Monthly Archives: September 2014

Drupal

SA-CONTRIB-2014-092 – Services – Cross Site Scripting, Access bypass

Leave a comment

Description

The Services module enables you to expose an API to third party systems using REST, XML-RPC or other protocols.

New user’s password set to weak password in _user_resource_create()

When creating a new user account via Services, the new user’s password was set to a weak password.

This issue is mitigated by the fact that the user resource must be enabled (or least have been enabled in the past) and new user registration permitted via Services.

Action required: This release of Services comes with an interface and a drush command to perform actions in order to secure your site and get rid of this vulnerability. After installing this release and running the regular database updates, make sure to read all the information provided at admin/config/services/services-security, and pick the option most suited to your site. For example, you can reset the password of all user accounts that have been created since August 30th, 2013 (recommended).

Unfiltered JSONP callback parameter (XSS)

The JSONP response of a callback parameter is unfiltered and outputs raw HTTP data. This can lead to arbitrary JavaScript execution.

This issue is mitigated by the fact that JSONP is not enabled by default in the REST server response formatters and the HTTP client Accept header must be set to text/javascript or application/javascript if the “xml” formatter is enabled.

Services module now restricts callback parameters to alphanumeric characters only and a hard limit of 60 characters.

Flood control for user login bypass

Flood control was not properly enforced leaving it vulnerable to brute force attacks. Services now implements flood control just like core Drupal does.

CVE identifier(s) issued

  • A CVE identifier will be requested, and added upon issuance, in accordance
    with Drupal Security Team processes.

Versions affected

  • Services 7.x-3.x versions prior to 7.x-3.10.

Drupal core is not affected. If you do not use the contributed Services module,
there is nothing you need to do.

Solution

Install the latest version:

  1. If you use the Services module for Drupal 7.x, upgrade to Services 7.x-3.10
  2. follow the security update instructions at admin/config/services/services-security

Also see the Services project page.

Reported by

Fixed by

Coordinated by

Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at
https://www.drupal.org/contact.

Learn more about the Drupal Security team and their policies,
writing secure code for Drupal, and
securing your site.

Drupal version: 
Drupal 7.x
Mandriva

[ MDVSA-2014:185 ] libgadu

Leave a comment 
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

 _______________________________________________________________________

 Mandriva Linux Security Advisory                         MDVSA-2014:185
 http://www.mandriva.com/en/support/security/
 _______________________________________________________________________

 Package : libgadu
 Date    : September 24, 2014
 Affected: Business Server 1.0
 _______________________________________________________________________

 Problem Description:

 Updated libgadu packages fix security vulnerability:
 
 Libgadu before 1.12.0 was found to not be performing SSL certificate
 validation (CVE-2013-4488).
 _______________________________________________________________________

 References:

 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4488
 http://advisories.mageia.org/MGASA-2014-0375.html
 _______________________________________________________________________

 Updated Packages:

 Mandriva Business Server 1/X86_64:
 de3454fe7c663ecd08d4e1eeb2638776  mbs1/x86_64/
Mandriva

[ MDVSA-2014:184 ] net-snmp

Leave a comment 
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

 _______________________________________________________________________

 Mandriva Linux Security Advisory                         MDVSA-2014:184
 http://www.mandriva.com/en/support/security/
 _______________________________________________________________________

 Package : net-snmp
 Date    : September 24, 2014
 Affected: Business Server 1.0
 _______________________________________________________________________

 Problem Description:

 Updated net-snmp packages fix security vulnerabilities:
 
 A remote denial-of-service flaw was found in the way snmptrapd handled
 certain SNMP traps when started with the -OQ option. If an attacker
 sent an SNMP trap containing a variable with a NULL type where an
 integer variable type was expected, it would cause snmptrapd to crash
 (CVE-2014-3565).
 _______________________________________________________________________

 References:

 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3565
 http://advisories.mageia.
Mandriva

[ MDVSA-2014:183 ] phpmyadmin

Leave a comment 
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

 _______________________________________________________________________

 Mandriva Linux Security Advisory                         MDVSA-2014:183
 http://www.mandriva.com/en/support/security/
 _______________________________________________________________________

 Package : phpmyadmin
 Date    : September 24, 2014
 Affected: Business Server 1.0
 _______________________________________________________________________

 Problem Description:

 Updated phpmyadmin package fixes security vulnerability:
 
 In phpMyAdmin before 4.2.9, by deceiving a logged-in user to click on
 a crafted URL, it is possible to perform remote code execution and in
 some cases, create a root account due to a DOM based XSS vulnerability
 in the micro history feature (CVE-2014-6300).
 _______________________________________________________________________

