memory fragments with the substr_count() function. [severity:3/4; BID-24012, CVE-2007-2748]

The mcrypt_create_iv() function does not correctly initialize the random generator. [severity:3/4; BID-23984, CVE-2007-2727]

These vulnerabilities are local or remote depending on context.
Full Vigil@nce bulletin... (Free trial)

vulnerability CVE-2007-2754

FreeType: integer overflow via TTF

Synthesis of the vulnerability

An attacker can create a TTF font file leading to an integer overflow in FreeType.
Impacted products: OpenOffice, Debian, Fedora, Mandriva Linux, Mandriva NF, Windows (platform) ~ not comprehensive, openSUSE, Solaris, Trusted Solaris, RHEL, Unix (platform) ~ not comprehensive.
Severity: 2/4.
Consequences: user access/rights, denial of service on client.
Provenance: document.
Creation date: 22/05/2007.
Identifiers: 102917, 102967, 103171, 20070602-01-P, 6556877, 6564489, BID-24074, CERTA-2007-AVI-226, CVE-2007-2754, DSA-1302-1, DSA-1334-1, FEDORA-2007-0033, FEDORA-2007-561, FEDORA-2009-5558, FEDORA-2009-5644, MDKSA-2007:121, RHSA-2007:0403-01, RHSA-2009:0329-02, RHSA-2009:1061-02, RHSA-2009:1062-01, SUSE-SA:2007:041, VIGILANCE-VUL-6830.

Description of the vulnerability

The FreeType library handles font files.

An integer overflow can occur in the Get_VMetrics() function of src/truetype/ttgload.c when a TTF font file is opened. It leads to a denial of service or to code execution.

An attacker can therefore create a malicious font file and invite a user to open it in a FreeType-based program.
Full Vigil@nce bulletin... (Free trial)

computer vulnerability CVE-2007-2692

MySQL: privilege elevation via INVOKER

Synthesis of the vulnerability

An attacker can execute a procedure with INVOKER attribute in order to elevate his privileges in another database.
Impacted products: Debian, Mandriva Linux, MySQL Community, MySQL Enterprise, openSUSE, RHEL.
Severity: 2/4.
Consequences: privileged access/rights.
Provenance: user account.
Creation date: 21/05/2007.
Identifiers: 27337, 27515, BID-24011, CVE-2007-2692, DSA-1413-1, MDVSA-2008:028, RHSA-2007:0894-01, RHSA-2008:0364-01, SUSE-SR:2008:003, VIGILANCE-VUL-6825.

Description of the vulnerability

When a procedure is created, the "SECURITY" attribute can be used:
  SECURITY DEFINER : the procedure runs with the rights of the user who created it
  SECURITY INVOKER : the procedure runs with the rights of the user who called it

During a call to an INVOKER procedure from another database, the THD::db_access variable is not reinitialized.

A local attacker can therefore:
 - connect to a first database named "base1" where he has privileges, then
 - create an INVOKER procedure named "myproc", then
 - connect to a second database named "base2", then
 - call the procedure ("CALL base1.myproc();").
In this case, the attacker obtains the same privileges as in base1, even though he is in base2.
Full Vigil@nce bulletin... (Free trial)

vulnerability note CVE-2007-2172

Linux kernel: overflow of dn_fib_props and fib_props

Synthesis of the vulnerability

A local attacker can create an overflow in the dn_fib_props and fib_props arrays in order to cause a denial of service, and possibly to elevate his privileges.
Impacted products: Debian, Linux, Mandriva Linux, Mandriva NF, RHEL.
Severity: 2/4.
Consequences: user access/rights, denial of service on server.
Provenance: user shell.
Number of vulnerabilities in this bulletin: 2.
Creation date: 21/05/2007.
Identifiers: BID-23447, CERTA-2002-AVI-162, CVE-2007-2172, DSA-1356-1, DSA-1363-1, DSA-1503-1, MDKSA-2007:171, MDKSA-2007:196, MDKSA-2007:216, RHSA-2007:0347-01, RHSA-2007:0488-01, RHSA-2007:1049-01, RHSA-2008:0787-01, RHSA-2009:0001-01, VIGILANCE-VUL-6824.

Description of the vulnerability

The RTM_MAX value defined in linux/rtnetlink.h indicates the maximal number of netlink message types (around 70). The RTA_MAX value defined in linux/rtnetlink.h indicates the maximal number of netlink message attributes (around 15). Both values were used incorrectly, which gives rise to two vulnerabilities.

The size of the dn_fib_props array in net/decnet/dn_fib.c is based on RTA_MAX instead of RTN_MAX. The array is thus too short. Moreover, the kernel does not check whether the type is less than RTN_MAX. [severity:2/4]

The size of the fib_props array in net/ipv4/fib_frontend.c is based on RTA_MAX instead of RTN_MAX. The array is thus too short. Moreover, the kernel does not check whether the type is less than RTN_MAX. [severity:2/4]

Both overflows permit a local attacker to cause a denial of service, and may lead to a privilege elevation.
Full Vigil@nce bulletin... (Free trial)

vulnerability bulletin CVE-2007-2445

libpng: denial of service via tRNS

Synthesis of the vulnerability

An attacker can create a PNG image containing an invalid tRNS chunk in order to crash applications linked with libpng.
Impacted products: Debian, Fedora, libpng, Mandriva Linux, Mandriva NF, openSUSE, Solaris, Trusted Solaris, RHEL, Slackware, TurboLinux.
Severity: 2/4.
Consequences: denial of service on client.
Provenance: document.
Creation date: 21/05/2007.
Identifiers: 102987, 20070502-01-P, 200871, 239425, 6555900, BID-24000, BID-24023, CERTA-2007-AVI-242, CVE-2007-2445, DSA-1613-1, DSA-1750-1, FEDORA-2007-0001, FEDORA-2007-528, FEDORA-2007-529, MDKSA-2007:116, RHSA-2007:0356-01, SSA:2007-136-01, SUSE-SR:2007:013, TLSA-2007-45, VIGILANCE-VUL-6823, VU#684664.

Description of the vulnerability

A PNG image is composed of a series of chunks, each identified by a four-letter type:
 - IHDR : image header
 - PLTE : palette
 - IDAT : image data (pixel values)
 - tRNS : transparency
Each chunk ends with a CRC used to check its contents.

The png_handle_tRNS() function of libpng checks the CRC of the tRNS chunk. When the CRC is invalid, the transparency information should be ignored, but it is not. An uninitialized pointer, normally used to point to the memory area storing the transparency data, can therefore be dereferenced.

An attacker can thus create an invalid image in order to cause a denial of service in applications that are linked with libpng and access transparency information.
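As an added illustration (not code from the bulletin or from libpng), the following minimal chunk walker shows the behaviour a parser should have: it verifies each chunk's CRC and, when an ancillary chunk such as tRNS fails the check, discards it so that no transparency data is ever referenced. The sample PNG bytes are constructed inline; build_png and parse_png are names chosen here.

```python
import struct
import zlib

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"

def _chunk(ctype: bytes, data: bytes, corrupt_crc: bool = False) -> bytes:
    """Build one PNG chunk: length, type, data, CRC32 over type+data."""
    crc = zlib.crc32(ctype + data) & 0xFFFFFFFF
    if corrupt_crc:
        crc ^= 0xDEADBEEF  # deliberately wrong CRC for the constructed test image
    return struct.pack(">I", len(data)) + ctype + data + struct.pack(">I", crc)

def build_png(trns_crc_ok: bool) -> bytes:
    """Constructed sample: 1x1 palette image with a tRNS chunk (valid or corrupt CRC)."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 3, 0, 0, 0)  # 1x1, 8-bit, colour type 3
    plte = b"\x00\x00\x00"                                # one black palette entry
    trns = b"\x80"                                        # alpha for palette entry 0
    return (PNG_SIGNATURE + _chunk(b"IHDR", ihdr) + _chunk(b"PLTE", plte)
            + _chunk(b"tRNS", trns, corrupt_crc=not trns_crc_ok) + _chunk(b"IEND", b""))

def parse_png(data: bytes) -> dict:
    """Walk the chunks; return {'transparency': bytes or None, 'bad_crc': [types]}."""
    if not data.startswith(PNG_SIGNATURE):
        raise ValueError("not a PNG file")
    pos = len(PNG_SIGNATURE)
    result = {"transparency": None, "bad_crc": []}
    while pos + 8 <= len(data):
        length = struct.unpack(">I", data[pos:pos + 4])[0]
        ctype = data[pos + 4:pos + 8]
        body = data[pos + 8:pos + 8 + length]
        if len(body) != length or pos + 12 + length > len(data):
            raise ValueError("truncated chunk %r" % ctype)
        crc = struct.unpack(">I", data[pos + 8 + length:pos + 12 + length])[0]
        pos += 12 + length
        if zlib.crc32(ctype + body) & 0xFFFFFFFF != crc:
            result["bad_crc"].append(ctype.decode("ascii"))
            # Ancillary chunks (lowercase first letter, e.g. tRNS) with a bad CRC
            # are skipped entirely, so 'transparency' stays None instead of
            # pointing at data that was never validly read.
            if ctype[0] & 0x20:
                continue
            raise ValueError("critical chunk %r has a bad CRC" % ctype)
        if ctype == b"tRNS":
            result["transparency"] = body
        if ctype == b"IEND":
            break
    return result
```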
Full Vigil@nce bulletin... (Free trial)

vulnerability CVE-2007-1860

Tomcat JK Connector: access to a protected application

Synthesis of the vulnerability

An attacker can use double URL encoding in order to access a protected application.
Impacted products: Apache httpd, Tomcat, Debian, HP-UX, NLD, OES, openSUSE, RHEL, SLES.
Severity: 2/4.
Consequences: data reading.
Provenance: internet client.
Creation date: 21/05/2007.
Identifiers: BID-24147, c01178795, CERTA-2002-AVI-130, CERTA-2007-AVI-229, CVE-2007-1860, DSA-1312-1, HPSBUX02262, RHSA-2007:0379-01, RHSA-2007:0380-01, RHSA-2008:0261-01, RHSA-2008:0524-01, SSRT071447, SUSE-SR:2008:005, VIGILANCE-VUL-6820.

Description of the vulnerability

The JkMount directive of Apache httpd indicates the URIs that mod_jk must intercept and the connector to which they are forwarded. For example:
   JkMount /dir/page*.jsp ajp13

The mod_jk module decodes uris inside Apache httpd, then transmits them to Apache Tomcat, which decodes them again.

This double decoding permits an attacker to alter the path seen under the JkMount prefix, in order to access Apache Tomcat applications that are normally blocked by Apache httpd.
Full Vigil@nce bulletin... (Free trial)

vulnerability note CVE-2007-2444 CVE-2007-2446 CVE-2007-2447

Samba: several vulnerabilities

Synthesis of the vulnerability

Several vulnerabilities were announced in Samba, the worst one permits a remote attacker to execute code.
Impacted products: Debian, Fedora, Tru64 UNIX, HP-UX, Mandriva Linux, openSUSE, Solaris, RHEL, Samba, Slackware, SLES, TurboLinux.
Severity: 3/4.
Consequences: privileged access/rights.
Provenance: intranet client.
Number of vulnerabilities in this bulletin: 3.
Creation date: 14/05/2007.
Revisions dates: 15/05/2007, 16/05/2007.
Identifiers: 102964, 20070502-01-P, 6557101, BID-23972, BID-23973, BID-23974, BID-24195, BID-24196, BID-24197, BID-24198, CERTA-2007-AVI-219, CERTA-2008-AVI-007, CVE-2007-2444, CVE-2007-2446, CVE-2007-2447, DSA-1291-2, DSA-1291-3, DSA-1291-4, emr_na-c01067768-1, emr_na-c01078980-1, emr_na-c01091459-1, FEDORA-2007-507, HPSBTU02218, HPSBTU02233, HPSBUX02218, MDKSA-2007:104, MDKSA-2007:104-1, RHSA-2007:0354-01, SSRT071424, SUSE-SA:2007:031, SUSE-SR:2007:014, TLSA-2007-35, VIGILANCE-VUL-6814, VU#268336, VU#773720, ZDI-07-029, ZDI-07-030, ZDI-07-031, ZDI-07-032, ZDI-07-033.

Description of the vulnerability

Several vulnerabilities were announced in Samba, the worst one permits a remote attacker to execute code.

An error can occur when a name is converted to/from a SID. This error permits an authenticated attacker to issue SMB/CIFS operations as root. [severity:3/4; BID-23974, CERTA-2007-AVI-219, CVE-2007-2444]

MS-RPC queries are encoded in NDR (Network Data Representation). The smbd daemon does not correctly decode NDR data, which leads to several overflows: lsa_io_privilege_set/LsarAddPrivilegesToAccount, netdfs_io_dfs_EnumInfo_d/DFSEnum, smb_io_notify_option_type_data/RFNPCNEX, sec_io_acl/NetSetFileSecurity and lsa_io_trans_names/LsarLookupSids/LsarLookupSids2. These vulnerabilities permit a non authenticated attacker to execute code. [severity:3/4; BID-23973, BID-24195, BID-24196, BID-24197, BID-24198, CERTA-2008-AVI-007, CVE-2007-2446, VU#773720, ZDI-07-029, ZDI-07-030, ZDI-07-031, ZDI-07-032, ZDI-07-033]

The "username map script" directive of the smb.conf configuration file indicates a script used to map usernames between client and server. For example:
  username map script = /etc/samba/scripts/mapusers.sh
When a user sends a login name, the server executes the following command:
  /bin/sh -c "/etc/samba/scripts/mapusers.sh username"
An attacker can therefore use a malicious username, in a password change request, in order to execute a shell command on servers where this directive is enabled.
This vulnerability also affects other directives, but their scripts are only executed for authenticated users. [severity:3/4; BID-23972, CVE-2007-2447, VU#268336]
Full Vigil@nce bulletin... (Free trial)