creation
Multiple vulnerabilities exist in Cisco Unified MeetingPlace. This
security advisory outlines the details of these vulnerabilities:
* Insufficient validation of SQL commands
* Unauthorized account creation
* User and password enumeration in Cisco MeetingTime
* Privilege escalation in Cisco MeetingTime
Workarounds are not available for these vulnerabilities.
2) Due to insufficient input validation, the application <v5.5.0 R5
allows the injection of direct SQL commands. By exploiting the
vulnerability, an attacker gains access to all records stored in the
database. In this instance of SQL injection, the vulnerability can
additionally be used to get access to other user accounts and their
data. During the creation of an account group by a non-sysadmin user
the account group name is not validated and is used in a SQL query.
This allows for the injection of arbitrary SQL code. The account group
creation can be accessed from the menu -> Master Data -> More ->
Account Groups.
>> content protected by the certificate.
>
> Considering that the MetaData not protected by the signature contains
> among others:
> 1.) Author
> 2.) Dates of creation and last change
> 3.) State Information
> I do think that most people, certainly the users, would feel that this
> data belongs to the "document", and would be protected when the
> "document" is signed.
>
> content protected by the certificate.
>> are not revealed until an attack is conducted or a malicious use of
>> the account is done. For example:
>> - Use of captcha for avoiding automated processes (e.g., in the users
>> authentication or in the new users sign up).
>> - Temporary IP locking in case of detecting unusual application
>> activities (e.g., multiple new account creation requests)
>> - Temporary account locking in case of detecting unusual use of the
>> user account (e.g., when doing multiple consecutive requests to the
>> same resource).
>> - Detection of concurrent access to the account from different
>> geolocated IP addresses added to the number of these accesses.
IBM DB2 Universal Database Directory Creation Vulnerability
iDefense Security Advisory 08.16.07
http://labs.idefense.com/intelligence/vulnerabilities/
Aug 16, 2007
I. BACKGROUND
IBM Corp.'s DB2 Universal Database product is a large database server
product commonly used for high end databases. For more information,
* The User.offer_account_by_email WebService method lets you create
a new user account even if the active authentication method forbids
users to create an account.
* A CSRF vulnerability in post_bug.cgi and in attachment.cgi could
lead to the creation of unwanted bug reports and attachments.
All affected installations are encouraged to upgrade as soon as
possible.
Platforms: Windows
Bugs: A] GatewayService integer overflow
B] CmpWebServer stack overflow
C] CmpWebServer Content-Length NULL pointer
D] CmpWebServer invalid HTTP request NULL pointer
E] CmpWebServer folders creation
Exploitation: remote
Date: 29 Nov 2011
Author: Luigi Auriemma
e-mail: aluigi@autistici.org
web: aluigi.org
WHERE U_Mailbox='user' AND U_Password LIKE 'test'),SLEEP(5),1)-- "
real 0m5.418s
user 0m0.040s
sys 0m0.010s
Depending on the DBMS configuration, creation of arbitrary files and/or
code execution might also be possible. The following example illustrates
the creation of a PHP script within the web application's root directory
using the SELECT .. INTO DUMPFILE functionality provided by MySQL:
$ ./sql_inject.sh a3779402b23fa4acdcba6be907521acb user@example.com "" \
well as the emotionally-charged ambient, the kind of which you make
fond memories.
The 2008 edition generated a strong emulation in France, from its
historical role as the first official hack meeting there, and in Europe
with the subsequent creation of the Hacker Space Brussels[2], the
rapprochement with The Fiber in Amsterdam and the hackerspaces.org[3]
network. Initiatives of hackerspace openings in Grenoble or Lille, or
the upcoming FrHack[4] conference, show real enthusiasm in the
French hacker community that was doomed to the "underground" not so
long ago. We salute these initiatives and their diversity!
Now, it's not my intent to start some geopolitical debate here, but I've long heard about how some people would block entire countries at the border in order to obviate issues with malicious traffic. There are obviously some issues with this (both from a technical and a potential customer standpoint), so I set out to do a bit of research on my own. The first thing I found out was that if one does decide to block entire countries, it's going to be a bit of work from a rule standpoint. Sure, if I wanted to block all of China I could block APNIC, but that would block WAY more than I would want. So I set about finding a good resource for country-by-country IP ranges. Fortunately, Wade Alcorn, one of my colleagues at NGSSoftware, turned me on to one that seemed pretty decent (there are a few around, though). But finding the resource was just the beginning... The list I got included 234 countries, comprising almost 100,000 records of IP ranges.
