for arbitrary code execution in the context of the logged on user.
This vulnerability is present only on Windows Guest Operating
Systems.
In order for an attacker to exploit the vulnerability, the attacker
would need to lure the user that is logged on a Windows Guest
Operating System to click on the attacker's file on a network
share. This file could be in any file format. The attacker will
need to have the ability to host their malicious files on a
network share.
Tests performed showed that challenges and responses obtained from a
system S can be reused multiple times against that same system and other
remote systems. We observed that challenges obtained from a system S
were also returned by other remote systems. This means that attacker A
only needs, in the best case scenario, to force user U to connect to his
own specially crafted SMB server once. Of course, user U must have
access (his credentials must be valid) to the other systems attacked.
This attack needs the victim to have port 445/tcp open and the attacker
to be able to access that port. The victim also needs to be able to
journalists, politicians, leaders, and even our own loved ones. If you
don't learn to see through it then you will always be poorer and at a
greater disadvantage in work, school, and life. But it doesn't have to
be this way. ISECOM, the non-profit security research organization, is
rolling out a seminar series world-wide to help you learn the skills
you need to defend yourself and your family at home, online, at work,
and on the streets.
WHEN AND WHERE?
For only 3 weeks in October, Pete Herzog, security researcher,
I. BACKGROUND
Vtiger CRM is a free, full-featured, 100% Open Source CRM software ideal
for small and medium businesses, with low-cost product support available
to production users that need reliable support.
II. DESCRIPTION
Multiple vulnerabilities exist in Vtiger CRM software.
#-----------------
#
#Package --> allow.self.registration --> True (Default value)
#
#-------
#NEED:
#-------
#
#**valid username
#
#**real captcha code/img
advisory directly to the Google Security Team. And from your declining of this
vulnerability, I see that it's Google's official position on this issue.
I understand your and Mozilla's position, but I don't agree with you. And I
wrote enough (as I was thinking) arguments in my advisory about why it's
dangerous and why it needs to be fixed.
Third, I note that there is no need to hurry to write about location redirection
in Firefox, because the day before your comment I posted at my site an advisory
about this vulnerability in Firefox (and not only in it, but also in Opera).
And I'll write a separate advisory (when I find time) to Bugtraq about
.text:0106684C Unescape:
.text:0106684C cmp di, '%' ; di contains the current wchar in the input URL.
.text:01066850 jnz short LiteralChar ; if this is not a '%', it must be a literal character.
.text:01066852 push esi ; esi contains a pointer to the current position in URL to unescape.
.text:01066853 call ds:wcslen ; find the remaining length.
.text:01066859 cmp word ptr [esi], 'u' ; if the next wchar is 'u', this is a unicode escape and I need 4 xdigits.
.text:0106685D pop ecx ; this sequence calculates the number of wchars needed (4 or 2).
.text:0106685E setz cl ; i.e. %uXXXX (four needed), or %XX (two needed).
.text:01066861 mov dl, cl
.text:01066863 neg dl
.text:01066865 sbb edx, edx
Because it does not apply to your particular environment doesn't invalidate
the issue. There are many, many situations where someone would want to
access a vmware guest via the console and not allow any network access at
all. One that comes to mind is an offline root CA that you can fire up
only when you need it--a virtual offline machine. Another situation for
myself is I keep all my hacking/pen-testing tools on a vm that I can use
when I need them, and quickly move to any vm host I need to run them on. I
don't necessarily want to make that virtual machine accessible from the
network. Anyway, it is absurd to say you will never log in to the console,
sometimes you just have to.
A number of sensitive Java Servlets delivered via a Java Servlet
framework within the Cisco TelePresence Recording Server could allow
a remote, unauthenticated attacker to perform actions that should be
restricted to administrative users. To successfully exploit this
vulnerability, the attacker would need the ability to submit a
crafted request to an affected device on TCP port 80, TCP port 443,
or TCP port 8080.
An attacker must perform a three-way TCP handshake and establish a
valid session to exploit these vulnerabilities.
Application Control Engine contain a DoS vulnerability that can be
exploited by an unauthenticated attacker while sending crafted RTSP
packets. Only devices with RTSP inspection enabled are affected. RTSP
inspection is disabled by default.
Note: A TCP three-way handshake is needed in order to exploit this
vulnerability. Only transit traffic can trigger this vulnerability;
traffic that is destined to the affected device will not trigger the
vulnerability.
This vulnerability is documented in these Cisco Bug IDs and has been
Details
*******
1.1 SQL injections in repository
The attacker needs to be authorized in the system for success.
Vulnerable script - repository_document.php
Vulnerable parameter - id_document
Example
To overcome this limit (100 authentication attempts), it is sufficient
that the attacker has other Gmail accounts. Each account allows the
malicious user to make 100 new authentication attempts within 2 hours of
the blockade. If the attacker wants to make one authentication attempt per
second and avoid the blockage, they will need to make 3600 requests
per hour. This requires that the malicious user dispose of 3600/100 = 36
Gmail accounts. As there is a blockage of 2 hours, with 72 Gmail
accounts the attacker can reuse the initial account (eg
"account01@gmail.com") after finishing the 100 authentication attempts
with the last Gmail account (eg "account72@gmail.com").
I want to warn you about Cross-Site Scripting, Full path disclosure,
Information Leakage, Directory Traversal, Arbitrary File Deletion and Denial
of Service vulnerabilities in WordPress.
