RE: Internet explorer 7.0 spoofing
Ok, I'm missing it, what exactly is the spoof here? When the popup comes up for me, the address of the page is http://www.google.com.ar/#www.microsoft.com and I see in the address bar #www.microsoft.com. If I'm understanding the wording below correctly, it's because the # keeps the browser from interpreting Microsoft.com and thus giving a bad URL, and presumably the browser cannot or does not have the ability to show the full address (and perhaps in other browsers or scenarios people don't see the # like I did, and also don't realize that the browser always prefixes its URLs with HTTP, so seeing a URL starting with # is a bit fishy)...

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
Sent: Friday, March 28, 2008 3:02 PM
To: bugtraq@securityfocus.com
Subject: Internet explorer 7.0 spoofing

Hello, how are you? This time I am writing to let you know of a spoofing vulnerability in Internet Explorer 7.0 (tested in 8.0, where it does not work).

By creating a malformed pop-up, any address can be put in the address bar over the body of any page or content. This flaw is possible because if we put, for example, "Address # address" in the address bar, the numeral makes the first address run, and whatever comes after the numeral does not interfere with the original page. That is why, by creating a popup with special dimensions and trying to pass an address this way, the popup displays the end of the address and does not show the address it actually runs. (The special dimensions are important, because with a larger size it does not work.) A single click in the body of the popup reveals the true address, which can likewise be dodged with an event like JavaScript onblur or onfocus... Anyway, that's more a serious attack than a proof of concept. Here I leave the proof of concept:

http://es.geocities.com/jplopezy/iespoof.html

Greetings from Argentina!
Juan Pablo Lopez Yacubian
fuzzertina.blogspot.com
Re: Re: Re: Internet explorer 7.0 spoofing
Dear w0lfd33m: It does not fail in Firefox; the failure has been poorly understood. The fault is not that there are two addresses around the numeral (#); it is that when you create a popup with this small size, only the end of the address is shown. The numeral only makes whatever is behind it irrelevant to the first address, so when you create the popup, only the end of the address is visible, which is the false address, and there is the failure. This only works in Internet Explorer. Greetings.
Writers Block SQL Injection Vulnerabilities
[] Writers Block SQL Injection Vulnerabilities []

[x] Vendor Information

If the written word is the wheel, then Writers Block is the sweet, sweet fossil fuel in the engine that keeps it spinning. A free, flexible, elegant Content Management System that helps you maintain any web site you want, at any size you want, with no hassle and no restrictions. In fact, it's running this entire site right now.
http://www.desiquintans.com

[x] Attack Information

The variable PostID can be filled with malicious content to execute SQL code, because $_GET['PostID'] is concatenated straight into three queries:

permalink.php, line 212:

    $getpost = @mysql_query("SELECT Title, Timestamp, Body, PostCat1, PostCat2, PostCat3, PostCat4, Author FROM ".POSTS_TBL." WHERE PostID='".$_GET['PostID']."' AND Draft=0");

permalink.php, line 298:

    $prevlink = mysql_query("SELECT PostID FROM ".POSTS_TBL." WHERE PostID<".$_GET['PostID']." AND Draft=0 ORDER BY Timestamp DESC LIMIT 1");

permalink.php, line 304:

    $nextlink = mysql_query("SELECT PostID FROM ".POSTS_TBL." WHERE PostID>".$_GET['PostID']." AND Draft=0 ORDER BY Timestamp ASC LIMIT 1");

[x] Exploit

The issue can be exploited through a web browser.

[x] Patch

Just add an intval():

permalink.php, line 212:

    $getpost = @mysql_query("SELECT Title, Timestamp, Body, PostCat1, PostCat2, PostCat3, PostCat4, Author FROM ".POSTS_TBL." WHERE PostID='".intval($_GET['PostID'])."' AND Draft=0");

permalink.php, line 298:

    $prevlink = mysql_query("SELECT PostID FROM ".POSTS_TBL." WHERE PostID<".intval($_GET['PostID'])." AND Draft=0 ORDER BY Timestamp DESC LIMIT 1");

permalink.php, line 304:

    $nextlink = mysql_query("SELECT PostID FROM ".POSTS_TBL." WHERE PostID>".intval($_GET['PostID'])." AND Draft=0 ORDER BY Timestamp ASC LIMIT 1");

Note that lines 298 and 304 place the value in an unquoted numeric context, so escaping quote characters alone would not help there; coercing the value to an integer (or binding it as a typed query parameter) is the right fix.

[x] Credits

The vulnerability has been discovered by katharsis - www.katharsis.x2.to
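Added example, not the Writers Block code: the line-212 pattern and the advisory's intval() fix replayed against an in-memory SQLite table (the table, its two rows and the intval() approximation are constructed for the demonstration), with a bound-parameter version as the stronger form of the same fix.

```python
import re
import sqlite3


def make_db():
    """Constructed stand-in for POSTS_TBL with the columns the advisory names."""
    con = sqlite3.connect(":memory:")
    con.execute(
        "CREATE TABLE posts (PostID INTEGER, Title TEXT, Timestamp INTEGER,"
        " Body TEXT, Author TEXT, Draft INTEGER)"
    )
    con.executemany("INSERT INTO posts VALUES (?, ?, ?, ?, ?, ?)", [
        (1, "Public post", 100, "hello", "desi", 0),
        (2, "Unpublished draft", 200, "not yet", "desi", 1),
    ])
    return con


def intval(value):
    """Approximation of PHP intval(): leading integer prefix, otherwise 0."""
    m = re.match(r"\s*[+-]?\d+", str(value))
    return int(m.group()) if m else 0


def vulnerable_permalink(con, post_id):
    """Mirrors permalink.php line 212 before the patch: the raw request value
    is spliced into the SQL string, so the Draft=0 filter can be rewritten."""
    sql = "SELECT Title FROM posts WHERE PostID='%s' AND Draft=0" % post_id
    return [row[0] for row in con.execute(sql)]


def patched_permalink(con, post_id):
    """The advisory's fix: intval() turns the value into a bare integer before
    it reaches the query, so no quote or keyword survives."""
    sql = "SELECT Title FROM posts WHERE PostID='%d' AND Draft=0" % intval(post_id)
    return [row[0] for row in con.execute(sql)]


def parameterized_permalink(con, post_id):
    """Stronger form of the same fix: a bound parameter is data, never parsed
    as SQL, whatever the value contains (type validation is still sensible)."""
    sql = "SELECT Title FROM posts WHERE PostID=? AND Draft=0"
    return [row[0] for row in con.execute(sql, (post_id,))]


if __name__ == "__main__":
    db = make_db()
    # Constructed request value: the classic quote-and-tautology shape.
    hostile = "2' OR '1'='1"
    print("vulnerable:", vulnerable_permalink(db, hostile))   # draft leaks
    print("intval:    ", patched_permalink(db, hostile))      # []
    print("bound:     ", parameterized_permalink(db, hostile))  # []
```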
HPSBMA02317 SSRT080026 rev.1 - HP Select Identity Software, Gain Unauthorized Access
SUPPORT COMMUNICATION - SECURITY BULLETIN

Document ID: c01391833
Version: 1

HPSBMA02317 SSRT080026 rev.1 - HP Select Identity Software, Gain Unauthorized Access

NOTICE: The information in this Security Bulletin should be acted upon as soon as possible.

Release Date: 2008-03-11
Last Updated: 2008-04-01

Potential Security Impact: Gain unauthorized access

Source: Hewlett-Packard Company, HP Software Security Response Team

VULNERABILITY SUMMARY
Potential security vulnerabilities have been identified with HP Select Identity software. The vulnerabilities could be exploited by an authenticated user to gain unauthorized access to other user accounts.

References: CVE-2008-0709

SUPPORTED SOFTWARE VERSIONS*: ONLY impacted versions are listed.
HP Select Identity software v4.00, v4.01, v4.11, v4.12, v4.13, v4.20 running on HP-UX, Windows 2003 Server, Red Hat Linux AS3 and AS4, and Solaris.

BACKGROUND

CVSS 2.0 Base Metrics
Reference      Base Vector                    Base Score
CVE-2008-0709  (AV:L/AC:L/Au:S/C:P/I:P/A:N)   3.2
Information on CVSS is documented in HP Customer Notice: HPSN-2008-002.

RESOLUTION
HP has provided the following software patches to resolve the vulnerability. The patches are available for download from http://support.openview.hp.com/selfsolve/patches

Note: To locate the patches on http://support.openview.hp.com/selfsolve/patches
1. set Product=select identity
2. set Product version=All Versions
3. enter the Patch from the table below into the "Optional: Enter keyword(s) or phrases" window
4. select Search

HP Select Identity Software
Version  Operating Systems                                           Patch
v4.00    Windows 2003 Server, and Red Hat Linux AS3                  HPSI patch 4.00.013
v4.01    HP-UX, Windows 2003 Server, Red Hat Linux AS3, and Solaris  HPSI patch 4.01.015
v4.11    HP-UX, Windows 2003 Server, and Red Hat Linux AS3           HPSI patch 4.11.001HF2
v4.12    HP-UX, Windows 2003 Server, Red Hat Linux AS3, and Solaris  HPSI patch 4.12.000HF7
v4.13    HP-UX, Windows 2003 Server, Red Hat Linux AS3, and Solaris  HPSI patch 4.13.005
v4.20    HP-UX, Windows 2003 Server, and Red Hat Linux AS4           HPSI patch 4.20.001HF1

MANUAL ACTIONS: Yes - Update
Install appropriate patch.

PRODUCT SPECIFIC INFORMATION

HP-UX Software Assistant: HP-UX Software Assistant is an enhanced application that replaces HP-UX Security Patch Check. It analyzes all Security Bulletins issued by HP and lists recommended actions that may apply to a specific HP-UX system. It can also download patches and create a depot automatically. For more information see https://www.hp.com/go/swa

The following text is for use by the HP-UX Software Assistant.

AFFECTED VERSIONS (for HP-UX)
HP-UX B.11.11
HP-UX B.11.23
HP-UX B.11.31
===
action: upgrade Select Identity software if in use.
END AFFECTED VERSIONS (for HP-UX)

HISTORY
Version: 1 (rev.1) - 1 April 2008 Initial release

Third Party Security Patches: Third party security patches which are to be installed on systems running HP software products should be applied in accordance with the customer's patch management policy.

Support: For further information, contact normal HP Services support channel.

Report: To report a potential security vulnerability with any HP supported product, send Email to: [EMAIL PROTECTED]
It is strongly recommended that security related information being communicated to HP be encrypted using PGP, especially exploit information.
To get the security-alert PGP key, please send an e-mail message as follows:
  To: [EMAIL PROTECTED]
  Subject: get key

Subscribe: To initiate a subscription to receive future HP Security Bulletins via Email:
http://h30046.www3.hp.com/driverAlertProfile.php?regioncode=NA&langcode=USENG&jumpid=in_SC-GEN__driverITRC&topiccode=ITRC
On the web page: ITRC security bulletins and patch sign-up
Under Step1: your ITRC security bulletins and patches - check ALL categories for which alerts are required and continue.
Under Step2: your ITRC operating systems - verify your operating system selections are checked and save.

To update an existing subscription: http://h30046.www3.hp.com/subSignIn.php
Log in on the web page: Subscriber's choice for Business: sign-in.
On the web page: Subscriber's Choice: your profile summary - use Edit Profile to update appropriate sections.

To review previously published Security Bulletins visit: http://www.itrc.hp.com/service/cki/secBullArchive.do

* The Software Product Category that this Security Bulletin relates to is represented by the 5th and 6th characters of the Bulletin number in the title:
GN = HP
Datalife Engine 6.7 XSRF
# Datalife Engine 6.7 XSRF Vulnerability By IRCRASH
#
# Discovered by : IRCRASH (R3d.w0rm)
# IRCRASH Team Members : Dr.Crash - Malc0de - R3d.w0rm
#
# Script Download : http://datalifecms.ir/download/DatalifeEngine6.7.zip
#
# XSRF
# XSRF Address : http://site.com/datalife-path/engine/modules/imagepreview.php?image=[XSRF]
#
# Our site : Http://IRCRASH.COM
#
[USN-597-1] OpenSSH vulnerability
===
Ubuntu Security Notice USN-597-1                    April 01, 2008
openssh vulnerability
CVE-2008-1483
===

A security issue affects the following Ubuntu releases:

Ubuntu 6.06 LTS
Ubuntu 6.10
Ubuntu 7.04
Ubuntu 7.10

This advisory also applies to the corresponding versions of Kubuntu, Edubuntu, and Xubuntu.

The problem can be corrected by upgrading your system to the following package versions:

Ubuntu 6.06 LTS:
  openssh-client  1:4.2p1-7ubuntu3.3

Ubuntu 6.10:
  openssh-client  1:4.3p2-5ubuntu1.2

Ubuntu 7.04:
  openssh-client  1:4.3p2-8ubuntu1.2

Ubuntu 7.10:
  openssh-client  1:4.6p1-5ubuntu0.2

In general, a standard system upgrade is sufficient to effect the necessary changes.

Details follow:

Timo Juhani Lindfors discovered that the OpenSSH client, when port forwarding was requested, would listen on any available address family. A local attacker could exploit this flaw on systems with IPv6 enabled to hijack connections, including X11 forwards.

Updated packages for Ubuntu 6.06 LTS:
HPSBTU02325 SSRT080006 rev.1 - HP Internet Express for Tru64 UNIX running PostgreSQL, Arbitrary Code Execution, Privilege Elevation, or Denial of Service (DoS)
SUPPORT COMMUNICATION - SECURITY BULLETIN

Document ID: c01420154
Version: 1

HPSBTU02325 SSRT080006 rev.1 - HP Internet Express for Tru64 UNIX running PostgreSQL, Arbitrary Code Execution, Privilege Elevation, or Denial of Service (DoS)

NOTICE: The information in this Security Bulletin should be acted upon as soon as possible.

Release Date: 2008-04-01
Last Updated: 2008-04-01

Potential Security Impact: Arbitrary code execution, privilege elevation, or Denial of Service (DoS)

Source: Hewlett-Packard Company, HP Software Security Response Team

VULNERABILITY SUMMARY
Potential security vulnerabilities have been identified in PostgreSQL v 8.2.4 and earlier running on HP Internet Express for Tru64 UNIX. The vulnerabilities could be exploited to execute arbitrary code, elevate privilege, or cause a Denial of Service (DoS).

References: CVE-2007-3278, CVE-2007-4769, CVE-2007-4772, CVE-2007-6067, CVE-2007-6600, CVE-2007-6601

SUPPORTED SOFTWARE VERSIONS*: ONLY impacted versions are listed.
The following supported software versions are affected: PostgreSQL v 8.2.4 and earlier as provided with...
HP Internet Express for Tru64 UNIX v 6.7
HP Internet Express for Tru64 UNIX v 6.6

BACKGROUND

CVSS 2.0 Base Metrics
Reference      Base Vector                    Base Score
CVE-2007-3278  (AV:L/AC:M/Au:N/C:C/I:C/A:C)   6.9
CVE-2007-4769  (AV:N/AC:L/Au:S/C:N/I:N/A:C)   6.8
CVE-2007-4772  (AV:N/AC:L/Au:S/C:N/I:N/A:P)   4.0
CVE-2007-6067  (AV:N/AC:L/Au:S/C:N/I:N/A:C)   6.8
CVE-2007-6600  (AV:N/AC:L/Au:S/C:P/I:P/A:N)   5.5
CVE-2007-6601  (AV:L/AC:L/Au:N/C:C/I:C/A:C)   7.2
Information on CVSS is documented in HP Customer Notice: HPSN-2008-002.

RESOLUTION
HP is releasing the following Early Release Patch (ERP) kits publicly for use by any customer until updates are available in mainstream release patch kits.

The resolutions contained in the ERP kits are targeted for availability in the following mainstream kit:
HP Internet Express for Tru64 UNIX v 6.8

The ERP kits use dupatch to install and will not install over any Customer Specific Patches (CSPs) that have file intersections with the ERPs. Contact your service provider for assistance if the installation of the ERPs is blocked by any of your installed CSPs.

The ERP kit provides PostgreSQL v 8.2.6, plus sources and license.

HP Internet Express for Tru64 UNIX v 6.6 or v 6.7
PREREQUISITE: HP Tru64 UNIX v 5.1B-4 PK6 (BL27) or v 5.1B-3 PK5 (BL26)
Name: POSTGRESQL_8.2.6-ES-20080320.tar.gz
Location: http://www.itrc.hp.com/service/patch/patchDetail.do?patchid=POSTGRESQL_8.2.6-ES-20080320

MD5 checksums are available from the ITRC patch database main page. From the patch database main page, click Tru64 UNIX, then click verifying MD5 checksums under useful links.

PRODUCT SPECIFIC INFORMATION

HISTORY
Version: 1 (rev.1) - 1 April 2008 Initial release

Third Party Security Patches: Third party security patches which are to be installed on systems running HP software products should be applied in accordance with the customer's patch management policy.

Support: For further information, contact normal HP Services support channel.

Report: To report a potential security vulnerability with any HP supported product, send Email to: [EMAIL PROTECTED]
It is strongly recommended that security related information being communicated to HP be encrypted using PGP, especially exploit information.
To get the security-alert PGP key, please send an e-mail message as follows:
  To: [EMAIL PROTECTED]
  Subject: get key

Subscribe: To initiate a subscription to receive future HP Security Bulletins via Email:
http://h30046.www3.hp.com/driverAlertProfile.php?regioncode=NA&langcode=USENG&jumpid=in_SC-GEN__driverITRC&topiccode=ITRC
On the web page: ITRC security bulletins and patch sign-up
Under Step1: your ITRC security bulletins and patches - check ALL categories for which alerts are required and continue.
Under Step2: your ITRC operating systems - verify your operating system selections are checked and save.

To update an existing subscription: http://h30046.www3.hp.com/subSignIn.php
Log in on the web page: Subscriber's choice for Business: sign-in.
On the web page: Subscriber's Choice: your profile summary - use Edit Profile to update appropriate sections.

To review previously published Security Bulletins visit: http://www.itrc.hp.com/service/cki/secBullArchive.do

* The Software Product Category that this Security Bulletin relates to is represented by the 5th and 6th characters of the Bulletin number in the title:
GN = HP General SW
MA = HP Management Agents
MI = Misc. 3rd Party SW
MP = HP MPE/iX
NS = HP NonStop Servers
OV = HP OpenVMS
PI = HP Printing & Imaging
ST = HP Storage SW
TL = HP Trusted Linux
TU = HP Tru64 UNIX
UX = HP-UX
VV = HP VirtualVault

System management and security procedures must be reviewed frequently to maintain system integrity. HP is
ANNOUNCE: Apache-SSL security release - apache_1.3.41+ssl_1.59
Folks,

Following information/research provided by Alexander Klink, a new release is out, fixing a low priority security issue as detailed below. The release is on the primary Apache-SSL ftp server and should hit the mirrors over the next few hours, according to their schedules. See http://www.apache-ssl.org for mirrors.

Advisory follows:

||| Security Advisory AKLINK-SA-2008-005 |||
||| CVE-2008-0555 (CVE candidate)        |||

Apache-SSL memory disclosure

Date released: 02.04.2008
Date reported: 17.01.2008
$Revision: 1.1 $

by Alexander Klink
Cynops GmbH
[EMAIL PROTECTED]
https://www.cynops.de/advisories/CVE-2008-0555.txt
(S/MIME signed: https://www.cynops.de/advisories/CVE-2008-0555-signed.txt)
https://www.klink.name/security/aklink-sa-2008-005-apache-ssl.txt
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-0555

Vendor: Adam & Ben Laurie
Product: Apache-SSL
Website: http://www.apache-ssl.org
Vulnerability: memory disclosure, potential privilege escalation in web applications
Class: remote
Status: patched
Severity: low
Releases known to be affected: apache_1.3.34+ssl_1.57
Releases known NOT to be affected: apache_1.3.41+ssl_1.59

+ Background:

Apache-SSL is a secure Webserver, based on Apache and SSLeay/OpenSSL.

+ Overview:

Apache-SSL provides environment variables that are filled with (client) certificate data. If the subject of a client certificate contains special characters, parts of these variables can be overwritten or be filled with other parts of memory.

+ Technical details:

The certificate DN as returned by the OpenSSL X509_NAME_oneline() is passed into the following function:

    static void ExpandCert(pool *p, table *pEnv, char *szPrefix, char *szDN, char *szCert)
    {
        char buf[HUGE_STRING_LEN];
        char *s, *t;

        /* Expand a X509_oneline entry into its base components and register
           them as environment variables. Needed if you want to pass certificate
           information to CGI's. The naming convention SHOULD be fairly
           compatible with CGI's written for stronghold's certificate info - Q */
        /* FIXME - strtok() and strcspn() may cause problems on some systems - Q */
        ap_table_setn(pEnv, szDN, ap_pstrdup(p, szCert));
        ap_cpystrn(buf, szCert, sizeof buf);
        for (s = strtok(buf, "/"); s != NULL; s = strtok(NULL, "/")) {
            int n = strcspn(s, "=");   /* n == strlen(s) when the token carries no '=' */
            s[n] = '\0';
            StrUpper(s);
            t = ap_pstrcat(p, szPrefix, s, NULL);
            /* with n == strlen(s), s + n + 1 lies beyond the token's terminator */
            ap_table_setn(pEnv, t, ap_pstrdup(p, s + n + 1));
        }
    }

The function assumes that the relative distinguished name does not contain a '/'. If a '/' is contained in, for example, the common name, strcspn(s, "=") returns the size of s, so s+n+1 points beyond the current token. Furthermore, environment variables can be overwritten by including '/' and '='. For example, to overwrite the OPENSSL_S_CLIENT_DN_OU variable, one could use a certificate with a CN of "/OU=Fake OU". If an application relies on this information to distinguish certificates into different authorization classes, it can be fooled this way.

+ Communication:

* 17.01.2008: Reported the bug to Ben Laurie
* 17.01.2008: Ben replies and acknowledges the bug
* 01.02.2008: Checking back with Ben on the status
* 01.02.2008: Ben replies that he'll be looking into a patch over the weekend
* 06.02.2008: Ben sends patch and asks for help with testing it
* 07.02.2008: Reply with test results (still a small problem unrelated to the original issue)
* 09.02.2008: Ben sends updated patch
* 11.02.2008: Told Ben that patch works fine
* 18.02.2008: Requested update
* 18.02.2008: Ben replies that he'll deal with it in the next week or so
* 27.02.2008: Requested update
* 27.02.2008: Patch for Apache 1.3.41 is ready, but release is normally managed by Adam Laurie, who is on holiday till March, 11th
* 28.02.2008: Agreed to wait for Adam to return
* 12.03.2008: Ben informs Adam of the new release
* 25.03.2008: Requested update
* 25.03.2008: Ben replies, they are waiting for an updated advisory from me
* 25.03.2008: Sent out updated advisory
* 27.03.2008: Adam says sorry for the delays and that he will try to work on this while he is at a conference in Amsterdam
* 01.04.2008: Coordination with Adam and Ben on a release

+ Solution:

Upgrade to apache_1.3.41+ssl_1.59.

+ Credits:

- Alexander Klink, Cynops GmbH (discovery)

cheers,
Adam

--
Adam Laurie Tel: +44 (0) 1304
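Added example, not Apache-SSL's code: a Python model of the string splitting ExpandCert() performs, which reproduces the overwrite the advisory describes, beside a variant that treats a DN yielding a duplicate key or a key-less token as untrusted. The DN strings are constructed; the variable names follow the OPENSSL_S_CLIENT_DN_* convention quoted in the advisory.

```python
# Constructed oneline-format DN strings, shaped like X509_NAME_oneline() output.
HONEST_DN = "/C=DE/O=Cynops GmbH/OU=Staff/CN=alice"
# The CN contains '/' and '=', so the flat string appears to carry a second OU.
SPOOFED_DN = "/C=DE/O=Cynops GmbH/OU=Staff/CN=/OU=Fake OU"
PREFIX = "OPENSSL_S_CLIENT_DN_"


def expand_cert_naive(dn, prefix=PREFIX):
    """Models the strtok('/') + strcspn('=') loop of ExpandCert(): every
    '/'-separated token becomes a variable, later tokens silently overwrite
    earlier ones, and a token without '=' yields an empty value (in the C
    code s+n+1 then points past the token's terminator)."""
    env = {}
    for token in filter(None, dn.split("/")):   # strtok() skips empty tokens
        n = token.find("=")
        if n == -1:
            key, value = token, ""               # C: s + n + 1 is out of bounds
        else:
            key, value = token[:n], token[n + 1:]
        env[prefix + key.upper()] = value
    return env


class AmbiguousDN(ValueError):
    """The flat DN string cannot be mapped to variables unambiguously."""


def expand_cert_checked(dn, prefix=PREFIX):
    """Same split, but refuse a DN whose tokens repeat a key or lack '=': such
    a string cannot be attributed to the certificate's signed fields with
    confidence, so no authorisation decision should be based on it."""
    env = {}
    for token in filter(None, dn.split("/")):
        n = token.find("=")
        if n == -1:
            raise AmbiguousDN("token without '=': %r" % token)
        key = prefix + token[:n].upper()
        if key in env:
            raise AmbiguousDN("attribute %r appears twice" % key)
        env[key] = token[n + 1:]
    return env


def is_ambiguous(dn):
    """True if expand_cert_checked() would reject this DN."""
    try:
        expand_cert_checked(dn)
    except AmbiguousDN:
        return True
    return False


if __name__ == "__main__":
    for name, dn in (("honest", HONEST_DN), ("spoofed", SPOOFED_DN)):
        print(name, "naive OU =", expand_cert_naive(dn)[PREFIX + "OU"],
              "| rejected by checked parser:", is_ambiguous(dn))
```

Real subjects may legitimately carry several OU values, so in production the rejection above stands in for reading each attribute from the parsed X509_NAME structure rather than from the flattened string; the point is that the oneline text alone is not a trustworthy input for authorisation.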
Directory traversal in LANDesk Management Suite 8.80.1.1
###

Luigi Auriemma

Application:  LANDesk Management Suite
              http://www.landesk.com/products/ldms/index.aspx
Versions:     <= 8.80.1.1
Platforms:    Windows
Bug:          directory traversal
Exploitation: remote
Date:         01 Apr 2008
Author:       Luigi Auriemma
              e-mail: [EMAIL PROTECTED]
              web:    aluigi.org

###

1) Introduction
2) Bug
3) The Code
4) Fix

###

=== 1) Introduction ===

LANDesk is a well known system management software.

###

=== 2) Bug ===

The PXE TFTP Service is vulnerable to a classical directory traversal vulnerability exploitable through the adding of one or more chars before the usual dotdot pattern. The interesting thing is that version 8.80.1.1 has been released just to fix another directory traversal vulnerability.

###

=== 3) The Code ===

http://aluigi.org/testz/tftpx.zip

  tftpx SERVER x\..\..\..\..\..\..\..\boot.ini none
  tftpx SERVER what_you_want/../../../../../../../windows/win.ini none

###

=== 4) Fix ===

No fix

###

---
Luigi Auriemma
http://aluigi.org
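An added defensive example, not LANDesk's code: a root-confinement check for a TFTP-style file service that normalises the whole request path (mixed separators, a leading name before the dot-dot run, as in the advisory's request strings) before deciding whether it stays under the served directory, beside the prefix-only check that such requests slip past. The served root and the benign request strings are constructed; the hostile ones are the advisory's own.

```python
import posixpath

# Constructed served root; paths are handled purely as strings so the check
# runs anywhere without touching the filesystem.
TFTP_ROOT = "/srv/tftp"


def starts_with_dotdot(requested):
    """The insufficient check: it only catches a request that *begins* with '..',
    so 'x\\..\\..\\boot.ini' passes even though it climbs out of the root."""
    return requested.startswith("..")


def resolve_under_root(root, requested):
    """Return the absolute path a request maps to, or None if it would leave root.

    Normalising first means a leading component cannot hide the climb: 'x/../..'
    collapses to '..', which is then rejected."""
    # Treat both separators alike: Windows TFTP services accept '\' and '/'.
    cleaned = requested.replace("\\", "/")
    # Drop any leading slash so the request is always relative to root.
    cleaned = cleaned.lstrip("/")
    # Collapse '.', '..' and repeated slashes lexically.
    normalised = posixpath.normpath(cleaned)
    if normalised == ".." or normalised.startswith("../"):
        return None
    full = posixpath.normpath(posixpath.join(root, normalised))
    # Belt and braces: the joined result must still sit inside root.
    root = root.rstrip("/")
    if full != root and not full.startswith(root + "/"):
        return None
    return full


if __name__ == "__main__":
    for req in ("boot/pxelinux.0",
                "x\\..\\..\\..\\..\\..\\..\\..\\boot.ini",
                "what_you_want/../../../../../../../windows/win.ini"):
        print("%-55s prefix-check=%-5s resolved=%s" % (
            req, not starts_with_dotdot(req), resolve_under_root(TFTP_ROOT, req)))
```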
RE: Internet explorer 7.0 spoofing
He's basically saying that if you create a popup small enough width-wise, then you can hide everything before the # so that unless the user actually goes into the address bar and scrolls left, all they will see is what you put after the #. Here's a screenshot so you can see what he's talking about: http://lh6.google.com/mikediaz.360/R_PpsHN-hCI/ABc/_F2JZMpUiS4/Screenshot.png
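As an added illustration for this thread (not code from any of the posters): what a URL parser actually treats as the destination of the address the first reply reports, a simulation of the narrow address bar that shows only the tail, and a check a defender can apply to flag fragments that look like host names. The sample URL is the one quoted in the thread; the bar width is constructed.

```python
import re
from urllib.parse import urlsplit

# The address the first reply reports seeing in the popup.
SAMPLE_URL = "http://www.google.com.ar/#www.microsoft.com"

# Loose host-name shape: dotted labels, optionally followed by a path.
_HOSTLIKE = re.compile(r"^(?:[a-z0-9-]+\.)+[a-z]{2,}(?:/.*)?$", re.IGNORECASE)


def real_destination(url):
    """Return (host the browser connects to, fragment it never sends).

    Everything after '#' is client-side only: it is not part of the request
    and has no bearing on which site is loaded, which is exactly why a spoof
    can park a plausible-looking address there."""
    parts = urlsplit(url)
    return parts.hostname, parts.fragment


def visible_tail(url, width):
    """Simulate a narrow address bar that shows only the right-most characters."""
    return url[-width:] if width < len(url) else url


def fragment_masquerades_as_host(url):
    """True when the fragment looks like a host name that differs from the real
    host: the shape of the spoof discussed in the thread."""
    host, fragment = real_destination(url)
    if not fragment or not _HOSTLIKE.match(fragment):
        return False
    # A fragment that merely repeats the real host is not a spoof attempt.
    return fragment.split("/")[0].lower() != (host or "").lower()


if __name__ == "__main__":
    host, frag = real_destination(SAMPLE_URL)
    print("connects to:", host)
    print("fragment:   ", frag)
    print("18-char bar shows:", visible_tail(SAMPLE_URL, 18))
    print("flagged:", fragment_masquerades_as_host(SAMPLE_URL))
```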
[ MDVSA-2008:081 ] - Updated CUPS packages fix multiple vulnerabilities
___
Mandriva Linux Security Advisory                         MDVSA-2008:081
http://www.mandriva.com/security/
___

Package : cups
Date    : April 2, 2008
Affected: 2007.0, 2007.1, 2008.0, Corporate 3.0, Corporate 4.0
___

Problem Description:

A heap-based buffer overflow in CUPS 1.2.x and later was discovered by regenrecht of VeriSign iDefense that could allow a remote attacker to execute arbitrary code via a crafted CGI search expression (CVE-2008-0047).

A validation error in the HP-GL/2 filter was also discovered (CVE-2008-0053).

Finally, a vulnerability in how CUPS handled GIF files was found by Tomas Hoger of Red Hat, similar to previous issues corrected in PHP, gd, tk, netpbm, and SDL_image (CVE-2008-1373).

The updated packages have been patched to correct these issues.
___

References:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-0047
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-0053
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1373
___

Updated Packages: