administrators

ACROS Security: HTML Injection in BEA (Oracle) WebLogic Server Console (ASPR #2009-01-27-1)

Document ID:     ASPR #2009-01-27-1-PUB
Vendor:          ORACLE (http://www.oracle.com)
Target:          Oracle WebLogic Server 10.0
Impact:          There is an HTML Injection vulnerability in WebLogic
                 Server 10 Administration Console that allows the
                 attacker to gain administrative access to the server.
Severity:        High
Status:          Official patch available, workarounds available
Discovered by:   Sasa Kos of ACROS Security


ACROS Security: HTML Injection in BEA WebLogic Server Console (ASPR #2008-03-11-1)

Document ID:     ASPR #2008-03-11-1-PUB
Vendor:          BEA Systems (http://www.bea.com)
Target:          BEA WebLogic Server 10.0
Impact:          There is an HTML Injection vulnerability in WebLogic
                 Server 10 Administration Console that allows the
                 attacker to gain administrative access to the server.
Severity:        High
Status:          Official patch available, workarounds available
Discovered by:   Sasa Kos and Mitja Kolsek of ACROS Security


ACROS Security: Session Fixation Vulnerability in WebLogic Administration Console (#2008-03-11-2)

=========================================================================
ACROS Security Problem Report #2008-03-11-2
-------------------------------------------------------------------------
ASPR #2008-03-11-2: Session Fixation Vulnerability in WebLogic 
                    Administration Console 
=========================================================================

Document ID:     ASPR #2008-03-11-2-PUB
Vendor:          BEA Systems (http://www.bea.com)
Target:          BEA WebLogic Server 10.0

RE: [Full-disclosure] Flaw in Microsoft Domain Account Caching Allows Local Workstation Admins to Temporarily Escalate Privileges and Login as Cached Domain Admin Accounts (2010-M$-002)

>change permissions / passwords for another user or another user, thus
>getting full admin rights on all systems for a long period of time. Plus whatever
>havoc might be caused by having the ability to change rights on fileshares to
>allow the new domain admin to see confidential files..

People, PLEASE at least take the time to read the OP before just adding comments.  You don't get any "temporary domain admin privileges."  Period.   Authenticating against cached domain credentials on a local system cannot be used for ANYTHING other than logging on to the local system when a controller is not available.  Period.   Now, please read this part carefully:  *You must be a local administrator to use utilities to overwrite the cached verifier of cached credentials.*  The most you can do is to allow yourself to log on as an account that has local admin.  YOU ARE ALREADY A LOCAL ADMIN AT THIS POINT.

1) You MUST be local admin to access the cached domain credentials. 
2) You can't log on to any network resources as the cached user.
3) You can't log on to another workstation as the cached user.
4) You can't access any EFS or other user-based data as the cached user.

Re: [Full-disclosure] Flaw in Microsoft Domain Account Caching Allows Local Workstation Admins to Temporarily Escalate Privileges and Login as Cached Domain Admin Accounts (2010-M$-002)

to see confidential files..

I would expect that the intent is to use another flaw for a normal
user to become a local admin, and then jump to domain admin via this.

So yes. In an enterprise environment, the "domain administrator" is "bigger".

Cheers,

On Fri, Dec 10, 2010 at 4:15 PM, Thor (Hammer of God)
<thor@hammerofgod.com> wrote:

Re: RE: [Full-disclosure] Flaw in Microsoft Domain Account Caching Allows Local Workstation Admins to Temporarily Escalate Privileges and Login as Cached Domain Admin Accounts (2010-M$-002)

> fileshares to allow the new domain admin to see confidential files..
>
> I would expect that the intent is to use another flaw for a normal user to
> become a local admin, and then jump to domain admin via this.
>
> So yes. In an enterprise environment, the "domain administrator" is
> "bigger".
>
> Cheers,
>
> On Fri, Dec 10, 2010 at 4:15 PM, Thor (Hammer of God) <thor@hammerofgod.com>

RE: [Full-disclosure] Flaw in Microsoft Domain Account Caching Allows Local Workstation Admins to Temporarily Escalate Privileges and Login as Cached Domain Admin Accounts (2010-M$-002)

Wow.  I guess you didn't read the post either.  I'm a bit surprised that a Sr. Network Engineer thinks that Group Policies "differentiate between local and Domain administrators."  You're making it sound like you think Group Policy application has some "magic permissions" or something, or that a "domain administrator" is a "bigger" administrator than the local administrator.

Group Policy loads from the client via the Group Policy Client service.   If I'm a local admin, I can just set my local system to not process group policy via the GPExtensions hive.  Done.  If I take the domain admin out of my local administrators, they can't do anything.  Done.  

How exactly do you think this is problematic for "shops that differentiate between desktop support and AD support"?  (whatever that means).

t

>-----Original Message-----
>From: full-disclosure-bounces@lists.grok.org.uk [mailto:full-disclosure-

CORE-2009-0114 - HTTP Response Splitting vulnerability in Sun Delegated Administrator

          Core Security Technologies - CoreLabs Advisory
               http://www.coresecurity.com/corelabs/

HTTP Response Splitting vulnerability in Sun Delegated Administrator



1. *Advisory Information*


ACROS Security: HTML Injection in Oracle WebLogic Server Console (ASPR #2009-10-30-1)

Document ID:     ASPR #2009-10-30-1-PUB
Vendor:          Oracle (http://www.oracle.com)
Target:          Oracle WebLogic Server 10.3
Impact:          There is an HTML Injection vulnerability in WebLogic
                 Server 10.3 Administration Console that allows the
                 attacker to gain administrative access to the server.
Severity:        High
Status:          Official patch available, workarounds available
Discovered by:   Luka Treiber of ACROS Security


RE: Flaw in Microsoft Domain Account Caching Allows Local Workstation Admins to Temporarily Escalate Privileges and Login as Cached Domain Admin Accounts (2010-M$-002)

Your objections are mostly true in a normal sense.  However, it is not
true when Group Policy is taken into account.  Group Policies
differentiate between local and Domain administrators and so this
vulnerability is problematic for shops that differentiate between
desktop support and AD support.


George Carlson
Sr. Network Engineer
(804) 423-7430

Re: Flaw in Microsoft Domain Account Caching Allows Local Workstation Admins to Temporarily Escalate Privileges and Login as Cached Domain Admin Accounts (2010-M$-002)

> TITLE:
> Flaw in Microsoft Domain Account Caching Allows Local Workstation
> Admins to Temporarily Escalate Privileges and Login as Cached Domain
> Admin Accounts

There is NO privilege escalation. A local administrator is an administrator
is an administrator...

> SUMMARY AND IMPACT:
> All versions of Microsoft Windows operating systems allow real-time
> modifications to the Active Directory cached accounts listing stored

RE: [Full-disclosure] Flaw in Microsoft Domain Account Caching Allows Local Workstation Admins to Temporarily Escalate Privileges and Login as Cached Domain Admin Accounts (2010-M$-002)

>> TITLE:
>> Flaw in Microsoft Domain Account Caching Allows Local Workstation
>> Admins to Temporarily Escalate Privileges and Login as Cached Domain
>> Admin Accounts
>
>There is NO privilege escalation. A local administrator is an administrator is an
>administrator...
>
>> SUMMARY AND IMPACT:
>> All versions of Microsoft Windows operating systems allow real-time
>> modifications to the Active Directory cached accounts listing stored

Cisco Security Advisory: Cisco Unified Communications Manager IP Phone Personal Address Book Synchronizer Privilege Escalation Vulnerability

Administrators of systems that are running Cisco Unified
Communications Manager software version 4.x can determine the
software version by navigating to Help > About Cisco Unified
CallManager and selecting the Details button via the Cisco Unified
Communications Manager administration interface.

Administrators of systems that are running Cisco Unified
Communications Manager software versions 5.x, 6.x, and 7.x can
determine the software version by viewing the main page of the Cisco
Unified Communications Manager administration interface. The software

IBM BladeCenter Advanced Management Module Multiple vulnerabilities

   "Provides easy integration to promote innovation and help manage
    growth, complexity and risk"

   During a quick overview of BladeCenter AMM web access, it was
   discovered that the web administration interface has multiple
   vulnerabilities regarding input and request validation.

Details:

   Cross Site Scripting

[MORNINGSTAR-2009-02] Multiple security issues in Cute News and UTF-8 Cute News

exploit was published in January 2009.

Attackers without a registered account, or with a comment-level account, 
can exploit cross-site scripting (XSS) to steal cookies from other 
users, a cross-site request forgery (CSRF) vulnerability to execute 
administrator functions including adding a new administrator account, 
and a file path disclosure vulnerability.

Attackers with an administrator account, possibly gained by using the 
exploits described above, can exploit local file inclusion and command 
execution vulnerabilities to execute arbitrary commands. Journalist and 

CORE-2009-01515 - WordPress Privileges Unchecked in admin.php and Multiple Information

A vulnerability was found in the way that WordPress handles some URL
requests. This results in unprivileged users viewing the content of
plugin configuration pages, and, for some plugins, in modifying plugin
options and injecting JavaScript code. Arbitrary native code may be run
by a malicious attacker if the blog administrator runs injected
JavaScript code that edits blog PHP code. Many WordPress-powered blogs
hosted outside 'wordpress.com' allow any person to create unprivileged
users called subscribers. Other sensitive username information
disclosures were found in WordPress.


Multiple vulnerabilities in dotProject

High-Tech Bridge Security Research Lab discovered multiple vulnerabilities in dotProject, which can be exploited to perform SQL injection and cross-site scripting (XSS) attacks.


1) SQL Injection in dotProject: CVE-2012-5701

High-Tech Bridge Security Research Lab has discovered multiple SQL injection vulnerabilities in the dotProject administrative interface. A remote authenticated administrator can execute arbitrary SQL commands in the application's database. These vulnerabilities could also be exploited by a remote non-authenticated attacker via a CSRF vector, since the application is prone to cross-site request forgery attacks. To do so, an attacker would need to trick a logged-in administrator into visiting a web page containing the CSRF exploit.

1.1 The vulnerability exists due to insufficient sanitisation of input passed via the "search_string" HTTP GET parameter to the index.php script. A remote authenticated administrator can execute arbitrary SQL commands in the application's database.

Depending on the database and system configuration, this PoC code will create a /tmp/file.txt file containing the MySQL server version:


[SECURITY] CVE-2010-4172: Apache Tomcat Manager application XSS vulnerability

 %>
 <head>
     <meta http-equiv="content-type" content="text/html;
charset=iso-8859-1"/>
@@ -45,7 +47,7 @@
        <title>Sessions Administration: details for <%= currentSessionId
%></title>
 </head>
 <body>
- -<h1>Details for Session <%= JspHelper.escapeXml(currentSessionId) %></h1>
+<h1>Details for Session <%= currentSessionId %></h1>
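Review bot: the `+` line in this hunk replaces `JspHelper.escapeXml(currentSessionId)` with a bare `currentSessionId` inside the `<h1>`, so a session id containing markup would be written into the page unescaped; the `<title>` element at the top of the same hunk also emits `currentSessionId` without escaping. Both should pass through `JspHelper.escapeXml(...)`, as the removed line did. The `- -` prefix on the removed line is PGP dash-escaping from the clear-signed mail, not part of the patch.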

Re: Flaw in Microsoft Windows SAM Processing Allows Continued Administrative Access Using Hidden Regular User Masquerading After Compromise (2010-M$-001)

To all,

The reason I wrote this article was not to explain how to create a hidden 
user account.  I wrote the article to show you that you can modify the SAM 
in real time in a way that is undetectable by ANYONE.  This modification 
allows you to masquerade any user account as the built-in Administrator.

Christian,

"Continued Access" to a system means that someone has compromised a system 
and they have continued access.  This implies that the administrators don't 

Re: Flaw in Microsoft Windows SAM Processing Allows Continued Administrative Access Using Hidden Regular User Masquerading After Compromise (2010-M$-001)

Hi!
> 
> The reason I wrote this article was not to explain how to create a hidden 
> user account.  I wrote the article to show you that you can modify the SAM 
> in real time in a way that is undetectable by ANYONE.  This modification 
> allows you to masquerade any user account as the built-in Administrator.
> 
> Christian,
> 
> "Continued Access" to a system means that someone has compromised a system 
> and they have continued access.  This implies that the administrators don't 

Cisco Security Advisory: Cisco TelePresence System Integrator C Series and Cisco TelePresence EX Series Device Default Root Account Manufacturing Error

+------------------

All Cisco TelePresence System Integrator C Series, Cisco TelePresence
EX Series, and Cisco TelePresence Quick Set products that were
distributed within the designated timeframe are potentially affected.
Administrators can determine the status of their device by using the
Serial Number Validator located at the following link:
http://serialnumbervalidation.com/PSIRT-20111026

The Serial Number Validator tool will indicate if the device was
affected when the product was shipped. If a factory reset or software

Cisco Security Advisory: Cisco SA 500 Series Security Appliances Web Management Interface Vulnerabilities

There are multiple methods to determine the version of system
software that is running on a device. At the device web login screen,
the system software version is displayed under the "Security
Appliance Configuration Utility" heading. Administrators can also log
in to a device through the web management interface and navigate to
Administration > Firmware & Configuration > Network. The Primary
Firmware field appears below Status Information. The number directly
beside the Primary Firmware field is the system software version.

Alternately, after logging in to the device, administrators can click
on the About link on top right side of the screen. The system

Cisco Security Advisory: Multiple Vulnerabilities in Cisco Network Building Mediator

Default credentials
+------------------

Default credentials are assigned for several predefined user accounts
on the device including the administrative user account. Any user
with network access to the device can log in as an administrator and
take complete control over the vulnerable device.

  * CSCtb83495 ( registered customers only) has been assigned the CVE
    identifier CVE-2010-0595.


Cisco Security Advisory: Cisco Unified Communications Manager Denial of Service Vulnerabilities

  * Cisco Unified Communications Manager 6.x versions prior to 6.1(1)

Administrators of systems running Cisco Unified Communications
Manager version 4.x can determine the software version by navigating
to Help > About Cisco Unified CallManager and selecting the Details
button via the Cisco Unified Communications Manager Administration
interface.

Administrators of systems that are running Cisco Unified
Communications Manager versions 5.x and 6.x can determine the
software version by viewing the main page of the Cisco Unified

CORE-2010-1118: Oracle GlassFish Server Administration Console Authentication Bypass

  Core Security Technologies - Corelabs Advisory
       http://corelabs.coresecurity.com/

Oracle GlassFish Server Administration Console Authentication Bypass


1. *Advisory Information*

Title: Oracle GlassFish Server Administration Console Authentication Bypass

[waraxe-2013-SA#097] - Multiple Vulnerabilities in PHP-Fusion 7.02.05

Description of vulnerable software:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

PHP-Fusion is a light-weight open-source content management system (CMS)
written in PHP 5. It utilises a MySQL database to store your site content and
includes a simple, comprehensive administration system. PHP-Fusion includes the
most common features you would expect to see in many other CMS packages. 

http://www.php-fusion.co.uk/news.php
http://sourceforge.net/projects/php-fusion/


IBM OmniFind - several vulnerabilities

+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Technical details:

* Cross-Site-Scripting (XSS) (CVE-2010-3890)

The GET parameter »command« used inside the administration interface is
embedded directly into the HTML source without any input validation or
output sanitization. Using this parameter, the attacker can inject arbitrary
JavaScript code which will be run in the session context of other users.
As session credentials are stored within cookies, an attacker can steal
the cookie information and impersonate (CVE-2010-3893) the session and