For all these attacks it's necessary to have access to an admin account, or to
have an account with rights for working with plugins, or to attack the admin or
another user with the required rights via XSS to find out the token which is
designed to protect against CSRF attacks.
So users of WordPress don't need to worry much about these holes (if to not
------------------------------
Access to DB backups of a site on WordPress is possible in the plugin WordPress
Database Backup (WP-DB-Backup) via guessing of the full path to them. The
backups can be created by the admin or automatically. For the attack it's
necessary that backups are being saved at the site (at least for some time).
WP-DB-Backup is a popular plugin (which shipped with WordPress 2.0.x),
which was downloaded 546218 times from the site wordpress.org alone (as
of 30.07.2010).
Affected products: WordPress 2.0.11 and previous versions, with which plugin
+----------------------------------
A number of sensitive Java Servlets delivered via a Java Servlet
framework in the Cisco Telepresence Multipoint Switch could allow a
remote, unauthenticated attacker to perform actions that should be
restricted to administrative users only. The attacker would need the
ability to submit a crafted request to an affected device on TCP port
80, 443, or 8080.
An attacker must perform a three-way TCP handshake and establish a
valid session to exploit these vulnerabilities.
A crafted SSL or HTTP packet may cause a DoS condition on a Cisco
ASA device that is configured to terminate SSL VPN connections. This
vulnerability can also be triggered to any interface where ASDM access
is enabled. A successful attack may result in a reload of the device. A
TCP three-way handshake is not needed to exploit this vulnerability.
This vulnerability is documented in Cisco Bug ID CSCsv52239 and has
been assigned Common Vulnerabilities and Exposures (CVE) identifier
CVE-2009-1156.
HP is documenting the following actions and the following patches to resolve the vulnerability.
The updates are available from: http://itrc.hp.com
HP-UX Release - HP-UX B.11.11 (11i v1)
Action - Install PHCO_36562 or subsequent; change NFS configuration as needed
HP-UX Release - HP-UX B.11.23 (11i v2)
Action - Install PHCO_36563 or subsequent; change NFS configuration as needed
tected by the certificate.
>
> This fits the way we use attaching metadata during the process of categorization to enable retrieval of a document by means and taxonomies of the recipient, not of the author. If instead, as you seem to propose, metadata would be treated as part of the document, attaching the metadata needed for retrieval purposes would invalidate the signature of the document.
>
> Therefore this time I would go with Microsoft for their solution fits our needs and doesn't compromise the integrity protection of the document itself in any serious way. Just think of it as a sticker placed on the outside
S21sec has discovered a vulnerability in Cezanne 6.5.1/Cezanne 7 that
allows injecting JavaScript code in text variables.
This issue allows JavaScript code execution in the user's browser.
URL[ NEEDS LOGIN ]:
https://www.somesite.es/cezanneweb/CFLookUP.asp?LookUPId=>"><script>alert("S21sec")</script>&CbFun=Focus_CallBack&FUNID=7302062&CloseOnGet=yes
VULNERABLE PARAMETERS:LookUPId,CbFun
STRING:>"><script>alert("S21sec")</script>
URL[ NEEDS LOGIN ]:
# $page->slug = $_GET['slug'];
# $page->getBy(array('slug'));
#
# if(!$page->id)
# {
# throw new cccException('The page you are looking for is currently unavailable. You may need to STOP! Hammertime. If School Is Out, You should try reloading this page.','Page not found');
# }
#
# $tpl->define('title',$page->title);
# $tpl->define('content',$page->content); // we allow HTML here, no safeoutput
#
I - INTRODUCTION
Before continuing, you need to know some stuff about how
user input is handled. All superglobal arrays which
can be partially modified by the user, are passed to the
function "parse_clean_globals()". Let's see the content
of the file "sources/ipsclass.php":
> Anyway, is it possible to abuse the "Check for mail using POP3"
> capability to do attacks on the passwords of the users in an automated
> way, evading all referred security restrictions and controls and doing
> a transparent and not noticeable attack on the user whose account
> is being password cracked, as:
> - There's no need for required action from the victim.
> - There's no modification of the password of the victim.
> - There's no locking of the victim account.
> - There's no security notification to the victim.
>
> The vulnerability is aggravated because Gmail allows weak passwords to be
php.ini independent
site: http://retrogod.altervista.org/
software site: http://www.bitweaver.org/
You need a user account and you need to change your "display name" to:
{php}passthru($_SERVER[HTTP_CMD]);{/php}
Register and click on Preferences, look at the "User Information" tab, inside the
"Real name" text field write the code above, then click on Change.
the result is that you can extract the sha1 hash of the admin user and the corresponding salt.
If you cannot decrypt the hash... you can always hijack an active session (meaning the admin user
must be logged in) by building the admin cookie; there is no check e.g. on the IP address.
To do that you need the table prefix. A default one does not exist, but there is a
'suggested one' when installing the cms, which is 'runcms', and an empty one is not allowed.
However, with MySQL 5.0 you can get the table prefix by interrogating information_schema.TABLES.
This whole thing works regardless of php.ini settings but you need:
>
> Looking at this operationally:
>
> 1. Functionality
>
> Do you have clients who need to interconnect with China's
> networks, or expect people to connect to you from China?
>
> If so, the cost of security by blocking may be unjustifiable.
Absolutely - If possible, please read the article at: