changing
=======
Versions of the Cisco Application Velocity System (AVS) prior to
software version AVS 5.1.0 do not prompt users to modify system account
passwords during the initial configuration process. Because there is no
requirement to change these credentials during the initial configuration
process, an attacker may be able to leverage the accounts that have
default credentials, some of which have root privileges, to take full
administrative control of the AVS system.
After upgrading to software version AVS 5.1.0, users will be prompted to
####################
- Discussion:
####################
1- [Remote Attacker] can log in to the Hosting Controller panel. He can also change all other users' passwords.
2- [User] can copy a file to the Hosting Controller web directory, which is executed under administrative privilege, so an attacker can execute his commands with administrative privilege; e.g. an attacker can gain remote desktop access to the server using this bug by uploading an ASP file!
3- [Remote Attacker] can create a new user.
4- [Remote Attacker] can change all users' profiles.
5- [User] can see all the database information via a SQL injection.
6- [User] can change his credit amount or increase his discount.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
Cisco Security Advisory: Cisco Secure Access Control System Unauthorized
Password Change Vulnerability
Advisory ID: cisco-sa-20110330-acs
Revision 1.0
Summary
=======
Cisco Network Registrar Software Releases prior to 7.2 contain a
default password for the administrative account. During the initial
installation, users are not forced to change this password, allowing
it to persist after the installation. An attacker who is aware of
this vulnerability could authenticate with administrative privileges
and arbitrarily change the configuration of Cisco Network Registrar.
The upgrade to Software Release 7.2 is not free; however, a
***********
Browser-Based Interface (BBI) software is included in the Nortel Networks (versions < 25.0.0.0) and Radware
family of switches. The BBI software lets you use your Web browser to access switch
information and statistics, and to perform switch configuration via the Internet. These
vulnerabilities allow remote attackers to change the switch configuration.
Details:
*******
HP is documenting the following actions and patches to resolve the vulnerability.
The updates are available from: http://itrc.hp.com
HP-UX Release - HP-UX B.11.11 (11i v1)
Action - Install PHCO_36562 or subsequent; change NFS configuration as needed
HP-UX Release - HP-UX B.11.23 (11i v2)
Action - Install PHCO_36563 or subsequent; change NFS configuration as needed
Changing SNMP community string and restricting access
+----------------------------------------------------
By default, Cisco uBR10012 series devices that are configured for
linecard redundancy use a community string of private. This community
string can be changed in Cisco IOS versions 12.3(13)BC and later. It
is recommended to change the community string and apply access
control restrictions that only permit authorized devices SNMP access
to the device.
The following configuration example provides operators with
Package : exim4
Vulnerability : privilege escalation
Problem type : local
CVE Id(s) : CVE-2010-4345 CVE-2011-0017
Behaviour change : yes
A design flaw (CVE-2010-4345) in exim4 allowed the local Debian-exim
user to obtain root privileges by specifying an alternate
configuration file using the -C option or by using the macro override
facility (-D option). Unfortunately, fixing this vulnerability is not
Background
----------
NNT Change Tracker Enterprise is a commercial product created by
UK-based New Net Technologies, and is designed to detect changes to
PC, server and network device configurations. The central component
'Core Server' is sent change data from 'Remote Angels' that monitor
remote systems.
It is marketed as a security product.
This allows a journalist or editor-level user to edit any article.
By default a journalist user cannot edit his own news articles. Using
this method, a journalist can submit an article, have it approved by the
admin, then later change it to include stored XSS.
