
system manager

iDefense Security Advisory 04.09.08: EMC DiskXtender File System Manager Stack Buffer Overflow Vulnerability

I. BACKGROUND

EMC DiskXtender is a data backup and migration suite. It consists of
several applications that are used to manage storing large quantities
of files across multiple storage devices. One of the components of
DiskXtender is the File System Manager, which is used to create and
manage backups. For more information see the vendor's website at the
following URL.

http://software.emc.com/products/product_family/diskxtender_family.htm


Cisco Security Advisory: CiscoWorks Common Services Arbitrary Code Execution Vulnerability

CiscoWorks Common Services for both Oracle Solaris and Microsoft
Windows contains a vulnerability that could allow a remote
unauthenticated attacker to execute arbitrary code on a host device
with privileges of a system administrator.

Cisco has released free software updates that address this
vulnerability.

There are no workarounds that mitigate this vulnerability.

Cisco Security Advisory: Apache HTTPd Range Header Denial of Service Vulnerability

|----------------------------------------------------------------+---------------------------|
| Cisco Signaling Gateway Manager                                | CSCts33248                |
|----------------------------------------------------------------+---------------------------|
| Cisco Small Business Network Storage Systems                   | CSCts33288                |
|----------------------------------------------------------------+---------------------------|
| Cisco SSC System Manager                                       | CSCts36187                |
|----------------------------------------------------------------+---------------------------|
| Cisco TelePresence Manager                                     | CSCts33310                |
|----------------------------------------------------------------+---------------------------|
| Cisco TelePresence Multipoint Switch                           | CSCts33224                |
|----------------------------------------------------------------+---------------------------|


Cisco Security Advisory: CDS Internet Streamer: Web Server Directory Traversal Vulnerability

    System was restarted on Thu Jun  3 04:09:25 2010.
    The system has been up for 2 hours, 11 minutes, 27 seconds.

    cdn-cde#

Alternatively the Content Delivery System Manager home page gives a
brief summary of the software versions in use on all the devices in the
content delivery system network.

To view the software version running on a particular device, choose
"Devices > Devices". The Devices Table page displays the software

Re: Holes in the firewall of Mac OS X Leopard

services by default (you can enable UDP filtering in the Advanced  
settings).  So no change here from the status quo.

-- 
brandon s. allbery [solaris,freebsd,perl,pugs,haskell] allbery@kf8nh.com
system administrator [openafs,heimdal,too many hats] allbery@ece.cmu.edu
electrical and computer engineering, carnegie mellon university    KF8NH




FreeBSD Security Advisory FreeBSD-SA-09:11.ntpd

restrict which systems can send NTP packets to ntpd(8).

Note that systems will only be affected if they have the "autokey" option
set in /etc/ntp.conf; FreeBSD does not ship with a default ntp.conf file,
so will not be affected unless this option has been explicitly enabled by
the system administrator.

V.   Solution

Perform one of the following:


[ GLSA 200902-01 ] sudo: Privilege escalation

A vulnerability in sudo may allow for privilege escalation.

Background
==========

sudo allows a system administrator to give users the ability to run
commands as other users.

Affected packages
=================


PacerCMS Multiple Vulnerabilities (XSS/SQL)

- Details

PacerCMS is susceptible to both persistent cross-site scripting and
SQL injection attacks.  An attacker could use the public
'Write a Letter' (submit.php) form to send a message to the System
Administrator or a staff member containing JavaScript.  The name,
headline, and text POST variables are not sufficiently sanitized.

The system administrator of the CMS sees a list of submitted
messages on siteadmin/index.php right after logging in.  If an
attacker sends a message containing JavaScript in the name or

[ GLSA 201003-01 ] sudo: Privilege escalation

privileges and execute arbitrary code with root privileges.

Background
==========

sudo allows a system administrator to give users the ability to run
commands as other users.

Affected packages
=================


Flaw in Microsoft Windows SAM Processing Allows Continued Administrative Access Using Hidden Regular User Masquerading After Compromise (2010-M$-001)

Microsoft Windows computer system using any method, they can either
leave behind a regular user or hijack a known user account (such as
ASPNET). This user account will then have all of the rights of the
built-in local Administrator account from local or remote connections.
The user will also share the Administrator's desktop and profile. When
inspected by system administrators, the regular user always looks like
it is just a member of the built-in Users group. The attacker can also
make the regular user account hard to detect by creating a user whose
username is the ALT-0160 character (a blank space). Events in the audit log
pertaining to the hidden account will be created if the system
administrator has enabled auditing, but the user name fields are all

[ GLSA 201006-09 ] sudo: Privilege escalation

arbitrary commands.

Background
==========

sudo allows a system administrator to give users the ability to run
commands as other users.

Affected packages
=================


OCS Inventory NG Server <= 1.3b3 (login) Remote Authentication Bypass

== Description ==

Open Computer and Software (OCS) Inventory Next Generation (NG) is an
application designed to help a network or system administrator keep track
of the configuration of the computers on the network and the software installed on them.

