registers
Vulnerability details
---------------------
The Oracle TNS Listener component routes connections from the client to
the database server depending on the database's instance name the client
wants to connect to. These instances are registered at the TNS Listener
by using any of the following methods:
1. Local registration. The database's internal process PMON connects via
IPC to the TNS Listener and registers the database's instance name in
the local listener. This can be changed by altering the system parameter
1. Insecure file upload in blog personal gallery
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Security risk: critical
Preconditions:
1. the attacker must be a registered user
2. the attacker must have blog editing privileges
Registered users with blog keeping privileges can access personal gallery
functionality, example URL:
This vulnerability is documented in the following Cisco Bug IDs and
has been assigned the following Common Vulnerabilities and Exposures
(CVE) IDs:
* Cisco ACE Application Control Engine Module: CSCsq43828
(registered customers only) - CVE-2009-0620
* Cisco ACE Application Control Engine Appliance: CSCsq43229
(registered customers only) - CVE-2009-0621
A third account, used for the Cisco 4700 Series Application Control
Engine Appliance Device Manager, also uses default credentials. Only
SIP implementation, and one vulnerability is in the MGCP
implementation.
The following vulnerabilities can cause affected devices to crash:
* CSCsl39126 (registered customers only), CVE ID CVE-2010-0601
* CSCsk32606 (registered customers only), CVE ID CVE-2010-0602
* CSCsk40030 (registered customers only), CVE ID CVE-2010-0603
* CSCsk38165 (registered customers only), CVE ID CVE-2010-0604
* CSCsk44115 (registered customers only), CVE ID CVE-2010-1561
* CSCsj98521 (registered customers only), CVE ID CVE-2010-1562
Default credentials are assigned for several predefined user accounts
on the device including the administrative user account. Any user
with network access to the device can log in as an administrator and
take complete control over the vulnerable device.
* CSCtb83495 (registered customers only) has been assigned the CVE
identifier CVE-2010-0595.
Privilege escalation
+-------------------
a malformed request to an affected device via TCP port 8082.
An attacker must perform a three-way TCP handshake and establish a
valid session to exploit this vulnerability.
* Cisco TelePresence endpoint - CSCtb31640 (registered customers
only) has been assigned the CVE identifier CVE-2011-0372
CGI Command Injection
Multiple CGI command injection vulnerabilities exist in Cisco
80, 443, or 8080.
An attacker must perform a three-way TCP handshake and establish a
valid session to exploit these vulnerabilities.
* CTMS - CSCtf42008 (registered customers only) has been assigned
the CVE identifier CVE-2011-0383.
* CTMS - CSCtf01253 (registered customers only) has been assigned
the CVE identifier CVE-2011-0384.
Unauthenticated Arbitrary File Upload
or TCP port 8080.
An attacker must perform a three-way TCP handshake and establish a
valid session to exploit these vulnerabilities.
* Cisco TelePresence Recording Server - CSCtf42005 (registered
customers only) has been assigned the CVE identifier
CVE-2011-0383.
CGI Command Injection
+--------------------
Log data
0BADF00D -------------------------------------------------------------------------
0BADF00D Searching for metasploit pattern references
0BADF00D -------------------------------------------------------------------------
0BADF00D [1] Checking register addresses and contents
0BADF00D ============================================
0BADF00D Register EDI points to Metasploit pattern at position 0
0BADF00D Register EAX is overwritten with Metasploit pattern at position 4096
0BADF00D Register EBP points to Metasploit pattern at position 4100
0BADF00D Register EDX points to Metasploit pattern at position 0
8.1 Introduction
Many past advisories have been published for Cute News. An unpatched LFI
exploit was published in January 2009.
Attackers without a registered account, or with a comment-level account,
can exploit cross-site scripting (XSS) to steal cookies from other
users, a cross-site request forgery (CSRF) vulnerability to execute
administrator functions (including adding a new administrator account),
and a file path disclosure vulnerability.
addresses raises an exception which is appropriately handled, and the
ZwQueryObject() call is never performed.
