destination IP-based load balancing. Additionally, there seems to be an
extra layer of load balancing which makes some remote IP addresses be caught by
a BlueCoat proxy even though the same IP was handled nearly all the time
by a NetCache.
This vulnerability was not present earlier, but since Speedy made their
proxies unable to go out with their own IPs, the prefetch couldn't
work anymore and the NetCache proxies seem to not want to spoof the
clients' IP addresses for that URL until the prefetch is done (never).
Here is a PoC using a Google IP for testing purposes, but the
--Aviv.
-----Original Message-----
From: Core Security Technologies Advisories [mailto:advisories@coresecurity.com]
Sent: Tuesday, September 25, 2007 6:21 PM
To: bugtraq@securityfocus.com; full-disclosure@lists.grok.org.uk; vulnwatch@vulnwatch.org; NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM
Subject: CORE-2007-0817: Remote Command execution, HTML and JavaScript injection vulnerabilities in AOL's Instant Messaging software
interface serial 2/0
ip access-group 150 in
The white paper entitled "Protecting Your Core: Infrastructure
Protection Access Control Lists" presents guidelines and recommended
deployment techniques for infrastructure protection access lists.
This white paper can be obtained at the following link:
http://www.cisco.com/en/US/tech/tk648/tk361/technologies_white_paper09186a00801a1a55.shtml
Receive ACLs (rACL)
Cisco 10000, uBR10012 and uBR7200 series devices use a UDP-based IPC
channel. This channel uses addresses from the 127.0.0.0/8 range and
UDP port 1975. Cisco 10000, uBR10012 and uBR7200 series devices that
are running an affected version of Cisco IOS will process IPC
messages that are sent to UDP port 1975 from outside of the device.
This behavior may be exploited by an attacker to cause a reload of
the device, linecards, or both, resulting in a DoS condition.
Filtering unauthorized traffic destined to 127.0.0.0/8 or UDP port
1975 will mitigate this vulnerability.
problem resides in the Notes feature implemented by tb2ftp.dll, which is loaded by
tb2pro.exe. This is the main issue.
2) Log input manipulation (CVE-2008-1118): Several fields of the packet
containing peer information (computer name, user name and IP address)
are taken from the packet sent to the target and used to display this
information on the screen of the target.
The vulnerabilities discovered allow a remote attacker to upload a file
to an arbitrary location on the victim's machine and forge peer
information on the log lines of the victim's application. For example,
Overview
AOL has become aware of security vulnerabilities in several AIM instant
messaging clients. Successful exploitation of these vulnerabilities could
allow an attacker to execute arbitrary commands on a user's workstation.
AOL has deployed host side filtering on the AIM servers to block this
potentially malicious content from being sent to AIM clients.
Affected Products and Applications
* AIM 6.1
* AIM 6.2
* AIM Pro
6.1. *Solution to the weak security question mechanism*
[CVE-2010-3272] In addition to the Security Questions, the latest
version of ADSelfService Plus also includes an SMS Verification / Email
Verification mechanism. This adds an additional layer of security to the password reset process.
Users must confirm the code sent to their mobile phones / email when
they reset a password / unlock an account.
Earlier builds used a URL-based POST request, which was considered
vulnerable. This has been replaced by a more secure tokenizer mechanism.
This mechanism prevents "bypassing any process / steps involved in
*Report Timeline*
* 2008-01-30: Initial contact mail sent by Core to Citect's support team.
* 2008-01-30: Additional mail sent to Citect support team asking for a software
security contact at Citect.
01/14/2008 to IBM & Symantec - 1st notice
11/24/2008 to Autonomy - 1st notice
12/04/2008 From Autonomy - 1st response
12/04/2008 to Autonomy - 2nd notice
12/05/2008 From Autonomy - PoC Request
12/08/2008 to Autonomy - PoC sent
12/09/2008 From Autonomy - PoC Resend Request
12/09/2008 to Autonomy - PoC Resend sent
12/11/2008 From Autonomy - PoC Clarification Request
12/11/2008 to Autonomy - PoC Clarification reply
01/14/2009 From Autonomy - Reset tentative disclosure / patch date
The vendor has not released a bulletin addressing this vulnerability.
