risk
===============================================================================
1. Insecure file upload in blog personal gallery
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Security risk: critical
Preconditions:
1. attacker must be registered user
2. attacker must have blog editing privileges
Registered users with blog keeping privileges can access personal gallery
Hello Salvatore!
> with very very low risk (you need to know the access to the control
> panel).
I agree with you that it's not a vulnerability with very high risk, but its
risk is not as low as you said. Because I don't have such a value of risk as
"very very low" (my minimum value is low aka "1/5") and for this kind of
vulnerability (which allows code execution for authenticated users) I'm
always giving the risk value as moderate (aka "2/5"). Because there is a risk
Gateway products
-----------------
InterScan Web Security Suite product lines and
InterScan Web Protect for ISA
Impact: Detection is evaded but files are quarantined by default,
residual risk of an administrator deblocking a file as there is
no detection of malicious code.
InterScan Messaging Security Appliance
Impact: Detection is evaded but files are quarantined by default,
residual risk of an administrator deblocking a file as there is
form of a "light IM client".
A vulnerability was discovered in these three popular versions of AOL
Instant Messaging software, AIM 6.1 (and 6.2 beta), AIM Pro and AIM Lite,
which exposes workstations running the IM clients and their users to
several immediate high-risk attack vectors. To support rendering of HTML
content, the vulnerable IM clients use an embedded Internet Explorer
server control. Unfortunately they do not properly sanitize the
potentially malicious input content to be rendered and, as a result, an
attacker might provide malicious HTML content as part of an IM message to
directly exploit Internet Explorer bugs or to target IE's security
I am not a fan of third party because you bring yourself outside the
support window of the product.
It is just a DOS. I DOS myself after patch Tuesday sometimes with mere
patch issues. Also the risk of this appears low, the potential for
someone coding up an attack low... I have bigger risks from fake A/V at me.
Is this truly the risk that one has to take such actions and expect such
energy?
>>
>> I am not a fan of third party because you bring yourself outside the
>> support window of the product.
>>
>> It is just a DOS. I DOS myself after patch Tuesday sometimes with
>> mere patch issues. Also the risk of this appears low, the potential
>> for someone coding up an attack low... I have bigger risks from fake
>> A/V at me.
>>
>> Is this truly the risk that one has to take such actions and expect
>> such energy? I don't see that it is. Give me more information that
http://advisory.sectester.net/chr1xpwnadv-winrar-zip-filename-spoofing.pdf
Vulnerability on Video: http://www.youtube.com/user/sectester
PoC/Exploit Availability: http://chr1x.sectester.net/winrar380_PoC.zip
Software: WinRAR
Version: 3.80
Security risk: Low
Exploitable from: Local
Vulnerability: ZIP Filename spoofing
Release mode: Coordinated disclosure.
Vendor: http://www.rarlabs.com
Status: Current version (WinRAR v3.80) not patched, next
The vendor has confirmed the issue exists in all versions prior to
3.5.11.025.
Credits
Research and Advisory: Information Risk Management Plc.
About IRM:
Information Risk Management Plc (IRM) is a vendor independent
information risk consultancy, founded in 1998. IRM has become a leader
PoC:
Username: 'or 1=1--
Password: 'or 1=1--
Risk:
=====
1.1 The security risk of the client-side arithmetic integer
overflow web vulnerability is estimated as low.
1.2 The security risk of the multiple persistent web vulnerabilities
is estimated as medium(+).
CA20100406-01: Security Notice for CA XOsoft
Issued: April 6, 2010
CA's support is alerting customers to multiple security risks with CA
XOsoft products. Multiple vulnerabilities exist that can allow a
remote attacker to gain sensitive information, cause a denial of
service, or possibly execute arbitrary code. CA has issued patches
to address the vulnerabilities.
Hey Larry- hope everything's going well...
When you've got a systemic vulnerability, in this case the TCP/IP stack itself, exploitation information must be explicit and definitive. I'm fine with risk classification, and I appreciate efforts to categorize risk into manageable exposure metrics, but we shouldn't have to infer potential vulnerability information from vague disclosure data. I know many response teams base patch paths on the published severity, but one also has to be able to make decisions on their own. For me, no big deal. But it's not that simple for others.
But there's not enough information for me to make that call. Is it for ANY "listening service?" TCP or UDP? Does the "stateful" firewall introduced in subsequent versions stop it?
The answers are "yes," "yes," and "no." They should just say that. Is it "low" because the firewall doesn't have any exceptions by default? If so, that's silly. Everyone using XP for anything has incoming connections for something, and well known if on a domain. I feel sorry for Diebold and NEC with all the ATMs out there running XP, but fortunately, I'm not responsible for clients using their systems anymore :)
Anyway, the DoS suxx0rz, but I'm more irritated with the lack of real, straightforward, no-nonsense information and technical sleight of hand. The information should be painfully obvious, not obviously painful.
Sent: Thursday, December 03, 2009 1:58 PM
To: Pavel Machek
Cc: Patrick Webster; Thor (Hammer of God); bugtraq@securityfocus.com
Subject: Re: Millions of PDF invisibly embedded with your internal disk paths
While the risk may not be large it is still information that should not be leaked. Leaky computers should always be plugged.
On Thu, Dec 3, 2009 at 4:01 AM, Pavel Machek <pavel@ucw.cz> wrote:
Hi!
> I agree. Discovering the local path may be considered a risk, but in
> most cases the risk is nil.