Making a firewall rule to block China, for instance, would require entering almost 600 IP ranges, so the "manual" route was clearly out. The thing is, I just didn't want to block countries without more research, so I needed a way to gather some statistics first. Enter ISA Server. As many of you know, I'm a big fan of ISA; it's a true enterprise security product with great scripting capabilities, so I set to work creating an automated method by which to create computer sets in ISA for each country. Basically, I created a SQL database and loaded all the records into it. I then wrote a little COM app to reach out and grab the data by country, create the sets in ISA, and loop through the different ranges of IPs to add them to the set. It worked great.
This accomplished two things - one, I now have full detailed computer sets for each country to do with as I please. Secondly, I have an excellent way of producing detailed reports for traffic analysis in ISA- this was key. With data collection points set up at different places around the world, I was able to capture 3.1 million inbound connection attempts. The results were quite interesting. While China still led with connection attempts overall, it was interesting to see that Canada was a close second. However, while China's traffic consisted of SQL Slammer, HTTP, SMTP, probes for GhostProxy, etc, almost all of Canada's traffic was MESSENGER spam (UDP 1026,1027,1208). The world leader for HTTP was Brazil, strangely enough. Now, all of this will change based on who and where you are, and the types of services being offered. For example, I only got 5 SMTP connection attempts to my cable modem in a week, but my ISP in BM got hundreds of thousands (understandably) in the same time period. I'll whip up some cool reports for what I found and post them once I get some more data in from different collection points, but the valuable outcome of the project was the creation of these individual country-by-country Computer Sets for ISA.
Beforehand, I had no real way of easily and effectively reporting on traffic patterns by source country. Whether you can or can't block entire countries is your business, but at least this affords someone an easy way of doing research. You may not be able to (or even want to) block HTTP from China, but you very well may want to block SMTP; with ISA and computer sets, you can easily do this. Even if you don't block anything at all, you can use the sets to get rich reports of what kind of traffic you are getting from a particular country. While the validity of the practice of blocking entire countries (or particular protocols, for that matter) may be up for debate, you now at least have the option to make your own decision based on factual information. To be sure, you've always been able to do this, obviously; it's just been my experience that maintaining rule lists by country/protocol has been quite difficult and time consuming.
I've exported every country's entire list to ISA 2006 .XML format, and have posted them on the HoG site for community use. Since I've automated the Set creation process, I'll be updating the sets each month or so to ensure that changes are processed correctly. I would like to thank NGSSoftware for purchasing the required business services to receive the updates; their donation makes it possible for me to give you updated sets for free.
A full list of all countries' ISA .xml for ISA 2006 is available here:
Details follow:
It was discovered that MySQL could be made to overwrite existing table
files in the data directory. An authenticated user could use the DATA
DIRECTORY and INDEX DIRECTORY options to possibly bypass privilege checks.
This update alters table creation behaviour by disallowing the use of the
MySQL data directory in DATA DIRECTORY and INDEX DIRECTORY options. This
issue only affected Ubuntu 8.10. (CVE-2008-4098)
It was discovered that MySQL contained a cross-site scripting vulnerability
in the command-line client when the --html option is enabled. An attacker
"by bitweaver" Version powered +boards
"You are running bitweaver in TEST mode"|"bitweaver * White Screen of Death"
Versions tested: 2.6.0, 2.0.2
Vulnerability type: folder creation, file creation, file overwrite, PHP code injection.
Explanation:
look at /boards/boards_rss.php, line 102:
...
echo $rss->saveFeed( $rss_version_name, $cacheFile );
Vendor: Massimo Melina
Vendor URL: http://www.rejetto.com/hfs -or- hfs.sourceforge.net
The Common Vulnerabilities and Exposures (CVE) project has
assigned the following CVEs to these vulnerabilities:
* CVE-2008-0405 - Arbitrary File/Folder Creation Vulnerability
* CVE-2008-0406 - Denial of Service (DoS) Vulnerability
----------------------------------------------------------------
Overview:
constraints aren't relevant, just psexec and get not only arbitrary
path but arbitrary code.
The fix is to do what everybody with a directory traversal bug has to
do, block out of path relative directories. In this specific case,
prevent the creation of symlinks where the target is out of the SMB
share's range. (Still allow navigation to such symlinks if one exists,
though.)
or test this. The POSIX standard mandates that link() shall fail if
the user has no search permission for any of the directories in the
path prefix of oldpath or newpath.
