[ GLSA 200710-08 ] KOffice, KWord, KPDF, KDE Graphics Libraries: Stack-based buffer overflow

2007-10-09 Thread Pierre-Yves Rofes
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 Gentoo Linux Security Advisory GLSA 200710-08

[ GLSA 200710-09 ] NX 2.1: User-assisted execution of arbitrary code

2007-10-09 Thread Pierre-Yves Rofes
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 Gentoo Linux Security Advisory GLSA 200710-09

The Death of Defence in Depth ? - An invitation to Hack.lu

2007-10-09 Thread Thierry Zoller
Invitation to Hack.lu [1] - A small but nice Conference in the Heart of Europe. As you may or may not know, we always prepare something special for Hack.lu, last year BTcrack, this year we'd like to announce our (n.runs AG) Presentation @ this year's Hack.lu, entitled: ---

iDefense Security Advisory 10.09.07: Microsoft Windows Mail and Outlook Express NNTP Protocol Heap Overflow

2007-10-09 Thread iDefense Labs
Microsoft Windows Mail and Outlook Express NNTP Protocol Heap Overflow iDefense Security Advisory 10.09.07 http://labs.idefense.com/intelligence/vulnerabilities/ Oct 09, 2007 I. BACKGROUND Microsoft Windows Mail and Outlook Express are the default mail and news clients for Windows operating syst

Re: [Full-disclosure] URI handling woes in Acrobat Reader, Netscape,Miranda, Skype

2007-10-09 Thread gjgowey
I think that you're both right, but the only solution is the same old, same old: speed, code size, and maintainability/complexity versus the padding and added IO checking of a very secure app. Nothing new, nothing different. It's the same problem that has existed since the dawn of programming.

NULL pointer crash in World in Conflict 1.000

2007-10-09 Thread Luigi Auriemma
Luigi Auriemma Application: World in Conflict http://www.worldinconflict.com Versions: <= 1.000 Platforms: Windows Bug: access to NULL pointer Exploitation: remote,

Re: [Full-disclosure] URI handling woes in Acrobat Reader, Netscape, Miranda, Skype

2007-10-09 Thread KJK::Hyperion
Glynn Clements ha scritto: > Modifying individual programs to protect against a shell-injection bug > in Windows' URI handler is a workaround (mitigation strategy), not a > fix. I repeat. Nowhere is said that ShellExecute (the default "run stuff" function) takes URLs. It takes strings. A desktop s

Re: [Full-disclosure] URI handling woes in Acrobat Reader, Netscape,Miranda, Skype

2007-10-09 Thread Geo.
- Original Message - From: "Thierry Zoller" <[EMAIL PROTECTED]> Again Geo, NOBODY has said that this is a vulnerability OF IE7 ITSELF we said the handler that IE7 installs is broken. I'm not disagreeing with that statement. I'm saying this input should never get that far. Geo.

Re: [Full-disclosure] URI handling woes in Acrobat Reader, Netscape, Miranda, Skype

2007-10-09 Thread Valdis . Kletnieks
On Sat, 06 Oct 2007 12:43:16 EDT, "Geo." said: > If the application is what exposes the URI handling routine to untrusted > code from the internet, then it's the application's job to make sure that > code is trusted before exposing system components to its commands, no? I think that given a sy

[USN-527-1] xen-3.0 vulnerability

2007-10-09 Thread Kees Cook
=== Ubuntu Security Notice USN-527-1 October 05, 2007 xen-3.0 vulnerability CVE-2007-4993 === A security issue affects the following Ubuntu releases: Ubuntu 7.04 This adviso

RE: URI handling woes in Acrobat Reader, Netscape, Miranda, Skype

2007-10-09 Thread Jim Slora
Roger A. Grimes wrote Friday, October 05, 2007 3:54 PM I'm asking, with genuine interest and a listening ear, what is the best long term solution you envision, to solve the larger problem? Apparently the long term solution is for third-party apps to point blame at Microsoft, and for Microso

Re: Re[2]: [Full-disclosure] URI handling woes in Acrobat Reader, Netscape,Miranda, Skype

2007-10-09 Thread Glynn Clements
Kurt Dillard wrote: > In my opinion, every application should handle incoming data as bad data. > Its poor programming to assume that incoming data is properly formatted and > safe to process as is, even if the data is supposed to come from a process > you own. Why so extreme? Because the bad

