Is that issue related?
Cheers, Paul
Paul Szabo p...@maths.usyd.edu.au http://www.maths.usyd.edu.au/u/psz/
School of Mathematics and Statistics University of Sydney Australia
The problem reported for Mathematica is present still at version 10.0.0
for the GUI interface (the command-line interface may be safe).
Cheers,
Paul Szabo p...@maths.usyd.edu.au http://www.maths.usyd.edu.au/u/psz/
School of Mathematics and Statistics University of Sydney Australia
The problem reported for Mathematica is present still at version 9.0.1,
both for the GUI and for the command-line interface.
Cheers,
Paul Szabo p...@maths.usyd.edu.au http://www.maths.usyd.edu.au/u/psz/
School of Mathematics and Statistics University of Sydney Australia
---
http
utempter add
checking who
psz pts/29 Oct 4 11:48 (xyz)
r00t pts/0 Jan 1 01:02 (xyz.com)
doing utempter del
checking who
DONE
psz@bari:~$
Please see also:
http://bugs.debian.org/329156
http://bugs.debian.org/330907
Cheers, Paul
Paul Szabo p
will need to be implemented by
Wolfram.
Cheers, Paul
Paul Szabo p...@maths.usyd.edu.au http://www.maths.usyd.edu.au/u/psz/
School of Mathematics and Statistics University of Sydney Australia
The problem reported for Mathematica became worse at version 8.0.4,
present for the command-line interface math also.
Cheers,
Paul Szabo p...@maths.usyd.edu.au http://www.maths.usyd.edu.au/u/psz/
School of Mathematics and Statistics University of Sydney Australia
---
http
.
Another interesting reference:
http://www.thisisahmed.com/tia/ohs/ohshardening.html
Cheers,
Paul Szabo p...@maths.usyd.edu.au http://www.maths.usyd.edu.au/u/psz/
School of Mathematics and Statistics University of Sydney Australia
The problem that was reported as below for Mathematica7, is present
also/still in (the free trial version of) Mathematica8.
Cheers,
Paul Szabo p...@maths.usyd.edu.au http://www.maths.usyd.edu.au/u/psz/
School of Mathematics and Statistics University of Sydney Australia
---
I wrote
Dear An,
Referrer: <script>alert(1)</script>
Yes, but... seems not all echo's get a Referer passed to them.
Cheers, Paul
Paul Szabo p...@maths.usyd.edu.au http://www.maths.usyd.edu.au/u/psz/
School of Mathematics and Statistics University of Sydney Australia
-bin/echo that I tested, were
already patched against the one you mention, but vulnerable to that
other I found.)
Cheers, Paul
Paul Szabo p...@maths.usyd.edu.au http://www.maths.usyd.edu.au/u/psz/
School of Mathematics and Statistics University of Sydney Australia
wrong assumptions, and jump to conclusions:
- Not anyone, but bona-fide ones only.
- I do not own an Oracle site to test.
Were not those obvious to right-thinking people?
Cheers, Paul
Paul Szabo p...@maths.usyd.edu.au http://www.maths.usyd.edu.au/u/psz/
School of Mathematics and Statistics
not own an over-inflated ego.
... or simply send the code to Oracle and ask them ...
Sorry to blow your assumption: sent to Oracle, ages ago, first thing.
Cheers, Paul
Paul Szabo p...@maths.usyd.edu.au http://www.maths.usyd.edu.au/u/psz/
School of Mathematics and Statistics University
off-list so I can provide PoC?
Cheers, Paul
Paul Szabo p...@maths.usyd.edu.au http://www.maths.usyd.edu.au/u/psz/
School of Mathematics and Statistics University of Sydney Australia
://download.oracle.com/docs/cd/B14099_19/core.1012/b13999/checklist.htm#BABIBCIC
Cheers, Paul
Paul Szabo p...@maths.usyd.edu.au http://www.maths.usyd.edu.au/u/psz/
School of Mathematics and Statistics University of Sydney Australia
or /usr/bin/ps2ascii . Also,
crappy coding for GS_EXECUTABLE=gs. Am not sure if these are
originally gs or Debian special.