Therefore, setting the directory permission to 0700 protects from hardlink
creation (read that again!) and this bug in the /proc filesystem
indeed led to a change in access control semantics. Under POSIX, the
file IS unwritable, because it is protected by the permissions on the
parent directory.
(2) While it's irrelevant for his argument, the script by Pavel Machek has a
http://www.ipswitch.com/products/instant_messaging
Versions: <= 2.0.8.1
Platforms: Windows
Bugs: A] pre-auth NULL pointer crash in decryption function
B] format string in logging
C] arbitrary empty files creation
Exploitation: remote
A] versus both server and clients
B] versus server
C] versus server
Date: 07 Feb 2008
* Memory leak in Cisco IOS Software
A device that is configured for either Cisco IOS IPS or Cisco IOS
Zone-Based Firewall (or both), may experience a memory leak under
high rates of new session creation flows through the device.
To determine if a device is configured with Cisco IOS IPS, log
into the device and issue the "show ip ips interfaces" CLI command.
If the output shows an IPS rule set in either the inbound or outbound
direction, then the device is vulnerable. This example shows
a device with an IPS rule set on interface Gigabit Ethernet 0/0
IBM DB2 Universal Database Multiple File Creation Vulnerabilities
iDefense Security Advisory 08.16.07
http://labs.idefense.com/intelligence/vulnerabilities/
Aug 16, 2007
I. BACKGROUND
IBM Corp.'s DB2 Universal Database product is a large database server
product commonly used for high end databases. For more information,
software projects.
This advisory covers a critical security issue that has recently been
fixed in the Bugzilla code:
* Even with account creation disabled, users can use the WebService to
create an account.
We strongly advise that 2.23.x and 3.0.x users upgrade to 3.0.2
immediately. Users of CVS HEAD or 3.1.1 should upgrade to 3.1.2
immediately. This is critical if you have a "requirelogin" installation
On Mon, 9 Mar 2009, Robert Buchholz wrote:
> Subject: [ GLSA 200903-18 ] Openswan: Insecure temporary file creation
Once again, thanks to everyone for not contacting the Openswan Project
in this matter just like they did not do this 6 months ago when this
"vulnerability" came out originally.
> Severity: Normal
> Title: Openswan: Insecure temporary file creation
Safe For Initialization (IObjectSafety): True
Safe For Scripting (IObjectSafety): True
vulnerabilities, discovered two months ago:
insecure methods: Packagefiles() - remote file overwrite, directory traversal, *script injection* and ... a crash (investigating on this one)
SaveDna() - remote file creation, directory traversal
AddFile() - remote cpu consumption
SetIdentity() - remote file creation
This dll was present inside the SupportSoft ActiveX Controls Security Update for a previous buffer overflow vulnerability,
see: http://secunia.com/advisories/24246/
This vulnerability exists because it is possible to modify
authentication cookies without invalidating the cryptographic
integrity protection.
If a Wordpress blog is configured to freely permit account creation,
a remote attacker can gain Wordpress-administrator access and then
elevate this to arbitrary code execution as the web server user.
The vulnerability is fixed in Wordpress 2.5.1
http://tintin.sourceforge.net
Versions: <= 1.97.9
Platforms: Windows, Linux and Mac
Bugs: A] chat buffer-overflow
B] chat YES NULL pointer
C] chat home folder empty files creation
Exploitation: remote
Date: 06 Feb 2008
Author: Luigi Auriemma
e-mail: aluigi@autistici.org
web: aluigi.org
NOTICE: The information in this Security Bulletin should be acted upon as soon as possible.
Release Date: 2011-12-21
Last Updated: 2011-12-21
Potential Security Impact: Remote execution of arbitrary code, directory traversal, creation and deletion of arbitrary files, unauthorized access to application database
Source: Hewlett-Packard Company, HP Software Security Response Team
VULNERABILITY SUMMARY
Potential security vulnerabilities have been identified with HP Managed Printing Administration. These vulnerabilities could be exploited remotely for execution of arbitrary code, directory traversal, creation and deletion of arbitrary files, and unauthorized access to the application database.
Matta Consulting - Matta Advisory
https://www.trustmatta.com
pfSense x509 Insecure Certificate Creation
Advisory ID: MATTA-2011-001
CVE reference: CVE-2011-4197
Affected platforms: pfSense
Version: 2.0