Re: phpMyBible 0.5.1 Multiple XSS

2012-04-23 Thread Lostmon
Hi,
This is a discontinued product from 2007, but we can also apply a simple
patch to all the variables here:

### Vulnerable code 
$book = $_REQUEST['book'];
$chapter = $_REQUEST['chapter'];
$version = $_REQUEST['version'];
$curl = $_SERVER['REQUEST_URI'];
$searchword = $_REQUEST['searchword'];
#

# Patch here 
$book = intval($_REQUEST['book']);
$chapter = intval($_REQUEST['chapter']);
$version = htmlspecialchars($_REQUEST['version']);
$curl = $_SERVER['REQUEST_URI'];
$searchword = htmlspecialchars($_REQUEST['searchword']);
##

Thnx For your time !!
-- 
Sincerely:
Lostmon (lost...@gmail.com)
Web-Blog: http://lostmon.blogspot.com/
Google group: http://groups.google.com/group/lostmon
--
Curiosity is what moves the mind


FYI: We're now paying up to $20,000 for web vulns in our services

2012-04-23 Thread Michal Zalewski
Hey,

Hopefully this won't offend the moderators:

http://googleonlinesecurity.blogspot.com/2012/04/spurring-more-vulnerability-research.html

I suspect I know how the debate will be shaped - and I think I can
offer a personal insight. I helped shape our vulnerability reward
program from the start (November 2010), and I was surprised to see
that simply having an honest, no-nonsense, and highly responsive
process like this... well, it works for a surprisingly high number of
skilled researchers, even if you start with relatively modest rewards.

This puts an interesting spin on the conundrum of the black / gray
market vulnerability trade: you can't realistically outcompete all
buyers of weaponized exploits, but you can make the issue a lot less
relevant. By having several orders of magnitude more people reporting
bugs through a "white hat" channel, you are probably making
"underground" vulnerabilities a lot harder to find, and fairly
short-lived.

Cheers,
/mz


WebCalendar <= 1.2.4 Two Security Vulnerabilities

2012-04-23 Thread n0b0d13s

 WebCalendar <= 1.2.4 Two Security Vulnerabilities

 author.........: Egidio Romano aka EgiX
 mail...........: n0b0d13s[at]gmail[dot]com
 software link..: https://sourceforge.net/projects/webcalendar/


 [-] vulnerable code in /install/index.php (CVE-2012-1495)

 674.  $y = getPostValue ( 'app_settings' );
 675.  if ( ! empty ( $y ) ) {
 676.    $settings['single_user_login'] = getPostValue ( 'form_single_user_login' );
 677.    $settings['readonly'] = getPostValue ( 'form_readonly' );
 ...
 724.  // Save settings to file now.
 725.  if ( ! empty ( $x ) || ! empty ( $y ) ){
 726.    $fd = @fopen ( $file, 'w+b', false );
 727.    if ( empty ( $fd ) ) {
 728.      if ( @file_exists ( $file ) ) {
 729.        $onloadDetailStr =
 730.          translate ( 'Please change the file permissions of this file', true );
 731.      } else {
 732.        $onloadDetailStr =
 733.          translate ( 'Please change includes dir permission', true );
 734.      }
 735.      $onload = "alert('" . $errorFileWriteStr . $file. "\\n" .
 736.        $onloadDetailStr . ".');";
 737.    } else {
 738.      if ( function_exists ( "date_default_timezone_set" ) )
 739.        date_default_timezone_set ( "America/New_York");
 740.      fwrite ( $fd, " $v ) {
 743.        if ( $v != '' && $v != '' )
 744.          fwrite ( $fd, $k . ': ' . $v . "\r\n" );
 745.      }
 
 Restricted access to this script isn't properly realized, so an attacker
 might be able to update /includes/settings.php with arbitrary values or
 inject PHP code into it.
 
 
 [-] vulnerable code to LFI in /pref.php (CVE-2012-1496)

 70.  if ( ! empty ( $_POST ) && empty ( $error )) {
 71.    $my_theme = '';
 72.    $currenttab = getPostValue ( 'currenttab' );
 73.    save_pref ( $_POST, 'post' );
 74.
 75.    if ( ! empty ( $my_theme ) ) {
 76.      $theme = 'themes/'. $my_theme . '_pref.php';
 77.      include_once $theme;
 78.      save_pref ( $webcal_theme, 'theme' );
 79.    }

 Input passed through $_POST['pref_THEME'] isn't properly sanitized before
 being assigned to the $my_theme variable; this can be exploited to include
 arbitrary local files at line 77. Exploitation of this vulnerability
 requires authentication and magic_quotes_gpc = off.
 
 
 [-] Disclosure timeline:
 
 [02/10/2011] - Vulnerabilities discovered
 [04/10/2011] - Vendor notified to http://sourceforge.net/support/tracker.php?aid=3418570
 [20/02/2012] - First vendor response
 [28/02/2012] - Vendor fix committed to CVS
 [29/02/2012] - Version 1.2.5 released
 [02/03/2012] - CVE numbers requested
 [02/03/2012] - Assigned CVE-2012-1495 and CVE-2012-1496
 [23/04/2012] - Public disclosure


AST-2012-006: Remote Crash Vulnerability in SIP Channel Driver

2012-04-23 Thread Asterisk Security Team
   Asterisk Project Security Advisory - AST-2012-006

   Product:            Asterisk
   Summary:            Remote Crash Vulnerability in SIP Channel Driver
   Nature of Advisory: Remote Crash
   Susceptibility:     Remote Authenticated Sessions
   Severity:           Moderate
   Exploits Known:     No
   Reported On:        April 16, 2012
   Reported By:        Thomas Arimont
   Posted On:          April 23, 2012
   Last Updated On:    April 23, 2012
   Advisory Contact:   Matt Jordan < mjordan AT digium DOT com >
   CVE Name:

Description:
   A remotely exploitable crash vulnerability exists in the SIP channel
   driver if a SIP UPDATE request is processed within a particular window
   of time. For this to occur, the following must take place:

   1. The setting 'trustrpid' must be set to True.

   2. An UPDATE request must be received after a call has been terminated
      and the associated channel object has been destroyed, but before the
      SIP dialog associated with the call has been destroyed. Receiving
      the UPDATE request before the call is terminated or after the SIP
      dialog associated with the call has been destroyed will not cause
      the crash vulnerability described here.

   3. The UPDATE request must be formatted with the appropriate headers to
      reflect an Asterisk connected line update. The information in the
      headers must reflect a different Caller ID than what was previously
      associated with the dialog.

   When these conditions are true, Asterisk will attempt to perform a
   connected line update with no associated channel, and will crash.

Resolution:
   Asterisk now ensures a channel exists before performing a connected
   line update, when that connected line update is initiated via a SIP
   UPDATE request.

   In Asterisk versions not containing the fix for this issue, setting
   the 'trustrpid' setting to False will prevent this crash from
   occurring (default is False).

   Affected Versions
   Product                      Release Series
   Asterisk Open Source         1.8.x            All versions
   Asterisk Open Source         10.x             All versions
   Asterisk Business Edition    C.3.x            All versions

   Corrected In
   Product                      Release
   Asterisk Open Source         1.8.11.1, 10.3.1
   Asterisk Business Edition    C.3.7.4

   Patches
   SVN URL                                                             Revision
   http://downloads.asterisk.org/pub/security/AST-2012-006-1.8.diff    v1.8
   http://downloads.asterisk.org/pub/security/AST-2012-006-10.diff     v.10

   Links https://issues.asterisk.org/jira/browse/ASTERISK-19770   

Asterisk Project Security Advisories are posted at
http://www.asterisk.org/security  
  
This document may be superseded by later versions; if so, the latest  
version will be posted at 
http://downloads.digium.com/pub/security/AST-2012-006.pdf and 
http://downloads.digium.com/pub/security/AST-2012-006.html


AST-2012-005: Heap Buffer Overflow in Skinny Channel Driver

2012-04-23 Thread Asterisk Security Team
   Asterisk Project Security Advisory - AST-2012-005

   Product:            Asterisk
   Summary:            Heap Buffer Overflow in Skinny Channel Driver
   Nature of Advisory: Exploitable Heap Buffer Overflow
   Susceptibility:     Remote Authenticated Sessions
   Severity:           Minor
   Exploits Known:     No
   Reported On:        March 26, 2012
   Reported By:        Russell Bryant
   Posted On:          April 23, 2012
   Last Updated On:    April 23, 2012
   Advisory Contact:   Matt Jordan < mjordan AT digium DOT com >
   CVE Name:

Description:
   In the Skinny channel driver, KEYPAD_BUTTON_MESSAGE events are queued
   for processing in a buffer allocated on the heap, where each DTMF value
   that is received is placed on the end of the buffer. Since the length
   of the buffer is never checked, an attacker could send sufficient
   KEYPAD_BUTTON_MESSAGE events such that the buffer is overrun.

Resolution:
   The length of the buffer is now checked before appending a value to
   the end of the buffer.

   Affected Versions
   Product                      Release Series
   Asterisk Open Source         1.6.2.x          All Versions
   Asterisk Open Source         1.8.x            All Versions
   Asterisk Open Source         10.x             All Versions

   Corrected In
   Product                      Release
   Asterisk Open Source         1.6.2.24, 1.8.11.1, 10.3.1

   Patches
   SVN URL                                                              Revision
   http://downloads.asterisk.org/pub/security/AST-2012-005-1.6.2.diff   v1.6.2
   http://downloads.asterisk.org/pub/security/AST-2012-005-1.8.diff     v1.8
   http://downloads.asterisk.org/pub/security/AST-2012-005-10.diff      v10

   Links https://issues.asterisk.org/jira/browse/ASTERISK-19592   

Asterisk Project Security Advisories are posted at
http://www.asterisk.org/security  
  
This document may be superseded by later versions; if so, the latest  
version will be posted at 
http://downloads.digium.com/pub/security/AST-2012-005.pdf and 
http://downloads.digium.com/pub/security/AST-2012-005.html

Revision History
   Date         Editor         Revisions Made
   04/16/2012   Matt Jordan    Initial Release

   Asterisk Project Security Advisory - AST-2012-005
  Copyright (c) 2012 Digium, Inc. All Rights Reserved.
  Permission is hereby granted to distribute and publish this advisory in its
   original, unaltered form.
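The unchecked-append pattern the advisory describes, next to the bounds check that resolves it, as an added C example. This is not Asterisk source: the queue structure and the names dtmf_queue, dtmf_queue_push and dtmf_accept_count are hypothetical, and the queue holds one byte per DTMF digit only to keep the model small.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdlib.h>

/* Added example, not Asterisk code: a fixed-capacity heap buffer that
 * queues received DTMF digits, modelled on the advisory's description of
 * the KEYPAD_BUTTON_MESSAGE queue. All names are hypothetical. */
struct dtmf_queue {
    char  *buf;   /* heap-allocated storage for queued digits */
    size_t cap;   /* capacity in digits, fixed at allocation time */
    size_t len;   /* digits currently queued */
};

/* Allocate a queue holding at most `cap` digits; NULL on failure. */
static struct dtmf_queue *dtmf_queue_new(size_t cap)
{
    struct dtmf_queue *q = calloc(1, sizeof *q);
    if (!q)
        return NULL;
    q->buf = malloc(cap);
    if (!q->buf) {
        free(q);
        return NULL;
    }
    q->cap = cap;
    return q;
}

static void dtmf_queue_free(struct dtmf_queue *q)
{
    if (!q)
        return;
    free(q->buf);
    free(q);
}

/* The defect the advisory describes, shown only as a comment because it is
 * undefined behaviour once len reaches cap:
 *
 *     q->buf[q->len++] = digit;      // no check against q->cap
 *
 * Each extra keypad event then writes one byte past the allocation. */

/* Hardened append: refuse the digit when the queue is full, so an
 * unbounded stream of keypad events can never write past the allocation.
 * The caller decides whether a refused digit is dropped or signalled. */
static bool dtmf_queue_push(struct dtmf_queue *q, char digit)
{
    if (q->len >= q->cap)
        return false;
    q->buf[q->len++] = digit;
    return true;
}

/* Feed `n` keypad events into a queue of capacity `cap` and report how
 * many were accepted; with the check in place this never exceeds cap. */
static size_t dtmf_accept_count(size_t cap, size_t n)
{
    struct dtmf_queue *q = dtmf_queue_new(cap);
    size_t accepted = 0;
    if (!q)
        return 0;
    for (size_t i = 0; i < n; i++)
        if (dtmf_queue_push(q, (char)('0' + i % 10)))
            accepted++;
    dtmf_queue_free(q);
    return accepted;
}
```

The point of the shape is that the length check lives in the single append routine every event goes through, so no caller has to remember it; a stream of 500 events into an 8-digit queue leaves exactly 8 queued and the allocation intact.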



AST-2012-004: Asterisk Manager User Unauthorized Shell Access

2012-04-23 Thread Asterisk Security Team
   Asterisk Project Security Advisory - AST-2012-004

   Product:            Asterisk
   Summary:            Asterisk Manager User Unauthorized Shell Access
   Nature of Advisory: Permission Escalation
   Susceptibility:     Remote Authenticated Sessions
   Severity:           Minor
   Exploits Known:     No
   Reported On:        February 23, 2011
   Reported By:        David Woolley
   Posted On:          April 23, 2012
   Last Updated On:    April 23, 2012
   Advisory Contact:   Jonathan Rose < jrose AT digium DOT com >
   CVE Name:

Description:
   A user of the Asterisk Manager Interface can bypass a security check
   and execute shell commands when they lack permission to do so. Under
   normal conditions, a user should only be able to run shell commands if
   that user has System class authorization. Users could bypass this
   restriction by using the MixMonitor application with the originate
   action or by using either the GetVar or Status manager actions in
   combination with the SHELL and EVAL functions. The patch adds checks in
   each affected action to verify if a user has System class
   authorization. If the user does not have those authorizations, Asterisk
   rejects the action if it detects the use of any functions or
   applications that run system commands.

Resolution:
   Asterisk now performs checks against manager commands that cause these
   behaviors for each of the affected actions.

   Affected Versions
   Product                      Release Series
   Asterisk Open Source         1.6.2.x          All versions
   Asterisk Open Source         1.8.x            All versions
   Asterisk Open Source         10.x             All versions
   Asterisk Business Edition    C.3.x            All versions

   Corrected In
   Product                      Release
   Asterisk Open Source         1.6.2.24, 1.8.11.1, 10.3.1
   Asterisk Business Edition    C.3.7.4

   Patches
   SVN URL                                                              Revision
   http://downloads.asterisk.org/pub/security/AST-2012-004-1.6.2.diff   v1.6.2
   http://downloads.asterisk.org/pub/security/AST-2012-004-1.8.diff     v1.8
   http://downloads.asterisk.org/pub/security/AST-2012-004-10.diff      v10

   Links https://issues.asterisk.org/jira/browse/ASTERISK-17465   

Asterisk Project Security Advisories are posted at
http://www.asterisk.org/security  
  
This document may be superseded by later versions; if so, the latest  
version will be posted at 
http://downloads.digium.com/pub/security/AST-2012-004.pdf and 
http://downloads.digium.com/pub/security/AST-2012-004.html

Revision History
   Date         Editor           Revisions Made
   04/23/2012   Jonathan Rose    Initial Release


   Asterisk Project Security Advisory - AST-2012-004
  Copyright (c) 2012 Digium, Inc. All Rights Reserved.
  Permission is hereby granted to distribute and publish this advisory in its
   original, unaltered form.
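The authorization check the advisory describes, as an added C example rather than Asterisk's own patch: before a manager action runs on behalf of a user, the free-form application name and data it carries are scanned for names that run system commands, and the action is refused unless the user holds System class authorization. The name list, the MANAGER_PRIV_SYSTEM flag and the function names are hypothetical; the list covers the items the advisory names (SHELL, EVAL, MixMonitor) plus the System application.

```c
#include <ctype.h>
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

/* Added example, not Asterisk source. Manager actions such as Originate
 * (Application/Data) and GetVar/Status (Variable) carry free-form text
 * that may invoke dialplan functions or applications. Names here are
 * hypothetical; the list is the advisory's examples plus "System". */
static const char *const SYSTEM_CLASS_NAMES[] = {
    "SHELL", "EVAL", "System", "MixMonitor", NULL
};

/* Hypothetical authorization flags held by a manager user. */
enum { MANAGER_PRIV_SYSTEM = 1u << 0 };

static bool is_ident_char(char c)
{
    return isalnum((unsigned char)c) || c == '_';
}

/* Case-insensitive match of `word` starting at `s`, terminated by a
 * non-identifier character, so "SHELL(" matches but "myshell_var" does not. */
static bool word_at(const char *s, const char *word)
{
    size_t i = 0;
    for (; word[i]; i++)
        if (!s[i] || tolower((unsigned char)s[i]) != tolower((unsigned char)word[i]))
            return false;
    return !is_ident_char(s[i]);
}

/* True when `text` contains one of the system-command names as a whole
 * word anywhere, including inside ${...} expansions. NULL means no text. */
static bool names_system_command(const char *text)
{
    if (!text)
        return false;
    for (const char *p = text; *p; p++) {
        if (p != text && is_ident_char(p[-1]))
            continue;                       /* not at the start of a word */
        for (size_t k = 0; SYSTEM_CLASS_NAMES[k]; k++)
            if (word_at(p, SYSTEM_CLASS_NAMES[k]))
                return true;
    }
    return false;
}

/* Authorization decision for one manager action: a user with System class
 * authorization may proceed; anyone else is refused as soon as either the
 * application name or its data names a system-command primitive. */
static bool manager_action_allowed(unsigned privs, const char *application,
                                   const char *data)
{
    if (privs & MANAGER_PRIV_SYSTEM)
        return true;
    return !names_system_command(application) && !names_system_command(data);
}
```

The whole-word, case-insensitive match is the design choice worth noting: dialplan function names are case-insensitive, so a plain case-sensitive strstr would miss `shell(`, while a bare substring match would refuse harmless variable names that happen to contain the letters. The check is deliberately conservative; when in doubt it denies and lets the operator grant the System class explicitly.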



ChurchCMS 0.0.1 'admin.php' Multiple SQLi

2012-04-23 Thread Thomas Richards
# Exploit Title: ChurchCMS 0.0.1 'admin.php' Multiple SQLi
# Date: 04/21/12
# Author: G13
# Twitter: @g13net
# Software Link: http://sourceforge.net/projects/churchcms/?source=directory
# Version: 0.0.1
# Category: webapps (php)
#

# Description #

ChurchCMS is the software to place on your church's website that is
easily managed, self-intuitive, yet expandable via our module library.
Included features are: announcements, calendar, prayer requests
manager, and help wanted manager.

# Vulnerability #

The admin.php page has multiple SQL injection vulnerabilities. Both
the 'uname' and 'pass' parameters are vulnerable to SQL Injection.

The vulnerability exists via the POST method.

# Exploit #

POST http://localhost/churchcms/admin.php?op=login HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:11.0) Gecko/20100101 Firefox/11.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Proxy-Connection: keep-alive
Referer: http://localhost/churchcms/index.php
Cookie: PHPSESSID=eq342ldrgqt4i5fshe6q2kvj17
Content-Type: application/x-www-form-urlencoded
Content-length: 40

uname=[SQLi]&pass=[SQLi]

# Vendor Notification #

04/21/12 - Vendor notified

Per my disclosure policy, advisory is released.

http://www.g13net.com/vuln-disc.txt


.NET Framework EncoderParameter integer overflow vulnerability

2012-04-23 Thread Akita Software Security

.NET Framework EncoderParameter integer overflow vulnerability

Yorick Koster, September 2011


Abstract

An integer overflow vulnerability has been discovered in the
EncoderParameter class of the .NET Framework. Exploiting this
vulnerability results in an overflown integer that is used to allocate a
buffer on the heap. After the incorrect allocation, one or more
user-supplied buffers are copied in the new buffer, resulting in a
corruption of the heap.

By exploiting this vulnerability, it is possible for an application
running with Partial Trust permissions to break out of the CLR sandbox
and run arbitrary code with Full Trust permissions.


Affected versions

It has been verified that this vulnerability exists in the .NET
Framework versions 2.0, 3.0, 3.5 & 4. Earlier versions of the .NET
Framework may or may not be vulnerable as well, as the affected class is
also available in the .NET Framework versions 1.0 & 1.1.


See also

- MS12-025 [2]: Vulnerability in .NET Framework Could Allow Remote Code
Execution (2671605)
- KB2671605 [3] MS12-025: Vulnerabilities in the .NET Framework could
allow remote code execution: April 10, 2012
- SSD: [4] SecuriTeam Secure Disclosure program
- MS12-025 [5]: IKVM.NET Weblog


Fix

This issue was resolved with the release of MS12-025 [6]. It appears the
fix was part of a security push for System.Drawing.dll.


Introduction

The EncoderParameter class (System.Drawing.Imaging.EncoderParameter [7])
is used to pass a value, or an array of values, to an image encoder
(GDI+). An image encoder can be used to translate an Image or Bitmap
object to a particular file format, for example GIF, JPEG or PNG.

EncoderParameter is implemented in the System.Drawing.dll Assembly,
which is located in the Global Assembly Cache [8] (GAC). Consequently,
the Assembly is trusted by the .NET Framework and therefore this
Assembly will run with Full Trust permissions. In addition, the Assembly
is compiled with the AllowPartiallyTrustedCallers [9] attribute, which
allows it to be called from Assemblies running with Partial Trust
permissions.


Integer overflow

The EncoderParameter class contains various constructor methods. All of
these constructors allocate memory on the heap. The size of the
allocated buffer depends on the constructor's parameters. After
allocation, the values of these constructor parameters are copied into
the new buffer. For example the constructor EncoderParameter(Encoder,
Int64) accepts a 64-bit (8-byte) long value, thus 8 bytes are allocated
on the heap after which the value of the long parameter is copied into
this heap buffer. The heap buffer is freed by calling the Dispose()
method. This method is also called when the EncoderParameter object is
destroyed.

Some constructor methods accept one or more arrays. For these methods,
the number of allocated bytes is the size of one array member multiplied
by the number of members in the array. These methods do not check
whether the resulting integer value (used for heap allocation)
overflows. In some cases it is possible to trigger an integer overflow
resulting in the allocation of a buffer that is too small for the
supplied constructor parameters. Not all methods are exploitable as an
overly long array is required to trigger an integer overflow. The .NET
Framework limits the number of array members.

One constructor method (EncoderParameter(Encoder, Int32[], Int32[],
Int32[], Int32[])) appears to be very suitable for exploiting this
vulnerability. The implementation of this method is listed below.

public EncoderParameter(Encoder encoder,
    int[] numerator1, int[] denominator1,
    int[] numerator2, int[] denominator2)
{
    this.parameterGuid = encoder.Guid;
    if (numerator1.Length != denominator1.Length ||
        numerator1.Length != denominator2.Length ||
        denominator1.Length != denominator2.Length)
    {
        throw SafeNativeMethods.Gdip.StatusException(2);
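The size arithmetic the advisory describes (size of one array member multiplied by the number of members, with no overflow check) and the check that rejects a wrapped size, as an added C example. This is not .NET Framework or GDI+ code: the four-array layout mirrors EncoderParameter(Encoder, Int32[], Int32[], Int32[], Int32[]), the arithmetic is modelled in 32-bit unsigned terms rather than the class's signed Int32, and the names RATIONAL_ARRAYS, unchecked_alloc_size, checked_alloc_size, checked_size_is and alloc_rational_buffer are hypothetical.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdlib.h>

/* Added example, not .NET Framework or GDI+ code. Four equal-length int
 * arrays (numerator1, denominator1, numerator2, denominator2) are packed
 * into one native heap buffer whose size is length * arrays * 4 bytes.
 * The advisory says that product is unchecked; this models the wrap and
 * the check that prevents it. All names are hypothetical. */

#define RATIONAL_ARRAYS 4u   /* numerator1, denominator1, numerator2, denominator2 */
#define INT32_BYTES     4u   /* sizeof a 32-bit array element */

/* Unchecked size: the product silently wraps modulo 2^32, so a huge
 * element count can yield a tiny, even zero, allocation while the
 * subsequent copy still uses the full element count. */
static uint32_t unchecked_alloc_size(uint32_t length)
{
    return length * RATIONAL_ARRAYS * INT32_BYTES;
}

/* Checked size: compute in 64 bits and refuse anything that does not fit
 * the 32-bit size the allocator would receive. Returns false on overflow. */
static bool checked_alloc_size(uint32_t length, uint32_t *out)
{
    uint64_t total = (uint64_t)length * RATIONAL_ARRAYS * INT32_BYTES;
    if (total > UINT32_MAX)
        return false;
    *out = (uint32_t)total;
    return true;
}

/* Does the checked computation succeed and yield exactly `expect` bytes? */
static bool checked_size_is(uint32_t length, uint32_t expect)
{
    uint32_t bytes;
    return checked_alloc_size(length, &bytes) && bytes == expect;
}

/* Allocate the native buffer only after the size check passes; NULL means
 * the request was rejected (or the allocator failed). Copying the four
 * arrays into a buffer obtained this way can never exceed its size. */
static void *alloc_rational_buffer(uint32_t length)
{
    uint32_t bytes;
    if (length == 0 || !checked_alloc_size(length, &bytes))
        return NULL;
    return calloc(1, bytes);
}
```

With a length of 0x10000000 (2^28) the unchecked product is 2^32, which wraps to 0 bytes, so any copy of the arrays would land in a buffer of no size; the checked version refuses that length and accepts 0x0FFFFFFF, the largest that still fits. Rejecting before the allocation, rather than checking afterwards, is what keeps the copy from ever running against a mis-sized buffer.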

HTC IQRD Android Permission Leakage (CVE-2012-2217)

2012-04-23 Thread VSR Advisories
 VSR Security Advisory
   http://www.vsecurity.com/

-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-

Advisory Name: HTC IQRD Android Permission Leakage
 Release Date: 2012-04-20
  Application: IQRD on HTC Android Phones
       Author: Dan Rosenberg
Vendor Status: Patch Released
CVE Candidate: CVE-2012-2217
    Reference: http://www.vsecurity.com/resources/advisory/20120420-1/

-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-


Product Description
-------------------
The IQRD service is HTC's implementation of a Carrier IQ porting layer on
several HTC Android phones.  Carrier IQ is a data collection framework that may
be deeply integrated into the Android application stack in order to provide
cell carriers with detailed metrics data on device and network activity [1].
To complete the integration of Carrier IQ on a specific device, phone
manufacturers provide a "porting layer" that allows the Carrier IQ service to
perform specific actions that may vary by device.


Vulnerability Details
---------------------
On December 22nd, VSR identified a vulnerability in IQRD. The IQRD service
listens locally on a TCP socket bound to port 2479.  This socket is intended to
allow the Carrier IQ service to request device-specific functionality from
IQRD.  Unfortunately, there is no restriction or validation on which
applications may request services using this socket.  As a result, any
application with the android.permission.INTERNET permission may connect to this
socket and send specially crafted messages in order to perform potentially
malicious actions.

In particular, it is possible for malicious applications to:

1. Trigger UI popup messages

2. Generate tones

3. Send arbitrary outbound SMS messages that do not appear in a user's
   outbox, facilitating toll fraud

4. Retrieve a user's Network Access Identifier (NAI) and corresponding
   password, potentially allowing rogue devices to impersonate the user
   on a CDMA network


Versions Affected
-----------------
The issue is confirmed to affect the HTC EVO 4G, HTC EVO Design 4G, EVO Shift
4G, HTC EVO 3D, HTC EVO View 4G, and HTC Hero on Sprint; and the HTC Vivid on
AT&T.


Vendor Response
---------------
The following timeline details HTC's response to the reported issue:

2011-12-22    Vulnerability reported to HTC
2011-12-28    HTC confirms receipt, replies that fix is planned for early 2012
2012-03-10    VSR requests status update
2012-03-16    HTC confirms fix has been published
2012-03-26    HTC requests clarification on finding
2012-03-26    VSR provides clarification on finding, requests confirmation on
              status of fix
2012-04-02    HTC provides confirmation of fix, requests further clarification
2012-04-02    VSR provides clarification on finding
2012-04-12    VSR provides draft advisory to HTC
2012-04-13    HTC provides corrections to advisory, requests disclosure date
2012-04-20    Coordinated disclosure


Recommendation
--------------

HTC has issued a fix that will typically be provided as an OTA update by
affected cell carriers.  If the update has not automatically been installed, it
is possible to retrieve the update manually by navigating to Menu -> Settings
-> System Updates -> HTC Software Update -> Check Now.

The following software versions on Sprint are confirmed to resolve this issue:

HTC EVO 4G:         4.67.651.3
HTC EVO Design 4G:  2.12.651.5
HTC EVO Shift 4G:   2.77.651.3
HTC EVO 3D:         2.17.651.5
HTC EVO View 4G:    2.23.651.1

The following software versions on AT&T are confirmed to resolve this issue:

HTC Vivid:          3.26.502.56


All affected devices except the HTC Hero have received an over-the-air update.
HTC and Sprint have declined to update the HTC Hero, citing its 2009 release,
minimal current usage, and lack of malicious applications in the Android
Marketplace exploiting this vulnerability.

Users should be aware that devices that no longer receive updates due to
switching carriers may remain vulnerable.


Common Vulnerabilities and Exposures (CVE) Information
------------------------------------------------------
The Common Vulnerabilities and Exposures (CVE) project has assigned the number
CVE-2012-2217 to this issue.  This is a candidate for inclusion in the CVE list
(http://cve.mitre.org), which standardizes names for security problems.


Acknowledgements
----------------
Thanks to HTC for their response and fix.


-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-

References:

1. Carrier IQ
   http://www.carrieriq.com


-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-

This advisory is distributed for educational purposes only with the sincere
hope that it will help promote public safety.  This advisory comes with
absolutely NO WARRANTY; not even the implied warranty of merchantabilit

[HITB-Announce] HITB Magazine Issue 008 (now with print edition!)

2012-04-23 Thread Hafez Kamal

The 8th issue of the HITB Quarterly Magazine is now available for download!

http://magazine.hitb.org/

This edition is a little bit 'lighter' than previous issues as the
editorial team is busy working on an extra special release for our 10th
year anniversary conference in October, HITBSecConf2012 - Malaysia.

http://conference.hitb.org/hitbsecconf2012kul/

For the first time ever though, we're making print editions of the
magazine available (courtesy of HP MagCloud) - A print edition of the
HITB Quarterly is a perfect addition for your coffee table or office
reception area and we'll be making past issues also available for print
over the next couple of weeks.

We're hoping that print sales will allow us to pay our authors and
contributors for their articles, so ordering a print copy is a way for
you to help support them! Putting together content for the magazine is
practically a full time job and it would be nice to offer authors some
form of compensation for the time and energy taken to produce the high
quality articles that you all enjoy.

Enjoy the issue and hopefully see you at #HITB2012AMS in May:
http://conference.hitb.org/hitbsecconf2012ams/

---
Hafez Kamal
HITB Crew
Hack in The Box (M) Sdn. Bhd.
Suite 26.3, Level 26, Menara IMC,
No. 8 Jalan Sultan Ismail,
50250 Kuala Lumpur,
Malaysia

Tel: +603-20394724
Fax: +603-20318359



XSS and Blind SQL Injection Vulnerabilities in ExponentCMS

2012-04-23 Thread Netsparker Advisories
Information

Name :  XSS and Blind SQL Injection Vulnerabilities in ExponentCMS
Software :  ExponentCMS 2.0.5 and possibly below.
Vendor Homepage :  http://www.exponentcms.org
Vulnerability Type :  Cross-Site Scripting and SQL Injection
Severity :  Critical
Researcher :  Onur Yılmaz
Advisory Reference :  NS-12-006

Description

Exponent is a website content management system (or CMS) that allows
site owners to easily create and manage dynamic websites without
necessarily directly coding web pages, or managing site navigation.

Details

Exponent CMS is affected by XSS and SQL Injection vulnerabilities in
version 2.0.5.

Example PoC URLs are as follows:
http://example.com/index.php?section=(SELECT%201%20FROM%20(SELECT%20SLEEP(25))A)
http://example.com/index.php?action=showall_by_tags&tag=%27%22--%3E%3C/style%3E%3C/script%3E%3Cscript%3Ealert(1337)%3C/script%3E&controller=news&src=@random4e5433b85bb1f
http://example.com/index.php?controller=expTag&action=show&title=changes&src=%27%22--%3E%3C/style%3E%3C/script%3E%3Cscript%3Ealert(1337)%3C/script%3E

You can read the full article about Cross-Site Scripting and SQL
Injection vulnerabilities from here :
http://www.mavitunasecurity.com/crosssite-scripting-xss/
http://www.mavitunasecurity.com/sql-injection/

Solution

The vendor fixed this vulnerability in the new version. Please see the
references.

Advisory Timeline

12/03/2012 - First contact: Sent the vulnerability details
20/03/2012 - Vulnerability Fixed in latest version
25/04/2012 - Vulnerability Released

Credits

It was discovered during testing of Netsparker, Web Application
Security Scanner - http://www.mavitunasecurity.com/netsparker/.

References

Vendor Url / Patch :
http://exponentcms.org/news/-happy-hyperbole-v2-0-6-is-in-full-bloom
MSL Advisory Link :
http://www.mavitunasecurity.com/blog/xss-and-blind-sql-injection-vulnerabilities-in-exponentcms/
Netsparker Advisories : http://www.mavitunasecurity.com/netsparker-advisories/

About Netsparker

Netsparker® can find and report security issues such as SQL Injection
and Cross-site Scripting (XSS) in all web applications regardless of
the platform and the technology they are built on. Netsparker's unique
detection and exploitation techniques allow it to be dead accurate in
reporting, hence it is the first and the only False Positive Free web
application security scanner.

-- 
Netsparker Advisories, 
Homepage, http://www.mavitunasecurity.com/netsparker-advisories/


[Spam] Chengdu Bureau of Commerce - SQL Injection Vulnerability

2012-04-23 Thread Research
Title:
==
Chengdu Bureau of Commerce - SQL Injection Vulnerability


Date:
=
2012-04-23


References:
===
http://www.vulnerability-lab.com/get_content.php?id=312


VL-ID:
=
312


Introduction:
=
May 20, by my bureau composed of 10 members, participated in by the Chinese
Cycling Association, Chengdu Sports Bureau, Chong City People's Government's
second bike fans in Chengdu, China Fitness Festival Second station (Chong City)
match. Team members promote unity and cooperation, work hard, beyond the spirit
of self, fully demonstrating the business outlook of the bureau team has
achieved good results ever, won the Chengdu-class team of 28 community agencies
large group of 5 km Team finished sixth.

(Copy of the Vendor Homepage: http://www.cdmbc.gov.cn/detail.php?tid=236657 )


Abstract:
=
The Vulnerability Laboratory Research Team discovered a critical SQL Injection
Vulnerability in the Chengdu Bureau of Commerce website.


Report-Timeline:
================
2011-11-08: Vendor Notification
2011-11-09: Vendor Response/Feedback
2012-04-19: Vendor Fix/Patch
2011-04-20: Public or Non-Public Disclosure


Status:
=======
Published


Exploitation-Technique:
===
Remote


Severity:
=
Critical


Details:
========
A SQL Injection vulnerability is detected on the Chinese Academy Of Governance
website. The vulnerability is located in the list.php file when processing a
request via the unsanitized cid parameter. Remote attackers and privileged user
accounts can inject/execute their own SQL commands to compromise the affected
application DBMS.

Vulnerable Module(s):
[+] list.php - CID


Proof of Concept:
=
The SQL Injection vulnerability can be exploited by remote attackers without
user interaction. For demonstration or reproduce ...

Site:   www.cdmbc.gov.cn/ist.php?cid=
Path:   /ist.php?cid=
File:   list.php?cid=
Value:  ?cid=[SQL Injection]


Solution:
=
CLOSED BY COORDINATION OF CHINA NATIONAL VULNERABILITY DATABASE FOR INFORMATION
SECURITY (CNNVD PARTNERS).


Risk:
=
The security risk of the remote SQL Injection vulnerability is estimated as
critical.


Credits:
========
Vulnerability Research Laboratory - Chokri Ben Achor
(meis...@vulnerability-lab.com) & Benjamin Kunz Mejri
(rem...@vulnerability-lab.com)


Disclaimer:
===
The information provided in this advisory is provided as it is without any
warranty. Vulnerability-Lab disclaims all warranties, either expressed or
implied, including the warranties of merchantability and capability for a
particular purpose. Vulnerability-Lab or its suppliers are not liable in any
case of damage, including direct, indirect, incidental, consequential loss of
business profits or special damages, even if Vulnerability-Lab or its suppliers
have been advised of the possibility of such damages. Some states do not allow
the exclusion or limitation of liability for consequential or incidental
damages so the foregoing limitation may not apply. Any modified copy or
reproduction, including partially usages, of this file requires authorization
from Vulnerability-Lab. Permission to electronically redistribute this alert in
its unmodified form is granted. All other rights, including the use of other
media, are reserved by Vulnerability-Lab or its suppliers.

Copyright © 2012 Vulnerability-Lab




-- 
VULNERABILITY RESEARCH LABORATORY TEAM
Website: www.vulnerability-lab.com
Mail: resea...@vulnerability-lab.com




PSFTP v.1.8 Build 921 - Null Pointer (DoS) Vulnerability

2012-04-23 Thread Research
Title:
==
PSFTP v.1.8 Build 921 - Null Pointer (DoS) Vulnerability


Date:
=
2012-04-23


References:
===
http://www.vulnerability-lab.com/get_content.php?id=523


VL-ID:
=
523


Introduction:
=
PSFtp is a user-friendly, ergonomic, compact and reliable FTP client with a
large feature set. What is an FTP client? It is a program (some simply call it
an FTP program) that is comparable to a file manager. The difference is that it
does not access another partition or another drive, but a computer on the
Internet - an FTP server. An FTP client is ideally suited to maintaining a
homepage (and of course not only that). For example, you can easily upload your
homepage files to an FTP server or download any files from it.

(Copy of the Vendor Homepage: http://www.psftp.de/index.php )


Abstract:
=
The Vulnerability Laboratory Research Team discovered a Null Pointer
Dereference (DoS) Vulnerability in PSFTP v.1.8 Build 921.


Report-Timeline:
================
2012-04-23: Public or Non-Public Disclosure


Status:
=======
Published


Exploitation-Technique:
===
Local


Severity:
=
Medium


Details:
========
A Null Pointer Dereference (DoS) Vulnerability is detected in PSFTP v.1.8 Build
921. The vulnerability allows a local privileged user to crash the service with
a persistent (stable) effect. The bug is located in the processing of large
unicode keys loaded through the license management box of the PSFTP client
software. The inserted unicode or numeric string gets saved to PSFTP_Key.dat,
which results in the stable null pointer dereference crash after the software
is restarted. Successful exploitation results in a stable (BEX exception)
application (StackHash_e98d) crash.

Vulnerable Module(s):
[+] PSFTP_Key


--- Windows Error Reports ---
Version=1
EventType=BEX
EventTime=129792568365093863
ReportType=2
Consent=1
ReportIdentifier=79865f7e-899a-11e1-98b1-a88e8292e5db
IntegratorReportIdentifier=79865f7d-899a-11e1-98b1-a88e8292e5db
WOW64=1
Response.type=4
Sig[0].Name=Anwendungsname
Sig[0].Value=PSFtp.exe
Sig[1].Name=Anwendungsversion
Sig[1].Value=1.8.1.921
Sig[2].Name=Anwendungszeitstempel
Sig[2].Value=2a425e19
Sig[3].Name=Fehlermodulname
Sig[3].Value=StackHash_e98d
Sig[4].Name=Fehlermodulversion
Sig[4].Value=0.0.0.0
Sig[5].Name=Fehlermodulzeitstempel
Sig[5].Value=
Sig[6].Name=Ausnahmeoffset
Sig[6].Value=
Sig[7].Name=Ausnahmecode
Sig[7].Value=c005
Sig[8].Name=Ausnahmedaten
Sig[8].Value=0008
DynamicSig[1].Name=Betriebsystemversion
DynamicSig[1].Value=6.1.7601.2.1.0.768.3
DynamicSig[2].Name=Gebietsschema-ID
DynamicSig[2].Value=1031
DynamicSig[22].Name=Zusatzinformation 1
DynamicSig[22].Value=e98d
DynamicSig[23].Name=Zusatzinformation 2
DynamicSig[23].Value=e98dfca8bcf81bc1740adb135579ad53
DynamicSig[24].Name=Zusatzinformation 3
DynamicSig[24].Value=6eab
DynamicSig[25].Name=Zusatzinformation 4
DynamicSig[25].Value=6eabdd9e0dc94904be3b39a1c0583635
UI[2]=C:\Program Files (x86)\PSFtp\PSFtp.exe
UI[3]=PSFtp - FTP FTPS SFTP Client funktioniert nicht mehr
UI[4]=Windows kann online nach einer Lösung für das Problem suchen.
UI[5]=Online nach einer Lösung suchen und das Programm schließen
UI[6]=Später online nach einer Lösung suchen und das Programm schließen
UI[7]=Programm schließen
LoadedModule[0]=C:\Program Files (x86)\PSFtp\PSFtp.exe
LoadedModule[1]=C:\Windows\SysWOW64\ntdll.dll
LoadedModule[2]=C:\Windows\syswow64\kernel32.dll
...   ...   ...
LoadedModule[30]=C:\Windows\system32\wsock32.dll
LoadedModule[31]=C:\Windows\syswow64\WS2_32.dll
LoadedModule[32]=C:\Windows\syswow64\NSI.dll
LoadedModule[33]=C:\Windows\system32\hhctrl.ocx
LoadedModule[34]=C:\Windows\system32\IMM32.DLL
LoadedModule[35]=C:\Windows\syswow64\MSCTF.dll
LoadedModule[36]=C:\Windows\system32\uxtheme.dll
FriendlyEventName=Nicht mehr funktionsfähig
ConsentKey=BEX
AppName=PSFtp - FTP FTPS SFTP Client
AppPath=C:\Program Files (x86)\PSFtp\PSFtp.exe




Picture(s):
../1.png
../2.png


Risk:
=
The security risk of the null pointer (dos) vulnerability is estimated as 
medium(-).


Credits:

Vulnerability Laboratory [Research Team]  -N/A  Anonymous


Disclaimer:
===
The information provided in this advisory is provided as it is without any 
warranty. Vulnerability-Lab disclaims all warranties, 
either expressed or implied, including the warranties of merchantability and 
capability for a particular purpose. Vulnerability-
Lab or its suppliers are not liable in any case of damage, including direct, 
indirect, incidental, consequential loss of business 
profits or special damages, even if Vulnerability-Lab or it

[Suspected Spam] Havalite CMS v1.0.4 - Multiple Web Vulnerabilities

2012-04-23 Thread Research
Title:
==
Havalite CMS v1.0.4 - Multiple Web Vulnerabilities


Date:
=
2012-04-23


References:
===
http://www.vulnerability-lab.com/get_content.php?id=520


VL-ID:
=
520


Introduction:
=
Havalite is a lightweight, open source CMS based on PHP and SQLite. It's 
licensed under the GNU General Public License.

- A Mobile Detector to switch in Mobile mode
- Simple 1 step wizard installation
- Text, Images and swf files all saved as data in Sqlite Database
- Two different image sizes: Original and Thumbnail
- Backup for the whole system including images in only one Sqlite file. SqLite3 
and above allows storing Blobs and a better Utf-8 performance
- Export database to any Server without changing a single line or database 
structure.
- A lite weight and clear interface
- Many Interface languages done on the fly with our language Creator Tool
- FCKEditor a great WYSIWYG Text-Editor
- integration of third-party Plugins, specially jQuery, with the ability of 
plugin configuration
- plenty of useful functions for Theme creation + Theme Preview, and Plugins 
Creation
- RSS Feeds for Posts, Categories and Comments

(Copy of the Vendor Homepage: http://havalite.com )



Abstract:
=
The Vulnerability Laboratory Researcher Team discovered multiple Web 
Vulnerabilities in Havalite CMS v1.0.4.


Report-Timeline:

2012-04-23: Public or Non-Public Disclosure


Status:

Published


Exploitation-Technique:
===
Remote


Severity:
=
Medium


Details:

1.1
Multiple persistent input validation vulnerabilities are detected in Havalite 
v1.0.4 Content Management System.
The bugs allow remote attackers to implement/inject malicious script code on 
the application side (persistent).
Successful exploitation of the vulnerability can lead to session hijacking 
(manager/admin) or stable (persistent) 
context manipulation. Exploitation requires low user interaction because the 
admin needs to watch the user list.
The user includes his script code as profile name and the code gets executed 
persistently in the administrator section.


Vulnerable Module(s):
[+] findReplace - Input/Output Listing
[+] Username Profile Input & Username Login or 
Input Message Miscellaneous [postAuthor]

Picture(s):
../1.png
../2.png


1.2
Multiple non-persistent cross site scripting vulnerabilities are detected in 
Havalite v1.0.4 Content Management System.
The vulnerability allows remote attackers to hijack website customer, moderator 
or admin sessions with high required 
user interaction or a local low privileged user account. Successful exploitation 
can result in account theft, phishing 
& client-side content request manipulation.


Vulnerable Module(s):
[+] postID
[+] userID
[+] linkID

Picture(s):
../3.png
../4.png


Proof of Concept:
=
1.1
The persistent input validation vulnerabilities can be exploited by remote 
attackers with low or medium required 
user interaction. For demonstration or reproduce ...

Review: findReplace - Replace


Find:


Replace:



Find only
Find and Replace


http://127.0.0.1:8080/havalite/findReplace.php


Review: Login Username Form & Edit Article Module


Username



URL: http://127.0.0.1:8080/havalite/hava_login.php

... or via miscellaneous module postAuthor

 
Date: 

URL: http://127.0.0.1:8080/havalite/hava_post.php?postId=1


1.2
The client side cross site scripting vulnerabilities can be exploited by remote 
attackers with medium or high required 
user interaction. For demonstration or reproduce ...

PoC:
http://127.0.0.1:8080/havalite/hava_post.php?postId=%22%3E%3Ciframe%20src=a%20onload=alert%28%22VL%22%29%20%3C
http://127.0.0.1:8080/havalite/hava_user.php?userId=>"http://www.vulnerability-lab.com>
http://127.0.0.1:8080/havalite/hava_link.php?linkId=1%22%3E%3Ciframe%20src=a%20onload=alert%28%22VL%22%29%20%3C


Risk:
=
1.1
The security risk of the persistent input validation vulnerabilities is 
estimated as medium(+).

1.2
The security risk of the client side cross site scripting vulnerabilities is 
estimated as low(+).


Credits:

Vulnerability Laboratory [Research Team]   -Benjamin Kunz Mejri (Rem0ve)


Disclaimer:
===
The information provided in this advisory is provided as it is without any 
warranty. Vulnerability-Lab disclaims all warranties, 
either expressed or implied, including the warranties of merchantability and 
capability for a particular purpose. Vulnerability-
Lab or its suppliers are not liable in any case of damage, including direct, 
indirect, incidental, consequential loss of business 
profits or special damages, even if Vulnerability-Lab or its suppliers have 

[Suspected Spam] IPhone TreasonSMS - HTML Inject & File Include Vulnerability

2012-04-23 Thread Research
Title:
==
IPhone TreasonSMS - HTML Inject & File Include Vulnerability


Date:
=
2012-04-23


References:
===
http://www.vulnerability-lab.com/get_content.php?id=154


VL-ID:
=
154


Introduction:
=
treasonSMS allows you to send SMS from your desktop computer. It turns your 
iPhone into an SMS webserver, so you can send 
SMS and reply to SMS from your computer over wifi. Confirmed working with FF 
3.5, Safari and IE8.

(Copy of the Vendor Homepage: http://code.google.com/p/treasonsms/)


Abstract:
=
Vulnerability-Lab Team discovered multiple remote Web Vulnerabilities on 
treasonSMS Webserver for IPhone.


Report-Timeline:

2011-04-23: Public or Non-Public Disclosure


Status:

Published


Exploitation-Technique:
===
Remote


Severity:
=
High


Details:

An HTML Inject & a File Include vulnerability is detected in the TreasonSMS 
iPhone application. The vulnerability allows a 
remote attacker to include malicious persistent script code on the 
application side of the iPhone. This way also allows the
attacker to inject, for example, webshell scripts to get control of the 
affected application folder. When the iPhone is 
jailbroken, exploitation of the vulnerability can also result in full control 
of the affected iPhone. The bug is located in the 
input fields of the Message Sending & Message Output. An attacker can scan the 
victim on walkthrough because the IP 
of the webserver makes treasonSMS available to anybody without a password.
To exploit somebody on a walkthrough it is only required to scan for the stable 
IP via WLAN and access the panel for exploitation.

Vulnerable Module(s):
[+] Send Messages, Kontakte & List Messages

Affected Version(s):
[+] treasonSMS-1.0.8-src 
[+] treasonSMS-1.0.8-deb

Picture(s):
../1.jpg
../treasonSMS-fileload_malware.png
../treasonSMS-mozilla_exploitation.png
../treasonSMS-Safari_exploitation1.png
../treasonSMS-Safari_exploitation2.jpg


Proof of Concept:
=
The vulnerability can be exploited by remote attackers. For demonstration or 
reproduce ...

2010-12-28 
18:49:22
Wir sind schon los, zuspatkommen macht keinen guten 
Eindruck.

2011-01-31 17:48:05+49 176 562533492011-02-11 
23:16:15Bin jetzt mit dem Minicar unterwegs zum MT..sonst wird das so 
spät.​2011-02-13 
00:50:57>"http://www.global-evolution.info"; height="600" width="600">2011-02-13 
00:52:34
>"<<== INCLUDE SCRIPTCODE;Webshell+SAFARI 
EXPLOIT HERE!><
div class='msgBottom'>&
lt;/span>​


Risk:
=
The security risk of the web vulnerabilities is estimated as high(+).


Credits:

Vulnerability Laboratory [Research Team] - Benjamin Kunz Mejri (Rem0ve)


Disclaimer:
===
The information provided in this advisory is provided as it is without any 
warranty. Vulnerability-Lab disclaims all warranties, 
either expressed or implied, including the warranties of merchantability and 
capability for a particular purpose. Vulnerability-
Lab or its suppliers are not liable in any case of damage, including direct, 
indirect, incidental, consequential loss of business 
profits or special damages, even if Vulnerability-Lab or its suppliers have 
been advised of the possibility of such damages. Some 
states do not allow the exclusion or limitation of liability for consequential 
or incidental damages so the foregoing limitation 
may not apply. Any modified copy or reproduction, including partially usages, 
of this file requires authorization from Vulnerability-
Lab. Permission to electronically redistribute this alert in its unmodified 
form is granted. All other rights, including the use of 
other media, are reserved by Vulnerability-Lab or its suppliers.

Copyright © 2011 
Vulnerability-Lab




-- 
VULNERABILITY RESEARCH LABORATORY TEAM
Website: www.vulnerability-lab.com
Mail: resea...@vulnerability-lab.com




phpMyBible 0.5.1 Multiple XSS

2012-04-23 Thread Thomas Richards
# Exploit Title: phpMyBible 0.5.1 Multiple XSS
# Date: 04/15/12
# Author: G13
# Twitter: @g13net
# Software http://sourceforge.net/projects/phpmybible/?source=directory
# Version: 0.5.1
# Category: webapps (php)
#

# Description #

phpMyBible is an online collaborative project to make an e-book of the
Holy Bible in as many languages as possible. phpMyBible is designed
to be flexible to all readers while maintaining the authenticity and
originality of the Holy Bible scripture.

# Vulnerability #

phpMyBible has multiple XSS vulnerabilities.

When reading a section of the Bible, both the 'version' and 'chapter'
variables are prone to reflected XSS.

# Exploit #

http://localhost/index.php?book=1&version=[XSS]&chapter=[XSS]

# Vendor Notification #

04/15/12 - Vendor Notified
04/22/12 - No response, disclos


[ MDVSA-2012:063 ] libreoffice

2012-04-23 Thread security
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

 ___

 Mandriva Linux Security Advisory MDVSA-2012:063
 http://www.mandriva.com/security/
 ___

 Package : libreoffice
 Date: April 21, 2012
 Affected: 2011.
 ___

 Problem Description:

 An XML External Entity expansion flaw was found in the way Raptor
 processed RDF files. If an application linked against Raptor were to
 open a specially-crafted RDF file, it could possibly allow a remote
 attacker to obtain a copy of an arbitrary local file that the user
 running the application had access to. A bug in the way Raptor handled
 external entities could cause that application to crash or, possibly,
 execute arbitrary code with the privileges of the user running the
 application (CVE-2012-0037).
 
 libreoffice for Mandriva Linux 2011 has been upgraded to the 3.4.6
 version which is not vulnerable to this issue.
 ___

 References:

 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0037
 http://www.libreoffice.org/advisories/CVE-2012-0037/
 ___

 Updated Packages:


[ MDVSA-2012:062 ] openoffice.org

2012-04-23 Thread security
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

 ___

 Mandriva Linux Security Advisory MDVSA-2012:062
 http://www.mandriva.com/security/
 ___

 Package : openoffice.org
 Date: April 21, 2012
 Affected: Enterprise Server 5.0
 ___

 Problem Description:

 An XML External Entity expansion flaw was found in the way Raptor
 processed RDF files. If an application linked against Raptor were to
 open a specially-crafted RDF file, it could possibly allow a remote
 attacker to obtain a copy of an arbitrary local file that the user
 running the application had access to. A bug in the way Raptor handled
 external entities could cause that application to crash or, possibly,
 execute arbitrary code with the privileges of the user running the
 application (CVE-2012-0037).
 
 The updated packages have been patched to correct this issue.
 ___

 References:

 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0037
 http://www.libreoffice.org/advisories/CVE-2012-0037/
 ___

 Updated Packages:


[ MDVSA-2012:061 ] raptor

2012-04-23 Thread security
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

 ___

 Mandriva Linux Security Advisory MDVSA-2012:061
 http://www.mandriva.com/security/
 ___

 Package : raptor
 Date: April 21, 2012
 Affected: 2010.1, 2011., Enterprise Server 5.0
 ___

 Problem Description:

 An XML External Entity expansion flaw was found in the way Raptor
 processed RDF files. If an application linked against Raptor were to
 open a specially-crafted RDF file, it could possibly allow a remote
 attacker to obtain a copy of an arbitrary local file that the user
 running the application had access to. A bug in the way Raptor handled
 external entities could cause that application to crash or, possibly,
 execute arbitrary code with the privileges of the user running the
 application (CVE-2012-0037).
 
 The updated packages have been patched to correct this issue.
 
 raptor2 for Mandriva Linux 2011 has been upgraded to the 2.0.7 version
 which is not vulnerable to this issue.
 ___

 References:

 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0037
 http://www.libreoffice.org/advisories/CVE-2012-0037/
 ___

 Updated Packages:

 ___

 To upgrade automatically use MandrivaUpdate or urpmi.  The verification
 of md5 checksums and GPG signatures is performed automatically for you.

 All packages are signed by Mandriva for security.  You can obtain the
 GPG public key of the Mandriva Security Team by executing:

  gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98

 You can view other update advisories for Mandriva Linux at:

  http://www.mandriva.com/security/advisories

 If you want to report vulnerabili

Re: Squid URL Filtering Bypass

2012-04-23 Thread Gabriel Menezes Nunes
Hi,

I tested against a server that I do not have access to the config
file, but I did some tests in a new installation of Squid and the acl
that allows CONNECT only in the SSL_PORTS works well against the CONNECT
to GET translation attack, because the CONNECT method will not work
for port 80. But the method of converting Host to IP still works.
Squid does a better job than McAfee Web Gateway.
But it is still possible to access any site with SSL enabled, like
GMail, Facebook and Youtube (known sites that are filtered in most
companies).
Another possible attack is to find a web proxy on the internet that
allows SSL connections (there are several of them in Google!). This way,
the attacker will access the normal sites (port 80) through this web
proxy and the web proxy through Squid.
McAfee Web Gateway blocks several of these web proxies in the regular
configuration. But the appliance is vulnerable to the attacks
mentioned.
One radical method is to block any connection with just the IP
address. Force the user to use DNS hostnames. I do not know if it is
practical, but it will stop the attack.
Many people say that it is not an attack, it is the normal working of the SSL
CONNECT tunnel, but I guess if you block a site in your
institution/company and the users can access this site, it is a
vulnerability! So, why did you install a proxy, if you can't block
anything?
People will waste your bandwidth with videos, access porn and malware
sites without a problem. For me, it is a serious vulnerability.

Thanks for the feedback and the discussion.

Gabriel Menezes Nunes

> Can you please email these details and the squid.conf used to find it to
> the security bugs reporting address bugs at squid-cache.org.
>
> This appears to be an aspect of same-origin bypass (CVE-2009-0801) or
> something closely related.
>
> Thank You
> Amos Jeffries
> Squid Software Foundation
>


Re: McAfee Web Gateway URL Filtering Bypass

2012-04-23 Thread Vikram Dhillon
Hello,

We might be able to fix this by simply doing a ping to the website
before connecting, so that the IP of the host specified matches the
connect field. In any case, the consistency of the host and connect is
indeed a big design flaw.

- Vikram

On Mon, Apr 16, 2012 at 6:12 PM, Gabriel Menezes Nunes
 wrote:
> # Exploit Title: McAfee Web Gateway URL Filtering Bypass
> # Date: 16/04/2012
> # Author: Gabriel Menezes Nunes
> # Version: McAfee Web Gateway
> # Tested on: McAfee Web Gateway 7.0
> # CVE: CVE-2012-2212
>
>
> I found a vulnerability in McAfee Web Gateway 7 that allows access to
> filtered sites.
> The appliance believes in the Host field of HTTP Header using CONNECT method.
> Example
>
> CONNECT 66.220.147.44:443 HTTP/1.1
> Host: www.facebook.com
>
>
> It is blocked.
>
> CONNECT 66.220.147.44:443 HTTP/1.1 (without host field)
>
> It is blocked.
>
> But:
>
> CONNECT 66.220.147.44:443 HTTP/1.1
> Host: www.uol.com.br (allowed url)
>
> The connection works.
>
> From here, I can send SSL traffic without a problem. This way, I can
> access any blocked site that allows SSL connections.
> Another test that I did is converting GET methods into CONNECT methods.
>
> GET http://www.facebook.com HTTP/1.1
> Host: www.facebook.com
>
> in
>
> CONNECT 66.220.147.44:80 HTTP/1.1
> Host: www.uol.com.br
>
> It will connect.
>
> and after it is possible to send the GET packets. It will work!
>
> This vulnerability is different from the CONNECT Tunnel method. The
> flaw is on the Host field processing. The appliance believes on this
> field.
>
> So, any site can be accessed. URL filtering in this device/software
> is irrelevant and useless.
> One of the most important (if not the most important) feature of this
> kind of device is to protect the network in accessing specific URLs.
> So, this flaw is very dangerous, and it can be implemented even in
> malware, bypassing any protection.
> I developed a python script that acts like a proxy and it uses this
> flaw to access any site.
> This tool is just a proof of concept.



-- 
Regards,
Vikram Dhillon

~~~
To perceive is to suffer.


Re: Squid URL Filtering Bypass

2012-04-23 Thread Amos Jeffries

On 17/04/2012 10:11 a.m., Gabriel Menezes Nunes wrote:

# Exploit Title: Squid URL Filtering Bypass
# Date: 16/04/2012
# Author: Gabriel Menezes Nunes
# Version: Squid Proxy
# Tested on: Squid Proxy 3.1.19
# CVE: CVE-2012-2213


I found a vulnerability in Squid Proxy that allows access to filtered sites.
The software believes in the Host field of HTTP Header using CONNECT method.
Example

CONNECT 66.220.147.44:443 HTTP/1.1
Host: www.facebook.com


It is blocked.

CONNECT 66.220.147.44:443 HTTP/1.1 (without host field)

It is blocked.

But:

CONNECT 66.220.147.44:443 HTTP/1.1
Host: www.uol.com.br (allowed url)

The connection works.

 From here, I can send SSL traffic without a problem. This way, I can
access any blocked site that allows SSL connections.


This vulnerability is different from the CONNECT Tunnel method. The
flaw is on the Host field processing. The software believes on this
field.

So, any site can be accessed. URL filtering in this software is
irrelevant and useless.
One of the most important (if not the most important) feature of this
kind of device is to protect the network in accessing specific URLs.
So, this flaw is very dangerous, and it can be implemented even in
malware, bypassing any protection.
I developed a python script that acts like a proxy and it uses this
flaw to access any site.
This tool is just a proof of concept.


Can you please email these details and the squid.conf used to find it to 
the security bugs reporting address bugs at squid-cache.org.


This appears to be an aspect of same-origin bypass (CVE-2009-0801) or 
something closely related.


Thank You
Amos Jeffries
Squid Software Foundation
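The Host/CONNECT inconsistency raised in both the Squid and the McAfee Web Gateway threads, as an added Python example that is not code from Squid, McAfee or any of the posters: it models the decision the threads describe (the Host header is trusted as the filtering subject) next to a hardened decision that filters on the CONNECT authority, requires the Host header to agree with it (the resolution check Vikram proposes) and can refuse IP-literal targets outright (the "force DNS hostnames" option Gabriel mentions). The blocklist, the resolver and every address except the one quoted in the thread are constructed stand-ins so the block runs offline.

```python
"""Consistency check for HTTP CONNECT requests at a filtering proxy.

Added example, not code from Squid, McAfee Web Gateway or any poster in
the threads above. BLOCKED_HOSTS, FAKE_DNS and 203.0.113.10 / 198.51.100.7
are constructed; 66.220.147.44 is the address quoted in the thread.
"""
import ipaddress
from typing import Callable, Dict, Optional, Set, Tuple

BLOCKED_HOSTS = {"www.facebook.com"}   # constructed filtering policy
SSL_PORTS = {443}                      # the only ports CONNECT may reach

# Offline stand-in for DNS lookups (constructed).
FAKE_DNS: Dict[str, Set[str]] = {
    "www.facebook.com": {"66.220.147.44"},
    "www.uol.com.br": {"203.0.113.10"},
}
Resolver = Callable[[str], Set[str]]


def fake_resolve(name: str) -> Set[str]:
    return FAKE_DNS.get(name.lower().rstrip("."), set())


def build_connect(authority: str, host_header: Optional[str] = None) -> str:
    """Assemble a raw CONNECT request like the ones shown in the thread."""
    req = f"CONNECT {authority} HTTP/1.1\r\n"
    if host_header is not None:
        req += f"Host: {host_header}\r\n"
    return req + "\r\n"


def parse_connect(raw: str) -> Tuple[str, int, Dict[str, str]]:
    """Split 'CONNECT host:port HTTP/1.x' plus headers into its parts."""
    head = raw.split("\r\n\r\n", 1)[0].split("\r\n")
    method, authority, _version = head[0].split(" ", 2)
    if method != "CONNECT":
        raise ValueError("not a CONNECT request")
    host, sep, port = authority.rpartition(":")
    if not sep:
        raise ValueError("CONNECT authority must carry an explicit port")
    headers: Dict[str, str] = {}
    for line in head[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return host.lower(), int(port), headers


def is_ip_literal(host: str) -> bool:
    try:
        ipaddress.ip_address(host.strip("[]"))
        return True
    except ValueError:
        return False


def _blocked(subject: str, resolver: Resolver) -> bool:
    """A subject is blocked if it is a listed name or an address of one."""
    if subject in BLOCKED_HOSTS:
        return True
    if is_ip_literal(subject):
        return any(subject in resolver(name) for name in BLOCKED_HOSTS)
    return False


def decide_naive(raw: str, resolver: Resolver = fake_resolve) -> str:
    """The behaviour reported in the threads: when a Host header is present
    it replaces the real tunnel target as the subject of the filter."""
    host, _port, headers = parse_connect(raw)
    subject = headers.get("host", host).split(":")[0].lower()
    return "deny" if _blocked(subject, resolver) else "allow"


def decide_hardened(raw: str, resolver: Resolver = fake_resolve,
                    allow_ip_literals: bool = True) -> str:
    """Filter on the CONNECT target itself and reject any Host header that
    does not agree with it; optionally refuse IP-literal targets outright."""
    host, port, headers = parse_connect(raw)
    if port not in SSL_PORTS:            # stops the GET-to-CONNECT rewrite
        return "deny: port not in SSL_PORTS"
    if _blocked(host, resolver):         # the tunnel target decides, not Host
        return "deny: target blocked"
    host_hdr = headers.get("host")
    host_name = host_hdr.split(":")[0].lower() if host_hdr else None
    if is_ip_literal(host):
        if not allow_ip_literals:
            return "deny: IP-literal CONNECT"
        if host_name is None:
            return "deny: IP-literal CONNECT without Host header"
        if host not in resolver(host_name):   # Host must resolve to the target
            return "deny: Host header does not resolve to CONNECT target"
    elif host_name is not None and host_name != host:
        return "deny: Host header differs from CONNECT target"
    return "allow"


if __name__ == "__main__":
    bypass = build_connect("66.220.147.44:443", "www.uol.com.br")
    print("naive:   ", decide_naive(bypass))     # allow (the reported bypass)
    print("hardened:", decide_hardened(bypass))  # deny: target blocked
```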


[SECURITY] [DSA 2455-1] typo3-src security update

2012-04-23 Thread Nico Golde
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

- -
Debian Security Advisory DSA-2455-1   secur...@debian.org
http://www.debian.org/security/Nico Golde
April 20, 2012 http://www.debian.org/security/faq
- -

Package: typo3-src
Vulnerability  : missing input sanitization
Problem type   : remote
Debian-specific: no
CVE IDs: CVE-2012-2112
Debian bug : 669158

Helmut Hummel of the typo3 security team discovered that typo3, a web
content management system, is not properly sanitizing output of the
exception handler.  This allows an attacker to conduct cross-site
scripting attacks if either third-party extensions are installed that do
not sanitize this output on their own or in the presence of extensions
using the extbase MVC framework which accept objects to controller actions.


For the stable distribution (squeeze), this problem has been fixed in
version 4.3.9+dfsg1-1+squeeze4.

For the testing (wheezy) and unstable (sid) distributions, this problem
will be fixed soon.

We recommend that you upgrade your typo3-src packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: http://www.debian.org/security/

Mailing list: debian-security-annou...@lists.debian.org
-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.11 (GNU/Linux)

iEYEARECAAYFAk+RpV4ACgkQHYflSXNkfP+VIACfbEir6HamwuelZk/0+SbuJjCO
wKQAn0f6DWR7lIzlK6JLw1hpEGusPDRy
=NPIT
-END PGP SIGNATURE-