home directory
The corrupt /etc/default/useradd template file can cause accounts to be created with incorrect ownership and permissions.
The patches ensure that useradd(1M) options are processed correctly in all cases.
MANUAL ACTIONS: Yes - NonUpdate
Verify group id and home directory for all accounts
PRODUCT SPECIFIC INFORMATION
HP-UX Software Assistant: HP-UX Software Assistant is an enhanced application that replaces HP-UX Security Patch Check. It analyzes all Security Bulletins issued by HP and lists recommended actions that may apply to a specific HP-UX system. It can also download patches and create a depot automatically. For more information see: https://www.hp.com/go/swa
* The /etc/default/useradd template file is missing
* The HOMEDIR or GROUPID field is missing from the /etc/default/useradd template file
That seems to have happened to Apple's older ("legacy")
FileVault in the current release of Mac OS X Lion (10.7.3).... something
intended to protect sensitive information stored on laptops by providing
for encrypted user home directories contained in an encrypted file
system mounted on top of the user's home directory.
Someone, for some unknown reason, turned on a debug switch
(DEBUGLOG) in the current released version of MacOS Lion 10.7.3 that
causes the authorizationhost process's HomeDirMounter DIHLFVMount to log
in *PLAIN TEXT* in a system wide logfile readable by anyone with root or
HP-UX B.11.11
=============
OS-Core.ADMN-ENG-A-MAN
OS-Core.SYS-ADMIN
action: install patch PHCO_37290 or subsequent, verify group id and home directory for all accounts
URL: http://itrc.hp.com
HP-UX B.11.23
=============
OS-Core.ADMN-ENG-A-MAN
7. Internal Daemons not Bound to Loopback Interface
This issue is not exploitable by default due to firewall configuration of the appliance. All internal services communicate through UDP services bound to the 0.0.0.0 address. This exposes the internal workings of the appliance to an attacker with network access to the system. For example, a local user account without administrative rights would still be able to escalate privileges by communicating with these internal services.
8. Rsync Daemon Allows Access to Privileged User Home Directory
This issue is not exploitable by default due to firewall configuration of the appliance. The rsync daemon allows read/write access to the "soggycat" home directory. Since this user account is root-equivalent, any attacker that can talk to the rsync daemon can take full control of the appliance.
privilege checks by calling CREATE TABLE on a MyISAM table with
modified (1) DATA DIRECTORY or (2) INDEX DIRECTORY arguments
that are originally associated with pathnames without symlinks,
and that can point to tables created at a future time at which a
pathname is modified to contain a symlink to a subdirectory of the
MySQL data home directory, related to incorrect calculation of the
mysql_unpacked_real_data_home value. NOTE: this vulnerability exists
because of an incomplete fix for CVE-2008-4098 and CVE-2008-2079
(CVE-2009-4030).
Packages for 2008.0 are provided for Corporate Desktop 2008.0
It was discovered that in lftp, a command-line HTTP/FTP client, there is
no proper validation of the filename provided by the server through the
Content-Disposition header; attackers can use this flaw by suggesting a
filename they wish to overwrite on the client machine, and then possibly
execute arbitrary code (for instance if the attacker elects to write a
dotfile in a home directory).
For the stable distribution (lenny), this problem has been fixed in
version 3.7.3-1+lenny1.
For the testing distribution (squeeze), this problem has been fixed in
sudo 1.6.x before 1.6.9p21 and 1.7.x before 1.7.2p4, when a
pseudo-command is enabled, permits a match between the name of the
pseudo-command and the name of an executable file in an arbitrary
directory, which allows local users to gain privileges via a crafted
executable file, as demonstrated by a file named sudoedit in a user's
home directory (CVE-2010-0426).
Packages for 2008.0 are provided for Corporate Desktop 2008.0 customers.
The updated packages have been patched to correct this issue.
elseif(is_readable('shared/global.php'))
    include_once 'shared/global.php';
elseif(is_readable('yacs/shared/global.php'))
    include_once 'yacs/shared/global.php';
else
    exit('The file shared/global.php has not been found. Please reinstall or mention home directory in file yacs.home or configure the YACS_HOME environment variable.');
// load libraries used in this script
include_once $context['path_to_root'].'feeds/feeds.php'; // some links to newsfeeds
include_once $context['path_to_root'].'links/links.php'; // <= 2 (i dont give fuck)
> can be changed inside WHM via Service Configuration -> Apache
> Configuration -> Global Configuration. Simply uncheck
> "FollowSymLinks" in the "Directory / Options" section, save your
> settings and rebuild the configuration and restart Apache. Disabling
> "Options" overrides can be done via the Apache include editor by
> specifying an AllowOverride setting for the /home directory.
