Re: [Full-disclosure] We're now paying up to $20, 000 for web vulns in our services

2012-04-25 Thread Georgi Guninski
On Tue, Apr 24, 2012 at 11:28:29AM -0400, Charles Morris wrote:
 On Tue, Apr 24, 2012 at 11:13 AM, Michal Zalewski lcam...@coredump.cx wrote:
  IMHO, anyone who willingly, knowingly places customer data at risk by 
  inviting attacks on their production systems is playing a very dangerous 
  game. There is no guarantee that a vuln discovered by a truly honest 
  researcher couldn't become a weapon for the dishonest researcher through 
  secondary discovery
 
  I'm not sure I follow. Are you saying that the dishonest researcher
  will not try to find vulnerabilities if there is no reward program for
  the honest ones?
 
  /mz
 
 
 I'm not sure what he means either, however I know that many
 organizations treat security patches to the same lifecycle as
 features,
 which means sometimes upwards of a year of testing- thus giving a huge
 window for secondary discovery; whereas a vuln exploited in-the-wild
 generally has a much faster patch. Still I'm not sure how this fact is
 relevant, if it is at all. Perhaps if the adversary sees the vuln in
 unencrypted email
 between researcher and organization and then uses it silently making
 sure not to alert anyone? Not sure, but I digress.
 
 I don't know who believes that they are owed anything in this
 manner, and I agree with you, Jim, on that point.
 
 However, my main complaint is that businesses should either not pay
 anything at all (perhaps $1 as a token of gratitude, some swag or some
 such),
 or at least make a real effort. Finding a code execution vuln in
 Google's whatever app-of-the-day is a non-trivial task that requires
 researchers
 to learn a completely new landscape. I would expect Google, of all
 people, to pay 10x to 100x this amount for this sort of thing..
 A you-only-get-it-when-successful $20,000 budget from Google is
 insulting, considering the perhaps massive time investment from the
 researcher.
 
 There is zero ability to make an argument that such businesses can't
 realistically outcompete all buyers of weaponized exploits, as Michal
 has done [ :'( ].
 The damage from bad-guy code executing on Google
 Wallet would cost far more than $2M in damages, repair work, lost
 business, and penalties;
 and yet they only pay a nice researcher 20 grand? You can't even live
 on that. Researchers aren't just kids with no responsibilities, they
 have mortgages and families.
 
 Increase the payouts and you not only get good guys doing good things
 but you also get bad guys doing good things (even if for the wrong
 reasons).
 
 n.b. The fact that badguys take risk when doing their badguy
 activities, including selling exploits, makes it even easier to
 outcompete the buyers.
 
 Still, this is a huge improvement on what it was if memory serves. A
 million thanks to Michal !


I suppose if they get hit by malware the size of m$ they will
adjust the numbers. Maybe time will tell.

-- 
Georgi

___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


[Full-disclosure] [SECURITY] [DSA 2454-2] openssl incomplete fix

2012-04-25 Thread Raphael Geissert
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

- -
Debian Security Advisory DSA-2454-2   secur...@debian.org
http://www.debian.org/security/  Raphael Geissert
April 24, 2012 http://www.debian.org/security/faq
- -

Package: openssl
Vulnerability  : multiple
Problem type   : remote
Debian-specific: no
CVE ID : CVE-2012-2131

Tomas Hoger, Red Hat, discovered that the fix for CVE-2012-2110 for
the 0.9.8 series of OpenSSL was incomplete. It has been assigned the
CVE-2012-2131 identifier.

For reference, the original description of CVE-2012-2110 from DSA-2454-1
is quoted below:

CVE-2012-2110

Tavis Ormandy, Google Security Team, discovered a vulnerability
in the way DER-encoded ASN.1 data is parsed that can result in
a heap overflow.

For the stable distribution (squeeze), this problem has been fixed in
version 0.9.8o-4squeeze12.

The testing distribution (wheezy), and the unstable distribution (sid),
are not affected by this issue.

We recommend that you upgrade your openssl packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: http://www.debian.org/security/

Mailing list: debian-security-annou...@lists.debian.org
-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.11 (GNU/Linux)

iEYEARECAAYFAk+XW2QACgkQYy49rUbZzlqF/QCgnLBFXWG/+6tcVFrOTb0/Mxqs
qmcAn1iaplottiLfQw1LlKH2pdHm30aT
=vZV9
-END PGP SIGNATURE-
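The advisory describes a heap overflow in the parsing of DER-encoded ASN.1 data but, as advisories do, gives no code. As an added example (this is not OpenSSL's code and not the actual fix), here is a small DER tag/length decoder in Python that makes explicit the check this bug class turns on: a declared content length is compared against the bytes actually present before anything is sliced, copied or allocated, and indefinite or non-minimal length encodings are rejected because DER forbids them. The sample encodings at the bottom are constructed for the example and are not taken from the advisory.

```python
"""Defensive DER tag/length decoding: every declared length is checked
against the bytes actually present before anything is sliced or allocated."""

from typing import Iterator, Tuple


def der_read_header(buf: bytes, pos: int = 0) -> Tuple[int, int, int]:
    """Decode the identifier octet and definite-form length at buf[pos].

    Returns (tag, content_length, header_length). Raises ValueError on a
    truncated header, a multi-octet tag (not handled here), an indefinite
    or non-minimal length, or a length exceeding the remaining data.
    """
    end = len(buf)
    if end - pos < 2:
        raise ValueError("truncated header")
    tag = buf[pos]
    if tag & 0x1F == 0x1F:
        raise ValueError("multi-octet tags not supported")
    first = buf[pos + 1]
    if first < 0x80:                      # short form: the octet is the length
        length, hdr = first, 2
    else:                                 # long form: low 7 bits = octet count
        n = first & 0x7F
        if n == 0:
            raise ValueError("indefinite length is forbidden in DER")
        if end - (pos + 2) < n:
            raise ValueError("truncated length octets")
        len_octets = buf[pos + 2:pos + 2 + n]
        if len_octets[0] == 0 or (n == 1 and len_octets[0] < 0x80):
            raise ValueError("non-minimal length encoding")
        length, hdr = int.from_bytes(len_octets, "big"), 2 + n
    # The check that matters: never trust the declared length on its own.
    available = end - (pos + hdr)
    if length > available:
        raise ValueError(f"declared length {length} exceeds {available} available bytes")
    return tag, length, hdr


def der_children(content: bytes) -> Iterator[Tuple[int, bytes]]:
    """Yield (tag, value) for each TLV inside a constructed element's content."""
    pos = 0
    while pos < len(content):
        tag, length, hdr = der_read_header(content, pos)
        start = pos + hdr
        yield tag, content[start:start + length]
        pos = start + length


def der_count_children(content: bytes) -> int:
    return sum(1 for _ in der_children(content))


def der_is_wellformed(buf: bytes) -> bool:
    """True if buf is exactly one well-formed TLV; constructed types are checked recursively."""
    try:
        tag, length, hdr = der_read_header(buf)
        if hdr + length != len(buf):          # trailing garbage or short content
            return False
        if tag & 0x20:                        # constructed: validate every child
            pos = hdr
            while pos < len(buf):
                _, clen, chdr = der_read_header(buf, pos)
                if not der_is_wellformed(buf[pos:pos + chdr + clen]):
                    return False
                pos += chdr + clen
        return True
    except ValueError:
        return False


# Constructed sample encodings (not from the advisory):
SEQ_OK = bytes.fromhex("3006020105020107")          # SEQUENCE { INTEGER 5, INTEGER 7 }
SEQ_OVERSIZED = bytes.fromhex("3084ffffffff00")     # declares ~4 GiB, carries one byte
SEQ_INDEFINITE = bytes.fromhex("30800000")          # BER indefinite form, not DER
SEQ_NONMINIMAL = bytes.fromhex("30820006020105020107")  # length 6 padded to two octets
```

Rejecting the oversized sample before any allocation is the whole point; a decoder that sizes a buffer from the declared length and only then reads the data has already lost.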



Re: [Full-disclosure] Vulnerability in Backtrack

2012-04-25 Thread Disposable
Crazy! It works in pretty much every Linux by default.

This guy knows stuff. We all have to enroll in that High School of
Security he is talking about!!!


On Tue, Apr 24, 2012 at 4:51 PM, David3 Gonnella nete...@hackers.it wrote:

 it makes me scary! There is also on my distro! DOH! ;P


 On 04/24/12 16:41, Urlan wrote:
  It makes me laugh! hahahaha
 
  2012/4/24 Gage Bystrom themadichi...@gmail.com
 
  *sigh* vulnerability reports like this make me sad.
  On Apr 24, 2012 5:50 AM, Григорий Братислава musntl...@gmail.com
  wrote:
 
  Is good evening. I is would like to warn you about is vulnerability in
  Backtrack is all version.
 
  Backtrack Linux is penetration tester is system. Is come complete with
  tool for to make hacking for penetration tester.
 
  In is booting Backtrack, vulnerability exist in booting for when start
  if attacker is edit grub, attacker can bypass restricted user and is
  boot into admin account. E.g.:
 
  grub edit  kernel /boom/vmlinuz-2.3.11.7 root=/dev/sda1 ro Single
  [ENTER]
  grub edit  b
  # mount -t proc proc /proc
  # mount -o remount,rw /
  # passwd
  [ENTER IS ANYTHING YOU WANT]
  # sync
  # reboot
 
  I is will make this into video for bypassing security in Backtrack for
  to post on InfoSecInstitute
 
  --
 
  `Wherever I is go - there am I routed`
 
 
 
 
 



Re: [Full-disclosure] We're now paying up to $20, 000 for web vulns in our services

2012-04-25 Thread Jim Harrison
Exactly so.
I'm not so naive as to believe that monetary motivation turns EvilBob into 
GoodBob, but neither do I want to make EvilBob's job that much easier by 
increasing the number of concurrent attackers (good or bad) through rewards.

-Original Message-
From: Ramon de C Valle [mailto:rcva...@redhat.com] 
Sent: Tuesday, April 24, 2012 12:13 PM
To: Michal Zalewski
Cc: dailydave; websecur...@lists.webappsec.org; full-disclosure; bugtraq; Jim 
Harrison
Subject: Re: [Full-disclosure] We're now paying up to $20, 000 for web vulns in 
our services



  IMHO, anyone who willingly, knowingly places customer data at risk 
  by inviting attacks on their production systems is playing a very 
  dangerous game. There is no guarantee that a vuln discovered by a 
  truly honest researcher couldn't become a weapon for the dishonest 
  researcher through secondary discovery
 
 I'm not sure I follow. Are you saying that the dishonest researcher 
 will not try to find vulnerabilities if there is no reward program for 
 the honest ones?

He made a good example of a Slippery Slope.

--
Ramon de C Valle / Red Hat Product Security Team


Re: [Full-disclosure] Fwd: Vulnerability research and exploit writing

2012-04-25 Thread Alex Buie
What the hell is an empanelment?

Re: [Full-disclosure] Vulnerability in Gentoo hardened

2012-04-25 Thread Georgi Guninski
On Tue, Apr 24, 2012 at 12:15:26PM -0400, valdis.kletni...@vt.edu wrote:
 On Tue, 24 Apr 2012 17:36:55 +0200, Milan Berger said:
  if you read his advisories and 0-days you know: It's not a joke...
 
 I always thought it was misunderstood performance art...



this one appears to be true:
http://seclists.org/fulldisclosure/2011/Jul/312
Full disclosure is arrest of Sabu
(check the date)



Re: [Full-disclosure] Vulnerability in Gentoo hardened

2012-04-25 Thread Laurelai
On 4/25/12 3:56 AM, Georgi Guninski wrote:
 On Tue, Apr 24, 2012 at 12:15:26PM -0400, valdis.kletni...@vt.edu wrote:
 On Tue, 24 Apr 2012 17:36:55 +0200, Milan Berger said:
 if you read his advisories and 0-days you know: It's not a joke...
 I always thought it was misunderstood performance art...


 this one appears to be true:
 http://seclists.org/fulldisclosure/2011/Jul/312
 Full disclosure is arrest of Sabu
 (check the date)

Nope, I'm still here :p



Re: [Full-disclosure] Vulnerability in Gentoo hardened

2012-04-25 Thread Laurelai
On 4/25/12 3:56 AM, Georgi Guninski wrote:
 On Tue, Apr 24, 2012 at 12:15:26PM -0400, valdis.kletni...@vt.edu wrote:
 On Tue, 24 Apr 2012 17:36:55 +0200, Milan Berger said:
 if you read his advisories and 0-days you know: It's not a joke...
 I always thought it was misunderstood performance art...


 this one appears to be true:
 http://seclists.org/fulldisclosure/2011/Jul/312
 Full disclosure is arrest of Sabu
 (check the date)

And that's when Sabu was MIA from Twitter, and everyone knew about that;
nobody really knew why, though.



Re: [Full-disclosure] Fwd: Vulnerability research and exploit writing

2012-04-25 Thread James Condron
Paper list of jurors traditionally.

But yes, spam as far as I can tell.

On Wed, Apr 25, 2012 at 2:46 AM, Alex Buie ab...@kwdservices.com wrote:
 What the hell is an empanelment?




Re: [Full-disclosure] Vulnerability in Gentoo hardened

2012-04-25 Thread Laurelai
On 4/25/12 4:48 AM, Benji wrote:
 except it was rather obvious why.

 On Wed, Apr 25, 2012 at 10:27 AM, Laurelai laure...@oneechan.org wrote:
 On 4/25/12 3:56 AM, Georgi Guninski wrote:
 On Tue, Apr 24, 2012 at 12:15:26PM -0400, valdis.kletni...@vt.edu wrote:
 On Tue, 24 Apr 2012 17:36:55 +0200, Milan Berger said:
 if you read his advisories and 0-days you know: It's not a joke...
 I always thought it was misunderstood performance art...

 this one appears to be true:
 http://seclists.org/fulldisclosure/2011/Jul/312
 Full disclosure is arrest of Sabu
 (check the date)

 And thats when sabu was MIA from twitter and everyone knew about that,
 nobody really knew why though.

In hindsight yes.



Re: [Full-disclosure] Vulnerability in Gentoo hardened

2012-04-25 Thread Benji
No, with open eyes sight. If you chose not to believe the obvious at
the time, that is your own mistake and proof that you (general you,
not you specifically) were more interested in being part of the crowd
than thinking.


On Wed, Apr 25, 2012 at 10:52 AM, Laurelai laure...@oneechan.org wrote:
 On 4/25/12 4:48 AM, Benji wrote:

 except it was rather obvious why.

 On Wed, Apr 25, 2012 at 10:27 AM, Laurelai laure...@oneechan.org wrote:

 On 4/25/12 3:56 AM, Georgi Guninski wrote:

 On Tue, Apr 24, 2012 at 12:15:26PM -0400, valdis.kletni...@vt.edu wrote:

 On Tue, 24 Apr 2012 17:36:55 +0200, Milan Berger said:

 if you read his advisories and 0-days you know: It's not a joke...

 I always thought it was misunderstood performance art...


 this one appears to be true:
 http://seclists.org/fulldisclosure/2011/Jul/312
 Full disclosure is arrest of Sabu
 (check the date)


 And thats when sabu was MIA from twitter and everyone knew about that,
 nobody really knew why though.


 In hindsight yes.



Re: [Full-disclosure] Vulnerability in Gentoo hardened

2012-04-25 Thread Laurelai
On 4/25/12 4:54 AM, Benji wrote:
 No, with open eyes sight. If you chose not to believe the obvious at
 the time, that is your own mistake and proof that you (general you,
 not you specifically) were more interested in being part of the crowd
 than thinking.


 On Wed, Apr 25, 2012 at 10:52 AM, Laurelai laure...@oneechan.org wrote:
 On 4/25/12 4:48 AM, Benji wrote:
 except it was rather obvious why.

 On Wed, Apr 25, 2012 at 10:27 AM, Laurelai laure...@oneechan.org wrote:
 On 4/25/12 3:56 AM, Georgi Guninski wrote:
 On Tue, Apr 24, 2012 at 12:15:26PM -0400, valdis.kletni...@vt.edu wrote:
 On Tue, 24 Apr 2012 17:36:55 +0200, Milan Berger said:
 if you read his advisories and 0-days you know: It's not a joke...
 I always thought it was misunderstood performance art...

 this one appears to be true:
 http://seclists.org/fulldisclosure/2011/Jul/312
 Full disclosure is arrest of Sabu
 (check the date)

 And thats when sabu was MIA from twitter and everyone knew about that,
 nobody really knew why though.

 In hindsight yes.
There are any number of reasons why someone, even Sabu, could have 
stopped tweeting and then started back up again. It just turned out that 
this was the case this time.



Re: [Full-disclosure] Vulnerability in Backtrack

2012-04-25 Thread James Condron
I like it; it's kinda like the old one about anonymous hacking FTP
servers and the only way to tell is whether or not you have a user
'anonymous'


On Tue, Apr 24, 2012 at 7:10 PM, Disposable
disposable_94...@puedohacerlo.com wrote:
 Crazy! it works in pretty much every linux by default.

 This guy knows stuff. We all got to enroll on that High School of Security
 he is talking about!!!


 On Tue, Apr 24, 2012 at 4:51 PM, David3 Gonnella nete...@hackers.it wrote:

 it makes me scary! There is also on my distro! DOH! ;P


 On 04/24/12 16:41, Urlan wrote:
  It makes me laugh! hahahaha
 
  2012/4/24 Gage Bystrom themadichi...@gmail.com
 
  *sigh* vulnerability reports like this make me sad.
  On Apr 24, 2012 5:50 AM, Григорий Братислава musntl...@gmail.com
  wrote:
 
  Is good evening. I is would like to warn you about is vulnerability in
  Backtrack is all version.
 
  Backtrack Linux is penetration tester is system. Is come complete with
  tool for to make hacking for penetration tester.
 
  In is booting Backtrack, vulnerability exist in booting for when start
  if attacker is edit grub, attacker can bypass restricted user and is
  boot into admin account. E.g.:
 
  grub edit  kernel /boom/vmlinuz-2.3.11.7 root=/dev/sda1 ro Single
  [ENTER]
  grub edit  b
  # mount -t proc proc /proc
  # mount -o remount,rw /
  # passwd
  [ENTER IS ANYTHING YOU WANT]
  # sync
  # reboot
 
  I is will make this into video for bypassing security in Backtrack for
  to post on InfoSecInstitute
 
  --
 
  `Wherever I is go - there am I routed`
 
 
 
 
 






Re: [Full-disclosure] Vulnerability in Gentoo hardened

2012-04-25 Thread Benji
And choosing to believe any of the other reasons when you think you're
an '1337 hacker' and are involved in that world, is a personality
problem, end of.

On Wed, Apr 25, 2012 at 10:58 AM, Laurelai laure...@oneechan.org wrote:
 On 4/25/12 4:54 AM, Benji wrote:

 No, with open eyes sight. If you chose not to believe the obvious at
 the time, that is your own mistake and proof that you (general you,
 not you specifically) were more interested in being part of the crowd
 than thinking.


 On Wed, Apr 25, 2012 at 10:52 AM, Laurelai laure...@oneechan.org wrote:

 On 4/25/12 4:48 AM, Benji wrote:

 except it was rather obvious why.

 On Wed, Apr 25, 2012 at 10:27 AM, Laurelai laure...@oneechan.org wrote:

 On 4/25/12 3:56 AM, Georgi Guninski wrote:

 On Tue, Apr 24, 2012 at 12:15:26PM -0400, valdis.kletni...@vt.edu
 wrote:

 On Tue, 24 Apr 2012 17:36:55 +0200, Milan Berger said:

 if you read his advisories and 0-days you know: It's not a
 joke...

 I always thought it was misunderstood performance art...


 this one appears to be true:
 http://seclists.org/fulldisclosure/2011/Jul/312
 Full disclosure is arrest of Sabu
 (check the date)


 And thats when sabu was MIA from twitter and everyone knew about that,
 nobody really knew why though.


 In hindsight yes.

 There are any number of reasons why someone, even sabu could have stopped
 tweeting then started back up again. It just turned out that this was the
 case this time.



Re: [Full-disclosure] Vulnerability in Gentoo hardened

2012-04-25 Thread Laurelai
On 4/25/12 4:59 AM, Benji wrote:
 And choosing to believe any of the other reasons when you think you're
 an '1337 hacker' and are involved in that world, is a personality
 problem, end of.

 On Wed, Apr 25, 2012 at 10:58 AM, Laurelai laure...@oneechan.org wrote:
 On 4/25/12 4:54 AM, Benji wrote:
 No, with open eyes sight. If you chose not to believe the obvious at
 the time, that is your own mistake and proof that you (general you,
 not you specifically) were more interested in being part of the crowd
 than thinking.


 On Wed, Apr 25, 2012 at 10:52 AM, Laurelai laure...@oneechan.org wrote:
 On 4/25/12 4:48 AM, Benji wrote:
 except it was rather obvious why.

 On Wed, Apr 25, 2012 at 10:27 AM, Laurelai laure...@oneechan.org wrote:
 On 4/25/12 3:56 AM, Georgi Guninski wrote:
 On Tue, Apr 24, 2012 at 12:15:26PM -0400, valdis.kletni...@vt.edu
 wrote:
 On Tue, 24 Apr 2012 17:36:55 +0200, Milan Berger said:
 if you read his advisories and 0-days you know: It's not a
 joke...
 I always thought it was misunderstood performance art...

 this one appears to be true:
 http://seclists.org/fulldisclosure/2011/Jul/312
 Full disclosure is arrest of Sabu
 (check the date)

 And thats when sabu was MIA from twitter and everyone knew about that,
 nobody really knew why though.

 In hindsight yes.
 There are any number of reasons why someone, even sabu could have stopped
 tweeting then started back up again. It just turned out that this was the
 case this time.
I prefer not making assumptions about things I don't have any information 
on.  Sorry you consider that a personality problem :p



Re: [Full-disclosure] Vulnerability in Gentoo hardened

2012-04-25 Thread Benji
You should be paranoid if someone could construe what you're doing as illegal.

On Wed, Apr 25, 2012 at 11:07 AM, Laurelai laure...@oneechan.org wrote:
 On 4/25/12 4:59 AM, Benji wrote:

 And choosing to believe any of the other reasons when you think you're
 an '1337 hacker' and are involved in that world, is a personality
 problem, end of.

 On Wed, Apr 25, 2012 at 10:58 AM, Laurelai laure...@oneechan.org wrote:

 On 4/25/12 4:54 AM, Benji wrote:

 No, with open eyes sight. If you chose not to believe the obvious at
 the time, that is your own mistake and proof that you (general you,
 not you specifically) were more interested in being part of the crowd
 than thinking.


 On Wed, Apr 25, 2012 at 10:52 AM, Laurelai laure...@oneechan.org wrote:

 On 4/25/12 4:48 AM, Benji wrote:

 except it was rather obvious why.

 On Wed, Apr 25, 2012 at 10:27 AM, Laurelai laure...@oneechan.org wrote:

 On 4/25/12 3:56 AM, Georgi Guninski wrote:

 On Tue, Apr 24, 2012 at 12:15:26PM -0400, valdis.kletni...@vt.edu
 wrote:

 On Tue, 24 Apr 2012 17:36:55 +0200, Milan Berger said:

 if you read his advisories and 0-days you know: It's not a
 joke...

 I always thought it was misunderstood performance art...


 this one appears to be true:
 http://seclists.org/fulldisclosure/2011/Jul/312
 Full disclosure is arrest of Sabu
 (check the date)


 And thats when sabu was MIA from twitter and everyone knew about
 that,
 nobody really knew why though.


 In hindsight yes.

 There are any number of reasons why someone, even sabu could have stopped
 tweeting then started back up again. It just turned out that this was the
 case this time.

 I prefer not making assumptions about things i dont have any information on.
  Sorry you consider that a personality problem :p



Re: [Full-disclosure] Vulnerability in Gentoo hardened

2012-04-25 Thread Laurelai
On 4/25/12 5:08 AM, Benji wrote:
 You should be paranoid if someone could construe what you're doing as illegal.

 On Wed, Apr 25, 2012 at 11:07 AM, Laurelai laure...@oneechan.org wrote:
 On 4/25/12 4:59 AM, Benji wrote:
 And choosing to believe any of the other reasons when you think you're
 an '1337 hacker' and are involved in that world, is a personality
 problem, end of.

 On Wed, Apr 25, 2012 at 10:58 AM, Laurelai laure...@oneechan.org wrote:
 On 4/25/12 4:54 AM, Benji wrote:
 No, with open eyes sight. If you chose not to believe the obvious at
 the time, that is your own mistake and proof that you (general you,
 not you specifically) were more interested in being part of the crowd
 than thinking.


 On Wed, Apr 25, 2012 at 10:52 AM, Laurelai laure...@oneechan.org wrote:
 On 4/25/12 4:48 AM, Benji wrote:
 except it was rather obvious why.

 On Wed, Apr 25, 2012 at 10:27 AM, Laurelai laure...@oneechan.org wrote:
 On 4/25/12 3:56 AM, Georgi Guninski wrote:
 On Tue, Apr 24, 2012 at 12:15:26PM -0400, valdis.kletni...@vt.edu
 wrote:
 On Tue, 24 Apr 2012 17:36:55 +0200, Milan Berger said:
 if you read his advisories and 0-days you know: It's not a
 joke...
 I always thought it was misunderstood performance art...

 this one appears to be true:
 http://seclists.org/fulldisclosure/2011/Jul/312
 Full disclosure is arrest of Sabu
 (check the date)

 And thats when sabu was MIA from twitter and everyone knew about
 that,
 nobody really knew why though.

 In hindsight yes.
 There are any number of reasons why someone, even sabu could have stopped
 tweeting then started back up again. It just turned out that this was the
 case this time.
 I prefer not making assumptions about things i dont have any information on.
   Sorry you consider that a personality problem :p
Well, it's a good thing I don't do illegal shit; probably why I'm not 
paranoid all the time.



Re: [Full-disclosure] Vulnerability in Gentoo hardened

2012-04-25 Thread Benji
except it was rather obvious why.

On Wed, Apr 25, 2012 at 10:27 AM, Laurelai laure...@oneechan.org wrote:
 On 4/25/12 3:56 AM, Georgi Guninski wrote:
 On Tue, Apr 24, 2012 at 12:15:26PM -0400, valdis.kletni...@vt.edu wrote:
 On Tue, 24 Apr 2012 17:36:55 +0200, Milan Berger said:
 if you read his advisories and 0-days you know: It's not a joke...
 I always thought it was misunderstood performance art...


 this one appears to be true:
 http://seclists.org/fulldisclosure/2011/Jul/312
 Full disclosure is arrest of Sabu
 (check the date)

 And thats when sabu was MIA from twitter and everyone knew about that,
 nobody really knew why though.




[Full-disclosure] MoroccoTel Box Default Open Telnet Password

2012-04-25 Thread Jerome Athias
Hi,

A vulnerability was identified on MoroccoTel Boxes:
a telnet server is running, open to the web, with a default password of
admin (or 123456).

This critical vulnerability can affect the entire network of a country.

Solution: change the default password account or modify the default firmware

NB: a new firmware was released, introducing a cipher on the PPPoE
password (one common, publicly available PPPoE account is widely used).

Discovered by the NETpeas research team; NETpeas CERT is trying to contact
the ISP.

More details:

Password:
telnettry
41.141.*.* - Response telnet02: 
Copyright (c) 2001 - 2006 Huawei
MT882a
***
41.141.*.* - TELNET PASSWORD FOUND: admin

MT882a show all

 RAS version: V100R001B022 MoroccoTel 2010/02/26
 System   ID: $5.0.152.1(RUE0.C2)3.11.2.151 20110602_V001  [Jun 02 2011
13:54:48]
 romRasSize: 1217226
 system up time: 2:45:45 (f2cc9 ticks)
 bootbase version: VTC_SPI1.5| 2011/05/26


Hostname= MT882a
Message = empty
ip route mode   = Yes
bridge mode = Yes
DHCP setting:
  DHCP Mode  = Server
  Client IP Pool Starting Address = 192.168.1.2
  Size of Client IP Pool = 64
  Primary DNS Server = 8.8.8.8
  Secondary DNS Server   = 8.8.4.4
  DHCP server leasetime  = 86400
TCP/IP Setup:
  IP Address = 192.168.1.1
  IP Subnet Mask = 255.255.255.0
  Rip Direction  = None
Version  = Rip-1
  Multicast  = IGMP-v2


RemoteNode = 0
Rem Node Name  = ISP-0(ISP)
Encapsulation  = PPPoE
Multiplexing   = LLC-based
Channel active = Yes
VPI/VCI value  = 8/35
IP Routing mode= Yes
Bridge mode= No
PPP Username   = snip

PPP Password   = ***
PPP Username_ext2   =
PPP Password_ext2   =
Service name   =
Remote IP Addr= 0.0.0.0
Remote IP Subnet Mask = 0.0.0.0
IP address assignment type = Dynamic
SUA= Yes
Multicast  = None
Default Route node= Yes

RemoteNode = 1
Rem Node Name  = ISP-1
Encapsulation  = RFC 1483
Multiplexing   = LLC-based
Channel active = Yes
41.141.1.9 - Port 80 open
VPI/VCI value  = 0/35
IP Routing mode= No
Bridge mode= Yes
Remote IP Addr= 0.0.0.0
Remote IP Subnet Mask = 0.0.0.0

IP address assignment type = Dynamic
SUA= No
Multicast  = None
Default Route node= No

RemoteNode = 2
Rem Node Name  = ISP-2
Encapsulation  = RFC 1483
Multiplexing   = LLC-based
Channel active = Yes
VPI/VCI value  = 0/32
IP Routing mode= No
Bridge mode= Yes
Remote IP Addr= 0.0.0.0
Remote IP Subnet Mask = 0.0.0.0
IP address assignment type = Dynamic
SUA= No
Multicast  = None
Default Route node= No

RemoteNode = 3
Rem Node Name  = ISP-3
Encapsulation  = RFC 1483
Multiplexing   = LLC-based
Channel active = Yes
VPI/VCI value  = 8/32
IP Routing mode= No
Bridge mode= Yes
Remote IP Addr= 0.0.0.0
Remote IP Subnet Mask = 0.0.0.0
IP address assignment type = Dynamic
SUA= No
Multicast  = None
Default Route node= No

RemoteNode = 4
Rem Node Name  = ISP-4
Encapsulation  = RFC 1483
Multiplexing   = LLC-based
Channel active = Yes
VPI/VCI value  = 8/81
IP Routing mode= No
Bridge mode= Yes
Remote IP Addr= 0.0.0.0
Remote IP Subnet Mask = 0.0.0.0
IP address assignment type = Dynamic
SUA= No
Multicast  = None
Default Route node= No

RemoteNode = 5
Rem Node Name  = ISP-5
Encapsulation  = RFC 1483
Multiplexing   = LLC-based
Channel active = Yes
VPI/VCI value  = 0/100
IP Routing mode= No
Bridge mode= Yes
Remote IP Addr= 0.0.0.0
Remote IP Subnet Mask = 0.0.0.0
IP address assignment type = Dynamic
SUA= No
Multicast  = None
Default Route node= No

RemoteNode = 6
Rem Node Name  = ISP-6
Encapsulation  = RFC 1483
Multiplexing   = LLC-based
Channel active = Yes
VPI/VCI value  = 1/39
IP Routing mode= No
Bridge mode= Yes
Remote IP Addr= 0.0.0.0
Remote IP Subnet Mask = 0.0.0.0
IP address assignment type = Dynamic
SUA= No
Multicast  = None
Default Route node= No

RemoteNode = 7
Rem Node Name  = ISP-7
Encapsulation  = RFC 1483
Multiplexing   = LLC-based
Channel active = Yes
VPI/VCI value  = 0/16
IP Routing mode= No
Bridge mode= Yes
Remote IP Addr= 0.0.0.0
Remote IP Subnet Mask = 0.0.0.0
IP address assignment type = Dynamic
SUA= No
Multicast  = None
Default Route node= No

MT882a
RAS version: V100R001B022 MoroccoTel
romRasSize : 1217226
bootbase version   : VTC_SPI1.5| 2011/05/26
Product Model  : SmartAX

MAC Address: snip-inclear
Default Country Code   : FF
Boot Module Debug Flag : 00
RomFile Version: 9F
RomFile Checksum   : dceb
RAS F/W Checksum   : 87b7
SNMP MIB level & OID   : 

Re: [Full-disclosure] Vulnerability in Gentoo hardened

2012-04-25 Thread Georgi Guninski
On Wed, Apr 25, 2012 at 04:26:57AM -0500, Laurelai wrote:
 On 4/25/12 3:56 AM, Georgi Guninski wrote:
  On Tue, Apr 24, 2012 at 12:15:26PM -0400, valdis.kletni...@vt.edu wrote:
  On Tue, 24 Apr 2012 17:36:55 +0200, Milan Berger said:
  if you read his advisories and 0-days you know: It's not a joke...
  I always thought it was misunderstood performance art...
 
 
  this one appears to be true:
  http://seclists.org/fulldisclosure/2011/Jul/312
  Full disclosure is arrest of Sabu
  (check the date)
 
 Nope, I'm still here :p


OK, sorry.

I mean the Sabu part of the email.

___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


[Full-disclosure] [SECURITY] [DSA 2460-1] asterisk security update

2012-04-25 Thread Moritz Muehlenhoff
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

- -
Debian Security Advisory DSA-2460-1   secur...@debian.org
http://www.debian.org/security/Moritz Muehlenhoff
April 25, 2012 http://www.debian.org/security/faq
- -

Package: asterisk
Vulnerability  : several
Problem type   : remote
Debian-specific: no
CVE ID : CVE-2012-1183 CVE-2012-2414 CVE-2012-2415

Several vulnerabilities were discovered in the Asterisk PBX and telephony 
toolkit:

CVE-2012-1183

   Russell Bryant discovered a buffer overflow in the Milliwatt 
   application.

CVE-2012-2414

   David Woolley discovered a privilege escalation in the Asterisk 
   manager interface.

CVE-2012-2415

   Russell Bryant discovered a buffer overflow in the Skinny driver.

For the stable distribution (squeeze), this problem has been fixed in
version 1:1.6.2.9-2+squeeze5.

For the unstable distribution (sid), this problem will be fixed soon.

We recommend that you upgrade your asterisk packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: http://www.debian.org/security/

Mailing list: debian-security-annou...@lists.debian.org

-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.12 (GNU/Linux)

iEYEARECAAYFAk+YIOUACgkQXm3vHE4uylpTYQCeIlkGimI8WtcdKK6oYD09ckfm
dDUAnjksH+0jJLCG7ioSnb81645CJe5c
=0126
-END PGP SIGNATURE-



Re: [Full-disclosure] Hacking WolframAlpha

2012-04-25 Thread Lincoln Anderson
This is rather low-hanging fruit.  But I suppose someone has to disclose
the low-hanging fruit.

Aside from abusing WolframAlpha's API, I'm not sure I see that this is that
huge an accomplishment.  I do find it somewhat silly that unobfuscated
appids are passed to the API over an unsecured connection, but meh.  My
access to the API getting cut would be an annoyance, and I would certainly
be nonplussed about that if I were one of the poor souls who paid for a
bigger better faster stronger query plan, but still, meh.  Maybe I'm
missing out on the gravity of this by not using the WolframAlpha API.

Of course, I'm assuming the real point here *is* that the appid is passed
unobfuscated and unsecured, and *not* that I can go trawling for appids on
Google.  The former is somewhat interesting to the niche of WolframAlpha
API users.  The latter is rather old news under the heading "I can find a
disturbing amount of private information using a properly formatted Google
query".  Patching that vulnerability will only be accomplished
through reeducation and strategic employment modifications.

On Tue, Apr 24, 2012 at 2:50 PM, Adam Behnke a...@infosecinstitute.com wrote:

 Sharing source code with peers is one thing; sharing secrets over a public
 medium is another. The all-seeing eye of Google has no mercy, and once the
 secret has been seen, indexed, and copied to clone sites, it is no longer a
 secret. Now combine the search power of Google with the computational power
 of WolframAlpha and the results are limitless! It's raining data from these
 saturated clouds, and you just need to hold out your hands for a taste:
 http://resources.infosecinstitute.com/hacking-wolframalpha/







[Full-disclosure] XSS, CSRF and AFU vulnerabilities in Organizer for WordPress

2012-04-25 Thread MustLive
Hello list!

I want to warn you about multiple security vulnerabilities in the Organizer 
plugin for WordPress. This is the second in a series of advisories 
concerning vulnerabilities in this plugin.

These are Cross-Site Scripting (reflected and persistent), Cross-Site 
Request Forgery and Arbitrary File Upload (Code Execution) vulnerabilities.

-
Affected products:
-

Vulnerable are Organizer 1.2.1 and previous versions.

As the developer of the plugin answered me, he doesn't support it anymore 
and will not be fixing any vulnerabilities in it.

--
Details:
--

XSS (WASC-08):

http://site/wp-admin/admin.php?page=organizer/page/users.php&edit_id=%3Cscript%3Ealert(document.cookie)%3C/script%3E

XSS (Persistent) (WASC-08):

Exploit:

http://websecurity.com.ua/uploads/2012/Organizer%20XSS-2.html

Code will execute at the page users.php of the plugin.

CSRF (WASC-09):

Via attack on the function Add/Edit User Setting (which are combined into the 
same POST request) it's possible to add and edit settings.

POST request at page 
http://site/wp-admin/admin.php?page=organizer/page/users.php. Similarly to 
above exploit for XSS.

Via attack on function Delete User Setting it's possible to delete settings.

http://site/wp-admin/admin.php?page=organizer/page/users.php&delete_id=admin

Arbitrary File Upload (Code Execution) (WASC-31):

It's possible to upload arbitrary files with code execution (php files), 
because in the field "File extensions allowed" it's possible to set extensions 
of scripts, such as php.

This allows uploading arbitrary scripts to the server and executing them. 
Besides attacking the admin via the above-mentioned CSRF vulnerability to 
change the settings (or getting access to an admin account for this), the 
Insufficient Authorization vulnerability (described in the third advisory) 
can also be used for this (in the presence of an account even with the lowest 
rights, such as Subscriber).


Timeline:


2012.04.15 - informed the developer about previous vulnerabilities.
2012.04.16 - announced at my site (http://websecurity.com.ua/5786/).
2012.04.17 - the developer answered that he didn't support the plugin 
anymore.
2012.04.17 - additionally informed the developer about new vulnerabilities.
2012.04.24 - disclosed at my site.

Best wishes & regards,
MustLive
Administrator of Websecurity web site
http://websecurity.com.ua 


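The three findings above come down to two missing controls: the plugin echoed and acted on request parameters without escaping them or tying them to a nonce, and it let an admin-editable setting decide which upload extensions are allowed, with nothing server-side refusing script types. The following is an added example, not the Organizer plugin's code and not a patch for it: a minimal WordPress admin page, written for this illustration (every orgdemo_ function, option and menu slug is an invented name), that escapes edit_id on output, requires a nonce and a capability before any setting is saved or deleted, and rejects executable extensions no matter what the settings say. The WordPress functions it calls (check_admin_referer, wp_nonce_field, current_user_can, esc_attr, sanitize_key, wp_check_filetype_and_ext, add_menu_page) are real core APIs; the block only runs inside WordPress.

```php
<?php
/*
 * Plugin Name: orgdemo (added illustration, not the Organizer plugin)
 * Hardened admin settings page: escaped output, nonce-checked writes and a
 * server-side block on executable upload extensions.
 * All orgdemo_* names, the option name and the menu slug are assumptions.
 */
if ( ! defined( 'ABSPATH' ) ) {
	exit; // only meaningful inside WordPress
}

// Extensions that must never be uploadable, even if an administrator lists them
// in the "allowed extensions" setting: the web server may execute or render them.
function orgdemo_forbidden_extensions() {
	return array( 'php', 'php3', 'php4', 'php5', 'php7', 'phtml', 'phar', 'phps',
		'cgi', 'pl', 'py', 'sh', 'asp', 'aspx', 'jsp', 'htaccess', 'htm', 'html', 'svg', 'js' );
}

// Normalise a comma-separated extension list from the settings form and drop
// anything malformed or dangerous. Returns a de-duplicated array.
function orgdemo_sanitize_extensions( $raw ) {
	$clean = array();
	foreach ( explode( ',', (string) $raw ) as $ext ) {
		$ext = strtolower( trim( $ext, " .\t\n\r" ) );
		if ( '' === $ext || ! preg_match( '/^[a-z0-9]{1,8}$/', $ext ) ) {
			continue; // empty or not a plain extension token
		}
		if ( in_array( $ext, orgdemo_forbidden_extensions(), true ) ) {
			continue; // refused: settings cannot enable code execution
		}
		$clean[ $ext ] = $ext;
	}
	return array_values( $clean );
}

// Validate one $_FILES entry against the stored allow-list and the file's real
// content. Returns true or a WP_Error.
function orgdemo_validate_upload( array $file ) {
	$name    = (string) $file['name'];
	$parts   = explode( '.', strtolower( $name ) );
	$allowed = orgdemo_sanitize_extensions( get_option( 'orgdemo_allowed_ext', 'jpg,png,pdf' ) );

	if ( count( $parts ) < 2 || ! in_array( end( $parts ), $allowed, true ) ) {
		return new WP_Error( 'orgdemo_bad_ext', __( 'This file type is not allowed.', 'orgdemo' ) );
	}
	// Reject double extensions such as report.php.jpg: some Apache setups still
	// hand those to the PHP handler.
	foreach ( array_slice( $parts, 1 ) as $part ) {
		if ( in_array( $part, orgdemo_forbidden_extensions(), true ) ) {
			return new WP_Error( 'orgdemo_bad_ext', __( 'This file type is not allowed.', 'orgdemo' ) );
		}
	}
	// Let WordPress confirm the file content matches a permitted MIME type.
	$check = wp_check_filetype_and_ext( $file['tmp_name'], $name );
	if ( empty( $check['type'] ) ) {
		return new WP_Error( 'orgdemo_bad_type', __( 'File content does not match its extension.', 'orgdemo' ) );
	}
	return true;
}

// Render the settings page. edit_id is sanitised on input and escaped on
// output, so the reflected XSS from the advisory cannot occur.
function orgdemo_render_page() {
	if ( ! current_user_can( 'manage_options' ) ) {
		wp_die( esc_html__( 'Insufficient permissions.', 'orgdemo' ) );
	}
	$edit_id = isset( $_GET['edit_id'] ) ? sanitize_key( wp_unslash( $_GET['edit_id'] ) ) : '';
	$exts    = get_option( 'orgdemo_allowed_ext', 'jpg,png,pdf' );
	echo '<div class="wrap"><h1>' . esc_html__( 'Organizer demo settings', 'orgdemo' ) . '</h1>';
	echo '<form method="post">';
	wp_nonce_field( 'orgdemo_save', 'orgdemo_nonce' ); // CSRF token bound to this action and user
	echo '<input type="hidden" name="edit_id" value="' . esc_attr( $edit_id ) . '" />';
	echo '<p><label>' . esc_html__( 'Allowed upload extensions', 'orgdemo' );
	echo ' <input type="text" name="allowed_ext" value="' . esc_attr( $exts ) . '" /></label></p>';
	submit_button( __( 'Save', 'orgdemo' ) );
	echo '</form></div>';
}

// Handle the POST. check_admin_referer() dies on a missing or forged nonce,
// which closes the CSRF add/edit and delete vectors; a GET can never delete.
function orgdemo_handle_post() {
	if ( ! isset( $_POST['orgdemo_nonce'] ) ) {
		return;
	}
	check_admin_referer( 'orgdemo_save', 'orgdemo_nonce' );
	if ( ! current_user_can( 'manage_options' ) ) {
		wp_die( esc_html__( 'Insufficient permissions.', 'orgdemo' ) );
	}
	if ( isset( $_POST['delete_id'] ) ) {
		delete_option( 'orgdemo_setting_' . sanitize_key( wp_unslash( $_POST['delete_id'] ) ) );
		return;
	}
	$raw  = isset( $_POST['allowed_ext'] ) ? wp_unslash( $_POST['allowed_ext'] ) : '';
	$exts = orgdemo_sanitize_extensions( $raw );
	update_option( 'orgdemo_allowed_ext', implode( ',', $exts ) );
}

add_action( 'admin_menu', function () {
	add_menu_page( 'Organizer demo', 'Organizer demo', 'manage_options', 'orgdemo', 'orgdemo_render_page' );
} );
add_action( 'admin_init', 'orgdemo_handle_post' );
```

The design point is that the upload check does not trust the setting at all: orgdemo_sanitize_extensions() is applied both when the setting is saved and again when it is read, so a value written to the database by some other route (the CSRF or authorization issues the advisory mentions) still cannot enable a script extension.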


[Full-disclosure] (no subject)

2012-04-25 Thread Ramon Driessen


Re: [Full-disclosure] (no subject)

2012-04-25 Thread coderman



[Full-disclosure] [Security-news] SA-CONTRIB-2012-062 - Creative Commons - Cross Site Scripting (XSS)

2012-04-25 Thread security-news
View online: http://drupal.org/node/1547520

  * Advisory ID: DRUPAL-SA-CONTRIB-2012-062
  * Project: Creative Commons [1] (third-party module)
  * Version: 6.x
  * Date: 2012-April-25
  * Security risk: Moderately critical [2]
  * Exploitable from: Remote
  * Vulnerability: Cross Site Scripting

 DESCRIPTION  
-

The Creative Commons module allows users to select and assign a Creative
Commons license to a node and any attached content, or to the entire site.
The module did not sufficiently filter the text describing licenses. This
vulnerability is mitigated by the fact that an attacker must have a role with
the permission administer creative commons.

 VERSIONS AFFECTED  
---

  * Creative Commons 6.x-1.x versions prior to 6.x-1.1. [3]

Drupal core is not affected. If you do not use the contributed Creative
Commons [4] module, there is nothing you need to do.

 SOLUTION  


Install the latest version:

  * If you use the Creative Commons module for Drupal 6.x, upgrade to Creative
Commons 6.x-1.1 [5]

Also see the Creative Commons [6] project page.

 REPORTED BY  
-

  * Justin Klein-Keane [7]

 FIXED BY  


  * Kevin Reynen [8] the module maintainer

 COORDINATED BY  
--

  * Greg Knaddison [9] of the Drupal Security Team
  * Michael Hess [10] of the Drupal Security Team

 CONTACT AND MORE INFORMATION  


The Drupal security team can be reached at security at drupal.org or via the
contact form at http://drupal.org/contact [11].

Learn more about the Drupal Security team and their policies [12], writing
secure code for Drupal [13], and securing your site [14].


[1] http://drupal.org/project/creativecommons
[2] http://drupal.org/security-team/risk-levels
[3] http://drupal.org/node/1547478
[4] http://drupal.org/project/creativecommons
[5] http://drupal.org/node/1547478
[6] http://drupal.org/project/creativecommons
[7] http://drupal.org/user/302225
[8] http://drupal.org/user/48877
[9] http://drupal.org/user/36762
[10] http://drupal.org/user/102818
[11] http://drupal.org/contact
[12] http://drupal.org/security-team
[13] http://drupal.org/writing-secure-code
[14] http://drupal.org/security/secure-configuration

___
Security-news mailing list
security-n...@drupal.org
http://lists.drupal.org/mailman/listinfo/security-news



[Full-disclosure] [Security-news] SA-CONTRIB-2012-063 - RealName - Cross Site Scripting (XSS)

2012-04-25 Thread security-news
View online: http://drupal.org/node/1547660

  * Advisory ID: DRUPAL-SA-CONTRIB-2012-063
  * Project: RealName [1] (third-party module)
  * Version: 6.x
  * Date: 2012-April-25
  * Security risk: Moderately critical [2]
  * Exploitable from: Remote
  * Vulnerability: Cross Site Scripting

 DESCRIPTION  
-

This module allows you to set a pattern for constructing Real names for
users out of profile fields. The module does not sufficiently escape users'
real names under certain circumstances which could lead to a Cross-Site
Scripting (XSS) [3] attack.

 VERSIONS AFFECTED  
---

  * RealName 6.x-1.x versions prior to 6.x-1.5 [4].
  * RealName 7.x-1.x versions are not vulnerable.

Drupal core is not affected. If you do not use the contributed RealName [5]
module, there is nothing you need to do.

 SOLUTION  


Install the latest version:

  * If you use the RealName module for Drupal 6.x, upgrade to RealName 6.x-1.5
[6].

Also see the RealName [7] project page.

 REPORTED BY  
-

  * Gabor Szanto [8]
  * Dave Reid [9], module maintainer and Drupal Security Team member

 FIXED BY  


  * Gabor Szanto [10]
  * Dave Reid [11], module maintainer and Drupal Security Team member

 COORDINATED BY  
--

  * Dave Reid [12] of the Drupal Security Team
  * Michael Hess [13] of the Drupal Security Team

 CONTACT AND MORE INFORMATION  


The Drupal security team can be reached at security at drupal.org or via the
contact form at http://drupal.org/contact [14].

Learn more about the Drupal Security team and their policies [15], writing
secure code for Drupal [16], and securing your site [17].


[1] http://drupal.org/project/realname
[2] http://drupal.org/security-team/risk-levels
[3] http://en.wikipedia.org/wiki/Cross-site_scripting
[4] http://drupal.org/node/1547352
[5] http://drupal.org/project/realname
[6] http://drupal.org/node/1547352
[7] http://drupal.org/project/realname
[8] http://drupal.org/user/610310
[9] http://drupal.org/user/53892
[10] http://drupal.org/user/610310
[11] http://drupal.org/user/53892
[12] http://drupal.org/user/53892
[13] http://drupal.org/user/102818
[14] http://drupal.org/contact
[15] http://drupal.org/security-team
[16] http://drupal.org/writing-secure-code
[17] http://drupal.org/security/secure-configuration




[Full-disclosure] [Security-news] SA-CONTRIB-2012-064 - Ubercart - Multiple vulnerabilities

2012-04-25 Thread security-news
View online: http://drupal.org/node/1547674

  * Advisory ID: DRUPAL-SA-CONTRIB-2012-064
  * Project: Ubercart [1] (third-party module)
  * Version: 6.x, 7.x
  * Date: 2012-April-25
  * Security risk: Moderately critical [2]
  * Exploitable from: Varies (Local & Remote)
  * Vulnerability: Cross Site Scripting, Arbitrary PHP code execution,
Multiple vulnerabilities

 DESCRIPTION  
-

The Ubercart module for Drupal provides a shopping cart and e-commerce
features for Drupal. Parts of Ubercart were vulnerable to a Failure to
encrypt data, Cross Site Scripting, and an Arbitrary PHP Execution
vulnerability.

 Failure to encrypt data: Exploitable from local

Passwords supplied by new customers during checkout were stored as plain text
until payment was completed for an order, for a maximum of 15 minutes. This
vulnerability is not exploitable remotely, but information may have
inadvertently been leaked via database access (e.g. backups, developer
laptops that are compromised).

 Cross Site Scripting: Exploitable from remote

The product classes feature did not properly sanitize output and was
vulnerable to a cross site scripting attack. This vulnerability is mitigated
by the fact that an attacker must have the administer product classes
permission.

 Arbitrary PHP Execution: Exploitable from remote

In Ubercart 6.x-2.x, arbitrary PHP code can be executed by users with the
administer conditional actions permission. This vulnerability is mitigated
by the fact that this permission should only be granted to trusted users.

 VERSIONS AFFECTED  
---

  * Ubercart 6.x-2.x versions prior to 6.x-2.8. [3]
  * Ubercart 7.x-3.x versions prior to 7.x-3.1. [4]

Drupal core is not affected. If you do not use the contributed Ubercart [5]
module, there is nothing you need to do.

 SOLUTION  


Install the latest version:

  * If you use the Ubercart module for Drupal 6.x, upgrade to Ubercart
6.x-2.8. [6]
  * If you use the Ubercart module for Drupal 7.x, upgrade to Ubercart
7.x-3.1. [7]

Additionally, in Drupal 6.x, ensure that only trusted users have roles that
have been granted the administer conditional actions permission.

Also see the Ubercart [8] project page.

 REPORTED BY  
-

  * Shaun Dychko [9] reported the Failure to encrypt data issue
  * Lee Rowlands [10] reported the Cross Site Scripting issue
  * Dave Long [11] reported the Arbitrary PHP Execution issue

 FIXED BY  


  * Dave Long [12] the module maintainer
  * Lyle Mantooth [13] the module maintainer

 COORDINATED BY  
--

  * Greg Knaddison [14] of the Drupal Security Team

 CONTACT AND MORE INFORMATION  


The Drupal security team can be reached at security at drupal.org or via the
contact form at http://drupal.org/contact [15].

Learn more about the Drupal Security team and their policies [16], writing
secure code for Drupal [17], and securing your site [18].


[1] http://drupal.org/project/ubercart
[2] http://drupal.org/security-team/risk-levels
[3] http://drupal.org/node/1547506
[4] http://drupal.org/node/1547508
[5] http://drupal.org/project/ubercart
[6] http://drupal.org/node/1547506
[7] http://drupal.org/node/1547508
[8] http://drupal.org/project/ubercart
[9] http://drupal.org/user/475828
[10] http://drupal.org/user/395439
[11] http://drupal.org/user/246492
[12] http://drupal.org/user/246492
[13] http://drupal.org/user/86683
[14] http://drupal.org/user/36762
[15] http://drupal.org/contact
[16] http://drupal.org/security-team
[17] http://drupal.org/writing-secure-code
[18] http://drupal.org/security/secure-configuration


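The Creative Commons (SA-CONTRIB-2012-062), RealName (SA-CONTRIB-2012-063) and Ubercart product classes (SA-CONTRIB-2012-064) advisories above describe the same defect: text entered by an administrator or assembled from user profile fields reaches the page without being escaped. The block below is an added illustration for all three, not code from any of those modules; every demo_* function name is an assumption. It targets the Drupal 6 API and puts the vulnerable shape next to the fixed one, including the t() placeholder pitfall that hides the bug behind a call that looks safe. check_plain(), filter_xss_admin() and the t() placeholder rules are real Drupal 6 behaviour.

```php
<?php
/**
 * Added illustration for the three XSS advisories (Creative Commons, RealName,
 * Ubercart product classes). Not code from any of those modules; all demo_*
 * names are assumptions. Drupal 6 API.
 */

// --- Vulnerable patterns ---------------------------------------------------

// A real name is assembled from profile fields the user fills in and dropped
// into markup verbatim: any HTML in a profile field becomes part of the page.
function demo_realname_insecure($account) {
  return '<span class="username">' . $account->realname . '</span>';
}

// The '!' placeholder in t() performs no escaping, so this is the same bug
// written a second way. Reviewers miss it because "it uses t()".
function demo_realname_insecure_t($account) {
  return t('Posted by !name', array('!name' => $account->realname));
}

// Admin-entered license text echoed raw. Requiring "administer creative
// commons" narrows who can plant it, but a persistent payload fires for every
// visitor who sees the license, not just for administrators.
function demo_license_description_insecure($description) {
  return '<div class="cc-license">' . $description . '</div>';
}

// --- Fixed patterns ---------------------------------------------------------

// Escape at the point of output. check_plain() converts <, >, & and quotes so
// the value renders as literal text whatever it contains.
function demo_realname_secure($account) {
  return '<span class="username">' . check_plain($account->realname) . '</span>';
}

// '@' placeholders run check_plain() for you; '%' does the same and wraps the
// value in <em>. Both are safe for untrusted input; '!' is not.
function demo_realname_secure_t($account) {
  return t('Posted by @name', array('@name' => $account->realname));
}

// Text that legitimately carries markup (a license blurb with a link) goes
// through filter_xss_admin(), which keeps ordinary tags and removes <script>,
// on* event attributes and javascript: URLs.
function demo_license_description_secure($description) {
  return '<div class="cc-license">' . filter_xss_admin($description) . '</div>';
}

// Values that should never contain markup, such as a product class name or
// description, get check_plain() rather than a tag filter.
function demo_theme_product_class($class) {
  $output  = '<h3>' . check_plain($class->name) . '</h3>';
  $output .= '<p>' . check_plain($class->description) . '</p>';
  return $output;
}
```

The rule of thumb the three fixes share: escape where the value is emitted, not where it is stored, and pick the escaper by what the field is allowed to contain (check_plain() for plain text, filter_xss_admin() for trusted-but-not-blindly-trusted HTML). Permission requirements reduce who can inject, but they are a mitigation, not a fix.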


Re: [Full-disclosure] [Security-news] SA-CONTRIB-2012-063 - RealName - Cross Site Scripting (XSS)

2012-04-25 Thread security-news
Hi - Will you please remove me from this list? Thank you!


On Apr 25, 2012, at 12:49 PM, security-n...@drupal.org wrote:

 security-n...@drupal.org




[Full-disclosure] [Security-news] SA-CONTRIB-2012-065 - Sitedoc - Information disclosure

2012-04-25 Thread security-news
View online: http://drupal.org/node/1547686

  * Advisory ID: DRUPAL-SA-CONTRIB-2012-065
  * Project: Site Documentation [1] (third-party module)
  * Version: 6.x
  * Date: 2012-April-25
  * Security risk: Moderately critical [2]
  * Exploitable from: Remote
  * Vulnerability: Information Disclosure

 DESCRIPTION  
-

This module enables you to display a plethora of information about your
site's structure. Optionally, the information may be saved into a file for
later comparison.

The module doesn't sufficiently verify that the saved file is protected by
the Private File System.

This vulnerability is mitigated by the fact that the administrator must have
configured the module to save the HTML report file to disk.

 VERSIONS AFFECTED  
---

  * Sitedoc 6.x-1.x versions prior to 6.x-1.4.

Drupal core is not affected. If you do not use the contributed Site
Documentation [3] module, there is nothing you need to do.

 SOLUTION  


Install the latest version:

  * If you use the Sitedoc module for Drupal 6.x, upgrade to Sitedoc 6.x-1.4
[4], and
  * Enable the private file system if you want to save the output file.

Also see the Site Documentation [5] project page.

 REPORTED BY  
-

  * Jakub Suchý [6] of the Drupal Security Team

 FIXED BY  


  * Nancy Wichmann [7], the module maintainer

 COORDINATED BY  
--

  * Forest Monsen [8] of the Drupal Security Team

 CONTACT AND MORE INFORMATION  


The Drupal security team can be reached at security at drupal.org or via the
contact form at http://drupal.org/contact [9].

Learn more about the Drupal Security team and their policies [10], writing
secure code for Drupal [11], and securing your site [12].


[1] http://drupal.org/project/sitedoc
[2] http://drupal.org/security-team/risk-levels
[3] http://drupal.org/project/sitedoc
[4] http://drupal.org/node/1546224
[5] http://drupal.org/project/sitedoc
[6] http://drupal.org/user/31977
[7] http://drupal.org/user/101412
[8] http://drupal.org/user/181798
[9] http://drupal.org/contact
[10] http://drupal.org/security-team
[11] http://drupal.org/writing-secure-code
[12] http://drupal.org/security/secure-configuration

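The Sitedoc advisory describes a report file that was written to disk without confirming that the file system would actually withhold it from anonymous requests. As an added illustration (not the Sitedoc module's code; the sitedoc_demo_* names and the report path are assumptions), the following Drupal 6 module fragment refuses to write the report unless the private download method is active, and then grants download of the file only to users who may administer the site. variable_get('file_downloads'), FILE_DOWNLOADS_PRIVATE, file_check_directory(), file_save_data(), file_create_path() and hook_file_download() are real Drupal 6 APIs.

```php
<?php
/**
 * Added illustration for SA-CONTRIB-2012-065. Not the Sitedoc module's code;
 * sitedoc_demo_* names and the report filename are assumptions. Drupal 6 API.
 */

// Write the HTML report to disk only when downloads go through Drupal (the
// "private" download method), so the file is never served directly by the
// web server. Returns the saved path or FALSE.
function sitedoc_demo_save_report($html) {
  if (variable_get('file_downloads', FILE_DOWNLOADS_PUBLIC) != FILE_DOWNLOADS_PRIVATE) {
    drupal_set_message(t('The site report was not saved: the download method is public, so anyone who knew the path could read it. Switch to the private method at admin/settings/file-system first.'), 'error');
    watchdog('sitedoc_demo', 'Refused to write the site report with a public file system.', array(), WATCHDOG_WARNING);
    return FALSE;
  }
  $dir = file_directory_path() . '/sitedoc';
  if (!file_check_directory($dir, FILE_CREATE_DIRECTORY)) {
    return FALSE; // directory missing and could not be created
  }
  $dest  = $dir . '/site-report.html';
  $saved = file_save_data($html, $dest, FILE_EXISTS_REPLACE);
  return $saved ? $saved : FALSE;
}

// With private downloads Drupal serves a file only if some module's
// hook_file_download() returns headers for it. Grant the report solely to
// users who may administer the site; everyone else gets an explicit deny.
function sitedoc_demo_file_download($filepath) {
  if (strpos($filepath, 'sitedoc/') !== 0) {
    return NULL; // not our file; let other modules decide
  }
  if (!user_access('administer site configuration')) {
    return -1;   // explicit deny, overrides any other module's grant
  }
  $full = file_create_path($filepath);
  if (!$full || !file_exists($full)) {
    return NULL;
  }
  return array(
    'Content-Type: text/html; charset=utf-8',
    'Content-Length: ' . filesize($full),
  );
}
```

The two halves belong together: the first keeps the file out of the document root, and the second is what turns "private" into an actual access decision, since a private file with no hook_file_download() grant is unreachable and one with an unconditional grant is as exposed as a public file.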

[Full-disclosure] FW: (no subject)

2012-04-25 Thread imipak


Well, you believe that if you want to, but ask yourself... who benefits?


-i

[Full-disclosure] [Security-news] SA-CONTRIB-2012-066 - Spaces and Spaces OG - Access Bypass

2012-04-25 Thread security-news
View online: http://drupal.org/node/1547736

  * Advisory ID: DRUPAL-SA-CONTRIB-2012-066
  * Project: Spaces [1] (third-party module)
  * Version: 6.x
  * Date: 2012-April-25
  * Security risk: Moderately critical [2]
  * Exploitable from: Remote
  * Vulnerability: Access bypass

 DESCRIPTION  
-

Spaces is an API module intended to make configuration options generally
available only at the sitewide level configurable and overridable by
individual spaces on a Drupal site.

The spaces and spaces_og modules (part of the spaces package) in some cases
do not apply the expected spaces access permission to pages that are
non-objects (e.g. /node).

This vulnerability is mitigated by the fact that node_access and user profile
permissions will prevent node or user data from being exposed, but other
information (e.g. block data, etc.) is still displayed. This issue only affects
sites using spaces to limit access to content for some users.

 VERSIONS AFFECTED  
---

  * Spaces 6.x-3.x versions prior to 6.x-3.4.

Drupal core is not affected. If you do not use the contributed Spaces [3]
module, there is nothing you need to do.

 SOLUTION  


Install the latest version:

  * If you use the Spaces module for Drupal 6.x, upgrade to Spaces 6.x-3.4 [4]

Also see the Spaces [5] project page.

 REPORTED BY  
-

  * hefox [6]

 FIXED BY  


  * Patrick Settle [7] the module maintainer
  * Fox [8]

 COORDINATED BY  
--

  * Greg Knaddison [9] of the Drupal Security Team
  * Michael Hess [10] of the Drupal Security Team
  * Matt Kleve [11] of the Drupal Security Team

 CONTACT AND MORE INFORMATION  


The Drupal security team can be reached at security at drupal.org or via the
contact form at http://drupal.org/contact [12].

Learn more about the Drupal Security team and their policies [13], writing
secure code for Drupal [14], and securing your site [15].


[1] http://drupal.org/project/spaces
[2] http://drupal.org/security-team/risk-levels
[3] http://drupal.org/project/spaces
[4] http://drupal.org/node/1547730
[5] http://drupal.org/project/spaces
[6] http://drupal.org/user/426416
[7] http://drupal.org/user/26618
[8] http://drupal.org/user/426416
[9] http://drupal.org/user/36762
[10] http://drupal.org/user/102818
[11] http://drupal.org/user/150473
[12] http://drupal.org/contact
[13] http://drupal.org/security-team
[14] http://drupal.org/writing-secure-code
[15] http://drupal.org/security/secure-configuration



[Full-disclosure] [Security-news] SA-CONTRIB-2012-067 - Linkit - Access bypass

2012-04-25 Thread security-news
View online: http://drupal.org/node/1547738

  * Advisory ID: DRUPAL-SA-CONTRIB-2012-067
  * Project: Linkit [1] (third-party module)
  * Version: 7.x
  * Date: 2012-April-25
  * Security risk: Moderately critical [2]
  * Exploitable from: Remote
  * Vulnerability: Access bypass

 DESCRIPTION  
-

Linkit provides an easy interface for internal and external linking. Linkit
links to nodes, users, managed files, terms and has basic support for all
entities by default, using an autocomplete field.

When searching for entities, no access restrictions were added and users may
see information about content that they do not normally have access to see.
This issue only affects sites using an entity access module to limit access
to content for some users.

 VERSIONS AFFECTED  
---

  * Linkit 7.x-2.x versions prior to 7.x-2.2.

Drupal core is not affected. If you do not use the contributed Linkit [3]
module, there is nothing you need to do.

 SOLUTION  


Install the latest version:

  * If you use the Linkit module for Drupal 7.x, upgrade to Linkit 7.x-2.3 [4]

Also see the Linkit [5] project page.

 REPORTED BY  
-

  * PAULAP [6]

 FIXED BY  


  * Emil Stjerneman [7] the module maintainer

 COORDINATED BY  
--

  * Greg Knaddison [8] of the Drupal Security Team

 CONTACT AND MORE INFORMATION  


The Drupal security team can be reached at security at drupal.org or via the
contact form at http://drupal.org/contact [9].

Learn more about the Drupal Security team and their policies [10], writing
secure code for Drupal [11], and securing your site [12].


[1] http://drupal.org/project/linkit
[2] http://drupal.org/security-team/risk-levels
[3] http://drupal.org/project/linkit
[4] http://drupal.org/node/1547716
[5] http://drupal.org/project/linkit
[6] http://drupal.org/user/29978
[7] http://drupal.org/user/464598
[8] http://drupal.org/user/36762
[9] http://drupal.org/contact
[10] http://drupal.org/security-team
[11] http://drupal.org/writing-secure-code
[12] http://drupal.org/security/secure-configuration

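The Linkit advisory above describes an entity search that ran without access restrictions, so the autocomplete revealed titles of content the requesting user could not otherwise see. As an added illustration (not Linkit's code; the linkit_demo_* names are assumptions) the Drupal 7 fragment below shows the unrestricted node query beside a version that lets node access modules rewrite the query and re-checks each hit, plus the equivalent gates for users and managed files. db_select(), the node_access query tag, node_access(), user_access(), file_uri_scheme() and the hook_file_download() convention are real Drupal 7 APIs.

```php
<?php
/**
 * Added illustration for SA-CONTRIB-2012-067. Not Linkit's code; all
 * linkit_demo_* names are assumptions. Drupal 7 API.
 */

// Vulnerable shape: every published node whose title matches is returned,
// whoever is asking. Node access modules never get to alter this query, so a
// restricted node's existence and title leak to anyone with the autocomplete.
function linkit_demo_search_nodes_insecure($string, $limit = 10) {
  return db_select('node', 'n')
    ->fields('n', array('nid', 'title'))
    ->condition('n.title', '%' . db_like($string) . '%', 'LIKE')
    ->condition('n.status', NODE_PUBLISHED)
    ->range(0, $limit)
    ->execute()
    ->fetchAllAssoc('nid');
}

// Fixed: tag the query so node access grants filter it at the SQL level, then
// confirm each hit with node_access(), which also asks hook_node_access()
// implementers. Both checks run as the current user.
function linkit_demo_search_nodes_secure($string, $limit = 10) {
  global $user;
  $query = db_select('node', 'n')
    ->fields('n', array('nid', 'title'))
    ->condition('n.title', '%' . db_like($string) . '%', 'LIKE')
    ->condition('n.status', NODE_PUBLISHED)
    ->range(0, $limit)
    ->addTag('node_access')
    ->addMetaData('account', $user);
  $results = array();
  foreach ($query->execute() as $row) {
    $node = node_load($row->nid);
    if ($node && node_access('view', $node, $user)) {
      $results[$row->nid] = array('title' => $row->title, 'path' => 'node/' . $row->nid);
    }
  }
  return $results;
}

// Users: the "access user profiles" permission decides whether names may be
// listed at all; blocked accounts and the anonymous user are never returned.
function linkit_demo_search_users_secure($string, $limit = 10) {
  if (!user_access('access user profiles')) {
    return array();
  }
  return db_select('users', 'u')
    ->fields('u', array('uid', 'name'))
    ->condition('u.name', '%' . db_like($string) . '%', 'LIKE')
    ->condition('u.status', 1)
    ->condition('u.uid', 0, '>')
    ->range(0, $limit)
    ->execute()
    ->fetchAllAssoc('uid');
}

// Managed files: a private:// file is listed only if some module grants it via
// hook_file_download(), which is exactly the check file_download() applies
// when the file is requested.
function linkit_demo_search_files_secure($string, $limit = 10) {
  $rows = db_select('file_managed', 'f')
    ->fields('f', array('fid', 'filename', 'uri'))
    ->condition('f.filename', '%' . db_like($string) . '%', 'LIKE')
    ->condition('f.status', FILE_STATUS_PERMANENT)
    ->range(0, $limit)
    ->execute();
  $results = array();
  foreach ($rows as $file) {
    if (file_uri_scheme($file->uri) == 'private') {
      $headers = module_invoke_all('file_download', $file->uri);
      if (empty($headers) || in_array(-1, $headers, TRUE)) {
        continue; // no module grants this user the file: do not list it
      }
    }
    $results[$file->fid] = array('title' => $file->filename, 'path' => file_create_url($file->uri));
  }
  return $results;
}
```

The point the advisory makes applies to any search or autocomplete endpoint: a result list is itself a disclosure, so it has to be filtered by the same access logic as the full page. Running the filter once in SQL (the node_access tag) and once per row (node_access()) costs a few extra loads but catches modules that implement hook_node_access() without grant records.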


Re: [Full-disclosure] FW: (no subject)

2012-04-25 Thread Michael Wood
Lmao
On Apr 25, 2012 4:06 PM, imipak imi...@gmail.com wrote:

 

 Well, you believe that if you want to, but ask yourself... who benefits?


 -i

