[Full-disclosure] Sagan 0.1.8 release | SEIM tool
Sagan [http://sagan.softwink.com]
By Champ Clark III
The Softwink Team: http://www.softwink.com
Copyright (C) 2009-2011 Softwink, Inc., et al.

Softwink, Inc. [https://www.softwink.com] is proud to release Sagan version 0.1.8 [http://sagan.softwink.com].

What is Sagan?

Sagan is multi-threaded, real-time system- and event-log monitoring software, but with a twist. Sagan uses a Snort-like rule set for detecting nefarious events happening on your network and/or computer systems. If Sagan detects a bad thing happening, it can do a number of things with that information. For example, Sagan can store the information to a Snort MySQL database for viewing with utilities like Snorby [http://www.snorby.org], it can send e-mail(s) about the event to the appropriate personnel, it can store to a Prelude back end, it can also spawn external utilities, as well as numerous other things. Sagan can also correlate the events with your Intrusion Detection/Intrusion Prevention (IDS/IPS) system and basically acts like an SIEM (Security Information Log Management) system.

What's new in Sagan?

* Unified2 output. [src/output-plugins/sagan-unified2.c]
  This allows Sagan to work in conjunction with programs like Barnyard2 [http://www.securixlive.com/barnyard2/] or Snoge [http://leonward.wordpress.com/snoge/]. Via Barnyard, Sagan can also access output formats such as:
  - MySQL, PostgreSQL, MS-SQL, Oracle (which can give you access to Sagan data alongside your IDS/IPS data using consoles like Snorby [http://www.snorby.org] or BASE.)
  - The Prelude framework
  - Sguil
  - ...and many more...

* Liblognorm functionality
  Liblognorm is a log normalization library that Sagan can use to extract useful information from logged messages, including TCP/IP information, user-names, uid, etc. This library/project was started by Rainer Gerhards of Rsyslog fame and is being designed from the Mitre CEE (Common Event Expression) standard (not released/complete).
  For more information, please see: http://www.liblognorm.com/news/introducing-liblognorm and http://cee.mitre.org.

* PLOG support [src/sagan-plog.c]
  This is a syslog-based sniffer created from Marcus J. Ranum's plog work. Sagan can spawn a thread that will sniff the wire for syslog traffic. If traffic is seen, it is re-injected into /dev/log for Sagan to analyze and/or archive. This is handy for environments resistant to changes.

* Many, many bug fixes.

Other Sagan features:

* Native threaded output support to Snort databases (MySQL/PostgreSQL)
* Native threaded Prelude plug-in
* Threaded libesmtp support (SMTP/e-mail triggered events) based on rule criteria or general Sagan configuration
* Native threaded Logzilla support (MySQL/PostgreSQL)
* 'Snort'-like rule set making Sagan compatible with rule management utilities like oinkmaster and pulled pork
* Sagan can spawn external programs when events get triggered. This way, you can write your own plugin in the language you choose (perl, C, python, ruby, etc).

For more information, please see: http://sagan.softwink.com

Thanks!,
Champ Clark III

--
Champ Clark III | Softwink, Inc | 800-538-9357 x 101
http://www.softwink.com
GPG Key ID: 58A2A58F
Key fingerprint = 7734 2A1C 007D 581E BDF7 6AD5 0F1F 655F 58A2 A58F
If it wasn't for C, we'd be using BASI, PASAL and OBOL.

___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
[Full-disclosure] Deferral Announcement for the March 2011 Cisco IOS Software Security Advisories
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Cisco PSIRT regularly discloses vulnerabilities in Cisco IOS Software on the fourth Wednesday in March and September via the Cisco IOS Security Advisory bundle. The next bundled disclosure was planned for Wednesday, March 23, 2011, but Cisco will defer this disclosure until the next scheduled Cisco IOS bundle on September 28, 2011.

Cisco has a long-standing policy of disclosing vulnerabilities to customers and the public simultaneously to ensure equal access to patched software. Based on recent events in Japan and eastern Asia, we are sensitive to the fact that customers globally are impacted directly or indirectly by these events and may not be able to respond effectively to the scheduled disclosure event. This regional disaster has not affected the ability of Cisco to disclose vulnerability information.

In keeping with our policy, if we see evidence of active exploitation of a vulnerability that could lead to increased risk for Cisco customers, we will disclose appropriate information out of cycle.

Please direct any questions about this announcement to either ps...@cisco.com or your local Cisco support team.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)

iF4EAREIAAYFAk2CKzMACgkQQXnnBKKRMNBLjgD/bPLtpIYQd/8DSNfx9/PQg1jA
Wmpe6qGaHA3L1YXSzP0A/i7Kyal+nGaJJnqwSsAzaQeV+Lh261Ah9fozXSBba0Kb
=kX8s
-----END PGP SIGNATURE-----
[Full-disclosure] [ MDVSA-2011:046 ] pure-ftpd
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

___
Mandriva Linux Security Advisory                         MDVSA-2011:046
http://www.mandriva.com/security/
___

Package : pure-ftpd
Date    : March 17, 2011
Affected: 2009.0, 2010.0, 2010.1, Corporate 4.0, Enterprise Server 5.0
___

Problem Description:

A security flaw was discovered in pure-ftpd which allows plaintext command injection over TLS (similar to CVE-2011-0411).

Packages for 2009.0 are provided as of the Extended Maintenance Program. Please visit this link to learn more: http://store.mandriva.com/product_info.php?cPath=149&products_id=490

The updated packages have been patched to correct this issue.
___

References:

http://www.postfix.org/CVE-2011-0411.html
___

Updated Packages:

Mandriva Linux 2009.0:
ed4ae86475a00faaadbda5683ee496f5  2009.0/i586/pure-ftpd-1.0.21-8.1mdv2009.0.i586.rpm
0dea42dbd5958a0a4a4e8a47d020062a  2009.0/i586/pure-ftpd-anon-upload-1.0.21-8.1mdv2009.0.i586.rpm
3f3c60fbe60ffa16a542ae78868042c1  2009.0/i586/pure-ftpd-anonymous-1.0.21-8.1mdv2009.0.i586.rpm
32f302505171f7d7801acec8e0aac0ab  2009.0/SRPMS/pure-ftpd-1.0.21-8.1mdv2009.0.src.rpm

Mandriva Linux 2009.0/X86_64:
9fbbd20ce659012dcef2ea534b3e065c  2009.0/x86_64/pure-ftpd-1.0.21-8.1mdv2009.0.x86_64.rpm
d953ece1911ad4f744b5fe5f704c2e9e  2009.0/x86_64/pure-ftpd-anon-upload-1.0.21-8.1mdv2009.0.x86_64.rpm
fd131923aa12607939a33ab0d5a47690  2009.0/x86_64/pure-ftpd-anonymous-1.0.21-8.1mdv2009.0.x86_64.rpm
32f302505171f7d7801acec8e0aac0ab  2009.0/SRPMS/pure-ftpd-1.0.21-8.1mdv2009.0.src.rpm

Mandriva Linux 2010.0:
580032400f3f536b90509404bfa5ff50  2010.0/i586/pure-ftpd-1.0.22-1.1mdv2010.0.i586.rpm
05fe3428a8378f9c7e8282d9e62c9fdf  2010.0/i586/pure-ftpd-anon-upload-1.0.22-1.1mdv2010.0.i586.rpm
8e63f703e071bf7f819b98cb96eeab1d  2010.0/i586/pure-ftpd-anonymous-1.0.22-1.1mdv2010.0.i586.rpm
5370b6f3148695cae7d37dd7a79c4158  2010.0/SRPMS/pure-ftpd-1.0.22-1.1mdv2010.0.src.rpm

Mandriva Linux 2010.0/X86_64:
897957ada6eadf9e87bae3e26ff442fe  2010.0/x86_64/pure-ftpd-1.0.22-1.1mdv2010.0.x86_64.rpm
add9ece828990b566192691992e43cc6  2010.0/x86_64/pure-ftpd-anon-upload-1.0.22-1.1mdv2010.0.x86_64.rpm
6c82671449daf5c7b9d6e40c4c33939b  2010.0/x86_64/pure-ftpd-anonymous-1.0.22-1.1mdv2010.0.x86_64.rpm
5370b6f3148695cae7d37dd7a79c4158  2010.0/SRPMS/pure-ftpd-1.0.22-1.1mdv2010.0.src.rpm

Mandriva Linux 2010.1:
441c80d9c965274c99d34fce9a4bb6ca  2010.1/i586/pure-ftpd-1.0.29-2.1mdv2010.2.i586.rpm
f73c5b101a3100fa5ccf7be95cb820c1  2010.1/i586/pure-ftpd-anon-upload-1.0.29-2.1mdv2010.2.i586.rpm
1bf7c0076615559f213f9e90aabe1ee3  2010.1/i586/pure-ftpd-anonymous-1.0.29-2.1mdv2010.2.i586.rpm
77f0d44baa44e8abc0a5393154d1e347  2010.1/SRPMS/pure-ftpd-1.0.29-2.1mdv2010.2.src.rpm

Mandriva Linux 2010.1/X86_64:
7f83617195a06fe87d4fe91f78256ea8  2010.1/x86_64/pure-ftpd-1.0.29-2.1mdv2010.2.x86_64.rpm
d0428e106e4c4233a266b62b1208f63e  2010.1/x86_64/pure-ftpd-anon-upload-1.0.29-2.1mdv2010.2.x86_64.rpm
04a2e708f8334b33fda7975f72c9afd0  2010.1/x86_64/pure-ftpd-anonymous-1.0.29-2.1mdv2010.2.x86_64.rpm
77f0d44baa44e8abc0a5393154d1e347  2010.1/SRPMS/pure-ftpd-1.0.29-2.1mdv2010.2.src.rpm

Corporate 4.0:
2054ec719cbd8c9be8ad7e9bc654f79e  corporate/4.0/i586/pure-ftpd-1.0.20-7.1.20060mlcs4.i586.rpm
2614d3560204ffb498f6c49453442d05  corporate/4.0/i586/pure-ftpd-anon-upload-1.0.20-7.1.20060mlcs4.i586.rpm
1fb356298d6a5c4b50b6822e8dde3e0b  corporate/4.0/i586/pure-ftpd-anonymous-1.0.20-7.1.20060mlcs4.i586.rpm
63859bd845934e2d382fd2406a1fd9f7  corporate/4.0/SRPMS/pure-ftpd-1.0.20-7.1.20060mlcs4.src.rpm

Corporate 4.0/X86_64:
b4d4edc6889d96135330b98057bf5396  corporate/4.0/x86_64/pure-ftpd-1.0.20-7.1.20060mlcs4.x86_64.rpm
99ffba7cc4e729a617ca45a10baa9125  corporate/4.0/x86_64/pure-ftpd-anon-upload-1.0.20-7.1.20060mlcs4.x86_64.rpm
b84684dfd4166dcf6def917014355b76  corporate/4.0/x86_64/pure-ftpd-anonymous-1.0.20-7.1.20060mlcs4.x86_64.rpm
63859bd845934e2d382fd2406a1fd9f7  corporate/4.0/SRPMS/pure-ftpd-1.0.20-7.1.20060mlcs4.src.rpm

Mandriva Enterprise Server 5:
3e3694e0220ab4cfc55b3d0614443d5d  mes5/i586/pure-ftpd-1.0.21-8.1mdvmes5.2.i586.rpm
c281cdd9b6ab44f956802cbd9d327e36  mes5/i586/pure-ftpd-anon-upload-1.0.21-8.1mdvmes5.2.i586.rpm
ab25c5522a053fddf570a7af29f79db7  mes5/i586/pure-ftpd-anonymous-1.0.21-8.1mdvmes5.2.i586.rpm
71436d40f9fe4780edc71f326a71324c  mes5/SRPMS/pure-ftpd-1.0.21-8.1mdvmes5.2.src.rpm

Mandriva Enterprise Server 5/X86_64:
dd4fbf6ccb18a342b91b2bdc07048fd9  mes5/x86_64/pure-ftpd-1.0.21-8.1mdvmes5.2.x86_64.rpm
70a0f49eaca5fd8f7a80967810fbfb7d
[Full-disclosure] [USN-1079-3] OpenJDK 6 vulnerabilities
===
Ubuntu Security Notice USN-1079-3                          March 17, 2011
openjdk-6b18 vulnerabilities
CVE-2010-4448, CVE-2010-4450, CVE-2010-4465, CVE-2010-4469, CVE-2010-4470, CVE-2010-4471, CVE-2010-4472, CVE-2010-4476, CVE-2011-0706
===

A security issue affects the following Ubuntu releases:

Ubuntu 10.10

This advisory also applies to the corresponding versions of Kubuntu, Edubuntu, and Xubuntu.

The problem can be corrected by upgrading your system to the following package versions:

Ubuntu 10.10:
  icedtea6-plugin        6b18-1.8.7-0ubuntu2.1
  openjdk-6-jre          6b18-1.8.7-0ubuntu2.1
  openjdk-6-jre-headless 6b18-1.8.7-0ubuntu2.1

After a standard system update you need to restart any Java services, applications or applets to make all the necessary changes.

Details follow:

USN-1079-2 fixed vulnerabilities in OpenJDK 6 for armel (ARM) architectures in Ubuntu 9.10 and Ubuntu 10.04 LTS. This update fixes vulnerabilities in OpenJDK 6 for armel (ARM) architectures for Ubuntu 10.10.

Original advisory details:

It was discovered that untrusted Java applets could create domain name resolution cache entries, allowing an attacker to manipulate name resolution within the JVM. (CVE-2010-4448)

It was discovered that the Java launcher did not properly set up the LD_LIBRARY_PATH environment variable. A local attacker could exploit this to execute arbitrary code as the user invoking the program. (CVE-2010-4450)

It was discovered that within the Swing library, forged timer events could allow bypass of SecurityManager checks. This could allow an attacker to access restricted resources. (CVE-2010-4465)

It was discovered that certain bytecode combinations confused memory management within the HotSpot JVM. This could allow an attacker to cause a denial of service through an application crash or possibly inject code. (CVE-2010-4469)

It was discovered that the way JAXP components were handled allowed them to be manipulated by untrusted applets. An attacker could use this to bypass XML processing restrictions and elevate privileges. (CVE-2010-4470)

It was discovered that the Java2D subcomponent, when processing broken CFF fonts, could leak system properties. (CVE-2010-4471)

It was discovered that a flaw in the XML Digital Signature component could allow an attacker to cause untrusted code to replace the XML Digital Signature Transform or C14N algorithm implementations. (CVE-2010-4472)

Konstantin Preißer and others discovered that specific double literals were improperly handled, allowing a remote attacker to cause a denial of service. (CVE-2010-4476)

It was discovered that the JNLPClassLoader class when handling multiple signatures allowed remote attackers to gain privileges due to the assignment of an inappropriate security descriptor. (CVE-2011-0706)

Updated packages for Ubuntu 10.10:

Source archives:

http://security.ubuntu.com/ubuntu/pool/main/o/openjdk-6b18/openjdk-6b18_6b18-1.8.7-0ubuntu2.1.diff.gz
  Size/MD5: 149561 b35ae7a82db49282379d36e7ece58484
http://security.ubuntu.com/ubuntu/pool/main/o/openjdk-6b18/openjdk-6b18_6b18-1.8.7-0ubuntu2.1.dsc
  Size/MD5: 3015 04cb459aeaab6c228e722caf07a44de9
http://security.ubuntu.com/ubuntu/pool/main/o/openjdk-6b18/openjdk-6b18_6b18-1.8.7.orig.tar.gz
  Size/MD5: 71430490 b2811b2e53cd9abaad6959d33fe10d19

armel architecture (ARM Architecture):

http://ports.ubuntu.com/pool/main/o/openjdk-6b18/icedtea-6-jre-cacao_6b18-1.8.7-0ubuntu2.1_armel.deb
  Size/MD5: 377802 d4439da20492eafbccb33e2fe979e8c9
http://ports.ubuntu.com/pool/main/o/openjdk-6b18/icedtea6-plugin_6b18-1.8.7-0ubuntu2.1_armel.deb
  Size/MD5: 78338 7bdf93e00fd81dc82fd0d9a8b4e905c7
http://ports.ubuntu.com/pool/main/o/openjdk-6b18/openjdk-6-dbg_6b18-1.8.7-0ubuntu2.1_armel.deb
  Size/MD5: 85497146 1512e0d6563dd5120729cf5b993c618c
http://ports.ubuntu.com/pool/main/o/openjdk-6b18/openjdk-6-demo_6b18-1.8.7-0ubuntu2.1_armel.deb
  Size/MD5: 1545620 544c54891d44bdac534c81318a7f2bcb
http://ports.ubuntu.com/pool/main/o/openjdk-6b18/openjdk-6-jdk_6b18-1.8.7-0ubuntu2.1_armel.deb
  Size/MD5: 9140042 0a2d6ed937081800baeb6fc55326a754
http://ports.ubuntu.com/pool/main/o/openjdk-6b18/openjdk-6-jre-headless_6b18-1.8.7-0ubuntu2.1_armel.deb
  Size/MD5: 30092886 4cc5ad7c54638278e55ee7d2acaab413
http://ports.ubuntu.com/pool/main/o/openjdk-6b18/openjdk-6-jre_6b18-1.8.7-0ubuntu2.1_armel.deb
  Size/MD5: 266102 4278c2c06387cf883325356efda3c4d4
http://ports.ubuntu.com/pool/universe/o/openjdk-6b18/openjdk-6-jre-zero_6b18-1.8.7-0ubuntu2.1_armel.deb
  Size/MD5: 1959296 6becfb4d5a2ecbe7aee622b84df57f12
[Full-disclosure] Related Posts Word Press Plugin Cross Site Scripting Vulnerability - CVE-2011-0760
Dear List,

I'm writing on behalf of the Check Point Vulnerability Discovery Team to publish the following vulnerability.

Check Point Software Technologies - Vulnerability Discovery Team (VDT)
http://www.checkpoint.com/defense/

Related Posts WordPress Plugin Cross Site Scripting Vulnerability
CVE-2011-0760

INTRODUCTION

The WordPress Related Posts Plugin (http://WordPress.org/extend/plugins/wp-related-posts/) shows the posts related to other posts.

This advisory describes multiple Stored Cross Site Scripting (XSS) vulnerabilities and one Cross Site Request Forgery (CSRF) vulnerability on the plugin. As a result, an attacker can gain elevated access privileges to sensitive page content, session cookies, and a variety of other information maintained by the browser on behalf of the WordPress administrator user. Furthermore, the attacker can perform actions with administrative powers.

This problem was confirmed in the latest version of the plugin; other versions may also be affected.

CVSS Scoring System

The CVSS score is: 6.4
Base Score: 6.7
Temporal Score: 6.4

We used the following values to calculate the scores:
Base score is: AV:N/AC:L/Au:N/C:C/I:C/A:N
Temporal score is: E:F/RL:U/RC:C

DETAILS

The plugin's configuration page is vulnerable to Stored Cross Site Scripting. The three fields wp_relatedposts_title, wp_relatedposts_num and wp_relatedposts_type are received through POST or GET and included on the response page with little sanitization. The vulnerable code is shown next:

---
158: <tr valign="top">
159:   <th scope="row">Title:</th>
160:   <td><input type="text" name="wp_relatedposts_title" value="<?=$options['title']?>"></td>
161: </tr>
162: <tr valign="top">
163:   <th scope="row">Number posts:</th>
164:   <td><input type="text" name="wp_relatedposts_num" value="<?=$options['count']?>"></td>
165: </tr>
166: <tr valign="top">
167:   <th scope="row">Related on:</th>
168:   <td>
169:     <select name="wp_relatedposts_type">
170:       <option selected value="<?=$options['type']?>"><?=$options['type']?></option>
171:       <option value="Tags">Tags</option>
172:       <option value="Category">Category</option>
173:     </select>
174:   </td>
---

Another vulnerable piece of code is the one which prints the related posts list. The title (received through the parameter wp_relatedposts_title) is included with little sanitization into such lists. The vulnerable code is shown next:

---
79:  $relatedpost .= '<br><br><br><h3>' . $options['title'] . '</h3><ul>';
(...)
120: $relatedpost .= '<br><br><br><h3>' . $options['title'] . '</h3><ul>';
---

These vulnerabilities allow an attacker to insert HTML/JavaScript commands to be interpreted in the session of an authenticated administrator user. Since the plugin's configuration page is not protected against Cross Site Request Forgery, the exploitation permits the attacker to inject configuration values.

Proof of concept exploitation code is available to interested parties.

CREDITS

This vulnerability has been brought to our attention by Gabriel Quadros from Conviso IT Security company (http://www.conviso.com.br) and researched internally by Rodrigo Rubira Branco from the Check Point Vulnerability Discovery Team (VDT).

Best Regards,
Rodrigo.

--
Rodrigo Rubira Branco
Chief Security Research
Vulnerability Discovery Team (VDT)
Check Point Software Technologies
[Full-disclosure] Recaptcha Word Press Plugin Cross Site Scripting Vulnerability - CVE-2011-0759
Dear List,

I'm writing on behalf of the Check Point Vulnerability Discovery Team to publish the following vulnerability.

Check Point Software Technologies - Vulnerability Discovery Team (VDT)
http://www.checkpoint.com/defense/

Recaptcha WordPress Plugin Cross Site Scripting Vulnerability
CVE-2011-0759

INTRODUCTION

The WordPress Recaptcha Plugin integrates reCAPTCHA antispam methods with WordPress, including comment, registration, and email spam protection.

This advisory describes multiple Stored Cross Site Scripting (XSS) vulnerabilities and one Cross Site Request Forgery (CSRF) vulnerability on the plugin. As a result, an attacker can gain elevated access privileges to sensitive page content, session cookies, and a variety of other information maintained by the browser on behalf of the WordPress administrator user. Furthermore, the attacker can perform actions with administrative powers.

This problem was confirmed in the latest version of the plugin; other versions may also be affected.

CVSS Scoring System

The CVSS score is: 6.4
Base Score: 6.7
Temporal Score: 6.4

We used the following values to calculate the scores:
Base score is: AV:N/AC:L/Au:N/C:C/I:C/A:N
Temporal score is: E:F/RL:U/RC:C

DETAILS

The plugin's configuration page is vulnerable to Stored Cross Site Scripting. Various fields are received through POST and included on the response page with little sanitization. The vulnerable code is shown next:

---
749: <input name="recaptcha_opt_pubkey" id="recaptcha_opt_pubkey" size="40" value="<?php echo $optionarray_def['pubkey']; ?>" />
753: <input name="recaptcha_opt_privkey" id="recaptcha_opt_privkey" size="40" value="<?php echo $optionarray_def['privkey']; ?>" />
782: <input name="re_tabindex" id="re_tabindex" size="5" value="<?php echo $optionarray_def['re_tabindex']; ?>" />
814: <input name="error_blank" id="error_blank" size="80" value="<?php echo $optionarray_def['error_blank']; ?>" />
818: <input name="error_incorrect" id="error_incorrect" size="80" value="<?php echo $optionarray_def['error_incorrect']; ?>" />
865: <input name="mailhide_pub" id="mailhide_pub" size="40" value="<?php echo $optionarray_def['mailhide_pub']; ?>" />
869: <input name="mailhide_priv" id="mailhide_priv" size="40" value="<?php echo $optionarray_def['mailhide_priv']; ?>" />
888: <input name="mh_replace_link" id="mh_replace_link" size="40" value="<?php echo $optionarray_def['mh_replace_link']; ?>" />
891: <input name="mh_replace_title" id="mh_replace_title" size="40" value="<?php echo $optionarray_def['mh_replace_title']; ?>" />
---

These vulnerabilities allow an attacker to insert HTML/JavaScript commands to be interpreted in the session of an authenticated administrator user. Since the plugin's configuration page is not protected against Cross Site Request Forgery, the exploitation permits the attacker to inject configuration values. This flaw allows an attacker to change the reCAPTCHA configuration, like disabling CAPTCHA for comments and registration forms.

Proof of concept exploitation code is available to interested parties.

CREDITS

This vulnerability has been brought to our attention by Gabriel Quadros from Conviso IT Security company (http://www.conviso.com.br) and researched internally by Rodrigo Rubira Branco from the Check Point Vulnerability Discovery Team (VDT).

Best Regards,
Rodrigo.

--
Rodrigo Rubira Branco
Chief Security Research
Vulnerability Discovery Team (VDT)
Check Point Software Technologies
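Both Check Point advisories above (Related Posts, CVE-2011-0760, and Recaptcha, CVE-2011-0759) describe the same two-part pattern: a stored option echoed unescaped into an HTML attribute, and a settings form with no CSRF token. The following is an added example in plain PHP, not code from either plugin or from Check Point, showing the vulnerable rendering next to the hardened one and a minimal nonce check on the save handler. The option value and the session array are constructed for the demonstration; the WordPress helpers named in the comments (esc_attr, esc_html, wp_nonce_field, check_admin_referer) are the real equivalents a plugin would use.

```php
<?php
// Added example (not the plugins' code): unescaped option output -> stored
// XSS, and the two fixes that close it. Runs under the PHP CLI, no WordPress.

// Constructed option value, standing in for what the unprotected settings
// form could have stored. A benign attribute-breakout marker, not a payload.
$options = ['title' => '"><b>injected</b><input type="hidden" x="'];

// Vulnerable pattern from the advisories: the raw option lands inside value="".
function render_vulnerable(array $options): string {
    return '<input type="text" name="wp_relatedposts_title" value="'
         . $options['title'] . '">';
}

// Hardened form: escape for the attribute context. The WordPress equivalent
// is esc_attr(); esc_html() is the matching call for the <h3> list title.
function render_hardened(array $options): string {
    $title = htmlspecialchars($options['title'], ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return '<input type="text" name="wp_relatedposts_title" value="'
         . $title . '">';
}

// CSRF guard for the settings POST. Plain-PHP stand-in for wp_nonce_field()
// and check_admin_referer(): a per-session random token that a cross-site
// form cannot know. $session stands in for $_SESSION in this example.
function nonce_field(array &$session): string {
    if (empty($session['settings_nonce'])) {
        $session['settings_nonce'] = bin2hex(random_bytes(16));
    }
    return '<input type="hidden" name="_nonce" value="'
         . $session['settings_nonce'] . '">';
}

// Returns true only when the submitted nonce matches the session's token;
// the comparison is constant-time so the token cannot be guessed byte-wise.
function save_settings(array $post, array $session): bool {
    if (!isset($post['_nonce'], $session['settings_nonce'])
        || !hash_equals($session['settings_nonce'], (string) $post['_nonce'])) {
        return false;
    }
    // Only here would the option be written (after a length/type check).
    return true;
}

// Demonstration: the same stored value, before and after escaping.
echo "vulnerable: ", render_vulnerable($options), "\n";
echo "hardened:   ", render_hardened($options), "\n";

// Demonstration: a cross-site form submits without the nonce, a same-origin
// form submits with it.
$session = [];
nonce_field($session);
var_dump(save_settings(['title' => 'x'], $session));
var_dump(save_settings(['title' => 'x', '_nonce' => $session['settings_nonce']], $session));
```

The escaping choice depends on where the value is printed: attribute context for the input fields on lines 160, 164 and 749 onward, element context for the `<h3>` on lines 79 and 120, and the `<select>` on line 170 needs both, since the option's value attribute and its text are printed from the same variable. The nonce alone does not fix the XSS, and the escaping alone does not fix the CSRF; the advisories' impact statement (an attacker injecting configuration values into an administrator's session) relies on both gaps being open at once.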