Failing RPC calls might interfere with e.g.
- network connectivity (no IP address acquired, no IP address release/renew, …)
- applications utilizing COM/DCOM interfaces
- machine’s sound system
The error has been found to occur on reception of DHCPv6 Reply (message type 7)
packets, containing the option “Domain Search List” (option type 24) with an empty domain.
Affected Systems
The device is vulnerable if the configuration has a Layer 7 class map
and Layer 7 policy map for HTTP deep packet inspection (DPI), and
these policies are applied to any firewall zone. To determine whether
the device is running a vulnerable configuration of Cisco IOS
firewall AIC for HTTP, log in to the device and issue the CLI command
show policy-map type inspect zone-pair | section packet inspection.
If the output contains Policy: http layer7-policymap name, the
device is vulnerable. The following example shows the response from a
vulnerable device:
Router#show policy-map type inspect zone-pair | section packet inspection
---[cut]---
// All tests are on by default. Most can be turned off by $override[{test_name}] = false;
$test_form = true;
$test_size = true;
// If you override this, you must provide $ext and $type!!!!
$test_type = true;
$mimes = false;
---[cut]---
// A properly uploaded file will pass this test. There should be no reason to override this one.
=======
Background for RC4-keyed RFC 3961 checksum issues:
The hmac-sha1-des3, hmac-sha1-96-aes128, and hmac-sha1-96-aes256
checksum types are specified to be used with 3DES, AES128, and AES256
keys respectively, but MIT krb5 allows these checksum types to be used
with any type of key. All three checksum types make use of a key
derivation algorithm built around the block encryption operation of
the key's encryption type.
Router#
Note: The device is vulnerable if configured with Zone-Based
Firewall, regardless of the type of packet inspection being
performed.
* Cisco IOS Software Denial of Service when processing specially
crafted HTTP packets
http://downloads.vmware.com/d/info/datacenter_downloads/vmware_vsphere_4/4_0
Release Notes:
http://downloads.vmware.com/support/pubs/vs_pages/vsp_pubs_esx41_vc41.html
File type: .iso
md5sum: 729cf247aa5d33ceec431c86377eee1a
sha1sum: c1e10a5fcbc1ae9d13348d43541d574c563d66f0
File type: .zip
md5sum: fd1441bef48a153f2807f6823790e2f0
Survey: "MIME/Content-Type-Sniffing" Issues in Image Uploads in Forum Scripts
Author: Jacques Copeau
Abstract
====================================================
Internet Explorer, especially versions 7 and 6, can be tricked to treat images
as html, opening XSS vulnerabilities in software that allows uploads.
In a survey, we found myBB, fluxBB, phorum, SMF and WBB to be vulnerable to
such attacks.
Xpdf is an open-source viewer for Portable Document Format (PDF) files. Xpdf project also includes
a PDF text extractor, PDF-to-PostScript converter, and various other utilities. Xpdf runs under
the X Window System on UNIX, VMS, and OS/2. The non-X components (pdftops, pdftotext, etc.) also
run on Win32 systems and should run on pretty much any system with a decent C++ compiler.
Xpdf is designed to be small and efficient. It can use Type 1, TrueType, or standard X fonts.
Details:
(By the way the router I connect to is a Cisco 2621XM)
Installing and configuring minicom:
In Ubuntu type "apt-get install minicom"
Connect the console port of your router to your PC using a Cisco UTP -> DB9 cable
type "minicom -s"
http://downloads.vmware.com/support/vsphere4/doc/vsp_esxi41_u1_rel_notes.html
http://kb.vmware.com/kb/1027919
File type: .iso
MD5SUM: d68d6c2e040a87cd04cd18c04c22c998
SHA1SUM: bbaacc0d34503822c14f6ccfefb6a5b62d18ae64
ESXi 4.1 Update 1 (upgrade ZIP from ESXi 4.1)
File type: .zip
(named); a resolver library (routines for applications to use when
interfacing with DNS); and tools for verifying that the DNS server
is operating correctly.
