configuration file
capabilities.
The Cisco RVS4000 and WRVS4400N Gigabit Security Routers contain
three web management interface vulnerabilities:
* Retrieval of the configuration file
If an administrator of the device has previously created a backup
of the configuration, using Administration --> Backup & Restore
--> Backup, it is possible for a remote unauthenticated user to
access the backup configuration file. This file contains all
configuration parameters of the device, including the HTTP
Multiple vulnerabilities were discovered and fixed in gimp:
Stack-based buffer overflow in the "LIGHTING EFFECTS > LIGHT" plugin in
GIMP 2.6.11 allows user-assisted remote attackers to cause a denial
of service (application crash) or possibly execute arbitrary code
via a long Position field in a plugin configuration file. NOTE:
it may be uncommon to obtain a GIMP plugin configuration file from
an untrusted source that is separate from the distribution of the
plugin itself (CVE-2010-4540).
Stack-based buffer overflow in the SPHERE DESIGNER plugin in GIMP
Vulnerability overview:
---------------
SonicWALL Global VPN Client suffers from a format string vulnerability
that can be triggered by supplying a specially crafted configuration
file. This vulnerability allows an attacker to execute arbitrary code in
the context of the vulnerable client. For a successful attack, the
attacker would have to entice his victim into importing the special
configuration file.
e) Configuration encoding
Users can backup the configuration of the device through the web
interface. The configuration is saved in a tgz file ("config.cfg") that is
"encrypted" in an easy-to-reverse form. The following Python procedure
decodes the "encrypted" version of the configuration file:
# 'data' is the content of the encrypted configuration file, as downloaded
# from the web interface
def conf_decode(data):
r = ""
Authentication Flaw.
2. Relevant releases
VMware ESXi 4.1 if upgraded from ESXi 3.5 or ESXi 4.0 with a modified
SFCB configuration file.
3. Problem Description
a. ESXi 4.1 Update Installer SFCB Authentication Flaw
~ NOTE: This issue doesn't affect the latest versions of VMware
~ Workstation 6, VMware Player 2, and ACE 2 products.
~ h. Local Privilege Escalation on Windows based platforms by
~ Hijacking VMware VMX configuration file
~ VMware uses a configuration file named "config.ini" which
~ is located in the application data directory of all users.
~ By manipulating this file, a user could gain elevated
~ privileges by hijacking the VMware VMX process.
---[ Vulnerability description ]
Positive Research Center has discovered multiple vulnerabilities in Dlink DPH 150SE/E/F1 IP phone.
1. A vulnerability exists in the web management interface of the Dlink DPH 150SE that allows an unauthenticated user to obtain the device configuration file with all the settings, including the administrator's password. To exploit the vulnerability, an attacker would have to set up a tftp/ftp server to receive the configuration file.
2. A vulnerability exists in the web management interface of the Dlink DPH 150SE that allows an unauthenticated user to upload a configuration file to the device.
3. A vulnerability exists in the web management interface of the Dlink DPH 150SE that allows an unauthenticated user to modify the message shown on the device LCD display.
statement and get its output in both inband and blind SQL injection attack.
* Added an option (--privileges) to retrieve DBMS users privileges, it
also notifies if the user is a DBMS administrator.
* Added support (-c) to read options from configuration file, an example
of valid INI file is sqlmap.conf and support (--save) to save command
line options on a configuration file.
* Implemented support for HTTPS requests over HTTP(S) proxy.
* Hosted products are VMware Workstation, Player, ACE, Fusion.
b. vCenter Apache Tomcat Management Application Credential Disclosure
The Apache Tomcat Manager application configuration file contains
logon credentials that can be read by unprivileged local users.
The issue is resolved by removing the Manager application in
vCenter 4.1 Update 1.
============
Users with the role "limited-admin" are allowed to log into the
web-based administrative interface and configure some aspects of a
ZyWALL USG appliance. It is usually not possible to download the current
configuration file, as this includes the password-hashes of all users.
When the "download" button in the File Manager part of the web interface
is pressed, a JavaScript dialogue window informs the user that this
operation is not allowed. However, setting the JavaScript variable
"isAdmin" to "true" (e.g. by using the JavaScript console of the
"Firebug" extension for the Firefox web browser) disables this check and
necessary changes.
