Steps to reproduce
. 2008-05-02: Initial notification sent to the vendor, offering the
CORE-2008-0415 advisory draft in plain-text or encrypted.
. 2008-05-05: Vendor acknowledges and requests the draft in plain text.
. 2008-05-05: Core sends the draft.
. 2008-05-09: Vendor requests a more detailed description of the steps
to reproduce the bug.
. 2008-05-09: Core sends a more detailed description of the steps to
reproduce the bug and fixes a bug on the PoC python code.
. 2008-05-09: Vendor confirms the bug has been reproduced.
. 2008-05-14: Vendor sends information for the advisory, including steps
to protect against the vulnerability, and considers the issue closed.
. 2009-10-19:
Autodesk acknowledges the report and requests the information to be
provided in encrypted form.
. 2009-10-20:
Core sends draft advisory and steps to reproduce the issue.
. 2009-10-27:
Core asks Autodesk about the status of the vulnerability report sent
on October 20th, 2009.
path as “…”, rather than exposing it.
Proof of Concept:
-----------------
Steps to reproduce:
-------------------
1. Pick a .HTM, .HTML or .MHT file on your local computer.
2. Open this file in IE and press Ctrl-P,
   OR right-click the file in Explorer and select PRINT from the context menu.
3. Select any PDF writer as the printer, such as Adobe PDF / CutePDF / PrimoPDF /
will accept ANY correctly base64-encoded username which begins with a
valid shortname, or which equals a valid password, during AUTH LOGIN
authentication. This is only fixed by completely removing SHORTNAMES=1
from smtp(s)_psa; simply setting it to 0 has no effect.
Steps to reproduce:
- make sure smtp_psa contains: "env = SMTPAUTH=1 SHORTNAMES=1"
- generate a bogus username and encode to base64: "printf
'<validalias><bogustext>' | base64" eg. 'fbbogus' -> ZmJib2d1cw==
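The following is an added example, not the advisory's PoC and not code from qmail or Plesk. It models the check described above: the AUTH LOGIN username token is base64-decoded and then compared against a configured alias. A prefix comparison of only strlen(alias) bytes (the SHORTNAMES=1 behaviour as the text describes it) accepts "fbbogus"; comparing the whole string does not. The alias "fb" is assumed from the page's 'fbbogus' example; the base64 decoder is a minimal one written for this example.

```c
/* Added example (not the advisory's or the vendor's code): AUTH LOGIN
 * username check with a SHORTNAMES-style prefix match beside an exact
 * match. Alias "fb" is assumed from the page's 'fbbogus' example. */
#include <stdio.h>
#include <string.h>

/* Map one base64 alphabet character to its 6-bit value, -1 if invalid. */
static int b64_value(char c) {
    if (c >= 'A' && c <= 'Z') return c - 'A';
    if (c >= 'a' && c <= 'z') return c - 'a' + 26;
    if (c >= '0' && c <= '9') return c - '0' + 52;
    if (c == '+') return 62;
    if (c == '/') return 63;
    return -1;
}

/* Minimal base64 decoder (standard alphabet, '=' padding).
 * Writes a NUL-terminated result; returns decoded length or -1 on
 * malformed input or insufficient output space. */
int b64_decode(const char *in, char *out, size_t outlen) {
    size_t n = strlen(in), o = 0;
    unsigned int acc = 0;
    int bits = 0;
    if (n % 4 != 0 || outlen == 0) return -1;
    for (size_t i = 0; i < n; i++) {
        if (in[i] == '=') break;                 /* padding: stop */
        int v = b64_value(in[i]);
        if (v < 0) return -1;
        acc = ((acc << 6) | (unsigned int)v) & 0xffffffu;
        bits += 6;
        if (bits >= 8) {
            bits -= 8;
            if (o + 1 >= outlen) return -1;      /* keep room for NUL */
            out[o++] = (char)((acc >> bits) & 0xff);
        }
    }
    out[o] = '\0';
    return (int)o;
}

/* Vulnerable: only the first strlen(alias) bytes are compared, so any
 * username that starts with a valid alias is accepted. */
int shortname_match_vulnerable(const char *user, const char *alias) {
    return strncmp(user, alias, strlen(alias)) == 0;
}

/* Fixed: the whole decoded username must equal the alias. */
int shortname_match_fixed(const char *user, const char *alias) {
    return strcmp(user, alias) == 0;
}

/* Decode an AUTH LOGIN username token and apply the given matcher.
 * Returns 1 if accepted, 0 if rejected, -1 if the token is malformed. */
int auth_login_user_ok(const char *b64user, const char *alias,
                       int (*match)(const char *, const char *)) {
    char user[256];
    if (b64_decode(b64user, user, sizeof user) < 0) return -1;
    return match(user, alias) ? 1 : 0;
}

int main(void) {
    const char *tok = "ZmJib2d1cw==";   /* "fbbogus", from the page */
    printf("vulnerable accepts 'fbbogus' for alias 'fb': %d\n",
           auth_login_user_ok(tok, "fb", shortname_match_vulnerable));
    printf("fixed accepts 'fbbogus' for alias 'fb':      %d\n",
           auth_login_user_ok(tok, "fb", shortname_match_fixed));
    return 0;
}
```

The token is exactly what the printf | base64 step above produces; only the comparison differs between the two matchers, which is why flipping SHORTNAMES to 0 (rather than removing it) does nothing if the prefix path is still compiled in.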
I just tested this on FreeBSD 6.3. This bug was discovered on NetBSD. It also works on OpenBSD (unconfirmed on 4.2)
Steps to reproduce:
1. Run ppp
2. Type the following (or at least some variation of it)
remote denial of service caused by a null pointer dereference triggered by
specially crafted IP datagrams. If the firewall handles such a packet, the
kernel panics.
Steps to reproduce:
If you are behind an OpenBSD firewall, this nmap IP protocol scan should
trigger the problem and crash your firewall device:
nmap -sO $some_host_so_that_the_firewall_handles_the_packets
. 2010-08-04:
Core sends an updated version of the advisory and also asks if MSRC can
provide:
1. The list of affected software versions.
2. The CVE number assigned to this vulnerability (if it exists).
3. The steps to reproduce the vulnerability in IE [3].
4. The link to the knowledge base article about the newly introduced
Office killbit given that Core is investigating using that defense
mechanism as a workaround but MS10-036 points to a knowledge base
article that is no longer available
([http://support.microsoft.com/kb/983632]).
The weakness is caused by an error in the handling of URLs passed to JavaScript's window.open() method.
This can be exploited to trick users into supplying sensitive information to a malicious web site,
because the information displayed in the address bar can be constructed in a certain way,
which may lead users to believe they are visiting a different web site than the one actually displayed.
Steps to reproduce
==================
1) Visit http://majorsecurity.net/html5/ios51-demo.html with Safari on iOS 5.1
2) click the "demo" button
3) Safari will open a new window with "http://www.apple.com" in the address bar,
but in fact "http://www.apple.com" is being displayed inside an iframe within
Good day.
Fri, Feb 29, 2008 at 04:39:03PM -0000, sipherr@gmail.com wrote:
> I just tested this on FreeBSD 6.3. This bug was discovered on NetBSD. It also works on OpenBSD (unconfirmed on 4.2)
>
> Steps to reproduce:
>
> 1. Run ppp
>
> 2. Type the following (or at least some variation of it)
>
b) The second 16 bytes are the encrypted password
c) Initialize the cipher using the IV and the key "smetsysocsicni"
d) Decrypt the encrypted password
Steps to reproduce the VLAN separation issue:
1. Start sniffing using Wireshark on the computer connected to the PC
port
2. Apply the Wireshark display filter "vlan" (display filter names are
lowercase); this restricts the view to 802.1Q-tagged packets
3. Soft restart the Cisco phone by pressing the settings button
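As an added example (not Cisco's code and not part of the original advisory), the classification the "vlan" display filter performs can be done in a few lines on the PC-port host, which is useful if you want a script rather than a Wireshark window to flag tagged frames leaking from the voice VLAN. The frame bytes below are constructed for this example; the MAC addresses and the VLAN ID 100 are made-up values.

```c
/* Added example: classify an Ethernet frame as 802.1Q-tagged or not and
 * extract the VLAN ID, i.e. what the Wireshark "vlan" filter matches.
 * Sample frames are constructed; MACs and VID 100 are made up. */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

#define ETH_HDR_LEN     14
#define VLAN_TAG_LEN    4
#define ETHERTYPE_VLAN  0x8100u   /* 802.1Q TPID */

struct vlan_info {
    int tagged;          /* 1 if an 802.1Q tag is present */
    unsigned vid;        /* VLAN ID, 12 bits */
    unsigned pcp;        /* priority code point, 3 bits */
    uint16_t ethertype;  /* EtherType of the payload (after the tag if any) */
};

/* Parse the Ethernet header. Returns 0 on success, -1 if the frame is
 * too short to classify (truncated tag headers are rejected, not guessed). */
int parse_vlan(const uint8_t *frame, size_t len, struct vlan_info *out) {
    if (len < ETH_HDR_LEN) return -1;
    uint16_t type = (uint16_t)((frame[12] << 8) | frame[13]);
    out->tagged = 0; out->vid = 0; out->pcp = 0;
    if (type != ETHERTYPE_VLAN) {
        out->ethertype = type;
        return 0;
    }
    if (len < ETH_HDR_LEN + VLAN_TAG_LEN) return -1;
    uint16_t tci = (uint16_t)((frame[14] << 8) | frame[15]);
    out->tagged = 1;
    out->pcp = tci >> 13;
    out->vid = tci & 0x0fffu;
    out->ethertype = (uint16_t)((frame[16] << 8) | frame[17]);
    return 0;
}

/* Convenience wrapper: VLAN ID of a tagged frame, -1 if untagged,
 * -2 if the frame is too short. */
int frame_vid(const uint8_t *frame, size_t len) {
    struct vlan_info vi;
    if (parse_vlan(frame, len, &vi) != 0) return -2;
    return vi.tagged ? (int)vi.vid : -1;
}

/* Constructed tagged frame: PCP 5, VID 100, carrying IPv4. */
static const uint8_t sample_tagged[] = {
    0x00,0x11,0x22,0x33,0x44,0x55,   /* dst MAC (made up) */
    0x66,0x77,0x88,0x99,0xaa,0xbb,   /* src MAC (made up) */
    0x81,0x00,                       /* TPID 0x8100 */
    0xa0,0x64,                       /* TCI: PCP=5, DEI=0, VID=100 */
    0x08,0x00,                       /* inner EtherType: IPv4 */
    0x45,0x00,0x00,0x14              /* start of an IPv4 header (truncated) */
};

/* Constructed untagged frame with the same addresses. */
static const uint8_t sample_untagged[] = {
    0x00,0x11,0x22,0x33,0x44,0x55, 0x66,0x77,0x88,0x99,0xaa,0xbb,
    0x08,0x00, 0x45,0x00,0x00,0x14
};

int main(void) {
    printf("tagged frame VID:   %d\n", frame_vid(sample_tagged, sizeof sample_tagged));
    printf("untagged frame VID: %d\n", frame_vid(sample_untagged, sizeof sample_untagged));
    return 0;
}
```

On a PC port that is correctly isolated from the voice VLAN, no frame captured there should come back from parse_vlan with tagged set; any tagged frame seen after the phone restarts is the leak the steps above are looking for.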
b) really do exceed the maximum size allowed and overflow data
structures allocated on the heap, overwriting libc's
allocation-related structures. This causes heap corruption.
Steps to Reproduce:
1. Get example file from
"http://pyrit.googlecode.com/svn/tags/opt/aircrackng_exploit.cap" or
generate it via
"http://pyrit.googlecode.com/svn/tags/opt/aircrackng_exploit.py"
2. Run it through aircrack-ng, airdecap-ng or airodump-ng
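The check that a capture reader needs before copying a record into a fixed-size heap buffer, as an added example (not aircrack-ng's or pyrit's code). A pcap record header is 16 bytes: ts_sec, ts_usec, incl_len (bytes stored in the file) and orig_len (bytes on the wire). A reader that allocates a buffer for the largest legitimate frame and then copies incl_len bytes without validating it is the pattern described above. The record bytes below are constructed; MAX_FRAME is an assumed buffer size for this example.

```c
/* Added example (not aircrack-ng's or pyrit's code): validate a pcap
 * record header before trusting incl_len. Records are constructed and
 * MAX_FRAME is an assumed reader buffer size. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define PCAP_REC_HDR 16
#define MAX_FRAME    65535u   /* largest frame the reader's buffer holds */

struct pcap_rec {
    uint32_t ts_sec, ts_usec, incl_len, orig_len;
};

/* Little-endian 32-bit read (pcap files written with magic 0xa1b2c3d4). */
static uint32_t le32(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Validate one record at buf[0..len). Returns header+data length on
 * success, 0 if the record is truncated (need more input), or -1 if
 * incl_len exceeds the reader's buffer or exceeds orig_len, neither of
 * which an honest capture produces. */
long check_record(const uint8_t *buf, size_t len, struct pcap_rec *out) {
    if (len < PCAP_REC_HDR) return 0;
    struct pcap_rec r;
    r.ts_sec   = le32(buf);
    r.ts_usec  = le32(buf + 4);
    r.incl_len = le32(buf + 8);
    r.orig_len = le32(buf + 12);
    if (r.incl_len > MAX_FRAME || r.incl_len > r.orig_len) return -1;
    if (len - PCAP_REC_HDR < r.incl_len) return 0;
    if (out) *out = r;
    return (long)(PCAP_REC_HDR + r.incl_len);
}

/* The unsafe pattern, for contrast only (never run on untrusted input):
 * trusts incl_len and overruns a MAX_FRAME-byte heap buffer when the
 * file lies, corrupting the allocator metadata that follows it. */
int copy_record_unchecked(const uint8_t *buf, uint8_t *frame) {
    uint32_t incl = le32(buf + 8);
    memcpy(frame, buf + PCAP_REC_HDR, incl);   /* overflow if incl > MAX_FRAME */
    return (int)incl;
}

/* Constructed records: an honest 4-byte frame, and one whose incl_len
 * (0x00020000 = 131072) exceeds both MAX_FRAME and its own orig_len. */
static const uint8_t rec_ok[] = {
    0,0,0,0,  0,0,0,0,  0x04,0x00,0x00,0x00,  0x04,0x00,0x00,0x00,
    0xde,0xad,0xbe,0xef };
static const uint8_t rec_evil[] = {
    0,0,0,0,  0,0,0,0,  0x00,0x00,0x02,0x00,  0x04,0x00,0x00,0x00,
    0xde,0xad,0xbe,0xef };

int main(void) {
    printf("honest record: %ld\n", check_record(rec_ok, sizeof rec_ok, NULL));
    printf("evil record:   %ld\n", check_record(rec_evil, sizeof rec_evil, NULL));
    return 0;
}
```

Rejecting incl_len > orig_len as well as incl_len > MAX_FRAME matters: a crafted file can keep incl_len just under the buffer size while lying about orig_len, so both bounds are checked before any byte of the record is copied.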
Discovered by:
Gary Simat of Total Server Solutions LLC
Randy Kent of Sevaa Group Inc
Steps to reproduce:
1) Log in to the APC as a user from computer 1.
2) Then attempt to log in from another computer (we will call this computer 2). The User Name and Password fields will not be editable, so just click Log On. It will say someone is already logged in. Leave this page up.
3) Log out of computer 1.
4) Simply hit refresh on computer 2 and choose to resend the headers. You will be logged in as the previously authenticated user.
'(unsigned long)-1 > (int)42 == TRUE'
because both operands of the comparison are converted to unsigned long
(0xFFFFFFFF > 0x2a).
Steps to reproduce:
The quickest way to reproduce this bug is by modifying the VNC server to
send crafted evil packets as:
January 08, 2009: Draft advisory was sent to Chris and Mitchell.
January 08, 2009: Chris clarified that 4.0.2 had been released to address the issue.
January 12, 2009: Mitchell requested us not to include full details such as steps to reproduce the bug.
January 12, 2009: We explained our disclosure policy again to Mitchell, and sent an updated advisory.
Public disclosure: January 12, 2009
Tested on firmware: 0604DAS (the latest firmware versions have also been tested.)
Welcome the return of the Ping of Death!
Wait a minute... isn't this 2008?
Steps to reproduce:
1. ping -s 65500 <ip of the phone>
Thanks to Spithash and the #codemasters@dal.net crew.
[1] - http://expressionengine.com/
IV. VENDOR COMMUNICATION
1.17.2009 - Vendor Notified
1.18.2009 - Initial vendor communication (details requested)
1.18.2009 - Steps to reproduce provided to vendor
1.21.2009 - Vendor response with public update "shortly"
1.22.2009 - Vendor releases 1.6.7 which addresses this vulnerability
Copyright (c) 2008 nGenuity Information Services, LLC
The affected function is pf_change_a6, and the patch is just a workaround
because it filters the packet in pf_test() instead of fixing the affected
source code.
Steps to reproduce:
If you have an affected OS in your network which does NAT or redirecting traffic
you should be able to test your IPv4 device with this simple hping command:
hping -0 -H 58 $a_host
login access to the server to set up a denial of service or
man-in-the-middle attack. Of course, this applies to ports greater than
1024.
Steps to reproduce:
As root, start daemon on *:55555:
[root@foo:/root]# netcat -l -p 55555