[Full-disclosure] [SECURITY] [DSA 2714-1] kfreebsd-9 security update
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 - - Debian Security Advisory DSA-2714-1 secur...@debian.org http://www.debian.org/security/Moritz Muehlenhoff June 25, 2013 http://www.debian.org/security/faq - - Package: kfreebsd-9 Vulnerability : programming error Problem type : remote Debian-specific: no CVE ID : CVE-2013-2171 Konstantin Belousov and Alan Cox discovered that insufficient permission checks in the memory management of the FreeBSD kernel could lead to privilege escalation. For the stable distribution (wheezy), this problem has been fixed in version 9.0-10+deb70.2. For the unstable distribution (sid), this problem has been fixed in version 9.0-12. We recommend that you upgrade your kfreebsd-9 packages. Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: http://www.debian.org/security/ Mailing list: debian-security-annou...@lists.debian.org -BEGIN PGP SIGNATURE- Version: GnuPG v1.4.12 (GNU/Linux) iEYEARECAAYFAlHJ0doACgkQXm3vHE4uylqjLwCg4KRLRjp4uRk6HFyQq9QwBdPx BjkAoJ8vtwiijYd1MUuQnQocDSD5kNJH =KyCc -END PGP SIGNATURE- ___ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
[Full-disclosure] Magnolia CMS multiple access control vulnerabilities
Subject: == Multiple access control vulnerabilities in Magnolia CMS, Community and Enterprise editions CVE ID: === CVE-2013-4621 Summary: A non-admin user (such as default users eric / peter) can access and execute multiple administrative functionalities of the CMS by accessing directly the specific URLs. Product: Magnolia CMS Vendor: === Magnolia International Ltd. Affected versions: == Magnolia CMS <= 4.5.8 Tested on: 4.5.8, 4.5.7 and 4.5.3, both Community and Enterprise editions Not-affected version: = Magnolia CMS 4.5.9 Product information: Magnolia CMS is an open-source Web Content Management System that focuses on providing an intuitive user experience in an enterprise-scale system. Vulnerability details: == The following functionalities can be accessed and executed by a non-admin user based on the URL: - View and set the log level of Magnolia http://127.0.0.1:8080/magnoliaPublic/.magnolia/log4j - Read Magnolia log files (can contain sensitive information) http://127.0.0.1:8080/magnoliaPublic/.magnolia/pages/logViewer.html?command=displayFileContent&fileName=magnolia-error.log http://127.0.0.1:8080/magnoliaPublic/.magnolia/pages/logViewer.html?command=displayFileContent&fileName=magnolia-debug.log - View Magnolia configuration: http://127.0.0.1:8080/magnoliaPublic/.magnolia/pages/configuration.html - View permissions of Magnolia users. Also can be used for user enumeration http://127.0.0.1:8080/magnoliaPublic/.magnolia/pages/permission.html - Send arbitrary email messages http://127.0.0.1:8080/magnoliaPublic/.magnolia/pages/sendMail.html - View the list of installed modules http://127.0.0.1:8080/magnoliaPublic/.magnolia/pages/installedModulesList.html - Execute arbitrary queries in the repository (limited by the current user's rights) http://127.0.0.1:8080/magnoliaPublic/.magnolia/pages/jcrUtils.html Vendor contact log: === 2013-04-25: Contacting vendor through supp...@magnolia-cms.com 2013-04-29: Vendor acknowledges the receipt of the advisory 2013-04-29: Vendor confirms the vulnerability 2013-06-03: Vendor releases version 4.5.9 which fixes the vulnerability Credits: This vulnerability was discovered by Adrian Furtuna http://pentest-tools.com Solution: = Upgrade to the latest version of Magnolia CMS ___ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
[Full-disclosure] [ MDVSA-2013:178 ] nfs-utils
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 ___ Mandriva Linux Security Advisory MDVSA-2013:178 http://www.mandriva.com/en/support/security/ ___ Package : nfs-utils Date: June 25, 2013 Affected: Business Server 1.0 ___ Problem Description: Updated nfs-utils packages fix security vulnerability It was reported that rpc.gssd in nfs-utils is vulnerable to DNS spoofing due to it depending on PTR resolution for GSSAPI authentication. Because of this, if a user where able to poison DNS to a victim's computer, they would be able to trick rpc.gssd into talking to another server (perhaps with less security) than the intended server (with stricter security). If the victim has write access to the second (less secure) server, and the attacker has read access (when they normally might not on the secure server), the victim could write files to that server, which the attacker could obtain (when normally they would not be able to). To the victim this is transparent