A flaw was found in the way BIND handles dynamic update message
packets containing the "ANY" record type. A remote attacker could
use this flaw to send a specially-crafted dynamic update packet
that could cause named to exit with an assertion failure.
The Common Vulnerabilities and Exposures project (cve.mitre.org)
has assigned the name CVE-2009-0696 to this issue.
attachment. Exploitation of these vulnerabilities requires user intervention.
Although these specific vulnerabilities exist in a third-party component,
the problem is compounded by the way Lotus Notes displays information about
attachments, making it easier to elicit unsuspecting assistance from the
users to exploit them. Lotus Notes displays the file type and
corresponding icon based on the attached file’s extension rather than the
MIME Content-Type header in the email whereas the view functionality is
handled by the Verity KeyView component which processes the attachment
based on the file contents. Exploitation of these vulnerabilities
requires end-user interaction but the discrepancy described above could
Application: Rittal CMC-TC PU II Web management
Devices: CMC-TC PU II DK 7320.100 SW: V2.45 HW: V3.01,
possibly other Rittal products
Attack type : XSS Type I, XSS Type II, Session prediction,
Remote command execution in default configuration
Severity: Moderate
Vendor Status: Vendor notified.
Patch already available for XSS vulnerabilities.
Other vulnerabilities will be addressed in a future
http://office.microsoft.com/excel/
II. DESCRIPTION
Remote exploitation of a type confusion vulnerability in Microsoft
Corp.'s Excel could allow an attacker to execute arbitrary code with
the privileges of the current user.
This vulnerability is a type confusion vulnerability that occurs when
parsing several related Excel record types. In this case, the type
the functions linkresolve/linkresolveip initialize data for the new entry (address/domain)
and try once more to find it in the cache. So let's look at the function sendrequest():
"dns.c"
void sendrequest(struct resolve *rp,int type)
{
do {
idseed = (((idseed + idseed) | (long)time(NULL)) + idseed - 0x54bad4a) ^ aseed;
aseed^= idseed;
rp->id = (word)idseed;
The standard protocol that AIM clients use to communicate is called OSCAR
(Open System for CommunicAtion in Realtime), which is a closed protocol
also used by AOL's secondary Instant Messaging client, ICQ (I Seek You).
On top of the OSCAR protocol, AIM clients have implemented support for
enhanced message types that use features provided by the HTML (Hyper Text
Markup Language) in order to, for example, provide AIM users with the
possibility of exchanging text messages with specific font formats or
colors. AIM 6.1, AIM 6.2 (beta), AIM Pro and AIM Lite have embedded an
Internet Explorer server control in the message display window in order to
facilitate the parsing and displaying of HTML controls. It is a common
Reference: http://www.htbridge.ch/advisory/xss_vulnerability_in_pimcore.html
Product: pimcore
Vendor: elements.at New Media Solutions GmbH. ( http://www.pimcore.org/ )
Vulnerable Version: 1.1.0 and Probably Prior Versions
Vendor Notification: 02 August 2010
Vulnerability Type: Stored XSS (Cross Site Scripting)
Status: Not Fixed, Vendor Alerted, Awaiting Vendor Response
Risk level: Medium
Credit: High-Tech Bridge SA - Ethical Hacking & Penetration Testing (http://www.htbridge.ch/)
Vulnerability Details:
Runtime protection is provided through the .NET Code Access Security
(CAS) infrastructure. Security is applied at the application level,
instead of the individual assembly level as it is in a normal .NET
application. The entire ClickOnce application is treated as a single
unit. The application manifest specifies what security permissions the
application needs to run.
At launch, the URL or UNC path from which the application is deployed is
evaluated by the runtime. Using the deployment path, the application is
associated with one of the following security zones: Local Machine,
Virtual Center.
To stop WebAccess without a reboot:
Change the status of the VMware Infrastructure Web Access
service to stop
To prevent WebAccess from starting after the next reboot:
Change the startup type of the VMware Infrastructure Web
Access service to disabled
ESX 3.0.3 and ESX 3.5:
Open a root shell on ESX.