>
> We do not recommend using your attached patch. The change will break
> the intended functionality of FollowSymLinks and will ultimately
> confuse users and administrators who are accustomed to the
> documented behavior. Additionally, the patch will require a
Problem Description:
A vulnerability has been found and corrected in mysql:
MySQL is vulnerable to a symbolic link attack when the data home
directory contains a symlink to a different filesystem which allows
remote authenticated users to bypass intended access restrictions
(CVE-2008-7247).
The updated packages have been patched to correct these issues.
_______________________________________________________________________
Sergei Golubchik discovered that MySQL allows local users to bypass certain
privilege checks by calling CREATE TABLE on a MyISAM table with modified
DATA DIRECTORY or INDEX DIRECTORY arguments that are originally associated
with pathnames without symlinks, and that can point to tables created at
a future time at which a pathname is modified to contain a symlink to a
subdirectory of the MySQL data home directory.
CVE-2009-4484
Multiple stack-based buffer overflows in the CertDecoder::GetName function
Affected: Versions 8.10.1125 and likely previous
Issue: the comb command is susceptible to a directory traversal attack which will allow downloading of arbitrary files on the server and deletion of arbitrary files on the server
Details: quote comb a ..//..//..//..//b
puts the contents of 'b' in a file called 'a' in the user's home directory and then deletes file b
Status: Submitted to Vendor 6/14/10 fixed 6/15/10
A vulnerability has been discovered and corrected in maildrop:
main.C in maildrop 2.3.0 and earlier, when run by root with the -d
option, uses the gid of root for execution of the .mailfilter file in
a user's home directory, which allows local users to gain privileges
via a crafted file (CVE-2010-0301).
The updated packages have been patched to correct this issue.
_______________________________________________________________________
Impact
======
Remote unauthenticated attackers may be able to execute arbitrary code
with the privileges of the TinTin++ process, cause a Denial of Service,
or truncate arbitrary files in the top level of the home directory
belonging to the user running the TinTin++ process.
Workaround
==========
Ingres to be restored from the backup.
Unix:
1. Log in to the system as the installation owner and make sure
the environment is set up correctly:
1. II_SYSTEM must be set to the Ingres home directory
2. PATH must include $II_SYSTEM/ingres/bin and
$II_SYSTEM/ingres/utility directories
3. Add $II_SYSTEM/ingres/lib to the shared library path
4. Set TERM to 'vt100' and TERM_INGRES to 'vt100fx'
2. Copy the downloaded update file to the /tmp directory and
The get1 command, as used by lftpget, in LFTP before 4.0.6 does not
properly validate a server-provided filename before determining the
destination filename of a download, which allows remote servers to
create or overwrite arbitrary files via a Content-Disposition header
that suggests a crafted filename, and possibly execute arbitrary
code as a consequence of writing to a dotfile in a home directory
(CVE-2010-2251).
Packages for 2008.0 and 2009.0 are provided as of the Extended
Maintenance Program. Please visit this link to learn more:
http://store.mandriva.com/product_info.php?cPath=149&products_id=490
cPanel developers were notified of this vulnerability and given time to hotfix the issue.
Their response was:
After thoroughly investigating your report, we have come to the conclusion that this does not represent any deviation from the intended and documented behavior of Apache. As noted in your report, Apache's behavior with regard to symlinks is easily configurable via the FollowSymlinks and SymLinksIfOwnerMatch options. These settings can be changed inside WHM via Service Configuration -> Apache Configuration -> Global Configuration. Simply uncheck "FollowSymLinks" in the "Directory / Options" section, save your settings and rebuild the configuration and restart Apache. Disabling "Options" overrides can be done via the Apache include editor by specifying an AllowOverride setting for the /home directory.
While this is true, it should be noted that the default configuration in cPanel is readily exploitable after installation and that toggling these settings will ultimately cause issues with several large popular blog and CMS type applications. We feel this does not properly address the vulnerability in terms of a shared hosting environment.
The patch is provided by David Collins (CTO, Hostgator.com) and Ray Carro (Developer, Hostgator.com).
