[Full-disclosure] I miss Netdev.

2009-10-15 Thread Steven James
So I wrote him a song: 
http://www.soundclick.com/bands/page_songInfo.cfm?bandID=866231songID=8216151



  ___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

[Full-disclosure] Drupal XML Sitemap 6.x-1.1 XSS Vulnerability

2009-10-15 Thread Justin Klein Keane

Details of this vulnerability can also be found at
http://www.madirish.net/?article=435

Description of Vulnerability:

Drupal (http://drupal.org) is a robust content management system (CMS)
written in PHP and MySQL that provides extensibility through various
third party modules. The Site Map module
(http://drupal.org/project/site_map) provides a site map that gives
visitors an overview of your site. It can also display the RSS feeds for
all blogs and categories.

The Site map module contains a cross site scripting vulnerability
because it does not properly sanitize output of titles before display.

Systems affected:

Drupal 6.14 with Site map 6.x-1.1 was tested and shown to be vulnerable.

Impact:

XSS vulnerabilities may expose site administrative accounts to
compromise which could lead to web server process compromise.

Mitigating factors:

The Site map module must be installed. To carry out a Site map based XSS
exploit the attacker must have 'administer site configuration' permissions.

Proof of Concept:

   1. Install Drupal 6.14
   2. Install Site map 6.x-1.1
   3. Enable the Site map module from Administer - Site building - Modules
   4. Click Administer - Site configuration - Site map
   5. Enter <script>alert('xss');</script> in the 'Site map message' text area
   6. Enable the site map link in Administer - Site building - Menus - Navigation by clicking the 'Enable' checkbox next to 'Site map' and clicking the 'Save configuration' button
   7. Click on the 'Site map' link in the navigation to observe the rendered JavaScript

Technical details:

The Site map module fails to sanitize the output of the site map message
before display. Applying the following patch fixes this vulnerability.

Patch

Applying the following patch mitigates these threats.

- --- site_map/site_map.module2009-09-30 15:09:49.295134033 -0400
+++ site_map/site_map.module  2009-09-30 15:09:30.09976 -0400
@@ -14,7 +14,7 @@ function site_map_help($path, $arg) {
  switch ($path) {
case 'sitemap':
  $output = _sitemap_get_message();
- - -  return $output ? 'p'. filter_xss($output) .'/p' : '';
+  return $output ? 'p'. $output .'/p' : '';
  }
 }
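Review bot: the hunk is inverted: the `-` line is the one that calls filter_xss() (`return $output ? 'p'. filter_xss($output) .'/p' : '';`) and the `+` line returns `$output` unfiltered, so applying the patch as written would remove the output sanitization the advisory says is missing rather than add it. Swap the two lines so that the `+` side wraps the result of `_sitemap_get_message()` in filter_xss() (or check_plain() if the message is not meant to carry markup). The leading `- ` on the `---` and `-` lines is PGP clearsign dash-escaping and the angle brackets of the `<p>`/`</p>` tags have been lost in transit, so the patch will also not apply cleanly as shown.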

--
Justin C. Klein Keane
http://www.MadIrish.net



[Full-disclosure] Snitz Forums 2000 Multiple Cross-Site Scripting Vulnerabilities

2009-10-15 Thread Andrea Fabrizi
**
Application: Snitz Forums 2000
Version affected:  3.4.07
Website: http://forum.snitz.com/
Discovered By: Andrea Fabrizi
Email: andrea.fabr...@gmail.com
Web: http://www.andreafabrizi.it
Vuln: Multiple Cross-Site Scripting
**

## PERMANENT XSS
If [sound] tag is allowed:

[sound]http://url_to_valid_mp3_or_m3u_file.m3u;
onLoad=alert(document.cookie)[/sound]
##

## LINK XSS
http://localhost/forum/pop_send_to_friend.asp?url=/textareaimg
src=http://www.google.it/intl/it_it/images/logo.gif; onLoad
=alert(document.cookie)

Note the space: onLoad[space]=alert(document.cookie)
##

-- 
Andrea Fabrizi
http://www.andreafabrizi.it
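The second finding turns on a space between the attribute name and `=`. The following is an added example, not code from the advisory or from Snitz: it shows why a literal `onload=` filter misses that shape, how a parser-based check tokenizes it the way a browser does, and how a `[sound]` URL can be rendered safely. The sample fragments and helper names are constructed for this demo.

```python
# Added example (not from the advisory or Snitz): why a literal "onload=" check
# misses the payload shape in the post, and a parser-based check that does not.
# Fragments and helper names below are constructed for this demo.
from html import escape
from html.parser import HTMLParser
from urllib.parse import urlparse

SAMPLE_WITH_SPACE = '<img src="http://example.invalid/logo.gif" onLoad =alert(1)>'
SAMPLE_CLEAN = '<img src="http://example.invalid/logo.gif" alt="logo">'

def naive_has_handler(fragment: str) -> bool:
    """Substring filter: 'onload=' never matches 'onLoad =' because of the space."""
    return "onload=" in fragment.lower()

class _AttrCollector(HTMLParser):
    """Collects attribute names; HTMLParser lower-cases them and, like a browser,
    accepts whitespace on either side of '='."""
    def __init__(self):
        super().__init__()
        self.names = []
    def handle_starttag(self, tag, attrs):
        self.names.extend(name for name, _ in attrs)
    handle_startendtag = handle_starttag

def parser_has_handler(fragment: str) -> bool:
    """Flag any on* attribute however it is cased or spaced."""
    p = _AttrCollector()
    p.feed(fragment)
    p.close()
    return any(n.startswith("on") for n in p.names)

def is_acceptable_sound_url(url: str) -> bool:
    """Allow-list for the URL inside a [sound]...[/sound] tag: http(s) with a host."""
    parsed = urlparse(url)
    return parsed.scheme in ("http", "https") and bool(parsed.netloc)

def render_sound_tag(url: str) -> str:
    """Safe rendering of [sound]URL[/sound] (hypothetical helper): validate, then
    attribute-encode so a quote or '>' in the URL cannot start a new attribute."""
    if not is_acceptable_sound_url(url):
        raise ValueError("rejected sound URL")
    return '<audio src="%s" controls></audio>' % escape(url, quote=True)
```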



[Full-disclosure] [ MDVSA-2009:279 ] ocaml-mysql

2009-10-15 Thread security


 ___

 Mandriva Linux Security Advisory MDVSA-2009:279
 http://www.mandriva.com/security/
 ___

 Package : ocaml-mysql
 Date: October 15, 2009
 Affected: Enterprise Server 5.0
 ___

 Problem Description:

 A vulnerability has been found and corrected in ocaml-mysql:
 
 It was discovered that mysql-ocaml, the OCaml bindings for MySQL,
 was missing a function to call mysql_real_escape_string(). This
 is needed because mysql_real_escape_string() honours the charset
 of the connection and prevents insufficient escaping when certain
 multibyte character encodings are used. The added function is called
 real_escape() and takes the established database connection as its first
 argument. The old escape_string() was kept for backwards compatibility
 (CVE-2009-2942).
 
 This update fixes this vulnerability.
 ___

 References:

 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2942
 http://www.debian.org/security/2009/dsa-1910
 ___

 Updated Packages:

 ___

 To upgrade automatically use MandrivaUpdate or urpmi.  The verification
 of md5 checksums and GPG signatures is performed automatically for you.

 All packages are signed by Mandriva for security.  You can obtain the
 GPG public key of the Mandriva Security Team by executing:

  gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98

 You can view other update advisories for Mandriva Linux at:

  http://www.mandriva.com/security/advisories

 If you want to report vulnerabilities, please contact

  security_(at)_mandriva.com
 ___

 Type Bits/KeyID Date   User ID
 pub  1024D/22458A98 2000-07-10 Mandriva Security Team
  security*mandriva.com
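The advisory's point is that escaping has to know the connection charset. The following is an added example, not code from the advisory or from ocaml-mysql: a byte-oriented escaper in the style of the old escape_string() beside a charset-aware one in the style of real_escape(), with a simplified model of the server's literal lexer to show why the first is insufficient under GBK. The GBK byte ranges are from the encoding's definition; the lexer model and all inputs are constructed assumptions of this demo.

```python
# Added example (not from the advisory or ocaml-mysql): charset-unaware vs
# charset-aware escaping of MySQL string literals. Constructed GBK inputs.
SPECIAL = b"\x00\n\r\\'\"\x1a"  # bytes that must be backslash-escaped in a literal

def gbk_is_lead(b: int) -> bool:   # GBK lead-byte range
    return 0x81 <= b <= 0xFE
def gbk_is_trail(b: int) -> bool:  # GBK trail-byte ranges
    return 0x40 <= b <= 0x7E or 0x80 <= b <= 0xFE

def escape_string(raw: bytes) -> bytes:
    """Charset-unaware, like the old escape_string(): backslash each special byte."""
    out = bytearray()
    for b in raw:
        if b in SPECIAL:
            out.append(0x5C)
        out.append(b)
    return bytes(out)

def real_escape(raw: bytes, is_lead, is_trail) -> bytes:
    """Charset-aware, modelled on real_escape(): copy complete multibyte characters
    as-is and escape a lead byte that lacks a valid trail byte, so the backslash
    inserted for a following quote cannot be absorbed into a new multibyte char."""
    out, i = bytearray(), 0
    while i < len(raw):
        b = raw[i]
        if is_lead(b) and i + 1 < len(raw) and is_trail(raw[i + 1]):
            out += raw[i:i + 2]
            i += 2
            continue
        if is_lead(b) or b in SPECIAL:
            out.append(0x5C)
        out.append(b)
        i += 1
    return bytes(out)

def server_sees_bare_quote(escaped: bytes, is_lead, is_trail) -> bool:
    """Simplified model (an assumption of this demo) of the server's literal lexer:
    a multibyte pair is one char, a backslash escapes the next byte, and any
    remaining 0x27 terminates the literal early."""
    i = 0
    while i < len(escaped):
        b = escaped[i]
        if is_lead(b) and i + 1 < len(escaped) and is_trail(escaped[i + 1]):
            i += 2
        elif b == 0x5C:
            i += 2
        elif b == 0x27:
            return True
        else:
            i += 1
    return False
```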



[Full-disclosure] [USN-849-1] libsndfile vulnerabilities

2009-10-15 Thread Jamie Strandboge
===
Ubuntu Security Notice USN-849-1   October 15, 2009
libsndfile vulnerabilities
CVE-2009-1788, CVE-2009-1791
===

A security issue affects the following Ubuntu releases:

Ubuntu 8.04 LTS
Ubuntu 8.10
Ubuntu 9.04

This advisory also applies to the corresponding versions of
Kubuntu, Edubuntu, and Xubuntu.

The problem can be corrected by upgrading your system to the
following package versions:

Ubuntu 8.04 LTS:
  libsndfile1 1.0.17-4ubuntu0.8.04.2

Ubuntu 8.10:
  libsndfile1 1.0.17-4ubuntu0.8.10.2

Ubuntu 9.04:
  libsndfile1 1.0.17-4ubuntu1.1

After a standard system upgrade you need to restart your session to effect
the necessary changes.

Details follow:

Tobias Klein discovered a heap-based buffer overflow in libsndfile. If a
user or automated system processed a crafted VOC file, an attacker could
cause a denial of service via application crash, or possibly execute
arbitrary code with the privileges of the user invoking the program.
(CVE-2009-1788)

Erik de Castro Lopo discovered a similar heap-based buffer overflow when
processing AIFF files. If a user or automated system processed a crafted
AIFF file, an attacker could cause a denial of service via application
crash, or possibly execute arbitrary code with the privileges of the user
invoking the program. (CVE-2009-1791)


Updated packages for Ubuntu 8.04 LTS:


Re: [Full-disclosure] Drupal XML Sitemap 6.x-1.1 XSS Vulnerability

2009-10-15 Thread Andrew Farmer
On 15 Oct 2009, at 07:24, Justin Klein Keane wrote:
 Applying the following patch mitigates these threats.

 - --- site_map/site_map.module2009-09-30 15:09:49.295134033 -0400
 +++ site_map/site_map.module  2009-09-30 15:09:30.09976 -0400
 @@ -14,7 +14,7 @@ function site_map_help($path, $arg) {
  switch ($path) {
case 'sitemap':
  $output = _sitemap_get_message();
 - - -  return $output ? 'p'. filter_xss($output) .'/p' : '';
 +  return $output ? 'p'. $output .'/p' : '';
  }
 }

Surely that should be the other way around?
