IBM AIX invscout Local Command Execution Vulnerability
iDEFENSE Security Advisory 12.20.04
www.idefense.com/application/poi/display?id=171&type=vulnerabilities
December 20, 2004
I. BACKGROUND
The invscout program is a setuid root application, installed by default
under newer versions of IBM
IBM AIX chcod Local Privilege Escalation Vulnerability
iDEFENSE Security Advisory 12.20.04
www.idefense.com/application/poi/display?id=170&type=vulnerabilities
December 20, 2004
I. BACKGROUND
The chcod program is a setuid root application, installed by default
under newer versions of IBM AIX,
I got annoyed that the dev php response to this was curl's issue and to turn
off curl local file access so here is a hax workaround I wrote; maybe they will
get off their arses and submit something like this in the next release.
in ext/curl/curl.c, add the following to the function
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory GLSA 200412-16
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
http://security.gentoo.org/
- - - - -
Yeah the last time I can remember that someone tried that on FD, was
that some called exploit that had a IRC trojan in it...it was discovered
after about 5 secs..lol
Ah yes - that perl script that magically appeared in the tmp
directory. heh, hey, can't blame the guy for trying.
Also to touch
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory GLSA 200412-14
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
http://security.gentoo.org/
- - - - -
==
Secunia Research 21/12/2004
- My Firewall Plus Privilege Escalation Vulnerability -
==
Table of Contents
Affected
[Big snip]
For those of you who already have a mailing list only
e-mail address and a separate address for work
related/corporate/company matters, do you see a different
level of unsolicited spam, compared to the work address or
other private e-mail address for friends and family? I'm
Hi,
I am sorry but the server I had the advisory and the POC at went down last
night
while I was at home already. It is up and running now, sorry for the
inconvenience
Regards,
Maciej
___
Full-Disclosure - We believe in it.
Charter:
I am going to install OpenSSH in one of my servers, but I want to make
sure it is secure.
Does anybody know about vulnerabilities on OpenSSH, if yes, would you
like to suggest me another remote secure shell ?
There is a strong possibility that open port 22 will start attracting script
kiddies
==
Secunia Research 21/12/2004
- Spy Sweeper Enterprise Client Privilege Escalation Vulnerability -
==
Table of Contents
Affected
===
Ubuntu Security Notice USN-44-1 December 21, 2004
perl vulnerabilities
CAN-2004-0452
===
A security issue affects the following Ubuntu releases:
Ubuntu 4.10 (Warty
some thing in the way of my mail delivery
- wrote:
This message has been processed by the Brightmail(tm) Anti-Virus
Solution using
Symantec's Norton AntiVirus Technology.
top-level-msg was infected with the malicious virus MHTMLRedir.Exploit
and has been deleted because the file cannot be
Some of the sites I administer were allegedly hit by a worm last night.
It overwrote all .php/.html files that were owner writable and owned by
apache. The worm put the following html in place of what was there:
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<HTML>
<HEAD>
<TITLE>This site is
- --
De_aap security advisory 1
December 20th, 2004
- --
Package: rftpd 2 and rpf 1.2.2
Vulnerability : buffer overflows, race conditions,
To be fair to the often hated, this may be why they do this:
http://msdn.microsoft.com/workshop/networking/moniker/overview/appendix_a.asp
Contrary to RFC2616.
To quote some documentation of years ago:
If you have a file of a well-known type (e.g. .pdf) and send it with
a freely invented
Hello,
Possible apache2/php 4.3.9 worm
Confirm, it's an epidemic. The worm is called Perl.Santy.A.
Remedy is here (unofficial):
http://www.phpbb.com/phpBB/viewtopic.php?f=14&t=240513
Continuous info about the worm is here:
http://www.f-secure.com/weblog/
There were 40k+ infected http servers
In addition to your post here is some more info.
http://isc.sans.org/
-Original Message-
From: L. Walker [mailto:[EMAIL PROTECTED]
Sent: Tuesday, December 21, 2004 4:23 AM
To: [EMAIL PROTECTED]
Cc: full-disclosure@lists.netsys.com
Subject: Worm hitting PHPbb2 Forums
Importance: High
--On Tuesday, December 21, 2004 07:32:20 AM -0800 Alex Schultz
[EMAIL PROTECTED] wrote:
Some of the sites I administer were allegedly hit by a worm last night.
It overwrote all .php/.html files that were owner writable and owned by
apache.
We were running apache 2.0.52 and php 4.3.9. Have any
On Sat, 2004-12-18 at 01:49 -0200, Carlos de Oliveira wrote:
Hi there!
I am going to install OpenSSH in one of my servers, but I want to make
sure it is secure.
Does anybody know about vulnerabilities on OpenSSH, if yes, would you
like to suggest me another remote secure shell ?
OpenSSH has
On Tue, 2004-12-21 at 10:32, Alex Schultz wrote:
Some of the sites I administer were allegedly hit by a worm last night.
