RE: Internet explorer 7.0 spoofing

2008-04-02 Thread Darth Jedi
Ok, I'm missing it, what exactly is the spoof here?  When the popup comes up
for me, the address of the page is
http://www.google.com.ar/#www.microsoft.com and I see in the address bar
#www.microsoft.com.  

If I'm understanding the wording below correctly, it's because the # keeps
the browser from interpreting Microsoft.com and thus giving a bad URL, and
presumably the browser cannot or does not have the ability to show the full
address (and perhaps in other browsers or scenarios people don't see the #
like I did - and also don't realize that the browser always prefixes its
URLs with HTTP, so seeing a URL starting with # is a bit fishy)...






-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] 
Sent: Friday, March 28, 2008 3:02 PM
To: bugtraq@securityfocus.com
Subject: Internet explorer 7.0 spoofing

Hello, how are you? This time I am writing to let you know of a
spoofing vulnerability in Internet Explorer 7.0 (tested on 8.0, where it
does not work).

Creating a malformed pop-up can put any address in the address bar with
any page or content in the body.


This flaw is possible because if in the address bar we put, e.g.:


address # address


The hash sign (#) makes the first address run, and what comes after it
does not interfere with the original page. This is why, when creating a popup
with the special dimensions and trying to pass such an address, the popup
displays the end of the address and does not show the address it actually
runs. (The special dimensions are important, because with a larger one it does
not work.)


Just a single click in the body of the popup reveals the true address,
which could equally be evaded with a JavaScript event like onblur or onfocus...
Anyway, that is more of a serious attack than a proof of concept.


Here I leave the proof of concept.


http://es.geocities.com/jplopezy/iespoof.html


Greetings from Argentina!


Juan Pablo Lopez Yacubian

fuzzertina.blogspot.com





Re: Re: Re: Internet explorer 7.0 spoofing

2008-04-02 Thread jplopezy
Dear w0lfd33m: 


It does not fail in Firefox; the failure has been poorly understood.

The fault is not that both addresses carry the hash sign (#); it is that when
you create a popup with this small size, only the end of the complete address
is shown. The hash sign only makes what comes after it irrelevant to the first
address; then, by creating the popup so that only the end of the address is
shown, the false address is what appears, and there is the failure. This only
works in Internet Explorer.



Greetings. 




Writers Block SQL Injection Vulnerabilities

2008-04-02 Thread nebelfrost23
[] Writer’s Block SQL Injection Vulnerabilities []



[x] Vendor Information


If the written word is the wheel, then Writer’s Block is the sweet, sweet 
fossil fuel in the 

engine that keeps it spinning. A free, flexible, elegant Content Management 
System that helps 

you maintain any web site you want, at any size you want, with no hassle and no 
restrictions.

In fact, it’s running this entire site right now.


http://www.desiquintans.com


[x] Attack Information


The variable PostID can be filled with malicious content to execute SQL code:





permalink.php, line 212:


$getpost = @mysql_query("SELECT Title, Timestamp, Body, PostCat1, PostCat2,
PostCat3, PostCat4, Author FROM ".POSTS_TBL." WHERE
  PostID='".$_GET['PostID']."' AND Draft=0");





permalink.php, line 298:


$prevlink = mysql_query("SELECT PostID FROM ".POSTS_TBL." WHERE
PostID<".$_GET['PostID']." AND Draft=0 ORDER BY Timestamp DESC LIMIT 1");





permalink.php, line 304:


$nextlink = mysql_query("SELECT PostID FROM ".POSTS_TBL." WHERE
PostID>".$_GET['PostID']." AND Draft=0 ORDER BY Timestamp ASC LIMIT 1");





[x] Exploit


The issue can be exploited through a web browser.


[x] Patch


Just add an intval():





permalink.php, line 212:


$getpost = @mysql_query("SELECT Title, Timestamp, Body, PostCat1, PostCat2,
PostCat3, PostCat4, Author FROM ".POSTS_TBL." WHERE
  PostID='".intval($_GET['PostID'])."' AND Draft=0");





permalink.php, line 298:


$prevlink = mysql_query("SELECT PostID FROM ".POSTS_TBL." WHERE
PostID<".intval($_GET['PostID'])." AND Draft=0 ORDER BY Timestamp DESC LIMIT
1");





permalink.php, line 304:


$nextlink = mysql_query("SELECT PostID FROM ".POSTS_TBL." WHERE
PostID>".intval($_GET['PostID'])." AND Draft=0 ORDER BY Timestamp ASC LIMIT 1");





[x] Credits


The vulnerability has been discovered by katharsis -


www.katharsis.x2.to



HPSBMA02317 SSRT080026 rev.1 - HP Select Identity Software, Gain Unauthorized Access

2008-04-02 Thread security-alert
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

SUPPORT COMMUNICATION - SECURITY BULLETIN

Document ID: c01391833
Version: 1

HPSBMA02317 SSRT080026 rev.1 - HP Select Identity Software, Gain Unauthorized 
Access

NOTICE: The information in this Security Bulletin should be acted upon as soon 
as possible.

Release Date: 2008-03-11
Last Updated: 2008-04-01

Potential Security Impact: Gain unauthorized access

Source: Hewlett-Packard Company, HP Software Security Response Team

VULNERABILITY SUMMARY
Potential security vulnerabilities have been identified with HP Select Identity 
software. The vulnerabilities could be exploited by an authenticated user to 
gain unauthorized access to other user accounts.

References: CVE-2008-0709

SUPPORTED SOFTWARE VERSIONS*: ONLY impacted versions are listed.
HP Select Identity software v4.00, v4.01, v4.11, v4.12, v4.13, v4.20 running on 
HP-UX, Windows 2003 Server, Red Hat Linux AS3 and AS4, and Solaris.

BACKGROUND

CVSS 2.0 Base Metrics 

Reference  Base Vector  Base Score
CVE-2008-0709  (AV:L/AC:L/Au:S/C:P/I:P/A:N)  3.2

Information on CVSS is documented in HP Customer Notice: HPSN-2008-002.

RESOLUTION
HP has provided the following software patches to resolve the vulnerability. 
The patches are available for download from 
http://support.openview.hp.com/selfsolve/patches 

Note: To locate the patches on http://support.openview.hp.com/selfsolve/patches 
1. set Product=select identity 
2. set Product version=All Versions 
3. enter the Patch from the table below into the Optional: Enter keyword(s) or 
phrases window 
4. select Search 

HP Select Identity Software Version - v4.00  
Operating Systems - Windows 2003 Server, and Red Hat Linux AS3
Patch - HPSI patch 4.00.013
 
HP Select Identity Software Version - v4.01 
Operating Systems - HP-UX, Windows 2003 Server, Red Hat Linux AS3, and Solaris
Patch - HPSI patch 4.01.015
 
HP Select Identity Software Version - v4.11
Operating Systems - HP-UX, Windows 2003 Server, and Red Hat Linux AS3
Patch - HPSI patch 4.11.001HF2
 
HP Select Identity Software Version - v4.12 
Operating Systems - HP-UX, Windows 2003 Server, Red Hat Linux AS3, and Solaris
Patch - HPSI patch 4.12.000HF7
 
HP Select Identity Software Version - v4.13 
Operating Systems - HP-UX, Windows 2003 Server, Red Hat Linux AS3, and Solaris
Patch - HPSI patch 4.13.005
 
HP Select Identity Software Version - v4.20 
Operating Systems - HP-UX, Windows 2003 Server, and Red Hat Linux AS4
Patch - HPSI patch 4.20.001HF1
 


MANUAL ACTIONS: Yes - Update 
Install appropriate patch. 

PRODUCT SPECIFIC INFORMATION 

HP-UX Software Assistant: HP-UX Software Assistant is an enhanced application 
that replaces HP-UX Security Patch Check. It analyzes all Security Bulletins 
issued by HP and lists recommended actions that may apply to a specific HP-UX 
system. It can also download patches and create a depot automatically. For more 
information see https://www.hp.com/go/swa 

The following text is for use by the HP-UX Software Assistant.

AFFECTED VERSIONS (for HP-UX) 

HP-UX B.11.11 
HP-UX B.11.23 
HP-UX B.11.31 
=== 
action: upgrade Select Identity software if in use. 

END AFFECTED VERSIONS (for HP-UX) 

HISTORY 
Version: 1 (rev.1) - 1 April 2008 Initial release 

Third Party Security Patches: Third party security patches which are to be 
installed on systems running HP software products should be applied in 
accordance with the customer's patch management policy. 

Support: For further information, contact normal HP Services support channel.

Report: To report a potential security vulnerability with any HP supported 
product, send Email to: [EMAIL PROTECTED] 
It is strongly recommended that security related information being communicated 
to HP be encrypted using PGP, especially exploit information. 
To get the security-alert PGP key, please send an e-mail message as follows:
  To: [EMAIL PROTECTED] 
  Subject: get key

Subscribe: To initiate a subscription to receive future HP Security Bulletins 
via Email: 
http://h30046.www3.hp.com/driverAlertProfile.php?regioncode=NAlangcode=USENGjumpid=in_SC-GEN__driverITRCtopiccode=ITRC
 
On the web page: ITRC security bulletins and patch sign-up 
Under Step1: your ITRC security bulletins and patches 
  - check ALL categories for which alerts are required and continue.
Under Step2: your ITRC operating systems 
  - verify your operating system selections are checked and save.


To update an existing subscription: http://h30046.www3.hp.com/subSignIn.php 
Log in on the web page: Subscriber's choice for Business: sign-in. 
On the web page: Subscriber's Choice: your profile summary - use Edit Profile 
to update appropriate sections.


To review previously published Security Bulletins visit: 
http://www.itrc.hp.com/service/cki/secBullArchive.do 


* The Software Product Category that this Security Bulletin relates to is 
represented by the 5th and 6th characters of the Bulletin number in the title: 

GN = HP 

Datalife Engine 6.7 XSRF

2008-04-02 Thread irancrash
Datalife Engine 6.7 XSRF Vulnerability
By IRCRASH

Discovered by : IRCRASH (R3d.w0rm)
IRCRASH Team Members : Dr.Crash - Malc0de - R3d.w0rm

Script Download : http://datalifecms.ir/download/DatalifeEngine6.7.zip

XSRF
XSRF Address :
http://site.com/datalife-path/engine/modules/imagepreview.php?image=[XSRF]

Our site : Http://IRCRASH.COM


[USN-597-1] OpenSSH vulnerability

2008-04-02 Thread Kees Cook
=== 
Ubuntu Security Notice USN-597-1 April 01, 2008
openssh vulnerability
CVE-2008-1483
===

A security issue affects the following Ubuntu releases:

Ubuntu 6.06 LTS
Ubuntu 6.10
Ubuntu 7.04
Ubuntu 7.10

This advisory also applies to the corresponding versions of
Kubuntu, Edubuntu, and Xubuntu.

The problem can be corrected by upgrading your system to the
following package versions:

Ubuntu 6.06 LTS:
  openssh-client  1:4.2p1-7ubuntu3.3

Ubuntu 6.10:
  openssh-client  1:4.3p2-5ubuntu1.2

Ubuntu 7.04:
  openssh-client  1:4.3p2-8ubuntu1.2

Ubuntu 7.10:
  openssh-client  1:4.6p1-5ubuntu0.2

In general, a standard system upgrade is sufficient to effect the
necessary changes.

Details follow:

Timo Juhani Lindfors discovered that the OpenSSH client, when port
forwarding was requested, would listen on any available address family.
A local attacker could exploit this flaw on systems with IPv6 enabled
to hijack connections, including X11 forwards.


Updated packages for Ubuntu 6.06 LTS:

  Source archives:


http://security.ubuntu.com/ubuntu/pool/main/o/openssh/openssh_4.2p1-7ubuntu3.3.diff.gz
  Size/MD5:   171837 216f11e247dfeb681cd75c033cc2fc5c

http://security.ubuntu.com/ubuntu/pool/main/o/openssh/openssh_4.2p1-7ubuntu3.3.dsc
  Size/MD5: 1003 3902e4c29bba7ee62b48c9641bd0bc76

http://security.ubuntu.com/ubuntu/pool/main/o/openssh/openssh_4.2p1.orig.tar.gz
  Size/MD5:   928420 93295701e6bcd76fabd6a271654ed15c

  Architecture independent packages:


http://security.ubuntu.com/ubuntu/pool/main/o/openssh/ssh_4.2p1-7ubuntu3.3_all.deb
  Size/MD5: 1052 5e47eabdf3306595bef55704b3d80702

  amd64 architecture (Athlon64, Opteron, EM64T Xeon):


http://security.ubuntu.com/ubuntu/pool/main/o/openssh/openssh-client-udeb_4.2p1-7ubuntu3.3_amd64.udeb
  Size/MD5:   165878 c18cc9d5cbf4f83e9e7730a43c18dba6

http://security.ubuntu.com/ubuntu/pool/main/o/openssh/openssh-client_4.2p1-7ubuntu3.3_amd64.deb
  Size/MD5:   610832 5479cad40052592557e93b64536a45c6

http://security.ubuntu.com/ubuntu/pool/main/o/openssh/openssh-server_4.2p1-7ubuntu3.3_amd64.deb
  Size/MD5:   236222 4d98f6e82ae9d26e73d12ec2e429dd14

http://security.ubuntu.com/ubuntu/pool/main/o/openssh/ssh-askpass-gnome_4.2p1-7ubuntu3.3_amd64.deb
  Size/MD5:87126 9e041ad9534dc99cb01aa6261acf071f

http://security.ubuntu.com/ubuntu/pool/universe/o/openssh/openssh-server-udeb_4.2p1-7ubuntu3.3_amd64.udeb
  Size/MD5:   182086 7b52e535986415799f89b04ea95df8ae

  i386 architecture (x86 compatible Intel/AMD):


http://security.ubuntu.com/ubuntu/pool/main/o/openssh/openssh-client-udeb_4.2p1-7ubuntu3.3_i386.udeb
  Size/MD5:   140116 99bac142d2bfd0d1bdd61ce8a6a917fc

http://security.ubuntu.com/ubuntu/pool/main/o/openssh/openssh-client_4.2p1-7ubuntu3.3_i386.deb
  Size/MD5:   537108 c828718a152abc20cd547c39653ec67b

http://security.ubuntu.com/ubuntu/pool/main/o/openssh/openssh-server_4.2p1-7ubuntu3.3_i386.deb
  Size/MD5:   205484 c495cf9d7d25e95b9d9baa9a873ccfca

http://security.ubuntu.com/ubuntu/pool/main/o/openssh/ssh-askpass-gnome_4.2p1-7ubuntu3.3_i386.deb
  Size/MD5:86768 a3a6c7aa8840720498b811b5a0b814b5

http://security.ubuntu.com/ubuntu/pool/universe/o/openssh/openssh-server-udeb_4.2p1-7ubuntu3.3_i386.udeb
  Size/MD5:   151548 c657878eb1b8a91897925914aab0bab8

  powerpc architecture (Apple Macintosh G3/G4/G5):


http://security.ubuntu.com/ubuntu/pool/main/o/openssh/openssh-client-udeb_4.2p1-7ubuntu3.3_powerpc.udeb
  Size/MD5:   158552 4aada820956ab80eb424713956347551

http://security.ubuntu.com/ubuntu/pool/main/o/openssh/openssh-client_4.2p1-7ubuntu3.3_powerpc.deb
  Size/MD5:   594088 26dbbb6ff0359f11dfe280f06d9ebaf0

http://security.ubuntu.com/ubuntu/pool/main/o/openssh/openssh-server_4.2p1-7ubuntu3.3_powerpc.deb
  Size/MD5:   226268 8916980ee9d4ef41b77a89ca56f891d9

http://security.ubuntu.com/ubuntu/pool/main/o/openssh/ssh-askpass-gnome_4.2p1-7ubuntu3.3_powerpc.deb
  Size/MD5:88420 dca6aabe6e164cd90e2b35cffe934a14

http://security.ubuntu.com/ubuntu/pool/universe/o/openssh/openssh-server-udeb_4.2p1-7ubuntu3.3_powerpc.udeb
  Size/MD5:   165904 e6e6f51d1c67732ed9dbc7fad4669ef0

  sparc architecture (Sun SPARC/UltraSPARC):


http://security.ubuntu.com/ubuntu/pool/main/o/openssh/openssh-client-udeb_4.2p1-7ubuntu3.3_sparc.udeb
  Size/MD5:   149268 6a92b75179eea1972b082892bd8750de

http://security.ubuntu.com/ubuntu/pool/main/o/openssh/openssh-client_4.2p1-7ubuntu3.3_sparc.deb
  Size/MD5:   543862 be125ef3611c0aa2f2e5ed0f8c36a250

http://security.ubuntu.com/ubuntu/pool/main/o/openssh/openssh-server_4.2p1-7ubuntu3.3_sparc.deb
  Size/MD5:   208864 9f9c4e3b1ec44ccda77a00e674f200be


HPSBTU02325 SSRT080006 rev.1 - HP Internet Express for Tru64 UNIX running PostgreSQL, Arbitrary Code Execution, Privilege Elevation, or Denial of Service (DoS)

2008-04-02 Thread security-alert
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

SUPPORT COMMUNICATION - SECURITY BULLETIN

Document ID: c01420154
Version: 1

HPSBTU02325 SSRT080006 rev.1 - HP Internet Express for Tru64 UNIX running 
PostgreSQL, Arbitrary Code Execution, Privilege Elevation, or Denial of Service 
(DoS)

NOTICE: The information in this Security Bulletin should be acted upon as soon 
as possible.

Release Date: 2008-04-01
Last Updated: 2008-04-01


Potential Security Impact: Arbitrary code execution, privilege elevation, or 
Denial of Service (DoS)

Source: Hewlett-Packard Company, HP Software Security Response Team

VULNERABILITY SUMMARY
Potential security vulnerabilities have been identified in PostgreSQL v 8.2.4 
and earlier running on HP Internet Express for Tru64 UNIX. The vulnerabilities 
could be exploited to execute arbitrary code, elevation of privilege, or cause 
a Denial of Service (DoS).

References: CVE-2007-3278, CVE-2007-4769, CVE-2007-4772, CVE-2007-6067, 
CVE-2007-6600, CVE-2007-6601

SUPPORTED SOFTWARE VERSIONS*: ONLY impacted versions are listed.
The following supported software versions are affected: 

PostgreSQL v 8.2.4 and earlier as provided with...

HP Internet Express for Tru64 UNIX v 6.7 
HP Internet Express for Tru64 UNIX v 6.6 

BACKGROUND

CVSS 2.0 Base Metrics 

Reference      Base Vector                    Base Score
CVE-2007-3278  (AV:L/AC:M/Au:N/C:C/I:C/A:C)   6.9
CVE-2007-4769  (AV:N/AC:L/Au:S/C:N/I:N/A:C)   6.8
CVE-2007-4772  (AV:N/AC:L/Au:S/C:N/I:N/A:P)   4.0
CVE-2007-6067  (AV:N/AC:L/Au:S/C:N/I:N/A:C)   6.8
CVE-2007-6600  (AV:N/AC:L/Au:S/C:P/I:P/A:N)   5.5
CVE-2007-6601  (AV:L/AC:L/Au:N/C:C/I:C/A:C)   7.2

Information on CVSS is documented in HP Customer Notice: HPSN-2008-002.

RESOLUTION
HP is releasing the following Early Release Patch (ERP) kits publicly for use 
by any customer until updates are available in mainstream release patch kits. 

The resolutions contained in the ERP kits are targeted for availability in the 
following mainstream kit: 

HP Internet Express for Tru64 UNIX v 6.8

The ERP kits use dupatch to install and will not install over any Customer 
Specific Patches (CSPs) that have file intersections with the ERPs. Contact 
your service provider for assistance if the installation of the ERPs is blocked 
by any of your installed CSPs.

The ERP kit provides PostgreSQL v 8.2.6, plus sources and license.

HP Internet Express for Tru64 UNIX v 6.6 or v 6.7 
PREREQUISITE: HP Tru64 UNIX v 5.1B-4 PK6 (BL27) or v 5.1B-3 PK5 (BL26) 
Name: POSTGRESQL_8.2.6-ES-20080320.tar.gz 
Location: 
http://www.itrc.hp.com/service/patch/patchDetail.do?patchid=POSTGRESQL_8.2.6-ES-20080320
 
 


MD5 checksums are available from the ITRC patch database main page. From the 
patch database main page, click Tru64 UNIX, then click verifying MD5 checksums 
under useful links.

PRODUCT SPECIFIC INFORMATION 

HISTORY 

Version:1 (rev.1) - 1 April 2008 Initial release

Third Party Security Patches: Third party security patches which are to be 
installed on systems running HP software products should be applied in 
accordance with the customer's patch management policy. 

Support: For further information, contact normal HP Services support channel.

Report: To report a potential security vulnerability with any HP supported 
product, send Email to: [EMAIL PROTECTED] 
It is strongly recommended that security related information being communicated 
to HP be encrypted using PGP, especially exploit information. 
To get the security-alert PGP key, please send an e-mail message as follows:
  To: [EMAIL PROTECTED] 
  Subject: get key

Subscribe: To initiate a subscription to receive future HP Security Bulletins 
via Email: 
http://h30046.www3.hp.com/driverAlertProfile.php?regioncode=NAlangcode=USENGjumpid=in_SC-GEN__driverITRCtopiccode=ITRC
 
On the web page: ITRC security bulletins and patch sign-up 
Under Step1: your ITRC security bulletins and patches 
  - check ALL categories for which alerts are required and continue.
Under Step2: your ITRC operating systems 
  - verify your operating system selections are checked and save.


To update an existing subscription: http://h30046.www3.hp.com/subSignIn.php 
Log in on the web page: Subscriber's choice for Business: sign-in. 
On the web page: Subscriber's Choice: your profile summary - use Edit Profile 
to update appropriate sections.


To review previously published Security Bulletins visit: 
http://www.itrc.hp.com/service/cki/secBullArchive.do 


* The Software Product Category that this Security Bulletin relates to is 
represented by the 5th and 6th characters of the Bulletin number in the title: 

GN = HP General SW
MA = HP Management Agents
MI = Misc. 3rd Party SW
MP = HP MPE/iX
NS = HP NonStop Servers
OV = HP OpenVMS
PI = HP Printing & Imaging
ST = HP Storage SW
TL = HP Trusted Linux
TU = HP Tru64 UNIX
UX = HP-UX
VV = HP VirtualVault
 

System management and security procedures must be reviewed frequently to 
maintain system integrity. HP is 

ANNOUNCE: Apache-SSL security release - apache_1.3.41+ssl_1.59

2008-04-02 Thread Adam Laurie

Folks,

Following information/research provided by Alexander Klink, a new 
release is out, fixing a low priority security issue as detailed below. 
The release is on the primary Apache-SSL ftp server and should hit the 
mirrors over the next few hours, according to their schedules.


See http://www.apache-ssl.org for mirrors.

Advisory follows:


||| Security Advisory AKLINK-SA-2008-005 |||
||| CVE-2008-0555 (CVE candidate)|||


Apache-SSL memory disclosure


Date released: 02.04.2008
Date reported: 17.01.2008
$Revision: 1.1 $

by Alexander Klink
   Cynops GmbH
   [EMAIL PROTECTED]
   https://www.cynops.de/advisories/CVE-2008-0555.txt
   (S/MIME signed: 
https://www.cynops.de/advisories/CVE-2008-0555-signed.txt)

   https://www.klink.name/security/aklink-sa-2008-005-apache-ssl.txt
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-0555

Vendor: Adam & Ben Laurie
Product: Apache-SSL
Website: http://www.apache-ssl.org
Vulnerability: memory disclosure, potential privilege escalation in web
   applications
Class: remote
Status: patched
Severity: low
Releases known to be affected: apache_1.3.34+ssl_1.57
Releases known NOT to be affected: apache_1.3.41+ssl_1.59

+
Background:

Apache-SSL is a secure Webserver, based on Apache and SSLeay/OpenSSL.

+
Overview:

Apache-SSL provides environment variables that are filled with
(client) certificate data. If the subject of a client certificate
contains special characters, parts of these variables can be overwritten
or be filled with other parts of memory.

+
Technical details:

The certificate DN as returned by the OpenSSL X509_NAME_oneline is
passed into the following function:

static void ExpandCert(pool *p, table *pEnv, char *szPrefix, char *szDN,
                       char *szCert)
{
    char buf[HUGE_STRING_LEN];
    char *s, *t;
    /* Expand a X509_oneline entry into its base components and register
       them as environment variables. Needed if you want to pass certificate
       information to CGI's. The naming convention SHOULD be fairly compatible
       with CGI's written for stronghold's certificate info  - Q */
    /* FIXME - strtok() and strcspn() may cause problems on some systems - Q */

    ap_table_setn(pEnv, szDN, ap_pstrdup(p, szCert));

    ap_cpystrn(buf, szCert, sizeof buf);
    for (s = strtok(buf, "/"); s != NULL; s = strtok(NULL, "/"))
    {
        int n = strcspn(s, "=");
        s[n] = '\0';
        StrUpper(s);
        t = ap_pstrcat(p, szPrefix, s, NULL);
        ap_table_setn(pEnv, t, ap_pstrdup(p, s + n + 1));
    }
}

The function assumes that the relative distinguished name does not
contain a '/'. If a '/' is contained in for example the common name,
strcspn(s, "=") returns the size of s, so s+n+1 points beyond the
current token.
Furthermore, environment variables can be overwritten by including '/'
and '='. For example, to overwrite the OPENSSL_S_CLIENT_DN_OU variable,
one could use a certificate with a CN of /OU=Fake OU.
If an application relies on this information to distinguish certificates
into different authorization classes, it can be fooled this way.

+
Communication:

* 17.01.2008: Reported the bug to Ben Laurie
* 17.01.2008: Ben replies and acknowledges the bug
* 01.02.2008: Checking back with Ben on the status
* 01.02.2008: Ben replies that he'll be looking into a patch over the 
weekend

* 06.02.2008: Ben sends patch and asks for help with testing it
* 07.02.2008: Reply with test results (still a small problem unrelated to
  the original issue)
* 09.02.2008: Ben sends updated patch
* 11.02.2008: Told Ben that patch works fine
* 18.02.2008: Requested update
* 18.02.2008: Ben replies that he'll deal with it in the next week or so
* 27.02.2008: Requested update
* 27.02.2008: Patch for Apache 1.3.41 is ready, but release is normally
  managed by Adam Laurie, who is on holiday till March, 11th
* 28.02.2008: Agreed to wait for Adam to return
* 12.03.2008: Ben informs Adam of the new release
* 25.03.2008: Requested update
* 25.03.2008: Ben replies, they are waiting for an updated advisory from me
* 25.03.2008: Sent out updated advisory
* 27.03.2008: Adam says sorry for the delays and that he will try to work
  on this while he is at a conference in Amsterdam
* 01.04.2008: Coordination with Adam and Ben on a release

+
Solution:

Upgrade to apache_1.3.41+ssl_1.59.

+
Credits:

- Alexander Klink, Cynops GmbH (discovery)


cheers,
Adam
--
Adam Laurie Tel: +44 (0) 1304 
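The advisory above names two defects in ExpandCert(): s+n+1 is formed even when strcspn() found no '=' in the token, and a later "ATTR=" inside a value silently overwrites a variable set earlier. The following is an added example, not Apache-SSL's code and not the patch shipped in apache_1.3.41+ssl_1.59 (which this message does not quote): a bounds-checked stand-in for the same expansion logic that rejects a malformed token instead of reading past it and refuses to overwrite a variable that is already set. The fixed-size env_table in place of the Apache pool/table API, the function names, the SSL_CLIENT_S_DN_ prefix and the sample DN strings are all constructed for illustration.

```c
/* Added example, not Apache-SSL's code: a bounds-checked stand-in for the
 * DN-expansion routine quoted in the advisory. The table type, the function
 * names, the "SSL_CLIENT_S_DN_" prefix and the sample DNs are constructed. */
#include <ctype.h>
#include <stdio.h>
#include <string.h>

#define MAX_VARS 16
#define MAX_LEN  256

/* Minimal stand-in for the Apache env table: fixed-size name/value pairs. */
struct env_var   { char name[MAX_LEN]; char value[MAX_LEN]; };
struct env_table { struct env_var v[MAX_VARS]; int n; };

const char *env_get(const struct env_table *t, const char *name)
{
    for (int i = 0; i < t->n; i++)
        if (strcmp(t->v[i].name, name) == 0)
            return t->v[i].value;
    return NULL;
}

/* Adds a variable only if the name is not already present, so an "/OU=..."
 * smuggled inside a CN value can no longer replace the real OU. */
static int env_set_once(struct env_table *t, const char *name, const char *value)
{
    if (t->n >= MAX_VARS || env_get(t, name) != NULL)
        return -1;
    snprintf(t->v[t->n].name,  MAX_LEN, "%s", name);
    snprintf(t->v[t->n].value, MAX_LEN, "%s", value);
    t->n++;
    return 0;
}

/* Expands a oneline DN ("/C=AR/O=Example/CN=Juan") into PREFIX<ATTR>
 * variables. Compared with the routine in the advisory:
 *  - a token with no '=' is rejected, so s+n+1 is never formed in the case
 *    where strcspn() returns strlen(s);
 *  - attribute names may contain only [A-Za-z0-9_];
 *  - an attribute that is already set is never overwritten.
 * Returns the number of variables set, or -1 if the DN was rejected. */
int expand_dn(struct env_table *env, const char *prefix, const char *dn)
{
    char buf[MAX_LEN];
    char name[MAX_LEN];
    int count = 0;

    if (snprintf(buf, sizeof buf, "%s", dn) >= (int)sizeof buf)
        return -1;                                  /* DN too long */

    for (char *s = strtok(buf, "/"); s != NULL; s = strtok(NULL, "/")) {
        size_t n = strcspn(s, "=");
        if (n == 0 || s[n] != '=')
            return -1;                              /* not "ATTR=value" */
        s[n] = '\0';
        for (size_t i = 0; i < n; i++) {
            if (!isalnum((unsigned char)s[i]) && s[i] != '_')
                return -1;                          /* bad attribute name */
            s[i] = (char)toupper((unsigned char)s[i]);
        }
        if (snprintf(name, sizeof name, "%s%s", prefix, s) >= (int)sizeof name)
            return -1;
        /* s + n + 1 is now guaranteed to lie inside the current token. */
        if (env_set_once(env, name, s + n + 1) != 0)
            return -1;                              /* duplicate attribute */
        count++;
    }
    return count;
}

int main(void)
{
    /* Constructed sample DNs: a clean one, and one carrying the advisory's
     * "/OU=Fake OU" trick inside the CN. */
    struct env_table env = {0}, env2 = {0};
    printf("clean DN    -> %d variables\n",
           expand_dn(&env, "SSL_CLIENT_S_DN_", "/C=AR/O=Example/CN=Juan"));
    printf("SSL_CLIENT_S_DN_CN = %s\n", env_get(&env, "SSL_CLIENT_S_DN_CN"));
    printf("smuggled OU -> %d (rejected)\n",
           expand_dn(&env2, "SSL_CLIENT_S_DN_", "/C=AR/OU=Admins/CN=/OU=Fake OU"));
    return 0;
}
```

The oneline form is inherently ambiguous once an RDN value contains '/', so this routine does not try to guess the original boundaries; it refuses the DN and leaves whatever was set before the bad token in place. A server that has access to the X509_NAME object would do better to walk its entries directly and never re-parse the flattened string.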

Directory traversal in LANDesk Management Suite 8.80.1.1

2008-04-02 Thread Luigi Auriemma

###

 Luigi Auriemma

Application:  LANDesk Management Suite
  http://www.landesk.com/products/ldms/index.aspx
Versions: <= 8.80.1.1
Platforms:Windows
Bug:  directory traversal
Exploitation: remote
Date: 01 Apr 2008
Author:   Luigi Auriemma
  e-mail: [EMAIL PROTECTED]
  web:aluigi.org


###


1) Introduction
2) Bug
3) The Code
4) Fix


###

===
1) Introduction
===


LANDesk is a well known system management software.


###

==
2) Bug
==


The PXE TFTP Service is vulnerable to a classical directory traversal
vulnerability exploitable through the adding of one or more chars
before the usual dotdot pattern.

The interesting thing is that version 8.80.1.1 has been released just
to fix another directory traversal vulnerability.


###

===
3) The Code
===


http://aluigi.org/testz/tftpx.zip

  tftpx SERVER x\..\..\..\..\..\..\..\boot.ini none
  tftpx SERVER what_you_want/../../../../../../../windows/win.ini none


###

==
4) Fix
==


No fix


###


--- 
Luigi Auriemma
http://aluigi.org
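The bug class above (a traversal that survives a fix because the filter only looked for a leading dotdot) is best countered on the server by checking every path component after the separators are stripped, not by pattern-matching the start of the string. The following is an added example, not LANDesk's code and not a fix for the PXE TFTP service: a request-name check of the kind a TFTP server on Windows would need. Both '/' and '\' are treated as separators, any "." or ".." component is refused outright, and absolute paths and drive letters are refused too. The root directory and the clean sample name are constructed; the two traversal strings are the ones quoted in the advisory and are used only as inputs that must be rejected.

```c
/* Added example, not LANDesk's code: a request-name check for a TFTP
 * service of the kind discussed above. The root path and the clean sample
 * name are constructed; the traversal strings are quoted from the advisory. */
#include <stdio.h>
#include <string.h>

#define TFTP_NAME_MAX 255

/* Returns 1 if the requested name may be served from the TFTP root, 0 if it
 * must be refused. Every component is examined after its separators are
 * stripped, so a prefix such as "x\.." or "what_you_want/.." gives the
 * dotdot nothing to hide behind. */
int tftp_name_is_safe(const char *name)
{
    size_t len = strlen(name);
    const char *p = name;

    if (len == 0 || len > TFTP_NAME_MAX)
        return 0;
    if (name[0] == '/' || name[0] == '\\')
        return 0;                               /* absolute path */
    if (len >= 2 && name[1] == ':')
        return 0;                               /* drive letter "C:" */
    if (name[len - 1] == '/' || name[len - 1] == '\\')
        return 0;                               /* no trailing separator */

    while (*p) {
        size_t clen = strcspn(p, "/\\");        /* length of this component */
        if (clen == 0)
            return 0;                           /* empty component ("a//b") */
        if (clen == 1 && p[0] == '.')
            return 0;                           /* "." is never needed */
        if (clen == 2 && p[0] == '.' && p[1] == '.')
            return 0;                           /* ".." anywhere in the name */
        for (size_t i = 0; i < clen; i++)
            if ((unsigned char)p[i] < 0x20 || p[i] == ':')
                return 0;                       /* control chars, NTFS streams */
        p += clen;
        if (*p)
            p++;                                /* skip the separator */
    }
    return 1;
}

/* Builds root/name for names that passed the check. Returns 0 on success,
 * -1 if the name was refused or the result does not fit in out[]. */
int tftp_resolve(const char *root, const char *name, char *out, size_t outlen)
{
    if (!tftp_name_is_safe(name))
        return -1;
    if (snprintf(out, outlen, "%s/%s", root, name) >= (int)outlen)
        return -1;
    return 0;
}

int main(void)
{
    char path[512];
    const char *requests[] = {
        "boot/pxelinux.0",                                      /* constructed */
        "x\\..\\..\\..\\..\\..\\..\\..\\boot.ini",              /* from the advisory */
        "what_you_want/../../../../../../../windows/win.ini",   /* from the advisory */
    };
    for (size_t i = 0; i < sizeof requests / sizeof requests[0]; i++) {
        int rc = tftp_resolve("/srv/tftp", requests[i], path, sizeof path);
        printf("%-52s -> %s\n", requests[i], rc == 0 ? path : "refused");
    }
    return 0;
}
```

Refusing rather than normalising keeps the check small and auditable; in a real service it belongs alongside a second check that canonicalises the final path with the platform API and confirms it still starts with the canonical root directory.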


RE: Internet explorer 7.0 spoofing

2008-04-02 Thread Mike Diaz
He's basically saying that if you create a popup small enough
width-wise, then you can hide everything before the # so that unless
the user actually goes into the address bar and scrolls left, all they
will see is what you put after the #. Here's a screenshot so you can
see what he's talking about:
http://lh6.google.com/mikediaz.360/R_PpsHN-hCI/ABc/_F2JZMpUiS4/Screenshot.png


[ MDVSA-2008:081 ] - Updated CUPS packages fix multiple vulnerabilities

2008-04-02 Thread security

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

 ___
 
 Mandriva Linux Security Advisory MDVSA-2008:081
 http://www.mandriva.com/security/
 ___
 
 Package : cups
 Date: April 2, 2008
 Affected: 2007.0, 2007.1, 2008.0, Corporate 3.0, Corporate 4.0
 ___
 
 Problem Description:
 
 A heap-based buffer overflow in CUPS 1.2.x and later was discovered by
 regenrecht of VeriSign iDenfense that could allow a remote attacker
 to execute arbitrary code via a crafted CGI search expression
 (CVE-2008-0047).
 
 A validation error in the Hp-GL/2 filter was also discovered
 (CVE-2008-0053).
 
 Finally, a vulnerability in how CUPS handled GIF files was found by
 Tomas Hoger of Red Hat, similar to previous issues corrected in PHP,
 gd, tk, netpbm, and SDL_image (CVE-2008-1373).
 
 The updated packages have been patched to correct these issues.
 ___

 References:
 
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-0047
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-0053
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1373
 ___
 
 Updated Packages:
 
 Mandriva Linux 2007.0:
 4ecbfe664ba6820bf06dc406133e265c  2007.0/i586/cups-1.2.4-1.8mdv2007.0.i586.rpm
 6d51733a95884e36cca9570738537ff6  
2007.0/i586/cups-common-1.2.4-1.8mdv2007.0.i586.rpm
 abe0591d8b2b390a82dffcd2fed43b14  
2007.0/i586/cups-serial-1.2.4-1.8mdv2007.0.i586.rpm
 91ffe19d342810de71e056e213056552  
2007.0/i586/libcups2-1.2.4-1.8mdv2007.0.i586.rpm
 71fd9246da1e48b2dc6a60ceeae41e48  
2007.0/i586/libcups2-devel-1.2.4-1.8mdv2007.0.i586.rpm
 bd0f3b69fe5dc7bddd6c121200db014d  
2007.0/i586/php-cups-1.2.4-1.8mdv2007.0.i586.rpm 
 cb50a10a1096424175c1a49e8e22a8a1  2007.0/SRPMS/cups-1.2.4-1.8mdv2007.0.src.rpm

 Mandriva Linux 2007.0/X86_64:
 d9423a942f4f779959cfe489866b52f5  
2007.0/x86_64/cups-1.2.4-1.8mdv2007.0.x86_64.rpm
 8b13ba591a7dc53c658876dae447ce17  
2007.0/x86_64/cups-common-1.2.4-1.8mdv2007.0.x86_64.rpm
 9e434edde16c05fded1b706adaae859d  
2007.0/x86_64/cups-serial-1.2.4-1.8mdv2007.0.x86_64.rpm
 9733f3116c8488148471af3d5bdafd16  
2007.0/x86_64/lib64cups2-1.2.4-1.8mdv2007.0.x86_64.rpm
 fbb5010088c23aa2cf635875179adc3c  
2007.0/x86_64/lib64cups2-devel-1.2.4-1.8mdv2007.0.x86_64.rpm
 00e05d49f33ef5d0067287ef1a27246c  
2007.0/x86_64/php-cups-1.2.4-1.8mdv2007.0.x86_64.rpm 
 cb50a10a1096424175c1a49e8e22a8a1  2007.0/SRPMS/cups-1.2.4-1.8mdv2007.0.src.rpm

 Mandriva Linux 2007.1:
 dc81f96bd48732eed770b0090b333695  2007.1/i586/cups-1.2.10-2.6mdv2007.1.i586.rpm
 3545d312400a8f5aad55e323d2ff3543  
2007.1/i586/cups-common-1.2.10-2.6mdv2007.1.i586.rpm
 f4656b26df51f63813a49006415a783b  
2007.1/i586/cups-serial-1.2.10-2.6mdv2007.1.i586.rpm
 ab1869c8ddeda927fdfbc49c386756f1  
2007.1/i586/libcups2-1.2.10-2.6mdv2007.1.i586.rpm
 5de192ed26380212896fcd376a1b3e23  
2007.1/i586/libcups2-devel-1.2.10-2.6mdv2007.1.i586.rpm
 a347c58fc3e76e064cabf8425d0245ab  
2007.1/i586/php-cups-1.2.10-2.6mdv2007.1.i586.rpm 
 15c9274e61f9dbe98150fa1ae58ef7bc  2007.1/SRPMS/cups-1.2.10-2.6mdv2007.1.src.rpm

 Mandriva Linux 2007.1/X86_64:
 1faa57f00d0577f6d25cddf7fccd7edb  
2007.1/x86_64/cups-1.2.10-2.6mdv2007.1.x86_64.rpm
 26a14fabfef38f2fd4ab88c6184d4e2f  
2007.1/x86_64/cups-common-1.2.10-2.6mdv2007.1.x86_64.rpm
 b5a49bfbeb004af58e1e5f9c1660dece  
2007.1/x86_64/cups-serial-1.2.10-2.6mdv2007.1.x86_64.rpm
 6b81f4e888dec6e94231b01fd5d162bf  
2007.1/x86_64/lib64cups2-1.2.10-2.6mdv2007.1.x86_64.rpm
 256313a9ac10203a7d59deb6ff0a3da0  
2007.1/x86_64/lib64cups2-devel-1.2.10-2.6mdv2007.1.x86_64.rpm
 41e268b0e9e8a5e256c9af6192dfcae0  
2007.1/x86_64/php-cups-1.2.10-2.6mdv2007.1.x86_64.rpm 
 15c9274e61f9dbe98150fa1ae58ef7bc  2007.1/SRPMS/cups-1.2.10-2.6mdv2007.1.src.rpm

 Mandriva Linux 2008.0:
 27ee99856a1c4448cdee618f2db8ae52  2008.0/i586/cups-1.3.6-1.1mdv2008.0.i586.rpm
 09a6026a683b1ea029b63b0480aa2d4b  
2008.0/i586/cups-common-1.3.6-1.1mdv2008.0.i586.rpm
 7974c9c3a572a389fea83250cd57c8e1  
2008.0/i586/cups-serial-1.3.6-1.1mdv2008.0.i586.rpm
 a6432e417d401b7900113763255bf8c3  
2008.0/i586/libcups2-1.3.6-1.1mdv2008.0.i586.rpm
 cfb0fd68a1d60f1dfa985da0bb79190f  
2008.0/i586/libcups2-devel-1.3.6-1.1mdv2008.0.i586.rpm
 aba1862f9db0e18f09d581ef0a95fde8  
2008.0/i586/php-cups-1.3.6-1.1mdv2008.0.i586.rpm 
 e034c775d5b04fffb14cb441b8174a55  2008.0/SRPMS/cups-1.3.6-1.1mdv2008.0.src.rpm

 Mandriva Linux 2008.0/X86_64:
 b18f356dc9fc5cda784e576e3f20a801  
2008.0/x86_64/cups-1.3.6-1.1mdv2008.0.x86_64.rpm
 bccc98b2ad3205d2c301036ba9d28f61  
2008.0/x86_64/cups-common-1.3.6-1.1mdv2008.0.x86_64.rpm
 1c1837c8a8eb04609daa405553ab7fe8  
2008.0/x86_64/cups-serial-1.3.6-1.1mdv2008.0.x86_64.rpm
 5748bf84c1239e2b4255446cbf6c8285