Cisco Security Advisory: Default Passwords in the Application Velocity System

=======

Versions of the Cisco Application Velocity System (AVS) prior to
software version AVS 5.1.0 do not prompt users to modify system account
passwords during the initial configuration process. Because there is no
requirement to change these credentials during the initial configuration
process, an attacker may be able to leverage the accounts that have
default credentials, some of which have root privileges, to take full
administrative control of the AVS system.

After upgrading to software version AVS 5.1.0, users will be prompted to

Hosting Controller - Multiple Security Bugs (Extremely Critical)

####################
- Discussion:
####################

1- [Remote Attacker] can log in to the Hosting Controller panel. He can also change all other users' passwords.
2- [User] can copy a file to the Hosting Controller web directory, which is executed with administrative privileges, so an attacker can execute his commands with administrative privileges, e.g. an attacker can gain remote desktop access to the server using this bug and uploading an ASP file!
3- [Remote Attacker] can create a new user.
4- [Remote Attacker] can change all users' profiles.
5- [User] can see all the database information by a SQL injection.
6- [User] can change his credit amount or increase his discount.

Cisco Security Advisory: Default Credentials Vulnerability in Cisco Network Registrar

Summary
=======

Cisco Network Registrar Software Releases prior to 7.2 contain a
default password for the administrative account. During the initial
installation, users are not forced to change this password, allowing
it to persist after the installation. An attacker who is aware of
this vulnerability could authenticate with administrative privileges
and arbitrarily change the configuration of Cisco Network Registrar.

The upgrade to Software Release 7.2 is not free; however, a

Cisco Security Advisory: Cisco Secure Access Control System Unauthorized Password Change Vulnerability

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Cisco Security Advisory: Cisco Secure Access Control System Unauthorized
Password Change Vulnerability

Advisory ID: cisco-sa-20110330-acs

Revision 1.0


[security bulletin] HPSBUX02286 SSRT071466 rev.1 - HP-UX Running System Administration Manager (SAM), Unintended Remote Access

HP is documenting the following actions and patches to resolve the vulnerability.
The updates are available from: http://itrc.hp.com 
 
HP-UX Release - HP-UX B.11.11 (11i v1)
Action - Install PHCO_36562 or subsequent; change NFS configuration as needed
 
HP-UX Release - HP-UX B.11.23 (11i v2)
Action - Install PHCO_36563 or subsequent; change NFS configuration as needed
 


Cisco Security Advisory: Cisco uBR10012 Series Devices SNMP Vulnerability

Changing SNMP community string and restricting access
+----------------------------------------------------

By default, Cisco uBR10012 series devices that are configured for
linecard redundancy use a community string of private. This community
string can be changed in Cisco IOS versions 12.3(13)BC and later. It
is recommended to change the community string and apply access
control restrictions that only permit authorized devices SNMP access
to the device.

The following configuration example provides operators with

[DSECRG-09-062] Alteon OS BBI (Nortel) - Multiple Vulnerabilities

***********

Browser-Based Interface (BBI) software is included in the Nortel Networks (versions < 25.0.0.0) and Radware
family of switches. The BBI software lets you use your Web browser to access switch
information and statistics and to perform switch configuration via the Internet. These
vulnerabilities allow remote attackers to change the switch configuration.


Details:
*******


CA Products That Embed Ingres Multiple Vulnerabilities

Affected Products:
Admin r8.1 SP2
Advantage Data Transformer r2.2
Allfusion Harvest Change Manager r7.1
CA ARCserve Backup for Unix r11.1, r11.5 GA/SP1/SP2/SP3
CA ARCserve Backup for Linux r11.1, r11.5 GA/SP1/SP2/SP3
CA Directory r8.1
CA Job Management Option R11.0
CA Single Sign-On r8.1

[MORNINGSTAR-2009-02] Multiple security issues in Cute News and UTF-8 Cute News

The allows a journalist or editor level user to edit any article.

By default a journalist user cannot edit his own news articles. Using 
this method, a journalist can submit an article, have it approved by the 
admin, then later change it to include stored XSS.
           
