configuration file
*How to disable this behavior*
You can disable this behavior by adding an entry to the host
configuration file. This will override any VM-specific configuration and
globally disable the behavior for all virtual machines running on the host.
The host configuration is owned by the System/root account, so it is
protected against non-root users who have virtual machines on the system.
V. WORKAROUND
iDefense is currently unaware of any workarounds for this issue. The
XInput extension is normally compiled into the X Server; as such, it's
not possible to disable it from being loaded in the configuration file.
VI. VENDOR RESPONSE
The X.Org team has addressed these vulnerabilities with the release of
Xserver version 1.4.1. Additionally, patches for versions 1.4 and 1.2
http://www.ibm.com/support/docview.wss?rs=475&uid=swg21285600
Workaround 1: Delete the keyview.ini file in the Notes program directory.
This disables ALL viewers. When a user clicks View (for any file), a
dialog box will display with the message "Unable to locate the viewer
configuration file."
Workaround 2: Delete the problem file l123sr.dll file. When a user tries
to view the specific file type, a dialog box will display with the message
"The viewer display window could not be initialized." All other file types
work without returning the error message.
Multiple vulnerabilities have been found and corrected in phpmyadmin:
The setup script used to generate configuration can be fooled using
a crafted POST request to include arbitrary PHP code in generated
configuration file. Combined with the ability to save files on the
server, this can allow unauthenticated users to execute arbitrary
PHP code (CVE-2010-3055).
It was possible to conduct an XSS attack using crafted URLs or POST
parameters on several pages (CVE-2010-3056).
In fact, in order to exploit that function you need:
1) an application which explicitly calls it (i.e. it's not used, as far
as I can tell, in the regular handshake)
2) you should pass the ciphers with the malformed names to BOTH client and server (always as far as I can tell), because the cipher-setting handshake occurs and it doesn't call the function, so if I'm correct on this, this means:
3) you should have an SSL-enabled application where you can run and/or supply with a configuration file both the client and the server, and which is suid or run with higher privileges than yours for this to be exploitable.
Unless I spectacularly missed something which enables one to jump through point 2... which is quite possible, this looks like a very unlikely exploitation vector.
So - where am I wrong? :)
Description:
KeyFax response management system provides professional management of
housing and other repairs; KeyFax is normally accessed using a web
browser over port 80. Various KeyFax pages are vulnerable to
reflected XSS attacks. Other pages, including the configuration file,
disclose information including the operator and SQL account passwords.
Version 3.2.2.6 dated 2003-2010
The following demonstrate the XSS flaws (no authentication needed):
Details
=======
The Cisco NAC Guest Server system software contains a vulnerability
in the configuration file of the RADIUS authentication software. This
misconfiguration may allow an unauthenticated user to access the
protected network. This vulnerability may result in authentication
bypass without requiring a valid username or password.
This vulnerability is documented in Cisco Bug ID CSCtj66922 (
The FreeBSD telnet daemon, telnetd(8), implements the server side of the
TELNET virtual terminal protocol. It has been disabled by default in
FreeBSD since August 2001, and due to the lack of cryptographic security
in the TELNET protocol, it is strongly recommended that the SSH protocol
be used instead. The FreeBSD telnet daemon can be enabled via the
/etc/inetd.conf configuration file and the inetd(8) daemon.
The TELNET protocol has a mechanism for encryption of the data stream
(but it is not cryptographically strong and should not be relied upon
in any security-critical applications).
redirected.
=====[ Further attack scenarios ]=======================================
As depicted by the abovementioned factors, an attacker could easily run
arbitrary commands, even to overwrite system configuration files.
For instance, the Internet Super-Server (inetd) configuration file
"/etc/inetd.conf" could be modified, aiming to execute the telnet daemon
bound to an arbitrary TCP port that would be reachable through corporate
firewalls.
Previous versions of the lighttpd package are vulnerable to a remote
Denial of Service attack in which the termination of one SSL connection
may cause another concurrent SSL connection to terminate prematurely.
lighttpd is not installed by default on rPath Linux systems, and no
default configuration file is provided; only systems customized to
include and configure lighttpd are vulnerable.
