
sysadmin

Re: /proc filesystem allows bypassing directory permissions on Linux

valid and important (and expected) feature of file access semantics.

That said, the user in the example already has access to the file (in
a running process), and would be able to do so again, *if he had
access to a directory where the file was hard-linked*.  Pavel
described that the sysadmin checked for that, but even if this worked
as expected, there's a race condition where the user could create the
hard link after the sysadmin checked, but before the permissions were
corrected.  Unlikely, I know... but possible.

There's a nearly identical case that works in all Unixen, AFAIK:  You

Re: Vulnerabilities in NovaBoard

: you can see the letter which was posted last week by one developer of 
: one such vulnerable web application ---
 
    from my reading of that exchange, i "thought" the author a 'system 
administrator', rather THAN, the programmer of the flawed application.  
from my experience, a sysadmin seldom enjoys the freedom programmers 
enjoy.

 
: it's the only way to draw the attention of web developers to these issues.


Re: /proc filesystem allows bypassing directory permissions on Linux

> On Sat, Oct 24, 2009 at 01:46:17AM -0500, Derek Martin wrote:
>
> ||  That said, the user in the example already has access to the file (in
> ||  a running process), and would be able to do so again, *if he had
> ||  access to a directory where the file was hard-linked*.  Pavel
> ||  described that the sysadmin checked for that, but even if this worked
> ||  as expected, there's a race condition where the user could create the
> ||  hard link after the sysadmin checked, but before the permissions were
> ||  corrected.  Unlikely, I know... but possible.
>
> That race is easily fixed.

Re: /proc filesystem allows bypassing directory permissions on Linux

On Sat, Oct 24, 2009 at 01:46:17AM -0500, Derek Martin wrote:

||  That said, the user in the example already has access to the file (in
||  a running process), and would be able to do so again, *if he had
||  access to a directory where the file was hard-linked*.  Pavel
||  described that the sysadmin checked for that, but even if this worked
||  as expected, there's a race condition where the user could create the
||  hard link after the sysadmin checked, but before the permissions were
||  corrected.  Unlikely, I know... but possible.

That race is easily fixed. After chmodding the directory to 0700, *first*

SEC Consult SA-20090525-1 :: Nortel Contact Center Manager Server Password Disclosure Vulnerability

Vulnerability description:
--------------------------

The following SOAP request queries the user data for the user
"sysadmin":

---
POST /Common/WebServices/SOAPWrapperCommon/SOAPWrapperCommonWS.asmx HTTP/1.1
Host: 10.1.2.3

[SECURITY] [DSA 2062-1] New sudo packages fix environment sanitization bypass vulnerability

CVE Id         : CVE-2010-1646
Debian Bug     : 585394


Anders Kaseorg and Evan Broder discovered a vulnerability in sudo, a
program designed to allow a sysadmin to give limited root privileges to
users, that allows a user with sudo permissions on certain programs to
use those programs with an untrusted value of PATH.
This could possibly lead to certain intended restrictions being bypassed,
such as the secure_path setting.


+ Trivantis CourseMill Enterprise Learning Management System - SQL Injection - CVE-2007-6338

username: '
password: test

An unrecoverable error has occurred.
Please report this message to your system administrator.
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''''' at line 1
Exit
©2006 Trivantis Corporation. Trivantis and CourseMill are registered trademarks of Trivantis. All Rights Reserved.

EXPLOITATION:

FreeBSD Security Advisory FreeBSD-SA-09:11.ntpd

restrict which systems can send NTP packets to ntpd(8).

Note that systems will only be affected if they have the "autokey" option
set in /etc/ntp.conf; FreeBSD does not ship with a default ntp.conf file,
so will not be affected unless this option has been explicitly enabled by
the system administrator.

V.   Solution

Perform one of the following:


Re: [Full-disclosure] 3rd party patch for XP for MS09-048?

