Vulnerability details
---------------------
The Oracle TNS Listener component routes connections from the client to
the database server depending on the database's instance name the client
wants to connect to. These instances are registered at the TNS Listener
by using any of the following methods:
1. Local registration. The database's internal process PMON connects via
IPC to the TNS Listener and registers the database's instance name in
far as I can tell, the problem is a logic bug. The CDispNode family
of classes contains a flags field that happens to be located
immediately after the vtable pointer, the lowest four bits of which
I'll refer to as the "extra size index."
CDispNode::SetExpandedClipRect uses the extra size index of a class
instance as an index into CDispNode::_extraSizeTable, a constant array
where each element represents a count of machine words of, I guess,
extra data that precedes the class instance. (This means that a
CDispNode-family class instance is not expected to snugly occupy its
own heap block.) CDispNode::SetExpandedClipRect then backs up the
class instance pointer (the 'this' pointer, which of course points to
As long as Outlook has been around, people have been trying to get two
instances running at the same time. Not multiple profiles that you can
load when starting Outlook, but two separate instances running
concurrently, each with their own associated profile. After all, Outlook
(even 2007) only lets you connect to a single Exchange server per
profile... And that sucks.
What would be great is to have one instance connected up to your
"business" Exchange Server, and another connected up to your "personal"
Exchange Server (and of course, to other people's Exchange servers who
don't you know have an account on their box ;).
Earlier versions may also be affected
Description:
Several issues have been reported which may affect applications which de-serialize objects from an untrusted source such as a remote client. It is possible for a malicious client to inject undesirable behaviour into the server by serializing proxies rather than specific class instances, or by taking advantage of internal AOP interfaces which were being exposed through the remote service, in addition to the service interface.
Example:
It is possible to serialize a sub-classed DefaultListableBeanFactory instance from the client to the server and use it to execute chosen commands on the server, using the "java.lang.Runtime" class. The attack can be executed by serializing a java.lang.Proxy instance in combination with an InvocationHandler or by injecting the exploit as a substitute target source through the exposed org.springframework.aop.framework.Advised interface of an exported remote service.
Proof of Concept:
Servers Involved
A.B.C.D = Target WordPress Web Server
W.X.Y.Z = Malicious User's MySQL Instance
1.) Malicious User hosts their own MySQL instance at W.X.Y.Z on port 3306
2.) Performs POST/GET Requests to Install WordPress into MySQL Instance
ColdFusion 9
1. Download CFIDE-9.zip from Adobe.
2. Make a backup of the {CFIDE-Home}\administrator\cftags\l10n.cfm and {CFIDE-Home}\administrator\cftags\l10n_testing.cfm files.
3. Extract the files in CFIDE-9.zip to the web root directory that contains the CFIDE folder. The Server Settings > Mappings page in the ColdFusion
Administrator shows the location of the CFIDE directory in the value for the CFIDE mapping.
4. Repeat steps 2 and 3 if there are other CFIDE directories identified in any other instances.
5. Restart all the ColdFusion instances.
ColdFusion 8.0.1
1. Download CFIDE-801.zip from Adobe.
2. Make a backup of the {CFIDE-Home}\administrator\cftags\l10n.cfm and {CFIDE-Home}\administrator\cftags\l10n_testing.cfm files.
"Oracle WebLogic Server Enterprise Edition offers enterprises the ability to
consolidate their applications on a pool of shared servers for both high
efficiency and superior performance. No other application server has
the proven performance on industry benchmarks across the most varied
chip types and operating systems. Sophisticated High Availability
(HA) features built on clustered instances ensure uptime. Easy-to-use
yet substantial management tools keep systems going without hassle or
expense. By coalescing applications and services onto Oracle WebLogic
Server, IT is in position to react swiftly to change and help the
enterprise outperform the competition." -- [1]
prompted with the typical message box that says:
"An ActiveX control on this page might be unsafe to interact with other
parts of the page. Do you want to allow this interaction?"
The choice of the user will affect the entire instance of the application
and be applied to any other existing/future message windows (as well as
potentially any other locations where the Internet Explorer server
control is used.)
Attackers could use JavaScript to instantiate ActiveX controls in order to
. Nginx Web Server [1]. The way Nginx handles files may differ when
they are requested using their 8.3 alias, and short file or path names
are not correctly handled when applying file handling rules or access
restrictions. By abusing these flaws an attacker can bypass security
options implemented in the web server. For instance, 'file.shtml' will
become 'FILE~1.SHT'. This will cause the file to be handled as a '.sht'
file, not a '.shtml' file. The result of this is that instead of
processing SSI directives as would normally be the case with a '.shtml'
file, the file would be served unprocessed. Additionally, Nginx does not
correctly handle extraneous spaces after file extensions when applying
ClientCert-Signature-Algorithm: XXX
ClientCert-Signature: XXX
Since existing ClientCert-* headers are left intact, application
developers are expected to trust only the last instance of a given
certificate header. This approach is clearly prone to error if
application developers do not carefully test this attack scenario.
