[1] - NULL pointer dereference:
-------------- xpdf-poc-null-pointer-dereference.pdf -------------
%PDF-1.3
% 'BasicFonts': class PDFDictionary
1 0 obj
% The standard fonts dictionary
<< /F1 2 0 R >>
endobj
% 'F1': class PDFType1Font
Crafted SSH Packet Vulnerability
+-------------------------------
SSH management traffic that can be received by the ACE is controlled
through the use of class maps, policy maps, and service policies.
This Management Traffic Service example denies unauthorized SSH
packets that are sent to an affected device. In the following
example, 192.168.100.1 is considered a trusted source that requires
SSH access to the affected device. Care should be taken to allow all
2. *Vulnerability Information*
Class: Stack-based buffer overflow [CWE-119], Off-by-one error [CWE-193]
Impact: Code execution, Denial of service
Remotely Exploitable: Yes
Locally Exploitable: No
CVE Name: CVE-2010-1929, CVE-2010-1930
Bugtraq ID: 40480, 40485
in the configuration:
ssl-server <context> http-header client-cert
Similarly, on the Cisco ACE, these issues may manifest themselves when
using a policy map with a class-default class, as shown below:
policy-map type loadbalance first-match SLB-VIP-REDIRECT
class class-default
serverfarm TEST-FARM
action DO-SOMETHING-WITH-HEADERS
Author: Stefan Esser [stefan.esser[at]sektioneins.de]
Application: Piwik <= 0.4.5
Severity: Piwik unserializes() user input which allows an attacker
to send a carefully crafted cookie that when unserialized
utilizes Piwik's classes to upload arbitrary files or
execute arbitrary PHP code
Risk: Critical
Vendor Status: Piwik 0.5.0 was released which fixes this vulnerability
Reference:
http://www.sektioneins.com/en/advisories/advisory-032009-piwik-cookie-unserialize-vulnerability/
------------------------------------------------------------------------
ATTACH_BY_REF_RESOLVE
------------------------------------------------------------------------
A message or attachment can have a Message Class property that loosely
defines the type of a message, contact or other personal information
manager objects. For normal e-mail messages, the message class is set to
IPM.Note. The Message Class is set by the TNEF attMessageClass
structure or by the PR_MESSAGE_CLASS MAPI property.
Storage
Secure Programming/Development
PRIVILEGES
Speakers’ Privileges:
• Return economy class air-ticket for one person.
• 3 nights of accommodation.
• Breakfast, lunch and dinner during conference.
• After-conference party.
• A very healthy dose of alcohol and fun.
• S$500 cash for speakers with brand new presentations.
Author: Stefan Esser [stefan.esser[at]sektioneins.de]
Application: PHPIDS <= 0.6.2
Severity: PHPIDS unserializes() user input which allows an attacker
to send a carefully crafted cookie that when unserialized
can utilize existing classes which e.g. can lead to
upload of arbitrary files or execution of arbitrary PHP
code in Zend Framework Applications
Risk: Critical
Vendor Status: PHPIDS 0.6.3.1 was released which fixes this vulnerability
Reference:
The following policy can be configured as a workaround to mitigate
this vulnerability. Complete the following steps to deploy this
policy for the Cisco Security Agent running on the Management Center
for Cisco Security Agent server.
Create a New Application Class
+-----------------------------
Step 1. Specify the name of the application class as 'CSA MC - all
applications but not its descendants'.
Reverse Code Engineering
Languages (Assembly, Python, Ruby etc)
PRIVILEGES
Trainers’ Privileges:
• 50% of net profit of class.
• Complimentary entry to SyScan'10 conference
• Trainers/Speakers Dinner on conference days
• After-conference party.
• A very healthy dose of alcohol and fun.
I understand that this is a vain hope that bugtraq will start posting something useful.
Author: Michael Brooks (Rook)
Application: OpenClassifieds 1.7.0.3
download: http://open-classifieds.com/download/
Exploit chain: captcha bypass -> sqli(insert) -> persistent xss on front page
If registration is required an extra link in the chain is added:
Exploit chain: blind sqli(select) -> captcha bypass -> sqli(insert) -> persistent xss on front page
sites with SEO url's enabled:
"powered by Open Classifieds" inurl:"publish-a-new-ad.htm" (85,000 results)
specially-crafted attack, Internet Explorer attempting to access a
freed object can lead to running attacker-supplied code."
However, I have not found any evidence of accessing freed memory -- as
far as I can tell, the problem is a logic bug. The CDispNode family
of classes contains a flags field that happens to be located
immediately after the vtable pointer, the lowest four bits of which
I'll refer to as the "extra size index."
CDispNode::SetExpandedClipRect uses the extra size index of a class
instance as an index into CDispNode::_extraSizeTable, a constant array
where each element represents a count of machine words of, I guess,
--- lib/webrick/httpstatus.rb (revision 26065)
+++ lib/webrick/httpstatus.rb (working copy)
@@ -13,5 +13,15 @@ module WEBrick
module HTTPStatus
- class Status < StandardError; end
+ class Status < StandardError
+ def initialize(message, *rest)
+ super(AccessLog.escape(message), *rest)
+ end
+ class << self
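Review bot: the new `initialize(message, *rest)` makes `message` mandatory, so any existing `Status.new` or `raise SomeStatus` call with no arguments (previously accepted because `Status` inherited `StandardError`'s initializer) will now fail with ArgumentError, and `AccessLog.escape` is applied to the first argument even when none was meant to be given. Suggest a default and escaping only when a message is supplied, e.g. `def initialize(message = nil, *rest)` / `message = AccessLog.escape(message) if message` / `super(message, *rest)`.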
:. GOODFELLAS Security Research TEAM .:
:. http://goodfellas.shellcode.com.ar .:
FileFind class from MFC Library causes heap overflow.
===================================================
Internal ID: VULWKU200706142
introduction
Core Security Technologies - CoreLabs Advisory
http://corelabs.coresecurity.com
Microsoft Office HtmlDlgHelper class memory corruption
1. *Advisory Information*
Title: Microsoft Office HtmlDlgHelper class memory corruption
Advisory Id: CORE-2010-0517
Inspect: sip , packet 0, drop 0, reset-drop 0
Alternatively, an appliance that has SIP inspection enabled has a
configuration similar to the following:
class-map inspection_default
match default-inspection-traffic
!
policy-map global_policy
class inspection_default
...
Inspect: sunrpc, packet 0, drop 0, reset-drop 0
The following configuration commands are used to enable SunRPC
inspection in the Cisco ASA.
class-map inspection_default
match default-inspection-traffic
!
policy-map global_policy
class inspection_default
...
* Jackrabbit API (jackrabbit-api)
Interface extensions that Apache Jackrabbit supports in
addition to the standard JCR API.
* Jackrabbit JCR Commons (jackrabbit-jcr-commons)
General-purpose classes for use with the JCR API.
* Jackrabbit JCR Tests (jackrabbit-jcr-tests)
Set of JCR API test cases designed for testing the compliance
of an implementation. Note that this is not the official JCR TCK!
Hi,
First let me start by saying I'm not writing to flame anyone (or whatever you kids say these days). I know it can be daunting to release a paper to the security community because if any of it is incorrect you're gonna hear about it.
However, releasing a paper and claiming it to be a new class (or sub-class) of vulnerability, well I'm sorry, it's like wearing gold football boots; you better get it right after a statement like that.
If this paper was titled "Bypassing Broken Input Validation Filters" then there would be no problems. However, none of what exists in this document is new; in fact most of it is in the Web Application Hacker's Handbook or in much older papers. Constructing attacks of all kinds to bypass black list filters is a common duty of the web application tester; also take a look at all of the recent SQL injection worms.
The main thing wrong here is claiming it to be something new, or even claiming it to be a "sub-class"; it's not!
Additional information on the Cisco IOS release naming conventions
can be found in the document entitled "White Paper: Cisco IOS
Reference Guide", which is available at
http://www.cisco.com/warp/public/620/1.html
The device is vulnerable if the configuration has a Layer 7 class map
and Layer 7 policy map for HTTP deep packet inspection (DPI), and
these policies are applied to any firewall zone. To determine whether
the device is running a vulnerable configuration of Cisco IOS
firewall AIC for HTTP, log in to the device and issue the CLI command
show policy-map type inspect zone-pair | section packet inspection.
This two-day workshop revisits the basics of GSM, SS7, and OTA before
discussing their control and trust mechanics. It will become apparent
that technology providers and attackers can invade GSM users' location
and communication privacy in multiple ways. The workshop is targeted
at GSM users concerned with the confidentiality of their information
and location. The class provides technical and organizational
protection strategies for minimizing the attack surface and mitigating
the risks of the telecommunication infrastructure.
2) Exploit Laboratory with Saumil Shah:
The workshop brings you an action packed class teaching the art of
> '=.|w|.='
> _='`"``=.
>
> presents..
>
> Oracle JRE - java.net.URLConnection class –
> Same-of-Origin (SOP) Policy Bypass
>
> PDF: http://www.security-assessment.com/files/advisories/Oracle_JRE_java_net_urlconnection_SOP_Bypass.pdf
> CVE Identifier: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2010-3573
>
==
xoops-1.3.10 shell command execute vulnerability ( causing snoopy class )
==
Author: geinblues ( geinblues [at] gmail [dot] com )
DATE: 9.7.2008
Site: http://enterblue.net/~x90c/
Risk: Medium
==
2.5.0 to 2.5.7 (subscription customers)
Earlier versions may also be affected
Description:
The Spring Framework provides a mechanism to use client provided data to update the properties of an object. This mechanism allows an attacker to modify the properties of the class loader used to load the object (via 'class.classloader'). This can lead to arbitrary command execution since, for example, an attacker can modify the URLs used by the class loader to point to locations controlled by the attacker.
Example:
This example is based on a Spring application running on Apache Tomcat.
1. Attacker creates attack.jar and makes it available via an HTTP URL. This jar has to contain the following:
- META-INF/spring-form.tld - defining spring form tags and specifying that they are implemented as tag files and not classes;
Limiting MGCP application layer inspection to traffic between MGCP
gateways may help to mitigate this vulnerability since it would require
an attacker to have additional information (the addresses of the MGCP
gateways) to launch a successful attack. To limit MGCP application layer
inspection to traffic between certain devices, a class map that matches
only traffic between the gateways must be created. Then, MGCP inspection
must be performed on traffic in that class. The following example shows
how to accomplish this:
FWSM(config)# access-list mgcp_traffic permit udp host 192.168.0.1