
Postfix local privilege escalation via hardlinked symlinks

other UNIX systems in the course of time.  Hardlinks are older and
implement the primary mechanism for accessing file system objects.

In some UNIX systems, the link(symlink, newpath) operation has
changed over time: instead of recursively following the symlink and
creating a hardlink to the file thus found, it creates a hardlink
to the symlink itself.  This behavior disagrees with, for example,
the POSIX.1-2001 and X/Open XPG4v2 standards, and is the default
on current Solaris, IRIX and Linux systems. On systems with this
non-standard behavior, Postfix may be vulnerable depending on how
it is configured.

CAU-2008-0002: Microsoft Windows SharePoint Services Picture Source XSS

Solution & Recommendations
==========================

Unless editing web pages in SharePoint 2.0 is necessary, disable this
feature.  If the feature is necessary, ensure users must authenticate to
a service before giving them the privilege to create or edit pages, and
only afford users the privileges if they need to create or edit pages.
This practice will help leave an audit trail to determine which account
was used to create a malicious web page if an incident takes place.



Memory corruption in Postfix SMTP server Cyrus SASL support (CVE-2011-1720)

announce other SASL mechanisms, as shown in the previous section.

Technical details
=================

The Postfix SMTP server creates a SASL handle for each SMTP session,
when SASL authentication is enabled. The Postfix SMTP server will
use this SASL handle until it closes the SMTP connection (the Postfix
SMTP server may create a new server SASL handle when the client and
server agree to switch from a plaintext session to a TLS-encrypted
session, but this does not eliminate the memory corruption problem).

[Bkis-01-2010] Multiple Vulnerabilities in BigAce - Bkis

Affected Software: BigAce (version <= 2.7.1)

2. Technical Description

The XSS vulnerability of the software was found in the following modules:
- Create category
- Create Style sheet
- Create Template
- Edit template
- Create Group
- New permission

XSS vulnerability in Drupal's MP3 Player contributed module (version 6.x-1.0-beta1)

variety of content on a website. (From: http://drupal.org/about)

The MP3 Player module allows users to use the WordPress Audio Player in Drupal.

The name of the mp3 file is not properly sanitized when the javascript
to create the audio player is generated, resulting in a cross site
scripting vulnerability.

The module also fails to sanitize various inputs on the MP3 player
administration page. In the cases where the user is prompted for 6
digit hex values to use as colors for the player, it will only check

PHP "multipart/form-data" denial of service

problem is related to PHP's handling of RFC 1867 (Form-based File
Upload in HTML).

When you send a POST request to a PHP script with the content-type
"multipart/form-data" and include a list of files in that request, PHP
will create a temporary file for each file in the request. PHP creates
those files regardless of whether the script handles file uploads or
not. After the script has executed, the temporary files are deleted.

The problem is that you can include a very large number of files in the
request. PHP will need to create those files before the script is

Family Connections 1.8.1 Multiple Remote Vulnerabilities

[+] Application: Family Connection
[+] Version: 1.8.1
[+] Website: http://www.familycms.com

[+] Bugs: [A] Multiple SQL Injection
          [B] Create Admin User
          [C] Blind SQL Injection

[+] Exploitation: Remote
[+] Date: 25 Mar 2009


PHP filesystem attack vectors

(doesn't work as expected, because it still ends in passwd)

--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--

A check like this can't be directly bypassed (it could be if the
attacker were able to create a link to /etc/passwd, for example), but
the need for this level of access disappears when using the trailing "/"
or "/." attack vector that we are presenting:

--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--


php create_function command injection vulnerability

PHP uses the create_function function to create an anonymous function, as shown below (taken from the PHP manual):

--------------------------------------------------
Description
string create_function ( string args, string code )


Creates an anonymous function from the parameters passed, and returns a unique name for it. Usually the args will be passed as a single quote delimited string, and this is also recommended for the code. The reason for using single quoted strings is to protect the variable names from parsing; otherwise, if you use double quotes, there will be a need to escape the variable names, e.g. \$avar.

You can use this function, for example, to create a function from information gathered at run time:

VHCS <= 2.4.7.1 (vhcs2_daemon) Remote Root Exploit

#  + The reseller has 1 users
#  + Host thegoodone.com is connected
#  / Trying to write PHP code
#  + PHP code successfully written
#  / We'll have to bypass open_basedir cause safe_mode=On
#  / Trying to create a database
#  + Database 92xpl_db39 successfully created
#  + Using database id 12
#  / Trying to add SQL user
#  + User 93xpl_usr2 successfully created
#  + Using SQL user id 17

TK53 Advisory #2: Multiple vulnerabilities in ClamAV

* Affected program: ClamAV (http://www.clamav.net/)

* Affected versions: 0.92

* Overview:
  1) ClamAV uses its own functions to create temporary files. One such
     routine is vulnerable to a race condition attack.

