[Full-disclosure] OFFTOPIC - moderated subset of list is back
Apologies for the off-topic post. Send flames directly to me, not to full-disclosure please.

For those of you like me who can't stand the incessant noise and smell of monkeys flinging poop at each other, I've started running a moderated version of full-disclosure again. Currently 152 email addresses are allowed (vendors, smart people, etc.) to post automatically and 167 are blocked (the poop flingers). It's not as fine-grained as I would like, but it's mostly automatic so posts aren't held up.

http://lists.seifried.org/mailman/listinfo/moderated-security

-Kurt Seifried

___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
[Full-disclosure] [USN-647-1] Thunderbird vulnerabilities
===========================================================
Ubuntu Security Notice USN-647-1                  September 26, 2008
mozilla-thunderbird, thunderbird vulnerabilities
CVE-2008-3835, CVE-2008-4058, CVE-2008-4059, CVE-2008-4060,
CVE-2008-4061, CVE-2008-4062, CVE-2008-4063, CVE-2008-4064,
CVE-2008-4065, CVE-2008-4066, CVE-2008-4067, CVE-2008-4068,
CVE-2008-4070
===========================================================

A security issue affects the following Ubuntu releases:

Ubuntu 6.06 LTS
Ubuntu 7.04
Ubuntu 7.10
Ubuntu 8.04 LTS

This advisory also applies to the corresponding versions of Kubuntu, Edubuntu, and Xubuntu.

The problem can be corrected by upgrading your system to the following package versions:

Ubuntu 6.06 LTS:
  mozilla-thunderbird  1.5.0.13+1.5.0.15~prepatch080614g-0ubuntu0.6.06.1

Ubuntu 7.04:
  mozilla-thunderbird  1.5.0.13+1.5.0.15~prepatch080614g-0ubuntu0.7.04.1

Ubuntu 7.10:
  thunderbird  2.0.0.17+nobinonly-0ubuntu0.7.10.1

Ubuntu 8.04 LTS:
  thunderbird  2.0.0.17+nobinonly-0ubuntu0.8.04.1

After a standard system upgrade you need to restart Thunderbird to effect the necessary changes.

Details follow:

It was discovered that the same-origin check in Thunderbird could be bypassed. If a user had JavaScript enabled and were tricked into opening a malicious website, an attacker may be able to execute JavaScript in the context of a different website. (CVE-2008-3835)

Several problems were discovered in the browser engine of Thunderbird. If a user had JavaScript enabled, this could allow an attacker to execute code with chrome privileges. (CVE-2008-4058, CVE-2008-4059, CVE-2008-4060)

Drew Yao, David Maciejak and other Mozilla developers found several problems in the browser engine of Thunderbird. If a user had JavaScript enabled and were tricked into opening a malicious web page, an attacker could cause a denial of service or possibly execute arbitrary code with the privileges of the user invoking the program. (CVE-2008-4061, CVE-2008-4062, CVE-2008-4063, CVE-2008-4064)

Dave Reed discovered a flaw in the JavaScript parsing code when processing certain BOM characters. An attacker could exploit this to bypass script filters and perform cross-site scripting attacks if a user had JavaScript enabled. (CVE-2008-4065)

Gareth Heyes discovered a flaw in the HTML parser of Thunderbird. If a user had JavaScript enabled and were tricked into opening a malicious web page, an attacker could bypass script filtering and perform cross-site scripting attacks. (CVE-2008-4066)

Boris Zbarsky and Georgi Guninski independently discovered flaws in the resource: protocol. An attacker could exploit this to perform directory traversal, read information about the system, and prompt the user to save information in a file. (CVE-2008-4067, CVE-2008-4068)

Georgi Guninski discovered that Thunderbird improperly handled cancelled newsgroup messages. If a user opened a crafted newsgroup message, an attacker could cause a buffer overrun and potentially execute arbitrary code with the privileges of the user invoking the program. (CVE-2008-4070)

Updated packages for Ubuntu 6.06 LTS:
[Full-disclosure] CA Service Desk Multiple Cross-Site Scripting Vulnerabilities
Title: CA Service Desk Multiple Cross-Site Scripting Vulnerabilities

CA Advisory Date: 2008-09-24

Reported By: Open Security Foundation

Impact: A remote attacker can conduct cross-site scripting attacks.

Summary: CA Service Desk contains multiple vulnerabilities that can allow a remote attacker to conduct cross-site scripting attacks. CA has issued patches to address the vulnerabilities. The vulnerabilities, CVE-2008-4119, are due to insecure handling of passed variables in multiple web forms. An attacker, who can convince a user to click on a specially crafted link, can potentially conduct cross-site scripting attacks.

Mitigating Factors: None

Severity: CA has given these vulnerabilities a Low risk rating.

Affected Products:
CA Service Desk r11.2
CA CMDB 11.0
CA CMDB 11.1
CA CMDB 11.2

Affected Platforms:
Microsoft Windows 2003 R2
Microsoft Windows 2003 SP1
Microsoft Windows 2003 SP2
Microsoft Windows 2000 Server Family with SP4 applied (32 bit only)
Red Hat Enterprise Linux 3.0 x86
Red Hat Enterprise Linux 4.0 x86
SUSE Linux Enterprise Server 9 (SLES) x86
SUSE Linux Enterprise Server 10 SP1 (SLES) x86
Sun Solaris 9 SPARC (64 bit only)
Sun Solaris 10 SPARC (64 bit only)
HP/UX 11.11 PA-RISC (64 bit only)
HP/UX 11.23 PA-RISC (64 bit only)
HP/UX 11.31 PA-RISC (64 bit only)
AIX 5.2 (64 bit only)
AIX 5.3 (64 bit only)

Status and Recommendation:
CA CMDB 11.0 and CA CMDB 11.1 users should upgrade to CA CMDB 11.2, which includes all of the fixes.

CA has issued the following cumulative fixes for CA Service Desk r11.2 to address the vulnerabilities.

Note: If you are using a version of CA Service Desk earlier than r11.2, you will first need to upgrade to r11.2. For users of earlier versions, CA recommends upgrading to r11.2.

Windows:
  CA Service Desk Crystal Report component: QO99896
  CA Service Desk Dashboard component: QO99895
  CA Service Desk Web Screen Painter component: QO99894
  CA Service Desk Web Server component: QO99893
  CA Service Desk Server component: QO99892

AIX:
  CA Service Desk Web Screen Painter component: QO99905
  CA Service Desk Web Server component: QO99901
  CA Service Desk Server component: QO99897

HPUX:
  CA Service Desk Web Screen Painter component: QO99906
  CA Service Desk Web Server component: QO99902
  CA Service Desk Server component: QO99898

Linux:
  CA Service Desk Web Screen Painter component: QO99907
  CA Service Desk Web Server component: QO99903
  CA Service Desk Server component: QO99899

Solaris:
  CA Service Desk Web Screen Painter component: QO99908
  CA Service Desk Web Server component: QO99904
  CA Service Desk Server component: QO99900

How to determine if you are affected:
Check the Applyptf log to determine if the fix has been applied. Additional information, including platform-specific instructions and updated routine details, can be found in the appropriate solution document.

Workaround: None

References (URLs may wrap):

CA Support:
http://support.ca.com/

Security Notice for CA Service Desk
https://support.ca.com/irj/portal/anonymous/phpsupcontent?contentID=186585

Solution Document Reference APARs:
QO99896, QO99895, QO99894, QO99893, QO99892, QO99905, QO99901, QO99897, QO99906, QO99902, QO99898, QO99907, QO99903, QO99899, QO99908, QO99904, QO99900

CA Security Response Blog posting:
CA Service Desk Multiple Cross-Site Scripting Vulnerabilities
community.ca.com/blogs/casecurityresponseblog/archive/2008/09/25.aspx

Reported By: Open Security Foundation
http://opensecurityfoundation.org/

CVE References:
CVE-2008-4119 - CA Service Desk multiple cross-site scripting issues
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-4119

OSVDB References: Pending
http://osvdb.org/

Changelog for this advisory:
v1.0 - Initial Release
v1.1 - Added CA CMDB solutions

Customers who require additional information should contact CA Technical Support at http://support.ca.com.

For technical questions or comments related to this advisory, please send email to vuln AT ca DOT com.

If you discover a vulnerability in CA products, please report your findings to our product security response team.
https://support.ca.com/irj/portal/anonymous/phpsupcontent?contentID=177782

Regards,
Ken Williams ; 0xE2941985
Director, CA Vulnerability Research

CA, 1 CA Plaza, Islandia, NY 11749
Contact http://www.ca.com/us/contact/
Legal Notice http://www.ca.com/us/legal/
Privacy Policy http://www.ca.com/us/privacy/
Copyright (c) 2008 CA. All rights reserved.
[Full-disclosure] [ GLSA 200809-16 ] Git: User-assisted execution of arbitrary code
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory                           GLSA 200809-16
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                                            http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

  Severity: Normal
     Title: Git: User-assisted execution of arbitrary code
      Date: September 25, 2008
      Bugs: #234075
        ID: 200809-16

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

Multiple buffer overflow vulnerabilities have been discovered in Git.

Background
==========

Git is a distributed version control system.

Affected packages
=================

    -------------------------------------------------------------------
     Package              /  Vulnerable  /                  Unaffected
    -------------------------------------------------------------------
  1  dev-util/git              < 1.5.6.4                    >= 1.5.6.4

Description
===========

Multiple boundary errors in the functions diff_addremove() and diff_change() when processing overly long repository path names were reported.

Impact
======

A remote attacker could entice a user to run commands like "git-diff" or "git-grep" on a specially crafted repository, possibly resulting in the remote execution of arbitrary code with the privileges of the user running the application.

Workaround
==========

There is no known workaround at this time.

Resolution
==========

All Git users should upgrade to the latest version:

    # emerge --sync
    # emerge --ask --oneshot --verbose ">=dev-util/git-1.5.6.4"

References
==========

  [ 1 ] CVE-2008-3546
        http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3546

Availability
============

This GLSA and any updates to it are available for viewing at the Gentoo Security Website:

  http://security.gentoo.org/glsa/glsa-200809-16.xml

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the confidentiality and security of our users' machines is of utmost importance to us. Any security concerns should be addressed to [EMAIL PROTECTED] or alternatively, you may file a bug at http://bugs.gentoo.org.

License
=======

Copyright 2008 Gentoo Foundation, Inc; referenced text belongs to its owner(s).

The contents of this document are licensed under the Creative Commons - Attribution / Share Alike license.

http://creativecommons.org/licenses/by-sa/2.5
[Full-disclosure] [ GLSA 200809-18 ] ClamAV: Multiple Denials of Service
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory                           GLSA 200809-18
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                                            http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

  Severity: Normal
     Title: ClamAV: Multiple Denials of Service
      Date: September 25, 2008
      Bugs: #236665
        ID: 200809-18

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

Multiple vulnerabilities in ClamAV may result in a Denial of Service.

Background
==========

Clam AntiVirus is a free anti-virus toolkit for UNIX, designed especially for e-mail scanning on mail gateways.

Affected packages
=================

    -------------------------------------------------------------------
     Package                 /  Vulnerable  /               Unaffected
    -------------------------------------------------------------------
  1  app-antivirus/clamav          < 0.94                      >= 0.94

Description
===========

Hanno Boeck reported an error in libclamav/chmunpack.c when processing CHM files (CVE-2008-1389). Other unspecified vulnerabilities were also reported, including a NULL pointer dereference in libclamav (CVE-2008-3912), memory leaks in freshclam/manager.c (CVE-2008-3913), and file descriptor leaks in libclamav/others.c and libclamav/sis.c (CVE-2008-3914).

Impact
======

A remote attacker could entice a user or automated system to scan a specially crafted CHM, possibly resulting in a Denial of Service (daemon crash). The other attack vectors mentioned above could also result in a Denial of Service.

Workaround
==========

There is no known workaround at this time.

Resolution
==========

All ClamAV users should upgrade to the latest version:

    # emerge --sync
    # emerge --ask --oneshot --verbose ">=app-antivirus/clamav-0.94"

References
==========

  [ 1 ] CVE-2008-1389
        http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1389
  [ 2 ] CVE-2008-3912
        http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3912
  [ 3 ] CVE-2008-3913
        http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3913
  [ 4 ] CVE-2008-3914
        http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3914

Availability
============

This GLSA and any updates to it are available for viewing at the Gentoo Security Website:

  http://security.gentoo.org/glsa/glsa-200809-18.xml

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the confidentiality and security of our users' machines is of utmost importance to us. Any security concerns should be addressed to [EMAIL PROTECTED] or alternatively, you may file a bug at http://bugs.gentoo.org.

License
=======

Copyright 2008 Gentoo Foundation, Inc; referenced text belongs to its owner(s).

The contents of this document are licensed under the Creative Commons - Attribution / Share Alike license.

http://creativecommons.org/licenses/by-sa/2.5
[Full-disclosure] [ GLSA 200809-17 ] Wireshark: Multiple Denials of Service
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory                           GLSA 200809-17
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                                            http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

  Severity: Normal
     Title: Wireshark: Multiple Denials of Service
      Date: September 25, 2008
      Bugs: #236515
        ID: 200809-17

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

Multiple Denial of Service vulnerabilities have been discovered in Wireshark.

Background
==========

Wireshark is a network protocol analyzer with a graphical front-end.

Affected packages
=================

    -------------------------------------------------------------------
     Package                  /  Vulnerable  /              Unaffected
    -------------------------------------------------------------------
  1  net-analyzer/wireshark         < 1.0.3                    >= 1.0.3

Description
===========

The following vulnerabilities were reported:

* Multiple buffer overflows in the NCP dissector (CVE-2008-3146).
* Infinite loop in the NCP dissector (CVE-2008-3932).
* Invalid read in the tvb_uncompress() function when processing zlib compressed data (CVE-2008-3933).
* Unspecified error when processing Tektronix .rf5 files (CVE-2008-3934).

Impact
======

A remote attacker could exploit these vulnerabilities by sending specially crafted packets on a network being monitored by Wireshark or by enticing a user to read a malformed packet trace file, causing a Denial of Service.

Workaround
==========

There is no known workaround at this time.

Resolution
==========

All Wireshark users should upgrade to the latest version:

    # emerge --sync
    # emerge --ask --oneshot --verbose ">=net-analyzer/wireshark-1.0.3"

References
==========

  [ 1 ] CVE-2008-3146
        http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3146
  [ 2 ] CVE-2008-3932
        http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3932
  [ 3 ] CVE-2008-3933
        http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3933
  [ 4 ] CVE-2008-3934
        http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3934

Availability
============

This GLSA and any updates to it are available for viewing at the Gentoo Security Website:

  http://security.gentoo.org/glsa/glsa-200809-17.xml

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the confidentiality and security of our users' machines is of utmost importance to us. Any security concerns should be addressed to [EMAIL PROTECTED] or alternatively, you may file a bug at http://bugs.gentoo.org.

License
=======

Copyright 2008 Gentoo Foundation, Inc; referenced text belongs to its owner(s).

The contents of this document are licensed under the Creative Commons - Attribution / Share Alike license.

http://creativecommons.org/licenses/by-sa/2.5
[Full-disclosure] Worldwide SQL Protocol Advisory
+-++-++-++-++-++-++-++-++-++-++-++-++-++-++-++-++-++-++-++-++-++-+
TSUH-Security Security Advisory

Topic:      Multiple SQL Injections
Announced:  2008-09-25
Credits:    UberDuberHax0rx
Affects:    Teh Interweb

I. Background

TeamSuperUber [EMAIL PROTECTED], a group of supercomputing collaborative human superpower elite hackers with a clue, has determined that there are worldwide vulnerabilities surrounding vast implementations of websites running SQL. It would seem that, in our ephemeral wisdumb of the inner workings of the OSI layer, we have discovered the potential to inject multiple e-syringes into websites all over the world. This persistent problem is relevant to programmers and web developers who cannot conform to our upper strategically placed of infinite wisdumb associated with technology. We cannot be stopped nor will we be hindered from disclosing to the world our intentions of Global Security Domination in the security realm.

II. Problem description

The problem exists with the usage of the apostrophe character, which will now be referred to as "'" or '\'' if using certain shells. The ' character is an omen to escape and has provided malicious hackers, crackers, slackers and hijackers with an attack vector to thereafter flood your email with useless advisories.

III. Impact

Hackers, crackers, slackers, hijackers and governments will in turn compromise multiple dozens of hundreds and thousands of millions of servers should the ' character continue to be used on the Internet.

IV. Workaround

Develop a new character to replace the apostrophe.

V. Solution

Using a flat thin object, preferably a screwdriver, carefully pluck the apostrophe from your keyboard. This will ensure that in the event your machine - be it server, laptop or desktop - becomes compromised, you do not aid anyone in performing SQL injections. We are now forming a petition to the IEEE and other organizations to remove the apostrophe as it is as useful as an American penny.

Many people do not know the function of pennies and financial organizations will not accept pennies as currencies in hopes of raping you financially on a microscale. Billions of pennies sit in cars, desks, jars, drawers in unusable fashion with millions of dollars in value solely because of the machinations of the financial industry's conspiracy to avoid giving you the face value of ten thousand pennies you're trying to deposit. Same holds true for the apostrophe.

VI. Apostrophe Project

Beginning now, we will scour and download every single program in this world that uses SQL in order to audit the apostrophe attack vector. We do so in hopes to not annoy you with utterly meaningless advisories, sometimes up to twenty a day, but to fill your heart with the warm thought that there are some superhero hackers left in this world.

#!/bin/bash
# SLAPDATASS.sh
# Super Leet Apostrophe Project
# Definitely Addressing the Topic
# Always Supporting Security
# (c) 2008

printf "TeamSuperUber [EMAIL PROTECTED] activate!\n"
wget http://www.freshcripts.com/ && cd www.freshcripts.com
for x in `echo TeamSuperUber [EMAIL PROTECTED] activate\!`
do
    # the closing backtick was missing in the posted version
    for y in `find . | grep signin`
    do
        echo "Ut oh spaghetti0 we bees founded a vuln" && genIdiotAdvisory
    done
done

VII. Shoutouts

We wish to shout out all the uberhax0rrifickal superstars who flood our inboxes with vulnerabilities time after time. It takes a real genius to point us in the right direction and gives us incentive to go forward facing in the hopes of being able to properly direct corporations of proper security posture. Without all my fellow hax0rrrifickal comrades toiling 24/7 every day of the year, we would not be able to contain the risk associated with Citibank using say phpBB or IBM using PHPmyEjeetSuperThingAMajiggyFoofoo.
[Full-disclosure] SQL Injection in EasyRealtorPRO 2008
Original article: http://www.davidsopas.com/2008/09/sql-injection-in-easyrealtorpro/

"EasyRealtorPRO 2008 provides you with all features you need to setup your own business oriented real estate website on your own domain name. Our support team will install the script on your server and then you can start selling packages to home sellers at ease." - vendor website easyrealtorpro.com

This PHP script is vulnerable to SQL Injection in the site_search.php file. By manipulating the unfiltered variables, a user can execute SQL commands to gather other information. The problem is located in the variables item, search_ordermethod and search_order.

Proof of concept:

site_search.php?search_purpose=sale&search_type=&search_price_min=&search_price_max=&search_bedroom=1&search_bathroom=1&search_city=&search_state=&search_zip=&search_radius=&search_country=&search_order=type&search_ordermethod=asc&page=2&item=5'SQL INJECTION

site_search.php?search_purpose=sale&search_type=&search_price_min=&search_price_max=&search_bedroom=1&search_bathroom=1&search_city=&search_state=&search_zip=&search_radius=&search_country=&search_order=type&search_ordermethod=asc'SQL INJECTION&page=2&item=5

site_search.php?search_purpose=sale&search_type=&search_price_min=&search_price_max=&search_bedroom=1&search_bathroom=1&search_city=&search_state=&search_zip=&search_radius=&search_country=&search_order=type'SQL INJECTION&search_ordermethod=asc&page=2&item=5

Solution:
The vendor was contacted 2 weeks ago and still has not replied to my email. It can be fixed by sanitizing the variables.
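The three parameters named above differ in kind: item (and page) are data and can be bound as query parameters, but search_order and search_ordermethod end up in ORDER BY, which no database driver can parameterize, so they need an allowlist. The following is an added example written for this digest, not EasyRealtorPRO's code; the listings table, its columns, the sample rows and every function name are constructed, and SQLite stands in for the script's real database.

```python
"""Validating the site_search.php parameters the advisory names.

Added example, not EasyRealtorPRO code: the `listings` table, its columns,
the sample rows and all function names here are constructed for this demo.
"""
import sqlite3

# ORDER BY targets are SQL structure, not data, so they cannot be bound as
# parameters. The only safe option is an allowlist of known column names and
# sort directions; the matched constant, never the raw input, goes into SQL.
ALLOWED_ORDER_COLUMNS = {"type", "price", "bedroom", "bathroom", "city"}
ALLOWED_ORDER_METHODS = {"asc": "ASC", "desc": "DESC"}
MAX_ITEMS_PER_PAGE = 100

# Constructed rows: (id, type, price, bedroom, bathroom, city)
SAMPLE_LISTINGS = [
    (1, "house", 250000, 3, 2, "Lisbon"),
    (2, "flat", 120000, 1, 1, "Porto"),
    (5, "villa", 900000, 5, 4, "Faro"),
    (7, "flat", 180000, 2, 1, "Lisbon"),
]


def open_sample_db():
    """In-memory SQLite database standing in for the script's real backend."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE listings (id INTEGER PRIMARY KEY, type TEXT, price INTEGER,"
        " bedroom INTEGER, bathroom INTEGER, city TEXT)"
    )
    conn.executemany("INSERT INTO listings VALUES (?, ?, ?, ?, ?, ?)", SAMPLE_LISTINGS)
    return conn


def parse_positive_int(raw, name, upper=None):
    """Accept only ASCII digits; a value such as 5'SQL INJECTION is refused."""
    if not (raw.isascii() and raw.isdigit()) or int(raw) < 1:
        raise ValueError(f"{name} must be a positive integer")
    value = int(raw)
    if upper is not None and value > upper:
        raise ValueError(f"{name} exceeds {upper}")
    return value


def build_search_query(params):
    """Return (sql, bound_params) for item, page, search_order, search_ordermethod.

    Raises ValueError rather than ever interpolating untrusted text into SQL.
    """
    # item = results per page, page = page number: both numeric, both bound.
    item = parse_positive_int(params.get("item", "10"), "item", MAX_ITEMS_PER_PAGE)
    page = parse_positive_int(params.get("page", "1"), "page")

    order_col = params.get("search_order", "type")
    if order_col not in ALLOWED_ORDER_COLUMNS:
        raise ValueError("search_order is not a sortable column")
    order_dir = ALLOWED_ORDER_METHODS.get(params.get("search_ordermethod", "asc").lower())
    if order_dir is None:
        raise ValueError("search_ordermethod must be asc or desc")

    # id as a secondary key keeps paging deterministic when the sort column ties.
    sql = (
        "SELECT id, type, price FROM listings "
        f"ORDER BY {order_col} {order_dir}, id LIMIT ? OFFSET ?"
    )
    return sql, (item, (page - 1) * item)


def run_search(params):
    """Execute a validated search and return the matching listing ids in order."""
    sql, bound = build_search_query(params)
    conn = open_sample_db()
    try:
        return [row[0] for row in conn.execute(sql, bound)]
    finally:
        conn.close()


def is_rejected(params):
    """True when the request is refused before any SQL text is built."""
    try:
        build_search_query(params)
    except ValueError:
        return True
    return False
```

Each of the three proof-of-concept values from the post is rejected by is_rejected(), while the unmodified query string from the same URLs paginates normally.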
[Full-disclosure] [USN-645-3] Firefox and xulrunner regression
===========================================================
Ubuntu Security Notice USN-645-3                  September 25, 2008
firefox-3.0, xulrunner-1.9 regression
https://launchpad.net/bugs/270429
===========================================================

A security issue affects the following Ubuntu releases:

Ubuntu 8.04 LTS

This advisory also applies to the corresponding versions of Kubuntu, Edubuntu, and Xubuntu.

The problem can be corrected by upgrading your system to the following package versions:

Ubuntu 8.04 LTS:
  firefox        3.0.3+build1+nobinonly-0ubuntu0.8.04.1
  xulrunner-1.9  1.9.0.3+build1+nobinonly-0ubuntu0.8.04.1

After a standard system upgrade you need to restart Firefox and any applications that use xulrunner, such as Epiphany, to effect the necessary changes.

Details follow:

USN-645-1 fixed vulnerabilities in Firefox and xulrunner. The upstream patches introduced a regression in the saved password handling. While password data was not lost, if a user had saved any passwords with non-ASCII characters, Firefox could not access the password database. This update fixes the problem.

We apologize for the inconvenience.

Original advisory details:

Justin Schuh, Tom Cross and Peter Williams discovered errors in the Firefox URL parsing routines. If a user were tricked into opening a crafted hyperlink, an attacker could overflow a stack buffer and execute arbitrary code. (CVE-2008-0016)

It was discovered that the same-origin check in Firefox could be bypassed. If a user were tricked into opening a malicious website, an attacker may be able to execute JavaScript in the context of a different website. (CVE-2008-3835)

Several problems were discovered in the JavaScript engine. This could allow an attacker to execute scripts from page content with chrome privileges. (CVE-2008-3836)

Paul Nickerson discovered Firefox did not properly process mouse click events. If a user were tricked into opening a malicious web page, an attacker could move the content window, which could potentially be used to force a user to perform unintended drag and drop operations. (CVE-2008-3837)

Several problems were discovered in the browser engine. This could allow an attacker to execute code with chrome privileges. (CVE-2008-4058, CVE-2008-4059, CVE-2008-4060)

Drew Yao, David Maciejak and other Mozilla developers found several problems in the browser engine of Firefox. If a user were tricked into opening a malicious web page, an attacker could cause a denial of service or possibly execute arbitrary code with the privileges of the user invoking the program. (CVE-2008-4061, CVE-2008-4062, CVE-2008-4063, CVE-2008-4064)

Dave Reed discovered a flaw in the JavaScript parsing code when processing certain BOM characters. An attacker could exploit this to bypass script filters and perform cross-site scripting attacks. (CVE-2008-4065)

Gareth Heyes discovered a flaw in the HTML parser of Firefox. If a user were tricked into opening a malicious web page, an attacker could bypass script filtering and perform cross-site scripting attacks. (CVE-2008-4066)

Boris Zbarsky and Georgi Guninski independently discovered flaws in the resource: protocol. An attacker could exploit this to perform directory traversal, read information about the system, and prompt the user to save information in a file. (CVE-2008-4067, CVE-2008-4068)

Billy Hoffman discovered a problem in the XBM decoder. If a user were tricked into opening a malicious web page or XBM file, an attacker may be able to cause a denial of service via application crash. (CVE-2008-4069)

Updated packages for Ubuntu 8.04 LTS:
[Full-disclosure] Cross Site Scripting (XSS) Vulnerabilitiy in flatpress 0.804, CVE-2008-4120
Cross Site Scripting (XSS) Vulnerability in flatpress 0.804, CVE-2008-4120

References
http://www.datensalat.eu/~fabian/cve/CVE-2008-4120-flatpress.html
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-4120
http://www.flatpress.org/

Description
FlatPress is an open-source, standards-compliant, multilingual, extensible blogging engine which does not require a database management system to work.

Example
Assuming flatpress is installed on http://localhost/flatpress/, anybody could inject JavaScript:

http://localhost/flatpress/login.php
http://localhost/flatpress/login.php
http://localhost/flatpress/contact.php

Workaround/Fix
Update to 0.804.1.

Disclosure Timeline
2008-09-25 Vendor contacted
2008-09-25 Vendor released 0.804.1
2008-09-25 Published advisory

CVE Information
The Common Vulnerabilities and Exposures (CVE) project has assigned the name CVE-2008-4120 to this issue. This is a candidate for inclusion in the CVE list (http://cve.mitre.org/), which standardizes names for security problems.

Credits and copyright
This vulnerability was discovered by Fabian Fingerle (published with help from Hanno Boeck [0]). It's licensed under the creative commons attribution license [1].

Fabian Fingerle, 2008-09-25, http://www.fabian-fingerle.de

[0] http://www.hboeck.de
[1] http://creativecommons.org/licenses/by/3.0/de/
[Full-disclosure] Caixa Economica Federal (CEF) USERNAME BruteForce
The Clube dos Macacos (CDM) proudly presents...

.:[CEF USERNAME BruteForce]:.

As everyone already knows, the Internet banking system of Caixa Economica Federal (CEF) has several vulnerabilities. One of them allows attackers to carry out "BruteForce" attacks to discover valid usernames. In addition, it is also possible to obtain the full name of account holders, which sends the whole computer-registration system down the drain.

.: Proof of Concept (PoC) :.

Log in to a CAIXA account (USERNAME and PASSWORD); then, without ending the session, enter a new USERNAME (test with a valid user). Note that the system will not ask for a password. The account from the first session will be opened with the full name of the account holder from the second session (if the USERNAME is valid).

DEMONSTRATION VIDEO AT: http://rapidshare.com/files/148315828/CEF.BruteForce.PWNED.zip.html (.avi file)

.: Conclusion :.

With this, one can grab account holders' data, carry out "BruteForce" attacks, etc.

.: Acknowledgements :.

To the great Brazilian "hacker" Glaudson O. Campos (Nash Leon), who will be featured in the next edition of ISTWH. NASH LEON PWNED!

To the folks at CDM and MOTD (inferninho, we're watching you).
[Full-disclosure] Google Docs (HTML code) Multiple Cross Site Scripting Vulnerabilities
Google Docs (HTML code) Multiple Cross Site Scripting Vulnerabilities

I. Background:
Google Docs is an online application which makes it possible to "Create and share your work online". You can use it to create Documents, Presentations, Spreadsheets and Forms.

II. Description:
Multiple cross site scripting vulnerabilities were identified in Google Docs. A remote attacker could write a malformed document and invite, through the Google Docs sharing option, other users to see it in order to obtain their cookies. It's also possible to publish this malformed document and send its link around the web.

III. Details:
Google Docs makes it possible to create a new document. When a user creates a new document he has the possibility to change its HTML code through the Edit Html option. An attacker can make a malformed document using decimal HTML entities (without semicolons) and hexadecimal entities (with semicolons) to bypass anti-XSS filters.

Example:
(decimal HTML entity)
(hexadecimal HTML entity)

Please note: the IMG tag isn't the only one affected, it's just an example.

The attacker then will save his job and can share this document with someone else or send the document link to the victim to obtain his cookie.

IV. Vendor Response:
Google has been informed and has deployed a fix for these vulnerabilities.

V. Disclosure timeline:
23/08/08 - Vulnerabilities discovered
25/08/08 - Google informed
25/08/08 - Automatic reply from Google received
24/09/08 - Ask Google for updates
25/09/09 - Google fixed all vulnerabilities submitted

Regards
Alfredo Melloni
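The bypass described in section III works against any filter that inspects attribute text before the browser's entity decoding has run: a decimal reference without its semicolon and a hexadecimal reference with one both render as the same character. The following is an added example written for this digest, not Google's filter; the rules, helper names and sample IMG fragments are constructed, and the encoded value is a harmless javascript:void(0) URL used only to show the two filters disagreeing.

```python
"""Entity canonicalization before XSS filtering, the gap the advisory describes.

Added example, not Google's code: the filter rules, helper names and sample
document fragments below are constructed for this demonstration.
"""
import html
import re

# URL schemes that must not appear in attributes such as src/href after decoding.
FORBIDDEN_SCHEMES = ("javascript:", "vbscript:", "data:")
# Matches  name="value"  attribute pairs inside a tag (constructed, simplified).
ATTR_RE = re.compile(r'(\w+)\s*=\s*"([^"]*)"')
EVENT_HANDLER_RE = re.compile(r"^on\w+$", re.IGNORECASE)
# Browsers drop tabs, newlines and leading control characters when parsing a
# URL; stripping every C0 control and space is deliberately over-conservative.
CONTROL_RE = re.compile(r"[\x00-\x20]")


def canonicalize(value):
    """Decode entities until the text stops changing, then normalize.

    html.unescape() accepts decimal references without a trailing semicolon
    (&#106) as well as hexadecimal ones with it (&#x6A;), so both spellings
    named in the advisory collapse to the same characters before matching.
    The loop also defeats double encoding such as &amp;#106;.
    """
    previous = None
    while previous != value:
        previous, value = value, html.unescape(value)
    return CONTROL_RE.sub("", value).lower()


def attribute_is_dangerous(name, value):
    """Decision shared by both filters once a value has been normalized."""
    return bool(EVENT_HANDLER_RE.match(name)) or value.startswith(FORBIDDEN_SCHEMES)


def naive_filter_flags(fragment):
    """Filter that matches the raw attribute text: encoded values slip past."""
    return any(attribute_is_dangerous(n, v.lower()) for n, v in ATTR_RE.findall(fragment))


def canonical_filter_flags(fragment):
    """Same rules applied after canonicalize(): encoded values are caught."""
    return any(attribute_is_dangerous(n, canonicalize(v)) for n, v in ATTR_RE.findall(fragment))


# Constructed fragments: the same javascript: URL spelled three ways, plus a
# benign image whose alt text legitimately contains an entity.
PLAIN = '<img src="javascript:void(0)">'
DECIMAL_NO_SEMICOLON = '<img src="&#106&#97&#118&#97&#115&#99&#114&#105&#112&#116:void(0)">'
HEX_WITH_SEMICOLON = '<img src="&#x6A;&#x61;&#x76;&#x61;&#x73;&#x63;&#x72;&#x69;&#x70;&#x74;:void(0)">'
BENIGN = '<img src="https://example.invalid/pic.png" alt="Fish &amp; chips">'


def compare_filters(fragment):
    """Return (naive_result, canonical_result) for one fragment."""
    return naive_filter_flags(fragment), canonical_filter_flags(fragment)
```

Run compare_filters() over the four constructed fragments: the naive filter flags only PLAIN, the canonicalizing one flags all three javascript: spellings and still passes BENIGN.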