Re: SECURITY.NNOV: Outlook Express address book spoofing

2001-06-05 Thread Peter W
On Tue, Jun 05, 2001 at 12:59:03PM -0700, Dan Kaminsky wrote: > An immediate design fix would be to use a different coloring and fontfacing > scheme to refer to full names, rather than quoted email addresses from the > address book. This should self-document decently, since over the course of >

Re: SECURITY.NNOV: Netscape 4.7x Messenger user information retrieval

2001-06-05 Thread Mads Peter Bach
3APA3A wrote: [snip] > Background: > > Netscape Messenger uses an internal protocol called mailbox://. The > format of the mailbox URI is > > mailbox://full_path_to_user_folder?ID=some_message_d&number=somenumber > > this URI contains the full path to the user's mailbox which usually contains > use

Re: $HOME buffer overflow in SunOS 5.8 x86

2001-06-05 Thread Patrick Finch
Solaris 8/Sparc actually appears to be vulnerable. SunOS lager 5.8 Generic_108528-01 sun4u sparc SUNW,Ultra-1 with the same signature as 5.7 below Irix 6.5 doesn't appear to be bash-2.04$ HOME=`perl -e 'print "A"x1100'` bash-2.04$ export HOME bash-2.04$ mail a[CTL-C] a... User unknown bas

Re: Qpopper 4.0.3 **** Fixes Buffer Overflow **** (fwd)

2001-06-05 Thread KF
Here's the first post on this issue that I saw ... I worked to exploit it but it actually did truncate the string somehow... This was on a version prior to 4.0.2 I believe... I had the same result as Optium, I was unable to write past the edx register... the logs for syslog as I recall stated the st

Re: $HOME buffer overflow in SunOS 5.8 x86

2001-06-05 Thread Nicolas Dubee
> On Mon, Jun 04, 2001 at 06:14:30PM +0300, Georgi Guninski wrote: > > $HOME buffer overflow in SunOS 5.8 x86 ... >Digital Unix V4.0C is vulnerable: > >digital> uname -a >OSF1 digital V4.0 564.32 alpha >digital> setenv HOME `perl -e 'print "a"x1100'` >Received disconnect: Command terminated on s

Re: $HOME buffer overflow in SunOS 5.8 x86

2001-06-05 Thread Tohru Watanabe
> > 0:jpmeier@sol:~> HOME=`perl -e 'print "A"x1100'` ; export HOME > > 0:jpmeier@sol:/home/jpmeier> mail a > > ^Cmail: Mail saved in dead.letter > > 1:jpmeier@sol:/home/jpmeier> uname -a > > SunOS sol 5.8 Generic_108528-04 sun4u sparc SUNW,Ultra-5_10 > > > > > > also tried larger buffers. > > > >

Re: $HOME buffer overflow in SunOS 5.8 x86

2001-06-05 Thread SChoe
> Solaris/sparc appears not to be vulnerable. Solaris 2.6/2.7 SPARC are also susceptible to the /usr/bin/mail buffer overflow. Here are the minimum buffers usable to produce segmentation faults. <-snip-> SunOS 5.6 Generic_105181-23 sun4u sparc bash-2.04$ ex

Re: Webtrends HTTP Server %20 bug

2001-06-05 Thread H D Moore
A url-encoded character is NOT a unicode character.. On Sunday 03 June 2001 05:41 am, Auriemma Luigi wrote: > The bug is really simple. If the attacker inserts a unicode space (%20)

Re: TWIG SQL query bugs

2001-06-05 Thread Ben Gollmer
Hi all: I have been programming in PHP for quite some time. I can understand the confusion about magic_quotes, the situation is a tricky one. from the manual: magic_quotes_gpc boolean Sets the magic_quotes state for GPC (Get/Post/Cookie) operations. When magic_quotes are on, all ' (single-quo

Re: Qpopper 4.0.3 **** Fixes Buffer Overflow **** (fwd)

2001-06-05 Thread William D. Colburn (aka Schlake)
Here is a patch (attached) to take 4.0.3 down to 4.0.2. On Tue, Jun 05, 2001 at 06:52:23PM +0200, Roman Drahtmueller wrote: > We hope that this information is accurate. Version 4.0.2 is not on the ftp > server any more, and there is no patch from 4.0.2 to 4.0.3. > We currently feel handicapped in

Re: Qpopper 4.0.3 **** Fixes Buffer Overflow **** (fwd)