8.10.1 Proof of concept exploit

Article IDs can be found in the links from this page: 
http://localhost/test/cutenews/index.php?mod=editnews&action=list

Cisco Security Advisory: Cisco Wireless Control System Conversion Utility Adds Default Password

=======

Customers who use the CiscoWorks Wireless LAN Solution Engine (WLSE) may use a
conversion utility to convert over to a Cisco Wireless Control System (WCS).
This conversion utility creates and uses administrative accounts with default
credentials. Because there is no requirement to change these credentials during
the conversion process, an attacker may be able to leverage the accounts that
have default credentials to take full administrative control of the WCS after
the conversion has been completed.

Customers who have converted their CiscoWorks WLSE to a Cisco WCS are advised

Cisco Security Advisory: Default Credentials for root Account on the Cisco Media Experience Engine 5600

Cisco Media Processing Software releases prior to 1.2 ship with a
root administrator account that is enabled by default with a default
password. An unauthorized user could use this account to modify the
software configuration and operating system settings or gain complete
administrative control of the device. A software upgrade is not
required to resolve this vulnerability. Customers can change the root
account password by issuing a configuration command on affected
engines. The workarounds detailed in this document provide
instructions for changing the root account password.

This advisory is posted at:

Re: Re: Local vulnerability in suexec + FastCGI + PHP configurations

> > such as SSI, non-suexec CGI scripts, non-suexec PHP (if mod_php is also
> > installed), and likely numerous other options.
> 
> Once the attacker can run code as the same user the webserver runs as, he
> can make the webserver do whatever he wants. He can just 'debug' the
> webserver process and change any setting, inject code, whatever. You can
> php.ini whatever you want, and the attacker can just make the webserver
> read his own php.ini, or change the webserver memory after the fact, to
> make it think it read something else than you wrote.

This is not true, at least on most platforms, because webservers typically start as root and use setuid to change their access level down to that of the webserver user after binding to the port. Most platforms do not allow users with the level of access as the webserver user to make ptrace syscalls against a process which used setuid to change to the webserver user.

Tinypug Multiple Vulnerabilities

- Vulnerability:
####################

+--> CSRF (Cross-Site Request Forgery)
        The password changing page is vulnerable to CSRF attack. This vulnerability
        can be used to change the password of the victim. For details of this
        process see "Exploits/PoCs" section.

+--> Stored XSS Vulnerability
        The comment page is vulnerable to Stored XSS attack. But comments will be published

two bytehoard 2.1 bugs

This privilege escalation is a direct consequence of using the same name 
on a local variable ("username" on "modules/passreset.inc.php" and 
"modules/signup.inc.php") and a global variable 
("$_SESSION['username']"). When the "register_globals" setting is 
enabled and the session variable "username" is set (to any value, 
including empty string), any changes made to the local variables will 
also be written on the global one.

Since both modules set the variable to a user input string, and the 
authentication module uses that global variable to both determine if the 
user is logged in and which username to use, following the instructions 

vsftpd 2.3.2 remote denial-of-service

   * - any number of wildcards, "*" or "?"
   * - {,} syntax (not nested)
...
---

That is true, but anyone who has switched from the BSD ftpd daemon to vsftpd for protection against CVE-2010-2632 (glob(3) resource exhaustion) is in danger. Any code with huge complexity could allow denial of service if an affected system receives a vulnerable pattern. This bug allows disabling a wide range of servers. To identify vulnerable servers, we have to use a pattern with medium complexity.

-Example affected server---
cx@cx64:~$ telnet ftp.gnu.org 21
Trying 140.186.70.20...
Connected to ftp.gnu.org.

Cisco Security Advisory: Cisco Unified Communications Manager Denial of Service Vulnerabilities

exhaust the Cisco Unified Communications Manager's memory by opening
multiple connections, which will cause Cisco Unified Communications
Manager to restart. The Packet Capture Service should be disabled in
the Cisco Unified Communications Manager Administration Interface by
setting the service parameter to False. The Cisco Unified
Communications Manager application must be restarted for the change
to take effect. This vulnerability is documented in Cisco Bug ID 
CSCtf97162 (registered customers only) and has been assigned Common
Vulnerabilities and Exposures (CVE) identifier CVE-2011-2560. This
vulnerability affects only 4.x versions of Cisco Unified
Communications Manager.

