mapping
-:: The Advisory ::-
The following files would together be vulnerable to Cross Site Scripting.
1. livezilla/templates/map.tpl (lines 18-20)
var default_lat = <!--dlat-->;
var default_lng = <!--dlng-->;
var default_zom = <!--dzom-->;
2. livezilla/map.php (lines 15-28)
POSITRON SECURITY LLC
<http://www.positronsecurity.com/>
Security Advisory #2009-000
Multiple Vulnerabilities in MapServer v5.2.1 and v4.10.3
Author: Joe Testa <jt _at_sign_ positronsecurity_dot_com>
Date: March 30th, 2009
== Abstract ==
StarCraft is a real-time strategy game by Blizzard Entertainment.
StarCraft fails to handle exceptional conditions when generating a
minimap preview of a malformed map. Additionally, since StarCraft
includes a map distribution mechanism (allowing players that do not
own a map to download it when entering a game), it is possible to send
a malformed map to a player that enters the game and so remotely DoS
his application.
in the configuration:
ssl-server <context> http-header client-cert
Similarly, on the Cisco ACE, these issues may manifest themselves when
using a policy map with a class-default class, as shown below:
policy-map type loadbalance first-match SLB-VIP-REDIRECT
class class-default
serverfarm TEST-FARM
action DO-SOMETHING-WITH-HEADERS
Severity: High
Description:
Adobe ColdFusion is an easy-to-use and very widely adopted programming language. Procheckup has discovered that the ColdFusion admin console (and various programs within it) is vulnerable to multiple directory traversal attacks related to an input parameter. No authentication is needed; all that is required is that the admin console is accessible from the Internet.
Notes: Tested on ColdFusion Enterprise version 7.0 and version 8.01 running on Windows XP and Windows 2003 R2 SP2 server, mapped to IIS 6.
Defaults were chosen with "server contained installation" "like the earlier versions", and all subcomponents.
ColdFusion 9 provides an additional layer of filtering to prevent common attacks, which prevents the attack below from working. Procheckup nevertheless recommends that ColdFusion 9 users apply the ColdFusion 9 patches, as Procheckup has found the filtering can be bypassed.
Versions tested and found vulnerable
ColdFusion MX7 7,0,0,91690 base patches
Not you too... people talking about "enough for them to search your computer" and "silent mapping of intranet." Enough already. The home path is a local path or mapped drive letter. Not an IP or UNC. Even if it was, "\\192.168.1.55\users\jsmith" is worthless. You don't even know the source of the document. Don't we have enough to deal with than waste time with this? You actually think the security team needs to be aware of this and make policies to scan and replace metadata in PDFs? Why not have them start off by cleaning up Word docs just to show us they are capable of it in the first place.
My homepath is c:\users\tmullen. My IP address is 192.168.1.3. Go ahead, map away.
Bonsai kittens, search warrants, silent intranet mapping and autonomous amelioration tools. People have lost their minds. Check the headers on people's email if you want a map of the intranet. Meh.
t
-----Original Message-----
From: Nick FitzGerald [mailto:nick@virus-l.demon.co.uk]
SUPPORT COMMUNICATION - SECURITY BULLETIN
Document ID: c01760771
Version: 1
HPSBMA02433 SSRT090084 rev.1 - HP Discovery & Dependency Mapping Inventory (DDMI) Running on Windows, Remote Unauthorized Access
NOTICE: The information in this Security Bulletin should be acted upon as soon as possible.
Release Date: 2009-06-04
Last Updated: 2009-06-04
directly from the Windows 7 desktop but in doing so they may be
inadvertently increasing their risk due to a bug that makes standard
Windows anti-exploitation mechanisms ineffective.
A vulnerability found in the memory management of the Virtual Machine
Monitor makes memory pages mapped above the 2GB available with read or
read/write access to user-space programs running in a Guest operating
system. By leveraging this vulnerability it is possible to bypass
security mechanisms of the operating system such as Data Execution
Prevention (DEP) [1], Safe Structured Error Handling (SafeSEH) [2] and
Address Space Layout Randomization (ASLR) [3] designed to prevent
Details
=======
The Domain Name System is an integral part of networks that are based
on TCP/IP such as the Internet. Simply stated, the Domain Name System
is a hierarchical database that contains mappings of hostnames and IP
addresses. The DNS protocol is part of the TCP/IP protocol suite and
allows DNS clients to query the DNS database to resolve hostnames to IP
addresses.
A DNS server is an application that implements the DNS protocol and that
The 'PathName' parameter is converted from a multi-byte string to a wide
character string after verifying that it doesn't contain the dot-dot
substring (the two-byte sequence '0x2e 0x2e', which translates to the ASCII
substring '..') that may allow a malicious user to break out of the
shared folder using a path traversal attack. The resulting wide character
string converted from 'PathName' is then passed to the file system API on
the Host system.