===========
Description
===========
The idmap_ad.so library provides an nss_info extension to Winbind
for retrieving a user's home directory path, login shell and
primary group id from an Active Directory domain controller. This
functionality is enabled by defining the "winbind nss info"
smb.conf option to either "sfu" or "rfc2307".
Both the Windows "Identity Management for Unix" and "Services for
PoC attack on a wget cron job resulting in a .bash_profile overwrite:
http://www.openwall.com/lists/oss-security/2010/05/18/13
Brief description of an attack on a wget cron job not involving a
dot-file nor a home directory (but involving a website tree instead):
http://lists.gnu.org/archive/html/bug-wget/2010-05/msg00032.html
Advice on back-porting lftp's fix to versions 3.4.7 through 4.0.5:
http://www.openwall.com/lists/oss-security/2010/05/20/2
http://www.openwall.com/lists/oss-security/2010/06/10/1
Fatal error: require() [function.require]: Failed opening required
'./_lang/no_exists.php'
(include_path='.:/usr/share/php:/usr/share/pear') in
/var/www/quix/.include/init.php on line 88
Revealing the path to the home directory of the filemanager
V. BUSINESS IMPACT
-------------------------
An attacker could view any file or execute arbitrary code remotely
in the context of the webserver.
It is possible to workaround the remote code execution vulnerability
(IronPort Bug 65923) by disabling HTTP Invoker in the Cisco IronPort
Encryption Appliance configuration files. To disable the HTTP
Invoker, an administrator must delete several files in the PostX
application home directory and remove a directive from the web server
configuration. The following files must be deleted:
jboss/server/postx/deploy/http-invoker.sar
jboss/server/postx/deploy/jms/jbossmq-httpil.sar
echo "shutdown -r -y 120" > /tmp/plshutdown
chmod 500 /tmp/plshutdown
at now < /tmp/plshutdown
A race condition exists where a local user could symlink /tmp/plshutdown to a file in their home directory and inject malicious code. This could be done possibly by continuously writing to the file while waiting for the at command to run.
$ ln -s /tmp/plshutdown /var/tmp/runme
#!/bin/perl
while(1){
The g_file_copy function in glib 2.0 sets the permissions of a
target file to the permissions of a symbolic link (777), which
allows user-assisted local users to modify files of other users,
as demonstrated by using Nautilus to modify the permissions of the
user home directory (CVE-2009-3289).
This update provides a solution to this vulnerability.
_______________________________________________________________________
References:
Knowing the path of the home directory of an unknown host has little, if any, value. Even if you know the host, you would have to get the user to run code interactively to leverage this "privacy issue" in addition to ensuring that the interactive user was indeed the same user that created the PDF doc. And that code would have to be written specifically for that particularly host/user, which is inefficient (barring network based home directory settings). Any time I've needed local user path for proof-of-concept code, I simply parse the HOMEPATH environmental variable to ensure the code runs properly and that it can be easily applied to any host.
-----Original Message-----
From: Inferno [mailto:inferno@securethoughts.com]
Sent: Monday, November 23, 2009 7:46 AM
To: bugtraq@securityfocus.com
Subject: Millions of PDF invisibly embedded with your internal disk paths
If either of these directives are set, extra security checks are enabled. If both are set, the security checks for one or the other of the directives must pass.
cgi.suexec_base_dir restricts script execution to paths starting with the directive (include a trailing slash if you don't want it to be used as a prefix).
cgi.suexec_user_dir gives a path relative to the user's home directory where PHP will execute code from.
In addition, any PHP scripts to be executed must be owned by the same user, have the execute bit set, and not be group or world writable.
Details follow:
Chris Jones discovered that the eCryptfs support utilities would
report the mount passphrase into installation logs when an eCryptfs
home directory was selected during Ubuntu installation. The logs are
only readable by the root user, but this still left the mount passphrase
unencrypted on disk, potentially leading to a loss of privacy.
Updated packages for Ubuntu 9.04:
the original URL to determine the destination filename of a download,
which allows remote servers to create or overwrite arbitrary files
via a 3xx redirect to a URL with a .wgetrc filename followed by a
3xx redirect to a URL with a crafted filename, and possibly execute
arbitrary code as a consequence of writing to a dotfile in a home
directory (CVE-2010-2252).
Packages for 2008.0 and 2009.0 are provided as of the Extended
Maintenance Program. Please visit this link to learn more:
http://store.mandriva.com/product_info.php?cPath=149&products_id=490