The vulnerability is an SQL injection in the header.php file.
An attacker could pass a specially crafted SQL string that can be used to create or modify
information stored in the database, or to authenticate as any user.

FreeBSD Security Advisory FreeBSD-SA-07:01.jail [REVISED]

v1.0 2007-01-11  Initial release.
v1.1 2007-08-01  Corrected patch for FreeBSD 5.5.

I.   Background

The jail(2) system call allows a system administrator to lock a process
and all of its descendants inside an environment with a very limited
ability to affect the system outside that environment, even for
processes with superuser privileges.  It is an extension of, but
far more powerful than, the traditional UNIX chroot(2) system call.


Cisco Security Advisory: Cisco Secure Access Control System Unauthorized Password Change Vulnerability

  * User accounts that are defined on external identity stores such
    as a Lightweight Directory Access Protocol (LDAP) server, a
    Microsoft Active Directory server, an RSA SecurID server, or an
    external RADIUS server
  * System administrator accounts for the Cisco Secure ACS server
    itself that have been configured through the web-based interface
  * User accounts for the Cisco Secure ACS server itself that have
    been configured through the "username <username> password <password>"
    CLI command


FreeBSD Security Advisory FreeBSD-SA-10:04.jail

including descriptions of the fields above, security branches, and the
following sections, please visit <URL:http://security.FreeBSD.org/>.

I.   Background

The jail(2) system call allows a system administrator to lock a process
and all of its descendants inside an environment with a very limited
ability to affect the system outside that environment, even for
processes with superuser privileges.  It is an extension of, but
far more powerful than, the traditional UNIX chroot(2) system call.


FLEA-2007-0054-1 lighttpd

Description:
    Previous versions of the lighttpd package are vulnerable to a remote
    Arbitrary Code Execution attack due to a header overflow in the
    mod_fastcgi extension.
    
    Note that the Foresight System Manager (aka rAPA or rAA), the only user of
    lighttpd on a default Foresight install, does not enable the mod_fastcgi
    extension, and so is not vulnerable to this attack.

- ---


Hosting Controller - Multiple Security Bugs (Extremely Critical)

Title: Multiple Security Bugs In Hosting Controller
Critical: Extremely critical
Impact: Full system administrator access
Vendor: Hosting Controller
Version: 6.1 Hot fix <= 3.3
Vendor URL: www.hostingcontroller.com
Solution: None from the vendor; a temporary solution is given in this report
Exploit: Available
Release Date: 2007 - December
Credit: www.BugReport.ir

+ Trivantis CourseMill Enterprise Learning Management System - SQL Injection - CVE-2007-6338

username: '
password: test

An unrecoverable error has occurred.
Please report this message to your system administrator.
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''''' at line 1
Exit
©2006 Trivantis Corporation. Trivantis and CourseMill are registered trademarks of Trivantis. All Rights Reserved.

EXPLOITATION:

Cisco Security Advisory: Cisco Content Delivery System Internet Streamer: Web Server Vulnerability

    System was restarted on Wed Sep 15 06:50:22 2010.
    The system has been up for 1 hour, 25 minutes, 6 seconds.

    cdn-cde#

Alternatively, the Content Delivery System Manager home page gives a
brief summary of the software versions in use on all the devices in
the content delivery system network.

To view the software version running on a particular device, choose
Devices > Devices. The Devices Table page displays the software

[ GLSA 201009-03 ] sudo: Privilege Escalation

attackers to escalate privileges.

Background
==========

sudo allows a system administrator to give users the ability to run
commands as other users.

Affected packages
=================


VMSA-2010-0009 ESXi ntp and ESX Service Console third party updates

  * hosted products are VMware Workstation, Player, ACE, Server, Fusion.

 h. Service Console package sudo updated to 1.6.9p17-6.el5_4

    Sudo (su "do") allows a system administrator to delegate authority
    to give certain users (or groups of users) the ability to run some
    (or all) commands as root or another user while providing an audit
    trail of the commands and their arguments.

    When a pseudo-command is enabled, sudo permits a match between the

iDefense Security Advisory 04.09.08: EMC DiskXtender Authentication Bypass Vulnerability

I. BACKGROUND

EMC DiskXtender is a data backup and migration suite. It consists of
several applications that are used to manage storing large quantities
of files across multiple storage devices. The main components of the
product suite are the File System Manager, the MediaStor and the
License Server. These components all create RPC endpoints that can be
accessed remotely. For more information see the vendor's website at the
following URL.

http://software.emc.com/products/product_family/diskxtender_family.htm

Re: Vulnerabilities in NovaBoard

: you can see the letter which was posted last week by one developer of
: one such vulnerable web application ---
 
    from my reading of that exchange, i "thought" the author a 'system 
administrator', rather THAN, the programmer of the flawed application.  
from my experience, a sysadmin seldom enjoys the freedom programmers 
enjoy.

 
: it's the only way to draw attention of web developers to these issues.
