configuration files
capabilities.
The Cisco RVS4000 and WRVS4400N Gigabit Security Routers contain
three web management interface vulnerabilities:
* Retrieval of the configuration file
If an administrator of the device has previously created a backup
of the configuration, using Administration --> Backup & Restore
--> Backup, it is possible for a remote unauthenticated user to
access the backup configuration file. This file contains all
configuration parameters of the device, including the HTTP
Multiple vulnerabilities were discovered and fixed in gimp:
Stack-based buffer overflow in the "LIGHTING EFFECTS > LIGHT" plugin in
GIMP 2.6.11 allows user-assisted remote attackers to cause a denial
of service (application crash) or possibly execute arbitrary code
via a long Position field in a plugin configuration file. NOTE:
it may be uncommon to obtain a GIMP plugin configuration file from
an untrusted source that is separate from the distribution of the
plugin itself (CVE-2010-4540).
Stack-based buffer overflow in the SPHERE DESIGNER plugin in GIMP
Advisory: Authentication Bypass in Configuration Import and Export of
ZyXEL ZyWALL USG Appliances
Unauthenticated users with access to the management web interface of
certain ZyXEL ZyWALL USG appliances can download and upload
configuration files, that are applied automatically.
Details
=======
Users with the role "limited-admin" are allowed to log into the
web-based administrative interface and configure some aspects of a
ZyWALL USG appliance. It is usually not possible to download the current
configuration file, as this includes the password-hashes of all users.
When the "download" button in the File Manager part of the web interface
is pressed, a JavaScript dialogue window informs the user that this
operation is not allowed. However, setting the JavaScript variable
"isAdmin" to "true" (e.g. by using the JavaScript console of the
"Firebug" extension for the Firefox web browser) disables this check and
Vulnerability overview:
---------------
SonicWALL Global VPN Client suffers from a format string vulnerability
that can be triggered by supplying a specially crafted configuration
file. This vulnerability allows an attacker to execute arbitrary code in
the context of the vulnerable client. For a successful attack, the
attacker would have to entice his victim into importing the special
configuration file.
e) Configuration encoding
Users can back up the configuration of the device through the web
interface. The configuration is saved in a tgz file ("config.cfg") that is
"encrypted" in an easy-to-reverse form. The following Python procedure
decodes the "encrypted" version of the configuration file:
# 'data' is the content of the encrypted configuration file, as downloaded
# from the web interface
def conf_decode(data):
    r = ""
Authentication Flaw.
2. Relevant releases
VMware ESXi 4.1 if upgraded from ESXi 3.5 or ESXi 4.0 with a modified
SFCB configuration file.
3. Problem Description
a. ESXi 4.1 Update Installer SFCB Authentication Flaw
~ NOTE: This issue doesn't affect the latest versions of VMware
~ Workstation 6, VMware Player 2, and ACE 2 products.
~ h. Local Privilege Escalation on Windows based platforms by
~ Hijacking VMware VMX configuration file
~ VMware uses a configuration file named "config.ini" which
~ is located in the application data directory of all users.
~ By manipulating this file, a user could gain elevated
~ privileges by hijacking the VMware VMX process.
Vulnerability Description
-------------------------
A post-installation shell script is executed both in the provisioning of a
Security Management Domain and installation of a standalone SmartCenter. The
script is used to generate a configuration file for use by the SofaWare
Management Server (SMS). The SMS is used to send all configuration changes
performed in the SmartCenter/Management Domain to UTM-1 Edge devices. UTM-1
Edge devices also communicate their status to the SmartCenter/Management
Domain via SMS.
necessary changes.
Details follow:
It was discovered that PHP did not properly enforce php_admin_value and
php_admin_flag restrictions in the Apache configuration file. A local attacker
could create a specially crafted PHP script that would bypass intended security
restrictions. This issue only applied to Ubuntu 6.06 LTS, 7.10, and 8.04 LTS.
(CVE-2007-5900)
It was discovered that PHP did not correctly handle certain malformed font
* Hosted products are VMware Workstation, Player, ACE, Fusion.
b. vCenter Apache Tomcat Management Application Credential Disclosure
The Apache Tomcat Manager application configuration file contains
logon credentials that can be read by unprivileged local users.
