Posted on Tuesday, August 01, 2006 @ 20:27:33 CDT in Security by Raven
TITLE: MySQL MERGE Table Privilege Revoke Bypass
SECUNIA ADVISORY ID: SA21259
VERIFY ADVISORY: http://secunia.com/advisories/21259/
CRITICAL: Not critical
IMPACT: Security Bypass
WHERE: From local network
SOFTWARE:
MySQL 5.x - http://secunia.com/product/8355/
MySQL 4.x - http://secunia.com/product/404/
MySQL 3.x - http://secunia.com/product/99/
DESCRIPTION: Peter Gulutzan has reported a vulnerability in MySQL, which can be exploited by malicious users to bypass certain security restrictions.
The vulnerability is caused by a design error in the user privilege verification for MERGE tables. This can be exploited to keep access to a table via a MERGE table created in advance, even after the privileges for the table have been revoked.
SOLUTION:
MySQL 4.1.x: Update to version 4.1.21.
MySQL 5.x: The vulnerability has been fixed in the CVS repository and will also be fixed in the upcoming 5.0.24 version.
Grant only trusted users access to the database.
NOTE: The vulnerability has been fixed by introducing the "--skip-merge" command line option which disables the MERGE storage engine.
PROVIDED AND/OR DISCOVERED BY: Peter Gulutzan
ORIGINAL ADVISORY: MySQL:
http://dev.mysql.com/doc/refman/4.1/en/news-4-1-21.html
http://dev.mysql.com/doc/refman/5.0/en/news-5-0-24.html
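An audit a DBA can run before relying on a REVOKE, added here as an example and not part of the Secunia advisory or of MySQL: it lists every MERGE table in a data directory that maps onto a given base table. It assumes each MERGE table has a `.MRG` file naming its underlying tables one per line, with tables in other databases written as relative paths; the sample directory and table names are constructed.

```python
import os
import tempfile

def read_mrg(path):
    """Return the underlying-table entries of a .MRG file (skips '#INSERT_METHOD=...' lines)."""
    with open(path, encoding="latin-1") as fh:
        return [ln.strip() for ln in fh if ln.strip() and not ln.startswith("#")]

def resolve(db, ref):
    """Map a .MRG entry to (database, table); a bare name lives in the MERGE table's own db."""
    parts = ref.replace("\\", "/").rstrip("/").split("/")
    if len(parts) == 1:
        return db, parts[0]
    return (db if parts[-2] == "." else parts[-2]), parts[-1]

def merge_tables_over(datadir, target_db, target_table):
    """List 'db.merge_table' names whose .MRG file references target_db.target_table."""
    hits = []
    for db in sorted(os.listdir(datadir)):
        dbdir = os.path.join(datadir, db)
        if not os.path.isdir(dbdir):
            continue
        for name in sorted(os.listdir(dbdir)):
            if not name.upper().endswith(".MRG"):
                continue
            refs = read_mrg(os.path.join(dbdir, name))
            if any(resolve(db, r) == (target_db, target_table) for r in refs):
                hits.append(f"{db}.{name[:-4]}")
    return hits

def build_sample_datadir():
    """Constructed sample layout: three MERGE tables across two databases."""
    root = tempfile.mkdtemp()
    files = {
        "shop/all_orders.MRG": "orders\norders_2005\n#INSERT_METHOD=LAST\n",
        "scratch/m1.MRG": "../shop/orders\n",
        "scratch/m2.MRG": "../shop/customers\n",
    }
    for rel, body in files.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write(body)
    return root

if __name__ == "__main__":
    # MERGE tables that would still reach shop.orders after a REVOKE on it.
    print(merge_tables_over(build_sample_datadir(), "shop", "orders"))
```

Any table the script reports should be dropped or re-owned as part of the revoke, or the server started with the "--skip-merge" option from the advisory if MERGE tables are not needed.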
|
Posted on Friday, July 28, 2006 @ 07:14:21 CDT in Security by Raven
TITLE: Apache mod_rewrite Off-By-One Buffer Overflow Vulnerability
SECUNIA ADVISORY ID: SA21197
VERIFY ADVISORY: http://secunia.com/advisories/21197/
CRITICAL: Moderately critical
IMPACT: DoS, System access
WHERE: From remote
SOFTWARE: Apache 1.3.x -- http://secunia.com/product/72/
Apache 2.0.x -- http://secunia.com/product/73/
Apache 2.2.x -- http://secunia.com/product/9633/
DESCRIPTION: A vulnerability has been reported in Apache HTTP Server, which potentially can be exploited by malicious people to compromise a vulnerable system. The vulnerability is caused by an off-by-one error in mod_rewrite and can be exploited to cause a one-byte buffer overflow.
Successful exploitation may crash the web server process or allow execution of arbitrary code. However, this depends on the manner in which Apache HTTP Server was compiled and also requires the following:
* Certain types of Rewrite rules are used where the beginning of the rewritten URL is controlled.
* The RewriteRule flags do not include the Forbidden (F), Gone (G), or NoEscape (NE) flag.
The vulnerability affects Apache 1.3 since 1.3.28, 2.0 since 2.0.46, and 2.2 since 2.2.0.
SOLUTION: Update to version 1.3.37, 2.0.59, or 2.2.3.
PROVIDED AND/OR DISCOVERED BY: The vendor credits Mark Dowd, McAfee Avert Labs.
ORIGINAL ADVISORY:
http://www.apache.org/dist/httpd/Announcement1.3.html
http://www.apache.org/dist/httpd/Announcement2.0.html
http://www.apache.org/dist/httpd/Announcement2.2.html
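A configuration triage script for the two conditions listed above, added here as an example and not taken from the advisory or from Apache: it flags RewriteRule lines whose substitution starts with a backreference or variable and whose flags include none of F, G or NE. Treating "the beginning of the rewritten URL is controlled" as "the substitution starts with `$N`, `%N`, `${` or `%{`" is a heuristic assumption, and the sample rules are constructed.

```python
import re

# Flags the advisory lists as taking a rule out of scope (short and long forms).
EXEMPT = {"f", "forbidden", "g", "gone", "ne", "noescape"}

# RewriteRule <pattern> <substitution> [flags]; quoted arguments containing
# spaces are not handled by this simple matcher.
RULE = re.compile(r"^\s*RewriteRule\s+(\S+)\s+(\S+)(?:\s+\[([^\]]*)\])?\s*$", re.I)

def flag_names(raw):
    """Turn the text inside [R=301,L,NE] into lowercase flag names without arguments."""
    if not raw:
        return set()
    return {f.split("=", 1)[0].strip().lower() for f in raw.split(",") if f.strip()}

def substitution_starts_dynamic(subst):
    """Heuristic (assumption): the rewritten URL begins with request-derived data."""
    return re.match(r'^"?[$%](?:\d|\{)', subst) is not None

def audit_rewrite_rules(config_text):
    """Return (line number, rule) pairs that meet both conditions from the advisory."""
    findings = []
    for lineno, line in enumerate(config_text.splitlines(), 1):
        if line.lstrip().startswith("#"):
            continue
        m = RULE.match(line)
        if not m:
            continue
        _pattern, subst, raw_flags = m.groups()
        if substitution_starts_dynamic(subst) and not (flag_names(raw_flags) & EXEMPT):
            findings.append((lineno, line.strip()))
    return findings

# Constructed sample configuration.
SAMPLE_CONF = """\
RewriteEngine On
# constructed sample rules
RewriteRule ^/mirror/(.*)$ $1 [R,L]
RewriteRule ^/mirror2/(.*)$ $1 [R,NE]
RewriteRule ^/old/(.*)$ /new/$1 [L]
RewriteRule ^/blocked/(.*)$ $1 [F]
RewriteCond %{QUERY_STRING} ^u=(.*)$
RewriteRule ^/go$ %1
"""

if __name__ == "__main__":
    for lineno, rule in audit_rewrite_rules(SAMPLE_CONF):
        print(f"line {lineno}: review before/after upgrade: {rule}")
```

A hit only means the rule matches the advisory's preconditions on an affected version; the fix remains the update to 1.3.37, 2.0.59, or 2.2.3.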
|
Posted on Friday, July 28, 2006 @ 07:07:58 CDT in Security by Raven
nb1 writes: This is a couple of days old but worth reading
An identity-stealing keylogger that disguises itself as a Firefox extension and installs silently in the background was discovered Tuesday by security vendor McAfee. According to the Santa Clara, Calif.-based company, the "FormSpy" Trojan horse monitors mouse movements and key presses to steal online banking or credit card usernames and passwords, other login information, and URLs typed into Firefox, the popular open-source browser. Another component of the Trojan sniffs out passwords from ICQ and FTP sessions, and IMAP and POP3 traffic, said McAfee. All collected information is sent to an IP address hard-coded into the Trojan.
The scam starts with spam posing as a message from the billing support department of mega-retailer Wal-Mart, said Craig Schmugar, the virus research manager at McAfee's Avert Labs. "There's an order number in the message, which matches the number of the attachment," said Schmugar. "When someone opens the attachment, the Trojan downloads and installs two components, a keylogger as well as a sniffer." As of Tuesday afternoon, FormSpy had gained little traction
TechWeb
|
Posted on Tuesday, July 25, 2006 @ 11:13:28 CDT in Security by Raven
TITLE: Apache "Expect" Header Cross-Site Scripting Vulnerability
SECUNIA ADVISORY ID: SA21172
VERIFY ADVISORY: http://secunia.com/advisories/21172/
CRITICAL: Less critical
IMPACT: Cross Site Scripting
WHERE: From remote
SOFTWARE:
Apache 1.3.x -- http://secunia.com/product/72/
Apache 2.0.x -- http://secunia.com/product/73/
Apache 2.2.x -- http://secunia.com/product/9633/
DESCRIPTION: Thiago Zaninotti has discovered a vulnerability in Apache HTTP Server, which can be exploited by malicious people to conduct cross-site scripting attacks. Input passed to the "Expect:" header is not properly sanitised before being returned to users. This can be exploited to execute arbitrary HTML and script code in a user's browser session in context of a vulnerable site.
The vulnerability affects versions prior to 1.3.35, 2.0.58, and 2.2.2.
Secunia has constructed a test, which is available at: http://secunia.com/expect_header_cross-site_scripting_vulnerability_test/
NOTE: This issue was originally not considered a vulnerability by the researcher and vendor due to the fact that no known vectors existed to exploit it. However, additional research by Amit Klein has proven that this can be exploited via a specially crafted Flash file.
SOLUTION: Update to version 1.3.35, 2.0.58, 2.2.2, or later.
PROVIDED AND/OR DISCOVERED BY: Thiago Zaninotti
Additional information about exploitation:
|
Posted on Thursday, July 20, 2006 @ 23:11:45 CDT in Security by Raven
nb1 writes: Managed IT security services provider SecureWorks announced Tuesday that they have seen a significant rise in the number of attempted SQL injection hacks aimed at some of its financial and utility company clients over the last three months. “From January through March, we blocked anywhere from 100 to 200 SQL Injection attacks per day,” said SecureWorks CTO Jon Ramsey. “As of April, we have seen that number jump from 1,000 to 4,000 to 8,000 per day,” said Ramsey.
“The majority of the attacks are coming from overseas,” said Ramsey. “And although we certainly see a higher volume with other types of attacks, what makes the SQL Injection exploits so worrisome is that they are often indicative of a targeted attack.” This is a type of attack where the hacker has targeted a particular organization, versus a worm which spreads indiscriminately.
“The CardSystems security breach, where hackers stole 263,000 customer credit card numbers and exposed 40 million more, is a prime example of a SQL Injection attack,” said Ramsey. A more recent example of a SQL Injection attack occurred last December when Russian hackers broke into a Rhode Island government Web site and stole credit card information from individuals who had done business online with state agencies. The Russian hackers claimed to have stolen 53,000 credit card numbers during this attack.
SecureWorks
|
Posted on Wednesday, July 19, 2006 @ 09:45:51 CDT in Security by Raven
TITLE: Symantec pcAnywhere CIF Files Privilege Escalation
SECUNIA ADVISORY ID: SA21113
VERIFY ADVISORY: http://secunia.com/advisories/21113/
CRITICAL: Less critical
IMPACT: Privilege escalation
WHERE: Local system
SOFTWARE: Symantec pcAnywhere 12.x
http://secunia.com/product/11089/
DESCRIPTION: Zee has reported a security issue in Symantec pcAnywhere, which can be exploited by malicious, local users to gain escalated privileges. The problem is caused by CIF files containing a superuser flag and being stored insecurely by default in "Documents and Settings\All Users\Application Data\Symantec\pcAnywhere\Hosts" where any user can read the contents of files and create new files. This can be exploited to gain administrative user privileges via pcAnywhere by crafting a new CIF file, setting the superuser flag, and placing the file in the "Hosts" directory.
The security issue has been reported in version 12.5. Other versions may also be affected.
SOLUTION: Grant only trusted users access to affected systems.
PROVIDED AND/OR DISCOVERED BY: Zee
ORIGINAL ADVISORY: http://www.digitalbullets.org/?p=3
|