files
Advisory: Authentication Bypass in Configuration Import and Export of
ZyXEL ZyWALL USG Appliances
Unauthenticated users with access to the management web interface of
certain ZyXEL ZyWALL USG appliances can download and upload
configuration files that are applied automatically.
Details
=======
RESOLUTION
HP has made patches available to resolve the vulnerabilities for NNM v7.53.
HP has made a new version of the ovalarmsrv program available to resolve the vulnerabilities for NNM v7.01 and NNM v7.51. The new ovalarmsrv is available as a file to be installed manually. The files are listed in the table below. Instructions for installing the files are contained in the readme_for_ovalarmsrv.txt file.
For NNM v7.01 and NNM v7.51, the patches must be installed before the ovalarmsrv file is installed.
The ovalarmsrv files and the readme_for_ovalarmsrv.txt file are available from ftp://ss080044:ss080044@hprc.external.hp.com/
On Mon, Oct 26, 2009 at 12:14:36PM -0400, Stephen Harris wrote:
|| User1 creates file with permissions 0644
|| User2 opens file for read access on file descriptor 4
|| User1 chmod's directory to 0700
|| User1 chmod's file to 0666
|| User1 verifies no hard links to file
|| User2 can not open the file for read or write access
|| User2 can not write to file descriptor 4
|| User2 _can_ write to /proc/$$/fd/4
RESOLUTION
HP has made patches available to resolve the vulnerabilities for NNM v7.53.
HP has made a new version of the ovtopmd program available to resolve the vulnerabilities for NNM v7.01 and NNM v7.51. The new ovtopmd is available as a file to be installed manually. The files are listed in the table below. Instructions for installing the files are contained in the readme_for_ovtopmd.txt file.
For NNM v7.01 and NNM v7.51, the patches must be installed before the ovtopmd file is installed.
The ovtopmd files and the readme_for_ovtopmd.txt file are available from ftp://ss080046:ss080046@hprc.external.hp.com/
Privilege escalation in bytehoard 2.1
Background
Bytehoard is a web application written in PHP that serves as a file
storage and sharing system.
It has two levels of security, a user level and an admin level. Login is
required but it can be configured to allow anyone to obtain a user level
account if desired.
arbitrary code, gain privileges, or cause a denial of service
condition. These vulnerabilities exist in the products and on the
platforms listed below. These vulnerabilities do not impact any
Windows-based Ingres installation. The first vulnerability,
CVE-2008-3356, allows an unauthenticated attacker to potentially
set the user and/or group ownership of a verifydb log file to be
Ingres allowing read/write permissions to both. The second
vulnerability, CVE-2008-3357, allows an unauthenticated attacker
to exploit a pointer overwrite vulnerability to execute arbitrary
code within the context of the database server process. The third
vulnerability, CVE-2008-3389, allows an unauthenticated attacker
Advisory:
/////////
There is another remotely exploitable flaw within software preinstalled on HP notebook machines. This time, the culprit is the automatic software update tool provided by the vendor. Potential exploitation may lead to loss of user files or alteration of vital system files (e.g. the kernel), leaving the PC unbootable.
Overview:
/////////
- Severity: Moderately High
=============================================
I. VULNERABILITY
-------------------------
Invision Power Board <= 3.0.4 Local PHP File Inclusion and SQL Injection
Invision Power Board <= 2.3.6 SQL Injection
II. BACKGROUND
-------------------------
Invision Power Board (IPB) is a professional forum system that has
CA Service Desk 12.1
Windows Environment:
1. Locate the files "webengine.exe" and "freeaccess.spl". The files
are located in the "$NX_ROOT\bin" and "$NX_ROOT\bopcfg\www" directory
respectively.
2. Right click on each of the files and select Properties.
3. Select the General tab.
4. If either file timestamp is earlier than indicated in the below
Summary: Solaris and Linux file system behavior has changed over
time, breaking one of the assumptions in Postfix. See below for a
description of the behavior and how it disagrees with standards.
Postfix is not affected on systems with standard (POSIX, X/Open)
file system behavior, i.e. *BSD, AIX, MacOS, HP-UX, and very old
Sun/Linux systems. The fix and workarounds are simple.
