Re: vixie cron possible local root compromise

2001-02-13 Thread gabriel rosenkoetter
On Sun, Feb 11, 2001 at 12:38:02AM +0100, Flatline wrote: > When crontab has determined the name of the user calling crontab (using > getpwuid()), > the login name is stored in a 20 byte buffer using the strcpy() function > (which does no bounds checking). 'useradd' (the utility used to add users

Re: severe error in SSH session key recovery patch

2001-02-13 Thread Tatu Ylonen
> 1){ > 2) static time_t last_kill_time = 0; > 3) if (time(NULL) - last_kill_time > 60 && getppid() != 1) > 4){ > 5) last_kill_time = time(NULL); > 6) kill(SIGALRM, getppid()); > 7) } > 8) fatal("Bad result from rsa_private_decrypt"); > 9)} > >

Re: vixie cron possible local root compromise

2001-02-13 Thread Kris Kennaway
On Sun, Feb 11, 2001 at 12:38:02AM +0100, Flatline wrote: > the login name is stored in a 20 byte buffer using the strcpy() function > (which does no bounds checking). 'useradd' (the utility used to add users > to the system) > however allows usernames of over 20 characters (32 at most on my dist

security bulletins digest (fwd)

2001-02-13 Thread Ben Greenbaum
-- Forwarded message -- Date: Tue, 13 Feb 2001 03:53:58 -0800 (PST) From: IT Resource Center <[EMAIL PROTECTED]> To: [EMAIL PROTECTED] Subject: security bulletins digest HP Support Information Digests ==

Re: vixie cron possible local root compromise

2001-02-13 Thread Andrew Brown
>When crontab has determined the name of the user calling crontab (using >getpwuid()), >the login name is stored in a 20 byte buffer using the strcpy() function >(which does no bounds checking). 'useradd' (the utility used to add users >to the system) >however allows usernames of over 20 character

RFP2101: RFPlutonium to fuel your PHP-Nuke

2001-02-13 Thread rain forest puppy
-/ RFP2101 /---/ rfp.labs / wiretrip/ RFPlutonium to fuel your PHP-Nuke SQL hacking user logins in PHP-Nuke web portal / rain forest puppy / [EMAIL PROTECTED] Table of contents: -/ 1 / St

Re: Fwd: Re: phpnuke, security problem...

2001-02-13 Thread sam mulvey
On Mon, 12 Feb 2001, Peter van Dijk wrote: > The author obviously doesn't care about security. He's not, and he makes it perfectly clear in the installation instructions: "3) In order to use the File Manager, please be sure to chmod 666 ALL files and 777 ALL directories. 4) Also, to activate H

W3.ORG sendtemp.pl

2001-02-13 Thread Tom Parker
Following are details of a vulnerability I recently discovered in W3.ORG's sendtemp.pl. Name: sendtemp.pl (W3C). Remote: Yes Local: Yes Type: sendtemp.pl: A part of the Amaya Web development server contains a file disclosure vulnerability, which allows remote, read access to files on the servers fi

Re: Some more MySql security issues

2001-02-13 Thread Hector A.Paterno
On Monday 12 February 2001 18:22, you wrote: > - Original Message - > From: "Joao Gouveia" <[EMAIL PROTECTED]> > To: <[EMAIL PROTECTED]> > Sent: Friday, February 09, 2001 9:54 PM > Subject: Some more MySql security issues > > > Hi, > > > > MySql staff has been notified regarding this issu

Re: tdhttp transversal bug

2001-02-13 Thread sekure
Hello, I did other tests...and it didn't work here again on my 3 Linux servers...look: http://192.168.151.100/../../../../../../../../../../etc/passwd http://192.168.151.150/../../../../../../../../../../etc/passwd http://192.168.151.1/../../../../../../../../../../etc/passwd All return me this me