>
> Thank you all for your valuable comments... Indeed I appreciated some of the
> links/info extended (Susan, Thor and Tom) However, in the end, it sounded
> like:
>
> a) As a sysadmin in charge of maintaining XP systems along with a whole
> shebang of other mix setups, unless I deploy a "better" firewall solution, I
> seem to be SOL.
>
> b) M$ is trying to boost Win7 sales... Whoopdee-@#$%#^-doo... As was stated
> earlier, they did the exact same thing back in Win2K days... Nothing new

PacerCMS Multiple Vulnerabilities (XSS/SQL)

- Details

PacerCMS is susceptible to both persistent cross-site scripting and
SQL injection attacks.  An attacker could use the public
'Write a Letter' (submit.php) form to send a message to the System
Administrator or staff member containing JavaScript.  The name,
headline, or text POST variables are not sufficiently sanitized.

The system administrator of the CMS sees a list of submitted
messages on siteadmin/index.php right after logging in.  If an
attacker sends a message containing JavaScript in the name or

FreeBSD Security Advisory FreeBSD-SA-10:04.jail

including descriptions of the fields above, security branches, and the
following sections, please visit <URL:http://security.FreeBSD.org/>.

I.   Background

The jail(2) system call allows a system administrator to lock a process
and all of its descendants inside an environment with a very limited
ability to affect the system outside that environment, even for
processes with superuser privileges.  It is an extension of, but
far more powerful than, the traditional UNIX chroot(2) system call.


RE: [Full-disclosure] 3rd party patch for XP for MS09-048?

Thank you all for your valuable comments... Indeed I appreciated some of the
links/info extended (Susan, Thor and Tom) However, in the end, it sounded
like:

a) As a sysadmin in charge of maintaining XP systems along with a whole
shebang of other mix setups, unless I deploy a "better" firewall solution, I
seem to be SOL.

b) M$ is trying to boost Win7 sales... Whoopdee-@#$%#^-doo... As was stated
earlier, they did the exact same thing back in Win2K days... Nothing new

Hosting Controller - Multiple Security Bugs (Extremely Critical)

Title: Multiple Security Bugs In Hosting Controller
Critical: Extremely critical
Impact: Full system administrator access
Vendor: Hosting Controller
Version: 6.1 Hot fix <= 3.3
Vendor URL: www.hostingcontroller.com
Solution: N/A From company - There is temporary solution in this report
Exploit: Available
Release Date: 2007 - December
Credit: www.BugReport.ir

OCS Inventory NG Server <= 1.3b3 (login) Remote Authentication Bypass

== Description ==

Open Computer and Software (OCS) Inventory Next Generation (NG) is an
application designed to help a network or system administrator keep track
of the configuration of computers and the software installed on the network.

The vulnerability is an SQL injection in the header.php file.
An attacker could pass a special SQL string which can be used to create/modify
information stored in the database or to authenticate as any user.

UPDATE: DISA Unix SRR root compromise / CVE-2009-4211 / VU#433821

### Verify the output directory is empty
Don't Panic! # ls -al /var/tmp/fcs/outdir
total 8
drwx------   2 root     root           2 Dec  8 23:00 .
drwxr-xr-x   4 fstuart  sysadmin      47 Dec  8 21:47 ..

### Verify my unprivileged, simulated malware is in place.  It will
### write a root-owned file in the /var/tmp/fcs/outdir if executed
### by root.
Don't Panic! # ls -dl /var/tmp/fcs/testdir/vncserver

Re: /proc filesystem allows bypassing directory permissions on Linux

> directory but for whatever reason keeps scribbling in files with wrong
> permission in it. While I cannot think of a current example, out of the
> older ones at least one of the Word Perfect versions for linux used to
> do that.
>
> By tightening up the protection on the directory the sysadmin can
> mitigate the problem. It is in fact the standard way of doing this.
>
If the application sets wrong permissions on files, it is by definition broken. 
Yes, setting more restrictive directory permissions can to some extent mitigate 
the problem, but not really fix it. What if that application is used by multiple 

Re: /proc filesystem allows bypassing directory permissions on Linux

directory but for whatever reason keeps scribbling in files with wrong
permission in it. While I cannot think of a current example, out of the
older ones at least one of the Word Perfect versions for linux used to
do that. 