To stop WebAccess without a reboot:
VMware vCenter Server 4 Update 1
--------------------------------
Version 4.0 Update 1
Build Number 208156
Release Date 2009/11/19
Type Product Binaries
http://downloads.vmware.com/download/download.do?downloadGroup=VC40U1
VMware vCenter Server 4 and modules
File size: 1.8 GB
File type: .iso
The following example shows a system with an FWSM (WS-SVC-FWM-1)
installed in slot 4.
switch#show module
Mod Ports Card Type Model Serial No.
--- ----- -------------------------------------- ----------------- -----------
1 48 SFM-capable 48 port 10/100/1000mb RJ45 WS-X6548-GE-TX SAxxxxxxxxx
4 6 Firewall Module WS-SVC-FWM-1 SAxxxxxxxxx
5 2 Supervisor Engine 720 (Active) WS-SUP720-BASE SAxxxxxxxxx
6 2 Supervisor Engine 720 (Hot) WS-SUP720-BASE SAxxxxxxxxx
}
$url ="http://$host:$port".$path."index.php";
$out= _s($url,"");
$_tpcs=xtrct_tpc($out);
$_types=array("links","stories","filemgmt","forum");
$_t=false;
for ($i=0; $i<count($_tpcs); $i++){
for ($j=0; $j<count($_types); $j++){
$url ="http://$host:$port".$path."search.php?query=a+a+a&keyType=all&datestart=&dateend=&topic=".$_tpcs[$i]."&type=".$_types[$j]."&author=0&results=25&mode=search";
$out= _s($url,"");
many other things.''
-- Vim User Manual, Chapter 41 (usr_41.txt)
How much is Vim Script used throughout Vim?
$ find /usr/local/share/vim -type f -name \*.vim | wc -l
1037
$ find /usr/local/share/vim -type f -name \*.vim -exec cat {} \; \
| wc 2>/dev/null
149617 710299 6502709
The vulnerability occurs when
a malformed /ExtGState resource
is parsed. In this case the ExtGState
resource was supplanted with a /Font
resource, but the type of the resource
continued being ExtGState:
261 0 obj
<</Type /Page /Parent 126 0 R /MediaBox [0 0 259 408 ]/CropBox [0 0 531 666 ]/Resources <</ProcSet [/PDF /Text] /ExtGState <</R7 7 0 R>>>> /Contents [20 0 R]>>
endobj
print "sendDirList: Transfer complete\r\n"
def handleUSER (sock, cmd, argz): sock.send("331 Password required for user\r\n")
def handlePASS (sock, cmd, argz): sock.send("230 User logged in.\r\n")
def handleSYST (sock, cmd, argz): sock.send("215 UNIX Type: L8\r\n")
def handleFEAT (sock, cmd, argz): sock.send("211-Features:\r\n MDTM\r\n REST STREAM\r\n211 End\r\n")
def handleTYPE (sock, cmd, argz): sock.send("200 Type set to " + argz + "\r\n")
def handlePASV (sock, cmd, argz): sock.send("227 Entering Passive Mode (127,0,0,1,10,10)\r\n")
Vulnerable Parameters:
group=Test"<script>alert("Test+XSS")</script>
members= Test"<script>alert("Test+XSS")</script>
Type: Reflective
------------------------------------------------------------
http://vulnerable-site.com/wiki/Edit.jsp?page=Main&action=save&edittime=1186698299838&addr=127.0.0.1&_editedtext=Test&changenote=Test&ok=Save
Vulnerable Parameters:
edittime=<script>alert("Test+XSS")</script>
#define IP_HDR_SIZE 20
#define GRE_HDR_SIZE 4
#define GRE_KEY_SIZE 4
#define NHRP_HDR_SIZE 62
/* Function prototypes */
int open_socket (void);
int close_socket (int);
int send_dos(int, unsigned long, unsigned long, unsigned long);
unsigned long resolve_ip (char *);
unsigned long get_int_ipv4 (char *);