api
VMware ACE 2.6,
VMware ACE 2.5.3 and earlier,
VMware Server 2.0.2 and earlier,
VMware Fusion 3.0,
VMware Fusion 2.0.6 and earlier,
VMware VIX API for Windows 1.6.x,
VMware ESXi 4.0 before patch ESXi400-201002402-BG
VMware ESXi 3.5 before patch ESXe350-200912401-T-BG
Flickr's API Signature Forgery Vulnerability
http://netifera.com/research/flickr_api_signature_forgery.pdf
September 29, 2009
--Affected Web Sites
A lot of web sites provide API services whose architecture is the same
as Flickr's API. They are potentially vulnerable.
VMware Security Advisory
Advisory ID: VMSA-2008-0009
Synopsis: Updates to VMware Workstation, VMware Player,
VMware ACE, VMware Fusion, VMware Server, VMware
VIX API, VMware ESX, VMware ESXi resolve critical
security issues
Issue date: 2008-06-04
Updated on: 2008-06-04 (initial release of advisory)
CVE numbers: CVE-2007-5671 CVE-2008-0967 CVE-2008-2097
CVE-2008-2100 CVE-2006-1721 CVE-2008-0553
small organisations with a few servers and for large companies with a
multitude of servers.
III. INTRODUCTION
-------------------------
Zabbix version 1.8 introduces an API which is vulnerable to an SQL Injection
attack (up to 1.8.2). No authentication required.
IV. DESCRIPTION
-------------------------
Introduction
------------
Apache Jackrabbit is a fully conforming implementation of the Content
Repository for Java Technology API (JCR). A content repository is a
hierarchical content store with support for structured and unstructured
content, full text search, versioning, transactions, observation, and
more. See the Jackrabbit web site at http://jackrabbit.apache.org/ for
more information.
due to required PIN re-entry and the need for user attention. Triggering
this bug (repeatedly in case no PIN is present) is considered a remote DoS
condition.
The second report addresses a number of issues discovered in Android's
Dalvik API; one of them has been classified by the Android team as a DoS
vulnerability which leads to restarting the system process.
A specific malicious application can be crafted so that if it is
downloaded and executed by the user, it would trigger the vulnerable API
function and restart the system process. The same condition could occur if
I have run across a design issue in VMware's scripting automation API that
diminishes VM guest/host isolation in such a manner to facilitate privilege
escalation, spreading of malware, and compromise of guest operating systems.
VMware's scripting API allows a malicious script on the host machine to
execute programs, open URLs, and perform other privileged operations on any
guest operating system open at the console, without requiring any
credentials on the guest operating system. Furthermore, the script can
execute programs even if you lock the desktop of the guest OS.
> utilities *and* you are currently logged into a GUI desktop running the
> vmware userland process.
VMWare constantly reminds you that you don't have the vmware guest tools
installed. I'd say that most people do install them. But that doesn't matter
anyway because you can just use the VIX API function VixVM_InstallTools to
install them if they aren't already there.
And you do not need to be logged in, the VIX API allows you to wait until
the command actually runs. So it can just sit there until the next time you
do log in to the console.
Open redirection vulnerability in the Drupal API function drupal_goto
(Drupal 6.15 and 5.21)
Discovered by Martin Barbella <martybarbella@gmail.com>
Description of Vulnerability:
-----------------------------
Drupal is a free software package that allows an individual or a
community of users to easily publish, manage and organize a wide
variety of content on a website (http://drupal.org/about).
Chroot is an operation that changes the apparent root directory for the
current process and its children. The chroot(2) system call is widely
used in many applications as a measure of limiting a process's access to
the file system, as part of implementing privilege separation.
The nsdispatch(3) API implementation has a feature to reload its
configuration on demand. This feature may also load shared libraries
and run code provided by the library when requested by the configuration
file.
II. Problem Description
Basically it supports 64 bits Windows, has a few more features, and
comes with a crash analyzer. PyDbg on the other hand supports Mac OS
and is integrated to PaiMei. So both frameworks have their own
advantages.
Also the programming API for PyDbg is much simpler (but still
powerful), but WinAppDbg's is more complete, documented, and object
oriented.
So if I were you, I wouldn't rush to port all my already written code
to WinAppDbg :) but if you're about to code something new you might
just ends up being more efficient than clicking your way around. The GUI
because we understand that we are visual beings that often can
grasp more from a single look at a graphical layout than from two days
of x/x-ing memory pages.
The third feature we required was full flexible access to the debugging API,
the graphing engine, and the GUI API. Because having to Re-Compile
plugins is lame, we decided to make everything accessible from Python.
So we put everything together and developed something we feel very
comfortable using.
Firstly, "the sky isn't falling, the risks posed by the gadget API already
existed elsewhere in Windows generally, but this is another new attack
surface without any legacy dependencies". This is my general view on the
gadget API.
On Sunday 16 September 2007 13:34:32 Thierry Zoller wrote:
> PG> No, this is an entirely new level of attack,
> "New level of attack", what makes you believe that?
