Full Disclosure mailing list archives
Re: Full-Disclosure Digest, Vol 86, Issue 34
From: "Gabriel S. Craciun" <gcraciun () transfond ro>
Date: Thu, 26 Apr 2012 11:38:47 +0000
You can close it. The task. It's OK.

-----Original Message-----
From: full-disclosure-bounces () lists grok org uk [mailto:full-disclosure-bounces () lists grok org uk] On Behalf Of full-disclosure-request () lists grok org uk
Sent: Thursday, April 26, 2012 10:20 AM
To: full-disclosure () lists grok org uk
Subject: Full-Disclosure Digest, Vol 86, Issue 34

Send Full-Disclosure mailing list submissions to
	full-disclosure () lists grok org uk

To subscribe or unsubscribe via the World Wide Web, visit
	https://lists.grok.org.uk/mailman/listinfo/full-disclosure
or, via email, send a message with subject or body 'help' to
	full-disclosure-request () lists grok org uk

You can reach the person managing the list at
	full-disclosure-owner () lists grok org uk

When replying, please edit your Subject line so it is more specific than "Re: Contents of Full-Disclosure digest..."

Note to digest recipients - when replying to digest posts, please trim your post appropriately. Thank you.

Today's Topics:

   1. MoroccoTel Box Default Open Telnet Password (Jerome Athias)
   2. Re: Vulnerability in Gentoo hardened (Georgi Guninski)
   3. [SECURITY] [DSA 2460-1] asterisk security update (Moritz Muehlenhoff)
   4. Re: Hacking WolframAlpha (Lincoln Anderson)
   5. XSS, CSRF and AFU vulnerabilities in Organizer for WordPress (MustLive)
   6. (no subject) (Ramon Driessen)
   7. Re: (no subject) (coderman)
   8. [Security-news] SA-CONTRIB-2012-062 - Creative Commons - Cross Site Scripting (XSS) (security-news () drupal org)
   9. [Security-news] SA-CONTRIB-2012-063 - RealName - Cross Site Scripting (XSS) (security-news () drupal org)
  10. [Security-news] SA-CONTRIB-2012-064 - Ubercart - Multiple vulnerabilities (security-news () drupal org)
  11. Re: [Security-news] SA-CONTRIB-2012-063 - RealName - Cross Site Scripting (XSS) (security-news () drupal org)
  12. [Security-news] SA-CONTRIB-2012-065 - Sitedoc - Information disclosure (security-news () drupal org)
  13. FW: (no subject) (imipak)
  14. [Security-news] SA-CONTRIB-2012-066 - Spaces and Spaces OG - Access Bypass (security-news () drupal org)
  15. [Security-news] SA-CONTRIB-2012-067 - Linkit - Access bypass (security-news () drupal org)
  16. Re: FW: (no subject) (Michael Wood)
  17. [SECURITY] [DSA 2459-1] quagga security update (Florian Weimer)
  18. Oracle TNS Poison vulnerability is actually a 0day with no patch available (Joxean Koret)

----------------------------------------------------------------------

Message: 1
Date: Wed, 25 Apr 2012 13:15:53 +0000
From: Jerome Athias <jerome () netpeas com>
Subject: [Full-disclosure] MoroccoTel Box Default Open Telnet Password
To: full-disclosure () lists grok org uk
Message-ID: <4F97F909.7090701 () netpeas com>
Content-Type: text/plain; charset="iso-8859-1"

Hi,

a "vulnerability" was identified on MoroccoTel Boxes: a telnet server is running, open to the web, with a default password of admin (or 123456)

This critical vulnerability can affect the entire network of a Country.

Solution: change the default password account or modify the default firmware

NB: a new firmware was released, introducing a cipher on the "PPPoE password" (one common, publicly available PPPoE account is largely used)

Discovered by NETpeas research team, NETpeas CERT is trying to contact the ISP

More details:

Password: telnet
try 41.141.*.* -> Response telnet02:
****
Copyright (c) 2001 - 2006 Huawei
MT882a>
***********************************************************
41.141.*.* -> TELNET PASSWORD FOUND: admin

MT882a> show all
RAS version: V100R001B022 MoroccoTel 2010/02/26
System ID: $5.0.152.1(RUE0.C2)3.11.2.151 20110602_V001 [Jun 02 2011 13:54:48]
romRasSize: 1217226
system up time: 2:45:45 (f2cc9 ticks)
bootbase version: VTC_SPI1.5| 2011/05/26
Hostname = MT882a
Message = <empty>
ip route mode = Yes
bridge mode = Yes
DHCP setting:
  DHCP Mode = Server
  Client IP Pool Starting Address = 192.168.1.2
  Size of Client IP Pool = 64
  Primary DNS Server = 8.8.8.8
  Secondary DNS Server = 8.8.4.4
  DHCP server leasetime = 86400
TCP/IP Setup:
  IP Address = 192.168.1.1
  IP Subnet Mask = 255.255.255.0
  Rip Direction = None
  Version = Rip-1
  Multicast = IGMP-v2
RemoteNode = 0
  Rem Node Name = ISP-0(ISP)
  Encapsulation = PPPoE
  Multiplexing = LLC-based
  Channel active = Yes
  VPI/VCI value = 8/35
  IP Routing mode = Yes
  Bridge mode = No
  PPP Username = <snip>
  PPP Password = *******
  PPP Username_ext2 =
  PPP Password_ext2 =
  Service name =
  Remote IP Addr = 0.0.0.0
  Remote IP Subnet Mask = 0.0.0.0
  IP address assignment type = Dynamic
  SUA = Yes
  Multicast = None
  Default Route node = Yes
RemoteNode = 1
  Rem Node Name = ISP-1
  Encapsulation = RFC 1483
  Multiplexing = LLC-based
41.141.1.9 -> Port 80 open
  Channel active = Yes
  VPI/VCI value = 0/35
  IP Routing mode = No
  Bridge mode = Yes
  Remote IP Addr = 0.0.0.0
  Remote IP Subnet Mask = 0.0.0.0
  IP address assignment type = Dynamic
  SUA = No
  Multicast = None
  Default Route node = No
RemoteNode = 2
  Rem Node Name = ISP-2
  Encapsulation = RFC 1483
  Multiplexing = LLC-based
  Channel active = Yes
  VPI/VCI value = 0/32
  IP Routing mode = No
  Bridge mode = Yes
  Remote IP Addr = 0.0.0.0
  Remote IP Subnet Mask = 0.0.0.0
  IP address assignment type = Dynamic
  SUA = No
  Multicast = None
  Default Route node = No
RemoteNode = 3
  Rem Node Name = ISP-3
  Encapsulation = RFC 1483
  Multiplexing = LLC-based
  Channel active = Yes
  VPI/VCI value = 8/32
  IP Routing mode = No
  Bridge mode = Yes
  Remote IP Addr = 0.0.0.0
  Remote IP Subnet Mask = 0.0.0.0
  IP address assignment type = Dynamic
  SUA = No
  Multicast = None
  Default Route node = No
RemoteNode = 4
  Rem Node Name = ISP-4
  Encapsulation = RFC 1483
  Multiplexing = LLC-based
  Channel active = Yes
  VPI/VCI value = 8/81
  IP Routing mode = No
  Bridge mode = Yes
  Remote IP Addr = 0.0.0.0
  Remote IP Subnet Mask = 0.0.0.0
  IP address assignment type = Dynamic
  SUA = No
  Multicast = None
  Default Route node = No
RemoteNode = 5
  Rem Node Name = ISP-5
  Encapsulation = RFC 1483
  Multiplexing = LLC-based
  Channel active = Yes
  VPI/VCI value = 0/100
  IP Routing mode = No
  Bridge mode = Yes
  Remote IP Addr = 0.0.0.0
  Remote IP Subnet Mask = 0.0.0.0
  IP address assignment type = Dynamic
  SUA = No
  Multicast = None
  Default Route node = No
RemoteNode = 6
  Rem Node Name = ISP-6
  Encapsulation = RFC 1483
  Multiplexing = LLC-based
  Channel active = Yes
  VPI/VCI value = 1/39
  IP Routing mode = No
  Bridge mode = Yes
  Remote IP Addr = 0.0.0.0
  Remote IP Subnet Mask = 0.0.0.0
  IP address assignment type = Dynamic
  SUA = No
  Multicast = None
  Default Route node = No
RemoteNode = 7
  Rem Node Name = ISP-7
  Encapsulation = RFC 1483
  Multiplexing = LLC-based
  Channel active = Yes
  VPI/VCI value = 0/16
  IP Routing mode = No
  Bridge mode = Yes
  Remote IP Addr = 0.0.0.0
  Remote IP Subnet Mask = 0.0.0.0
  IP address assignment type = Dynamic
  SUA = No
  Multicast = None
  Default Route node = No
MT882a>
RAS version : V100R001B022 MoroccoTel
romRasSize : 1217226
bootbase version : VTC_SPI1.5| 2011/05/26
Product Model : SmartAX
MAC Address : <snip-inclear>
Default Country Code : FF
Boot Module Debug Flag : 00
RomFile Version : 9F
RomFile Checksum : dceb
RAS F/W Checksum : 87b7
SNMP MIB level & OID : 050000000100000002000000030000000400000005
Main Feature Bits : 86
Other Feature Bits : 93 17 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 13 00 00 00
MT882a> ether config
--------------- NDIS CONFIGURATION BLOCK ----------------
type=1 flags=0001
Board/Chassis:1 Lines/Board:1 Channels/Lines:2 Total Channel:2
task-id=8041f1f4 event-q=80458c2c(19) data-q=80458c70(1a) func-id=2
board-cfg=8042c8a4 line-cfg=8042c8bc chann-cfg=8042c8d0
board-pp (8042c8f0) 804273fc
line-pp (8042c8f4) 8042956c
chann-pp (8042c8f8) 804bf8a4 804bfe34
--------------- BOARD DISPLAY ---------------------------
ID slot# n-line n-chann status line-cfg chann-cfg
00 0 1 2 0001 8042c8bc 8042c8d0
--------------- LINE DISPLAY ---------------------------
ID line# board-id n-chann chann-cfg
00 1 00 2 8042c8d0
--------------- CHANNEL DISPLAY -------------------------
ID chan# line-id board-id address name
00 1 00 00 804bf8a4 enet0
01 2 00 00 804bfe34 enet1
MT882a>

-- 
Jerome Athias - NETpeas
VP, Director of Software Engineering
Palo Alto - Paris - Casablanca
Mobile: +212665346454
www.netpeas.com
---------------------------------------------
Stay updated on Security: www.vulnerabilitydatabase.com
"The computer security is an art form. It's the ultimate martial art."

-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 4899 bytes
Desc: S/MIME cryptographic signature
Url : http://lists.grok.org.uk/pipermail/full-disclosure/attachments/20120425/2fb2cc07/attachment-0001.bin

------------------------------

Message: 2
Date: Wed, 25 Apr 2012 16:48:49 +0300
From: Georgi Guninski <guninski () guninski com>
Subject: Re: [Full-disclosure] Vulnerability in Gentoo hardened
To: Laurelai <laurelai () oneechan org>
Cc: full-disclosure () lists grok org uk
Message-ID: <20120425134849.GC6357@sivokote.iziade.m$>
Content-Type: text/plain; charset=us-ascii

On Wed, Apr 25, 2012 at 04:26:57AM -0500, Laurelai wrote:
> On 4/25/12 3:56 AM, Georgi Guninski wrote:
>> On Tue, Apr 24, 2012 at 12:15:26PM -0400, Valdis.Kletnieks () vt edu wrote:
>>> On Tue, 24 Apr 2012 17:36:55 +0200, Milan Berger said:
>>>> if you read his "advisories" and "0-days" you know: It's not a joke...
>>> I always thought it was misunderstood performance art...
>> this one appears to be true: http://seclists.org/fulldisclosure/2011/Jul/312
>> Full disclosure is arrest of Sabu (check the date)
> Nope, I'm still here :p

OK, sorry. I mean the Sabu part of the email.

------------------------------

Message: 3
Date: Wed, 25 Apr 2012 18:06:40 +0200
From: Moritz Muehlenhoff <jmm () debian org>
Subject: [Full-disclosure] [SECURITY] [DSA 2460-1] asterisk security update
To: debian-security-announce () lists debian org
Message-ID: <20120425160640.GA6420@pisco.westfalen.local>
Content-Type: text/plain; charset=us-ascii

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- -------------------------------------------------------------------------
Debian Security Advisory DSA-2460-1                   security () debian org
http://www.debian.org/security/                           Moritz Muehlenhoff
April 25, 2012                         http://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : asterisk
Vulnerability  : several
Problem type   : remote
Debian-specific: no
CVE ID         : CVE-2012-1183 CVE-2012-2414 CVE-2012-2415

Several vulnerabilities were discovered in the Asterisk PBX and telephony toolkit:

CVE-2012-1183
    Russell Bryant discovered a buffer overflow in the Milliwatt application.

CVE-2012-2414
    David Woolley discovered a privilege escalation in the Asterisk manager interface.

CVE-2012-2415
    Russell Bryant discovered a buffer overflow in the Skinny driver.

For the stable distribution (squeeze), this problem has been fixed in version 1:1.6.2.9-2+squeeze5.

For the unstable distribution (sid), this problem will be fixed soon.

We recommend that you upgrade your asterisk packages.
Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: http://www.debian.org/security/

Mailing list: debian-security-announce () lists debian org
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)

iEYEARECAAYFAk+YIOUACgkQXm3vHE4uylpTYQCeIlkGimI8WtcdKK6oYD09ckfm
dDUAnjksH+0jJLCG7ioSnb81645CJe5c
=0126
-----END PGP SIGNATURE-----

------------------------------

Message: 4
Date: Wed, 25 Apr 2012 11:19:52 -0500
From: Lincoln Anderson <ayblinkin () gmail com>
Subject: Re: [Full-disclosure] Hacking WolframAlpha
To: full-disclosure () lists grok org uk
Message-ID: <CAAAE9WU0xNvg4OvgGyPP0dz2WTEz-29aR7g8JpYJypXwhjcpjQ () mail gmail com>
Content-Type: text/plain; charset="iso-8859-1"

This is rather low-hanging fruit. But I suppose someone has to disclose the low hanging fruit.

Aside from abusing WolframAlpha's API, I'm not sure I see that this is that huge an accomplishment. I do find it somewhat silly that unobfuscated appid's are passed to the API over an unsecured connection, but meh. My access to the API getting cut would be an annoyance, and I would certainly be non-plussed about that if I were one of the poor souls who paid for a bigger better faster stronger query plan, but still, meh. Maybe I'm missing out on the gravity of this by not using the WolframAlpha API.

Of course, I'm assuming the real point here *is* that the appid is passed unobfuscated and unsecured, and *not* that I can go trawling for appid's on Google. The former is somewhat interesting to the niche of WolframAlpha API users. The latter is rather old news under the heading "I can find a disturbing amount of private information using a properly formatted Google query". Patching that vulnerability will only be accomplished through reeducation and strategic employment modifications.

On Tue, Apr 24, 2012 at 2:50 PM, Adam Behnke <adam () infosecinstitute com> wrote:

> Sharing source code with peers is one thing; sharing secrets over a public medium is another. The all-seeing eye of Google has no mercy, and once the secret has been seen, indexed, and copied to clone sites, it is no longer a secret. Now combine the search power of Google with the computational power of WolframAlpha and the results are limitless! It's raining data from these saturated clouds, and you just need to hold out your hands for a taste:
>
> http://resources.infosecinstitute.com/hacking-wolframalpha/
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.grok.org.uk/pipermail/full-disclosure/attachments/20120425/de94f167/attachment-0001.html

------------------------------

Message: 5
Date: Wed, 25 Apr 2012 20:51:24 +0300
From: "MustLive" <mustlive () websecurity com ua>
Subject: [Full-disclosure] XSS, CSRF and AFU vulnerabilities in Organizer for WordPress
To: <submissions () packetstormsecurity org>, <full-disclosure () lists grok org uk>
Message-ID: <009201cd230c$2d1eb7e0$0100a8c0@ml>
Content-Type: text/plain; format=flowed; charset="windows-1251"; reply-type=original

Hello list!

I want to warn you about multiple security vulnerabilities in the Organizer plugin for WordPress. This is the second in a series of advisories concerning vulnerabilities in this plugin.

These are Cross-Site Scripting (reflected and persistent), Cross-Site Request Forgery and Arbitrary File Upload (Code Execution) vulnerabilities.

-------------------------
Affected products:
-------------------------

Organizer 1.2.1 and previous versions are vulnerable.

As the plugin's developer told me, he no longer supports it and will not be fixing any vulnerabilities in it.

----------
Details:
----------

XSS (WASC-08):

http://site/wp-admin/admin.php?page=organizer/page/users.php&edit_id=%3Cscript%3Ealert(document.cookie)%3C/script%3E

XSS (Persistent) (WASC-08):

Exploit: http://websecurity.com.ua/uploads/2012/Organizer%20XSS-2.html

Code will execute at the page users.php of the plugin.

CSRF (WASC-09):

Via an attack on the Add/Edit User Setting function (both are combined into the same POST request) it's possible to add and edit settings.

POST request at page http://site/wp-admin/admin.php?page=organizer/page/users.php. Similar to the above exploit for XSS.

Via an attack on the Delete User Setting function it's possible to delete settings.

http://site/wp-admin/admin.php?page=organizer/page/users.php&delete_id=admin

Arbitrary File Upload (Code Execution) (WASC-31):

It's possible to upload arbitrary files with code execution (php files). Because in the field "File extensions allowed" it's possible to set script extensions, such as "php", which allows uploading arbitrary scripts to the server and executing them.

Besides attacking the admin via the above-mentioned CSRF vulnerability to change the settings (or getting access to the admin account for this), the Insufficient Authorization vulnerability (described in the third advisory) can also be used for this (given an account, even one with the lowest rights, such as Subscriber).

------------
Timeline:
------------

2012.04.15 - informed the developer about previous vulnerabilities.
2012.04.16 - announced at my site (http://websecurity.com.ua/5786/).
2012.04.17 - the developer answered, that he didn't support the plugin anymore.
2012.04.17 - additionally informed the developer about new vulnerabilities.
2012.04.24 - disclosed at my site.

Best wishes & regards,
MustLive
Administrator of Websecurity web site
http://websecurity.com.ua

------------------------------

Message: 6
Date: Wed, 25 Apr 2012 20:53:05 +0200
From: Ramon Driessen <ramon.driessen () gmail com>
Subject: [Full-disclosure] (no subject)
To: full-disclosure () lists grok org uk
Message-ID: <CAPq4OLerHm2PtTBKya8JMceYs-bTS59Fb0cUZ0E25RNSANxmPA () mail gmail com>
Content-Type: text/plain; charset="iso-8859-1"

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.grok.org.uk/pipermail/full-disclosure/attachments/20120425/9afdf35c/attachment-0001.html

------------------------------

Message: 7
Date: Wed, 25 Apr 2012 12:22:20 -0700
From: coderman <coderman () gmail com>
Subject: Re: [Full-disclosure] (no subject)
To: Ramon Driessen <ramon.driessen () gmail com>
Cc: full-disclosure () lists grok org uk
Message-ID: <CAJVRA1QWTZeU35AzFst8ptxiDN4CCAS4fmCfFCgS4mz-jQwAfw () mail gmail com>
Content-Type: text/plain; charset=ISO-8859-1

------------------------------

Message: 8
Date: Wed, 25 Apr 2012 19:44:43 +0000 (UTC)
From: security-news () drupal org
Subject: [Full-disclosure] [Security-news] SA-CONTRIB-2012-062 - Creative Commons - Cross Site Scripting (XSS)
To: security-news () drupal org
Message-ID: <20120425194443.09C5C108051 () www2 drupal org>
Content-Type: text/plain; charset="us-ascii"

View online: http://drupal.org/node/1547520

   * Advisory ID: DRUPAL-SA-CONTRIB-2012-062
   * Project: Creative Commons [1] (third-party module)
   * Version: 6.x
   * Date: 2012-April-25
   * Security risk: Moderately critical [2]
   * Exploitable from: Remote
   * Vulnerability: Cross Site Scripting

-------- DESCRIPTION ---------------------------------------------------------

The Creative Commons module allows users to select and assign a Creative Commons license to a node and any attached content, or to the entire site.

The module did not sufficiently filter the text describing licenses.

This vulnerability is mitigated by the fact that an attacker must have a role with the permission "administer creative commons".

-------- VERSIONS AFFECTED ---------------------------------------------------

   * Creative Commons 6.x-1.x versions prior to 6.x-1.1. [3]

Drupal core is not affected. If you do not use the contributed Creative Commons [4] module, there is nothing you need to do.
-------- SOLUTION ------------------------------------------------------------

Install the latest version:

   * If you use the Creative Commons module for Drupal 6.x, upgrade to Creative Commons 6.x-1.1 [5]

Also see the Creative Commons [6] project page.

-------- REPORTED BY ---------------------------------------------------------

   * Justin Klein-Keane [7]

-------- FIXED BY ------------------------------------------------------------

   * Kevin Reynen [8] the module maintainer

-------- COORDINATED BY ------------------------------------------------------

   * Greg Knaddison [9] of the Drupal Security Team
   * Michael Hess [10] of the Drupal Security Team

-------- CONTACT AND MORE INFORMATION ----------------------------------------

The Drupal security team can be reached at security at drupal.org or via the contact form at http://drupal.org/contact [11].

Learn more about the Drupal Security team and their policies [12], writing secure code for Drupal [13], and securing your site [14].

[1] http://drupal.org/project/creativecommons
[2] http://drupal.org/security-team/risk-levels
[3] http://drupal.org/node/1547478
[4] http://drupal.org/project/creativecommons
[5] http://drupal.org/node/1547478
[6] http://drupal.org/project/creativecommons
[7] http://drupal.org/user/302225
[8] http://drupal.org/user/48877
[9] http://drupal.org/user/36762
[10] http://drupal.org/user/102818
[11] http://drupal.org/contact
[12] http://drupal.org/security-team
[13] http://drupal.org/writing-secure-code
[14] http://drupal.org/security/secure-configuration

_______________________________________________
Security-news mailing list
Security-news () drupal org
http://lists.drupal.org/mailman/listinfo/security-news

------------------------------

Message: 9
Date: Wed, 25 Apr 2012 19:49:57 +0000 (UTC)
From: security-news () drupal org
Subject: [Full-disclosure] [Security-news] SA-CONTRIB-2012-063 - RealName - Cross Site Scripting (XSS)
To: security-news () drupal org
Message-ID: <20120425194957.281CE108051 () www2 drupal org>
Content-Type: text/plain; charset="us-ascii"

View online: http://drupal.org/node/1547660

   * Advisory ID: DRUPAL-SA-CONTRIB-2012-063
   * Project: RealName [1] (third-party module)
   * Version: 6.x
   * Date: 2012-April-25
   * Security risk: Moderately critical [2]
   * Exploitable from: Remote
   * Vulnerability: Cross Site Scripting

-------- DESCRIPTION ---------------------------------------------------------

This module allows you to set a pattern for constructing "Real names" for users out of profile fields.

The module does not sufficiently escape users' real names under certain circumstances which could lead to a Cross-Site Scripting (XSS) [3] attack.

-------- VERSIONS AFFECTED ---------------------------------------------------

   * RealName 6.x-1.x versions prior to 6.x-1.5 [4].
   * RealName 7.x-1.x versions are not vulnerable.

Drupal core is not affected. If you do not use the contributed RealName [5] module, there is nothing you need to do.

-------- SOLUTION ------------------------------------------------------------

Install the latest version:

   * If you use the RealName module for Drupal 6.x, upgrade to RealName 6.x-1.5 [6].

Also see the RealName [7] project page.

-------- REPORTED BY ---------------------------------------------------------

   * Gabor Szanto [8]
   * Dave Reid [9], module maintainer and Drupal Security Team member

-------- FIXED BY ------------------------------------------------------------

   * Gabor Szanto [10]
   * Dave Reid [11], module maintainer and Drupal Security Team member

-------- COORDINATED BY ------------------------------------------------------

   * Dave Reid [12] of the Drupal Security Team
   * Michael Hess [13] of the Drupal Security Team

-------- CONTACT AND MORE INFORMATION ----------------------------------------

The Drupal security team can be reached at security at drupal.org or via the contact form at http://drupal.org/contact [14].

Learn more about the Drupal Security team and their policies [15], writing secure code for Drupal [16], and securing your site [17].

[1] http://drupal.org/project/realname
[2] http://drupal.org/security-team/risk-levels
[3] http://en.wikipedia.org/wiki/Cross-site_scripting
[4] http://drupal.org/node/1547352
[5] http://drupal.org/project/realname
[6] http://drupal.org/node/1547352
[7] http://drupal.org/project/realname
[8] http://drupal.org/user/610310
[9] http://drupal.org/user/53892
[10] http://drupal.org/user/610310
[11] http://drupal.org/user/53892
[12] http://drupal.org/user/53892
[13] http://drupal.org/user/102818
[14] http://drupal.org/contact
[15] http://drupal.org/security-team
[16] http://drupal.org/writing-secure-code
[17] http://drupal.org/security/secure-configuration

_______________________________________________
Security-news mailing list
Security-news () drupal org
http://lists.drupal.org/mailman/listinfo/security-news

------------------------------

Message: 10
Date: Wed, 25 Apr 2012 19:51:15 +0000 (UTC)
From: security-news () drupal org
Subject: [Full-disclosure] [Security-news] SA-CONTRIB-2012-064 - Ubercart - Multiple vulnerabilities
To: security-news () drupal org
Message-ID: <20120425195115.4D3D51D00C5 () www1 drupal org>
Content-Type: text/plain; charset="us-ascii"

View online: http://drupal.org/node/1547674

   * Advisory ID: DRUPAL-SA-CONTRIB-2012-064
   * Project: Ubercart [1] (third-party module)
   * Version: 6.x, 7.x
   * Date: 2012-April-25
   * Security risk: Moderately critical [2]
   * Exploitable from: Varies (Local & Remote)
   * Vulnerability: Cross Site Scripting, Arbitrary PHP code execution, Multiple vulnerabilities

-------- DESCRIPTION ---------------------------------------------------------

The Ubercart module for Drupal provides a shopping cart and e-commerce features for Drupal.

Parts of Ubercart were vulnerable to a Failure to encrypt data, Cross Site Scripting, and an Arbitrary PHP Execution vulnerability.
.... Failure to encrypt data: Exploitable from local

Passwords supplied by new customers during checkout were stored as plain text until payment was completed for an order, for a maximum of 15 minutes.

This vulnerability is not exploitable remotely, but information may have inadvertently been leaked via database access (e.g. backups, developer laptops that are compromised).

.... Cross Site Scripting: Exploitable from remote

The product classes feature did not properly sanitize output and was vulnerable to a cross site scripting attack.

This vulnerability is mitigated by the fact that an attacker must have the "administer product classes" permission.

.... Arbitrary PHP Execution: Exploitable from remote

In Ubercart 6.x-2.x, arbitrary PHP code can be executed by users with the "administer conditional actions" permission.

This vulnerability is mitigated by the fact that this permission should only be granted to trusted users.

-------- VERSIONS AFFECTED ---------------------------------------------------

   * Ubercart 6.x-2.x versions prior to 6.x-2.8. [3]
   * Ubercart 7.x-3.x versions prior to 7.x-3.1. [4]

Drupal core is not affected. If you do not use the contributed Ubercart [5] module, there is nothing you need to do.

-------- SOLUTION ------------------------------------------------------------

Install the latest version:

   * If you use the Ubercart module for Drupal 6.x, upgrade to Ubercart 6.x-2.8. [6]
   * If you use the Ubercart module for Drupal 7.x, upgrade to Ubercart 7.x-3.1. [7]

Additionally, in Drupal 6.x, ensure that only trusted users have roles that have been granted the "administer conditional actions" permission.

Also see the Ubercart [8] project page.

-------- REPORTED BY ---------------------------------------------------------

   * Shaun Dychko [9] reported the Failure to encrypt data issue
   * Lee Rowlands [10] reported the Cross Site Scripting issue
   * Dave Long [11] reported the Arbitrary PHP Execution issue

-------- FIXED BY ------------------------------------------------------------

   * Dave Long [12] the module maintainer
   * Lyle Mantooth [13] the module maintainer

-------- COORDINATED BY ------------------------------------------------------

   * Greg Knaddison [14] of the Drupal Security Team

-------- CONTACT AND MORE INFORMATION ----------------------------------------

The Drupal security team can be reached at security at drupal.org or via the contact form at http://drupal.org/contact [15].

Learn more about the Drupal Security team and their policies [16], writing secure code for Drupal [17], and securing your site [18].

[1] http://drupal.org/project/ubercart
[2] http://drupal.org/security-team/risk-levels
[3] http://drupal.org/node/1547506
[4] http://drupal.org/node/1547508
[5] http://drupal.org/project/ubercart
[6] http://drupal.org/node/1547506
[7] http://drupal.org/node/1547508
[8] http://drupal.org/project/ubercart
[9] http://drupal.org/user/475828
[10] http://drupal.org/user/395439
[11] http://drupal.org/user/246492
[12] http://drupal.org/user/246492
[13] http://drupal.org/user/86683
[14] http://drupal.org/user/36762
[15] http://drupal.org/contact
[16] http://drupal.org/security-team
[17] http://drupal.org/writing-secure-code
[18] http://drupal.org/security/secure-configuration

_______________________________________________
Security-news mailing list
Security-news () drupal org
http://lists.drupal.org/mailman/listinfo/security-news

------------------------------

Message: 11
Date: Wed, 25 Apr 2012 12:55:56 -0700
From: security-news () drupal org
Subject: Re: [Full-disclosure] [Security-news] SA-CONTRIB-2012-063 - RealName - Cross Site Scripting (XSS)
To: Security-news () drupal org
Message-ID: <0BE574B9-9E83-40F5-A3F6-B36DEB6D86FA () earthlink net>
Content-Type: text/plain; charset="us-ascii"

Hi - Will you please remove me from this list? Thank you!

On Apr 25, 2012, at 12:49 PM, security-news () drupal org wrote:

> Security-news () drupal org

_______________________________________________
Security-news mailing list
Security-news () drupal org
http://lists.drupal.org/mailman/listinfo/security-news

------------------------------

Message: 12
Date: Wed, 25 Apr 2012 19:54:11 +0000 (UTC)
From: security-news () drupal org
Subject: [Full-disclosure] [Security-news] SA-CONTRIB-2012-065 - Sitedoc - Information disclosure
To: security-news () drupal org
Message-ID: <20120425195411.4EA6B1D00C5 () www1 drupal org>
Content-Type: text/plain; charset="utf-8"

View online: http://drupal.org/node/1547686

   * Advisory ID: DRUPAL-SA-CONTRIB-2012-065
   * Project: Site Documentation [1] (third-party module)
   * Version: 6.x
   * Date: 2012-April-25
   * Security risk: Moderately critical [2]
   * Exploitable from: Remote
   * Vulnerability: Information Disclosure

-------- DESCRIPTION ---------------------------------------------------------

This module enables you to display a plethora of information about your site's structure. Optionally, the information may be saved into a file for later comparison.

The module doesn't sufficiently verify that the saved file is protected by the Private File System.

This vulnerability is mitigated by the fact that the administrator must have configured the module to save the HTML report file to disk.

-------- VERSIONS AFFECTED ---------------------------------------------------

   * Sitedoc 6.x-1.x versions prior to 6.x-1.4.

Drupal core is not affected. If you do not use the contributed Site Documentation [3] module, there is nothing you need to do.

-------- SOLUTION ------------------------------------------------------------

Install the latest version:

   * If you use the Sitedoc module for Drupal 6.x, upgrade to Sitedoc 6.x-1.4 [4], and
   * Enable the private file system if you want to save the output file.

Also see the Site Documentation [5] project page.

-------- REPORTED BY ---------------------------------------------------------

   * Jakub Suchý [6] of the Drupal Security Team

-------- FIXED BY ------------------------------------------------------------

   * Nancy Wichmann [7], the module maintainer

-------- COORDINATED BY ------------------------------------------------------

   * Forest Monsen [8] of the Drupal Security Team

-------- CONTACT AND MORE INFORMATION ----------------------------------------

The Drupal security team can be reached at security at drupal.org or via the contact form at http://drupal.org/contact [9].

Learn more about the Drupal Security team and their policies [10], writing secure code for Drupal [11], and securing your site [12].

[1] http://drupal.org/project/sitedoc
[2] http://drupal.org/security-team/risk-levels
[3] http://drupal.org/project/sitedoc
[4] http://drupal.org/node/1546224
[5] http://drupal.org/project/sitedoc
[6] http://drupal.org/user/31977
[7] http://drupal.org/user/101412
[8] http://drupal.org/user/181798
[9] http://drupal.org/contact
[10] http://drupal.org/security-team
[11] http://drupal.org/writing-secure-code
[12] http://drupal.org/security/secure-configuration

_______________________________________________
Security-news mailing list
Security-news () drupal org
http://lists.drupal.org/mailman/listinfo/security-news

------------------------------

Message: 13
Date: Wed, 25 Apr 2012 20:59:37 +0100
From: imipak <imipak () gmail com>
Subject: [Full-disclosure] FW: (no subject)
To: coderman <coderman () gmail com>
Cc: Full Disclosure <full-disclosure () lists grok org uk>
Message-ID: <CAOpQXKPdtBRpBwU-xpUnn+gjXwa5PpKG8swaCbNZmZKJw8=s4w () mail gmail com>
Content-Type: text/plain; charset="utf-8"
Well, you believe that if you want to, but ask yourself... who benefits?

-i

------------------------------

Message: 14
Date: Wed, 25 Apr 2012 20:20:15 +0000 (UTC)
From: security-news () drupal org
Subject: [Full-disclosure] [Security-news] SA-CONTRIB-2012-066 - Spaces and Spaces OG - Access Bypass
To: security-news () drupal org
Message-ID: <20120425202015.84FC9110049 () www7 drupal org>
Content-Type: text/plain; charset="us-ascii"

View online: http://drupal.org/node/1547736

* Advisory ID: DRUPAL-SA-CONTRIB-2012-066
* Project: Spaces [1] (third-party module)
* Version: 6.x
* Date: 2012-April-25
* Security risk: Moderately critical [2]
* Exploitable from: Remote
* Vulnerability: Access bypass

-------- DESCRIPTION ---------------------------------------------------------

Spaces is an API module intended to make configuration options generally available only at the sitewide level to be configurable and overridden by individual "spaces" on a Drupal site.

The spaces and spaces_og modules (part of the spaces package) in some cases do not apply the expected spaces access permission to pages that are non-objects (e.g. /node).

This vulnerability is mitigated by the fact that node_access and user profile permissions will prevent node or user data from being exposed, but other information (e.g. block data, etc.) is still displayed.

This issue only affects sites using spaces to limit access to content for some users.

-------- VERSIONS AFFECTED ---------------------------------------------------

* Spaces 6.x-3.x versions prior to 6.x-3.4.

Drupal core is not affected. If you do not use the contributed Spaces [3] module, there is nothing you need to do.

-------- SOLUTION ------------------------------------------------------------

Install the latest version:

* If you use the Spaces module for Drupal 6.x, upgrade to Spaces 6.x-3.4 [4]

Also see the Spaces [5] project page.

-------- REPORTED BY ---------------------------------------------------------

* hefox [6]

-------- FIXED BY ------------------------------------------------------------

* Patrick Settle [7], the module maintainer
* Fox [8]

-------- COORDINATED BY ------------------------------------------------------

* Greg Knaddison [9] of the Drupal Security Team
* Michael Hess [10] of the Drupal Security Team
* Matt Kleve [11] of the Drupal Security Team

-------- CONTACT AND MORE INFORMATION ----------------------------------------

The Drupal security team can be reached at security at drupal.org or via the contact form at http://drupal.org/contact [12].

Learn more about the Drupal Security team and their policies [13], writing secure code for Drupal [14], and securing your site [15].
[1] http://drupal.org/project/spaces
[2] http://drupal.org/security-team/risk-levels
[3] http://drupal.org/project/spaces
[4] http://drupal.org/node/1547730
[5] http://drupal.org/project/spaces
[6] http://drupal.org/user/426416
[7] http://drupal.org/user/26618
[8] http://drupal.org/user/426416
[9] http://drupal.org/user/36762
[10] http://drupal.org/user/102818
[11] http://drupal.org/user/150473
[12] http://drupal.org/contact
[13] http://drupal.org/security-team
[14] http://drupal.org/writing-secure-code
[15] http://drupal.org/security/secure-configuration

------------------------------

Message: 15
Date: Wed, 25 Apr 2012 20:21:29 +0000 (UTC)
From: security-news () drupal org
Subject: [Full-disclosure] [Security-news] SA-CONTRIB-2012-067 - Linkit - Access bypass
To: security-news () drupal org
Message-ID: <20120425202129.2755EF0058 () www5 drupal org>
Content-Type: text/plain; charset="us-ascii"

View online: http://drupal.org/node/1547738

* Advisory ID: DRUPAL-SA-CONTRIB-2012-067
* Project: Linkit [1] (third-party module)
* Version: 7.x
* Date: 2012-April-25
* Security risk: Moderately critical [2]
* Exploitable from: Remote
* Vulnerability: Access bypass

-------- DESCRIPTION ---------------------------------------------------------

Linkit provides an easy interface for internal and external linking. Linkit links to nodes, users, managed files, terms and has basic support for all entities by default, using an autocomplete field.

When searching for entities, no access restrictions were added and users may see information about content that they do not normally have access to see.

This issue only affects sites using an entity access module to limit access to content for some users.

-------- VERSIONS AFFECTED ---------------------------------------------------

* Linkit 7.x-2.x versions prior to 7.x-2.2.

Drupal core is not affected. If you do not use the contributed Linkit [3] module, there is nothing you need to do.

-------- SOLUTION ------------------------------------------------------------

Install the latest version:

* If you use the Linkit module for Drupal 7.x, upgrade to Linkit 7.x-2.3 [4]

Also see the Linkit [5] project page.

-------- REPORTED BY ---------------------------------------------------------

* PAULAP [6]

-------- FIXED BY ------------------------------------------------------------

* Emil Stjerneman [7], the module maintainer

-------- COORDINATED BY ------------------------------------------------------

* Greg Knaddison [8] of the Drupal Security Team

-------- CONTACT AND MORE INFORMATION ----------------------------------------

The Drupal security team can be reached at security at drupal.org or via the contact form at http://drupal.org/contact [9].

Learn more about the Drupal Security team and their policies [10], writing secure code for Drupal [11], and securing your site [12].
[1] http://drupal.org/project/linkit
[2] http://drupal.org/security-team/risk-levels
[3] http://drupal.org/project/linkit
[4] http://drupal.org/node/1547716
[5] http://drupal.org/project/linkit
[6] http://drupal.org/user/29978
[7] http://drupal.org/user/464598
[8] http://drupal.org/user/36762
[9] http://drupal.org/contact
[10] http://drupal.org/security-team
[11] http://drupal.org/writing-secure-code
[12] http://drupal.org/security/secure-configuration

------------------------------

Message: 16
Date: Wed, 25 Apr 2012 16:49:20 -0400
From: Michael Wood <itnetsec () gmail com>
Subject: Re: [Full-disclosure] FW: (no subject)
To: imipak <imipak () gmail com>
Cc: Full Disclosure <full-disclosure () lists grok org uk>
Message-ID: <CAKKN48zY3CUdYqusge=On3G5GV3XCspfkR4ywkMaNne+U9o50w () mail gmail com>
Content-Type: text/plain; charset="iso-8859-1"

Lmao

On Apr 25, 2012 4:06 PM, "imipak" <imipak () gmail com> wrote:

> Well, you believe that if you want to, but ask yourself... who benefits?
>
> -i
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
------------------------------

Message: 17
Date: Thu, 26 Apr 2012 07:56:28 +0200
From: Florian Weimer <fw () deneb enyo de>
Subject: [Full-disclosure] [SECURITY] [DSA 2459-1] quagga security update
To: debian-security-announce () lists debian org
Message-ID: <87obqfkpdf.fsf () mid deneb enyo de>
Content-Type: text/plain; charset=us-ascii

-------------------------------------------------------------------------
Debian Security Advisory DSA-2459-1                     security () debian org
http://www.debian.org/security/                                Florian Weimer
April 26, 2012                             http://www.debian.org/security/faq
-------------------------------------------------------------------------

Package        : quagga
Vulnerability  : several
Problem type   : remote
Debian-specific: no
CVE ID         : CVE-2012-0249 CVE-2012-0250 CVE-2012-0255

Several vulnerabilities have been discovered in Quagga, a routing daemon.

CVE-2012-0249

    A buffer overflow in the ospf_ls_upd_list_lsa function in the OSPFv2 implementation allows remote attackers to cause a denial of service (assertion failure and daemon exit) via a Link State Update (aka LS Update) packet that is smaller than the length specified in its header.

CVE-2012-0250

    A buffer overflow in the OSPFv2 implementation allows remote attackers to cause a denial of service (daemon crash) via a Link State Update (aka LS Update) packet containing a network-LSA link-state advertisement for which the data-structure length is smaller than the value in the Length header field.

CVE-2012-0255

    The BGP implementation does not properly use message buffers for OPEN messages, which allows remote attackers impersonating a configured BGP peer to cause a denial of service (assertion failure and daemon exit) via a message associated with a malformed AS4 capability.

This security update upgrades the quagga package to the most recent upstream release. This release includes other corrections, such as hardening against unknown BGP path attributes.

For the stable distribution (squeeze), these problems have been fixed in version 0.99.20.1-0+squeeze1.

For the testing distribution (wheezy) and the unstable distribution (sid), these problems have been fixed in version 0.99.20.1-1.

We recommend that you upgrade your quagga packages.

Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: http://www.debian.org/security/

Mailing list: debian-security-announce () lists debian org

------------------------------

Message: 18
Date: Thu, 26 Apr 2012 09:13:25 +0200
From: Joxean Koret <joxeankoret () yahoo es>
Subject: [Full-disclosure] Oracle TNS Poison vulnerability is actually a 0day with no patch available
To: bugtraq () securityfocus com, full-disclosure () lists grok org uk
Message-ID: <1335424405.13178.274.camel@backup-server>
Content-Type: text/plain; charset="utf-8"

Hi all,

Short history: The remote pre-authenticated vulnerability with CVSS2 10 I published some days ago [1], the vulnerability I called Oracle TNS Poison (reported to vendor in 2008), is a 0day affecting all database versions from 8i to 11g R2. There is no patch at all for this vulnerability and Oracle refuses to write a patch for *ANY* existing versions, even for Oracle 11g R2.
So, yes, ALL versions are vulnerable and will remain vulnerable. As I published many workarounds for this vulnerability, I believe it's better to make this information public so Oracle database customers can protect themselves.

Long history:

Some days ago, after the release of Oracle Critical Patch Update April 2012, a friend of mine told me that Oracle gave me credit in the "Security-In-Depth" program for a vulnerability they fixed. After this, I asked both Oracle and iSightPartners (the company I sold the vulnerability to in 2008) for information about the vulnerability they fixed in this CPU. Oracle told us that the vulnerability with tracking id #13793589 (the TNS poison vulnerability) was the one fixed. As the vulnerability was fixed, there was no reason not to publish information about it any more, and I decided to publish an advisory, a document explaining the vulnerability and a proof of concept.

So far, so good. However, I was suspicious about a statement Oracle people wrote me in an e-mail as, in their words, the vulnerability "was fixed in future releases of the product". Eeeeh... "was" and "in the future"? As it makes no sense, I sent Oracle an e-mail asking for details about the fix:

On 4/19/2012 12:53 PM, Joxean Koret wrote:
(...)
How can customers with current versions installed fix this vulnerability? Do they have to wait until the next version? Just out of curiosity.
And Oracle answered me with excuses ("excusatio non petita, accusatio manifesta"):
We had to make the hard choice of fixing it in the release and not in the CPU because:

* The fix is very complex and it is extremely risky to backport.
* This fix is in a sensitive part of our code where regressions are a concern.
* Customers have requested that Oracle not include such security fixes into Critical Patch Updates that increases the chance of regressions.
As they refused to answer it clearly, I asked them once again in a more simple way about the "fix" for the vulnerability: On 4/23/2012 9:20 AM, Joxean Koret wrote: (..)
Just a final question: Does it mean that all current versions are vulnerable and the vulnerability will only be fixed in next products like, say, 11g R3 or 12g?
And Oracle, believing I'm stupid or something like this, answered me the following:
To protect the interest of our customers, we do not provide this level of detail (like versions affected) for the issues that are addressed as in-depth. The future releases will have the fix.
So, as previously stated, this is a 0day vulnerability with no patch: Oracle refuses to patch the vulnerability in *any* existing version and Oracle refuses to give details about which versions will have the fix. But they say the vulnerability is fixed. Cool.

Oracle security people: next time, don't say that a vulnerability is fixed in a Critical Patch Update if the patch is not published. Your customers are not interested in whether the vulnerability is fixed in your development version; they only care about the vulnerability being fixed in the versions they are using in production systems.

PS: I must admit that, being Oracle, that confusion doesn't surprise me at all.

[1] http://seclists.org/fulldisclosure/2012/Apr/204

Regards,
Joxean Koret

------------------------------

End of Full-Disclosure Digest, Vol 86, Issue 34
***********************************************
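The two OSPF entries in DSA-2459-1 above (CVE-2012-0249, CVE-2012-0250) are both cases of a receiver trusting an LSA's Length field that the packet does not back up. The C check below is an added example, not Quagga's code or anything from the advisory: it validates each LSA's declared Length against the bytes actually present and against an assumed per-type minimum body size taken from RFC 2328, and the sample bytes are constructed.

```c
#include <stdint.h>
#include <stddef.h>
#define OSPF_LSA_HEADER_SIZE 20   /* RFC 2328 A.4.1: 20-byte LSA header, Length field at bytes 18-19 */
enum lsa_check { LSA_OK = 0, LSA_TRUNCATED_HEADER, LSA_BAD_LENGTH, LSA_TRUNCATED_BODY };

/* Smallest type-specific body an LSA of this type can carry (assumed table, taken from
 * RFC 2328 A.4.2 and A.4.3; other LS types are only held to the header minimum here). */
static size_t lsa_min_body(uint8_t ls_type)
{
    switch (ls_type) {
    case 1:  return 4;   /* router-LSA: flags, zero byte, 16-bit link count */
    case 2:  return 8;   /* network-LSA: network mask plus at least the DR's own router ID */
    default: return 0;
    }
}

/* Validate the LSA at buf[0..avail) before anything reads its body: a packet shorter than the
 * declared Length (CVE-2012-0249 shape) and a Length too small for the type's data structure
 * (CVE-2012-0250 shape) are both rejected. lsa_len may be NULL. */
enum lsa_check lsa_check_length(const uint8_t *buf, size_t avail, size_t *lsa_len)
{
    if (avail < OSPF_LSA_HEADER_SIZE)
        return LSA_TRUNCATED_HEADER;                      /* cannot even read the Length field */
    size_t declared = ((size_t)buf[18] << 8) | buf[19];  /* big-endian 16-bit Length */
    if (declared < OSPF_LSA_HEADER_SIZE + lsa_min_body(buf[3]))
        return LSA_BAD_LENGTH;                            /* shorter than header + minimum body */
    if (declared > avail)
        return LSA_TRUNCATED_BODY;                        /* header promises bytes the packet lacks */
    if (lsa_len) *lsa_len = declared;
    return LSA_OK;
}

/* Walk an LS Update body (4-byte LSA count, then LSAs back to back), checking each LSA before
 * advancing over it. Returns the number of LSAs accepted, or -1 at the first bad one. */
int ls_update_count_valid(const uint8_t *body, size_t body_len)
{
    if (body_len < 4) return -1;
    uint32_t n = ((uint32_t)body[0] << 24) | ((uint32_t)body[1] << 16) | ((uint32_t)body[2] << 8) | body[3];
    size_t off = 4;
    int accepted = 0;
    for (uint32_t i = 0; i < n; i++, accepted++) {
        size_t len;
        if (lsa_check_length(body + off, body_len - off, &len) != LSA_OK) return -1;
        off += len;
    }
    return accepted;
}

/* Constructed samples, not captured traffic. good_lsa: router-LSA (type 1), Length=24, 4-byte body. */
static const uint8_t good_lsa[24] = {
    0x00,0x01, 0x02, 0x01, 0xc0,0xa8,0x00,0x01, 0xc0,0xa8,0x00,0x01,
    0x80,0x00,0x00,0x01, 0x00,0x00, 0x00,0x18, 0x00,0x00,0x00,0x01 };
/* An LS Update body carrying exactly that one LSA (count = 1). */
static const uint8_t good_update[28] = {
    0x00,0x00,0x00,0x01, 0x00,0x01, 0x02, 0x01, 0xc0,0xa8,0x00,0x01, 0xc0,0xa8,0x00,0x01,
    0x80,0x00,0x00,0x01, 0x00,0x00, 0x00,0x18, 0x00,0x00,0x00,0x01 };
/* Network-LSA (type 2) whose Length (22) is below the 28 bytes its structure needs. */
static const uint8_t short_net_lsa[22] = {
    0x00,0x01, 0x02, 0x02, 0xc0,0xa8,0x00,0x01, 0xc0,0xa8,0x00,0x01,
    0x80,0x00,0x00,0x01, 0x00,0x00, 0x00,0x16, 0xff,0xff };
```

Calling ls_update_count_valid on good_update with its full 28 bytes accepts the single LSA, while passing only 27 bytes makes the same LSA fail as truncated before any body field is read.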