[CERT-daily] Daily summary - Monday 17-06-2013

Daily end-of-shift report team at cert.at
Mon Jun 17 18:03:06 CEST 2013


=======================
= End-of-Shift report =
=======================

Timeframe:   Friday 14-06-2013 18:00 − Monday 17-06-2013 18:00
Handler:     Robert Waldner
Co-Handler:  n/a

*** [webapps] - LibrettoCMS 2.2.2 - Arbitrary File Upload ***
---------------------------------------------
LibrettoCMS exposes a file upload function to unauthenticated users. Uploaded files can then be written, read, edited, deleted and downloaded without restriction, so an attacker may arbitrarily write, read, edit and delete files and folders.
---------------------------------------------
http://www.exploit-db.com/exploits/26213




*** Adobe Flash exploit grabs video and audio, long after “fix” ***
---------------------------------------------
Demonstration code shows a new trick defeats Flash privacy fix.
---------------------------------------------
http://feeds.arstechnica.com/~r/arstechnica/security/~3/72PWd3AAReE/




*** Microsoft Sharepoint (Cloud) Persistent Script Insertion ***
---------------------------------------------
Topic: Microsoft Sharepoint (Cloud) Persistent Script Insertion Risk: Low Text: Title: Microsoft SharePoint (Cloud) - Persistent Exception-Handling Web Vulnerability Date: == 2013-06-14 Re...
---------------------------------------------
http://cxsecurity.com/issue/WLB-2013060124




*** Avira AntiVir Engine Denial Of Service / Filter Evasion ***
---------------------------------------------
Topic: Avira AntiVir Engine Denial Of Service / Filter Evasion Risk: Medium Text: LSE Leading Security Experts GmbH - Security Advisory 2013-06-13 Avira AntiVir Engine -- Denial of Service / Filtering E...
---------------------------------------------
http://cxsecurity.com/issue/WLB-2013060123




*** Siemens OpenScape Branch / Session Border Controller XSS / Disclosure / Injection ***
---------------------------------------------
Topic: Siemens OpenScape Branch / Session Border Controller XSS / Disclosure / Injection Risk: Medium Text: SEC Consult Vulnerability Lab Security Advisory == title: Multiple vulner...
---------------------------------------------
http://cxsecurity.com/issue/WLB-2013060121




*** Firefox and Twitter protect against injected scripts ***
---------------------------------------------
"You're not getting in here" is what malicious code is told when a website operator uses the HTTP header "Content Security Policy". Google, Mozilla and Twitter are leading by example.
---------------------------------------------
http://www.heise.de/newsticker/meldung/Firefox-und-Twitter-schuetzen-vor-eingeschleusten-Skripten-1887585.html




*** Security Bulletin: WebSphere Commerce vulnerability could allow disclosure of user personal data (CVE-2013-0523) ***
---------------------------------------------
Some WebSphere Commerce data may be encrypted using an encryption algorithm that is susceptible to a padding oracle attack which may allow for the disclosure of user personal data.  CVE(s): ...
---------------------------------------------
https://www-304.ibm.com/connections/blogs/PSIRT/entry/security_bulletin_websphere_commerce_vulnerability_could_allow_disclosure_of_user_personal_data_cve_2013_0523?lang=en_us




*** Joomla com_extplorer Components shell upload Vulnerability ***
---------------------------------------------
Topic: Joomla com_extplorer Components shell upload Vulnerability Risk: Medium Text: # ISlamic Republic Of Iran Security Team # Www.IrIsT.Ir ...
---------------------------------------------
http://cxsecurity.com/issue/WLB-2013060127




*** Microsoft Outlook Vulnerability S/MIME Loss of Integrity ***
---------------------------------------------
Topic: Microsoft Outlook Vulnerability S/MIME Loss of Integrity Risk: Medium Text: ** Attention script bunnies: This is not an RCE, XSS, etc. Please move along :) ** Microsoft Outlook (all versions) suffers ...
---------------------------------------------
http://cxsecurity.com/issue/WLB-2013060129




*** Mozilla Firefox and Microsoft Internet Explorer DoS vulnerability ***
---------------------------------------------
Topic: Mozilla Firefox and Microsoft Internet Explorer DoS vulnerability Risk: Medium Text: I want to warn you about Denial of Service vulnerability in Mozilla Firefox and Microsoft Internet Explorer. Earlier Jean ...
---------------------------------------------
http://cxsecurity.com/issue/WLB-2013060128




*** Vulnerability Disclosure – Open or Private? ***
---------------------------------------------
At the end of May, two Google security engineers announced Mountain View's new policy regarding zero-day bugs and disclosure. They strongly suggested that information about zero-day exploits currently in the wild should be released no more than seven days after the vendor has been notified. Ideally, the notification or patch should come from the vendor, [...] (Post from: Trendlabs Security Intelligence Blog, by Trend Micro)
---------------------------------------------
http://feeds.trendmicro.com/~r/Anti-MalwareBlog/~3/1qT_zYH1FxU/




*** Oracle Java pre-announcement: Upcoming JRE patch will plug 37 remotely exploitable holes ***
---------------------------------------------
See http://www.oracle.com/technetwork/topics/security/javacpujun2013-1899847.html, (Mon, Jun 17th)
---------------------------------------------
http://isc.sans.edu/diary.html?storyid=16013&rss




*** Fortinet FortiOS (FortiGate) Guest User Permission Security Bypass Security Issue ***
---------------------------------------------
Fortinet FortiOS (FortiGate) Guest User Permission Security Bypass Security Issue
---------------------------------------------
https://secunia.com/advisories/53875




*** Debian Security Advisory for fail2ban ***
---------------------------------------------
When using Fail2ban to monitor Apache logs, improper input validation in log parsing could enable a remote attacker to trigger an IP ban on arbitrary addresses, thus causing a denial of service.
---------------------------------------------
http://www.debian.org/security/2013/dsa-2708

