Original release: 2011-10-18
Last update: 2011-10-18
Topic: KDC denial of service vulnerabilities
CVE-2011-1527: null pointer dereference in KDC LDAP back end
CVSSv2 Vector: AV:N/AC:L/Au:N/C:N/I:N/A:C/E:H/RL:OF/RC:C
CVSSv2 Base Score: 7.8
Original release: 2011-02-08
Last update: 2011-02-08
Topic: KDC denial of service attacks
CVE-2011-0281: KDC vulnerable to hang when using LDAP back end
CVSSv2 Vector: AV:N/AC:L/Au:N/C:N/I:N/A:C/E:H/RL:OF/RC:C
CVSSv2 Base Score: 7.8
The first weakness affecting the Cisco CSS is that, in a typical client
certificate configuration, HTTP clients may confuse web applications by
injecting their own certificate headers. When utilizing the CSS to
terminate SSL communications, SSL client certificates are first
authenticated by the CSS. From there, the CSS will normally pass the
client's identity to the back-end web server in the form of several HTTP
headers as shown below:
ClientCert-Subject: XXX
ClientCert-Subject-CN: XXX
ClientCert-Fingerprint: XXX
====================
Vulnerability :
When the device is used as a server load balancer and/or SSL offloader, it is
possible to send requests to the backend without leaving any IP address in the
HTTP server logs. It is therefore possible to carry out any L7 HTTP attack
anonymously.
A bug request has been opened with Cisco TAC; it has been classified as
"work as designed".
Description:
Unauthenticated SQL Injection:
Client input is being used to generate queries passed to the backend
database server. This input is not sufficiently sanitized before being
passed to the backend database server. As a result, a malicious user may
be able to craft queries that will be run on the backend database server
without any authentication, leading to sensitive information such as
administrator passwords being retrieved.
content management framework. The Common Vulnerabilities and Exposures
project identifies the following problems:
CVE-2009-3628
The Backend subcomponent allows remote authenticated users to
determine an encryption key via crafted input to a form field.
CVE-2009-3629
Multiple cross-site scripting (XSS) vulnerabilities in the
High
=== Problem Description ===
Because the default value of the TYPO3 configuration variable fileDenyPattern is not sufficiently secure, TYPO3 is susceptible to the following vulnerabilities when running on the Apache web server:
1. Authenticated backend users with granted access to an arbitrary filemount are able to upload Apache configuration files (.htaccess). A malicious backend user may abuse this to create and execute files containing arbitrary code.
2. If the Apache module mod_mime is enabled on the Apache web server (default case), authenticated backend users with granted access to an arbitrary filemount can upload/create and execute arbitrary files with PHP code. The same applies to frontend users in the case that TYPO3 extensions with frontend plugins rely on t3lib_div::verifyFilenameAgainstDenyPattern() to check the validity of the file name. The TYPO3 security team is aware of a number of popular TYPO3 extensions that use this method. Besides that, TYPO3 extensions that process file uploads using the method processFiles() of the core library fe_adminLib.inc would also be vulnerable. The TYPO3 Security Team is not aware of an existing TYPO3 extension within the TYPO3 extension repository (TER) that uses the method processFiles().
=== Solution ===
Update to the TYPO3 versions 4.1.7 or 4.2.1 that fix the issues described. The new versions contain an updated default value for fileDenyPattern. If this default value is not used, there will be a warning displayed in backend module "About modules". This should remind the administrator to change the value of fileDenyPattern.
1. OVERVIEW
The administration backend of PHP-Nuke 8.x is vulnerable to Blind SQL Injection.
2. BACKGROUND
PHP-Nuke is a Web Portal System or content management system. The goal
Advisory: SilverStripe 2.4.5 Multiple backend Cross-site scripting vulnerabilities
Advisory ID: SSCHADV2011-024
Author: Stefan Schurtz
Affected Software: Successfully tested on SilverStripe 2.4.5
Vendor URL: http://www.silverstripe.com/
Vendor Status: informed
CVE-ID: -
==========================
Vulnerability Description:
On Sat, Oct 08, 2011 at 08:22:12AM +0000, sschurtz@t-online.de wrote:
> Advisory: SilverStripe 2.4.5 Multiple backend Cross-site scripting vulnerabilities
> Advisory ID: SSCHADV2011-024
> Author: Stefan Schurtz
> Affected Software: Successfully tested on SilverStripe 2.4.5
> Vendor URL: http://www.silverstripe.com/
> Vendor Status: informed
> CVE-ID: -
>
> ==========================
3. VULNERABILITY DESCRIPTION
The 'site_footer', 'name' and 'explanation' parameters are not properly
sanitized in the administration backend of Drupal 5.x and 6.x,
which could allow attackers to conduct stored cross-site scripting
attacks.
