schwartz | 1 Nov 19:25 2009

Re: TwonkyMedia Server Multiple Cross-Site Scripting Vulnerabilities

I'm Product Manager for the company that makes TwonkyMedia software. According to our lead developer,
this issue has already been addressed in our next release.

- Rick

Reminder for DeepSec 2009 Conference

== DeepSec In-Depth Security Conference 2009 "TripleSec" ==

This is a reminder for the third DeepSec conference, taking place between
17th and 20th November at the Imperial Riding School Renaissance Hotel.

== Schedule ==

The schedule of all presentations can be found on our web site:
https://deepsec.net/schedule/

Random speaker and content from the schedule:

Karsten Nohl from H4RDW4RE will present the latest developments on his project
to break A5/1 with the help of pre-computed tables, as announced at HAR 2009.
Karsten Nohl says that a public PoC on cracking GSM's encryption is
necessary to raise awareness about the risks of sending sensitive information
over GSM networks. In March 2008 the finalisation of A5/1 rainbow tables was
announced but never released in public; the first academic attacks date back
even to 1997. Today it is believed that agencies and well-funded
organizations have access to efficient A5/1 crackers. Publishing a practical
attack in public will give better awareness about the situation of an
encryption scheme that was designed and developed in the 1980s and is still
used today.

More talks at the conference! - https://deepsec.net/register/

== Sponsors ==

We would like to thank our sponsors that have supported the conference:
Microsoft, Sourcefire, Global Knowledge, The British Bookshop, Viennese
(Continue reading)

ACROS Lists | 2 Nov 17:08 2009

ACROS Security: HTML Injection in Oracle WebLogic Server Console (ASPR #2009-10-30-1)

=====[BEGIN-ACROS-REPORT]=====

PUBLIC

=========================================================================
ACROS Security Problem Report #2009-10-30-1
-------------------------------------------------------------------------
ASPR #2009-10-30-1: HTML Injection in Oracle WebLogic Server Console
=========================================================================

Document ID:     ASPR #2009-10-30-1-PUB
Vendor:          Oracle (http://www.oracle.com)
Target:          Oracle WebLogic Server 10.3
Impact:          There is an HTML Injection vulnerability in WebLogic
                 Server 10.3 Administration Console that allows the
                 attacker to gain administrative access to the server.
Severity:        High
Status:          Official patch available, workarounds available
Discovered by:   Luka Treiber of ACROS Security

Current version 
   http://www.acrossecurity.com/aspr/ASPR-2009-10-30-1-PUB.txt

Summary
=======

There is an HTML Injection vulnerability in WebLogic Server 10.3
Administration Console that allows the attacker to gain administrative
access to the server. It is possible to craft such a URL that will, when
requested from the server, return a document with arbitrarily chosen HTML
(Continue reading)

Steffen Joeris | 1 Nov 12:08 2009

[SECURITY] [DSA 1924-1] New mahara packages fix several vulnerabilities


------------------------------------------------------------------------
Debian Security Advisory DSA-1924-1                  security <at> debian.org
http://www.debian.org/security/                      Steffen Joeris
October 31, 2009                      http://www.debian.org/security/faq
------------------------------------------------------------------------

Package        : mahara
Vulnerability  : several vulnerabilities
Problem type   : remote
Debian-specific: no
CVE IDs        : CVE-2009-3298 CVE-2009-3299

Two vulnerabilities have been discovered in mahara, an electronic portfolio,
weblog, and resume builder.  The Common Vulnerabilities and Exposures
project identifies the following problems:

CVE-2009-3298

Ruslan Kabalin discovered an issue with resetting passwords, which could
lead to a privilege escalation of an institutional administrator
account.

CVE-2009-3299

Sven Vetsch discovered a cross-site scripting vulnerability via the
resume fields.

For the stable distribution (lenny), these problems have been fixed in
version 1.0.4-4+lenny4.
(Continue reading)

Steffen Joeris | 1 Nov 12:08 2009

[SECURITY] [DSA 1925-1] New proftpd-dfsg packages fix SSL certificate verification weakness


------------------------------------------------------------------------
Debian Security Advisory DSA-1925-1                  security <at> debian.org
http://www.debian.org/security/                      Steffen Joeris
October 31, 2009                      http://www.debian.org/security/faq
------------------------------------------------------------------------

Package        : proftpd-dfsg
Vulnerability  : insufficient input validation
Problem type   : remote
Debian-specific: no
CVE Id         : CVE-2009-3639

It has been discovered that proftpd-dfsg, a virtual-hosting FTP daemon,
does not properly handle a '\0' character in a domain name in the
Subject Alternative Name field of an X.509 client certificate, when the
dNSNameRequired TLS option is enabled.

For the stable distribution (lenny), this problem has been fixed in
version 1.3.1-17lenny4.

For the oldstable distribution (etch), this problem has been fixed in
version 1.3.0-19etch3.

Binaries for the amd64 architecture will be released once they are
available.

For the testing distribution (squeeze) and the unstable distribution
(sid), this problem has been fixed in version 1.3.2a-2.

(Continue reading)

Vladimir '3APA3A' Dubrovin | 2 Nov 19:37 2009

Re: {PRL} Multiple Panda Security Products Local Privilege Escalation Vulnerability

Dear Protek Research Lab,

I have a deja-vu. http://securityvulns.ru/Odocument175.html The same problem
has existed since 2006, with the same reaction (total ignorance) from Panda
developers.

