Nginx, Varnish, Cherokee, thttpd, mini-httpd, WEBrick, Orion, AOLserver,
Yaws and Boa log escape sequence injection
Name: Nginx, Varnish, Cherokee, thttpd, mini-httpd, WEBrick, Orion,
AOLserver, Yaws and Boa log escape sequence injection
Systems Affected: nginx 0.7.64
Varnish 2.0.6
Cherokee 0.99.30
mini_httpd 1.19
www.ExploitDevelopment.com 2010-M$-002
--------------------------------------------------------------------------
TITLE:
Flaw in Microsoft Domain Account Caching Allows Local Workstation
Admins to Temporarily Escalate Privileges and Login as Cached Domain
Admin Accounts
SUMMARY AND IMPACT:
All versions of Microsoft Windows operating systems allow real-time
modifications to the Active Directory cached accounts listing stored
Title: Simple PHP Blog (sphpblog) <= 0.5.1 Multiple Vulnerabilities
Vendor: http://sourceforge.net/projects/sphpblog/
Advisory: http://acid-root.new.fr/?0:15
Author: DarkFig < gmdarkfig (at) gmail (dot) com >
Released on: 2007/10/21
Changelog: ----------
L M H T
Summary: IP Spoofing [X] [_] [_] [X]
complete compromise of the entire system.
------------------------------------------------------------------------
IP spoofing
------------------------------------------------------------------------
When a user logs into FWS, the user's IP address is stored in the
database. This is done to prevent replay of (stolen) session cookies. If
FWS is called with a session cookie from a different IP address, the
user will not be logged into FWS. The IP address is obtained using
GetUserIP(). This function first checks whether the HTTP request
contains the X-Forwarded-For or Client-IP HTTP headers. These headers
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Core Security Technologies - CoreLabs Advisory
http://www.coresecurity.com/corelabs
Timbuktu Pro Remote Path Traversal and Log Injection
*Advisory Information*
The Cisco Firewall Services Module (FWSM) for the Cisco Catalyst 6500
Series switches and Cisco 7600 Series routers is affected by the
following vulnerabilities:
* Syslog Message Memory Corruption Denial of Service Vulnerability
* Authentication Proxy Denial of Service Vulnerability
* TACACS+ Authentication Bypass Vulnerability
* Sun Remote Procedure Call (SunRPC) Inspection Denial of Service
Vulnerabilities
* Internet Locator Server (ILS) Inspection Denial of Service
2) Stored XSS
An attacker may inject 36 bytes of JavaScript code into the log via the SSH
login parameter. The login parameter is written to the log as is; the BBI and
telnet login parameters are not logged, only SSH. When the log page is
generated, all input from the SSH login parameter is displayed unencoded.
Both vulnerabilities give chance to change switch configuration file or attack Administrator's
Syhunt: HFS (HTTP File Server) Username Spoofing and Log
Forging/Injection Vulnerability
Advisory-ID: 200801163
Discovery Date: 1.16.2008
Release Date: 1.23.2008
Affected Applications: HFS 1.5g to and including 2.3(Beta Build
#174); and possibly HFS version 1.5f
Non-Affected Applications: HFS 1.5e and earlier versions
Class: Log Forging/Injection, Username Spoofing
Background
Bytehoard is a web application written in PHP that serves as a file
storage and sharing system.
It has two levels of security, a user level and an admin level. Login is
required but it can be configured to allow anyone to obtain a user level
account if desired.
Summary
execute programs, open URLs, and perform other privileged operations on any
guest operating system open at the console, without requiring any
credentials on the guest operating system. Furthermore, the script can
execute programs even if you lock the desktop of the guest OS.
For example, if a non-admin user is logged in at the vm host, but logged in
to guest operating systems as an administrator, the script running as a
non-admin on the host can still execute admin-level scripts on the guests.