4. VERSIONS AFFECTED
Multiple vulnerabilities have been found and corrected in krb5:
The kdb_ldap plugin in the Key Distribution Center (KDC) in
MIT Kerberos 5 (aka krb5) 1.9 through 1.9.1, when the LDAP
back end is used, allows remote attackers to cause a denial of
service (NULL pointer dereference and daemon crash) via a kinit
operation with incorrect string case for the realm, related to the
is_principal_in_realm, krb5_set_error_message, krb5_ldap_get_principal,
and process_as_req functions (CVE-2011-1527).
This vulnerability was discovered and researched by Esteban Martínez
Fayó of Application Security Inc.
Details:
Oracle Application Server installs the PL/SQL package WWEXP_API_ENGINE
owned by PORTAL in the backend Oracle database server. The 'ACTION'
procedure of this package has an instance of SQL Injection that allows
attackers to create anonymous PL/SQL programs and execute any kind of
PL/SQL statements. The statements are executed with the privileges of
the PORTAL user, which has DBA privileges. The vulnerability can be
exploited through the web application and without authentication.
Invisible Things Lab is proud to present:
"Adventures with a certain Xen vulnerability (in the PVFB backend)"
by
Rafal Wojtczuk
Overview
********
Oracle has just released a fix for a flaw that, when exploited, allows an
unauthenticated attacker on the Internet to gain full control of a backend
Oracle database server via the front end web server.
Details
*******
Oracle Application Server installs a number of PLSQL packages in the backend
Multiple vulnerabilities have been found and corrected in krb5:
The krb5_ldap_lockout_audit function in the Key Distribution Center
(KDC) in MIT Kerberos 5 (aka krb5) 1.8 through 1.8.4 and 1.9 through
1.9.1, when the LDAP back end is used, allows remote attackers to cause
a denial of service (assertion failure and daemon exit) via unspecified
vectors, related to the locked_check_p function (CVE-2011-1528).
The lookup_lockout_policy function in the Key Distribution Center (KDC)
in MIT Kerberos 5 (aka krb5) 1.8 through 1.8.4 and 1.9 through 1.9.1,
==================
Technical Details:
==================
Backend - XSS
http://<target>/school/starnet/index.php?option=stats&suboption='"</style></script><script>alert(document.cookie)</script>
http://<target>/school/starnet/index.php?option=pagemanager&suboption=newsection&site='"</style></script><script>alert(document.cookie)</script>
http://<target>/school/starnet/index.php?option=modulemanager&modoption=edit&module_number="</style></script><script>alert(document.cookie)</script>
http://<target>/school/starnet/index.php?option=modulemanager&module='"</style></script><script>alert(document.cookie)</script>
################################ IRANIAN THE BEST HACKERS IN THE WORLD ##################
#################### ####################
##
## Remote SQL injection Vulnerability
##
## BACKEND (categoria.php?id)
##
###############################################################
Services can be abused to reveal the source code of ASP.NET files.
=================
Technical Details
=================
SharePoint Team Services stores a variety of files in its backend
database. These files include site templates, custom ASP.NET pages and
documents that users of the application upload to the document libraries.
Insufficient validation in the input parameters of the download facility
can result in the source code of ASP.NET files being disclosed. For
McKesson Horizon Clinical Infrastructure, also known as McKesson HCI, utilizes hardcoded passwords
for Oracle database access. HCI serves as the patient record datastore for the majority of McKesson applications. There are two components to an HCI implementation: the Infrastructure (or Master) server
and the database back-end. The HCI Infrastructure Server has an Oracle client installed that initializes
OCI/sqlplus connections to the Oracle database back-end. A file on each HCI Infrastructure server
contains the database account usernames and their respective passwords, /usr/local/bin/password. Content from /usr/local/bin/password is shown:
# cat /usr/local/bin/password
AMBU:hacschema
QUEUE_USER:qmanager
SYS:alLp0ver2
could lead to denial of service through crafted search requests.