2001-06-05 Thread Florian Weimer
Roman Drahtmueller <[EMAIL PROTECTED]> writes: > We hope that this information is accurate. Version 4.0.2 is not on the ftp > server any more, and there is no patch from 4.0.2 to 4.0.3. > We currently feel handicapped in our efforts to check the code for the > changes wrt the buffer overflow. Fo

Re: Qpopper 4.0.3 **** Fixes Buffer Overflow **** (fwd)

2001-06-05 Thread Renaud Deraison
On Tue, Jun 05, 2001 at 06:52:23PM +0200, Roman Drahtmueller wrote: > > 4.0.3 FIXES A BUFFER OVERFLOW PRESENT IN ALL VERSIONS OF 4.0 -- > > PLEASE UPGRADE IMMEDIATELY *** > > We hope that this information is accurate. Version 4.0.2 is not on the ftp > server any more, and there is no patch f

Re: SECURITY.NNOV: Outlook Express address book spoofing

2001-06-05 Thread Dan Kaminsky
> 3. Now, if while composing new message G1 directly types e-mail > address [EMAIL PROTECTED] instead of G2, Outlook will compose address as > "[EMAIL PROTECTED]" <[EMAIL PROTECTED]> and message will be received by B. What an elegant attack! Effectively, the software is doing *exactly

Re: SSH / X11 auth: needless complexity -> security problems?

2001-06-05 Thread Peter W
On Mon, Jun 04, 2001 at 03:17:04PM -0700, [EMAIL PROTECTED] wrote: > On Mon, Jun 04, 2001 at 11:19:37AM -0400, David F. Skoll wrote: > > I could not duplicate this with OpenSSH 2.9p1-1 on Red Hat 6.2 > The problem code is invoked in the X forwarding of ssh. If you try > again, this time passing -

Re: $HOME buffer overflow in SunOS 5.8 x86

2001-06-05 Thread Gunnar Wolf
> On Mon, Jun 04, 2001 at 06:14:30PM +0300, Georgi Guninski wrote: > > $HOME buffer overflow in SunOS 5.8 x86 > > Systems affected: > > SunOS 5.8 x86 have not tested on other OSes > > Risk: Medium > > Date: 4 June 2001 > > > > Details: > > HOME=`perl -e 'print "A"x1100'` ; export HOME > > mail a >

[RHSA-2001:074-03] Updated ispell packages available for Red Hat Linux 5.2 and 6.2

2001-06-05 Thread bugzilla
- Red Hat, Inc. Red Hat Security Advisory Synopsis: Updated ispell packages available for Red Hat Linux 5.2 and 6.2 Advisory ID: RHSA-2001:074-03 Issue date: 2001-05-30 Updated on:

[RHSA-2001:075-04] Updated xinetd package available for Red Hat Linux 7 and 7.1

2001-06-05 Thread bugzilla
- Red Hat, Inc. Red Hat Security Advisory Synopsis: Updated xinetd package available for Red Hat Linux 7 and 7.1 Advisory ID: RHSA-2001:075-04 Issue date: 2001-06-04 Updated on: 200

Re: SSH allows deletion of other users files...

2001-06-05 Thread aleph1
Tomas Ericsson <[EMAIL PROTECTED]> The vulnerability works perfectly for me: sshd version OpenSSH_2.3.0 [EMAIL PROTECTED] 20010321 # uname -a FreeBSD myhost 4.3-RELEASE FreeBSD

Re: Mail delivery privileges

2001-06-05 Thread David Wagner
David Wagner wrote: >Peter W wrote: >>To protect users from each others' ~/.forward instructions, it is necessary, >>as Wietse said, for the delivery agent to start with superuser privileges. > >[...] Imagine: ~/.forward-program could be a >setuid executable, owned by the user, and a non-root del

Re: TWIG SQL query bugs

2001-06-05 Thread kj
> >Isn't the "magic_quotes_gpc" only for GET/POST/COOKIES. For SQL > >statements to dbs I think you need to initialize magic_quotes_runtime > >for the addslashes() default. > > The problem with magic_quotes_gpc is that it is a global variable in PHP. > Many sysadmins turn it off because they may

Re: TWIG SQL query bugs

2001-06-05 Thread Gunther Birznieks
At 09:48 AM 5/31/2001 -0700, kj wrote: > > PHP used to have an option to automatically use addslashes() on any > variable > > passed to it via POST or GET. Please see your PHP.INI file and set the > > appropriate setting for "magic_quotes_gpc" > > >Isn't the "magic_quotes_gpc" only for GET/POST/