There are efforts to get the non-standard behavior approved by
standards (a function called llink). Today's fix for Solaris, Linux
To: L-rsyncrypto <rsyncrypto-devel@lists.sourceforge.net>
Background
Rsyncrypto[1] is a file encryption tool. It has a single RSA key that
encrypts per-file symmetric AES keys. The files themselves are subject
to an encryption method that is based on CBC, but makes a
security-performance trade-off. In particular, the files are encrypted
in such a way that re-encrypting, using the same key, a file that was
slightly modified will result in slightly modified ciphertext. This is
xine-lib, such as Totem-xine and Amarok, to effect the necessary changes.
Details follow:
It was discovered that xine-lib did not correctly handle certain malformed
Ogg and Windows Media files. If a user or automated system were tricked into
opening a specially crafted Ogg or Windows Media file, an attacker could cause
xine-lib to crash, creating a denial of service. This issue only applied to
Ubuntu 6.06 LTS, 7.10, and 8.04 LTS. (CVE-2008-3231)
It was discovered that the MNG, MOD, and Real demuxers in xine-lib did not
------------------------------------------------------------------------
Akamai Download Manager arbitrary file download & execution
------------------------------------------------------------------------
Yorick Koster, April 2009
------------------------------------------------------------------------
Abstract
------------------------------------------------------------------------
Akamai's Download Manager allows attackers to download arbitrary
files onto a user's desktop. Using a so-called "blended
| CubilFelino Security Research Lab |
| proudly presents... |
+------------------------------------------------------------------------+
=======================================================
Security Advisory: WinRAR v3.80 - ZIP Filename Spoofing
=======================================================
Security Researcher Info:
=========================
3. *Vulnerability Description*
Foxit Reader is a lightweight, free PDF document viewer and printer. PDF
files may include actions (e.g., 'Go to a page view', 'Open/Execute a
file', 'Open a web link', 'Execute a menu item') associated with
different triggers (e.g., 'Mouse Up', 'Mouse Down', 'Page Visible',
'Page Invisible'). The way Foxit Reader handles an 'Open/Execute a file'
action exposes the software to two kinds of vulnerabilities:
authorization bypass and buffer overflow.
iCal is a personal calendar application from Apple Inc. included with the
Mac OS X operating system. The calendar application can be used as a
stand-alone application or as a client-side component to a calendar server
that lets users create and share multiple calendars and subscribe to
other users' calendars. Apple's iCal uses the iCalendar standard for its
calendar file format (which uses the '.ics' filename extension) [1] and
the CalDAV protocol for calendar sharing [2]. There is a growing number
of web sites providing calendar files and open subscription to calendar
updates [3][4][5].
Three vulnerabilities discovered in the iCal application may allow
- HTC devices running Android 2.1

- HTC devices running Android 2.2
References: http://www.seguridadmobile.com/android/android-security/HTC-Android-OBEX-FTP-Service-Directory-Traversal.html
Summary:
HTC devices running Android 2.1 and Android 2.2 are prone to a directory traversal vulnerability in the Bluetooth OBEX FTP Service. Exploiting this issue allows a remote authenticated attacker to list arbitrary directories, and read arbitrary files, via a ../ in a pathname.
Description:
Current HTC Android phones include a Bluetooth stack, which provides Bluetooth communications with other remote devices. The File Transfer Profile (OBEX FTP) is one of the Bluetooth services that may be implemented in the stack.
The OBEX FTP service is a software implementation of the File Transfer Profile (FTP), which is intended for data exchange and is based on the OBEX client-server communications protocol. The service is present in a large number of Bluetooth mobile phones. It can be used for sending files from the phone to other remote devices, and it also allows remote devices to browse shared folders and download files from the phone.
