[Full-disclosure] Remote Command Injection in Arabic Prawn 0.0.1 Ruby Gem

2014-03-12 Thread Larry W. Cashdollar
Title: Remote Command Injection in Arabic Prawn 0.0.1 Ruby Gem Author: Larry W. Cashdollar, @_larry0 Download Site: http://rubygems.org/gems/Arabic-Prawn CVE: 2014-2322 Date: 12/17/2013 In Arabic-Prawn-0.0.1/lib/string_utf_support.rb, the following lines pass unsanitized input to the shell

[Full-disclosure] Persistent XSS in Media File Renamer V1.7.0 wordpress plugin

2014-02-23 Thread Larry W. Cashdollar
Title: Persistent XSS in Media File Renamer V1.7.0 wordpress plugin Date: 1/31/2014 Author: Larry W. Cashdollar, @_larry0 Vendor: Notified 2/4/2014 CVE: 2014-2040 Download: http://www.meow.fr/media-file-renamer/ Vulnerability: The following functions do not sanitize input before being echoed out

[Full-disclosure] Solaris Recommended Patch Cluster 6/19 local root on x86

2013-12-15 Thread Larry W. Cashdollar
Hi, I don't think I ever sent this to the list. Title: Solaris Recommended Patch Cluster 6/19 local root on x86 Date: 7/3/2013 Author: Larry W. Cashdollar, @_larry0 CVE: 2010-1183 If the system administrator is updating the system using update manager or smpatch (multi user mode) a local

[Full-disclosure] Bio Basespace SDK 0.1.7 Ruby Gem exposes API Key via command line

2013-12-14 Thread Larry W. Cashdollar
Title: Bio Basespace SDK 0.1.7 Ruby Gem exposes API Key via command line Date: 11/15/2013 Author: Larry W. Cashdollar, @_larry0 Download: http://rubygems.org/gems/bio-basespace-sdk Description: BaseSpace Ruby SDK is a Ruby based Software Development Kit to be used in the development of Apps

[Full-disclosure] Command injection in Ruby Gem Webbynode 1.0.5.3

2013-12-12 Thread Larry W. Cashdollar
Command injection in Ruby Gem Webbynode 1.0.5.3 Date: 11/11/2014 Author: Larry W. Cashdollar, @_larry0 Download: http://rubygems.org/gems/webbynode Vulnerability Description: The following code located in: ./webbynode-1.0.5.3/lib/webbynode/notify.rb doesn't fully sanitize user supplied

[Full-disclosure] Command injection vulnerability in Ruby Gem sprout 0.7.246

2013-12-02 Thread Larry W. Cashdollar
zip_dir, zip_name or output then they can possibly execute shell commands by injecting shell meta characters as input. PoC: For example: filename;id;.zip I contacted the developer a few weeks ago but received no response. Thanks! Larry W. Cashdollar @_larry0

[Full-disclosure] Unauthenticated Remote File Upload via HTTP for perl-Programming language 1.6 on iOS

2013-09-11 Thread Larry W. Cashdollar
TITLE: Unauthenticated Remote File Upload via HTTP for perl-Programming language 1.6 on iOS Date: 8/1/2013 Author: Larry W. Cashdollar, @_larry0 Download: https://itunes.apple.com/us/app/perl-programming-language/id578116006?mt=8&ls=1 http://www.tayutec.com/indexen.html Description: "This is an ios

[Full-disclosure] Unauthenticated Remote File Upload via HTTP for lua-Programming language 1.6 on iOS

2013-09-10 Thread Larry W. Cashdollar
TITLE: Unauthenticated Remote File Upload via HTTP for lua-Programming language 1.6 on iOS Date: 8/1/2013 Author: Larry W. Cashdollar, @_larry0 Download: https://itunes.apple.com/us/app/lua-programming-language/id578116006?mt=8&ls=1 http://www.tayutec.com/indexen.html Description: "Please dow

Re: [Full-disclosure] Unauthenticated Remote File Upload via HTTP for lua-Programming language 1.6 on iOS

2013-09-10 Thread Larry W. Cashdollar
On Sep 10, 2013, at 02:19 PM, "Larry W. Cashdollar" lar...@me.com wrote: https://itunes.apple.com/us/app/lua-programming-language/id578116006?mt=8&ls=1 Sorry that URL above is incorrect: https://itunes.apple.com/us/app/lua-programming-language/id505972

[Full-disclosure] Remote Command Injection in fog-dragonfly-0.8.2 Ruby Gem

2013-09-02 Thread Larry W. Cashdollar
TITLE: Remote Command Injection in fog-dragonfly-0.8.2 Ruby Gem Credit: Larry W. Cashdollar, @_larry0 Date: 8/16/2013 CVE: 2013-5671 Download: https://rubygems.org/gems/fog-dragonfly Description: "Dragonfly is an on-the-fly Rack-based image handling framework. It is suitable for use with Rails, Si

[Full-disclosure] Rgpg 0.2.2 Ruby Gem Remote Command Injection

2013-08-03 Thread Larry W. Cashdollar
Title: Rgpg 0.2.2 Ruby Gem Remote Command Injection Date: 7/31/2013 Advisory Author: Larry W. Cashdollar, @_larry0 CVE: CVE-2013-4203 Download: https://rubygems.org/gems/rgpg Description: "A simple Ruby wrapper around gpg command for file encryption. rgpg is a simple API for interacting with the gpg

[Full-disclosure] Show In Browser 0.0.3 Ruby Gem /tmp file injection vulnerability

2013-05-23 Thread Larry W. Cashdollar
TITLE: Show In Browser 0.0.3 Ruby Gem /tmp file injection vulnerability. DATE: 5/15/2023 AUTHOR: Larry W. Cashdollar (@_larry0) DOWNLOAD: https://rubygems.org/gems/show_in_browser DESCRIPTION: Opens arbitrary text in your browser VENDOR: Jonathan Leung FIX: N/A CVE: 2013-2105 DETAILS

[Full-disclosure] Remote command Injection in Creme Fraiche 0.6 Ruby Gem

2013-05-14 Thread Larry W. Cashdollar
TITLE: Remote command Injection in Creme Fraiche 0.6 Ruby Gem DATE: 5/14/2013 AUTHOR: Larry W. Cashdollar (@_larry0) DOWNLOAD: http://rubygems.org/gems/cremefraiche, http://www.uplawski.eu/technology/cremefraiche/ DESCRIPTION: Converts Email to PDF files. VENDOR: Notified on 5/13/2013

[Full-disclosure] Remote command injection md2pdf ruby gem

2013-04-15 Thread Larry W. Cashdollar
arry) groups=1000(larry),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev),116(lpadmin),117(sambashare) Linux underfl0w 3.2.0-39-virtual #62-Ubuntu SMP Wed Feb 27 22:45:45 UTC 2013 i686 athlon i386 GNU/Linux => nil http://vapid.dhs.org/advisories/md2pdf-remote-exec.html This vulnerability has been a

[Full-disclosure] Remote command injection in Ruby Gem kelredd-pruview 0.3.8

2013-04-11 Thread Larry W. Cashdollar
Remote command injection in Ruby Gem kelredd-pruview 0.3.8 Larry W. Cashdollar 4/4/2013 @_larry0 Description: "A gem to ease generating image previews (thumbnails) of various files." https://rubygems.org/gems/kelredd-pruview Remote commands can be executed if the file name contains

[Full-disclosure] Remote Command Injection Ruby Gem Karteek Docsplit 0.5.4

2013-04-09 Thread Larry W. Cashdollar
Remote Command Injection Ruby Gem Karteek Docsplit 0.5.4 4/1/2013 Larry W. Cashdollar @_larry0 User supplied input isn't sanitized against shell metacharacters and is fed directly to the shell. If the user is tricked into extracting a file with shell characters in the name code can

[Full-disclosure] Remote command execution in Ruby Gem ldoce 0.0.2

2013-04-01 Thread Larry W. Cashdollar
Remote command execution in Ruby Gem ldoce 0.0.2 Larry W. Cashdollar @_larry0 3/25/2013 Ldoce Ruby Gem: Easily interface with the Longman Dictionary of Contemporary English API from Ruby: NB currently mac only as it depends on the afplay command. https://rubygems.org/gems/ldoce https

[Full-disclosure] Ruby gem Thumbshooter 0.1.5 remote command execution

2013-03-26 Thread Larry W. Cashdollar
to the shell in the following code snippet from ./thumbshooter-0.1.5/lib/thumbshooter.rb lines: 1012 command << "xvfb-run -a --server-args='-screen 0, #{screen}x24' " 1015 command << "#{WEBKIT2PNG} '#{url}'#{args}" 1017 img = `#{command} 2>&1` Larry W. Cashdollar @_larry0 http://vapid.dhs.org/adv

[Full-disclosure] Ruby gem fastreader-1.0.8 remote code exec

2013-03-12 Thread Larry W. Cashdollar
/entry_controller.rb .strip only removes whitespace before and after the URL. 115 # open web browser 116 command = (ENV['FASTREADER_WEB'] || "open") + " #{@current_entry.url.strip}" 117 `#{command}` Larry W. Cashdollar @_larry0

[Full-disclosure] MiniMagic ruby gem remote code execution

2013-03-12 Thread Larry W. Cashdollar
The .strip will only remove whitespace from the beginning and end of the command. Larry W. Cashdollar @_larry0 http://vapid.dhs.org ___ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/

[Full-disclosure] Curl Ruby Gem Remote command execution

2013-03-12 Thread Larry W. Cashdollar
if @debug 133 puts cmd.red 134 end 135 result = open_pipe(cmd) PoC: page = curl.get("http://vapid.dhs.org/\"\;id\>\/tmp\/p\;\"") larry@underfl0w:/tmp$ cat p uid=0(root) gid=0(root) groups=0(root) Larry W.

Re: [Full-disclosure] Oracle Auto Service Request /tmp file clobbering vulnerability

2013-03-07 Thread Larry W. Cashdollar
Hello Everyone, Just an update that Oracle has released a fix for the vulnerabilities in these two packages and if you're using them you should use the new versions. Oracle ASR Manager 4.3.2: Patch 16431755 Oracle Automated Service Manager (OASM) 1.4.1: Patch 16426687 Thanks Larry

[Full-disclosure] OpenFabrics ibutils 1.5.7 /tmp clobbering vulnerability

2013-03-06 Thread Larry W. Cashdollar
OpenFabrics ibutils 1.5.7 /tmp clobbering vulnerability 3/6/2013 Larry W. Cashdollar @_larry0 The infiniband diagnostic utility handles files in /tmp insecurely. A malicious user can clobber root owned files with common symlink attacks. http://www.openfabrics.org/downloads/ibutils/ [nobody

Re: [Full-disclosure] rpi-update tmpfile vulnerability

2013-03-05 Thread Larry W. Cashdollar
Hello everyone, I took a closer look at this vulnerability here is my exploit to share: 45 cat > /tmp/updateScript.sh << EOF -- if we own it first, wait for I_MODIFY and inject our malicious code 46 #!/bin/bash 47 if mv "${_tempFileName}" "$0"; then 48 rm -- "\$0" 49 exec env UPDATE_SELF=0 /bin/bash "$0"

[Full-disclosure] Ruby Gem Flash Tool 0.6.0 Remote code execution vulnerability

2013-03-03 Thread Larry W. Cashdollar
Flash Tool 0.6.0 Remote code execution vulnerability 3/1/2013 http://rubygems.org/gems/flash_tool https://github.com/milboj/flash_tool If files downloaded contain shell characters it's possible to execute code as the client user. ie: flash_file;id>/tmp/o;.swf ./flash_tool-0.6.0/lib/flash_tool.rb

[Full-disclosure] Remote command execution for Ruby Gem ftpd-0.2.1

2013-03-02 Thread Larry W. Cashdollar
'2>&1', 217 ].compact.join(' ') 218 if File.exists?(dirname) 219 list = Dir.chdir(dirname) do 220 `#{command}` This vulnerability has been fixed by the author in the latest release. Larry W. Cashdollar @_larry0 http://otiose.dhs.org/ __

[Full-disclosure] Fileutils ruby gem possible remote command execution and insecure file handling in /tmp

2013-02-28 Thread Larry W. Cashdollar
Fileutils ruby gem possible remote command execution and insecure file handling in /tmp 2/23/2013 Hi list, I was looking at some gem files and noticed a few issues with fileutils-0.7 http://rubygems.org/gems/fileutils "A set of utility classes to extract meta data from different file types". Handles
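The Ruby gem advisories above (Creme Fraiche, md2pdf, kelredd-pruview, Docsplit, ldoce, Thumbshooter, fastreader, MiniMagic, Curl, Flash Tool, ftpd, fileutils) all describe the same defect: a user-controlled file name or URL interpolated into a backtick command line, with at best a .strip that only trims whitespace. The block below is an added example, not code from any of those gems or from the advisories; it uses echo as a stand-in for the real converter and a constructed file name carrying an injected command, and shows the vulnerable form beside the two standard fixes (Shellwords.escape, and the argv form of Open3 that never invokes a shell).

```ruby
require 'open3'
require 'shellwords'

# Constructed attacker-controlled file name of the kind the advisories
# describe (a name the gem hands to a converter). Nothing here is from the
# gems themselves; 'echo' stands in for pdftk/convert/gpg/webkit2png.
EVIL_NAME = "report;echo INJECTED;.pdf".freeze

# Vulnerable pattern shared by the gems above: interpolate the name into a
# backtick command line. Because the string contains metacharacters, Ruby
# hands it to /bin/sh, which runs 'echo INJECTED' as a second command.
def convert_vulnerable(name)
  `echo converting #{name.strip} 2>&1`
end

# .strip only trims leading and trailing whitespace, so the metacharacters
# survive untouched; for this name it changes nothing at all.
def strip_changes_nothing?(name)
  name.strip == name
end

# Fix 1: Shellwords.escape makes the shell treat the whole name as one word.
def convert_escaped(name)
  `echo converting #{Shellwords.escape(name)} 2>&1`
end

# Fix 2 (preferred): pass an argv array; no shell is involved at all.
def convert_argv(name)
  out, _status = Open3.capture2e('echo', 'converting', name)
  out
end

# A successful injection shows up as the canary on a line of its own.
def injected?(output)
  output.lines.any? { |l| l.strip == 'INJECTED' }
end

if __FILE__ == $PROGRAM_NAME
  puts "vulnerable: #{injected?(convert_vulnerable(EVIL_NAME))}"   # true
  puts "escaped:    #{injected?(convert_escaped(EVIL_NAME))}"      # false
  puts "argv:       #{injected?(convert_argv(EVIL_NAME))}"         # false
end
```

Both fixes produce the single line "converting report;echo INJECTED;.pdf", i.e. the name reaches the program as data. The argv form is the one to reach for first: it also avoids the quoting bugs that Shellwords-style escaping can still hit when the escaped string is later re-parsed, for example by an xvfb-run wrapper that builds its own command line.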

[Full-disclosure] Oracle Auto Service Request /tmp file clobbering vulnerability

2013-02-28 Thread Larry W. Cashdollar
Oracle Auto Service Request /tmp file clobbering vulnerability http://www.oracle.com/us/support/systems/premier/auto-service-request-155415.html http://docs.oracle.com/cd/E18476_01/doc.220/e18478/asr.htm I noticed it creates files insecurely in /tmp using time stamps instead of mkstemp(). You

[Full-disclosure] Gambas 3.3.4 Directory hijack vulnerability

2013-02-27 Thread Larry W. Cashdollar
Gambas 3.3.4 Directory hijack vulnerability The gambas software package creates a directory in tmp to work from without verifying another user hasn't already created it. This allows a local user to hijack ownership. This advisory was taken from the bug filed with the developers. Describe the
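The /tmp reports above (Oracle ASR, ibutils, rpi-update, fileutils, Gambas) share one mechanism: a predictable path under a world-writable directory, opened without O_EXCL, so a local user who plants a symlink there first gets a privileged process to write through it, or who creates the work directory first owns it. The block below is an added example, not code from any of those packages; it stages the attack in a scratch directory standing in for /tmp, with the attacker and victim roles constructed in one process, and shows the writer that follows the symlink beside a hardened writer and a mkdir that refuses a pre-created directory.

```ruby
require 'tmpdir'

# A name built from a time stamp is guessable; that is the defect the Oracle
# ASR and ibutils reports describe. (Constructed name, not from either tool.)
def predictable_name(tmp)
  File.join(tmp, "asr-#{Time.now.strftime('%Y%m%d')}.log")
end

# Vulnerable: plain open-for-write follows whatever is already at the path,
# including a symlink an attacker planted pointing at a root-owned file.
def write_vulnerable(path, data)
  File.open(path, 'w') { |f| f.write(data) }
end

# Hardened: O_EXCL fails if anything (file or symlink) already exists at the
# path, O_NOFOLLOW refuses symlinks, and mode 0600 keeps the file private.
def write_safe(path, data)
  flags = File::WRONLY | File::CREAT | File::EXCL | File::NOFOLLOW
  File.open(path, flags, 0600) { |f| f.write(data) }
end

# Directory variant (the Gambas report): mkdir fails with EEXIST when a local
# user created the directory first; treat that as hostile instead of reusing
# it. Dir.mktmpdir does the same with an unguessable name.
def safe_workdir(tmp, name)
  path = File.join(tmp, name)
  Dir.mkdir(path, 0700)
  path
rescue Errno::EEXIST
  nil
end

# Runs the attack against both writers and reports what the target holds
# afterwards, the error class the hardened writer raised, and whether the
# pre-created work directory was accepted.
def demo
  Dir.mktmpdir do |tmp|
    target = File.join(tmp, 'root-owned-file')
    File.write(target, 'original')

    victim_path = predictable_name(tmp)
    File.symlink(target, victim_path)              # attacker plants the link
    write_vulnerable(victim_path, 'clobbered')     # victim writes through it
    after_vulnerable = File.read(target)

    File.delete(victim_path)
    File.symlink(target, victim_path)              # attacker tries again
    safe_error = begin
      write_safe(victim_path, 'clobbered twice')
      nil
    rescue SystemCallError => e
      e.class
    end
    after_safe = File.read(target)

    Dir.mkdir(File.join(tmp, 'work'))              # attacker pre-creates dir
    hijacked_dir = safe_workdir(tmp, 'work')

    { after_vulnerable: after_vulnerable, safe_error: safe_error,
      after_safe: after_safe, hijacked_dir: hijacked_dir }
  end
end

puts demo.inspect if __FILE__ == $PROGRAM_NAME
```

The first write replaces the target's contents; the hardened write raises Errno::EEXIST and leaves the target alone, and safe_workdir returns nil for the pre-created directory. In real code the right answer is Tempfile or Dir.mktmpdir (random names plus O_EXCL) rather than hand-built paths; the explicit flags above are there to show which part of the open call does the work.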

[Full-disclosure] Oracle Automated Service Manager 1.3 Auto Service Request 4.3 local root during install

2013-01-31 Thread Larry W. Cashdollar
Oracle Automated Service Manager 1.3 local root during install Larry W. Cashdollar 1/29/2013 @_larry0 SUNWsasm-1.3.1-20110815093723 https://updates.oracle.com/Orion/Services/download?type=readme&aru=15864534 From the README: "O

Re: [Full-disclosure] Local root exploit for Centrify Deployment Manager v2.1.0.283 local root

2013-01-04 Thread Larry W. Cashdollar
at 3:49 PM, Larry W. Cashdollar lar...@me.com wrote: /*Local root exploit for Centrify Deployment Manager v2.1.0.283 local root, Centrify released a fix very quickly - nice vendor response. http://vapid.dhs.org/exploits/centrify_local_r00t.c CVE-2012-6348 12/17/2012 http://vapid.dhs.org

Re: [Full-disclosure] Local root exploit for Centrify Deployment Manager v2.1.0.283 local root

2012-12-18 Thread Larry W. Cashdollar
:) On Tue, Dec 18, 2012 at 3:49 PM, Larry W. Cashdollar lar...@me.com wrote: /*Local root exploit for Centrify Deployment Manager v2.1.0.283 local root, Centrify released a fix very quickly - nice vendor response. http://vapid.dhs.org/exploits/centrify_local_r00t.c CVE-2012-6348 12/17/2012 http

Re: [Full-disclosure] Sunny WebBox Default Password

2011-12-24 Thread Larry W. Cashdollar
I like in the description of the product, "The Sunny WebBox is a multi-functional, energy-efficient data logger which offers a wealth of options for displaying, archiving and processing data, even in networks with strict security regulations."

Re: [Full-disclosure] Mobile Prank Hacktool

2011-12-23 Thread Larry W. Cashdollar
Looks like the link is unavailable. -- Larry C$ On Dec 19, 2011, at 11:49 AM, Hacxx Under hacx...@gmail.com wrote: This is a tool that enable anyone to prank mobiles and land phones in portugal. You can choose calls or sms's. http://www.megaupload.com/?d=GKWWWMSY [Share the link, not the content]

Re: [Full-disclosure] one of my servers has been compromized

2011-12-05 Thread Larry W. Cashdollar
Hi, I'd say tell your boss your application has been compromised right away. Tell them you'll need to rebuild the entire system from scratch and they'll need to either devise an upgrade path for virtuemart or find a new ecommerce solution. You can't trust a system once it has been compromised. --

Re: [Full-disclosure] one of my servers has been compromized

2011-12-05 Thread Larry W. Cashdollar
I'd check these too: http://virtuemart.net/security-bulletins On Dec 05, 2011, at 05:35 AM, mitchell mitch...@csc.bg wrote: Hi, Here is what you generally need to do in such cases. 1. Suspend the webapp until you investigate. 2. Check the web server logs for unusual entries and identify the entry point.

Re: [Full-disclosure] US general: 'We're cleared to cyber-bomb enemy hackers'

2011-11-17 Thread Larry W. Cashdollar
Maybe they should ramp up their help first? http://www.wired.com/dangerroom/2011/11/darpa-hackers-cybersecurity/ US general: 'We're cleared to cyber-bomb enemy hackers' Curiously, his command website went down after he said it http://www.theregister.co.uk/2011/11/17/us_military_cyberspace/

Re: [Full-disclosure] Ubuntu 11.10 now unsecure by default

2011-11-17 Thread Larry W. Cashdollar
Anyone know what the default is for Ubuntu 11 PermitEmptyPasswords no PasswordAuthentication no in /etc/ssh/sshd_config? On Thu, 17 Nov 2011 18:50:12 +0100, Mario Vilas said: The guest account has no password, but it's not possible to login remotely with ssh. Well.. out of the box,

Re: [Full-disclosure] Ubuntu 11.10 now unsecure by default

2011-11-17 Thread Larry W. Cashdollar
imap? creating folders? etc.. =/ Are there any other services this may effect? On Thu, Nov 17, 2011 at 7:18 PM, Andrew N Dowden andrew_dow...@softdesign.net.nz wrote: On 18/11/11 23:46, Larry W. Cashdollar wrote: Anyone know what the default is for Ubuntu 11 PermitEmptyPasswords

[Full-disclosure] bind dos info?

2011-11-16 Thread Larry W. Cashdollar
Hello list, I am wondering if anyone has more details on the bind9 DoS that just came out? (CVE-2011-4313) from what I can tell it appears a negative cached DNS object with a valid RR response associated with it (which shouldn't exist) will cause a vulnerable bind9 server to crash. See lines 1890

Re: [Full-disclosure] bind dos info?

2011-11-16 Thread Larry W. Cashdollar
, Larry W. Cashdollar b...@fbi.dhs.org wrote: Hello list, I am wondering if anyone has more details on the bind9 DoS that just came out? (CVE-2011-4313) from what I can tell it appears a negative cached DNS object with a valid RR response associated with it (which shouldn't exist) will cause