[Full-disclosure] [SECURITY] [DSA 2459-1] quagga security update
Debian Security Advisory DSA-2459-1                   secur...@debian.org
http://www.debian.org/security/                            Florian Weimer
April 26, 2012                         http://www.debian.org/security/faq

Package        : quagga
Vulnerability  : several
Problem type   : remote
Debian-specific: no
CVE ID         : CVE-2012-0249 CVE-2012-0250 CVE-2012-0255

Several vulnerabilities have been discovered in Quagga, a routing daemon.

CVE-2012-0249

    A buffer overflow in the ospf_ls_upd_list_lsa function in the OSPFv2 implementation allows remote attackers to cause a denial of service (assertion failure and daemon exit) via a Link State Update (aka LS Update) packet that is smaller than the length specified in its header.

CVE-2012-0250

    A buffer overflow in the OSPFv2 implementation allows remote attackers to cause a denial of service (daemon crash) via a Link State Update (aka LS Update) packet containing a network-LSA link-state advertisement for which the data-structure length is smaller than the value in the Length header field.

CVE-2012-0255

    The BGP implementation does not properly use message buffers for OPEN messages, which allows remote attackers impersonating a configured BGP peer to cause a denial of service (assertion failure and daemon exit) via a message associated with a malformed AS4 capability.

This security update upgrades the quagga package to the most recent upstream release. This release includes other corrections, such as hardening against unknown BGP path attributes.

For the stable distribution (squeeze), these problems have been fixed in version 0.99.20.1-0+squeeze1.

For the testing distribution (wheezy) and the unstable distribution (sid), these problems have been fixed in version 0.99.20.1-1.

We recommend that you upgrade your quagga packages.

Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: http://www.debian.org/security/

Mailing list: debian-security-annou...@lists.debian.org

___ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
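The two OSPF issues in this advisory are both length-validation failures, so here is an added example (not Debian's or Quagga's code) of the checks a receiver needs before it touches an LS Update: each LSA header's declared length is compared with the bytes actually received, and a network-LSA is required to be at least as long as its fixed fields. Assumptions: the LSA header layout (20 bytes, length field at offset 18) and the 4-byte network mask follow RFC 2328, the sample packet bytes are constructed here, and LSA checksums are not verified.

```c
/* Added example: validating OSPFv2 LS Update contents before use. Not code
 * from Quagga or Debian; layouts follow RFC 2328 (LSA header = 20 bytes,
 * network-LSA body = 4-byte mask + 4 bytes per attached router). */
#include <stdint.h>
#include <stddef.h>

#define OSPF_LSA_HEADER_SIZE   20u
#define OSPF_NETWORK_LSA       2u
/* Minimum network-LSA: header plus the Network Mask field (assumption: we do
 * not insist on at least one attached router here). */
#define OSPF_NETWORK_LSA_MIN   (OSPF_LSA_HEADER_SIZE + 4u)

enum lsa_status {
    LSA_OK = 0,
    LSA_TRUNCATED_HEADER,   /* fewer than 20 bytes left for the header */
    LSA_LENGTH_OVERRUNS,    /* declared length exceeds what was received */
    LSA_LENGTH_TOO_SMALL,   /* declared length below the header size */
    LSA_SHORT_FOR_TYPE      /* network-LSA smaller than its fixed fields */
};

static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] << 8 | p[1]); }
static uint32_t rd32(const uint8_t *p)
{
    return (uint32_t)p[0] << 24 | (uint32_t)p[1] << 16 | (uint32_t)p[2] << 8 | p[3];
}

/* Check one LSA that starts at buf, with 'avail' bytes remaining in the
 * packet. On success stores the declared length so the caller can advance. */
enum lsa_status ospf_lsa_check(const uint8_t *buf, size_t avail, size_t *lsa_len)
{
    if (avail < OSPF_LSA_HEADER_SIZE)
        return LSA_TRUNCATED_HEADER;
    uint8_t  type   = buf[3];         /* LS type at offset 3 */
    uint16_t length = rd16(buf + 18); /* length field at offset 18 */
    if (length < OSPF_LSA_HEADER_SIZE)
        return LSA_LENGTH_TOO_SMALL;
    if (length > avail)               /* the CVE-2012-0249 condition */
        return LSA_LENGTH_OVERRUNS;
    if (type == OSPF_NETWORK_LSA) {   /* the CVE-2012-0250 condition */
        if (length < OSPF_NETWORK_LSA_MIN ||
            (length - OSPF_NETWORK_LSA_MIN) % 4 != 0)
            return LSA_SHORT_FOR_TYPE;
    }
    *lsa_len = length;
    return LSA_OK;
}

/* Walk the LS Update body (the part after the 24-byte OSPF packet header):
 * a 4-byte "# LSAs" count followed by the LSAs. Returns the number of LSAs
 * that passed validation, or -1 as soon as one is malformed, so nothing
 * past a bad length is ever read. */
int ospf_ls_upd_walk(const uint8_t *body, size_t body_len)
{
    if (body_len < 4)
        return -1;
    uint32_t count = rd32(body);
    size_t off = 4;
    for (uint32_t i = 0; i < count; i++) {
        size_t len = 0;
        if (ospf_lsa_check(body + off, body_len - off, &len) != LSA_OK)
            return -1;
        off += len;
    }
    return (int)count;
}

/* Constructed sample: one well-formed network-LSA (length 28) in an LS Update
 * body. Fields: LS age 1, options 0x02, type 2, LS ID and advertising router
 * 192.0.2.1, sequence 0x80000001, checksum left 0 (not verified here),
 * length 28, mask 255.255.255.0, one attached router 192.0.2.1. */
static const uint8_t sample_ls_upd[] = {
    0x00, 0x00, 0x00, 0x01,   /* # LSAs = 1 */
    0x00, 0x01, 0x02, 0x02,   /* age, options, type */
    0xc0, 0x00, 0x02, 0x01,   /* link state ID */
    0xc0, 0x00, 0x02, 0x01,   /* advertising router */
    0x80, 0x00, 0x00, 0x01,   /* sequence number */
    0x00, 0x00, 0x00, 0x1c,   /* checksum, length 28 */
    0xff, 0xff, 0xff, 0x00,   /* network mask */
    0xc0, 0x00, 0x02, 0x01    /* attached router */
};

int check_well_formed(void)
{
    return ospf_ls_upd_walk(sample_ls_upd, sizeof sample_ls_upd);      /* 1 */
}

/* Same bytes but the packet ends 4 bytes early: declared length 28 exceeds
 * the 24 bytes present, which is the shape of CVE-2012-0249. */
int check_truncated(void)
{
    return ospf_ls_upd_walk(sample_ls_upd, sizeof sample_ls_upd - 4);  /* -1 */
}

/* A network-LSA whose length field says 20: no room even for the mask. */
enum lsa_status check_short_network_lsa(void)
{
    uint8_t lsa[OSPF_LSA_HEADER_SIZE];
    size_t len = 0;
    for (size_t i = 0; i < sizeof lsa; i++) lsa[i] = sample_ls_upd[4 + i];
    lsa[19] = 0x14;                                  /* length = 20 */
    return ospf_lsa_check(lsa, sizeof lsa, &len);    /* LSA_SHORT_FOR_TYPE */
}
```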
[Full-disclosure] Oracle TNS Poison vulnerability is actually a 0day with no patch available
Hi all,

Short history: The remote pre-authenticated vulnerability with CVSS2 10 I published some days ago [1], the vulnerability I called Oracle TNS Poison (reported to vendor in 2008), is a 0day affecting all database versions from 8i to 11g R2. There is no patch at all for this vulnerability and Oracle refuses to write a patch for *ANY* existing versions, even for Oracle 11g R2. So, yes, ALL versions are vulnerable and will remain vulnerable. As I published many workarounds for this vulnerability I believe it's better to make this information public so Oracle database's customers can protect themselves.

Long history: Some days ago, after the release of Oracle Critical Patch Update April 2012, a friend of mine told me that Oracle gave me credit in the Security-In-Depth program for a vulnerability they fixed. After this, I asked both Oracle and iSightPartners (the company I sold the vulnerability to in 2008) for information about the vulnerability they fixed in this CPU. Oracle told us that the vulnerability with tracking id #13793589 (the TNS poison vulnerability) was the one fixed. As the vulnerability was fixed, there was no reason not to publish information about it any more and I decided to publish an advisory, a document explaining the vulnerability and a proof of concept. So far, so good.

However, I was suspicious about a statement Oracle people wrote me in an e-mail as, in their words, the vulnerability was fixed in future releases of the product. Eeeeh... was and in the future? As it makes no sense, I sent Oracle an e-mail asking for details about the fix:

> On 4/19/2012 12:53 PM, Joxean Koret wrote:
> (...)
> How can customers with current versions installed fix this vulnerability? Do they have to wait until the next version? Just out of curiosity.

And Oracle answered me with excuses (excusatio non petita, accusatio manifesta):

> We had to make the hard choice of fixing it in the release and not in the CPU because:
> * The fix is very complex and it is extremely risky to backport.
> * This fix is in a sensitive part of our code where regressions are a concern.
> * Customers have requested that Oracle not include such security fixes into Critical Patch Updates that increases the chance of regressions.

As they refused to answer it clearly, I asked them once again in a simpler way about the fix for the vulnerability:

> On 4/23/2012 9:20 AM, Joxean Koret wrote:
> (..)
> Just a final question: Does it mean that all current versions are vulnerable and the vulnerability will only be fixed in next products like, say, 11g R3 or 12g?

And Oracle, believing I'm stupid or something like this, answered me the following:

> To protect the interest of our customers, we do not provide these level of details (like versions affected) for the issues that are addressed as in-depth. The future releases will have the fix.

So, as previously stated, this is a 0day vulnerability with no patch, Oracle refuses to patch the vulnerability in *any* existing version and Oracle refuses to give details about which versions will have the fix. But they say the vulnerability is fixed. Cool.

Oracle security people: For the next time, don't say that a vulnerability is fixed in a Critical Patch Update if the patch is not published. Your customers are not interested if the vulnerability is fixed in your development version, they only care about the vulnerability being fixed in the versions they are using in production systems.

PS: I must admit that being Oracle, that confusion doesn't surprise me at all.

[1] http://seclists.org/fulldisclosure/2012/Apr/204

Regards,
Joxean Koret
Re: [Full-disclosure] phpMyBible 0.5.1 Multiple XSS
Just let go (Buddha) :)

SCNR :)

--
Martin Allert
arago Institut für komplexes Datenmanagement AG
Eschersheimer Landstraße 526 - 532
60433 Frankfurt am Main
eMail: all...@arago.de - www: http://www.arago.de
Tel: +49-69-40568-403
Fax: +49-69-40568-111
--
Bank details: Frankfurter Sparkasse, BLZ: 500 502 01, Account no.: 79343
Management board: Hans-Christian Boos, Martin Friedrich
Chairman of the supervisory board: Dr. Bernhard Walther
Registered office: Kronberg im Taunus · HRB 5731 · Register court: Königstein i.Ts
VAT ID DE 178572359 · Tax number 2603 003 228 43435
Follow us here: automatisierungs-experten.de -- www.hcboos.net -- facebook.com/aragoAutomationExperts -- twitter.com/arago_AG -- xing.com/companies/aragoag -- linkedin.com/company/arago-ag -- slideshare.net/Arago.AG -- youtube.com/aragoag -- flickr.com/aragoag

-----Original Message-----
From: full-disclosure-boun...@lists.grok.org.uk [mailto:full-disclosure-boun...@lists.grok.org.uk] On behalf of Thomas Richards
Sent: Sunday, 22 April 2012 17:09
To: full-disclosure@lists.grok.org.uk
Subject: [Full-disclosure] phpMyBible 0.5.1 Multiple XSS

# Exploit Title: phpMyBible 0.5.1 Multiple XSS
# Date: 04/15/12
# Author: G13
# Twitter: @g13net
# Software http://sourceforge.net/projects/phpmybible/?source=directory
# Version: 0.5.1
# Category: webapps (php)
#

# Description
#

phpMyBible is an online collaborative project to make an e-book of the Holy Bible in as many languages as possible. phpMyBible is designed to be flexible to all readers while maintaining the authenticity and originality of the Holy Bible scripture.

# Vulnerability
#

phpMyBible has multiple XSS vulnerabilities. When reading a section of the Bible, both the 'version' and 'chapter' variables are prone to reflective XSS.

# Exploit
#

http://localhost/index.php?book=1&version=[XSS]&chapter=[XSS]

# Vendor Notification
#

04/15/12 - Vendor Notified
04/22/12 - No response, disclos
Re: [Full-disclosure] [New tool] - Exploit Pack - Web Security
The exploitpack.com website and the video have been removed... (maybe we can call this a legally induced denial of service vulnerability?)

On Tue, Apr 24, 2012 at 12:31 PM, Michele Orru <antisnatc...@gmail.com> wrote:
> I'm also wondering if your tool is a clone of our BeEF or not :D
>
> Cheers
> antisnatchor
>
> On Tue, Apr 24, 2012 at 11:25 AM, Jerome Athias <jer...@netpeas.com> wrote:
>> Hi,
>>
>> I think that people here would be more interested by the (new?) techniques you're using in your tool than by your own (not documented?) implementation.
>> ie: are you using MSF browser autopwn technique for browser control?
>> (Or, will we have to spend individually 3 days to review and test your tool?)
>>
>> My 2 cts
>> /JA
>>
>> On 23/04/2012 21:52, runlvl wrote:
>>> Exploit Pack - Web Security Edition
>>>
>>> This tool allows you to take control of remote browsers, steal social network credentials, obtain persistence on it, DDoS and more.
>>>
>>> Demo: http://www.youtube.com/watch?v=B_AYyRFNokI
>>>
>>> Main features:
>>> - Hacking of Gmail, Yahoo, Facebook, Live, Linkedin
>>> - Session persistence
>>> - 0day exploits included
>>> - Remote browser control
>>> - DDoS by creating botnets
>>> - Launch remote exploits
>>> - Steal credentials
>>>
>>> Questions? supp...@exploitpack.com
>>> Official site: http://exploitpack.com
>>
>> --
>> Jerome Athias - NETpeas
>> VP, Director of Software Engineer
>> Palo Alto - Paris - Casablanca
>> www.netpeas.com - Stay updated on Security: www.vulnerabilitydatabase.com
>> "The computer security is an art form. It's the ultimate martial art."
>
> --
> /antisnatchor

--
"There's a reason we separate military and the police: one fights the enemy of the state, the other serves and protects the people. When the military becomes both, then the enemies of the state tend to become the people."
Re: [Full-disclosure] [New tool] - Exploit Pack - Web Security
LOL :D losers

Cheers
antisnatchor

On Thu, Apr 26, 2012 at 3:07 PM, Mario Vilas <mvi...@gmail.com> wrote:
> The exploitpack.com website and the video have been removed... (maybe we can call this a legally induced denial of service vulnerability?)

--
/antisnatchor
Re: [Full-disclosure] We're now paying up to $20,000 for web vulns in our services
Perhaps I'm more of a pessimist (actually just a disgruntled optimist), but unless the rewards increase _substantially_, I can't see a $$-oriented black hat switching sides. The potential reward for silently cracking into the Google (or any cloud or hosting provider, for that matter) user information (especially PII) has been estimated to be well above $20K. The user list alone can possibly net that much, depending on who's buying and the list contents. Any _actual_ black hat that sells a really serious discovery to Google rather than marketing his discovery (and the data it exposes) on the black market is either under LEA scrutiny or is just a bit confused about where the real money is to be made.

..but maybe that's just me...

Jim

-----Original Message-----
From: Bob McConnell [mailto:r...@cbord.com]
Sent: Thursday, April 26, 2012 05:45
To: Michal Zalewski; Charles Morris
Cc: Jim Harrison; dailydave; websecur...@lists.webappsec.org; full-disclosure; bugtraq
Subject: RE: [Full-disclosure] We're now paying up to $20,000 for web vulns in our services

From: Michal Zalewski

>> A you-only-get-it-when-successful 20,000$ budget from Google is insulting, considering the perhaps massive time investment from the researcher. [...] and yet they only pay a nice researcher 20 grand? You can't even live on that. Researchers aren't just kids with no responsibilities, they have mortgages and families
>
> People who want to make a living helping to improve Google security are welcome to apply for a job :-) We have a remarkably large and interesting security team. The program simply serves to complement that (and some other, contract-driven efforts), and it works for quite a few people who see it as a way to do something useful on the side, and get compensated for it, too.
>
> Now, I have done a fair amount of vulnerability research in my life, I do have a family and a mortgage - and I still wouldn't see $20k as an insult; but I know that this is subjective. In that spirit, you are at liberty to determine whether to participate, and how much time to invest into the pursuit :-)

Another point that seems to be overlooked in these discussions is that this bounty adds a new vector into the decision tree for the black hat. EvilBob now has to decide if that vulnerability he just found is worth more for his usual nefarious uses than the cash reward. In some cases, this might result in discoveries being reported for the reward instead of being used to attack the servers, converting the black hat over to white. I suspect the likelihood of this outcome increases exponentially with the size of the reward.

Bob McConnell
[Full-disclosure] Microsoft MSN Hotmail - Password Reset Setup Vulnerability
Title:
======
Microsoft MSN Hotmail - Password Reset Setup Vulnerability

Date:
=====
2012-04-26

References:
===========
http://www.vulnerability-lab.com/get_content.php?id=529
http://news.softpedia.com/news/Critical-0-Day-in-Hotmail-Exploited-in-Wild-Microsoft-Issues-Fix-266506.shtml
http://news.hitb.org/content/0day-remote-password-reset-vulnerability-msn-hotmail-patched

VL-ID:
=====
529

Introduction:
=============
Hotmail (also known as Microsoft Hotmail and Windows Live Hotmail), is a free web-based email service operated by Microsoft as part of Windows Live. One of the first web-based email services, it was founded by Sabeer Bhatia and Jack Smith and launched in July 1996 as HoTMaiL. It was acquired by Microsoft in 1997 for an estimated $400 million, and shortly after it was rebranded as MSN Hotmail. The current version was released in 2007. Hotmail features unlimited storage, Ajax, and integration with Microsoft's instant messaging (Windows Live Messenger), calendar (Hotmail Calendar), file hosting service (SkyDrive) and contacts platform. According to comScore (August 2010) Windows Live Hotmail is the world's largest web-based email service with 364 million members, followed by Gmail and Yahoo! Mail, respectively. It is available in 36 different languages. Hotmail is developed from Mountain View, California. When Hotmail Corporation was an independent company, its headquarters was in Sunnyvale.

(Copy of the Vendor Homepage: http://en.wikipedia.org/wiki/Hotmail )

Abstract:
=========
Vulnerability-Lab Team discovered a Password Reset Vulnerability on Microsoft's official MSN Hotmail service.

Report-Timeline:
================
2012-04-06: Researcher Notification & Coordination
2012-04-20: Vendor Notification
2012-04-20: Vendor Response/Feedback
2012-04-20: Vendor Fix/Patch [#HOTFIX]
2012-04-26: Public or Non-Public Disclosure

Status:
========
Published

Affected Products:
==================
Microsoft Corporation
Product: MSN - Hotmail v2012 - Q1 & Q2

Exploitation-Technique:
=======================
Remote

Severity:
=========
Critical

Details:
========
A high severity password reset vulnerability is detected in Microsoft's official MSN Hotmail service. A Vulnerability Laboratory senior researcher, Benjamin Kunz Mejri, identified a critical security vulnerability in Microsoft's official MSN Hotmail (Live) service.

A critical vulnerability was found in the password reset functionality of Microsoft's official MSN Hotmail service. The vulnerability allows an attacker to reset the Hotmail/MSN password with attacker chosen values. Remote attackers can bypass the password recovery service to set up a new password and bypass in-place protections (token based). The token protection only checks if a value is empty, then blocks or closes the web session. A remote attacker can, for example, bypass the token protection with values "+++)-". Successful exploitation results in unauthorized MSN or Hotmail account access. An attacker can decode the CAPTCHA & send automated values over the MSN Hotmail module.

Vulnerable Module(s):
    [+] Password Recovery Service > New Pass

Proof of Concept:
=================
The vulnerability can be exploited by a remote attacker without required user interaction. For demonstration or reproduce ...

Note: To exploit the vulnerability only a browser and a url (GET|POST) tamper is required.

Exploitation Technique(s):
    [+] Bypass the Recovery Mod Page to New Pass or Reset
    [+] Bypass token protection via not empty value or positive value(s)
    [+] Setup new password
    [+] Decode captcha & send automatic values

Solution:
=========
2012-04-20: Vendor Fix/Patch [#HOTFIX] - Coordination MSRC Team

Risk:
=====
The security risk of the remote password reset vulnerability is estimated as critical.

Credits:
========
Vulnerability Laboratory [Research Team] - Benjamin Kunz Mejri (Rem0ve)

Disclaimer:
===========
The information provided in this advisory is provided as it is without any warranty. Vulnerability-Lab disclaims all warranties, either expressed or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-Lab or its suppliers are not liable in any case of damage, including direct, indirect, incidental, consequential loss of business profits or special damages, even if Vulnerability-Lab or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply. Any modified copy or reproduction, including partially usages, of this file requires authorization from Vulnerability-Lab. Permission to electronically
[Full-disclosure] [SECURITY] [DSA 2461-1] spip security update
Debian Security Advisory DSA-2461-1                   secur...@debian.org
http://www.debian.org/security/                        Moritz Muehlenhoff
April 26, 2012                         http://www.debian.org/security/faq

Package        : spip
Vulnerability  : several
Problem type   : remote
Debian-specific: no
CVE ID         : not yet available

Several vulnerabilities have been found in SPIP, a website engine for publishing, resulting in cross-site scripting, script code injection and bypass of restrictions.

For the stable distribution (squeeze), this problem has been fixed in version 2.1.1-3squeeze3.

For the testing distribution (wheezy), this problem has been fixed in version 2.1.13-1.

For the unstable distribution (sid), this problem has been fixed in version 2.1.13-1.

We recommend that you upgrade your spip packages.

Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: http://www.debian.org/security/

Mailing list: debian-security-annou...@lists.debian.org
[Full-disclosure] IA, CSRF and FPD vulnerabilities in Organizer for WordPress
Hello list!

I want to warn you about multiple new security vulnerabilities in plugin Organizer for WordPress. This is the third in a series of advisories concerning vulnerabilities in this plugin.

These are Insufficient Authorization, Cross-Site Request Forgery and Full path disclosure vulnerabilities.

-------------------------
Affected products:
-------------------------

Vulnerable are Organizer 1.2.1 and previous versions.

As the developer of the plugin answered me, he doesn't support it anymore and will not be fixing any vulnerabilities in it.

----------
Details:
----------

Insufficient Authorization (WASC-02):

Access to users.php and execution of all operations are allowed to any users of the system (even Subscriber).

http://site/wp-admin/admin.php?page=organizer/page/users.php

Viewing of settings, adding, editing and deleting of users' settings are possible. In particular, any user (such as Subscriber) can set, even for his account, allowed extensions for uploading files, e.g. php. This includes that an unprivileged user can conduct Persistent XSS attacks on admin (via two earlier-mentioned Persistent XSS holes). And also this vulnerability allows conducting CSRF attacks (for changing of the settings) not only on admin, but on any logged in user.

CSRF (WASC-09):

All functionality of the plugin is vulnerable to CSRF attacks.

Besides the earlier-mentioned CSRF in script users.php, e.g. in script dir.php via CSRF it's possible to create, rename and delete directories (it's possible to rename and delete only empty directories). For this it's needed to send three corresponding POST requests.

http://site/wp-admin/admin.php?page=organizer/page/dir.php

And in script view.php via CSRF it's possible to rename, copy and delete uploaded files. For this it's needed to send three corresponding POST requests.

http://site/wordpress/wp-admin/admin.php?page=organizer/page/view.php

FPD (WASC-13):

Script http://site/wordpress/wp-admin/admin.php?page=organizer/page/view.php has built-in functionality (and vulnerability) - showing of the full path on the server.

----------
Timeline:
----------

2012.04.15 - informed the developer about previous vulnerabilities.
2012.04.17 - the developer answered, that he didn't support the plugin anymore.
2012.04.17 - additionally informed the developer about new vulnerabilities.
2012.04.20 - disclosed at my site (http://websecurity.com.ua/5801/).

Best wishes & regards,
MustLive
Administrator of Websecurity web site
http://websecurity.com.ua
[Full-disclosure] CIntruder v0.2 released
Hi list,

A new version of *CIntruder* (v0.2), the captcha intruder, has been released.

Take a look at the CIntruder website to see the new features implemented:

http://cintruder.sf.net

You can download the original code directly from here:

http://sourceforge.net/projects/cintruder/files/cintruder_v0.2.0.tar.gz/download

Or update your copy from the CIntruder repository:

http://sourceforge.net/p/cintruder/code/

Now there is modularity in the OCR process: you can handle CIntruder with another tool, to perform automatic tests on forms that have a captcha, and interact with an online distributed dictionary.

http://cintruder.sf.net/cinet

I hope that you enjoy it!! :D

psy.
[Full-disclosure] [Exploit Pack] - Web Security -Webinar Live demo!
Hello to all!

We want to invite you to attend the live demo of Exploit Pack - Web Security, this Saturday, April 28, 2012 5:00 PM - 6:00 PM (Buenos Aires UTC -3:00)

Registration link: http://www.anymeeting.com/PIID=ED59DF80874A

Also we have recorded a new video tutorial: http://www.youtube.com/watch?v=jCR5TSTmtJE

Hope you like it! See you next time

Juan Sacco
Exploit Pack
Twitter: ExploitPack
Skype: juansacco
Facebook: http://www.facebook.com/pages/Exploit-Pack/153917064701761
[Full-disclosure] VMSA-2012-0008 VMware ESX updates to ESX Service Console
- ------------------------------------------------------------------------
                   VMware Security Advisory

Advisory ID: VMSA-2012-0008
Synopsis:    VMware ESX updates to ESX Service Console
Issue date:  2012-04-26
Updated on:  2012-04-26 (initial advisory)
CVE numbers: CVE-2010-4008, CVE-2011-0216, CVE-2011-1944, CVE-2011-2834,
             CVE-2011-3191, CVE-2011-4348, CVE-2012-0028, CVE-2011-3905,
             CVE-2011-3919
- ------------------------------------------------------------------------

1. Summary

   VMware ESX updates to ESX Service Console.

2. Relevant releases

   ESX 4.1 without patches ESX410-201204401-SG, ESX410-201204402-SG

3. Problem Description

 a. ESX third party update for Service Console kernel

    The ESX Service Console Operating System (COS) kernel is updated which addresses several security issues in the COS kernel.

    The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the names CVE-2011-3191, CVE-2011-4348 and CVE-2012-0028 to these issues.

    Column 4 of the following table lists the action required to remediate the vulnerability in each release, if a solution is available.

    VMware    Product   Running   Replace with/
    Product   Version   on        Apply Patch
    ========  ========  ========  ====================
    vCenter   any       Windows   not affected
    hosted *  any       any       not affected
    ESXi      any       ESXi      not affected
    ESX       4.1       ESX       ESX410-201204401-SG
    ESX       4.0       ESX       patch pending **
    ESX       3.5       ESX       not applicable

    * hosted products are VMware Workstation, Player, ACE, Fusion.

    ** Two of the three issues, CVE-2011-3191 and CVE-2011-4348, have already been addressed on ESX 4.0 in an earlier kernel patch. See VMSA-2012-0006 for details.

 b. Updated ESX Service Console package libxml2

    The ESX Console Operating System (COS) libxml2 rpms are updated to the following versions libxml2-2.6.26-2.1.12.el5_7.2 and libxml2-python-2.6.26-2.1.12.el5_7.2 which addresses several security issues.

    The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the names CVE-2010-4008, CVE-2011-0216, CVE-2011-1944, CVE-2011-2834, CVE-2011-3905, CVE-2011-3919 to these issues.

    Column 4 of the following table lists the action required to remediate the vulnerability in each release, if a solution is available.

    VMware    Product   Running   Replace with/
    Product   Version   on        Apply Patch
    ========  ========  ========  ====================
    vCenter   any       Windows   not affected
    hosted *  any       any       not affected
    ESXi      any       ESXi      not affected
    ESX       4.1       ESX       ESX410-201204402-SG
    ESX       4.0       ESX       patch pending
    ESX       3.5       ESX       not applicable

    * hosted products are VMware Workstation, Player, ACE, Fusion.

4. Solution

   Please review the patch/release notes for your product and version and verify the checksum of your downloaded file.

   ESX 4.1
   -------
   ESX410-201204001
   md5sum: 7994635547b375b51422b1a166c6e214
   sha1sum: 9d5f3c9cbc53a9e03524b9bf0935c71f3dadf620
   http://kb.vmware.com/kb/2013057

   ESX410-201204001 contains ESX410-201204401-SG and ESX410-201204402-SG

5. References

   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-4008
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-0216
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-1944
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-2834
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3191
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-4348
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0028
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3905
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3919

- ------------------------------------------------------------------------

6. Change log

   2012-04-26 VMSA-2012-0008
   Initial security advisory in conjunction with the release of patches for ESX 4.1 on 2012-04-26.

- ------------------------------------------------------------------------

7. Contact

   E-mail list for product security notifications and announcements:
   http://lists.vmware.com/cgi-bin/mailman/listinfo/security-announce

   This Security Advisory is posted to the following lists:

     * security-announce at lists.vmware.com
     * bugtraq at securityfocus.com
     * full-disclosure at lists.grok.org.uk

   E-mail: security at vmware.com
   PGP key at: http://kb.vmware.com/kb/1055

   VMware Security Advisories
   http://www.vmware.com/security/advisories

   VMware security response policy
   http://www.vmware.com/support/policies/security_response.html

   General support life cycle policy