  2) ClamAV fails to properly check for base64-UUEncoded files, allowing
     bypassing of the scanner through the use of such files.


Crystal Office Suite v1.43 - Buffer Overflow Vulnerability

Introduction:
=============
Crystal Office is the essential office suite ideal for home and business users, delivering more tools that make your work go faster and your life go easier. Find all the essential office software to complete routine tasks faster and with better results. Create and edit text and graphics in letters, reports, documents and Web pages. Perform calculations and manage lists in spreadsheets. Keep track of appointments and tasks. Open, edit and save Microsoft® Office documents.

What's Included:

• NotePro - feature-packed, easy to use word processor. Create polished documents of any length or type, including reports,

CA20100608-01: Security Notice for CA PSFormX and WebScan ActiveX Controls

kill bit for the controls in the registry. Note: review Microsoft
KB article 240797 prior to updating the registry.

PSFormX ActiveX control

Create a DWORD with the name of "Compatibility Flags" containing the
value 0x00000400 in the following registry key. If the key does not
exist, create it under the following location:

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\
ActiveX Compatibility\{56393399-041A-4650-94C7-13DFCB1F4665}]

XSS Vulnerability in Drupal's Node Blocks contributed module (6.x-1.3 and 5.x-1.1)

being a block. This allows the content managers of the site to edit
the block text and title without having to access the block
administration page. (From: http://drupal.org/project/nodeblock)

The block title is not properly sanitized when a user displays a block
created from a node, resulting in a cross site scripting
vulnerability.


Systems affected:
-----------------

FreeWebshop.org: multiple vulnerabilities

Besides changing the default password for the admin user and removing
the install.php script, no specific instructions are provided to secure
the installation of FWS. The manual assumes that FWS is installed on a
LAMP server (Linux, Apache, MySQL & PHP). If the ZIP archive is
extracted or the files are uploaded to the document root of the
webserver, the new files and directories will be created based on the
active umask. In most cases, this will give read & write access to
the owner of the files and read access for all other users.

Since FWS needs to write to certain files and directories, the
instructions in the manual tell you to specifically set file permissions

Command Execution in Hannon Hill Cascade Server

* On UNIX systems, run Cascade Server in a chroot environment.

EXPLOIT
=======

This exploit example assumes the ability to create and edit blocks,
stylesheets, and pages. It's also possible to exploit the
vulnerability simply by modifying an existing stylesheet.

Create a stylesheet with the following contents:


CA Products That Embed Ingres Multiple Vulnerabilities

Unicenter Software Delivery r11.1, r11.2
Unicenter Workload Control Center r11


Affected Platforms:
1. Ingres verifydb file create permission override (CVE-2008-3356)
   This vulnerability impacts all platforms except Windows.
2. Ingres insecure directory privileges with utility ingvalidpw
   (CVE-2008-3357)
   This vulnerability impacts only Linux and HP platforms.
3. Ingres verifydb, iimerge, csreport buffer overflow

Cpanel all version >> root access with a reseller account.

Version: ALL
Risk: Very high
What you can do with this bug: you can get access to the whole server with only reseller privileges (Th3 r00t).
How does it work?
When you want to create an account from the shell, what happens?
./script/wwwact [domainname] [username] [password] [Email address] lab lab lab
The same script can be run from a web-based program (cpanel: domain:2086).
Example:
http://domain:2086/scripts/wwwacct  [domainname] [username] [password] [Email address] lab lab lab
This means you have access to wwwacct in the scripts folder (Th3 r00t).

Syhunt: HFS (HTTP File Server) Log Arbitrary File/Directory Manipulation and Denial-of-Service Vulnerabilities

provided during navigation exists or contains any invalid characters
before logging information about a request. This is especially
dangerous if the server has been configured to use account names
as log filenames.

In this case, a remote attacker can use this flaw to create
arbitrary files, append data to arbitrary files, create
arbitrary folders or launch a DoS attack against the server.
Technical details are included below.

----------------------------------------------------------------

PHPKIT 1.6.4 PL1 2 XSRF Vulnerabilities

::Vulnerabilities:

There are two vulnerabilities (there are more XSRF issues, but the principle is the same):

1) Update User Profile XSRF (does not ask for the current password)
2) Create an admin XSRF




1)

The GNU C library dynamic linker expands $ORIGIN in setuid library search path

likely concerned about is users creating hardlinks to suid executables in
directories they control and then executing them, thus controlling the
expansion of $ORIGIN.

