Next Page >>
opens
X) References
I) Introduction
On Apr 07, 2008 I spoke with Kuza55 and Wisec about an attack I found some
time before that was a new attack vector for filesystem functions (fopen,
(include|require)[_once]?, file_(put|get)_contents, etc) for the PHP
language. It was a path normalization issue and I asked them to keep it
"secret" [4], this was a good idea cause my analisys was mostly
incomplete and erroneous but the idea was good and the bug was real and
disposable.
MorningStar Security - Advisory
http://www.morningstarsecurity.com/
Multiple security issues in Open Auto Classifieds
1. Advisory Information
----------------------------------------------------------------------------------------------
Title: Multiple security issues in Open Auto Classifieds
Starting Nmap 4.20 ( http://insecure.org ) at 2007-07-09 14:54 CEST
Interesting ports on xxx.xxx.xxx.xxx:
Not shown: 1693 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh Mocanada embedded SSH (protocol 2.0)
80/tcp open http Dell Embedded Remote Access card webserver 1.0
443/tcp open ssl/http Dell Remote Access Controller http interface 2.0
5900/tcp open vnc?
Service Info: Devices: terminal server, remote management
Starting Nmap 4.20 ( http://insecure.org ) at 2007-07-09 14:54 CEST
Interesting ports on xxx.xxx.xxx.xxx:
Not shown: 1693 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh Mocanada embedded SSH (protocol 2.0)
80/tcp open http Dell Embedded Remote Access card webserver 1.0
443/tcp open ssl/http Dell Remote Access Controller http interface 2.0
5900/tcp open vnc?
Service Info: Devices: terminal server, remote management
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
Cisco Security Advisory: Open Query Interface in Cisco Unified
Communications Manager and Cisco Unified Presence Server
Advisory ID: cisco-sa-20110824-cucm-cups
Revision 1.0
Summary
=======
Cisco Security Manager contains a vulnerability when it is used with
Cisco IPS Event Viewer (IEV) that results in open TCP ports on both
the Cisco Security Manager server and IEV client. An unauthenticated,
remote attacker could leverage this vulnerability to access the MySQL
databases or IEV server.
Cisco has released free software updates that address this
-- Vulnerability Details:
This vulnerability allows remote attackers to execute arbitrary code on
vulnerable installations of Novell iPrint Client. User interaction is
required to exploit this vulnerability in that the target must visit a
malicious page or open a malicious file.
The flaw exists within the nipplib component which is used by both the
ActiveX and Netscape compatible browser plugins. When handling the uri
parameter from the user specified printer-url the process blindly copies
user supplied data into a fixed-length buffer on the heap. A remote
-- Vulnerability Details:
This vulnerability allows remote attackers to execute arbitrary code on
vulnerable installations of Novell iPrint Client. User interaction is
required to exploit this vulnerability in that the target must visit a
malicious page or open a malicious file.
The flaw exists within the nipplib component which is used by both the
ActiveX and Netscape compatible browser plugins. When handling the
profile-time parameter from the user specified printer-url the process
blindly copies user supplied data into a fixed-length buffer on the
-- Vulnerability Details:
This vulnerability allows remote attackers to execute arbitrary code on
vulnerable installations of Novell iPrint Client. User interaction is
required to exploit this vulnerability in that the target must visit a
malicious page or open a malicious file.
The flaw exists within the nipplib component which is used by both the
ActiveX and Netscape compatible browser plugins. When handling the
profile-name parameter from the user specified printer-url the process
blindly copies user supplied data into a fixed-length buffer on the
-- Vulnerability Details:
This vulnerability allows remote attackers to execute arbitrary code on
vulnerable installations of Novell iPrint Client. User interaction is
required to exploit this vulnerability in that the target must visit a
malicious page or open a malicious file.
The flaw exists within the nipplib component which is used by both the
ActiveX and Netscape compatible browser plugins. When handling the
file-date-time parameter from the user specified printer-url the process
blindly copies user supplied data into a fixed-length buffer on the
-- Vulnerability Details:
This vulnerability allows remote attackers to execute arbitrary code on
vulnerable installations of Novell iPrint Client. User interaction is
required to exploit this vulnerability in that the target must visit a
malicious page or open a malicious file.
The flaw exists within the nipplib component which is used by both the
ActiveX and Netscape compatible browser plugins. When handling the
driver-version parameter from the user specified printer-url the process
blindly copies user supplied data into a fixed-length buffer on the
-- Vulnerability Details:
This vulnerability allows remote attackers to execute arbitrary code on
vulnerable installations of Novell iPrint Client. User interaction is
required to exploit this vulnerability in that the target must visit a
malicious page or open a malicious file.