I obviously did not discover this issue -- the API developers provided it as a
feature -- I am simply pointing out the potential danger, that it was a poor
8.2 Reflected Cross Site Scripting in index.php
------------------------------------------------------------------------------------------------------------------------
Severity: Medium
Requires: Register globals to be on
The victim user must be logged out
Magic quotes must be off
8.2.1 Proof of concept exploit
http://test/cutenews/index.php?lastusername='%3E%3Cscript%3Ealert(/xss/);%3C/script%3E
Main application: BPET36H
Released: 03-20-08
Rev: 54
Risk: Low - Moderate
High if Web Access is in active use and
access to login page is unrestricted
Vendor Status: Vendor notified, patch available.
References: http://www.louhinetworks.fi/advisory/ibm_090409.txt
Affected devices (from vendor):
IBM BladeCenter E (1881, 7967, 8677)
>Sent: Monday, December 13, 2010 9:12 AM
>To: Thor (Hammer of God)
>Cc: George Carlson; bugtraq@securityfocus.com; full-
>disclosure@lists.grok.org.uk
>Subject: Re: [Full-disclosure] Flaw in Microsoft Domain Account Caching Allows
>Local Workstation Admins to Temporarily Escalate Privileges and Login as
>Cached Domain Admin Accounts (2010-M$-002)
>
>I hope I'm not just feeding the troll...
No, you are perpetuating inaccurate vulnerability claims.
F5 BIG-IP Web Management Audit Log XSS
Product: F5 BIG-IP
http://www.f5.com/products/big-ip/
The F5 BIG-IP web management interface contains a persistent cross-site scripting vulnerability in the audit log facility. Log entries are output raw, without being HTML-encoded first. This allows an attacker to create a log entry with an embedded script that gets executed any time the audit log is later reviewed by an administrator.
One of several exploit vectors is to create a node object with a script embedded in the node name. The creation will fail due to unsupported characters but an audit log entry still gets created. Other confirmed entry points are sysContact and sysLocation on the SNMP configuration page.
all. One that comes to mind is an offline root CA that you only fire up
when you need it -- a virtual offline machine. Another situation for
myself is I keep all my hacking/pen-testing tools on a vm that I can use
when I need them, and quickly move to any vm host I need to run them on. I
don't necessarily want to make that virtual machine accessible from the
network. Anyway, it is absurd to say you will never log in to the console,
sometimes you just have to.
Whether it affects you personally or not, it certainly is helpful to know
that the capability exists so you can make better informed security
decisions--and that there is an undocumented switch to disable that feature.
there, it is still an issue. Remember the MSBlaster worm? At its peak it
had only infected about 150,000 systems--a very small percentage of Windows
machines.
2. This issue is not about a user on the host compromising a virtual guest.
It is about a *non-privileged* user on the host being logged in to guest
machines as an administrator, and a worm--running in the context of that
non-privileged user on the host--being able to access the admin-level
context of the guest machines without knowing those administrator
credentials. Also remember that since I am talking about a non-privileged
user on the host, there will be limits on what this user could do to
Vulnerable Products
+------------------
To determine the Cisco IOS XR Software release that is running on a
Cisco product, administrators can log in to the device and issue the
show version command to display the system banner. The system banner
confirms that the device is running Cisco IOS XR Software by
displaying text similar to "Cisco IOS XR Software". The software
version is displayed after the text "Cisco IOS XR Software".
arbitrary code, gain privileges, or cause a denial of service
condition. These vulnerabilities exist in the products and on the
platforms listed below. These vulnerabilities do not impact any
Windows-based Ingres installation. The first vulnerability,
CVE-2008-3356, allows an unauthenticated attacker to potentially
set the user and/or group ownership of a verifydb log file to be
Ingres allowing read/write permissions to both. The second
vulnerability, CVE-2008-3357, allows an unauthenticated attacker
to exploit a pointer overwrite vulnerability to execute arbitrary
code within the context of the database server process. The third
vulnerability, CVE-2008-3389, allows an unauthenticated attacker
# ACP path
if( !$this->p_acp )
{
# If the user changed the ACP directory, we can
# find it (if the "Remove ACP Link" option was not
# applied) by logging in as an Admin and then clicking
# on "Admin CP". This could be done with a user
# account, but I didn't implement that ;)
$this->msg('Using default ACP path: admin', 1);
$this->p_acp = 'admin';
}
SUMMARY
=======
A SQL injection vulnerability exists in the Log On page of the web
interface for Cisco CallManager AKA Unified Communications Manager. An
unauthenticated attacker who is able to access the Log On page could
exploit this vulnerability to run arbitrary SQL commands as the logged
in database user, usually cm_publisher. By running SQL commands, the
attacker could gain information about the CallManager configuration,
including call records.