Details follow:
It was discovered that PHP did not properly enforce php_admin_value and
php_admin_flag restrictions in the Apache configuration file. A local attacker
could create a specially crafted PHP script that would bypass intended security
restrictions. This issue only applied to Ubuntu 6.06 LTS, 7.10, and 8.04 LTS.
(CVE-2007-5900)
It was discovered that PHP did not correctly handle certain malformed font
application the first step is to enumerate the objects that contain
__wakeup() or __destruct() methods and read their code to analyze if
these methods are doing something interesting.
When looking at the Piwik source code one particular class can be
found that allows writing arbitrary configuration files to the
webserver. This class is called Piwik_Config and contains the
following code.
function __destruct()
{
1 net-misc/wicd < 1.5.9 >= 1.5.9
Description
===========
Tiziano Mueller of Gentoo discovered that the DBus configuration file
for Wicd allows arbitrary users to own the org.wicd.daemon object.
Impact
======
Multiple vulnerabilities have been reported in phpMyAdmin:
* Greg Ose discovered that the setup script does not sanitize input
properly, leading to the injection of arbitrary PHP code into the
configuration file (CVE-2009-1151).
* Manuel Lopez Gallego and Santiago Rodriguez Collazo reported that
data from cookies used in the "Export" page is not properly sanitized
(CVE-2009-1150).
Advisory: Authentication Bypass in Configuration Import and Export of
ZyXEL ZyWALL USG Appliances
Unauthenticated users with access to the management web interface of
certain ZyXEL ZyWALL USG appliances can download and upload
configuration files that are applied automatically.
Details
=======
--- CUT ---
and config file:
--- CUT ---
// Sample pdnsd configuration file. Must be customized to obtain a working pdnsd setup!
// Read the pdnsd.conf(5) manpage for an explanation of the options.
// Add or remove '#' in front of options you want to disable or enable, respectively.
// Remove '/*' and '*/' to enable complete sections.
global {
Details
=======
The Cisco NAC Guest Server system software contains a vulnerability
in the configuration file of the RADIUS authentication software. This
misconfiguration may allow an unauthenticated user to access the
protected network. This vulnerability may result in authentication
bypass without requiring a valid username or password.
This vulnerability is documented in Cisco Bug ID CSCtj66922 (
A number of vulnerabilities and security-related issues have been fixed
in phpMyAdmin versions since the 2.9.1.1 release. This update provides
version 2.11.1.2 which is the latest stable release of phpMyAdmin.
Note that due to heavy configuration file changes, it may be necessary
to reconfigure phpMyAdmin. The configuration file is located in
/etc/phpMyAdmin/. In most cases, it should be sufficient to simply
replace config.default.php with config.default.php.rpmnew and make
whatever modifications are necessary.
_______________________________________________________________________
Previous versions of the lighttpd package are vulnerable to a remote
Denial of Service attack in which the termination of one SSL connection
may cause another concurrent SSL connection to terminate prematurely.
lighttpd is not installed by default on rPath Linux systems, and no
default configuration file is provided; only systems customized to
include and configure lighttpd are vulnerable.
Appliances built with rPath Appliance Platform Agent 2 use lighttpd and
are vulnerable to this denial of service attack. All appliances built
using rPath Appliance Platform Agent 2 should be updated to include the
EMC SW: EMC Data Protection Advisor earlier than 5.8.1
Vulnerability Summary:
A vulnerability exists in EMC Data Protection Advisor in which sensitive information may be exposed in clear text in the configuration file.
Vulnerability Details:
In certain situations, sensitive account credentials may potentially be displayed in clear text in the DPA configuration file. The credentials are not stored in clear text by default or during normal operation of the product. Review EMC Knowledgebase solution esg122538 (http://solutions.emc.com/emcsolutionview.asp?id=esg122538) to determine if your existing installation has already been exposed to this issue.
reasons, it is no longer possible to use wide links and UNIX extensions at
the same time. After applying this security update, wide links will be
disabled automatically as UNIX extensions are turned on by default. If
wide links are required, you can re-enable them by adding
"unix extensions = no" to the [global] section of the /etc/samba/smb.conf
configuration file.