Because of the added "fixes", even legitimate requests cannot be
fulfilled, so these drivers are very likely not used at all.
--- 2. Issue: Local DoS by overwriting array of registered processes ---
SABKUTIL.sys/SASKUTIL.sys have a unique mechanism for
connecting/registering with an application (i.e. user mode). Every
application that intends to use these drivers must first register
with the driver. Registration involves a modified variant of MD5 hash
Arbitrary Variable Overwriting:
PHP Live Helper is vulnerable to a limited variable overwriting issue
due to faulty register_globals emulation code. The vulnerable code
in question can be found in libsecure.php at lines 400-414:
unset ($_GET[abs_path]);
$rg = ini_get ('register_globals');
$getget_count = @count ($_GET);
Manager to restart. The Packet Capture Service should be disabled in
the Cisco Unified Communications Manager Administration Interface by
setting the service parameter to False. The Cisco Unified
Communications Manager application must be restarted for the change
to take effect. This vulnerability is documented in Cisco Bug ID
CSCtf97162 (registered customers only) and has been assigned Common
Vulnerabilities and Exposures (CVE) identifier CVE-2011-2560. This
vulnerability affects only 4.x versions of Cisco Unified
Communications Manager.
The second DoS vulnerability involves certain configurations of Media
http://[host]/lib/pkp/lib/tinymce/jscripts/tiny_mce/plugins/ibrowser/scripts/rfiles.php?lang=en&param=rename|file.jpg|file.php%00.jpg
File upload is available by default to registered users. Registration is also enabled by default.
The second PoC will move "file_to_move" to "1x.jpg" in the uploads directory via a directory traversal technique:
http://[host]/lib/pkp/lib/tinymce/jscripts/tiny_mce/plugins/ibrowser/scripts/rfiles.php?lang=en&param=rename|/../../../../../../../../../../../../../../../../../../../tmp/file_to_move|1x.jpg
The following PoC is available:
http://[host]/exportcsv/exportcsv_index.php?action=export_page&module=../../../../tmp/file
Successful exploitation of this vulnerability requires the attacker to be registered and logged in.
2) Input passed via the "sel_domain_id" POST parameter to /obm.php is not properly sanitised before being used in a SQL query.
This can be exploited to manipulate SQL queries by injecting arbitrary SQL code.
The following PoC code is available:
get to the qualification round and special prizes for the winners of
each contest.
Qualification round
Stage 1 (hiding): All participants registered for the backdoor hiding
game are given a set of requirements for a software program. Before the
deadline, they must submit the source code for a program that fulfills
these requirements and includes a backdoor. They must also send a
description explaining how to exploit the backdoor.
include($path.$l.'/'.'filelist.mas');
...
The variables $i and $l are not properly sanitized
before being used in the include() construct.
If Register Globals = On and Allow URL Include (Allow URL Fopen) = On,
then an attacker can send a malicious request leading to remote
file inclusion and therefore arbitrary command execution.
---------------------------------------------------------------------
(*5)
--//- snip ----//-----------------------------------------------------
The attacker controls the value of the ECX register, initialized at 0x62448F24
(*1).
This is very important since this value is later used to initialize
the EDI register (the destination for memcpy() (*5)) and is also used as the
size argument for the same memcpy() (*5) operation.
** TRAININGS **
This event will offer training in two tracks. To see
details of the training and to register, please visit
the link below:
http://www.chase.org.pk/en/training.html
- many platforms (webshops, forums, etc.) do NOT delete inactive accounts
This asymmetry in handling inactive accounts has the consequence that thousands of accounts on various online platforms can be hijacked by attackers without any technical difficulty.
The procedure is so simple that it hardly needs to be mentioned:
- An attacker takes an old email address and tries to register this email account at the email service provider.
- If it can be registered, it is assumed that the account has been released (or has never existed).
