Interesting paper, Gadi.
Some thoughts:
1) It seems obvious that RFI is equivalent to remote code execution,
but it's worth repeating.
2) A PHP exploit is much easier to write than a shellcode exploit.
Plus, with the file inclusion, the payload is not limited in size,
and you have a lo
= MS Interactive Training .cbo Overflow
=
= MS Bulletin posted:
= http://www.microsoft.com/technet/security/bulletin/MS07-005.mspx
=
= Affected Software:
= Microsoft Windows 2000
= Microsoft Windows XP
= Microsoft
> I have to agree with a previous poster and suspect (only
> suspect) it could somehow be a backdoor rather than a bug.
Reminds me of the WMF SetAbortProc() "backdoor" accusation.
:-) It was just bad design.
>Yeah, a backdoor is a remote possibility. But it's also an arbitrary and
>needlessly complex one. Maybe it's a nefarious plot by our UFO-appointed
>shadow government, but chances are, it's not (they have better things to
>do today).
And one which was too easy to discover; real back doors are bet
>On Tue, 13 Feb 2007 [EMAIL PROTECTED] wrote:
>>
>> >On Tue, 13 Feb 2007 [EMAIL PROTECTED] wrote:
>> >>
>> >> >
>> >> >Am I missing something? This vulnerability is close to 10 years old.
>> >> >It was in one of the first versions of Solaris after Sun moved off of
>> >> >the SunOS BSD platform
On Tue, 13 Feb 2007, Gadi Evron wrote:
> On Tue, 13 Feb 2007 [EMAIL PROTECTED] wrote:
> >
> > >On Tue, 13 Feb 2007 [EMAIL PROTECTED] wrote:
> > >>
> > >> >
> > >> >Am I missing something? This vulnerability is close to 10 years old.
> > >> >It was in one of the first versions of Solaris after Su
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory GLSA 200702-03
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
http://security.gentoo.org/
- - - - - -
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory GLSA 200702-02
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
http://security.gentoo.org/
- - - - - -
On Tue, 13 Feb 2007 [EMAIL PROTECTED] wrote:
>
> >On Tue, 13 Feb 2007 [EMAIL PROTECTED] wrote:
> >>
> >> >
> >> >Am I missing something? This vulnerability is close to 10 years old.
> >> >It was in one of the first versions of Solaris after Sun moved off of
> >> >the SunOS BSD platform and over
>On Tue, 13 Feb 2007 [EMAIL PROTECTED] wrote:
>>
>> >
>> >Am I missing something? This vulnerability is close to 10 years old.
>> >It was in one of the first versions of Solaris after Sun moved off of
>> >the SunOS BSD platform and over to SysV. It has specifically to do with
>> >how argu
On Tue, 13 Feb 2007 [EMAIL PROTECTED] wrote:
>
> >
> >Am I missing something? This vulnerability is close to 10 years old.
> >It was in one of the first versions of Solaris after Sun moved off of
> >the SunOS BSD platform and over to SysV. It has specifically to do with
> >how arguments are
Microsoft 'wininet.dll' FTP Reply Null Termination Heap Corruption
Vulnerability
iDefense Security Advisory 02.13.07
http://labs.idefense.com/intelligence/vulnerabilities/
Feb 13, 2007
I. BACKGROUND
The WinInet module provides access to common Internet protocols, including
FTP and HTTP, allowing
Hi,
Solaris is now Open Source, so you can see yourself at
http://cvs.opensolaris.org/source/diff/onnv/onnv-gate/usr/src/cmd/cmd-in
et/usr.sbin/in.telnetd.c?r2=3629&r1=2923
what the problem and its resolution are.
There are also the blogs by Alan Hargreaves from SUN Australia at
http://blogs.sun.
Well, the ideal situation for including files is when your root is not
your webroot.
But if you don't have this you can make a workaround by placing every PHP
file that is not directly called (but included) into a folder and place
in it an .htaccess file with a deny from all command so it would not
> 1). 90 days is plenty of time to fix a vulnerability, and in this case
> the author is merely stating the details of which will be revealed after
> 90 days. I doubt this will lead to any mass exploitation as I imagine
> you will need to go to a "specially crafted" website to exploit this DoS
> co
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory GLSA 200702-01
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
http://security.gentoo.org/
- - - - - -
>It's a bug. I recall it being found and fixed in AIX many years ago.
>Embarrassing for Sun that it's still in Solaris, though.
It's not "still" in Solaris; it's the first time it occurred in
Solaris; it is stupid it did but it's a typical programming error:
passing unchecked arguments to a progr
Fullaspsite Shop (tr) Xss & SqL İnj. VulnZ.
Found By : ShaFuck31
Risk : Medium
VulnZ : Xss & SqL Injection
Vuln. :
http://victim.com/ScriptPath/listmain.asp?cat=alert(document.cookie);
http://victim.com/ScriptPath/listmain.asp?cat=[ SqL Code ]
GreetZ : BLaSTER , DesquneR , The RéD , Dekolax
On Tue, 13 Feb 2007, Gadi Evron wrote:
> I have to agree with a previous poster and suspect (only suspect) it
> could somehow be a backdoor rather than a bug.
You're attributing malice to what could be equally well (or better!)
explained by incompetence or gross negligence. The latter two haunt l
On Tue, 13 Feb 2007, Andreas Beck wrote:
> Let scripts and form parser handle upload fields just as usual form
> fields. Prefilling them with VALUE, changing them from script, etc. pp.
>
> BUT: Warn the user about uploading files.
The problem here is that a majority of users find browser warnings
>
>Am I missing something? This vulnerability is close to 10 years old.
