Next Page >>
tested
Reasons:
1. unsanitized user submitted parameter "origmsg" is used in sql query
Preconditions:
1. attacker must be logged in as valid user
Test:
http://localhost/torrenttrader109/account-inbox.php?msg=1&receiver=waraxe&origmsg=foobar&delete=yes
Result: "MYSQL Error has occurred!"
addr = net_addr(at);
if( addrcmp( (void *) addr, (void *) &unspec_addr, af ) != 0 ) {
name = dns_lookup(addr); [1]
if(name != NULL) {
/* May be we should test name's length */ [!!]
sprintf(newLine, "%s %d %d %d %d %d %d", name, [2]
net_loss(at),
net_returned(at), net_xmit(at),
net_best(at) /1000, net_avg(at)/1000,
net_worst(at)/1000);
0033:00000000`7701d12c e8dfdc0400 call ntdll!RtlpNotOwnerCriticalSection (00000000`7706ae10)
0033:00000000`7701d131 90 nop
0033:00000000`7701d132 e9c457feff jmp ntdll!RtlpFreeHeap+0x1ea2 (00000000`770028fb)
0033:00000000`7701d137 65488b042530000000 mov rax,qword ptr gs:[30h]
0033:00000000`7701d140 488b4860 mov rcx,qword ptr [rax+60h]
0033:00000000`7701d144 f6817803000001 test byte ptr [rcx+378h],1
0033:00000000`7701d14b 0f846f56feff je ntdll!RtlpFreeHeap+0x1e28 (00000000`770027c0)
0033:00000000`7701d151 807c245000 cmp byte ptr [rsp+50h],0
0033:00000000`7701d156 0f856456feff jne ntdll!RtlpFreeHeap+0x1e28 (00000000`770027c0)
0033:00000000`7701d15c 448b842498000000 mov r8d,dword ptr [rsp+98h]
0033:00000000`7701d164 498bd5 mov rdx,r13
1. Summary
Product : Vim -- Vi IMproved
Version : Tested with 7.1.314 and 6.4
Impact : Arbitrary code execution
Wherefrom: Local and remote
Original : http://www.rdancer.org/vulnerablevim.html
Improper quoting in some parts of Vim written in the Vim Script can lead to
arbitrary code execution upon opening a crafted file.
1. Summary
Product : Vim -- Vi IMproved
Version : >= 7.2a.013; tested with 7.2b
Impact : Arbitrary code execution
Wherefrom: Local, possibly remote
Original : http://www.rdancer.org/vulnerablevim-shellescape.html
http://www.rdancer.org/vulnerablevim-latest.tar.bz2
Improper implementation of the shellescape() function and lack of
The Windows operating system supports a range of file permissions
for files stored on volumes formatted in the NTFS file system format.
For executing EXE files, the acting user account only needs the
"Execute File" permission, while all others might be missing or denied,
allthough there are cases when this is not true. The exact rule is unknown
to the author. In the system used to test and verify the vulnerability
the Execute File was enough to run programs. On another system running
Windows 7 that was not true. Start of EXE files succeeded only if other
permissions were enabled, including the Read Data permission. On another
older system (XP or Windows 2003) the "Read Attributes" permission was
required for program execution.
Hello MaXe!
> However, I just tested the vulnerability in chrome and the incidents were
> different.
As I said on my system it's solely Chrome DoS vulnerability. On my system
with Firefox 3.0.13 (and previous versions, when I tested them before) there
is not such issue, when Firefox was DoSed via Chrome, i.e. Cross-Application
DoS. Taking into account that you have this issue with Firefox 3.5.2, than
it can be problem with FF 3.5.x versions, which have tight integration with
Advisory: IceWarp WebMail Server: SQL Injection in Groupware Component
During a penetration test RedTeam Pentesting discovered multiple
SQL-Injections in the IceWarp WebMail Server. Attackers that are in
control of a user account for the web-based email and groupware
components are able to execute arbitrary SQL SELECT statements and
therefore read any data from the DBMS that are accessible by the Icewarp
eMail Server.
voice, and video over the Internet. It is maintained by AOL LLC. AIM Pro
is AOL's business-oriented version of AIM targeted for professional use
with an emphasis on "business-grade" security and integration with email
client and other productivity applications
(http://aimpro.premiumservices.aol.com/) AIM Lite, as defined in its
website (http://x.aim.com/laim/), is a reference application used to test
new technology also developed by AOL and available for the public in the
form of a "light IM client".