By tightening up the protection on the directory the sysadmin can
mitigate the problem. It is in fact the standard way of doing this. 

On Sat, 2009-10-24 at 01:12 +0400, Dan Yefimov wrote:
> On 24.10.2009 0:35, Matthew Bergin wrote:
> > doesn't look like the original owner is trying to write to it. Shows it

Re: [Full-disclosure] 3rd party patch for XP for MS09-048?

>>> some of the
>>> links/info extended (Susan, Thor and Tom) However, in the end, it 
>>> sounded
>>> like:
>>>
>>> a) As a sysadmin in charge of maintaining XP systems along with a whole
>>> shebang of other mix setups, unless I deploy a "better" firewall 
>>> solution, I
>>> seem to be SOL.
>>>
>>> b) M$ is trying to boost Win7 sales... Whoopdee-@#$%#^-doo... As was 

Re: Holes in the firewall of Mac OS X Leopard

services by default (you can enable UDP filtering in the Advanced  
settings).  So no change here from the status quo.

-- 
brandon s. allbery [solaris,freebsd,perl,pugs,haskell] allbery@kf8nh.com
system administrator [openafs,heimdal,too many hats] allbery@ece.cmu.edu
electrical and computer engineering, carnegie mellon university    KF8NH




Re: [Full-disclosure] 3rd party patch for XP for MS09-048?

>
> Thank you all for your valuable comments... Indeed I appreciated some of the
> links/info extended (Susan, Thor and Tom) However, in the end, it sounded
> like:
>
> a) As a sysadmin in charge of maintaining XP systems along with a whole
> shebang of other mix setups, unless I deploy a "better" firewall solution, I
> seem to be SOL.
>
> b) M$ is trying to boost Win7 sales... Whoopdee-@#$%#^-doo... As was stated
> earlier, they did the exact same thing back in Win2K days... Nothing new

VMSA-2010-0009 ESXi ntp and ESX Service Console third party updates

  * hosted products are VMware Workstation, Player, ACE, Server, Fusion.

 h. Service Console package sudo updated to 1.6.9p17-6.el5_4

    Sudo (su "do") allows a system administrator to delegate authority
    to give certain users (or groups of users) the ability to run some
    (or all) commands as root or another user while providing an audit
    trail of the commands and their arguments.

    When a pseudo-command is enabled, sudo permits a match between the

[ GLSA 201006-09 ] sudo: Privilege escalation

arbitrary commands.

Background
==========

sudo allows a system administrator to give users the ability to run
commands as other users.

Affected packages
=================


[ GLSA 200902-01 ] sudo: Privilege escalation

A vulnerability in sudo may allow for privilege escalation.

Background
==========

sudo allows a system administrator to give users the ability to run
commands as other users.

Affected packages
=================


[SECURITY] [DSA 2006-1] New sudo packages fix several vulnerabilities

Debian-specific: no
CVE Id(s)      : CVE-2010-0426 CVE-2010-0427
Debian Bugs    : 570737

Several vulnerabilities have been discovered in sudo, a program
designed to allow a sysadmin to give limited root privileges to users
database server.
The Common Vulnerabilities and Exposures project identifies the
following problems:



FreeBSD Security Advisory FreeBSD-SA-07:01.jail [REVISED]

v1.0 2007-01-11  Initial release.
v1.1 2007-08-01  Corrected patch for FreeBSD 5.5.

I.   Background

The jail(2) system call allows a system administrator to lock a process
and all of its descendants inside an environment with a very limited
ability to affect the system outside that environment, even for
processes with superuser privileges.  It is an extension of, but
far more powerful than, the traditional UNIX chroot(2) system call.


[ GLSA 201003-01 ] sudo: Privilege escalation

privileges and execute arbitrary code with root privileges.

Background
==========

sudo allows a system administrator to give users the ability to run
commands as other users.

Affected packages
=================



