
Multiple Vulnerabilities in iAntiVirus

   Impact:
   False positives are lost, since it is impossible to restore
   them. It may also be possible to evade the virus protection.

3. No user restrictions in quarantine management

   All quarantined files are managed in the same area. Every
   user can restore the files of every other user, including
   the admin's.


Cisco Security Advisory: Cisco Unified Communications Manager IP Phone Personal Address Book Synchronizer Privilege Escalation Vulnerability

Details
=======

The Cisco IP Phone Personal Address Book (PAB) Synchronizer feature
of Cisco Unified Communications Manager allows users to keep their
Cisco Unified Communications Manager address book synchronized with
their Microsoft Windows address book. The IP Phone PAB Synchronizer
feature contains a privilege escalation vulnerability that may allow
an attacker to obtain complete administrative access to a vulnerable
Cisco Unified Communications Manager system. After an IP Phone PAB

[USN-667-1] Firefox and xulrunner vulnerabilities

necessary changes.

Details follow:

Liu Die Yu discovered an information disclosure vulnerability in Firefox
when using saved .url shortcut files. If a user were tricked into
downloading a crafted .url file and a crafted HTML file, an attacker
could steal information from the user's cache. (CVE-2008-4582)

Georgi Guninski, Michal Zalewski and Chris Evans discovered that the
same-origin check in Firefox could be bypassed. If a user were tricked

two bytehoard 2.1 bugs

Background

Bytehoard is a web application written in PHP that serves as a file 
storage and sharing system.
It has two levels of security, a user level and an admin level. Login is 
required but it can be configured to allow anyone to obtain a user level 
account if desired.


Summary

[USN-1017-1] MySQL vulnerabilities

In general, a standard system update will make all the necessary changes.

Details follow:

It was discovered that MySQL incorrectly handled certain requests with the
UPGRADE DATA DIRECTORY NAME command. An authenticated user could exploit
this to make MySQL crash, causing a denial of service. This issue only
affected Ubuntu 9.10 and 10.04 LTS. (CVE-2010-2008)

It was discovered that MySQL incorrectly handled joins involving a table
with a unique SET column. An authenticated user could exploit this to make

[RT-SA-2011-003] Authentication Bypass in Configuration Import and Export of ZyXEL ZyWALL USG Appliances

Advisory: Authentication Bypass in Configuration Import and Export of
          ZyXEL ZyWALL USG Appliances

Unauthenticated users with access to the management web interface of
certain ZyXEL ZyWALL USG appliances can download and upload
configuration files, which are applied automatically.


Details
=======

Talsoft S.R.L. Security Advisory - WordPress User IDs and User Names Disclosure

-----------------------------------------------------------------------
Talsoft S.R.L. Security Advisory
WordPress User IDs and User Names Disclosure
-----------------------------------------------------------------------

I. Advisory information
Title: WordPress User IDs and User Names Disclosure
Advisory Id: TALSOFT-2011-0526
Advisory URL: http://www.talsoft.com.ar/index.php/research/security-advisories/wordpress-user-id-and-user-name-disclosure
Date published: 2011-05-26

Hacktics Advisory Dec09: Oracle eBusiness Suite - Multiple Vulnerabilities Allow Remote Takeover

I. Overview
===========
During a penetration test performed by Hacktics' experts, certain
vulnerabilities were identified in the Oracle eBusiness Suite deployment.
Further research has identified several vulnerabilities which, combined, can
allow an unauthenticated remote user to take over and gain full control over
the administrative web user account of the Oracle eBusiness Suite. 

A friendly formatted version of this advisory, including a video
demonstrating step-by-step execution of the exploit, is available at:
   http://www.hacktics.com/content/advisories/AdvORA20091214.html

Announce: RSBAC 1.4.0 released

kernel with a good selection of access control models, see
http://www.rsbac.org/why for more details.

Important changes since 1.3 series:

  * VUM (Virtual User Management) support (http://rsbac.org/redir.php?t=vum)
  * One-time password support for user management
    (http://rsbac.org/redir.php?t=otp)
  * Code for kernels 2.4 and 2.6 has been separated. 2.4 kernels might
    be phased out at a later date.
  * PAM module does not send a message "User not authenticated" anymore

VHCS <= 2.4.7.1 (vhcs2_daemon) Remote Root Exploit

#  + Logged in (Administrator)
#  + The administrator has 2 resellers
#  / Changing dareseller's password
#  / Trying to connect as dareseller:thatpwnz
#  + Login successful
#  + The reseller has 2 users
#  + Host domaintest.fr is connected
#  / Trying to write PHP code
#  + PHP code successfully written
#  / We'll have to bypass open_basedir cause safe_mode=On
#  - User  doesn't have SQL rights

[USN-576-1] Firefox vulnerabilities

the necessary changes.

Details follow:

Various flaws were discovered in the browser and JavaScript engine.
By tricking a user into opening a malicious web page, an attacker
could execute arbitrary code with the user's privileges.
(CVE-2008-0412, CVE-2008-0413)

Flaws were discovered in the file upload form control. A malicious
website could force arbitrary files from the user's computer to be

Multiple vulnerabilities in osCmax

High-Tech Bridge SA Security Research Lab has discovered multiple vulnerabilities in osCmax, which can be exploited to perform SQL Injection and Cross-Site Scripting (XSS) attacks.

1) Multiple Cross-Site Scripting (XSS) in osCmax: CVE-2012-1664

1.1 Input passed via the "username" POST parameter to /admin/login.php is not properly sanitised before being returned to the user.
This can be exploited to execute arbitrary HTML and script code in a user's browser session in the context of the affected website.

The following PoC (Proof of Concept) demonstrates the vulnerability:



VMSA-2010-0011 VMware Studio 2.1 addresses security vulnerabilities in virtual appliances created with Studio 2.0.

    Note: virtual appliances created with VMware Studio 2.0 may be
    affected

3. Problem Description

 a. VMware Studio 2.0 remote command execution by Studio user

    VMware Studio is a development tool to create and manage virtual
    appliances. VMware Studio itself is a virtual appliance.

    A vulnerability in the Virtual Appliance Management Infrastructure

SQL-Ledger – several vulnerabilities

Fraunhofer SIT advises using SQL-Ledger only in non-critical application
scenarios with low security requirements. In addition, the following
risk-mitigation measures should be taken:

- Users shall be advised to use a separate browser or browser profile
  solely to access SQL-Ledger to counter XSRF attacks.
- Untrusted users should be given read-only access to the database to prevent
  damage from SQL injection attacks.
- The server administrator shall restrict file creation rights on the
  SQL-Ledger server in order to prevent the storing of arbitrary files which

OpenCms (7.5.0) - Vulnerability: Cross-Site Scripting, Phishing Through Frames, Application Error

Various URLs within the deployed OpenCms application version 7.5.0 are
vulnerable to attacks including Cross-Site Scripting, Phishing Through
Frames and Application Error.  Some of these attacks allow injection of
scripts through a parameter in the request.  The application should filter
such hazardous characters out of user input.

Example follows:
Vulnerable URL (from the OpenCms VFS):
/opencms/opencms/system/modules/org.opencms.workplace.help/jsptemplates/
help_head.jsp?&homelink=>"'><script>alert("This%20site%20has%20been%20co

Re: [Full-disclosure] [ISecAuditors Security Advisories] Gmail vulnerable to automated password cracking

>
> III. DESCRIPTION
> -------------------------
> An existing abuse of functionality in the "Check for mail using POP3"
> capability permits automated attacks to the password data of the
> accounts of the Gmail users evading the security measures adopted by
> Google.
>
> Gmail implements a great number of security controls and, most of them
> are not revealed until an attack is conducted or a malicious use of
> the account is done. For example:

[ISecAuditors Security Advisories] Gmail vulnerable to automated password cracking

III. DESCRIPTION
-------------------------
An existing abuse of functionality in the "Check for mail using POP3"
capability permits automated attacks to the password data of the
accounts of the Gmail users evading the security measures adopted by
Google.

Gmail implements a great number of security controls and, most of them
are not revealed until an attack is conducted or a malicious use of
the account is done. For example:

CORE-2008-0826 - Internet Explorer Security Zone restrictions bypass

3. *Vulnerability Description*

Internet Explorer (IE) is the most widely used Web browser, with an
estimated count of 1,100 million users according to a worldwide survey
conducted and published in 2008 [1]. This advisory describes a
vulnerability that provides access to the contents of any file stored in
the local filesystem of users' machines running vulnerable versions of IE.

Exploitation of the vulnerability relies solely on the ability for a

[TKADV2008-001] Panda Internet Security/Antivirus+Firewall 2008 cpoint.sys Kernel Driver Memory Corruption Vulnerability

2) local execution of arbitrary code at the kernel level (complete system 
   compromise)

The issue can be triggered by sending a specially crafted IOCTL request.

No special user rights are necessary to exploit the vulnerability.


======================
Technical description:
======================

CORE-2007-0817: Remote Command execution, HTML and JavaScript injection vulnerabilities in AOL's Instant Messaging software

CVE Name: CVE-2007-4901

*Vulnerability Description*

AOL Instant Messenger ("AIM", http://www.aim.com) is an instant messaging
application that allows its users to communicate in real time via text,
voice, and video over the Internet. It is maintained by AOL LLC. AIM Pro
is AOL's business-oriented version of AIM targeted for professional use
with an emphasis on "business-grade" security and integration with email
client and other productivity applications
(http://aimpro.premiumservices.aol.com/). AIM Lite, as defined in its

RE: CORE-2007-0817: Remote Command execution, HTML and JavaScript injection vulnerabilities in AOL's Instant Messaging software

CVE Name: CVE-2007-4901

*Vulnerability Description*

AOL Instant Messenger ("AIM", http://www.aim.com) is an instant messaging
application that allows its users to communicate in real time via text,
voice, and video over the Internet. It is maintained by AOL LLC. AIM Pro
is AOL's business-oriented version of AIM targeted for professional use
with an emphasis on "business-grade" security and integration with email
client and other productivity applications
(http://aimpro.premiumservices.aol.com/). AIM Lite, as defined in its

Mambo 4.6.2 CMS - Session fixation Issue in backend Administration interface

Mambo CMS is a popular Content Management System.


Security Risk
=============
It is possible to manipulate the administrator interface's session cookie, which may be used to impersonate a legitimate user, allowing the attacker to view or alter user records and to perform transactions as that user.
The cookie can be set to an arbitrary, attacker-chosen value, which can lead to session hijacking and privilege escalation.

Possible Causes
===============
Insecure web application programming or configuration

Joomla 1.0.12 CMS - Session fixation Issue in backend Administration interface

Joomla CMS is a popular Content Management System.


Security Risk
=============
It is possible to manipulate the administrator interface's session cookie, which may be used to impersonate a legitimate user, allowing the attacker to view or alter user records and to perform transactions as that user.
The cookie can be set to an arbitrary, attacker-chosen value, which can lead to session hijacking and privilege escalation.

Possible Causes
===============
Insecure web application programming or configuration
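The session fixation pattern behind the Mambo and Joomla entries above, shown as an added Python example (this is illustration code, not code from either project): a minimal in-memory session store with a login that keeps whatever session id the client presents, beside one that mints a fresh server-generated id at the authentication boundary. The store, the function names and the planted id are all hypothetical.

```python
# Added illustration of session fixation (not Mambo or Joomla code).
# A server that adopts any client-supplied session id lets an attacker
# plant a known id in the victim's browser and later present that same
# id to ride the victim's authenticated session.
import secrets


class SessionStore:
    """Hypothetical server-side session table: session id -> session data."""

    def __init__(self):
        self.sessions = {}

    def new_id(self):
        # 128-bit random id; only the server ever mints these.
        return secrets.token_hex(16)

    def user(self, sid):
        return self.sessions.get(sid, {}).get("user")


def login_fixable(store, presented_sid, username):
    """Vulnerable: keeps the id the client presented, creating it if unknown.
    PHP behaves this way when session.use_strict_mode is off and the
    application never calls session_regenerate_id()."""
    store.sessions.setdefault(presented_sid, {})["user"] = username
    return presented_sid


def login_regenerating(store, presented_sid, username):
    """Hardened: discard the presented id and mint a fresh one when the
    privilege level changes (the equivalent of session_regenerate_id(true)).
    Pre-login data, if any, is carried over; the old id stops resolving."""
    carried = store.sessions.pop(presented_sid, None) or {}
    fresh_sid = store.new_id()
    store.sessions[fresh_sid] = dict(carried, user=username)
    return fresh_sid


def fixation_attack(login):
    """Run the attack against one login implementation.

    Returns (user the attacker's planted id resolves to after the victim
    logs in, user the victim's own cookie resolves to)."""
    store = SessionStore()
    # Hypothetical id the attacker fixed in the victim's browser beforehand.
    planted_sid = "deadbeefdeadbeefdeadbeefdeadbeef"
    # The victim's browser sends the planted cookie while logging in as admin.
    victim_sid = login(store, planted_sid, "admin")
    return store.user(planted_sid), store.user(victim_sid)


if __name__ == "__main__":
    print("fixable:     ", fixation_attack(login_fixable))
    print("regenerating:", fixation_attack(login_regenerating))
```

With the fixable login the planted id resolves to "admin" after the victim signs in; with the regenerating login it resolves to nothing, because the only authenticated id is the one the server minted and set in the victim's browser.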

Cisco Security Advisory: Cisco Small Business Video Surveillance Cameras and Cisco 4-Port Gigabit Security Routers Authentication Bypass Vulnerability

Summary
=======

Cisco Small Business Video Surveillance Cameras and Cisco RVS4000 4-port
Gigabit Security Routers contain a vulnerability that could allow an
authenticated user to view passwords for other users, regardless of the
authenticated user's level of authorization.

An unprivileged user could take advantage of this vulnerability to
gain full administrative access on the device or view another user's
credentials.

Re: Re: Local vulnerability in suexec + FastCGI + PHP configurations

> Martijn Vernooij (tinus win tue nl) wrote
> On Wed, 11 Feb 2009 security.432 (at) amxl (dot) com [email concealed] wrote:
> > => The attacker must be able to run code as the same user that the
> > webserver runs as. This is unlikely to be a problem for many local
> > attackers, because there are a multitude of possible attack vectors,
> > such as SSI, non-suexec CGI scripts, non-suexec PHP (if mod_php is also
> > installed), and likely numerous other options.
> 
> Once the attacker can run code as the same user the webserver runs as, he
> can make the webserver do whatever he wants. He can just 'debug' the

[USN-635-1] xine-lib vulnerabilities

linked against xine-lib to effect the necessary changes.

Details follow:

Alin Rad Pop discovered an array index vulnerability in the SDP
parser. If a user or automated system were tricked into opening a
malicious RTSP stream, a remote attacker may be able to execute
arbitrary code with the privileges of the user invoking the program.
(CVE-2008-0073)

Luigi Auriemma discovered that xine-lib did not properly check

Simple PHP Blog (sphpblog) <= 0.5.1 Multiple Vulnerabilities

  Later, we'll see how to gain the administrator's session
  id. Even if we have the right session id, there is a
  protection that "normally" doesn't permit being logged in.
  Let's see a part of the file "scripts/sb_login.php":
  
  // Check if user is logged in.
  if ( isset( $_SESSION[ 'logged_in' ] ) &&
       $_SESSION[ 'logged_in' ] == 'yes' ) {

    if ( $_SESSION[ 'site_path' ] ===
         dirname($_SERVER[ 'PHP_SELF' ]) ) {

[USN-957-2] Firefox and Xulrunner vulnerability

Details follow:

USN-957-1 fixed vulnerabilities in Firefox and Xulrunner. Daniel Holbert
discovered that the fix for CVE-2010-1214 introduced a regression which did
not properly initialize a plugin pointer. If a user were tricked into
viewing a malicious site, a remote attacker could use this to crash the
browser or run arbitrary code as the user invoking the program.
(CVE-2010-2755)

This update fixes the problem.

Multiple vulnerabilities in Efront

Credit: High-Tech Bridge SA Security Research Lab ( https://www.htbridge.ch/advisory/ ) 

Vulnerability Details:
High-Tech Bridge SA Security Research Lab has discovered multiple vulnerabilities in Efront, which can be exploited to perform sql injection and cross-site scripting attacks.

1) Input passed via the "course" GET parameter to index.php is not properly sanitised before being returned to the user.
This can be exploited to execute arbitrary HTML and script code in a user's browser session in the context of the affected website.

The following PoC code is available:

http://[host]/index.php?ctg=lesson_info&lessons_ID=1&course=%27%20onmouseover%3dalert%28document.cookie%29%3E
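Why the Efront payload above works, and why the same reflection bug in osCmax's login form is the same class of problem, as an added Python example (illustration code, not Efront or osCmax code): the decoded PoC value `' onmouseover=alert(document.cookie)>` is reflected into a single-quoted href, where escaping only `<` and `>` still lets it close the attribute and add an event handler, while escaping quotes as well (Python's `html.escape` with `quote=True`) keeps it inert. The template that reflects the parameter and the parser-based check are constructed for this illustration; only the payload comes from the advisory.

```python
# Added illustration of reflected XSS in an attribute context (not Efront
# or osCmax code). The "course" value is reflected into a quoted href and
# into a text node, a constructed stand-in for the reflection described.
import html
from html.parser import HTMLParser

# Constructed template: the reflected parameter lands inside a
# single-quoted attribute and, separately, inside a text node.
TEMPLATE = "<a href='/index.php?course={v}'>{v}</a>"

# Decoded form of the PoC parameter from the Efront advisory.
ATTRIBUTE_PAYLOAD = "' onmouseover=alert(document.cookie)>"
# A classic text-node payload, which bracket-only escaping does stop.
TEXT_PAYLOAD = "<script>alert(1)</script>"


def render_raw(value):
    """As shipped: no sanitisation at all."""
    return TEMPLATE.format(v=value)


def render_naive(value):
    """Escapes only angle brackets: enough for text nodes, not attributes."""
    v = value.replace("<", "&lt;").replace(">", "&gt;")
    return TEMPLATE.format(v=v)


def render_hardened(value):
    """Context-aware for a quoted attribute: quote=True also encodes ' and ",
    so the reflected value can never terminate the attribute it sits in."""
    return TEMPLATE.format(v=html.escape(value, quote=True))


class TagAttrs(HTMLParser):
    """Collects tag names and attribute names as the tokenizer sees them."""

    def __init__(self):
        super().__init__()
        self.tags = []
        self.attr_names = []

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)
        self.attr_names.extend(name for name, _ in attrs)


def parse(markup):
    p = TagAttrs()
    p.feed(markup)
    p.close()
    return p.tags, p.attr_names


def injected_handlers(markup):
    """Event-handler attributes (on*) after parsing: any hit means the
    reflected value became executable in the attribute context."""
    _, names = parse(markup)
    return sorted(n for n in names if n.startswith("on"))


def injected_tags(markup):
    """Tags other than the template's own <a>: a hit means the reflected
    value became executable in the text-node context."""
    tags, _ = parse(markup)
    return sorted(t for t in tags if t != "a")


if __name__ == "__main__":
    for name, render in (("raw", render_raw), ("naive", render_naive),
                         ("hardened", render_hardened)):
        print(name, "text payload ->", injected_tags(render(TEXT_PAYLOAD)))
        print(name, "attr payload ->", injected_handlers(render(ATTRIBUTE_PAYLOAD)))
```

The naive renderer looks fixed if you only test with a `<script>` payload, which is exactly the blind spot the `onmouseover` PoC exploits: the output encoding has to match the context the value lands in, and a quoted attribute needs the quote characters encoded too.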

TWSL2012-002: Multiple Vulnerabilities in WordPress

Finding 1: PHP Code Execution and Persistent Cross Site Scripting
Vulnerabilities via 'setup-config.php' page.
CVE: CVE-2011-4899

The WordPress 'setup-config.php' installation page allows users to install
WordPress in local or remote MySQL databases. This typically requires a user
to have valid MySQL credentials to complete.  However, a malicious user can
host their own MySQL database server and can successfully complete the
WordPress installation without having valid credentials on the target system.


Copyright © 1995-2012 LinuxRocket.net. All rights reserved.