8.10.1 Proof of concept exploit
Article IDs can be found in the links from this page:
http://localhost/test/cutenews/index.php?mod=editnews&action=list
Affected Products:
Admin r8.1 SP2
Advantage Data Transformer r2.2
Allfusion Harvest Change Manager r7.1
CA ARCserve Backup for Unix r11.1, r11.5 GA/SP1/SP2/SP3
CA ARCserve Backup for Linux r11.1, r11.5 GA/SP1/SP2/SP3
CA Directory r8.1
CA Job Management Option R11.0
CA Single Sign-On r8.1
This privilege escalation is a direct consequence of using the same name
for a local variable ("username" in "modules/passreset.inc.php" and
"modules/signup.inc.php") and a global variable
("$_SESSION['username']"). When the "register_globals" setting is
enabled and the session variable "username" is set (to any value,
including the empty string), any changes made to the local variable will
also be written to the global one.
Since both modules set the variable to a user input string, and the
authentication module uses that global variable to both determine if the
user is logged in and which username to use, following the instructions
=======
Customers who use the CiscoWorks Wireless LAN Solution Engine (WLSE) may use a
conversion utility to convert over to a Cisco Wireless Control System (WCS).
This conversion utility creates and uses administrative accounts with default
credentials. Because there is no requirement to change these credentials during
the conversion process, an attacker may be able to leverage the accounts that
have default credentials to take full administrative control of the WCS after
the conversion has been completed.
Customers who have converted their CiscoWorks WLSE to a Cisco WCS are advised
bypassed in the same manner, enabling the automation of the guessing
attempts.
The security question mechanism can also be bypassed by changing the
flow of the application, skipping the security question mechanism and
sending a HTTP request requiring the password change immediately after
declaring which user is to run the recovery procedure.
Additionally, two cross site scripting vulnerabilities were found
related to search functions.
Cisco Media Processing Software releases prior to 1.2 ship with a
root administrator account that is enabled by default with a default
password. An unauthorized user could use this account to modify the
software configuration and operating system settings or gain complete
administrative control of the device. A software upgrade is not
required to resolve this vulnerability. Customers can change the root
account password by issuing a configuration command on affected
engines. The workarounds detailed in this document provide
instructions for changing the root account password.
This advisory is posted at:
- Vulnerability:
####################
+--> CSRF (Cross-Site Request Forgery)
The password changing page is vulnerable to CSRF attack. This vulnerability
can be used to change the password of the victim. For details of this
process see "Exploits/PoCs" section.
+--> Stored XSS Vulnerability
The comment page is vulnerable to Stored XSS attack. But comments
will be published
While researching the fixes issued by Microsoft in Microsoft's Security
Bulletin MS10-024
[http://www.microsoft.com/technet/security/bulletin/ms10-024.mspx]
published April 13, 2010 Nicolas Economou discovered two vulnerabilities
in Windows SMTP Service and Microsoft Exchange . These vulnerabilities
were fixed by the patches referenced in MS10-024 but were not disclosed
in the vendor's security bulletin and did not have an unique
vulnerability identifier assigned to them. As a result, the guidance and
the assessment of risk derived from reading the vendor's security
bulletin may overlook or misrepresent actual threat scenarios.
> > such as SSI, non-suexec CGI scripts, non-suexec PHP (if mod_php is also
> > installed), and likely numerous other options.
>
> Once the attacker can run code as the same user the webserver runs as, he
> can make the webserver do whatever he wants. He can just 'debug' the
> webserver process and change any setting, inject code, whatever. You can
> php.ini whatever you want, and the attacker can just make the webserver
> read his own php.ini, or change the webserver memory after the fact, to
> make it think it read something else than you wrote.
This is not true, at least on most platforms, because webservers typically start as root and use setuid to change their access level down to that of the webserver user after binding to the port. Most platforms do not allow users with the level of access as the webserver user to make ptrace syscalls against a process which used setuid to change to the webserver user.
Advisory: http://acid-root.new.fr/?0:18
Author: DarkFig < gmdarkfig (at) gmail (dot) com >
Released on: 2008/08/29
Changelog: 2008/08/29
Summary: Introduction
Blind SQL Injection
Insecure SQL Password Usage
Admin Session Hijacking
Dan Kaminsky discovered that properties inherent to the DNS protocol
lead to practical DNS cache poisoning attacks. Among other things,
successful attacks can lead to misdirected web traffic and email
rerouting.