A vulnerability was discovered in these three popular versions of AOL
Instant Messaging software, AIM 6.1 (and 6.2 beta), AIM Pro and AIM Lite,
voice, and video over the Internet. It is maintained by AOL LLC. AIM Pro
is AOL's business-oriented version of AIM targeted for professional use
with an emphasis on "business-grade" security and integration with email
client and other productivity applications
(http://aimpro.premiumservices.aol.com/) AIM Lite, as defined in its
website (http://x.aim.com/laim/), is a reference application used to test
new technology also developed by AOL and available for the public in the
form of a "light IM client".
A vulnerability was discovered in these three popular versions of AOL
Instant Messaging software, AIM 6.1 (and 6.2 beta), AIM Pro and AIM Lite,
------------------
Information
------------------
Name: SQL Injection Vulnerabilities in TestLink
Software tested: TL v1.8.5b & checked in v1.9.3 (prior version may be
affected)
Vendor Homepage: http://www.teamst.org
Vendor Notification: 27 January 2012
Vendor Patch: 4 February 2012
Public Disclosure: 20 February 2012
* 24/09/2009: Vulnerability discovery and analysis;
* 26/09/2009: The vendor was notificated via e-mail;
* 26/09/2009: Vendor response and a new release publicly available;
* 27/09/2009: The researcher starts coding the exploit;
* 29/09/2009: Exploit complete and tested.
Workaroud
---------
Update to the newer version 0.812.2
Affected Product
=================
1 MPlayer 1.0rc1 and prior (we tested version 20070729)
2 media player classic v6.4.9.0 and prior; and other produces base on it.
( mympc 1.0.0.1 and StormPlayer 1.0.4)
3 KMPlayer v2.9.3.1210 and prior
Find below the details of a vulnerability in the HP Quality Center product (formely Mercury Quality Center).
Introduction
------------------
Quality Center (QC) is a web-based QA testing and management tool. It is a product from HP when they took over Mercury Interactive last year.
The front-end of the application is composed of COM components that plug into the web browser. Quality Center provides a customization capability (called workflow) which allow the administrator to modify the default behavior. This workflow is driven by VBScript functions that are called whenever a particular event occurs on the client front-end.
In order to optimize the interaction speed of the application, a cache folder is created on the client machine. By default, this folder is located at %tmp%/TD_80. Whenever a user connects to a Quality Center project, 2 folders are created within the cache folder. One of these folders contain a copy of the workflow scripts used to customize the application. Indeed, those files are required on the client machine because the workflow is execute on the client, not on the server.
malformed url the browser can be chash easy.This issue is exploitable
via web links like <a href="very long url">click here</a> or via
window.location.replace('very long url') or similar vectors.
#################
Versions Tested
#################
I have tested this issue in win xp sp3 and a windows 7 fully pached.
Win XP sp3:
. Foxit Reader 3.0 build 1506
6. *Vendor Information, Solutions and Workarounds*
The latest version 3.0 build 1506 of Foxit Reader has been released.
Please download the latest version from
http://www.foxitsoftware.com/downloads/ and visit the Foxit security
page for details at http://www.foxitsoftware.com/pdf/reader/security.htm.
allows it to be evaded.
URLs are normalised and unescaped prior to validation using
MPC::HTML::UrlUnescapeW(), which in turn uses MPC::HexToNum() to translate URL
escape sequences into their original characters, the relevant code from
helpctr.exe 5.1.2600.5512 (latest at time of writing) is below.
.text:0106684C Unescape:
.text:0106684C cmp di, '%' ; di contains the current wchar in the input URL.
.text:01066850 jnz short LiteralChar ; if this is not a '%', it must be a literal character.
.text:01066852 push esi ; esi contains a pointer to the current position in URL to unescape.
8.1. *Windows*
/-----------
.text:1000D64D test esi, esi
.text:1000D64F mov eax, esi
.text:1000D651 jnz short loc_1000D658
.text:1000D653
.text:1000D653 loc_1000D653: ; CODE XREF:
Pandora::ClientCore::HTTPConnectionManager::OpenURL(Pandora::EngineCore::String
Debasis Mohanty wrote:
> No offence intended but if you take a little more effort of validating your
> work before posting publicly then you can save yourself from embarrassment.
>
> I don't see anything in the script that can bypass zone security and run
> successfully from internet zone. I am sure you have tested it locally and
> drawn conclusion that the script can execute from internet zone. To test the
> script from internet zone, you need to upload it to a webserver and try
> accessing via browser.
>
> Any VB/Java script will run from local security with a charm but if you can
Please understand that I will not enter that discussion any longer.