The issue is resolved by removing the Manager application in
vCenter 4.1 Update 1.
High
=== Problem Description ===
Because of an insufficiently secure default value of the TYPO3 configuration variable fileDenyPattern, TYPO3 is susceptible to the following vulnerabilities when running on the Apache web server:
1. Authenticated backend users with granted access to an arbitrary filemount are able to upload Apache configuration files (.htaccess). A malicious backend user may abuse this to create and execute files containing arbitrary code.
2. If the Apache module mod_mime is enabled on the Apache web server (default case), authenticated backend users with granted access to an arbitrary filemount can upload/create and execute arbitrary files with PHP code. The same applies to frontend users in the case that TYPO3 extensions with frontend plugins rely on t3lib_div::verifyFilenameAgainstDenyPattern() to check the validity of the file name. The TYPO3 security team is aware of a number of popular TYPO3 extensions that use this method. Besides that, TYPO3 extensions that process file uploads using the method processFiles() of the core library fe_adminLib.inc would also be vulnerable. The TYPO3 Security Team is not aware of an existing TYPO3 extension within the TYPO3 extension repository (TER) that uses the method processFiles().
=== Solution ===
Update to the TYPO3 versions 4.1.7 or 4.2.1 that fix the issues described. The new versions contain an updated default value for fileDenyPattern. If this default value is not used, there will be a warning displayed in backend module "About modules". This should remind the administrator to change the value of fileDenyPattern.
application the first step is to enumerate the objects that contain
__wakeup() or __destruct() methods and read their code to analyze if
these methods are doing something interesting.
When looking at the Piwik source code one particular class can be
found that allows writing arbitrary configuration files to the
webserver. This class is called Piwik_Config and contains the
following code.
function __destruct()
{
statement and get its output in both inband and blind SQL injection attack.
* Added an option (--privileges) to retrieve DBMS users privileges, it
also notifies if the user is a DBMS administrator.
* Added support (-c) to read options from configuration file, an example
of valid INI file is sqlmap.conf and support (--save) to save command
line options on a configuration file.
* Implemented support for HTTPS requests over HTTP(S) proxy.
---[ Vulnerability description ]
Positive Research Center has discovered multiple vulnerabilities in Dlink DPH 150SE/E/F1 IP phone.
1. A vulnerability exists in the web management interface of the Dlink DPH 150SE that allows an unauthenticated user to obtain the device configuration file with all the settings, including the administrator's password. To exploit the vulnerability, an attacker has to set up a tftp/ftp server to receive the configuration file.
2. A vulnerability exists in the web management interface of the Dlink DPH 150SE that allows an unauthenticated user to upload a configuration file to the device.
3. A vulnerability exists in the web management interface of the Dlink DPH 150SE that allows an unauthenticated user to modify the message shown on the device LCD display.
Synopsis
========
Portage may disclose sensitive information when updating configuration
files.
Background
==========
Portage is the default Gentoo package management system.
ATTENTION: This security update brings changes to Exim's behaviour. Please
review the following information carefully, as your Exim configuration may
need to be adjusted after applying this update.
Exim no longer runs alternate configuration files specified with the -C
option as root. The new /etc/exim4/trusted_configs file can be used to
override this new behaviour. Files listed in trusted_configs and owned by
root will be run with root privileges when using the -C option.
In addition, Exim no longer runs as root when the -D option is used. Macro
ANM is initially installed. This vulnerability can be exploited
remotely with default credential authentication and without end-user
interaction. Unauthorized access to the database may allow
modification of system files that could impact the function of ANM or
allow execution of commands on the underlying host operating system.
The ACE appliance and module device configuration files in the MySQL
database are encrypted.
This vulnerability is documented in the following Cisco Bug ID:
* CSCsu52632
</form>
#########################
XSRF for any admin action
The PoC will change the admin login and password in the configuration file
<form id="myForm"
action="http://192.168.1.107/quickcart/admin.php?p=settings-config"
method="post">
<input type="text" name="sOption" value="save"/>
<input type="text" name="login" value="admin2"/>
Resume
======
Two file disclosure flaws exist on these LMS platforms, which could
allow an attacker registered on the system to obtain files from the
server, i.e. your database configuration file, or any other file
readable by the webserver.