Research: Cybercrime and the Electoral System

2007-10-09 Thread Oliver Friedrichs
Bugtraq readers, This may be a little off-topic, but hopefully still of interest to this audience, Last Friday I had the opportunity to moderate a panel - Political Phishing - A Threat to the 2008 Campaign? - held as part of the Anti-Phishing Working Group eCrime Researchers Summit hosted by Ca

LedgerSMB < 1.2.8, SQL-Ledger 2.x Multiple SQL Injection Issues

2007-10-09 Thread Chris Travers
Severity: Critical Effect: Compromise of Financial Data, deletion of audit trails, alteration of system settings, disclosure of confidential information possible in some setups. Affected products: LedgerSMB 1.0.0-1.2.7 , SQL-Ledger 2.x (all versions). 1: SQL injection issue in invoice quantity

Re: [Full-disclosure] URI handling woes in Acrobat Reader, Netscape, Miranda, Skype

2007-10-09 Thread KJK::Hyperion
Geo. ha scritto: > I don't agree. Whatever program takes input from an untrusted source, it's > that program's duty to sanitize the input before passing it on to internal > components. It's like a firewall, you filter before it gets inside the > system. NO! wrong! stop the "input sanitization" f

Vulnerabilities

2007-10-09 Thread xoxland
New Advisory: modx-0.9.6 http://www.dear-pets.com Summary: Software: modx-0.9.6 Software's Web Site: http://www.modxcms.com Versions: 0.9.6 Critical Level: Moderate Type: Multiple Vulnerabilities Class: Remote Status: Unpatched PoC/Exploit: Not Available Solution: Not Avai

DNewsWeb Softwares Cross Site Scripting Vulnerability

2007-10-09 Thread DoZ
[HSC] DNewsWeb Softwares Cross Site Scripting Vulnerability The DNews News Server is advanced news server software that makes it easy for you to provide users with fast access to Internet (Usenet) news groups. Installing your own local news server software also gives you complete control to

Re: [Full-disclosure] URI handling woes in Acrobat Reader, Netscape,Miranda, Skype

2007-10-09 Thread Geo.
- Original Message - From: "Thierry Zoller" <[EMAIL PROTECTED]> The user clicks on a mailto link, is that untrusted code? Depends on where the link comes from. If it's a shortcut on the user's desktop no it's not untrusted, if it's in a PDF file you received in your email then yes it

rPSA-2007-0212-1 util-linux

2007-10-09 Thread rPath Update Announcements
rPath Security Advisory: 2007-0212-1 Published: 2007-10-08 Products: rPath Linux 1 Rating: Major Exposure Level Classification: Local Root Deterministic Privilege Escalation Updated Versions: util-linux=/[EMAIL PROTECTED]:devel//1/2.12r-1.5-1 rPath Issue Tracking System: https://issues

RE: Re[2]: [Full-disclosure] URI handling woes in Acrobat Reader, Netscape, Miranda, Skype

2007-10-09 Thread Roger A. Grimes
I appreciate everyone's replies. Thanks for the replies and the explanations. I'm not a Microsoft developer, I'm just a security consultant. I didn't understand the nature of the central issue, at first, but now I do. Thanks again. Roger *

Viart Shopping Cart Directory Transversal Vuln

2007-10-09 Thread [ NO REPLY ]
Aria-Security Team -- Viart Shopping Cart Directory Transversal Vuln Vendor: http://www.viart.com/ POC: function createCertFingerprint($filename) { $fp = fopen($filename, "r"); http://target/path/payments/ideal_process.php Credits Goes To Aria-Security Team T

Re: [Full-disclosure] URI handling woes in Acrobat Reader, Netscape,Miranda, Skype

2007-10-09 Thread Geo.
- Original Message - From: "Glynn Clements" <[EMAIL PROTECTED]> URIs which it passes to an external handler (e.g. mailto:), it only needs to identify the scheme (to select the correct handler); it is the handler's responsibility to validate its own URIs (i.e. mail programs need to valid

Black Hat Tokyo + DC and Europe CfPs now open.

