Advisory ID: HTB23219Product: ArticleFRVendor: Free ReprintablesVulnerable Version(s): 11.06.2014 and probably priorTested Version: 11.06.2014Advisory Publication: June 11, 2014 [without technical details]Vendor Notification: June 11, 2014Public Disclosure: July 30, 2014Vulnerability Type: Improper Access Control [CWE-284]CVE Reference: CVE-2014-4170Risk Level: HighCVSSv2 Base Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)Solution Status: Solution AvailableDiscovered and Provided: High-Tech Bridge Security Research Lab (https://www.htbridge.com/advisory/ )------------------------------------------------------------
-----------------------------------Advisory Details:High-Tech Bridge Security Research Lab discovered vulnerability in ArticleFR, which can be exploited to execute arbitrary UPDATE SQL statements, alter information stored in database and gain complete control over the web site.1) Improper Access Control in ArticleFR: CVE-2014-4170The vulnerability exists due to insufficient access restrictions when accessing the "/data.php" script. A remote attacker can send a specially crafted HTTP GET request to vulnerable script and execute arbitrary UPDATE SQL commands in application’s database. Successful exploitation of the vulnerability allows modification of arbitrary database record. A remote attacker can modify or delete information stored in database and gain complete control over the application.The following exploitation example assigns administrative privileges to the user with "id=2":http://[host]/data.php?pk=2&pkf=id&f=membership&value=admin&t=users
Mandriva Linux Security Advisory MDVSA-2014:142 http://www.mandriva.com/en/support/security/ ____________________________________________________________
___________ Package : apache Date : July 30, 2014 Affected: Business Server 1.0 _______________________________________________________________________ Problem Description: Updated apache package fixes security vulnerabilities: A race condition flaw, leading to heap-based buffer overflows, was found in the mod_status httpd module. A remote attacker able to access a status page served by mod_status on a server using a threaded Multi-Processing Module (MPM) could send a specially crafted request that would cause the httpd child process to crash or, possibly, allow the attacker to execute arbitrary code with the privileges of the apache user (CVE-2014-0226). A denial of service flaw was found in the way httpd's mod_deflate module handled request body decompression (configured via the DEFLATE input filter). A remote attacker able to send a request whose body would be decompressed could use this flaw to consume an excessive amount of system memory and CPU on the target system (CVE-2014-0118). A denial of service flaw was found in the way httpd's mod_cgid module executed CGI scripts that did not read data from the standard input. A remote attacker could submit a specially crafted request that would cause the httpd child process to hang indefinitely (CVE-2014-0231). _______________________________________________________________________ References: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0118 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0226 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0231 http://advisories.mageia.org/MGASA-2014-0304.html
Mandriva Linux Security Advisory MDVSA-2014:143 http://www.mandriva.com/en/support/security/ ____________________________________________________________
___________ Package : phpmyadmin Date : July 30, 2014 Affected: Business Server 1.0 _______________________________________________________________________ Problem Description: Multiple vulnerabilities has been discovered and corrected in phpmyadmin: Cross-site scripting (XSS) vulnerability in the PMA_getHtmlForActionLinks function in libraries/structure.lib.php in phpMyAdmin 4.2.x before 4.2.6 allows remote authenticated users to inject arbitrary web script or HTML via a crafted table comment that is improperly handled during construction of a database structure page (CVE-2014-4954). Cross-site scripting (XSS) vulnerability in the PMA_TRI_getRowForList function in libraries/rte/rte_list.lib.php in phpMyAdmin 4.0.x before 4.0.10.1, 4.1.x before 4.1.14.2, and 4.2.x before 4.2.6 allows remote authenticated users to inject arbitrary web script or HTML via a crafted trigger name that is improperly handled on the database triggers page (CVE-2014-4955). Multiple cross-site scripting (XSS) vulnerabilities in js/functions.js in phpMyAdmin 4.0.x before 4.0.10.1, 4.1.x before 4.1.14.2, and 4.2.x before 4.2.6 allow remote authenticated users to inject arbitrary web script or HTML via a crafted (1) table name or (2) column name that is improperly handled during construction of an AJAX confirmation message (CVE-2014-4986). server_user_groups.php in phpMyAdmin 4.1.x before 4.1.14.2 and 4.2.x before 4.2.6 allows remote authenticated users to bypass intended access restrictions and read the MySQL user list via a viewUsers request (CVE-2014-4987). This upgrade provides the latest phpmyadmin version (4.2.6) to address these vulnerabilities.
