Coda RPC2 Denial of Service

2003-07-09 Thread andrewg

[ANNOUNCE][SECURITY] Apache 2.0.47 released

2003-07-09 Thread Apache HTTP Server Project
Apache 2.0.47 Released The Apache Software Foundation and the Apache HTTP Server Project are pleased to announce the tenth public release of the Apache 2.0 HTTP Server. This Announcement notes the significant changes

[SECURITY] [DSA-347-1] New teapop packages fix SQL injection

2003-07-09 Thread Matt Zimmerman
-- Debian Security Advisory DSA 347-1 [EMAIL PROTECTED] http://www.debian.org/security/ Matt Zimmerman July 8th, 2003

ZH2003-2SA (security advisory): QShop privilege escalation

2003-07-09 Thread G00db0y
ZH2003-2SA (security advisory): QShop privilege escalation Published: 09/07/2003 Released: 09/07/2003 Name: QShop privilege escalation Affected Systems: QShop v2.5 (and older versions?) Issue: Remote attackers can obtain full access to the remote system Author: [EMAIL PROTECTED]

Re: zkfingerd-2.0.2(the last version)Format String Vulnerabilities

2003-07-09 Thread Vade 79
In-Reply-To: [EMAIL PROTECTED] went through the zkfingerd-2.0.2 source after reading this. curious on exploitation :)... anyways, i am not seeing anywhere in the source where the msg buffer can allow for direct user input (formats). only static data/proper formats (including ones that look

[SNS Advisory No.66] Apache HTTP Server v2 Causes a DoS When Parsing a Type-Map File

2003-07-09 Thread Secure Net Service(SNS) Security Advisory
-- SNS Advisory No.66 Apache HTTP Server v2 Causes a DoS When Parsing a Type-Map File Problem first discovered on: Thu, 26 Dec 2002 Published on: Wed, 09 Jul 2003 Reference:

[SECURITY] [DSA-344-1] New unzip packages fix directory traversal

2003-07-09 Thread Matt Zimmerman
-- Debian Security Advisory DSA 344-1 [EMAIL PROTECTED] http://www.debian.org/security/ Matt Zimmerman July 8th, 2003

Re: Unrealircd Anope services - join segmentation fault in operserv.c

2003-07-09 Thread Rob
On Tuesday 08 July 2003 8:14 am, Lethalman wrote: If an admin say this command: '/msg operserv raw :nickserv join #chan' NickServ join in that chan, ok. If the command was: '/msg operserv raw : join #chan' ircd go to SEGFAULT. Why? *snip*

Re: [sec-labs] Adobe Acrobat Reader =5.0.7 Buffer OverflowVulnerability + PoC code

2003-07-09 Thread sec-labs team
We can easily reproduce this bug on version 5.0.7 and 5.0.5 on Slackware Linux and Phoenix and Mozilla browsers. You can choose Netscape or NCSA compatible browser in Adobe preferences, and WWWLaunchNetscape and WWWLaunchNCSA functions. You should not have a problem with this bug. It is quite

Re: Another ProductCart SQL Injection Vulnerability

2003-07-09 Thread Massimo Arrigoni
In-Reply-To: [EMAIL PROTECTED] Additional information on how to better protect a ProductCart-powered store, and specifically on how to avoid unauthorized access to stores using a MS Access database, is available at this address: http://www.earlyimpact.com/pdf/ProductCart_Security_Tips.pdf In

Re[2]: ICQ 2003a Password Bypass

2003-07-09 Thread CauŠ³ Moura Prado
First off, I notified ICQ Inc. three days ago and what I got was an automatic reply. I have released the exploit to encourage them to release a new build of ICQ Pro. The vulnerability may be exploited locally. If it was exploitable remotely, make no mistake that I would wait for a new release

Black Box Voting

2003-07-09 Thread Joshua Jore
(forwarded) Subject: [GPM] Black Box Voting Inside A U.S. Election Vote Counting Program Tuesday, 8 July 2003, 6:20 pm Article: Bev Harris Inside A U.S. Election Vote Counting Program By Bev Harris* * Bev Harris is the Author of the soon to be published book Black Box Voting: Ballot

Re: ICQ 2003a Password Bypass

2003-07-09 Thread Seva Gluschenko
Message of Cau Moura Prado at Jul 5 13:30 ... CMP Software: ICQ 2003a CMP Threat: Login password can be bypassed locally I may have missed smth but does it mean ICQ 2003a and other mentioned cache registered user's password regardless of user's intention or you guys just run your exploit just after

Fwd: RE: Contact information for Microsoft Security Response Center [tf]

2003-07-09 Thread keepitsecret
Very good. All one needs to do is ask. After wading through a mountain of childish, almost fanatical defences of Microsoft and bitter flames for asking the question, we have a solution from Microsoft today. -- Forwarded Message from Microsoft

Re: ProductCart XSS Vulnerability

2003-07-09 Thread Massimo Arrigoni
In-Reply-To: [EMAIL PROTECTED] This security issue ONLY affects ProductCart v1.5 and before. It was fixed several months ago. Users of ProductCart v1.5 can update their software free of charge using the following fix, which also addresses the other recently posted security issues.

