www file share pro 5.30 insecure multiple

2008-05-21 Thread output
This server, which has now reached version 5.30, still contains many
insecure elements:


it does not check the file extensions of the files loaded

not figure the pass not esitone setting permits 666 777 etc.

Minimal PoC:

http://gmda.altervista.org/wfsp530xpl/wfsp530exp.bat.txt


iDefense Security Advisory 05.21.08: Multiple Vendor Snort IP Fragment TTL Evasion Vulnerability

2008-05-21 Thread iDefense Labs

iDefense Security Advisory 05.21.08
http://labs.idefense.com/intelligence/vulnerabilities/
May 21, 2008

I. BACKGROUND

Snort is an open source network intrusion detection (IDS) and prevention
system (IPS). In addition to being available as a package for most Unix
operating system distributions, various commercial hardware devices
also use Snort as an IDS/IPS. For more information, see the vendor's
website found at the following URL.

http://www.snort.org/

II. DESCRIPTION

Remote exploitation of a design error vulnerability in Snort, as
included in various vendors' operating system distributions, could
allow an attacker to bypass filter rules.

Due to a design error vulnerability, Snort does not properly reassemble
fragmented IP packets. When receiving incoming fragments, Snort checks
the Time To Live (TTL) value of the fragment, and compares it to the
TTL of the initial fragment. If the difference between the initial
fragment and the following fragments is more than a configured amount,
the fragments will be silently discarded. This results in valid traffic
not being examined and/or filtered by Snort.

III. ANALYSIS

Exploitation of this vulnerability allows an attacker to bypass all
Snort rules. In order to exploit this vulnerability, an attacker would
have to fragment IP packets destined for a targeted host, ensuring that
the TTL difference is greater than the configured maximum. By default,
the maximum difference is 5.

If an attacker is successful, all fragments with invalid TTL differences
will be dropped. No rules will be applied to them.

IV. DETECTION

iDefense has confirmed the existence of this vulnerability in Snort 2.8
and 2.6. Snort 2.4 is not vulnerable.

V. WORKAROUND

In the snort.conf file, set the ttl_limit configuration value to 255 as
shown below.

 preprocessor frag3_engine: ttl_limit 255

This will set the allowable difference to the maximum possible value,
and prevent fragments from being dropped.

VI. VENDOR RESPONSE

Sourcefire has addressed this vulnerability by releasing version 2.8.1
of Snort. For more information consult their change log and source
differences at the following URLs.

http://cvs.snort.org/viewcvs.cgi/snort/ChangeLog?rev=1.534.2.11

http://cvs.snort.org/viewcvs.cgi/snort/src/preprocessors/spp_frag3.c.diff?r1=text&tr1=1.46.2.4&r2=text&tr2=1.46.2.5&diff_format=h

VII. CVE INFORMATION

The Common Vulnerabilities and Exposures (CVE) project has assigned the
name CVE-2008-1804 to this issue. This is a candidate for inclusion in
the CVE list (http://cve.mitre.org/), which standardizes names for
security problems.

VIII. DISCLOSURE TIMELINE

02/26/2008  Initial vendor notification
02/26/2008  Initial vendor response
05/21/2008  Coordinated public disclosure

IX. CREDIT

This vulnerability was reported to iDefense by Silvio Cesare.

Get paid for vulnerability research
http://labs.idefense.com/methodology/vulnerability/vcp.php

Free tools, research and upcoming events
http://labs.idefense.com/

X. LEGAL NOTICES

Copyright © 2008 iDefense, Inc.

Permission is granted for the redistribution of this alert
electronically. It may not be edited in any way without the express
written consent of iDefense. If you wish to reprint the whole or any
part of this alert in any other medium other than electronically,
please e-mail [EMAIL PROTECTED] for permission.

Disclaimer: The information in the advisory is believed to be accurate
at the time of publishing based on currently available information. Use
of the information constitutes acceptance for use in an AS IS condition.
There are no warranties with regard to this information. Neither the
author nor the publisher accepts any liability for any direct,
indirect, or consequential loss or damage arising from use of, or
reliance on, this information.
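The frag3 TTL check that the iDefense advisory above describes, and the ttl_limit workaround it recommends, reduced to a small simulation. This is an added example, not Snort's own code: it models only the rule the advisory states (a fragment whose TTL differs from the first fragment's TTL by more than ttl_limit is silently discarded) and leaves out timeouts, overlap policies and the rest of real frag3, so the effect of the default limit (5) can be compared with the workaround value (255) on a constructed fragmented datagram.

```python
"""Model of the frag3 TTL check described in the iDefense Snort advisory.

Added example, not Snort's own code. Fragments whose TTL differs from the
first fragment's TTL by more than ttl_limit are discarded silently, so the
datagram never reassembles and no rule is evaluated against it.
"""
from dataclasses import dataclass, field


@dataclass
class Fragment:
    ip_id: int      # IP identification field shared by all fragments of one datagram
    offset: int     # fragment offset, in 8-byte units as on the wire
    more: bool      # MF flag: True for every fragment except the last
    ttl: int        # IP Time To Live of this fragment
    payload: bytes


@dataclass
class Frag3Engine:
    ttl_limit: int = 5                               # snort.conf default per the advisory
    trackers: dict = field(default_factory=dict)     # ip_id -> {"ttl": int, "frags": [...]}
    dropped: list = field(default_factory=list)      # fragments discarded by the TTL check

    def accept(self, frag):
        """Offer one fragment; return the reassembled datagram when complete, else None."""
        tracker = self.trackers.get(frag.ip_id)
        if tracker is None:
            # The first fragment seen for this datagram fixes the reference TTL
            # (the advisory's "initial fragment").
            tracker = {"ttl": frag.ttl, "frags": []}
            self.trackers[frag.ip_id] = tracker
        elif abs(frag.ttl - tracker["ttl"]) > self.ttl_limit:
            # The behaviour the advisory calls a design error: the fragment is
            # discarded silently, so the datagram never completes and no rule
            # is ever evaluated against its payload.
            self.dropped.append(frag)
            return None
        tracker["frags"].append(frag)
        return self._reassemble(frag.ip_id)

    def _reassemble(self, ip_id):
        frags = sorted(self.trackers[ip_id]["frags"], key=lambda f: f.offset)
        if frags[-1].more:
            return None                          # last fragment not seen yet
        data, expected = b"", 0
        for f in frags:
            if f.offset * 8 != expected:
                return None                      # hole in the datagram
            data += f.payload
            expected += len(f.payload)
        del self.trackers[ip_id]
        return data


def run_engine(fragments, ttl_limit):
    """Run fragments through an engine; return (datagrams handed to rules, dropped count)."""
    engine = Frag3Engine(ttl_limit=ttl_limit)
    seen = [d for d in (engine.accept(f) for f in fragments) if d is not None]
    return seen, len(engine.dropped)


# Constructed sample: one HTTP request split into three fragments; the middle
# fragment's TTL differs from the first one's by 14, more than the default 5.
SAMPLE = [
    Fragment(0x1234, 0, True, 64, b"GET /index.html "),
    Fragment(0x1234, 2, True, 50, b"HTTP/1.0\r\nHost: "),
    Fragment(0x1234, 4, False, 64, b"example.test\r\n\r\n"),
]

if __name__ == "__main__":
    # Default config drops the middle fragment and never inspects the request;
    # "preprocessor frag3_engine: ttl_limit 255" lets it reassemble.
    for limit in (5, 255):
        datagrams, dropped = run_engine(SAMPLE, limit)
        print(f"ttl_limit {limit}: {len(datagrams)} datagram(s) inspected, "
              f"{dropped} fragment(s) dropped")
```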


CORE-2008-0126: Multiple vulnerabilities in iCal

2008-05-21 Thread Core Security Technologies Advisories
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1


  Core Security Technologies - CoreLabs Advisory
   http://www.coresecurity.com/corelabs/

Multiple vulnerabilities in iCal


*Advisory Information*

Title: Multiple vulnerabilities in iCal
Advisory ID: CORE-2008-0126
Advisory URL: http://www.coresecurity.com/?action=item&id=2219
Date published: 2008-05-21
Date of last update: 2008-05-21
Vendors contacted: Apple Inc.
Release mode: Coordinated release


*Vulnerability Information*

Class: Input Validation
Remotely Exploitable: Yes (client-side)
Locally Exploitable: No
Bugtraq ID: 28629 28632 28633   
CVE Name: CVE-2008-1035 CVE-2008-2006 CVE-2008-2007 


*Vulnerability Description*

iCal is a personal calendar application from Apple Inc. included on the
Mac OS X operating system. The calendar application can be used as a
stand-alone application or as a client-side component to a calendar server
that lets users create and share multiple calendars and subscribe to
other users' calendars. Apple's iCal uses the iCalendar standard for its
calendar file format (which uses the '.ics' filename extension) [1] and
the CalDAV protocol for calendar sharing [2]. There is a growing number
of web sites providing calendar files and open subscription to calendar
updates [3][4][5].

 Three vulnerabilities discovered in the iCal application may allow
un-authenticated attackers to execute arbitrary code on vulnerable
systems with (and potentially without) the assistance from the end user
of the application or to repeatedly execute a denial of service attack
to crash the iCal application.

 The most serious of the three vulnerabilities is due to potential
memory corruption resulting from a resource liberation bug that can be
triggered with a malformed '.ics' calendar file specially crafted by a
would-be attacker.

 The other two vulnerabilities lead to abnormal termination (crash) of
the iCal application due to null-pointer dereference bugs triggered
while parsing malformed '.ics' files. The ability to inject and
execute arbitrary code on vulnerable systems using these two
vulnerabilities was researched but not proven possible.

 Exploitation of these vulnerabilities in a client-side attack scenario
is possible with user assistance by opening or clicking on a specially
crafted '.ics' file sent over email or hosted on a malicious web server;
or without direct user assistance if a would-be attacker has the ability
to legitimately add or modify calendar files on a CalDAV server.


*Vulnerable Packages*

. iCal version 3.0.1 on MacOS X 10.5.1 (Leopard).


*Non-vulnerable Packages*

. Available through Apple security updates (see vendor information below).


*Vendor Information, Solutions and Workarounds*

The following information was provided by the vendor:

 Availability

 Apple security updates are available via the Software Update mechanism:
http://support.apple.com/kb/HT1338

 Apple security updates are also available for manual download via:
http://www.apple.com/support/downloads/

 Cross-References

 If you provide cross-referencing information in your advisory please
link to the following URL: http://support.apple.com/kb/HT1222


*Credits*

These vulnerabilities were discovered and researched by Rodrigo
Carvalho, from the Core Security Consulting Services (SCS) team of Core
Security Technologies during Bugweek 2007. Additional research was done
by Ricardo Narvaja from CORE IMPACT the Exploit Writers Team (EWT).


*Technical Description / Proof of Concept Code*

Three vulnerabilities discovered in the iCal application may allow
un-authenticated attackers to execute arbitrary code on vulnerable
systems with (and potentially without) the assistance from the end user
of the application or to repeatedly execute a denial of service attack
to crash the iCal application.

 A client-side attack directed to the end-users of the iCal application
can be executed by sending an email with a malicious .ics file
attachment, by hosting a malicious .ics file on a web site and directing
users to open it, or by injecting a malicious .ics file on a CalDAV
enabled server to which potential victims are subscribed to update their
calendars automatically. In the three reported cases the vulnerabilities
arise from improper validation of input while or after parsing of the
calendar file format.

 1) Null pointer de-reference #1 (Bugtraq ID 28629, CVE-2008-2006)

 Improper sanitization of integer input may lead to null pointer
dereference and possibly to an application that loses control of its
execution, resulting in a denial of service.

 A vulnerable .ics file will contain the following line:

/---

RRULE:FREQ=DAILY;INTERVAL=1;COUNT=2147483646

---/

 The 'COUNT' value causes an integer overflow, which leads to a null
pointer dereference when iCal tries to use it after the .ics file is
imported.

 The following Proof of Concept (PoC) file is provided to demonstrate
its feasibility, to trigger the
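The RRULE line quoted in the Core advisory above is accepted by iCal and its COUNT later overflows. The following validating parser for that line format is an added example, not Apple's or Core's code: it rejects numeric RRULE parts that are not plain positive integers, that do not fit a signed 32-bit integer, or (for COUNT) that exceed an application-chosen occurrence cap; the cap value used here is an assumption for the example.

```python
"""Validating RRULE parser for the iCalendar '.ics' lines discussed above.

Added example, not Apple's code. The advisory traces the first crash to an
RRULE whose COUNT (2147483646) is accepted at import and overflows when used;
this parser refuses such values before the application ever uses them.
"""
import re

FREQS = {"SECONDLY", "MINUTELY", "HOURLY", "DAILY", "WEEKLY", "MONTHLY", "YEARLY"}
INT32_MAX = 2**31 - 1


class RRuleError(ValueError):
    """Raised for any RRULE the application should refuse to import."""


def parse_rrule(line, max_count=100_000):
    """Parse one 'RRULE:' content line into a dict with validated integer parts.

    max_count is an assumed application cap on how many occurrences a rule may
    expand to; a real application picks one it can actually allocate.
    """
    if not line.startswith("RRULE:"):
        raise RRuleError("not an RRULE content line")
    parts = {}
    for item in line[len("RRULE:"):].rstrip("\r\n").split(";"):
        if "=" not in item:
            raise RRuleError(f"malformed rule part {item!r}")
        name, value = item.split("=", 1)
        name = name.upper()
        if name in parts:
            raise RRuleError(f"duplicate rule part {name}")
        parts[name] = value
    if parts.get("FREQ") not in FREQS:
        raise RRuleError("FREQ missing or not a known frequency")
    for name in ("INTERVAL", "COUNT"):
        if name not in parts:
            continue
        # Bound the digit count first so int() never sees an absurd string.
        if not re.fullmatch(r"[0-9]{1,10}", parts[name]):
            raise RRuleError(f"{name} is not a plain decimal integer")
        n = int(parts[name])
        # Positive, representable in a 32-bit int, and (for COUNT) no larger
        # than what this application is prepared to expand into occurrences.
        if n < 1 or n > INT32_MAX or (name == "COUNT" and n > max_count):
            raise RRuleError(f"{name}={n} outside the accepted range")
        parts[name] = n
    if "COUNT" in parts and "UNTIL" in parts:
        raise RRuleError("COUNT and UNTIL are mutually exclusive")
    return parts


def is_safe_rrule(line, max_count=100_000):
    """True if the line would be accepted by parse_rrule."""
    try:
        parse_rrule(line, max_count)
        return True
    except RRuleError:
        return False


# Constructed samples: the advisory's crashing line beside an ordinary one.
MALFORMED = "RRULE:FREQ=DAILY;INTERVAL=1;COUNT=2147483646"
BENIGN = "RRULE:FREQ=WEEKLY;INTERVAL=2;COUNT=10;BYDAY=MO,WE"

if __name__ == "__main__":
    for sample in (MALFORMED, BENIGN):
        print(f"{'accept' if is_safe_rrule(sample) else 'reject'}: {sample}")
```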

Re: Vbulletin 3.7.0 Gold >> Sql injection on faq.php

2008-05-21 Thread Matias Blanco

This exploit is valid. We've just exploited it.

VBulletin 3.7.0 Gold.

[EMAIL PROTECTED] wrote:
This is invalid. the variable q is taken, split into words, and then each word is escaped for usage within the DB. 


Once again, this is invalid
  




[SECURITY] [DSA 1584-1] New libfishsound packages fix execution of arbitrary code

2008-05-21 Thread Steve Kemp
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

- 
Debian Security Advisory DSA-1584-1  [EMAIL PROTECTED]
http://www.debian.org/security/   Steve Kemp
May 21, 2008  http://www.debian.org/security/faq
- 

Package: libfishsound
Vulnerability  : integer overflow
Problem type   : local
Debian-specific: no
CVE Id(s)  : CVE-2008-1686
Debian Bug : 475152

It was discovered that libfishsound, a simple programming interface that
wraps Xiph.Org audio codecs, didn't correctly handle negative values in
a particular header field.  This could allow malicious files to execute
arbitrary code.

For the stable distribution (etch), this problem has been fixed in version
0.7.0-2etch1.

For the unstable distribution (sid), this problem has been fixed in
version 0.7.0-2.2.

We recommend that you upgrade your libfishsound package.


Upgrade instructions
- 

wget url
will fetch the file for you
dpkg -i file.deb
will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given below:

apt-get update
will update the internal database
apt-get upgrade
will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.


Debian GNU/Linux 4.0 alias etch

[USN-612-8] openssl-blacklist update

2008-05-21 Thread Jamie Strandboge
=== 
Ubuntu Security Notice USN-612-8   May 21, 2008
openssl-blacklist update
http://www.ubuntu.com/usn/usn-612-1
http://www.ubuntu.com/usn/usn-612-3
===

A security issue affects the following Ubuntu releases:

Ubuntu 6.06 LTS
Ubuntu 7.04
Ubuntu 7.10
Ubuntu 8.04 LTS

This advisory also applies to the corresponding versions of
Kubuntu, Edubuntu, and Xubuntu.

The problem can be corrected by upgrading your system to the
following package versions:

Ubuntu 6.06 LTS:
  openssl-blacklist   0.1-0ubuntu0.6.06.1

Ubuntu 7.04:
  openssl-blacklist   0.1-0ubuntu0.7.04.4

Ubuntu 7.10:
  openssl-blacklist   0.1-0ubuntu0.7.10.4

Ubuntu 8.04 LTS:
  openssl-blacklist   0.1-0ubuntu0.8.04.4

In general, a standard system upgrade is sufficient to effect the
necessary changes.

Details follow:

USN-612-3 addressed a weakness in OpenSSL certificate and key
generation in OpenVPN by introducing openssl-blacklist to aid in
detecting vulnerable private keys. This update enhances the
openssl-vulnkey tool to check X.509 certificates as well, and
provides the corresponding update for Ubuntu 6.06. While the
OpenSSL in Ubuntu 6.06 was not vulnerable, openssl-blacklist is
now provided for Ubuntu 6.06 for checking certificates and keys
that may have been imported on these systems.

This update also includes the complete RSA-1024 and RSA-2048
blacklists for all Ubuntu architectures, as well as support for
other future blacklists for non-standard bit lengths.

You can check for weak SSL/TLS certificates by installing
openssl-blacklist via your package manager, and using the
openssl-vulnkey command.

$ openssl-vulnkey /path/to/certificate_or_key

This command can be used on public certificates and private keys
for any X.509 certificate or RSA key, including ones for web
servers, mail servers, OpenVPN, and others. If in doubt, destroy
the certificate and key and generate new ones. Please consult the
documentation for your software when recreating SSL/TLS
certificates. Also, if certificates have been generated for use
on other systems, they must be found and replaced as well.

Original advisory details:

 A weakness has been discovered in the random number generator used
 by OpenSSL on Debian and Ubuntu systems.  As a result of this
 weakness, certain encryption keys are much more common than they
 should be, such that an attacker could guess the key through a
 brute-force attack given minimal knowledge of the system.  This
 particularly affects the use of encryption keys in OpenSSH, OpenVPN
 and SSL certificates.



Cisco Security Advisory: Cisco Voice Portal Privilege Escalation Vulnerability

2008-05-21 Thread Cisco Systems Product Security Incident Response Team
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

Cisco Security Advisory: Cisco Voice Portal Privilege Escalation
Vulnerability

Advisory ID: cisco-sa-20080521-cvp

http://www.cisco.com/warp/public/707/cisco-sa-20080521-cvp.shtml

Revision 1.0

For Public Release 2008 May 21 1600 UTC (GMT)

Summary
===

A vulnerability exists in the Cisco Unified Customer Voice Portal (CVP)
where an authenticated user can create, modify, or delete a superuser
account. Cisco has released free software updates that address this
vulnerability.

This advisory is posted at
http://www.cisco.com/warp/public/707/cisco-sa-20080521-cvp.shtml.

Affected Products
=

Vulnerable Products
+--

CVP software versions prior to 4.0(2)_ES14 for the 4.0.x release,
4.1(1)_ES11 for the 4.1.x release, and 7.0(1) for the 7.x release are
vulnerable.

Note: CVP systems running software release 3.x are not vulnerable.

Products Confirmed Not Vulnerable
+

CVP systems running software release 3.x are not vulnerable. CVP systems
running version 7.0(1) or later are not vulnerable. No other Cisco
products are currently known to be affected by this vulnerability.

Details
===

Cisco Unified Customer Voice Portal (CVP), which is part of Cisco
Customer Interaction Network solution, provides customer voice and
video self-service integration. Using CVP, organizations can provide
intelligent, personalized self-service over the phone, allowing
customers to efficiently retrieve the information they need from the
contact center.

There are three different user roles within CVP: superuser,
administrator, and read-only access. A vulnerability exists in CVP
where a user with an administrator role can create, modify, or delete a
superuser account, which has greater system privileges.

This vulnerability is documented in the Cisco Bug ID CSCsj93874 and has
been assigned Common Vulnerability and Exposures (CVE) ID CVE-2008-2053.

Vulnerability Scoring Details
+

Cisco has provided scores for the vulnerability in this advisory based
on the Common Vulnerability Scoring System (CVSS). The CVSS scoring in
this Security Advisory is done in accordance with CVSS version 2.0.

CVSS is a standards-based scoring method that conveys vulnerability
severity and helps determine urgency and priority of response.

Cisco has provided a base and temporal score. Customers can then
compute environmental scores to assist in determining the impact of the
vulnerability in individual networks.

Cisco has provided an FAQ to answer additional questions regarding CVSS at

http://www.cisco.com/web/about/security/intelligence/cvss-qandas.html.

Cisco has also provided a CVSS calculator to help compute the
environmental impact for individual networks at

http://intellishield.cisco.com/security/alertmanager/cvss.

* Possible to create & delete superuser accounts from user
  accounts (CSCsj93874)

CVSS Base Score - 9.0
Access Vector -Network
Access Complexity -Low
Authentication -   Single
Confidentiality Impact -   Complete
Integrity Impact - Complete
Availability Impact -  Complete

CVSS Temporal Score - 7.4
Exploitability -   Functional
Remediation Level -Official-Fix
Report Confidence -Confirmed


Impact
==

Successful exploitation of the vulnerability may result in full control
of the system.

Software Versions and Fixes
===

This vulnerability is fixed in the Cisco Unified Customer Voice Portal
(CVP) software version 4.0(2)_ES14 for the 4.0.x release, 4.1(1)_ES11
for the 4.1.x release, and 7.0(1) for the 7.x release.

CVP software version 4.0(2)_ES14 can be downloaded from:
http://www.cisco.com/pcgi-bin/tablebuild.pl/36833091037661f49ad8152368c22bbf

CVP software version 4.1(1)_ES11 can be downloaded from:
http://www.cisco.com/pcgi-bin/tablebuild.pl/946b57654c80187da8c3cfc0aa02866e

When considering software upgrades, also consult
http://www.cisco.com/go/psirt and any subsequent advisories to determine
exposure and a complete upgrade solution.

In all cases, customers should exercise caution to be certain the
devices to be upgraded contain sufficient memory and that current
hardware and software configurations will continue to be supported
properly by the new release. If the information is not clear, contact
the Cisco Technical Assistance Center (TAC) or your contracted
maintenance provider for assistance.

Workarounds
===

There are no workarounds for this vulnerability.

Obtaining Fixed Software


Cisco has released free software updates that address this
vulnerability. Prior to deploying software, customers should consult
their maintenance provider or check the software for feature set
compatibility and known issues specific to their environment.

Customers may only install and expect support for the feature
sets they have purchased

Cisco Security Advisory: Cisco IOS Secure Shell Denial of Service

2008-05-21 Thread Cisco Systems Product Security Incident Response Team
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

Cisco Security Advisory: Cisco IOS Secure Shell Denial of Service
Vulnerabilities

Advisory ID: cisco-sa-20080521-ssh

http://www.cisco.com/warp/public/707/cisco-sa-20080521-ssh.shtml

Revision 1.0

For Public Release 2008 May 21 1600 UTC (GMT)

+

Summary
===

The Secure Shell server (SSH) implementation in Cisco IOS contains
multiple vulnerabilities that allow unauthenticated users the ability
to generate a spurious memory access error or, in certain cases,
reload the device.

The IOS SSH server is an optional service that is disabled by
default, but its use is highly recommended as a security best
practice for management of Cisco IOS devices. SSH can be configured
as part of the AutoSecure feature in the initial configuration of IOS
devices, AutoSecure run after initial configuration, or manually.
Devices that are not configured to accept SSH connections are not
affected by these vulnerabilities.

Common Vulnerabilities and Exposures (CVE) identifier CVE-2008-1159
has been assigned to this vulnerability.

This advisory is posted at 
http://www.cisco.com/warp/public/707/cisco-sa-20080521-ssh.shtm

Affected Products
=

Vulnerable Products
+--

Cisco devices running certain 12.4-based IOS releases and configured
to be managed via SSH may be affected by this issue.

The IOS secure shell server is disabled by default. To determine if
SSH is enabled, use the show ip ssh command.

Router#show ip ssh
SSH Enabled - version 2.0
Authentication timeout: 120 secs; Authentication retries: 3

The previous output shows that SSH is enabled on this device and that
the SSH protocol major version that is being supported is 2.0. If the
text "SSH Disabled" is displayed, the device is not vulnerable.
Possible values for the SSH protocol version reported by IOS are:

  * 1.5: only SSH protocol version 1 is enabled
  * 1.99: SSH protocol version 2 with SSH protocol version 1
compatibility enabled
  * 2.0: only SSH protocol version 2 is enabled

For more information about SSH versions in IOS, please check the
following URL: 
http://www.cisco.com/en/US/docs/ios/12_3t/12_3t4/feature/guide/gt_ssh2.html

The SSH server is not available in all IOS images. Devices that do
not support SSH are not vulnerable. Please consult the table of fixed
software in the Software Version and Fixes section for the specific
12.4-based IOS releases that are affected.

To determine the software running on a Cisco product, log in to the
device and issue the show version command to display the system
banner. Cisco IOS software will identify itself as "Internetwork
Operating System Software" or simply "IOS". The image name will be
displayed between parentheses on the next line of output followed by
"Version" and the IOS release name. Other Cisco devices will not have
the show version command or will give different output.

The following example identifies a Cisco product running IOS release
12.4(17):

Cisco IOS Software, C2600 Software (C2600-ADVENTERPRISEK9-M), Version 12.4(17), RELEASE SOFTWARE (fc1)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2007 by Cisco Systems, Inc.
Compiled Fri 07-Sep-07 16:05 by prod_rel_team

ROM: System Bootstrap, Version 12.2(8r) [cmong 8r], RELEASE SOFTWARE (fc1)

Router uptime is 1 week, 5 hours, 5 minutes
System returned to ROM by power-on
System image file is "flash:c2600-adventerprisek9-mz.124-17.bin"

Additional information about Cisco IOS release naming is available at
http://www.cisco.com/warp/public/620/1.html

Products Confirmed Not Vulnerable
+

Cisco devices that do not run IOS are not affected.

Cisco IOS devices that do not have the SSH server feature enabled are
not affected.

IOS-XR images are not affected.

The following IOS release trains are not affected:

  * 10-based releases
  * 11-based releases
  * 12.0-based releases
  * 12.1-based releases
  * 12.2-based releases
  * 12.3-based releases

IOS releases prior to 12.4(7), 12.4(13d)JA, and 12.4(9)T are not
affected by this vulnerability.

No other Cisco products are currently known to be affected by these
vulnerabilities.

Details
===

Secure shell (SSH) was developed as a secure replacement for the
telnet, ftp, rlogin, rsh, and rcp protocols, which allow for the
remote access of devices. The main difference between SSH and older
protocols is that SSH provides strong authentication, guarantees
confidentiality, and uses encrypted transactions.

The server side of the SSH implementation in Cisco IOS contains
multiple vulnerabilities that allow an unauthenticated user to
generate a spurious memory access or, in certain cases, reload the
device. If the attacker is able to reload the device, these
vulnerabilities could be repeatedly exp
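A triage helper for the Cisco IOS SSH advisory above, written as an added example rather than any Cisco tooling. It applies the two checks the advisory gives, the "show ip ssh" status and the release string from "show version", and rules a device out when the advisory does; anything left over (a 12.4-based release at or after 12.4(7), 12.4(9)T or 12.4(13d)JA with SSH enabled) is sent to the advisory's fixed-software table, which this page does not reproduce. The sample outputs are constructed from the lines quoted in the advisory.

```python
"""Triage helper for the Cisco IOS SSH advisory above (added example, not Cisco code)."""
import re

# From the advisory: 12.4-based releases before these points are not affected.
# Keyed by train suffix ("" = mainline); value is (maintenance number, rebuild letter).
FIRST_AFFECTED = {"": (7, ""), "T": (9, ""), "JA": (13, "d")}

# Matches e.g. "Version 12.4(17)," or "Version 12.4(13d)JA,". The IOS release
# string precedes the ROM bootstrap "Version" line, so search() finds it first.
RELEASE_RE = re.compile(r"Version\s+(\d+)\.(\d+)\((\d+)([a-z]?)\)([A-Z]*)")


def parse_release(show_version):
    """Return (major, minor, maintenance, rebuild, train) from show version output."""
    m = RELEASE_RE.search(show_version)
    if m is None:
        raise ValueError("no IOS release string found in show version output")
    major, minor, maint, rebuild, train = m.groups()
    return int(major), int(minor), int(maint), rebuild, train


def ssh_enabled(show_ip_ssh):
    """True when show ip ssh reports the server as enabled."""
    if "SSH Enabled" in show_ip_ssh:
        return True
    if "SSH Disabled" in show_ip_ssh:
        return False
    raise ValueError("unrecognised show ip ssh output")


def assess(show_version, show_ip_ssh):
    """Return 'not-affected' when the advisory rules the device out, else 'check-fixed-table'."""
    if not ssh_enabled(show_ip_ssh):
        return "not-affected"                  # SSH server not running
    major, minor, maint, rebuild, train = parse_release(show_version)
    if (major, minor) != (12, 4):
        return "not-affected"                  # only 12.4-based trains are listed
    threshold = FIRST_AFFECTED.get(train)
    if threshold is not None and (maint, rebuild) < threshold:
        return "not-affected"                  # earlier than 12.4(7), 12.4(9)T or 12.4(13d)JA
    return "check-fixed-table"                 # 12.4-based with SSH on: consult the advisory


# Constructed samples modelled on the output quoted in the advisory.
SHOW_VERSION = (
    "Cisco IOS Software, C2600 Software (C2600-ADVENTERPRISEK9-M), "
    "Version 12.4(17), RELEASE SOFTWARE (fc1)\n"
    "ROM: System Bootstrap, Version 12.2(8r) [cmong 8r], RELEASE SOFTWARE (fc1)\n"
)
SSH_ON = "SSH Enabled - version 2.0\nAuthentication timeout: 120 secs; Authentication retries: 3\n"
SSH_OFF = "SSH Disabled - version 1.99\n"

if __name__ == "__main__":
    print(assess(SHOW_VERSION, SSH_ON))    # check-fixed-table
    print(assess(SHOW_VERSION, SSH_OFF))   # not-affected
```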

[USN-613-1] GnuTLS vulnerabilities

2008-05-21 Thread Kees Cook
=== 
Ubuntu Security Notice USN-613-1   May 21, 2008
gnutls12, gnutls13 vulnerabilities
CVE-2008-1948, CVE-2008-1949, CVE-2008-1950
===

A security issue affects the following Ubuntu releases:

Ubuntu 6.06 LTS
Ubuntu 7.04
Ubuntu 7.10
Ubuntu 8.04 LTS

This advisory also applies to the corresponding versions of
Kubuntu, Edubuntu, and Xubuntu.

The problem can be corrected by upgrading your system to the
following package versions:

Ubuntu 6.06 LTS:
  libgnutls12 1.2.9-2ubuntu1.2

Ubuntu 7.04:
  libgnutls13 1.4.4-3ubuntu0.1

Ubuntu 7.10:
  libgnutls13 1.6.3-1ubuntu0.1

Ubuntu 8.04 LTS:
  libgnutls13 2.0.4-1ubuntu2.1

After a standard system upgrade you need to reboot your computer to
effect the necessary changes.

Details follow:

Multiple flaws were discovered in the connection handling of GnuTLS.
A remote attacker could exploit this to crash applications linked
against GnuTLS, or possibly execute arbitrary code with permissions of
the application's user.



Re: Re: Re: Exploiting Google MX servers as Open SMTP Relays

2008-05-21 Thread pablo . ximenes
Hi,


We would like to let you know that we have updated our report to include the 
omitted details. You can read it at: 
http://ece.uprm.edu/~andre/insert/gmail.html


Also we have made our proof of concept available at: 
http://ece.uprm.edu/~andre/insert/gmail.tar.gz



Best Regards,


Pablo Ximenes

Information Security Research Team (INSERT)

University of Puerto Rico at Mayaguez (UPRM)

State University of Ceara (UECE)

http://ece.uprm.edu/~andre/insert/



Re: mjguest 6.7 (ALL VERSION) Xss & Redirection Vuln

2008-05-21 Thread alighieri_m
I am the developer of MJGUEST.


A patch for this vulnerability has been released. The bug is now fixed.


See the official topic here:

http://www.mdsjack.bo.it/public/phpBB3/viewtopic.php?t=2049


Regards,

"mdsjack"


[DSECRG-08-020] Alcatel OmniPCX Office Remote Command Execution

2008-05-21 Thread Digital Security Research Group

Digital Security Research Group [DSecRG] Advisory   #DSECRG-08-020


Application:Alcatel OmniPCX Office 
Versions Affected:  Alcatel OmniPCX Office since release 210/061.1 
Vendor URL: http://alcatel.com
Bugs:   Remote command execution
Exploits:   YES
Risk:   High
CVSS Score: 7.31
CVE-number: 2008-1331
Reported:   31.01.2008
Vendor response:01.02.2008
Customers informed: 07.03.2008
Published on PSIRT: 01.04.2008
Date of Public Advisory:21.05.2008
Author: Digital Security Research Group [DSecRG] 
(research [at] dsec [dot] ru)



Introduction


The OmniPCX Enterprise is an integrated communications solution for
medium-sized businesses and large corporations. It combines the best of
the old (legacy TDM phone connectivity) with the new (a native IP
platform and support for Session Initiation Protocol, or SIP) to provide
an effective and complete communications solution for cost-conscious
companies on the cutting edge.

(from the vendor's homepage)


Description
***

The Alcatel OmniPCX Office web interface has a critical security vulnerability:
remote command execution.

The risk of this vulnerability is high. Any user who has access to the web
interface of the OmniPCX Enterprise solution will be able to execute arbitrary
commands on the server with the permissions of the web server.


Details
***


A remote command execution vulnerability was found in the script
/cgi-data/FastJSData.cgi, in the parameter named id2. The id2 variable is not
filtered before being passed to the shell, so arbitrary commands can be
executed on the server by appending them to the user-supplied value, separated
by semicolons.

You can find more details on this advisory on the vendor's website
http://www1.alcatel-lucent.com/psirt/statements.htm
under reference 2008001.



Example:


http://[server]/cgi-data/FastJSData.cgi?id1=sh2kerr&id2=91|cat%20/etc/passwd
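The defect described above is that a request parameter reaches a shell unvalidated. The following added example (written for this page, not code from Alcatel or the advisory author) shows the two defensive halves a practitioner wants: an allow-list check on id2 combined with an argv-style subprocess call so that no shell ever parses the value, and a detector that reads web-server access logs and flags FastJSData.cgi requests whose id2 is anything other than a plain number. The log lines are constructed, the backend tool the CGI would call is unknown, so a Python one-liner stands in for it, and the parameter format (a short decimal id) is an assumption made for the example.

```python
import re
import subprocess
import sys
from urllib.parse import urlsplit, parse_qs

# Constructed access-log lines (not taken from any real server). The last
# request reuses the parameter shape of the advisory's example URL.
SAMPLE_LOG = """\
10.0.0.5 - - [21/May/2008:10:00:01 +0000] "GET /cgi-data/FastJSData.cgi?id1=abc&id2=91 HTTP/1.1" 200 512
10.0.0.5 - - [21/May/2008:10:00:02 +0000] "GET /index.html HTTP/1.1" 200 1024
10.0.0.9 - - [21/May/2008:10:00:03 +0000] "GET /cgi-data/FastJSData.cgi?id1=abc&id2=91%3Bid HTTP/1.1" 200 300
10.0.0.9 - - [21/May/2008:10:00:04 +0000] "GET /cgi-data/FastJSData.cgi?id1=sh2kerr&id2=91|cat%20/etc/passwd HTTP/1.1" 200 2048
"""

# Assumption for this example: a valid id2 is a short decimal number.
ID_PATTERN = re.compile(r"[0-9]{1,10}")
REQUEST_RE = re.compile(r'"(?:GET|POST) (\S+) HTTP/')

# Stand-in for the real backend tool (hypothetical): echoes its first argument.
ECHO_TOOL = (sys.executable, "-c", "import sys; print(sys.argv[1])")


def validate_id(value: str) -> str:
    """Allow-list check: accept only a plain decimal id, reject everything else."""
    if not ID_PATTERN.fullmatch(value):
        raise ValueError(f"rejected id2 value: {value!r}")
    return value


def run_lookup(id2: str, tool=ECHO_TOOL) -> str:
    """Hardened counterpart of the vulnerable call: the value is validated and
    then passed as its own argv element with shell=False, so metacharacters
    such as ';' or '|' are never interpreted by a shell."""
    safe = validate_id(id2)
    result = subprocess.run(list(tool) + [safe], capture_output=True, text=True, check=True)
    return result.stdout.strip()


def flag_requests(log_text: str) -> list:
    """Detection over access logs: return the decoded id2 values of
    FastJSData.cgi requests whose id2 is not a plain number."""
    suspicious = []
    for line in log_text.splitlines():
        match = REQUEST_RE.search(line)
        if not match:
            continue
        url = urlsplit(match.group(1))
        if not url.path.endswith("/cgi-data/FastJSData.cgi"):
            continue
        # parse_qs percent-decodes values, so %3B becomes ';' before the check.
        for value in parse_qs(url.query, keep_blank_values=True).get("id2", []):
            if not ID_PATTERN.fullmatch(value):
                suspicious.append(value)
    return suspicious


if __name__ == "__main__":
    print("lookup for 91 ->", run_lookup("91"))
    print("flagged id2 values:", flag_requests(SAMPLE_LOG))
```

The allow-list check is deliberately stricter than "strip semicolons": the advisory's own example uses a pipe rather than a semicolon, and a deny-list of metacharacters is easy to miss one on. Rejecting anything that is not the expected shape, and keeping the value out of a shell entirely, closes the class rather than the instance.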




Fix Information
***

Alcatel fixed this flaw on 01.04.2008. The updated version can be
downloaded here:

http://www1.alcatel-lucent.com/enterprise/en/products/ip_telephony/omnipcxenterprise/index.html






About
*

Digital Security is a leading IT security company in Russia, providing
information security consulting, audit and penetration testing services, risk
analysis and ISMS-related services, and certification for ISO/IEC 27001:2005
and PCI DSS standards.

Digital Security Research Group focuses on web application and database
security problems, with vulnerability reports, advisories and whitepapers
posted regularly on our website.


Contact:research [at] dsec [dot] ru
http://www.dsec.ru (in Russian)









[DSECRG-08-023] SAP Web Application Server XSS Security Vulnerability

2008-05-21 Thread Digital Security Research Group

Digital Security Research Group [DSecRG] Advisory   #DSECRG-08-023


Application:SAP Web Application Server  
Versions Affected:  Version 7.0 
Vendor URL: http://SAP.com
Bugs:   XSS
Exploits:   YES
Reported:   25.01.2008
Vendor response:25.01.2008
Date of Public Advisory:21.05.2008
Author: Digital Security Research Group [DSecRG] 
(research [at] dsec [dot] ru)



Description
***

The SAP Web Application Server has a linked XSS security vulnerability.



Details
***


A linked XSS vulnerability was found in the URL /sap/bc/gui/sap/its/webgui/;
an attacker can inject script into the URL string.

Web Dynpro ABAP and BSP are also vulnerable.



Example:

http://[server]:8000/sap/bc/gui/sap/its/webgui/aaa";>

-
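The example URL above ends in a closing quote and angle bracket, which is the signature of a reflected value breaking out of an HTML attribute. The following added example (written for this page; it is not SAP's code and does not reproduce the ICF login page) contrasts a handler that copies the request path verbatim into a form's action attribute with one that HTML-escapes it for the attribute context, and includes a check that the reflected value stayed inside the attribute. The request path is constructed for the example.

```python
import html

# Constructed request path with the same shape as the advisory's example:
# a quote and angle bracket after the webgui path, followed by injected markup.
SAMPLE_PATH = '/sap/bc/gui/sap/its/webgui/aaa";><script>alert(1)</script>'


def render_unsafe(request_path: str) -> str:
    """Vulnerable pattern: the request path is interpolated verbatim into an
    attribute, so a double quote in the path terminates the attribute and the
    remainder of the path becomes markup."""
    return f'<form action="{request_path}"><input type="submit"></form>'


def render_safe(request_path: str) -> str:
    """Hardened pattern: escape for the attribute context. quote=True turns
    both '"' and "'" into entities in addition to '<', '>' and '&'."""
    escaped = html.escape(request_path, quote=True)
    return f'<form action="{escaped}"><input type="submit"></form>'


def attribute_value(markup: str) -> str:
    """Return what a browser would parse as the action attribute value: the
    text between the opening quote and the next unescaped double quote."""
    start = markup.index('action="') + len('action="')
    end = markup.index('"', start)
    return markup[start:end]


def reflection_is_contained(markup: str, request_path: str) -> bool:
    """True when the entire request path survived inside the attribute, which
    is the case exactly when decoding the attribute gives the path back."""
    return html.unescape(attribute_value(markup)) == request_path


if __name__ == "__main__":
    for name, render in (("unsafe", render_unsafe), ("safe", render_safe)):
        page = render(SAMPLE_PATH)
        print(f"{name}: contained={reflection_is_contained(page, SAMPLE_PATH)}")
        print(page)
```

The containment check is a useful unit test to keep around: it fails whenever a reflected value is emitted without escaping, regardless of which payload was used to find the bug.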




Fix Information
***

The issue has been solved in the ICF system login and as such is relevant not
only for the Web GUI but also for Web Dynpro ABAP and BSP.
Customers can download patches by following the solution documented in SAP note
1136770.




About
*

Digital Security is a leading IT security company in Russia, providing
information security consulting, audit and penetration testing services, risk
analysis and ISMS-related services, and certification for ISO/IEC 27001:2005
and PCI DSS standards.

Digital Security Research Group focuses on web application and database
security problems, with vulnerability reports, advisories and whitepapers
posted regularly on our website.


Contact:research [at] dsec [dot] ru
http://www.dsec.ru 





[ MDVSA-2008:105 ] - Updated kernel packages fix vulnerabilities

2008-05-21 Thread security

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

 ___
 
 Mandriva Linux Security Advisory MDVSA-2008:105
 http://www.mandriva.com/security/
 ___
 
 Package : kernel
 Date: May 21, 2008
 Affected: 2007.1
 ___
 
 Problem Description:
 
 The CIFS filesystem in the Linux kernel before 2.6.22, when Unix
 extension support is enabled, does not honor the umask of a process,
 which allows local users to gain privileges. (CVE-2007-3740)
 
 The drm/i915 component in the Linux kernel before 2.6.22.2, when
 used with i965G and later chipsets, allows local users with access
 to an X11 session and Direct Rendering Manager (DRM) to write
 to arbitrary memory locations and gain privileges via a crafted
 batchbuffer. (CVE-2007-3851)
 
 The (1) hugetlb_vmtruncate_list and (2) hugetlb_vmtruncate functions
 in fs/hugetlbfs/inode.c in the Linux kernel before 2.6.19-rc4 perform
 certain prio_tree calculations using HPAGE_SIZE instead of PAGE_SIZE
 units, which allows local users to cause a denial of service (panic)
 via unspecified vectors. (CVE-2007-4133)
 
 The IA32 system call emulation functionality in Linux kernel 2.4.x
 and 2.6.x before 2.6.22.7, when running on the x86_64 architecture,
 does not zero extend the eax register after the 32bit entry path to
 ptrace is used, which might allow local users to gain privileges by
 triggering an out-of-bounds access to the system call table using
 the %RAX register. This vulnerability is now being fixed in the Xen
 kernel too. (CVE-2007-4573)
 
 Integer underflow in the ieee80211_rx function in
 net/ieee80211/ieee80211_rx.c in the Linux kernel 2.6.x before
 2.6.23 allows remote attackers to cause a denial of service (crash)
 via a crafted SKB length value in a runt IEEE 802.11 frame when
 the IEEE80211_STYPE_QOS_DATA flag is set, aka an off-by-two
 error. (CVE-2007-4997)
 
 The disconnect method in the Philips USB Webcam (pwc) driver in Linux
 kernel 2.6.x before 2.6.22.6 relies on user space to close the device,
 which allows user-assisted local attackers to cause a denial of service
 (USB subsystem hang and CPU consumption in khubd) by not closing the
 device after the disconnect is invoked. NOTE: this rarely crosses
 privilege boundaries, unless the attacker can convince the victim to
 unplug the affected device. (CVE-2007-5093)
 
 A race condition in the directory notification subsystem (dnotify)
 in Linux kernel 2.6.x before 2.6.24.6, and 2.6.25 before 2.6.25.1,
 allows local users to cause a denial of service (OOPS) and possibly
 gain privileges via unspecified vectors. (CVE-2008-1375)
 
 The Linux kernel before 2.6.25.2 does not apply a certain protection
 mechanism for fcntl functionality, which allows local users to (1)
 execute code in parallel or (2) exploit a race condition to obtain
 re-ordered access to the descriptor table. (CVE-2008-1669)
 
 To update your kernel, please follow the directions located at:
 
   http://www.mandriva.com/en/security/kernelupdate
 ___

 References:
 
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-3740
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-3851
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-4133
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-4573
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-4997
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-5093
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1375
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1669
 ___
 
 Updated Packages:
 
 Mandriva Linux 2007.1:
 c4a2d4a2c510a0b264ecc556ae95d9c1  2007.1/i586/kernel-2.6.17.18mdv-1-1mdv2007.1.i586.rpm
 8a9067dced69f2a98d84a91b565d53b2  2007.1/i586/kernel-doc-2.6.17.18mdv-1-1mdv2007.1.i586.rpm
 3781406fba53b54e10f10c673ad54734  2007.1/i586/kernel-doc-latest-2.6.17-18mdv.i586.rpm
 0ab62eecb317efb9f395067acff4f197  2007.1/i586/kernel-enterprise-2.6.17.18mdv-1-1mdv2007.1.i586.rpm
 fa94fc4948555ddae5f333e51c1edac5  2007.1/i586/kernel-enterprise-latest-2.6.17-18mdv.i586.rpm
 0997abceef3793c25a8fa5fee56af005  2007.1/i586/kernel-latest-2.6.17-18mdv.i586.rpm
 02b79be3ea9a145e8e264e2f104c27fb  2007.1/i586/kernel-legacy-2.6.17.18mdv-1-1mdv2007.1.i586.rpm
 53e8e4e029f99fede270f4a4e9b1f105  2007.1/i586/kernel-legacy-latest-2.6.17-18mdv.i586.rpm
 b38fcb899cd7e473bd07ab296a0edc52  2007.1/i586/kernel-source-2.6.17.18mdv-1-1mdv2007.1.i586.rpm
 df638346ea8e84c542b5d54173ef40f7  2007.1/i586/kernel-source-latest-2.6.17-18mdv.i586.rpm
 5749113a50606c4f81f1371150c59041  2007.1/i586/kernel-source-stripped-2.6.17.18mdv-1-1mdv2007.1.i586.rpm
 bb3e512bfc05809a83f9c5e5a568  2007.1/i586/kernel-source-stripped-latest-2.6.17-

Re: Vbulletin 3.7.0 Gold >> Sql injection on faq.php

2008-05-21 Thread martin . meredith
This is invalid. The variable q is taken, split into words, and then each word
is escaped for usage within the DB.


Once again, this is invalid