Appliances built with rPath Appliance Platform Agent 2 use lighttpd and
are vulnerable to this denial of service attack. All appliances built
using rPath Appliance Platform Agent 2 should be updated to include the
r682868.
5. Detailed analysis
When Apache HTTP Server is configured with proxy support
("ProxyRequests On" in the configuration file), and when mod_proxy_ftp
is enabled to support FTP-over-HTTP, requests containing wildcard
characters (asterisk, tilde, opening square bracket, etc.) such as:
GET ftp://host/*<foo> HTTP/1.0
reasons, it is no longer possible to use wide links and UNIX extensions at
the same time. After applying this security update, wide links will be
disabled automatically as UNIX extensions are turned on by default. If
wide links are required, you can re-enable them by adding
"unix extensions = no" to the [global] section of the /etc/samba/smb.conf
configuration file.
Details follow:
It was discovered that Samba handled symlinks in an unexpected way when both
"wide links" and "UNIX extensions" were enabled, which is the default. A
--- CUT ---
and config file:
--- CUT ---
// Sample pdnsd configuration file. Must be customized to obtain a working pdnsd setup!
// Read the pdnsd.conf(5) manpage for an explanation of the options.
// Add or remove '#' in front of options you want to disable or enable, respectively.
// Remove '/*' and '*/' to enable complete sections.
global {
Previous versions of the dovecot package are vulnerable to an
Unauthorized Access attack in which a remote attacker may bypass
password authentication.
dovecot is not installed by default on rPath Linux systems, and
the default dovecot configuration file provided with rPath Linux
does not trigger this vulnerability; only systems customized to
include and reconfigure dovecot may be vulnerable.
http://wiki.rpath.com/Advisories:rPSA-2008-0108
Exploitation of these vulnerabilities might result in code execution on
the host system or on the service console in ESX Server from the guest
operating system.
The VIX API can be enabled and disabled using the "vix.inGuest.enable"
setting in the VMware configuration file. The default value for this
setting is "disabled". This configuration setting is present in the
following products:
VMware Workstation 6.0.2 and higher
VMware ACE 6.0.2 and higher
VMware Server 1.06 and higher
It was possible to conduct XSS using a crafted database name
(CVE-2012-1190).
The show_config_errors.php script did not validate the presence of
the configuration file, so an error message shows the full path of
this file, leading to possible further attacks (CVE-2012-1902).
This upgrade provides the latest phpmyadmin version (3.4.10.2) to
address these vulnerabilities.
_______________________________________________________________________
V. WORKAROUND
TIBCO has identified the following workarounds:
* Disable the rtserver UDP port if it has been enabled in the rtserver
configuration file.
* Utilize a firewall to restrict access to the rtserver.
* Use a user with restricted privileges to invoke the rtserver
or application.
Product: Alkacon OpenCms
http://www.opencms.org/
OpenCms contains a vulnerability in the Logfile Viewer Settings function. Input to Parameter filePath.0 in page opencms/system/workplace/admin/workplace/logfileview/logfileViewSettings.jsp is not sufficiently validated and/or sanitized. This can be exploited as a cross-site scripting issue but also as a file access issue, which allows a disclosure of arbitrary files that are readable in the OS security context of the JSP container process. The resulting page even has a "Download" button, which facilitates retrieving binary files. Possible targeted files could be /etc/passwd, /proc pseudo-files, Java keystore, OpenCms configuration file (with database password), etc.
Only OpenCms users in administrator roles have access to the vulnerable URL, which partially reduces the severity of the file disclosure aspect.
Example 1 (XSS):
http://(target)/opencms/system/workplace/admin/workplace/logfileview/logfileViewSettings.jsp?
ESX Server, or VMware GSX Server.
CVE Id(s) : CVE-2010-4345 CVE-2011-0017
Behaviour change : yes
A design flaw (CVE-2010-4345) in exim4 allowed the local Debian-exim
user to obtain root privileges by specifying an alternate
configuration file using the -C option or by using the macro override
facility (-D option). Unfortunately, fixing this vulnerability is not
possible without some changes in exim4's behaviour. If you use the -C
or -D options or use the system filter facility, you should evaluate
the changes carefully and adjust your configuration accordingly. The
Debian default configuration is not affected by the changes.
graphical FTP clients. It's not compatible with browsers, because
browsers use a different mechanism, FTP over HTTP proxy. FTP proxy is not
commonly used.