It overwrote all .php/.html files that were owner writable and owned by
apache. The worm put the following html in place of what was there:
<!DOCTYPE HTML PUBLIC
Does this affect PHPBB2 in general, or is it platform specific as well?
Mike Fetherston
-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
Sent: Tuesday, December 21, 2004 12:47 PM
To: L. Walker
Cc: [EMAIL PROTECTED]; full-disclosure@lists.netsys.com
Subject: Re:
Multiple Vendor xpdf PDF Viewer Buffer Overflow Vulnerability
iDEFENSE Security Advisory 12.21.04
www.idefense.com/application/poi/display?id=172&type=vulnerabilities
December 21, 2004
I. BACKGROUND
Xpdf is an open-source viewer for Portable Document Format (PDF) files.
II. DESCRIPTION
Remote
Affected Products:
Faronics FreezeX v. 1.00.100.0666
(http://www.faronics.com/html/Freezex.asp)
Author:
Xenzeo
FreezeX is a program that promises it can prevent executable files from
being run on Windows OS.
FreezeX has a database of every file from when it was installed
* Jack Shell wrote:
Problem:
Seems harmless right? Well, if someone was to send a request of
\x1a\x09 or with \x1a\x09 at the end to a server/client running on
a Python 2.3 platform, it could cause a denial of service.
POC?:
I tested this out by sending GET \x1a\x09 HTTP/1.0\r\n to the
Hello
Long time has passed since advisories like
http://www.securityfocus.com/archive/1/348368
http://www.guninski.com/php1.html
for now we can only play with it :)
[-ap.ha.-]
http://projects.emiraga.com/hijack_apache/hijack_apache-0.1a.tar.gz
- hijacks only http connections on apache and
http://www.viruslist.com/en/weblog
http://isc.sans.org/diary.php?date=2004-12-21
Cheers,
Phil
Phil Randal
Network Engineer
Herefordshire Council
Hereford, UK
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf
Of Alex Schultz
Sent: 21 December
There were several serious holes just released in 4.3.9 of PHP. That is
a possible attack vector from what you are saying. Get 4.3.10 of PHP for
sure. As far as what this does or what all it would do, someone needs to
get a good catch of it.
Anyone ready to setup a box? =)
-Original
On Fri, Dec 17, 2004 at 11:23:38AM +0100, Jaroslaw Sajko wrote:
Product: Gadu-Gadu, build 155 and older
Vendor: SMS-EXPRESS.COM (http://www.gadu-gadu.pl)
Impact: Script execution in local zone,
Remote DoS
Severity: High
Authors: Blazej
Product:Gadu-Gadu,
all available versions including the latest (6.1 build156)
Vendor: SMS-EXPRESS.COM (http://www.gadu-gadu.pl)
Impact: Remote Denial of Service
Severity: Important
Author: Maciej Soltysiak [EMAIL PROTECTED]
Advisory:
On December 21, 2004 07:32, Alex Schultz wrote:
Some of the sites I administer were allegedly hit by a worm last night.
It overwrote all .php/.html files that were owner writable and owned by
apache.
<ADDRESS><b>NeverEverNoSanity WebWorm generation 17.</b></ADDRESS>
Looks like this is the fallout
The search query used by the Santy worm uses the following template
(parentheses contain substitution choices and are not part of the
literal template) :
http://www.google.com/search?num=100hl=enlr=as_qdr=allq=allinurl%3A+%22viewtopic.php%22+%22
(random choice between t, p, and topic)%3D(
There is some information regarding this here:
http://www.pcpro.co.uk/news/67505/santya-sparks-messageboard-infection-epidemic.html
On Tue, 21 Dec 2004 07:32:20 -0800, Alex Schultz [EMAIL PROTECTED] wrote:
Some of the sites I administer were allegedly hit by a worm last night.
It overwrote
On Tue, 21 Dec 2004, ALD, Aditya, Aditya Lalit Deshmukh wrote:
I am going to install OpenSSH in one of my servers, but I want to make
sure it is secure.
Does anybody know about vulnerabilities on OpenSSH, if yes, would you
like to suggest me another remote secure shell ?
There is a strong
on Tue Dec 21 14:54:44 EST 2004, Ron DuFresne wrote
the non std port advice is not worth much, security through
obscurity kinda thing.
wrong. non standard port helps quite well against automated scans.
most targets nowadays are searched via automated scans. if you are
painted red, you get
===
Ubuntu Security Notice USN-43-1 December 20, 2004
groff vulnerabilities
http://bugs.debian.org/286371,
http://bugs.debian.org/286372
===
A security issue affects the
-BEGIN PGP SIGNED MESSAGE-
__
SUSE Security Announcement
Package:kernel
Announcement-ID:SUSE-SA:2004:044
Date: Tuesday,
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory GLSA 200412-22
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
http://security.gentoo.org/
- - - - -
From what I have read, this can happen in any phpbb version lower than 2.0.11
This exploit is becoming frequent. Normally uploading a ddos bot.