Re: Some more MySql security issues

2001-02-13 Thread Tim Yardley
At 03:19 PM 2/12/2001, Konrad Rieck wrote: >A bof is a bof. You are completely right, but as I said and I still believe >so, most buffer overflows are just bad coding practice. Don't get confused >by all that hype, there are far more applications with buffer overflows >in argv that are definitely

Security advisory for analog

2001-02-13 Thread Stephen Turner
SECURITY ADVISORY 13th February 2001 -- Program: analog (logfile analysis program) Versions: all versions except 4.16 and 4.90beta3 Operating systems: all -

Re: Patch for Potential Vulnerability in the execution of JSPs outside doc_root

2001-02-13 Thread Jon Stevens
Hi, I'm the person responsible for maintaining Apache JServ (which is actually a product that is not being developed further as a result of being deprecated in favor of Tomcat and Jasper) and I would like to just clarify that this problem is strictly within Oracle's product and not within Apache JServ

Ben Greenbaum: Re: SSHD-1 Logging Vulnerability

2001-02-13 Thread Bob Beck
>> [users getting out of sync and passwords getting logged] >Not always. I can think of one Windows SSH client off the top of my head >that will prompt for the username and password separately - SecureCRT. I'm >sure there are others as well that I'm just not thinking of right now... Well, th

Re: Some more MySql security issues

2001-02-13 Thread Joao Gouveia
- Original Message - From: "Konrad Rieck" <[EMAIL PROTECTED]> To: <[EMAIL PROTECTED]> Sent: Monday, February 12, 2001 9:19 PM Subject: Re: Some more MySql security issues > Maybe you can explain, how I will change my privileges on a system, when > executing exactly such overflows, I can'

FreeBSD Security Advisory FreeBSD-SA-01:24.ssh

2001-02-13 Thread FreeBSD Security Advisories
-BEGIN PGP SIGNED MESSAGE- = FreeBSD-SA-01:24 Security Advisory FreeBSD, Inc. Topic: SSH1 impleme

Re: WebSPIRS CGI script "show files" Vulnerability.

2001-02-13 Thread Ashwin Kutty
I have just tried this with WebSpirs 3.1 The URL I tried is.. http://www.targethost.com/spirs/webspirs.cgi?sp.nextform=../../../../../etc/passwd It worked.. I also tried this with WebSpirs 4.2 and it did NOT work.. I have not tried WebSpirs 4.3 yet.. Maybe it is cause you have it in your cgi-bin

Solution for Potential Vulnerability in Granting FilePermission to Oracle Java Virtual Machine

2001-02-13 Thread Oracle Security Alerts
Solution for Potential Vulnerability in Granting FilePermission to Oracle Java Virtual Machine Versions Affected Oracle8i Release 3 (8.1.7) Oracle Application Server 9iAS Release 1.0.2.0.1 Platforms Affected All Description of the Problem A potential vulnerability in Oracle JVM has been discove

MySql new version

2001-02-13 Thread Joao Gouveia
Hi, MySql version 3.23.33 has been released, addressing these latest problems. Change log in http://www.mysql.com/doc/N/e/News-3.23.33.html Fixed buffer overrun in libmysqlclient library. Fixed bug in handling STOP event after ROTATE event in replication. Fixed another buffer overrun in DROP DATA

Bad PRNGs revisted in FreSSH

2001-02-13 Thread Charles M. Hannum
The newly announced FreSSH, when there is no /dev/urandom available, uses a `fallback' to seed its PRNG that consists of: int numfs, whichfs = 0; struct statfs *mntbuf; numfs = getmntinfo(&mntbuf, MNT_NOWAIT);

Re: Symantec pcAnywhere 9.0 DoS / Buffer Overflow

2001-02-13 Thread Mike Prosser
SIRC Incident Headline: Symantec pcAnywhere 9.0 DoS / Buffer Overflow Affected Components: Symantec pcAnywhere 9.0 and earlier Incident Details: On 02/11/01 05:22 PM, Zoa Chien of Securax.org reported a denial of service in Symantec's pcAnywhere 9.0 in which pcAnywhere, configured as a host PC

Trustix Security Advisory - proftpd, kernel

2001-02-13 Thread Trustix Security Advisory Team
Hi, Trustix has made available security updates for Trustix Secure Linux. kernel: Trustix specific: no Distribution versions: All A race condition in ptrace allows a malicious user to gain root. A signedness error in the sysctl interface also potentially allows a user to gain root. proftpd: Tru

Re: Fwd: Re: phpnuke, security problem...