 References:

 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6300
 http://advisories.mageia.org/MGASA-2014-0383.html
 _______
Mandriva

[ MDVSA-2014:182 ] zarafa

Leave a comment 
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

 _______________________________________________________________________

 Mandriva Linux Security Advisory                         MDVSA-2014:182
 http://www.mandriva.com/en/support/security/
 _______________________________________________________________________

 Package : zarafa
 Date    : September 24, 2014
 Affected: Business Server 1.0
 _______________________________________________________________________

 Problem Description:

 Updated zarafa packages fix security vulnerabilities:
 
 Robert Scheck reported that Zarafa's WebAccess stored session
 information, including login credentials, on-disk in PHP session
 files. This session file would contain a user's username and password
 to the Zarafa IMAP server (CVE-2014-0103).
 
 Robert Scheck discovered that the Zarafa Collaboration Platform has
 multiple incorrect default permissions (CVE-2014-5447, CVE-2014-5448,
 CVE-2014-5449, CVE-2014-5450).
 _______________________________________________
Mandriva

[ MDVSA-2014:181 ] dump

Leave a comment 
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

 _______________________________________________________________________

 Mandriva Linux Security Advisory                         MDVSA-2014:181
 http://www.mandriva.com/en/support/security/
 _______________________________________________________________________

 Package : dump
 Date    : September 24, 2014
 Affected: Business Server 1.0
 _______________________________________________________________________

 Problem Description:

 Updated dump packages fix security vulnerability:
 
 An integer overflow in liblzo before 2.07 allows attackers to cause
 a denial of service or possibly code execution in applications using
 performing LZO decompression on a compressed payload from the attacker
 (CVE-2014-4607).
 
 The dump package is built with a bundled copy of minilzo, which is
 a part of liblzo containing the vulnerable code.
 _______________________________________________________________________

 References:

 http://cve.mitre.org/cgi-bin/cvename.cgi?nam
Avast

Avast! Mobile Security gets award from AV Comparatives

Leave a comment

AV Comparatives Aug2014AV Comparatives awarded avast! Mobile Security for its malware protection and highly developed theft-protection.

Most people would not dream of neglecting the security of their PCs or laptop, but those same folks forget that the device in their pocket is just as powerful, if not more so. You’ve heard it before –your expensive smartphone, which stores personal data, private photos, Internet banking information and even company data, is an attractive target for cybercrooks and thieves.

AV Comparatives, an independent organization which tests antivirus products and mobile security solutions, released new testing results and gave avast! Mobile Security the highest “Approved Award” for Android security products.

avast! Mobile Security has a wide range of features with innovative functionality. We particularly liked the wide range of configuration options and remote commands, which provide the user with a comprehensive remote control function,” wrote the authors of the final report.

AV Comparatives gives avast! Mobile Security it's Approved Award for mobile security and anti-theft features.

AV Comparatives gives avast! Mobile Security it’s Approved Award for mobile security and anti-theft features.

Malware protection

Mobile phones attacks are getting more and more sophisticated, and it is growing exponentially. “We now have more than 1 million malicious samples in our database, up from 100,000 in 2011,” said Avast’s CCO, Ondřej Vlček. “Mobile threats are increasing – we expect them to reach the same magnitude as PC malware by 2018.”

avast! Mobile Security scans all installed applications for malware and has various real-time protection shields which protect against

  • Malicious apps and phishing sites
  • Sites containing malware
  • Typo-squatting if an incorrect URL is entered
  • Incoming messages with phishing/malware URLs
  • Malicious behavior during read or write processes

Anti-theft protection

Avast! Anti-theft is a stand-alone app that can be installed separately from avast! Mobile Security. The app is hidden from view, and can be accessed remotely for functions such as lock, locate and wipe, redirection of calls, texts and call logs, etc.

In addition to the malware and anti-theft protection, AV Comparatives liked the standalone avast! Mobile Backup which enables personal data to be backed up to Google Drive.

The Backup, App Locker and Privacy Scan features, which were promised last year, have now been implemented and complete the program’s functionality. (avast! Mobile Security) is a very comprehensive security product with a wide range of configuration options.

Protect your Android smartphone and tablet with avast! Mobile Security and Antivirus from the Google Play store.

Thank you for using avast! Antivirus and recommending us to your friends and family. For all the latest news, fun and contest information, please follow us on Facebook, Twitter and Google+. Business owners – check out our business products.