The flaw exists within the nipplib component which is used by both the
ActiveX and Netscape compatible browser plugins. When handling the
core-package parameter from the user specified printer-url the process
blindly copies user supplied data into a fixed-length buffer on the
-- Vulnerability Details:
This vulnerability allows remote attackers to execute arbitrary code on
vulnerable installations of Novell iPrint Client. User interaction is
required to exploit this vulnerability in that the target must visit a
malicious page or open a malicious file.
The flaw exists within the nipplib component which is used by both the
ActiveX and Netscape compatible browser plugins. When handling the
client-file-name parameter from the user specified printer-url the
process blindly copies user supplied data into a fixed-length buffer on
-- Vulnerability Details:
This vulnerability allows remote attackers to execute arbitrary code on
vulnerable installations of Novell iPrint Client. User interaction is
required to exploit this vulnerability in that the target must visit a
malicious page or open a malicious file.
The flaw exists within the nipplib component which is used by both the
ActiveX and Netscape compatible browser plugins. When handling the
iprint-client-config-info parameter from the user specified printer-url
the process blindly copies user supplied data into a fixed-length buffer
-- Vulnerability Details:
This vulnerability allows remote attackers to execute arbitrary code on
vulnerable installations of Novell iPrint Client. User interaction is
required to exploit this vulnerability in that the target must visit a
malicious page or open a malicious file.
The flaw exists within the nipplib component which is used by both the
ActiveX and Netscape compatible browser plugins. When handling the
op-printer-list-all-jobs parameter from the user specified printer-url
the process blindly copies user supplied data into a fixed-length buffer
-- Vulnerability Details:
This vulnerability allows remote attackers to execute arbitrary code on
vulnerable installations of Novell iPrint Client. User interaction is
required to exploit this vulnerability in that the target must visit a
malicious page or open a malicious file.
The flaw exists within the nipplib component which is used by both the
ActiveX and Netscape compatible browser plugins. When handling the
op-printer-list-all-jobs parameter from the user specified printer-url
the process blindly copies user supplied data into a fixed-length buffer
Positive Research Center has discovered multiple XSS vulnerabilties in Kayako Support Suite.
Application insufficiently verifies subscriberdata incoming parameter in /staff/index.php?_m=news&_a=importexport script.
An attacker with "staff" privileges can use the vulnerabilty to inject and execute arbitrary HTML code and scripts in a user's browser within the trust relationship between the browser and the server.
To use the vulnerability an attacker should convince a user with "staff" privileges to open URL like:
http://example.com/support/staff/index.php?_m=news&_a=managesubscribers&importsub=1&resultdata=YTo0OntzOjEzOiJzdWNjZXNzZW1haWxzIjtpOjA7czoxMjoiZmFpbGVkZW1haWxzIjtpOjE7czoxMToidG90YWxlbWFpbHMiO2k6MTtzOjk6ImVtYWlsbGlzdCI7czo5MDoiPHNjcmlwdD5hbGVydCgneHNzJyk8L3NjcmlwdD5APHNjcmlwdD5hbGVydCgneHNzJyk8L3NjcmlwdD4uPHNjcmlwdD5hbGVydCgneHNzJyk8L3NjcmlwdD4gIjt9
Application insufficiently verifies subject incoming parameter in /staff/index.php?_m=news&_a=insertnews script.
An attacker with "staff" privileges can use the vulnerabilty to inject and execute arbitrary HTML code and scripts in a user's browser within the trust relationship between the browser and the server.
An attacker should trick a user with "staff" privileges to open URL like:
http://example.com/support/staff/index.php?_m=news&_a=managenews to exploit the vulnerability.
attachments are executables (.exe, .com, .cmd & .scr), scripts
(.hta, .js, .vbs & .wsf) and other types of potentially dangerous
files (.cer, .hlp, .inf & .reg). This helps protect unsuspecting
users from running malicious code.
Normally, when a user tries to open an e-mail attachment, the user is
presented an Opening Mail Attachment dialog. If the user chooses to open
the file, the file is saved locally and handed off to Windows. Windows
will try to find a program associated to this specific type of file
(through its extension). If such a program is found, Windows will launch
the file according to its Shell Open Command in the Windows Registry.