Please note that :
V3D> is not malware/intrusion or malware in the form unused in-the-wild
V3D> is not vulnerability.
Is false. It is recognised malware, else the test woulnd't make sense -
obviously.
Regards,
Thierry
allows it to be evaded.
URLs are normalised and unescaped prior to validation using
MPC::HTML::UrlUnescapeW(), which in turn uses MPC::HexToNum() to translate URL
escape sequences into their original characters, the relevant code from
helpctr.exe 5.1.2600.5512 (latest at time of writing) is below.
.text:0106684C Unescape:
.text:0106684C cmp di, '%' ; di contains the current wchar in the input URL.
.text:01066850 jnz short LiteralChar ; if this is not a '%', it must be a literal character.
.text:01066852 push esi ; esi contains a pointer to the current position in URL to unescape.
Hello MustLive,
Thanks for your immediate reply.
I have now tested what you said, cause I suspected that it was only happening because Google Chrome was installed, due to FireFox isn't able to know what ``chromehtml:´´ is on its own. (it has to be associated with an application in this case).
The following would open a lot of windows, consuming most likely all ressources:
http://websecurity.com.ua/uploads/2009/Google%20Chrome%20DoS%20Exploit2.html
FireFox version: FireFox 3.5.2 (Mozilla/5.0 (Windows; U; Windows NT 5.1; da; rv:1.9.1.2) Gecko/20090729 Firefox/3.5.2
> allows it to be evaded.
>
> URLs are normalised and unescaped prior to validation using
> MPC::HTML::UrlUnescapeW(), which in turn uses MPC::HexToNum() to translate URL
> escape sequences into their original characters, the relevant code from
> helpctr.exe 5.1.2600.5512 (latest at time of writing) is below.
>
> .text:0106684C Unescape:
> .text:0106684C cmp di, '%' ; di contains the current wchar in the input URL.
> .text:01066850 jnz short LiteralChar ; if this is not a '%', it must be a literal character.
> .text:01066852 push esi ; esi contains a pointer to the current position in URL to unescape.
1. Exploit is using "preg_replace" e-modifier
2. "register_globals" setting does not matter
3. Sentinel will not stop this exploit
4. POST method will leave clean logs in most real-world cases
Test using GET method:
http://localhost/ravennuke230/modules.php?name=Your_Account&op=avatarlist
&avatarcategory=gallery&patterns[6]=/a/e&replacements[6]=phpinfo()
Test using POST method:
...
> $ time ~/john/john-1.7.9-jumbo-5/run/unique -v -mem=25 1gu < 1g
> Total lines read 1000000000 Unique lines written 697066573
Here's some further analysis of the 1 billion sample used as a training
set along with a separate 1 million sample used as a test set:
Applying the 697 million unique passwords (from the 1 billion sample
above) as a wordlist (6 GB file size) to crack another 1 million of
pwgen'ed passwords cracks 418168 of them (41.8%). For a uniform
distribution (which is not the case), this would correspond to total
to bypass this checkpoint and provides the "location.search" as in the previous
vulnerable versions.
The version 2.1.11 is patched against this vulnerability.
The server side validation introduced in the second generation appears to be a black-list
based filter. All HTML tags tested were blocked by the filter. However the '<BGSOUND>' tag
has not been included in the black-list and it bypasses the server-side validation.
As reported by Rsnake in his XSS Cheat Sheet,'<BGSOUND>' tag is a valid attack vector in
certain versions of Opera.
The latest version (2.1.12) has not yet been tested for this vector. Since only Opera
1. Summary
Product : Vim -- Vi IMproved, Netrw
Version : Tested with Vim 7.2b, Netrw 127
Impact : Arbitrary code execution
Wherefrom: Local, possibly remote
Original : http://www.rdancer.org/vulnerablevim-netrw.v5.html
http://www.rdancer.org/vulnerablevim-latest.tar.bz2
Lack of sanitization throughout Netrw can lead to arbitrary code execution upon
Hey Jon,
I am sorry about the space after the "~", That was a typo.
Its been tested it on all the versions prior to MR4MP1 since the
RTM(11.0.776)
But what's interesting is that the process isn't crashing. But a possible
arbitrary execution of code.
Core Security Technologies - CoreLabs
Advisory
http://www.coresecurity.com/corelabs/
Multiple XSS and Injection Vulnerabilities in TestLink Test Management
and Execution System
1. *Advisory Information*
. XnView 1.97.5
6. *Vendor Information, Solutions and Workarounds*
Update to the latest version of XnView, available on the website
[http://www.xnview.com/]
7. *Credits*
Next Page>>
|
