1. Windows platform
2. PHP version must be < 5.3.4 for null-byte attacks to work
Result: remote file disclosure, php remote code execution
Source code snippet from script "index.php":
-----------------[ source code start ]---------------------------------
// Router
if (isset($request->get['route'])) {
    $action = new Action($request->get['route']);
-----------------[ source code end ]-----------------------------------
TorrentTrader is a feature packed and highly customisable PHP/MySQL Based
BitTorrent tracker. Featuring integrated forums and plenty of administration
options. Please visit www.torrenttrader.org for the support forums.
http://sourceforge.net/projects/torrenttrader
List of found vulnerabilities
===============================================================================
http://localhost/mkportal.1.2.1/index.php?ind=blog&op=p_gal
They can also upload image files to the server. File uploading can be
dangerous without proper security checks. So let's have a closer look
at the source code of "modules/blog/index.php" line ~2452:
---------------------[source code]---------------------
function upload_imm () {
    global $mkportals, $DB, $mklib, $Skin, $_FILES;
Attack vectors: user submitted POST parameters "ID" and "Password"
Preconditions: none
Impact: attacker can take over CruxCMS admin account
Php script "manager/passwordreset.php" is directly accessible via web
without any authorization. Source code snippet:
-----------------[ source code start ]---------------------------------
include ("../includes/injectionprevention.php");
$ID = numericquery($_POST["ID"]);
The CoreTex Team from Core Security is happy to announce the *1st Open
Backdoor Hiding & Finding Contest* to be held at DEFCON 0x12 this year!
Hiding a backdoor in open source code that will be subjected to the
scrutiny of security auditors by the hundreds may not be an easy task.
Positively and unequivocally identifying a cleverly hidden backdoor may
be extremely difficult as well.
But doing both things at DEFCON 0x12 could be a lot of fun!
and similar functions).
This is also part of the vector discovered by barbarianbob, while he
uses it for different purposes from what I initially thought.
But with vanilla PHP (the official source tree) it will not work and
you'll get an error complaining about the fact that the target is not
a directory. Why? Because barbarianbob, everybody who ran it successfully,
and me in my initial disclosure [4] were using a patched PHP (for example
Suhosin, both loaded as .so or "built-in", Ubuntu PHP, that is patched
with Suhosin, etc).
            return;
        }
        break;
    default:
        sprintf(tempstring,"Resolver error: Received unimplemented query type: %u (%s)",
                qdatatype,qdatatype < ResourcetypeCount ?
                resourcetypes[qdatatype] : resourcetypes[ResourcetypeCount]);
        restell(tempstring);
}
for (rr = hp->ancount + hp->nscount + hp->arcount;rr;rr--) {
...
Asterisk Project Security Advisory - AST-2009-006
+------------------------------------------------------------------------+
| Product | Asterisk |
|--------------------+---------------------------------------------------|
| Summary | IAX2 Call Number Resource Exhaustion |
|--------------------+---------------------------------------------------|
| Nature of Advisory | Denial of Service |
|--------------------+---------------------------------------------------|
| Susceptibility | Remote unauthenticated sessions |
|--------------------+---------------------------------------------------|
since November 2007 [5].
Several vulnerabilities have been found in Android's core libraries for
processing graphic content in some of the most used image formats (PNG,
GIF and BMP). While some of these vulnerabilities stem from the use of
outdated and vulnerable open source image processing libraries, others
were introduced by native Android code that uses them or that implements
new functionality.
Exploitation of these vulnerabilities to yield complete control of a
phone running the Android platform has been proved possible using the
lead to practical DNS cache poisoning attacks. Among other things,
successful attacks can lead to misdirected web traffic and email
rerouting.
This update changes Debian's BIND 9 packages to implement the
recommended countermeasure: UDP query source port randomization. This
change increases the size of the space from which an attacker has to
guess values in a backwards-compatible fashion and makes successful
attacks significantly more difficult.
Note that this security update changes BIND network behavior in a
Name      Current Setting    Required  Description
----      ---------------    --------  -----------
HOSTNAME  pwned.example.com  yes       Hostname to hijack
NEWADDR   1.3.3.7            yes       New address for hostname
RECONS    208.67.222.222     yes       Nameserver used for reconnaissance
RHOST                        yes       The target address
SRCPORT                      yes       The target server's source query port (0 for automatic)
XIDS      10                 yes       Number of XIDs to try for each query
msf auxiliary(bailiwicked_host) > set RHOST A.B.C.D
RHOST => A.B.C.D
| | Javantea subsequently found that we were doing |
| | insufficient verification of the ACK response and that |
| | the ACK response could be spoofed, just like the initial |
| | NEW message. We have addressed this failure with two |
| | changes. First, we have started to require that the ACK |
| | response contains the unique source call number that we |
| | send in our reply to the NEW message. Any ACK response |
| | that does not contain the source call number that we |
| | have created will be silently thrown away. Second, we |
| | have made the generation of our source call number a |
| | little more difficult to predict, by randomly selecting |
(delay), and packet loss.
The vulnerability that is described in this document is triggered by
malformed IP SLA UDP packets sent to the vulnerable device and port. A
vulnerable device can be an IP SLA responder or the source device of a
vulnerable IP SLA operation.
This vulnerability is documented in Cisco bug ID CSCtk67073 and has been
assigned Common Vulnerabilities and Exposures (CVE) ID CVE-2011-3272.