because the victim's computer asks the KDC for a ticket to the second server due to reverse DNS resolution; in this case Krb5 authentication does not fail because the victim is talking to the correct server (CVE-2013-1923). ___ References: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1923 http://advisories.mageia.org/MGASA-2013-0178.html ___ Updated Packages: Mandriva Business Server 1/X86_64: ef6b2113ca2c817fc22efcc1ac86cb4b mbs1/x86_64/nfs-utils-1.2.5-2.1.mbs1.x86_64.rpm b757876d603028118ed714a379632c87 mbs1/x86_64/nfs-utils-clients-1.2.5-2.1.mbs1.x86_64.rpm 1b545015a01bd04c6db45b4f37e49652 mbs1/SRPMS/nfs-utils-1.2.5-2.1.mbs1.src.rpm ___ To upgrade automatically use MandrivaUpdate or urpmi. The verification of md5 checksums and GPG signatures is performed automatically for you. All packages are signed by Mandriva for security. You can obtain the GPG public key of the Mandriva Security Team by executing: gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98 You can view other update advisories for Mandriva Linux at: http://www.mandriva.com/en/support/security/advisories/ If you want to report vulnerabilities, please contact security_(at)_mandriva.com ___ Type Bits/KeyID Date User ID pub 1024D/22458A98 2000-07-10 Mandriva Security Team -BEGIN PGP SIGNATURE- Version: GnuPG v1.4.12 (GNU/Linux) iD8DBQFRyWBBmqjQ0CJFipgRAvHXAJoCmWHHuwaboTIg5th6kc9gilZfCwCfZG/L 9BuHlQy28NrvSrp1vgkUmWg= =8JEC -END PGP SIGNATURE- ___ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
[Full-disclosure] [ MDVSA-2013:177 ] dbus
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 ___ Mandriva Linux Security Advisory MDVSA-2013:177 http://www.mandriva.com/en/support/security/ ___ Package : dbus Date: June 25, 2013 Affected: Business Server 1.0 ___ Problem Description: Updated dbus packages fix security vulnerability. Alexandru Cornea discovered a vulnerability in libdbus caused by an implementation bug in _dbus_printf_string_upper_bound(). This vulnerability can be exploited by a local user to crash system services that use libdbus, causing denial of service. Depending on the dbus services running, it could lead to complete system crash (CVE-2013-2168). ___ References: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2168 http://advisories.mageia.org/MGASA-2013-0173.html ___ Updated Packages: Mandriva Business Server 1/X86_64: 6e569daec73e8128d62aadac32337dfc mbs1/x86_64/dbus-1.4.16-6.2.mbs1.x86_64.rpm 5b6e72fdacad1b24d5cb87446e56ab68 mbs1/x86_64/dbus-doc-1.4.16-6.2.mbs1.x86_64.rpm ccbba9375dd7c6e355797c6215501780 mbs1/x86_64/dbus-x11-1.4.16-6.2.mbs1.x86_64.rpm 89e5be95e460251ac2de05bcf523cf84 mbs1/x86_64/lib64dbus-1_3-1.4.16-6.2.mbs1.x86_64.rpm e2883a10a4c5c0b45b07aa1ed66a6dba mbs1/x86_64/lib64dbus-1-devel-1.4.16-6.2.mbs1.x86_64.rpm 6305ba23e81d096a3081db88a3904a5d mbs1/SRPMS/dbus-1.4.16-6.2.mbs1.src.rpm ___ To upgrade automatically use MandrivaUpdate or urpmi. The verification of md5 checksums and GPG signatures is performed automatically for you. All packages are signed by Mandriva for security. You can obtain the GPG public key of the Mandriva Security Team by executing: gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98 You can view other update advisories for Mandriva Linux at: http://www.mandriva.com/en/support/security/advisories/ If you want to report vulnerabilities, please contact security_(at)_mandriva.com ___ Type Bits/KeyID Date User ID pub 1024D/22458A98 2000-07-10 Mandriva Security Team -BEGIN PGP SIGNATURE- Version: GnuPG v1.4.12 (GNU/Linux) iD8DBQFRyV+AmqjQ0CJFipgRAiUwAJ9rXsiCbiCsuNE7zJ8hOE1ei2Mo5gCg6+OV MolIjH9jalimPV/U/UUC0mI= =WhSz -END PGP SIGNATURE- ___ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
[Full-disclosure] [NSE] Release of nmap nse vulscan 1.0
Hello, As some of you might remember, I have published a NSE script back in 2010, which added a vulnerability scanning feature to Nmap[1]. I've been doing a complete re-write of the script, which introduces some neat features: * Much better performance and accuracy of search engine * Deployment of scip VulDB, CVE, OSVDB, SecurityFocus, Secunia and Securitytracker * Correlated analysis of all available databases in the same run * Support for single database scan mode (vulscandb) * Support for your own CSV-based vulnerability database * Support of dynamic report templates (vulscanoutput) * Intelligent interactive mode remembers your definitions per session (vulscaninteractive) * Full support for Nmap 5.x/6.x on Linux and Windows * More debug output possible (-d1) * Better error handling You're able to download the latest release of Nmap NSE Vulscan 1.0 here: http://www.computec.ch/mruef/software/nmap_nse_vulscan-1.0.tar.gz Further details about usage and data processing are available in the description field of the script and in my blog post about the release: http://www.scip.ch/en/?labs.20130625 Feel free to use and share the script. And please let me know if you miss any features or if you have assembled your own vulnerability database and would like to see it added to the official repository. Regards, Marc [1] http://seclists.org/nmap-dev/2010/q2/726 -- Marc Ruef | marc.r...