Showing posts with label Vulnerability. Show all posts

Protector Plus Antivirus Local Privilege Escalation Vulnerability  

Wednesday, January 6, 2010

ShineShadow Security Report 15092009-09

TITLE

Local privilege escalation vulnerability in Protector Plus antivirus software

BACKGROUND

Protector Plus range of antivirus products are known the world over for
their efficiency and reliability. Protector Plus Antivirus Software is
available for Windows Vista, Windows XP, Windows Me, Windows 2000,
Windows 98, Windows 2000/2003/NT server and NetWare platforms. Protector
Plus Antivirus Software is the ideal antivirus protection for your
computer against all types of malware like viruses, trojans, worms and
spyware.

AddThis Social Bookmark Button

Posted in , by buzz

Coppermine Photo Gallery 1.4.22 Remote Exploit  

Saturday, May 23, 2009

Need register_globals = on and magic_quotes_gpc = off
Based on vulnerabilities discussed at http://www.milw0rm.org/exploits/8713
Coppermine Photo Gallery 1.4.22 Remote Exploit

Coded by girex

source. milw0rm

download

Need computer and internet security, click here

AddThis Social Bookmark Button

Posted in , by buzz

SQL Injection Vulnerability  

Thursday, December 25, 2008

Barracuda Networks Spam Firewall is vulnerable to various SQL Injection attacks.
When exploited by an authenticated user, the identified vulnerability can lead to
Denial of Service, Database Information Disclosure, etc.

CVE Number: CVE-2008-1094
Vulnerability: SQL Injection
Risk: Medium
Attack vector: From Remote

Vulnerability Discovered: 16th June 2008
Vendor Notified: 16th June 2008
Advisory Released: 15th December 2008
Description

The index.cgi resource was identified as being susceptible to SQL Injection attacks.
When filtering user accounts in Users->Account View section, the pattern_x parameter
(where x = 0..n) allows inserting arbitrary SQL code once filter_x parameter is set
to search_count_equals‘ value.

/cgi-bin/index.cgi?&user=&password=&et=&auth_type=Local&locale=en_US&realm=&primary_tab=USERS&secondary_tab=per_user_account_view&boolean_0=boolean_and&filter_0=search_count_equals&pattern_0=if(database() like concat(char(99),char(37)),5,0)

An attacker can exploit this vulnerability by injecting arbitrary SQL code to be
executed as part of the SQL query.


Original Advisory:

http://dcsl.ul.ie/advisories/02.htm


Barracuda Networks Technical Alert

http://www.barracudanetworks.com/ns/support/tech_alert.php


Affected Versions

Barracuda Spam Firewall (Firmware v3.5.11.020, Model 600)

Other products/versions might be affected.


Mitigation

Vendor recommends to the following firmware version

Barracuda Spam Firewall (Firmware v3.5.12.001)

Alternatively, please contact Barracuda Networks for technical support.


Credits

Dr. Marian Ventuneac, marian.ventuneac@ul.ie
Data Communication Security Laboratory, Department of Electronic & Computer Engineering, University of Limerick


Disclaimer

Data Communication Security Laboratory releases this information with the vendor acceptance.
DCSL is not responsible for any malicious application of the information presented in this advisory.

ref. milw0rm.com

AddThis Social Bookmark Button

Posted in , , , by buzz

PHP 5.2.6 (error_log) safe_mode Bypass Vulnerability  

Monday, December 1, 2008

SecurityReason.com PHP 5.2.6 (error_log) safe_mode bypass
Author: Maksymilian Arciemowicz (cXIb8O3)
securityreason.com
Date:
- - Written: 10.11.2008
- - Public: 20.11.2008

SecurityReason Research
SecurityAlert Id: 57

CWE: CWE-264
SecurityRisk: Medium

Affected Software: PHP 5.2.6
Advisory URL: http://securityreason.com/achievement_securityalert/57
Vendor: http://www.php.net

- --- 0.Description ---
PHP is an HTML-embedded scripting language. Much of its syntax is borrowed from C, Java and Perl
with a couple of unique PHP-specific features thrown in. The goal of the language is to allow web
developers to write dynamically generated pages quickly.


error_log

They allow you to define your own error handling rules, as well as modify the way the errors can
be logged. This allows you to change and enhance error reporting to suit your needs.

- --- 0. error_log const. bypassed by php_admin_flag ---
The main problem is between using safe_mode in global mode

php.ini­:
safe_mode = On

and declaring via php_admin_flag


...
php_admin_flag safe_mode On


When we create some php script in /www/ and try call to:

ini_set("error_log", "/hack/");

or in /www/.htaccess

php_value error_log "/hack/bleh.php"


Result:

Warning: Unknown: SAFE MODE Restriction in effect. The script whose uid is 80 is not allowed to access /hack/ owned by uid 1001 in Unknown on line 0

Warning: ini_set() [function.ini-set]: SAFE MODE Restriction in effect. The script whose uid is 80 is not allowed to access /hack/ owned by uid 1001 in /www/phpinfo.php on line 4


It was for safe_mode declared in php.ini. But if we use

php_admin_flag safe_mode On

in httpd.conf, we will get only

Warning: ini_set() [function.ini-set]: SAFE MODE Restriction in effect. The script whose uid is 80 is not allowed to access /hack/ owned by uid 1001 in /www/phpinfo.php on line 4

syntax in .htaccess

php_value error_log "/hack/blehx.php"

is allowed and bypass safe_mode.

example exploit:
error_log("", 0);

- --- 2. How to fix ---
Fixed in CVS

http://cvs.php.net/viewvc.cgi/php-src/NEWS?revision=1.2027.2.547.2.1315&view=markup

Note:
Do not use safe_mode as a main safety.

--- 3. Greets ---
sp3x Infospec schain p_e_a pi3

- --- 4. Contact ---
Author: SecurityReason [ Maksymilian Arciemowicz ( cXIb8O3 ) ]
Email: cxib [at] securityreason [dot] com
GPG: http://securityreason.pl/key/Arciemowicz.Maksymilian.gpg
http://securityreason.com
http://securityreason.pl

# milw0rm.com [2008-11-20]

AddThis Social Bookmark Button

Posted in , , by buzz

Subscribe to: Posts (Atom)

Design by Amanda @ Blogger Buster