Mark
Quoting L. Walker [EMAIL PROTECTED]:
Just spotted two clients hit by this. One client didn't update his
software (PHP 4.3.4, Apache 1.3.22)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory GLSA 200412-23
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
http://security.gentoo.org/
- - - - -
Script injection in Google Groups Beta. If a user views a thread
carefully crafted by a malicious user, then the script executes,
instead of the thread.
Concept:
http://groups-beta.google.com/group/n3td3v/browse_thread/thread/2379f18f5986c985
All users are vulnerable.
On Tue, 2004-12-14 at 15:44 -0800, n30 wrote:
Guys,
Looking for few interesting security breach stories...
Any database / sites that capture these??
http://www.mynetwatchman.com
With Regards..
Barrie Dempster (zeedo) - Fortiter et Strenue
http://www.bsrf.org.uk
[ gpg --recv-keys
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory GLSA 200412-12
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
http://security.gentoo.org/
- - - - -
When I was testing Google Groups Beta
(http://groups-beta.google.com/group/n3td3v) I found the script tags
executed on the Google Groups site. This only seems to work while
clicking on a reply thread, using the reply menu, featured on a given
groups homepage, when an older thread gets a reply.
If
On Wednesday 15 December 2004 15:48, [EMAIL PROTECTED] wrote:
Not by disabling the syscall but by replacing it in the manner that a
rootkit replaces syscalls. Build a new kernel from the same
source/config except for patch. Replace syscalls where there is change.
Practical?
Stable?
No.
===
Ubuntu Security Notice USN-41-1 December 17, 2004
samba vulnerability
CAN-2004-1154
===
A security issue affects the following Ubuntu releases:
Ubuntu 4.10 (Warty
In my absence, any request concerning the networks should be sent to the
e-mail address: [EMAIL PROTECTED] or (ars_transpac for any incident related to this network)
In case of emergency, you can contact:
The Networks hotline: 01 49 15 32 53
François LEVEQUE at 01 49 15 30 56
Pascal PAINPARAY at
Sanity.A - phpBB <= 2.0.10 Web Worm Source Code (PoC)
http://www.k-otik.com/exploits/20041222.sanityworm.pl.php
http://news.com.com/Yahoo+denies+family+access+to+dead+marines+e-mail/2100-1038_3-5500057.html?tag=st.prev
http://news.com.com/5208-1038-0.html?forumID=1&threadID=3847&messageID=21470&start=-1
I missed an important F on my previous post for these snort sigs.
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"BLEEDING-EDGE
phpBB Highlighting Code Execution - Santy.A Worm";
flow:to_server,established; uricontent:"/viewtopic.php?"; nocase;
uricontent:"highlight='.fwrite(fopen(";
Could be worse... at least they didn't include any of the recent IE
exploits in the defaced page. Given the popularity of phpbb, that
could have affected a *lot* of people really quickly.
-Brendan
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
___
Mandrakelinux Security Update Advisory
___
Package name: php
Advisory ID:
On Tue, 14 Dec 2004 16:33:59 CST, wastedimage said:
can anyone provide me with a traffic sample of this? I would really
like to see if this is the actual exploit or just a script kiddy
trying his little heart out.
What's this '*THE* actual exploit' stuff? These things are rarely unique ;)
MPlayer MMST Streaming Stack Overflow Vulnerability
iDEFENSE Security Advisory 12.16.04
http://www.idefense.com/application/poi/display?id=167
December 16, 2004
I. BACKGROUND
MPlayer is a movie player for Linux that also runs on many other Unices,
and non- x86 CPUs. It plays most MPEG, VOB,
Short version:
-
http://www.markusjansson.net/erecent.html#comments
The laptop computers used by members of parliament and their assistants
here in Finland have severe security holes. These laptop computers don't
have firewalls, file encryption and wiping tools, automatic update is
I don't have a lot to say on this topic as a whole which I have not
said before, so some of this is just repetition; maybe it'll be heard
this time. DoSing browsers will almost always be possible, as with any
other application, so long as you can load it up to process enough
information.
If the
Veritas Backup Exec Agent Browser Registration Request Buffer Overflow
Vulnerability
iDEFENSE Security Advisory 12.16.04
http://www.idefense.com/application/poi/display?id=169
December 16, 2004
I. BACKGROUND
Backup Exec is a next generation backup and restore solution for
Microsoft Windows
MPlayer Bitmap Parsing Remote Heap Overflow Vulnerability
iDEFENSE Security Advisory 12.16.04
http://www.idefense.com/application/poi/display?id=168
December 16, 2004
I. BACKGROUND
MPlayer is a movie player for Linux that also runs on many other Unices,
and non- x86 CPUs. It plays most MPEG,
On Tue, 14 Dec 2004 15:44:41 PST, n30 said:
Guys,
Looking for few interesting security breach stories...
Any database / sites that capture these??
Well, there's a problem - where do you get the stories?
The black hats probably won't be sharing their version of the stories
(at least until