Microsoft Help Files (.CHM): 'Locked File' Bypass
Versions Affected: Windows XP, Windows Vista, Windows 7
pdf: http://www.security-assessment.com/files/advisories/Windows_Locked_HelpFiles.pdf
+-----------+
Release Type: Co-ordinated, responsible disclosure
2. Vulnerability Information
------------------------------------------------------------------------------------------------------------------------
Class: Cross Site Request Forgery, Cross Site Scripting, File Path
Disclosure, Local File Inclusion, Authentication Bypass and PHP Command
Injection
Remotely Exploitable: Yes
Locally Exploitable: No
Lots of security holes can fall into that category! The code matches
its design, and works as expected... it's just that the author had no
idea what he was getting himself into. =8^)
> If the file owner in fact allows writing to it, why should Linux
> prevent that from happening?
Because securing a file by securing directories that lead to it is a
valid and important (and expected) feature of file access semantics.
How to determine if you are affected:
For Windows:
1. Using Windows Explorer, locate the file "rxRPC.dll". The file
can be found in the following default locations:
CA ARCserve Backup for Laptops and Desktops 11.5:
C:\Program Files\CA\BrightStor ARCserve Backup for Laptops and
Desktops\Server
different third-party open source libraries to implement processing of
several image formats.
Android includes a web browser based on the Webkit framework that
contains multiple binary vulnerabilities when processing .GIF, .PNG and
.BMP image files, allowing malicious client-side attacks on the web
browser. A client-side attack could be launched from a malicious web
site, hosting specially crafted content, with the possibility of
executing arbitrary code on the victim's Android system.
These client-side binary vulnerabilities were discovered using the
== Abstract ==
WinImage is a disk image exploration application with many
useful functions, such as injecting/extracting files into and out of
data images, handling virtual machines' hard drive images, and so on.
The first vulnerability - Denial of Service - exists in the FAT image
handling function (mainly diskette image files are able to cause this kind
of application hang, but it's also possible that other image formats'
Impact: An unauthenticated remote attacker without any kind of
credentials can access the SMB service under the credentials of an
authorized user. Depending on the privileges of the authorized user, and
the configuration of the remote system, an attacker can gain read/write
access to the remote file system and execute arbitrary code by using
DCE/RPC over SMB.
Remotely Exploitable: Yes
Bugtraq Id: <unknown>
CVE: CVE-2010-0231
For the complete post with images, please visit
http://securethoughts.com/2009/11/using-blended-browser-threats-involving-chrome-to-steal-files-on-your-computer/
SECURETHOUGHTS.COM ADVISORY
=============================================
- CVE-ID : CVE-2009-XXXX (Chrome) {Pending}
- Release Date : November 05, 2009
- Severity : Medium
- Discovered by : Inferno
Jim,
Your assumption that the same file descriptor is being re-opened is
wrong!
The file descriptor retrieved via /proc is a new one. It is not the
same as the initial read-only one.
Do a strace on your test and you will see that the 'file descriptor'
in /proc
Multiple Vulnerabilities found in Rapidleech
1. General Information
Rapidleech is a Web based application supporting file upload and download on
the Internet, especially files from popular sites such as rapidshare.com,
megaupload.com, depositfiles.com.
On March 03, 2009, Bkis detected several vulnerabilities in the upload
function of Rapidleech. These are highly critical vulnerabilities, allowing
Vulnerable Version(s): 2.3.6 and probably prior
Tested Version: 2.3.6
Vendor Notification: 29 February 2012
Vendor Patch: 16 March 2012
Public Disclosure: 21 March 2012
Vulnerability Type: Arbitrary File Manipulation, Arbitrary File Upload, XSS
CVE Reference(s): CVE-2012-1467, CVE-2012-1468, CVE-2012-1469
Solution Status: Fixed by Vendor
Risk Level: Critical
Credit: High-Tech Bridge SA Security Research Lab ( https://www.htbridge.com/advisory/ )
------------------------------------------------------------------------
Besides changing the default password for the admin user and removing
the install.php script, no specific instructions are provided to secure
the installation of FWS. The manual assumes that FWS is installed on a
LAMP server (Linux, Apache, MySQL & PHP). If the ZIP archive is
extracted or the files are uploaded to the document root of the
webserver, the new files and directories will be created based on the
active umask. In most cases, this will give read & write access to
the owner of the files and read access for all other users.
Since FWS needs to write to certain files and directories, the