Multiple file-parsing vulnerabilities leading to evasion in different antivirus (AV) products. All
affected products are command-line versions of the AVs.
----------------------------
Vulnerability Descriptions
----------------------------
1. Specially crafted infected POSIX TAR files with "[aliases]" as first 9 bytes
evades detection.
Impact: Arbitrary code execution
Wherefrom: Local and remote
Original: http://www.rdancer.org/vulnerablevim.html
Improper quoting in some parts of Vim written in the Vim Script can lead to
arbitrary code execution upon opening a crafted file.
2. Overview
``Vim is an almost compatible version of the UNIX editor Vi. Many new features
3. *Vulnerability Description*
Internet Explorer (IE) is the most widely used Web browser, with an
estimated 1,100 million users according to a worldwide survey
conducted and published in 2008 [1]. This advisory describes a
vulnerability that provides access to the contents of any file stored in
the local filesystem of users' machines running vulnerable versions of IE.
Exploitation of the vulnerability relies solely on the ability of a
would-be attacker to provide malicious HTML content from a website and
to predict the full pathname of the file that will be used to cache it
Core Security Technologies - CoreLabs Advisory
http://www.coresecurity.com/corelabs/
Multiple Vulnerabilities with 8.3 Filename Pseudonyms in Web Servers
1. *Advisory Information*
PHP filesystem attack vectors
Name: PHP filesystem attack vectors
Systems Affected: PHP and PHP+Suhosin
Vendor: http://www.php.net/
Advisory: http://www.ush.it/team/ush/hack-phpfs/phpfs_mad.txt
Authors: Francesco "ascii" Ongaro (ascii AT ush DOT it)
         Giovanni "evilaliv3" Pellerano (giovanni.pellerano AT evilaliv3 DOT org)
Date: 20090207
------------------------------------------------------------------------
Fix
------------------------------------------------------------------------
Microsoft released MS12-005 [3] that changes the way that Windows
Packager identifies unsafe files.
------------------------------------------------------------------------
Introduction
------------------------------------------------------------------------
ClickOnce is a deployment technology that allows you to create
Summary:
  Vulnerability                     L    M    H    T
  IP Spoofing                      [X]  [_]  [_]  [X]
  Cross Site Scripting             [X]  [_]  [_]  [X]
  Session Fixation                 [X]  [_]  [_]  [X]
  mail() CRLF Injection            [X]  [_]  [_]  [_]
  Local File Inclusion (+CSRF)     [_]  [X]  [_]  [X]
  File Deletion (+CSRF)            [_]  [X]  [_]  [X]
  File Upload Vulnerability        [_]  [_]  [X]  [X]
  Code Execution (+CSRF)           [_]  [_]  [X]  [X]
Legend: L - Low risk  M - Medium risk
======
File Lite 3.3 & 3.5 PRO iOS - Multiple Web Vulnerabilities
Date:
=====
2013-05-04
References:
Content-Type header and the "magic" signature at the beginning contradict
each other, or when the Content-Type header is unknown. In that case, IE
will try to establish the content type itself and can be tricked into
assuming text/html by placing certain HTML tags within the first 255 bytes
of the file. Note that such files can still be valid image files despite
their HTML payload.
A frequent example of an unknown content type is "image/bmp", which is
produced by PHP's (< 5.3.0) getimagesize API function [4].
This is - the obvious XSS issue aside - used for phishing attacks [3].
I actually DID try to access the .sdb in Ubuntu but that was before I identified the file format of the db as myDB as noted. I do not know of a 'nix based tool for access to the db. If you just want to verify, you can open the .sdb with a text/hex editor and parse out a filename for yourself - it's pretty straightforward. If you want to script the download of all files on a vulnerable server (for testing, of course) then you'll probably need to go ahead and set up a VM.
From: Rohit Patnaik [mailto:quanticle@gmail.com]
Sent: Tuesday, December 15, 2009 6:29 PM
To: Thor (Hammer of God)
Cc: bugtraq@securityfocus.com; full-disclosure@lists.grok.org.uk
Subject: Re: [Full-disclosure] File Access Vulnerability in Easy File Sharing Web Server
- Severity: Moderately High
=============================================
I. VULNERABILITY
-------------------------
WordPress <= 2.8.5 Unrestricted File Upload Arbitrary PHP Code Execution
II. BACKGROUND
-------------------------
WordPress is a state-of-the-art publishing platform with a focus on aesthetics, web standards,
and usability. WordPress is both free and priceless at the same time. More simply, WordPress is
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
OpenCart version 1.5.2.1 is affected; older versions may be vulnerable as well.