Product: Geo++(R) GNCASTER
Affected Versions: <= 1.4.0.7
Fixed Versions: 1.4.0.8
Vulnerability Type: Memory corruption
Security Risk: medium
Vendor URL: http://www.geopp.de
Vendor Status: notified
Advisory URL: http://www.redteam-pentesting.de/advisories/rt-sa-2010-002
Advisory Status: published
CVE: TBA
uid MIT Kerberos Team Security Contact <krbcore-security@mit.edu>
DETAILS
=======
The greatest risk is from AES decryption of invalid ciphertexts, which
can theoretically lead to arbitrary code execution under
extraordinarily unlikely conditions. Other scenarios are more likely
to lead to denial of service.
This advisory makes some reasonable assumptions about the platform.
List of found vulnerabilities
===============================================================================
1. Remote Php Code Execution in "avatarlist.php"
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Security risk: High
Reasons:
1. uninitialized arrays "patterns" and "replacements"
Preconditions:
1. attacker must be logged in as user
IronPort
+-------
IronPort C-Series, X-Series, and M-Series appliances utilize code
covered by this advisory, but are not susceptible to any security
risk. IronPort C-Series, X-Series, and M-Series incorporate the
libraries under the advisory to provide anonymous read-only access to
system health data. There is no risk of escalated authorization
privileges allowing a third party to make any configuration changes to
the IronPort devices. IronPort S-Series and Encryption Appliances are
not affected by this advisory. This announcement has also been posted
Aruba Networks recommends that all customers apply the appropriate
patch(es) as soon as practical. However, in the event that a patch
cannot immediately be applied, the following steps will help to
mitigate the risk:
- Disable TACACS authentication for all accounts until such time as the
patches can be applied.
- Do not expose the Mobility Controller administrative interface to
Summary: [HT] Remote File Inclusion
[MT] SQL Injection
[MT] SQL Injection Protection Bypass
[__] Conclusion
Legend: L - Low risk M - Medium risk
H - High risk T - Tested
Risk level: High
CVE: ----------
I mostly agree, "If I can get you to run my malicious program, it is
always game over" and not always a "security problem", but it is the
reality a computer security professional has to manage, whether we like
it or not. And yes, I don't consider a threat where the user
intentionally installs a malicious program and supplies their root or
administrator password a huge threat, but it is a risk we have to manage
either way.
One way to manage some of the risk in an environment can be to not let
our users know root or admin passwords...or not to let them install any
unauthorized programs. Personally, I don't give as much value to end
Research & Advisory: Varun Uppal and Andy Davis
About IRM:
Information Risk Management Plc (IRM) is a vendor independent
information risk consultancy, founded in 1998. IRM has become a leader
in client side risk assessment, technical level auditing and in the
research and development of security vulnerabilities and tools. IRM is
headquartered in London with Technical Centres in Europe and Asia as
well as Regional Offices in the Far East and North America. Please visit
need to authenticate with client-side certificates. Now the network
and the connection is secure (sort of), they enforce group policy for
all laptops so that these laptops cannot connect to any other network
(sending probe requests, rogue access points). Right! But now they
also kill the ethernet since a laptop cannot be connected to the
wireless and the wired network since it is also a risk (stepping stone
attacks). Each client has a firewall on top of that. The firewall
blocks everything that comes in and lets only the browser go out
through a proxy which requires authentication (NTLM, Basic Auth, etc).
The user of the laptop runs with the least possible privileges and
they cannot install software. They cannot use the CD (Sony Rootkits),
Local File Inclusion (+CSRF) [_] [X] [_] [X]
File Deletion (+CSRF) [_] [X] [_] [X]
File Upload Vulnerability [_] [_] [X] [X]
Code Execution (+CSRF) [_] [_] [X] [X]
Legend: L - Low risk M - Medium risk
H - High risk T - Tested
Risk level: Medium / High
CVE: ----------
Vice President- San Diego Information Audit & Control Association (ISACA)
SANS Mentor
LinkedIn: www.linkedin.com/in/securityassessment
Blog: www.JeromieJackson.com
Twitter: www.twitter.com/Security_Sifu
Cell: 832-378-RISK (7475)
Validated Vulnerable:
All versions prior to 12/07/2010
Discussion:
SugarCRM Professional
SugarCRM Enterprise
Affected Versions: <= 6.1.1
Fixed Versions: >= 6.1.3
Vulnerability Type: privilege restriction bypass
Security Risk: medium
Vendor URL: http://www.sugarcrm.com/crm/
Vendor Status: fixed version released
Advisory URL: http://www.redteam-pentesting.de/advisories/rt-sa-2011-002
Advisory Status: published
CVE: CVE-2011-0745
<b>Warning</b>: preg_match() [<a href="function.preg-match">function.preg-match</a>]: No ending delimiter '/' found in <b>/kunden/282246_12623/cms-test.com/demoversion/modules/upload/class.admin.php</b> on line <b>563</b><br>
Risk:
=====
1.1 The security risk of the persistent vulnerabilities is estimated as high(-).
1.2 The result is the persistent execution out of the web application context.
Strings: >"<<iframe src=http://xxxxx.com/>3</iframe> ... or >"<script>alert(document.cookie)</script><div style="1
Risk:
=====
1.1 The security risk of the pre-auth SQL injection vulnerability is estimated as critical.
2.1
</form>
<script>document.test.submit();</script>
</html>
Risk:
=====
1.1 The security risk of the arbitrary file traversal vulnerability is estimated as high(-).
1.2
if (!empty($answer)) {
    // $answer and $aid are interpolated into the query unescaped (the injection point the advisory describes)
    $diy_db->query("update diy_poll_answers set answer='$answer' where aid='$aid'");
}
Risk:
=====
1.1 The security risk of the SQL injection vulnerabilities is estimated as high(+).
1.2