The conversion is performed using the 'MultiByteToWideChar' function from
the Windows API [5] which maps a character string provided as input to a
wide (Unicode UTF-16) character string.
| 2.6.x | Not Vulnerable | 2.6.2 |
|-----------+------------------+------------------------------------|
| 3.1.xS | Not Vulnerable | Not Vulnerable |
+-------------------------------------------------------------------+
To map Cisco IOS XE Software releases to Cisco IOS Software releases,
refer to the Cisco IOS XE 2 and Cisco IOS XE 3S Release Notes.
Cisco IOS XR Software Table
This vulnerability can be mitigated by disabling RTSP inspection if
it is not required. RTSP inspection is disabled by default.
Administrators can disable RTSP inspection by issuing the "no inspect
rtsp" command under the respective policy map.
Note: This workaround is only feasible if RTSP inspection is not
needed or required in a load-balancing deployment.
HTTP, RTSP, and SIP Inspection DoS Vulnerability
SUPPORT COMMUNICATION - SECURITY BULLETIN
Document ID: c01760771
Version: 2
HPSBMA02433 SSRT090084 rev.2 - HP Discovery & Dependency Mapping Inventory (DDMI) Running on Windows, Remote Unauthorized Access, Execution of Arbitrary Code
NOTICE: The information in this Security Bulletin should be acted upon as soon as possible.
Release Date: 2009-06-04
Last Updated: 2010-01-14
On Thu, 2008-09-04 at 15:34 +0200, Ansgar -59cobalt- Wiechers wrote:
> It was pointed out to me in private that, of course, you can have
> multiple PTR records mapping one address to different names. My bad.
>
> However, since oftentimes (colocation scenarios for instance) forward
> and reverse zone have different maintainers, it's some hassle to keep
> the reverse zone in sync with the forward zone. Thus I have my doubts
> that proper reverse mappings for every name will become common practice
> anytime soon.
Advisory URL: http://www.ikkisoft.com
====================================================
1) Affected Software
* Nokia Mini Map Browser (S60WebKit <= 21772)
The tested device has the following User-Agent:
Mozilla/5.0 (SymbianOS/9.2;U;Series60/3.1 NokiaE90-1/210.34.75
Profile/MIDP-2.0 Configuration/CLDC-1.1) AppleWebKit/413 (KHTML)
Safari/413
Affected: 2007.0, 2007.1, 2008.0
_______________________________________________________________________
Problem Description:
The default behaviour of autofs 5 for the hosts map did not specify the
nosuid and nodev mount options. This could allow a local user with
control of a remote NFS server to create a setuid root executable on
the exported filesystem of the remote NFS server. If this filesystem
was mounted with the default hosts map, it would allow the user to
obtain root privileges (CVE-2007-5964). Likewise, the same scenario
Affected: 2007.1, 2008.0
_______________________________________________________________________
Problem Description:
The default behaviour of autofs 5 for the hosts map did not specify the
nosuid and nodev mount options. This could allow a local user with
control of a remote NFS server to create a setuid root executable on
the exported filesystem of the remote NFS server. If this filesystem
was mounted with the default hosts map, it would allow the user to
obtain root privileges (CVE-2007-5964). Likewise, the same scenario
Application: Call of Duty 4: Modern Warfare
http://www.callofduty.com
Versions: <= 1.6
Platforms: Windows (tested) and Linux
Bugs: A] "Attempted to overrun string in call to va()" DoS
B] "callvote map" Denial of Service
Exploitation: remote, versus server (in-game)
Date: 22 Jun 2008
Author: Luigi Auriemma
e-mail: aluigi@autistici.org
web: aluigi.org
--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--
It's known that in some circumstances (for example when the PHP handler
is configured using AddType/Action/AddHandler globally, i.e. not inside
an Apache Files/FilesMatch directive) blacklisting is not enough, as
files in the form of "filename.php.foo" will be mapped back to PHP
anyway (since foo is not explicitly defined in the MIME map and Apache
will try to guess the filetype on its own).
Besides this known issue, we want to point out a less known exploitation
methodology that works on Windows hosts.
Debian Security Advisory DSA-1914-1 security@debian.org
http://www.debian.org/security/ Nico Golde
October 22nd, 2009 http://www.debian.org/security/faq
- --------------------------------------------------------------------------
Package : mapserver
Vulnerability : several
Problem type : remote
Debian-specific: no
Debian bug : #535340 #523027
CVE ID : CVE-2009-0843 CVE-2009-0842 CVE-2009-0841 CVE-2009-0840
http://baboviolent.net
Versions: <= 2.08.00
Platforms: Windows and Linux
Bugs: A] crash through malformed value
B] format string
C] crash through nonexistent map
D] crash through malformed UDP packet
Exploitation: A, B and C versus server (both dedicated and game)
D versus both clients and server
Date: 14 Aug 2007
Author: Luigi Auriemma
!
