[Full-disclosure] CORE-2010-1021: IBM WebSphere Application Server Cross-Site Request Forgery
Core Security Technologies - CoreLabs Advisory
http://corelabs.coresecurity.com/

IBM WebSphere Application Server Cross-Site Request Forgery

1. *Advisory Information*

Title: IBM WebSphere Application Server Cross-Site Request Forgery
Advisory ID: CORE-2010-1021
Advisory URL: http://www.coresecurity.com/content/IBM-WebSphere-CSRF
Date published: 2011-06-15
Date of last update: 2011-06-15
Vendors contacted: IBM
Release mode: User release

2. *Vulnerability Information*

Class: Cross-Site Request Forgery (CSRF) [CWE-352]
Impact: Code execution
Remotely Exploitable: Yes
Locally Exploitable: No
CVE Name: CVE-2010-3271

3. *Vulnerability Description*

WebSphere is IBM's integration software platform. It includes the entire middleware infrastructure (such as servers, services, and tools) needed to write, run, and monitor 24x7 industrial-strength, on-demand Web applications and cross-platform, cross-product solutions. WebSphere Application Server is the base for the infrastructure; everything else runs on top of it [1].

The administrative console of IBM WebSphere Application Server is vulnerable to Cross-Site Request Forgery (CSRF) attacks, which can be exploited by remote attackers to force a logged-in administrator to perform unwanted actions on the IBM WebSphere administrative console by enticing him to visit a malicious web page.

4. *Vulnerable packages*

. IBM WebSphere Application Server 7.0.0.11
. IBM WebSphere Application Server 7.0.0.13
. Older versions are probably affected too, but they were not checked.

5. *Non-vulnerable packages*

Contact the vendor for a fix.

6. *Vendor Information, Solutions and Workarounds*

Contact the vendor for a fix. The following are workarounds for this issue.

6.1. *Server side*

According to OWASP [2], CSRF vulnerabilities can be avoided by checking the referrer of the HTTP request and verifying that the request comes from the original site.

A potential workaround is thus to set a rule on a Web Application Firewall that checks the referrer of the requests and verifies that all requests to the WebSphere administrative console originate from the same site.

6.2. *Client side*

An administrator of the WebSphere administrative console could mitigate the bug by using Firefox and the NoScript add-on, more precisely by making use of the ABE [3] (Application Boundaries Enforcer) feature of NoScript. With ABE it is possible to define rules such as the following:

/-----------------------------
Site *.example.com
Accept from SELF
Deny
-----------------------------/

This rule applies to *.example.com; it allows all requests made from the same site and blocks all requests directed to *.example.com but generated from any other site, so that Firefox never sends the request to the server. The syntax of the ABE rules is defined here: http://noscript.net/abe/abe_rules.pdf

7. *Credits*

This vulnerability was discovered and researched by Francisco Falcon from Core Security Technologies during Bugweek 2010 [4]. Additional research was performed by Alejandro Rodriguez. Publication was coordinated by Carlos Sarraute.

8. *Technical Description / Proof of Concept Code*

The administrative console (also known as Integrated Solutions Console) of IBM WebSphere Application Server is vulnerable to Cross-Site Request Forgery (CSRF) [2] attacks, which can be exploited by remote attackers to force a logged-in administrator to perform unwanted actions on the IBM WebSphere administrative console by enticing him to visit a malicious web page.

The administrative console of IBM WebSphere Application Server includes a standard protection mechanism against Cross-Site Request Forgery, which consists of a token included as a hidden field named 'csrfid' on every 'FORM'; the token is sent to the web server in each 'POST' request performed by the web browser.

When the web server receives a 'POST' request, it checks that the 'csrfid' token included in the parameters of the 'POST' request matches the anti-CSRF token associated with the current session. If they do not match, IBM WebSphere responds with an "Unauthorized Request" message, thus effectively preventing CSRF.

However, in certain areas of the administrative console, WebSphere fails to check the value of the 'csrfid' token when processing 'POST' requests, even though the 'csrfid' hidden field is included in every 'FORM', making the application vulnerable to Cross-Site Request Forgery.

The vulnerable areas of the WebSphere administrative console include the 'Security > Global Security' panel [6] and the 'Save changes to the master configuration' feature. This makes it possible for a remote attacker to disable the 'Administrative Security', 'Application Security' and 'Java 2 Security' options, and then to save the changes to the configuration, by tricking an IBM WebSphere administrator who is currently logged in to the administrative console into visiting a malicious web page.

Also note tha
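The per-session 'csrfid' check from section 8 and the Referer rule from section 6.1, as an added example that is not Core Security's or IBM's code: the Request and Session classes, the handler names and the hostnames are constructed for illustration and do not model WebSphere's internals. It contrasts a dispatcher in which each handler enforces the token on its own (the pattern that lets one panel forget the check) with one that enforces the token centrally before any POST handler runs.

```python
"""Anti-CSRF checks for an administrative console, modelled on the 'csrfid'
token and the Referer workaround described in CORE-2010-1021.

Added example, not Core Security's or IBM's code: the Request and Session
classes, handler names and hostnames are constructed for illustration and
do not model WebSphere's real internals.
"""
import hmac
import secrets
from dataclasses import dataclass, field
from urllib.parse import urlsplit

CONSOLE_HOST = "console.example.com"  # assumed admin console hostname


@dataclass
class Request:
    method: str
    path: str
    headers: dict
    form: dict = field(default_factory=dict)


@dataclass
class Session:
    # One anti-CSRF token per session, generated server-side and unknown
    # to any other site.
    csrfid: str = field(default_factory=lambda: secrets.token_hex(16))
    config: dict = field(default_factory=lambda: {"adminSecurity": True})


def referer_allows(req, console_host=CONSOLE_HOST):
    """Section 6.1 workaround: accept a request only if its Referer names
    the console's own host. A missing Referer counts as foreign, and the
    host is compared after URL parsing, not by string prefix."""
    referer = req.headers.get("Referer")
    if not referer:
        return False
    host = urlsplit(referer).hostname  # already lower-cased by urlsplit
    return host is not None and host == console_host.lower()


def csrfid_valid(req, session):
    """The check WebSphere applies on most POSTs: the hidden 'csrfid' field
    must equal the token bound to the current session (constant-time compare)."""
    supplied = req.form.get("csrfid", "")
    return hmac.compare_digest(supplied.encode(), session.csrfid.encode())


def global_security(req, session):
    """Stands in for the 'Security > Global Security' panel. The handler
    never looks at csrfid itself, which is the defect the advisory describes."""
    session.config["adminSecurity"] = req.form.get("adminSecurity") == "on"
    return "OK"


def save_config(req, session):
    """Stands in for 'Save changes to the master configuration'."""
    session.config["saved"] = True
    return "OK"


HANDLERS = {"/globalSecurity": global_security, "/saveConfig": save_config}


def dispatch_per_handler(req, session):
    """Vulnerable pattern: each handler enforces the token on its own, so a
    handler that omits the check silently accepts forged POSTs."""
    return HANDLERS[req.path](req, session)


def dispatch_central(req, session):
    """Hardened pattern: the token check (and the Referer rule as a second
    layer) runs before any POST handler, so no panel can forget it."""
    if req.method == "POST":
        if not csrfid_valid(req, session) or not referer_allows(req):
            return "Unauthorized Request"
    return HANDLERS[req.path](req, session)


def demo():
    """Constructed traffic: a POST generated by another site that rides on
    the admin's session but lacks the csrfid, and a genuine console POST."""
    foreign = Request("POST", "/globalSecurity",
                      {"Referer": "https://other.example.net/page.html"},
                      {"adminSecurity": "off"})  # no csrfid: other sites cannot read it
    vuln_session = Session()
    vulnerable = dispatch_per_handler(foreign, vuln_session)  # "OK"
    disabled = vuln_session.config["adminSecurity"]            # False
    session = Session()
    genuine = Request("POST", "/globalSecurity",
                      {"Referer": f"https://{CONSOLE_HOST}/ibm/console/"},
                      {"csrfid": session.csrfid, "adminSecurity": "on"})
    hardened = dispatch_central(foreign, session)   # "Unauthorized Request"
    intact = session.config["adminSecurity"]        # True
    legit = dispatch_central(genuine, session)      # "OK"
    return vulnerable, disabled, hardened, intact, legit


if __name__ == "__main__":
    print(demo())
```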
[Full-disclosure] [SECURITY] [DSA 2262-1] moodle security update
-------------------------------------------------------------------------
Debian Security Advisory DSA-2262-1                   secur...@debian.org
http://www.debian.org/security/                        Moritz Muehlenhoff
June 15, 2011                          http://www.debian.org/security/faq
-------------------------------------------------------------------------

Package        : moodle
Vulnerability  : several
Problem type   : remote
Debian-specific: no
CVE ID         : not yet available

Several cross-site scripting and information disclosure issues have been fixed in Moodle, a course management system for online learning:

* MSA-11-0002 Cross-site request forgery vulnerability in RSS block
* MSA-11-0003 Cross-site scripting vulnerability in tag autocomplete
* MSA-11-0008 IMS enterprise enrolment file may disclose sensitive information
* MSA-11-0011 Multiple cross-site scripting problems in media filter
* MSA-11-0015 Cross Site Scripting through URL encoding
* MSA-11-0013 Group/Quiz permissions issue

For the stable distribution (squeeze), this problem has been fixed in version 1.9.9.dfsg2-2.1+squeeze1.

For the unstable distribution (sid), this problem has been fixed in version 1.9.9.dfsg2-3.

We recommend that you upgrade your moodle packages.

Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: http://www.debian.org/security/

Mailing list: debian-security-annou...@lists.debian.org

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
[Full-disclosure] TPTI-11-10: Adobe Shockwave dirapi.dll rcsL Chunk Parsing Remote Code Execution Vulnerability
TPTI-11-10: Adobe Shockwave dirapi.dll rcsL Chunk Parsing Remote Code Execution Vulnerability
http://dvlabs.tippingpoint.com/advisory/TPTI-11-10
June 15, 2011

-- CVE ID:
CVE-2011-0335

-- CVSS:
7.5, (AV:N/AC:L/Au:N/C:P/I:P/A:P)

-- Affected Vendors:
Adobe

-- Affected Products:
Adobe Shockwave Player

-- TippingPoint(TM) IPS Customer Protection:
TippingPoint IPS customers have been protected against this vulnerability by Digital Vaccine protection filter ID 11353. For further product information on the TippingPoint IPS, visit:

    http://www.tippingpoint.com

-- Vulnerability Details:
This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of the Adobe Shockwave Player. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file.

The specific flaw exists within the rcsL chunk inside Adobe's RIFF-based Director file format. The code within the dirapi.dll does not properly validate substructure elements before using them to manipulate memory. This can lead to memory corruption which can be leveraged to execute arbitrary code under the context of the user running the browser.

-- Vendor Response:
Adobe has issued an update to correct this vulnerability. More details can be found at:

    http://www.adobe.com/support/security/bulletins/apsb11-17.html

-- Disclosure Timeline:
2011-04-25 - Vulnerability reported to vendor
2011-06-15 - Coordinated public release of advisory

-- Credit:
This vulnerability was discovered by:
* Logan Brown and Aaron Portnoy, TippingPoint DVLabs
[Full-disclosure] TPTI-11-11: Adobe Shockwave Lnam Chunk Parsing Remote Code Execution Vulnerability
TPTI-11-11: Adobe Shockwave Lnam Chunk Parsing Remote Code Execution Vulnerability
http://dvlabs.tippingpoint.com/advisory/TPTI-11-11
June 15, 2011

-- CVE ID:
CVE-2011-2116

-- CVSS:
7.5, (AV:N/AC:L/Au:N/C:P/I:P/A:P)

-- Affected Vendors:
Adobe

-- Affected Products:
Adobe Shockwave Player

-- TippingPoint(TM) IPS Customer Protection:
TippingPoint IPS customers have been protected against this vulnerability by Digital Vaccine protection filter ID 11347. For further product information on the TippingPoint IPS, visit:

    http://www.tippingpoint.com

-- Vulnerability Details:
This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of the Adobe Shockwave Player. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file.

The specific flaw exists within the Lnam chunk inside Adobe's RIFF-based Director file format. The code within the IML32.dll does not properly validate certain fields before using them to calculate sizes used for later memory copy operations. This can lead to memory corruption which can be leveraged to execute arbitrary code under the context of the user running the browser.

-- Vendor Response:
Adobe has issued an update to correct this vulnerability. More details can be found at:

    http://www.adobe.com/support/security/bulletins/apsb11-17.html

-- Disclosure Timeline:
2011-04-25 - Vulnerability reported to vendor
2011-06-15 - Coordinated public release of advisory

-- Credit:
This vulnerability was discovered by:
* Logan Brown and Aaron Portnoy, TippingPoint DVLabs
[Full-disclosure] TPTI-11-09: Adobe Shockwave iml32.dll CSWV Chunk Byte Array Parsing Remote Code Execution Vulnerability
TPTI-11-09: Adobe Shockwave iml32.dll CSWV Chunk Byte Array Parsing Remote Code Execution Vulnerability
http://dvlabs.tippingpoint.com/advisory/TPTI-11-09
June 15, 2011

-- CVE ID:
CVE-2011-2111

-- CVSS:
7.5, (AV:N/AC:L/Au:N/C:P/I:P/A:P)

-- Affected Vendors:
Adobe

-- Affected Products:
Adobe Shockwave Player

-- TippingPoint(TM) IPS Customer Protection:
TippingPoint IPS customers have been protected against this vulnerability by Digital Vaccine protection filter ID 11352. For further product information on the TippingPoint IPS, visit:

    http://www.tippingpoint.com

-- Vulnerability Details:
This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of the Adobe Shockwave Player. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file.

The specific flaw exists within the CSWV chunk inside Adobe's RIFF-based Director file format. The code within the IML32.dll does not properly parse byte arrays. This can lead to memory corruption which can be leveraged to execute arbitrary code under the context of the user running the browser.

-- Vendor Response:
Adobe has issued an update to correct this vulnerability. More details can be found at:

    http://www.adobe.com/support/security/bulletins/apsb11-17.html

-- Disclosure Timeline:
2011-04-25 - Vulnerability reported to vendor
2011-06-15 - Coordinated public release of advisory

-- Credit:
This vulnerability was discovered by:
* Logan Brown and Aaron Portnoy, TippingPoint DVLabs
[Full-disclosure] TPTI-11-08: Adobe Shockwave iml32.dll DEMX Chunk GIF Parsing Remote Code Execution Vulnerability
TPTI-11-08: Adobe Shockwave iml32.dll DEMX Chunk GIF Parsing Remote Code Execution Vulnerability
http://dvlabs.tippingpoint.com/advisory/TPTI-11-08
June 15, 2011

-- CVE ID:
CVE-2011-2111

-- CVSS:
7.5, (AV:N/AC:L/Au:N/C:P/I:P/A:P)

-- Affected Vendors:
Adobe

-- Affected Products:
Adobe Shockwave Player

-- TippingPoint(TM) IPS Customer Protection:
TippingPoint IPS customers have been protected against this vulnerability by Digital Vaccine protection filter ID 11307. For further product information on the TippingPoint IPS, visit:

    http://www.tippingpoint.com

-- Vulnerability Details:
This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of the Adobe Shockwave Player. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file.

The specific flaw exists within the DEMX chunk inside Adobe's RIFF-based Director file format. The code within the IML32.dll does not properly parse GIF images. This can lead to memory corruption which can be leveraged to execute arbitrary code under the context of the user running the browser.

-- Vendor Response:
Adobe has issued an update to correct this vulnerability. More details can be found at:

    http://www.adobe.com/support/security/bulletins/apsb11-17.html

-- Disclosure Timeline:
2011-04-25 - Vulnerability reported to vendor
2011-06-15 - Coordinated public release of advisory

-- Credit:
This vulnerability was discovered by:
* Logan Brown, Aaron Portnoy, TippingPoint DVLabs
[Full-disclosure] TPTI-11-07: Adobe Shockwave iml32.dll CSWV Chunk Parsing Remote Code Execution Vulnerability
TPTI-11-07: Adobe Shockwave iml32.dll CSWV Chunk Parsing Remote Code Execution Vulnerability
http://dvlabs.tippingpoint.com/advisory/TPTI-11-07
June 15, 2011

-- CVE ID:
CVE-2011-2111

-- CVSS:
7.5, (AV:N/AC:L/Au:N/C:P/I:P/A:P)

-- Affected Vendors:
Adobe

-- Affected Products:
Adobe Shockwave Player

-- TippingPoint(TM) IPS Customer Protection:
TippingPoint IPS customers have been protected against this vulnerability by Digital Vaccine protection filter ID 11306. For further product information on the TippingPoint IPS, visit:

    http://www.tippingpoint.com

-- Vulnerability Details:
This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of the Adobe Shockwave Player. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file.

The specific flaw exists within the CSWV chunk inside Adobe's RIFF-based Director file format. When handling certain substructures, the code does not properly ensure arithmetic operations will not exceed expected values. By crafting a file with certain values this can be abused to cause memory corruption which can be leveraged to execute arbitrary code under the context of the user running the browser.

-- Vendor Response:
Adobe has issued an update to correct this vulnerability. More details can be found at:

    http://www.adobe.com/support/security/bulletins/apsb11-17.html

-- Disclosure Timeline:
2011-04-25 - Vulnerability reported to vendor
2011-06-15 - Coordinated public release of advisory

-- Credit:
This vulnerability was discovered by:
* Logan Brown, Aaron Portnoy, TippingPoint DVLabs
[Full-disclosure] TPTI-11-06: Oracle Java ICC Profile rcs2 Tag Parsing Remote Code Execution Vulnerability
TPTI-11-06: Oracle Java ICC Profile rcs2 Tag Parsing Remote Code Execution Vulnerability
http://dvlabs.tippingpoint.com/advisory/TPTI-11-06
June 15, 2011

-- CVE ID:
CVE-2011-0862

-- CVSS:
7.5, (AV:N/AC:L/Au:N/C:P/I:P/A:P)

-- Affected Vendors:
Oracle

-- Affected Products:
Oracle Java Runtime

-- TippingPoint(TM) IPS Customer Protection:
TippingPoint IPS customers have been protected against this vulnerability by Digital Vaccine protection filter ID 11228. For further product information on the TippingPoint IPS, visit:

    http://www.tippingpoint.com

-- Vulnerability Details:
This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of the Oracle Java Runtime. User interaction is required to exploit this vulnerability in that the target must visit a malicious page.

The specific flaw exists within the way Java handles color profiles. When parsing a color profile containing an invalid 'rcs2' tag, the process can be forced to overflow an integer value during an arithmetic operation. The newly calculated value is then used to allocate memory on the heap. By providing specific values it is possible to cause a memory corruption that can lead to remote code being executed under the user running the browser.

-- Vendor Response:
Oracle has issued an update to correct this vulnerability. More details can be found at:

    http://www.oracle.com/technetwork/topics/security/javacpujune2011-313339.html

-- Disclosure Timeline:
2011-01-21 - Vulnerability reported to vendor
2011-06-15 - Coordinated public release of advisory

-- Credit:
This vulnerability was discovered by:
* Peter Vreugdenhil, TippingPoint DVLabs
[Full-disclosure] ZDI-11-222: Adobe Shockwave Shockwave 3d Asset.x32 DEMX Chunk Substructure Count Remote Code Execution Vulnerability
ZDI-11-222: Adobe Shockwave Shockwave 3d Asset.x32 DEMX Chunk Substructure Count Remote Code Execution Vulnerability
http://www.zerodayinitiative.com/advisories/ZDI-11-222
June 15, 2011

-- CVE ID:
CVE-2011-2113

-- CVSS:
7.5, (AV:N/AC:L/Au:N/C:P/I:P/A:P)

-- Affected Vendors:
Adobe

-- Affected Products:
Adobe Shockwave Player

-- TippingPoint(TM) IPS Customer Protection:
TippingPoint IPS customers have been protected against this vulnerability by Digital Vaccine protection filter ID 11361. For further product information on the TippingPoint IPS, visit:

    http://www.tippingpoint.com

-- Vulnerability Details:
This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of the Adobe Shockwave Player. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file.

The specific flaw exists within the DEMX chunk inside Adobe's RIFF-based Director file format. The code within the Shockwave 3d Asset.x32 module does not properly check a size value used as the size for a malloc. The given size will wrap, causing a small buffer to be allocated. This can lead to memory corruption which can be leveraged to execute arbitrary code under the context of the user running the browser.

-- Vendor Response:
Adobe has issued an update to correct this vulnerability. More details can be found at:

    http://www.adobe.com/support/security/bulletins/apsb11-17.html

-- Disclosure Timeline:
2011-04-20 - Vulnerability reported to vendor
2011-06-15 - Coordinated public release of advisory

-- Credit:
This vulnerability was discovered by:
* Aniway (aniway.any...@gmail.com)

-- About the Zero Day Initiative (ZDI):
Established by TippingPoint, The Zero Day Initiative (ZDI) represents a best-of-breed model for rewarding security researchers for responsibly disclosing discovered vulnerabilities.

Researchers interested in getting paid for their security research through the ZDI can find more information and sign-up at:

    http://www.zerodayinitiative.com

The ZDI is unique in how the acquired vulnerability information is used. TippingPoint does not re-sell the vulnerability details or any exploit code. Instead, upon notifying the affected product vendor, TippingPoint provides its customers with zero day protection through its intrusion prevention technology. Explicit details regarding the specifics of the vulnerability are not exposed to any parties until an official vendor patch is publicly available. Furthermore, with the altruistic aim of helping to secure a broader user base, TippingPoint provides this vulnerability information confidentially to security vendors (including competitors) who have a vulnerability protection or mitigation product. Our vulnerability disclosure policy is available online at:

    http://www.zerodayinitiative.com/advisories/disclosure_policy/

Follow the ZDI on Twitter:

    http://twitter.com/thezdi
[Full-disclosure] ZDI-11-221: Adobe Shockwave Shockwave 3d Asset.x32 DEMX 0xFFFFFF45 Field Parsing Remote Code Execution Vulnerability
ZDI-11-221: Adobe Shockwave Shockwave 3d Asset.x32 DEMX 0xFF45 Field Parsing Remote Code Execution Vulnerability
http://www.zerodayinitiative.com/advisories/ZDI-11-221
June 15, 2011

-- CVE ID:
CVE-2011-2114

-- CVSS:
7.5, (AV:N/AC:L/Au:N/C:P/I:P/A:P)

-- Affected Vendors:
Adobe

-- Affected Products:
Adobe Shockwave Player

-- TippingPoint(TM) IPS Customer Protection:
TippingPoint IPS customers have been protected against this vulnerability by Digital Vaccine protection filter ID 11360. For further product information on the TippingPoint IPS, visit:

    http://www.tippingpoint.com

-- Vulnerability Details:
This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of the Adobe Shockwave Player. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file.

The specific flaw exists within the DEMX chunk inside Adobe's RIFF-based Director file format. The code within the Shockwave 3d Asset.x32 module does not properly check a size value used for a loop counter, which will cause heap memory to be overwritten. This can lead to memory corruption which can be leveraged to execute arbitrary code under the context of the user running the browser.

-- Vendor Response:
Adobe has issued an update to correct this vulnerability. More details can be found at:

    http://www.adobe.com/support/security/bulletins/apsb11-17.html

-- Disclosure Timeline:
2011-04-20 - Vulnerability reported to vendor
2011-06-15 - Coordinated public release of advisory

-- Credit:
This vulnerability was discovered by:
* Aniway (aniway.any...@gmail.com)
[Full-disclosure] ZDI-11-220: Adobe Shockwave Director File rcsL Chunk Multiple Opcode Parsing Remote Code Execution Vulnerability
ZDI-11-220: Adobe Shockwave Director File rcsL Chunk Multiple Opcode Parsing Remote Code Execution Vulnerability
http://www.zerodayinitiative.com/advisories/ZDI-11-220
June 15, 2011

-- CVE ID:
CVE-2011-0335

-- CVSS:
7.5, (AV:N/AC:L/Au:N/C:P/I:P/A:P)

-- Affected Vendors:
Adobe

-- Affected Products:
Adobe Shockwave Player

-- TippingPoint(TM) IPS Customer Protection:
TippingPoint IPS customers have been protected against this vulnerability by Digital Vaccine protection filter ID 11368. For further product information on the TippingPoint IPS, visit:

    http://www.tippingpoint.com

-- Vulnerability Details:
This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Adobe Shockwave. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file.

The specific flaw exists within the parsing of the RIFF-based Director (.dir) files. When handling an undocumented substructure, the code within dirapi.dll can be forced to incorrectly calculate a destination pointer if it encounters certain 1-byte opcodes within the .dir file. The assumptions made by the code can allow for malicious values to influence a size parameter that is used to calculate a memory address. This address is then written to with controlled data. This can be abused by an attacker to corrupt memory and subsequently execute arbitrary code under the context of the user running the browser.

-- Vendor Response:
Adobe has issued an update to correct this vulnerability. More details can be found at:

    http://www.adobe.com/support/security/bulletins/apsb11-17.html

-- Disclosure Timeline:
2011-04-07 - Vulnerability reported to vendor
2011-06-15 - Coordinated public release of advisory

-- Credit:
This vulnerability was discovered by:
* Aniway (aniway.any...@gmail.com)
Re: [Full-disclosure] XSS Vulnerability in Redmine 1.0.1 to 1.1.1
On Wed, Apr 06, 2011 at 01:22:06PM +0300, Netsparker Advisories wrote:
> Information
> -----------
> Name : XSS vulnerability in Redmine
> Software : all Redmine versions from 1.0.1 to 1.1.1
> Vendor Homepage : http://www.redmine.org
> Vulnerability Type : Cross-Site Scripting
> Severity : High
> Researcher : Mesut Timur
> Advisory Reference : NS-11-004
>
> Description
> -----------
> Redmine is a flexible project management web application written using
> Ruby on Rails framework.
>
> Details
> -------
> Redmine is affected by a XSS vulnerability in versions from 1.0.1 to 1.1.1.
> Example PoC url is as follows :
>
> http://example.com/projects/hg-helloworld/news/%22onload=%22alert%281%29
>
> You can read the full article about Cross-Site Scripting
> vulnerabilities from here :
> http://www.mavitunasecurity.com/crosssite-scripting-xss/
>
> Solution
> --------
> Upgrade to the latest Redmine version (1.1.2).
>
> Credits
> -------
> It has been discovered on testing of Netsparker, Web Application
> Security Scanner - http://www.mavitunasecurity.com/netsparker/.
>
> References
> ----------
> 1. Vendor URL: http://www.redmine.org/news/53
> 2. MSL Advisory Link :
> http://www.mavitunasecurity.com/XSS-vulnerability-in-Redmine/
> 3. Netsparker Advisories :
> http://www.mavitunasecurity.com/netsparker-advisories/
>
> About Netsparker
> ----------------
> Netsparker can find and report security issues such as SQL Injection
> and Cross-site Scripting (XSS) in all web applications regardless of
> the platform and the technology they are built on. Netsparker's unique
> detection and exploitation techniques allow it to be dead accurate in
> reporting, hence it's the first and the only False Positive Free web
> application security scanner.
>
> --
> Netsparker Advisories,
> Homepage, http://www.mavitunasecurity.com/netsparker-advisories/

You can use the CVE-2011-1723 identifier for this issue.

References:
http://osvdb.org/71564

Best regards,
Henri Salo
[Full-disclosure] NSFOCUS SA2011-01 : Microsoft Internet Explorer Link Property Processing Memory Corruption Vulnerability
NSFOCUS Security Advisory (SA2011-01)

Microsoft Internet Explorer Link Property Processing Memory Corruption Vulnerability

Release Date: 2011-06-15
CVE ID: CVE-2011-1250
http://www.nsfocus.com/en/advisories/1101.html

Affected Software and System:
=============================
Microsoft Internet Explorer 6
Microsoft Internet Explorer 7
Microsoft Internet Explorer 8

Impact:
=======
NSFOCUS Security Team discovered a security vulnerability in Microsoft Internet Explorer. This flaw could be used to corrupt memory, resulting in an application crash and possible code execution, by convincing users to open specially crafted HTML files.

Description:
============
Microsoft Internet Explorer is the most popular Web browser application.

It was found that unexpected object access can be triggered in the way IE processes a malformed Link object property, directly resulting in unauthorized memory access and a possible IE process crash or code execution. Attackers can execute malicious code in the context of the vulnerable system by convincing users to visit webpages containing malicious code, and thus take control of the user's system. This flaw exists in the Web browser itself, without involving additional ActiveX controls.

Workaround:
===========
Windows users can mitigate the impact of the flaw before installing the relevant patches according to the following steps:

* Temporarily use other browsers that are not based on the IE engine, such as Chrome, Firefox and Opera.
* Make use of Microsoft EMET, which can greatly hinder exploitation of the vulnerability but cannot stop it from being triggered. It is available from the following link:
  http://go.microsoft.com/fwlink/?LinkID=200220&clcid=0x409

Vendor Status:
==============
The vulnerability has been fixed in Microsoft Security Bulletin MS11-050. For details, please refer to the following link:
http://www.microsoft.com/technet/security/bulletin/MS11-050.mspx

Additional Information:
=======================
The Common Vulnerabilities and Exposures (CVE) project has assigned the name CVE-2011-1250 to this issue. This is a candidate for inclusion in the CVE list (http://cve.mitre.org), which standardizes names for security problems. Candidates may change significantly before they become official CVE entries.

Credit:
=======
This vulnerability was discovered by Wang Liejun of NSFOCUS Security Team.

DISCLAIMS:
==========
THE INFORMATION PROVIDED IS RELEASED BY NSFOCUS "AS IS" WITHOUT WARRANTY OF ANY KIND. NSFOCUS DISCLAIMS ALL WARRANTIES, EITHER EXPRESS OR IMPLIED, EXCEPT FOR THE WARRANTIES OF MERCHANTABILITY. IN NO EVENT SHALL NSFOCUS BE LIABLE FOR ANY DAMAGES WHATSOEVER INCLUDING DIRECT, INDIRECT, INCIDENTAL, CONSEQUENTIAL, LOSS OF BUSINESS PROFITS OR SPECIAL DAMAGES, EVEN IF NSFOCUS HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. DISTRIBUTION OR REPRODUCTION OF THE INFORMATION IS PROVIDED THAT THE ADVISORY IS NOT MODIFIED IN ANY WAY.

(c) 2011 NSFOCUS

--
Regards,
NSFOCUS Security Team
NSFOCUS Information Technology Co., Ltd. (http://www.nsfocus.com)
PGP Key fingerprint = F8F2 F5D1 EF74 E08C 02FE 1B90 D7BF 7877 C6A6 F6DA