Re: Windows XP TCP/IP Stack Security Issue (ARP for non RFC 1918 addresses)
Hasn't XP always sent out ARP on non-assignment (and 2k)? And 1918 is a straight grab when unassigned. I don't see a security issue here; you might want to expand on the issue.

--Original Message--
From: wbors...@gmail.com
To: bugtraq@securityfocus.com
Subject: Windows XP TCP/IP Stack Security Issue (ARP for non RFC 1918 addresses)
Sent: Apr 24, 2010 9:15 PM

> After putting the port my WAP is plugged into in a bridge group (Cisco 2600) and rejecting traffic at layer two from an XP machine, I noticed some odd and insecure behavior. At this point I can only assume what is causing it. After adding the MAC of a machine with active TCP/IP sockets to public IP addresses, an odd thing happened. Instead of sending out DNS requests to resolve the hosts, the XP machine started sending ARP requests, but ARP requests for public IP addresses! For example, it sent out ARP requests like "Who has 74.125.159.103". And not just once! The XP machine was using a self-assigned 169.254 address, because the bridge group discard rule was discarding its traffic at layer 2. But somehow, I guess because it had open sockets to public IP addresses, it tried to ARP for those addresses to discover what network it was on and where to send the packets. This is extremely dangerous for obvious reasons.

Sent via BlackBerry from T-Mobile
Windows XP TCP/IP Stack Security Issue (ARP for non RFC 1918 addresses)
After putting the port my WAP is plugged into in a bridge group (Cisco 2600) and rejecting traffic at layer two from an XP machine, I noticed some odd and insecure behavior. At this point I can only assume what is causing it. After adding the MAC of a machine with active TCP/IP sockets to public IP addresses, an odd thing happened. Instead of sending out DNS requests to resolve the hosts, the XP machine started sending ARP requests, but ARP requests for public IP addresses! For example, it sent out ARP requests like "Who has 74.125.159.103". And not just once! The XP machine was using a self-assigned 169.254 address, because the bridge group discard rule was discarding its traffic at layer 2. But somehow, I guess because it had open sockets to public IP addresses, it tried to ARP for those addresses to discover what network it was on and where to send the packets. This is extremely dangerous for obvious reasons.
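The behaviour reported above (a host with a link-local 169.254 address ARPing for public addresses, repeatedly) is something a sniffer on the segment can flag mechanically: an ARP request whose target lies outside the requester's own subnet is off-link and should have gone to a gateway instead. The script below is an added example, not code from the original post; the ARP records are constructed, and the /24 prefix assumed for every sender is an assumption a real tool would replace with per-interface configuration.

```python
import ipaddress
from collections import Counter

# Constructed ARP "who-has" records, not a capture from the poster's network.
# Each entry is the sender and target protocol address a sniffer would decode
# from an ARP request frame.
SAMPLE_ARP_REQUESTS = [
    {"sender_ip": "169.254.23.17", "target_ip": "74.125.159.103"},  # APIPA host asking for a public address
    {"sender_ip": "169.254.23.17", "target_ip": "74.125.159.103"},  # ... and again
    {"sender_ip": "169.254.23.17", "target_ip": "169.254.23.200"},  # neighbour on the same link: fine
    {"sender_ip": "192.168.1.50", "target_ip": "192.168.1.1"},      # ordinary request for the LAN gateway
    {"sender_ip": "192.168.1.50", "target_ip": "8.8.8.8"},          # LAN host ARPing for a public address
    {"sender_ip": "10.0.0.5", "target_ip": "10.0.3.7"},             # private, but outside the sender's /24
]

# Assumption: every sender sits on a /24. A real tool would look the prefix up
# per interface or per VLAN instead of using one constant.
ASSUMED_PREFIX_LEN = 24


def is_off_link_arp(sender_ip, target_ip, prefix_len=ASSUMED_PREFIX_LEN):
    """True when the target is outside the sender's own subnet.

    A host should never ARP for an off-link address; it should ARP for its
    gateway and hand the packet to it. A host with no usable gateway (the APIPA
    case in the report) that ARPs for public addresses is either misconfigured
    or leaking which remote hosts it is trying to reach onto the LAN."""
    sender = ipaddress.ip_address(sender_ip)
    target = ipaddress.ip_address(target_ip)
    local_net = ipaddress.ip_network(f"{sender}/{prefix_len}", strict=False)
    return target not in local_net


def classify_target(target_ip):
    """Label the requested address. Link-local is tested before private
    because the ipaddress module counts 169.254.0.0/16 as private too."""
    t = ipaddress.ip_address(target_ip)
    if t.is_link_local:
        return "link-local"
    if t.is_private:
        return "rfc1918"
    return "public"


def find_off_link_requests(requests, prefix_len=ASSUMED_PREFIX_LEN):
    """One finding per distinct off-link (sender, target) pair, with a count
    so the 'not just once' pattern from the report is visible."""
    counts = Counter(
        (r["sender_ip"], r["target_ip"])
        for r in requests
        if is_off_link_arp(r["sender_ip"], r["target_ip"], prefix_len)
    )
    return [
        {"sender_ip": s, "target_ip": t, "target_class": classify_target(t), "count": n}
        for (s, t), n in counts.items()
    ]


if __name__ == "__main__":
    for f in find_off_link_requests(SAMPLE_ARP_REQUESTS):
        print(f"{f['sender_ip']} asked who-has {f['target_ip']} ({f['target_class']}) x{f['count']}")
```

Feeding real frames in is a matter of replacing SAMPLE_ARP_REQUESTS with the sender/target fields from an ARP decoder; the classification itself does not change.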
New vulnerabilities in CMS SiteLogic
On 26 April 2010 16:16, MustLive wrote:
> It's not a problem for serious hackers. Even those commands which are allowed on
> an average server are enough for many things ;-).

So what? A SQL injection vulnerability may also be used to write a file on the system to execute commands, but it isn't a remote command execution vulnerability. Yours is not a command execution vulnerability because there is no injection into a command execution function, such as system(). If you can upload a file not allowed by the vulnerable script, you can then upload a malicious file that can be used to execute commands or other operations on the target server, but it isn't a direct command execution vulnerability, understand? Mine is only a clarification.

--
Salvatore Fresta aka Drosophila
http://www.salvatorefresta.net
CWNP444351
Re: New vulnerabilities in CMS SiteLogic
Hello Salvatore!

> with very very low risk (you need to know the access to the control panel).

I agree with you that it's not a vulnerability with very high risk, but its risk is not as low as you said. Because I have no such risk value as "very very low" (my minimum value is low, aka "1/5"), and for this kind of vulnerability (which allows code execution for authenticated users) I always give a risk value of moderate (aka "2/5"). Because there is a risk for a site. And taking into account all those holes in CMS SiteLogic which I reported to security mailing lists, which easily allow gaining access to the admin panel, the risk of this vulnerability is even higher (in combination with other vulnerabilities).

> Many web hosting providers don't allow a user to execute commands

It's not a problem for serious hackers. Even those commands which are allowed on an average server are enough for many things ;-).

> This is not a command execution vulnerability but an arbitrary file upload

I called this type of vulnerability Command Execution (as a vulnerability which belongs to the Command Execution category in WASC TC v.1; the OS Commanding (WASC-31) class in WASC TC can also be used), because arbitrary file uploading leads to code execution. Only in the case where uploading of scripts is not allowed, only other files, do I use the term Arbitrary File Upload (which belongs to the Abuse of Functionality (WASC-42) class in WASC TC). There is no "Arbitrary File Upload" class, neither in WASC TC v.1 nor in TC v.2. And in my work I'm using only WASC TC v.1 and TC v.2.

Best wishes & regards,
MustLive
Administrator of Websecurity web site
http://websecurity.com.ua

- Original Message -
From: "Salvatore Fresta aka Drosophila"
To: "MustLive" ; "Bugtraq"
Sent: Monday, April 19, 2010 10:12 PM
Subject: Re: [Suspected Spam]New vulnerabilities in CMS SiteLogic

> 2010/4/18 MustLive :
> > Command Execution: It's possible to upload arbitrary files (shell upload) via module "Banner system" in admin panel.
>
> This is not a command execution vulnerability but an arbitrary file upload vulnerability with very very low risk (you need to know the access to the control panel). Many web hosting providers don't allow a user to execute commands using the classic functions, such as system, shell_execute and others.
>
> --
> Salvatore Fresta aka Drosophila
> http://www.salvatorefresta.net
> CWNP444351
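Whatever label the two posters settle on, the practical distinction they are arguing about is whether the upload handler lets a file the web server will execute reach the document root. The validator below is an added example, not code from CMS SiteLogic or from either poster; the script-extension list is an Apache/PHP-style assumption and the allowed image types are a guess at what a banner module needs. It shows the checks an upload path needs (no path separators or NUL bytes, no script extension anywhere in the name, content magic that matches the extension) and, deliberately, the one thing the magic check does not catch: a GIF/PHP polyglot, which is harmless only because the name check keeps it from ever being handed to the interpreter.

```python
import os

# Extensions a typical Apache/PHP setup hands to an interpreter. Illustrative
# assumption, not a list taken from CMS SiteLogic.
SCRIPT_EXTENSIONS = {
    "php", "php3", "php4", "php5", "phtml", "phar", "phps",
    "asp", "aspx", "jsp", "cgi", "pl", "py", "sh", "htaccess",
}
# What a banner module plausibly needs to accept (assumption).
ALLOWED_EXTENSIONS = {"gif", "jpg", "jpeg", "png"}

# Magic bytes for the allowed types, used as a second, independent check.
IMAGE_MAGIC = {
    b"GIF87a": "gif",
    b"GIF89a": "gif",
    b"\x89PNG\r\n\x1a\n": "png",
    b"\xff\xd8\xff": "jpeg",
}


def is_safe_upload_name(filename):
    """Allowlist check on the client-supplied name.

    Rejects path separators and NUL bytes (directory escape / name
    truncation), dotfiles such as .htaccess, names without an extension, and
    any name carrying a script extension anywhere in it, so that shell.php,
    shell.php.jpg and shell.jpg.php are all refused."""
    if "\x00" in filename or "/" in filename or "\\" in filename:
        return False
    base = os.path.basename(filename)
    if base in ("", ".", "..") or base.startswith("."):
        return False
    parts = base.lower().split(".")
    if len(parts) < 2 or not all(parts):
        return False
    exts = parts[1:]
    if any(e in SCRIPT_EXTENSIONS for e in exts):
        return False
    return exts[-1] in ALLOWED_EXTENSIONS


def sniff_image_type(data):
    """Return the image type implied by the leading bytes, or None."""
    for magic, kind in IMAGE_MAGIC.items():
        if data.startswith(magic):
            return kind
    return None


def accept_upload(filename, data):
    """Accept only when the name passes the allowlist AND the content's magic
    bytes agree with the extension. Note what this does not do: a polyglot
    'GIF89a<?php ...' still passes, which is why the name check (no .php
    anywhere) is the control that actually prevents execution; the magic
    check only stops plain non-image content."""
    if not is_safe_upload_name(filename):
        return False
    kind = sniff_image_type(data)
    if kind is None:
        return False
    ext = filename.lower().rsplit(".", 1)[1]
    if ext == "jpg":
        ext = "jpeg"
    return kind == ext
```

On a server where the upload directory is additionally served with script execution disabled, a name check failure is the difference between the two categories in the thread above: with it, an attacker gets Arbitrary File Upload; without it, Command Execution.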
Conference on Cyber Conflict: speakers selected!
Agenda Announcement! - Conference on Cyber Conflict
Tallinn, Estonia, June 15-18, 2010
Cooperative Cyber Defence Centre of Excellence
www.ccdcoe.org/conference2010/agenda.html

- H.E. Toomas Hendrik Ilves, President of the Republic of Estonia
- Bruce Schneier, BT Chief Security Technology Officer
- Mike Schmitt, Dean, Marshall Center
- Mikko Hyppönen, Chief Research Officer, F-Secure
- Nart Villeneuve, Chief Technology Officer, Information Warfare Monitor
- Chris Evans, Security Lead, Google Chrome
- Susan Brenner, University of Dayton School of Law
- Haroon Meer, Thinkst Applied Research
- Bruce Dang, Microsoft Security Response Center
- Dan Ryan, US National Defence University
- Derek Jinks, US Naval War College
- Jeffrey Carr, Greylogic
- Stuart Starr, US National Defence University
- Amit Yoran, NetWitness
- Charlie Miller, Independent Security Evaluators
- Julie Ryan, George Washington University
- Richard Favier, BreakingPoint Systems
- Ryan Kaminski, Columbia University
- Maarten Van Horenbeeck, Microsoft Security Response Center
- Thomas Wingfield, US Army Command and General Staff College
- Antoine Lemay, École Polytechnique de Montréal
- Bret Michael, Naval Postgraduate School
- George Bakos, Northrop Grumman
- Charles Williamson, US Air Force
- Chris Stace, EU
- Eric Talbot Jensen, Fordham University School of Law
- Eneken Tikk, CCD COE
- Forrest Hare, George Mason University
- Heli Tiirmaa-Klaar, Estonian MoD
- Herb Lin, Computer Science and Telecommunications Board
- Igor Kotenko, Institute for Informatics and Automation, Russia
- Ilias Chantzos, Symantec
- Jaak Tepandi, Tallinn Technical University
- Jason Healey, Cyber Conflicts Studies Association
- Lieutenant General Ants Laaneots, Commander of the Estonian Defence Forces
- Lilian Edwards, Russell Buchan, Sheffield University
- Maeve Dion, George Mason University
- Marco Gercke, Cybercrime Research Institute
- Bryan Krekel, Northrop Grumman
- Mélanie Bernier and Joanne Truerniet, Department of National Defence, Canada
- Michael B. Jones, The Security Network
- Nemanja Malisevic, OSCE
- Olivier Thonnard, Royal Military Academy, Belgium
- Peeter Lorents, CCDCOE
- Samuel Liles, Purdue University Calumet
- Scott J. Shackelford, University of Cambridge
- Simona Rocchi, NATO NC3A
- Terry Pudas, Daniel Kuehl, US National Defence University
- The Lithuanian National CERT
- Rain Ottis, CCD COE
- Toomas Kirta, Institute of Cybernetics at TUT
- Jüri Kivimaa, CCD COE
- Gloria Craig, UK MoD
- Ulf Häussler, NATO ACT
- Maria Mälksoo, International Centre of Defence Studies
- Vincent Joubert, Raoul Danduran Chair, Montréal, Quebec

Panel discussion: NATO and cyber conflicts
Panel discussion: Non-state actors in cyber conflicts
Panel Discussion: Representatives of ICANN, UN, NATO, G8
Madirish Webmail 2.01 (basedir) RFI/LFI Vulnerability
Madirish Webmail is prone to multiple vulnerabilities because it fails to properly sanitize user-supplied input. An attacker can exploit these vulnerabilities to obtain potentially sensitive information and execute arbitrary local scripts in the context of the webserver process. This may allow the attacker to compromise the application and the computer; other attacks are also possible.

There is a vulnerability in almost every file directory of Madirish Webmail v2.01. The vendor fixed the vulnerability in version 2.0 and updated to v2.0.1, but the fix is incomplete: the code was only edited to handle remote file inclusion, yet as we see it still has an RFI vulnerability, and now an LFI looks possible too. Attackers can exploit these issues via a browser. The following examples are available:

-=[ P0C RFI ]=-
http://127.0.0.1/Madirish_Webmail/lib/addressbook.php?basedir=[sh3ll inj3ct0r]

-=[ P0C LFI ]=-
http://127.0.0.1/Madirish_Webmail/index.php?basedir=[LFI]%00

etc, etc, etc

Solution: Fix / edit the code, or update to a new version if available. Example:

require_once($basedir."lib/sql.php");  // change into require_once("Madirish_Webmail/lib/sql.php");
require_once($basedir."lib/html.php"); // change into require_once("Madirish_Webmail/lib/html.php");

=| -=[ E0F ]=- |=
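The two proofs of concept above differ only in what is put in front of the constant suffix "lib/sql.php": a URL for the RFI, and a local path plus %00 for the LFI, where old PHP stops reading the filename at the NUL byte and the suffix is never seen. The following is an added example, not Madirish Webmail code, that reproduces that concatenation in Python so the resulting paths can be inspected, and next to it a resolver that applies the three checks an include path needs if it is derived from request input at all (no NUL, no URL scheme, result confined to the install directory). The install path is an assumption.

```python
import os
from urllib.parse import urlsplit

# Assumption: where the webmail is installed on the server.
APP_ROOT = "/var/www/Madirish_Webmail"


def vulnerable_include_target(basedir, relative="lib/sql.php"):
    """The string that require_once($basedir."lib/sql.php") asks PHP to open
    when $basedir arrives straight from the request (the behaviour the PoCs
    abuse). Pure concatenation, no validation."""
    return basedir + relative


def php_legacy_open_path(path):
    """PHP before 5.3.4 stopped reading a filename at the first NUL byte, which
    is why the LFI PoC appends %00: everything the script concatenates after
    the attacker's value is discarded."""
    return path.split("\x00", 1)[0]


def safe_include_target(basedir, relative="lib/sql.php"):
    """Hardened resolver: refuses NUL bytes, anything carrying a URL scheme
    (plain http:// RFI and php:// style stream wrappers alike), and any
    result that does not stay under APP_ROOT. Raises ValueError rather than
    returning a path in those cases."""
    if "\x00" in basedir:
        raise ValueError("NUL byte in basedir")
    if urlsplit(basedir).scheme:
        raise ValueError("remote or stream-wrapper include rejected")
    root = os.path.realpath(APP_ROOT)
    # os.path.join discards root if basedir is absolute; realpath then folds
    # any ../ components, and commonpath catches both escapes.
    candidate = os.path.realpath(os.path.join(root, basedir, relative))
    if os.path.commonpath([root, candidate]) != root:
        raise ValueError("include escapes application root")
    return candidate


def is_rejected(basedir):
    """Convenience wrapper: does the hardened resolver refuse this value?"""
    try:
        safe_include_target(basedir)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    for poc in ["http://evil.example/shell.txt?", "../../../../etc/passwd\x00", ""]:
        raw = vulnerable_include_target(poc)
        print(repr(poc), "->", repr(php_legacy_open_path(raw)), "| hardened:",
              "rejected" if is_rejected(poc) else safe_include_target(poc))
```

The advisory's own suggested fix (hard-coding the include path and ignoring $basedir entirely) is the simpler and better option when the value never legitimately varies; the resolver is for the case where a configurable base directory must be kept.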
NovaStor NovaNet <= 13.0 issues
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

All - many of the following were inexplicably fixed in the latest version (NovaBACKUP Network 13.0), but still, a 2.5 year run isn't too bad...

http://digit-labs.org/files/exploits/novanet-own-lnx.c
- - linux remote root <= 12.0

http://digit-labs.org/files/exploits/novanet-read.c
- - arbitrary remote dword read <= 12.0

http://digit-labs.org/files/exploits/novanet-own.c
- - Windows (no-DEP/NX, NovaNet 11.0) remote SYSTEM <= 12.0 (messy, there is a cleaner version)

They seem to have missed the last one, so it still works on 13.0, but sadly it is the most useless :(

http://digit-labs.org/files/exploits/novanet-dos.c
- - null deref remote DoS <= 13.0

- -- mu-b (m...@digit-labs.org)

"Only a few people will follow the proof. Whoever does will spend the rest of his life convincing people it is correct." - Anonymous, "P ?= NP"

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (Darwin)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iEYEARECAAYFAkvVgfsACgkQY0H9BP42Ejwp6QCfYNp/kFqtFwmwwmDAz0s9gEoO
S2YAoMA5VuJ+2+s+FaZj91TQ11+LEQoS
=lwTl
-----END PGP SIGNATURE-----
t2'10: Call for Papers 2010 (Helsinki / Finland)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

### t2'10 - Call For Papers ###

Helsinki, Finland
October 28 - 29, 2010

We are pleased to announce the annual t2'10 conference, which will take place in Helsinki, Finland, from October 28 to 29, 2010. We are looking for original technical presentations in the fields of information security. Presentations should last a minimum of 60 minutes and a maximum of two hours and be presented in English. Please note that presentations that focus on marketing or directly promoting a company's products will not be accepted.

We will be accepting talk proposals until July 1, 2010. All submitted presentations will be reviewed by the t2 Advisory Board. The t2 Advisory Board is comprised of the following individuals:

* Mikko Hyppönen, F-Secure
* Jussi Jaakonaho, Nokia
* Tomi Tuominen, Tieto

As usual, selected speakers will be reimbursed for travel and hotel costs. We also pride ourselves on taking good care of the speakers, and there is always something going on during the evenings :)

We strongly suggest that you submit earlier rather than later, since we will close the CFP early once we receive enough quality submissions to fill the slots.

Please include the following with your submission:

1. Contact information (email, cell phone and postal address)
2. Country and city of origin for your travel to the conference, as well as nationality/passport for visa requirements
3. Brief biography (including employer and/or affiliations)
4. Title of the presentation
5. Presentation abstract
6. If your presentation references a paper or piece of software that you have published, please provide us with either a copy of the said paper or software, or a URL where we can obtain it.
7. List any other publications or conferences where this material has been or will be published/submitted

Please send the above information to cfp-2010 (at) lists.t2.fi

===

For more information: http://t2.fi/
Links to past schedules: http://t2.fi/schedules/

- --
Tomi 'T' Tuominen
Founder - t2 information security conference
tel. +358 400 796 064 - fax. +358 401 796 064

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.8 (Darwin)

iEYEARECAAYFAkvUSIoACgkQlPoxKJv6bErxPwCglv6qIenhKpEXIu18ZQil2Cb5
wosAn2hRcNRhEugkvctH+JERXrLO26PB
=8HS+
-----END PGP SIGNATURE-----
hashdays 2010 - Call for Papers (#days CFP)
Call for Papers for hashdays 2010 (#days)

Introduction
------------

Hashdays is an international security technology and research conference which is preceded by several 2-day workshops delivering IT security training. The event features many international IT security experts sharing their deep technical knowledge in an open environment and takes place November 3rd to 6th, 2010 in Lucerne. The conference is the first of its kind in Switzerland and is organized by DEFCON Switzerland, a non-profit association with the aim to give experts and professionals a platform to transfer insights into the information security domain and to sensitize users to information security topics. The official conference web site is located at: https://www.hashdays.ch.

The Call For Papers (CFP) is now open and we are accepting interesting & innovative proposals for 50-minute talks.

Scope
-----

In particular, we are looking for topics in the following domains:

* Operating system and application security
* Wired and wireless network security
* Mobile communication security
* Forensics and anti-forensics
* Digital privacy and anonymous communication
* Reverse engineering of software and hardware
* Malware collection and analysis
* Botnet analysis
* Electronic voting
* Security metrics and visualization
* Intrusion detection and prevention
* Cloud computing security
* Cryptography and security protocols
* Biometric system security
* Quantitative and model based IT risk management

Submissions from academic and scientific institutions are welcome.

Deadlines
---------

* Submission of package until: Sunday, July 4, 2010
* Latest acceptance notification date: Sunday, August 29, 2010

Submission Guidelines
---------------------

The submission package is assessed by the program committee and the author is notified of the outcome by electronic means. Your submission package must be delivered in non-proprietary electronic formats (e.g. PDF, OpenOffice) and contain the following:

Talk details:
* Either:
  - a proposal of your intended talk with at maximum 400 words XOR
  - a full paper with a minimum of 6 and a maximum of 12 pages XOR
  - a slide deck with a maximum of 45 slides
* 150 word abstract of the talk which will be displayed on our conference website
* Rationale why your material is significant and should be presented
* Information on whether this talk has been or will be presented elsewhere
* Samples of other materials which might help to assess your submission (optional)
* Links to your web presence, if relevant (optional)

Presenter details:
* Your name and contact information
* Location of residence
* Country where the passport was issued
* Name of employer and/or affiliations (optional)
* 150 word biography of the speaker for use on our conference website
* A photo of yourself which is shown along with your biography (optional)
* List of previous significant talks (topic and name of conference)
* List of publications

To submit your CFP, put all the requested information into an archive and send it by e-mail to c...@defcon-switzerland.org.

Speaker Benefits
----------------

We offer the following benefits to accepted speakers:

* Free admission for the two conference days (including lunches and coffee breaks)
* Invitation to the complimentary speaker's dinner
* Paid accommodation for two nights at the hotel where the conference takes place
* Reimbursement of travel expenses in economy class up to a certain amount

However, we can reimburse travel and accommodation for one person per talk only.

Terms
-----

The author of the content keeps his or her full rights on the submitted material. By submitting the CFP package the author agrees to the following terms:

* You confirm that the material submitted is your own except where explicit references to third-party works are made.
* You confirm that you have obtained permission to use and distribute third-party content, like images.
* You give permission to DEFCON Switzerland to publish/distribute your material either in physical or electronic format without royalty.
* You give permission to DEFCON Switzerland to create audio and video recordings of your presentation and publish/distribute these without royalty.
* You agree that travel and accommodation expenses are reimbursed only upon successful delivery of your talk and upon presenting the receipts.
* You agree to read out a disclaimer to the audience at the beginning of your presentation if deemed necessary by DEFCON Switzerland.
* You agree not to hold DEFCON Switzerland liable for any direct or indirect damages or costs in case the event is canceled.

Sponsoring
----------

If you like our conference, you can support us by sponsoring. We offer attractive sponsoring opportunities. For details please contact: sponsor...@defcon-switzerland.org.

Thank you and best regards,
#days organizing committee
[USN-931-2] FFmpeg regression
===
Ubuntu Security Notice USN-931-2                           April 26, 2010
ffmpeg, ffmpeg-debian regression
https://launchpad.net/bugs/567913
===

A security issue affects the following Ubuntu releases:

Ubuntu 8.04 LTS
Ubuntu 8.10
Ubuntu 9.04
Ubuntu 9.10

This advisory also applies to the corresponding versions of Kubuntu, Edubuntu, and Xubuntu.

The problem can be corrected by upgrading your system to the following package versions:

Ubuntu 8.04 LTS:
  libavcodec1d     3:0.cvs20070307-5ubuntu7.5
  libavformat1d    3:0.cvs20070307-5ubuntu7.5

Ubuntu 8.10:
  libavcodec51     3:0.svn20080206-12ubuntu3.3
  libavformat52    3:0.svn20080206-12ubuntu3.3

Ubuntu 9.04:
  libavcodec52     3:0.svn20090303-1ubuntu6.2
  libavformat52    3:0.svn20090303-1ubuntu6.2

Ubuntu 9.10:
  libavcodec52     4:0.5+svn20090706-2ubuntu2.2
  libavformat52    4:0.5+svn20090706-2ubuntu2.2

In general, a standard system upgrade is sufficient to effect the necessary changes.

Details follow:

USN-931-1 fixed vulnerabilities in FFmpeg. The update introduced a regression when trying to play certain multimedia files. This update fixes the problem. We apologize for the inconvenience.

Original advisory details:

 It was discovered that FFmpeg contained multiple security issues when handling certain multimedia files. If a user were tricked into opening a crafted multimedia file, an attacker could cause a denial of service via application crash, or possibly execute arbitrary code with the privileges of the user invoking the program.

Updated packages for Ubuntu 8.04 LTS:

  Source archives:

    http://security.ubuntu.com/ubuntu/pool/main/f/ffmpeg/ffmpeg_0.cvs20070307-5ubuntu7.5.diff.gz
      Size/MD5:    45498 9afcc5bb1aff70dff28f2b0a4de65102
    http://security.ubuntu.com/ubuntu/pool/main/f/ffmpeg/ffmpeg_0.cvs20070307-5ubuntu7.5.dsc
      Size/MD5:     1296 ae578e9e69eacc7c0aa2e27be32538b8
    http://security.ubuntu.com/ubuntu/pool/main/f/ffmpeg/ffmpeg_0.cvs20070307.orig.tar.gz
      Size/MD5:  2593100 2fe579de8a26351cc3b0b0e443acb09f

  amd64 architecture (Athlon64, Opteron, EM64T Xeon):

    http://security.ubuntu.com/ubuntu/pool/main/f/ffmpeg/libavcodec-dev_0.cvs20070307-5ubuntu7.5_amd64.deb
      Size/MD5:  1758398 47908d7dda998aba969d46f290efb0a2
    http://security.ubuntu.com/ubuntu/pool/main/f/ffmpeg/libavcodec1d_0.cvs20070307-5ubuntu7.5_amd64.deb
      Size/MD5:  1576006 9a785b5c69a022b072189cd81b4a5078
    http://security.ubuntu.com/ubuntu/pool/main/f/ffmpeg/libavformat-dev_0.cvs20070307-5ubuntu7.5_amd64.deb
      Size/MD5:   347064 357e794ce775455e65723f4776ee392d
    http://security.ubuntu.com/ubuntu/pool/main/f/ffmpeg/libavformat1d_0.cvs20070307-5ubuntu7.5_amd64.deb
      Size/MD5:   275980 e7d971d3cfe9d5108999809f61f7b3c3
    http://security.ubuntu.com/ubuntu/pool/main/f/ffmpeg/libavutil-dev_0.cvs20070307-5ubuntu7.5_amd64.deb
      Size/MD5:    52330 fde4242ae9f56162e7ab62b1f9cac84e
    http://security.ubuntu.com/ubuntu/pool/main/f/ffmpeg/libavutil1d_0.cvs20070307-5ubuntu7.5_amd64.deb
      Size/MD5:    38416 2b3890e7ca7b6fc72f9585998f374f2c
    http://security.ubuntu.com/ubuntu/pool/main/f/ffmpeg/libpostproc-dev_0.cvs20070307-5ubuntu7.5_amd64.deb
      Size/MD5:    69202 2221829a3daacadafa090f09f0c7540d
    http://security.ubuntu.com/ubuntu/pool/main/f/ffmpeg/libpostproc1d_0.cvs20070307-5ubuntu7.5_amd64.deb
      Size/MD5:    68450 fea54a14e2f009217ac075a2a91bc318
    http://security.ubuntu.com/ubuntu/pool/main/f/ffmpeg/libswscale-dev_0.cvs20070307-5ubuntu7.5_amd64.deb
      Size/MD5:   114286 06d4e69082a1ecaff84b7bcabc6bc7b7
    http://security.ubuntu.com/ubuntu/pool/main/f/ffmpeg/libswscale1d_0.cvs20070307-5ubuntu7.5_amd64.deb
      Size/MD5:    96658 d3f36e585bf16fb618f5c6533976ff02
    http://security.ubuntu.com/ubuntu/pool/universe/f/ffmpeg/ffmpeg_0.cvs20070307-5ubuntu7.5_amd64.deb
      Size/MD5:   196394 f31bebe2b71e34743605c78844845672

  i386 architecture (x86 compatible Intel/AMD):

    http://security.ubuntu.com/ubuntu/pool/main/f/ffmpeg/libavcodec-dev_0.cvs20070307-5ubuntu7.5_i386.deb
      Size/MD5:  1739264 bd29a03ec699e956c28db4ffc0755d92
    http://security.ubuntu.com/ubuntu/pool/main/f/ffmpeg/libavcodec1d_0.cvs20070307-5ubuntu7.5_i386.deb
      Size/MD5:  1603628 4a58660beb8cae76fc04f6efb0aa1c88
    http://security.ubuntu.com/ubuntu/pool/main/f/ffmpeg/libavformat-dev_0.cvs20070307-5ubuntu7.5_i386.deb
      Size/MD5:   333878 53303ded75d83e8a3f737098efcb067d
    http://security.ubuntu.com/ubuntu/pool/main/f/ffmpeg/libavformat1d_0.cvs20070307-5ubuntu7.5_i386.deb
      Size/MD5:   287600 260f14c67168e0fc248026c2988868d2
    http://security.ubuntu.com/ubuntu/pool/main/f/ffmpeg/libavutil-dev_0.cvs20070307-5ubuntu7.5_i386.deb
      Size/MD5:    51896 41523933d64df19307a6cc78
[security bulletin] HPSBUX02508 SSRT100007 rev.2 - HP-UX Running sendmail with STARTTLS Enabled, Remote Unauthorized Access
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

SUPPORT COMMUNICATION - SECURITY BULLETIN

Document ID: c02009860
Version: 2

HPSBUX02508 SSRT100007 rev.2 - HP-UX Running sendmail with STARTTLS Enabled, Remote Unauthorized Access

NOTICE: The information in this Security Bulletin should be acted upon as soon as possible.

Release Date: 2010-04-20
Last Updated: 2010-04-20

Potential Security Impact: Remote unauthorized access

Source: Hewlett-Packard Company, HP Software Security Response Team

VULNERABILITY SUMMARY
A potential security vulnerability has been identified with HP-UX running sendmail with STARTTLS enabled. This vulnerability could allow a user to gain remote unauthorized access.

References: CVE-2009-4565

SUPPORTED SOFTWARE VERSIONS*: ONLY impacted versions are listed.
HP-UX B.11.11, B.11.23 and B.11.31 running sendmail 8.13.3 with STARTTLS enabled.

BACKGROUND

CVSS 2.0 Base Metrics
===
Reference        Base Vector                    Base Score
CVE-2009-4565    (AV:N/AC:L/Au:N/C:P/I:P/A:P)   7.5
===
Information on CVSS is documented in HP Customer Notice: HPSN-2008-002

RESOLUTION
HP has provided the following upgrades to resolve the vulnerability. The updates are available from http://software.hp.com.

HP-UX Release / Sendmail version / Action
B.11.11 / 8.13.3 / Upgrade to B.11.11.02.008 or subsequent
B.11.23 / 8.13.3 / Upgrade to B.11.23.1.007 or subsequent
B.11.31 / 8.13.3 / Upgrade to C.8.13.3.5 or subsequent

Note: Installations of HP-UX B.11.11 running sendmail 8.11.1 should upgrade to sendmail 8.13.3 or subsequent. This Sendmail 8.13.3 Special Release Upgrade is available for download from http://software.hp.com
Go to >> Internet ready and networking >> Sendmail 8.13.3 Special Release Upgrade

Note: To identify a system in a vulnerable configuration:
1. Log on to the HP-UX system
2. Run "telnet localhost 25"
3. Enter "ehlo xyz"
4. Search the output for "250-STARTTLS"
5. If "250-STARTTLS" is found, the system is in a vulnerable configuration

It is recommended that the update be applied even if the system is not currently in a vulnerable configuration. Applying the update will eliminate the possibility of introducing the vulnerability by a configuration change.

MANUAL ACTIONS: Yes - Update
B.11.11 - install SMAIL B.11.11.02.008 or subsequent
B.11.23 - install SMAIL B.11.23.1.007 or subsequent
B.11.31 - install SENDMAIL C.8.13.3.5 or subsequent

PRODUCT SPECIFIC INFORMATION

HP-UX Software Assistant: HP-UX Software Assistant is an enhanced application that replaces HP-UX Security Patch Check. It analyzes all Security Bulletins issued by HP and lists recommended actions that may apply to a specific HP-UX system. It can also download patches and create a depot automatically. For more information see: https://www.hp.com/go/swa

The following text is for use by the HP-UX Software Assistant.

AFFECTED VERSIONS

HP-UX B.11.11
=
SMAIL-UPGRADE.INETSVCS-SMAIL
action: install B.11.11.02.008 or subsequent

HP-UX B.11.23
=
SMAIL-UPGRADE.INET-SMAIL
SMAIL-UPGRADE.INET2-SMAIL
action: install B.11.23.1.007 or subsequent

HP-UX B.11.31
=
Sendmail.SENDMAIL-AUX
Sendmail.SENDMAIL-RUN
action: install C.8.13.3.5 or subsequent

END AFFECTED VERSIONS

HISTORY
Version: 1 (rev.1) - 24 March 2010 Initial release
Version: 2 (rev.2) - 20 April 2010 Updated revisions for download and download location.

Third Party Security Patches: Third party security patches that are to be installed on systems running HP software products should be applied in accordance with the customer's patch management policy.

Support: For further information, contact normal HP Services support channel.

Report: To report a potential security vulnerability with any HP supported product, send Email to: security-al...@hp.com

It is strongly recommended that security related information being communicated to HP be encrypted using PGP, especially exploit information. To get the security-alert PGP key, please send an e-mail message as follows:
  To: security-al...@hp.com
  Subject: get key

Subscribe: To initiate a subscription to receive future HP Security Bulletins via Email:
http://h30046.www3.hp.com/driverAlertProfile.php?regioncode=NA&langcode=USENG&jumpid=in_SC-GEN__driverITRC&topiccode=ITRC
On the web page: ITRC security bulletins and patch sign-up
Under Step1: your ITRC security bulletins and patches - check ALL categories for which alerts are required and continue.
Under Step2: your ITRC operating systems - verify your operating system selections are checked and save.

To update an existing subscription: http://h30046.www3.hp.com/subSignIn.php
Log in on the web page: Subscriber's choice for Business: sign-in.
On the web page: Subscriber's Choice: your profile summary - use Edit Profile to update appropriate sections.

To review previou
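The five-step telnet check in the bulletin reduces to one question: does the server's EHLO reply advertise the STARTTLS extension? The script below is an added example, not part of the HP bulletin, that does the same check in two forms: an offline parser over a raw reply of the kind the telnet session prints (the transcripts are constructed, not captured from an HP-UX host), and a live check against a given host using the standard library's ESMTP client. Host and port default to the bulletin's localhost:25 and are assumptions otherwise.

```python
import smtplib

# Constructed EHLO transcripts as they would appear in the telnet session the
# bulletin describes (not output captured from an HP-UX box).
EHLO_WITH_STARTTLS = (
    b"250-mail.example.test Hello xyz [127.0.0.1], pleased to meet you\r\n"
    b"250-ENHANCEDSTATUSCODES\r\n"
    b"250-PIPELINING\r\n"
    b"250-8BITMIME\r\n"
    b"250-SIZE\r\n"
    b"250-STARTTLS\r\n"
    b"250 HELP\r\n"
)
EHLO_WITHOUT_STARTTLS = (
    b"250-mail.example.test Hello xyz [127.0.0.1], pleased to meet you\r\n"
    b"250-ENHANCEDSTATUSCODES\r\n"
    b"250-8BITMIME\r\n"
    b"250 HELP\r\n"
)


def ehlo_extensions(raw_reply):
    """Parse a raw multi-line 250 reply into the set of advertised ESMTP
    keywords. The first line is the greeting, not an extension, so it is
    skipped; each remaining line is '250-KEYWORD [params]' or, for the last
    line, '250 KEYWORD'."""
    lines = raw_reply.decode("ascii", "replace").splitlines()
    keywords = set()
    for line in lines[1:]:
        if len(line) < 4 or not line.startswith("250") or line[3] not in "- ":
            continue
        keywords.add(line[4:].split(" ", 1)[0].upper())
    return keywords


def starttls_advertised(raw_reply):
    """Step 4 of the bulletin's procedure: is STARTTLS offered? Matches the
    whole keyword rather than grepping for the substring."""
    return "STARTTLS" in ehlo_extensions(raw_reply)


def check_host(host="localhost", port=25, timeout=10.0):
    """Live version of the check. smtplib records the keywords from the EHLO
    reply so that has_extn() can answer the same question."""
    with smtplib.SMTP(host, port, timeout=timeout) as smtp:
        code, _ = smtp.ehlo("xyz")
        if code != 250:
            raise RuntimeError(f"EHLO rejected with {code}")
        return smtp.has_extn("starttls")


if __name__ == "__main__":
    import sys
    host = sys.argv[1] if len(sys.argv) > 1 else "localhost"
    print("STARTTLS advertised:", check_host(host))
```

As the bulletin itself notes, a negative result only says the vulnerable configuration is not active now; the package upgrade is still the fix.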
phpegasus 'config.php' Arbitrary File Upload Vulnerability
phpegasus is prone to a vulnerability that lets attackers upload arbitrary files because the application fails to adequately sanitize user-supplied input. An attacker can exploit this vulnerability to upload arbitrary code and run it in the context of the webserver process. This may facilitate unauthorized access or privilege escalation; other attacks are also possible.

All versions are affected by this vulnerability.

The following exploit code is available here: http://www.inj3ct0r.com/exploits/11985
SmodCMS 'config.php' Arbitrary File Upload Vulnerability
SmodCMS is prone to a vulnerability that lets attackers upload arbitrary files because the application fails to adequately sanitize user-supplied input. An attacker can exploit this vulnerability to upload arbitrary code and run it in the context of the webserver process. This may facilitate unauthorized access or privilege escalation; other attacks are also possible.

SmodCMS v.4.07 is affected; other or lower versions may also be vulnerable.

The following exploit code is available here: http://www.inj3ct0r.com/exploits/11977
A XSS in User_ChkLogin.asp of PowerEasy 2006
PowerEasy is prone to a cross-site scripting vulnerability because the application fails to properly sanitize user-supplied input. An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks.

PowerEasy 2006 is vulnerable; other versions may also be affected.

Home Page: http://www.powereasy.net

I found an XSS in the "ComeUrl" parameter of "User_ChkLogin.asp" in PowerEasy 2006; the affected path is "/user/User_ChkLogin.asp?ComeUrl=". For example:

http://www.example.com:80/user/User_ChkLogin.asp?ComeUrl="; style="XSS:expression(alert(/liscker/))"

Liscker
2010.4.24
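The shape of the proof of concept (a leading double quote, then a new style attribute) says the ComeUrl value is reflected inside an HTML attribute, and the injected expression() is the old Internet Explorer way of running script from CSS. The following is an added example, not PowerEasy's ASP code, which is not on the page: a stand-in template that reproduces the unencoded reflection, the same template with the value attribute-encoded, and a parser-based check that tells the two apart by looking at which attributes the resulting tag actually carries. The input element and its attribute names are assumptions.

```python
import html
from html.parser import HTMLParser

# The value from the advisory's proof of concept, URL-decoded.
POC_VALUE = '"; style="XSS:expression(alert(/liscker/))'


def render_vulnerable(come_url):
    """Assumed shape of the reflection: the parameter is dropped into an
    attribute without encoding. Stand-in for the real ASP, which is not on
    the page; it reproduces the attribute breakout the PoC relies on."""
    return '<input type="hidden" name="ComeUrl" value="' + come_url + '">'


def render_fixed(come_url):
    """Same markup with the value HTML-attribute-encoded. quote=True is what
    turns the embedded double quote into &quot; so the value cannot close
    the attribute early."""
    return '<input type="hidden" name="ComeUrl" value="' + html.escape(come_url, quote=True) + '">'


class _FirstInputAttrs(HTMLParser):
    """Collect the attributes of the first <input> the parser sees, the way a
    browser's tokenizer would see them."""

    def __init__(self):
        super().__init__()
        self.attrs = None

    def handle_starttag(self, tag, attrs):
        if tag == "input" and self.attrs is None:
            self.attrs = dict(attrs)


def parse_input_attrs(markup):
    p = _FirstInputAttrs()
    p.feed(markup)
    p.close()
    return p.attrs or {}


def attribute_injected(markup):
    """True when the rendered tag carries any attribute the template never
    wrote (type, name, value), i.e. the input broke out of the value."""
    return bool(set(parse_input_attrs(markup)) - {"type", "name", "value"})


if __name__ == "__main__":
    for label, render in (("vulnerable", render_vulnerable), ("fixed", render_fixed)):
        out = render(POC_VALUE)
        print(f"{label}: injected={attribute_injected(out)} attrs={sorted(parse_input_attrs(out))}")
```

The check generalises beyond this one payload: any value that adds an attribute the template did not write, or that changes the tag the value lands in, is a breakout, regardless of which attribute name the attacker chose.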
[SECURITY] [DSA 2039-1] New cacti packages fix missing input sanitising
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- ------------------------------------------------------------------------
Debian Security Advisory DSA-2039-1                  secur...@debian.org
http://www.debian.org/security/                           Thijs Kinkhorst
April 23, 2010                        http://www.debian.org/security/faq
- ------------------------------------------------------------------------

Package        : cacti
Vulnerability  : missing input sanitising
Problem type   : remote
Debian-specific: no
Debian Bug     : 578909

It was discovered that Cacti, a frontend to rrdtool for monitoring systems and services, missed input sanitising, making an SQL injection attack possible.

For the stable distribution (lenny), this problem has been fixed in version 0.8.7b-2.1+lenny2.

For the unstable distribution (sid), this problem will be fixed soon.

We recommend that you upgrade your cacti package.

Upgrade instructions
- --------------------

wget url
        will fetch the file for you
dpkg -i file.deb
        will install the referenced file.

If you are using the apt-get package manager, use the line for sources.list as given below:

apt-get update
        will update the internal database
apt-get upgrade
        will install corrected packages

You may use an automated update by adding the resources from the footer to the proper configuration.

Debian GNU/Linux 5.0 alias lenny
- --------------------------------

Source archives:

  http://security.debian.org/pool/updates/main/c/cacti/cacti_0.8.7b-2.1+lenny2.diff.gz
    Size/MD5 checksum:    37338 16b43e80a447a185f5372372836104ed
  http://security.debian.org/pool/updates/main/c/cacti/cacti_0.8.7b.orig.tar.gz
    Size/MD5 checksum:  1972444 aa8a740a6ab88e3634b546c3e1bc502f
  http://security.debian.org/pool/updates/main/c/cacti/cacti_0.8.7b-2.1+lenny2.dsc
    Size/MD5 checksum:     1408 468d418ebedfd326081cbb159c159b55

Architecture independent packages:

  http://security.debian.org/pool/updates/main/c/cacti/cacti_0.8.7b-2.1+lenny2_all.deb
    Size/MD5 checksum:  1826020 b88356b2559091ae8444b93b5234e881

These files will probably be moved into the stable distribution on its next update.

- ---------------------------------------------------------------------------------
For apt-get: deb http://security.debian.org/ stable/updates main
For dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main
Mailing list: debian-security-annou...@lists.debian.org
Package info: `apt-cache show <pkg>' and http://packages.debian.org/<pkg>

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)

iQEcBAEBAgAGBQJL0fvtAAoJECIIoQCMVaAceK0H/jud0EGRDRnk4Lwd2Io8JyTr
mJmuYrVrSKa4DnDd4y62xShPqKUvc9Fs4mbQb4an8aNinyTR9m6CSqF5qs1T6oAt
zcvSNdDetj3H/wqJ24T3oUpCadNu7FNUBPj0VLjqZL4G7NuHqxoyvPEkDyYBjIUB
abqgJWsG7RXiuGbNPsCRzcp2AASaTH4iQ2GELCsZ50TQxW+1v+GHneqjAwSHYI4n
cPO+SumkZ5k6oPEwzKpQm9ja3e3rz/kb7SogDVexCeH7sBZG2N2fo6OCv8T8PvpW
zYy2pGmZXvtSAu/zeBBXvdox7byfAchKQFRRbZRYhUVODYn5/iFAV8FoGmqXbkE=
=0ixH
-----END PGP SIGNATURE-----