| Affected Versions |
|------------------------------------------------------------------------|
| Product | Release | |
| | Series | |
|----------------------------+---------+---------------------------------|
| Asterisk Open Source | 1.2.x | All versions prior to 1.2.35 |
|----------------------------+---------+---------------------------------|
| Asterisk Open Source | 1.4.x | All versions prior to 1.4.26.3 |
|----------------------------+---------+---------------------------------|
| Asterisk Open Source | 1.6.0.x | All versions prior to 1.6.0.17 |
|----------------------------+---------+---------------------------------|
| Affected Versions |
|------------------------------------------------------------------------|
| Product | Release | |
| | Series | |
|----------------------------+------------+------------------------------|
| Asterisk Open Source | 1.2.x | All versions prior to 1.2.34 |
|----------------------------+------------+------------------------------|
| Asterisk Open Source | 1.4.x | All versions prior to |
| | | 1.4.26.1 |
|----------------------------+------------+------------------------------|
| Asterisk Open Source | 1.6.0.x | All versions prior to |
CVE-2007-5267, CVE-2007-5266, CVE-2007-5268, CVE-2007-5269
*Vulnerability Description*
Android is project promoted primarily by Google through the Open Handset
Alliance aimed at providing a complete set of software for mobile
devices: an operating system, middleware and key mobile applications
[1]. Although the project is currently in a development phase and has
not made an official release yet, several vendors of mobile chips have
unveiled prototype phones built using development releases of the
+------------------------------------------------------------------------+
| Affected Versions |
|------------------------------------------------------------------------|
| Product | Release Series | |
|----------------------------------+----------------+--------------------|
| Asterisk Open Source | 1.2.x | All versions |
|----------------------------------+----------------+--------------------|
| Asterisk Open Source | 1.4.x | All versions |
|----------------------------------+----------------+--------------------|
| Asterisk Open Source | 1.6.x | All versions |
|----------------------------------+----------------+--------------------|
| Affected Versions |
|------------------------------------------------------------------------|
| Product | Release | |
| | Series | |
|----------------------------+---------+---------------------------------|
| Asterisk Open Source | 1.2.x | Unaffected |
|----------------------------+---------+---------------------------------|
| Asterisk Open Source | 1.4.x | All versions prior to 1.4.26.3 |
|----------------------------+---------+---------------------------------|
| Asterisk Open Source | 1.6.0.x | All versions prior to 1.6.0.17 |
|----------------------------+---------+---------------------------------|
+------------------------------------------------------------------------+
| Affected Versions |
|------------------------------------------------------------------------|
| Product | Release Series | |
|----------------------------------+----------------+--------------------|
| Asterisk Open Source | 1.2.x | All versions |
|----------------------------------+----------------+--------------------|
| Asterisk Open Source | 1.4.x | All versions |
|----------------------------------+----------------+--------------------|
| Asterisk Open Source | 1.6.x | All versions |
|----------------------------------+----------------+--------------------|
| Affected Versions |
|------------------------------------------------------------------------|
| Product | Release | |
| | Series | |
|----------------------------+---------+---------------------------------|
| Asterisk Open Source | 1.2.x | Not affected |
|----------------------------+---------+---------------------------------|
| Asterisk Open Source | 1.4.x | Versions 1.4.22, 1.4.23, |
| | | 1.4.23.1 |
|----------------------------+---------+---------------------------------|
| Asterisk Open Source | 1.6.0.x | All versions prior to 1.6.0.6 |
[ Our anticipate apologies if you receive this call for paper more than
once! ]
CALL FOR PAPERS:
1st Workshop on Open Source Software for Computer and Network Forensics
(OSSCoNF)
We are currently inviting the submission of full papers to the 1st Workshop
on Open Source Software for Computer and Network Forensics (OSSCoNF),
which will be held in conjunction with OSS2008, the Fourth International
[ Our anticipate apologies if you receive this call for paper more than
once! ]
CALL FOR PAPERS:
1st Workshop on Open Source Software for Computer and Network Forensics
(OSSCoNF)
We are currently inviting the submission of full papers to the 1st Workshop
on Open Source Software for Computer and Network Forensics (OSSCoNF),
which will be held in conjunction with OSS2008, the Fourth International
[ Our anticipate apologies if you receive this call for paper more than
once! ]
CALL FOR PAPERS:
1st Workshop on Open Source Software for Computer and Network Forensics
(OSSCoNF)
We are currently inviting the submission of full papers to the 1st Workshop
on Open Source Software for Computer and Network Forensics (OSSCoNF),
which will be held in conjunction with OSS2008, the Fourth International
*name = cli_gentemp(dir);
if(!*name)
return CL_EMEM;
*fd = open(*name, O_RDWR|O_CREAT|O_TRUNC|O_BINARY, S_IRWXU);
if(*fd == -1) {
cli_errmsg("cli_gentempfd: Can't create temporary file %s:
%s\n", *name, strerror(errno));
free(*name);
return CL_EIO;
- $username = $_POST['reset_username'];
- $userrows = select_bhdb("users", array("username"=>$username), "");
+ $xgqd_username = $_POST['reset_username'];
+ $userrows = select_bhdb("users", array("username"=>$xgqd_username), "");
if (empty($userrows)) {
# Open layout object
$layoutobj = new bhlayout("generic");
@@ -31,16 +31,16 @@
} else {
# Insert a password reset request row for that username
$resetid = md5(time().rand(1, 99999).rand(54, time()));
Next Page>>
|
