[Full-disclosure] WifiZoo v1.2 release

2007-10-02 Thread Hernan Ochoa
WifiZoo v1.2:

-Bug Fixes
-It now has a web GUI running on localhost:8000, it will hopefully
make its use more 'convenient'
-And it also has an 'http proxy' ala ferret/hamster. You can display
the captured cookies with the web gui, clicking on a cookie will set
that cookie on the wifizoo proxy. Set your browser to use the proxy,
and again, hopefully, that will do the trick.

Updated docs:
http://community.corest.com/~hochoa/wifizoo/index.html

Direct download link:
http://community.corest.com/~hochoa/wifizoo/wifizoo_v1.2.tgz

Thanks!,
Hernan

___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


Re: [Full-disclosure] Testing DidTheyReadIt.com

2007-10-02 Thread James Matthews
Can we get stats?

On 10/1/07, Gautam [EMAIL PROTECTED] wrote:

 ditto

 On 10/1/07, Anshuman G [EMAIL PROTECTED] wrote:
 
  Me :) and I think lots of people are interested .
 
  Regards,
  Anshu
 
  On 10/2/07, Thierry Zoller [EMAIL PROTECTED] wrote:
  
   Who is interested in the stats ?
  
 
 



 --
 [EMAIL PROTECTED]
 1.866.200.6829:22





-- 
http://search.goldwatches.com/search.aspx?Search=cufflinks
http://www.jewelerslounge.com

[Full-disclosure] [SECURITY] [DSA 1365-3] New id3lib3.8.3 packages fix denial of service

2007-10-02 Thread dann frazier

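------------------------------------------------------------------------
Debian Security Advisory DSA 1365-3                  [EMAIL PROTECTED]
http://www.debian.org/security/       Moritz Muehlenhoff, Dann Frazier
October 2nd, 2007                  http://www.debian.org/security/faq
------------------------------------------------------------------------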

Package: id3lib3.8.3
Vulnerability  : programming error
Problem-Type   : local
Debian-specific: no
CVE ID : CVE-2007-4460
Debian Bug : 438540

Nikolaus Schulz discovered that a programming error in id3lib, an ID3 Tag
Library, may lead to denial of service through symlink attacks.

This update to DSA-1365-2 provides missing packages for the mipsel
architecture for the stable distribution (etch).

For the oldstable distribution (sarge) this problem has been fixed in
version 3.8.3-4.1sarge1.

For the stable distribution (etch) this problem has been fixed in
version 3.8.3-6etch1.

For the unstable distribution (sid) this problem has been fixed in
version 3.8.3-7.

We recommend that you upgrade your id3lib3.8.3 packages.


Upgrade Instructions
--------------------

wget url
        will fetch the file for you
dpkg -i file.deb
        will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given below:

apt-get update
        will update the internal database
apt-get upgrade
        will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.


Debian GNU/Linux 3.1 alias sarge
--------------------------------

Re: [Full-disclosure] Firefox 2.0.0.7 has a very serious calculation bug

2007-10-02 Thread Jimby Sharp
 Also notice that if there is really a problem in FF javascript engine it goes beyond the
 browser. You could run Tamarin, Spidermonkey or Rhino on the server side and perform some
 processing there with javascript.

For heaven's sake please try to understand that it is not a problem at all.

 As a side comment I wanted to tell you that what is out there on the internet is not a
 standard. Is what IE dictates. IE rules the internet whether you like or not.

Go and read the ECMA standard. A standard is standard and it has
nothing to do with IE.

 I don't think that's a fair comparison. If you make the right algorithm and you do not get the
 expected results *is* not your fault but what are you sitting at (compiler, framework, library
 ...).

I fail to understand which part of my argument you failed to
understand. strcpy() provides the expected result for the right
algorithm so we do not say there is a bug in gcc. If someone uses
strcpy() to read user's input directly into a buffer, we say there is
a bug in the program.

Similarly, Firefox javascript floating point math gives expected
results. So there is no bug in Firefox. Now if you write a program
assuming the results of the floating math are absolutely accurate,
your program might have a bug.



[Full-disclosure] (no subject)

2007-10-02 Thread clappymonkey






Sent from my BlackBerry® wireless device


[Full-disclosure] Original Photo Gallery Remote Command Execution

2007-10-02 Thread ascii
Original Photo Gallery Remote Command Execution

 Name              Original Photo Gallery Remote Command Execution
 Systems Affected  Original 0.11.2 version and below
 Severity          High
 Vendor            http://jimmac.musichall.cz/original.php
 Advisory          http://www.ush.it/team/ascii/hack-original/advisory_updated.txt
                   http://www.ush.it/team/ascii/hack-original/advisory.txt
 Author            Francesco `ascii` Ongaro, Antonio `s4tan` Parata
 Date              20070919

I. BACKGROUND

Original is a set of scripts to get your digital photos on the web. It
aims to be as simple to maintain as possible.

The systems consist of two parts: a client side script to scale your
images to different sizes, create archives of an album, attach optional
metadata and a php script to render html pages of the picture
gallery.

II. DESCRIPTION

It's possible to execute arbitrary code on remote systems which have
installed a vulnerable software version.

III. ANALYSIS

The file inc/exif.inc.php contains the following vulnerable statement:

exec("$exif_prog \"$gallery_dir/$galerie/lq/img-$snimek.jpg\"",
$exif_data, $exif_status);

If PHP is configured with the globals on option, an attacker can
execute arbitrary code doing a direct request to the file and sending
shell commands in the parameter/value $exif_prog.

IV. DETECTION

http://www.x.com/original/inc/exif.inc.php?exif_prog=/path/to/touch%20/tmp/p0wn3d.txt;

The request should create a file in the /tmp directory (on Unix systems)
named p0wn3d.txt. If this happens then you have a vulnerable version of
the software (and a really risky PHP setup).

A rapid measurement shows that ~10% systems are vulnerable of about
17'000 listed on Google (using the dork: Generated by Original ver).

V. WORKAROUND

Upgrade to the new version 0.11.3 which fixes this vulnerability.

http://jimmac.musichall.cz/zip/original/original-0.11.3.tar.bz2

Or if unable to upgrade:

1) Disable access to the directory using Limit (vhosts/.htaccess).

2) Disable execution using disable_functions in php.ini.

The result is:

Warning: exec() has been disabled for security reasons in
/home/XXX/inc/exif.inc.php on line 157

3) Deny direct access to the file in the PHP code by checking for a
define or requested url.

VI. VENDOR RESPONSE

The vendor has promptly replied and addressed the problem issuing a
new release.

Original version 0.11.3 is available here:

http://jimmac.musichall.cz/zip/original/original-0.11.3.tar.bz2

VII. CVE INFORMATION

No CVE at this time.

VIII. DISCLOSURE TIMELINE

20070719 Bug discovered
20070725 Vendor contacted
20070927 Vendor reply and fix
20071002 Advisory released

IX. CREDIT

Francesco `ascii` Ongaro and Antonio `s4tan` Parata are credited with
the discovery of this vulnerability.

X. LEGAL NOTICES

Copyright (c) 2007 Francesco `ascii` Ongaro

Note: this exploit is DUAL LICENSED,
1. if you'll use it for personal and non-profit purposes you can
   apply GPL v2 and above.

2. In the case you plan to:
   a. use our code in any commercial context
   b. implement this code in your non-GPL application
   c. use this code during a Penetration Test
   d. make any profit from it

  you need to contact me in order to obtain a _commercial license_.

For more information about Dual Licensing:
http://producingoss.com/html-chunk/dual-licensing.html

Permission is granted for the redistribution of this alert
electronically. It may not be edited in any way without my express
written consent. If you wish to reprint the whole or any
part of this alert in any other medium other than electronically, please
email me for permission.

Disclaimer: The information in the advisory is believed to be accurate
at the time of publishing based on currently available information. Use
of the information constitutes acceptance for use in an AS IS condition.
There are no warranties with regard to this information. Neither the
author nor the publisher accepts any liability for any direct, indirect,
or consequential loss or damage arising from use of, or reliance on,
this information.



[Full-disclosure] TPTI-07-17: CA BrightStor Hierarchical Storage Manager SQL Injection Vulnerabilities

2007-10-02 Thread TSRT
TPTI-07-17: CA BrightStor Hierarchical Storage Manager SQL Injection
Vulnerabilities
http://dvlabs.tippingpoint.com/advisory/TPTI-07-17.html
October  2, 2007

-- CVE ID:
CVE-2007-5084

-- Affected Vendor:
Computer Associates

-- Affected Products:
BrightStor Hierarchical Storage Manager r11.5

-- TippingPoint(TM) IPS Customer Protection:
TippingPoint IPS customers have been protected against this
vulnerability since October  2, 2007 by Digital Vaccine protection
filter ID 4925. For further product information on the TippingPoint IPS:

http://www.tippingpoint.com 

-- Vulnerability Details:
These vulnerabilities allow a remote attacker to inject arbitrary SQL
into the backend database on vulnerable installations of CA BrightStor
Hierarchical Storage Manager. Authentication is not required to exploit
these vulnerabilities.

The specific flaws exist in the CsAgent service that listens by default
on TCP port 2000. An opcode parsing switch statement multiplexes data
funneling across various vulnerable routines. At least 7 out of the
available 68 opcodes are vulnerable to SQL injections, including: 0x07
- 0x09, 0x1E, 0x32, 0x36, 0x40.

-- Vendor Response:
http://supportconnectw.ca.com/public/bstorhsm/infodocs/bstorhsm-secnot.asp

-- Disclosure Timeline:
2006.11.01 - Vulnerability reported to vendor
2007.10.02 - Digital Vaccine released to TippingPoint customers
2007.10.02 - Coordinated public release of advisory

-- Credit:
This vulnerability was discovered by Aaron Portnoy, TippingPoint DVLabs.



[Full-disclosure] iDefense Security Advisory 10.02.07: Multiple Vendor X Font Server Multiple Vulnerabilities

2007-10-02 Thread iDefense Labs
Multiple Vendor X Font Server Multiple Vulnerabilities

iDefense Security Advisory 10.02.07
http://labs.idefense.com/intelligence/vulnerabilities/
Oct 02, 2007

I. BACKGROUND

The X Window System (or X11) is a graphical windowing system used on
Unix-like systems. It is based on a client/server model. The X Window
System font server (xfs) is used to render fonts for the X server. More
information can be found at the following URLs.

http://en.wikipedia.org/wiki/X_Window_System

http://www.x.org/wiki/

II. DESCRIPTION

Remote exploitation of multiple vulnerabilities in X.Org Foundation's
X Font Server, as included in various vendors' operating system
distributions, could allow an attacker to execute arbitrary code.

An integer overflow vulnerability exists within the handlers for the
QueryXBitmaps and QueryXExtents protocol requests. Both requests result
in a call to the build_range() function. This function takes a 32bit
integer from the request, and uses it in an arithmetic operation that
calculates the size of a dynamic buffer. This calculation can overflow,
which leads to an improperly sized memory allocation. This results in a
heap overflow.

Additionally, a heap corruption vulnerability exists within the handlers
for the QueryXBitmaps and QueryXExtents protocol requests. Both requests
result in a call to the swap_char2b() function. This function takes a
32bit integer from the request, and uses it as the number of bytes to
swap in the request buffer. This allows an attacker to swap an
arbitrary number of bytes on the heap.

III. ANALYSIS

Exploitation of these vulnerabilities could result in the execution of
arbitrary code with the privileges of the X Font Server, usually 'xfs'.

On current versions of Solaris, these vulnerabilities are remotely
exploitable. The XFS service is turned on by default, and listens on
TCP port 7100. On modern Linux systems, these vulnerabilities are only
locally exploitable since the server is configured to listen on a UNIX
socket only.

IV. DETECTION

iDefense has confirmed the existence of these vulnerabilities in XFS
version X11R7.2-1.0.4. Previous versions may also be affected.

V. WORKAROUND

On Solaris, stop XFS from listening remotely by disabling it via the
service manager.

VI. VENDOR RESPONSE

The X.Org team has addressed these vulnerabilities with the release of
XFS version 1.0.5. Additionally, a patch for version 1.0.4 has been
made available. For more information, consult the X.Org advisory at the
following URL.

http://lists.freedesktop.org/archives/xorg-announce/2007-October/000416.html

VII. CVE INFORMATION

The Common Vulnerabilities and Exposures (CVE) project has assigned the
name CVE-2007-4568 to this issue. This is a candidate for inclusion in
the CVE list (http://cve.mitre.org/), which standardizes names for
security problems.

VIII. DISCLOSURE TIMELINE

09/05/2007  Initial vendor notification
09/08/2007  Initial vendor response
10/02/2007  Public disclosure

IX. CREDIT

These vulnerabilities were discovered by Sean Larsson of VeriSign
iDefense Labs.

Get paid for vulnerability research
http://labs.idefense.com/methodology/vulnerability/vcp.php

Free tools, research and upcoming events
http://labs.idefense.com/

X. LEGAL NOTICES

Copyright © 2007 iDefense, Inc.

Permission is granted for the redistribution of this alert
electronically. It may not be edited in any way without the express
written consent of iDefense. If you wish to reprint the whole or any
part of this alert in any other medium other than electronically,
please e-mail [EMAIL PROTECTED] for permission.

Disclaimer: The information in the advisory is believed to be accurate
at the time of publishing based on currently available information. Use
of the information constitutes acceptance for use in an AS IS condition.
There are no warranties with regard to this information. Neither the
author nor the publisher accepts any liability for any direct,
indirect, or consequential loss or damage arising from use of, or
reliance on, this information.
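
The two flaws described in section II of the advisory above (a 32-bit size calculation that overflows, and a byte swap driven by an unchecked length), shown as an added C illustration. This is not X.Org's code and not part of the iDefense advisory; the `range` layout, all function names and the sample values are assumptions made for the example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical wire layout for illustration; not taken from the xfs source. */
typedef struct { uint8_t high, low; } char2b;
typedef struct { char2b min, max; } range;          /* 4 bytes, no padding */

/* Flawed pattern: allocation size derived from a client-supplied 32-bit
 * count using 32-bit arithmetic. The product wraps modulo 2^32, so a huge
 * count yields a tiny buffer that later copies would overrun. */
static uint32_t range_bytes_wrapping(uint32_t num_ranges)
{
    return num_ranges * (uint32_t)sizeof(range);
}

/* Hardened size calculation: reject a count whose product would overflow
 * size_t or exceed the payload bytes that actually arrived. */
static int range_bytes_checked(uint32_t num_ranges, size_t payload_len,
                               size_t *out_bytes)
{
    size_t n = num_ranges;

    if (n == 0 || n > SIZE_MAX / sizeof(range))
        return -1;
    size_t need = n * sizeof(range);
    if (need > payload_len)
        return -1;
    *out_bytes = need;
    return 0;
}

/* Copy the ranges out of the request only after the size check passed. */
static range *build_ranges(const uint8_t *payload, size_t payload_len,
                           uint32_t num_ranges)
{
    size_t need;

    if (range_bytes_checked(num_ranges, payload_len, &need) != 0)
        return NULL;
    range *r = malloc(need);
    if (r != NULL)
        memcpy(r, payload, need);
    return r;
}

/* Swap adjacent byte pairs in place. The client-supplied length must be
 * even and must not exceed the buffer that holds the request. */
static int swap_pairs_checked(uint8_t *buf, size_t buf_len, uint32_t nbytes)
{
    if ((nbytes & 1u) != 0 || nbytes > buf_len)
        return -1;
    for (size_t i = 0; i < nbytes; i += 2) {
        uint8_t t = buf[i];
        buf[i] = buf[i + 1];
        buf[i + 1] = t;
    }
    return 0;
}

int main(void)
{
    /* Constructed sample request: 16 payload bytes, i.e. four ranges. */
    uint8_t payload[16] = { 0, 1, 0, 9, 0, 10, 0, 19,
                            0, 20, 0, 29, 0, 30, 0, 39 };
    uint32_t hostile = 0x40000001u;   /* constructed oversized count */
    size_t need = 0;

    printf("wrapping size for count 0x%x: %u bytes\n",
           (unsigned)hostile, (unsigned)range_bytes_wrapping(hostile));
    printf("checked, hostile count: %d\n",
           range_bytes_checked(hostile, sizeof payload, &need));
    printf("checked, count 4: %d (need %zu)\n",
           range_bytes_checked(4, sizeof payload, &need), need);

    range *r = build_ranges(payload, sizeof payload, 4);
    printf("build_ranges(4): %s\n", r ? "ok" : "rejected");
    free(r);

    printf("swap 0x10000 bytes in a 16-byte buffer: %d\n",
           swap_pairs_checked(payload, sizeof payload, 0x10000u));
    printf("swap 16 bytes: %d, first pair now %u %u\n",
           swap_pairs_checked(payload, sizeof payload, 16),
           (unsigned)payload[0], (unsigned)payload[1]);
    return 0;
}
```

Bounding the count by the number of bytes actually received rejects the wrapping case and the oversized swap with the same comparison.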



[Full-disclosure] [SECURITY] [DSA 1380-1] New elinks packages fix information disclosure

2007-10-02 Thread Steve Kemp

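------------------------------------------------------------------------
Debian Security Advisory DSA 1380-1                  [EMAIL PROTECTED]
http://www.debian.org/security/                             Steve Kemp
October 2nd, 2007                  http://www.debian.org/security/faq
------------------------------------------------------------------------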

Package: elinks
Vulnerability  : programming error
Problem type   : remote
Debian-specific: no
CVE Id(s)  : CVE-2007-5034
Debian Bug : 443891

Kalle Olavi Niemitalo discovered that elinks, an advanced text-mode WWW
browser, sent HTTP POST data in cleartext when using an HTTPS proxy server
potentially allowing private information to be disclosed.

For the stable distribution (etch), this problem has been fixed in version
0.11.1-1.2etch1.

For the unstable distribution (sid), this problem has been fixed in version
0.11.1-1.5.

We recommend that you upgrade your elinks package.

Upgrade instructions
--------------------

wget url
        will fetch the file for you
dpkg -i file.deb
        will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given below:

apt-get update
        will update the internal database
apt-get upgrade
        will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.


Debian GNU/Linux 4.0 alias etch
-------------------------------

Stable updates are available for alpha, amd64, arm, hppa, i386, ia64, mips, 
mipsel, powerpc, s390 and sparc.


[Full-disclosure] [SECURITY] [DSA 1379-1] New openssl packages fix arbitrary code execution

2007-10-02 Thread Noah Meyerhans

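------------------------------------------------------------------------
Debian Security Advisory DSA-1379                    [EMAIL PROTECTED]
http://www.debian.org/security/                         Noah Meyerhans
October 02, 2007
------------------------------------------------------------------------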

Package: openssl
Vulnerability  : off-by-one error/buffer overflow
Problem type   : remote
Debian-specific: no
CVE Id(s)  : CVE-2007-5135
Debian Bug : 35

An off-by-one error has been identified in the SSL_get_shared_ciphers()
routine in the libssl library from OpenSSL, an implementation of Secure
Socket Layer cryptographic libraries and utilities.  This error could
allow an attacker to crash an application making use of OpenSSL's libssl
library, or potentially execute arbitrary code in the security context
of the user running such an application.

For the stable distribution (etch), this problem has been fixed in
version 0.9.8c-4etch1.  For the old stable distribution (sarge), this
problem has been fixed in version 0.9.7e-3sarge5.  For the unstable and
testing distributions (sid and lenny, respectively), this problem has
been fixed in version 0.9.8e-9.

We recommend that you upgrade your openssl packages.

Upgrade instructions
--------------------

wget url
        will fetch the file for you
dpkg -i file.deb
        will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given below:

apt-get update
        will update the internal database
apt-get upgrade
        will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.

Debian 3.1 (oldstable)
----------------------

Oldstable updates are available for alpha, amd64, arm, hppa, i386, ia64, m68k, 
mips, mipsel, powerpc, s390 and sparc.


[Full-disclosure] rPSA-2007-0203-1 rmake rmake-proxy rmake-repos

2007-10-02 Thread rPath Update Announcements
rPath Security Advisory: 2007-0203-1
Published: 2007-10-02
Products: rPath Linux 1
Rating: Major
Exposure Level Classification:
Local Root Deterministic Privilege Escalation
Updated Versions:
rmake=/[EMAIL PROTECTED]:devel//1/1.0.11.1-2-0.1
rmake-proxy=/[EMAIL PROTECTED]:devel//1/1.0.11.1-2-0.1
rmake-repos=/[EMAIL PROTECTED]:devel//1/1.0.11.1-2-0.1

rPath Issue Tracking System:
https://issues.rpath.com/browse/RMK-634

Description:
When building packages, rMake creates device files in the change
root environments in which the packages are built.  In previous
versions of rMake, the /dev/zero file had incorrect device number
and ownership, which might allow a user to execute arbitrary code
as the superuser.

Copyright 2007 rPath, Inc.
This file is distributed under the terms of the MIT License.
A copy is available at http://www.rpath.com/permanent/mit-license.html



[Full-disclosure] Java Applets can connect to other hosts using HTTP 302 redirection

2007-10-02 Thread Kanatoko

It seems that the java applet located on the host A is allowed to
connect to the host B using HTTP 302 redirection on the host B.

Is it a normal behaviour?

PoC:
http://www.jumperz.net/exploits/appletTest1.jsp

host A: www.gyosatu.com
host B: www.jumperz.net

In this PoC, the java applet is downloaded from www.gyosatu.com and
connects to www.jumperz.net port .

Use tcpdump port  to see the packets.

-- 
Kanatoko [EMAIL PROTECTED]
Open Source WebAppFirewall
http://guardian.jumperz.net/
