Re: [Full-disclosure] Ubuntu 11.10 now unsecure by default
On 17/11/11 18:14, valdis.kletni...@vt.edu wrote:

The problem is that if you install Ubuntu on a server (as lots of people do) and enable ssh so you can remotely admin the server, you can find yourself shot in the foot if you don't realize there's a passwordless guest account.

    PermitEmptyPasswords no

Is set by default in sshd_config

___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Re: [Full-disclosure] Ubuntu 11.10 now unsecure by default
On 11/17/2011 08:34 PM, Ryan Dewhurst wrote:

Are there any other services this may affect?

The question could also be how many features like this are (will be?) silently enabled by default on new Ubuntu systems.

Perfect for business use, Ubuntu is safe, intuitive and stable -- http://www.ubuntu.com/business

Ubuntu is clearly no more recommended for business use. End users will have to become security experts to avoid teenager's attacks ... shameful

On Thu, Nov 17, 2011 at 7:18 PM, Andrew N Dowden andrew_dow...@softdesign.net.nz wrote:

On 18/11/11 23:46, Larry W. Cashdollar wrote:

Anyone know what the default is for Ubuntu 11

    PermitEmptyPasswords no
    PasswordAuthentication no

in /etc/ssh/sshd_config?

for Ubuntu 11.10 (Oneiric) snip: ( from */etc/ssh/sshd_config* )

    --
    # To enable empty passwords, change to yes (NOT RECOMMENDED)
    PermitEmptyPasswords no
    --
    # Change to no to disable tunnelled clear text passwords
    #PasswordAuthentication yes
    --

--
Olivier
Re: [Full-disclosure] Ubuntu 11.10 now unsecure by default
On 17/11/11 12:14, valdis.kletni...@vt.edu wrote:

On Thu, 17 Nov 2011 18:50:12 +0100, Mario Vilas said:

The guest account has no password, but it's not possible to login remotely with ssh.

Well.. out of the box, anyhow. The problem is that if you install Ubuntu on a server (as lots of people do) and enable ssh so you can remotely admin the server, you can find yourself shot in the foot if you don't realize there's a passwordless guest account.

There is no guest account on an Ubuntu server, so at least there this is not a real/perceived risk.

Cheers,
Re: [Full-disclosure] Ubuntu 11.10 now unsecure by default
Let's not overreact. We're talking about a guest account only on desktop systems, for local login only, and perfectly visible to the user. The only problem I see here is not having a simple GUI way to disable the guest login for a non tech-savvy user, but no more.

(Or am I missing something here?)

On Thu, Nov 17, 2011 at 9:52 PM, Olivier feui...@bibibox.fr wrote:

On 11/17/2011 08:34 PM, Ryan Dewhurst wrote:

Are there any other services this may affect?

The question could also be how many features like this are (will be?) silently enabled by default on new Ubuntu systems.

Perfect for business use, Ubuntu is safe, intuitive and stable -- http://www.ubuntu.com/business

Ubuntu is clearly no more recommended for business use. End users will have to become security experts to avoid teenager's attacks ... shameful

On Thu, Nov 17, 2011 at 7:18 PM, Andrew N Dowden andrew_dow...@softdesign.net.nz wrote:

On 18/11/11 23:46, Larry W. Cashdollar wrote:

Anyone know what the default is for Ubuntu 11

    PermitEmptyPasswords no
    PasswordAuthentication no

in /etc/ssh/sshd_config?

for Ubuntu 11.10 (Oneiric) snip: ( from */etc/ssh/sshd_config* )

    --
    # To enable empty passwords, change to yes (NOT RECOMMENDED)
    PermitEmptyPasswords no
    --
    # Change to no to disable tunnelled clear text passwords
    #PasswordAuthentication yes
    --

--
Olivier

--
“There's a reason we separate military and the police: one fights the enemy of the state, the other serves and protects the people. When the military becomes both, then the enemies of the state tend to become the people.”
Re: [Full-disclosure] Ubuntu 11.10 now unsecure by default
On Thu, 17 Nov 2011 15:53:41 CST, C de-Avillez said:

There is no guest account on an Ubuntu server, so at least there this is not a real/perceived risk.

And nobody's *ever* installed the desktop version on a server because they didn't know any better, especially from Ubuntu's target audience. Gotcha. ;)
Re: [Full-disclosure] Ubuntu 11.10 now unsecure by default
On Fri, 18 Nov 2011 12:24:36 +0100, Mario Vilas said:

Let's not overreact. We're talking about a guest account only on desktop systems, for local login only, and perfectly visible to the user. The only problem I see here is not having a simple GUI way to disable the guest login for a non tech-savvy user, but no more.

(Or am I missing something here?)

Given that Ubuntu is an African word for Can't configure Debian, and the target audience of Ubuntu, the lack of the simple GUI is surprising...

(Yes, there's still one config setting saving your butt in sshd_config - but for a distro that wraps a Teletubby interface around freaking /bin/su so you don't accidentally hurt yourself, the fact that there's exactly one config file setting saving your butt if you manage to enable inbound ssh seems a bit of an oversight).
Re: [Full-disclosure] Ubuntu 11.10 now unsecure by default
To be honest, while Ubuntu is hardly secure, it is not DESIGNED to be secure per se. It is designed to wean Windows users away from M$ and toward GNU/Linux OS types. Kind of a Linux for newbs. My family went from Win XP to Ubuntu years ago and stuck with it. I moved on to Debian, they stuck to Ubuntu and Win7 (eventually) as they are not computer enthusiasts - mere users.

Hell, a friend of mine, she was a self confessed computer illiterate and when I moved her to Ubuntu a month later she was learning how to write simple shell scripts to automate tasks - not bad for someone who couldn't work XP's Control Panel for ages...

If you want secure as in, OUR version of secure, look elsewhere. One thing I do like about Ubuntu though is it looks pretty :)

On Fri, Nov 18, 2011 at 1:04 PM, valdis.kletni...@vt.edu wrote:

On Fri, 18 Nov 2011 12:24:36 +0100, Mario Vilas said:

Let's not overreact. We're talking about a guest account only on desktop systems, for local login only, and perfectly visible to the user. The only problem I see here is not having a simple GUI way to disable the guest login for a non tech-savvy user, but no more.

(Or am I missing something here?)

Given that Ubuntu is an African word for Can't configure Debian, and the target audience of Ubuntu, the lack of the simple GUI is surprising...

(Yes, there's still one config setting saving your butt in sshd_config - but for a distro that wraps a Teletubby interface around freaking /bin/su so you don't accidentally hurt yourself, the fact that there's exactly one config file setting saving your butt if you manage to enable inbound ssh seems a bit of an oversight).

--
My Homepage :D http://compsoc.nuigalway.ie/%7Einfodox
Re: [Full-disclosure] Ubuntu 11.10 now unsecure by default
On Fri, Nov 18, 2011 at 5:01 AM, valdis.kletni...@vt.edu wrote:

On Thu, 17 Nov 2011 15:53:41 CST, C de-Avillez said:

There is no guest account on an Ubuntu server, so at least there this is not a real/perceived risk.

And nobody's *ever* installed the desktop version on a server because they didn't know any better, especially from Ubuntu's target audience. Gotcha. ;)

OK, seriously. If you're sitting in front of a machine that's presenting you a login prompt, you've got enough privileges to insert a bootable USB/CD and pull all the data / make yourself an account (FDE/Bios PW notwithstanding).
Re: [Full-disclosure] Ubuntu 11.10 now unsecure by default
About time someone mentioned that little bit of information...

On Fri, Nov 18, 2011 at 2:10 PM, Dan Kaminsky d...@doxpara.com wrote:

On Fri, Nov 18, 2011 at 5:01 AM, valdis.kletni...@vt.edu wrote:

On Thu, 17 Nov 2011 15:53:41 CST, C de-Avillez said:

There is no guest account on an Ubuntu server, so at least there this is not a real/perceived risk.

And nobody's *ever* installed the desktop version on a server because they didn't know any better, especially from Ubuntu's target audience. Gotcha. ;)

OK, seriously. If you're sitting in front of a machine that's presenting you a login prompt, you've got enough privileges to insert a bootable USB/CD and pull all the data / make yourself an account (FDE/Bios PW notwithstanding).

--
My Homepage :D http://compsoc.nuigalway.ie/%7Einfodox
Re: [Full-disclosure] Ubuntu 11.10 now unsecure by default
On Fri, 18 Nov 2011 06:10:00 PST, Dan Kaminsky said:

OK, seriously. If you're sitting in front of a machine that's presenting you a login prompt, you've got enough privileges to insert a bootable USB/CD and pull all the data / make yourself an account (FDE/Bios PW notwithstanding).

Right. Which is why a passwordless guest account available to people who have physical access isn't such a big deal. The problem is that if you manage to get ssh enabled, there's not *that* much stopping the account from being used from Zanzibar.

Some operating systems (AIX, for instance) allowed tagging a userid as local access only, or even may only login on tty 3, 5, and 23. Adding that sort of a tag to the guest account would help the situation by adding some security in depth.
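An added example, not part of any post in this thread: a small Python audit of the point being argued, namely whether an account with an empty password field is kept off ssh only by the `PermitEmptyPasswords`/`PasswordAuthentication` settings or is also fenced off by `DenyUsers`/`AllowUsers`. The sample config reuses the lines quoted in the thread; the shadow lines, function names and finding labels are constructed for illustration, and `Match` blocks and `USER@HOST` patterns are handled only in the simplified way the comments describe.

```python
import fnmatch

# sshd built-in defaults for the two keywords read here
DEFAULTS = {"permitemptypasswords": "no", "passwordauthentication": "yes"}
LIST_KEYS = ("denyusers", "allowusers")


def parse_sshd_config(text):
    """Effective global settings: sshd keeps the FIRST value seen per keyword."""
    single, lists = {}, {k: [] for k in LIST_KEYS}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # commented-out lines leave the built-in default in force
        parts = line.replace("=", " ", 1).split()
        key, args = parts[0].lower(), parts[1:]
        if key == "match":
            break  # simplification: only the global section is audited
        if not args:
            continue
        if key in lists:
            lists[key].extend(args)  # list keywords accumulate
        elif key not in single:
            single[key] = args[0].lower()
    effective = dict(DEFAULTS)
    effective.update(single)
    effective.update(lists)
    return effective


def empty_password_accounts(shadow_text):
    """Names whose shadow password field is empty (no password at all)."""
    names = []
    for line in shadow_text.splitlines():
        fields = line.split(":")
        if len(fields) >= 2 and fields[0] and fields[1] == "":
            names.append(fields[0])
    return names


def remote_login_fenced(user, cfg):
    """True if DenyUsers/AllowUsers keep the user out regardless of password settings."""
    # Conservative handling of USER@HOST: ignored in DenyUsers (not counted as
    # protection), counted on the USER part in AllowUsers (counted as allowing).
    deny = [p for p in cfg["denyusers"] if "@" not in p]
    if any(fnmatch.fnmatchcase(user, p) for p in deny):
        return True
    allow = [p.split("@", 1)[0] for p in cfg["allowusers"]]
    return bool(allow) and not any(fnmatch.fnmatchcase(user, p) for p in allow)


def audit(config_text, shadow_text):
    cfg = parse_sshd_config(config_text)
    findings = []
    for user in empty_password_accounts(shadow_text):
        if remote_login_fenced(user, cfg):
            level = "FENCED"          # a second, independent control exists
        elif (cfg["passwordauthentication"] == "yes"
              and cfg["permitemptypasswords"] == "yes"):
            level = "EXPOSED"         # nothing in sshd_config stops the login
        else:
            level = "SINGLE-SETTING"  # only the password settings stand in the way
        findings.append((user, level))
    return cfg, findings


# Config lines as quoted in the thread; shadow entries are constructed.
SAMPLE_CONFIG = """\
# To enable empty passwords, change to yes (NOT RECOMMENDED)
PermitEmptyPasswords no
# Change to no to disable tunnelled clear text passwords
#PasswordAuthentication yes
"""
SAMPLE_SHADOW = """\
root:!:15295:0:99999:7:::
alice:$6$constructedsalt$constructedhash:15295:0:99999:7:::
guest::15295:0:99999:7:::
"""

if __name__ == "__main__":
    cfg, findings = audit(SAMPLE_CONFIG, SAMPLE_SHADOW)
    print(cfg)
    for user, level in findings:
        print(user, level)
```

Appending a line such as `DenyUsers guest` to the sample config moves the finding from `SINGLE-SETTING` to `FENCED`, which is the extra layer the post asks for.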
[Full-disclosure] [ MDVSA-2011:176-2 ] bind
Mandriva Linux Security Advisory MDVSA-2011:176-2
http://www.mandriva.com/security/

Package : bind
Date: November 18, 2011
Affected: 2010.1, Enterprise Server 5.0

Problem Description:

A vulnerability was discovered and corrected in bind:

Cache lookup could return RRSIG data associated with nonexistent records, leading to an assertion failure. [ISC RT #26590] (CVE-2011-4313).

The updated packages have been upgraded to bind 9.7.4-P1 and 9.8.1-P1 which are not vulnerable to this issue.

Update:

Packages provided for Mandriva Enterprise Server 5.2 and Mandriva Linux 2010.2 with the MDVSA-2011:176 and MDVSA-2011:176-1 advisory had wrong release numbers effectively preventing installation without excessive force due to previous packaging mistakes. This advisory provides corrected packages to address the problem.

References:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-4313
http://www.isc.org/software/bind/advisories/cve-2011-4313

Updated Packages:

Mandriva Linux 2010.1
Mandriva Linux 2010.1/X86_64
Mandriva Enterprise Server 5
Mandriva Enterprise Server 5/X86_64

To upgrade automatically use MandrivaUpdate or urpmi. The verification of md5 checksums and GPG signatures is performed automatically for you.

All packages are signed by Mandriva for security. You can obtain the GPG public key of the Mandriva Security Team by executing:

    gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98

You can view other update advisories for Mandriva Linux at:

http://www.mandriva.com/security/advisories

If you want to report vulnerabilities, please contact

security_(at)_mandriva.com

Type Bits/KeyID Date User ID
pub 1024D/22458A98 2000-07-10 Mandriva Security Team security*mandriva.com
Re: [Full-disclosure] Ubuntu 11.10 now unsecure by default
nice try though

On Fri, Nov 18, 2011 at 9:10 AM, Dan Kaminsky d...@doxpara.com wrote:

On Fri, Nov 18, 2011 at 5:01 AM, valdis.kletni...@vt.edu wrote:

On Thu, 17 Nov 2011 15:53:41 CST, C de-Avillez said:

There is no guest account on an Ubuntu server, so at least there this is not a real/perceived risk.

And nobody's *ever* installed the desktop version on a server because they didn't know any better, especially from Ubuntu's target audience. Gotcha. ;)

OK, seriously. If you're sitting in front of a machine that's presenting you a login prompt, you've got enough privileges to insert a bootable USB/CD and pull all the data / make yourself an account (FDE/Bios PW notwithstanding).
[Full-disclosure] Fujacks Variant Using ACH Lure
Anyone know the CC vectors for this ??

http://isc.sans.edu/diary.html?storyid=12061rss
Re: [Full-disclosure] Ubuntu 11.10 now unsecure by default
I think T is right about you mate, you do a hell of a lot of talking crap, without actually moving.. like, do you ever move away from your inbox ? You're a shame on linux world valdis, picking on ubuntu, go pick on Owl OS , a 'security' based os...Ubuntu is for beginners, nuff said. useless mofo. XD

On 19 November 2011 00:04, valdis.kletni...@vt.edu wrote:

On Fri, 18 Nov 2011 12:24:36 +0100, Mario Vilas said:

Let's not overreact. We're talking about a guest account only on desktop systems, for local login only, and perfectly visible to the user. The only problem I see here is not having a simple GUI way to disable the guest login for a non tech-savvy user, but no more.

(Or am I missing something here?)

Given that Ubuntu is an African word for Can't configure Debian, and the target audience of Ubuntu, the lack of the simple GUI is surprising...

(Yes, there's still one config setting saving your butt in sshd_config - but for a distro that wraps a Teletubby interface around freaking /bin/su so you don't accidentally hurt yourself, the fact that there's exactly one config file setting saving your butt if you manage to enable inbound ssh seems a bit of an oversight).
Re: [Full-disclosure] Ubuntu 11.10 now unsecure by default
On 11/18/2011 03:10 PM, Dan Kaminsky wrote:

On Fri, Nov 18, 2011 at 5:01 AM, valdis.kletni...@vt.edu wrote:

On Thu, 17 Nov 2011 15:53:41 CST, C de-Avillez said:

There is no guest account on an Ubuntu server, so at least there this is not a real/perceived risk.

And nobody's *ever* installed the desktop version on a server because they didn't know any better, especially from Ubuntu's target audience. Gotcha. ;)

OK, seriously. If you're sitting in front of a machine that's presenting you a login prompt, you've got enough privileges to insert a bootable USB/CD and pull all the data / make yourself an account (FDE/Bios PW notwithstanding).

My disk is password protected, and the whole system (except /boot) is encrypted.

Ubuntu guest account is definitively the best way to hack a running laptop (or workstation).

--
Olivier
Re: [Full-disclosure] Ubuntu 11.10 now unsecure by default
yea, I'd also like to see how on earth Valdis calls this some kinda new 'root' problem... I don't see any problem with this, specially on THIS type of system.. intended to teach people how to use Linux.

On 19 November 2011 06:32, Olivier feui...@bibibox.fr wrote:

On 11/18/2011 03:10 PM, Dan Kaminsky wrote:

On Fri, Nov 18, 2011 at 5:01 AM, valdis.kletni...@vt.edu wrote:

On Thu, 17 Nov 2011 15:53:41 CST, C de-Avillez said:

There is no guest account on an Ubuntu server, so at least there this is not a real/perceived risk.

And nobody's *ever* installed the desktop version on a server because they didn't know any better, especially from Ubuntu's target audience. Gotcha. ;)

OK, seriously. If you're sitting in front of a machine that's presenting you a login prompt, you've got enough privileges to insert a bootable USB/CD and pull all the data / make yourself an account (FDE/Bios PW notwithstanding).

My disk is password protected, and the whole system (except /boot) is encrypted.

Ubuntu guest account is definitively the best way to hack a running laptop (or workstation).

--
Olivier
[Full-disclosure] Blogs manager = 1.101 SQL Injection Vulnerability
Dear all,

I have found a SQL injection vulnerability in Blogs manager = 1.101
It seems to be version 1.101 as you can see in the files section of sourceforge.
I reported the vulnerability to the vendor but no response as stated in the advisory.

Best,
muuratsalo

-- ADVISORY --

Blogs manager = 1.101 SQL Injection Vulnerability

author: muuratsalo (Revshell.com)
contact...: muuratsalo[at]gmail[dot]com
download..: http://sourceforge.net/projects/blogsmanager/

[0x01] Vulnerability overview:

Blogs manager = 1.101 is affected by a SQL injection vulnerability.
Note - A registered account could be required to exploit the vulnerability.

[0x02] Disclosure timeline:

[16/11/2011] - SQL injection vulnerability discovered and reported to the vendor.
[19/11/2011] - No response from the vendor, public disclosure.

[0x03] Proof of Concept:

http://localhost/blogs/_authors_list.php?a=searchvalue=1SearchFor=muuratsaloSearchOption=ContainsSearchField=[SQL injection]
http://localhost/blogs/_blogs_list.php?a=searchvalue=1SearchFor=muuratsaloSearchOption=ContainsSearchField=[SQL injection]
http://localhost/blogs/_category_list.php?a=searchvalue=1SearchFor=muuratsaloSearchOption=ContainsSearchField=[SQL injection]
http://localhost/blogs/_comments_list.php?a=searchvalue=1SearchFor=muuratsaloSearchOption=ContainsSearchField=[SQL injection]
http://localhost/blogs/_policy_list.php?a=searchvalue=1SearchFor=muuratsaloSearchOption=ContainsSearchField=[SQL injection]
http://localhost/blogs/_rate_list.php?a=searchvalue=1SearchFor=muuratsaloSearchOption=ContainsSearchField=[SQL injection]
http://localhost/blogs/categoriesblogs_list.php?a=searchvalue=1SearchFor=muuratsaloSearchOption=ContainsSearchField=[SQL injection]
http://localhost/blogs/chosen_authors_list.php?a=searchvalue=1SearchFor=muuratsaloSearchOption=ContainsSearchField=[SQL injection]
http://localhost/blogs/chosen_blogs_list.php?a=searchvalue=1SearchFor=muuratsaloSearchOption=ContainsSearchField=[SQL injection]
http://localhost/blogs/chosen_comments_list.php?a=searchvalue=1SearchFor=muuratsaloSearchOption=ContainsSearchField=[SQL injection]
http://localhost/blogs/help_list.php?a=searchvalue=1SearchFor=muuratsaloSearchOption=ContainsSearchField=[SQL injection]
[Full-disclosure] Valid tiny-erp = 1.6 SQL Injection Vulnerability
Dear all,

I have found a SQL injection vulnerability in Valid tiny-erp = 1.6.
It seems to be version 1.6 as you can see in the 'project' section of www.valid.gr.
Anyway there is not any specific number version in the sourceforge page.
I reported the vulnerability to the vendor but no response as stated in the advisory.

Best,
muuratsalo

-- ADVISORY --

Valid tiny-erp = 1.6 SQL Injection Vulnerability

author: muuratsalo (Revshell.com)
contact...: muuratsalo[at]gmail[dot]com
download..: http://sourceforge.net/projects/validerp/

[0x01] Vulnerability overview:

Valid tiny-erp = 1.6 is affected by a SQL injection vulnerability.
Note - A registered account could be required to exploit the vulnerability.

[0x02] Disclosure timeline:

[16/11/2011] - SQL injection vulnerability discovered and reported to the vendor.
[19/11/2011] - No response from the vendor, public disclosure.

[0x03] Proof of Concept:

http://localhost/validerp/_partner_list.php?a=searchvalue=1SearchFor=muuratsaloSearchOption=ContainsSearchField=[SQL injection]
http://localhost/validerp/proioncategory_list.php?a=searchvalue=1SearchFor=muuratsaloSearchOption=ContainsSearchField=[SQL injection]
http://localhost/validerp/_rantevou_list.php?a=searchvalue=1SearchFor=muuratsaloSearchOption=ContainsSearchField=[SQL injection]
http://localhost/validerp/syncategory_list.php?a=searchvalue=1SearchFor=muuratsaloSearchOption=ContainsSearchField=[SQL injection]
http://localhost/validerp/synallasomenos_list.php?a=searchvalue=1SearchFor=muuratsaloSearchOption=ContainsSearchField=[SQL injection]
http://localhost/validerp/ypelaton_list.php?a=searchvalue=1SearchFor=muuratsaloSearchOption=ContainsSearchField=[SQL injection]
http://localhost/validerp/yproion_list.php?a=searchvalue=1SearchFor=muuratsaloSearchOption=ContainsSearchField=[SQL injection]
[Full-disclosure] Freelancer calendar = 1.01 SQL Injection Vulnerability
Dear Sir/Madam,

I have found multiple a SQL injection vulnerability in Freelancer calendar = 1.01.
It seems to be version 1.01 as you can see in the 'Files' section of the Sourceforge page.
I reported the vulnerability to the vendor but no response as stated in the advisory.

Best,
muuratsalo

-- ADVISORY --

Freelancer calendar = 1.01 SQL Injection Vulnerability

author: muuratsalo (Revshell.com)
contact...: muuratsalo[at]gmail[dot]com
download..: http://sourceforge.net/projects/freelancercal/

[0x01] Vulnerability overview:

Freelancer calendar = 1.0.1 is affected by a SQL injection vulnerability.
Note - A registered account could be required to exploit the vulnerability.

[0x02] Disclosure timeline:

[16/11/2011] - SQL injection vulnerability discovered and reported to the vendor.
[19/11/2011] - No response from the vendor, public disclosure.

[0x03] Proof of Concept:

http://localhost/worldcalendar/category_list.php?a=searchvalue=1SearchFor=muuratsaloSearchOption=ContainsSearchField=[SQL injection]
http://localhost/worldcalendar/Copy_of_calendar_list.php?a=searchvalue=1SearchFor=muuratsaloSearchOption=ContainsSearchField=[SQL injection]
http://localhost/worldcalendar/customer_statistics_list.php?a=searchvalue=1SearchFor=muuratsaloSearchOption=ContainsSearchField=[SQL injection]
http://localhost/worldcalendar/customer_list.php?a=searchvalue=1SearchFor=muuratsaloSearchOption=ContainsSearchField=[SQL injection]
http://localhost/worldcalendar/task_statistics_list.php?a=searchvalue=1SearchFor=muuratsaloSearchOption=ContainsSearchField=[SQL injection]
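An added defensive example, not code from these applications or from the advisories: the three advisories above all place the injection point in the `SearchField` request parameter. Assuming that parameter names the column to search (the applications' source is not shown on this page), a bound placeholder cannot protect it, so the column has to be resolved through an allowlist while the search term is bound; the table, columns, sample rows and function names below are hypothetical.

```python
import sqlite3

# Hypothetical allowlists: request value -> identifier / LIKE template we control
ALLOWED_FIELDS = {"name": "name", "email": "email"}
OPERATORS = {"Contains": "%{}%", "Equals": "{}", "Starts with": "{}%"}


def make_db():
    """In-memory table with constructed rows, standing in for a *_list.php page."""
    db = sqlite3.connect(":memory:")
    db.execute(
        "CREATE TABLE authors "
        "(id INTEGER PRIMARY KEY, name TEXT, email TEXT, pw_hash TEXT)"
    )
    db.executemany(
        "INSERT INTO authors (name, email, pw_hash) VALUES (?, ?, ?)",
        [
            ("alice", "alice@example.test", "constructed-hash-1"),
            ("bob", "bob@example.test", "constructed-hash-2"),
        ],
    )
    return db


def search_vulnerable(db, search_field, search_for):
    # The flaw class the advisories report: request values pasted into the
    # statement text, so SearchField can carry arbitrary SQL.
    sql = f"SELECT id, name FROM authors WHERE {search_field} LIKE '%{search_for}%'"
    return db.execute(sql).fetchall()


def search_hardened(db, search_field, search_option, search_for):
    # Identifiers cannot be bound as parameters, so map the request value to a
    # column name taken from our own table; anything else is rejected.
    column = ALLOWED_FIELDS.get(search_field)
    template = OPERATORS.get(search_option)
    if column is None or template is None:
        raise ValueError("unsupported SearchField or SearchOption")
    # Escape LIKE wildcards so the user's term matches literally.
    term = search_for.replace("\\", "\\\\").replace("%", "\\%").replace("_", "\\_")
    sql = f"SELECT id, name FROM authors WHERE {column} LIKE ? ESCAPE '\\'"
    return db.execute(sql, (template.format(term),)).fetchall()


if __name__ == "__main__":
    db = make_db()
    print(search_hardened(db, "name", "Contains", "lic"))
    # A field value that is an expression rather than a column name changes the
    # query's meaning in the vulnerable version and is refused by the hardened one.
    print(search_vulnerable(db, "1=1 OR name", "zzz"))
    try:
        search_hardened(db, "1=1 OR name", "Contains", "zzz")
    except ValueError as exc:
        print("rejected:", exc)
```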
Re: [Full-disclosure] Ubuntu 11.10 now unsecure by default
On 11/18/2011 11:01 AM, Darren Martyn wrote:

To be honest, while Ubuntu is hardly secure, it is not DESIGNED to be secure per se. It is designed to wean Windows users away from M$ and toward GNU/Linux OS types. Kind of a Linux for newbs. My family went from Win XP to Ubuntu years ago and stuck with it. I moved on to Debian, they stuck to Ubuntu and Win7 (eventually) as they are not computer enthusiasts - mere users.

Bullshit, Ubuntu is designed (or at least, was designed) to be very secure, check all the stuff it comes with by default:

https://wiki.ubuntu.com/Security/Features

Not even the default Debian kernel has all those features activated. If I'm wrong, why do you see metasploit modules for Debian but not for Ubuntu? that's the reason.

Recently some stupid people got into management (as always happens) and we have things like unity, the fucked up 24-bit ASLR in i386, and this guest account for retards.