The vulnerability requires the 'ftppr' service to be manually enabled in the
3proxy configuration file, or the special 'ftppr' application to be executed.
No other services (SOCKS, HTTP including FTP over HTTP proxy, POP3, TCP and
UDP portmapping, etc.) are affected.
The vulnerability is of the pre-authentication type, but, because the FTP
proxy in the 3proxy 0.5x branch doesn't support reverse proxying, it should
never be
There are two steps required to change the database password:
1. First change the database password.
2. Then update the Management Console configuration file with the new
database password.
Complete these steps:
1. Log in to the database using the old password, and then use the
A Buffer Overflow vulnerability is detected in Format Factory v2.95 Software. The Buffer Overflow vulnerability is
located in the *.ini configuration file when loading the maxwidth size. Local attackers can modify
or replace the ini settings to overwrite the EIP register. Successful exploitation can result in privilege escalation
with the system access rights of the affected vulnerable software process.
Vulnerable Module(s):
[+] INI - Width & Height - Size & Buffer Validation
>
> The Cisco IOS FTP Server feature contains multiple vulnerabilities that
> can result in a denial of service (DoS) condition, improper verification
> of user credentials, and the ability to retrieve or write any file from
> the device filesystem, including the device's saved configuration. This
> configuration file may include passwords or other sensitive information.
>
> None of those sound like "remote overflow" to me. If this exploit code
> included in this mail is accurate, that means the Cisco advisory used
> crafty wording to hide the nature of the bug. Given they scored CSCek55259 /
> CVE-2007-2586 as 10.0 (and the other issue 2.0), that means that "improper
A security vulnerability has been identified and fixed in pam:
Integer signedness error in the _pam_StrTok function in
libpam/pam_misc.c in Linux-PAM (aka pam) 1.0.3 and earlier, when a
configuration file contains non-ASCII usernames, might allow remote
attackers to cause a denial of service, and might allow remote
authenticated users to obtain login access with a different user's
non-ASCII username, via a login attempt (CVE-2009-0887).
The updated packages have been patched to prevent this.
Previous versions of the lighttpd package are vulnerable to multiple
Information Exposures, the most serious of which may allow a remote
attacker to read arbitrary files.
lighttpd is not installed by default on rPath Linux systems, and no
default configuration file is provided; only systems customized to
include and configure lighttpd are vulnerable.
http://wiki.rpath.com/Advisories:rPSA-2008-0106
Copyright 2008 rPath, Inc.
Multiple vulnerabilities have been reported in phpMyAdmin:
* Greg Ose discovered that the setup script does not sanitize input
properly, leading to the injection of arbitrary PHP code into the
configuration file (CVE-2009-1151).
* Manuel Lopez Gallego and Santiago Rodriguez Collazo reported that
data from cookies used in the "Export" page is not properly sanitized
(CVE-2009-1150).
printing. This could allow the removal of arbitrary files belonging
to users who invoke the program.
CVE-2008-0931
The xwine command changes the permissions of the global WINE configuration
file such that it is world-writable. This could allow local users to edit
it such that arbitrary commands could be executed whenever any local user
executed a program under WINE.
For the stable distribution (etch), these problems have been fixed in version
1.0.1-1etch1.
Vulnerability Description
-------------------------
A post-installation shell script is executed both in the provisioning of a
Security Management Domain and installation of a standalone SmartCenter. The
script is used to generate a configuration file for use by the SofaWare
Management Server (SMS). The SMS is used to send all configuration changes
performed in the SmartCenter/Management Domain to UTM-1 Edge devices. UTM-1
Edge devices also communicate their status to the SmartCenter/Management
Domain via SMS.
5. Vulnerability Details
========================
If a specially crafted message is sent to the JDENET service (specifically to the SAW Kernel), a user can remotely change the JDE.INI configuration
file. This situation might help the attacker to perform complex attacks that would lead to a full compromise of the system.
Further technical details about this issue are not disclosed at this moment, in order to give affected customers enough time to patch
their systems and protect against the exploitation of the described vulnerability.
6. Solution