An alternative approach to securing these headers can be achieved
through an optional configuration where the CSS places an additional
Control Protocol (TCP) and similar protocols. The consequences of
these attacks range from throughput reduction to broken connections
or data corruption. These attacks rely on the attacker's ability to
guess or know the five-tuple (Protocol, Source Address, Destination
Address, Source Port, Destination Port) that identifies the transport
protocol instance to be attacked. This document describes a number
of simple and efficient methods for the selection of the client port
number, such that the possibility of an attacker guessing the exact
value is reduced. While this is not a replacement for cryptographic
methods for protecting the transport-protocol instance, the
aforementioned port selection algorithms provide improved security
Changes
=======
Some of the new features include:
* Support to enumerate and dump all databases' tables containing user
provided column(s) by specifying for instance '--dump -C user,pass'.
Useful to identify for instance tables containing custom application
credentials (Bernardo).
* Support to parse -C (column name(s)) when fetching columns of a
table with --columns: it will enumerate only columns like the provided
one(s) within the specified table (Bernardo).
u30 method_count
method_info method[method_count]
u30 metadata_count
metadata_info metadata[metadata_count]
u30 class_count
instance_info instance[class_count]
class_info class[class_count]
u30 script_count
script_info script[script_count]
u30 method_body_count
method_body_info method_body[method_body_count]
II. DESCRIPTION
Local exploitation of a library loading vulnerability in IBM Corp.'s DB2
Universal Database could allow attackers to gain root privileges.
When the DB2INSTANCE environment variable is set, the libdb2 library
will use the corresponding user's directory in place of the DB2
instance directory. This allows an unprivileged local user to control
the directory structure on which several set-uid root binaries operate.
This vulnerability exists due to the way the db2pd binary loads a
These vulnerabilities were discovered and researched by Ariel Sanchez of
Application Security Inc.
Details:
DB2 has multiple vulnerabilities which can lead to Denial of Service
(DoS) attacks against the instance. When RECOVERJAR and REMOVE_JAR
procedures are called with a specially crafted parameter the DB2
instance crashes. Any DB2 database user can exploit these
vulnerabilities since PUBLIC permissions are granted to both procedures
by default. The RECOVERJAR and REMOVE_JAR procedures are installed by
default.
> Sent: Thursday, January 10, 2008 9:59 PM
> To: focus-ms@securityfocus.com
> Subject: At long last - Extra Outlooks!
>
> As long as Outlook has been around, people have been trying to get two
> instances running at the same time. Not multiple profiles that you can
> load when starting Outlook, but two separate instances running
> concurrently, each with their own associated profile. After all,
> Outlook
> (even 2007) only lets you connect to a single Exchange server per
> profile... And that sucks.
A vulnerability exists in software version 7.1(5) for Cisco Unified
ICME, Unified ICMH, UCCE, UCCH and SUCCE editions that may enable any
Windows Active Directory domain defined user to obtain unauthorized
privilege levels. This would provide Windows Active Directory users
the ability to view Web View report information for any call center
instance. Cisco SUCCE is also impacted by unauthorized access to the
Web Admin tool, which could result in the ability to change the
application configuration, including editing application rights.
This vulnerability is documented in Cisco Bug ID: CSCsj55686
router rip
...
!
phone-proxy <instance name>
media-termination address <IP address>
...
<Rest of phone proxy feature configuration>
Or (Cisco ASA Software version 8.2 and later):
graph_view.php (graph_list parameter)
tree.php (leaf_id parameter)
graph_xport.php (local_graph_id parameter)
tree.php (id parameter)
index.php/login (login_username parameter)
D) HTTP response splitting on very old PHP instances
A) XSS Vulnerabilities
We have found many XSS vulnerabilities in the application. We list some
examples only, but many other injection points exist:
Vulnerability details
----------------------
The vulnerability is due to insecure buffer handling.
