Re: [Full-disclosure] ZDI-09-070: Microsoft Internet Explorer Event Object Type Double-Free Vulnerability

2009-10-13 Thread .
Can this vulnerability affect IE8? Doesn't that mean it can bypass DEP+ASLR?

 Message: 14
 Date: Tue, 13 Oct 2009 14:24:43 -0500
 From: ZDI Disclosures zdi-disclosu...@tippingpoint.com
 Subject: [Full-disclosure] ZDI-09-070: Microsoft Internet Explorer Event Object Type Double-Free Vulnerability
 To: Bugtraq (bugt...@securityfocus.com) bugt...@securityfocus.com, Full Disclosure (full-disclosure@lists.grok.org.uk) full-disclosure@lists.grok.org.uk
 Message-ID: ee499d69b3d0714590b6fe9762b046110381100...@emb01.unity.local
 Content-Type: text/plain; charset=us-ascii

 ZDI-09-070: Microsoft Internet Explorer Event Object Type Double-Free Vulnerability
 http://www.zerodayinitiative.com/advisories/ZDI-09-070
 October 13, 2009

 -- CVE ID:
 CVE-2009-2530

 -- Affected Vendors:
 Microsoft

 -- Affected Products:
 Microsoft Internet Explorer 6
 Microsoft Internet Explorer 7
 Microsoft Internet Explorer 8

 -- TippingPoint(TM) IPS Customer Protection:
 TippingPoint IPS customers have been protected against this
 vulnerability by Digital Vaccine protection filter ID 8653.
 For further product information on the TippingPoint IPS, visit:

http://www.tippingpoint.com

 -- Vulnerability Details:
 This vulnerability allows remote attackers to execute arbitrary code on
 vulnerable installations of Microsoft Internet Explorer. User
 interaction is required to exploit this vulnerability in that the target
 must visit a malicious page.

 The specific flaw exists within the copy constructor for a specific DOM
 object. When duplicated, more than one reference can be made of anything
 assigned to its properties. When the variable/object goes out of scope,
 these properties will be deallocated twice. This results in a heap
 corruption which can lead to code execution under the context of the
 current user.

 -- Vendor Response:
 Microsoft has issued an update to correct this vulnerability. More
 details can be found at:

 http://www.microsoft.com/technet/security/bulletin/ms09-054.mspx

 -- Disclosure Timeline:
 2009-06-23 - Vulnerability reported to vendor
 2009-10-13 - Coordinated public release of advisory

 -- Credit:
 This vulnerability was discovered by:
* Anonymous
* Anonymous

 -- About the Zero Day Initiative (ZDI):
 Established by TippingPoint, The Zero Day Initiative (ZDI) represents
 a best-of-breed model for rewarding security researchers for responsibly
 disclosing discovered vulnerabilities.

 Researchers interested in getting paid for their security research
 through the ZDI can find more information and sign-up at:

http://www.zerodayinitiative.com

 The ZDI is unique in how the acquired vulnerability information is
 used. TippingPoint does not re-sell the vulnerability details or any
 exploit code. Instead, upon notifying the affected product vendor,
 TippingPoint provides its customers with zero day protection through
 its intrusion prevention technology. Explicit details regarding the
 specifics of the vulnerability are not exposed to any parties until
 an official vendor patch is publicly available. Furthermore, with the
 altruistic aim of helping to secure a broader user base, TippingPoint
 provides this vulnerability information confidentially to security
 vendors (including competitors) who have a vulnerability protection or
 mitigation product.

 Our vulnerability disclosure policy is available online at:

http://www.zerodayinitiative.com/advisories/disclosure_policy/


 --

 Message: 15
 Date: Tue, 13 Oct 2009 14:24:45 -0500
 From: ZDI Disclosures zdi-disclosu...@tippingpoint.com
 Subject: [Full-disclosure] ZDI-09-071: Microsoft Internet Explorer writing-mode Memory Corruption Vulnerability
 To: Bugtraq (bugt...@securityfocus.com) bugt...@securityfocus.com, Full Disclosure (full-disclosure@lists.grok.org.uk) full-disclosure@lists.grok.org.uk
 Message-ID: ee499d69b3d0714590b6fe9762b046110381100...@emb01.unity.local
 Content-Type: text/plain; charset=us-ascii

 ZDI-09-071: Microsoft Internet Explorer writing-mode Memory Corruption Vulnerability
 http://www.zerodayinitiative.com/advisories/ZDI-09-071
 October 13, 2009

 -- CVE ID:
 CVE-2009-2531

 -- Affected Vendors:
 Microsoft

 -- Affected Products:
 Microsoft Internet Explorer 6
 Microsoft Internet Explorer 7
 Microsoft Internet Explorer 8

 -- TippingPoint(TM) IPS Customer Protection:
 TippingPoint IPS customers have been protected against this
 vulnerability by Digital Vaccine protection filter ID 8654.
 For further product information on the TippingPoint IPS, visit:

http://www.tippingpoint.com

 -- Vulnerability Details:
 This vulnerability allows remote attackers to execute arbitrary code on
 vulnerable installations of Microsoft Internet Explorer. User
 interaction is required in that a user must visit a malicious web page.

 The specific flaw exists in the parsing of CSS style information. When a
 writing-mode style is 
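
As an added illustration of the bug class ZDI-09-070 describes (this is constructed example code, not code from the advisory, from ZDI or from Microsoft): a class that owns a heap-allocated property but relies on the compiler-generated copy constructor copies only the pointer, so the original and the duplicate both release the same property when they go out of scope. The class names, the property type and the tracking allocator are assumptions made for the example; the tracking allocator exists so the second release is counted instead of corrupting the real heap. The second class shows the fix, a copy constructor that duplicates the property (Rule of Three).

```cpp
#include <cassert>
#include <iostream>
#include <set>
#include <utility>

// Constructed stand-in for the heap: records live allocations so a release
// of an already-released handle is counted rather than performed.
struct FakeHeap {
    std::set<int*> live;     // handles currently allocated
    int doubleFrees = 0;     // releases of a handle that was not live

    int* alloc(int v) {
        int* p = new int(v);
        live.insert(p);
        return p;
    }

    void release(int* p) {
        if (live.erase(p) == 0) {
            ++doubleFrees;   // second release of the same handle: the bug, observed safely
            return;
        }
        delete p;
    }
};

static FakeHeap g_heap;

// Buggy shape: owns prop_ but has no user-defined copy constructor, so
// "LeakyEvent b = a;" copies the raw pointer. Two objects now believe
// they own one property, and each destructor releases it.
class LeakyEvent {
public:
    explicit LeakyEvent(int v) : prop_(g_heap.alloc(v)) {}
    ~LeakyEvent() { g_heap.release(prop_); }
    // implicit copy constructor and copy assignment: shallow copies of prop_
private:
    int* prop_;
};

// Fixed shape: the copy constructor duplicates the property, and assignment
// uses copy-and-swap, so every object releases exactly the handle it owns.
class SafeEvent {
public:
    explicit SafeEvent(int v) : prop_(g_heap.alloc(v)) {}
    SafeEvent(const SafeEvent& other) : prop_(g_heap.alloc(*other.prop_)) {}
    SafeEvent& operator=(SafeEvent other) {   // parameter is already a deep copy
        std::swap(prop_, other.prop_);
        return *this;
    }
    ~SafeEvent() { g_heap.release(prop_); }
private:
    int* prop_;
};

// Duplicates an object in an inner scope and reports how many double
// releases the tracking heap saw when both copies were destroyed.
int countDoubleFrees(bool useFixed) {
    g_heap.doubleFrees = 0;
    if (useFixed) {
        SafeEvent a(42);
        SafeEvent b = a;     // deep copy: two properties, two releases
    } else {
        LeakyEvent a(42);
        LeakyEvent b = a;    // shallow copy: one property, two releases
    }
    return g_heap.doubleFrees;
}

int main() {
    std::cout << "shallow copy: " << countDoubleFrees(false) << " double release(s)\n";
    std::cout << "deep copy:    " << countDoubleFrees(true) << " double release(s)\n";
    return 0;
}
```

Running it reports one double release for the shallow-copying class and none for the deep-copying one, with no live handles left behind in either case. Declaring the property as a `std::unique_ptr` instead of a raw pointer turns the shallow copy into a compile error, which is the cheaper fix where copying is not actually needed.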

Re: [Full-disclosure] Geeklog = v1.6.0sr2 - Remote File Upload

2009-10-04 Thread .
  Successful exploitation requires the ability to execute the uploaded JavaScript.
  The Geeklog Forum program can be used as an attack vector since it does not properly validate many $_GET / $_POST variables.
 Could you give us some more details about these XSS vulnerabilities? :)

 Cause all I see here is an RCE in the admin panel.
 You confirm that there are XSS but we don't have any details about them...

The easy one is when the forum allows anonymous posts and is configured for text posts. The anonymous user name is never filtered, so you can put anything there, including a reference to the JavaScript uploaded as the user profile image:

<script src="../images/userphotos/username.jpg"></script>

How about the PHP flaw?
___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/