[ MDKSA-2007:138 ] - Updated kdebase packages fix Flash Player interaction vulnerability

2007-07-03 Thread security


 ___
 
 Mandriva Linux Security Advisory MDKSA-2007:138
 http://www.mandriva.com/security/
 ___
 
 Package : kdebase
 Date: July 3, 2007
 Affected: 2007.0, 2007.1, Corporate 3.0, Corporate 4.0
 ___
 
 Problem Description:
 
 An issue with the interaction between the Flash Player and the
 Konqueror web browser was discovered, which could lead to key
 presses leaking to the Flash Player instead of to the browser.
 This only affects users who have actually installed the Adobe Flash
 Player plugin.
 
 Updated packages have been patched to prevent this issue.
 ___

 References:
 
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-2022
 ___
 
 Updated Packages:
 

[ GLSA 200707-04 ] GNU C Library: Integer overflow

2007-07-03 Thread Raphael Marichez
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory   GLSA 200707-04
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

  Severity: Normal
     Title: GNU C Library: Integer overflow
      Date: July 03, 2007
      Bugs: #183844
        ID: 200707-04

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis


An integer overflow in the dynamic loader, ld.so, could result in the
execution of arbitrary code with escalated privileges.

Background
==

The GNU C library is the standard C library used by Gentoo Linux
systems. It provides programs with basic facilities and interfaces to
system calls. ld.so is the dynamic linker which prepares dynamically
linked programs for execution by resolving runtime dependencies and
related functions.

Affected packages
=

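-------------------------------------------------------------------
     Package          /  Vulnerable  /                  Unaffected
-------------------------------------------------------------------
  1  sys-libs/glibc       < 2.5-r4                        >= 2.5-r4
-------------------------------------------------------------------
     # Package 1 only applies to x86 users.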

Description
===

Tavis Ormandy of the Gentoo Linux Security Team discovered a flaw in
the handling of the hardware capabilities mask by the dynamic loader.
If a mask is specified with a high population count, an integer
overflow could occur when allocating memory.

Impact
==

As the hardware capabilities mask is honored by the dynamic loader
during the execution of suid and sgid programs, in theory this
vulnerability could result in the execution of arbitrary code with root
privileges. This update is provided as a precaution against currently
unknown attack vectors.

Workaround
==

There is no known workaround at this time.

Resolution
==

All users should upgrade to the latest version:

# emerge --sync
# emerge --ask --oneshot --verbose ">=sys-libs/glibc-2.5-r4"

References
==

  [ 1 ] CVE-2007-3508
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-3508

Availability


This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

  http://security.gentoo.org/glsa/glsa-200707-04.xml

Concerns?
=

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
[EMAIL PROTECTED] or alternatively, you may file a bug at
http://bugs.gentoo.org.

License
===

Copyright 2007 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

http://creativecommons.org/licenses/by-sa/2.5




MySQLDumper vulnerability: Bypassing Apache based access control possible

2007-07-03 Thread bugtraq
A critical security issue has been found in the Open Source PHP backup
tool MySQLDumper [0]. The issue allows bypassing an Apache based access
control created with MySQLDumper. Through this an attacker can easily gain
full control over all features of MySQLDumper.

The authors of MySQLDumper were informed about the problem on June 12,
2007 via email. In a reply we received on June 24, 2007, one author stated
that he does not agree that there is a security issue. Because we don't
have the impression that the authors are going to fix this issue and
inform the public about the hole, we decided to publish this issue.

The issue was found by Henning Pingel and Lars Houmark.

 About MySQLDumper 

The main purpose of MySQLDumper is to create full backups of large MySQL
databases from a web interface without the need for a shell access. It
also allows to administrate MySQL databases.

To ensure that only authenticated users have access to an instance of
MySQLDumper the tool offers a built-in feature to create a pair of
.htaccess and .htpasswd files to password protect the directory in which
the tool has been installed on Apache web servers. This feature is
documented in a tutorial [2].

 Affected versions 

Every currently available version of mysqldumper listed on [1] has this hole:

- MySQLDumper 1.23_pre_release_REV227
- MySQLDumper 1.22
- MySQLDumper 1.21b
- MySQLDumper Typo3-Extension 0.0.5

 Description of the security issue 

Inside of the generated .htaccess file the Apache directive LIMIT is used.
The parameters used within the LIMIT directive are not sufficient so that
the folder protection is not reliable. In the php file main.php in line 52
(line number depends on the version of the tool, please search for "limit
get") the content of the file .htaccess is created. Interesting is this
section:

  

The problem is that this means that the password protection is only valid
for HTTP GET requests, but not for other request types like HTTP POST
requests. For further information on the directive LIMIT please have a
look at the Apache documentation [3,4].

To say it more clearly: If one requests a file inside of the protected
MySQLDumper folder, one is not asked for user and password if one uses a
POST request to request the file. That means the whole .htaccess/.htpasswd
protection is useless.

 Proof of concept 


http://localhost/mysqldumper1.23/main.php"; method="post">
   



In the same way it is possible to execute the functionality of MySQLDumper
to delete .htaccess and .htpasswd file via a POST request.

 First aid for users of MySQLDumper 

1) Delete MySQLDumper folder from web space if it is installed in a
guessable path or
2) Correct the content of .htaccess / .htpasswd files to make them reliable.

 Related links 

[0] http://www.mysqldumper.de
[1] http://www.mysqldumper.de/board/downloads.php?cat=2
[2] http://www.mysqldumper.de/tuts/de/htaccess/msd_htaccess.html
[3] http://httpd.apache.org/docs/1.3/mod/core.html#limit
[4] http://httpd.apache.org/docs/2.0/mod/core.html#limit
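
A defender-side check for the misconfiguration described in the MySQLDumper advisory above, as an added example that is not part of the original post and not MySQLDumper code. It flags Require directives that sit inside a <Limit> or <LimitExcept> section and therefore do not apply to every request method. The function name audit_htaccess and both sample .htaccess files are constructed for illustration, following the advisory's description of a GET-only limit.

```python
import re

# Methods reported when a section leaves them outside the auth requirement.
COMMON_METHODS = ("GET", "HEAD", "POST", "PUT", "DELETE", "OPTIONS")

_OPEN = re.compile(r"<\s*(LimitExcept|Limit)\b([^>]*)>", re.I)
_CLOSE = re.compile(r"<\s*/\s*(LimitExcept|Limit)\s*>", re.I)
_REQUIRE = re.compile(r"require\b", re.I)


def audit_htaccess(text):
    """Return one finding per Require directive that skips some methods."""
    findings = []
    section = None  # (kind, methods) of the enclosing section, if any
    for line_no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        opened = _OPEN.match(line)
        if opened:
            methods = {word.upper() for word in opened.group(2).split()}
            if "GET" in methods:
                methods.add("HEAD")  # Apache: a limit on GET also covers HEAD
            section = (opened.group(1).lower(), methods)
            continue
        if _CLOSE.match(line):
            section = None
            continue
        if section and _REQUIRE.match(line):
            kind, methods = section
            if kind == "limit":
                # <Limit> applies the requirement only to the listed methods.
                exposed = [m for m in COMMON_METHODS if m not in methods]
            else:
                # <LimitExcept> applies it to everything except the listed ones.
                exposed = [m for m in COMMON_METHODS if m in methods]
            if exposed:
                findings.append(
                    {"line": line_no, "directive": line, "unprotected": exposed}
                )
    return findings


# Constructed sample: the GET-only protection the advisory describes.
WEAK = """\
AuthName "MySQLDumper"
AuthType Basic
AuthUserFile /placeholder/path/.htpasswd
<Limit GET>
require valid-user
</Limit>
"""

# Constructed sample: the same protection applied to every method.
FIXED = """\
AuthName "MySQLDumper"
AuthType Basic
AuthUserFile /placeholder/path/.htpasswd
require valid-user
"""

if __name__ == "__main__":
    for name, sample in (("weak", WEAK), ("fixed", FIXED)):
        results = audit_htaccess(sample)
        print(name, "->", results if results else "auth applies to all methods")
```
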


Cross Site Scripting in Oliver Library Management System

2007-07-03 Thread A. R.
BACKGROUND
==
"Oliver is the web-based Library Management System for Schools. Softlink
has built on the understanding of thousands of school clients, over many
years, and has designed a new system for school libraries and learning
resource centres in the 21st century"
-- from http://www.softlink.co.uk:


DETAILS
===
During a penetration test for an educational institution, several XSS
vulnerabilities were found in their Oliver installations. Due to the
test constraints it was not possible to ascertain the exact version of
the product, but all instances that have been tested have been found
trivially vulnerable.

Some of the vulnerable input fields include:

1) GET parameters
http://www.victim.com/oliver/gateway/gateway.exe?X_=000f&application=Oliver&displayform=main&updateform=";>alert("XSS");
http://www.victim.com/oliver/gateway/gateway.exe?X_=000f&displayform=main";>alert("XSS");

2) POST parameters in search forms
In the Basic Search page, the following parameters are vulnerable:
- TERMS
- database
- srchad
- SuggestedSearch
- searchform

As a Proof-Of-Concept exploit, the following string can be appended to
any of the listed parameters:
">alert("xss");

3) Username login field:
The application also fails to properly filter the username parameter, as
can be seen when passing to the application the following string as
username:

-->alert("xss")



VENDOR RESPONSE
===
15/06/2007 Vendor contacted. No response received
25/06/2007 Vendor contacted for the second time. No response received
03/07/2007 Advisory published



[ GLSA 200707-02 ] OpenOffice.org: Two buffer overflows

2007-07-03 Thread Raphael Marichez
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory   GLSA 200707-02
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

  Severity: Normal
     Title: OpenOffice.org: Two buffer overflows
      Date: July 02, 2007
      Bugs: #181773
        ID: 200707-02

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis


Multiple vulnerabilities have been discovered in OpenOffice.org,
allowing for the remote execution of arbitrary code.

Background
==

OpenOffice.org is an open source office productivity suite, including
word processing, spreadsheet, presentation, drawing, data charting,
formula editing, and file conversion facilities.

Affected packages
=

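-------------------------------------------------------------------
     Package                    /  Vulnerable  /        Unaffected
-------------------------------------------------------------------
  1  app-office/openoffice           < 2.2.1              >= 2.2.1
  2  app-office/openoffice-bin       < 2.2.1              >= 2.2.1
-------------------------------------------------------------------
     2 affected packages on all of their supported architectures.
-------------------------------------------------------------------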

Description
===

John Heasman of NGSSoftware has discovered a heap-based buffer overflow
when parsing the "prdata" tag in RTF files where the first token is
smaller than the second one (CVE-2007-0245). Additionally, the
OpenOffice binary program is shipped with a version of FreeType that
contains an integer signedness error in the n_points variable in file
truetype/ttgload.c, which was covered by GLSA 200705-22
(CVE-2007-2754).

Impact
==

A remote attacker could entice a user to open a specially crafted
document, possibly leading to execution of arbitrary code with the
rights of the user running OpenOffice.org.

Workaround
==

There is no known workaround at this time.

Resolution
==

All OpenOffice.org users should upgrade to the latest version:

# emerge --sync
# emerge --ask --oneshot --verbose ">=app-office/openoffice-2.2.1"

All OpenOffice.org binary users should upgrade to the latest version:

# emerge --sync
# emerge --ask --oneshot --verbose ">=app-office/openoffice-bin-2.2.1"

References
==

  [ 1 ] CVE-2007-0245
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-0245
  [ 2 ] CVE-2007-2754
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-2754
  [ 3 ] GLSA 200705-22
http://www.gentoo.org/security/en/glsa/glsa-200705-22.xml

Availability


This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

  http://security.gentoo.org/glsa/glsa-200707-02.xml

Concerns?
=

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
[EMAIL PROTECTED] or alternatively, you may file a bug at
http://bugs.gentoo.org.

License
===

Copyright 2007 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

http://creativecommons.org/licenses/by-sa/2.5




iPhone Security Settings

2007-07-03 Thread John Smith

http://www.andrew.cmu.edu/user/xsk/iPhoneSecuritySettings.html

John


Security on AIR: Local file access through JavaScript

2007-07-03 Thread fukami

Hi!

It's just a very first look at AIR (Adobe's Integrated Runtime) and
its possibilities to process HTML/JS. AIR is beta by now, so Adobe
may change things in the final release.


## What is AIR?
Quote from Adobe: "Adobe Integrated Runtime (AIR) is a cross-operating
system runtime that allows you to leverage your existing
web development skills (Flash, Flex, HTML, JavaScript, Ajax) to build
and deploy Rich Internet Applications (RIAs) to the desktop."



## Some security related information on AIR:
- The installer throws a warning about its ability for unrestricted
system access (so it's not a real surprise what AIR apps are capable of)
- AIR uses WebKit as renderer on both supported platforms, Windows  
and MacOS
- AIR introduces some JavaScript functions to access file systems and  
remote services, file SQL queries and open sockets
- SWF files in the AIR application sandbox can cross-script any SWF  
file from any domain

- Remote SWF files can only read files inside the security sandbox
- SWF/ActionScript objects can access DOM and JavaScript (and vice  
versa I guess)

- External JavaScript sources can be included and executed


## File access
In general every file on local file system can be accessed by AIR  
apps. This includes reading, writing, appending or deletion as well  
as testing for file and directory existence. Another interesting  
feature is the possibility to overwrite calling files inside compiled  
AIR application during runtime.



## Example (only tested on OSX so far)
For this to work in a real world scenario a service used by an AIR
app must be vulnerable to a persistent XSS (or another typical
vulnerability), and the app needs to call data in a way that payloads
get rendered and executed.


This basic example consists of 4 files:
- AIR application descriptor file: App.xml
- Calling HTML file inside the AIR app package: caller.html
- Malicious external JavaScript: overwrite.js
- A file which just contains aliases for AIR runtime: AIRAliases.js  
(part of AIR SDK)


# App.xml

http://ns.adobe.com/air/application/1.0.M4";  
appId="air.poc.overwrite" version="0.1">

AIR Overwrite
caller.htmlrootContent>



# caller.html
# For laziness reasons the JS is included straight away
# But it also works if exploited and included during runtime


AIR Overwrite


Re[2]: Light Blog 4.1 XSS Vulnerability

2007-07-03 Thread BlackHawk
Hello prodigy,

I suggest to not download it at all..
look at main.php, no check for admin rights, you can post up every php
files you want.. ;)


Saturday, June 30, 2007, 8:39:49 PM, you wrote:

> The information on this website is incorrect. Do not download this
> version as it is not fixed. For a fixed version, download version 6+
> from http://www.publicwarehouse.co.uk/php_scripts/lightblog.php

> There also was never a file called Light.php, There isn't a file
> called LightBlog.zip. I suggest asking for information before guessing.

-- 
Best regards,
 BlackHawk mailto:[EMAIL PROTECTED]



Buffer overflow in HP Instant Support Driver Check (SDD) ActiveX control

2007-07-03 Thread NGSSoftware Insight Security Research
John Heasman of NGSSoftware has discovered a high risk vulnerability in the 
HP Instant Support Driver Check (SDD) ActiveX control, which is marked safe 
for scripting.


The vulnerability affects the following version of the SDD control:

HP Instant Support Driver Check versions prior to 1.5.0.3

This vulnerability could be exploited on a malicious web page in order to 
execute arbitrary code under the user context of the browser.



Details
***
The queryHub([IN] BSTR bstrValue) method contains a stack based buffer 
overflow.



Solution

This issue has now been resolved in version 1.5.0.3. Further details are 
available at: 
http://h2.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c01077597




NGSSoftware Insight Security Research
http://www.ngssoftware.com
http://www.databasesecurity.com/
http://www.nextgenss.com/
+44(0)208 401 0070 




Moodle XSS / Liesbeth base CMS sensitive information disclosure

2007-07-03 Thread 3APA3A
Dear bugtraq@securityfocus.com,

1.
  MustLive (mustlive at websecurity.com dot ua) reported cross-site
  scripting vulnerability in Moodle 1.7.1 via search parameter of
  index.php, example:

  
http://host/user/index.php?contextid=4&roleid=0&id=2&group=&perpage=20&search=%22style=xss:expression(alert(document.cookie))%20

  Detailed information (in Ukrainian) http://websecurity.com.ua/1045/
  Original message (in Russian) http://securityvulns.ru/Rdocument391.html

2.
  Durito [damagelab] (durito at mail dot ru) reported information leak
  in Liesbeth base CMS (Vendor: www.doubleflex.com), example:
  
  http://host/config.inc

  file accessible through Web contains sensitive information, including
  database account.

  Original message (in Russian) http://securityvulns.ru/Rdocument392.html

-- 
http://securityvulns.com/
 /\_/\
{ , . } |\
+--oQQo->{ ^ }<-+ \
|  ZARAZA  U  3APA3A   } You know my name - look up my number (The Beatles)
+-o66o--+ /
|/



Two Unpublished IE Cases

2007-07-03 Thread LIUDIEYU dot COM

I'd like to publish two IE cases that I know about. Although it's too
late. These two cases have already been patched. Just want to get them
on the record here. Many complained that IE7's new features
roadblocked hacking into this app. Well, those features are like any
other Microsoft's public documents on infosec, they are just sales
pitch.

Talked the talk. Now walk the walk. Both are drag-and-drop remote code
execution. One executes code on reboot. The other runs instantly on
drag-and-drop. Cover up is done using the genius idea by "mikx" from
DE, making the operation look normal on screen. Standard Javascript
features.

The key is drag source and drop destination. Here are two cases:

*
DRAG SRC:
Local page's IFRAME pointing to ftp-or-smb folder containing payload file
(HTTP Redirection to res-protocol page containing IFRAME tag)
DROP DST:
SHELL:STARTUP or:
\\127.0.0.1\c$\Documents and Settings\Administrator\Start Menu\Programs\Startup

*
DRAG SRC:
Any draggable file
("Favorites" control)
DROP DST:
Shortcut file pointing to "C:\WINDOWS\SYSTEM32\mshta.exe" command with
parameters
(On the contrary, shortcut file pointing to remote executable will issue a
confirmation dialog)

REFERENCE:

Previously published cases on this topic:

mikx
http://mikx.de/index.php?p=1

Andreas Sandblad and Michael Krax, "Independently"
http://secunia.com/advisories/11165/