
PHP filesystem attack vectors

X)    References

I) Introduction

On Apr 07, 2008 I spoke with Kuza55 and Wisec about an attack I found some
time before that was a new attack vector for filesystem functions (fopen,
(include|require)[_once]?, file_(put|get)_contents, etc) for the PHP
language. It was a path normalization issue and I asked them to keep it
"secret" [4]. This was a good idea because my analysis was mostly
incomplete and erroneous, but the idea was good and the bug was real and
disposable.

Office arbitrary ClickOnce application execution vulnerability

attachments are executables (.exe, .com, .cmd & .scr), scripts
(.hta, .js, .vbs & .wsf) and other types of potentially dangerous
files (.cer, .hlp, .inf & .reg). This helps protect unsuspecting
users from running malicious code.

Normally, when a user tries to open an e-mail attachment, the user is
presented an Opening Mail Attachment dialog. If the user chooses to open
the file, the file is saved locally and handed off to Windows. Windows
will try to find a program associated to this specific type of file
(through its extension). If such a program is found, Windows will launch
the file according to its Shell Open Command in the Windows Registry.

[MORNINGSTAR-2009-01] Multiple security issues in Open Auto Classifieds version <= 1.5.9

MorningStar Security - Advisory
http://www.morningstarsecurity.com/

Multiple security issues in Open Auto Classifieds


1. Advisory Information
----------------------------------------------------------------------------------------------
Title: Multiple security issues in Open Auto Classifieds

[FIXED] Remote Denial of Service for SSH service at Dell DRAC4 (maybe Mocana SSH)

Starting Nmap 4.20 ( http://insecure.org ) at 2007-07-09 14:54 CEST
Interesting ports on xxx.xxx.xxx.xxx:
Not shown: 1693 closed ports
PORT     STATE SERVICE  VERSION
22/tcp   open  ssh      Mocanada embedded SSH (protocol 2.0)
80/tcp   open  http     Dell Embedded Remote Access card webserver 1.0
443/tcp  open  ssl/http Dell Remote Access Controller http interface 2.0
5900/tcp open  vnc?
Service Info: Devices: terminal server, remote management



Using Blended Browser Threats involving Chrome to steal files on your computer

III. BACKGROUND
-------------------------
Google Chrome is a web browser released by Google which uses the WebKit
layout engine and application framework. It is one of the four most popular
browsers in the market today. Google released the entire source code of
Chrome, including its bespoke V8 JavaScript engine as an open source project
entitled Chromium, in 2008. Google Chrome is best known for its fast speed,
simplicity and reliability.

IV. DESCRIPTION
-------------------------

Cisco Security Advisory: Open Query Interface in Cisco Unified Communications Manager and Cisco Unified Presence Server

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256


Cisco Security Advisory: Open Query Interface in Cisco Unified
Communications Manager and Cisco Unified Presence Server

Advisory ID: cisco-sa-20110824-cucm-cups

Revision 1.0

Cisco Security Advisory: Cisco Security Manager Vulnerability

Summary
=======

Cisco Security Manager contains a vulnerability when it is used with
Cisco IPS Event Viewer (IEV) that results in open TCP ports on both
the Cisco Security Manager server and IEV client. An unauthenticated,
remote attacker could leverage this vulnerability to access the MySQL
databases or IEV server.

Cisco has released free software updates that address this

CORE-2008-0124: Multiple vulnerabilities in Google's Android SDK

CVE-2007-5267, CVE-2007-5266, CVE-2007-5268, CVE-2007-5269      


*Vulnerability Description*

Android is a project promoted primarily by Google through the Open Handset
Alliance aimed at providing a complete set of software for mobile
devices: an operating system, middleware and key mobile applications
[1]. Although the project is currently in a development phase and has
not made an official release yet, several vendors of mobile chips have
unveiled prototype phones built using development releases of the

ZDI-11-172: Novell iPrint nipplib.dll uri Remote Code Execution Vulnerability

-- Vulnerability Details:
This vulnerability allows remote attackers to execute arbitrary code on
vulnerable installations of Novell iPrint Client. User interaction is
required to exploit this vulnerability in that the target must visit a
malicious page or open a malicious file.

