email
Core Security Technologies sends the Microsoft team the information
requested. The vulnerability was triggered on Virtual PC SP1 with and
without HAV, using a Windows XP SP2 guest OS over a Windows XP SP3 host OS.
. 2009-09-08:
MSRC acknowledges Core email.
. 2009-09-08:
Vendor says that it is still investigating the bug and will have more
concrete details in a few days.
-----------------------------[source code start]-------------------------------
if ($msg) {
$msg = trim($msg);
$res = mysql_query("SELECT id, acceptpms, notifs, email, UNIX_TIMESTAMP(last_access) as la FROM users WHERE username=".sqlesc($receiver)."");
$user = mysql_fetch_assoc($res);
if (!$user)
$message = "Username not found.";
...
Advisory: IceWarp WebMail Server: SQL Injection in Groupware Component
During a penetration test RedTeam Pentesting discovered multiple
SQL-Injections in the IceWarp WebMail Server. Attackers that are in
control of a user account for the web-based email and groupware
components are able to execute arbitrary SQL SELECT statements and
therefore read any data from the DBMS that are accessible by the Icewarp
eMail Server.
III. ANALYSIS
Exploitation allows an attacker to execute arbitrary code with the
privileges of the current user. Exploitation would require convincing a
targeted user to view a malicious image file either hosted on a Web
server, on local file system or embedded in an e-mail or Office
documents, or through some form of social engineering.
This vulnerability also can be triggered through e-mail. If the e-mail
client can automatically display images embedded in the e-mail, the
user only needs to open the e-mail to trigger the vulnerability.
Exploitation allows an attacker to execute arbitrary code with the
privileges of the current user. Exploitation would require convincing a
targeted user to visit a malicious URL through some form of social
engineering.
This vulnerability can also be triggered through e-mail. If the e-mail
client automatically displays images embedded in the e-mail, the user
only needs to open the e-mail to trigger the vulnerability.
IV. DETECTION
http://www.infigo.hr/en/
Title: SOPHOS Email Security Appliance Cross Site Scripting Vulnerability
Advisory ID: INFIGO-2008-02-13
Date: 2008-02-13
Advisory URL: http://www.infigo.hr/en/in_focus/advisories/INFIGO-2008-02-13
Impact: Malicious JavaScript Code Injection
Risk Level: Medium
Dear Bugtraq community,
I am happy to announce the immediate availability of a web based email
security testing tool at http://www.ismymailsecure.com. The tool is an
end-user friendly way to determine if the mail servers for a certain
email address support the STARTTLS capability to encrypt the email
transfer between servers. While most email providers have frontends that
use encryption, the actual email transfers via SMTP are often not secure
at all, giving users a false sense of security. While it was always
possible to manually check for the availability of TLS encryption, the
>> At 30.02.2010 Mozilla fixed vulnerability (small one, which poses no
>> security risk, as they said), found by Henry Sudhof - Mozilla Foundation
>> Security Advisory 2010-23
>> (http://www.mozilla.org/security/announce/2010/mfsa2010-23.html) (Image
>> src
>> redirect to mailto: URL opens email editor). Which allow to open email
>> client at user's computer via redirector, which redirecting to mailto:
>> URL.
>> But this vulnerability was fixed only in Firefox 3.5.9, Firefox 3.6.2 and
>> SeaMonkey 2.0.4, but not in Firefox 3.0.x.
>>
> At 30.02.2010 Mozilla fixed vulnerability (small one, which poses no
> security risk, as they said), found by Henry Sudhof - Mozilla Foundation
> Security Advisory 2010-23
> (http://www.mozilla.org/security/announce/2010/mfsa2010-23.html)
> (Image src
> redirect to mailto: URL opens email editor). Which allow to open email
> client at user's computer via redirector, which redirecting to mailto:
> URL.
> But this vulnerability was fixed only in Firefox 3.5.9, Firefox 3.6.2 and
> SeaMonkey 2.0.4, but not in Firefox 3.0.x.
>
At 30.02.2010 Mozilla fixed vulnerability (small one, which poses no
security risk, as they said), found by Henry Sudhof - Mozilla Foundation
Security Advisory 2010-23
(http://www.mozilla.org/security/announce/2010/mfsa2010-23.html) (Image src
redirect to mailto: URL opens email editor). Which allow to open email
client at user's computer via redirector, which redirecting to mailto: URL.
But this vulnerability was fixed only in Firefox 3.5.9, Firefox 3.6.2 and
SeaMonkey 2.0.4, but not in Firefox 3.0.x.
After I recently read this advisory, I decided to check different browsers.