Summary:
RSA, The Security Division of EMC, announces security fixes and improvements for RSA SecurID Software Token 4.1 for Microsoft Windows
This release addresses an Insecure Library Loading vulnerability within RSA SecurID Software Token for Windows (CVE-2011-4141).
This release also provides an alternate installation package for customers who do not require the software token automation API features of the product.
Further information about these resolutions can be found in the RSA SecurID Software Token 4.1 for Microsoft Windows Release Notes.
Platforms:
Hi there,
First of all - please forgive me, I'm not a developer and I don't use
the automation API. However, I use VMware a lot for development. I
have a Windows XP host machine and I use VMware to develop Linux code
(Debian Etch, Linux 2.6).
On 8/23/07, Arthur Corliss <corliss@digitalmages.com> wrote:
> On Wed, 22 Aug 2007, M. Burnett wrote:
>
Feb 26, 2008
I. BACKGROUND
Symantec Scan Engine is a standalone Anti-Virus Engine that exposes a
scanning Application Programming Interface (API) directly to developers
who wish to integrate protection into their own custom applications.
More information is available on the vendor's site at the following
URL.
http://www.symantec.com/enterprise/products/overview.jsp?pcid=1008&pvid=836_1
contain ToolTalk objects.
File and ToolTalk object information is stored in a records database managed
by rpc.ttdbserverd.
* libtt is the ToolTalk application programming interface (API) library.
Applications include the API library in their program and call the ToolTalk
functions in the library.
The ToolTalk service uses the Remote Procedure Call (RPC) to communicate between
Cisco Unified Communications Manager software versions 5.x, 6.x, and
7.x store user information as a part of the internal Cisco Unified
Communications Manager configuration database. The IP Phone PAB
Synchronizer client uses the AXL application programming interface
(API) to perform address book synchronization. After a client
successfully authenticates, the Cisco Unified Communications Manager
returns credentials for a database user account named TabSyncSysUser
that will be used by the client to synchronize a user's address
book. The TabSyncSysUser account has full read and write privileges
to the Cisco Unified Communications Manager configuration database.
Cc: bugtraq@securityfocus.com
Subject: Re: VMWare poor guest isolation design
On Wed, 22 Aug 2007, M. Burnett wrote:
> I have run across a design issue in VMware's scripting automation API that
> diminishes VM guest/host isolation in such a manner to facilitate privilege
> escalation, spreading of malware, and compromise of guest operating systems.
* Chained lists (when a value is selected in a field, another field gets updated with a list relevant to that value)
* Automatic updates to some QC components (Test, Test Set, Defect objects, hidden fields)
* Hiding information depending on the user's group (used when a project is shared with different vendors)
* Others
The workflow is often driven by using the OTA (Open Test Architecture), the Quality Center API. This API allows the manipulation of any QC object (e.g. Subject folder, Test/Defect objects, Fields, etc.). It also allows the direct manipulation of the database used by Quality Center.
Issue
-------
When a user connects to Quality Center, the cache folder is automatically updated with the latest VBScript workflow files. Those files are then read by the QC front-end only once for the whole session. They are then used by the application whenever the associated events are raised.
network scanners. This greatly improved the reliability of the existing
scanners and allowed for dozens of new ones to be developed. Scanner
modules now report their progress as they scan the network and the
frequency of reports can be controlled through advanced options.
A simple fuzzer API has been added as a mixin, along with over a dozen
new fuzzer modules that demonstrate their use and capabilities. While
fuzzing is not the focus of the framework, the API is easy to use and
can meet the requirements of many on-the-spot service tests. Ryan Linn's
HTTP NTLM capture module has been integrated into the framework.
On Wed, 22 Aug 2007, M. Burnett wrote:
> I have run across a design issue in VMware's scripting automation API that
> diminishes VM guest/host isolation in such a manner to facilitate privilege
> escalation, spreading of malware, and compromise of guest operating systems.
>
> VMware's scripting API allows a malicious script on the host machine to
> execute programs, open URLs, and perform other privileged operations on any
> guest operating system open at the console, without requiring any
> credentials on the guest operating system. Furthermore, the script can
507 MB EXE image VMware Server 2 for Windows Operating Systems. A
master installer file containing all Windows components of VMware
Server.
md5sum: d0eefaa79e42d13a693c4d732a460ba4
VIX API 1.6 for Windows.
Version 1.6.2 | 156745 - 03/31/09 37 MB EXE image
md5sum: ad531ed3c37c0a50fb915981f83ca133
For Linux
==================
The WinAppDbg python module allows developers to quickly code instrumentation
scripts in Python under a Windows environment.
It uses ctypes to wrap many Win32 API calls related to debugging, and provides
an object-oriented abstraction layer to manipulate threads, libraries and
processes, attach your script as a debugger, trace execution, hook API calls,
handle events in your debuggee and set breakpoints of different kinds (code,
hardware and memory). Additionally it has no native code at all, making it
easier to maintain or modify than other debuggers on Windows.