2007-10-09 Thread Jeff Moss
We've finalized the speaker lineup for Black Hat Japan 2007, and we're looking forward to a great show. Attendees will be treated to a roster with more variety and depth than ever. The schedule and speaker bios are available on-line at: http://www.blackhat.com/html/bh-japan-07/bh-jp-07-en-sch

Re: URI handling woes in Acrobat Reader, Netscape, Miranda, Skype

2007-10-09 Thread Andreas Lindenblatt
Juergen Schmidt wrote: > the URI handling problem on Windows XP systems with IE 7 installed hits > a lot of applications, not only Firefox (and mIRC) -- namely Skype, > Acrobat Reader, Miranda, Netscape. Testing shows that the mailto: thingy in Acrobat also works on Windows 2003 Server, SP2. --

[security bulletin] HPSBMA02275 SSRT071445 rev.1 - HP System Management Homepage (SMH) for Linux and Windows, Remote Cross Site Scripting (XSS)

2007-10-09 Thread security-alert
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 SUPPORT COMMUNICATION - SECURITY BULLETIN Document ID: c01183597 Version: 1 HPSBMA02275 SSRT071445 rev.1 - HP System Management Homepage (SMH) for Linux and Windows, Remote Cross Site Scripting (XSS) NOTICE: The information in this Security Bulleti

Re[3]: [Full-disclosure] URI handling woes in Acrobat Reader, Netscape,Miranda, Skype

2007-10-09 Thread 3APA3A
Dear Thierry Zoller, --Saturday, October 6, 2007, 9:06:51 PM, you wrote to bugtraq@securityfocus.com: TZ> Dear Geo., G>> If the application is what exposes the URI handling routine to untrusted G>> code from the internet, TZ> Sorry, Untrusted code from the internet ? TZ> The user clicks on a

Re[2]: [Full-disclosure] URI handling woes in Acrobat Reader, Netscape, Miranda, Skype

2007-10-09 Thread Thierry Zoller
Dear Geo, Thank you for the challenge, Geo. You're trying to get the discussion in a direction that doesn't serve the purpose of the finding, nor would it "prove" anything. I welcome your task though I'd like you to know that I don't think I have to prove anything to you. However if you pay enough I

[security bulletin] HPSBMA02274 SSRT071445 rev.1 - HP System Management Homepage (SMH) for HP-UX, Remote Cross Site Scripting (XSS)

2007-10-09 Thread security-alert
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 SUPPORT COMMUNICATION - SECURITY BULLETIN Document ID: c01183265 Version: 1 HPSBMA02274 SSRT071445 rev.1 - HP System Management Homepage (SMH) for HP-UX, Remote Cross Site Scripting (XSS) NOTICE: The information in this Security Bulletin should be

[security bulletin] HPSBUX02181 SSRT061289 rev.3 - HP-UX Running IPFilter, Remote Denial of Service (DoS)

2007-10-09 Thread security-alert
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 SUPPORT COMMUNICATION - SECURITY BULLETIN Document ID: c00837319 Version: 3 HPSBUX02181 SSRT061289 rev.3 - HP-UX Running IPFilter, Remote Denial of Service (DoS) NOTICE: The information in this Security Bulletin should be acted upon as soon as pos

BT Home Flub: Pwnin the BT Home Hub

2007-10-09 Thread Adrian P
http://www.gnucitizen.org/blog/bt-home-flub-pwnin-the-bt-home-hub The BT Home Hub, which is probably the most popular home router in the UK, is susceptible to critical vulnerabilities. BT's plan is to sneak one of these boxes into every UK home. Not only does the BT Home Hub support broadband but

[security bulletin] HPSBUX01137 SSRT5954 rev.11 - HP-UX Running TCP/IP (IPv4), Remote Denial of Service (DoS)

2007-10-09 Thread security-alert
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 SUPPORT COMMUNICATION - SECURITY BULLETIN Document ID: c00571568 Version: 11 HPSBUX01137 SSRT5954 rev.11 - HP-UX Running TCP/IP (IPv4), Remote Denial of Service (DoS) NOTICE: The information in this Security Bulletin should be acted upon as soon a

[security bulletin] HPSBUX02262 SSRT071447 rev. 1 - HP-UX running Apache, Remote Arbitrary Code Execution, Cross Site Scripting (XSS)

2007-10-09 Thread security-alert
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 SUPPORT COMMUNICATION - SECURITY BULLETIN Document ID: c01178795 Version: 1 HPSBUX02262 SSRT071447 rev. 1 - HP-UX running Apache, Remote Arbitrary Code Execution, Cross Site Scripting (XSS) NOTICE: The information in this Security Bulletin should b

rPSA-2007-0210-1 xen

2007-10-09 Thread rPath Update Announcements
rPath Security Advisory: 2007-0210-1 Published: 2007-10-08 Products: rPath Linux 1 Rating: Severe Exposure Level Classification: Indirect Root Deterministic Unauthorized Access Updated Versions: xen=/[EMAIL PROTECTED]:devel//1/3.0.3_0-1.6-1 rPath Issue Tracking System: https://issues.r