Re: [Full-disclosure] Some VNC doubts : access server behind TCP/IP proxy or gateways

2005-07-04 Thread Ill will
tcpredir, fpipe, bouncer

On 7/5/05, Aditya Deshmukh <[EMAIL PROTECTED]> wrote:
> Hi List,
>
> I have a very peculiar problem about accessing a VNC server behind gateways
> and proxy servers...
>
> Here is the background info...
>
> I have a client who has a pretty big VNC installation base, mostly Windows but
> also including Linux and Solaris.
>
> Most of the road warriors have Windows with VNC and SSH installed on them
> (mostly WinXP SP2).
>
> VNC is used for remote admin or support for some of the road warriors. But
> most of the time when the VNC server is behind a gateway like this it won't
> connect.
>
> [ Internet ] -- [ Gateway ] --- [ Lan ]
>
> The workaround is to use the UltraVNC relay service, but if you don't have
> any control over the gateway this becomes impossible to operate. And I hate
> to open ports in the firewalls of the road warriors' computers.
>
> Is there something like a reverse shell that allows someone to connect
> to a VNC server behind a gateway and through firewalls without opening any
> holes in it, or a TCP/IP proxy that does not allow connections
> from the internet?
>
> Basically, the user initiates the connection and the helpdesk can use the
> same socket to the laptop for connection over VNC (VNC encryption and
> compression have already been taken care of, and only one socket is needed
> for all this; for a firewall I would require only one hole).
>
> Any help would be appreciated - aditya
>
> Delivered using the Free Personal Edition of Mailtraq (www.mailtraq.com)

--
- illwill
http://illmob.org
___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

[Full-disclosure] Some VNC doubts : access server behind TCP/IP proxy or gateways

2005-07-04 Thread Aditya Deshmukh
Hi List,

I have a very peculiar problem about accessing a VNC server behind gateways
and proxy servers...

Here is the background info...

I have a client who has a pretty big VNC installation base, mostly Windows but
also including Linux and Solaris.

Most of the road warriors have Windows with VNC and SSH installed on them
(mostly WinXP SP2).

VNC is used for remote admin or support for some of the road warriors. But
most of the time when the VNC server is behind a gateway like this it won't
connect.

[ Internet ] -- [ Gateway ] --- [ Lan ]

The workaround is to use the UltraVNC relay service, but if you don't have
any control over the gateway this becomes impossible to operate. And I hate
to open ports in the firewalls of the road warriors' computers.

Is there something like a reverse shell that allows someone to connect
to a VNC server behind a gateway and through firewalls without opening any
holes in it, or a TCP/IP proxy that does not allow connections
from the internet?

Basically, the user initiates the connection and the helpdesk can use the
same socket to the laptop for connection over VNC (VNC encryption and
compression have already been taken care of, and only one socket is needed
for all this; for a firewall I would require only one hole).


Any help would be appreciated - aditya


Delivered using the Free Personal Edition of Mailtraq (www.mailtraq.com)
___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
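The "bouncer" arrangement the reply names and the question describes (laptop dials out once, helpdesk rides that same socket), as an added Python example that is not from either poster or from any of the tools mentioned. Hostnames, ports and the RFB greeting bytes are constructed for a loopback demo; the relay itself authenticates nothing, so in practice the viewer side stays on loopback and the agent leg goes inside SSH, which the post says the laptops already have.

```python
import socket
import threading

BUF = 4096


def pipe(src, dst):
    """Copy bytes src -> dst until EOF, then half-close dst so the peer sees EOF."""
    try:
        while True:
            chunk = src.recv(BUF)
            if not chunk:
                break
            dst.sendall(chunk)
    except OSError:
        pass
    finally:
        try:
            dst.shutdown(socket.SHUT_WR)
        except OSError:
            pass


def listener(host, port=0):
    """Bound, listening TCP socket; port 0 lets the OS choose (handy for the demo)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind((host, port))
    srv.listen(1)
    return srv


class ReverseRelay:
    """Helpdesk-side rendezvous point.

    The road warrior's machine opens ONE outbound connection to agent_port
    (its firewall only ever sees an outgoing session), the helpdesk VNC viewer
    connects to viewer_port, and the relay splices the two sockets together.
    Nothing here checks who connected: bind viewer_port to loopback and carry
    the agent leg over SSH or VNC's own encryption (assumed deployment)."""

    def __init__(self, agent_host="127.0.0.1", viewer_host="127.0.0.1"):
        self.agent_srv = listener(agent_host)
        self.viewer_srv = listener(viewer_host)
        self.agent_port = self.agent_srv.getsockname()[1]
        self.viewer_port = self.viewer_srv.getsockname()[1]

    def serve_one(self):
        """Bridge exactly one laptop connection with exactly one viewer."""
        agent, _ = self.agent_srv.accept()
        viewer, _ = self.viewer_srv.accept()
        workers = [threading.Thread(target=pipe, args=(agent, viewer), daemon=True),
                   threading.Thread(target=pipe, args=(viewer, agent), daemon=True)]
        for t in workers:
            t.start()
        for t in workers:
            t.join()
        for s in (agent, viewer, self.agent_srv, self.viewer_srv):
            s.close()


RFB_GREETING = b"RFB 003.008\n"  # the version line a VNC (RFB) server sends first


def recv_line(sock):
    """Read up to and including the first newline (the RFB greeting ends in one)."""
    data = b""
    while not data.endswith(b"\n"):
        chunk = sock.recv(BUF)
        if not chunk:
            break
        data += chunk
    return data


def demo():
    """Run the whole exchange on loopback: laptop dials out, viewer dials in.

    Returns (bytes the viewer saw, bytes the laptop saw)."""
    relay = ReverseRelay()
    threading.Thread(target=relay.serve_one, daemon=True).start()
    seen = {}

    def laptop():
        # Stand-in for the road warrior's VNC server: connects OUT, then
        # speaks the server side of the RFB handshake over that socket.
        s = socket.create_connection(("127.0.0.1", relay.agent_port))
        s.sendall(RFB_GREETING)
        seen["laptop"] = recv_line(s)
        s.close()

    worker = threading.Thread(target=laptop, daemon=True)
    worker.start()

    viewer = socket.create_connection(("127.0.0.1", relay.viewer_port))
    seen["viewer"] = recv_line(viewer)   # greeting arrived via the laptop's socket
    viewer.sendall(RFB_GREETING)          # client answers with the version it speaks
    viewer.close()
    worker.join(5)
    return seen["viewer"], seen["laptop"]


if __name__ == "__main__":
    print(demo())
```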


Re: [Full-disclosure] alert: the 111111 bug

2005-07-04 Thread Valdis . Kletnieks
On Mon, 04 Jul 2005 00:03:02 BST, lsi said:

> I noticed one of my customers using the "special" date of 11/11/11 in 
> their database.  

*yawn*.  IBM mainframe systems coded expiration dates on the machine-readable
volume labels on tapes in a YYDDD format.  One popular tape management system
from the late 80s and early 90s assigned special meaning to 98000 and 99000.
Somehow, things didn't go bonkers when 1998 or 1999 started.

Of *bigger* concern is that of all the Y2K mitigation work done 5 years ago,
up to 70% didn't actually widen the data fields to 4-digit years, but instead
modified the code to use "windowing":  "If NN < 30 then year = 20NN else year
equals 19NN".  Of course, some programs used 30, some 40, some 45, and so on,
so there's lots of little disasters waiting to go boom every 5 or 10 years
for the next half-century.

Ob-Security:  The clever attacker can probably figure out how to use this to
make the bank think an account was opened 101 years ago, and collect the
interest, or similar hacks based on causing an over/underflow.  The first
batch of windowed programs should be ripening in about 4.5 years. :)


___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

RE: [Full-disclosure] alert: the 111111 bug

2005-07-04 Thread Aditya Deshmukh
>
> I noticed one of my customers using the "special" date of 11/11/11 in
> their database.

These sorts of shortcuts are frequently taken by the programmers or the
DB admins after the whole system has been set up :)

> For this customer 11/11/11 in the date field means, don't process
> this record, which will obviously cause problems with legitimate
> transactions on that date.

This becomes a part of the site's folklore that every new admin/programmer
has to learn to prevent [EMAIL PROTECTED]





Delivered using the Free Personal Edition of Mailtraq (www.mailtraq.com)
___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
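The two-digit-year "windowing" rule from Valdis's reply and the 11/11/11 sentinel from the quoted report, as an added Python example that is not from either poster: an audit over a constructed ledger that flags the records a windowed parser would silently skip or age by a century. Pivot values, dates and account ids are constructed.

```python
from datetime import date

SENTINEL = "11/11/11"  # the customer's "do not process this record" magic date


def window_year(yy, pivot):
    """Y2K-era windowing: two-digit years below the pivot are 20xx, the rest 19xx."""
    if not 0 <= yy <= 99:
        raise ValueError("two-digit year expected")
    return 2000 + yy if yy < pivot else 1900 + yy


def parse_mmddyy(text, pivot):
    """Parse an MM/DD/YY string under the given window pivot."""
    mm, dd, yy = (int(part) for part in text.split("/"))
    return date(window_year(yy, pivot), mm, dd)


def age_in_years(opened, today):
    """Whole years between two dates; negative means 'opened in the future'."""
    years = today.year - opened.year
    if (today.month, today.day) < (opened.month, opened.day):
        years -= 1
    return years


def audit(records, pivot, today):
    """Flag records a windowed parser would mishandle.

    records: iterable of (account_id, "MM/DD/YY") pairs.
    Returns a list of (account_id, reason) findings."""
    findings = []
    for acct, opened_text in records:
        if opened_text == SENTINEL:
            # A real transaction on that date is indistinguishable from the marker.
            findings.append((acct, "sentinel date: record would be skipped, not processed"))
            continue
        opened = parse_mmddyy(opened_text, pivot)
        years = age_in_years(opened, today)
        if years < 0:
            findings.append((acct, f"opened in the future ({opened.isoformat()})"))
        elif years >= 100:
            # The over/underflow Valdis describes: a recent year landed in the 1900s.
            findings.append((acct, f"{years} years old: window rollover ({opened.isoformat()})"))
    return findings


def rollover_year(pivot):
    """First calendar year in which a freshly written YY value lands in the 1900s."""
    return 2000 + pivot


# Constructed ledger: two ordinary accounts and one legitimate 11/11/11 transaction.
LEDGER = [("A-1", "03/05/11"), ("A-2", "09/30/04"), ("A-3", "11/11/11")]


def demo(pivot=10, today=date(2011, 12, 1)):
    """Audit the ledger as a program with the given pivot would see it."""
    return audit(LEDGER, pivot, today)


if __name__ == "__main__":
    for pivot in (10, 30, 45):
        print(pivot, rollover_year(pivot), demo(pivot=pivot))
```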


[Full-disclosure] FW: [Vtun-Users] The unprecedented lawsuit against GNU is occurred in Korea.

2005-07-04 Thread Aditya Deshmukh
This just came in from Korea from one of my other lists that I am subscribed
to. Anyone have contacts in Korea or with the .co to take care of this one?







Delivered using the Free Personal Edition of Mailtraq (www.mailtraq.com)
___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


[Full-disclosure] [Fwd: Returned post for [EMAIL PROTECTED]

2005-07-04 Thread Jason Coombs
I'm sick and tired of the stupid securityfocus.com mailing list 
moderators who keep refusing to allow the truth to be added to the 
discussions that they moderate.


Boycott Symantec. They're a bunch of arrogant exploiters of other 
people's stupidity, and they attract those who are like-minded.


Symantec profits through suppressing truth and encouraging delusion.

May every person who supports the suppression of full disclosure go to 
prison for crimes they didn't commit based solely on digital evidence.


Hooray for modern American-prisoner-industrial-slavery capitalism.

Regards,

Jason Coombs
[EMAIL PROTECTED]


 Original Message 
Subject: Returned post for [EMAIL PROTECTED]
Date: 4 Jul 2005 23:18:20 -
From: [EMAIL PROTECTED]
To: [EMAIL PROTECTED]

Hi! This is the ezmlm program. I'm managing the
[EMAIL PROTECTED] mailing list.

I'm working for my owner, who can be reached
at [EMAIL PROTECTED]

I'm sorry, the list moderators for the forensics list
have failed to act on your post. Thus, I'm returning it to you.
If you feel that this is in error, please repost the message
or contact a list moderator directly.

--- Enclosed, please find the message you sent.

Subject: [Fwd: Re: Tools accepted by the courts]
From: Jason Coombs <[EMAIL PROTECTED]>
Date: Wed, 29 Jun 2005 11:25:33 -1000
To: Forensics <[EMAIL PROTECTED]>

For those who asked to read my original post ... See below.

I propose that we do two things:

1) Add an impartial peer-review step to every submission of 'digital 
evidence' in court;


2) Publish all expert/analysis reports and transcripts of testimony 
given by forensic examiners;


3) Build a mechanism (an automatic appeal, perhaps, on the grounds that 
computer forensics was used to assist in the conviction) whereby careful 
scrutiny can be performed after-the-fact of every criminal conviction 
that was obtained through the involvement of 'computer forensics'.


4) Require law enforcement computer forensic examiners to do work on 
behalf of the defense.


I have witnessed unreasonable law enforcement and prosecution behavior 
and technical mistakes that cause me to believe that courts are being 
systematically misled with respect to the reliability of computer 
forensic evidence.


Believe it or not, people have been convicted of crimes based on 
computer evidence alone in cases where the fact of their computer having 
been acquired used, or frequently operated by multiple users, or 
outright owned by a warez or porn distributor, or hijacked and forced to 
be a P2P file sharing hub, or massively infected with spyware and 
Trojans, gets completely ignored.


The only case I have ever seen in which prosecution/law enforcement 
computer forensics even bothered to look into such issues of information 
security was a UCMJ court martial where the DODCFL took care to locate 
and report the existence of the presence of a Trojan and a keylogger on 
the suspect's computer.


Considering that this UCMJ case was a direct result of the FBI's 
"operation site key" child porn investigation, where nothing more than 
the suspect's credit card number having been found in the "site key" 
database of online child porn customers led to the charges in question, 
and the keylogger and Trojan probably did result in a third party being 
in possession of the suspect's credit card information, a failure of the 
DODCFL to search for such evidence would have itself been criminal.


Fortunately, the DOD computer forensic lab staff appear quite skilled, 
and they are available to do work on behalf of the accused service 
member. The fact that the HTCIA has a written policy against any law 
enforcement forensic examiner ever doing work on behalf of a defendant 
is disgusting and offensive in light of the DOD's more enlightened 
procedures.


We allow 'digital evidence' to have meaning and we give it weight in 
court, but we do so by ignoring how easy it is for anyone to obtain 
whatever information they need to steal another person's identity, and 
we do so by ignoring the fact that it is impossible to know what 
happened in the past to a digital computer. (heck, it is 
nearly-impossible in practice to know what a digital computer is doing 
RIGHT NOW)


This issue goes far beyond simply 'fixing' the broken system that exists 
today. For the better part of the last two decades computer forensics 
has been in use by law enforcement in real-world investigations. From my 
experience as an instructor of CCE "boot camp" courses I learned that 
John Mellon claims to have invented computer forensics twenty years ago 
when he was at the IRS. If he is correct that some of the first uses of 
computer forensics in criminal investigations occurred in connection 
with IRS enforcement of the tax code against U.S. citizens, then the 
entire field is even more badly contaminated with government conflict of 
interest than I had previously imagined.


We must stop any government from misusing 'digital evidence' as a

[Full-disclosure] Advisory 06/2005: Geeklog SQL Injection Vulnerability

2005-07-04 Thread Stefan Esser
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1


Hardened-PHP Project
www.hardened-php.net

  -= Security  Advisory =-



     Advisory: Geeklog SQL Injection Vulnerability
 Release Date: 2005/07/05
Last Modified: 2005/07/05
       Author: Stefan Esser [EMAIL PROTECTED]

  Application: Geeklog <= 1.3.11
     Severity: An input validation flaw within Geeklog allows
               SQL injection and can lead f.e. to user password
               hash disclosure
         Risk: High
Vendor Status: Vendor has released an updated version
   References: http://www.hardened-php.net/advisory-062005.php


Overview:

   Quote from http://www.geeklog.net
   "Geeklog is a weblog powered by PHP and MySQL. It allows you within
   minutes to set up a fully functioning dynamic website, and has many
   features to get you started. As of Geeklog 1.3, these features are:
   
   * User-system, allowing members of the public to register 
 for your site and submit stories.
   * Comment system, allowing users to comment on posts 
 made to your site.
   * Block system, allowing you to put information anywhere 
 on your site.
   * Plugin system that allows you to extend Geeklog, without 
 having to code any new PHP.
   * Theme system that allows users to select what layout they 
 want to view.
   * Excellent security model that allows you to give users 
 control over certain aspects of the site with no need 
 to worry.
   * Site Statistics that show you the most popular areas 
 of your site.
   * Link system that allows users to add links to the site.
   * Calendar System that lets you and your user add 
 up-and-coming events.
   * Allow users to email stories to their friends."

   An audit of the Geeklog sourcebase has revealed a possible SQL 
   injection, that can f.e. lead to disclosure of a user's password
   hash if this user has posted at least one comment to an article
   and that article has at least one other comment.
   
   If the site admin account is also used for commenting to articles
   this means the admin password hash can be revealed with this hole.
   A possible candidate for this is for example some very popular
   site that documents everything about the SCO vs. World process.


Details:

   The Geeklog 1.3.x codebase is one of the PHP applications, that
   are quite secure, although it was designed to only run with
   register_globals turned on. They initialise their variables,
   filter user input and escape strings before putting them into
   SQL queries.
   
   Nevertheless our audit has revealed a possible SQL injection in 
   the ORDER BY clause of a query that is used to retrieve user 
   comments for a given article. Usually people believe that such an 
   injection is harmless, because MySQL does not allow multi queries 
   and so you can only influence the order of the returned rows.
   
   In this special case however the query performs a JOIN of the 
   comment and the user table, and therefore it is possible to 
   order the retrieved user comments in dependence of data in the
   user table. Such a conditional ORDER BY statement looks like:
   
 ORDER BY (u.uid=1 && (conv(substring(u.pass, 1, 1),16,10)&1))
   
   This example would order all comments of the user with userid 1
   to the end of all retrieved comments, but only if the lowest bit
   of the first nibble of the password hash is set.
   
   With similar strings it is possible to retrieve the complete
   MD5 hash of the attacked user account, by sending 128 HTTP 
   requests and checking in the returned HTML page if the first 
   (switching search order) comment was written by the user. It
   should be obvious that this issue is only exploitable if there
   are at least 2 comments.
   
   The resulting MD5 hash can then be attacked in the usual way,
   to retrieve the user's password.
   

Proof of Concept:

   The Hardened-PHP Project is not going to release an exploit 
   for this vulnerability to the public.


Disclosure Timeline:

   30. June 2005 - Contacted geeklog.net via email
   01. July 2005 - Sent requested POC to vendor 
   03. July 2005 - Vendor releases bugfixed version
   (and request a disclosure not on 4th July)
   05. July 2005 - Public disclosure


Recommendation:

   We strongly recommend to upgrade to the vendor supplied
   new version 
  
  Geeklog 1.3.11sr1
  http://www.geeklog.net/filemgmt/visit.php?lid=574


Special Note to Secunia:

   You have censored 2 of our 3 Cacti advisories. In both we tried 
   hard to help you guys out with short summaries, because you often 
   have enormous problems with understanding advisories.
   
   Unfortunately we forgot to put such a summary into our 3rd Cacti
   advisory and so it is maybe our responsibility that you made up
   a 2nd bug in the administrative interface of 
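The defensive counterpart to the ORDER BY injection described in the Details section above, as an added Python/sqlite example that is not Geeklog's code: the sort key is mapped through a whitelist, the story id is bound as a parameter, and the advisory's own ORDER BY expression is shown to pass addslashes-style escaping unchanged, which is why escaping alone never protected that position. Table and column names are constructed stand-ins for the comment/user JOIN.

```python
import re
import sqlite3

# Constructed schema standing in for a comments/users JOIN (not Geeklog's real tables).
SCHEMA = """
CREATE TABLE users(uid INTEGER PRIMARY KEY, username TEXT, pass TEXT);
CREATE TABLE comments(cid INTEGER PRIMARY KEY, sid INTEGER, uid INTEGER,
                      date TEXT, title TEXT);
"""

# The only sort keys a caller may request, mapped to fully qualified columns.
ALLOWED_SORT = {"date": "c.date", "title": "c.title", "author": "u.username"}
ALLOWED_DIR = {"asc": "ASC", "desc": "DESC"}

# The advisory's conditional ORDER BY, quoted here only to show escaping misses it.
PAYLOAD = "(u.uid=1 && (conv(substring(u.pass, 1, 1),16,10)&1))"


def escape_string(value):
    """addslashes()-style escaping: adequate inside a quoted literal, irrelevant
    for an identifier/expression position such as ORDER BY."""
    return re.sub(r"(['\"\\])", r"\\\1", value)


def comments_query(sort, direction):
    """Build the comment listing with ORDER BY taken from the whitelist only.

    Raises ValueError rather than interpolating anything the caller supplied."""
    try:
        column = ALLOWED_SORT[sort.lower()]
        order = ALLOWED_DIR[direction.lower()]
    except (KeyError, AttributeError):
        raise ValueError("unsupported sort parameter") from None
    # The story id is data, so it is bound as a parameter, never interpolated.
    return ("SELECT c.cid, u.username, c.title FROM comments c "
            "JOIN users u ON u.uid = c.uid WHERE c.sid = ? "
            f"ORDER BY {column} {order}")


def list_comments(conn, sid, sort="date", direction="asc"):
    return conn.execute(comments_query(sort, direction), (sid,)).fetchall()


def demo_conn():
    """In-memory database with constructed rows: one admin comment, one user comment."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)",
                     [(1, "admin", "constructed-hash-1"), (2, "bob", "constructed-hash-2")])
    conn.executemany("INSERT INTO comments VALUES (?, ?, ?, ?, ?)",
                     [(10, 7, 2, "2005-07-01", "first"), (11, 7, 1, "2005-07-02", "second")])
    return conn


def escaping_is_no_defence():
    """True: the payload has no quote or backslash, so escaping returns it verbatim."""
    return escape_string(PAYLOAD) == PAYLOAD


def whitelist_rejects(value):
    """True when the whitelist refuses to build a query for the given sort key."""
    try:
        comments_query(value, "asc")
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    print(list_comments(demo_conn(), 7, "author"))
    print(escaping_is_no_defence(), whitelist_rejects(PAYLOAD))
```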

[Full-disclosure] Re: Directory traversal in source.php not fixed.

2005-07-04 Thread Kaf Oseo

Seth,

Thank you again.

I've personally not found a difference in efficiency between strstr and 
strpos. However, I'll look into whether this is the case for my script. As 
my main concern is with the path traversal issue brought up (naturally), 
and these two lines:


$file = (strstr($file_get, '..') == true) ? NULL : $file_get;
$file = (strpos($file_get, '..') === false) ? $file_get : NULL;

appear to be functionally equivalent, I can take a little time testing 
strpos vs. strstr for speed and memory use.


I agree with your Perl observation, but then you work with the tools for 
the job at hand.


Just another monkey, :)
-Kaf

Seth Alan Woolley wrote:
> Actually, if I'm not mistaken again ;), it would be faster this way
> while still getting strpos speed advantages:
>
> $file = (strpos($file_get, '..') === false) ? $file_get : NULL;
>
> Note how we're testing for false and negating now -- I earlier made the
> mistake that (!(a === false)) is the same thing as (a === true), but
> they aren't because of the type munging going on (I'm really not used to
> php's type munging semantics).
>
> I suggested === in my first proposed fix because php.net says to use it
> to test the return value, but they aren't explicit that this will only
> work on false.  strpos is also faster than strstr, according to
> php.net's manual of strstr.
>
> I'll note that perl's index function is actually sane in that it uses a
> _different_ integer value for not found than one that overlaps with the
> valid set of found index positions:
>
>    index STR,SUBSTR,POSITION
>    index STR,SUBSTR
>  The index function searches for one string within another, but
>  without the wildcard-like behavior of a full regular-expression
>  pattern match.  It returns the position of the first occurrence
>  of SUBSTR in STR at or after POSITION.  If POSITION is omitted,
>  starts searching from the beginning of the string.  The return
>  value is based at 0 (or whatever you've set the $[ variable
>  to--but don't do that).  *If the substring is not found, returns*
>  *one less than the base, ordinarily "-1".*
>
> Just another reason why perl's so much easier to code secure software
> in.  I hate having to learn poorly-thought-through functions in php just
> because monkeys are taught to use it instead of a real scripting
> language. *sigh*

___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


[Full-disclosure] UPDATE: [ GLSA 200506-17 ] SpamAssassin 3, Vipul's Razor: Denial of Service vulnerability

2005-07-04 Thread Sune Kloppenborg Jeppesen
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory [UPDATE]   GLSA 200506-17:02
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

  Severity: Normal
     Title: SpamAssassin 3, Vipul's Razor: Denial of Service
            vulnerability
      Date: June 21, 2005
   Updated: July 04, 2005
      Bugs: #94722, #95492, #96776
        ID: 200506-17:02

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Update
======

Sascha Lucas discovered that with certain malformed headers it was still
possible to crash Vipul's Razor.

The updated sections appear below.

Affected packages
=================

    -------------------------------------------------------------------
     Package                     /  Vulnerable  /            Unaffected
    -------------------------------------------------------------------
  1  mail-filter/spamassassin         < 3.0.4                  >= 3.0.4
                                                                < 3.0.1
  2  mail-filter/razor                 < 2.74                   >= 2.74
    -------------------------------------------------------------------
     2 affected packages on all of their supported architectures.
    -------------------------------------------------------------------

Resolution
==========

All SpamAssassin users should upgrade to the latest version:

# emerge --sync
# emerge --ask --oneshot --verbose ">=mail-filter/spamassassin-3.0.4"

All Vipul's Razor users should upgrade to the latest version:

# emerge --sync
# emerge --ask --oneshot --verbose ">=mail-filter/razor-2.74"

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

  http://security.gentoo.org/glsa/glsa-200506-17.xml

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users machines is of utmost
importance to us. Any security concerns should be addressed to
[EMAIL PROTECTED] or alternatively, you may file a bug at
http://bugs.gentoo.org.

License
=======

Copyright 2005 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

http://creativecommons.org/licenses/by-sa/2.0


___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Re: [Full-disclosure] RE: Published exploit codes foo foo foo

2005-07-04 Thread Eric Paynter
On Thu, June 30, 2005 12:40 pm, J. Oquendo said:
> I wonder how
> many of these bigger boys' products that have had vulnerabilities
> discovered, I wonder how many of that coding came from outsourced vendors.
> Meaning... "Well we thought we would save money by having
> _INSERT_COUNTRY_HERE code for us." Would be interesting to see where the
> majority of sloppy coders, whose projects have been exploited, come from.

Like anybody fighting against prejudices, most offshore companies that
offer outsourced coding are fighting an uphill battle. Any mistake is seen
as proof of inadequacy. Therefore, the rule for the minority is perfection
for cheap, and any mistake is unacceptable.

Last I heard, Microsoft does 0% outsourcing of coding. All Microsoft code
is 100% USA Quality.

-Eric

--
arctic bears - email and dns services
http://www.arcticbears.com

___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


[Full-disclosure] Re: Directory traversal in source.php not fixed.

2005-07-04 Thread Seth Alan Woolley
On Mon, Jul 04, 2005 at 01:17:50PM -0400, Kaf Oseo wrote:
> Thank you for contacting me.
> 
> I've corrected, as well as further attempted to *harden*, my Quick & 
> Dirty PHPSource Printer (PHP script).
> 
> The line referred below to is now:
> 
> $file = (strstr($file_get, '..') == true) ? NULL : $file_get;

Actually, if I'm not mistaken again ;), it would be faster this way 
while still getting strpos speed advantages:

$file = (strpos($file_get, '..') === false) ? $file_get : NULL;

Note how we're testing for false and negating now -- I earlier made the 
mistake that (!(a === false)) is the same thing as (a === true), but 
they aren't because of the type munging going on (I'm really not used to 
php's type munging semantics).

I suggested === in my first proposed fix because php.net says to use it 
to test the return value, but they aren't explicit that this will only 
work on false.  strpos is also faster than strstr, according to 
php.net's manual of strstr.

I'll note that perl's index function is actually sane in that it uses a 
_different_ integer value for not found than one that overlaps with the 
valid set of found index positions:

   index STR,SUBSTR,POSITION
   index STR,SUBSTR
 The index function searches for one string within another, but
 without the wildcard-like behavior of a full regular-expression
 pattern match.  It returns the position of the first occurrence
 of SUBSTR in STR at or after POSITION.  If POSITION is omitted,
 starts searching from the beginning of the string.  The return
 value is based at 0 (or whatever you've set the $[ variable
 to--but don't do that).  *If the substring is not found, returns*
 *one less than the base, ordinarily "-1".*

  
Just another reason why perl's so much easier to code secure software 
in.  I hate having to learn poorly-thought-through functions in php just 
because monkeys are taught to use it instead of a real scripting 
language. *sigh*

> 
> Script available here:
> http://guff.szub.net/quick-and-dirty-phpsource-printer/
> 
> Source can be viewed here:
> http://guff.szub.net/wp-content/sourceprt.php?file=source.php
> 
> -Kaf Oseo
> 
> Chew Keong Tan wrote:
> >Hi,
> >
> >I have taken a look at source.php and the vulnerability does not seem to
> >be fixed. This is due to an error in the strstr comparison in the
> >following line of code. Further, if your script is deployed in the
> >Windows platform, then "..\" sequences can also be used for directory
> >traversal.

Unfortunate if this is true from within php.

This is truly a security bug in windows or php itself since it should 
properly map directories to the posix way.  In any case, I don't really 
care if it works or does not work on windows.  Let them pay for their 
software and security; they aren't getting it for free from me.

> >
> >$file = (strstr($file_get, '../') === true) ? '' : $file_get; // protect
> >from site traversing
> >
> >Do let us know when this has been fixed. 
> >
> >Thanks.
> 

-- 
Seth Alan Woolley [seth at positivism.org], SPAM/UCE is unauthorized
Quality Assurance Team Leader & Security Team: Source Mage GNU/linux
Linux so advanced, it may as well be magic http://www.sourcemage.org
Secretary Pacific Green Party of Oregon http://www.pacificgreens.org
Key id 00BA3AF3 = 8BE0 A72E A47E A92A 0737  F2FF 7A3F 6D3C 00BA 3AF3


___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
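The hardened form of the `..` check debated in this thread and in Kaf Oseo's reply above, as an added Python example that is neither poster's code: it puts the substring test beside a check on the resolved path, which also covers the Windows-style `..\` case Chew Keong Tan raised and rejects absolute paths and symlinks that a substring search for `..` lets through. The directory tree is constructed in a temporary directory; `safe_resolve` and `substring_check` are hypothetical names.

```python
import os
import shutil
import tempfile


def substring_check(requested):
    """The thread's fix, transliterated: refuse anything containing '..'.

    Python's str.find returns -1 on a miss, like Perl's index, so the
    PHP strpos()/=== false pitfall discussed above does not arise here."""
    return None if requested.find("..") != -1 else requested


def safe_resolve(base_dir, requested):
    """Return the real path of `requested` inside base_dir, or None.

    The decision is made on the resolved path, so absolute paths, '..\\'
    components and symlinks pointing outside base_dir are all rejected,
    which a substring search for '..' cannot reliably do."""
    if os.path.isabs(requested) or "\x00" in requested:
        return None
    base = os.path.realpath(base_dir)
    # Treat a literal backslash as a separator so Windows-style input is
    # judged the same way on POSIX hosts.
    normalized = requested.replace("\\", os.sep)
    candidate = os.path.realpath(os.path.join(base, normalized))
    if os.path.commonpath([base, candidate]) != base:
        return None
    return candidate


def demo():
    """Build a throwaway tree and compare both checks on a few requests.

    Returns {label: (substring check accepts, resolved-path check accepts)}."""
    root = tempfile.mkdtemp()
    try:
        web = os.path.join(root, "web")
        os.makedirs(web)
        with open(os.path.join(web, "source.php"), "w") as fh:
            fh.write("<?php // constructed sample file\n")
        secret = os.path.join(root, "secret.txt")  # lives outside the web root
        with open(secret, "w") as fh:
            fh.write("outside the web root\n")
        os.symlink(secret, os.path.join(web, "link.txt"))  # link that escapes
        requests = {
            "inside": "source.php",
            "dotdot": "../secret.txt",
            "backslash": "..\\secret.txt",
            "absolute": secret,
            "symlink": "link.txt",
        }
        return {
            label: (substring_check(req) is not None, safe_resolve(web, req) is not None)
            for label, req in requests.items()
        }
    finally:
        shutil.rmtree(root)


if __name__ == "__main__":
    for label, verdict in demo().items():
        print(f"{label:10} substring={verdict[0]!s:5} resolved={verdict[1]}")
```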

[Full-disclosure] pam_ldap/nss_ldap password leak in a master+slave+start_tls LDAP setup

2005-07-04 Thread Rob Holland
pam_ldap/nss_ldap fail to re-start TLS when following referred
connections. This can result in credentials being sent in clear text
when pam_ldap/nss_ldap attempt to rebind.

This affects any LDAP infrastructure which can generate referrals during
NSS or PAM operations (generally a master+slave LDAP setup) and which
relies on "ssl start_tls" in ldap.conf for security of the connections.

Although the initial connection starts TLS properly, subsequent referred
connections do not.

This is a bug in all three of nss_ldap, pam_ldap and OpenLDAP. pam_ldap
and nss_ldap do not attempt to re-start TLS and OpenLDAP does not
currently allow a client to start TLS on a referred connection anyway,
due to a buggy "already doing tls" check.

Bugs have been filed (and ignored, save for a mistaken "we don't take
3rd party patches" email) upstream at:

http://www.openldap.org/its/index.cgi/Incoming?id=3791

and

http://bugzilla.padl.com/show_bug.cgi?id=210
http://bugzilla.padl.com/show_bug.cgi?id=211

The nss bug (211) is only filed today as I've only just been alerted to
the fact that it suffers the same problem.

-- 
rob holland - [ [EMAIL PROTECTED] ] - Gentoo Audit Team
[ 5251 4FAC D684 8845 5604  E44F D65C 392F D91B 4729 ]
___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


[Full-disclosure] [SECURITY] [DSA 725-2] New ppxp packages fix local root exploit

2005-07-04 Thread Martin Schulze
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- --------------------------------------------------------------------------
Debian Security Advisory DSA 725-2                       [EMAIL PROTECTED]
http://www.debian.org/security/                             Martin Schulze
July 4th, 2005                          http://www.debian.org/security/faq
- --------------------------------------------------------------------------

Package: ppxp
Vulnerability  : missing privilege release
Problem-Type   : local
Debian-specific: no
CVE ID : CAN-2005-0392

Jens Steube discovered that ppxp, yet another PPP program, does not
release root privileges when opening potentially user supplied log
files.  This can be tricked into opening a root shell.

For the old stable distribution (woody) this problem has been
fixed in version 0.2001080415-6woody1 (DSA 725-1).

For the stable distribution (sarge) this problem has been fixed in
version 0.2001080415-10sarge2.

For the unstable distribution (sid) this problem has been fixed in
version 0.2001080415-11.

We recommend that you upgrade your ppxp package.


Upgrade Instructions
- --------------------

wget url
        will fetch the file for you
dpkg -i file.deb
        will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given below:

apt-get update
        will update the internal database
apt-get upgrade
        will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.


Debian GNU/Linux 3.1 alias sarge
- 


Re: [Full-disclosure] Re: alert: the 111111 bug

2005-07-04 Thread Paul Kurczaba

it is a Friday.

Thomas Binder wrote:

> Hi!
>
> On Sun, Jul 03, 2005 at 10:18:02PM -0500, Paul Schmehl wrote:
>
>> Not to worry.  The 11th of November, 2011 is a Saturday.  No one
>> will be working that day.  :-)
>
> Mhmm, it's a Friday according to my calendar - is mine or yours in
> error?
>
> Ciao
>
> Thomas






[Full-disclosure] Re: odd Adobe Acrobat thing...

2005-07-04 Thread Dave Korn
Original Message
>From: Morning Wood
>Message-Id: [EMAIL PROTECTED]

> i noticed...
>
> simply rolling over a *.pdf on your desktop launches...
> C:\Program Files\Adobe\Acrobat 7.0\Reader\AcroRd32Info.exe

  Probably only if you have that godawful webview of folders switched on and
it's trying to render a little thumbnail to put at the bottom of the html
column on the left-hand-side, no?  I'm still on Acrobat 6.0 and it doesn't
do that, at least the way I have it configured.  Adobe have probably
implemented whatever COM interface it is that renders a thumbnail for
explorer in their shell extension between v6 and v7.

> im guessing Explorer is doing some odd things ( preloading on a rollover )
> ..reminds me of the jpg GDI exploit. i imagine if AcroRd32Info.exe is
> exploitable you could craft a bad .pdf with data to overflow that exe. ( a
> simple rollover would start the sploit )

  Yep, it's the exact same problem.  'doze is basically launching a viewer
application (ok, COM server) whenever you mouse over various types.  This is
as bad an idea as the option to make-things-seem-more-like-the-web
automatically launch files when you click on them once instead of twice, or
one-touch record on tape decks, or fire alarms with the glass pre-smashed,
or any other vital fool-proof safety measure that someone removed because it
was 'inconvenient' :-(

cheers,
  DaveK
-- 
Can't think of a witty .sigline today





[Full-disclosure] [ GLSA 200507-03 ] phpBB: Arbitrary command execution

2005-07-04 Thread Matthias Geerdsen
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory   GLSA 200507-03
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

  Severity: High
 Title: phpBB: Arbitrary command execution
  Date: July 04, 2005
  Bugs: #97278
ID: 200507-03

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

A vulnerability in phpBB allows a remote attacker to execute arbitrary
commands with the rights of the web server.

Background
==

phpBB is an Open Source bulletin board package.

Affected packages
=

    -------------------------------------------------------------------
     Package                 /  Vulnerable  /                Unaffected
    -------------------------------------------------------------------
  1  www-apps/phpBB                < 2.0.16                  >= 2.0.16

Description
===

Ron van Daal discovered that phpBB contains a vulnerability in the
highlighting code.

Impact
==

Successful exploitation would grant an attacker unrestricted access to
the PHP exec() or system() functions, allowing the execution of
arbitrary commands with the rights of the web server.

Workaround
==

Please follow the instructions given in the phpBB announcement.

Resolution
==

The phpBB package is no longer supported by Gentoo Linux and has been
removed from the Portage repository, no further announcements will be
issued regarding phpBB updates. Users who wish to continue using phpBB
are advised to monitor and refer to www.phpbb.com for more information.

To continue using the Gentoo-provided phpBB package, please refer to
the Portage documentation on unmasking packages and upgrade to 2.0.16.

References
==

  [ 1 ] phpBB Announcement
http://www.phpbb.com/phpBB/viewtopic.php?f=14&t=302011

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

  http://security.gentoo.org/glsa/glsa-200507-03.xml

Concerns?
=

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
[EMAIL PROTECTED] or alternatively, you may file a bug at
http://bugs.gentoo.org.

License
===

Copyright 2005 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

http://creativecommons.org/licenses/by-sa/2.0




Re: [Full-disclosure] Re: alert: the 111111 bug

2005-07-04 Thread Gabriel Moutinho
Yes, it's Friday! :p

But.. if it's 11/11/2111?

In that case it will be Monday, but I think there will be nothing to worry about. Maybe the next generation will have problems...

On 7/4/05, Thomas Binder <[EMAIL PROTECTED]> wrote:
> Hi!
>
> On Sun, Jul 03, 2005 at 10:18:02PM -0500, Paul Schmehl wrote:
>> Not to worry.  The 11th of November, 2011 is a Saturday.  No one
>> will be working that day.  :-)
>
> Mhmm, it's a Friday according to my calendar - is mine or yours in
> error?
>
> Ciao
>
> Thomas


[Full-disclosure] Re: alert: the 111111 bug

2005-07-04 Thread Thomas Binder
Hi!

On Sun, Jul 03, 2005 at 10:18:02PM -0500, Paul Schmehl wrote:
> Not to worry.  The 11th of November, 2011 is a Saturday.  No one
> will be working that day.  :-)

Mhmm, it's a Friday according to my calendar - is mine or yours in
error?


Ciao

Thomas



[Full-disclosure] [ GLSA 200507-02 ] WordPress: Multiple vulnerabilities

2005-07-04 Thread Thierry Carrez
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory   GLSA 200507-02
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

  Severity: High
 Title: WordPress: Multiple vulnerabilities
  Date: July 04, 2005
  Bugs: #97374
ID: 200507-02

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

WordPress contains PHP script injection, cross-site scripting and path
disclosure vulnerabilities.

Background
==

WordPress is a PHP and MySQL based content management and publishing
system.

Affected packages
=

    -------------------------------------------------------------------
     Package                 /  Vulnerable  /                Unaffected
    -------------------------------------------------------------------
  1  www-apps/wordpress            < 1.5.1.3                 >= 1.5.1.3

Description
===

James Bercegay of the GulfTech Security Research Team discovered that
WordPress insufficiently checks data passed to the XML-RPC server. He
also discovered that WordPress has several cross-site scripting and
full path disclosure vulnerabilities.

Impact
==

An attacker could use the PHP script injection vulnerabilities to
execute arbitrary PHP script commands. Furthermore the cross-site
scripting vulnerabilities could be exploited to execute arbitrary
script code in a user's browser session in context of a vulnerable
site.

Workaround
==

There are no known workarounds at this time.

Resolution
==

All WordPress users should upgrade to the latest available version:

# emerge --sync
# emerge --ask --oneshot --verbose ">=www-apps/wordpress-1.5.1.3"

References
==

  [ 1 ] CAN-2005-1921
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-1921
  [ 2 ] GulfTech Advisory
http://www.gulftech.org/?node=research&article_id=00085-06282005

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

  http://security.gentoo.org/glsa/glsa-200507-02.xml

Concerns?
=

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
[EMAIL PROTECTED] or alternatively, you may file a bug at
http://bugs.gentoo.org.

License
===

Copyright 2005 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

http://creativecommons.org/licenses/by-sa/2.0




RE: [Full-disclosure] alert: the 111111 bug

2005-07-04 Thread Larry Seltzer
>>> For this customer 11/11/11 in the date field means, don't process this 
>>> record, which will obviously cause problems with legitimate 
>>> transactions on that date.
>>>
>>> I suspect using a new field to flag a state, instead of "special"
>>> data, would have been more appropriate.
>>>

> Not to worry.  The 11th of November, 2011 is a Saturday.  No one will be
> working that day.  :-)

Actually, it will probably be a 3 day weekend for Veterans (Armistice) Day.
Even less reason to worry??

LJS




[Full-disclosure] log4sh insecure temporary file creation

2005-07-04 Thread ZATAZ Audits

#

log4sh insecure temporary file creation

Vendor: http://forestent.com/products/log4sh/
Advisory: http://www.zataz.net/adviso/log4sh-06092005.txt
Vendor informed: yes
Exploit available: no
Impact : low
Exploitation : low

#

The vulnerability is caused by a temporary file being created
insecurely. This can be exploited via symlink attacks to create and
overwrite arbitrary files with the privileges of the user running the
affected script.

##
Versions:
##

log4sh <= 1.2.5

##
Solution:
##

Use a kernel patch such as grsecurity.

#
Timeline:
#

Discovered : 2005-05-26
Vendor notified : 2005-06-09
Vendor response : no response
Vendor fix : no fix
Vendor Sec report ([EMAIL PROTECTED]) : 2005-06-27
Disclosure : 2005-07-04

#
Technical details :
#

Vulnerable code :
-

log4sh_readProperties()
{
  _file=$1

  # Predictable name under the world-writable /tmp: whatever already sits
  # at /tmp/log4sh.<pid> (a file or a symlink) is opened and truncated
  # with the privileges of the user running the script.
  _tmpFile="/tmp/log4sh.$$"
  grep "^log4sh\." $_file >$_tmpFile

#
Related :
#

Gentoo Bugs report : http://bugs.gentoo.org/show_bug.cgi?id=94069

#
Credits :
#

Eric Romang ([EMAIL PROTECTED] - ZATAZ Audit)
Thxs to Gentoo Security Team. (Taviso, jaervosz, solar, tigger, etc.)
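The property-reading function above with the temporary file created safely, as an added example that is not log4sh's own code; the sample properties file, the `safe_readProperties` name and the `find_predictable_tmp` audit helper are constructed here for illustration.

```shell
#!/bin/sh
# Added example, not log4sh's own code: the readProperties pattern rewritten
# to use mktemp instead of the predictable /tmp/log4sh.$$ name, plus a small
# audit helper that flags that pattern in other scripts.

# Build a constructed sample properties file (not from the advisory) mixing
# log4sh.* keys with unrelated ones. Prints its path.
make_sample_props() {
  _f=$(mktemp "${TMPDIR:-/tmp}/props.XXXXXX") || return 1
  cat >"$_f" <<'EOF'
log4sh.rootLogger=INFO, stderr
other.setting=ignored
log4sh.appender.stderr=ConsoleAppender
EOF
  printf '%s\n' "$_f"
}

# Hardened variant of log4sh_readProperties. mktemp creates the file itself
# (O_EXCL, mode 0600) under an unguessable name, so a pre-planted file or
# symlink at a predictable path is never opened or truncated. It fails
# closed instead of falling back to a fixed name. Prints the number of
# log4sh.* lines found, standing in for the rest of the original function.
safe_readProperties() {
  _file=$1
  _tmpFile=$(mktemp "${TMPDIR:-/tmp}/log4sh.XXXXXX") || {
    echo "log4sh: cannot create temporary file" >&2
    return 1
  }
  grep '^log4sh\.' "$_file" >"$_tmpFile"
  _count=$(wc -l <"$_tmpFile" | tr -d ' ')
  rm -f "$_tmpFile"
  printf '%s\n' "$_count"
}

# Audit helper: report lines in the given scripts that build a /tmp path
# from $$ (the construct in the vulnerable code above). Exit status is
# grep's: 0 when something was flagged, 1 when nothing was.
find_predictable_tmp() {
  grep -nE '/tmp/[^"[:space:]]*\$\$' "$@"
}
```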


RE: [Full-disclosure] [ZH2005-14SA] Phishing problems on MSN

2005-07-04 Thread Giovanni Delvecchio



[ZH2005-14SA] Phishing problems on MSN

Date: July 1st 2005

Author:Giovanni Delvecchio

email: [EMAIL PROTECTED]



Overview
===
Multiple phishing problems exist on support.msn.com, allowing a
possible attacker to conduct phishing attacks against a user.



Details
=
1) Input passed to the "ru" parameter in "pplogin.aspx" isn't properly
sanitised before being returned to the user.


Example:

http://support.msn.com/pplogin.aspx?ru=http://www.evil-site.com">www.msn.com/


or

http://support.msn.com/pplogin.aspx?ru=%68%74%74%70%3A%2F%2F%77%77%77%2E%65%76%69%6C%2D%73%69%74%65%2E%63%6F%6D%22%3E%77%77%77%2E%6D%73%6E%2E%63%6F%6D/


The problem has been fixed today.

A screenshot can be seen here:
http://www.zone-h.org/files/49/msn1.jpg



2) Input passed to the 'mspplogin' parameter isn't properly sanitised, and
by using a specially crafted URL an attacker can cause the user to be
redirected to an arbitrary URL for the Passport authentication.


Example:
http://support.msn.com/pplogin.aspx?msppchlg=1&mspplogin=http://www.evil-site.com/login.srf%3F

This problem at the moment has not been fixed.



Reference
===
http://www.zone-h.org/advisories/read/id=7764



UPDATE - July 4th 2005
==

3) Another phishing problem exists on login.passport.net.
The problem is caused by input passed to the "ru" parameter in
"uilogout.srf" not being properly sanitised.
By using a specially crafted URL an attacker can cause the user
to be redirected to an arbitrary URL for the Passport
authentication.


Example:

http://login.passport.net/uilogout.srf?id=2&ru=http://www.evil-site.com&ec=1

