address book
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Cisco Security Advisory: Cisco Unified Communications Manager IP
Phone Personal Address Book Synchronizer Privilege Escalation
Vulnerability
Advisory ID: cisco-sa-20090311-cucmpab
Revision 1.0
PUBLIC
=========================================================================
ACROS Security Problem Report #2010-12-14-1
-------------------------------------------------------------------------
ASPR #2010-12-14-1: Remote Binary Planting in Windows Address Book
=========================================================================
Document ID: ASPR #2010-12-14-1-PUB
Vendor: Microsoft Corp. (http://www.microsoft.com)
Target: Windows Address Book & Windows Contacts
Hello,
I have found an HTML Injection vulnerability in Sun Java™ System Communications Express, a web client that provides an integrated web-based communication and collaboration client to the Sun Java Communications Suite. It consists of three client modules - Calendar, Address Book, and Mail.
Here is a screen-shot that demonstrates the vulnerability:
http://sosoblood.freehostia.com/SJSC/html_injection.gif
As we can see in the picture, I was able to inject some HTML and make my name in bold at the header of the page. Also, I was able to inject an image in the test message subject that I sent to myself.
One can also inject an IFRAME or any HTML tag.
Advisory number: SN-2007-01
Advisory URL: http://www.securenetwork.it/advisories/, http://www.ikkisoft.com
*** SUMMARY ***
GCALDaemon is an OS-independent Java program that offers two-way synchronization between Google Calendar and various iCalendar compatible calendar applications. GCALDaemon is primarily designed as a calendar synchronizer but it can also be used as a Gmail notifier, Address Book importer, Gmail terminal and RSS feed converter.
Sunbird/Kontact/Firefox/ThunderBird/Mozilla Calendar all share calendars over HTTP, by uploading their file via an HTTP PUT and getting/refreshing their calendar with an HTTP GET. GCALDaemon's built-in HTTP server keeps these HTTP messages in sync with a specified Google Calendar. An input validation flaw permits crafting an HTTP request with an abnormal Content-Length value; this malformed request can trigger a denial of service that arises from a Java out-of-memory fatal error.
*** VULNERABILITY DETAILS ***
--------------------------------------------------------------------
MULTIPLE SQL INJECTION VULNERABILITIES --PHP-AddressBook v-4.0.X-->
--------------------------------------------------------------------
CMS INFORMATION:
-->WEB: http://sourceforge.net/projects/php-addressbook/
-->DOWNLOAD: http://sourceforge.net/projects/php-addressbook/
-->DEMO: http://php-addressbook.sourceforge.net/demo/
-->CATEGORY: Address Book
"POP Peeper is an email notifier that runs in your Windows task bar and
alerts you when you have new email on your POP3, IMAP (with IDLE
support), Hotmail\MSN\LiveMail, Yahoo, GMail, Mail.com, MyWay, Excite,
iWon, Lycos.com, RediffMail, Juno and NetZero accounts. IMAP support
allows you to access AOL, AIM, Netscape and other services. Send mail
directly from POP Peeper and use the address book to email your
frequently used contacts. POP Peeper allows you to view messages using
HTML or you can choose to safely view all messages in rich or plain
text. Several options are available that will decrease or eliminate the
risks of reading your email (viruses, javascript, webbugs, etc). POP
Peeper can be run from a portable device and can be password protected.
module.
CVE-2009-4415
Multiple directory traversal vulnerabilities were found in the
addressbook module.
CVE-2009-4416
The authentication module is affected by cross-site scripting.
II. BACKGROUND
-------------------------
Atmail allows users to access IMAP mailboxes on any server of their
choice. The software provides a comprehensive email suite for
accessing user mailboxes, and provides inbuilt Calendar and
Addressbook features. The WebMail client of Atmail supports any
existing IMAP server running under Unix/Linux or Windows systems.
III. DESCRIPTION
-------------------------
A reflected XSS vulnerability has been detected in the login process
"he was trying to attack". In the vast majority of cases, it's some malware
that's gotten onto the machine and is doing the attacking totally without
the user's knowledge.
Remember - if the sender is known to you, they probably have your e-mail
address in a file (address book, saved mail, whatever), where malware can
grovel through it and find likely addresses to send itself.
Background
==========
eGroupWare is a suite of web-based group applications including
calendar, address book, messenger and email.
Affected packages
=================
-------------------------------------------------------------------
http://Aria-Security.Net
------------------------------------
Web based alpha tabbed address book SQL Injection [codewidgets.com]
Poc
index.asp?alpha='[SQL INJECTION]
Credits Go To Aria-Security Team
Regards,
The-0utl4w
websites. This is a commercial application.
Keep your family "Connected" with this content management
system (CMS) designed specifically with families in mind.
Key features are: a message board, a photo gallery,
a blog-like "Family News" section, a calendar, an
address book and recipe sharing section.
Each family member has their own personal settings, like
the ability to change the website's theme.
Now with Portuguese, Czech, English, Estonian, German, and
Spanish language Support....
After our Online Binary Planting Exposure Test became defunct as a result of
Microsoft fixing the Windows Address Book binary planting bug, we updated the test
with two unfixed vulnerabilities. Everyone is welcome to keep testing their Windows
computers for Internet-based binary planting attacks.
Online Binary Planting Exposure Test
http://www.binaryplanting.com/test.htm
Blog entry with a bit of background