[Full-disclosure] WinRAR v3.80 - ZIP Filename Spoofing

2009-09-28 Thread chr1x
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
 
++
| (ASCII-art logo; it did not survive the archive extraction)   |
| CubilFelino Security Research Lab                             |
| proudly presents...                                           |
++

===
Security Advisory: WinRAR v3.80 - ZIP Filename Spoofing
===

Security Researcher Info:
=========================

Discovered by:       Christian Navarrete (chr1x) - México
Website URL:         http://chr1x.sectester.net
Contact E-mail:      ch...@sectester.net
OpenPGP key id:      0x3765F4F8
OpenPGP fingerprint: 58AB CB8C DCF4 8B2E 40EF 11E8 4354 91DF 3765 F4F8

Vulnerability General Information:
==================================

Discovery date:           30/08/2009 (Good gift of Birthday! :)
Advisory URL:             http://advisory.sectester.net/chr1xpwnadv-winrar-zip-filename-spoofing.pdf
Vulnerability on Video:   http://www.youtube.com/user/sectester
PoC/Exploit Availability: http://chr1x.sectester.net/winrar380_PoC.zip
Software:                 WinRAR
Version:                  3.80
Security risk:            Low
Exploitable from:         Local
Vulnerability:            ZIP Filename spoofing
Release mode:             Coordinated disclosure.
Vendor:                   http://www.rarlabs.com
Status:                   Current version (WinRAR v3.80) not patched, next
                          engine version (WinRAR v3.90) will be patched
CWE Weakness ID:          CWE-372: Incomplete Internal State Distinction (1.5)
CVE ID:                   None provided
Disclosure Policy:        http://www.wiretrip.net/rfp/policy.html

Product Description:

(Taken from Wikipedia)

WinRAR is a shareware file archiver and data compression utility
developed by Eugene Roshal, and first released around 1995. It is one
of the few applications that is able to create RAR archives natively,
because the encoding method is held to be proprietary.

WinRAR supports the following features:

* Complete support for RAR and ZIP archives, and unpacking of ARJ,
LZH, TAR, GZ, ACE, UUE, BZ2, JAR, ISO, EXE, 7z, and Z archives. Future
versions of WinRAR are planned to include 7z creation.
* The ability to create self-extracting and multi-volume (split)
archives.
* Data redundancy is provided via recovery records and recovery
volumes, allowing reconstruction of damaged archives.
* Support for advanced NTFS file system options and Unicode in file
names.
* Optional archive encryption using AES (Advanced Encryption Standard)
with a 128-bit key.

I. Vulnerability Summary:
=========================

WinRAR v3.80 is prone to filename spoofing by means of a malformed .ZIP
file.

II. Vulnerability Description:
==============================
ZIP filename spoofing is possible due to a mismatch between the file name
shown in the file list of the WinRAR GUI shell and the name of the
extracted file. A real exploitation of this issue is the following
scenario: when a user opens the malformed file using WinRAR v3.80 they
will see a filename (example: imagefile.gif), but when the files are
extracted, the extracted file could be another one, not t
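The advisory above describes a disagreement between the two places a ZIP archive stores each member's name. As an added example (not part of the advisory, and not WinRAR's or RAR Labs' code), the following Python checker reads both copies of every name, the central directory record at the end of the file and the local file header in front of the member data, and reports any member where they differ. It also shows that CPython's own `zipfile` module refuses to extract such a member, which is the behaviour an extractor should have. The member names, the member content and the `build_sample` helper that patches a test archive are constructed for this example.

```python
"""Cross-check ZIP local file header names against the central directory."""
import io
import struct
import zipfile

LOCAL_SIG = b"PK\x03\x04"    # local file header signature
CENTRAL_SIG = b"PK\x01\x02"  # central directory record signature
EOCD_SIG = b"PK\x05\x06"     # end-of-central-directory record signature


def _decode_name(raw: bytes, flags: int) -> str:
    # General-purpose flag bit 11 marks a UTF-8 name; otherwise CP437 (APPNOTE).
    return raw.decode("utf-8" if flags & 0x800 else "cp437", "replace")


def central_directory_entries(data: bytes):
    """Yield (name, local_header_offset) for every central-directory record."""
    eocd = data.rfind(EOCD_SIG)
    if eocd < 0:
        raise ValueError("no end-of-central-directory record")
    # EOCD fields at +10: total entries (2), directory size (4), directory offset (4)
    count, _cd_size, pos = struct.unpack_from("<HII", data, eocd + 10)
    for _ in range(count):
        if data[pos:pos + 4] != CENTRAL_SIG:
            raise ValueError("corrupt central directory at offset %d" % pos)
        flags, = struct.unpack_from("<H", data, pos + 8)
        name_len, extra_len, comment_len = struct.unpack_from("<HHH", data, pos + 28)
        local_off, = struct.unpack_from("<I", data, pos + 42)
        yield _decode_name(data[pos + 46:pos + 46 + name_len], flags), local_off
        pos += 46 + name_len + extra_len + comment_len


def find_name_mismatches(data: bytes):
    """Return [(central_name, local_name)] for members whose two names differ.

    local_name is None when the local header is missing or malformed.
    """
    mismatches = []
    for central_name, off in central_directory_entries(data):
        if data[off:off + 4] != LOCAL_SIG:
            mismatches.append((central_name, None))
            continue
        flags, = struct.unpack_from("<H", data, off + 6)
        name_len, = struct.unpack_from("<H", data, off + 26)
        local_name = _decode_name(data[off + 30:off + 30 + name_len], flags)
        if local_name != central_name:
            mismatches.append((central_name, local_name))
    return mismatches


def stdlib_rejects(data: bytes) -> bool:
    """True if Python's zipfile refuses to extract any member.

    ZipFile.open() compares the local header name with the central
    directory name and raises BadZipFile when they differ.
    """
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            try:
                with zf.open(info) as member:
                    member.read()
            except zipfile.BadZipFile:
                return True
    return False


def build_sample(central_name: str, local_name: str) -> bytes:
    """Constructed test archive with one stored member.

    The archive is written normally under central_name; then the copy of the
    name in the local header (header at offset 0, name at byte 30) is
    overwritten with local_name. Both names must have the same byte length so
    no other offset moves. Equal names yield a well-formed archive.
    """
    central_bytes, local_bytes = central_name.encode(), local_name.encode()
    if len(central_bytes) != len(local_bytes):
        raise ValueError("names must have equal byte length")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr(central_name, b"constructed member content")
    data = bytearray(buf.getvalue())
    assert data[30:30 + len(central_bytes)] == central_bytes
    data[30:30 + len(local_bytes)] = local_bytes
    return bytes(data)


if __name__ == "__main__":
    clean = build_sample("imagefile.gif", "imagefile.gif")
    spoofed = build_sample("imagefile.gif", "otherfile.gif")
    print("clean:  ", find_name_mismatches(clean), stdlib_rejects(clean))
    print("spoofed:", find_name_mismatches(spoofed), stdlib_rejects(spoofed))
```

Run against an archive on disk with `find_name_mismatches(open(path, "rb").read())`; a non-empty result means the name a file list displays and the name an extractor may write can differ, and the archive should be treated as hostile rather than repaired.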

Re: [Full-disclosure] Full Path Disclosure in most wordpress' plugins [?]

2009-09-28 Thread Fernando A. Lagos B.
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

Glafkos Charalambous wrote:
> Hello,
> 

Hi Glafkos,

>  
> 
> That can definitely be fixed easily with two lines of code, but it is
> still something that should have been prevented at earlier stages of
> "plugin" development.
> 
>  
> 
> "if (!empty($_SERVER['SCRIPT_FILENAME']) && 'akismet.php' ==
> basename($_SERVER['SCRIPT_FILENAME']))
> 
>  die ('Please do not load this page directly');"
> 
>  

It is a simple and good fix.

> 
> From the server side you can set PHP "warning" and "errors" OFF either
> through php.ini or PHP page itself but sometimes that's not an option

Yep, disabling the "display_errors" option in php.ini is not a good
option. Setting display_errors to Off hides the problem but does not fix
the problem.

> 
>  
> 
> Regards,

cheers

> 
> Glafkos Charalambous
> 
>  
> 
>  
> 
> *From:* full-disclosure-boun...@lists.grok.org.uk
> [mailto:full-disclosure-boun...@lists.grok.org.uk] *On Behalf Of *majinboo
> *Sent:* Monday, September 28, 2009 11:12 PM
> *To:* Fernando A. Lagos B.
> *Cc:* full-disclosure@lists.grok.org.uk
> *Subject:* Re: [Full-disclosure] Full Path Disclosure in most wordpress'
> plugins [?]
> 
>  
> 
> Hello,
> 
> this kind of "vulnerabilities" exists whenever a PHP script issues a
> fatal error on a poorly configured server. PHP should log errors in a
> local file and not on the client screen. With this configuration, you
> will not see a full path disclosure in each uncaught PHP exception.
> IMHO the security weakness is on the php.ini and not on the web application.
> 
> cheers,
> 
> majinboo
> 
> 2009/9/28 Fernando A. Lagos B.
> 
> There is a call to add_action() without validation with function_exists().
> When I run the PHP script directly, I get the full path of the WP installation.
> 
> Example:
> [+] http://www.marco2010.cl/wp-content/plugins/akismet/akismet.php
> [+] http://www.marco2010.cl/wp-content/plugins/hello.php
> 
> 
> Is it a bug? Is it a feature?
> 
> More details posted in my blog:
> http://blog.zerial.org/seguridad/vulnerabilidad-en-la-mayoria-de-los-plugins-para-wordpress/
> (spanish)
> 
> 
> cheers.





- --
Fernando A. Lagos Berardi - Zerial
Web Developer and Programmer
Information Security
Linux User #382319
Blog: http://blog.zerial.org
Skype: erzerial
Jabber: zer...@jabberes.org
GTalk && MSN: ferna...@zerial.org

-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.10 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iEYEARECAAYFAkrBNAEACgkQIP17Kywx9JSxUQCaA0cXq74tzk6WA+0MABll30tT
d7QAmwXjiqdNkfF28X9gvYyGmkbQcB3o
=7r4O
-END PGP SIGNATURE-

___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


Re: [Full-disclosure] Full Path Disclosure in most wordpress' plugins [?]

2009-09-28 Thread Glafkos Charalambous
Hello,

 

That can definitely be fixed easily with two lines of code, but it is
still something that should have been prevented at earlier stages of
"plugin" development.

 

"if (!empty($_SERVER['SCRIPT_FILENAME']) && 'akismet.php' ==
basename($_SERVER['SCRIPT_FILENAME']))

 die ('Please do not load this page directly');"

 

From the server side you can set PHP "warning" and "errors" OFF either
through php.ini or the PHP page itself, but sometimes that's not an option.

 

Regards,

Glafkos Charalambous

 

 

From: full-disclosure-boun...@lists.grok.org.uk
[mailto:full-disclosure-boun...@lists.grok.org.uk] On Behalf Of majinboo
Sent: Monday, September 28, 2009 11:12 PM
To: Fernando A. Lagos B.
Cc: full-disclosure@lists.grok.org.uk
Subject: Re: [Full-disclosure] Full Path Disclosure in most wordpress'
plugins [?]

 

Hello,

this kind of "vulnerabilities" exists whenever a PHP script issues a fatal
error on a poorly configured server. PHP should log errors in a local file
and not on the client screen. With this configuration, you will not see a
full path disclosure in each uncaught PHP exception. IMHO the security
weakness is on the php.ini and not on the web application.

cheers,

majinboo

2009/9/28 Fernando A. Lagos B. 

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

There is a call to add_action() without validation with function_exists().
When I run the PHP script directly, I get the full path of the WP installation.

Example:
[+] http://www.marco2010.cl/wp-content/plugins/akismet/akismet.php
[+] http://www.marco2010.cl/wp-content/plugins/hello.php


Is it a bug? Is it a feature?

More details posted in my blog:
http://blog.zerial.org/seguridad/vulnerabilidad-en-la-mayoria-de-los-plugins-para-wordpress/
(spanish)


cheers.
- --
Zerial
Web Developer and Programmer
Information Security
Linux User #382319
Blog: http://blog.zerial.org
Skype: erzerial
Jabber: zer...@jabberes.org
GTalk && MSN: ferna...@zerial.org

-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.10 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iEYEARECAAYFAkrAwpgACgkQIP17Kywx9JRciQCfZeWYvflVpdSeZ+a+BM3Z6hV3
0yUAn08Kan+JbtR13aUxMkw0FzUi+W0r
=/0dj
-END PGP SIGNATURE-


 


Re: [Full-disclosure] Full Path Disclosure in most wordpress' plugins [?]

2009-09-28 Thread Fernando A. Lagos B.
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

majinboo wrote:
> Hello,

Hi

> 
> this kind of "vulnerabilities" exists whenever a PHP script issues a
> fatal error on a poorly configured server. PHP should log errors in a
> local file and not on the client screen. With this configuration, you
> will not see a full path disclosure in each uncaught PHP exception.
> IMHO the security weakness is on the php.ini and not on the web application.



Most Full Path Disclosures are triggered by a Warning, Fatal Error or
Notice message from PHP.
This problem is a problem on the developer side. Each developer must
validate incoming parameters (by GET or POST), function calls, file
opening, SQL queries, etc.

If you look at the rest of the code (example in hello.php), each function
call is validated by "if (function_exists(...))" but "add_action()" is not.

All plugins (WordPress, Joomla, etc. etc.) must be validated and correctly
parsed; I can't call "function()" if "function()" does not exist (in the
API context).

What do you think about it?

> 
> cheers,

cheers!

> 
> majinboo
> 
> 2009/9/28 Fernando A. Lagos B.
> 
> There is a call to add_action() without validation with function_exists().
> When I run the PHP script directly, I get the full path of the WP
> installation.
> 
> Example:
> [+] http://www.marco2010.cl/wp-content/plugins/akismet/akismet.php
> [+] http://www.marco2010.cl/wp-content/plugins/hello.php
> 
> 
> Is it a bug? Is it a feature?
> 
> More details posted in my blog:
> http://blog.zerial.org/seguridad/vulnerabilidad-en-la-mayoria-de-los-plugins-para-wordpress/
> (spanish)
> 
> 
> cheers.





- --
Fernando A. Lagos Berardi - Zerial
Web Developer and Programmer
Information Security
Linux User #382319
Blog: http://blog.zerial.org
Skype: erzerial
Jabber: zer...@jabberes.org
GTalk && MSN: ferna...@zerial.org

-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.10 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iEYEARECAAYFAkrBHNoACgkQIP17Kywx9JQzCgCdHu3d4cwAi2tpPeqyy1PVbpNj
eQsAn2xjhAFNoUIZuTsX+Haxo4Ydgns6
=fzpB
-END PGP SIGNATURE-



Re: [Full-disclosure] Full Path Disclosure in most wordpress' plugins [?]

2009-09-28 Thread majinboo
Hello,

this kind of "vulnerabilities" exists whenever a PHP script issues a fatal
error on a poorly configured server. PHP should log errors in a local file
and not on the client screen. With this configuration, you will not see a
full path disclosure in each uncaught PHP exception. IMHO the security
weakness is on the php.ini and not on the web application.

cheers,

majinboo

2009/9/28 Fernando A. Lagos B. 

> -BEGIN PGP SIGNED MESSAGE-
> Hash: SHA1
>
> There is a call to add_action() without validation with function_exists().
> When I run the PHP script directly, I get the full path of the WP installation.
>
> Example:
> [+] http://www.marco2010.cl/wp-content/plugins/akismet/akismet.php
> [+] http://www.marco2010.cl/wp-content/plugins/hello.php
>
>
> Is it a bug? Is it a feature?
>
> More details posted in my blog:
>
> http://blog.zerial.org/seguridad/vulnerabilidad-en-la-mayoria-de-los-plugins-para-wordpress/
> (spanish)
>
>
> cheers.
> - --
> Zerial
> Web Developer and Programmer
> Information Security
> Linux User #382319
> Blog: http://blog.zerial.org
> Skype: erzerial
> Jabber: zer...@jabberes.org
> GTalk && MSN: ferna...@zerial.org
>
> -BEGIN PGP SIGNATURE-
> Version: GnuPG v1.4.10 (GNU/Linux)
> Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/
>
> iEYEARECAAYFAkrAwpgACgkQIP17Kywx9JRciQCfZeWYvflVpdSeZ+a+BM3Z6hV3
> 0yUAn08Kan+JbtR13aUxMkw0FzUi+W0r
> =/0dj
> -END PGP SIGNATURE-
>

[Full-disclosure] For sale - Microsoft Internet Explorer 0day

2009-09-28 Thread Freddie Vicious
MS Internet Explorer 0day exploit for sale - remote code execution via
memory corruption.

Serious offers only - fred.vici...@gmail.com

-- 
Best wishes,
Freddie Vicious

[Full-disclosure] Drupal XML-Sitemap 5.x-1.6 XSS Vulnerability

2009-09-28 Thread Black Packeteer
The Drupal XML Sitemap module version 5.x-1.6
(http://drupal.org/project/xmlsitemap) contains a cross-site scripting
vulnerability because it fails to properly sanitize 'Path' output in the XML
Sitemap administration area. If you install XML Sitemap, click on
Administer, Site configuration, XML sitemap, then click on the Additional
tab, put JavaScript into the 'Path' text box and save the additional link,
when the page refreshes the JavaScript is rendered by Drupal. This means
that users who can administer the additional links in XML Sitemap can attack
other users who view that page.

[Full-disclosure] Full Path Disclosure in most wordpress' plugins [?]

2009-09-28 Thread Fernando A. Lagos B.
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

There is a call to add_action() without validation with function_exists().
When I run the PHP script directly, I get the full path of the WP installation.

Example:
[+] http://www.marco2010.cl/wp-content/plugins/akismet/akismet.php
[+] http://www.marco2010.cl/wp-content/plugins/hello.php


Is it a bug? Is it a feature?

More details posted in my blog:
http://blog.zerial.org/seguridad/vulnerabilidad-en-la-mayoria-de-los-plugins-para-wordpress/
(spanish)


cheers.
- --
Zerial
Web Developer and Programmer
Information Security
Linux User #382319
Blog: http://blog.zerial.org
Skype: erzerial
Jabber: zer...@jabberes.org
GTalk && MSN: ferna...@zerial.org

-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.10 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iEYEARECAAYFAkrAwpgACgkQIP17Kywx9JRciQCfZeWYvflVpdSeZ+a+BM3Z6hV3
0yUAn08Kan+JbtR13aUxMkw0FzUi+W0r
=/0dj
-END PGP SIGNATURE-



[Full-disclosure] [USN-838-1] Dovecot vulnerabilities

2009-09-28 Thread Marc Deslauriers
===
Ubuntu Security Notice USN-838-1 September 28, 2009
dovecot vulnerabilities
CVE-2008-4577, CVE-2008-5301, CVE-2009-2632, CVE-2009-3235
===

A security issue affects the following Ubuntu releases:

Ubuntu 8.04 LTS
Ubuntu 8.10
Ubuntu 9.04

This advisory also applies to the corresponding versions of
Kubuntu, Edubuntu, and Xubuntu.

The problem can be corrected by upgrading your system to the
following package versions:

Ubuntu 8.04 LTS:
  dovecot-common  1:1.0.10-1ubuntu5.2

Ubuntu 8.10:
  dovecot-common  1:1.1.4-0ubuntu1.3

Ubuntu 9.04:
  dovecot-common  1:1.1.11-0ubuntu4.1

In general, a standard system upgrade is sufficient to effect the
necessary changes.

Details follow:

It was discovered that the ACL plugin in Dovecot would incorrectly handle
negative access rights. An attacker could exploit this flaw to access the
Dovecot server, bypassing the intended access restrictions. This only
affected Ubuntu 8.04 LTS. (CVE-2008-4577)

It was discovered that the ManageSieve service in Dovecot incorrectly
handled ".." in script names. A remote attacker could exploit this to read
and modify arbitrary sieve files on the server. This only affected Ubuntu
8.10. (CVE-2008-5301)

It was discovered that the Sieve plugin in Dovecot incorrectly handled
certain sieve scripts. An authenticated user could exploit this with a
crafted sieve script to cause a denial of service or possibly execute
arbitrary code. (CVE-2009-2632, CVE-2009-3235)


Updated packages for Ubuntu 8.04 LTS:

  Source archives:


http://security.ubuntu.com/ubuntu/pool/main/d/dovecot/dovecot_1.0.10-1ubuntu5.2.diff.gz
  Size/MD5:   407785 8bab610c8eaa3d584251f43f589458ef

http://security.ubuntu.com/ubuntu/pool/main/d/dovecot/dovecot_1.0.10-1ubuntu5.2.dsc
  Size/MD5: 1295 381a3267d0258419fee8f054ee5bcd13

http://security.ubuntu.com/ubuntu/pool/main/d/dovecot/dovecot_1.0.10.orig.tar.gz
  Size/MD5:  1797790 c050fa2a7dae8984d432595e3e8183e1

  amd64 architecture (Athlon64, Opteron, EM64T Xeon):


http://security.ubuntu.com/ubuntu/pool/main/d/dovecot/dovecot-common_1.0.10-1ubuntu5.2_amd64.deb
  Size/MD5:  1838902 c0bd69b04f49b20bdbe7e2c830660e04

http://security.ubuntu.com/ubuntu/pool/main/d/dovecot/dovecot-dev_1.0.10-1ubuntu5.2_amd64.deb
  Size/MD5:   387834 b6a474d722d36ca98e2790954304d249

http://security.ubuntu.com/ubuntu/pool/main/d/dovecot/dovecot-imapd_1.0.10-1ubuntu5.2_amd64.deb
  Size/MD5:   662814 ab6309638125fabe5752177671b3f8b3

http://security.ubuntu.com/ubuntu/pool/main/d/dovecot/dovecot-pop3d_1.0.10-1ubuntu5.2_amd64.deb
  Size/MD5:   625852 ce40fd95a9dc4bcc60c1b0c473a5e117

  i386 architecture (x86 compatible Intel/AMD):


http://security.ubuntu.com/ubuntu/pool/main/d/dovecot/dovecot-common_1.0.10-1ubuntu5.2_i386.deb
  Size/MD5:  1695832 b1c5df762f681ee1c6ab3a9903ff367a

http://security.ubuntu.com/ubuntu/pool/main/d/dovecot/dovecot-dev_1.0.10-1ubuntu5.2_i386.deb
  Size/MD5:   387848 d00535e76b28f9622ea77c36c69b808d

http://security.ubuntu.com/ubuntu/pool/main/d/dovecot/dovecot-imapd_1.0.10-1ubuntu5.2_i386.deb
  Size/MD5:   629748 61cb4fda4aa29fce1bf326522bbb2dda

http://security.ubuntu.com/ubuntu/pool/main/d/dovecot/dovecot-pop3d_1.0.10-1ubuntu5.2_i386.deb
  Size/MD5:   596084 d97fb54aba0f43f014f9e1dfd6404456

  lpia architecture (Low Power Intel Architecture):


http://ports.ubuntu.com/pool/main/d/dovecot/dovecot-common_1.0.10-1ubuntu5.2_lpia.deb
  Size/MD5:  1689932 e20d72de31679d4698caaa2d3fd92ebb

http://ports.ubuntu.com/pool/main/d/dovecot/dovecot-dev_1.0.10-1ubuntu5.2_lpia.deb
  Size/MD5:   387846 34903b7cdb220e85978c6483c7f09848

http://ports.ubuntu.com/pool/main/d/dovecot/dovecot-imapd_1.0.10-1ubuntu5.2_lpia.deb
  Size/MD5:   630210 7238a78a55f787251facd75cc3a15539

http://ports.ubuntu.com/pool/main/d/dovecot/dovecot-pop3d_1.0.10-1ubuntu5.2_lpia.deb
  Size/MD5:   596564 f969a0ee5a2de65dee4e81de9c103622

  powerpc architecture (Apple Macintosh G3/G4/G5):


http://ports.ubuntu.com/pool/main/d/dovecot/dovecot-common_1.0.10-1ubuntu5.2_powerpc.deb
  Size/MD5:  1859284 96619941551bb690e56d6604972370da

http://ports.ubuntu.com/pool/main/d/dovecot/dovecot-dev_1.0.10-1ubuntu5.2_powerpc.deb
  Size/MD5:   387880 cf175dd90cf5b677f55106c4e680ed9b

http://ports.ubuntu.com/pool/main/d/dovecot/dovecot-imapd_1.0.10-1ubuntu5.2_powerpc.deb
  Size/MD5:   669752 2b3b052e0d9703b41886c57793e7d1d6

http://ports.ubuntu.com/pool/main/d/dovecot/dovecot-pop3d_1.0.10-1ubuntu5.2_powerpc.deb
  Size/MD5:   633286 d87398d7e70d3eaf53e2c6fdd8652c5b

  sparc architecture (Sun SPARC/UltraSPARC):


http://ports.ubuntu.com/pool/main/d/dovecot/dovecot-common_1.0.10-1ubuntu5.2_sparc.deb
  Size/MD5:  1688040 38f3316086f8e23d3894a3391d5e1a4d

http

[Full-disclosure] [SECURITY] [DSA 1897-1] New horde3 packages fix arbitrary code execution

2009-09-28 Thread Nico Golde
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

- --
Debian Security Advisory DSA-1897-1                      secur...@debian.org
http://www.debian.org/security/                                   Nico Golde
September 28th, 2009                     http://www.debian.org/security/faq
- --

Package: horde3
Vulnerability  : insufficient input sanitization
Problem type   : remote
Debian-specific: no
Debian bug : #547318
CVE ID : CVE-2009-3236

Stefan Esser discovered that Horde, a web application framework providing
classes for dealing with preferences, compression, browser detection,
connection tracking, MIME, and more, is insufficiently validating and
escaping user provided input.  The Horde_Form_Type_image form element
allows to reuse a temporary filename on reuploads which are stored in a
hidden HTML field and then trusted without prior validation.  An attacker
can use this to overwrite arbitrary files on the system or to upload PHP
code and thus execute arbitrary code with the rights of the webserver.
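The Dovecot ManageSieve issue above (CVE-2008-5301, ".." in script names) and this Horde_Form_Type_image issue share one defect: a name the client controls is turned into a filesystem path without being checked, so a traversal sequence or a name the server never generated reaches outside the intended directory. The following Python helper is an added example, not Dovecot's or Horde's code, showing the two checks a server should apply before touching the path: an allow-list on the name itself, and a check that the resolved path still sits directly inside the base directory (which also catches a symlink that points elsewhere). The per-user directory layout, the `.sieve` extension and the `upl_<16 hex digits>` temporary-name pattern are assumptions made for the example; the directories used in the demo are constructed.

```python
"""Confine client-supplied file names to a single directory."""
import os
import re
import tempfile
from pathlib import Path
from typing import Optional

# Allow-list: a bare name that starts with an alphanumeric character, so
# "." and "..", dotfiles, separators, NUL and control characters never pass.
SAFE_NAME = re.compile(r"[A-Za-z0-9][A-Za-z0-9._-]{0,63}")


def confine(base_dir: str, supplied: str) -> Optional[Path]:
    """Return base_dir/supplied as a resolved path, or None if it is rejected."""
    if not SAFE_NAME.fullmatch(supplied) or supplied in (".", ".."):
        return None
    base = Path(base_dir).resolve()
    candidate = (base / supplied).resolve()
    # resolve() follows symlinks, so a legal-looking name that is itself a
    # link out of the directory ends up with a different parent and is rejected.
    if candidate.parent != base:
        return None
    return candidate


def sieve_script_path(user_dir: str, script_name: str) -> Optional[Path]:
    """Path for a ManageSieve script (assumed layout: one directory per user,
    scripts stored as <name>.sieve). The extension is appended server-side, so
    the client never chooses the on-disk file name."""
    p = confine(user_dir, script_name)
    return None if p is None else p.with_name(p.name + ".sieve")


# Assumed pattern of temporary names the server generates itself.
TEMP_NAME = re.compile(r"upl_[0-9a-f]{16}")


def reupload_temp_path(upload_dir: str, hidden_value: str) -> Optional[Path]:
    """Path for a temporary upload whose name came back in a hidden form field.
    Only names matching the server's own generated pattern are accepted, and
    they are then confined like any other name."""
    if not TEMP_NAME.fullmatch(hidden_value):
        return None
    return confine(upload_dir, hidden_value)


def symlink_demo() -> bool:
    """Exercise the second check: a name that passes the allow-list but is a
    symlink pointing outside the directory. Returns True if it was rejected."""
    with tempfile.TemporaryDirectory() as tmp:          # constructed directory
        base = os.path.join(tmp, "sieve")
        os.mkdir(base)
        os.symlink(tmp, os.path.join(base, "escape"))   # points one level up
        return confine(base, "escape") is None


if __name__ == "__main__":
    user_dir = "/srv/mail/alice/sieve"                   # constructed path
    for name in ("roundcube", "../../etc/passwd", "..", "a/b"):
        print("sieve  %-20r -> %s" % (name, sieve_script_path(user_dir, name)))
    for name in ("upl_0123456789abcdef", "index.php", "upl_0123456789abcdef/../x"):
        print("upload %-28r -> %s" % (name, reupload_temp_path("/var/tmp/horde", name)))
    print("symlink escape rejected:", symlink_demo())
```

The allow-list alone already rejects every traversal string, so the resolution check looks redundant until a symlink or a tampered base directory is involved; keeping both means a single mistake in either does not open the directory.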


For the oldstable distribution (etch), this problem has been fixed in
version 3.1.3-4etch6.

For the stable distribution (lenny), this problem has been fixed in
version 3.2.2+debian0-2+lenny1.

For the testing distribution (squeeze), this problem has been fixed in
version 3.3.5+debian0-1.

For the unstable distribution (sid), this problem has been fixed in
version 3.3.5+debian0-1.


We recommend that you upgrade your horde3 packages.

Upgrade instructions
- 

wget url
        will fetch the file for you
dpkg -i file.deb
        will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given below:

apt-get update
        will update the internal database
apt-get upgrade
        will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.


Debian GNU/Linux 4.0 alias etch
- ---

Debian (oldstable)
- --

Oldstable updates are available for alpha, amd64, arm, hppa, i386, ia64, mips, 
mipsel, powerpc, s390 and sparc.

Source archives:

  
http://security.debian.org/pool/updates/main/h/horde3/horde3_3.1.3-4etch6.diff.gz
Size/MD5 checksum:15869 3a74c50d35cf7f252cceec008e133299
  http://security.debian.org/pool/updates/main/h/horde3/horde3_3.1.3-4etch6.dsc
Size/MD5 checksum: 1076 d4205b4f956ee00aa545f988f5d0206f
  http://security.debian.org/pool/updates/main/h/horde3/horde3_3.1.3.orig.tar.gz
Size/MD5 checksum:  5232958 fbc56c608ac81474b846b1b4b7bb5ee7

Architecture independent packages:

  
http://security.debian.org/pool/updates/main/h/horde3/horde3_3.1.3-4etch6_all.deb
Size/MD5 checksum:  5278984 55bb80d663cad92d40ffcd15946379cf


Debian GNU/Linux 5.0 alias lenny
- 

Debian (stable)
- ---

Stable updates are available for alpha, amd64, arm, armel, hppa, i386, ia64, 
mips, mipsel, powerpc, s390 and sparc.

Source archives:

  
http://security.debian.org/pool/updates/main/h/horde3/horde3_3.2.2+debian0-2+lenny1.dsc
Size/MD5 checksum: 1388 e9bee230ea249ac6c8cd69bf4ad7c360
  
http://security.debian.org/pool/updates/main/h/horde3/horde3_3.2.2+debian0.orig.tar.gz
Size/MD5 checksum:  7180761 fb22a594bbdad07a0fbeef035a6d2f39
  
http://security.debian.org/pool/updates/main/h/horde3/horde3_3.2.2+debian0-2+lenny1.diff.gz
Size/MD5 checksum:27183 2a72cd6eb73cd03aea3bf296dd17cbb5

Architecture independent packages:

  
http://security.debian.org/pool/updates/main/h/horde3/horde3_3.2.2+debian0-2+lenny1_all.deb
Size/MD5 checksum:  7232466 12e1b9fd01f35600f7fb3852025c8610


  These files will probably be moved into the stable distribution on
  its next update.

- 
-
For apt-get: deb http://security.debian.org/ stable/updates main
For dpkg-ftp: ftp://security.debian.org/debian-security 
dists/stable/updates/main
Mailing list: debian-security-annou...@lists.debian.org
Package info: `apt-cache show ' and http://packages.debian.org/
-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.9 (GNU/Linux)

iEYEARECAAYFAkrAh9kACgkQHYflSXNkfP8YPACaA0AEa1H1AAXWF9Yj+Pk4rBH2
CDAAnRgZW7Ot762BOaluR8jAlDKhIewW
=rZA8
-END PGP SIGNATURE-



[Full-disclosure] Vulnerabilities in E107

2009-09-28 Thread MustLive
Hello Full-Disclosure!

I want to warn you about Insufficient Anti-automation and Cross-Site
Scripting vulnerabilities in E107. I found the XSS holes in October 2006 and
the Insufficient Anti-automation in November 2007, and disclosed them on
30.01.2009.

Insufficient Anti-Automation:

The vulnerability is in the captcha on the "send link to news" page
(http://site/email.php?news.1). This captcha is also used on the
registration page and the forgot-password page.

http://websecurity.com.ua/uploads/2009/E107%20CAPTCHA%20bypass.html

The captcha is vulnerable to a half-automated bypass method
(http://websecurity.com.ua/1595/), which I described in my project Month of
Bugs in Captchas (http://websecurity.com.ua/category/mobic/).

XSS:

The vulnerabilities are in search.php, in the parameters in, ex, ep and be.

http://site/search.php?in=%27%3Cscript%3Ealert(document.cookie)%3C/script%3E

http://site/search.php?ex=%27%3Cscript%3Ealert(document.cookie)%3C/script%3E

http://site/search.php?ep=%27%3Cscript%3Ealert(document.cookie)%3C/script%3E

http://site/search.php?be=%27%3Cscript%3Ealert(document.cookie)%3C/script%3E

Old versions of E107 are vulnerable to the XSS, and all versions of E107
are vulnerable to the Insufficient Anti-automation.

I mentioned these vulnerabilities on my site
(http://websecurity.com.ua/2841/).

Best wishes & regards,
MustLive
Administrator of Websecurity web site
http://websecurity.com.ua 
