Local Privilege Escalation Through Default ntmulti.exe File Permissions
Unprivileged users can execute arbitrary programs that run with the privileges of the LocalSystem account by replacing the Multi-user Cleanup Service executable with arbitrary executables. This vulnerability exists because the default file permissions assigned during installation to ntmulti.exe (the executable for the Multi-user Cleanup Service) allow unprivileged, interactive
users to replace ntmulti.exe with any file.
Because the Multi-user Cleanup Service is a Windows service running with LocalSystem privileges, unprivileged users can easily elevate their privileges.
- - WordPress MU < 2.6 wpmu-blogs.php Cross Site Scripting vulnerability -
- -----------------------------------------------------------------------
Product: Wordpress-MU (multi-user)
Version: Versions prior to 2.6 are affected
Url: http://mu.wordpress.org
Affected by: Cross Site Scripting Attack
appear to be harmless, it does in fact allow an attacker to cheat the
RFC2109 (HTTP State Management Mechanism) same origin restrictions, and
therefore hijack state management data.
The result of this minor misconfiguration is that it is impossible to
access sites in affected domains securely from multi-user systems. The
attack is trivial, for example, from a shared UNIX system, an attacker
listens on an unprivileged port[0] and then uses a typical XSS attack
vector (e.g. <img src=...> in an html email) to lure a victim into
requesting http://localhost.example.com:1024/example.gif, logging the
request. The request will include the RFC2109 Cookie header, which could
WordPress MU < 2.7 'Host' HTTP Header Cross Site Scripting (XSS)
Vulnerability
II. BACKGROUND
-------------------------
WordPress MU, or multi-user, allows running an unlimited number of blogs
from a single install of WordPress. It is most famously used for
WordPress.com, where it serves tens of millions of hits on hundreds of
thousands of blogs each day. It is also used by many other sites, such as
Harvard University and Le Monde.
Uh, the "first" part is not quite true. There was some discussion about
mailcap entries, and whether you should use %s or '%s' at some time in
the 90s.
> 2) Programs that were formerly assumed to be safe because they were
> only ever intended to be invoked by a single user, will now become
> unsafe if they're referenced in a handler. Think second-order
> symlink issues as one example, or buffer overflows in command-line
> arguments for non-setuid programs that are likely to be used in
> handlers (image converters, anyone?)
stronger). For BIND 9, a theoretic attack was demonstrated (requires
too many guesses at this stage, but possibly may be improved in the
future).
This weakness can be turned into a mass attack in the following way:
(1) the attacker lures a single user that uses the target DNS server
to click on a link. No further action other than clicking the link is
required; (2) by clicking the link the user starts a chain reaction
that eventually poisons the DNS server's cache (subject to some
standard conditions) and associates fraudulent IP addresses with real
website domains; (3) all users that use this DNS server will now reach
Certain malformed SLP messages can trigger a crash because the MSN
protocol plugin fails to check that all pieces of the message are
set correctly (CVE-2010-0277).
If a user in a multi-user chat room has a nickname containing '<br>',
then libpurple ends up having two users with username ' ' in the room,
and Finch crashes in this situation. We do not believe there is a
possibility of remote code execution (CVE-2010-0420).
oCERT notified us about a problem in Pidgin, where a large amount of
and Denial of Service.
Background
==========
MySQL is a popular multi-threaded, multi-user SQL server.
Affected packages
=================
-------------------------------------------------------------------
*Vulnerability Description*
MacOS X Server 10.5 [1], also known as Leopard Server, features a Wiki
Server [2], which is a multiuser web application written in Python. The
Wiki Server is vulnerable to a path traversal attack, which can be
exploited by non-privileged system users via a forged file upload to
write arbitrary files to locations in the server filesystem, restricted
only by the privileges of the Wiki Server application.
4. Affected Components Description
==================================
According to the vendor, "SAP Enterprise Portal offers a single point of access to SAP and non-SAP information sources, enterprise applications,
information repositories, databases, and services inside and outside your organization - all integrated in a single user experience".
5. Vulnerability Details
========================
algorithm of Windows DNS Server. By observing a few consecutive
transaction IDs from the same DNS server an attacker can predict
its next value.
1/24/2010
With the GUI Sun Update Manager being used to install patches on a system,
local users can easily run scripts and create symlinks in an attempt to
clobber files and potentially escalate privileges, as this application is
typically run in multi-user mode.
Many patches use insecure file creation in /tmp to store data during
installation. The easiest one to exploit is /tmp/CLEANUP which is used in a
handful of package installation scripts:
script code is typically:
http://owl.sourceforge.net/
http://www.datensalat.eu/~fabian/cve/CVE-2008-3100-Owl.html
Description:
Owl is a multi-user document repository (knowledgebase) system for
publishing files/documents onto the web. The application is vulnerable
to simple Cross Site Scripting, which can be used for several issues.
Example:
Assuming Owl is installed on http://localhost/Owl/, one can inject
> http://www.wolfram.com/products/mathematica/index.html
>
> Mathematica7 on Linux uses the /tmp/MathLink directory in insecure ways.