!-- Permit (Police or Drop)/Deny (Allow) all other Layer3 and Layer4
!-- traffic in accordance with existing security policies and
!-- configurations for traffic that is authorized to be sent
!-- to infrastructure devices.
!-- Create a class map for traffic that will be policed by
!-- the CoPP feature.
!
class-map match-all drop-tcp-class
match access-group 100
Symantec Vulnerability Research
http://www.symantec.com/research
Security Advisory
Advisory ID: SYMSA-2007-013
Advisory Title: Lotus Notes Memory Mapped Files Vulnerability
Author: Ollie Whitehouse / ollie_whitehouse@symantec.com
Release Date: 23-10-2007
Application: Lotus Notes / Domino
Platform: Microsoft Windows
Severity: Session hijacking in shared user environments
SUPPORT COMMUNICATION - SECURITY BULLETIN
Document ID: c01861595
Version: 1
HPSBMA02456 SSRT090188 rev.1 - HP Discovery & Dependency Mapping Inventory (DDMI) Running on Windows, Remote Execution of Arbitrary Code
NOTICE: The information in this Security Bulletin should be acted upon as soon as possible.
Release Date: 2009-11-16
Last Updated: 2009-11-16
It is possible to upload a file containing an arbitrary PHP script with an extension of '.php.jpg'
and execute it by requesting the uploaded file directly.
The execution of the PHP code despite the .php.jpg extension is possible because Apache
allows for multiple extensions. Here is a quote from Apache docs regarding this matter:
"
Files can have more than one extension, and the order of the extensions is normally irrelevant.
For example, if the file welcome.html.fr maps onto content type text/html and language French then
the file welcome.fr.html will map onto exactly the same information. If more than one extension is
Remote exploitation of a heap memory indexing vulnerability in Adobe
Systems Inc.'s Shockwave Player could allow an attacker to execute
arbitrary code with the privileges of the current user.

The vulnerability takes place during the processing of a certain malformed
file. A function calculates an offset to be used within a memory mapped
file and returns the offset value. The return value is not checked. This
can lead to a condition where an attacker is able to overwrite memory
outside the bounds of the allocated memory map.
III. ANALYSIS
Visit http://www.rapid7.com/ to download NeXpose,
SC Magazine Winner of Best Vulnerability Management product.
_______________________________________________________________________
Rapid7 Advisory R7-0031
JFreeChart Image Map Cross-Site Scripting Vulnerabilities
Published: Dec 06, 2007
Revision: 1.0
http://www.rapid7.com/advisories/R7-0031.jsp
Virus Information: W32.Fakerecy and W32.SillyFDC
Discovered: January/February 2007
Type: Worm
Threat Level: Low
Systems Affected: Windows 98, Windows 95, Windows XP, Windows Me, Windows NT, Windows 2000
Virus detail: W32.Fakerecy and W32.SillyFDC are worms that spread by copying themselves to removable and/or mapped drives.
RESOLUTION
HP is providing the following procedure to resolve this vulnerability:
1. HP recommends that the optional HP USB Floppy Drive Key be checked for the potential virus infections and cleaned. To detect and clean this virus infection the HP USB Floppy Drive Key can be plugged into a USB 2.0 port on a system with current (up-to-date) anti-virus software and scanned.
Of course, the preferred installation for a production server is a system service. On the other hand, the (interactive) desktop application is the choice for web application development.
Finally, the ISAPI example (!!!) files can be deleted, or a simple filter in the server configuration can be used in order to hide these files:
1.) either extend the mapping directive:
Mapping Condition="&or(&regexp('*.dll*',$U),&regexp('*.dll',$f))" ISAPIMapper From="/isapi/" To="Isapi\"
or 2.) extend the ISAPI handler object:
CheckPath Condition="&not(&or(&regexp('*.dll*',$U),&regexp('*.dll',$f)))" StatusCode StatusCode="404"
> cobalt@chrome:~ $ host mail.planetcobalt.net
> mail.planetcobalt.net A 217.10.9.49
> cobalt@chrome:~ $ _
>
> You can have multiple names resolving to the same IP address, but just
> one PTR record mapping that address back to a name.
It was pointed out to me in private that, of course, you can have
multiple PTR records mapping one address to different names. My bad.
However, since oftentimes (colocation scenarios for instance) forward