Impact : Arbitrary code execution
Wherefrom: Local and remote
Original : http://www.rdancer.org/vulnerablevim.html
Improper quoting in some parts of Vim written in the Vim Script can lead to
arbitrary code execution upon opening a crafted file.
2. Overview
``Vim is an almost compatible version of the UNIX editor Vi. Many new features
PHP filesystem attack vectors
Name             PHP filesystem attack vectors
Systems Affected PHP and PHP+Suhosin
Vendor           http://www.php.net/
Advisory         http://www.ush.it/team/ush/hack-phpfs/phpfs_mad.txt
Authors          Francesco "ascii" Ongaro (ascii AT ush DOT it)
                 Giovanni "evilaliv3" Pellerano (giovanni.pellerano AT evilaliv3 DOT org)
Date             20090207
3. *Vulnerability Description*
Internet Explorer (IE) is the most widely used Web browser, with an
estimated count of 1,100 million users according to a worldwide survey
conducted and published in 2008 [1]. This advisory describes a
vulnerability that provides access to the contents of any file stored in
the local filesystem of user's machines running vulnerable versions of IE.
Exploitation of the vulnerability relies solely on the ability for a
would-be attacker to provide malicious HTML content from a website and
to predict the full pathname for the file that will be used to cache it
Core Security Technologies - CoreLabs Advisory
http://www.coresecurity.com/corelabs/
Multiple Vulnerabilities with 8.3 Filename Pseudonyms in Web Servers
1. *Advisory Information*
Multiple file-parsing vulnerabilities leading to evasion in different antivirus (AV) products. All affected products are command-line versions of the AVs.
----------------------------
Vulnerability Descriptions
----------------------------
1. Specially crafted infected POSIX TAR files with "[aliases]" as first 9 bytes evades detection.
                                        L    M    H    T
Summary: IP Spoofing                   [X]  [_]  [_]  [X]
         Cross Site Scripting          [X]  [_]  [_]  [X]
         Session Fixation              [X]  [_]  [_]  [X]
         mail() CRLF Injection         [X]  [_]  [_]  [_]
         Local File Inclusion (+CSRF)  [_]  [X]  [_]  [X]
         File Deletion (+CSRF)         [_]  [X]  [_]  [X]
         File Upload Vulnerability     [_]  [_]  [X]  [X]
         Code Execution (+CSRF)        [_]  [_]  [X]  [X]
Legend: L - Low risk  M - Medium risk
- Severity: Moderately High
=============================================
I. VULNERABILITY
-------------------------
WordPress <= 2.8.5 Unrestricted File Upload Arbitrary PHP Code Execution
II. BACKGROUND
-------------------------
WordPress is a state-of-the-art publishing platform with a focus on aesthetics, web standards,
and usability. WordPress is both free and priceless at the same time. More simply, WordPress is
Information on CVSS is documented in HP Customer Notice: HPSN-2008-002.
RESOLUTION
HP has made a new version of the ovalarmsrv program available to resolve the vulnerabilities. The new ovalarmsrv is available as a file to be installed manually. There are separate ovalarmsrv files for each version of NNM. The files are listed in the table below. Instructions for installing the files are contained in the readme_for_ovalarmsrv.txt file.
For NNM v7.01 and NNM v7.51 patches must be installed before the ovalarmsrv file is installed. No patches are required for NNM v7.53.
The ovalarmsrv files and the readme_for_ovalarmsrv.txt file are available from ftp://ss080044:ss080044@hprc.external.hp.com/
Core Security Technologies – CoreLabs Advisory
http://www.coresecurity.com/corelabs
Lotus Notes buffer overflow in the Lotus WorkSheet file processor
*Advisory Information*
Title: Lotus Notes buffer overflow in the Lotus WorkSheet file processor
Advisory ID: CORE-2007-0821
Advisory URL: http://www.coresecurity.com/index.php5?action=item&id=2008
Abstract:
Some Windows antivirus software fails to detect, block and/or
disinfect/move/delete malware if the malware EXE file has only
execution permission and no read, write or other permissions.
The worst cases are NOD32 and Avast antivirus, which allow the
malware to run unimpeded. Avast has fixed the flaw while NOD32
is still vulnerable as of this writing.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Affected is OpenCart version 1.5.2.1, older versions may be vulnerable as well.
