Next Page >>
users
####################
- Discussion:
####################
1- [Remote Attacker] can login to hosting controller Panel. He can also change all others' passwords.
2- [User] can copy a file to hosting controller web directory which is executed under administrative privilege, so attacker can execute his commands by administrative privilege. e.g. an attacker can gain remote desktop of server using this bug and uploading an ASP file!
3- [Remote Attacker] can make a new user.
4- [Remote Attacker] can change all user's profiles.
5- [User] can see all the database information by a SQL injection.
6- [User] can change his credit amount or increase his discount.
7- [User] can uninstall other's FrontPage extensions.
Vulnerabilities and Exposures project identifies the following problems:
CVE-2010-2524
David Howells reported an issue in the Common Internet File System (CIFS).
Local users could cause arbitrary CIFS shares to be mounted by introducing
malicious redirects.
CVE-2010-3875
Vasiliy Kulikov discovered an issue in the Linux implementation of the
1. Sql Injection vulnerability in "account-inbox.php"
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Reasons:
1. unsanitized user submitted parameter "origmsg" is used in sql query
Preconditions:
1. attacker must be logged in as valid user
Test:
Exposures project identifies the following problems:
CVE-2010-3875
Vasiliy Kulikov discovered an issue in the Linux implementation of the
Amateur Radio AX.25 Level 2 protocol. Local users may obtain access to
sensitive kernel memory.
CVE-2011-0695
Jens Kuehnel reported an issue in the InfiniBand stack. Remote attackers can
designed to provide you with all the features you need from a webshop.
------------------------------------------------------------------------
Insecure installation instructions
------------------------------------------------------------------------
Besides changing the default password for the admin user and removing
the install.php script, no specific instructions are provided to secure
the installation of FWS. The manual assumes that FWS is installed on a
LAMP server (Linux, Apache, MySQL & PHP). If the ZIP archive is
extracted or the files are uploaded to the document root of the
webserver, the new files and directories will be created based on the
Problems addressed by these patches:
I Arbitrary code execution and denial of service vulnerabilities
This release fixes a security vulnerability that could allow a
guest operating system user with administrative privileges to cause
memory corruption in a host process, and thus potentially execute
arbitrary code on the host. (CVE-2007-4496)
This release fixes a denial of service vulnerability that could
allow a guest operating system to cause a host process to become
------------------------------------------------------------------------
Introduction
------------------------------------------------------------------------
ClickOnce is a deployment technology that allows you to create
self-updating Windows-based applications that can be installed and run
with minimal user interaction. A ClickOnce application is any Windows
Forms or Console application published using ClickOnce technology.
Applications can be published from a web page, a file share, or from
media (i.e. CD-ROM). ClickOnce is available in .NET 2.0 and later.
An application that is deployed through ClickOnce consists of at least
IMPACT
------
By exploiting either of the VMware flaws described in this document,
user-mode code executing in a virtual machine may gain kernel
privileges within the virtual machine, dependent upon the guest
operating system. The flaws have been proven exploitable on x64
versions of Windows, and they have produced potentially exploitable
crashes on x64 versions of *BSD. The Linux kernel does not allow
exploitation of these flaws on x64 versions of Linux.
VMware Workstation 6.5
IMPACT
------
By exploiting the VMware flaw described in this document, user-mode
code executing in a virtual machine may gain kernel privileges within
the virtual machine, dependent upon the guest operating system. The
flaw has been proven exploitable on x64 versions of Windows, and it
has produced potentially exploitable crashes on x64 versions of *BSD.
The Linux kernel does not allow exploitation of the flaws on x64
most popular script on www.hotscripts.com. UTF-8 CuteNews is a current
fork of the Cute News project which is designed to improve security and
is available for free from http://korn19.ch/coding/utf8-cutenews/
Multiple vulnerabilities exist in Cute News and UTF-8 CuteNews. These
vulnerabilities can be exploited to steal user credentials, disclose
file contents, disclose the file path of the application and execute
arbitrary commands.
Cute News appears to be abandoned since September 2008. A local file
inclusion (LFI) vulnerability was discovered by athos on January 9th,
------------------------------------------------------------------------
Abstract
------------------------------------------------------------------------
Akamai's Download Manager allows attackers to download arbitrary
files onto a user's desktop. Using a so-called "blended
threat" attack it is possible to execute arbitrary code. This
attack affects the ActiveX control as well as the Java applet.
