Bernhard Mueller | 1 Nov 2007 13:06

SEC Consult SA-20071101-0 :: Multiple Vulnerabilities in SonicWALL SSL-VPN Client

SEC Consult Security Advisory < 20071101-0 >
=====================================================================================
                  title: Multiple vulnerabilities in SonicWALL SSL-VPN Client
                         * Deletion of arbitrary files on the client
                         * Arbitrary code execution through various buffer overflows
                program: SonicWALL SSL-VPN
     vulnerable version: SonicWALL SSL-VPN 1.3.0.3
                         WebCacheCleaner ActiveX Control 1.3.0.3
                         NeLaunchCtrl ActiveX Control 2.1.0.49
               homepage: www.sonicwall.com
                  found: 04-23-2007
                     by: lofi42
             perm. link: http://www.sec-consult.com/303.html
=====================================================================================

Vendor description:
---------------

SonicWALL SSL-VPN solutions can be configured to provide users with
easy-to-use, secure and clientless remote access to a broad range of
resources on the corporate network.

Vulnerability overview:
---------------

The SonicWALL SSL-VPN solution comes with various ActiveX Controls which
allow users to access the VPN with Internet Explorer. These controls
contain various vulnerabilities. An attacker could take control of the
(Continue reading)

kingoftheworld92 | 1 Nov 2007 13:59

Synergiser <= 1.2 RC1 Local File Inclusion & Full path disclosure

---------------------------------------------------------------
 ____            __________         __             ____  __   
/_   | ____     |__\_____  \  _____/  |_          /_   |/  |_ 
 |   |/    \    |  | _(__  <_/ ___\   __\  ______  |   \   __\
 |   |   |  \   |  |/       \  \___|  |   /_____/  |   ||  |  
 |___|___|  /\__|  /______  /\___  >__|            |___||__|  
          \/\______|      \/     \/                         
---------------------------------------------------------------

Http://www.inj3ct-it.org 	     Staff[at]inj3ct-it[dot]org 
Original here: http://www.inj3ct-it.org/exploit/syner.txt

---------------------------------------------------------------

Synergiser <= 1.2 RC1 Local File Inclusion & Full path disclosure

---------------------------------------------------------------

#By KiNgOfThEwOrLd

---------------------------------------------------------------
PoC:
---------------------------------------------------------------
Synergiser CMS allows including a file via the GET variable "page". We can't include a remote file, because
there is a filter, but we can include, by directory traversal, some important files, for example:
---------------------------------------------------------------
http://[target]/[synergiser_path]/index.php?page=../../../etc/passwd

---------------------------------------------------------------
So, we have to know the script path if we want to browse the server. We can get it by generating a full path
disclosure, like this:
---------------------------------------------------------------
(Continue reading)

secse08 | 1 Nov 2007 15:16

CFP: International workshop on Secure Software Engineering - Deadline extended!

Call for papers: Second International Workshop on Secure Software Engineering

In conjunction with ARES 2008
Barcelona, Catalonia, March 4th-7th 2008 

Suggested topics include, but are not limited to:
- Secure architecture and design
- Security in agile software development
- Aspect-oriented software development for secure software
- Security requirements
- Risk management in software projects
- Secure implementation
- Secure deployment
- Testing for security
- Quantitative measurement of security properties
- Static and dynamic analysis for security
- Verification and assurance techniques for security properties
- Lessons learned
- Security and usability
- Teaching secure software development
- Experience reports on successfully attuning developers to secure software engineering 

Submission Deadline:   
=====================
November 15th 2007 (Firm!)

See the full CFP at: http://www.sintef.no/secse


Henrik Langos | 1 Nov 2007 13:17

Re: Comments re ISC's announcement on bind9 security

Dear Shane,

I have no deep insight into the development of bind8/9, nor do I follow
their security track record close enough to judge any of your points
regarding its security.

I beg to differ on a point of terminology though. 

On Wed, Oct 31, 2007 at 02:44:35PM +0100, Shane Kerr wrote:
>
> My own take on it is that "crypto" implies that
> information is hidden in some way. 

The "information hidden in some way" is the next sequence number. Since
you are using a PRNG in an open source application, there is no secret in
the algorithm but only in the inner state of your PRNG, which is determined
by its initial state and the number of rounds it has been going
for. (simplifying a bit here)

If the claim is true that the next sequence number generated by the PRNG
of bind9 can be guessed after seeing about a dozen of them, then the
"hidden information" is revealed to an attacker.

This to me seems to validate usage of the term "weak crypto".

> Not all security-related technology is
> cryptography. For instance, putting per-user limits on resources prevents
> certain kinds of denial-of-service attacks, but it is certainly not "crypto".
> 
> Because a lot of techniques in cryptography require good random numbers, it has
(Continue reading)

Guns | 1 Nov 2007 16:39

sBlog 0.7.3 Beta Cross Site Request Forgery

<!--
- Product : sBlog 
-
- Version : 0.7.3 Beta
-
- Website : http://www.sblog.se

-
- Author  : 0x90
-
- Homepage: WwW.0x90.CoM.Ar 
-
- Contact : Guns[at]0x90[dot]com[dot]ar    
-
- Problem : Cross Site Request Forgery Vulnerability
-
- Summary : sBlog has, by default, no CSRF protection. This may allow an attacker
to change any block by tricking a victim with admin privileges
into visiting a specially forged web page (even on a totally different server)
that sends a request to change one block on the site. The
victim does not know that the form was sent. If the victim has admin
privileges the exploit will succeed, otherwise nothing will happen.
-
- Note    : I recommend stealing the cookie ;)
-
- Greetz  : xiam ;)  Visit: xiam.be
-->

<script type="text/javascript">
window.onload = function() {
   var url = "http://[URL]/blocks_edit_do.php";
(Continue reading)

Paolo Perego | 1 Nov 2007 14:08

(tool announce) Orizon v0.50 announce

Hi there, I'd like to announce, as the deliverable of my OWASP Spring of Code
2007 project, the 0.50 release of Orizon.