- Then the attacker tries, at a variety of online platforms, to create accounts for the just-registered email address.
+ If the registration succeeds, there is no account registered for this email address at this online platform.
+ If the registration fails because an account already exists there, a registered account for this email address has been found, and now it gets ugly.
"mapserv->map->name", is taken from the NAME attribute inside the same
map file. The third variable, "mapserv->Id", is read from user input
at line 406, though it is restricted to IDSIZE (128) bytes. Thus, a
buffer overflow can be achieved by creating a map file on the server
with overly long IMAGEPATH and/or NAME attributes; their values will be
stored past the end of "buffer" and will overwrite saved register
values. If the following specially-crafted map file ("bof.map") is
stored on the server (either by creating it directly, or tricking a
legitimate user into placing it onto the file system):
MAP
[** TRAININGS **]
This event will offer training in four tracks. To see
details of the training and to register, please visit
the link below:
http://www.chase.org.pk/en/training.html
There is a special discount for early registration.
Invalid #PF Exception Code in VMware can result in Guest Privilege Escalation
-----------------------------------------------------------------------------
In protected mode, the CPL is usually equal to the two least significant bits of
the CS register. However, there is an exception: in Virtual-8086 mode, the
CPL is always 3 (least privileged), regardless of the value of the CS
register.
When the processor raises a #PF (page fault) exception, an exception code is
pushed onto the stack containing flags used by the operating system to
enable outside
End user systems running Microsoft Windows may be affected if they
have used the Cisco Clientless VPN feature on an affected device from
a browser that supports ActiveX technology. Devices that contain the
cscopf.ocx ActiveX control registered with a class ID (CLSID) of
{B8E73359-3422-4384-8D27-4EA1B4C01232} are affected. The affected
controls are marked both Safe for Scripting (SFS) and Safe for
Initialization (SFI), which may present additional attack vectors
when a system has registered and cached the affected control.
Wordpress Plugin Sniplets 1.1.2 Multiple Vulnerabilities by NBBN
########################
1) Remote File Inclusion
File: /modules/syntax_highlight.php
Register Globals: ON
Vuln code:
<?php
/* Name: Syntax Highlight */
include_once ("$libpath/geshi/geshi.php");
A device with the SSH server enabled is vulnerable.
These vulnerabilities are documented in Cisco Bug IDs:
* CSCsk42419 (registered customers only)
* CSCsk60020 (registered customers only)
* CSCsh51293 (registered customers only)
Vulnerability Scoring Details
=============================
interface or from the command-line interface (CLI) of the appliance
operating system.
Customers who use the AVS 3180 or 3180A Management Station can determine
their node software versions by navigating to the Cluster Information
Page. Each registered node will display the corresponding software
version when the node is selected.
The AVS appliance version can also be determined from the host operating
system by using the "Show Version" command.
2 Ethernet/IEEE 802.3 interface(s)
1019k bytes of non-volatile configuration memory.
38079M bytes of hard disk.
981440k bytes of ATA PCMCIA card at disk 0 (Sector size 512 bytes).
Configuration register on node 0/0/CPU0 is 0x102
Boot device on node 0/0/CPU0 is mem:
!--- output truncated
encryption engine on an IronPort e-mail gateway encrypts the original
e-mail message as an HTML file and attaches it to a notification
e-mail message that is sent to the recipient. The per-message key
used to decrypt the HTML file attachment is stored on a local
IronPort Encryption Appliance, PostX software installation or the
Cisco Registered Envelope Service, which is a Cisco-managed software
service.
PXE Encryption Privacy Vulnerabilities
+-------------------------------------
Hello Bugtraq!
I want to warn you about Cross-Site Scripting, Insufficient Anti-automation
and Full Path Disclosure vulnerabilities in the Register Plus Redux plugin for
WordPress. Register Plus Redux is a fork of the Register Plus plugin.
-------------------------
Affected products:
-------------------------