Re: [Full-disclosure] Web Application Security Awareness Day

2008-04-16 Thread Michael Simpson
On 4/16/08, n3td3v [EMAIL PROTECTED] wrote:
 On Tue, Apr 15, 2008 at 7:24 PM, Jeff Stebelton
 [EMAIL PROTECTED] wrote:
  On Tue, Apr 15, 2008 at 12:32 PM, n3td3v [EMAIL PROTECTED] wrote:

   Why May 1st 2008? Because web applications are closely related to
   e-commerce and May Day is a common day for peaceful anti-capitalism
   protests, so it makes sense to be on this day.

   I almost missed this little jewel, having the inestimable Mr. n3td3v
   in my junk list (anyone else think it odd he always refers to himself in
   the third party?)
 
   I want to see if I can follow the logic here. May 1st is a common day
   for ANTI-capitalism protests. Web applications are tied to e-commerce.
   Therefore, the day you *protest* commerce is the perfect day to hold a
   contest that conceivably you wish to help make commerce more *secure*?
   These threads never fail to provide some comic relief just when I need it.

 i was just trying to bring awareness to web application security, not
 have a protest against capitalism, and like you say posting
 vulnerabilities in web applications is pro capitalism, so i don't see
 where the problem is. having it on may the 1st is just more shock and
 awe and is more likely to get attention towards web application
 security. there is no protest, there is web application security
 awareness day, it just makes it more interesting being on may day. if

/schhhnip

think i will print this off and use it when explaining pressure of
speech to my students

http://en.wikipedia.org/wiki/Pressure_of_speech

cocaine induced mania

mike

___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


[Full-disclosure] Oracle - SQL Injection in package SDO_GEOM [DB06]

2008-04-16 Thread Alexander Kornbrust
Oracle - SQL Injection in package SDO_GEOM [DB06]

Systems Affected   9i Rel. 1 - 10g Rel. 2
Severity   High Risk
Category   SQL Injection
Vendor URL http://www.oracle.com/
Author Alexander Kornbrust
Advisory   16 April 2008 (V 1.00)
Advisory URL   http://www.red-database-security.com/advisory/oracle_sql_injection_sdo_geom.html
Details
The package SDO_GEOM is vulnerable against SQL injection.


Patch Information
Apply the patches for Oracle CPU April 2008.


History
6-jun-2007 Oracle secalert was informed
15-apr-2008 Oracle published CPU April 2008 [DB06]
16-apr-2008 Advisory published


© 2008 by Red-Database-Security GmbH
http://www.red-database-security.com



[Full-disclosure] Oracle - SQL Injection in package SDO_UTIL [DB05]

2008-04-16 Thread Alexander Kornbrust
Oracle - SQL Injection in package SDO_UTIL [DB05]

Systems Affected   10g Rel. 1, 10g Rel. 2
Severity   High Risk
Category   SQL Injection
Vendor URL http://www.oracle.com/
Author Alexander Kornbrust
Advisory   16 April 2008 (V 1.00)
Advisory URL   http://www.red-database-security.com/advisory/oracle_sql_injection_sdo_util.html

Details
The package SDO_UTIL is vulnerable against SQL injection.


Patch Information
Apply the patches for Oracle CPU April 2008.


History
6-jun-2007 Oracle secalert was informed
15-apr-2008 Oracle published CPU April 2008 [DB05]
16-apr-2008 Advisory published


© 2008 by Red-Database-Security GmbH
http://www.red-database-security.com




[Full-disclosure] Oracle - Hardcoded Password and Password Reset of OUTLN User [DB13]

2008-04-16 Thread Alexander Kornbrust
Oracle - Hardcoded Password and Password Reset of OUTLN User [DB13]

Systems Affected   9i Rel. 1 - 10g Rel. 2
Severity   High Risk
Category   Hardcoded Default Password and Password Reset
Vendor URL http://www.oracle.com/
Author Alexander Kornbrust
Advisory   16 April 2008 (V 1.00)
Advisory URL   http://www.red-database-security.com/advisory/oracle_outln_password_change.html



Details
During the creation of a materialized view the package  
DBMS_STATS_INTERNAL is called and resets the password of the user  
OUTLN to OUTLN and grants DBA privileges to this user.

[...]
GRANT_DBA_OUTLN:= 'grant dba to outln identified by outln';
[...]
GRANT_DBA_OUTLN:= 'grant on commit refresh to outln identified by  
outln';
[...]

Many people are not aware that the GRANT command (GRANT CONNECT TO
SYS IDENTIFIED BY FD2008) can be used to change passwords in Oracle
instead of using the ALTER USER command. It's a bad idea to
hardcode passwords and it took only 1 year to fix this issue.

In most Oracle default installations the account OUTLN is locked but
some security guidelines (e.g. Oracle Practical Security from
Syngress) recommend to unlock the account OUTLN and set an invalid
password (to avoid the error message ORA-28000 account is locked).
Following this advice and setting an invalid password opens a
default user with default password and DBA privileges in the Oracle
database (OUTLN/OUTLN) as soon as a materialized view is created.

I found this vulnerability during the search for backdoors in Oracle
databases for the Oracle malware report of our vulnerability scanner
Repscan. I was looking for strings like 'grant dba to' and found
that dbms_stats_internal is executing these commands in an internal
package. In Oracle 9i you can find these strings using the grep
command in $ORACLE_HOME/rdbms/admin because string literals are not
encrypted in wrapped PL/SQL 9i code.
BTW: During this research I also found 3 Oracle procedures modifying
the Oracle Audit-Table (Insert/Update/Delete rows from SYS.AUD$). I
think procedures modifying the Audit-Log (especially delete and
update) are a bad coding practice.
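The following audit queries are an added example and are not part of the Red-Database-Security advisory. They are meant to be run as SYSDBA on an Oracle instance to check whether OUTLN is in the exposed state described above (account open, password reset to the default, DBA role granted) and to lock the account down until the CPU is applied. The dictionary views used (DBA_USERS, DBA_ROLE_PRIVS, DBA_TAB_PRIVS, DBA_OBJECTS) and the SYS.USER$.PTIME column are standard; the correlation between PTIME and materialized view creation times is this example's own heuristic, not something the advisory states.

```sql
-- Added example, not code from the advisory. Run as SYSDBA.

-- 1. Account state: on a default installation OUTLN is expected to be LOCKED.
SELECT username, account_status, lock_date, expiry_date, created
FROM   dba_users
WHERE  username = 'OUTLN';

-- 2. Last password change. PTIME records the last password change, so a
--    value that lines up with the creation time of a materialized view is
--    the indicator that the reset in DBMS_STATS_INTERNAL has fired
--    (heuristic of this example; DBA_MVIEWS carries no timestamp, so the
--    creation time is taken from DBA_OBJECTS).
SELECT name, ptime AS last_password_change
FROM   sys.user$
WHERE  name = 'OUTLN';

SELECT owner, object_name, created
FROM   dba_objects
WHERE  object_type = 'MATERIALIZED VIEW'
ORDER  BY created DESC;

-- 3. Role grants: the hardcoded string is 'grant dba to outln ...', so any
--    DBA role on OUTLN is the thing to look for.
SELECT grantee, granted_role, admin_option
FROM   dba_role_privs
WHERE  grantee = 'OUTLN';

-- 4. Who can execute the package that performs the reset.
SELECT grantee, privilege
FROM   dba_tab_privs
WHERE  owner = 'SYS'
AND    table_name = 'DBMS_STATS_INTERNAL';

-- 5. Remediation until the April 2008 CPU is applied: lock and expire the
--    account rather than only setting an unknown password, because the
--    reset puts the password back to the default, while an account lock is
--    separate state that a password change does not clear. The REVOKE
--    fails with ORA-01951 if the role is not currently granted, which is
--    the desired state.
ALTER USER outln ACCOUNT LOCK PASSWORD EXPIRE;
REVOKE dba FROM outln;
```

Re-run steps 2 and 3 after any materialized view is created on an unpatched instance; the grant is re-issued on each creation, so a one-time revoke is only a stop-gap.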


Patch Information
Apply the patches for Oracle CPU April 2008.


History
4-apr-2007 Oracle secalert was informed
15-apr-2008 Oracle published CPU April 2008 [DB13]
16-apr-2008 Advisory published



© 2008 by Red-Database-Security GmbH
http://www.red-database-security.com





[Full-disclosure] Oracle - SQL Injection in package SDO_IDX [DB07]

2008-04-16 Thread Alexander Kornbrust
Oracle - SQL Injection in package SDO_IDX [DB07]

Systems Affected   9i Rel. 1 - 11g Rel. 1
Severity   High Risk
Category   SQL Injection
Vendor URL http://www.oracle.com/
Author Alexander Kornbrust
Advisory   16 April 2008 (V 1.00)
Advisory URL   http://www.red-database-security.com/advisory/oracle_sql_injection_sdo_idx.html

Details
The package SDO_IDX is vulnerable against SQL injection.


Patch Information
Apply the patches for Oracle CPU April 2008.


History
6-jun-2007 Oracle secalert was informed
15-apr-2008 Oracle published CPU April 2008 [DB07]
16-apr-2008 Advisory published


© 2008 by Red-Database-Security GmbH
http://www.red-database-security.com



[Full-disclosure] Vulnerability Release: CKFD001-CHATX

2008-04-16 Thread Chat Krew
___   ___ _ ____  ___
   (   \|\ /|(  ___  )\__   __/| \/\(   )(   \|\ /|
   | (\/| )   ( || (   ) |   ) (   |  \  / /| ()|| (\/| )   ( |
   | |  | (___) || (___) |   | |   |  (_/ / | ()|| (__| | _ | |
   | |  |  ___  ||  ___  |   | |   |   _ (  | __)|  __)   | |( )| |
   | |  | (   ) || (   ) |   | |   |  ( \ \ | (\ (   | (  | || || |
   | (/\| )   ( || )   ( |   | |   |  /  \ \| ) \ \__| (/\| () () |
   (___/|/ \||/ \|   )_(   |_/\/|/   \__/(___/(___)

_  _  _
/) // //  /  ///
   // . . // //__/ o _   _. // __ _   . . __  ___  _  _. __ __  __/ _
  //_(_/_/_/_   (_/__/_)_(__/_(_)/_)_(_/_/ (_/_  / (_/_(__(_)/ (_(_/_/_)_
 /
/


   --[ Chat Krew / Full-Disclosure Records Presents Catalog Release 001 ]--

NOTES:

  Hello All! This is our first release. We hope you enjoy it.  Expect more
  great releases this month!

RELEASE: CKFD001-CHATX

ARTIST: ChatX

TITLE: My Name is Gadi Evron

FILENAME: ckfd001-chatx-my_name_is_gadi_evron.mp3

DOWNLOAD: 
http://rapidshare.com/files/107868234/ckfd001-chatx-my_name_is_gadi_evron.mp3.html

ABOUT:

  CKFDR is a label for full-disclosure releases. The catalog has mp3 renders
  for easy listening. Except where otherwise noted, CKFDR digital record
  releases are licensed under a Creative Commons Attribution-Noncommercial 3.0
  License

  CKFDR is run by chat bosses, all with access to the hard chat ircs. It's a
  low level chaos chat system that adheres to strict standards to keep the
  label chatting hard.



[Full-disclosure] [INFIGO-2008-04-08]: ICQ 6 remote buffer overflow vulnerability

2008-04-16 Thread infocus
 

INFIGO IS Security Advisory #ADV-2008-04-08
 http://www.infigo.hr/en/



Title: ICQ 6 remote buffer overflow vulnerability
Advisory ID: INFIGO-2008-04-08
Date: 2008-04-14
Advisory URL: http://www.infigo.hr/en/in_focus/advisories/INFIGO-2008-04-08
Impact: Remote code execution
Risk Level: High
Vulnerability Type: Remote


==[ Overview
 
ICQ (I Seek You) Instant Messenger is one of the most popular internet 
chat programs. Since 1996, it has grown to a community of over 180 
million users. It has features for instant messaging, chat, sending 
e-mail, SMS, file transfer, wireless-pager messages, etc. 


==[ Vulnerability

INFIGO IS's security team identified a critical remote buffer overflow 
vulnerability in the latest ICQ version (ICQ 6.0). In newer versions, 
ICQ has a 'Personal Status Manager' feature, where a user can specify 
text messages for his status/mood (online/offline/etc.). The specified 
message will be visible in the title part of a remote user's ICQ chat 
window, when a chat session is initiated. 

When a user writes a message in the status manager, the text string is 
processed with the boxelyRenderer module. The boxelyRenderer module has 
a vulnerability in the HTML tags processing code. If malformed HTML tags 
are set for the 'status message', boxelyRenderer will try to process the 
HTML tags, and a UNICODE heap overflow will occur. 

The 'status' string from a remote user is processed by boxelyRenderer 
for each new chat session. If the remote user has a malicious 'status 
message', ICQ's heap memory will be overflowed. 

Upon setting, the status message is sent to ICQ's servers, and will be 
stored on them. When another user looks up the malicious user's profile, 
or tries to send him a message, even if the malicious user is offline, 
the ICQ client will receive the malicious status message from ICQ's 
server. In other words, once the malicious user sets his status message, 
he doesn't have to be online in order to exploit other vulnerable ICQ 
clients. 

There are a few different exploitation paths for this vulnerability, and 
they depend on user actions in ICQ and the current heap state. 

Below is an example of malicious HTML code that will crash ICQ:
 
--
|a href=img
src=A border=0 //a|
--
 
When a user sets this HTML code as his 'status message', 
ICQ/boxelyRenderer will process it and ICQ will crash. To prevent this, 
open ICQ in a debugger and set it to ignore INT3 and memory access 
violation exceptions. 

We identified two exploitable scenarios:

Scenario 1: 

In this scenario, the ESI register has our input, so we control the EIP 
register at the 'CALL' instruction. 

boxelyRE:
--
MOV EDX, DWORD PTR DS:[ESI]
PUSH 5A
LEA EAX, DWORD PTR SS:[EBP-2A0]
PUSH EAX
MOV ECX, ESI
CALL DWORD PTR DS:[EDX+8] <-- HERE
---
 
Scenario 2:

In this scenario, which is harder to exploit, we can write one byte to a 
memory location. 
 
ntdll:
---
MOV BYTE PTR DS:[EDI+6], AL
---
 
 
==[ Affected Version
 
The vulnerability has been identified in the latest available ICQ 
version 6 (build 6043). It was tested on Windows XP SP2 and Windows 
2003. 


==[ Fix
 
The vendor has addressed this vulnerability on 1st of March 2008 with an 
automatic update. 


==[ PoC Exploit
 
PoC will not be released.
 
 
==[ Vendor status
 
26.02.2008 - Initial contact
26.02.2008 - Initial vendor response
28.02.2008 - Further clarification about the vulnerability
28.02.2008 - Vendor status update
01.03.2008 - Vendor released an automatic update.
14.03.2008 - Vendor status update
14.04.2008 - Coordinated public disclosure
 
 
==[ Credits
 
Vulnerability discovered by Leon Juranic [EMAIL PROTECTED]. 
Special thanks to Marko Goricki, who pointed out the ICQ crash :-). 

 
==[ INFIGO IS Security Contact
 
INFIGO IS,
 
WWW : http://www.infigo.hr/en/
E-mail : [EMAIL PROTECTED]



[Full-disclosure] Cisco Security Advisory: Cisco Network Admission Control Shared Secret Vulnerability

2008-04-16 Thread Cisco Systems Product Security Incident Response Team
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

Cisco Security Advisory: Cisco Network Admission Control Shared Secret
Vulnerability

Advisory ID: cisco-sa-20080416-nac

http://www.cisco.com/warp/public/707/cisco-sa-20080416-nac.shtml

Revision 1.0

For Public Release 2008 April 16 1600 UTC (GMT)

Summary
=======

A vulnerability exists in the Cisco Network Admission Control (NAC)
Appliance that can allow an attacker to obtain the shared secret that
is used between the Cisco Clean Access Server (CAS) and the Cisco Clean
Access Manager (CAM).

Cisco has released free software updates that address this
vulnerability.

This advisory is posted at
http://www.cisco.com/warp/public/707/cisco-sa-20080416-nac.shtml.

Affected Products
=================

Vulnerable Products
+-------------------

The following table lists all Cisco NAC Appliance software versions
affected by this vulnerability.

+------------------+------------------------+
| NAC Software     | Vulnerable Versions    |
| Release          |                        |
|------------------+------------------------|
| 3.5.x            | All 3.5.x versions     |
|------------------+------------------------|
| 3.6.x            | All 3.6.x versions     |
|                  | prior to 3.6.4.4       |
|------------------+------------------------|
| 4.0.x            | All 4.0.x versions     |
|                  | prior to 4.0.6         |
|------------------+------------------------|
| 4.1.x            | All 4.1.x versions     |
|                  | prior to 4.1.2         |
+------------------+------------------------+

Products Confirmed Not Vulnerable
+---------------------------------

Cisco NAC Appliance software versions 3.6.4.4 and later in the 3.6.x
train; 4.0.6 and later in the 4.0.x train; and 4.1.2 and later in the
4.1.x train are not vulnerable. No other Cisco products are currently
known to be affected by this vulnerability.

Details
=======

The Cisco NAC Appliance solution allows network administrators to
authenticate, authorize, evaluate, and remediate wired, wireless,
and remote users and their machines prior to allowing users onto the
network. The solution identifies whether machines are compliant with
security policies and repairs vulnerabilities before permitting access
to the network.

A vulnerability exists in the Cisco NAC Appliance that can allow an
attacker to obtain the shared secret used by the CAS and the CAM from
error logs that are transmitted over the network. Obtaining this
information could enable an attacker to gain complete control of the CAS
remotely over the network.

This vulnerability is documented in Cisco Bug ID CSCsj33976 and has
been assigned Common Vulnerabilities and Exposures (CVE) identifier
CVE-2008-1155.

Vulnerability Scoring Details
+-----------------------------

Cisco has provided scores for the vulnerability in this advisory based
on the Common Vulnerability Scoring System (CVSS). The CVSS scoring in
this Security Advisory is done in accordance with CVSS version 2.0.

CVSS is a standards-based scoring method that conveys vulnerability
severity and helps determine urgency and priority of response.

Cisco has provided a base and temporal score. Customers can then
compute environmental scores to assist in determining the impact of the
vulnerability in individual networks.

Cisco has provided an FAQ to answer additional questions regarding CVSS
at

http://www.cisco.com/web/about/security/intelligence/cvss-qandas.html

Cisco has also provided a CVSS calculator to help compute the
environmental impact for individual networks at

http://intellishield.cisco.com/security/alertmanager/cvss.

* NAC Appliance Shared Secret Vulnerability (CSCsj33976)

CVSS Base Score - 10.0
    Access Vector - Network
    Access Complexity - Low
    Authentication - None
    Confidentiality Impact - Complete
    Integrity Impact - Complete
    Availability Impact - Complete

CVSS Temporal Score - 8.3
    Exploitability - Functional
    Remediation Level - Official-Fix
    Report Confidence - Confirmed


Impact
======

Successful exploitation of the vulnerability could allow an attacker to
take complete control of the CAS remotely over the network.

Software Versions and Fixes
===========================

Each row of the following software table (below) describes the earliest
possible releases that contain the fix for this vulnerability. These are
shown in the First Fixed Release column. A device running a release in
the given train that is earlier than the release in a specific column
(less than the First Fixed Release) is known to be vulnerable. The
release should be upgraded at least to the indicated release or a later
version (greater than or equal to the First Fixed Release label).

+------------------+------------------------+
| Affected Releases| First Fixed            |
|                  | Releases               |
|------------------+------------------------|
| NAC Appliance    | Vulnerable -           |
| software version | Contact TAC

[Full-disclosure] CA DSM gui_cm_ctrls ActiveX Control Vulnerability

2008-04-16 Thread Williams, James K
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1


Title: CA DSM gui_cm_ctrls ActiveX Control Vulnerability


CA Advisory Date: 2008-04-15


Reported By: Greg Linares of eEye Digital Security


Impact: A remote attacker can execute arbitrary code or cause a 
denial of service condition.


Summary: CA products that implement the DSM gui_cm_ctrls ActiveX 
control contain a vulnerability that can allow a remote attacker 
to cause a denial of service or execute arbitrary code. The 
vulnerability, CVE-2008-1786, is due to insufficient verification 
of function arguments by the gui_cm_ctrls control. An attacker can 
execute arbitrary code under the context of the user running the 
web browser.


Mitigating Factors: For BrightStor ARCserve Backup for Laptops & 
Desktops, only the server installation is affected. Client 
installations are not affected. For CA Desktop Management Suite, 
Unicenter Desktop Management Bundle, Unicenter Asset Management, 
Unicenter Software Delivery and Unicenter Remote Control, only the 
Managers and DSM Explorers are affected. Scalability Servers and 
Agents are not affected.


Severity: CA has given this vulnerability a maximum risk rating 
of High.


Affected Products:
BrightStor ARCServe Backup for Laptops and Desktops r11.5
CA Desktop Management Suite r11.2 C2
CA Desktop Management Suite r11.2 C1
CA Desktop Management Suite r11.2a
CA Desktop Management Suite r11.2
CA Desktop Management Suite r11.1 (GA, a, C1)
Unicenter Desktop Management Bundle r11.2 C2
Unicenter Desktop Management Bundle r11.2 C1
Unicenter Desktop Management Bundle r11.2a
Unicenter Desktop Management Bundle r11.2
Unicenter Desktop Management Bundle r11.1 (GA, a, C1)
Unicenter Asset Management r11.2 C2
Unicenter Asset Management r11.2 C1
Unicenter Asset Management r11.2a
Unicenter Asset Management r11.2 
Unicenter Asset Management r11.1 (GA, a, C1)
Unicenter Software Delivery r11.2 C2
Unicenter Software Delivery r11.2 C1
Unicenter Software Delivery r11.2a
Unicenter Software Delivery r11.2 
Unicenter Software Delivery r11.1 (GA, a, C1)
Unicenter Remote Control r11.2 C2
Unicenter Remote Control r11.2 C1
Unicenter Remote Control r11.2a
Unicenter Remote Control r11.2 
Unicenter Remote Control r11.1 (GA, a, C1)
CA Desktop and Server Management r11.2 C2
CA Desktop and Server Management r11.2 C1
CA Desktop and Server Management r11.2a
CA Desktop and Server Management r11.2
CA Desktop and Server Management r11.1 (GA, a, C1)


Affected Platforms:
Windows


Status and Recommendation:

CA has provided the following updates to address the 
vulnerabilities. 

BrightStor ARCserve Backup for Laptops and Desktops r11.5:
QI96333

CA Desktop Management Suite for Windows r11.1 (GA, a, C1),
Unicenter Desktop Management Bundle r11.1 (GA, a, C1),
Unicenter Asset Management r11.1 (GA, a, C1),
Unicenter Software Delivery r11.1 (GA, a, C1),
Unicenter Remote Control r11.1 (GA, a, C1):
QO96283

CA Desktop Management Suite for Windows r11.2a,
Unicenter Desktop Management Bundle r11.2a,
Unicenter Asset Management r11.2a,
Unicenter Software Delivery r11.2a,
Unicenter Remote Control r11.2a:
QO96286

CA Desktop Management Suite for Windows r11.2,
Unicenter Desktop Management Bundle r11.2,
Unicenter Asset Management r11.2,
Unicenter Software Delivery r11.2,
Unicenter Remote Control r11.2:
QO96285

CA Desktop Management Suite for Windows r11.2 C1,
Unicenter Desktop Management Bundle r11.2 C1,
Unicenter Asset Management r11.2 C1,
Unicenter Software Delivery r11.2 C1,
Unicenter Remote Control r11.2 C1:
QO96284

CA Desktop Management Suite for Windows r11.2 C2,
Unicenter Desktop Management Bundle r11.2 C2,
Unicenter Asset Management r11.2 C2,
Unicenter Software Delivery r11.2 C2,
Unicenter Remote Control r11.2 C2:
QO99084

CA Desktop and Server Management r11.2 C2:
QO99080

CA Desktop and Server Management r11.2 C1:
QO96288

CA Desktop and Server Management r11.2a:
QO96290

CA Desktop and Server Management r11.2:
QO96289

CA Desktop and Server Management r11.1 (GA, a, C1):
QO96287


How to determine if you are affected:

For products on Windows:
1. Using Windows Explorer, locate the file “gui_cm_ctrls.ocx”. By 
   default, the file is in the “C:\Program Files\CA\DSM\bin\” 
   directory.
2. Right click on the file and select Properties.
3. Select the Version tab.
4. If the file version is earlier than indicated in the list 
   below, the installation is vulnerable.

Product:
CA Desktop Management Suite for Windows r11.1 (GA, a, C1),
Unicenter Desktop Management Bundle r11.1 (GA, a, C1),
Unicenter Asset Management r11.1 (GA, a, C1),
Unicenter Software Delivery r11.1 (GA, a, C1),
Unicenter Remote Control r11.1 (GA, a, C1),
CA Desktop and Server Management r11.1 (GA, a, C1)
File Name:
gui_cm_ctrls.ocx
File Version:
11.1.8124.2517

Product:
CA Desktop Management Suite for Windows r11.2,
Unicenter Desktop Management Bundle r11.2,
Unicenter Asset Management r11.2,
Unicenter Software Delivery r11.2,
Unicenter Remote Control r11.2,
CA Desktop and Server 

Re: [Full-disclosure] Web Application Security Awareness Day

2008-04-16 Thread n3td3v
On Wed, Apr 16, 2008 at 9:13 AM, Michael Simpson
[EMAIL PROTECTED] wrote:
 think i will print this off and use it when explaining pressure of
 speech to my students

 http://en.wikipedia.org/wiki/Pressure_of_speech

as long as you credit it to n3td3v and not plagiarize it as your own work.

http://en.wikipedia.org/wiki/Plagiarism



Re: [Full-disclosure] Web Application Security Awareness Day

2008-04-16 Thread Rankin, James R
LOL... that is either comedy genius or extreme dumbness... I can't decide
which

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of n3td3v
Sent: 16 April 2008 17:55
To: full-disclosure@lists.grok.org.uk; n3td3v
Subject: Re: [Full-disclosure] Web Application Security Awareness Day

On Wed, Apr 16, 2008 at 9:13 AM, Michael Simpson
[EMAIL PROTECTED] wrote:
 think i will print this off and use it when explaining pressure of
 speech to my students

 http://en.wikipedia.org/wiki/Pressure_of_speech

as long as you credit it to n3td3v and not plagiarize it as your own work.

http://en.wikipedia.org/wiki/Plagiarism



[Full-disclosure] iDefense Security Advisory 04.15.08: Oracle Application Express Privilege Escalation Vulnerability

2008-04-16 Thread iDefense Labs
iDefense Security Advisory 04.15.08
http://labs.idefense.com/intelligence/vulnerabilities/
Apr 15, 2008

I. BACKGROUND

Oracle Application Express (Oracle APEX), formerly called HTML DB, is a
rapid web application development tool for the Oracle database. For
more information about Oracle Application Express, please visit the
following URL.

http://www.oracle.com/technology/products/database/application_express/index.html

II. DESCRIPTION

Local exploitation of a design error vulnerability in Oracle Corp.'s
Application Express web application development tool allows attackers
to gain elevated privileges.

The vulnerability exists in the run_ddl function within the
wwv_execute_immediate package. This package is included in the
flows_03 schema. This function allows attackers to execute SQL
commands as any database user, such as SYS.

III. ANALYSIS

Exploitation allows the attacker to execute SQL commands as any database
user. In order to exploit this vulnerability, an attacker must have
access to an account which can execute the
flows_03.wwv_execute_immediate.run_ddl function. On a default
installation of Oracle Database 11g, the following non-DBA users can
execute this function: WMSYS, WKSYS, FLOWS_03, OUTLN.

If combined with other SQL injection vulnerabilities which give access
to the above accounts, an attacker with normal database user access can
take control of the whole database and possibly the whole computer
system.
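The queries below are an added example, not iDefense's code, for checking whether the run_ddl exposure described in sections II and III is present on an instance and for putting an audit record on every call to it. The schema and package names are used exactly as printed in the advisory (FLOWS_03 / WWV_EXECUTE_IMMEDIATE); adjust FLOWS_03 to the APEX schema name actually installed on the database being checked. The views used (DBA_REGISTRY, DBA_OBJECTS, DBA_TAB_PRIVS, DBA_ROLE_PRIVS, DBA_USERS) and the AUDIT statement are standard Oracle.

```sql
-- Added example, not code from the advisory. Run as SYSDBA.

-- 1. Is Application Express installed, and which version? The advisory
--    notes 10g R2 does not install it by default while 11g R1 does.
SELECT comp_id, comp_name, version, status
FROM   dba_registry
WHERE  comp_id = 'APEX';

-- 2. Does the package named in the advisory exist in the APEX schema?
SELECT owner, object_name, object_type, status
FROM   dba_objects
WHERE  owner = 'FLOWS_03'
AND    object_name = 'WWV_EXECUTE_IMMEDIATE';

-- 3. Who can call it: direct object grants ...
SELECT grantee, privilege, grantable
FROM   dba_tab_privs
WHERE  owner = 'FLOWS_03'
AND    table_name = 'WWV_EXECUTE_IMMEDIATE';

-- ... and grants that arrive through a role, resolved one level down to
--    the users and roles holding that role.
SELECT rp.grantee AS holder, tp.privilege, tp.grantee AS via_role
FROM   dba_tab_privs  tp
JOIN   dba_role_privs rp ON rp.granted_role = tp.grantee
WHERE  tp.owner = 'FLOWS_03'
AND    tp.table_name = 'WWV_EXECUTE_IMMEDIATE';

-- 4. State of the non-DBA accounts the advisory lists as able to execute
--    the function. Each one that is OPEN is a hop from an SQL injection in
--    that schema to SYS; locked accounts narrow the path.
SELECT username, account_status, lock_date
FROM   dba_users
WHERE  username IN ('WMSYS', 'WKSYS', 'FLOWS_03', 'OUTLN');

-- 5. Detection until the April 2008 CPU is applied (or the component is
--    uninstalled as per the workaround): record every execution of the
--    package in the audit trail. Requires AUDIT_TRAIL to be enabled.
AUDIT EXECUTE ON flows_03.wwv_execute_immediate BY ACCESS;
```

Steps 3 and 4 together give the practical blast radius: any account appearing in step 3 that is OPEN in step 4 is one the advisory's chaining scenario applies to.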

IV. DETECTION

iDefense confirmed the existence of this vulnerability in Oracle
Application Express version 3.0.1.00.08, which is installed by default
with Oracle Database 11g R1 (version 11.1.0.6.0). Previous versions may
also be affected. However, Oracle Database 10g R2 does not install
Oracle Application Express by default.

V. WORKAROUND

Exploitation of this vulnerability can be prevented, if this component
is not being used, by uninstalling Oracle Application Express.

VI. VENDOR RESPONSE

Oracle has addressed this issue within the April 2008 Critical Patch
Update. For more information, visit the following URL.

http://www.oracle.com/technology/deploy/security/critical-patch-updates/cpuapr2008.html

VII. CVE INFORMATION

The Common Vulnerabilities and Exposures (CVE) project has assigned the
name CVE-2008-1811 to this issue. This is a candidate for inclusion in
the CVE list (http://cve.mitre.org/), which standardizes names for
security problems.

VIII. DISCLOSURE TIMELINE

01/18/2008  Initial vendor notification
01/22/2008  Initial vendor response
04/15/2008  Coordinated public disclosure

IX. CREDIT

This vulnerability was reported to iDefense by Joxean Koret.

Get paid for vulnerability research
http://labs.idefense.com/methodology/vulnerability/vcp.php

Free tools, research and upcoming events
http://labs.idefense.com/

X. LEGAL NOTICES

Copyright © 2008 iDefense, Inc.

Permission is granted for the redistribution of this alert
electronically. It may not be edited in any way without the express
written consent of iDefense. If you wish to reprint the whole or any
part of this alert in any other medium other than electronically,
please e-mail [EMAIL PROTECTED] for permission.

Disclaimer: The information in the advisory is believed to be accurate
at the time of publishing based on currently available information. Use
of the information constitutes acceptance for use in an AS IS condition.
 There are no warranties with regard to this information. Neither the
author nor the publisher accepts any liability for any direct,
indirect, or consequential loss or damage arising from use of, or
reliance on, this information.



[Full-disclosure] ZDI-08-022: Apple Safari WebKit PCRE Handling Integer Overflow Vulnerability

2008-04-16 Thread zdi-disclosures
ZDI-08-022: Apple Safari WebKit PCRE Handling Integer Overflow 
Vulnerability
http://www.zerodayinitiative.com/advisories/ZDI-08-022
April 16, 2008

-- CVE ID:
CVE-2008-1026

-- Affected Vendors:
Apple

-- Affected Products:
Apple Safari

-- TippingPoint(TM) IPS Customer Protection:
TippingPoint IPS customers have been protected against this
vulnerability by Digital Vaccine protection filter ID 6031. 
For further product information on the TippingPoint IPS, visit:

http://www.tippingpoint.com

-- Vulnerability Details:
This vulnerability allows remote attackers to execute arbitrary code on
vulnerable installations of Apple Safari. User interaction is required
to exploit this vulnerability in that the target must visit a malicious
page.

The specific flaw exists in the regular expression compiler
(JavaScriptCore/pcre/pcre_compile.cpp) in WebKit. When nesting regular
expressions with large repetitions, a heap overflow occurs resulting in
a condition allowing the execution of arbitrary code.

-- Vendor Response:
Apple has issued an update to correct this vulnerability. More
details can be found at:

http://support.apple.com/kb/HT1467

-- Disclosure Timeline:
2008-03-27 - Vulnerability reported to vendor
2008-04-16 - Coordinated public release of advisory

-- Credit:
This vulnerability was discovered by:
* Charlie Miller, Jake Honoroff and Mark Daniel

-- About the Zero Day Initiative (ZDI):
Established by TippingPoint, The Zero Day Initiative (ZDI) represents 
a best-of-breed model for rewarding security researchers for responsibly
disclosing discovered vulnerabilities.

Researchers interested in getting paid for their security research
through the ZDI can find more information and sign-up at:

http://www.zerodayinitiative.com

The ZDI is unique in how the acquired vulnerability information is
used. TippingPoint does not re-sell the vulnerability details or any
exploit code. Instead, upon notifying the affected product vendor,
TippingPoint provides its customers with zero day protection through
its intrusion prevention technology. Explicit details regarding the
specifics of the vulnerability are not exposed to any parties until
an official vendor patch is publicly available. Furthermore, with the
altruistic aim of helping to secure a broader user base, TippingPoint
provides this vulnerability information confidentially to security
vendors (including competitors) who have a vulnerability protection or
mitigation product.

Our vulnerability disclosure policy is available online at:

http://www.zerodayinitiative.com/advisories/disclosure_policy/

CONFIDENTIALITY NOTICE: This e-mail message, including any attachments,
is being sent by 3Com for the sole use of the intended recipient(s) and
may contain confidential, proprietary and/or privileged information.
Any unauthorized review, use, disclosure and/or distribution by any 
recipient is prohibited.  If you are not the intended recipient, please
delete and/or destroy all copies of this message regardless of form and
any included attachments and notify 3Com immediately by contacting the
sender via reply e-mail or forwarding to 3Com at [EMAIL PROTECTED] 


Re: [Full-disclosure] Fwd: n3td3v has a fan

2008-04-16 Thread n3td3v
On Tue, Apr 15, 2008 at 5:37 PM, mark seiden-via mac [EMAIL PROTECTED] wrote:
 in my opinion a few of the facts in this posting may actually be true

Do share them with the list, Mr. Seiden... can you confirm to the list
there are spies in Yahoo?

 btw, n3td3v, I know Gadi Evron, and you're no Gadi Evron.  (this is probably
 a good thing,

It's definitely a good thing...



Re: [Full-disclosure] Fwd: n3td3v has a fan

2008-04-16 Thread Shawn Nunley
The hits just keep coming...
Quoting n3td3v:

Back in the day when I had relations with him I was a humble script
kid who didn't realise the full extent of what was going on, a little
like when you're a kid you might not realise your uncle is touching
you up because you don't realise what's going on because you're naive,

How long ago was this?  You know, when you were humble and naive?

n3td3v has no intelligence anymore


Dude, if you're going to refer to yourself in the third person, at least
keep it consistent.  Other than that, gotta give you major props for the
gut-busting laughs you give me.  Dwight Schrute ain't got nothing on you,
pal.

Re: [Full-disclosure] Fwd: n3td3v has a fan

2008-04-16 Thread n3td3v
On Wed, Apr 16, 2008 at 11:57 PM, Shawn Nunley [EMAIL PROTECTED] wrote:
 The hits just keep coming...

 Quoting n3td3v:


 Back in the day when I had relations with him I was a humble script
 kid who didn't realise the full extent of what was going on, a little
  like when you're a kid you might not realise your uncle is touching
 you up because you don't realise what's going on because you're naive,


 How long ago was this?  You know, when you were humble and naive?


 n3td3v has no intelligence anymore



 Dude, if you're going to refer to yourself in the third person, at least
 keep it consistent.  Other than that, gotta give you major props for the
 gut-busting laughs you give me.  Dwight Schrute ain't got nothing on you,
 pal.

It doesn't matter if you believe me or not because the counter espionage
guys at MI5/6 have his name and they are going to bust his ass open.



[Full-disclosure] xine-lib NSF demuxer buffer overflow

2008-04-16 Thread Guido Landi
xine-lib <= 1.1.12 is prone to a stack-based buffer overflow in the NES
Sound Format demuxer (demux_nsf.c).


- Code

open_nsf_file():

109: this->title = strdup(&header[0x0E]);

demux_nsf_send_chunk():

122: char title[100];
162: sprintf(title, "%s, song %d/%d",
         this->title, this->current_song, this->total_songs);


- Affected applications

http://xinehq.de/index.php/releases


- PoC

perl -e 'print "\x4E\x45\x53\x4D\x1A\x01\x01\x01\x80\x80\x18\x8A\x03\x8A" . "\x41" x 114' > evil.mp3
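An added example, not code from the advisory or from xine-lib, showing the bounded handling the demuxer lacked: the title field is copied with an explicit 32-byte limit and formatted with snprintf() into a 100-byte buffer, so a header like the PoC above (no NUL terminator anywhere) yields a truncated string instead of a stack overflow. The nsf_* names and the field-layout constants are assumptions made for this example.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed example, not xine-lib code. NSF stores title, artist and
 * copyright in fixed 32-byte slots that need not be NUL-terminated; the
 * strdup() at demux_nsf.c:109 assumed they were. */
#define NSF_HEADER_SIZE 0x80
#define NSF_TITLE_OFF   0x0E
#define NSF_FIELD_LEN   32

/* 1 if buf holds a full header starting with the NSF magic "NESM\x1A". */
int nsf_check_magic(const uint8_t *buf, size_t len) {
    static const uint8_t magic[5] = { 'N', 'E', 'S', 'M', 0x1A };
    return len >= NSF_HEADER_SIZE && memcmp(buf, magic, sizeof magic) == 0;
}

/* Bounded copy of one 32-byte field: never reads past the slot and always
 * NUL-terminates, the two properties the original strdup() lacked. */
static void nsf_copy_field(const uint8_t *hdr, size_t off, char *out, size_t outlen) {
    size_t n = 0;
    while (n < NSF_FIELD_LEN && n + 1 < outlen && hdr[off + n] != '\0') n++;
    memcpy(out, hdr + off, n);
    out[n] = '\0';
}

/* Hardened form of the sprintf() at demux_nsf.c:162. Returns what
 * snprintf() wanted to write; >= outlen means truncated, never overflowed. */
int nsf_format_title(const uint8_t *hdr, char *out, size_t outlen) {
    char title[NSF_FIELD_LEN + 1];
    nsf_copy_field(hdr, NSF_TITLE_OFF, title, sizeof title);
    return snprintf(out, outlen, "%s, song %d/%d", title, hdr[7], hdr[6]);
}

/* Constructed sample mirroring the PoC: 14 header bytes, then 'A' filler
 * with no terminator anywhere in the 0x80-byte header. */
const uint8_t *nsf_sample_header(void) {
    static uint8_t hdr[NSF_HEADER_SIZE];
    memset(hdr, 'A', sizeof hdr);
    memcpy(hdr, "\x4E\x45\x53\x4D\x1A\x01\x01\x01\x80\x80\x18\x8A\x03\x8A", 14);
    return hdr;
}

int main(void) {
    const uint8_t *hdr = nsf_sample_header();
    char out[100];                       /* same size as title[100] */
    if (!nsf_check_magic(hdr, NSF_HEADER_SIZE)) return 1;
    int need = nsf_format_title(hdr, out, sizeof out);
    printf("%s (needed %d bytes, buffer %zu)\n", out, need, sizeof out);
    return 0;
}
```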





[Full-disclosure] That song about Gadi

2008-04-16 Thread Micheal Chatner
Evron is awesome and right on point. I can't wait for future releases from
Chat Krew / Full-Disclosure Records.

[Full-disclosure] [ MDVSA-2008:087 ] - Updated policykit package fixes format string vulnerability

2008-04-16 Thread security


 ___
 
 Mandriva Linux Security Advisory MDVSA-2008:087
 http://www.mandriva.com/security/
 ___
 
 Package : policykit
 Date: April 16, 2008
 Affected: 2008.1
 ___
 
 Problem Description:
 
 A format string vulnerability in the grant helper, in PolicyKit 0.7
 and earlier, allows attackers to cause a denial of service (crash)
 and possibly execute arbitrary code via format strings in a password.
 
 The updated package has been patched to correct this issue.
 ___

 References:
 
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1658
 ___
 
 Updated Packages:
 
 Mandriva Linux 2008.1:
 aa8e182bb5e5d8fe952cfab4c62bf055  2008.1/i586/libpolkit2-0.7-5.1mdv2008.1.i586.rpm
 2c2de3341fd2e7b0181215c49b373953  2008.1/i586/libpolkit-devel-0.7-5.1mdv2008.1.i586.rpm
 54bc0d67f70ada707da9ac5d35ac6f8a  2008.1/i586/policykit-0.7-5.1mdv2008.1.i586.rpm
 864e3c1f5c99ad74a284fe3f35964515  2008.1/i586/policykit-docs-0.7-5.1mdv2008.1.i586.rpm
 e19c68b55d06d4ad8a00a9c82e38e3fa  2008.1/SRPMS/policykit-0.7-5.1mdv2008.1.src.rpm

 Mandriva Linux 2008.1/X86_64:
 79e9c91841bf90f09fd7184050164bfe  2008.1/x86_64/lib64polkit2-0.7-5.1mdv2008.1.x86_64.rpm
 3bb998cc6595c0f70c47cb22f411962b  2008.1/x86_64/lib64polkit-devel-0.7-5.1mdv2008.1.x86_64.rpm
 16ede4d785e987f5e65361570d80bcdc  2008.1/x86_64/policykit-0.7-5.1mdv2008.1.x86_64.rpm
 c114e50ab7f564a281ddd1096dbde53c  2008.1/x86_64/policykit-docs-0.7-5.1mdv2008.1.x86_64.rpm
 e19c68b55d06d4ad8a00a9c82e38e3fa  2008.1/SRPMS/policykit-0.7-5.1mdv2008.1.src.rpm
 ___

 To upgrade automatically use MandrivaUpdate or urpmi.  The verification
 of md5 checksums and GPG signatures is performed automatically for you.

 All packages are signed by Mandriva for security.  You can obtain the
 GPG public key of the Mandriva Security Team by executing:

  gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98

 You can view other update advisories for Mandriva Linux at:

  http://www.mandriva.com/security/advisories

 If you want to report vulnerabilities, please contact

  security_(at)_mandriva.com
 ___

 Type Bits/KeyID Date   User ID
 pub  1024D/22458A98 2000-07-10 Mandriva Security Team
  security*mandriva.com


Re: [Full-disclosure] Web Application Security Awareness Day

2008-04-16 Thread taneja . security
Sorry, dear... Now whatever you'll do, people won't support you.
Well, it's a nice idea for an Awareness Day.


Taneja Vikas
http://www.annysoft.com


On 4/16/08, Rankin, James R [EMAIL PROTECTED] wrote:

 LOL, that is either comedy genius or extreme dumbness... I can't decide
 which

 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] On Behalf Of n3td3v
 Sent: 16 April 2008 17:55
 To: full-disclosure@lists.grok.org.uk; n3td3v
 Subject: Re: [Full-disclosure] Web Application Security Awareness Day

 On Wed, Apr 16, 2008 at 9:13 AM, Michael Simpson
 [EMAIL PROTECTED] wrote:
  think i will print this off and use it when explaining pressure of
  speech to my students
 
  http://en.wikipedia.org/wiki/Pressure_of_speech

 as long as you credit it to n3td3v and not plagiarize it as your own work.

 http://en.wikipedia.org/wiki/Plagiarism