The flaw exists within the nipplib component which is used by both the
ActiveX and Netscape compatible browser plugins. When handling the uri
parameter from the user specified printer-url the process blindly copies
user supplied data into a fixed-length buffer on the heap. A remote

ZDI-11-173: Novell iPrint nipplib.dll profile-time Remote Code Execution Vulnerability

-- Vulnerability Details:
This vulnerability allows remote attackers to execute arbitrary code on
vulnerable installations of Novell iPrint Client. User interaction is
required to exploit this vulnerability in that the target must visit a
malicious page or open a malicious file.

The flaw exists within the nipplib component which is used by both the
ActiveX and Netscape compatible browser plugins. When handling the
profile-time parameter from the user specified printer-url the process
blindly copies user supplied data into a fixed-length buffer on the

ZDI-11-174: Novell iPrint nipplib.dll profile-name Remote Code Execution Vulnerability

-- Vulnerability Details:
This vulnerability allows remote attackers to execute arbitrary code on
vulnerable installations of Novell iPrint Client. User interaction is
required to exploit this vulnerability in that the target must visit a
malicious page or open a malicious file.

The flaw exists within the nipplib component which is used by both the
ActiveX and Netscape compatible browser plugins. When handling the
profile-name parameter from the user specified printer-url the process
blindly copies user supplied data into a fixed-length buffer on the

ZDI-11-175: Novell iPrint nipplib.dll file-date-time Remote Code Execution Vulnerability

-- Vulnerability Details:
This vulnerability allows remote attackers to execute arbitrary code on
vulnerable installations of Novell iPrint Client. User interaction is
required to exploit this vulnerability in that the target must visit a
malicious page or open a malicious file.

The flaw exists within the nipplib component which is used by both the
ActiveX and Netscape compatible browser plugins. When handling the
file-date-time parameter from the user specified printer-url the process
blindly copies user supplied data into a fixed-length buffer on the

ZDI-11-176: Novell iPrint nipplib.dll driver-version Remote Code Vulnerability

-- Vulnerability Details:
This vulnerability allows remote attackers to execute arbitrary code on
vulnerable installations of Novell iPrint Client. User interaction is
required to exploit this vulnerability in that the target must visit a
malicious page or open a malicious file.

The flaw exists within the nipplib component which is used by both the
ActiveX and Netscape compatible browser plugins. When handling the
driver-version parameter from the user specified printer-url the process
blindly copies user supplied data into a fixed-length buffer on the

ZDI-11-177: Novell iPrint nipplib.dll core-package Remote Code Execution Vulnerability

-- Vulnerability Details:
This vulnerability allows remote attackers to execute arbitrary code on
vulnerable installations of Novell iPrint Client. User interaction is
required to exploit this vulnerability in that the target must visit a
malicious page or open a malicious file.

The flaw exists within the nipplib component which is used by both the
ActiveX and Netscape compatible browser plugins. When handling the
core-package parameter from the user specified printer-url the process
blindly copies user supplied data into a fixed-length buffer on the

ZDI-11-178: Novell iPrint nipplib.dll client-file-name Remote Code Execution Vulnerability

-- Vulnerability Details:
This vulnerability allows remote attackers to execute arbitrary code on
vulnerable installations of Novell iPrint Client. User interaction is
required to exploit this vulnerability in that the target must visit a
malicious page or open a malicious file.

The flaw exists within the nipplib component which is used by both the
ActiveX and Netscape compatible browser plugins. When handling the
client-file-name parameter from the user specified printer-url the
process blindly copies user supplied data into a fixed-length buffer on

ZDI-11-179: Novell iPrint nipplib.dll iprint-client-config-info Remote Code Execution Vulnerability

-- Vulnerability Details:
This vulnerability allows remote attackers to execute arbitrary code on
vulnerable installations of Novell iPrint Client. User interaction is
required to exploit this vulnerability in that the target must visit a
malicious page or open a malicious file.

The flaw exists within the nipplib component which is used by both the
ActiveX and Netscape compatible browser plugins. When handling the
iprint-client-config-info parameter from the user specified printer-url
the process blindly copies user supplied data into a fixed-length buffer

ZDI-11-180: Novell iPrint op-printer-list-all-jobs cookie Remote Code Execution Vulnerability

-- Vulnerability Details:
This vulnerability allows remote attackers to execute arbitrary code on
vulnerable installations of Novell iPrint Client. User interaction is
required to exploit this vulnerability in that the target must visit a
malicious page or open a malicious file.