> Mathematica creates or re-uses an existing /tmp/MathLink directory, and
> overwrites files within and follows symlinks. This type of behaviour is
> "known unsafe" on multi-user machines e.g. University login servers.
> As a classic example of a symlink attack, if an "attacker" uses:
>
> mkdir /tmp/MathLink; ln -s /home/victim/.bashrc /tmp/MathLink/.gshmm
>
> then when the victim runs Mathematica his ~/.bashrc will be clobbered.
> This should not be classified as any kind of vulnerability as there is no
> way that any harm can be done to a website using this script.
>
> The CB Captcha 2.2 plugin, like all similar Captcha scripts, is used to
> ensure that human intervention is needed. The "bug" (at best) reported
> only allows a single user seeing the generated Captcha image to use its
> code during the active session period.
>
> There is no harm that can be done to the system using this. Thus while
> this is a bit of odd behavior it does not represent a security flaw.
>
QuiXplorer <= 2.4.1beta standalone and as a Mambo/Joomla component
'lang' parameter Remote Code Execution Vulnerability.
II. BACKGROUND
-------------------------
QuiXplorer is a multi-user, web-based file manager. It allows you to
manage and/or share files over the Internet or an intranet.
It is currently available in many languages, under the GPL and MPL
licenses, and is referenced in other open source projects.
III. DESCRIPTION
A Denial of Service vulnerability was found in MySQL.
gain access to other databases.
The vulnerabilities have been fixed in Norman's compression library (NCL) 5.99.07,
released on Norman's Internet update servers as an automatic update on 03 June 2009.
This solves the vulnerability for all updated Norman products except for
Norman Network Protection
- Norman Virus Control single user and corporate versions
- Norman Internet Control
- Norman Virus Control E-mail plugins
- Norman Endpoint Protection
- Norman Security Suite
- Norman Network Protection
Problem Description:
A vulnerability was discovered and corrected in backuppc:
CgiUserConfigEdit in BackupPC 3.1.0, when SSH keys and Rsync are in
use in a multi-user environment, does not restrict users from the
ClientNameAlias function, which allows remote authenticated users to
read and write sensitive files by modifying ClientNameAlias to match
another system, then initiating a backup or restore (CVE-2009-3369).
This update provides a fix for this vulnerability.
In the form there is no protection against automated requests (captcha).
XSS:
It's single-user persistent XSS (when the user is logged in at the site).
POST request to the profile page http://site/account.php. The code will work on the
profile page (fields Name, Email, Phone, Address 1, Address 2, City, Region)
and on all external pages of the site (field Name).
> execute programs even if you lock the desktop of the guest OS.
As opposed to pausing the VM, editing the virtual memory image and
unpausing the VM? No scripting interface is needed. How about editing
the virtual disk image and replacing one of the cron scripts with a
shell-on-a-port? Rebooting the VM and going single user? If you control
the VMware process, you control the guest. Fully and Completely.
> Mark Burnett
> http://xato.net
> Thus Debian kernel team should be blamed for that misbehaviour. Don't
> worry, hardlinks behave just the same way, as you describe. Use authentic
> Linux kernels, if you dislike that.
Shall we blame Red Hat too? Just tested on 2.6.18-164.2.1.el5,
although with a single user since I don't actually run RHEL on
any of my own computers.
Ivan
I. BACKGROUND
"osTicket is a widely-used open source support ticket system. It seamlessly
integrates inquiries created via email and web-based forms into a simple
easy to use multi-user web interface. Easily manage, organize and archive
all your support requests and responses in one place while providing your
clients with accountability and responsiveness they deserve." [1]
Resources:
* Homepage: http://siege.org/projects/phpMyID/
* Demo: http://phpmyid.com
Background:
phpMyID is a single user OpenID identity provider implemented in PHP.
Problem description:
The MyID.php script does not sanitize the input it is supposed to be given
by the site where the user wants to be authenticated. When the return_to
address does not have the same "root" as trust_root it aborts, opening a
http://yehg.net/lab/pr0js/advisories/joomla/com_bc_xss(rid).jpg
6. IMPACT
As this is a multi-user chat application "component", the impact of
XSS is huge, ranging from cookie theft to mass client exploits.
7. SOLUTION
#
#-->WEB: http://www.bigace.de/
#-->DOWNLOAD: http://downloads.sourceforge.net/bigace/
#-->DEMO: http://www.bigace.de/demo.html
#-->CATEGORY: CMS / Blogging
#-->DESCRIPTION: BIGACE is an easy-to-use multisite, multilanguage and multiuser
# Web CMS, written for PHP/MySQL. Uses FCKeditor for HTML editing...
#-->RELEASED: 2009-04-27
#
#CMS VULNERABILITY:
#
kinds of issues. Web browsers are just the first to get this kind
of attention. All products that support plugins, whether web-based
or not, should be examined for this type of problem.
The MyID.php script does not sanitize the input it is supposed to be given
by the site where the user wants to be authenticated. When the site would
try to know whether the user is authenticated at the identity provider, and