security | 1 Mar 2012 09:16

[ MDVSA-2012:028 ] libxslt


 _______________________________________________________________________

 Mandriva Linux Security Advisory                         MDVSA-2012:028
 http://www.mandriva.com/security/
 _______________________________________________________________________

 Package : libxslt
 Date    : March 1, 2012
 Affected: 2010.1, 2011., Enterprise Server 5.0
 _______________________________________________________________________

 Problem Description:

 A vulnerability has been found and corrected in libxslt:

 libxslt allows remote attackers to cause a denial of service
 (out-of-bounds read) via unspecified vectors (CVE-2011-3970).

 The updated packages have been patched to correct this issue.
 _______________________________________________________________________

 References:

 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3970
 _______________________________________________________________________

 Updated Packages:

 Mandriva Linux 2010.1:

David Guimaraes | 1 Mar 2012 14:49

phxEventManager 2.0 beta 5 search.php search_terms SQL Injection Vulnerability

# Exploit Title: phxEventManager 2.0 beta 5 search.php search_terms SQL Injection Vulnerability
# Date: 01/03/2012
# Author: skysbsb
# Software Link: http://sourceforge.net/projects/phxeventmanager/
# Version: Web Application
# Tested on: Apache/*nix
# Dork: intext: "Powered by phxEventManager"
# Code :

Exploited Link :
 
URL: http://vulnsite.com/path_to_pem/search.php?
POSTDATA: datasubmit=1&searchtype=events&s_event_names=on&s_event_descriptions=on&s_event_presenters=on&s_event_contacts=on&search_terms='

Result:

MDB2 Error: syntax error, _doQuery: [Error message: Could not execute statement] [Last executed query: SELECT * FROM pem_entries as e, pem_dates as d WHERE e.id = d.entry_id AND () AND e.entry_status != 2 AND d.date_status != 2 AND (e.entry_visible_to_public = 1 AND d.date_visible_to_public = 1) AND (e.entry_status != 0 AND d.date_status != 0) AND d.when_begin >= DATE_SUB(CURDATE(),INTERVAL 1 YEAR) ] [Native code: 1064] [Native message: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ') AND e.entry_status != 2 AND d.date_status != 2 AND (e.entry_visible_to_public ' at line 1]

#skysbsb mailto:skysbsb[atttt]gmail.com



--
David Gomes Guimarães
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
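
The MDB2 error in the post shows the clause that search_terms feeds collapsing to `AND ()`. As an added example (not phxEventManager's code), here is a minimal reconstruction of that search-clause construction, with a strip-and-interpolate builder beside a parameterized one; table, column and form-field names come from the post, while the schema, the sample rows and the assumption that terms were filtered by stripping are constructed for this demo.

```python
import re
import sqlite3

# Checkbox name -> column it enables; names taken from the POST body in the post.
SEARCHABLE = {
    "s_event_names": "e.entry_name",
    "s_event_descriptions": "e.entry_description",
    "s_event_presenters": "e.entry_presenters",
    "s_event_contacts": "e.entry_contacts",
}

# Skeleton of the query quoted in the MDB2 error, reduced to the parts that matter here.
BASE = ("SELECT e.id FROM pem_entries AS e, pem_dates AS d "
        "WHERE e.id = d.entry_id AND {where} AND e.entry_status != 2")


def _columns(form):
    return [col for key, col in SEARCHABLE.items() if form.get(key) == "on"]


def build_naive(form):
    """Strip-then-interpolate.  That the real code filtered terms this way is an
    assumption; it is one way to arrive at the empty 'AND ()' clause in the
    advisory: a lone ' is stripped to nothing, no term survives, and the
    statement that is built is malformed.  Legitimate apostrophes are mangled too."""
    cols = _columns(form)
    stripped = (re.sub(r"\W", "", w) for w in form.get("search_terms", "").split())
    words = [w for w in stripped if w]
    ors = [f"{c} LIKE '%{w}%'" for w in words for c in cols]
    return BASE.format(where="(" + " OR ".join(ors) + ")"), []


def build_parameterized(form):
    """Bound parameters: the term reaches the driver as data, unchanged, and an
    empty term list is refused before any SQL exists."""
    cols = _columns(form)
    words = form.get("search_terms", "").split()
    if not cols or not words:
        raise ValueError("nothing to search for")
    ors = [f"{c} LIKE ?" for _ in words for c in cols]
    params = [f"%{w}%" for w in words for _ in cols]
    return BASE.format(where="(" + " OR ".join(ors) + ")"), params


def make_db():
    """Constructed in-memory stand-in for the pem_* tables."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE pem_entries(id INTEGER, entry_name TEXT, entry_description TEXT,
                                 entry_presenters TEXT, entry_contacts TEXT, entry_status INTEGER);
        CREATE TABLE pem_dates(entry_id INTEGER);
        INSERT INTO pem_entries VALUES (1, 'Bob''s Talk', 'intro', 'bob', 'bob@example.test', 1);
        INSERT INTO pem_entries VALUES (2, 'Workshop', 'hands-on', 'alice', 'alice@example.test', 1);
        INSERT INTO pem_dates VALUES (1), (2);
    """)
    return conn


def search(conn, form, builder):
    sql, params = builder(form)
    return [row[0] for row in conn.execute(sql, params)]


def demo():
    """Runs both builders on the POST body from the post (search_terms = ')
    and on two ordinary searches; returns a dict of outcomes."""
    conn = make_db()
    form = {"datasubmit": "1", "searchtype": "events", "s_event_names": "on",
            "s_event_descriptions": "on", "s_event_presenters": "on",
            "s_event_contacts": "on", "search_terms": "'"}

    def naive_breaks(f):
        try:
            search(conn, f, build_naive)
            return False
        except sqlite3.OperationalError:   # SQLite's counterpart of MySQL error 1064
            return True

    return {
        "naive_breaks_on_quote": naive_breaks(form),
        "naive_apostrophe_name": search(conn, dict(form, search_terms="Bob's"), build_naive),
        "param_quote": search(conn, form, build_parameterized),
        "param_apostrophe_name": search(conn, dict(form, search_terms="Bob's"), build_parameterized),
        "param_alice": search(conn, dict(form, search_terms="alice"), build_parameterized),
    }
```

The naive builder both fails on the advisory's input and silently loses the row whose name contains an apostrophe; the parameterized one treats the quote as ordinary data in both cases.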
Christian Sciberras | 1 Mar 2012 15:03

Re: Anon war?- arrests

> Go back to your elite hacker club anonops then. Come back with something real these kids have done.

.....other than trolling.


Valdis.Kletnieks | 1 Mar 2012 15:41

Re: Anon war?- arrests

On Wed, 29 Feb 2012 18:49:27 +0200, Julius Kivimäki said:
> What "list" are you talking about? Are you perhaps implying that these kids
> would be capable of things other than ordering some pizzas to people?

They can also order subs to people.

Which is pretty funny when UPS tries to deliver a Trident class to a street address. :)

FlashFXP v4.1.8.1701 - Buffer Overflow Vulnerability

Title:
======
FlashFXP v4.1.8.1701 - Buffer Overflow Vulnerability

Date:
=====
2012-03-01

References:
===========
http://www.vulnerability-lab.com/get_content.php?id=462

VL-ID:
=====
462

Introduction:
=============
FlashFXP is an FTP (File Transfer Protocol) client for Windows; it offers you easy and fast ways to transfer
any file between other local computers (LAN - Local Area Network) running an FTP server or via the Internet
(WAN - Wide Area Network) and even directly between two servers using Site to Site transfers (FXP - File
eXchange Protocol). Use FlashFXP to publish and maintain your website, upload and download documents, photos,
videos, music and more! Share your files with your friends and co-workers using the powerful site manager.
There are many features and advanced options available within FlashFXP which are being added with the release
of each new version, stable or beta*. The software is available in over 20 languages and under active
development. FlashFXP offers high security, performance, and reliability that you can always depend on to get
your job done swiftly and efficiently.

(Copy of the Vendor Homepage: http://www.flashfxp.com)

Abstract:
=========
The Vulnerability Laboratory Research Team discovered a Buffer Overflow Vulnerability on FlashFXP v4.1.8.1701.

Report-Timeline:
================
2012-02-27:	Vendor Notification
2012-02-28:	Vendor Response/Feedback
2012-03-01:	Public or Non-Public Disclosure

Status:
========
Published

Affected Products:
==================
OpenSight Software
Product: FlashFXP Software Client v4.1.8.1701

Exploitation-Technique:
=======================
Local

Severity:
=========
High

Details:
========
A Buffer Overflow Vulnerability is detected in FlashFXP's Software Client v4.1.8.1701. The vulnerability is
located in the processing that forces a ListIndex Out of Bound(s) exception, which allows an attacker to
overwrite ecx & eip of the affected software process. Successful exploitation can result in process
compromise, execution of arbitrary code, system compromise or escalation with the privileges of the affected
vulnerable software process.

The flaw is a direct result of a fixed length buffer being used in the TListBox control and the 
lack of range checking. The code assumes that the string returned by the listbox control will be 
less than 4097 characters. It uses a fixed size buffer of 4096 bytes and any text longer than this 
will overflow and overwrite the memory beyond it. The TComboBox control also suffers a similar flaw.

Vulnerable Module(s):
						[+] List Index & Exception Handling [TListBox]

Picture(s):
						../1.png
						../2.png
						../3.png
						../4.png
						../5.png

Proof of Concept:
=================
The vulnerability can be exploited by local & remote attackers. For demonstration or to reproduce ...

Manually reproduce ...

1. Download & open the software client
2. Connect to a random server for interaction
3. Enable the Option Settings => Filters => Skip-List
4. Open the Option => Filter Settings
5. Add a new (Skip-List) one by including a large unicode string & wait for the exception handling
6. The exception-handling out of bounds comes up
7. You pass it 2 times by clicking continue ...
8. The software is now crashing with a stable BEX exception & displays input as offset[6]
9. Now you can overwrite the ecx & eip of the affected vulnerable software process to exploit the client system

Note: To exploit the bug (remote) an attacker needs to know the included filters of the connected client to send large strings.

--- Exception Error #1 ---
date/time         : 2012-02-28, 16:38:58, 531ms
computer name     : HOSTBUSTER
user name         : Rem0ve
operating system  : Windows 7 Tablet PC x64 Service Pack 1 build 7601
system language   : German
system up time    : 5 days 13 hours
program up time   : 7 minutes 2 seconds
processors        : 2x Intel(R) Core(TM)2 Duo CPU T6600 @ 2.20GHz
physical memory   : 2243/4091 MB (free/total)
free disk space   : (C:) 207,54 GB
display mode      : 1366x768, 32 bit
process id        : $16fc
allocated memory  : 50,75 MB
executable        : FlashFXP.exe
exec. date/time   : 2012-01-15 22:45
executable hash   : 34A53BD60479975EA6DAAB55B8D878B4
version           : 4.1.8.1701
ANSI code page    : 1252
callstack crc     : $1083d124, $c40af1d7, $90cfaf70
exception number  : 1
exception class   : EStringListError
exception message : List index out of bounds (0).

--- Exception Error #2 ---
date/time         : 2012-02-28, 16:39:57, 530ms
computer name     : HOSTBUSTER
user name         : Rem0ve
operating system  : Windows 7 Tablet PC x64 Service Pack 1 build 7601
system language   : German
system up time    : 5 days 13 hours
program up time   : 8 minutes
processors        : 2x Intel(R) Core(TM)2 Duo CPU T6600 @ 2.20GHz
physical memory   : 2220/4091 MB (free/total)
free disk space   : (C:) 207,54 GB
display mode      : 1366x768, 32 bit
process id        : $16fc
allocated memory  : 66,67 MB
executable        : FlashFXP.exe
exec. date/time   : 2012-01-15 22:45
executable hash   : 34A53BD60479975EA6DAAB55B8D878B4
version           : 4.1.8.1701
ANSI code page    : 1252
callstack crc     : $b94d6925, $57f8c46d, $8f2c6734
exception number  : 2
exception class   : EStringListError
exception message : List index out of bounds (0).

--- Exception BEX #3  (Overwrite) ---
Version=1
EventType=BEX
EventTime=129749175156198070
ReportType=2
Consent=1
ReportIdentifier=34b76897-6223-11e1-afbd-c4a714168486
IntegratorReportIdentifier=34b76896-6223-11e1-afbd-c4a714168486
WOW64=1
Response.type=4
Sig[0].Name=Anwendungsname
Sig[0].Value=FlashFXP.exe
Sig[1].Name=Anwendungsversion
Sig[1].Value=4.1.8.1701
Sig[2].Name=Anwendungszeitstempel
Sig[2].Value=2a425e19
Sig[3].Name=Fehlermodulname
Sig[3].Value=StackHash_e98d
Sig[4].Name=Fehlermodulversion
Sig[4].Value=0.0.0.0
Sig[5].Name=Fehlermodulzeitstempel
Sig[5].Value=00000000
Sig[6].Name=Ausnahmeoffset
Sig[6].Value=41414141                   <= ECX | EIP 
Sig[7].Name=Ausnahmecode
Sig[7].Value=c0000005
Sig[8].Name=Ausnahmedaten
Sig[8].Value=00000008
DynamicSig[1].Name=Betriebsystemversion
DynamicSig[1].Value=6.1.7601.2.1.0.768.3
DynamicSig[2].Name=Gebietsschema-ID
DynamicSig[2].Value=1031
DynamicSig[22].Name=Zusatzinformation 1
DynamicSig[22].Value=e98d
DynamicSig[23].Name=Zusatzinformation 2
DynamicSig[23].Value=e98dfca8bcf81bc1740adb135579ad53
DynamicSig[24].Name=Zusatzinformation 3
DynamicSig[24].Value=6eab
DynamicSig[25].Name=Zusatzinformation 4
DynamicSig[25].Value=6eabdd9e0dc94904be3b39a1c0583635
UI[2]=C:\Program Files (x86)\FlashFXP 4\FlashFXP.exe
UI[3]=FlashFXP funktioniert nicht mehr
UI[4]=Windows kann online nach einer Lösung für das Problem suchen.
UI[5]=Online nach einer Lösung suchen und das Programm schließen
UI[6]=Später online nach einer Lösung suchen und das Programm schließen
UI[7]=Programm schließen
...
FriendlyEventName=Nicht mehr funktionsfähig
ConsentKey=BEX
AppName=FlashFXP
AppPath=C:\Program Files (x86)\FlashFXP 4\FlashFXP.exe

Reference(s):
			../AppCrash_FlashFXP.exe_cb63a668207dbeae0f33144dffb1e66eae843_0a310ac0
			../AppCrash_FlashFXP.exe_cb63a668207dbeae0f33144dffb1e66eae843_07c4b531
			../bugreport1.txt
			../bugreport2.txt
			../video-poc-demo.wmv

Risk:
=====
The security risk of the buffer overflow vulnerability is estimated as high(-).

Credits:
========
Vulnerability Research Laboratory  -  Benjamin Kunz Mejri

Disclaimer:
===========
The information provided in this advisory is provided as it is without any warranty. Vulnerability-Lab
disclaims all warranties, either expressed or implied, including the warranties of merchantability and
capability for a particular purpose. Vulnerability-Lab or its suppliers are not liable in any case of damage,
including direct, indirect, incidental, consequential loss of business profits or special damages, even if
Vulnerability-Lab or its suppliers have been advised of the possibility of such damages. Some states do not
allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing
limitation may not apply. Any modified copy or reproduction, including partially usages, of this file requires
authorization from Vulnerability-Lab. Permission to electronically redistribute this alert in its unmodified
form is granted. All other rights, including the use of other media, are reserved by Vulnerability-Lab or its
suppliers.

    						Copyright © 2012|Vulnerability-Lab

--

-- 
Website: www.vulnerability-lab.com ; vuln-lab.com or vuln-db.com
Contact: admin@vulnerability-lab.com or support@vulnerability-lab.com



LDAP Account Manager Pro v3.6 (lamp) - Multiple Vulnerabilities

Title:
======
LDAP Account Manager Pro v3.6 - Multiple Vulnerabilities

Date:
=====
2012-03-01

References:
===========
http://www.vulnerability-lab.com/get_content.php?id=458

VL-ID:
=====
458

Introduction:
=============
LDAP Account Manager Pro is an extended version of LAM which focuses on enterprise usage. It helps you to
lower your administration costs by providing enhanced tools for your users and deskside support staff.

LDAP Account Manager (LAM) is a web frontend for managing entries (e.g. users, groups, DHCP settings) stored
in an LDAP directory. LAM was designed to make LDAP management as easy as possible for the user. It abstracts
from the technical details of LDAP and allows persons without technical background to manage LDAP entries. If
needed, power users may still directly edit LDAP entries via the integrated LDAP browser.

(Copy of the Vendor Homepage: http://www.ldap-account-manager.org/lamcms/lamPro )

Abstract:
=========
Vulnerability-Lab Team discovered multiple web vulnerabilities in LDAP Account Manager Pro v3.6.

Report-Timeline:
================
2012-02-22:	Public or Non-Public Disclosure

Status:
========
Published

Affected Products:
==================
Open Source
Product: LDAP Account Manager Pro (lamp) v3.6

Exploitation-Technique:
=======================
Remote

Severity:
=========
Medium

Details:
========
1.1
Multiple persistent input validation vulnerabilities are detected in LDAP Account Manager Pro v3.6.
The bug allows a remote attacker to implement malicious script code on the application side (persistent).
Successful exploitation of the vulnerability allows an attacker to manipulate modules/context (persistent) &
can lead to session hijacking (user/mod/admin).

Vulnerable Module(s):
					[+] User Listing & List Input/Output
					[+] Export

Picture(s):
					../1.png
					../2.png

1.2
Multiple client-side Cross Site Scripting vulnerabilities are detected in LDAP Account Manager Pro v3.6.
The bug allows a remote attacker to hijack customer/admin sessions with medium required user interaction.
Successful exploitation leads to session hijacking or client-side module manipulation attacks, and the
result is account theft.

Vulnerable Module(s):
					[+] &attr=
					[+] Filter- Search & Listing

Picture(s):
					../3.png
					../4.png

Proof of Concept:
=================
The vulnerabilities can be exploited by a remote attacker with low & high required user interaction.
For demonstration or to reproduce ...

1.1

Code Review: Exception handling of User Input & Listing

<div class="statusError ui-corner-all">
<table>
<tbody><tr>
<td>  <img src="list.php-filter-Dateien/error.png" alt="ERROR" height="32" width="32"></td>
<td><h2 class="statusError ui-corner-all">Please enter a valid filter. Only letters, numbers and 
" _*$. <at> -" are allowed.</h2><p class="statusError ui-corner-all">-1'"><[INJECTED PERSISTENT SCRIPT
CODE!] <</p></td>
</tr>
</tbody></table>

... or

Code Review: Export Function - Persistent Error Output File

# Suchbereich: base
# Suchfilter: >"<iframe src=http://google.com>

# Anzahl Einträge: 0

# Generated by LDAP Account Manager (http://phpldapadmin.sourceforge.net) on February 22, 2012 4:51 pm

# Version: 3.6

version: 1

Reference(s):
				../export-import-p0c.ldif
				../list.php-filter.htm

1.2
http://www.ldap-account-manager.org/lam/templates/3rdParty/pla/htdocs/cmd.php?cmd=add_value_form&
server_id=1&dn=uid%3Dpc01%24%2Cou%3Dmachines%2Cdc%3Dlam-demo%2Cdc%3Dorg&attr=%3E%22%3Ciframe
%20src=http://www.vulnerability-lab.com%20width=1200%20height=800%3E

Reference(s):
				../cmd.php-attr.htm
				../&attr=.txt

Risk:
=====
The security risk of the persistent web vulnerabilities is estimated as medium(+).

Credits:
========
Vulnerability Research Laboratory   -    Benjamin Kunz Mejri

Disclaimer:
===========
The information provided in this advisory is provided as it is without any warranty. Vulnerability-Lab
disclaims all warranties, either expressed or implied, including the warranties of merchantability and
capability for a particular purpose. Vulnerability-Lab or its suppliers are not liable in any case of damage,
including direct, indirect, incidental, consequential loss of business profits or special damages, even if
Vulnerability-Lab or its suppliers have been advised of the possibility of such damages. Some states do not
allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing
limitation may not apply. Any modified copy or reproduction, including partially usages, of this file requires
authorization from Vulnerability-Lab. Permission to electronically redistribute this alert in its unmodified
form is granted. All other rights, including the use of other media, are reserved by Vulnerability-Lab or its
suppliers.

    						Copyright © 2012|Vulnerability-Lab

--

-- 
Website: www.vulnerability-lab.com ; vuln-lab.com or vuln-db.com
Contact: admin@vulnerability-lab.com or support@vulnerability-lab.com

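
The LAM error box above validates the filter against a whitelist and then echoes the rejected raw value into the page; Endian's notification-email error later in this digest has the same shape. As an added example (not LAM's or Endian's code), a handler that keeps the whitelist LAM's own message states but entity-encodes the echo, plus an export header that only ever carries a validated filter; the markup follows the quoted snippet, the regex is this example's own reading of that whitelist, and the payload is constructed.

```python
import html
import re

# Allowed set as worded by LAM's message: letters, numbers and " _*$.@-" (space included).
FILTER_RE = re.compile(r"^[A-Za-z0-9 _*$.@-]*$")
ERROR_H2 = 'Please enter a valid filter. Only letters, numbers and " _*$.@-" are allowed.'
# Constructed stand-in for the "[INJECTED PERSISTENT SCRIPT CODE!]" placeholder in the advisory.
PAYLOAD = "-1'\"><iframe src=//example.invalid> <"


def filter_is_valid(value):
    return bool(FILTER_RE.fullmatch(value))


def _error_box(echoed):
    """Same structure as the quoted statusError block; `echoed` lands in the <p>."""
    return (
        '<div class="statusError ui-corner-all"><table><tbody><tr>'
        '<td><img src="error.png" alt="ERROR" height="32" width="32"></td>'
        f'<td><h2 class="statusError ui-corner-all">{ERROR_H2}</h2>'
        f'<p class="statusError ui-corner-all">{echoed}</p></td>'
        "</tr></tbody></table></div>"
    )


def handle_filter_unsafe(value):
    """Validates, then echoes the rejected raw value.  The input failed the
    whitelist precisely because it contains characters such as < " ', and those
    same characters now become markup in the error page (the flaw on the page)."""
    if filter_is_valid(value):
        return "ok", value
    return "error", _error_box(value)


def handle_filter_safe(value):
    """Same validation; the echo is entity-encoded so the browser renders it as text."""
    if filter_is_valid(value):
        return "ok", value
    return "error", _error_box(html.escape(value, quote=True))


def ldif_search_comment(value):
    """Header line like LAM's '# Suchfilter: ...' in the exported file: only a
    validated filter is written, so rejected input never reaches the export.
    Returns None when the filter must not be exported."""
    if not filter_is_valid(value):
        return None
    return f"# Suchfilter: {value}"


def echoed_value_is_inert(page_fragment):
    """True when the <p> body that carries the echoed value contains no raw
    tag or quote characters, i.e. it cannot open markup or break out of an attribute."""
    body = re.search(r'<p class="statusError ui-corner-all">(.*?)</p>', page_fragment, re.S).group(1)
    return not any(ch in body for ch in '<>"\'')
```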


Endian UTM Firewall v2.4.x & v2.5.0 - Multiple Web Vulnerabilities

Title:
======
Endian UTM Firewall v2.4.x & v2.5.0 - Multiple Web Vulnerabilities

Date:
=====
2012-03-01

References:
===========
http://www.vulnerability-lab.com/get_content.php?id=228

VL-ID:
=====
228

Introduction:
=============
Simple, fast and future-proof! The ideal solution for protecting your branch offices and industrial sites
around the globe. Endian 4i is the ideal solution for branch offices or industrial installations. The firewall
is available in two variants, "Office" and "Industrial". The Office version offers all the functions needed to
link networks within the company and with remote sites simply and securely. The Industrial version has the same
range of functions, is aimed specifically at the industrial sector, offers 24V support and can be mounted on a
DIN rail. Remote support, remote configuration, system monitoring, right up to the simple, secure networking of
remote sites: the cost advantages are obvious. Secure your company's connectivity too, and stay ahead with the
Endian 4i.

(Copy of the Vendor Homepage: http://www.endian.com/de/products/utm-hardware/4i/)

Abstract:
=========
Vulnerability-Lab Team discovered multiple Web Vulnerabilities in Endian's UTM Firewall v2.5.0 Appliance.

Report-Timeline:
================
2011-09-16:	Vendor Notification
2011-09-20:	Vendor Response/Feedback
2012-03-01:	Public or Non-Public Disclosure

Status:
========
Published

Affected Products:
==================
Endian
Product: UTM Firewall Appliance Application v2.5.-x; 2.4-0 & 2.4.-x

Exploitation-Technique:
=======================
Remote

Severity:
=========
High

Details:
========
1.1
Multiple persistent input validation vulnerabilities are detected in Endian's WAF UTM appliance application.
The vulnerability allows an attacker to manipulate specific application requests via persistent
included script codes.

Vulnerable: 		Input Validation Vulnerabilities (Server-Side|Persistent)

Vulnerable Module(s): 
						[+] Proxy - HTTP Configuration Masks
						[+] Service - Intrusion Prevention
						[+] Network - Host Configuration
						[+] DHCP

Pictures:
						../ive1.png

1.2
Multiple cross site request forgery vulnerabilities are detected on the client side of the Endian WAF appliance.
The vulnerability allows an attacker to force client-side module requests of application functions.

Vulnerable: 		Cross Site Request Forgery Vulnerabilities (Client-Side|Non Persistent)

Vulnerable Module(s): 
						[+] HotSpot - Add Password
						[+] System - Passwords

Picture(s):
						../csrf1.png

Proof of Concept:
=================
The vulnerabilities can be exploited by remote attackers with high required user interaction or by local
low-privileged user accounts. For demonstration or to reproduce ...

1.1
Example Code Review:  	Input Validation Vulnerabilities (Persistent Inject)

Server:			demo.endian.com/
Path:			/cgi-bin/
File:			proxyconfig.cgi

<div id="page-content-box">        <div id="notification-view" class="spinner" style="display:none"></div>
        <div id="module-content">
        <script type="text/javascript">
            $(document).ready(function() {
                /* Enable visualization of service notifications */
                display_notifications(["squid","dansguardian","havp","sarg"], {"startMessage": "Proxy settings are being applied. Please hold...","updateContent": ".service-switch-form","type": "observe","endMessage": "Proxy settings have been applied successfully.","interval": "500"});
            })
        </script>
    <div  class="error-fancy" style="width: 504px; ">
        <div class="content">
            <table cellpadding="0" cellspacing="0" border="0">
                <tr>

                    <td class="sign" valign="middle"><img src="/images/bubble_red_sign.png" alt="" border="0" /></td>
                    <td class="text" valign="middle">">"<iframe src=http://vulnerability-lab.com width=600 height=600>@aollamer.de" at "Email used for notification (cache admin)" is not valid!(or?@rem0ve)<br /></td>
                </tr>
            </table>
        </div>

Reference(s):
						https://xx.xxxx.com/cgi-bin/proxyconfig.cgi
						https://xx.xxxx.com/cgi-bin/hosts.cgi
						https://xx.xxxx.com/cgi-bin/dhcp.cgi

1.2
Example Code Review: 	Cross Site Request Forgery Vulnerabilities (Non-Persistent)

Server:			demo.endian.com/
Path:			/cgi-bin/
File:			hotspot-changepw.cgi or  changepw.cgi

<form action="/cgi-bin/changepw.cgi" method="post">
            <div class="section first multi-column">
                <input type='hidden' name='ACTION_ROOT' value='save' />
                <div class="title"><h2 class="title">SSH Password (root)</h2></div> 
                <div class="fields-row">
                    <span class="multi-field">
                        <label id="username_field" for="username">Password *</label>

                        <input type="password" name="ROOT_PASSWORD1" SIZE="5" /></span>

... or

<form enctype='multipart/form-data' method='post' action='/cgi-bin/hotspot-changepw.cgi'>
<input type='hidden' name='ACTION_HOTSPOT' value='save' />
<table width='100%'>

<tr>
        <td width='15%' class='base'>Password:</td>
        <td width='30%'><input type='password' name='HOTSPOT_PASSWORD1' /></td>
        <td width='15%' class='base'>Again:</td>
        <td width='30%'><input type='password' name='HOTSPOT_PASSWORD2' /></td>
        <td width='10%'><input class='submitbutton' type='submit' name='submit' value='Save' /></td>
</tr>
</table>
</form>

References:
						https://xx.xxxx.com/cgi-bin/changepw.cgi
						https://xx.xxxx.com/cgi-bin/hotspot-changepw.cgi

Solution:
=========
1.1
Restrict & parse the vulnerable input & output sections to fix the persistent injects.

1.2
Use CSRF tokens & a checkbox to verify a request.

Risk:
=====
The security risk of the persistent vulnerabilities is estimated as high(-).
The security risk of the non-persistent vulnerabilities is estimated as low(+).

Credits:
========
Vulnerability Research Laboratory - Benjamin Kunz Mejri (Rem0ve)

Disclaimer:
===========
The information provided in this advisory is provided as it is without any warranty. Vulnerability-Lab
disclaims all warranties, either expressed or implied, including the warranties of merchantability and
capability for a particular purpose. Vulnerability-Lab or its suppliers are not liable in any case of damage,
including direct, indirect, incidental, consequential loss of business profits or special damages, even if
Vulnerability-Lab or its suppliers have been advised of the possibility of such damages. Some states do not
allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing
limitation may not apply. Any modified copy or reproduction, including partially usages, of this file requires
authorization from Vulnerability-Lab. Permission to electronically redistribute this alert in its unmodified
form is granted. All other rights, including the use of other media, are reserved by Vulnerability-Lab or its
suppliers.

    						Copyright © 2012|Vulnerability-Lab

--

-- 
Website: www.vulnerability-lab.com ; vuln-lab.com or vuln-db.com
Contact: admin@vulnerability-lab.com or support@vulnerability-lab.com

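
The changepw.cgi form quoted in section 1.2 carries nothing that ties the POST to the user who opened the page, which is what the "csrf tokens" line in the Solution section is about. As an added example (not Endian's code), a handler for that form with a session- and action-bound token, an Origin check, and the two-field confirmation the hotspot form already has; ACTION_ROOT and ROOT_PASSWORD1 come from the post, while ROOT_PASSWORD2 (by analogy with HOTSPOT_PASSWORD2), CSRF_TOKEN, the site origin and the handler functions are this example's own assumptions.

```python
import hashlib
import hmac
import secrets

SERVER_SECRET = secrets.token_bytes(32)   # constructed; per-install secret, never sent to the browser
SITE_ORIGIN = "https://fw.example.test"   # assumed origin of the appliance's web UI


def csrf_token(session_id, action):
    """Token bound to the session and to one action, so a token issued for one
    form cannot be replayed against another (changepw vs. hotspot-changepw)."""
    msg = f"{session_id}:{action}".encode()
    return hmac.new(SERVER_SECRET, msg, hashlib.sha256).hexdigest()


def token_is_valid(session_id, action, presented):
    return bool(presented) and hmac.compare_digest(csrf_token(session_id, action), presented)


def render_changepw_form(session_id):
    """The vendor's form plus a hidden token; the markup on the page has none."""
    return (
        "<form action='/cgi-bin/changepw.cgi' method='post'>"
        "<input type='hidden' name='ACTION_ROOT' value='save' />"
        f"<input type='hidden' name='CSRF_TOKEN' value='{csrf_token(session_id, 'changepw')}' />"
        "<input type='password' name='ROOT_PASSWORD1' />"
        "<input type='password' name='ROOT_PASSWORD2' />"
        "<input type='submit' name='submit' value='Save' /></form>"
    )


def handle_changepw_vulnerable(form, session_id):
    """What the quoted form implies: the session cookie plus two fields suffice.
    A page on any other site can submit this form from a logged-in
    administrator's browser, which is the CSRF the advisory reports."""
    if form.get("ACTION_ROOT") == "save" and form.get("ROOT_PASSWORD1"):
        return "saved"
    return "ignored"


def handle_changepw_hardened(form, session_id, origin):
    """Rejects before the password is looked at: token first, then the Origin
    header (skipped only when the client sent none; the token still holds),
    then the two-field confirmation.  Returns the outcome as a string."""
    if form.get("ACTION_ROOT") != "save":
        return "ignored"
    if not token_is_valid(session_id, "changepw", form.get("CSRF_TOKEN")):
        return "rejected: missing or foreign CSRF token"
    if origin is not None and origin != SITE_ORIGIN:
        return "rejected: cross-origin request"
    pw1, pw2 = form.get("ROOT_PASSWORD1"), form.get("ROOT_PASSWORD2")
    if not pw1 or pw1 != pw2:
        return "rejected: passwords missing or do not match"
    return "saved"
```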
stuxnet | 1 Mar 2012 22:34

linode.com hacked? anyone else?

https://bitcointalk.org/index.php?topic=66916.0;all

http://bitcoinmedia.com/compromised-linode-coins-stolen-from-slush-faucet-and-others/

---

Linode has confirmed that the error was due to a fault on their side.

Hello Marek-

We were alerted to the suspicious activity and have identified and
corrected the issue. Our investigation has revealed a customer support
interface was used to access your account. The compromised credentials
have been restricted and we are discussing policy changes to prevent this
from recurring.

We regret that this incident has occurred, and apologize for the
unnecessary work this may have caused you.

We appreciate your business and certainly want to keep you as a happy and
satisfied customer. If there is anything we can do to make this up to you,
certainly let us know.

Regards,

Thomas Asaro
Vice President


Florian Weimer | 2 Mar 2012 20:32

[SECURITY] [DSA 2423-1] movabletype-opensource security update


-------------------------------------------------------------------------
Debian Security Advisory DSA-2423-1                   security@debian.org
http://www.debian.org/security/                            Florian Weimer
March 02, 2012                         http://www.debian.org/security/faq
-------------------------------------------------------------------------

Package        : movabletype-opensource
Vulnerability  : several
Problem type   : remote
Debian-specific: no
Debian Bug     : 631437 661064

Several vulnerabilities were discovered in Movable Type, a blogging
system:

Under certain circumstances, a user who has "Create Entries" or
"Manage Blog" permissions may be able to read known files on the local
file system.

The file management system contains shell command injection
vulnerabilities, the most serious of which may lead to arbitrary OS
command execution by a user who has a permission to sign-in to the
admin script and also has a permission to upload files.

Session hijack and cross-site request forgery vulnerabilities exist in
the commenting and the community script. A remote attacker could
hijack the user session or could execute arbitrary script code on
victim's browser under the certain circumstances.

Templates which do not escape variable properly and mt-wizard.cgi
contain cross-site scripting vulnerabilities.

For the stable distribution (squeeze), these problems have been fixed
in version 4.3.8+dfsg-0+squeeze2.

For the testing distribution (wheezy) and the unstable distribution
(sid), these problems have been fixed in version 5.1.3+dfsg-1.

We recommend that you upgrade your movabletype-opensource packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: http://www.debian.org/security/

Mailing list: debian-security-announce@lists.debian.org
Fernando Gont | 4 Mar 2012 01:00

Security Implications of Predictable IPv6 Fragment Identification values (rev'ed IETF I-D)

Folks,

We have published a revision of the aforementioned IETF Internet-Draft.
The revised document is available at:
<http://tools.ietf.org/id/draft-gont-6man-predictable-fragment-id-01.txt>.

A diff from the previous version is available at:
<http://tools.ietf.org//rfcdiff?url1=http://tools.ietf.org/id/draft-gont-6man-predictable-fragment-id-00.txt&url2=http://tools.ietf.org/id/draft-gont-6man-predictable-fragment-id-01.txt>.

This version incorporates lots of detailed feedback sent by Ivan Arce
(Thanks Ivan!).

Any comments will be welcome.

P.S.: Other IETF I-Ds on the subject are available at:
<http://www.si6networks.com/presentations/ietf.html>. And yes, you can
follow us on twitter: @SI6Networks

Best regards,
Fernando

-------- Original Message --------
Subject: New Version Notification for
draft-gont-6man-predictable-fragment-id-01.txt
Date: Sat, 03 Mar 2012 15:02:10 -0800
From: internet-drafts@ietf.org
To: fgont@si6networks.com

A new version of I-D, draft-gont-6man-predictable-fragment-id-01.txt has
been successfully submitted by Fernando Gont and posted to the IETF
repository.

Filename:	 draft-gont-6man-predictable-fragment-id
Revision:	 01
Title:		 Security Implications of Predictable Fragment Identification Values
Creation date:	 2012-03-03
WG ID:		 Individual Submission
Number of pages: 21

Abstract:
   IPv6 specifies the Fragment Header, which is employed for the
   fragmentation and reassembly mechanisms.  The Fragment Header
   contains an "Identification" field which, together with the IPv6
   Source Address and the IPv6 Destination Address of the packet,
   identifies fragments that correspond to the same original datagram,
   such that they can be reassembled together at the receiving host.
   The only requirement for setting the "Identification" value is that
   it must be different than that of any other fragmented packet sent
   recently with the same Source Address and Destination Address.  Some
   implementations simply use a global counter for setting the Fragment
   Identification field, thus leading to predictable values.  This
   document analyzes the security implications of predictable
   Identification values, and updates RFC 2460 specifying additional
   requirements for setting the Fragment Identification, such that the
   aforementioned security implications are mitigated.

The IETF Secretariat


