CA ARCserve DoS, Multiple CMS Vulns

Computer Associates ARCserve Backup 12.0.5454.0 and earlier can be crashed remotely (denial of service) by sending a specially crafted packet to port 41523. For more specific information please see CVE-2008-1979.

Several content management systems are vulnerable to remote file inclusion (RFI) and SQL injection. As Adam said in a previous post, application developers are still not adopting the coding practices (keeping untrusted input out of file paths and query strings) that would prevent these bugs from being written in the first place. If you administer a CMS, make sure the application is tested regularly for injection vulnerabilities.
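As an added example (not code from any of the affected CMS packages), the two bug classes named above, each shown as the vulnerable pattern next to its fix. The users table, the template names and the template directory are constructed for the demonstration; the `classify_include` helper labels what a raw PHP-style `include()` of an attacker-supplied string would do.

```python
"""Added example, not code from any of the affected CMS packages: SQL
injection and remote/local file inclusion, vulnerable pattern beside the fix.
The users table, template names and directory are constructed for the demo."""
import sqlite3
from pathlib import PurePosixPath

# ---- SQL injection ---------------------------------------------------------

def demo_db():
    """In-memory database with a constructed users table."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (id INTEGER, name TEXT, password TEXT)")
    db.executemany("INSERT INTO users VALUES (?, ?, ?)",
                   [(1, "admin", "s3cret"), (2, "alice", "hunter2")])
    return db

def login_vulnerable(db, user, password):
    """Query built by string formatting: the input is parsed as SQL, so a
    password of  ' OR '1'='1  turns the WHERE clause into a tautology."""
    sql = ("SELECT id FROM users WHERE name = '%s' AND password = '%s'"
           % (user, password))
    return db.execute(sql).fetchone() is not None

def login_safe(db, user, password):
    """Bound parameters: the value travels separately from the statement and
    is never parsed as SQL, whatever it contains."""
    sql = "SELECT id FROM users WHERE name = ? AND password = ?"
    return db.execute(sql, (user, password)).fetchone() is not None

# ---- Remote / local file inclusion -----------------------------------------

TEMPLATE_DIR = PurePosixPath("/var/www/cms/templates")   # assumed layout
ALLOWED_TEMPLATES = {"home", "article", "contact"}        # assumed names

def include_target_vulnerable(page):
    """The PHP shape include($_GET['page'] . '.php'): whatever the client
    sent, plus a suffix. Returns the path PHP would try to open."""
    return page + ".php"

def classify_include(target):
    """Label what a raw include() of an attacker-supplied string would do."""
    if "://" in target:
        return "remote"      # RFI: fetched over HTTP when allow_url_include is on
    if target.startswith("/") or ".." in PurePosixPath(target).parts:
        return "traversal"   # LFI: escapes the template directory
    return "local"

def include_target_safe(page):
    """Allow-list the name, then anchor it under TEMPLATE_DIR. Anything not on
    the list is refused rather than 'cleaned'. Returns None when refused."""
    if page not in ALLOWED_TEMPLATES:
        return None
    return str(TEMPLATE_DIR / (page + ".php"))

if __name__ == "__main__":
    db = demo_db()
    tautology = "' OR '1'='1"
    print("vulnerable login bypassed:", login_vulnerable(db, "admin", tautology))
    print("safe login bypassed:     ", login_safe(db, "admin", tautology))
    for p in ("home", "http://evil.example/shell.txt?", "../../../etc/passwd"):
        print("%-32s -> %s / %s" % (p, classify_include(include_target_vulnerable(p)),
                                    include_target_safe(p)))
```

The fix in both halves is the same idea: untrusted data is handed to a mechanism that cannot reinterpret it (a bound parameter, an allow-list lookup) instead of being spliced into text the interpreter parses.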

F5 FirePass SSL VPN XSS

The F5 FirePass SSL VPN appliance is vulnerable to cross-site scripting within its management console. A device that is itself meant to protect against attacks such as XSS contains an XSS in the /vdesk/admincon/webyfiers.php and /vdesk/admincon/index.php pages: a request parameter is reflected into the page, and an attacker can terminate the parameter value early (closing the attribute it is reflected into) and inject an event handler script. The vulnerability has been confirmed in version 6.0.2, hotfix 3; earlier versions may also be affected. There is no fix at the moment, so users and admins should not browse untrusted sites while logged in to the management interface.
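What "premature termination of the parameter value" means in practice, as an added example that is not taken from the F5 advisory: a request parameter reflected into an HTML attribute, with the attacker's value shown against no encoding, against the common half-fix of escaping only angle brackets, and against full attribute encoding. The form, parameter name and payload are constructed for the demonstration; the same mechanism applies to any reflected parameter, such as the Sun Identity Manager ones mentioned later on this page.

```python
"""Added example (not from the F5 advisory): reflecting a parameter into an
HTML attribute lets a leading quote end the attribute early, after which the
rest of the value becomes a new attribute. Only attribute encoding stops it.
The form, parameter name and payload are constructed for the demonstration."""
import html
from html.parser import HTMLParser

# Constructed attacker value: the quote closes value="...", the remainder
# becomes an event-handler attribute on the same element.
PAYLOAD = '" onmouseover="alert(document.cookie)'

def _page(value):
    """The template: a text box whose value attribute echoes a parameter."""
    return '<input type="text" name="q" value="%s">' % value

def render_vulnerable(value):
    """No encoding at all."""
    return _page(value)

def render_angle_brackets_only(value):
    """Common half-fix: neutralising < and >. Inside an attribute the
    attacker never needs them, so this changes nothing."""
    return _page(value.replace("<", "&lt;").replace(">", "&gt;"))

def render_encoded(value):
    """html.escape(quote=True) also encodes the quote characters, so the
    reflected text can no longer end the attribute it sits in."""
    return _page(html.escape(value, quote=True))

class _FirstTag(HTMLParser):
    """Tokenise the markup as a browser would; keep the first tag's attrs."""
    def __init__(self):
        super().__init__()
        self.attrs = None
    def handle_starttag(self, tag, attrs):
        if self.attrs is None:
            self.attrs = dict(attrs)

def attributes_of(markup):
    p = _FirstTag()
    p.feed(markup)
    p.close()
    return p.attrs or {}

def event_handlers(markup):
    """Names of on* attributes the browser would attach: any entry is XSS."""
    return sorted(n for n in attributes_of(markup) if n.startswith("on"))

if __name__ == "__main__":
    for fn in (render_vulnerable, render_angle_brackets_only, render_encoded):
        print("%-27s handlers=%s" % (fn.__name__, event_handlers(fn(PAYLOAD))))
```

The parser-based check is the useful part: it reads the rendered page back the way a browser tokeniser does, so it reports what would actually execute rather than whether a particular string was escaped.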

Lotus Domino Cross Site Scripting and Buffer Overflows

Two issues have been reported in IBM’s Lotus Domino Web Server versions 6.x, 7.x and 8.x: a stack-based buffer overflow that may allow remote code execution, and a cross-site scripting flaw that allows injection of arbitrary HTML and script code. We recommend updating your web servers as appropriate.

The original advisories can be viewed at:
http://www-1.ibm.com/support/docview.wss?uid=swg21303057

and

http://www-1.ibm.com/support/docview.wss?uid=swg21303296

High Profile XSS

A security issue in Barack Obama’s website has been exploited by a user to redirect visitors to Hillary Clinton’s website. Visitors to the community blogs section of his site were sent to Hillary Clinton’s home page via a cross-site scripting (XSS) vulnerability. This story highlights the importance of secure coding practices, and of finding and remediating any XSS on your site. Had the user posting the XSS been malicious, he could have served malware or spyware to every visitor. Moral of the story: XSS is not a vulnerability that should be taken lightly.

Symantec Internet Security 2008 Vulnerable ActiveX

Symantec Internet Security 2008 ships a vulnerable ActiveX control (reported as two issues). The affected control is:

Progid: SymAData.ActiveDataInfo.1
Clsid: 3451DEDE-631F-421c-8127-FD793AFC6CC8
File: C:\PROGRA~1\COMMON~1\SYMANT~1\SUPPOR~1\SymAData.dll
Version: 2.7.0.1

The control is marked safe for scripting. According to Symantec it will only run from the “symantec.com” domain, so exploitation would require an XSS on that domain or DNS poisoning, but a successful attack could give complete control of a user's system simply by viewing a malicious page. Symantec has issued updates to fix these vulnerabilities.

CiscoWorks Remote Command Shell?

A vulnerability has been reported in CiscoWorks Internetwork Performance Monitor. It appears to be the result of a command shell bound to a random port, which could be exploited to execute commands on the system. Cisco has released a fix for IPM version 2.6 (bug ID CSCsj06260).

A cross-site scripting vulnerability has been reported in Nagios. From the description it appears to be a reflected XSS, but further information is unavailable at this time, and we do not know which input fields are affected. Versions prior to 2.11 are vulnerable; upgrade to 2.11 if you are running Nagios.

Check Point VPN XSS, Multiple Java Vulns

Check Point VPN-1 UTM Edge is vulnerable to cross-site scripting. This particular issue is a reflected XSS reachable before authentication, which would let an attacker inject his own HTML into the login page (wrapping the real login form in a form of his own, for example) for deceptive or malicious purposes. The latest firmware version, 7.5.48, reportedly does not contain this vulnerability.

There are multiple vulnerabilities in Java, covering Java Web Start, the JRE and the SDK. They could lead to denial of service or system compromise. All of the more recent Java versions are affected, so if you haven’t updated your Java install in a few weeks, now would be the time to do so.

Lighttpd, a popular lightweight open source web server, is vulnerable to CGI source disclosure and a potential denial of service. Version 1.4.18-r2 is affected; a newer version is available.

Sun Java Identity Manager Vulnerabilities

Sun released two advisories today. The first details cross-site scripting vulnerabilities in Sun Java System Identity Manager. They consist of input validation errors in the “cntry” and “lang” parameters of /idm/login.jsp, the “resultsForm” parameter of /idm/account/findForSelect.jsp and the “helpUrl” parameter of /idm/help/index.jsp. The original advisory can be found at: http://sunsolve.sun.com/search/document.do?assetkey=1-26-103180-1

The second involves

VMWare ESX Update, XSS Testing for Webmail Systems

A recent update of VMware ESX Server contains many fixes, a few of which are critical to the security of the product. Now is the time to look into updating VMware on your hosts.

A new XSS testing tool has been released. XSS testing tools are nothing new, but this is the first dedicated solely to testing XSS in webmail applications. Written in Perl, it tests for XSS by sending mail messages carrying payloads to an account you specify. It’s called Excess and can be found at http://www.scanit.be/excess.html
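The same idea run offline, as an added example that is not the Excess tool itself: a constructed set of HTML-mail payloads, one per injection technique, is pushed through a minimal allow-list sanitizer (an assumed stand-in for a webmail application's own filter), and a checker parses the result the way a browser would and reports which payloads still contain something executable. Webmail cannot simply escape the whole message body as the previous example does, because it has to render HTML mail, which is why this is a sanitizer rather than an encoder.

```python
"""Added example, not the Excess tool: HTML-mail XSS payloads run through a
minimal allow-list sanitizer (an assumed stand-in for a webmail filter), with
a browser-style checker reporting which payloads survive."""
import html
from html.parser import HTMLParser

# Constructed message bodies, not taken from any real tool or incident.
PAYLOADS = {
    "script_tag":  "Hi<script>alert(1)</script>",
    "img_onerror": '<img src="x" onerror="alert(1)">',
    "js_href":     '<a href="javascript:alert(1)">click</a>',
    "js_href_tab": '<a href="java\tscript:alert(1)">click</a>',
    "mixed_case":  '<IMG SRC="x" OnError="alert(1)">',
    "entity_href": '<a href="&#106;avascript:alert(1)">click</a>',
}

# Assumed policy: what a webmail client might allow in a rendered message.
ALLOWED = {"a": {"href"}, "b": set(), "i": set(), "p": set(), "br": set(),
           "img": {"src", "alt"}}
SAFE_SCHEMES = {"http", "https", "mailto"}

def safe_url(url):
    """True for relative URLs and allow-listed schemes. Whitespace and control
    characters are removed first because browsers ignore them inside a scheme
    ("java\\tscript:"); entities were already decoded by the parser."""
    cleaned = "".join(ch for ch in url if ord(ch) > 32).lower()
    if ":" not in cleaned.split("/", 1)[0]:
        return True
    return cleaned.split(":", 1)[0] in SAFE_SCHEMES

class Sanitizer(HTMLParser):
    """Rebuild the markup keeping only allow-listed tags and attributes."""
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out, self.skip = [], 0   # skip > 0 while inside <script>/<style>
    def handle_starttag(self, tag, attrs):
        if tag in ("script", "style"):
            self.skip += 1
        elif tag in ALLOWED and not self.skip:
            kept = "".join(
                ' %s="%s"' % (n, html.escape(v, quote=True))
                for n, v in attrs
                if n in ALLOWED[tag] and v is not None
                and (n not in ("href", "src") or safe_url(v)))
            self.out.append("<%s%s>" % (tag, kept))
    def handle_endtag(self, tag):
        if tag in ("script", "style"):
            self.skip = max(0, self.skip - 1)
        elif tag in ALLOWED and not self.skip and tag not in ("img", "br"):
            self.out.append("</%s>" % tag)
    def handle_data(self, data):
        if not self.skip:
            self.out.append(html.escape(data, quote=False))

def sanitize(markup):
    p = Sanitizer()
    p.feed(markup)
    p.close()
    return "".join(p.out)

class ExecutableFinder(HTMLParser):
    """Report what a browser would run: script tags, on* handlers, script URLs."""
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.findings = []
    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self.findings.append("script tag")
        for n, v in attrs:
            if n.startswith("on"):
                self.findings.append("%s on <%s>" % (n, tag))
            elif n in ("href", "src") and v and not safe_url(v):
                self.findings.append("script URL in %s on <%s>" % (n, tag))

def surviving_payloads(filter_fn=sanitize):
    """Names of payloads still carrying executable content after filter_fn.
    Pass a different filter to put another sanitizer through the same set."""
    survivors = []
    for name, body in PAYLOADS.items():
        f = ExecutableFinder()
        f.feed(filter_fn(body))
        f.close()
        if f.findings:
            survivors.append(name)
    return survivors

if __name__ == "__main__":
    print("unfiltered:", surviving_payloads(lambda body: body))
    print("sanitized: ", surviving_payloads())
```

The payload set deliberately includes the obfuscations a filter based on string matching misses (mixed case, a tab inside the scheme, an entity-encoded scheme letter); because both the sanitizer and the checker parse the markup rather than grep it, those variants collapse to their plain forms before the policy is applied.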

Also, striking similarities have been noticed between the QuickTime bug found in 2002 and the recent RTSP bug. CVE-2002-0252 and CVE-2007-6166 look very much alike. Has Apple reintroduced the same bug from 2002?