###############################################################################
1. Local File Inclusion in "action.php"
###############################################################################
Reason: using unsanitized user submitted data for file operations
Attack vector: user submitted GET parameter "route"
Preconditions:
List of found vulnerabilities
===============================================================================
1. Insecure file upload in blog personal gallery
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Security risk: critical
Preconditions:
1. attacker must be registered user
*Vulnerability Description*
Internet Explorer introduces the concept of URL Security Zones, which
basically define a set of privileges for web applications (such as, for
example, accessing and/or modifying the local computer files) depending
on their level of trustworthiness.
Issues have been found in the way that security policies are applied
when a URI is specified in the UNC form:
'\\MACHINE_NAME_OR_IP\PATH_TO_RESOURCE'
// Ask the user to confirm, then redirect to the delete action.
// d = current directory, f = file or directory name, m = confirmation
// message, t = 1 deletes a directory, anything else deletes a file.
function really(d,f,m,t) {
    if (confirm(m)) {
        if (t == 1) {
            window.location.href='?dir='+d+'&deldir='+f;
        } else {
            window.location.href='?dir='+d+'&delfile='+f;
        }
    }
}
<hr width="775" noshade><table width="775" border="0" cellpadding="0">
<?PHP
I actually DID try to access the .sdb in Ubuntu but that was before I identified the file format of the db as myDB as noted. I do not know of a 'nix based tool for access to the db. If you just want to verify, you can open the .sdb with a text/hex editor and parse out a filename for yourself - it's pretty straightforward. If you want to script the download of all files on a vulnerable server (for testing, of course) then you'll probably need to go ahead and set up a VM.
From: Rohit Patnaik [mailto:quanticle@gmail.com]
Sent: Tuesday, December 15, 2009 6:29 PM
To: Thor (Hammer of God)
Cc: bugtraq@securityfocus.com; full-disclosure@lists.grok.org.uk
Subject: Re: [Full-disclosure] File Access Vulnerability in Easy File Sharing Web Server
RESOLUTION
HP has made the following procedure available to resolve the vulnerability.
Note: The resolution is contained in the archive files listed below. Before an archive file is applied a patch may be required. The patch will ensure that NNM is compatible with the software files in the archive. No patch is required for NNM v7.53.
1. Install the appropriate patch listed in the table below. The patches are available from http://itrc.hp.com
2. Download the appropriate archive file listed in the table below. The archive files are available here:
ftp://ss080024:ss080024@hprc.external.hp.com/
II. Overview
During an audit of the MapServer v5.2.1 source code, five (5)
vulnerabilities were identified ranging from low to medium/high
severity. They include stack and heap overflows, a relative path
writing weakness, a file content leakage, as well as a file existence
leakage. Furthermore, after reporting these issues to the vendor, a
second audit by the project maintainer not only determined that v4.10.3
was also affected, but that four (4) additional stack overflows existed
in the code as well.
Information on CVSS is documented in HP Customer Notice: HPSN-2008-002.
The Hewlett-Packard Company thanks Liu Zhen Hua of FortiGuard Global Security Research Team for reporting this vulnerability to security-alert@hp.com.
RESOLUTION
HP has made archive files and patches available to resolve the vulnerability. The archive files are listed in the table below. In some cases a patch is required. The patch will ensure that NNM is compatible with the software files in the archive. No patch is required for NNM v7.53.
Note: The files installed for the Resolution in "rev.1" of this Security bulletin must be removed. Instructions for removing the files are in the Readme.txt file. The files recommended in "rev.1" of this Security Bulletin introduced a problem with the 'ovstop -c' command. Under certain circumstances the 'ovstop -c' command would not stop certain NNM processes. The files recommended in "rev.1" of this Security Bulletin do resolve the security vulnerability.
The patches are available from http://itrc.hp.com
File Access Vulnerability in Easy File Sharing Web Server
Discovered by:
Timothy "Thor" Mullen
Testing by Steve "Raging Haggis" Moffat, Hammer of God, Bermuda Labs
Product: Easy File Sharing Web Server, current versions, default installation
Vendor: http://www.sharing-file.com/
On Mon, Oct 26, 2009 at 12:14:36PM -0400, Stephen Harris wrote:
|| User1 creates file with permissions 0644
|| User2 opens file for read access on file descriptor 4
|| User1 chmod's directory to 0700
|| User1 chmod's file to 0666
|| User1 verifies no hard links to file
|| User2 can not open the file for read or write access
|| User2 can not write to file descriptor 4
|| User2 _can_ write to /proc/$$/fd/4
Information on CVSS is documented in HP Customer Notice: HPSN-2008-002.