SektionEins GmbH
www.sektioneins.de
-= Security Advisory =-
Advisory: MyBB Password Reset Email BCC: Injection Vulnerability
Release Date: 2010/04/13
Last Modified: 2010/04/13
Author: Stefan Esser [stefan.esser[at]sektioneins.de]
Application: MyBB <= 1.4.11
#####################################################################################
===============
1) Introduction
===============
Sick of junk email? Bored of all email programs looking the same? Take a look at Eureka Email and see how different things could be...
Eureka Email has a built in junk email filter which can remove about 95% of your spam and it continually learns as it comes across new junk emails. You can customise the program so each of your friends has their own icon and sound for when they send you an email. You can also set up special accounts for your children so that they never get to see sexually explicit or offensive junk emails.
(from Eureka Mail website)
#####################################################################################
A Remote Code Execution vulnerability exists in Vtiger CRM version
5.0.4. In order to exploit this vulnerability an account on the CRM
system is required.
The vulnerability resides in the "Compose Mail" section. The software
permits sending email with attachments and offers a draft save feature.
When this feature is requested and an attachment is specified, the
"saveForwardAttachments" validation routine is called.
This routine involves some security checks to handle uploaded files, it
See you next year!
This message contains confidential information and is intended only for the individual named. If you are not the named addressee you should not disseminate, distribute or copy this e-mail. Please notify the sender immediately by e-mail if you have received this e-mail by mistake and delete this e-mail from your system. E-mail transmission cannot be guaranteed to be secure or error-free as information could be intercepted, corrupted, lost, destroyed, arrive late or incomplete, or contain viruses. The sender therefore does not accept liability for any errors or omissions in the contents of this message, which arise as a result of e-mail transmission. If verification is required please request a hard-copy version.
Advisory: IceWarp WebMail Server: Cross Site Scripting in Email View
During a penetration test, RedTeam Pentesting discovered that the IceWarp
WebMail Server is prone to Cross Site Scripting attacks in its email view.
This enables attackers to send emails with embedded JavaScript code,
for example, to steal users' session IDs.
Details
=======
#######################################
ShakaCon III Crew
Hawaii: Home of Sun, Surf, and C Shells
#######################################
Its contents:
function authenticate()
{
$authentication = $this->access->authenticate($_POST['email'],$_POST['password'],(bool) $_POST['stayLogged']);
if($authentication === true)
{
header('Location: index.php?info=hasLoggedIn');
exit;
}
* Do not follow untrusted links
Timeline:
* 2008-xx-xx Issues discovered
* 2009-02-25 Contacted vendor via e-mail
* 2009-03-02 Contacted vendor via e-mail
* 2009-03-02 Vendor response.
XSS vulnerabilities were already fixed independently.
Description
pPIM (http://www.phlatline.org/index.php?page=prod-ppim) is a Personal
Information Management application written in PHP that can store
contacts (including their photos), events, links, notes, send and check
email, and upload files. pPIM came to my attention recently with the
publishing on Milw0rm of exploit code designed to facilitate remote
command execution (http://www.milw0rm.com/exploits/8093). As there is a
milw0rm exploit already posted it is likely malicious users are already
exploiting pPIM. I decided to have a closer look at pPIM and, quite
frankly, was horrified by what I found. pPIM contains multiple
PR08-21: Cross-site Request Forgery (CSRF) on Novell GroupWise WebAccess
allows email theft and other attacks
Vulnerability found: 3rd October 2008
Vendor contacted: 3rd October 2008
Advisory publicly released: 30th January 2009
Severity: Critical
difficult to exploit.
--
Brett Lymn
"Warning:
The information contained in this email and any attached files is
confidential to BAE Systems Australia. If you are not the intended
recipient, any use, disclosure or copying of this email or any
attachments is expressly prohibited. If you have received this email
in error, please notify us immediately. VIRUS: Every care has been
taken to ensure this email and its attachments are virus free,
of userland threading.
--
Brett Lymn
just spreading FUD.
--
Brett Lymn
controlled in Solaris.
--
Brett Lymn
diminishes the size of the problem.
--
Brett Lymn
be babbling like this.
--
Brett Lymn
*Report Timeline*
. 2008-04-24:
Initial contact email sent by Core to BigView team setting the estimated
publication date of the advisory to May 19th.
. 2008-04-28:
Vendor acknowledges the email notification.
Public disclosure: 03/2008
PART I - COMPROMISING USER’S ACCOUNT
Explanation:
When the user already has a session and clicks on that link (from the email), the exploit code is executed automatically. The user's email address is changed without his/her notice. At the same time, his/her current email address, first and last name, and current encrypted password (from the User Information page) are logged by a remote server-side script.
The attacker reads all this information in a log file.
After that, he gets a new user password sent to his email address by using the Lost Password form.
With the victim's username and password, the attacker has full permission on that account and can do whatever he wants.
Upon finishing his work, he restores the user's initial email address and encrypted password.