[Full-disclosure] RIPA powers being used

2007-11-20 Thread James Rankin
RIPA is finally being used to force people to hand over encryption keys...

http://news.bbc.co.uk/1/hi/technology/7102180.stm
___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

[Full-disclosure] major security breach in united kingdom

2007-11-20 Thread worried security
This is breaking news on all the UK television stations right now.

Tax Boss Quits After Records Vanish
http://news.sky.com/skynews/article/0,,70131-1293566,00.html

Discs with 15m bank details lost
http://news.bbc.co.uk/1/hi/uk_politics/7103566.stm



Re: [Full-disclosure] Wordpress Cookie Authentication Vulnerability

2007-11-20 Thread XSS Worm XSS Security Information Portal
A remote attacker, with read access to the password database can gain
administrator rights.

This also applies to many other blog software and also every system with a
password database.

-- 
Francesco Vaj [CISSP - GIAC]
Senior Content Manipulation Consultant
mailto:[EMAIL PROTECTED]
aim: XSS Cross Site

XSS Worm: Cross Site Scripting Attacks
Wordpress Blog Password Hash Replay Information Portal (tm) 2007
http://www.XSSworm.com/
--
Vaj, bella vaj.

Re: [Full-disclosure] Wordpress Cookie Authentication Vulnerability

2007-11-20 Thread Steven Murdoch
On Wed, Nov 21, 2007 at 03:48:06AM +1100, XSS Worm XSS Security Information Portal wrote:
> This also applies to many other blog software

In which case they are not storing their passwords properly. 

What makes the Wordpress scheme vulnerable is that you can attack it
*without* brute forcing the password. Also, because there is no salt,
brute forcing is much easier than it need be. 

> and also every system with a password database.

No, it does not apply to systems which use one way hashing correctly,
for example the UNIX password database. This technique has been known
for around 30 years.

The reasoning and history behind these schemes can be found in a paper
by Morris and Thompson, published in 1978:

 http://cm.bell-labs.com/cm/cs/who/dmr/passwd.ps

Steven.

-- 
w: http://www.cl.cam.ac.uk/users/sjm217/



Re: [Full-disclosure] Wordpress Cookie Authentication Vulnerability

2007-11-20 Thread Stefan Esser
Steven J. Murdoch wrote:
> Wordpress Cookie Authentication Vulnerability
>
> Original release date: 2007-11-19
...
> Source: Steven J. Murdoch http://www.cl.cam.ac.uk/users/sjm217/

Could you elaborate why you consider this news? Most public SQL
injection exploits for Wordpress use this cookie trick.

A simple search on milw0rm will reveal that even a Gulftech Wordpress
SQL injection exploit from 2005 uses this method to log in as admin once
it has discovered the hash.

Yours,
Stefan Esser



Re: [Full-disclosure] Wordpress Cookie Authentication Vulnerability

2007-11-20 Thread Steven J. Murdoch
On Tue, Nov 20, 2007 at 07:08:36PM +0100, Stefan Esser wrote:
> Could you elaborate why you consider this news? Most public SQL
> injection exploits for Wordpress use this cookie trick.

I couldn't find it on the Wordpress bug tracker and when I mentioned
it to the Wordpress security address, they did not mention having
heard of it before. I also couldn't find a detailed explanation of the
problem online, nor in the usual vulnerability databases. Blog
administrators, like me, therefore risk sites being compromised
because they didn't realize the problem.

It seemed intuitive to me that restoring the database to a known good
state would be adequate to recover from a Wordpress compromise
(excluding guessable passwords). This is the case with the UNIX
password database and any similarly implemented system. Because of the
vulnerability I mentioned, this is not the case for Wordpress.

So I also thought it important to describe the workarounds, and fixes.
If these were obvious, Wordpress would have already applied them. Some
commenters did not think that the current password scheme needs to be,
or can be improved, despite techniques to do so being industry
standard for decades. Clearly this misconception needs to be
corrected.

I did mention that this was being exploited, so obviously some people
already know about the problem, but not the right ones. Before I sent
the disclosure, there was no effort being put into fixing the problem.
Now there is. Hopefully blog administrators will also apply the
work-arounds in the meantime.

Steven.

-- 
w: http://www.cl.cam.ac.uk/users/sjm217/



[Full-disclosure] Wordpress 0day: Hacking into computers now easier than previously believed - Heise Security

2007-11-20 Thread XSS Worm XSS Security Information Portal
*Wordpress 0day: Hacking into computers now easier than previously believed,
says Heise Security*
http://xssworm.blogvis.com/21/xssworm/wordpress-0day-hacking-into-computers-now-easier-than-previously-believed-says-heise-security/

*A design flaw in the WordPress (http://wordpress.org/) blog
software authentication process makes it easier than previously believed for
attackers to compromise a system. Most content management systems and blogs
save user passwords as hashes in the underlying database. So even if
attackers were to get access to the hashes stored in the database, for
instance by means of an SQL injection hole, they have not been able to do
much with them up to now.*

*Specifically, if they want to recover the passwords, they would have to
compare a hash with entries in a rainbow table – a process that can take
some time and may not work at all for long passwords, for which there simply
are no tables.*

*But according to a security advisory published by Stephen J. Murdoch of
the University of Cambridge, a property in WordPress can be exploited to get
access without the password. Instead of trying to obtain the password,
Murdoch used its hash to generate an authentication cookie to gain access to
the system. A member of the core team behind The Onion Router (TOR)
anonymization project, Murdoch says that the MD5 hash only has to be hashed
a second time with MD5. According to his report, the authentication
procedure implemented in WordPress then looks like:*

* wordpresspass_MD5(url)=MD5(user_pass) *

*Here, the URL is clearly spelled out, and user_pass corresponds to the hash
(MD5(password)). Along with the wordpressuser cookie (that
wordpressuser_MD5(url)=admin), access is then reportedly provided to the
WordPress admin account. Murdoch says he has informed the developers of
WordPress of the problem, but they have yet to react.*

Please Mr Murdoch No more talking to the media about security. or maybe we
create new media now (-;

vaj

-- 
Francesco Vaj [CISSP - GIAC]
CSS Security Researcher
mailto:[EMAIL PROTECTED]
aim: XSS Cross Site
--
XSS Cross Site Scripting Attacks
Media Manipulation and Web 2.0 Insecurity Blog (tm) 2007
http://www.XSSworm.com/
--
Vaj, bella vaj.

Re: [Full-disclosure] Wordpress Cookie Authentication Vulnerability

2007-11-20 Thread Juha-Matti Laurio
This is CVE-2007-6013 since 19th Nov including WordPress ticket #5367:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-6013

- Juha-Matti



Re: [Full-disclosure] Wordpress Cookie Authentication Vulnerability

2007-11-20 Thread Steven Adair
Right this problem has existed for a long time, but it's not the end of
the world for someone to point it out again I suppose.

I think it's obvious that there's another main issue here and that's the
way WordPress handles its cookies in general.  They are not temporary
sessions that expire or are only valid upon successful authentication. 
The cookies work for ever.. or at least until the password changes.  If
someone uses an XSS attack to obtain the cookies or sniffs them (most
blogs are just HTTP) they can essentially permanently authenticate.  The
same result occurs with being able to read the database.

Furthermore, one could in theory conduct a bruteforce attack against the 
WordPress password by just making normal requests to the blog but changing
the cookie that does the double MD5 of the password.  You could in theory
emulate normal continued browsing of the website while sending
MD5(MD5(password)) over and over with each request via the cookie.  Other
than perhaps a large increase in browsing of the blog, this could possibly
go unnoticed as an attack -- as it would not be logged anywhere (in most
instances) that the cookies were being presented.  Once authenticated into
WordPress, the normal blog pages look different, so it would not require
an attacker to access the Admin area to verify.

Anyway, good to see the CVE is already there.  Maybe better session
management will find its way into WordPress.

Steven
http://www.securityzone.org
(..runs on WordPress.. oh noes!)

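The scheme discussed in this thread (stored column MD5(password), cookie MD5 of that column, no expiry) next to the remedies the posters refer to: salted one-way password storage, and session tokens that expire and are bound to a server-side secret. This is an added Python example, not WordPress code and not code from any poster; the function names, the SECRET_KEY value and the token layout are assumptions made for illustration.

```python
import hashlib
import hmac
import os

# --- Scheme described in the thread (CVE-2007-6013) -------------------------

def legacy_store(password: str) -> str:
    """Value kept in the user table: unsalted MD5(password), hex encoded."""
    return hashlib.md5(password.encode()).hexdigest()

def legacy_cookie_from_db(stored_hash: str) -> str:
    """Cookie value is MD5 of the stored column. Nothing outside the database
    goes into it, so the column itself is a password equivalent."""
    return hashlib.md5(stored_hash.encode()).hexdigest()

def legacy_check(cookie: str, stored_hash: str) -> bool:
    """Accepts the cookie for as long as the password is unchanged."""
    return hmac.compare_digest(cookie.encode(),
                               legacy_cookie_from_db(stored_hash).encode())

# --- Hardened sketch (illustrative names, not a WordPress API) --------------

SECRET_KEY = os.urandom(32)   # assumption: kept in server config, never in the DB
PBKDF2_ROUNDS = 100_000

def store_password(password: str, salt: bytes = None):
    """Salted, slow, one-way storage: returns (salt, derived_key)."""
    salt = salt or os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return salt, dk

def verify_password(password: str, salt: bytes, dk: bytes) -> bool:
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt,
                                    PBKDF2_ROUNDS)
    return hmac.compare_digest(candidate, dk)

def _tag(payload: str, key: bytes) -> str:
    return hmac.new(key, payload.encode(), hashlib.sha256).hexdigest()

def issue_session(user, password, salt, dk, now, ttl=3600, key=SECRET_KEY):
    """Token is issued only after a successful login and carries its expiry."""
    if not verify_password(password, salt, dk):
        return None
    payload = f"{user}|{int(now) + ttl}"
    return f"{payload}|{_tag(payload, key)}"

def check_session(token, now, key=SECRET_KEY):
    """Return the user name for a valid, unexpired token, else None."""
    try:
        user, expires, tag = token.rsplit("|", 2)
        expires_at = int(expires)
    except ValueError:
        return None
    expected = _tag(f"{user}|{expires}", key)
    if not hmac.compare_digest(tag.encode(), expected.encode()):
        return None          # not produced with the server's key
    if now >= expires_at:
        return None          # expired, unlike the legacy cookie
    return user
```

Rotating SECRET_KEY invalidates every outstanding token, which is the recovery step that restoring the database alone does not give under the legacy scheme.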


[Full-disclosure] [ GLSA 200711-29 ] Samba: Execution of arbitrary code

2007-11-20 Thread Pierre-Yves Rofes

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory   GLSA 200711-29
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

  Severity: High
     Title: Samba: Execution of arbitrary code
      Date: November 20, 2007
      Bugs: #197519
        ID: 200711-29

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis


Samba contains two buffer overflow vulnerabilities potentially
resulting in the execution of arbitrary code, one of which is currently
unfixed.

Background
==

Samba is a suite of SMB and CIFS client/server programs for UNIX.

Affected packages
=

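    -------------------------------------------------------------------
     Package       /   Vulnerable   /                       Unaffected
    -------------------------------------------------------------------
  1  net-fs/samba      < 3.0.26a-r2                      >= 3.0.26a-r2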

Description
===

Two vulnerabilities have been reported in nmbd. Alin Rad Pop (Secunia
Research) discovered a boundary checking error in the
reply_netbios_packet() function which could lead to a stack-based
buffer overflow (CVE-2007-5398). The Samba developers discovered a
boundary error when processing GETDC logon requests also leading to a
buffer overflow (CVE-2007-4572).

Impact
==

To exploit the first vulnerability a remote unauthenticated attacker
could send specially crafted WINS Name Registration requests followed
by a WINS Name Query request. This might lead to execution of
arbitrary code with elevated privileges. Note that this vulnerability
is exploitable only when WINS server support is enabled in Samba. The
second vulnerability could be exploited by sending specially crafted
GETDC mailslot requests, but requires Samba to be configured as a
Primary or Backup Domain Controller. It is not believed to be
exploitable to execute arbitrary code.

Workaround
==

To work around the first vulnerability, disable WINS support in Samba
by setting wins support = no in the global section of your smb.conf
and restart Samba.

Resolution
==

The Samba 3.0.27 ebuild that resolves both vulnerabilities is currently
masked due to a regression in the patch for the second vulnerability.

Since no working patch exists yet, all Samba users should upgrade to
3.0.26a-r2, which contains a fix for the first vulnerability
(CVE-2007-5398):

# emerge --sync
# emerge --ask --oneshot --verbose =net-fs/samba-3.0.26a-r2

An update to this temporary GLSA will be sent when the second
vulnerability is fixed.

References
==

  [ 1 ] CVE-2007-4572
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-4572
  [ 2 ] CVE-2007-5398
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-5398

Availability


This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

  http://security.gentoo.org/glsa/glsa-200711-29.xml

Concerns?
=

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users machines is of utmost
importance to us. Any security concerns should be addressed to
[EMAIL PROTECTED] or alternatively, you may file a bug at
http://bugs.gentoo.org.

License
===

Copyright 2007 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

http://creativecommons.org/licenses/by-sa/2.5


[Full-disclosure] [ GLSA 200711-30 ] PCRE: Multiple vulnerabilities

2007-11-20 Thread Pierre-Yves Rofes

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory   GLSA 200711-30
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

  Severity: Normal
     Title: PCRE: Multiple vulnerabilities
      Date: November 20, 2007
      Bugs: #198198
        ID: 200711-30

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis


PCRE is vulnerable to multiple buffer overflow and memory corruption
vulnerabilities, possibly leading to the execution of arbitrary code.

Background
==

PCRE is a library providing functions for Perl-compatible regular
expressions.

Affected packages
=

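    -------------------------------------------------------------------
     Package           /   Vulnerable   /                   Unaffected
    -------------------------------------------------------------------
  1  dev-libs/libpcre      < 7.3-r1                          >= 7.3-r1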

Description
===

Tavis Ormandy (Google Security) discovered multiple vulnerabilities in
PCRE. He reported an error when processing \Q\E sequences with
unmatched \E codes that can lead to the compiled bytecode being
corrupted (CVE-2007-1659). PCRE does not properly calculate sizes for
unspecified multiple forms of character class, which triggers a
buffer overflow (CVE-2007-1660). Further improper calculations of
memory boundaries were reported when matching certain input bytes
against regex patterns in non UTF-8 mode (CVE-2007-1661) and when
searching for unmatched brackets or parentheses (CVE-2007-1662).
Multiple integer overflows when processing escape sequences may lead to
invalid memory read operations or potentially cause heap-based buffer
overflows (CVE-2007-4766). PCRE does not properly handle \P and
\P{x} sequences which can lead to heap-based buffer overflows or
trigger the execution of infinite loops (CVE-2007-4767). PCRE is also
prone to an error when optimizing character classes containing a
singleton UTF-8 sequence which might lead to a heap-based buffer
overflow (CVE-2007-4768).

Chris Evans also reported multiple integer overflow vulnerabilities in
PCRE when processing a large number of named subpatterns (name_count)
or long subpattern names (max_name_size) (CVE-2006-7227), and via
large min, max, or duplength values (CVE-2006-7228) both possibly
leading to buffer overflows. Another vulnerability was reported when
compiling patterns where the -x or -i UTF-8 options change within
the pattern, which might lead to improper memory calculations
(CVE-2006-7230).

Impact
==

An attacker could exploit these vulnerabilities by sending specially
crafted regular expressions to applications making use of the PCRE
library, which could possibly lead to the execution of arbitrary code,
a Denial of Service or the disclosure of sensitive information.

Workaround
==

There is no known workaround at this time.

Resolution
==

All PCRE users should upgrade to the latest version:

# emerge --sync
# emerge --ask --oneshot --verbose =dev-libs/libpcre-7.3-r1

References
==

  [ 1 ] CVE-2006-7227
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-7227
  [ 2 ] CVE-2006-7228
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-7228
  [ 3 ] CVE-2006-7230
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-7230
  [ 4 ] CVE-2007-1659
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-1659
  [ 5 ] CVE-2007-1660
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-1660
  [ 6 ] CVE-2007-1661
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-1661
  [ 7 ] CVE-2007-1662
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-1662
  [ 8 ] CVE-2007-4766
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-4766
  [ 9 ] CVE-2007-4767
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-4767
  [ 10 ] CVE-2007-4768
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-4768

Availability


This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

  http://security.gentoo.org/glsa/glsa-200711-30.xml


Re: [Full-disclosure] Wordpress Cookie Authentication Vulnerability

2007-11-20 Thread James Matthews
Wordpress never knew how to deal with cookies!

-- 
http://search.goldwatches.com/
http://www.jewelerslounge.com

[Full-disclosure] [ GLSA 200711-31 ] Net-SNMP: Denial of Service

2007-11-20 Thread Pierre-Yves Rofes

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory   GLSA 200711-31
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

  Severity: Normal
     Title: Net-SNMP: Denial of Service
      Date: November 20, 2007
      Bugs: #198346
        ID: 200711-31

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis


A Denial of Service vulnerability has been discovered in Net-SNMP when
processing GETBULK requests.

Background
==

Net-SNMP is a collection of tools for generating and retrieving SNMP
data.

Affected packages
=

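    -------------------------------------------------------------------
     Package                /   Vulnerable   /              Unaffected
    -------------------------------------------------------------------
  1  net-analyzer/net-snmp      < 5.4.1-r1                 >= 5.4.1-r1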

Description
===

The SNMP agent (snmpd) does not properly handle GETBULK requests with
an overly large max-repetitions field.

Impact
==

A remote unauthenticated attacker could send a specially crafted SNMP
request to the vulnerable application, possibly resulting in high CPU
and memory consumption.

Workaround
==

There is no known workaround at this time.

Resolution
==

All Net-SNMP users should upgrade to the latest version:

# emerge --sync
# emerge --ask --oneshot --verbose =net-analyzer/net-snmp-5.4.1-r1

References
==

  [ 1 ] CVE-2007-5846
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-5846

Availability


This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

  http://security.gentoo.org/glsa/glsa-200711-31.xml



[Full-disclosure] [ GLSA 200711-32 ] Feynmf: Insecure temporary file creation

2007-11-20 Thread Pierre-Yves Rofes

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory   GLSA 200711-32
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

  Severity: Normal
     Title: Feynmf: Insecure temporary file creation
      Date: November 20, 2007
      Bugs: #198231
        ID: 200711-32

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis


A vulnerability has been discovered in Feynmf allowing local users to
overwrite arbitrary files via a symlink attack.

Background
==

Feynmf is a combined LaTeX and Metafont package for easy drawing of
professional quality Feynman (and maybe other) diagrams.

Affected packages
=

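    -------------------------------------------------------------------
     Package         /   Vulnerable   /                     Unaffected
    -------------------------------------------------------------------
  1  dev-tex/feynmf      < 1.08-r2                          >= 1.08-r2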

Description
===

Kevin B. McCarty discovered that the feynmf.pl script creates a
temporary properly list file at the location $TMPDIR/feynmf$PID.pl,
where $PID is the process ID.

Impact
==

A local attacker could create symbolic links in the directory where the
temporary files are written, pointing to a valid file somewhere on the
filesystem that is writable by the user running Feynmf. When Feynmf
writes the temporary file, the target valid file would then be
overwritten with the contents of the Feynmf temporary file.

Workaround
==

There is no known workaround at this time.

Resolution
==

All Feynmf users should upgrade to the latest version:

# emerge --sync
# emerge --ask --oneshot --verbose =dev-tex/feynmf-1.08-r2

References
==

  [ 1 ] CVE-2007-5940
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-5940

Availability


This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

  http://security.gentoo.org/glsa/glsa-200711-32.xml


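The Impact section of the advisory above describes a temporary file with a predictable name ($TMPDIR/feynmf$PID.pl) being written where another local user may already have placed a symbolic link. As an added illustration (Python, not feynmf's own Perl code and not part of the GLSA), the code below puts that pattern beside exclusive creation and mkstemp; the scratch directory and the file name notes.txt are constructed for the demo.

```python
import os
import tempfile

def predictable_path(tmpdir: str) -> str:
    # Name pattern from the advisory: $TMPDIR/feynmf$PID.pl
    return os.path.join(tmpdir, f"feynmf{os.getpid()}.pl")

def write_predictable(tmpdir: str, data: bytes) -> str:
    """Vulnerable pattern: a plain open() follows a symlink already sitting
    at the predictable name and truncates whatever it points to."""
    path = predictable_path(tmpdir)
    with open(path, "wb") as fh:
        fh.write(data)
    return path

def write_exclusive(tmpdir: str, data: bytes) -> str:
    """Same name, atomic creation: O_CREAT|O_EXCL fails with EEXIST if a
    file or symlink (even a dangling one) already exists at the path."""
    fd = os.open(predictable_path(tmpdir),
                 os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "wb") as fh:
        fh.write(data)
    return predictable_path(tmpdir)

def write_mkstemp(tmpdir: str, data: bytes) -> str:
    """Preferred: mkstemp chooses an unpredictable name and creates the
    file with O_CREAT|O_EXCL and mode 0600."""
    fd, path = tempfile.mkstemp(prefix="feynmf", suffix=".pl", dir=tmpdir)
    with os.fdopen(fd, "wb") as fh:
        fh.write(data)
    return path

def demo() -> dict:
    """Constructed scenario inside a private scratch directory."""
    out = {}
    with tempfile.TemporaryDirectory() as scratch:
        victim = os.path.join(scratch, "notes.txt")   # constructed name
        with open(victim, "w") as fh:
            fh.write("important")
        os.symlink(victim, predictable_path(scratch))  # link already in place
        try:
            write_exclusive(scratch, b"temp data")
            out["exclusive"] = "written"
        except FileExistsError:
            out["exclusive"] = "refused"
        safe = write_mkstemp(scratch, b"temp data")
        out["mkstemp_name_differs"] = safe != predictable_path(scratch)
        with open(victim) as fh:
            out["victim_after_safe"] = fh.read()
        write_predictable(scratch, b"temp data")
        with open(victim) as fh:
            out["victim_after_predictable"] = fh.read()
    return out
```

Calling demo() shows the linked file surviving both safe variants and being overwritten only by the predictable-name write.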

[Full-disclosure] Websense security contact?

2007-11-20 Thread The Security Community
Thanks in advance.



Re: [Full-disclosure] Websense security contact?

2007-11-20 Thread Ronald MacDonald
wtf

On 20/11/2007, The Security Community [EMAIL PROTECTED]
wrote:

 Thanks in advance.





-- 
Ronald MacDonald
http://www.rmacd.com/
0777 235 1655

Re: [Full-disclosure] Websense security contact?

2007-11-20 Thread Juha-Matti Laurio
According to OSVDB Vendor Dictionary it's

secure at websense.com

http://osvdb.org/vendor_dict.php?section=vendorid=1498c=W
 
- Juha-Matti

The Security Community [EMAIL PROTECTED] wrote:
 Thanks in advance.




[Full-disclosure] [ MDKSA-2007:229 ] - Updated phpMyAdmin packages fix multiple vulnerabilities

2007-11-20 Thread security

 ___
 
 Mandriva Linux Security Advisory MDKSA-2007:229
 http://www.mandriva.com/security/
 ___
 
 Package : phpMyAdmin
 Date: November 20, 2007
 Affected: Corporate 4.0
 ___
 
 Problem Description:
 
 A few vulnerabilities and security-related issues have been fixed in
 phpMyAdmin since the 2.11.1.2 release.  This update provides version
 2.11.2.2 which is the latest stable release of phpMyAdmin.
 
 No configuration changes should be required since the previous update
 (version 2.11.1.2).  If upgrading from older versions, it may be
 necessary to reconfigure phpMyAdmin.  The configuration file is
 located in /etc/phpMyAdmin/.  In most cases, it should be sufficient
 to simply replace config.default.php with config.default.php.rpmnew
 and make whatever modifications are necessary.
 ___

 References:
 
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-5976
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-5977
 ___
 
 Updated Packages:
 
 ___

 To upgrade automatically use MandrivaUpdate or urpmi.  The verification
 of md5 checksums and GPG signatures is performed automatically for you.

 All packages are signed by Mandriva for security.  You can obtain the
 GPG public key of the Mandriva Security Team by executing:

  gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98

 You can view other update advisories for Mandriva Linux at:

  http://www.mandriva.com/security/advisories

 If you want to report vulnerabilities, please contact

  security_(at)_mandriva.com
 ___

 Type Bits/KeyID Date   User ID
 pub  1024D/22458A98 2000-07-10 Mandriva Security Team
  security*mandriva.com


Re: [Full-disclosure] Wordpress Cookie Authentication Vulnerability

2007-11-20 Thread Eduardo Tongson
Hello folks,

I wonder why we don't see web applications use secure cookie recipes
like [1] and [2]. There are also existing secure password hashing
frameworks such as Solar's [3]. Are developers just unaware of these
secure schemes?

Amusingly, a proprietary web application I audited used static tokens.
Even if you change your password, cookies are still valid. Even
passwords are stored as raw MD5 hashes on the database. I think
programmers should be taught secure practices from the start.

[1] http://cookies.lcs.mit.edu/pubs/webauth:tr.pdf
[2] http://www.cse.msu.edu/~alexliu/publications/Cookie/cookie.pdf
[3] http://www.openwall.com/phpass/

Eduardo Tongson  NCCS

On 11/21/07, James Matthews [EMAIL PROTECTED] wrote:
 Wordpress never knew how to deal with cookies!


 On Nov 20, 2007 9:23 PM, Steven Adair [EMAIL PROTECTED] wrote:
  Right this problem has existed for a long time, but it's not the end of
  the world for someone to point it out again I suppose.
 
  I think it's obvious that there's another main issue here and that's the
  way WordPress handles its cookies in general.  They are not temporary
  sessions that expire or are only valid upon successful authentication.
  The cookies work for ever.. or at least until the password changes.  If
  someone uses an XSS attack to obtain the cookies or sniffs them (most
  blogs are just HTTP) they can essentially permanently authenticate.  The
  same result occurs with being able to read the database.
 
  Furthermore, one could in theory conduct a bruteforce attack against the
  WordPress password by just making normal requests to the blog but changing
  the cookies that does the double MD5 of the password.  You could in theory
  emulate normal continued browsing of the website while sending
  MD5(MD5(password)) over and over with each request via the cookie.  Other
  than perhaps a large increase in browsing of the blog, this could possibly
  go unnoticed as an attack -- as it would not be logged anywhere (in most
  instances) that the cookies were being presented.  Once authenticated into
  WordPress, the normal blog pages look different, so it would not require
  an attacker to access the Admin area to verify.
 
  Anyway, good to see the CVE is already there.  Maybe better session
  management will find its way into WordPress.
 
  Steven
  http://www.securityzone.org
  (..runs on WordPress.. oh noes!)
 
 
 
 
   This is CVE-2007-6013 since 19th Nov including WordPress ticket #5367:
  
  
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-6013
  
   - Juha-Matti
  
   Steven J. Murdoch
 [EMAIL PROTECTED] wrote:
  
  On Tue, Nov 20, 2007 at 07:08:36PM +0100, Stefan Esser wrote:
  Could you elaborate why you consider this news? Most public SQL
  injection exploits for Wordpress use this cookie trick.
  
  I couldn't find it on the Wordpress bug tracker and when I mentioned
  it to the Wordpress security address, they did not mention having
  heard of it before. I also couldn't find a detailed explanation of the
  problem online, nor in the usual vulnerability databases. Blog
  administrators, like me, therefore risk sites being compromised
  because they didn't realize the problem.
  
  It seemed intuitive to me that restoring the database to a known good
  state would be adequate to recover from a Wordpress compromise
  (excluding guessable passwords). This is the case with the UNIX
  password database and any similarly implemented system. Because of the
  vulnerability I mentioned, this is not the case for Wordpress.
  
  So I also thought it important to describe the workarounds, and fixes.
  If these were obvious, Wordpress would have already applied them. Some
  commenters did not think that the current password scheme needs to be,
  or can be improved, despite techniques to do so being industry
  standard for decades. Clearly this misconception needs to be
  corrected.
  
  I did mention that this was being exploited, so obviously some people
  already know about the problem, but not the right ones. Before I sent
  the disclosure, there was no effort being put into fixing the problem.
  Now there is. Hopefully blog administrators will also apply the
  work-arounds in the meantime.
  
  Steven.
  
  --
  w: http://www.cl.cam.ac.uk/users/sjm217/
  
  
 
 
 



 --
 http://search.goldwatches.com/
  http://www.jewelerslounge.com

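The message above sets the cookie described in the quoted text, MD5(MD5(password)) valid until the password changes, against the keyed cookie recipes cited in [1] and [2]. As an added example (not code from WordPress, from the cited papers, or from any poster), the Python below shows why the first is derivable from a database read and how a keyed, expiring cookie avoids that. It assumes the database stores a single MD5 of the password; the function names and the user|expiry|tag layout are hypothetical.

```python
import hashlib
import hmac

def md5_hex(s: str) -> str:
    return hashlib.md5(s.encode()).hexdigest()

# Scheme discussed in the thread. Assumption: the database holds
# MD5(password) and the cookie holds MD5(MD5(password)), so the cookie is a
# pure function of the stored hash and stays valid until the password changes.
def legacy_db_hash(password: str) -> str:
    return md5_hex(password)

def legacy_cookie(password: str) -> str:
    return md5_hex(md5_hex(password))

def legacy_cookie_from_db(db_hash: str) -> str:
    return md5_hex(db_hash)          # no password guessing needed

# Alternative: user and expiry authenticated with HMAC under a server key
# that is kept out of the database (hypothetical helper names).
def _tag(server_key: bytes, payload: str) -> str:
    return hmac.new(server_key, payload.encode(), hashlib.sha256).hexdigest()

def issue_cookie(server_key: bytes, user: str, ttl: int, now: int) -> str:
    if "|" in user:
        raise ValueError("separator not allowed in user name")
    payload = f"{user}|{now + ttl}"
    return f"{payload}|{_tag(server_key, payload)}"

def verify_cookie(server_key: bytes, cookie: str, now: int):
    """Return the user name, or None if the cookie is forged or expired."""
    try:
        user, expires, tag = cookie.split("|")
        expires_at = int(expires)
    except ValueError:
        return None
    expected = _tag(server_key, f"{user}|{expires}")
    # Compare as bytes so a non-ASCII tag is rejected instead of raising.
    if not hmac.compare_digest(tag.encode(), expected.encode()):
        return None
    if now >= expires_at:
        return None
    return user
```

Expiry bounds how long a captured cookie works; revoking one before it expires still needs server-side state, which this example does not include.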
Re: [Full-disclosure] Wordpress Cookie Authentication Vulnerability

2007-11-20 Thread Valdis . Kletnieks
On Wed, 21 Nov 2007 07:51:30 +0800, Eduardo Tongson said:

 I wonder why we don't see web applications use secure cookie recipes
 like [1] and [2]. There are also existing secure password hashing
 frameworks such as Solar's [3]. Are developers just unaware of these
 secure schemes?

Browse the worsethanfailure.com website for a while, and you'll convince
yourself that the average developer thinks that booleans are trinary-state. ;)







Re: [Full-disclosure] Wordpress Cookie Authentication Vulnerability

2007-11-20 Thread Paul Schmehl
--On November 20, 2007 7:21:29 PM -0500 [EMAIL PROTECTED] wrote:

 On Wed, 21 Nov 2007 07:51:30 +0800, Eduardo Tongson said:

 I wonder why we don't see web applications use secure cookie recipes
 like [1] and [2]. There are also existing secure password hashing
 frameworks such as Solar's [3]. Are developers just unaware of these
 secure schemes?

 Browse the worsethanfailure.com website for a while, and you'll convince
 yourself that the average developer thinks that booleans are
 trinary-state. ;)

They're not???)(*)(*@)(*(*#)(*$

:-D

Paul Schmehl ([EMAIL PROTECTED])
Senior Information Security Analyst
The University of Texas at Dallas
http://www.utdallas.edu/ir/security/



[Full-disclosure] [ MDKSA-2007:230 ] - Updated tetex packages fix vulnerabilities

2007-11-20 Thread security

 ___
 
 Mandriva Linux Security Advisory MDKSA-2007:230
 http://www.mandriva.com/security/
 ___
 
 Package : tetex
 Date: November 20, 2007
 Affected: 2007.0, 2007.1, 2008.0, Corporate 4.0
 ___
 
 Problem Description:
 
 A flaw in the t1lib library where an attacker could create a malicious
 file that would cause tetex to crash or possibly execute arbitrary
 code when opened (CVE-2007-4033).
 
 Alin Rad Pop found several flaws in how PDF files are handled in tetex.
 An attacker could create a malicious PDF file that would cause tetex to
 crash or potentially execute arbitrary code when opened (CVE-2007-4352,
 CVE-2007-5392, CVE-2007-5393).
 
 A stack-based buffer overflow in dvips in tetex allows for
 user-assisted attackers to execute arbitrary code via a DVI file with
 a long href tag (CVE-2007-5935).
 
 A vulnerability in dvips in tetex allows local users to obtain
 sensitive information and modify certain data by creating certain
 temporary files before they are processed by dviljk, which can then
 be read or modified in place (CVE-2007-5936).
 
 Multiple buffer overflows in dviljk in tetex may allow user-assisted
 attackers to execute arbitrary code via a crafted DVI input file
 (CVE-2007-5937).
 
 The updated packages have been patched to correct this issue.
 ___

 References:
 
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-4033
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-4352
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-5392
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-5393
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-5935
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-5936
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-5937
 ___
 
 Updated Packages:
 