[ MDVSA-2010:073-1 ] cups

2010-04-15 Thread security

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

 ___

 Mandriva Linux Security Advisory   MDVSA-2010:073-1
 http://www.mandriva.com/security/
 ___

 Package : cups
 Date: April 14, 2010
 Affected: 2010.0
 ___

 Problem Description:

 Multiple vulnerabilities have been found and corrected in cups:
 
 CUPS in does not properly handle (1) HTTP headers and (2) HTML
 templates, which allows remote attackers to conduct cross-site
 scripting (XSS) attacks and HTTP response splitting attacks via vectors
 related to (a) the product's web interface, (b) the configuration of
 the print system, and (c) the titles of printed jobs (CVE-2009-2820).
 
 Use-after-free vulnerability in the abstract file-descriptor handling
 interface in the cupsdDoSelect function in scheduler/select.c in the
 scheduler in cupsd in CUPS 1.3.7 and 1.3.10 allows remote attackers
 to cause a denial of service (daemon crash or hang) via a client
 disconnection during listing of a large number of print jobs, related
 to improperly maintaining a reference count.  NOTE: some of these
 details are obtained from third party information (CVE-2009-3553).
 
 Use-after-free vulnerability in the abstract file-descriptor handling
 interface in the cupsdDoSelect function in scheduler/select.c in the
 scheduler in cupsd in CUPS 1.3.7, 1.3.9, 1.3.10, and 1.4.1, when kqueue
 or epoll is used, allows remote attackers to cause a denial of service
 (daemon crash or hang) via a client disconnection during listing
 of a large number of print jobs, related to improperly maintaining
 a reference count.  NOTE: some of these details are obtained from
 third party information.  NOTE: this vulnerability exists because of
 an incomplete fix for CVE-2009-3553 (CVE-2010-0302).
 
 The _cupsGetlang function, as used by lppasswd.c in lppasswd in CUPS
 1.2.2, 1.3.7, 1.3.9, and 1.4.1, relies on an environment variable
 to determine the file that provides localized message strings, which
 allows local users to gain privileges via a file that contains crafted
 localization data with format string specifiers (CVE-2010-0393).
 
 The updated packages have been patched to correct these issues.

 Update:

 Packages for Mandriva Linux 2010.0 were missing from
 MDVSA-2010:073. This advisory provides packages for 2010.0 as well.
 ___

 References:

 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2820
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3553
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0302
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0393
 ___

 Updated Packages:

 Mandriva Linux 2010.0:
 ba3d43f654fd15aea9f81eadb57c3022  2010.0/i586/cups-1.4.1-12.1mdv2010.0.i586.rpm
 b1f275796b029190380e40ae23ae8ed0  2010.0/i586/cups-common-1.4.1-12.1mdv2010.0.i586.rpm
 296b30522aa7c008767c6b285aa4b715  2010.0/i586/cups-serial-1.4.1-12.1mdv2010.0.i586.rpm
 b3abb3c2299c1cb32848c0ee5954eed8  2010.0/i586/libcups2-1.4.1-12.1mdv2010.0.i586.rpm
 d91c255a1e42e5988f1d8d2d94ffd369  2010.0/i586/libcups2-devel-1.4.1-12.1mdv2010.0.i586.rpm
 ba336d918bbe9d03cf4fa823293bfb37  2010.0/i586/php-cups-1.4.1-12.1mdv2010.0.i586.rpm
 c3aee001d1629963053f475a49b7cd5d  2010.0/SRPMS/cups-1.4.1-12.1mdv2010.0.src.rpm

 Mandriva Linux 2010.0/X86_64:
 7c089025f467e5b366e57a15e85857ce  2010.0/x86_64/cups-1.4.1-12.1mdv2010.0.x86_64.rpm
 0e0e4ad3a4d42022d22a88ee8568f8bf  2010.0/x86_64/cups-common-1.4.1-12.1mdv2010.0.x86_64.rpm
 cb7b4cadce5a174bbd4027f478b38c26  2010.0/x86_64/cups-serial-1.4.1-12.1mdv2010.0.x86_64.rpm
 653bd25375281b919c6438e71052359d  2010.0/x86_64/lib64cups2-1.4.1-12.1mdv2010.0.x86_64.rpm
 7bebd27fa6ce2aa5667d28fd7b06702e  2010.0/x86_64/lib64cups2-devel-1.4.1-12.1mdv2010.0.x86_64.rpm
 34452fc88d7a16591eb653a32c6daa28  2010.0/x86_64/php-cups-1.4.1-12.1mdv2010.0.x86_64.rpm
 c3aee001d1629963053f475a49b7cd5d  2010.0/SRPMS/cups-1.4.1-12.1mdv2010.0.src.rpm
 ___

 To upgrade automatically use MandrivaUpdate or urpmi.  The verification
 of md5 checksums and GPG signatures is performed automatically for you.

 All packages are signed by Mandriva for security.  You can obtain the
 GPG public key of the Mandriva Security Team by executing:

  gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98

 You can view other update advisories for Mandriva Linux at:

  http://www.mandriva.com/security/advisories

 If you want to report vulnerabilities, please contact

  security_(at)_mandriva.com
 ___

 Type Bits/KeyID Date   User ID
 pub  1024D/22458A98 2000-07-10 Mandriva Security 
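
The advisory says urpmi and MandrivaUpdate verify md5 checksums and GPG signatures for you. For the case where packages are fetched by hand, the following is an added example, not Mandriva's tooling: it parses an "Updated Packages" list of the kind printed above into (path, md5) pairs, tolerating the line wrapping that mail clients introduce in such lists (an md5 on one line and its path on the next), and checks downloaded files against it. The sample text reuses the md5 values from the 2010.0 list above; the files written by demo() are constructed stand-ins, not real RPMs.

```python
"""Verify downloaded RPMs against the checksum list of a Mandriva advisory.

Added example, not Mandriva's own tooling. Only the md5 check is shown here;
it detects corrupt or tampered downloads, but authenticity still rests on the
GPG signature the advisory mentions (verified separately, e.g. by rpm/urpmi).
"""
import hashlib
import os
import re

# Constructed sample: three entries copied from the 2010.0 list above, with the
# second one wrapped the way it appears in the mailed advisory.
SAMPLE_ADVISORY = """\
 Mandriva Linux 2010.0:
 ba3d43f654fd15aea9f81eadb57c3022  2010.0/i586/cups-1.4.1-12.1mdv2010.0.i586.rpm
 b1f275796b029190380e40ae23ae8ed0  
2010.0/i586/cups-common-1.4.1-12.1mdv2010.0.i586.rpm
 c3aee001d1629963053f475a49b7cd5d  2010.0/SRPMS/cups-1.4.1-12.1mdv2010.0.src.rpm
"""

# 32 hex digits, optionally followed by the package path on the same line
_MD5_RE = re.compile(r"^([0-9a-f]{32})(?:\s+(\S+))?\s*$")


def parse_package_list(text: str) -> dict:
    """Return {relative_path: md5}, joining an md5 with a path wrapped below it."""
    checksums = {}
    pending = None  # md5 whose path was pushed to the next line
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = _MD5_RE.match(line)
        if m:
            md5, path = m.group(1), m.group(2)
            if path:
                checksums[path] = md5
                pending = None
            else:
                pending = md5
        elif pending and line.endswith(".rpm"):
            checksums[line] = pending
            pending = None
    return checksums


def md5_of_file(path: str, chunk: int = 1 << 16) -> str:
    """Stream the file through md5 so large packages do not need to fit in RAM."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def verify_downloads(checksums: dict, download_dir: str) -> dict:
    """Map each advisory path to 'ok', 'mismatch' or 'missing'."""
    results = {}
    for rel, expected in checksums.items():
        local = os.path.join(download_dir, os.path.basename(rel))
        if not os.path.exists(local):
            results[rel] = "missing"
        elif md5_of_file(local) == expected:
            results[rel] = "ok"
        else:
            results[rel] = "mismatch"
    return results


def demo() -> dict:
    """Constructed scenario (no real packages): one intact download, one
    tampered download, and one package that was never downloaded."""
    import tempfile
    checks = parse_package_list(SAMPLE_ADVISORY)
    with tempfile.TemporaryDirectory() as d:
        intact = b"constructed stand-in for the cups package"
        with open(os.path.join(d, "cups-1.4.1-12.1mdv2010.0.i586.rpm"), "wb") as f:
            f.write(intact)
        # the stand-in is not the real rpm, so the expected digest is its own
        checks["2010.0/i586/cups-1.4.1-12.1mdv2010.0.i586.rpm"] = hashlib.md5(intact).hexdigest()
        with open(os.path.join(d, "cups-common-1.4.1-12.1mdv2010.0.i586.rpm"), "wb") as f:
            f.write(b"tampered contents")  # will not match the advisory md5
        return verify_downloads(checks, d)


if __name__ == "__main__":
    for path, state in demo().items():
        print(f"{state:9} {path}")
```

A "mismatch" means the file on disk is not the one the advisory describes and must not be installed; since MD5 collisions are practical, treat "ok" as protection against corruption and truncation only, and rely on the package signature for authenticity.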

Ziggurat CMS Multiple Vulnerabilities

2010-04-15 Thread info
# 

# Securitylab.ir 

# 

# Application Info: 

# Name: Ziggurat CMS

# Vendor: http://www.farsi-cms.com

#

Vulnerability: 



# Arbitrary File Upload

http://site.com/manager/upload.asp



# Remote File Download

http://site.com/manager/backup.asp?bck=./../file.asp



# Cross Site Scripting

http://site.com/index.asp?id=script(xss)/script

#

# 2010-04-10 - Vendor notified

# 2010-04-15 - Public disclosure

# 

# Discovered By: Pouya Daneshmand

# Website: http://Pouya.Securitylab.ir 

# Contacts: info[at]securitylab.ir  whh_iran[at]yahoo.com

###


[ MDVSA-2010:073 ] cups

2010-04-15 Thread security

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

 ___

 Mandriva Linux Security Advisory MDVSA-2010:073
 http://www.mandriva.com/security/
 ___

 Package : cups
 Date: April 14, 2010
 Affected: 2008.0, 2009.0, 2009.1, Enterprise Server 5.0
 ___

 Problem Description:

 Multiple vulnerabilities have been found and corrected in cups:
 
 CUPS in does not properly handle (1) HTTP headers and (2) HTML
 templates, which allows remote attackers to conduct cross-site
 scripting (XSS) attacks and HTTP response splitting attacks via vectors
 related to (a) the product's web interface, (b) the configuration of
 the print system, and (c) the titles of printed jobs (CVE-2009-2820).
 
 Use-after-free vulnerability in the abstract file-descriptor handling
 interface in the cupsdDoSelect function in scheduler/select.c in the
 scheduler in cupsd in CUPS 1.3.7 and 1.3.10 allows remote attackers
 to cause a denial of service (daemon crash or hang) via a client
 disconnection during listing of a large number of print jobs, related
 to improperly maintaining a reference count.  NOTE: some of these
 details are obtained from third party information (CVE-2009-3553).
 
 Use-after-free vulnerability in the abstract file-descriptor handling
 interface in the cupsdDoSelect function in scheduler/select.c in the
 scheduler in cupsd in CUPS 1.3.7, 1.3.9, 1.3.10, and 1.4.1, when kqueue
 or epoll is used, allows remote attackers to cause a denial of service
 (daemon crash or hang) via a client disconnection during listing
 of a large number of print jobs, related to improperly maintaining
 a reference count.  NOTE: some of these details are obtained from
 third party information.  NOTE: this vulnerability exists because of
 an incomplete fix for CVE-2009-3553 (CVE-2010-0302).
 
 The _cupsGetlang function, as used by lppasswd.c in lppasswd in CUPS
 1.2.2, 1.3.7, 1.3.9, and 1.4.1, relies on an environment variable
 to determine the file that provides localized message strings, which
 allows local users to gain privileges via a file that contains crafted
 localization data with format string specifiers (CVE-2010-0393).
 
 The updated packages have been patched to correct these issues.
 ___

 References:

 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2820
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3553
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0302
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0393
 ___

 Updated Packages:

 Mandriva Linux 2008.0:
 a32a4128da2ed9e16c9c32dfc9096808  2008.0/i586/cups-1.3.10-0.2mdv2008.0.i586.rpm
 711dcd4a509abd67bf967ae828370bfe  2008.0/i586/cups-common-1.3.10-0.2mdv2008.0.i586.rpm
 aff4928b801486fafa9a799dee913245  2008.0/i586/cups-serial-1.3.10-0.2mdv2008.0.i586.rpm
 b23f0c512bd99b3c36b155a585e14648  2008.0/i586/libcups2-1.3.10-0.2mdv2008.0.i586.rpm
 4d5a3e7f8cc569b7eeed96a4f1b5d43a  2008.0/i586/libcups2-devel-1.3.10-0.2mdv2008.0.i586.rpm
 a5222f5bb8861a38b43c7a8151b21954  2008.0/i586/php-cups-1.3.10-0.2mdv2008.0.i586.rpm
 d8bdac011d50accff618549a1fb0ea87  2008.0/SRPMS/cups-1.3.10-0.2mdv2008.0.src.rpm

 Mandriva Linux 2008.0/X86_64:
 bc2c7e3fc59bb883e104018d1b24c7db  2008.0/x86_64/cups-1.3.10-0.2mdv2008.0.x86_64.rpm
 da1a026eaaa97507103dd99956367e2a  2008.0/x86_64/cups-common-1.3.10-0.2mdv2008.0.x86_64.rpm
 7315d16e8a97793d40a313a330f1abb7  2008.0/x86_64/cups-serial-1.3.10-0.2mdv2008.0.x86_64.rpm
 c6d4513b8137ec1bd51932f4f4a234af  2008.0/x86_64/lib64cups2-1.3.10-0.2mdv2008.0.x86_64.rpm
 e656177d1b558cb1a0514f167d66bb95  2008.0/x86_64/lib64cups2-devel-1.3.10-0.2mdv2008.0.x86_64.rpm
 30335b899039b4873a7a963367565e95  2008.0/x86_64/php-cups-1.3.10-0.2mdv2008.0.x86_64.rpm
 d8bdac011d50accff618549a1fb0ea87  2008.0/SRPMS/cups-1.3.10-0.2mdv2008.0.src.rpm

 Mandriva Linux 2009.0:
 f597fcba45e4fe74d94461a85c95e8e3  2009.0/i586/cups-1.3.10-0.3mdv2009.0.i586.rpm
 feca5a7f5ac3b520d33fee752ab4f8fc  2009.0/i586/cups-common-1.3.10-0.3mdv2009.0.i586.rpm
 cc460c58ee0684a7fba6e4bf2d3b62e5  2009.0/i586/cups-serial-1.3.10-0.3mdv2009.0.i586.rpm
 099fa99032ba0ce9b228c58299cd4143  2009.0/i586/libcups2-1.3.10-0.3mdv2009.0.i586.rpm
 0a6a1219b2a6abe9011deb9de06ad7ad  2009.0/i586/libcups2-devel-1.3.10-0.3mdv2009.0.i586.rpm
 9fc21c66b8e8d0a88c38f5fbaf5e2218  2009.0/i586/php-cups-1.3.10-0.3mdv2009.0.i586.rpm
 977d5d5d741abd078f9c778c9c5f87d4  2009.0/SRPMS/cups-1.3.10-0.3mdv2009.0.src.rpm

 Mandriva Linux 2009.0/X86_64:
 f3caa52b521fe6a2435c909fe3d749e2  2009.0/x86_64/cups-1.3.10-0.3mdv2009.0.x86_64.rpm
 723d9585ffe96108b3cfb200c66416c0  2009.0/x86_64/cups-common-1.3.10-0.3mdv2009.0.x86_64.rpm
 

VUPEN Security Research - Adobe Acrobat and Reader PNG Data Buffer Overflow Vulnerability

2010-04-15 Thread VUPEN Web Research
VUPEN Security Research - Adobe Acrobat and Reader PNG Data Buffer Overflow 
Vulnerability


http://www.vupen.com/english/research.php


I. BACKGROUND
-

Adobe Acrobat and Reader are the global standards for electronic
document sharing. They are used to create, view, search, digitally
sign, verify, print, and collaborate on Adobe PDF files.


II. DESCRIPTION
-

VUPEN Vulnerability Research Team discovered a critical vulnerability in
Adobe Acrobat and Reader.

This vulnerability is caused by a buffer overflow error when processing
malformed PNG data, which could be exploited by attackers to execute
arbitrary code by tricking a user into opening a specially crafted
PDF document.


III. AFFECTED PRODUCTS


Adobe Reader version 9.3.1 and prior
Adobe Reader version 8.2.1 and prior
Adobe Acrobat version 9.3.1 and prior
Adobe Acrobat version 8.2.1 and prior



IV. Binary Analysis & Proof-of-concept
---

In-depth binary analysis of the vulnerability and a code execution
exploit with DEP bypass have been released by VUPEN through the
VUPEN Binary Analysis & Exploits Service:

http://www.vupen.com/exploits/


V. SOLUTION


Upgrade to Adobe Acrobat and Reader version 9.3.2 or 8.2.2.


VI. CREDIT
--

The vulnerability was discovered by Nicolas Joly of VUPEN Security


VII. ABOUT VUPEN Security
-

VUPEN is a leading IT security research company providing vulnerability
management and security intelligence solutions which enable enterprises
and institutions to eliminate vulnerabilities before they can be exploited,
ensure security policy compliance and meaningfully measure and manage risks.

Governmental and federal agencies, and global enterprises in the financial
services, insurance, manufacturing and technology industries rely on VUPEN
to improve their security, prioritize resources, cut time and costs, and
stay ahead of the latest threats.

* VUPEN Vulnerability Notification Service:

http://www.vupen.com/english/services/

* VUPEN Binary Analysis & Exploits Service:

http://www.vupen.com/exploits/


VIII. REFERENCES
--

http://www.vupen.com/english/advisories/2010/0873
http://www.adobe.com/support/security/bulletins/apsb10-09.html
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0198


IX. DISCLOSURE TIMELINE
--- 


2010-03-16 - Vendor notified
2010-03-16 - Vendor response
2010-04-07 - Status update received
2010-04-13 - Coordinated public Disclosure





VUPEN Web Security Research - WebAsyst Shop-Script Multiple Input Validation Vulnerabilities

2010-04-15 Thread VUPEN Web Research
VUPEN Web Security Research - WebAsyst Shop-Script Multiple Input Validation 
Vulnerabilities


http://www.vupen.com/english/research-web.php


I. BACKGROUND
-

WebAsyst Shop-Script FREE is a simple and free PHP shopping cart script.
It provides basic shopping cart functionality and allows you to create
a nice-looking, simple shopping cart add-on for your website,
or to learn how shopping cart systems are designed.


II. DESCRIPTION
-

VUPEN Web Vulnerability Research Team discovered 27 vulnerabilities
in WebAsyst Shop-Script FREE.

These issues are caused by input validation errors in various scripts
when processing user-supplied data and parameters, which could allow
local file inclusion, sql injection and cross site scripting attacks.


III. AFFECTED PRODUCTS
---

WebAsyst Shop-Script FREE


IV. SOLUTION
---

The vendor does not support the script any longer.

Remove WebAsyst Shop-Script FREE from your web site.


V. CREDIT
--

The vulnerability was discovered by Mohammed Boumediane of VUPEN Security


VI. ABOUT VUPEN Security


VUPEN is a leading IT security research company providing vulnerability
management and security intelligence solutions which enable enterprises
and institutions to eliminate vulnerabilities before they can be exploited,
ensure security policy compliance and meaningfully measure and manage risks.

Governmental and federal agencies, and global enterprises in the financial
services, insurance, manufacturing and technology industries rely on VUPEN
to improve their security, prioritize resources, cut time and costs, and
stay ahead of the latest threats.

* VUPEN Vulnerability Notification Service:

http://www.vupen.com/english/services/

* VUPEN Binary Analysis & Exploits Service:

http://www.vupen.com/exploits/


VII. REFERENCES
--

http://www.vupen.com/english/advisories/2010/0882


VIII. DISCLOSURE TIMELINE
--- 


2010-04-13 - Vendor notified
2010-04-14 - Vendor response (script not supported any longer)
2010-04-14 - Public Disclosure





VUPEN Security Research - Adobe Acrobat and Reader JPEG Data Buffer Overflow Vulnerability

2010-04-15 Thread VUPEN Web Research
VUPEN Security Research - Adobe Acrobat and Reader JPEG Data Buffer Overflow 
Vulnerability


http://www.vupen.com/english/research.php


I. BACKGROUND
-

Adobe Acrobat and Reader are the global standards for electronic
document sharing. They are used to create, view, search, digitally
sign, verify, print, and collaborate on Adobe PDF files.


II. DESCRIPTION
-

VUPEN Vulnerability Research Team discovered a critical vulnerability in
Adobe Acrobat and Reader.

This vulnerability is caused by a buffer overflow error when processing
malformed JPEG data, which could be exploited by attackers to execute
arbitrary code by tricking a user into opening a specially crafted
PDF document.


III. AFFECTED PRODUCTS
---

Adobe Reader version 9.3.1 and prior
Adobe Reader version 8.2.1 and prior
Adobe Acrobat version 9.3.1 and prior
Adobe Acrobat version 8.2.1 and prior



IV. Binary Analysis & Proof-of-concept
---

In-depth binary analysis of the vulnerability and a code execution
exploit with DEP bypass have been released by VUPEN through the
VUPEN Binary Analysis & Exploits Service:

http://www.vupen.com/exploits/


V. SOLUTION


Upgrade to Adobe Acrobat and Reader version 9.3.2 or 8.2.2.


VI. CREDIT
--

The vulnerability was discovered by Nicolas Joly of VUPEN Security


VII. ABOUT VUPEN Security


VUPEN is a leading IT security research company providing vulnerability
management and security intelligence solutions which enable enterprises
and institutions to eliminate vulnerabilities before they can be exploited,
ensure security policy compliance and meaningfully measure and manage risks.

Governmental and federal agencies, and global enterprises in the financial
services, insurance, manufacturing and technology industries rely on VUPEN
to improve their security, prioritize resources, cut time and costs, and
stay ahead of the latest threats.

* VUPEN Vulnerability Notification Service:

http://www.vupen.com/english/services/

* VUPEN Binary Analysis & Exploits Service:

http://www.vupen.com/exploits/


VIII. REFERENCES
--

http://www.vupen.com/english/advisories/2010/0873
http://www.adobe.com/support/security/bulletins/apsb10-09.html
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0199


IX. DISCLOSURE TIMELINE
--- 


2010-03-16 - Vendor notified
2010-03-16 - Vendor response
2010-04-07 - Status update received
2010-04-13 - Coordinated public Disclosure





VUPEN Security Research - Adobe Acrobat and Reader BMP Data Buffer Overflow Vulnerability

2010-04-15 Thread VUPEN Web Research

VUPEN Security Research - Adobe Acrobat and Reader BMP Data Buffer Overflow
Vulnerability

http://www.vupen.com/english/research.php


I. BACKGROUND
-

Adobe Acrobat and Reader are the global standards for electronic
document sharing. They are used to create, view, search, digitally
sign, verify, print, and collaborate on Adobe PDF files.


II. DESCRIPTION
-

VUPEN Vulnerability Research Team discovered a critical vulnerability in
Adobe Acrobat and Reader.

This vulnerability is caused by a buffer overflow error when processing
malformed BitMap (BMP) data, which could be exploited by attackers to
execute arbitrary code by tricking a user into opening a specially crafted
PDF document.


III. AFFECTED PRODUCTS
-

Adobe Reader version 9.3.1 and prior
Adobe Reader version 8.2.1 and prior
Adobe Acrobat version 9.3.1 and prior
Adobe Acrobat version 8.2.1 and prior



IV. Binary Analysis & Proof-of-concept
-

In-depth binary analysis of the vulnerability and a code execution
exploit with DEP bypass have been released by VUPEN through the
VUPEN Binary Analysis & Exploits Service:

http://www.vupen.com/exploits/


V. SOLUTION
-

Upgrade to Adobe Acrobat and Reader version 9.3.2 or 8.2.2.


VI. CREDIT
--

The vulnerability was discovered by Nicolas Joly of VUPEN Security


VII. ABOUT VUPEN Security


VUPEN is a leading IT security research company providing vulnerability
management and security intelligence solutions which enable enterprises
and institutions to eliminate vulnerabilities before they can be exploited,
ensure security policy compliance and meaningfully measure and manage risks.

Governmental and federal agencies, and global enterprises in the financial
services, insurance, manufacturing and technology industries rely on VUPEN
to improve their security, prioritize resources, cut time and costs, and
stay ahead of the latest threats.

* VUPEN Vulnerability Notification Service:

http://www.vupen.com/english/services/

* VUPEN Binary Analysis & Exploits Service:

http://www.vupen.com/exploits/


VIII. REFERENCES
--

http://www.vupen.com/english/advisories/2010/0873
http://www.adobe.com/support/security/bulletins/apsb10-09.html
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0203


IX. DISCLOSURE TIMELINE
--- 


2010-03-16 - Vendor notified
2010-03-16 - Vendor response
2010-04-07 - Status update received
2010-04-13 - Coordinated public Disclosure





ZDI-10-072: Cisco Secure Desktop CSDWebInstaller ActiveX Control Remote Code Execution Vulnerability

2010-04-15 Thread ZDI Disclosures
ZDI-10-072: Cisco Secure Desktop CSDWebInstaller ActiveX Control Remote Code 
Execution Vulnerability
http://www.zerodayinitiative.com/advisories/ZDI-10-072
April 14, 2010

-- Affected Vendors:
Cisco

-- Affected Products:
Cisco Secure Desktop

-- TippingPoint(TM) IPS Customer Protection:
TippingPoint IPS customers have been protected against this
vulnerability by Digital Vaccine protection filter ID 8247. 
For further product information on the TippingPoint IPS, visit:

http://www.tippingpoint.com

-- Vulnerability Details:
This vulnerability allows remote attackers to execute arbitrary code on
systems with vulnerable installations of Cisco Secure Desktop. User
interaction is required to exploit this vulnerability in that the target
must visit a malicious page.

The specific flaw exists in the Secure Desktop Web Install ActiveX
control (705EC6D4-B138-4079-A307-EF13E4889A82). The control fails to
properly verify the signature of the downloaded executable being
installed. By not verifying the executable a malicious attacker can
force the user to download and run any code of their choosing.
Successful exploitation leads to full system compromise under the
credentials of the currently logged in user.

-- Vendor Response:
Cisco has issued an update to correct this vulnerability. More
details can be found at:

http://www.cisco.com/en/US/products/products_security_advisory09186a0080b25d01.shtml

-- Disclosure Timeline:
2009-02-24 - Vulnerability reported to vendor
2010-04-14 - Coordinated public release of advisory

-- Credit:
This vulnerability was discovered by:
* Anonymous

-- About the Zero Day Initiative (ZDI):
Established by TippingPoint, The Zero Day Initiative (ZDI) represents 
a best-of-breed model for rewarding security researchers for responsibly
disclosing discovered vulnerabilities.

Researchers interested in getting paid for their security research
through the ZDI can find more information and sign-up at:

http://www.zerodayinitiative.com

The ZDI is unique in how the acquired vulnerability information is
used. TippingPoint does not re-sell the vulnerability details or any
exploit code. Instead, upon notifying the affected product vendor,
TippingPoint provides its customers with zero day protection through
its intrusion prevention technology. Explicit details regarding the
specifics of the vulnerability are not exposed to any parties until
an official vendor patch is publicly available. Furthermore, with the
altruistic aim of helping to secure a broader user base, TippingPoint
provides this vulnerability information confidentially to security
vendors (including competitors) who have a vulnerability protection or
mitigation product.

Our vulnerability disclosure policy is available online at:

http://www.zerodayinitiative.com/advisories/disclosure_policy/

Follow the ZDI on Twitter:

http://twitter.com/thezdi

[DSecRG-09-053] VMware Remote Console - format string

2010-04-15 Thread Alexandr Polyakov

Digital Security Research Group [DSecRG] Advisory   DSECRG-09-053


Application:VMware Remote Console
Version:e.x.p build-158248
Vendor URL: http://vmware.com
Bugs:   Format String Vulnerabilities
Exploits:   YES (PoC)
Reported:   07.08.2009
Vendor response:13.08.2009
Date of Public Advisory:09.04.2010
CVE:CVE-2009-3732
VSA:VMSA-2010-0007
Authors:Alexey Sintsov of 
Digital Security Research Group [DSecRG] 
(research [at] dsecrg [dot] com)

Description


VMware Remote Console Plug-in can be installed from the web
interface of VMware vSphere. This software consists of ActiveX
objects and executable files for the remote console of a guest OS.
VMrc is vulnerable to format string attacks. Exploitation of this issue
may lead to arbitrary code execution on the system where VMrc is installed.


Details
***
Details on official advisory  http://dsecrg.com/pages/vul/show.php?id=153

References
**

http://dsecrg.com/pages/vul/show.php?id=153
http://lists.vmware.com/pipermail/security-announce/2010/90.html

About
*

Digital Security is a leading IT security company in Russia,
providing information security consulting, audit and penetration
testing services, risk analysis and ISMS-related services and 
certification for ISO/IEC 27001:2005, PCI DSS and PA-DSS standards.
Digital Security Research Group focuses on web application and database
security problems with vulnerability reports, advisories and whitepapers
posted regularly on our website.


Contact:research [at] dsecrg [dot] com
http://www.dsecrg.com 







Polyakov Alexandr. PCI QSA, PA-QSA.
Head of security audit department
Head of Digital Security Research Group
__
DIGITAL SECURITY
phone:  +7 812 703 1547
+7 812 430 9130
e-mail: a.polya...@dsec.ru  
www.dsec.ru
www.dsecrg.com
www.pcidss.ru


---
This message and any attachment are confidential and may be privileged or
otherwise protected from disclosure. If you are not the intended recipient any
use, distribution, copying or disclosure is strictly prohibited. If you have
received this message in error, please notify the sender immediately either by
telephone or by e-mail and delete this message and any attachment from your
system. Correspondence via e-mail is for information purposes only. Digital
Security neither makes nor accepts legally binding statements by e-mail unless
otherwise agreed.
---



[DSECRG-09-049] IBM BladeCenter Management Module - DoS vulnerability

2010-04-15 Thread Alexandr Polyakov


Digital Security Research Group [DSecRG] Advisory   #DSECRG-09-049


Application: IBM BladeCenter Management Module
Versions Affected:   before BPET50G 
Vendor URL:  http://www-03.ibm.com/systems/bladecenter/
Bug: DoS
Exploits:YES
Reported:24.07.2009
Vendor response: 26.07.2009
Date of Public Advisory: 15.04.2010
Solution:YES
Author:  Alexey Sintsov 
 of Digital Security Research Group [DSecRG]


Description
***

The BladeCenter management module is a hot-swappable hardware device plugged
into the BladeCenter chassis management bay. The management module functions
as a system-management processor (service processor) and keyboard, video, and
mouse (KVM) multiplexor for blade servers. This device can be remotely rebooted.

Details
***

Details in official Advisory http://dsecrg.com/pages/vul/show.php?id=149

Solution


The issue has been fixed in AMM firmware version bpet50g and later.

References
*

http://dsecrg.com/pages/vul/show.php?id=149
http://www-947.ibm.com/systems/support/supportsite.wss/docdisplay?lndocid=MIGR-5083945&brandind=520

About
*

Digital Security is a leading IT security company in Russia,
providing information security consulting, audit and penetration
testing services, risk analysis and ISMS-related services and
certification for ISO/IEC 27001:2005 and PCI DSS and PA DSS standards.
Digital Security Research Group focuses on web application and database
security problems with vulnerability reports, advisories and whitepapers
posted regularly on our website.


Contact: research [at] dsecrg [dot] com
http://www.dsecrg.com 





Vulnerability in CB Captcha for Joomla and Mambo

2010-04-15 Thread MustLive

Hello Bugtraq!

I want to warn you about a security vulnerability in the plugin CB Captcha
(plug_cbcaptcha) for the component Community Builder (com_comprofiler) for
Joomla and Mambo. The posting of this advisory to mailing lists was delayed
because I found that there are two different vulnerable versions of the plugin
developed by different authors, so I needed to inform all the authors.

-
Advisory: Vulnerability in CB Captcha for Joomla and Mambo
-
URL: http://websecurity.com.ua/4087/
-
Affected products: CB Captcha 1.0.2 and previous versions (developed by
Kotofeich), CB Captcha 2.2 and previous versions (developed by Beat).
-
Timeline:
17.03.2010 - found vulnerability.
31.03.2010 - disclosed at my site.
01.04.2010 - informed the developer of CB Captcha 1.x. Because I found another
version of the plugin by another author, after checking it later I
informed the author of CB Captcha 2.x.
13.04.2010 - additionally informed developers of Community Builder (both
joomlapolis.com and communitybuilder.ru).
-
Details:

This is an Insufficient Anti-automation vulnerability.

This plugin is based on the captcha script CaptchaSecurityImages.php, and I
have already reported vulnerabilities in CaptchaSecurityImages
(http://websecurity.com.ua/4043/). In the plugin plug_cbcaptcha all
Insufficient Anti-automation and Denial of Service vulnerabilities from the
original script were fixed, except one.

Insufficient Anti-automation:

In the plugin it's possible to bypass the captcha using the session reuse
with constant captcha bypass method (http://websecurity.com.ua/1551/), which
was described in the project Month of Bugs in Captchas. With this
method it's possible to bypass the protection by sending the same captcha
code.

It can be done on all pages where this plugin is used. In CB Captcha 1.x
it's used on the registration page, lost password form and lost email form. In
CB Captcha 2.x, in addition to the before-mentioned forms, it's used on the
contact form (in the presence of the component CB Contact 1.1) and the login
form (in the presence of the login module of CB 1.2).

PoC:

The PoC for this Insufficient Anti-automation vulnerability was provided to
the developers. Everyone who wants can create such a PoC from the exploit
provided in the above-mentioned article from the MoBiC project.

Best wishes & regards,
MustLive
Administrator of Websecurity web site
http://websecurity.com.ua
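
The "session reuse with constant captcha" weakness described in the post above, shown as an added example that is not MustLive's code nor the CB Captcha plugin's: a checker that leaves the solved code in the session lets one solved challenge validate every later submission, while a checker that consumes the stored code on the first attempt and expires it forces a fresh challenge each time. The session dictionary, code alphabet and lifetime are assumptions made for the demonstration.

```python
"""Single-use, session-bound CAPTCHA verification versus the replayable kind.

Added example; not the plugin's code. `verify_weak` models the defect the
advisory describes (the stored code is never cleared), `verify_hardened` the
fix: the code is removed on every attempt, right or wrong, and has a lifetime.
"""
import hmac
import secrets
import string
import time

ALPHABET = string.ascii_uppercase + string.digits
CAPTCHA_TTL_SECONDS = 300  # assumed lifetime of one challenge


def new_challenge(session: dict, length: int = 6) -> str:
    """Generate a fresh code, bind it to the session and return it for rendering."""
    code = "".join(secrets.choice(ALPHABET) for _ in range(length))
    session["captcha_code"] = code
    session["captcha_issued"] = time.time()
    return code


def verify_weak(session: dict, submitted: str) -> bool:
    """Vulnerable pattern: compares against the stored code but never clears it,
    so a client can keep resending the one code it solved."""
    expected = session.get("captcha_code")
    return expected is not None and submitted == expected


def verify_hardened(session: dict, submitted: str, now=None) -> bool:
    """Single-use check: the stored code is consumed on every attempt and must
    still be within its lifetime. A wrong answer also discards the challenge,
    so guessing does not get unlimited tries against one image."""
    now = time.time() if now is None else now
    expected = session.pop("captcha_code", None)
    issued = session.pop("captcha_issued", None)
    if expected is None or issued is None:
        return False
    if now - issued > CAPTCHA_TTL_SECONDS:
        return False
    # constant-time comparison so the code does not leak through timing
    return hmac.compare_digest(submitted.encode(), expected.encode())


def replay_attempts(verify, attempts: int = 5) -> int:
    """Solve one challenge, resend the same code `attempts` times and count
    how many submissions the given checker accepts."""
    session = {}
    code = new_challenge(session)
    return sum(1 for _ in range(attempts) if verify(session, code))


if __name__ == "__main__":
    print("weak checker accepted:", replay_attempts(verify_weak), "of 5")
    print("hardened checker accepted:", replay_attempts(verify_hardened), "of 5")
```

Regenerating the challenge after each check is the part that closes the bypass; the lifetime and constant-time comparison are the usual companions, and the same pattern applies to every form the advisory lists (registration, lost password, lost email, contact, login).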



Cisco Security Advisory: Cisco Secure Desktop ActiveX Control Code Execution Vulnerability

2010-04-15 Thread Cisco Systems Product Security Incident Response Team
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

Cisco Security Advisory: Cisco Secure Desktop ActiveX Control Code
Execution Vulnerability

Advisory ID: cisco-sa-20100414-csd

Revision 1.0

+-

Summary
===

Cisco Secure Desktop contains a vulnerable ActiveX control that could
allow an attacker to execute arbitrary code with the privileges of
the user who is currently logged into the affected system. Cisco has
released a free software update that addresses this vulnerability.
There is a workaround that mitigates this vulnerability.

This advisory is posted at:

http://www.cisco.com/warp/public/707/cisco-sa-20100414-csd.shtml

Affected Products
=

Vulnerable Products
+--

Cisco Secure Desktop versions prior to 3.5.841 are affected.

Products Confirmed Not Vulnerable
+

No other Cisco products are currently known to be affected by this
vulnerability.

Details
===

A Cisco-signed ActiveX control that is used by Cisco Secure Desktop
fails to properly verify the integrity of an executable file that is
used by the Cisco Secure Desktop installation process. If an attacker
can entice a user to visit an attacker controlled web page, the
vulnerable ActiveX control could be invoked to download an
attacker-modified package. The package could contain a malicious
executable file that executes with the privileges of the affected
user. A successful exploit could result in a complete compromise of a
vulnerable system. This vulnerability is documented in Cisco Bug ID 
CSCta25876 and has been assigned the Common Vulnerabilities and
Exposures (CVE) ID CVE-2010-0589.

Vulnerability Scoring Details
=

Cisco has provided scores for the vulnerabilities in this advisory
based on the Common Vulnerability Scoring System (CVSS). The CVSS
scoring in this Security Advisory is done in accordance with CVSS
version 2.0.

CVSS is a standards-based scoring method that conveys vulnerability
severity and helps determine urgency and priority of response.

Cisco has provided a base and temporal score. Customers can then
compute environmental scores to assist in determining the impact of
the vulnerability in individual networks.

Cisco has provided an FAQ to answer additional questions regarding
CVSS at:

http://www.cisco.com/web/about/security/intelligence/cvss-qandas.html

Cisco has also provided a CVSS calculator to help compute the
environmental impact for individual networks at:

http://intellishield.cisco.com/security/alertmanager/cvss

CSCta25876

CVSS Base Score - 9.3

Access Vector   - Network
Access Complexity   - Medium
Authentication  - None
Confidentiality Impact  - Complete
Integrity Impact- Complete
Availability Impact - Complete

CVSS Temporal Score - 7.7

Exploitability  - Functional
Remediation Level   - Official-Fix
Report Confidence   - Confirmed

Impact
======

Successful exploitation of this vulnerability could result in a
complete compromise of the affected system.

Software Versions and Fixes
===========================

When considering software upgrades, also consult
http://www.cisco.com/go/psirt and any subsequent advisories to
determine exposure and a complete upgrade solution.

In all cases, customers should exercise caution to be certain the
devices to be upgraded contain sufficient memory and that current
hardware and software configurations will continue to be supported
properly by the new release. If the information is not clear, contact
the Cisco Technical Assistance Center (TAC) or your contracted
maintenance provider for assistance.

Cisco Secure Desktop version 3.5.841 can be downloaded at the
following link:

http://tools.cisco.com/support/downloads/go/ImageList.x?relVer=3.5.841mdfid=280277835sftType=CSD+package-+ASA+DistributionoptPlat=nodecount=2edesignator=nullmodelName=Cisco+Secure+DesktoptreeMdfId=268438162treeName=Securitymodifmdfid=nullimname=hybrid=imst=lr=Y

Note: Cisco Secure Desktop versions 3.0 and 3.1 are only supported
for operation with certain versions of Cisco IOS software and Cisco
Adaptive Security Appliance (ASA) software version 7.x. Cisco Secure
Desktop versions 3.2 through 3.5 are only supported for operation
with Cisco ASA software version 8.x. Customers running Cisco Secure
Desktop versions 3.2 through 3.5 with a supported Cisco ASA software
version are encouraged to upgrade to Cisco Secure Desktop version
3.5.841.

Customers with active software licenses for Cisco Secure Desktop
versions 3.0 and 3.1 should send email to the following address for
instructions on migrating to non-vulnerable software:

csd-activex-inqu...@cisco.com

Workarounds
===========

Administrators can mitigate this vulnerability by using the kill bit
feature of Microsoft Windows to prevent the loading and execution of
the vulnerable ActiveX control. Administrators must use the Class
identifier 

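The scoring section above gives only the base and temporal results and leaves the environmental score to the reader. The following is an added example (not Cisco's calculator) that applies the CVSS v2.0 formulas to the metrics printed for CSCta25876 and then carries them through to an environmental score for a constructed network profile; the metric weights are those of the CVSS v2.0 specification.

```python
"""CVSS v2.0 base, temporal and environmental scoring, worked on the
metrics Cisco published for CSCta25876. Added example; the weights are
from the CVSS v2.0 specification, not from Cisco's calculator."""
from decimal import Decimal, ROUND_HALF_UP

AV = {"L": 0.395, "A": 0.646, "N": 1.0}          # Access Vector
AC = {"H": 0.35, "M": 0.61, "L": 0.71}           # Access Complexity
AU = {"M": 0.45, "S": 0.56, "N": 0.704}          # Authentication
CIA = {"N": 0.0, "P": 0.275, "C": 0.660}         # C/I/A impact
E = {"U": 0.85, "POC": 0.9, "F": 0.95, "H": 1.0, "ND": 1.0}
RL = {"OF": 0.87, "TF": 0.90, "W": 0.95, "U": 1.0, "ND": 1.0}
RC = {"UC": 0.90, "UR": 0.95, "C": 1.0, "ND": 1.0}
CDP = {"N": 0.0, "L": 0.1, "LM": 0.3, "MH": 0.4, "H": 0.5, "ND": 0.0}
TD = {"N": 0.0, "L": 0.25, "M": 0.75, "H": 1.0, "ND": 1.0}
REQ = {"L": 0.5, "M": 1.0, "H": 1.51, "ND": 1.0}  # CR / IR / AR

# Vectors as printed in the advisory's scoring table for CSCta25876.
CISCO_BASE = "AV:N/AC:M/Au:N/C:C/I:C/A:C"
CISCO_TEMPORAL = "E:F/RL:OF/RC:C"

def round1(x):
    """round_to_1_decimal from the spec: half up, not Python's banker's rounding."""
    return float(Decimal(repr(x)).quantize(Decimal("0.1"), rounding=ROUND_HALF_UP))

def parse(vector):
    return dict(part.split(":") for part in vector.split("/"))

def base_score(base_vec, impact=None):
    """BaseScore; a caller may pass AdjustedImpact for the environmental formula."""
    m = parse(base_vec)
    if impact is None:
        impact = 10.41 * (1 - (1 - CIA[m["C"]]) * (1 - CIA[m["I"]]) * (1 - CIA[m["A"]]))
    exploitability = 20 * AV[m["AV"]] * AC[m["AC"]] * AU[m["Au"]]
    f_impact = 0.0 if impact == 0 else 1.176
    return round1((0.6 * impact + 0.4 * exploitability - 1.5) * f_impact)

def temporal_score(base_vec, temp_vec, impact=None):
    m = parse(temp_vec)
    return round1(base_score(base_vec, impact) * E[m["E"]] * RL[m["RL"]] * RC[m["RC"]])

def environmental_score(base_vec, temp_vec, env_vec):
    """What a customer computes for their own network (CDP, TD, CR/IR/AR)."""
    b, m = parse(base_vec), parse(env_vec)
    adjusted_impact = min(10.0, 10.41 * (1 - (1 - CIA[b["C"]] * REQ[m["CR"]])
                                           * (1 - CIA[b["I"]] * REQ[m["IR"]])
                                           * (1 - CIA[b["A"]] * REQ[m["AR"]])))
    adjusted_temporal = temporal_score(base_vec, temp_vec, adjusted_impact)
    return round1((adjusted_temporal + (10 - adjusted_temporal) * CDP[m["CDP"]]) * TD[m["TD"]])

if __name__ == "__main__":
    print(base_score(CISCO_BASE), temporal_score(CISCO_BASE, CISCO_TEMPORAL))  # 9.3 7.7
    # Constructed environment: high C/I/A requirements, low collateral damage,
    # medium target distribution.
    print(environmental_score(CISCO_BASE, CISCO_TEMPORAL, "CDP:L/TD:M/CR:H/IR:H/AR:H"))  # 5.9
```
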
[CVE-2010-0432] Apache OFBiz Multiple XSS Vulnerabilities

2010-04-15 Thread Jacopo Cappellato
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

   Bonsai Information Security - Advisory
 http://www.bonsai-sec.com/research/

   Multiple XSS in Apache OFBiz

1. *Advisory Information*

Title: Multiple XSS in Apache OFBiz
Advisory ID: BONSAI-2010-0103
Advisory URL: 
http://www.bonsai-sec.com/research/vulnerabilities/apacheofbiz-multiple-xss-0103.php
Date published: 2010-04-14
Vendors contacted: Apache Software Foundation
Release mode: Coordinated release


2. *Vulnerability Information*

Class: Multiple Cross Site Scripting (XSS)
Remotely Exploitable: Yes
Locally Exploitable: Yes
CVE Name: CVE-2010-0432


3. *Software Description*

Apache Open For Business (Apache OFBiz) is a community-driven 
Open Source Enterprise Resource Planning (ERP) system. 
It provides a suite of enterprise applications that integrate 
and automate many of the business processes of an enterprise. 
Apache OFBiz is a foundation and starting point for reliable, 
secure and scalable enterprise solutions.
OFBiz is an Apache Software Foundation top level project. 


4. *Vulnerability Description*

Cross-Site Scripting attacks are a type of injection problem, in which 
malicious scripts are injected into the otherwise benign and trusted web sites.
Cross-site scripting (XSS) attacks occur when an attacker uses a web 
application to send malicious code, generally in the form of a browser side 
script, to a different end user. Flaws that allow these attacks to succeed are
quite widespread and occur anywhere a web application uses input from a user
in the output it generates without validating or encoding it. 

This vulnerability can be exploited to force a logged in Administrator
to run arbitrary SQL commands [3] or create a new user with Full Privileges [4].
You can find customized XSS PoC payloads here.

For additional information and a demonstrative video, please read [1] and [2].


5. *Vulnerable packages*

Apache OFBiz:
- Stable Version = 9.04
- SVN Revision =  920371
- Release Branch Candidate 4.0 Revision = 920381

Products based on Apache OFBiz:
- Opentaps Version = 1.4
- Neogia Version =  1.0
- Entente Oya Version = 1.6

Since there are more products based on Apache OFBiz, these vulnerabilities
reside in some of them but this is unconfirmed. Check [2] for updates.


6. *Mitigation*

SVN Trunk users should update to at least revision 920372
from svn or apply the following patches [5].
Release Branch Candidate 09.04 users should update to at least revision 920382
from svn or apply the following patches [6].
Apache Software Foundation developers informed us that all users should 
upgrade to the latest version of Apache OFBiz, which fixes this vulnerability. 
More information to be found here:

http://ofbiz.apache.org


7. *Credits*

These vulnerabilities were discovered by Lucas Apa (lucas -at- bonsai-sec.com).


8. *Technical Description*

8.1 A Reflected Cross Site Scripting vulnerability was found in the 
productStoreId variable within the 'Export Product Listing' section.
When rendering menu widget item links of type hidden-form, the hidden
input value attributes were not being html encoded. In many cases these 
hidden input values are derived from request parameters and could be used 
in a Reflected Cross-Site Scripting attack.

For a page that contains a menu widget with the following menu item definition:
<menu-item name="ebayExportAllCategoryToEbayStore"
    title="${uiLabelMap.EbayExportAllCategoryToEbayStore}">
  <link target="exportCategoryEbayStore">
    <parameter param-name="productStoreId"
        value="${parameters.productStoreId}"/>
  </link>
</menu-item>

The vulnerability can be triggered by clicking on the 
following URL:

https://www.ofbiz-example.com/ebaystore/control/exportProductListing?productStoreId=90100;
style=width:100%25;height:100%25;display:block;position:absolute;top:0px;left:0px
onMouseOver=alert(document.cookie)


8.2 A Reflected Cross Site Scripting vulnerability was found in the 
partyId variable within the 'View Profile' section.
This is because the application does not properly sanitise
the users input. The vulnerability can be triggered by clicking on the 
following URL:

https://www.ofbiz-example.com/partymgr/control/viewprofile?partyId=aa;
style=width:100%25;height:100%25;display:block;position:absolute;top:0px;left:0px
onMouseOver=alert(document.cookie)

https://www.neogia-example.com/partymgr/control/login;partyId=aa;
style=width:100%25;height:100%25;display:block;position:absolute;top:0px;left:0px
onMouseOver=alert(document.cookie)

https://www.opentaps-example.com/partymgr/control/viewprofile?partyId=aa;
style=width:100%25;height:100%25;display:block;position:absolute;top:0px;left:0px
onMouseOver=alert(document.cookie)


8.3 A Reflected Cross Site Scripting vulnerability was found in the 
start variable within the 'Show Portal Page' section.
During page rendering, if a FreeMarker TemplateException is thrown 
then the stack trace is printed directly into the 

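The defect described in 8.1, shown as an added example in Python rather than OFBiz's own Java widget renderer: the hidden input rendered with the raw request value beside the same input rendered with HTML attribute encoding, plus a parser check a defender can use to confirm the value stays inside its attribute. The tainted value is constructed to the shape of the PoC above.

```python
"""Hidden-form input rendering: raw request value in the attribute (the
defect in 8.1) beside the HTML-encoded form. Added example; the template
string and the tainted value are constructed, not OFBiz code."""
import html
from html.parser import HTMLParser

# Constructed request parameter in the shape of the advisory's PoC.
TAINTED_STORE_ID = '90100" onmouseover="alert(document.cookie)'

def render_hidden_input_unencoded(name, value):
    """Vulnerable: the request parameter is interpolated as-is, so a
    double quote in it terminates the value attribute early."""
    return '<input type="hidden" name="%s" value="%s"/>' % (name, value)

def render_hidden_input(name, value):
    """Fixed: html.escape(quote=True) encodes & < > " ' so the value can
    neither close the attribute nor introduce a new one."""
    return '<input type="hidden" name="%s" value="%s"/>' % (
        html.escape(name, quote=True), html.escape(value, quote=True))

class _InputAttrs(HTMLParser):
    """Collects the attributes of the first <input> tag, as a browser would see them."""
    def __init__(self):
        super().__init__()
        self.attrs = {}
    def handle_starttag(self, tag, attrs):
        if tag == "input" and not self.attrs:
            self.attrs = dict(attrs)

def parsed_attributes(markup):
    """Return the attributes a browser's parser derives from the rendered tag."""
    p = _InputAttrs()
    p.feed(markup)
    p.close()
    return p.attrs

def has_event_handler(markup):
    """Detection check: does the rendered tag carry any on* attribute?"""
    return any(k.startswith("on") for k in parsed_attributes(markup))

if __name__ == "__main__":
    print(render_hidden_input_unencoded("productStoreId", TAINTED_STORE_ID))
    print(render_hidden_input("productStoreId", TAINTED_STORE_ID))
```
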
Nucleus CMS v.3.51 (DIR_LIBS) Multiple Vulnerability

2010-04-15 Thread eidelweiss
Vulnerability: Nucleus v3.51 (other or lower versions may also be affected)

Vendor: http://nucleuscms.org/

Category: Input Validation Error

Impact: (rfi/lfi) Multiple Vulnerability

Details:

Multiple vulnerabilities have been found in Nucleus v3.51 because it fails to
sufficiently sanitize user-supplied data.

Exploiting these issues may allow an attacker to compromise the application and
the computer; other attacks are also possible.

Nucleus v3.51 and prior versions are vulnerable.

P0C:

The following example URIs are available:

Http://127.0.0.1/[path_to_nucleus]/action.php?DIR_LIBS=[inj3ct0r sh3ll]

Http://127.0.0.1/[path_to_nucleus]/nucleus/xmlrpc/server.php?DIR_LIBS=[inj3ct0r sh3ll]

Http://127.0.0.1/[path_to_nucleus]/nucleus/plugins/skinfiles/index.php?DIR_LIBS=../../../var/log/httpd/access_log%00


ZDI-10-076: Apple Preview libFontParser SpecialEncoding Remote Code Execution Vulnerability

2010-04-15 Thread ZDI Disclosures
ZDI-10-076: Apple Preview libFontParser SpecialEncoding Remote Code Execution Vulnerability
http://www.zerodayinitiative.com/advisories/ZDI-10-076
April 14, 2010

-- CVE ID:
CVE-2010-1120

-- Affected Vendors:
Apple

-- Affected Products:
Apple Preview

-- TippingPoint(TM) IPS Customer Protection:
TippingPoint IPS customers have been protected against this
vulnerability by Digital Vaccine protection filter ID 9686. 
For further product information on the TippingPoint IPS, visit:

http://www.tippingpoint.com

-- Vulnerability Details:
This vulnerability allows remote attackers to execute arbitrary code on
vulnerable installations of Apple Preview. User interaction is required
in that a target must open a malicious file or visit a malicious page.

The specific flaw exists within the routine
TType1ParsingContext::SpecialEncoding() defined in libFontParser.dylib.
While parsing glyphs from a PDF document, a malformed offset greater
than 0x400 can result in a heap corruption which can be leveraged by an
attacker to execute arbitrary code under the context of the current
user.

-- Vendor Response:
Apple has issued an update to correct this vulnerability. More
details can be found at:

http://support.apple.com/kb/HT4131

-- Disclosure Timeline:
2010-03-26 - Vulnerability reported to vendor
2010-04-14 - Coordinated public release of advisory

-- Credit:
This vulnerability was discovered by:
* Charlie Miller

-- About the Zero Day Initiative (ZDI):
Established by TippingPoint, The Zero Day Initiative (ZDI) represents 
a best-of-breed model for rewarding security researchers for responsibly
disclosing discovered vulnerabilities.

Researchers interested in getting paid for their security research
through the ZDI can find more information and sign-up at:

http://www.zerodayinitiative.com

The ZDI is unique in how the acquired vulnerability information is
used. TippingPoint does not re-sell the vulnerability details or any
exploit code. Instead, upon notifying the affected product vendor,
TippingPoint provides its customers with zero day protection through
its intrusion prevention technology. Explicit details regarding the
specifics of the vulnerability are not exposed to any parties until
an official vendor patch is publicly available. Furthermore, with the
altruistic aim of helping to secure a broader user base, TippingPoint
provides this vulnerability information confidentially to security
vendors (including competitors) who have a vulnerability protection or
mitigation product.

Our vulnerability disclosure policy is available online at:

http://www.zerodayinitiative.com/advisories/disclosure_policy/

Follow the ZDI on Twitter:

http://twitter.com/thezdi