Weekend Vulnerability Roundup

Published: 2006-10-01. Last Updated: 2006-10-01 23:44:11 UTC
by Lenny Zeltser (Version: 2)
0 comment(s)
Our readers told us about several vulnerabilities that caught the public's eye this weekend. Here's a brief summary:

Firefox

CNet reported that an unpatched vulnerability in the Firefox JavaScript engine was demonstrated at ToorCon the other day. According to the article:

The JavaScript issue appears to be a real vulnerability, Window Snyder, Mozilla's security chief, said after watching a video of the presentation Saturday night. "What they are describing might be a variation on an old attack," she said. "We're going to do some investigating."

A Bugtraq listing for this issue states that the cause of the problem is Firefox' failure "to properly sanitize user-supplied input before using it to create new JavaScript objects." (Thanks for the pointers, Juha-Matti.)

We don't have any additional information regarding this vulnerability. In the mean time, we suspect using the NoScript extension to only enable JavaScript for trusted sites might be an effective mitigating measure.

OpenSSH

OpenSSH patched two vulnerabilities in the release of OpenSSH 4.4. (Thanks for letting us know, Hamid.)
See also http://isc.sans.org/diary.php?storyid=1743

One denial-of-service condition was discovered by Tavis Ormandy, and could cause the SSH daemon "to spin until the login grace time expired." This issue affects OpenSSH if it has support for SSH version 1 enabled. (Please migrate to SSH version 2, if you can do so and haven't already.) A proof-of-concept exploit for this vulnerability is floating around. The CVE reference for this vulnerability is CVE-2006-4924.

The other denial-of-service condition was discovered by Mark Dowd. It could, theoretically, lead to remote execution of arbitrary code. This is probably the strongest reason to upgrade to OpenSSH 4.4 sooner, rather than later, although the release also includes some enticing new functionality.

phpMyAdmin

An XSRF/CSRF vulnerability was reported in phpMyAdmin, a web-based front-end for managing MySQL servers. The bug could allow an attacker "to inject arbitrary SQL commands by forcing an authenticated user to follow a crafted link." The issue was fixed in the first release candidate for phpMyAdmin 2.9.1.

Lenny Zeltser
ISC Handler on Duty
www.zeltser.com
Keywords:
0 comment(s)

Comments


Diary Archives