The disable_functions feature can be bypassed by using function aliases. A
list of aliases is given at http://php.net/aliases/. For example,
ini_alter() may be used instead of ini_set() and vice versa.
SecurityVulns issue: http://securityvulns.com/news/PHP/alias-pb.html
Original message (in Russian): http://securityvulns.ru/Sdocument67.html
2. MustLive reports a Cross-Site Scripting vulnerability in WordPress
MultiUser 1.0
XSS is possible via the Username form field.
1.2 Same check pairs may be used for multiple postings
According to vendor both problems were addressed in Version 2.9.0 on
August 11, 2007
Original article: http://websecurity.com.ua/1501/
Exploit for 1.2: http://websecurity.com.ua/uploads/2007/MoBiC/Peter's%20Custom%20Anti-Spam%20Image%20CAPTCHA%20bypass.html
2. mt-scode CAPTCHA (plugin for Movable type and Drupal)
Same check pairs may be used for multiple postings
http://site/templates/example_template.php?data[message]=%3Cscript%3Ealert(document.cookie)%3C/script%3E
http://site/templates/example_template.php?data[table][1][item]=%3Cscript%3Ealert(document.cookie)%3C/script%3E
http://site/templates/example_template.php?data[table][1][url]=%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E
http://site/templates/example_template.php?data[poweredby]=%3Cscript%3Ealert(document.cookie)%3C/script%3E
Original article (in Russian): http://securityvulns.ru/Sdocument784.html
Additional details (in Ukrainian): http://websecurity.com.ua/1694/
2. Wordpress multiple security vulnerabilities:
2.1 information disclosure (WordPress 2.2/2.3)
the first available scheduled release in the future will be in June, 2009.
2009-03-26:
Core indicates that the previous email from MSRC is quite confusing. It
seems to indicate that the vulnerability is already fixed in IE8, whereas
at the time of the original report IE8 was still a beta product and
there was no communication from MSRC indicating whether the problem
was going to be fixed nor a tentative date for such a fix. Core asks MSRC
to confirm that the vulnerability was indeed fixed in the released
version of IE8, while two consecutive tentative release dates for patches
to the officially confirmed vulnerable versions IE5 to IE7 have been
> .....data
> [MakeFiles]
> 5=CRC Check.exe
> [MakeDef]
> Menu=1,1,1,1,1,1,1,1,0,0,0,0,0,0,0,0
> 1=4,O,$B\RC.EXE /v,1 <==Command Execution by replacing the original file path with the command
> 2=3,O,$B\ML.EXE /c /coff /Cp /nologo /I"$I",2 <==Command Execution by replacing the original file path with the command
> 3=5,O,$B\LINK.EXE /SUBSYSTEM:WINDOWS /RELEASE /VERSION:4.0 /LIBPATH:"$L" /OUT:"$5",3,4 <==Command Execution by replacing the original file path with the command
> 4=0,0,,5
> 5=rsrc.obj,O,$B\CVTRES.EXE,rsrc.res <==Command Execution by replacing the original file path with the command
> 7=0,0,"$E\OllyDbg",5
+zlib_decode(svn_stringbuf_t *in, svn_stringbuf_t *out, apr_size_t limit)
{
apr_size_t len;
char *oldplace = in->data;
@@ -390,6 +409,13 @@ static svn_error_t *
/* First thing in the string is the original length. */
in->data = (char *)decode_size(&len, (unsigned char *)in->data,
(unsigned char *)in->data+in->len);
+ if (in->data == NULL)
+ return svn_error_create(SVN_ERR_SVNDIFF_INVALID_COMPRESSED_DATA, NULL,
+ _("Decompression of svndiff data failed:
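Review bot: on the new error path, `in->data` is left holding the NULL returned by `decode_size` instead of being restored to the buffer start saved in `oldplace` a few lines above, so the caller gets back a stringbuf with a NULL data pointer; either set `in->data = oldplace;` before the `return svn_error_create(...)`, or decode into a local pointer and assign `in->data` only after the NULL check succeeds.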
An HTTP request with a missing Host: header prevents administration
interface access until reboot. The vendor was reportedly contacted, but
failed to react.
SecurityVulns issue: http://securityvulns.com/news/Planet/VC-200M/DoS.html
Original message (in Russian): http://securityvulns.ru/Rdocument847.html
2. MustLive reports a low-risk (requires social engineering), yet
interesting example of cross-site scripting in Internet Explorer. Local
zone scripting is possible on accessing a saved page with the original URL
in the form of
--
Abe Getchell
me@abegetchell.com
https://abegetchell.com/
> -----Original Message-----
> From: Jim Harrison [mailto:Jim@isatools.org]
> Sent: Sunday, July 20, 2008 4:33 PM
> To: 'me@abegetchell.com'; 'Thor (Hammer of God)'; 'Johan Beisser'
> Cc: bugtraq@securityfocus.com
> Subject: RE: Windows Vista Power Management & Local Security Policy
you know why!
Systems Administrator
Virginia Tech
-----Original Message-----
From: Larry Seltzer [mailto:larry@larryseltzer.com]
Sent: Wednesday, September 16, 2009 5:03 PM
To: Susan Bradley; Thor (Hammer of God)
Cc: full-disclosure@lists.grok.org.uk; bugtraq@securityfocus.com
Subject: RE: [Full-disclosure] 3rd party patch for XP for MS09-048?
If someone can demonstrate an actual vulnerability or exploit on the basis of this bug _alone_, then they may have something to make noise about. There are enough real bugs and security vulns in software to deal with. Not every security issue spells doom and damnation or warrants immediate corrective response from the vendor.
Jim
-----Original Message-----
From: Abe Getchell [mailto:me@abegetchell.com]
Sent: Sunday, July 20, 2008 12:32 PM
To: 'Thor (Hammer of God)'; Jim Harrison; 'Johan Beisser'
Cc: bugtraq@securityfocus.com
Subject: RE: Windows Vista Power Management & Local Security Policy
Original Photo Gallery Remote Command Execution
Name: Original Photo Gallery Remote Command Execution
Systems Affected: Original 0.11.2 version and below
Severity: High
Vendor: http://jimmac.musichall.cz/original.php
Advisory:
http://www.ush.it/team/ascii/hack-original/advisory_updated.txt
http://www.ush.it/team/ascii/hack-original/advisory.txt
Author: Francesco `ascii` Ongaro, Antonio `s4tan` Parata
Contributing Editor, PC Magazine
larry_seltzer@ziffdavis.com
http://blogs.pcmag.com/securitywatch/
-----Original Message-----
From: full-disclosure-bounces@lists.grok.org.uk
[mailto:full-disclosure-bounces@lists.grok.org.uk] On Behalf Of Susan
Bradley
Sent: Wednesday, September 16, 2009 2:26 PM
To: Thor (Hammer of God)
> -----Original Message-----
> From: Thor (Hammer of God) [mailto:thor@hammerofgod.com]
> Sent: Saturday, July 19, 2008 6:20 PM
> To: me@abegetchell.com; Jim Harrison; bugtraq@securityfocus.com
> Subject: RE: Windows Vista Power Management & Local Security Policy
>
URL : http://localhost/index.php
1. Parameter = view
The following changes were applied to the original request:
• Set parameter 'view's value to 'somechars'%20+%20'article'
POC URL : http://localhost/index.php?option=com_content&view=somechars'%20+%20'article&id=25&Itemid=28
t
> -----Original Message-----
> From: Larry Seltzer [mailto:larry@larryseltzer.com]
> Sent: Wednesday, September 16, 2009 8:21 AM
> To: Thor (Hammer of God); Eric C. Lukens; bugtraq@securityfocus.com
> Cc: full-disclosure@lists.grok.org.uk
> Subject: RE: [Full-disclosure] 3rd party patch for XP for MS09-048?
(http://www.white-hat-web-design.co.uk/articles/php-captcha.php). I.e. it
was more than 3 years ago. And the CB Captcha developers ignored that, and
didn't do anything until I informed them, and even after that they were
fixing the hole slowly, creating different justifications for themselves,
including saying that it's not a hole. Did you (developers of CB Captcha)
think about why the original author fixed that hole in 2007 (and they had this
hole almost one year after creating the script, but when they understood
the fact of the hole they fixed it)?
17.03.2010 - I disclosed at my site the vulnerabilities in
CaptchaSecurityImages (http://websecurity.com.ua/4043/) and on 22.03.2010 I
reported it to Bugtraq. It was 9 days before I disclosed at my site
=======
Exploit
=======
Ideally, the attacker's DLL should have all the functionality of the DLL that
the application expected to load, including the same exported functions. An
attacker can patch the original DLL so that the attacker's code runs before the
DLL's original DllMain code is executed, after which the original DllMain code
is called. This allows the DLL to continue to operate as normal.
The program at http://www.malwareanalysis.com/releases/dllpatcher.zip [4] can be
used to redirect a given DLL's entrypoint (which originally pointed to DllMain)
t
> -----Original Message-----
> From: Abe Getchell [mailto:me@abegetchell.com]
> Sent: Saturday, July 19, 2008 12:33 AM
> To: 'Jim Harrison'; bugtraq@securityfocus.com
> Subject: RE: Windows Vista Power Management & Local Security Policy
>
> 2) Think things through. If you are going to try to boot sales of Win7 to corporate customers by providing free XP VM technology and thus play up how important XP is and how many companies still depend upon it for business critical application compatibility, don't deploy that technology in an other-than-default configuration that is subject to a DoS exploit while downplaying the extent that the exploit may be leveraged by saying that a "typical" default configuration mitigates it while choosing not to ever patch it. Seems like simple logic points to me.
>
> t
>
>
>> -----Original Message-----
>> From: Susan Bradley [mailto:sbradcpa@pacbell.net]
>> Sent: Wednesday, September 16, 2009 10:16 AM
>> To: Thor (Hammer of God)
>> Cc: bugtraq@securityfocus.com; full-disclosure@lists.grok.org.uk
>> Subject: Re: [Full-disclosure] 3rd party patch for XP for MS09-048?
security requirements, specific methods of access control enabling
large scale cooperation, usage of mobile technologies and smartcards,
new security infrastructures supporting better prevention, detection,
recovery and healing in the context of cooperative systems.
We invite original contributions from researchers in academia, research
institutions and industry on these emerging and important areas of
information technology.
Workshop topics must address security and collaboration:
* Frameworks for Security in Collaborative Systems
On 24.10.2009 2:05, Pavel Machek wrote:
> On Sat 2009-10-24 01:12:51, Dan Yefimov wrote:
>> On 24.10.2009 0:35, Matthew Bergin wrote:
>>> doesn't look like the original owner is trying to write to it. Shows it
>>> can't, it had guest write to it via the proc folder's bad permissions.
>>> Looks legitimate
>>>
>> Please tell me, who issued 'chmod 0666 unwritable_file'? Was that an
>> attacker? No, that was the owner of 'unwritable_file', nobody else.
>> What does the 0666 file mode mean? It means that everybody can write to
I know it. And I mentioned this in my paragraph "Via data: it's
possible to bypass in Firefox ...". In this paragraph I wrote "But in
Firefox 3.0.11 and Google Chrome you can't get to cookies this way", which
is the same as what you wrote, but in a more laconic way. And in the same
paragraph I wrote "but it's possible in old Mozilla (and in those versions
of Firefox where there is a relation between the data: page and the original page)".
So there are browsers in which data: URIs from redirectors inherit the context
of the site. In any case JavaScript execution is dangerous even without
a relation to the original site.
Your position is similar to Mozilla's position. And because Mozilla declined
Product : Vim -- Vi IMproved
Version : Tested with Vim 7.2b.10, filetype.vim 2008-07-17
Impact : Arbitrary code execution
Wherefrom: Local and remote
CVE : CVE-2008-2712
Original : http://www.rdancer.org/vulnerablevim-filetype.vim.updated.html
http://www.rdancer.org/vulnerablevim-filetype.vim.updated.patch
http://www.rdancer.org/vulnerablevim-latest.tar.bz2
This is an update of a previous advisory[1]. Vim patch 7.1.300 which
purported to fix the ``filetype.vim'' vulnerability did not fix the
VISIT ORIGINAL ADVISORY FOR MORE DETAILS
http://myimei.com/security/2007-09-01/olate-download-342-useruploadphp-upload-executable-files.html
——-Summary——
Software: Olate Download
Software's Web Site: http://www.olate.co.uk/
Versions: 3.4.2
Class: Remote
Status: Unpatched
Exploit: Available
VISIT ORIGINAL ADVISORY FOR MORE DETAILS
http://myimei.com/security/2007-09-01/olate-download-342uploads-folder-directory-traversal.html
——-Summary——
Software: Olate Download
Software's Web Site: http://www.olate.co.uk/
Versions: 3.4.2
Class: Remote
Status: Unpatched
Exploit: Available