Incomplete protection of Oracle Database locked accounts (CVE-2012-0510)

Credits:
This vulnerability was discovered and researched by Esteban Martinez
Fayo of Application Security Inc.

Details:
Oracle Database provides the OCIPasswordChange API to change user passwords.
This API can be used while a user is logged on as well as before the
authentication process is completed; this is because it can be used for
accounts whose password has expired, so that the user is able to
change an expired password for a new one.
It was observed that this API can be used to change the password of

MULTIPLE REMOTE VULNERABILITIES --MiniTwitter<=v0.3-Beta-->

------
PoC:
------


When a user changes his options, he can inject SQL code and change the options of other users.

Choose any option, for example name.

Name: name=y3nh4ck3r', [SQL] /*


[Advisory] Invision Power Board <= 2.3.5 Multiple Vulnerabilities and Security Bypass

    Advisory:   http://acid-root.new.fr/?0:18
      Author:   DarkFig < gmdarkfig (at) gmail (dot) com >

 Released on:   2008/08/29
   Changelog:   2008/08/29

     Summary:   Introduction
                Blind SQL Injection
                Insecure SQL Password Usage
                Admin Session Hijacking

Re: Re: Re: Re: Re: Apache Server HTML Injection and UTF-7 XSS Vulnerability

re: "set 403 page's charset in the server side by writing it in your server code"

Apache *does* set the charset in the HTTP header.  It is set to iso-8859-1 by default.

Adding a <meta http-equiv> tag with the iso-8859-1 charset does not change the browser behavior.  See below for the captured response from a test with this change.

The user can still manually override the charset to UTF-7 via the browser menu, regardless of anything the Apache server sends.

re: "There is no problem to trick the victim and force him to change the encoding of his browser by little social engineering"


Cisco Security Advisory: Cisco Secure Access Control Server for Windows User-Changeable Password Vulnerabilities

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Cisco Security Advisory: Cisco Secure Access Control Server for
                         Windows User-Changeable Password 
                         Vulnerabilities

Advisory ID: cisco-sa-20080312-ucp

http://www.cisco.com/warp/public/707/cisco-sa-20080312-ucp.shtml

[security bulletin] HPSBUX02249 SSRT071442 rev.3 - HP-UX Running the Ignite-UX or the DynRootDisk (DRD) get_system_info Command, Local Unqualified Configuration Change

SUPPORT COMMUNICATION - SECURITY BULLETIN

Document ID: c01118367
Version: 3

HPSBUX02249 SSRT071442 rev.3 - HP-UX Running the Ignite-UX or the DynRootDisk (DRD) get_system_info Command, Local Unqualified Configuration Change

NOTICE: The information in this Security Bulletin should be acted upon as soon as possible.

Release Date: 2007-08-20
Last Updated: 2008-02-11

DeluxeBB E-Mail Address Change Security Bypass

http://www.opencosmo.com
http://www.opencosmo.com/news.php?readmore=21

###################################################

DeluxeBB E-Mail Address Change Security Bypass
Credits: Nexen
Application: DeluxeBB
Version: 1.09
Impact: Security Bypass
Risk: [3/5]

Lomtec ActiveWeb Professional 3.0 CMS Allows Arbitrary File Upload and Execution as SYSTEM in ColdFusion (2010-WEB-002) (CERT VU#528212)

SUMMARY AND IMPACT:
The ActiveWeb Professional 3.0 web content management server is
vulnerable to remote operating system takeover. An unauthenticated
remote user can upload malicious files and backdoor ColdFusion
websites using the EasyEdit.cfm page. By accessing the "getImagefile"
section of the EasyEdit module, the remote attacker can change hidden
form fields to upload malicious applications and ColdFusion CFML
websites that execute those malicious applications or operating system
commands in the context of the ColdFusion service account (SYSTEM).
The remote user can now perform all functions of the system
administrator using uploaded CFML pages. The attacker can create a

NNT Change Tracker - Hard-Coded Encryption Key

Background
----------

NNT Change Tracker Enterprise is a commercial product created by
UK-based New Net Technologies, and is designed to detect changes to
PC, server and network device configurations. The central component
'Core Server' is sent change data from 'Remote Angels' that monitor
remote systems.

