Note: the current version of the following document is available here: https://h20564.www2.hp.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c04491186
SUPPORT COMMUNICATION - SECURITY BULLETIN
Document ID: c04491186
Version: 1
HPSBUX03159 SSRT101785 rev.1 - HP-UX kernel, Local Denial of Service (DoS)
NOTICE: The information in this Security Bulletin should be acted upon as
soon as possible.
Release Date: 2014-10-28
Last Updated: 2014-10-28
Potential Security Impact: Local Denial of Service (DoS)
Source: Hewlett-Packard Company, HP Software Security Response Team
VULNERABILITY SUMMARY
A potential security vulnerability has been identified in the HP-UX kernel.
This vulnerability could allow local users to create a Denial of Service
(DoS).
_______________________________________________________________________
Mandriva Linux Security Advisory MDVSA-2014:211
http://www.mandriva.com/en/support/security/
_______________________________________________________________________
Package : wpa_supplicant
Date : October 29, 2014
Affected: Business Server 1.0
_______________________________________________________________________
Problem Description:
Updated wpa_supplicant packages fix security vulnerability:
A vulnerability was found in the mechanism wpa_cli and hostapd_cli use
for executing action scripts. An unsanitized string received from a
remote device can be passed to a system() call resulting in arbitrary
command execution under the privileges of the wpa_cli/hostapd_cli
process (which may be root in common use cases) (CVE-2014-3686).
Using the wpa_supplicant package, systems are exposed to the
vulnerability if operating as a WPS registrar.
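The unsafe and the hardened way of launching an action script, as an added illustration written for this advisory and not code from wpa_supplicant or hostapd: the first helper builds the kind of command line that becomes dangerous once handed to system(), and the second launches the script with fork()/execv() and a fixed argv, so a string received from a remote device reaches the script as a plain argument and is never parsed by a shell. The script path, interface name, event name and the demo argument are constructed placeholders.

```c
/* Added illustration (not wpa_supplicant's or hostapd's own code): running an
 * action script without a shell so that a remote-supplied string can never be
 * interpreted as shell syntax. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/wait.h>

/* Vulnerable pattern: the remote-controlled 'arg' is spliced into one command
 * string. A caller that passes the result to system() lets a shell interpret
 * any metacharacters inside 'arg'. The builder is shown only for contrast. */
char *build_shell_command_unsafe(const char *script, const char *iface,
                                 const char *event, const char *arg)
{
    size_t n = strlen(script) + strlen(iface) + strlen(event) + strlen(arg) + 4;
    char *cmd = malloc(n);
    if (!cmd)
        return NULL;
    snprintf(cmd, n, "%s %s %s %s", script, iface, event, arg);
    return cmd;
}

/* Hardened pattern: fork and execv() the script with a fixed argv. The kernel
 * delivers each string as one argument; no shell ever parses them.
 * Returns the script's exit status, 127 if it could not be executed, -1 on a
 * fork/wait failure. */
int run_action_script(const char *script, const char *iface,
                      const char *event, const char *arg)
{
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        char *const argv[] = { (char *)script, (char *)iface,
                               (char *)event, (char *)arg, NULL };
        execv(script, argv);
        _exit(127);          /* exec failed: script missing or not executable */
    }
    int status = 0;
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    if (WIFEXITED(status))
        return WEXITSTATUS(status);
    return -1;
}

int main(void)
{
    /* Constructed demo values; the argument deliberately contains a shell
     * metacharacter to show that execv() passes it through literally. */
    const char *arg = "x;y";
    char *cmd = build_shell_command_unsafe("/usr/local/bin/action.sh",
                                           "wlan0", "CONNECTED", arg);
    printf("unsafe command line: %s\n", cmd ? cmd : "(alloc failed)");
    free(cmd);
    /* /bin/echo stands in for the action script: it prints its argv and
     * exits 0, and "x;y" arrives as a single argument. */
    int rc = run_action_script("/bin/echo", "wlan0", "CONNECTED", arg);
    printf("execv-based launch returned %d\n", rc);
    return rc == 0 ? 0 : 1;
}
```

The demo uses /bin/echo as the action script so it runs anywhere; with a real script the same argv layout applies, and the script should treat its fourth argument as data (quote it if it passes it on to another command).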
_______________________________________________________________________
References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3686
http://advisories.mageia.org/MGASA-2014-0429.html
_______________________________________________________________________
Mandriva Linux Security Advisory MDVSA-2014:212
http://www.mandriva.com/en/support/security/
_______________________________________________________________________
Package : wget
Date : October 29, 2014
Affected: Business Server 1.0
_______________________________________________________________________
Problem Description:
Updated wget package fixes security vulnerability:
Wget was susceptible to a symlink attack which could create arbitrary
files, directories or symbolic links and set their permissions when
retrieving a directory recursively through FTP (CVE-2014-4877).
The default settings in wget have been changed such that wget no longer
creates local symbolic links, but rather traverses them and retrieves
the pointed-to file in such a retrieval. The old behaviour can be
attained by passing the --retr-symlinks=no option to the wget command.
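As an added example written for this advisory (not wget's own code), a planner for one entry of a recursively retrieved FTP listing that applies the safer default described above: a symlink entry is never created locally but is scheduled to be fetched as a regular file, an entry whose name would escape the download root is rejected, and remote-reported permission bits are stripped of setuid/setgid/sticky and world-write before being applied. The enum names, the 0755 mask and the sample listing entries are assumptions of this example.

```c
/* Added illustration (not wget's code): deciding what to do with one entry of
 * a remote FTP listing so that the remote side can never make the client
 * create a symbolic link, write outside the download root, or set dangerous
 * permission bits. */
#include <stdio.h>
#include <string.h>

enum entry_type { ENTRY_FILE, ENTRY_DIR, ENTRY_SYMLINK };
enum plan { PLAN_REJECT, PLAN_FETCH_FILE, PLAN_MAKE_DIR, PLAN_FETCH_TARGET };

/* Returns 1 if 'name' is a relative path that stays inside the download root
 * after resolving "." and ".." components, 0 otherwise. */
int path_stays_inside_root(const char *name)
{
    int depth = 0;
    if (name[0] == '/' || name[0] == '\0')
        return 0;
    const char *p = name;
    while (*p) {
        const char *q = strchr(p, '/');
        size_t len = q ? (size_t)(q - p) : strlen(p);
        if (len == 2 && strncmp(p, "..", 2) == 0) {
            if (--depth < 0)
                return 0;              /* climbed above the root */
        } else if (len > 0 && !(len == 1 && p[0] == '.')) {
            depth++;
        }
        if (!q)
            break;
        p = q + 1;
    }
    return 1;
}

/* Policy for one listing entry. 'link_target' is what the remote listing
 * reports for a symlink; it is only ever used for the remote retrieval, never
 * for creating a local link. */
enum plan plan_entry(enum entry_type type, const char *name, const char *link_target)
{
    if (!path_stays_inside_root(name))
        return PLAN_REJECT;            /* e.g. "../../.bashrc" or "/etc/passwd" */
    switch (type) {
    case ENTRY_FILE:
        return PLAN_FETCH_FILE;
    case ENTRY_DIR:
        return PLAN_MAKE_DIR;
    case ENTRY_SYMLINK:
        if (!link_target || !*link_target)
            return PLAN_REJECT;
        /* Equivalent of --retr-symlinks: fetch the pointed-to remote object
         * and store it as a regular file under 'name'. */
        return PLAN_FETCH_TARGET;
    }
    return PLAN_REJECT;
}

/* Remote-reported mode bits are untrusted: drop setuid/setgid/sticky and
 * never grant group/world write. The 0755 ceiling is this example's choice. */
unsigned sanitize_mode(unsigned remote_mode)
{
    return remote_mode & 0755;
}

int main(void)
{
    /* Constructed listing entries, as a hostile FTP server might send them. */
    printf("symlink README -> /etc/passwd: plan %d\n",
           plan_entry(ENTRY_SYMLINK, "README", "/etc/passwd"));
    printf("file ../../.bashrc: plan %d\n",
           plan_entry(ENTRY_FILE, "../../.bashrc", NULL));
    printf("mode 04777 becomes %04o\n", sanitize_mode(04777));
    return 0;
}
```

The planner is deliberately separate from any network or filesystem code: it can be unit-tested with constructed listings, and the code that actually writes files only ever sees PLAN_FETCH_FILE, PLAN_MAKE_DIR or PLAN_FETCH_TARGET for names already confined to the root.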
_______________________________________________________________________
Advisory ID: HTB23238
Product: EspoCRM
Vendor: http://www.espocrm.com
Vulnerable Version(s): 2.5.2 and probably prior
Tested Version: 2.5.2
Advisory Publication: October 8, 2014 [without technical details]
Vendor Notification: October 8, 2014
Vendor Patch: October 10, 2014
Public Disclosure: October 29, 2014
Vulnerability Type: PHP File Inclusion [CWE-98], Improper Access Control [CWE-284], Cross-Site Scripting [CWE-79]
CVE References: CVE-2014-7985, CVE-2014-7986, CVE-2014-7987
Risk Level: High
CVSSv2 Base Scores: 7.6 (AV:N/AC:H/Au:N/C:C/I:C/A:C), 5 (AV:N/AC:L/Au:N/C:N/I:N/A:P), 4.3 (AV:N/AC:M/Au:N/C:N/I:P/A:N)
Solution Status: Fixed by Vendor
Discovered and Provided: High-Tech Bridge Security Research Lab (https://www.htbridge.com/advisory/)
-----------------------------------------------------------------------------------------------
Advisory Details:
High-Tech Bridge Security Research Lab discovered multiple high-risk vulnerabilities in EspoCRM, which can be exploited by a remote attacker to execute arbitrary PHP code on a vulnerable system, reinstall the application from scratch, and compromise the entire system as a result. EspoCRM is also vulnerable to less critical Cross-Site Scripting attacks.
1. PHP File Inclusion in EspoCRM: CVE-2014-7985
The vulnerability exists because input data passed via the "action" HTTP GET parameter to the "/install/index.php" script is not sanitized before being used in a PHP "include()" call. A remote unauthenticated attacker can include and execute arbitrary local PHP files on the system with the privileges of the web server.
Successful exploitation of the vulnerability may allow complete application and system compromise.
Below is a simple PoC (Proof-of-Concept) that uses a path traversal technique to include the "/tmp/file.php" file (any other file whose content the attacker controls could be included instead):
http://[host]/install/index.php?installProcess=1&action=../../../../../../../../ tmp/file
The installation script is not deleted after installation, and by default it is accessible without any authentication.