Re: [Full-disclosure] NUL Character Evasion

2005-09-14 Thread Williams, James K

> List:   full-disclosure
> Subject:[Full-disclosure] NUL Character Evasion
> From:   ju () heisec ! de
> Date:   2005-09-13 21:24:42
>
> The Problem:
> 
> Internet Explorer ignores NUL characters
> -- i.e. ascii characters with the value 0x00 -- most
> security software does not. This behaviour of IE
> does not depend on the charset in the Content-Type-Header.

[...]

> eTrust-VETHTML.MHTMLRedir!exploit

[...]

> -- 
> Juergen Schmidt, editor in chief, heise Security, www.heisec.de
> Heise Zeitschriften Verlag, Helstorferstr. 7, D-30625 Hannover
> Tel. +49 511 5352 300, FAX +49 511 5352 417, EMail [EMAIL PROTECTED]
> GPG-Key: 0x38EA4970, 5D7B 476D 84D5 94FF E7C5 67BE F895 0A18 38EA 4970
  

Juergen,

Thank you for the report.  Computer Associates is currently 
investigating the issue (as it relates to CA products).

Regards,
kw
 
Ken Williams ; Dir. Vuln Research 
Computer Associates ; 0xE2941985

___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
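The evasion Juergen describes, as an added example that is not part of the original report or of any vendor's engine: a byte-exact signature matcher misses a tag that has NUL bytes interleaved in it, while a consumer that drops 0x00 before parsing (the behaviour attributed to Internet Explorer) still sees the intact tag. The signature string, the "scanner" and the two sample pages are constructed here; the check that matters is scanning what the browser would render, not the bytes on the wire.

```python
# Added example (not from the original post or any vendor product): why a NUL
# byte hides a payload from a byte-for-byte signature matcher but not from a
# browser that drops NULs. Signature, scanner and sample pages are constructed.

import re

# Constructed signature: a naive engine matches this byte string literally.
SIGNATURE = b"<script>"

# Constructed samples: the same tag, once plain and once with NULs interleaved.
CLEAN_PAGE = b"<html><script>alert(1)</script></html>"
EVASIVE_PAGE = b"<html><s\x00cr\x00ipt>alert(1)</scr\x00ipt></html>"


def naive_scan(data: bytes) -> bool:
    """Byte-exact match, the behaviour the report attributes to most security
    software: the NULs break the literal and the signature never fires."""
    return SIGNATURE in data


def normalize_like_ie(data: bytes) -> bytes:
    """Model of the rendering behaviour the report describes: NUL bytes are
    dropped before the markup is parsed, regardless of the declared charset."""
    return data.replace(b"\x00", b"")


def hardened_scan(data: bytes) -> bool:
    """Scan the content the browser would actually see, not the raw bytes."""
    return SIGNATURE in normalize_like_ie(data)


def nul_positions(data: bytes) -> list:
    """Offsets of NUL bytes. This is a detection signal on its own: a text/html
    body has no legitimate reason to contain 0x00 at all."""
    return [m.start() for m in re.finditer(b"\x00", data)]


if __name__ == "__main__":
    for name, page in (("clean", CLEAN_PAGE), ("evasive", EVASIVE_PAGE)):
        print(f"{name:8s} naive={naive_scan(page)!s:5s} "
              f"hardened={hardened_scan(page)!s:5s} nul_at={nul_positions(page)}")
```

The normalization step is the whole fix: whatever transformation the rendering engine applies before parsing has to be applied before matching, or the signature is matched against content the victim never sees.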


[Full-disclosure] [SECURITY] [DSA 812-1] New turqstat packages fix buffer overflow

2005-09-14 Thread Martin Schulze
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- --
Debian Security Advisory DSA 812-1 [EMAIL PROTECTED]
http://www.debian.org/security/ Martin Schulze
September 15th, 2005                    http://www.debian.org/security/faq
- --

Package: turqstat
Vulnerability  : buffer overflow
Problem type   : remote
Debian-specific: no
CVE ID : CAN-2005-2658

Peter Karlsson discovered a buffer overflow in Turquoise SuperStat, a
program for gathering statistics from Fidonet and Usenet, that can be
exploited by a specially crafted NNTP server.

For the old stable distribution (woody) this problem has been fixed in
version 2.2.1woody1.

For the stable distribution (sarge) this problem has been fixed in
version 2.2.2sarge1.

For the unstable distribution (sid) this problem has been fixed in
version 2.2.4-1.

We recommend that you upgrade your turqstat package.


Upgrade Instructions
- 

wget url
will fetch the file for you
dpkg -i file.deb
will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given below:

apt-get update
will update the internal database
apt-get upgrade
will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.


Debian GNU/Linux 3.0 alias woody
- 

  Source archives:


http://security.debian.org/pool/updates/main/t/turqstat/turqstat_2.2.1woody1.dsc
  Size/MD5 checksum:  544 d928fdfa27a159fdab8a5a8884fe5f89

http://security.debian.org/pool/updates/main/t/turqstat/turqstat_2.2.1woody1.tar.gz
  Size/MD5 checksum:   270910 42d8a8a0a918f170de995d486c23b653

  Alpha architecture:


http://security.debian.org/pool/updates/main/t/turqstat/turqstat_2.2.1woody1_alpha.deb
  Size/MD5 checksum:   132096 906f3128869e6d7b0afd07cec132c72a

http://security.debian.org/pool/updates/main/t/turqstat/xturqstat_2.2.1woody1_alpha.deb
  Size/MD5 checksum:   176418 3109d357b362669a322ec7f5d3a95d7f

  ARM architecture:


http://security.debian.org/pool/updates/main/t/turqstat/turqstat_2.2.1woody1_arm.deb
  Size/MD5 checksum:   124080 f0fd9cedb36db2636a823aa8ade7c916

http://security.debian.org/pool/updates/main/t/turqstat/xturqstat_2.2.1woody1_arm.deb
  Size/MD5 checksum:   165586 15456da1a258074d87ce7732b3382498

  Intel IA-32 architecture:


http://security.debian.org/pool/updates/main/t/turqstat/turqstat_2.2.1woody1_i386.deb
  Size/MD5 checksum:   113180 6eee07bf2fe43335b19c9b1629b6057f

http://security.debian.org/pool/updates/main/t/turqstat/xturqstat_2.2.1woody1_i386.deb
  Size/MD5 checksum:   153308 8d8a680ee6838382d749936fd5e2a6f1

  Intel IA-64 architecture:


http://security.debian.org/pool/updates/main/t/turqstat/turqstat_2.2.1woody1_ia64.deb
  Size/MD5 checksum:   137222 789b31dcb961a9f4db2114f86b543bb2

http://security.debian.org/pool/updates/main/t/turqstat/xturqstat_2.2.1woody1_ia64.deb
  Size/MD5 checksum:   187992 5699afd846374683fa0d8a5713966a71

  HP Precision architecture:


http://security.debian.org/pool/updates/main/t/turqstat/turqstat_2.2.1woody1_hppa.deb
  Size/MD5 checksum:   151334 01917983921193be6871f8d7f88ada9a

http://security.debian.org/pool/updates/main/t/turqstat/xturqstat_2.2.1woody1_hppa.deb
  Size/MD5 checksum:   189768 15400f31cf5cc357fe2b848fe833a334

  Motorola 680x0 architecture:


http://security.debian.org/pool/updates/main/t/turqstat/turqstat_2.2.1woody1_m68k.deb
  Size/MD5 checksum:   110610 41a66acf6252b48d8df4e4697eb77b11

http://security.debian.org/pool/updates/main/t/turqstat/xturqstat_2.2.1woody1_m68k.deb
  Size/MD5 checksum:   149208 aae5619b44e2ceac583d0b1e88763812

  Big endian MIPS architecture:


http://security.debian.org/pool/updates/main/t/turqstat/turqstat_2.2.1woody1_mips.deb
  Size/MD5 checksum:   111064 34b913e65e80b6911af2a02894d816bf

http://security.debian.org/pool/updates/main/t/turqstat/xturqstat_2.2.1woody1_mips.deb
  Size/MD5 checksum:   146630 376ba9b7bff126d556e1fe31594e4728

  Little endian MIPS architecture:


http://security.debian.org/pool/updates/main/t/turqstat/turqstat_2.2.1woody1_mipsel.deb
  Size/MD5 checksum:   107550 87be688734db30761800c310f1c8c1c1

http://security.debian.org/pool/updates/main/t/turqstat/xturqstat_2.2.1woody1_mipsel.deb
  Size/MD5 checksum:   142122 1bca8324176ebc4ae870e1c3d3beb398

  PowerPC architecture:


http://security.debian.org/pool/updates/main/t/turqstat/turqstat_2.2.1woody1_powerpc.deb
  Size/MD5 checksum:   112282 bc6797f83d4c9a7ae1840abbe00db82f

http://security.debian.org/pool/updates/main/t/turqstat/xturqstat_2.2.1woody1_powerpc.deb
  Siz

RE: [Full-disclosure] Exploiting an online store

2005-09-14 Thread lyal.collins
I would have thought that obtaining value by deception is just simple fraud.

The detection of the incident and prosecution of the guilty is usually more
challenging than committing the offence, I understand.

Lyal

> I know that bad programming habits exist on some of the sites out there and
> still use Hidden fields to pass prices over.. Although not very common, I
> found one this morning after sending the email...
>
> My question is more on the theory I suppose...  What laws are out there to
> protect against this after-the-fact? Is it true that if the seller closes the
> deal by sending you the merchandise then they have no case and can't go back
> and charge you?
>
> Seems there should be something out there providing protection if the system
> is automated... Even though there should be checks in place people do have
> small budgets and rush a lot of the smaller E-com stores out.
>
> JP
>
>   -----Original Message-----
>   From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
>   Sent: Wed 9/14/2005 7:35 PM
>   To: Gadi Evron
>   Cc: Josh Perrymon; full-disclosure@lists.grok.org.uk
>   Subject: Re: [Full-disclosure] Exploiting an online store





RE: [Full-disclosure] Exploiting an online store

2005-09-14 Thread Josh Perrymon
I know that bad programming habits exist on some of the sites out there and 
still use Hidden fields to pass prices over.. Although not very common, I 
found one this morning after sending the email...
 
My question is more on the theory I suppose...  What laws are out there to 
protect against this after-the-fact? Is it true that if the seller closes the 
deal by sending you the merchandise then they have no case and can't go back 
and charge you?
 
Seems there should be something out there providing protection if the system is 
automated... Even though there should be checks in place people do have small 
budgets and rush a lot of the smaller E-com stores out.
 
JP

-Original Message- 
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] 
Sent: Wed 9/14/2005 7:35 PM 
To: Gadi Evron 
Cc: Josh Perrymon; full-disclosure@lists.grok.org.uk 
Subject: Re: [Full-disclosure] Exploiting an online store 



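The "hidden field carries the price" mistake Josh mentions, as an added example that is not code from the thread or from any real store: a checkout handler that reads the price back out of the submitted form, beside one that only accepts the item and quantity and re-derives the price from the server's own catalogue. The catalogue, SKUs and POST bodies are constructed; no real framework is modelled.

```python
# Added example (not from the original thread, not a real store): a checkout
# that trusts a hidden "price" form field, beside one that does not.
# Catalogue, SKUs and the submitted forms are all constructed here.

from decimal import Decimal

# Constructed catalogue: the server's own source of truth for prices.
CATALOGUE = {"sku-1001": Decimal("499.00"), "sku-2002": Decimal("19.95")}


def vulnerable_total(form: dict) -> Decimal:
    """Classic mistake: the hidden field rendered into the page is read back
    and believed, so anything the client edits before POSTing is honoured."""
    qty = int(form["qty"])
    return Decimal(form["price"]) * qty


def hardened_total(form: dict) -> Decimal:
    """The client may only name the item and the quantity; the price is looked
    up again on the server, and unknown SKUs or bad quantities are rejected."""
    sku = form["sku"]
    if sku not in CATALOGUE:
        raise ValueError(f"unknown sku {sku!r}")
    qty = int(form["qty"])
    if not 1 <= qty <= 99:
        raise ValueError(f"quantity out of range: {qty}")
    return CATALOGUE[sku] * qty


def safe_checkout(form: dict) -> tuple:
    """Handler-shaped wrapper: (accepted, total-or-reason)."""
    try:
        return True, str(hardened_total(form))
    except (KeyError, ValueError) as exc:
        return False, str(exc)


def price_was_tampered(form: dict) -> bool:
    """Detection angle for a store that still ships the hidden field: compare
    it with the catalogue and alert on a mismatch instead of charging it."""
    return "price" in form and Decimal(form["price"]) != CATALOGUE.get(form["sku"])


# Constructed POST bodies. HONEST_POST is what the original form would send;
# TAMPERED_POST is the same form after the shopper edited the hidden field.
HONEST_POST = {"sku": "sku-1001", "qty": "1", "price": "499.00"}
TAMPERED_POST = {"sku": "sku-1001", "qty": "1", "price": "0.01"}

if __name__ == "__main__":
    print("vulnerable total:", vulnerable_total(TAMPERED_POST))
    print("hardened total:  ", hardened_total(TAMPERED_POST))
    print("tampered?        ", price_was_tampered(TAMPERED_POST))
```

The hardened handler never needs the hidden field at all; if it is kept for display, `price_was_tampered` turns the mismatch into a log event, which is the detection side of the same problem.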

[Full-disclosure] [FLSA-2005:160202] Updated mozilla packages fix security issues

2005-09-14 Thread Marc Deslauriers
-
   Fedora Legacy Update Advisory

Synopsis:  Updated mozilla packages fix security issues
Advisory ID:   FLSA:160202
Issue date:2005-09-14
Product:   Red Hat Linux, Fedora Core
Keywords:  Bugfix
CVE Names: CAN-2005-2260 CAN-2005-2261 CAN-2005-2263
   CAN-2005-2265 CAN-2005-1937 CAN-2005-2266
   CAN-2005-2267 CAN-2005-2268 CAN-2005-2269
   CAN-2005-2270
-


-
1. Topic:

Updated mozilla packages that fix various security issues are now
available.

Mozilla is an open source Web browser, advanced email and newsgroup
client, IRC chat client, and HTML editor.

2. Relevant releases/architectures:

Red Hat Linux 7.3 - i386
Red Hat Linux 9 - i386
Fedora Core 1 - i386
Fedora Core 2 - i386

3. Problem description:

A bug was found in the way Mozilla handled synthetic events. It is
possible that Web content could generate events such as keystrokes or
mouse clicks that could be used to steal data or execute malicious
Javascript code. The Common Vulnerabilities and Exposures project
(cve.mitre.org) has assigned the name CAN-2005-2260 to this issue.

A bug was found in the way Mozilla executed Javascript in XBL controls.
It is possible for a malicious webpage to leverage this vulnerability to
execute other JavaScript based attacks even when JavaScript is disabled.
(CAN-2005-2261)

A bug was found in the way Mozilla installed its extensions. If a user
can be tricked into visiting a malicious webpage, it may be possible to
obtain sensitive information such as cookies or passwords.
(CAN-2005-2263)

A bug was found in the way Mozilla handled certain Javascript functions.
It is possible for a malicious webpage to crash the browser by executing
malformed Javascript code. (CAN-2005-2265)

A bug was found in the way Mozilla handled multiple frame domains. It is
possible for a frame as part of a malicious website to inject content
into a frame that belongs to another domain. This issue was previously
fixed as CAN-2004-0718 but was accidentally disabled. (CAN-2005-1937)

A bug was found in the way Mozilla handled child frames. It is possible
for a malicious framed page to steal sensitive information from its
parent page. (CAN-2005-2266)

A bug was found in the way Mozilla opened URLs from media players. If a
media player opens a URL which is Javascript, the Javascript executes
with access to the currently open webpage. (CAN-2005-2267)

A design flaw was found in the way Mozilla displayed alerts and prompts.
Alerts and prompts were given the generic title [JavaScript Application]
which prevented a user from knowing which site created them.
(CAN-2005-2268)

A bug was found in the way Mozilla handled DOM node names. It is
possible for a malicious site to overwrite a DOM node name, allowing
certain privileged chrome actions to execute the malicious Javascript.
(CAN-2005-2269)

A bug was found in the way Mozilla cloned base objects. It is possible
for Web content to traverse the prototype chain to gain access to
privileged chrome objects. (CAN-2005-2270)

Users of Mozilla are advised to upgrade to these updated packages, which
contain Mozilla version 1.7.10 and are not vulnerable to these issues.

4. Solution:

Before applying this update, make sure all previously released errata
relevant to your system have been applied.

To update all RPMs for your particular architecture, run:

rpm -Fvh [filenames]

where [filenames] is a list of the RPMs you wish to upgrade.  Only those
RPMs which are currently installed will be updated.  Those RPMs which
are not installed but included in the list will not be updated.  Note
that you can also use wildcards (*.rpm) if your current directory *only*
contains the desired RPMs.

Please note that this update is also available via yum and apt.  Many
people find this an easier way to apply updates.  To use yum issue:

yum update

or to use apt:

apt-get update; apt-get upgrade

This will start an interactive process that will result in the
appropriate RPMs being upgraded on your system.  This assumes that you
have yum or apt-get configured for obtaining Fedora Legacy content.
Please visit http://www.fedoralegacy.org/docs for directions on how to
configure yum and apt-get.

5. Bug IDs fixed:

https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=160202

6. RPMs required:

Red Hat Linux 7.3:
SRPM:
http://download.fedoralegacy.org/redhat/7.3/updates/SRPMS/mozilla-1.7.10-0.73.1.legacy.src.rpm
http://download.fedoralegacy.org/redhat/7.3/updates/SRPMS/galeon-1.2.14-0.73.4.legacy.src.rpm

i386:
http://download.fedoralegacy.org/redhat/7.3/updates/i386/mozilla-1.7.10-0.73.1.legacy.i386.rpm
http://download.fedoralegacy.org/redhat/7.3/updates/i386/mozilla-chat-1.7.10-0.73.1.legacy.i386.rpm
http://download.fedoraleg

[Full-disclosure] [FLSA-2005:162680] Updated Zlib packages fix security issues

2005-09-14 Thread Marc Deslauriers
-
   Fedora Legacy Update Advisory

Synopsis:  Updated Zlib packages fix security issues
Advisory ID:   FLSA:162680
Issue date:2005-09-14
Product:   Fedora Core
Keywords:  Bugfix
CVE Names: CAN-2005-1849 CAN-2005-2096
-


-
1. Topic:

Updated Zlib packages that fix buffer overflows are now available.

Zlib is a general-purpose lossless data compression library which is
used by many different programs.

2. Relevant releases/architectures:

Fedora Core 1 - i386
Fedora Core 2 - i386

3. Problem description:

Tavis Ormandy discovered a buffer overflow affecting Zlib version 1.2
and above. An attacker could create a carefully crafted compressed
stream that would cause an application to crash if the stream is opened
by a user. As an example, an attacker could create a malicious PNG image
file which would cause a web browser or mail viewer to crash if the
image is viewed. The Common Vulnerabilities and Exposures project
assigned the name CAN-2005-2096 to this issue.

Markus Oberhumer discovered additional ways a stream could trigger an
overflow. An attacker could create a carefully crafted compressed stream
that would cause an application to crash if the stream is opened by a
user. As an example, an attacker could create a malicious PNG image file
that would cause a Web browser or mail viewer to crash if the image is
viewed. The Common Vulnerabilities and Exposures project (cve.mitre.org)
assigned the name CAN-2005-1849 to this issue.

All users should update to these erratum packages which contain a patch
from Mark Adler which corrects this issue.

4. Solution:

Before applying this update, make sure all previously released errata
relevant to your system have been applied.

To update all RPMs for your particular architecture, run:

rpm -Fvh [filenames]

where [filenames] is a list of the RPMs you wish to upgrade.  Only those
RPMs which are currently installed will be updated.  Those RPMs which
are not installed but included in the list will not be updated.  Note
that you can also use wildcards (*.rpm) if your current directory *only*
contains the desired RPMs.

Please note that this update is also available via yum and apt.  Many
people find this an easier way to apply updates.  To use yum issue:

yum update

or to use apt:

apt-get update; apt-get upgrade

This will start an interactive process that will result in the
appropriate RPMs being upgraded on your system.  This assumes that you
have yum or apt-get configured for obtaining Fedora Legacy content.
Please visit http://www.fedoralegacy.org/docs for directions on how to
configure yum and apt-get.

5. Bug IDs fixed:

https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=162680

6. RPMs required:

Fedora Core 1:

SRPM:
http://download.fedoralegacy.org/fedora/1/updates/SRPMS/zlib-1.2.0.7-2.3.legacy.src.rpm

i386:
http://download.fedoralegacy.org/fedora/1/updates/i386/zlib-1.2.0.7-2.3.legacy.i386.rpm
http://download.fedoralegacy.org/fedora/1/updates/i386/zlib-devel-1.2.0.7-2.3.legacy.i386.rpm

Fedora Core 2:

SRPM:
http://download.fedoralegacy.org/fedora/2/updates/SRPMS/zlib-1.2.1.2-0.fc2.2.legacy.src.rpm

i386:
http://download.fedoralegacy.org/fedora/2/updates/i386/zlib-1.2.1.2-0.fc2.2.legacy.i386.rpm
http://download.fedoralegacy.org/fedora/2/updates/i386/zlib-devel-1.2.1.2-0.fc2.2.legacy.i386.rpm


7. Verification:

SHA1 sum Package Name
-

f242225e07d39648b0d7d6558150285ddf7f62d8
fedora/1/updates/i386/zlib-1.2.0.7-2.3.legacy.i386.rpm
618d744e5a8f9a895b40f952a8593985c93fd6d6
fedora/1/updates/i386/zlib-devel-1.2.0.7-2.3.legacy.i386.rpm
c812abcd0c5bcfccc86573e81d68ebff5b615ded
fedora/1/updates/SRPMS/zlib-1.2.0.7-2.3.legacy.src.rpm
d07c43de860f476302fcd1fc82d18db1835e1ba1
fedora/2/updates/i386/zlib-1.2.1.2-0.fc2.2.legacy.i386.rpm
f3326c134c6346ca8f120d86d28908ad45907bf9
fedora/2/updates/i386/zlib-devel-1.2.1.2-0.fc2.2.legacy.i386.rpm
2d288f7b2dd848a4c3f36d3ff7c200b9b629c868
fedora/2/updates/SRPMS/zlib-1.2.1.2-0.fc2.2.legacy.src.rpm

These packages are GPG signed by Fedora Legacy for security.  Our key is
available from http://www.fedoralegacy.org/about/security.php

You can verify each package with the following command:

rpm --checksig -v <filename>

If you only wish to verify that each package has not been corrupted or
tampered with, examine only the sha1sum with the following command:

sha1sum <filename>

8. References:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-1849
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-2096

9. Contact:

The Fedora Legacy security contact is <[EMAIL PROTECTED]>. More
project details at http://www.fedoralegacy.org

-

[Full-disclosure] [FLSA-2005:163047] Updated squirrelmail package fixes security issues

2005-09-14 Thread Marc Deslauriers
-
   Fedora Legacy Update Advisory

Synopsis:  Updated squirrelmail package fixes security issues
Advisory ID:   FLSA:163047
Issue date:2005-09-14
Product:   Red Hat Linux, Fedora Core
Keywords:  Bugfix
CVE Names: CAN-2005-1769 CAN-2005-2095
-


-
1. Topic:

An updated squirrelmail package that fixes two security issues is now
available.

SquirrelMail is a standards-based webmail package written in PHP4.

2. Relevant releases/architectures:

Red Hat Linux 9 - i386
Fedora Core 1 - i386
Fedora Core 2 - i386

3. Problem description:

A bug was found in the way SquirrelMail handled the $_POST variable. If
a user is tricked into visiting a malicious URL, the user's SquirrelMail
preferences could be read or modified. The Common Vulnerabilities and
Exposures project assigned the name CAN-2005-2095 to this issue.

Several cross-site scripting bugs were discovered in SquirrelMail. An
attacker could inject arbitrary Javascript or HTML content into
SquirrelMail pages by tricking a user into visiting a carefully crafted
URL, or by sending them a carefully constructed HTML email message. The
Common Vulnerabilities and Exposures project assigned the name
CAN-2005-1769 to this issue.

All users of SquirrelMail should upgrade to this updated package, which
contains backported patches that resolve these issues.

4. Solution:

Before applying this update, make sure all previously released errata
relevant to your system have been applied.

To update all RPMs for your particular architecture, run:

rpm -Fvh [filenames]

where [filenames] is a list of the RPMs you wish to upgrade.  Only those
RPMs which are currently installed will be updated.  Those RPMs which
are not installed but included in the list will not be updated.  Note
that you can also use wildcards (*.rpm) if your current directory *only*
contains the desired RPMs.

Please note that this update is also available via yum and apt.  Many
people find this an easier way to apply updates.  To use yum issue:

yum update

or to use apt:

apt-get update; apt-get upgrade

This will start an interactive process that will result in the
appropriate RPMs being upgraded on your system.  This assumes that you
have yum or apt-get configured for obtaining Fedora Legacy content.
Please visit http://www.fedoralegacy.org/docs for directions on how to
configure yum and apt-get.

5. Bug IDs fixed:

https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=163047

6. RPMs required:

Red Hat Linux 9:

SRPM:
http://download.fedoralegacy.org/redhat/9/updates/SRPMS/squirrelmail-1.4.3-0.f0.9.6.legacy.src.rpm

i386:
http://download.fedoralegacy.org/redhat/9/updates/i386/squirrelmail-1.4.3-0.f0.9.6.legacy.noarch.rpm

Fedora Core 1:

SRPM:
http://download.fedoralegacy.org/fedora/1/updates/SRPMS/squirrelmail-1.4.3-0.f1.1.5.legacy.src.rpm

i386:
http://download.fedoralegacy.org/fedora/1/updates/i386/squirrelmail-1.4.3-0.f1.1.5.legacy.noarch.rpm

Fedora Core 2:

SRPM:
http://download.fedoralegacy.org/fedora/2/updates/SRPMS/squirrelmail-1.4.4-1.FC2.2.legacy.src.rpm

i386:
http://download.fedoralegacy.org/fedora/2/updates/i386/squirrelmail-1.4.4-1.FC2.2.legacy.noarch.rpm


7. Verification:

SHA1 sum Package Name
-

5182c295693a72d9602945a5985c39c125f2b422
redhat/9/updates/i386/squirrelmail-1.4.3-0.f0.9.6.legacy.noarch.rpm
1aec842c861408106c2818cf4c58caf762367230
redhat/9/updates/SRPMS/squirrelmail-1.4.3-0.f0.9.6.legacy.src.rpm
10dcfc4975cbe049df638ff43304e0a6a22f58a2
fedora/1/updates/i386/squirrelmail-1.4.3-0.f1.1.5.legacy.noarch.rpm
5f0c54493ae619de8a85813947470bfedd5415f2
fedora/1/updates/SRPMS/squirrelmail-1.4.3-0.f1.1.5.legacy.src.rpm
83e7c1b6a1f070894be5456b3dd850b3a6f090b2
fedora/2/updates/i386/squirrelmail-1.4.4-1.FC2.2.legacy.noarch.rpm
de4f2ef84e23b310f7f845ee8624360dadb7b74d
fedora/2/updates/SRPMS/squirrelmail-1.4.4-1.FC2.2.legacy.src.rpm

These packages are GPG signed by Fedora Legacy for security.  Our key is
available from http://www.fedoralegacy.org/about/security.php

You can verify each package with the following command:

rpm --checksig -v <filename>

If you only wish to verify that each package has not been corrupted or
tampered with, examine only the sha1sum with the following command:

sha1sum <filename>

8. References:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-1769
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-2095

9. Contact:

The Fedora Legacy security contact is <[EMAIL PROTECTED]>. More
project details at http://www.fedoralegacy.org

-



[Full-disclosure] [FLSA-2005:163274] Updated CUPS packages fix security issue

2005-09-14 Thread Marc Deslauriers
-
   Fedora Legacy Update Advisory

Synopsis:  Updated CUPS packages fix security issue
Advisory ID:   FLSA:163274
Issue date:2005-09-14
Product:   Red Hat Linux, Fedora Core
Keywords:  Bugfix
CVE Names: CAN-2005-2154
-


-
1. Topic:

Updated CUPS packages that fix a security issue are now available.

The Common UNIX Printing System provides a portable printing layer for
UNIX(R) operating systems.

2. Relevant releases/architectures:

Red Hat Linux 7.3 - i386
Red Hat Linux 9 - i386
Fedora Core 1 - i386
Fedora Core 2 - i386

3. Problem description:

When processing a request, the CUPS scheduler would use case-sensitive
matching on the queue name to decide which authorization policy should
be used. However, queue names are not case-sensitive. An unauthorized
user could print to a password-protected queue without needing a
password. The Common Vulnerabilities and Exposures project has assigned
the name CAN-2005-2154 to this issue.

All users of CUPS should upgrade to these erratum packages which contain
a backported patch to correct this issue.
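The mismatch the advisory describes, as an added example that is not CUPS code: a toy scheduler whose queue lookup is case-insensitive but whose policy lookup is an exact string match, so a request naming the protected queue in a different case finds the printer and falls through to the default (open) policy. The queue names, the policy table and the requests are constructed; the fix is to canonicalize the name before every comparison that decides authorization.

```python
# Added example (not CUPS code): authorization keyed on a non-canonical name.
# Queue names, policies and requests are constructed for illustration.

# Constructed policy table, keyed the way an administrator spelled the queue
# names in the configuration: "Finance" needs a password, "Lobby" is open.
POLICIES = {"Finance": "require-password", "Lobby": "open"}
DEFAULT_POLICY = "open"


def vulnerable_policy_for(queue: str) -> str:
    """Exact-match lookup: "FINANCE" or "finance" finds no entry and silently
    falls through to the default policy."""
    return POLICIES.get(queue, DEFAULT_POLICY)


def fixed_policy_for(queue: str) -> str:
    """Fold both sides to one case before comparing, matching how the scheduler
    resolves queue names everywhere else."""
    folded = {name.lower(): policy for name, policy in POLICIES.items()}
    return folded.get(queue.lower(), DEFAULT_POLICY)


def resolve_queue(queue: str):
    """The lookup that actually finds the printer is case-insensitive, so the
    differently-cased request still reaches the protected queue."""
    for name in POLICIES:
        if name.lower() == queue.lower():
            return name
    return None


def authorize(queue: str, supplied_password, policy_for) -> tuple:
    """Decide a print request: (allowed, canonical queue name or reason)."""
    target = resolve_queue(queue)
    if target is None:
        return (False, "no such queue")
    if policy_for(queue) == "require-password" and not supplied_password:
        return (False, "password required")
    return (True, target)


if __name__ == "__main__":
    for name in ("Finance", "FINANCE", "finance"):
        print(f"{name:8s} vulnerable={authorize(name, None, vulnerable_policy_for)} "
              f"fixed={authorize(name, None, fixed_policy_for)}")
```

The general rule this illustrates: whatever identifier selects the resource must be canonicalized identically before it selects the policy, otherwise the two lookups can disagree and the policy lookup loses.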

4. Solution:

Before applying this update, make sure all previously released errata
relevant to your system have been applied.

To update all RPMs for your particular architecture, run:

rpm -Fvh [filenames]

where [filenames] is a list of the RPMs you wish to upgrade.  Only those
RPMs which are currently installed will be updated.  Those RPMs which
are not installed but included in the list will not be updated.  Note
that you can also use wildcards (*.rpm) if your current directory *only*
contains the desired RPMs.

Please note that this update is also available via yum and apt.  Many
people find this an easier way to apply updates.  To use yum issue:

yum update

or to use apt:

apt-get update; apt-get upgrade

This will start an interactive process that will result in the
appropriate RPMs being upgraded on your system.  This assumes that you
have yum or apt-get configured for obtaining Fedora Legacy content.
Please visit http://www.fedoralegacy.org/docs for directions on how to
configure yum and apt-get.

5. Bug IDs fixed:

https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=163274

6. RPMs required:

Red Hat Linux 7.3:
SRPM:
http://download.fedoralegacy.org/redhat/7.3/updates/SRPMS/cups-1.1.14-15.4.5.legacy.src.rpm

i386:
http://download.fedoralegacy.org/redhat/7.3/updates/i386/cups-1.1.14-15.4.5.legacy.i386.rpm
http://download.fedoralegacy.org/redhat/7.3/updates/i386/cups-devel-1.1.14-15.4.5.legacy.i386.rpm
http://download.fedoralegacy.org/redhat/7.3/updates/i386/cups-libs-1.1.14-15.4.5.legacy.i386.rpm

Red Hat Linux 9:

SRPM:
http://download.fedoralegacy.org/redhat/9/updates/SRPMS/cups-1.1.17-13.3.0.14.legacy.src.rpm

i386:
http://download.fedoralegacy.org/redhat/9/updates/i386/cups-1.1.17-13.3.0.14.legacy.i386.rpm
http://download.fedoralegacy.org/redhat/9/updates/i386/cups-devel-1.1.17-13.3.0.14.legacy.i386.rpm
http://download.fedoralegacy.org/redhat/9/updates/i386/cups-libs-1.1.17-13.3.0.14.legacy.i386.rpm

Fedora Core 1:

SRPM:
http://download.fedoralegacy.org/fedora/1/updates/SRPMS/cups-1.1.19-13.9.legacy.src.rpm

i386:
http://download.fedoralegacy.org/fedora/1/updates/i386/cups-1.1.19-13.9.legacy.i386.rpm
http://download.fedoralegacy.org/fedora/1/updates/i386/cups-devel-1.1.19-13.9.legacy.i386.rpm
http://download.fedoralegacy.org/fedora/1/updates/i386/cups-libs-1.1.19-13.9.legacy.i386.rpm

Fedora Core 2:

SRPM:
http://download.fedoralegacy.org/fedora/2/updates/SRPMS/cups-1.1.20-11.11.2.legacy.src.rpm

i386:
http://download.fedoralegacy.org/fedora/2/updates/i386/cups-1.1.20-11.11.2.legacy.i386.rpm
http://download.fedoralegacy.org/fedora/2/updates/i386/cups-devel-1.1.20-11.11.2.legacy.i386.rpm
http://download.fedoralegacy.org/fedora/2/updates/i386/cups-libs-1.1.20-11.11.2.legacy.i386.rpm


7. Verification:

SHA1 sum Package Name
-

0c703164c4314cc91e31a859ed8e149e4249bd68
redhat/7.3/updates/i386/cups-1.1.14-15.4.5.legacy.i386.rpm
62414dc09ab8e240f92fe476dc272d227ba223ce
redhat/7.3/updates/i386/cups-devel-1.1.14-15.4.5.legacy.i386.rpm
4bce41d4c0323700d3a78adf21bb3ff0790cbe44
redhat/7.3/updates/i386/cups-libs-1.1.14-15.4.5.legacy.i386.rpm
2fa58515d46929fe6116c8c72e50c26b8313c504
redhat/7.3/updates/SRPMS/cups-1.1.14-15.4.5.legacy.src.rpm
4d6585d937c4855c8d999bc292d17e13258d5cb5
redhat/9/updates/i386/cups-1.1.17-13.3.0.14.legacy.i386.rpm
445a0332fff4b09cd2c4f8d7643fb12213498608
redhat/9/updates/i386/cups-devel-1.1.17-13.3.0.14.legacy.i386.rpm
d65b045173aba91de7fa2d44217ba6d939a775a3
redhat/9/updates/i386/cups-libs-1.1.17-13.3.0.14.legacy.i386.rpm
35bf3fdafd340588d4c8f167709d53bcc2eb6ff4
redhat/9/updates/SRPMS

[Full-disclosure] FF IDN buffer overflow workaround works in Netscape too

2005-09-14 Thread Juha-Matti Laurio
Summary about Firefox IDN buffer overflow vulnerability workarounds in 
Netscape Browser


[a new, more informative title used]

Instructions and methods described at Mozilla Foundation Security 
Advisory "What Firefox and Mozilla users should know about the IDN 
buffer overflow security issue"
https://addons.mozilla.org/messages/307259.html (yes, it was 
http://www.mozilla.org/security/idn.html earlier) can be used in Netscape too.
This advisory has been included in security company advisories handling 
this security issue and mentioned widely in the news.


Disabling IDN (Internationalized Domain Names) support via about:config 
Location Bar
feature or prefs.js configuration file is possible in Netscape Browser 8 
too. Additionally, .xpi file for Firefox and Mozilla Suite works in 
Netscape 8.0.3.3 too. Test in Windows environment was successful and 
even UA was changed to include 'Gecko/20050729 <<(No IDN)>> 
Netscape/8.0.3.3' string.

However, the manual method is recommended.
Vendor developer team was contacted, no reply yet.

Like US-CERT says in Firefox VU#573857: "While implementing this 
workaround does not correct the buffer overflow error, it prevents the 
vulnerable portion of code from being exploited."


When an updated version of Netscape Browser 8 is available the download 
link is http://browser.netscape.com/ns8/download/default.jsp


Regards,
Juha-Matti Laurio
Security researcher
Finland



Re: [Full-disclosure] Exploiting an online store

2005-09-14 Thread Valdis . Kletnieks
On Thu, 15 Sep 2005 03:29:25 +0200, Gadi Evron said:

> Check the date of the article. That company no longer exists and SQL 
> injections are not THAT big of an issue for established eCommerce sites 
> as they were in 1999.

Which is exactly why the previous posting on the list was an SQL injection
in Oracle Reports.  I see.. :)



RE: [Full-disclosure] FireFox Host: Buffer Overflow is not justexploitable on FireFox

2005-09-14 Thread Juha-Matti Laurio

> Hi Juha!
>
>> I have informed the vendor Netscape being affected on 9th 
>> September 2005.
>
> I did the same on the 10th of September - still no reply nor official
> statement from Netscape which makes me a little worried.

Good to know. It seems that's their way to act.
They had a coverage Security Center wp.netscape.com/security/index.html 
earlier, but all these wp.netscape.com pages redirect to the Netscape 
Browser 8.0 main page at the time of writing.

>> Disabling IDN support via about:config (or prefs.js file) is 
>> possible in Netscape Browser 8 too. Xpi file for Firefox and 
>
> Correct. I reported that workaround on the 10th of September.
>
> I did so using both the security address at netscape.com and the "submission
> form" on Netscape's official webpage. I never got any reply/response from
> netscape. 

Yes, I have similar experiences. I have information that they are 
reading their bug report submissions, however.

> Netscape uses the same rendering engine as Firefox (unless explicitly told
> to use IE) and as such, will also be vulnerable. The workaround, covered by
> the Mozilla Team, will correct the problem simply by disabling IDN.
>
> Regards
> Peter Kruse

Thanks for sharing the word.

- Juha-Matti



Re: [Full-disclosure] Exploiting an online store

2005-09-14 Thread Gadi Evron

Josh Perrymon wrote:

> I was reading an article about an attacker that could have changed a
> price in an online shopping cart-


Check the date of the article. That company no longer exists and SQL 
injections are not THAT big of an issue for established eCommerce sites 
as they were in 1999.


Web security is still a major issue, but this article is nothing but FUD 
in 2005.


Eran Reshef is now CEO of the infamous Blue Security.

Gadi.

--
Available for consulting:
+972-50-5428610 / [EMAIL PROTECTED]


Re: [Full-disclosure] Mozilla / Mozilla Firefox authentication weakness

2005-09-14 Thread Juha-Matti Laurio

> This is https://bugzilla.mozilla.org/show_bug.cgi?id=281851



It seems that this is assigned to 
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-2395 (in July 
'05) too.


- Juha-Matti

___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


[Full-disclosure] Oracle Reports: Generic SQL Injection Vulnerability via Lexical References

2005-09-14 Thread Kornbrust, Alexander


Red-Database-Security GmbH  - Oracle Reports Security Advisory

Generic SQL Injection Vulnerability in Oracle Reports via Lexical
References

 Name                Generic SQL Injection Vulnerability in Oracle
                     Reports via Lexical References
 Systems Affected    Generated Oracle Reports using Lexical References
 Severity            High Risk
 Category            SQL Injection
 Remote Exploitable  Yes
 Vendor URL          http://www.oracle.com
 Author              Alexander Kornbrust (ak at red-database-security.com)
 Date                15 September 2005 (V 1.00)
 Advisory-URL        http://www.red-database-security.com/wp/sql_injection_reports_us.pdf

 

Details
###
Oracle Reports provides a feature called lexical references. A lexical
reference is a placeholder for text that you embed in a SELECT statement.
It is possible to replace the clauses appearing after SELECT, FROM, WHERE,
GROUP BY, ORDER BY, HAVING, CONNECT BY and START WITH.

If lexical references are in use it is possible to modify SQL statements
via a simple URL. After adding the parameter "paramform=yes" to the URL
a parameter form window appears (SQL injection with a menu).

An attacker can modify the parameter values and inject SQL statements.



Testcase

Execute an Oracle Report via a URL, e.g.
http://myserver:8889/reports/rwservlet?report=sqlinject3.rdf+userid=scott/[EMAIL PROTECTED]

Add the value paramform=yes to the URL
http://myserver:8889/reports/rwservlet?report=sqlinject3.rdf+userid=scott/[EMAIL PROTECTED]

A parameter window appears. Inject the SQL statement by modifying the
values in the parameter form and submit the query.


A detailed description including hardcopies is available in the PDF
advisory:

http://www.red-database-security.com/wp/sql_injection_reports_us.pdf
(English)
http://www.red-database-security.com/wp/sql_injection_reports_dt.pdf
(German)



Affected systems

All generated reports using lexical references without input validation.



Patch Information
#
This issue is not a bug in Oracle Reports itself. It is a problem of
missing input validation in all generated Oracle Reports.



Fix
###
Validate all parameter values before the SQL statement is executed, in an
After-Parameter-Form trigger.



History
###
14-may-2004 Oracle secalert was informed to give them time to fix their
reports in the E-Business Suite.

15-sep-2005 Red-Database-Security published this advisory



(c) 2005 by Red-Database-Security GmbH
http://www.red-database-security.com
___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
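The following is an added example, not Oracle's code and not the test report from the advisory above. It models in Python what a lexical reference does (the parameter text is spliced verbatim into the report's SELECT statement) and the kind of allow-list validation the advisory's Fix section asks for in an After-Parameter-Form trigger. The report query, the column names and the parameter name P_WHERE are assumptions made for the illustration; a real trigger would be written in PL/SQL inside the report.

```python
"""Illustrative model of Oracle Reports lexical references and the
validation the advisory recommends. Added example code, not Oracle's
implementation; the query, columns and parameter names are assumed."""
import re

# Assumed report query: the lexical reference &P_WHERE is replaced with the
# raw text of the P_WHERE parameter before the statement reaches the database.
REPORT_QUERY = "SELECT ename, job, sal FROM emp &P_WHERE"


def expand_lexical_refs(query: str, params: dict) -> str:
    """Substitute &NAME placeholders verbatim, the way a lexical reference
    is expanded: the parameter text becomes part of the SQL itself."""
    return re.sub(r"&(\w+)", lambda m: params[m.group(1)], query)


# Allow-list grammar for P_WHERE: an optional WHERE clause on one known
# column compared to a numeric literal. Anything else is rejected.
ALLOWED_COLUMNS = {"deptno", "empno"}
WHERE_RE = re.compile(r"^\s*(?:WHERE\s+(\w+)\s*=\s*(\d+))?\s*$", re.IGNORECASE)


def validate_where(value: str) -> bool:
    """The check an After-Parameter-Form trigger should perform before the
    query runs: accept only 'WHERE <allowed column> = <number>' or empty."""
    m = WHERE_RE.match(value)
    if not m:
        return False
    col = m.group(1)
    return col is None or col.lower() in ALLOWED_COLUMNS


def run_report(params: dict) -> str:
    """Expand the query only after validation; raise otherwise."""
    if not validate_where(params.get("P_WHERE", "")):
        raise ValueError("P_WHERE rejected by parameter validation")
    return expand_lexical_refs(REPORT_QUERY, params)


if __name__ == "__main__":
    # Legitimate value supplied through the parameter form.
    print(run_report({"P_WHERE": "WHERE deptno = 10"}))
    # Injected value: without validation it is spliced straight into the
    # statement and changes what the report selects.
    injected = "WHERE 1=1 UNION SELECT username, 'x', 0 FROM all_users"
    print(expand_lexical_refs(REPORT_QUERY, {"P_WHERE": injected}))
    try:
        run_report({"P_WHERE": injected})
    except ValueError as exc:
        print("blocked:", exc)
```

The point of the allow-list is that a lexical reference cannot be protected by quoting or by a bind variable, because the whole clause is text by design; the only defence is to accept a narrow grammar and reject everything else before the statement is built.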


RE: [Full-disclosure] Exploiting an online store

2005-09-14 Thread Thomas Quinlan

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Josh perrymon
Sent: Wednesday, September 14, 2005 4:05 PM
To: full-disclosure@lists.grok.org.uk
Subject: [Full-disclosure] Exploiting an online store

I was reading an article about an attacker that could have
changed a price in an online shopping cart-

Snip

What are laws on this??  What if the guy did make the
transaction using his credit card? Since it is just a web transaction sending
html from the client to the server what proof would they have?

Joshua Perrymon

IANAL, but I believe that the contract
isn’t formed between buyer and seller until the purchase price is
accepted on both sides and money changes hands.  The price in a store is analogous
to one in a catalog – suggested, and subject to change.  Typically,
that means by the seller, but if the buyer does it and the seller accepts the
price, then it is a legal transaction.  Once the money is accepted, the seller
has agreed to sell at that price, and taken the money, making it difficult for him
to suggest that he was unaware.

Of course, what typically happens is that
the seller goes to ship the item, and sees how much was paid, and sends a bill for
the remaining balance before the item is shipped.  Proof isn’t
really needed.

Tom

___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

[Full-disclosure] Exploiting an online store

2005-09-14 Thread Josh perrymon

I was reading an article about an attacker that could have changed
a price in an online shopping cart-

Snip

Next, Reshef performed a little number he calls ``electronic 
shoplifting'': He edited the site's online order form to reduce the price 
of a book from $22.95 to $2.95. Had he gone a few steps farther, Reshef 
actually could have purchased the book for the reduced price, adding a 
whole new spin to Priceline.com's ``name-your-own-price'' marketing 
campaign. 

Reshef's exploits didn't require any sophisticated software or 
particularly detailed knowledge of computer code. ``The only thing you 
need is an HTML editor that comes bundled with your Netscape or Internet 
Explorer browser,'' he said. ``There is no magic to this.'' 

What are laws on this??  What if the guy did make the
transaction using his credit card? Since it is just a web transaction sending
html from the client to the server what proof would they have?

Joshua Perrymon

___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

RE: [Full-disclosure] Fwd: SF new mailing list announcement: BS 7799Security

2005-09-14 Thread ad
What news!! Keep up the good work, n3td3v :D

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On behalf of n3td3v
Sent: Wednesday, 14 September 2005 19:11
To: full-disclosure@lists.grok.org.uk
Subject: [Full-disclosure] Fwd: SF new mailing list announcement: BS
7799 Security

-- Forwarded message --
From: Daniel Hanson <[EMAIL PROTECTED]>
Date: Sep 14, 2005 3:02 PM
Subject: SF new mailing list announcement: BS 7799 Security
To: [EMAIL PROTECTED]



The following mailing list was just added to the SecurityFocus
collection of moderated mailing lists: BS 7799 Security. To see the
complete list of all 31 moderated SecurityFocus mailing lists and their
charters, visit http://www.securityfocus.com/archive.


How do I subscribe to the list ?

Send an e-mail message to  [EMAIL PROTECTED] The
contents of the subject or message body do not matter. You will receive
a confirmation request message to which you will have to answer.

How do I unsubscribe from the list ?

Send an e-mail message to  [EMAIL PROTECTED] The
contents of the subject or message body do not matter. You will receive
a confirmation request message to which you will have to answer.



-- 
http://www.geocities.com/n3td3v
___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/



Re: [Full-disclosure] Mozilla / Mozilla Firefox authentication weakness

2005-09-14 Thread Daniel Veditz

This is https://bugzilla.mozilla.org/show_bug.cgi?id=281851

3APA3A wrote:

  I  have  reported  this issue some time ago:
  http://www.security.nnov.ru/Fnews19.html
  but  it looks like it was ignored, and not fixed in latest mozilla and
  firefox releases, so I decided to send "formal" advisory


___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


[Full-disclosure] Fwd: SF new mailing list announcement: BS 7799 Security

2005-09-14 Thread n3td3v
-- Forwarded message --
From: Daniel Hanson <[EMAIL PROTECTED]>
Date: Sep 14, 2005 3:02 PM
Subject: SF new mailing list announcement: BS 7799 Security
To: [EMAIL PROTECTED]



The following mailing list was just added to the SecurityFocus
collection of moderated mailing lists: BS 7799 Security. To see the
complete list of all 31 moderated SecurityFocus mailing lists and their
charters, visit http://www.securityfocus.com/archive.


How do I subscribe to the list ?

Send an e-mail message to  [EMAIL PROTECTED] The
contents of the subject or message body do not matter. You will receive
a confirmation request message to which you will have to answer.

How do I unsubscribe from the list ?

Send an e-mail message to  [EMAIL PROTECTED] The
contents of the subject or message body do not matter. You will receive
a confirmation request message to which you will have to answer.



-- 
http://www.geocities.com/n3td3v
___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


Re: [Full-disclosure] Exploiting a Worm

2005-09-14 Thread Frank Knobbe
On Tue, 2005-09-13 at 22:29 +, Ian Gizak wrote:
> I'm pentesting a client's network and I have found a Windows NT4 machine 
> with ports 620 and 621 TCP ports open.
> 
> When I netcat this port, it returns garbage binary strings. When I connect 
> to port 113 (auth), it replies with random USERIDs.
> [...]
> I have checked the open ports and no-one seems to be the worm ftp server or 
> something useful related to the worm. Some ports allow input but don't reply 
> anything...

Could it be that you are buzzing around a honeypot like a moth around a
porch light? Or have you followed up with the client, and can you rule it
out as a honeypot? Otherwise it's a very interesting port fingerprint
for an NT4 box :)

Cheers,
Frank

-- 
Ciscogate: Shame on Cisco. Double-Shame on ISS.


___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

[Full-disclosure] Security Conference

2005-09-14 Thread Ron Bidule
For those of you that are interested in: hack.lu 2005

The purpose of the hack.lu convention is to give an open and free
playground where people can discuss the implication of new technologies
(mainly security) on society. hack.lu is a balanced convention where
technical and non-technical people can meet each other and share freely
all kind of information. The convention will be held in the Grand-Duchy
of Luxembourg on Friday/Saturday 14-15 October 2005
(http://www.hack.lu/wiki/index.php/Map). The convention is open and free
to everyone.

Scope

Topics of interest include, but are not limited to:
* Software Engineering
* Honeypots/Honeynets
* Electronic/Digital Privacy
* Wireless Network and Security
* Attacks on Information Systems and/or Digital Information Storage
* Electronic Voting
* Free Software and Security
* Assessment of Computer, Electronic Devices and Information Systems
* Standards for Information Security
* Legal and Social Aspect of Information Security
* Software Engineering and Security
* Forensic Analysis

Agenda

A preview agenda is available including workshops and lectures -
http://www.hack.lu/wiki/index.php/Agenda

Registration

Registration is now open: http://www.hack.lu/wiki/index.php/RegistrationPage
As the hack.lu 2005 event is free, registration is optional but highly
recommended. The first 100 users to register will receive a MISC magazine.

Capture The Flag Contest

A Capture The Flag Contest will be held on Saturday. If you want to
participate and propose a team, feel free to check the web page:
http://www.hack.lu/wiki/index.php/CaptureTheFlag
___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Re: [Full-disclosure] WiFi encryption performance comparison?

2005-09-14 Thread Xyberpix
Hey Paul,

What sort of info exactly are you looking for? Throughput figures, etc?

The difference you will notice in network performance between WEP 128 and WPA is
really minimal; to be honest with you, you shouldn't really notice any
performance hit at all. When it comes to WEP 64 and WEP 128, you shouldn't
notice a difference either. As far as WEP 64, WEP 128, and WPA go, they all use
RC4 encryption; the difference is that WPA uses TKIP as well as the RC4
encryption method. When it comes to WPA2 though, you are talking about stronger
encryption methods such as AES. This may have a hit on your network throughput
depending on the hardware in use, but you will need pretty recent hardware to be
using WPA2, so theoretically you shouldn't notice too much difference here
either.

This really begs the question though as to why you are even asking about WEP,
either 64 or 128? Care to elaborate at all?

xyberpix
 
>On Wed Sep 14  7:16 , Paul Day <[EMAIL PROTECTED]> sent:
>
>>Howdy,
>>
>>Does anyone have any real-world info/papers/figures on comparing the
>>performance of WEP64 vs 128 vs WPA vs WPA2 etc on recent-ish hardware? ie,
>>same hardware, different encryption methods, performance trade-offs from
>>each. Google's not being awfully helpful.
>>
>>Thanks in advance. :)
>>
>>Cheers,
>>Paul
>>
>>___
>>Full-Disclosure - We believe in it.
>>Charter: http://lists.grok.org.uk/full-disclosure-charter.html
>>Hosted and sponsored by Secunia - http://secunia.com/
>
>

___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


[Full-disclosure] Secunia Research: AVIRA Antivirus ACE Archive Handling Buffer Overflow

2005-09-14 Thread Secunia Research
== 

 Secunia Research 14/09/2005

  - AVIRA Antivirus ACE Archive Handling Buffer Overflow -

== 
Table of Contents

Affected Software1
Severity.2
Description of Vulnerability.3
Solution.4
Time Table...5
Credits..6
References...7
About Secunia8
Verification.9

== 
1) Affected Software 

AVIRA Desktop for Windows version 1.00.00.68 
with AVPACK32.DLL version 6.31.0.3.

Prior versions may also be affected.

== 
2) Severity 

Rating: Highly Critical
Impact: System access
Where:  Remote

== 
3) Description of Vulnerability

Secunia Research has discovered a vulnerability in AVIRA Desktop for
Windows antivirus, which can be exploited by malicious people to 
compromise a vulnerable system.

The vulnerability is caused due to a boundary error when reading the
filename of a compressed file from an ACE archive. This can be
exploited to cause a stack-based buffer overflow when an ACE archive
containing a compressed file with an overly long filename is scanned.

Successful exploitation allows arbitrary code execution, but
requires that archive scanning is enabled.

The vulnerability is related to:
SA14359

== 
4) Solution 

Update to the latest version via online update.
(AVPACK32.DLL version 6.31.1.7).

== 
5) Time Table 

05/09/2005 - Initial vendor notification.
05/09/2005 - Initial vendor reply.
06/09/2005 - Vendor provides updated version for testing.
14/09/2005 - Public disclosure.

== 
6) Credits 

Discovered by Tan Chew Keong, Secunia Research.

== 
7) References

AVIRA:
http://www.avira.com/en/news/avira_desktop_for_windows_patched_against_vulnerability.html

== 
8) About Secunia 

Secunia collects, validates, assesses, and writes advisories regarding 
all the latest software vulnerabilities disclosed to the public. These 
advisories are gathered in a publicly available database at the 
Secunia website: 

http://secunia.com/

Secunia offers services to our customers enabling them to receive all 
relevant vulnerability information to their specific system 
configuration. 

Secunia offers a FREE mailing list called Secunia Security Advisories: 

http://secunia.com/secunia_security_advisories/

== 
9) Verification 

Please verify this advisory by visiting the Secunia website:
http://secunia.com/secunia_research/2005-43/advisory/

Complete list of vulnerability reports published by Secunia Research:
http://secunia.com/secunia_research/

==

___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


RE: [Full-disclosure] Mozilla Firefox "Host:" Buffer Overflow Exploit

2005-09-14 Thread Larry Seltzer
There was some confusion as to whether this bug
(https://bugzilla.mozilla.org/show_bug.cgi?id=307259 in bugzilla) was
similar or identical to https://bugzilla.mozilla.org/show_bug.cgi?id=267669.
David Baron of Mozilla is saying (I think - see
https://bugzilla.mozilla.org/show_bug.cgi?id=267669#c39) that they are not
the same. 

Can someone parse that comment 39 in my last link for me? I don't understand
what he is saying, and if I take Firefox 1.0.6 with network.enableIDN set to
true and run the test case linked to in bug 267669, the browser crashes. If
I run it with network.enableIDN set to false, it doesn't crash. It sure
quacks like the same bug.

Larry Seltzer
eWEEK.com Security Center Editor
http://security.eweek.com/
http://blog.ziffdavis.com/seltzer
Contributing Editor, PC Magazine
[EMAIL PROTECTED] 


___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


[Full-disclosure] WiFi encryption performance comparison?

2005-09-14 Thread Paul Day
Howdy,

Does anyone have any real-world info/papers/figures on comparing the
performance of WEP64 vs 128 vs WPA vs WPA2 etc on recent-ish hardware? ie,
same hardware, different encryption methods, performance trade-offs from
each. Google's not being awfully helpful.

Thanks in advance. :)

Cheers,
Paul

___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


Re: [Full-disclosure] Re: Full-Disclosure Digest, Vol 7, Issue 25

2005-09-14 Thread Peer Janssen

lonely wolf wrote:


Peer Janssen wrote:


Aditya Deshmukh wrote:


(on system you want to copy)
dd if=/dev/hda | nc otherhost 5000   


If you are running bash, then you do not even need netcat:

dd if=/dev/hda > /dev/tcp/otherhost/5000  


This is interesting.


Indeed :-)

Which version of bash are you using? I haven't found it in my man 
page! 


My guess is that it probably has nothing to do with bash but with the 
devices your system provides.

But where is documentation for this kind of useful information anyway?


It's been in bash for a long time. However, not all distributions compile 
bash with this option activated. Debian, for instance, does not.


That's good to know, thank you.

My question was somewhat more about finding information about such 
things, though. (Related: Will a bash compiled with that option 
automatically include the doc for this feature?)


I never found information about the following recurrent question of mine 
either:
If I plug in a USB storage device, it has a /dev/sg<...> assigned to 
it. But which one? I need to know this mapping in order to mount it. I 
always deduce this device's name from the syslog, which works but is a 
bit of a PITA, so I always wondered if there is no other way to get this 
info, namely something like lsusb. lsusb, which would be the logical 
place to look for it, doesn't give away this info, at least not in an 
easily recognizable form (e.g. I never figured it out). sg_scan and such 
didn't do the trick for me either, although I might have missed 
something here.


Peer

___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


[Full-disclosure] Mozilla / Mozilla Firefox authentication weakness

2005-09-14 Thread 3APA3A
Dear bugTraq,

  I  have  reported  this issue some time ago:
  http://www.security.nnov.ru/Fnews19.html
  but  it looks like it was ignored, and not fixed in latest mozilla and
  firefox releases, so I decided to send "formal" advisory


Issue:  Mozilla browsers authentication weakness
Author: 3APA3A <[EMAIL PROTECTED]>
Advisory URL:   http://www.security.nnov.ru/Fnews19.html
Vendor: Mozilla (http://www.mozilla.org)
Products:   Mozilla 1.7.11 (Windows version tested)
FireFox 1.0.6 (Windows version tested)
Type:   Man-in-the-Middle, information leak
Exploit:Not required

I. Intro

 RFC  2617  defines  the authentication mechanism for the HTTP protocol.
 Every web browser implements this standard for web site access
 authentication.

II. Vulnerability

 Firefox  and  Mozilla  browsers  have a vulnerability in their
 authentication mechanism implementation. The potential impact of this
 vulnerability is that a weak authentication protocol (for example
 cleartext) may be chosen for Web site authentication instead of a
 stronger one.

III. Details

From RFC 2617:

   The user agent MUST
   choose to use one of the challenges with the strongest auth-scheme it
   understands and request credentials from the user based upon that
   challenge.

 Instead,  Mozilla  uses  the  authentication  schemes  in  the order of
 the WWW-Authenticate headers sent by the Web server. This may lead to a
 situation where weak authentication (for example cleartext "Basic"
 authentication) is chosen by Mozilla while both the server and Mozilla
 support a stronger authentication mechanism.

IV. Demonstration

These links demonstrate the initial handshake for different authentication
protocols:

http://www.security.nnov.ru/files/atest/basic.asp - Basic authentication
http://www.security.nnov.ru/files/atest/digest.asp - Digest authentication
http://www.security.nnov.ru/files/atest/ntlm.asp - NTLM authentication
http://www.security.nnov.ru/files/atest/negotiate.asp - Negotiate authentication

With this link you can check which protocol is chosen by the browser when
the server supports several authentication protocols:
http://www.security.nnov.ru/files/atest/all.asp
For Mozilla/Firefox, "Basic" authentication, with the cleartext login/password
transmitted over the wire, is chosen by default. By pressing "Cancel" you
can choose a different authentication scheme. Internet Explorer offers the
strongest authentication.
 
 
-- 
http://www.security.nnov.ru
 /\_/\
{ , . } |\
+--oQQo->{ ^ }<-+ \
|  ZARAZA  U  3APA3A   } You know my name - look up my number (The Beatles)
+-o66o--+ /
|/

___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
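As an added example (not Mozilla's code and not the test pages on security.nnov.ru), the following Python picks an HTTP authentication scheme from a server's 401 challenges in two ways: in header order, which is the behaviour the advisory describes, and by strength, which is what RFC 2617 requires. The strength ranking, the constructed set of WWW-Authenticate headers and the simplification that each header value carries exactly one challenge are assumptions of this example.

```python
"""Added example: choose an HTTP auth scheme from WWW-Authenticate
challenges by strength (RFC 2617) versus by server order (the
Mozilla/Firefox behaviour described in the advisory). Not Mozilla code;
the ranking and sample headers are assumptions."""

# Assumed strength ordering, higher is stronger: Basic sends the password
# in cleartext, Digest hashes it, NTLM and Negotiate are challenge-response.
SCHEME_RANK = {"basic": 0, "digest": 1, "ntlm": 2, "negotiate": 3}


def parse_challenges(headers):
    """Return scheme names, lower-cased, in the order the server sent them.
    Assumes one challenge per WWW-Authenticate header value (the common
    case): the scheme is the first token, parameters follow it."""
    schemes = []
    for value in headers:
        scheme = value.strip().split(None, 1)[0].rstrip(",")
        schemes.append(scheme.lower())
    return schemes


def choose_first_listed(headers):
    """What the advisory says Mozilla/Firefox did: take the first challenge
    the client understands, in header order, whatever its strength."""
    schemes = [s for s in parse_challenges(headers) if s in SCHEME_RANK]
    return schemes[0] if schemes else None


def choose_strongest(headers):
    """RFC 2617 behaviour: among the schemes the client understands, pick
    the strongest; ties go to the one the server listed first."""
    best = None
    for s in parse_challenges(headers):
        if s in SCHEME_RANK and (best is None or SCHEME_RANK[s] > SCHEME_RANK[best]):
            best = s
    return best


# Constructed 401 response headers, as a server supporting several
# mechanisms might send them, with Basic listed first.
SAMPLE_401 = [
    'Basic realm="atest"',
    'Digest realm="atest", nonce="abc123", qop="auth"',
    "NTLM",
    "Negotiate",
]

if __name__ == "__main__":
    print("header order  ->", choose_first_listed(SAMPLE_401))  # basic
    print("RFC 2617 rule ->", choose_strongest(SAMPLE_401))     # negotiate
```

Schemes outside the ranking (a hypothetical unknown one) are skipped by both selectors, so a server that offers only something the client does not understand gets no answer rather than a silent downgrade to Basic.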


Re: [Full-disclosure] Re: Full-Disclosure Digest, Vol 7, Issue 25

2005-09-14 Thread lonely wolf

Peer Janssen wrote:


Aditya Deshmukh wrote:


(on system you want to copy)
dd if=/dev/hda | nc otherhost 5000



If you are running bash, then you do not even need netcat:

dd if=/dev/hda > /dev/tcp/otherhost/5000
  


This is interesting.


Indeed :-)


Which version of bash are you using? I haven't found it in my man page!
 

My guess is that it probably has nothing to do with bash but with the 
devices your system provides.
But where is documentation for this kind of useful information anyway? 



It's been in bash for a long time. However, not all distributions compile bash 
with this option activated. Debian, for instance, does not.

___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


RE: [Full-disclosure] FireFox Host: Buffer Overflow is not justexploitable on FireFox

2005-09-14 Thread Peter Kruse
Hi Juha!

> I have informed the vendor Netscape being affected on 9th 
> September 2005.

I did the same on the 10th of September - still no reply nor official
statement from Netscape which makes me a little worried.
 
> 2)
> Disabling IDN support via about:config (or prefs.js file) is 
> possible in Netscape Browser 8 too. Xpi file for Firefox and 
> Mozilla Suite works in Netscape 8.0.3.3 too. Test was 
> successful and even UA was changed to include 
> Gecko/20050729 (No IDN) Netscape/8.0.3.3.
> However, the manual method is recommended.
> I.e. there is a workaround for Netscape. Vendor developer 
> team contacted during a weekend, no reply yet.

Correct. I reported that workaround on the 10th of September.

I did so using both the security address at netscape.com and the "submission
form" on Netscape's official webpage. I never got any reply/response from
netscape. 

Netscape uses the same rendering engine as Firefox (unless explicitly told
to use IE) and as such, will also be vulnerable. The workaround, covered by
the Mozilla Team, will correct the problem simply by disabling IDN.

Regards
Peter Kruse


___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


[Full-disclosure] NUL Character Evasion

2005-09-14 Thread ju

The Problem:

Internet Explorer ignores NUL characters
-- i.e. ASCII characters with the value 0x00 -- while most
security software does not. This behaviour of IE
does not depend on the charset in the Content-Type header.


In Detail

You can embed NUL characters at any place in an HTML
document, even inside of tags. IE parses the file as
if they were not there. The number of NUL characters
does not matter: a single one is ignored as well as
5000 en bloc after every single valid character. In
tests I successfully infected an unpatched Windows
system from HTML pages containing 5000 NUL
characters.


Example:


Both versions work with all tested versions of IE:

< script>alert("Hello world");< /script>

< s\0x0cript>alert("Hello world");< /s\0x0cript>

(\0x0 stands for a character with a value of 0;
the blanks in the script tags have been inserted
intentionally)


The consequences:
-
Protection mechanisms against evil embedded in
HTML can be evaded. Intrusion Detection/Prevention
Systems and antivirus programs don't recognize
exploits for known browser problems any more if they
are obfuscated by embedded NUL characters. Filtering
of JavaScript or ActiveX may fail.

Test results


Antivirus

I took a standard mhtml exploit that was recognized by
ten AV programs:

AntiVir      HTML/Exploit.OBJ-Mht
BitDefender  Exploit.Html.MhtRedir.Gen (suspected)
ClamAV       Exploit.HTML.MHTRedir-8
eTrust-VET   HTML.MHTMLRedir!exploit
F-Secure     Exploit.HTML.Mht
Fortinet     HTML/MHTRedir.A
McAfee       Exploit-MhtRedir.gen
Kaspersky    Exploit.HTML.Mht
Panda        Exploit/Mhtredir.gen
Symantec     Bloodhound.Exploit.6

After I modified it by inserting NUL characters none
of the AV scanners found anything suspicious --
although the exploits were still fully
functional.

Intrusion Prevention

A recent IE exploit using the HHCtrl addon to execute
arbitrary commands (see
http://www.heise.de/security/dienste/browsercheck/demos/ie/e5_25.shtml)
was detected and blocked by ISS Proventia (Desktop
Edition). After I inserted NUL characters, Proventia
did not detect the exploit any more, but the demo was still
working. heise Security informed ISS and they promised to
publish new signatures detecting NUL character evasion.

Other ID/IP systems were not tested, but are likely to
show similar behaviour. Ask your vendor or test
yourself. We have set up a web page to demonstrate
NUL character evasion, where you can test your
AV/IDS/IPS solution. See:

http://www.heise.de/security/dienste/browsercheck/demos/ie/null/



Not affected:
-

Content Security Solutions that sanitize HTML
before delivering it to the client. I checked Webwasher
CSM 5.2. Its Proxy replaces embedded NUL characters (0x00)
with spaces (0x20) by default. Pure Proxies like squid
deliver NULs to the client.



Remarks:


As far as I know, Andreas Marx from AV-Test
(www.av-test.de) discovered this strange behaviour.
He started informing AV vendors and other vendors of
security products over a year ago.

Microsoft Security Response Center considers the
behaviour of Internet Explorer correct:

---
We have investigated this issue and have determined
that this is actually by design as IE is processing the
MIME type as expected.  For details on how this is
handled, please see
http://msdn.microsoft.com/library/default.asp?url=/workshop/networking/moniker/overview/appendix_a.asp
---


Please note that the behaviour of IE is not a security
problem in itself but a problem for security software.
In combination with a security hole, it can be used
to evade protection by antivirus software
and/or ID/IP systems.

Thanks:
---

The antivirus tests have been done with help of AV-Test
(http://www.av-test.de).


Further information:

"Null Problemo", article on heise Security (german)
http://www.heise.de/security/artikel/63411

NUL Demos
http://www.heise.de/security/dienste/browsercheck/demos/ie/null/

-- 
Juergen Schmidt   editor in chiefheise Security www.heisec.de
Heise Zeitschriften Verlag,Helstorferstr. 7,   D-30625 Hannover
Tel. +49 511 5352 300  FAX +49 511 5352 417   EMail [EMAIL PROTECTED]
GPG-Key: 0x38EA4970,  5D7B 476D 84D5 94FF E7C5  67BE F895 0A18 38EA 4970

___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
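The following Python is an added example, not heise Security's demo page and not any vendor's scanner or proxy code. It models the behaviour described in the post: NUL bytes inserted anywhere in an HTML page are skipped by IE's parser, so a scanner that matches on the raw bytes misses the padded page, while a scanner that first canonicalises the data the way the consumer parses it still matches. It also shows the Webwasher-style sanitisation mentioned under "Not affected" (NUL replaced by a space), which neutralises a split tag rather than detecting it. The HTML snippet and the signature pattern are constructed for this illustration.

```python
"""Added example: NUL-byte evasion of byte-pattern signatures, and two
responses to it (canonicalise before matching; sanitise NULs to spaces).
Not code from heise Security or any vendor; the sample page and the
signature are constructed."""

# Constructed signature and page. In practice a signature would target an
# exploit pattern; a harmless script tag is enough to show the mechanism.
SIGNATURE = b'<script>alert("Hello world");</script>'
CLEAN_HTML = b'<html><body><script>alert("Hello world");</script></body></html>'


def pad_with_nuls(data: bytes, count: int) -> bytes:
    """Insert `count` NUL bytes after every byte: the obfuscation from the
    post (a single NUL or thousands en bloc made no difference to IE)."""
    return b"".join(bytes([b]) + b"\x00" * count for b in data)


def ie_view(data: bytes) -> bytes:
    """What IE parses, per the post: the input with every NUL removed."""
    return data.replace(b"\x00", b"")


def naive_scan(data: bytes) -> bool:
    """A scanner matching the raw bytes, as the tested AV/IPS products did."""
    return SIGNATURE in data


def canonical_scan(data: bytes) -> bool:
    """Scanner that normalises the way the consumer parses, then matches.
    Applied to HTML only: stripping NULs from binary content would
    corrupt legitimate files, so gate this on the content type."""
    return SIGNATURE in ie_view(data)


def sanitize_like_proxy(data: bytes) -> bytes:
    """The Webwasher CSM behaviour reported in the post: NUL -> space.
    A split tag becomes '<s cript>', which IE no longer treats as a
    script tag, so the payload is neutralised rather than detected."""
    return data.replace(b"\x00", b" ")


if __name__ == "__main__":
    evasive = pad_with_nuls(CLEAN_HTML, 1)
    print("naive scan, clean  :", naive_scan(CLEAN_HTML))        # True
    print("naive scan, padded :", naive_scan(evasive))           # False
    print("canonical, padded  :", canonical_scan(evasive))       # True
    print("IE sees clean page :", ie_view(evasive) == CLEAN_HTML)  # True
    print("proxy output starts:", sanitize_like_proxy(evasive)[:24])
```

The two defences are not interchangeable: canonicalising gives a detection that names the exploit, while the space substitution silently breaks both the attack and any legitimate page that happened to contain NULs, and a sanitised page will no longer match the signature either, so a scanner placed behind such a proxy sees nothing.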