Vulnerable IP SLA Responder Configurations
Preconditions:
1. attacker must be logged in as valid user
2. PHP must be < 5.3.4 for null-byte attacks to work
Result: remote file disclosure, php remote code execution
Source code snippet from vulnerable script "like.php":
-----------------[ source code start ]---------------------------------
protected function _unsubscribe()
{
    /* Fetch data */
    $key = trim( IPSText::base64_decode_urlSafe( $this->request['key'] ) );
| Affected Versions |
|------------------------------------------------------------------------|
| Product | Release | |
| | Series | |
|----------------------------+---------+---------------------------------|
| Asterisk Open Source | 1.2.x | All versions prior to 1.2.35 |
|----------------------------+---------+---------------------------------|
| Asterisk Open Source | 1.4.x | All versions prior to 1.4.26.3 |
|----------------------------+---------+---------------------------------|
| Asterisk Open Source | 1.6.0.x | All versions prior to 1.6.0.17 |
|----------------------------+---------+---------------------------------|
| Affected Versions |
|------------------------------------------------------------------------|
| Product | Release | |
| | Series | |
|----------------------------+------------+------------------------------|
| Asterisk Open Source | 1.2.x | All versions prior to 1.2.34 |
|----------------------------+------------+------------------------------|
| Asterisk Open Source | 1.4.x | All versions prior to |
| | | 1.4.26.1 |
|----------------------------+------------+------------------------------|
| Asterisk Open Source | 1.6.0.x | All versions prior to |
SSH management traffic that can be received by the ACE is controlled
through the use of class maps, policy maps, and service policies.
This Management Traffic Service example denies unauthorized SSH
packets that are sent to an affected device. In the following
example, 192.168.100.1 is considered a trusted source that requires
SSH access to the affected device. Care should be taken to allow all
required management access to the affected device. An attacker could
exploit this vulnerability using spoofed packets. This workaround
cannot provide complete protection against this vulnerability when
the attack comes from a trusted source address.
The CoreTex Competitions Team from Core Security is happy to announce
the *2nd Open Backdoor Hiding & Finding Contest* to be held at DEFCON
0x13 this year!
Hiding a backdoor in open source code that will be subjected to the
scrutiny of security auditors by the hundreds may not be an easy task.
Positively and unequivocally identifying a cleverly hidden backdoor may
be extremely difficult as well. But doing both things at DEFCON 0x13
could be a lot of fun!
"Corrected In" section, or apply a patch specified in the
"Patches" section.
Affected Versions
Product Release Series
Asterisk Open Source 1.4.x All Versions
Asterisk Open Source 1.6.2.x All Versions
Asterisk Open Source 1.8.x All Versions
Asterisk Open Source 10.x All Versions
Corrected In
Overview:
Quote from http://www.piwik.org
"Piwik is a downloadable, open source (GPL licensed) web analytics
software program. It provides you with detailed real time reports
on your website visitors: the search engines and keywords they
used, the language they speak, your popular pages… and so much more.
Piwik aims to be an open source alternative to Google Analytics."
+------------------------------------------------------------------------+
| Affected Versions |
|------------------------------------------------------------------------|
| Product | Release Series | |
|----------------------------------+----------------+--------------------|
| Asterisk Open Source | 1.2.x | All versions |
|----------------------------------+----------------+--------------------|
| Asterisk Open Source | 1.4.x | All versions |
|----------------------------------+----------------+--------------------|
| Asterisk Open Source | 1.6.x | All versions |
|----------------------------------+----------------+--------------------|
| Affected Versions |
|------------------------------------------------------------------------|
| Product | Release | |
| | Series | |
|----------------------------+---------+---------------------------------|
| Asterisk Open Source | 1.2.x | Unaffected |
|----------------------------+---------+---------------------------------|
| Asterisk Open Source | 1.4.x | All versions prior to 1.4.26.3 |
|----------------------------+---------+---------------------------------|
| Asterisk Open Source | 1.6.0.x | All versions prior to 1.6.0.17 |
|----------------------------+---------+---------------------------------|
In general, a standard system upgrade is sufficient to effect the
necessary changes.
Details follow:
William Grant discovered that dpkg-source did not safely apply diffs
when unpacking source packages. If a user or an automated system were
tricked into unpacking a specially crafted source package, a remote
attacker could modify files outside the target unpack directory, leading
to a denial of service or potentially gaining access to the system.
In addition, this update contains reliability improvements which do
not target security issues.
For the old stable distribution (etch), these problems have been fixed
in version 7.4.26-0etch1 of the postgresql-7.4 source package, and
version 8.1.18-0etch1 of the postgresql-8.1 source package.
For the stable distribution (lenny), these problems have been fixed in
version 8.3.8-0lenny1 of the postgresql-8.3 source package.
| Affected Versions |
|------------------------------------------------------------------------|
| Product | Release | |
| | Series | |
|----------------------------+---------+---------------------------------|
| Asterisk Open Source | 1.2.x | Not affected |
|----------------------------+---------+---------------------------------|
| Asterisk Open Source | 1.4.x | Versions 1.4.22, 1.4.23, |
| | | 1.4.23.1 |
|----------------------------+---------+---------------------------------|
| Asterisk Open Source | 1.6.0.x | All versions prior to 1.6.0.6 |
[ Our anticipated apologies if you receive this call for papers more than
once! ]
CALL FOR PAPERS:
1st Workshop on Open Source Software for Computer and Network Forensics
(OSSCoNF)
We are currently inviting the submission of full papers to the 1st Workshop
on Open Source Software for Computer and Network Forensics (OSSCoNF),
which will be held in conjunction with OSS2008, the Fourth International
The in_decimal::set function in item_cmpfunc.cc in MySQL
before 5.0.40 allows context-dependent attackers to cause a
denial of service (crash) via a crafted IF clause that results
in a divide-by-zero error and a NULL pointer dereference.
(Affects source version 5.0.32)
CVE-2007-2691
MySQL does not require the DROP privilege for RENAME TABLE
statements, which allows remote authenticated users to rename