Re: SQL injection vulnerability in boastMachine
Discovered 2008-01-21, covered by CVE-2008-0422 / OSVDB 40960.

On Sat, 5 Jun 2010, advis...@htbridge.ch wrote:

: Vulnerability ID: HTB22398
: Reference: http://www.htbridge.ch/advisory/sql_injection_vulnerability_in_boastmachine.html
: Product: boastMachine
: Vendor: Kailash Nadh
: Vulnerable Version: 3.1 and Probably Prior Versions
: Vendor Notification: 20 May 2010
: Vulnerability Type: SQL Injection
: Status: Not Fixed, Vendor Alerted, Awaiting Vendor Response
: Risk level: High
: Credit: High-Tech Bridge SA (http://www.htbridge.ch/)
:
: Vulnerability Details:
: The vulnerability exists due to a failure in the /mail.php script to properly sanitize user-supplied input in the id variable. An attacker can alter queries to the application's SQL database, execute arbitrary queries against the database, compromise the application, access or modify sensitive data, or exploit various vulnerabilities in the underlying SQL database.
:
: An attacker can use a browser to exploit this vulnerability. The following PoC is available:
:
: http://host/mail.php?blog=1id=-1%27+union+select+1,2,user%28%29,4+--+
[security bulletin] HPSBPI02532 SSRT100111 rev.2 - HP MFP Digital Sending Software Running on Windows, Local Unauthorized Access
SUPPORT COMMUNICATION - SECURITY BULLETIN

Document ID: c02161624
Version: 2

HPSBPI02532 SSRT100111 rev.2 - HP MFP Digital Sending Software Running on Windows, Local Unauthorized Access

NOTICE: The information in this Security Bulletin should be acted upon as soon as possible.

Release Date: 2010-05-12
Last Updated: 2010-06-11

Potential Security Impact: Local unauthorized access

Source: Hewlett-Packard Company, HP Software Security Response Team

VULNERABILITY SUMMARY
A potential security vulnerability has been identified with HP MFP Digital Sending Software running on Windows. The vulnerability could be exploited by a local user to gain unauthorized access to Send to e-mail and other functionality of an HP Multifunction Peripheral (MFP) controlled by the HP Digital Sending Software.

References: CVE-2010-1558

SUPPORTED SOFTWARE VERSIONS*: ONLY impacted versions are listed.
HP MFP Digital Sending Software prior to v4.18.3 running on Windows

BACKGROUND

CVSS 2.0 Base Metrics
===========================================================
  Reference         Base Vector                    Base Score
  CVE-2010-1558     (AV:L/AC:M/Au:N/C:C/I:N/A:N)   4.7
===========================================================
Information on CVSS is documented in HP Customer Notice: HPSN-2008-002

Note: For further information on Secure Printing and Imaging please refer to http://www.hp.com/go/secureprinting

RESOLUTION
HP has provided a preliminary update to resolve this vulnerability.

The HP MFP Digital Sending Software v4.18.5 update is available using ftp:

  Host              Account   Password
  ftp.usa.hp.com    sb02532   Secure12

Optionally verify the SHA-1 sum.

HP MFP Digital Sending Software v4.18.5
  File          SHA-1 Sum
  DSS4185.zip   ebe6-dbf8-e0e1-6d1d-4c9f-8c06-683b-65d8-b0d6-fb8b

Note: HP MFP Digital Sending Software v4.18.3 was recommended in rev.1 of this Security Bulletin. That version introduced a defect not related to security. The new defect and the security vulnerability are resolved in v4.18.5.
PRODUCT SPECIFIC INFORMATION
None

HISTORY
Version:1 (rev.1) - 12 May 2010 Initial release
Version:2 (rev.2) - 11 June 2010 HP MFP Digital Sending Software v4.18.5 is available

Third Party Security Patches: Third party security patches that are to be installed on systems running HP software products should be applied in accordance with the customer's patch management policy.

Support: For further information, contact normal HP Services support channel.

Report: To report a potential security vulnerability with any HP supported product, send Email to: security-al...@hp.com
It is strongly recommended that security related information being communicated to HP be encrypted using PGP, especially exploit information.
To get the security-alert PGP key, please send an e-mail message as follows:
  To: security-al...@hp.com
  Subject: get key

Subscribe: To initiate a subscription to receive future HP Security Bulletins via Email:
http://h30046.www3.hp.com/driverAlertProfile.php?regioncode=NAlangcode=USENGjumpid=in_SC-GEN__driverITRCtopiccode=ITRC
On the web page: ITRC security bulletins and patch sign-up
Under Step1: your ITRC security bulletins and patches - check ALL categories for which alerts are required and continue.
Under Step2: your ITRC operating systems - verify your operating system selections are checked and save.

To update an existing subscription: http://h30046.www3.hp.com/subSignIn.php
Log in on the web page: Subscriber's choice for Business: sign-in.
On the web page: Subscriber's Choice: your profile summary - use Edit Profile to update appropriate sections.

To review previously published Security Bulletins visit: http://www.itrc.hp.com/service/cki/secBullArchive.do

* The Software Product Category that this Security Bulletin relates to is represented by the 5th and 6th characters of the Bulletin number in the title:
  GN = HP General SW
  MA = HP Management Agents
  MI = Misc. 3rd Party SW
  MP = HP MPE/iX
  NS = HP NonStop Servers
  OV = HP OpenVMS
  PI = HP Printing Imaging
  ST = HP Storage SW
  TL = HP Trusted Linux
  TU = HP Tru64 UNIX
  UX = HP-UX
  VV = HP VirtualVault

System management and security procedures must be reviewed frequently to maintain system integrity. HP is continually reviewing and enhancing the security features of software products to provide customers with current secure solutions.

HP is broadly distributing this Security Bulletin in order to bring to the attention of users of the affected HP products the important security information contained in this Bulletin. HP recommends that all users determine the applicability of this information to their individual situations and take appropriate action. HP does not warrant that this information is necessarily accurate or complete for all user situations and, consequently, HP will not be responsible for any damages resulting from user's use or disregard of the
DoS vulnerabilities in Firefox, Internet Explorer, Chrome and Opera
Hello Bugtraq!

I want to warn you about Denial of Service vulnerabilities in Firefox, Internet Explorer, Chrome and Opera, which belong to the type of DoS via protocol handlers. Earlier I already wrote about DoS vulnerabilities in Firefox, Internet Explorer, Chrome and Opera and DoS attacks on email clients via protocol handlers. This new advisory will show you the situation of browsers' behavior with other protocol handlers.

All those who doubt that these DoS vulnerabilities in browsers and email clients are security vulnerabilities must read my first advisory on this topic (http://www.securityfocus.com/archive/1/511327/30/0/threaded), where I mentioned Mozilla's MFSA 2010-23 (http://www.mozilla.org/security/announce/2010/mfsa2010-23.html), for which CVE-2010-0181 (http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0181) was created. If they consider img with mailto (via redirect) as a vulnerability, then iframes with different protocols are indeed a vulnerability (in browsers and email clients).

- Advisory: DoS vulnerabilities in Firefox, Internet Explorer, Chrome and Opera
- URL: http://websecurity.com.ua/4283/
- Affected products: Mozilla Firefox, Internet Explorer 6, Google Chrome, Opera.
- Timeline:
  26.05.2010 - found vulnerabilities.
  26.05.2010 - informed developers: Mozilla, Microsoft, Google and Opera.
  12.06.2010 - disclosed at my site.
- Details:

Now I'm informing about DoS in different browsers via the protocols chrome, wmk and outlook. Attacks via mail clients are also possible, as I wrote in the corresponding advisory. These Denial of Service vulnerabilities belong to the type (http://websecurity.com.ua/2550/) blocking DoS and resources consumption DoS. These attacks can be conducted both with JS and without it (via creating a page with a large quantity of iframes).

DoS:

http://websecurity.com.ua/uploads/2010/Chrome%20%20Opera%20DoS%20Exploit.html

This exploit for the chrome protocol works in Google Chrome 1.0.154.48 and Opera 9.52. In Chrome, blocking of the browser occurs. And in Opera, resources consumption (CPU and memory) occurs.

http://websecurity.com.ua/uploads/2010/Firefox,%20IE,%20Chrome%20%20Opera%20DoS%20Exploit4.html

This exploit for the wmk protocol works in Mozilla Firefox 3.0.19 (and besides previous versions, it must work in 3.5.x and 3.6.x), Internet Explorer 6 (6.0.2900.2180), Google Chrome 1.0.154.48 and Opera 9.52. For the exploit to work, WebMoney Keeper Classic must be installed. In the browsers Firefox and IE, blocking and overloading of the system occurs from the starting of WebMoney Keeper (it also must work in IE8, but there was no WebMoney Keeper on the computer with IE8 to check it). In Chrome, blocking of the browser occurs. And in Opera the attack goes on without blocking, only resources consumption (more slowly than in other browsers).

http://websecurity.com.ua/uploads/2010/Firefox,%20IE,%20Chrome%20%20Opera%20DoS%20Exploit5.html

This exploit for the outlook protocol works in Mozilla Firefox 3.0.19 (and besides previous versions, it must work in 3.5.x and 3.6.x), Internet Explorer 6 (6.0.2900.2180), Google Chrome 1.0.154.48 and Opera 9.52. For the exploit to work, Microsoft Outlook must be installed. In the browsers Firefox and IE, blocking and overloading of the system occurs from the starting of Outlook (doesn't work in IE8). At that, if automatic start of the handler program for this protocol is allowed in Firefox, by setting the checkbox, then instead of blocking of the browser there will be blocking and overloading of the system (as occurs in IE). In Chrome, blocking of the browser occurs. And in Opera the attack goes on without blocking, only resources consumption (more slowly than in other browsers). If there is no Outlook on the computer, then in Firefox blocking of the browser occurs, and in IE and Opera resources consumption occurs.

Best wishes & regards,
MustLive
Administrator of Websecurity web site
http://websecurity.com.ua
[SECURITY] [DSA 2060-1] New cacti packages fix SQL injection
------------------------------------------------------------------------
Debian Security Advisory DSA-2060-1                  secur...@debian.org
http://www.debian.org/security/                               Nico Golde
June 13th, 2010                         http://www.debian.org/security/faq
------------------------------------------------------------------------

Package        : cacti
Vulnerability  : insufficient input sanitization
Problem type   : remote
Debian-specific: no
Debian bug     : 582691
CVE ID         : CVE-2010-2092

Stefan Esser discovered that cacti, a front-end to rrdtool for monitoring systems and services, is not properly validating input passed to the rra_id parameter of the graph.php script. Because the script checks the input of $_REQUEST but uses the $_GET input in a query, an unauthenticated attacker is able to perform SQL injections via a crafted rra_id $_GET value and an additional valid rra_id $_POST or $_COOKIE value.

For the stable distribution (lenny), this problem has been fixed in version 0.8.7b-2.1+lenny3.

For the testing distribution (squeeze), this problem will be fixed soon.

For the unstable distribution (sid), this problem has been fixed in version 0.8.7e-4.

We recommend that you upgrade your cacti packages.

Upgrade instructions
--------------------

wget url
        will fetch the file for you
dpkg -i file.deb
        will install the referenced file.

If you are using the apt-get package manager, use the line for sources.list as given below:

apt-get update
        will update the internal database
apt-get upgrade
        will install corrected packages

You may use an automated update by adding the resources from the footer to the proper configuration.

Debian GNU/Linux 5.0 alias lenny
--------------------------------

Debian (stable)
---------------

Stable updates are available for alpha, amd64, arm, armel, hppa, i386, ia64, mips, mipsel, powerpc, s390 and sparc.

Source archives:

  http://security.debian.org/pool/updates/main/c/cacti/cacti_0.8.7b-2.1+lenny3.dsc
    Size/MD5 checksum:    1117 bd9650c8f8a8cd1ab9bcf9385516948f
  http://security.debian.org/pool/updates/main/c/cacti/cacti_0.8.7b-2.1+lenny3.diff.gz
    Size/MD5 checksum:   37818 5a336fe8cf710c833521544c121827d2
  http://security.debian.org/pool/updates/main/c/cacti/cacti_0.8.7b.orig.tar.gz
    Size/MD5 checksum: 1972444 aa8a740a6ab88e3634b546c3e1bc502f

Architecture independent packages:

  http://security.debian.org/pool/updates/main/c/cacti/cacti_0.8.7b-2.1+lenny3_all.deb
    Size/MD5 checksum: 1855976 a7f99b878d484cb6efaab85357b53b66

These files will probably be moved into the stable distribution on its next update.

------------------------------------------------------------------------
For apt-get: deb http://security.debian.org/ stable/updates main
For dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main
Mailing list: debian-security-annou...@lists.debian.org
Package info: `apt-cache show <pkg>' and http://packages.debian.org/<pkg>
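The root cause DSA-2060-1 describes (validating $_REQUEST['rra_id'] but querying with $_GET['rra_id']) and the plainer unsanitized id parameter in the boastMachine advisory above share one fix: validate the exact value you use, and bind it as a query parameter. The following Python model is an added example, not cacti's or boastMachine's code; php_request approximates PHP's $_REQUEST merge (assumed order: GET, then POST, then COOKIE, later sources overriding), and the rra table and rows are constructed sample data.

```python
import sqlite3


def make_db():
    """Constructed in-memory table standing in for graph data (not cacti's real schema)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE rra (id INTEGER PRIMARY KEY, name TEXT)")
    db.executemany("INSERT INTO rra VALUES (?, ?)",
                   [(1, "daily"), (2, "weekly"), (3, "monthly")])
    return db


def php_request(get, post, cookie):
    """Approximate PHP's $_REQUEST: merge GET, POST and COOKIE, later sources win.
    The exact order depends on request_order/variables_order; this is an assumption."""
    merged = {}
    for source in (get, post, cookie):
        merged.update(source)
    return merged


def graph_vulnerable(db, get, post, cookie):
    """The DSA-2060-1 pattern: the value that is validated ($_REQUEST) is not
    the value that reaches the query ($_GET), so a valid POST/COOKIE rra_id
    satisfies the check while a crafted GET rra_id is interpolated verbatim."""
    request = php_request(get, post, cookie)
    if not request.get("rra_id", "").isdigit():
        raise ValueError("rra_id must be numeric")
    sql = "SELECT id, name FROM rra WHERE id = %s" % get["rra_id"]  # interpolation, no binding
    return db.execute(sql).fetchall()


def graph_fixed(db, get, post, cookie):
    """Hardened form: validate the one value that is used, then bind it as a
    parameter so the database never parses attacker-controlled SQL text."""
    rra_id = get.get("rra_id", "")
    if not rra_id.isdigit():
        raise ValueError("rra_id must be numeric")
    return db.execute("SELECT id, name FROM rra WHERE id = ?", (int(rra_id),)).fetchall()


if __name__ == "__main__":
    db = make_db()
    crafted_get = {"rra_id": "1 OR 1=1"}   # constructed: not numeric, passes nothing on its own
    valid_post = {"rra_id": "1"}           # constructed: satisfies the $_REQUEST check
    print("vulnerable:", graph_vulnerable(db, crafted_get, valid_post, {}))  # all three rows
    print("fixed:", graph_fixed(db, {"rra_id": "2"}, {}, {}))                # only row 2
```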
[ GLSA 201006-21 ] UnrealIRCd: Multiple vulnerabilities
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                                   Gentoo Linux Security Advisory GLSA 201006-21
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                                              http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

  Severity: High
     Title: UnrealIRCd: Multiple vulnerabilities
      Date: June 14, 2010
      Bugs: #260806, #323691
        ID: 201006-21

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

Multiple vulnerabilities in UnrealIRCd might allow remote attackers to compromise the unrealircd account, or cause a Denial of Service.

Background
==========

UnrealIRCd is an Internet Relay Chat (IRC) daemon.

Affected packages
=================

    -------------------------------------------------------------------
     Package                 /  Vulnerable  /              Unaffected
    -------------------------------------------------------------------
  1  net-irc/unrealircd        < 3.2.8.1-r1              >= 3.2.8.1-r1

Description
===========

Multiple vulnerabilities have been reported in UnrealIRCd:

* The vendor reported a buffer overflow in the user authorization code.

* The vendor reported that the distributed source code of UnrealIRCd was compromised and altered to include a system() call that could be called with arbitrary user input.

Impact
======

A remote attacker could exploit these vulnerabilities to cause the execution of arbitrary commands with the privileges of the user running UnrealIRCd, or a Denial of Service condition.

NOTE: By default UnrealIRCd on Gentoo is run with the privileges of the unrealircd user.

Workaround
==========

There is no known workaround at this time.

Resolution
==========

All UnrealIRCd users should upgrade to the latest version:

    # emerge --sync
    # emerge --ask --oneshot --verbose ">=net-irc/unrealircd-3.2.8.1-r1"

References
==========

  [ 1 ] UnrealIRCd Security Advisory 20090413
        http://www.unrealircd.com/txt/unrealsecadvisory.20090413.txt
  [ 2 ] UnrealIRCd Security Advisory 20100612
        http://www.unrealircd.com/txt/unrealsecadvisory.20100612.txt

Availability
============

This GLSA and any updates to it are available for viewing at the Gentoo Security Website:

  http://security.gentoo.org/glsa/glsa-201006-21.xml

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the confidentiality and security of our users' machines is of utmost importance to us. Any security concerns should be addressed to secur...@gentoo.org or alternatively, you may file a bug at https://bugs.gentoo.org.

License
=======

Copyright 2010 Gentoo Foundation, Inc; referenced text belongs to its owner(s).

The contents of this document are licensed under the Creative Commons - Attribution / Share Alike license.

http://creativecommons.org/licenses/by-sa/2.5