2001-02-13 Thread Thomas J. Stensas
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 Greets. This problem is known and fixed by the author, and a patched opendir.php file has been made available for download from the phpnuke home site. phpnuke home: http://www.phpnuke.org/ Patched opendir.php: http://www.phpnuke.org/download.php?op=

Re: [2] vixie cron possible local root compromise

2001-02-13 Thread Mark van Reijn
You are so right!! Must have been very late or something... I've checked whether it actually works...nope! Crontab doesn't get more than 20 chars but somehow it copies them twice? Strange Mark Mate Wierdl <[EMAIL PROTECTED]> wrote on 13-2-01 18:23:10: > >On Mon, Feb 12, 2001 at 10:14:00PM +0100,

elm 2.5 PL3 exploit

2001-02-13 Thread kiss
this is a just a proof of concept, i haven't included setgid call in the shellcode: /*** - elm253-exploit.c - ***/ #include #define NOP 0x90 #define LEN 356 #define OFFSET 0 #define RET 0xba64 unsigned long dame_sp() { __asm__("movl %esp,%eax");

Re: vixie cron possible local root compromise

2001-02-13 Thread Alfred Perlstein
* Andrew Brown <[EMAIL PROTECTED]> [010213 14:38] wrote: > >When crontab has determined the name of the user calling crontab (using > >getpwuid()), > >the login name is stored in a 20 byte buffer using the strcpy() function > >(which does no bounds checking). 'useradd' (the utility used to add use

Re: vixie cron possible local root compromise

2001-02-13 Thread Rodrigo Barbosa (aka morcego)
On Mon, Feb 12, 2001 at 01:12:02PM -0500, gabriel rosenkoetter wrote: > On Sun, Feb 11, 2001 at 12:38:02AM +0100, Flatline wrote: > > When crontab has determined the name of the user calling crontab (using > > getpwuid()), > > the login name is stored in a 20 byte buffer using the strcpy() functio

Microsoft Security Bulletin MS01-009

2001-02-13 Thread Microsoft Product Security
The following is a Security Bulletin from the Microsoft Product Security Notification Service. Please do not reply to this message, as it was sent from an unattended mailbox. -BEGIN PGP SIGNED MESSAGE- - --

Re: vixie cron possible local root compromise

2001-02-13 Thread Alan DeKok
gabriel rosenkoetter <[EMAIL PROTECTED]> wrote: > On Sun, Feb 11, 2001 at 12:38:02AM +0100, Flatline wrote: > > When crontab has determined the name of the user calling crontab (using > > getpwuid()), > > the login name is stored in a 20 byte buffer using the strcpy() function > > (which does no b

Re: vixie cron possible local root compromise

2001-02-13 Thread gabriel rosenkoetter
On Tue, Feb 13, 2001 at 03:54:00PM -0500, Alan DeKok wrote: > I find this attitude amazing. You don't understand why other people > would want to have usernames longer than 8 characters, so you're > willing to blame *their* systems for security problems when insecure > applications are executed

SSH1 key recovery patch

2001-02-13 Thread Iván Arce
Hello, In light of the recent posts to bugtraq concerning the CORE SDI advisory that describes the SSH1 session key recovery vulnerability a few things needs to be noted: - CORE SDI does not provide support services to SSH1 and does not maintain its source tree. However, given the inst