[Full-disclosure] [SECURITY] [DSA 1715-1] New moin packages fix insufficient input sanitising

2009-01-29 Thread Devin Carraway
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

- 
Debian Security Advisory DSA-1715                  secur...@debian.org
http://www.debian.org/security/   Steffen Joeris
January 29, 2009  http://www.debian.org/security/faq
- 

Package: moin
Vulnerability  : insufficient input sanitising
Problem type   : remote
Debian-specific: no
CVE ID : CVE-2009-0260 CVE-2009-0312
Debian Bug : 513158


It was discovered that the AttachFile action in moin, a python clone of
WikiWiki, is prone to cross-site scripting attacks (CVE-2009-0260).
Another cross-site scripting vulnerability was discovered in the
antispam feature (CVE-2009-0312).


For the stable distribution (etch) these problems have been fixed in
version 1.5.3-1.2etch2.

For the testing (lenny) distribution these problems have been fixed in
version 1.7.1-3+lenny1.

For the unstable (sid) distribution these problems have been fixed in
version 1.8.1-1.1.

We recommend that you upgrade your moin packages.

Upgrade instructions
- 

wget url
will fetch the file for you
dpkg -i file.deb
will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given below:

apt-get update
will update the internal database
apt-get upgrade
will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.


Debian GNU/Linux 4.0 alias etch
- ---

Debian (stable)
- ---

Stable updates are available for alpha, amd64, arm, hppa, i386, ia64, mips, 
mipsel, powerpc, s390 and sparc.

Source archives:

  
http://security.debian.org/pool/updates/main/m/moin/moin_1.5.3-1.2etch2.diff.gz
Size/MD5 checksum:40914 139bcec334ed7fbf1ca2bef3c89a8377
  http://security.debian.org/pool/updates/main/m/moin/moin_1.5.3.orig.tar.gz
Size/MD5 checksum:  4187091 e95ec46ee8de9527a39793108de22f7d
  http://security.debian.org/pool/updates/main/m/moin/moin_1.5.3-1.2etch2.dsc
Size/MD5 checksum:  671 7b24d6f694511840a0a9da0c9f33f5ad

Architecture independent packages:

  
http://security.debian.org/pool/updates/main/m/moin/python-moinmoin_1.5.3-1.2etch2_all.deb
Size/MD5 checksum:   914904 ab6158ae7010c3701859ceb26bd61bd2
  
http://security.debian.org/pool/updates/main/m/moin/moinmoin-common_1.5.3-1.2etch2_all.deb
Size/MD5 checksum:  1595112 a46561072eb0ee26ee1a71275c0e64b3


  These files will probably be moved into the stable distribution on
  its next update.

- 
-
For apt-get: deb http://security.debian.org/ stable/updates main
For dpkg-ftp: ftp://security.debian.org/debian-security 
dists/stable/updates/main
Mailing list: debian-security-annou...@lists.debian.org
Package info: `apt-cache show <pkg>' and http://packages.debian.org/
-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.9 (GNU/Linux)

iD8DBQFJgT3oU5XKDemr/NIRApQ9AJ4tYeY7WMIAUYHjmeryHoEo6HkecgCgmIU9
b7VcvgOvyalRLrZrejSKFQI=
=miAO
-END PGP SIGNATURE-

___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
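When a package is fetched by hand with wget and installed with dpkg -i, the advisory's Size/MD5 lines are the only thing tying the download to what the security team built. The following is an added example, not Debian tooling, that parses those lines and checks a local file against them. The first entry in the sample text is copied from the advisory above; the second entry, with the hypothetical package name example_0.0-1_all.deb, is constructed so the check can be exercised offline (its content is the three bytes "abc").

```python
"""Added example (not Debian's tooling): verify a manually fetched file
against the 'Size/MD5 checksum' lines of a Debian Security Advisory."""
import hashlib
import re
from typing import Dict, Tuple

# A URL line is followed by 'Size/MD5 checksum:  <size> <md5>'.  The amount
# of whitespace between the fields varies between archives, so be lenient.
_SUM_RE = re.compile(r'Size/MD5 checksum:\s*(\d+)\s+([0-9a-fA-F]{32})')


def parse_advisory_sums(text: str) -> Dict[str, Tuple[int, str]]:
    """Map the basename of each listed file to its (size, md5) pair."""
    sums: Dict[str, Tuple[int, str]] = {}
    pending_url = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith(('http://', 'https://', 'ftp://')):
            pending_url = line          # remember the URL, the sum follows
            continue
        m = _SUM_RE.search(line)
        if m and pending_url:
            name = pending_url.rsplit('/', 1)[-1]
            sums[name] = (int(m.group(1)), m.group(2).lower())
            pending_url = None
    return sums


def verify_package(sums: Dict[str, Tuple[int, str]], name: str, data: bytes) -> bool:
    """True only when both the size and the MD5 of data match the advisory.
    An unlisted name is a failure, not a pass."""
    if name not in sums:
        return False
    size, md5 = sums[name]
    return len(data) == size and hashlib.md5(data).hexdigest() == md5


# Sample advisory excerpt: first entry taken from DSA-1715 above, second
# entry constructed (hypothetical package, content b'abc').
SAMPLE_ADVISORY = """
  http://security.debian.org/pool/updates/main/m/moin/moin_1.5.3-1.2etch2.dsc
Size/MD5 checksum:  671 7b24d6f694511840a0a9da0c9f33f5ad
  http://security.debian.org/pool/updates/main/m/moin/example_0.0-1_all.deb
Size/MD5 checksum:  3 900150983cd24fb0d6963f7d28e17f72
"""

if __name__ == '__main__':
    sums = parse_advisory_sums(SAMPLE_ADVISORY)
    print(verify_package(sums, 'example_0.0-1_all.deb', b'abc'))   # True
    print(verify_package(sums, 'example_0.0-1_all.deb', b'abd'))   # False
```

The check catches a truncated or corrupted download and a mirror serving a different file, but MD5 is not collision-resistant, so the trust ultimately rests on the PGP signature over the advisory text that carries these sums; verify that signature first. Installing through apt from the security.debian.org line in the footer avoids the manual step entirely, since apt checks the signed Release files itself.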


[Full-disclosure] Drupal Imagefield Module Multiple Vulnerabilities

2009-01-29 Thread Justin C. Klein Keane
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

Drupal Imagefield Module Multiple Vulnerabilities

Security Risk: High
Exploitable: Remotely
Vulnerabilities:  Arbitrary File Upload, Cross Site Scripting
Discovered by:  Justin C. Klein Keane, Andrew Rosborough
Tested:  Imagefield 5.x-2.2 on Drupal 5.15

Description

Drupal (http://drupal.org) is a robust content management system (CMS)
that provides extensibility through hundreds of third party modules.
While the security of Drupal core modules is vetted by a central
security team(http://drupal.org/security), third party modules are not
reviewed for security.

The Imagefield module (http://drupal.org/project/imagefield) is a module
that extends the Drupal CCK (Content Creation Kit) module
(http://www.drupal.org/project/cck) by allowing users to add image
fields to custom content types.


Arbitrary File Upload Vulnerability

Two flaws exist in this module.  The first flaw allows for an attacker
to upload arbitrary files to the filesystem.  The vulnerability allows
attackers to upload arbitrary files in place of the 'Default image'
specified in the Imagefield specifications for a content type field.
Files are uploaded to Drupal's /files/imagefield_default_files/
directory on a default installation (with files specified as the default
upload directory through Drupal's administrative configuration - this
may vary).

Mitigating Factors

Attackers must be authenticated with an account that has 'administer
content types' permissions.  Additionally, Drupal protects the files
directory, and subdirectories with an .htaccess file located in the
files directory that specifies:

SetHandler Drupal_Security_Do_Not_Remove_See_SA_2006_006
Options None
Options +FollowSymLinks

This will prevent the direct execution of PHP files.  Additionally
Drupal's file_check_upload() function munges the file extensions that
match PHP, PL, PY, CGI, ASP, and JS with the following code:

// Rename potentially executable files, to help prevent exploits.
if (preg_match('/\.(php|pl|py|cgi|asp|js)$/i', $file->filename) &&
 (substr($file->filename, -4) != '.txt')) {
  $file->filemime = 'text/plain';
  $file->filepath .= '.txt';
  $file->filename .= '.txt';
  }

Exploiting the File Upload Vulnerability

To exploit the vulnerability:

1.  Log in as a user with 'Administer content types' privilege
2.  Click Administer -> Content Types
3.  Click 'Add content type'
4.  Fill in required text in the Identification, Submission and other
fieldsets
5.  Click 'Save content type' button
6.  Click 'edit' under the Operations column on the 'Administer' ->
'Content management' screen for the new content type
7.  Click 'Add field'
8.  Fill in the 'Name' text box in the 'Create new field' fieldset and
select the 'Image' radio button
9.  Click the 'Create field' button
10.  In the next screen (assuming the new field was named 'test' and the
new type was named 'test' this will be in Home > Administer > Content
management > Content types > test) scroll down to the 'Data settings'
fieldset
11.  Click the 'Browse' button in the 'Default image' fieldset and
select a file from your filesystem.
12.  Click 'Save field settings' button
13.  Log into your server and do a directory listing of the upload
directory to verify the new file has been uploaded.

# cd /var/www/html/drupal-5.15/files/imagefield_default_images/
# ls
-rw-rw-r-- 1 apache apache 18 2009-01-22 10:22 field_test_0.exe

14.  Browse to the file (assuming Drupal is running at the doc root):
http://192.168.0.50/files/imagefield_default_images/field_test_0.exe

Cross Site Scripting (XSS) Vulnerability

The Imagefield module also contains a XSS vulnerability in the 'Help'
field.  Any user with rights to administer content types can edit a
content type that contains an image field or create a content type that
contains an image field.  In the 'Widget settings' fieldset presented
during configuration of the specific image field a textarea labeled
'Help text:' is presented.  Arbitrary script can be entered into this
text area and it is not escaped.  This vulnerability is especially
dangerous because the script executes whenever a user creates new
content of the type with the XSS infected help text.  This potentially
exposes site administrators to the XSS attack.

--
Justin C. Klein Keane
http://www.MadIrish.net
-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.7 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iQD1AwUBSYG6EZEpbGy7DdYAAQJChgb+LUEHPrQ1GboCjvl7aKeUx7KRtu56IBnj
txM6pKTjBNI42iaTIKnMK+acBtcoN5TJhtyMsrOfjaLEFsjT08Sc0WQKk8H8LAMw
rb9qWO1L01MqnbyByUZSDltyV9BI4z5dI8ekjowsL6KcrZfGPCumBt8m+FuzxPLX
vXQ+huGZQihq3lmmbdd0gc83f6hvIG6MADha6yutv1tY0H0Y1B06ZAkizh+LUvhu
mY3u6LrIWZqnZr/NRAcsX09q+4AHp+3w8va/8kx7EixzkiWK8NwXGLL+MWatT5sq
zv/ZgrnspW4=
=zBEx
-END PGP SIGNATURE-

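The two Imagefield issues above, worked through as an added example (hypothetical code, not from the Imagefield module, Drupal core, or this advisory). The first function re-implements in Python the renaming rule quoted from Drupal's file_check_upload(), to show which names it leaves untouched; the second is an allowlist check for the 'Default image' upload that decides from the file's bytes rather than its name; the third output-encodes the 'Help text' before it is placed in the node form. All filenames and byte strings below are constructed samples.

```python
"""Added example: extension munging versus an image allowlist, and
output-encoding of admin-supplied help text.  Hypothetical code, not
Imagefield's or Drupal's; every input below is a constructed sample."""
import html
import re

# Python mirror of the rule quoted from Drupal 5's file_check_upload():
# a name that ENDS in one of these extensions gets '.txt' appended.
_EXEC_EXT = re.compile(r'\.(php|pl|py|cgi|asp|js)$', re.IGNORECASE)


def drupal5_rename(filename: str) -> str:
    """Rename only when the denylist regex matches the trailing extension."""
    if _EXEC_EXT.search(filename) and not filename.endswith('.txt'):
        return filename + '.txt'
    return filename   # 'field_test_0.exe', 'x.phtml', 'x.php.jpg' pass through


# Hypothetical allowlist for the 'Default image' field: identify the type
# from the leading bytes and require the extension to agree with it.
_IMAGE_MAGIC = {
    'png': (b'\x89PNG\r\n\x1a\n',),
    'gif': (b'GIF87a', b'GIF89a'),
    'jpg': (b'\xff\xd8\xff',),
}
_IMAGE_EXTS = {'png': {'png'}, 'gif': {'gif'}, 'jpg': {'jpg', 'jpeg'}}


def sniff_image_type(data: bytes):
    """Return 'png', 'gif' or 'jpg' from the file signature, else None."""
    for kind, signatures in _IMAGE_MAGIC.items():
        if any(data.startswith(sig) for sig in signatures):
            return kind
    return None


def is_acceptable_default_image(filename: str, data: bytes) -> bool:
    """Accept only <name>.<imageext> whose bytes carry the matching signature.
    Exactly one dot: rejects 'shell.php.png' and dotfiles such as '.htaccess'."""
    parts = filename.lower().split('.')
    if len(parts) != 2 or not parts[0]:
        return False
    kind = sniff_image_type(data)
    return kind is not None and parts[1] in _IMAGE_EXTS[kind]


def render_help_text(help_text: str) -> str:
    """Output-encode the field's help text before it goes into the node form,
    so text typed by a content-type administrator cannot run as script in
    the browser of every user who later creates content of that type."""
    return '<div class="description">%s</div>' % html.escape(help_text, quote=True)


# Constructed samples (not real uploads): a PNG signature and a PE header.
PNG_STUB = b'\x89PNG\r\n\x1a\n' + b'\x00' * 16
EXE_STUB = b'MZ' + b'\x00' * 16

if __name__ == '__main__':
    for name in ('field_test_0.exe', 'shell.php', 'shell.phtml'):
        print(name, '->', drupal5_rename(name))
    print(is_acceptable_default_image('logo.png', PNG_STUB))          # True
    print(is_acceptable_default_image('field_test_0.exe', EXE_STUB))  # False
    print(render_help_text('<script>alert(1)</script>'))
```

The renaming rule is a denylist: the .exe from the advisory's listing passes through unchanged, as does any extension the regex does not name (for instance .phtml on servers that map it to PHP). The allowlist also refuses dotfiles, which matters here because the SetHandler protection the advisory relies on lives in an .htaccess file.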

Re: [Full-disclosure] Drupal Imagefield Module Multiple Vulnerabilities

2009-01-29 Thread Valdis . Kletnieks
On Thu, 29 Jan 2009 09:15:46 EST, "Justin C. Klein Keane" said:

> Two flaws exist in this module.  The first flaw allows for an attacker
> to upload arbitrary files to the filesystem.  The vulnerability allows
> attackers to upload arbitrary files in place of the 'Default image'
> specified in the Imagefield specifications for a content type field.

> Attackers must be authenticated with an account that has 'administer
> content types' permissions.

Umm.. what's the risk here?  Does the flaw allow the attacker to upload
files that wouldn't be permitted even as the authorized account?  Seems if
they can administer content types, they can drop pretty much whatever they
want onto the server (possibly limited as to where in the tree though), and
all this does is let them drop stuff outside said tree?



Re: [Full-disclosure] Drupal Imagefield Module Multiple Vulnerabilities

2009-01-29 Thread Justin C. Klein Keane
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

Hello,

  in one scenario you allow a Drupal 5.x user to administer content
types - to set up new structures for node content.  This permission
doesn't allow the user to create content, to upload material, or to
interact with the filesystem in any way.  With the Imagefield module
installed this user can move non-image files onto the filesystem.
'Administer content types' privilege only lets a user set up new
structures for content nodes, not create content, or even upload
material to the filesystem, except for the 'default image' used in the
content type.  The flaw allows such a user to upload any number of
files, opening avenues to trigger local file inclusion vulnerabilities,
hosting malware, phishing, etc., etc.  The route to exploitation might
be oblique, but ideally it shouldn't exist at all.

Justin C. Klein Keane
http://www.MadIrish.net

valdis.kletni...@vt.edu wrote:
> On Thu, 29 Jan 2009 09:15:46 EST, "Justin C. Klein Keane" said:
> 
>> Two flaws exist in this module.  The first flaw allows for an attacker
>> to upload arbitrary files to the filesystem.  The vulnerability allows
>> attackers to upload arbitrary files in place of the 'Default image'
>> specified in the Imagefield specifications for a content type field.
> 
>> Attackers must be authenticated with an account that has 'administer
>> content types' permissions.
> 
> Umm.. what's the risk here?  Does the flaw allow the attacker to upload
> files that wouldn't be permitted even as the authorized account?  Seems if
> they can administer content types, they can drop pretty much whatever they
> want onto the server (possibly limited as to where in the tree though), and
> all this does is let them drop stuff outside said tree?
-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.7 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iQD1AwUBSYHgFpEpbGy7DdYAAQJCiQb+IluH+IhHZcvc3wNNsj2OrnZUUpS5jrpR
6inT0K6tExaH/hR2GQ7RzvFgC4iEgaRG6LbjqSC004q0wBrzM4/heS7QUPyL5PN5
uJXefyC/NJQNjKhaZ+0viC6fccwlbO72eTyghe6VzTHYN4IdiMwjB/cV62zZFBeA
n5ZPjqr61e7NGg20dZW7IigpjJjA4YJke2P3naYwKTgns5RY/yMjFYRJr1WA3fXt
0vRXKbERw1RHsgiwHxEAHG8uOgfMF5hncDCpSYw2fvSkIONvEhi5a4wWksHou3VH
SKn2WjZLvT4=
=GiiR
-END PGP SIGNATURE-



[Full-disclosure] CarolinaCon-V - March 13th-14th 2009

2009-01-29 Thread Vic Vandal
InfoSec professionals, h4x0rs, script kidz, posers, and government spies:

CarolinaCon is back for its 5th year!  For about the price of your average
movie admission with popcorn and a drink ($20), YOU are invited to join us
for yet another intimate and informative weekend of technology education.

This year's event will be held on the weekend of March 13th-14th, 2009.
The event will mostly occur at the Holiday Inn in Chapel Hill, NC.  Chapel
Hill is about 30 minutes from Raleigh, Durham, and Research Triangle Park.
For all the exciting details as they develop, stay tuned to: 
www.carolinacon.org

CarolinaCon is an annual technology conference whose mission/purpose is
to:
- provide "affordable" technology education sessions to the unwashed masses,
- deliver varied/informative/interesting presentations on a wide variety of
InfoSec/hacking/technology/science topics, and
- mix in enough entertainment and side contests/challenges to make for a
truly fun event.

CarolinaCon is proudly brought to you by The CarolinaCon Group. The
CarolinaCon Group is a non-profit organization registered in the state of
NC, dedicated to educating the local and global communities about
technology, information/network/computer security, and information rights.
The CarolinaCon Group is also closely associated with various 2600
chapters across NC, SC, TN, VA, LA, DC, and NY. Many of the volunteers who
help develop and deliver CarolinaCon come from those chapters.

The currently chosen list of exciting topics and esteemed presenters
includes:

International Hacker Community Studies - Professor Farnsworth
Software Reverse Engineering with the Leaf Framework - Chris
Anti-debugging: A Developers Perspective - txs
Detecting the Matrix: Hiding Virtual Machines from Malware - redspot
Attacking Layer 8: Client-side Penetration Testing - Chris Gates (CG), Vince 
Marvelli (g0ne)
The Security Assessment Methodology - Kellep Charles (KC)
Running Snort and ClamAV on your Wireless Router - ciscostu
Leveraging Metasploit through Nmap - Ryan Linn
The Day The Spam Stopped: The Srizbi Botnet Takedown - Alex Lanstein
The Ten Finger Discount: Philosophy and Ethics of Modern Piracy - mjg
Packing & The Friendly Skies - Deviant Ollam
Web-enabled: Smart Solution or Security Blunder - Deral Heiland
What does Mickey Mouse have to do with a Viral Outbreak in India? - Nick Fury

Other events currently on tap include:
Capture The Flag
Hacker Trivia
and others to be announced!

Where else can you have that much fun for $20 (that doesn't involve
mind-altering substances or Internet pr0n, cough)?

WARNING: Shameless (yet well-intentioned) pitch alert!!!
For the corporate-sponsored amongst you, for the first time we invite you
and/or your organization to demonstrate its philanthropic generosity by
sponsoring a "CarolinaCon scholarship".  In past years the CarolinaCon
staff and non-profit board has allowed some predetermined number of student
attendees on tight budgets to attend CarolinaCon for free.  But why should
we monopolize all the good karma and feelings of self-worth?  So if you
have a spare $20, consider donating it to this year's scholarship fund.
You'll sleep better knowing you helped someone in need, and you can
legitimately write it off as a charitable donation.  Here is a link to the
non-profit's filed articles of incorporation, for reference:
http://www.secretary.state.nc.us/corporations/Filings.aspx?PItemId=7889445
And if your company is feeling extremely saucy and generous, the non-profit
can accept donations to help buy equipment for future Cons.  Absolutely
no pressure to give here, but the Con barely breaks even annually and we
beg/borrow/steal LCD projectors, PA equipment, etc. in putting on the event
annually.  Again, NO PRESSURE!  We just figured we'd offer the "opportunity"
to help provide affordable education to others, for the first time in 5 years
of Con history.
On that note if you're a struggling student desperately seeking knowledge,
give the Con staff your best sob story at the door (heh) and apply for one
of our admission scholarships.

CarolinaCon-V - Be there or be l4m3!

Peace,
Vic



[Full-disclosure] rPSA-2009-0021-1 sudo

2009-01-29 Thread rPath Update Announcements
rPath Security Advisory: 2009-0021-1
Published: 2009-01-29
Products:
rPath Linux 2

Rating: Major
Exposure Level Classification:
Local Root Deterministic Privilege Escalation
Updated Versions:
sudo=conary.rpath@rpl:2/1.6.9p12-3.1-1

rPath Issue Tracking System:
https://issues.rpath.com/browse/RPL-2954

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0034

Description:
In previous versions of sudo, in a non-default configuration which
allows users in certain groups to run commands as other non-root
users, it is possible for non-root users to inappropriately gain
root privileges.  This has been fixed.

http://wiki.rpath.com/Advisories:rPSA-2009-0021

Copyright 2009 rPath, Inc.
This file is distributed under the terms of the MIT License.
A copy is available at http://www.rpath.com/permanent/mit-license.html



[Full-disclosure] Hackery Channel 01-09-01-LOLZ: Cat Spoofing against Flow Control

2009-01-29 Thread hack ery
Security Risk:  High
Exploitable: Local
Vulnerability: Arbitrary Flow Control Control, Cat Spoofing
Discovered by: The Hackery Channel
Tested: No

The Flow Control project is an access control project for a cat.  It
consists of a cat door, an electromagnetic latch, an access control device,
and image recognition software that allows Flow to enter the house, and only
when she is not carrying prey.  When Flow is within proximity of the door,
she passes through a light that casts a shadow on an area monitored by a
camera.  If the silhouette appears to be Flow without prey, access is
granted.

Cat Spoofing:  An attacker could potentially gain access by posing as a
kitty by placing a cut out of the kitty next to the light.

Mitigation: None.
Work around: Guard dog
Vendor Notified: No
Vendor Site: http://www.quantumpicture.com/Flo_Control/flo_control.htm

[Full-disclosure] [USN-715-1] Linux kernel vulnerabilities

2009-01-29 Thread Kees Cook
===
Ubuntu Security Notice USN-715-1   January 29, 2009
linux vulnerabilities
CVE-2008-5079, CVE-2008-5182, CVE-2008-5300, CVE-2008-5395,
CVE-2008-5700, CVE-2008-5702
===

A security issue affects the following Ubuntu releases:

Ubuntu 8.10

This advisory also applies to the corresponding versions of
Kubuntu, Edubuntu, and Xubuntu.

The problem can be corrected by upgrading your system to the
following package versions:

Ubuntu 8.10:
  linux-image-2.6.27-11-generic   2.6.27-11.27
  linux-image-2.6.27-11-server2.6.27-11.27
  linux-image-2.6.27-11-virtual   2.6.27-11.27

After a standard system upgrade you need to reboot your computer to
effect the necessary changes.

ATTENTION: Due to an unavoidable ABI change the kernel updates have
been given a new version number, which requires you to recompile and
reinstall all third party kernel modules you might have installed. If
you use linux-restricted-modules, you have to update that package as
well to get modules which work with the new kernel version. Unless you
manually uninstalled the standard kernel metapackages (e.g. linux-generic,
linux-server, linux-powerpc), a standard system upgrade will automatically
perform this as well.

Details follow:

Hugo Dias discovered that the ATM subsystem did not correctly manage
socket counts. A local attacker could exploit this to cause a system hang,
leading to a denial of service. (CVE-2008-5079)

It was discovered that the inotify subsystem contained watch removal
race conditions. A local attacker could exploit this to crash the system,
leading to a denial of service. (CVE-2008-5182)

Dann Frazier discovered that in certain situations sendmsg did not
correctly release allocated memory. A local attacker could exploit
this to force the system to run out of free memory, leading to a denial
of service.  (CVE-2008-5300)

Helge Deller discovered that PA-RISC stack unwinding was not handled
correctly. A local attacker could exploit this to crash the system,
leading to a denial of service. This did not affect official Ubuntu
kernels, but was fixed in the source for anyone performing HPPA kernel
builds.  (CVE-2008-5395)

It was discovered that the ATA subsystem did not correctly set timeouts. A
local attacker could exploit this to cause a system hang, leading to a
denial of service. (CVE-2008-5700)

It was discovered that the ib700 watchdog timer did not correctly check
buffer sizes. A local attacker could send a specially crafted ioctl
to the device to cause a system crash, leading to a denial of service.
(CVE-2008-5702)


Updated packages for Ubuntu 8.10:

  Source archives:


http://security.ubuntu.com/ubuntu/pool/main/l/linux/linux_2.6.27-11.27.diff.gz
  Size/MD5:  3045315 319b70724933690ebeaf2570c08e5872
http://security.ubuntu.com/ubuntu/pool/main/l/linux/linux_2.6.27-11.27.dsc
  Size/MD5: 1529 1f0ca8782583778c06befbe486a5537c
http://security.ubuntu.com/ubuntu/pool/main/l/linux/linux_2.6.27.orig.tar.gz
  Size/MD5: 63721466 482b04f680ce6676114ccfaaf8f66a55

  Architecture independent packages:


http://security.ubuntu.com/ubuntu/pool/main/l/linux/linux-doc-2.6.27_2.6.27-11.27_all.deb
  Size/MD5:  3480820 102ffe69d583daaea25e9dc16624cf1d

http://security.ubuntu.com/ubuntu/pool/main/l/linux/linux-headers-2.6.27-11_2.6.27-11.27_all.deb
  Size/MD5:  5782904 b7de142c5ded4e2e26037799b045b17d

http://security.ubuntu.com/ubuntu/pool/main/l/linux/linux-source-2.6.27_2.6.27-11.27_all.deb
  Size/MD5: 52041978 3eb25260c3bf95d7110174a153457fe4

  amd64 architecture (Athlon64, Opteron, EM64T Xeon):


http://security.ubuntu.com/ubuntu/pool/main/l/linux/acpi-modules-2.6.27-11-generic-di_2.6.27-11.27_amd64.udeb
  Size/MD5:36522 9e9b81519f796f9c8d970e369e6235b9

http://security.ubuntu.com/ubuntu/pool/main/l/linux/block-modules-2.6.27-11-generic-di_2.6.27-11.27_amd64.udeb
  Size/MD5:   264132 781d177036c0d1f8d04fca8fd1322ad4

http://security.ubuntu.com/ubuntu/pool/main/l/linux/crypto-modules-2.6.27-11-generic-di_2.6.27-11.27_amd64.udeb
  Size/MD5:53470 8e367a9fbbb2aea106db18724fbd78e8

http://security.ubuntu.com/ubuntu/pool/main/l/linux/fat-modules-2.6.27-11-generic-di_2.6.27-11.27_amd64.udeb
  Size/MD5:43124 32bb76a5c82cf4787e015a8d14a78b96

http://security.ubuntu.com/ubuntu/pool/main/l/linux/fb-modules-2.6.27-11-generic-di_2.6.27-11.27_amd64.udeb
  Size/MD5:52340 46d233691c5842fa9f7347216eba0ce1

http://security.ubuntu.com/ubuntu/pool/main/l/linux/firewire-core-modules-2.6.27-11-generic-di_2.6.27-11.27_amd64.udeb
  Size/MD5:89726 a8ac9ef887eacc31ebc322cf37223aec

http://security.ubuntu.com/ubuntu/pool/main/l/linux/floppy-modules-2.6.27-11-generic-di_2.6.27-11.27_amd64.udeb
  Size/MD5:38136 9d6bf29c616ae927c9341f80cb1d354b

http://security.ubuntu.com/ubuntu/pool/main/l/linux/fs-core-modul

[Full-disclosure] [USN-716-1] MoinMoin vulnerabilities

2009-01-29 Thread Jamie Strandboge
===
Ubuntu Security Notice USN-716-1   January 30, 2009
moin vulnerabilities
CVE-2008-0780, CVE-2008-0781, CVE-2008-0782, CVE-2008-1098,
CVE-2008-1099, CVE-2009-0260, CVE-2009-0312
===

A security issue affects the following Ubuntu releases:

Ubuntu 6.06 LTS
Ubuntu 7.10
Ubuntu 8.04 LTS
Ubuntu 8.10

This advisory also applies to the corresponding versions of
Kubuntu, Edubuntu, and Xubuntu.

The problem can be corrected by upgrading your system to the
following package versions:

Ubuntu 6.06 LTS:
  python2.4-moinmoin  1.5.2-1ubuntu2.4

Ubuntu 7.10:
  python-moinmoin 1.5.7-3ubuntu2.1

Ubuntu 8.04 LTS:
  python-moinmoin 1.5.8-5.1ubuntu2.2

Ubuntu 8.10:
  python-moinmoin 1.7.1-1ubuntu1.1

In general, a standard system upgrade is sufficient to effect the
necessary changes.

Details follow:

Fernando Quintero discovered that MoinMoin did not properly sanitize its
input when processing login requests, resulting in cross-site scripting (XSS)
vulnerabilities. With cross-site scripting vulnerabilities, if a user were
tricked into viewing server output during a crafted server request, a remote
attacker could exploit this to modify the contents, or steal confidential data,
within the same domain. This issue affected Ubuntu 7.10 and 8.04 LTS.
(CVE-2008-0780)

Fernando Quintero discovered that MoinMoin did not properly sanitize its input
when attaching files, resulting in cross-site scripting vulnerabilities. This
issue affected Ubuntu 6.06 LTS, 7.10 and 8.04 LTS. (CVE-2008-0781)

It was discovered that MoinMoin did not properly sanitize its input when
processing user forms. A remote attacker could submit crafted cookie values and
overwrite arbitrary files via directory traversal. This issue affected Ubuntu
6.06 LTS, 7.10 and 8.04 LTS. (CVE-2008-0782)

It was discovered that MoinMoin did not properly sanitize its input when
editing pages, resulting in cross-site scripting vulnerabilities. This issue
only affected Ubuntu 6.06 LTS and 7.10. (CVE-2008-1098)

It was discovered that MoinMoin did not properly enforce access controls,
which could allow a remote attacker to view private pages. This issue only
affected Ubuntu 6.06 LTS and 7.10. (CVE-2008-1099)

It was discovered that MoinMoin did not properly sanitize its input when
attaching files and using the rename parameter, resulting in cross-site
scripting vulnerabilities. (CVE-2009-0260)

It was discovered that MoinMoin did not properly sanitize its input when
displaying error messages after processing spam, resulting in cross-site
scripting vulnerabilities. (CVE-2009-0312)


Updated packages for Ubuntu 6.06 LTS:

  Source archives:


http://security.ubuntu.com/ubuntu/pool/main/m/moin/moin_1.5.2-1ubuntu2.4.diff.gz
  Size/MD5:42544 ebd2cc72e4a9b91642c7e5b7fcae7754
http://security.ubuntu.com/ubuntu/pool/main/m/moin/moin_1.5.2-1ubuntu2.4.dsc
  Size/MD5:  710 1c979ab18f50b60ec0b9494a7513b71f
http://security.ubuntu.com/ubuntu/pool/main/m/moin/moin_1.5.2.orig.tar.gz
  Size/MD5:  3975925 689ed7aa9619aa207398b996d68b4b87

  Architecture independent packages:


http://security.ubuntu.com/ubuntu/pool/main/m/moin/moinmoin-common_1.5.2-1ubuntu2.4_all.deb
  Size/MD5:  1508228 88106c7e059b5b91deac7bfb71f96fb3

http://security.ubuntu.com/ubuntu/pool/main/m/moin/python-moinmoin_1.5.2-1ubuntu2.4_all.deb
  Size/MD5:69842 bf8ce8a5b46a32185e1f09af0b370e41

http://security.ubuntu.com/ubuntu/pool/main/m/moin/python2.4-moinmoin_1.5.2-1ubuntu2.4_all.deb
  Size/MD5:   835312 aa269dbf77b123fe000ee69de31df352

Updated packages for Ubuntu 7.10:

  Source archives:


http://security.ubuntu.com/ubuntu/pool/main/m/moin/moin_1.5.7-3ubuntu2.1.diff.gz
  Size/MD5:57794 cbaa73b938fa38550adfca2cd82b2228
http://security.ubuntu.com/ubuntu/pool/main/m/moin/moin_1.5.7-3ubuntu2.1.dsc
  Size/MD5:  805 ac38488f222ba5451ae827b834713bf2
http://security.ubuntu.com/ubuntu/pool/main/m/moin/moin_1.5.7.orig.tar.gz
  Size/MD5:  4411634 b304f1c2054c7f3bf0dc48c141b28b33

  Architecture independent packages:


http://security.ubuntu.com/ubuntu/pool/main/m/moin/moinmoin-common_1.5.7-3ubuntu2.1_all.deb
  Size/MD5:  1660458 98e840ca6bc4322a5a8c9c2776e5ff18

http://security.ubuntu.com/ubuntu/pool/main/m/moin/python-moinmoin_1.5.7-3ubuntu2.1_all.deb
  Size/MD5:  1020898 947daca038abf2eb07c4bb220b0c9276

Updated packages for Ubuntu 8.04 LTS:

  Source archives:


http://security.ubuntu.com/ubuntu/pool/main/m/moin/moin_1.5.8-5.1ubuntu2.2.diff.gz
  Size/MD5:61334 1b3992acd9d6720686415752ec2b84da

http://security.ubuntu.com/ubuntu/pool/main/m/moin/moin_1.5.8-5.1ubuntu2.2.dsc
  Size/MD5:  989 cf1add0defdb66648b3d327bb6fb3c59
http://security.ubuntu.com/ubuntu/pool/main/m/moin/moin_1.5.8.orig.tar.gz
  Size/MD5:  4351630 79

Re: [Full-disclosure] Hackery Channel 01-09-01-LOLZ: Cat Spoofing against Flow Control

2009-01-29 Thread Nancy Kramer
Another cat not carrying prey would also work well.  Lots of stray cats 
like to come in when it is cold so this could very likely happen.  The cat 
the device was bought for could also attract other cats that would follow 
it into the house.  Some cats are quite social and have "friends".  This 
should maybe be called cat spoofing as the cat this device was intended for 
is not the cat getting entry.

Lots of fun finding strange cats in your house at 3AM.  Note: Cats tend to 
be nocturnal.  You don't need any kind of high tech device for this.  Just 
open the door for your cat and others may come in.  Cats are fast so it is 
hard to keep them out.  Besides they are awake and you are probably NOT.

Been there done that.

Regards,

Nancy Kramer





At 06:04 PM 1/29/2009, hack ery wrote:

>Security Risk:  High
>Exploitable: Local
>Vulnerability: Arbitrary Flow Control Control, Cat Spoofing
>Discovered by: The Hackery Channel
>Tested: No
>
>The Flow Control project is an access control project for a cat.  It 
>consists of a cat door, an electromagnetic latch, an access control device, 
>and image recognition software that allows Flow to enter the house, and 
>only when she is not carrying prey.  When Flow is within proximity of the 
>door, she passes through a light that casts a shadow on an area monitored 
>by a camera.  If the silhouette appears to be Flow without prey, access 
>is granted.
>
>Cat Spoofing:  An attacker could potentially gain access by posing as a 
>kitty by placing a cut out of the kitty next to the light.
>
>Mitigation: None.
>Work around: Guard dog
>Vendor Notified: No
>Vendor Site: 
>http://www.quantumpicture.com/Flo_Control/flo_control.htm