This update changes Debian's BIND 9 packages to implement the
recommended countermeasure: UDP query source port randomization. This
change increases the size of the space from which an attacker has to
guess values in a backwards-compatible fashion and makes successful
attacks significantly more difficult.
* - any number of wildcards, "*" or "?"
* - {,} syntax (not nested)
...
- ---
That's true, but anyone who has changed the BSD ftpd daemon to vsftpd to protect against CVE-2010-2632 (glob(3) resource exhaustion) is in danger. Any code with huge complexity could allow a denial of service if an affected system received a vulnerable pattern. This bug allows disabling a wide range of servers. To designate vulnerable servers, we have to use a pattern with medium complexity.
- -Example affected server---
cx@cx64:~$ telnet ftp.gnu.org 21
Trying 140.186.70.20...
Connected to ftp.gnu.org.
exhaust the Cisco Unified Communications Manager's memory by opening
multiple connections, which will cause Cisco Unified Communications
Manager to restart. The Packet Capture Service should be disabled in
the Cisco Unified Communications Manager Administration Interface by
setting the service parameter to False. The Cisco Unified
Communications Manager application must be restarted for the change
to take effect. This vulnerability is documented in Cisco Bug ID
CSCtf97162 ( registered customers only) and has been assigned Common
Vulnerabilities and Exposures (CVE) identifier CVE-2011-2560. This
vulnerability affects only 4.x versions of Cisco Unified
Communications Manager.
Warning: Incorrectly modifying the system registry of a Microsoft
Windows-based device may cause serious problems. Neither Cisco nor
Microsoft can guarantee that you can resolve problems that may result
from improper registry modification from either applying the registry
changes via a .reg file or by using the Registry Editor incorrectly.
Modify the registry of your system at your own risk.
To set the kill bit for the CLSID with a value of
{B8E73359-3422-4384-8D27-4EA1B4C01232}, paste the following text in a
text editor such as Notepad. Save the file using the .reg filename
Credits:
This vulnerability was discovered and researched by Esteban Martinez
Fayo of Application Security Inc.
Details:
Oracle Database provides the OCIPasswordChange API to change user passwords.
This API can be used while a user is logged on as well as before the
authentication process is completed. This is because it can be used for
accounts whose password has expired, so that the user is able to
change an expired password for a new one.
It was observed that this API can be used to change the password of
Introduction:
=============
Car Portal is a PHP software product for running auto classifieds websites. It provides functionality
for private sellers to sign up, list their car for sale and make changes to their ads online using
the private sellers administration space. The product provides special functionality for the dealers
to work and manage multiple ads. An affiliate functionality is also included, affiliate partners may
sign up and earn commissions on all the sales done through their links. The product comes with a
powerful admin panel for the administrators, allowing them not only to manage the cars portal settings,
the dealers, affiliates etc. but also providing full control over the website, its structure and content,
is not required to exploit this vulnerability but an attacker must
be authenticated.
The LinuxShield web interface communicates with the locally installed
"nailsd" daemon, which listens on port 65443/tcp, to make configuration
changes, query the configuration and execute tasks.
Each user who can log in to the victim box can also authenticate
to the "nailsd" daemon and can make configuration changes and execute
tasks with root privileges.
and world are all given read & write permissions including the file
settings.inc.php. For directories the execute bit is also set. The file
settings.inc.php contains the database username and password. In case
of a shared hosting environment, this allows a local user to obtain
these credentials. Since local users also have write access, it is even
possible to add or change PHP instructions in this file. A local user can
also create new files in the directories for which the file permissions
have been changed. Since these directories normally exist within the
document root, it is possible to create new PHP scripts and execute
these scripts using the webserver.
------
PoC:
------
When a user changes his options, he can inject SQL code and change the options of another user.
Choose any option, for example name.
Name: name=y3nh4ck3r', [SQL] /*