--Saturday, October 31, 2009, 5:24:38 PM, you wrote to bugtraq <at> securityfocus.com:

PRL> #####################################################################################

PRL> Application:  Panda Global Protection 2010
PRL>           Panda Internet Security 2010                

PRL> Platforms:    Windows XP Professional SP & windows Vista SP1

PRL> Exploitation: Local Privilege Escalation

PRL> Date:         2009-10-27

PRL> Author:       Francis Provencher (Protek Research Lab's) 

PRL>           
PRL> #####################################################################################

PRL> 1) Introduction
PRL> 2) Technical details
PRL> 3) The Code (N/A)

PRL> #####################################################################################

(Continue reading)

Martin Rex | 2 Nov 18:53 2009

Re: /proc filesystem allows bypassing directory permissions on

Jim Paris wrote:
> 
> > Therefore it's totally of no influence what you do with the original
> > directory permission. File access has nothing to do with directory
> > permissions...!
> 
> Right.  However the whole point of this discussion is that that is a
> non-obvious point, there was no other way that the user could have
> opened that file without the use of /proc.

The actual fallacy of the "problem report" is the flawed assumption
about what a link count of 1 tells you.

The link count of a file tells you the number of hard links that
are persisted within the same filesystem.  It is _NOT_ a promise
that there are no other means to access the inode of the file.

/proc creates a virtual reference to an inode, and since it is
virtual (and in a different filesystem) and not persisted in the
original filesystem, you will not see it in the link count of
the original filesystem.

There may be other (virtual) filesystems with similar features.
Some Linux distros with Live-CDs (such as Knoppix) use some sort
of Overlay filesystem (UNIONFS) which is also purely virtual;
none of the changes in the UNIONFS are persisted into the
underlying filesystem.  The inode is part of the administrative
data to manage the filesystem space & usage.

It is simply inappropriate for an application to draw invalid
(Continue reading)

Pavel Machek | 2 Nov 20:53 2009

Re: /proc filesystem allows bypassing directory permissions on

On Mon 2009-11-02 18:53:19, Martin Rex wrote:
> Jim Paris wrote:
> > 
> > > Therefore it's totally of no influence what you do with the original
> > > directory permission. File access has nothing to do with directory
> > > permissions...!
> > 
> > Right.  However the whole point of this discussion is that that is a
> > non-obvious point, there was no other way that the user could have
> > opened that file without the use of /proc.
> 
> The actual fallacy of the "problem report" is the flawed assumption
> about what a link count of 1 tells you.
> 
> The link count of a file tells you the number of hard links that
> are persisted within the same filesystem.  It is _NOT_ a promise
> that there are no other means to access the inode of the file.

It used to be a promise before /proc was mounted.

> /proc creates a virtual reference to an inode, and since it is
> virtual (and in a different filesystem) and not persisted in the
> original filesystem, you will not see it in the link count of
> the original filesystem.

Well, there _may_ be other filesystems with similar features, but they
are neither common nor mounted by default. 

Normally, mounting filesystems does not change the security properties of
the rest of the system; and it should be possible to fix that in this case.
(Continue reading)

NSO Research | 2 Nov 21:14 2009

NSOADV-2009-001: Symantec ConsoleUtilities ActiveX Control Buffer Overflow

_________________________________________
Security Advisory NSOADV-2009-001
_________________________________________
_________________________________________

  Title:                  Symantec ConsoleUtilities ActiveX Control
                          Buffer Overflow
  Severity:               Critical
  Advisory ID:            NSOADV-2009-001
  Found Date:             09.09.2009
  Date Reported:          15.09.2009
  Release Date:           02.11.2009
  Author:                 Nikolas Sotiriu
  Mail:                   nso-research at sotiriu.de
  URL:                    http://sotiriu.de/adv/NSOADV-2009-001.txt
  Vendor:                 Symantec (http://www.symantec.com/)
  Affected Products:      Symantec Altiris Notification Server 6.x
                          Symantec Management Platform 7.0.x
                          Symantec Altiris Deployment Solution 6.9.x
  Affected Component:     ConsoleUtilities ActiveX Control V.6.0.0.1846
  Not Affected Component: ConsoleUtilities ActiveX Control V.6.0.0.2000
  Remote Exploitable:     Yes
  Local Exploitable:      No
  CVE-ID:                 CVE-2009-3031
  Patch Status:           Vendor released a patch
  Discovered by:          Nikolas Sotiriu
  Disclosure Policy:      http://sotiriu.de/policy.html
  Thanks to:              Thierry Zoller: For the permission to use his
                                          Policy

(Continue reading)

Marc Deslauriers | 2 Nov 22:46 2009

[USN-850-3] poppler vulnerabilities

===========================================================
Ubuntu Security Notice USN-850-3          November 02, 2009
poppler vulnerabilities
CVE-2009-3603, CVE-2009-3604, CVE-2009-3607, CVE-2009-3608,
CVE-2009-3609
===========================================================

A security issue affects the following Ubuntu releases:

Ubuntu 9.10

This advisory also applies to the corresponding versions of
Kubuntu, Edubuntu, and Xubuntu.

The problem can be corrected by upgrading your system to the
following package versions:

Ubuntu 9.10:
  libpoppler-glib4                0.12.0-0ubuntu2.1
  libpoppler5                     0.12.0-0ubuntu2.1

In general, a standard system upgrade is sufficient to effect the
necessary changes.

Details follow:

USN-850-1 fixed vulnerabilities in poppler. This update provides the
corresponding updates for Ubuntu 9.10.

Original advisory details:
(Continue reading)
