=======
Versions of the Cisco Application Velocity System (AVS) prior to
software version AVS 5.1.0 do not prompt users to modify system account
passwords during the initial configuration process. Because there is no
requirement to change these credentials during the initial configuration
process, an attacker may be able to leverage the accounts that have
default credentials, some of which have root privileges, to take full
administrative control of the AVS system.
After upgrading to software version AVS 5.1.0, users will be prompted to
####################
- Discussion:
####################
1- [Remote Attacker] can log in to the Hosting Controller panel. He can also change all other users' passwords.
2- [User] can copy a file into the Hosting Controller web directory, which is executed under administrative privilege, so the attacker can execute his commands with administrative privilege; e.g. an attacker can gain remote desktop access to the server using this bug by uploading an ASP file.
3- [Remote Attacker] can create a new user.
4- [Remote Attacker] can change all users' profiles.
5- [User] can see all the database information via SQL injection.
6- [User] can change his credit amount or increase his discount.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
Cisco Security Advisory: Cisco Secure Access Control System Unauthorized
Password Change Vulnerability
Advisory ID: cisco-sa-20110330-acs
Revision 1.0
Summary
=======
Cisco Network Registrar Software Releases prior to 7.2 contain a
default password for the administrative account. During the initial
installation, users are not forced to change this password, allowing
it to persist after the installation. An attacker who is aware of
this vulnerability could authenticate with administrative privileges
and arbitrarily change the configuration of Cisco Network Registrar.
The upgrade to Software Release 7.2 is not free; however, a
***********
Browser-Based Interface (BBI) software is included in the Nortel Networks (versions < 25.0.0.0) and Radware
family of switches. The BBI software lets you use your Web browser to access switch
information and statistics and to perform switch configuration via the Internet. These
vulnerabilities allow remote attackers to change the switch configuration.
Details:
*******
HP has made the following patches available to resolve the vulnerability.
The updates are available from: http://itrc.hp.com
HP-UX Release - HP-UX B.11.11 (11i v1)
Action - Install PHCO_36562 or subsequent; change NFS configuration as needed
HP-UX Release - HP-UX B.11.23 (11i v2)
Action - Install PHCO_36563 or subsequent; change NFS configuration as needed
Package : exim4
Vulnerability : privilege escalation
Problem type : local
CVE Id(s) : CVE-2010-4345 CVE-2011-0017
Behaviour change : yes
A design flaw (CVE-2010-4345) in exim4 allowed the local Debian-exim
user to obtain root privileges by specifying an alternate
configuration file using the -C option or by using the macro override
facility (-D option). Unfortunately, fixing this vulnerability is not
Background
----------
NNT Change Tracker Enterprise is a commercial product created by
UK-based New Net Technologies, and is designed to detect changes to
PC, server and network device configurations. The central component
'Core Server' is sent change data from 'Remote Angels' that monitor
remote systems.
It is marketed as a security product.
This allows a journalist or editor level user to edit any article.
By default a journalist user cannot edit his own news articles. Using
this method, a journalist can submit an article, have it approved by the
admin, then later change it to include stored XSS.
8.10.1 Proof of concept exploit
Article IDs can be found in the links from this page:
http://localhost/test/cutenews/index.php?mod=editnews&action=list
Affected Products:
Admin r8.1 SP2
Advantage Data Transformer r2.2
Allfusion Harvest Change Manager r7.1
CA ARCserve Backup for Unix r11.1, r11.5 GA/SP1/SP2/SP3
CA ARCserve Backup for Linux r11.1, r11.5 GA/SP1/SP2/SP3
CA Directory r8.1
CA Job Management Option R11.0
CA Single Sign-On r8.1
This privilege escalation is a direct consequence of using the same name
on a local variable ("username" on "modules/passreset.inc.php" and
"modules/signup.inc.php") and a global variable
("$_SESSION['username']"). When the "register_globals" setting is
enabled and the session variable "username" is set (to any value,
including the empty string), any change made to the local variable is
also written to the global one.
Since both modules set the variable to a user input string, and the
authentication module uses that global variable to both determine if the
user is logged in and which username to use, following the instructions
While researching the fixes issued by Microsoft in Microsoft's Security
Bulletin MS10-024
[http://www.microsoft.com/technet/security/bulletin/ms10-024.mspx]
published April 13, 2010 Nicolas Economou discovered two vulnerabilities
in the Windows SMTP Service and Microsoft Exchange. These vulnerabilities
were fixed by the patches referenced in MS10-024 but were not disclosed
in the vendor's security bulletin and did not have a unique
vulnerability identifier assigned to them. As a result, the guidance and
the assessment of risk derived from reading the vendor's security
bulletin may overlook or misrepresent actual threat scenarios.
> > such as SSI, non-suexec CGI scripts, non-suexec PHP (if mod_php is also
> > installed), and likely numerous other options.
>
> Once the attacker can run code as the same user > the webserver runs as, he
> can make the webserver do whatever he wants. He > can just 'debug' the
> webserver process and change any setting, inject code, whatever. You can
> php.ini whatever you want, and the attacker can > just make the webserver
> read his own php.ini, or change the webserver memory after the fact, to
> make it think it read something else than you wrote.
This is not true, at least on most platforms, because webservers typically start as root and use setuid to change their access level down to that of the webserver user after binding to the port. Most platforms do not allow users with the level of access as the webserver user to make ptrace syscalls against a process which used setuid to change to the webserver user.
Advisory: http://acid-root.new.fr/?0:18
Author: DarkFig < gmdarkfig (at) gmail (dot) com >
Released on: 2008/08/29
Changelog: 2008/08/29
Summary: Introduction
Blind SQL Injection
Insecure SQL Password Usage
Admin Session Hijacking
Dan Kaminsky discovered that properties inherent to the DNS protocol
lead to practical DNS cache poisoning attacks. Among other things,
successful attacks can lead to misdirected web traffic and email
rerouting.
This update changes Debian's BIND 9 packages to implement the
recommended countermeasure: UDP query source port randomization. This
change increases the size of the space from which an attacker has to
guess values in a backwards-compatible fashion and makes successful
attacks significantly more difficult.
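The following is an added example, not code from the Debian advisory or from BIND: it shows how much the guessing space grows once the source port is randomized, and a crude check you can run over captured resolver traffic to see whether a resolver still sends every query from one port. The tcpdump-style lines and the addresses in them are constructed for illustration.

```python
"""Added example (not from the Debian advisory or from BIND): how much harder
source port randomization makes blind cache poisoning, plus a check you can run
over captured resolver traffic. The tcpdump-style lines are constructed."""
import re

TXID_BITS = 16  # width of the DNS transaction ID


def poison_success_probability(forged_responses: int, port_entropy_bits: int) -> float:
    """Chance that a burst of distinct forged replies, all sent before the real
    answer arrives, matches one outstanding query. Without port randomization
    the attacker only guesses the TXID (port_entropy_bits == 0); with it, the
    source port adds up to roughly 16 more bits."""
    space = 2 ** (TXID_BITS + port_entropy_bits)
    return min(1.0, forged_responses / space)


# Constructed tcpdump-style lines, not a real capture: a resolver at 192.0.2.10
# querying 198.51.100.5. Before the fix every query leaves from one port.
UNPATCHED_CAPTURE = [
    f"10:00:0{i}.000000 IP 192.0.2.10.53 > 198.51.100.5.53: {1000 + i}+ A? example.com. (29)"
    for i in range(8)
]
# After the fix each query uses a fresh ephemeral port.
PATCHED_CAPTURE = [
    f"10:00:0{i}.000000 IP 192.0.2.10.{port} > 198.51.100.5.53: {1000 + i}+ A? example.com. (29)"
    for i, port in enumerate([41233, 59870, 1031, 62444, 33921, 12087, 50516, 7723])
]

QUERY_LINE = re.compile(r"IP \S+?\.(\d+) > \S+\.53: ")


def source_ports(lines):
    """Pull the resolver's UDP source port out of each outbound query line."""
    ports = []
    for line in lines:
        m = QUERY_LINE.search(line)
        if m:
            ports.append(int(m.group(1)))
    return ports


def ports_look_randomized(ports, min_distinct_fraction=0.9):
    """Crude test: a patched resolver spreads queries over the ephemeral range,
    an unpatched one reuses a single port. Needs a few dozen samples to mean much."""
    if not ports:
        return False
    return len(set(ports)) / len(ports) >= min_distinct_fraction


if __name__ == "__main__":
    for label, capture in (("unpatched", UNPATCHED_CAPTURE), ("patched", PATCHED_CAPTURE)):
        ports = source_ports(capture)
        print(label, ports, "randomized" if ports_look_randomized(ports) else "fixed port")
    for bits in (0, 16):
        print(f"10000 forged replies, {bits} port bits:", poison_success_probability(10_000, bits))
```

The probability function assumes the attacker's forged replies carry distinct guesses and all land within one query window; real attacks repeat the window many times, which is why the extra bits matter so much. The port check is only a sanity check on a capture, not a substitute for the upgrade.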
bypassed in the same manner, enabling the automation of the guessing
attempts.
The security question mechanism can also be bypassed by changing the
flow of the application, skipping the security question mechanism and
sending a HTTP request requiring the password change immediately after
declaring which user is to run the recovery procedure.
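As an added example that is not the code of the application in the advisory, here is a recovery flow whose steps can be skipped next to one that enforces their order server-side, limits guesses at the security question, and ties the password change to a token only the question step can mint. Handler names, field names and the sample user are assumptions made for illustration.

```python
"""Added example (not the code of the application in the advisory): a recovery
flow whose steps can be skipped next to one that enforces their order. Handler
and field names are assumptions made for illustration."""
import secrets


def _same(a: str, b: str) -> bool:
    """Constant-time comparison for answers and tokens."""
    return secrets.compare_digest(a.encode(), b.encode())


class SkippableRecovery:
    """Vulnerable pattern: each request only checks the data it needs, so a
    client that has declared a username can post the password change directly
    and never see the security question."""

    def __init__(self, users):
        self.users = users        # username -> {"answer": ..., "password": ...}
        self.session = {}

    def start(self, username):
        if username not in self.users:
            return False
        self.session["recover_user"] = username
        return True

    def answer_question(self, answer):
        user = self.users[self.session["recover_user"]]
        ok = _same(answer, user["answer"])
        if ok:
            self.session["answered"] = True
        return ok

    def change_password(self, new_password):
        user = self.session.get("recover_user")   # never looks at "answered"
        if user is None:
            return False
        self.users[user]["password"] = new_password
        return True


class OrderedRecovery:
    """Hardened: explicit server-side state, a guess limit so the question
    cannot be brute-forced, and a one-time token minted only by the question step."""
    MAX_ATTEMPTS = 3

    def __init__(self, users):
        self.users = users
        self.session = {}

    def start(self, username):
        # Same response whether or not the user exists.
        self.session = {"recover_user": username, "state": "declared", "attempts": 0}
        return True

    def answer_question(self, answer):
        s = self.session
        if s.get("state") != "declared":
            return False                 # not started, already answered, or locked
        s["attempts"] += 1
        user = self.users.get(s["recover_user"])
        if user is not None and _same(answer, user["answer"]):
            s["state"] = "answered"
            s["reset_token"] = secrets.token_urlsafe(16)
            return True
        if s["attempts"] >= self.MAX_ATTEMPTS:
            s["state"] = "locked"
        return False

    def change_password(self, new_password, reset_token):
        s = self.session
        if s.get("state") != "answered":
            return False                 # question not yet answered, or locked
        if not _same(reset_token, s["reset_token"]):
            return False
        self.users[s["recover_user"]]["password"] = new_password
        s["state"] = "done"             # token is single-use
        return True


if __name__ == "__main__":
    sample = {"alice": {"answer": "rover", "password": "old"}}   # constructed user
    weak = SkippableRecovery({"alice": dict(sample["alice"])})
    weak.start("alice")
    print("skip question on vulnerable flow:", weak.change_password("pwned"))
    strong = OrderedRecovery({"alice": dict(sample["alice"])})
    strong.start("alice")
    print("skip question on hardened flow:", strong.change_password("pwned", ""))
```

The point is that the state lives on the server, in the session, and every handler checks it; a client can reorder or omit requests but cannot move the state machine forward without passing the step that guards the transition.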
Additionally, two cross site scripting vulnerabilities were found
related to search functions.
Cisco Media Processing Software releases prior to 1.2 ship with a
root administrator account that is enabled by default with a default
password. An unauthorized user could use this account to modify the
software configuration and operating system settings or gain complete
administrative control of the device. A software upgrade is not
required to resolve this vulnerability. Customers can change the root
account password by issuing a configuration command on affected
engines. The workarounds detailed in this document provide
instructions for changing the root account password.
This advisory is posted at:
exhaust the Cisco Unified Communications Manager's memory by opening
multiple connections, which will cause Cisco Unified Communications
Manager to restart. The Packet Capture Service should be disabled in
the Cisco Unified Communications Manager Administration Interface by
setting the service parameter to False. The Cisco Unified
Communications Manager application must be restarted for the change
to take effect. This vulnerability is documented in Cisco Bug ID
CSCtf97162 ( registered customers only) and has been assigned Common
Vulnerabilities and Exposures (CVE) identifier CVE-2011-2560. This
vulnerability affects only 4.x versions of Cisco Unified
Communications Manager.
is not required to exploit this vulnerability but an attacker must
be authenticated.
The LinuxShield web interface communicates with the locally installed
"nailsd" daemon, which listens on port 65443/tcp, to make configuration
changes, query the configuration and execute tasks.
Each user who can log in to the victim box can also authenticate
to "nailsd" and can make configuration changes and execute
tasks with root privileges.
Problem type : remote
Debian-specific: no
CVE Id(s) : CVE-2008-4989
Debian Bug : 505360
Changes in DSA-1719-1 caused GNUTLS to reject X.509v1 certificates as
CA root certificates by default, as originally described in the
documentation. However, it turned out that there is still significant
use of historic X.509v1 CA root certificates, so this constitutes an
unacceptable regression. This update reverses this part of the
changes in DSA-1719-1. Note that the X.509v1 certificate format does
re: "set 403 page's charset in the server side by writing it in your server code"
Apache *does* set the charset in the HTTP header. It is set to iso-8859-1 by default.
Adding a <meta http-equiv> tag with the iso-8859-1 charset does not change the browser behavior. See below for the captured response from a test with this change.
The user can still manually override the charset to UTF-7 via the browser menu, regardless of anything the Apache server sends.
re: "There is no problem to trick the victim and force him to change the encoding of his browser by little social engineering"
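As an added example, not part of the reply above and not Apache's code: a payload that contains no `<` or `>` bytes yet decodes to a script tag once the browser is reading the page as UTF-7, and the response check the thread is arguing about. The headers and markup are constructed.

```python
"""Added example (not from the thread, and not Apache's code): a payload that
survives a '<'-stripping filter when the browser is switched to UTF-7, and the
check that matters for a response. Headers and markup are constructed."""
import base64
import re


def utf7_shift(text: str) -> str:
    """Put the whole string in one UTF-7 base64 shift sequence ('+...-')."""
    b64 = base64.b64encode(text.encode("utf-16-be")).decode("ascii").rstrip("=")
    return "+" + b64 + "-"


def utf7_payload(markup: str) -> str:
    """Shift-encode only the metacharacters so the bytes contain no '<', '>',
    quotes or slashes; a UTF-7 decoder turns them back into markup."""
    return "".join(ch if ch.isalnum() or ch == " " else utf7_shift(ch) for ch in markup)


def decodes_to(payload: str, charset: str) -> str:
    """What a browser reading the bytes as `charset` would see."""
    return payload.encode("ascii").decode(charset)


def declares_charset(headers: dict) -> bool:
    """The server-side part of the fix: an explicit charset in Content-Type.
    As the reply notes, a user can still override it from the browser menu."""
    ct = headers.get("Content-Type", "")
    return re.search(r";\s*charset=", ct, re.IGNORECASE) is not None


if __name__ == "__main__":
    p = utf7_payload("<script>alert(1)</script>")
    print(p)                                    # no '<' anywhere in the bytes
    print(decodes_to(p, "iso-8859-1"))          # harmless text under the declared charset
    print(decodes_to(p, "utf-7"))               # the script tag under UTF-7
    for h in ({"Content-Type": "text/html"},
              {"Content-Type": "text/html; charset=iso-8859-1"}):
        print(h, declares_charset(h))
```

Only the metacharacters are shifted, which is why a filter looking for literal tags sees nothing; the same string rendered under ISO-8859-1 is just the inert ASCII you see in the first print.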
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Cisco Security Advisory: Cisco Secure Access Control Server for
Windows User-Changeable Password
Vulnerabilities
Advisory ID: cisco-sa-20080312-ucp
http://www.cisco.com/warp/public/707/cisco-sa-20080312-ucp.shtml
SUPPORT COMMUNICATION - SECURITY BULLETIN
Document ID: c01118367
Version: 3
HPSBUX02249 SSRT071442 rev.3 - HP-UX Running the Ignite-UX or the DynRootDisk (DRD) get_system_info Command, Local Unqualified Configuration Change
NOTICE: The information in this Security Bulletin should be acted upon as soon as possible.
Release Date: 2007-08-20
Last Updated: 2008-02-11
> docProps/core.xml . Among these meta data information
> are the fields "LastModifiedBy", "creator" together with
> several others that can be displayed/changed through the
> following menu "Office Button -> Prepare -> Properties".
>
> These entries can be changed without invalidating the signature.
Dear Mr. Poehls,
yes, I can see your point and I agree that there's a risk for an inexperienced user to be spoofed by showing an Author, Time Stamps and State that could have been tampered with after the original owner has signed the document.
But in my opinion, this again emphasizes the need for sufficient knowledge of users about the way how applications may change the appearance of signed documents in a way not intended by the author at the time of signing and that's a question far beyond the considerations concerning the behavior of individual applications like MS Office.
In fact the visual clue you gave for a signed document in Word 2007 shows that in the context for those document properties there are also attributes like keywords, category and comments which are less misleading to the assumption those properties could be part of the signed document. So for example users of SharePoint Office Server are acquainted with the behavior of showing data that is managed and shown on server side in that area above the document. You should also mention that the label on the menu for showing this area reads "Prepare Document for Publishing" which also in my opinion gives a clue that this data is not part of the signed document.
Although I would appreciate if Word 2007 would give more visual clue for the fact that this data isn't part of the signed document, I still believe that this is not a major security issue.
Regards,
=======
Customers who use the CiscoWorks Wireless LAN Solution Engine (WLSE) may use a
conversion utility to convert over to a Cisco Wireless Control System (WCS).
This conversion utility creates and uses administrative accounts with default
credentials. Because there is no requirement to change these credentials during
the conversion process, an attacker may be able to leverage the accounts that
have default credentials to take full administrative control of the WCS after
the conversion has been completed.
Customers who have converted their CiscoWorks WLSE to a Cisco WCS are advised
mitigation possibilities.
3. Manipulation of ACL May Cause ACL Corruption
A possible workaround for this vulnerability is to completely remove the
ACL before modifying it, and then recreate it with the desired changes.
ACLs can be removed with the command "clear configure access-list <ACL
name>".
Note: The ACL corruption does not occur during normal operation of the
device, and it cannot be triggered by some type of traffic. It can
SUMMARY AND IMPACT:
The ActiveWeb Professional 3.0 web content management server is
vulnerable to remote operating system takeover. An unauthenticated
remote user can upload malicious files and backdoor ColdFusion
websites using the EasyEdit.cfm page. By accessing the "getImagefile"
section of the EasyEdit module, the remote attacker can change hidden
form fields to upload malicious applications and ColdFusion CFML
websites that execute those malicious applications or operating system
commands in the context of the ColdFusion service account (SYSTEM).
The remote user can now perform all functions of the system
administrator using uploaded CFML pages. The attacker can create a
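The pattern the advisory describes, an upload handler whose policy arrives in hidden form fields, next to one that decides everything server-side, as an added example that is not ActiveWeb's code. The upload directory, field names, the CFML snippet and the image header are constructed for illustration.

```python
"""Added example (not ActiveWeb's code): an upload handler that takes its
policy from hidden form fields, next to one that decides everything server
side. UPLOAD_ROOT, the field names and the sample inputs are assumptions."""
import posixpath
import secrets

UPLOAD_ROOT = "/var/www/site/uploads"        # assumed image directory
IMAGE_MAGIC = {                                # content sniffing by leading bytes
    b"\x89PNG\r\n\x1a\n": ".png",
    b"\xff\xd8\xff": ".jpg",
    b"GIF87a": ".gif",
    b"GIF89a": ".gif",
}

# Constructed request pieces: a tampered form and two bodies.
TAMPERED_FORM = {"allowed_ext": ".cfm", "upload_dir": "/var/www/site"}
CFML_SHELL = b'<cfexecute name="cmd.exe" arguments="/c whoami">'
PNG_BODY = b"\x89PNG\r\n\x1a\n" + b"\x00" * 16


def trusting_handler(form: dict, filename: str, data: bytes):
    """Vulnerable pattern: allowed extensions and the target folder arrive as
    hidden inputs, so the client rewrites them and drops a .cfm page next to
    the application's own templates. Returns the path that would be written."""
    allowed = form.get("allowed_ext", ".jpg,.gif,.png").split(",")
    folder = form.get("upload_dir", UPLOAD_ROOT)
    ext = posixpath.splitext(filename)[1].lower()
    if ext not in allowed:
        return None
    return posixpath.join(folder, filename)


def hardened_handler(form: dict, filename: str, data: bytes):
    """Ignore every client-supplied hint (form and filename alike): type from
    content, name from the server, path confined to UPLOAD_ROOT."""
    ext = next((e for magic, e in IMAGE_MAGIC.items() if data.startswith(magic)), None)
    if ext is None:
        return None
    name = secrets.token_hex(8) + ext
    path = posixpath.normpath(posixpath.join(UPLOAD_ROOT, name))
    if not path.startswith(UPLOAD_ROOT + "/"):
        return None
    return path


if __name__ == "__main__":
    print("trusting:", trusting_handler(TAMPERED_FORM, "shell.cfm", CFML_SHELL))
    print("hardened:", hardened_handler(TAMPERED_FORM, "shell.cfm", CFML_SHELL))
    print("hardened, real image:", hardened_handler(TAMPERED_FORM, "../x.cfm", PNG_BODY))
```

The hardened handler never consults the form for policy and never reuses the client's filename; whatever the hidden fields say, an upload either sniffs as an image and lands under UPLOAD_ROOT with a server-chosen name, or it is rejected. Serving that directory with script execution disabled is the remaining piece, and is a web-server setting rather than application code.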