For instance in sgLog.c :
if(vsprintf(msg, format, ap) > (MAX_BUF - 1))
This piece of code may cause a buffer overflow, and the check only detects the overflow after it has already happened.
squidGuard only logs URL with patched bypass attempts (for instance, trailing
-id4-start---------
http://svn.php.net/viewvc/php/php-src/branches/PHP_5_3/ext/pdo_odbc/pdo_odbc.c?view=markup
char *instance = INI_STR("pdo_odbc.db2_instance_name");
if (instance) {
    char *env = malloc(sizeof("DB2INSTANCE=") + strlen(instance));
    strcpy(env, "DB2INSTANCE=");
    strcat(env, instance);
umask 022
tar xf [update_file]
This creates a directory containing the distribution and
other files.
4. Stop all applications that may be connected to or using any of
the files in the Ingres instance.
5. Stop all Ingres processes with the 'ingstop' utility:
ingstop
6. Important: Take an operating system backup of the
$II_SYSTEM/ingres directory and other DATA locations that you
may have elsewhere. Also, copy the
restriction. Or put in a different way: you aren't allowed to make
XMLHttpRequests to any server except the server where your web page
came from.
However, if you find a pre-auth XSS vulnerability [4] on the target
device you can bypass such restriction. For instance, many devices
such as the BT Home Hub and Speedtouch routers offer certain pages
before authenticating. Some of these pages are cgi scripts which are
vulnerable to XSS. Although offering certain "useless" functionalities
before logging into the router might not seem like a big deal, it can
actually lead to UPnP being exploited remotely, even if the web admin
- - - a high-speed, integrated firewall module for Cisco Catalyst 6500
switches and Cisco 7600 Series routers, that may result in a reload
of the FWSM. The only affected FWSM System Software Version is
3.2(3).
There are no known instances of intentional exploitation of this
issue. However, Cisco has observed data streams that appear to be
unintentionally triggering this vulnerability.
Common Vulnerabilities and Exposures (CVE) identifier CVE-2007-5584
has been assigned to this vulnerability.
This is exactly what the patch I included does; it prevents users from running PHP scripts as the user ID.
>
> The only thing that could be done, would be to make the process running as
> another user id, that is the php instance running from suexec, completely
> distrust any input it gets from the webserver.
> That way, what the attacker
> can do is limited to what php lets him do.
This is exactly what PHP should provide the tools for the user to do (and what my patch achieves). The webserver should not be able to instruct the suexec wrapped PHP binary to run any arbitrary PHP script, only PHP scripts which were installed by the user in the correct location (in a similar way to how suexec will only execute binaries installed correctly, rather than just running any arbitrary process).
This bug is a simple design bug that results in an endless loop (and interesting
memory leaks).
Once upon a time Netscape thought it would be a great idea to add the keygen tag
(<keygen>) as a feature to their Browser. The keygen tag offers a simple way
of automatically generating key material using various algorithms. For instance
it is possible to generate RSA, DSA and EC key material.
"The public key and challenge string are DER encoded as PublicKeyAndChallenge and
then digitally signed with the private key to produce a SignedPublicKeyAndChallenge.
The SignedPublicKeyAndChallenge is base64 encoded, and the ASCII data is finally
http://www.microsoft.com/technet/security/bulletin/fq99-054.mspx
-----
What's the problem with the search algorithm?
When IE 5 starts, it will begin searching for a WPAD server, if it is
configured to use WPAD. It starts the search by adding the hostname "WPAD" to
current fully-qualified domain name. For instance, a client in
a.b.Microsoft.com would search for a WPAD server at wpad.a.b.microsoft.com. If
it could not locate one, it would remove the bottom-most domain and try again;
for instance, it would try wpad.b.microsoft.com next. IE 5 would stop searching
when it found a WPAD server or reached the third-level domain,
wpad.microsoft.com.
This vulnerability allows any user with execute privileges on the
affected package (by default users granted the DBA role) to impersonate
the SYS user.
This is an especially high-risk vulnerability in databases where strict
separation-of-duty is implemented as required by some regulations. This
may also be the case, for instance, where Oracle Database Vault is
deployed. Exploiting this vulnerability may allow a DBA to bypass
Database Vault protections and access protected data that should be
restricted by Database Vault. In other words, a DBA may escalate to
DV_OWNER (Database Vault Owner) privileges.
opened tabs is less than MAX_TABS (usually 8). Otherwise, it opens the URL
in the current tab.
* As a last resort, it loads the URL in the current tab.
The Browser app uses the WebView class as the underlying engine. If the WebView
class has already loaded a URL, and the same instance is used to load a
javascript:// URI, then the javascript is executed in the domain of the loaded
URL. This is the desired behavior, as it allows applications to inject scripts
into loaded pages, and control the WebView. However, this means that the
browser must take special care if it reuses the same WebView instance, in order
to avoid a Cross-Application Scripting vulnerability.