It is tough to form a thorough complaint about this glibc behaviour however,
as any developer who believes they're smart enough to safely create suid
programs should be smart enough to understand the implications of $ORIGIN
and hard links on load behaviour. The glibc maintainers are some of the
smartest guys in free software, and well known for having a "no hand-holding"
stance on various issues, so I suspect they wanted a better argument than this
for modifying the behaviour (I pointed it out a few years ago, but there was

Cisco Security Advisory: Management Center for Cisco Security Agent Remote Code Execution Vulnerability

The following policy can be configured as a workaround to mitigate
this vulnerability. Complete the following steps to deploy this
policy for the Cisco Security Agent running on the Management Center
for Cisco Security Agent server.

Create a New Application Class
+-----------------------------

Step 1. Specify the name of the application class as 'CSA MC - all
applications but not its descendants'.


BSD derived RFC3173 IPComp encapsulation will expand arbitrarily nested payload

    zstream.next_in     = data;
    zstream.avail_out   = MAX_PACKET_SIZE - sizeof(struct ipcomp);
    zstream.next_out    = ipcomp->comp_data;

    if (deflate(&zstream, Z_FINISH) != Z_STREAM_END) {
        fprintf(stderr, "error: deflate() failed to create compressed payload, %s\n", zstream.msg);
        return false;
    }

    if (deflateEnd(&zstream) != Z_OK) {
        fprintf(stderr, "error: deflateEnd() returned failure, %s\n", zstream.msg);

TeamSHATTER Security Advisory: Privilege escalation via internal sql injection in RESTORE DATABASE command

Application Security Inc.

Details:
The RESTORE DATABASE command is prone to internal SQL injection, allowing
malicious users to run SQL code with the highest privileges.
To exploit this vulnerability an attacker must possess the CREATE DATABASE
privilege in order to create and restore a database.

Impact:
Users having CREATE DATABASE permission can become system administrators.


Car Portal CMS v3.0 - Multiple Web Vulnerabilities

Successful exploitation of the vulnerability can lead to session hijacking (manager/admin) or stable (persistent)
context manipulation. Exploitation requires low user interaction.

Vulnerable Module(s):
    [+] Post a new vehicle - PWRS & Description field
    [+] Create News - News title
    [+] Create a sub user - Name
    [+] Create new user group - group Name
    [+] Change profile - Dealer name & First Name & Last Name


Multiple vulnerabilities in Exim

Two vulnerabilities have been discovered in Exim 4, a popular mail transfer
agent used on Unix-like systems (www.exim.org).

1. When Exim is used with a world-writable mail directory with the sticky-bit
set, local users may create hard links to other non-root users' files at the
expected location of those users' mailboxes, causing their files to be written
to upon mail delivery.  This could be used to create denial-of-service
conditions or potentially escalate privileges to those of targeted users.  This
issue has been assigned CVE-2010-2023.


VMSA-2010-0011 VMware Studio 2.1 addresses security vulnerabilities in virtual appliances created with Studio 2.0.

------------------------------------------------------------------------
                   VMware Security Advisory

Advisory ID:       VMSA-2010-0011
Synopsis:          VMware Studio 2.1 addresses security vulnerabilities
                   in virtual appliances created with Studio 2.0.
Issue date:        2010-07-13
Updated on:        2010-07-13 (initial release of advisory)
CVE numbers:       CVE-2010-2427 CVE-2010-2667
------------------------------------------------------------------------


TurboFTP Server Directory Traversal Vulnerability

1. Vendor description of software
------------------------------------------------
TurboFTP Server is a high performance, secure, scalable and management friendly file transfer server running on Windows platforms. With it you can easily set up a secure file transfer server that delivers regular FTP, FTP over SSL/TLS, and "SFTP over SSH" services with virtual domains, advanced directory access control, virtual folders, IP access control, flexible authentication options and many other features.
2. Vulnerability details:
------------------------------------------------
A directory traversal vulnerability exists in the "FTP" and "SFTP" modules of TurboFTP Server that allows an authenticated user to create directories outside the root directory, which may lead to other attacks.

If you can log on to the server successfully,
take the following steps to create folders outside the SFTP root directory:
1.      $ssh2 = Net::SSH2->new();
2.      $ssh2->connect($server, $port);

Re: Samba Remote Zero-Day Exploit

You need admin rights to create junctions. At that point, path
constraints aren't relevant, just psexec and get not only arbitrary
path but arbitrary code.

The fix is to do what everybody with a directory traversal bug has to
do, block out of path relative directories. In this specific case,
prevent the creation of symlinks where the target is out of the SMB
share's range. (Still allow navigation to such symlinks if one exists,
though.)



Copyright © 1995-2012 LinuxRocket.net. All rights reserved.