[Full-disclosure] hiding routers
I brought this question up on another mailing list, but didn't get any good answers... How common is it that a router does not decrement the TTL of packets, such that it is unable to be identified using traceroute? Choosing not to decrement the TTL causes the next router to appear as the hop, but the current router to remain hidden. How does one commonly identify such hidden routers in an automated fashion? And is it policy for any organizations to actually do this, or only with certain packet types? The responses I got were along the lines of don't do that, it breaks tcp/ip and error conditions. However, I am still interested in how likely an organization is to try something like this for both legitimate and illegitimate purposes. -- Kristian Hermansen ___ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
[Full-disclosure] Firefox 2.0.0.3 Phishing Protection Bypass Vulnerability
This flaw http://kaneda.bohater.net/security/20070111-firefox_2.0.0.1_bypass_phishing_protection.php remains unpatched for months!!! Firefox 2.0.0.1, 2.0.0.2, 2.0.0.3 are still vulnerable! https://bugzilla.mozilla.org/show_bug.cgi?id=367538
Re: [Full-disclosure] hiding routers
On Wed, 18 Apr 2007, Kristian Hermansen wrote:

Hi,

All better firewalling equipment offers a stealth-routing feature; patches also exist for the Linux kernel. They can be detected using the DF-bit and certain other fields within the IP hdr, depending on implementation and setup. Not decrementing the TTL also does not mean that it actually forwards packets with TTL 0.

Sebastian

> I brought this question up on another mailing list, but didn't get any good answers... How common is it that a router does not decrement the TTL of packets, such that it is unable to be identified using traceroute? Choosing not to decrement the TTL causes the next router to appear as the hop, but the current router to remain hidden. How does one commonly identify such hidden routers in an automated fashion? And is it policy for any organizations to actually do this, or only with certain packet types? The responses I got were along the lines of don't do that, it breaks tcp/ip and error conditions. However, I am still interested in how likely an organization is to try something like this for both legitimate and illegitimate purposes.

--
~ ~ perl self.pl
~ $_='print\$_=\47$_\47;eval';eval
~ [EMAIL PROTECTED] - SuSE Security Team
~ SUSE LINUX Products GmbH, GF: Markus Rex, HRB 16746 (AG Nuernberg)
Re: [Full-disclosure] Firefox 2.0.0.3 Phishing Protection Bypass Vulnerability
Dear carl hardwick,

Do you know examples of phishing sites exploiting this vulnerability?

--Wednesday, April 18, 2007, 1:47:03 PM, you wrote to full-disclosure@lists.grok.org.uk:

ch> This flaw
ch> http://kaneda.bohater.net/security/20070111-firefox_2.0.0.1_bypass_phishing_protection.php
ch> remains
ch> unpatched since months!!!
ch> Firefox 2.0.0.1, 2.0.0.2, 2.0.0.3 are still vulnerable!
ch> https://bugzilla.mozilla.org/show_bug.cgi?id=367538

--
~/ZARAZA
http://securityvulns.com/
[Full-disclosure] Advisory: Bypass Oracle Logon Trigger
Name: Bypass Oracle Logon Trigger (7826485) [DB05]
Systems Affected: Oracle 8-10g Rel. 2
Severity: High Risk
Category: Bypass Security Feature Database Logon Trigger
Vendor URL: http://www.oracle.com/
Author: Alexander Kornbrust (ak at red-database-security.com)
Advisory: 17 April 2007 (V 1.00)

Details
It is possible to bypass the Oracle database logon trigger. This can cause severe security problems. Oracle database logon triggers are often used to restrict user access (e.g. based on time or IP addresses) and/or to write audit entries into (custom) tables. This can be bypassed on unpatched systems.
This advisory is available at http://www.red-database-security.com/advisory/bypass_oracle_logon_trigger.html

Patch Information
Apply the patches for Oracle CPU April 2007.

History
07-jun-2006 Oracle secalert was informed
08-jun-2006 Bug confirmed
17-apr-2007 Oracle published CPU April 2007 [DB05]
17-apr-2007 Advisory published

Additional Information
An analysis of the Oracle CPU April 2007 is available here: http://www.red-database-security.com/advisory/oracle_cpu_apr_2007.html
This document will be updated during the next few days and weeks with the latest information.

(c) 2007 by Red-Database-Security GmbH -- http://www.red-database-security.com
[Full-disclosure] Advisory: SQL Injection in package SYS.DBMS_AQADM_SYS
Name: SQL Injection in package SYS.DBMS_AQADM_SYS [DB04]
Systems Affected: Oracle 8i-10g Rel. 2
Severity: High Risk
Category: SQL Injection
Vendor URL: http://www.oracle.com/
Author: Alexander Kornbrust (ak at red-database-security.com)
Advisory: 17 April 2007 (V 1.00)

Details
The package DBMS_AQADM_SYS contains SQL injection vulnerabilities.
This advisory is available at http://www.red-database-security.com/advisory/oracle_sql_injection_dbms_aqadm_sys.html

Patch Information
Apply the patches for Oracle CPU April 2007.

History
01-nov-2005 Oracle secalert was informed
02-nov-2005 Bug confirmed
17-apr-2007 Oracle published CPU April 2007 [DB04]
17-apr-2007 Advisory published

Additional Information
An analysis of the Oracle CPU April 2007 is available here: http://www.red-database-security.com/advisory/oracle_cpu_apr_2007.html
This document will be updated during the next few days and weeks with the latest information.

(c) 2007 by Red-Database-Security GmbH -- http://www.red-database-security.com
[Full-disclosure] Advisory: Shutdown unprotected Oracle TNS Listener via Oracle Discoverer Servlet [AS01]
Name: Shutdown unprotected TNS Listener via Oracle Discoverer Servlet [AS01]
Systems Affected: Oracle Discoverer Servlet
Severity: Low Risk
Category: Remote D.o.S.
Vendor URL: http://www.oracle.com/
Author: Alexander Kornbrust (ak at red-database-security.com)
Advisory: 17 April 2007 (V 1.00)

Details
The Oracle Discoverer Servlet contains a field for the database/TNS alias. It is possible to send TNS STOP commands via this field and to shut down an unprotected Oracle TNS Listener.
This advisory is available at http://www.red-database-security.com/advisory/oracle_discoverer_servlet.html

Patch Information
Apply the patches for Oracle CPU April 2007.

History
28-oct-2003 Oracle secalert was informed
29-oct-2003 Bug confirmed
17-apr-2007 Oracle published CPU April 2007 [AS01]
17-apr-2007 Advisory published

Additional Information
An analysis of the Oracle CPU April 2007 is available here: http://www.red-database-security.com/advisory/oracle_cpu_apr_2007.html
This document will be updated during the next few days and weeks with the latest information.

(c) 2007 by Red-Database-Security GmbH -- http://www.red-database-security.com
[Full-disclosure] Advisory: Cross-Site-Scripting Vulnerability in Oracle Secure Enterprise Search [SES01]
Name: Cross-Site-Scripting Vulnerability in Oracle Secure Enterprise Search
Systems Affected: Oracle Secure Enterprise Search 10.1.6 - SES
Severity: Medium Risk
Category: Cross Site Scripting (XSS/CSS)
Vendor URL: http://www.oracle.com/
Author: Alexander Kornbrust (ak at red-database-security.com)
Date: 17 April 2007 (V 1.00)

Details
Oracle Secure Enterprise Search 10g, a standalone product from Oracle, enables a secure, high quality, easy-to-use search across all enterprise information assets. The parameter EXPTYPE in boundary_rules.jsp contains a cross site scripting vulnerability.
This advisory is available at http://www.red-database-security.com/advisory/oracle_css_ses.html

Exploit
http://ses10106:/search/admin/sources/boundary_rules.jsp?event=deleteIncludeRule&p_src=web&p_mode=edit&p_id=3&pattern=rds&expType=%3Cscript%3Ealert(document.cookie)%3C/script%3ECC_SIMPLE_INCLUSION'

Affected Products
Oracle Enterprise Search 10.1.8

Patch Information
Please upgrade to the latest version of SES or apply CPU April 2007.

History
05-Apr-2005 Oracle secalert was informed
06-Apr-2005 Bug confirmed
17-apr-2007 Oracle published CPU April 2007
17-apr-2007 Red-Database-Security published this advisory

Additional Information
An analysis of the Oracle CPU April 2007 is available here: http://www.red-database-security.com/advisory/oracle_cpu_apr_2007.html
This document will be updated during the next few days and weeks with the latest information.

(c) 2007 by Red-Database-Security GmbH -- http://www.red-database-security.com
[Full-disclosure] Advisory: SQL Injection in package SYS.DBMS_UPGRADE_INTERNAL
Name: SQL Injection in package SYS.DBMS_UPGRADE_INTERNAL (6980753) [DB07]
Systems Affected: Oracle 8i-10g Rel. 2
Severity: High Risk
Category: SQL Injection
Vendor URL: http://www.oracle.com/
Author: Alexander Kornbrust (ak at red-database-security.com)
Advisory: 17 April 2007 (V 1.00)

Details
The package DBMS_UPGRADE_INTERNAL contains SQL injection vulnerabilities.
This advisory is available at http://www.red-database-security.com/advisory/oracle_sql_injection_dbms_upgrade_internal.html

Patch Information
Apply the patches for Oracle CPU April 2007.

History
01-nov-2005 Oracle secalert was informed
02-nov-2005 Bug confirmed
17-apr-2007 Oracle published CPU April 2007 [DB07]
17-apr-2007 Advisory published

Additional Information
An analysis of the Oracle CPU April 2007 is available here: http://www.red-database-security.com/advisory/oracle_cpu_apr_2007.html
This document will be updated during the next few days and weeks with the latest information.

(c) 2007 by Red-Database-Security GmbH -- http://www.red-database-security.com
Re: [Full-disclosure] hiding routers
Hi,

On Wed, 18 Apr 2007 04:24:37 -0400 Kristian Hermansen [EMAIL PROTECTED] wrote:

> How common is it that a router does not decrement the TTL of packets, such that it is unable to be identified using traceroute? Choosing not to decrement the TTL causes the next router to appear as the hop, but the current router to remain hidden. How does one commonly identify such hidden routers in an automated fashion? And is it policy for any organizations to actually do this, or only with certain packet types?

It is common for firewalls (i.e. Cisco PIX does this), less common for routers.

There is no general way to identify such routers. If the router has two interfaces with different MTUs, Path discovery could be used. In general the approach would be similar to the TTL trick used by traceroute: try to generate packets that would cause the hidden router in question to return error messages (ICMP) to you. In many cases, such a packet can be identified but there is no universal solution AFAIK.

cheers
FX

--
SABRE Labs GmbH           | Felix 'FX' Lindner [EMAIL PROTECTED]
http://www.sabre-labs.com | GSM: +49 171 7402062
Wrangelstrasse 4          | PGP: A740 DE51 9891 19DF 0D05
10997 Berlin, Germany     |      13B3 1759 C388 C92D 6BBB
HRB 105213 B, Amtsgericht Charlottenburg, GF Felix Lindner
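To make the behaviour in Kristian's question and in Sebastian's and FX's replies concrete, here is a small added Python model (not code from any poster) of a three-hop path whose middle router passes the TTL through unchanged; the addresses, MTUs and topology are constructed for the example. It shows that hop vanishing from a traceroute and, as FX describes, a DF-set packet larger than that hop's link MTU drawing an ICMP Fragmentation Needed from it, while the same hop stays invisible when its MTU matches its neighbours'.

```python
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Router:
    addr: str             # address used as source of any ICMP error it sends
    decrement_ttl: bool   # False models the "stealth" hop discussed in the thread
    egress_mtu: int       # MTU of its link towards the destination


@dataclass
class Reply:
    kind: str      # "time-exceeded", "frag-needed" or "delivered"
    source: str    # who answered (router address, or the destination)


DST = "192.0.2.10"   # constructed destination (documentation address range)


def example_path() -> List[Router]:
    """Constructed path: hop 2 neither decrements TTL nor has a 1500-byte link."""
    return [
        Router("10.0.0.1", decrement_ttl=True, egress_mtu=1500),
        Router("10.0.0.2", decrement_ttl=False, egress_mtu=1400),  # stealth hop
        Router("10.0.0.3", decrement_ttl=True, egress_mtu=1500),
    ]


def uniform_mtu_path() -> List[Router]:
    """Same topology, but the stealth hop has the same MTU as everyone else."""
    path = example_path()
    path[1].egress_mtu = 1500
    return path


def forward(path: List[Router], ttl: int, size: int, df: bool) -> Reply:
    """Walk one packet hop by hop, applying each router's TTL and MTU rules."""
    for r in path:
        if r.decrement_ttl:
            ttl -= 1
            if ttl == 0:
                # Normal router: TTL expired here, ICMP Time Exceeded from r.addr
                return Reply("time-exceeded", r.addr)
        # A stealth hop skipped the block above and passes the TTL through
        # unchanged, but it still cannot push a DF packet onto a smaller link.
        if df and size > r.egress_mtu:
            return Reply("frag-needed", r.addr)
    return Reply("delivered", DST)


def traceroute(path: List[Router], max_ttl: int = 30) -> List[str]:
    """Classic traceroute: probes with TTL 1, 2, 3 ... and records who answers."""
    hops = []
    for ttl in range(1, max_ttl + 1):
        reply = forward(path, ttl, size=64, df=False)
        hops.append(reply.source)
        if reply.kind == "delivered":
            break
    return hops


def pmtu_probe(path: List[Router], size: int) -> Optional[str]:
    """Send one DF-set packet of the given size with a generous TTL and return
    the address of whichever hop answers Fragmentation Needed, if any."""
    reply = forward(path, ttl=64, size=size, df=True)
    return reply.source if reply.kind == "frag-needed" else None


def unseen_hops(path: List[Router]) -> List[str]:
    """Routers on the (known, modelled) path that traceroute never reports."""
    seen = set(traceroute(path))
    return [r.addr for r in path if r.addr not in seen]


if __name__ == "__main__":
    p = example_path()
    print("traceroute :", traceroute(p))          # ['10.0.0.1', '10.0.0.3', '192.0.2.10']
    print("unseen     :", unseen_hops(p))         # ['10.0.0.2']
    print("PMTU probe :", pmtu_probe(p, 1500))    # 10.0.0.2 answers Fragmentation Needed
    print("uniform MTU:", pmtu_probe(uniform_mtu_path(), 1500))  # None
```

Hop 2 of the traceroute shows 10.0.0.3, the router after the stealth hop, exactly the symptom described in the question; the MTU probe only names the stealth hop when its link really is smaller, which is FX's caveat that there is no universal detection.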
Re: [Full-disclosure] UK ISP threatens security researcher
Let's keep in mind that publishing most security information borders extortion. There isn't any other industry where fat nerds try to strongarm large corporations into admitting there are weaknesses in their products, defaming them publicly, causing their stock prices to fall, or otherwise damaging their public image and thus causing financial damage, et cetera.

Gadi, I doubt your people would be thrilled if you tried to petition Yahweh with complaints regarding His children being vulnerable to pieces of metal fired at high velocity from guns, and demanding that if things aren't fixed within what you consider a satisfactory timeframe (which, in the end is just some arbitrary number invented by people with no concept of industry and economics) that you will arm every man, woman, child, and lizard of bordering Arabic nations to Israel in order to teach that big guy up in the sky a lesson about not making humans impervious to gunfire!

Come on man! You're smarter than this!

When socially inept people who possess only rudimentary computer skills start bullying (call it what you will, in the end if you argue against my points you clearly are one of those people who can't make it in the real world) corporations for fame and money, which have real-world financial consequences to said corporate entities, you are in the least committing extortion. And while you might think these efforts are noble, the reality of the situation is simple - this is absolutely no different than a bunch of Russians with botnets, forcing businesses to comply with their demands if that business wishes to continue existing on the Internet.

When was the last time an auto manufacturer was humiliated publicly because their car windows can easily be broken and contents of the car stolen? When have chain manufacturers been chastised by the mass media for the existence of bolt cutters? What about the serious threat of hacksaws?

People, grow up.

If your life is spent behind a computer discovering uninteresting oversights in software design, where you clearly lack experience and ability, and proclaiming yourself the #chatzone badass and drooling saying I'm the best evah!!! doesn't make you important. The sad state of this industry is that there are enough ignorant people that find it impressive, and who don't understand the ramifications of their publicity whoring and the obvious parallels to other industries.

The long and short of it is: If you want to act like a criminal, be prepared to be treated like a criminal, and don't cry about the choices you've made in life. You aren't a fucking martyr when your motivations and cause are only self-promoting and otherwise selfish.

Always remember the embarrassment to hackers, humans, and Hebrews everywhere that is Kevin Mitnick.

- Dr. Neal Krawetz, PhD
http://www.hackerfactor.com/blog/

On Tue, 17 Apr 2007 19:30:54 -0400 Gadi Evron [EMAIL PROTECTED] wrote:
> http://www.theregister.com/2007/04/17/hackers_service_terminated/
> A 21-year-old college student in London had his internet service terminated and was threatened with legal action after publishing details of a critical vulnerability that can compromise the security of the ISP's subscribers.
> I happen to know the guy, and I am saddened by this.
> Gadi.
[Full-disclosure] Reminder: HITBSecConf2007 - Malaysia: Call for Papers closing in 2 weeks
Greetings from sunny Malaysia!

This is a reminder that the Call for Papers for the upcoming HITBSecConf2007 - Malaysia is closing on the 1st of May. HITBSecConf2007 - Malaysia is set to take place from the 3rd till the 6th of September in Kuala Lumpur. Our event last year attracted over 600 attendees from all corners of the globe and this year we are expecting this number to grow to well over 800. In addition, the event will feature 4 keynote speakers, 40 researchers, 7 tracks of hands-on technical trainings, a dual-track security conference, capture the flag competition, a lock picking village, zone-h/hitb hacking challenge, bzflag competition and one MASSIVE post conference party!!!

If you only attend ONE event this year, make sure it's HITBSecConf2007 - Malaysia; Asia's largest network security conference!
[Full-disclosure] MS DNS worm
So far this morning we've seen 4 customers infected with what appears to be an MS DNS RPC based worm. Anyone seen any news on this yet?

Geo.
Re: [Full-disclosure] MS DNS worm
http://www.sophos.com/security/analyses/w32delbotak.html
http://www.sophos.com/security/analyses/w32delbotaj.html
http://www.sophos.com/security/analyses/w32delbotai.html

W32/Delbot-AK is a worm with backdoor functionality for the Windows platform. W32/Delbot-AK spreads to other network computers by:
- Scanning network shares for weak passwords
- Exploiting common buffer overflow vulnerabilities
  - Symantec (SYM06-010)
  - Microsoft Security Advisory (935964): Vulnerability in RPC on Windows DNS Server Could Allow Remote Code Execution.

Geo. wrote:
> So far this morning we seen 4 customers infected with what appears to be an MS DNS RPC based worm. Anyone seen any news on this yet?
> Geo.
Re: [Full-disclosure] UK ISP threatens security researcher
- Dr. Neal Krawetz, PhD [EMAIL PROTECTED] wrote:
> -BEGIN PGP SIGNED BS-

All I can utter after reading your post is, It's so simple to be wise. Just think of something stupid to say and the opposite should have been said.

Ummm... the above applies to me as well. Sorry, hope you won't mind, we all act funny sometimes.

--
Sincerely
Ajay Pal Singh Atwal
Re: [Full-disclosure] UK ISP threatens security researcher
On 18-Apr-07, at 6:01 AM, Dr. Neal Krawetz, PhD wrote:

> Let's keep in mind that publishing most security information borders extortion. There isn't any other industry where fat nerds try to strongarm large corporations into admitting there are weaknesses in their products, defaming them publicly, causing their stock prices to fall, or otherwise damaging their public image and thus causing financial damage, et cetera.

Let's also keep in mind that most vendors won't patch a hole in a timely fashion, and will happily leave their customers hanging in the wind to protect their stock price and image.

> Gadi, I doubt your people would be thrilled if you tried to petition Yahweh with complaints regarding His children being vulnerable to pieces of metal fired at high velocity from guns, and demanding that if things aren't fixed within what you consider a satisfactory timeframe (which, in the end is just some arbitrary number invented by people with no concept of industry and economics) that you will arm every man, woman, child, and lizard of bordering Arabic nations to Israel in order to teach that big guy up in the sky a lesson about not making humans impervious to gunfire!

Did you really just metaphorically compare software companies to Yahweh?? And for completeness' sake, do you really mean to assert that people don't cry out to $deity about various injustices?

> Come on man! You're smarter than this! When socially inept people who possess only rudimentary computer skills

Speak for yourself doctor.

> start bullying (call it what you will, in the end if you argue against my points you clearly are one of those people who can't make it in the real world)

Oooo. Nice. if you disagree with me, you suck and stuff!

> corporations for fame and money, which have real-world financial consequences to said corporate entities, you are in the least committing extortion.

Cuz Yahweh forbid there be consequences.

> And while you might think these efforts are noble, the reality of the situation is simple - this is absolutely no different than a bunch of Russians with botnets, forcing businesses to comply with their demands if that business wishes to continue existing on the Internet.

You must live an interesting life when you lack the ability to differentiate between truth and lawlessness.

> When was the last time an auto manufacturer was humiliated publicly because their car windows can easily be broken and contents of the car stolen? When have chain manufacturers been chastised by the mass media for the existence of bolt cutters? What about the serious threat of hacksaws?

When the hacksaw threat costs users, business and government as much as insecurities in poorly audited code you'll see these stories. Somehow I don't see that happening though. There are clear laws in place when a company places a poor/flawed product on the market. Software seems to get a pass on this.

> People, grow up. If your life is spent behind a computer discovering uninteresting oversights in software design, where you clearly lack experience and ability, and proclaiming yourself the #chatzone badass and drooling saying I'm the best evah!!! doesn't make you important. The sad state of this industry is that there are enough ignorant people that find it impressive, and who don't understand the ramifications of their publicity whoring and the obvious parallels to other industries.

That's right ladies and germs. Stop searching for holes and insecurities in your applications and OS. Stick your head in the sand and let people with ill intent find it and exploit before you can be aware of the problem and protect yourself. Definitely *do not* share the information if you stumble on it. $deity knows you'd be a poor example if you acted to protect and inform others.

> The long and short of it is: If you want to act like a criminal, be prepared to be treated like a criminal, and don't cry about the choices you've made in life. You aren't a fucking martyr when your motivations and cause are only self-promoting and otherwise selfish.

Yes, because you're all psychic and stuff, and can immediately ascertain someone's motives. It's a miracle you aren't employed full time by the legal system with this super amazing power.

---
Tremaine Lea
Network Security Consultant
Be in pursuit of equality, but not at the expense of excellence.
[Full-disclosure] CfP: Hack.lu 2007
Call for Papers Hack.lu 2007

The purpose of the hack.lu convention is to give an open and free playground where people can discuss the implication of new technologies in society. hack.lu is a balanced mix convention where technical and non-technical people can meet each other and share freely all kinds of information. The convention will be held in the Grand-Duchy of Luxembourg in October 2007 (18-20.10.2007).

Scope
==
Topics of interest include, but are not limited to:
* Software Engineering and Security
* Honeypots/Honeynets
* Spyware, Phishing and Botnets (Distributed attacks)
* Newly discovered vulnerabilities in software and hardware
* Electronic/Digital Privacy
* Wireless Network and Security
* Attacks on Information Systems and/or Digital Information Storage
* Electronic Voting
* Free Software and Security
* Assessment of Computer, Electronic Devices and Information Systems
* Standards for Information Security
* Legal and Social Aspect of Information Security
* Software Engineering and Security
* Security in Information Retrieval
* Network security

Deadlines
=
The following dates are important if you want to participate in the CfP:
Abstract submission : no later than 1 June 2007
Full paper submission : no later than 15 July 2007
Notification date : around end of July / beginning of August

Submission guideline
Authors should submit a paper in English up to 5.000 words, using a non-proprietary and open electronic format. The program committee will review all papers and the author of each paper will be notified of the result, by electronic means. Abstract is up to 400 words.
Submissions must be sent to : hack2007-paper(AT)hack.lu
Submissions should also include the following:
1. Presenter, and geographical location (country of origin/passport) and contact info.
2. Employer and/or affiliations.
3. Brief biography, list of publications or papers.
4. Any significant presentation and/or educational experience/background.
5. Reason why this material is innovative or significant or an important tutorial.
6. Optionally, any samples of prepared material or outlines ready.
The information will be used only for the sole purpose of the hack.lu convention including the information on the public website. If you want to remain anonymous, you have the right to use a nickname.

Speakers' Privileges
* Accommodation will be provided (max 3 nights)
* Travel expenses will be covered
* Conference speakers night
* speakers goodies...

Program Committee
=
http://www.hack.lu/index.php/ProgramCommittee

Publication and rights
==
Authors keep the full rights on their publication/papers but give an unrestricted right to redistribute their papers for the hack.lu convention and its related electronic/paper publication.

Sponsoring
==
If you want to support the initiative and gain visibility by sponsoring, please contact us by writing an e-mail to info(AT)hack.lu

Web site and wiki
=
http://www.hack.lu/
Re: [Full-disclosure] UK ISP threatens security researcher
Extortion is AFAIK the demand for money or valuables without legal authority. I do not believe fame qualifies, and in any event one who points out a bug in public has his fame or infamy independently of what a company does.

At a former employer (an OS vendor) the general line was to ask customers to not disclose vulnerabilities. However this was accompanied by an almost paranoid internal search-and-destroy attitude toward security holes and by prompt fixes to such problems as became known. As a result the customers supported this stand. Mind, there was little or none of the childish counting coup that seems to go on in some quarters involved. Those who advocated disclosing problems did not claim credit for finding the problems in the cases that surfaced. The discussion about whether to do so was always centered on the theory (with some observational support) that attackers knew of the bugs already and countermeasures could often be used if the attacks were known to exist.

To my mind, a company that wants its problems to be kept quiet externally till fixed needs to earn that consideration by such paranoia. If a company is smart it will communicate with outsiders who point out problems. (Communicating about problems that can affect third party software is also a good thing. Many of us did.)

Still, one who reveals a problem to the public is contributing to public knowledge, and that act by itself is not extortion or bullying. It should not be confused with such. The ethical issues center around whether the warning might help avoid a problem, or simply precipitate it.

A similar ethical issue appeared in science fiction and is a caution to the reveal everything side. In the story a small group learns to build a cheap doomsday device. In the end one of them kills the others because he worries about it being used for extortion. However, he is shortly afterwards killed by his wife, who worries that if the device can be built her children's lives cannot be safe.

The law ought to be clear that revealing information freely is OK, but that something that risks precipitating a catastrophe is not. A properly defended (in 2nd Amendment sense!) society might very well in clear cases resort to the science fiction solution. On the other hand, claiming such risk for every oversight, and at the same time not advertising your code does not run in hostile environments, is a kind of public fraud which does not deserve either protection or respect. The science fiction example is in clearly defined territory. Computer risks are seldom so, and before legal (or extralegal societal extreme) measures get involved there should be much more proof than has been common, and clarity about what is arguably beneficial and what is thuggery.

When I propose designs, by the way, I am very glad to have heard about vulnerabilities in different technical areas so I might design around them. If I must propose a kludge I am also very glad to have heard about where the dangers lie. At least it allows my guesstimates of how long the kludge might be used to be more accurate.

In the case referred to, the ISP's arguments remind me of what English banks were reputed to do some years ago when thefts occurred: argue that (in so many words) our systems are secure so you must have done something wrong to breach them. Yep, bullying seems to be going on, but from the ISP. A response more along the lines of fixing the holes (as Microsoft has done when holes cropped up in its mail systems) would be more responsible. Had they considered that the researcher was giving them free help, having found the problem due to some vulnerabilities the ISP's software was causing on his home system, the ISP would have wound up looking better. Reading the original post btw shows the guy gives a workaround for customers to close the holes created in their home systems.

No evidence there far as I can see that the guy wanted anything other than to alert others about a hole in their own systems that the ISP software created (perhaps inadvertently), and what he noted. (That they responded noting that the terms conditions say a customer is responsible for security of account passwords selected by the customer, and claiming this somehow applies to passwords evidently selected by the ISP, is an indication of CYA, not of problem solving.)

Glenn Everhart

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dr. Neal Krawetz, PhD
Sent: Wednesday, April 18, 2007 8:01 AM
To: full-disclosure@lists.grok.org.uk; [EMAIL PROTECTED]
Subject: Re: [Full-disclosure] UK ISP threatens security researcher
[Full-disclosure] Analysis of the Oracle April 2007 Critical Patch Update
Hey all, I've just posted an analysis of the Oracle April 2007 Critical Patch Update to http://www.ngssoftware.com/research/papers/NGSSoftware-OracleCPUAPR2007.pdf (URL may line wrap)

Cheers,
David Litchfield
[Full-disclosure] Oracle E-Business Suite Vulnerability Information April 2007
Integrigy has released additional information on the Oracle E-Business Suite 11i and R12 security vulnerabilities in the April 2007 Oracle Critical Patch Update. This analysis includes details (type, impact, etc.) regarding the vulnerabilities, a review of the required patches, and advice on applying the 6-10 required patches in a timely manner.

http://www.integrigy.com/Oracle_CPU_April_2007.pdf

Based on our discussions with clients, there seems to be continuing confusion regarding the versions (i.e., patch sets) required to apply the security patches. Oracle's policy is simple - Oracle only supports the 2 most recent patch sets that have been released in the past 12 months for the Oracle Database and Oracle Application Server. There are some exceptions to policy based on operating system support and other product dependencies. To highlight the differences between certified versions and versions supported in the April 2007 CPU we have released the following:

http://www.integrigy.com/security-resources/analysis/Oracle-CPU-Support-Matrix-April-2007.pdf
Re: [Full-disclosure] Internet Explorer Crash
This also works under Konqueror. There should be an implementation on ALL browsers that a loop so large is unacceptable, and refuse to even run it. There is no viable reason for a client-side script to run a loop through so many iterations. This DoS technique could be abused, and iframes with the code could be embedded within popular websites, effectively causing a denial of service to that specific site.

On Tuesday 17 April 2007 13:09, J. Oquendo wrote:

Product: Internet Explorer Version 7.0.5730.11
Impact: Browser crash possibly more
Author: Jesus Oquendo echo @infiltrated|sed 's/^/sil/g;s/$/.net/g'

I. BACKGROUND
Why bother? Who doesn't know what Internet Explorer and Microsoft are.

II. DESCRIPTION
IE 7 is vulnerable to a script which causes the browser to hang. The memory and CPU usage go through the roof. Originally the script caused (and still causes) Safari and Konqueror to crash.

III. SOLUTION
Stop using Microsoft products or deal with a new advisory every other day.

IV. Proof
http://www.infiltrated.net/stupidInternetExploder.html

V. Code
$ more /stupidInternetExploder.html
<script>
var reg = /(.)*/;
var z = 'Z';
while (z.length < 999999999999999999999999999) z+=z;
var boum = reg.exec(z);
</script>

Goodbye
J. Oquendo
http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x1383A743
sil . infiltrated @ net
http://www.infiltrated.net
"The happiness of society is the end of government." John Adams
Re: [Full-disclosure] Internet Explorer Crash
On Wed, 18 Apr 2007 12:31:57 EDT, Kradorex Xeron said:

There should be an implementation on ALL browsers that a loop so large is unacceptable, and refuse to even run it. There is no viable reason for a client-side script to run a loop through so many iterations.

There's this thing called the Turing Halting Problem. :) The problem is that it's *really* hard to *programmatically* look at a loop like that and say "That's going to loop 'too long'" (for some fuzzy definition of 'too long'). Take that same code, and change the comparison to 'while (z.length < 3)'. Does that loop too long? How about '< 8'? (Keep in mind that to check this *from within*, it needs to have the knowledge that z is the loop control, which it has, and that z.length is approximately log10(z), and that some value of log10(z) is too much.) And once you've coded all that knowledge, the attacker just changes the test to this:

while (foo(z) == TRUE) (...

and foo(z) is defined as:

boolean foo(int z) { static a = 0; if (isprime(z)) a++; if a > 100 return FALSE; return TRUE; }

Bonus points for defining isprime() as Sieve of Eratosthenes rather than some higher-performance primality check like Rabin-Miller or similar. Or maybe not - Sieve is probably simple enough that you can special-case it; better methods have more obscure internals. And we're *trying* to burn CPU - so maybe Sieve of Eratosthenes' less clever brother is called for (iterate 1 to N, rather than 1 to sqrt(N)) :)

So - other than "it has already burned more than N seconds of CPU", what test do you propose to make? And what do you do if the site is some Javascript-driven interface to a corporate application that the user is expected to be in all day, and it's *legitimate* to burn lots more than N seconds during an 8-hour day? (Hint - "trusted site" is probably not the greatest way to phrase that sort of check... ;)
[Full-disclosure] rPSA-2007-0072-1 lighttpd
rPath Security Advisory: 2007-0072-1
Published: 2007-04-18
Products: rPath Linux 1
Rating: Major
Exposure Level Classification: Remote Deterministic Denial of Service
Updated Versions: lighttpd=/[EMAIL PROTECTED]:devel//1/1.4.15-0.1-1

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-1869
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-1870
https://issues.rpath.com/browse/RPL-1218

Description:
Previous versions of the lighttpd package are vulnerable to two denial of service attacks. One is a remote denial of service that can cause lighttpd to consume all available CPU time and stop serving requests, and the other is a denial of service attack which generally requires a local user to create a file with an mtime of 0; the lighttpd daemon will crash when attempting to serve that file. This crash does not enable any arbitrary or directed code execution.
[Full-disclosure] rPSA-2007-0073-1 php php-mysql php-pgsql
rPath Security Advisory: 2007-0073-1
Published: 2007-04-18
Products: rPath Linux 1
Rating: Severe
Exposure Level Classification: Remote System User Deterministic Unauthorized Access
Updated Versions:
php=/[EMAIL PROTECTED]:devel//1/4.3.11-15.10-1
php-mysql=/[EMAIL PROTECTED]:devel//1/4.3.11-15.10-1
php-pgsql=/[EMAIL PROTECTED]:devel//1/4.3.11-15.10-1

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-1285
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-1286
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-1583
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-1711
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-1001
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-0455
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-0906
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-0910
https://issues.rpath.com/browse/RPL-1268

Description:
Previous versions of the php package are vulnerable to many attacks, the worst of which enable various remote attackers to run arbitrary code as the apache user. These vulnerabilities are exposed by a wide variety of applications written in the PHP language.
[Full-disclosure] rPSA-2007-0074-1 dovecot
rPath Security Advisory: 2007-0074-1
Published: 2007-04-18
Products: rPath Linux 1
Rating: Informational
Exposure Level Classification: Local User Deterministic Information Exposure
Updated Versions: dovecot=/[EMAIL PROTECTED]:devel//1/1.0.0-0.1-1

References:
https://issues.rpath.com/browse/RPL-1200

Description:
Previous versions of the dovecot package are vulnerable to a trivial information exposure in which files outside the user's mail directory could be opened if the zlib plugin was used.
[Full-disclosure] UNIX man pages based fuzzing
A simple man page based fuzzer: http://www.cipher.org.uk/projects/downloads/fuzzman.tar.gz

An example: http://www.cipher.org.uk/index.php?p=news/Man_page_based_fuzzing.news
Re: [Full-disclosure] Internet Explorer Crash
There should be an implementation on ALL browsers that a loop so large is unacceptable, and refuse to even run it. There is no viable reason for a client-side script to run a loop through so many iterations.

It's an unsolvable problem in computer science: a program (the browser) cannot calculate exactly how long another program (the script) will execute except by executing it... thus running at least as long as the latter. Proven mathematically, inescapable fact. The PoC at hand only demonstrates the easiest case, but there are infinitely more possible ones. The only safe way out is a timeout, like Internet Explorer (or PHP on the server side) implements.
Re: [Full-disclosure] UK ISP threatens security researcher
n3td3v! Your postings have become much more articulate. I didn't know that you could use big words. By the way - does Dr. Neal Krawetz, PhD even know you're pretending to be him? Does Dave Aitel know that you're doing this on company time, or did he fire your sorry ass?

On Wed, 18 Apr 2007 06:01:05 -0600 Dr. Neal Krawetz, PhD [EMAIL PROTECTED] wrote:

Let's keep in mind that publishing most security information borders extortion. There isn't any other industry where fat nerds try to strongarm large corporations into admitting there are [excess flamebait deleted]
[Full-disclosure] Oracle Database Buffer overflow vulnerabilities in package DBMS_SNAP_INTERNAL
Title: Oracle Database Buffer overflow vulnerabilities in package DBMS_SNAP_INTERNAL
Risk Level: Medium
Affected versions: Oracle Database Server versions 8i, 9i and 10gR1
Remote exploitable: Yes (Authentication to Database Server is needed)
Credits: This vulnerability was discovered and researched by Esteban Martínez Fayó of Application Security Inc.

Details: Oracle Database Server provides the DBMS_SNAP_INTERNAL package, which contains procedures used internally by Oracle. Some procedures of this package have the parameters SNAP_OWNER and SNAP_NAME. These parameters are vulnerable to buffer overflow attacks.

Impact: Any Oracle database user with EXECUTE privilege on the package SYS.DBMS_SNAP_INTERNAL can exploit this vulnerability. Exploitation of this vulnerability allows an attacker to execute arbitrary code. It can also be exploited to cause a DoS (denial of service) by killing the Oracle server process.

Vendor Status: Vendor was contacted and a patch was released.
Workaround: Restrict access to the SYS.DBMS_SNAP_INTERNAL package.
Fix: Apply Oracle Critical Patch Update April 2007, available at Oracle Metalink.

Links:
http://www.oracle.com/technology/deploy/security/critical-patch-updates/cpuapr2007.html
http://www.appsecinc.com/resources/alerts/oracle/2007-07.shtml

--
Application Security, Inc.
www.appsecinc.com
[Full-disclosure] ZDI-07-015: Novell Groupwise WebAccess Base64 Decoding Stack Overflow Vulnerability
ZDI-07-015: Novell Groupwise WebAccess Base64 Decoding Stack Overflow Vulnerability
http://www.zerodayinitiative.com/advisories/ZDI-07-015.html
April 18, 2007

-- CVE ID:
CVE-2007-2171

-- Affected Vendor:
Novell

-- Affected Products:
Groupwise WebAccess

-- TippingPoint(TM) IPS Customer Protection:
TippingPoint IPS customers have been protected against this vulnerability since April 19, 2007 by Digital Vaccine protection filter ID 5295. For further product information on the TippingPoint IPS: http://www.tippingpoint.com

-- Vulnerability Details:
This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Novell Groupwise WebAccess. Authentication is not required to exploit this vulnerability.

The specific flaw exists in the GWINTER.exe process bound by default on TCP ports 7205 and 7211. During the handling of an HTTP Basic authentication request, the process copies user-supplied base64 data into a fixed-length stack buffer. Sending at least 336 bytes will trigger a stack-based buffer overflow due to a vulnerable base64_decode() call. Exploitation of this issue can result in arbitrary code execution.

-- Vendor Response:
Novell has issued an update to correct this vulnerability. More details can be found at:
http://download.novell.com/Download?buildid=8RF83go0nZg~
http://download.novell.com/Download?buildid=O9ucpbS1bK0~

-- Disclosure Timeline:
2007.03.19 - Vulnerability reported to vendor
2007.04.18 - Coordinated public release of advisory
2007.04.19 - Digital Vaccine released to TippingPoint customers

-- Credit:
This vulnerability was discovered by Tenable Network Security.

-- About the Zero Day Initiative (ZDI):
Established by TippingPoint, a division of 3Com, The Zero Day Initiative (ZDI) represents a best-of-breed model for rewarding security researchers for responsibly disclosing discovered vulnerabilities. Researchers interested in getting paid for their security research through the ZDI can find more information and sign-up at: http://www.zerodayinitiative.com

The ZDI is unique in how the acquired vulnerability information is used. 3Com does not re-sell the vulnerability details or any exploit code. Instead, upon notifying the affected product vendor, 3Com provides its customers with zero day protection through its intrusion prevention technology. Explicit details regarding the specifics of the vulnerability are not exposed to any parties until an official vendor patch is publicly available. Furthermore, with the altruistic aim of helping to secure a broader user base, 3Com provides this vulnerability information confidentially to security vendors (including competitors) who have a vulnerability protection or mitigation product.
[Full-disclosure] ZDI-07-016: Oracle E-Business Suite Arbitrary Node Deletion Vulnerability
ZDI-07-016: Oracle E-Business Suite Arbitrary Node Deletion Vulnerability
http://www.zerodayinitiative.com/advisories/ZDI-07-016.html
April 18, 2007

-- CVE ID:
CVE-2007-2170

-- Affected Vendor:
Oracle

-- Affected Products:
Oracle E-Business Suite

-- TippingPoint(TM) IPS Customer Protection:
TippingPoint IPS customers have been protected against this vulnerability since December 14, 2006 by Digital Vaccine protection filter ID 4919. For further product information on the TippingPoint IPS: http://www.tippingpoint.com

-- Vulnerability Details:
This vulnerability allows remote attackers to delete any existing Document Management node on vulnerable installations of Oracle E-Business Suite. Authentication is not required to exploit this vulnerability.

The specific flaw exists in the APPLSYS.FND_DM_NODES package. The procedure to delete nodes does not check for a valid session, thereby allowing an attacker to arbitrarily delete any registered node, including the root node.

-- Vendor Response:
Oracle has issued an update to correct this vulnerability. More details can be found at:
http://www.oracle.com/technology/deploy/security/critical-patch-updates/cpuapr2007.html

-- Disclosure Timeline:
2007.01.29 - Vulnerability reported to vendor
2006.12.14 - Digital Vaccine released to TippingPoint customers
2007.04.18 - Coordinated public release of advisory

-- Credit:
This vulnerability was discovered by Joxean Koret.
[Full-disclosure] ZDI-07-017: Oracle E-Business Suite Arbitrary Document Download Vulnerability
ZDI-07-017: Oracle E-Business Suite Arbitrary Document Download Vulnerability
http://www.zerodayinitiative.com/advisories/ZDI-07-017.html
April 18, 2007

-- CVE ID:
CVE-2007-2135

-- Affected Vendor:
Oracle

-- Affected Products:
Oracle E-Business Suite

-- TippingPoint(TM) IPS Customer Protection:
TippingPoint IPS customers have been protected against this vulnerability since December 14, 2006 by Digital Vaccine protection filter ID 4924. For further product information on the TippingPoint IPS: http://www.tippingpoint.com

-- Vulnerability Details:
This vulnerability allows remote attackers to download any existing document in the APPS.FND_DOCUMENTS table on vulnerable installations of Oracle E-Business Suite. Authentication is not required to exploit this vulnerability.

The specific flaw exists in the ADI_BINARY component of the E-Business Suite. The component exposes a parameter that can also be passed to ADI_DISPLAY_REPORT to allow an attacker to view any document in the APPS.FND_DOCUMENTS table. An attacker can cycle through all document IDs to display each document that exists.

-- Vendor Response:
Oracle has issued an update to correct this vulnerability. More details can be found at:
http://www.oracle.com/technology/deploy/security/critical-patch-updates/cpuapr2007.html

-- Disclosure Timeline:
2007.01.29 - Vulnerability reported to vendor
2006.12.14 - Digital Vaccine released to TippingPoint customers
2007.04.18 - Coordinated public release of advisory

-- Credit:
This vulnerability was discovered by Joxean Koret.
[Full-disclosure] ZDI-07-018: IBM Tivoli Monitoring Express Universal Agent Heap Overflow Vulnerability
ZDI-07-018: IBM Tivoli Monitoring Express Universal Agent Heap Overflow Vulnerability
http://www.zerodayinitiative.com/advisories/ZDI-07-018.html
April 18, 2007

-- CVE ID:
CVE-2007-2137

-- Affected Vendor:
IBM

-- Affected Products:
IBM Tivoli Monitoring Express 6.1

-- Vulnerability Details:
This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of IBM Tivoli Monitoring Express. Authentication is not required to exploit this vulnerability.

The specific flaws exist in the Tivoli Universal Agent Primary Service (TCP 10110), Monitoring Agent for Windows OS - Primary (TCP 6014) and Tivoli Enterprise Portal Server (TCP 14206) services. When a long string is sent to these services, it will result in a heap overflow during a call to a vulnerable function in kde.dll, resulting in the ability to execute arbitrary code.

-- Vendor Response:
IBM has issued an update to correct this vulnerability. More details can be found at:
http://www-1.ibm.com/support/docview.wss?uid=swg24012341

-- Disclosure Timeline:
2006.09.14 - Vulnerability reported to vendor
2007.04.18 - Public release of advisory

-- Credit:
This vulnerability was discovered by CIRT.DK.
[Full-disclosure] ZDI-07-019: BMC Patrol PerformAgent bgs_sdservice Memory Corruption Vulnerability
ZDI-07-019: BMC Patrol PerformAgent bgs_sdservice Memory Corruption Vulnerability
http://www.zerodayinitiative.com/advisories/ZDI-07-019.html
April 18, 2007

-- CVE ID:
CVE-2007-2136

-- Affected Vendor:
BMC

-- Affected Products:
Patrol

-- TippingPoint(TM) IPS Customer Protection:
TippingPoint IPS customers have been protected against this vulnerability since April 13, 2007 by Digital Vaccine protection filter ID 5287. For further product information on the TippingPoint IPS: http://www.tippingpoint.com

-- Vulnerability Details:
This vulnerability allows attackers to execute arbitrary code on vulnerable installations of BMC Patrol. User interaction is not required to exploit this vulnerability.

The specific flaw exists due to improper parsing of XDR data sent to the bgs_sdservice.exe process listening by default on TCP port 10128. An attacker can influence a parameter to a memory copy operation and cause corruption of the stack, including SEH pointers. This can be leveraged to execute arbitrary code.

-- Vendor Response:
BMC has provided the following statement:

[This issue] has been addressed, and a patch has been made available to our customers. A flash bulletin has been created describing the patch and will be sent to all affected customers in the next few days. BMC has a formal customer support mechanism in place to provide solutions to security issues brought to us by those who have legally licensed our software. In cases where security issues are brought to my attention by individuals/vendors who do not have legal access to our products, we will investigate their merit; however the issues will be addressed at our own discretion and according to our understanding of their severity. Finally, please note that in the future, I will only communicate resolutions and workarounds to licensed customers who are using our software legally. For a more meaningful dialogue around these issues and to be notified of any available patches, I urge all licensed customers to use BMC's support mechanism.

-- Disclosure Timeline:
2007.03.05 - Vulnerability reported to vendor
2007.04.13 - Digital Vaccine released to TippingPoint customers
2007.04.18 - Public release of advisory

-- Credit:
This vulnerability was discovered by an anonymous researcher.
[Full-disclosure] ZDI-07-020: BMC Performance Manager SNMP Command Execution Vulnerability
ZDI-07-020: BMC Performance Manager SNMP Command Execution Vulnerability
http://www.zerodayinitiative.com/advisories/ZDI-07-020.html
April 18, 2007

-- CVE ID:
CVE-2007-1972

-- Affected Vendor:
BMC

-- Affected Products:
Performance Manager

-- TippingPoint(TM) IPS Customer Protection:
TippingPoint IPS customers have been protected against this vulnerability since April 13, 2007 by Digital Vaccine protection filter ID 5286. For further product information on the TippingPoint IPS: http://www.tippingpoint.com

-- Vulnerability Details:
These vulnerabilities allow attackers to execute arbitrary code on vulnerable installations of BMC Performance Manager. User interaction is not required to exploit this vulnerability.

The specific flaw exists in PatrolAgent.exe listening on TCP port 3181. The service allows remote attackers to modify configuration files without authentication. This can be exploited by an attacker by modifying parameters in SNMP community definitions. By modifying the masterAgentName and masterAgentStartLine parameters, an attacker can execute arbitrary code.

-- Vendor Response:
BMC has provided the following statement:

[This issue] has been found not to be a security vulnerability; when properly configured (as described for our customers in our documentation and in our online knowledge base) this attack is not possible. BMC has a formal customer support mechanism in place to provide solutions to security issues brought to us by those who have legally licensed our software. In cases where security issues are brought to my attention by individuals/vendors who do not have legal access to our products, we will investigate their merit; however the issues will be addressed at our own discretion and according to our understanding of their severity. Finally, please note that in the future, I will only communicate resolutions and workarounds to licensed customers who are using our software legally. For a more meaningful dialogue around these issues and to be notified of any available patches, I urge all licensed customers to use BMC's support mechanism.

-- Disclosure Timeline:
2007.03.05 - Vulnerability reported to vendor
2007.04.13 - Digital Vaccine released to TippingPoint customers
2007.04.18 - Public release of advisory

-- Credit:
This vulnerability was discovered by an anonymous researcher.
[Full-disclosure] [USN-453-1] X.org vulnerability
===========================================================
Ubuntu Security Notice USN-453-1            April 18, 2007
libx11 vulnerability
CVE-2007-1667
===========================================================

A security issue affects the following Ubuntu releases:

Ubuntu 6.06 LTS
Ubuntu 6.10

This advisory also applies to the corresponding versions of Kubuntu, Edubuntu, and Xubuntu.

The problem can be corrected by upgrading your system to the following package versions:

Ubuntu 6.06 LTS:
  libx11-6                        2:1.0.0-0ubuntu9.1

Ubuntu 6.10:
  libx11-6                        2:1.0.3-0ubuntu4.1

After a standard system upgrade you need to restart your session or reboot your computer to effect the necessary changes.

Details follow:

Multiple integer overflows were found in the XGetPixel function of libx11. If a user were tricked into opening a specially crafted XWD image, remote attackers could execute arbitrary code with user privileges.

Updated packages for Ubuntu 6.06 LTS:

  Source archives:
    http://security.ubuntu.com/ubuntu/pool/main/libx/libx11/libx11_1.0.0-0ubuntu9.1.diff.gz
      Size/MD5:   296713 c02907c6ee1ea4d7de17ec328eb3a2ec
    http://security.ubuntu.com/ubuntu/pool/main/libx/libx11/libx11_1.0.0-0ubuntu9.1.dsc
      Size/MD5:      904 910682e8e8471c93b9c7f350bde18309
    http://security.ubuntu.com/ubuntu/pool/main/libx/libx11/libx11_1.0.0.orig.tar.gz
      Size/MD5:  1864594 67c938b93d52b71d350f8bb61c4ffd98

  amd64 architecture (Athlon64, Opteron, EM64T Xeon)
    http://security.ubuntu.com/ubuntu/pool/main/libx/libx11/libx11-6-dbg_1.0.0-0ubuntu9.1_amd64.deb
      Size/MD5:  2516010 f7ccc4a58bb4d231b24f7625efbd62fb
    http://security.ubuntu.com/ubuntu/pool/main/libx/libx11/libx11-6_1.0.0-0ubuntu9.1_amd64.deb
      Size/MD5:   753850 23e06d9506f145819681b46663f64a63
    http://security.ubuntu.com/ubuntu/pool/main/libx/libx11/libx11-dev_1.0.0-0ubuntu9.1_amd64.deb
      Size/MD5:  1309144 363c492cab8c189f64e435b11f61cd4f

  i386 architecture (x86 compatible Intel/AMD)
    http://security.ubuntu.com/ubuntu/pool/main/libx/libx11/libx11-6-dbg_1.0.0-0ubuntu9.1_i386.deb
      Size/MD5:  2357296 37bcfc960b9659eecd4f18e341d042e0
    http://security.ubuntu.com/ubuntu/pool/main/libx/libx11/libx11-6_1.0.0-0ubuntu9.1_i386.deb
      Size/MD5:   709932 a8590be9cb19a19f2e2c5a1a5e77891e
    http://security.ubuntu.com/ubuntu/pool/main/libx/libx11/libx11-dev_1.0.0-0ubuntu9.1_i386.deb
      Size/MD5:  1239616 7ea6287c6c20e3fc7574bc4ece4a6f8a

  powerpc architecture (Apple Macintosh G3/G4/G5)
    http://security.ubuntu.com/ubuntu/pool/main/libx/libx11/libx11-6-dbg_1.0.0-0ubuntu9.1_powerpc.deb
      Size/MD5:  2556312 7b0cbce8570ffb1a28d4db1b4cafea4c
    http://security.ubuntu.com/ubuntu/pool/main/libx/libx11/libx11-6_1.0.0-0ubuntu9.1_powerpc.deb
      Size/MD5:   739432 f5bb7c9015bb78a8028fe8ea610f56eb
    http://security.ubuntu.com/ubuntu/pool/main/libx/libx11/libx11-dev_1.0.0-0ubuntu9.1_powerpc.deb
      Size/MD5:  1278756 cf9f2f37c22e556d944f6770e7245ec3

  sparc architecture (Sun SPARC/UltraSPARC)
    http://security.ubuntu.com/ubuntu/pool/main/libx/libx11/libx11-6-dbg_1.0.0-0ubuntu9.1_sparc.deb
      Size/MD5:  2422854 6c4445eefac1d5db0351c1099076d0f6
    http://security.ubuntu.com/ubuntu/pool/main/libx/libx11/libx11-6_1.0.0-0ubuntu9.1_sparc.deb
      Size/MD5:   708368 e4b90a1837c3ac6225ffae953c96c5b6
    http://security.ubuntu.com/ubuntu/pool/main/libx/libx11/libx11-dev_1.0.0-0ubuntu9.1_sparc.deb
      Size/MD5:  1247782 649b7509afa1fff166aded5c29589727

Updated packages for Ubuntu 6.10:

  Source archives:
    http://security.ubuntu.com/ubuntu/pool/main/libx/libx11/libx11_1.0.3-0ubuntu4.1.diff.gz
      Size/MD5:    95653 63f1ad8426d56ec2b0bf1f06970a5213
    http://security.ubuntu.com/ubuntu/pool/main/libx/libx11/libx11_1.0.3-0ubuntu4.1.dsc
      Size/MD5:      998 b8f1fcb2a7439eed68327677488c52b7
    http://security.ubuntu.com/ubuntu/pool/main/libx/libx11/libx11_1.0.3.orig.tar.gz
      Size/MD5:  1927173 d734dacf32abebc4001bd7d63076994a

  Architecture independent packages:
    http://security.ubuntu.com/ubuntu/pool/main/libx/libx11/libx11-data_1.0.3-0ubuntu4.1_all.deb
      Size/MD5:   196810 7fe93ec08c95dae145b50ef747645ac1

  amd64 architecture (Athlon64, Opteron, EM64T Xeon)
    http://security.ubuntu.com/ubuntu/pool/main/libx/libx11/libx11-6-dbg_1.0.3-0ubuntu4.1_amd64.deb
      Size/MD5:  2610148 8b40eb73bfe3e7f2cf4c051176b34ca6
    http://security.ubuntu.com/ubuntu/pool/main/libx/libx11/libx11-6_1.0.3-0ubuntu4.1_amd64.deb
      Size/MD5:   611674 146a9b05faf5693e3d2fd434ca96fe0e
    http://security.ubuntu.com/ubuntu/pool/main/libx/libx11/libx11-dev_1.0.3-0ubuntu4.1_amd64.deb
      Size/MD5:  1224324 0729fc93822f37b6abc336fcce3f35ff

  i386 architecture (x86 compatible Intel/AMD)
    http://security.ubuntu.com/ubuntu/pool/main/libx/libx11/libx11-6-dbg_1.0.3-0ubuntu4.1_i386.deb
      Size/MD5:  2551504
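The Size/MD5 lines in the notice are what an administrator checks before installing a package fetched from a mirror. The following is an added example, not Ubuntu's own tooling and not part of USN-453-1: it parses "URL / Size/MD5" entries out of notice text and checks a downloaded file's length and MD5 against them. The sample package bytes and the first advisory entry are constructed so they match each other; the second entry is copied from the notice above but no file is supplied for it. MD5 here only catches a corrupted transfer or a swapped file: it is not collision-resistant, so the archive's GPG signature, not this digest, is what authenticates the packages.

```python
"""Verify a downloaded package against the Size/MD5 entries in a USN.

Added example, not part of USN-453-1 or of Ubuntu's tooling. SAMPLE_PKG and
SAMPLE_URL are constructed for the demo; the libx11-dev entry is copied from
the notice.
"""
import hashlib
import re
from typing import Dict, Tuple

# Each entry in a USN is a URL followed (usually on the next line) by
# "Size/MD5: <size> <md5>". The extraction on some copies drops the space
# after the colon, so allow zero or more whitespace there.
ENTRY_RE = re.compile(
    r"(?P<url>https?://\S+)\s+Size/MD5:\s*(?P<size>\d+)\s+(?P<md5>[0-9a-f]{32})",
    re.IGNORECASE,
)


def parse_size_md5(advisory_text: str) -> Dict[str, Tuple[int, str]]:
    """Map each package URL in the notice to its (size, md5) pair."""
    entries: Dict[str, Tuple[int, str]] = {}
    for m in ENTRY_RE.finditer(advisory_text):
        entries[m.group("url")] = (int(m.group("size")), m.group("md5").lower())
    return entries


def verify_download(url: str, data: bytes,
                    entries: Dict[str, Tuple[int, str]]) -> bool:
    """True only if both the size and the MD5 of `data` match the notice.

    Size is checked first: it is cheap and unambiguous. A matching MD5 is an
    integrity check against transfer errors or a mirror serving the wrong
    file; it is not proof of origin, which the archive's GPG signature gives.
    """
    if url not in entries:
        return False
    size, md5 = entries[url]
    if len(data) != size:
        return False
    return hashlib.md5(data).hexdigest() == md5


# Constructed sample: a fake package body and a notice fragment whose first
# Size/MD5 line is computed from it. The second line is a real entry from
# USN-453-1 (no bytes are provided for it here).
SAMPLE_PKG = b"fake-libx11-6 package body for the demo\n" * 64
SAMPLE_URL = "http://security.ubuntu.com/ubuntu/pool/main/libx/libx11/libx11-6_demo.deb"
SAMPLE_ADVISORY = (
    "Updated packages for Ubuntu 6.06 LTS:\n"
    f"{SAMPLE_URL}\n"
    f"  Size/MD5: {len(SAMPLE_PKG)} {hashlib.md5(SAMPLE_PKG).hexdigest()}\n"
    "http://security.ubuntu.com/ubuntu/pool/main/libx/libx11/"
    "libx11-dev_1.0.0-0ubuntu9.1_amd64.deb\n"
    "  Size/MD5: 1309144 363c492cab8c189f64e435b11f61cd4f\n"
)

if __name__ == "__main__":
    table = parse_size_md5(SAMPLE_ADVISORY)
    print("entries parsed:", len(table))
    print("intact copy   :", verify_download(SAMPLE_URL, SAMPLE_PKG, table))
    print("same size, bit flipped:",
          verify_download(SAMPLE_URL, SAMPLE_PKG[:-1] + b"!", table))
    print("one byte longer:",
          verify_download(SAMPLE_URL, SAMPLE_PKG + b"x", table))
```

The size check is deliberately separate from the digest check so that a wrong file is rejected before any hashing, and an unknown URL is rejected outright rather than trusted by default.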
[Full-disclosure] [ MDKSA-2007:087 ] - Updated php packages fix multiple vulnerabilities
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

 _______________________________________________________________________

 Mandriva Linux Security Advisory                         MDKSA-2007:087
 http://www.mandriva.com/security/
 _______________________________________________________________________

 Package : php
 Date    : April 18, 2007
 Affected: Corporate 3.0, Multi Network Firewall 2.0
 _______________________________________________________________________

 Problem Description:

 A heap-based buffer overflow vulnerability was found in PHP's gd extension. A script that could be forced to process WBMP images from an untrusted source could result in arbitrary code execution (CVE-2007-1001).

 A DoS flaw was found in how PHP processed a deeply nested array. A remote attacker could cause the PHP interpreter to crash by submitting an input variable with a deeply nested array (CVE-2007-1285).

 A vulnerability was discovered in the way PHP's unserialize() function processed data. A remote attacker able to pass arbitrary data to PHP's unserialize() function could possibly execute arbitrary code as the apache user (CVE-2007-1286).

 A double-free flaw was found in the session_decode() function that could allow a remote attacker to potentially execute arbitrary code as the apache user if they are able to pass arbitrary data to PHP's session_decode() function (CVE-2007-1711).

 A vulnerability in how PHP's mail() function processed header data was discovered. If a script sent mail using a subject header containing a string from an untrusted source, a remote attacker could send bulk email to unintended recipients (CVE-2007-1718).

 Updated packages have been patched to correct these issues.
 _______________________________________________________________________

 References:

 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-1001
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-1285
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-1286
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-1711
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-1718
 _______________________________________________________________________

 Updated Packages:

 Corporate 3.0:
 2b15b0bc22742758bb62fcd320180106  corporate/3.0/i586/libphp_common432-4.3.4-4.25.C30mdk.i586.rpm
 fe5339f7b2da384dfde700c20c501aab  corporate/3.0/i586/php-cgi-4.3.4-4.25.C30mdk.i586.rpm
 110991ac64c73f0b2febc7f67a9f0144  corporate/3.0/i586/php-cli-4.3.4-4.25.C30mdk.i586.rpm
 adc9ea974665abe40372bbf762ecf61a  corporate/3.0/i586/php-gd-4.3.4-1.6.C30mdk.i586.rpm
 eb068f34f5c376dc7a1dc0ea29501a1f  corporate/3.0/i586/php432-devel-4.3.4-4.25.C30mdk.i586.rpm
 526b4e2d8afee42eb1f3d125ee2aba87  corporate/3.0/SRPMS/php-4.3.4-4.25.C30mdk.src.rpm
 607997f818ac53d2af7c8fcaef7a0171  corporate/3.0/SRPMS/php-gd-4.3.4-1.6.C30mdk.src.rpm

 Corporate 3.0/X86_64:
 db3c2959f962b81805c8619efb297b9d  corporate/3.0/x86_64/lib64php_common432-4.3.4-4.25.C30mdk.x86_64.rpm
 d97ed23384c43d388c93cb978d414e68  corporate/3.0/x86_64/php-cgi-4.3.4-4.25.C30mdk.x86_64.rpm
 dfac457ee4b81a5d54ad6f343809a241  corporate/3.0/x86_64/php-cli-4.3.4-4.25.C30mdk.x86_64.rpm
 da07d371618eaf195a2d88721355a3d6  corporate/3.0/x86_64/php-gd-4.3.4-1.6.C30mdk.x86_64.rpm
 efbf7920f6ed9595aa9c55e42e1a72ce  corporate/3.0/x86_64/php432-devel-4.3.4-4.25.C30mdk.x86_64.rpm
 526b4e2d8afee42eb1f3d125ee2aba87  corporate/3.0/SRPMS/php-4.3.4-4.25.C30mdk.src.rpm
 607997f818ac53d2af7c8fcaef7a0171  corporate/3.0/SRPMS/php-gd-4.3.4-1.6.C30mdk.src.rpm

 Multi Network Firewall 2.0:
 5b7e1a1db6250ff6407e2bdb72012e1f  mnf/2.0/i586/libphp_common432-4.3.4-4.25.M20mdk.i586.rpm
 ab13e78a0c41f9dc32e92d4ea003807d  mnf/2.0/i586/php-cgi-4.3.4-4.25.M20mdk.i586.rpm
 513eb7fdff9ed48249f35fdf0d49507e  mnf/2.0/i586/php-cli-4.3.4-4.25.M20mdk.i586.rpm
 04a3bf4b56d20b26103cf28c49c1c4a3  mnf/2.0/i586/php-gd-4.3.4-1.6.M20mdk.i586.rpm
 0f72994f611b8be41fb944616b07e53b  mnf/2.0/i586/php432-devel-4.3.4-4.25.M20mdk.i586.rpm
 2da2bb6ebf427fce22912e37448b5dd8  mnf/2.0/SRPMS/php-4.3.4-4.25.M20mdk.src.rpm
 50a5b40d98a9394cf0093751aaa47877  mnf/2.0/SRPMS/php-gd-4.3.4-1.6.M20mdk.src.rpm
 _______________________________________________________________________

 To upgrade automatically use MandrivaUpdate or urpmi. The verification of md5 checksums and GPG signatures is performed automatically for you.

 All packages are signed by Mandriva for security. You can obtain the GPG public key of the Mandriva Security Team by executing:

  gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98

 You can view other update advisories for Mandriva Linux at:

  http://www.mandriva.com/security/advisories

 If you want to report vulnerabilities, please contact

  security_(at)_mandriva.com
 _______________________________________________________________________

 Type Bits/KeyID     Date       User ID
 pub  1024D/22458A98 2000-07-10 Mandriva Security Team
  security*mandriva.com
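The mail() issue above (CVE-2007-1718, also listed in the two following Mandriva advisories) is a header-injection bug: a subject taken from untrusted input that contains a line break ends the Subject header and whatever follows is parsed as further headers, so an attacker can append a Bcc: and have the script deliver to recipients it never chose. The following is an added example, written in Python rather than PHP and not code from the advisory or from PHP itself. It places the vulnerable string-concatenation pattern beside a version that refuses such values, and runs both over a constructed subject carrying an injected Bcc: header; the addresses are made up.

```python
"""CR/LF header injection in mail assembled from untrusted input.

Added example, not from the Mandriva advisory or from PHP. The subject
strings and addresses below are constructed for the demo.
"""
from email.message import EmailMessage
from email.policy import SMTP
from typing import List, Optional


def build_message_unsafe(to: str, subject: str, body: str) -> bytes:
    """The pattern the advisory warns about: raw concatenation into the
    header block. A CR/LF inside `subject` becomes a header boundary, so
    anything after it is delivered as a real header. Kept deliberately
    vulnerable to show the effect."""
    raw = f"To: {to}\r\nSubject: {subject}\r\n\r\n{body}\r\n"
    return raw.encode()


def header_value_is_safe(value: str) -> bool:
    """A single header value must not contain a bare CR, LF or NUL."""
    return not any(ch in value for ch in "\r\n\x00")


def build_message_safe(to: str, subject: str, body: str) -> Optional[bytes]:
    """Refuse values that would break out of their header instead of trying
    to strip them. Returns None on rejection; otherwise assembles the mail
    with the email library (which itself raises on embedded newlines)."""
    if not header_value_is_safe(subject) or not header_value_is_safe(to):
        return None
    msg = EmailMessage(policy=SMTP)
    msg["To"] = to
    msg["Subject"] = subject
    msg.set_content(body)
    return msg.as_bytes()


def recipients_in(raw: bytes) -> List[str]:
    """Names of the recipient headers (To/Cc/Bcc) actually present in the
    header block: the check for recipients the script did not intend."""
    head = raw.split(b"\r\n\r\n", 1)[0]
    return [line.split(b":", 1)[0].decode()
            for line in head.split(b"\r\n")
            if line.lower().startswith((b"to:", b"cc:", b"bcc:"))]


# Constructed attacker input: a plausible subject followed by CR/LF and a
# Bcc: header naming addresses the application never chose.
INJECTED_SUBJECT = ("Your receipt\r\n"
                    "Bcc: victim1@example.invalid, victim2@example.invalid")

if __name__ == "__main__":
    bad = build_message_unsafe("user@example.invalid", INJECTED_SUBJECT, "hi")
    print("unsafe build, recipient headers:", recipients_in(bad))
    print("safe build with injected subject:",
          build_message_safe("user@example.invalid", INJECTED_SUBJECT, "hi"))
    ok = build_message_safe("user@example.invalid", "Your receipt", "hi")
    print("safe build, recipient headers:", recipients_in(ok))
```

Rejecting is preferable to silently stripping the line breaks: a stripped subject still sends mail the application did not validate, and the rejection is the signal worth logging.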
[Full-disclosure] [ MDKSA-2007:088 ] - Updated php packages fix multiple vulnerabilities
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

 _______________________________________________________________________

 Mandriva Linux Security Advisory                         MDKSA-2007:088
 http://www.mandriva.com/security/
 _______________________________________________________________________

 Package : php
 Date    : April 18, 2007
 Affected: Corporate 4.0
 _______________________________________________________________________

 Problem Description:

 A heap-based buffer overflow vulnerability was found in PHP's gd extension. A script that could be forced to process WBMP images from an untrusted source could result in arbitrary code execution (CVE-2007-1001).

 A DoS flaw was found in how PHP processed a deeply nested array. A remote attacker could cause the PHP interpreter to crash by submitting an input variable with a deeply nested array (CVE-2007-1285).

 A vulnerability was discovered in the way PHP's unserialize() function processed data. A remote attacker able to pass arbitrary data to PHP's unserialize() function could possibly execute arbitrary code as the apache user (CVE-2007-1286).

 A vulnerability in the way the mbstring extension set global variables was discovered where a script using the mb_parse_str() function to set global variables could be forced to enable the register_globals configuration option, possibly resulting in global variable injection (CVE-2007-1583).

 A double-free flaw was found in the session_decode() function that could allow a remote attacker to potentially execute arbitrary code as the apache user if they are able to pass arbitrary data to PHP's session_decode() function (CVE-2007-1711).

 A vulnerability in how PHP's mail() function processed header data was discovered. If a script sent mail using a subject header containing a string from an untrusted source, a remote attacker could send bulk email to unintended recipients (CVE-2007-1718).

 A buffer overflow in the sqlite_decode_function() in the bundled sqlite library could allow context-dependent attackers to execute arbitrary code (CVE-2007-1887).

 Updated packages have been patched to correct these issues. Also note that the default use of the Hardened PHP patch helped to protect against some of these issues prior to patching.
 _______________________________________________________________________

 References:

 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-1001
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-1285
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-1286
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-1583
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-1711
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-1718
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-1887
 _______________________________________________________________________

 Updated Packages:

 Corporate 4.0:
 d5181607c0ef1bd993637fe129e8cc50  corporate/4.0/i586/libphp4_common4-4.4.4-1.5.20060mlcs4.i586.rpm
 06dfc54d6c06fe4f249dc08b08a84c16  corporate/4.0/i586/php4-cgi-4.4.4-1.5.20060mlcs4.i586.rpm
 7702c8ee1766d8420f3ab5ba61b32aff  corporate/4.0/i586/php4-cli-4.4.4-1.5.20060mlcs4.i586.rpm
 55947a4305717c4b598d769b601470d0  corporate/4.0/i586/php4-devel-4.4.4-1.5.20060mlcs4.i586.rpm
 1e38d7f1eee4ae39b7b2c3508202404e  corporate/4.0/i586/php4-gd-4.4.4-1.1.20060mlcs4.i586.rpm
 fb27bc94b043c155e59e06f289108795  corporate/4.0/i586/php4-mbstring-4.4.4-1.1.20060mlcs4.i586.rpm
 d2745977e89970f8208257099443efca  corporate/4.0/i586/php4-sqlite-1.0.3-5.1.20060mlcs4.i586.rpm
 33a9318558d73c76f2fe6b896915dd8f  corporate/4.0/SRPMS/php4-4.4.4-1.5.20060mlcs4.src.rpm
 d26b3a8e4541768bc502f23b332649d7  corporate/4.0/SRPMS/php4-gd-4.4.4-1.1.20060mlcs4.src.rpm
 c4e4d17b70730850abe1c3898000cf04  corporate/4.0/SRPMS/php4-mbstring-4.4.4-1.1.20060mlcs4.src.rpm
 e691ab99a73fb2854cc4c9ab4114c845  corporate/4.0/SRPMS/php4-sqlite-1.0.3-5.1.20060mlcs4.src.rpm

 Corporate 4.0/X86_64:
 da32934c2e180b55246f31fc998d7d0c  corporate/4.0/x86_64/lib64php4_common4-4.4.4-1.5.20060mlcs4.x86_64.rpm
 c301b2fd29988da6aeedfcd9f3f46386  corporate/4.0/x86_64/php4-cgi-4.4.4-1.5.20060mlcs4.x86_64.rpm
 be0122face0922bf0cb59ed018efe052  corporate/4.0/x86_64/php4-cli-4.4.4-1.5.20060mlcs4.x86_64.rpm
 e1d6ee2c35271751d0a312a3b3baf98e  corporate/4.0/x86_64/php4-devel-4.4.4-1.5.20060mlcs4.x86_64.rpm
 86c6a934cde38aa4ae5ac12bfad9f590  corporate/4.0/x86_64/php4-gd-4.4.4-1.1.20060mlcs4.x86_64.rpm
 b445267393650b1d7db6c9145176  corporate/4.0/x86_64/php4-mbstring-4.4.4-1.1.20060mlcs4.x86_64.rpm
 e4062b3737eb9b8a2c9d463a48dc42bd  corporate/4.0/x86_64/php4-sqlite-1.0.3-5.1.20060mlcs4.x86_64.rpm
 33a9318558d73c76f2fe6b896915dd8f  corporate/4.0/SRPMS/php4-4.4.4-1.5.20060mlcs4.src.rpm
 d26b3a8e4541768bc502f23b332649d7  corporate/4.0/SRPMS/php4-gd-4.4.4-1.1.20060mlcs4.src.rpm
 c4e4d17b70730850abe1c3898000cf04
[Full-disclosure] [ MDKSA-2007:089 ] - Updated php packages fix multiple vulnerabilities
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

 _______________________________________________________________________

 Mandriva Linux Security Advisory                         MDKSA-2007:089
 http://www.mandriva.com/security/
 _______________________________________________________________________

 Package : php
 Date    : April 18, 2007
 Affected: 2007.0, Corporate 4.0
 _______________________________________________________________________

 Problem Description:

 A heap-based buffer overflow vulnerability was found in PHP's gd extension. A script that could be forced to process WBMP images from an untrusted source could result in arbitrary code execution (CVE-2007-1001).

 A DoS flaw was found in how PHP processed a deeply nested array. A remote attacker could cause the PHP interpreter to crash by submitting an input variable with a deeply nested array (CVE-2007-1285).

 A vulnerability in the way the mbstring extension set global variables was discovered where a script using the mb_parse_str() function to set global variables could be forced to enable the register_globals configuration option, possibly resulting in global variable injection (CVE-2007-1583).

 A vulnerability in how PHP's mail() function processed header data was discovered. If a script sent mail using a subject header containing a string from an untrusted source, a remote attacker could send bulk email to unintended recipients (CVE-2007-1718).

 A buffer overflow in the sqlite_decode_function() in the bundled sqlite library could allow context-dependent attackers to execute arbitrary code (CVE-2007-1887).

 Updated packages have been patched to correct these issues. Also note that the default use of the Hardened PHP patch helped to protect against some of these issues prior to patching.
 _______________________________________________________________________

 References:

 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-1001
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-1285
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-1583
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-1718
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-1887
 _______________________________________________________________________

 Updated Packages:

 Mandriva Linux 2007.0:
 9cf466b76665bc033530c80f504eb54e  2007.0/i586/libphp5_common5-5.1.6-1.7mdv2007.0.i586.rpm
 a1d9ebfcc187c4494af7e1e39fdf0f47  2007.0/i586/php-cgi-5.1.6-1.7mdv2007.0.i586.rpm
 55439de9b2c70cc97cee9b51fb5a89a9  2007.0/i586/php-cli-5.1.6-1.7mdv2007.0.i586.rpm
 8c77d342600f50e6157a3df4f1f9b8f1  2007.0/i586/php-devel-5.1.6-1.7mdv2007.0.i586.rpm
 f3c5bc37d6a24279a5f63b9f18e913f9  2007.0/i586/php-fcgi-5.1.6-1.7mdv2007.0.i586.rpm
 ca1858b16d0a4d080e052bc182fc391f  2007.0/i586/php-gd-5.1.6-1.2mdv2007.0.i586.rpm
 ddb1de61592f7a7281e5e91449398305  2007.0/i586/php-mbstring-5.1.6-1.1mdv2007.0.i586.rpm
 083edc863400b03a69056dca44ba3a2e  2007.0/i586/php-sqlite-5.1.6-1.1mdv2007.0.i586.rpm
 eb4be9590d4b82d63d3041b5963dd365  2007.0/SRPMS/php-5.1.6-1.7mdv2007.0.src.rpm
 c488b9c4f369ac8f7bb7b727938d75bc  2007.0/SRPMS/php-gd-5.1.6-1.2mdv2007.0.src.rpm
 85269cbd42e2900ee754891e240120b3  2007.0/SRPMS/php-mbstring-5.1.6-1.1mdv2007.0.src.rpm
 3672001f271ae73ac8024455a887ef6e  2007.0/SRPMS/php-sqlite-5.1.6-1.1mdv2007.0.src.rpm

 Mandriva Linux 2007.0/X86_64:
 4da00df59f3a9fc8105c3b540cf4054a  2007.0/x86_64/lib64php5_common5-5.1.6-1.7mdv2007.0.x86_64.rpm
 6eb974c7d025e406bd8ee1b72f5972fe  2007.0/x86_64/php-cgi-5.1.6-1.7mdv2007.0.x86_64.rpm
 e4922361429c9aab92a44496e04eb409  2007.0/x86_64/php-cli-5.1.6-1.7mdv2007.0.x86_64.rpm
 17e01392077a6c435455d0b521e82d7a  2007.0/x86_64/php-devel-5.1.6-1.7mdv2007.0.x86_64.rpm
 f73924c3f06c16e1382be7d18e1d1494  2007.0/x86_64/php-fcgi-5.1.6-1.7mdv2007.0.x86_64.rpm
 3a88b1be7ed446e0d5a09ae8f0d64cf4  2007.0/x86_64/php-gd-5.1.6-1.2mdv2007.0.x86_64.rpm
 d983f296eba0b5d1642c1a673bf6673c  2007.0/x86_64/php-mbstring-5.1.6-1.1mdv2007.0.x86_64.rpm
 3f1e547ebc7cb5debd2c818ad3746404  2007.0/x86_64/php-sqlite-5.1.6-1.1mdv2007.0.x86_64.rpm
 eb4be9590d4b82d63d3041b5963dd365  2007.0/SRPMS/php-5.1.6-1.7mdv2007.0.src.rpm
 c488b9c4f369ac8f7bb7b727938d75bc  2007.0/SRPMS/php-gd-5.1.6-1.2mdv2007.0.src.rpm
 85269cbd42e2900ee754891e240120b3  2007.0/SRPMS/php-mbstring-5.1.6-1.1mdv2007.0.src.rpm
 3672001f271ae73ac8024455a887ef6e  2007.0/SRPMS/php-sqlite-5.1.6-1.1mdv2007.0.src.rpm

 Corporate 4.0:
 a15a2db081dbf8b39751a8831e24cfd8  corporate/4.0/i586/libphp5_common5-5.1.6-1.6.20060mlcs4.i586.rpm
 00f3d7a49c95ad203105d69dbf60acd1  corporate/4.0/i586/php-cgi-5.1.6-1.6.20060mlcs4.i586.rpm
 6579f0081fd03d78bcbbfcec165fa017  corporate/4.0/i586/php-cli-5.1.6-1.6.20060mlcs4.i586.rpm
 2e54eaef6e350edb05e57291820b40ea  corporate/4.0/i586/php-devel-5.1.6-1.6.20060mlcs4.i586.rpm
 a74807717c95d2aa153f65ca94522f99  corporate/4.0/i586/php-fcgi-5.1.6-1.6.20060mlcs4.i586.rpm
 e79a2f636d497934ddf8b507d4cb54cc