Details
=======
1) The user input to the $_GET['file'] variable was not cleaned
no snmp-server community public RO
no snmp-server community private RW
Saving the configuration will update the start-up configuration
files; however the hard-coded community names will be reinserted to
the running configuration when the device reloads. This workaround
must be applied each time the device is reloaded.
Automatically Remove SNMP Community Names
+----------------------------------------
Previous versions of the dovecot package are vulnerable to an
Unauthorized Access attack in which a remote attacker may bypass
password authentication.
dovecot is not installed by default on rPath Linux systems, and
the default dovecot configuration file provided with rPath Linux
does not trigger this vulnerability; only systems customized to
include and reconfigure dovecot may be vulnerable.
http://wiki.rpath.com/Advisories:rPSA-2008-0108
Security" area in the Cisco IronPort Encryption Appliance
administration interface.
It is possible to workaround the remote code execution vulnerability
(IronPort Bug 65923) by disabling HTTP Invoker in the Cisco IronPort
Encryption Appliance configuration files. To disable the HTTP
Invoker, an administrator must delete several files in the PostX
application home directory and remove a directive from the web server
configuration. The following files must be deleted:
jboss/server/postx/deploy/http-invoker.sar
Description
The Web-based Local Management Interface (LMI) of the IBM Proventia Network Mail Security System appliance (firmware 1.6) contains an Insecure Direct Object Reference vulnerability. When exploited by an authenticated attacker, this vulnerability could lead to compromising the security of the appliance, allowing OS command execution and local file inclusion resulting in exposure of appliance configuration files, source code, etc.
The affected resource is not part of the IBM PNMSS firmware 2.5.
By manipulating the l parameter of /sla/index.php resource, an authenticated attacker can perform any of the above attacks.
+------------------------------------------
There are two steps required to change the database password:
1. First change the database password.
2. Then update the Management Console configuration file with the new
database password.
Complete these steps:
1. Log in to the database using the old password, and then use the
Debian-specific: yes
CVE ID : CVE-2009-1073
Debian Bug : 520476
Leigh James discovered that nss-ldapd, an NSS module for using
LDAP as a naming service, by default creates the configuration file
/etc/nss-ldapd.conf world-readable, which could leak the configured
LDAP password if one is used for connecting to the LDAP server.
The old stable distribution (etch) doesn't contain nss-ldapd.
>
> ################################################################
> #Date Found: 21/08/08
> #Severity: High
> #Security Risk:Null Byte Files Retrieval
> #Explanation: It is possible to view the contents of any file (e.g. databases, user information or configuration files) on the web server (under the permission restrictions of the web server user)
>
>
> #POC: http://localhost/farver/index.php?c=/../../../../../../../../boot.ini%00
> #For the POC pic visit: www.beenuarora.com/POC.bmp
>
Exploitation of these vulnerabilities might result in code execution on
the host system or on the service console in ESX Server from the guest
operating system.
The VIX API can be enabled and disabled using the "vix.inGuest.enable"
setting in the VMware configuration file. The default value for this
setting is "disabled". This configuration setting is present in the
following products:
VMware Workstation 6.0.2 and higher
VMware ACE 6.0.2 and higher
VMware Server 1.06 and higher
user names in some configurations. Please see the upstream
advisory for details:
http://downloads.asterisk.org/pub/security/AST-2011-013.html
This update only modifies the sample sip.conf configuration
file. Please see README.Debian for more information on how
to update your installation.
CVE-2011-4598
Kristijan Vrban discovered that Asterisk can be crashed with
Details:
Since revision 7424, globals.php includes 'configuration.php' if
RG_EMULATION is unset, and enables RG_EMULATION by default for 'old
configuration files':
if( defined( 'RG_EMULATION' ) === false ) {
    if( file_exists( dirname(__FILE__).'/configuration.php' ) ) {
        require( dirname(__FILE__).'/configuration.php' );
    }