Re: [Full-disclosure] n3td3v warns sans is being brought into disrepute by pauldotcom

2008-11-10 Thread infolookup
N3td3v,

What notable security worthy thing have you done lately? Both Paul and Larry 
IMHO are good at what they do, if not how else would they survive, if you try to 
do security for a living you will get far less than the guy on the corner 
asking for money.
Sent from my Verizon Wireless BlackBerry

-Original Message-
From: nnp [EMAIL PROTECTED]

Date: Sat, 8 Nov 2008 23:26:28 
To: n3td3v[EMAIL PROTECTED]
Cc: full-disclosure@lists.grok.org.uk
Subject: Re: [Full-disclosure] n3td3v warns sans is being brought into
disrepute by pauldotcom


Idiot says something about group I haven't heard of.

Learn to use line breaks arsehole!

On Sat, Nov 8, 2008 at 6:47 PM, n3td3v [EMAIL PROTECTED] wrote:
 pauldotcom are gangsters masquerading as security professionals, this
 is the opinion of n3td3v. they have a bad name not only because of
 n3td3v but its widely thought by others that pauldotcom are
 questionable entities, this is why n3td3v believes that its a bad
 thing that sans are associated with them, and in time could start to
 bring down the respected name of the sans institute. there are already
 misdemeanors who have managed to get into sans through the internet
 storm center door who are in support of pauldotcom enterprises. n3td3v
 predicts the longer sans are associated with pauldotcom the greater
 they eat away at the credibility and respect that sans built up before
 pauldotcom came onto the scene. there are good people at sans and this
 is why n3td3v is concerned that the good people at sans are being
 bought into disrepute because of pauldotcom and entities who have
 crept into sans through the sans handlers gateway. n3td3v suggests
 both sides consider their positions before moving forward and having
 future association with one another. there have been multiple reports
 on the full-disclosure list that pauldotcom hasn't been upto scratch,
 its time for sans to start to take feedback seriously that is being
 presented to them and consider dropping pauldotcom as a partner of the
 sans brand.

 ___
 Full-Disclosure - We believe in it.
 Charter: http://lists.grok.org.uk/full-disclosure-charter.html
 Hosted and sponsored by Secunia - http://secunia.com/




-- 
http://www.unprotectedhex.com
http://www.smashthestack.org



[Full-disclosure] Collabtive 0.4.8 Multiple Vulnerabilities

2008-11-10 Thread ascii
Collabtive 0.4.8 Multiple Vulnerabilities

 Name              Multiple Vulnerabilities in Collabtive
 Systems Affected  Collabtive 0.4.8 and possibly earlier versions
 Severity          High
 Impact (CVSSv2)   High 8/10, vector: (AV:N/AC:L/Au:S/C:P/I:C/A:P)
 Vendor            http://collabtive.o-dyn.de/
 Advisory          http://www.ush.it/team/ush/hack-collabtive048/adv.txt
 Authors           Antonio "s4tan" Parata (s4tan AT ush DOT it)
                   Francesco "ascii" Ongaro (ascii AT ush DOT it)
                   Giovanni "evilaliv3" Pellerano (evilaliv3 AT
                   digitalbullets DOT org)
 Date              20080925

I. BACKGROUND

From the Collabtive web site: "Collabtive is collaborative software to
get your projects done!".

II. DESCRIPTION

Multiple vulnerabilities exist in Collabtive software.

III. ANALYSIS

Summary:

 A) Stored Cross Site Scripting
 B) Forceful browsing authentication bypass
 C) Arbitrary file upload

A) Stored Cross Site Scripting

A stored XSS vulnerability exists in the /admin.php?action=projects
section.

Once the attacker specifies an XSS attack vector, like
<script>alert(0);</script>, as the Name property of a project then
an XSS vulnerability occurs because the projects' Name fields are
stored and printed without any filtering.

While the cited section poses limits on the Name field when
reflecting the XSS payload, clicking on the edit link
/manageproject.php?action=editform&id=projectId results in a page
without limitations on the characters shown thus allowing complete
exploitation.

This vulnerability requires administrator authentication.

CSRF+XSS and timing (JS) can be used to successfully exploit this
vulnerability in an automated manner.

B) Forceful browsing authentication bypass

An authentication bypass vulnerability exists in
/admin.php?action=users&mode=added. Directly pointing to that URL
shows an error, however at the bottom of the page there is a web
form that permits creating new users with full privileges.

With this vulnerability an attacker without any valid credentials can
create a new valid administrator.

Since this vulnerability has been discovered the exploitation
prerequisites changed as detailed below:

- A bug fix in the latest version 0.4.8 now requires globals on in
order to exploit this vulnerability.

- In version 0.4.6 instead the vulnerability is exploitable regardless
of the globals settings.

C) Arbitrary file upload

It's possible to upload arbitrary files with arbitrary extensions.
An attacker that has not already gained Administration privileges using
the previously exposed vulnerabilities must be assigned to at least one
project.

To upload a file go to /managefile.php?action=showproject&id=projectId
and add a new file.

If a file with .php extension is uploaded then the mimetype will be
php/plain and the program will change the extension to .txt in order
to prevent exploitation.

This security control can be bypassed changing the mimetype to
text/plain, in this way the application will believe that a normal .txt
file was uploaded and the extension will not be changed.

The uploaded file resides in /files/projectId/filename_$seed.php.

An authenticated attacker will simply see the seed (and the complete
filename) using the web interface and can directly execute it.

In case of unauthenticated attackers the filename must be guessed.
Luckily the make_seed() routine leaks real random properties and is
only based on the time. $seed can be easily bruteforced using values
that are likely to match the return derived by the microtime() of the
upload.

    private function make_seed()
    {
        list($usec, $sec) = explode(' ', microtime());
        $value = (float) $sec + ((float) $usec * 10);
        return $value;
    }

As easily understandable $seed can be guessed in really few tries. The
same vulnerability exists when attaching a file in the Messages
section.

This vulnerability can also be exploited via CSRF.

IV. DETECTION

Collabtive 0.4.8 and possibly earlier versions are vulnerable.

V. WORKAROUND

Proper input validation will fix the vulnerabilities.

VI. VENDOR RESPONSE

No fix available.

VII. CVE INFORMATION

No CVE at this time.

VIII. DISCLOSURE TIMELINE

20080926 Initial vendor contact (No Response)
20081003 Second vendor contact (No Response)
20081010 Third vendor contact
20081010 Vendor response (Fix promised for the end of October)
20081010 Vendor contact to sync disclosure time (No response)
20081110 Advisory released (Fix not available)

IX. CREDIT

Antonio "s4tan" Parata, Francesco "ascii" Ongaro and
Giovanni "evilaliv3" Pellerano are credited with the discovery of this
vulnerability.

Antonio "s4tan" Parata
web site: http://www.ictsc.it/
mail: s4tan AT ictsc DOT it, s4tan AT ush DOT it

Francesco "ascii" Ongaro
web site: http://www.ush.it/
mail: ascii AT ush DOT it

Giovanni "evilaliv3" Pellerano
mail: evilaliv3 AT digitalbullets DOT org

X. LEGAL NOTICES

Copyright (c) 2008 Francesco "ascii" Ongaro

Permission is granted for the redistribution
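
Added example, not part of the advisory and not Collabtive's code: one way to close the two weaknesses that section C above relies on, namely trusting the client-supplied MIME type and deriving the stored file name from microtime(). The allow-list, the function names and the storage directory are assumptions made for illustration.

```php
<?php
// Added example (not Collabtive code). The extension allow-list, function
// names and the storage layout are assumptions made for illustration.

const ALLOWED_EXTENSIONS = ['txt', 'pdf', 'png', 'jpg', 'gif', 'zip'];

// Pattern quoted in the advisory, kept for comparison: the value depends
// only on the clock, so it offers no secrecy to the stored file name.
function clock_seed(): float
{
    list($usec, $sec) = explode(' ', microtime());
    return (float) $sec + ((float) $usec * 10);
}

// Choose the stored extension from the submitted file name against an
// allow-list. The client-supplied MIME type ($_FILES[...]['type']) is never
// consulted, because the uploader controls it.
function stored_extension(string $clientName): string
{
    $ext = strtolower(pathinfo($clientName, PATHINFO_EXTENSION));
    return in_array($ext, ALLOWED_EXTENSIONS, true) ? $ext : 'bin';
}

// Replace the whole client file name with 128 bits from the OS CSPRNG, so
// the stored name carries no uploader-chosen part and cannot be derived
// from the upload time.
function stored_name(string $clientName): string
{
    return bin2hex(random_bytes(16)) . '.' . stored_extension($clientName);
}

// Store one entry of $_FILES. $storageDir is assumed to sit outside the web
// root (or to have script execution disabled), with downloads served through
// a handler that checks project membership.
function store_upload(array $file, string $storageDir): string
{
    if ($file['error'] !== UPLOAD_ERR_OK || !is_uploaded_file($file['tmp_name'])) {
        throw new RuntimeException('upload rejected');
    }
    $name = stored_name($file['name']);
    if (!move_uploaded_file($file['tmp_name'], $storageDir . '/' . $name)) {
        throw new RuntimeException('could not store upload');
    }
    return $name;
}

// Constructed sample names; run from the command line: php example.php
if (PHP_SAPI === 'cli') {
    foreach (['notes.txt', 'report.PDF', 'page.php', 'page.php.txt', 'x.phtml'] as $n) {
        printf("%-14s -> %s\n", $n, stored_name($n));
    }
    printf("clock-derived value for comparison: %s\n", clock_seed());
}
```

Names ending in .php or .phtml are stored with a .bin extension, and page.php.txt keeps only .txt because the original base name is discarded.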

[Full-disclosure] List Charter

2008-11-10 Thread John Cartwright

[Full-Disclosure] Mailing List Charter
John Cartwright [EMAIL PROTECTED]
 

- Introduction & Purpose -

This document serves as a charter for the [Full-Disclosure] mailing 
list hosted at lists.grok.org.uk.

The list was created on 9th July 2002 by Len Rose, and is primarily 
concerned with security issues and their discussion.  The list is 
administered by John Cartwright.

The Full-Disclosure list is hosted and sponsored by Secunia.


- Subscription Information -

Subscription/unsubscription may be performed via the HTTP interface 
located at http://lists.grok.org.uk/mailman/listinfo/full-disclosure.

Alternatively, commands may be emailed to 
[EMAIL PROTECTED], send the word 'help' in 
either the message subject or body for details.

 
- Moderation & Management -

The [Full-Disclosure] list is unmoderated. Typically posting will be
restricted to members only, however the administrators may choose to 
accept submissions from non-members based on individual merit and 
relevance.

It is expected that the list will be largely self-policing, however in
special circumstances (eg spamming, misappropriation) then offending 
members may be removed from the list by the management.

An archive of postings is available at 
http://lists.grok.org.uk/pipermail/full-disclosure/.
 

- Acceptable Content -

Any information pertaining to vulnerabilities is acceptable, for 
instance announcement and discussion thereof, exploit techniques and 
code, related tools and papers, and other useful information.

Gratuitous advertisement, product placement, or self-promotion is 
forbidden.  Disagreements, flames, arguments, and off-topic discussion 
should be taken off-list wherever possible.

Humour is acceptable in moderation, providing it is inoffensive. 
Politics should be avoided at all costs.

Members are reminded that due to the open nature of the list, they 
should use discretion in executing any tools or code distributed via
this list.
 

- Posting Guidelines -

The primary language of this list is English. Members are expected to 
maintain a reasonable standard of netiquette when posting to the list. 

Quoting should not exceed that which is necessary to convey context, 
this is especially relevant to members subscribed to the digested 
version of the list.

The use of HTML is discouraged, but not forbidden. Signatures will 
preferably be short and to the point, and those containing 
'disclaimers' should be avoided where possible.

Attachments may be included if relevant or necessary (e.g. PGP or 
S/MIME signatures, proof-of-concept code, etc) but must not be active 
(in the case of a worm, for example) or malicious to the recipient.

Vacation messages should be carefully configured to avoid replying to 
list postings. Offenders will be excluded from the mailing list until 
the problem is corrected.

Members may post to the list by emailing 
[EMAIL PROTECTED] Do not send subscription/
unsubscription mails to this address, use the -request address 
mentioned above.


- Charter Additions/Changes -

The list charter will be published at 
http://lists.grok.org.uk/full-disclosure-charter.html.

In addition, the charter will be posted monthly to the list by the 
management.

Alterations will be made after consultation with list members and a 
consensus has been reached.



Re: [Full-disclosure] n3td3v warns sans is being brought into disrepute by pauldotcom

2008-11-10 Thread n3td3v
On Mon, Nov 10, 2008 at 2:30 PM,  [EMAIL PROTECTED] wrote:
 On Sun, 09 Nov 2008 17:48:40 GMT, n3td3v said:
 Are you declaring yourself an enemy of n3td3v?

 Hint: All your friends are on your n3td3v list, not here.


they're not my friends, they are silly vt.edu network admins who post
philosophical replies to everything on full-disclosure.



[Full-disclosure] n3td3vil3d 3ggs

2008-11-10 Thread Trollie Fingers
Every time you reply to n3td3v he lays an egg.

Re: [Full-disclosure] n3td3vil3d 3ggs

2008-11-10 Thread n3td3v
When is she due to hatch?

On Mon, Nov 10, 2008 at 3:43 PM, Trollie Fingers
[EMAIL PROTECTED] wrote:
 I just laid one.  How about you?

 On Mon, Nov 10, 2008 at 10:40 AM, n3td3v [EMAIL PROTECTED] wrote:

 What if I reply to you, do we both lay eggs?

 On Mon, Nov 10, 2008 at 3:23 PM, Trollie Fingers
 [EMAIL PROTECTED] wrote:
  Every time you reply to n3td3v he lays an egg.
 
 





Re: [Full-disclosure] n3td3v warns sans is being brought into disrepute by pauldotcom

2008-11-10 Thread n3td3v
On Mon, Nov 10, 2008 at 4:30 PM,  [EMAIL PROTECTED] wrote:
 On Mon, 10 Nov 2008 15:14:46 GMT, n3td3v said:
 On Mon, Nov 10, 2008 at 2:30 PM,  [EMAIL PROTECTED] wrote:
  On Sun, 09 Nov 2008 17:48:40 GMT, n3td3v said:
  Are you declaring yourself an enemy of n3td3v?
 
  Hint: All your friends are on your n3td3v list, not here.
 

 they're not my friends, they are silly vt.edu network admins who post
 philosophical replies to everything on full-disclosure.

 Oh, so you finally figured out whether or not I'm also trolling your n3td3v
 list? :)


So you admit you're a troll then? :)



Re: [Full-disclosure] n3td3v warns sans is being brought into disrepute by pauldotcom

2008-11-10 Thread Trollie Fingers
(egg)

On Mon, Nov 10, 2008 at 11:45 AM, n3td3v [EMAIL PROTECTED] wrote:

 On Mon, Nov 10, 2008 at 4:30 PM,  [EMAIL PROTECTED] wrote:
  On Mon, 10 Nov 2008 15:14:46 GMT, n3td3v said:
  On Mon, Nov 10, 2008 at 2:30 PM,  [EMAIL PROTECTED] wrote:
   On Sun, 09 Nov 2008 17:48:40 GMT, n3td3v said:
   Are you declaring yourself an enemy of n3td3v?
  
   Hint: All your friends are on your n3td3v list, not here.
  
 
  they're not my friends, they are silly vt.edu network admins who post
  philosophical replies to everything on full-disclosure.
 
  Oh, so you finally figured out whether or not I'm also trolling your
 n3td3v
  list? :)
 

 So you admit you're a troll then? :)



Re: [Full-disclosure] n3td3v warns sans is being brought into disrepute by pauldotcom

2008-11-10 Thread Valdis . Kletnieks
On Sun, 09 Nov 2008 17:48:40 GMT, n3td3v said:
 Are you declaring yourself an enemy of n3td3v?

Hint: All your friends are on your n3td3v list, not here.



Re: [Full-disclosure] n3td3vil3d 3ggs

2008-11-10 Thread n3td3v
What if I reply to you, do we both lay eggs?

On Mon, Nov 10, 2008 at 3:23 PM, Trollie Fingers
[EMAIL PROTECTED] wrote:
 Every time you reply to n3td3v he lays an egg.





[Full-disclosure] [SECURITY] [DSA 1664-1] New ekg packages fix denial of service

2008-11-10 Thread Moritz Muehlenhoff
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

- 
Debian Security Advisory DSA-1664-1  [EMAIL PROTECTED]
http://www.debian.org/security/   Moritz Muehlenhoff
November 10, 2008 http://www.debian.org/security/faq
- 

Package: ekg
Vulnerability  : missing input sanitising
Problem-Type   : remote
Debian-specific: no
CVE ID : CVE-2008-4776

It was discovered that ekg, a console Gadu Gadu client, performs
insufficient input sanitising in the code to parse contact descriptions,
which may result in denial of service.

For the stable distribution (etch), this problem has been fixed in
version 1:1.7~rc2-1etch2.

For the unstable distribution (sid) and the upcoming stable distribution
(lenny), this problem has been fixed in version 1:1.8~rc1-2 of libgadu. 

We recommend that you upgrade your ekg package.

Upgrade instructions
- 

wget url
        will fetch the file for you
dpkg -i file.deb
        will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given below:

apt-get update
        will update the internal database
apt-get upgrade
        will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.


Debian GNU/Linux 4.0 alias etch
- ---

Stable updates are available for alpha, amd64, arm, hppa, i386, ia64, mips, 
mipsel, powerpc, s390 and sparc.


Re: [Full-disclosure] question

2008-11-10 Thread James Matthews
The usual here these days.

On Mon, Nov 10, 2008 at 12:54 AM, vulcanius [EMAIL PROTECTED] wrote:

 This is absolutely full of irony.


 On Sun, Nov 9, 2008 at 5:20 PM, n3td3v [EMAIL PROTECTED] wrote:

 are you one of those weirdos who tries to speak on behalf of an email
 list and when a question is emailed to you, you don't answer it and
 instead attempt to get the list to answer it on your behalf that you
 think you're representing the opinion of?

 On Sun, Nov 9, 2008 at 9:58 PM, waveroad waveroad [EMAIL PROTECTED]
 wrote:
  Ask this question to your psy.
 
 
 
  2008/11/9, n3td3v [EMAIL PROTECTED]:
 
  what is your problem with me?
 
 
 








-- 
http://www.goldwatches.com/

http://www.jewelerslounge.com/

[Full-disclosure] This may be slightly OT....

2008-11-10 Thread Trollie Fingers
... but I am having issues replicating my DNA.  My clamp proteins are
losing contact with its template.  Does anyone know where I can find some
quality polymerase?

Re: [Full-disclosure] What Christianity means to me

2008-11-10 Thread Jubei Trippataka
On Sat, Nov 8, 2008 at 8:55 AM, Michael Krymson [EMAIL PROTECTED] wrote:

 Valdis, if you're not careful, going down this route will lead a certain
 spammy/ranty/unwanted someone to have a defense for all his meandering and
 fitful email crap he sends daily. :)

 To respond, however, let me just say there is something to be said about
 exercising certain skills in appropriate places so as not to waste
 everyone's time and patience. Want an employee who can intelligently dive
 into metaphysics/religion/rhetoric? There are better places to look and/or
 test.



Intelligence and religion shouldn't be in the same sentence. To even
pretend, let alone believe, that some pathetic moron has an insight into
the mindset of a celestial dictator is ridiculous.

Religion may have been a foolish first attempt at science, but the fact that
it still has a place in modern times where science explains so much shows
how subservient people want to be.

-- 
ciao

JT

[Full-disclosure] [PLSA 2008-69] libpng: Denial of Service

2008-11-10 Thread Pınar Yanardağ

Pardus Linux Security Advisory 2008-69 [EMAIL PROTECTED]

  Date: 2008-11-11
  Severity: 1
  Type: Remote


Summary
===

A vulnerability has been reported in libpng, which can be exploited by
malicious people to cause a DoS (Denial of Service).


Description
===

The vulnerability is caused due to a memory leak error within the
png_handle_tEXt() function in pngrutil.c. This can be exploited to
potentially exhaust all available memory via a specially crafted PNG
image.



Affected packages:

  Pardus 2008:
libpng, all before 1.2.33-16-6


Resolution
==

There are update(s) for libpng. You can update them via Package Manager 
or with a single command from console: 

pisi up libpng

References
==

  * http://bugs.pardus.org.tr/show_bug.cgi?id=8565
  * http://secunia.com/advisories/32418/



-- 
Pardus Security Team
http://security.pardus.org.tr