Cheers, Paul
Paul Szabo p...@maths.usyd.edu.au http://www.maths.usyd.edu.au/u/psz/
School of Mathematics and Statistics University of Sydney Australia
, Paul
Paul Szabo p...@maths.usyd.edu.au http://www.maths.usyd.edu.au/u/psz/
School of Mathematics and Statistics University of Sydney Australia
:
chdir(/tmp/)
execve(..., gs, ... -dSAFER, ... any.ps, ...)
So gv is careful to use -dSAFER but does not know about -P-.
I notified
bug...@gnu.org
about this, see
http://bugs.debian.org/583316
also.
Cheers, Paul
Paul Szabo p...@maths.usyd.edu.au http://www.maths.usyd.edu.au/u/psz/
School
./Encoding is not enough.
Cheers,
Paul Szabo p...@maths.usyd.edu.au http://www.maths.usyd.edu.au/u/psz/
School of Mathematics and Statistics University of Sydney Australia
Dear Krzysztof,
... it is dangerous to do
cd /tmp; gs any.ps
What is in the file any.ps?
You are exposed ... without feeding *anything* to Ghostscript ...
Yes, precisely: that is why I called it any.ps.
Cheers, Paul
Paul Szabo p...@maths.usyd.edu.au http://www.maths.usyd.edu.au/u
of pretty interface.
Notified supp...@wolfram.com on 7 May 2010, was assigned [TS 16194].
Cheers,
Paul Szabo p...@maths.usyd.edu.au http://www.maths.usyd.edu.au/u/psz/
School of Mathematics and Statistics University of Sydney Australia
into a path ...
I never noticed such support documented: references please?
... and it really does need to keep him there.
You cannot break out of shares with wide links = no.
... Samba is supposed to match Windows semantics in general.
No please, do not dumb it down.
Cheers, Paul
Paul Szabo p
to the whole filesystem (where the user has UNIX
rights). I also wonder about the interaction with the setting of unix
extensions (which I had set to non-default no to help Mac clients).
Cheers, Paul
Paul Szabo p...@maths.usyd.edu.au http://www.maths.usyd.edu.au/u/psz/
School of Mathematics
installation, as per
default, is not vulnerable.
- Several distributions run with vulnerable settings per default
if there is a misconfiguration it is part of the vendor.
Is that vendor Samba?
Cheers, Paul
Paul Szabo p...@maths.usyd.edu.au http://www.maths.usyd.edu.au/u/psz/
School
be useful... would surely be a few lines of code only, so if you
want to submit a patch to the Samba team... or just patch your own
servers (as I do, see http://www.maths.usyd.edu.au/u/psz/samba/).
Cheers, Paul
Paul Szabo p...@maths.usyd.edu.au http://www.maths.usyd.edu.au/u/psz/
School
] are provided for ease
of use, users are encouraged to create symlinks to other interesting
places e.g. NFS-mounted directories.)
Cheers, Paul
Paul Szabo p...@maths.usyd.edu.au http://www.maths.usyd.edu.au/u/psz/
School of Mathematics and Statistics University of Sydney Australia
,
Paul Szabo [EMAIL PROTECTED] http://www.maths.usyd.edu.au/u/psz/
School of Mathematics and Statistics University of Sydney Australia
... There is no
problem to trick the victim and force him to change the encoding of
his browser by little social engineering.
See https://bugzilla.mozilla.org/show_bug.cgi?id=408457 about how this
can be better exploited.
Cheers,
Paul Szabo [EMAIL PROTECTED] http://www.maths.usyd.edu.au/u/psz/
School
into running anything, nor are there any interesting objects
thusly accessible. Would become a root hole if someone finds a way
to execute anything from /bin/ls (as started from ftpd).
Please see
http://bugs.debian.org/384454
for details.
Cheers,
Paul Szabo [EMAIL PROTECTED] http
https://bugzilla.mozilla.org/show_bug.cgi?id=258875
and further references therein.
Cheers,
Paul Szabo [EMAIL PROTECTED] http://www.maths.usyd.edu.au/u/psz/
School of Mathematics and Statistics University of Sydney Australia
and every webpage...
Cheers,
Paul Szabo [EMAIL PROTECTED] http://www.maths.usyd.edu.au/u/psz/
School of Mathematics and Statistics University of Sydney Australia
Seems that I was wrong and Brian Eaton [EMAIL PROTECTED] was right:
default apache installations seem to return an explicit charset in their
error message. (Now I cannot explain how I convinced myself otherwise.)
