Problems in Oracle Reports
by Noel Davis
07/29/2005
Welcome to Security Alerts, an overview of recent Unix and open source security
advisories. In this column, we look at problems in Oracle Reports, Skype for
Linux, MediaWiki, Kate, Kwrite, Shorewall, ekg, libgadu, PHPNews, phpSurveyor,
Affix, Heartbeat, and phpPgAdmin.
- Oracle Reports
- Skype for Linux
- MediaWiki
- Kate and Kwrite
- Shorewall
- libgadu Library and ekg
- PHPNews
- phpSurveyor
- Affix
- Heartbeat
- phpPgAdmin
Oracle Reports
Oracle's enterprise reporting tool Oracle Reports is reported to be vulnerable
to cross-site scripting attacks; attacks that allow an attacker to read and
write to arbitrary files; and attacks that allow an attacker to execute arbitrary
code with the permissions of the oracle user account.
The report states that the cross-site scripting vulnerability affects version
9.0.2 + patchset 2 of Oracle Reports. The versions of Oracle Reports affected
by the code-execution attack include 6.0, 6i, 9i, and 10g. All versions of
Oracle Reports may be vulnerable to the read-any-file problem. The writing-of-any-file problem is only reported to affect versions 6.0, 6i, 9i, and 10g.
Users should contact Oracle for a resolution or workaround for these vulnerabilities.
Skype for Linux
Skype is an application for making voice chat connections
across the internet to other users of Skype. It is very popular and has many
features, such as conference calls, calling normal phone numbers, and file transfers.
It is available for Windows, Mac OS, Linux, and Pocket PC.
Version 1.1.0.20 of Skype is reported to be vulnerable to a temporary-file,
symbolic-link race condition when the user adds an image to his or her personal
profile. This could allow a local attacker to overwrite arbitrary files on
the system with the permissions of the victim.
Every affected user on multiuser systems should avoid updating the image in his or her
profile until this problem has been fixed.
MediaWiki
MediaWiki is the software behind the very popular Wikipedia web site and hundreds
of public and private Wikis. A Wiki ("What I Know Is") is a collaborative online
database that displays its data as web pages that can be edited by anyone or
by a group of authorized users. Under some conditions, users of a MediaWiki
server are vulnerable to a cross-site scripting attack that could result in
arbitrary JavaScript code being executed by their web browsers with their permissions.
MediaWiki versions earlier than 1.4.7 are reported to be vulnerable.
All MediaWiki servers should be upgraded to version 1.4.7 or newer as soon
as possible.
Kate and Kwrite
Local users can, under some conditions, read backup files created by Kate and
Kwrite, even if the originating files have more restrictive permissions. The
problem with the backup files is caused by a bug in the kdelib library.
Affected users should watch their vendors for an updated kdelib package.
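The Kate/Kwrite problem above is a permissions mismatch between an original file and its backup. The following is an added example (not kdelib code, and it does not reproduce the kdelib bug) showing the pattern an editor's backup writer should follow on a Unix system: the naive form creates the backup with `0666 & ~umask`, while the careful form creates it with the original's own permission bits and refuses to write through a pre-existing file or symlink. The file names and contents are constructed for the check.

```python
import os
import stat
import tempfile


def current_umask() -> int:
    """Read the process umask without changing it (umask(2) has no read-only form)."""
    old = os.umask(0)
    os.umask(old)
    return old


def naive_backup(path: str, suffix: str = "~") -> str:
    """The leaky pattern: a plain open() creates the backup with mode
    0666 & ~umask, so a 0600 original can end up with a world-readable backup."""
    backup = path + suffix
    with open(path, "rb") as src, open(backup, "wb") as dst:
        dst.write(src.read())
    return backup


def careful_backup(path: str, suffix: str = "~") -> str:
    """Create the backup with exactly the original's permission bits.

    O_EXCL|O_NOFOLLOW refuses to reuse an existing file or symlink, and passing
    the original's mode to os.open means the backup is never wider than the
    original even before the final chmod (a umask can only clear bits)."""
    mode = stat.S_IMODE(os.stat(path).st_mode)
    backup = path + suffix
    flags = os.O_WRONLY | os.O_CREAT | os.O_EXCL | getattr(os, "O_NOFOLLOW", 0)
    fd = os.open(backup, flags, mode)
    with os.fdopen(fd, "wb") as dst, open(path, "rb") as src:
        dst.write(src.read())
    os.chmod(backup, mode)  # reinstate any bits the umask cleared at creation
    return backup


def compare(original_mode: int = 0o600):
    """Constructed check: two private files, one backed up each way.
    Returns (naive_mode, careful_mode) as permission bits."""
    workdir = tempfile.mkdtemp()
    originals = []
    for name in ("a.txt", "b.txt"):
        path = os.path.join(workdir, name)
        with open(path, "wb") as fh:
            fh.write(b"private notes")
        os.chmod(path, original_mode)
        originals.append(path)
    naive = naive_backup(originals[0])
    careful = careful_backup(originals[1])
    return (stat.S_IMODE(os.stat(naive).st_mode),
            stat.S_IMODE(os.stat(careful).st_mode))


if __name__ == "__main__":
    print("umask %04o, naive backup %04o, careful backup %04o"
          % ((current_umask(),) + compare(0o600)))
```

With a typical umask of 022 the naive backup of a 0600 file comes out 0644, readable by every local user; the careful one stays 0600.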
Shorewall
Shorewall, a front-end tool for configuring Netfilter, contains a bug in its
MAC address filtering code that may result in a remote authenticated client
bypassing all security restrictions. Netfilter is a firewall included in the
Linux kernel.
Users of Shorewall version 2.0.17 or later should apply the firewall script
(which is available in the errata files) for their version. Users of earlier versions
should upgrade to a supported version and apply the updated firewall script.
Another option is to upgrade to Shorewall version 2.4.2 or newer.
libgadu Library and ekg
The libgadu library is used in ekg and other instant messenger clients to
provide Gadu-Gadu protocol support. A buffer overflow in the libgadu library
is reported to be exploitable to execute arbitrary code with the permissions
of the user running the messaging client. There are also other problems
reported in the library and in ekg.
It is strongly recommended that all users of ekg upgrade to version 1.6rc3
or newer. This version of ekg includes a repaired version of the libgadu library.
Users of other instant messaging clients that use libgadu should watch their
vendors or the maintainers of the client for updated versions.
PHPNews
PHPNews, a popular web-based news application written in PHP, is reported
to be vulnerable (under some conditions) to several attacks that can result in
arbitrary code being executed with the permissions of the user account used
to run the web server. The vulnerabilities reportedly allow an attacker to log in
to the admin panel via SQL injection, to upload code instead of an image through
the image upload functionality, and to edit the template to add code. PHPNews
versions 1.2.6 and earlier are reported to be vulnerable.
All vulnerable users of PHPNews should upgrade to version 1.3.0 as soon as
possible.
phpSurveyor
phpSurveyor is a web-based survey creation tool written using PHP and MySQL.
Version 0.98 Stable is reported to be vulnerable to multiple SQL injection
bugs and many cross-site scripting vulnerabilities.
Users of phpSurveyor should watch for a repaired version and should consider
disabling the software until it has been patched or upgraded.
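Both the PHPNews admin-panel login bypass and the phpSurveyor bugs above are SQL injection. The following added example (my own code, not from either project; the table and credentials are constructed) puts the vulnerable string-built login query beside the parameterised form and runs both against SQLite, so the difference can be seen on the same input.

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed sample user table; not the PHPNews or phpSurveyor schema."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users (name TEXT, pw TEXT, is_admin INTEGER)")
    con.execute("INSERT INTO users VALUES ('admin', 'correct horse', 1)")
    con.commit()
    return con


def login_vulnerable(con: sqlite3.Connection, name: str, pw: str) -> bool:
    """String-built query: whatever quoting the user supplies becomes SQL."""
    sql = f"SELECT 1 FROM users WHERE name = '{name}' AND pw = '{pw}'"
    return con.execute(sql).fetchone() is not None


def login_hardened(con: sqlite3.Connection, name: str, pw: str) -> bool:
    """Parameterised query: the driver binds the values, so the input is
    compared as data and is never parsed as part of the statement."""
    sql = "SELECT 1 FROM users WHERE name = ? AND pw = ?"
    return con.execute(sql, (name, pw)).fetchone() is not None


def demo() -> dict:
    """Run both login functions over good, wrong and tautology inputs."""
    con = make_db()
    # The textbook tautology in the password field, constructed for comparison:
    # in the vulnerable query it turns the WHERE clause into "... OR '1'='1'".
    tautology = "' OR '1'='1"
    return {
        "vuln_good_creds": login_vulnerable(con, "admin", "correct horse"),
        "vuln_wrong_pw": login_vulnerable(con, "admin", "wrong"),
        "vuln_tautology": login_vulnerable(con, "admin", tautology),
        "hard_good_creds": login_hardened(con, "admin", "correct horse"),
        "hard_wrong_pw": login_hardened(con, "admin", "wrong"),
        "hard_tautology": login_hardened(con, "admin", tautology),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The passwords are compared in clear only to keep the injection point visible; a real login table stores a salted hash and compares against that, with the query still parameterised.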
Affix
Affix is a Bluetooth protocol stack for Linux. A buffer overflow in code dealing
with the FTP protocol can, under some circumstances, be exploitable to execute
arbitrary code with root permissions.
Users of Affix should apply the available patch or watch their vendors for
a repaired version.
Heartbeat
Heartbeat, a system monitoring tool that is part of High-Availability Linux,
is reported to be vulnerable to a temporary-file, symbolic-link race condition.
Affected users should watch their vendors for a repaired package.
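The Skype and Heartbeat items above are the same class of bug: a temporary file at a predictable path that a local user can pre-create as a symbolic link. The following added example (my own code, not from Skype or Heartbeat) shows the pattern that loses the race beside two that do not: creating the file with `O_CREAT|O_EXCL` (which fails if the path already exists, a symlink included) and letting `mkstemp` pick an unpredictable name. The directory, file names and contents are constructed for the demonstration.

```python
import errno
import os
import tempfile


def unsafe_write(path: str, data: bytes) -> None:
    """The vulnerable pattern: open() follows a symlink at `path` and truncates
    whatever it points to, with the caller's permissions."""
    with open(path, "wb") as fh:
        fh.write(data)


def safe_write(path: str, data: bytes) -> None:
    """O_CREAT|O_EXCL fails with EEXIST if `path` exists in any form (a symlink,
    even a dangling one, counts); O_NOFOLLOW is a second line of defence.
    Mode 0600 keeps other users out of the new file."""
    flags = os.O_WRONLY | os.O_CREAT | os.O_EXCL | getattr(os, "O_NOFOLLOW", 0)
    fd = os.open(path, flags, 0o600)
    with os.fdopen(fd, "wb") as fh:
        fh.write(data)


def write_private_temp(data: bytes, directory: str) -> str:
    """Preferred form: mkstemp chooses an unpredictable name and creates it
    atomically with O_EXCL and mode 0600; the caller unlinks it when done."""
    fd, path = tempfile.mkstemp(dir=directory)
    with os.fdopen(fd, "wb") as fh:
        fh.write(data)
    return path


def demo(workdir: str = None) -> dict:
    """Constructed scenario: a symlink has been planted at the predictable name
    before the program writes there. Reports what each strategy did."""
    if workdir is None:
        workdir = tempfile.mkdtemp()
    target = os.path.join(workdir, "some_file_the_user_owns")
    planted = os.path.join(workdir, "predictable.tmp")
    with open(target, "wb") as fh:
        fh.write(b"original")
    os.symlink(target, planted)

    unsafe_write(planted, b"clobbered")
    with open(target, "rb") as fh:
        after_unsafe = fh.read()

    with open(target, "wb") as fh:  # restore before the second attempt
        fh.write(b"original")
    try:
        safe_write(planted, b"clobbered")
        safe_result = "wrote"
    except OSError as exc:
        # EEXIST from O_EXCL (or ELOOP from O_NOFOLLOW): the write is refused
        safe_result = "refused" if exc.errno in (errno.EEXIST, errno.ELOOP) else "error"
    with open(target, "rb") as fh:
        after_safe = fh.read()

    tmp = write_private_temp(b"private", workdir)
    tmp_mode = os.stat(tmp).st_mode & 0o777
    return {"unsafe": after_unsafe, "safe": safe_result,
            "after_safe": after_safe, "tmp_mode": tmp_mode}


if __name__ == "__main__":
    print(demo())
```

The fix a vendor ships for this class of bug is normally the `mkstemp` form (or an equivalent such as a per-user private directory); checking for the link before opening is not enough, because the check and the open are two separate operations and the race sits between them.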
phpPgAdmin
phpPgAdmin is a web-based administration tool written using PHP for the PostgreSQL
database. The parameter formlanguage in the index.php script is
not validated before it is used to include files. As a result, an attacker who
can create or write to a file on the server can cause arbitrary code to be
executed. Systems with magic quotes enabled are not vulnerable to this problem.
It is recommended that all users upgrade to phpPgAdmin version 3.5.4 or newer
as soon as possible.
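The phpPgAdmin issue above is a file-inclusion bug: a request parameter is used to build the path of a file that is then executed. The following added example (my own code, not phpPgAdmin's) shows the check such a parameter needs before it touches the filesystem: an allowlist pattern for the name, a resolved-path check that the result is still inside the language directory, and an existence check. The `lang/` layout, the `.php` suffix and the sample files are assumptions made for the demonstration; the rejection of separators and NUL bytes holds whatever the magic quotes setting.

```python
import os
import re
import tempfile

# A language name is a short run of lowercase letters and nothing else:
# no "/", no "..", no NUL byte, no absolute path.
_LANG_NAME = re.compile(r"^[a-z]{2,8}$")


class BadLanguage(ValueError):
    """Raised for any language parameter that is not on the allowlist."""


def resolve_language_file(lang_dir: str, requested: str) -> str:
    """Map a user-supplied language name to a file inside lang_dir, or raise."""
    if not _LANG_NAME.match(requested):
        raise BadLanguage("rejected language name: %r" % requested)
    root = os.path.realpath(lang_dir)
    candidate = os.path.realpath(os.path.join(root, requested + ".php"))
    # realpath() resolves symlinks and "..", so the prefix check below holds for
    # the path that would actually be opened, not the one that was typed.
    if os.path.commonpath([root, candidate]) != root:
        raise BadLanguage("path escapes language directory")
    if not os.path.isfile(candidate):
        raise BadLanguage("no such language file")
    return candidate


def demo() -> dict:
    """Constructed layout: two real language files plus a writable file outside
    the language directory (standing in for an attacker-controlled upload)."""
    workdir = tempfile.mkdtemp()
    lang_dir = os.path.join(workdir, "lang")
    os.mkdir(lang_dir)
    for name in ("english", "french"):
        with open(os.path.join(lang_dir, name + ".php"), "w") as fh:
            fh.write("<?php /* constructed stub */ ?>\n")
    with open(os.path.join(workdir, "upload.txt"), "w") as fh:
        fh.write("not a language file\n")

    results = {}
    for req in ("english", "french", "klingon", "../upload.txt",
                "../upload", "english\x00", "/etc/passwd"):
        try:
            resolve_language_file(lang_dir, req)
            results[req] = "accepted"
        except BadLanguage:
            results[req] = "rejected"
    return results


if __name__ == "__main__":
    for req, verdict in demo().items():
        print("%-16r %s" % (req, verdict))
```

The allowlist regex alone would reject every hostile value here; the realpath prefix check is kept so that a later relaxation of the pattern (say, to allow `en_GB`) cannot silently reopen the hole.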
Noel Davis works as a Unix system administrator. He first started using Unix in 1994 when he purchased a copy of Yggdrasil Plug-and-play Linux Summer 1994 Release.