###############################################################################
1. Local File Inclusion in "action.php"
###############################################################################
Reason: using unsanitized user submitted data for file operations
Attack vector: user submitted GET parameter "route"
Preconditions:
*Vulnerability Description*
Internet Explorer introduces the concept of URL Security Zones, which
basically define a set of privileges for web applications (for example,
accessing and/or modifying files on the local computer) depending on
their level of trustworthiness.
Issues have been found in the way that security policies are applied
when a URI is specified in the UNC form:
'\\MACHINE_NAME_OR_IP\PATH_TO_RESOURCE'
Abstract:
Some Windows antivirus software fails to detect, block and/or
disinfect/move/delete malware if the malware EXE file has only
execution permission and no read, write or other permissions.
The worst cases are NOD32 and Avast antivirus, which allow the
malware to run unimpeded. Avast has fixed the flaw while NOD32
is still vulnerable as of this writing.
Information on CVSS is documented in HP Customer Notice: HPSN-2008-002.
RESOLUTION
HP has made a new version of the ovalarmsrv program available to resolve the vulnerabilities. The new ovalarmsrv is available as a file to be installed manually. There are separate ovalarmsrv files for each version of NNM. The files are listed in the table below. Instructions for installing the files are contained in the readme_for_ovalarmsrv.txt file.
For NNM v7.01 and NNM v7.51 patches must be installed before the ovalarmsrv file is installed. No patches are required for NNM v7.53.
The ovalarmsrv files and the readme_for_ovalarmsrv.txt file are available from ftp://ss080044:ss080044@hprc.external.hp.com/
Description
------------
PHP version 5.3.1 was just released. This release contains a patch for a
denial of service condition we reported on 27 October 2009. The
problem is related to PHP's handling of RFC 1867 (Form-based File
Upload in HTML).
When you send a POST request to a PHP script with the content-type of
"multipart/form-data" and include a list of files in that request, PHP
will create a temporary file for each file from the request. PHP will
File Access Vulnerability in Easy File Sharing Web Server
Discovered by:
Timothy "Thor" Mullen
Testing by Steve "Raging Haggis" Moffat, Hammer of God, Bermuda Labs
Product: Easy File Sharing Web Server, current versions, default installation
Vendor: http://www.sharing-file.com/
Core Security Technologies – CoreLabs Advisory
http://www.coresecurity.com/corelabs
Lotus Notes buffer overflow in the Lotus WorkSheet file processor
*Advisory Information*
Title: Lotus Notes buffer overflow in the Lotus WorkSheet file processor
Advisory ID: CORE-2007-0821
Advisory URL: http://www.coresecurity.com/index.php5?action=item&id=2008
1) Insufficient authentication in many components:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Many components of GroundWork are only "secured" by Referer header checks.
An attacker who supplies the specific, known Referer header expected by the
GroundWork Apache configuration file is able to access parts of the
administration interface without prior authentication. Only a few components
are additionally secured by the JOSSO Single-Sign-On system.
List of found vulnerabilities
===============================================================================
1. Insecure file upload in blog personal gallery
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Security risk: critical
Preconditions:
1. attacker must be registered user
Information on CVSS is documented in HP Customer Notice: HPSN-2008-002.
The Hewlett-Packard Company thanks Liu Zhen Hua of FortiGuard Global Security Research Team for reporting this vulnerability to security-alert@hp.com.
RESOLUTION
HP has made archive files and patches available to resolve the vulnerability. The archive files are listed in the table below. In some cases a patch is required. The patch will ensure that NNM is compatible with the software files in the archive. No patch is required for NNM v7.53.
Note: The files installed for the Resolution in "rev.1" of this Security bulletin must be removed. Instructions for removing the files are in the Readme.txt file. The files recommended in "rev.1" of this Security Bulletin introduced a problem with the 'ovstop -c' command. Under certain circumstances the 'ovstop -c' command would not stop certain NNM processes. The files recommended in "rev.1" of this Security Bulletin do resolve the security vulnerability.
