Full Path Disclosure In Photolibrary 1.009(Update)
There has been a change to the solution.

!solution
Change line 48 so that the include statement stops null input and incorrect input:

if($page == NULL)
    echo('Get lost! Stop Trying to get path disclosure!');
else {
    if(!file_exists($page.'.css')) {
        echo('Get lost! Stop Trying to get path disclosure!');
    } else {
        include($page.'.css');
    }
}

The vendor has not yet been notified.

!author
Xia Shing Zee
SEP(Symantec) Bug
Hi,

There is a bug with the Symantec Endpoint Protection (tested on all versions till 11.0.4000).

When you execute the following command:

smc.exe -p ~

the smcgui.exe crashes. You don't need admin privilege for this.

Regards,
Sandeep
51l3n7[at]live.in
Re: LFI in Drupal CMS
I am unable to reproduce on the pre- or post-install phase of Drupal 6.9. Can you please provide additional details? -- Drupal security team
Denial of Service using Partial GET Request in Mozilla Firefox 3.06
!vuln
Mozilla Firefox 3.06
Previous versions may also be affected.

!risk
Medium
There are currently many users using Mozilla Firefox. However, there has been no confirmation of remote execution of arbitrary code yet.

!info
Tested on:
Windows Vista Version Service Pack 1 Build 6001
Processor Intel(R) Core(TM)2 Duo CPU T8300 @ 2.40GHz, 2401 Mhz, 2 Core(s), 2 Logical Processor(s)
User Agent: Mozilla/5.0 (Windows; U; Windows NT 6.0; en-US; rv:1.9.0.6) Gecko/2009011913 Firefox/3.0.6 (.NET CLR 3.5.30729)

!discussion
The Partial GET Request (HTTP 206 Status Code) of a WAV file results in a Denial of Service of the application.

Last HTTP packet from Firefox before the DoS is listed below in RAW format:

GET /fpaudio/footprints_waves.wav HTTP/1.1
Accept: */*
User-Agent: NSPlayer/11.0.6001.7001 WMFSDK/11.0
UA-CPU: x86
Accept-Encoding: gzip, deflate
Range: bytes=34848-
Unless-Modified-Since: Mon, 09 Jul 2007 12:44:57 GMT
If-Range: 4f0018-440f2-434d403204440
Host: www.footprints-inthe-sand.com
Connection: Keep-Alive

The OK GET Request (HTTP 200 Status Code) of the WAV file is listed below in RAW format:

GET /fpaudio/footprints_waves.wav HTTP/1.1
Accept: */*
User-Agent: Windows-Media-Player/10.00.00.3802
UA-CPU: x86
Accept-Encoding: gzip, deflate
Connection: Keep-Alive
Host: www.footprints-inthe-sand.com

!Proof of Concept
http://www.footprints-inthe-sand.com/index.php?page=Poem/Poem.php

!solution
There is currently no solution. The vendor has not yet been notified.

!greetz
Greetz go out to the people who know me.

!author
Xia Shing Zee
RE: SEP(Symantec) Bug
Confirmed on XP and Vista.

Error message: "Symantec CMC Smc has stopped working or encountered a problem and needs to close".

Works with smc.exe -p (anything) as long as you don't pass a command after the password. -p is the password switch.
[ MDVSA-2009:036 ] python
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

 _______________________________________________________________________

 Mandriva Linux Security Advisory                         MDVSA-2009:036
 http://www.mandriva.com/security/
 _______________________________________________________________________

 Package : python
 Date    : February 12, 2009
 Affected: Corporate 3.0, Multi Network Firewall 2.0
 _______________________________________________________________________

 Problem Description:

 Multiple integer overflows in imageop.c in the imageop module in Python 1.5.2 through 2.5.1 allow context-dependent attackers to break out of the Python VM and execute arbitrary code via large integer values in certain arguments to the crop function, leading to a buffer overflow, a different vulnerability than CVE-2007-4965 and CVE-2008-1679. (CVE-2008-4864)

 Multiple integer overflows in Python 2.5.2 and earlier allow context-dependent attackers to have an unknown impact via vectors related to the (1) stringobject, (2) unicodeobject, (3) bufferobject, (4) longobject, (5) tupleobject, (6) stropmodule, (7) gcmodule, and (8) mmapmodule modules. NOTE: The expandtabs integer overflows in stringobject and unicodeobject in 2.5.2 are covered by CVE-2008-5031.

 Multiple integer overflows in Python 2.2.3 through 2.5.1, and 2.6, allow context-dependent attackers to have an unknown impact via a large integer value in the tabsize argument to the expandtabs method, as implemented by (1) the string_expandtabs function in Objects/stringobject.c and (2) the unicode_expandtabs function in Objects/unicodeobject.c. NOTE: this vulnerability reportedly exists because of an incomplete fix for CVE-2008-2315. (CVE-2008-5031)

 The updated Python packages have been patched to correct these issues.
 _______________________________________________________________________

 References:

 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2315
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-4864
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5031
 _______________________________________________________________________

 Updated Packages:

 Corporate 3.0:
 c9668bc25f1306f610bfdfc94b4b944c  corporate/3.0/i586/libpython2.3-2.3.7-0.2.C30mdk.i586.rpm
 f2720b0908488c72a4591c89a5d6be6e  corporate/3.0/i586/libpython2.3-devel-2.3.7-0.2.C30mdk.i586.rpm
 261fbcfe8cd18a217845051c7c2fdd75  corporate/3.0/i586/python-2.3.7-0.2.C30mdk.i586.rpm
 1df9dfe4bacd9982da477f84daf4179e  corporate/3.0/i586/python-base-2.3.7-0.2.C30mdk.i586.rpm
 c848a40db3729c5d730409cc8b53ede2  corporate/3.0/i586/python-docs-2.3.7-0.2.C30mdk.i586.rpm
 a6844df32103497417ed829693fb60f5  corporate/3.0/i586/tkinter-2.3.7-0.2.C30mdk.i586.rpm
 c5f2ad7e5986ab7232658b40e8dea295  corporate/3.0/SRPMS/python-2.3.7-0.2.C30mdk.src.rpm

 Corporate 3.0/X86_64:
 0969a75152e437953cae2c309697536c  corporate/3.0/x86_64/lib64python2.3-2.3.7-0.2.C30mdk.x86_64.rpm
 e297c080c4ab2cd7c5f536a5cda758b2  corporate/3.0/x86_64/lib64python2.3-devel-2.3.7-0.2.C30mdk.x86_64.rpm
 d6ddee2f8c6bbe82acb7d5fdaaa75913  corporate/3.0/x86_64/python-2.3.7-0.2.C30mdk.x86_64.rpm
 1556e502527f22fad6771d95b288b9cc  corporate/3.0/x86_64/python-base-2.3.7-0.2.C30mdk.x86_64.rpm
 acdefbc7a2ed2dd31b6569002e4253e3  corporate/3.0/x86_64/python-docs-2.3.7-0.2.C30mdk.x86_64.rpm
 49fd4e84a697d91c64ac5d91b63bf43c  corporate/3.0/x86_64/tkinter-2.3.7-0.2.C30mdk.x86_64.rpm
 c5f2ad7e5986ab7232658b40e8dea295  corporate/3.0/SRPMS/python-2.3.7-0.2.C30mdk.src.rpm

 Multi Network Firewall 2.0:
 cabb486b4f3c24c9fea9920db0576137  mnf/2.0/i586/libpython2.3-2.3.7-0.2.M20mdk.i586.rpm
 60b4f62da866083a1c37ad42d532171b  mnf/2.0/i586/libpython2.3-devel-2.3.7-0.2.M20mdk.i586.rpm
 b5a2dc2a80a304b2095549b1d0c7c4c8  mnf/2.0/i586/python-2.3.7-0.2.M20mdk.i586.rpm
 5964fa32ade61fc6d217481252e75d92  mnf/2.0/i586/python-base-2.3.7-0.2.M20mdk.i586.rpm
 f8eb4c23e80dc5ee7cf4abdacc0d01cc  mnf/2.0/i586/python-docs-2.3.7-0.2.M20mdk.i586.rpm
 8ca87fc328dd2d3c4f21edc5f244e1cc  mnf/2.0/i586/tkinter-2.3.7-0.2.M20mdk.i586.rpm
 6bdfd7584a2e4094ce39424311368ce8  mnf/2.0/SRPMS/python-2.3.7-0.2.M20mdk.src.rpm
 _______________________________________________________________________

 To upgrade automatically use MandrivaUpdate or urpmi. The verification of md5 checksums and GPG signatures is performed automatically for you.

 All packages are signed by Mandriva for security. You can obtain the GPG public key of the Mandriva Security Team by executing:

  gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98

 You can view other update advisories for Mandriva Linux at:

  http://www.mandriva.com/security/advisories

 If you want to report vulnerabilities, please contact

  security_(at)_mandriva.com
 _______________________________________________________________________

 Type Bits/KeyID     Date       User ID
 pub  1024D/22458A98 2000-07-10 Mandriva Security Team security*mandriva.com
-----BEGIN PGP SIGNATURE-----
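The first issue in the advisory above (CVE-2008-4864) is the classic image-buffer size bug: width, height and depth are multiplied in a machine word, the product wraps, and a small buffer is then written to according to the large dimensions. The following is an added example, not code from Python or from Mandriva: it puts the unchecked computation beside a checked one that tests each multiplication against SIZE_MAX before performing it. The function names and the dimensions used are this example's own.

```c
/* Added example, not code from Python or this advisory: a pixel-buffer
 * size computation written the unsafe way and the checked way.  The
 * function names and the image dimensions used are this example's own. */
#include <limits.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* The pattern behind the imageop crop() overflow: width * height * depth is
 * multiplied in a machine word and silently wraps, so huge dimensions yield
 * a small allocation that is later indexed with the large values.  Unsigned
 * arithmetic is used here so the wraparound is well defined. */
unsigned int image_bytes_unchecked(unsigned int width, unsigned int height,
                                   unsigned int bytes_per_pixel)
{
    return width * height * bytes_per_pixel;
}

/* Checked version: reject non-positive dimensions and test each product
 * against SIZE_MAX before computing it.  Returns 0 and stores the byte
 * count in *out on success, -1 on overflow or bad input. */
int image_bytes_checked(long width, long height, long bytes_per_pixel,
                        size_t *out)
{
    if (width <= 0 || height <= 0 || bytes_per_pixel <= 0)
        return -1;

    size_t w = (size_t)width, h = (size_t)height, bpp = (size_t)bytes_per_pixel;

    if (w > SIZE_MAX / h)            /* w * h would overflow size_t */
        return -1;
    size_t pixels = w * h;
    if (pixels > SIZE_MAX / bpp)     /* pixels * bpp would overflow size_t */
        return -1;

    *out = pixels * bpp;
    return 0;
}

/* Byte count, or 0 when the dimensions are rejected. */
size_t checked_or_zero(long width, long height, long bytes_per_pixel)
{
    size_t n;
    return image_bytes_checked(width, height, bytes_per_pixel, &n) == 0 ? n : 0;
}

/* Allocate and zero a pixel buffer only when the size is sound.  Returns 1
 * if the buffer was obtained (and released again), 0 if the request was
 * refused or malloc failed. */
int alloc_image_ok(long width, long height, long bytes_per_pixel)
{
    size_t n;
    if (image_bytes_checked(width, height, bytes_per_pixel, &n) != 0)
        return 0;
    unsigned char *buf = malloc(n);
    if (buf == NULL)
        return 0;
    memset(buf, 0, n);
    free(buf);
    return 1;
}

int main(void)
{
    /* 65536 x 65536 x 1 is exactly 2^32 bytes: the unchecked product wraps to 0. */
    printf("unchecked 65536x65536x1 -> %u bytes\n",
           image_bytes_unchecked(65536u, 65536u, 1u));
    printf("checked   640x480x3     -> %zu bytes\n", checked_or_zero(640, 480, 3));
    printf("checked   LONG_MAX^2x4  -> %zu (0 = rejected)\n",
           checked_or_zero(LONG_MAX, LONG_MAX, 4));
    return 0;
}
```

The division-based test is portable and needs no compiler builtins; the order matters, since each check guards only the multiplication that immediately follows it.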
[USN-719-1] pam-krb5 vulnerabilities
===========================================================
Ubuntu Security Notice USN-719-1             February 12, 2009
libpam-krb5 vulnerabilities
CVE-2009-0360, CVE-2009-0361
===========================================================

A security issue affects the following Ubuntu releases:

Ubuntu 8.04 LTS
Ubuntu 8.10

This advisory also applies to the corresponding versions of
Kubuntu, Edubuntu, and Xubuntu.

The problem can be corrected by upgrading your system to the
following package versions:

Ubuntu 8.04 LTS:
  libpam-krb5                     3.10-1ubuntu0.8.04.1

Ubuntu 8.10:
  libpam-krb5                     3.10-1ubuntu0.8.10.1

In general, a standard system upgrade is sufficient to effect the
necessary changes.

Details follow:

It was discovered that pam_krb5 parsed environment variables when run with setuid applications. A local attacker could exploit this flaw to bypass authentication checks and gain root privileges. (CVE-2009-0360)

Derek Chan discovered that pam_krb5 incorrectly handled refreshing existing credentials when used with setuid applications. A local attacker could exploit this to create or overwrite arbitrary files, and possibly gain root privileges. (CVE-2009-0361)


Updated packages for Ubuntu 8.04 LTS:

  Source archives:

    http://security.ubuntu.com/ubuntu/pool/main/libp/libpam-krb5/libpam-krb5_3.10-1ubuntu0.8.04.1.diff.gz
      Size/MD5:    12322 2915d0d5b4133bcc65b6bc03346033b0
    http://security.ubuntu.com/ubuntu/pool/main/libp/libpam-krb5/libpam-krb5_3.10-1ubuntu0.8.04.1.dsc
      Size/MD5:      816 cbc0e2b13d48682ec29127649d9d3407
    http://security.ubuntu.com/ubuntu/pool/main/libp/libpam-krb5/libpam-krb5_3.10.orig.tar.gz
      Size/MD5:   156259 6ec6bd6637f8c91bf5386ed95fa975ba

  amd64 architecture (Athlon64, Opteron, EM64T Xeon):

    http://security.ubuntu.com/ubuntu/pool/main/libp/libpam-krb5/libpam-krb5_3.10-1ubuntu0.8.04.1_amd64.deb
      Size/MD5:    78068 6f201eda9f6df9d527c165c21756084d

  i386 architecture (x86 compatible Intel/AMD):

    http://security.ubuntu.com/ubuntu/pool/main/libp/libpam-krb5/libpam-krb5_3.10-1ubuntu0.8.04.1_i386.deb
      Size/MD5:    77412 199ba52d9440d89f70fab1544fa90d7f

  lpia architecture (Low Power Intel Architecture):

    http://ports.ubuntu.com/pool/main/libp/libpam-krb5/libpam-krb5_3.10-1ubuntu0.8.04.1_lpia.deb
      Size/MD5:    77246 ff9cce0bbaf03a1a348fcd1fb0ca6745

  powerpc architecture (Apple Macintosh G3/G4/G5):

    http://ports.ubuntu.com/pool/main/libp/libpam-krb5/libpam-krb5_3.10-1ubuntu0.8.04.1_powerpc.deb
      Size/MD5:    80536 e3ec20dbf0fb9666549f801c012f72b0

  sparc architecture (Sun SPARC/UltraSPARC):

    http://ports.ubuntu.com/pool/main/libp/libpam-krb5/libpam-krb5_3.10-1ubuntu0.8.04.1_sparc.deb
      Size/MD5:    77196 6e8a12a640e6c9163d65709d68c14775

Updated packages for Ubuntu 8.10:

  Source archives:

    http://security.ubuntu.com/ubuntu/pool/main/libp/libpam-krb5/libpam-krb5_3.10-1ubuntu0.8.10.1.diff.gz
      Size/MD5:    12322 9646c596627edf91af8799f78b9bffb2
    http://security.ubuntu.com/ubuntu/pool/main/libp/libpam-krb5/libpam-krb5_3.10-1ubuntu0.8.10.1.dsc
      Size/MD5:     1234 39b9545e294f6937092fbf8316ffc9d1
    http://security.ubuntu.com/ubuntu/pool/main/libp/libpam-krb5/libpam-krb5_3.10.orig.tar.gz
      Size/MD5:   156259 6ec6bd6637f8c91bf5386ed95fa975ba

  amd64 architecture (Athlon64, Opteron, EM64T Xeon):

    http://security.ubuntu.com/ubuntu/pool/main/libp/libpam-krb5/libpam-krb5_3.10-1ubuntu0.8.10.1_amd64.deb
      Size/MD5:    78348 9be5305e9bb4f8b85d0857230cc2acda

  i386 architecture (x86 compatible Intel/AMD):

    http://security.ubuntu.com/ubuntu/pool/main/libp/libpam-krb5/libpam-krb5_3.10-1ubuntu0.8.10.1_i386.deb
      Size/MD5:    77494 2e37aba551e192fffaf17754b96fee1a

  lpia architecture (Low Power Intel Architecture):

    http://ports.ubuntu.com/pool/main/libp/libpam-krb5/libpam-krb5_3.10-1ubuntu0.8.10.1_lpia.deb
      Size/MD5:    77452 d89fdc271a18c000d84a2ce6c1c1db4a

  powerpc architecture (Apple Macintosh G3/G4/G5):

    http://ports.ubuntu.com/pool/main/libp/libpam-krb5/libpam-krb5_3.10-1ubuntu0.8.10.1_powerpc.deb
      Size/MD5:    80632 5312557a64d26867ac5472ee56f3ac2e

  sparc architecture (Sun SPARC/UltraSPARC):

    http://ports.ubuntu.com/pool/main/libp/libpam-krb5/libpam-krb5_3.10-1ubuntu0.8.10.1_sparc.deb
      Size/MD5:    76978 9fc7e9ee619bd7ce77fafe13a2dc46b8
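Both pam_krb5 issues in the notice above come from one property: a process that gained privilege through the setuid bit inherits an environment its unprivileged caller chose, so variables such as a credential-cache path cannot be taken at face value. The following is an added example, not pam_krb5 or Ubuntu code, showing the check a privileged program makes before honouring its environment and how the cache path selection falls back to a default when the check fails. env_is_trusted_ids(), trusted_getenv(), choose_ccache() and the default cache path are this example's own assumptions.

```c
/* Added example, not pam_krb5 or Ubuntu code: refuse to honour the
 * environment when the real and effective ids differ, the property that
 * makes a setuid program's caller untrusted.  env_is_trusted_ids(),
 * trusted_getenv(), choose_ccache() and the default cache path are this
 * example's own assumptions. */
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>

/* Assumed default cache location, used whenever the environment is ignored. */
#define DEFAULT_CCACHE_FMT "FILE:/tmp/krb5cc_%lu"

/* Only when every real id equals the corresponding effective id is the
 * inherited environment trustworthy; otherwise the caller set it. */
int env_is_trusted_ids(uid_t ruid, uid_t euid, gid_t rgid, gid_t egid)
{
    return ruid == euid && rgid == egid;
}

int env_is_trusted(void)
{
    return env_is_trusted_ids(getuid(), geteuid(), getgid(), getegid());
}

/* Same contract as glibc's secure_getenv(): NULL when the process is
 * privileged, otherwise the variable's value. */
const char *trusted_getenv(const char *name)
{
    return env_is_trusted() ? getenv(name) : NULL;
}

/* Select the credential cache.  from_env models KRB5CCNAME as seen in the
 * environment (NULL when unset) and is used only when trusted is non-zero;
 * otherwise the per-uid default is used.  Returns buf. */
char *choose_ccache(const char *from_env, int trusted, uid_t uid,
                    char *buf, size_t buflen)
{
    if (trusted && from_env != NULL && from_env[0] != '\0')
        snprintf(buf, buflen, "%s", from_env);
    else
        snprintf(buf, buflen, DEFAULT_CCACHE_FMT, (unsigned long)uid);
    return buf;
}

/* 1 if the environment-supplied path was adopted, 0 if the default won. */
int ccache_uses_env(const char *from_env, int trusted)
{
    char buf[256];
    choose_ccache(from_env, trusted, 1000, buf, sizeof buf);
    return from_env != NULL && strcmp(buf, from_env) == 0;
}

int main(void)
{
    char buf[256];
    /* Constructed scenario: an unprivileged user (uid 1000) runs a setuid-root
     * helper with KRB5CCNAME pointing at a file of their choosing. */
    const char *attacker_env = "FILE:/etc/passwd";
    int trusted = env_is_trusted_ids(1000, 0, 1000, 1000);   /* 0: setuid */
    printf("setuid context: trusted=%d ccache=%s\n", trusted,
           choose_ccache(attacker_env, trusted, 1000, buf, sizeof buf));
    trusted = env_is_trusted_ids(1000, 1000, 1000, 1000);    /* 1: plain */
    printf("plain context:  trusted=%d ccache=%s\n", trusted,
           choose_ccache(attacker_env, trusted, 1000, buf, sizeof buf));
    return 0;
}
```

The id comparison is the whole decision; everything downstream (which cache to open, whether to write to it at all) keys off that one bit, which is what the second issue's "create or overwrite arbitrary files" consequence follows from when it is missing.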
Re: Denial of Service using Partial GET Request in Mozilla Firefox 3.06
Hi,

How is this related to Firefox? See further:

On Feb 12, 2009, at 09:14 , xiash...@gmail.com wrote:

> !vuln
> Mozilla Firefox 3.06
> Previous versions may also be affected.
>
> !risk
> Medium
> There are currently many users using Mozilla Firefox. However, there has been no confirmation of remote execution of arbitrary code yet.
>
> !info
> Tested on:
> Windows Vista Version Service Pack 1 Build 6001
> Processor Intel(R) Core(TM)2 Duo CPU T8300 @ 2.40GHz, 2401 Mhz, 2 Core(s), 2 Logical Processor(s)
> User Agent: Mozilla/5.0 (Windows; U; Windows NT 6.0; en-US; rv:1.9.0.6) Gecko/2009011913 Firefox/3.0.6 (.NET CLR 3.5.30729)

This is the Firefox user agent string...

> !discussion
> The Partial GET Request (HTTP 206 Status Code) of a WAV file results in a Denial of Service of the application.
>
> Last HTTP packet from Firefox before the DoS is listed below in RAW format:
>
> GET /fpaudio/footprints_waves.wav HTTP/1.1
> Accept: */*
> User-Agent: NSPlayer/11.0.6001.7001 WMFSDK/11.0

Is this Firefox?

> UA-CPU: x86

Only MS sets this header...

> Accept-Encoding: gzip, deflate
> Range: bytes=34848-
> Unless-Modified-Since: Mon, 09 Jul 2007 12:44:57 GMT
> If-Range: 4f0018-440f2-434d403204440
> Host: www.footprints-inthe-sand.com
> Connection: Keep-Alive

This is not Firefox.

> The OK GET Request (HTTP 200 Status Code) of the WAV file is listed below in RAW format:
>
> GET /fpaudio/footprints_waves.wav HTTP/1.1
> Accept: */*
> User-Agent: Windows-Media-Player/10.00.00.3802
> UA-CPU: x86

Oh! It seems that you've found the problem... Maybe a bug in Windows Media Player? Did you try this on IE?
[ GLSA 200902-03 ] Valgrind: Untrusted search path
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                                            Gentoo Linux Security Advisory                           GLSA 200902-03
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                                            http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

  Severity: High
     Title: Valgrind: Untrusted search path
      Date: February 12, 2009
      Bugs: #245317
        ID: 200902-03

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

An untrusted search path vulnerability in Valgrind might result in the execution of arbitrary code.

Background
==========

Valgrind is an open-source memory debugger.

Affected packages
=================

    -------------------------------------------------------------------
     Package            /  Vulnerable  /                    Unaffected
    -------------------------------------------------------------------
  1  dev-util/valgrind       < 3.4.0                         >= 3.4.0

Description
===========

Tavis Ormandy reported that Valgrind loads a .valgrindrc file in the current working directory, executing commands specified there.

Impact
======

A local attacker could prepare a specially crafted .valgrindrc file and entice a user to run Valgrind from the directory containing that file, resulting in the execution of arbitrary code with the privileges of the user running Valgrind.

Workaround
==========

Do not run valgrind from untrusted working directories.

Resolution
==========

All Valgrind users should upgrade to the latest version:

    # emerge --sync
    # emerge --ask --oneshot --verbose ">=dev-util/valgrind-3.4.0"

References
==========

  [ 1 ] CVE-2008-4865
        http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-4865

Availability
============

This GLSA and any updates to it are available for viewing at the Gentoo Security Website:

  http://security.gentoo.org/glsa/glsa-200902-03.xml

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the confidentiality and security of our users' machines is of utmost importance to us. Any security concerns should be addressed to secur...@gentoo.org or alternatively, you may file a bug at http://bugs.gentoo.org.

License
=======

Copyright 2009 Gentoo Foundation, Inc; referenced text belongs to its owner(s).

The contents of this document are licensed under the Creative Commons - Attribution / Share Alike license.

http://creativecommons.org/licenses/by-sa/2.5
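The Valgrind issue above is an untrusted search path in its simplest form: a configuration file is read from wherever the user happens to be standing, and its contents steer what gets executed. The following is an added example, not Valgrind's code, of the metadata check a program can make before parsing such a per-directory file: regular file, owned by the invoking user, not writable by group or others. rcfile_trusted() and the policy it encodes are this example's own; Valgrind's actual fix in 3.4.0 may differ in detail.

```c
/* Added example, not Valgrind's code: a trust check for a per-directory rc
 * file before its contents are parsed.  rcfile_trusted() and the policy it
 * encodes are this example's own; Valgrind's actual fix may differ. */
#define _XOPEN_SOURCE 700
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/stat.h>
#include <sys/types.h>

enum rc_verdict {
    RC_ABSENT = 0,      /* no such file: nothing to load */
    RC_TRUSTED = 1,     /* safe to parse */
    RC_UNTRUSTED = 2    /* present but must be ignored */
};

/* Policy: the rc file must be a regular file (lstat, so a symlink planted in
 * a shared directory cannot redirect the read), owned by the invoking user,
 * and not writable by group or others.  A file another user dropped into
 * the working directory fails the ownership test; a world-writable one
 * fails the mode test. */
enum rc_verdict rcfile_trusted(const char *path, uid_t me)
{
    struct stat st;

    if (lstat(path, &st) != 0)
        return errno == ENOENT ? RC_ABSENT : RC_UNTRUSTED;
    if (!S_ISREG(st.st_mode))
        return RC_UNTRUSTED;
    if (st.st_uid != me)
        return RC_UNTRUSTED;
    if (st.st_mode & (S_IWGRP | S_IWOTH))
        return RC_UNTRUSTED;
    return RC_TRUSTED;
}

/* Create a throwaway rc file with the given permission bits, evaluate it,
 * remove it and return the verdict.  The one-line content is a constructed
 * sample; only the file's metadata matters to the check. */
enum rc_verdict verdict_for_mode(mode_t mode)
{
    char path[] = "/tmp/valgrindrc-demo-XXXXXX";
    const char *sample = "--trace-children=yes\n";
    int fd = mkstemp(path);
    if (fd < 0)
        return RC_UNTRUSTED;
    ssize_t written = write(fd, sample, strlen(sample));
    close(fd);
    if (written < 0 || chmod(path, mode) != 0) {
        unlink(path);
        return RC_UNTRUSTED;
    }
    enum rc_verdict v = rcfile_trusted(path, getuid());
    unlink(path);
    return v;
}

/* Verdict for a path that does not exist. */
enum rc_verdict verdict_for_missing(void)
{
    return rcfile_trusted("/tmp/valgrindrc-demo-does-not-exist", getuid());
}

int main(void)
{
    printf("mode 0600 -> %d (1 = trusted)\n", (int)verdict_for_mode(0600));
    printf("mode 0666 -> %d (2 = untrusted)\n", (int)verdict_for_mode(0666));
    printf("missing   -> %d (0 = absent)\n", (int)verdict_for_missing());
    return 0;
}
```

A check like this narrows the window but does not close it entirely: between lstat() and the later open() the file can still be swapped, so a program that must be strict opens the file first and runs the same tests on fstat() of the descriptor it actually reads from.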
[ GLSA 200902-02 ] OpenSSL: Certificate validation error
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                                            Gentoo Linux Security Advisory                           GLSA 200902-02
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                                            http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

  Severity: Normal
     Title: OpenSSL: Certificate validation error
      Date: February 12, 2009
      Bugs: #251346
        ID: 200902-02

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

An error in the OpenSSL certificate chain validation might allow for spoofing attacks.

Background
==========

OpenSSL is an Open Source toolkit implementing the Secure Sockets Layer (SSL v2/v3) and Transport Layer Security (TLS v1) as well as a general purpose cryptography library.

Affected packages
=================

    -------------------------------------------------------------------
     Package            /  Vulnerable  /                    Unaffected
    -------------------------------------------------------------------
  1  dev-libs/openssl        < 0.9.8j                        >= 0.9.8j

Description
===========

The Google Security Team reported that several functions incorrectly check the result after calling the EVP_VerifyFinal() function, allowing a malformed signature to be treated as a good signature rather than as an error. This issue affects the signature checks on DSA and ECDSA keys used with SSL/TLS.

Impact
======

A remote attacker could exploit this vulnerability and spoof arbitrary names to conduct Man-In-The-Middle attacks and intercept sensitive information.

Workaround
==========

There is no known workaround at this time.

Resolution
==========

All OpenSSL users should upgrade to the latest version:

    # emerge --sync
    # emerge --ask --oneshot --verbose ">=dev-libs/openssl-0.9.8j"

References
==========

  [ 1 ] CVE-2008-5077
        http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5077

Availability
============

This GLSA and any updates to it are available for viewing at the Gentoo Security Website:

  http://security.gentoo.org/glsa/glsa-200902-02.xml

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the confidentiality and security of our users' machines is of utmost importance to us. Any security concerns should be addressed to secur...@gentoo.org or alternatively, you may file a bug at http://bugs.gentoo.org.

License
=======

Copyright 2009 Gentoo Foundation, Inc; referenced text belongs to its owner(s).

The contents of this document are licensed under the Creative Commons - Attribution / Share Alike license.

http://creativecommons.org/licenses/by-sa/2.5
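The OpenSSL advisory above describes a return-value bug rather than a cryptographic one: EVP_VerifyFinal() reports 1 for a valid signature, 0 for an invalid one and a negative value on error (for instance a signature that could not be decoded), and the affected callers treated "not 0" as success, so a malformed signature passed. The following is an added example, not OpenSSL code, that puts the faulty check beside the correct one. simulated_verify_final() stands in for EVP_VerifyFinal() with the same three-valued contract so the block runs without libcrypto; the signature bytes are a constructed sample and the function names are this example's own.

```c
/* Added example, not OpenSSL code: the return-value check behind
 * CVE-2008-5077.  simulated_verify_final() stands in for EVP_VerifyFinal()
 * (1 = valid, 0 = invalid, <0 = error); the signature bytes are a
 * constructed sample and the function names are this example's own. */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed sample inputs: one signature that verifies, one of the right
 * length that does not, and one too short to decode at all. */
const unsigned char demo_good_sig[4]      = { 0xde, 0xad, 0xbe, 0xef };
const unsigned char demo_bad_sig[4]       = { 0x00, 0x00, 0x00, 0x00 };
const unsigned char demo_malformed_sig[3] = { 0x30, 0x01, 0x00 };

/* Stand-in for EVP_VerifyFinal(): same three-valued contract. */
int simulated_verify_final(const unsigned char *sig, size_t siglen)
{
    if (siglen != sizeof demo_good_sig)
        return -1;                       /* malformed: decoding error, not "bad" */
    return memcmp(sig, demo_good_sig, siglen) == 0 ? 1 : 0;
}

/* The faulty pattern: anything other than an explicit 0 is treated as
 * success, so the -1 produced by a malformed signature is accepted. */
int accept_signature_buggy(const unsigned char *sig, size_t siglen)
{
    if (simulated_verify_final(sig, siglen) == 0)
        return 0;
    return 1;
}

/* The correct pattern: only the exact success value 1 is accepted.  With
 * the real API this reads "if (EVP_VerifyFinal(ctx, sig, siglen, pkey) != 1)
 * goto err;". */
int accept_signature_fixed(const unsigned char *sig, size_t siglen)
{
    return simulated_verify_final(sig, siglen) == 1;
}

int main(void)
{
    printf("good      buggy=%d fixed=%d\n",
           accept_signature_buggy(demo_good_sig, sizeof demo_good_sig),
           accept_signature_fixed(demo_good_sig, sizeof demo_good_sig));
    printf("bad       buggy=%d fixed=%d\n",
           accept_signature_buggy(demo_bad_sig, sizeof demo_bad_sig),
           accept_signature_fixed(demo_bad_sig, sizeof demo_bad_sig));
    printf("malformed buggy=%d fixed=%d   <- the CVE-2008-5077 case\n",
           accept_signature_buggy(demo_malformed_sig, sizeof demo_malformed_sig),
           accept_signature_fixed(demo_malformed_sig, sizeof demo_malformed_sig));
    return 0;
}
```

The same rule applies to any API with a tri-state result: compare against the documented success value, never against the failure value, because the error branch is the one an attacker gets to choose.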