RESOLUTION
HP has made archive files and patches available to resolve the vulnerability. The archive files are listed in the table below. In some cases a patch is required. The patch will ensure that NNM is compatible with the software files in the archive. No patch is required for NNM v7.53.
The patches are available from http://itrc.hp.com
The archive files are available from: ftp://ss080033:s080033@hprc.external.hp.com/
kidding. Because of its heavy reliance on FreeBSD source code, Mac OS X is
also affected [2], except for the realpath() case, which is conveniently
#ifdef'd out.
=====================================================
Leakage of file/directory existence via stat() calls
=====================================================
At two points (lines 366 and 436 in crontab.c), crontab makes calls to stat()
on a user-owned temporary file while retaining an euid of 0. Since stat()
follows symbolic links and returns ENOENT when called on a symbolic link
------------------------------------------------------------------------
Outlook PR_ATTACH_METHOD file execution vulnerability
------------------------------------------------------------------------
Yorick Koster, October 2009
------------------------------------------------------------------------
Abstract
------------------------------------------------------------------------
It has been discovered that certain e-mail messages cause Outlook to
- Severity: Moderately High
=============================================
I. VULNERABILITY
-------------------------
Invision Power Board <= 3.0.4 Local PHP File Inclusion and SQL Injection
Invision Power Board <= 2.3.6 SQL Injection
II. BACKGROUND
-------------------------
Invision Power Board (IPB) is a professional forum system that has
------------------------------------------------------------------------
Fix
------------------------------------------------------------------------
Microsoft released MS12-005 [3] that changes the way that Windows
Packager identifies unsafe files.
------------------------------------------------------------------------
Introduction
------------------------------------------------------------------------
ClickOnce is a deployment technology that allows you to create
Content-Type header and the "magic" signature at the beginning contradict or when the Content-Type header is unknown. In that case, IE will try to establish the content type and can be tricked into assuming text/html by placing certain HTML tags within the first 255 bytes of the file. Note that such files can be valid image files despite their HTML payload.
A frequent example for unknown content-types is "image/bmp", which is created by PHP's (< 5.3.0) getimagesize API function[4].
This is - the obvious XSS issue aside - used for phishing attacks[3].
RESOLUTION
HP has made patches available to resolve the vulnerabilities for NNM v7.53.
HP has made a new version of the ovalarmsrv program available to resolve the vulnerabilities for NNM v7.01 and NNM v7.51. The new ovalarmsrv is available as a file to be installed manually. The files are listed in the table below. Instructions for installing the files are contained in the readme_for_ovalarmsrv.txt file.
For NNM v7.01 and NNM v7.51 patches must be installed before the ovalarmsrv file is installed.
The ovalarmsrv files and the readme_for_ovalarmsrv.txt file are available from ftp://ss080044:ss080044@hprc.external.hp.com/
RESOLUTION
HP has made patches available to resolve the vulnerabilities for NNM v7.53.
HP has made a new version of the ovtopmd program available to resolve the vulnerabilities for NNM v7.01 and NNM v7.51. The new ovtopmd is available as a file to be installed manually. The files are listed in the table below. Instructions for installing the files are contained in the readme_for_ovtopmd.txt file.
For NNM v7.01 and NNM v7.51 patches must be installed before the ovtopmd file is installed.
The ovtopmd files and the readme_for_ovtopmd.txt file are available from ftp://ss080046:ss080046@hprc.external.hp.com/
Privilege escalation in bytehoard 2.1
Background
Bytehoard is a web application written in PHP that serves as a file
storage and sharing system.
It has two levels of security, a user level and an admin level. Login is
required but it can be configured to allow anyone to obtain a user level
account if desired.
| CubilFelino Security Research Lab |
| proudly presents... |
+------------------------------------------------------------------------+
=======================================================
Security Advisory: WinRAR v3.80 - ZIP Filename Spoofing
=======================================================
Security Researcher Info:
=========================