Orizon is a source code review engine, built with the aim to give
developers something usable to build code review tools.

Orizon is independent of the language used to write the sources,
because its APIs translate the code into an XML file, and APIs are
provided to apply security checks over the translated XML file.

For now only the Java programming language is supported in XML translation,
but I'm planning to add C# support very soon.

Orizon is written in Java and is provided with a small default library
containing 20 security checks.

Orizon is waiting for developers wanting to extend the engine and
also people who want to provide further security checks to be added
to the library.

It would be great to have your feedback, your opinions, and your bug
reports in order to improve my project.

Links:
Orizon site: http://orizon.sourceforge.net
Milk site, a code review tool I'm writing and that uses Orizon:
http://milk.sourceforge.net

Regards,
thesp0nge
(Continue reading)

skien | 1 Nov 2007 18:37

Re: Airkiosk/formlib application is XSS vuln

Raymond Pete wrote:
> Had "Skein" posted to this group (bugtraq) asking for contact
> information he would have received a response.  His posting here is
> inaccurate and speculative.

speculative? why?

> 
> DESCRIPTION:
> 
> The 3rd party module formlib.pl contained an error in handling/printing
> of unsanitized Input data, which could lead to a malicious user
> injecting code into the users displayed page via a custom generated
> link, if this subroutine was called AND the users browser does not
> encode the input string.
>

This is inaccurate.
There is another way to use your vuln (not by typing it directly into
the browser): the problem of input encoding can be easily overcome using
a POST method that does not encode the input, or Flash/ActionScript.

So re-creating a web banner that links to your application with a new
page (document.write) via .js isn't very difficult to do.

> SECURITY IMPLICATIONS:
> 
> Low.  "Skein" has written separately (not on bugtraq) that the danger
> was "for who want to steal cookies."  This speculation concerns sessions
> in which cookies are involved.   However, the AirKiosk system does not
(Continue reading)

Juha-Matti Laurio | 1 Nov 2007 19:16

Cryptome: NSA has access to Windows Mobile smartphones

The widely known Web site Cryptome has released information about backdooring Microsoft Windows machines today.

According to the post, the National Security Agency has access to both stand-alone systems and networks running
Microsoft products.

The post states the following:
"This includes wireless wiretapping of “smart phones” running Microsoft Mobile.
Microsoft remote administrative privileges allow “backdooring” into Microsoft operating systems
via IP/TCP ports 1024 through 1030."

According to Cryptome's source this is typically triggered when devices visit Microsoft Update servers.

Cryptome.org:
http://cryptome.org/nsa-ip-update11.htm

SecuriTeam Blogs:
http://blogs.securiteam.com/?p=1028

- Juha-Matti

research | 1 Nov 2007 18:20

Two XSS on Blue Coat ProxySG Management Console

PR07-29: Two XSS on Blue Coat ProxySG Management Console

Vulnerability found: 23 July 2007

Vendor informed: 20 August 2007

Vulnerability fixed: 29 October 2007

Advisory publicly released: 1 November 2007

Severity: Medium

Description: 

Blue Coat SG400 is vulnerable to a couple of XSS holes.

Vulnerable server-side script / unfiltered parameter:
'/Secure/Local/console/install_upload_action/crl_format' / 'name'

Vulnerable server-side script / unfiltered parameter:
'/Secure/Local/console/install_upload_from_file.htm' / 'file'

Notes:

The admin user needs to be authenticated (HTTP basic authentication) for the injected JavaScript to run.


Successfully tested on:

Model: Blue Coat SG400 
(Continue reading)

Raymond Pete | 1 Nov 2007 17:39

Re: Airkiosk/formlib application is XSS vuln

Had "Skein" posted to this group (bugtraq) asking for contact
information he would have received a response.  His posting here is
inaccurate and speculative.

DESCRIPTION:

The 3rd party module formlib.pl contained an error in handling/printing
of unsanitized Input data, which could lead to a malicious user
injecting code into the users displayed page via a custom generated
link, if this subroutine was called AND the users browser does not
encode the input string.

SECURITY IMPLICATIONS:

Low.  "Skein" has written separately (not on bugtraq) that the danger
was "for who want to steal cookies."  This speculation concerns sessions
in which cookies are involved.   However, the AirKiosk system does not
rely on cookies for session management.  The AirKiosk system does not
use cookies at all, and we discourage their use generally.

STATUS:

formlib.pl has been patched where applicable and possible code injection
is no longer possible.  

Raymond Pete
Operations Director, AirKiosk Systems
Sutra, Inc.

On Tue, 2007-10-30 at 00:40 +0000, skienlab <at> gmail.com wrote:
(Continue reading)


Gmane