CVE-2007-6698
It was discovered that a programming error in the interface to the
BDB storage backend could lead to denial of service through
crafted modify requests.
CVE-2008-0658
It was discovered that a programming error in the interface to the
CMS Made Simple: backend cross site scripting (XSS), CVE-2010-1482
References
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-1482
http://int21.de/cve/CVE-2010-1482-cmsmadesimple-xss-backend.html
http://blog.cmsmadesimple.org/2010/05/01/announcing-cms-made-simple-1-7-1-escade/
Description
Introduction
============
sqlmap is an open source penetration testing tool that automates the
process of detecting and exploiting SQL injection flaws and taking
over back-end database servers. It comes with a broad range of
features ranging from database fingerprinting, through fetching data from
the database, to accessing the underlying file system and executing
commands on the operating system via out-of-band connections.
Changes
necessary changes.
Details follow:
Jonathan Clarke discovered that the OpenLDAP slapd server did not
properly handle modify requests when using the Berkeley DB backend
and the NOOP control was used. An authenticated user with modify
permissions could send a crafted modify request and cause a denial
of service via application crash. Ubuntu 7.10 is not affected by
this issue. (CVE-2007-6698)
Affected: 2007.0, 2007.1, 2008.0, Corporate 3.0, Corporate 4.0
_______________________________________________________________________
Problem Description:
Wei Wang found that the SNMP discovery backend in CUPS did not
correctly calculate the length of strings. If a user could be tricked
into scanning for printers, a remote attacker could send a specially
crafted packet and possibly execute arbitrary code (CVE-2007-5849).
As well, the fix for CVE-2007-0720 in MDKSA-2007:086 caused another
sqlmap is an automatic SQL injection tool developed in Python. Its goal
is to detect and take advantage of SQL injection vulnerabilities in web
applications. Once it detects one or more SQL injections on the target
host, the user can choose among a variety of options to perform an
extensive back-end database management system fingerprint, retrieve the DBMS
session user and database, enumerate users, password hashes, privileges and
databases, dump entire DBMS tables or user-specified tables/columns, run a
custom SQL SELECT statement, read specific files on the file system and
much more.
original post does prevent the themes from appearing but does not
execute the file in question. It is unclear based on their limited
information whether they are using a modified version of Horde or if
there were other factors that led to the behavior reported. However,
if a null byte can be inserted into the theme name (for instance when
using the LDAP preference backend, which stores preference values in
Base64 encoding), it does become possible to cause a file to be
included and executed.
Based on our research it is true that Horde 3.1.6 does suffer a local
file inclusion vulnerability which in certain configurations can also
+-------------+--------------------------------------------------------+
| CVE Name    | CVE-2007-4521                                          |
+-------------+--------------------------------------------------------+
| Description | If Asterisk is configured to use IMAP as its backend   |
|             | storage for voicemail, then an e-mail sent to a user   |
|             | with an invalid/corrupted MIME body will cause Asterisk|
|             | to crash when the user listens to their voicemail using|
|             | the phone.                                             |
+-------------+--------------------------------------------------------+
Elgg contains a flaw that may allow an attacker to carry out an
SQL injection attack. The issue is due to the script not properly
sanitizing user-supplied input to the 'container_guid' and 'owner_guid'
variables upon submission to 'mod/search/pages/search/index.php'.
This may allow an attacker to inject or manipulate SQL queries
in the backend database.
################
Versions affected
################
-->WEB: http://sourceforge.net/projects/flashquiz/
-->DOWNLOAD: http://sourceforge.net/projects/flashquiz/
-->DEMO: N/A
-->CATEGORY: CMS / Testing
-->DESCRIPTION: A Flash quiz system with a PHP/MYSQL back end supporting multiple
quizzes per instance, result tracking, and high score tracking.
-->RELEASED: 2009-04-13
CMS VULNERABILITY: