Re: Apache tomcat calendar example cross site scripting and cross site request forgery vulnerability
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

[EMAIL PROTECTED] wrote:
> Apache Tomcat/4.1.31 ships with built-in examples. One of the examples,
> calendar.jsp, suffers from an input validation error and could be exploited for
> cross site scripting and cross site request forgery.

This is CVE-2006-7196 which is fixed in 4.1.32 & 5.5.16.

Kind regards,

Mark
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.7 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQFG3finb7IeiTPGAkMRApxAAJ9sMCfco8GUEe9LcqbcA+5GE0AKCQCgsEG+
nH4eUojS1ccH9YKtma/GtQU=
=3NtA
-----END PGP SIGNATURE-----
[USN-511-1] Kerberos vulnerability
===========================================================
Ubuntu Security Notice USN-511-1          September 04, 2007
krb5, librpcsecgss vulnerability
CVE-2007-3999
===========================================================

A security issue affects the following Ubuntu releases:

Ubuntu 6.06 LTS
Ubuntu 6.10
Ubuntu 7.04

This advisory also applies to the corresponding versions of
Kubuntu, Edubuntu, and Xubuntu.

The problem can be corrected by upgrading your system to the
following package versions:

Ubuntu 6.06 LTS:
  libkadm55                       1.4.3-5ubuntu0.5
  librpcsecgss1                   0.7-0ubuntu1.1

Ubuntu 6.10:
  libkadm55                       1.4.3-9ubuntu1.4
  librpcsecgss2                   0.13-2ubuntu0.1

Ubuntu 7.04:
  libkadm55                       1.4.4-5ubuntu3.2
  librpcsecgss3                   0.14-2ubuntu1.1

In general, a standard system upgrade is sufficient to effect the
necessary changes.

Details follow:

It was discovered that the libraries handling RPCSEC_GSS did not
correctly validate the size of certain packet structures. An
unauthenticated remote user could send a specially crafted request
and execute arbitrary code with root privileges.


Updated packages for Ubuntu 6.06 LTS:

  Source archives:

    http://security.ubuntu.com/ubuntu/pool/main/k/krb5/krb5_1.4.3-5ubuntu0.5.diff.gz
      Size/MD5:  1454013 e0f79745ca1acc84173b53ebb7299f4f
    http://security.ubuntu.com/ubuntu/pool/main/k/krb5/krb5_1.4.3-5ubuntu0.5.dsc
      Size/MD5:      848 128052acaa0626c68420a8f025e0edc9
    http://security.ubuntu.com/ubuntu/pool/main/k/krb5/krb5_1.4.3.orig.tar.gz
      Size/MD5:  7279788 43fe621ecb849a83ee014dfb856c54af
    http://security.ubuntu.com/ubuntu/pool/universe/libr/librpcsecgss/librpcsecgss_0.7-0ubuntu1.1.diff.gz
      Size/MD5:     2786 8d09e08f37b57a1049d0439198cbfaa0
    http://security.ubuntu.com/ubuntu/pool/universe/libr/librpcsecgss/librpcsecgss_0.7-0ubuntu1.1.dsc
      Size/MD5:      659 99959b1c73b0bdc04cc8e5e7acf2
    http://security.ubuntu.com/ubuntu/pool/universe/libr/librpcsecgss/librpcsecgss_0.7.orig.tar.gz
      Size/MD5:   344397 8bd8c6b4a330708f795550398832ac91

  Architecture independent packages:

    http://security.ubuntu.com/ubuntu/pool/main/k/krb5/krb5-doc_1.4.3-5ubuntu0.5_all.deb
      Size/MD5:   853084 461a2bb122d6303c6f5c846dfb53b5bf

  amd64 architecture (Athlon64, Opteron, EM64T Xeon):

    http://security.ubuntu.com/ubuntu/pool/main/k/krb5/libkadm55_1.4.3-5ubuntu0.5_amd64.deb
      Size/MD5:   190716 0a1e1e27fe5f4eb791d88b96f2c1983e
    http://security.ubuntu.com/ubuntu/pool/main/k/krb5/libkrb5-dev_1.4.3-5ubuntu0.5_amd64.deb
      Size/MD5:   768534 9de9b7442d9ffd52750a4b8ba1095b21
    http://security.ubuntu.com/ubuntu/pool/main/k/krb5/libkrb53_1.4.3-5ubuntu0.5_amd64.deb
      Size/MD5:   425582 a69d0d64bd365cde9da4c8f2af086db2
    http://security.ubuntu.com/ubuntu/pool/universe/k/krb5/krb5-admin-server_1.4.3-5ubuntu0.5_amd64.deb
      Size/MD5:    80256 c37c98e82a8fc59359512ec2b5a9b172
    http://security.ubuntu.com/ubuntu/pool/universe/k/krb5/krb5-clients_1.4.3-5ubuntu0.5_amd64.deb
      Size/MD5:   223090 1fe80afa39f4cb9f528442ccc095388a
    http://security.ubuntu.com/ubuntu/pool/universe/k/krb5/krb5-ftpd_1.4.3-5ubuntu0.5_amd64.deb
      Size/MD5:    60246 f43c2d363a9a9b1834590dce53eda93a
    http://security.ubuntu.com/ubuntu/pool/universe/k/krb5/krb5-kdc_1.4.3-5ubuntu0.5_amd64.deb
      Size/MD5:   135108 297d70bc92ddf59eaa337da3bdda990b
    http://security.ubuntu.com/ubuntu/pool/universe/k/krb5/krb5-rsh-server_1.4.3-5ubuntu0.5_amd64.deb
      Size/MD5:    85142 0b2014189db2b73865162079c355aacf
    http://security.ubuntu.com/ubuntu/pool/universe/k/krb5/krb5-telnetd_1.4.3-5ubuntu0.5_amd64.deb
      Size/MD5:    67480 c64caf6bee3d856ae1c1f71c07be4661
    http://security.ubuntu.com/ubuntu/pool/universe/k/krb5/krb5-user_1.4.3-5ubuntu0.5_amd64.deb
      Size/MD5:   129790 d9ef095d6680b901247affb931f0970a
    http://security.ubuntu.com/ubuntu/pool/universe/libr/librpcsecgss/librpcsecgss-dev_0.7-0ubuntu1.1_amd64.deb
      Size/MD5:    45454 8628ba9dfefcf4cf4d4a68e817f61163
    http://security.ubuntu.com/ubuntu/pool/universe/libr/librpcsecgss/librpcsecgss1_0.7-0ubuntu1.1_amd64.deb
      Size/MD5:    24530 179ab4fabbe9aa14970cf2e30fde30d2

  i386 architecture (x86 compatible Intel/AMD):

    http://security.ubuntu.com/ubuntu/pool/main/k/krb5/libkadm55_1.4.3-5ubuntu0.5_i386.deb
      Size/MD5:   165532 047ea8d0b1c916108047cbe44f276701
    http://security.ubuntu.com/ubuntu/pool/main/k/krb5/libkrb5-dev_1.4.3-5ubuntu0.5_i386.deb
      Size/MD5:   647022 6b547f81ce4ecb3d42dd633bd2b47a19
    http://security.ubuntu.com/ubuntu/pool/main/k/krb5/libkrb53_1.4.3-5ubuntu0.5_i386.deb
      Size/MD5:   380992 b307b278bcefd4b107a85eae0b5c98e3
    http://security.ubuntu.com/ubuntu/pool/universe/k/krb5/krb5-admin-server_1.4.3-5ubuntu0.5_i386.deb
      Size/MD5:    72194 bc9c6f66b96ecb20124b5d2dffa302cd
    http://security.ubuntu.
[ MDKSA-2007:173 ] - Updated tar packages fix vulnerabilities
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

 _______________________________________________________________________

 Mandriva Linux Security Advisory                         MDKSA-2007:173
 http://www.mandriva.com/security/
 _______________________________________________________________________

 Package : tar
 Date    : September 4, 2007
 Affected: 2007.0, 2007.1, Corporate 4.0
 _______________________________________________________________________

 Problem Description:

 Dmitry V. Levin discovered a path traversal flaw in how GNU tar
 extracted archives. A malicious user could create a tar archive that
 could write to arbitrary files that the user running tar has write
 access to.

 Updated packages have been patched to prevent these issues.
 _______________________________________________________________________

 References:

 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-4131
 _______________________________________________________________________

 Updated Packages:

 Mandriva Linux 2007.0:
 8f82a3a1e903928948584afac733c0be  2007.0/i586/tar-1.15.91-1.2mdv2007.0.i586.rpm
 65e7c9a6300a397c71cbfe1c1854e491  2007.0/SRPMS/tar-1.15.91-1.2mdv2007.0.src.rpm

 Mandriva Linux 2007.0/X86_64:
 e4d6a38673a213ee0011624ecd6b5667  2007.0/x86_64/tar-1.15.91-1.2mdv2007.0.x86_64.rpm
 65e7c9a6300a397c71cbfe1c1854e491  2007.0/SRPMS/tar-1.15.91-1.2mdv2007.0.src.rpm

 Mandriva Linux 2007.1:
 003db92130c44646c89d127db26a4fd8  2007.1/i586/tar-1.16-3.1mdv2007.1.i586.rpm
 d929dd2ef2716987b8890542fb762693  2007.1/SRPMS/tar-1.16-3.1mdv2007.1.src.rpm

 Mandriva Linux 2007.1/X86_64:
 92323c0cb0bd466e2a35e6b02f01778b  2007.1/x86_64/tar-1.16-3.1mdv2007.1.x86_64.rpm
 d929dd2ef2716987b8890542fb762693  2007.1/SRPMS/tar-1.16-3.1mdv2007.1.src.rpm

 Corporate 4.0:
 ecc995d361f75e3618cb23e000f012cf  corporate/4.0/i586/tar-1.15.1-5.3.20060mlcs4.i586.rpm
 1831cb7c8437d7f68c6e53d3980a0049  corporate/4.0/SRPMS/tar-1.15.1-5.3.20060mlcs4.src.rpm

 Corporate 4.0/X86_64:
 61513a4da673ea8d5ffb4fe26f346488  corporate/4.0/x86_64/tar-1.15.1-5.3.20060mlcs4.x86_64.rpm
 1831cb7c8437d7f68c6e53d3980a0049  corporate/4.0/SRPMS/tar-1.15.1-5.3.20060mlcs4.src.rpm
 _______________________________________________________________________

 To upgrade automatically use MandrivaUpdate or urpmi.  The verification
 of md5 checksums and GPG signatures is performed automatically for you.

 All packages are signed by Mandriva for security.  You can obtain the
 GPG public key of the Mandriva Security Team by executing:

  gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98

 You can view other update advisories for Mandriva Linux at:

  http://www.mandriva.com/security/advisories

 If you want to report vulnerabilities, please contact

  security_(at)_mandriva.com
 _______________________________________________________________________

 Type Bits/KeyID     Date       User ID
 pub  1024D/22458A98 2000-07-10 Mandriva Security Team

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.7 (GNU/Linux)

iD8DBQFG3eWimqjQ0CJFipgRAnYAAJ0RL4xQslR0uit2VfqOLtshNBWACwCgxbh8
nMLWpKWv+9ZVFr3CDD5CNc4=
=lmMn
-----END PGP SIGNATURE-----
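The advisory above describes the general class of bug (an archive member name that escapes the extraction directory) but not the check an extractor needs. The following is an added example, not GNU tar's code and not the specific GNU tar fix for CVE-2007-4131: a member-name validator that rejects absolute names and any ".." path component, including ones hidden behind doubled slashes. The function name and the sample names in the comments are this example's own.

```c
/* Added example (not GNU tar's code): validate an archive member name
 * before creating anything under the extraction directory.
 *
 * Rejects: empty names, absolute names ("/etc/passwd"), and any ".."
 * component anywhere in the path ("../x", "a/../../x", "a//../b").
 * Accepts: relative names whose components are never exactly "..",
 * so "a/..b/c" and "dir/" are fine. */
#include <string.h>

int tar_member_name_is_safe(const char *name)
{
    if (name == NULL || *name == '\0')
        return 0;
    if (name[0] == '/')                 /* absolute: escapes the target dir */
        return 0;

    const char *p = name;
    for (;;) {
        const char *end = strchr(p, '/');
        size_t len = end ? (size_t)(end - p) : strlen(p);

        /* A component that is exactly ".." climbs out of the target dir.
         * Empty components ("a//b") are skipped, so "a//../b" is still
         * caught on the following component. */
        if (len == 2 && p[0] == '.' && p[1] == '.')
            return 0;
        if (end == NULL)
            break;
        p = end + 1;
    }
    return 1;
}
```

An extractor would call this on every header before opening the output path; a rejected name should abort or skip the member, never be "cleaned up" by stripping the offending parts, since that changes where the data lands.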
rPSA-2007-0176-1 gd php php-mysql php-pgsql php5 php5-cgi php5-mysql php5-pear php5-pgsql php5-soap php5-xsl
rPath Security Advisory: 2007-0176-1
Published: 2007-09-05
Products: rPath Linux 1
Rating: Major
Exposure Level Classification:
    Indirect User Deterministic Unauthorized Access
Updated Versions:
    gd=/[EMAIL PROTECTED]:devel//1/2.0.33-4.5-1
    php=/[EMAIL PROTECTED]:devel//1/4.3.11-15.13-1
    php-mysql=/[EMAIL PROTECTED]:devel//1/4.3.11-15.13-1
    php-pgsql=/[EMAIL PROTECTED]:devel//1/4.3.11-15.13-1
    php5=/[EMAIL PROTECTED]:1/5.2.3-7-1
    php5-cgi=/[EMAIL PROTECTED]:1/5.2.3-7-1
    php5-mysql=/[EMAIL PROTECTED]:1/5.2.3-7-1
    php5-pear=/[EMAIL PROTECTED]:1/5.2.3-7-1
    php5-pgsql=/[EMAIL PROTECTED]:1/5.2.3-7-1
    php5-soap=/[EMAIL PROTECTED]:1/5.2.3-7-1
    php5-xsl=/[EMAIL PROTECTED]:1/5.2.3-7-1

References:
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-3472
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-3473
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-3474
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-3475
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-3476
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-3477
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-3478
    https://issues.rpath.com/browse/RPL-1643

Description:
    Previous versions of the gd, php, and php5 packages are vulnerable
    to multiple attacks in which an attacker may cause unbounded CPU
    consumption or application crashes (Denial of Service), possibly
    leading to the execution of malicious code (Unauthorized Access).

    These attacks are generally limited to uses of the gd library to
    load existing images rather than generate new images. Many
    applications that use gd (including all uses of gd within rPath
    Linux) use gd only for generating new images, not for loading
    existing images. While rPath Linux itself is not vulnerable to
    these attacks, some uses of gd, particularly when loading
    attacker-supplied images, will be vulnerable. Some applications
    which use gd to load images supplied by remote users are web
    applications written in PHP.

Copyright 2007 rPath, Inc.
This file is distributed under the terms of the MIT License.
A copy is available at http://www.rpath.com/permanent/mit-license.html
Cisco Security Advisory: Cisco Video Surveillance IP Gateway and Services Platform Authentication Vulnerabilities
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Cisco Security Advisory: Cisco Video Surveillance IP Gateway and Services Platform Authentication Vulnerabilities

Advisory ID: cisco-sa-20070905-video

http://www.cisco.com/warp/public/707/cisco-sa-20070905-video.shtml

Revision 1.0

For Public Release 2007 September 5 1600 UTC (GMT)

+ ---------------------------------------------------------------------

Summary
=======

Cisco Video Surveillance IP Gateway video encoder and decoder, Services
Platform (SP), and Integrated Services Platform (ISP) devices contain
authentication vulnerabilities that allow remote users with network
connectivity to gain complete administrative control of vulnerable
devices.

There are no workarounds for these vulnerabilities.

Cisco has made free software available to address these vulnerabilities
for affected customers.

This advisory is posted at
http://www.cisco.com/warp/public/707/cisco-sa-20070905-video.shtml.

Affected Products
=================

Vulnerable Products
+------------------

These products are vulnerable:

  * Cisco Video Surveillance IP Gateway Encoder/Decoder (Standalone and
    Module) firmware version 1.8.1 and earlier
  * Cisco Video Surveillance SP/ISP Decoder Software firmware version
    1.11.0 and earlier
  * Cisco Video Surveillance SP/ISP firmware version 1.23.7 and earlier

Users should consult their Stream Manager configuration management tool
to determine the versions of firmware installed on deployed video
surveillance devices.

Products Confirmed Not Vulnerable
+--------------------------------

No other Cisco products are currently known to be affected by these
vulnerabilities.

Details
=======

Cisco Video Surveillance IP Gateway video encoders and decoders allow
the video feeds of cameras to be sent over an IP network. This function
provides an upgrade path for users to convert from existing analog
surveillance systems. Cisco Video Surveillance Services Platforms and
Integrated Services Platforms record and aggregate video feeds received
from IP Gateways. Stored video can be viewed and manipulated using the
Cisco Video Surveillance Stream Manager software.

  * IP Gateway Encoder/Decoder Telnet Authentication Vulnerability:

    The Telnet server installed on Cisco Video Surveillance IP Gateway
    video encoders and decoders does not prompt for authentication.
    This may allow a remote user with network connectivity to gain
    interactive shell access with administrative privileges on
    vulnerable devices. This issue is documented in Cisco Bug ID
    CSCsj31729.

  * Services Platform/Integrated Services Platform Default
    Authentication Vulnerability:

    Cisco Video Surveillance Services Platform and Integrated Services
    Platform devices ship with default passwords for the sypixx and
    root user accounts. Users are not able to change these passwords
    due to application requirements. Users with knowledge of the
    default passwords may be able to gain interactive shell access with
    administrative privileges to vulnerable devices. This issue is
    documented in Cisco Bug ID CSCsj34681.

Vulnerability Scoring Details
+----------------------------

Cisco is providing scores for the vulnerabilities in this advisory
based on the Common Vulnerability Scoring System (CVSS). The CVSS
scoring in this Security Advisory is done in accordance with CVSS
version 2.0.

Cisco will provide a base and temporal score. Customers can then
compute environmental scores to assist in determining the impact of the
vulnerabilities in individual networks.

CVSS is a standards based scoring method that conveys vulnerability
severity and helps determine urgency and priority of response.

Cisco has provided a FAQ to answer additional questions regarding CVSS
at http://www.cisco.com/web/about/security/intelligence/cvss-qandas.html

Cisco has also provided a CVSS calculator to help compute the
environmental impact for individual networks at
http://intellishield.cisco.com/security/alertmanager/cvss

CSCsj31729 - Encoder/Decoder Telnet Daemon Fails to Authenticate

CVSS Base Score - 10.0
    Access Vector -           Network
    Access Complexity -       Low
    Authentication -          None
    Confidentiality Impact -  Complete
    Integrity Impact -        Complete
    Availability Impact -     Complete

CVSS Temporal Score - 8.7
    Exploitability -          High
    Remediation Level -       Official-Fix
    Report Confidence -       Confirmed

CSCsj34681 - Services Platform Contains Default Authentication Credentials

CVSS Base Score - 9.0
    Access Vector -           Network
    Access Complexity -       Low
    Authentication -          Single Instance
    Confidentiality Impact -  Complete
    Integrity Impact -        Complete
    Availability Impact -     Complete

CVSS Temporal Score - 7.8
    Exploitability -          High
    Remediation Level -       Official-Fix
    Report Confidence -       Confirmed

Impact
Cisco Security Advisory: Denial of Service Vulnerabilities in Content Switching Module
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Cisco Security Advisory: Denial of Service Vulnerabilities in Content Switching Module

Document ID: 97826

Advisory ID: cisco-sa-20070905-csm

http://www.cisco.com/warp/public/707/cisco-sa-20070905-csm.shtml

Revision 1.0

For Public Release 2007 September 5 1600 UTC (GMT)

- ---------------------------------------------------------------------

Summary
=======

The Cisco Content Switching Modules (CSM) and Cisco Content Switching
Module with SSL (CSM-S) contain two vulnerabilities that can lead to a
denial of service (DoS) condition. The first vulnerability exists when
processing TCP packets, and the second vulnerability affects devices
with service termination enabled.

Cisco has made free software available to address these vulnerabilities
for affected customers.

This advisory is posted at
http://www.cisco.com/warp/public/707/cisco-sa-20070905-csm.shtml

Affected Products
=================

Vulnerable Products
+------------------

These vulnerabilities were identified in CSM software version 4.2 and
CSM-S software version 2.1. The following table helps illustrate the
vulnerable software versions for these products:

    +------------------------------------------+
    | Vulnerability  |    CSM     |   CSM-S    |
    |----------------+------------+------------|
    | TCP packet     | 4.2 Prior  | 2.1 Prior  |
    | Processing     | to 4.2.3a  | to 2.1.2a  |
    | DOS            |            |            |
    |----------------+------------+------------|
    | Service        | 4.2 Prior  | 2.1 Prior  |
    | Termination    | to 4.2.7   | to 2.1.6   |
    +------------------------------------------+

To determine the software running on a Content Switching Module, log in
to the Catalyst switch and issue the show version command. The
following example shows a CSM running software version 4.2(2) in a
Supervisor running CatOS. Supervisors running CatOS or IOS will have
similar output. The version of the CSM is shown on the module labeled
WS-X6066-SLB-APC as illustrated in the following output.

    Console> show version
    WS-C6506 Software, Version NmpSW: 7.6(9)
    Copyright (c) 1995-2004 by Cisco Systems
    NMP S/W compiled on Aug 27 2004, 20:05:14

    System Bootstrap Version: 7.1(1)
    System Boot Image File is 'disk0:cat6000-sup2k8.7-6-9.bin'
    System Configuration register is 0x2102

    Hardware Version: 3.0  Model: WS-C6506  Serial #: TBA05360375

    PS1  Module: WS-CAC-1300W    Serial #: ACP05061071
    PS2  Module: WS-CAC-1300W    Serial #: ACP05060407

    Mod Port Model               Serial #    Versions
    --- ---- ------------------- ----------- -----------------
    1   2    WS-X6K-SUP2-2GE     SAD055104YY Hw : 3.2
                                             Fw : 7.1(1)
                                             Fw1: 6.1(3)
                                             Sw : 7.6(9)
                                             Sw1: 7.6(9)
             WS-F6K-PFC2         SAD055104H5 Hw : 3.0
                                             Sw :
             WS-X6K-SUP2-2GE     SAD055104YY Hw : 3.2
                                             Sw :
    2   48   WS-X6248-RJ-45      SAD0501084U Hw : 1.4
                                             Fw : 5.4(2)
                                             Sw : 7.6(9)
    5   4    WS-X6066-SLB-APC    SAD105003DW Hw : 1.9
                                             Fw :
                                             Sw : 4.2(2)

           DRAM                    FLASH                   NVRAM
    Module Total   Used    Free    Total   Used    Free    Total Used  Free
    ------ ------- ------- ------- ------- ------- ------- ----- ----- -----
    1      262144K  70354K 191790K  32768K  23251K   9517K  512K  253K  259K

    Uptime is 43 days, 22 hours, 7 minutes

The following configuration segment shows a vserver with service
terminations enabled:

    vserver WWW:2
      virtual x.x.x.x tcp www service termination

Products Confirmed Not Vulnerable
+--------------------------------

Only Catalyst CSM modules running indicated 4.2 versions are affected
by these vulnerabilities. CSM software versions 4.1, 3.2 and 3.1 are
not affected by these vulnerabilities.

Catalyst CSM-S modules running indicated 2.1 versions are the only
vulnerable versions of software for that product.

No other Cisco products are currently known to be affected by this
vulnerability. The Cisco Secure Content Accelerator is not affected by
this vulnerability.

Details
=======

The Catalyst CSM is an integrated Server Load Balancing line card for
the Catalyst 6500 and 7600 Series designed to enhance the response time
for client traffic to end points including servers, caches, firewalls,
Secure Sockets Layer (SSL) devices, and VPN termination devices.

The Catalyst 6500 CSM-S combines high-performance server load balancing
(SLB) with Secure Socket Layer (SSL) offload. The CSM-S is similar to
the CSM; however, it can a
PHP < 5.2.3 glob() denial of service
Application: PHP < 5.2.3
Web Site: http://php.net
Platform: unix
Bug: denial of service
function: glob()
special condition: default php memory-limit value

=========================
1) Introduction
2) Bug
3) Proof of concept
4) Greets
5) Credits
=========================

=========================
1) Introduction
=========================

"PHP is a widely-used general-purpose scripting language that is
especially suited for Web development and can be embedded into HTML."

=========================
2) Bug
=========================

glob() is vulnerable to a denial of service

=========================
3) Proof of concept
=========================

Proof of concept example :

result:

(gdb) run ./3.php

Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread -1215031616 (LWP 11156)]
0xb79d3a5a in globfree () from /lib/tls/i686/cmov/libc.so.6

=========================
4) Greets
=========================

Ivanlef0u, Deimos, benji, soh, and everyone on worldnet: #futurezone & #nibbles

=========================
5) Credits
=========================

Laurent gaffie
contact : [EMAIL PROTECTED]
stay tuned, site coming soon
PHP < 5.2.4 setlocale() denial of service
Application: PHP < 5.2.4
Web Site: http://php.net
Platform: unix
Bug: denial of service
function: setlocale()
special condition: default php-memory-limit

=========================
1) Introduction
2) Bug
3) Proof of concept
4) Greets
5) Credits
=========================

=========================
1) Introduction
=========================

"PHP is a widely-used general-purpose scripting language that is
especially suited for Web development and can be embedded into HTML."

=========================
2) Bug
=========================

setlocale() is vulnerable to a denial of service

=========================
3) Proof of concept
=========================

Proof of concept example :

result:

(gdb) run ./1.php

Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread -1215805760 (LWP 10504)]
0xb78a584b in setlocale () from /lib/tls/i686/cmov/libc.so.6

=========================
4) Greets
=========================

Ivanlef0u, Deimos, benji, soh, and everyone on worldnet: #futurezone & #nibbles

=========================
5) Credits
=========================

Laurent gaffie
contact : [EMAIL PROTECTED]
stay tuned, site coming soon
Format string and clients disconnection in Alien Arena 2007 6.10
#######################################################################

                             Luigi Auriemma

Application:  Alien Arena 2007
              http://red.planetarena.org
Versions:     <= 6.10 and current SVN
Platforms:    Windows and Linux
Bugs:         A] in-game format string in safe_bprintf
              B] clients disconnection through spoofed client_connect
Exploitation: A] remote versus server
              B] remote versus clients
Date:         05 Sep 2007
Author:       Luigi Auriemma
              e-mail: [EMAIL PROTECTED]
              web:    aluigi.org

#######################################################################

1) Introduction
2) Bugs
3) The Code
4) Fix

#######################################################################

===============
1) Introduction
===============

Alien Arena 2007 is an open source FPS game developed by COR
Entertainment (alias John "Irritant" Diamond) and based on the GPL code
of the Quake 2 engine.

#######################################################################

=======
2) Bugs
=======

---------------------------------------
A] in-game format string in safe_bprintf
---------------------------------------

A format string vulnerability is located in the safe_bprintf function
caused by the usage of cprintf without the needed format argument.
The bug can be exploited in-game (so with the usual possible password
and banning limitations) using a malformed nickname:

from game/acesrc/acebot_cmds.c:

void safe_bprintf (int printlevel, char *fmt, ...)
{
	int i;
	char	bigbuffer[0x10000];
	int		len;
	va_list		argptr;
	edict_t	*cl_ent;

	va_start (argptr,fmt);
	len = vsprintf (bigbuffer,fmt,argptr);
	va_end (argptr);

	if (dedicated->value)
		gi.cprintf(NULL, printlevel, bigbuffer);   /* bigbuffer used as the format string */

	for (i=0 ; i<maxclients->value ; i++)
	{
		cl_ent = g_edicts + 1 + i;
		if (!cl_ent->inuse || cl_ent->is_bot)
			continue;

		gi.cprintf(cl_ent, printlevel, bigbuffer);   /* same here, once per client */
	}
}

---------------------------------------------------------
B] clients disconnection through spoofed client_connect
---------------------------------------------------------

When queried, the game server returns a lot of information, including
the list of players who are currently playing and their IP addresses
too.
Although the Quake 2 protocol isn't prone to spoofing attacks (unlike
what happens with Quake 3 and the disconnect packet), here it is
possible to block and disconnect all the clients which are playing on
the server simply by using the "client_connect" command.
So an attacker needs only to query the server, get the list of IP:port
of the players and send this command to them using the IP and the port
of the server as source.
The client will no longer be able to move or send commands in the
server and after some minutes it will time out; until this moment it
cannot rejoin the same server.

#######################################################################

===========
3) The Code
===========

http://aluigi.org/poc/aa2k7x.zip

#######################################################################

======
4) Fix
======

No fix.
The developer has not been contacted because he is too stupid to
understand a bug report:
http://www.quakesrc.org/forums/viewtopic.php?t=6843&start=1

#######################################################################

---
Luigi Auriemma
http://aluigi.org
http://mirror.aluigi.org
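The safe_bprintf listing in the advisory above formats a message and then hands the result to cprintf as the format argument. The following is an added example, not Alien Arena's code: the same pattern in a self-contained form, with a hypothetical fake_cprintf standing in for gi.cprintf (a variadic printf-style sink that writes into a buffer, so the effect of a crafted nickname can be checked), beside the one-token fix of passing the text through a fixed "%s" format. The nickname used is "100%%", which the vulnerable path collapses to "100%" because the "%%" is interpreted as a directive; a "%x" or "%n" nickname would walk the same path with far worse effect, reading or writing the stack, and is deliberately not executed here.

```c
/* Added example, not the game's code: the safe_bprintf pattern and its fix. */
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

static char out[256];   /* what the "client console" would receive */

/* Stand-in for gi.cprintf (hypothetical): a variadic printf-style sink. */
static void fake_cprintf(const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    vsnprintf(out, sizeof out, fmt, ap);
    va_end(ap);
}

/* Vulnerable shape: format the message, then hand the RESULT to the sink
 * as its format string. Any '%' in player-controlled data (the nickname
 * substituted for %s) is interpreted by the second formatter. */
void bprintf_vuln(const char *fmt, ...)
{
    char bigbuffer[256];
    va_list ap;
    va_start(ap, fmt);
    vsnprintf(bigbuffer, sizeof bigbuffer, fmt, ap);
    va_end(ap);
    fake_cprintf(bigbuffer);            /* user data reaches a format slot */
}

/* Hardened shape: identical, except the formatted text travels as an
 * argument to a constant "%s" format, so '%' in player data stays literal. */
void bprintf_fixed(const char *fmt, ...)
{
    char bigbuffer[256];
    va_list ap;
    va_start(ap, fmt);
    vsnprintf(bigbuffer, sizeof bigbuffer, fmt, ap);
    va_end(ap);
    fake_cprintf("%s", bigbuffer);      /* constant format, data as argument */
}

/* Announce a join with the given nickname through each path and report
 * whether the nickname survived verbatim in the delivered text. */
int join_announce_vuln(const char *nick)
{
    bprintf_vuln("%s entered the game\n", nick);
    return strstr(out, nick) != NULL;
}

int join_announce_fixed(const char *nick)
{
    bprintf_fixed("%s entered the game\n", nick);
    return strstr(out, nick) != NULL;
}

const char *last_output(void) { return out; }

int main(void)
{
    join_announce_vuln("100%%");
    printf("vulnerable path delivered: %s", out);   /* 100% entered the game */
    join_announce_fixed("100%%");
    printf("fixed path delivered:      %s", out);   /* 100%% entered the game */
    return 0;
}
```

The fix is the same one that applies to every printf-family call in the engine: the format argument must be a string literal, and anything derived from network input is only ever an argument to it. Compiling with -Wformat-security flags the vulnerable call.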
PHP < 5.2.3 fnmatch() denial of service
Application: PHP < 5.2.3
Web Site: http://php.net
Platform: unix
Bug: denial of service
function: fnmatch()
special condition: default php-memory-limit

=========================
1) Introduction
2) Bug
3) Proof of concept
4) Greets
5) Credits
=========================

=========================
1) Introduction
=========================

"PHP is a widely-used general-purpose scripting language that is
especially suited for Web development and can be embedded into HTML."

=========================
2) Bug
=========================

fnmatch() is vulnerable to a denial of service

=========================
3) Proof of concept
=========================

Proof of concept example :

result:

(gdb) run 2.php

Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread -1215469888 (LWP 11079)]
0xb7970d99 in fnmatch () from /lib/tls/i686/cmov/libc.so.6

=========================
4) Greets
=========================

Ivanlef0u, Deimos, benji, soh, and everyone on worldnet: #futurezone & #nibbles

=========================
5) Credits
=========================

Laurent gaffie
contact : [EMAIL PROTECTED]
stay tuned, site coming soon
PHP <=5.2.4 iconv_substr() denial of service
Application: PHP <= 5.2.4
Web Site: http://php.net
Platform: unix
Bug: denial of service
function: iconv_substr()
special condition: default php-memory-limit

=========================
1) Introduction
2) Bug
3) Proof of concept
4) Greets
5) Credits
=========================

=========================
1) Introduction
=========================

"PHP is a widely-used general-purpose scripting language that is
especially suited for Web development and can be embedded into HTML."

=========================
2) Bug
=========================

iconv_substr() is vulnerable to a denial of service

=========================
3) Proof of concept
=========================

Proof of concept example :

result:

(gdb) run 2.php
/* (2 mn later...) */

Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread -1215904064 (LWP 11430)]
0xb796e1af in _dl_open () from /lib/tls/i686/cmov/libc.so.6

=========================
4) Greets
=========================

Ivanlef0u, Deimos, Benji, Berga, Soh, and everyone from worldnet: #futurezone & #nibbles

=========================
5) Credits
=========================

Laurent gaffie
contact : [EMAIL PROTECTED]
stay tuned, site coming soon
rPSA-2007-0177-1 kdebase kdelibs
rPath Security Advisory: 2007-0177-1
Published: 2007-09-05
Products: rPath Linux 1
Rating: Minor
Exposure Level Classification:
    Indirect User Deterministic Weakness
Updated Versions:
    kdebase=/[EMAIL PROTECTED]:devel//1/3.4.2-3.12-1
    kdelibs=/[EMAIL PROTECTED]:devel//1/3.4.2-5.15-1

References:
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-4224
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-4225
    https://issues.rpath.com/browse/RPL-1615

Description:
    Previous versions of the kdebase and kdelibs packages permit
    multiple URL address-bar spoofing attacks against the Konqueror
    web browser.

Copyright 2007 rPath, Inc.
This file is distributed under the terms of the MIT License.
A copy is available at http://www.rpath.com/permanent/mit-license.html
Re: Olate Download 3.4.2 ~ userupload.php ~ Upload Executable Files
Unfortunately, users can upload files by default. Olate 3.4.2 checks the
extension of the uploaded file and by default you can't upload anything.
The admin has to indicate which extensions are allowed for uploading.

Here is the code (excerpt from userupload.php):

    if ($site_config['enable_useruploads'] == 1) {
        // Upload file
        if (isset($_FILES['uploadfile'])) {
            $ext = strrchr($_FILES['uploadfile']['name'], '.');
            $allowed_ext = explode(',', $site_config['uploads_allowed_ext']);
            if (in_array($ext, $allowed_ext)) {

Good Luck.

On Friday 31 August 2007, imei Addmimistrator wrote:
> VISIT ORIGINAL ADVISORY FOR MORE DETAILS
> http://myimei.com/security/2007-09-01/olate-download-342-useruploadphp-upload-executable-files.html
> VISIT ORIGINAL ADVISORY FOR MORE DETAILS
>
> ------- Summary -------
> Software: Olate Download
> Software's Web Site: http://www.olate.co.uk/
> Versions: 3.4.2
> Class: Remote
> Status: Unpatched
> Exploit: Available
> Solution: Not Available
> Discovered by: imei Addmimistrator
> Risk Level: High
>
> VISIT ORIGINAL ADVISORY FOR MORE DETAILS
> http://myimei.com/security/2007-09-01/olate-download-342-useruploadphp-upload-executable-files.html
> VISIT ORIGINAL ADVISORY FOR MORE DETAILS
rPSA-2007-0178-1 fetchmail
rPath Security Advisory: 2007-0178-1
Published: 2007-09-05
Products: rPath Linux 1
Rating: Minor
Exposure Level Classification:
    Indirect User Non-deterministic Denial of Service
Updated Versions:
    fetchmail=/[EMAIL PROTECTED]:devel//1/6.3.8-0.3-1

References:
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-4565
    https://issues.rpath.com/browse/RPL-1690

Description:
    Previous versions of the fetchmail package may crash when attempting
    to deliver an internal warning or error message through an untrusted
    or compromised SMTP server, leading to a possible Denial of Service.

Copyright 2007 rPath, Inc.
This file is distributed under the terms of the MIT License.
A copy is available at http://www.rpath.com/permanent/mit-license.html
updated patch: MITKRB5-SA-2007-006: kadmind RPC lib buffer overflow, uninitialized pointer
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

The MIT Kerberos Team has discovered a problem with the originally
published patch for svc_auth_gss.c [CVE-2007-3999], which allowed a
32-byte overflow. Depending on the compilation environment and machine
architecture, this may or may not be a significant continued
vulnerability. The new patch in the updated advisory (below) correctly
checks the buffer length.

Thanks to Kevin Coffman (UMich), Will Fiveash (Sun), and Nico Williams
(Sun) for discovering the bug in the initial CVE-2007-3999 patch and for
help with developing the revised patch for CVE-2007-3999.

                 MIT krb5 Security Advisory 2007-006
                 Original release: 2007-09-04
                 Last update: 2007-09-05

Topic: kadmind RPC lib buffer overflow, uninitialized pointer

[CVE-2007-3999/VU#883632] RPC library buffer overflow

CVSSv2 Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C/E:POC/RL:OF/RC:C

CVSSv2 Base Score:      10

Access Vector:          Network
Access Complexity:      Low
Authentication:         None
Confidentiality Impact: Complete
Integrity Impact:       Complete
Availability Impact:    Complete

CVSSv2 Temporal Score:  7.8

Exploitability:         Proof-of-Concept
Remediation Level:      Official Fix
Report Confidence:      Confirmed

[CVE-2007-4000/VU#377544] kadmind uninitialized pointer

CVSSv2 Vector: AV:N/AC:H/Au:S/C:C/I:C/A:C/E:POC/RL:OF/RC:C

See DETAILS for the expanded CVSSv2 metrics for this vulnerability.

SUMMARY
=======

This advisory concerns two vulnerabilities. CVE-2007-3999 is much
easier to exploit than CVE-2007-4000.

[CVE-2007-3999]

The MIT krb5 Kerberos administration daemon (kadmind) is vulnerable to
a stack buffer overflow in the RPCSEC_GSS authentication flavor of the
RPC library. Third-party applications using the RPC library provided
with MIT krb5 may also be affected.

We have received a proof-of-concept exploit that does not appear to
execute malicious code, and we believe that this exploit is not
publicly circulated.

This is a bug in the RPC library in MIT krb5. It is not a bug in the
Kerberos protocol.

[CVE-2007-4000]

The MIT krb5 Kerberos administration daemon (kadmind) can write data
through an uninitialized pointer.

We know of no working exploit code for this vulnerability, and do not
believe that any exploit code for this vulnerability is circulating.

This is a bug in the kadmind in MIT krb5. It is not a bug in the
Kerberos protocol.

IMPACT
======

[CVE-2007-3999]

An unauthenticated remote user may be able to cause a host running
kadmind to execute arbitrary code.

[CVE-2007-4000]

An authenticated user with "modify policy" privilege may be able to
cause a host running kadmind to execute arbitrary code.

Successful exploitation of either vulnerability can compromise the
Kerberos key database and host security on the KDC host. (kadmind
typically runs as root.)

Unsuccessful exploitation attempts will likely result in kadmind
crashing.

Third-party applications calling the RPC library provided with MIT
krb5 may be vulnerable to CVE-2007-3999.

AFFECTED SOFTWARE
=================

[CVE-2007-3999]

* kadmind in MIT releases krb5-1.4 through krb5-1.6.2

* third-party RPC server programs linked against the RPC library
  included in MIT releases krb5-1.4 through krb5-1.6.2

* MIT releases prior to krb5-1.4 did not contain the vulnerable code

[CVE-2007-4000]

* kadmind in MIT releases krb5-1.5 through krb5-1.6.2

* MIT releases prior to krb5-1.5 did not contain the vulnerable code

FIXES
=====

* The patch for CVE-2007-3999 has been revised; the patch originally
  released for svc_auth_gss.c allowed a 32-byte overflow. Depending on
  the compilation environment and machine architecture, this may or
  may not be a significant continued vulnerability. The new patch
  below correctly checks the buffer length.

* The upcoming krb5-1.6.3 release, as well as the upcoming krb5-1.5.5
  maintenance release, will contain fixes for this vulnerability. Prior
  to that release you may apply the following patch. Note that
  releases prior to krb5-1.5 will not need the svr_policy.c patch.
*** src/lib/kadm5/srv/svr_policy.c (revision 20254) - --- src/lib/kadm5/srv/svr_policy.c(local) *** *** 211,218 if((mask & KADM5_POLICY)) return KADM5_BAD_MASK; ! ret = krb5_db_get_policy(handle->context, entry->policy, &p, &cnt); ! if( ret && (cnt==0) ) return KADM5_UNK_POLICY; if ((mask & KADM5_PW_MAX_LIFE)) - --- 211,219 if((mask & KADM5_POLICY)) return KADM5_BAD_MASK; ! if ((ret = krb5_db_get_policy(handle->context, entry->policy, &p, &cnt))) ! return ret; ! if (cnt != 1) return KADM5_UNK_POLICY; if ((mask & KADM5_PW_MAX_LIFE)) *** src/lib/rpc/svc_auth_gss.c (revision 20474) - --- src/lib/rpc/svc_auth_gss.c(local) *** *** 355,360 - --- 355,369 memset(rpchdr, 0, sizeof(rpchdr));
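Review bot: in the svr_policy.c hunk the original guard `if( ret && (cnt==0) )` only rejected the lookup when the call failed AND cnt was zero, so a failed `krb5_db_get_policy` that left cnt nonzero fell through with `p` never assigned, which is the uninitialized-pointer write the advisory describes; the replacement returns `ret` on any error and then separately requires `cnt != 1` to fail with KADM5_UNK_POLICY, which closes that path. One thing to confirm for the new `if (cnt != 1)` line: a successful lookup returning more than one entry is now treated as unknown policy rather than using the first entry, so this is a behaviour change if the backend can ever return cnt > 1. The svc_auth_gss.c hunk is cut off after the `memset(rpchdr, 0, sizeof(rpchdr));` context line, so the revised length check the text refers to cannot be reviewed from what is shown here.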
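The updated advisory says the first svc_auth_gss.c patch still allowed a 32-byte overflow and the revised one "correctly checks the buffer length", but the hunk that shows it is truncated above. The following is an added illustration of that class of mistake, not the krb5 patch itself: the layout is an assumption chosen for the example (a fixed 128-byte on-stack buffer that already holds a 32-byte fixed header before the caller-supplied credential is copied in), and the names RPCHDR_SIZE, HDR_BYTES, check_len_wrong, check_len_right, build_rpchdr and demo_accept are this example's own. It shows why a check that compares the credential length against the whole buffer, rather than against the space left after the header, lets exactly HDR_BYTES bytes run past the end.

```c
/* Added example, not the MIT krb5 code: a length check that forgets the
 * bytes already in the buffer, beside the corrected form. */
#include <stdint.h>
#include <string.h>

#define HDR_BYTES   32      /* fixed header already in the buffer (assumed) */
#define RPCHDR_SIZE 128     /* size of the on-stack buffer (assumed) */

struct opaque_auth {
    const uint8_t *oa_base;     /* credential bytes from the peer */
    uint32_t       oa_length;   /* peer-supplied length */
};

/* Wrong: compares the credential with the WHOLE buffer, ignoring the
 * HDR_BYTES that precede it, so up to HDR_BYTES bytes land past the end. */
int check_len_wrong(uint32_t oa_length)
{
    return oa_length <= RPCHDR_SIZE;
}

/* Right: the credential must fit in what remains after the header. */
int check_len_right(uint32_t oa_length)
{
    return oa_length <= RPCHDR_SIZE - HDR_BYTES;
}

/* Assemble header + credential into rpchdr (RPCHDR_SIZE bytes) using the
 * corrected check. Returns bytes written, or 0 if the credential is
 * rejected. Never writes past rpchdr. */
size_t build_rpchdr(uint8_t *rpchdr, const uint8_t *hdr,
                    const struct opaque_auth *oa)
{
    if (!check_len_right(oa->oa_length))
        return 0;
    memset(rpchdr, 0, RPCHDR_SIZE);
    memcpy(rpchdr, hdr, HDR_BYTES);
    memcpy(rpchdr + HDR_BYTES, oa->oa_base, oa->oa_length);
    return HDR_BYTES + oa->oa_length;
}

/* How many bytes the wrong check would let run past the buffer for a
 * given credential length (0 when it fits or is rejected). At the largest
 * accepted length this is HDR_BYTES, i.e. 32: the figure in the advisory. */
uint32_t overflow_bytes_with_wrong_check(uint32_t oa_length)
{
    if (!check_len_wrong(oa_length))
        return 0;
    uint32_t total = HDR_BYTES + oa_length;
    return total > RPCHDR_SIZE ? total - RPCHDR_SIZE : 0;
}

/* Drive build_rpchdr with a constructed header and credential of the
 * requested length; returns bytes written (0 = rejected). */
size_t demo_accept(uint32_t cred_len)
{
    uint8_t rpchdr[RPCHDR_SIZE];
    uint8_t hdr[HDR_BYTES];
    uint8_t cred[RPCHDR_SIZE];          /* constructed sample credential */
    struct opaque_auth oa;

    if (cred_len > sizeof cred)
        return 0;
    memset(hdr, 0xAA, sizeof hdr);
    memset(cred, 0xBB, sizeof cred);
    oa.oa_base = cred;
    oa.oa_length = cred_len;
    return build_rpchdr(rpchdr, hdr, &oa);
}
```

The general rule the revised patch applies: a bound on attacker-supplied length must be computed from the space remaining at the point of the copy, not from the total size of the destination, and the arithmetic should be written next to the memcpy it protects so the two cannot drift apart.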