Re: SQL injection vulnerability in boastMachine

2010-06-15 Thread security curmudgeon

Discovered 2008-01-21, covered by CVE-2008-0422 / OSVDB 40960.

On Sat, 5 Jun 2010, advis...@htbridge.ch wrote:

: Vulnerability ID: HTB22398
: Reference: http://www.htbridge.ch/advisory/sql_injection_vulnerability_in_boastmachine.html
: Product: boastMachine
: Vendor: Kailash Nadh
: Vulnerable Version: 3.1 and Probably Prior Versions
: Vendor Notification: 20 May 2010
: Vulnerability Type: SQL Injection
: Status: Not Fixed, Vendor Alerted, Awaiting Vendor Response
: Risk level: High
: Credit: High-Tech Bridge SA (http://www.htbridge.ch/)
:
: Vulnerability Details:
: The vulnerability exists due to failure in the /mail.php script to properly
: sanitize user-supplied input in id variable. Attacker can alter queries to
: the application SQL database, execute arbitrary queries to the database,
: compromise the application, access or modify sensitive data, or exploit various
: vulnerabilities in the underlying SQL database.
:
: Attacker can use browser to exploit this vulnerability. The following PoC is
: available:
:
: http://host/mail.php?blog=1&id=-1%27+union+select+1,2,user%28%29,4+--+
:


[security bulletin] HPSBPI02532 SSRT100111 rev.2 - HP MFP Digital Sending Software Running on Windows, Local Unauthorized Access

2010-06-15 Thread security-alert
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

SUPPORT COMMUNICATION - SECURITY BULLETIN

Document ID: c02161624
Version: 2

HPSBPI02532 SSRT100111 rev.2 - HP MFP Digital Sending Software Running on 
Windows, Local Unauthorized Access

NOTICE: The information in this Security Bulletin should be acted upon as soon 
as possible.

Release Date: 2010-05-12
Last Updated: 2010-06-11

Potential Security Impact: Local unauthorized access

Source: Hewlett-Packard Company, HP Software Security Response Team

VULNERABILITY SUMMARY
A potential security vulnerability has been identified with HP MFP Digital 
Sending Software running on Windows. The vulnerability could be exploited by a 
local user to gain unauthorized access to Send to e-mail and other 
functionality of an HP Multifunction Peripheral (MFP) controlled by the HP 
Digital Sending Software.

References: CVE-2010-1558

SUPPORTED SOFTWARE VERSIONS*: ONLY impacted versions are listed.
HP MFP Digital Sending Software prior to v4.18.3 running on Windows

BACKGROUND

CVSS 2.0 Base Metrics
===========================================================
  Reference              Base Vector                Base Score
  CVE-2010-1558    (AV:L/AC:M/Au:N/C:C/I:N/A:N)        4.7
===========================================================
Information on CVSS is documented
in HP Customer Notice: HPSN-2008-002

Note: For further information on Secure Printing and Imaging please refer to 
http://www.hp.com/go/secureprinting

RESOLUTION

HP has provided a preliminary update to resolve this vulnerability.

The HP MFP Digital Sending Software v4.18.5 update is available using ftp:

Host              Account    Password
ftp.usa.hp.com    sb02532    Secure12

Optionally verify the SHA-1 sum.

HP MFP Digital Sending Software v4.18.5 File    SHA-1 Sum
DSS4185.zip    ebe6-dbf8-e0e1-6d1d-4c9f-8c06-683b-65d8-b0d6-fb8b

Note: HP MFP Digital Sending Software v4.18.3 was recommended in rev.1 of this 
Security Bulletin. That version introduced a defect not related to security. 
The new defect and the security vulnerability are resolved in v4.18.5.

PRODUCT SPECIFIC INFORMATION
None

HISTORY
Version:1 (rev.1) - 12 May 2010 Initial release
Version:2 (rev.2) - 11 June 2010 HP MFP Digital Sending Software v4.18.5 is 
available

Third Party Security Patches: Third party security patches that are to be 
installed on systems running HP software products should be applied in 
accordance with the customer's patch management policy.

Support: For further information, contact normal HP Services support channel.

Report: To report a potential security vulnerability with any HP supported 
product, send Email to: security-al...@hp.com
It is strongly recommended that security related information being communicated 
to HP be encrypted using PGP, especially exploit information.
To get the security-alert PGP key, please send an e-mail message as follows:
  To: security-al...@hp.com
  Subject: get key
Subscribe: To initiate a subscription to receive future HP Security Bulletins 
via Email:
http://h30046.www3.hp.com/driverAlertProfile.php?regioncode=NA&langcode=USENG&jumpid=in_SC-GEN__driverITRC&topiccode=ITRC
On the web page: ITRC security bulletins and patch sign-up
Under Step1: your ITRC security bulletins and patches
-check ALL categories for which alerts are required and continue.
Under Step2: your ITRC operating systems
-verify your operating system selections are checked and save.

To update an existing subscription: http://h30046.www3.hp.com/subSignIn.php
Log in on the web page: Subscriber's choice for Business: sign-in.
On the web page: Subscriber's Choice: your profile summary - use Edit Profile 
to update appropriate sections.

To review previously published Security Bulletins visit: 
http://www.itrc.hp.com/service/cki/secBullArchive.do

* The Software Product Category that this Security Bulletin
relates to is represented by the 5th and 6th characters
of the Bulletin number in the title:

GN = HP General SW
MA = HP Management Agents
MI = Misc. 3rd Party SW
MP = HP MPE/iX
NS = HP NonStop Servers
OV = HP OpenVMS
PI = HP Printing & Imaging
ST = HP Storage SW
TL = HP Trusted Linux
TU = HP Tru64 UNIX
UX = HP-UX
VV = HP VirtualVault

System management and security procedures must be reviewed frequently to 
maintain system integrity. HP is continually reviewing and enhancing the 
security features of software products to provide customers with current secure 
solutions.

HP is broadly distributing this Security Bulletin in order to bring to the 
attention of users of the affected HP products the important security 
information contained in this Bulletin. HP recommends that all users determine 
the applicability of this information to their individual situations and take 
appropriate action. HP does not warrant that this information is necessarily 
accurate or complete for all user situations and, consequently, HP will not be 
responsible for any damages resulting from user's use or disregard of the 

DoS vulnerabilities in Firefox, Internet Explorer, Chrome and Opera

2010-06-15 Thread MustLive

Hello Bugtraq!

I want to warn you about Denial of Service vulnerabilities in Firefox,
Internet Explorer, Chrome and Opera. Which belong to type of DoS via
protocol handlers. Earlier I already wrote about DoS vulnerabilities in
Firefox, Internet Explorer, Chrome and Opera and DoS attacks on email
clients via protocol handlers. This new advisory will show you the situation
of browsers behavior with other protocol handlers.

All those who doubt that these DoS vulnerabilities in browsers and email
clients are security vulnerabilities, must read my first advisory on this
topic (http://www.securityfocus.com/archive/1/511327/30/0/threaded). Where I
mentioned about Mozilla's MFSA 2010-23
(http://www.mozilla.org/security/announce/2010/mfsa2010-23.html), for which
created CVE-2010-0181
(http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0181). If they
consider img with mailto (via redirect) as vulnerability, then iframes with
different protocols is indeed vulnerability (in browsers and email clients).

-
Advisory: DoS vulnerabilities in Firefox, Internet Explorer, Chrome and
Opera
-
URL: http://websecurity.com.ua/4283/
-
Affected products: Mozilla Firefox, Internet Explorer 6, Google Chrome,
Opera.
-
Timeline:

26.05.2010 - found vulnerabilities.
26.05.2010 - informed developers: Mozilla, Microsoft, Google and Opera.
12.06.2010 - disclosed at my site.
-
Details:

Now I'm informing about DoS in different browsers via protocols chrome, wmk
and outlook. Attacks via mail clients are also possible, as I wrote about in
corresponding advisory. These Denial of Service vulnerabilities belong to
type (http://websecurity.com.ua/2550/) blocking DoS and resources
consumption DoS. These attacks can be conducted as with using JS, as without
it (via creating of a page with large quantity of iframes).

DoS:

http://websecurity.com.ua/uploads/2010/Chrome%20&%20Opera%20DoS%20Exploit.html

This exploit for chrome protocol works in Google Chrome 1.0.154.48 and Opera
9.52.

In Chrome occurs blocking of the browser. And in Opera occurs resources
consumption (CPU and memory).

http://websecurity.com.ua/uploads/2010/Firefox,%20IE,%20Chrome%20&%20Opera%20DoS%20Exploit4.html

This exploit for wmk protocol works in Mozilla Firefox 3.0.19 (and besides
previous versions, it must work in 3.5.x and 3.6.x), Internet Explorer 6
(6.0.2900.2180), Google Chrome 1.0.154.48 and Opera 9.52.

For work of exploit the WebMoney Keeper Classic must be installed. In
browsers Firefox and IE occurs blocking and overloading of the system from
starting of WebMoney Keeper (also must work in IE8, but there was no
WebMoney Keeper at the computer with IE8 to check it). In Chrome occurs
blocking of the browser. And in Opera the attack is going without blocking,
only resources consumption (more slowly than in other browsers).

http://websecurity.com.ua/uploads/2010/Firefox,%20IE,%20Chrome%20&%20Opera%20DoS%20Exploit5.html

This exploit for outlook protocol works in Mozilla Firefox 3.0.19 (and
besides previous versions, it must work in 3.5.x and 3.6.x), Internet
Explorer 6 (6.0.2900.2180), Google Chrome 1.0.154.48 and Opera 9.52.

For work of exploit the Microsoft Outlook must be installed. In browsers
Firefox and IE occurs blocking and overloading of the system from starting
of Outlook (doesn't work in IE8). At that, if to allow automatic start of
the program handler of this protocol in Firefox, by setting checkbox, then
instead of blocking of the browser, there will be blocking and overloading of
the system (as occurs in IE). In Chrome occurs blocking of the browser.
And in Opera the attack is going without blocking, only resources
consumption (more slowly than in other browsers). If there is no Outlook at
the computer, then in Firefox occurs blocking of the browser, and in IE and
Opera occurs resources consumption.

Best wishes & regards,
MustLive
Administrator of Websecurity web site
http://websecurity.com.ua 





[SECURITY] [DSA 2060-1] New cacti packages fix SQL injection

2010-06-15 Thread Nico Golde
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- ---
Debian Security Advisory DSA-2060-1 secur...@debian.org
http://www.debian.org/security/  Nico Golde
June 13th, 2010  http://www.debian.org/security/faq
- ---

Package: cacti
Vulnerability  : insufficient input sanitization
Problem type   : remote
Debian-specific: no
Debian bug : 582691
CVE ID : CVE-2010-2092

Stefan Esser discovered that cacti, a front-end to rrdtool for monitoring
systems and services, is not properly validating input passed to the rra_id
parameter of the graph.php script.  Due to checking the input of $_REQUEST
but using $_GET input in a query an unauthenticated attacker is able to
perform SQL injections via a crafted rra_id $_GET value and an additional
valid rra_id $_POST or $_COOKIE value.


For the stable distribution (lenny), this problem has been fixed in
version 0.8.7b-2.1+lenny3.

For the testing distribution (squeeze), this problem will be fixed soon.

For the unstable distribution (sid), this problem has been fixed in
version 0.8.7e-4.


We recommend that you upgrade your cacti packages.

Upgrade instructions
- 

wget url
will fetch the file for you
dpkg -i file.deb
will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given below:

apt-get update
will update the internal database
apt-get upgrade
will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.


Debian GNU/Linux 5.0 alias lenny
- 

Debian (stable)
- ---

Stable updates are available for alpha, amd64, arm, armel, hppa, i386, ia64, 
mips, mipsel, powerpc, s390 and sparc.

Source archives:

  
  http://security.debian.org/pool/updates/main/c/cacti/cacti_0.8.7b-2.1+lenny3.dsc
    Size/MD5 checksum:     1117 bd9650c8f8a8cd1ab9bcf9385516948f
  http://security.debian.org/pool/updates/main/c/cacti/cacti_0.8.7b-2.1+lenny3.diff.gz
    Size/MD5 checksum:    37818 5a336fe8cf710c833521544c121827d2
  http://security.debian.org/pool/updates/main/c/cacti/cacti_0.8.7b.orig.tar.gz
    Size/MD5 checksum:  1972444 aa8a740a6ab88e3634b546c3e1bc502f

Architecture independent packages:

  
  http://security.debian.org/pool/updates/main/c/cacti/cacti_0.8.7b-2.1+lenny3_all.deb
    Size/MD5 checksum:  1855976 a7f99b878d484cb6efaab85357b53b66


  These files will probably be moved into the stable distribution on
  its next update.

- 
-
For apt-get: deb http://security.debian.org/ stable/updates main
For dpkg-ftp: ftp://security.debian.org/debian-security 
dists/stable/updates/main
Mailing list: debian-security-annou...@lists.debian.org
Package info: `apt-cache show pkg' and http://packages.debian.org/pkg
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)

iEYEARECAAYFAkwU+NYACgkQHYflSXNkfP+jBgCggIKGf/tX0g2M2zf0aXizh7gR
V7EAmwRVYu2tWL+5pzJCNj219Vu5QvaD
=6jQZ
-----END PGP SIGNATURE-----
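The DSA above describes a check/use mismatch: graph.php validates rra_id as read from $_REQUEST but interpolates the $_GET copy into the query, and $_REQUEST is a merge of $_GET, $_POST and $_COOKIE in which a later source overrides an earlier one. The added example below (written for this digest, not cacti's or boastMachine's own code) models that defect and shows the hardened form, which also covers the boastMachine mail.php "id" parameter from the first message: read one source, validate that exact value, and bind it as an integer. The table and column names (rra, id, name), the function names, and the use of an in-memory SQLite database through pdo_sqlite are assumptions made for the demonstration.

```php
<?php
declare(strict_types=1);

// Added example, not cacti's or boastMachine's own code. Table/column names
// and the pdo_sqlite demo database are assumptions for illustration only.

// Vulnerable pattern: the check reads one array, the query reads another.
// PHP builds $_REQUEST by merging $_GET, $_POST and $_COOKIE (order given by
// the request_order / variables_order ini settings), so a well-formed value
// supplied via POST or a cookie can satisfy the check while a different,
// never-validated $_GET value is pasted into the SQL string.
function graph_query_vulnerable(array $request, array $get): string
{
    if (!isset($request['rra_id']) || !ctype_digit($request['rra_id'])) {
        throw new InvalidArgumentException('invalid rra_id');
    }
    // Wrong source: $request was checked, but $get is what reaches the query.
    return 'SELECT id, name FROM rra WHERE id = ' . $get['rra_id'];
}

// Hardened pattern: one source, one validated value, one bound parameter.
// Even if the two superglobals disagree, only the value that was validated
// is used, and the driver sends it as a typed integer, not as SQL text.
function graph_query_hardened(array $get, PDO $db): array
{
    $raw = $get['rra_id'] ?? '';
    // Strict shape check: decimal digits only, bounded length.
    if (!is_string($raw) || !preg_match('/^\d{1,10}$/', $raw)) {
        throw new InvalidArgumentException('invalid rra_id');
    }
    $stmt = $db->prepare('SELECT id, name FROM rra WHERE id = :id');
    $stmt->bindValue(':id', (int) $raw, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Constructed request: a valid POST value masks a tampered GET value.
$get  = ['rra_id' => '1 OR 1=1'];   // constructed; never passes the check itself
$post = ['rra_id' => '1'];          // constructed; this is what the check sees
// With the default request_order "GP", POST entries override GET entries.
$request = array_merge($get, $post);

// The check passes on $request, but the tampered $get value ends up in the SQL.
echo "vulnerable: ", graph_query_vulnerable($request, $get), "\n";

// Demo database (assumed schema) for the hardened function.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE rra (id INTEGER PRIMARY KEY, name TEXT)');
$db->exec("INSERT INTO rra (id, name) VALUES (1, 'five minute'), (2, 'daily')");

try {
    graph_query_hardened($get, $db);
} catch (InvalidArgumentException $e) {
    // The same tampered value is rejected because it is validated where it is used.
    echo "hardened: rejected tampered rra_id\n";
}
// A well-formed value is bound as an integer and matches only its own row.
print_r(graph_query_hardened($post, $db));
```

The usable check in a review is mechanical: every superglobal read of a parameter should happen once, and the validated variable, not a fresh read of $_GET, $_POST, $_COOKIE or $_REQUEST, is what the query receives. Binding through PDO::PARAM_INT removes the string-concatenation path entirely, so a later mismatch between sources cannot reopen the injection.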



[ GLSA 201006-21 ] UnrealIRCd: Multiple vulnerabilities

2010-06-15 Thread Alex Legler
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory   GLSA 201006-21
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

  Severity: High
 Title: UnrealIRCd: Multiple vulnerabilities
  Date: June 14, 2010
  Bugs: #260806, #323691
ID: 201006-21

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis


Multiple vulnerabilities in UnrealIRCd might allow remote attackers to
compromise the unrealircd account, or cause a Denial of Service.

Background
==

UnrealIRCd is an Internet Relay Chat (IRC) daemon.

Affected packages
=

    -------------------------------------------------------------------
     Package              /  Vulnerable  /                   Unaffected
    -------------------------------------------------------------------
  1  net-irc/unrealircd      < 3.2.8.1-r1                  >= 3.2.8.1-r1

Description
===

Multiple vulnerabilities have been reported in UnrealIRCd:

* The vendor reported a buffer overflow in the user authorization
  code.

* The vendor reported that the distributed source code of UnrealIRCd
  was compromised and altered to include a system() call that could be
  called with arbitrary user input.

Impact
==

A remote attacker could exploit these vulnerabilities to cause the
execution of arbitrary commands with the privileges of the user running
UnrealIRCd, or a Denial of Service condition. NOTE: By default
UnrealIRCd on Gentoo is run with the privileges of the unrealircd
user.

Workaround
==

There is no known workaround at this time.

Resolution
==

All UnrealIRCd users should upgrade to the latest version:

# emerge --sync
# emerge --ask --oneshot --verbose =net-irc/unrealircd-3.2.8.1-r1

References
==

  [ 1 ] UnrealIRCd Security Advisory 20090413
http://www.unrealircd.com/txt/unrealsecadvisory.20090413.txt
  [ 2 ] UnrealIRCd Security Advisory 20100612
http://www.unrealircd.com/txt/unrealsecadvisory.20100612.txt

Availability


This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

  http://security.gentoo.org/glsa/glsa-201006-21.xml

Concerns?
=

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users machines is of utmost
importance to us. Any security concerns should be addressed to
secur...@gentoo.org or alternatively, you may file a bug at
https://bugs.gentoo.org.

License
===

Copyright 2010 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

http://creativecommons.org/licenses/by-sa/2.5