It is marketed as a security product.

Resolved - NNT Change Tracker - Hard-Coded Encryption Key - Originally posted as http://seclists.org/fulldisclosure/2011/May/460

Subject: Resolved - NNT Change Tracker - Hard-Coded Encryption Key -
Originally posted as http://seclists.org/fulldisclosure/2011/May/460

Background
-----------------

The product employs a portion of legacy code as referenced in the original
post. This is used for the product key and some database entries but whilst
the strength of the encryption being used here may be a problem for the NNT
licensing team, there is no genuine security risk for device data. This

Cisco Security Advisory: Cisco IP Video Phone E20 Default Root Account

Cisco TelePresence Software version TE 4.1.0 contains a default
account vulnerability that could allow an unauthenticated, remote
attacker to take complete control of the affected device.

The vulnerability is due to an architectural change that was made in
the way the system maintains administrative accounts. During the
process of upgrading a Cisco IP Video Phone E20 device to TE 4.1.0, an
unsecured default account may be introduced. An attacker who is able
to take advantage of this vulnerability could log in to the device as
the root user and perform arbitrary actions with elevated privileges.

Cisco Security Advisory: Cisco Unified Communications Manager Session Initiation Protocol Denial of Service Vulnerabilities

Communications Manager servers.

If the Cisco Unified Communications Manager does not need to provide
SIP services, the ports on which the Cisco Unified Communications
Manager listens for SIP messages can be moved to non-standard ports.
To change the ports from their default values, log into the Cisco
Unified CallManager Administration web interface, go to System >
Cisco Unified CM, locate the appropriate Cisco Unified Communications
Manager, change the fields SIP Phone Port and SIP Phone Secure Port
to a non-standard port, then click Save. SIP Phone Port, by default
5060, refers to the TCP and UDP ports where the Cisco Unified

Cisco Security Advisory: Multiple Vulnerabilities in Cisco Digital Media Manager

Privilege Escalation Vulnerability
+---------------------------------

A vulnerability exists in Cisco DMM versions 5.0.x and 5.1.x that could
allow authenticated, but unauthorized users to change the configuration
and obtain full access of the device.

This vulnerability is documented in Cisco Bug ID CSCtc46008 and has
been assigned Common Vulnerabilities and Exposures (CVE) identifier
CVE-2010-0571.

TYPO3 Security Bulletin TYPO3-20080611-1: Multiple vulnerabilities in TYPO3 Core

1. Authenticated backend users with granted access to an arbitrary filemount are able to upload Apache configuration files (.htaccess). A malicious backend user may abuse this to create and execute files containing arbitrary code.
2. If the Apache module mod_mime is enabled on the Apache web server (default case), authenticated backend users with granted access to an arbitrary filemount can upload/create and execute arbitrary files with PHP code. The same applies to frontend users in the case that TYPO3 extensions with frontend plugins rely on  t3lib_div::verifyFilenameAgainstDenyPattern() to check the validity of the file name. The TYPO3 security team is aware of a number of popular TYPO3 extensions that use this method. Besides that, TYPO3 extensions that process file uploads using the method processFiles() of the core library fe_adminLib.inc would also be vulnerable. The TYPO3 Security Team is not aware of an existing TYPO3 extension within the TYPO3 extension repository (TER) that uses the method processFiles().

=== Solution ===
Update to the TYPO3 versions 4.1.7 or 4.2.1 that fix the issues described. The new versions contain an updated default value for fileDenyPattern. If this default value is not used, there will be a warning displayed in backend module "About modules". This should remind the administrator to change the value of fileDenyPattern.

If you can't update directly, change the value of the configuration variable fileDenyPattern to the following value:

\.php[3456]?(\..*)?$|^\.htaccess$



Copyright © 1995-2012 LinuxRocket.net. All rights reserved.