------------------------------------------------------------------------
Tested version
Vulnerabilities and Exposures project identifies the following problems:
CVE-2010-2963
Kees Cook discovered an issue in the v4l 32-bit compatibility layer for
64-bit systems that allows local users with /dev/video write permission to
overwrite arbitrary kernel memory, potentially leading to a privilege
escalation. On Debian systems, access to /dev/video devices is restricted to
members of the 'video' group by default.
CVE-2010-3067
The following PoC code is available:
http://[host]/contract_add_service.php?contractid=1%20union%20%28select%20min%28@a:=1%29from%20%28select%201%20union%20select%202%29k%20group%20by%20%28select%20concat%28@@version,0x0,@a:=%28@a%2B1%29%2%29%29%29%20+--+
3) Input passed via the "mode" GET parameter to contact_support.php is not properly sanitised before being returned to the user.
This can be exploited to execute arbitrary HTML and script code in a user browser session in context of affected website.
The following PoC code is available:
http://[host]/contact_support.php?mode=1%22%3E%3Cscript%3Ealert%28document.cookie%29;%3C/script%3E
CVE Name: CVE-2007-4901
*Vulnerability Description*
AOL Instant Messenger ("AIM", http://www.aim.com) is an instant messaging
application that allows its users to communicate in real time via text,
voice, and video over the Internet. It is maintained by AOL LLC. AIM Pro
is AOL's business-oriented version of AIM targeted for professional use
with an emphasis on "business-grade" security and integration with email
client and other productivity applications
(http://aimpro.premiumservices.aol.com/) AIM Lite, as defined in its
CVE Name: CVE-2007-4901
*Vulnerability Description*
AOL Instant Messenger ("AIM", http://www.aim.com) is an instant messaging
application that allows its users to communicate in real time via text,
voice, and video over the Internet. It is maintained by AOL LLC. AIM Pro
is AOL's business-oriented version of AIM targeted for professional use
with an emphasis on "business-grade" security and integration with email
client and other productivity applications
(http://aimpro.premiumservices.aol.com/) AIM Lite, as defined in its
4) Description of Vulnerabilities
Multiple vulnerabilities have been discovered in OpenX, which can be
exploited by malicious people to conduct cross-site scripting,
cross-site request forgery, and file inclusion attacks and by
malicious users to conduct script insertion and SQL injection attacks.
1) Input passed to the "clientid" parameter in "www/admin/banner-
acl.php", "www/admin/banner-edit.php", "www/admin/campaign-zone.php",
"www/admin/advertiser-campaigns.php", "www/admin/campaign-
banners.php", and "www/admin/banner-activate.php" is not properly
$this->p_acp = $this->get_p('acp');
# ACP path
if( !$this->p_acp )
{
# If the user changed the ACP directory, we can
# find it (if the "Remove ACP Link" option was not
# applied) by log in as an Admin, and then click
# on "Admin CP". This can be done with a user
# but I didn't implemented that ;)
$this->msg('Using default ACP path: admin', 1);
CVE Name: CVE-2010-3272, CVE-2010-3273, CVE-2010-3274
3. *Vulnerability Description*
ManageEngine ADSelfService Plus [1] is a secure, web-based, end-user
password reset management program. This software helps domain users to
perform self service password reset, self service account unlock and
employee self update of personal details (e.g. telephone numbers, etc)
in Microsoft Windows Active Directory. Administrators find it easy to
automate password resets, account unlocks while managing optimizing the
xine-lib, such as Totem-xine and Amarok, to effect the necessary changes.
Details follow:
It was discovered that xine-lib did not correctly handle certain malformed
Ogg and Windows Media files. If a user or automated system were tricked into
opening a specially crafted Ogg or Windows Media file, an attacker could cause
xine-lib to crash, creating a denial of service. This issue only applied to
Ubuntu 6.06 LTS, 7.10, and 8.04 LTS. (CVE-2008-3231)
It was discovered that the MNG, MOD, and Real demuxers in xine-lib did not
xulrunner-1.9.2 1.9.2.7+build2+nobinonly-0ubuntu0.9.10.2
Mozilla has changed the support model for Firefox and they no longer
support version 3.0 of the browser and will only support version 3.5 of the
browser for a while longer. As a result, Ubuntu is providing an upgrade to
Firefox 3.6 for Ubuntu 9.04 and 9.10 users, which is the most current
stable release of Firefox supported by Mozilla. When upgrading, users
should be aware of the following:
- Firefox 3.6 does not support version 5 of the Sun Java plugin. Please use
icedtea6-plugin or sun-java6-plugin instead.
Aye.
> > You can't actually use /proc/*/fd to gain access to files opened by
> > processes you do not own. Only ones you do (at least in a mainline kernel)
> > which is fair enough. This means that you can't have user a open a file
> > owned by user b and then let user c have access to it via
> > /proc/$pid/fd.
>
> No, but you can upgrade file from read-only to read-write using /proc.
Summary
=======
Cisco Small Business Video Surveillance Cameras and Cisco RVS4000 4-port
Gigabit Security Routers contain a vulnerability that could allow an
authenticated user to view passwords for other users, regardless of the
authenticated user's level of authorization.
An unprivileged user could take advantage of this vulnerability to
gain full administrative access on the device or view another user's
credentials.
1.Vulnerability information
---------------------------
Impact: An unauthenticated remote attacker without any kind of
credentials can access the SMB service under the credentials of an
authorized user. Depending on the privileges of the authorized user, and
the configuration of the remote system, an attacker can gain read/write
access to the remote file system and execute arbitrary code by using
DCE/RPC over SMB.
Remotely Exploitable: Yes
Bugtraq Id: <unknown>
> after which even correct credentials will not be accepted. You can't
> tell the difference in the UI you are using, so it's understandable to
> have missed these extra limits.
>
A malicious user can abuse the feature "Check for mail using POP3" for
realize the automatic process of password cracking.
As you comment, using this feature exist a lock (for 2 hours) for
authentication attempts, and beyond this limit (100 requests) the
message returned by the application does not allow to known if the
Summary
=======
The server side of the Secure Copy (SCP) implementation in Cisco IOS
software contains a vulnerability that could allow authenticated
users with an attached command-line interface (CLI) view to transfer
files to and from a Cisco IOS device that is configured to be an SCP
server, regardless of what users are authorized to do, per the CLI
view configuration. This vulnerability could allow valid users to
retrieve or write to any file on the device's file system, including
the device's saved configuration and Cisco IOS image files, even if
IronPort Encryption Appliance Administration Interface Vulnerabilities
+---------------------------------------------------------------------
IronPort Encryption Appliance devices contain two vulnerabilities
that could allow unauthorized users to gain access to the IronPort
Encryption Appliance administration interface and modify other users'
settings. These vulnerabilities do not affect Cisco Registered
Envelope Service users.
Cisco has released free software updates that address these
2. What configurations are (not) affected
=========================================
A configuration is considered affected when an attacker with local
access to a system can make Postfix append mail to an existing file
of a different user. Appendix A gives a procedure to determine if
a system is affected.
The following configurations are NOT affected: Postfix on FreeBSD
7.0, OpenBSD 4.3, NetBSD 4.0, MacOS X 10.5, AIX 5.3, HP-UX 11.11,
Solaris 1.x, Linux kernel 1.2.13, and other systems with standard
To all,
The reason I wrote this article was not to explain how to create a hidden
user account. I wrote the article to show you that you can modify the SAM
in real time in a way that is undetectable by ANYONE. This modification
allows you to masquerade any user account as the built-in Administrator.
Christian,
"Continued Access" to a system means that someone has compromised a system
Hi!
>
> The reason I wrote this article was not to explain how to create a hidden
> user account. I wrote the article to show you that you can modify the SAM
> in real time in a way that is undetectable by ANYONE. This modification
> allows you to masquerade any user account as the built-in Administrator.
>
> Christian,
>
> "Continued Access" to a system means that someone has compromised a system
than CVE-2010-4164. (CVE-2010-3873)
The bcm_connect function Broadcast Manager in the Controller Area
Network (CAN) implementation in the Linux creates a publicly accessible
file with a filename containing a kernel memory address, which allows
local users to obtain potentially sensitive information about kernel
memory use by listing this filename. (CVE-2010-4565)
The install_special_mapping function in mm/mmap.c does not make an
expected security_file_mmap function call, which allows local users
to bypass intended mmap_min_addr restrictions and possibly conduct
Next Page>>
|