Re: Qpopper 4.0.3 **** Fixes Buffer Overflow **** (fwd)

2001-06-05 Thread Roman Drahtmueller
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 > > Qpopper 4.0.3 is available at > . > > > 4.0.3 FIXES A BUFFER OVERFLOW PRESENT IN ALL VERSIONS OF 4.0 -- > PLEASE UPGRADE IMMEDIATELY *** We hope that this information is accurate. Version 4

Re: SSH allows deletion of other users files...

2001-06-05 Thread Markus Friedl
wrong. openssh does since the 1st release. On Mon, Jun 04, 2001 at 09:08:26AM -0700, Jason DiCioccio wrote: > [EMAIL PROTECTED] wrote: > > >SSH allows deletion of other users files. > >= > > > >You can delete any file on the filesystem you want... > > > >a

PassWD2000 v2.x Weak Encryption Vulnerability

2001-06-05 Thread Daniel Roethlisberger
==[ PassWD2000 v2.x Weak Encryption Vulnerability ]=== "Success does not consist in never making mistakes but in never making the same one a second time" --- George Bernard Shaw Vulnerable: PassWD2000

SECURITY.NNOV: Outlook Express address book spoofing

2001-06-05 Thread 3APA3A
Hello bugtraq, sorry if this is already known - the bug is trivial. Issue : Outlook Express address book allows messages to be intercepted by 3rd party Date Released : 16 March 2001 Vendor Notified : 16 March 2001 Author

SECURITY.NNOV: Netscape 4.7x Messenger user information retrieval

2001-06-05 Thread 3APA3A
Hello bugtraq, There are known bugs in Netscape which require information on the user's file locations. This bug is not a serious one, but it allows one to get this location. Topic : Netscape 4.7x user information retrieval Author : 3APA3A <[EMAIL PROTECTED]> Affecte

Re: fpf module and packet fragmentation:local/remote DoS.

2001-06-05 Thread Joachim Blaabjerg
"XR Agent" <[EMAIL PROTECTED]> wrote: > Fpf kernel module by |CyRaX| [[EMAIL PROTECTED]] (www.pkcrew.org) alters linux tcp/ip stack to emulate other OS'es against nmap/queso fingerprints using parser by FuSyS that reads nmap-os-fingerprints > for os emulation choice. > > However, attempts to se

Re: $HOME buffer overflow in SunOS 5.8 x86

2001-06-05 Thread Juergen P. Meier
On Mon, Jun 04, 2001 at 06:14:30PM +0300, Georgi Guninski wrote: > $HOME buffer overflow in SunOS 5.8 x86 > Systems affected: > SunOS 5.8 x86 have not tested on other OSes > Risk: Medium > Date: 4 June 2001 > > Details: > HOME=`perl -e 'print "A"x1100'` ; export HOME > mail a > CTL-C > eip gets s

Re: SSH allows deletion of other users files...

2001-06-05 Thread Jerry Connolly
Jason DiCioccio said the following on Mon, Jun 04, 2001 at 09:08:26AM -0700, > Also: SSH Version OpenSSH_2.3.0 [EMAIL PROTECTED] 20010321 -- That comes > with FreeBSD 4.3-STABLE > is not vulnerable at first glance. It does not appear to use /tmp files > as yours does and therefore is not vulne

OpenSSH_2.5.2p2 RH7.0 <- version info

2001-06-05 Thread zen-parse
Sorry, I forgot some relevant information. With regards to previous post: Tested on:- Red Hat Linux release 7.0 (Guinness) [zen-parse@clarity zen-parse]$ rpm -qf /usr/sbin/sshd openssh-server-2.5.2p2-1.7.2 [zen-parse@clarity zen-parse]$ ssh -V OpenSSH_2.5.2p2, SSH protocols 1.5/2.0, OpenSSL 0x0

Re: SSH allows deletion of other users files...

2001-06-05 Thread sarnold
On Mon, Jun 04, 2001 at 11:19:37AM -0400, David F. Skoll wrote: > I could not duplicate this with OpenSSH 2.9p1-1 on Red Hat 6.2 David (and other bugtraq readers), we think we have found some additional information that is important in tracking the source of the problem. The problem code is invo