Re: WordPress Search Function SQL-Injection

2007-02-27 Thread ascii
Justin Frydman - Thinkweb Media wrote:
> Can't replicate this in 2.0.7. Is this only for the 2.1.x branch then?

I have the same feeling

tested on multiple wp instances and can't reproduce on >= 2.0.1 <= 2.0.7

regards, Francesco 'ascii' Ongaro
http://www.ush.it/


[NETRAGARD-20070220 SECURITY ADVISORY] [McAfee VirusScan for Mac (Virex) Local root exploit and Scan Bypass]

2007-02-27 Thread Netragard Security Advisories
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

Netragard, L.L.C Advisory
Strategic Reconnaissance Team
http://www.netragard.com -- "We make I.T. Safe."

[POSTING NOTICE]
- ---
If you intend to post this advisory on your web page please create a
clickable link back to the original Netragard advisory as the contents
of the advisory may be updated.

http://www.netragard.com/html/recent_research.html
Netragard Research






[About Netragard]
- ---
Netragard is a unique I.T. Security company whose services are
fortified by continual vulnerability research and development. This
ongoing research, which is performed by our Strategic Reconnaissance
Team, specifically focuses on Operating Systems, Software Products and
Web Applications commonly used by businesses internationally. We apply
the knowledge gained by performing this research to our professional
security services. This in turn enables us to produce high quality
deliverables that are the product of talented security professionals
and not those of automated scanners and tools.  This advisory is the
product of research done by the Strategic Reconnaissance Team.





[Advisory Information]
- ---
Contact : Adriel T. Desautels
Researcher  : Kevin Finisterre
Advisory ID : NETRAGARD-20070220
Product Name: McAfee VirusScan for Mac (Virex)
Product Version : <= Virex 7.7
Vendor Name : McAfee
Type of Vulnerability   : Local root exploit and Scan Bypass
Effort  : Easy



[Product Description]
- ---
"Guard your Macintosh systems and users against all types of viruses and
malicious code, even new unknown threats with McAfee VirusScan for Mac."

- -- http://www.mcafee.com  --





[Technical Summary]
- ---
McAfee Virex contains an exploitable feature that enables users to
define what files should be excluded for scanning. This feature relies
on a configuration file with insecure privileges and is located in
/Library/Application Support. Any user on the system can modify or
delete the configuration file thus affecting what Virex will scan.

A simple example of such a modification would be to echo into the file
which in turn would cause Virex to ignore all files on the entire system.


[Technical Details]
- ---
An exploitable vulnerability exists in McAfee Virex that can be used to
gain root privileges on an affected system.  This vulnerability exists
within the feature that enables users to define files for scan exclusion.
The configuration file used to store scan exclusion files has insecure
permissions of "rw-rw-rw" and as such can be modified or removed by any
user.

Upon system boot the VShieldCheck process that runs with root privileges
verifies the existence of the VShieldExecute.txt file located at:

/Library/Application Support/Virex/VShieldExecute.txt

If VShieldCheck does not find the file at boot then it recreates the
file with the rw-rw-rw permissions. The exact command that it uses to
set those permissions is shown below:

SNOsoft-virexuser$ strings /usr/local/vscanx/VShieldCheck | grep chmod
/bin/chmod a+rw '%s' >/dev/null 2>&1

The VShieldCheck process does not check for symlinks prior to creating
the VShieldExecute.txt file. If an attacker creates a symlink to:

/var/cron/tabs/root

from

/Library/Application Support/Virex/VShieldExclude.txt

then the file /var/cron/tabs/root will be created with writable
permissions by the VShieldCheck process at the next system boot.
Once the file is created the attacker can insert arbitrary commands
into the newly created cron file that will be executed with root
privileges.

Example:

SNOsoft-virexuser$ crontab -l
crontab: no crontab for virexuser
SNOsoft-virexuser$ Desktop/pwn_virex.pl

Usage: Desktop/pwn_virex.pl 

Targets:

0 . Virex 7.7.dmg

SNOsoft-virexuser$ Desktop/pwn_virex.pl 0
*** Target: Virex 7.7.dmg "/Library/Application
Support/Virex/VShieldExclude.txt"
wait for a reboot a cron run...
SNOsoft-virexuser$ crontab -l
* * * * * /usr/bin/perl /Users/Shared/droptab.pl
SNOsoft-virexuser$ ls -al /Library/Application\ Support/Virex/
total 88
drwxrwxr-x   5 root      admin  170 Oct 15 22:08 .
drwxrwxr-x  10 root      admin  340 Nov  3 11:11 ..
lrwxr-xr-x   1 virusbar  admin   19 Oct 15 22:08 VShieldExclude.txt -> /var/cron/tabs/root
-rwxr-xr-x   1 root      wheel  530 A
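A hardened replacement for the file-creation step described above, as an added C example that is not Netragard's or McAfee's code: it refuses to create or write through a symlink at the configuration path, creates a missing file with an owner-write-only mode instead of chmod a+rw, and checks an existing file's type, owner and mode before trusting it. The directory and file names used in the self-check are constructed for the example, not the product's real paths.

```c
#define _XOPEN_SOURCE 700
#define _DEFAULT_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Open, creating it if absent, a configuration file that a privileged
 * process will later trust. The final path component is never followed as
 * a symlink (O_NOFOLLOW), a fresh file is created atomically with an
 * owner-write-only mode (O_EXCL, 0644), and an existing file is accepted
 * only if it is a regular file owned by us and not group/world writable.
 * Returns an open descriptor or -1 with errno set. */
int open_trusted_config(const char *path)
{
    int fd = open(path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0644);
    if (fd >= 0)
        return fd;
    if (errno != EEXIST)
        return -1;

    /* Something already sits at the path. A symlink makes this open fail
     * with ELOOP, so the process never writes through it. */
    fd = open(path, O_WRONLY | O_NOFOLLOW);
    if (fd < 0)
        return -1;

    struct stat st;
    if (fstat(fd, &st) != 0 || !S_ISREG(st.st_mode) ||
        st.st_uid != geteuid() || (st.st_mode & (S_IWGRP | S_IWOTH))) {
        close(fd);
        errno = EPERM;
        return -1;
    }
    return fd;
}

/* Self-check in a throwaway directory (constructed names). Returns a
 * bitmask: 1 = a fresh file was created with a safe mode, 2 = a symlink
 * planted at the config path was refused and its target never created. */
int trusted_config_demo(void)
{
    char dir[] = "/tmp/config-demo-XXXXXX";
    if (mkdtemp(dir) == NULL)
        return 0;
    char cfg[256], link[256], target[256];
    snprintf(cfg, sizeof cfg, "%s/exclude.txt", dir);
    snprintf(link, sizeof link, "%s/planted-link.txt", dir);
    snprintf(target, sizeof target, "%s/sensitive-target", dir);
    int result = 0;

    int fd = open_trusted_config(cfg);
    struct stat st;
    if (fd >= 0 && fstat(fd, &st) == 0 && S_ISREG(st.st_mode) &&
        (st.st_mode & (S_IWGRP | S_IWOTH)) == 0)
        result |= 1;
    if (fd >= 0)
        close(fd);

    /* A link at the config path pointing at a file the unprivileged user
     * must not be able to create: the safe open must reject it. */
    if (symlink(target, link) == 0 && open_trusted_config(link) == -1 &&
        access(target, F_OK) != 0)
        result |= 2;

    unlink(link);
    unlink(cfg);
    rmdir(dir);
    return result;
}

int main(void)
{
    printf("demo result: %d (3 = both checks passed)\n", trusted_config_demo());
    return 0;
}
```

The O_EXCL path is what removes the race the advisory describes: whatever a local user has placed at the path beforehand, the privileged process either creates its own fresh file or opens the existing object without following links and then verifies it, so a pre-planted symlink is never adopted.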

RE: SYMSA-2007-002: Palm OS Treo Find Feature System Password Bypass

2007-02-27 Thread Roger A. Grimes
Yes, with physical access a specialized, dedicated attacker can always
compromise the device. With this bug, the specialized skills needed
include pressing three buttons.  That's the problem.  You can't just
blow off the difficulty rating as inconsequential.

Yes, I agree with your other commonsense attestations.

But my main beef isn't with this particular exploit, it's with Palm's
policy of not fixing a security vulnerability in millions of phones.  

Roger

***
*Roger A. Grimes, Banneret Computer Security, Consultant 
*CPA, CISSP, MCSE: Security (2000/2003/MVP), CEH, yada...yada...
*email: [EMAIL PROTECTED]
*Author of Professional Windows Desktop and Server Hardening (Wrox)
*http://www.amazon.com/gp/product/0764599909
***


-Original Message-
From: McCarty, Eric C. [mailto:[EMAIL PROTECTED] 
Sent: Thursday, February 22, 2007 5:55 PM
To: Roger A. Grimes; [EMAIL PROTECTED]; bugtraq@securityfocus.com
Subject: RE: SYMSA-2007-002: Palm OS Treo Find Feature System Password
Bypass

This vulnerability also assumes the attacker has physical access to the
device. Once a device is stolen or accessed physically by an attacker it
will be cracked, one way or another. 

Remote Device policies should dictate the importance of notifying IT
staff immediately if a device is lost or stolen so it can be remotely
"bricked". 

I agree that more and more companies are lacking in responsibility for
their security vulnerabilities. Yet often times mitigating factors can
assist a company in determining the priority to put on patches or
updates. For example the fact that someone needs physical access to
exploit this security risk certainly dictates a much lower priority for
patching.

Eric McCarty


-Original Message-
From: Roger A. Grimes [mailto:[EMAIL PROTECTED]
Sent: Thursday, February 22, 2007 11:13 AM
To: [EMAIL PROTECTED]; bugtraq@securityfocus.com
Subject: RE: SYMSA-2007-002: Palm OS Treo Find Feature System Password
Bypass

Is it truly an "emergency call" if you need to look up the number?  Why
not put in your valid password and make a regular call.

Security is a lot about expectations. If a device is locked or
password-protected, the expectation is that all the data is fully
protected all the time. If it's not, then communicate it in the
documentation so I can make a valid marketing choice when buying a
product. 

If the concern is that some people would like to have this feature
as-is, make it a checkmark decision on the Preferences page. Then both
sides are happy. 

The bigger issue isn't this particular bug. It's a symptom of more and
more companies, who when faced with a security problem just decide not
to fix it. I think that as long as the product is still expected to be
reasonably used, or unless a shorter warranty period is communicated, if
a security bug gets revealed, it should be fixed. Note, we're not
arguing how long they should have to fix it, but rather if they will fix
it ever.  That's the central issue. And it's one I'll personally
remember when purchasing my next Treo product. I may buy another Treo
product, I don't know, but this will absolutely be on my mind as I look
at competitor devices.

Roger

***
*Roger A. Grimes, Banneret Computer Security, Consultant
*CPA, CISSP, MCSE: Security (2000/2003/MVP), CEH, yada...yada...
*email: [EMAIL PROTECTED]
*Author of Professional Windows Desktop and Server Hardening (Wrox)
*http://www.amazon.com/gp/product/0764599909
***



-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] 
Sent: Wednesday, February 21, 2007 9:52 PM
To: bugtraq@securityfocus.com
Subject: Re: SYMSA-2007-002: Palm OS Treo Find Feature System Password
Bypass

I can understand why Palm does not want to fix it. This is my opinion;
it stems from feature richness: the initial state of the phone is locked,
and then you receive a call; it then provides the user the ability to
search for contact/number/meeting/memo...etc. (header/prefix only). If
this Find feature is blocked, then the user would have to hang up the call
and unlock the phone to retrieve the info, then call the user back.  I
have run into this situation on many occasions, since I did not know that
the Find feature could be used in this mode.

The SecurityLockFindFix.prc is available to block the Find feature, but
for the non-security-minded person flexibility may far overshadow
security, but that is a personal matter. There is no personal choice
when the Palm Treo is corporate-owned, so the fix should be applied.


Re: WordPress Search Function SQL-Injection

2007-02-27 Thread kelson
This looks like the bug described here: http://trac.wordpress.org/ticket/3722
"DB error when sanitized search string results in empty query" (Filed January 
31)

According to that page:
> I guess it's also worth mentioning that commas
> _are_ being sanitized. The reason for the error is
> that once the commas are gone WordPress attempts 
> to wrap the search query with "AND ( $search )"
> 
> Since $search is null MySQL throws up an error.

The same error results from searching for just a space.  In either case, adding 
other characters to the field results in the expected query.  It doesn't look 
like injection would be possible.


Xbox 360 Hypervisor Privilege Escalation Vulnerability

2007-02-27 Thread Anonymous Hacker

Security Advisory

Xbox 360 Hypervisor Privilege Escalation Vulnerability


Release Date:
 February 28, 2007


Author:
 Anonymous Hacker <[EMAIL PROTECTED]>


Timeline:
 Oct 31, 2006 - release of 4532 kernel, which is the first version
containing the bug
 Nov 16, 2006 - proof of concept completed; unsigned code running in
hypervisor context
 Nov 30, 2006 - release of 4548 kernel, bug still not fixed
 Dec 15, 2006 - first attempt to contact vendor to report bug
 Dec 30, 2006 - public demonstration
 Jan 03, 2007 - vendor contact established, full details disclosed
 Jan 09, 2007 - vendor releases patch
 Feb 28, 2007 - full public release
 Patch Development Time (In Days): 6


Severity:
 Critical (Unsigned Code Execution in Hypervisor Mode)


Vendor:
 Microsoft


Systems Affected:
 All Xbox 360 systems with a kernel version of 4532 (released Oct 31,
 2006) and 4548 (released Nov 30, 2006). Versions prior to 4532 are not
 affected. Bug was fixed in version 4552 (released Jan 09, 2007 - not a
 Patch Tuesday).


Overview:
 We have discovered a vulnerability in the Xbox 360 hypervisor that allows
 privilege escalation into hypervisor mode. Together with a method to
 inject data into non-privileged memory areas, this vulnerability allows
 an attacker with physical access to an Xbox 360 to run arbitrary code
 such as alternative operating systems with full privileges and full
 hardware access.


Technical details:
 The Xbox 360 security system is designed around a hypervisor concept. All
 games and other applications, which must be cryptographically signed with
 Microsoft's private key, run in non-privileged mode, while only a small
 hypervisor runs in privileged ("hypervisor") mode. The hypervisor
 controls access to memory and provides encryption and decryption
 services.

 The policy implemented in the hypervisor forces all executable code to be
 read-only and encrypted. Therefore, unprivileged code cannot change
 executable code. A physical memory attack could modify code; however,
 code memory is encrypted with a unique per-session key, making meaningful
 modification of code memory in a broadly distributable fashion difficult.
 In addition, the stack and heap are always marked as non-executable, and
 therefore data loaded there can never be jumped to by unprivileged code.

 Unprivileged code interacts with the hypervisor via the "sc" ("syscall")
 instruction, which causes the machine to enter hypervisor mode. The
 vulnerability is a result of incomplete checking of the parameters passed
 to the syscall dispatcher, as illustrated below.

 Preconditions (registers set by unprivileged code):

 %r0  syscall no.
 %r3-%r12 syscall arguments

 Privileged code:

 13D8: cmplwi %r0, 0x61
 13DC: bge illegal_syscall
  ...
 13F0: rldicr %r1, %r0, 2, 61
 13F4: lwz %r4, syscall_table(%r1)
 13F8: mtlr %r4
  ...
 1414: blrl

 The problem is that the "cmplwi" instruction compares only the lower 32
 bits of the given syscall number; the upper 32 bits are ignored. The
 "rldicr" instruction, however, operates on the complete 64 bit register
 value.

 The syscall handler address is fetched from the syscall handler offset
 table at 0x.1F68+%r0*4. Setting the upper 32 bits of %r0 to
 something other than 0 will change the upper 30 bits of the address used
 for the syscall handler offset table lookup. We will now explain how the
 Xbox 360 security architecture interprets and aliases these upper bits.

 When processing the syscall, the processor is running in "hypervisor real
 mode", with the MMU switched off. However, when accessing memory
 locations with the MSB cleared, an additional offset, the Hypervisor Real
 Mode Offset (HRMO), will be applied to all memory addresses.

 Due to the Xbox 360 security architecture, main memory is aliased to
 different addresses with different properties, in order to conditionally
 enable the security features (encryption and hashing). The hypervisor
 sets the value of the HRMO special register so that the hypervisor code,
 including the syscall jump table, resides in memory which is hashed as
 well as encrypted, even when using zero-based addresses.

 When accessing memory locations with the most significant address bit
 set, the HRMOR setting is not applied. Due to the bug in the "cmplwi"
 instruction, setting the corresponding bits in %r0 on syscall entry
 allows setting the MSB, thereby overriding the HRMOR setting and tricking
 the address lookup of the syscall handler to fetch from memory without
 any security features.

 With the syscall handler offset table aliased to unencrypted memory, the
 syscall handler table can now be modified to direct the hypervisor to
 jump to any location in code space that is designated for the hypervisor.
 In the proof of concept implementation, a jump to existing hypervisor
 code is used with a pre-loaded register value as a trampoline to force
 the ultimate execution path to an arbitrary, unencrypted and exec
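The dispatcher sequence described above, modelled as an added C example that is not code from the advisory or from Microsoft: a word compare that validates only the low 32 bits of a 64-bit register, beside the doubleword compare that closes the gap. The table base address is a placeholder because the advisory's value is partly elided, and the lookup is computed rather than performed, so nothing is dereferenced.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Number of syscalls the dispatcher accepts ("cmplwi %r0, 0x61"). */
#define SYSCALL_LIMIT 0x61u

/* Placeholder base of the syscall handler offset table: the advisory's
 * value is partly elided, so this is an assumed address, not the real one. */
#define TABLE_BASE_PLACEHOLDER 0x1F68ull

/* What the dispatcher would do for a given %r0, without touching memory:
 * whether the syscall was rejected, and the address the handler offset
 * would be fetched from. */
struct dispatch {
    bool rejected;
    uint64_t fetch_addr;
};

/* Index step shared by both variants: "rldicr %r1, %r0, 2, 61" rotates the
 * full 64-bit %r0 left by two and clears the two low bits, i.e. %r0 * 4
 * truncated to 64 bits. */
static uint64_t table_index(uint64_t r0)
{
    return (r0 << 2) & ~(uint64_t)3;
}

/* The vulnerable sequence: "cmplwi" is a word compare, so only the low
 * 32 bits of %r0 are checked against the limit. */
struct dispatch dispatch_flawed(uint64_t r0)
{
    struct dispatch d = { false, 0 };
    if ((uint32_t)r0 >= SYSCALL_LIMIT) {        /* bge illegal_syscall */
        d.rejected = true;
        return d;
    }
    d.fetch_addr = TABLE_BASE_PLACEHOLDER + table_index(r0);
    return d;
}

/* The check as it should be: compare the whole register (a doubleword
 * compare such as "cmpldi"), so the bits the shift consumes are exactly
 * the bits that were validated. */
struct dispatch dispatch_fixed(uint64_t r0)
{
    struct dispatch d = { false, 0 };
    if (r0 >= SYSCALL_LIMIT) {
        d.rejected = true;
        return d;
    }
    d.fetch_addr = TABLE_BASE_PLACEHOLDER + table_index(r0);
    return d;
}

/* Per the advisory, an address with the most significant bit set is not
 * relocated by HRMOR and therefore escapes the hashed/encrypted alias. */
bool escapes_hrmor(uint64_t addr)
{
    return (addr >> 63) != 0;
}

int main(void)
{
    /* Constructed sample register values: in range, out of range, and a
     * value whose low word is in range but whose bit 61 lands on bit 63
     * after the shift. */
    uint64_t samples[] = { 0x10, 0x61, 0x2000000000000010ull };
    for (size_t i = 0; i < 3; i++) {
        struct dispatch f = dispatch_flawed(samples[i]);
        struct dispatch g = dispatch_fixed(samples[i]);
        printf("r0=%#018llx flawed:%s fetch=%#018llx msb=%d | fixed:%s\n",
               (unsigned long long)samples[i],
               f.rejected ? "reject" : "accept",
               (unsigned long long)f.fetch_addr, escapes_hrmor(f.fetch_addr),
               g.rejected ? "reject" : "accept");
    }
    return 0;
}
```

Run stand-alone it prints three rows; the third is the interesting one: the value passes the word compare, produces a fetch address with bit 63 set, and is rejected by the full-width compare. The general lesson is the one the advisory states: a bounds check must be performed at the same width as the arithmetic that consumes the checked value.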

[ GLSA 200702-12 ] CHMlib: User-assisted remote execution of arbitrary code

2007-02-27 Thread Raphael Marichez
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory   GLSA 200702-12
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

  Severity: Normal
     Title: CHMlib: User-assisted remote execution of arbitrary code
      Date: February 27, 2007
      Bugs: #163989
        ID: 200702-12

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

A memory corruption vulnerability in CHMlib could lead to the remote
execution of arbitrary code.

Background
==========

CHMlib is a library for the MS CHM (Compressed HTML) file format plus
extracting and HTTP server utils.

Affected packages
=================

    -------------------------------------------------------------------
     Package                       /  Vulnerable  /      Unaffected
    -------------------------------------------------------------------
  1  app-doc/chmlib                      < 0.39              >= 0.39

Description
===========

When certain CHM files that contain tables and objects stored in pages
are parsed by CHMlib, an unsanitized value is passed to the alloca()
function resulting in a shift of the stack pointer to arbitrary memory
locations.

Impact
======

An attacker could entice a user to open a specially crafted CHM file,
resulting in the execution of arbitrary code with the permissions of
the user viewing the file.

Workaround
==========

There is no known workaround at this time.

Resolution
==========

All CHMlib users should upgrade to the latest version:

# emerge --sync
# emerge --ask --oneshot --verbose ">=app-doc/chmlib-0.39"

References
==========

  [ 1 ] Original Advisory
http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=468
  [ 2 ] CVE-2007-0619
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-0619

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

  http://security.gentoo.org/glsa/glsa-200702-12.xml

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
[EMAIL PROTECTED] or alternatively, you may file a bug at
http://bugs.gentoo.org.

License
=======

Copyright 2007 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

http://creativecommons.org/licenses/by-sa/2.5




[ GLSA 200702-11 ] MPlayer: Buffer overflow

2007-02-27 Thread Raphael Marichez
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory   GLSA 200702-11
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

  Severity: Normal
     Title: MPlayer: Buffer overflow
      Date: February 27, 2007
      Bugs: #159727
        ID: 200702-11

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

A buffer overflow was found in MPlayer's RTSP plugin that could lead to
a Denial of Service or arbitrary code execution.

Background
==========

MPlayer is a media player capable of playing multiple media formats.

Affected packages
=================

    -------------------------------------------------------------------
     Package                       /  Vulnerable  /      Unaffected
    -------------------------------------------------------------------
  1  media-video/mplayer              < 1.0_rc1-r2        >= 1.0_rc1-r2

Description
===========

When checking for matching asm rules in the asmrp.c code, the results
are stored in a fixed-size array without boundary checks which may
allow a buffer overflow.

Impact
======

An attacker can entice a user to connect to a manipulated RTSP server
resulting in a Denial of Service and possibly execution of arbitrary
code.

Workaround
==========

There is no known workaround at this time.

Resolution
==========

All MPlayer users should upgrade to the latest version:

# emerge --sync
# emerge --ask --oneshot --verbose ">=media-video/mplayer-1.0_rc1-r2"

References
==========

  [ 1 ] Original Advisory
http://www.mplayerhq.hu/design7/news.html#vuln14
  [ 2 ] CVE-2006-6172
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-6172

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

  http://security.gentoo.org/glsa/glsa-200702-11.xml

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
[EMAIL PROTECTED] or alternatively, you may file a bug at
http://bugs.gentoo.org.

License
=======

Copyright 2007 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

http://creativecommons.org/licenses/by-sa/2.5




Re: WordPress Search Function SQL-Injection

2007-02-27 Thread Justin Frydman - Thinkweb Media

Can't replicate this in 2.0.7. Is this only for the 2.1.x branch then?

On Tue, 27 Feb 2007 21:39:55 +0100 (CET), SaMuschie <[EMAIL PROTECTED]> wrote:
> -BEGIN PGP SIGNED MESSAGE-
> Hash: SHA1
> 
> +--- -  -- -
> | SaMuschie Research Labs proudly presents . . .
> +---  -- -  -  
> | Application: wordpress
> | Version: <= 2.1.1
> | Vuln./Exploit Type: SQL-Injection
> | Status: 0day
> +- --  -  -  
> | Discovered by: Samenspender
> | Released: 20070227
> | SaMuschie Release Number: 2
> +--- -  -- -
> 
> Searching for a single ,,comma,, generates a sql error message.
> 
> e.g.:
> 
> http://wordpress-deutschland.org/?s=,
> 
> results in:
> 
> "WordPress Datenbank-Fehler: [You have an error in your SQL syntax; check the
> manual that corresponds to your MySQL server version for the right syntax to
> use near ') AND (post_type = 'post' AND (post_status = 'publish')) ORDER BY
> post_date DE' at line 1]
> SELECT SQL_CALC_FOUND_ROWS wpdorg_posts.* FROM wpdorg_posts WHERE 1=1 AND ()
> AND (post_type = 'post' AND (post_status = 'publish')) ORDER BY post_date DESC
> LIMIT 0, 10"
> 
> +-  -- -
> | Lameness Disclaimer
> +- - -- -  -  
> | SaMuschie Research Labs was found to publish
> | vulnerabilities within well known software products,
> | which are easy to discover and exploit.
> | 
> | SaMuschie researchers just spend a minimum of time
> | and knowledge for each vulnerability. Hence readers of 
> | this advisory are requested not to ask any questions
> | to the researchers they don't know the answer ;) 
> +--  - --  - -
> -BEGIN PGP SIGNATURE-
> Version: GnuPG v1.4.6 (GNU/Linux)
> 
> iD8DBQFF5GSdMFgfGpQK8VERAvOWAJwLms5H6b4So3tO19lc3eHMGeNvLwCdHAP8
> ZfylSi7g8HINHkpBYzYgUqE=
> =fBdH
> -END PGP SIGNATURE-



WordPress Search Function SQL-Injection

2007-02-27 Thread SaMuschie
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

+--- -  -- -
| SaMuschie Research Labs proudly presents . . .
+---  -- -  -  
| Application: wordpress
| Version: <= 2.1.1
| Vuln./Exploit Type: SQL-Injection
| Status: 0day
+- --  -  -  
| Discovered by: Samenspender
| Released: 20070227
| SaMuschie Release Number: 2
+--- -  -- -

Searching for a single ,,comma,, generates a sql error message.

e.g.:

http://wordpress-deutschland.org/?s=,

results in:

"WordPress Datenbank-Fehler: [You have an error in your SQL syntax; check the
manual that corresponds to your MySQL server version for the right syntax to
use near ') AND (post_type = 'post' AND (post_status = 'publish')) ORDER BY
post_date DE' at line 1]
SELECT SQL_CALC_FOUND_ROWS wpdorg_posts.* FROM wpdorg_posts WHERE 1=1 AND ()
AND (post_type = 'post' AND (post_status = 'publish')) ORDER BY post_date DESC
LIMIT 0, 10"

+-  -- -
| Lameness Disclaimer
+- - -- -  -  
| SaMuschie Research Labs was found to publish
| vulnerabilities within well known software products,
| which are easy to discover and exploit.
| 
| SaMuschie researchers just spend a minimum of time
| and knowledge for each vulnerability. Hence readers of 
| this advisory are requested not to ask any questions
| to the researchers they don't know the answer ;) 
+--  - --  - -
-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.6 (GNU/Linux)

iD8DBQFF5GSdMFgfGpQK8VERAvOWAJwLms5H6b4So3tO19lc3eHMGeNvLwCdHAP8
ZfylSi7g8HINHkpBYzYgUqE=
=fBdH
-END PGP SIGNATURE-





iDefense Security Advisory 02.27.07: Computer Associates eTrust Intrusion Detection Denial of Service Vulnerability

2007-02-27 Thread iDefense Labs
Computer Associates eTrust Intrusion Detection Denial of Service
Vulnerability

iDefense Security Advisory 02.27.07
http://labs.idefense.com/intelligence/vulnerabilities/
Feb 27, 2007

I. BACKGROUND

Computer Associates eTrust Intrusion Detection is a network intrusion
management and prevention system, that includes real-time session
monitoring and Internet web filtering capabilities. More information can
be found on the vendors site at the following URL.

http://www3.ca.com/solutions/Product.aspx?ID=163

II. DESCRIPTION

The eTrust Intrusion Detection process listens on TCP port 9191 for remote
administration functions. Administrator login requires that keys be
exchanged including a session key with blowfish encryption of the login
and the password.

Since the administration server fails to properly validate the key length
value, it is possible to cause the product to crash. During decryption, 4
is subtracted from the specified length and the result used as the length
of the data to decrypt. The decryption loop will proceed to overwrite the
entire heap segment. This leads to an unhandled exception.

III. ANALYSIS

Exploitation of this vulnerability allows attackers to cause the
administration service to crash.

Since the heap is not used once corrupted, the heap overflow cannot be
exploited for more than a denial of service.

IV. DETECTION

iDefense has confirmed this vulnerability in Computer Associates eTrust
Intrusion Detection version 3.0.5.57. Other versions are suspected
vulnerable.

V. WORKAROUND

iDefense is not aware of any workarounds for this issue.

VI. VENDOR RESPONSE

Computer Associates has issued patches to correct this vulnerability. More
information is available in their advisory which can be found at the
following URL.

http://supportconnectw.ca.com/public/ca_common_docs/eid_secnotice.asp

VII. CVE INFORMATION

The Common Vulnerabilities and Exposures (CVE) project has assigned the
name CVE-2007-1005 to this issue. This is a candidate for inclusion in
the CVE list (http://cve.mitre.org/), which standardizes names for
security problems.

VIII. DISCLOSURE TIMELINE

01/16/2007  Initial vendor notification
01/16/2007  Initial vendor response
02/27/2007  Coordinated public disclosure

IX. CREDIT

The discoverer of this vulnerability wishes to remain anonymous.

Get paid for vulnerability research
http://labs.idefense.com/methodology/vulnerability/vcp.php

Free tools, research and upcoming events
http://labs.idefense.com/

X. LEGAL NOTICES

Copyright © 2007 iDefense, Inc.

Permission is granted for the redistribution of this alert electronically.
It may not be edited in any way without the express written consent of
iDefense. If you wish to reprint the whole or any part of this alert in
any other medium other than electronically, please e-mail
[EMAIL PROTECTED] for permission.

Disclaimer: The information in the advisory is believed to be accurate at
the time of publishing based on currently available information. Use of
the information constitutes acceptance for use in an AS IS condition.
There are no warranties with regard to this information. Neither the
author nor the publisher accepts any liability for any direct, indirect,
or consequential loss or damage arising from use of, or reliance on, this
information.
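Two length checks in one added C example, which is neither CHMlib's nor CA's code: a table record whose entry count is bounded before alloca() is sized from it (the CHMlib alloca() issue in GLSA 200702-12 above), and a login frame whose declared length is confirmed to be at least 4 and at most the bytes actually received before 4 is subtracted from it (the eTrust underflow described in this advisory). The record and frame layouts, the 4096-byte stack cap and the XOR stand-in for Blowfish are all assumptions made for the example.

```c
#include <alloca.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Cap on what one record may claim from the stack (constructed value). */
#define MAX_STACK_RECORD 4096u

/* Sum the entries of a table record laid out as [u16 count][count x u16 BE]
 * (an assumed format standing in for CHM page tables). The alloca()
 * scratch buffer is sized only after the count has been bounded by both
 * the cap and the bytes actually present. Returns -1 for a bad record. */
long sum_table_record(const uint8_t *rec, size_t len)
{
    if (len < 2)
        return -1;
    uint32_t count = ((uint32_t)rec[0] << 8) | rec[1];
    size_t need = (size_t)count * 2;
    if (need > MAX_STACK_RECORD || need > len - 2)
        return -1;                          /* claims more than we have */
    uint16_t *scratch = alloca(need ? need : 2);
    for (uint32_t i = 0; i < count; i++)
        scratch[i] = (uint16_t)(((uint16_t)rec[2 + 2 * i] << 8) | rec[3 + 2 * i]);
    long sum = 0;
    for (uint32_t i = 0; i < count; i++)
        sum += scratch[i];
    return sum;
}

/* The pattern the eTrust advisory describes: 4 is subtracted from the
 * declared length before anything validates it, so 0..3 wrap to ~4 GiB. */
uint32_t unchecked_payload_len(uint32_t declared)
{
    return declared - 4;
}

/* Checked variant: the frame must be long enough to hold its own 4-byte
 * length word and may not claim more than was received. */
bool checked_payload_len(uint32_t declared, size_t received, uint32_t *out)
{
    if (declared < 4 || declared > received)
        return false;
    *out = declared - 4;
    return true;
}

/* Toy XOR "decryption" with a constructed key; it stands in for the
 * Blowfish step only so that the loop bound is visible. */
static const uint8_t TOY_KEY[4] = { 0x5a, 0xa5, 0x3c, 0xc3 };

/* Assumed frame layout: [u32 BE total length][ciphertext]. Writes the
 * plaintext to out and returns its length, or -1 on a bad length. */
long decrypt_login(const uint8_t *frame, size_t received, uint8_t *out, size_t out_cap)
{
    if (received < 4)
        return -1;
    uint32_t declared = ((uint32_t)frame[0] << 24) | ((uint32_t)frame[1] << 16) |
                        ((uint32_t)frame[2] << 8) | frame[3];
    uint32_t payload;
    if (!checked_payload_len(declared, received, &payload) || payload > out_cap)
        return -1;
    for (uint32_t i = 0; i < payload; i++)
        out[i] = frame[4 + i] ^ TOY_KEY[i % 4];
    return (long)payload;
}

/* Constructed samples: a valid frame carrying "ok", one whose declared
 * length (2) is shorter than its own header, a well-formed table record,
 * and a record that claims 65535 entries but carries three. */
const uint8_t FRAME_OK[]    = { 0, 0, 0, 6, 0x35, 0xce };
const uint8_t FRAME_SHORT[] = { 0, 0, 0, 2, 0x35, 0xce };
const uint8_t RECORD_GOOD[] = { 0, 3, 0, 1, 0, 2, 0, 3 };
const uint8_t RECORD_LIAR[] = { 0xff, 0xff, 0, 1, 0, 2, 0, 3 };
uint8_t g_plain[16];

int main(void)
{
    printf("record good: %ld, liar: %ld\n",
           sum_table_record(RECORD_GOOD, sizeof RECORD_GOOD),
           sum_table_record(RECORD_LIAR, sizeof RECORD_LIAR));
    printf("unchecked len for declared=2: %u\n", unchecked_payload_len(2));
    printf("short frame: %ld\n",
           decrypt_login(FRAME_SHORT, sizeof FRAME_SHORT, g_plain, sizeof g_plain));
    long n = decrypt_login(FRAME_OK, sizeof FRAME_OK, g_plain, sizeof g_plain);
    printf("ok frame: %ld bytes -> %.*s\n", n, (int)n, (const char *)g_plain);
    return 0;
}
```

Both bugs are the same shape: a size taken from the peer is used in arithmetic or allocation before it is compared against what was actually received. Checking the raw value first, and rejecting rather than clamping, keeps the stack pointer and the decryption loop bounded by real data.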


Nullsoft ShoutcastServer Persistent XSS - 0day

2007-02-27 Thread SaMuschie
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

+--- -  -- -
| SaMuschie Research Labs proudly presents . . .
+---  -- -  -  
| Application: Nullsoft ShoutcastServer
| Version: 1.9.7/Win32 (other versions/platforms not tested)
| Vuln./Exploit Type: Persistent XSS
| Status: -0day
+- --  -  -  
| Discovered by: Muschiemann
| Released: 20070227
| SaMuschie Release Number: 3
+--- -  -- -

It is possible to inject scriptcode into the applications logfile without
authentication. Once the admin is viewing the logfile via the web interface, 
the scriptcode will be executed.

e.g.:

http://victim:8001/"/>alert(document.getElementsByTagName("PRE")[0].firstChild.data)

By abusing this vuln it is possible to send the complete logfile to an evil 
host. 

+-  -- -
| Lameness Disclaimer
+- - -- -  -  
| SaMuschie Research Labs was found to publish
| vulnerabilities within well known software products,
| which are easy to discover and exploit.
| 
| SaMuschie researchers just spend a minimum of time
| and knowledge for each vulnerability. Hence readers of 
| this advisory are requested not to ask any questions
| to the researchers they don't know the answer ;) 
+--  - --  - -
-BEGIN PGP SIGNATURE-
Version: GnuPG v1.2.1 (MingW32)

iD8DBQFF5H4RCrtcl+ifKZARAsHoAJ9xBhoq8tuX/I5mPU1OjmJbRJSPggCfTNFj
8kqRWw8smOdqvIoKPWTuZuA=
=oALk
-END PGP SIGNATURE-








rPSA-2007-0043-1 php php-mysql php-pgsql

2007-02-27 Thread rPath Update Announcements
rPath Security Advisory: 2007-0043-1
Published: 2007-02-27
Products: rPath Linux 1
Rating: Severe
Exposure Level Classification:
Remote System User Deterministic Unauthorized Access
Updated Versions:
php=/[EMAIL PROTECTED]:devel//1/4.3.11-15.9-1
php-mysql=/[EMAIL PROTECTED]:devel//1/4.3.11-15.9-1
php-pgsql=/[EMAIL PROTECTED]:devel//1/4.3.11-15.9-1

References:
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-0906
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-0907
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-0908
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-0909
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-0910
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-0988
https://issues.rpath.com/browse/RPL-1088

Description:
Previous versions of the php package are vulnerable to multiple
vulnerabilities of varying severity.  The most severe of these
vulnerabilities are expected to enable remote code execution as the
"apache" user via php applications that call certain functions such as
str_replace(), imap_mail_compose(), or odbc_result_all().


Re: [Full-disclosure] ViewCVS 0.9.4 issues

2007-02-27 Thread Moritz Naumann
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

Moritz Naumann wrote:
> This was previously considered a HTTP response splitting vulnerability
> by Jose Antonio Coret (Joxean Koret)
> http://lists.grok.org.uk/pipermail/full-disclosure/2005-January/030514.html
> (BID 12112, couldn't find a CVE, AFAICT it is _not_ CAN-2004-1062)
> and, according to him, a patch has been stored on the 1.0-dev CVS
> branch. The 0.9.4 release on viewvc.tigris.org seems to be unpatched and
> it's possible that some Linux distributions and whoever would normally
> care were never patched against this.

I was wrong when I assumed that the 0.9.4 release on viewvc.tigris.org
was unpatched against the issues discovered by Jose Antonio Coret
(Joxean Koret). This issue was actually fixed by the ViewCVS developers
in version 0.9.3. I am sorry for the misconception and the confusion
this has caused.

This does not impact how much the rest of my report applies. My
findings are now being discussed on the ViewVC developers mailing list
[1]. They apparently also impact ViewVC. Whether and to which degree
what I am reporting can be considered a security issue is, however,
currently subject to discussion.

For now, please follow up there only. I will be back to the security
mailing lists as soon as this has been sufficiently discussed and there
is something noteworthy to be said.

Moritz
-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.6 (GNU/Linux)

iD8DBQFF440Vn6GkvSd/BgwRApdwAKCL+aPccWHsmq4Y6MP/SzrjMDtpVACbBVUE
bh85P5I1agzH5TdDwk8KxiM=
=Gsp7
-END PGP SIGNATURE-


Wordpress 2.1.1 - Multiple Script Injection Vulnerabilities

2007-02-27 Thread Stefan Friedli
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

Wordpress 2.1.1 - Multiple Script Injection Vulnerabilities

scip AG Vulnerability ID 2962 (02/27/2007)
http://www.scip.ch/cgi-bin/smss/showadvf.pl?id=2962

I. INTRODUCTION

"WordPress is a state-of-the-art semantic personal publishing platform 
with a focus on aesthetics, web standards, and usability."
More information is available on the project web site at the following URL:

 http://www.wordpress.org

II. DESCRIPTION

Stefan Friedli found several vulnerabilities based on an advisory 
entitled "WordPress AdminPanel CSRF/XSS - 0day" by "Samenspender" which 
described a lack of input validation when deleting posts that allows 
injection of arbitrary code. The vulnerability was reported on February 
26th and is referenced in section VII.

Further to this vulnerability, which was limited to manipulating the 
"post" parameter, there are several other vulnerabilities which are very 
similar to the one mentioned above. Every operation that makes use of 
the common confirm dialog is vulnerable to this type of attack.

Possible injection...

... when deleting posts as mentioned in Samenspender's advisory 
(unvalidated parameter: post, file: post.php)
http://target.tld/wp-admin/post.php?action=delete&post='%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E

... when deleting comments (unvalidated parameter: c, file: comment.php)
http://target.tld/wp-admin/comment.php?action=deletecomment&p=39&c='%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E

... when deleting pages (unvalidated parameter: page, file: page.php)
http://target.tld/wp-admin/page.php?action=delete&post='%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E

... when deleting categories (unvalidated parameter: cat_ID, file: 
categories.php)
http://target.tld/wp-admin/categories.php?action=delete&cat_ID='%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E

... when deleting comments (unvalidated parameter: c, file: comment.php)
http://target.tld/wp-admin/comment.php?action=deletecomment&p=35&c='%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E

IV. IMPACT

This list may not be exhaustive. It illustrates that the flaw with 
confirmation dialogs in Wordpress is not limited to the "Delete 
Post" function. Fixing the validation of the post parameter as suggested 
by e.g. Secunia does not fix the problem and does not reduce the threat 
of cross-site scripting or any other web-based exploitation.

V. DETECTION

These flaws can be detected by using any web browser.

VI. SOLUTION

Until these issues are patched, possible workarounds are manual fixing 
or the usage of an application-level filter like mod_security for Apache.

VII. SOURCES

Samenspender - WordPress AdminPanel CSRF/XSS - 0day
http://seclists.org/bugtraq/2007/Feb/0494.html

scip AG - Security Consulting Information Process (german)
http://www.scip.ch

scip AG Vulnerability Database (german)
http://www.scip.ch/cgi-bin/smss/showadvf.pl?id=2962

VIII. DISCLOSURE TIMELINE

02/26/06 Release of "Delete Post"-Confirmation Vulnerability
02/27/06 Identification of further vulnerabilities
02/27/06 Immediate release for informational purposes

IX. CREDITS

The vulnerabilities were discovered by Stefan Friedli.

 Stefan Friedli, scip AG, Zuerich, Switzerland
 stfr-at-scip.ch
 http://www.scip.ch

A2. LEGAL NOTICES

Copyright (c) 2007 scip AG, Switzerland.

Permission is granted for the re-distribution of this alert. It may not 
be edited in any way without permission of scip AG.

The information in the advisory is believed to be accurate at the time 
of publishing based on currently available information. There are no 
warranties with regard to this information. Neither the author nor the 
publisher accepts any liability for any direct, indirect or 
consequential loss or damage from use of or reliance on this advisory.

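As an added illustration (example code, not WordPress source or anything from the advisory), the PHP below shows a minimal confirm-delete page in the style of the dialogs described above: first the unvalidated echo of the "post" parameter that lets the quoted `'>` payload break out of an attribute, then a hardened version that validates the id as a positive integer before producing any HTML and escapes it on output. Function names, the form markup and the sample input are hypothetical constructions for this example.

```php
<?php
// Added example (not WordPress code): a "confirm delete" page in the style the
// advisory describes, in its vulnerable form and in a hardened form.
// Function names and markup are hypothetical.

// VULNERABLE: the raw query-string value is written straight into the markup.
// A value such as  '><script>...</script>  closes the single-quoted attribute
// and the browser executes what follows (reflected XSS).
function render_confirm_vulnerable(array $get): string
{
    $post = $get['post'] ?? '';
    return "<p>Delete post $post?</p>\n"
         . "<form method=\"post\" action=\"post.php\">\n"
         . "<input type=\"hidden\" name=\"post\" value='$post'>\n"
         . "<input type=\"submit\" value=\"Yes\">\n"
         . "</form>\n";
}

// HARDENED: the id must be a positive integer. Anything else is rejected
// before any HTML is produced, and the value is still escaped on output.
function render_confirm_hardened(array $get): string
{
    $raw = $get['post'] ?? '';
    // FILTER_VALIDATE_INT rejects "", "12abc" and "'><script>..." alike.
    $post = filter_var($raw, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($post === false) {
        http_response_code(400);
        return "<p>Invalid post id.</p>\n";
    }
    // Escape on output anyway (defence in depth). ENT_QUOTES also encodes the
    // single quote, which is what the advisory's payload relies on.
    $safe = htmlspecialchars((string) $post, ENT_QUOTES, 'UTF-8');
    return "<p>Delete post $safe?</p>\n"
         . "<form method=\"post\" action=\"post.php\">\n"
         . "<input type=\"hidden\" name=\"post\" value=\"$safe\">\n"
         . "<input type=\"submit\" value=\"Yes\">\n"
         . "</form>\n";
}

// Constructed sample input: the advisory's value after URL decoding.
$sample = ['post' => "'><script>alert(document.cookie)</script>"];
echo render_confirm_vulnerable($sample);  // the script tag lands in the page
echo render_confirm_hardened($sample);    // "Invalid post id."
```

The same integer check applies unchanged to the other parameters the advisory lists (c, page, cat_ID), since each is an object id and never needs to carry anything but digits.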


Re: [Full-disclosure] Firefox onUnload + document.write() memory corruption vulnerability (MSIE7 null ptr)

2007-02-27 Thread Michal Zalewski
On Tue, 27 Feb 2007, Richard Moore wrote:

> 
> 
> http://slashdot.org/";>http://slashdot.org/
> 
> 

Yeah, and the other way round: http://lcamtuf.coredump.cx/ietrap/, when
used with FF 2.0.0.2, puts you on a page that:

  1) Has URL bar data and favicon from the target site,
  2) Views source of what you added with document.write(),
  3) Displays as blank.

Moreover, repeatedly setting document.location = "xxx"; on departure may
land you at slashdot.org/xxx instead (meaning the update is being
performed in the context of the new page).

Although this looks like a Really Bad Thing (tm), I didn't succeed in
modifying /ietrap/ to display a malicious payload (though feels like it's
sooo close), nor in manipulating DOM in the latter example to do anything
other than annoying the user (because 2.0.0.1 kept crashing ;-). Still,
I'm not gonna sleep well until this is fixed.

/mz