[USN-781-2] Gaim vulnerabilities

2009-06-03 Thread Marc Deslauriers
===
Ubuntu Security Notice USN-781-2  June 03, 2009
gaim vulnerabilities
CVE-2009-1373, CVE-2009-1376
===

A security issue affects the following Ubuntu releases:

Ubuntu 6.06 LTS

This advisory also applies to the corresponding versions of
Kubuntu, Edubuntu, and Xubuntu.

The problem can be corrected by upgrading your system to the
following package versions:

Ubuntu 6.06 LTS:
  gaim1:1.5.0+1.5.1cvs20051015-1ubuntu10.2

After a standard system upgrade you need to restart Gaim to effect
the necessary changes.

Details follow:

It was discovered that Gaim did not properly handle certain malformed
messages when sending a file using the XMPP protocol handler. If a user
were tricked into sending a file, a remote attacker could send a specially
crafted response and cause Gaim to crash, or possibly execute arbitrary
code with user privileges. (CVE-2009-1373)

It was discovered that Gaim did not properly handle certain malformed
messages in the MSN protocol handler. A remote attacker could send a
specially crafted message and possibly execute arbitrary code with user
privileges. (CVE-2009-1376)


Updated packages for Ubuntu 6.06 LTS:

  Source archives:


http://security.ubuntu.com/ubuntu/pool/main/g/gaim/gaim_1.5.0+1.5.1cvs20051015-1ubuntu10.2.diff.gz
  Size/MD5:    35032 018074e6f3fe79b0334b616c41db8f16

http://security.ubuntu.com/ubuntu/pool/main/g/gaim/gaim_1.5.0+1.5.1cvs20051015-1ubuntu10.2.dsc
  Size/MD5: 1061 fedec169b55ed59a1d258f4261d3342e

http://security.ubuntu.com/ubuntu/pool/main/g/gaim/gaim_1.5.0+1.5.1cvs20051015.orig.tar.gz
  Size/MD5:  4299145 949ae755e9be1af68eef6c09c36a7530

  Architecture independent packages:


http://security.ubuntu.com/ubuntu/pool/main/g/gaim/gaim-data_1.5.0+1.5.1cvs20051015-1ubuntu10.2_all.deb
  Size/MD5:   613400 851c17117f60a8bdd7a1a7945295bb95

  amd64 architecture (Athlon64, Opteron, EM64T Xeon):


http://security.ubuntu.com/ubuntu/pool/main/g/gaim/gaim-dev_1.5.0+1.5.1cvs20051015-1ubuntu10.2_amd64.deb
  Size/MD5:   103268 3e801c048c16f37927274e223006cf12

http://security.ubuntu.com/ubuntu/pool/main/g/gaim/gaim_1.5.0+1.5.1cvs20051015-1ubuntu10.2_amd64.deb
  Size/MD5:   954312 b221c7923480c8f561b19f25602fb42d

  i386 architecture (x86 compatible Intel/AMD):


http://security.ubuntu.com/ubuntu/pool/main/g/gaim/gaim-dev_1.5.0+1.5.1cvs20051015-1ubuntu10.2_i386.deb
  Size/MD5:   103268 7c5d619c893be0613fc3e9e520180ac3

http://security.ubuntu.com/ubuntu/pool/main/g/gaim/gaim_1.5.0+1.5.1cvs20051015-1ubuntu10.2_i386.deb
  Size/MD5:   836516 36ab380abace72300ba4aa0da8af0423

  powerpc architecture (Apple Macintosh G3/G4/G5):


http://security.ubuntu.com/ubuntu/pool/main/g/gaim/gaim-dev_1.5.0+1.5.1cvs20051015-1ubuntu10.2_powerpc.deb
  Size/MD5:   103266 f8d87f5da7ae492b3e5564c132afb4de

http://security.ubuntu.com/ubuntu/pool/main/g/gaim/gaim_1.5.0+1.5.1cvs20051015-1ubuntu10.2_powerpc.deb
  Size/MD5:   924684 227c223828b0edcc564397b37281636a

  sparc architecture (Sun SPARC/UltraSPARC):


http://security.ubuntu.com/ubuntu/pool/main/g/gaim/gaim-dev_1.5.0+1.5.1cvs20051015-1ubuntu10.2_sparc.deb
  Size/MD5:   103252 4e6a313eced48612d2f35ab69ebd85b1

http://security.ubuntu.com/ubuntu/pool/main/g/gaim/gaim_1.5.0+1.5.1cvs20051015-1ubuntu10.2_sparc.deb
  Size/MD5:   856864 9b00254efd713d0001bb7e11817e6bc3





[USN-781-1] Pidgin vulnerabilities

2009-06-03 Thread Marc Deslauriers
===
Ubuntu Security Notice USN-781-1  June 03, 2009
pidgin vulnerabilities
CVE-2009-1373, CVE-2009-1374, CVE-2009-1375, CVE-2009-1376
===

A security issue affects the following Ubuntu releases:

Ubuntu 8.04 LTS
Ubuntu 8.10
Ubuntu 9.04

This advisory also applies to the corresponding versions of
Kubuntu, Edubuntu, and Xubuntu.

The problem can be corrected by upgrading your system to the
following package versions:

Ubuntu 8.04 LTS:
  pidgin  1:2.4.1-1ubuntu2.4

Ubuntu 8.10:
  pidgin  1:2.5.2-0ubuntu1.2

Ubuntu 9.04:
  pidgin  1:2.5.5-1ubuntu8.1

After a standard system upgrade you need to restart Pidgin to effect
the necessary changes.

Details follow:

It was discovered that Pidgin did not properly handle certain malformed
messages when sending a file using the XMPP protocol handler. If a user
were tricked into sending a file, a remote attacker could send a specially
crafted response and cause Pidgin to crash, or possibly execute arbitrary
code with user privileges. (CVE-2009-1373)

It was discovered that Pidgin did not properly handle certain malformed
messages in the QQ protocol handler. A remote attacker could send a
specially crafted message and cause Pidgin to crash. This issue only
affected Ubuntu 8.10 and 9.04. (CVE-2009-1374)

It was discovered that Pidgin did not properly handle certain malformed
messages in the XMPP and Sametime protocol handlers. A remote attacker
could send a specially crafted message and cause Pidgin to crash.
(CVE-2009-1375)

It was discovered that Pidgin did not properly handle certain malformed
messages in the MSN protocol handler. A remote attacker could send a
specially crafted message and possibly execute arbitrary code with user
privileges. (CVE-2009-1376)


Updated packages for Ubuntu 8.04 LTS:

  Source archives:


http://security.ubuntu.com/ubuntu/pool/main/p/pidgin/pidgin_2.4.1-1ubuntu2.4.diff.gz
  Size/MD5:    68347 9be15621e9a9801a31b8ae6e4b82e0db

http://security.ubuntu.com/ubuntu/pool/main/p/pidgin/pidgin_2.4.1-1ubuntu2.4.dsc
  Size/MD5: 1539 7975b51e7a1d4c996282f51a584e0124

http://security.ubuntu.com/ubuntu/pool/main/p/pidgin/pidgin_2.4.1.orig.tar.gz
  Size/MD5: 13297380 25e3593d5e6bfc1791475a057778

  Architecture independent packages:


http://security.ubuntu.com/ubuntu/pool/main/p/pidgin/finch-dev_2.4.1-1ubuntu2.4_all.deb
  Size/MD5:    37846 9c9c3f7775b089058bf603e28bd89240

http://security.ubuntu.com/ubuntu/pool/main/p/pidgin/libpurple-bin_2.4.1-1ubuntu2.4_all.deb
  Size/MD5:    92352 ed5c3b2560b070733f7385d6a337f155

http://security.ubuntu.com/ubuntu/pool/main/p/pidgin/libpurple-dev_2.4.1-1ubuntu2.4_all.deb
  Size/MD5:   234514 e3dc4721dcf091410a41e3d9faf807a6

http://security.ubuntu.com/ubuntu/pool/main/p/pidgin/pidgin-data_2.4.1-1ubuntu2.4_all.deb
  Size/MD5:  1328934 93a62c9f2fd928c3ff1fafca325f3b50

http://security.ubuntu.com/ubuntu/pool/main/p/pidgin/pidgin-dev_2.4.1-1ubuntu2.4_all.deb
  Size/MD5:    72638 8ad1fef0587ccbf626eb44587ba20e16

http://security.ubuntu.com/ubuntu/pool/universe/p/pidgin/gaim_2.4.1-1ubuntu2.4_all.deb
  Size/MD5:    86574 82e3c5c4361510f90b6ae8ea1efd15f6

  amd64 architecture (Athlon64, Opteron, EM64T Xeon):


http://security.ubuntu.com/ubuntu/pool/main/p/pidgin/finch_2.4.1-1ubuntu2.4_amd64.deb
  Size/MD5:   226874 aa753567d7edd194332eb2bfa8fd60ff

http://security.ubuntu.com/ubuntu/pool/main/p/pidgin/libpurple0_2.4.1-1ubuntu2.4_amd64.deb
  Size/MD5:  1604862 dbcc4128429686bfa835d563e6570e26

http://security.ubuntu.com/ubuntu/pool/main/p/pidgin/pidgin-dbg_2.4.1-1ubuntu2.4_amd64.deb
  Size/MD5:  4432628 0b9baad686d3e5e1235c7996d104273a

http://security.ubuntu.com/ubuntu/pool/main/p/pidgin/pidgin_2.4.1-1ubuntu2.4_amd64.deb
  Size/MD5:   572090 d0bad2b9275b71af32231f5248393d12

  i386 architecture (x86 compatible Intel/AMD):


http://security.ubuntu.com/ubuntu/pool/main/p/pidgin/finch_2.4.1-1ubuntu2.4_i386.deb
  Size/MD5:   200862 da71501bc4468b027e3d00dd03f607aa

http://security.ubuntu.com/ubuntu/pool/main/p/pidgin/libpurple0_2.4.1-1ubuntu2.4_i386.deb
  Size/MD5:  1365220 3853002c7d926ae93163c4bb1cead9b2

http://security.ubuntu.com/ubuntu/pool/main/p/pidgin/pidgin-dbg_2.4.1-1ubuntu2.4_i386.deb
  Size/MD5:  4242680 17ba46fc81a67a4e8daa78a0e24881ca

http://security.ubuntu.com/ubuntu/pool/main/p/pidgin/pidgin_2.4.1-1ubuntu2.4_i386.deb
  Size/MD5:   517126 a1728b5ffb4c858df3a3696880ac2866

  lpia architecture (Low Power Intel Architecture):

http://ports.ubuntu.com/pool/main/p/pidgin/finch_2.4.1-1ubuntu2.4_lpia.deb
  Size/MD5:   197196 52fba9ae4400e779d792c3fac02afbc5

http://ports.ubuntu.com/pool/main/p/pidgin/libpurple0_2.4.1-1ubuntu2.4_lpia.deb
  Size/MD5:  1415190 

Re: TPTI-09-03: Apple iTunes Multiple Protocol Handler Buffer Overflow Vulnerabilities

2009-06-03 Thread Will Drewry
Here's the (mac) exploit module to go along with my simul-report to
apple:  http://static.dataspill.org/releases/itunes/itms_overflow.rb

On Tue, Jun 2, 2009 at 3:27 PM, dvlabs dvl...@tippingpoint.com wrote:
 TPTI-09-03: Apple iTunes Multiple Protocol Handler Buffer Overflow
 Vulnerabilities
 http://dvlabs.tippingpoint.com/advisory/TPTI-09-03
 June 2, 2009

 -- CVE ID:
 CVE-2009-0950

 -- Affected Vendors:
 Apple

 -- Affected Products:
 Apple iTunes

 -- TippingPoint(TM) IPS Customer Protection:
 TippingPoint IPS customers have been protected against this
 vulnerability by Digital Vaccine protection filter ID 8013.
 For further product information on the TippingPoint IPS, visit:

    http://www.tippingpoint.com

 -- Vulnerability Details:
 This vulnerability allows remote attackers to execute arbitrary code on
 vulnerable installations of Apple iTunes. User interaction is required
 to exploit this vulnerability in that the target must visit a malicious
 page.

 The specific flaw exists in the URL handlers associated with iTunes.
 When processing URLs via the protocol handlers itms, itmss, daap,
 pcast, and itpc an exploitable stack overflow occurs. Successful
 exploitation can lead to a remote system compromise under the
 credentials of the currently logged in user.

 -- Vendor Response:
 Apple has issued an update to correct this vulnerability. More
 details can be found at:

 http://support.apple.com/kb/HT3592

 -- Disclosure Timeline:
 2009-04-09 - Vulnerability reported to vendor
 2009-06-02 - Coordinated public release of advisory

 -- Credit:
 This vulnerability was discovered by:
    * James King, TippingPoint DVLabs




[USN-780-1] CUPS vulnerability

2009-06-03 Thread Marc Deslauriers
===
Ubuntu Security Notice USN-780-1  June 03, 2009
cups, cupsys vulnerability
CVE-2009-0949
===

A security issue affects the following Ubuntu releases:

Ubuntu 6.06 LTS
Ubuntu 8.04 LTS
Ubuntu 8.10
Ubuntu 9.04

This advisory also applies to the corresponding versions of
Kubuntu, Edubuntu, and Xubuntu.

The problem can be corrected by upgrading your system to the
following package versions:

Ubuntu 6.06 LTS:
  cupsys  1.2.2-0ubuntu0.6.06.14

Ubuntu 8.04 LTS:
  cupsys  1.3.7-1ubuntu3.5

Ubuntu 8.10:
  cups1.3.9-2ubuntu9.2

Ubuntu 9.04:
  cups1.3.9-17ubuntu3.1

In general, a standard system upgrade is sufficient to effect the
necessary changes.

Details follow:

Anibal Sacco discovered that CUPS did not properly handle certain network
operations. A remote attacker could exploit this flaw and cause the CUPS
server to crash, resulting in a denial of service.


Updated packages for Ubuntu 6.06 LTS:

  Source archives:


http://security.ubuntu.com/ubuntu/pool/main/c/cupsys/cupsys_1.2.2-0ubuntu0.6.06.14.diff.gz
  Size/MD5:   101447 1edf4eb6127965001092ac72fc5743ea

http://security.ubuntu.com/ubuntu/pool/main/c/cupsys/cupsys_1.2.2-0ubuntu0.6.06.14.dsc
  Size/MD5: 1060 4843503dffb5c5268a64499cb2cf279e

http://security.ubuntu.com/ubuntu/pool/main/c/cupsys/cupsys_1.2.2.orig.tar.gz
  Size/MD5:  4070384 2c99b8aa4c8dc25c8a84f9c06aa52e3e

  Architecture independent packages:


http://security.ubuntu.com/ubuntu/pool/main/c/cupsys/libcupsys2-gnutls10_1.2.2-0ubuntu0.6.06.14_all.deb
  Size/MD5:  998 ee02e19aab490d9d97b6d3eb0f0808e4

  amd64 architecture (Athlon64, Opteron, EM64T Xeon):


http://security.ubuntu.com/ubuntu/pool/main/c/cupsys/cupsys-bsd_1.2.2-0ubuntu0.6.06.14_amd64.deb
  Size/MD5:    36236 8f3c604623813d67800c2f06686ccd1b

http://security.ubuntu.com/ubuntu/pool/main/c/cupsys/cupsys-client_1.2.2-0ubuntu0.6.06.14_amd64.deb
  Size/MD5:    81894 166216227002808778e9a01798409a37

http://security.ubuntu.com/ubuntu/pool/main/c/cupsys/cupsys_1.2.2-0ubuntu0.6.06.14_amd64.deb
  Size/MD5:  2287028 141ace9ca050db86cdef9b44e620c13b

http://security.ubuntu.com/ubuntu/pool/main/c/cupsys/libcupsimage2-dev_1.2.2-0ubuntu0.6.06.14_amd64.deb
  Size/MD5: 6094 f338b2ae622333497e2cda10f26590e9

http://security.ubuntu.com/ubuntu/pool/main/c/cupsys/libcupsimage2_1.2.2-0ubuntu0.6.06.14_amd64.deb
  Size/MD5:    77648 40846208a23006cab7c7bd52813a6343

http://security.ubuntu.com/ubuntu/pool/main/c/cupsys/libcupsys2-dev_1.2.2-0ubuntu0.6.06.14_amd64.deb
  Size/MD5:    25756 5b703a78f78465181f785715ef7036cc

http://security.ubuntu.com/ubuntu/pool/main/c/cupsys/libcupsys2_1.2.2-0ubuntu0.6.06.14_amd64.deb
  Size/MD5:   130344 6c9d54d7f6c8069d8d69652bf6dbddd7

  i386 architecture (x86 compatible Intel/AMD):


http://security.ubuntu.com/ubuntu/pool/main/c/cupsys/cupsys-bsd_1.2.2-0ubuntu0.6.06.14_i386.deb
  Size/MD5:    34762 08037502d74a512a07b184c2999d32ad

http://security.ubuntu.com/ubuntu/pool/main/c/cupsys/cupsys-client_1.2.2-0ubuntu0.6.06.14_i386.deb
  Size/MD5:    77992 260347aa2b7f4ec59fcaa1d29a16e0c3

http://security.ubuntu.com/ubuntu/pool/main/c/cupsys/cupsys_1.2.2-0ubuntu0.6.06.14_i386.deb
  Size/MD5:  2254260 49e00eabc519426ee5413864c4bdb251

http://security.ubuntu.com/ubuntu/pool/main/c/cupsys/libcupsimage2-dev_1.2.2-0ubuntu0.6.06.14_i386.deb
  Size/MD5: 6092 0a515dd0fdd48eb70da0b5bfe3019f08

http://security.ubuntu.com/ubuntu/pool/main/c/cupsys/libcupsimage2_1.2.2-0ubuntu0.6.06.14_i386.deb
  Size/MD5:    76752 7ee453f379433e22b9451e6282669797

http://security.ubuntu.com/ubuntu/pool/main/c/cupsys/libcupsys2-dev_1.2.2-0ubuntu0.6.06.14_i386.deb
  Size/MD5:    25740 28af462a2e8f13620bb1b70cef1cd08e

http://security.ubuntu.com/ubuntu/pool/main/c/cupsys/libcupsys2_1.2.2-0ubuntu0.6.06.14_i386.deb
  Size/MD5:   122538 200a588a83e668f621ca41bc41a13413

  powerpc architecture (Apple Macintosh G3/G4/G5):


http://security.ubuntu.com/ubuntu/pool/main/c/cupsys/cupsys-bsd_1.2.2-0ubuntu0.6.06.14_powerpc.deb
  Size/MD5:    40462 3937e3b6cb8f6cda2f1e450518a4e136

http://security.ubuntu.com/ubuntu/pool/main/c/cupsys/cupsys-client_1.2.2-0ubuntu0.6.06.14_powerpc.deb
  Size/MD5:    89516 bf845949727422d0ae4d550966d34c72

http://security.ubuntu.com/ubuntu/pool/main/c/cupsys/cupsys_1.2.2-0ubuntu0.6.06.14_powerpc.deb
  Size/MD5:  2301634 8bf6a7e2fcff62817459186c189673d1

http://security.ubuntu.com/ubuntu/pool/main/c/cupsys/libcupsimage2-dev_1.2.2-0ubuntu0.6.06.14_powerpc.deb
  Size/MD5: 6094 cb2ff11f6c55d69b99f39e64ad399774

http://security.ubuntu.com/ubuntu/pool/main/c/cupsys/libcupsimage2_1.2.2-0ubuntu0.6.06.14_powerpc.deb
  

[SECURITY] CVE-2009-0580 Apache Tomcat User enumeration vulnerability with FORM authentication

2009-06-03 Thread Mark Thomas
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

CVE-2009-0580: Tomcat information disclosure vulnerability

Severity: Low

Vendor:
The Apache Software Foundation

Versions Affected:
Tomcat 4.1.0 to 4.1.39
Tomcat 5.5.0 to 5.5.27
Tomcat 6.0.0 to 6.0.18

The unsupported Tomcat 3.x, 4.0.x and 5.0.x versions may be also affected.

Description:
Due to insufficient error checking in some authentication classes,
Tomcat allows for the enumeration (brute force testing) of usernames by
supplying illegally URL encoded passwords. The attack is possible if
form based authentication (j_security_check) with one of the following
authentication realms is used:
 * MemoryRealm
 * DataSourceRealm
 * JDBCRealm

Mitigation:
6.0.x users should do one of the following:
 - upgrade to 6.0.20
 - apply this patch http://svn.apache.org/viewvc?rev=747840&view=rev
5.5.x users should do one of the following:
 - upgrade to 5.5.28 when released
 - apply this patch http://svn.apache.org/viewvc?rev=781379&view=rev
4.1.x users should do one of the following:
 - upgrade to 4.1.40 when released
 - apply this patch http://svn.apache.org/viewvc?rev=781382&view=rev

Example:
The following POST request should trigger an error (500 server error or
empty response, depending on the configuration) if the ROOT web
application is configured to use FORM authentication:

POST /j_security_check HTTP/1.1
Host: localhost
Content-Type: application/x-www-form-urlencoded
Content-Length: 30

j_username=tomcat&j_password=%

Credit:
This issue was discovered by D. Matscheko and T. Hackner of SEC Consult.

References:
http://tomcat.apache.org/security.html

Mark Thomas
-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.9 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iEYEARECAAYFAkommckACgkQb7IeiTPGAkP75ACg7XYuld/25X2ltLLTeeQx88UB
pFgAn1f6mIpzU7QUnjF4lsHcR+6lY67B
=a0AC
-END PGP SIGNATURE-
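The following Python model is an added example and is not Tomcat's code. It reproduces the oracle behind the advisory's example request under two assumptions the advisory itself does not spell out: that the container drops a form parameter whose value is not legally URL-encoded (so the realm receives a null password for `j_password=%`), and that the affected realms looked the user up before touching the credential, so a known user hit the null and an unknown user did not. The realm class names, the sample user table and the HTTP status codes are constructed for the demo.

```python
import hmac
import re

_PCT = re.compile(r"%([0-9A-Fa-f]{2})")

# Constructed sample user store standing in for a MemoryRealm's tomcat-users.xml.
USERS = {"tomcat": "s3cret", "admin": "hunter2"}


def strict_url_decode(value):
    """Decode x-www-form-urlencoded text, rejecting a '%' that is not followed by
    two hex digits (the 'illegally URL encoded' input from the advisory)."""
    out = []
    i = 0
    while i < len(value):
        if value[i] == "%":
            m = _PCT.match(value, i)
            if m is None:
                raise ValueError("illegal URL-encoded sequence at offset %d" % i)
            out.append(chr(int(m.group(1), 16)))
            i = m.end()
        elif value[i] == "+":
            out.append(" ")
            i += 1
        else:
            out.append(value[i])
            i += 1
    return "".join(out)


def parse_form(body):
    """Split a form body into parameters. Assumption: a parameter whose value
    fails to decode is dropped, so the realm later receives None for it."""
    params = {}
    for pair in body.split("&"):
        name, _, raw = pair.partition("=")
        try:
            params[strict_url_decode(name)] = strict_url_decode(raw)
        except ValueError:
            continue
    return params


class VulnerableRealm:
    """Looks the user up first and only then uses the credential, so a None
    credential raises for a known user (the analogue of a Java
    NullPointerException) but is never reached for an unknown one."""

    def authenticate(self, username, credentials):
        stored = USERS.get(username)
        if stored is None:
            return None  # unknown user: ordinary login failure
        if hmac.compare_digest(stored.encode(), credentials.encode()):
            return username
        return None


class HardenedRealm:
    """Rejects a missing credential before the user lookup, so known and
    unknown users produce the same response."""

    def authenticate(self, username, credentials):
        if username is None or credentials is None:
            return None
        stored = USERS.get(username)
        if stored is None or not hmac.compare_digest(stored.encode(), credentials.encode()):
            return None
        return username


def handle_j_security_check(realm, body):
    """Minimal stand-in for the FORM login endpoint: 302 on success, 200 with
    the error page on a failed login, 500 if the realm throws."""
    params = parse_form(body)
    try:
        principal = realm.authenticate(params.get("j_username"), params.get("j_password"))
    except Exception:
        return 500
    return 302 if principal else 200


def user_exists(realm, username):
    """The enumeration oracle from the advisory: probe with the malformed
    password '%' and treat a server error as 'this account exists'."""
    return handle_j_security_check(realm, "j_username=%s&j_password=%%" % username) == 500


if __name__ == "__main__":
    for name in ("tomcat", "admin", "nobody"):
        print(name, "vulnerable:", user_exists(VulnerableRealm(), name),
              "hardened:", user_exists(HardenedRealm(), name))
```

Against the vulnerable realm the probe returns 500 for `tomcat` and `admin` and 200 for `nobody`; against the hardened realm every probe returns 200, which is the property the patches in the Mitigation section restore: the response to a bad login must not depend on whether the username exists.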



[ MDVSA-2009:127 ] gaim

2009-06-03 Thread security

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

 ___

 Mandriva Linux Security Advisory MDVSA-2009:127
 http://www.mandriva.com/security/
 ___

 Package : gaim
 Date: June 3, 2009
 Affected: Corporate 3.0
 ___

 Problem Description:

 It was discovered that Gaim did not properly handle certain malformed
 messages in the MSN protocol handler. A remote attacker could send
 a specially crafted message and possibly execute arbitrary code with
 user privileges. (CVE-2008-2927)
 ___

 References:

 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2927
 ___

 Updated Packages:

 Corporate 3.0:
 f33a114cbf007f28fd6e8198ca1ebca2  corporate/3.0/i586/gaim-1.5.0-0.2.C30mdk.i586.rpm
 36237a65920d5ed005aa3a15a4cd3c56  corporate/3.0/i586/gaim-devel-1.5.0-0.2.C30mdk.i586.rpm
 638615c071a4118e4ecbec232930308d  corporate/3.0/i586/gaim-perl-1.5.0-0.2.C30mdk.i586.rpm
 c4d0735b587705b70c1423b4a79d89ca  corporate/3.0/i586/gaim-tcl-1.5.0-0.2.C30mdk.i586.rpm
 7db03353a62b5de39906113c585c5fb4  corporate/3.0/i586/libgaim-remote0-1.5.0-0.2.C30mdk.i586.rpm
 671616d112af90f9cffc359aa08c764f  corporate/3.0/i586/libgaim-remote0-devel-1.5.0-0.2.C30mdk.i586.rpm
 43d70b5e7e3dda956660cda4a88e9e8b  corporate/3.0/SRPMS/gaim-1.5.0-0.2.C30mdk.src.rpm

 Corporate 3.0/X86_64:
 1c01cd160fc75a94efec2aa945e36b35  corporate/3.0/x86_64/gaim-1.5.0-0.2.C30mdk.x86_64.rpm
 8262c9b0566cd80792c0bdc937821125  corporate/3.0/x86_64/gaim-devel-1.5.0-0.2.C30mdk.x86_64.rpm
 d3ca7daf40fcae4792f3e005e546a1f2  corporate/3.0/x86_64/gaim-perl-1.5.0-0.2.C30mdk.x86_64.rpm
 23d7f53561346118cbf3aef045a325a5  corporate/3.0/x86_64/gaim-tcl-1.5.0-0.2.C30mdk.x86_64.rpm
 d1f44f583038fe88d01afb1df936072f  corporate/3.0/x86_64/lib64gaim-remote0-1.5.0-0.2.C30mdk.x86_64.rpm
 fbb9ef34e9771a666717d6ea45246cf1  corporate/3.0/x86_64/lib64gaim-remote0-devel-1.5.0-0.2.C30mdk.x86_64.rpm
 43d70b5e7e3dda956660cda4a88e9e8b  corporate/3.0/SRPMS/gaim-1.5.0-0.2.C30mdk.src.rpm
 ___

 To upgrade automatically use MandrivaUpdate or urpmi.  The verification
 of md5 checksums and GPG signatures is performed automatically for you.

 All packages are signed by Mandriva for security.  You can obtain the
 GPG public key of the Mandriva Security Team by executing:

  gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98

 You can view other update advisories for Mandriva Linux at:

  http://www.mandriva.com/security/advisories

 If you want to report vulnerabilities, please contact

  security_(at)_mandriva.com
 ___

 Type Bits/KeyID Date   User ID
 pub  1024D/22458A98 2000-07-10 Mandriva Security Team
  security*mandriva.com
-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.9 (GNU/Linux)

iD8DBQFKJniEmqjQ0CJFipgRAmmYAJ9Ws9bVrOxm9QaFSM7UmlpwR4qYSQCfeaER
dMI/55ysmlo17nZXRkr0P2k=
=NIbs
-END PGP SIGNATURE-



OCS Inventory NG 1.02 - Directory Traversal

2009-06-03 Thread Nico Leidecker
OCS Inventory NG - Directory Traversal  (May 30 2009)
___


* Product

  Open Computer and Software (OCS) Inventory NG
  (http://www.ocsinventory-ng.org)


* Vulnerable Versions

  OCS Inventory NG 1.02 (Unix)


* Vendor Status

  Vendor has been notified and the vulnerability has been fixed in
version 1.02.1.


* Details

  The Open Computer and Software (OCS) Inventory Next Generation (NG)
provides relevant inventory information about system configurations and
software on the network. The server can be managed using a web
interface. It is possible for unauthenticated users to extract arbitrary
files from the hosting system due to inadequate file handling in cvs.php.

  cvs.php:

} elseif (isset($_GET['log'])){
    // 'rep' and 'log' are taken straight from the query string. The only
    // check is that the concatenated path exists, so "../" sequences and
    // absolute paths (with 'rep' left unset) are accepted as-is.
    if (file_exists($_GET['rep'].$_GET['log'])){
        $tab = file($_GET['rep'].$_GET['log']);
        while(list($cle,$val) = each($tab)) {
            $toBeWritten .= $val."\r\n";
        }
        $filename=$_GET['log'];
    }
}


* Impact

  Attackers may be able to read arbitrary files from the hosting system.


* Exploit

  The vulnerability can be exploited by just using a web browser:

http://example.org/ocsreports/cvs.php?log=/etc/passwd

___
http://www.leidecker.info/advisories/2009-05-30-ocs_inventory_ng_directory_traversal.shtml
Nico Leidecker - http://www.leidecker.info
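The block below is an added Python example; it is neither OCS Inventory code nor the 1.02.1 fix. It reproduces the cvs.php logic quoted above to show that the file_exists() test accepts an absolute path or a "../" sequence just as readily as a real log name, and puts a directory-confinement check beside it. The directory layout and file contents are constructed in a temporary directory for the demo.

```python
import os
import tempfile


def vulnerable_read(rep, log):
    """Mirrors the cvs.php logic: concatenate the two query parameters and read
    the file if it exists. file_exists() is not a security check; it accepts
    absolute paths and '../' alike."""
    path = (rep or "") + log  # an unset 'rep' concatenates as "", as in PHP
    if not os.path.isfile(path):
        return None
    with open(path, encoding="utf-8", errors="replace") as fh:
        return fh.read()


def safe_log_path(base_dir, log):
    """Resolve base_dir/log and return it only if it stays inside base_dir.
    realpath() also follows symlinks, so a link that points out of the tree
    is rejected too. Returns None for anything that escapes."""
    if not log or "\x00" in log or os.path.isabs(log):
        return None
    base = os.path.realpath(base_dir)
    candidate = os.path.realpath(os.path.join(base, log))
    if os.path.commonpath([base, candidate]) != base:
        return None
    return candidate


def hardened_read(base_dir, log):
    """Same read, with the log name confined to one directory."""
    path = safe_log_path(base_dir, log)
    if path is None or not os.path.isfile(path):
        return None
    with open(path, encoding="utf-8", errors="replace") as fh:
        return fh.read()


def build_fixture():
    """Constructed sample tree for the demo: a log directory and a file outside
    it that stands in for /etc/passwd. Returns (log_dir, outside_file)."""
    root = tempfile.mkdtemp(prefix="ocs-demo-")
    log_dir = os.path.join(root, "ocsreports", "logs")
    os.makedirs(log_dir)
    with open(os.path.join(log_dir, "agent.log"), "w", encoding="utf-8") as fh:
        fh.write("inventory run ok\n")
    outside = os.path.join(root, "passwd")
    with open(outside, "w", encoding="utf-8") as fh:
        fh.write("root:x:0:0:root:/root:/bin/sh\n")
    return log_dir, outside


if __name__ == "__main__":
    log_dir, outside = build_fixture()
    print("vulnerable, log=<absolute path>:", repr(vulnerable_read(None, outside)))
    print("vulnerable, rep=<log dir>/ log=../../passwd:",
          repr(vulnerable_read(log_dir + "/", "../../passwd")))
    print("hardened,   log=agent.log:", repr(hardened_read(log_dir, "agent.log")))
    print("hardened,   log=../../passwd:", repr(hardened_read(log_dir, "../../passwd")))
```

The first two calls return the contents of the file outside the log directory, which is the advisory's `cvs.php?log=/etc/passwd` in miniature; the hardened version returns the real log and None for every escape attempt. Canonicalising with realpath() before the containment check matters: comparing the raw joined string against the base directory would still let `..` and symlinks through.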