@computec.ch | http://www.computec.ch/mruef/ _ Meine letzte Publikation: "MD5 ist tot? Das hättest Du wohl gern!" http://www.computec.ch/news.php?item.403 ___ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
[Full-disclosure] SEC Consult SA-20130625-0 :: Multiple vulnerabilities in IceWarp Mail Server
SEC Consult Vulnerability Lab Security Advisory < 20130625-0 > === title: Multiple vulnerabilities in IceWarp Mail Server product: IceWarp Mail Server vulnerable version: <=10.4.5 fixed version: 10.4.5-1 impact: Critical homepage: http://www.icewarp.com found: 2013-05-28 by: V. Paulikas SEC Consult Vulnerability Lab === Vendor description: --- IceWarp Mail Server delivers a highly integrated solution, including Mail Server with dual Anti-Spam & Anti-Virus protection and available add on options including the IceWarp GroupWare Server, Instant Messaging Server, Text Messaging Server, a unified WebClient interface, full mobile device synchronization and much more. http://www.icewarp.com/ Business recommendation: By exploiting the XXE vulnerability, an unauthenticated attacker can get read access to the filesystem of the IceWarp Mail Server host and thus obtain sensitive information such as the configuration files, etc. It is also possible to scan ports of the internal hosts and cause DoS on the affected host. Vulnerability overview/description: - 1) Cross-Site Scripting The web GUI is prone to reflected cross site scripting attacks. The vulnerability can be used to include HTML or JavaScript code in the affected web page. The code is executed in the browser of users if they visit the manipulated URL. 2) XML External Entity Injection The used XML parser is resolving external XML entities which allows attackers to read files and send requests to systems on the internal network (e.g port scanning). The risk of this vulnerability is highly increased by the fact that it can be exploited by anonymous users without existing user accounts. Proof of concept: - Detailed proof of concept URLs or exploit code have been removed from this advisory. 1) A cross site scripting vulnerability can be exploited by tricking the user into accessing a specially crafted URL. This vulnerability was identified in the following scripts: /webmail/calendar/index.html /admin/tools/svnparser.html 2) The unauthenticated XML External Entity Injection vulnerability can be exploited by issuing a specially crafted HTTP POST request to the /rpc/gw.html script. The /rpc/api.html script was also identified to be vulnerable to XML external Entity Injection, but for successful exploitation valid administrator credentials are necessary. Vulnerable / tested versions: - The vulnerabilities have been verified to exist in the IceWarp Mail Server version 10.4.5, which was the most recent version at the time of discovery. Vendor contact log: 2013-06-07: Contacting vendor through to...@icewarp.com 2013-06-07: Initial vendor response 2013-06-07: Forwarding security advisory to vendor 2013-06-07: Vendor acknowledges that the advisory was received 2013-06-11: Vendor releases the patch 2013-06-25: SEC Consult releases coordinated security advisory. Solution: - IceWarp customers running version 10.4.5 may apply a patch available via http://www.icewarp.com/download/patches/10.4.5/html.zip Customers using the older versions are recommended to upgrade to IceWarp Server 10.4.5-1. The file /admin/tools/svnparser.html is recommended to be removed as it is not necessary for the admin panel anymore. Advisory URL: - https://www.sec-consult.com/en/Vulnerability-Lab/Advisories.htm ~~~ SEC Consult Vulnerability Lab SEC Consult Vienna - Bangkok - Frankfurt/Main - Montreal - Singapore - Vilnius Headquarter: Mooslackengasse 17, 1190 Vienna, Austria Phone: +43 1 8903043 0 Fax: +43 1 8903043 15 Mail: research at sec-consult dot com Web: https://www.sec-consult.com Blog: http://blog.sec-consult.com Twitter: https://twitter.com/sec_consult EOF V. Paulikas / @2013 ___ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