I hope I'm not just feeding the troll...
A local admin is an admin on one system. The domain admin is an admin
on all systems in the domain, including mission critical Windows
servers. With temporary domain admin privs, the local admin could log
into the AD and change permissions / passwords for another user or
another user, thus getting full admin rights on all systems for a long
period of time. Plus whatever havoc might be caused by having the
ability to change rights on fileshares to allow the new domain admin
to see confidential files..
Sent: Monday, December 13, 2010 2:12 PM
To: Thor (Hammer of God)
Cc: George Carlson; bugtraq@securityfocus.com;
full-disclosure@lists.grok.org.uk
Subject: Re: [Full-disclosure] Flaw in Microsoft Domain Account Caching
Allows Local Workstation Admins to Temporarily Escalate Privileges and Login
as Cached Domain Admin Accounts (2010-M$-002)
I hope I'm not just feeding the troll...
A local admin is an admin on one system. The domain admin is an admin on all
==========================================================================
syslog-ng 2.0, 3.0, 3.1, 3.2 OSE and PE <= Information leak, access
prevention and possible privilege escalation
CVE-2011-0343
==========================================================================
1. OVERVIEW
called Sun GlassFish Enterprise Server. GlassFish supports all Java EE
API specifications, such as JDBC, RMI, e-mail, JMS, web services, XML,
etc, and defines how to coordinate them.
Stored:
The log viewer fails to securely output encode logged values. As a
result, an unauthenticated attacker can trigger the application to log
a malicious string by entering the values into the username field. This
will cause the application to log the incorrect login attempt and
results in a stored XSS vulnerability. When an administrator logs into
the application and views the log, the malicious code will be executed
- http://www.tempest.com.br/advisories/tsi-adv-1201/
=====[ Detailed description ]===========================================
The web management interface on the Polycom device allows users to
download two log files ("system log" and "error log"). This feature is
available through the following menus:
Diagnostics --> System Log --> Download Logs
The access to these log files is provided by the script "a_getlog.cgi",
Catalyst 6500 Series ASA Services Module (ASASM) are affected by the
following vulnerabilities:
* Cisco ASA UDP Inspection Engine Denial of Service Vulnerability
* Cisco ASA Threat Detection Denial of Service Vulnerability
* Cisco ASA Syslog Message 305006 Denial of Service Vulnerability
* Protocol-Independent Multicast Denial of Service Vulnerability
These vulnerabilities are independent of each other; a release that is
affected by one of the vulnerabilities may not be affected by the
others.
Security ON: Local OS Authentication
SNMP OFF
Listener Parameter
File /home/joxean/oracle11g/product/11.1.0/db_2/network/admin/listener.ora
Listener Log File /home/joxean/oracle11g/diag/tnslsnr/joxeandesktop/
listener/alert/log.xml
Listening Endpoints Summary...
(DESCRIPTION=(ADDRESS=(PROTOCOL=tcp)(HOST=localhost)(PORT=1521)))
Services Summary...
Service "ORCL11" has 2 instance(s).
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Reasons:
1. unsanitized user submitted parameter "origmsg" is used in sql query
Preconditions:
1. attacker must be logged in as valid user
Test:
http://localhost/torrenttrader109/account-inbox.php?msg=1&receiver=waraxe&origmsg=foobar&delete=yes
> Introduction:
> -------------
> The vulnerability found targets the Outlook Web Access application
> for Microsoft Exchange 2003. A valid user can be redirected to a
> malicious website when clicking on a specially crafted URL which can
> be sent to the user by email. If the user is logged in,
> he is redirected instantly - if he is not logged in yet, the login page
> will be displayed and he will be redirected after successful login.
> This vulnerability can be used to redirect the user to a phishing
> website which shows the (faked) login screen and obtains the user's
> logon credentials as soon as he tries to log in on the faked site.