>It was in one of the first versions of Solaris after Sun moved off of
>the SunOS BSD platform and over to SysV. It has specifically to do with
>how arguments are processed via getopt() if I recall correctly.
You're conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory [UPDATE] GLSA 200611-05:02
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
http://security.gentoo.org/
- - - - - -
Cisco Security Advisory: Multiple IOS IPS Vulnerabilities
Advisory ID: cisco-sa-20070213-iosips
http://www.cisco.com/warp/public/707/cisco-sa-20070213-iosips.shtml
Revision 1.0
For Public Release 2007 February 13 1600 UTC (GMT
On Tue, 13 Feb 2007, Oliver Friedrichs wrote:
>
> Gadi,
>
> It looks like I was confused, this actually affected AIX and Linux in
> 1994:
>
> http://www.securityfocus.com/bid/458/info
> http://www.cert.org/advisories/CA-1994-09.html
Same same but with rlogin, as someone mentioned on DSHIELD.
On Sunday 11 February 2007 at 23:20 +, [EMAIL PROTECTED]
wrote:
> Fatal error: Call to a member function fetch() on a non-object in
> /home/users//dotclear/themes/xxx/list.php on line 34
Note it's not wise to display errors on a production website. However,
when hosted, you don't necess
I do agree with you, but I think in this case it is a DotClear issue.
The default themes provided with DotClear do not check that they have
been called by a regular DotClear page, and spit out useful information
for an attacker.
They should check that a certain variable is defined for example
On Mon, 12 Feb 2007, Oliver Friedrichs wrote:
>
> Am I missing something? This vulnerability is close to 10 years old.
> It was in one of the first versions of Solaris after Sun moved off of
> the SunOS BSD platform and over to SysV. It has specifically to do with
> how arguments are processed v
I see this was not on bugtraq, adding here as well:
[...] bz says in the bug that this has already been fixed on the trunk
[before these new reports]. You can't type *at all* in file input fields
there, only use the File Open dialog, as I understood him.
I hope this fixes it once and for all.
hi,
I tested with SunOS 5.7, 5.8, 5.9 and 5.10. Only SunOS 5.19 and
Solaris 10 (Sparc) seem to be vulnerable with my systems.
On 2/12/07, Vincent Archer <[EMAIL PROTECTED]> wrote:
On Mon, Feb 12, 2007 at 12:00:30AM -0600, Gadi Evron wrote:
> Johannes Ullrich from the SANS ISC sent this to me a
Gadi,
It looks like I was confused, this actually affected AIX and Linux in
1994:
http://www.securityfocus.com/bid/458/info
http://www.cert.org/advisories/CA-1994-09.html
Oliver
-Original Message-
From: Gadi Evron [mailto:[EMAIL PROTECTED]
Sent: Tuesday, February 13, 2007 1:46 AM
To:
> From: Thierry Zoller [mailto:[EMAIL PROTECTED]
> Sent: Monday, 12 February, 2007 07:52
>
> GE> telnet -l "-froot" [hostname]
>
> Should we really consider this a BUG ? With all due respect, this
> reads, smells and probably tastes like a backdoor
It's a bug. I recall it being found and f
___
Mandriva Linux Security Advisory MDKSA-2007:042
http://www.mandriva.com/security/
___
Michal Zalewski <[EMAIL PROTECTED]> wrote:
> > A proper solution would be to keep a list of files explicitly selected
> > by the user and only allow uploads of files in this list. Then even if a
> > script can manipulate the field, the browser won't upload files that
> > have not been selected by t
On Tuesday 13 February 2007 at 08:34 +0100, Raphaël HUCK wrote:
> But you can use secure software (or modify the unsecure ones you have)
We agree on the fact DotClear must be fixed on this, as for most people,
neither changing the PHP conf nor modify the scripts is an option. Don't
forget who this
I checked this on gentoo running lighttpd 1.4.11... Nothing abnormal seen.
Just the normal page, or a 404 error.
Regards,
Bart
-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
Sent: Friday 9 February 2007 22:34
To: bugtraq@securityfocus.com
Subject: XSS
They should check that a certain variable is defined for example, and if
not, do not display anything... even if the hosted website is configured
to display errors, and you cannot change this.
Exactly my point: you may not have the choice of your PHP configuration.
I said I agreed with you. B
explanation of how the attack works here:
http://www.gnucitizen.org/blog/browser-focus-rip
On 2/12/07, Michal Zalewski <[EMAIL PROTECTED]> wrote:
On Mon, 12 Feb 2007, Claus Färber wrote:
> A proper solution would be to keep a list of files explicitly selected
> by the user and onl
Trustix Secure Linux Security Advisory #2007-0007
Package names: fetchmail, gd, php, postgresql, samba
Summary: Multiple vulnerabilities
Date: 2007
This is the call for participation for the annual Network and
Distributed System Security conference, starting in two weeks February
28th to March 2nd in San Diego http://www.isoc.org/isoc/conferences/ndss/07/
NDSS is a traditional scholarly academic security conference with a peer
reviewed track
This flaw has now been fixed and a free patch is available for download at:
http://www.kiwisyslog.com/kb/idx/5/178/article/
Am I missing something? This vulnerability is close to 10 years old.
It was in one of the first versions of Solaris after Sun moved off of
the SunOS BSD platform and over to SysV. It has specifically to do with
how arguments are processed via getopt() if I recall correctly.
Oliver
-Origin
n.runs AG
http://www.nruns.com/ security at nruns.com
n.runs-SA-2007.002 8-Feb-2007
Vendor:
n.runs AG
http://www.nruns.com/ security at nruns.com
n.runs-SA-2007.001 8-Feb-2007
Vendor: