<< Previous Next >>
users
kernel with a good selection of access control models, see
http://www.rsbac.org/why for more details.
Important changes since 1.3 series:
* VUM (Virtual User Management) support (http://rsbac.org/redir.php?t=vum)
* One time password support for user management
(http://rsbac.org/redir.php?t=otp)
* Code for kernels 2.4 and 2.6 has been separated. 2.4 kernels might
be phased out at a later date.
* PAM module does not send a message "User not authenticated" anymore
Xulrunner 1.9.2.
Original advisory details:
If was discovered that Firefox could be made to access freed memory. If a
user were tricked into viewing a malicious site, a remote attacker could
cause a denial of service or possibly execute arbitrary code with the
privileges of the user invoking the program. This issue only affected
Ubuntu 8.04 LTS. (CVE-2010-1121)
Several flaws were discovered in the browser engine of Firefox. If a
+---------------------------------------+
Vulnerable Products
+------------------
Users can determine the version of the Mediator Framework running on
a device by logging into the device. After a successful login, the
device will display the version of Mediator Framework running on the
device.
The following example identifies a Cisco Network Building Mediator
---------------
SUPERAntiSpyware and Super Ad Blocker have almost identical device
drivers in order to set up hooks and perform other duties from kernel
space. These device drivers suffer from lack of validation of
parameters passed from user mode. Additionally, some of the functions
accessible from user mode are inherently insecure and lead to easy
privilege escalation. All vulnerabilities are applicable to both
applications.
Analysis and code was developed for SUPERAntiSpyware v4.33.1000, but
installation of a flexible weblog on any computer connected to the
Internet. WordPress 2.7 reached more than 6 million downloads during
June 2009 [9].
A vulnerability was found in the way that WordPress handles some URL
requests. This results in unprivileged users viewing the content of
plugins configuration pages, and also in some plugins modifying plugin
options and injecting JavaScript code. Arbitrary native code may be run
by a malicious attacker if the blog administrator runs injected
JavasScript code that edits blog PHP code. Many WordPress-powered blogs,
hosted outside 'wordpress.com', allow any person to create unprivileged
>
> III. DESCRIPTION
> -------------------------
> An existing abuse of functionality in the "Check for mail using POP3"
> capability permits automated attacks to the password data of the
> accounts of the Gmail users evading the security measures adopted by
> Google.
>
> Gmail implements a great number of security controls and, most of them
> are not revealed until an attack is conducted or a malicious use of
> the account is done. For example:
III. DESCRIPTION
-------------------------
An existing abuse of functionality in the "Check for mail using POP3"
capability permits automated attacks to the password data of the
accounts of the Gmail users evading the security measures adopted by
Google.
Gmail implements a great number of security controls and, most of them
are not revealed until an attack is conducted or a malicious use of
the account is done. For example:
problems:
CVE-2008-4307
Bryn M. Reeves reported a denial of service in the NFS filesystem.
Local users can trigger a kernel BUG() due to a race condition in
the do_setlk function.
CVE-2008-5079
Hugo Dias reported a DoS condition in the ATM subsystem that can
Summary
=======
A vulnerability exists in some Cisco Secure Access Control System
(ACS) versions that could allow a remote, unauthenticated attacker to
change the password of any user account to any value without
providing the account's previous password. Successful exploitation
requires the user account to be defined on the internal identity
store.
This vulnerability does not allow an attacker to perform any other
I. Overview
===========
During a penetration test performed by Hacktics' experts, certain
vulnerabilities were identified in the Oracle eBusiness Suite deployment.
Further research has identified several vulnerabilities which, combined, can
allow an unauthenticated remote user to take over and gain full control over
the administrative web user account of the Oracle eBusiness Suite.
A friendly formatted version of this advisory, including a video
demonstrating step-by-step execution of the exploit, is available in:
http://www.hacktics.com/content/advisories/AdvORA20091214.html
3. *Vulnerability Description*
Internet Explorer (IE) is the most widely used Web browser, with an
estimated count of 1,100 million users according to a worldwide survey
conducted and published in 2008 [1]. This advisory describes a
vulnerability that provides access to the contents of any file stored in
the local filesystem of user's machines running vulnerable versions of IE.
Exploitation of the vulnerability relies solely on the ability for a
# + Logged in (Administrator)
# + The administrator has 2 resellers
# / Changing dareseller's password
# / Trying to connect as dareseller:thatpwnz
# + Login successful
# + The reseller has 2 users
# + Host domaintest.fr is connected
# / Trying to write PHP code
# + PHP code successfully written
# / We'll have to bypass open_basedir cause safe_mode=On
# - User doesn't have SQL rights
command failures.
CVE-2010-4158
Dan Rosenberg discovered an issue in the socket filters subsystem, allowing
local unprivileged users to obtain the contents of sensitive kernel memory.
CVE-2010-4162
Dan Rosenberg discovered an overflow issue in the block I/O subsystem that
allows local users to map large numbers of pages, resulting in a denial of
This vulnerability affects Tandberg C Series Endpoints and E/EX
Personal Video units, including software that is running on the C20,
C40, C60, C90, E20, EX60, and EX90 codecs. The software version of
the Tandberg unit can be determined by logging into the web-based
user interface (UI) or using the "xStatus SystemUnit" command.
Users can determine the Tandberg software version by entering the IP
address of the codec in a web browser, authenticating (if the device
is configured for authentication), and then selecting the "system
info" menu option. The version number is displayed after the
to the bottom page of a shared memory segment, as demonstrated by a
memory-exhaustion attack against the X.Org X server. (CVE-2010-2240)
The do_tcp_setsockopt function in net/ipv4/tcp.c in the Linux kernel
does not properly restrict TCP_MAXSEG (aka MSS) values, which allows
local users to cause a denial of service (OOPS) via a setsockopt call
that specifies a small value, leading to a divide-by-zero error or
incorrect use of a signed integer. (CVE-2010-4165)
The copy_shmid_to_user function in ipc/shm.c in the Linux kernel
does not initialize a certain structure, which allows local users to
=======
Multiple buffer overflow vulnerabilities exist in the Cisco WebEx
Recording Format (WRF) player. In some cases, exploitation of the
vulnerabilities could allow a remote attacker to execute arbitrary
code on the system with the privileges of a targeted user.
The Cisco WebEx Players are applications that are used to play back
WebEx meeting recordings that have been recorded on a WebEx meeting
site or on the computer of an online meeting attendee. The players
can be automatically installed when the user accesses a recording
ESX 3.5 Update 5, and VirtualCenter 2.5 Update 6). Refer to section
"End of Product Availability FAQs" at
http://www.vmware.com/support/policies/lifecycle/vi/faq.html for
details.
Extended support for ESX 2.5.5 ends on 2010-06-15. Users should plan
to upgrade to at least ESX 3.0.3 and preferably to the newest
release available.
Extended support for ESX 3.0.3 ends on 2011-12-10. Users should plan
to upgrade to at least ESX 3.5 and preferably to the newest release
ESX 3.5 Update 5, and VirtualCenter 2.5 Update 6). Refer to section
"End of Product Availability FAQs" at
http://www.vmware.com/support/policies/lifecycle/vi/faq.html for
details.
Extended support for ESX 2.5.5 ends on 2010-06-15. Users should plan
to upgrade to at least ESX 3.0.3 and preferably to the newest
release available.
Extended support for ESX 3.0.3 ends on 2011-12-10. Users should plan
to upgrade to at least ESX 3.5 and preferably to the newest release
Fraunhofer SIT advises to use SQL-Ledger only in non-critical application
scenarios with low security requirements. Furthermore, risk mitigation in
the form of the following measures should be undertaken:
- Users shall be advised to use a seperate browser or browser profile
solely to access SQL-Ledger to counter XSRF attacks.
- Untrusted users should be given read-only access to the database to prevent
damage from SQL injection attacks.
- The server administrator shall restrict file creation rights on the
SQL-Ledger server in order to prevent the storing of arbitrary files which
Details follow:
Thor Larholm discovered that PHPMailer, as used by Moodle, did not
correctly escape email addresses. A local attacker with direct access
to the Moodle database could exploit this to execute arbitrary commands
as the web server user. (CVE-2007-3215)
Nigel McNie discovered that fetching https URLs did not correctly escape
shell meta-characters. An authenticated remote attacker could execute
arbitrary commands as the web server user, if curl was installed and
configured. (CVE-2008-4796, MSA-09-0003)
Details
=======
The Cisco IP Phone Personal Address Book (PAB) Synchronizer feature
of Cisco Unified Communications Manager allows users to keep their
Cisco Unified Communications Manager address book synchronized with
their Microsoft Windows address book. The IP Phone PAB Synchronizer
feature contains a privilege escalation vulnerability that may allow
an attacker to obtain complete administrative access to a vulnerable
Cisco Unified Communications Manager system. After an IP Phone PAB
following problems:
CVE-2006-5823
LMH reported a potential local DoS which could be exploited by a malicious
user with the privileges to mount and read a corrupted cramfs filesystem.
CVE-2006-6054
LMH reported a potential local DoS which could be exploited by a malicious
user with the privileges to mount and read a corrupted ext2 filesystem.
Overview:
/////////
Software called "HP Info Center" is shipped with almost every HP laptop model for few years.
It is designed to support user with quick system information and hardware configuration
using single button touch.
One of its ActiveX controls deployed by default by the vendor has three insecure methods
that allow a malicious person to target the HP notebook machines for a remote code execution
and remote registry manipulation based attacks.
Background
Bytehoard is a web application written in PHP that serves as a file
storage and sharing system.
It has two levels of security, a user level and an admin level. Login is
required but it can be configured to allow anyone to obtain a user level
account if desired.
Summary
www.ExploitDevelopment.com 2010-M$-001
----------------------------------------------------------
TITLE:
Flaw in Microsoft Windows SAM Processing Allows Continued
Administrative Access Using Hidden Regular User Masquerading After
Compromise
SUMMARY AND IMPACT:
All versions of Microsoft Windows allow real-time modifications to the
Security Accounts Manager (SAM) that enable an attacker to create a
---[ Vulnerability description ]
Positive Research Center has discovered multiple XSS vulnerabilties in Kayako Support Suite.
Application insufficiently verifies subscriberdata incoming parameter in /staff/index.php?_m=news&_a=importexport script.
An attacker with "staff" privileges can use the vulnerabilty to inject and execute arbitrary HTML code and scripts in a user's browser within the trust relationship between the browser and the server.
To use the vulnerability an attacker should convince a user with "staff" privileges to open URL like:
http://example.com/support/staff/index.php?_m=news&_a=managesubscribers&importsub=1&resultdata=YTo0OntzOjEzOiJzdWNjZXNzZW1haWxzIjtpOjA7czoxMjoiZmFpbGVkZW1haWxzIjtpOjE7czoxMToidG90YWxlbWFpbHMiO2k6MTtzOjk6ImVtYWlsbGlzdCI7czo5MDoiPHNjcmlwdD5hbGVydCgneHNzJyk8L3NjcmlwdD5APHNjcmlwdD5hbGVydCgneHNzJyk8L3NjcmlwdD4uPHNjcmlwdD5hbGVydCgneHNzJyk8L3NjcmlwdD4gIjt9
Application insufficiently verifies subject incoming parameter in /staff/index.php?_m=news&_a=insertnews script.
An attacker with "staff" privileges can use the vulnerabilty to inject and execute arbitrary HTML code and scripts in a user's browser within the trust relationship between the browser and the server.
An attacker should trick a user with "staff" privileges to open URL like:
Finding 1: PHP Code Execution and Persistent Cross Site Scripting
Vulnerabilities via 'setup-config.php' page.
CVE: CVE-2011-4899
The WordPress 'setup-config.php' installation page allows users to install
WordPress in local or remote MySQL databases. This typically requires a user
to have valid MySQL credentials to complete. However, a malicious user can
host their own MySQL database server and can successfully complete the
WordPress installation without having valid credentials on the target system.
firefox 3.6.6+nobinonly-0ubuntu0.10.04.1
xulrunner-1.9.2 1.9.2.6+nobinonly-0ubuntu0.10.04.1
Mozilla has changed the support model for Firefox and they no longer
support version 3.0 of the browser. As a result, Ubuntu is providing an
upgrade to Firefox 3.6 for Ubuntu 8.04 LTS users, which is the most current
stable release of Firefox supported by Mozilla. When upgrading, users
should be aware of the following:
- Firefox 3.6 does not support version 5 of the Sun Java plugin. Please use
icedtea-java7-plugin or sun-java6-plugin instead.
changes.
Details follow:
Alin Rad Pop discovered a heap-based buffer overflow in Firefox when it
converted strings to floating point numbers. If a user were tricked into
viewing a malicious website, a remote attacker could cause a denial of service
or possibly execute arbitrary code with the privileges of the user invoking the
program. (CVE-2009-1563)
Jeremy Brown discovered that the Firefox Download Manager was vulnerable to
We apologize for the inconvenience.
Original advisory details:
Alin Rad Pop discovered a heap-based buffer overflow in Firefox when it
converted strings to floating point numbers. If a user were tricked into
viewing a malicious website, a remote attacker could cause a denial of service
or possibly execute arbitrary code with the privileges of the user invoking the
program. (CVE-2009-1563)
Jeremy Brown discovered that the Firefox Download Manager was vulnerable to
<<Previous Next>>
|
