Re: [Full-disclosure] Draw a line under this non-sense, seriously
On Thu, 04 Mar 2010 19:52:44 GMT, "james o' hare" said: > Son of Ram today, what alias will you be using tomorrow? We were about to ask you the same thing, actually. pgpzO7To45QBj.pgp Description: PGP signature ___ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Re: [Full-disclosure] I am furious.
You are a fucking idiot. It will never end, will it? On Mon, Mar 1, 2010 at 10:48 AM, intel unit wrote: > -BEGIN PGP SIGNED MESSAGE- > Hash: SHA1 > > I am stopping using this web log, it's just being used by people not > interested in national security to paste my work to the Full-disclosure > mailing list to misrepresent me and my group. > > They tried to say I was a hacker with 0-day, I am furious. > > We are security experts, nothing to do with hackers and 0-day. > > I spend my life against hackers and 0-day, I suggest new laws > against hackers, and lobby the government to introduce new laws to > gain more intelligence about them. > > I am a strong policy maker within corporations against hackers and > 0-day. > > This misrepresentation is damaging and I am angry. > > I don't have just 1 0day. I have 26 0days and can hack anything if > the price is right. And I sell them to the bad guys, for the lulz. > I think being disloyal and a hypocrite is hilarious. > > I am a consummate civil servant, if I do say so myself. > > This web log is now closed, I got sum inboxin to do. > -BEGIN PGP SIGNATURE- > Charset: UTF8 > Note: This signature can be verified at https://www.hushtools.com/verify > Version: Hush 3.0 > > wpwEAQMCAAYFAkuMC/YACgkQwGoky+I7EovcNgP/VmABlM8SsYANvwEROSZIfrJYd1ZI > S83fggswtSrnNcRxzGYfh0KnXC694mlRd2Laq18w/wfNL6orCM4RnHGSyoFeSRK6dcMZ > yC2jpd79S/1xen/Lh5UIPNFQs8U8HJveWFxGnhm77GfSl1YQEIHsPo9eNsgz9wzdIOhu > cnfmq/Y= > =9yO5 > -END PGP SIGNATURE- > -- - Scott Ex Nihilo Nihil
[Full-disclosure] iDefense Security Advisory 03.04.10: Autonomy KeyView OLE Document Integer Overflow Vulnerability
iDefense Security Advisory 03.04.10 http://labs.idefense.com/intelligence/vulnerabilities/ Mar 04, 2010 I. BACKGROUND Autonomy KeyView SDK is a commercial SDK that provides many file format parsing libraries. It supports a large number of different document formats. KeyView is used by several popular vendors for processing documents. For more information, visit the URLs referenced below. http://www.autonomy.com/ II. DESCRIPTION Remote exploitation of an integer overflow vulnerability in Autonomy's KeyView Filter SDK allows attackers to execute arbitrary code with the privileges of the targeted application. This vulnerability occurs when processing specially crafted documents. When processing such a document, the software reads an integer value from the file and uses this integer, without validation, in an arithmetic operation to calculate the amount of memory to allocate. If a sufficiently large number is supplied, the calculation overflows, resulting in a buffer of insufficient size being allocated. The software then proceeds to copy data into this under-sized buffer. This results in an exploitable heap buffer overflow condition. III. ANALYSIS Exploitation of this vulnerability results in the execution of arbitrary code with the privileges of the targeted application. In order to exploit this vulnerability, an attacker must cause a specially crafted OLE file to be processed by an application using the Autonomy KeyView SDK. This includes file types such as PowerPoint, Excel, Word, as well as other document formats. The amount of user interaction required is tied to the way in which the KeyView SDK is used. In cases such as Lotus Notes, this requires that an attacker convince a user to view an e-mail attachment; however, in other cases, processing may take place automatically as a document is examined. The privileges that an attacker gains may be different for each application that uses the KeyView SDK. 
For example, exploiting this issue via Lotus Notes yields the current user's privileges while exploiting the vulnerability via Symantec Mail Security yields SYSTEM privileges. IV. DETECTION iDefense confirmed the existence of this vulnerability using the following versions of the affected software: kvolefio.dll version 8.5.0.8339, distributed with IBM Lotus Notes 8.5 kvolefio.dll version 10.5.0.0, distributed with Symantec Mail Security for Microsoft Exchange All versions of the KeyView SDK that include the "kvolefio.dll" library are suspected to be vulnerable. All applications that utilize Autonomy's KeyView SDK to process untrusted content are also believed to be vulnerable. A full list of vulnerable Symantec products can be found in Symantec Security Advisory SYM10-006. V. WORKAROUND For Symantec Mail Security, disabling "content filtering" will prevent exploitation. Unfortunately, disabling the affected "kvolefio.dll" library causes additional issues. Working around this issue by disabling filters would require all filters that utilize this module to be disabled. It is not clear at this time if this is even possible. iDefense will update this workaround once more information has been received from the vendor(s). VI. VENDOR RESPONSE Symantec Corporation has released a solution which addresses this issue. Information about downloadable vendor updates can be found by clicking on the URLs shown. http://www.symantec.com/business/security_response/securityupdates/detail.jsp?fid=security_advisory&pvid=security_advisory&year=2010&suid=20100304_00 VII. CVE INFORMATION The Common Vulnerabilities and Exposures (CVE) project has assigned the name CVE-2009-3032 to this issue. This is a candidate for inclusion in the CVE list (http://cve.mitre.org/), which standardizes names for security problems. VIII. DISCLOSURE TIMELINE 09/28/2009 Initial Vendor Notification 09/28/2009 Initial Vendor Reply 03/04/2010 Coordinated Public Disclosure IX. 
CREDIT This vulnerability was discovered by Joshua J. Drake of iDefense Labs. Get paid for vulnerability research http://labs.idefense.com/methodology/vulnerability/vcp.php Free tools, research and upcoming events http://labs.idefense.com/ X. LEGAL NOTICES Copyright © 2010 iDefense, Inc. Permission is granted for the redistribution of this alert electronically. It may not be edited in any way without the express written consent of iDefense. If you wish to reprint the whole or any part of this alert in any other medium other than electronically, please e-mail customerserv...@idefense.com for permission. Disclaimer: The information in the advisory is believed to be accurate at the time of publishing based on currently available information. Use of the information constitutes acceptance for use in an AS IS condition. There are no warranties with regard to this information. Neither the author nor the publisher accepts any liability for any direct, indirect, or consequential loss or damage arising from use of, or reliance on, this information.
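The arithmetic described in section II, modelled in Python as an added illustration for this advisory. It is not KeyView code: RECORD_SIZE and the stream layout (a little-endian 32-bit record count followed by the records) are assumptions, since the kvolefio.dll format is not public. It shows the unchecked 32-bit product beside a checked one, how a crafted file picks the count that wraps to a tiny buffer, and a parser that rejects that count before sizing or copying anything.

```python
"""Model of the allocation-size integer overflow described in section II.

Added illustration for this advisory; it is not KeyView code. RECORD_SIZE and
the stream layout (u32 little-endian record count, then the records) are
assumptions, since the kvolefio.dll format is not public.
"""
import struct

RECORD_SIZE = 16            # assumed per-record size
U32_MAX = 0xFFFFFFFF


def vuln_alloc_size(count):
    """Unchecked 32-bit product: wraps modulo 2**32 like `count * RECORD_SIZE` in C."""
    return (count * RECORD_SIZE) & U32_MAX


def safe_alloc_size(count):
    """Hardened: reject any count whose product does not fit in 32 bits (None on overflow)."""
    if count > U32_MAX // RECORD_SIZE:
        return None
    return count * RECORD_SIZE


def wrapping_count(target_size):
    """Smallest count whose 32-bit product wraps to target_size.

    This is how a crafted file is built: pick the tiny allocation you want,
    then solve count * RECORD_SIZE == target_size + 2**32.
    """
    total = target_size + (U32_MAX + 1)
    if total % RECORD_SIZE:
        raise ValueError("target_size must be a multiple of RECORD_SIZE")
    return total // RECORD_SIZE


def vulnerable_sizes(stream):
    """What the unpatched logic would do with `stream`: (bytes allocated, bytes the copy loop writes).

    The copy loop trusts the original count, so the second number is the
    unwrapped product; everything above the first lands past the buffer.
    """
    (count,) = struct.unpack_from("<I", stream, 0)
    return vuln_alloc_size(count), count * RECORD_SIZE


def parse_records(stream):
    """Hardened parser: validates the count before sizing the buffer and bounds the copy by the data present."""
    if len(stream) < 4:
        raise ValueError("short header")
    (count,) = struct.unpack_from("<I", stream, 0)
    need = safe_alloc_size(count)
    if need is None:
        raise ValueError("record count 0x%08x overflows the allocation size" % count)
    if need > len(stream) - 4:
        raise ValueError("declared %d bytes but only %d present" % (need, len(stream) - 4))
    payload = stream[4:4 + need]
    return [payload[i:i + RECORD_SIZE] for i in range(0, need, RECORD_SIZE)]


if __name__ == "__main__":
    # Constructed inputs: a crafted header that wraps to a 16-byte buffer, and a benign two-record stream.
    crafted = struct.pack("<I", wrapping_count(16)) + b"A" * 16
    benign = struct.pack("<I", 2) + bytes(2 * RECORD_SIZE)
    allocated, copied = vulnerable_sizes(crafted)
    print("crafted count 0x%08x -> allocates %d bytes, copies %d" % (wrapping_count(16), allocated, copied))
    for name, data in (("crafted", crafted), ("benign", benign)):
        try:
            print("%s: %d records parsed" % (name, len(parse_records(data))))
        except ValueError as err:
            print("%s: rejected (%s)" % (name, err))
```

The second check in parse_records (declared size against bytes actually present) is worth keeping even once the overflow is fixed: it is what stops a short file from driving the copy past the end of the input buffer.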
Re: [Full-disclosure] Draw a line under this non-sense, seriously
On Wed, Mar 3, 2010 at 3:18 AM, Son of Ram wrote: > Andrew, > > I'm happy that you've made the choice to settle down and have a > family. > > But wait a second, James O'Hare? > > Your behaviour of using pretextual identities is suspiciously > similar to all those escapades we had. > > Ah, 69? All about the family, isn't that true, Mr. Wallace? > > Perhaps you should run for political office. > > Did you meet this girlfriend on Yahoo chat just this morning? I'm > sure she feels very safe and secure having an authority-type figure > such as yourself with her. ;-) > > You had about 12 hours to chart a new life course, and I'm positive > you won't be back trolling this list ever again. > It was a good national security & intelligence blog and lots of experts were reading it, there was no reason for you to do what you did on Monday, but you decided to do it anyway. You ruined it for everyone else in the intelligence community, now they all need to be added to an invite list and the general public aren't able to read it, because of you. If it wasn't for you I wouldn't have been flamed into an argument on the list and wouldn't have been banned in January 2009 and I would still be contributing good information to the list, such as who I think was really behind various cyber attacks that have happened and be able to publicly post good cyber security policy suggestions to counter the attacks, such as Google Aurora. It just means for you less public information from the security & intelligence community that you don't get to know about. I have access to the information about cyber attacks and policy, I could be posting about it all, but that all ended in January 2009 because of you. It's all been thrown away and is not publicly available information because of you.
I have years of hands-on experience in cyber security, have entered into the intelligence community and had plenty to offer this list, if it wasn't for you who flamed me into an argument on purpose just so you could have me banned last year. I was never a troll, however you are one big troll. You don't have the interest of the security & intelligence community at heart, you just create random names to wind people up, I hate you, I completely hate you and I'm watching everything your *real body* person is up to. You wanted people to be more open with the public and release information about what's going on but you blew it in January 2009. I happily accepted being banned from the list, but you couldn't accept it and you started popping up aliases since January 2009 pretending to be me and people thought it was me, however it was you. I created a national security & intelligence blog instead at the beginning of 2010 because I was banned from the list in January 2009 to offer the public the information that I couldn't post to the list because of you. However, because of you, I can't even have a public blog now, because of you, and now nobody can be open and transparent with the public about what's *really* going on because of you. Keep the aliases coming, I'm sure our monitoring systems don't link them all up and know exactly who is posting even before they reach the list as they are travelling over the internet to the list server. You had the chance for the intelligence community to be more open with the public about what the bad guys are up to but you blew it big time. Son of Ram today, what alias will you be using tomorrow? Andrew
[Full-disclosure] CA20100304-01: Security Notice for CA SiteMinder
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 CA20100304-01: Security Notice for CA SiteMinder Issued: March 04, 2010 CA's support is alerting customers to a security risk with CA SiteMinder. Multiple cross site scripting (XSS) vulnerabilities exist that can allow a remote attacker to potentially gain sensitive information. CA has provided guidance to remediate the vulnerability. The vulnerabilities, CVE-2009-3731, are due to insufficient validation of input strings. An attacker can potentially steal network domain credentials by enticing a user to visit a web page that contains malicious content. Risk Rating Low Platforms Windows Solaris HP-UX Red Hat Linux Affected Products CA SiteMinder 6.0 (SP4 and earlier) How to determine if the installation is affected The vulnerability is caused by an issue with the publishing tool used to create the online help and HTML documentation for older CA SiteMinder releases (6.0 SP4 and earlier). This vulnerability affects CA SiteMinder in the following ways: * HTML versions of the product documentation for SiteMinder can be deployed on an individual system or through a web server. If product documentation has been deployed on a web server the SiteMinder 6.0 installation is vulnerable. * Online help systems for SiteMinder are deployed and accessible through a web server. This vulnerability applies to help systems. In both cases, this vulnerability applies if web access to the associated web servers has been configured to make use of non-public (client-specific) information. Solution CA SiteMinder: * Upgrade Policy Servers to the latest service pack for SiteMinder 6.0. Remove older versions of the product documentation from your servers. or * For Integrated Document sets, if you have deployed the HTML version of documentation to a web server, move the documentation to a file server and delete the documentation from the web server. 
* For Online Help systems, remove the help systems from the application folders and place them on a file system for future reference. Note that this will cause help links to fail in the associated applications. The folders that contain help systems are: o Administrative UI Help: \admin\help o Policy Server Management Console Help: \bin\smconsole-help o SiteMinder Test Tool Help: \bin\smtest-help References CVE-2009-3731 - WebWorks Help XSS Acknowledgement CVE-2009-3731 - Daniel Grzelak and Alex Kouzemtchenko of stratsec (www.stratsec.net) Change History Version 1.0: Initial Release If additional information is required, please contact CA Support at https://support.ca.com. If you discover a vulnerability in CA products, please report your findings to the CA Product Vulnerability Response Team. support.ca.com/irj/portal/anonymous/phpsupcontent?contentID=177782 Regards, Ken Williams, Director ; 0xE2941985 CA Product Vulnerability Response Team CA, 1 CA Plaza, Islandia, NY 11749 Contact http://www.ca.com/us/contact/ Legal Notice http://www.ca.com/us/legal/ Privacy Policy http://www.ca.com/us/privacy/ Copyright (c) 2010 CA. All rights reserved. -BEGIN PGP SIGNATURE- Version: PGP Desktop 9.12.0 (Build 1035) Charset: utf-8 wj8DBQFLj/EheSWR3+KUGYURAjW/AKCZ1+Azy2f5hZbm7bgKWEly2gDqUwCcD4+w 0C9OCgxqNtYbUZJXRAGWb7E= =KPvt -END PGP SIGNATURE-
[Full-disclosure] Apple Airport Wireless Products: Promiscuous FTP PORT Allowed in FTP Proxy Provides Security Bypass
The FTP proxy used in Apple's Airport Express, Airport Extreme, Time Capsule and possibly elsewhere doesn't check the client provided address and port given by the FTP PORT command against the IP address of the connecting client, or against the use of privileged ports. (The FTP PORT command is used by a FTP client to tell an FTP server which address and data port to initiate the data connection on.) The FTP proxy is used to provide assistance to clients operating in NAT environments served by the Apple products. FTP servers running behind a NAT with this assistance can have addresses in the command channel rewritten for them so that external clients can reach them when operating in passive mode. The ALG operates as a proxy server, assuming responsibility for connections to the FTP server, and must therefore also handle and modify rewriting of the PORT command. It looks like it might be ftp-proxy from PF. The effect of this problem is to allow anybody with access to the FTP port forwarded on the exterior side of an Apple Airport product that offers NAT to internal clients, which for a publicly-accessible FTP server is the big bad world, to induce an FTP server operating behind a NAT to send data to arbitrary addresses and ports. This is true even if the FTP server is configured to operate more securely, since it sees connections from the NAT's exterior interface, not the connecting client. This is useful for bouncing anonymous port scans off the victim NAT, or if data is available or can be written to and then read from the FTP server, potentially for anonymous attacks, spam, news floods, and other such badness. Any trust relationship and/or security implied or assumed by a NAT is also gone, since the PORT command can also specify private addresses, inside the NAT, for victimisation. Best of all, the gateway itself makes no log entry concerning FTP connections that have been run through the proxy. 
Workarounds: do not use FTP; do not trigger the use of the ALG (FTP proxy) by explicitly using ports other than 21 on the inbound port mapping. If you can't do those things, you can avoid the worst effects of this attack by disabling FTP uploads that can later be downloaded by anonymous users. Apple likes to keep secrets for the protection of its customers. Since the reasonable release of this advisory removes that protection, confidential information vouchsafed to me can be safely disclosed with no ill effects. Apple has a fix, and according to its last seemingly automatic template message, they are still testing it and do not know precisely when it will be released. This is confidential information. DO NOT DISCLOSE! Advisory history: Apple were notified on 4 Dec 2009, and responded promptly. They were given 60 days initially. Apple contacted me on 7 January 2010 to ask who to give credit to. Personal attribution. On 18 Jan I contacted Apple, advising that they'd passed the six weeks milestone. On 25 January I contacted Apple, advising that they'd passed the 7 weeks milestone. They volunteered confidential information. On 4 Feb, I urged Apple to tell me when a fix was to be issued, approximately. They'd had their two months, and release cycles happen, but I wanted news within a fortnight. Didn't they understand that their customers were at easy risk, and that keeping it quiet didn't change that? By today - that is, by about 3 months - they would certainly be beyond reconciliation. They volunteered confidential information. On 4 March, I got bored of waiting, and made this announcement. The fix is not out; apply workarounds, or trust to the fates and the security of your network. Cheers, Sabahattin smime.p7s Description: S/MIME cryptographic signature
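The two checks the advisory says the Airport ALG is missing, written out as an added Python example (this is not Apple's code, nor PF's ftp-proxy): parse the RFC 959 PORT command, require the data address to be the control connection's peer, refuse privileged ports, and log the decision, since the advisory notes the gateway records nothing about proxied FTP sessions. The client address 203.0.113.5 and the log format are constructed for the illustration.

```python
"""PORT-command policy the Airport FTP ALG is described above as lacking.

Added example for this advisory; not Apple's code and not PF ftp-proxy.
The peer address and log line format are constructed for the illustration.
"""
import ipaddress
import re

# RFC 959: PORT h1,h2,h3,h4,p1,p2  ->  address h1.h2.h3.h4, port p1*256 + p2
PORT_RE = re.compile(
    r"^PORT\s+(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\s*$",
    re.IGNORECASE,
)


def parse_port(line):
    """Parse a PORT command into (IPv4Address, port); ValueError on malformed input."""
    m = PORT_RE.match(line)
    if not m:
        raise ValueError("malformed PORT command")
    fields = [int(x) for x in m.groups()]
    if any(f > 255 for f in fields):
        raise ValueError("PORT field out of range")
    addr = ipaddress.IPv4Address(".".join(str(f) for f in fields[:4]))
    return addr, (fields[4] << 8) | fields[5]


def port_allowed(line, control_peer):
    """Decide whether a proxy should honour a client's PORT command.

    The data address must be the peer of the control connection, so the
    server behind the NAT cannot be bounced at third parties or at hosts
    inside the NAT, and the port must be unprivileged. Returns (allowed, reason).
    """
    try:
        addr, port = parse_port(line)
    except ValueError as err:
        return False, str(err)
    peer = ipaddress.IPv4Address(control_peer)
    if addr != peer:
        return False, "data address %s does not match control peer %s" % (addr, peer)
    if port < 1024:
        return False, "privileged data port %d" % port
    return True, "ok"


def filter_control_line(line, control_peer, log):
    """Proxy hook for one client->server control line.

    Returns (line_to_forward, reply_to_client). Non-PORT lines pass through
    untouched; a PORT line is forwarded only when port_allowed() agrees,
    otherwise nothing is forwarded and the client gets a 500. Every PORT
    decision is appended to `log`.
    """
    if not line.upper().startswith("PORT"):
        return line, None
    ok, reason = port_allowed(line, control_peer)
    log.append("%s %s: %s" % (control_peer, line.strip(), "forwarded" if ok else "rejected, " + reason))
    if ok:
        return line, None
    return None, "500 PORT rejected: %s\r\n" % reason


if __name__ == "__main__":
    # Constructed control-channel lines from a client at 203.0.113.5.
    session = [
        "USER anonymous\r\n",
        "PORT 203,0,113,5,200,10\r\n",   # own address, port 51210: fine
        "PORT 192,168,1,20,0,25\r\n",    # bounce at a host inside the NAT, port 25
        "PORT 198,51,100,7,0,80\r\n",    # bounce at a third party, port 80
    ]
    log = []
    for line in session:
        fwd, reply = filter_control_line(line, "203.0.113.5", log)
        print("%-32s forward=%r reply=%r" % (line.strip(), fwd is not None, reply))
    print("\n".join(log))
```

A proxy that applies port_allowed() still has to rewrite the address in the forwarded PORT line to its own interface, as the page explains the ALG does; the check simply has to happen before that rewrite, while the client-supplied address is still visible.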
[Full-disclosure] [ MDVSA-2010:054 ] pam_krb5
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 ___ Mandriva Linux Security Advisory MDVSA-2010:054 http://www.mandriva.com/security/ ___ Package : pam_krb5 Date: March 4, 2010 Affected: 2009.0, 2009.1, Enterprise Server 5.0 ___ Problem Description: Pam_krb5 2.2.14 through 2.3.4 generates different password prompts depending on whether the user account exists, which allows remote attackers to enumerate valid usernames (CVE-2009-1384). This update provides the version 2.3.5 of pam_krb5, which is not vulnerable to this issue. ___ References: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1384 ___ Updated Packages: Mandriva Linux 2009.0: 0d807317d9e0fd0d25b8cdfde550a813 2009.0/i586/pam_krb5-2.3.5-0.1mdv2009.0.i586.rpm eec3b496e0d49cdf5acc2938e87d7be9 2009.0/SRPMS/pam_krb5-2.3.5-0.1mdv2009.0.src.rpm Mandriva Linux 2009.0/X86_64: 5e51454148dda7c08020265d2c38b8c2 2009.0/x86_64/pam_krb5-2.3.5-0.1mdv2009.0.x86_64.rpm eec3b496e0d49cdf5acc2938e87d7be9 2009.0/SRPMS/pam_krb5-2.3.5-0.1mdv2009.0.src.rpm Mandriva Linux 2009.1: 7ee29d86ae8cf64ab1b9a2fa6d84e4de 2009.1/i586/pam_krb5-2.3.5-0.1mdv2009.1.i586.rpm c032fb6b8490cb5c1898a333e4f8b07e 2009.1/SRPMS/pam_krb5-2.3.5-0.1mdv2009.1.src.rpm Mandriva Linux 2009.1/X86_64: 8a0ff5a977f141f1c494f316280966c5 2009.1/x86_64/pam_krb5-2.3.5-0.1mdv2009.1.x86_64.rpm c032fb6b8490cb5c1898a333e4f8b07e 2009.1/SRPMS/pam_krb5-2.3.5-0.1mdv2009.1.src.rpm Mandriva Enterprise Server 5: 81a267d32261fca0544deb4a41226fb8 mes5/i586/pam_krb5-2.3.5-0.1mdvmes5.i586.rpm 24dbd8d940e0d842577d3ce7f8c7ee00 mes5/SRPMS/pam_krb5-2.3.5-0.1eugeni2010.1.src.rpm Mandriva Enterprise Server 5/X86_64: 8d5fa51d3bb8b9c1adb9b2f8e65a8885 mes5/x86_64/pam_krb5-2.3.5-0.1mdvmes5.x86_64.rpm 24dbd8d940e0d842577d3ce7f8c7ee00 mes5/SRPMS/pam_krb5-2.3.5-0.1eugeni2010.1.src.rpm ___ To upgrade automatically use MandrivaUpdate or urpmi. The verification of md5 checksums and GPG signatures is performed automatically for you. All packages are signed by Mandriva for security. 
You can obtain the GPG public key of the Mandriva Security Team by executing: gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98 You can view other update advisories for Mandriva Linux at: http://www.mandriva.com/security/advisories If you want to report vulnerabilities, please contact security_(at)_mandriva.com ___ Type Bits/KeyID Date User ID pub 1024D/22458A98 2000-07-10 Mandriva Security Team -BEGIN PGP SIGNATURE- Version: GnuPG v1.4.9 (GNU/Linux) iD8DBQFLj7FzmqjQ0CJFipgRAr2uAJ4/lXZzr3XVPgd30y/NNkZdqsh4AACff9XE Oopf/jjCQ/wYzq1hfiRmXOM= =lnmi -END PGP SIGNATURE-
[Full-disclosure] NSOADV-2010-006: Authentium Command Free Scan ActiveX Control buffer overflow
NSOADV-2010-006: Authentium Command Free Scan ActiveX Control buffer overflow

Title: Authentium Command On Demand ActiveX Control Buffer Overflow
Severity: High
Advisory ID: NSOADV-2010-006
Found Date: 15.02.2010
Date Reported: 22.02.2010
Release Date: 04.03.2010
Author: Nikolas Sotiriu
Website: http://sotiriu.de
Twitter: http://twitter.com/nsoresearch
Mail: nso-research at sotiriu.de
URL: http://sotiriu.de/adv/NSOADV-2009-006.txt
Vendor: Authentium (http://www.authentium.com/)
Affected Products: Authentium Command On Demand Online Scan (http://www.commandondemand.com/)
Affected Component: CSS Web Installer ActiveX V.1.4.9508.605
Remote Exploitable: Yes
Local Exploitable: No
Patch Status: No Patch (See Solution)
Discovered by: Nikolas Sotiriu
Disclosure Policy: http://sotiriu.de/policy.html
Thanks to: Thierry Zoller, for permission to use his policy

Background: Authentium Command On Demand is a highly-effective, totally free virus scanner. Command on Demand scans for more than half a million Internet threats, using definition files that are updated daily (product description from website).

Description: Remote exploitation of a buffer overflow vulnerability in the Authentium Command On Demand online scanner service could allow an attacker to execute arbitrary code within the security context of the targeted user.
The affected function is "InstallProduct1". The functions "InstallProduct" and "InstallProduct2" appear to be vulnerable as well.

Name: CSS Web Installer Class
Vendor: Authentium, Inc.
Type: ActiveX-Control
Version: 1.4.9508.605
Prog ID: CSSWEBLib.Installer
GUID: {6CCE3920-3183-4B3D-808A-B12EB769DE12}
File: cssweb.dll
Folder: C:\WINDOWS\Downloaded Program Files\
Safe for Script: True
Safe for Init: True
IObjectSafety: False

Proof of Concept: http://sotiriu.de/software/NSOPOC-2010-006.zip

Solution: The product is no longer supported. Disable the vulnerable ActiveX control by setting the kill bit for CLSID {6CCE3920-3183-4B3D-808A-B12EB769DE12}. Save the following text as a .REG file and import it to set the kill bit for this control:

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{6CCE3920-3183-4B3D-808A-B12EB769DE12}]
"Compatibility Flags"=dword:0400

More information about how to set the kill bit is available in Microsoft Support Document 240797 (http://support.microsoft.com/kb/240797).

Disclosure Timeline (/MM/DD): 2010.02.15: Vulnerability found 2010.02
[Full-disclosure] Open redirection vulnerability in the Drupal API function drupal_goto (Drupal 6.15 and 5.21)
Open redirection vulnerability in the Drupal API function drupal_goto (Drupal 6.15 and 5.21) Discovered by Martin Barbella Description of Vulnerability: - Drupal is a free software package that allows an individual or a community of users to easily publish, manage and organize a wide variety of content on a website (http://drupal.org/about). The drupal_goto API function is meant to "send the user to a different Drupal page. This issues an on-site HTTP redirect. The function makes sure the redirected URL is formatted correctly" (http://api.drupal.org/api/function/drupal_goto). This function will also check $_REQUEST['destination'] and $_REQUEST['edit']['destination'], and if either of these variables are set, will override any specified path with the path element of the associative array returned when passing either request variable through parse_url. When a URL such as "trickparseurl:http://cwe.mitre.org/data/definitions/601.html"; is passed to PHP's parse_url function, it will return: array(2) { ["scheme"]=> string(13) "trickparseurl" ["path"]=> string(46) "http://cwe.mitre.org/data/definitions/601.html"; } This causes the Drupal API function url to treat what is meant to be a relative path as an external URL, which a user would then be redirected to. It is important to note that using a destination such as "http://example.com/"; would not result in an external redirect on its own. Systems affected: - This issue has been corrected in Drupal 6.16 and 5.22. Earlier versions are affected. Impact: --- This API function is called by many of Drupal's core modules, as well as various contributed modules. It affects form handlers, including the login form handler, so almost all Drupal sites would be affected by this. Open redirection vulnerabilities can be exploited by attackers attempting phishing scams to give their attempts a more trustworthy appearance. 
Mitigating factors: --- The path is parsed by the Drupal API url function, which will check that the protocols of URLs it determines to be external are among a set of approved protocols. This prevents redirection to URLs with protocols such as data: or javascript:. Proof of concept: - 1. Install Drupal 5.22 or 6.15 2. Visit http://site/?q=user/login&destination=trickparseurl:http://cwe.mitre.org/data/definitions/601.html 3. Log in with valid credentials, as the redirect will only happen on a successful login (otherwise, a login failed error will be displayed) 4. Note that you will be redirected to the CWE page on open redirection vulnerabilities Solution: - Upgrade to one of the latest versions of Drupal (6.16 or 5.22). Timeline: - 2010-02-17 - Drupal Security notified 2010-02-18 - Response from Drupal Security 2010-03-03 - Drupal 6.16 and 5.22 released 2010-03-04 - Public disclosure
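A model of the redirect logic described above, as an added Python example rather than Drupal's own code. It reproduces the parse_url() path trick (Python's urlsplit behaves the same way on a bogus leading scheme), the url() external-versus-internal decision with the protocol check from the mitigating factors, the pre-6.16 drupal_goto() override, and a hardened variant. BASE_URL, the protocol allowlist (a subset of Drupal's) and the hardened check are assumptions; the actual 6.16 / 5.22 patch may differ in detail.

```python
"""Model of the drupal_goto() open redirect described in this advisory.

Added illustration, not Drupal's code: BASE_URL, the protocol allowlist
(a subset of Drupal's) and the hardened variant are assumptions; the actual
6.16 / 5.22 patch may differ in detail.
"""
from urllib.parse import urlsplit

BASE_URL = "http://site"                      # assumed site base URL
ALLOWED_PROTOCOLS = {"http", "https", "ftp"}  # assumed subset of Drupal's allowlist


def parse_url_path(destination):
    """The parse_url()['path'] step. For 'trickparseurl:http://host/x' both PHP's
    parse_url() and urlsplit() report scheme 'trickparseurl' and leave
    'http://host/x' in the path, which is the whole trick."""
    return urlsplit(destination).path


def url_is_external(path):
    """How url() decides a path is off-site: it carries '://' or is scheme-relative."""
    return "://" in path or path.startswith("//")


def url(path):
    """Model of Drupal's url(): external targets pass through after the protocol
    check (the mitigating factor above); internal ones are prefixed with BASE_URL."""
    if url_is_external(path):
        scheme = urlsplit(path).scheme.lower()
        if scheme and scheme not in ALLOWED_PROTOCOLS:
            raise ValueError("protocol not allowed: " + scheme)
        return path
    return BASE_URL + "/" + path.lstrip("/")


def drupal_goto_vulnerable(path, request):
    """Pre-6.16 / pre-5.22 behaviour as described: a destination request
    parameter overrides `path` with its parsed path element, unconditionally.
    (The real function also honours edit[destination]; omitted here.)"""
    if "destination" in request:
        path = parse_url_path(request["destination"])
    return url(path)


def drupal_goto_fixed(path, request):
    """Hardened variant (illustrative): honour the destination only when it has
    no scheme of its own and its path element still resolves on-site."""
    if "destination" in request:
        dest = request["destination"]
        candidate = parse_url_path(dest)
        if urlsplit(dest).scheme == "" and not url_is_external(candidate):
            path = candidate
    return url(path)


if __name__ == "__main__":
    # Constructed requests mirroring the proof of concept: login succeeded, redirect now.
    trick = "trickparseurl:http://cwe.mitre.org/data/definitions/601.html"
    for dest in (trick, "http://example.com/", "node/1"):
        print("destination=%r" % dest)
        print("  vulnerable -> %s" % drupal_goto_vulnerable("user", {"destination": dest}))
        print("  fixed      -> %s" % drupal_goto_fixed("user", {"destination": dest}))
```

The model also shows why a plain "http://example.com/" destination is harmless on its own: parse_url() reduces it to the path "/", which url() treats as on-site, exactly as the advisory notes.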
[Full-disclosure] [SECURITY] [DSA 2007-1] New cups packages fix arbitrary code execution
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 - -- Debian Security Advisory DSA-2007-1secur...@debian.org http://www.debian.org/security/ Nico Golde March 3rd, 2010 http://www.debian.org/security/faq - -- Package: cups Vulnerability : format string vulnerability Problem type : local Debian-specific: no Debian bug : none CVE ID : CVE-2010-0393 Ronald Volgers discovered that the lppasswd component of the cups suite, the Common UNIX Printing System, is vulnerable to format string attacks due to insecure use of the LOCALEDIR environment variable. An attacker can abuse this behaviour to execute arbitrary code via crafted localization files and triggering calls to _cupsLangprintf(). This works as the lppasswd binary happens to be installed with setuid 0 permissions. For the stable distribution (lenny), this problem has been fixed in version 1.3.8-1+lenny8. For the testing distribution (squeeze) this problem will be fixed soon. For the unstable distribution (sid) this problem has been fixed in version 1.4.2-9.1. We recommend that you upgrade your cups packages. Upgrade instructions - wget url will fetch the file for you dpkg -i file.deb will install the referenced file. If you are using the apt-get package manager, use the line for sources.list as given below: apt-get update will update the internal database apt-get upgrade will install corrected packages You may use an automated update by adding the resources from the footer to the proper configuration. Debian GNU/Linux 5.0 alias lenny - Debian (stable) - --- Stable updates are available for alpha, amd64, arm, armel, hppa, i386, ia64, mips, mipsel, powerpc, s390 and sparc. 
Source archives: http://security.debian.org/pool/updates/main/c/cups/cups_1.3.8-1+lenny8.dsc Size/MD5 checksum: 1837 a511bb4de5c768a4862a55d227a4ff70 http://security.debian.org/pool/updates/main/c/cups/cups_1.3.8-1+lenny8.diff.gz Size/MD5 checksum: 189649 82c747daa3ed7bb71e10094a50a0cabd http://security.debian.org/pool/updates/main/c/cups/cups_1.3.8.orig.tar.gz Size/MD5 checksum: 4796827 10efe9825c1a1dcd325be47a6cc21faf Architecture independent packages: http://security.debian.org/pool/updates/main/c/cups/cups-common_1.3.8-1+lenny8_all.deb Size/MD5 checksum: 1181030 11167383d8fa0f8518cb550e4946c109 http://security.debian.org/pool/updates/main/c/cups/cupsys-common_1.3.8-1+lenny8_all.deb Size/MD5 checksum:52398 15e639e1ac4d44042e5e5245d0670cb9 http://security.debian.org/pool/updates/main/c/cups/cupsys-bsd_1.3.8-1+lenny8_all.deb Size/MD5 checksum:52398 796f92741e989eac9ba214ede18630d8 http://security.debian.org/pool/updates/main/c/cups/libcupsys2-dev_1.3.8-1+lenny8_all.deb Size/MD5 checksum:52406 2bce3838eaf23010ab40842e6cd15b64 http://security.debian.org/pool/updates/main/c/cups/cupsys-dbg_1.3.8-1+lenny8_all.deb Size/MD5 checksum:52398 57ee5c01a3a6b88e9dd73a5fae4052e6 http://security.debian.org/pool/updates/main/c/cups/libcupsys2_1.3.8-1+lenny8_all.deb Size/MD5 checksum:52398 a57e7e5775ef54f3b173aa78cb56925c http://security.debian.org/pool/updates/main/c/cups/cupsys-client_1.3.8-1+lenny8_all.deb Size/MD5 checksum:52402 e558bca7e419849e9985fab5b253d541 http://security.debian.org/pool/updates/main/c/cups/cupsys_1.3.8-1+lenny8_all.deb Size/MD5 checksum:52382 6fb5db2ff939a66c82805069e2673122 alpha architecture (DEC Alpha) http://security.debian.org/pool/updates/main/c/cups/libcups2-dev_1.3.8-1+lenny8_alpha.deb Size/MD5 checksum: 445498 e4c86a6a0e2956a543432ea47d2b4e4d http://security.debian.org/pool/updates/main/c/cups/cups-client_1.3.8-1+lenny8_alpha.deb Size/MD5 checksum: 119902 54fbde6934338f62546a3a9d63366e24 
http://security.debian.org/pool/updates/main/c/cups/libcupsimage2_1.3.8-1+lenny8_alpha.deb Size/MD5 checksum: 108236 b5585a98bb2ba4395aa8b995663eb449 http://security.debian.org/pool/updates/main/c/cups/cups-bsd_1.3.8-1+lenny8_alpha.deb Size/MD5 checksum:39296 ba38fb23064f0265b08e634c5553680c http://security.debian.org/pool/updates/main/c/cups/libcupsimage2-dev_1.3.8-1+lenny8_alpha.deb Size/MD5 checksum:81528 586baf5c22624b387b17522f9336a62f http://security.debian.org/pool/updates/main/c/cups/libcups2_1.3.8-1+lenny8_alpha.deb Size/MD5 checksum: 178786 855af4932cc8c4d8fa79615cfb9268d7 http://security.debian.org/pool/updates/main/c/cups/cups-dbg_1.3.8-1+lenny8_alpha.deb Size/MD5 checksum: 1149260 0655f89a290365b71040ad2ab6d5708e http://security.debian.org/pool/updates/main/c/cups/cups_1.3.8-1+lenny8_alpha.deb Size/MD5 checksum: 2103240 eb83ee8de10a7bd5
[Full-disclosure] new facebook vulnerability
http://intothesymmetry.blogspot.com/2010/02/facebook-vulnerability-2.html
[Full-disclosure] IETF effort: Security Assessment of the Internet Protocol
Folks, We're close to shipping the IETF Internet-Draft "Security Assessment of the Internet Protocol" for publication as an IETF RFC. The draft is available at: http://tools.ietf.org/id/draft-ietf-opsec-ip-security-02.txt FYI, this document is heavily based on the document "Security Assessment of the Internet Protocol" that I wrote for CPNI a couple of years ago, and that is available at: http://www.cpni.gov.uk/Docs/InternetProtocol.pdf Any comments will be more than welcome! -- feel free to post them here, or send them unicast to me at: ferna...@gont.com.ar Thanks! Kind regards, Fernando Gont