Tomcat Dangerous Documentation/Tomcat Default Plaintext Password Storage

2003-07-09 Thread Mike Bommarito
From the Realm HOW-TO on the Tomcat 4.0/4.1 documentation pages: For each of the standard Realm implementations, the user's password (by default) is stored in clear text. In many environments, this is undesirable because casual observers of the authentication data can collect enough

IE Object Type Overflow Exploit

2003-07-09 Thread ash

[SECURITY] [DSA-343-1] New skk, ddskk packages fix insecure temporary file creation

2003-07-09 Thread Matt Zimmerman
-- Debian Security Advisory DSA 343-1 [EMAIL PROTECTED] http://www.debian.org/security/ Matt Zimmerman July 8th, 2003

TerminatorX local root

2003-07-09 Thread andrewg
Program: terminatorX 3.80 Impact: Users can gain local root Discovered: jaguar Writeup and exploits: Andrew Griffiths 1) Background 'terminatorX is a realtime audio synthesizer that allows you to scratch on digitally sampled audio data (*.wav, *.au, *.ogg, *.mp3, etc.) the way

[SECURITY] [DSA-346-1] New phpsysinfo packages fix directory traversal

2003-07-09 Thread Matt Zimmerman
-- Debian Security Advisory DSA 346-1 [EMAIL PROTECTED] http://www.debian.org/security/ Matt Zimmerman July 8th, 2003

xpdf vulnerability - CAN-2003-0434

2003-07-09 Thread Andries . Brouwer
[I sent this letter on 2003-06-28, but no letters arrived that day, it seems. A second attempt.] I see RedHat and Mandrake reactions to the vulnerability in xpdf reported by Martyn Gilmore. But their updates do not fix the problem. They change xpdf, and make it filter out backquotes before

Re: Generic way to exploit an insecure /tmp file creation - Red Hat7,8,9 (Re: Red Hat 9: free tickets)

2003-07-09 Thread Stephen Samuel
I actually *would* describe the bug below as a logwatch bug. If you have a uid=0 program calling shell scripts from data like filenames, those filenames should be sanitized. It would be easy enough to scan the filename for unexpected characters and refuse to use them on that basis. something as

Microsoft Utility Manager Local Privilege Escalation

2003-07-09 Thread NGSSoftware Insight Security Research
NGSSoftware Insight Security Research Advisory Name: Microsoft Utility Manager Local Privilege Escalation Systems Affected: Windows 2000 SP3 Severity: Medium Risk Vendor URL: http://www.microsoft.com Authors: Chris Paget [ [EMAIL PROTECTED] ] Chris Anley [ [EMAIL PROTECTED] ]

Re: xpdf vulnerability - CAN-2003-0434

2003-07-09 Thread stanislav shalunov
[EMAIL PROTECTED] writes: A urlCommand like the default netscape -remote 'openURL(%s)' is OK since the %s is protected by single quotes. How so? Consider an argument of '`rm -rf /tmp/test`' This expands to netscape -remote 'openURL('`rm -rf /tmp/test`')' where the single

Information Disclosure Vulnerability in bitboard2

2003-07-09 Thread Marc Bromm

Cisco Security Advisory: Denial-of-Service of TCP-based Services in CatOS

2003-07-09 Thread Cisco Systems Product Security Incident Response Team
affects only CatOS. No other Cisco products are affected. This advisory is available at http://www.cisco.com/warp/public/707/cisco-sa-20030709-swtcp.shtml. Affected Products = The CatOS for the following Catalyst models are affected: * Catalyst 4000 Series including models 2948G

Pipe Filename Local Privilege Escalation FAQ

2003-07-09 Thread @stake Advisories
We have received several inquiries regarding the advisory, Named Pipe Filename Local Privilege Escalation, that was published by @stake on 07/08/2003. These answers should clarify where the vulnerability actually lies so customers can make informed

Website to (Safely) Check Content Filtering S/W for Malicious Code???

2003-07-09 Thread scott Stevens
Does anyone know of any safe sites out there to try to test whether or not content filtering s/w is behaving as advertised? We simply want to test things like unsigned ActiveX objects, malicious Java, mobile code, etc. that are SUPPOSED to be stripped out via this software. We want to use a

PalmOS Memo Record Hiding Vulnerability.

2003-07-09 Thread Shaun Moore
Application: PalmOS Operating System: PalmOS Vendor: Palm(tm) Versions: ALL Author: [EMAIL PROTECTED] -[BACKGROUND]-: PalmOS includes a pre-installed 'Security' Application, which allows a Palm enabled device to add weak security, to hide data and protect the PDA from casual snoopers. One

Re: xpdf vulnerability - CAN-2003-0434

2003-07-09 Thread Andries . Brouwer
A urlCommand like the default netscape -remote 'openURL(%s)' is OK since the %s is protected by single quotes. How so? Consider an argument of '`rm -rf /tmp/test`' xpdf already filters out single and double quotes, so these do not occur in arguments.