Details follow:
It was discovered that Samba handled symlinks in an unexpected way when both
"wide links" and "UNIX extensions" were enabled, which is the default. A
*How to disable this behavior*
You can disable this behavior by adding an entry to the host
configuration file. This will override any VM-specific configuration and
globally disable the behavior for all virtual machines running on the host.
The host configuration is owned by the System/root account, so it is
protected against non-root users who have virtual machines on the system.
Previous versions of the lighttpd package are vulnerable to multiple
Information Exposures, the most serious of which may allow a remote
attacker to read arbitrary files.
lighttpd is not installed by default on rPath Linux systems, and no
default configuration file is provided; only systems customized to
include and configure lighttpd are vulnerable.
http://wiki.rpath.com/Advisories:rPSA-2008-0106
Copyright 2008 rPath, Inc.
Debian-specific: yes
CVE ID : CVE-2009-1073
Debian Bug : 520476
Leigh James discovered that nss-ldapd, an NSS module for using
LDAP as a naming service, by default creates the configuration file
/etc/nss-ldapd.conf world-readable, which could leak the configured
LDAP password if one is used for connecting to the LDAP server.
The old stable distribution (etch) doesn't contain nss-ldapd.
ESX Server, or VMware GSX Server.
*How to disable this behavior*
You can disable this behavior by adding an entry to the host
configuration file. This will override any VM-specific configuration and
globally disable the behavior for all virtual machines running on the host.
The host configuration is owned by the System/root account, so it is
protected against non-root users who have virtual machines on the system.
XML RPC session to access Administrator credentials.
Unauthorized information access
+------------------------------
A malicious user could read one of the system configuration files.
This configuration file contains user accounts details, including
passwords. Authentication is not required to read this configuration
file and an attacker could perform this attack over either XML RPC or
XML RPC over HTTPS protocol.
A security vulnerability has been identified and fixed in pam:
Integer signedness error in the _pam_StrTok function in
libpam/pam_misc.c in Linux-PAM (aka pam) 1.0.3 and earlier, when a
configuration file contains non-ASCII usernames, might allow remote
attackers to cause a denial of service, and might allow remote
authenticated users to obtain login access with a different user's
non-ASCII username, via a login attempt (CVE-2009-0887).
The updated packages have been patched to prevent this.
High
=== Problem Description ===
Because of a not sufficiently secure default value of the TYPO3 configuration variable fileDenyPattern, TYPO3 is susceptible to the following vulnerabilities when running on Apache web server:
1. Authenticated backend users with granted access to an arbitrary filemount are able to upload Apache configuration files (.htaccess). A malicious backend user may abuse this to create and execute files containing arbitrary code.
2. If the Apache module mod_mime is enabled on the Apache web server (default case), authenticated backend users with granted access to an arbitrary filemount can upload/create and execute arbitrary files with PHP code. The same applies to frontend users in the case that TYPO3 extensions with frontend plugins rely on t3lib_div::verifyFilenameAgainstDenyPattern() to check the validity of the file name. The TYPO3 security team is aware of a number of popular TYPO3 extensions that use this method. Besides that, TYPO3 extensions that process file uploads using the method processFiles() of the core library fe_adminLib.inc would also be vulnerable. The TYPO3 Security Team is not aware of an existing TYPO3 extension within the TYPO3 extension repository (TER) that uses the method processFiles().
=== Solution ===
Update to the TYPO3 versions 4.1.7 or 4.2.1 that fix the issues described. The new versions contain an updated default value for fileDenyPattern. If this default value is not used, there will be a warning displayed in backend module "About modules". This should remind the administrator to change the value of fileDenyPattern.
Thanks for your response, it was informative.
> Yes, ISC has finally gotten around to randomizing the source ports, as of
> 9.5.0a2. It is controlled by the "use-queryport-pool" option in the server
> section of the BIND configuration file. It defaults to "yes".
>
> You can control how big the pool is with the "queryport-pool-ports" option. It
> defaults to 8 (an extra 3 bits of entropy).
>
> This set of ports is refreshed periodically, with a frequency controlled by the
</form>
#########################
XSRF for any admin action
POC will change admin login and password in configuration file
<form id="myForm"
action="http://192.168.1.107/quickcart/admin.php?p=settings-config"
method="post">
<input type="text" name="sOption" value="save"/>
<input type="text" name="login" value="admin2"/>