The flaw exists within the nipplib component which is used by both the
ActiveX and Netscape compatible browser plugins. When handling the
op-printer-list-all-jobs parameter from the user specified printer-url
the process blindly copies user supplied data into a fixed-length buffer

ZDI-11-181: Novell iPrint op-printer-list-all-jobs url Remote Code Execution Vulnerability

-- Vulnerability Details:
This vulnerability allows remote attackers to execute arbitrary code on
vulnerable installations of Novell iPrint Client. User interaction is
required to exploit this vulnerability in that the target must visit a
malicious page or open a malicious file.

The flaw exists within the nipplib component which is used by both the
ActiveX and Netscape compatible browser plugins. When handling the
op-printer-list-all-jobs parameter from the user specified printer-url
the process blindly copies user supplied data into a fixed-length buffer

[PT-2011-04] Cross-Site Scripting in Kayako Support Suite

Positive Research Center has discovered multiple XSS vulnerabilities in Kayako Support Suite.

Application insufficiently verifies subscriberdata incoming parameter in /staff/index.php?_m=news&_a=importexport script. 
An attacker with "staff" privileges can use the vulnerability to inject and execute arbitrary HTML code and scripts in a user's browser within the trust relationship between the browser and the server.
To use the vulnerability an attacker should convince a user with "staff" privileges to open URL like:
 http://example.com/support/staff/index.php?_m=news&_a=managesubscribers&importsub=1&resultdata=YTo0OntzOjEzOiJzdWNjZXNzZW1haWxzIjtpOjA7czoxMjoiZmFpbGVkZW1haWxzIjtpOjE7czoxMToidG90YWxlbWFpbHMiO2k6MTtzOjk6ImVtYWlsbGlzdCI7czo5MDoiPHNjcmlwdD5hbGVydCgneHNzJyk8L3NjcmlwdD5APHNjcmlwdD5hbGVydCgneHNzJyk8L3NjcmlwdD4uPHNjcmlwdD5hbGVydCgneHNzJyk8L3NjcmlwdD4gIjt9
Application insufficiently verifies subject incoming parameter in /staff/index.php?_m=news&_a=insertnews script. 
An attacker with "staff" privileges can use the vulnerability to inject and execute arbitrary HTML code and scripts in a user's browser within the trust relationship between the browser and the server.
An attacker should trick a user with "staff" privileges to open URL like: 
http://example.com/support/staff/index.php?_m=news&_a=managenews to exploit the vulnerability.

Multiple vulnerabilities in Open Journal Systems (OJS)

Advisory ID: HTB23079
Product: Open Journal Systems (OJS)
Vendor: Public Knowledge Project
Vulnerable Version(s): 2.3.6 and probably prior
Tested Version: 2.3.6
Vendor Notification: 29 February 2012 
Vendor Patch: 16 March 2012 
Public Disclosure: 21 March 2012 
Vulnerability Type: Arbitrary File Manipulation, Arbitrary File Upload, XSS
CVE Reference(s): CVE-2012-1467, CVE-2012-1468, CVE-2012-1469

Re: /proc filesystem allows bypassing directory permissions on

> > IMHO; no bug or security issue, just a misunderstanding of the
> > mechanism...

Correct.  It is a completely flawed assumption.

In Unix, an open() of a file checks access permissions as
specified in the files inode.  If someone wants access control
applied to a file, then he MUST do so using the permission in
the file inode.

Making assumptions about directory search and access permissions

AST-2009-008: SIP responses expose valid usernames

   |                           Affected Versions                            |
   |------------------------------------------------------------------------|
   |          Product           | Release |                                 |
   |                            | Series  |                                 |
   |----------------------------+---------+---------------------------------|
   |    Asterisk Open Source    |  1.2.x  | All versions prior to 1.2.35    |
   |----------------------------+---------+---------------------------------|
   |    Asterisk Open Source    |  1.4.x  | All versions prior to 1.4.26.3  |
   |----------------------------+---------+---------------------------------|
   |    Asterisk Open Source    | 1.6.0.x | All versions prior to 1.6.0.17  |
   |----------------------------+---------+---------------------------------|

AST-2009-005: Remote Crash Vulnerability in SIP channel driver

   |                           Affected Versions                            |
   |------------------------------------------------------------------------|
   |          Product           |  Release   |                              |
   |                            |   Series   |                              |
   |----------------------------+------------+------------------------------|
   |    Asterisk Open Source    |   1.2.x    | All versions prior to 1.2.34 |
   |----------------------------+------------+------------------------------|
   |    Asterisk Open Source    |   1.4.x    | All versions prior to        |
   |                            |            | 1.4.26.1                     |
   |----------------------------+------------+------------------------------|
   |    Asterisk Open Source    |  1.6.0.x   | All versions prior to        |