7. Disclosure Timeline
2007-12-18 Reported to vendor
2008-01-17 Follow-up sent to vendor
2008-02-05 Vendor responds, no investigation into issue performed
2008-07-30 Follow-up sent to vendor
2008-07-30 Vendor responds, issue in the queue to be fixed
2008-08-05 Sample exploit sent to vendor to illustrate impact of vulnerability
2008-08-11 Vendor responds, issue in the queue to be fixed
[*] Got answer with 1 answers, 0 authorities
[*] Got an A record: ns90.worldnic.com. 172794 IN A 205.178.144.45
[*] Checking Authoritativeness: Querying 205.178.144.45 for example.com....
[*] ns90.worldnic.com. is authoritative for example.com., adding to list of nameservers to spoof as
[*] Attempting to inject a poison record for pwned.example.com. into A.B.C.D:48178...
[*] Sent 1000 queries and 20000 spoofed responses...
[*] Sent 2000 queries and 40000 spoofed responses...
[*] Sent 3000 queries and 60000 spoofed responses...
[*] Sent 4000 queries and 80000 spoofed responses...
[*] Sent 5000 queries and 100000 spoofed responses...
[*] Sent 6000 queries and 120000 spoofed responses...
II - CROSS SITE SCRIPTING
When a guest adds a comment, an HTTP request is sent to
"comment_add_cgi.php". Before the comment is written to
a file, some conditions are checked; the first condition is
that the IP sent with the POST method must be the same
as the IP returned by the getIP() function. Let's see
the code:
From http://support.microsoft.com/kb/890830
======
Reporting component
The Malicious Software Removal Tool sends information to Microsoft if it detects malicious software or finds an error. The specific information that is sent to Microsoft consists of the following items:
* The name of the malicious software that is detected
* The result of malicious software removal
* The operating system version
* The operating system locale
* The processor architecture
* The version number of the tool
Regards
________________________________
From: showrun.lee [mailto:showrun.lee@gmail.com]
Sent: Wednesday, January 14, 2009 7:59 AM
To: bugtraq@securityfocus.com; full-disclosure@lists.grok.org.uk
Cc: Paul Oxman (poxman)
Subject: DoS code for Cisco VLAN Trunking Protocol Vulnerability
pre-defined between the user-mode application and the driver module. The
selected method determines how the I/O Manager handles the memory
buffers used in the communication.
'METHOD_NEITHER' is a very dangerous method because the pointer
passed to 'DeviceIoControl' as the input or output buffer is handed
directly to the driver, which then becomes responsible for
properly validating the addresses received from user mode.
The 'VBoxDrv.sys' driver uses the 'METHOD_NEITHER' communication method
when handling IOCTL requests and does not properly validate the buffer
me@abegetchell.com
https://abegetchell.com/
> -----Original Message-----
> From: Jim Harrison [mailto:Jim@isatools.org]
> Sent: Sunday, July 20, 2008 4:33 PM
> To: 'me@abegetchell.com'; 'Thor (Hammer of God)'; 'Johan Beisser'
> Cc: bugtraq@securityfocus.com
> Subject: RE: Windows Vista Power Management & Local Security Policy
>
> It's about reality & priorities.
# File traversal
$v = str_replace( '../' , '../', $v );

$data[ $k ] = $v;
Then, variables which are sent through the GET and
POST methods are passed to another function. Note
that POST variables overwrite the ones sent with the
GET method:
# GET first
Blue Moon Consulting adapts `RFPolicy v2.0
<http://www.wiretrip.net/rfp/policy.html>`_ in notifying vendors.
