Re: [Full-disclosure] OFF-Spanish content: CURSO WEB HACKING ONLINE GRATUITO.

2012-01-04 Thread Mario Vilas
50 US dollars per student just to pay for the video streaming? I have
a hard time believing that.

2012/1/3 runlvl run...@gmail.com:
 Costo: 50 usd  ( Para pagar streaming )



-- 
“There's a reason we separate military and the police: one fights the
enemy of the state, the other serves and protects the people. When the
military becomes both, then the enemies of the state tend to become
the people.”

___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


[Full-disclosure] Open Redirection Vulnerability in Orchard 1.3.9

2012-01-04 Thread Netsparker Advisories
Information

Name :  Open Redirection Vulnerability in Orchard
Software :  Orchard 1.3.9 and below.
Vendor Homepage :  http://orchardproject.net
Vulnerability Type :  Open Redirection
Severity :  Medium
Researcher :  Mesut Timur
Advisory Reference :  NS-12-002

Description

Orchard is a free, open source, community-focused project aimed at
delivering applications and reusable components on the ASP.NET
platform.

Details

Orchard is affected by an Open Redirection vulnerability in version 1.3.9.
An example PoC URL is as follows:

http://www.example.com/orchard/Users/Account/LogOff?ReturnUrl=%2f%2fwww.netsparker.com%3f

You can read the full article about Open Redirection vulnerability
from here : http://www.mavitunasecurity.com/open-redirection/
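The following is an added example, not Orchard's code and not part of the advisory. It shows why the PoC payload works and how a redirect parameter such as ReturnUrl should be validated. The payload `%2f%2fwww.netsparker.com%3f` decodes to `//www.netsparker.com?`, a scheme-relative URL: it begins with a slash, so a check of the form "starts with '/'" accepts it, yet the browser resolves it against the current scheme and lands on another host. The "starts with '/'" check below is an assumed shape for that kind of flawed validation (the advisory does not show Orchard's code); the default landing page `/` and the sample parameter values other than the PoC are constructed for the example.

```python
"""Validating a ReturnUrl-style parameter so a login/logoff handler can only
redirect within its own site.

Added example, not Orchard's code. The naive check is an assumed shape for
the kind of validation an open redirect like the advisory's slips past; the
hardened check admits only single-slash same-site paths.
"""
from urllib.parse import unquote

# The advisory's PoC payload, as it appears in the query string.
POC_RETURN_URL = "%2f%2fwww.netsparker.com%3f"

# Assumed default landing page used when the parameter is rejected.
DEFAULT_TARGET = "/"


def naive_is_local(url):
    """'Starts with a slash' check (assumed shape, not Orchard's actual code).
    Accepts //host/..., which browsers resolve to another origin."""
    return url.startswith("/")


def is_local_url(url):
    """Accept only '/path' with exactly one leading slash.

    Rejected:
      //host/...   scheme-relative, resolves to another origin
      /\\host/...  browsers treat a backslash after the slash like a second slash
      http://...   absolute URLs of any scheme, including javascript:
      control chars anywhere (tabs/newlines are stripped by browser URL parsers,
                   so '\\t//host' would otherwise become '//host')
    """
    if not url:
        return False
    if any(ord(c) < 0x20 or c == "\x7f" for c in url):
        return False
    if url[0] != "/":
        return False
    return len(url) == 1 or url[1] not in "/\\"


def safe_redirect_target(raw_param, default=DEFAULT_TARGET):
    """Decode the query-string value once (as the web framework would) and
    return it only if it stays on this site; otherwise fall back to default."""
    decoded = unquote(raw_param)
    return decoded if is_local_url(decoded) else default


if __name__ == "__main__":
    # Constructed inputs: the PoC, a legitimate path, and two further bypass shapes.
    for raw in (POC_RETURN_URL, "%2forchard%2fAdmin", "/\\evil.example", "http://evil.example/"):
        decoded = unquote(raw)
        print(f"{decoded!r:32} naive={naive_is_local(decoded)!s:5} "
              f"hardened -> {safe_redirect_target(raw)!r}")
```

Decode exactly once, in the same place the framework does, before validating: validating the raw `%2f%2f...` string and decoding afterwards re-opens the hole. When a redirect to an external site is genuinely needed, compare the parsed host against an explicit allow-list rather than loosening this check.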

Solution

Upgrade to the latest Orchard version (1.3.10).

Credits

It has been discovered on testing of Netsparker, Web Application
Security Scanner - http://www.mavitunasecurity.com/netsparker/.

References

Vendor Url : http://orchard.codeplex.com/discussions/283667
MSL Advisory Link :
http://www.mavitunasecurity.com/open-redirection-vulnerability-in-orchard/
Netsparker Advisories : http://www.mavitunasecurity.com/netsparker-advisories/

About Netsparker

Netsparker® can find and report security issues such as SQL Injection
and Cross-site Scripting (XSS) in all web applications regardless of
the platform and the technology they are built on. Netsparker's unique
detection and exploitation techniques allow it to be dead accurate in
reporting, hence it is the first and the only False Positive Free web
application security scanner.

-- 
Netsparker Advisories, advisor...@mavitunasecurity.com
Homepage, http://www.mavitunasecurity.com/netsparker-advisories/



[Full-disclosure] Monthly Threat Intelligence Report

2012-01-04 Thread Almaz
The report for last December is available at:

http://demyo.com/downloads/threat-intelligence/

[Full-disclosure] [SECURITY] [DSA 2379-1] krb5 security update

2012-01-04 Thread Florian Weimer
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

- -------------------------------------------------------------------------
Debian Security Advisory DSA-2379-1                   secur...@debian.org
http://www.debian.org/security/                           Florian Weimer
January 04, 2012                       http://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package: krb5
Vulnerability  : several
Problem type   : remote
Debian-specific: no
CVE ID : CVE-2011-1528 CVE-2011-1529 

It was discovered that the Key Distribution Center (KDC) in Kerberos 5
crashes when processing certain crafted requests:

CVE-2011-1528
When the LDAP backend is used, remote users can trigger
a KDC daemon crash and denial of service.

CVE-2011-1529
When the LDAP or Berkeley DB backend is used, remote users
can trigger a NULL pointer dereference in the KDC daemon
and a denial of service.

The oldstable distribution (lenny) is not affected by these problems.

For the stable distribution (squeeze), these problems have been fixed
in version 1.8.3+dfsg-4squeeze5.

For the testing distribution (wheezy) and the unstable distribution
(sid), these problems have been fixed in version 1.10+dfsg~alpha1-1.

We recommend that you upgrade your krb5 packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: http://www.debian.org/security/

Mailing list: debian-security-annou...@lists.debian.org
-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.9 (GNU/Linux)

iQEcBAEBAgAGBQJPBKCaAAoJEL97/wQC1SS+/3kIAKdxHCj0h0Bc6Xe+YisGXSA2
xiZjxy0aZILMW+h8/K+5TZb3WhM3mEdVybk9eyDn12mdxquAVlAlEr5VHk3Lraz4
DPnV9KrVvoXwuP008QWLNp97UNtm6sUBF9tqf2hzjn0dOWMIuMb4vxkC1pMP87qr
fW0p0W3hWqrTR13cmTS9k0iRcGwPexwa1CYv+TeGY2S2T5FNsjisyfKVogN4txFp
OxykTkq7I2o26j0kpIyjsOuj0+g+pW/8qvQaIJ//UtLCV8JuNvCPgwThuklrqo9e
1Z+lbeuNirZvoR9TQc+FbUpm9fSJKCt+DguB8lr0GQPG8WqKyxU0Q7WI0Ogp3tU=
=yG6H
-END PGP SIGNATURE-



Re: [Full-disclosure] vsFTPd remote code execution

2012-01-04 Thread Chris Evans
On Sat, Dec 17, 2011 at 9:44 PM, Chris Evans scarybea...@gmail.com wrote:
 On Thu, Dec 15, 2011 at 5:39 AM, HI-TECH .
 isowarez.isowarez.isowa...@googlemail.com wrote:
 Hi Chris,

 Am 14. Dezember 2011 08:21 schrieb Chris Evans scarybea...@gmail.com:
 On Tue, Dec 13, 2011 at 12:11 PM, HI-TECH .
 isowarez.isowarez.isowa...@googlemail.com wrote:
 Yes you are somewhat right, as this is the old discussion about if
 code execution inside an ftpd
 is a vulnerability itself or only local code execution. I have the
 opinion that an ftpd which does not allow to run code
 should restrict the user so, and if there is a way to execute code
 it is a vulnerability.
 Take the example of a vsftpd configured for anonymous ftp and write
 access in /var/ftp.

 IIRC, vsftpd can refuse to start an anonymous session for the
 misconfiguration where the root directory is writeable (to avoid
 problems in the libc like this). I'll make sure it still works and
 maybe check other paths such as /etc


 that's indeed true, nevertheless I have seen boxes in the wild
 with vsftpd running with anonymous and write access in
 /var/ftp, maybe because this security measure was built into
 vsftpd in newer versions ? I am not sure.

 Weird. That's an awful config.
 Would you even need a glibc vuln to attack such an anonymous setup? I
 fiddled around with looking at how glibc loads /etc/nsswitch.conf
 (which can be used to provoke a shared library load from /usr/lib at
 runtime) and it looks like glibc caches /etc/nsswitch.conf across both
 fork() and chroot(), at least my version in F14. Nonetheless, there
 must be other interesting avenues of research along these lines :)

Hehe! I just noticed that FreeBSD was not so lucky:

http://security.freebsd.org/advisories/FreeBSD-SA-11:07.chroot.asc


Cheers
Chris


 For v2.3.5, I moved the check to be sure it's impossible to avoid it
 no matter how many options you fiddle with.


 For local users, there's a configuration setting: chroot_local_user.
 The compiled-in default is false, and the man page cautions:
 ---
 .BR Warning:
 This option has security implications, especially if the users have upload
 permission, or shell access. Only enable if you know what you are doing.
 ---

 I'm not up to date with whether Linux distributions have turned this on
 by default or not.

 I think it is not the default setting but many admins will make use of it in
 hosting environments.

 vsftpd does have the concept of virtual users. I'm not sure if it's
 widely used but it seems that this type of user login would present
 the biggest headache.


 Amusingly, vsftpd already attempts to desist glibc from loading any
 timezone files from inside the chroot() (see env_init) by warming up
 the subsystem and even explicitly setting TZ in the environment. glibc
 displeases me. Perhaps it's a gmtime() vs. localtime() issue -- I'm
 curious to know if glibc still crashes if the setting
 use_localtime=YES is used?

 I haven't checked that but as you said in a private conversation
 caching the zoneinfo file through glibc beforehand makes the zoneinfo file
 usage disappear in my strace output.

 I also don't see any zoneinfo file loads in a default vsftpd config,
 FWIW. Seems to need use_localtime=YES = localtime(). Although one of
 the crash stacks pasted goes via gmtime() so YMMV and it may be glibc
 version dependent.


 I don't mind adding workarounds or avoidances for libc bugs (for
 example, functions like regcomp, fnmatch have long been avoided). If
 you had any clever ideas, I'm happy to put them in, otherwise it's a
 case of waiting for the glibc updates.


 For me it is a miracle why this bug was not patched in glibc back in 2009.

 I think it's still not fixed but being actively worked on. I wonder if
 the /etc/passwd parser is robust :-P Any other system files you can
 think of that might end up getting parsed in the context of a typical
 FTP server?


 Here is the patch by you Chris I hope I can go ahead and post it here
 on full disclosure
 as this might get into a new release anyways (use at your own risk!):

 I just put it in a v2.3.5 release because it seems simple enough.


 Cheers
 Chris


 Add this to the very bottom of vsf_sysutil_tzset():

 ---snip---
  /* Warm up both localtime() and gmtime() before any chroot(), so glibc
   * has its timezone state cached and does not parse files later. */
  p_tm = localtime(&the_time);
  if (p_tm == NULL)
  {
    die("localtime #2");
  }
  p_tm = gmtime(&the_time);
  if (p_tm == NULL)
  {
    die("gmtime");
  }
 ---snip---

 Regards,

 Kingcope

 Cheers
 Chris

 The attacker might
 execute code using the vulnerability without authentication
 credentials, or for example an attacker only has
 access to a user account configured for ftp.
 Basically you are right, vsftpd uses privsep so it's a not-so-risky
 vulnerability.

 /Kingcope

 Am 13. Dezember 2011 20:56 schrieb Dan Rosenberg 
 dan.j.rosenb...@gmail.com:
 Anyone with an up2date linux local root which only makes use of 
 syscalls? :


 This is all fun stuff, and definitely worth looking into further, but
 if you've got a local kernel exploit that you can trigger 

[Full-disclosure] [SECURITY] [DSA 2380-1] foomatic-filters security update

2012-01-04 Thread Florian Weimer
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

- -------------------------------------------------------------------------
Debian Security Advisory DSA-2380-1                   secur...@debian.org
http://www.debian.org/security/                           Florian Weimer
January 04, 2012                       http://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package: foomatic-filters
Vulnerability  : shell command injection
Problem type   : remote
Debian-specific: no
CVE ID : CVE-2011-2697 CVE-2011-2964 
Debian Bug : 635549

It was discovered that foomatic-filters, a support package for
setting up printers, allowed authenticated users to submit crafted
print jobs which would execute shell commands on the print server.

CVE-2011-2697 was assigned to the vulnerability in the Perl
implementation included in lenny, and CVE-2011-2964 to the
vulnerability affecting the C reimplementation part of squeeze.

For the oldstable distribution (lenny), this problem has been fixed in
version 3.0.2-20080211-3.2+lenny1.

For the stable distribution (squeeze), this problem has been fixed in
version 4.0.5-6+squeeze1.

For the testing distribution (wheezy) and the unstable distribution
(sid), this problem has been fixed in version 4.0.9-1.

We recommend that you upgrade your foomatic-filters packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: http://www.debian.org/security/

Mailing list: debian-security-annou...@lists.debian.org
-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.9 (GNU/Linux)

iQEcBAEBAgAGBQJPBLxbAAoJEL97/wQC1SS+mp0H/jSmC8YAOiGfuoqh6kXFqs6c
3A5d/OWdt/PmxiGB50uU5PUMRtvf0YsH8zdBnsLxodP8BT/67UEVvlBjcLZ3X8vX
e6auNGP1irGOSIgYb7MWtw+0lCspqv49dc5gK0if/kHBv0ExcHavoR4IMaIvsP6w
YOZcd3FL5rTdgIyIMB+KEbMTJW/sR26GjPbAO/N5WWtwbs3IyctM1YK/DTAu9Yji
opNrQG/vCJIQSWlGEjdQ1oto74WiwEExLPsKgZ7hgv0NL4tKnihFnK3Llox5xFvN
Tx57zt4N916uaPGV20GXin0Vlg2x5IwrLy6S8uAljN/3NnMCobzkCFOP4sc/lp0=
=kTKo
-END PGP SIGNATURE-



[Full-disclosure] [ GLSA 201201-01 ] phpMyAdmin: Multiple vulnerabilities

2012-01-04 Thread Tim Sammut
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory   GLSA 201201-01
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

  Severity: High
     Title: phpMyAdmin: Multiple vulnerabilities
      Date: January 04, 2012
      Bugs: #302745, #335490, #336462, #354227, #373951, #376369,
            #387413, #389427, #395715
        ID: 201201-01

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

Multiple vulnerabilities were found in phpMyAdmin, the most severe of
which allows the execution of arbitrary PHP code.

Background
==========

phpMyAdmin is a web-based management tool for MySQL databases.

Affected packages
=================

    -------------------------------------------------------------------
     Package              /     Vulnerable     /            Unaffected
    -------------------------------------------------------------------
  1  dev-db/phpmyadmin          < 3.4.9                    >= 3.4.9

Description
===========

Multiple vulnerabilities have been discovered in phpMyAdmin. Please
review the CVE identifiers and phpMyAdmin Security Advisories
referenced below for details.

Impact
======

Remote attackers might be able to insert and execute PHP code, include
and execute local PHP files, or perform Cross-Site Scripting (XSS)
attacks via various vectors.

Workaround
==========

There is no known workaround at this time.

Resolution
==========

All phpMyAdmin users should upgrade to the latest version:

  # emerge --sync
  # emerge --ask --oneshot --verbose =dev-db/phpmyadmin-3.4.9

References
==========

[  1 ] CVE-2008-7251
   http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-7251
[  2 ] CVE-2008-7252
   http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-7252
[  3 ] CVE-2010-2958
   http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-2958
[  4 ] CVE-2010-3055
   http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-3055
[  5 ] CVE-2010-3056
   http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-3056
[  6 ] CVE-2010-3263
   http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-3263
[  7 ] CVE-2011-0986
   http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0986
[  8 ] CVE-2011-0987
   http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0987
[  9 ] CVE-2011-2505
   http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2505
[ 10 ] CVE-2011-2506
   http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2506
[ 11 ] CVE-2011-2507
   http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2507
[ 12 ] CVE-2011-2508
   http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2508
[ 13 ] CVE-2011-2642
   http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2642
[ 14 ] CVE-2011-2643
   http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2643
[ 15 ] CVE-2011-2718
   http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2718
[ 16 ] CVE-2011-2719
   http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2719
[ 17 ] CVE-2011-3646
   http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-3646
[ 18 ] CVE-2011-4064
   http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-4064
[ 19 ] CVE-2011-4107
   http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-4107
[ 20 ] CVE-2011-4634
   http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-4634
[ 21 ] CVE-2011-4780
   http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-4780
[ 22 ] CVE-2011-4782
   http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-4782
[ 23 ] PMASA-2010-1
   http://www.phpmyadmin.net/home_page/security/PMASA-2010-1.php
[ 24 ] PMASA-2010-2
   http://www.phpmyadmin.net/home_page/security/PMASA-2010-2.php
[ 25 ] PMASA-2010-4
   http://www.phpmyadmin.net/home_page/security/PMASA-2010-4.php
[ 26 ] PMASA-2010-5
   http://www.phpmyadmin.net/home_page/security/PMASA-2010-5.php
[ 27 ] PMASA-2010-6
   http://www.phpmyadmin.net/home_page/security/PMASA-2010-6.php
[ 28 ] PMASA-2010-7
   http://www.phpmyadmin.net/home_page/security/PMASA-2010-7.php
[ 29 ] PMASA-2011-1
   http://www.phpmyadmin.net/home_page/security/PMASA-2011-1.php
[ 30 ] PMASA-2011-10
   http://www.phpmyadmin.net/home_page/security/PMASA-2011-10.php
[ 31 ] PMASA-2011-11
   http://www.phpmyadmin.net/home_page/security/PMASA-2011-11.php
[ 32 ] PMASA-2011-12
   http://www.phpmyadmin.net/home_page/security/PMASA-2011-12.php
[ 33 ] PMASA-2011-15
   http://www.phpmyadmin.net/home_page/security/PMASA-2011-15.php
[ 34 ] PMASA-2011-16
   http://www.phpmyadmin.net/home_page/security/PMASA-2011-16.php
[ 35 ] PMASA-2011-17
   http://www.phpmyadmin.net/home_page/security/PMASA-2011-17.php
[ 36 ] PMASA-2011-18
   http://www.phpmyadmin.net/home_page/security/PMASA-2011-18.php
[ 37 ] PMASA-2011-19
   http://www.phpmyadmin.net/home_page/security/PMASA-2011-19.php
[ 38 ] PMASA-2011-2
   http://www.phpmyadmin.net/home_page/security/PMASA-2011-2.php
[ 39 ] PMASA-2011-20
 

[Full-disclosure] Revised IETF I-D: Advice on IPv6 RA-Guard Implementation

2012-01-04 Thread Fernando Gont
Folks,

We've published the IETF I-D Implementation Advice for IPv6 Router
Advertisement Guard (RA-Guard). It is available at:
http://www.ietf.org/id/draft-gont-v6ops-ra-guard-implementation-00.txt

This I-D is based on our original I-D
draft-gont-v6ops-ra-guard-evasion-01, but now focuses on providing
advice to RA-Guard implementations, rather than on the evasion
techniques that have been found effective against most popular
implementations of RA-Guard.

Producing effective RA-Guard implementations is important to provide
feature parity with similar mitigation techniques already available and
employed in the IPv4 world.

Any feedback will be greatly appreciated. -- If possible, send your
feedback to: v6...@ietf.org (the relevant IETF mailing-list), and CC me.

Follow Us on Twitter: @SI6Networks

Thanks!

Best regards,
-- 
Fernando Gont
SI6 Networks
e-mail: fg...@si6networks.com
PGP Fingerprint:  31C6 D484 63B2 8FB1 E3C4 AE25 0D55 1D4E 7492