The patches are available from http://itrc.hp.com
* Affected program: ClamAV (http://www.clamav.net/)
* Affected versions: 0.92
* Overview:
1) ClamAV uses its own functions to create temporary files. One such routine is
vulnerable to a race condition attack.
2) ClamAV fails to properly check for base64-UUEncoded files, allowing
bypassing of the scanner through the use of such files.
6.2
Introduction:
=============
AirDisk Pro allows you to store, view and manage files on your iPhone, iPad or iPod touch. You can connect to AirDisk Pro from any Mac or
PC over the Wi-Fi network and transfer files by drag & drop straight from the Finder or Windows Explorer.
DOCUMENT READER:
Support MS Office, iWork, Text & HTML
MULTIMEDIA PLAYER:
------------------------------------------------------------------------
Outlook PR_ATTACH_METHOD file execution vulnerability
------------------------------------------------------------------------
Yorick Koster, October 2009
------------------------------------------------------------------------
Abstract
------------------------------------------------------------------------
It has been discovered that certain e-mail messages cause Outlook to
Hey man - hope all is well.
FYI - I tried your example file and by default nothing worked on Windows 7. The "loading and embedded file" says "this file is blocked"; the file spawn requires a script prompt with an "automation error" after that; the Windows control panel didn't launch at all; and the files required me to save them, etc.
The text from the uri handler did work, but I'm not sure what the ramifications of that are. Oh, the Action Panel did show up.
I agree this isn't an "exploit" but I guess it is somewhat interesting. Of course, downloading random .chm files is akin to downloading any remote content-rendering document, except that .chm won't automatically run from the internet in the first place, even with your rendering code in it that must be accepted by the user to load in the first place.
As such (again, notwithstanding the mild interest around it) I'm confused by the "This was the response I expected" comment because if I read it right, it sounds as if you are being condemning for some reason. Are you saying "this is the response I expected" because it is the correct response and you are aware of what would be required to push out supported hotfixes for low impact issues, or are you saying "this is the response I expected" because you somehow think it SHOULD be hotfixed, but is not, and that is "typical" (as in "irresponsible") or something like that?
RESOLUTION
HP has made the following procedure available to resolve the vulnerability.
Note: The resolution is contained in the archive files listed below. Before an archive file is applied a patch may be required. The patch will ensure that NNM is compatible with the software files in the archive. No patch is required for NNM v7.53.
1. Install the appropriate patch listed in the table below. The patches are available from http://itrc.hp.com
2. Download the appropriate archive file listed in the table below. The archive files are available here:
ftp://ss080024:ss080024@hprc.external.hp.com/
II. Overview
During an audit of the MapServer v5.2.1 source code, five (5)
vulnerabilities were identified ranging from low to medium/high
severity. They include stack and heap overflows, a relative path
writing weakness, a file content leakage, as well as a file existence
leakage. Furthermore, after reporting these issues to the vendor, a
second audit by the project maintainer not only determined that v4.10.3
was also affected, but that four (4) additional stack overflows existed
in the code as well.
Information on CVSS is documented in HP Customer Notice: HPSN-2008-002.
RESOLUTION
HP has made archive files and patches available to resolve the vulnerability. The archive files are listed in the table below. In some cases a patch is required. The patch will ensure that NNM is compatible with the software files in the archive. No patch is required for NNM v7.53.
The patches are available from http://itrc.hp.com
The archive files are available from: ftp://ss080033:s080033@hprc.external.hp.com/
function really(d, f, m, t) {
    // Ask the user to confirm (message m), then navigate to the delete URL.
    // The deletion is triggered by a plain GET request carrying dir and file name.
    if (confirm(m)) {
        if (t == 1) {
            // t == 1: delete a directory
            window.location.href = '?dir=' + d + '&deldir=' + f;
        } else {
            // otherwise: delete a single file
            window.location.href = '?dir=' + d + '&delfile=' + f;
        }
    }
}
<hr width="775" noshade><table width="775" border="0" cellpadding="0">
<?PHP
Summary:
The directories /data/log, /data/anr and /data/_SamsungBnR_ are world-writable.
On ICS on the Galaxy S2, I have not verified the presence of /data/_SamsungBnR_,
but based on a file listing sent by a user, /data/log and /data/anr are
writable by the log group, which includes both the adb shell and applications
with the misleadingly named READ_LOGS permission.
A number of files are written in these directories by processes running with