Then there is no Universal XSS against default Apache webservers...
Cheers,
Paul
of the through the frames collection will give you a reference to the
document object inside the thirdparty domain ...
Sorry, but I cannot follow. Could you please show an example?
Thanks,
Paul Szabo [EMAIL PROTECTED] http://www.maths.usyd.edu.au/u/psz/
School of Mathematics and Statistics
execution (shellcode in that name, for VMware on UNIX
where bits of it run as root)?
Cheers,
Paul Szabo [EMAIL PROTECTED] http://www.maths.usyd.edu.au/u/psz/
School of Mathematics and Statistics University of Sydney Australia
Restricted Zone Status Bar Spoofing
http://secunia.com/advisories/11273/
(known, unpatched, since 2004).
Cheers,
Paul Szabo [EMAIL PROTECTED] http://www.maths.usyd.edu.au/u/psz/
School of Mathematics and Statistics University of Sydney Australia
Paul Szabo - [EMAIL PROTECTED] http://www.maths.usyd.edu.au:8000/u/psz/
School of Mathematics and Statistics University of Sydney 2006 Australia
. Tested with Eudora 5.2.1 on Windows 2000.
Cheers,
Paul Szabo - [EMAIL PROTECTED] http://www.maths.usyd.edu.au:8000/u/psz/
School of Mathematics and Statistics University of Sydney 2006 Australia
+ rmdir /tmp/F$$
exec $target
but Sqpe would still be open to races as it repeatedly open()s and
unlink()s that file. A proper fix will have to come from the vendor.
SIGNATURE
Paul Szabo - [EMAIL PROTECTED] http://www.maths.usyd.edu.au:8000/u/psz/
School of Mathematics and Statistics
nothing relevant in the Changelogs at http://www.kernel.org/ .
Cheers,
Paul Szabo - [EMAIL PROTECTED] http://www.maths.usyd.edu.au:8000/u/psz/
School of Mathematics and Statistics University of Sydney 2006 Australia
what MIME boundary we use,
a bare spoofed attachment line is NOT prefixed with #?
Attachment Converted: c:\winnt\system32\calc.exe
Never mind that the text comes out all funny...
Any other tricks we can play?
Cheers,
Paul Szabo - [EMAIL PROTECTED] http://www.maths.usyd.edu.au:8000/u/psz
. This
problem was caused by me attempting to install the latest security patch
by hand, without the required megapatch.
Cheers,
Paul Szabo - [EMAIL PROTECTED] http://www.maths.usyd.edu.au:8000/u/psz/
School of Mathematics and Statistics University of Sydney 2006 Australia
puzzled: why patch /sbin/mount or /usr/bin/csh if they are not setuid?
Cheers,
Paul Szabo - [EMAIL PROTECTED] http://www.maths.usyd.edu.au:8000/u/psz/
School of Mathematics and Statistics University of Sydney 2006 Australia
-ascii
Content-Transfer-Encoding: base64
SGVsbG8Kc3RyYW5nZXIK
---
Paul Szabo - [EMAIL PROTECTED] http://www.maths.usyd.edu.au:8000/u/psz/
School of Mathematics and Statistics University of Sydney 2006 Australia
still be vulnerable. I have no Mac to test.)
(See also http://www.securityfocus.com/bid/3225 .)
Cheers,
Paul Szabo - [EMAIL PROTECTED] http://www.maths.usyd.edu.au:8000/u/psz/
School of Mathematics and Statistics University of Sydney 2006 Australia
:
http://www.microsoft.com/technet/security/bulletin/ms01-028.asp
Malformed RTF Control Word:
http://www.microsoft.com/technet/security/bulletin/ms00-005.asp
installed.
Cheers,
Paul Szabo - [EMAIL PROTECTED] http://www.maths.usyd.edu.au:8000/u/psz/
School of Mathematics
only on Compaq Tru64 UNIX (DEC OSF/1) machines.
Please feel free to adapt this software to other operating systems.
The ptyfix package is available from
http://www.maths.usyd.edu.au:8000/u/psz/securedu.html#xterm or
http://www.maths.usyd.edu.au:8000/u/psz/du/ptyfix.tgz
Paul Szabo - [EMAIL PROTECTED