:Initial vendor contact:
June 15, 2008: Initial contact sent to overseas@snailgame.net
June 17, 2008: Another request for communication sent to
overseas@snailgame.net and local game distributors
:Vendor response:
vulnerability in 'Ebuddy Web Messenger' and we would like to inform
you that this vulnerability had been discovered and reported to the
vendor on June 5th, 2011 by DcLabs Security Research Group.
In the report below you are going to find videos and references to the
date when the POC was sent to the vendor and the follow up regarding
the timeline for the release.
[Discussion]
Issue 2: Registration bypass
----------------------------
The second issue concerns the registration process. One method to
verify a phone number is through a text message that is sent to the
phone. So if the entered phone number is not yet registered with a
specific udid, an HTTP GET request is sent to /v1/code.php.
This action triggers an SMS to be sent to the phone number that is
supposed to be registered. The SMS contains a 3 digit code, for example
08/25/2008 - Initial Contact
09/22/2008 - Second Contact attempt
09/22/2008 - PoC Requested
09/24/2008 - PoC Requested
11/05/2008 - PoC Sent
11/06/2008 - Clarification requested
11/21/2008 - Clarification requested
12/05/2008 - Clarification Sent
12/05/2008 - Clarification requested
12/07/2008 - Additional Clarification Sent
Systems Administrator
Virginia Tech
-----Original Message-----
From: Larry Seltzer [mailto:larry@larryseltzer.com]
Sent: Wednesday, September 16, 2009 5:03 PM
To: Susan Bradley; Thor (Hammer of God)
Cc: full-disclosure@lists.grok.org.uk; bugtraq@securityfocus.com
Subject: RE: [Full-disclosure] 3rd party patch for XP for MS09-048?
Yes, they used the bulletin to soft-pedal the description, but at the
Yet how this is a security issue is a mystery to me.
-nik
--
Sent from my Android phone with K-9 Mail. Please excuse my brevity.
r.st@comcast.net schrieb:
>Hasn't XP always sent out ARP on non-assignment (and 2K) and 1918 is a straight grab when unassigned. I don't see a security issue here; you might want to expand on the issue.
Regards, Sandeep
--------------------------------------------------
From: "David Calabro" <dcalabro@transitionalwork.org>
Sent: Saturday, February 14, 2009 1:02 AM
To: "'Sandeep Cheema'" <51l3n7@live.in>; <bugtraq@securityfocus.com>
Subject: RE: SEPKILL /im SMC.EXE /f
> If the Symantec Management Client service was somehow changed from
> "smc.exe" to "smc.exe -P" it would effectively prevent the service from
vendor, but all vendors in the database. As the database table name is also passed in the
form as the hidden »db« form field, data from any database table which has an »id« key can
be deleted using this method.
Similarly to the XSS finding, the main cause of this vulnerability is the inadequate
filtering of user input. As this is present throughout the complete codebase, it is likely
that there are similar vulnerabilities in other places.
The README file of LedgerSMB, a fork of SQL-Ledger says the following about SQL injections
in SQL-Ledger:
{
int opt,k=0;
extern char *optarg;
libnet_ptag_t t;
libnet_t *lhandler;
u_int32_t vtp_len=0, sent;
struct vtp_summary *vtp_summ;
struct vtp_subset *vtp_sub;
u_int8_t *vtp_packet,*vtp_packet2, *aux;
u_int8_t cisco_data[]={ 0x00, 0x00, 0x0c, 0x20, 0x03 };
u_int8_t dst_mac[6]={ 0x01,0x00,0x0c,0xcc,0xcc,0xcc };
The Flickr API consists of a set of callable methods and some API
endpoints. To perform an action using the Flickr API, you need to select
a calling convention, send a request to its endpoint specifying a method
and some arguments, and you will receive a formatted response.
Many methods require the user to be logged in. At present there is only
one way to accomplish this: users must be authenticated using the Flickr
Authentication API. Any application wishing to use the Flickr Authentication
API must have already obtained a Flickr API Key. An 8-byte long 'shared
secret' for the API Key is then issued by Flickr and cannot be changed by
the users. This secret is used in the signing process, which is required