TK53 Advisory #2: Multiple vulnerabilities in ClamAV

    /* Generate a temporary file name, then create the file with O_CREAT|O_TRUNC
       and owner-only permissions; bail out with an error on failure. */
    *name = cli_gentemp(dir);
    if(!*name)
        return CL_EMEM;

    *fd = open(*name, O_RDWR|O_CREAT|O_TRUNC|O_BINARY, S_IRWXU);
    if(*fd == -1) {
        cli_errmsg("cli_gentempfd: Can't create temporary file %s: %s\n",
                   *name, strerror(errno));
        free(*name);
        return CL_EIO;

Outlook PR_ATTACH_METHOD file execution vulnerability

Remote Code Execution (978212)
- Security Research & Defense blog: [4] MS10-045: Microsoft Office
Outlook Remote Code Execution vulnerability
- KB978212 [5] MS10-045: Vulnerability in Microsoft Office Outlook could
allow remote code execution
- KB2271150 [6] You cannot open linked file attachments in Outlook:
"Outlook blocked access to the following potentially unsafe
attachments"
- SSD: [7] SecuriTeam Secure Disclosure program

------------------------------------------------------------------------

AST-2012-002: Remote Crash Vulnerability in Milliwatt Application

                "Corrected In" section, or apply a patch specified in the     
                "Patches" section.                                            

   +------------------------------------------------------------------------+
   |                           Affected Versions                            |
   |------------------------------------------------------------------------|
   |             Product              | Release Series |                    |
   |----------------------------------+----------------+--------------------|
   |       Asterisk Open Source       |     1.4.x      | All Versions       |
   |----------------------------------+----------------+--------------------|
   |       Asterisk Open Source       |    1.6.2.x     | All Versions       |
   |----------------------------------+----------------+--------------------|
   |       Asterisk Open Source       |     1.8.x      | All Versions       |
   |----------------------------------+----------------+--------------------|
   |       Asterisk Open Source       |      10.x      | All Versions       |
   |----------------------------------+----------------+--------------------|

                                  Corrected In 

AST-2009-010: RTP Remote Crash Vulnerability

   +------------------------------------------------------------------------+
   |                           Affected Versions                            |
   |------------------------------------------------------------------------|
   |             Product              | Release Series |                    |
   |----------------------------------+----------------+--------------------|
   |       Asterisk Open Source       |     1.2.x      | All versions       |
   |----------------------------------+----------------+--------------------|
   |       Asterisk Open Source       |     1.4.x      | All versions       |
   |----------------------------------+----------------+--------------------|
   |       Asterisk Open Source       |     1.6.x      | All versions       |
   |----------------------------------+----------------+--------------------|

AST-2009-009: Cross-site AJAX request vulnerability

   |                           Affected Versions                            |
   |------------------------------------------------------------------------|
   |          Product           | Release |                                 |
   |                            | Series  |                                 |
   |----------------------------+---------+---------------------------------|
   |    Asterisk Open Source    |  1.2.x  | Unaffected                      |
   |----------------------------+---------+---------------------------------|
   |    Asterisk Open Source    |  1.4.x  | All versions prior to 1.4.26.3  |
   |----------------------------+---------+---------------------------------|
   |    Asterisk Open Source    | 1.6.0.x | All versions prior to 1.6.0.17  |
   |----------------------------+---------+---------------------------------|

AST-2009-006: IAX2 Call Number Resource Exhaustion

   +------------------------------------------------------------------------+
   |                           Affected Versions                            |
   |------------------------------------------------------------------------|
   |             Product              | Release Series |                    |
   |----------------------------------+----------------+--------------------|
   |       Asterisk Open Source       |     1.2.x      | All versions       |
   |----------------------------------+----------------+--------------------|
   |       Asterisk Open Source       |     1.4.x      | All versions       |
   |----------------------------------+----------------+--------------------|
   |       Asterisk Open Source       |     1.6.x      | All versions       |
   |----------------------------------+----------------+--------------------|

Copyright © 1995-2012 LinuxRocket.net. All rights reserved.