Ravens PHP Scripts: Security



 

 

PHP-Nuke MyHeadlines Module "myh_op" Cross-Site Scripting

Posted on Monday, September 04, 2006 @ 05:49:57 CDT in Security
by Raven

TITLE: PHP-Nuke MyHeadlines Module "myh_op" Cross-Site Scripting

SECUNIA ADVISORY ID: SA21653

VERIFY ADVISORY: http://secunia.com/advisories/21653/

CRITICAL: Less critical

IMPACT: Cross Site Scripting

WHERE: From remote

SOFTWARE: MyHeadlines 4.x (module for PHP-Nuke) -- http://secunia.com/product/11722/

DESCRIPTION: Thomas Pollet has discovered a vulnerability in the MyHeadlines module for PHP-Nuke, which can be exploited by malicious people to conduct cross-site scripting attacks. Input passed to the "myh_op" parameter in modules.php is not properly sanitised before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user's browser session in context of an affected site.

Example: http://[host]/modules.php?op=modload&name=MyHeadlines&file=index&myh=user&myh_op=show_all[code]&eid=2474

The vulnerability has been confirmed in version 4.3.1. Other versions may also be affected.

SOLUTION: Edit the source code to ensure that input is properly sanitised.

PROVIDED AND/OR DISCOVERED BY: Thomas Pollet
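
One way to apply the "properly sanitised" fix to a parameter such as "myh_op", shown as an added example that is not MyHeadlines code and not part of the advisory. It assumes a current PHP version; the operation names other than "show_all", the hidden form field, and the helper names are hypothetical.

```php
<?php
// Added example: a hypothetical handler, not MyHeadlines source code.
// Only "show_all" appears in the advisory; the other names are assumed.
const MYH_ALLOWED_OPS = ['show_all', 'show_one', 'edit'];

/** Return a known operation name, or $default when the input is not listed. */
function myh_resolve_op($raw, string $default = 'show_all'): string
{
    // Arrays (myh_op[]=x) and other non-strings never match the list.
    if (!is_string($raw)) {
        return $default;
    }
    return in_array($raw, MYH_ALLOWED_OPS, true) ? $raw : $default;
}

/** Encode a value for HTML text or a quoted attribute. */
function h(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

/** Build the hidden field that carries the operation back to the form. */
function myh_op_field($raw): string
{
    // Validate first, then encode at the point of output. The encoding stays
    // even though the list is safe, so a later edit to the list cannot
    // reintroduce the flaw.
    return '<input type="hidden" name="myh_op" value="'
        . h(myh_resolve_op($raw)) . '">';
}

// Vulnerable pattern described in the advisory, for comparison only:
//   echo '<input type="hidden" name="myh_op" value="' . $_GET['myh_op'] . '">';

// Constructed inputs: a listed value, markup appended to one, and an array.
foreach (['edit', 'show_all"><i>x</i>', ['edit']] as $sample) {
    echo myh_op_field($sample), "\n";
}
// Free text that must be shown back to the user is encoded, never echoed raw.
echo '<p>Unknown operation: ', h('show_all"><i>x</i>'), "</p>\n";
```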
 

 

Internet Explorer URL Parsing Buffer Overflow Vulnerability

Posted on Wednesday, August 23, 2006 @ 06:50:41 CDT in Security
by Raven

TITLE: Internet Explorer URL Parsing Buffer Overflow Vulnerability

SECUNIA ADVISORY ID: SA21557

VERIFY ADVISORY: http://secunia.com/advisories/21557/

CRITICAL: Highly critical

IMPACT: System access

WHERE: From remote

SOFTWARE: Microsoft Internet Explorer 6.x - http://secunia.com/product/11/

DESCRIPTION: A vulnerability has been reported in Internet Explorer, which can be exploited by malicious people to compromise a user's system. The vulnerability is caused due to a boundary error when processing URLs on a website using HTTP 1.1 and compression. This can be exploited to cause a buffer overflow via an overly long URL. Successful exploitation allows execution of arbitrary code when a user is e.g. tricked into visiting a malicious website. The vulnerability affects Internet Explorer 6 SP1 on Windows 2000 and Windows XP SP1 and was introduced by the MS06-042 patches.

SOLUTION: The vendor recommends disabling the HTTP 1.1 protocol in Internet Explorer (see the vendor's advisory for details).

PROVIDED AND/OR DISCOVERED BY:
Dejan Kovacevic, Bold Internet Solutions.
Derek Soeder, eEye Digital Security.

ORIGINAL ADVISORY:
Microsoft:
http://www.microsoft.com/technet/security/advisory/923762.mspx
http://support.microsoft.com/kb/923762/

OTHER REFERENCES: US-CERT VU#821156: http://www.kb.cert.org/vuls/id/821156
 

 

PHP Multiple Vulnerabilities

Posted on Friday, August 18, 2006 @ 17:14:24 CDT in Security
by Raven

TITLE: PHP Multiple Vulnerabilities

SECUNIA ADVISORY ID: SA21546

VERIFY ADVISORY: http://secunia.com/advisories/21546/

CRITICAL: Less critical

IMPACT: Unknown, Security Bypass

WHERE: Local system

SOFTWARE: PHP 4.4.x -- http://secunia.com/product/5768/
PHP 5.1.x -- http://secunia.com/product/6796/

DESCRIPTION: Some vulnerabilities have been reported in PHP, where some have unknown impacts, and others can be exploited by malicious, local users to bypass certain security restrictions.

1) safe_mode and open_basedir verification is missing in the "file_exists()", "imap_open()", and "imap_reopen()" functions.

2) Some unspecified boundary errors exist in the "str_repeat()" and "wordwrap()" functions on 64-bit systems.

3) The open_basedir and safe_mode protection mechanisms can be bypassed via the cURL extension and the realpath cache.

4) An unspecified boundary error exists in the GD extension when handling malformed GIF images.

5) A boundary error in the "stripos()" function can be exploited to cause an out-of-bounds memory read.

6) Incorrect memory_limit restrictions exist on 64-bit systems.

Other issues which may be security related have also been reported.

SOLUTION: Update to version 4.4.4 or 5.1.5. -- http://www.php.net/downloads.php

PROVIDED AND/OR DISCOVERED BY: Reported by the vendor.

ORIGINAL ADVISORY: http://www.php.net/release_4_4_4.php -- http://www.php.net/release_5_1_5.php
 

 

Mambo Coppermine Component File Inclusion Vulnerability

Posted on Thursday, August 17, 2006 @ 13:15:10 CDT in Security
by Raven

TITLE: Mambo Coppermine Component File Inclusion Vulnerability

SECUNIA ADVISORY ID: SA21539

VERIFY ADVISORY: http://secunia.com/advisories/21539/

CRITICAL: Highly critical

IMPACT: System access

WHERE: From remote

SOFTWARE: Coppermine 1.x (component for Mambo) -- http://secunia.com/product/11551/

DESCRIPTION: k1tk4t has discovered a vulnerability in the Coppermine component for Mambo, which can be exploited by malicious people to compromise a vulnerable system.

Input passed to the "mosConfig_absolute_path" parameter in components/com_cpg/cpg.php isn't properly verified before it is used to include files. This can be exploited to include arbitrary files from external and local resources. Successful exploitation requires that "register_globals" is enabled. The vulnerability has been confirmed in version 1.0. Other versions may also be affected.

SOLUTION: Edit the source code to ensure that input is properly verified.
Set "register_globals" to "Off".

PROVIDED AND/OR DISCOVERED BY: k1tk4t

ORIGINAL ADVISORY: http://milw0rm.com/exploits/2196
 

 

Zen Cart SQL Injection and File Inclusion Vulnerabilities

Posted on Wednesday, August 16, 2006 @ 11:47:25 CDT in Security
by Raven

TITLE: Zen Cart SQL Injection and File Inclusion Vulnerabilities

SECUNIA ADVISORY ID: SA21484

VERIFY ADVISORY: http://secunia.com/advisories/21484/

CRITICAL: Highly critical

IMPACT: Manipulation of data, System access

WHERE: From remote

SOFTWARE: Zen Cart 1.x -- http://secunia.com/product/3488/

DESCRIPTION: James Bercegay has reported some vulnerabilities in Zen Cart, which can be exploited by malicious people to conduct SQL injection attacks and compromise a vulnerable system.

1) Input passed to the "ipn_get_stored_session", "whos_online_session_recreate", and the "add_cart" functions is not properly sanitised before being used in an SQL query. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code.

2) Certain input is not properly verified before being used to include files. This can be exploited to include arbitrary files from local or external resources.

Examples:
* http://[host]/index.php?autoLoadConfig[999][0][autoType]=include&autoLoadConfig[999][0][loadFile]=[remote file]
* The "typefilter" parameter (only local resources)

The vulnerabilities have been reported in version 1.3.0.2. Other versions may also be affected.

SOLUTION: Edit the source code to ensure that input is properly sanitised and verified.

PROVIDED AND/OR DISCOVERED BY: James Bercegay, GulfTech Security Research

ORIGINAL ADVISORY: http://www.gulftech.org/?node=research&article_id=00109-08152006
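
A guard for the file inclusion issues in this advisory and in the Mambo Coppermine advisory (SA21539), as an added example that is not Mambo, Coppermine or Zen Cart code. It goes slightly beyond either advisory by combining two checks: refusing requests that supply a configuration-only variable name, and resolving include paths inside a fixed base directory. The function names and the placement at the top of an included script are hypothetical; a current PHP version is assumed.

```php
<?php
// Added example; not Mambo, Coppermine or Zen Cart code.
// Variable names the two advisories show being set from the request.
const CONFIG_ONLY_NAMES = ['mosConfig_absolute_path', 'autoLoadConfig'];

/** Return the configuration-only names found in the given request arrays. */
function request_supplied_config(array $sources): array
{
    $hits = [];
    foreach ($sources as $params) {
        foreach (CONFIG_ONLY_NAMES as $name) {
            if (array_key_exists($name, $params)) {
                $hits[$name] = true;
            }
        }
    }
    return array_keys($hits);
}

/** Resolve $relative inside $base; null if it is missing or escapes $base. */
function resolve_under(string $base, string $relative): ?string
{
    $baseReal = realpath($base);
    // realpath() returns false for URLs and missing files, so neither
    // can reach an include statement through this function.
    $target = realpath($base . DIRECTORY_SEPARATOR . $relative);
    if ($baseReal === false || $target === false) {
        return null;
    }
    $prefix = rtrim($baseReal, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    return strncmp($target, $prefix, strlen($prefix)) === 0 ? $target : null;
}

// Hypothetical placement: top of a script that is meant to be included.
$hits = request_supplied_config([$_GET, $_POST, $_COOKIE]);
if ($hits !== []) {
    http_response_code(400);
    exit('Rejected request parameter: ' . htmlspecialchars($hits[0]));
}

// Constructed self-check using a temporary directory.
$base = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'incl_demo_' . getmypid();
mkdir($base);
touch($base . DIRECTORY_SEPARATOR . 'init.php');
var_dump(resolve_under($base, 'init.php') !== null);   // file inside $base
var_dump(resolve_under($base, '..'));                  // existing path outside $base
var_dump(resolve_under($base, 'http://example.invalid/x.php')); // URL
unlink($base . DIRECTORY_SEPARATOR . 'init.php');
rmdir($base);
```

The base directory passed to resolve_under() must come from the application's own configuration, never from a variable that the request could have populated.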
 

 

Linux Kernel Multiple Vulnerabilities

Posted on Friday, August 11, 2006 @ 08:37:22 CDT in Security
by Raven

TITLE: Linux Kernel Multiple Vulnerabilities

SECUNIA ADVISORY ID: SA21476

VERIFY ADVISORY: http://secunia.com/advisories/21476/

CRITICAL: Moderately critical

IMPACT: Security Bypass, Exposure of sensitive information, DoS

WHERE: From remote

OPERATING SYSTEM: Linux Kernel 2.4.x -- http://secunia.com/product/763/

DESCRIPTION: Multiple vulnerabilities have been reported in the Linux Kernel, which can be exploited by malicious, local users to cause a DoS (Denial of Service), bypass certain security restrictions, and disclose potentially sensitive information, and by malicious people to cause a DoS.

For more information: SA20185 SA19990 SA19869 SA19709 SA13572

SOLUTION: Update to version 2.4.33. -- http://kernel.org/

ORIGINAL ADVISORY: http://kernel.org/pub/linux/kernel/v2.4/ChangeLog-2.4.33

OTHER REFERENCES: SA20185, SA19990, SA19869, SA19709, SA13572
 


